C2(authentik-source-build): plan add mirror-authentik-build-deps prerequisite

Discovered during implementation: the build-from-source derivations need to fetch from forge mirrors for supply chain control, but client-go and django-rest-framework repos aren't mirrored yet. Also corrects target version to 2026.2.0 (latest stable) — the whole point of building from source is to escape nixpkgs lag. Changes: - New card: mirror-authentik-build-deps - authentik-api-client-generation now requires mirror-authentik-build-deps - authentik-python-backend-derivation now requires mirror-authentik-build-deps - Goal card updated with 2026.2.0 target version Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-28 09:33:30 -08:00 · 2026-02-28 09:33:30 -08:00 · 2495ad01c6
commit 2495ad01c6
parent 0aaf9bb8b2
5 changed files with 77 additions and 3 deletions
--- a/docs/how-to/authentik/authentik-api-client-generation.md
+++ b/docs/how-to/authentik/authentik-api-client-generation.md
@ -2,6 +2,8 @@
 title: Generate Authentik API Clients
 modified: 2026-02-28
 status: active
+requires:
+  - mirror-authentik-build-deps
 tags:
  - how-to
  - authentik
--- a/docs/how-to/authentik/authentik-python-backend-derivation.md
+++ b/docs/how-to/authentik/authentik-python-backend-derivation.md
@ -2,6 +2,8 @@
 title: Build Authentik Python Backend
 modified: 2026-02-28
 status: active
+requires:
+  - mirror-authentik-build-deps
 tags:
  - how-to
  - authentik
--- a/docs/how-to/authentik/build-authentik-from-source.md
+++ b/docs/how-to/authentik/build-authentik-from-source.md
@ -19,7 +19,9 @@ Replace `pkgs.authentik` from nixpkgs with a custom Nix derivation that builds a

 ## Motivation

-The nix-container-builder runner on ringtail resolves `nixpkgs` via the NixOS nix registry, which pins to `nixos-25.11`. That channel lags behind upstream authentik releases — e.g. nixos-25.11 has 2025.10.1 while upstream is at 2025.12.4+. Building from source lets us target any release.
+The nix-container-builder runner on ringtail resolves `nixpkgs` via the NixOS nix registry, which pins to `nixos-25.11`. That channel lags behind upstream authentik releases — e.g. nixos-25.11 has 2025.10.1 while upstream is at 2026.2.0. Building from source lets us target any release.
+
+Target version: **2026.2.0** (latest stable, released 2026-02-24). Notable changes from the nixpkgs reference (2025.12.4): requires Python 3.14, Go 1.25.5.

 This also serves as practice for packaging services from source using Nix, relying on nixpkgs only for satellite dependencies (Python interpreter, Node.js, Go toolchain, system libraries).

@ -36,9 +38,35 @@ The final package is the `ak` bash wrapper that orchestrates Go server + Python

 ## Source

-Forge mirror: https://forge.ops.eblu.me/mirrors/authentik (upstream: `goauthentik/authentik`)
+Forge mirrors (all derivations should fetch from forge, not GitHub):
+- https://forge.ops.eblu.me/mirrors/authentik (upstream: `goauthentik/authentik`)
+- https://forge.ops.eblu.me/mirrors/authentik-client-go (upstream: `goauthentik/client-go`) — pending [[mirror-authentik-build-deps]]
+- https://forge.ops.eblu.me/mirrors/authentik-django-rest-framework (upstream: `authentik-community/django-rest-framework`) — pending [[mirror-authentik-build-deps]]

-Reference derivation: [nixpkgs `pkgs/by-name/au/authentik/package.nix`](https://github.com/NixOS/nixpkgs/tree/master/pkgs/by-name/au/authentik)
+Reference derivation: [nixpkgs `pkgs/by-name/au/authentik/package.nix`](https://github.com/NixOS/nixpkgs/tree/master/pkgs/by-name/au/authentik) — targets 2025.12.4, we are porting to 2026.2.0 so hashes and some deps will differ.
+
+## Testing
+
+Nix derivations target `x86_64-linux` and can't be built on macOS. Test incrementally on ringtail:
+
+```fish
+# Copy derivation files to a temp dir on ringtail
+set tmpdir (ssh ringtail 'mktemp -d /tmp/authentik-test.XXXXXX')
+scp containers/authentik/*.nix containers/authentik/*.patch ringtail:$tmpdir/
+
+# Write a test-build.nix that instantiates components, then:
+ssh ringtail "cd $tmpdir && nix-build test-build.nix -A <component> --extra-experimental-features 'nix-command flakes'"
+
+# Clean up
+ssh ringtail "rm -rf $tmpdir"
+```
+
+Use `builtins.getFlake "nixpkgs"` instead of `<nixpkgs>` (ringtail uses flakes, no NIX_PATH).
+
+Prefetch hashes for `fetchgit` sources:
+```fish
+ssh ringtail 'nix shell nixpkgs#nix-prefetch-git --extra-experimental-features "nix-command flakes" -c nix-prefetch-git --url <url> --rev <tag> --quiet'
+```

 ## What to Do

--- a/docs/how-to/authentik/mirror-authentik-build-deps.md
+++ b/docs/how-to/authentik/mirror-authentik-build-deps.md
@ -0,0 +1,41 @@
+---
+title: Mirror Authentik Build Dependencies
+modified: 2026-02-28
+status: active
+tags:
+  - how-to
+  - authentik
+---
+
+# Mirror Authentik Build Dependencies
+
+Mirror the external repositories needed to build authentik from source onto the forge, ensuring full supply chain control.
+
+## Context
+
+Building authentik from source requires fetching code from three GitHub repositories. The main `goauthentik/authentik` repo is already mirrored, but two companion repos are not:
+
+- **`goauthentik/client-go`** — Go API client bindings, versioned in lockstep with authentik (e.g. `v3.2026.2.0` matches `version/2026.2.0`). Used by the Go server build.
+- **`authentik-community/django-rest-framework`** — Fork of DRF pinned to a specific commit. Authentik's Python backend requires this custom version. The upstream org name (`authentik-community`) differs from the main repo org (`goauthentik`), so the mirror name must be explicit.
+
+## What to Do
+
+1. Mirror `goauthentik/client-go`:
+   ```fish
+   mise run mirror-create https://github.com/goauthentik/client-go.git \
+     --name authentik-client-go \
+     --description "Go API client for authentik (lockstep versioned)"
+   ```
+2. Mirror `authentik-community/django-rest-framework`:
+   ```fish
+   mise run mirror-create https://github.com/authentik-community/django-rest-framework.git \
+     --name authentik-django-rest-framework \
+     --description "Authentik fork of Django REST Framework"
+   ```
+3. Verify both mirrors sync: check tags appear on forge
+
+## Related
+
+- [[build-authentik-from-source]] — Parent goal
+- [[authentik-api-client-generation]] — Consumes client-go mirror
+- [[authentik-python-backend-derivation]] — Consumes django-rest-framework mirror
--- a/docs/how-to/how-to.md
+++ b/docs/how-to/how-to.md
@ -101,6 +101,7 @@ Mikado chain for deploying Authentik. Track progress with `mise run docs-mikado
 Mikado chain for building Authentik from a custom Nix derivation (from source). Track progress with `mise run docs-mikado build-authentik-from-source`.

 - [[build-authentik-from-source]]
+- [[mirror-authentik-build-deps]]
 - [[authentik-api-client-generation]]
 - [[authentik-python-backend-derivation]]
 - [[authentik-web-ui-derivation]]