authorMax Audron <audron@cocaine.farm>2023-10-13 12:55:30 +0200
committerMax Audron <audron@cocaine.farm>2023-10-13 13:22:06 +0200
commit01fe8dff8cc5577a29a28e8e0d4038b76d7bfc75 (patch)
treef09490facc339f5fdccbe76f734182ac277a89f4 /modules/authentik
parentupdate nixinate to use nixos module (diff)
package authentik for nixos
Diffstat (limited to 'modules/authentik')
-rw-r--r--modules/authentik/authentik-outpost-ldap.nix17
-rw-r--r--modules/authentik/authentik-outpost-proxy.nix17
-rw-r--r--modules/authentik/authentik-server.nix33
-rw-r--r--modules/authentik/authentik-web.nix27
-rw-r--r--modules/authentik/authentik.nix102
-rw-r--r--modules/authentik/default.nix5
-rw-r--r--modules/authentik/pyproject.diff28
l---------modules/authentik/result1
8 files changed, 230 insertions, 0 deletions
diff --git a/modules/authentik/authentik-outpost-ldap.nix b/modules/authentik/authentik-outpost-ldap.nix
new file mode 100644
index 0000000..e2031cc
--- /dev/null
+++ b/modules/authentik/authentik-outpost-ldap.nix
@@ -0,0 +1,17 @@
+{ lib, stdenv, buildGoModule, fetchFromGitHub, ... }:
+
+buildGoModule rec {
+ pname = "authentik-outpost-ldap";
+ version = "2023.8.3";
+
+ src = fetchFromGitHub {
+ owner = "goauthentik";
+ repo = "authentik";
+ rev = "version/${version}";
+ hash = "sha256-dpGvxhA5NWO8LKrGXzalV9EVn/nUIj6sMy2HdY5tjlM=";
+ };
+
+ vendorHash = "sha256-F3JzzL6Gg9H4qdmp4MbQFupccATYIUIFL05is6xzoZY=";
+
+ subPackages = [ "cmd/ldap" ];
+}
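Review bot: `version`, the `src` hash and `vendorHash` are copied verbatim into this file, authentik-outpost-proxy.nix and authentik-server.nix, and `version`/`src` again into authentik-web.nix and authentik.nix, so a bump has to touch five places, and missing one builds the outpost from a different release than the server it talks to. Keeping the three values in one shared file and writing `inherit (common) version src vendorHash;` in each derivation removes that failure mode. `lib` and `stdenv` are unused arguments here and in the proxy file, and neither derivation sets `meta` (at least `description` and `license`).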
diff --git a/modules/authentik/authentik-outpost-proxy.nix b/modules/authentik/authentik-outpost-proxy.nix
new file mode 100644
index 0000000..ee19267
--- /dev/null
+++ b/modules/authentik/authentik-outpost-proxy.nix
@@ -0,0 +1,17 @@
+{ lib, stdenv, buildGoModule, fetchFromGitHub, ... }:
+
+buildGoModule rec {
+ pname = "authentik-outpost-proxy";
+ version = "2023.8.3";
+
+ src = fetchFromGitHub {
+ owner = "goauthentik";
+ repo = "authentik";
+ rev = "version/${version}";
+ hash = "sha256-dpGvxhA5NWO8LKrGXzalV9EVn/nUIj6sMy2HdY5tjlM=";
+ };
+
+ vendorHash = "sha256-F3JzzL6Gg9H4qdmp4MbQFupccATYIUIFL05is6xzoZY=";
+
+ subPackages = [ "cmd/proxy" ];
+}
diff --git a/modules/authentik/authentik-server.nix b/modules/authentik/authentik-server.nix
new file mode 100644
index 0000000..8fefc95
--- /dev/null
+++ b/modules/authentik/authentik-server.nix
@@ -0,0 +1,33 @@
+{ lib, stdenv, buildGoModule, fetchFromGitHub, python3Packages, makeWrapper, callPackage, ... }:
+
+let authentik = callPackage ./authentik.nix { };
+in
+buildGoModule rec {
+ pname = "authentik-server";
+ version = "2023.8.3";
+
+ src = fetchFromGitHub {
+ owner = "goauthentik";
+ repo = "authentik";
+ rev = "version/${version}";
+ hash = "sha256-dpGvxhA5NWO8LKrGXzalV9EVn/nUIj6sMy2HdY5tjlM=";
+ };
+
+ vendorHash = "sha256-F3JzzL6Gg9H4qdmp4MbQFupccATYIUIFL05is6xzoZY=";
+
+ subPackages = [ "cmd/server" ];
+
+ postPatch = ''
+ substituteInPlace internal/gounicorn/gounicorn.go \
+ --replace "./manage.py" "${authentik}/bin/manage.py"
+
+ substituteInPlace internal/gounicorn/gounicorn.go \
+ --replace "./lifecycle" "${authentik}/bin"
+ '';
+
+ postInstall = ''
+ wrapProgram "$out/bin/server" --set PATH ${python3Packages.gunicorn}/bin
+ '';
+
+ nativeBuildInputs = [ makeWrapper ];
+}
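Review bot: Both `substituteInPlace ... --replace` calls in `postPatch` succeed even when the pattern is absent. After a version bump that moves or renames those literals, the build would still pass and the server would keep `./manage.py` and `./lifecycle`, resolved against whatever working directory the service starts in. On a nixpkgs that provides it, `--replace-fail` turns a miss into a build error; otherwise a `grep -q "${authentik}/bin" internal/gounicorn/gounicorn.go` after the substitutions gives the same guarantee. Separately, `--set PATH` in `postInstall` discards the inherited PATH; if that is deliberate, a comment such as `# hermetic PATH: gunicorn is the only program the server may spawn by name` would record it, and `lib.makeBinPath [ python3Packages.gunicorn ]` is the usual spelling. It is also worth confirming that the rewritten `./lifecycle` prefix lines up with authentik.nix, which installs the gunicorn config as `bin/gunicorn.py` rather than under its original file name.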
diff --git a/modules/authentik/authentik-web.nix b/modules/authentik/authentik-web.nix
new file mode 100644
index 0000000..3fbf416
--- /dev/null
+++ b/modules/authentik/authentik-web.nix
@@ -0,0 +1,27 @@
+{ lib, stdenv, buildNpmPackage, fetchFromGitHub, python3, ... }:
+
+buildNpmPackage rec {
+ pname = "authentik-web";
+ version = "2023.8.3";
+
+ src = fetchFromGitHub {
+ owner = "goauthentik";
+ repo = "authentik";
+ rev = "version/${version}";
+ hash = "sha256-dpGvxhA5NWO8LKrGXzalV9EVn/nUIj6sMy2HdY5tjlM=";
+ };
+
+ sourceRoot = "source/web";
+
+ npmDepsHash = "sha256-kCKtrsUA7VLHzf9SR/UW1z3RCpQc5r5sa/f4dxonTZ0=";
+ npmPackFlags = [ "--ignore-scripts" ];
+ npmBuildScript = "build";
+
+ nativeBuildInputs = [ python3 ];
+
+ installPhase = ''
+ mkdir $out
+ cp -r dist/ $out/
+ cp -r authentik/ $out/
+ '';
+}
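Review bot: `npmPackFlags = [ "--ignore-scripts" ];` appears to have no effect here, because the custom `installPhase` replaces the default install hook, which is the step that runs `npm pack`. A reader could take the line to mean that dependency lifecycle scripts are disabled for this build, which it does not do. I would drop it, or if the intent is to keep dependency scripts from running, move the flag to `npmFlags` and confirm with a test build. The overridden `installPhase` also omits `runHook preInstall` and `runHook postInstall`, so a `postInstall` added later would silently not run.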
diff --git a/modules/authentik/authentik.nix b/modules/authentik/authentik.nix
new file mode 100644
index 0000000..5b87de7
--- /dev/null
+++ b/modules/authentik/authentik.nix
@@ -0,0 +1,102 @@
+{ lib, stdenv, python3Packages, poetry, codespell, callPackage, ... }:
+
+with python3Packages;
+
+let
+ server = callPackage ./authentik-server.nix { };
+ web = callPackage ./authentik-web.nix { };
+in
+buildPythonPackage rec {
+ pname = "authentik";
+ version = "2023.8.3";
+
+ format = "pyproject";
+ src = pkgs.fetchFromGitHub {
+ owner = "goauthentik";
+ repo = pname;
+ rev = "version/${version}";
+ hash = "sha256-dpGvxhA5NWO8LKrGXzalV9EVn/nUIj6sMy2HdY5tjlM=";
+ };
+
+ patches = [ ./pyproject.diff ];
+
+ postPatch = ''
+ substituteInPlace pyproject.toml \
+ --replace "psycopg2-binary" "psycopg2"
+
+ substituteInPlace lifecycle/ak \
+ --replace "python -m manage" "${placeholder "out"}/bin/manage.py"
+ patchShebangs lifecycle/ak
+ '';
+
+ postInstall = ''
+ cp -a ./lifecycle $out/${python.sitePackages}
+ cp -a ./lifecycle/gunicorn.conf.py $out/bin/gunicorn.py
+ chmod +x $out/bin/gunicorn.py
+ cp -a ./manage.py $out/bin/manage.py
+ '';
+
+ passthru.proxy = callPackage ./authentik-outpost-proxy.nix { };
+
+ propagatedBuildInputs = [
+ poetry
+ poetry-core
+
+ psycopg2
+ argon2-cffi
+ celery
+ channels
+ channels-redis
+ codespell
+ colorama
+ dacite
+ deepmerge
+ defusedxml
+ django
+ django-filter
+ django-guardian
+ django-model-utils
+ django-otp
+ django-prometheus
+ django-redis
+ djangorestframework
+ djangorestframework-guardian
+ docker
+ drf-spectacular
+ duo-client
+ facebook-sdk
+ flower
+ geoip2
+ gunicorn
+ kubernetes
+ ldap3
+ lxml
+ opencontainers
+ packaging
+ paramiko
+ psycopg
+ pycryptodome
+ pydantic
+ pydantic-scim
+ pyjwt
+ pyyaml
+ requests-oauthlib
+ sentry-sdk
+ service-identity
+ structlog
+ swagger-spec-validator
+ twilio
+ twisted
+ ua-parser
+ urllib3
+ uvicorn
+ watchdog
+ webauthn
+ wsproto
+ xmlsec
+ zxcvbn
+ jsonpatch
+ ]
+ ++ channels.optional-dependencies.daphne
+ ++ uvicorn.optional-dependencies.standard;
+}
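Review bot: `propagatedBuildInputs` puts the full `poetry` CLI and `poetry-core` into the runtime closure of the identity provider, although with `format = "pyproject"` they are presumably needed only to build the wheel. Unless something imports them at runtime, `nativeBuildInputs = [ poetry-core ];` with `poetry` dropped keeps the deployed closure to what the service actually loads. The `let` bindings `server` and `web` are never referenced in this file, and `server` calls back into authentik-server.nix, which itself does `callPackage ./authentik.nix`; that only evaluates because the bindings are unused, so either remove them or expose them the way `passthru.proxy` is exposed. `pkgs.fetchFromGitHub` resolves only through `with python3Packages;`, since `pkgs` is not an argument of this file; taking `fetchFromGitHub` as an argument, as the other four derivations do, is clearer.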
diff --git a/modules/authentik/default.nix b/modules/authentik/default.nix
new file mode 100644
index 0000000..865d469
--- /dev/null
+++ b/modules/authentik/default.nix
@@ -0,0 +1,5 @@
+{ config, lib, pkgs, ... }:
+
+{
+
+}
diff --git a/modules/authentik/pyproject.diff b/modules/authentik/pyproject.diff
new file mode 100644
index 0000000..1a92468
--- /dev/null
+++ b/modules/authentik/pyproject.diff
@@ -0,0 +1,28 @@
+--- a/pyproject.toml 2023-10-13 10:23:10.097492489 +0200
++++ b/pyproject.toml 2023-10-13 10:28:17.249270967 +0200
+@@ -137,7 +137,6 @@
+ djangorestframework-guardian = "*"
+ docker = "*"
+ drf-spectacular = "*"
+-dumb-init = "*"
+ duo-client = "*"
+ facebook-sdk = "*"
+ flower = "*"
+@@ -154,7 +153,7 @@
+ pydantic = "<3.0.0"
+ pydantic-scim = "^0.0.7"
+ pyjwt = "*"
+-python = "^3.11"
++python = "^3.10"
+ pyyaml = "*"
+ requests-oauthlib = "*"
+ sentry-sdk = "*"
+@@ -164,7 +163,7 @@
+ twilio = "*"
+ twisted = "*"
+ ua-parser = "*"
+-urllib3 = { extras = ["secure"], version = "*" }
++urllib3 = "*"
+ uvicorn = { extras = ["standard"], version = "*" }
+ watchdog = "*"
+ webauthn = "*"
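Review bot: Lowering `python = "^3.11"` to `^3.10` only relaxes the metadata check and does not make the code run on 3.10, and the committed `result` link shows the package was in fact built as `python3.10-authentik`. Upstream declares 3.11 as its minimum, so any 3.11-only construct would presumably surface at runtime inside the authentication service rather than at build time. Building against `python311Packages` in authentik.nix and dropping this hunk of the patch avoids carrying that risk. If 3.10 has to stay, a comment next to `patches = [ ./pyproject.diff ];` should say why and what was tested.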
diff --git a/modules/authentik/result b/modules/authentik/result
new file mode 120000
index 0000000..8b5b976
--- /dev/null
+++ b/modules/authentik/result
@@ -0,0 +1 @@
+/nix/store/s6d9g5p5kjzfxilajmwqsdzcs8l5i5zw-python3.10-authentik-2023.8.3 \ No newline at end of file
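Review bot: `result` is the output symlink a local `nix-build` leaves behind (mode 120000) and points at a store path on the author's machine, so it dangles in every other checkout. It should be removed from the commit and ignored, for example with a `.gitignore` line `result`.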