1 { lib
2 , stdenvNoCC
3 , callPackages
4 , fetchFromGitHub
5 , fetchpatch
6 , fetchzip
7 , buildNpmPackage
8 , buildGoModule
9 , runCommand
10 , openapi-generator-cli
11 , nodejs
12 , python312
13 , codespell
14 , makeWrapper }:
16 let
# Release being packaged; every sub-derivation below inherits this value.
version = "2024.6.4";

# Upstream source, pinned to the release tag and content-addressed by hash:
# if the tag is ever moved upstream the fetch fails instead of silently
# building different code.
src = fetchFromGitHub {
  owner = "goauthentik";
  repo = "authentik";
  rev = "version/" + version;
  hash = "sha256-QwK/auMLCJEHHtyexFnO+adCq/u0fezHQ90fXW9J4c4=";
};
# Shared metadata. `website`, `clientapi`, `webui`, `authentik-django` and
# `proxy` inherit it unchanged; the final derivation extends it with
# `mainProgram`.
meta = {
  description = "Authentication glue you need";
  changelog = "https://github.com/goauthentik/authentik/releases/tag/version%2F${version}";
  homepage = "https://goauthentik.io/";
  license = lib.licenses.mit;
  platforms = lib.platforms.linux;
  maintainers = [ lib.maintainers.jvanbruegge lib.maintainers.risson ];
  # CVEs affecting the packaged 2024.6 series plus the end-of-life notice.
  # A non-empty knownVulnerabilities makes nixpkgs refuse to evaluate this
  # derivation — and, through `inherit meta`, every sub-derivation — unless
  # the user explicitly permits it (permittedInsecurePackages or
  # NIXPKGS_ALLOW_INSECURE), so the warning cannot be missed at install time.
  knownVulnerabilities = [
    "CVE-2024-52307"
    "CVE-2024-52287"
    "CVE-2024-52289"
    "Authentik 2024.6.x is end-of-life, consider using https://github.com/nix-community/authentik-nix for an up-to-date alternative"
  ];
};
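# Static site built from the website/ directory, installed under $out/help.
website = buildNpmPackage {
  pname = "authentik-website";
  inherit version src meta;
  # Pins the npm dependency tree fetched for the build.
  npmDepsHash = "sha256-JM+ae+zDsMdvovd2p4IJIH89KlMeDU7HOZjFbDCyehw=";

  NODE_ENV = "production";
  # Lets the build's node process use OpenSSL's legacy provider. This is a
  # build-environment setting only; it is not part of the installed output.
  NODE_OPTIONS = "--openssl-legacy-provider";

  postPatch = ''
    cd website
  '';

  # A custom phase must call the pre/post hooks, otherwise setup hooks are
  # silently skipped; `webui` below already does this.
  installPhase = ''
    runHook preInstall
    mkdir $out
    cp -r build $out/help
    runHook postInstall
  '';

  npmBuildScript = "build-bundled";
  # Skip npm lifecycle scripts so the dependency tree cannot run arbitrary
  # install hooks during the build.
  npmFlags = [ "--ignore-scripts" ];
};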
# TypeScript client generated from the OpenAPI schema shipped in the source
# tree; `webui` links it into node_modules as @goauthentik/api.
clientapi = stdenvNoCC.mkDerivation {
  pname = "authentik-client-api";
  inherit version src meta;

  nativeBuildInputs = [ openapi-generator-cli ];

  # The generator config refers to /local; point it at the build directory.
  # --replace-fail turns a missing pattern into a build failure.
  postPatch = ''
    rm Makefile

    substituteInPlace ./scripts/api-ts-config.yaml \
      --replace-fail '/local' "$(pwd)/"
  '';

  buildPhase = ''
    runHook preBuild
    openapi-generator-cli generate -i ./schema.yml \
    -g typescript-fetch -o $out \
    -c ./scripts/api-ts-config.yaml \
      --additional-properties=npmVersion="$(${lib.getExe' nodejs "npm"} --version)" \
      --git-repo-id authentik --git-user-id goauthentik
    runHook postBuild
  '';
};
# Web UI built from web/. The source tree is assembled by hand so that the
# locally generated `clientapi` is what ends up in node_modules as
# @goauthentik/api (presumably in place of a registry download of it).
webui = buildNpmPackage {
  pname = "authentik-webui";
  inherit version meta;

  # Copy web/, symlink the sibling repo paths the build reads, and link the
  # generated API client into place.
  src = runCommand "authentik-webui-source" {} ''
    mkdir -p $out/web/node_modules/@goauthentik/
    cp -r ${src}/web $out/
    ln -s ${src}/package.json $out/
    ln -s ${src}/website $out/
    ln -s ${clientapi} $out/web/node_modules/@goauthentik/api
  '';
  npmDepsHash = "sha256-8TzB3ylZzVLePD86of8E/lGgIQCciWMQF9m1Iqv9ZTY=";

  NODE_ENV = "production";
  # Build-environment setting only: allows OpenSSL's legacy provider for the
  # node process that runs the build.
  NODE_OPTIONS = "--openssl-legacy-provider";
  # devDependencies are needed to run the build. NOTE(review): unlike
  # `website`, no --ignore-scripts is passed here — confirm whether the
  # dependency tree's lifecycle scripts run during the install step.
  npmInstallFlags = [ "--include=dev" ];

  postPatch = ''
    cd web
  '';

  installPhase = ''
    runHook preInstall
    mkdir $out
    cp -r dist $out/dist
    cp -r authentik $out/authentik
    runHook postInstall
  '';
};
# Python 3.12 with a package-set overlay. `self = python` points the set's
# self-reference at this overridden interpreter, so `python.pkgs` (used
# below via `inherit (python.pkgs) authentik-django`) sees the overrides.
python = python312.override {
  self = python;
  packageOverrides = final: prev: {
    # django-tenants comes from the `rissson` fork at a pinned commit; the
    # fixed-output hash makes the fetch content-addressed, so the fork
    # cannot change underneath this package.
    django-tenants = prev.django-tenants.overrideAttrs {
      version = "3.6.1-unstable-2024-01-11";
      src = fetchFromGitHub {
        owner = "rissson";
        repo = "django-tenants";
        rev = "a7f37c53f62f355a00142473ff1e3451bb794eca";
        hash = "sha256-YBT0kcCfETXZe0j7/f1YipNIuRrcppRVh1ecFS3cvNo=";
      };
    };
    # Use 3.14.0 until https://github.com/encode/django-rest-framework/issues/9358 is fixed.
    # Otherwise applying blueprints/default/default-brand.yaml fails with:
    #   authentik.flows.models.RelatedObjectDoesNotExist: FlowStageBinding has no target.
    # NOTE(review): this pins DRF below what nixpkgs otherwise ships, so
    # upstream fixes released after 3.14.0 are not picked up here; revisit
    # once the linked issue is resolved.
    djangorestframework = prev.buildPythonPackage rec {
      pname = "djangorestframework";
      # `rec` makes this local version the one used by `rev` below; it
      # shadows authentik's `version` from the enclosing let.
      version = "3.14.0";
      format = "setuptools";

      src = fetchFromGitHub {
        owner = "encode";
        repo = "django-rest-framework";
        rev = version;
        hash = "sha256-Fnj0n3NS3SetOlwSmGkLE979vNJnYE6i6xwVBslpNz4=";
      };

      propagatedBuildInputs = with final; [
        django
        pytz
      ];

      nativeCheckInputs = with final; [
        pytest-django
        pytest7CheckHook

        # optional tests
        coreapi
        django-guardian
        pyyaml
        uritemplate
      ];

      pythonImportsCheck = [ "rest_framework" ];
    };

    # The server itself as a Python package; `proxy` rewrites its relative
    # paths to this derivation's store path, and the final wrapper puts it
    # on PATH through python.withPackages.
    authentik-django = prev.buildPythonPackage {
      pname = "authentik-django";
      inherit version src meta;
      pyproject = true;

      # Upstream fix fetched from a specific commit and verified by hash.
      patches = [
        (fetchpatch {
          name = "scim-schema-load.patch";
          url = "https://github.com/goauthentik/authentik/commit/f3640bd3c0ee2f43efcfd506bb71d2b7b6761017.patch";
          hash = "sha256-4AC7Dc4TM7ok964ztc+XdHvoU/DKyi9yJoz5u1dljEM=";
        })
      ];

      # Rewrites upstream's relative paths: the Django base directory and the
      # blueprints directory become store paths, media goes to
      # /var/lib/authentik/media, dumb-init is dropped from pyproject's
      # dependency list, the guardian integration is renamed to the
      # guardian2 package, and the email stage is pointed at the built web
      # assets. Every substitution uses --replace-fail, so a pattern that
      # disappears in a future release fails the build instead of silently
      # leaving the old path in place.
      postPatch = ''
        rm lifecycle/system_migrations/tenant_files.py
        substituteInPlace authentik/root/settings.py \
          --replace-fail 'Path(__file__).absolute().parent.parent.parent' "Path(\"$out\")"
        substituteInPlace authentik/lib/default.yml \
          --replace-fail '/blueprints' "$out/blueprints" \
          --replace-fail './media' '/var/lib/authentik/media'
        substituteInPlace pyproject.toml \
          --replace-fail 'dumb-init = "*"' "" \
          --replace-fail 'djangorestframework-guardian' 'djangorestframework-guardian2'
        substituteInPlace authentik/stages/email/utils.py \
          --replace-fail 'web/' '${webui}/'
      '';

      nativeBuildInputs = [ prev.poetry-core ];

      # NOTE(review): `codespell` in this list resolves to the top-level
      # function argument, not final.codespell, because lexically bound
      # names shadow those brought in by `with` — confirm that is intended.
      propagatedBuildInputs = with final; [
        argon2-cffi
        celery
        channels
        channels-redis
        codespell
        colorama
        dacite
        deepmerge
        defusedxml
        django
        django-cte
        django-filter
        django-guardian
        django-model-utils
        django-pglock
        django-prometheus
        django-redis
        django-storages
        django-tenants
        djangorestframework
        djangorestframework-guardian2
        docker
        drf-spectacular
        duo-client
        facebook-sdk
        fido2
        flower
        geoip2
        google-api-python-client
        gunicorn
        jsonpatch
        kubernetes
        ldap3
        lxml
        msgraph-sdk
        opencontainers
        packaging
        paramiko
        psycopg
        pydantic
        pydantic-scim
        pyjwt
        pyyaml
        requests-oauthlib
        scim2-filter-parser
        sentry-sdk
        service-identity
        setproctitle
        structlog
        swagger-spec-validator
        tenant-schemas-celery
        twilio
        twisted
        ua-parser
        urllib3
        uvicorn
        watchdog
        webauthn
        wsproto
        xmlsec
        zxcvbn
      ]
      ++ channels.optional-dependencies.daphne
      ++ django-storages.optional-dependencies.s3
      ++ opencontainers.optional-dependencies.reggie
      ++ psycopg.optional-dependencies.c
      ++ uvicorn.optional-dependencies.standard;

      # Lays out the tree the Go proxy expects (see proxy's postPatch):
      # lifecycle scripts and manage.py inside site-packages, blueprints,
      # the prebuilt web assets and help site under $out, and top-level
      # symlinks back into site-packages.
      postInstall = ''
        mkdir -p $out/web $out/website
        cp -r lifecycle manage.py $out/${prev.python.sitePackages}/
        cp -r blueprints $out/
        cp -r ${webui}/dist ${webui}/authentik $out/web/
        cp -r ${website} $out/website/help
        ln -s $out/${prev.python.sitePackages}/authentik $out/authentik
        ln -s $out/${prev.python.sitePackages}/lifecycle $out/lifecycle
      '';
    };
  };
};
# The overlaid package set is reached through `python.pkgs`; `proxy` below
# references this derivation by store path and the final wrapper puts it on
# PATH via python.withPackages.
inherit (python.pkgs) authentik-django;
# Go server binary (cmd/server), installed as `authentik`. Its relative
# paths to the lifecycle scripts and web assets are rewritten to the store
# path of `authentik-django`.
proxy = buildGoModule {
  pname = "authentik-proxy";
  inherit version src meta;
  subPackages = [ "cmd/server" ];

  # Disables cgo for the build.
  CGO_ENABLED = 0;
  # Pins the Go module set the build is allowed to use.
  vendorHash = "sha256-BcL9QAc2jJqoPaQImJIFtCiu176nxmVcCLPjXjNBwqI=";

  # --replace-fail: a missing pattern fails the build rather than leaving
  # the relative path in place.
  postPatch = ''
    substituteInPlace internal/gounicorn/gounicorn.go \
      --replace-fail './lifecycle' "${authentik-django}/lifecycle"
    substituteInPlace web/static.go \
      --replace-fail './web' "${authentik-django}/web"
    substituteInPlace internal/web/static.go \
      --replace-fail './web' "${authentik-django}/web"
  '';

  postInstall = ''
    mv $out/bin/server $out/bin/authentik
  '';
};
299 in stdenvNoCC.mkDerivation {
pname = "authentik";
inherit src version;

# Drops the upstream Makefile, rewrites the `ak` script's shebang to a store
# interpreter, and redirects its printf output to stderr (the shell comment
# below gives the reason). Both substitutions use --replace-fail, so a
# changed script upstream fails the build rather than silently skipping the
# edit.
postPatch = ''
  rm Makefile
  patchShebangs lifecycle/ak

  # This causes issues in systemd services
  substituteInPlace lifecycle/ak \
    --replace-fail 'printf' '>&2 printf' \
    --replace-fail '> /dev/stderr' ""
'';
# Installs only the `ak` entry script and wraps it so that a Python
# environment carrying authentik-django and the Go `proxy` binary are on
# PATH. PYTHONDONTWRITEBYTECODE stops Python from trying to write .pyc files
# next to the read-only store copy; PYTHONUNBUFFERED keeps log output
# unbuffered. NOTE(review): TMPDIR is forced to /dev/shm, a RAM-backed tmpfs
# that is typically shared with every local user — temporary files written
# there rely on each writer creating them with restrictive permissions;
# confirm this is intended.
installPhase = ''
  runHook preInstall
  mkdir -p $out/bin
  cp -r lifecycle/ak $out/bin/

  wrapProgram $out/bin/ak \
    --prefix PATH : ${lib.makeBinPath [ (python.withPackages (ps: [ps.authentik-django])) proxy ]} \
    --set TMPDIR /dev/shm \
    --set PYTHONDONTWRITEBYTECODE 1 \
    --set PYTHONUNBUFFERED 1
  runHook postInstall
'';
# Outposts are packaged in the sibling ./outposts.nix and exposed here.
passthru.outposts = callPackages ./outposts.nix { };

# Provides wrapProgram for installPhase.
nativeBuildInputs = [ makeWrapper ];

# The shared meta (including its knownVulnerabilities) plus the program
# name used by `nix run` / lib.getExe.
meta = meta // {
  mainProgram = "ak";
};