Commit graph

140 commits

Author SHA1 Message Date
WilliButz
1392167355
Merge pull request #20 from Ma27/ak-script
module: add `ak` script
2024-02-26 11:00:19 +01:00
Maximilian Bosch
2da27254c1
module: add ak script
This was made possible by d85dacb6c2
which allows using `manage.py` directly. That script is
effectively used whenever the `ak` command is referenced in the docs,
e.g. to set a new password for the superuser or to send a test email.

This needs to run as the same (dynamic) user and with the same env file,
otherwise `manage.py` exits early. To achieve that, I
decided to use `systemd-run(1)` because now the invocation can be
configured the same way as services are.
2024-02-26 09:32:48 +01:00
WilliButz
5ed5c481f2
update: 2024.2.0 -> 2024.2.1
release notes: https://goauthentik.io/docs/releases/2024.2#fixed-in-202421

cryptography hash: https://github.com/nix-community/poetry2nix/pull/1538

Flake lock file updates:

• Updated input 'authentik-src':
    'github:goauthentik/authentik/310983a4d027174afe40e6db908cdfdebf1182b8' (2024-02-21)
  → 'github:goauthentik/authentik/8256f1897df0a741a81dcb066d4edae879c30408' (2024-02-22)
2024-02-22 17:38:01 +01:00
WilliButz
189ab274f5
Merge pull request #17 from MarcelCoding/radius
Added radius outpost
2024-02-22 15:01:51 +01:00
WilliButz
eb572302be
tests/minimal-vmtest: fix version check
It's now further up :)
2024-02-21 22:12:02 +01:00
WilliButz
d060292aa6
add patch to fix failing "tenant_files" migration
The new migration in tenant_files.py references a MEDIA_ROOT directory
based on its own path, which in our case is in the read-only /nix/store.

We need it to refer to the actual authentik state directory instead,
which defaults to /var/lib/authentik/media in module.nix
2024-02-21 22:12:02 +01:00
WilliButz
d85dacb6c2
components: drop celery, package manage.py instead
2024-02-21 22:12:02 +01:00
WilliButz
8edfcf318a
update: 2023.10.7 -> 2024.2.0
Release notes: https://goauthentik.io/docs/releases/2024.2

Flake lock file updates:

• Updated input 'authentik-src':
    'github:goauthentik/authentik/e095e9f694d2a427940bc8616bc4025fef502a8b' (2024-01-29)
  → 'github:goauthentik/authentik/310983a4d027174afe40e6db908cdfdebf1182b8' (2024-02-21)
• Updated input 'poetry2nix':
    'github:nix-community/poetry2nix/4eb2ac54029af42a001c9901194e9ce19cbd8a40' (2024-02-06)
  → 'github:nix-community/poetry2nix/403d923ea8e2e6cedce3a0f04a9394c4244cb806' (2024-02-17)
2024-02-21 22:12:02 +01:00
Marcel
52b831735c
Added radius outpost
2024-02-14 22:00:58 +01:00
WilliButz
497c207488
flake.lock: update poetry2nix, fixes IFD in watchfiles
Fixes #5

Flake lock file updates:

• Updated input 'poetry2nix':
    'github:nix-community/poetry2nix/e0b44e9e2d3aa855d1dd77b06f067cd0e0c3860d' (2024-01-12)
  → 'github:nix-community/poetry2nix/4eb2ac54029af42a001c9901194e9ce19cbd8a40' (2024-02-06)
2024-02-06 11:50:50 +01:00
WilliButz
a3663ee7bc
github/workflows/flakehub-publish: drop
2024-02-06 11:50:50 +01:00
WilliButz
2fb62afc42
Merge pull request #16 from MarcelCoding/postgres
Made postgres optional
2024-01-31 11:22:01 +01:00
Marcel
347066b2ca
Made postgres optional
2024-01-31 10:26:11 +01:00
WilliButz
5fa451e055
flake.lock: Update
Flake lock file updates:

• Updated input 'flake-parts':
    'github:hercules-ci/flake-parts/34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5' (2023-12-01)
  → 'github:hercules-ci/flake-parts/07f6395285469419cf9d078f59b5b49993198c00' (2024-01-11)
• Updated input 'flake-parts/nixpkgs-lib':
    'github:NixOS/nixpkgs/e92039b55bcd58469325ded85d4f58dd5a4eaf58?dir=lib' (2023-11-29)
  → 'github:NixOS/nixpkgs/b0d36bd0a420ecee3bc916c91886caca87c894e9?dir=lib' (2023-12-30)
• Updated input 'flake-utils':
    'github:numtide/flake-utils/4022d587cbbfd70fe950c1e2083a02621806a725' (2023-12-04)
  → 'github:numtide/flake-utils/1ef2e671c3b0c19053962c07dbda38332dcebf26' (2024-01-15)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/933d7dc155096e7575d207be6fb7792bc9f34f6d' (2023-12-02)
  → 'github:NixOS/nixpkgs/56911ef3403a9318b7621ce745f5452fb9ef6867' (2024-01-27)
• Updated input 'nixpkgs-23-05':
    'github:NixOS/nixpkgs/e9f06adb793d1cca5384907b3b8a4071d5d7cb19' (2023-12-03)
  → 'github:NixOS/nixpkgs/70bdadeb94ffc8806c0570eb5c2695ad29f0e421' (2024-01-03)
• Updated input 'poetry2nix':
    'github:nix-community/poetry2nix/9fc487b32a68473da4bf9573f85b388043c5ecda' (2023-12-06)
  → 'github:nix-community/poetry2nix/e0b44e9e2d3aa855d1dd77b06f067cd0e0c3860d' (2024-01-12)
2024-01-29 18:32:43 +01:00
WilliButz
30e4ac1dfd
update: 2023.10.6 -> 2023.10.7 (security update)
Fixes CVE-2024-23647

See https://goauthentik.io/docs/security/CVE-2024-23647

Flake lock file updates:

• Updated input 'authentik-src':
    'github:goauthentik/authentik/1cd000dfe204b9605c85e6cebc051586a0329604' (2024-01-09)
  → 'github:goauthentik/authentik/e095e9f694d2a427940bc8616bc4025fef502a8b' (2024-01-29)
2024-01-29 18:17:08 +01:00
WilliButz
3904e3d29b
module: remove restartTriggers from ldap outpost service
Fixes #15

Before this change it was non-trivial to deploy the ldap outpost without
also activating the main authentik service on the same host. Adding
functionality to provide a separate configuration file for the outpost
service remains an open task.
2024-01-28 21:15:41 +01:00
WilliButz
bc628c0094
Merge pull request #14 from shokinn/fix-service-dependencies
Add dependency to network-online.target for authentik.service
2024-01-28 13:00:07 +01:00
shokinn
4dd485a366
Add dependency to network-online.target for authentik-ldap.service
2024-01-28 00:42:02 +01:00
shokinn
3bf78b1126
Add dependency to network-online.target for authentik.service
2024-01-24 18:42:16 +01:00
WilliButz
d5e41d40fa
Merge pull request #10 from xanderio/media_upload
enable media uploads
2024-01-15 22:10:58 +01:00
Alexander Sieg
8e23ad0cef
enable media uploads
The media upload feature is built around being deployed in a container
and only enables uploads when `/media` is a mountpoint. This isn't the
case on NixOS and as such media uploads are disabled.

In order to enable this, we need to patch authentik so that the
`can_save_media` capability is enabled.
2024-01-15 17:10:22 +01:00
WilliButz
8ff6252370
update: 2023.10.5 -> 2023.10.6 (security update)
Fixes CVE-2024-21637

See https://goauthentik.io/docs/security/CVE-2024-21637

Flake lock file updates:

• Updated input 'authentik-src':
    'github:goauthentik/authentik/a15a04036223c53bea841436f4943278b4eab460' (2023-12-21)
  → 'github:goauthentik/authentik/1cd000dfe204b9605c85e6cebc051586a0329604' (2024-01-09)
2024-01-09 18:54:16 +01:00
WilliButz
1d2fe8bd1e
Merge pull request #9 from Ma27/restart-ldap-outpost
authentik-ldap: restart on failure
2024-01-03 20:06:33 +01:00
WilliButz
010cb5fae5
Merge pull request #7 from shokinn/fix-sending-email-missing-assets
link static workdir deps to /run/authentik
2024-01-03 20:05:43 +01:00
Maximilian Bosch
7c6103be81
authentik-ldap: restart on failure
I'm occasionally seeing the following error:

    Jan 01 22:02:10 auth ldap[151813]: fatal error: concurrent map writes
    Jan 01 22:02:10 auth ldap[151813]: fatal error: concurrent map writes
    Jan 01 22:02:10 auth ldap[151813]: goroutine 4841 [running]:
    Jan 01 22:02:10 auth ldap[151813]: goauthentik.io/api/v3.(*Configuration).AddDefaultHeader(...)
    Jan 01 22:02:10 auth ldap[151813]:         goauthentik.io/api/v3@v3.2023101.1/configuration.go:120
    Jan 01 22:02:10 auth ldap[151813]: goauthentik.io/internal/outpost/ldap/search/direct.(*DirectSearcher).Search(0xc0002ba4f8, 0xc000510dd0)
    Jan 01 22:02:10 auth ldap[151813]:         goauthentik.io/internal/outpost/ldap/search/direct/direct.go:112 +0x65a
    [...]
    Jan 01 22:02:10 auth systemd[1]: authentik-ldap.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
    Jan 01 22:02:10 auth systemd[1]: authentik-ldap.service: Failed with result 'exit-code'.

Obviously, I need to find out what's up there. However, services
shouldn't just die on a crash, but restart in that case. If that happens
too often, StartLimitBurst/StartLimitIntervalSec ensure that the
(re)start attempt is aborted eventually.

This is especially problematic because Nextcloud tries to contact the
LDAP server on every single request for a sync which means that the
entire service is down when such a crash happens.
2024-01-03 12:52:42 +01:00
shokinn
47e0cb8e14
link static workdir deps to /run/authentik
2023-12-29 15:01:03 +01:00
WilliButz
d2367d0c21
update: 2023.10.4 -> 2023.10.5
Flake lock file updates:

• Updated input 'authentik-src':
    'github:goauthentik/authentik/a2a67161ac8b840d63cbaacdfbebb60fd48e901b' (2023-11-21)
  → 'github:goauthentik/authentik/a15a04036223c53bea841436f4943278b4eab460' (2023-12-21)
2023-12-21 14:44:38 +01:00
WilliButz
4a61f8afb4
README: update
2023-12-20 21:34:25 +01:00
WilliButz
be532175cd
flake.lock: update napalm
Flake lock file updates:

• Updated input 'napalm':
    'github:nix-community/napalm/a8215ccf1c80070f51a92771f3bc637dd9b9f7ee' (2023-09-06)
  → 'github:nix-community/napalm/edcb26c266ca37c9521f6a97f33234633cbec186' (2023-12-20)
2023-12-20 21:19:38 +01:00
WilliButz
9b18007aac
provide authentik components in separate scope
* provides a new function `lib.mkAuthentikScope` as a flake output to
  create a custom scope with overrides outside of this flake
* adds a slightly altered version of existing vm test to demonstrate the
  usage of `mkAuthentikScope` for overriding individual authentik
  components in tests/override-scope.nix
2023-12-14 15:04:06 +01:00
WilliButz
6df56466f9
factor out components with callPackage to allow for easier overrides
Before this change it was very inconvenient to override specific
dependencies, e.g. patching something in pythonEnv and having its
dependents use that patched version.
This is just a step towards better overridability for the individual
authentik components, because patched versions of components still need
to be manually passed to their dependents. An overlay-like approach
would be even better.
2023-12-14 15:04:04 +01:00
WilliButz
d12bdcc87d
flake: replace runCommandLocal with builtin functions to avoid IFD
Pointed out in https://github.com/nix-community/authentik-nix/issues/5

Co-authored-by: Philip Henning <philip.henning@base23.de>
2023-12-11 15:31:43 +01:00
WilliButz
07c6476fbf
module: make authentikComponents a simple attrset
2023-12-10 15:16:53 +01:00
WilliButz
1b9f4dce95
test: move to tests dir
2023-12-10 15:16:53 +01:00
WilliButz
ed999ba030
use mkDefault for authentikComponents
2023-12-10 15:16:53 +01:00
WilliButz
8b05ebf200
module: drop unused recursiveUpdate
2023-12-10 15:16:53 +01:00
WilliButz
332d717766
module: update postgres config (ensurePermissions -> ensureDBOwnership)
see https://github.com/NixOS/nixpkgs/pull/266270
2023-12-10 15:16:41 +01:00
WilliButz
aeba8124d2
flake: drop obsolete devShell
2023-12-10 15:13:28 +01:00
WilliButz
7f46d7ee99
flake.lock: Update, reference nixos-23.11 instead of unstable
Flake lock file updates:

• Updated input 'flake-parts':
    'github:hercules-ci/flake-parts/c9afaba3dfa4085dbd2ccb38dfade5141e33d9d4' (2023-10-03)
  → 'github:hercules-ci/flake-parts/34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5' (2023-12-01)
• Updated input 'flake-parts/nixpkgs-lib':
    'github:NixOS/nixpkgs/f5892ddac112a1e9b3612c39af1b72987ee5783a?dir=lib' (2023-09-29)
  → 'github:NixOS/nixpkgs/e92039b55bcd58469325ded85d4f58dd5a4eaf58?dir=lib' (2023-11-29)
• Updated input 'flake-utils':
    'github:numtide/flake-utils/ff7b65b44d01cf9ba6a71320833626af21126384' (2023-09-12)
  → 'github:numtide/flake-utils/4022d587cbbfd70fe950c1e2083a02621806a725' (2023-12-04)
• Updated input 'nixpkgs-23-05':
    'github:NixOS/nixpkgs/41de143fda10e33be0f47eab2bfe08a50f234267' (2023-11-06)
  → 'github:NixOS/nixpkgs/e9f06adb793d1cca5384907b3b8a4071d5d7cb19' (2023-12-03)
• Updated input 'poetry2nix':
    'github:nix-community/poetry2nix/8f2c483f9a40db26011f6668559574a4b86ed499' (2023-10-26)
  → 'github:nix-community/poetry2nix/9fc487b32a68473da4bf9573f85b388043c5ecda' (2023-12-06)
• Updated input 'poetry2nix/nix-github-actions':
    'github:nix-community/nix-github-actions/bd5bdbb52350e145c526108f4ef192eb8e554fa0' (2023-09-02)
  → 'github:nix-community/nix-github-actions/4bb5e752616262457bc7ca5882192a564c0472d2' (2023-11-03)
• Updated input 'poetry2nix/treefmt-nix':
    'github:numtide/treefmt-nix/aae39f64f5ecbe89792d05eacea5cb241891292a' (2023-10-15)
  → 'github:numtide/treefmt-nix/e82f32aa7f06bbbd56d7b12186d555223dc399d1' (2023-11-12)
2023-12-10 15:13:28 +01:00
WilliButz
9663811618
update: 2023.10.3 -> 2023.10.4 (security update)
Includes fix for https://goauthentik.io/docs/security/CVE-2023-48228

Flake lock file updates:

• Updated input 'authentik-src':
    'github:goauthentik/authentik/82b5274b15ddf6d9925e7b349f70bbff5be1d8be' (2023-11-09)
  → 'github:goauthentik/authentik/a2a67161ac8b840d63cbaacdfbebb60fd48e901b' (2023-11-21)
2023-11-21 18:47:39 +01:00
WilliButz
976d382bf4
update: 2023.10.2 -> 2023.10.3
Flake lock file updates:

• Updated input 'authentik-src':
    'github:goauthentik/authentik/8e72fcab59a65e900a35a0faa21fe0bfef4c63c3' (2023-10-28)
  → 'github:goauthentik/authentik/82b5274b15ddf6d9925e7b349f70bbff5be1d8be' (2023-11-09)
2023-11-09 19:08:49 +01:00
WilliButz
2445de2001
terraform-provider-authentik: 2023.8.0 -> 2023.10.0
The provider still specifies go 1.18 in go.mod, so nixpkgs@23.05 needs
to be pulled in again. Not really happy about this, maybe there's some
cleaner approach.
2023-11-08 15:31:30 +01:00
WilliButz
c775e737f5
update: 2023.10.1 -> 2023.10.2
Flake lock file updates:

• Updated input 'authentik-src':
    'github:goauthentik/authentik/64c38909ffd969787f2d634b0e971b90a451d5db' (2023-10-26)
  → 'github:goauthentik/authentik/8e72fcab59a65e900a35a0faa21fe0bfef4c63c3' (2023-10-28)
2023-10-28 22:42:43 +02:00
WilliButz
d3b1353030
github-workflows/flakehub: don't auto run
2023-10-28 22:42:28 +02:00
WilliButz
1ec83f48ae
update: 2023.10.0 -> 2023.10.1
2023-10-27 17:02:14 +02:00
WilliButz
e1ccfb9fb6
test: add trailing slash to urls
Before 2023.10 this was implicitly supported, but undocumented.
See https://github.com/goauthentik/authentik/pull/6928/commits/c4ea44da1bb63182e5413bdf8f0a9
2023-10-27 17:02:14 +02:00
WilliButz
cdffc37ad9
update: 2023.8.3 -> 2023.10.0
* nixpkgs-23.05 -> nixpkgs-unstable (for nodejs 21)
* nodejs_20 -> nodejs_21
* go_1_20 -> go_1_21
* added workaround for poetry2nix to drop python dev-dependencies

Flake lock file updates:

• Updated input 'authentik-src':
    'github:goauthentik/authentik/f885f8c0395df639ccabd762910867bef0f4577c' (2023-09-11)
  → 'github:goauthentik/authentik/b7c02808c664714144bd7ae6fee4c6402a88f426' (2023-10-26)
• Updated input 'flake-compat':
    'github:edolstra/flake-compat/35bb57c0c8d8b62bbfd284272c928ceb64ddbde9' (2023-01-17)
  → 'github:edolstra/flake-compat/0f9255e01c2351cc7d116c072cb317785dd33b33' (2023-10-04)
• Updated input 'flake-parts':
    'github:hercules-ci/flake-parts/7f53fdb7bdc5bb237da7fefef12d099e4fd611ca' (2023-09-01)
  → 'github:hercules-ci/flake-parts/c9afaba3dfa4085dbd2ccb38dfade5141e33d9d4' (2023-10-03)
• Updated input 'flake-parts/nixpkgs-lib':
    'github:NixOS/nixpkgs/3e52e76b70d5508f3cec70b882a29199f4d1ee85?dir=lib' (2023-08-31)
  → 'github:NixOS/nixpkgs/f5892ddac112a1e9b3612c39af1b72987ee5783a?dir=lib' (2023-09-29)
• Updated input 'flake-utils':
    'github:numtide/flake-utils/f9e7cf818399d17d347f847525c5a5a8032e4e44' (2023-08-23)
  → 'github:numtide/flake-utils/ff7b65b44d01cf9ba6a71320833626af21126384' (2023-09-12)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/4c8cf44c5b9481a4f093f1df3b8b7ba997a7c760' (2023-09-10)
  → 'github:NixOS/nixpkgs/8efd5d1e283604f75a808a20e6cde0ef313d07d4' (2023-10-24)
• Updated input 'poetry2nix':
    'github:nix-community/poetry2nix/c3d3c4a0396b1bcccd72c82551a319229997f6e4' (2023-09-08)
  → 'github:nix-community/poetry2nix/8f2c483f9a40db26011f6668559574a4b86ed499' (2023-10-26)
• Updated input 'poetry2nix/nix-github-actions':
    'github:nix-community/nix-github-actions/165b1650b753316aa7f1787f3005a8d2da0f5301' (2023-07-09)
  → 'github:nix-community/nix-github-actions/bd5bdbb52350e145c526108f4ef192eb8e554fa0' (2023-09-02)
• Added input 'poetry2nix/systems':
    'github:nix-systems/default/da67096a3b9bf56a91d16901293e51ba5b49a27e' (2023-04-09)
• Added input 'poetry2nix/treefmt-nix':
    'github:numtide/treefmt-nix/aae39f64f5ecbe89792d05eacea5cb241891292a' (2023-10-15)
• Added input 'poetry2nix/treefmt-nix/nixpkgs':
    follows 'poetry2nix/nixpkgs'
2023-10-27 17:02:13 +02:00
WilliButz
e3e7edaba4
README: add explicit comment about secrets and environmentFile
2023-10-04 20:13:25 +02:00
WilliButz
b200238be2
fill README with some instructions
2023-10-04 19:35:39 +02:00
WilliButz
f7fa85cc1f
module: add nginx support with cert auto-discovery
2023-10-04 17:55:39 +02:00