Release notes: https://docs.goauthentik.io/docs/releases/2024.6
Includes a hacky workaround for a node dependency that is required to
build the `/website` subdirectory of the authentik repo, i.e. "docs".
That should not be required after the next major update, as the
dependency causing this is no longer used on authentik's main branch.
See components/docs.nix for more info.
Flake lock file updates:
• Updated input 'authentik-src':
'github:goauthentik/authentik/5afceaa55f4d831db0cf9d80562e86eb43b622ec' (2024-06-26)
→ 'github:goauthentik/authentik/9075270b01e784d25f2ec08b82e73f1ce3086184' (2024-07-11)
• Updated input 'flake-parts':
'github:hercules-ci/flake-parts/9126214d0a59633752a136528f5f3b9aa8565b7d' (2024-04-01)
→ 'github:hercules-ci/flake-parts/c3c5ecc05edc7dafba779c6c1a61cd08ac6583e9' (2024-06-30)
• Updated input 'flake-parts/nixpkgs-lib':
'github:NixOS/nixpkgs/d8fe5e6c92d0d190646fb9f1056741a229980089?dir=lib' (2024-03-29)
→ 'https://github.com/NixOS/nixpkgs/archive/eb9ceca17df2ea50a250b6b27f7bf6ab0186f198.tar.gz?narHash=sha256-lIbdfCsf8LMFloheeE6N31%2BBMIeixqyQWbSr2vk79EQ%3D' (2024-06-01)
• Updated input 'napalm':
'github:nix-community/napalm/edcb26c266ca37c9521f6a97f33234633cbec186' (2023-12-20)
→ 'github:nix-community/napalm/e1babff744cd278b56abe8478008b4a9e23036cf' (2024-06-09)
• Updated input 'nixpkgs':
'github:nixos/nixpkgs/6143fc5eeb9c4f00163267708e26191d1e918932' (2024-04-21)
→ 'github:NixOS/nixpkgs/feb2849fdeb70028c70d73b848214b00d324a497' (2024-07-29)
• Updated input 'poetry2nix':
'github:nix-community/poetry2nix/e6b36523407ae6a7a4dfe29770c30b3a3563b43a' (2024-05-06)
→ 'github:nix-community/poetry2nix/4fd045cdb85f2a0173021a4717dc01d92d7ab2b2' (2024-06-28)
• Updated input 'poetry2nix/treefmt-nix':
'github:numtide/treefmt-nix/c6aaf729f34a36c445618580a9f95a48f5e4e03f' (2024-04-25)
→ 'github:numtide/treefmt-nix/68eb1dc333ce82d0ab0c0357363ea17c31ea1f81' (2024-06-16)
There aren't any tests, but it's hanging in this phase for a while since
it compiles Go code to see if there are any tests in the modules.
authentik-gopkgs> Running phase: checkPhase
authentik-gopkgs> ? goauthentik.io/cmd/ldap [no test files]
authentik-gopkgs> ? goauthentik.io/cmd/server [no test files]
authentik-gopkgs> ? goauthentik.io/cmd/proxy [no test files]
authentik-gopkgs> ? goauthentik.io/cmd/radius [no test files]
Was changed within upstream commit abc0c2d2a2a0bfb0214798ed6bca9d59359b39f8.
The sole reason this worked was that `settings.storage.media.file.path`
pointed to `./media`, relative to `/var/lib/authentik`.
Update our config accordingly.
This gives the default value from this module a slightly higher
priority than the upstream module's default, while still allowing users
to simply set `services.postgresql.package` using the default priority.
The change in 8bc790171f introduced
`mkDefault` for the postgresql package.
Unfortunately the upstream package option default is also specified
using `mkDefault` instead of the more appropriate `mkOptionDefault`.
This meant that users with a `system.stateVersion` other than `22.05`,
`22.11` or `23.05` got an evaluation error because there are two
conflicting definitions for the package option.
Fixes divergence between the two test scripts.
The test doesn't need to be executed by default. It is just a
demonstration on how to use a custom scope that can be created with
the function `mkAuthentikScope`, that is available through the `lib`
flake output.
This was made possible by d85dacb6c2
which allows to directly use `manage.py`. That script is
effectively used whenever the `ak` command is referenced in the docs,
e.g. to set a new password for the superuser or to send a test email.
This needs to run as the same (dynamic) user and with the same env file,
otherwise `manage.py` exits early. To achieve that, I
decided to use `systemd-run(1)` because now the invocation can be
configured the same way as services are.
The new migration in tenant_files.py references a MEDIA_ROOT directory
based on its own path, which in our case is in the read-only /nix/store.
We need it to refer to the actual authentik state directory instead,
which defaults to /var/lib/authentik/media in module.nix
Fixes#15
Before this change it was non-trivial to deploy the ldap outpost without
also activating the main authentik service on the same host. Adding
functionality to provide a separate configuration file for the outpost
service remains an open task.
The media upload feature is build around being deployed in a container
and only enables uploads when `/media` is a mountpoint. This isn't the
case on nixos and as such media uploads are disable.
In order to enable this, we need to patch authentik so that the
`can_save_media` capability is enabled.
