Fix authentik 2026.2.0 migration ordering bug #275

Merged
eblume merged 1 commit from fix/authentik-migration-ordering into main 2026-03-01 16:28:37 -08:00
3 changed files with 10 additions and 0 deletions
Showing only changes of commit f024efb4da

Fix authentik migration ordering: ensure 0056 runs before 0010

Django migration ordering bug in authentik 2026.2.0 — rbac/0010 (drops
Role.group_id) can execute before core/0056 (data migration that reads
Role.group_id), causing FieldError on startup. Add explicit dependency
via substituteInPlace. Upstream: goauthentik/authentik#19616

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Erich Blume 2026-03-01 16:25:25 -08:00

@ -136,6 +136,14 @@ pkgs.stdenv.mkDerivation {
--replace-fail 'Path("web/dist/assets/icons/icon_left_brand.png")' \
'Path("${webuiPath}/dist/assets/icons/icon_left_brand.png")'
# Migration ordering: 0010 removes Role.group_id, but 0056 needs it
# for data migration. Upstream bug in authentik 2026.2.0.
# https://github.com/goauthentik/authentik/issues/19616
substituteInPlace ${sp}/authentik/rbac/migrations/0010_remove_role_group_alter_role_name.py \
--replace-fail \
'("authentik_rbac", "0009_remove_initialpermissions_mode"),' \
'("authentik_rbac", "0009_remove_initialpermissions_mode"), ("authentik_core", "0056_user_roles"),'
# Lifecycle bash script: use Nix store bash (no /usr/bin/env in containers)
substituteInPlace ${sp}/lifecycle/ak \
--replace-fail '#!/usr/bin/env -S bash' '#!${pkgs.bash}/bin/bash'
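
Review bot: the `substituteInPlace` on `0010_remove_role_group_alter_role_name.py` has no removal condition. The comment ties the workaround to authentik 2026.2.0, but nothing in the derivation checks the version, and `--replace-fail` only trips if the `0009_remove_initialpermissions_mode` tuple text changes, not when upstream ships its own fix. Consider guarding the substitution on the package version, or at least adding a "drop once #19616 is fixed upstream" line to the comment. It is also worth confirming that `authentik_core/0056_user_roles` does not depend, directly or transitively, on `authentik_rbac/0010`, since the added edge would then form a cycle and Django would refuse to build the migration graph.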

@ -0,0 +1 @@
Fix authentik 2026.2.0 startup crash caused by Django migration ordering bug (`FieldError: Cannot resolve keyword 'group_id'`). Patch ensures `authentik_core/0056` runs before `authentik_rbac/0010`.
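
Review bot: this changelog entry omits the upstream reference that the other two files in the commit carry. Adding goauthentik/authentik#19616 here would let a reader of the changelog trace the workaround and see when it can be dropped.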

@ -65,6 +65,7 @@ Build issues encountered and resolved:
| `xargs grep` exit code 123 under `pipefail` | Wrap pipeline in `{ ... \|\| true; }` — grep returning 1 (no match) causes xargs to return 123 |
| `grep -aoE` includes filename prefix in output | Use `grep -aohE` (`-h` suppresses filenames) to get clean store paths |
| autoPatchelfHook can't find libraries | `buildInputs` in main derivation must include all libraries that `.so` files link against |
| `FieldError: Cannot resolve keyword 'group_id'` on startup | Django migration ordering bug: `authentik_rbac/0010` (drops `Role.group_id`) can run before `authentik_core/0056` (reads it). Add explicit dependency via `substituteInPlace` on the migration file. Upstream [#19616](https://github.com/goauthentik/authentik/issues/19616) |
The `uv sync` completes in ~3.5 minutes. Dynamic reference discovery finds 19 unique store paths and strips all of them. After stripping, `remove-references-to` mangles hashes to `eeee...` bytes — about 40 files still "contain" `/nix/store/` strings but with invalid hashes, which is expected and harmless. `autoPatchelfHook` in the main derivation resolves all NEEDED entries with 0 unsatisfied dependencies.
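
Review bot: the new `FieldError` row says "on the migration file" without saying which one is patched. Since the row names both `authentik_rbac/0010` and `authentik_core/0056`, state that the dependency is added to the `authentik_rbac/0010` migration, and note that the patch should be removed when upgrading past 2026.2.0 if upstream fixes #19616.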