From 2af7618f5265471f4048db49eb1353924cf322f6 Mon Sep 17 00:00:00 2001
From: Conrad Kramer
Date: Sun, 19 Apr 2026 01:31:45 -0700
Subject: [PATCH] Fix tailscale landing and zulip bootstrap

---
 Scripts/authentik-sync-tailscale-oidc.sh | 16 +++++++++++++++-
 nixos/hosts/burrow-forge/default.nix | 2 +-
 nixos/modules/burrow-zulip.nix | 24 +++++++++++++++++-------
 3 files changed, 33 insertions(+), 9 deletions(-)

diff --git a/Scripts/authentik-sync-tailscale-oidc.sh b/Scripts/authentik-sync-tailscale-oidc.sh
index fde1a01..58fe7e4 100755
--- a/Scripts/authentik-sync-tailscale-oidc.sh
+++ b/Scripts/authentik-sync-tailscale-oidc.sh
@@ -137,10 +137,24 @@ lookup_group_pk() {
 lookup_application_pk() {
 local slug="$1"
+ local application_pk lookup_result lookup_status

- api GET "/api/v3/core/applications/?page_size=200" \
+ application_pk="$(
+ api GET "/api/v3/core/applications/?page_size=200" \
 | jq -r --arg slug "$slug" '.results[]? | select(.slug == $slug) | .pk // empty' \
 | head -n1
+ )"
+
+ if [[ -n "$application_pk" ]]; then
+ printf '%s\n' "$application_pk"
+ return 0
+ fi
+
+ lookup_result="$(api_with_status GET "/api/v3/core/applications/${slug}/")"
+ lookup_status="$(printf '%s\n' "$lookup_result" | sed -n '1p')"
+ if [[ "$lookup_status" =~ ^20[01]$ ]]; then
+ printf '%s\n' "$lookup_result" | sed '1d' | jq -r '.pk // empty'
+ fi
 }

 ensure_application_group_binding() {
diff --git a/nixos/hosts/burrow-forge/default.nix b/nixos/hosts/burrow-forge/default.nix
index be97661..c4fc92e 100644
--- a/nixos/hosts/burrow-forge/default.nix
+++ b/nixos/hosts/burrow-forge/default.nix
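Review bot: In the new fallback at the end of lookup_application_pk, any status other than 200/201 — a 401/403 from an expired token, a 5xx, a transport failure — is folded into the same empty output as a genuine 404, so a caller cannot distinguish "no such application" from "lookup failed" and may go on to create a duplicate or bind to nothing. I would keep the empty-on-404 contract and fail loudly otherwise: `elif [[ "$lookup_status" != 404 ]]; then`, `printf 'lookup_application_pk: HTTP %s looking up %s\n' "$lookup_status" "$slug" >&2; return 1`, `fi`. Separately, `$slug` is spliced into the request path unencoded in `/api/v3/core/applications/${slug}/`; it appears to come from module config rather than user input, but a value containing `/`, `?` or `#` would change which endpoint is hit, so a guard such as `[[ "$slug" =~ ^[A-Za-z0-9_-]+$ ]] || return 1` near the top is cheap insurance. The `sed -n '1p'` parsing assumes api_with_status prints the HTTP status on its first line, which is defined outside this hunk.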
@@ -237,7 +237,7 @@ in
 forgejoClientSecretFile = config.age.secrets.burrowForgejoOidcClientSecret.path;
 headscaleClientSecretFile = config.age.secrets.burrowHeadscaleOidcClientSecret.path;
 tailscaleClientSecretFile = config.age.secrets.burrowTailscaleOidcClientSecret.path;
- defaultExternalApplicationSlug = "ts";
+ defaultExternalApplicationSlug = "tailscale";
 googleClientIDFile = config.age.secrets.burrowAuthentikGoogleClientId.path;
 googleClientSecretFile = config.age.secrets.burrowAuthentikGoogleClientSecret.path;
 googleAccountMapFile = config.age.secrets.burrowAuthentikGoogleAccountMap.path;
diff --git a/nixos/modules/burrow-zulip.nix b/nixos/modules/burrow-zulip.nix
index 7d93705..0096b65 100644
--- a/nixos/modules/burrow-zulip.nix
+++ b/nixos/modules/burrow-zulip.nix
@@ -404,7 +404,8 @@ EOF
 Group = "root";
 WorkingDirectory = cfg.dataDir;
 RemainAfterExit = true;
- ExecStop = "${pkgs.bash}/bin/bash -lc 'cd ${lib.escapeShellArg cfg.dataDir} && ${pkgs.podman-compose}/bin/podman-compose -p burrow-zulip down'";
+ TimeoutStopSec = "20s";
+ ExecStop = "${pkgs.bash}/bin/bash -lc 'set -euo pipefail; if ${pkgs.podman}/bin/podman container exists burrow-zulip_zulip_1; then ${pkgs.podman}/bin/podman stop --ignore --time 10 burrow-zulip_zulip_1 >/dev/null || true; ${pkgs.podman}/bin/podman rm -f --ignore burrow-zulip_zulip_1 >/dev/null || true; fi'";
 };
 script = ''
 set -euo pipefail
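Review bot: The new ExecStop silently becomes a no-op when no container is named exactly `burrow-zulip_zulip_1`, because the whole stop/rm sits inside `if podman container exists …` and both commands are also wrapped in `|| true`, which defeats the `set -euo pipefail` in front of them; if the compose-generated name ever differs (for example a podman-compose release that separates with `-` instead of `_`), the container keeps running while systemd reports the unit as stopped. This also narrows the previous `podman-compose -p burrow-zulip down`: any other service in the project and the project network are no longer torn down, which is fine only if zulip is the sole service — not visible from here. I would log the skip and let a real stop failure surface: add `else printf 'burrow-zulip: container %s not found, nothing to stop\n' burrow-zulip_zulip_1 >&2;` before the `fi`, and drop the `|| true` after `podman stop` (its `--ignore` already covers the not-found case). The serviceConfig attribute set this belongs to starts and ends outside the hunk.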
@@ -452,13 +453,22 @@ EOF
 return 0
 fi

- export ZULIP_REALM_NAME=${lib.escapeShellArg cfg.realmName}
- export ZULIP_ADMIN_EMAIL=${lib.escapeShellArg cfg.administratorEmail}
- export ZULIP_OWNER_NAME=${lib.escapeShellArg cfg.realmOwnerName}
+ local realm_name=${lib.escapeShellArg cfg.realmName}
+ local admin_email=${lib.escapeShellArg cfg.administratorEmail}
+ local owner_name=${lib.escapeShellArg cfg.realmOwnerName}
+ local create_realm_cmd

- podman exec burrow-zulip_zulip_1 bash -lc '
- su zulip -c "/home/zulip/deployments/current/manage.py create_realm --string-id= --password-file /data/secrets/bootstrap-owner-password --automated \"$ZULIP_REALM_NAME\" \"$ZULIP_ADMIN_EMAIL\" \"$ZULIP_OWNER_NAME\""
- '
+ printf -v create_realm_cmd '%q ' \
+ /home/zulip/deployments/current/manage.py \
+ create_realm \
+ --string-id= \
+ --password-file /data/secrets/bootstrap-owner-password \
+ --automated \
+ "$realm_name" \
+ "$admin_email" \
+ "$owner_name"
+
+ podman exec burrow-zulip_zulip_1 su zulip -c "$create_realm_cmd"
 }

 if [ ! -e .initialized ]; then
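Review bot: The `%q`-quoted command assembled by `printf -v create_realm_cmd` is handed to `su zulip -c`, which re-parses it with whatever login shell the zulip user has inside the container; the hunk does not pin that shell, and bash's `%q` can emit bash-only `$'…'` forms for non-printable bytes (and, depending on the locale, for non-ASCII characters in the realm or owner name), so a POSIX sh on the other side would pass mangled arguments to create_realm. Pinning the interpreter makes the quoting contract explicit in one change: `podman exec burrow-zulip_zulip_1 su zulip -s /bin/bash -c "$create_realm_cmd"`. Alternatively, `podman exec --user zulip burrow-zulip_zulip_1 /home/zulip/deployments/current/manage.py create_realm … "$realm_name" "$admin_email" "$owner_name"` removes the shell layer altogether, provided manage.py does not rely on the environment `su` sets up — which I cannot confirm from here. A short comment above the printf, `# %q-escape each argv word so the shell behind su -c reconstructs it verbatim`, would also tell the next reader why the command is built as a string. The enclosing function starts outside the hunk.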