C2: Build authentik from source (Mikado chain) #274

Merged
eblume merged 16 commits from mikado/authentik-source-build into main 2026-03-01 13:45:01 -08:00
Owner

Mikado Chain: build-authentik-from-source

Replace pkgs.authentik from nixpkgs with a custom Nix derivation built from source.
This removes the dependency on the nixpkgs packaging timeline and gives full version control.

Target version: 2025.12.4 (nixpkgs reference, upgrading from deployed 2025.10.1).

Dependency Graph

build-authentik-from-source (goal)
├── authentik-go-server-derivation
│   ├── authentik-api-client-generation  ← IN PROGRESS
│   └── authentik-python-backend-derivation
├── authentik-web-ui-derivation
│   └── authentik-api-client-generation  ← IN PROGRESS
└── authentik-python-backend-derivation

Ready Leaves

  • authentik-api-client-generation — Go + TypeScript client generation from OpenAPI schema
  • authentik-python-backend-derivation — Django backend with 60+ deps, 4 in-tree packages

Architecture

Ported from nixpkgs pkgs/by-name/au/authentik/package.nix (https://github.com/NixOS/nixpkgs/tree/master/pkgs/by-name/au/authentik):

  • source.nix — shared version/source fetch
  • client-go.nix — Go API client generation
  • client-ts.nix — TypeScript API client generation
  • api-go-vendor-hook.nix — Go vendor directory injection hook
  • (more components to follow as leaves are closed)

Related Cards

  • build-authentik-from-source — Goal card
  • authentik-api-client-generation
  • authentik-python-backend-derivation
  • authentik-web-ui-derivation
  • authentik-go-server-derivation
Add Nix derivations for generating Go and TypeScript API client bindings
from authentik's OpenAPI schema:

- source.nix: shared version (2025.12.4) and source fetch
- client-go.nix: Go client from goauthentik/client-go repo
- client-ts.nix: TypeScript fetch client from main schema.yml
- api-go-vendor-hook.nix: setup hook to inject Go client into vendor dir
- client-go-config.patch: OpenAPI generator config fix

Ported from nixpkgs pkgs/by-name/au/authentik/package.nix.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@ -0,0 +6,4 @@
packageName: api
enumClassPrefix: true
useOneOfDiscriminatorLookup: true
+ disallowAdditionalPropertiesIfNotPresent: false
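Review bot: the added `disallowAdditionalPropertiesIfNotPresent: false` line carries no explanation, and "OpenAPI generator config fix" in the commit message does not say what is being fixed. With this option set to false the generator follows the OpenAPI default and lets generated models carry properties the schema does not list, instead of treating an omitted `additionalProperties` as a prohibition; that is a deliberate compatibility choice, so a one-line comment next to the patch reference in client-go.nix should record why the upstream default is being overridden.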
Author
Owner

Can you please explain to me what this patch is for? It might merit a comment in client-go.nix as well.
eblume marked this conversation as resolved
@ -0,0 +4,4 @@
{ fetchFromGitHub }:
let
version = "2025.12.4";
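Review bot: `version = "2025.12.4"` hard-codes a release that the PR discussion says is not the intended target, and the final commit records 2026.2.0 in default.nix, so there are two version strings to keep in step. Keep a single version in source.nix and have default.nix inherit it; otherwise the fetched source and the version advertised to CI can drift apart without any build failure to flag it.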
Author
Owner

Ah no, the whole point of this is to get the new version from 2026 that was released just a few days ago. If we've lost it in the process of starting this mikado chain, please update the card accordingly... we did some research and I believe the upgrade path is clear of blockers.
eblume marked this conversation as resolved
@ -0,0 +9,4 @@
{
inherit version;
src = fetchFromGitHub {
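Review bot: `src = fetchFromGitHub` pulls straight from GitHub although the repository keeps its own forge mirrors (a later commit creates mirrors/authentik-client-go for exactly this source). Fetching from the mirror keeps the source under the project's control and makes the build independent of the upstream host; the fixed hash on the fetch should stay in place whichever fetcher is used, so that a changed upstream tarball still fails the build.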
Author
Owner

Woops, not github! Please use the forge mirror.
eblume marked this conversation as resolved
All three derivations verified on ringtail (nixos-25.11):
- client-go: Go API client generated and formatted with gofmt
- client-ts: TypeScript fetch client generated and compiled with tsc
- api-go-vendor-hook: setup hook built successfully

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
eblume force-pushed mikado/authentik-source-build from 591d9dd958 to 2495ad01c6 2026-02-28 09:35:35 -08:00 Compare
Created two forge mirrors via mirror-create:
- mirrors/authentik-client-go (goauthentik/client-go) — Go API client
- mirrors/authentik-django-rest-framework (authentik-community/django-rest-framework) — DRF fork

Both verified synced with tags from upstream GitHub.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add Nix derivations for generating Go and TypeScript API client
bindings from authentik's OpenAPI schema. Verified on ringtail:
- client-go: 886 .go files from openapi-generator-cli, with go.mod/go.sum
- client-ts: TypeScript fetch client with src/ and dist/ (tsc compiled)
- api-go-vendor-hook: setup hook to inject client-go into Go vendor dir

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@ -0,0 +1,11 @@
# Test harness for building authentik components on ringtail
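Review bot: the header names ringtail as the build host, which marks this file as host-specific scaffolding rather than part of the derivation set, so it does not belong in the shipped tree; the Mikado card notes are the better home for it. If it does stay, the header should state how it is invoked (the nix-build -A target), so that someone other than the author can reproduce the check.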
Author
Owner

I don't think this needs to be in the PR; maybe in the Mikado cards?
eblume marked this conversation as resolved
Move the ad-hoc test harness out of the repo and into the Mikado card
documentation where it belongs — it's a testing recipe, not shipped code.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
All deliverables verified on ringtail:
- client-go: 886 .go files, go.mod/go.sum, no test/
- client-ts: src/ + dist/ (tsc compiled)
- api-go-vendor-hook: setup hook with FOD guard

Also clarify card closure semantics in agent-change-process: "works"
means the card's own deliverables are met, not that downstream consumers
have integrated them.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
eblume force-pushed mikado/authentik-source-build from dff21536f9 to 75c7c5358a 2026-02-28 21:41:30 -08:00 Compare
eblume force-pushed mikado/authentik-source-build from 75c7c5358a to 34bdf5a806 2026-02-28 21:54:22 -08:00 Compare
WIP: authentik-django.nix with python314 overrides (django_5, astor
patch, dacite test skip, exceptiongroup test skip). Build not yet
passing — pydantic-core 2.33.2 fails because PyO3 0.24.1 caps at
Python 3.13. Needs either PYO3_USE_ABI3_FORWARD_COMPATIBILITY=1 env
var or a newer nixpkgs snapshot with PyO3 >= 0.25.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
eblume force-pushed mikado/authentik-source-build from e4b3b1202f to f750dd4365 2026-02-28 22:17:37 -08:00 Compare
Document approach pivot from uv pip download (doesn't exist in uv 0.9.29)
to uv sync FOD + autoPatchelfHook. Record build issue fixes: pg_config,
gssapi S4U headers, xmlsec libltdl, FOD store reference stripping.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Two-phase build: FOD (uv sync + strip store refs) and main derivation
(autoPatchelfHook + workspace packages + patches). uv sync completes
successfully; 6 residual store refs remain in FOD output to fix.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
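The residual store references mentioned in the commit above are the kind of thing Nix refuses in a fixed-output derivation's output, so a checker is useful. Below is an added example, not code from the blumeops repo: it scans an output tree (regular files and symlink targets) for /nix/store paths and, with fix=True, rewrites their hash part to a placeholder that the reference scanner cannot match; every file name and store path in demo() is constructed.

```python
import re
import tempfile
from pathlib import Path

# /nix/store/<32 base-32 chars>-<name>; Nix's alphabet omits e, o, t, u.
STORE_REF = re.compile(rb"/nix/store/([0-9abcdfghijklmnpqrsvwxyz]{32})-([A-Za-z0-9+._?=-]+)")
# 32 'e's is never a valid hash, so the reference scanner cannot match it.
PLACEHOLDER_HASH = b"e" * 32

def store_refs_in(data: bytes) -> set:
    """Distinct store paths referenced in a text or binary blob."""
    return {m.group(0) for m in STORE_REF.finditer(data)}

def strip_store_refs(data: bytes) -> bytes:
    """Swap each store hash for the placeholder; the name part is kept so the
    consuming derivation can substitute the real path back later."""
    return STORE_REF.sub(lambda m: b"/nix/store/" + PLACEHOLDER_HASH + b"-" + m.group(2), data)

def scan_tree(root: Path, fix: bool = False) -> dict:
    """Map each offending file to the store paths it references; with fix=True
    rewrite them in place (symlinks are re-pointed, not followed)."""
    found = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink():
            data = str(path.readlink()).encode()
        elif path.is_file():
            data = path.read_bytes()
        else:
            continue
        refs = store_refs_in(data)
        if not refs:
            continue
        found[str(path.relative_to(root))] = sorted(refs)
        if fix and path.is_symlink():
            path.unlink()
            path.symlink_to(strip_store_refs(data).decode())
        elif fix:
            path.write_bytes(strip_store_refs(data))
    return found

def demo() -> tuple:
    """Constructed venv-like tree (all paths made up): scan, strip, rescan."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    python = "/nix/store/" + "a" * 32 + "-python3-3.14.0"
    (root / "pyvenv.cfg").write_text(f"home = {python}/bin\n")
    (root / "bin" / "ak").write_text(f"#!{python}/bin/python3\nimport sys\n")
    (root / "bin" / "python").symlink_to(f"{python}/bin/python3")
    before = scan_tree(root, fix=True)
    return before, scan_tree(root)
```

The placeholder only makes the FOD hash stable; the consuming derivation still has to put the real interpreter path back before the venv is usable.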
eblume force-pushed mikado/authentik-source-build from 216f03eeb5 to 11995f8d4e 2026-03-01 11:49:00 -08:00 Compare
buildGoModule derivation for cmd/server with:
- apiGoVendorHook for generated Go API client injection
- substituteInPlace patches for lifecycle (authentik-django) and web
  asset paths (3 files: gounicorn.go, web/static.go, internal/web/static.go)
- overrideModAttrs.postPatch="" to keep vendorHash stable
- Parameterized webui input with placeholder for pre-webui-derivation builds
- CGO_ENABLED=0, binary renamed from server to authentik
- Verified on ringtail: builds in ~32s, --help works

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Go server binary builds successfully on ringtail:
- buildGoModule with apiGoVendorHook and overrideModAttrs
- Lifecycle paths patched to authentik-django store path
- Web asset paths use placeholder (resolved when webui derivation is built)
- authentik --help verified working

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Two-stage Nix build for the authentik web frontend:
- webui-deps.nix: FOD for npm dependencies (platform-specific hash)
- webui.nix: esbuild/wireit build + rollup SFE, outputs dist/ and authentik/

Verified on ringtail: build completes in ~33s, output has correct structure.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Web UI derivation verified on ringtail: esbuild/wireit main build + rollup SFE,
outputs dist/ and authentik/ directories in ~33s.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Wire webui → authentik-django → authentik-server and replace
pkgs.authentik with custom source-built derivations. The ak wrapper
sets PATH/VIRTUAL_ENV and delegates to lifecycle/ak. Tested on
ringtail with nix-build test-build.nix -A assembled.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
All components assembled into default.nix: webui → authentik-django
→ authentik-server, with ak wrapper and container entrypoint. Tested
on ringtail via test-build.nix -A assembled. The chain is complete.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add version = "2026.2.0" to default.nix for CI workflow version extraction
- Update service-versions.yaml to 2026.2.0
- Update changelog entry to reflect completed work
- Rewrite goal card as historical how-to documentation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
eblume force-pushed mikado/authentik-source-build from 405fe59bf7 to 6612c3febc 2026-03-01 13:44:37 -08:00 Compare
eblume merged commit efa9806bfa into main 2026-03-01 13:45:01 -08:00
Reference
eblume/blumeops!274