general way to copy assets using env variables

2022-11-16 16:15:00 +01:00
6 changed files with 73 additions and 139 deletions
--- a/.env.sample
+++ b/.env.sample
@ -1,18 +1,26 @@
 TYPE=authentik
 LETS_ENCRYPT_ENV=production
-DOMAIN=authentik.example.com
+DOMAIN={{ .Domain }}
 POSTGRES_PASSWORD=secret
 AUTHENTIK_POSTGRESQL__PASSWORD=secret
 POSTGRES_USER=authentik
 AUTHENTIK_POSTGRESQL__USER=authentik
 POSTGRES_DB=authentik
 AUTHENTIK_POSTGRESQL__NAME=authentik
 AUTHENTIK_POSTGRESQL__HOST=db
 AUTHENTIK_REDIS__HOST=redis
 AUTHENTIK_ERROR_REPORTING__ENABLED=true
 # WORKERS=1
 AUTHENTIK_SECRET_KEY=secret
 AK_ADMIN_TOKEN=secret
 AK_ADMIN_PASS=secret
 # EMAIL
 AUTHENTIK_EMAIL__HOST=smtp
 AUTHENTIK_EMAIL__PORT=25
 # AUTHENTIK_EMAIL__USERNAME=""
 # AUTHENTIK_EMAIL__PASSWORD=""
 AUTHENTIK_EMAIL__USE_TLS=false
 AUTHENTIK_EMAIL__USE_SSL=false
 AUTHENTIK_EMAIL__TIMEOUT=10
@ -20,21 +28,15 @@ AUTHENTIK_EMAIL__FROM=noreply@example.com
 AUTHENTIK_LOG_LEVEL=info
 # Secret Versions
-SECRET_SECRET_KEY_VERSION=v1
+# SECRET_SECRET_KEY_VERSION=v1
-SECRET_DB_PASSWORD_VERSION=v1
+# SECRET_ADMIN_TOKEN_VERSION=v1
-SECRET_ADMIN_TOKEN_VERSION=v1
+# SECRET_ADMIN_PASS_VERSION=v1
 SECRET_ADMIN_PASS_VERSION=v1
 SECRET_EMAIL_PASS_VERSION=v1
 # X_FRAME_OPTIONS_ALLOW_FROM=dashboard.example.org
 AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
 AUTHENTIK_IMPERSONATION=true
 ## FLOW OPTIONS
 WELCOME_MESSAGE="Welcome to Authentik"
 DEFAULT_LANGUAGE=en
 AUTHENTIK_FOOTER_LINKS='[{"name": "My Organization","href":"https://example.com"}]'
 COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/ icon_left_brand.svg|app:/web/dist/assets/icons/ icon.png|app:/web/dist/assets/icons/"
 EMAIL_SUBJECT="Account Recovery"
 EMAIL_TOKEN_EXPIRY_MINUTES=30
--- a/README.md
+++ b/README.md
@ -9,7 +9,7 @@
 * **Category**: Apps
 * **Status**: 0, work-in-progress
-* **Image**: [ghcr/goauthentik/server](https://ghcr.io/goauthentik/server), 4, upstream
+* **Image**: [ghcr/goauthentik/server](https://ghcr.io/goauthentik/server)
 * **Healthcheck**: Yes
 * **Backups**: Yes
 * **Email**: Yes
@ -20,42 +20,20 @@
 ## Quick start
-* `abra app new authentik`
+* `abra app new authentik --secrets`
 * `abra app config <app-name>`
 * `abra app secret insert <app_name> email_pass v1 <password>`
 * `abra app secret generate -a <app_name>`
 * `abra app deploy <app-name>`
 * `abra app cmd <app_name> app set_admin_pass`
 ## Rotate Secrets
 Increment the secret versions using `abra app config <app_name>`
 ```
 abra app secret generate -a <app_name>
 abra app undeploy <app_name>
 abra app deploy <app_name>
 abra app cmd <app_name> db rotate_db_pass
 abra app cmd <app_name> app set_admin_pass
 ```
 ## Customization
 Place the files you want to overwrite in a directory `<assets_path>`.
 Run `abra app config <app_name>` and define the env variable `COPY_ASSETS` in the following format:
 ```
 "<source_file1>|<service>:<target_directory1> <source_file2>|<service>:<target_directory2> ...
 ```
 For example:
 ```
 COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/ icon_left_brand.svg|app:/web/dist/assets/icons/ icon.png|app:/web/dist/assets/icons/"
 ```
 Run this command after every deploy/upgrade:
 `abra app command --local <app-name> customize <assets_path>`
 This command replaces the background image, the logo and the favicon with the following files placed in the `<assets_path>` directory:
 * `flow_background.jpg`
 * `icon_left_brand.svg`
 * `icon.png`
 For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech).
--- a/abra.sh
+++ b/abra.sh
@ -1,5 +1,6 @@
 export CUSTOM_CSS_VERSION=v2
-export CUSTOM_FLOWS_VERSION=v3
+export CUSTOM_FLOWS_VERSION=v2
 export RECOVERY_TEMPLATE_DE_VERSION=v1
 customize() {
    if [ -z "$1" ]
@ -15,35 +16,3 @@ customize() {
        abra app cp $APP_NAME $asset_dir/$source $target
    done
 }
 set_admin_pass() {
 password=$(cat /run/secrets/admin_pass)
 token=$(cat /run/secrets/admin_token)
 /manage.py shell -c """
 akadmin = User.objects.get(username='akadmin')
 akadmin.set_password('$password')
 akadmin.save()
 print('Changed akadmin password')
 from authentik.core.models import TokenIntents
 key='$token'
 if (token:= Token.objects.filter(identifier='authentik-bootstrap-token').first()):
    token.key=key
    token.save()
    print('Changed authentik-bootstrap-token')
 else:
    Token.objects.create(
        identifier='authentik-bootstrap-token',
        user=akadmin,
        intent=TokenIntents.INTENT_API,
        expiring=False,
        key=key,
    )
    print('Created authentik-bootstrap-token')
 """
 }
 rotate_db_pass() {
    db_password=$(cat /run/secrets/db_password)
    psql -U authentik -c """ALTER USER authentik WITH PASSWORD '$db_password';"""
 }
--- a/compose.yml
+++ b/compose.yml
@ -1,17 +1,19 @@
 ---
 x-env: &env
-    - AUTHENTIK_POSTGRESQL__PASSWORD=file:///run/secrets/db_password
+    - AUTHENTIK_POSTGRESQL__PASSWORD
    - AUTHENTIK_POSTGRESQL__USER
    - AUTHENTIK_POSTGRESQL__NAME
    - AUTHENTIK_POSTGRESQL__HOST
    - AUTHENTIK_REDIS__HOST
    - AUTHENTIK_ERROR_REPORTING__ENABLED
-    - AUTHENTIK_SECRET_KEY=file:///run/secrets/secret_key
+    - AUTHENTIK_SECRET_KEY= #file:///run/secrets/secret_key
    - AK_ADMIN_TOKEN= #file:///run/secrets/admin_token
    - AK_ADMIN_PASS= #file:///run/secrets/admin_pass
    - AUTHENTIK_EMAIL__HOST
    - AUTHENTIK_EMAIL__PORT
    - AUTHENTIK_EMAIL__USERNAME
-    - AUTHENTIK_EMAIL__PASSWORD=file:///run/secrets/email_pass
+    - AUTHENTIK_EMAIL__PASSWORD
    - AUTHENTIK_EMAIL__USE_TLS
    - AUTHENTIK_EMAIL__USE_SSL
    - AUTHENTIK_EMAIL__TIMEOUT
@ -20,30 +22,28 @@ x-env: &env
    - AUTHENTIK_SETTINGS__THEME__BACKGROUND
    - AUTHENTIK_COLOR_BACKGROUND_LIGHT
    - AUTHENTIK_FOOTER_LINKS
    - AUTHENTIK_IMPERSONATION
    - WELCOME_MESSAGE
    - DEFAULT_LANGUAGE
    - EMAIL_SUBJECT
    - EMAIL_TOKEN_EXPIRY_MINUTES
    - DOMAIN
 version: '3.8'
 services:
  app:
-    image: ghcr.io/goauthentik/server:2022.12.2
+    image: ghcr.io/goauthentik/server:2022.10.1
    command: server
-    secrets:
+    # secrets:
-      - db_password
+    #   - db_password
-      - admin_pass
+    #   - admin_pass
-      - admin_token
+    #   - admin_token
-      - secret_key
+    #   - secret_key
      - email_pass
    volumes:
      - media:/media
      - custom-templates:/templates
    configs:
      - source: custom_css
        target: /web/dist/custom.css
      - source: recovery_template_de
        target: /templates/password_reset_de.html
    networks:
      - internal
      - proxy
@ -70,17 +70,16 @@ services:
        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
        - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
        - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
-        - "coop-cloud.${STACK_NAME}.version=1.3.0+2022.12.2"
+        - "coop-cloud.${STACK_NAME}.version=0.6.0+2022.10.1"
  worker:
-    image: ghcr.io/goauthentik/server:2022.12.2
+    image: ghcr.io/goauthentik/server:2022.10.1
    command: worker
-    secrets:
+    # secrets:
-      - db_password
+      # - db_password
-      - admin_pass
+      # - admin_pass
-      - admin_token
+      # - admin_token
-      - secret_key
+      # - secret_key
      - email_pass
    networks:
      - internal
      - proxy
@ -97,9 +96,9 @@ services:
    environment: *env
  db:
-    image: postgres:12.13-alpine
+    image: postgres:12.12-alpine
-    secrets:
+    # secrets:
-      - db_password
+      # - db_password
    volumes:
      - database:/var/lib/postgresql/data
    networks:
@ -111,13 +110,13 @@ services:
      retries: 10
      start_period: 1m
    environment:
-      - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
+      - POSTGRES_PASSWORD
-      - POSTGRES_USER=${AUTHENTIK_POSTGRESQL__USER}
+      - POSTGRES_USER
-      - POSTGRES_DB=${AUTHENTIK_POSTGRESQL__NAME}
+      - POSTGRES_DB
    deploy:
      labels:
          backupbot.backup: "true"
-          backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=$(cat /run/secrets/db_password) pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > /tmp/backup/backup.sql"
+          backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=${POSTGRES_PASSWORD} pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > /tmp/backup/backup.sql"
          backupbot.backup.post-hook: "rm -rf /tmp/backup"
          backupbot.backup.path: "/tmp/backup/"
@ -132,22 +131,19 @@ services:
      retries: 10
      start_period: 1m
-secrets:
+# secrets:
-  db_password:
+  # db_password:
-    external: true
+  #   external: true
-    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+  #   name: ${STACK_NAME}_db_password
-  secret_key:
+  # secret_key:
-    external: true
+  #   external: true
-    name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
+  #   name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
-  admin_token:
+  # admin_token:
-    external: true
+  #   external: true
-    name: ${STACK_NAME}_admin_token_${SECRET_ADMIN_TOKEN_VERSION}
+  #   name: ${STACK_NAME}_admin_token_${SECRET_ADMIN_TOKEN_VERSION}
-  admin_pass:
+  # admin_pass:
-    external: true
+  #   external: true
-    name: ${STACK_NAME}_admin_pass_${SECRET_ADMIN_PASS_VERSION}
+  #   name: ${STACK_NAME}_admin_pass_${SECRET_ADMIN_PASS_VERSION}
  email_pass:
    external: true
    name: ${STACK_NAME}_email_pass_${SECRET_EMAIL_PASS_VERSION}
 networks:
  proxy:
@ -165,6 +161,9 @@ configs:
    name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION}
    file: custom.css.tmpl
    template_driver: golang
  recovery_template_de:
    name: ${STACK_NAME}_recovery_template_de_${RECOVERY_TEMPLATE_DE_VERSION}
    file: password_reset_de.html
  custom_flows:
    name: ${STACK_NAME}_custom_flows_${CUSTOM_FLOWS_VERSION}
    file: custom_flows.yaml.tmpl
--- a/custom_flows.yaml.tmpl
+++ b/custom_flows.yaml.tmpl
@ -10,9 +10,10 @@ context:
  transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Passwort (wiederholen) {{ else }} Password (repeat) {{ end }}
  transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Benutzername {{ else }} Username {{ end }}
  transl_name: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Vor- und Nachname {{ else }} Full name {{ end }}
  transl_template_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} password_reset_de.html {{ else }} email/password_reset.html {{ end }}
 entries:
-######## Email Recovery Flow ########
+######## Email Recovery Flow ######## 
 - identifiers:
    slug: default-recovery-flow
  id: recovery_flow
@ -54,9 +55,9 @@ entries:
  model: authentik_stages_email.emailstage
  attrs:
    use_global_settings: true
-    token_expiry: {{ env "EMAIL_TOKEN_EXPIRY_MINUTES" }}
+    token_expiry: 30
-    subject: "{{ env "EMAIL_SUBJECT" }}"
+    subject: authentik
-    template: email/password_reset.html
+    template: !Context transl_template_recovery
    activate_user_on_success: true
 - identifiers:
    name: default-recovery-user-write
@ -174,7 +175,7 @@ entries:
-######## Authentication Flow ########
+######## Authentication Flow ######## 
 - attrs:
    designation: authentication
    name: custom-authentication-flow
@ -236,7 +237,7 @@ entries:
    target: !KeyOf authentication_flow
  model: authentik_flows.flowstagebinding
-######## Invitation Enrollment Flow ########
+######## Invitation Enrollment Flow ######## 
 - attrs:
    designation: enrollment
    name: invitation-enrollment-flow
@ -336,7 +337,7 @@ entries:
 ######## System Tenant ##########
 - attrs:
-    attributes:
+    attributes: 
      settings:
        locale: {{ env "DEFAULT_LANGUAGE" }}
    # branding_favicon: /static/dist/assets/icons/icon.png
--- a/releases/1.0.0+2022.10.1
+++ b/releases/1.0.0+2022.10.1
@ -1,15 +0,0 @@
 This upgrade replaces the passwords stored in env variables by docker secrets.
 You need to insert the following passwords as secret:
 `POSTGRES_PASSWORD` / `AUTHENTIK_POSTGRESQL__PASSWORD`:
    `abra app secret insert <app_name> db_password v1 <password>`
 `AUTHENTIK_SECRET_KEY`:
    `abra app secret insert <app_name> secret_key v1 <password>`
 `AK_ADMIN_TOKEN`:
    `abra app secret insert <app_name> admin_token v1 <password>`
 `AK_ADMIN_PASS`:
    `abra app secret insert <app_name> admin_pass v1 <password>`
 `AUTHENTIK_EMAIL__PASSWORD`:
    `abra app secret insert <app_name> email_pass v1 <password>`
 These variables should be removed from the .env file.