treewide: nixfmt

WilliButz 2025-02-02 14:16:38 +01:00
parent d653af66b3
commit dbfc2207df
GPG key ID: AB05DF703EB9DC70
14 changed files with 688 additions and 564 deletions


@ -1,7 +1,8 @@
{ authentik-src
, authentik-version
, buildNapalmPackage
, nodejs_22
{
authentik-src,
authentik-version,
buildNapalmPackage,
nodejs_22,
}:
buildNapalmPackage "${authentik-src}/website" {
@ -52,8 +53,7 @@ buildNapalmPackage "${authentik-src}/website" {
let
files = builtins.readDir ./docs-extra-package-locks;
in
builtins.concatMap (f:
if files.${f} == "regular"
then [ (./docs-extra-package-locks + "/${f}") ] else []
builtins.concatMap (
f: if files.${f} == "regular" then [ (./docs-extra-package-locks + "/${f}") ] else [ ]
) (builtins.attrNames files);
}


@ -1,8 +1,9 @@
{ authentik-src
, authentik-version
, authentikComponents
, buildNapalmPackage
, nodejs_22
{
authentik-src,
authentik-version,
authentikComponents,
buildNapalmPackage,
nodejs_22,
}:
buildNapalmPackage "${authentik-src}/web" rec {
version = authentik-version; # 0.0.0 specified upstream in package.json


@ -1,9 +1,10 @@
{ authentik-src
, authentik-version
, authentikComponents
, buildGo123Module
, lib
, makeWrapper
{
authentik-src,
authentik-version,
authentikComponents,
buildGo123Module,
lib,
makeWrapper,
}:
buildGo123Module {
@ -16,15 +17,15 @@ buildGo123Module {
'';
src = lib.cleanSourceWith {
src = authentik-src;
filter = (path: _:
filter = (
path: _:
(builtins.any (x: x) (
(map (infix: lib.hasInfix infix path) [
"/authentik"
"/cmd"
"/internal"
])
++
(map (suffix: lib.hasSuffix suffix path) [
++ (map (suffix: lib.hasSuffix suffix path) [
"/web"
"/web/static.go"
"/web/robots.txt"


@ -1,12 +1,15 @@
{ authentik-src
, authentikComponents
, makeWrapper
, runCommandLocal
{
authentik-src,
authentikComponents,
makeWrapper,
runCommandLocal,
}:
runCommandLocal "authentik-manage" {
runCommandLocal "authentik-manage"
{
nativeBuildInputs = [ makeWrapper ];
} ''
}
''
mkdir -vp $out/bin
cp -v ${authentik-src}/manage.py $out/bin/manage.py


@ -1,12 +1,15 @@
{ authentik-src
, authentikComponents
, makeWrapper
, runCommandLocal
{
authentik-src,
authentikComponents,
makeWrapper,
runCommandLocal,
}:
runCommandLocal "authentik-migrate.py" {
runCommandLocal "authentik-migrate.py"
{
nativeBuildInputs = [ makeWrapper ];
} ''
}
''
mkdir -vp $out/bin
cp ${authentik-src}/lifecycle/migrate.py $out/bin/migrate.py
chmod +w $out/bin/migrate.py


@ -1,9 +1,10 @@
{ authentik-src
, authentikPoetryOverrides
, defaultPoetryOverrides
, lib
, mkPoetryEnv
, python312
{
authentik-src,
authentikPoetryOverrides,
defaultPoetryOverrides,
lib,
mkPoetryEnv,
python312,
}:
mkPoetryEnv {
@ -16,9 +17,9 @@ mkPoetryEnv {
checkGroups = [ ];
# workaround to remove dev-dependencies for the current combination of legacy
# used by authentik and poetry2nix's behavior
pyproject = builtins.toFile "patched-pyproject.toml" (lib.replaceStrings
["tool.poetry.dev-dependencies"]
["tool.poetry.group.dev.dependencies"]
(builtins.readFile "${authentik-src}/pyproject.toml")
pyproject = builtins.toFile "patched-pyproject.toml" (
lib.replaceStrings [ "tool.poetry.dev-dependencies" ] [ "tool.poetry.group.dev.dependencies" ] (
builtins.readFile "${authentik-src}/pyproject.toml"
)
);
}


@ -1,7 +1,8 @@
{ authentik-src
, authentikComponents
, linkFarm
, applyPatches
{
authentik-src,
authentikComponents,
linkFarm,
applyPatches,
}:
let
patched-src = applyPatches {
@ -14,11 +15,32 @@ let
};
in
linkFarm "authentik-static-workdir-deps" [
{ name = "authentik"; path = "${patched-src}/authentik"; }
{ name = "locale"; path = "${authentik-src}/locale"; }
{ name = "blueprints"; path = "${authentik-src}/blueprints"; }
{ name = "internal"; path = "${authentik-src}/internal"; }
{ name = "lifecycle"; path = "${patched-src}/lifecycle"; }
{ name = "schemas"; path = "${authentik-src}/schemas"; }
{ name = "web"; path = authentikComponents.frontend; }
{
name = "authentik";
path = "${patched-src}/authentik";
}
{
name = "locale";
path = "${authentik-src}/locale";
}
{
name = "blueprints";
path = "${authentik-src}/blueprints";
}
{
name = "internal";
path = "${authentik-src}/internal";
}
{
name = "lifecycle";
path = "${patched-src}/lifecycle";
}
{
name = "schemas";
path = "${authentik-src}/schemas";
}
{
name = "web";
path = authentikComponents.frontend;
}
]


@ -1,10 +1,9 @@
(import
(
let lock = builtins.fromJSON (builtins.readFile ./flake.lock); in
(import (
let
lock = builtins.fromJSON (builtins.readFile ./flake.lock);
in
fetchTarball {
url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
sha256 = lock.nodes.flake-compat.locked.narHash;
}
)
{ src = ./.; }
).defaultNix
) { src = ./.; }).defaultNix


@ -30,13 +30,15 @@
flake-utils.follows = "flake-utils";
};
};
authentik-src = { # change version string in outputs as well when updating
authentik-src = {
# change version string in outputs as well when updating
url = "github:goauthentik/authentik/version/2024.12.3";
flake = false;
};
};
outputs = inputs@{
outputs =
inputs@{
self,
nixpkgs,
flake-parts,
@ -46,20 +48,41 @@
...
}:
flake-parts.lib.mkFlake
{ inherit inputs; }
({ inputs, lib, withSystem, ... }:
flake-parts.lib.mkFlake { inherit inputs; } (
{
inputs,
lib,
withSystem,
...
}:
let
authentik-version = "2024.12.3"; # to pass to the drvs of some components
in {
in
{
systems = import inputs.systems;
flake = { self, ... }: {
nixosModules.default = { pkgs, ... }: {
flake =
{ self, ... }:
{
nixosModules.default =
{ pkgs, ... }:
{
imports = [ ./module.nix ];
services.authentik.authentikComponents = pkgs.lib.mkDefault (withSystem pkgs.stdenv.hostPlatform.system (
services.authentik.authentikComponents = pkgs.lib.mkDefault (
withSystem pkgs.stdenv.hostPlatform.system (
{ config, ... }:
{ inherit (config.packages) manage staticWorkdirDeps migrate pythonEnv frontend gopkgs docs; }
));
{
inherit (config.packages)
manage
staticWorkdirDeps
migrate
pythonEnv
frontend
gopkgs
docs
;
}
)
);
};
# returns a scope which includes the attrset `authentikComponents`
@ -68,22 +91,42 @@
# create a new scope with patched versions of individual authentik components
#
# see ./tests/override-scope.nix for a usage example
lib.mkAuthentikScope = let authentik-version' = authentik-version; in {
lib.mkAuthentikScope =
let
authentik-version' = authentik-version;
in
{
pkgs,
system ? pkgs.stdenv.hostPlatform.system,
authentik-version ? authentik-version',
mkPoetryEnv ? (import inputs.poetry2nix { inherit pkgs; }).mkPoetryEnv,
defaultPoetryOverrides ? (import inputs.poetry2nix { inherit pkgs; }).defaultPoetryOverrides,
authentikPoetryOverrides ? import ./poetry2nix-python-overrides.nix pkgs,
buildNapalmPackage ? napalm.legacyPackages.${system}.buildPackage
buildNapalmPackage ? napalm.legacyPackages.${system}.buildPackage,
}:
import ./components {
inherit pkgs authentik-src authentik-version mkPoetryEnv defaultPoetryOverrides authentikPoetryOverrides buildNapalmPackage;
inherit
pkgs
authentik-src
authentik-version
mkPoetryEnv
defaultPoetryOverrides
authentikPoetryOverrides
buildNapalmPackage
;
};
};
perSystem = { pkgs, system, self', ... }: let
perSystem =
{
pkgs,
system,
self',
...
}:
let
inherit (self.lib.mkAuthentikScope { inherit pkgs; }) authentikComponents;
in {
in
{
packages = {
inherit (authentikComponents)
docs
@ -92,7 +135,8 @@
gopkgs
staticWorkdirDeps
migrate
manage;
manage
;
terraform-provider-authentik = inputs.nixpkgs.legacyPackages.${system}.buildGo123Module rec {
pname = "terraform-provider-authentik";
@ -115,16 +159,21 @@
};
checks = {
default = self.checks.${system}.vmtest;
vmtest = (import tests/minimal-vmtest.nix {
vmtest = (
import tests/minimal-vmtest.nix {
inherit pkgs authentik-version;
inherit (self) nixosModules;
});
override-scope = (import tests/override-scope.nix {
}
);
override-scope = (
import tests/override-scope.nix {
inherit pkgs authentik-version;
inherit (self) nixosModules;
inherit (self.lib) mkAuthentikScope;
});
};
};
});
}
);
};
};
}
);
}


@ -1,39 +1,47 @@
{ config
, lib
, pkgs
, ...
{
config,
lib,
pkgs,
...
}:
let
inherit (lib)
types;
types
;
inherit (lib.attrsets)
attrNames
getAttrs
mapAttrsToList;
mapAttrsToList
;
inherit (lib.lists)
flatten
toList;
toList
;
inherit (lib.modules)
mkDefault
mkIf
mkMerge
mkOverride;
mkOverride
;
inherit (lib.options)
mkEnableOption
mkOption;
mkOption
;
inherit (lib.strings)
concatStringsSep
optionalString
versionOlder;
versionOlder
;
inherit (lib.trivial)
boolToString
isBool;
isBool
;
settingsFormat = pkgs.formats.yaml { };
in
@ -141,7 +149,8 @@ in
config = mkMerge [
# authentik server
(mkIf config.services.authentik.enable (let
(mkIf config.services.authentik.enable (
let
cfg = config.services.authentik;
# https://goauthentik.io/docs/installation/docker-compose#startup
@ -153,18 +162,21 @@ in
User = "authentik";
EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];
};
akOptions = flatten (mapAttrsToList
akOptions = flatten (
mapAttrsToList
# Map defaults for each authentik service (listed above) to command line parameters for
# `systemd-run(1)` in order to spin up an environment with correct (dynamic) user,
# state directory and environment to run `ak` inside.
(k: vs: map
(v: "--property ${k}=${if isBool v then boolToString v else toString v}")
(toList vs))
(k: vs: map (v: "--property ${k}=${if isBool v then boolToString v else toString v}") (toList vs))
# Read serviceDefaults from `authentik.service`. That way, module system primitives (mk*)
# can be used inside `serviceDefaults` and it doesn't need to be evaluated here again.
(getAttrs (attrNames serviceDefaults) config.systemd.services.authentik.serviceConfig // {
(
getAttrs (attrNames serviceDefaults) config.systemd.services.authentik.serviceConfig
// {
StateDirectory = "authentik";
}));
}
)
);
in
{
services = {
@ -193,7 +205,10 @@ in
enable = true;
ensureDatabases = [ "authentik" ];
ensureUsers = [
{ name = "authentik"; ensureDBOwnership = true; }
{
name = "authentik";
ensureDBOwnership = true;
}
];
};
};
@ -207,7 +222,8 @@ in
'')
];
environment.etc."authentik/config.yml".source = settingsFormat.generate "authentik.yml" cfg.settings;
environment.etc."authentik/config.yml".source =
settingsFormat.generate "authentik.yml" cfg.settings;
systemd.services = {
authentik-migrate = {
@ -218,7 +234,9 @@ in
before = [ "authentik.service" ];
restartTriggers = [ config.environment.etc."authentik/config.yml".source ];
environment.TZ = tz;
serviceConfig = mkMerge [ serviceDefaults {
serviceConfig = mkMerge [
serviceDefaults
{
Type = "oneshot";
RemainAfterExit = true;
RuntimeDirectory = "authentik-migrate";
@ -231,7 +249,8 @@ in
Restart = "on-failure";
RestartSec = "1s";
inherit (config.systemd.services.authentik.serviceConfig) StateDirectory;
} ];
}
];
};
authentik-worker = {
requiredBy = [ "authentik.service" ];
@ -243,7 +262,9 @@ in
ln -svf ${config.services.authentik.authentikComponents.staticWorkdirDeps}/* /run/authentik/
'';
environment.TZ = tz;
serviceConfig = mkMerge [ serviceDefaults {
serviceConfig = mkMerge [
serviceDefaults
{
RuntimeDirectory = "authentik";
WorkingDirectory = "%t/authentik";
ExecStart = "${cfg.authentikComponents.manage}/bin/manage.py worker";
@ -255,7 +276,8 @@ in
];
# needs access to $StateDirectory/media/public
inherit (config.systemd.services.authentik.serviceConfig) StateDirectory;
} ];
}
];
};
authentik = {
wantedBy = [ "multi-user.target" ];
@ -272,7 +294,9 @@ in
''}
'';
environment.TZ = tz;
serviceConfig = mkMerge [ serviceDefaults {
serviceConfig = mkMerge [
serviceDefaults
{
StateDirectory = "authentik";
UMask = "0027";
# TODO /run might be sufficient
@ -280,7 +304,8 @@ in
ExecStart = "${cfg.authentikComponents.gopkgs}/bin/server";
Restart = "on-failure";
RestartSec = "1s";
} ];
}
];
};
};
@ -297,10 +322,12 @@ in
};
};
};
}))
}
))
# LDAP outpost
(mkIf config.services.authentik-ldap.enable (let
(mkIf config.services.authentik-ldap.enable (
let
cfg = config.services.authentik-ldap;
in
{
@ -321,10 +348,12 @@ in
Restart = "on-failure";
};
};
}))
}
))
# RADIUS outpost
(mkIf config.services.authentik-radius.enable (let
(mkIf config.services.authentik-radius.enable (
let
cfg = config.services.authentik-radius;
in
{
@ -345,7 +374,8 @@ in
Restart = "on-failure";
};
};
}))
}
))
# This is an attempt to solve a rather ugly problem that was
# caused by previously setting a default for the option


@ -1,23 +1,35 @@
pkgs:
[
pkgs: [
# modules missing only setuptools
(final: prev:
(builtins.listToAttrs (map (name: {
(
final: prev:
(builtins.listToAttrs (
map
(name: {
inherit name;
value = prev.${name}.overrideAttrs (oA: {
nativeBuildInputs = (oA.nativeBuildInputs or [ ]) ++ [ final.setuptools ];
});
}) [
})
[
"django-cte"
"django-tenants"
"dumb-init"
"drf-orjson-renderer"
]))
]
))
)
(final: prev: {
xmlsec = prev.xmlsec.overridePythonAttrs (oA: {
nativeBuildInputs = oA.nativeBuildInputs ++ [ final.setuptools final.pkgconfig ];
buildInputs = [ pkgs.xmlsec.dev pkgs.xmlsec pkgs.libxml2 pkgs.libtool ];
nativeBuildInputs = oA.nativeBuildInputs ++ [
final.setuptools
final.pkgconfig
];
buildInputs = [
pkgs.xmlsec.dev
pkgs.xmlsec
pkgs.libxml2
pkgs.libtool
];
env.NIX_CFLAGS_COMPILE = "-Wno-error=incompatible-pointer-types";
});
opencontainers = prev.opencontainers.overrideAttrs (oA: {
@ -153,6 +165,5 @@ pkgs:
ua-parser-builtins = prev.ua-parser-builtins.overridePythonAttrs (oA: {
propagatedBuildInputs = builtins.filter (p: p.pname != "ua-parser") oA.propagatedBuildInputs;
});
}
)
})
]


@ -1,10 +1,9 @@
(import
(
let lock = builtins.fromJSON (builtins.readFile ./flake.lock); in
(import (
let
lock = builtins.fromJSON (builtins.readFile ./flake.lock);
in
fetchTarball {
url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
sha256 = lock.nodes.flake-compat.locked.narHash;
}
)
{ src = ./.; }
).shellNix
) { src = ./.; }).shellNix


@ -1,6 +1,7 @@
{ pkgs
, authentik-version
, nixosModules
{
pkgs,
authentik-version,
nixosModules,
}:
let
# use a root-owned EnvironmentFile in production instead (services.authentik.environmentFile)


@ -1,19 +1,20 @@
{ pkgs
, authentik-version
, nixosModules
, mkAuthentikScope
{
pkgs,
authentik-version,
nixosModules,
mkAuthentikScope,
}:
/*
* This is just meant as a demonstration on how to override the scope which includes the
* authentik components. This is an extended version of ./minimal-vmtest.nix
*
* First, a new scope is created from the default one using `overrideScope` on the result
* from `mkAuthentikScope`.
* Components with overrides in that scope are used by their dependents, i.e. dependents
* of `pythonEnv` (e.g. gopkgs) also pull in that overridden `pythonEnv`
* Then, that scope is passed to the module via the `services.authentik.authentikComponents` option
* And finally, the test script checks if the patched welcome string is present.
This is just meant as a demonstration on how to override the scope which includes the
authentik components. This is an extended version of ./minimal-vmtest.nix
First, a new scope is created from the default one using `overrideScope` on the result
from `mkAuthentikScope`.
Components with overrides in that scope are used by their dependents, i.e. dependents
of `pythonEnv` (e.g. gopkgs) also pull in that overridden `pythonEnv`
Then, that scope is passed to the module via the `services.authentik.authentikComponents` option
And finally, the test script checks if the patched welcome string is present.
*/
let
@ -26,14 +27,16 @@ let
# creates a new scope using python 3.12 for mkPoetryEnv
# and overrides the welcome string for the default oobe intial-setup flow
customScope = (mkAuthentikScope { inherit pkgs; }).overrideScope
(final: prev: {
customScope = (mkAuthentikScope { inherit pkgs; }).overrideScope (
final: prev: {
authentikComponents = prev.authentikComponents // {
pythonEnv = prev.authentikComponents.pythonEnv.overrideAttrs (_: {
python = pkgs.python312;
});
staticWorkdirDeps = prev.authentikComponents.staticWorkdirDeps.overrideAttrs (oA: {
buildCommand = oA.buildCommand + ''
buildCommand =
oA.buildCommand
+ ''
rm -v $out/blueprints
cp -vr ${prev.authentik-src}/blueprints $out/blueprints
substituteInPlace $out/blueprints/default/flow-oobe.yaml \
@ -41,7 +44,8 @@ let
'';
});
};
});
}
);
in
pkgs.nixosTest {
name = "authentik";