From 32d5db0b7965e5c7409ecfbc9ac6f1d51e74c020 Mon Sep 17 00:00:00 2001
From: Philipp Rothmann
Date: Wed, 13 Apr 2022 12:04:03 +0200
Subject: [PATCH] init
---
.env.sample | 33 +++++++++++++
.gitignore | 1 +
README.md | 27 ++++++++++
compose.yml | 138 ++++++++++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 199 insertions(+)
create mode 100644 .env.sample
create mode 100644 .gitignore
create mode 100644 README.md
create mode 100644 compose.yml
diff --git a/.env.sample b/.env.sample
new file mode 100644
index 0000000..2c75e0e
--- /dev/null
+++ b/.env.sample
@@ -0,0 +1,33 @@
+TYPE=authentik
+LETS_ENCRYPT_ENV=production
+
+DOMAIN=sso.example.com
+POSTGRES_PASSWORD=secret
+AUTHENTIK_POSTGRESQL__PASSWORD=secret
+POSTGRES_USER=authentik
+AUTHENTIK_POSTGRESQL__USER=authentik
+POSTGRES_DB=authentik
+AUTHENTIK_POSTGRESQL__NAME=authentik
+AUTHENTIK_POSTGRESQL__HOST=db
+AUTHENTIK_REDIS__HOST=redis
+AUTHENTIK_ERROR_REPORTING__ENABLED=true
+# WORKERS=1
+AUTHENTIK_SECRET_KEY=secret
+AK_ADMIN_TOKEN=secret
+AK_ADMIN_PASS=secret
+
+# EMAIL
+AUTHENTIK_EMAIL__HOST=smtp
+AUTHENTIK_EMAIL__PORT=25
+# AUTHENTIK_EMAIL__USERNAME=""
+# AUTHENTIK_EMAIL__PASSWORD=""
+AUTHENTIK_EMAIL__USE_TLS=false
+AUTHENTIK_EMAIL__USE_SSL=false
+AUTHENTIK_EMAIL__TIMEOUT=10
+AUTHENTIK_EMAIL__FROM=noreply@example.com
+AUTHENTIK_LOG_LEVEL=info
+
+# Secret Versions
+# SECRET_SECRET_KEY_VERSION=v1
+# SECRET_ADMIN_TOKEN_VERSION=v1
+# SECRET_ADMIN_PASS_VERSION=v1
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..7a6353d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.envrc
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..23b4446
--- /dev/null
+++ b/README.md
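Review bot: Every credential in this sample is the literal string `secret` (`POSTGRES_PASSWORD`, `AUTHENTIK_POSTGRESQL__PASSWORD`, `AUTHENTIK_SECRET_KEY`, `AK_ADMIN_TOKEN`, `AK_ADMIN_PASS`), and because the `secrets:` stanza in compose.yml from this same commit is commented out, there is nothing that replaces them at deploy time, so the database password in particular ships as `secret` if the tooling exports this file into the stack environment as the README's quick start implies. Leave the values empty or set them to an obviously invalid marker so a deploy that has not generated real secrets fails loudly, e.g. `POSTGRES_PASSWORD=` with the comment `# set by abra --secrets once the secrets block in compose.yml is enabled; never deploy the sample value`. The `# Secret Versions` lines being commented out should be called out in the same comment, since the compose secrets names depend on them. Also note `AUTHENTIK_ERROR_REPORTING__ENABLED=true` opts every deployment into sending error reports upstream by default; shipping it as `false` and documenting it as an opt-in is the safer default for a sample.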
@@ -0,0 +1,27 @@
+# authentik
+
+[authentik](https://goauthentik.io/) is an open-source Identity Provider focused on flexibility and versatility
+
+
+[List of all possible environment variables](https://goauthentik.io/docs/installation/configuration)
+
+
+
+* **Category**: * **Category**: Apps
+* **Status**: 0, work-in-progress
+* **Image**: [ghcr/goauthentik/server](ghcr.io/goauthentik/server)
+* **Healthcheck**: Yes
+* **Backups**: Yes
+* **Email**: Yes
+* **Tests**: No
+* **SSO**: Yes
+
+
+
+## Quick start
+
+* `abra app new {{ .Name }} --secrets`
+* `abra app config `
+* `abra app deploy `
+
+For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech).
diff --git a/compose.yml b/compose.yml
new file mode 100644
index 0000000..614fe1c
--- /dev/null
+++ b/compose.yml
@@ -0,0 +1,138 @@ +--- + +x-env: &env + - AUTHENTIK_POSTGRESQL__PASSWORD + - AUTHENTIK_POSTGRESQL__USER + - AUTHENTIK_POSTGRESQL__NAME + - AUTHENTIK_POSTGRESQL__HOST + - AUTHENTIK_REDIS__HOST + - AUTHENTIK_ERROR_REPORTING__ENABLED + - AUTHENTIK_SECRET_KEY= #file:///run/secrets/secret_key + - AK_ADMIN_TOKEN= #file:///run/secrets/admin_token + - AK_ADMIN_PASS= #file:///run/secrets/admin_pass + - AUTHENTIK_EMAIL__HOST + - AUTHENTIK_EMAIL__PORT + - AUTHENTIK_EMAIL__USERNAME + - AUTHENTIK_EMAIL__PASSWORD + - AUTHENTIK_EMAIL__USE_TLS + - AUTHENTIK_EMAIL__USE_SSL + - AUTHENTIK_EMAIL__TIMEOUT + - AUTHENTIK_EMAIL__FROM + - AUTHENTIK_LOG_LEVEL + + +version: '3.8' +services: + app: + image: ghcr.io/goauthentik/server:2022.4.1 + command: server + # secrets: + # - db_password + # - admin_pass + # - admin_token + # - secret_key + volumes: + - media:/media + - custom-templates:/templates + networks: + - internal + - proxy + healthcheck: + test: ["CMD", "curl", "-f", "localhost:9000/-/health/live/"] + interval: 30s + timeout: 10s + retries: 10 + start_period: 1m + environment: *env + deploy: + update_config: + failure_action: rollback + order: start-first + labels: + - "traefik.enable=true" + - "traefik.docker.network=proxy" + - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=9000" + - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)" + - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure" + - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}" + - "coop-cloud.${STACK_NAME}.version=1.0.0+2022.4.1" + + worker: + image: ghcr.io/goauthentik/server:2022.4.1 + command: worker + # secrets: + # - db_password + # - admin_pass + # - admin_token + # - secret_key + networks: + - internal + - proxy + user: root + volumes: + - backups:/backups + - media:/media + - /var/run/docker.sock:/var/run/docker.sock + - custom-templates:/templates + environment: *env + + db: + image: postgres:12.8-alpine + # secrets: + # - db_password + volumes: + - 
database:/var/lib/postgresql/data + networks: + - internal + healthcheck: + test: ["CMD", "pg_isready"] + interval: 30s + timeout: 10s + retries: 10 + start_period: 1m + environment: + - POSTGRES_PASSWORD + - POSTGRES_USER + - POSTGRES_DB + deploy: + labels: + backupbot.backup: "true" + backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=${POSTGRES_PASSWORD} pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > /tmp/backup/backup.sql" + backupbot.backup.post-hook: "rm -rf /tmp/backup" + backupbot.backup.path: "/tmp/backup/" + + redis: + image: redis:6.2.6-alpine + networks: + - internal + healthcheck: + test: ["CMD", "redis-cli","ping"] + interval: 30s + timeout: 10s + retries: 10 + start_period: 1m + +# secrets: + # db_password: + # external: true + # name: ${STACK_NAME}_db_password + # secret_key: + # external: true + # name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION} + # admin_token: + # external: true + # name: ${STACK_NAME}_admin_token_${SECRET_ADMIN_TOKEN_VERSION} + # admin_pass: + # external: true + # name: ${STACK_NAME}_admin_pass_${SECRET_ADMIN_PASS_VERSION} + +networks: + proxy: + external: true + internal: + +volumes: + backups: + media: + custom-templates: + database:
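Review bot: In the `x-env` anchor, `- AUTHENTIK_SECRET_KEY= #file:///run/secrets/secret_key` (and the matching `AK_ADMIN_TOKEN=` and `AK_ADMIN_PASS=` lines) ends in a YAML comment, so the container is handed `AUTHENTIK_SECRET_KEY=` — an empty value that overrides whatever `.env` sets — while the `secrets:` stanza that would populate `/run/secrets/secret_key` is commented out, leaving the cookie-signing key and bootstrap admin credentials unset. Either drop the trailing `=` so the value is taken from the environment like the other entries, or enable the secrets and use the `file://` form the comment hints at, `- AUTHENTIK_SECRET_KEY=file:///run/secrets/secret_key`, for all three. Separately, the `worker` service runs as `user: root` with `/var/run/docker.sock` mounted and is attached to the `proxy` network although only `app` is routed by Traefik; that socket is host-root equivalent, so add a comment stating why it is required (presumably the outpost/docker integration) and detach the worker from `proxy`. The `backupbot.backup.pre-hook` label also interpolates `${POSTGRES_PASSWORD}` into service metadata that `docker service inspect` exposes; once the `db_password` secret is enabled, have the hook read it from `/run/secrets/db_password` instead.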