blumeops/docs/how-to/authentik/build-authentik-from-source.md
Erich Blume 7094ea7d3e Start C2 Mikado chain: build authentik from source
Create goal card and 4 prerequisite cards for building authentik from a
custom Nix derivation instead of using pkgs.authentik from nixpkgs. This
removes the dependency on the nixpkgs packaging timeline and gives full
version control over authentik releases.

Chain: mikado/authentik-source-build
Leaf nodes: authentik-api-client-generation, authentik-python-backend-derivation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-28 08:20:17 -08:00

title: Build Authentik from Source
modified: 2026-02-28
status: active
branch: mikado/authentik-source-build
requires: authentik-go-server-derivation, authentik-web-ui-derivation, authentik-python-backend-derivation
tags: how-to, authentik, nix

Build Authentik from Source

Replace pkgs.authentik from nixpkgs with a custom Nix derivation that builds authentik from source. This removes the dependency on the nixpkgs packaging timeline and gives us full control over which authentik release we deploy.

Motivation

The nix-container-builder runner on ringtail resolves nixpkgs via the NixOS nix registry, which pins to nixos-25.11. That channel lags behind upstream authentik releases — e.g. nixos-25.11 has 2025.10.1 while upstream is at 2025.12.4+. Building from source lets us target any release.

This also serves as practice for packaging services from source using Nix, relying on nixpkgs only for satellite dependencies (Python interpreter, Node.js, Go toolchain, system libraries).

Architecture

Authentik has four build components that must be assembled:

  1. API client generation — Go and TypeScript bindings generated from schema.yml (OpenAPI)
  2. Python backend (authentik-django) — Django application with 60+ Python dependencies, including 4 in-tree packages and a forked djangorestframework
  3. Web UI — Lit-based TypeScript frontend built with Rollup
  4. Go server — HTTP server binary (cmd/server) that serves the web UI and spawns gunicorn for Django

The final package is the ak bash wrapper, which orchestrates the Go server and the Python worker.

Source

Forge mirror: https://forge.ops.eblu.me/mirrors/authentik (upstream: goauthentik/authentik)

Reference derivation: nixpkgs pkgs/by-name/au/authentik/package.nix

What to Do

Once all prerequisites are complete:

  1. Assemble the component derivations into a final ak-wrapped package in containers/authentik/
  2. Update containers/authentik/default.nix to use the custom derivation instead of pkgs.authentik
  3. Build and push the container: mise run container-build-and-release authentik
  4. Update argocd/manifests/authentik/kustomization.yaml with the new image tag
  5. Update service-versions.yaml with the new version
  6. Verify deployment: ArgoCD sync, UI login, OAuth2 flows