eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/docs/how-to/authentik/python314-nixpkgs-compat.md
Erich Blume 4168827390 C2(authentik-source-build): plan add python314-nixpkgs-compat prerequisite 
During initial attempt to build authentik-django on ringtail, discovered
that nixos-25.11's python314 package set has two compat gaps: astor 0.8.1
fails its test suite (uses ast.Num/ast.Str removed in 3.14), and django
defaults to 4.2.x (which doesn't support 3.14). New card documents the
issue and the fix (carry the same overrides nixpkgs uses upstream).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-28 21:29:10 -08:00

2.9 KiB
Raw Blame History

title modified status requires tags
Python 3.14 Nixpkgs Compatibility Overrides 2026-02-28 active
mirror-authentik-build-deps
how-to
authentik
nix

Python 3.14 Nixpkgs Compatibility Overrides

Document and implement the packageOverrides needed to build authentik's Python dependency tree under python314 on nixos-25.11.

Problem

Authentik 2026.2.0 requires Python 3.14 (requires-python = "==3.14.*"). The nixos-25.11 channel's python314 package set has two issues:

  1. astor 0.8.1 — test suite uses ast.Num, ast.Str, and ast.NameConstant, which were removed in Python 3.14. Build fails during pytestCheckPhase.
  2. django defaults to 4.2.x — Django 4.2 does not support Python 3.14. The python314.pkgs.django attribute points to django_4 (4.2.28), not django_5.

Both failures cascade through the dependency graph, breaking trioanyiohttpcore/azure-core/etc. and ultimately authentik-django.

Research Findings

astor

Current nixpkgs (unstable/newer 25.11 snapshots) already fixes this:

  • Uses an unstable git snapshot df09001112f079db54e7c5358fa143e1e63e74c4 (2024-03-30), not the 0.8.1 release
  • Carries python314-compat.patch from upstream PR #233
  • The patch replaces removed ast.Num/ast.Str/ast.NameConstant with ast.Constant and guards affected tests with version checks
  • Hash: sha256-VF+harl/q2yRU2yqN1Txud3YBNSeedQNw2SZNYQFsno=

Ringtail's nixos-25.11 registry pin predates this fix. Rather than updating the system-wide nixpkgs (which has broader implications), we carry the override in our derivation.

django

The nixpkgs authentik package.nix (2025.12.4) includes django = final.django_5; in its packageOverrides. This is still needed for 2026.2.0 — python314 does not default to Django 5.x.

Dependency chain (astor failure cascade)

astor (test failure)
├── trio (nativeCheckInputs)
│   └── anyio
│       ├── httpcore → httpx → msgraph-sdk, azure-core, ...
│       └── azure-core → azure-identity, azure-storage-blob
├── djangoql (runtime dep of authentik)
└── django 4.2.28 (also broken, separate issue)
    └── authentik-django (1 dependency failed)

What to Do

Add these overrides to authentik-django.nix's packageOverrides block:

  1. django = final.django_5; — same as nixpkgs authentik does
  2. astor — override to use the patched git snapshot with the python314-compat.patch, matching what current nixpkgs does (NOT just disabling tests)

The override for astor should use fetchFromGitHub with owner berkerpeksag, repo astor, rev df09001112f079db54e7c5358fa143e1e63e74c4, and carry the patch from nixpkgs PR #233. This is a proper fix, not a test skip.

Related