authentik-nix/flake.nix
WilliButz d464790711
update: 2023.6.1 -> 2023.6.2 (security update)
contains fix for CVE-2023-39522
https://github.com/goauthentik/authentik/security/advisories/GHSA-vmf9-6pcv-xr87

Flake lock file updates:

• Updated input 'authentik-src':
    'github:goauthentik/authentik/d6af506a78caaf9e6ef394dffa1f931bcc2cd656' (2023-07-10)
  → 'github:goauthentik/authentik/aba857753bcf785a2023d3ac80f9a6f7f15979fe' (2023-08-29)
• Updated input 'flake-parts':
    'github:hercules-ci/flake-parts/8e8d955c22df93dbe24f19ea04f47a74adbdc5ec' (2023-07-04)
  → 'github:hercules-ci/flake-parts/59cf3f1447cfc75087e7273b04b31e689a8599fb' (2023-08-01)
• Updated input 'flake-parts/nixpkgs-lib':
    'github:NixOS/nixpkgs/4bc72cae107788bf3f24f30db2e2f685c9298dc9?dir=lib' (2023-06-29)
  → 'github:NixOS/nixpkgs/9e1960bc196baf6881340d53dccb203a951745a2?dir=lib' (2023-08-01)
• Updated input 'flake-utils':
    'github:numtide/flake-utils/dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7' (2023-06-25)
  → 'github:numtide/flake-utils/f9e7cf818399d17d347f847525c5a5a8032e4e44' (2023-08-23)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/e11142026e2cef35ea52c9205703823df225c947' (2023-07-05)
  → 'github:NixOS/nixpkgs/c540061ac8d72d6e6d99345bd2d590c82b2f58c1' (2023-08-28)
• Updated input 'poetry2nix':
    'github:nix-community/poetry2nix/f9c886e188503db79b59f15c014d86aa680d9141' (2023-07-07)
  → 'github:nix-community/poetry2nix/5b3a5151cf212021ff8d424f215fb030e4ff2837' (2023-08-26)
• Added input 'poetry2nix/nix-github-actions':
    'github:nix-community/nix-github-actions/165b1650b753316aa7f1787f3005a8d2da0f5301' (2023-07-09)
• Added input 'poetry2nix/nix-github-actions/nixpkgs':
    follows 'poetry2nix/nixpkgs'
2023-08-29 20:18:44 +02:00


{
# Flake description (shown by `nix flake metadata`); the actual outputs are below.
description = "Nix package, NixOS module and VM integration test for authentik";
inputs = {
  # Inputs declared without a ref follow the upstream default branch; the
  # revision that is actually built is the one recorded in flake.lock, so the
  # lock diff is what to review when any of these is bumped.
  flake-utils.url = "github:numtide/flake-utils";
  flake-parts.url = "github:hercules-ci/flake-parts";
  nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05";

  # Python (poetry2nix) and npm (napalm) builders.  Both are made to follow
  # this flake's nixpkgs and flake-utils so that a single copy of each is
  # locked and evaluated.
  poetry2nix.url = "github:nix-community/poetry2nix";
  poetry2nix.inputs.nixpkgs.follows = "nixpkgs";
  poetry2nix.inputs.flake-utils.follows = "flake-utils";

  napalm.url = "github:nix-community/napalm";
  napalm.inputs.nixpkgs.follows = "nixpkgs";
  napalm.inputs.flake-utils.follows = "flake-utils";

  # Upstream authentik source checkout (not a flake).  `version/<x>` is a
  # branch/tag name rather than a commit, so reproducibility comes from the
  # commit pinned in flake.lock.  When updating: change the ref here, the
  # `authentik-version` string in `outputs`, and refresh the lock.
  authentik-src.url = "github:goauthentik/authentik/version/2023.6.2";
  authentik-src.flake = false;
};
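outputs = inputs@{
  self,
  nixpkgs,
  flake-parts,
  poetry2nix,
  napalm,
  authentik-src,
  ...
}:
  # Flake outputs: per-system packages for each authentik component, the NixOS
  # module that wires those packages in, the VM integration test (`checks`) and
  # a dev shell.  Everything is built from the pinned flake inputs, so what is
  # produced is fixed by flake.lock rather than by the branch names in `inputs`.
  flake-parts.lib.mkFlake
    { inherit inputs; }
    ({ inputs, lib, withSystem, ... }:
      let
        # Must match the ref of the `authentik-src` input; it is passed to the
        # derivations whose upstream metadata carries no usable version.
        authentik-version = "2023.6.2";
      in {
        systems = [
          "x86_64-linux"
          "aarch64-linux" # not tested
        ];

        flake = {
          # NixOS module: imports ./module.nix and hands it the component packages
          # built for the host's system (resolved through flake-parts' withSystem).
          nixosModules.default = { pkgs, ... }: {
            imports = [ ./module.nix ];
            services.authentik.authentikComponents = withSystem pkgs.stdenv.hostPlatform.system (
              { config, ... }:
              { inherit (config.packages) celery staticWorkdirDeps migrate pythonEnv frontend gopkgs docs; }
            );
          };
        };

        perSystem = { inputs', pkgs, system, ... }: let
          inherit (inputs'.poetry2nix.legacyPackages)
            mkPoetryEnv
            defaultPoetryOverrides;
        in {
          packages = rec {
            # Documentation site built from upstream's website/ with napalm; the
            # `frontend` build below links it in as a sibling directory.
            docs = napalm.legacyPackages.${system}.buildPackage "${authentik-src}/website" {
              version = authentik-version; # 0.0.0 specified upstream in package.json
              NODE_ENV = "production";
              nodejs = pkgs.nodejs_20;
              npmCommands = [
                # Placed next to website/ (i.e. where they live in the upstream
                # repository root), presumably because the docs build reads them.
                "cp -v ${authentik-src}/SECURITY.md ../SECURITY.md"
                "cp -vr ${authentik-src}/blueprints ../blueprints"
                # NOTE(review): unlike `frontend`, this install does not pass
                # --ignore-scripts, so npm lifecycle scripts of the docs dependencies
                # run inside the build.  Confirm whether any of them are needed
                # before adding the flag here as well.
                "npm install --include=dev"
                "npm run build-docs-only"
              ];
              installPhase = ''
                mv -v ../website $out
              '';
            };

            # Web UI built from upstream's web/ with napalm.
            frontend = napalm.legacyPackages.${system}.buildPackage "${authentik-src}/web" {
              version = authentik-version; # 0.0.0 specified upstream in package.json
              packageLock = let
                # https://github.com/goauthentik/authentik/issues/6180
                # napalm fetches every dependency from the lockfile, so it needs a
                # fully resolved package-lock.json (resolved URL + integrity for each
                # entry); the patch in this repo provides that on top of upstream's.
                srcWithFullyResolvedLockfile = pkgs.applyPatches {
                  name = "authentik-src-with-patched-package-lock";
                  src = authentik-src;
                  patches = [
                    ./web-package-lock.json.patch
                  ];
                };
              in "${srcWithFullyResolvedLockfile}/web/package-lock.json";
              NODE_ENV = "production";
              nodejs = pkgs.nodejs_20;
              # The UI build apparently expects the docs checkout next to web/.
              preBuild = ''
                ln -sv ${docs} ../website
              '';
              npmCommands = [
                # --ignore-scripts keeps third-party packages' install/postinstall
                # hooks from executing during the build; --nodedir supplies the Node
                # headers of the same nodejs for any native addon.
                "npm install --include=dev --nodedir=${pkgs.nodejs_20}/include/node --loglevel verbose --ignore-scripts"
                "npm run build"
              ];
              installPhase = ''
                mkdir $out
                mv dist $out/dist
                cp -r authentik icons $out
              '';
            };

            # Python environment with authentik's dependencies, resolved by
            # poetry2nix from upstream's pyproject/lockfile.  Its bin/ provides
            # the interpreter for `server`/`migrate` and the `celery` executable.
            pythonEnv = mkPoetryEnv {
              projectDir = authentik-src;
              python = pkgs.python311;
              overrides = [ defaultPoetryOverrides ] ++ (import ./poetry2nix-python-overrides.nix pkgs);
            };

            # server + outposts
            gopkgs = pkgs.buildGo120Module {
              pname = "authentik-gopkgs";
              version = authentik-version;
              # Upstream compiles in paths relative to its working directory; point
              # them at the built frontend and the static workdir in the store.
              # `,` is the sed delimiter because store paths contain `/`.
              prePatch = ''
                sed -i"" -e 's,./web/dist/,${frontend}/dist/,' web/static.go
                sed -i"" -e 's,./web/dist/,${frontend}/dist/,' internal/web/static.go
                sed -i"" -e 's,./lifecycle/gunicorn.conf.py,${staticWorkdirDeps}/lifecycle/gunicorn.conf.py,' internal/gounicorn/gounicorn.go
              '';
              # Restrict the Go build's source to the Go-relevant parts of the tree.
              src = pkgs.lib.cleanSourceWith {
                src = authentik-src;
                filter = (path: _:
                  (builtins.any (x: x) (
                    (map (infix: pkgs.lib.hasInfix infix path) [
                      "/cmd"
                      "/internal"
                    ])
                    ++
                    (map (suffix: pkgs.lib.hasSuffix suffix path) [
                      "/web"
                      "/web/static.go"
                      "/web/robots.txt"
                      "/web/security.txt"
                      "go.mod"
                      "go.sum"
                    ])
                  ))
                );
              };
              subPackages = [
                "cmd/ldap"
                "cmd/server"
                "cmd/proxy"
                "cmd/radius"
              ];
              # Fixed-output hash of the vendored Go modules; it pins the exact
              # dependency set and must be recomputed when upstream's go.mod/go.sum
              # change.
              vendorSha256 = "sha256-HYj5m4yFqqaxUY3YpLePzjdXnQlTIgk9h9glVeuCoLI=";
              nativeBuildInputs = [ pkgs.makeWrapper ];
              # `server` runs the Python side (see the gounicorn path rewritten above),
              # so it needs the poetry env on PATH and the static workdir on
              # PYTHONPATH.  A single wrapProgram call sets both; calling it twice,
              # as before, wrapped the first wrapper in a second one.
              postInstall = ''
                wrapProgram $out/bin/server \
                  --prefix PATH : ${pythonEnv}/bin \
                  --prefix PYTHONPATH : ${staticWorkdirDeps}
              '';
            };

            # Read-only "working directory" made of the source-tree parts the
            # Python side needs at runtime plus the built frontend.  The wrappers
            # for server, migrate and celery put it on PYTHONPATH.
            staticWorkdirDeps = pkgs.linkFarm "authentik-static-workdir-deps" [
              { name = "authentik"; path = "${authentik-src}/authentik"; }
              { name = "locale"; path = "${authentik-src}/locale"; }
              { name = "blueprints"; path = "${authentik-src}/blueprints"; }
              { name = "internal"; path = "${authentik-src}/internal"; }
              { name = "lifecycle"; path = "${authentik-src}/lifecycle"; }
              { name = "schemas"; path = "${authentik-src}/schemas"; }
              { name = "web"; path = frontend; }
            ];

            # Wrapped copy of upstream's lifecycle/migrate.py.  The script globs its
            # system_migrations relative to its own file, which after the copy would
            # be $out/bin, so that expression is rewritten to the store copy.
            # NOTE(review): confirm that this nixpkgs' substituteInPlace --replace
            # fails when the pattern is absent; if it only warns, an upstream change
            # to that line would silently leave the relative glob in place.
            migrate = pkgs.runCommandLocal "authentik-migrate.py" {
              nativeBuildInputs = [ pkgs.makeWrapper ];
            } ''
              mkdir -vp $out/bin
              cp ${authentik-src}/lifecycle/migrate.py $out/bin/migrate.py
              chmod +w $out/bin/migrate.py
              patchShebangs $out/bin/migrate.py
              substituteInPlace $out/bin/migrate.py \
                --replace \
                'migration in Path(__file__).parent.absolute().glob("system_migrations/*.py")' \
                'migration in Path("${staticWorkdirDeps}/lifecycle").glob("system_migrations/*.py")'
              wrapProgram $out/bin/migrate.py \
                --prefix PATH : ${pythonEnv}/bin \
                --prefix PYTHONPATH : ${staticWorkdirDeps}
            '';

            # worker: the poetry env's celery, with the static workdir on PYTHONPATH
            celery = pkgs.runCommandLocal "authentik-celery" {
              nativeBuildInputs = [ pkgs.makeWrapper ];
            } ''
              mkdir -vp $out/bin
              ln -sv ${pythonEnv}/bin/celery $out/bin/celery
              wrapProgram $out/bin/celery \
                --prefix PYTHONPATH : ${staticWorkdirDeps}
            '';

            # terraform provider
            # NOTE(review): built with buildGo118Module while gopkgs uses
            # buildGo120Module; Go 1.18 is past its support window, so its standard
            # library (crypto/tls, net/http, ...) no longer gets fixes.  Switching to
            # the same builder is the obvious next step, but it may require
            # recomputing vendorSha256, so it is not done blind here.
            terraform-provider-authentik = pkgs.buildGo118Module rec {
              pname = "terraform-provider-authentik";
              version = "2023.6.0";
              # Pinned to a release tag plus content hash; versioned independently
              # of the authentik release built above.
              src = pkgs.fetchFromGitHub {
                owner = "goauthentik";
                repo = pname;
                rev = "v${version}";
                sha256 = "sha256-a09ZiyDptjHFYTtD2fA0be/RERvrVR68vT6xEePt3dI=";
              };
              doCheck = false; # tests are run against authentik -> vm test
              vendorSha256 = "sha256-oxPIFvH7EazHiY0ymakOsXOiP3jnkFPgwHIcK4cPkQY=";
              # Lay the binary out as a terraform plugin directory entry:
              # registry.terraform.io/<ns>/<type>/<version>/<os>_<arch>/<name>_v<version>
              postInstall = ''
                path="$out/libexec/terraform-providers/registry.terraform.io/goauthentik/authentik/${version}/''${GOOS}_''${GOARCH}/"
                mkdir -p "$path"
                mv $out/bin/${pname} $path/${pname}_v${version}
                rmdir $out/bin
              '';
            };
          };

          # `nix flake check`: the VM integration test in ./test.nix, run against
          # this flake's NixOS module.
          checks.default = (import ./test.nix {
            inherit pkgs;
            inherit (self) nixosModules;
          });

          devShells.default = pkgs.mkShell {
            packages = [
              # to generate a v2 lockfile from the v3 lockfile provided by upstream:
              # npm install --lockfile-version 2 --package-lock-only
              pkgs.nodejs
            ];
          };
        };
      });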
}