Use AUTHENTIK_BOOTSTRAP_PASSWORD env instead of set_admin_pass function

2024-06-07 11:56:52 +02:00
14 changed files with 23 additions and 204 deletions
--- a/.env.sample
+++ b/.env.sample
@ -1,7 +1,7 @@
 TYPE=authentik
 TIMEOUT=900
 ENABLE_AUTO_UPDATE=true
-# POST_DEPLOY_CMDS="worker set_admin_pass|worker apply_blueprints|worker add_applications"
+# POST_DEPLOY_CMDS="worker worker apply_blueprints|worker add_applications"
 LETS_ENCRYPT_ENV=production

 DOMAIN=authentik.example.com
@ -17,9 +17,6 @@ AUTHENTIK_LOG_LEVEL=info
 ## Outpost Integration
 # COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.yml"

-## ADMIN
-AUTHENTIK_BOOTSTRAP_EMAIL=admin@example.com
-
 ## EMAIL
 AUTHENTIK_EMAIL__HOST=smtp
 AUTHENTIK_EMAIL__PORT=587
@ -70,7 +67,6 @@ AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21

 # COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
 # ELEMENT_DOMAIN=element-web.example.com
-# MATRIX_DOMAIN=matrix-synapse.example.com
 # SECRET_MATRIX_ID_VERSION=v1
 # SECRET_MATRIX_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS matrix:~/.abra/recipes/authentik/icons/matrix.svg"
@ -97,17 +93,13 @@ AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
 # KIMAI_DOMAIN=kimai.example.com
 # SECRET_KIMAI_ID_VERSION=v1
 # SECRET_KIMAI_SECRET_VERSION=v1
-# APP_ICONS="$APP_ICONS kimai:~/.abra/recipes/authentik/icons/kimai_logo.png"
-
-# COMPOSE_FILE="$COMPOSE_FILE:compose.zammad.yml"
-# ZAMMAD_DOMAIN=zammad.example.com
-# APP_ICONS="$APP_ICONS zammad:~/.abra/recipes/authentik/icons/zammad.svg"
+# APP_ICONS="$APP_ICONS kimai:~/.abra/recipes/authentik/icons/kimai.png"

 # COMPOSE_FILE="$COMPOSE_FILE:compose.monitoring.yml"
 # MONITORING_DOMAIN=monitoring.example.com
 # SECRET_MONITORING_ID_VERSION=v1
 # SECRET_MONITORING_SECRET_VERSION=v1
-# APP_ICONS="$APP_ICONS monitoring:~/.abra/recipes/authentik/icons/monitoring.svg"
+# APP_ICONS="$APP_ICONS monitoring:~/.abra/recipes/authentik/icons/monitoring.png"

 # COMPOSE_FILE="$COMPOSE_FILE:compose.rallly.yml"
 # RALLLY_DOMAIN=rallly.example.com
@ -123,4 +115,4 @@ AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21

 # APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "BBB": "https://nextcloud.example.com/apps/bbb/"}'
 # APP_ICONS="$APP_ICONS Calendar:~/.abra/recipes/authentik/icons/calendar.svg"
-# APP_ICONS="$APP_ICONS BBB:~/.abra/recipes/authentik/icons/bbb.png"
+# APP_ICONS="$APP_ICONS BBB:~/.abra/recipes/authentik/icons/bbb.jpg"
--- a/README.md
+++ b/README.md
@ -35,7 +35,6 @@ abra app secret generate -a <app_name>
 abra app undeploy <app_name>
 abra app deploy <app_name>
 abra app cmd <app_name> db rotate_db_pass
-abra app cmd <app_name> app set_admin_pass
 ```

 ## Add SSO for Nextcloud
--- a/abra.sh
+++ b/abra.sh
@ -12,10 +12,9 @@ export WEKAN_CONFIG_VERSION=v3
 export VIKUNJA_CONFIG_VERSION=v1
 export OUTLINE_CONFIG_VERSION=v2
 export KIMAI_CONFIG_VERSION=v1
-export ZAMMAD_CONFIG_VERSION=v1
 export RALLLY_CONFIG_VERSION=v2
 export HEDGEDOC_CONFIG_VERSION=v1
-export MONITORING_CONFIG_VERSION=v2
+export MONITORING_CONFIG_VERSION=v1
 export DB_ENTRYPOINT_VERSION=v1

 customize() {
@ -74,30 +73,7 @@ with open('/tmp/$1', newline='') as file:
 }

 set_admin_pass() {
-password=$(cat /run/secrets/admin_pass)
-token=$(cat /run/secrets/admin_token)
-/manage.py shell -c """
-akadmin = User.objects.get(username='akadmin')
-akadmin.set_password('$password')
-akadmin.save()
-print('Changed akadmin password')
-
-from authentik.core.models import TokenIntents
-key='$token'
-if (token:= Token.objects.filter(identifier='authentik-bootstrap-token').first()):
-    token.key=key
-    token.save()
-    print('Changed authentik-bootstrap-token')
-else:
-    Token.objects.create(
-        identifier='authentik-bootstrap-token',
-        user=akadmin,
-        intent=TokenIntents.INTENT_API,
-        expiring=False,
-        key=key,
-    )
-    print('Created authentik-bootstrap-token')
-""" 2>&1 | quieten
+echo "The set_admin_pass function is depricated"
 }

 rotate_db_pass() {
@ -243,9 +219,3 @@ cert = saml.signing_kp
 print(''.join(cert.certificate_data.splitlines()[1:-1]))
 """ 2>&1 | quieten
 }
-
-get_user_uid() {
-/manage.py shell -c """
-print(User.objects.filter(username='$1').first().uid)
-""" 2>&1 | quieten
-}
--- a/alaconnect.yml
+++ b/alaconnect.yml
@ -17,7 +17,6 @@ matrix-synapse:
    uncomment:
        - compose.matrix.yml
        - ELEMENT_DOMAIN
-        - MATRIX_DOMAIN
        - SECRET_MATRIX_ID_VERSION
        - SECRET_MATRIX_SECRET_VERSION
        - matrix.svg
@ -41,19 +40,7 @@ vikunja:
        - vikunja.svg
    secrets:
        vikunja_id: vikunja
-kimai:
-    uncomment:
-        - compose.kimai.yml
-        - KIMAI_DOMAIN
-        - SECRET_KIMAI_ID_VERSION
-        - SECRET_KIMAI_SECRET_VERSION
-        - kimai_logo.png
-zammad:
-    uncomment:
-        - compose.zammad.yml
-        - ZAMMAD_DOMAIN
-        - zammad.svg
-monitoring-ng:
+monitoring:
    uncomment:
        - compose.monitoring.yml
        - MONITORING_DOMAIN
--- a/compose.matrix.yml
+++ b/compose.matrix.yml
@ -1,11 +1,5 @@
 version: "3.8"
 services:
-  app:
-    deploy:
-      labels:
-        - "traefik.http.routers.${STACK_NAME}.middlewares=redirect-matrix-well-known"
-        - "traefik.http.middlewares.redirect-matrix-well-known.redirectregex.regex=^https://(.*)/.well-known/matrix/(.*)"
-        - "traefik.http.middlewares.redirect-matrix-well-known.redirectregex.replacement=https://${MATRIX_DOMAIN}/.well-known/matrix/$$2"
  worker:
    secrets:
      - matrix_id
--- a/compose.yml
+++ b/compose.yml
@ -8,6 +8,8 @@ x-env: &env
    - AUTHENTIK_REDIS__HOST=redis
    - AUTHENTIK_ERROR_REPORTING__ENABLED
    - AUTHENTIK_SECRET_KEY=file:///run/secrets/secret_key
+    - AUTHENTIK_BOOTSTRAP_PASSWORD=file:///run/secrets/admin_pass
+    - AUTHENTIK_BOOTSTRAP_TOKEN=file:///run/secrets/admin_token
    - AUTHENTIK_EMAIL__HOST
    - AUTHENTIK_EMAIL__PORT
    - AUTHENTIK_EMAIL__USERNAME
@ -21,7 +23,6 @@ x-env: &env
    - AUTHENTIK_COLOR_BACKGROUND_LIGHT
    - AUTHENTIK_FOOTER_LINKS
    - AUTHENTIK_IMPERSONATION
-    - AUTHENTIK_BOOTSTRAP_EMAIL
    - WELCOME_MESSAGE
    - DEFAULT_LANGUAGE
    - EMAIL_SUBJECT
@ -33,7 +34,7 @@ x-env: &env
 version: '3.8'
 services:
  app:
-    image: ghcr.io/goauthentik/server:2024.8.3
+    image: ghcr.io/goauthentik/server:2024.4.2
    command: server
    depends_on:
      - db
@ -52,13 +53,16 @@ services:
      - internal
      - proxy
    healthcheck:
-      test: "ak healthcheck"
+      test: "bash -c 'printf \"GET / HTTP/1.1\n\n\" > /dev/tcp/127.0.0.1/9000; exit $$?;'"
      interval: 30s
-      timeout: 30s
+      timeout: 10s
      retries: 10
      start_period: 5m
    environment: *env
    deploy:
+      update_config:
+        failure_action: rollback
+        order: start-first
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=proxy"
@ -71,11 +75,11 @@ services:
        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
        - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
        - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
-        - "coop-cloud.${STACK_NAME}.version=6.7.0+2024.8.3"
+        - "coop-cloud.${STACK_NAME}.version=6.1.1+2024.4.2"
        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"

  worker:
-    image: ghcr.io/goauthentik/server:2024.8.3
+    image: ghcr.io/goauthentik/server:2024.4.2
    command: worker
    depends_on:
      - db
@ -90,10 +94,10 @@ services:
      - internal
      - proxy
    volumes:
+      - backups:/backups
      - media:/media
      - /dev/null:/blueprints/default/flow-oobe.yaml
      - templates:/templates
-      - certs:/certs
    configs:
      - source: flow_recovery
        target: /blueprints/1_flow_recovery.yaml
@ -108,15 +112,9 @@ services:
      - source: flow_invalidation
        target: /blueprints/6_flow_invalidation.yaml
    environment: *env
-    healthcheck:
-      test: "ak healthcheck"
-      interval: 30s
-      timeout: 30s
-      retries: 10
-      start_period: 5m

  db:
-    image: postgres:15.8
+    image: postgres:15.7
    secrets:
      - db_password
    configs:
@ -144,13 +142,10 @@ services:
          backupbot.backup: "true"
          backupbot.backup.pre-hook: "PGPASSWORD=$$(cat /run/secrets/db_password) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql"
          backupbot.backup.post-hook: "rm -rf /var/lib/postgresql/data/backup.sql"
-          backupbot.backup.volumes.database.path: "backup.sql"
-          backupbot.backup.volumes.redis: "false"
-          backupbot.restore.post-hook: 'psql -U authentik -d postgres -c "DROP DATABASE authentik WITH (FORCE);" && createdb -U authentik authentik && psql -U authentik -d authentik -f /var/lib/postgresql/data/backup.sql'
+          backupbot.backup.path: "/var/lib/postgresql/data"

  redis:
-    image:  redis:7.4.0-alpine
-    command: --save 60 1 --loglevel warning
+    image:  redis:7.2.4-alpine
    networks:
      - internal
    healthcheck:
@ -159,8 +154,6 @@ services:
      timeout: 10s
      retries: 10
      start_period: 1m
-    volumes:
-        - redis:/data

 secrets:
  db_password:
@ -185,9 +178,8 @@ networks:
  internal:

 volumes:
+  backups:
  media:
-  certs:
-  redis:
  templates:
  assets:
  database:
--- a/compose.zammad.yml
+++ b/compose.zammad.yml
@ -1,14 +0,0 @@
-version: "3.8"
-services:
-  worker:
-    environment:
-      - ZAMMAD_DOMAIN
-    configs:
-      - source: zammad
-        target: /blueprints/zammad.yaml
-
-configs:
-  zammad:
-    name: ${STACK_NAME}_zammad_${ZAMMAD_CONFIG_VERSION}
-    file: zammad.yaml.tmpl
-    template_driver: golang
--- a/icons/bbb.jpg
+++ b/icons/bbb.jpg
--- a/icons/bbb.png
+++ b/icons/bbb.png
--- a/icons/zammad.svg
+++ b/icons/zammad.svg
@ -1,30 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<svg width="126px" height="108px" viewBox="0 0 42 36" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:sketch="http://www.bohemiancoding.com/sketch/ns">
-    <!-- Generator: Sketch 3.3.2 (12043) - http://www.bohemiancoding.com/sketch -->
-    <title>logo</title>
-    <desc>Created with Sketch.</desc>
-    <defs/>
-    <g id="Page-1" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd" sketch:type="MSPage">
-        <g id="logo" sketch:type="MSArtboardGroup">
-            <g sketch:type="MSLayerGroup" transform="translate(1.000000, 0.000000)" id="Shape">
-                <path d="M27.3375,12.6 L36.72,9.72 L31.1625,13.2525 L27.3375,12.6 Z" fill="#CA2317" sketch:type="MSShapeGroup"/>
-                <path d="M33.0525,19.62 L31.1625,13.2525 L36.72,9.72 L35.055,15.435 L33.0525,19.62 Z" fill="#E84F83" sketch:type="MSShapeGroup"/>
-                <path d="M39.465,7.9875 L38.43,9.72 L35.055,15.435 L36.72,9.72 L39.465,7.9875 Z" fill="#CA2317" sketch:type="MSShapeGroup"/>
-                <path d="M39.8025,9.1125 L37.1925,11.79 L38.43,9.72 L39.8025,9.1125 Z" fill="#E54011" sketch:type="MSShapeGroup"/>
-                <path d="M27.9,10.8225 L35.5725,10.0575 L30.24,11.7 L27.9,10.8225 Z" fill="#E54011" sketch:type="MSShapeGroup"/>
-                <path d="M28.1925,15.165 L31.1625,13.2525 L33.0525,19.62 L32.0625,21.645 L28.1925,15.165 Z" fill="#CA2317" sketch:type="MSShapeGroup"/>
-                <path d="M23.76,22.725 L22.3425,5.4 L32.0625,21.645 L23.76,22.725 Z" fill="#B7DFF2" sketch:type="MSShapeGroup"/>
-                <path d="M19.7325,27.1575 L23.76,22.725 L32.0625,21.645 L19.7325,27.1575 Z" fill="#E54011" sketch:type="MSShapeGroup"/>
-                <path d="M0.1575,35.865 L19.7325,27.1575 L23.76,22.725 L17.37,22.0725 L0.1575,35.865 Z" fill="#FFCE33" sketch:type="MSShapeGroup"/>
-                <path d="M0.9,28.755 L10.9575,27.225 L14.085,24.705 L12.555,24.03 L0.9,28.755 Z" fill="#D6B12D" sketch:type="MSShapeGroup"/>
-                <path d="M4.5225,20.5425 L14.085,24.705 L17.37,22.0725 L4.5225,20.5425 Z" fill="#FFDE85" sketch:type="MSShapeGroup"/>
-                <path d="M21.6225,11.6775 L20.4075,11.88 L17.37,22.0725 L20.655,20.0025 L21.6225,11.6775 Z" fill="#009EC6" sketch:type="MSShapeGroup"/>
-                <path d="M23.4,18.2475 L20.655,20.0025 L22.3425,5.4 L23.4,18.2475 Z" fill="#5EAFCE" sketch:type="MSShapeGroup"/>
-                <path d="M13.0275,13.05 L21.6225,11.6775 L22.005,8.28 L13.0275,13.05 Z" fill="#045972" sketch:type="MSShapeGroup"/>
-                <path d="M12.105,5.085 L19.575,9.585 L22.005,8.28 L22.0725,7.8075 L12.105,5.085 Z" fill="#5A8591" sketch:type="MSShapeGroup"/>
-                <path d="M13.5675,0.18 L20.3625,7.335 L22.0725,7.8075 L22.3425,5.4 L13.5675,0.18 Z" fill="#009EC6" sketch:type="MSShapeGroup"/>
-                <path d="M17.37,22.0725 L23.4,18.2475 L23.76,22.725 L17.37,22.0725 Z" fill="#F39804" sketch:type="MSShapeGroup"/>
-            </g>
-        </g>
-    </g>
-</svg>
--- a/monitoring.yaml.tmpl
+++ b/monitoring.yaml.tmpl
@ -25,7 +25,7 @@ entries:
  conditions: []
  id: monitoring_provider
  identifiers:
-    pk: 9990
+    pk: 9994
  model: authentik_providers_oauth2.oauth2provider
  state: present

--- a/release/6.6.0+2024.8.2
+++ b/release/6.6.0+2024.8.2
@ -1 +0,0 @@
-Replaced icon bbb.jpg with icon.png - configs need to be updated when upgrading!
--- a/release/6.7.0+2024.8.3
+++ b/release/6.7.0+2024.8.3
@ -1,3 +0,0 @@
-Two critical vulnerabilities were closed:
-https://github.com/goauthentik/authentik/security/advisories/GHSA-7jxf-mmg9-9hg7
-https://github.com/goauthentik/authentik/security/advisories/GHSA-8gfm-pr6x-pfh9
--- a/zammad.yaml.tmpl
+++ b/zammad.yaml.tmpl
@ -1,67 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: zammad
-
-entries:
- attrs:
-    expression: return request.user.name
-    managed: null
-    name: 'Zammad SAML Mapping: name'
-    saml_name: name
-  conditions: []
-  identifiers:
-    name: zammad_name_mapping
-  id: zammad_name_mapping
-  model: authentik_providers_saml.samlpropertymapping
-  state: present
-
- attrs:
-    expression: return request.user.email
-    managed: null
-    name: 'Zammad SAML Mapping: email'
-    saml_name: email
-  conditions: []
-  identifiers:
-    name: zammad_email_mapping
-  id: zammad_email_mapping
-  model: authentik_providers_saml.samlpropertymapping
-  state: present
-
- attrs:
-    acs_url: https://{{ env  "ZAMMAD_DOMAIN" }}/auth/saml/callback
-    assertion_valid_not_before: minutes=-5
-    assertion_valid_not_on_or_after: minutes=5
-    audience: https://{{ env  "ZAMMAD_DOMAIN" }}/auth/saml/metadata
-    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
-    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
-    issuer: https://{{ env  "ZAMMAD_DOMAIN" }}/auth/saml/metadata
-    name: zammad
-    property_mappings:
-    - !KeyOf zammad_name_mapping
-    - !KeyOf zammad_email_mapping
-    session_valid_not_on_or_after: minutes=86400
-    signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
-    signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
-    sp_binding: post
-  conditions: []
-  id: zammad_provider
-  identifiers:
-    pk: 9989
-  model: authentik_providers_saml.samlprovider
-  state: present
-
- attrs:
-    meta_launch_url: https://{{ env  "ZAMMAD_DOMAIN" }}
-    open_in_new_tab: true
-    policy_engine_mode: any
-    provider: !KeyOf zammad_provider
-    slug: zammad
-  conditions: []
-  id: zammad_application
-  identifiers:
-    name: Zammad
-  model: authentik_core.application
-  state: present
				`@ -1 +0,0 @@`
				`Replaced icon bbb.jpg with icon.png - configs need to be updated when upgrading!`