Compare commits
39 Commits
3.3.1+2023
...
main
Author | SHA1 | Date |
---|---|---|
Moritz | 0be7e95f48 | |
3wc | 4fe52c1e5f | |
3wc | 248a09c594 | |
Simon | b957425981 | |
Moritz | 20f99b13ad | |
Moritz | c42017839f | |
Moritz | cdabec1b18 | |
Moritz | a606a84a98 | |
Simon | a0505e0dec | |
Simon | 17d40711e0 | |
Moritz | fc33f285f4 | |
3wc | d1f091da62 | |
3wc | 3e339228f5 | |
3wc | c39b6ad25a | |
3wc | 1ffb62d74a | |
3wc | 03f8810462 | |
3wc | d19bf17781 | |
3wc | 5086df24fb | |
knoflook | e07d57718a | |
Simon | 553b97ba21 | |
Simon | 75f42db773 | |
Simon | d115d5ce38 | |
Simon | 68eda3e2d7 | |
Moritz | 91756202c2 | |
Moritz | bf2397b0e9 | |
Moritz | c3b01c1d27 | |
Simon | 8d32814219 | |
Simon | 78cfd95198 | |
Simon | 4593eb6340 | |
Simon | 0419ed279d | |
Simon | abb49e7019 | |
Simon | 74f654c192 | |
Simon | 7a4daaf475 | |
Simon | b7605f6a87 | |
3wc | 01ca1b4d5c | |
Simon | 287426b06a | |
iexos | b311cadc4c | |
Moritz | d01c539c4f | |
Moritz | 427644df38 |
|
@ -23,13 +23,14 @@ steps:
|
||||||
FLOW_INVALIDATION_VERSION: v1
|
FLOW_INVALIDATION_VERSION: v1
|
||||||
FLOW_RECOVERY_VERSION: v1
|
FLOW_RECOVERY_VERSION: v1
|
||||||
FLOW_TRANSLATION_VERSION: v1
|
FLOW_TRANSLATION_VERSION: v1
|
||||||
SYSTEM_TENANT_VERSION: v1
|
SYSTEM_BRAND_VERSION: v1
|
||||||
NEXTCLOUD_CONFIG_VERSION: v1
|
NEXTCLOUD_CONFIG_VERSION: v1
|
||||||
SECRET_SECRET_KEY_VERSION: v1
|
SECRET_SECRET_KEY_VERSION: v1
|
||||||
SECRET_DB_PASSWORD_VERSION: v1
|
SECRET_DB_PASSWORD_VERSION: v1
|
||||||
SECRET_ADMIN_TOKEN_VERSION: v1
|
SECRET_ADMIN_TOKEN_VERSION: v1
|
||||||
SECRET_ADMIN_PASS_VERSION: v1
|
SECRET_ADMIN_PASS_VERSION: v1
|
||||||
SECRET_EMAIL_PASS_VERSION: v1
|
SECRET_EMAIL_PASS_VERSION: v1
|
||||||
|
DB_ENTRYPOINT_VERSION: v1
|
||||||
trigger:
|
trigger:
|
||||||
branch:
|
branch:
|
||||||
- main
|
- main
|
||||||
|
|
36
.env.sample
36
.env.sample
|
@ -1,5 +1,5 @@
|
||||||
TYPE=authentik
|
TYPE=authentik
|
||||||
TIMEOUT=300
|
TIMEOUT=900
|
||||||
ENABLE_AUTO_UPDATE=true
|
ENABLE_AUTO_UPDATE=true
|
||||||
# POST_DEPLOY_CMDS="worker set_admin_pass|worker apply_blueprints|worker add_applications"
|
# POST_DEPLOY_CMDS="worker set_admin_pass|worker apply_blueprints|worker add_applications"
|
||||||
LETS_ENCRYPT_ENV=production
|
LETS_ENCRYPT_ENV=production
|
||||||
|
@ -34,7 +34,6 @@ SECRET_ADMIN_PASS_VERSION=v1
|
||||||
SECRET_EMAIL_PASS_VERSION=v1
|
SECRET_EMAIL_PASS_VERSION=v1
|
||||||
|
|
||||||
# X_FRAME_OPTIONS_ALLOW_FROM=dashboard.example.org
|
# X_FRAME_OPTIONS_ALLOW_FROM=dashboard.example.org
|
||||||
AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
|
|
||||||
|
|
||||||
## FLOW OPTIONS
|
## FLOW OPTIONS
|
||||||
# WELCOME_MESSAGE="Welcome to Authentik"
|
# WELCOME_MESSAGE="Welcome to Authentik"
|
||||||
|
@ -47,6 +46,12 @@ COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
|
||||||
COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/"
|
COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/"
|
||||||
COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
|
COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
|
||||||
|
|
||||||
|
# Default CSS customisation, just background colour
|
||||||
|
COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
|
||||||
|
AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
|
||||||
|
# Custommise the entire custom CSS file
|
||||||
|
#COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
|
||||||
|
|
||||||
# COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
|
# COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
|
||||||
# NEXTCLOUD_DOMAIN=nextcloud.example.com
|
# NEXTCLOUD_DOMAIN=nextcloud.example.com
|
||||||
# SECRET_NEXTCLOUD_ID_VERSION=v1
|
# SECRET_NEXTCLOUD_ID_VERSION=v1
|
||||||
|
@ -78,13 +83,36 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
|
||||||
# SECRET_VIKUNJA_SECRET_VERSION=v1
|
# SECRET_VIKUNJA_SECRET_VERSION=v1
|
||||||
# APP_ICONS="$APP_ICONS vikunja:~/.abra/recipes/authentik/icons/vikunja.svg"
|
# APP_ICONS="$APP_ICONS vikunja:~/.abra/recipes/authentik/icons/vikunja.svg"
|
||||||
|
|
||||||
|
# COMPOSE_FILE="$COMPOSE_FILE:compose.outline.yml"
|
||||||
|
# OUTLINE_DOMAIN=outline.example.com
|
||||||
|
# SECRET_OUTLINE_ID_VERSION=v1
|
||||||
|
# SECRET_OUTLINE_SECRET_VERSION=v1
|
||||||
|
# APP_ICONS="$APP_ICONS outline:~/.abra/recipes/authentik/icons/outline.png"
|
||||||
|
|
||||||
|
# COMPOSE_FILE="$COMPOSE_FILE:compose.kimai.yml"
|
||||||
|
# KIMAI_DOMAIN=kimai.example.com
|
||||||
|
# SECRET_KIMAI_ID_VERSION=v1
|
||||||
|
# SECRET_KIMAI_SECRET_VERSION=v1
|
||||||
|
# APP_ICONS="$APP_ICONS kimai:~/.abra/recipes/authentik/icons/kimai.png"
|
||||||
|
|
||||||
# COMPOSE_FILE="$COMPOSE_FILE:compose.monitoring.yml"
|
# COMPOSE_FILE="$COMPOSE_FILE:compose.monitoring.yml"
|
||||||
# MONITORING_DOMAIN=monitoring.example.com
|
# MONITORING_DOMAIN=monitoring.example.com
|
||||||
# SECRET_MONITORING_ID_VERSION=v1
|
# SECRET_MONITORING_ID_VERSION=v1
|
||||||
# SECRET_MONITORING_SECRET_VERSION=v1
|
# SECRET_MONITORING_SECRET_VERSION=v1
|
||||||
# APP_ICONS="$APP_ICONS monitoring:~/.abra/recipes/authentik/icons/monitoring.png"
|
# APP_ICONS="$APP_ICONS monitoring:~/.abra/recipes/authentik/icons/monitoring.png"
|
||||||
|
|
||||||
# APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "BBB": "https://nextcloud.example.com/apps/bbb/", "Rallly":"https://rallly.example.cloud/"}'
|
# COMPOSE_FILE="$COMPOSE_FILE:compose.rallly.yml"
|
||||||
|
# RALLLY_DOMAIN=rallly.example.com
|
||||||
|
# SECRET_RALLLY_ID_VERSION=v1
|
||||||
|
# SECRET_RALLLY_SECRET_VERSION=v1
|
||||||
|
# APP_ICONS="$APP_ICONS rallly:~/.abra/recipes/authentik/icons/rallly.png"
|
||||||
|
|
||||||
|
# COMPOSE_FILE="$COMPOSE_FILE:compose.hedgedoc.yml"
|
||||||
|
# HEDGEDOC_DOMAIN=hedgedoc.example.com
|
||||||
|
# SECRET_HEDGEDOC_ID_VERSION=v1
|
||||||
|
# SECRET_HEDGEDOC_SECRET_VERSION=v1
|
||||||
|
# APP_ICONS="$APP_ICONS hedgedoc:~/.abra/recipes/authentik/icons/hedgedoc.png"
|
||||||
|
|
||||||
|
# APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "BBB": "https://nextcloud.example.com/apps/bbb/"}'
|
||||||
# APP_ICONS="$APP_ICONS Calendar:~/.abra/recipes/authentik/icons/calendar.svg"
|
# APP_ICONS="$APP_ICONS Calendar:~/.abra/recipes/authentik/icons/calendar.svg"
|
||||||
# APP_ICONS="$APP_ICONS Rallly:~/.abra/recipes/authentik/icons/rallly.png"
|
|
||||||
# APP_ICONS="$APP_ICONS BBB:~/.abra/recipes/authentik/icons/bbb.jpg"
|
# APP_ICONS="$APP_ICONS BBB:~/.abra/recipes/authentik/icons/bbb.jpg"
|
||||||
|
|
10
README.md
10
README.md
|
@ -167,9 +167,9 @@ The `abra.sh` function `apply_blueprints` needs to be executed to deactivate the
|
||||||
- Default - Source enrollment flow
|
- Default - Source enrollment flow
|
||||||
- OVERWRITE:
|
- OVERWRITE:
|
||||||
- `default-source-enrollment-field-username`
|
- `default-source-enrollment-field-username`
|
||||||
- Custom System Tenant
|
- Custom System Brand
|
||||||
- Default - Tenant
|
- Default - Brand
|
||||||
- APPEND: `authentik_tenants.tenant domain: authentik-default`
|
- APPEND: `authentik_brands.brand domain: authentik-default`
|
||||||
- Recovery with email verification
|
- Recovery with email verification
|
||||||
- USE:
|
- USE:
|
||||||
- `default-recovery-flow`
|
- `default-recovery-flow`
|
||||||
|
@ -177,8 +177,8 @@ The `abra.sh` function `apply_blueprints` needs to be executed to deactivate the
|
||||||
|
|
||||||
### Blueprint Dependency Execution Order
|
### Blueprint Dependency Execution Order
|
||||||
|
|
||||||
5. Custom System Tenant
|
5. Custom System Brand
|
||||||
- Default - Tenant
|
- Default - Brand
|
||||||
1. Recovery with email verification
|
1. Recovery with email verification
|
||||||
- Default - Authentication flow
|
- Default - Authentication flow
|
||||||
- Default - Password change flow
|
- Default - Password change flow
|
||||||
|
|
35
abra.sh
35
abra.sh
|
@ -1,15 +1,19 @@
|
||||||
export CUSTOM_CSS_VERSION=v2
|
export CUSTOM_CSS_VERSION=v2
|
||||||
export FLOW_AUTHENTICATION_VERSION=v3
|
export FLOW_AUTHENTICATION_VERSION=v4
|
||||||
export FLOW_INVITATION_VERSION=v1
|
export FLOW_INVITATION_VERSION=v2
|
||||||
export FLOW_INVALIDATION_VERSION=v2
|
export FLOW_INVALIDATION_VERSION=v2
|
||||||
export FLOW_RECOVERY_VERSION=v1
|
export FLOW_RECOVERY_VERSION=v1
|
||||||
export FLOW_TRANSLATION_VERSION=v2
|
export FLOW_TRANSLATION_VERSION=v3
|
||||||
export SYSTEM_TENANT_VERSION=v2
|
export SYSTEM_BRAND_VERSION=v3
|
||||||
export NEXTCLOUD_CONFIG_VERSION=v1
|
export NEXTCLOUD_CONFIG_VERSION=v1
|
||||||
export WORDPRESS_CONFIG_VERSION=v2
|
export WORDPRESS_CONFIG_VERSION=v2
|
||||||
export MATRIX_CONFIG_VERSION=v1
|
export MATRIX_CONFIG_VERSION=v1
|
||||||
export WEKAN_CONFIG_VERSION=v3
|
export WEKAN_CONFIG_VERSION=v3
|
||||||
export VIKUNJA_CONFIG_VERSION=v1
|
export VIKUNJA_CONFIG_VERSION=v1
|
||||||
|
export OUTLINE_CONFIG_VERSION=v2
|
||||||
|
export KIMAI_CONFIG_VERSION=v1
|
||||||
|
export RALLLY_CONFIG_VERSION=v2
|
||||||
|
export HEDGEDOC_CONFIG_VERSION=v1
|
||||||
export MONITORING_CONFIG_VERSION=v1
|
export MONITORING_CONFIG_VERSION=v1
|
||||||
export DB_ENTRYPOINT_VERSION=v1
|
export DB_ENTRYPOINT_VERSION=v1
|
||||||
|
|
||||||
|
@ -52,15 +56,19 @@ with open('/tmp/$1', newline='') as file:
|
||||||
email = row[2].strip()
|
email = row[2].strip()
|
||||||
groups = row[3].split(';')
|
groups = row[3].split(';')
|
||||||
if User.objects.filter(username=username):
|
if User.objects.filter(username=username):
|
||||||
|
print(f'{username} already exists')
|
||||||
continue
|
continue
|
||||||
new_user = User.objects.create(name=name, username=username, email=email)
|
new_user = User.objects.create(name=name, username=username, email=email)
|
||||||
|
print(f'{username} created')
|
||||||
for group_name in groups:
|
for group_name in groups:
|
||||||
group_name = group_name.strip()
|
group_name = group_name.strip()
|
||||||
if Group.objects.filter(name=group_name):
|
if Group.objects.filter(name=group_name):
|
||||||
group = Group.objects.get(name=group_name)
|
group = Group.objects.get(name=group_name)
|
||||||
else:
|
else:
|
||||||
group = Group.objects.create(name=group_name)
|
group = Group.objects.create(name=group_name)
|
||||||
|
print(f'{group_name} created')
|
||||||
group.users.add(new_user)
|
group.users.add(new_user)
|
||||||
|
print(f'add {username} to group {group_name}')
|
||||||
""" 2>&1 | quieten
|
""" 2>&1 | quieten
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -168,7 +176,9 @@ for name, url in applications.items():
|
||||||
|
|
||||||
|
|
||||||
quieten(){
|
quieten(){
|
||||||
grep -v -e '{"event"' -e '{"action"'
|
# 'SyntaxWarning|version_regex|"http\['
|
||||||
|
# is a workaround to get rid of some verbose syntax warnings, this might be fixed with another version
|
||||||
|
grep -Pv '"level": "(info|debug)"|SyntaxWarning|version_regex|"http\[|RuntimeWarning:'
|
||||||
}
|
}
|
||||||
|
|
||||||
add_email_templates(){
|
add_email_templates(){
|
||||||
|
@ -215,7 +225,20 @@ delete_flows = ['default-recovery-flow' , 'custom-authentication-flow' , 'invita
|
||||||
Flow.objects.filter(slug__in=delete_flows).delete()
|
Flow.objects.filter(slug__in=delete_flows).delete()
|
||||||
Stage.objects.filter(flow=None).delete()
|
Stage.objects.filter(flow=None).delete()
|
||||||
Prompt.objects.filter(promptstage=None).delete()
|
Prompt.objects.filter(promptstage=None).delete()
|
||||||
Tenant.objects.filter(default=True).delete()
|
Brand.objects.filter(default=True).delete()
|
||||||
""" 2>&1 | quieten
|
""" 2>&1 | quieten
|
||||||
apply_blueprints
|
apply_blueprints
|
||||||
}
|
}
|
||||||
|
|
||||||
|
get_certificate() {
|
||||||
|
/manage.py shell -c """
|
||||||
|
provider_name='$1'
|
||||||
|
if not provider_name:
|
||||||
|
print('no Provider Name given')
|
||||||
|
exit(1)
|
||||||
|
provider = Provider.objects.filter(name=provider_name).first()
|
||||||
|
saml = provider.samlprovider
|
||||||
|
cert = saml.signing_kp
|
||||||
|
print(''.join(cert.certificate_data.splitlines()[1:-1]))
|
||||||
|
""" 2>&1 | quieten
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,76 @@
|
||||||
|
nextcloud:
|
||||||
|
uncomment:
|
||||||
|
- compose.nextcloud.yml
|
||||||
|
- NEXTCLOUD_DOMAIN
|
||||||
|
- SECRET_NEXTCLOUD_ID_VERSION
|
||||||
|
- SECRET_NEXTCLOUD_SECRET_VERSION
|
||||||
|
- nextcloud.png
|
||||||
|
wordpress:
|
||||||
|
uncomment:
|
||||||
|
- compose.wordpress.yml
|
||||||
|
- WORDPRESS_DOMAIN
|
||||||
|
- WORDPRESS_GROUP
|
||||||
|
- SECRET_WORDPRESS_ID_VERSION
|
||||||
|
- SECRET_WORDPRESS_SECRET_VERSION
|
||||||
|
- wordpress.png
|
||||||
|
matrix-synapse:
|
||||||
|
uncomment:
|
||||||
|
- compose.matrix.yml
|
||||||
|
- ELEMENT_DOMAIN
|
||||||
|
- SECRET_MATRIX_ID_VERSION
|
||||||
|
- SECRET_MATRIX_SECRET_VERSION
|
||||||
|
- matrix.svg
|
||||||
|
secrets:
|
||||||
|
matrix_id: matrix
|
||||||
|
wekan:
|
||||||
|
uncomment:
|
||||||
|
- compose.wekan.yml
|
||||||
|
- WEKAN_DOMAIN
|
||||||
|
- SECRET_WEKAN_ID_VERSION
|
||||||
|
- SECRET_WEKAN_SECRET_VERSION
|
||||||
|
- wekan.png
|
||||||
|
secrets:
|
||||||
|
wekan_id: wekan
|
||||||
|
vikunja:
|
||||||
|
uncomment:
|
||||||
|
- compose.vikunja.yml
|
||||||
|
- VIKUNJA_DOMAIN
|
||||||
|
- SECRET_VIKUNJA_ID_VERSION
|
||||||
|
- SECRET_VIKUNJA_SECRET_VERSION
|
||||||
|
- vikunja.svg
|
||||||
|
secrets:
|
||||||
|
vikunja_id: vikunja
|
||||||
|
monitoring:
|
||||||
|
uncomment:
|
||||||
|
- compose.monitoring.yml
|
||||||
|
- MONITORING_DOMAIN
|
||||||
|
- SECRET_MONITORING_ID_VERSION
|
||||||
|
- SECRET_MONITORING_SECRET_VERSION
|
||||||
|
- monitoring.png
|
||||||
|
outline:
|
||||||
|
uncomment:
|
||||||
|
- compose.outline.yml
|
||||||
|
- OUTLINE_DOMAIN
|
||||||
|
- SECRET_OUTLINE_ID_VERSION
|
||||||
|
- SECRET_OUTLINE_SECRET_VERSION
|
||||||
|
- outline.png
|
||||||
|
secrets:
|
||||||
|
outline_id: outline
|
||||||
|
rallly:
|
||||||
|
uncomment:
|
||||||
|
- compose.rallly.yml
|
||||||
|
- RALLLY_DOMAIN
|
||||||
|
- SECRET_RALLLY_ID_VERSION
|
||||||
|
- SECRET_RALLLY_SECRET_VERSION
|
||||||
|
- rallly.png
|
||||||
|
secrets:
|
||||||
|
rallly_id: rallly
|
||||||
|
hedgedoc:
|
||||||
|
uncomment:
|
||||||
|
- compose.hedgedoc.yml
|
||||||
|
- HEDGEDOC_DOMAIN
|
||||||
|
- SECRET_HEDGEDOC_ID_VERSION
|
||||||
|
- SECRET_HEDGEDOC_SECRET_VERSION
|
||||||
|
- hedgedoc.png
|
||||||
|
secrets:
|
||||||
|
hedgedoc_id: hedgedoc
|
|
@ -0,0 +1,14 @@
|
||||||
|
---
|
||||||
|
version: '3.8'
|
||||||
|
|
||||||
|
services:
|
||||||
|
app:
|
||||||
|
configs:
|
||||||
|
- source: custom_css
|
||||||
|
target: /web/dist/custom.css
|
||||||
|
|
||||||
|
configs:
|
||||||
|
custom_css:
|
||||||
|
name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION}
|
||||||
|
file: custom.css.tmpl
|
||||||
|
template_driver: golang
|
|
@ -0,0 +1,26 @@
|
||||||
|
version: "3.8"
|
||||||
|
services:
|
||||||
|
worker:
|
||||||
|
secrets:
|
||||||
|
- hedgedoc_id
|
||||||
|
- hedgedoc_secret
|
||||||
|
environment:
|
||||||
|
- HEDGEDOC_DOMAIN
|
||||||
|
configs:
|
||||||
|
- source: hedgedoc
|
||||||
|
target: /blueprints/hedgedoc.yaml
|
||||||
|
|
||||||
|
secrets:
|
||||||
|
hedgedoc_id:
|
||||||
|
external: true
|
||||||
|
name: ${STACK_NAME}_hedgedoc_id_${SECRET_HEDGEDOC_ID_VERSION}
|
||||||
|
hedgedoc_secret:
|
||||||
|
external: true
|
||||||
|
name: ${STACK_NAME}_hedgedoc_secret_${SECRET_HEDGEDOC_SECRET_VERSION}
|
||||||
|
|
||||||
|
|
||||||
|
configs:
|
||||||
|
hedgedoc:
|
||||||
|
name: ${STACK_NAME}_hedgedoc_${HEDGEDOC_CONFIG_VERSION}
|
||||||
|
file: hedgedoc.yaml.tmpl
|
||||||
|
template_driver: golang
|
|
@ -0,0 +1,14 @@
|
||||||
|
version: "3.8"
|
||||||
|
services:
|
||||||
|
worker:
|
||||||
|
environment:
|
||||||
|
- KIMAI_DOMAIN
|
||||||
|
configs:
|
||||||
|
- source: kimai
|
||||||
|
target: /blueprints/kimai.yaml
|
||||||
|
|
||||||
|
configs:
|
||||||
|
kimai:
|
||||||
|
name: ${STACK_NAME}_kimai_${KIMAI_CONFIG_VERSION}
|
||||||
|
file: kimai.yaml.tmpl
|
||||||
|
template_driver: golang
|
|
@ -0,0 +1,26 @@
|
||||||
|
version: "3.8"
|
||||||
|
services:
|
||||||
|
worker:
|
||||||
|
secrets:
|
||||||
|
- outline_id
|
||||||
|
- outline_secret
|
||||||
|
environment:
|
||||||
|
- OUTLINE_DOMAIN
|
||||||
|
configs:
|
||||||
|
- source: outline
|
||||||
|
target: /blueprints/outline.yaml
|
||||||
|
|
||||||
|
secrets:
|
||||||
|
outline_id:
|
||||||
|
external: true
|
||||||
|
name: ${STACK_NAME}_outline_id_${SECRET_OUTLINE_ID_VERSION}
|
||||||
|
outline_secret:
|
||||||
|
external: true
|
||||||
|
name: ${STACK_NAME}_outline_secret_${SECRET_OUTLINE_SECRET_VERSION}
|
||||||
|
|
||||||
|
|
||||||
|
configs:
|
||||||
|
outline:
|
||||||
|
name: ${STACK_NAME}_outline_${OUTLINE_CONFIG_VERSION}
|
||||||
|
file: outline.yaml.tmpl
|
||||||
|
template_driver: golang
|
|
@ -0,0 +1,26 @@
|
||||||
|
version: "3.8"
|
||||||
|
services:
|
||||||
|
worker:
|
||||||
|
secrets:
|
||||||
|
- rallly_id
|
||||||
|
- rallly_secret
|
||||||
|
environment:
|
||||||
|
- RALLLY_DOMAIN
|
||||||
|
configs:
|
||||||
|
- source: rallly
|
||||||
|
target: /blueprints/rallly.yaml
|
||||||
|
|
||||||
|
secrets:
|
||||||
|
rallly_id:
|
||||||
|
external: true
|
||||||
|
name: ${STACK_NAME}_rallly_id_${SECRET_RALLLY_ID_VERSION}
|
||||||
|
rallly_secret:
|
||||||
|
external: true
|
||||||
|
name: ${STACK_NAME}_rallly_secret_${SECRET_RALLLY_SECRET_VERSION}
|
||||||
|
|
||||||
|
|
||||||
|
configs:
|
||||||
|
rallly:
|
||||||
|
name: ${STACK_NAME}_rallly_${RALLLY_CONFIG_VERSION}
|
||||||
|
file: rallly.yaml.tmpl
|
||||||
|
template_driver: golang
|
35
compose.yml
35
compose.yml
|
@ -32,8 +32,11 @@ x-env: &env
|
||||||
version: '3.8'
|
version: '3.8'
|
||||||
services:
|
services:
|
||||||
app:
|
app:
|
||||||
image: ghcr.io/goauthentik/server:2023.8.5
|
image: ghcr.io/goauthentik/server:2024.4.2
|
||||||
command: server
|
command: server
|
||||||
|
depends_on:
|
||||||
|
- db
|
||||||
|
- redis
|
||||||
secrets:
|
secrets:
|
||||||
- db_password
|
- db_password
|
||||||
- admin_pass
|
- admin_pass
|
||||||
|
@ -44,9 +47,6 @@ services:
|
||||||
- media:/media
|
- media:/media
|
||||||
- assets:/web/dist/assets
|
- assets:/web/dist/assets
|
||||||
- templates:/templates
|
- templates:/templates
|
||||||
configs:
|
|
||||||
- source: custom_css
|
|
||||||
target: /web/dist/custom.css
|
|
||||||
networks:
|
networks:
|
||||||
- internal
|
- internal
|
||||||
- proxy
|
- proxy
|
||||||
|
@ -73,12 +73,15 @@ services:
|
||||||
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
|
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
|
||||||
- "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
|
- "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
|
||||||
- "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
|
- "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
|
||||||
- "coop-cloud.${STACK_NAME}.version=3.3.1+2023.8.5"
|
- "coop-cloud.${STACK_NAME}.version=6.1.1+2024.4.2"
|
||||||
- "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
|
- "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
|
||||||
|
|
||||||
worker:
|
worker:
|
||||||
image: ghcr.io/goauthentik/server:2023.8.5
|
image: ghcr.io/goauthentik/server:2024.4.2
|
||||||
command: worker
|
command: worker
|
||||||
|
depends_on:
|
||||||
|
- db
|
||||||
|
- redis
|
||||||
secrets:
|
secrets:
|
||||||
- db_password
|
- db_password
|
||||||
- admin_pass
|
- admin_pass
|
||||||
|
@ -102,14 +105,14 @@ services:
|
||||||
target: /blueprints/3_flow_translation.yaml
|
target: /blueprints/3_flow_translation.yaml
|
||||||
- source: flow_invitation
|
- source: flow_invitation
|
||||||
target: /blueprints/4_flow_invitation.yaml
|
target: /blueprints/4_flow_invitation.yaml
|
||||||
- source: system_tenant
|
- source: system_brand
|
||||||
target: /blueprints/5_system_tenant.yaml
|
target: /blueprints/5_system_brand.yaml
|
||||||
- source: flow_invalidation
|
- source: flow_invalidation
|
||||||
target: /blueprints/6_flow_invalidation.yaml
|
target: /blueprints/6_flow_invalidation.yaml
|
||||||
environment: *env
|
environment: *env
|
||||||
|
|
||||||
db:
|
db:
|
||||||
image: postgres:15.5
|
image: postgres:15.7
|
||||||
secrets:
|
secrets:
|
||||||
- db_password
|
- db_password
|
||||||
configs:
|
configs:
|
||||||
|
@ -140,11 +143,11 @@ services:
|
||||||
backupbot.backup.path: "/var/lib/postgresql/data"
|
backupbot.backup.path: "/var/lib/postgresql/data"
|
||||||
|
|
||||||
redis:
|
redis:
|
||||||
image: redis:7.2.3-alpine
|
image: redis:7.2.4-alpine
|
||||||
networks:
|
networks:
|
||||||
- internal
|
- internal
|
||||||
healthcheck:
|
healthcheck:
|
||||||
test: ["CMD", "redis-cli","ping"]
|
test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
|
||||||
interval: 30s
|
interval: 30s
|
||||||
timeout: 10s
|
timeout: 10s
|
||||||
retries: 10
|
retries: 10
|
||||||
|
@ -180,10 +183,6 @@ volumes:
|
||||||
database:
|
database:
|
||||||
|
|
||||||
configs:
|
configs:
|
||||||
custom_css:
|
|
||||||
name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION}
|
|
||||||
file: custom.css.tmpl
|
|
||||||
template_driver: golang
|
|
||||||
flow_authentication:
|
flow_authentication:
|
||||||
name: ${STACK_NAME}_flow_authentication_${FLOW_AUTHENTICATION_VERSION}
|
name: ${STACK_NAME}_flow_authentication_${FLOW_AUTHENTICATION_VERSION}
|
||||||
file: flow_authentication.yaml.tmpl
|
file: flow_authentication.yaml.tmpl
|
||||||
|
@ -204,9 +203,9 @@ configs:
|
||||||
name: ${STACK_NAME}_flow_translation_${FLOW_TRANSLATION_VERSION}
|
name: ${STACK_NAME}_flow_translation_${FLOW_TRANSLATION_VERSION}
|
||||||
file: flow_translation.yaml.tmpl
|
file: flow_translation.yaml.tmpl
|
||||||
template_driver: golang
|
template_driver: golang
|
||||||
system_tenant:
|
system_brand:
|
||||||
name: ${STACK_NAME}_system_tenant_${SYSTEM_TENANT_VERSION}
|
name: ${STACK_NAME}_system_brand_${SYSTEM_BRAND_VERSION}
|
||||||
file: system_tenant.yaml.tmpl
|
file: system_brand.yaml.tmpl
|
||||||
template_driver: golang
|
template_driver: golang
|
||||||
db_entrypoint:
|
db_entrypoint:
|
||||||
name: ${STACK_NAME}_db_entrypoint_${DB_ENTRYPOINT_VERSION}
|
name: ${STACK_NAME}_db_entrypoint_${DB_ENTRYPOINT_VERSION}
|
||||||
|
|
|
@ -384,7 +384,7 @@ entries:
|
||||||
enabled: {{ if eq (env "LOGOUT_REDIRECT") "" }} false {{ else }} true {{ end }}
|
enabled: {{ if eq (env "LOGOUT_REDIRECT") "" }} false {{ else }} true {{ end }}
|
||||||
timeout: 30
|
timeout: 30
|
||||||
|
|
||||||
######## System Tenant ##########
|
######## System Brand ##########
|
||||||
- attrs:
|
- attrs:
|
||||||
attributes:
|
attributes:
|
||||||
settings:
|
settings:
|
||||||
|
@ -401,5 +401,5 @@ entries:
|
||||||
flow_user_settings: !Find [authentik_flows.flow, [slug, default-user-settings-flow]]
|
flow_user_settings: !Find [authentik_flows.flow, [slug, default-user-settings-flow]]
|
||||||
identifiers:
|
identifiers:
|
||||||
pk: 047cce25-aae2-4b02-9f96-078e155f803d
|
pk: 047cce25-aae2-4b02-9f96-078e155f803d
|
||||||
id: system_tenant
|
id: system_brand
|
||||||
model: authentik_tenants.tenant
|
model: authentik_brands.brand
|
||||||
|
|
|
@ -37,7 +37,7 @@ entries:
|
||||||
name: default-authentication-login
|
name: default-authentication-login
|
||||||
model: authentik_stages_user_login.userloginstage
|
model: authentik_stages_user_login.userloginstage
|
||||||
attrs:
|
attrs:
|
||||||
session_duration: seconds=0
|
session_duration: days=30
|
||||||
|
|
||||||
# After the first run this will produce a RelatedObjectDoesNotExist error
|
# After the first run this will produce a RelatedObjectDoesNotExist error
|
||||||
- identifiers:
|
- identifiers:
|
||||||
|
|
|
@ -24,6 +24,18 @@ entries:
|
||||||
id: invitation-enrollment-flow
|
id: invitation-enrollment-flow
|
||||||
model: authentik_flows.flow
|
model: authentik_flows.flow
|
||||||
|
|
||||||
|
### POLICIES
|
||||||
|
- attrs:
|
||||||
|
expression: |
|
||||||
|
if not regex_match(request.context.get('prompt_data').get('username'), '\s'):
|
||||||
|
return True
|
||||||
|
ak_message("Username must not contain any whitespace!")
|
||||||
|
return False
|
||||||
|
id: username-without-spaces-policy
|
||||||
|
identifiers:
|
||||||
|
name: username-without-spaces-policy
|
||||||
|
model: authentik_policies_expression.expressionpolicy
|
||||||
|
|
||||||
### STAGES
|
### STAGES
|
||||||
- identifiers:
|
- identifiers:
|
||||||
name: invitation-stage
|
name: invitation-stage
|
||||||
|
@ -41,6 +53,8 @@ entries:
|
||||||
- !Find [authentik_stages_prompt.prompt, [name, default-user-settings-field-email]]
|
- !Find [authentik_stages_prompt.prompt, [name, default-user-settings-field-email]]
|
||||||
- !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password]]
|
- !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password]]
|
||||||
- !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password-repeat]]
|
- !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password-repeat]]
|
||||||
|
validation_policies:
|
||||||
|
- !Find [ authentik_policies_expression.expressionpolicy, [name, username-without-spaces-policy]]
|
||||||
|
|
||||||
### STAGE BINDINGS
|
### STAGE BINDINGS
|
||||||
- identifiers:
|
- identifiers:
|
||||||
|
|
|
@ -0,0 +1,43 @@
|
||||||
|
version: 1
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
blueprints.goauthentik.io/instantiate: "true"
|
||||||
|
name: hedgedoc
|
||||||
|
|
||||||
|
entries:
|
||||||
|
|
||||||
|
- attrs:
|
||||||
|
access_code_validity: minutes=1
|
||||||
|
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
|
||||||
|
client_id: {{ secret "hedgedoc_id" }}
|
||||||
|
client_secret: {{ secret "hedgedoc_secret" }}
|
||||||
|
client_type: confidential
|
||||||
|
include_claims_in_id_token: true
|
||||||
|
issuer_mode: per_provider
|
||||||
|
name: Hedgedoc
|
||||||
|
property_mappings:
|
||||||
|
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
|
||||||
|
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
|
||||||
|
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
|
||||||
|
signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
|
||||||
|
sub_mode: hashed_user_id
|
||||||
|
token_validity: days=30
|
||||||
|
conditions: []
|
||||||
|
id: hedgedoc_provider
|
||||||
|
identifiers:
|
||||||
|
pk: 9992
|
||||||
|
model: authentik_providers_oauth2.oauth2provider
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- attrs:
|
||||||
|
meta_launch_url: https://{{ env "HEDGEDOC_DOMAIN" }}
|
||||||
|
open_in_new_tab: true
|
||||||
|
policy_engine_mode: any
|
||||||
|
provider: !KeyOf hedgedoc_provider
|
||||||
|
slug: hedgedoc
|
||||||
|
conditions: []
|
||||||
|
id: hedgedoc_application
|
||||||
|
identifiers:
|
||||||
|
name: Hedgedoc
|
||||||
|
model: authentik_core.application
|
||||||
|
state: present
|
Binary file not shown.
After Width: | Height: | Size: 9.2 KiB |
Binary file not shown.
After Width: | Height: | Size: 30 KiB |
Binary file not shown.
After Width: | Height: | Size: 6.9 KiB |
|
@ -0,0 +1,48 @@
|
||||||
|
version: 1
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
blueprints.goauthentik.io/instantiate: "true"
|
||||||
|
name: kimai
|
||||||
|
|
||||||
|
entries:
|
||||||
|
- attrs:
|
||||||
|
acs_url: https://{{ env "KIMAI_DOMAIN" }}/auth/saml/acs
|
||||||
|
assertion_valid_not_before: minutes=-5
|
||||||
|
assertion_valid_not_on_or_after: minutes=5
|
||||||
|
audience: https://{{ env "KIMAI_DOMAIN" }}/auth/saml
|
||||||
|
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
|
||||||
|
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
|
||||||
|
digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
|
||||||
|
issuer: https://{{ env "DOMAIN" }}
|
||||||
|
name: Kimai
|
||||||
|
name_id_mapping: !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Username"]]
|
||||||
|
property_mappings:
|
||||||
|
- !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Name"]]
|
||||||
|
- !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Email"]]
|
||||||
|
- !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: User ID"]]
|
||||||
|
- !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Username"]]
|
||||||
|
- !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Groups"]]
|
||||||
|
- !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: UPN"]]
|
||||||
|
session_valid_not_on_or_after: minutes=86400
|
||||||
|
signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
|
||||||
|
signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
|
||||||
|
sp_binding: post
|
||||||
|
conditions: []
|
||||||
|
id: kimai_provider
|
||||||
|
identifiers:
|
||||||
|
pk: 9991
|
||||||
|
model: authentik_providers_saml.samlprovider
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- attrs:
|
||||||
|
meta_launch_url: https://{{ env "KIMAI_DOMAIN" }}
|
||||||
|
open_in_new_tab: true
|
||||||
|
policy_engine_mode: any
|
||||||
|
provider: !KeyOf kimai_provider
|
||||||
|
slug: kimai
|
||||||
|
conditions: []
|
||||||
|
id: kimai_application
|
||||||
|
identifiers:
|
||||||
|
name: Kimai
|
||||||
|
model: authentik_core.application
|
||||||
|
state: present
|
|
@ -0,0 +1,43 @@
|
||||||
|
version: 1
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
blueprints.goauthentik.io/instantiate: "true"
|
||||||
|
name: outline
|
||||||
|
|
||||||
|
entries:
|
||||||
|
|
||||||
|
- attrs:
|
||||||
|
access_code_validity: minutes=1
|
||||||
|
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
|
||||||
|
client_id: {{ secret "outline_id" }}
|
||||||
|
client_secret: {{ secret "outline_secret" }}
|
||||||
|
client_type: confidential
|
||||||
|
include_claims_in_id_token: true
|
||||||
|
issuer_mode: per_provider
|
||||||
|
name: Outline
|
||||||
|
property_mappings:
|
||||||
|
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
|
||||||
|
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
|
||||||
|
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
|
||||||
|
signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
|
||||||
|
sub_mode: hashed_user_id
|
||||||
|
token_validity: days=30
|
||||||
|
conditions: []
|
||||||
|
id: outline_provider
|
||||||
|
identifiers:
|
||||||
|
pk: 9994
|
||||||
|
model: authentik_providers_oauth2.oauth2provider
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- attrs:
|
||||||
|
meta_launch_url: https://{{ env "OUTLINE_DOMAIN" }}
|
||||||
|
open_in_new_tab: true
|
||||||
|
policy_engine_mode: any
|
||||||
|
provider: !KeyOf outline_provider
|
||||||
|
slug: outline
|
||||||
|
conditions: []
|
||||||
|
id: outline_application
|
||||||
|
identifiers:
|
||||||
|
name: Outline
|
||||||
|
model: authentik_core.application
|
||||||
|
state: present
|
|
@ -0,0 +1,43 @@
|
||||||
|
version: 1
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
blueprints.goauthentik.io/instantiate: "true"
|
||||||
|
name: rallly
|
||||||
|
|
||||||
|
entries:
|
||||||
|
|
||||||
|
- attrs:
|
||||||
|
access_code_validity: minutes=1
|
||||||
|
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
|
||||||
|
client_id: {{ secret "rallly_id" }}
|
||||||
|
client_secret: {{ secret "rallly_secret" }}
|
||||||
|
client_type: confidential
|
||||||
|
include_claims_in_id_token: true
|
||||||
|
issuer_mode: per_provider
|
||||||
|
name: Rallly
|
||||||
|
property_mappings:
|
||||||
|
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
|
||||||
|
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
|
||||||
|
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
|
||||||
|
signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
|
||||||
|
sub_mode: hashed_user_id
|
||||||
|
token_validity: days=30
|
||||||
|
conditions: []
|
||||||
|
id: rallly_provider
|
||||||
|
identifiers:
|
||||||
|
pk: 9993
|
||||||
|
model: authentik_providers_oauth2.oauth2provider
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- attrs:
|
||||||
|
meta_launch_url: https://{{ env "RALLLY_DOMAIN" }}
|
||||||
|
open_in_new_tab: true
|
||||||
|
policy_engine_mode: any
|
||||||
|
provider: !KeyOf rallly_provider
|
||||||
|
slug: rallly
|
||||||
|
conditions: []
|
||||||
|
id: rallly_application
|
||||||
|
identifiers:
|
||||||
|
name: Rallly
|
||||||
|
model: authentik_core.application
|
||||||
|
state: present
|
|
@ -0,0 +1 @@
|
||||||
|
It is only possible to upgrade to 2023.10 from 2023.8, you need to update to 2023.8.x before applying this update
|
|
@ -0,0 +1 @@
|
||||||
|
Blueprint changes are applied and automatic migrations should work, however, manual action may be required: https://docs.goauthentik.io/docs/releases/2024.2
|
|
@ -0,0 +1 @@
|
||||||
|
Due to blueprint changes, you need to run the following command after upgrading: abra app cmd -C <Domain> worker apply_blueprints
|
|
@ -0,0 +1 @@
|
||||||
|
Alerta! ⚠️ If you are using AUTHENTIK_COLOR_BACKGROUND_LIGHT, you will need to set COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
|
|
@ -0,0 +1 @@
|
||||||
|
Blueprint for Kimai SSO integration added
|
|
@ -2,13 +2,13 @@ version: 1
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
blueprints.goauthentik.io/instantiate: "true"
|
blueprints.goauthentik.io/instantiate: "true"
|
||||||
name: Custom System Tenant
|
name: Custom System brand
|
||||||
entries:
|
entries:
|
||||||
### DEPENDENCIES
|
### DEPENDENCIES
|
||||||
- model: authentik_blueprints.metaapplyblueprint
|
- model: authentik_blueprints.metaapplyblueprint
|
||||||
attrs:
|
attrs:
|
||||||
identifiers:
|
identifiers:
|
||||||
name: Default - Tenant
|
name: Default - Brand
|
||||||
required: true
|
required: true
|
||||||
- model: authentik_blueprints.metaapplyblueprint
|
- model: authentik_blueprints.metaapplyblueprint
|
||||||
attrs:
|
attrs:
|
||||||
|
@ -17,11 +17,11 @@ entries:
|
||||||
required: true
|
required: true
|
||||||
|
|
||||||
|
|
||||||
### SYSTEM TENANT
|
### SYSTEM BRAND
|
||||||
# remove custom tenant from old recipe
|
# remove custom brand from old recipe
|
||||||
- identifiers:
|
- identifiers:
|
||||||
domain: {{ env "DOMAIN" }}
|
domain: {{ env "DOMAIN" }}
|
||||||
model: authentik_tenants.tenant
|
model: authentik_brands.brand
|
||||||
state: absent
|
state: absent
|
||||||
|
|
||||||
- attrs:
|
- attrs:
|
||||||
|
@ -32,4 +32,4 @@ entries:
|
||||||
identifiers:
|
identifiers:
|
||||||
default: true
|
default: true
|
||||||
domain: authentik-default
|
domain: authentik-default
|
||||||
model: authentik_tenants.tenant
|
model: authentik_brands.brand
|
Loading…
Reference in New Issue