C2(authentik-source-build): impl add API client generation derivations

Add Nix derivations for generating Go and TypeScript API client bindings from authentik's OpenAPI schema: - source.nix: shared version (2025.12.4) and source fetch - client-go.nix: Go client from goauthentik/client-go repo - client-ts.nix: TypeScript fetch client from main schema.yml - api-go-vendor-hook.nix: setup hook to inject Go client into vendor dir - client-go-config.patch: OpenAPI generator config fix Ported from nixpkgs pkgs/by-name/au/authentik/package.nix. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-28 09:06:01 -08:00 · 2026-02-28 09:06:01 -08:00 · 8920b87bdd
commit 8920b87bdd
parent 0aaf9bb8b2
5 changed files with 169 additions and 0 deletions
--- a/containers/authentik/api-go-vendor-hook.nix
+++ b/containers/authentik/api-go-vendor-hook.nix
@ -0,0 +1,29 @@
+# Setup hook that injects generated Go API client into the vendor directory.
+# Skips itself during fixed-output derivation (FOD) builds so the vendorHash
+# only depends on go.sum, not on the generated client content.
+{
+  makeSetupHook,
+  writeShellScript,
+  client-go,
+}:
+
+makeSetupHook
+  {
+    name = "authentik-api-go-vendor-hook";
+  }
+  (
+    writeShellScript "authentik-api-go-vendor-hook" ''
+      authentikApiGoVendorHook() {
+        chmod -R +w vendor/goauthentik.io/api
+        rm -rf vendor/goauthentik.io/api/v3
+        cp -r ${client-go} vendor/goauthentik.io/api/v3
+
+        echo "Finished authentikApiGoVendorHook"
+      }
+
+      # don't run for FOD, e.g. the goModules build
+      if [ -z ''${outputHash-} ]; then
+        postConfigureHooks+=(authentikApiGoVendorHook)
+      fi
+    ''
+  )
--- a/containers/authentik/client-go-config.patch
+++ b/containers/authentik/client-go-config.patch
@ -0,0 +1,9 @@
+diff --git a/config.yaml b/config.yaml
+index 2f07ea7..0f90432 100644
+--- a/config.yaml
+++ b/config.yaml
+@@ -4,3 +4,4 @@ additionalProperties:
+   packageName: api
+   enumClassPrefix: true
+   useOneOfDiscriminatorLookup: true
+  disallowAdditionalPropertiesIfNotPresent: false
--- a/containers/authentik/client-go.nix
+++ b/containers/authentik/client-go.nix
@ -0,0 +1,64 @@
+# Generate Go API client bindings from authentik's OpenAPI schema.
+# Fetches goauthentik/client-go (which has schema.yml + config.yaml + go.mod/go.sum),
+# then runs openapi-generator-cli to produce Go code.
+# Output is injected into the Go server's vendor directory via apiGoVendorHook.
+{
+  stdenvNoCC,
+  fetchFromGitHub,
+  openapi-generator-cli,
+  go,
+  version,
+  meta,
+}:
+
+stdenvNoCC.mkDerivation {
+  pname = "authentik-client-go";
+  version = "3.${version}";
+  inherit meta;
+
+  src = fetchFromGitHub {
+    owner = "goauthentik";
+    repo = "client-go";
+    tag = "v3.${version}";
+    hash = "sha256-+/CfOE2HkBU+ZddvdXGenB/z8xNFk8cujpZpMXyh3cY=";
+  };
+
+  patches = [
+    ./client-go-config.patch
+  ];
+
+  postPatch = ''
+    substituteInPlace ./config.yaml \
+      --replace-fail '/local' "$(pwd)"
+  '';
+
+  nativeBuildInputs = [
+    openapi-generator-cli
+    go
+  ];
+
+  buildPhase = ''
+    runHook preBuild
+
+    openapi-generator-cli generate \
+      -i ./schema.yml -o $out \
+      -g go \
+      -c ./config.yaml
+
+    gofmt -w $out
+
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    cp go.mod go.sum $out
+
+    cd $out
+    rm -rf test
+    rm -f .travis.yml git_push.sh
+
+    runHook postInstall
+  '';
+}
--- a/containers/authentik/client-ts.nix
+++ b/containers/authentik/client-ts.nix
@ -0,0 +1,44 @@
+# Generate TypeScript fetch API client bindings from authentik's OpenAPI schema.
+# Uses the main authentik source (schema.yml + scripts/api/ts-config.yaml).
+# Output is patched into the web UI's node_modules/@goauthentik/api/.
+{
+  stdenvNoCC,
+  nodejs_24,
+  openapi-generator-cli,
+  typescript,
+  version,
+  src,
+  meta,
+}:
+
+stdenvNoCC.mkDerivation {
+  pname = "authentik-client-ts";
+  inherit version src meta;
+
+  postPatch = ''
+    substituteInPlace ./scripts/api/ts-config.yaml \
+      --replace-fail '/local' "$(pwd)"
+  '';
+
+  nativeBuildInputs = [
+    nodejs_24
+    openapi-generator-cli
+    typescript
+  ];
+
+  buildPhase = ''
+    runHook preBuild
+
+    openapi-generator-cli generate \
+      -i ./schema.yml -o $out \
+      -g typescript-fetch \
+      -c ./scripts/api/ts-config.yaml \
+      --additional-properties=npmVersion=${version} \
+      --git-repo-id authentik --git-user-id goauthentik
+
+    cd $out
+    npm run build
+
+    runHook postBuild
+  '';
+}
--- a/containers/authentik/source.nix
+++ b/containers/authentik/source.nix
@ -0,0 +1,23 @@
+# Shared source and version for all authentik build components.
+# Target version: 2025.12.4 (matching nixpkgs reference derivation).
+# Forge mirror: https://forge.ops.eblu.me/mirrors/authentik
+{ fetchFromGitHub }:
+
+let
+  version = "2025.12.4";
+in
+{
+  inherit version;
+
+  src = fetchFromGitHub {
+    owner = "goauthentik";
+    repo = "authentik";
+    tag = "version/${version}";
+    hash = "sha256-alTyrMBbjZbw4jhEna8saabf93sqSrZCu+Z5xH3pZ7M=";
+  };
+
+  meta = {
+    description = "Authentication glue you need";
+    homepage = "https://goauthentik.io/";
+  };
+}