diff --git a/containers/authentik/authentik-django.nix b/containers/authentik/authentik-django.nix index 0844769..58bb5bf 100644 --- a/containers/authentik/authentik-django.nix +++ b/containers/authentik/authentik-django.nix @@ -25,7 +25,7 @@ let owner = "vsoch"; repo = "oci-python"; rev = "ceb4fcc090851717a3069d78e85ceb1e86c2740c"; - hash = pkgs.lib.fakeHash; + hash = "sha256-Q6SJed0K6eIrqQ9mNAD4RGx+YCJvnI5E+0KGp5fBtTU="; }; sp = "$out/lib/python3.14/site-packages"; diff --git a/containers/authentik/python-deps.nix b/containers/authentik/python-deps.nix index 3530265..17d557c 100644 --- a/containers/authentik/python-deps.nix +++ b/containers/authentik/python-deps.nix @@ -14,39 +14,6 @@ # get the correct hash from the error message, then update. { pkgs ? import { }, sources ? import ./sources.nix { inherit pkgs; } }: -let - # All store paths that may end up referenced in the venv output. - # remove-references-to will replace each hash with 'eeee...' bytes. - refTargets = with pkgs; [ - python314 - stdenv.cc.cc.lib - libxml2.out - libxml2.dev - libxslt.out - libxslt.dev - xmlsec.out - openssl.out - openssl.dev - libpq.out - libpq.dev - krb5.out - krb5.dev - krb5.lib - libtool.out - libtool.lib - libffi.out - libffi.dev - zlib.out - zlib.dev - readline.out - ncurses.out - glibc.out - ]; - - removeRefsArgs = builtins.concatStringsSep " " - (map (t: "-t ${t}") refTargets); -in - pkgs.stdenv.mkDerivation { pname = "authentik-python-deps"; version = sources.version; 
@@ -115,19 +82,44 @@ pkgs.stdenv.mkDerivation {
 # Remove bin/ entirely — main derivation recreates it
 rm -rf $out/bin
- # Strip store path references from shared objects
- find $out -type f \( -name '*.so' -o -name '*.so.*' \) \
- -exec remove-references-to ${removeRefsArgs} {} + 2>/dev/null || true
-
 # Strip store refs from .pyc files (contain embedded paths)
 find $out -type f -name '*.pyc' -delete
+ # Dynamically discover ALL remaining Nix store paths in the output.
+ # This is more robust than a static list of store paths — any new
+ # build/runtime dependency is automatically handled.
+ # Note: || true needed because xargs returns 123 if grep returns 1
+ # (no match) on any batch, and pipefail propagates that.
+ { find $out -type f -print0 \
+ | xargs -0 grep -aohE '/nix/store/[a-z0-9]{32}-[^/"[:space:]]+' 2>/dev/null \
+ || true; } | sort -u > $TMPDIR/store-refs.txt
+ echo "Found $(wc -l < $TMPDIR/store-refs.txt) unique store path references to strip"
+
+ # Build remove-references-to args from discovered paths
+ refs_args=""
+ while IFS= read -r ref; do
+ refs_args="$refs_args -t $ref"
+ done < $TMPDIR/store-refs.txt
+
+ # Strip all discovered references from all files
+ if [ -n "$refs_args" ]; then
+ find $out -type f -exec remove-references-to $refs_args {} + 2>/dev/null || true
+ fi
+
+ # Verify — report any remaining references
+ remaining=$({ find $out -type f -print0 | xargs -0 grep -cl '/nix/store/' 2>/dev/null || true; } | wc -l)
+ echo "Files with remaining store references: $remaining"
+ if [ "$remaining" -gt 0 ]; then
+ echo "WARNING: Files still containing store references:"
+ { find $out -type f -print0 | xargs -0 grep -l '/nix/store/' 2>/dev/null || true; }
+ fi
+
 runHook postInstall
 '';
 outputHashMode = "recursive";
 outputHashAlgo = "sha256";
- outputHash = pkgs.lib.fakeHash;
+ outputHash = "sha256-DtpcYQyI07m7v84D/UC28Tj35R9wye6IX+1D0gMZPgY=";
 dontFixup = true;
 }
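Review bot: The verification at the end of the new block can never come out clean once anything has actually been stripped: as far as I can tell from nixpkgs' script, `remove-references-to` rewrites only the 32-character hash to `eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee` and leaves the `/nix/store/` prefix in place (the comment in the removed `let` block says the same), so `grep -l '/nix/store/'` in the `remaining=` line and in the WARNING listing will match every rewritten file and report a false positive. Matching on the real store-hash alphabet, which contains no `e`, separates genuine leftovers from the sentinel: use `grep -lE '/nix/store/[0-9a-df-np-sv-z]{32}-'` in both places. Because this is a fixed-output derivation whose `outputHash` is now pinned, a genuine leftover reference silently changes that hash on the next nixpkgs bump, so once the check is trustworthy it would be safer to `exit 1` than to print a WARNING. The `2>/dev/null || true` on the `remove-references-to` call also swallows real failures (an unreadable file, a bad `-t` argument) — the justification written for the grep pipeline does not carry over to it. The installPhase string this hunk edits begins outside the hunk.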
diff --git a/containers/authentik/test-build.nix b/containers/authentik/test-build.nix
new file mode 100644
index 0000000..6ece8df
--- /dev/null
+++ b/containers/authentik/test-build.nix
@@ -0,0 +1,18 @@
+# Test harness for building authentik components on ringtail
+# Uses builtins.getFlake instead of (ringtail has flakes, no NIX_PATH)
+#
+# Usage:
+# nix-build test-build.nix -A python-deps --extra-experimental-features 'nix-command flakes'
+# nix-build test-build.nix -A authentik-django --extra-experimental-features 'nix-command flakes'
+# nix-build test-build.nix -A client-go --extra-experimental-features 'nix-command flakes'
+# nix-build test-build.nix -A client-ts --extra-experimental-features 'nix-command flakes'
+let
+ pkgs = (builtins.getFlake "nixpkgs").legacyPackages.x86_64-linux;
+ sources = import ./sources.nix { inherit pkgs; };
+in
+{
+ python-deps = import ./python-deps.nix { inherit pkgs sources; };
+ authentik-django = import ./authentik-django.nix { inherit pkgs sources; };
+ client-go = import ./client-go.nix { inherit pkgs sources; };
+ client-ts = import ./client-ts.nix { inherit pkgs sources; };
+}
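Review bot: `builtins.getFlake "nixpkgs"` on the `pkgs =` line is an indirect flake reference resolved through the flake registry (global, system or user `registry.json`), so this harness builds against whatever nixpkgs the machine's registry happens to point at rather than anything the repo pins; besides being non-reproducible, a user- or system-level registry entry silently swaps the entire package set, and since python-deps.nix is a fixed-output derivation with a now-pinned `outputHash`, a different nixpkgs is likely to end in a hash mismatch rather than a useful test result. Pin the input explicitly, e.g. `pkgs = (builtins.getFlake "github:NixOS/nixpkgs/REV").legacyPackages.x86_64-linux;` with the same revision the real container build uses (presumably recorded in sources.nix or a flake.lock, neither of which is visible here). The header comment reads "instead of (ringtail has flakes" — the thing being replaced seems to have dropped out, presumably the angle-bracket nixpkgs lookup path; worth restoring so the comment reads correctly. `x86_64-linux` could also be `builtins.currentSystem` if this harness is ever run somewhere other than ringtail.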