nix/pkgs/authentik: tighten this up

nix/pkgs/authentik/default.nix

@@ -1,39 +1,145 @@
-{ pkgs, ... }@args:
+{ pkgs, lib, ... }@args:
 
 let
-  version = "2025.2.1-lukegb";
+  version = "2025.2.1";
+  srcHash = "sha256-KZalpsM9rvki9GD+urf8idHOEnvBJtkSvE1b2b4KL/4=";
 
   rawSrc = pkgs.fetchFromGitHub {
-    owner = "lukegb";
+    owner = "goauthentik";
     repo = "authentik";
-    rev = "16fe28545d96d1eec5f262df92537ac53fdcbc51";
-    hash = "sha256-Y6EQSFQkDziDA767PwfV+Sb9fuIYOMsdq7BLpSUJpHQ=";
+    tag = "version/${version}";
+    hash = srcHash;
+  };
+  src = pkgs.stdenv.mkDerivation {
+    pname = "authentik-src";
+    version = "${version}-lukegb";
+    src = rawSrc;
+
+    clientGoSrc = pkgs.fetchFromGitHub {
+      owner = "goauthentik";
+      repo = "client-go";
+      tag = "v3.2025021.2";
+      hash = "sha256-AtbbV3MV2HlvO7FD+W08ST80IULVi/NsOrYr1SFYV38=";
+    };
+
+    patches = [
+      (pkgs.fetchpatch {
+        url = "https://raw.githubusercontent.com/nix-community/authentik-nix/bfcad34becd76d148e1ad537b5dcbd58d858a5bb/components/authentik_media_tenant_files_migration.patch";
+        hash = "sha256-jahcyBFTo9vObTbxAKxQu+uHDNztjcvy5lv3tXs0yKQ=";
+      })
+      (pkgs.fetchpatch {
+        url = "https://raw.githubusercontent.com/nix-community/authentik-nix/bfcad34becd76d148e1ad537b5dcbd58d858a5bb/components/authentik_media_upload.patch";
+        hash = "sha256-eAbZ/UlImezLKcUC7jRPLKwLO9r4RoKSXrtU+scIMnE=";
+      })
+      (pkgs.fetchpatch {
+        url = "https://github.com/lukegb/authentik/commit/df97b7a0c73e51507e7ce15bf4b75a61644dd253.patch";
+        hash = "sha256-oSX7BVdaGiyjyVq0IvPvDpopFJVVSsVnxhaxQSEqqI0=";
+      })
+    ];
+
+    postPatch = ''
+      # empty content gets dropped by filterdiff inside fetchpatch
+      touch authentik/stages/ext_auth/migrations/__init__.py
+
+      patchShebangs lifecycle/ak  # NOTE: reverted in installPhase
+    '';
+
+    buildInputs = with pkgs; [
+      libpq
+      krb5
+      cacert
+    ];
+    nativeBuildInputs = with pkgs; [
+      poetry
+      postgresql
+      go
+      openapi-generator-cli
+      gotools
+    ];
+    outputHash = "sha256-gGoAWgp1+IVwxhDo8/es4mlZkXEy0nNVWDtMFoWMHmE=";
+    outputHashMode = "recursive";
+
+    buildPhase = ''
+      runHook preBuild
+
+      export PATH=$PATH:$PWD/lifecycle
+
+      export POSTGRESPATH=$NIX_BUILD_TOP/postgres
+      mkdir $POSTGRESPATH
+      initdb -D $POSTGRESPATH
+      postgres -D $POSTGRESPATH -c 'listen_addresses=' -c "unix_socket_directories=$POSTGRESPATH" -c 'fsync=off' -c 'synchronous_commit=off' -c 'full_page_writes=off' -c 'shared_buffers=512MB' &
+      export PGHOST=$POSTGRESPATH
+
+      export HOME=$NIX_BUILD_TOP/home
+      mkdir -p $HOME
+
+      export NIX_CFLAGS_COMPILE="-DHAS_GSSAPI_EXT_H"
+
+      export AUTHENTIK_DEBUG=true
+      export AUTHENTIK_TENANTS__ENABLED=true
+      export AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true
+      export AUTHENTIK_POSTGRESQL__HOST=$PGHOST
+      export AUTHENTIK_POSTGRESQL__USER=$(id -un)
+
+      make gen-clean
+
+      poetry install --no-ansi --no-interaction --no-root
+      poetry run make gen-dev-config
+      createdb authentik
+
+      poetry run make migrate
+      poetry run make gen-build
+
+      # gen-client-ts
+      sed -i 's,/local/,,g' scripts/api-ts-config.yaml
+      openapi-generator-cli generate \
+        -i schema.yml \
+        -g typescript-fetch \
+        -o gen-ts-api \
+        -c scripts/api-ts-config.yaml \
+        --additional-properties=npmVersion=$(poetry run python -m scripts.npm_version) \
+        --git-repo-id authentik \
+        --git-user-id goauthentik
+      mkdir -p web/node_modules/@goauthentik
+      mv gen-ts-api web/node_modules/@goauthentik/api
+
+      # gen-client-go
+      mkdir -p gen-go-api gen-go-api/templates
+      cp $clientGoSrc/config.yaml gen-go-api/
+      cp $clientGoSrc/templates/README.mustache gen-go-api/templates/
+      cp $clientGoSrc/templates/go.mod.mustache gen-go-api/templates/
+      chmod -R +w gen-go-api
+      sed -i 's,/local/,gen-go-api/,g' gen-go-api/config.yaml
+      openapi-generator-cli generate \
+        -i schema.yml \
+        -g go \
+        -o gen-go-api \
+        -c gen-go-api/config.yaml
+      go mod edit -replace goauthentik.io/api/v3=./gen-go-api
+      go get gopkg.in/validator.v2@v2.0.1
+      goimports -w gen-go-api
+      rm -rf gen-go-api/config.yaml gen-go-api/templates/
+
+      runHook postBuild
+    '';
+
+    installPhase = ''
+      runHook preInstall
+
+      rm local.env.yml
+
+      cp -R . $out
+      cp $src/lifecycle/ak $out/lifecycle/ak  # un-patchShebang
+
+      runHook postInstall
+    '';
+
+    dontFixup = true;  # FOD, no fixups please
   };
 
-  patches = [
-    (pkgs.fetchpatch {
-      url = "https://raw.githubusercontent.com/nix-community/authentik-nix/bfcad34becd76d148e1ad537b5dcbd58d858a5bb/components/authentik_media_tenant_files_migration.patch";
-      hash = "sha256-jahcyBFTo9vObTbxAKxQu+uHDNztjcvy5lv3tXs0yKQ=";
-    })
-    (pkgs.fetchpatch {
-      url = "https://raw.githubusercontent.com/nix-community/authentik-nix/bfcad34becd76d148e1ad537b5dcbd58d858a5bb/components/authentik_media_upload.patch";
-      hash = "sha256-eAbZ/UlImezLKcUC7jRPLKwLO9r4RoKSXrtU+scIMnE=";
-    })
-  ];
-  src = pkgs.runCommand "authentik-src" { inherit patches; src = rawSrc; } ''
-    cp -R $src $out
-    chmod -R u+w $out
-
-    pushd $out
-    for patch in $patches; do
-      patch -p1 < $patch
-    done
-    popd
-  '';
-
-  subargs = args // { inherit src version; };
+  subargs = args // { inherit src; version = "${version}-lukegb"; };
 in rec {
-  inherit src;
+  inherit rawSrc src;
   docs = import ./docs subargs;
   webui = import ./webui subargs;
   pythonapp = import ./pythonapp subargs;

nix/pkgs/authentik/docs/default.nix

@@ -1,4 +1,4 @@
-{ pkgs, src, version, ... }:
+{ pkgs, lib, src, version, ... }:
 
 pkgs.buildNpmPackage rec {
   pname = "authentik-docs";
@@ -6,9 +6,13 @@ pkgs.buildNpmPackage rec {
 
   sourceRoot = "${src.name}/website";
 
+  postPatch = ''
+    cp ${assert lib.assertMsg (version == "2025.2.1-lukegb") "version has changed (now ${version}); update or remove docs/package-lock.json"; ./package-lock.json} package-lock.json
+  '';
+
   nodejs = pkgs.nodejs_22;
 
-  npmDepsHash = "sha256-ObPoXg6sbA7bfT/QQZAZ3Ty1KV5C+QBx95N2Rrwqzow=";
+  npmDepsHash = "sha256-yTnliQVxxK8fPwXvsOFiMwBNxZoQinybZ2ia9yzTuPM=";
   npmRebuildFlags = "--ignore-scripts";
 
   dontNpmInstall = true;

nix/pkgs/authentik/goserver/default.nix

@@ -4,6 +4,28 @@ pkgs.buildGoModule {
   pname = "authentik-server";
   inherit src version;
 
-  vendorHash = "sha256-XY8if9Cw7OFq2k/h0jtqfEDvdzrsjgQhK1DmdPnldUk=";
+  vendorHash = "sha256-TsXVpB0azs0MusWhIlvKZWP6z/MEadop8FmsFZsWMhY=";
   subPackages = "cmd/server";
+
+  postPatch = ''
+    substituteInPlace internal/outpost/ak/crypto.go \
+      --replace-fail 'api.CryptoApiService' 'api.CryptoAPIService'
+
+    substituteInPlace internal/outpost/ak/api.go \
+      --replace-fail 'OutpostsApi' 'OutpostsAPI' \
+      --replace-fail 'RootApi' 'RootAPI'
+
+    substituteInPlace internal/web/brand_tls/brand_tls.go \
+      --replace-fail 'CryptoApi' 'CryptoAPI' \
+      --replace-fail 'CoreApi' 'CoreAPI'
+
+    substituteInPlace internal/outpost/proxyv2/application/mode_common.go \
+      --replace-fail 'EventsApi' 'EventsAPI'
+
+    substituteInPlace internal/outpost/proxyv2/proxyv2.go \
+      --replace-fail 'CryptoApi' 'CryptoAPI'
+
+    substituteInPlace internal/outpost/proxyv2/refresh.go \
+      --replace-fail 'OutpostsApi' 'OutpostsAPI'
+  '';
 }

nix/pkgs/authentik/webui/default.nix

@@ -9,7 +9,7 @@ pkgs.buildNpmPackage {
   nodejs = pkgs.nodejs_20;
 
   nativeBuildInputs = [ pkgs.python3 ];
-  npmDepsHash = "sha256-MUKGwXYXtN4uwFmwQUh8/PwaNQtXnR47KmDU4brnWOQ=";
+  npmDepsHash = "sha256-uVur1DyXaIGPny7u/JQyx9HQ7VJqeSi2pPSORZgLjEw=";
   npmRebuildFlags = "--ignore-scripts";
 
   dontNpmInstall = true;