- Add version = "2026.2.0" to default.nix for CI workflow version extraction
- Update service-versions.yaml to 2026.2.0, mark reviewed 2026-03-01
- Update changelog entry to reflect completed work
- Rewrite goal card as historical how-to documentation
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

All components assembled into default.nix: webui → authentik-django
→ authentik-server, with ak wrapper and container entrypoint. Tested
on ringtail via test-build.nix -A assembled. The chain is complete.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Wire webui → authentik-django → authentik-server and replace
pkgs.authentik with custom source-built derivations. The ak wrapper
sets PATH/VIRTUAL_ENV and delegates to lifecycle/ak. Tested on
ringtail with nix-build test-build.nix -A assembled.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Web UI derivation verified on ringtail: esbuild/wireit main build + rollup SFE,
outputs dist/ and authentik/ directories in ~33s.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Two-stage Nix build for the authentik web frontend:
- webui-deps.nix: FOD for npm dependencies (platform-specific hash)
- webui.nix: esbuild/wireit build + rollup SFE, outputs dist/ and authentik/
Verified on ringtail: build completes in ~33s, output has correct structure.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Go server binary builds successfully on ringtail:
- buildGoModule with apiGoVendorHook and overrideModAttrs
- Lifecycle paths patched to authentik-django store path
- Web asset paths use placeholder (resolved when webui derivation is built)
- authentik --help verified working
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

buildGoModule derivation for cmd/server with:
- apiGoVendorHook for generated Go API client injection
- substituteInPlace patches for lifecycle (authentik-django) and web
  asset paths (3 files: gounicorn.go, web/static.go, internal/web/static.go)
- overrideModAttrs.postPatch="" to keep vendorHash stable
- Parameterized webui input with placeholder for pre-webui-derivation builds
- CGO_ENABLED=0, binary renamed from server to authentik
- Verified on ringtail: builds in ~32s, --help works
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Python backend builds and verifies on ringtail. Updated lessons learned
with dynamic store-ref discovery, pipefail/grep fixes, and build results.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Replace static refTargets list with dynamic store-path discovery in
python-deps.nix FOD. Add real output hashes for both python-deps and
opencontainers fetchFromGitHub. Add test-build.nix harness for ringtail.
Both python-deps FOD and authentik-django build successfully on ringtail.
autoPatchelfHook resolves all .so dependencies with 0 unsatisfied.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Two-phase build: FOD (uv sync + strip store refs) and main derivation
(autoPatchelfHook + workspace packages + patches). uv sync completes
successfully; 6 residual store refs remain in FOD output to fix.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Document approach pivot from uv pip download (doesn't exist in uv 0.9.29)
to uv sync FOD + autoPatchelfHook. Record build issue fixes: pg_config,
gssapi S4U headers, xmlsec libltdl, FOD store reference stripping.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Drop the nixpkgs packageOverrides approach for Python deps. Instead, use
uv + fixed-output derivation to install from PyPI where cp314 wheels
already exist. Eliminates the entire class of Python 3.14 nixpkgs compat
issues (astor, dacite, exceptiongroup, pydantic-core).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>