Loading pkgs/by-name/au/authentik/client-go-config.patch 0 → 100644 +9 −0 Original line number Diff line number Diff line diff --git a/config.yaml b/config.yaml index 2f07ea7..0f90432 100644 --- a/config.yaml +++ b/config.yaml @@ -4,3 +4,4 @@ additionalProperties: packageName: api enumClassPrefix: true useOneOfDiscriminatorLookup: true + disallowAdditionalPropertiesIfNotPresent: false pkgs/by-name/au/authentik/ldap.nix +3 −0 Original line number Diff line number Diff line { buildGoModule, authentik, apiGoVendorHook, vendorHash, }: Loading @@ -9,6 +10,8 @@ buildGoModule { inherit (authentik) version src; inherit vendorHash; nativeBuildInputs = [ apiGoVendorHook ]; env.CGO_ENABLED = 0; subPackages = [ "cmd/ldap" ]; Loading pkgs/by-name/au/authentik/outposts.nix +4 −3 Original line number Diff line number Diff line { callPackage, authentik, apiGoVendorHook ? authentik.apiGoVendorHook, vendorHash ? authentik.proxy.vendorHash, }: { ldap = callPackage ./ldap.nix { inherit vendorHash; }; proxy = callPackage ./proxy.nix { inherit vendorHash; }; radius = callPackage ./radius.nix { inherit vendorHash; }; ldap = callPackage ./ldap.nix { inherit apiGoVendorHook vendorHash; }; proxy = callPackage ./proxy.nix { inherit apiGoVendorHook vendorHash; }; radius = callPackage ./radius.nix { inherit apiGoVendorHook vendorHash; }; } pkgs/by-name/au/authentik/package.nix +152 −13 Original line number Diff line number Diff line Loading @@ -10,18 +10,23 @@ nodejs_24, python3, makeWrapper, openapi-generator-cli, go, typescript, makeSetupHook, writeShellScript, }: let nodejs = nodejs_24; version = "2025.10.1"; version = "2025.12.4"; src = fetchFromGitHub { owner = "goauthentik"; repo = "authentik"; tag = "version/${version}"; hash = "sha256-HowB6DTGCqz770fKYbnE+rQ11XRV0WSNkLD+HSWZwz8="; hash = "sha256-alTyrMBbjZbw4jhEna8saabf93sqSrZCu+Z5xH3pZ7M="; }; meta = { Loading 
@@ -39,6 +44,90 @@ let ]; }; client-go = stdenvNoCC.mkDerivation { pname = "authentik-client-go"; version = "3.${version}"; inherit meta; src = fetchFromGitHub { owner = "goauthentik"; repo = "client-go"; tag = "v3.${version}"; hash = "sha256-+/CfOE2HkBU+ZddvdXGenB/z8xNFk8cujpZpMXyh3cY="; }; patches = [ ./client-go-config.patch ]; postPatch = '' substituteInPlace ./config.yaml \ --replace-fail '/local' "$(pwd)" ''; nativeBuildInputs = [ openapi-generator-cli go ]; buildPhase = '' runHook preBuild openapi-generator-cli generate \ -i ${src}/schema.yml -o $out \ -g go \ -c ./config.yaml gofmt -w $out runHook postBuild ''; installPhase = '' runHook preInstall cp go.mod go.sum $out cd $out rm -rf test rm -f .travis.yml git_push.sh runHook postInstall ''; }; client-ts = stdenvNoCC.mkDerivation { pname = "authentik-client-ts"; inherit version src meta; postPatch = '' substituteInPlace ./scripts/api/ts-config.yaml \ --replace-fail '/local' "$(pwd)" ''; nativeBuildInputs = [ nodejs openapi-generator-cli typescript ]; buildPhase = '' runHook preBuild openapi-generator-cli generate \ -i ./schema.yml -o $out \ -g typescript-fetch \ -c ./scripts/api/ts-config.yaml \ --additional-properties=npmVersion=${version} \ --git-repo-id authentik --git-user-id goauthentik cd $out npm run build runHook postBuild ''; }; # prefetch-npm-deps does not save all dependencies even though the lockfile is fine website-deps = stdenvNoCC.mkDerivation { pname = "authentik-website-deps"; Loading @@ -48,8 +137,8 @@ let outputHash = { "aarch64-linux" = "sha256-aXXlzTsZp5mOrsxy9oHNzcc+1cFSnbC9RmtawBohmLI="; "x86_64-linux" = "sha256-Hi0HXzwTLuer0v4IKF3aim0tVe7AVLi67DiMimrIq5s="; "aarch64-linux" = "sha256-GL5FPIBnoEXYtw8DPJpRPe3tT3qioN4AdoeOmCoiYsM="; "x86_64-linux" = "sha256-AnceTipq6uUvTbOAZanVshAbAJ9LS1kwImbttTOcWxc="; } .${stdenvNoCC.hostPlatform.system} or (throw "authentik-website-deps: unsupported host platform"); Loading Loading 
@@ -119,8 +208,8 @@ let outputHash = { "aarch64-linux" = "sha256-t/jyzG3ibTW3fu8Gl1tWkSjMG6Lek/7JDccDrZX6sD0="; "x86_64-linux" = "sha256-8I1YAKvgWjM3p9O1mCetZvhZelrfB31w0ZwkZBUEoh4="; "aarch64-linux" = "sha256-eZZ5Ynj81KwFsU5emPtYZ2CxO8MFvWbJnCHs+L88KQQ="; "x86_64-linux" = "sha256-yUAyyO1NFav1EptrRYGSzC8dxCxYVj0FmzHk8IckFZM="; } .${stdenvNoCC.hostPlatform.system} or (throw "authentik-webui-deps: unsupported host platform"); outputHashMode = "recursive"; Loading Loading @@ -172,6 +261,10 @@ let find -type d -name node_modules -prune -print -exec cp -rT {} $buildRoot/{} \; popd chmod -R +w node_modules/@goauthentik rm -R node_modules/@goauthentik/api ln -sn ${client-ts} node_modules/@goauthentik/api pushd node_modules/.bin patchShebangs $(readlink rollup) patchShebangs $(readlink wireit) Loading Loading @@ -208,6 +301,21 @@ let # https://github.com/goauthentik/authentik/pull/16324 django = final.django_5; ak-guardian = final.buildPythonPackage { pname = "ak-guardian"; inherit version src meta; pyproject = true; sourceRoot = "${src.name}/packages/ak-guardian"; build-system = with final; [ hatchling ]; propagatedBuildInputs = with final; [ django typing-extensions ]; }; django-channels-postgres = final.buildPythonPackage { pname = "django-channels-postgres"; inherit version src meta; Loading Loading 
@@ -330,14 +438,15 @@ let pyproject = true; postPatch = '' rm lifecycle/system_migrations/tenant_files.py substituteInPlace authentik/root/settings.py \ --replace-fail 'Path(__file__).absolute().parent.parent.parent' "Path(\"$out\")" substituteInPlace authentik/lib/default.yml \ --replace-fail '/blueprints' "$out/blueprints" \ --replace-fail './media' '/var/lib/authentik/media' --replace-fail '/blueprints' "$out/blueprints" substituteInPlace authentik/stages/email/utils.py \ --replace-fail 'web/' '${webui}/' # allways allow file upload if the data directoy exists substituteInPlace authentik/admin/files/backends/file.py \ --replace-fail "and (self._base_dir.is_mount() or (self._base_dir / self.usage.value).is_mount())" "" ''; build-system = [ Loading @@ -351,6 +460,7 @@ let dependencies = with final; [ ak-guardian argon2-cffi cachetools channels Loading @@ -364,7 +474,6 @@ let django-cte django-dramatiq-postgres django-filter django-guardian django-model-utils django-pglock django-pgtrigger Loading @@ -375,7 +484,6 @@ let django-tenants djangoql djangorestframework djangorestframework-guardian docker drf-orjson-renderer drf-spectacular Loading Loading 
@@ -440,6 +548,31 @@ let inherit (python.pkgs) authentik-django; # Provide a setup-hook to configure the Go vendor directory with up-to-date API bindings. # This is done to avoid the `vendorHash` depending on anything in the `client-go` build (e.g. # openapi-generator-cli version updates changing the produced content) and invalidating the hash. apiGoVendorHook = makeSetupHook { name = "authentik-api-go-vendor-hook"; } ( writeShellScript "authentik-api-go-vendor-hook" '' authentikApiGoVendorHook() { chmod -R +w vendor/goauthentik.io/api rm -rf vendor/goauthentik.io/api/v3 cp -r ${client-go} vendor/goauthentik.io/api/v3 echo "Finished authentikApiGoVendorHook" } # don't run for FOD, e.g. the `goModules` build if [ -z ''${outputHash-} ]; then postConfigureHooks+=(authentikApiGoVendorHook) fi '' ); proxy = buildGoModule { pname = "authentik-proxy"; inherit version src meta; Loading @@ -453,9 +586,14 @@ let --replace-fail './web' "${authentik-django}/web" ''; nativeBuildInputs = [ apiGoVendorHook ]; env.CGO_ENABLED = 0; vendorHash = "sha256-m2shrCwoVdbtr8B83ZcAyG+J6dEys2xdjtlfFFF4CDo="; # calculate the vendorHash without other dependencies, so it is only based on the `go.sum` file overrideModAttrs.postPatch = ""; vendorHash = "sha256-pdQg02f1K4nOhsnadoplQYOhEybqZxn+yDQRN5RNygM="; postInstall = '' mv $out/bin/server $out/bin/authentik Loading Loading @@ -500,9 +638,10 @@ stdenvNoCC.mkDerivation { ''; passthru = { inherit proxy; inherit proxy apiGoVendorHook; outposts = callPackages ./outposts.nix { inherit (proxy) vendorHash; inherit apiGoVendorHook; }; }; Loading pkgs/by-name/au/authentik/proxy.nix +3 −0 Original line number Diff line number Diff line { buildGoModule, authentik, apiGoVendorHook, vendorHash, }: Loading @@ -9,6 +10,8 @@ buildGoModule { inherit (authentik) version src; inherit vendorHash; nativeBuildInputs = [ apiGoVendorHook ]; env.CGO_ENABLED = 0; subPackages = [ "cmd/proxy" ]; Loading Loading
pkgs/by-name/au/authentik/client-go-config.patch 0 → 100644 +9 −0 diff --git a/config.yaml b/config.yaml index 2f07ea7..0f90432 100644 --- a/config.yaml +++ b/config.yaml @@ -4,3 +4,4 @@ additionalProperties: packageName: api enumClassPrefix: true useOneOfDiscriminatorLookup: true + disallowAdditionalPropertiesIfNotPresent: false
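Review bot: The new patch file adds `disallowAdditionalPropertiesIfNotPresent: false` to the generator config without any explanation of why the packaged build needs it. The option changes how openapi-generator treats schemas that omit `additionalProperties`, so it presumably affects how the generated Go client, which the outposts use to talk to the authentik API, decodes responses. A short header in the patch, or a comment above `patches = [ ./client-go-config.patch ];` in package.nix, would help, for example `# accept undeclared properties in generated models; see <upstream reference>`. It would let the next updater judge whether the patch is still required or can be dropped.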
pkgs/by-name/au/authentik/ldap.nix +3 −0 { buildGoModule, authentik, apiGoVendorHook, vendorHash, }: @@ -9,6 +10,8 @@ buildGoModule { inherit (authentik) version src; inherit vendorHash; nativeBuildInputs = [ apiGoVendorHook ]; env.CGO_ENABLED = 0; subPackages = [ "cmd/ldap" ];
pkgs/by-name/au/authentik/outposts.nix +4 −3 { callPackage, authentik, apiGoVendorHook ? authentik.apiGoVendorHook, vendorHash ? authentik.proxy.vendorHash, }: { ldap = callPackage ./ldap.nix { inherit vendorHash; }; proxy = callPackage ./proxy.nix { inherit vendorHash; }; radius = callPackage ./radius.nix { inherit vendorHash; }; ldap = callPackage ./ldap.nix { inherit apiGoVendorHook vendorHash; }; proxy = callPackage ./proxy.nix { inherit apiGoVendorHook vendorHash; }; radius = callPackage ./radius.nix { inherit apiGoVendorHook vendorHash; }; }
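Review bot: `radius = callPackage ./radius.nix { inherit apiGoVendorHook vendorHash; };` now passes `apiGoVendorHook`, but no radius.nix section is visible on this page alongside ldap.nix and proxy.nix (the page may simply be truncated). If radius.nix still declares the old argument set, evaluation will fail on the unexpected argument. If it accepts the argument but does not add `nativeBuildInputs = [ apiGoVendorHook ];`, the radius outpost would presumably be built against the API bindings vendored by `goModules` rather than the regenerated `client-go` output, unlike the other two outposts. It is worth confirming that radius.nix received the same three-line change as ldap.nix.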
pkgs/by-name/au/authentik/package.nix +152 −13 Original line number Diff line number Diff line Loading @@ -10,18 +10,23 @@ nodejs_24, python3, makeWrapper, openapi-generator-cli, go, typescript, makeSetupHook, writeShellScript, }: let nodejs = nodejs_24; version = "2025.10.1"; version = "2025.12.4"; src = fetchFromGitHub { owner = "goauthentik"; repo = "authentik"; tag = "version/${version}"; hash = "sha256-HowB6DTGCqz770fKYbnE+rQ11XRV0WSNkLD+HSWZwz8="; hash = "sha256-alTyrMBbjZbw4jhEna8saabf93sqSrZCu+Z5xH3pZ7M="; }; meta = { Loading 
@@ -39,6 +44,90 @@ let ]; }; client-go = stdenvNoCC.mkDerivation { pname = "authentik-client-go"; version = "3.${version}"; inherit meta; src = fetchFromGitHub { owner = "goauthentik"; repo = "client-go"; tag = "v3.${version}"; hash = "sha256-+/CfOE2HkBU+ZddvdXGenB/z8xNFk8cujpZpMXyh3cY="; }; patches = [ ./client-go-config.patch ]; postPatch = '' substituteInPlace ./config.yaml \ --replace-fail '/local' "$(pwd)" ''; nativeBuildInputs = [ openapi-generator-cli go ]; buildPhase = '' runHook preBuild openapi-generator-cli generate \ -i ${src}/schema.yml -o $out \ -g go \ -c ./config.yaml gofmt -w $out runHook postBuild ''; installPhase = '' runHook preInstall cp go.mod go.sum $out cd $out rm -rf test rm -f .travis.yml git_push.sh runHook postInstall ''; }; client-ts = stdenvNoCC.mkDerivation { pname = "authentik-client-ts"; inherit version src meta; postPatch = '' substituteInPlace ./scripts/api/ts-config.yaml \ --replace-fail '/local' "$(pwd)" ''; nativeBuildInputs = [ nodejs openapi-generator-cli typescript ]; buildPhase = '' runHook preBuild openapi-generator-cli generate \ -i ./schema.yml -o $out \ -g typescript-fetch \ -c ./scripts/api/ts-config.yaml \ --additional-properties=npmVersion=${version} \ --git-repo-id authentik --git-user-id goauthentik cd $out npm run build runHook postBuild ''; }; # prefetch-npm-deps does not save all dependencies even though the lockfile is fine website-deps = stdenvNoCC.mkDerivation { pname = "authentik-website-deps"; Loading @@ -48,8 +137,8 @@ let outputHash = { "aarch64-linux" = "sha256-aXXlzTsZp5mOrsxy9oHNzcc+1cFSnbC9RmtawBohmLI="; "x86_64-linux" = "sha256-Hi0HXzwTLuer0v4IKF3aim0tVe7AVLi67DiMimrIq5s="; "aarch64-linux" = "sha256-GL5FPIBnoEXYtw8DPJpRPe3tT3qioN4AdoeOmCoiYsM="; "x86_64-linux" = "sha256-AnceTipq6uUvTbOAZanVshAbAJ9LS1kwImbttTOcWxc="; } .${stdenvNoCC.hostPlatform.system} or (throw "authentik-website-deps: unsupported host platform"); Loading Loading 
@@ -119,8 +208,8 @@ let outputHash = { "aarch64-linux" = "sha256-t/jyzG3ibTW3fu8Gl1tWkSjMG6Lek/7JDccDrZX6sD0="; "x86_64-linux" = "sha256-8I1YAKvgWjM3p9O1mCetZvhZelrfB31w0ZwkZBUEoh4="; "aarch64-linux" = "sha256-eZZ5Ynj81KwFsU5emPtYZ2CxO8MFvWbJnCHs+L88KQQ="; "x86_64-linux" = "sha256-yUAyyO1NFav1EptrRYGSzC8dxCxYVj0FmzHk8IckFZM="; } .${stdenvNoCC.hostPlatform.system} or (throw "authentik-webui-deps: unsupported host platform"); outputHashMode = "recursive"; Loading Loading @@ -172,6 +261,10 @@ let find -type d -name node_modules -prune -print -exec cp -rT {} $buildRoot/{} \; popd chmod -R +w node_modules/@goauthentik rm -R node_modules/@goauthentik/api ln -sn ${client-ts} node_modules/@goauthentik/api pushd node_modules/.bin patchShebangs $(readlink rollup) patchShebangs $(readlink wireit) Loading Loading @@ -208,6 +301,21 @@ let # https://github.com/goauthentik/authentik/pull/16324 django = final.django_5; ak-guardian = final.buildPythonPackage { pname = "ak-guardian"; inherit version src meta; pyproject = true; sourceRoot = "${src.name}/packages/ak-guardian"; build-system = with final; [ hatchling ]; propagatedBuildInputs = with final; [ django typing-extensions ]; }; django-channels-postgres = final.buildPythonPackage { pname = "django-channels-postgres"; inherit version src meta; Loading Loading 
@@ -330,14 +438,15 @@ let pyproject = true; postPatch = '' rm lifecycle/system_migrations/tenant_files.py substituteInPlace authentik/root/settings.py \ --replace-fail 'Path(__file__).absolute().parent.parent.parent' "Path(\"$out\")" substituteInPlace authentik/lib/default.yml \ --replace-fail '/blueprints' "$out/blueprints" \ --replace-fail './media' '/var/lib/authentik/media' --replace-fail '/blueprints' "$out/blueprints" substituteInPlace authentik/stages/email/utils.py \ --replace-fail 'web/' '${webui}/' # allways allow file upload if the data directoy exists substituteInPlace authentik/admin/files/backends/file.py \ --replace-fail "and (self._base_dir.is_mount() or (self._base_dir / self.usage.value).is_mount())" "" ''; build-system = [ Loading @@ -351,6 +460,7 @@ let dependencies = with final; [ ak-guardian argon2-cffi cachetools channels Loading @@ -364,7 +474,6 @@ let django-cte django-dramatiq-postgres django-filter django-guardian django-model-utils django-pglock django-pgtrigger Loading @@ -375,7 +484,6 @@ let django-tenants djangoql djangorestframework djangorestframework-guardian docker drf-orjson-renderer drf-spectacular Loading Loading 
@@ -440,6 +548,31 @@ let inherit (python.pkgs) authentik-django; # Provide a setup-hook to configure the Go vendor directory with up-to-date API bindings. # This is done to avoid the `vendorHash` depending on anything in the `client-go` build (e.g. # openapi-generator-cli version updates changing the produced content) and invalidating the hash. apiGoVendorHook = makeSetupHook { name = "authentik-api-go-vendor-hook"; } ( writeShellScript "authentik-api-go-vendor-hook" '' authentikApiGoVendorHook() { chmod -R +w vendor/goauthentik.io/api rm -rf vendor/goauthentik.io/api/v3 cp -r ${client-go} vendor/goauthentik.io/api/v3 echo "Finished authentikApiGoVendorHook" } # don't run for FOD, e.g. the `goModules` build if [ -z ''${outputHash-} ]; then postConfigureHooks+=(authentikApiGoVendorHook) fi '' ); proxy = buildGoModule { pname = "authentik-proxy"; inherit version src meta; Loading @@ -453,9 +586,14 @@ let --replace-fail './web' "${authentik-django}/web" ''; nativeBuildInputs = [ apiGoVendorHook ]; env.CGO_ENABLED = 0; vendorHash = "sha256-m2shrCwoVdbtr8B83ZcAyG+J6dEys2xdjtlfFFF4CDo="; # calculate the vendorHash without other dependencies, so it is only based on the `go.sum` file overrideModAttrs.postPatch = ""; vendorHash = "sha256-pdQg02f1K4nOhsnadoplQYOhEybqZxn+yDQRN5RNygM="; postInstall = '' mv $out/bin/server $out/bin/authentik Loading Loading @@ -500,9 +638,10 @@ stdenvNoCC.mkDerivation { ''; passthru = { inherit proxy; inherit proxy apiGoVendorHook; outposts = callPackages ./outposts.nix { inherit (proxy) vendorHash; inherit apiGoVendorHook; }; }; Loading
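Review bot: The `substituteInPlace authentik/admin/files/backends/file.py` call in the authentik-django `postPatch` deletes the `is_mount()` condition, so the file backend will apparently accept uploads into any base directory that merely exists. The same hunk also drops the `./media` to `/var/lib/authentik/media` rewrite without showing where uploads land now. The comment should name the resulting directory and who is expected to create it with which ownership, and its typos should be fixed, e.g. `# always allow file uploads if the data directory exists (upstream requires a mount point; here it is a plain directory at <data dir>)`. If the default path is still relative to the working directory, uploaded files could end up somewhere unintended, so an explicit path substitution or a module-level setting seems safer. The enclosing derivation starts and ends outside the hunk, so the effective default cannot be confirmed from this page.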
pkgs/by-name/au/authentik/proxy.nix +3 −0 { buildGoModule, authentik, apiGoVendorHook, vendorHash, }: @@ -9,6 +10,8 @@ buildGoModule { inherit (authentik) version src; inherit vendorHash; nativeBuildInputs = [ apiGoVendorHook ]; env.CGO_ENABLED = 0; subPackages = [ "cmd/proxy" ];