nextcloud sso blueprint
This commit is contained in:
parent
deb953a94f
commit
8b8fddf1e4
|
@ -2,6 +2,7 @@ TYPE=authentik
|
|||
LETS_ENCRYPT_ENV=production
|
||||
|
||||
DOMAIN=authentik.example.com
|
||||
COMPOSE_FILE="compose.yml"
|
||||
AUTHENTIK_ERROR_REPORTING__ENABLED=true
|
||||
AUTHENTIK_LOG_LEVEL=info
|
||||
# AUTHENTIK_IMPERSONATION=true
|
||||
|
@ -38,3 +39,7 @@ COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
|
|||
COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/"
|
||||
COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
|
||||
|
||||
# COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
|
||||
# NEXTCLOUD_DOMAIN=nextcloud.example.com
|
||||
# SECRET_NEXTCLOUD_ID_VERSION=v1
|
||||
# SECRET_NEXTCLOUD_SECRET_VERSION=v1
|
||||
|
|
2
abra.sh
2
abra.sh
|
@ -5,6 +5,7 @@ export FLOW_INVALIDATION_VERSION=v1
|
|||
export FLOW_RECOVERY_VERSION=v1
|
||||
export FLOW_TRANSLATION_VERSION=v1
|
||||
export SYSTEM_TENANT_VERSION=v1
|
||||
export NEXTCLOUD_CONFIG_VERSION=v1
|
||||
|
||||
customize() {
|
||||
if [ -z "$1" ]
|
||||
|
@ -102,6 +103,7 @@ delete_flows = ['default-recovery-flow' , 'custom-authentication-flow' , 'invita
|
|||
Flow.objects.filter(slug__in=delete_flows).delete()
|
||||
Stage.objects.filter(flow=None).delete()
|
||||
Prompt.objects.filter(promptstage=None).delete()
|
||||
Tenant.objects.filter(default=True).delete()
|
||||
"""
|
||||
apply_blueprints
|
||||
}
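Review bot: The `apply_blueprints` call just before the closing `}` runs unconditionally after the Python cleanup heredoc, and nothing visible in the hunk checks whether that cleanup succeeded, so a failed `Tenant.objects.filter(default=True).delete()` or flow deletion would still be followed by a blueprint apply against a half-cleaned state. The heredoc invocation and the function's start are outside the hunk, so whether `set -e` or an explicit status check already covers this cannot be seen here; if not, guarding the invocation with something like `... || return 1` would surface the failure to the operator instead of hiding it behind a successful-looking apply. The first hunk's `export NEXTCLOUD_CONFIG_VERSION=v1` is what the compose config name is derived from; a one-line comment there saying it must be bumped whenever `nextcloud.yaml.tmpl` changes would help the next maintainer.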
|
||||
|
|
|
@ -0,0 +1,26 @@
|
|||
version: "3.8"
|
||||
services:
|
||||
worker:
|
||||
secrets:
|
||||
- nextcloud_id
|
||||
- nextcloud_secret
|
||||
environment:
|
||||
- NEXTCLOUD_DOMAIN
|
||||
configs:
|
||||
- source: nextcloud
|
||||
target: /blueprints/nextcloud.yaml
|
||||
|
||||
secrets:
|
||||
nextcloud_id:
|
||||
external: true
|
||||
name: ${STACK_NAME}_nextcloud_id_${SECRET_NEXTCLOUD_ID_VERSION}
|
||||
nextcloud_secret:
|
||||
external: true
|
||||
name: ${STACK_NAME}_nextcloud_secret_${SECRET_NEXTCLOUD_SECRET_VERSION}
|
||||
|
||||
|
||||
configs:
|
||||
nextcloud:
|
||||
name: ${STACK_NAME}_nextcloud_${NEXTCLOUD_CONFIG_VERSION}
|
||||
file: nextcloud.yaml.tmpl
|
||||
template_driver: golang
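Review bot: The rendered blueprint at `target: /blueprints/nextcloud.yaml` ends up containing the OAuth client secret in clear text, because the template pulls it in from the `nextcloud_secret` secret, yet the config entry sets no `mode`, so the file is created with the default permissions and is readable by any process in the worker container. Adding `mode: 0400` under the same `- source: nextcloud` entry keeps the rendered file's exposure closer to that of the secret mount it is derived from. The `${SECRET_NEXTCLOUD_ID_VERSION}` and `${SECRET_NEXTCLOUD_SECRET_VERSION}` interpolations have no default, so an unset variable yields a secret name ending in `_` rather than a clear error; `${SECRET_NEXTCLOUD_ID_VERSION:?}` would fail fast, assuming the deployment tooling does not already guarantee the variables are set.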
|
|
@ -0,0 +1,56 @@
|
|||
version: 1
|
||||
metadata:
|
||||
labels:
|
||||
blueprints.goauthentik.io/instantiate: "true"
|
||||
name: Nextcloud
|
||||
|
||||
entries:
|
||||
- attrs:
|
||||
description: nextcloud
|
||||
expression: 'return { "nextcloud_groups": [{"gid": group.name, "displayName":
|
||||
group.name} for group in request.user.ak_groups.all()], }'
|
||||
managed: null
|
||||
scope_name: nextcloud
|
||||
conditions: []
|
||||
id: nextcloud_group_mapping
|
||||
identifiers:
|
||||
name: nextcloud
|
||||
model: authentik_providers_oauth2.scopemapping
|
||||
state: present
|
||||
|
||||
- attrs:
|
||||
access_code_validity: minutes=1
|
||||
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
|
||||
client_id: {{ secret "nextcloud_id" }}
|
||||
client_secret: {{ secret "nextcloud_secret" }}
|
||||
client_type: confidential
|
||||
include_claims_in_id_token: true
|
||||
issuer_mode: per_provider
|
||||
name: Nextcloud
|
||||
property_mappings:
|
||||
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
|
||||
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
|
||||
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
|
||||
- !KeyOf nextcloud_group_mapping
|
||||
signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
|
||||
sub_mode: user_username
|
||||
token_validity: days=30
|
||||
conditions: []
|
||||
id: nextcloud_provider
|
||||
identifiers:
|
||||
pk: 9999
|
||||
model: authentik_providers_oauth2.oauth2provider
|
||||
state: present
|
||||
|
||||
- attrs:
|
||||
meta_launch_url: https://{{ env "NEXTCLOUD_DOMAIN" }}
|
||||
open_in_new_tab: true
|
||||
policy_engine_mode: any
|
||||
provider: !KeyOf nextcloud_provider
|
||||
slug: nextcloud
|
||||
conditions: []
|
||||
id: nextcloud_application
|
||||
identifiers:
|
||||
name: Nextcloud
|
||||
model: authentik_core.application
|
||||
state: present
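Review bot: `client_id: {{ secret "nextcloud_id" }}` and `client_secret: {{ secret "nextcloud_secret" }}` inject the secret file contents as plain scalars, so the rendered YAML is only valid if the secret contains no YAML-significant characters (`: `, ` #`, or a leading `[`, `{`, `*`, `&`); single-quoting them, `client_id: '{{ secret "nextcloud_id" }}'`, makes the rendering robust, assuming the generated secret contains neither a single quote nor a trailing newline, which is not visible here. Separately, `sub_mode: user_username` ties the OIDC subject to a mutable, reusable username, so a renamed user gets a fresh Nextcloud account and a later user created with a released username inherits the previous user's account; unless Nextcloud is deliberately matching by username, `sub_mode: hashed_user_id` avoids that. `pk: 9999` as the provider identifier also presumes no existing provider already holds that key; a short comment on that line explaining why a fixed key was chosen over a name-based identifier would save the next reader the question. The file is a Go template, so the `{{ … }}` expressions are expanded before YAML parsing; a header comment stating that, and naming the `nextcloud_id`/`nextcloud_secret` secrets and `NEXTCLOUD_DOMAIN` variable it expects, would make the file self-describing.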
|
15
release/next
15
release/next
|
@ -1 +1,16 @@
|
|||
Run `abra app cmd <app_name> worker blueprint_cleanup` to apply the new blueprint configuration and delete the old configuration.
|
||||
|
||||
If the nextcloud provider should be managed by abra add the following to the env:
|
||||
|
||||
COMPOSE_FILE="compose.yml:compose.nextcloud.yml"
|
||||
NEXTCLOUD_DOMAIN=nextcloud.example.com
|
||||
SECRET_NEXTCLOUD_ID_VERSION=v1
|
||||
SECRET_NEXTCLOUD_SECRET_VERSION=v1
|
||||
|
||||
and generate the secrets:
|
||||
|
||||
abra app secret generate -a <app_name>
|
||||
|
||||
Eventuelly you need to manually remove the old nextcloud provider and application
|
||||
|
||||
Don't forget to update the nextcloud config for authentik as well.
|
||||
|
|