nix-community / authentik-nix
Nix flake with package, NixOS module and basic VM test for authentik. Trying to provide an alternative deployment mode to the officially supported docker-compose approach. Not affiliated with or officially supported by the authentik project [maintainer=@willibutz]

License: MIT License

authentik-nix

A Nix flake providing a package, NixOS module and basic VM test for authentik

Important Note

Please note that this project is not directly affiliated with the official authentik project. Most importantly this means that there is no official support for this packaging and deployment approach. Therefore, please refrain from opening issues for the official project when running into problems with this flake. Feel free to open issues here. If in doubt, please open an issue here first so we can make sure that it's not directly related to this packaging/deployment approach before escalating to the official project.

Overview

  • flake.nix This flake provides packages (server, worker, outposts, ...) as outputs, a NixOS module and a simple VM integration test for the module.
  • module.nix The NixOS module configures authentik services, redis and (by default) a local postgres instance. The upstream default authentik configuration can be partially overridden by setting desired parameters under services.authentik.settings.
  • poetry2nix-python-overrides.nix Contains overrides and fixes for building the Python environment.
  • minimal-vmtest.nix A minimal NixOS VM test. Confirms that the services configured by the module start and manually goes through the initial setup flow. Some screenshots are taken during test execution to confirm that the frontend is rendered correctly.
  • components An overridable scope, including the individual authentik components. An example for how to create a custom scope is provided in override-scope.nix.

Usage

Example configuration:

{
  services.authentik = {
    enable = true;
    # The environmentFile needs to be on the target host!
    # Best use something like sops-nix or agenix to manage it
    environmentFile = "/run/secrets/authentik/authentik-env";
    settings = {
      email = {
        host = "smtp.example.com";
        port = 587;
        username = "[email protected]";
        use_tls = true;
        use_ssl = false;
        from = "[email protected]";
      };
      disable_startup_analytics = true;
      avatars = "initials";
    };
  };
}

EnvironmentFile for secrets

The environmentFile option references a systemd EnvironmentFile, which needs to be placed on the same host as authentik and should only be accessible to root. Secrets specified in this environment file are not placed in the world-readable /nix/store. Note that pkgs.writeText and similar tooling also cause secrets to be placed in the /nix/store.

After generating a secret key for authentik, for example using openssl rand -base64 32, the file's contents should look like this:

AUTHENTIK_SECRET_KEY=<generated secret key>
AUTHENTIK_EMAIL__PASSWORD=<smtp password>

Better alternatives to managing the environment file manually on the authentik host might be https://github.com/Mic92/sops-nix or https://github.com/ryantm/agenix, depending on your use case.
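The steps above (generate a key, write the environment file, keep it root-only) as an added shell example; this is not code from authentik-nix. The variable names AUTHENTIK_SECRET_KEY and AUTHENTIK_EMAIL__PASSWORD are the ones shown above; the function names, the target path and all sample values are assumptions made for the example. The last function goes one step beyond the text: it scans a rendered config file (such as the one services.authentik.settings produces under /etc/authentik, which lives in the store) for secret-looking values, which is the check to run if you suspect a secret ended up in settings instead of in the environment file.

```shell
#!/bin/sh
# Added example, not part of authentik-nix: create the root-only systemd
# EnvironmentFile that services.authentik.environmentFile points at, verify it,
# and audit a rendered config file for secrets that should not be in it.
# Variable names come from the README; function names and paths are assumed.
set -eu

# Generate a secret key as the README suggests (openssl rand -base64 32),
# falling back to /dev/urandom when openssl is not installed.
gen_secret_key() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -base64 32
  else
    head -c 32 /dev/urandom | base64 | tr -d '\n'
  fi
}

# write_env_file FILE SMTP_PASSWORD
# Writes AUTHENTIK_SECRET_KEY and AUTHENTIK_EMAIL__PASSWORD to FILE. The umask in
# the subshell means the file is never world-readable, not even briefly.
write_env_file() {
  file=$1
  smtp_password=$2
  (
    umask 077
    printf 'AUTHENTIK_SECRET_KEY=%s\nAUTHENTIK_EMAIL__PASSWORD=%s\n' \
      "$(gen_secret_key)" "$smtp_password" > "$file"
  )
  # On the real host the file should belong to root; only possible when run as root.
  if [ "$(id -u)" -eq 0 ]; then chown root:root "$file"; fi
  chmod 0600 "$file"
}

# file_mode FILE: octal permission bits, GNU stat first, BSD stat as fallback.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_env_file FILE
# Returns 0 when FILE exists, is mode 0600 and both variables have a value.
check_env_file() {
  file=$1
  [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
  mode=$(file_mode "$file")
  [ "$mode" = "600" ] || { echo "mode $mode on $file, want 600" >&2; return 1; }
  grep -q '^AUTHENTIK_SECRET_KEY=..*' "$file" \
    || { echo "AUTHENTIK_SECRET_KEY is empty" >&2; return 1; }
  grep -q '^AUTHENTIK_EMAIL__PASSWORD=..*' "$file" \
    || { echo "AUTHENTIK_EMAIL__PASSWORD is empty" >&2; return 1; }
}

# config_has_secret CONFIG_FILE
# Returns 0 (true) when a rendered YAML config carries a non-empty value under a
# key ending in secret_key or password. A file generated from
# services.authentik.settings ends up in the world-readable /nix/store, so any
# hit here means a secret is in the wrong place. Empty values ('' or "") are ignored.
config_has_secret() {
  grep -Ei '^[[:space:]]*[a-z_.]*(secret_key|password)[[:space:]]*:' "$1" 2>/dev/null \
    | sed -E "s/^[^:]*:[[:space:]]*//; s/^(''|\"\")$//" \
    | grep -q .
}
```

Typical use on the host is write_env_file /run/secrets/authentik/authentik-env "$SMTP_PASSWORD" followed by check_env_file on the same path, and config_has_secret /etc/authentik/config.yml after a rebuild; a hit from the last call means the key must move into the environment file.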

With flakes

Add authentik-nix to your flake, import the module and configure it. Relevant sections of the flake:

# flake.nix
{
  inputs.authentik-nix = {
    url = "github:nix-community/authentik-nix";

    ## optional overrides. Note that using a different version of nixpkgs can cause issues, especially with python dependencies
    # inputs.nixpkgs.follows = "nixpkgs"
    # inputs.flake-parts.follows = "flake-parts"
  };

  outputs = inputs@{ ... }: {

    ## regular NixOS example
    #
    # nixosConfigurations = {
    #   authentik-host = inputs.nixpkgs.lib.nixosSystem {
    #     system = "x86_64-linux";
    #     modules = [
    #       inputs.authentik-nix.nixosModules.default
    #       {
    #         services.authentik = {
    #           # ... further configuration; see example configuration above
    #         };
    #       }
    #     ];
    #   };
    # };

    ## Colmena example
    #
    # colmena = {
    #   meta.specialArgs.inputs = { inherit (inputs) authentik-nix; };
    #
    #   authentik-host = { inputs, ... }: {
    #     imports = [ inputs.authentik-nix.nixosModules.default ];
    #
    #     services.authentik = {
    #       # ... further configuration; see example configuration above
    #     };
    #   };
    # };
  };
}

Without flakes

All packages, modules and tests are available via flake-compat and may be used without flakes. This requires some extra work, but this example NixOS configuration may help you to get started:

# configuration.nix
{ ... }:
let
  authentik-version = "2024.2.3";
  authentik-nix-src = builtins.fetchTarball {
    url = "https://github.com/nix-community/authentik-nix/archive/version/${authentik-version}.tar.gz";
    sha256 = "15b9a2csd2m3vwhj3xc24nrqnj1hal60jrd69splln0ynbnd9ki4";
  };
  authentik-nix = import authentik-nix-src;
in
{
  imports = [
    authentik-nix.nixosModules.default
  ];

  services.authentik = {
    # ...
  };

  system.stateVersion = "23.11";
}

Nginx + Let's Encrypt

Example configuration:

{
  services.authentik = {
    # other authentik options as in the example configuration at the top
    nginx = {
      enable = true;
      enableACME = true;
      host = "auth.example.com";
    };
  };
}

The configuration above configures authentik to auto-discover the Let's Encrypt certificate and key. Initial auto-discovery might take a while because the authentik certificate discovery task runs once per hour.

Testing

To run the main integration test execute (one of) the following:

nix build .#checks.x86_64-linux.default --print-build-logs
nix build .#checks.aarch64-linux.default --print-build-logs

License

This project is released under the terms of the MIT License. See LICENSE. Consult the upstream project for information about authentik licensing.

authentik-nix's Issues

How to set the SECRET_KEY

Whenever I'm trying to rebuild my NixOS flake, the authentik-migrate.service keeps failing. I get the following error messages:

  • <module> SIGNING_HASH = sha512(settings.SECRET_KEY.encode()).hexdigest()
  • __getattr__ raise ImproperlyConfigured("The SECRET_KEY setting must not be empty.")

I tried to set the AUTHENTIK_SECRET_KEY variable in the configuration.nix by adding (keytemp contains the output of pwgen -s 50 1):

  services.authentik = {
    enable = true;
    settings = {
      authentik_secret_key = "${lib.strings.fileContents ./keytemp}";
    };
  };

resulting in:

cat /etc/authentik/config.yml
authentik_secret_key: 6yrwkZywIBIsqoQ********************SnYdPDGkjQTC***
blueprints_dir: /nix/store/63hrzp6clrdsa7cx3vjlmky1x4fq37pv-authentik-static-workdir-deps/blueprints
postgresql:
  host: ''
  name: authentik
  user: authentik
template_dir: /nix/store/63hrzp6clrdsa7cx3vjlmky1x4fq37pv-authentik-static-workdir-deps/templates

I'm puzzled about how to proceed and would really appreciate some help.

`authentik.service` is ordered after `network-online.target` but doesn't depend on it

Hi,
during evaluation nix/colmena is complaining about:

authentik.service is ordered after network-online.target but doesn't depend on it.

Here is the full output:

❯ COLMENAHOST=shel1sso00; colmena apply --on ${COLMENAHOST} --build-on-target --nix-option builders 'ssh-ng://${COLMENAHOST} aarch64-linux'
warning: Git tree '/Users/phg/workspace/privat/nix_config' is dirty
[INFO ] Using flake: git+file:///Users/phg/workspace/privat/nix_config
[INFO ] Enumerating nodes...
[INFO ] Selected 1 out of 5 hosts.
           ❌ 2s Failed: Child process exited with error code: 1
shel1sso00 ❌ 2s Evaluation failed: Child process exited with error code: 1                                                                                                                                                                                                                              
[ERROR] Failed to evaluate shel1sso00 - Last 20 lines of logs:
[ERROR]   stderr)           959|         || pred here (elemAt values 1) (head values) then
[ERROR]   stderr)           960|           head values
[ERROR]   stderr)              |           ^
[ERROR]   stderr)           961|         else
[ERROR]   stderr) 
[ERROR]   stderr)        … while evaluating the attribute 'value'
[ERROR]   stderr) 
[ERROR]   stderr)          at /nix/store/rqdf3gfjq8zh488msnv62h03kkzr308q-source/lib/modules.nix:809:9:
[ERROR]   stderr) 
[ERROR]   stderr)           808|     in warnDeprecation opt //
[ERROR]   stderr)           809|       { value = builtins.addErrorContext "while evaluating the option `${showOption loc}':" value;
[ERROR]   stderr)              |         ^
[ERROR]   stderr)           810|         inherit (res.defsFinal') highestPrio;
[ERROR]   stderr) 
[ERROR]   stderr)        (stack trace truncated; use '--show-trace' to show the full trace)
[ERROR]   stderr) 
[ERROR]   stderr)        error:
[ERROR]   stderr)        Failed assertions:
[ERROR]   stderr)        - authentik.service is ordered after 'network-online.target' but doesn't depend on it
[ERROR]  failure) Child process exited with error code: 1
[ERROR] Failed to complete requested operation - Last 1 lines of logs:
[ERROR]  failure) Child process exited with error code: 1
[ERROR] -----
[ERROR] Operation failed with error: Child process exited with error code: 1
Hint: Backtrace available - Use `RUST_BACKTRACE=1` environment variable to display a backtrace

This can simply be fixed by adding the following patch, where a dependency on network-online.target via wants is also established:

diff --git a/module.nix b/module.nix
index bc3ef58..99ca103 100644
--- a/module.nix
+++ b/module.nix
@@ -175,6 +175,7 @@ in
         };
         authentik = {
           wantedBy = [ "multi-user.target" ];
+          wants = [ "network-online.target" ];
           after = [
             "network-online.target"
             "postgresql.service"
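Review bot: The added `wants = [ "network-online.target" ];` is the right fix for the assertion quoted above: `after` only orders the unit relative to the target and never pulls the target in, which is exactly what the NixOS assertion "ordered after 'network-online.target' but doesn't depend on it" complains about. The hunk touches only the `authentik` unit; if module.nix declares further units (worker, outposts) with the same `after = [ "network-online.target" ... ]` list and no `wants`, they will trip the same assertion, so those should be checked in the same change.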

ModuleNotFoundError in authentik-migrate

After updating from 2023.10.7 (497c207) to 2024.2.1 (5ed5c48), the authentik-migrate.service unit always fails with a ModuleNotFoundError: No module named 'https' error.

Starting authentik-migrate.service...
{"event": "Loaded config", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1708620785.7511833, "file": "/nix/store/mgkg473cmqr16nrvyc2v8p7pa94y54n1-patched-authentik-source/authentik/lib/default.yml"}
{"event": "Loaded config", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1708620785.7539692, "file": "/etc/authentik/config.yml"}
{"event": "Loaded environment variables", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1708620785.7544122, "count": 2}
{"event": "'geoip' has been deprecated in favor of 'events.context_processors.geoip'! Please update your configuration.", "level": "warning", "logger": "authentik.lib.config", "timestamp": 1708620785.7545652}
2024-02-22 16:53:05 [info     ] applying django migrations
2024-02-22 16:53:05 [info     ] waiting to acquire database lock
{"event": "Booting authentik", "level": "info", "logger": "authentik.lib.config", "timestamp": 1708620787.3687036, "version": "2024.2.1"}
{"event": "Enabled authentik enterprise", "level": "info", "logger": "authentik.lib.config", "timestamp": 1708620787.3718634}
{"event": "Loaded app settings", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1708620787.373902, "path": "authentik.enterprise.settings"}
{"event": "Loaded app settings", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1708620787.3756738, "path": "authentik.blueprints.settings"}
{"event": "Loaded app settings", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1708620787.3779182, "path": "authentik.sources.plex.settings"}
{"event": "Loaded app settings", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1708620787.3801024, "path": "authentik.events.settings"}
{"event": "Loaded app settings", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1708620787.383519, "path": "authentik.admin.settings"}
{"event": "Loaded app settings", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1708620787.3864114, "path": "authentik.sources.ldap.settings"}
{"event": "Loaded app settings", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1708620787.3878176, "path": "authentik.stages.authenticator_totp.settings"}
{"event": "Loaded app settings", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1708620787.3919442, "path": "authentik.sources.oauth.settings"}
{"event": "Loaded app settings", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1708620787.3948407, "path": "authentik.policies.reputation.settings"}
{"event": "Loaded app settings", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1708620787.3983665, "path": "authentik.outposts.settings"}
{"event": "Loaded app settings", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1708620787.399911, "path": "authentik.enterprise.settings"}
{"event": "Loaded app settings", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1708620787.40456, "path": "authentik.providers.scim.settings"}
{"event": "Loaded app settings", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1708620787.4062092, "path": "authentik.crypto.settings"}
{"domain_url": null, "event": "Failed to load MMDB database", "exc": "FileNotFoundError(2, 'No such file or directory')", "level": "warning", "logger": "authentik.events.context_processors.mmdb", "path": "/geoip/GeoLite2-ASN.mmdb", "pid": 46355, "schema_name": "public", "timestamp": "2024-02-22T16:53:08.123038"}
{"domain_url": null, "event": "Loaded MMDB database", "file": "/nix/store/c3bynnmjcs51lykq58d620yrf1ci19ni-geoip/GeoLite2-City.mmdb", "last_write": 1.0, "level": "info", "logger": "authentik.events.context_processors.mmdb", "pid": 46355, "schema_name": "public", "timestamp": "2024-02-22T16:53:08.129146"}
{"app_name": "authentik.tenants", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.tenants.checks", "pid": 46355, "schema_name": "public", "timestamp": "2024-02-22T16:53:08.485095"}
/nix/store/kfwha19i10v2lckc369j0bz93532vg9a-python3-3.11.6-env/lib/python3.11/site-packages/django/db/backends/utils.py:98: RuntimeWarning: Accessing the database during app initialization is discouraged. To fix this warning, avoid executing queries in AppConfig.ready() or when your app modules are imported.
  warnings.warn(self.APPS_NOT_READY_WARNING_MSG, category=RuntimeWarning)
{"app_name": "authentik.admin", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.admin.tasks", "pid": 46355, "schema_name": "public", "timestamp": "2024-02-22T16:53:08.563663"}
{"app_name": "authentik.admin", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.admin.signals", "pid": 46355, "schema_name": "public", "timestamp": "2024-02-22T16:53:08.564606"}
{"app_name": "authentik.crypto", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.crypto.tasks", "pid": 46355, "schema_name": "public", "timestamp": "2024-02-22T16:53:08.568064"}
{"app_name": "authentik.flows", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.flows.signals", "pid": 46355, "schema_name": "public", "timestamp": "2024-02-22T16:53:10.927531"}
{"app_name": "authentik.outposts", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.outposts.tasks", "pid": 46355, "schema_name": "public", "timestamp": "2024-02-22T16:53:11.006541"}
{"app_name": "authentik.outposts", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.outposts.signals", "pid": 46355, "schema_name": "public", "timestamp": "2024-02-22T16:53:11.007603"}
Traceback (most recent call last):
  File "/nix/store/4llq87n308rra4bcccmzn7pq95nb9qfq-authentik-migrate.py/bin/.migrate.py-wrapped", line 112, in <module>
    execute_from_command_line(["", "migrate_schemas"])
  File "/nix/store/kfwha19i10v2lckc369j0bz93532vg9a-python3-3.11.6-env/lib/python3.11/site-packages/django/core/management/__init__.py", line 442, in execute_from_command_line
    utility.execute()
  File "/nix/store/kfwha19i10v2lckc369j0bz93532vg9a-python3-3.11.6-env/lib/python3.11/site-packages/django/core/management/__init__.py", line 416, in execute
    django.setup()
  File "/nix/store/kfwha19i10v2lckc369j0bz93532vg9a-python3-3.11.6-env/lib/python3.11/site-packages/django/__init__.py", line 24, in setup
    apps.populate(settings.INSTALLED_APPS)
  File "/nix/store/kfwha19i10v2lckc369j0bz93532vg9a-python3-3.11.6-env/lib/python3.11/site-packages/django/apps/registry.py", line 124, in populate
    app_config.ready()
  File "/nix/store/yag32v0bhmh1jbnawbrwvfvp96kkw3q5-authentik-static-workdir-deps/authentik/blueprints/apps.py", line 26, in ready
    self.reconcile_tenant()
  File "/nix/store/yag32v0bhmh1jbnawbrwvfvp96kkw3q5-authentik-static-workdir-deps/authentik/blueprints/apps.py", line 75, in reconcile_tenant
    self._reconcile(self.RECONCILE_TENANT_PREFIX)
  File "/nix/store/yag32v0bhmh1jbnawbrwvfvp96kkw3q5-authentik-static-workdir-deps/authentik/blueprints/apps.py", line 59, in _reconcile
    meth()
  File "/nix/store/yag32v0bhmh1jbnawbrwvfvp96kkw3q5-authentik-static-workdir-deps/authentik/outposts/apps.py", line 47, in reconcile_tenant_embedded_outpost
    outpost, updated = Outpost.objects.update_or_create(
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/nix/store/kfwha19i10v2lckc369j0bz93532vg9a-python3-3.11.6-env/lib/python3.11/site-packages/django/db/models/manager.py", line 87, in manager_method
    return getattr(self.get_queryset(), name)(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/nix/store/kfwha19i10v2lckc369j0bz93532vg9a-python3-3.11.6-env/lib/python3.11/site-packages/django/db/models/query.py", line 1009, in update_or_create
    obj.save(using=self.db, update_fields=update_fields)
  File "/nix/store/kfwha19i10v2lckc369j0bz93532vg9a-python3-3.11.6-env/lib/python3.11/site-packages/django/db/models/base.py", line 822, in save
    self.save_base(
  File "/nix/store/kfwha19i10v2lckc369j0bz93532vg9a-python3-3.11.6-env/lib/python3.11/site-packages/django/db/models/base.py", line 924, in save_base
    post_save.send(
  File "/nix/store/kfwha19i10v2lckc369j0bz93532vg9a-python3-3.11.6-env/lib/python3.11/site-packages/django/dispatch/dispatcher.py", line 189, in send
    response = receiver(signal=self, sender=sender, **named)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/nix/store/yag32v0bhmh1jbnawbrwvfvp96kkw3q5-authentik-static-workdir-deps/authentik/outposts/signals.py", line 67, in post_save_update
    outpost_post_save.delay(class_to_path(instance.__class__), instance.pk)
  File "/nix/store/kfwha19i10v2lckc369j0bz93532vg9a-python3-3.11.6-env/lib/python3.11/site-packages/celery/app/task.py", line 444, in delay
    return self.apply_async(args, kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/nix/store/kfwha19i10v2lckc369j0bz93532vg9a-python3-3.11.6-env/lib/python3.11/site-packages/celery/app/task.py", line 594, in apply_async
    return app.send_task(
           ^^^^^^^^^^^^^^
  File "/nix/store/kfwha19i10v2lckc369j0bz93532vg9a-python3-3.11.6-env/lib/python3.11/site-packages/tenant_schemas_celery/app.py", line 97, in send_task
    return super(CeleryApp, self).send_task(name, args=args, kwargs=kwargs, **options)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/nix/store/kfwha19i10v2lckc369j0bz93532vg9a-python3-3.11.6-env/lib/python3.11/site-packages/celery/app/base.py", line 798, in send_task
    self.backend.on_task_call(P, task_id)
    ^^^^^^^^^^^^
  File "/nix/store/kfwha19i10v2lckc369j0bz93532vg9a-python3-3.11.6-env/lib/python3.11/site-packages/celery/app/base.py", line 1301, in backend
    self._backend = self._get_backend()
                    ^^^^^^^^^^^^^^^^^^^
  File "/nix/store/kfwha19i10v2lckc369j0bz93532vg9a-python3-3.11.6-env/lib/python3.11/site-packages/celery/app/base.py", line 966, in _get_backend
    backend, url = backends.by_url(
                   ^^^^^^^^^^^^^^^^
  File "/nix/store/kfwha19i10v2lckc369j0bz93532vg9a-python3-3.11.6-env/lib/python3.11/site-packages/celery/app/backends.py", line 68, in by_url
    return by_name(backend, loader), url
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/nix/store/kfwha19i10v2lckc369j0bz93532vg9a-python3-3.11.6-env/lib/python3.11/site-packages/celery/app/backends.py", line 48, in by_name
    cls = symbol_by_name(backend, aliases)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/nix/store/kfwha19i10v2lckc369j0bz93532vg9a-python3-3.11.6-env/lib/python3.11/site-packages/kombu/utils/imports.py", line 59, in symbol_by_name
    module = imp(module_name, package=package, **kwargs)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/nix/store/p1zbyfrpj3hq50mxh5hmxl3kqpa2b1am-python3-3.11.6/lib/python3.11/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "<frozen importlib._bootstrap>", line 1204, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1176, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1140, in _find_and_load_unlocked
ModuleNotFoundError: No module named 'https'
authentik-migrate.service: Main process exited, code=exited, status=1/FAILURE
authentik-migrate.service: Failed with result 'exit-code'.
Failed to start authentik-migrate.service.
authentik-migrate.service: Consumed 4.993s CPU time, received 395B IP traffic, sent 735B IP traffic.

Media Upload

authentik currently only allows media files to be uploaded when /media is a mountpoint. This is due to authentik only supporting a containerized deployment with either Docker or Kubernetes.

Relevant upstream code: https://github.com/goauthentik/authentik/blob/d71171378547f5a0c02aa5c6bd2e7dcd7a5db106/authentik/api/v3/config.py#L70-L71

I'm currently working on a simple patch to always add the Capabilities.CAN_SAVE_MEDIA for nix deployments, but this can't be upstreamed. We should contact upstream about this issue and see if they are interested in a real fix for this problem.

Propagation of certificates after acme-* renewal?

With setting nginx.enableAcme = true; on the day when initially discovered certificates expire, a configured ldap provider cannot be queried any longer because of outdated certificates.

In the admin GUI, we had to manually:

  • delete the discovered certificate (/admin/#/crypto/certificates)
  • run the certificate_discovery task (/admin/#/administration/system-tasks)
  • reassign the certificate to the tenant (/admin/#/core/tenants -> edit -> Other global settings)
  • reassign the certificate to the provider (/admin/#/core/providers -> edit -> Protocol settings)

This hit us by surprise. By any chance, do you see a way to automate this process?
At least I guess it would be worth a warning in the README, right?

Build error with latest nixos-unstable

When attempting to build the current main branch under current nixos-unstable I get the following error:

error: evaluation aborted with the following error message: 'lib.customisation.callPackageWith: Function called without required argument "nodejs_21" at /nix/store/qs161vzi5kh527nyhfpjldkcshgh790y-source/components/frontend.nix:5, did you mean "nodejs_20", "nodejs_22" or "nodejs_14"?'

nodejs_21 was dropped recently (NixOS/nixpkgs@12c19fa). The fix should nicely tie-in with #18.

ldap outpost is not independently deployable

Hi,
I just wanted to deploy the ldap outpost on another server than the main authentik instance.
It failed initially with the same error as #13.

After also applying the fix to the service, it fails with:

❯ COLMENAHOST=sbx0media00; colmena apply --on ${COLMENAHOST} --build-on-target --nix-option builders 'ssh-ng://${COLMENAHOST} x86_64-linux'
warning: Git tree '/Users/phg/workspace/privat/nix_config' is dirty
[INFO ] Using flake: git+file:///Users/phg/workspace/privat/nix_config
[INFO ] Enumerating nodes...
[INFO ] Selected 1 out of 5 hosts.
            ❌ 29s Failed: Child process exited with error code: 1
sbx0media00 ❌ 29s Evaluation failed: Child process exited with error code: 1                                                                                                                                                                                                                              
[ERROR] Failed to complete requested operation - Last 1 lines of logs:
[ERROR]  failure) Child process exited with error code: 1
[ERROR] Failed to evaluate sbx0media00 - Last 20 lines of logs:
[ERROR]   stderr)        … while evaluating the attribute 'value'
[ERROR]   stderr) 
[ERROR]   stderr)          at /nix/store/9s5qs4hni9fj88x79iw6im7amv7ghb76-source/lib/modules.nix:809:9:
[ERROR]   stderr) 
[ERROR]   stderr)           808|     in warnDeprecation opt //
[ERROR]   stderr)           809|       { value = builtins.addErrorContext "while evaluating the option `${showOption loc}':" value;
[ERROR]   stderr)              |         ^
[ERROR]   stderr)           810|         inherit (res.defsFinal') highestPrio;
[ERROR]   stderr) 
[ERROR]   stderr)        (stack trace truncated; use '--show-trace' to show the full trace)
[ERROR]   stderr) 
[ERROR]   stderr)        error: attribute '"authentik/config.yml"' missing
[ERROR]   stderr) 
[ERROR]   stderr)        at /nix/store/d47k91v2219q8y4121vz1jblilckz12d-source/module.nix:234:29:
[ERROR]   stderr) 
[ERROR]   stderr)           233|         ];
[ERROR]   stderr)           234|         restartTriggers = [ config.environment.etc."authentik/config.yml".source ];
[ERROR]   stderr)              |                             ^
[ERROR]   stderr)           235|         serviceConfig = {
[ERROR]  failure) Child process exited with error code: 1
[ERROR] -----
[ERROR] Operation failed with error: Child process exited with error code: 1
Hint: Backtrace available - Use `RUST_BACKTRACE=1` environment variable to display a backtrace

It looks like, based on module.nix, that the ldap outpost is not independently deployable.

I would like to file a feature request to make the ldap outpost independently deployable.

Unable to get Embedded Outpost working

I've decided to open this here first because it might be the way we do things.

I've set up my authentik instance with the following configuration: https://github.com/GGG-KILLER/nixos-configs/blob/44250cae5dac622f8bc8490acdc05f45cd2e9405/hosts/shiro/containers/authentik.nix#L54-L70

And my nginx is using the following config: https://github.com/GGG-KILLER/nixos-configs/blob/44250cae5dac622f8bc8490acdc05f45cd2e9405/hosts/shiro/containers/authentik.nix#L72-L94

However, according to the docs, the embedded outpost should return a 204 when making a request to /outpost.goauthentik.io/ping, but in my case it's just resulting in a 404.
Also, when using the Forward Authentication method, it is returning a 400 response even though the application and providers have been correctly configured.

In the outpost's authentik_host I've tried all of the following:

  • http://localhost:8000
  • http://localhost:9000
  • https://localhost:9443
  • http://sso.shiro.lan:9000
  • https://sso.shiro.lan:9443
  • http://sso.shiro.lan
  • https://sso.shiro.lan

Absolutely none of them seem to work.

How do I import this repository into my configuration?

Sorry for asking a beginner question: How do I import this repo into my nixos config so that services.authentik becomes available, and the example configuration builds?

NixOS, system.stateVersion = "23.11"
and I have not yet advanced to flakes.

Is there something like fetchTarball or fetchGit that I can prepend to pull this? Or do I need to read up on how to use flakes?

Errors while sending Emails, `FileNotFoundError`

Hi,
while sending emails I get these FileNotFoundError exceptions for web/dist:

Dec 10 19:34:56 shel1sso00 server[575814]: {"auth_via": "unauthenticated", "event": "/api/v3/flows/executor/s1q-recovery/?query=next%3D%252F", "host": "sso.example.tld", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 575814, "remote": "aaa.xxx.yyy.zzz", "request_id": "0a9fdf11508f4ccfa9d5c0774ec64c>
Dec 10 19:34:56 shel1sso00 server[227267]: {"event":"/static/dist/flow/EmailStage-9Jhcx8Qm.js","host":"sso.example.tld","level":"info","logger":"authentik.router","method":"GET","remote":"aaa.xxx.yyy.zzz","runtime":"0.652","scheme":"https","size":9254,"status":200,"timestamp":"2023-12-10T19:34:56Z","user_agent":"Mozilla>
Dec 10 19:34:57 shel1sso00 celery[579432]: {"event": "Task published", "level": "info", "logger": "authentik.root.celery", "pid": 579432, "task_id": "4c7403008a7544bbb8f7f9125bf23586", "task_name": "authentik.stages.email.tasks.send_mail", "timestamp": "2023-12-10T19:34:57.776696"}
Dec 10 19:34:57 shel1sso00 celery[579432]: {"event": "Task finished", "level": "info", "logger": "authentik.root.celery", "pid": 579432, "state": "RETRY", "task_id": "4c7403008a7544bbb8f7f9125bf23586", "task_name": "send_mail", "timestamp": "2023-12-10T19:34:57.784838"}
Dec 10 19:34:58 shel1sso00 celery[579503]: {"event": "Task started", "level": "info", "logger": "authentik.root.celery", "pid": 579503, "task_id": "4c740300-8a75-44bb-b8f7-f9125bf23586", "task_name": "send_mail", "timestamp": "2023-12-10T19:34:58.202565"}
Dec 10 19:34:58 shel1sso00 celery[579503]: {"event": "Task published", "level": "info", "logger": "authentik.root.celery", "pid": 579503, "task_id": "4c7403008a7544bbb8f7f9125bf23586", "task_name": "authentik.stages.email.tasks.send_mail", "timestamp": "2023-12-10T19:34:58.692401"}
Dec 10 19:34:58 shel1sso00 celery[579503]: {"event": "Task finished", "level": "info", "logger": "authentik.root.celery", "pid": 579503, "state": "RETRY", "task_id": "4c7403008a7544bbb8f7f9125bf23586", "task_name": "send_mail", "timestamp": "2023-12-10T19:34:58.698943"}
Dec 10 19:35:00 shel1sso00 celery[579506]: {"event": "Task started", "level": "info", "logger": "authentik.root.celery", "pid": 579506, "task_id": "4c740300-8a75-44bb-b8f7-f9125bf23586", "task_name": "send_mail", "timestamp": "2023-12-10T19:35:00.684791"}
Dec 10 19:35:01 shel1sso00 celery[579506]: {"event": "Task published", "level": "info", "logger": "authentik.root.celery", "pid": 579506, "task_id": "4c7403008a7544bbb8f7f9125bf23586", "task_name": "authentik.stages.email.tasks.send_mail", "timestamp": "2023-12-10T19:35:01.177277"}
Dec 10 19:35:01 shel1sso00 celery[579504]: {"event": "Task started", "level": "info", "logger": "authentik.root.celery", "pid": 579504, "task_id": "4c740300-8a75-44bb-b8f7-f9125bf23586", "task_name": "send_mail", "timestamp": "2023-12-10T19:35:01.180210"}
Dec 10 19:35:01 shel1sso00 celery[579506]: {"event": "Task finished", "level": "info", "logger": "authentik.root.celery", "pid": 579506, "state": "RETRY", "task_id": "4c7403008a7544bbb8f7f9125bf23586", "task_name": "send_mail", "timestamp": "2023-12-10T19:35:01.185922"}
Dec 10 19:35:01 shel1sso00 celery[579504]: {"action": "system_task_exception", "client_ip": null, "context": {"message": "Task send_mail encountered an error: Traceback (most recent call last):\n  File \"/nix/store/nidrq7x9vg876i87fid81kacikwcbjli-python3-3.11.5-env/lib/python3.11/site-packages/celery/app/trace.py>
Dec 10 19:35:01 shel1sso00 celery[579504]: {"event": "Task published", "level": "info", "logger": "authentik.root.celery", "pid": 579504, "task_id": "a708bf93b21542a5850895b031c4227a", "task_name": "authentik.events.tasks.event_notification_handler", "timestamp": "2023-12-10T19:35:01.652668"}
Dec 10 19:35:01 shel1sso00 celery[579504]: {"event": "Task failure", "exc": "FileNotFoundError(2, 'No such file or directory')", "level": "warning", "logger": "authentik.root.celery", "pid": 579504, "task_id": "task-4c7403008a7544bbb8f7f9125bf23586", "timestamp": "2023-12-10T19:35:01.653102"}
Dec 10 19:35:01 shel1sso00 celery[579504]: {"event": "Task authentik.stages.email.tasks.send_mail[4c740300-8a75-44bb-b8f7-f9125bf23586] raised unexpected: FileNotFoundError(2, 'No such file or directory')", "exception": [{"exc_type": "FileNotFoundError", "exc_value": "[Errno 2] No such file or directory: 'web/dist>

Best
Philip

provide a binary cache

Trying this out and it's taking over an hour to build. Is that expected? Is there a cache available for this?
