We migrated `authentik-nix` a few weeks ago to another machine. Was really
painless.
Not too sure how helpful these considerations are written down in the
README, but they might lower the stress levels for some.
This is needed since 25.11 because the target is what makes sure that
PostgreSQL is not only up, but also in rw-mode (and ensure* being
applied).
Also adding this to `authentik-worker` to prevent situations where
postgresql.service stops before the worker on reboot and the worker
blocks shutdown while trying to reconnect to the database[1].
[1] https://github.com/nix-community/authentik-nix/pull/86#issuecomment-3794325343
Closes #83
Closes #85
ChangeLog: https://docs.goauthentik.io/releases/2025.12
⚠️ When using the Avatar upload, you'll have to make your users
re-upload their avatars due to changes in how media is served by
Authentik[1].
For now, we're using a branch from me that is 2025.12.1 with an update
of `@goauthentik/api` on top[2]. Without that change, `AdminFileListUsageEnum`
doesn't exist which breaks all usage of `AdminFileListUsageEnum.Media`:
TypeError: can't access property "Media", R.AdminFileListUsageEnum is undefined
renderForm ApplicationForm.ts:191
[...]
This made e.g. the modal to edit applications unusable, which hung
infinitely on a loading spinner.
The media path now points to `/var/lib/authentik`. This path is only
used for media storage, and Authentik now always appends the "usage name"
as a directory after the storage path, i.e. it already appends
`/var/lib/authentik/media`, so this is needed to make Authentik discover
existing media.
Finally, I added a `patches` attribute to the authentik scope that
applies patches to both the workdir-deps (which is the PYTHONPATH in the
end, i.e. where we load the authentik module from) and the gopkgs. We're
still missing patchability for the frontend (since we directly build the
subdir in napalm), but I think that's a step in the right direction.
[1] https://github.com/goauthentik/authentik/discussions/6824#discussioncomment-15490793
[2] Upstream PR: https://github.com/goauthentik/authentik/pull/19542
Closes#12
The worker gets access to the ACME-managed certs via `LoadCredential`,
however that doesn't refresh files when the files in the credential
source change. Explicitly restart the worker to make sure these changes
are reflected in what the worker sees.
Closes#79
So apparently the Python-based server knew to use `/run/postgresql` if
`host` is empty, but the Go driver tripped over it. Use this explicitly
to fix both cases.
We kept nodejs_22 in 6dc84faaec because of
a bug in NPM preventing us from upgrading[1]. This got solved in the
meantime and seems to have landed in a nodejs release (these usually
bundle NPM versions), so we can use the nodejs version that upstream
also uses again.
[1] https://github.com/npm/cli/issues/8541
Closes#72
So, #72 is about a segfault in the LDAP outpost, but this is the actual
culprit[0]:
* Both server & worker share the same configuration in this setup.
* Since 2025.8 this means that both try to start a server for metrics at
port 9300 and an HTTP server (in the worker case for healthchecks) at
port 9000.
* On upgrades, migrations are performed. Only the server waited for the
migrations to finish, hence the worker started up earlier. As a
result, it was quicker in binding port 9000 in ONLY this case (and
thus, this was never reproducible on a second attempt!). Now, what was on
port 9000 was NOT the authentik server, but something that returned an
empty response for everything that's not the healthcheck.
* As a result, the LDAP outpost got a response from what it believed was
authentik, but actually `nil, nil` because of the empty response.
Trying to dereference values from that response[1] caused the
segfault.
The fix is pretty easy: just override the listen ports via the
environment. Unfortunately, the docs[2] are apparently not entirely correct[3];
given the Python code, it must be LISTEN__LISTEN_HTTP[4]. I added a
test case to ensure that the config is properly applied.
[0] Reported as https://github.com/goauthentik/authentik/issues/16850
[1] 57e12cef06/internal/outpost/ak/api.go (L95)
[2] https://docs.goauthentik.io/install-config/configuration/#listen-settings
[3] Reported as https://github.com/goauthentik/authentik/issues/16851
[4] 57e12cef06/authentik/lib/config.py (L238)
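As an added illustration of the failure mode described in this message (example code, not from authentik or authentik-nix): a decoder that swallows the empty body and hands back `nil, nil` lets the caller dereference a nil config, while the guarded variant turns the empty reply into an error before any field is touched. `OutpostConfig`, `naiveDecode` and `decodeConfig` are constructed names.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// OutpostConfig is a constructed stand-in for what an outpost expects from the API.
type OutpostConfig struct {
	Name string `json:"name"`
}
// ErrEmptyResponse: the port answered, but not with the API (here, the
// worker's healthcheck listener that won the race for port 9000).
var ErrEmptyResponse = errors.New("empty response body: listener is not the authentik API")
// naiveDecode reproduces the failure mode: io.EOF from an empty body is
// swallowed, so the caller gets (nil, nil) and dereferences nil.
func naiveDecode(body io.Reader) (*OutpostConfig, error) {
	var cfg *OutpostConfig
	if err := json.NewDecoder(body).Decode(&cfg); err != nil && !errors.Is(err, io.EOF) {
		return nil, err
	}
	return cfg, nil
}

// decodeConfig is the guarded variant: an empty body is an error, and a
// non-nil config is the only success path.
func decodeConfig(body io.Reader) (*OutpostConfig, error) {
	var cfg OutpostConfig
	if err := json.NewDecoder(body).Decode(&cfg); err != nil {
		if errors.Is(err, io.EOF) {
			return nil, ErrEmptyResponse
		}
		return nil, fmt.Errorf("decode outpost config: %w", err)
	}
	return &cfg, nil
}

func main() {
	// Constructed bodies: the API's JSON vs. the empty reply from port 9000.
	for _, body := range []string{`{"name":"ldap-outpost"}`, ""} {
		if cfg, err := decodeConfig(strings.NewReader(body)); err != nil {
			fmt.Println("refused:", err)
		} else {
			fmt.Println("config name:", cfg.Name) // cfg is never nil here
		}
	}
}
```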
This changes the "ak" script to contain all properties from the
authentik.service unit except the Exec* and Restart* properties. This allows the
script to work when the user has added additional properties to the unit (e.g.
the `SupplementaryGroups` property to connect to Redis over a Unix socket).
You're most likely not affected unless you override the Go part yourself
to enable the RAC provider.
See https://version-2025-4.goauthentik.io/docs/releases/2025.4#fixed-in-202543
Flake lock file updates:
• Updated input 'authentik-src':
'github:goauthentik/authentik/bda30c5ad5838fea36dc0a06f8580cca437f0fc0' (2025-06-04)
→ 'github:goauthentik/authentik/b34665fabd8d938d81ce871a4e86ca528c5f253b' (2025-06-27)