decentral1se efd67032cf
Merge pull request 'add commands to generate client id and secret' (#15) from benjaminlyng/authentik:docs/generating_nextcloud_SSO_secrets into main
Reviewed-on: #15
Reviewed-by: decentral1se <decentral1se@noreply.git.coopcloud.tech>
2025-04-19 07:15:05 +00:00

authentik

authentik is an open-source Identity Provider focused on flexibility and versatility

List of all possible environment variables

  • Category: Apps
  • Status: 0, work-in-progress
  • Image: ghcr/goauthentik/server, 4, upstream
  • Healthcheck: Yes
  • Backups: Yes
  • Email: Yes
  • Tests: No
  • SSO: Yes

Quick start

  • abra app new authentik
  • abra app config <app_name>
  • abra app secret insert <app_name> email_pass v1 <password>
  • abra app secret generate -a <app_name>
  • abra app deploy <app_name>

Rotate Secrets

Increment the secret versions using abra app config <app_name>

abra app secret generate -a <app_name>
abra app undeploy <app_name>
abra app deploy <app_name>
abra app cmd <app_name> db rotate_db_pass
abra app cmd <app_name> app set_admin_pass

Add SSO for Nextcloud

Uncomment the Nextcloud configuration and set NEXTCLOUD_DOMAIN using abra app config <app_name>:

COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
NEXTCLOUD_DOMAIN=nextcloud.example.com
SECRET_NEXTCLOUD_ID_VERSION=v1
SECRET_NEXTCLOUD_SECRET_VERSION=v1
APP_ICONS="nextcloud:~/.abra/recipes/authentik/icons/nextcloud.png"

Set the Nextcloud icon using abra app cmd -l -d <app_name> set_icons

Generate OAuth client id and secret using abra app secret generate <app_name> -a (all secrets) or individually:

  • abra app secret generate <app_name> nextcloud_id
  • abra app secret generate <app_name> nextcloud_secret

Add the id and secret to nextcloud as secrets with:

  • abra app secret insert <nextcloud_app_name> authentik_id v1 <id>
  • abra app secret insert <nextcloud_app_name> authentik_secret v1 <secret>

Redeploy Authentik to enable the nextcloud client.

The configuration inside Nextcloud can be found in the nextcloud recipe.

Add LDAP outpost

  • Follow the official guide and skip the LDAP flow, as this recipe does not need it.
  • Copy the token under Applications -> Outposts -> View Deployment Info.
  • Uncomment the env variables for compose.outposts.ldap.yaml and the secret version.
  • Insert the token as a secret: abra app secret insert <DOMAIN> ldap_token v1 <TOKEN>
  • Update the deployment; the outpost should then be up and running.

Import User from CSV

Users can be imported from a CSV file of the following format:

First and last name, username, email@example.com, group1;group2;group3

Run the following command to import the file users.csv:

abra app cmd -l <app_name> import_user users.csv

Users will only be created if the username does not already exist. If a group does not exist, it will be created.
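The parser and the create-if-missing rules described above, written out as an added example; this is not the recipe's own import_user implementation, and the sample CSV, the function names parse_users and plan_import, and the in-memory "existing users/groups" sets are constructed here for illustration. The example assumes that a group named on a line is created even when the user on that line is skipped, which the text leaves open.

```python
import csv
import io

# Constructed sample input in the documented format (not a real user list).
# Line 3 repeats a username on purpose, line 4 has no groups.
SAMPLE_CSV = """\
Alice Example, alice, alice@example.com, admins;staff
Bob Example, bob, bob@example.com, staff
Alice Example, alice, alice@example.com, admins
Carol Example, carol, carol@example.com,
"""


def parse_users(text):
    """Parse lines of 'First and last name, username, email, group1;group2;...'.

    Whitespace around fields is stripped and the group field may be empty.
    Blank lines are skipped; a line without exactly four fields or with an
    empty username raises ValueError naming the line number.
    """
    users = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not field.strip() for field in row):
            continue
        if len(row) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(row)}")
        name, username, email, groups = (field.strip() for field in row)
        if not username:
            raise ValueError(f"line {lineno}: empty username")
        group_list = [g.strip() for g in groups.split(";") if g.strip()]
        users.append({"name": name, "username": username,
                      "email": email, "groups": group_list})
    return users


def plan_import(users, existing_users, existing_groups):
    """Apply the documented rules against an in-memory picture of the IdP.

    A user is created only if the username is not known yet (including
    usernames seen earlier in the same file); every referenced group that
    does not exist is created first (assumption: also for skipped users).
    Returns (created_usernames, created_groups, skipped_usernames).
    """
    known_users = set(existing_users)
    known_groups = set(existing_groups)
    created_users, created_groups, skipped = [], [], []
    for user in users:
        for group in user["groups"]:
            if group not in known_groups:
                known_groups.add(group)
                created_groups.append(group)
        if user["username"] in known_users:
            skipped.append(user["username"])
            continue
        known_users.add(user["username"])
        created_users.append(user["username"])
    return created_users, created_groups, skipped


if __name__ == "__main__":
    # Dry run: show what the import would do before touching the IdP.
    parsed = parse_users(SAMPLE_CSV)
    created, groups, skipped = plan_import(parsed, {"bob"}, {"staff"})
    print("create users:", created)
    print("create groups:", groups)
    print("skip (already exist):", skipped)
```

Running the dry run before a real import makes duplicate usernames and typos in the group column visible, which is cheaper than cleaning up half-created accounts afterwards.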

Customization

Place the files you want to overwrite in a directory <assets_path>. Run abra app config <app_name> and define the env variable COPY_ASSETS in the following format:

"<source_file1>|<service>:<target_directory1> <source_file2>|<service>:<target_directory2> ..."

For example:

COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/"
COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"

Run this command after every deploy/upgrade:

abra app command --local <app-name> customize <assets_path>
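As an added example of how a COPY_ASSETS value in the format above can be parsed and checked before anything is copied; this is not the recipe's own customize function. The sample value, the function names, the assets directory name and the rendering of each entry as an abra app cp call (the syntax used in the Custom CSS section) are assumptions made for illustration.

```python
import os

# Constructed value in the documented '<source>|<service>:<target_dir>' format.
SAMPLE_COPY_ASSETS = (
    "flow_background.jpg|app:/web/dist/assets/images/ "
    "icon_left_brand.svg|app:/web/dist/assets/icons/ "
    "icon.png|app:/web/dist/assets/icons/"
)


def parse_copy_assets(value):
    """Split a COPY_ASSETS string into (source, service, target) triples.

    Entries are whitespace-separated. An entry without '|' or ':', with an
    empty source or service, or whose target is not an absolute path raises
    ValueError, so a typo in the env var fails before the first copy.
    """
    entries = []
    for entry in value.split():
        if "|" not in entry:
            raise ValueError(f"missing '|' in {entry!r}")
        source, dest = entry.split("|", 1)
        if ":" not in dest:
            raise ValueError(f"missing ':' in {entry!r}")
        service, target = dest.split(":", 1)
        if not source or not service or not target.startswith("/"):
            raise ValueError(f"malformed entry {entry!r}")
        entries.append((source, service, target))
    return entries


def resolve_sources(entries, assets_path):
    """Map each source to its path under <assets_path>.

    Entries whose resolved path leaves the assets directory (for example a
    source containing '..') are rejected, so only files placed in that
    directory on purpose are ever copied into the container.
    """
    base = os.path.realpath(assets_path)
    resolved = []
    for source, service, target in entries:
        local = os.path.realpath(os.path.join(base, source))
        if os.path.commonpath([base, local]) != base:
            raise ValueError(f"source {source!r} escapes {assets_path!r}")
        resolved.append((local, service, target))
    return resolved


def copy_commands(entries, app_name, assets_path):
    """Render one 'abra app cp <app> <local> <service>:<target>' line per entry
    (assumed form, mirroring the Custom CSS section of this README)."""
    return [
        f"abra app cp {app_name} {local} {service}:{target}"
        for local, service, target in resolve_sources(entries, assets_path)
    ]


if __name__ == "__main__":
    # Print the copies that would run for the sample value and a local 'assets' dir.
    for line in copy_commands(parse_copy_assets(SAMPLE_COPY_ASSETS), "myapp", "assets"):
        print(line)
```

The value is parsed from the final, concatenated string, so the `COPY_ASSETS="$COPY_ASSETS ..."` accumulation shown above yields three entries; the containment check is the one extra step a reviewer would want before a script copies arbitrary env-named files into a running service.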

Custom CSS

Uncomment the following env:

COMPOSE_FILE="$COMPOSE_FILE:compose.css-volume.yml"

Redeploy the app:

abra app deploy -f <app_name>

Copy the CSS and restart the container:

abra app cp <app_name> my_custom.css app:/web/dist/assets/custom.css
abra app restart <app_name> app

Email templates

Add custom email templates:

abra app cmd -l <app_name> add_email_templates local/path/to/mail_template.html

Blueprints

These blueprints overwrite default blueprint values:

  • flow_translation.yaml
  • flow_authentication.yaml

The following default blueprints will be overwritten by customizations:

  • flow-password-change.yaml
  • flow-default-authentication-flow.yaml
  • flow-default-user-settings-flow.yaml
  • flow-default-source-enrollment.yaml

The abra.sh function apply_blueprints must be executed to deactivate these default blueprints, so that the customizations are not overwritten. It also applies flow_translation.yaml and flow_authentication.yaml again.

Blueprint Overwrite/Use Dependencies

  • Recovery with email verification
    • Default - Password change flow
      • USE:
        • default-password-change-prompt
        • default-password-change-write
    • Default - Authentication flow
      • USE:
        • default-authentication-login
  • Custom Authentication Flow
    • Default - Authentication flow
      • USE:
        • default-authentication-password
      • OVERWRITE:
        • default-authentication-flow
      • APPEND:
        • default-authentication-identification
        • default-authentication-login
      • REMOVE: authentik_flows.flowstagebinding order:20
    • Recovery with email verification
      • USE:
        • default-recovery-flow
  • Invitation Enrollment Flow
    • Default - User settings flow
      • USE:
        • default-user-settings-field-name
        • default-user-settings-field-email
    • Default - Password change flow
      • USE:
        • default-password-change-field-password
        • default-password-change-field-password-repeat
    • Default - Authentication flow
      • USE:
        • default-authentication-login
    • Default - Source enrollment flow
      • USE:
        • default-source-enrollment-field-username
        • default-source-enrollment-write
  • Custom Invalidation Flow
    • Default - Invalidation flow
      • APPEND_ATTR:
        • authentik_flows.flowstagebinding order: 0
  • Flow Translations
    • Recovery with email verification
      • APPEND: default-recovery-flow
    • Default - Password change flow
      • OVERWRITE:
        • default-password-change-field-password
        • default-password-change-field-password-repeat
    • Default - User settings flow
      • OVERWRITE:
        • default-user-settings-field-username
        • default-user-settings-field-name
    • Default - Source enrollment flow
      • OVERWRITE:
        • default-source-enrollment-field-username
  • Custom System Brand
    • Default - Brand
      • APPEND: authentik_brands.brand domain: authentik-default
    • Recovery with email verification
      • USE:
        • default-recovery-flow

Blueprint Dependency Execution Order

  1. Custom System Brand
    • Default - Brand
    1. Recovery with email verification
      • Default - Authentication flow
        • Default - Password change flow
  2. Invitation Enrollment Flow
  3. Flow Translations
    • Default - User settings flow
    • Default - Source enrollment flow
    1. Recovery with email verification
      • Default - Authentication flow
        • Default - Password change flow
  4. Custom Authentication Flow
    1. Recovery with email verification
      • Default - Authentication flow
        • Default - Password change flow
  5. Custom Invalidation Flow
    • Default - Invalidation flow

For more, see docs.coopcloud.tech.

Description
The authentication glue you need.