7f46d7ee99
Flake lock file updates:
• Updated input 'flake-parts':
'github:hercules-ci/flake-parts/c9afaba3dfa4085dbd2ccb38dfade5141e33d9d4' (2023-10-03)
→ 'github:hercules-ci/flake-parts/34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5' (2023-12-01)
• Updated input 'flake-parts/nixpkgs-lib':
'github:NixOS/nixpkgs/f5892ddac112a1e9b3612c39af1b72987ee5783a?dir=lib' (2023-09-29)
→ 'github:NixOS/nixpkgs/e92039b55bcd58469325ded85d4f58dd5a4eaf58?dir=lib' (2023-11-29)
• Updated input 'flake-utils':
'github:numtide/flake-utils/ff7b65b44d01cf9ba6a71320833626af21126384' (2023-09-12)
→ 'github:numtide/flake-utils/4022d587cbbfd70fe950c1e2083a02621806a725' (2023-12-04)
• Updated input 'nixpkgs-23-05':
'github:NixOS/nixpkgs/41de143fda10e33be0f47eab2bfe08a50f234267' (2023-11-06)
→ 'github:NixOS/nixpkgs/e9f06adb793d1cca5384907b3b8a4071d5d7cb19' (2023-12-03)
• Updated input 'poetry2nix':
'github:nix-community/poetry2nix/8f2c483f9a40db26011f6668559574a4b86ed499' (2023-10-26)
→ 'github:nix-community/poetry2nix/9fc487b32a68473da4bf9573f85b388043c5ecda' (2023-12-06)
• Updated input 'poetry2nix/nix-github-actions':
'github:nix-community/nix-github-actions/bd5bdbb52350e145c526108f4ef192eb8e554fa0' (2023-09-02)
→ 'github:nix-community/nix-github-actions/4bb5e752616262457bc7ca5882192a564c0472d2' (2023-11-03)
• Updated input 'poetry2nix/treefmt-nix':
'github:numtide/treefmt-nix/aae39f64f5ecbe89792d05eacea5cb241891292a' (2023-10-15)
→ 'github:numtide/treefmt-nix/e82f32aa7f06bbbd56d7b12186d555223dc399d1' (2023-11-12)
227 lines
8.7 KiB
Nix
227 lines
8.7 KiB
Nix
{
|
|
description = "Nix package, NixOS module and VM integration test for authentik";
|
|
|
|
inputs = {
|
|
flake-utils.url = "github:numtide/flake-utils";
|
|
flake-parts.url = "github:hercules-ci/flake-parts";
|
|
flake-compat = {
|
|
url = "github:edolstra/flake-compat";
|
|
flake = false;
|
|
};
|
|
# nixos-unstable required for go 1.21 until 23.11 release
|
|
nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
|
|
# explicitly required for go 1.18 (terraform-provider)
|
|
nixpkgs-23-05.url = "github:NixOS/nixpkgs/nixos-23.05";
|
|
poetry2nix = {
|
|
url = "github:nix-community/poetry2nix";
|
|
inputs = {
|
|
nixpkgs.follows = "nixpkgs";
|
|
flake-utils.follows = "flake-utils";
|
|
};
|
|
};
|
|
napalm = {
|
|
url = "github:nix-community/napalm";
|
|
inputs = {
|
|
nixpkgs.follows = "nixpkgs";
|
|
flake-utils.follows = "flake-utils";
|
|
};
|
|
};
|
|
authentik-src = { # change version string in outputs as well when updating
|
|
url = "github:goauthentik/authentik/version/2023.10.4";
|
|
flake = false;
|
|
};
|
|
};
|
|
|
|
outputs = inputs@{
|
|
self,
|
|
nixpkgs,
|
|
nixpkgs-23-05,
|
|
flake-parts,
|
|
poetry2nix,
|
|
napalm,
|
|
authentik-src,
|
|
...
|
|
}:
|
|
|
|
flake-parts.lib.mkFlake
|
|
{ inherit inputs; }
|
|
({ inputs, lib, withSystem, ... }:
|
|
let
|
|
authentik-version = "2023.10.4"; # to pass to the drvs of some components
|
|
in {
|
|
systems = [
|
|
"x86_64-linux"
|
|
"aarch64-linux" # not tested
|
|
];
|
|
flake = {
|
|
nixosModules.default = { pkgs, ... }: {
|
|
imports = [ ./module.nix ];
|
|
services.authentik.authentikComponents = withSystem pkgs.stdenv.hostPlatform.system (
|
|
{ config, ... }:
|
|
{ inherit (config.packages) celery staticWorkdirDeps migrate pythonEnv frontend gopkgs docs; }
|
|
);
|
|
};
|
|
};
|
|
perSystem = { pkgs, system, ... }: let
|
|
inherit (import inputs.poetry2nix { inherit pkgs; })
|
|
mkPoetryEnv
|
|
defaultPoetryOverrides;
|
|
in {
|
|
packages = rec {
|
|
docs = napalm.legacyPackages.${system}.buildPackage "${authentik-src}/website" {
|
|
version = authentik-version; # 0.0.0 specified upstream in package.json
|
|
NODE_ENV = "production";
|
|
nodejs = pkgs.nodejs_20;
|
|
npmCommands = [
|
|
"cp -v ${authentik-src}/SECURITY.md ../SECURITY.md"
|
|
"cp -vr ${authentik-src}/blueprints ../blueprints"
|
|
"npm install --include=dev"
|
|
"npm run build-docs-only"
|
|
];
|
|
installPhase = ''
|
|
rm -r ../website/node_modules/.cache
|
|
mv -v ../website $out
|
|
'';
|
|
};
|
|
frontend = napalm.legacyPackages.${system}.buildPackage "${authentik-src}/web" rec {
|
|
version = authentik-version; # 0.0.0 specified upstream in package.json
|
|
NODE_ENV = "production";
|
|
nodejs = pkgs.nodejs_21;
|
|
preBuild = ''
|
|
ln -sv ${docs} ../website
|
|
'';
|
|
npmCommands = [
|
|
"npm install --include=dev --nodedir=${nodejs}/include/node --loglevel verbose --ignore-scripts"
|
|
"npm run build"
|
|
];
|
|
installPhase = ''
|
|
mkdir $out
|
|
mv dist $out/dist
|
|
cp -r authentik icons $out
|
|
'';
|
|
};
|
|
pythonEnv = mkPoetryEnv {
|
|
projectDir = authentik-src;
|
|
python = pkgs.python311;
|
|
overrides = [ defaultPoetryOverrides ] ++ (import ./poetry2nix-python-overrides.nix pkgs);
|
|
# workaround to remove dev-dependencies for the current combination of legacy pyproject.toml format
|
|
# used by authentik and poetry2nix's behavior
|
|
groups = [];
|
|
checkGroups = [];
|
|
pyproject = pkgs.runCommandLocal "patched-pyproject.toml" {} ''
|
|
sed -e 's,tool.poetry.dev-dependencies,tool.poetry.group.dev.dependencies,' ${authentik-src}/pyproject.toml > $out
|
|
'';
|
|
};
|
|
# server + outposts
|
|
gopkgs = pkgs.buildGo121Module {
|
|
pname = "authentik-gopkgs";
|
|
version = authentik-version;
|
|
prePatch = ''
|
|
sed -i"" -e 's,./web/dist/,${frontend}/dist/,' web/static.go
|
|
sed -i"" -e 's,./web/dist/,${frontend}/dist/,' internal/web/static.go
|
|
sed -i"" -e 's,./lifecycle/gunicorn.conf.py,${staticWorkdirDeps}/lifecycle/gunicorn.conf.py,' internal/gounicorn/gounicorn.go
|
|
'';
|
|
src = pkgs.lib.cleanSourceWith {
|
|
src = authentik-src;
|
|
filter = (path: _:
|
|
(builtins.any (x: x) (
|
|
(map (infix: pkgs.lib.hasInfix infix path) [
|
|
"/authentik"
|
|
"/cmd"
|
|
"/internal"
|
|
])
|
|
++
|
|
(map (suffix: pkgs.lib.hasSuffix suffix path) [
|
|
"/web"
|
|
"/web/static.go"
|
|
"/web/robots.txt"
|
|
"/web/security.txt"
|
|
"go.mod"
|
|
"go.sum"
|
|
])
|
|
))
|
|
);
|
|
};
|
|
subPackages = [
|
|
"cmd/ldap"
|
|
"cmd/server"
|
|
"cmd/proxy"
|
|
"cmd/radius"
|
|
];
|
|
vendorSha256 = "sha256-8F9emmQmbe7R+xtGrjV5ht0adGasU6WAvLa8Wxr+j8M=";
|
|
nativeBuildInputs = [ pkgs.makeWrapper ];
|
|
postInstall = ''
|
|
wrapProgram $out/bin/server --prefix PATH : ${pythonEnv}/bin
|
|
wrapProgram $out/bin/server --prefix PYTHONPATH : ${staticWorkdirDeps}
|
|
'';
|
|
};
|
|
staticWorkdirDeps = pkgs.linkFarm "authentik-static-workdir-deps" [
|
|
{ name = "authentik"; path = "${authentik-src}/authentik"; }
|
|
{ name = "locale"; path = "${authentik-src}/locale"; }
|
|
{ name = "blueprints"; path = "${authentik-src}/blueprints"; }
|
|
{ name = "internal"; path = "${authentik-src}/internal"; }
|
|
{ name = "lifecycle"; path = "${authentik-src}/lifecycle"; }
|
|
{ name = "schemas"; path = "${authentik-src}/schemas"; }
|
|
{ name = "web"; path = frontend; }
|
|
];
|
|
migrate = pkgs.runCommandLocal "authentik-migrate.py" {
|
|
nativeBuildInputs = [ pkgs.makeWrapper ];
|
|
} ''
|
|
mkdir -vp $out/bin
|
|
cp ${authentik-src}/lifecycle/migrate.py $out/bin/migrate.py
|
|
chmod +w $out/bin/migrate.py
|
|
patchShebangs $out/bin/migrate.py
|
|
substituteInPlace $out/bin/migrate.py \
|
|
--replace \
|
|
'migration_path in Path(__file__).parent.absolute().glob("system_migrations/*.py")' \
|
|
'migration_path in Path("${staticWorkdirDeps}/lifecycle").glob("system_migrations/*.py")'
|
|
wrapProgram $out/bin/migrate.py \
|
|
--prefix PATH : ${pythonEnv}/bin \
|
|
--prefix PYTHONPATH : ${staticWorkdirDeps}
|
|
'';
|
|
# worker
|
|
celery = pkgs.runCommandLocal "authentik-celery" {
|
|
nativeBuildInputs = [ pkgs.makeWrapper ];
|
|
} ''
|
|
mkdir -vp $out/bin
|
|
ln -sv ${pythonEnv}/bin/celery $out/bin/celery
|
|
wrapProgram $out/bin/celery \
|
|
--prefix PYTHONPATH : ${staticWorkdirDeps}
|
|
'';
|
|
# terraform provider
|
|
terraform-provider-authentik = inputs.nixpkgs-23-05.legacyPackages.${system}.buildGo118Module rec {
|
|
pname = "terraform-provider-authentik";
|
|
version = "2023.10.0";
|
|
src = pkgs.fetchFromGitHub {
|
|
owner = "goauthentik";
|
|
repo = pname;
|
|
rev = "v${version}";
|
|
sha256 = "sha256-eyWpssvYe3KKr2vfMRBfE4W1xrZZFeP55VmAQoitamc=";
|
|
};
|
|
doCheck = false; # tests are run against authentik -> vm test
|
|
vendorSha256 = "sha256-aDExL3uFLhCqFibrepb2zVOJ7aW5CWjuqtx73w7p1qc=";
|
|
postInstall = ''
|
|
path="$out/libexec/terraform-providers/registry.terraform.io/goauthentik/authentik/${version}/''${GOOS}_''${GOARCH}/"
|
|
mkdir -p "$path"
|
|
mv $out/bin/${pname} $path/${pname}_v${version}
|
|
rmdir $out/bin
|
|
'';
|
|
};
|
|
};
|
|
checks = {
|
|
default = self.checks.${system}.vmtest;
|
|
vmtest = (import ./test.nix {
|
|
inherit pkgs authentik-version;
|
|
inherit (self) nixosModules;
|
|
});
|
|
};
|
|
devShells.default = pkgs.mkShell {
|
|
packages = [
|
|
# to generate a v2 lockfile from the v3 lockfile provided by upstream:
|
|
# npm install --lockfile-version 2 --package-lock-only
|
|
pkgs.nodejs
|
|
];
|
|
};
|
|
};
|
|
});
|
|
}
|