diff --git a/flake.lock b/flake.lock
index 60b3187..0694271 100644
--- a/flake.lock
+++ b/flake.lock
@@ -3,16 +3,16 @@
 "authentik-src": {
 "flake": false,
 "locked": {
- "lastModified": 1757951234,
- "narHash": "sha256-4RU/mllgqoykXqeO67iodmhsgIrJqow0LitaQGLKS8Q=",
+ "lastModified": 1758035356,
+ "narHash": "sha256-DkvxDwHCfSqEpZ9rRXNR8MP0Mz/y1kHAr38exrHQ39c=",
 "owner": "goauthentik",
 "repo": "authentik",
- "rev": "28ff5614006ceea21b2633da8c675eb75c6bacdd",
+ "rev": "680feaefa17934471a6b33ebc35caf5b64120404",
 "type": "github"
 },
 "original": {
 "owner": "goauthentik",
- "ref": "version/2025.8.2",
+ "ref": "version/2025.8.3",
 "repo": "authentik",
 "type": "github"
 }
diff --git a/flake.nix b/flake.nix
index 3821f73..8d7627d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -42,7 +42,7 @@
 };
 authentik-src = {
 # change version string in outputs as well when updating
- url = "github:goauthentik/authentik/version/2025.8.2";
+ url = "github:goauthentik/authentik/version/2025.8.3";
 flake = false;
 };
 };
@@ -67,7 +67,7 @@
 ...
 }:
 let
- authentik-version = "2025.8.2"; # to pass to the drvs of some components
+ authentik-version = "2025.8.3"; # to pass to the drvs of some components
 in
 {
 systems = import inputs.systems;
diff --git a/module.nix b/module.nix
index 07ec79f..39620d0 100644
--- a/module.nix
+++ b/module.nix
@@ -103,12 +103,40 @@ in
 ```
 '';
 };
+
+ worker = {
+ listenHTTP = mkOption {
+ type = types.str;
+ default = "[::1]:9001";
+ description = ''
+ Listen address for the HTTP server of the worker.
+ Overrides the default listen setting that's also used by the server.
+ '';
+ };
+ listenMetrics = mkOption {
+ type = types.str;
+ default = "[::1]:9301";
+ description = ''
+ Listen address for the metrics server of the worker.
+ Overrides the default listen setting that's also used by the server.
+ '';
+ };
+ };
 };
 # LDAP oupost
 authentik-ldap = {
 enable = mkEnableOption "authentik LDAP outpost";
+ listenMetrics = mkOption {
+ type = types.str;
+ default = "[::1]:9302";
+ description = ''
+ Listen address for the metrics server of the LDAP outpost.
+ Overrides the default listen setting that's also used by the server.
+ '';
+ };
+
 environmentFile = mkOption {
 type = types.nullOr pathToSecret;
 default = null;
@@ -132,6 +160,31 @@ in
 authentik-proxy = {
 enable = mkEnableOption "authentik Proxy outpost";
+ listenMetrics = mkOption {
+ type = types.str;
+ default = "[::1]:9303";
+ description = ''
+ Listen address for the metrics server of the proxy outpost.
+ Overrides the default listen setting that's also used by the server.
+ '';
+ };
+ listenHTTPS = mkOption {
+ type = types.str;
+ default = "[::1]:9004";
+ description = ''
+ Listen address for the HTTPS server of the proxy outpost.
+ Overrides the default listen setting that's also used by the server.
+ '';
+ };
+ listenHTTP = mkOption {
+ type = types.str;
+ default = "[::1]:9005";
+ description = ''
+ Listen address for the HTTP server of the proxy outpost.
+ Overrides the default listen setting that's also used by the server.
+ '';
+ };
+
 environmentFile = mkOption {
 type = types.nullOr pathToSecret;
 default = null;
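Review bot: The new `listenMetrics` descriptions (here for the worker and LDAP outpost, and again for the proxy outpost in the hunk at +160 and the RADIUS outpost at +208) say only that the value "Overrides the default listen setting that's also used by the server", which does not tell an operator what changing it implies. The VM test in this commit fetches `/metrics` with a bare `curl`, so these listeners appear to serve without authentication; a sentence such as `Binding to a non-loopback address exposes the metrics endpoint to the network; keep the loopback default unless a scraper on another host needs it.` would make the loopback defaults self-explaining. The same sentence fits the worker's `listenHTTP` and the proxy's `listenHTTP`/`listenHTTPS`, whose descriptions are otherwise copies of the metrics text. The `options` attribute set these belong to starts and ends outside the hunk.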
@@ -155,6 +208,15 @@ in
 authentik-radius = {
 enable = mkEnableOption "authentik RADIUS outpost";
+ listenMetrics = mkOption {
+ type = types.str;
+ default = "[::1]:9306";
+ description = ''
+ Listen address for the metrics server of the RADIUS outpost.
+ Overrides the default listen setting that's also used by the server.
+ '';
+ };
+
 environmentFile = mkOption {
 type = types.nullOr pathToSecret;
 default = null;
@@ -263,13 +325,15 @@ in
 systemd.services = {
 authentik-migrate = {
- requiredBy = [ "authentik.service" ];
 requires = lib.optionals cfg.createDatabase [ "postgresql.service" ];
 wants = [ "network-online.target" ];
 after = [ "network-online.target" ] ++ lib.optionals cfg.createDatabase [ "postgresql.service" ];
- before = [ "authentik.service" ];
+ before = [ "authentik.service" "authentik-migrate.service" ];
 restartTriggers = [ config.environment.etc."authentik/config.yml".source ];
- environment = mkMerge [ environment { TZ = tz; } ];
+ environment = mkMerge [
+ environment
+ { TZ = tz; }
+ ];
 serviceConfig = mkMerge [
 serviceDefaults
 {
@@ -289,7 +353,6 @@ in
 ];
 };
 authentik-worker = {
- requiredBy = [ "authentik.service" ];
 wants = [ "network-online.target" ];
 after = [ "network-online.target" ];
 before = [ "authentik.service" ];
@@ -297,7 +360,14 @@ in
 preStart = ''
 ln -svf ${config.services.authentik.authentikComponents.staticWorkdirDeps}/* /run/authentik/
 '';
- environment = mkMerge [ environment { TZ = tz; } ];
+ environment = mkMerge [
+ environment
+ {
+ TZ = tz;
+ AUTHENTIK_LISTEN__LISTEN_HTTP = cfg.worker.listenHTTP;
+ AUTHENTIK_LISTEN__LISTEN_METRICS = cfg.worker.listenMetrics;
+ }
+ ];
 serviceConfig = mkMerge [
 serviceDefaults
 {
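Review bot: In the `authentik-migrate` unit (hunk at +325), `before = [ "authentik.service" "authentik-migrate.service" ];` orders the unit before itself; systemd drops a self-dependency with a journal warning, so the added entry changes nothing. Given that `authentik.service` now `requires` both `authentik-migrate.service` and `authentik-worker.service` while the worker is only ordered before `authentik.service`, the intent was presumably to finish migrations before the worker starts, which would be `before = [ "authentik.service" "authentik-worker.service" ];`. Without that ordering the worker can come up while the schema migration is still running. The migrate unit's definition continues past the hunk.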
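Review bot: The worker's new environment entries (hunk at +360) are spelled `AUTHENTIK_LISTEN__LISTEN_HTTP` and `AUTHENTIK_LISTEN__LISTEN_METRICS`, while the outpost units later in this file (+452, +479, +510) use `AUTHENTIK_LISTEN__METRICS` and `AUTHENTIK_LISTEN__HTTP`. If the two spellings are deliberate because the worker and the outposts read their listen settings through different configuration loaders, a comment on the worker block, e.g. `# the worker keys are listen.listen_*; the outposts below use listen.*`, would stop a later reader from "harmonising" one to the other and silently losing the override. The VM test only probes port 9301, so the `listenHTTP` value stays unverified; a `machine.wait_for_open_port(9001)` in the new subtest would cover it. The `authentik-worker` unit continues past the hunk.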
@@ -318,10 +388,15 @@ in
 authentik = {
 wantedBy = [ "multi-user.target" ];
 wants = [ "network-online.target" ];
+ requires = [
+ "authentik-migrate.service"
+ "authentik-worker.service"
+ ];
 after = [
 "network-online.target"
 "redis-authentik.service"
- ] ++ (lib.optionals cfg.createDatabase [ "postgresql.service" ]);
+ ]
+ ++ (lib.optionals cfg.createDatabase [ "postgresql.service" ]);
 restartTriggers = [ config.environment.etc."authentik/config.yml".source ];
 preStart = ''
 ln -svf ${cfg.authentikComponents.staticWorkdirDeps}/* /var/lib/authentik/
@@ -329,7 +404,10 @@ in
 mkdir -p ${cfg.settings.storage.media.file.path}
 ''}
 '';
- environment = mkMerge [ environment { TZ = tz; } ];
+ environment = mkMerge [
+ environment
+ { TZ = tz; }
+ ];
 serviceConfig = mkMerge [
 serviceDefaults
 {
@@ -374,6 +452,7 @@ in
 "network-online.target"
 "authentik.service"
 ];
+ environment.AUTHENTIK_LISTEN__METRICS = cfg.listenMetrics;
 serviceConfig = {
 RuntimeDirectory = "authentik-ldap";
 UMask = "0027";
@@ -400,6 +479,11 @@ in
 "network-online.target"
 "authentik.service"
 ];
+ environment = {
+ AUTHENTIK_LISTEN__METRICS = cfg.listenMetrics;
+ AUTHENTIK_LISTEN__HTTP = cfg.listenHTTP;
+ AUTHENTIK_LISTEN__HTTPS = cfg.listenHTTPS;
+ };
 serviceConfig = {
 RuntimeDirectory = "authentik-proxy";
 UMask = "0027";
@@ -426,6 +510,7 @@ in
 "network-online.target"
 "authentik.service"
 ];
+ environment.AUTHENTIK_LISTEN__METRICS = cfg.listenMetrics;
 serviceConfig = {
 RuntimeDirectory = "authentik-radius";
 UMask = "0027";
diff --git a/tests/minimal-vmtest.nix b/tests/minimal-vmtest.nix
index dfb7c52..12c35df 100644
--- a/tests/minimal-vmtest.nix
+++ b/tests/minimal-vmtest.nix
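Review bot: The `authentik` unit (hunk at +388) gains `requires = [ "authentik-migrate.service" "authentik-worker.service" ];` but its `after` list in the same hunk was not extended; `Requires=` carries no ordering, so start order still rests entirely on the `before = [ "authentik.service" ]` lines in the two required units, which live in earlier hunks of this file. That works today, but the ordering is invisible at the place that declares the dependency and disappears if someone later edits those units. Adding `"authentik-migrate.service"` and `"authentik-worker.service"` to the `after` list next to `requires` makes the unit self-describing. The unit's body continues past the hunk.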
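Review bot: Style point on the proxy outpost (hunk at +479): it sets its listen variables with an `environment = { ... };` attribute set, whereas the LDAP (+452) and RADIUS (+510) hunks use the path form `environment.AUTHENTIK_LISTEN__METRICS = cfg.listenMetrics;`. Both forms merge identically in the module system, so behaviour is unaffected, but using one form across the three outpost units makes the diff easier to scan and later edits less likely to diverge. Each outpost unit starts and ends outside its hunk.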
@@ -91,5 +91,12 @@ pkgs.nixosTest {
 machine.succeed("su - alice -c 'firefox http://localhost/' >&2 &")
 machine.wait_for_text("authentik")
 machine.screenshot("5_nginx_proxies_requests")
+
+ with subtest("metrics & worker"):
+ machine.wait_for_open_port(9300)
+ machine.wait_for_open_port(9301)
+
+ print(machine.succeed("curl -L localhost:9300/metrics | grep authentik_outpost_connection | grep 'Embedded'"))
+ print(machine.succeed("curl -L localhost:9301/metrics | grep authentik_tasks_total"))
 '';
 }
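Review bot: `wait_for_open_port(9300)` only proves the metrics listener accepts connections; the `grep 'Embedded'` on the first `succeed` line needs the embedded outpost to have connected and the `authentik_outpost_connection` series to exist, and `authentik_tasks_total` on 9301 presumably appears only once a task has been counted, so both one-shot assertions can race the services on a slow build host. Replacing the two `machine.succeed(...)` calls with `machine.wait_until_succeeds("curl -L localhost:9300/metrics | grep authentik_outpost_connection | grep 'Embedded'")` and `machine.wait_until_succeeds("curl -L localhost:9301/metrics | grep authentik_tasks_total")` waits for the condition instead of asserting it once. The test does not exercise the new outpost `listenMetrics` options, so a wrong environment-variable spelling in those units would go unnoticed here. The `testScript` string this subtest belongs to begins before the hunk.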