From 2ac353b7bff03e40a1be30bc630997b2fb524f2c Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Sun, 1 Mar 2026 15:48:05 -0800
Subject: [PATCH] Fix authentik container: create /tmp for unprivileged user

buildLayeredImage doesn't create /tmp by default. The container runs as user 65534 (nobody) which can't mkdir /tmp at runtime.

Co-Authored-By: Claude Opus 4.6
---
 containers/authentik/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/containers/authentik/default.nix b/containers/authentik/default.nix
index 8c34cb9..e1d2773 100644
--- a/containers/authentik/default.nix
+++ b/containers/authentik/default.nix
@@ -57,8 +57,8 @@ pkgs.dockerTools.buildLayeredImage {
 # authentik-django hardcodes blueprints_dir to $out/blueprints; the AUTHENTIK_BLUEPRINTS_DIR
 # env var overrides it to /blueprints, where custom blueprints are mounted by k8s ConfigMap.
 extraCommands = ''
- mkdir -p blueprints
- chmod 777 blueprints
+ mkdir -p blueprints tmp
+ chmod 777 blueprints tmp
 '';
 config = {
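Review bot: `chmod 777 blueprints tmp` in `extraCommands` creates /tmp world-writable without the sticky bit, so any other uid that ever runs in this image (a debug shell, a changed `User`, a shared volume) can delete or replace temp files the authentik process created. The conventional mode for /tmp is 1777; I would split the line into `chmod 777 blueprints` and `chmod 1777 tmp`, and extend the comment above with something like `# /tmp must exist in the image because uid 65534 cannot create it at runtime`. Whether 777 on blueprints is still needed when the ConfigMap is mounted over it is worth confirming separately, since that mode predates this commit. The `buildLayeredImage` call starts and ends outside the hunk, so any `User` setting in `config` is not visible here.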