Fix tailscale landing and zulip bootstrap

Scripts/authentik-sync-tailscale-oidc.sh

@@ -137,10 +137,24 @@ lookup_group_pk() {
 
 lookup_application_pk() {
   local slug="$1"
+  local application_pk lookup_result lookup_status
 
+  application_pk="$(
     api GET "/api/v3/core/applications/?page_size=200" \
     | jq -r --arg slug "$slug" '.results[]? | select(.slug == $slug) | .pk // empty' \
     | head -n1
+  )"
+
+  if [[ -n "$application_pk" ]]; then
+    printf '%s\n' "$application_pk"
+    return 0
+  fi
+
+  lookup_result="$(api_with_status GET "/api/v3/core/applications/${slug}/")"
+  lookup_status="$(printf '%s\n' "$lookup_result" | sed -n '1p')"
+  if [[ "$lookup_status" =~ ^20[01]$ ]]; then
+    printf '%s\n' "$lookup_result" | sed '1d' | jq -r '.pk // empty'
+  fi
 }
 
 ensure_application_group_binding() {

nixos/hosts/burrow-forge/default.nix

@@ -237,7 +237,7 @@ in
     forgejoClientSecretFile = config.age.secrets.burrowForgejoOidcClientSecret.path;
     headscaleClientSecretFile = config.age.secrets.burrowHeadscaleOidcClientSecret.path;
     tailscaleClientSecretFile = config.age.secrets.burrowTailscaleOidcClientSecret.path;
-    defaultExternalApplicationSlug = "ts";
+    defaultExternalApplicationSlug = "tailscale";
     googleClientIDFile = config.age.secrets.burrowAuthentikGoogleClientId.path;
     googleClientSecretFile = config.age.secrets.burrowAuthentikGoogleClientSecret.path;
     googleAccountMapFile = config.age.secrets.burrowAuthentikGoogleAccountMap.path;

nixos/modules/burrow-zulip.nix

@@ -404,7 +404,8 @@ EOF
         Group = "root";
         WorkingDirectory = cfg.dataDir;
         RemainAfterExit = true;
-        ExecStop = "${pkgs.bash}/bin/bash -lc 'cd ${lib.escapeShellArg cfg.dataDir} && ${pkgs.podman-compose}/bin/podman-compose -p burrow-zulip down'";
+        TimeoutStopSec = "20s";
+        ExecStop = "${pkgs.bash}/bin/bash -lc 'set -euo pipefail; if ${pkgs.podman}/bin/podman container exists burrow-zulip_zulip_1; then ${pkgs.podman}/bin/podman stop --ignore --time 10 burrow-zulip_zulip_1 >/dev/null || true; ${pkgs.podman}/bin/podman rm -f --ignore burrow-zulip_zulip_1 >/dev/null || true; fi'";
       };
       script = ''
         set -euo pipefail
@@ -452,13 +453,22 @@ EOF
             return 0
           fi
 
-          export ZULIP_REALM_NAME=${lib.escapeShellArg cfg.realmName}
+          local realm_name=${lib.escapeShellArg cfg.realmName}
-          export ZULIP_ADMIN_EMAIL=${lib.escapeShellArg cfg.administratorEmail}
+          local admin_email=${lib.escapeShellArg cfg.administratorEmail}
-          export ZULIP_OWNER_NAME=${lib.escapeShellArg cfg.realmOwnerName}
+          local owner_name=${lib.escapeShellArg cfg.realmOwnerName}
+          local create_realm_cmd
 
-          podman exec burrow-zulip_zulip_1 bash -lc '
+          printf -v create_realm_cmd '%q ' \
-            su zulip -c "/home/zulip/deployments/current/manage.py create_realm --string-id= --password-file /data/secrets/bootstrap-owner-password --automated \"$ZULIP_REALM_NAME\" \"$ZULIP_ADMIN_EMAIL\" \"$ZULIP_OWNER_NAME\""
+            /home/zulip/deployments/current/manage.py \
-          '
+            create_realm \
+            --string-id= \
+            --password-file /data/secrets/bootstrap-owner-password \
+            --automated \
+            "$realm_name" \
+            "$admin_email" \
+            "$owner_name"
+
+          podman exec burrow-zulip_zulip_1 su zulip -c "$create_realm_cmd"
         }
 
         if [ ! -e .initialized ]; then