eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/docs/how-to/authentik/build-authentik-container.md
Erich Blume ffa8727660 Adopt commit-based container tags (#232) 
## Summary
- Replace git-tag-triggered container builds with path-based triggers on main and workflow_dispatch
- Image tags now encode upstream app version + commit SHA (`vX.Y.Z-<sha>`) for full traceability
- Replace `container-tag-and-release` task with `container-build-and-release` (dispatches workflows via Forgejo API)
- Update dagger `publish()` to accept `commit_sha` parameter
- Update all docs and references to the new workflow

## Deployment and Testing
- [ ] Merge to main
- [ ] `mise run container-build-and-release <name>` for each container to populate new-format tags
- [ ] Verify tags in registry via `mise run container-list`
- [ ] Existing images untouched — old tags remain available

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/232
2026-02-20 22:56:20 -08:00

1.4 KiB
Raw Blame History

title modified tags
Build Authentik Container Image 2026-02-20
how-to
authentik

Build Authentik Container Image

Build and publish a Nix-based container image for Authentik to the local registry.

Context

Discovered while attempting deploy-authentik: the deployment references registry.ops.eblu.me/blumeops/authentik:v1.0.0-nix which doesn't exist. Authentik's nixpkgs package (pkgs.authentik) provides the ak wrapper which orchestrates a Go server binary and Python Django worker.

What to Do

  1. Verify containers/authentik/default.nix builds — locally via Dagger (dagger call build-nix --src=. --container-name=authentik) or on ringtail (the CI nix builder runs there)
  2. The ak entrypoint needs bash (included via bashInteractive) and orchestrates both server and worker subcommands
  3. Trigger build: mise run container-build-and-release authentik
  4. Verify the -nix tagged image appears in the registry

What We Learned

  • The entrypoint is ak (bash wrapper), not authentik (Go binary)
  • ak server runs the Go HTTP server, ak worker runs the Python Django worker
  • pkgs.authentik bundles Go binary, Python environment, and static assets via wrapProgram
  • nixpkgs has v2025.10.1, upstream latest is 2025.12.4 — acceptable for initial deployment
  • Container needs bashInteractive since ak is a bash script

Related