WilliButz
e9a0d0e62f
tests: update instructions, fix override-scope test
...
Fixes divergence between the two test scripts.
The test doesn't need to be executed by default. It is just a
demonstration of how to use a custom scope that can be created with
the function `mkAuthentikScope`, which is available through the `lib`
flake output.
2024-05-02 17:05:13 +02:00
WilliButz
e3a0712b29
Merge pull request #18 from quentinmit/softer-integration
...
Reduce NixOS config overrides
2024-04-30 16:48:25 +02:00
WilliButz
965f4d4012
module: drop default settings for airgapped mode
...
These settings were originally taken from
https://docs.goauthentik.io/docs/installation/air-gapped
but I think they should be configured by users themselves rather than
being enforced by this module.
Notes:
* error reporting is already disabled by default
* the update check setting obviously didn't do anything as the update
check was always running
* "startup analytics" currently refers to a POST request[1] to upstream authentik,
which includes the running version and a SHA-512 digest of the unique
installation id and an env string that refers to the environment in which
authentik is running, which should be "custom"[2] for NixOS.
[1]: https://github.com/goauthentik/authentik/blob/version/2024.4.1/lifecycle/gunicorn.conf.py#L122-L137
[2]: https://github.com/goauthentik/authentik/blob/version/2024.4.1/authentik/lib/utils/reflection.py#L52-L64
2024-04-28 14:18:53 +02:00
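Since the module no longer enforces the air-gapped settings, a deployment that must not reach out to upstream has to set them itself. The following is an added example, not code from authentik-nix or authentik; it assumes that `services.authentik.settings` accepts authentik's own configuration keys (the same names the upstream air-gapped guide uses as `AUTHENTIK_*` environment variables) and that the module is enabled elsewhere.

```nix
# Added example, not part of the authentik-nix module.
# Assumption: services.authentik.settings maps 1:1 onto authentik's
# configuration keys (disable_update_check, disable_startup_analytics,
# error_reporting.enabled).
{ config, lib, ... }:
{
  services.authentik = {
    enable = true;
    settings = {
      # Stop the periodic version check against upstream.
      disable_update_check = true;
      # Stop the startup POST that reports the running version and a
      # hashed installation id to upstream.
      disable_startup_analytics = true;
      # Already the default; stated explicitly so an audit of this host's
      # egress policy can read it off the configuration.
      error_reporting.enabled = false;
    };
  };
}
```

After deploying, verify on the host that no outbound connections to goauthentik.io appear at service start (e.g. with `ss -tnp` or a firewall log); the setting names above are only worth trusting once that check passes.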
WilliButz
876db63217
module: don't set services.postgresql.package for new installations
2024-04-28 14:18:53 +02:00
Quentin Smith
8bc790171f
module: don't force Postgres 14
2024-04-28 13:13:42 +02:00
Quentin Smith
c178d820d7
module: use TZ environment variable to set UTC timezone instead of overriding system zone
2024-04-28 13:13:26 +02:00
WilliButz
d2a70db150
terraform-provider: 2023.10.0 -> 2024.4.0
2024-04-27 22:09:32 +02:00
WilliButz
608c5dd4f5
update: 2024.2.3 -> 2024.4.1
...
Release notes: https://docs.goauthentik.io/docs/releases/2024.4
Notable dependency updates:
python 3.11 -> python 3.12
golang 1.21 -> golang 1.22
nixpkgs-23.11 -> nixpkgs-unstable (for golang 1.22 until 24.05)
Introduces patch to `web/package-lock.json`, see `components/frontend.nix`,
this will cause IFD until the issue is resolved.
https://nixos.org/manual/nix/stable/language/import-from-derivation
Flake lock file updates:
• Updated input 'authentik-src':
'github:goauthentik/authentik/6bb180f94ec124092c4f87ae5f5d892a70b32ff3' (2024-04-17)
→ 'github:goauthentik/authentik/ca70c963e55daf73b479a4513da06ac5cea77718' (2024-04-26)
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/53a2c32bc66f5ae41a28d7a9a49d321172af621e' (2024-04-15)
→ 'github:NixOS/nixpkgs/6143fc5eeb9c4f00163267708e26191d1e918932' (2024-04-21)
• Updated input 'poetry2nix':
'github:nix-community/poetry2nix/3c92540611f42d3fb2d0d084a6c694cd6544b609' (2024-02-22)
→ 'github:nix-community/poetry2nix/9245811b58905453033f1ef551f516cbee71c42c' (2024-04-26)
2024-04-27 20:59:27 +02:00
WilliButz
5011f30262
update README
...
- dropped table of contents. There is one rendered by the GitHub UI and it became
inconsistent anyway.
- add short section about usage without flakes
2024-04-17 15:53:34 +02:00
WilliButz
4cdde46347
update: 2024.2.2 -> 2024.2.3
...
Adapted media upload patch.
Flake lock file updates:
• Updated input 'authentik-src':
'github:goauthentik/authentik/4ec37c52395df6a3b431934cb27771ff814b024c' (2024-03-04)
→ 'github:goauthentik/authentik/6bb180f94ec124092c4f87ae5f5d892a70b32ff3' (2024-04-17)
2024-04-17 14:53:22 +02:00
WilliButz
8be1dcc549
flake.lock: Update
...
Flake lock file updates:
• Updated input 'flake-parts':
'github:hercules-ci/flake-parts/f7b3c975cf067e56e7cda6cb098ebe3fb4d74ca2' (2024-03-01)
→ 'github:hercules-ci/flake-parts/9126214d0a59633752a136528f5f3b9aa8565b7d' (2024-04-01)
• Updated input 'flake-parts/nixpkgs-lib':
'github:NixOS/nixpkgs/1536926ef5621b09bba54035ae2bb6d806d72ac8?dir=lib' (2024-02-29)
→ 'github:NixOS/nixpkgs/d8fe5e6c92d0d190646fb9f1056741a229980089?dir=lib' (2024-03-29)
• Updated input 'flake-utils':
'github:numtide/flake-utils/d465f4819400de7c8d874d50b982301f28a84605' (2024-02-28)
→ 'github:numtide/flake-utils/b1d9ab70662946ef0850d488da1c9019f3a9752a' (2024-03-11)
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/617579a787259b9a6419492eaac670a5f7663917' (2024-03-04)
→ 'github:NixOS/nixpkgs/53a2c32bc66f5ae41a28d7a9a49d321172af621e' (2024-04-15)
2024-04-17 14:25:17 +02:00
WilliButz
d700a0df67
Merge pull request #21 from MarcelCoding/main
...
ordering authentik after network is configured
2024-04-06 21:57:13 +02:00
Marcel
29c944aece
fixed broken online dependencies
2024-04-06 21:51:16 +02:00
WilliButz
30686ffd70
update: 2024.2.1 -> 2024.2.2
...
https://docs.goauthentik.io/docs/releases/2024.2#fixed-in-202422
Flake lock file updates:
• Updated input 'authentik-src':
'github:goauthentik/authentik/8256f1897df0a741a81dcb066d4edae879c30408' (2024-02-22)
→ 'github:goauthentik/authentik/4ec37c52395df6a3b431934cb27771ff814b024c' (2024-03-04)
2024-03-05 10:41:30 +01:00
WilliButz
a6284190eb
flake.lock: Update
...
Flake lock file updates:
• Updated input 'flake-parts':
'github:hercules-ci/flake-parts/07f6395285469419cf9d078f59b5b49993198c00' (2024-01-11)
→ 'github:hercules-ci/flake-parts/f7b3c975cf067e56e7cda6cb098ebe3fb4d74ca2' (2024-03-01)
• Updated input 'flake-parts/nixpkgs-lib':
'github:NixOS/nixpkgs/b0d36bd0a420ecee3bc916c91886caca87c894e9?dir=lib' (2023-12-30)
→ 'github:NixOS/nixpkgs/1536926ef5621b09bba54035ae2bb6d806d72ac8?dir=lib' (2024-02-29)
• Updated input 'flake-utils':
'github:numtide/flake-utils/1ef2e671c3b0c19053962c07dbda38332dcebf26' (2024-01-15)
→ 'github:numtide/flake-utils/d465f4819400de7c8d874d50b982301f28a84605' (2024-02-28)
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/56911ef3403a9318b7621ce745f5452fb9ef6867' (2024-01-27)
→ 'github:NixOS/nixpkgs/617579a787259b9a6419492eaac670a5f7663917' (2024-03-04)
• Updated input 'poetry2nix':
'github:nix-community/poetry2nix/403d923ea8e2e6cedce3a0f04a9394c4244cb806' (2024-02-17)
→ 'github:nix-community/poetry2nix/3c92540611f42d3fb2d0d084a6c694cd6544b609' (2024-02-22)
• Updated input 'poetry2nix/nix-github-actions':
'github:nix-community/nix-github-actions/4bb5e752616262457bc7ca5882192a564c0472d2' (2023-11-03)
→ 'github:nix-community/nix-github-actions/5163432afc817cf8bd1f031418d1869e4c9d5547' (2023-12-29)
• Updated input 'poetry2nix/treefmt-nix':
'github:numtide/treefmt-nix/e82f32aa7f06bbbd56d7b12186d555223dc399d1' (2023-11-12)
→ 'github:numtide/treefmt-nix/e504621290a1fd896631ddbc5e9c16f4366c9f65' (2024-02-19)
2024-03-05 10:41:30 +01:00
WilliButz
1392167355
Merge pull request #20 from Ma27/ak-script
...
module: add `ak` script
2024-02-26 11:00:19 +01:00
Maximilian Bosch
2da27254c1
module: add ak script
...
This was made possible by d85dacb6c2
which allows `manage.py` to be used directly. That script is
effectively used whenever the `ak` command is referenced in the docs,
e.g. to set a new password for the superuser or to send a test email.
This needs to run as the same (dynamic) user and with the same env file,
otherwise `manage.py` exits early. To achieve that, I
decided to use `systemd-run(1)` because now the invocation can be
configured the same way as services are.
2024-02-26 09:32:48 +01:00
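The point of the commit above is that an administrative invocation of `manage.py` only works if it runs under the same dynamic user, state directory and secrets file as the service itself. The following is an added illustration of that idea, not the project's `ak` script; it assumes a unit configured with `DynamicUser=yes`, `User=authentik`, `StateDirectory=authentik` and `EnvironmentFile=/etc/authentik/env`, and a hypothetical package `manage` exposing `bin/manage.py`.

```nix
# Added example, not authentik-nix's own `ak` implementation.
# Assumptions: unit properties below match authentik.service, and the
# `manage` argument is a package with bin/manage.py (hypothetical name).
{ pkgs, manage, ... }:
pkgs.writeShellScriptBin "ak" ''
  # systemd-run spawns a transient unit with the same sandbox properties
  # as the long-running service, so the dynamic uid/gid, the state
  # directory and the secrets in the env file line up without copying
  # credentials into the caller's shell. --pty keeps the command
  # interactive (e.g. for password prompts), --wait blocks until it
  # exits, --collect garbage-collects the transient unit even on failure.
  exec ${pkgs.systemd}/bin/systemd-run \
    --pty --wait --collect --quiet \
    --property=DynamicUser=yes \
    --property=User=authentik \
    --property=StateDirectory=authentik \
    --property=EnvironmentFile=/etc/authentik/env \
    --property=WorkingDirectory=/var/lib/authentik \
    ${manage}/bin/manage.py "$@"
''
```

This has to be run as root (systemd-run talks to the system manager), which is the intended property: the secrets file stays readable only by root and the transient unit, never by an unprivileged shell.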
WilliButz
5ed5c481f2
update: 2024.2.0 -> 2024.2.1
...
release notes: https://goauthentik.io/docs/releases/2024.2#fixed-in-202421
cryptography hash: https://github.com/nix-community/poetry2nix/pull/1538
Flake lock file updates:
• Updated input 'authentik-src':
'github:goauthentik/authentik/310983a4d027174afe40e6db908cdfdebf1182b8' (2024-02-21)
→ 'github:goauthentik/authentik/8256f1897df0a741a81dcb066d4edae879c30408' (2024-02-22)
2024-02-22 17:38:01 +01:00
WilliButz
189ab274f5
Merge pull request #17 from MarcelCoding/radius
...
Added radius outpost
2024-02-22 15:01:51 +01:00
WilliButz
eb572302be
tests/minimal-vmtest: fix version check
...
It's now further up :)
2024-02-21 22:12:02 +01:00
WilliButz
d060292aa6
add patch to fix failing "tenant_files" migration
...
The new migration in tenant_files.py references a MEDIA_ROOT directory
based on its own path, which in our case is in the read-only /nix/store.
We need it to refer to the actual authentik state directory instead,
which defaults to /var/lib/authentik/media in module.nix
2024-02-21 22:12:02 +01:00
WilliButz
d85dacb6c2
components: drop celery, package manage.py instead
2024-02-21 22:12:02 +01:00
WilliButz
8edfcf318a
update: 2023.10.7 -> 2024.2.0
...
Release notes: https://goauthentik.io/docs/releases/2024.2
Flake lock file updates:
• Updated input 'authentik-src':
'github:goauthentik/authentik/e095e9f694d2a427940bc8616bc4025fef502a8b' (2024-01-29)
→ 'github:goauthentik/authentik/310983a4d027174afe40e6db908cdfdebf1182b8' (2024-02-21)
• Updated input 'poetry2nix':
'github:nix-community/poetry2nix/4eb2ac54029af42a001c9901194e9ce19cbd8a40' (2024-02-06)
→ 'github:nix-community/poetry2nix/403d923ea8e2e6cedce3a0f04a9394c4244cb806' (2024-02-17)
2024-02-21 22:12:02 +01:00
Marcel
52b831735c
Added radius outpost
2024-02-14 22:00:58 +01:00
WilliButz
497c207488
flake.lock: update poetry2nix, fixes IFD in watchfiles
...
Fixes #5
Flake lock file updates:
• Updated input 'poetry2nix':
'github:nix-community/poetry2nix/e0b44e9e2d3aa855d1dd77b06f067cd0e0c3860d' (2024-01-12)
→ 'github:nix-community/poetry2nix/4eb2ac54029af42a001c9901194e9ce19cbd8a40' (2024-02-06)
2024-02-06 11:50:50 +01:00
WilliButz
a3663ee7bc
github/workflows/flakehub-publish: drop
2024-02-06 11:50:50 +01:00
WilliButz
2fb62afc42
Merge pull request #16 from MarcelCoding/postgres
...
Made postgres optional
2024-01-31 11:22:01 +01:00
Marcel
347066b2ca
Made postgres optional
2024-01-31 10:26:11 +01:00
WilliButz
5fa451e055
flake.lock: Update
...
Flake lock file updates:
• Updated input 'flake-parts':
'github:hercules-ci/flake-parts/34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5' (2023-12-01)
→ 'github:hercules-ci/flake-parts/07f6395285469419cf9d078f59b5b49993198c00' (2024-01-11)
• Updated input 'flake-parts/nixpkgs-lib':
'github:NixOS/nixpkgs/e92039b55bcd58469325ded85d4f58dd5a4eaf58?dir=lib' (2023-11-29)
→ 'github:NixOS/nixpkgs/b0d36bd0a420ecee3bc916c91886caca87c894e9?dir=lib' (2023-12-30)
• Updated input 'flake-utils':
'github:numtide/flake-utils/4022d587cbbfd70fe950c1e2083a02621806a725' (2023-12-04)
→ 'github:numtide/flake-utils/1ef2e671c3b0c19053962c07dbda38332dcebf26' (2024-01-15)
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/933d7dc155096e7575d207be6fb7792bc9f34f6d' (2023-12-02)
→ 'github:NixOS/nixpkgs/56911ef3403a9318b7621ce745f5452fb9ef6867' (2024-01-27)
• Updated input 'nixpkgs-23-05':
'github:NixOS/nixpkgs/e9f06adb793d1cca5384907b3b8a4071d5d7cb19' (2023-12-03)
→ 'github:NixOS/nixpkgs/70bdadeb94ffc8806c0570eb5c2695ad29f0e421' (2024-01-03)
• Updated input 'poetry2nix':
'github:nix-community/poetry2nix/9fc487b32a68473da4bf9573f85b388043c5ecda' (2023-12-06)
→ 'github:nix-community/poetry2nix/e0b44e9e2d3aa855d1dd77b06f067cd0e0c3860d' (2024-01-12)
2024-01-29 18:32:43 +01:00
WilliButz
30e4ac1dfd
update: 2023.10.6 -> 2023.10.7 (security update)
...
Fixes CVE-2024-23647
See https://goauthentik.io/docs/security/CVE-2024-23647
Flake lock file updates:
• Updated input 'authentik-src':
'github:goauthentik/authentik/1cd000dfe204b9605c85e6cebc051586a0329604' (2024-01-09)
→ 'github:goauthentik/authentik/e095e9f694d2a427940bc8616bc4025fef502a8b' (2024-01-29)
2024-01-29 18:17:08 +01:00
WilliButz
3904e3d29b
module: remove restartTriggers from ldap outpost service
...
Fixes #15
Before this change it was non-trivial to deploy the ldap outpost without
also activating the main authentik service on the same host. Adding
functionality to provide a separate configuration file for the outpost
service remains an open task.
2024-01-28 21:15:41 +01:00
WilliButz
bc628c0094
Merge pull request #14 from shokinn/fix-service-dependencies
...
Add dependency to network-online.target for authentik.service
2024-01-28 13:00:07 +01:00
shokinn
4dd485a366
Add dependency to network-online.target for authentik-ldap.service
2024-01-28 00:42:02 +01:00
shokinn
3bf78b1126
Add dependency to network-online.target for authentik.service
2024-01-24 18:42:16 +01:00
WilliButz
d5e41d40fa
Merge pull request #10 from xanderio/media_upload
...
enable media uploads
2024-01-15 22:10:58 +01:00
Alexander Sieg
8e23ad0cef
enable media uploads
...
The media upload feature is built around being deployed in a container
and only enables uploads when `/media` is a mountpoint. This isn't the
case on NixOS and as such media uploads are disabled.
In order to enable this, we need to patch authentik so that the
`can_save_media` capability is enabled.
2024-01-15 17:10:22 +01:00
WilliButz
8ff6252370
update: 2023.10.5 -> 2023.10.6 (security update)
...
Fixes CVE-2024-21637
See https://goauthentik.io/docs/security/CVE-2024-21637
Flake lock file updates:
• Updated input 'authentik-src':
'github:goauthentik/authentik/a15a04036223c53bea841436f4943278b4eab460' (2023-12-21)
→ 'github:goauthentik/authentik/1cd000dfe204b9605c85e6cebc051586a0329604' (2024-01-09)
2024-01-09 18:54:16 +01:00
WilliButz
1d2fe8bd1e
Merge pull request #9 from Ma27/restart-ldap-outpost
...
authentik-ldap: restart on failure
2024-01-03 20:06:33 +01:00
WilliButz
010cb5fae5
Merge pull request #7 from shokinn/fix-sending-email-missing-assets
...
link static workdir deps to /run/authentik
2024-01-03 20:05:43 +01:00
Maximilian Bosch
7c6103be81
authentik-ldap: restart on failure
...
I'm occasionally seeing the following error:
Jan 01 22:02:10 auth ldap[151813]: fatal error: concurrent map writes
Jan 01 22:02:10 auth ldap[151813]: fatal error: concurrent map writes
Jan 01 22:02:10 auth ldap[151813]: goroutine 4841 [running]:
Jan 01 22:02:10 auth ldap[151813]: goauthentik.io/api/v3.(*Configuration).AddDefaultHeader(...)
Jan 01 22:02:10 auth ldap[151813]: goauthentik.io/api/v3@v3.2023101.1/configuration.go:120
Jan 01 22:02:10 auth ldap[151813]: goauthentik.io/internal/outpost/ldap/search/direct.(*DirectSearcher).Search(0xc0002ba4f8, 0xc000510dd0)
Jan 01 22:02:10 auth ldap[151813]: goauthentik.io/internal/outpost/ldap/search/direct/direct.go:112 +0x65a
[...]
Jan 01 22:02:10 auth systemd[1]: authentik-ldap.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Jan 01 22:02:10 auth systemd[1]: authentik-ldap.service: Failed with result 'exit-code'.
Obviously, I need to find out what's up there. However, services
shouldn't just die on a crash, but restart in that case. If that happens
too often, StartLimitBurst/StartLimitIntervalSec ensure that the
(re)start attempt is aborted eventually.
This is especially problematic because Nextcloud tries to contact the
LDAP server on every single request for a sync which means that the
entire service is down when such a crash happens.
2024-01-03 12:52:42 +01:00
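The service-dependency commits (#14, ordering after network-online.target), the TZ change and the restart-on-failure commit above all amount to unit hygiene that is easy to get wrong. The following is an added example, not the module's own code, showing the three adjustments together on one unit: wait for the network to be online, restart on a crash with a start-rate limit so a persistent fault does not loop forever, and pin the timezone through the environment rather than the system zone. The unit name and values are illustrative.

```nix
# Added example, not part of authentik-nix. Unit name and limits are
# illustrative; the options are standard NixOS systemd.services.* options.
{ config, lib, pkgs, ... }:
{
  systemd.services.authentik-ldap = {
    # Start only once the network manager reports the network as online,
    # otherwise the outpost fails its first connection to authentik.
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];

    # Set the service's own zone instead of overriding time.timeZone
    # for the whole host.
    environment.TZ = "UTC";

    # Give up after 5 failed starts within 10 minutes; the unit then
    # enters the failed state and needs `systemctl reset-failed`.
    startLimitBurst = 5;
    startLimitIntervalSec = 600;

    serviceConfig = {
      # Restart on a non-zero exit (e.g. a Go runtime fatal error),
      # but not after a clean stop.
      Restart = "on-failure";
      RestartSec = "5s";
    };
  };
}
```

Two caveats a practitioner should keep in mind: `network-online.target` is only meaningful if the host runs a wait-online service (systemd-networkd-wait-online or NetworkManager-wait-online), and `Restart=on-failure` masks the crash from anything that only checks the unit's active state, so the underlying fault still needs to be tracked through the journal.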
shokinn
47e0cb8e14
link static workdir deps to /run/authentik
2023-12-29 15:01:03 +01:00
WilliButz
d2367d0c21
update: 2023.10.4 -> 2023.10.5
...
Flake lock file updates:
• Updated input 'authentik-src':
'github:goauthentik/authentik/a2a67161ac8b840d63cbaacdfbebb60fd48e901b' (2023-11-21)
→ 'github:goauthentik/authentik/a15a04036223c53bea841436f4943278b4eab460' (2023-12-21)
2023-12-21 14:44:38 +01:00
WilliButz
4a61f8afb4
README: update
2023-12-20 21:34:25 +01:00
WilliButz
be532175cd
flake.lock: update napalm
...
Flake lock file updates:
• Updated input 'napalm':
'github:nix-community/napalm/a8215ccf1c80070f51a92771f3bc637dd9b9f7ee' (2023-09-06)
→ 'github:nix-community/napalm/edcb26c266ca37c9521f6a97f33234633cbec186' (2023-12-20)
2023-12-20 21:19:38 +01:00
WilliButz
9b18007aac
provide authentik components in separate scope
...
* provides a new function `lib.mkAuthentikScope` as a flake output to
create a custom scope with overrides outside of this flake
* adds a slightly altered version of existing vm test to demonstrate the
usage of `mkAuthentikScope` for overriding individual authentik
components in tests/override-scope.nix
2023-12-14 15:04:06 +01:00
WilliButz
6df56466f9
factor out components with callPackage to allow for easier overrides
...
Before this change it was very inconvenient to override specific
dependencies, e.g. patching something in pythonEnv and having its
dependents use that patched version.
This is just a step towards better overridability for the individual
authentik components, because patched versions of components still need
to be manually passed to their dependents. An overlay-like approach
would be even better.
2023-12-14 15:04:04 +01:00
WilliButz
d12bdcc87d
flake: replace runCommandLocal with builtin functions to avoid IFD
...
Pointed out in https://github.com/nix-community/authentik-nix/issues/5
Co-authored-by: Philip Henning <philip.henning@base23.de>
2023-12-11 15:31:43 +01:00
WilliButz
07c6476fbf
module: make authentikComponents a simple attrset
2023-12-10 15:16:53 +01:00
WilliButz
1b9f4dce95
test: move to tests dir
2023-12-10 15:16:53 +01:00
WilliButz
ed999ba030
use mkDefault for authentikComponents
2023-12-10 15:16:53 +01:00