nextcloud sso blueprint

This commit is contained in:
Moritz 2023-03-22 17:29:34 +01:00
parent deb953a94f
commit 8b8fddf1e4
5 changed files with 104 additions and 0 deletions

View File

@ -2,6 +2,7 @@ TYPE=authentik
LETS_ENCRYPT_ENV=production
DOMAIN=authentik.example.com
COMPOSE_FILE="compose.yml"
AUTHENTIK_ERROR_REPORTING__ENABLED=true
AUTHENTIK_LOG_LEVEL=info
# AUTHENTIK_IMPERSONATION=true
@ -38,3 +39,7 @@ COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/"
COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
# COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
# NEXTCLOUD_DOMAIN=nextcloud.example.com
# SECRET_NEXTCLOUD_ID_VERSION=v1
# SECRET_NEXTCLOUD_SECRET_VERSION=v1

View File

@ -5,6 +5,7 @@ export FLOW_INVALIDATION_VERSION=v1
export FLOW_RECOVERY_VERSION=v1
export FLOW_TRANSLATION_VERSION=v1
export SYSTEM_TENANT_VERSION=v1
export NEXTCLOUD_CONFIG_VERSION=v1
customize() {
if [ -z "$1" ]
@ -102,6 +103,7 @@ delete_flows = ['default-recovery-flow' , 'custom-authentication-flow' , 'invita
Flow.objects.filter(slug__in=delete_flows).delete()
Stage.objects.filter(flow=None).delete()
Prompt.objects.filter(promptstage=None).delete()
Tenant.objects.filter(default=True).delete()
"""
apply_blueprints
}

26
compose.nextcloud.yml Normal file
View File

@ -0,0 +1,26 @@
version: "3.8"
services:
worker:
secrets:
- nextcloud_id
- nextcloud_secret
environment:
- NEXTCLOUD_DOMAIN
configs:
- source: nextcloud
target: /blueprints/nextcloud.yaml
secrets:
nextcloud_id:
external: true
name: ${STACK_NAME}_nextcloud_id_${SECRET_NEXTCLOUD_ID_VERSION}
nextcloud_secret:
external: true
name: ${STACK_NAME}_nextcloud_secret_${SECRET_NEXTCLOUD_SECRET_VERSION}
configs:
nextcloud:
name: ${STACK_NAME}_nextcloud_${NEXTCLOUD_CONFIG_VERSION}
file: nextcloud.yaml.tmpl
template_driver: golang

56
nextcloud.yaml.tmpl Normal file
View File

@ -0,0 +1,56 @@
version: 1
metadata:
labels:
blueprints.goauthentik.io/instantiate: "true"
name: Nextcloud
entries:
- attrs:
description: nextcloud
expression: 'return { "nextcloud_groups": [{"gid": group.name, "displayName":
group.name} for group in request.user.ak_groups.all()], }'
managed: null
scope_name: nextcloud
conditions: []
id: nextcloud_group_mapping
identifiers:
name: nextcloud
model: authentik_providers_oauth2.scopemapping
state: present
- attrs:
access_code_validity: minutes=1
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
client_id: {{ secret "nextcloud_id" }}
client_secret: {{ secret "nextcloud_secret" }}
client_type: confidential
include_claims_in_id_token: true
issuer_mode: per_provider
name: Nextcloud
property_mappings:
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
- !KeyOf nextcloud_group_mapping
signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
sub_mode: user_username
token_validity: days=30
conditions: []
id: nextcloud_provider
identifiers:
pk: 9999
model: authentik_providers_oauth2.oauth2provider
state: present
- attrs:
meta_launch_url: https://{{ env "NEXTCLOUD_DOMAIN" }}
open_in_new_tab: true
policy_engine_mode: any
provider: !KeyOf nextcloud_provider
slug: nextcloud
conditions: []
id: nextcloud_application
identifiers:
name: Nextcloud
model: authentik_core.application
state: present

View File

@ -1 +1,16 @@
Run `abra app cmd <app_name> worker blueprint_cleanup` to apply the new blueprint configuration and delete the old configuration.
If the nextcloud provider should be managed by abra add the following to the env:
COMPOSE_FILE="compose.yml:compose.nextcloud.yml"
NEXTCLOUD_DOMAIN=nextcloud.example.com
SECRET_NEXTCLOUD_ID_VERSION=v1
SECRET_NEXTCLOUD_SECRET_VERSION=v1
and generate the secrets:
abra app secret generate -a <app_name>
Eventuelly you need to manually remove the old nextcloud provider and application
Don't forget to update the nextcloud config for authentik as well.