Closes#83Closes#85
ChangeLog: https://docs.goauthentik.io/releases/2025.12⚠️ When using the Avatar upload, you'll have to make your users
re-upload their avatars due to changes in how media is served by
Authentik[1].
For now, we're using a branch from me that is 2025.12.1 with an update
of `@goauthentik/api` on top[2]. Without that change, `AdminFileListUsageEnum`
doesn't exist which breaks all usage of `AdminFileListUsageEnum.Media`:
TypeError: can't access property "Media", R.AdminFileListUsageEnum is undefined
renderForm ApplicationForm.ts:191
[...]
This made e.g. the modal to edit applications unusable which infinitely
hang on a loading spinner.
The media path now points to `/var/lib/authentik`. This path is only
used for media storage and Authentik now always appends the "usage name"
as directory behind the storage path, i.e. it already appends
`/var/lib/authentik/media`, so this is needed to make Authentik discover
existing media.
Finally, I added a `patches` attribute to the authentik scope that
applies patches to both the workdir-deps (which is the PYTHONPATH in the
end, i.e. where we load the authentik module from) and the gopkgs. We're
still missing patchability for frontend (since we directly build the
subdir in napalm), but I think that's a step in the right direction.
[1] https://github.com/goauthentik/authentik/discussions/6824#discussioncomment-15490793
[2] Upstream PR: https://github.com/goauthentik/authentik/pull/19542
We kept nodejs_22 in 6dc84faaec because of
a bug in NPM preventing us from upgrading[1]. This got solved in the
meantime and seems to have landed in a nodejs release (these usually
bundle NPM versions), so we can use the nodejs version that upstream
also uses again.
[1] https://github.com/npm/cli/issues/8541
Release notes: https://docs.goauthentik.io/docs/releases/2024.6
Includes a hacky workaround for a node dependency that is required to
build the `/website` subdirectory of the authentik repo, i.e. "docs".
That should not be required after the next major update, as the
dependency causing this is no longer used on authentik's main branch.
See components/docs.nix for more info.
Flake lock file updates:
• Updated input 'authentik-src':
'github:goauthentik/authentik/5afceaa55f4d831db0cf9d80562e86eb43b622ec' (2024-06-26)
→ 'github:goauthentik/authentik/9075270b01e784d25f2ec08b82e73f1ce3086184' (2024-07-11)
• Updated input 'flake-parts':
'github:hercules-ci/flake-parts/9126214d0a59633752a136528f5f3b9aa8565b7d' (2024-04-01)
→ 'github:hercules-ci/flake-parts/c3c5ecc05edc7dafba779c6c1a61cd08ac6583e9' (2024-06-30)
• Updated input 'flake-parts/nixpkgs-lib':
'github:NixOS/nixpkgs/d8fe5e6c92d0d190646fb9f1056741a229980089?dir=lib' (2024-03-29)
→ 'https://github.com/NixOS/nixpkgs/archive/eb9ceca17df2ea50a250b6b27f7bf6ab0186f198.tar.gz?narHash=sha256-lIbdfCsf8LMFloheeE6N31%2BBMIeixqyQWbSr2vk79EQ%3D' (2024-06-01)
• Updated input 'napalm':
'github:nix-community/napalm/edcb26c266ca37c9521f6a97f33234633cbec186' (2023-12-20)
→ 'github:nix-community/napalm/e1babff744cd278b56abe8478008b4a9e23036cf' (2024-06-09)
• Updated input 'nixpkgs':
'github:nixos/nixpkgs/6143fc5eeb9c4f00163267708e26191d1e918932' (2024-04-21)
→ 'github:NixOS/nixpkgs/feb2849fdeb70028c70d73b848214b00d324a497' (2024-07-29)
• Updated input 'poetry2nix':
'github:nix-community/poetry2nix/e6b36523407ae6a7a4dfe29770c30b3a3563b43a' (2024-05-06)
→ 'github:nix-community/poetry2nix/4fd045cdb85f2a0173021a4717dc01d92d7ab2b2' (2024-06-28)
• Updated input 'poetry2nix/treefmt-nix':
'github:numtide/treefmt-nix/c6aaf729f34a36c445618580a9f95a48f5e4e03f' (2024-04-25)
→ 'github:numtide/treefmt-nix/68eb1dc333ce82d0ab0c0357363ea17c31ea1f81' (2024-06-16)
Before this change it was very inconvenient to override specific
dependencies, e.g. patching something in pythonEnv and having its
dependents use that patched version.
This is just a step towards better overridability for the individual
authentik components, because patched versions of components still need
to be manually passed to their dependents. An overlay-like approach
would be even better.
