blumeops/docs/how-to/authentik/python314-nixpkgs-compat.md
Erich Blume 4168827390 C2(authentik-source-build): plan add python314-nixpkgs-compat prerequisite
During initial attempt to build authentik-django on ringtail, discovered
that nixos-25.11's python314 package set has two compat gaps: astor 0.8.1
fails its test suite (uses ast.Num/ast.Str removed in 3.14), and django
defaults to 4.2.x (which doesn't support 3.14). New card documents the
issue and the fix (carry the same overrides nixpkgs uses upstream).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-28 21:29:10 -08:00


---
title: Python 3.14 Nixpkgs Compatibility Overrides
modified: 2026-02-28
status: active
requires:
- mirror-authentik-build-deps
tags:
- how-to
- authentik
- nix
---
# Python 3.14 Nixpkgs Compatibility Overrides
Document and implement the `packageOverrides` needed to build authentik's Python dependency tree under `python314` on nixos-25.11.
## Problem
Authentik 2026.2.0 requires Python 3.14 (`requires-python = "==3.14.*"`). The nixos-25.11 channel's `python314` package set has two issues:
1. **`astor` 0.8.1** — test suite uses `ast.Num`, `ast.Str`, and `ast.NameConstant`, which were removed in Python 3.14. Build fails during `pytestCheckPhase`.
2. **`django` defaults to 4.2.x** — Django 4.2 does not support Python 3.14. The `python314.pkgs.django` attribute points to `django_4` (4.2.28), not `django_5`.
Both failures cascade through the dependency graph, breaking `trio` → `anyio` → `httpcore`/`azure-core`/etc. and ultimately `authentik-django`.
## Research Findings
### astor
Current nixpkgs (unstable/newer 25.11 snapshots) already fixes this:
- Uses an **unstable git snapshot** `df09001112f079db54e7c5358fa143e1e63e74c4` (2024-03-30), not the 0.8.1 release
- Carries `python314-compat.patch` from upstream PR [#233](https://github.com/berkerpeksag/astor/pull/233)
- The patch replaces removed `ast.Num`/`ast.Str`/`ast.NameConstant` with `ast.Constant` and guards affected tests with version checks
- Hash: `sha256-VF+harl/q2yRU2yqN1Txud3YBNSeedQNw2SZNYQFsno=`
Ringtail's nixos-25.11 registry pin predates this fix. Rather than updating the system-wide nixpkgs (which has broader implications), we carry the override in our derivation.
### django
The nixpkgs authentik `package.nix` (2025.12.4) includes `django = final.django_5;` in its `packageOverrides`. This is still needed for 2026.2.0 — `python314` does not default to Django 5.x.
### Dependency chain (astor failure cascade)
```
astor (test failure)
├── trio (nativeCheckInputs)
│   └── anyio
│       ├── httpcore → httpx → msgraph-sdk, azure-core, ...
│       └── azure-core → azure-identity, azure-storage-blob
├── djangoql (runtime dep of authentik)
└── django 4.2.28 (also broken, separate issue)
    └── authentik-django (1 dependency failed)
```
## What to Do
Add these overrides to `authentik-django.nix`'s `packageOverrides` block:
1. **`django = final.django_5;`** — same as nixpkgs authentik does
2. **`astor`** — override to use the patched git snapshot with the python314-compat.patch, matching what current nixpkgs does (NOT just disabling tests)
The override for astor should use `fetchFromGitHub` with owner `berkerpeksag`, repo `astor`, rev `df09001112f079db54e7c5358fa143e1e63e74c4`, and carry the `python314-compat.patch` that nixpkgs applies (from upstream astor PR #233). This is a proper fix, not a test skip.
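A sketch of the two overrides as a standalone Python set, added here as an example and not the contents of `authentik-django.nix`. Assumptions: the hash listed under Research Findings is the `fetchFromGitHub` source hash, the patch is vendored next to the derivation as `./python314-compat.patch`, and the `version` label is a constructed value.

```nix
# Added example, not the project's own derivation.
{ python314, fetchFromGitHub }:

let
  python = python314.override {
    self = python;
    packageOverrides = final: prev: {
      # python314.pkgs.django resolves to django_4 (4.2.x), which does not
      # support Python 3.14; select the 5.x attribute explicitly.
      django = final.django_5;

      # Swap the 0.8.1 release for the patched git snapshot. The test suite
      # stays enabled (no doCheck = false), so pytestCheckPhase still
      # exercises the code under 3.14.
      astor = prev.astor.overridePythonAttrs (old: {
        # Constructed label for the snapshot; not taken from the page.
        version = "0.8.1-unstable-2024-03-30";

        # Pinned by full commit id and SRI hash, so a moved branch or a
        # changed archive fails the fetch instead of building silently.
        src = fetchFromGitHub {
          owner = "berkerpeksag";
          repo = "astor";
          rev = "df09001112f079db54e7c5358fa143e1e63e74c4";
          # Assumption: the hash from Research Findings belongs to this
          # source fetch. On a mismatch Nix prints the hash it computed.
          hash = "sha256-VF+harl/q2yRU2yqN1Txud3YBNSeedQNw2SZNYQFsno=";
        };

        # Assumption: a local copy of the patch nixpkgs carries. Keeping it
        # in-tree makes the patch content reviewable and avoids a second
        # network fetch at build time.
        patches = [ ./python314-compat.patch ];
      });
    };
  };
in
# Callers take packages from python.pkgs so that trio, anyio, djangoql and
# the rest of the closure are rebuilt against the overridden astor/django.
python
```

Building `python.pkgs.astor` on its own before attempting `authentik-django` confirms the override in isolation, since the astor failure otherwise surfaces only as a failed dependency further down the chain.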
## Related
- [[authentik-python-backend-derivation]] — Parent card (depends on this)
- [[build-authentik-from-source]] — Root goal