fix nextcloud integration

.env.sample

@@ -18,6 +18,8 @@ AUTHENTIK_LOG_LEVEL=info
 
 ## Outpost Integration
 # COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.yml"
+# COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.ldap.yml"
+# SECRET_LDAP_TOKEN_VERSION=v1
 
 ## ADMIN
 AUTHENTIK_BOOTSTRAP_EMAIL=admin@example.com

README.md

@@ -54,6 +54,14 @@ Set the nextcloud Icon using `abra app cmd -l -d <app_name> set_icons`
 
 The configuration inside Nextcloud can be found in the [nextcloud recipe](https://git.coopcloud.tech/coop-cloud/nextcloud#authentik-integration)
 
+## Add LDAP outpost
+
+- Follow [this official guide](https://docs.goauthentik.io/docs/add-secure-apps/providers/ldap/generic_setup) and skip the LDAP Flow as we don't need it.
+- Copy token under `Applications` -> `Outposts` `-> `View Deployment Info` 
+- Comment in envs for compose.outposts.ldap.yaml and secret version
+- Insert token as secret `abra app secret insert <DOMAIN> ldap_token v1 <TOKEN>`
+- Update deployment -> Outpost should be up and running
+
 ## Import User from CSV
 
 Users can be imported from a CSV file of the following format:

compose.outposts.ldap.yml

@@ -0,0 +1,23 @@
+version: "3.8"
+services:
+  authentik_ldap:
+      image: ghcr.io/goauthentik/ldap:2024.10.5
+      # Optionally specify which networks the container should be
+      # might be needed to reach the core authentik server
+      networks:
+        - internal
+        - proxy
+      ports:
+        - 389:3389
+        - 636:6636
+      secrets:
+        - ldap_token
+      environment:
+        - AUTHENTIK_HOST=https://${DOMAIN}
+        - AUTHENTIK_INSECURE=true
+        - AUTHENTIK_TOKEN=file:///run/secrets/ldap_token
+
+secrets:
+  ldap_token:
+    external: true
+    name: ${STACK_NAME}_ldap_token_${SECRET_LDAP_TOKEN_VERSION}

compose.yml

@@ -34,7 +34,7 @@ x-env: &env
 version: '3.8'
 services:
   app:
-    image: ghcr.io/goauthentik/server:2024.10.0
+    image: ghcr.io/goauthentik/server:2024.10.5
     command: server
     depends_on:
       - db
@@ -72,11 +72,11 @@ services:
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
-        - "coop-cloud.${STACK_NAME}.version=6.8.1+2024.10.0"
+        - "coop-cloud.${STACK_NAME}.version=6.11.0+2024.10.5"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
 
   worker:
-    image: ghcr.io/goauthentik/server:2024.10.0
+    image: ghcr.io/goauthentik/server:2024.10.5
     command: worker
     depends_on:
       - db

nextcloud.yaml.tmpl

@@ -26,6 +26,9 @@ entries:
     client_id: {{ secret  "nextcloud_id" }}
     client_secret: {{ secret  "nextcloud_secret" }}
     client_type: confidential
+    redirect_uris:
+    - url: https://{{ env  "NEXTCLOUD_DOMAIN" }}
+      matching_mode: strict
     include_claims_in_id_token: true
     issuer_mode: per_provider
     name: Nextcloud

release/6.11.0+2024.10.5

@@ -0,0 +1 @@
+Fix Impersonate Bug