Compare commits
52 Commits
3.2.0+2023
...
main
Author | SHA1 | Date |
---|---|---|
Moritz | 0be7e95f48 | |
3wc | 4fe52c1e5f | |
3wc | 248a09c594 | |
Simon | b957425981 | |
Moritz | 20f99b13ad | |
Moritz | c42017839f | |
Moritz | cdabec1b18 | |
Moritz | a606a84a98 | |
Simon | a0505e0dec | |
Simon | 17d40711e0 | |
Moritz | fc33f285f4 | |
3wc | d1f091da62 | |
3wc | 3e339228f5 | |
3wc | c39b6ad25a | |
3wc | 1ffb62d74a | |
3wc | 03f8810462 | |
3wc | d19bf17781 | |
3wc | 5086df24fb | |
knoflook | e07d57718a | |
Simon | 553b97ba21 | |
Simon | 75f42db773 | |
Simon | d115d5ce38 | |
Simon | 68eda3e2d7 | |
Moritz | 91756202c2 | |
Moritz | bf2397b0e9 | |
Moritz | c3b01c1d27 | |
Simon | 8d32814219 | |
Simon | 78cfd95198 | |
Simon | 4593eb6340 | |
Simon | 0419ed279d | |
Simon | abb49e7019 | |
Simon | 74f654c192 | |
Simon | 7a4daaf475 | |
Simon | b7605f6a87 | |
3wc | 01ca1b4d5c | |
Simon | 287426b06a | |
iexos | b311cadc4c | |
Moritz | d01c539c4f | |
Moritz | 427644df38 | |
iexos | f4172f2a64 | |
iexos | 126b50d4bd | |
Moritz | 3e7ceaaf25 | |
Moritz | a0ee0a357d | |
Moritz | 1b74a88809 | |
Moritz | 905fbdb69a | |
Moritz | fcf76aeba0 | |
Moritz | 03743063df | |
Moritz | 080ccae2ab | |
Moritz | 7d17f104f1 | |
Moritz | dcf74287c5 | |
iexos | 4972e3b141 | |
Moritz | 566bffb7af |
|
@ -23,13 +23,14 @@ steps:
|
|||
FLOW_INVALIDATION_VERSION: v1
|
||||
FLOW_RECOVERY_VERSION: v1
|
||||
FLOW_TRANSLATION_VERSION: v1
|
||||
SYSTEM_TENANT_VERSION: v1
|
||||
SYSTEM_BRAND_VERSION: v1
|
||||
NEXTCLOUD_CONFIG_VERSION: v1
|
||||
SECRET_SECRET_KEY_VERSION: v1
|
||||
SECRET_DB_PASSWORD_VERSION: v1
|
||||
SECRET_ADMIN_TOKEN_VERSION: v1
|
||||
SECRET_ADMIN_PASS_VERSION: v1
|
||||
SECRET_EMAIL_PASS_VERSION: v1
|
||||
DB_ENTRYPOINT_VERSION: v1
|
||||
trigger:
|
||||
branch:
|
||||
- main
|
||||
|
|
40
.env.sample
40
.env.sample
|
@ -1,10 +1,12 @@
|
|||
TYPE=authentik
|
||||
TIMEOUT=300
|
||||
TIMEOUT=900
|
||||
ENABLE_AUTO_UPDATE=true
|
||||
# POST_DEPLOY_CMDS="worker set_admin_pass|worker apply_blueprints|worker add_applications"
|
||||
LETS_ENCRYPT_ENV=production
|
||||
|
||||
DOMAIN=authentik.example.com
|
||||
## Domain aliases
|
||||
#EXTRA_DOMAINS=', `www.authentik.example.com`'
|
||||
COMPOSE_FILE="compose.yml"
|
||||
AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME=false
|
||||
AUTHENTIK_LOG_LEVEL=info
|
||||
|
@ -32,7 +34,6 @@ SECRET_ADMIN_PASS_VERSION=v1
|
|||
SECRET_EMAIL_PASS_VERSION=v1
|
||||
|
||||
# X_FRAME_OPTIONS_ALLOW_FROM=dashboard.example.org
|
||||
AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
|
||||
|
||||
## FLOW OPTIONS
|
||||
# WELCOME_MESSAGE="Welcome to Authentik"
|
||||
|
@ -45,6 +46,12 @@ COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
|
|||
COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/"
|
||||
COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
|
||||
|
||||
# Default CSS customisation, just background colour
|
||||
COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
|
||||
AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
|
||||
# Custommise the entire custom CSS file
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
|
||||
|
||||
# COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
|
||||
# NEXTCLOUD_DOMAIN=nextcloud.example.com
|
||||
# SECRET_NEXTCLOUD_ID_VERSION=v1
|
||||
|
@ -76,13 +83,36 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
|
|||
# SECRET_VIKUNJA_SECRET_VERSION=v1
|
||||
# APP_ICONS="$APP_ICONS vikunja:~/.abra/recipes/authentik/icons/vikunja.svg"
|
||||
|
||||
# COMPOSE_FILE="$COMPOSE_FILE:compose.outline.yml"
|
||||
# OUTLINE_DOMAIN=outline.example.com
|
||||
# SECRET_OUTLINE_ID_VERSION=v1
|
||||
# SECRET_OUTLINE_SECRET_VERSION=v1
|
||||
# APP_ICONS="$APP_ICONS outline:~/.abra/recipes/authentik/icons/outline.png"
|
||||
|
||||
# COMPOSE_FILE="$COMPOSE_FILE:compose.kimai.yml"
|
||||
# KIMAI_DOMAIN=kimai.example.com
|
||||
# SECRET_KIMAI_ID_VERSION=v1
|
||||
# SECRET_KIMAI_SECRET_VERSION=v1
|
||||
# APP_ICONS="$APP_ICONS kimai:~/.abra/recipes/authentik/icons/kimai.png"
|
||||
|
||||
# COMPOSE_FILE="$COMPOSE_FILE:compose.monitoring.yml"
|
||||
# MONITORING_DOMAIN=monitoring.example.com
|
||||
# SECRET_MONITORING_ID_VERSION=v1
|
||||
# SECRET_MONITORING_SECRET_VERSION=v1
|
||||
# APP_ICONS="$APP_ICONS monitoring:~/.abra/recipes/authentik/icons/monitoring.png"
|
||||
|
||||
# APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "Rallly":"https://rallly.example.cloud/"}'
|
||||
# APP_ICONS="$APP_ICONS Calendar:~/.abra/recipes/authentik/icons/calendar.svg"
|
||||
# APP_ICONS="$APP_ICONS Rallly:~/.abra/recipes/authentik/icons/rallly.png"
|
||||
# COMPOSE_FILE="$COMPOSE_FILE:compose.rallly.yml"
|
||||
# RALLLY_DOMAIN=rallly.example.com
|
||||
# SECRET_RALLLY_ID_VERSION=v1
|
||||
# SECRET_RALLLY_SECRET_VERSION=v1
|
||||
# APP_ICONS="$APP_ICONS rallly:~/.abra/recipes/authentik/icons/rallly.png"
|
||||
|
||||
# COMPOSE_FILE="$COMPOSE_FILE:compose.hedgedoc.yml"
|
||||
# HEDGEDOC_DOMAIN=hedgedoc.example.com
|
||||
# SECRET_HEDGEDOC_ID_VERSION=v1
|
||||
# SECRET_HEDGEDOC_SECRET_VERSION=v1
|
||||
# APP_ICONS="$APP_ICONS hedgedoc:~/.abra/recipes/authentik/icons/hedgedoc.png"
|
||||
|
||||
# APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "BBB": "https://nextcloud.example.com/apps/bbb/"}'
|
||||
# APP_ICONS="$APP_ICONS Calendar:~/.abra/recipes/authentik/icons/calendar.svg"
|
||||
# APP_ICONS="$APP_ICONS BBB:~/.abra/recipes/authentik/icons/bbb.jpg"
|
||||
|
|
96
README.md
96
README.md
|
@ -87,44 +87,112 @@ Run this command after every deploy/upgrade:
|
|||
|
||||
`abra app command --local <app-name> customize <assets_path>`
|
||||
|
||||
## Email templates
|
||||
|
||||
Add custom [email templates](https://goauthentik.io/docs/flow/stages/email/#custom-templates):
|
||||
|
||||
`abra app cmd -l <app_name> add_email_templates local/path/to/mail_template.html`
|
||||
|
||||
## Blueprints
|
||||
|
||||
Blueprint Dependency Requirements:
|
||||
These blueprints overwrite default blueprint values:
|
||||
|
||||
- flow_translation.yaml
|
||||
- flow_authentication.yaml
|
||||
|
||||
The following default blueprints will be overwritten by customizations:
|
||||
|
||||
- flow-password-change.yaml
|
||||
- flow-default-authentication-flow.yaml
|
||||
- flow-default-user-settings-flow.yaml
|
||||
- flow-default-source-enrollment.yaml
|
||||
|
||||
The `abra.sh` function `apply_blueprints` needs to be executed to deactivate these blueprints to ensure that the customizations won't be overwritten. It will further execute flow_translation.yaml and flow_authentication.yaml again.
|
||||
|
||||
|
||||
### Blueprint Overwrite/Use Dependencies
|
||||
|
||||
- Recovery with email verification
|
||||
- Default - Password change flow
|
||||
- USE:
|
||||
- `default-password-change-prompt`
|
||||
- `default-password-change-write`
|
||||
- Default - Authentication flow
|
||||
- USE:
|
||||
- `default-authentication-login`
|
||||
- Custom Authentication Flow
|
||||
- Default - Authentication flow
|
||||
- USE:
|
||||
- `default-authentication-password`
|
||||
- OVERWRITE:
|
||||
- `default-authentication-flow`
|
||||
- APPEND:
|
||||
- `default-authentication-identification`
|
||||
- `default-authentication-login`
|
||||
- REMOVE: `authentik_flows.flowstagebinding order:20`
|
||||
- Recovery with email verification
|
||||
- USE:
|
||||
- `default-recovery-flow`
|
||||
- Invitation Enrollment Flow
|
||||
- Default - User settings flow
|
||||
- USE:
|
||||
- `default-user-settings-field-name`
|
||||
- `default-user-settings-field-email`
|
||||
- Default - Password change flow
|
||||
- USE:
|
||||
- `default-password-change-field-password`
|
||||
- `default-password-change-field-password-repeat`
|
||||
- Default - Authentication flow
|
||||
- USE:
|
||||
- `default-authentication-login`
|
||||
- Default - Source enrollment flow
|
||||
- USE:
|
||||
- `default-source-enrollment-field-username`
|
||||
- `default-source-enrollment-write`
|
||||
- Custom Invalidation Flow
|
||||
- Default - Invalidation flow
|
||||
- APPEND_ATTR:
|
||||
- `authentik_flows.flowstagebinding order: 0`
|
||||
- Flow Translations
|
||||
- Recovery with email verification
|
||||
- APPEND: `default-recovery-flow`
|
||||
- Default - Password change flow
|
||||
- OVERWRITE:
|
||||
- `default-password-change-field-password`
|
||||
- `default-password-change-field-password-repeat`
|
||||
- Default - User settings flow
|
||||
- OVERWRITE:
|
||||
- `default-user-settings-field-username`
|
||||
- `default-user-settings-field-name`
|
||||
- Default - Source enrollment flow
|
||||
- Custom System Tenant
|
||||
- Default - Tenant
|
||||
- OVERWRITE:
|
||||
- `default-source-enrollment-field-username`
|
||||
- Custom System Brand
|
||||
- Default - Brand
|
||||
- APPEND: `authentik_brands.brand domain: authentik-default`
|
||||
- Recovery with email verification
|
||||
- USE:
|
||||
- `default-recovery-flow`
|
||||
|
||||
|
||||
Blueprint Dependency Graph:
|
||||
### Blueprint Dependency Execution Order
|
||||
|
||||
5. Custom System Tenant
|
||||
- Default - Tenant
|
||||
4. Invitation Enrollment Flow
|
||||
3. Flow Translations
|
||||
- Default - User settings flow
|
||||
- Default - Source enrollment flow
|
||||
2. Custom Authentication Flow
|
||||
1. Recovery with email verification
|
||||
- Default - Authentication flow
|
||||
- Default - Password change flow
|
||||
5. Custom System Brand
|
||||
- Default - Brand
|
||||
1. Recovery with email verification
|
||||
- Default - Authentication flow
|
||||
- Default - Password change flow
|
||||
4. Invitation Enrollment Flow
|
||||
3. Flow Translations
|
||||
- Default - User settings flow
|
||||
- Default - Source enrollment flow
|
||||
1. Recovery with email verification
|
||||
- Default - Authentication flow
|
||||
- Default - Password change flow
|
||||
2. Custom Authentication Flow
|
||||
1. Recovery with email verification
|
||||
- Default - Authentication flow
|
||||
- Default - Password change flow
|
||||
6. Custom Invalidation Flow
|
||||
- Default - Invalidation flow
|
||||
|
||||
|
|
82
abra.sh
82
abra.sh
|
@ -1,16 +1,21 @@
|
|||
export CUSTOM_CSS_VERSION=v2
|
||||
export FLOW_AUTHENTICATION_VERSION=v2
|
||||
export FLOW_INVITATION_VERSION=v1
|
||||
export FLOW_INVALIDATION_VERSION=v1
|
||||
export FLOW_AUTHENTICATION_VERSION=v4
|
||||
export FLOW_INVITATION_VERSION=v2
|
||||
export FLOW_INVALIDATION_VERSION=v2
|
||||
export FLOW_RECOVERY_VERSION=v1
|
||||
export FLOW_TRANSLATION_VERSION=v1
|
||||
export SYSTEM_TENANT_VERSION=v1
|
||||
export FLOW_TRANSLATION_VERSION=v3
|
||||
export SYSTEM_BRAND_VERSION=v3
|
||||
export NEXTCLOUD_CONFIG_VERSION=v1
|
||||
export WORDPRESS_CONFIG_VERSION=v2
|
||||
export MATRIX_CONFIG_VERSION=v1
|
||||
export WEKAN_CONFIG_VERSION=v3
|
||||
export VIKUNJA_CONFIG_VERSION=v1
|
||||
export OUTLINE_CONFIG_VERSION=v2
|
||||
export KIMAI_CONFIG_VERSION=v1
|
||||
export RALLLY_CONFIG_VERSION=v2
|
||||
export HEDGEDOC_CONFIG_VERSION=v1
|
||||
export MONITORING_CONFIG_VERSION=v1
|
||||
export DB_ENTRYPOINT_VERSION=v1
|
||||
|
||||
customize() {
|
||||
if [ -z "$1" ]
|
||||
|
@ -51,15 +56,19 @@ with open('/tmp/$1', newline='') as file:
|
|||
email = row[2].strip()
|
||||
groups = row[3].split(';')
|
||||
if User.objects.filter(username=username):
|
||||
print(f'{username} already exists')
|
||||
continue
|
||||
new_user = User.objects.create(name=name, username=username, email=email)
|
||||
print(f'{username} created')
|
||||
for group_name in groups:
|
||||
group_name = group_name.strip()
|
||||
if Group.objects.filter(name=group_name):
|
||||
group = Group.objects.get(name=group_name)
|
||||
else:
|
||||
group = Group.objects.create(name=group_name)
|
||||
print(f'{group_name} created')
|
||||
group.users.add(new_user)
|
||||
print(f'add {username} to group {group_name}')
|
||||
""" 2>&1 | quieten
|
||||
}
|
||||
|
||||
|
@ -95,15 +104,24 @@ rotate_db_pass() {
|
|||
psql -U authentik -c """ALTER USER authentik WITH PASSWORD '$db_password';"""
|
||||
}
|
||||
|
||||
# This function is for blueprints that are overwriting custom blueprints
|
||||
# It deactivates the affected custom blueprints to avoid changes to be reverted
|
||||
apply_blueprints() {
|
||||
enable_blueprint default/flow-default-authentication-flow.yaml
|
||||
enable_blueprint default/flow-default-user-settings-flow.yaml
|
||||
enable_blueprint default/flow-password-change.yaml
|
||||
ak apply_blueprint 6_flow_invalidation.yaml 2>&1 | quieten
|
||||
ak apply_blueprint 5_system_tenant.yaml 2>&1 | quieten
|
||||
disable_blueprint default/flow-default-authentication-flow.yaml
|
||||
disable_blueprint default/flow-default-user-settings-flow.yaml
|
||||
disable_blueprint default/flow-password-change.yaml
|
||||
update_and_disable_blueprint default/flow-password-change.yaml
|
||||
update_and_disable_blueprint default/flow-default-authentication-flow.yaml
|
||||
update_and_disable_blueprint default/flow-default-user-settings-flow.yaml
|
||||
update_and_disable_blueprint default/flow-default-source-enrollment.yaml
|
||||
|
||||
apply_blueprint 3_flow_translation.yaml
|
||||
apply_blueprint 2_flow_authentication.yaml
|
||||
}
|
||||
|
||||
update_and_disable_blueprint() {
|
||||
enable_blueprint $@ 2>&1 | quieten
|
||||
sleep 1
|
||||
apply_blueprint $@
|
||||
sleep 1
|
||||
disable_blueprint $@ 2>&1 | quieten
|
||||
}
|
||||
|
||||
disable_blueprint() {
|
||||
|
@ -114,12 +132,24 @@ enable_blueprint() {
|
|||
blueprint_state True $@
|
||||
}
|
||||
|
||||
apply_blueprint() {
|
||||
echo apply blueprint $@
|
||||
ak apply_blueprint $@ 2>&1 | quieten
|
||||
}
|
||||
|
||||
blueprint_state() {
|
||||
/manage.py shell -c """
|
||||
import time
|
||||
blueprint_state=$1
|
||||
blueprint_path='$2'
|
||||
blueprint = BlueprintInstance.objects.filter(path=blueprint_path).first()
|
||||
blueprint.enabled = blueprint_state
|
||||
# Hacky workaround to reduce chance of a race condition
|
||||
blueprint.save()
|
||||
time.sleep(1)
|
||||
blueprint.save()
|
||||
time.sleep(1)
|
||||
blueprint.save()
|
||||
print(f'{blueprint.name} enabled: {blueprint.enabled}')
|
||||
""" 2>&1 | quieten
|
||||
|
||||
|
@ -146,7 +176,16 @@ for name, url in applications.items():
|
|||
|
||||
|
||||
quieten(){
|
||||
grep -v '{"event"'
|
||||
# 'SyntaxWarning|version_regex|"http\['
|
||||
# is a workaround to get rid of some verbose syntax warnings, this might be fixed with another version
|
||||
grep -Pv '"level": "(info|debug)"|SyntaxWarning|version_regex|"http\[|RuntimeWarning:'
|
||||
}
|
||||
|
||||
add_email_templates(){
|
||||
for file_path in "$@"; do
|
||||
echo copy template $file_path
|
||||
abra app cp $APP_NAME $file_path app:/templates/
|
||||
done
|
||||
}
|
||||
|
||||
set_icons(){
|
||||
|
@ -186,7 +225,20 @@ delete_flows = ['default-recovery-flow' , 'custom-authentication-flow' , 'invita
|
|||
Flow.objects.filter(slug__in=delete_flows).delete()
|
||||
Stage.objects.filter(flow=None).delete()
|
||||
Prompt.objects.filter(promptstage=None).delete()
|
||||
Tenant.objects.filter(default=True).delete()
|
||||
Brand.objects.filter(default=True).delete()
|
||||
""" 2>&1 | quieten
|
||||
apply_blueprints
|
||||
}
|
||||
|
||||
get_certificate() {
|
||||
/manage.py shell -c """
|
||||
provider_name='$1'
|
||||
if not provider_name:
|
||||
print('no Provider Name given')
|
||||
exit(1)
|
||||
provider = Provider.objects.filter(name=provider_name).first()
|
||||
saml = provider.samlprovider
|
||||
cert = saml.signing_kp
|
||||
print(''.join(cert.certificate_data.splitlines()[1:-1]))
|
||||
""" 2>&1 | quieten
|
||||
}
|
||||
|
|
|
@ -0,0 +1,76 @@
|
|||
nextcloud:
|
||||
uncomment:
|
||||
- compose.nextcloud.yml
|
||||
- NEXTCLOUD_DOMAIN
|
||||
- SECRET_NEXTCLOUD_ID_VERSION
|
||||
- SECRET_NEXTCLOUD_SECRET_VERSION
|
||||
- nextcloud.png
|
||||
wordpress:
|
||||
uncomment:
|
||||
- compose.wordpress.yml
|
||||
- WORDPRESS_DOMAIN
|
||||
- WORDPRESS_GROUP
|
||||
- SECRET_WORDPRESS_ID_VERSION
|
||||
- SECRET_WORDPRESS_SECRET_VERSION
|
||||
- wordpress.png
|
||||
matrix-synapse:
|
||||
uncomment:
|
||||
- compose.matrix.yml
|
||||
- ELEMENT_DOMAIN
|
||||
- SECRET_MATRIX_ID_VERSION
|
||||
- SECRET_MATRIX_SECRET_VERSION
|
||||
- matrix.svg
|
||||
secrets:
|
||||
matrix_id: matrix
|
||||
wekan:
|
||||
uncomment:
|
||||
- compose.wekan.yml
|
||||
- WEKAN_DOMAIN
|
||||
- SECRET_WEKAN_ID_VERSION
|
||||
- SECRET_WEKAN_SECRET_VERSION
|
||||
- wekan.png
|
||||
secrets:
|
||||
wekan_id: wekan
|
||||
vikunja:
|
||||
uncomment:
|
||||
- compose.vikunja.yml
|
||||
- VIKUNJA_DOMAIN
|
||||
- SECRET_VIKUNJA_ID_VERSION
|
||||
- SECRET_VIKUNJA_SECRET_VERSION
|
||||
- vikunja.svg
|
||||
secrets:
|
||||
vikunja_id: vikunja
|
||||
monitoring:
|
||||
uncomment:
|
||||
- compose.monitoring.yml
|
||||
- MONITORING_DOMAIN
|
||||
- SECRET_MONITORING_ID_VERSION
|
||||
- SECRET_MONITORING_SECRET_VERSION
|
||||
- monitoring.png
|
||||
outline:
|
||||
uncomment:
|
||||
- compose.outline.yml
|
||||
- OUTLINE_DOMAIN
|
||||
- SECRET_OUTLINE_ID_VERSION
|
||||
- SECRET_OUTLINE_SECRET_VERSION
|
||||
- outline.png
|
||||
secrets:
|
||||
outline_id: outline
|
||||
rallly:
|
||||
uncomment:
|
||||
- compose.rallly.yml
|
||||
- RALLLY_DOMAIN
|
||||
- SECRET_RALLLY_ID_VERSION
|
||||
- SECRET_RALLLY_SECRET_VERSION
|
||||
- rallly.png
|
||||
secrets:
|
||||
rallly_id: rallly
|
||||
hedgedoc:
|
||||
uncomment:
|
||||
- compose.hedgedoc.yml
|
||||
- HEDGEDOC_DOMAIN
|
||||
- SECRET_HEDGEDOC_ID_VERSION
|
||||
- SECRET_HEDGEDOC_SECRET_VERSION
|
||||
- hedgedoc.png
|
||||
secrets:
|
||||
hedgedoc_id: hedgedoc
|
|
@ -0,0 +1,14 @@
|
|||
---
|
||||
version: '3.8'
|
||||
|
||||
services:
|
||||
app:
|
||||
configs:
|
||||
- source: custom_css
|
||||
target: /web/dist/custom.css
|
||||
|
||||
configs:
|
||||
custom_css:
|
||||
name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION}
|
||||
file: custom.css.tmpl
|
||||
template_driver: golang
|
|
@ -0,0 +1,26 @@
|
|||
version: "3.8"
|
||||
services:
|
||||
worker:
|
||||
secrets:
|
||||
- hedgedoc_id
|
||||
- hedgedoc_secret
|
||||
environment:
|
||||
- HEDGEDOC_DOMAIN
|
||||
configs:
|
||||
- source: hedgedoc
|
||||
target: /blueprints/hedgedoc.yaml
|
||||
|
||||
secrets:
|
||||
hedgedoc_id:
|
||||
external: true
|
||||
name: ${STACK_NAME}_hedgedoc_id_${SECRET_HEDGEDOC_ID_VERSION}
|
||||
hedgedoc_secret:
|
||||
external: true
|
||||
name: ${STACK_NAME}_hedgedoc_secret_${SECRET_HEDGEDOC_SECRET_VERSION}
|
||||
|
||||
|
||||
configs:
|
||||
hedgedoc:
|
||||
name: ${STACK_NAME}_hedgedoc_${HEDGEDOC_CONFIG_VERSION}
|
||||
file: hedgedoc.yaml.tmpl
|
||||
template_driver: golang
|
|
@ -0,0 +1,14 @@
|
|||
version: "3.8"
|
||||
services:
|
||||
worker:
|
||||
environment:
|
||||
- KIMAI_DOMAIN
|
||||
configs:
|
||||
- source: kimai
|
||||
target: /blueprints/kimai.yaml
|
||||
|
||||
configs:
|
||||
kimai:
|
||||
name: ${STACK_NAME}_kimai_${KIMAI_CONFIG_VERSION}
|
||||
file: kimai.yaml.tmpl
|
||||
template_driver: golang
|
|
@ -0,0 +1,26 @@
|
|||
version: "3.8"
|
||||
services:
|
||||
worker:
|
||||
secrets:
|
||||
- outline_id
|
||||
- outline_secret
|
||||
environment:
|
||||
- OUTLINE_DOMAIN
|
||||
configs:
|
||||
- source: outline
|
||||
target: /blueprints/outline.yaml
|
||||
|
||||
secrets:
|
||||
outline_id:
|
||||
external: true
|
||||
name: ${STACK_NAME}_outline_id_${SECRET_OUTLINE_ID_VERSION}
|
||||
outline_secret:
|
||||
external: true
|
||||
name: ${STACK_NAME}_outline_secret_${SECRET_OUTLINE_SECRET_VERSION}
|
||||
|
||||
|
||||
configs:
|
||||
outline:
|
||||
name: ${STACK_NAME}_outline_${OUTLINE_CONFIG_VERSION}
|
||||
file: outline.yaml.tmpl
|
||||
template_driver: golang
|
|
@ -0,0 +1,26 @@
|
|||
version: "3.8"
|
||||
services:
|
||||
worker:
|
||||
secrets:
|
||||
- rallly_id
|
||||
- rallly_secret
|
||||
environment:
|
||||
- RALLLY_DOMAIN
|
||||
configs:
|
||||
- source: rallly
|
||||
target: /blueprints/rallly.yaml
|
||||
|
||||
secrets:
|
||||
rallly_id:
|
||||
external: true
|
||||
name: ${STACK_NAME}_rallly_id_${SECRET_RALLLY_ID_VERSION}
|
||||
rallly_secret:
|
||||
external: true
|
||||
name: ${STACK_NAME}_rallly_secret_${SECRET_RALLLY_SECRET_VERSION}
|
||||
|
||||
|
||||
configs:
|
||||
rallly:
|
||||
name: ${STACK_NAME}_rallly_${RALLLY_CONFIG_VERSION}
|
||||
file: rallly.yaml.tmpl
|
||||
template_driver: golang
|
50
compose.yml
50
compose.yml
|
@ -32,8 +32,11 @@ x-env: &env
|
|||
version: '3.8'
|
||||
services:
|
||||
app:
|
||||
image: ghcr.io/goauthentik/server:2023.6.1
|
||||
image: ghcr.io/goauthentik/server:2024.4.2
|
||||
command: server
|
||||
depends_on:
|
||||
- db
|
||||
- redis
|
||||
secrets:
|
||||
- db_password
|
||||
- admin_pass
|
||||
|
@ -43,9 +46,7 @@ services:
|
|||
volumes:
|
||||
- media:/media
|
||||
- assets:/web/dist/assets
|
||||
configs:
|
||||
- source: custom_css
|
||||
target: /web/dist/custom.css
|
||||
- templates:/templates
|
||||
networks:
|
||||
- internal
|
||||
- proxy
|
||||
|
@ -64,7 +65,7 @@ services:
|
|||
- "traefik.enable=true"
|
||||
- "traefik.docker.network=proxy"
|
||||
- "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=9000"
|
||||
- "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
|
||||
- "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
|
||||
- "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
|
||||
- "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
|
||||
- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions"
|
||||
|
@ -72,12 +73,15 @@ services:
|
|||
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
|
||||
- "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
|
||||
- "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
|
||||
- "coop-cloud.${STACK_NAME}.version=3.2.0+2023.6.1"
|
||||
- "coop-cloud.${STACK_NAME}.version=6.1.1+2024.4.2"
|
||||
- "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
|
||||
|
||||
worker:
|
||||
image: ghcr.io/goauthentik/server:2023.6.1
|
||||
image: ghcr.io/goauthentik/server:2024.4.2
|
||||
command: worker
|
||||
depends_on:
|
||||
- db
|
||||
- redis
|
||||
secrets:
|
||||
- db_password
|
||||
- admin_pass
|
||||
|
@ -91,6 +95,7 @@ services:
|
|||
- backups:/backups
|
||||
- media:/media
|
||||
- /dev/null:/blueprints/default/flow-oobe.yaml
|
||||
- templates:/templates
|
||||
configs:
|
||||
- source: flow_recovery
|
||||
target: /blueprints/1_flow_recovery.yaml
|
||||
|
@ -100,16 +105,22 @@ services:
|
|||
target: /blueprints/3_flow_translation.yaml
|
||||
- source: flow_invitation
|
||||
target: /blueprints/4_flow_invitation.yaml
|
||||
- source: system_tenant
|
||||
target: /blueprints/5_system_tenant.yaml
|
||||
- source: system_brand
|
||||
target: /blueprints/5_system_brand.yaml
|
||||
- source: flow_invalidation
|
||||
target: /blueprints/6_flow_invalidation.yaml
|
||||
environment: *env
|
||||
|
||||
db:
|
||||
image: postgres:12.15-alpine
|
||||
image: postgres:15.7
|
||||
secrets:
|
||||
- db_password
|
||||
configs:
|
||||
- source: db_entrypoint
|
||||
target: /docker-entrypoint.sh
|
||||
mode: 0555
|
||||
entrypoint:
|
||||
/docker-entrypoint.sh
|
||||
volumes:
|
||||
- database:/var/lib/postgresql/data
|
||||
networks:
|
||||
|
@ -132,11 +143,11 @@ services:
|
|||
backupbot.backup.path: "/var/lib/postgresql/data"
|
||||
|
||||
redis:
|
||||
image: redis:7.0.12-alpine
|
||||
image: redis:7.2.4-alpine
|
||||
networks:
|
||||
- internal
|
||||
healthcheck:
|
||||
test: ["CMD", "redis-cli","ping"]
|
||||
test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
|
||||
interval: 30s
|
||||
timeout: 10s
|
||||
retries: 10
|
||||
|
@ -167,14 +178,11 @@ networks:
|
|||
volumes:
|
||||
backups:
|
||||
media:
|
||||
templates:
|
||||
assets:
|
||||
database:
|
||||
|
||||
configs:
|
||||
custom_css:
|
||||
name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION}
|
||||
file: custom.css.tmpl
|
||||
template_driver: golang
|
||||
flow_authentication:
|
||||
name: ${STACK_NAME}_flow_authentication_${FLOW_AUTHENTICATION_VERSION}
|
||||
file: flow_authentication.yaml.tmpl
|
||||
|
@ -195,7 +203,11 @@ configs:
|
|||
name: ${STACK_NAME}_flow_translation_${FLOW_TRANSLATION_VERSION}
|
||||
file: flow_translation.yaml.tmpl
|
||||
template_driver: golang
|
||||
system_tenant:
|
||||
name: ${STACK_NAME}_system_tenant_${SYSTEM_TENANT_VERSION}
|
||||
file: system_tenant.yaml.tmpl
|
||||
system_brand:
|
||||
name: ${STACK_NAME}_system_brand_${SYSTEM_BRAND_VERSION}
|
||||
file: system_brand.yaml.tmpl
|
||||
template_driver: golang
|
||||
db_entrypoint:
|
||||
name: ${STACK_NAME}_db_entrypoint_${DB_ENTRYPOINT_VERSION}
|
||||
file: entrypoint.postgres.sh.tmpl
|
||||
template_driver: golang
|
||||
|
|
|
@ -384,7 +384,7 @@ entries:
|
|||
enabled: {{ if eq (env "LOGOUT_REDIRECT") "" }} false {{ else }} true {{ end }}
|
||||
timeout: 30
|
||||
|
||||
######## System Tenant ##########
|
||||
######## System Brand ##########
|
||||
- attrs:
|
||||
attributes:
|
||||
settings:
|
||||
|
@ -401,5 +401,5 @@ entries:
|
|||
flow_user_settings: !Find [authentik_flows.flow, [slug, default-user-settings-flow]]
|
||||
identifiers:
|
||||
pk: 047cce25-aae2-4b02-9f96-078e155f803d
|
||||
id: system_tenant
|
||||
model: authentik_tenants.tenant
|
||||
id: system_brand
|
||||
model: authentik_brands.brand
|
||||
|
|
|
@ -0,0 +1,45 @@
|
|||
#!/bin/bash
|
||||
|
||||
set -e
|
||||
|
||||
MIGRATION_MARKER=$PGDATA/migration_in_progress
|
||||
OLDDATA=$PGDATA/old_data
|
||||
NEWDATA=$PGDATA/new_data
|
||||
|
||||
if [ -e $MIGRATION_MARKER ]; then
|
||||
echo "FATAL: migration was started but did not complete in a previous run. manual recovery necessary"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ -f $PGDATA/PG_VERSION ]; then
|
||||
DATA_VERSION=$(cat $PGDATA/PG_VERSION)
|
||||
|
||||
if [ -n "$DATA_VERSION" -a "$PG_MAJOR" != "$DATA_VERSION" ]; then
|
||||
echo "postgres data version $DATA_VERSION found, but need $PG_MAJOR. Starting migration"
|
||||
echo "Installing postgres $DATA_VERSION"
|
||||
sed -i "s/$/ $DATA_VERSION/" /etc/apt/sources.list.d/pgdg.list
|
||||
apt-get update && apt-get install -y --no-install-recommends \
|
||||
postgresql-$DATA_VERSION \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
echo "shuffling around"
|
||||
chown -R postgres:postgres $PGDATA
|
||||
gosu postgres mkdir $OLDDATA $NEWDATA
|
||||
chmod 700 $OLDDATA $NEWDATA
|
||||
mv $PGDATA/* $OLDDATA/ || true
|
||||
touch $MIGRATION_MARKER
|
||||
echo "running initdb"
|
||||
# abuse entrypoint script for initdb by making server error out
|
||||
gosu postgres bash -c "export PGDATA=$NEWDATA ; /usr/local/bin/docker-entrypoint.sh --invalid-arg || true"
|
||||
echo "running pg_upgrade"
|
||||
cd /tmp
|
||||
gosu postgres pg_upgrade --link -b /usr/lib/postgresql/$DATA_VERSION/bin -d $OLDDATA -D $NEWDATA -U $POSTGRES_USER
|
||||
cp $OLDDATA/pg_hba.conf $NEWDATA/
|
||||
mv $NEWDATA/* $PGDATA
|
||||
rm -rf $OLDDATA
|
||||
rmdir $NEWDATA
|
||||
rm $MIGRATION_MARKER
|
||||
echo "migration complete"
|
||||
fi
|
||||
fi
|
||||
|
||||
/usr/local/bin/docker-entrypoint.sh postgres
|
|
@ -22,9 +22,6 @@ entries:
|
|||
attrs:
|
||||
name: !Context welcome_message
|
||||
title: !Context welcome_message
|
||||
user_fields:
|
||||
- email
|
||||
- username
|
||||
### STAGES
|
||||
- identifiers:
|
||||
name: default-authentication-identification
|
||||
|
@ -40,8 +37,9 @@ entries:
|
|||
name: default-authentication-login
|
||||
model: authentik_stages_user_login.userloginstage
|
||||
attrs:
|
||||
session_duration: seconds=0
|
||||
session_duration: days=30
|
||||
|
||||
# After the first run this will produce a RelatedObjectDoesNotExist error
|
||||
- identifiers:
|
||||
order: 20
|
||||
stage: !Find [authentik_stages_password.passwordstage, [name, default-authentication-password]]
|
||||
|
|
|
@ -13,6 +13,7 @@ entries:
|
|||
|
||||
### STAGE BINDINGS
|
||||
|
||||
# This is specified only for setting an id (this stagebinding does not have an identifier)
|
||||
- identifiers:
|
||||
order: 0
|
||||
stage: !Find [authentik_stages_user_logout.userlogoutstage, [name, default-invalidation-logout]]
|
||||
|
|
|
@ -24,6 +24,18 @@ entries:
|
|||
id: invitation-enrollment-flow
|
||||
model: authentik_flows.flow
|
||||
|
||||
### POLICIES
|
||||
- attrs:
|
||||
expression: |
|
||||
if not regex_match(request.context.get('prompt_data').get('username'), '\s'):
|
||||
return True
|
||||
ak_message("Username must not contain any whitespace!")
|
||||
return False
|
||||
id: username-without-spaces-policy
|
||||
identifiers:
|
||||
name: username-without-spaces-policy
|
||||
model: authentik_policies_expression.expressionpolicy
|
||||
|
||||
### STAGES
|
||||
- identifiers:
|
||||
name: invitation-stage
|
||||
|
@ -41,6 +53,8 @@ entries:
|
|||
- !Find [authentik_stages_prompt.prompt, [name, default-user-settings-field-email]]
|
||||
- !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password]]
|
||||
- !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password-repeat]]
|
||||
validation_policies:
|
||||
- !Find [ authentik_policies_expression.expressionpolicy, [name, username-without-spaces-policy]]
|
||||
|
||||
### STAGE BINDINGS
|
||||
- identifiers:
|
||||
|
|
|
@ -4,7 +4,7 @@ metadata:
|
|||
blueprints.goauthentik.io/instantiate: "true"
|
||||
name: Flow Translations
|
||||
context:
|
||||
transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort Zurücksetzen" {{ else }} "Reset your password" {{ end }}
|
||||
transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort zurücksetzen" {{ else }} "Reset your password" {{ end }}
|
||||
transl_password: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort" {{ else }} "Password" {{ end }}
|
||||
transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort (wiederholen)" {{ else }} "Password (repeat)" {{ end }}
|
||||
transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Benutzername" {{ else }} "Username" {{ end }}
|
||||
|
@ -15,7 +15,7 @@ entries:
|
|||
- model: authentik_blueprints.metaapplyblueprint
|
||||
attrs:
|
||||
identifiers:
|
||||
name: Custom Authentication Flow
|
||||
name: Recovery with email verification
|
||||
required: true
|
||||
- model: authentik_blueprints.metaapplyblueprint
|
||||
attrs:
|
||||
|
|
|
@ -0,0 +1,43 @@
|
|||
version: 1
|
||||
metadata:
|
||||
labels:
|
||||
blueprints.goauthentik.io/instantiate: "true"
|
||||
name: hedgedoc
|
||||
|
||||
entries:
|
||||
|
||||
- attrs:
|
||||
access_code_validity: minutes=1
|
||||
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
|
||||
client_id: {{ secret "hedgedoc_id" }}
|
||||
client_secret: {{ secret "hedgedoc_secret" }}
|
||||
client_type: confidential
|
||||
include_claims_in_id_token: true
|
||||
issuer_mode: per_provider
|
||||
name: Hedgedoc
|
||||
property_mappings:
|
||||
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
|
||||
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
|
||||
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
|
||||
signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
|
||||
sub_mode: hashed_user_id
|
||||
token_validity: days=30
|
||||
conditions: []
|
||||
id: hedgedoc_provider
|
||||
identifiers:
|
||||
pk: 9992
|
||||
model: authentik_providers_oauth2.oauth2provider
|
||||
state: present
|
||||
|
||||
- attrs:
|
||||
meta_launch_url: https://{{ env "HEDGEDOC_DOMAIN" }}
|
||||
open_in_new_tab: true
|
||||
policy_engine_mode: any
|
||||
provider: !KeyOf hedgedoc_provider
|
||||
slug: hedgedoc
|
||||
conditions: []
|
||||
id: hedgedoc_application
|
||||
identifiers:
|
||||
name: Hedgedoc
|
||||
model: authentik_core.application
|
||||
state: present
|
Binary file not shown.
After Width: | Height: | Size: 6.7 KiB |
Binary file not shown.
After Width: | Height: | Size: 9.2 KiB |
Binary file not shown.
After Width: | Height: | Size: 30 KiB |
Binary file not shown.
After Width: | Height: | Size: 6.9 KiB |
|
@ -0,0 +1,48 @@
|
|||
version: 1
|
||||
metadata:
|
||||
labels:
|
||||
blueprints.goauthentik.io/instantiate: "true"
|
||||
name: kimai
|
||||
|
||||
entries:
|
||||
- attrs:
|
||||
acs_url: https://{{ env "KIMAI_DOMAIN" }}/auth/saml/acs
|
||||
assertion_valid_not_before: minutes=-5
|
||||
assertion_valid_not_on_or_after: minutes=5
|
||||
audience: https://{{ env "KIMAI_DOMAIN" }}/auth/saml
|
||||
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
|
||||
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
|
||||
digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
|
||||
issuer: https://{{ env "DOMAIN" }}
|
||||
name: Kimai
|
||||
name_id_mapping: !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Username"]]
|
||||
property_mappings:
|
||||
- !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Name"]]
|
||||
- !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Email"]]
|
||||
- !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: User ID"]]
|
||||
- !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Username"]]
|
||||
- !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Groups"]]
|
||||
- !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: UPN"]]
|
||||
session_valid_not_on_or_after: minutes=86400
|
||||
signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
|
||||
signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
|
||||
sp_binding: post
|
||||
conditions: []
|
||||
id: kimai_provider
|
||||
identifiers:
|
||||
pk: 9991
|
||||
model: authentik_providers_saml.samlprovider
|
||||
state: present
|
||||
|
||||
- attrs:
|
||||
meta_launch_url: https://{{ env "KIMAI_DOMAIN" }}
|
||||
open_in_new_tab: true
|
||||
policy_engine_mode: any
|
||||
provider: !KeyOf kimai_provider
|
||||
slug: kimai
|
||||
conditions: []
|
||||
id: kimai_application
|
||||
identifiers:
|
||||
name: Kimai
|
||||
model: authentik_core.application
|
||||
state: present
|
|
@ -0,0 +1,43 @@
|
|||
version: 1
|
||||
metadata:
|
||||
labels:
|
||||
blueprints.goauthentik.io/instantiate: "true"
|
||||
name: outline
|
||||
|
||||
entries:
|
||||
|
||||
- attrs:
|
||||
access_code_validity: minutes=1
|
||||
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
|
||||
client_id: {{ secret "outline_id" }}
|
||||
client_secret: {{ secret "outline_secret" }}
|
||||
client_type: confidential
|
||||
include_claims_in_id_token: true
|
||||
issuer_mode: per_provider
|
||||
name: Outline
|
||||
property_mappings:
|
||||
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
|
||||
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
|
||||
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
|
||||
signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
|
||||
sub_mode: hashed_user_id
|
||||
token_validity: days=30
|
||||
conditions: []
|
||||
id: outline_provider
|
||||
identifiers:
|
||||
pk: 9994
|
||||
model: authentik_providers_oauth2.oauth2provider
|
||||
state: present
|
||||
|
||||
- attrs:
|
||||
meta_launch_url: https://{{ env "OUTLINE_DOMAIN" }}
|
||||
open_in_new_tab: true
|
||||
policy_engine_mode: any
|
||||
provider: !KeyOf outline_provider
|
||||
slug: outline
|
||||
conditions: []
|
||||
id: outline_application
|
||||
identifiers:
|
||||
name: Outline
|
||||
model: authentik_core.application
|
||||
state: present
|
|
@ -0,0 +1,43 @@
|
|||
version: 1
|
||||
metadata:
|
||||
labels:
|
||||
blueprints.goauthentik.io/instantiate: "true"
|
||||
name: rallly
|
||||
|
||||
entries:
|
||||
|
||||
- attrs:
|
||||
access_code_validity: minutes=1
|
||||
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
|
||||
client_id: {{ secret "rallly_id" }}
|
||||
client_secret: {{ secret "rallly_secret" }}
|
||||
client_type: confidential
|
||||
include_claims_in_id_token: true
|
||||
issuer_mode: per_provider
|
||||
name: Rallly
|
||||
property_mappings:
|
||||
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
|
||||
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
|
||||
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
|
||||
signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
|
||||
sub_mode: hashed_user_id
|
||||
token_validity: days=30
|
||||
conditions: []
|
||||
id: rallly_provider
|
||||
identifiers:
|
||||
pk: 9993
|
||||
model: authentik_providers_oauth2.oauth2provider
|
||||
state: present
|
||||
|
||||
- attrs:
|
||||
meta_launch_url: https://{{ env "RALLLY_DOMAIN" }}
|
||||
open_in_new_tab: true
|
||||
policy_engine_mode: any
|
||||
provider: !KeyOf rallly_provider
|
||||
slug: rallly
|
||||
conditions: []
|
||||
id: rallly_application
|
||||
identifiers:
|
||||
name: Rallly
|
||||
model: authentik_core.application
|
||||
state: present
|
|
@ -0,0 +1 @@
|
|||
It is only possible to upgrade to 2023.10 from 2023.8, you need to update to 2023.8.x before applying this update
|
|
@ -0,0 +1 @@
|
|||
Blueprint changes are applied and automatic migrations should work, however, manual action may be required: https://docs.goauthentik.io/docs/releases/2024.2
|
|
@ -0,0 +1 @@
|
|||
Due to blueprint changes, you need to run the following command after upgrading: abra app cmd -C <Domain> worker apply_blueprints
|
|
@ -0,0 +1 @@
|
|||
Alerta! ⚠️ If you are using AUTHENTIK_COLOR_BACKGROUND_LIGHT, you will need to set COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
|
|
@ -0,0 +1 @@
|
|||
Blueprint for Kimai SSO integration added
|
|
@ -2,26 +2,26 @@ version: 1
|
|||
metadata:
|
||||
labels:
|
||||
blueprints.goauthentik.io/instantiate: "true"
|
||||
name: Custom System Tenant
|
||||
name: Custom System brand
|
||||
entries:
|
||||
### DEPENDENCIES
|
||||
- model: authentik_blueprints.metaapplyblueprint
|
||||
attrs:
|
||||
identifiers:
|
||||
name: Default - Tenant
|
||||
name: Default - Brand
|
||||
required: true
|
||||
- model: authentik_blueprints.metaapplyblueprint
|
||||
attrs:
|
||||
identifiers:
|
||||
name: Invitation Enrollment Flow
|
||||
name: Recovery with email verification
|
||||
required: true
|
||||
|
||||
|
||||
### SYSTEM TENANT
|
||||
# remove custom tenant from old recipe
|
||||
### SYSTEM BRAND
|
||||
# remove custom brand from old recipe
|
||||
- identifiers:
|
||||
domain: {{ env "DOMAIN" }}
|
||||
model: authentik_tenants.tenant
|
||||
model: authentik_brands.brand
|
||||
state: absent
|
||||
|
||||
- attrs:
|
||||
|
@ -32,4 +32,4 @@ entries:
|
|||
identifiers:
|
||||
default: true
|
||||
domain: authentik-default
|
||||
model: authentik_tenants.tenant
|
||||
model: authentik_brands.brand
|
Loading…
Reference in New Issue