shokinn
3bf78b1126
Add dependency to network-online.target for authentik.service
2024-01-24 18:42:16 +01:00
WilliButz
d5e41d40fa
Merge pull request #10 from xanderio/media_upload
...
enable media uploads
2024-01-15 22:10:58 +01:00
Alexander Sieg
8e23ad0cef
enable media uploads
...
The media upload feature is built around being deployed in a container
and only enables uploads when `/media` is a mountpoint. This isn't the
case on NixOS and as such media uploads are disabled.
In order to enable this, we need to patch authentik so that the
`can_save_media` capability is enabled.
2024-01-15 17:10:22 +01:00
WilliButz
8ff6252370
update: 2023.10.5 -> 2023.10.6 (security update)
...
Fixes CVE-2024-21637
See https://goauthentik.io/docs/security/CVE-2024-21637
Flake lock file updates:
• Updated input 'authentik-src':
'github:goauthentik/authentik/a15a04036223c53bea841436f4943278b4eab460' (2023-12-21)
→ 'github:goauthentik/authentik/1cd000dfe204b9605c85e6cebc051586a0329604' (2024-01-09)
2024-01-09 18:54:16 +01:00
WilliButz
1d2fe8bd1e
Merge pull request #9 from Ma27/restart-ldap-outpost
...
authentik-ldap: restart on failure
2024-01-03 20:06:33 +01:00
WilliButz
010cb5fae5
Merge pull request #7 from shokinn/fix-sending-email-missing-assets
...
link static workdir deps to /run/authentik
2024-01-03 20:05:43 +01:00
Maximilian Bosch
7c6103be81
authentik-ldap: restart on failure
...
I'm occasionally seeing the following error:
Jan 01 22:02:10 auth ldap[151813]: fatal error: concurrent map writes
Jan 01 22:02:10 auth ldap[151813]: fatal error: concurrent map writes
Jan 01 22:02:10 auth ldap[151813]: goroutine 4841 [running]:
Jan 01 22:02:10 auth ldap[151813]: goauthentik.io/api/v3.(*Configuration).AddDefaultHeader(...)
Jan 01 22:02:10 auth ldap[151813]: goauthentik.io/api/v3@v3.2023101.1/configuration.go:120
Jan 01 22:02:10 auth ldap[151813]: goauthentik.io/internal/outpost/ldap/search/direct.(*DirectSearcher).Search(0xc0002ba4f8, 0xc000510dd0)
Jan 01 22:02:10 auth ldap[151813]: goauthentik.io/internal/outpost/ldap/search/direct/direct.go:112 +0x65a
[...]
Jan 01 22:02:10 auth systemd[1]: authentik-ldap.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Jan 01 22:02:10 auth systemd[1]: authentik-ldap.service: Failed with result 'exit-code'.
Obviously, I need to find out what's up there. However, services
shouldn't just die on a crash, but restart in that case. If that happens
too often, StartLimitBurst/StartLimitIntervalSec ensure that the
(re)start attempt is aborted eventually.
This is especially problematic because Nextcloud tries to contact the
LDAP server on every single request for a sync which means that the
entire service is down when such a crash happens.
2024-01-03 12:52:42 +01:00
shokinn
47e0cb8e14
link static workdir deps to /run/authentik
2023-12-29 15:01:03 +01:00
WilliButz
d2367d0c21
update: 2023.10.4 -> 2023.10.5
...
Flake lock file updates:
• Updated input 'authentik-src':
'github:goauthentik/authentik/a2a67161ac8b840d63cbaacdfbebb60fd48e901b' (2023-11-21)
→ 'github:goauthentik/authentik/a15a04036223c53bea841436f4943278b4eab460' (2023-12-21)
2023-12-21 14:44:38 +01:00
WilliButz
4a61f8afb4
README: update
2023-12-20 21:34:25 +01:00
WilliButz
be532175cd
flake.lock: update napalm
...
Flake lock file updates:
• Updated input 'napalm':
'github:nix-community/napalm/a8215ccf1c80070f51a92771f3bc637dd9b9f7ee' (2023-09-06)
→ 'github:nix-community/napalm/edcb26c266ca37c9521f6a97f33234633cbec186' (2023-12-20)
2023-12-20 21:19:38 +01:00
WilliButz
9b18007aac
provide authentik components in separate scope
...
* provides a new function `lib.mkAuthentikScope` as a flake output to
create a custom scope with overrides outside of this flake
* adds a slightly altered version of existing vm test to demonstrate the
usage of `mkAuthentikScope` for overriding individual authentik
components in tests/override-scope.nix
2023-12-14 15:04:06 +01:00
WilliButz
6df56466f9
factor out components with callPackage to allow for easier overrides
...
Before this change it was very inconvenient to override specific
dependencies, e.g. patching something in pythonEnv and having its
dependents use that patched version.
This is just a step towards better overridability for the individual
authentik components, because patched versions of components still need
to be manually passed to their dependents. An overlay-like approach
would be even better.
2023-12-14 15:04:04 +01:00
WilliButz
d12bdcc87d
flake: replace runCommandLocal with builtin functions to avoid IFD
...
Pointed out in https://github.com/nix-community/authentik-nix/issues/5
Co-authored-by: Philip Henning <philip.henning@base23.de>
2023-12-11 15:31:43 +01:00
WilliButz
07c6476fbf
module: make authentikComponents a simple attrset
2023-12-10 15:16:53 +01:00
WilliButz
1b9f4dce95
test: move to tests dir
2023-12-10 15:16:53 +01:00
WilliButz
ed999ba030
use mkDefault for authentikComponents
2023-12-10 15:16:53 +01:00
WilliButz
8b05ebf200
module: drop unused recursiveUpdate
2023-12-10 15:16:53 +01:00
WilliButz
332d717766
module: update postgres config (ensurePermissions -> ensureDBOwnership)
...
see https://github.com/NixOS/nixpkgs/pull/266270
2023-12-10 15:16:41 +01:00
WilliButz
aeba8124d2
flake: drop obsolete devShell
2023-12-10 15:13:28 +01:00
WilliButz
7f46d7ee99
flake.lock: Update, reference nixos-23.11 instead of unstable
...
Flake lock file updates:
• Updated input 'flake-parts':
'github:hercules-ci/flake-parts/c9afaba3dfa4085dbd2ccb38dfade5141e33d9d4' (2023-10-03)
→ 'github:hercules-ci/flake-parts/34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5' (2023-12-01)
• Updated input 'flake-parts/nixpkgs-lib':
'github:NixOS/nixpkgs/f5892ddac112a1e9b3612c39af1b72987ee5783a?dir=lib' (2023-09-29)
→ 'github:NixOS/nixpkgs/e92039b55bcd58469325ded85d4f58dd5a4eaf58?dir=lib' (2023-11-29)
• Updated input 'flake-utils':
'github:numtide/flake-utils/ff7b65b44d01cf9ba6a71320833626af21126384' (2023-09-12)
→ 'github:numtide/flake-utils/4022d587cbbfd70fe950c1e2083a02621806a725' (2023-12-04)
• Updated input 'nixpkgs-23-05':
'github:NixOS/nixpkgs/41de143fda10e33be0f47eab2bfe08a50f234267' (2023-11-06)
→ 'github:NixOS/nixpkgs/e9f06adb793d1cca5384907b3b8a4071d5d7cb19' (2023-12-03)
• Updated input 'poetry2nix':
'github:nix-community/poetry2nix/8f2c483f9a40db26011f6668559574a4b86ed499' (2023-10-26)
→ 'github:nix-community/poetry2nix/9fc487b32a68473da4bf9573f85b388043c5ecda' (2023-12-06)
• Updated input 'poetry2nix/nix-github-actions':
'github:nix-community/nix-github-actions/bd5bdbb52350e145c526108f4ef192eb8e554fa0' (2023-09-02)
→ 'github:nix-community/nix-github-actions/4bb5e752616262457bc7ca5882192a564c0472d2' (2023-11-03)
• Updated input 'poetry2nix/treefmt-nix':
'github:numtide/treefmt-nix/aae39f64f5ecbe89792d05eacea5cb241891292a' (2023-10-15)
→ 'github:numtide/treefmt-nix/e82f32aa7f06bbbd56d7b12186d555223dc399d1' (2023-11-12)
2023-12-10 15:13:28 +01:00
WilliButz
9663811618
update: 2023.10.3 -> 2023.10.4 (security update)
...
Includes fix for https://goauthentik.io/docs/security/CVE-2023-48228
Flake lock file updates:
• Updated input 'authentik-src':
'github:goauthentik/authentik/82b5274b15ddf6d9925e7b349f70bbff5be1d8be' (2023-11-09)
→ 'github:goauthentik/authentik/a2a67161ac8b840d63cbaacdfbebb60fd48e901b' (2023-11-21)
2023-11-21 18:47:39 +01:00
WilliButz
976d382bf4
update: 2023.10.2 -> 2023.10.3
...
Flake lock file updates:
• Updated input 'authentik-src':
'github:goauthentik/authentik/8e72fcab59a65e900a35a0faa21fe0bfef4c63c3' (2023-10-28)
→ 'github:goauthentik/authentik/82b5274b15ddf6d9925e7b349f70bbff5be1d8be' (2023-11-09)
2023-11-09 19:08:49 +01:00
WilliButz
2445de2001
terraform-provider-authentik: 2023.8.0 -> 2023.10.0
...
The provider still specifies go 1.18 in go.mod, so nixpkgs@23.05 needs
to be pulled in again. Not really happy about this, maybe there's some
cleaner approach.
2023-11-08 15:31:30 +01:00
WilliButz
c775e737f5
update: 2023.10.1 -> 2023.10.2
...
Flake lock file updates:
• Updated input 'authentik-src':
'github:goauthentik/authentik/64c38909ffd969787f2d634b0e971b90a451d5db' (2023-10-26)
→ 'github:goauthentik/authentik/8e72fcab59a65e900a35a0faa21fe0bfef4c63c3' (2023-10-28)
2023-10-28 22:42:43 +02:00
WilliButz
d3b1353030
github-workflows/flakehub: don't auto run
2023-10-28 22:42:28 +02:00
WilliButz
1ec83f48ae
update: 2023.10.0 -> 2023.10.1
2023-10-27 17:02:14 +02:00
WilliButz
e1ccfb9fb6
test: add trailing slash to urls
...
Before 2023.10 this was implicitly supported, but undocumented.
See https://github.com/goauthentik/authentik/pull/6928/commits/c4ea44da1bb63182e5413bdf8f0a9
2023-10-27 17:02:14 +02:00
WilliButz
cdffc37ad9
update: 2023.8.3 -> 2023.10.0
...
* nixpkgs-23.05 -> nixpkgs-unstable (for nodejs 21)
* nodejs_20 -> nodejs_21
* go_1_20 -> go_1_21
* added workaround for poetry2nix to drop python dev-dependencies
Flake lock file updates:
• Updated input 'authentik-src':
'github:goauthentik/authentik/f885f8c0395df639ccabd762910867bef0f4577c' (2023-09-11)
→ 'github:goauthentik/authentik/b7c02808c664714144bd7ae6fee4c6402a88f426' (2023-10-26)
• Updated input 'flake-compat':
'github:edolstra/flake-compat/35bb57c0c8d8b62bbfd284272c928ceb64ddbde9' (2023-01-17)
→ 'github:edolstra/flake-compat/0f9255e01c2351cc7d116c072cb317785dd33b33' (2023-10-04)
• Updated input 'flake-parts':
'github:hercules-ci/flake-parts/7f53fdb7bdc5bb237da7fefef12d099e4fd611ca' (2023-09-01)
→ 'github:hercules-ci/flake-parts/c9afaba3dfa4085dbd2ccb38dfade5141e33d9d4' (2023-10-03)
• Updated input 'flake-parts/nixpkgs-lib':
'github:NixOS/nixpkgs/3e52e76b70d5508f3cec70b882a29199f4d1ee85?dir=lib' (2023-08-31)
→ 'github:NixOS/nixpkgs/f5892ddac112a1e9b3612c39af1b72987ee5783a?dir=lib' (2023-09-29)
• Updated input 'flake-utils':
'github:numtide/flake-utils/f9e7cf818399d17d347f847525c5a5a8032e4e44' (2023-08-23)
→ 'github:numtide/flake-utils/ff7b65b44d01cf9ba6a71320833626af21126384' (2023-09-12)
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/4c8cf44c5b9481a4f093f1df3b8b7ba997a7c760' (2023-09-10)
→ 'github:NixOS/nixpkgs/8efd5d1e283604f75a808a20e6cde0ef313d07d4' (2023-10-24)
• Updated input 'poetry2nix':
'github:nix-community/poetry2nix/c3d3c4a0396b1bcccd72c82551a319229997f6e4' (2023-09-08)
→ 'github:nix-community/poetry2nix/8f2c483f9a40db26011f6668559574a4b86ed499' (2023-10-26)
• Updated input 'poetry2nix/nix-github-actions':
'github:nix-community/nix-github-actions/165b1650b753316aa7f1787f3005a8d2da0f5301' (2023-07-09)
→ 'github:nix-community/nix-github-actions/bd5bdbb52350e145c526108f4ef192eb8e554fa0' (2023-09-02)
• Added input 'poetry2nix/systems':
'github:nix-systems/default/da67096a3b9bf56a91d16901293e51ba5b49a27e' (2023-04-09)
• Added input 'poetry2nix/treefmt-nix':
'github:numtide/treefmt-nix/aae39f64f5ecbe89792d05eacea5cb241891292a' (2023-10-15)
• Added input 'poetry2nix/treefmt-nix/nixpkgs':
follows 'poetry2nix/nixpkgs'
2023-10-27 17:02:13 +02:00
WilliButz
e3e7edaba4
README: add explicit comment about secrets and environmentFile
2023-10-04 20:13:25 +02:00
WilliButz
b200238be2
fill README with some instructions
2023-10-04 19:35:39 +02:00
WilliButz
f7fa85cc1f
module: add nginx support with cert auto-discovery
2023-10-04 17:55:39 +02:00
WilliButz
bc05d5ce25
test: check for correct version in admin settings
2023-10-04 16:32:01 +02:00
WilliButz
251d78a7f2
module: provide option to specify EnvironmentFile for secrets
...
The systemd service module references the module's environmentFile in a
list to allow for merging with EnvironmentFiles injected elsewhere.
2023-10-04 14:47:29 +02:00
WilliButz
cd00a35204
flake: remove node_modules/.cache in output
...
(reduces closure size by ~250MiB)
2023-09-11 22:03:14 +02:00
WilliButz
e298bde8c0
github-workflows/flakehub: try workaround for accepted version format
2023-09-11 21:32:32 +02:00
WilliButz
0fa7dd5ac7
update: 2023.8.2 -> 2023.8.3
...
Flake lock file updates:
• Updated input 'authentik-src':
'github:goauthentik/authentik/97e4c8d5e22f21295b8d0eda039243433253ddfc' (2023-09-01)
→ 'github:goauthentik/authentik/f885f8c0395df639ccabd762910867bef0f4577c' (2023-09-11)
• Updated input 'flake-parts':
'github:hercules-ci/flake-parts/59cf3f1447cfc75087e7273b04b31e689a8599fb' (2023-08-01)
→ 'github:hercules-ci/flake-parts/7f53fdb7bdc5bb237da7fefef12d099e4fd611ca' (2023-09-01)
• Updated input 'flake-parts/nixpkgs-lib':
'github:NixOS/nixpkgs/9e1960bc196baf6881340d53dccb203a951745a2?dir=lib' (2023-08-01)
→ 'github:NixOS/nixpkgs/3e52e76b70d5508f3cec70b882a29199f4d1ee85?dir=lib' (2023-08-31)
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/c540061ac8d72d6e6d99345bd2d590c82b2f58c1' (2023-08-28)
→ 'github:NixOS/nixpkgs/4c8cf44c5b9481a4f093f1df3b8b7ba997a7c760' (2023-09-10)
• Updated input 'poetry2nix':
'github:nix-community/poetry2nix/5b3a5151cf212021ff8d424f215fb030e4ff2837' (2023-08-26)
→ 'github:nix-community/poetry2nix/c3d3c4a0396b1bcccd72c82551a319229997f6e4' (2023-09-08)
2023-09-11 21:26:18 +02:00
WilliButz
374fe09426
init flakehub-publish-tagged.yml
2023-09-09 15:39:41 +02:00
WilliButz
42e9874ace
add flake-compat
2023-09-09 11:35:21 +02:00
WilliButz
f89134f9ce
frontend: drop patch for package-lock.json after napalm update
...
Napalm now correctly handles aliased dependencies.
2023-09-06 12:45:03 +02:00
WilliButz
4ae65bc41c
flake.lock: Update
...
Flake lock file updates:
• Updated input 'napalm':
'github:nix-community/napalm/22b610cdb812ad7abf22c05af45778ee394fbfd1' (2023-06-22)
→ 'github:nix-community/napalm/a8215ccf1c80070f51a92771f3bc637dd9b9f7ee' (2023-09-06)
2023-09-06 12:44:40 +02:00
WilliButz
604736f429
update: 2023.8.1 -> 2023.8.2
...
Flake lock file updates:
• Updated input 'authentik-src':
'github:goauthentik/authentik/be3cfaee560a7d6fac157d61ae7186a92a279c9c' (2023-08-29)
→ 'github:goauthentik/authentik/97e4c8d5e22f21295b8d0eda039243433253ddfc' (2023-09-01)
2023-09-01 18:43:47 +02:00
WilliButz
fbac551e86
terraform-provider: 2023.6.0 -> 2023.8.0
2023-08-31 11:58:28 +02:00
WilliButz
5d5cd2f358
README: drop outdated info
2023-08-30 16:48:59 +02:00
WilliButz
ae8ff44762
update: 2023.6.2 -> 2023.8.1
...
* patched the package-lock for /web slightly to avoid what's likely a
bug in napalm, causing the request for wrap-ansi@7.0.0 to be answered
with a 500 response. This seems to be the case because a name
override is used for this module in the lock-file. While that is also
the case for some other modules like string-width@4.2.3, they have a
matching module with the name used in the override at the same
version. Only wrap-ansi's version differs here, which causes the
issue.
2023-08-30 16:37:06 +02:00
WilliButz
d464790711
update: 2023.6.1 -> 2023.6.2 (security update)
...
contains fix for CVE-2023-39522
https://github.com/goauthentik/authentik/security/advisories/GHSA-vmf9-6pcv-xr87
Flake lock file updates:
• Updated input 'authentik-src':
'github:goauthentik/authentik/d6af506a78caaf9e6ef394dffa1f931bcc2cd656' (2023-07-10)
→ 'github:goauthentik/authentik/aba857753bcf785a2023d3ac80f9a6f7f15979fe' (2023-08-29)
• Updated input 'flake-parts':
'github:hercules-ci/flake-parts/8e8d955c22df93dbe24f19ea04f47a74adbdc5ec' (2023-07-04)
→ 'github:hercules-ci/flake-parts/59cf3f1447cfc75087e7273b04b31e689a8599fb' (2023-08-01)
• Updated input 'flake-parts/nixpkgs-lib':
'github:NixOS/nixpkgs/4bc72cae107788bf3f24f30db2e2f685c9298dc9?dir=lib' (2023-06-29)
→ 'github:NixOS/nixpkgs/9e1960bc196baf6881340d53dccb203a951745a2?dir=lib' (2023-08-01)
• Updated input 'flake-utils':
'github:numtide/flake-utils/dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7' (2023-06-25)
→ 'github:numtide/flake-utils/f9e7cf818399d17d347f847525c5a5a8032e4e44' (2023-08-23)
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/e11142026e2cef35ea52c9205703823df225c947' (2023-07-05)
→ 'github:NixOS/nixpkgs/c540061ac8d72d6e6d99345bd2d590c82b2f58c1' (2023-08-28)
• Updated input 'poetry2nix':
'github:nix-community/poetry2nix/f9c886e188503db79b59f15c014d86aa680d9141' (2023-07-07)
→ 'github:nix-community/poetry2nix/5b3a5151cf212021ff8d424f215fb030e4ff2837' (2023-08-26)
• Added input 'poetry2nix/nix-github-actions':
'github:nix-community/nix-github-actions/165b1650b753316aa7f1787f3005a8d2da0f5301' (2023-07-09)
• Added input 'poetry2nix/nix-github-actions/nixpkgs':
follows 'poetry2nix/nixpkgs'
2023-08-29 20:18:44 +02:00
WilliButz
a0111331a9
Merge pull request #2 from muccc/terraform-provider-2023.6.0
...
terraform-provider-authentik: 2023.5.0 -> 2023.6.0
2023-07-31 12:27:16 +02:00
Franz Pletz
77eef774b5
authentik-gopkgs: fix typo
2023-07-31 12:16:16 +02:00
Franz Pletz
f9ccfdbb61
flake: remove unused rec
2023-07-31 12:16:16 +02:00
Franz Pletz
41eca29b3a
terraform-provider-authentik: 2023.5.0 -> 2023.6.0
2023-07-31 12:16:16 +02:00