The authentication glue you need.
Go to file
3wc 4fe52c1e5f
continuous-integration/drone/push Build is passing Details
Fix Drone CI
2024-05-16 15:18:09 -03:00
icons add kimai saml integration 2024-05-08 12:34:07 +02:00
release chore: publish 6.1.0+2024.4.2 release 2024-05-15 16:42:35 +02:00
.drone.yml Fix Drone CI 2024-05-16 15:18:09 -03:00
.env.sample add kimai saml integration 2024-05-08 12:34:07 +02:00
.gitignore init 2022-04-13 12:51:04 +02:00
README.md WIP upgrade 2024-04-17 14:59:23 +02:00
abra.sh update quieten() function to make output less verbose 2024-05-08 21:50:39 +02:00
alaconnect.yml add alakazam integration file alaconnect.yml 2024-05-13 17:28:58 +02:00
compose.css.yml New approach to custom CSS relying on COPY_ASSETS 2024-04-27 13:55:42 -03:00
compose.hedgedoc.yml fix hedgedoc 2024-04-01 18:40:26 +02:00
compose.kimai.yml add kimai saml integration 2024-05-08 12:34:07 +02:00
compose.matrix.yml matrix/element sso blueprint 2023-04-06 18:30:21 +02:00
compose.monitoring.yml fix: copypasta 2023-05-23 16:31:12 +02:00
compose.nextcloud.yml nextcloud sso blueprint 2023-03-22 18:38:17 +01:00
compose.outline.yml chore: publish 4.1.0+2023.10.5 release 2024-02-08 00:22:17 +01:00
compose.outposts.yml security: don't expose docker socket by default 2023-07-06 15:15:02 +02:00
compose.rallly.yml add rallly oidc 2024-02-13 15:58:58 +01:00
compose.vikunja.yml vikunja sso blueprint 2023-04-26 10:19:47 +02:00
compose.wekan.yml wekan sso blueprint 2023-04-13 20:47:54 +02:00
compose.wordpress.yml feat: add wordpress group per env 2023-06-08 15:55:25 +02:00
compose.yml chore: publish 6.1.1+2024.4.2 release 2024-05-16 15:09:40 -03:00
custom.css.tmpl New approach to custom CSS relying on COPY_ASSETS 2024-04-27 13:55:42 -03:00
custom_flows.yaml.tmpl WIP upgrade 2024-04-17 14:59:23 +02:00
entrypoint.postgres.sh.tmpl chore: publish 3.3.1+2023.8.5 release 2023-11-22 21:36:27 +01:00
flow_authentication.yaml.tmpl WIP upgrade 2024-04-17 14:59:23 +02:00
flow_invalidation.yaml.tmpl Fix nondeterministic blueprint behaviour 2023-08-01 02:32:24 +02:00
flow_invitation.yaml.tmpl WIP upgrade 2024-03-06 14:28:51 +01:00
flow_recovery.yaml.tmpl Authentik update resillience: overwrite default blueprints 2023-03-22 17:26:25 +01:00
flow_translation.yaml.tmpl Fix nondeterministic blueprint behaviour 2023-08-01 02:32:24 +02:00
hedgedoc.yaml.tmpl add hedgedoc 2024-04-01 16:43:43 +02:00
kimai.yaml.tmpl add kimai saml integration 2024-05-08 12:34:07 +02:00
matrix.yaml.tmpl matrix/element sso blueprint 2023-04-06 18:30:21 +02:00
monitoring.yaml.tmpl fix: copypasta 2023-05-23 16:31:12 +02:00
nextcloud.yaml.tmpl nextcloud sso blueprint 2023-03-22 18:38:17 +01:00
outline.yaml.tmpl fix primary keys for outline and rallly 2024-04-01 16:36:34 +02:00
rallly.yaml.tmpl fix primary keys for outline and rallly 2024-04-01 16:36:34 +02:00
system_brand.yaml.tmpl WIP upgrade 2024-04-17 14:59:23 +02:00
vikunja.yaml.tmpl vikunja sso blueprint 2023-04-26 10:19:47 +02:00
wekan.yaml.tmpl fix wekan sso 2023-05-03 13:15:38 +02:00
wordpress.yaml.tmpl feat: add wordpress group per env 2023-06-08 15:55:25 +02:00

README.md

authentik

authentik is an open-source Identity Provider focused on flexibility and versatility

List of all possible environment variables

  • Category: Apps
  • Status: 0, work-in-progress
  • Image: ghcr/goauthentik/server, 4, upstream
  • Healthcheck: Yes
  • Backups: Yes
  • Email: Yes
  • Tests: No
  • SSO: Yes

Quick start

  • abra app new authentik
  • abra app config <app-name>
  • abra app secret insert <app_name> email_pass v1 <password>
  • abra app secret generate -a <app_name>
  • abra app deploy <app-name>

Rotate Secrets

Increment the secret versions using abra app config <app_name>

abra app secret generate -a <app_name>
abra app undeploy <app_name>
abra app deploy <app_name>
abra app cmd <app_name> db rotate_db_pass
abra app cmd <app_name> app set_admin_pass

Add SSO for Nextcloud

Uncomment Nextcloud configuration and set NEXTCLOUD_DOMAIN the using abra app config <app_name>:

COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
NEXTCLOUD_DOMAIN=nextcloud.example.com
SECRET_NEXTCLOUD_ID_VERSION=v1
SECRET_NEXTCLOUD_SECRET_VERSION=v1
APP_ICONS="nextcloud:~/.abra/recipes/authentik/icons/nextcloud.png"

Set the nextcloud Icon using abra app cmd -l -d <app_name> set_icons

The configuration inside Nextcloud can be found in the nextcloud recipe

Import User from CSV

Users can be imported from a CSV file of the following format:

First and last name, username, email@example.com, group1;group2;group3

Run the following command to import the file users.csv:

abra app cmd -l <app_name> import_user users.csv

Users will only be created if the username does not exits. I a group does not exists it will be created.

Customization

Place the files you want to overwrite in a directory <assets_path>. Run abra app config <app_name> and define the env variable COPY_ASSETS in the following format:

"<source_file1>|<service>:<target_directory1> <source_file2>|<service>:<target_directory2> ...

For example:

COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/
COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"

Run this command after every deploy/upgrade:

abra app command --local <app-name> customize <assets_path>

Email templates

Add custom email templates:

abra app cmd -l <app_name> add_email_templates local/path/to/mail_template.html

Blueprints

These blueprints overwrite default blueprint values:

  • flow_translation.yaml
  • flow_authentication.yaml

The following default blueprints will be overwritten by customizations:

  • flow-password-change.yaml
  • flow-default-authentication-flow.yaml
  • flow-default-user-settings-flow.yaml
  • flow-default-source-enrollment.yaml

The abra.sh function apply_blueprints needs to be executed to deactivate these blueprints to ensure that the customizations won't be overwritten. It will further execute flow_translation.yaml and flow_authentication.yaml again.

Blueprint Overwrite/Use Dependencies

  • Recovery with email verification
    • Default - Password change flow
      • USE:
        • default-password-change-prompt
        • default-password-change-write
    • Default - Authentication flow
      • USE:
        • default-authentication-login
  • Custom Authentication Flow
    • Default - Authentication flow
      • USE:
        • default-authentication-password
      • OVERWRITE:
        • default-authentication-flow
      • APPEND:
        • default-authentication-identification
        • default-authentication-login
      • REMOVE: authentik_flows.flowstagebinding order:20
    • Recovery with email verification
      • USE:
        • default-recovery-flow
  • Invitation Enrollment Flow
    • Default - User settings flow
      • USE:
        • default-user-settings-field-name
        • default-user-settings-field-email
    • Default - Password change flow
      • USE:
        • default-password-change-field-password
        • default-password-change-field-password-repeat
    • Default - Authentication flow
      • USE:
        • default-authentication-login
    • Default - Source enrollment flow
      • USE:
        • default-source-enrollment-field-username
        • default-source-enrollment-write
  • Custom Invalidation Flow
    • Default - Invalidation flow
      • APPEND_ATTR:
        • authentik_flows.flowstagebinding order: 0
  • Flow Translations
    • Recovery with email verification
      • APPEND: default-recovery-flow
    • Default - Password change flow
      • OVERWRITE:
        • default-password-change-field-password
        • default-password-change-field-password-repeat
    • Default - User settings flow
      • OVERWRITE:
        • default-user-settings-field-username
        • default-user-settings-field-name
    • Default - Source enrollment flow
      • OVERWRITE:
        • default-source-enrollment-field-username
  • Custom System Brand
    • Default - Brand
      • APPEND: authentik_brands.brand domain: authentik-default
    • Recovery with email verification
      • USE:
        • default-recovery-flow

Blueprint Dependency Execution Order

  1. Custom System Brand
    • Default - Brand
    1. Recovery with email verification
      • Default - Authentication flow
        • Default - Password change flow
  2. Invitation Enrollment Flow 3. Flow Translations - Default - User settings flow - Default - Source enrollment flow 1. Recovery with email verification - Default - Authentication flow - Default - Password change flow
  3. Custom Authentication Flow
    1. Recovery with email verification
      • Default - Authentication flow
        • Default - Password change flow
  4. Custom Invalidation Flow
    • Default - Invalidation flow

For more, see docs.coopcloud.tech.