Two-stage Nix build for the authentik web frontend:
- webui-deps.nix: FOD for npm dependencies (platform-specific hash)
- webui.nix: esbuild/wireit build + rollup SFE, outputs dist/ and authentik/

Verified on ringtail: build completes in ~33s, output has correct structure.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

buildGoModule derivation for cmd/server with:
- apiGoVendorHook for generated Go API client injection
- substituteInPlace patches for lifecycle (authentik-django) and web asset paths (3 files: gounicorn.go, web/static.go, internal/web/static.go)
- overrideModAttrs.postPatch="" to keep vendorHash stable
- Parameterized webui input with placeholder for pre-webui-derivation builds
- CGO_ENABLED=0, binary renamed from server to authentik
- Verified on ringtail: builds in ~32s, --help works

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Replace static refTargets list with dynamic store-path discovery in
python-deps.nix FOD. Add real output hashes for both python-deps and
opencontainers fetchFromGitHub. Add test-build.nix harness for ringtail.

Both python-deps FOD and authentik-django build successfully on ringtail.
autoPatchelfHook resolves all .so dependencies with 0 unsatisfied.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Two-phase build: FOD (uv sync + strip store refs) and main derivation
(autoPatchelfHook + workspace packages + patches). uv sync completes
successfully; 6 residual store refs remain in FOD output to fix.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

## Summary
C2 Mikado chain for deploying Authentik as the SSO identity provider, replacing Dex.
This PR will evolve over multiple sessions. Each iteration adds documentation (prerequisite cards) and eventually code as leaf nodes are resolved.
## Current Mikado State
- **Goal:** `deploy-authentik` (active)
- **Leaf prerequisites:**
  - `build-authentik-container` — Build Nix container image
  - `provision-authentik-database` — Create PostgreSQL database on CNPG cluster
  - `create-authentik-secrets` — Create 1Password item with credentials
## Process refinements
- Updated agent-change-process with lessons from first attempt: reset code before committing cards, open PRs early
## Test plan
- [ ] `mise run docs-mikado` shows correct dependency chain
- [ ] Leaf nodes can be worked independently
- [ ] Container builds on ringtail
- [ ] Authentik starts and reaches healthy state
- [ ] Forgejo OAuth2 connector works
Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/227