Closes #90 ChangeLogs: * https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.2 * https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.3 Using the `client-go` library that is vendored in this release's `go.mod` breaks all outposts for me, so we're now doing what upstream is also doing, i.e. generating the Go client code ourselves.
{
description = "Nix package, NixOS module and VM integration test for authentik";
inputs = {
  # Flake inputs. Each URL names a source; the exact revision that is built is
  # the one recorded in flake.lock, which is not part of this file.

  # --- package set and flake plumbing ---------------------------------------
  nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
  systems.url = "github:nix-systems/default-linux";
  flake-parts.url = "github:hercules-ci/flake-parts";

  flake-utils.url = "github:numtide/flake-utils";
  flake-utils.inputs.systems.follows = "systems";

  # Plain source tree, not evaluated as a flake.
  flake-compat.url = "github:edolstra/flake-compat";
  flake-compat.flake = false;

  # --- Python packaging (pyproject.nix / uv2nix) ----------------------------
  # The `follows` lines make these inputs reuse this flake's nixpkgs (and each
  # other) instead of bringing their own locked copies.
  pyproject-nix.url = "github:pyproject-nix/pyproject.nix";
  pyproject-nix.inputs.nixpkgs.follows = "nixpkgs";

  uv2nix.url = "github:pyproject-nix/uv2nix";
  uv2nix.inputs.pyproject-nix.follows = "pyproject-nix";
  uv2nix.inputs.nixpkgs.follows = "nixpkgs";

  pyproject-build-systems.url = "github:pyproject-nix/build-system-pkgs";
  pyproject-build-systems.inputs.pyproject-nix.follows = "pyproject-nix";
  pyproject-build-systems.inputs.uv2nix.follows = "uv2nix";
  pyproject-build-systems.inputs.nixpkgs.follows = "nixpkgs";

  # --- Node packaging --------------------------------------------------------
  # NOTE(review): the ref `avoid-foldl-stack-overflow` looks like a feature
  # branch on a fork rather than a release tag, so only flake.lock fixes what
  # is actually built; review the locked revision whenever it is updated.
  napalm.url = "github:willibutz/napalm/avoid-foldl-stack-overflow";
  napalm.inputs.nixpkgs.follows = "nixpkgs";
  napalm.inputs.flake-utils.follows = "flake-utils";

  # --- authentik sources -----------------------------------------------------
  # change version string in outputs as well when updating
  authentik-src.url = "github:goauthentik/authentik/version/2025.12.3";
  authentik-src.flake = false;

  # NOTE(review): no ref is given here, so this input is not tied to the
  # authentik release above by the URL; the revision comes from flake.lock
  # alone. Confirm the locked revision is compatible with 2025.12.3 when
  # bumping either input.
  authentik-go.url = "github:goauthentik/client-go";
  authentik-go.flake = false;
};
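outputs =
  inputs@{
    self,
    flake-parts,
    napalm,
    authentik-src,
    authentik-go,
    uv2nix,
    pyproject-build-systems,
    pyproject-nix,
    ...
  }:

  # Flake outputs, assembled with flake-parts:
  #   * flake.nixosModules.default   - the NixOS module, wired to this flake's packages
  #   * flake.lib.mkAuthentikScope   - overridable scope holding all authentik components
  #   * perSystem.packages / checks  - the components, the terraform provider, the VM tests
  flake-parts.lib.mkFlake { inherit inputs; } (
    {
      inputs,
      lib,
      withSystem,
      ...
    }:
    let
      # Keep in sync with the tag in `inputs.authentik-src.url`.
      authentik-version = "2025.12.3"; # to pass to the drvs of some components
    in
    {
      systems = import inputs.systems;
      flake =
        { self, ... }:
        {
          nixosModules.default =
            { pkgs, ... }:
            {
              imports = [ ./module.nix ];
              # Default the module's components to the packages this flake builds
              # for the host platform; `mkDefault` leaves room for a user override.
              services.authentik.authentikComponents = pkgs.lib.mkDefault (
                withSystem pkgs.stdenv.hostPlatform.system (
                  { config, ... }:
                  {
                    inherit (config.packages)
                      manage
                      staticWorkdirDeps
                      migrate
                      pythonEnv
                      frontend
                      gopkgs
                      docs
                      ;
                  }
                )
              );
            };

          # returns a scope which includes the attrset `authentikComponents`
          #
          # the returned scope may be overridden using its `overrideScope` function to
          # create a new scope with patched versions of individual authentik components
          #
          # see ./tests/override-scope.nix for a usage example
          lib.mkAuthentikScope =
            let
              # Alias for the outer value: inside the argument set below, a default
              # written as `authentik-version ? authentik-version` would refer to
              # the argument itself.
              authentik-version' = authentik-version;
            in
            {
              pkgs,
              system ? pkgs.stdenv.hostPlatform.system,
              python ? pkgs.python313,
              authentik-version ? authentik-version',
              buildNapalmPackage ? napalm.legacyPackages.${system}.buildPackage,
            }:
            pkgs.lib.makeScope pkgs.newScope (final: {
              authentikComponents = {
                docs = final.callPackage ./components/docs.nix { };
                frontend = final.callPackage ./components/frontend.nix { };
                pythonEnv = final.callPackage ./components/pythonEnv.nix { };
                # server + outposts
                gopkgs = final.callPackage ./components/gopkgs.nix { };
                staticWorkdirDeps = final.callPackage ./components/staticWorkdirDeps.nix { };
                migrate = final.callPackage ./components/migrate.nix { };
                # worker
                manage = final.callPackage ./components/manage.nix { };
              };

              # Go API client built by this flake (./components/client-go.nix).
              generatedGoClient = final.callPackage ./components/client-go.nix { };

              # for uv2nix
              pythonOverlay = final.callPackage ./components/python-overrides.nix { };

              # Local patches, exposed in the scope so that component derivations
              # can pick them up via callPackage.
              patches = [
                ./components/0002-admin-file-dir-doesn-t-have-to-be-a-mountpoint.patch
              ];

              # Flake inputs and builder arguments made available to callPackage.
              inherit
                authentik-src
                authentik-go
                authentik-version
                buildNapalmPackage
                uv2nix
                pyproject-build-systems
                pyproject-nix
                python
                ;
            });
        };
      perSystem =
        {
          pkgs,
          system,
          self',
          ...
        }:
        let
          inherit (self.lib.mkAuthentikScope { inherit pkgs; }) authentikComponents;
        in
        {
          packages = {
            inherit (authentikComponents)
              docs
              frontend
              pythonEnv
              gopkgs
              staticWorkdirDeps
              migrate
              manage
              ;

            # NOTE(review): buildGoModule is taken from inputs.nixpkgs directly while
            # fetchFromGitHub comes from `pkgs`; confirm the split is intentional.
            terraform-provider-authentik = inputs.nixpkgs.legacyPackages.${system}.buildGoModule rec {
              pname = "terraform-provider-authentik";
              version = "2025.12.0";
              src = pkgs.fetchFromGitHub {
                owner = "goauthentik";
                repo = pname;
                rev = "v${version}";
                # Content hash of the fetched source. When `version` changes this
                # must be refreshed too: with a stale hash, a source tree already
                # in the store is reused silently instead of being re-fetched.
                hash = "sha256-1a8HaOqTckkbbHLM58L+LY1eCp8+sVkuOmAw7xljpTU=";
              };
              doCheck = false; # tests are run against authentik -> vm test
              # Hash over the vendored Go module dependencies; refresh together
              # with the source hash on every version bump.
              vendorHash = "sha256-LvXWlmCBXnHElZyTKpKPwfXgT53HpR+Bc5XjkB7bM/A=";
              # Move the binary out of bin/ into a
              # registry.terraform.io/<namespace>/<name>/<version>/<os>_<arch>
              # directory tree under libexec/terraform-providers.
              postInstall = ''
                path="$out/libexec/terraform-providers/registry.terraform.io/goauthentik/authentik/${version}/''${GOOS}_''${GOARCH}/"
                mkdir -p "$path"
                mv "$out/bin/${pname}" "$path/${pname}_v${version}"
                rmdir "$out/bin"
              '';
            };
          };
          checks = {
            default = self.checks.${system}.vmtest;
            # VM integration test of the NixOS module.
            vmtest = (
              import tests/minimal-vmtest.nix {
                inherit pkgs authentik-version;
                inherit (self) nixosModules;
              }
            );
            # Exercises `mkAuthentikScope` together with the module.
            override-scope = (
              import tests/override-scope.nix {
                inherit pkgs authentik-version;
                inherit (self) nixosModules;
                inherit (self.lib) mkAuthentikScope;
              }
            );
          };
        };
    }
  );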
}