packaging: add nix

.github/actions/apt/action.yml

@@ -191,6 +191,19 @@ runs:
           Content-Type: application/vnd.debian.binary-package
           Cache-Control: public, max-age=86400
 
+        # Nix binary cache headers
+        /nix/nix-cache-info
+          Content-Type: text/plain
+          Cache-Control: public, max-age=300
+
+        /nix/*.narinfo
+          Content-Type: text/x-nix-narinfo
+          Cache-Control: public, max-age=3600
+
+        /nix/nar/*
+          Content-Type: application/x-nix-archive
+          Cache-Control: public, max-age=604800
+
         # Security headers
         /*
           X-Frame-Options: DENY

.github/actions/nix/action.yml

@@ -0,0 +1,161 @@
+name: 'Build Nix Packages'
+description: 'Builds Nix packages and creates a binary cache'
+
+inputs:
+  signing-key:
+    description: 'Nix signing private key (plain text)'
+    required: false
+  output-path:
+    description: 'Output path for binary cache'
+    required: false
+    default: './nix-cache'
+  packages:
+    description: 'Space-separated list of cross-platform packages to build'
+    required: false
+    default: 'ak-cli ak-agent ak-browser-support'
+  linux-only-packages:
+    description: 'Space-separated list of Linux-only packages to build'
+    required: false
+    default: 'ak-sysd libpam-authentik libnss-authentik'
+
+outputs:
+  cache-path:
+    description: 'Path to generated binary cache'
+    value: ${{ steps.build.outputs.cache-path }}
+  cache-size:
+    description: 'Size of the generated cache'
+    value: ${{ steps.stats.outputs.size }}
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Setup output directory
+      id: setup
+      shell: bash
+      run: |
+        set -xeuo pipefail
+        mkdir -p "${{ inputs.output-path }}/nar"
+        CACHE_PATH=$(realpath "${{ inputs.output-path }}")
+        echo "cache-path=$CACHE_PATH" >> $GITHUB_OUTPUT
+        echo "CACHE_PATH=$CACHE_PATH" >> $GITHUB_ENV
+
+    - name: Setup signing key
+      if: ${{ inputs.signing-key != '' }}
+      shell: bash
+      run: |
+        set -xeuo pipefail
+        SIGNING_KEY_FILE="${{ runner.temp }}/nix-signing-key.pem"
+        echo "${{ inputs.signing-key }}" > "$SIGNING_KEY_FILE"
+        chmod 600 "$SIGNING_KEY_FILE"
+        echo "SIGNING_KEY_FILE=$SIGNING_KEY_FILE" >> $GITHUB_ENV
+
+    - name: Detect platform
+      id: platform
+      shell: bash
+      run: |
+        set -xeuo pipefail
+        case "$(uname -s)" in
+          Linux)  PLATFORM="linux" ;;
+          Darwin) PLATFORM="darwin" ;;
+          *)      PLATFORM="unknown" ;;
+        esac
+        echo "platform=$PLATFORM" >> $GITHUB_OUTPUT
+
+    - name: Build packages
+      id: build
+      shell: bash
+      run: |
+        set -xeuo pipefail
+
+        PACKAGES="${{ inputs.packages }}"
+        LINUX_ONLY_PACKAGES="${{ inputs.linux-only-packages }}"
+
+        # Build cross-platform packages
+        for pkg in $PACKAGES; do
+          echo "Building $pkg..."
+          nix build ".#$pkg" --no-link --print-out-paths
+        done
+
+        # Build Linux-only packages
+        if [ "${{ steps.platform.outputs.platform }}" = "linux" ]; then
+          for pkg in $LINUX_ONLY_PACKAGES; do
+            echo "Building $pkg..."
+            nix build ".#$pkg" --no-link --print-out-paths
+          done
+        fi
+
+        echo "cache-path=$CACHE_PATH" >> $GITHUB_OUTPUT
+
+    - name: Copy to binary cache
+      shell: bash
+      run: |
+        set -xeuo pipefail
+
+        PACKAGES="${{ inputs.packages }}"
+        LINUX_ONLY_PACKAGES="${{ inputs.linux-only-packages }}"
+
+        # Determine signing args
+        SIGN_ARGS=""
+        if [ -n "${SIGNING_KEY_FILE:-}" ]; then
+          SIGN_ARGS="--secret-key-files $SIGNING_KEY_FILE"
+        fi
+
+        # Copy cross-platform packages
+        for pkg in $PACKAGES; do
+          echo "Copying $pkg to cache..."
+          nix copy --to "file://$CACHE_PATH" ".#$pkg" $SIGN_ARGS
+        done
+
+        # Copy Linux-only packages
+        if [ "${{ steps.platform.outputs.platform }}" = "linux" ]; then
+          for pkg in $LINUX_ONLY_PACKAGES; do
+            echo "Copying $pkg to cache..."
+            nix copy --to "file://$CACHE_PATH" ".#$pkg" $SIGN_ARGS
+          done
+        fi
+
+    - name: Create cache metadata
+      shell: bash
+      run: |
+        set -xeuo pipefail
+        cat > "$CACHE_PATH/nix-cache-info" << EOF
+        StoreDir: /nix/store
+        WantMassQuery: 1
+        Priority: 40
+        EOF
+
+    - name: Generate cache statistics
+      id: stats
+      shell: bash
+      run: |
+        set -xeuo pipefail
+        cd "$CACHE_PATH"
+
+        size=$(du -sh . | cut -f1)
+        echo "Cache size: $size"
+        echo "size=$size" >> $GITHUB_OUTPUT
+
+        # Count files
+        narinfo_count=$(find . -name "*.narinfo" 2>/dev/null | wc -l | tr -d ' ')
+        nar_count=$(find ./nar -name "*.nar*" 2>/dev/null | wc -l | tr -d ' ')
+        echo "NAR info files: $narinfo_count"
+        echo "NAR archives: $nar_count"
+        echo "narinfo-count=$narinfo_count" >> $GITHUB_OUTPUT
+        echo "nar-count=$nar_count" >> $GITHUB_OUTPUT
+
+        echo "Cache structure:"
+        find . -type f | head -20
+
+    - name: Validate cache structure
+      shell: bash
+      run: |
+        set -xeuo pipefail
+        cd "$CACHE_PATH"
+
+        # Check required files exist
+        if [ ! -f "nix-cache-info" ]; then
+          echo "Error: nix-cache-info missing"
+          exit 1
+        fi
+
+        echo "Cache validation passed"

.github/actions/repo/index.html

@@ -57,6 +57,67 @@ <h3>Step 2: Install</h3>
         </div>
     </div>
     <div class="section-b">
+        <h2>Nix/NixOS Setup</h2>
+        <div class="step">
+            <h3>Option 1: Direct Installation</h3>
+            <pre class="command"># Install with binary cache
+nix profile install github:goauthentik/platform#ak-cli \
+  --extra-substituters "${REPOSITORY_URL}nix" \
+  --extra-trusted-public-keys "authentik-pkg:ZZHUD/9SkS8T1BVVoksE/+QjIo0s3F8/AM/h0J3ckaw="
+
+# Available packages: ak-cli, ak-sysd, ak-agent, ak-browser-support
+# Linux only: libpam-authentik, libnss-authentik</pre>
+        </div>
+        <div class="step">
+            <h3>Option 2: Permanent Cache Configuration</h3>
+            <p>Add to <code>/etc/nix/nix.conf</code> or <code>~/.config/nix/nix.conf</code>:</p>
+            <pre class="command">extra-substituters = ${REPOSITORY_URL}nix
+extra-trusted-public-keys = authentik-pkg:ZZHUD/9SkS8T1BVVoksE/+QjIo0s3F8/AM/h0J3ckaw=</pre>
+            <p>Then install normally:</p>
+            <pre class="command">nix profile install github:goauthentik/platform#ak-cli</pre>
+        </div>
+        <div class="step">
+            <h3>Option 3: NixOS Configuration</h3>
+            <pre class="command"># In your flake.nix inputs:
+authentik.url = "github:goauthentik/platform";
+
+# In your NixOS configuration:
+{ authentik, ... }: {
+  imports = [ authentik.nixosModules.default ];
+  services.authentik = {
+    enable = true;
+    enablePAM = true;
+    enableNSS = true;
+  };
+}</pre>
+        </div>
+        <div class="step">
+            <h3>Option 4: nix-darwin Configuration (macOS)</h3>
+            <pre class="command"># In your flake.nix inputs:
+authentik.url = "github:goauthentik/platform";
+
+# In your darwin configuration:
+{ authentik, ... }: {
+  imports = [ authentik.darwinModules.default ];
+  nixpkgs.overlays = [ authentik.overlays.default ];
+  services.authentik.enable = true;
+}</pre>
+            <p>This installs the .app bundle to <code>/Applications/</code> and configures launchd to run ak-sysd.</p>
+        </div>
+        <div class="step">
+            <h3>Available Nix Packages</h3>
+            <table style="width: 100%; border-collapse: collapse;">
+                <tr style="background: #e0e0e0;"><th style="padding: 8px; text-align: left;">Package</th><th style="padding: 8px; text-align: left;">Description</th><th style="padding: 8px; text-align: left;">Platforms</th></tr>
+                <tr><td style="padding: 8px;"><code>ak-cli</code></td><td style="padding: 8px;">Command-line interface</td><td style="padding: 8px;">Linux, macOS</td></tr>
+                <tr><td style="padding: 8px;"><code>ak-sysd</code></td><td style="padding: 8px;">System daemon</td><td style="padding: 8px;">Linux, macOS</td></tr>
+                <tr><td style="padding: 8px;"><code>ak-agent</code></td><td style="padding: 8px;">Local agent (includes all binaries on macOS)</td><td style="padding: 8px;">Linux, macOS</td></tr>
+                <tr><td style="padding: 8px;"><code>ak-browser-support</code></td><td style="padding: 8px;">Browser extension support</td><td style="padding: 8px;">Linux, macOS</td></tr>
+                <tr><td style="padding: 8px;"><code>libpam-authentik</code></td><td style="padding: 8px;">PAM authentication module</td><td style="padding: 8px;">Linux</td></tr>
+                <tr><td style="padding: 8px;"><code>libnss-authentik</code></td><td style="padding: 8px;">NSS name resolution module</td><td style="padding: 8px;">Linux</td></tr>
+            </table>
+        </div>
+    </div>
+    <div class="section-a">
         <h2>Repository Information</h2>
         <p><strong>Built from:</strong> ${REF} (<a href="https://github.com/goauthentik/platform/commit/${SHA}">${SHA}</a>)</p>
         <p><strong>GPG Key fingerprint:</strong> <code>82EE AAD5 531A 856A 9C72 6132 2217 2AF2 AAE3 A237</code></p>

.github/workflows/build.yml

@@ -132,11 +132,41 @@ jobs:
         with:
           name: authentik_${{ matrix.platform }}_${{ matrix.target }}
           path: bin/
+  build_nix:
+    name: Build (Nix)
+    strategy:
+      fail-fast: false
+      matrix:
+        platform:
+          - ubuntu-24.04
+          - ubuntu-24.04-arm
+          - macos-15
+    runs-on: ${{ matrix.platform }}
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: DeterminateSystems/nix-installer-action@v21
+      - uses: DeterminateSystems/magic-nix-cache-action@v13
+      - uses: ./.github/actions/nix
+        id: nix-build
+        with:
+          signing-key: ${{ secrets.NIX_SIGNING_KEY }}
+          output-path: ./nix-cache
+      - name: Show build info
+        shell: bash
+        run: |
+          echo "Cache size: $NIX_CACHE_SIZE"
+        env:
+          NIX_CACHE_SIZE: ${{ steps.nix-build.outputs.cache-size }}
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v5
+        with:
+          name: nix-cache-${{ matrix.platform }}
+          path: ./nix-cache/
   deploy:
     needs:
       - build_go
       - build_js
       - build_rs
+      - build_nix
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
@@ -150,6 +180,37 @@ jobs:
         with:
           package-path: bin/
           gpg-private-key: "${{ secrets.GPG_PRIVATE }}"
+      - name: Merge Nix caches
+        shell: bash
+        run: |
+          set -xeuo pipefail
+          mkdir -p ./repo/nix/nar
+
+          # Merge all platform caches
+          for cache_dir in ./bin/nix-cache-*/; do
+            if [ -d "$cache_dir" ]; then
+              echo "Merging cache from: $cache_dir"
+              # Copy narinfo files (don't overwrite existing)
+              find "$cache_dir" -maxdepth 1 -name "*.narinfo" -exec cp -n {} ./repo/nix/ \; 2>/dev/null || true
+              # Copy nar archives
+              if [ -d "$cache_dir/nar" ]; then
+                find "$cache_dir/nar" -name "*.nar*" -exec cp -n {} ./repo/nix/nar/ \; 2>/dev/null || true
+              fi
+            fi
+          done
+
+          # Create unified nix-cache-info
+          cat > ./repo/nix/nix-cache-info << EOF
+          StoreDir: /nix/store
+          WantMassQuery: 1
+          Priority: 40
+          EOF
+
+          # Show cache stats
+          echo "Merged Nix cache:"
+          du -sh ./repo/nix
+          echo "NAR info files: $(find ./repo/nix -maxdepth 1 -name '*.narinfo' | wc -l)"
+          echo "NAR archives: $(find ./repo/nix/nar -name '*.nar*' 2>/dev/null | wc -l)"
       - name: Upload repository
         uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v5
         with:
@@ -171,12 +232,16 @@ jobs:
     steps:
       - name: Determine component name
         id: component
+        shell: bash
         run: |
-          if [ "${{ github.event_name }}" = "pull_request" ]; then
-            echo "component=pr-${{ github.event.number }}" >> $GITHUB_OUTPUT
+          if [ "$EVENT_NAME" = "pull_request" ]; then
+            echo "component=pr-$EVENT_NUMBER" >> $GITHUB_OUTPUT
           else
             echo "component=main" >> $GITHUB_OUTPUT
           fi
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          EVENT_NUMBER: ${{ github.event.number }}
       - name: Download repository
         uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v6
         with:
@@ -187,6 +252,11 @@ jobs:
         with:
           name: all-packages
           path: ./deploy/packages
+      - name: Show deployment structure
+        shell: bash
+        run: |
+          echo "APT repo size: $(du -sh ./deploy/dists 2>/dev/null | cut -f1 || echo 'N/A')"
+          echo "Nix cache size: $(du -sh ./deploy/nix 2>/dev/null | cut -f1 || echo 'N/A')"
       - id: app-token
         uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:

.gitignore

@@ -106,3 +106,6 @@ target/
 #  and can be added to the global gitignore or merged into this file.  For a more nuclear
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
 #.idea/
+
+# Nix symlink
+result