authentik: various fixups

2025-03-04 23:29:07 +00:00 · 2025-03-04 23:29:07 +00:00 · 3179ec7ec0
commit 3179ec7ec0
parent 0b4fb44b79
6 changed files with 56 additions and 5 deletions
--- a/nix/pkgs/authentik/default.nix
+++ b/nix/pkgs/authentik/default.nix
@ -2,12 +2,35 @@

 let
  version = "2025.2.1-lukegb";
-  src = pkgs.fetchFromGitHub {
+
+  rawSrc = pkgs.fetchFromGitHub {
    owner = "lukegb";
    repo = "authentik";
    rev = "16fe28545d96d1eec5f262df92537ac53fdcbc51";
    hash = "sha256-Y6EQSFQkDziDA767PwfV+Sb9fuIYOMsdq7BLpSUJpHQ=";
  };
+
+  patches = [
+    (pkgs.fetchpatch {
+      url = "https://raw.githubusercontent.com/nix-community/authentik-nix/bfcad34becd76d148e1ad537b5dcbd58d858a5bb/components/authentik_media_tenant_files_migration.patch";
+      hash = "sha256-jahcyBFTo9vObTbxAKxQu+uHDNztjcvy5lv3tXs0yKQ=";
+    })
+    (pkgs.fetchpatch {
+      url = "https://raw.githubusercontent.com/nix-community/authentik-nix/bfcad34becd76d148e1ad537b5dcbd58d858a5bb/components/authentik_media_upload.patch";
+      hash = "sha256-eAbZ/UlImezLKcUC7jRPLKwLO9r4RoKSXrtU+scIMnE=";
+    })
+  ];
+  src = pkgs.runCommand "authentik-src" { inherit patches; src = rawSrc; } ''
+    cp -R $src $out
+    chmod -R u+w $out
+
+    pushd $out
+    for patch in $patches; do
+      patch -p1 < $patch
+    done
+    popd
+  '';
+
  subargs = args // { inherit src version; };
 in rec {
  inherit src;
--- a/nix/pkgs/authentik/docs/default.nix
+++ b/nix/pkgs/authentik/docs/default.nix
@ -4,7 +4,7 @@ pkgs.buildNpmPackage rec {
  pname = "authentik-docs";
  inherit src version;

-  sourceRoot = "source/website";
+  sourceRoot = "${src.name}/website";

  nodejs = pkgs.nodejs_22;

--- a/nix/pkgs/authentik/server/default.nix
+++ b/nix/pkgs/authentik/server/default.nix
@ -25,6 +25,7 @@ pkgs.stdenv.mkDerivation {
    ln -s ${webui}/authentik $out/share/authentik/web/authentik
    mkdir $out/share/authentik/website
    ln -s ${docs} $out/share/authentik/website/help
+    cp -R $src/blueprints $out/share/authentik/blueprints

    ln -s /etc/authentik/authentik.yml $out/share/local.env.yml

--- a/nix/pkgs/authentik/webui/default.nix
+++ b/nix/pkgs/authentik/webui/default.nix
@ -4,7 +4,7 @@ pkgs.buildNpmPackage {
  pname = "authentik-webui";
  inherit src version;

-  sourceRoot = "source/web";
+  sourceRoot = "${src.name}/web";

  nodejs = pkgs.nodejs_20;

--- a/ops/nixos/totoro/authentik.nix
+++ b/ops/nixos/totoro/authentik.nix
@ -1,4 +1,4 @@
-{ depot, config, ... }:
+{ depot, pkgs, config, ... }:

 let
  authentikEnvironment = {
@ -6,10 +6,25 @@ let
    AUTHENTIK_POSTGRESQL__USER = "authentik";
    AUTHENTIK_POSTGRESQL__PASSWORD = "";
    AUTHENTIK_POSTGRESQL__HOST = "";
+    AUTHENTIK_STORAGE__MEDIA__FILE__PATH = "/var/lib/authentik/media";
+    AUTHENTIK_BLUEPRINTS__DIR = "${depot.nix.pkgs.authentik.server}/share/authentik/blueprints";
    PROMETHEUS_MULTIPROC_DIR = "/tmp";
  };
 in
 {
+  services.geoipupdate = {
+    enable = true;
+    settings = {
+      AccountID = 1135779;
+      LicenseKey = { _secret = config.my.vault.secrets.maxmind-license-key.path; };
+      EditionID = [
+        "GeoLite2-ASN"
+        "GeoLite2-City"
+        "GeoLite2-Country"
+      ];
+    };
+  };
+
  services.nginx.virtualHosts."auth.lukegb.com" = {
    forceSSL = true;
    locations."/" = {
@ -40,6 +55,7 @@ in
      User = "authentik";
      PrivateTmp = true;
      EnvironmentFile = config.my.vault.secrets.authentik-environment.path;
+      StateDirectory = "authentik";
    };
  };
  systemd.services.authentik-worker = {
@ -51,6 +67,7 @@ in
      ExecStart = "${depot.nix.pkgs.authentik.server}/bin/authentik-celery -A authentik.root.celery worker -Ofair --max-tasks-per-child=1 --autoscale 3,1 -E -B -s /tmp/celerybeat-schedule -Q authentik,authentik_scheduled,authentik_events";
      PrivateTmp = true;
      EnvironmentFile = config.my.vault.secrets.authentik-environment.path;
+      StateDirectory = "authentik";
    };
  };

@ -63,4 +80,13 @@ in
      {{ end }}
    '';
  };
+  my.vault.secrets.maxmind-license-key = {
+    restartUnits = ["geoipupdate.service"];
+    group = "root";
+    template = ''
+      {{ with secret "kv/apps/maxmind" -}}
+      {{ .Data.data.licensekey }}
+      {{- end }}
+    '';
+  };
 }
--- a/ops/vault/cfg/config.nix
+++ b/ops/vault/cfg/config.nix
@ -76,6 +76,7 @@
  my.apps.hackyplayer = {};
  my.apps.emfminiserv = {};
  my.apps.bsky-pds = {};
+  my.apps.maxmind = {};

  my.servers.etheroute-lon01.apps = [ "pomerium" ];
  my.servers.bvm-forgejo.apps = [ "pomerium" "gitea-runner" ];
@ -91,5 +92,5 @@
  my.servers.bvm-prosody.apps = [ "turn" ];
  my.servers.bvm-nixosmgmt.apps = [ "plex-pass" ];
  my.servers.bvm-netbox.apps = [ "netbox" ];
-  my.servers.rexxar.apps = [ "deluge" "gitea-runner" "nixbuild" "hacky-vouchproxy" "hackyplayer" "emfminiserv" "fup" "bsky-pds" ];
+  my.servers.rexxar.apps = [ "deluge" "gitea-runner" "nixbuild" "hacky-vouchproxy" "hackyplayer" "emfminiserv" "fup" "bsky-pds" "maxmind" ];
 }