add patch to fix failing "tenant_files" migration

The new migration in tenant_files.py references a MEDIA_ROOT directory
based on its own path, which in our case is in the read-only /nix/store.

We need it to refer to the actual authentik state directory instead,
which defaults to /var/lib/authentik/media in module.nix

components/authentik_media_tenant_files_miration.patch

@@ -0,0 +1,15 @@
+diff --git a/lifecycle/system_migrations/tenant_files.py b/lifecycle/system_migrations/tenant_files.py
+index 40795d460..7ac1efb34 100644
+--- a/lifecycle/system_migrations/tenant_files.py
++++ b/lifecycle/system_migrations/tenant_files.py
+@@ -2,8 +2,9 @@
+ from pathlib import Path
+ 
+ from lifecycle.migrate import BaseMigration
++from authentik.lib.config import CONFIG
+ 
+-MEDIA_ROOT = Path(__file__).parent.parent.parent / "media"
++MEDIA_ROOT = Path(CONFIG.get("paths.media"))
+ TENANT_MEDIA_ROOT = MEDIA_ROOT / "public"
+ 
+ 

components/staticWorkdirDeps.nix

@@ -4,10 +4,13 @@
 , applyPatches
 }:
 let
-  patched-src = applyPatches { 
+  patched-src = applyPatches {
     src = authentik-src;
     name = "patched-authentik-source";
-    patches = [ ./authentik_media_upload.patch ];
+    patches = [
+      ./authentik_media_upload.patch
+      ./authentik_media_tenant_files_miration.patch
+    ];
   };
 in
 linkFarm "authentik-static-workdir-deps" [
@@ -15,7 +18,7 @@ linkFarm "authentik-static-workdir-deps" [
   { name = "locale"; path = "${authentik-src}/locale"; }
   { name = "blueprints"; path = "${authentik-src}/blueprints"; }
   { name = "internal"; path = "${authentik-src}/internal"; }
-  { name = "lifecycle"; path = "${authentik-src}/lifecycle"; }
+  { name = "lifecycle"; path = "${patched-src}/lifecycle"; }
   { name = "schemas"; path = "${authentik-src}/schemas"; }
   { name = "web"; path = authentikComponents.frontend; }
 ]