Erich Blume
f65106dcef
Drop the nixpkgs packageOverrides approach for Python deps. Instead, use uv + fixed-output derivation to install from PyPI where cp314 wheels already exist. Eliminates the entire class of Python 3.14 nixpkgs compat issues (astor, dacite, exceptiongroup, pydantic-core). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
4.3 KiB
| title | modified | status | branch | requires | tags | ||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Build Authentik from Source | 2026-02-28 | active | mikado/authentik-source-build |
|
|
Build Authentik from Source
Replace pkgs.authentik from nixpkgs with a custom Nix derivation that builds authentik from source. This removes the dependency on the nixpkgs packaging timeline and gives full version control.
Motivation
The nix-container-builder runner on ringtail resolves nixpkgs via the NixOS nix registry, which pins to nixos-25.11. That channel lags behind upstream authentik releases — e.g. nixos-25.11 has 2025.10.1 while upstream is at 2026.2.0. Building from source lets us target any release.
Target version: 2026.2.0 (latest stable, released 2026-02-24). Notable changes from the nixpkgs reference (2025.12.4): requires Python 3.14, Go 1.25.5.
This also serves as practice for packaging services from source using Nix, relying on nixpkgs only for satellite dependencies (Python interpreter, Node.js, Go toolchain, system libraries).
Architecture
Authentik has four build components that must be assembled:
- API client generation — Go and TypeScript bindings generated from
schema.yml(OpenAPI) - Python backend (
authentik-django) — Django application with 60+ Python dependencies, installed viauvfrom PyPI rather than nixpkgs (see authentik-python-backend-derivation) - Web UI — Lit-based TypeScript frontend built with Rollup
- Go server — HTTP server binary (
cmd/server) that serves the web UI and spawns gunicorn for Django
The final package is the ak bash wrapper that orchestrates Go server + Python worker.
Python packaging strategy: Nix provides the Python 3.14 interpreter and system libraries. Python packages are installed from PyPI using uv, locked by authentik's uv.lock. This avoids nixpkgs' Python 3.14 compatibility issues (many packages in nixos-25.11's python314 set fail to build) and aligns with upstream's build process.
Source
Forge mirrors (all derivations should fetch from forge, not GitHub):
- https://forge.ops.eblu.me/mirrors/authentik (upstream:
goauthentik/authentik) - https://forge.ops.eblu.me/mirrors/authentik-client-go (upstream:
goauthentik/client-go) - https://forge.ops.eblu.me/mirrors/authentik-django-rest-framework (upstream:
authentik-community/django-rest-framework)
Reference derivation: nixpkgs pkgs/by-name/au/authentik/package.nix — targets 2025.12.4, we are porting to 2026.2.0 so hashes and some deps will differ.
Testing
Nix derivations target x86_64-linux and can't be built on macOS. Test incrementally on ringtail:
# Copy derivation files to a temp dir on ringtail
set tmpdir (ssh ringtail 'mktemp -d /tmp/authentik-test.XXXXXX')
scp containers/authentik/*.nix containers/authentik/*.patch ringtail:$tmpdir/
# Write a test-build.nix that instantiates components, then:
ssh ringtail "cd $tmpdir && nix-build test-build.nix -A <component> --extra-experimental-features 'nix-command flakes'"
# Clean up
ssh ringtail "rm -rf $tmpdir"
Use builtins.getFlake "nixpkgs" instead of <nixpkgs> (ringtail uses flakes, no NIX_PATH).
Prefetch hashes for fetchgit sources:
ssh ringtail 'nix shell nixpkgs#nix-prefetch-git --extra-experimental-features "nix-command flakes" -c nix-prefetch-git --url <url> --rev <tag> --quiet'
What to Do
Once all prerequisites are complete:
- Assemble the component derivations into a final
ak-wrapped package incontainers/authentik/ - Update
containers/authentik/default.nixto use the custom derivation instead ofpkgs.authentik - Test locally via Dagger before pushing to CI:
dagger call build-nix --src=. --container-name=authentik - Build and push the container:
mise run container-build-and-release authentik - Update
argocd/manifests/authentik/kustomization.yamlwith the new image tag - Update
service-versions.yamlwith the new version - Verify deployment: ArgoCD sync, UI login, OAuth2 flows
Related
- build-authentik-container — Current nixpkgs-based build (to be replaced)
- deploy-authentik — Parent deployment goal
- agent-change-process — C2 methodology