Compare commits

...

13 Commits

Author SHA1 Message Date
cc3be7534e fix nextcloud integration 2025-01-03 20:02:45 -08:00
47793df102 chore: publish 6.11.0+2024.10.5 release
All checks were successful
continuous-integration/drone/tag Build is passing
continuous-integration/drone/push Build is passing
2024-12-23 11:04:48 +01:00
52719f8d3a update readme on ldap outpost
All checks were successful
continuous-integration/drone/push Build is passing
2024-11-22 16:40:40 +01:00
0175c0b0f4 chore: publish 6.10.1+2024.10.4 release
All checks were successful
continuous-integration/drone/tag Build is passing
continuous-integration/drone/push Build is passing
2024-11-22 16:10:07 +01:00
9db9d077ca chore: publish 6.10.0+2024.10.4 release
All checks were successful
continuous-integration/drone/tag Build is passing
continuous-integration/drone/push Build is passing
2024-11-22 16:00:34 +01:00
66e31d8632 chore: publish 6.9.0+2024.10.0 release
All checks were successful
continuous-integration/drone/tag Build is passing
continuous-integration/drone/push Build is passing
2024-11-22 15:56:55 +01:00
f1aec8ce90 add ldap outpost configuration 2024-11-22 15:54:52 +01:00
5e5da361e5 chore: publish 6.8.1+2024.10.0 release
All checks were successful
continuous-integration/drone/tag Build is passing
continuous-integration/drone/push Build is passing
2024-11-04 17:38:10 +01:00
830214b1fd fix custom css version 2024-11-04 17:26:02 +01:00
6d46686a24 chore: publish 6.8.0+2024.10.0 release
All checks were successful
continuous-integration/drone/tag Build is passing
continuous-integration/drone/push Build is passing
2024-11-04 17:09:21 +01:00
912691844e fix provider blueprints 2024-11-04 17:09:21 +01:00
84f8f5b165 fix traefik redirection for matrix well-known files 2024-11-04 13:13:30 +01:00
aa107d0ad4 fix drone runner
All checks were successful
continuous-integration/drone/push Build is passing
2024-10-30 15:49:57 +01:00
19 changed files with 79 additions and 19 deletions

View File

@ -31,6 +31,7 @@ steps:
SECRET_ADMIN_PASS_VERSION: v1
SECRET_EMAIL_PASS_VERSION: v1
DB_ENTRYPOINT_VERSION: v1
PG_BACKUP_VERSION: v2
trigger:
branch:
- main

View File

@ -18,6 +18,8 @@ AUTHENTIK_LOG_LEVEL=info
## Outpost Integration
# COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.yml"
# COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.ldap.yml"
# SECRET_LDAP_TOKEN_VERSION=v1
## ADMIN
AUTHENTIK_BOOTSTRAP_EMAIL=admin@example.com

View File

@ -54,6 +54,14 @@ Set the nextcloud Icon using `abra app cmd -l -d <app_name> set_icons`
The configuration inside Nextcloud can be found in the [nextcloud recipe](https://git.coopcloud.tech/coop-cloud/nextcloud#authentik-integration)
## Add LDAP outpost
- Follow [this official guide](https://docs.goauthentik.io/docs/add-secure-apps/providers/ldap/generic_setup) and skip the LDAP Flow as we don't need it.
- Copy token under `Applications` -> `Outposts` `-> `View Deployment Info`
- Comment in envs for compose.outposts.ldap.yaml and secret version
- Insert token as secret `abra app secret insert <DOMAIN> ldap_token v1 <TOKEN>`
- Update deployment -> Outpost should be up and running
## Import User from CSV
Users can be imported from a CSV file of the following format:

24
abra.sh
View File

@ -1,21 +1,21 @@
export CUSTOM_CSS_VERSION=v2
export CUSTOM_CSS_VERSION=v3
export FLOW_AUTHENTICATION_VERSION=v4
export FLOW_INVITATION_VERSION=v2
export FLOW_INVALIDATION_VERSION=v2
export FLOW_RECOVERY_VERSION=v1
export FLOW_TRANSLATION_VERSION=v3
export SYSTEM_BRAND_VERSION=v4
export NEXTCLOUD_CONFIG_VERSION=v1
export WORDPRESS_CONFIG_VERSION=v2
export MATRIX_CONFIG_VERSION=v1
export WEKAN_CONFIG_VERSION=v3
export VIKUNJA_CONFIG_VERSION=v1
export OUTLINE_CONFIG_VERSION=v2
export KIMAI_CONFIG_VERSION=v1
export ZAMMAD_CONFIG_VERSION=v2
export RALLLY_CONFIG_VERSION=v2
export HEDGEDOC_CONFIG_VERSION=v1
export MONITORING_CONFIG_VERSION=v2
export NEXTCLOUD_CONFIG_VERSION=v2
export WORDPRESS_CONFIG_VERSION=v3
export MATRIX_CONFIG_VERSION=v2
export WEKAN_CONFIG_VERSION=v4
export VIKUNJA_CONFIG_VERSION=v2
export OUTLINE_CONFIG_VERSION=v3
export KIMAI_CONFIG_VERSION=v2
export ZAMMAD_CONFIG_VERSION=v3
export RALLLY_CONFIG_VERSION=v3
export HEDGEDOC_CONFIG_VERSION=v2
export MONITORING_CONFIG_VERSION=v3
export DB_ENTRYPOINT_VERSION=v1
export PG_BACKUP_VERSION=v2

View File

@ -3,9 +3,9 @@ services:
app:
deploy:
labels:
- "traefik.http.routers.${STACK_NAME}.middlewares=redirect-matrix-well-known"
- "traefik.http.middlewares.redirect-matrix-well-known.redirectregex.regex=^https://(.*)/.well-known/matrix/(.*)"
- "traefik.http.middlewares.redirect-matrix-well-known.redirectregex.replacement=https://${MATRIX_DOMAIN}/.well-known/matrix/$$2"
- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect-matrix-well-known"
- "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.regex=^https://(.*)/.well-known/matrix/(.*)"
- "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.replacement=https://${MATRIX_DOMAIN}/.well-known/matrix/$$2"
worker:
secrets:
- matrix_id

23
compose.outposts.ldap.yml Normal file
View File

@ -0,0 +1,23 @@
version: "3.8"
services:
authentik_ldap:
image: ghcr.io/goauthentik/ldap:2024.10.5
# Optionally specify which networks the container should be
# might be needed to reach the core authentik server
networks:
- internal
- proxy
ports:
- 389:3389
- 636:6636
secrets:
- ldap_token
environment:
- AUTHENTIK_HOST=https://${DOMAIN}
- AUTHENTIK_INSECURE=true
- AUTHENTIK_TOKEN=file:///run/secrets/ldap_token
secrets:
ldap_token:
external: true
name: ${STACK_NAME}_ldap_token_${SECRET_LDAP_TOKEN_VERSION}

View File

@ -34,7 +34,7 @@ x-env: &env
version: '3.8'
services:
app:
image: ghcr.io/goauthentik/server:2024.8.3
image: ghcr.io/goauthentik/server:2024.10.5
command: server
depends_on:
- db
@ -72,11 +72,11 @@ services:
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
- "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
- "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
- "coop-cloud.${STACK_NAME}.version=6.7.1+2024.8.3"
- "coop-cloud.${STACK_NAME}.version=6.11.0+2024.10.5"
- "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
worker:
image: ghcr.io/goauthentik/server:2024.8.3
image: ghcr.io/goauthentik/server:2024.10.5
command: worker
depends_on:
- db

View File

@ -8,7 +8,9 @@ entries:
- attrs:
access_code_validity: minutes=1
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_id: {{ secret "hedgedoc_id" }}
client_secret: {{ secret "hedgedoc_secret" }}
client_type: confidential

View File

@ -12,6 +12,7 @@ entries:
audience: https://{{ env "KIMAI_DOMAIN" }}/auth/saml
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
issuer: https://{{ env "DOMAIN" }}
name: Kimai
@ -24,6 +25,7 @@ entries:
- !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Groups"]]
- !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: UPN"]]
session_valid_not_on_or_after: minutes=86400
sign_assertion: true
signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
sp_binding: post
@ -45,4 +47,4 @@ entries:
identifiers:
name: Kimai
model: authentik_core.application
state: present
state: present

View File

@ -8,7 +8,9 @@ entries:
- attrs:
access_code_validity: minutes=1
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_id: {{ secret "matrix_id" }}
client_secret: {{ secret "matrix_secret" }}
client_type: confidential

View File

@ -8,7 +8,9 @@ entries:
- attrs:
access_code_validity: minutes=1
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_id: {{ secret "monitoring_id" }}
client_secret: {{ secret "monitoring_secret" }}
client_type: confidential

View File

@ -20,10 +20,15 @@ entries:
- attrs:
access_code_validity: minutes=1
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_id: {{ secret "nextcloud_id" }}
client_secret: {{ secret "nextcloud_secret" }}
client_type: confidential
redirect_uris:
- url: https://{{ env "NEXTCLOUD_DOMAIN" }}
matching_mode: strict
include_claims_in_id_token: true
issuer_mode: per_provider
name: Nextcloud

View File

@ -8,7 +8,9 @@ entries:
- attrs:
access_code_validity: minutes=1
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_id: {{ secret "outline_id" }}
client_secret: {{ secret "outline_secret" }}
client_type: confidential

View File

@ -8,7 +8,9 @@ entries:
- attrs:
access_code_validity: minutes=1
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_id: {{ secret "rallly_id" }}
client_secret: {{ secret "rallly_secret" }}
client_type: confidential

1
release/6.11.0+2024.10.5 Normal file
View File

@ -0,0 +1 @@
Fix Impersonate Bug

View File

@ -8,7 +8,9 @@ entries:
- attrs:
access_code_validity: minutes=1
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_id: {{ secret "vikunja_id" }}
client_secret: {{ secret "vikunja_secret" }}
client_type: confidential

View File

@ -25,7 +25,9 @@ entries:
- attrs:
access_code_validity: minutes=1
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_id: {{ secret "wekan_id" }}
client_secret: {{ secret "wekan_secret" }}
client_type: confidential

View File

@ -8,7 +8,9 @@ entries:
- attrs:
access_code_validity: minutes=1
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_id: {{ secret "wordpress_id" }}
client_secret: {{ secret "wordpress_secret" }}
client_type: confidential

View File

@ -36,6 +36,7 @@ entries:
audience: https://{{ env "ZAMMAD_DOMAIN" }}/auth/saml/metadata
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
issuer: https://{{ env "ZAMMAD_DOMAIN" }}/auth/saml/metadata
name: zammad
@ -43,6 +44,7 @@ entries:
- !KeyOf zammad_name_mapping
- !KeyOf zammad_email_mapping
session_valid_not_on_or_after: minutes=86400
sign_assertion: true
signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
sp_binding: post