nix-community / authentik-nix

Nix flake with package, NixOS module and basic VM test for authentik. Trying to provide an alternative deployment mode to the officially supported docker-compose approach. Not affiliated with or officially supported by the authentik project [maintainer=@willibutz]
MIT License

ldap outpost is not independently deployable #15

Closed shokinn closed 8 months ago

shokinn commented 8 months ago

Hi, I just wanted to deploy the ldap outpost on a server other than the one running the main authentik instance. It failed initially with the same error as #13.

After also applying the fix to the service, it fails with:

❯ COLMENAHOST=sbx0media00; colmena apply --on ${COLMENAHOST} --build-on-target --nix-option builders 'ssh-ng://${COLMENAHOST} x86_64-linux'
warning: Git tree '/Users/phg/workspace/privat/nix_config' is dirty
[INFO ] Using flake: git+file:///Users/phg/workspace/privat/nix_config
[INFO ] Enumerating nodes...
[INFO ] Selected 1 out of 5 hosts.
            ❌ 29s Failed: Child process exited with error code: 1
sbx0media00 ❌ 29s Evaluation failed: Child process exited with error code: 1
[ERROR] Failed to complete requested operation - Last 1 lines of logs:
[ERROR]  failure) Child process exited with error code: 1
[ERROR] Failed to evaluate sbx0media00 - Last 20 lines of logs:
[ERROR]   stderr)        … while evaluating the attribute 'value'
[ERROR]   stderr) 
[ERROR]   stderr)          at /nix/store/9s5qs4hni9fj88x79iw6im7amv7ghb76-source/lib/modules.nix:809:9:
[ERROR]   stderr) 
[ERROR]   stderr)           808|     in warnDeprecation opt //
[ERROR]   stderr)           809|       { value = builtins.addErrorContext "while evaluating the option `${showOption loc}':" value;
[ERROR]   stderr)              |         ^
[ERROR]   stderr)           810|         inherit (res.defsFinal') highestPrio;
[ERROR]   stderr) 
[ERROR]   stderr)        (stack trace truncated; use '--show-trace' to show the full trace)
[ERROR]   stderr) 
[ERROR]   stderr)        error: attribute '"authentik/config.yml"' missing
[ERROR]   stderr) 
[ERROR]   stderr)        at /nix/store/d47k91v2219q8y4121vz1jblilckz12d-source/module.nix:234:29:
[ERROR]   stderr) 
[ERROR]   stderr)           233|         ];
[ERROR]   stderr)           234|         restartTriggers = [ config.environment.etc."authentik/config.yml".source ];
[ERROR]   stderr)              |                             ^
[ERROR]   stderr)           235|         serviceConfig = {
[ERROR]  failure) Child process exited with error code: 1
[ERROR] -----
[ERROR] Operation failed with error: Child process exited with error code: 1
Hint: Backtrace available - Use `RUST_BACKTRACE=1` environment variable to display a backtrace

Based on module.nix, it looks like the ldap outpost is not independently deployable.

I would like to file a feature request to make the ldap outpost independently deployable.

WilliButz commented 8 months ago

This needs a rework of how the outpost is configured; currently the outpost just uses the same config file as the main authentik services. Ideally, each of the outposts would get its own build output, keeping their closures small.

See https://github.com/nix-community/authentik-nix/blob/bc628c0094ae60620a0f8e94eb146790b883d366/TODO.md?plain=1#L3

shokinn commented 8 months ago

If I see it correctly, neither the ldap nor the proxy outpost needs the config file.
https://goauthentik.io/docs/outposts/manual-deploy-docker-compose

Both only require 3 environment variables:

So this should already be sufficient, if you're fine with configuring the service only via its environment variables through environmentFile. https://github.com/nix-community/authentik-nix/blob/4dd485a3660e650edc7f446e8243d7a41935394c/module.nix#L77-L99

Can we just drop the dependency here?:
https://github.com/nix-community/authentik-nix/blob/4dd485a3660e650edc7f446e8243d7a41935394c/module.nix#L234

WilliButz commented 8 months ago

There are some more options that can be configured via both config file and environment variable (see https://github.com/goauthentik/authentik/blob/main/internal/config/struct.go). Configuring a different metrics endpoint for the outposts is important when they run on the same host / network namespace.

But I agree that we could probably drop that reference in restartTriggers, given that the current behavior, i.e. the ldap outpost using the same config file as the main authentik services, is not very obvious from how it is configured in the nixos module. So I'd say we drop the reference now, to make this work. But for the future, open tasks remain:
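The failure above comes from a restartTriggers entry that unconditionally reads config.environment.etc."authentik/config.yml", an attribute that only exists on hosts where the main authentik service defines it. The following is an added, self-contained NixOS module sketch (not the authentik-nix module, and not code from this thread) showing the pattern of referencing that entry only when it is present, so the same outpost module evaluates both alongside the server and on a standalone host. The option names services.example-ldap-outpost.*, the binary path bin/ldap and the unit name are assumptions for illustration; the real module's options differ.

```nix
{ config, lib, pkgs, ... }:
let
  cfg = config.services.example-ldap-outpost;   # hypothetical option tree
  # The main authentik service (when enabled on this host) defines this
  # /etc entry; on a standalone outpost host it is simply absent.
  mainConfigPath = "authentik/config.yml";
  mainConfigPresent = config.environment.etc ? ${mainConfigPath};
in
{
  options.services.example-ldap-outpost = {
    enable = lib.mkEnableOption "example LDAP outpost (hypothetical module)";

    package = lib.mkOption {
      type = lib.types.package;
      description = "Package providing the outpost binary (assumed to ship bin/ldap).";
    };

    environmentFile = lib.mkOption {
      type = lib.types.path;
      description = ''
        File holding the outpost's environment variables (API host, token, ...).
        Referenced as a path at runtime, not copied into the Nix store, so the
        token does not end up world-readable in /nix/store.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.example-ldap-outpost = {
      description = "Example LDAP outpost";
      wantedBy = [ "multi-user.target" ];
      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];

      # Restart when the main config changes, but only if that file is
      # defined on this host. lib.optional does not evaluate its second
      # argument when the condition is false, so a standalone host never
      # hits: error: attribute '"authentik/config.yml"' missing
      restartTriggers = lib.optional mainConfigPresent
        config.environment.etc.${mainConfigPath}.source;

      serviceConfig = {
        ExecStart = "${cfg.package}/bin/ldap";
        EnvironmentFile = cfg.environmentFile;
        Restart = "on-failure";

        # Least-privilege defaults for a network daemon that only needs to
        # talk to the authentik API and serve LDAP on an unprivileged port.
        DynamicUser = true;
        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateTmp = true;
        NoNewPrivileges = true;
        CapabilityBoundingSet = "";
      };
    };
  };
}
```

On a host that also runs the main service, mainConfigPresent is true and the unit restarts on config changes exactly as before; on an outpost-only host the trigger list is empty and evaluation succeeds. Keeping the token in environmentFile rather than in an option value matters because anything interpolated into a Nix expression is written to the world-readable store.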

shokinn commented 8 months ago

Thanks! Just tested, works :)