## Mikado Chain: build-authentik-from-source

Replace `pkgs.authentik` from nixpkgs with a custom Nix derivation built from source. This removes the dependency on the nixpkgs packaging timeline and gives full version control.

Target version: **2025.12.4** (nixpkgs reference, upgrading from deployed 2025.10.1).

### Dependency Graph

```
build-authentik-from-source (goal)
├── authentik-go-server-derivation
│   ├── authentik-api-client-generation ← IN PROGRESS
│   └── authentik-python-backend-derivation
├── authentik-web-ui-derivation
│   └── authentik-api-client-generation ← IN PROGRESS
└── authentik-python-backend-derivation
```

### Ready Leaves

- `authentik-api-client-generation` — Go + TypeScript client generation from OpenAPI schema
- `authentik-python-backend-derivation` — Django backend with 60+ deps, 4 in-tree packages

### Architecture

Ported from [nixpkgs `pkgs/by-name/au/authentik/package.nix`](https://github.com/NixOS/nixpkgs/tree/master/pkgs/by-name/au/authentik):

- `source.nix` — shared version/source fetch
- `client-go.nix` — Go API client generation
- `client-ts.nix` — TypeScript API client generation
- `api-go-vendor-hook.nix` — Go vendor directory injection hook
- (more components to follow as leaves are closed)

### Related Cards

- [[build-authentik-from-source]] — Goal card
- [[authentik-api-client-generation]]
- [[authentik-python-backend-derivation]]
- [[authentik-web-ui-derivation]]
- [[authentik-go-server-derivation]]

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/274
51 lines
1.6 KiB
Nix
```nix
# Fixed-output derivation for authentik web UI npm dependencies
#
# Runs `npm ci` in the web/ directory to fetch all Node.js dependencies.
# This is a FOD (fixed-output derivation) so it has network access during build
# but the output hash must match exactly.
#
# The output hash is platform-specific because npm downloads platform-specific
# native binaries for esbuild, rollup, and SWC.
#
# Workspace packages (under web/packages/*) have their own node_modules,
# so we collect all node_modules directories via find.
#
# Output: all node_modules directories from the web/ tree
{ pkgs ? import <nixpkgs> { }, sources ? import ./sources.nix { inherit pkgs; } }:

pkgs.stdenvNoCC.mkDerivation {
  pname = "authentik-webui-deps";
  inherit (sources) version src meta;

  sourceRoot = "${sources.src.name}/web";

  outputHash =
    {
      "x86_64-linux" = "sha256-+4cWvFuixCcO7P+z701/0H+Ah/Z5sbLNsdx2Uowqwf4=";
    }
    .${pkgs.stdenvNoCC.hostPlatform.system}
      or (throw "authentik-webui-deps: unsupported host platform ${pkgs.stdenvNoCC.hostPlatform.system}");
  outputHashMode = "recursive";

  nativeBuildInputs = with pkgs; [
    nodejs_24
    cacert
  ];

  buildPhase = ''
    npm ci --cache ./cache --ignore-scripts
    rm -r ./cache node_modules/.package-lock.json
  '';

  # Workspace packages install dependencies into separate node_modules
  # directories with symlinks between them — copy all of them
  installPhase = ''
    mkdir $out
    find -type d -name node_modules -prune -print \
      -exec mkdir -p $out/{} \; \
      -exec cp -rT {} $out/{} \;
  '';

  dontCheckForBrokenSymlinks = true;
  dontPatchShebangs = true;
}
```
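
What `outputHash` with `outputHashMode = "recursive"` actually pins can be reproduced outside Nix. The following Python is an added example, not code from this repository or from nixpkgs: it assumes the NAR layout Nix uses for recursive hashes (sha256 over that serialisation, base64-encoded as an SRI string) and hashes a constructed `node_modules`-like tree; `nstr`, `nar`, `sri_nar_hash` and `demo` are names invented here.

```python
import base64, hashlib, os, stat, tempfile

def nstr(b: bytes) -> bytes:  # NAR string: u64 LE length, bytes, zero pad to 8
    return len(b).to_bytes(8, "little") + b + b"\0" * (-len(b) % 8)

def nar(path: bytes) -> bytes:
    """Serialise one node: type, exec bit, contents, entry names, link targets."""
    mode = os.lstat(path).st_mode
    out = nstr(b"(") + nstr(b"type")
    if stat.S_ISLNK(mode):
        out += nstr(b"symlink") + nstr(b"target") + nstr(os.readlink(path))
    elif stat.S_ISDIR(mode):
        out += nstr(b"directory")
        for name in sorted(os.listdir(path)):  # bytewise name order
            out += nstr(b"entry") + nstr(b"(") + nstr(b"name") + nstr(name)
            out += nstr(b"node") + nar(os.path.join(path, name)) + nstr(b")")
    elif stat.S_ISREG(mode):
        out += nstr(b"regular")
        if mode & stat.S_IXUSR:
            out += nstr(b"executable") + nstr(b"")
        with open(path, "rb") as f:  # reads whole file; fine for small trees
            out += nstr(b"contents") + nstr(f.read())
    else:
        raise ValueError(f"unsupported file type: {path!r}")
    return out + nstr(b")")

def sri_nar_hash(path: str) -> str:
    """SRI sha256 over the NAR of path, the form outputHash takes above."""
    digest = hashlib.sha256(nstr(b"nix-archive-1") + nar(os.fsencode(path))).digest()
    return "sha256-" + base64.b64encode(digest).decode()

def demo() -> dict:  # constructed tree, not authentik's real dependencies
    with tempfile.TemporaryDirectory() as d:
        root = os.path.join(d, "node_modules")
        os.makedirs(os.path.join(root, "esbuild", "bin"))
        tool = os.path.join(root, "esbuild", "bin", "esbuild")
        with open(tool, "wb") as f:
            f.write(b"constructed linux-x64 binary\n")
        os.symlink("../packages/core", os.path.join(root, "core"))  # dangling
        h = {"base": sri_nar_hash(root)}
        os.utime(tool, (0, 0))  # timestamps are not serialised
        h["mtime"] = sri_nar_hash(root)
        os.chmod(tool, 0o755)  # the executable bit is
        h["exec"] = sri_nar_hash(root)
        with open(tool, "wb") as f:  # a different platform's binary
            f.write(b"constructed darwin-arm64 binary\n")
        h["content"] = sri_nar_hash(root)
        return h

if __name__ == "__main__": print(demo())
```

Swapping the native binary for another platform's build changes the hash, which is why the derivation keys `outputHash` by `hostPlatform.system`. A dangling workspace symlink is hashed by its target string alone.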