From c178d820d7a69c499ab540e9b935e1aa6cd6f13b Mon Sep 17 00:00:00 2001
From: Quentin Smith
Date: Thu, 15 Feb 2024 19:32:06 -0500
Subject: [PATCH 1/4] module: use TZ environment variable to set UTC timezone instead of overriding system zone
---
 module.nix | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/module.nix b/module.nix
index 31019ab..1227ed2 100644
--- a/module.nix
+++ b/module.nix
@@ -142,6 +142,9 @@ in
 (mkIf config.services.authentik.enable (let
 cfg = config.services.authentik;
+ # https://goauthentik.io/docs/installation/docker-compose#startup
+ tz = "UTC";
+
 # Passed to each service and to the `ak` wrapper using `systemd-run(1)`
 serviceDefaults = {
 DynamicUser = true;
@@ -198,9 +201,6 @@ in
 '')
 ];
- # https://goauthentik.io/docs/installation/docker-compose#explanation
- time.timeZone = "UTC";
-
 environment.etc."authentik/config.yml".source = settingsFormat.generate "authentik.yml" cfg.settings;
 systemd.services = {
@@ -211,6 +211,7 @@ in
 after = [ "network-online.target" ] ++ lib.optionals cfg.createDatabase [ "postgresql.service" ];
 before = [ "authentik.service" ];
 restartTriggers = [ config.environment.etc."authentik/config.yml".source ];
+ environment.TZ = tz;
 serviceConfig = mkMerge [ serviceDefaults {
 Type = "oneshot";
 RemainAfterExit = true;
@@ -233,6 +234,7 @@ in
 preStart = ''
 ln -svf ${config.services.authentik.authentikComponents.staticWorkdirDeps}/* /run/authentik/
 '';
+ environment.TZ = tz;
 serviceConfig = mkMerge [ serviceDefaults {
 RuntimeDirectory = "authentik";
 WorkingDirectory = "%t/authentik";
@@ -257,6 +259,7 @@ in
 ln -svf ${cfg.authentikComponents.staticWorkdirDeps}/* /var/lib/authentik/
 mkdir -p ${cfg.settings.paths.media}
 '';
+ environment.TZ = tz;
 serviceConfig = mkMerge [ serviceDefaults {
 Environment = [
 "AUTHENTIK_ERROR_REPORTING__ENABLED=false"
From 8bc790171faecb5da81a8ab45e5489ab6a288e72 Mon Sep 17 00:00:00 2001
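Review bot: The three `environment.TZ = tz;` lines (migrate, server and worker units, in the last three hunks) cover the units themselves, but the comment above `serviceDefaults` says those defaults are also passed to the `ak` wrapper via `systemd-run(1)`; that wrapper is outside these hunks and, as far as the hunks show, no longer inherits UTC now that `time.timeZone = "UTC"` is removed. If the wrapper is meant to run in the same zone as the services, `Environment = [ "TZ=${tz}" ];` inside `serviceDefaults` covers all of them from one place and drops the three repeated lines. A short comment on the binding, e.g. `# authentik expects UTC; set per unit rather than via time.timeZone so the host zone is untouched`, would also record why this is a let-binding and not a module option. The enclosing `let` block starts and ends outside the hunks.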
From: Quentin Smith
Date: Thu, 15 Feb 2024 19:34:08 -0500
Subject: [PATCH 2/4] module: don't force Postgres 14
---
 module.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/module.nix b/module.nix
index 1227ed2..a59cbe5 100644
--- a/module.nix
+++ b/module.nix
@@ -184,7 +184,7 @@ in
 };
 postgresql = mkIf cfg.createDatabase {
 enable = true;
- package = pkgs.postgresql_14;
+ package = lib.mkDefault pkgs.postgresql_14;
 ensureDatabases = [ "authentik" ];
 ensureUsers = [
 { name = "authentik"; ensureDBOwnership = true; }
From 876db63217276214c99c543454c4d1aa14e9605d Mon Sep 17 00:00:00 2001
From: WilliButz
Date: Sun, 28 Apr 2024 13:22:22 +0200
Subject: [PATCH 3/4] module: don't set services.postgresql.package for new installations
---
 module.nix | 28 ++++++++++++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)
diff --git a/module.nix b/module.nix
index a59cbe5..f42e607 100644
--- a/module.nix
+++ b/module.nix
@@ -27,7 +27,8 @@ let
 mkOption;
 inherit (lib.strings)
- concatStringsSep;
+ concatStringsSep
+ versionOlder;
 inherit (lib.trivial)
 boolToString
@@ -184,7 +185,6 @@ in
 };
 postgresql = mkIf cfg.createDatabase {
 enable = true;
- package = lib.mkDefault pkgs.postgresql_14;
 ensureDatabases = [ "authentik" ];
 ensureUsers = [
 { name = "authentik"; ensureDBOwnership = true; }
@@ -338,5 +338,29 @@ in
 };
 };
 }))
+
+ # This is an attempt to solve a rather ugly problem that was
+ # caused by previously setting a default for the option
+ # `services.postgresql.package` in this module.
+ #
+ # The problem is that some installations with a state version other than
+ # 22.05, 22.11 or 23.05 may have used this module, meaning their postgresql
+ # version was overridden by this module. Merely removing the setting here,
+ # would cause their config to fall back to their respective default release,
+ # resulting in a (temporarily) broken installation.
+ #
+ # While recovering from this is relatively easy, i.e. they would need to
+ # override the posgresql package in their own config, it is not desirable
+ # to break those installations.
+ #
+ # The idea is to no longer set a default value for the package for new
+ # installations. Instead new installations use the sensible default provided
+ # by nixpkgs. At the same time this should keep the previous default
+ # for old installations.
+ #
+ # After postgresql_14 has been removed from nixpkgs, this workaround can be dropped.
+ (mkIf (versionOlder config.system.stateVersion "24.05") {
+ services.postgresql.package = lib.mkDefault pkgs.postgresql_14;
+ })
 ];
 }
From 965f4d40126f829354defc3df19237496e4e9337 Mon Sep 17 00:00:00 2001
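Review bot: The new `mkIf (versionOlder config.system.stateVersion "24.05")` block is a sibling of the `mkIf config.services.authentik.enable` section that closes at `}))`, so it now applies a default for `services.postgresql.package` on every host that merely imports this module with an older state version, even with authentik disabled or `createDatabase = false`, whereas the setting it replaces lived under `postgresql = mkIf cfg.createDatabase`. Gating it on the same conditions keeps the compatibility shim scoped to the installations it is meant for: `(mkIf (config.services.authentik.enable && config.services.authentik.createDatabase && versionOlder config.system.stateVersion "24.05") {` (`cfg` appears to be bound only inside the inner `let`, so the full option path is needed here). The comment also misspells `posgresql`, and it would be worth stating that hosts already on `stateVersion = "24.05"` with an existing 14 data directory are the one group the version check does not cover and must pin the package themselves.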
From: WilliButz
Date: Sun, 28 Apr 2024 13:53:28 +0200
Subject: [PATCH 4/4] module: drop default settings for airgapped mode
These settings were originally taken from https://docs.goauthentik.io/docs/installation/air-gapped but I think they should be configured by users themselves rather than being enforced by this module.
Notes:
* error reporting is already disabled by default
* the update check setting obviously didn't do anthing as the update check was always running
* "startup analytics" currently refers to a post request[1] to upstream authentik, that includes the running version and a SHA-512 digest of the unique installation id and an env string that refers to the environment in which authentik is running, that should be "custom"[2] for NixOS.
[1]: https://github.com/goauthentik/authentik/blob/version/2024.4.1/lifecycle/gunicorn.conf.py#L122-L137
[2]: https://github.com/goauthentik/authentik/blob/version/2024.4.1/authentik/lib/utils/reflection.py#L52-L64
---
 module.nix | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/module.nix b/module.nix
index f42e607..112a925 100644
--- a/module.nix
+++ b/module.nix
@@ -261,12 +261,6 @@ in
 '';
 environment.TZ = tz;
 serviceConfig = mkMerge [ serviceDefaults {
- Environment = [
- "AUTHENTIK_ERROR_REPORTING__ENABLED=false"
- "AUTHENTIK_DISABLE_UPDATE_CHECK=true"
- "AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true"
- "AUTHENTIK_AVATARS=initials"
- ];
 StateDirectory = "authentik";
 UMask = "0027";
 # TODO /run might be sufficient
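Review bot: Dropping this `Environment` list silently changes the network behaviour of existing deployments on upgrade — this unit will start performing the upstream update check and the startup-analytics POST the commit message describes, and `AUTHENTIK_AVATARS` falls back to the upstream default, which (if that default still includes `gravatar`) adds outbound avatar lookups derived from user e-mail addresses — yet nothing in the hunk or the module records the change or how to opt back out. Since the intent is that operators make this choice themselves, a comment at the removal site keeps it visible, e.g. `# Update check, startup analytics and avatar source are left at upstream defaults; air-gapped operators set AUTHENTIK_DISABLE_UPDATE_CHECK, AUTHENTIK_DISABLE_STARTUP_ANALYTICS and AUTHENTIK_AVATARS in their own configuration.` The enclosing service definition starts and ends outside the hunk.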