Compare commits
35 Commits
4.1.0+2023
...
main
Author | SHA1 | Date |
---|---|---|
Moritz | 0be7e95f48 | |
3wc | 4fe52c1e5f | |
3wc | 248a09c594 | |
Simon | b957425981 | |
Moritz | 20f99b13ad | |
Moritz | c42017839f | |
Moritz | cdabec1b18 | |
Moritz | a606a84a98 | |
Simon | a0505e0dec | |
Simon | 17d40711e0 | |
Moritz | fc33f285f4 | |
3wc | d1f091da62 | |
3wc | 3e339228f5 | |
3wc | c39b6ad25a | |
3wc | 1ffb62d74a | |
3wc | 03f8810462 | |
3wc | d19bf17781 | |
3wc | 5086df24fb | |
knoflook | e07d57718a | |
Simon | 553b97ba21 | |
Simon | 75f42db773 | |
Simon | d115d5ce38 | |
Simon | 68eda3e2d7 | |
Moritz | 91756202c2 | |
Moritz | bf2397b0e9 | |
Moritz | c3b01c1d27 | |
Simon | 8d32814219 | |
Simon | 78cfd95198 | |
Simon | 4593eb6340 | |
Simon | 0419ed279d | |
Simon | abb49e7019 | |
Simon | 74f654c192 | |
Simon | 7a4daaf475 | |
Simon | b7605f6a87 | |
3wc | 01ca1b4d5c |
|
@ -23,13 +23,14 @@ steps:
|
|||
FLOW_INVALIDATION_VERSION: v1
|
||||
FLOW_RECOVERY_VERSION: v1
|
||||
FLOW_TRANSLATION_VERSION: v1
|
||||
SYSTEM_TENANT_VERSION: v1
|
||||
SYSTEM_BRAND_VERSION: v1
|
||||
NEXTCLOUD_CONFIG_VERSION: v1
|
||||
SECRET_SECRET_KEY_VERSION: v1
|
||||
SECRET_DB_PASSWORD_VERSION: v1
|
||||
SECRET_ADMIN_TOKEN_VERSION: v1
|
||||
SECRET_ADMIN_PASS_VERSION: v1
|
||||
SECRET_EMAIL_PASS_VERSION: v1
|
||||
DB_ENTRYPOINT_VERSION: v1
|
||||
trigger:
|
||||
branch:
|
||||
- main
|
||||
|
|
28
.env.sample
28
.env.sample
|
@ -34,7 +34,6 @@ SECRET_ADMIN_PASS_VERSION=v1
|
|||
SECRET_EMAIL_PASS_VERSION=v1
|
||||
|
||||
# X_FRAME_OPTIONS_ALLOW_FROM=dashboard.example.org
|
||||
AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
|
||||
|
||||
## FLOW OPTIONS
|
||||
# WELCOME_MESSAGE="Welcome to Authentik"
|
||||
|
@ -47,6 +46,12 @@ COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
|
|||
COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/"
|
||||
COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
|
||||
|
||||
# Default CSS customisation, just background colour
|
||||
COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
|
||||
AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
|
||||
# Custommise the entire custom CSS file
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
|
||||
|
||||
# COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
|
||||
# NEXTCLOUD_DOMAIN=nextcloud.example.com
|
||||
# SECRET_NEXTCLOUD_ID_VERSION=v1
|
||||
|
@ -84,13 +89,30 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
|
|||
# SECRET_OUTLINE_SECRET_VERSION=v1
|
||||
# APP_ICONS="$APP_ICONS outline:~/.abra/recipes/authentik/icons/outline.png"
|
||||
|
||||
# COMPOSE_FILE="$COMPOSE_FILE:compose.kimai.yml"
|
||||
# KIMAI_DOMAIN=kimai.example.com
|
||||
# SECRET_KIMAI_ID_VERSION=v1
|
||||
# SECRET_KIMAI_SECRET_VERSION=v1
|
||||
# APP_ICONS="$APP_ICONS kimai:~/.abra/recipes/authentik/icons/kimai.png"
|
||||
|
||||
# COMPOSE_FILE="$COMPOSE_FILE:compose.monitoring.yml"
|
||||
# MONITORING_DOMAIN=monitoring.example.com
|
||||
# SECRET_MONITORING_ID_VERSION=v1
|
||||
# SECRET_MONITORING_SECRET_VERSION=v1
|
||||
# APP_ICONS="$APP_ICONS monitoring:~/.abra/recipes/authentik/icons/monitoring.png"
|
||||
|
||||
# APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "BBB": "https://nextcloud.example.com/apps/bbb/", "Rallly":"https://rallly.example.cloud/"}'
|
||||
# COMPOSE_FILE="$COMPOSE_FILE:compose.rallly.yml"
|
||||
# RALLLY_DOMAIN=rallly.example.com
|
||||
# SECRET_RALLLY_ID_VERSION=v1
|
||||
# SECRET_RALLLY_SECRET_VERSION=v1
|
||||
# APP_ICONS="$APP_ICONS rallly:~/.abra/recipes/authentik/icons/rallly.png"
|
||||
|
||||
# COMPOSE_FILE="$COMPOSE_FILE:compose.hedgedoc.yml"
|
||||
# HEDGEDOC_DOMAIN=hedgedoc.example.com
|
||||
# SECRET_HEDGEDOC_ID_VERSION=v1
|
||||
# SECRET_HEDGEDOC_SECRET_VERSION=v1
|
||||
# APP_ICONS="$APP_ICONS hedgedoc:~/.abra/recipes/authentik/icons/hedgedoc.png"
|
||||
|
||||
# APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "BBB": "https://nextcloud.example.com/apps/bbb/"}'
|
||||
# APP_ICONS="$APP_ICONS Calendar:~/.abra/recipes/authentik/icons/calendar.svg"
|
||||
# APP_ICONS="$APP_ICONS Rallly:~/.abra/recipes/authentik/icons/rallly.png"
|
||||
# APP_ICONS="$APP_ICONS BBB:~/.abra/recipes/authentik/icons/bbb.jpg"
|
||||
|
|
10
README.md
10
README.md
|
@ -167,9 +167,9 @@ The `abra.sh` function `apply_blueprints` needs to be executed to deactivate the
|
|||
- Default - Source enrollment flow
|
||||
- OVERWRITE:
|
||||
- `default-source-enrollment-field-username`
|
||||
- Custom System Tenant
|
||||
- Default - Tenant
|
||||
- APPEND: `authentik_tenants.tenant domain: authentik-default`
|
||||
- Custom System Brand
|
||||
- Default - Brand
|
||||
- APPEND: `authentik_brands.brand domain: authentik-default`
|
||||
- Recovery with email verification
|
||||
- USE:
|
||||
- `default-recovery-flow`
|
||||
|
@ -177,8 +177,8 @@ The `abra.sh` function `apply_blueprints` needs to be executed to deactivate the
|
|||
|
||||
### Blueprint Dependency Execution Order
|
||||
|
||||
5. Custom System Tenant
|
||||
- Default - Tenant
|
||||
5. Custom System Brand
|
||||
- Default - Brand
|
||||
1. Recovery with email verification
|
||||
- Default - Authentication flow
|
||||
- Default - Password change flow
|
||||
|
|
36
abra.sh
36
abra.sh
|
@ -1,16 +1,19 @@
|
|||
export CUSTOM_CSS_VERSION=v2
|
||||
export FLOW_AUTHENTICATION_VERSION=v3
|
||||
export FLOW_INVITATION_VERSION=v1
|
||||
export FLOW_AUTHENTICATION_VERSION=v4
|
||||
export FLOW_INVITATION_VERSION=v2
|
||||
export FLOW_INVALIDATION_VERSION=v2
|
||||
export FLOW_RECOVERY_VERSION=v1
|
||||
export FLOW_TRANSLATION_VERSION=v2
|
||||
export SYSTEM_TENANT_VERSION=v2
|
||||
export FLOW_TRANSLATION_VERSION=v3
|
||||
export SYSTEM_BRAND_VERSION=v3
|
||||
export NEXTCLOUD_CONFIG_VERSION=v1
|
||||
export WORDPRESS_CONFIG_VERSION=v2
|
||||
export MATRIX_CONFIG_VERSION=v1
|
||||
export WEKAN_CONFIG_VERSION=v3
|
||||
export VIKUNJA_CONFIG_VERSION=v1
|
||||
export OUTLINE_CONFIG_VERSION=v1
|
||||
export OUTLINE_CONFIG_VERSION=v2
|
||||
export KIMAI_CONFIG_VERSION=v1
|
||||
export RALLLY_CONFIG_VERSION=v2
|
||||
export HEDGEDOC_CONFIG_VERSION=v1
|
||||
export MONITORING_CONFIG_VERSION=v1
|
||||
export DB_ENTRYPOINT_VERSION=v1
|
||||
|
||||
|
@ -53,15 +56,19 @@ with open('/tmp/$1', newline='') as file:
|
|||
email = row[2].strip()
|
||||
groups = row[3].split(';')
|
||||
if User.objects.filter(username=username):
|
||||
print(f'{username} already exists')
|
||||
continue
|
||||
new_user = User.objects.create(name=name, username=username, email=email)
|
||||
print(f'{username} created')
|
||||
for group_name in groups:
|
||||
group_name = group_name.strip()
|
||||
if Group.objects.filter(name=group_name):
|
||||
group = Group.objects.get(name=group_name)
|
||||
else:
|
||||
group = Group.objects.create(name=group_name)
|
||||
print(f'{group_name} created')
|
||||
group.users.add(new_user)
|
||||
print(f'add {username} to group {group_name}')
|
||||
""" 2>&1 | quieten
|
||||
}
|
||||
|
||||
|
@ -169,7 +176,9 @@ for name, url in applications.items():
|
|||
|
||||
|
||||
quieten(){
|
||||
grep -v -e '{"event"' -e '{"action"'
|
||||
# 'SyntaxWarning|version_regex|"http\['
|
||||
# is a workaround to get rid of some verbose syntax warnings, this might be fixed with another version
|
||||
grep -Pv '"level": "(info|debug)"|SyntaxWarning|version_regex|"http\[|RuntimeWarning:'
|
||||
}
|
||||
|
||||
add_email_templates(){
|
||||
|
@ -216,7 +225,20 @@ delete_flows = ['default-recovery-flow' , 'custom-authentication-flow' , 'invita
|
|||
Flow.objects.filter(slug__in=delete_flows).delete()
|
||||
Stage.objects.filter(flow=None).delete()
|
||||
Prompt.objects.filter(promptstage=None).delete()
|
||||
Tenant.objects.filter(default=True).delete()
|
||||
Brand.objects.filter(default=True).delete()
|
||||
""" 2>&1 | quieten
|
||||
apply_blueprints
|
||||
}
|
||||
|
||||
get_certificate() {
|
||||
/manage.py shell -c """
|
||||
provider_name='$1'
|
||||
if not provider_name:
|
||||
print('no Provider Name given')
|
||||
exit(1)
|
||||
provider = Provider.objects.filter(name=provider_name).first()
|
||||
saml = provider.samlprovider
|
||||
cert = saml.signing_kp
|
||||
print(''.join(cert.certificate_data.splitlines()[1:-1]))
|
||||
""" 2>&1 | quieten
|
||||
}
|
||||
|
|
|
@ -0,0 +1,76 @@
|
|||
nextcloud:
|
||||
uncomment:
|
||||
- compose.nextcloud.yml
|
||||
- NEXTCLOUD_DOMAIN
|
||||
- SECRET_NEXTCLOUD_ID_VERSION
|
||||
- SECRET_NEXTCLOUD_SECRET_VERSION
|
||||
- nextcloud.png
|
||||
wordpress:
|
||||
uncomment:
|
||||
- compose.wordpress.yml
|
||||
- WORDPRESS_DOMAIN
|
||||
- WORDPRESS_GROUP
|
||||
- SECRET_WORDPRESS_ID_VERSION
|
||||
- SECRET_WORDPRESS_SECRET_VERSION
|
||||
- wordpress.png
|
||||
matrix-synapse:
|
||||
uncomment:
|
||||
- compose.matrix.yml
|
||||
- ELEMENT_DOMAIN
|
||||
- SECRET_MATRIX_ID_VERSION
|
||||
- SECRET_MATRIX_SECRET_VERSION
|
||||
- matrix.svg
|
||||
secrets:
|
||||
matrix_id: matrix
|
||||
wekan:
|
||||
uncomment:
|
||||
- compose.wekan.yml
|
||||
- WEKAN_DOMAIN
|
||||
- SECRET_WEKAN_ID_VERSION
|
||||
- SECRET_WEKAN_SECRET_VERSION
|
||||
- wekan.png
|
||||
secrets:
|
||||
wekan_id: wekan
|
||||
vikunja:
|
||||
uncomment:
|
||||
- compose.vikunja.yml
|
||||
- VIKUNJA_DOMAIN
|
||||
- SECRET_VIKUNJA_ID_VERSION
|
||||
- SECRET_VIKUNJA_SECRET_VERSION
|
||||
- vikunja.svg
|
||||
secrets:
|
||||
vikunja_id: vikunja
|
||||
monitoring:
|
||||
uncomment:
|
||||
- compose.monitoring.yml
|
||||
- MONITORING_DOMAIN
|
||||
- SECRET_MONITORING_ID_VERSION
|
||||
- SECRET_MONITORING_SECRET_VERSION
|
||||
- monitoring.png
|
||||
outline:
|
||||
uncomment:
|
||||
- compose.outline.yml
|
||||
- OUTLINE_DOMAIN
|
||||
- SECRET_OUTLINE_ID_VERSION
|
||||
- SECRET_OUTLINE_SECRET_VERSION
|
||||
- outline.png
|
||||
secrets:
|
||||
outline_id: outline
|
||||
rallly:
|
||||
uncomment:
|
||||
- compose.rallly.yml
|
||||
- RALLLY_DOMAIN
|
||||
- SECRET_RALLLY_ID_VERSION
|
||||
- SECRET_RALLLY_SECRET_VERSION
|
||||
- rallly.png
|
||||
secrets:
|
||||
rallly_id: rallly
|
||||
hedgedoc:
|
||||
uncomment:
|
||||
- compose.hedgedoc.yml
|
||||
- HEDGEDOC_DOMAIN
|
||||
- SECRET_HEDGEDOC_ID_VERSION
|
||||
- SECRET_HEDGEDOC_SECRET_VERSION
|
||||
- hedgedoc.png
|
||||
secrets:
|
||||
hedgedoc_id: hedgedoc
|
|
@ -0,0 +1,14 @@
|
|||
---
|
||||
version: '3.8'
|
||||
|
||||
services:
|
||||
app:
|
||||
configs:
|
||||
- source: custom_css
|
||||
target: /web/dist/custom.css
|
||||
|
||||
configs:
|
||||
custom_css:
|
||||
name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION}
|
||||
file: custom.css.tmpl
|
||||
template_driver: golang
|
|
@ -0,0 +1,26 @@
|
|||
version: "3.8"
|
||||
services:
|
||||
worker:
|
||||
secrets:
|
||||
- hedgedoc_id
|
||||
- hedgedoc_secret
|
||||
environment:
|
||||
- HEDGEDOC_DOMAIN
|
||||
configs:
|
||||
- source: hedgedoc
|
||||
target: /blueprints/hedgedoc.yaml
|
||||
|
||||
secrets:
|
||||
hedgedoc_id:
|
||||
external: true
|
||||
name: ${STACK_NAME}_hedgedoc_id_${SECRET_HEDGEDOC_ID_VERSION}
|
||||
hedgedoc_secret:
|
||||
external: true
|
||||
name: ${STACK_NAME}_hedgedoc_secret_${SECRET_HEDGEDOC_SECRET_VERSION}
|
||||
|
||||
|
||||
configs:
|
||||
hedgedoc:
|
||||
name: ${STACK_NAME}_hedgedoc_${HEDGEDOC_CONFIG_VERSION}
|
||||
file: hedgedoc.yaml.tmpl
|
||||
template_driver: golang
|
|
@ -0,0 +1,14 @@
|
|||
version: "3.8"
|
||||
services:
|
||||
worker:
|
||||
environment:
|
||||
- KIMAI_DOMAIN
|
||||
configs:
|
||||
- source: kimai
|
||||
target: /blueprints/kimai.yaml
|
||||
|
||||
configs:
|
||||
kimai:
|
||||
name: ${STACK_NAME}_kimai_${KIMAI_CONFIG_VERSION}
|
||||
file: kimai.yaml.tmpl
|
||||
template_driver: golang
|
|
@ -0,0 +1,26 @@
|
|||
version: "3.8"
|
||||
services:
|
||||
worker:
|
||||
secrets:
|
||||
- rallly_id
|
||||
- rallly_secret
|
||||
environment:
|
||||
- RALLLY_DOMAIN
|
||||
configs:
|
||||
- source: rallly
|
||||
target: /blueprints/rallly.yaml
|
||||
|
||||
secrets:
|
||||
rallly_id:
|
||||
external: true
|
||||
name: ${STACK_NAME}_rallly_id_${SECRET_RALLLY_ID_VERSION}
|
||||
rallly_secret:
|
||||
external: true
|
||||
name: ${STACK_NAME}_rallly_secret_${SECRET_RALLLY_SECRET_VERSION}
|
||||
|
||||
|
||||
configs:
|
||||
rallly:
|
||||
name: ${STACK_NAME}_rallly_${RALLLY_CONFIG_VERSION}
|
||||
file: rallly.yaml.tmpl
|
||||
template_driver: golang
|
27
compose.yml
27
compose.yml
|
@ -32,7 +32,7 @@ x-env: &env
|
|||
version: '3.8'
|
||||
services:
|
||||
app:
|
||||
image: ghcr.io/goauthentik/server:2023.10.5
|
||||
image: ghcr.io/goauthentik/server:2024.4.2
|
||||
command: server
|
||||
depends_on:
|
||||
- db
|
||||
|
@ -47,9 +47,6 @@ services:
|
|||
- media:/media
|
||||
- assets:/web/dist/assets
|
||||
- templates:/templates
|
||||
configs:
|
||||
- source: custom_css
|
||||
target: /web/dist/custom.css
|
||||
networks:
|
||||
- internal
|
||||
- proxy
|
||||
|
@ -76,11 +73,11 @@ services:
|
|||
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
|
||||
- "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
|
||||
- "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
|
||||
- "coop-cloud.${STACK_NAME}.version=4.1.0+2023.10.5"
|
||||
- "coop-cloud.${STACK_NAME}.version=6.1.1+2024.4.2"
|
||||
- "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
|
||||
|
||||
worker:
|
||||
image: ghcr.io/goauthentik/server:2023.10.5
|
||||
image: ghcr.io/goauthentik/server:2024.4.2
|
||||
command: worker
|
||||
depends_on:
|
||||
- db
|
||||
|
@ -108,14 +105,14 @@ services:
|
|||
target: /blueprints/3_flow_translation.yaml
|
||||
- source: flow_invitation
|
||||
target: /blueprints/4_flow_invitation.yaml
|
||||
- source: system_tenant
|
||||
target: /blueprints/5_system_tenant.yaml
|
||||
- source: system_brand
|
||||
target: /blueprints/5_system_brand.yaml
|
||||
- source: flow_invalidation
|
||||
target: /blueprints/6_flow_invalidation.yaml
|
||||
environment: *env
|
||||
|
||||
db:
|
||||
image: postgres:15.5
|
||||
image: postgres:15.7
|
||||
secrets:
|
||||
- db_password
|
||||
configs:
|
||||
|
@ -146,7 +143,7 @@ services:
|
|||
backupbot.backup.path: "/var/lib/postgresql/data"
|
||||
|
||||
redis:
|
||||
image: redis:7.2.3-alpine
|
||||
image: redis:7.2.4-alpine
|
||||
networks:
|
||||
- internal
|
||||
healthcheck:
|
||||
|
@ -186,10 +183,6 @@ volumes:
|
|||
database:
|
||||
|
||||
configs:
|
||||
custom_css:
|
||||
name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION}
|
||||
file: custom.css.tmpl
|
||||
template_driver: golang
|
||||
flow_authentication:
|
||||
name: ${STACK_NAME}_flow_authentication_${FLOW_AUTHENTICATION_VERSION}
|
||||
file: flow_authentication.yaml.tmpl
|
||||
|
@ -210,9 +203,9 @@ configs:
|
|||
name: ${STACK_NAME}_flow_translation_${FLOW_TRANSLATION_VERSION}
|
||||
file: flow_translation.yaml.tmpl
|
||||
template_driver: golang
|
||||
system_tenant:
|
||||
name: ${STACK_NAME}_system_tenant_${SYSTEM_TENANT_VERSION}
|
||||
file: system_tenant.yaml.tmpl
|
||||
system_brand:
|
||||
name: ${STACK_NAME}_system_brand_${SYSTEM_BRAND_VERSION}
|
||||
file: system_brand.yaml.tmpl
|
||||
template_driver: golang
|
||||
db_entrypoint:
|
||||
name: ${STACK_NAME}_db_entrypoint_${DB_ENTRYPOINT_VERSION}
|
||||
|
|
|
@ -384,7 +384,7 @@ entries:
|
|||
enabled: {{ if eq (env "LOGOUT_REDIRECT") "" }} false {{ else }} true {{ end }}
|
||||
timeout: 30
|
||||
|
||||
######## System Tenant ##########
|
||||
######## System Brand ##########
|
||||
- attrs:
|
||||
attributes:
|
||||
settings:
|
||||
|
@ -401,5 +401,5 @@ entries:
|
|||
flow_user_settings: !Find [authentik_flows.flow, [slug, default-user-settings-flow]]
|
||||
identifiers:
|
||||
pk: 047cce25-aae2-4b02-9f96-078e155f803d
|
||||
id: system_tenant
|
||||
model: authentik_tenants.tenant
|
||||
id: system_brand
|
||||
model: authentik_brands.brand
|
||||
|
|
|
@ -37,7 +37,7 @@ entries:
|
|||
name: default-authentication-login
|
||||
model: authentik_stages_user_login.userloginstage
|
||||
attrs:
|
||||
session_duration: seconds=0
|
||||
session_duration: days=30
|
||||
|
||||
# After the first run this will produce a RelatedObjectDoesNotExist error
|
||||
- identifiers:
|
||||
|
|
|
@ -24,6 +24,18 @@ entries:
|
|||
id: invitation-enrollment-flow
|
||||
model: authentik_flows.flow
|
||||
|
||||
### POLICIES
|
||||
- attrs:
|
||||
expression: |
|
||||
if not regex_match(request.context.get('prompt_data').get('username'), '\s'):
|
||||
return True
|
||||
ak_message("Username must not contain any whitespace!")
|
||||
return False
|
||||
id: username-without-spaces-policy
|
||||
identifiers:
|
||||
name: username-without-spaces-policy
|
||||
model: authentik_policies_expression.expressionpolicy
|
||||
|
||||
### STAGES
|
||||
- identifiers:
|
||||
name: invitation-stage
|
||||
|
@ -41,6 +53,8 @@ entries:
|
|||
- !Find [authentik_stages_prompt.prompt, [name, default-user-settings-field-email]]
|
||||
- !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password]]
|
||||
- !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password-repeat]]
|
||||
validation_policies:
|
||||
- !Find [ authentik_policies_expression.expressionpolicy, [name, username-without-spaces-policy]]
|
||||
|
||||
### STAGE BINDINGS
|
||||
- identifiers:
|
||||
|
|
|
@ -0,0 +1,43 @@
|
|||
version: 1
|
||||
metadata:
|
||||
labels:
|
||||
blueprints.goauthentik.io/instantiate: "true"
|
||||
name: hedgedoc
|
||||
|
||||
entries:
|
||||
|
||||
- attrs:
|
||||
access_code_validity: minutes=1
|
||||
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
|
||||
client_id: {{ secret "hedgedoc_id" }}
|
||||
client_secret: {{ secret "hedgedoc_secret" }}
|
||||
client_type: confidential
|
||||
include_claims_in_id_token: true
|
||||
issuer_mode: per_provider
|
||||
name: Hedgedoc
|
||||
property_mappings:
|
||||
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
|
||||
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
|
||||
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
|
||||
signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
|
||||
sub_mode: hashed_user_id
|
||||
token_validity: days=30
|
||||
conditions: []
|
||||
id: hedgedoc_provider
|
||||
identifiers:
|
||||
pk: 9992
|
||||
model: authentik_providers_oauth2.oauth2provider
|
||||
state: present
|
||||
|
||||
- attrs:
|
||||
meta_launch_url: https://{{ env "HEDGEDOC_DOMAIN" }}
|
||||
open_in_new_tab: true
|
||||
policy_engine_mode: any
|
||||
provider: !KeyOf hedgedoc_provider
|
||||
slug: hedgedoc
|
||||
conditions: []
|
||||
id: hedgedoc_application
|
||||
identifiers:
|
||||
name: Hedgedoc
|
||||
model: authentik_core.application
|
||||
state: present
|
Binary file not shown.
After Width: | Height: | Size: 9.2 KiB |
Binary file not shown.
After Width: | Height: | Size: 30 KiB |
|
@ -0,0 +1,48 @@
|
|||
version: 1
|
||||
metadata:
|
||||
labels:
|
||||
blueprints.goauthentik.io/instantiate: "true"
|
||||
name: kimai
|
||||
|
||||
entries:
|
||||
- attrs:
|
||||
acs_url: https://{{ env "KIMAI_DOMAIN" }}/auth/saml/acs
|
||||
assertion_valid_not_before: minutes=-5
|
||||
assertion_valid_not_on_or_after: minutes=5
|
||||
audience: https://{{ env "KIMAI_DOMAIN" }}/auth/saml
|
||||
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
|
||||
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
|
||||
digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
|
||||
issuer: https://{{ env "DOMAIN" }}
|
||||
name: Kimai
|
||||
name_id_mapping: !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Username"]]
|
||||
property_mappings:
|
||||
- !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Name"]]
|
||||
- !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Email"]]
|
||||
- !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: User ID"]]
|
||||
- !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Username"]]
|
||||
- !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Groups"]]
|
||||
- !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: UPN"]]
|
||||
session_valid_not_on_or_after: minutes=86400
|
||||
signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
|
||||
signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
|
||||
sp_binding: post
|
||||
conditions: []
|
||||
id: kimai_provider
|
||||
identifiers:
|
||||
pk: 9991
|
||||
model: authentik_providers_saml.samlprovider
|
||||
state: present
|
||||
|
||||
- attrs:
|
||||
meta_launch_url: https://{{ env "KIMAI_DOMAIN" }}
|
||||
open_in_new_tab: true
|
||||
policy_engine_mode: any
|
||||
provider: !KeyOf kimai_provider
|
||||
slug: kimai
|
||||
conditions: []
|
||||
id: kimai_application
|
||||
identifiers:
|
||||
name: Kimai
|
||||
model: authentik_core.application
|
||||
state: present
|
|
@ -25,7 +25,7 @@ entries:
|
|||
conditions: []
|
||||
id: outline_provider
|
||||
identifiers:
|
||||
pk: 9995
|
||||
pk: 9994
|
||||
model: authentik_providers_oauth2.oauth2provider
|
||||
state: present
|
||||
|
||||
|
|
|
@ -0,0 +1,43 @@
|
|||
version: 1
|
||||
metadata:
|
||||
labels:
|
||||
blueprints.goauthentik.io/instantiate: "true"
|
||||
name: rallly
|
||||
|
||||
entries:
|
||||
|
||||
- attrs:
|
||||
access_code_validity: minutes=1
|
||||
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
|
||||
client_id: {{ secret "rallly_id" }}
|
||||
client_secret: {{ secret "rallly_secret" }}
|
||||
client_type: confidential
|
||||
include_claims_in_id_token: true
|
||||
issuer_mode: per_provider
|
||||
name: Rallly
|
||||
property_mappings:
|
||||
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
|
||||
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
|
||||
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
|
||||
signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
|
||||
sub_mode: hashed_user_id
|
||||
token_validity: days=30
|
||||
conditions: []
|
||||
id: rallly_provider
|
||||
identifiers:
|
||||
pk: 9993
|
||||
model: authentik_providers_oauth2.oauth2provider
|
||||
state: present
|
||||
|
||||
- attrs:
|
||||
meta_launch_url: https://{{ env "RALLLY_DOMAIN" }}
|
||||
open_in_new_tab: true
|
||||
policy_engine_mode: any
|
||||
provider: !KeyOf rallly_provider
|
||||
slug: rallly
|
||||
conditions: []
|
||||
id: rallly_application
|
||||
identifiers:
|
||||
name: Rallly
|
||||
model: authentik_core.application
|
||||
state: present
|
|
@ -0,0 +1 @@
|
|||
Blueprint changes are applied and automatic migrations should work, however, manual action may be required: https://docs.goauthentik.io/docs/releases/2024.2
|
|
@ -0,0 +1 @@
|
|||
Due to blueprint changes, you need to run the following command after upgrading: abra app cmd -C <Domain> worker apply_blueprints
|
|
@ -0,0 +1 @@
|
|||
Alerta! ⚠️ If you are using AUTHENTIK_COLOR_BACKGROUND_LIGHT, you will need to set COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
|
|
@ -0,0 +1 @@
|
|||
Blueprint for Kimai SSO integration added
|
|
@ -2,13 +2,13 @@ version: 1
|
|||
metadata:
|
||||
labels:
|
||||
blueprints.goauthentik.io/instantiate: "true"
|
||||
name: Custom System Tenant
|
||||
name: Custom System brand
|
||||
entries:
|
||||
### DEPENDENCIES
|
||||
- model: authentik_blueprints.metaapplyblueprint
|
||||
attrs:
|
||||
identifiers:
|
||||
name: Default - Tenant
|
||||
name: Default - Brand
|
||||
required: true
|
||||
- model: authentik_blueprints.metaapplyblueprint
|
||||
attrs:
|
||||
|
@ -17,11 +17,11 @@ entries:
|
|||
required: true
|
||||
|
||||
|
||||
### SYSTEM TENANT
|
||||
# remove custom tenant from old recipe
|
||||
### SYSTEM BRAND
|
||||
# remove custom brand from old recipe
|
||||
- identifiers:
|
||||
domain: {{ env "DOMAIN" }}
|
||||
model: authentik_tenants.tenant
|
||||
model: authentik_brands.brand
|
||||
state: absent
|
||||
|
||||
- attrs:
|
||||
|
@ -32,4 +32,4 @@ entries:
|
|||
identifiers:
|
||||
default: true
|
||||
domain: authentik-default
|
||||
model: authentik_tenants.tenant
|
||||
model: authentik_brands.brand
|
Loading…
Reference in New Issue