update: 2025.10.3 -> 2025.12.1

Closes #83 Closes #85 ChangeLog: https://docs.goauthentik.io/releases/2025.12 ⚠️ When using the Avatar upload, you'll have to make your users re-upload their avatars due to changes in how media is served by Authentik[1]. For now, we're using a branch from me that is 2025.12.1 with an update of `@goauthentik/api` on top[2]. Without that change, `AdminFileListUsageEnum` doesn't exist which breaks all usage of `AdminFileListUsageEnum.Media`: TypeError: can't access property "Media", R.AdminFileListUsageEnum is undefined renderForm ApplicationForm.ts:191 [...] This made e.g. the modal to edit applications unusable which infinitely hang on a loading spinner. The media path now points to `/var/lib/authentik`. This path is only used for media storage and Authentik now always appends the "usage name" as directory behind the storage path, i.e. it already appends `/var/lib/authentik/media`, so this is needed to make Authentik discover existing media. Finally, I added a `patches` attribute to the authentik scope that applies patches to both the workdir-deps (which is the PYTHONPATH in the end, i.e. where we load the authentik module from) and the gopkgs. We're still missing patchability for frontend (since we directly build the subdir in napalm), but I think that's a step in the right direction. [1] https://github.com/goauthentik/authentik/discussions/6824#discussioncomment-15490793 [2] Upstream PR: https://github.com/goauthentik/authentik/pull/19542
2026-01-16 21:54:23 +01:00 · 2026-01-16 21:54:23 +01:00 · ad2994c95f
commit ad2994c95f
parent 94c544f6cd
12 changed files with 118 additions and 123 deletions
--- a/components/0002-admin-file-dir-doesn-t-have-to-be-a-mountpoint.patch
+++ b/components/0002-admin-file-dir-doesn-t-have-to-be-a-mountpoint.patch
@ -0,0 +1,24 @@
+From 2f51711b64204d090ad8cd6b2ef19fd11a1a6469 Mon Sep 17 00:00:00 2001
+From: Maximilian Bosch <maximilian@mbosch.me>
+Date: Fri, 16 Jan 2026 21:50:11 +0100
+Subject: [PATCH 2/2] admin: file dir doesn't have to be a mountpoint
+
+---
+ authentik/admin/files/backends/file.py | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/authentik/admin/files/backends/file.py b/authentik/admin/files/backends/file.py
+index 7858ed5e9b..8a6d55ce64 100644
+--- a/authentik/admin/files/backends/file.py
+++ b/authentik/admin/files/backends/file.py
+@@ -47,7 +47,6 @@ class FileBackend(ManageableBackend):
+     def manageable(self) -> bool:
+         return (
+             self.base_path.exists()
+-            and (self._base_dir.is_mount() or (self._base_dir / self.usage.value).is_mount())
+             or (settings.DEBUG or settings.TEST)
+         )
+ 
+-- 
+2.51.2
+
--- a/components/authentik_media_tenant_files_migration.patch
+++ b/components/authentik_media_tenant_files_migration.patch
@ -1,15 +0,0 @@
-diff --git a/lifecycle/system_migrations/tenant_files.py b/lifecycle/system_migrations/tenant_files.py
-index 40795d460..7ac1efb34 100644
--- a/lifecycle/system_migrations/tenant_files.py
-+++ b/lifecycle/system_migrations/tenant_files.py
-@@ -2,8 +2,9 @@
- from pathlib import Path
- 
- from lifecycle.migrate import BaseMigration
-+from authentik.lib.config import CONFIG
- 
-MEDIA_ROOT = Path(__file__).parent.parent.parent / "media"
-+MEDIA_ROOT = Path(CONFIG.get("storage.media.file.path"))
- TENANT_MEDIA_ROOT = MEDIA_ROOT / "public"
- 
- 
--- a/components/authentik_media_upload.patch
+++ b/components/authentik_media_upload.patch
@ -1,11 +0,0 @@
-diff --git a/authentik/api/v3/config.py b/authentik/api/v3/config.py
--- a/authentik/api/v3/config.py
-+++ b/authentik/api/v3/config.py
-@@ -71,6 +71,7 @@ class ConfigView(APIView):
-         if (
-             CONFIG.get("storage.media.backend", "file") == "s3"
-             or Path(settings.STORAGES["default"]["OPTIONS"]["location"]).is_mount()
-+            or CONFIG.get_bool("media.enable_upload")
-             or deb_test
-         ):
-             caps.append(Capabilities.CAN_SAVE_MEDIA)
--- a/components/docs-extra-package-locks/js-fetch-npm-shrinkwrap.json
+++ b/components/docs-extra-package-locks/js-fetch-npm-shrinkwrap.json
@ -4,57 +4,58 @@
  "lockfileVersion": 1,
  "requires": true,
  "dependencies": {
-    "asynckit": {
-      "version": "0.4.0",
-      "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz",
-      "integrity": "sha1-x57Zf380y48robyXkLzDZkdLS3k=",
+    "data-uri-to-buffer": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/data-uri-to-buffer/-/data-uri-to-buffer-4.0.1.tgz",
+      "integrity": "sha512-0R9ikRb668HB7QDxT1vkpuUBtqc53YyAwMwGeUFKRojY/NWKvdZ+9UYtRfGmhqNbRkTSVpMbmyhXipFFv2cb/A==",
      "dev": true
    },
-    "combined-stream": {
-      "version": "1.0.8",
-      "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz",
-      "integrity": "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==",
+    "fetch-blob": {
+      "version": "3.2.0",
+      "resolved": "https://registry.npmjs.org/fetch-blob/-/fetch-blob-3.2.0.tgz",
+      "integrity": "sha512-7yAQpD2UMJzLi1Dqv7qFYnPbaPx7ZfFK6PiIxQ4PfkGPyNyl2Ugx+a/umUonmKqjhM4DnfbMvdX6otXq83soQQ==",
      "dev": true,
      "requires": {
-        "delayed-stream": "~1.0.0"
+        "node-domexception": "^1.0.0",
+        "web-streams-polyfill": "^3.0.3"
      }
    },
-    "delayed-stream": {
+    "formdata-node": {
+      "version": "6.0.3",
+      "resolved": "https://registry.npmjs.org/formdata-node/-/formdata-node-6.0.3.tgz",
+      "integrity": "sha512-8e1++BCiTzUno9v5IZ2J6bv4RU+3UKDmqWUQD0MIMVCd9AdhWkO1gw57oo1mNEX1dMq2EGI+FbWz4B92pscSQg==",
+      "dev": true
+    },
+    "formdata-polyfill": {
+      "version": "4.0.10",
+      "resolved": "https://registry.npmjs.org/formdata-polyfill/-/formdata-polyfill-4.0.10.tgz",
+      "integrity": "sha512-buewHzMvYL29jdeQTVILecSaZKnt/RJWjoZCF5OW60Z67/GmSLBkOFM7qh1PI3zFNtJbaZL5eQu1vLfazOwj4g==",
+      "dev": true,
+      "requires": {
+        "fetch-blob": "^3.1.2"
+      }
+    },
+    "node-domexception": {
      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz",
-      "integrity": "sha1-3zrhmayt+31ECqrgsp4icrJOxhk=",
+      "resolved": "https://registry.npmjs.org/node-domexception/-/node-domexception-1.0.0.tgz",
+      "integrity": "sha512-/jKZoMpw0F8GRwl4/eLROPA3cfcXtLApP0QzLmUT/HuPCZWyB7IY9ZrMeKw2O/nFIqPQB3PVM9aYm0F312AXDQ==",
      "dev": true
    },
-    "form-data": {
-      "version": "2.5.1",
-      "resolved": "https://registry.npmjs.org/form-data/-/form-data-2.5.1.tgz",
-      "integrity": "sha512-m21N3WOmEEURgk6B9GLOE4RuWOFf28Lhh9qGYeNlGq4VDXUlJy2th2slBNU8Gp8EzloYZOibZJ7t5ecIrFSjVA==",
-      "dev": true,
-      "requires": {
-        "asynckit": "^0.4.0",
-        "combined-stream": "^1.0.6",
-        "mime-types": "^2.1.12"
-      }
-    },
-    "mime-db": {
-      "version": "1.44.0",
-      "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.44.0.tgz",
-      "integrity": "sha512-/NOTfLrsPBVeH7YtFPgsVWveuL+4SjjYxaQ1xtM1KMFj7HdxlBlxeyNLzhyJVx7r4rZGJAZ/6lkKCitSc/Nmpg==",
-      "dev": true
-    },
-    "mime-types": {
-      "version": "2.1.27",
-      "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.27.tgz",
-      "integrity": "sha512-JIhqnCasI9yD+SsmkquHBxTSEuZdQX5BuQnS2Vc7puQQQ+8yiP5AY5uWhpdv4YL4VM5c6iliiYWPgJ/nJQLp7w==",
-      "dev": true,
-      "requires": {
-        "mime-db": "1.44.0"
-      }
-    },
    "node-fetch": {
-      "version": "2.6.7",
-      "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.7.tgz",
-      "integrity": "sha512-ZjMPFEfVx5j+y2yF35Kzx5sF7kDzxuDj6ziH4FFbOp87zKDZNx8yExJIb05OGF4Nlt9IHFIMBkRl41VdvcNdbQ==",
+      "version": "3.3.2",
+      "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-3.3.2.tgz",
+      "integrity": "sha512-dRB78srN/l6gqWulah9SrxeYnxeddIG30+GOqK/9OlLVyLg3HPnr6SqOWTWOXKRwC2eGYCkZ59NNuSgvSrpgOA==",
+      "dev": true,
+      "requires": {
+        "data-uri-to-buffer": "^4.0.0",
+        "fetch-blob": "^3.1.4",
+        "formdata-polyfill": "^4.0.10"
+      }
+    },
+    "node-fetch2": {
+      "version": "npm:node-fetch@2.7.0",
+      "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.7.0.tgz",
+      "integrity": "sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A==",
      "dev": true,
      "requires": {
        "whatwg-url": "^5.0.0"
@ -66,6 +67,12 @@
      "integrity": "sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw==",
      "dev": true
    },
+    "web-streams-polyfill": {
+      "version": "3.3.3",
+      "resolved": "https://registry.npmjs.org/web-streams-polyfill/-/web-streams-polyfill-3.3.3.tgz",
+      "integrity": "sha512-d2JWLCivmZYTSIoge9MsgFCZrt571BikcWGYkjC1khllbTeDlGqZ2D8vD8E/lJa8WGWbb7Plm8/XJYV7IJHZZw==",
+      "dev": true
+    },
    "webidl-conversions": {
      "version": "3.0.1",
      "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz",
--- a/components/docs-extra-package-locks/nodejs-native-npm-shrinkwrap.json
+++ b/components/docs-extra-package-locks/nodejs-native-npm-shrinkwrap.json
@ -48,23 +48,15 @@
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
      "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg=="
    },
-    "lru-cache": {
-      "version": "6.0.0",
-      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-6.0.0.tgz",
-      "integrity": "sha512-Jo6dJ04CmSjuznwJSS3pUeWmd/H0ffTlkXXgwZi+eq1UCmqQwCh+eLsYOYCwY991i2Fah4h1BEMCx4qThGbsiA==",
-      "requires": {
-        "yallist": "^4.0.0"
-      }
-    },
    "mime-db": {
      "version": "1.52.0",
      "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz",
      "integrity": "sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg=="
    },
    "mime-format": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/mime-format/-/mime-format-2.0.1.tgz",
-      "integrity": "sha512-XxU3ngPbEnrYnNbIX+lYSaYg0M01v6p2ntd2YaFksTu0vayaw5OJvbdRyWs07EYRlLED5qadUZ+xo+XhOvFhwg==",
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/mime-format/-/mime-format-2.0.2.tgz",
+      "integrity": "sha512-Y5ERWVcyh3sby9Fx2U5F1yatiTFjNsqF5NltihTWI9QgNtr5o3dbCZdcKa1l2wyfhnwwoP9HGNxga7LqZLA6gw==",
      "requires": {
        "charset": "^1.0.0"
      }
@ -78,9 +70,9 @@
      }
    },
    "postman-collection": {
-      "version": "4.4.0",
-      "resolved": "https://registry.npmjs.org/postman-collection/-/postman-collection-4.4.0.tgz",
-      "integrity": "sha512-2BGDFcUwlK08CqZFUlIC8kwRJueVzPjZnnokWPtJCd9f2J06HBQpGL7t2P1Ud1NEsK9NHq9wdipUhWLOPj5s/Q==",
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/postman-collection/-/postman-collection-5.0.0.tgz",
+      "integrity": "sha512-1LK795Atv/ZX3jK1MCTx9KCBz0rAiIJJhTLqnJ4AsXLiLSqJuAH1w5jI1CQzHVLpPFg6E8Rl4tQIhF0eBgKNQQ==",
      "requires": {
        "@faker-js/faker": "5.5.3",
        "file-type": "3.9.0",
@ -88,19 +80,19 @@
        "iconv-lite": "0.6.3",
        "liquid-json": "0.3.1",
        "lodash": "4.17.21",
-        "mime-format": "2.0.1",
+        "mime-format": "2.0.2",
        "mime-types": "2.1.35",
-        "postman-url-encoder": "3.0.5",
-        "semver": "7.5.4",
+        "postman-url-encoder": "3.0.6",
+        "semver": "7.7.1",
        "uuid": "8.3.2"
      }
    },
    "postman-url-encoder": {
-      "version": "3.0.5",
-      "resolved": "https://registry.npmjs.org/postman-url-encoder/-/postman-url-encoder-3.0.5.tgz",
-      "integrity": "sha512-jOrdVvzUXBC7C+9gkIkpDJ3HIxOHTIqjpQ4C1EMt1ZGeMvSEpbFCKq23DEfgsj46vMnDgyQf+1ZLp2Wm+bKSsA==",
+      "version": "3.0.6",
+      "resolved": "https://registry.npmjs.org/postman-url-encoder/-/postman-url-encoder-3.0.6.tgz",
+      "integrity": "sha512-uOlnZW+4Cmpbfbuq02hdj1hSpcIFmQxlAwsO6dflwUIVpt9+1duYVxXv3ikf+wHrAO8Wy98uVKnnuR8R0Qpdng==",
      "requires": {
-        "punycode": "^2.1.1"
+        "punycode": "^2.3.1"
      }
    },
    "punycode": {
@ -114,22 +106,14 @@
      "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg=="
    },
    "semver": {
-      "version": "7.5.4",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-7.5.4.tgz",
-      "integrity": "sha512-1bCSESV6Pv+i21Hvpxp3Dx+pSD8lIPt8uVjRrxAUt/nbswYc+tK6Y2btiULjd4+fnq15PX+nqQDC7Oft7WkwcA==",
-      "requires": {
-        "lru-cache": "^6.0.0"
-      }
+      "version": "7.7.1",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.1.tgz",
+      "integrity": "sha512-hlq8tAfn0m/61p4BVRcPzIGr6LKiMwo4VM6dGi6pt4qcRkmNzTcWq6eCEjEh+qXjkMDvPlOFFSGwQjoEa6gyMA=="
    },
    "uuid": {
      "version": "8.3.2",
      "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
      "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg=="
-    },
-    "yallist": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/yallist/-/yallist-4.0.0.tgz",
-      "integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A=="
    }
  }
 }
--- a/components/docs-extra-package-locks/postman-cli-npm-shrinkwrap.json
+++ b/components/docs-extra-package-locks/postman-cli-npm-shrinkwrap.json
@ -0,0 +1,5 @@
+{
+  "name": "@postman/codegen-postman-cli",
+  "version": "0.0.1",
+  "lockfileVersion": 1
+}
--- a/components/docs.nix
+++ b/components/docs.nix
@ -64,7 +64,7 @@ buildNapalmPackage "${authentik-src}/website" {
  # $ cd postman-code-generators
  # $ git checkout v[version-from-lockfile]
  # $ cd codegens/ 
-  # $ for f in **/npm-shrinkfile.json; do cp "$f" "[this projects root]/comonents/docs-extra-package-locks/${f//\//-}"
+  # $ for f in **/npm-shrinkwrap.json; do cp "$f" "[this projects root]/components/docs-extra-package-locks/${f//\//-}"; done
  #
  #

--- a/components/gopkgs.nix
+++ b/components/gopkgs.nix
@ -2,19 +2,21 @@
  authentik-src,
  authentik-version,
  authentikComponents,
-  buildGo124Module,
+  buildGo125Module,
  lib,
  makeWrapper,
  guacamole-server,
  stdenv,
+  patches,
 }:

 let
  guacamoleAvailable = lib.meta.availableOn stdenv.hostPlatform guacamole-server;
 in
-buildGo124Module {
+buildGo125Module {
  pname = "authentik-gopkgs";
  version = authentik-version;
+  inherit patches;
  prePatch = ''
    sed -i"" -e 's,./web/dist/,${authentikComponents.frontend}/dist/,' web/static.go
    sed -i"" -e 's,./web/dist/,${authentikComponents.frontend}/dist/,' internal/web/static.go
@ -61,7 +63,7 @@ buildGo124Module {
  ] ++ lib.optionals guacamoleAvailable [
    "cmd/rac"
  ];
-  vendorHash = "sha256-m2shrCwoVdbtr8B83ZcAyG+J6dEys2xdjtlfFFF4CDo=";
+  vendorHash = "sha256-u/kAqDCeWHPaw/0+lQ9U6/pHSgdANOeflQLVgUV64Vs=";
  nativeBuildInputs = [ makeWrapper ];
  doCheck = false;
  postInstall = ''
--- a/components/staticWorkdirDeps.nix
+++ b/components/staticWorkdirDeps.nix
@ -3,15 +3,13 @@
  authentikComponents,
  linkFarm,
  applyPatches,
+  patches,
 }:
 let
  patched-src = applyPatches {
    src = authentik-src;
    name = "patched-authentik-source";
-    patches = [
-      ./authentik_media_upload.patch
-      ./authentik_media_tenant_files_migration.patch
-    ];
+    inherit patches;
  };
 in
 linkFarm "authentik-static-workdir-deps" [
--- a/flake.lock
+++ b/flake.lock
@ -3,16 +3,16 @@
    "authentik-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1765907481,
-        "narHash": "sha256-d0pPNE2T30COdFse0T15Mx8XW4BGg8hgPQvmW2dAV9s=",
-        "owner": "goauthentik",
+        "lastModified": 1768596569,
+        "narHash": "sha256-HDTbQB/sMhYh2b95dQwzF8OgrwLWdl4hVmx6wtDcgE8=",
+        "owner": "ma27",
        "repo": "authentik",
-        "rev": "0d617e4ad1eb9e4540ba5381e6ce06e971affc63",
+        "rev": "72ad5fe320f2201fc2a37372d4c9cb46377a58e5",
        "type": "github"
      },
      "original": {
-        "owner": "goauthentik",
-        "ref": "version/2025.10.3",
+        "owner": "ma27",
+        "ref": "2025.12.1-dependency-fix",
        "repo": "authentik",
        "type": "github"
      }
@ -97,11 +97,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1765779637,
-        "narHash": "sha256-KJ2wa/BLSrTqDjbfyNx70ov/HdgNBCBBSQP3BIzKnv4=",
+        "lastModified": 1768305791,
+        "narHash": "sha256-AIdl6WAn9aymeaH/NvBj0H9qM+XuAuYbGMZaP0zcXAQ=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "1306659b587dc277866c7b69eb97e5f07864d8c4",
+        "rev": "1412caf7bf9e660f2f962917c14b1ea1c3bc695e",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -42,7 +42,8 @@
    };
    authentik-src = {
      # change version string in outputs as well when updating
-      url = "github:goauthentik/authentik/version/2025.10.3";
+      #url = "github:goauthentik/authentik/version/2025.12.1";
+      url = "github:ma27/authentik/2025.12.1-dependency-fix";
      flake = false;
    };
  };
@ -67,7 +68,7 @@
        ...
      }:
      let
-        authentik-version = "2025.10.3"; # to pass to the drvs of some components
+        authentik-version = "2025.12.1"; # to pass to the drvs of some components
      in
      {
        systems = import inputs.systems;
@ -129,6 +130,10 @@
                # for uv2nix
                pythonOverlay = final.callPackage ./components/python-overrides.nix { };

+                patches = [
+                  ./components/0002-admin-file-dir-doesn-t-have-to-be-a-mountpoint.patch
+                ];
+
                inherit
                  authentik-src
                  authentik-version
--- a/module.nix
+++ b/module.nix
@ -323,10 +323,9 @@ in
            storage.media = {
              backend = mkDefault "file";
              file = mkDefault {
-                path = "/var/lib/authentik/media";
+                path = "/var/lib/authentik";
              };
            };
-            media.enable_upload = mkDefault true;
          };
          postgresql = mkIf cfg.createDatabase {
            enable = true;
@ -428,9 +427,6 @@ in
            restartTriggers = [ config.environment.etc."authentik/config.yml".source ];
            preStart = ''
              ln -svf ${cfg.authentikComponents.staticWorkdirDeps}/* /var/lib/authentik/
-              ${optionalString (cfg.settings.storage.media.backend == "file") ''
-                mkdir -p ${cfg.settings.storage.media.file.path}
-              ''}
            '';
            environment = mkMerge [
              environment