From d060292aa6ada79824349c33f3e0e08ad7242e94 Mon Sep 17 00:00:00 2001
From: WilliButz <willibutz@posteo.de>
Date: Wed, 21 Feb 2024 22:02:29 +0100
Subject: [PATCH] add patch to fix failing "tenant_files" migration

The new migration in tenant_files.py references a MEDIA_ROOT directory
based on its own path, which in our case is in the read-only /nix/store.

We need it to refer to the actual authentik state directory instead,
which defaults to /var/lib/authentik/media in module.nix
---
 .../authentik_media_tenant_files_miration.patch   | 15 +++++++++++++++
 components/staticWorkdirDeps.nix                  |  9 ++++++---
 module.nix                                        |  1 +
 3 files changed, 22 insertions(+), 3 deletions(-)
 create mode 100644 components/authentik_media_tenant_files_miration.patch

diff --git a/components/authentik_media_tenant_files_miration.patch b/components/authentik_media_tenant_files_miration.patch
new file mode 100644
index 0000000..cc7a616
--- /dev/null
+++ b/components/authentik_media_tenant_files_miration.patch
@@ -0,0 +1,15 @@
+diff --git a/lifecycle/system_migrations/tenant_files.py b/lifecycle/system_migrations/tenant_files.py
+index 40795d460..7ac1efb34 100644
+--- a/lifecycle/system_migrations/tenant_files.py
++++ b/lifecycle/system_migrations/tenant_files.py
+@@ -2,8 +2,9 @@
+ from pathlib import Path
+ 
+ from lifecycle.migrate import BaseMigration
++from authentik.lib.config import CONFIG
+ 
+-MEDIA_ROOT = Path(__file__).parent.parent.parent / "media"
++MEDIA_ROOT = Path(CONFIG.get("paths.media"))
+ TENANT_MEDIA_ROOT = MEDIA_ROOT / "public"
+ 
+ 
diff --git a/components/staticWorkdirDeps.nix b/components/staticWorkdirDeps.nix
index e5d6122..15b6870 100644
--- a/components/staticWorkdirDeps.nix
+++ b/components/staticWorkdirDeps.nix
@@ -4,10 +4,13 @@
 , applyPatches
 }:
 let
-  patched-src = applyPatches { 
+  patched-src = applyPatches {
     src = authentik-src;
     name = "patched-authentik-source";
-    patches = [ ./authentik_media_upload.patch ];
+    patches = [
+      ./authentik_media_upload.patch
+      ./authentik_media_tenant_files_miration.patch
+    ];
   };
 in
 linkFarm "authentik-static-workdir-deps" [
@@ -15,7 +18,7 @@ linkFarm "authentik-static-workdir-deps" [
   { name = "locale"; path = "${authentik-src}/locale"; }
   { name = "blueprints"; path = "${authentik-src}/blueprints"; }
   { name = "internal"; path = "${authentik-src}/internal"; }
-  { name = "lifecycle"; path = "${authentik-src}/lifecycle"; }
+  { name = "lifecycle"; path = "${patched-src}/lifecycle"; }
   { name = "schemas"; path = "${authentik-src}/schemas"; }
   { name = "web"; path = authentikComponents.frontend; }
 ]
diff --git a/module.nix b/module.nix
index 110b1af..3fe487d 100644
--- a/module.nix
+++ b/module.nix
@@ -150,6 +150,7 @@ in
             User = "authentik";
             ExecStart = "${cfg.authentikComponents.migrate}/bin/migrate.py";
             EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];
+            inherit (config.systemd.services.authentik.serviceConfig) StateDirectory;
           };
         };
         authentik-worker = {