Upstream unfortunately decided to deprecate the :latest tag

modules/authentik-ldap.nix

@@ -4,6 +4,7 @@ with lib;
 let
   cfg = config.services.authentik-ldap;
   conf = import ./vars.nix;
+  version = conf.authentik.version;
 in
 {
   options = {
@@ -17,7 +18,7 @@ in
 
   config = {
     virtualisation.oci-containers.containers."authentik-ldap" = {
-      image = "ghcr.io/goauthentik/ldap";
+      image = "ghcr.io/goauthentik/ldap:${version}";
       ports = [
         "389:3389"
         "636:6636"

modules/authentik-proxy.nix

@@ -4,6 +4,7 @@ with lib;
 let
   cfg = config.services.authentik-proxy;
   conf = import ./vars.nix;
+  version = conf.authentik.version;
 in
 {
   options = {
@@ -17,7 +18,7 @@ in
 
   config = {
     virtualisation.oci-containers.containers."authentik-proxy" = {
-      image = "ghcr.io/goauthentik/proxy";
+      image = "ghcr.io/goauthentik/proxy:${version}";
       ports = [ "9001:9000" ];
       environment = {
         AUTHENTIK_HOST = "https://${conf.authentik.domain}";

modules/authentik-server.nix

@@ -5,6 +5,7 @@ let
   domain = cfg.authentik.domain;
   redis = "6379";
   port = cfg.authentik.port;
+  version = conf.authentik.version;
   authentikEnvironment = {
     TZ = "Europe/Berlin";
     AUTHENTIK_REDIS__HOST = cfg.podman.hostIP;
@@ -57,7 +58,7 @@ in
   };
 
   virtualisation.oci-containers.containers.authentik-server = {
-    image = "ghcr.io/goauthentik/server";
+    image = "ghcr.io/goauthentik/server:${version}";
     extraOptions = cfg.podman.extraOptions;
     cmd = [ "server" ];
     dependsOn = [
@@ -75,7 +76,7 @@ in
   };
 
   virtualisation.oci-containers.containers.authentik-worker = {
-    image = "ghcr.io/goauthentik/server";
+    image = "ghcr.io/goauthentik/server:${version}";
     extraOptions = cfg.podman.extraOptions;
     cmd = [ "worker" ];
     dependsOn = [

modules/vars.nix

@@ -22,6 +22,7 @@
     domain = "auth.mc-fucker.cool";
     port = "9000";
     outpostPort = "9001";
+    version = "2025.4";
   };
 
   bookstack = {