authentik: 2024.6.4 -> 2024.12.1 (#363930) (414c48bc) · Commits · nix / nixpkgs

pkgs/by-name/au/authentik/ldap.nix

+5 −2

Original line number	Diff line number	Diff line
		{ buildGoModule, authentik }:
		{
		buildGoModule,
		authentik,
		}:

		buildGoModule {
		pname = "authentik-ldap-outpost";
		inherit (authentik) version src;

		vendorHash = "sha256-BcL9QAc2jJqoPaQImJIFtCiu176nxmVcCLPjXjNBwqI=";
		vendorHash = "sha256-FyRTPs2xfostV2x03IjrxEYBSrsZwnuPn+oHyQq1Kq0=";

		env.CGO_ENABLED = 0;

pkgs/by-name/au/authentik/outposts.nix

+3 −1

Original line number	Diff line number	Diff line
		{ callPackage }: {
		{ callPackage }:
		{
		ldap = callPackage ./ldap.nix { };
		proxy = callPackage ./proxy.nix { };
		radius = callPackage ./radius.nix { };
		}

pkgs/by-name/au/authentik/package.nix

+159 −119

Original line number	Diff line number	Diff line
		{ lib
		, stdenvNoCC
		, callPackages
		, fetchFromGitHub
		, fetchpatch
		, fetchzip
		, buildNpmPackage
		, buildGoModule
		, runCommand
		, openapi-generator-cli
		, nodejs
		, python312
		, codespell
		, makeWrapper }:
		{
		lib,
		stdenvNoCC,
		callPackages,
		cacert,
		fetchFromGitHub,
		buildNpmPackage,
		buildGoModule,
		runCommand,
		chromedriver,
		openapi-generator-cli,
		nodejs,
		python312,
		makeWrapper,
		}:

		let
		version = "2024.6.4";
		version = "2024.12.1";

		src = fetchFromGitHub {
		owner = "goauthentik";
		repo = "authentik";
		rev = "version/${version}";
		hash = "sha256-QwK/auMLCJEHHtyexFnO+adCq/u0fezHQ90fXW9J4c4=";
		hash = "sha256-CkUmsVKzAQ/VWIhtxWxlcGtrWVa8hxqsMqvfcsG5ktA=";
		};

		meta = with lib; {
		@@ -29,34 +30,69 @@ let
		homepage = "https://goauthentik.io/";
		license = licenses.mit;
		platforms = platforms.linux;
		maintainers = with maintainers; [ jvanbruegge risson ];
		knownVulnerabilities = [
		"CVE-2024-52307"
		"CVE-2024-52287"
		"CVE-2024-52289"
		"Authentik 2024.6.x is end-of-life, consider using https://github.com/nix-community/authentik-nix for an up-to-date alternative"
		maintainers = with maintainers; [
		jvanbruegge
		risson
		];
		};

		website = buildNpmPackage {
		# prefetch-npm-deps does not save all dependencies even though the lockfile is fine
		website-deps = stdenvNoCC.mkDerivation {
		pname = "authentik-website-deps";
		inherit src version meta;

		sourceRoot = "source/website";

		outputHash = "sha256-SONw9v67uuVk8meRIuS1KaBGbej6Gbz6nZxPDnHfCwQ=";
		outputHashMode = "recursive";

		nativeBuildInputs = [
		nodejs
		cacert
		];

		buildPhase = ''
		npm ci --cache ./cache
		rm -r ./cache
		'';

		installPhase = ''
		mv node_modules $out
		'';

		dontPatchShebangs = true;
		};

		website = stdenvNoCC.mkDerivation {
		pname = "authentik-website";
		inherit version src meta;
		npmDepsHash = "sha256-JM+ae+zDsMdvovd2p4IJIH89KlMeDU7HOZjFbDCyehw=";
		inherit src version meta;

		NODE_ENV = "production";
		NODE_OPTIONS = "--openssl-legacy-provider";
		nativeBuildInputs = [ nodejs ];

		postPatch = ''
		cd website
		substituteInPlace package.json --replace-fail 'cross-env ' ""
		'';

		sourceRoot = "source/website";

		buildPhase = ''
		runHook preBuild

		cp -r ${website-deps} node_modules
		chmod -R +w node_modules
		pushd node_modules/.bin
		patchShebangs $(readlink docusaurus)
		popd
		cat node_modules/.bin/docusaurus
		npm run build-bundled

		runHook postBuild
		'';

		installPhase = ''
		mkdir $out
		cp -r build $out/help
		'';

		npmBuildScript = "build-bundled";
		npmFlags = [ "--ignore-scripts" ];
		};

		clientapi = stdenvNoCC.mkDerivation {
		@@ -93,12 +129,14 @@ let
		ln -s ${src}/website $out/
		ln -s ${clientapi} $out/web/node_modules/@goauthentik/api
		'';
		npmDepsHash = "sha256-8TzB3ylZzVLePD86of8E/lGgIQCciWMQF9m1Iqv9ZTY=";
		npmDepsHash = "sha256-aRfpJWTp2WQB3E9aqzJn3BiPLwpCkdvMoyHexaKvz0U=";

		postPatch = ''
		cd web
		'';

		CHROMEDRIVER_FILEPATH = lib.getExe chromedriver;

		installPhase = ''
		runHook preInstall
		mkdir $out
		@@ -110,7 +148,10 @@ let
		NODE_ENV = "production";
		NODE_OPTIONS = "--openssl-legacy-provider";

		npmInstallFlags = [ "--include=dev" ];
		npmInstallFlags = [
		"--include=dev"
		"--ignore-scripts"
		];
		};

		python = python312.override {
		@@ -164,14 +205,6 @@ let
		inherit version src meta;
		pyproject = true;

		patches = [
		(fetchpatch {
		name = "scim-schema-load.patch";
		url = "https://github.com/goauthentik/authentik/commit/f3640bd3c0ee2f43efcfd506bb71d2b7b6761017.patch";
		hash = "sha256-4AC7Dc4TM7ok964ztc+XdHvoU/DKyi9yJoz5u1dljEM=";
		})
		];

		postPatch = ''
		rm lifecycle/system_migrations/tenant_files.py
		substituteInPlace authentik/root/settings.py \
		@@ -186,19 +219,23 @@ let
		--replace-fail 'web/' '${webui}/'
		'';

		nativeBuildInputs = [ prev.poetry-core ];
		nativeBuildInputs = [
		prev.poetry-core
		];

		propagatedBuildInputs = with final; [
		propagatedBuildInputs =
		with final;
		[
		argon2-cffi
		celery
		channels
		channels-redis
		codespell
		colorama
		cryptography
		dacite
		deepmerge
		defusedxml
		django
		django-countries
		django-cte
		django-filter
		django-guardian
		@@ -211,15 +248,17 @@ let
		djangorestframework
		djangorestframework-guardian2
		docker
		drf-orjson-renderer
		drf-spectacular
		duo-client
		facebook-sdk
		fido2
		flower
		geoip2
		google-api-python-client
		gunicorn
		gssapi
		jsonpatch
		jwcrypto
		kubernetes
		ldap3
		lxml
		@@ -231,6 +270,8 @@ let
		pydantic
		pydantic-scim
		pyjwt
		pyrad
		python-kadmin-rs
		pyyaml
		requests-oauthlib
		scim2-filter-parser
		@@ -241,7 +282,6 @@ let
		swagger-spec-validator
		tenant-schemas-celery
		twilio
		twisted
		ua-parser
		urllib3
		uvicorn
		@@ -251,7 +291,6 @@ let
		xmlsec
		zxcvbn
		]
		++ channels.optional-dependencies.daphne
		++ django-storages.optional-dependencies.s3
		++ opencontainers.optional-dependencies.reggie
		++ psycopg.optional-dependencies.c
		@@ -287,7 +326,7 @@ let

		env.CGO_ENABLED = 0;

		vendorHash = "sha256-BcL9QAc2jJqoPaQImJIFtCiu176nxmVcCLPjXjNBwqI=";
		vendorHash = "sha256-FyRTPs2xfostV2x03IjrxEYBSrsZwnuPn+oHyQq1Kq0=";

		postInstall = ''
		mv $out/bin/server $out/bin/authentik
		@@ -296,18 +335,14 @@ let
		subPackages = [ "cmd/server" ];
		};

		in stdenvNoCC.mkDerivation {
		in
		stdenvNoCC.mkDerivation {
		pname = "authentik";
		inherit src version;

		postPatch = ''
		rm Makefile
		patchShebangs lifecycle/ak

		# This causes issues in systemd services
		substituteInPlace lifecycle/ak \
		--replace-fail 'printf' '>&2 printf' \
		--replace-fail '> /dev/stderr' ""
		'';

		installPhase = ''
		@@ -316,7 +351,12 @@ in stdenvNoCC.mkDerivation {
		cp -r lifecycle/ak $out/bin/

		wrapProgram $out/bin/ak \
		--prefix PATH : ${lib.makeBinPath [ (python.withPackages (ps: [ps.authentik-django])) proxy ]} \
		--prefix PATH : ${
		lib.makeBinPath [
		(python.withPackages (ps: [ ps.authentik-django ]))
		proxy
		]
		} \
		--set TMPDIR /dev/shm \
		--set PYTHONDONTWRITEBYTECODE 1 \
		--set PYTHONUNBUFFERED 1

pkgs/by-name/au/authentik/proxy.nix

0 → 100644

+21 −0

Original line number	Diff line number	Diff line
		{
		buildGoModule,
		authentik,
		}:

		buildGoModule {
		pname = "authentik-proxy-outpost";
		inherit (authentik) version src;

		vendorHash = "sha256-FyRTPs2xfostV2x03IjrxEYBSrsZwnuPn+oHyQq1Kq0=";

		env.CGO_ENABLED = 0;

		subPackages = [ "cmd/proxy" ];

		meta = authentik.meta // {
		description = "Authentik proxy outpost which is used for HTTP reverse proxy authentication";
		homepage = "https://goauthentik.io/docs/providers/proxy/";
		mainProgram = "proxy";
		};
		}

pkgs/by-name/au/authentik/radius.nix

+5 −2

Original line number	Diff line number	Diff line
		{ buildGoModule, authentik }:
		{
		buildGoModule,
		authentik,
		}:

		buildGoModule {
		pname = "authentik-radius-outpost";
		inherit (authentik) version src;

		vendorHash = "sha256-BcL9QAc2jJqoPaQImJIFtCiu176nxmVcCLPjXjNBwqI=";
		vendorHash = "sha256-FyRTPs2xfostV2x03IjrxEYBSrsZwnuPn+oHyQq1Kq0=";

		env.CGO_ENABLED = 0;

Admin message