From 8920b87bdd8815aea9b30cb2f654574334be407e Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Sat, 28 Feb 2026 09:06:01 -0800 Subject: [PATCH] C2(authentik-source-build): impl add API client generation derivations Add Nix derivations for generating Go and TypeScript API client bindings from authentik's OpenAPI schema: - source.nix: shared version (2025.12.4) and source fetch - client-go.nix: Go client from goauthentik/client-go repo - client-ts.nix: TypeScript fetch client from main schema.yml - api-go-vendor-hook.nix: setup hook to inject Go client into vendor dir - client-go-config.patch: OpenAPI generator config fix Ported from nixpkgs pkgs/by-name/au/authentik/package.nix. Co-Authored-By: Claude Opus 4.6 --- containers/authentik/api-go-vendor-hook.nix | 29 ++++++++++ containers/authentik/client-go-config.patch | 9 +++ containers/authentik/client-go.nix | 64 +++++++++++++++++++++ containers/authentik/client-ts.nix | 44 ++++++++++++++ containers/authentik/source.nix | 23 ++++++++ 5 files changed, 169 insertions(+) create mode 100644 containers/authentik/api-go-vendor-hook.nix create mode 100644 containers/authentik/client-go-config.patch create mode 100644 containers/authentik/client-go.nix create mode 100644 containers/authentik/client-ts.nix create mode 100644 containers/authentik/source.nix
diff --git a/containers/authentik/api-go-vendor-hook.nix b/containers/authentik/api-go-vendor-hook.nix
new file mode 100644
index 0000000..2ef7369
--- /dev/null
+++ b/containers/authentik/api-go-vendor-hook.nix
@@ -0,0 +1,29 @@
+# Setup hook that injects generated Go API client into the vendor directory.
+# Skips itself during fixed-output derivation (FOD) builds so the vendorHash
+# only depends on go.sum, not on the generated client content.
+{
+ makeSetupHook,
+ writeShellScript,
+ client-go,
+}:
+
+makeSetupHook
+ {
+ name = "authentik-api-go-vendor-hook";
+ }
+ (
+ writeShellScript "authentik-api-go-vendor-hook" ''
+ authentikApiGoVendorHook() {
+ chmod -R +w vendor/goauthentik.io/api
+ rm -rf vendor/goauthentik.io/api/v3
+ cp -r ${client-go} vendor/goauthentik.io/api/v3
+
+ echo "Finished authentikApiGoVendorHook"
+ }
+
+ # don't run for FOD, e.g. the goModules build
+ if [ -z ''${outputHash-} ]; then
+ postConfigureHooks+=(authentikApiGoVendorHook)
+ fi
+ ''
+ )
diff --git a/containers/authentik/client-go-config.patch b/containers/authentik/client-go-config.patch
new file mode 100644
index 0000000..8398b16
--- /dev/null
+++ b/containers/authentik/client-go-config.patch
@@ -0,0 +1,9 @@
+diff --git a/config.yaml b/config.yaml
+index 2f07ea7..0f90432 100644
+--- a/config.yaml
++++ b/config.yaml
+@@ -4,3 +4,4 @@ additionalProperties:
+ packageName: api
+ enumClassPrefix: true
+ useOneOfDiscriminatorLookup: true
++ disallowAdditionalPropertiesIfNotPresent: false
diff --git a/containers/authentik/client-go.nix b/containers/authentik/client-go.nix
new file mode 100644
index 0000000..54dd08e
--- /dev/null
+++ b/containers/authentik/client-go.nix
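Review bot: In api-go-vendor-hook.nix the FOD guard `if [ -z ''${outputHash-} ]; then` leaves the expansion unquoted, so in a normal build it collapses to `[ -z ]` and is true only because test treats the lone `-z` as a non-empty string. Quote it so the check tests the variable itself: `if [ -z "''${outputHash-}" ]; then`. Separately, the tree copied over `vendor/goauthentik.io/api/v3` is by design not covered by vendorHash, so a one-line comment on the `cp -r` stating that its integrity comes from the client-go derivation's pinned source hash would help a later auditor.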
@@ -0,0 +1,64 @@
+# Generate Go API client bindings from authentik's OpenAPI schema.
+# Fetches goauthentik/client-go (which has schema.yml + config.yaml + go.mod/go.sum),
+# then runs openapi-generator-cli to produce Go code.
+# Output is injected into the Go server's vendor directory via apiGoVendorHook.
+{
+ stdenvNoCC,
+ fetchFromGitHub,
+ openapi-generator-cli,
+ go,
+ version,
+ meta,
+}:
+
+stdenvNoCC.mkDerivation {
+ pname = "authentik-client-go";
+ version = "3.${version}";
+ inherit meta;
+
+ src = fetchFromGitHub {
+ owner = "goauthentik";
+ repo = "client-go";
+ tag = "v3.${version}";
+ hash = "sha256-+/CfOE2HkBU+ZddvdXGenB/z8xNFk8cujpZpMXyh3cY=";
+ };
+
+ patches = [
+ ./client-go-config.patch
+ ];
+
+ postPatch = ''
+ substituteInPlace ./config.yaml \
+ --replace-fail '/local' "$(pwd)"
+ '';
+
+ nativeBuildInputs = [
+ openapi-generator-cli
+ go
+ ];
+
+ buildPhase = ''
+ runHook preBuild
+
+ openapi-generator-cli generate \
+ -i ./schema.yml -o $out \
+ -g go \
+ -c ./config.yaml
+
+ gofmt -w $out
+
+ runHook postBuild
+ '';
+
+ installPhase = ''
+ runHook preInstall
+
+ cp go.mod go.sum $out
+
+ cd $out
+ rm -rf test
+ rm -f .travis.yml git_push.sh
+
+ runHook postInstall
+ '';
+}
diff --git a/containers/authentik/client-ts.nix b/containers/authentik/client-ts.nix
new file mode 100644
index 0000000..249b7bf
--- /dev/null
+++ b/containers/authentik/client-ts.nix
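Review bot: The `hash` in the `fetchFromGitHub` call of client-go.nix is tied to `version`, which is defined in source.nix, and nothing on the new lines says the two must be bumped together. Because a fixed-output fetch is addressed by its hash, raising `version` while leaving this hash untouched can reuse an already-cached source tree instead of failing, so the generated client would silently stay at the old release under a new version label. I would add a comment above the hash such as `# bump together with version in source.nix; a stale hash can silently reuse the previously fetched source`, and the same reminder applies to the `hash` in source.nix. The unquoted `$out` uses in buildPhase and installPhase are harmless for store paths, but `"$out"` is the more defensive style.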
@@ -0,0 +1,44 @@
+# Generate TypeScript fetch API client bindings from authentik's OpenAPI schema.
+# Uses the main authentik source (schema.yml + scripts/api/ts-config.yaml).
+# Output is patched into the web UI's node_modules/@goauthentik/api/.
+{
+ stdenvNoCC,
+ nodejs_24,
+ openapi-generator-cli,
+ typescript,
+ version,
+ src,
+ meta,
+}:
+
+stdenvNoCC.mkDerivation {
+ pname = "authentik-client-ts";
+ inherit version src meta;
+
+ postPatch = ''
+ substituteInPlace ./scripts/api/ts-config.yaml \
+ --replace-fail '/local' "$(pwd)"
+ '';
+
+ nativeBuildInputs = [
+ nodejs_24
+ openapi-generator-cli
+ typescript
+ ];
+
+ buildPhase = ''
+ runHook preBuild
+
+ openapi-generator-cli generate \
+ -i ./schema.yml -o $out \
+ -g typescript-fetch \
+ -c ./scripts/api/ts-config.yaml \
+ --additional-properties=npmVersion=${version} \
+ --git-repo-id authentik --git-user-id goauthentik
+
+ cd $out
+ npm run build
+
+ runHook postBuild
+ '';
+}
diff --git a/containers/authentik/source.nix b/containers/authentik/source.nix
new file mode 100644
index 0000000..6a0ba73
--- /dev/null
+++ b/containers/authentik/source.nix
@@ -0,0 +1,23 @@
+# Shared source and version for all authentik build components.
+# Target version: 2025.12.4 (matching nixpkgs reference derivation).
+# Forge mirror: https://forge.ops.eblu.me/mirrors/authentik
+{ fetchFromGitHub }:
+
+let
+ version = "2025.12.4";
+in
+{
+ inherit version;
+
+ src = fetchFromGitHub {
+ owner = "goauthentik";
+ repo = "authentik";
+ tag = "version/${version}";
+ hash = "sha256-alTyrMBbjZbw4jhEna8saabf93sqSrZCu+Z5xH3pZ7M=";
+ };
+
+ meta = {
+ description = "Authentication glue you need";
+ homepage = "https://goauthentik.io/";
+ };
+}
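Review bot: In client-ts.nix the buildPhase runs `cd $out` before `npm run build` and never returns, so `runHook postBuild` and every later phase execute with the output directory as their working directory. Confining the directory change to a subshell keeps the rest of the build in the source tree: `(cd "$out" && npm run build)`. It may also be worth confirming that npm does not need a writable HOME here, since the derivation sets none; if it does, `export HOME="$TMPDIR"` before the call is the usual remedy.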