C2(authentik-source-build): impl complete Python backend derivation

Replace static refTargets list with dynamic store-path discovery in
python-deps.nix FOD. Add real output hashes for both python-deps and
opencontainers fetchFromGitHub. Add test-build.nix harness for ringtail.

Both python-deps FOD and authentik-django build successfully on ringtail.
autoPatchelfHook resolves all .so dependencies with 0 unsatisfied.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

containers/authentik/authentik-django.nix

@@ -25,7 +25,7 @@ let
     owner = "vsoch";
     repo = "oci-python";
     rev = "ceb4fcc090851717a3069d78e85ceb1e86c2740c";
-    hash = pkgs.lib.fakeHash;
+    hash = "sha256-Q6SJed0K6eIrqQ9mNAD4RGx+YCJvnI5E+0KGp5fBtTU=";
   };
 
   sp = "$out/lib/python3.14/site-packages";

containers/authentik/python-deps.nix

@@ -14,39 +14,6 @@
 # get the correct hash from the error message, then update.
 { pkgs ? import <nixpkgs> { }, sources ? import ./sources.nix { inherit pkgs; } }:
 
-let
-  # All store paths that may end up referenced in the venv output.
-  # remove-references-to will replace each hash with 'eeee...' bytes.
-  refTargets = with pkgs; [
-    python314
-    stdenv.cc.cc.lib
-    libxml2.out
-    libxml2.dev
-    libxslt.out
-    libxslt.dev
-    xmlsec.out
-    openssl.out
-    openssl.dev
-    libpq.out
-    libpq.dev
-    krb5.out
-    krb5.dev
-    krb5.lib
-    libtool.out
-    libtool.lib
-    libffi.out
-    libffi.dev
-    zlib.out
-    zlib.dev
-    readline.out
-    ncurses.out
-    glibc.out
-  ];
-
-  removeRefsArgs = builtins.concatStringsSep " "
-    (map (t: "-t ${t}") refTargets);
-in
-
 pkgs.stdenv.mkDerivation {
   pname = "authentik-python-deps";
   version = sources.version;
@@ -115,19 +82,44 @@ pkgs.stdenv.mkDerivation {
     # Remove bin/ entirely — main derivation recreates it
     rm -rf $out/bin
 
-    # Strip store path references from shared objects
-    find $out -type f \( -name '*.so' -o -name '*.so.*' \) \
-      -exec remove-references-to ${removeRefsArgs} {} + 2>/dev/null || true
-
     # Strip store refs from .pyc files (contain embedded paths)
     find $out -type f -name '*.pyc' -delete
 
+    # Dynamically discover ALL remaining Nix store paths in the output.
+    # This is more robust than a static list of store paths — any new
+    # build/runtime dependency is automatically handled.
+    # Note: || true needed because xargs returns 123 if grep returns 1
+    # (no match) on any batch, and pipefail propagates that.
+    { find $out -type f -print0 \
+        | xargs -0 grep -aohE '/nix/store/[a-z0-9]{32}-[^/"[:space:]]+' 2>/dev/null \
+        || true; } | sort -u > $TMPDIR/store-refs.txt
+    echo "Found $(wc -l < $TMPDIR/store-refs.txt) unique store path references to strip"
+
+    # Build remove-references-to args from discovered paths
+    refs_args=""
+    while IFS= read -r ref; do
+      refs_args="$refs_args -t $ref"
+    done < $TMPDIR/store-refs.txt
+
+    # Strip all discovered references from all files
+    if [ -n "$refs_args" ]; then
+      find $out -type f -exec remove-references-to $refs_args {} + 2>/dev/null || true
+    fi
+
+    # Verify — report any remaining references
+    remaining=$({ find $out -type f -print0 | xargs -0 grep -cl '/nix/store/' 2>/dev/null || true; } | wc -l)
+    echo "Files with remaining store references: $remaining"
+    if [ "$remaining" -gt 0 ]; then
+      echo "WARNING: Files still containing store references:"
+      { find $out -type f -print0 | xargs -0 grep -l '/nix/store/' 2>/dev/null || true; }
+    fi
+
     runHook postInstall
   '';
 
   outputHashMode = "recursive";
   outputHashAlgo = "sha256";
-  outputHash = pkgs.lib.fakeHash;
+  outputHash = "sha256-DtpcYQyI07m7v84D/UC28Tj35R9wye6IX+1D0gMZPgY=";
 
   dontFixup = true;
 }

containers/authentik/test-build.nix

@@ -0,0 +1,18 @@
+# Test harness for building authentik components on ringtail
+# Uses builtins.getFlake instead of <nixpkgs> (ringtail has flakes, no NIX_PATH)
+#
+# Usage:
+#   nix-build test-build.nix -A python-deps --extra-experimental-features 'nix-command flakes'
+#   nix-build test-build.nix -A authentik-django --extra-experimental-features 'nix-command flakes'
+#   nix-build test-build.nix -A client-go --extra-experimental-features 'nix-command flakes'
+#   nix-build test-build.nix -A client-ts --extra-experimental-features 'nix-command flakes'
+let
+  pkgs = (builtins.getFlake "nixpkgs").legacyPackages.x86_64-linux;
+  sources = import ./sources.nix { inherit pkgs; };
+in
+{
+  python-deps = import ./python-deps.nix { inherit pkgs sources; };
+  authentik-django = import ./authentik-django.nix { inherit pkgs sources; };
+  client-go = import ./client-go.nix { inherit pkgs sources; };
+  client-ts = import ./client-ts.nix { inherit pkgs sources; };
+}