tamipes/authentik-nix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
214 commits 1 branch 0 tags 968 KiB
Commit graph

29 commits

Author SHA1 Message Date
Geoffrey “Frogeye” Preud'homme
960bc776bb
Make gopkgs a split package 2025-10-26 11:45:06 +01:00
Maximilian Bosch
6dc84faaec
update: 2025.6.4 -> 2025.8.1 
See https://next.goauthentik.io/releases/2025.8/
ChangeLog: https://next.goauthentik.io/releases/2025.8/#fixed-in-202581

The following things changed:

* We're blocked on going to NodeJS 24.x (which is the version upstream
  uses) because it breaks with napalm[1].

* The worker has been switched from celery to dramatiq. An automatic
  migration of the tasks doesn't exist, the operator must make sure to
  stop the server and let the queue drain[2].

  While this eliminates the need of Redis for Celery, the tests fails
  without Redis. After inspecting the code, it looks like it's still
  needed for e.g. session management.

[1] https://github.com/npm/cli/issues/8541
[2] https://next.goauthentik.io/releases/2025.8/#fixed-in-202581
 2025-08-30 12:34:10 +02:00
Alexander Sieg
e155dd91f6
update: 2025.4.4 -> 2025.6.4 
co-authored-by: Maximilian Bosch <maximilian@mbosch.me>
 2025-07-24 15:00:27 +02:00
Maximilian Bosch
893670fa74
update: 2025.2.4 -> 2025.4.0 
See https://docs.goauthentik.io/docs/releases/2025.4
 2025-05-03 16:22:32 +02:00
WilliButz
543e15bee6
update: 2024.12.3 -> 2025.2.0 
See https://docs.goauthentik.io/docs/releases/2025.2

Flake lock file updates:

• Updated input 'authentik-src':
    'github:goauthentik/authentik/f1b7a9f934e6b58a1884ba753575eac6267f4b6e' (2025-01-29)
  → 'github:goauthentik/authentik/5c5cc1c7daa4248c5a2c29ac47f3639d4eaa8ff5' (2025-02-24)
• Updated input 'poetry2nix':
    'github:nix-community/poetry2nix/be1fe795035d3d36359ca9135b26dcc5321b31fb' (2025-02-05)
  → 'github:nix-community/poetry2nix/d90f9db68a4bda31c346be16dfd8d3263be4547e' (2025-02-18)
 2025-02-24 17:45:30 +01:00
Franz Pletz
74feeec4f1
docs: fix broken blueprints symlink 
Recent nixpkgs unstable added a symlink checker that discovered the
blueprints symlink didn't point to the correct directory location.
 2025-02-15 03:19:49 +01:00
WilliButz
dbfc2207df
treewide: nixfmt 2025-02-02 14:25:09 +01:00
WilliButz
d653af66b3
cleanup scope and re-enable override-scope test 
Based on the discussion from #27
 2025-02-02 14:24:51 +01:00
WilliButz
6da4c7da80
update: 2024.10.5 -> 2024.12.1 
See https://docs.goauthentik.io/docs/releases/2024.12

guess we're doing rust now

Flake lock file updates:

• Updated input 'authentik-src':
    'github:goauthentik/authentik/0edd7531a152910e6bdd4f7d3d0cde3ed5fdd956' (2024-12-10)
  → 'github:goauthentik/authentik/e87a17fd8169d3fa92bcc47eb2743928df83bc95' (2024-12-23)
• Updated input 'poetry2nix':
    'github:nix-community/poetry2nix/43a898b4d76f7f3f70df77a2cc2d40096bc9d75e' (2024-10-30)
  → 'github:nix-community/poetry2nix/1fb01e90771f762655be7e0e805516cd7fa4d58e' (2024-12-25)

Co-authored-by: Franz Pletz <fpletz@fnordicwalking.de>
 2025-01-04 16:20:11 +01:00
WilliButz
26829732e1
update: 2024.8.4 -> 2024.10.0 
See https://docs.goauthentik.io/docs/releases/2024.10
 2024-10-31 17:01:18 +01:00
WilliButz
4e1f5a6a36
flake.lock: Update 
Flake lock file updates:

• Updated input 'flake-parts':
    'github:hercules-ci/flake-parts/bcef6817a8b2aa20a5a6dbb19b43e63c5bf8619a' (2024-09-12)
  → 'github:hercules-ci/flake-parts/3d04084d54bedc3d6b8b736c70ef449225c361b1' (2024-10-01)
• Updated input 'flake-parts/nixpkgs-lib':
    'https://github.com/NixOS/nixpkgs/archive/356624c12086a18f2ea2825fed34523d60ccc4e3.tar.gz?narHash=sha256-Ss8QWLXdr2JCBPcYChJhz4xJm%2Bh/xjl4G0c0XlP6a74%3D' (2024-09-01)
  → 'https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz?narHash=sha256-0xHYkMkeLVQAMa7gvkddbPqpxph%2BhDzdu1XdGPJR%2BOs%3D' (2024-10-01)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/9357f4f23713673f310988025d9dc261c20e70c6' (2024-09-21)
  → 'github:NixOS/nixpkgs/807e9154dcb16384b1b765ebe9cd2bba2ac287fd' (2024-10-29)
• Updated input 'poetry2nix':
    'github:nix-community/poetry2nix/7624b3e0275d9b52dbdda46ef7ffee66b36ff823' (2024-09-24)
  → 'github:nix-community/poetry2nix/43a898b4d76f7f3f70df77a2cc2d40096bc9d75e' (2024-10-30)
• Updated input 'poetry2nix/nix-github-actions':
    'github:nix-community/nix-github-actions/5163432afc817cf8bd1f031418d1869e4c9d5547' (2023-12-29)
  → 'github:nix-community/nix-github-actions/e04df33f62cdcf93d73e9a04142464753a16db67' (2024-10-24)
• Updated input 'poetry2nix/treefmt-nix':
    'github:numtide/treefmt-nix/8df5ff62195d4e67e2264df0b7f5e8c9995fd0bd' (2024-06-30)
  → 'github:numtide/treefmt-nix/9ef337e492a5555d8e17a51c911ff1f02635be15' (2024-10-28)
 2024-10-31 17:41:50 +01:00
WilliButz
1138b948d3
update: 2024.8.1 -> 2024.8.3 (security update) 
Fixes CVE-2024-47070 and CVE-2024-47077

See https://docs.goauthentik.io/docs/releases/2024.8#fixed-in-202483

Dropped manually resolved lockfiles, fixed upstream in
https://github.com/goauthentik/authentik/pull/11509

Flake lock file updates:

• Updated input 'authentik-src':
    'github:goauthentik/authentik/f5580d311d01f2202b666f76931ed04f30b9ec30' (2024-09-07)
  → 'github:goauthentik/authentik/91d2445c61da49026f76dceb7f5b524e30335a42' (2024-09-27)
 2024-09-27 18:04:42 +02:00
WilliButz
0fd076529b
components: fix typo 2024-09-08 17:29:30 +02:00
WilliButz
a1630aaf9f
update: 2024.6.4 -> 2024.8.1 
Release notes: https://docs.goauthentik.io/docs/releases/2024.8

Still includes the same hacky workaround for one of the dependencies
that was introduced in the 2024.6.1 update. See components/docs.nix for
more information.

Also, as upstream package-lock.json files do not include source hashes
and urls for a lot of dependencies, building authentik from source is
only possible after they've been resolved. This makes it kind of a
gamble to try and reproduce a build with the same set of dependencies
that the devs use. This is why the two relevant lock files are vendored
here now. See upstream issues for more information:
- https://github.com/goauthentik/authentik/issues/6180
- https://github.com/goauthentik/authentik/issues/11169
and the npm issue for the underlying reason:
https://github.com/npm/cli/issues/4263

Flake lock file updates:

• Updated input 'flake-parts':
    'github:hercules-ci/flake-parts/8471fe90ad337a8074e957b69ca4d0089218391d' (2024-08-01)
  → 'github:hercules-ci/flake-parts/567b938d64d4b4112ee253b9274472dc3a346eb6' (2024-09-01)
• Updated input 'flake-parts/nixpkgs-lib':
    'https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz?narHash=sha256-uFf2QeW7eAHlYXuDktm9c25OxOyCoUOQmh5SZ9amE5Q%3D' (2024-08-01)
  → 'https://github.com/NixOS/nixpkgs/archive/356624c12086a18f2ea2825fed34523d60ccc4e3.tar.gz?narHash=sha256-Ss8QWLXdr2JCBPcYChJhz4xJm%2Bh/xjl4G0c0XlP6a74%3D' (2024-09-01)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/c374d94f1536013ca8e92341b540eba4c22f9c62' (2024-08-21)
  → 'github:NixOS/nixpkgs/574d1eac1c200690e27b8eb4e24887f8df7ac27c' (2024-09-06)
• Updated input 'poetry2nix':
    'github:nix-community/poetry2nix/884b66152b0c625b8220b570a31dc7acc36749a3' (2024-08-21)
  → 'github:nix-community/poetry2nix/a313fd7169ae43ecd1a2ea2f1e4899fe3edba4d2' (2024-09-05)
 2024-09-07 22:07:37 +02:00
WilliButz
9067dd09db
update: 2024.6.1 -> 2024.6.2 
Release notes: https://docs.goauthentik.io/docs/releases/2024.6#fixed-in-202462

Flake lock file updates:

• Updated input 'authentik-src':
    'github:goauthentik/authentik/9075270b01e784d25f2ec08b82e73f1ce3086184' (2024-07-11)
  → 'github:goauthentik/authentik/d6904b6aa1440f98f8061c3d12f7358c21b5ae2d' (2024-07-31)
 2024-08-03 10:24:41 +02:00
WilliButz
0fc8ad1349
update: 2024.4.3 -> 2024.6.1 
Release notes: https://docs.goauthentik.io/docs/releases/2024.6

Includes a hacky workaround for a node dependency that is required to
build the `/website` subdirectory of the authentik repo, i.e. "docs".
That should not be required after the next major update, as the
dependency causing this is no longer used on authentik's main branch.

See components/docs.nix for more info.

Flake lock file updates:

• Updated input 'authentik-src':
    'github:goauthentik/authentik/5afceaa55f4d831db0cf9d80562e86eb43b622ec' (2024-06-26)
  → 'github:goauthentik/authentik/9075270b01e784d25f2ec08b82e73f1ce3086184' (2024-07-11)
• Updated input 'flake-parts':
    'github:hercules-ci/flake-parts/9126214d0a59633752a136528f5f3b9aa8565b7d' (2024-04-01)
  → 'github:hercules-ci/flake-parts/c3c5ecc05edc7dafba779c6c1a61cd08ac6583e9' (2024-06-30)
• Updated input 'flake-parts/nixpkgs-lib':
    'github:NixOS/nixpkgs/d8fe5e6c92d0d190646fb9f1056741a229980089?dir=lib' (2024-03-29)
  → 'https://github.com/NixOS/nixpkgs/archive/eb9ceca17df2ea50a250b6b27f7bf6ab0186f198.tar.gz?narHash=sha256-lIbdfCsf8LMFloheeE6N31%2BBMIeixqyQWbSr2vk79EQ%3D' (2024-06-01)
• Updated input 'napalm':
    'github:nix-community/napalm/edcb26c266ca37c9521f6a97f33234633cbec186' (2023-12-20)
  → 'github:nix-community/napalm/e1babff744cd278b56abe8478008b4a9e23036cf' (2024-06-09)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/6143fc5eeb9c4f00163267708e26191d1e918932' (2024-04-21)
  → 'github:NixOS/nixpkgs/feb2849fdeb70028c70d73b848214b00d324a497' (2024-07-29)
• Updated input 'poetry2nix':
    'github:nix-community/poetry2nix/e6b36523407ae6a7a4dfe29770c30b3a3563b43a' (2024-05-06)
  → 'github:nix-community/poetry2nix/4fd045cdb85f2a0173021a4717dc01d92d7ab2b2' (2024-06-28)
• Updated input 'poetry2nix/treefmt-nix':
    'github:numtide/treefmt-nix/c6aaf729f34a36c445618580a9f95a48f5e4e03f' (2024-04-25)
  → 'github:numtide/treefmt-nix/68eb1dc333ce82d0ab0c0357363ea17c31ea1f81' (2024-06-16)
 2024-07-12 12:24:51 +02:00
WilliButz
1942bdac27
Merge pull request #25 from Ma27/media-root-cfg-fix 
module: fix media root config
 2024-06-07 13:19:13 +02:00
Maximilian Bosch
a220eb605f
components/gopkgs: skip tests 
There aren't any tests, but it's hanging in this phase for a while since
it compiles Go code to see if there are any tests in the modules.

    authentik-gopkgs> Running phase: checkPhase
    authentik-gopkgs> ?     goauthentik.io/cmd/ldap [no test files]
    authentik-gopkgs> ?     goauthentik.io/cmd/server       [no test files]
    authentik-gopkgs> ?     goauthentik.io/cmd/proxy        [no test files]
    authentik-gopkgs> ?     goauthentik.io/cmd/radius       [no test files]
 2024-06-02 21:07:19 +02:00
Maximilian Bosch
d4c45b01f2
module: fix media root config 
Was changed within upstream commit abc0c2d2a2a0bfb0214798ed6bca9d59359b39f8.

The sole reason this worked was that `settings.storage.media.file.path`
pointed to `./media`, relative to `/var/lib/authentik`.

Update our config accordingly.
 2024-06-02 17:40:27 +02:00
WilliButz
53e00921be
update: 2024.4.1 -> 2024.4.2 
- removed patch for frontend package-lock.json, meaning IFD (import from
  derivation) is no longer an issue

Flake lock file updates:

• Updated input 'authentik-src':
    'github:goauthentik/authentik/ca70c963e55daf73b479a4513da06ac5cea77718' (2024-04-26)
  → 'github:goauthentik/authentik/1f5953b5b7e72c085246e8f19b94482dac946d83' (2024-05-07)
• Updated input 'poetry2nix':
    'github:nix-community/poetry2nix/9245811b58905453033f1ef551f516cbee71c42c' (2024-04-26)
  → 'github:nix-community/poetry2nix/e6b36523407ae6a7a4dfe29770c30b3a3563b43a' (2024-05-06)
• Updated input 'poetry2nix/treefmt-nix':
    'github:numtide/treefmt-nix/e504621290a1fd896631ddbc5e9c16f4366c9f65' (2024-02-19)
  → 'github:numtide/treefmt-nix/c6aaf729f34a36c445618580a9f95a48f5e4e03f' (2024-04-25)
 2024-05-08 13:00:03 +02:00
WilliButz
608c5dd4f5
update: 2024.2.3 -> 2024.4.1 
Release notes: https://docs.goauthentik.io/docs/releases/2024.4

Notable dependency updates:
python 3.11 -> python 3.12
golang 1.21 -> golang 1.22
nixpkgs-23.11 -> nixpkgs-unstable (for golang 1.22 until 24.05)

Introduces patch to `web/package-lock.json`, see `components/frontend.nix`,
this will cause IFD until the issue is resolved.
https://nixos.org/manual/nix/stable/language/import-from-derivation

Flake lock file updates:

• Updated input 'authentik-src':
    'github:goauthentik/authentik/6bb180f94ec124092c4f87ae5f5d892a70b32ff3' (2024-04-17)
  → 'github:goauthentik/authentik/ca70c963e55daf73b479a4513da06ac5cea77718' (2024-04-26)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/53a2c32bc66f5ae41a28d7a9a49d321172af621e' (2024-04-15)
  → 'github:NixOS/nixpkgs/6143fc5eeb9c4f00163267708e26191d1e918932' (2024-04-21)
• Updated input 'poetry2nix':
    'github:nix-community/poetry2nix/3c92540611f42d3fb2d0d084a6c694cd6544b609' (2024-02-22)
  → 'github:nix-community/poetry2nix/9245811b58905453033f1ef551f516cbee71c42c' (2024-04-26)
 2024-04-27 20:59:27 +02:00
WilliButz
4cdde46347
update: 2024.2.2 -> 2024.2.3 
Adapted media upload patch.

Flake lock file updates:

• Updated input 'authentik-src':
    'github:goauthentik/authentik/4ec37c52395df6a3b431934cb27771ff814b024c' (2024-03-04)
  → 'github:goauthentik/authentik/6bb180f94ec124092c4f87ae5f5d892a70b32ff3' (2024-04-17)
 2024-04-17 14:53:22 +02:00
WilliButz
d060292aa6
add patch to fix failing "tenant_files" migration 
The new migration in tenant_files.py references a MEDIA_ROOT directory
based on its own path, which in our case is in the read-only /nix/store.

We need it to refer to the actual authentik state directory instead,
which defaults to /var/lib/authentik/media in module.nix
 2024-02-21 22:12:02 +01:00
WilliButz
d85dacb6c2
components: drop celery, package manage.py instead 2024-02-21 22:12:02 +01:00
WilliButz
8edfcf318a
update: 2023.10.7 -> 2024.2.0 
Release notes: https://goauthentik.io/docs/releases/2024.2

Flake lock file updates:

• Updated input 'authentik-src':
    'github:goauthentik/authentik/e095e9f694d2a427940bc8616bc4025fef502a8b' (2024-01-29)
  → 'github:goauthentik/authentik/310983a4d027174afe40e6db908cdfdebf1182b8' (2024-02-21)
• Updated input 'poetry2nix':
    'github:nix-community/poetry2nix/4eb2ac54029af42a001c9901194e9ce19cbd8a40' (2024-02-06)
  → 'github:nix-community/poetry2nix/403d923ea8e2e6cedce3a0f04a9394c4244cb806' (2024-02-17)
 2024-02-21 22:12:02 +01:00
WilliButz
30e4ac1dfd
update: 2023.10.6 -> 2023.10.7 (security update) 
Fixes CVE-2024-23647

See https://goauthentik.io/docs/security/CVE-2024-23647

Flake lock file updates:

• Updated input 'authentik-src':
    'github:goauthentik/authentik/1cd000dfe204b9605c85e6cebc051586a0329604' (2024-01-09)
  → 'github:goauthentik/authentik/e095e9f694d2a427940bc8616bc4025fef502a8b' (2024-01-29)
 2024-01-29 18:17:08 +01:00
Alexander Sieg
8e23ad0cef
enable media uploads 
The media upload feature is build around being deployed in a container
and only enables uploads when `/media` is a mountpoint. This isn't the
case on nixos and as such media uploads are disable.

In order to enable this, we need to patch authentik so that the
`can_save_media` capability is enabled.
 2024-01-15 17:10:22 +01:00
WilliButz
9b18007aac
provide authentik components in separate scope 
* provides a new function `lib.mkAuthentikScope` as a flake output to
  create a custom scope with overrides outside of this flake
* adds a slightly altered version of existing vm test to demonstrate the
  usage of `mkAuthentikScope` for overriding individual authentik
  components in tests/override-scope.nix
 2023-12-14 15:04:06 +01:00
WilliButz
6df56466f9
factor out components with callPackage to allow for easier overrides 
Before this change it was very inconvenient to override specific
dependencies, e.g. patching something in pythonEnv and having its
dependents use that patched version.
This is just a step towards better overridability for the individual
authentik components, because patched versions of components still need
to be manually passed to their dependents. An overlay-like approach
would be even better.
 2023-12-14 15:04:04 +01:00