Commit graph

215 commits

Author SHA1 Message Date
WilliButz
262910c7e9
README: add new matrix room 2024-07-12 12:24:51 +02:00
WilliButz
bb756751b0
update: 2024.4.2 -> 2024.4.3 (security update)
Fixes CVE-2024-37905 and CVE-2024-38371

See https://docs.goauthentik.io/docs/releases/2024.4#fixed-in-202443

Flake lock file update:
• Updated input 'authentik-src':
    'github:goauthentik/authentik/1f5953b5b7e72c085246e8f19b94482dac946d83' (2024-05-07)
  → 'github:goauthentik/authentik/5afceaa55f4d831db0cf9d80562e86eb43b622ec' (2024-06-26)
2024-06-26 13:36:02 +02:00
WilliButz
1942bdac27
Merge pull request #25 from Ma27/media-root-cfg-fix
module: fix media root config
2024-06-07 13:19:13 +02:00
WilliButz
46785dd20a
Merge pull request #26 from Ma27/go-testing
components/gopkgs: skip tests
2024-06-07 13:17:48 +02:00
Maximilian Bosch
a220eb605f
components/gopkgs: skip tests
There aren't any tests, but it's hanging in this phase for a while since
it compiles Go code to see if there are any tests in the modules.

    authentik-gopkgs> Running phase: checkPhase
    authentik-gopkgs> ?     goauthentik.io/cmd/ldap [no test files]
    authentik-gopkgs> ?     goauthentik.io/cmd/server       [no test files]
    authentik-gopkgs> ?     goauthentik.io/cmd/proxy        [no test files]
    authentik-gopkgs> ?     goauthentik.io/cmd/radius       [no test files]
2024-06-02 21:07:19 +02:00
Maximilian Bosch
d4c45b01f2
module: fix media root config
Was changed within upstream commit abc0c2d2a2a0bfb0214798ed6bca9d59359b39f8.

The sole reason this worked was that `settings.storage.media.file.path`
pointed to `./media`, relative to `/var/lib/authentik`.

Update our config accordingly.
2024-06-02 17:40:27 +02:00
WilliButz
e9ae3992d5
flake: comment out override-scope test for ci 2024-05-08 21:59:17 +02:00
WilliButz
dd78a73a98
terraform-provider: 2024.4.0 -> 2024.4.1 2024-05-08 13:09:35 +02:00
WilliButz
53e00921be
update: 2024.4.1 -> 2024.4.2
- removed patch for frontend package-lock.json, meaning IFD (import from
  derivation) is no longer an issue

Flake lock file updates:

• Updated input 'authentik-src':
    'github:goauthentik/authentik/ca70c963e55daf73b479a4513da06ac5cea77718' (2024-04-26)
  → 'github:goauthentik/authentik/1f5953b5b7e72c085246e8f19b94482dac946d83' (2024-05-07)
• Updated input 'poetry2nix':
    'github:nix-community/poetry2nix/9245811b58905453033f1ef551f516cbee71c42c' (2024-04-26)
  → 'github:nix-community/poetry2nix/e6b36523407ae6a7a4dfe29770c30b3a3563b43a' (2024-05-06)
• Updated input 'poetry2nix/treefmt-nix':
    'github:numtide/treefmt-nix/e504621290a1fd896631ddbc5e9c16f4366c9f65' (2024-02-19)
  → 'github:numtide/treefmt-nix/c6aaf729f34a36c445618580a9f95a48f5e4e03f' (2024-04-25)
2024-05-08 13:00:03 +02:00
WilliButz
47e376250e
module: increase priority for postgresql package default
This gives the default value from this module a slightly higher
priority than the upstream module's default, while still allowing users
to simply set `services.postgresql.package` using the default priority.

The change in 8bc790171f introduced
`mkDefault` for the postgresql package.
Unfortunately the upstream package option default is also specified
using `mkDefault` instead of the more appropriate `mkOptionDefault`.

This meant that users with a `system.stateVersion` other than `22.05`,
`22.11` or `23.05` got an evaluation error because there are two
conflicting definitions for the package option.
2024-05-02 18:27:53 +02:00
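To make the priority mechanics behind this commit concrete, here is an added illustration in NixOS module form. It is not code from this repository; the package versions and the upstream default shown are assumptions used only to demonstrate which definition wins.

```nix
{ config, lib, pkgs, ... }:
{
  # NixOS option definitions carry a numeric priority; the lowest number wins.
  #   lib.mkForce         = lib.mkOverride 50
  #   plain assignment    = priority 100 (lib.modules.defaultOverridePriority)
  #   lib.mkDefault       = lib.mkOverride 1000
  #   lib.mkOptionDefault = lib.mkOverride 1500
  # For a single-valued option such as services.postgresql.package
  # (types.package) two definitions at the SAME priority are a conflict
  # and abort evaluation.

  # Assumed upstream-style default (the assumption here is that upstream
  # uses mkDefault, priority 1000, rather than mkOptionDefault):
  #   services.postgresql.package = lib.mkDefault pkgs.postgresql_15;

  # If this module also used lib.mkDefault, both definitions would sit at
  # priority 1000 and clash. Priority 999 beats upstream's default while a
  # plain user assignment (priority 100) still overrides both:
  services.postgresql.package = lib.mkOverride 999 pkgs.postgresql_14;

  # A user's configuration therefore needs no mkForce:
  #   services.postgresql.package = pkgs.postgresql_16;
}
```

The check worth running after such a change is `nixos-rebuild dry-build` (or `nix eval .#nixosConfigurations.<host>.config.services.postgresql.package`) with a `system.stateVersion` that selects a different upstream default than the module's, since that is exactly the combination that produced the conflicting-definitions error.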
WilliButz
e9a0d0e62f
tests: update instructions, fix override-scope test
Fixes divergence between the two test scripts.
The test doesn't need to be executed by default. It is just a
demonstration on how to use a custom scope that can be created with
the function `mkAuthentikScope`, that is available through the `lib`
flake output.
2024-05-02 17:05:13 +02:00
WilliButz
e3a0712b29
Merge pull request #18 from quentinmit/softer-integration
Reduce NixOS config overrides
2024-04-30 16:48:25 +02:00
WilliButz
965f4d4012
module: drop default settings for airgapped mode
These settings were originally taken from
https://docs.goauthentik.io/docs/installation/air-gapped
but I think they should be configured by users themselves rather than
being enforced by this module.

Notes:
* error reporting is already disabled by default
* the update check setting obviously didn't do anything as the update
  check was always running
* "startup analytics" currently refers to a POST request[1] to upstream authentik
  that includes the running version, a SHA-512 digest of the unique
  installation id, and an env string that refers to the environment in which
  authentik is running, which should be "custom"[2] for NixOS.

[1]: https://github.com/goauthentik/authentik/blob/version/2024.4.1/lifecycle/gunicorn.conf.py#L122-L137
[2]: https://github.com/goauthentik/authentik/blob/version/2024.4.1/authentik/lib/utils/reflection.py#L52-L64
2024-04-28 14:18:53 +02:00
WilliButz
876db63217
module: don't set services.postgresql.package for new installations 2024-04-28 14:18:53 +02:00
Quentin Smith
8bc790171f
module: don't force Postgres 14 2024-04-28 13:13:42 +02:00
Quentin Smith
c178d820d7
module: use TZ environment variable to set UTC timezone instead of overriding system zone 2024-04-28 13:13:26 +02:00
WilliButz
d2a70db150
terraform-provider: 2023.10.0 -> 2024.4.0 2024-04-27 22:09:32 +02:00
WilliButz
608c5dd4f5
update: 2024.2.3 -> 2024.4.1
Release notes: https://docs.goauthentik.io/docs/releases/2024.4

Notable dependency updates:
python 3.11 -> python 3.12
golang 1.21 -> golang 1.22
nixpkgs-23.11 -> nixpkgs-unstable (for golang 1.22 until 24.05)

Introduces patch to `web/package-lock.json`, see `components/frontend.nix`,
this will cause IFD until the issue is resolved.
https://nixos.org/manual/nix/stable/language/import-from-derivation

Flake lock file updates:

• Updated input 'authentik-src':
    'github:goauthentik/authentik/6bb180f94ec124092c4f87ae5f5d892a70b32ff3' (2024-04-17)
  → 'github:goauthentik/authentik/ca70c963e55daf73b479a4513da06ac5cea77718' (2024-04-26)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/53a2c32bc66f5ae41a28d7a9a49d321172af621e' (2024-04-15)
  → 'github:NixOS/nixpkgs/6143fc5eeb9c4f00163267708e26191d1e918932' (2024-04-21)
• Updated input 'poetry2nix':
    'github:nix-community/poetry2nix/3c92540611f42d3fb2d0d084a6c694cd6544b609' (2024-02-22)
  → 'github:nix-community/poetry2nix/9245811b58905453033f1ef551f516cbee71c42c' (2024-04-26)
2024-04-27 20:59:27 +02:00
WilliButz
5011f30262
update README
- dropped table of contents. There is one rendered by the GitHub UI and it became
inconsistent anyway.
- add short section about usage without flakes
2024-04-17 15:53:34 +02:00
WilliButz
4cdde46347
update: 2024.2.2 -> 2024.2.3
Adapted media upload patch.

Flake lock file updates:

• Updated input 'authentik-src':
    'github:goauthentik/authentik/4ec37c52395df6a3b431934cb27771ff814b024c' (2024-03-04)
  → 'github:goauthentik/authentik/6bb180f94ec124092c4f87ae5f5d892a70b32ff3' (2024-04-17)
2024-04-17 14:53:22 +02:00
WilliButz
8be1dcc549
flake.lock: Update
Flake lock file updates:

• Updated input 'flake-parts':
    'github:hercules-ci/flake-parts/f7b3c975cf067e56e7cda6cb098ebe3fb4d74ca2' (2024-03-01)
  → 'github:hercules-ci/flake-parts/9126214d0a59633752a136528f5f3b9aa8565b7d' (2024-04-01)
• Updated input 'flake-parts/nixpkgs-lib':
    'github:NixOS/nixpkgs/1536926ef5621b09bba54035ae2bb6d806d72ac8?dir=lib' (2024-02-29)
  → 'github:NixOS/nixpkgs/d8fe5e6c92d0d190646fb9f1056741a229980089?dir=lib' (2024-03-29)
• Updated input 'flake-utils':
    'github:numtide/flake-utils/d465f4819400de7c8d874d50b982301f28a84605' (2024-02-28)
  → 'github:numtide/flake-utils/b1d9ab70662946ef0850d488da1c9019f3a9752a' (2024-03-11)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/617579a787259b9a6419492eaac670a5f7663917' (2024-03-04)
  → 'github:NixOS/nixpkgs/53a2c32bc66f5ae41a28d7a9a49d321172af621e' (2024-04-15)
2024-04-17 14:25:17 +02:00
WilliButz
d700a0df67
Merge pull request #21 from MarcelCoding/main
ordering authentik after network is configured
2024-04-06 21:57:13 +02:00
Marcel
29c944aece
fixed broken online dependencies 2024-04-06 21:51:16 +02:00
WilliButz
30686ffd70
update: 2024.2.1 -> 2024.2.2
https://docs.goauthentik.io/docs/releases/2024.2#fixed-in-202422

Flake lock file updates:

• Updated input 'authentik-src':
    'github:goauthentik/authentik/8256f1897df0a741a81dcb066d4edae879c30408' (2024-02-22)
  → 'github:goauthentik/authentik/4ec37c52395df6a3b431934cb27771ff814b024c' (2024-03-04)
2024-03-05 10:41:30 +01:00
WilliButz
a6284190eb
flake.lock: Update
Flake lock file updates:

• Updated input 'flake-parts':
    'github:hercules-ci/flake-parts/07f6395285469419cf9d078f59b5b49993198c00' (2024-01-11)
  → 'github:hercules-ci/flake-parts/f7b3c975cf067e56e7cda6cb098ebe3fb4d74ca2' (2024-03-01)
• Updated input 'flake-parts/nixpkgs-lib':
    'github:NixOS/nixpkgs/b0d36bd0a420ecee3bc916c91886caca87c894e9?dir=lib' (2023-12-30)
  → 'github:NixOS/nixpkgs/1536926ef5621b09bba54035ae2bb6d806d72ac8?dir=lib' (2024-02-29)
• Updated input 'flake-utils':
    'github:numtide/flake-utils/1ef2e671c3b0c19053962c07dbda38332dcebf26' (2024-01-15)
  → 'github:numtide/flake-utils/d465f4819400de7c8d874d50b982301f28a84605' (2024-02-28)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/56911ef3403a9318b7621ce745f5452fb9ef6867' (2024-01-27)
  → 'github:NixOS/nixpkgs/617579a787259b9a6419492eaac670a5f7663917' (2024-03-04)
• Updated input 'poetry2nix':
    'github:nix-community/poetry2nix/403d923ea8e2e6cedce3a0f04a9394c4244cb806' (2024-02-17)
  → 'github:nix-community/poetry2nix/3c92540611f42d3fb2d0d084a6c694cd6544b609' (2024-02-22)
• Updated input 'poetry2nix/nix-github-actions':
    'github:nix-community/nix-github-actions/4bb5e752616262457bc7ca5882192a564c0472d2' (2023-11-03)
  → 'github:nix-community/nix-github-actions/5163432afc817cf8bd1f031418d1869e4c9d5547' (2023-12-29)
• Updated input 'poetry2nix/treefmt-nix':
    'github:numtide/treefmt-nix/e82f32aa7f06bbbd56d7b12186d555223dc399d1' (2023-11-12)
  → 'github:numtide/treefmt-nix/e504621290a1fd896631ddbc5e9c16f4366c9f65' (2024-02-19)
2024-03-05 10:41:30 +01:00
WilliButz
1392167355
Merge pull request #20 from Ma27/ak-script
module: add `ak` script
2024-02-26 11:00:19 +01:00
Maximilian Bosch
2da27254c1
module: add ak script
This was made possible by d85dacb6c2,
which allows `manage.py` to be used directly. That script is
effectively used whenever the `ak` command is referenced in the docs,
e.g. to set a new password for the superuser or to send a test email.

This needs to run as the same (dynamic) user and with the same env file,
otherwise `manage.py` exits early. To achieve that, I
decided to use `systemd-run(1)` because now the invocation can be
configured the same way as services are.
2024-02-26 09:32:48 +01:00
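An added sketch of the systemd-run approach this commit describes, written as a NixOS module fragment; it is not the repository's own `ak` script. Assumed names: the option `config.services.authentik.environmentFile` (a string path outside the Nix store), `cfg.package` as the derivation shipping `bin/manage.py`, and a main `authentik.service` that runs with `DynamicUser`, `User=authentik` and `StateDirectory=authentik`.

```nix
{ config, lib, pkgs, ... }:
let
  cfg = config.services.authentik;   # assumed option namespace
  authentik = cfg.package;           # assumed: derivation providing bin/manage.py

  # Run manage.py as a transient unit that copies the security-relevant
  # settings of authentik.service: the same dynamic user (systemd reuses the
  # uid allocated for that user name while the main service holds it), the
  # same secrets from the env file, and the same state directory. Running it
  # as root with a hand-exported environment would either leave root-owned
  # files under /var/lib/authentik or make manage.py exit early.
  #
  # cfg.environmentFile must be a string, not a path: interpolating a Nix
  # path copies the secret into the world-readable store.
  ak = pkgs.writeShellScriptBin "ak" ''
    exec ${pkgs.systemd}/bin/systemd-run \
      --pty --wait --collect --quiet \
      --service-type=exec \
      --working-directory=/var/lib/authentik \
      --property=DynamicUser=yes \
      --property=User=authentik \
      --property=StateDirectory=authentik \
      --property=EnvironmentFile=${cfg.environmentFile} \
      ${authentik}/bin/manage.py "$@"
  '';
in
{
  environment.systemPackages = [ ak ];
  # Usage (as root on the host): ak changepassword akadmin
}
```

Because the command is a normal transient unit, `journalctl -u 'run-*'` records who ran what, and the same hardening properties the main service uses (for example `ProtectSystem` or `PrivateTmp`) can be passed with additional `--property=` flags rather than re-implemented in the wrapper.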
WilliButz
5ed5c481f2
update: 2024.2.0 -> 2024.2.1
release notes: https://goauthentik.io/docs/releases/2024.2#fixed-in-202421

cryptography hash: https://github.com/nix-community/poetry2nix/pull/1538

Flake lock file updates:

• Updated input 'authentik-src':
    'github:goauthentik/authentik/310983a4d027174afe40e6db908cdfdebf1182b8' (2024-02-21)
  → 'github:goauthentik/authentik/8256f1897df0a741a81dcb066d4edae879c30408' (2024-02-22)
2024-02-22 17:38:01 +01:00
WilliButz
189ab274f5
Merge pull request #17 from MarcelCoding/radius
Added radius outpost
2024-02-22 15:01:51 +01:00
WilliButz
eb572302be
tests/minimal-vmtest: fix version check
It's now further up :)
2024-02-21 22:12:02 +01:00
WilliButz
d060292aa6
add patch to fix failing "tenant_files" migration
The new migration in tenant_files.py references a MEDIA_ROOT directory
based on its own path, which in our case is in the read-only /nix/store.

We need it to refer to the actual authentik state directory instead,
which defaults to /var/lib/authentik/media in module.nix
2024-02-21 22:12:02 +01:00
WilliButz
d85dacb6c2
components: drop celery, package manage.py instead 2024-02-21 22:12:02 +01:00
WilliButz
8edfcf318a
update: 2023.10.7 -> 2024.2.0
Release notes: https://goauthentik.io/docs/releases/2024.2

Flake lock file updates:

• Updated input 'authentik-src':
    'github:goauthentik/authentik/e095e9f694d2a427940bc8616bc4025fef502a8b' (2024-01-29)
  → 'github:goauthentik/authentik/310983a4d027174afe40e6db908cdfdebf1182b8' (2024-02-21)
• Updated input 'poetry2nix':
    'github:nix-community/poetry2nix/4eb2ac54029af42a001c9901194e9ce19cbd8a40' (2024-02-06)
  → 'github:nix-community/poetry2nix/403d923ea8e2e6cedce3a0f04a9394c4244cb806' (2024-02-17)
2024-02-21 22:12:02 +01:00
Marcel
52b831735c
Added radius outpost 2024-02-14 22:00:58 +01:00
WilliButz
497c207488
flake.lock: update poetry2nix, fixes IFD in watchfiles
Fixes #5

Flake lock file updates:

• Updated input 'poetry2nix':
    'github:nix-community/poetry2nix/e0b44e9e2d3aa855d1dd77b06f067cd0e0c3860d' (2024-01-12)
  → 'github:nix-community/poetry2nix/4eb2ac54029af42a001c9901194e9ce19cbd8a40' (2024-02-06)
2024-02-06 11:50:50 +01:00
WilliButz
a3663ee7bc
github/workflows/flakehub-publish: drop 2024-02-06 11:50:50 +01:00
WilliButz
2fb62afc42
Merge pull request #16 from MarcelCoding/postgres
Made postgres optional
2024-01-31 11:22:01 +01:00
Marcel
347066b2ca
Made postgres optional 2024-01-31 10:26:11 +01:00
WilliButz
5fa451e055
flake.lock: Update
Flake lock file updates:

• Updated input 'flake-parts':
    'github:hercules-ci/flake-parts/34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5' (2023-12-01)
  → 'github:hercules-ci/flake-parts/07f6395285469419cf9d078f59b5b49993198c00' (2024-01-11)
• Updated input 'flake-parts/nixpkgs-lib':
    'github:NixOS/nixpkgs/e92039b55bcd58469325ded85d4f58dd5a4eaf58?dir=lib' (2023-11-29)
  → 'github:NixOS/nixpkgs/b0d36bd0a420ecee3bc916c91886caca87c894e9?dir=lib' (2023-12-30)
• Updated input 'flake-utils':
    'github:numtide/flake-utils/4022d587cbbfd70fe950c1e2083a02621806a725' (2023-12-04)
  → 'github:numtide/flake-utils/1ef2e671c3b0c19053962c07dbda38332dcebf26' (2024-01-15)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/933d7dc155096e7575d207be6fb7792bc9f34f6d' (2023-12-02)
  → 'github:NixOS/nixpkgs/56911ef3403a9318b7621ce745f5452fb9ef6867' (2024-01-27)
• Updated input 'nixpkgs-23-05':
    'github:NixOS/nixpkgs/e9f06adb793d1cca5384907b3b8a4071d5d7cb19' (2023-12-03)
  → 'github:NixOS/nixpkgs/70bdadeb94ffc8806c0570eb5c2695ad29f0e421' (2024-01-03)
• Updated input 'poetry2nix':
    'github:nix-community/poetry2nix/9fc487b32a68473da4bf9573f85b388043c5ecda' (2023-12-06)
  → 'github:nix-community/poetry2nix/e0b44e9e2d3aa855d1dd77b06f067cd0e0c3860d' (2024-01-12)
2024-01-29 18:32:43 +01:00
WilliButz
30e4ac1dfd
update: 2023.10.6 -> 2023.10.7 (security update)
Fixes CVE-2024-23647

See https://goauthentik.io/docs/security/CVE-2024-23647

Flake lock file updates:

• Updated input 'authentik-src':
    'github:goauthentik/authentik/1cd000dfe204b9605c85e6cebc051586a0329604' (2024-01-09)
  → 'github:goauthentik/authentik/e095e9f694d2a427940bc8616bc4025fef502a8b' (2024-01-29)
2024-01-29 18:17:08 +01:00
WilliButz
3904e3d29b
module: remove restartTriggers from ldap outpost service
Fixes #15

Before this change it was non-trivial to deploy the ldap outpost without
also activating the main authentik service on the same host. Adding
functionality to provide a separate configuration file for the outpost
service remains an open task.
2024-01-28 21:15:41 +01:00
WilliButz
bc628c0094
Merge pull request #14 from shokinn/fix-service-dependencies
Add dependency to network-online.target for authentik.service
2024-01-28 13:00:07 +01:00
shokinn
4dd485a366
Add dependency to network-online.target for authentik-ldap.service 2024-01-28 00:42:02 +01:00
shokinn
3bf78b1126
Add dependency to network-online.target for authentik.service 2024-01-24 18:42:16 +01:00
WilliButz
d5e41d40fa
Merge pull request #10 from xanderio/media_upload
enable media uploads
2024-01-15 22:10:58 +01:00
Alexander Sieg
8e23ad0cef
enable media uploads
The media upload feature is built around being deployed in a container
and only enables uploads when `/media` is a mountpoint. This isn't the
case on NixOS and as such media uploads are disabled.

In order to enable this, we need to patch authentik so that the
`can_save_media` capability is enabled.
2024-01-15 17:10:22 +01:00
WilliButz
8ff6252370
update: 2023.10.5 -> 2023.10.6 (security update)
Fixes CVE-2024-21637

See https://goauthentik.io/docs/security/CVE-2024-21637

Flake lock file updates:

• Updated input 'authentik-src':
    'github:goauthentik/authentik/a15a04036223c53bea841436f4943278b4eab460' (2023-12-21)
  → 'github:goauthentik/authentik/1cd000dfe204b9605c85e6cebc051586a0329604' (2024-01-09)
2024-01-09 18:54:16 +01:00
WilliButz
1d2fe8bd1e
Merge pull request #9 from Ma27/restart-ldap-outpost
authentik-ldap: restart on failure
2024-01-03 20:06:33 +01:00
WilliButz
010cb5fae5
Merge pull request #7 from shokinn/fix-sending-email-missing-assets
link static workdir deps to /run/authentik
2024-01-03 20:05:43 +01:00
Maximilian Bosch
7c6103be81
authentik-ldap: restart on failure
I'm occasionally seeing the following error:

    Jan 01 22:02:10 auth ldap[151813]: fatal error: concurrent map writes
    Jan 01 22:02:10 auth ldap[151813]: fatal error: concurrent map writes
    Jan 01 22:02:10 auth ldap[151813]: goroutine 4841 [running]:
    Jan 01 22:02:10 auth ldap[151813]: goauthentik.io/api/v3.(*Configuration).AddDefaultHeader(...)
    Jan 01 22:02:10 auth ldap[151813]:         goauthentik.io/api/v3@v3.2023101.1/configuration.go:120
    Jan 01 22:02:10 auth ldap[151813]: goauthentik.io/internal/outpost/ldap/search/direct.(*DirectSearcher).Search(0xc0002ba4f8, 0xc000510dd0)
    Jan 01 22:02:10 auth ldap[151813]:         goauthentik.io/internal/outpost/ldap/search/direct/direct.go:112 +0x65a
    [...]
    Jan 01 22:02:10 auth systemd[1]: authentik-ldap.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
    Jan 01 22:02:10 auth systemd[1]: authentik-ldap.service: Failed with result 'exit-code'.

Obviously, I need to find out what's up there. However, services
shouldn't just die on a crash, but restart in that case. If that happens
too often, StartLimitBurst/StartLimitIntervalSec ensure that the
(re)start attempt is aborted eventually.

This is especially problematic because Nextcloud tries to contact the
LDAP server on every single request for a sync which means that the
entire service is down when such a crash happens.
2024-01-03 12:52:42 +01:00
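To show what the restart policy from this commit and the network-online ordering from the earlier `shokinn` commits look like together, here is an added NixOS module fragment. It is not the module's own code, and the numeric limits are assumed values chosen for illustration.

```nix
{ config, lib, pkgs, ... }:
{
  systemd.services.authentik-ldap = {
    # Ordering alone (After=) does not pull network-online.target into the
    # transaction; Wants= does. Without both, the outpost can start before
    # DNS or routes exist and fail its first connection to the core.
    # network-online.target is only meaningful if a wait-online service
    # (systemd-networkd-wait-online, NetworkManager-wait-online) is enabled.
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];

    # StartLimit* live in [Unit], so they belong under unitConfig, not
    # serviceConfig. More than 5 (re)starts within 120 s marks the unit
    # failed and stops the restart loop until `systemctl reset-failed`.
    unitConfig = {
      StartLimitIntervalSec = 120;  # assumed value
      StartLimitBurst = 5;          # assumed value
    };

    serviceConfig = {
      # on-failure covers a non-zero exit such as the Go runtime's
      # "fatal error: concurrent map writes" (status=2 in the log above),
      # but not a clean `systemctl stop`.
      Restart = "on-failure";
      RestartSec = 5;               # assumed value
    };
  };
}
```

After deploying, `systemctl show authentik-ldap.service -p Restart -p NRestarts -p Wants -p After` confirms both halves took effect, and a rising `NRestarts` is the signal to go back to the crash itself rather than rely on the restart loop.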