blumeops/containers/authentik/webui-deps.nix

# Fixed-output derivation for authentik web UI npm dependencies
#
# Runs `npm ci` in the web/ directory to fetch all Node.js dependencies.
# This is a FOD (fixed-output derivation) so it has network access during build
# but the output hash must match exactly.
#
# The output hash is platform-specific because npm downloads platform-specific
# native binaries for esbuild, rollup, and SWC.
#
# Workspace packages (under web/packages/*) have their own node_modules,
# so we collect all node_modules directories via find.
#
# Output: all node_modules directories from the web/ tree
{ pkgs ? import <nixpkgs> { }, sources ? import ./sources.nix { inherit pkgs; } }:

pkgs.stdenvNoCC.mkDerivation {
  pname = "authentik-webui-deps";
  inherit (sources) version src meta;

  sourceRoot = "${sources.src.name}/web";

  outputHash =
    {
      "x86_64-linux" = "sha256-+4cWvFuixCcO7P+z701/0H+Ah/Z5sbLNsdx2Uowqwf4=";
    }
    .${pkgs.stdenvNoCC.hostPlatform.system}
      or (throw "authentik-webui-deps: unsupported host platform ${pkgs.stdenvNoCC.hostPlatform.system}");
  outputHashMode = "recursive";

  nativeBuildInputs = with pkgs; [
    nodejs_24
    cacert
  ];

  buildPhase = ''
    npm ci --cache ./cache --ignore-scripts
    rm -r ./cache node_modules/.package-lock.json
  '';

  # Workspace packages install dependencies into separate node_modules
  # directories with symlinks between them — copy all of them
  installPhase = ''
    mkdir $out
    find -type d -name node_modules -prune -print \
      -exec mkdir -p $out/{} \; \
      -exec cp -rT {} $out/{} \;
  '';

  dontCheckForBrokenSymlinks = true;
  dontPatchShebangs = true;
}
C2: Build authentik from source (Mikado chain) (#274) ## Mikado Chain: build-authentik-from-source Replace `pkgs.authentik` from nixpkgs with a custom Nix derivation built from source. This removes the dependency on the nixpkgs packaging timeline and gives full version control. Target version: 2025.12.4 (nixpkgs reference, upgrading from deployed 2025.10.1). ### Dependency Graph ``` build-authentik-from-source (goal) ├── authentik-go-server-derivation │ ├── authentik-api-client-generation ← IN PROGRESS │ └── authentik-python-backend-derivation ├── authentik-web-ui-derivation │ └── authentik-api-client-generation ← IN PROGRESS └── authentik-python-backend-derivation ``` ### Ready Leaves - `authentik-api-client-generation` — Go + TypeScript client generation from OpenAPI schema - `authentik-python-backend-derivation` — Django backend with 60+ deps, 4 in-tree packages ### Architecture Ported from [nixpkgs `pkgs/by-name/au/authentik/package.nix`](https://github.com/NixOS/nixpkgs/tree/master/pkgs/by-name/au/authentik): - `source.nix` — shared version/source fetch - `client-go.nix` — Go API client generation - `client-ts.nix` — TypeScript API client generation - `api-go-vendor-hook.nix` — Go vendor directory injection hook - (more components to follow as leaves are closed) ### Related Cards - [[build-authentik-from-source]] — Goal card - [[authentik-api-client-generation]] - [[authentik-python-backend-derivation]] - [[authentik-web-ui-derivation]] - [[authentik-go-server-derivation]] Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/274 2026-03-01 13:45:00 -08:00			`# Fixed-output derivation for authentik web UI npm dependencies`
			`#`
			# Runs `npm ci` in the web/ directory to fetch all Node.js dependencies.
			`# This is a FOD (fixed-output derivation) so it has network access during build`
			`# but the output hash must match exactly.`
			`#`
			`# The output hash is platform-specific because npm downloads platform-specific`
			`# native binaries for esbuild, rollup, and SWC.`
			`#`
			`# Workspace packages (under web/packages/*) have their own node_modules,`
			`# so we collect all node_modules directories via find.`
			`#`
			`# Output: all node_modules directories from the web/ tree`
			`{ pkgs ? import <nixpkgs> { }, sources ? import ./sources.nix { inherit pkgs; } }:`

			`pkgs.stdenvNoCC.mkDerivation {`
			`pname = "authentik-webui-deps";`
			`inherit (sources) version src meta;`

			`sourceRoot = "${sources.src.name}/web";`

			`outputHash =`
			`{`
			`"x86_64-linux" = "sha256-+4cWvFuixCcO7P+z701/0H+Ah/Z5sbLNsdx2Uowqwf4=";`
			`}`
			`.${pkgs.stdenvNoCC.hostPlatform.system}`
			`or (throw "authentik-webui-deps: unsupported host platform ${pkgs.stdenvNoCC.hostPlatform.system}");`
			`outputHashMode = "recursive";`

			`nativeBuildInputs = with pkgs; [`
			`nodejs_24`
			`cacert`
			`];`

			`buildPhase = ''`
			`npm ci --cache ./cache --ignore-scripts`
			`rm -r ./cache node_modules/.package-lock.json`
			`'';`

			`# Workspace packages install dependencies into separate node_modules`
			`# directories with symlinks between them — copy all of them`
			`installPhase = ''`
			`mkdir $out`
			`find -type d -name node_modules -prune -print \`
			`-exec mkdir -p $out/{} \; \`
			`-exec cp -rT {} $out/{} \;`
			`'';`

			`dontCheckForBrokenSymlinks = true;`
			`dontPatchShebangs = true;`
			`}`