Commit graph

253 commits

Author SHA1 Message Date
Maximilian Bosch
f86fa999ab
Merge pull request #100 from bartoostveen/2026.2.2
update: 2026.2.1 -> 2026.2.2
2026-04-13 14:07:25 +01:00
Bart Oostveen
8048437d60
update: 2026.2.1 -> 2026.2.2
2026-04-07 19:06:07 +02:00
Maximilian Bosch
1f279763d8
Merge pull request #97 from networkException/service-dependency-fix
module: fix Before=authentik-worker.service in authentik-migrate.service
2026-03-21 08:49:22 +01:00
networkException
92e192cd9c
module: fix Before=authentik-worker.service in authentik-migrate.service
2026-03-20 19:56:07 +01:00
Maximilian Bosch
7e4730351f
Merge pull request #96 from freiheitsrechte/authentik-2026.2.1
update: 2026.2 -> 2026.2.1
2026-03-07 19:43:41 +01:00
Lennart Mühlenmeier
6857248084
update: 2026.2 -> 2026.2.1
ChangeLog: https://docs.goauthentik.io/releases/2026.2/#fixed-in-202621
2026-03-07 11:06:30 +01:00
Maximilian Bosch
5818986331
Merge pull request #95 from freiheitsrechte/add-docs-migrating
README: Add considerations for migrating a deployment
2026-02-28 20:54:41 +01:00
Lennart Mühlenmeier
013eadba88
README: Add considerations for migrating a deployment
We migrated `authentik-nix` a few weeks ago to another machine. Was real
painless.

Not too sure how helpful these considerations are written down into the
README but they might lower the stress levels for some though.
2026-02-28 20:39:58 +01:00
Maximilian Bosch
cb09279e74
Merge pull request #94 from nix-community/authentik-2026.2
update: 2025.12.4 -> 2026.2.0
2026-02-28 18:58:35 +01:00
Maximilian Bosch
4b7126941b
update: 2025.12.4 -> 2026.2.0
ChangeLog: https://docs.goauthentik.io/releases/2026.2/
2026-02-28 13:30:11 +01:00
Maximilian Bosch
3abc7ff26a
flake.lock: Update
Flake lock file updates:

• Updated input 'authentik-go':
    'github:goauthentik/client-go/280022b0a8de5c8f4b2965d1147a1c4fa846ba64' (2026-02-05)
  → 'github:goauthentik/client-go/4c1444ee54d945fbcc5ae107b4f191ca0352023d' (2026-02-23)
• Updated input 'flake-compat':
    'github:edolstra/flake-compat/65f23138d8d09a92e30f1e5c87611b23ef451bf3' (2025-12-07)
  → 'github:edolstra/flake-compat/5edf11c44bc78a0d334f6334cdaf7d60d732daab' (2025-12-29)
• Updated input 'flake-parts':
    'github:hercules-ci/flake-parts/a34fae9c08a15ad73f295041fec82323541400a9' (2025-12-15)
  → 'github:hercules-ci/flake-parts/57928607ea566b5db3ad13af0e57e921e6b12381' (2026-02-02)
• Updated input 'flake-parts/nixpkgs-lib':
    'github:nix-community/nixpkgs.lib/2075416fcb47225d9b68ac469a5c4801a9c4dd85' (2025-12-14)
  → 'github:nix-community/nixpkgs.lib/72716169fe93074c333e8d0173151350670b824c' (2026-02-01)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/1412caf7bf9e660f2f962917c14b1ea1c3bc695e' (2026-01-13)
  → 'github:NixOS/nixpkgs/2fc6539b481e1d2569f25f8799236694180c0993' (2026-02-23)
• Updated input 'pyproject-build-systems':
    'github:pyproject-nix/build-system-pkgs/042904167604c681a090c07eb6967b4dd4dae88c' (2025-11-20)
  → 'github:pyproject-nix/build-system-pkgs/04e9c186e01f0830dad3739088070e4c551191a4' (2026-02-18)
• Updated input 'pyproject-nix':
    'github:pyproject-nix/pyproject.nix/2c8df1383b32e5443c921f61224b198a2282a657' (2025-11-26)
  → 'github:pyproject-nix/pyproject.nix/eb204c6b3335698dec6c7fc1da0ebc3c6df05937' (2026-02-19)
• Updated input 'uv2nix':
    'github:pyproject-nix/uv2nix/4cca323a547a1aaa9b94929c4901bed5343eafe8' (2025-12-13)
  → 'github:pyproject-nix/uv2nix/abe65de114300de41614002fe9dce2152ac2ac23' (2026-02-27)
2026-02-28 13:30:11 +01:00
Maximilian Bosch
905036eb17
tests: don't run update checks in VM tests
2026-02-27 15:00:05 +01:00
Maximilian Bosch
3df5c21303
Merge pull request #93 from kilimnik/sandbox
docs: fix build in non sandboxed mode
2026-02-21 15:58:40 +01:00
Daniel Kilimnik
9eee350b95
docs: fix build in non sandboxed mode
2026-02-19 13:36:07 +01:00
Maximilian Bosch
0487b4db05
update: 2025.12.3 -> 2025.12.4, fix CVE-2026-25227, CVE-2026-25748, CVE-2026-25227
Changes: https://docs.goauthentik.io/releases/2025.12/#fixed-in-2025124
2026-02-12 22:25:30 +01:00
Maximilian Bosch
b09825ea48
Merge pull request #91 from Ma27/2025.12.3
update: 2025.12.1 -> 2025.12.3
2026-02-08 08:18:14 +01:00
Maximilian Bosch
9eed4f7e7e
update: 2025.12.1 -> 2025.12.3
Closes #90

ChangeLogs:
* https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.2
* https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.3

Using the `client-go` library that is vendored in this release's `go.mod`
breaks all outposts for me, so we're now doing what upstream is also
doing, i.e. generating the Go client code ourselves.
2026-02-07 16:52:28 +01:00
Maximilian Bosch
eee255ff2f
module: wait for postgresql.target
This is needed since 25.11 because the target is what makes sure that
PostgreSQL is not only up, but also in rw-mode (and ensure* being
applied).

Also adding this to `authentik-worker` to prevent situations where
postgresql.service stops before the worker on reboot and the worker
blocks shutdown while trying to reconnect to the database[1].

[1] https://github.com/nix-community/authentik-nix/pull/86#issuecomment-3794325343
2026-01-25 14:49:58 +01:00
Maximilian Bosch
1cab906a5c
Merge pull request #86 from nix-community/authentik-2025.12
update: 2025.10.3 -> 2025.12.1
2026-01-24 10:48:14 +01:00
Maximilian Bosch
801ff190cf
TODO: remove implemented things
2026-01-21 08:53:17 +01:00
Maximilian Bosch
25a380396f
terraform-provider-authentik: 2025.10.0 -> 2025.12.0
2026-01-17 09:22:53 +01:00
Maximilian Bosch
ad2994c95f
update: 2025.10.3 -> 2025.12.1
Closes #83
Closes #85

ChangeLog: https://docs.goauthentik.io/releases/2025.12

⚠️ When using the Avatar upload, you'll have to make your users
re-upload their avatars due to changes in how media is served by
Authentik[1].

For now, we're using a branch from me that is 2025.12.1 with an update
of `@goauthentik/api` on top[2]. Without that change, `AdminFileListUsageEnum`
doesn't exist which breaks all usage of `AdminFileListUsageEnum.Media`:

    TypeError: can't access property "Media", R.AdminFileListUsageEnum is undefined
      renderForm ApplicationForm.ts:191
      [...]

This made e.g. the modal to edit applications unusable which infinitely
hung on a loading spinner.

The media path now points to `/var/lib/authentik`. This path is only
used for media storage and Authentik now always appends the "usage name"
as directory behind the storage path, i.e. it already appends
`/var/lib/authentik/media`, so this is needed to make Authentik discover
existing media.

Finally, I added a `patches` attribute to the authentik scope that
applies patches to both the workdir-deps (which is the PYTHONPATH in the
end, i.e. where we load the authentik module from) and the gopkgs. We're
still missing patchability for frontend (since we directly build the
subdir in napalm), but I think that's a step in the right direction.

[1] https://github.com/goauthentik/authentik/discussions/6824#discussioncomment-15490793
[2] Upstream PR: https://github.com/goauthentik/authentik/pull/19542
2026-01-17 09:22:53 +01:00
Maximilian Bosch
94c544f6cd
Merge pull request #84 from Ma27/restart-worker
module: restart worker when cert is changed
2026-01-12 13:13:36 +01:00
Maximilian Bosch
cf07c71418
module: restart worker when cert is changed
Closes #12

The worker gets access to the ACME-managed certs via `LoadCredential`,
however that doesn't refresh files when the files in the credential
source change. Explicitly restart the worker to make sure these changes
are reflected in what the worker sees.
2026-01-06 15:06:31 +01:00
Maximilian Bosch
e929253ded
update: 2025.10.2 -> 2025.10.3
ChangeLog: https://github.com/goauthentik/authentik/releases/tag/version/2025.10.3
2025-12-17 12:38:30 +01:00
Maximilian Bosch
c487a94057
flake.lock: Update
Flake lock file updates:

• Updated input 'flake-compat':
    'github:edolstra/flake-compat/f387cd2afec9419c8ee37694406ca490c3f34ee5' (2025-10-27)
  → 'github:edolstra/flake-compat/65f23138d8d09a92e30f1e5c87611b23ef451bf3' (2025-12-07)
• Updated input 'flake-parts':
    'github:hercules-ci/flake-parts/52a2caecc898d0b46b2b905f058ccc5081f842da' (2025-11-12)
  → 'github:hercules-ci/flake-parts/a34fae9c08a15ad73f295041fec82323541400a9' (2025-12-15)
• Updated input 'flake-parts/nixpkgs-lib':
    'github:nix-community/nixpkgs.lib/719359f4562934ae99f5443f20aa06c2ffff91fc' (2025-10-29)
  → 'github:nix-community/nixpkgs.lib/2075416fcb47225d9b68ac469a5c4801a9c4dd85' (2025-12-14)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/89c2b2330e733d6cdb5eae7b899326930c2c0648' (2025-11-17)
  → 'github:NixOS/nixpkgs/1306659b587dc277866c7b69eb97e5f07864d8c4' (2025-12-15)
• Updated input 'pyproject-build-systems':
    'github:pyproject-nix/build-system-pkgs/795a980d25301e5133eca37adae37283ec3c8e66' (2025-10-29)
  → 'github:pyproject-nix/build-system-pkgs/042904167604c681a090c07eb6967b4dd4dae88c' (2025-11-20)
• Updated input 'pyproject-nix':
    'github:pyproject-nix/pyproject.nix/7d3d8848358ccbd415afe2139f12b9e1508d3ace' (2025-11-18)
  → 'github:pyproject-nix/pyproject.nix/2c8df1383b32e5443c921f61224b198a2282a657' (2025-11-26)
• Updated input 'uv2nix':
    'github:pyproject-nix/uv2nix/c9752c6c5915eece99505612d8f7805185cff990' (2025-11-17)
  → 'github:pyproject-nix/uv2nix/4cca323a547a1aaa9b94929c4901bed5343eafe8' (2025-12-13)
2025-12-17 11:11:58 +01:00
Maximilian Bosch
4a67075708
flake.lock: Update
Flake lock file updates:

• Updated input 'flake-compat':
    'github:edolstra/flake-compat/9100a0f413b0c601e0533d1d94ffd501ce2e7885' (2025-05-12)
  → 'github:edolstra/flake-compat/f387cd2afec9419c8ee37694406ca490c3f34ee5' (2025-10-27)
• Updated input 'flake-parts':
    'github:hercules-ci/flake-parts/864599284fc7c0ba6357ed89ed5e2cd5040f0c04' (2025-10-20)
  → 'github:hercules-ci/flake-parts/52a2caecc898d0b46b2b905f058ccc5081f842da' (2025-11-12)
• Updated input 'flake-parts/nixpkgs-lib':
    'github:nix-community/nixpkgs.lib/a73b9c743612e4244d865a2fdee11865283c04e6' (2025-08-10)
  → 'github:nix-community/nixpkgs.lib/719359f4562934ae99f5443f20aa06c2ffff91fc' (2025-10-29)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/01f116e4df6a15f4ccdffb1bcd41096869fb385c' (2025-10-22)
  → 'github:NixOS/nixpkgs/89c2b2330e733d6cdb5eae7b899326930c2c0648' (2025-11-17)
• Updated input 'pyproject-build-systems':
    'github:pyproject-nix/build-system-pkgs/dbfc0483b5952c6b86e36f8b3afeb9dde30ea4b5' (2025-09-29)
  → 'github:pyproject-nix/build-system-pkgs/795a980d25301e5133eca37adae37283ec3c8e66' (2025-10-29)
• Updated input 'pyproject-nix':
    'github:pyproject-nix/pyproject.nix/84c4ea102127c77058ea1ed7be7300261fafc7d2' (2025-10-14)
  → 'github:pyproject-nix/pyproject.nix/7d3d8848358ccbd415afe2139f12b9e1508d3ace' (2025-11-18)
• Updated input 'uv2nix':
    'github:pyproject-nix/uv2nix/e6e728d9719e989c93e65145fe3f9e0c65a021a2' (2025-10-22)
  → 'github:pyproject-nix/uv2nix/c9752c6c5915eece99505612d8f7805185cff990' (2025-11-17)
2025-11-20 13:51:20 +01:00
Maximilian Bosch
a5c8611fda
update: 2025.10.1 -> 2025.10.2
Changes: https://github.com/goauthentik/authentik/releases/tag/version/2025.10.2

Fixes CVE-2025-64521[1] & CVE-2025-64708[2].

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-64521
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-64708
2025-11-20 13:49:22 +01:00
Maximilian Bosch
c14192ad67
Merge pull request #80 from Ma27/default-pg-host
module: set postgresql.host to /run/postgresql
2025-11-09 16:17:37 +01:00
Maximilian Bosch
21cafb4b85
module: set postgresql.host to /run/postgresql
Closes #79

So apparently the Python-based server knew to use `/run/postgresql` if
`host` is empty, but the Go driver tripped over it. Use this explicitly
to fix both cases.
2025-11-09 13:37:45 +01:00
Maximilian Bosch
bbd5f56c4b
Merge pull request #78 from Ma27/authentik-2025.10
update: 2025.8.4 -> 2025.10.0
2025-11-04 11:44:08 +01:00
Maximilian Bosch
bb1a7604fc
terraform-provider-authentik: 2025.8.0 -> 2025.10.0
2025-11-04 11:18:38 +01:00
Maximilian Bosch
62cb06d2ef
update: 2025.8.4 -> 2025.10.1
See https://version-2025-10.goauthentik.io/releases/2025.10/
2025-11-04 11:18:38 +01:00
Maximilian Bosch
ea1e06f9fe
Merge pull request #48 from dminuoso/add-rac-outpost
Add RAC outpost
2025-10-29 09:35:59 +01:00
Victor Nawothnig
e31ed431d7
Add RAC outpost
Co-authored-by: Maximilian Bosch <maximilian@mbosch.me>
2025-10-27 15:20:28 +01:00
Maximilian Bosch
3082a94074
Merge pull request #50 from GeoffreyFrogeye/push-pollrpxtlxts
Split gopkgs
2025-10-27 14:52:31 +01:00
Maximilian Bosch
3cf7092397
components/{docs,frontend}: use nodejs_24 again
We kept nodejs_22 in 6dc84faaec because of
a bug in NPM preventing us from upgrading[1]. This got solved in the
meantime and seems to have landed in a nodejs release (these usually
bundle NPM versions), so we can use the nodejs version that upstream
also uses again.

[1] https://github.com/npm/cli/issues/8541
2025-10-27 14:28:29 +01:00
Maximilian Bosch
be208eac08
python-overrides/lxml: fix build w/ libxml-2.15
Closes #76
2025-10-27 12:48:13 +01:00
Geoffrey “Frogeye” Preud'homme
960bc776bb
Make gopkgs a split package
2025-10-26 11:45:06 +01:00
Maximilian Bosch
6ae9b507c8
flake.lock: Update
Flake lock file updates:

• Updated input 'flake-parts':
    'github:hercules-ci/flake-parts/4524271976b625a4a605beefd893f270620fd751' (2025-09-01)
  → 'github:hercules-ci/flake-parts/864599284fc7c0ba6357ed89ed5e2cd5040f0c04' (2025-10-20)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/c23193b943c6c689d70ee98ce3128239ed9e32d1' (2025-09-13)
  → 'github:NixOS/nixpkgs/01f116e4df6a15f4ccdffb1bcd41096869fb385c' (2025-10-22)
• Updated input 'pyproject-build-systems':
    'github:pyproject-nix/build-system-pkgs/5b8e37fe0077db5c1df3a5ee90a651345f085d38' (2025-09-08)
  → 'github:pyproject-nix/build-system-pkgs/dbfc0483b5952c6b86e36f8b3afeb9dde30ea4b5' (2025-09-29)
• Updated input 'pyproject-nix':
    'github:pyproject-nix/pyproject.nix/8d77f342d66ad1601cdb9d97e9388b69f64d4c8e' (2025-09-07)
  → 'github:pyproject-nix/pyproject.nix/84c4ea102127c77058ea1ed7be7300261fafc7d2' (2025-10-14)
• Updated input 'uv2nix':
    'github:pyproject-nix/uv2nix/780494c40895bb7419a73d942bee326291e80b3b' (2025-09-15)
  → 'github:pyproject-nix/uv2nix/e6e728d9719e989c93e65145fe3f9e0c65a021a2' (2025-10-22)
2025-10-26 08:16:15 +01:00
Maximilian Bosch
69fac057b2
update: 2025.8.3 -> 2025.8.4
ChangeLog: https://github.com/goauthentik/authentik/releases/tag/version%2F2025.8.4
2025-10-01 14:42:09 +02:00
Maximilian Bosch
4c626ed84c
Merge pull request #73 from Ma27/fix-port-collision
update: 2025.8.2 -> 2025.8.3; fix port collisions
2025-09-18 08:30:15 +02:00
Maximilian Bosch
c7ed264bc4
update: 2025.8.2 -> 2025.8.3
ChangeLog: https://github.com/goauthentik/authentik/releases/tag/version%2F2025.8.3
2025-09-17 10:44:09 +02:00
Maximilian Bosch
0c6391c85e
module: also use non-conflicting ports for other outposts
Incidentally I had parts of that already in my private config and immediately
forgot. But now that we're at it, let's fix it up properly as well.
2025-09-17 10:44:09 +02:00
Maximilian Bosch
15d4d6f9fc
module: fmt
2025-09-17 10:44:08 +02:00
Maximilian Bosch
6a080328a3
module: override metrics & http address for worker
Closes #72

So, #72 is about a segfault in the LDAP outpost, but this is the actual
culprit[0]:

* Both server & worker share the same configuration in this setup.

* Since 2025.8 this means that both try to start a server for metrics at
  port 9300 and an HTTP server (in the worker case for healthchecks) at
  port 9000.

* On upgrades, migrations are performed. Only the server waited for the
  migrations to finish, hence the worker started up earlier. As a
  result, it was quicker in binding port 9000 in ONLY this case (and
  thus, this was never reproducible on a second attempt!). Now, on port
  9000 was NOT the authentik server, but something that returned an
  empty response for everything that's not the healthcheck.

* As a result, the LDAP outpost got a response from what it believed was
  authentik, but actually `nil, nil` because of the empty response.
  Trying to dereference values from that response[1] caused the
  segfault.

The fix is pretty easy, just override the listen ports via the
environment. Unfortunately, the docs[2] are apparently not entirely correct[3],
given the Python code it must be LISTEN__LISTEN_HTTP[4]. I added a
test-case to ensure that the config is properly applied.

[0] Reported as https://github.com/goauthentik/authentik/issues/16850
[1] 57e12cef06/internal/outpost/ak/api.go (L95)
[2] https://docs.goauthentik.io/install-config/configuration/#listen-settings
[3] Reported as https://github.com/goauthentik/authentik/issues/16851
[4] 57e12cef06/authentik/lib/config.py (L238)
2025-09-17 10:43:50 +02:00
Maximilian Bosch
1c79d48248
module: run migrations before attempting to start worker
`manage.py` attempts migrations on its own[1], so let's try to
prevent another potential for races.

[1] https://github.com/goauthentik/authentik/blob/version/2025.8.3/manage.py#L17-L24
2025-09-17 10:12:38 +02:00
Maximilian Bosch
039fcdfd00
module: replace requiredBy with inverse requires
IMHO that way it's easier to reason about what relationship exists here.
2025-09-16 11:32:11 +02:00
Maximilian Bosch
367332e56e
update: 2025.8.1 -> 2025.8.2
ChangeLog: https://github.com/goauthentik/authentik/releases/tag/version%2F2025.8.2

Flake lock file updates:

• Updated input 'flake-parts':
    'github:hercules-ci/flake-parts/af66ad14b28a127c5c0f3bbb298218fc63528a18' (2025-08-06)
  → 'github:hercules-ci/flake-parts/4524271976b625a4a605beefd893f270620fd751' (2025-09-01)
• Updated input 'flake-parts/nixpkgs-lib':
    'github:nix-community/nixpkgs.lib/0f36c44e01a6129be94e3ade315a5883f0228a6e' (2025-07-27)
  → 'github:nix-community/nixpkgs.lib/a73b9c743612e4244d865a2fdee11865283c04e6' (2025-08-10)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/dfb2f12e899db4876308eba6d93455ab7da304cd' (2025-08-28)
  → 'github:NixOS/nixpkgs/c23193b943c6c689d70ee98ce3128239ed9e32d1' (2025-09-13)
• Updated input 'pyproject-build-systems':
    'github:pyproject-nix/build-system-pkgs/6edb3ae27395cd88be3d64b732d1539957dad59c' (2025-08-25)
  → 'github:pyproject-nix/build-system-pkgs/5b8e37fe0077db5c1df3a5ee90a651345f085d38' (2025-09-08)
• Updated input 'pyproject-nix':
    'github:pyproject-nix/pyproject.nix/030dffc235dcf240d918c651c78dc5f158067b51' (2025-08-28)
  → 'github:pyproject-nix/pyproject.nix/8d77f342d66ad1601cdb9d97e9388b69f64d4c8e' (2025-09-07)
• Updated input 'uv2nix':
    'github:pyproject-nix/uv2nix/0529e6d8227517205afcd1b37eee3088db745730' (2025-08-29)
  → 'github:pyproject-nix/uv2nix/780494c40895bb7419a73d942bee326291e80b3b' (2025-09-15)
2025-09-16 10:47:47 +02:00
Maximilian Bosch
04db807ac0
Merge pull request #35 from SuperSandro2000/patch-1
Fix indentation of markdown code blocks
2025-09-12 13:35:06 +02:00