## Mikado Chain: build-authentik-from-source

Replace `pkgs.authentik` from nixpkgs with a custom Nix derivation built from source. This removes the dependency on the nixpkgs packaging timeline and gives full version control.

Target version: **2025.12.4** (nixpkgs reference, upgrading from deployed 2025.10.1).

### Dependency Graph

```
build-authentik-from-source (goal)
├── authentik-go-server-derivation
│   ├── authentik-api-client-generation  ← IN PROGRESS
│   └── authentik-python-backend-derivation
├── authentik-web-ui-derivation
│   └── authentik-api-client-generation  ← IN PROGRESS
└── authentik-python-backend-derivation
```

### Ready Leaves

- `authentik-api-client-generation` — Go + TypeScript client generation from OpenAPI schema
- `authentik-python-backend-derivation` — Django backend with 60+ deps, 4 in-tree packages

### Architecture

Ported from [nixpkgs `pkgs/by-name/au/authentik/package.nix`](https://github.com/NixOS/nixpkgs/tree/master/pkgs/by-name/au/authentik):

- `source.nix` — shared version/source fetch
- `client-go.nix` — Go API client generation
- `client-ts.nix` — TypeScript API client generation
- `api-go-vendor-hook.nix` — Go vendor directory injection hook
- (more components to follow as leaves are closed)

### Related Cards

- [[build-authentik-from-source]] — Goal card
- [[authentik-api-client-generation]]
- [[authentik-python-backend-derivation]]
- [[authentik-web-ui-derivation]]
- [[authentik-go-server-derivation]]

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/274
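# Authentik web UI build
#
# Builds the Lit-based TypeScript frontend from the web/ directory.
# Uses esbuild (via wireit) for the main build and rollup for the SFE
# (Standalone Frontend Engine) sub-package.
#
# Inputs:
#   - webui-deps: FOD with npm dependencies (node_modules trees)
#   - client-ts:  generated TypeScript API client from schema.yml
#
# Output:
#   $out/dist/       esbuild bundle (admin, user, flow, rac, etc.)
#   $out/authentik/  static icons for authentication sources/connectors
#
# Supply-chain notes:
#   - This file runs no `npm install` / `npm ci`; every node_modules tree is
#     copied from webui-deps. `npm run build` then executes scripts and tools
#     from that tree, so webui-deps is trusted build input. Its output hash
#     lives in webui-deps.nix (not shown here); review any change to that hash
#     together with the lockfile change that caused it.
#   - The default `pkgs` is `<nixpkgs>`, which is looked up on NIX_PATH at
#     evaluation time. Pass a pinned `pkgs` for a reproducible toolchain.
{ pkgs ? import <nixpkgs> { }
, sources ? import ./sources.nix { inherit pkgs; }
, webui-deps ? import ./webui-deps.nix { inherit pkgs sources; }
, client-ts ? import ./client-ts.nix { inherit pkgs sources; }
}:

pkgs.stdenvNoCC.mkDerivation {
  pname = "authentik-webui";
  inherit (sources) version src meta;

  # Build only the web/ subdirectory of the unpacked source tree.
  sourceRoot = "${sources.src.name}/web";

  nativeBuildInputs = with pkgs; [
    nodejs_24
  ];

  # Hardcode version string instead of importing from package.json
  # (the JSON import-with-assertion may not resolve in the Nix build sandbox).
  # --replace-fail aborts the build when a pattern is not found, so an upstream
  # change to node.js is noticed instead of shipping an unpatched file.
  postPatch = ''
    substituteInPlace packages/core/version/node.js \
      --replace-fail \
        'import PackageJSON from "../../../../package.json" with { type: "json" };' \
        "" \
      --replace-fail \
        '(PackageJSON.version);' \
        '"${sources.version}";'
  '';

  buildPhase = ''
    runHook preBuild

    # Copy node_modules from the FOD into the build tree.
    # -prune stops find from descending into a node_modules directory once it
    # has matched, so nested node_modules are copied as part of their parent.
    buildRoot="$PWD"
    pushd ${webui-deps}
    find . -type d -name node_modules -prune -print \
      -exec cp -rT {} "$buildRoot/{}" \;
    popd

    # Replace the npm-published @goauthentik/api with our generated client,
    # so the bundle is built against the client generated from schema.yml
    # rather than the registry copy.
    chmod -R +w node_modules/@goauthentik
    rm -rf node_modules/@goauthentik/api
    ln -sn ${client-ts} node_modules/@goauthentik/api

    # Patch shebangs on build tool binaries so they can run in the sandbox.
    # Best-effort by design: a missing link or a failed patch is ignored and
    # its stderr is discarded, so it will not show in the build log. A tool
    # that is really unusable surfaces later as a failure in `npm run build`.
    pushd node_modules/.bin
    for tool in rollup wireit lit-localize esbuild; do
      [ -L "$tool" ] && patchShebangs "$(readlink "$tool")" 2>/dev/null || true
    done
    popd

    npm run build
    npm run build:sfe

    runHook postBuild
  '';

  installPhase = ''
    runHook preInstall
    mkdir "$out"
    cp -r dist "$out/dist"
    cp -r authentik "$out/authentik"
    runHook postInstall
  '';

  # Derivation attributes are exported as environment variables to the
  # builder, so both settings below apply to the Node processes of this build.
  NODE_ENV = "production";
  # Enables OpenSSL's legacy provider (older algorithms such as MD4) in Node.
  # NOTE(review): this is usually a workaround for older bundlers that hash
  # with MD4. Confirm the esbuild/rollup toolchain still needs it, and drop
  # the flag if the build passes without it.
  NODE_OPTIONS = "--openssl-legacy-provider";
}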