Compare commits
1 Commits
1.0.0+2022
...
copy_asset
Author | SHA1 | Date | |
---|---|---|---|
63e8cffa5e |
17
.env.sample
17
.env.sample
@ -2,17 +2,25 @@ TYPE=authentik
|
|||||||
LETS_ENCRYPT_ENV=production
|
LETS_ENCRYPT_ENV=production
|
||||||
|
|
||||||
DOMAIN={{ .Domain }}
|
DOMAIN={{ .Domain }}
|
||||||
|
POSTGRES_PASSWORD=secret
|
||||||
|
AUTHENTIK_POSTGRESQL__PASSWORD=secret
|
||||||
|
POSTGRES_USER=authentik
|
||||||
AUTHENTIK_POSTGRESQL__USER=authentik
|
AUTHENTIK_POSTGRESQL__USER=authentik
|
||||||
|
POSTGRES_DB=authentik
|
||||||
AUTHENTIK_POSTGRESQL__NAME=authentik
|
AUTHENTIK_POSTGRESQL__NAME=authentik
|
||||||
AUTHENTIK_POSTGRESQL__HOST=db
|
AUTHENTIK_POSTGRESQL__HOST=db
|
||||||
AUTHENTIK_REDIS__HOST=redis
|
AUTHENTIK_REDIS__HOST=redis
|
||||||
AUTHENTIK_ERROR_REPORTING__ENABLED=true
|
AUTHENTIK_ERROR_REPORTING__ENABLED=true
|
||||||
# WORKERS=1
|
# WORKERS=1
|
||||||
|
AUTHENTIK_SECRET_KEY=secret
|
||||||
|
AK_ADMIN_TOKEN=secret
|
||||||
|
AK_ADMIN_PASS=secret
|
||||||
|
|
||||||
# EMAIL
|
# EMAIL
|
||||||
AUTHENTIK_EMAIL__HOST=smtp
|
AUTHENTIK_EMAIL__HOST=smtp
|
||||||
AUTHENTIK_EMAIL__PORT=25
|
AUTHENTIK_EMAIL__PORT=25
|
||||||
# AUTHENTIK_EMAIL__USERNAME=""
|
# AUTHENTIK_EMAIL__USERNAME=""
|
||||||
|
# AUTHENTIK_EMAIL__PASSWORD=""
|
||||||
AUTHENTIK_EMAIL__USE_TLS=false
|
AUTHENTIK_EMAIL__USE_TLS=false
|
||||||
AUTHENTIK_EMAIL__USE_SSL=false
|
AUTHENTIK_EMAIL__USE_SSL=false
|
||||||
AUTHENTIK_EMAIL__TIMEOUT=10
|
AUTHENTIK_EMAIL__TIMEOUT=10
|
||||||
@ -20,11 +28,9 @@ AUTHENTIK_EMAIL__FROM=noreply@example.com
|
|||||||
AUTHENTIK_LOG_LEVEL=info
|
AUTHENTIK_LOG_LEVEL=info
|
||||||
|
|
||||||
# Secret Versions
|
# Secret Versions
|
||||||
SECRET_SECRET_KEY_VERSION=v1
|
# SECRET_SECRET_KEY_VERSION=v1
|
||||||
SECRET_DB_PASSWORD_VERSION=V1
|
# SECRET_ADMIN_TOKEN_VERSION=v1
|
||||||
SECRET_ADMIN_TOKEN_VERSION=v1
|
# SECRET_ADMIN_PASS_VERSION=v1
|
||||||
SECRET_ADMIN_PASS_VERSION=v1
|
|
||||||
SECRET_EMAIL_PASS_VERSION=v1
|
|
||||||
|
|
||||||
# X_FRAME_OPTIONS_ALLOW_FROM=dashboard.example.org
|
# X_FRAME_OPTIONS_ALLOW_FROM=dashboard.example.org
|
||||||
AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
|
AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
|
||||||
@ -33,3 +39,4 @@ AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
|
|||||||
WELCOME_MESSAGE="Welcome to Authentik"
|
WELCOME_MESSAGE="Welcome to Authentik"
|
||||||
DEFAULT_LANGUAGE=en
|
DEFAULT_LANGUAGE=en
|
||||||
AUTHENTIK_FOOTER_LINKS='[{"name": "My Organization","href":"https://example.com"}]'
|
AUTHENTIK_FOOTER_LINKS='[{"name": "My Organization","href":"https://example.com"}]'
|
||||||
|
COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/ icon_left_brand.svg|app:/web/dist/assets/icons/ icon.png|app:/web/dist/assets/icons/"
|
||||||
|
13
README.md
13
README.md
@ -22,20 +22,7 @@
|
|||||||
|
|
||||||
* `abra app new authentik --secrets`
|
* `abra app new authentik --secrets`
|
||||||
* `abra app config <app-name>`
|
* `abra app config <app-name>`
|
||||||
* `abra app secret insert <app_name> email_pass v1 <password>`
|
|
||||||
* `abra app secret generate -a <app_name>
|
|
||||||
* `abra app deploy <app-name>`
|
* `abra app deploy <app-name>`
|
||||||
* `abra app cmd <app_name> app set_admin_pass`
|
|
||||||
|
|
||||||
## Rotate Secrets
|
|
||||||
|
|
||||||
```
|
|
||||||
abra app secret generate -a <app_name>
|
|
||||||
abra app undeploy <app_name>
|
|
||||||
abra app deploy <app_name>
|
|
||||||
abra app cmd <app_name> db rotate_db_pass
|
|
||||||
abra app cmd <app_name> app set_admin_pass
|
|
||||||
```
|
|
||||||
|
|
||||||
## Customization
|
## Customization
|
||||||
|
|
||||||
|
55
abra.sh
55
abra.sh
@ -8,52 +8,11 @@ customize() {
|
|||||||
echo "Usage: ... customize <assets_path>"
|
echo "Usage: ... customize <assets_path>"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
# TODO: use env to specify source and target files
|
asset_dir=$1
|
||||||
if [ -e $1/flow_background.jpg ]
|
for asset in $COPY_ASSETS; do
|
||||||
then
|
source=$(echo $asset | cut -d "|" -f1)
|
||||||
echo copy flow_background.jpg
|
target=$(echo $asset | cut -d "|" -f2)
|
||||||
abra app cp $APP_NAME $1/flow_background.jpg app:/web/dist/assets/images/
|
echo copy $source to $target
|
||||||
fi
|
abra app cp $APP_NAME $asset_dir/$source $target
|
||||||
if [ -e $1/icon_left_brand.svg ]
|
done
|
||||||
then
|
|
||||||
echo copy icon_left_brand.svg
|
|
||||||
abra app cp $APP_NAME $1/icon_left_brand.svg app:/web/dist/assets/icons/
|
|
||||||
fi
|
|
||||||
if [ -e $1/icon.png ]
|
|
||||||
then
|
|
||||||
echo copy icon.png
|
|
||||||
abra app cp $APP_NAME $1/icon.png app:/web/dist/assets/icons/
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
set_admin_pass() {
|
|
||||||
password=$(cat /run/secrets/admin_pass)
|
|
||||||
token=$(cat /run/secrets/admin_token)
|
|
||||||
/manage.py shell -c """
|
|
||||||
akadmin = User.objects.get(username='akadmin')
|
|
||||||
akadmin.set_password('$password')
|
|
||||||
akadmin.save()
|
|
||||||
print('Changed akadmin password')
|
|
||||||
|
|
||||||
from authentik.core.models import TokenIntents
|
|
||||||
key='$token'
|
|
||||||
if (token:= Token.objects.filter(identifier='authentik-bootstrap-token').first()):
|
|
||||||
token.key=key
|
|
||||||
token.save()
|
|
||||||
print('Changed authentik-bootstrap-token')
|
|
||||||
else:
|
|
||||||
Token.objects.create(
|
|
||||||
identifier='authentik-bootstrap-token',
|
|
||||||
user=akadmin,
|
|
||||||
intent=TokenIntents.INTENT_API,
|
|
||||||
expiring=False,
|
|
||||||
key=key,
|
|
||||||
)
|
|
||||||
print('Created authentik-bootstrap-token')
|
|
||||||
"""
|
|
||||||
}
|
|
||||||
|
|
||||||
rotate_db_pass() {
|
|
||||||
db_password=$(cat /run/secrets/db_password)
|
|
||||||
psql -U authentik -c """ALTER USER authentik WITH PASSWORD '$db_password';"""
|
|
||||||
}
|
}
|
||||||
|
@ -1,158 +0,0 @@
|
|||||||
version: 1
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
blueprints.goauthentik.io/instantiate: "true"
|
|
||||||
name: Example - Recovery with email verification
|
|
||||||
entries:
|
|
||||||
- identifiers:
|
|
||||||
slug: default-recovery-flow
|
|
||||||
id: flow
|
|
||||||
model: authentik_flows.flow
|
|
||||||
attrs:
|
|
||||||
name: Default recovery flow
|
|
||||||
title: Reset your password
|
|
||||||
designation: recovery
|
|
||||||
- identifiers:
|
|
||||||
field_key: password
|
|
||||||
label: Password
|
|
||||||
id: prompt-field-password
|
|
||||||
model: authentik_stages_prompt.prompt
|
|
||||||
attrs:
|
|
||||||
type: password
|
|
||||||
required: true
|
|
||||||
placeholder: Password
|
|
||||||
order: 0
|
|
||||||
placeholder_expression: false
|
|
||||||
- identifiers:
|
|
||||||
field_key: password_repeat
|
|
||||||
label: Password (repeat)
|
|
||||||
id: prompt-field-password-repeat
|
|
||||||
model: authentik_stages_prompt.prompt
|
|
||||||
attrs:
|
|
||||||
type: password
|
|
||||||
required: true
|
|
||||||
placeholder: Password (repeat)
|
|
||||||
order: 1
|
|
||||||
placeholder_expression: false
|
|
||||||
- identifiers:
|
|
||||||
name: default-recovery-skip-if-restored
|
|
||||||
id: default-recovery-skip-if-restored
|
|
||||||
model: authentik_policies_expression.expressionpolicy
|
|
||||||
attrs:
|
|
||||||
expression: |
|
|
||||||
return request.context.get('is_restored', False)
|
|
||||||
- identifiers:
|
|
||||||
name: default-recovery-email
|
|
||||||
id: default-recovery-email
|
|
||||||
model: authentik_stages_email.emailstage
|
|
||||||
attrs:
|
|
||||||
use_global_settings: true
|
|
||||||
host: localhost
|
|
||||||
port: 25
|
|
||||||
username: ""
|
|
||||||
use_tls: false
|
|
||||||
use_ssl: false
|
|
||||||
timeout: 10
|
|
||||||
from_address: system@authentik.local
|
|
||||||
token_expiry: 30
|
|
||||||
subject: authentik
|
|
||||||
template: email/password_reset.html
|
|
||||||
activate_user_on_success: true
|
|
||||||
- identifiers:
|
|
||||||
name: default-recovery-user-write
|
|
||||||
id: default-recovery-user-write
|
|
||||||
model: authentik_stages_user_write.userwritestage
|
|
||||||
- identifiers:
|
|
||||||
name: default-recovery-identification
|
|
||||||
id: default-recovery-identification
|
|
||||||
model: authentik_stages_identification.identificationstage
|
|
||||||
attrs:
|
|
||||||
user_fields:
|
|
||||||
- email
|
|
||||||
- username
|
|
||||||
- identifiers:
|
|
||||||
name: default-recovery-user-login
|
|
||||||
id: default-recovery-user-login
|
|
||||||
model: authentik_stages_user_login.userloginstage
|
|
||||||
attrs:
|
|
||||||
session_duration: seconds=0
|
|
||||||
- identifiers:
|
|
||||||
name: Change your password
|
|
||||||
id: stages-prompt-password
|
|
||||||
model: authentik_stages_prompt.promptstage
|
|
||||||
attrs:
|
|
||||||
fields:
|
|
||||||
- !KeyOf prompt-field-password
|
|
||||||
- !KeyOf prompt-field-password-repeat
|
|
||||||
validation_policies: []
|
|
||||||
- identifiers:
|
|
||||||
target: !KeyOf flow
|
|
||||||
stage: !KeyOf default-recovery-identification
|
|
||||||
order: 10
|
|
||||||
model: authentik_flows.flowstagebinding
|
|
||||||
id: flow-binding-identification
|
|
||||||
attrs:
|
|
||||||
evaluate_on_plan: true
|
|
||||||
re_evaluate_policies: true
|
|
||||||
policy_engine_mode: any
|
|
||||||
invalid_response_action: retry
|
|
||||||
- identifiers:
|
|
||||||
target: !KeyOf flow
|
|
||||||
stage: !KeyOf default-recovery-email
|
|
||||||
order: 20
|
|
||||||
model: authentik_flows.flowstagebinding
|
|
||||||
id: flow-binding-email
|
|
||||||
attrs:
|
|
||||||
evaluate_on_plan: true
|
|
||||||
re_evaluate_policies: true
|
|
||||||
policy_engine_mode: any
|
|
||||||
invalid_response_action: retry
|
|
||||||
- identifiers:
|
|
||||||
pk: 1219d06e-2c06-4c5b-a162-78e3959c6cf0
|
|
||||||
target: !KeyOf flow
|
|
||||||
stage: !KeyOf stages-prompt-password
|
|
||||||
order: 30
|
|
||||||
model: authentik_flows.flowstagebinding
|
|
||||||
attrs:
|
|
||||||
evaluate_on_plan: true
|
|
||||||
re_evaluate_policies: false
|
|
||||||
policy_engine_mode: any
|
|
||||||
invalid_response_action: retry
|
|
||||||
- identifiers:
|
|
||||||
target: !KeyOf flow
|
|
||||||
stage: !KeyOf default-recovery-user-write
|
|
||||||
order: 40
|
|
||||||
model: authentik_flows.flowstagebinding
|
|
||||||
attrs:
|
|
||||||
evaluate_on_plan: true
|
|
||||||
re_evaluate_policies: false
|
|
||||||
policy_engine_mode: any
|
|
||||||
invalid_response_action: retry
|
|
||||||
- identifiers:
|
|
||||||
target: !KeyOf flow
|
|
||||||
stage: !KeyOf default-recovery-user-login
|
|
||||||
order: 100
|
|
||||||
model: authentik_flows.flowstagebinding
|
|
||||||
attrs:
|
|
||||||
evaluate_on_plan: true
|
|
||||||
re_evaluate_policies: false
|
|
||||||
policy_engine_mode: any
|
|
||||||
invalid_response_action: retry
|
|
||||||
- identifiers:
|
|
||||||
policy: !KeyOf default-recovery-skip-if-restored
|
|
||||||
target: !KeyOf flow-binding-identification
|
|
||||||
order: 0
|
|
||||||
model: authentik_policies.policybinding
|
|
||||||
attrs:
|
|
||||||
negate: false
|
|
||||||
enabled: true
|
|
||||||
timeout: 30
|
|
||||||
- identifiers:
|
|
||||||
policy: !KeyOf default-recovery-skip-if-restored
|
|
||||||
target: !KeyOf flow-binding-email
|
|
||||||
order: 0
|
|
||||||
model: authentik_policies.policybinding
|
|
||||||
attrs:
|
|
||||||
negate: false
|
|
||||||
enabled: true
|
|
||||||
timeout: 30
|
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -1,151 +0,0 @@
|
|||||||
context: {}
|
|
||||||
entries:
|
|
||||||
- attrs:
|
|
||||||
compatibility_mode: true
|
|
||||||
denied_action: message_continue
|
|
||||||
designation: enrollment
|
|
||||||
layout: stacked
|
|
||||||
name: Willkommen zur Heimatbund Cloud!
|
|
||||||
policy_engine_mode: any
|
|
||||||
title: Willkommen zur Heimatbund Cloud!
|
|
||||||
id: null
|
|
||||||
identifiers:
|
|
||||||
pk: 235f1d35-302e-426f-8875-bb75c40e8a96
|
|
||||||
slug: invitation-enrollment
|
|
||||||
model: authentik_flows.flow
|
|
||||||
- attrs:
|
|
||||||
field_key: password
|
|
||||||
label: Passwort
|
|
||||||
order: 300
|
|
||||||
placeholder: Passwort
|
|
||||||
required: true
|
|
||||||
type: password
|
|
||||||
id: null
|
|
||||||
identifiers:
|
|
||||||
pk: 872c7220-0c42-4cef-b21c-9896820d86a3
|
|
||||||
model: authentik_stages_prompt.prompt
|
|
||||||
- attrs:
|
|
||||||
field_key: username
|
|
||||||
label: Benutzername
|
|
||||||
order: 0
|
|
||||||
placeholder: Benutzername
|
|
||||||
required: true
|
|
||||||
type: username
|
|
||||||
id: null
|
|
||||||
identifiers:
|
|
||||||
pk: 8c7cca12-afd7-42f9-92b2-df06d29bc0b5
|
|
||||||
model: authentik_stages_prompt.prompt
|
|
||||||
- attrs:
|
|
||||||
field_key: name
|
|
||||||
label: Vor- und Nachname
|
|
||||||
order: 0
|
|
||||||
placeholder: Name
|
|
||||||
required: true
|
|
||||||
type: text
|
|
||||||
id: null
|
|
||||||
identifiers:
|
|
||||||
pk: 52777e44-cbe7-4187-abc3-7f44327e4577
|
|
||||||
model: authentik_stages_prompt.prompt
|
|
||||||
- attrs:
|
|
||||||
field_key: password_repeat
|
|
||||||
label: Passwort (wiederholung)
|
|
||||||
order: 301
|
|
||||||
placeholder: Passwort (wiederholung)
|
|
||||||
required: true
|
|
||||||
type: password
|
|
||||||
id: null
|
|
||||||
identifiers:
|
|
||||||
pk: 4c6820c2-711d-4450-b977-70d225c6cbd1
|
|
||||||
model: authentik_stages_prompt.prompt
|
|
||||||
- attrs:
|
|
||||||
field_key: email
|
|
||||||
label: Email
|
|
||||||
order: 1
|
|
||||||
placeholder: Email
|
|
||||||
required: true
|
|
||||||
type: email
|
|
||||||
id: null
|
|
||||||
identifiers:
|
|
||||||
pk: 0fd026ab-228a-4aff-adde-e566f1dcee6a
|
|
||||||
model: authentik_stages_prompt.prompt
|
|
||||||
|
|
||||||
- attrs:
|
|
||||||
fields:
|
|
||||||
- 872c7220-0c42-4cef-b21c-9896820d86a3
|
|
||||||
- 8c7cca12-afd7-42f9-92b2-df06d29bc0b5
|
|
||||||
- 52777e44-cbe7-4187-abc3-7f44327e4577
|
|
||||||
- 4c6820c2-711d-4450-b977-70d225c6cbd1
|
|
||||||
- 0fd026ab-228a-4aff-adde-e566f1dcee6a
|
|
||||||
id: null
|
|
||||||
identifiers:
|
|
||||||
name: default-enrollment-prompt-first
|
|
||||||
pk: b96f518c-6313-4091-8b52-20dd7557e868
|
|
||||||
model: authentik_stages_prompt.promptstage
|
|
||||||
- attrs: {}
|
|
||||||
id: null
|
|
||||||
identifiers:
|
|
||||||
name: invitation
|
|
||||||
pk: 9780069a-0f1d-4f0f-b7c4-4592a9cdb333
|
|
||||||
model: authentik_stages_invitation.invitationstage
|
|
||||||
- attrs: {}
|
|
||||||
id: null
|
|
||||||
identifiers:
|
|
||||||
name: default-enrollment-user-write
|
|
||||||
pk: 21667fc4-05b2-4b2f-8861-c8b40a6331b1
|
|
||||||
model: authentik_stages_user_write.userwritestage
|
|
||||||
- attrs:
|
|
||||||
session_duration: seconds=0
|
|
||||||
id: null
|
|
||||||
identifiers:
|
|
||||||
name: default-enrollment-user-login
|
|
||||||
pk: 6cdec92f-cd1f-40b1-b808-d6a5d50877ed
|
|
||||||
model: authentik_stages_user_login.userloginstage
|
|
||||||
- attrs:
|
|
||||||
evaluate_on_plan: true
|
|
||||||
invalid_response_action: retry
|
|
||||||
policy_engine_mode: any
|
|
||||||
id: null
|
|
||||||
identifiers:
|
|
||||||
order: 1
|
|
||||||
pk: eac283e8-2342-405e-a592-72b950f307c0
|
|
||||||
stage: 9780069a-0f1d-4f0f-b7c4-4592a9cdb333
|
|
||||||
target: 235f1d35-302e-426f-8875-bb75c40e8a96
|
|
||||||
model: authentik_flows.flowstagebinding
|
|
||||||
- attrs:
|
|
||||||
evaluate_on_plan: true
|
|
||||||
invalid_response_action: retry
|
|
||||||
policy_engine_mode: any
|
|
||||||
id: null
|
|
||||||
identifiers:
|
|
||||||
order: 10
|
|
||||||
pk: 56276785-e6f5-42c7-9201-e63ec44281aa
|
|
||||||
stage: b96f518c-6313-4091-8b52-20dd7557e868
|
|
||||||
target: 235f1d35-302e-426f-8875-bb75c40e8a96
|
|
||||||
model: authentik_flows.flowstagebinding
|
|
||||||
- attrs:
|
|
||||||
evaluate_on_plan: true
|
|
||||||
invalid_response_action: retry
|
|
||||||
policy_engine_mode: any
|
|
||||||
id: null
|
|
||||||
identifiers:
|
|
||||||
order: 20
|
|
||||||
pk: 471de0f4-3e03-4bc8-873d-689860dc9efb
|
|
||||||
stage: 21667fc4-05b2-4b2f-8861-c8b40a6331b1
|
|
||||||
target: 235f1d35-302e-426f-8875-bb75c40e8a96
|
|
||||||
model: authentik_flows.flowstagebinding
|
|
||||||
- attrs:
|
|
||||||
evaluate_on_plan: true
|
|
||||||
invalid_response_action: retry
|
|
||||||
policy_engine_mode: any
|
|
||||||
id: null
|
|
||||||
identifiers:
|
|
||||||
order: 100
|
|
||||||
pk: 58903955-e33a-4d9a-b882-edd93f4261f9
|
|
||||||
stage: 6cdec92f-cd1f-40b1-b808-d6a5d50877ed
|
|
||||||
target: 235f1d35-302e-426f-8875-bb75c40e8a96
|
|
||||||
model: authentik_flows.flowstagebinding
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
blueprints.goauthentik.io/generated: 'true'
|
|
||||||
name: authentik Export - 2022-10-19 12:52:52.154491+00:00
|
|
||||||
version: 1
|
|
73
compose.yml
73
compose.yml
@ -1,17 +1,19 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
x-env: &env
|
x-env: &env
|
||||||
- AUTHENTIK_POSTGRESQL__PASSWORD=file:///run/secrets/db_password
|
- AUTHENTIK_POSTGRESQL__PASSWORD
|
||||||
- AUTHENTIK_POSTGRESQL__USER
|
- AUTHENTIK_POSTGRESQL__USER
|
||||||
- AUTHENTIK_POSTGRESQL__NAME
|
- AUTHENTIK_POSTGRESQL__NAME
|
||||||
- AUTHENTIK_POSTGRESQL__HOST
|
- AUTHENTIK_POSTGRESQL__HOST
|
||||||
- AUTHENTIK_REDIS__HOST
|
- AUTHENTIK_REDIS__HOST
|
||||||
- AUTHENTIK_ERROR_REPORTING__ENABLED
|
- AUTHENTIK_ERROR_REPORTING__ENABLED
|
||||||
- AUTHENTIK_SECRET_KEY=file:///run/secrets/secret_key
|
- AUTHENTIK_SECRET_KEY= #file:///run/secrets/secret_key
|
||||||
|
- AK_ADMIN_TOKEN= #file:///run/secrets/admin_token
|
||||||
|
- AK_ADMIN_PASS= #file:///run/secrets/admin_pass
|
||||||
- AUTHENTIK_EMAIL__HOST
|
- AUTHENTIK_EMAIL__HOST
|
||||||
- AUTHENTIK_EMAIL__PORT
|
- AUTHENTIK_EMAIL__PORT
|
||||||
- AUTHENTIK_EMAIL__USERNAME
|
- AUTHENTIK_EMAIL__USERNAME
|
||||||
- AUTHENTIK_EMAIL__PASSWORD=file:///run/secrets/email_pass
|
- AUTHENTIK_EMAIL__PASSWORD
|
||||||
- AUTHENTIK_EMAIL__USE_TLS
|
- AUTHENTIK_EMAIL__USE_TLS
|
||||||
- AUTHENTIK_EMAIL__USE_SSL
|
- AUTHENTIK_EMAIL__USE_SSL
|
||||||
- AUTHENTIK_EMAIL__TIMEOUT
|
- AUTHENTIK_EMAIL__TIMEOUT
|
||||||
@ -29,12 +31,11 @@ services:
|
|||||||
app:
|
app:
|
||||||
image: ghcr.io/goauthentik/server:2022.10.1
|
image: ghcr.io/goauthentik/server:2022.10.1
|
||||||
command: server
|
command: server
|
||||||
secrets:
|
# secrets:
|
||||||
- db_password
|
# - db_password
|
||||||
- admin_pass
|
# - admin_pass
|
||||||
- admin_token
|
# - admin_token
|
||||||
- secret_key
|
# - secret_key
|
||||||
- email_pass
|
|
||||||
volumes:
|
volumes:
|
||||||
- media:/media
|
- media:/media
|
||||||
- custom-templates:/templates
|
- custom-templates:/templates
|
||||||
@ -69,17 +70,16 @@ services:
|
|||||||
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
|
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
|
||||||
- "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
|
- "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
|
||||||
- "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
|
- "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
|
||||||
- "coop-cloud.${STACK_NAME}.version=1.0.0+2022.10.1"
|
- "coop-cloud.${STACK_NAME}.version=0.6.0+2022.10.1"
|
||||||
|
|
||||||
worker:
|
worker:
|
||||||
image: ghcr.io/goauthentik/server:2022.10.1
|
image: ghcr.io/goauthentik/server:2022.10.1
|
||||||
command: worker
|
command: worker
|
||||||
secrets:
|
# secrets:
|
||||||
- db_password
|
# - db_password
|
||||||
- admin_pass
|
# - admin_pass
|
||||||
- admin_token
|
# - admin_token
|
||||||
- secret_key
|
# - secret_key
|
||||||
- email_pass
|
|
||||||
networks:
|
networks:
|
||||||
- internal
|
- internal
|
||||||
- proxy
|
- proxy
|
||||||
@ -97,8 +97,8 @@ services:
|
|||||||
|
|
||||||
db:
|
db:
|
||||||
image: postgres:12.12-alpine
|
image: postgres:12.12-alpine
|
||||||
secrets:
|
# secrets:
|
||||||
- db_password
|
# - db_password
|
||||||
volumes:
|
volumes:
|
||||||
- database:/var/lib/postgresql/data
|
- database:/var/lib/postgresql/data
|
||||||
networks:
|
networks:
|
||||||
@ -110,13 +110,13 @@ services:
|
|||||||
retries: 10
|
retries: 10
|
||||||
start_period: 1m
|
start_period: 1m
|
||||||
environment:
|
environment:
|
||||||
- POSTGRES_PASSWORD_FILE=/run/secrets/db_password
|
- POSTGRES_PASSWORD
|
||||||
- POSTGRES_USER=${AUTHENTIK_POSTGRESQL__USER}
|
- POSTGRES_USER
|
||||||
- POSTGRES_DB=${AUTHENTIK_POSTGRESQL__NAME}
|
- POSTGRES_DB
|
||||||
deploy:
|
deploy:
|
||||||
labels:
|
labels:
|
||||||
backupbot.backup: "true"
|
backupbot.backup: "true"
|
||||||
backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=$(cat /run/secrets/db_password) pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > /tmp/backup/backup.sql"
|
backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=${POSTGRES_PASSWORD} pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > /tmp/backup/backup.sql"
|
||||||
backupbot.backup.post-hook: "rm -rf /tmp/backup"
|
backupbot.backup.post-hook: "rm -rf /tmp/backup"
|
||||||
backupbot.backup.path: "/tmp/backup/"
|
backupbot.backup.path: "/tmp/backup/"
|
||||||
|
|
||||||
@ -131,22 +131,19 @@ services:
|
|||||||
retries: 10
|
retries: 10
|
||||||
start_period: 1m
|
start_period: 1m
|
||||||
|
|
||||||
secrets:
|
# secrets:
|
||||||
db_password:
|
# db_password:
|
||||||
external: true
|
# external: true
|
||||||
name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
|
# name: ${STACK_NAME}_db_password
|
||||||
secret_key:
|
# secret_key:
|
||||||
external: true
|
# external: true
|
||||||
name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
|
# name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
|
||||||
admin_token:
|
# admin_token:
|
||||||
external: true
|
# external: true
|
||||||
name: ${STACK_NAME}_admin_token_${SECRET_ADMIN_TOKEN_VERSION}
|
# name: ${STACK_NAME}_admin_token_${SECRET_ADMIN_TOKEN_VERSION}
|
||||||
admin_pass:
|
# admin_pass:
|
||||||
external: true
|
# external: true
|
||||||
name: ${STACK_NAME}_admin_pass_${SECRET_ADMIN_PASS_VERSION}
|
# name: ${STACK_NAME}_admin_pass_${SECRET_ADMIN_PASS_VERSION}
|
||||||
email_pass:
|
|
||||||
external: true
|
|
||||||
name: ${STACK_NAME}_email_pass_${SECRET_EMAIL_PASS_VERSION}
|
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
proxy:
|
proxy:
|
||||||
|
@ -1,15 +0,0 @@
|
|||||||
This upgrade replaces the passwords stored in env variables by docker secrets.
|
|
||||||
You need to insert the following passwords as secret:
|
|
||||||
|
|
||||||
`POSTGRES_PASSWORD` / `AUTHENTIK_POSTGRESQL__PASSWORD`:
|
|
||||||
`abra app secret insert <app_name> db_password v1 <password>`
|
|
||||||
`AUTHENTIK_SECRET_KEY`:
|
|
||||||
`abra app secret insert <app_name> secret_key v1 <password>`
|
|
||||||
`AK_ADMIN_TOKEN`:
|
|
||||||
`abra app secret insert <app_name> admin_token v1 <password>`
|
|
||||||
`AK_ADMIN_PASS`:
|
|
||||||
`abra app secret insert <app_name> admin_pass v1 <password>`
|
|
||||||
`AUTHENTIK_EMAIL__PASSWORD`:
|
|
||||||
`abra app secret insert <app_name> email_pass v1 <password>`
|
|
||||||
|
|
||||||
These variables should be removed from the .env file.
|
|
Reference in New Issue
Block a user