Maximilian Bosch
a5c8611fda
update: 2025.10.1 -> 2025.10.2
...
Changes: https://github.com/goauthentik/authentik/releases/tag/version/2025.10.2
Fixes CVE-2025-64521[1] & CVE-2025-64708[2].
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-64521
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-64708
2025-11-20 13:49:22 +01:00
Maximilian Bosch
c14192ad67
Merge pull request #80 from Ma27/default-pg-host
...
module: set postgresql.host to /run/postgresql
2025-11-09 16:17:37 +01:00
Maximilian Bosch
21cafb4b85
module: set postgresql.host to /run/postgresql
...
Closes #79
So apparently the Python-based server knew to use `/run/postgresql` if
`host` is empty, but the Go driver tripped over it. Use this explicitly
to fix both cases.
2025-11-09 13:37:45 +01:00
Maximilian Bosch
bbd5f56c4b
Merge pull request #78 from Ma27/authentik-2025.10
...
update: 2025.8.4 -> 2025.10.0
2025-11-04 11:44:08 +01:00
Maximilian Bosch
bb1a7604fc
terraform-provider-authentik: 2025.8.0 -> 2025.10.0
2025-11-04 11:18:38 +01:00
Maximilian Bosch
62cb06d2ef
update: 2025.8.4 -> 2025.10.1
...
See https://version-2025-10.goauthentik.io/releases/2025.10/
2025-11-04 11:18:38 +01:00
Maximilian Bosch
ea1e06f9fe
Merge pull request #48 from dminuoso/add-rac-outpost
...
Add RAC outpost
2025-10-29 09:35:59 +01:00
Victor Nawothnig
e31ed431d7
Add RAC outpost
...
Co-authored-by: Maximilian Bosch <maximilian@mbosch.me>
2025-10-27 15:20:28 +01:00
Maximilian Bosch
3082a94074
Merge pull request #50 from GeoffreyFrogeye/push-pollrpxtlxts
...
Split gopkgs
2025-10-27 14:52:31 +01:00
Maximilian Bosch
3cf7092397
components/{docs,frontend}: use nodejs_24 again
...
We kept nodejs_22 in 6dc84faaec because of
a bug in NPM preventing us from upgrading[1]. This got solved in the
meantime and seems to have landed in a nodejs release (these usually
bundle NPM versions), so we can use the nodejs version that upstream
also uses again.
[1] https://github.com/npm/cli/issues/8541
2025-10-27 14:28:29 +01:00
Maximilian Bosch
be208eac08
python-overrides/lxml: fix build w/ libxml-2.15
...
Closes #76
2025-10-27 12:48:13 +01:00
Geoffrey “Frogeye” Preud'homme
960bc776bb
Make gopkgs a split package
2025-10-26 11:45:06 +01:00
Maximilian Bosch
6ae9b507c8
flake.lock: Update
...
Flake lock file updates:
• Updated input 'flake-parts':
'github:hercules-ci/flake-parts/4524271976b625a4a605beefd893f270620fd751' (2025-09-01)
→ 'github:hercules-ci/flake-parts/864599284fc7c0ba6357ed89ed5e2cd5040f0c04' (2025-10-20)
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/c23193b943c6c689d70ee98ce3128239ed9e32d1' (2025-09-13)
→ 'github:NixOS/nixpkgs/01f116e4df6a15f4ccdffb1bcd41096869fb385c' (2025-10-22)
• Updated input 'pyproject-build-systems':
'github:pyproject-nix/build-system-pkgs/5b8e37fe0077db5c1df3a5ee90a651345f085d38' (2025-09-08)
→ 'github:pyproject-nix/build-system-pkgs/dbfc0483b5952c6b86e36f8b3afeb9dde30ea4b5' (2025-09-29)
• Updated input 'pyproject-nix':
'github:pyproject-nix/pyproject.nix/8d77f342d66ad1601cdb9d97e9388b69f64d4c8e' (2025-09-07)
→ 'github:pyproject-nix/pyproject.nix/84c4ea102127c77058ea1ed7be7300261fafc7d2' (2025-10-14)
• Updated input 'uv2nix':
'github:pyproject-nix/uv2nix/780494c40895bb7419a73d942bee326291e80b3b' (2025-09-15)
→ 'github:pyproject-nix/uv2nix/e6e728d9719e989c93e65145fe3f9e0c65a021a2' (2025-10-22)
2025-10-26 08:16:15 +01:00
Maximilian Bosch
69fac057b2
update: 2025.8.3 -> 2025.8.4
...
ChangeLog: https://github.com/goauthentik/authentik/releases/tag/version%2F2025.8.4
2025-10-01 14:42:09 +02:00
Maximilian Bosch
4c626ed84c
Merge pull request #73 from Ma27/fix-port-collision
...
update: 2025.8.2 -> 2025.8.3; fix port collisions
2025-09-18 08:30:15 +02:00
Maximilian Bosch
c7ed264bc4
update: 2025.8.2 -> 2025.8.3
...
ChangeLog: https://github.com/goauthentik/authentik/releases/tag/version%2F2025.8.3
2025-09-17 10:44:09 +02:00
Maximilian Bosch
0c6391c85e
module: also use non-conflicting ports for other outposts
...
Incidentally I had parts of that already in my private config and immediately
forgot. But now that we're at it, let's fix it up properly as well.
2025-09-17 10:44:09 +02:00
Maximilian Bosch
15d4d6f9fc
module: fmt
2025-09-17 10:44:08 +02:00
Maximilian Bosch
6a080328a3
module: override metrics & http address for worker
...
Closes #72
So, #72 is about a segfault in the LDAP outpost, but this is the actual
culprit[0]:
* Both server & worker share the same configuration in this setup.
* Since 2025.8 this means that both try to start a server for metrics at
  port 9300 and an HTTP server (in the worker case for healthchecks) at
  port 9000.
* On upgrades, migrations are performed. Only the server waited for the
  migrations to finish, hence the worker started up earlier. As a
  result, it was quicker in binding port 9000 in ONLY this case (and
  thus, this was never reproducible on a second attempt!). Now, on port
  9000 was NOT the authentik server, but something that returned an
  empty response for everything that's not the healthcheck.
* As a result, the LDAP outpost got a response from what it believed was
  authentik, but actually `nil, nil` because of the empty response.
  Trying to dereference values from that response[1] caused the
  segfault.
The fix is pretty easy, just override the listen ports via the
environment. Unfortunately, the docs[2] are apparently not entirely correct[3],
given the Python code it must be LISTEN__LISTEN_HTTP[4]. I added a
test-case to ensure that the config is properly applied.
[0] Reported as https://github.com/goauthentik/authentik/issues/16850
[1] 57e12cef06/internal/outpost/ak/api.go (L95)
[2] https://docs.goauthentik.io/install-config/configuration/#listen-settings
[3] Reported as https://github.com/goauthentik/authentik/issues/16851
[4] 57e12cef06/authentik/lib/config.py (L238)
2025-09-17 10:43:50 +02:00
Maximilian Bosch
1c79d48248
module: run migrations before attempting to start worker
...
`manage.py` attempts migrations on its own[1], so let's try to
prevent another potential for races.
[1] https://github.com/goauthentik/authentik/blob/version/2025.8.3/manage.py#L17-L24
2025-09-17 10:12:38 +02:00
Maximilian Bosch
039fcdfd00
module: replace requiredBy with inverse requires
...
IMHO that way it's easier to reason about what relationship exists here.
2025-09-16 11:32:11 +02:00
Maximilian Bosch
367332e56e
update: 2025.8.1 -> 2025.8.2
...
ChangeLog: https://github.com/goauthentik/authentik/releases/tag/version%2F2025.8.2
Flake lock file updates:
• Updated input 'flake-parts':
'github:hercules-ci/flake-parts/af66ad14b28a127c5c0f3bbb298218fc63528a18' (2025-08-06)
→ 'github:hercules-ci/flake-parts/4524271976b625a4a605beefd893f270620fd751' (2025-09-01)
• Updated input 'flake-parts/nixpkgs-lib':
'github:nix-community/nixpkgs.lib/0f36c44e01a6129be94e3ade315a5883f0228a6e' (2025-07-27)
→ 'github:nix-community/nixpkgs.lib/a73b9c743612e4244d865a2fdee11865283c04e6' (2025-08-10)
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/dfb2f12e899db4876308eba6d93455ab7da304cd' (2025-08-28)
→ 'github:NixOS/nixpkgs/c23193b943c6c689d70ee98ce3128239ed9e32d1' (2025-09-13)
• Updated input 'pyproject-build-systems':
'github:pyproject-nix/build-system-pkgs/6edb3ae27395cd88be3d64b732d1539957dad59c' (2025-08-25)
→ 'github:pyproject-nix/build-system-pkgs/5b8e37fe0077db5c1df3a5ee90a651345f085d38' (2025-09-08)
• Updated input 'pyproject-nix':
'github:pyproject-nix/pyproject.nix/030dffc235dcf240d918c651c78dc5f158067b51' (2025-08-28)
→ 'github:pyproject-nix/pyproject.nix/8d77f342d66ad1601cdb9d97e9388b69f64d4c8e' (2025-09-07)
• Updated input 'uv2nix':
'github:pyproject-nix/uv2nix/0529e6d8227517205afcd1b37eee3088db745730' (2025-08-29)
→ 'github:pyproject-nix/uv2nix/780494c40895bb7419a73d942bee326291e80b3b' (2025-09-15)
2025-09-16 10:47:47 +02:00
Maximilian Bosch
04db807ac0
Merge pull request #35 from SuperSandro2000/patch-1
...
Fix indentation of markdown code blocks
2025-09-12 13:35:06 +02:00
Maximilian Bosch
22827e9a0c
terraform-provider-authentik: 2025.6.0 -> 2025.8.0
2025-09-05 10:53:16 +02:00
Maximilian Bosch
cfa634fd2d
Merge pull request #70 from nix-community/authentik-2025.8
...
update: 2025.6.4 -> 2025.8.1
2025-09-05 10:49:56 +02:00
Maximilian Bosch
6dc84faaec
update: 2025.6.4 -> 2025.8.1
...
See https://next.goauthentik.io/releases/2025.8/
ChangeLog: https://next.goauthentik.io/releases/2025.8/#fixed-in-202581
The following things changed:
* We're blocked on going to NodeJS 24.x (which is the version upstream
  uses) because it breaks with napalm[1].
* The worker has been switched from celery to dramatiq. An automatic
  migration of the tasks doesn't exist, the operator must make sure to
  stop the server and let the queue drain[2].
  While this eliminates the need of Redis for Celery, the tests fail
  without Redis. After inspecting the code, it looks like it's still
  needed for e.g. session management.
[1] https://github.com/npm/cli/issues/8541
[2] https://next.goauthentik.io/releases/2025.8/#fixed-in-202581
2025-08-30 12:34:10 +02:00
Maximilian Bosch
a31bbcc1bf
Merge pull request #68 from quentinmit/ak-properties
...
module: support additional properties in "ak"
2025-08-29 16:03:43 +02:00
Quentin Smith
940f49870b
module: support additional properties in "ak"
...
This changes the "ak" script to contain all properties from the
authentik.service unit except the Exec* and Restart* properties. This allows the
script to work when the user has added additional properties to the unit (e.g.
the `SupplementaryGroups` property to connect to Redis over a Unix socket).
2025-08-26 17:24:35 -04:00
Maximilian Bosch
1361d269fe
terraform-provider: 2025.4.0 -> 2025.6.0
...
https://github.com/goauthentik/terraform-provider-authentik/releases/tag/v2025.6.0
2025-07-24 16:59:22 +02:00
Maximilian Bosch
3634900731
Merge pull request #67 from xanderio/authentik-2025.06
...
update: 2025.4.4 -> 2025.6.4
2025-07-24 16:51:41 +02:00
Alexander Sieg
e155dd91f6
update: 2025.4.4 -> 2025.6.4
...
co-authored-by: Maximilian Bosch <maximilian@mbosch.me>
2025-07-24 15:00:27 +02:00
Maximilian Bosch
7bb4dfd067
update: 2025.4.3 -> 2025.4.4, fix CVE-2025-53942
...
See https://docs.goauthentik.io/docs/security/cves/CVE-2025-53942
2025-07-22 16:55:55 +02:00
Maximilian Bosch
1a4d6a5dd6
update: 2025.4.2 -> 2025.4.3, fix CVE-2025-52553
...
You're most likely not affected unless you override the Go part yourself
to enable the RAC provider.
See https://version-2025-4.goauthentik.io/docs/releases/2025.4#fixed-in-202543
Flake lock file updates:
• Updated input 'authentik-src':
'github:goauthentik/authentik/bda30c5ad5838fea36dc0a06f8580cca437f0fc0' (2025-06-04)
→ 'github:goauthentik/authentik/b34665fabd8d938d81ce871a4e86ca528c5f253b' (2025-06-27)
2025-06-27 16:05:52 +02:00
Maximilian Bosch
79e3b86100
flake.lock: Update
...
Flake lock file updates:
• Updated input 'flake-parts':
'github:hercules-ci/flake-parts/49f0870db23e8c1ca0b5259734a02cd9e1e371a1' (2025-06-01)
→ 'github:hercules-ci/flake-parts/9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569' (2025-06-08)
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/c2a03962b8e24e669fb37b7df10e7c79531ff1a4' (2025-06-03)
→ 'github:NixOS/nixpkgs/30a61f056ac492e3b7cdcb69c1e6abdcf00e39cf' (2025-06-24)
• Updated input 'pyproject-build-systems':
'github:pyproject-nix/build-system-pkgs/33bd58351957bb52dd1700ea7eeefe34de06a892' (2025-05-29)
→ 'github:pyproject-nix/build-system-pkgs/7c06967eca687f3482624250428cc12f43c92523' (2025-06-10)
• Updated input 'pyproject-nix':
'github:pyproject-nix/pyproject.nix/e09c10c24ebb955125fda449939bfba664c467fd' (2025-05-06)
→ 'github:pyproject-nix/pyproject.nix/e824458bd917b44bf4c38795dea2650336b2f55d' (2025-06-21)
• Updated input 'uv2nix':
'github:pyproject-nix/uv2nix/a4dd471de62b27928191908f57bfcd702ec2bfc9' (2025-06-03)
→ 'github:pyproject-nix/uv2nix/4b703d851b61e664a70238711a8ff0efa1aa2f52' (2025-06-27)
2025-06-27 13:33:24 +02:00
Maximilian Bosch
271a38f7c4
flake.lock: Update
...
Flake lock file updates:
• Updated input 'flake-parts':
'github:hercules-ci/flake-parts/c621e8422220273271f52058f618c94e405bb0f5' (2025-04-01)
→ 'github:hercules-ci/flake-parts/49f0870db23e8c1ca0b5259734a02cd9e1e371a1' (2025-06-01)
• Updated input 'flake-parts/nixpkgs-lib':
'github:nix-community/nixpkgs.lib/e4822aea2a6d1cdd36653c134cacfd64c97ff4fa' (2025-03-30)
→ 'github:nix-community/nixpkgs.lib/656a64127e9d791a334452c6b6606d17539476e2' (2025-06-01)
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/adaa24fbf46737f3f1b5497bf64bae750f82942e' (2025-05-13)
→ 'github:NixOS/nixpkgs/c2a03962b8e24e669fb37b7df10e7c79531ff1a4' (2025-06-03)
• Updated input 'pyproject-build-systems':
'github:pyproject-nix/build-system-pkgs/7dba6dbc73120e15b558754c26024f6c93015dd7' (2025-04-14)
→ 'github:pyproject-nix/build-system-pkgs/33bd58351957bb52dd1700ea7eeefe34de06a892' (2025-05-29)
• Updated input 'uv2nix':
'github:pyproject-nix/uv2nix/fe540e91c26f378c62bf6da365a97e848434d0cd' (2025-05-07)
→ 'github:pyproject-nix/uv2nix/a4dd471de62b27928191908f57bfcd702ec2bfc9' (2025-06-03)
2025-06-05 15:26:02 +02:00
Maximilian Bosch
4465579623
update: 2025.4.1 -> 2025.4.2
...
See https://docs.goauthentik.io/docs/releases/2025.4#fixed-in-202542
Flake lock file updates:
• Updated input 'authentik-src':
'github:goauthentik/authentik/ae47624761f05040149d856d5e55a90cd7492740' (2025-05-15)
→ 'github:goauthentik/authentik/bda30c5ad5838fea36dc0a06f8580cca437f0fc0' (2025-06-04)
2025-06-05 15:03:01 +02:00
Maximilian Bosch
f204746603
flake.lock: Update
...
Flake lock file updates:
• Updated input 'flake-compat':
'github:edolstra/flake-compat/ff81ac966bb2cae68946d5ed5fc4994f96d0ffec' (2024-12-04)
→ 'github:edolstra/flake-compat/9100a0f413b0c601e0533d1d94ffd501ce2e7885' (2025-05-12)
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/f02fddb8acef29a8b32f10a335d44828d7825b78' (2025-05-01)
→ 'github:NixOS/nixpkgs/adaa24fbf46737f3f1b5497bf64bae750f82942e' (2025-05-13)
• Updated input 'pyproject-nix':
'github:pyproject-nix/pyproject.nix/3e9623bdd86a3c545e82b7f97cfdba5f07232d9a' (2025-05-02)
→ 'github:pyproject-nix/pyproject.nix/e09c10c24ebb955125fda449939bfba664c467fd' (2025-05-06)
• Updated input 'uv2nix':
'github:pyproject-nix/uv2nix/680e2f8e637bc79b84268949d2f2b2f5e5f1d81c' (2025-04-30)
→ 'github:pyproject-nix/uv2nix/fe540e91c26f378c62bf6da365a97e848434d0cd' (2025-05-07)
2025-05-16 11:11:18 +02:00
Maximilian Bosch
9509c52f62
update: 2025.4.0 -> 2025.4.1
...
See https://docs.goauthentik.io/docs/releases/2025.4#fixed-in-202541
Flake lock file updates:
• Updated input 'authentik-src':
'github:goauthentik/authentik/22412729e2379d645da2ac0c0270a0ac6147945e' (2025-04-29)
→ 'github:goauthentik/authentik/ae47624761f05040149d856d5e55a90cd7492740' (2025-05-15)
2025-05-16 11:07:49 +02:00
Maximilian Bosch
2ef24fac99
Merge pull request #46 from GeoffreyFrogeye/push-xklzwvrxluln
...
module: add basic proxy outpost service
2025-05-10 12:54:52 +02:00
Maximilian Bosch
0b5a364838
Merge pull request #59 from Ma27/authentik-2025.04
...
update: 2025.2.4 -> 2025.4.0, switch to uv
2025-05-09 08:03:44 +02:00
Maximilian Bosch
c350e8655c
flake.lock: Update
...
Flake lock file updates:
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/8a2f738d9d1f1d986b5a4cd2fd2061a7127237d7' (2025-04-23)
→ 'github:NixOS/nixpkgs/f02fddb8acef29a8b32f10a335d44828d7825b78' (2025-05-01)
• Updated input 'pyproject-nix':
'github:pyproject-nix/pyproject.nix/2db2d95ddbc4ff5e29730cb82fdba6647be258a7' (2025-04-27)
→ 'github:pyproject-nix/pyproject.nix/3e9623bdd86a3c545e82b7f97cfdba5f07232d9a' (2025-05-02)
• Updated input 'uv2nix':
'github:pyproject-nix/uv2nix/6d19baf0fcc7a013ae9c1c188bbf7cfe37b566e0' (2025-04-30)
→ 'github:pyproject-nix/uv2nix/680e2f8e637bc79b84268949d2f2b2f5e5f1d81c' (2025-04-30)
2025-05-03 16:26:07 +02:00
Maximilian Bosch
cfe34a4975
terraform-provider: 2025.2.0 -> 2025.4.0
2025-05-03 16:25:40 +02:00
Maximilian Bosch
893670fa74
update: 2025.2.4 -> 2025.4.0
...
See https://docs.goauthentik.io/docs/releases/2025.4
2025-05-03 16:22:32 +02:00
Maximilian Bosch
ce1abb8640
Merge pull request #58 from MarcelCoding/patch-1
...
Add NixOS support notice
2025-05-02 20:28:01 +02:00
Marcel
ca24576392
Update README.md
2025-05-01 19:22:01 +02:00
Marcel
73af54b0d6
Update README.md
2025-05-01 19:00:34 +02:00
Geoffrey “Frogeye” Preud'homme
794eb56bac
module: add basic proxy outpost service
2025-05-01 18:46:01 +02:00
Marcel
ac06ee0ecc
Update README.md
2025-05-01 18:40:48 +02:00
Maximilian Bosch
618330bee6
Merge pull request #51 from Ma27/path-type
...
module: prohibit store-paths for environmentFile
2025-04-28 16:50:30 +02:00
Maximilian Bosch
e9bde1ace0
module: prohibit store-paths for environmentFile
...
The store is world-readable, so secrets shouldn't end up there in the
first place. On top, `types.path` has the following behavior:
* `toString foo` returns the absolute path
* `${foo}` copies the path silently into the store and returns the
  store-path.
This happens without any real feedback, so this can be caused by an
innocent looking change.
To address this problem, `pathsWith` was introduced into <nixpkgs/lib>
which allows absolute paths represented as string, but rejects things
pointing to the store and path literals which may be copied later on.
2025-04-28 13:52:51 +02:00
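
The type check described in the commit above, as an added example that is not authentik-nix code: it evaluates a one-option module against `lib.types.path` and against the stricter type, which nixpkgs exposes as `lib.types.pathWith`. It assumes `<nixpkgs>` resolves to a nixpkgs that ships `pathWith` and that the store directory is `/nix/store`; the option name and all sample values are constructed.

```nix
# Added example. Evaluate with:
#   nix-instantiate --eval --strict example.nix
let
  lib = (import <nixpkgs> { }).lib;

  # Evaluate a module with a single option of the given type and report
  # whether the definition passes the option's type check.
  accepts = type: value:
    (builtins.tryEval (lib.evalModules {
      modules = [
        { options.environmentFile = lib.mkOption { inherit type; }; }
        { environmentFile = value; }
      ];
    }).config.environmentFile).success;

  # Loose: any absolute path, given as a string or as a path literal.
  loose = lib.types.path;

  # Strict: absolute path strings outside the store only.
  strict = lib.types.pathWith {
    inStore = false;
    absolute = true;
  };

  # Constructed sample values.
  runtimeSecret = "/run/secrets/authentik.env";
  storeString = "/nix/store/00000000000000000000000000000000-authentik.env";
  # A path literal: "${pathLiteral}" would copy the file into the store.
  pathLiteral = ./authentik.env;

  check = type: {
    runtimeSecret = accepts type runtimeSecret;
    storeString = accepts type storeString;
    pathLiteral = accepts type pathLiteral;
  };
in
{
  loose = check loose;
  strict = check strict;
}
```

The loose type lets all three values through, while the strict type accepts only the runtime path string, so a secret that would land in the world-readable store fails at evaluation time instead of silently at build time.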