diff --git a/docs/how-to/authentik/authentik-api-client-generation.md b/docs/how-to/authentik/authentik-api-client-generation.md index 1624f72..933ffe9 100644 --- a/docs/how-to/authentik/authentik-api-client-generation.md +++ b/docs/how-to/authentik/authentik-api-client-generation.md @@ -2,6 +2,8 @@ title: Generate Authentik API Clients modified: 2026-02-28 status: active +requires: + - mirror-authentik-build-deps tags: - how-to - authentik diff --git a/docs/how-to/authentik/authentik-python-backend-derivation.md b/docs/how-to/authentik/authentik-python-backend-derivation.md index 5df7365..a1e6546 100644 --- a/docs/how-to/authentik/authentik-python-backend-derivation.md +++ b/docs/how-to/authentik/authentik-python-backend-derivation.md @@ -2,6 +2,8 @@ title: Build Authentik Python Backend modified: 2026-02-28 status: active +requires: + - mirror-authentik-build-deps tags: - how-to - authentik diff --git a/docs/how-to/authentik/build-authentik-from-source.md b/docs/how-to/authentik/build-authentik-from-source.md index f0c1cee..8a263c2 100644 --- a/docs/how-to/authentik/build-authentik-from-source.md +++ b/docs/how-to/authentik/build-authentik-from-source.md 
@@ -19,7 +19,9 @@ Replace `pkgs.authentik` from nixpkgs with a custom Nix derivation that builds a ## Motivation -The nix-container-builder runner on ringtail resolves `nixpkgs` via the NixOS nix registry, which pins to `nixos-25.11`. That channel lags behind upstream authentik releases — e.g. nixos-25.11 has 2025.10.1 while upstream is at 2025.12.4+. Building from source lets us target any release. +The nix-container-builder runner on ringtail resolves `nixpkgs` via the NixOS nix registry, which pins to `nixos-25.11`. That channel lags behind upstream authentik releases — e.g. nixos-25.11 has 2025.10.1 while upstream is at 2026.2.0. Building from source lets us target any release. + +Target version: **2026.2.0** (latest stable, released 2026-02-24). Notable changes from the nixpkgs reference (2025.12.4): requires Python 3.14, Go 1.25.5. This also serves as practice for packaging services from source using Nix, relying on nixpkgs only for satellite dependencies (Python interpreter, Node.js, Go toolchain, system libraries). 
@@ -36,9 +38,35 @@ The final package is the `ak` bash wrapper that orchestrates Go server + Python ## Source -Forge mirror: https://forge.ops.eblu.me/mirrors/authentik (upstream: `goauthentik/authentik`) +Forge mirrors (all derivations should fetch from forge, not GitHub): +- https://forge.ops.eblu.me/mirrors/authentik (upstream: `goauthentik/authentik`) +- https://forge.ops.eblu.me/mirrors/authentik-client-go (upstream: `goauthentik/client-go`) — pending [[mirror-authentik-build-deps]] +- https://forge.ops.eblu.me/mirrors/authentik-django-rest-framework (upstream: `authentik-community/django-rest-framework`) — pending [[mirror-authentik-build-deps]] -Reference derivation: [nixpkgs `pkgs/by-name/au/authentik/package.nix`](https://github.com/NixOS/nixpkgs/tree/master/pkgs/by-name/au/authentik) +Reference derivation: [nixpkgs `pkgs/by-name/au/authentik/package.nix`](https://github.com/NixOS/nixpkgs/tree/master/pkgs/by-name/au/authentik) — targets 2025.12.4, we are porting to 2026.2.0 so hashes and some deps will differ. + +## Testing + +Nix derivations target `x86_64-linux` and can't be built on macOS. Test incrementally on ringtail: + +```fish +# Copy derivation files to a temp dir on ringtail +set tmpdir (ssh ringtail 'mktemp -d /tmp/authentik-test.XXXXXX') +scp containers/authentik/*.nix containers/authentik/*.patch ringtail:$tmpdir/ + +# Write a test-build.nix that instantiates components, then: +ssh ringtail "cd $tmpdir && nix-build test-build.nix -A --extra-experimental-features 'nix-command flakes'" + +# Clean up +ssh ringtail "rm -rf $tmpdir" +``` + +Use `builtins.getFlake "nixpkgs"` instead of `` (ringtail uses flakes, no NIX_PATH). + +Prefetch hashes for `fetchgit` sources: +```fish +ssh ringtail 'nix shell nixpkgs#nix-prefetch-git --extra-experimental-features "nix-command flakes" -c nix-prefetch-git --url --rev --quiet' +``` ## What to Do 
diff --git a/docs/how-to/authentik/mirror-authentik-build-deps.md b/docs/how-to/authentik/mirror-authentik-build-deps.md new file mode 100644 index 0000000..c45fbfc --- /dev/null +++ b/docs/how-to/authentik/mirror-authentik-build-deps.md @@ -0,0 +1,41 @@ +--- +title: Mirror Authentik Build Dependencies +modified: 2026-02-28 +status: active +tags: + - how-to + - authentik +--- + +# Mirror Authentik Build Dependencies + +Mirror the external repositories needed to build authentik from source onto the forge, ensuring full supply chain control. + +## Context + +Building authentik from source requires fetching code from three GitHub repositories. The main `goauthentik/authentik` repo is already mirrored, but two companion repos are not: + +- **`goauthentik/client-go`** — Go API client bindings, versioned in lockstep with authentik (e.g. `v3.2026.2.0` matches `version/2026.2.0`). Used by the Go server build. +- **`authentik-community/django-rest-framework`** — Fork of DRF pinned to a specific commit. Authentik's Python backend requires this custom version. The upstream org name (`authentik-community`) differs from the main repo org (`goauthentik`), so the mirror name must be explicit. + +## What to Do + +1. Mirror `goauthentik/client-go`: + ```fish + mise run mirror-create https://github.com/goauthentik/client-go.git \ + --name authentik-client-go \ + --description "Go API client for authentik (lockstep versioned)" + ``` +2. Mirror `authentik-community/django-rest-framework`: + ```fish + mise run mirror-create https://github.com/authentik-community/django-rest-framework.git \ + --name authentik-django-rest-framework \ + --description "Authentik fork of Django REST Framework" + ``` +3. Verify both mirrors sync: check tags appear on forge + +## Related + +- [[build-authentik-from-source]] — Parent goal +- [[authentik-api-client-generation]] — Consumes client-go mirror +- [[authentik-python-backend-derivation]] — Consumes django-rest-framework mirror 
diff --git a/docs/how-to/how-to.md b/docs/how-to/how-to.md index 33a9b89..2a80d7d 100644 --- a/docs/how-to/how-to.md +++ b/docs/how-to/how-to.md @@ -101,6 +101,7 @@ Mikado chain for deploying Authentik. Track progress with `mise run docs-mikado Mikado chain for building Authentik from a custom Nix derivation (from source). Track progress with `mise run docs-mikado build-authentik-from-source`. - [[build-authentik-from-source]] +- [[mirror-authentik-build-deps]] - [[authentik-api-client-generation]] - [[authentik-python-backend-derivation]] - [[authentik-web-ui-derivation]]
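Review bot: in the Motivation hunk of `build-authentik-from-source.md`, the new "Target version" paragraph says 2026.2.0 requires Python 3.14 and Go 1.25.5, but the doc never says whether the `nixos-25.11` pin described just above provides those versions. The following paragraph still relies on nixpkgs for the Python interpreter and Go toolchain, so suggest stating which nixpkgs input the derivations take those from, or listing it as an open prerequisite. The same paragraph calls 2025.12.4 "the nixpkgs reference" while the sentence before it says nixos-25.11 has 2025.10.1; say explicitly that the reference is the `master` tree linked under Source.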
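Review bot: in the Testing section added to `build-authentik-from-source.md`, the commands are missing their arguments as shown. `nix-build test-build.nix -A` is followed directly by `--extra-experimental-features`, `nix-prefetch-git --url --rev --quiet` carries no URL or revision, and the sentence "instead of ``" has empty backticks. If these were angle-bracket placeholders, write them in a form that survives rendering, such as `-A ATTR` and `--url URL --rev REV`. When documenting `--rev`, recommend a full commit id rather than a tag name, so the prefetched hash corresponds to a revision someone has checked against upstream. Separately, `$tmpdir` is expanded locally in the `scp` and `ssh` lines, so if the `mktemp` call fails the copy target becomes `ringtail:/`; add a check that the variable is non-empty before the `scp`.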
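Review bot: in the new `mirror-authentik-build-deps.md`, step 3 ("check tags appear on forge") does not cover the django-rest-framework fork, which the Context section says is pinned to a specific commit, and the presence of tag names alone does not show that the mirror's refs match upstream. Suggest recording the pinned commit id in this doc and changing the step to compare commit ids for the needed refs between the GitHub URL and the forge URL, for example with `git ls-remote` against both, including `v3.2026.2.0` for client-go. That comparison is also what backs the "full supply chain control" claim in the opening sentence, since the mirrors still sync from GitHub.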