@pathob pathob commented Jan 21, 2025

Hi,

I've been working quite a while on this authentik service module and now want to share it with the NixOS community. I'm aware of https://github.com/nix-community/authentik-nix/ but I've done a couple of things a bit differently.

Things that imho are solved better compared to authentik-nix:

  1. This module provides high-level config options for the most important settings while still allowing config to be set based on environment variables, so that starting a simple authentik instance is literally possible within seconds (authentik-nix requires providing an environment file for all settings).
  2. This module by default uses Unix sockets for Redis, which helps to prevent collisions with other services using Redis (authentik-nix uses a port).
  3. This module does NOT include Nginx to provide a reverse proxy with TLS certs (authentik-nix does).
  4. This module configures the service solely based on environment variables (authentik-nix additionally generates a config file based on the passed environment variables).

Things that are missing compared to authentik-nix:

  1. authentik-nix allows configuring authentik outposts also, which could be added to this module later.
  2. authentik-nix provides a pre-configured CLI wrapper, which would be nice to have for this module also, but which is not so easy to implement in a clean way. So I think it's okay that it's missing.
  3. authentik-nix has a dedicated oneshot service to run migrations. This module is oriented more toward the official docker-compose file, which just runs migrations with either the authentik-core or authentik-worker service.

In general I would say this module is implemented more in the NixOS way. But I also know that the 8 contributors of authentik-nix have invested a lot of brainpower and might have more experience with authentik and Linux / NixOS in general. And I may also have oversimplified things.

That being said, I'm looking forward to your reviews! Thanks!

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.


@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: documentation This PR adds or changes documentation 8.has: changelog This PR adds or changes release notes 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. labels Jan 21, 2025
@pathob pathob force-pushed the authentik-service branch 2 times, most recently from a633cda to ec4bc0e Compare January 21, 2025 12:10
@pathob pathob marked this pull request as ready for review January 21, 2025 12:19
@pathob pathob requested review from getchoo and drupol January 21, 2025 12:20
@wegank wegank added the 12.approvals: 1 This PR was reviewed and approved by one person. label Jan 22, 2025

pathob commented Jan 24, 2025

Hi @getchoo, sorry, I just added you silently as a reviewer because GitHub suggested you. Would you be available for a review? Alternatively, could you recommend someone who would be a good fit for a review? Thanks!

@h7x4 h7x4 added 8.has: module (new) This PR adds a module in `nixos/` 8.has: tests This PR has tests labels Jan 26, 2025

pathob commented Feb 3, 2025

Hi @wegank and @h7x4, since you two added labels, would you maybe be available for reviews also?

@pathob pathob force-pushed the authentik-service branch from ec4bc0e to 196dfec Compare February 8, 2025 13:45
@pathob pathob removed the request for review from getchoo February 8, 2025 13:47

pathob commented Feb 8, 2025

Today I figured out how to run the test and actually the test was not working. I've now changed the test itself and the locally created database to be connected to via a Unix socket rather than a port and now the test is running.

@wegank wegank removed the 12.approvals: 1 This PR was reviewed and approved by one person. label Feb 9, 2025
@pathob pathob requested a review from drupol February 13, 2025 06:06
@pathob pathob requested a review from drupol February 17, 2025 14:49

pathob commented Feb 17, 2025

@drupol Thanks for reviewing again and sorry for doing the wrong change back to handleTest, it's using runTest now.

Do you maybe have someone in mind that could do a second review + merge?

@wegank wegank added the 2.status: merge conflict This PR has merge conflicts with the target branch label Mar 16, 2025
@nixpkgs-ci nixpkgs-ci bot added the 12.approvals: 1 This PR was reviewed and approved by one person. label Jun 25, 2025
@nixpkgs-ci nixpkgs-ci bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Aug 16, 2025