Closes #72
So, #72 is about a segfault in the LDAP outpost, but this is the actual
culprit[0]:
* Both server & worker share the same configuration in this setup.
* Since 2025.8 this means that both try to start a server for metrics at
port 9300 and an HTTP server (in the worker case for healthchecks) at
port 9000.
* On upgrades, migrations are performed. Only the server waited for the
migrations to finish, hence the worker started up earlier. As a
result, it was quicker in binding port 9000 in ONLY this case (and
thus, this was never reproducible on a second attempt!). Now, on port
9000 was NOT the authentik server, but something that returned an
empty response for everything that's not the healthcheck.
* As a result, the LDAP outpost got a response from what it believed was
authentik, but actually `nil, nil` because of the empty response.
Trying to dereference values from that response[1] caused the
segfault.
The fix is pretty easy, just override the listen ports via the
environment. Unfortunately, the docs[2] are apparently not entirely correct[3],
given the Python code it must be LISTEN__LISTEN_HTTP[4]. I added a
test-case to ensure that the config is properly applied.
[0] Reported as https://github.com/goauthentik/authentik/issues/16850
[1] 57e12cef06/internal/outpost/ak/api.go (L95)
[2] https://docs.goauthentik.io/install-config/configuration/#listen-settings
[3] Reported as https://github.com/goauthentik/authentik/issues/16851
[4] 57e12cef06/authentik/lib/config.py (L238)
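The root cause above is a port collision between two processes that load one configuration, fixed by an environment override whose key nests with `__`. The following is an added example, not authentik's own `config.py` or the module code from this change: it assumes an `AUTHENTIK_` prefix, a `__` nesting separator, constructed defaults, and the key `LISTEN__LISTEN_HTTP` the message names, and checks that server and worker no longer share a listen port once the worker's environment is applied.

```python
from copy import deepcopy

# Constructed defaults mirroring the collision described above: a server and
# a worker sharing one config would both bind 9000 (HTTP) and 9300 (metrics).
DEFAULT_CONFIG = {
    "listen": {
        "listen_http": "0.0.0.0:9000",
        "listen_metrics": "0.0.0.0:9300",
    }
}

ENV_PREFIX = "AUTHENTIK_"  # assumed prefix for overrides
NEST_SEP = "__"            # assumed nesting separator: LISTEN__LISTEN_HTTP -> listen.listen_http


def apply_env_overrides(config: dict, environ: dict) -> dict:
    """Return a copy of `config` with PREFIX_A__B=value applied as config["a"]["b"].

    Keys without the prefix (PATH, HOME, ...) are ignored; intermediate
    dictionaries are created on demand so a brand-new nested key also works.
    """
    result = deepcopy(config)
    for key, value in environ.items():
        if not key.startswith(ENV_PREFIX):
            continue
        path = key[len(ENV_PREFIX):].lower().split(NEST_SEP)
        node = result
        for part in path[:-1]:
            node = node.setdefault(part, {})
        node[path[-1]] = value
    return result


def listen_ports(config: dict) -> dict:
    """Map each listen_* setting to the numeric port of its 'host:port' value."""
    return {name: int(addr.rsplit(":", 1)[1]) for name, addr in config["listen"].items()}


def colliding_ports(server_cfg: dict, worker_cfg: dict) -> list:
    """Ports both processes would try to bind; non-empty means the race can recur."""
    shared = set(listen_ports(server_cfg).values()) & set(listen_ports(worker_cfg).values())
    return sorted(shared)


if __name__ == "__main__":
    # Constructed worker environment: move the worker off the server's ports.
    worker_env = {
        "AUTHENTIK_LISTEN__LISTEN_HTTP": "0.0.0.0:9100",
        "AUTHENTIK_LISTEN__LISTEN_METRICS": "0.0.0.0:9301",
        "PATH": "/run/current-system/sw/bin",
    }
    worker_cfg = apply_env_overrides(DEFAULT_CONFIG, worker_env)
    print("shared config collides on:", colliding_ports(DEFAULT_CONFIG, DEFAULT_CONFIG))
    print("after override collides on:", colliding_ports(DEFAULT_CONFIG, worker_cfg))
```

`colliding_ports` is the property the message's new test case is about: with the override applied it must be empty, otherwise whichever process wins the bind race answers on the other's port and the outpost talks to the wrong listener.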

The store is world-readable, so secrets shouldn't end up there in the
first place. On top, `types.path` has the following behavior:
* `toString foo` returns the absolute path
* `${foo}` copies the path silently into the store and returns the
store-path.
This happens without any real feedback, so this can be caused by an
innocent looking change.
To address this problem, `pathsWith` was introduced into <nixpkgs/lib>
which allows absolute paths represented as string, but rejects things
pointing to the store and path literals which may be copied later on.

`wait_for_text()` takes a regex and it seems that sometimes OCR fails to
recognize the dots in the version string. To make this more resilient,
zero or one symbol is not matched between the numerical components of
the version string.
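As an added example (not code from the commit above), here is how such an OCR-tolerant pattern can be built from a version string: every dot becomes `.?`, so zero or one arbitrary symbol is accepted between the numeric components. The sample screen texts are constructed; in a NixOS test the returned pattern would be passed to the driver's `wait_for_text()`, which is not called here.

```python
import re


def ocr_tolerant_version_pattern(version: str) -> str:
    """Regex for `version` where each separating dot may be dropped or misread.

    Components are escaped so only the separators become permissive; word
    boundaries keep "2025.8.1" from matching inside "2025.8.12".
    """
    parts = version.split(".")
    return r"\b" + r".?".join(re.escape(part) for part in parts) + r"\b"


def version_visible(version: str, screen_text: str) -> bool:
    """True if the OCR'd `screen_text` contains `version` up to dropped/misread dots."""
    return re.search(ocr_tolerant_version_pattern(version), screen_text) is not None


if __name__ == "__main__":
    # Constructed OCR outputs for the same screen: exact, dots dropped, dot misread.
    for text in ("authentik 2025.8.1", "authentik 202581", "authentik 2025,8.1 ready"):
        print(repr(text), "->", version_visible("2025.8.1", text))
```

Because `.?` matches any single character, a digit can stand in for a separator (e.g. `2025981` would match `2025.8.1`); if that is too permissive for a given test, `[^0-9A-Za-z]?` in place of `.?` still absorbs misread punctuation without accepting extra digits.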