From 6a080328a3a79b7115f67df068cb86e6ea84212f Mon Sep 17 00:00:00 2001 From: Maximilian Bosch Date: Wed, 17 Sep 2025 10:16:05 +0200 Subject: [PATCH] module: override metrics & http address for worker Closes #72 So, #72 is about a segfault in the LDAP outpost, but this is the actual culprit[0]: * Both server & worker share the same configuration in this setup. * Since 2025.8 this means that both try to start a server for metrics at port 9300 and an HTTP server (in the worker case for healthchecks) at port 9000. * On upgrades, migrations are performed. Only the server waited for the migrations to finish, hence the worker started up earlier. As a result, it was quicker in binding port 9000 in ONLY this case (and thus, this was never reproducible on a second attempt!). So what was listening on port 9000 was NOT the authentik server, but the worker's healthcheck server, which returns an empty response for everything that's not the healthcheck. * As a result, the LDAP outpost got a response from what it believed was authentik, but actually `nil, nil` because of the empty response. Trying to dereference values from that response[1] caused the segfault. The fix is pretty easy, just override the listen ports via the environment. Unfortunately, the docs[2] are apparently not entirely correct[3], given the Python code it must be LISTEN__LISTEN_HTTP[4]. I added a test-case to ensure that the config is properly applied. [0] Reported as https://github.com/goauthentik/authentik/issues/16850 [1] https://github.com/goauthentik/authentik/blob/57e12cef068d655e3d55c7befd401c7e36f024b3/internal/outpost/ak/api.go#L95 [2] https://docs.goauthentik.io/install-config/configuration/#listen-settings [3] Reported as https://github.com/goauthentik/authentik/issues/16851 [4] https://github.com/goauthentik/authentik/blob/57e12cef068d655e3d55c7befd401c7e36f024b3/authentik/lib/config.py#L238 --- module.nix | 28 +++++++++++++++++++++++++++- tests/minimal-vmtest.nix | 7 +++++++ 2 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/module.nix b/module.nix
index 2e76d69..b8c38cb 100644
--- a/module.nix
+++ b/module.nix
@@ -103,6 +103,25 @@ in
       ```
     '';
   };
+
+  worker = {
+    listenHTTP = mkOption {
+      type = types.str;
+      default = "[::1]:9001";
+      description = ''
+        Listen address for the HTTP server of the worker.
+        Overrides the default listen setting that's also used by the server.
+      '';
+    };
+    listenMetrics = mkOption {
+      type = types.str;
+      default = "[::1]:9301";
+      description = ''
+        Listen address for the metrics server of the worker.
+        Overrides the default listen setting that's also used by the server.
+      '';
+    };
+  };
 };
 
 # LDAP oupost
@@ -295,7 +314,14 @@ in
     preStart = ''
       ln -svf ${config.services.authentik.authentikComponents.staticWorkdirDeps}/* /run/authentik/
     '';
-    environment = mkMerge [ environment { TZ = tz; } ];
+    environment = mkMerge [
+      environment
+      {
+        TZ = tz;
+        AUTHENTIK_LISTEN__LISTEN_HTTP = cfg.worker.listenHTTP;
+        AUTHENTIK_LISTEN__LISTEN_METRICS = cfg.worker.listenMetrics;
+      }
+    ];
     serviceConfig = mkMerge [
       serviceDefaults
       {
diff --git a/tests/minimal-vmtest.nix b/tests/minimal-vmtest.nix
index dfb7c52..12c35df 100644
--- a/tests/minimal-vmtest.nix
+++ b/tests/minimal-vmtest.nix
@@ -91,5 +91,12 @@ pkgs.nixosTest {
     machine.succeed("su - alice -c 'firefox http://localhost/' >&2 &")
     machine.wait_for_text("authentik")
     machine.screenshot("5_nginx_proxies_requests")
+
+    with subtest("metrics & worker"):
+        machine.wait_for_open_port(9300)
+        machine.wait_for_open_port(9301)
+
+        print(machine.succeed("curl -L localhost:9300/metrics | grep authentik_outpost_connection | grep 'Embedded'"))
+        print(machine.succeed("curl -L localhost:9301/metrics | grep authentik_tasks_total"))
   '';
 }
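Review bot: Nothing prevents a user from setting `worker.listenHTTP` or `worker.listenMetrics` back to the address the server binds, which is exactly the port collision the commit message traces the segfault to; the two option descriptions only say the value "overrides" the shared setting and give no reason the default sits on a different port. If the module exposes the server's listen addresses (or the shared settings they come from), an `assertions` entry checking that the worker's pair differs from the server's pair would turn a repeat of that misconfiguration into an evaluation error instead of a boot-time race that only shows up on upgrades. I would also add to each description: `Must differ from the server's listen address (port 9000 / 9300 by default), otherwise whichever process binds first answers for both.`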
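Review bot: `mkMerge [ environment { ... } ]` does not override an `AUTHENTIK_LISTEN__LISTEN_HTTP` or `AUTHENTIK_LISTEN__LISTEN_METRICS` key that is already present in the shared `environment` attrset; two same-priority definitions of one `systemd.services.<name>.environment` key are a conflicting-definition error at evaluation time, not a precedence. Since the commit message says this attrset is shared by server and worker, it is plausible that a user sets the listen variables there, in which case the worker service would fail to evaluate rather than get its own ports. If that path exists, `AUTHENTIK_LISTEN__LISTEN_HTTP = mkForce cfg.worker.listenHTTP;` and `AUTHENTIK_LISTEN__LISTEN_METRICS = mkForce cfg.worker.listenMetrics;` make the worker's values win deterministically, and a short comment above them (`# must not share the server's listen ports, see #72`) records why they exist. The enclosing worker service definition starts and ends outside this hunk.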
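Review bot: The new subtest verifies that the worker's metrics port 9301 answers, but not the two things that actually broke in #72: that the worker's HTTP server is on 9001 and that whatever answers on 9000 is the authentik server rather than the worker's healthcheck responder. Adding `machine.wait_for_open_port(9001)` and a request to `localhost:9000` that asserts on a server-only response body (the authentik HTML, not just a status code that the empty healthcheck reply would also satisfy) would make the test fail on the original symptom. The VM presumably starts from a fresh database, so the migration-induced race the commit describes is unlikely to reproduce here; these checks protect the configuration, not the race itself, which is worth saying in the subtest name or a comment. `curl -L` on a metrics endpoint follows redirects it should never see; `curl -sf` would make a non-2xx answer fail outright instead of relying on `grep` finding nothing.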