Compare commits
29 Commits
WIP
...
feature/53
| Author | SHA1 | Date | |
|---|---|---|---|
| f47da0c1b8 | |||
| c15f2adcba | |||
| 08118088a8 | |||
| 14e1d61343 | |||
| 04a370699d | |||
| efd67032cf | |||
| 6b627c6db7 | |||
| c90b3c6881 | |||
| e7af2b541e | |||
ea9b0ebd55
|
|||
|
06aafce852
|
|||
| 3c2b248304 | |||
| bda409290e | |||
| 77d79b3a07 | |||
| ac7192e6ab | |||
| d6bd030880 | |||
| 7a2c45137f | |||
|
86ce0820bc
|
|||
| 6fcba9ff03 | |||
| 43700b2562 | |||
| 35d48cc4c4 | |||
| 64100ce3a4 | |||
| abc1ed307c | |||
| a5b5395bdf | |||
| 97ce2e451a | |||
| 98a5d4b726 | |||
| d0c924a864 | |||
| 5df1f34cd7 | |||
| bc62831e58 |
@ -62,7 +62,7 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
|
||||
# COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
|
||||
# BACKGROUND_FONT_COLOR=white
|
||||
# BACKGROUND_BOX_COLOR='#eaeaeacf'
|
||||
# THEME_BACKGROUND="url('https://authentik.example.com/static/dist/assets/images/flow_background.jpg'); background-position: center; background-repeat: no-repeat; background-size: cover;"
|
||||
# THEME_BACKGROUND=""
|
||||
|
||||
# COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
|
||||
# NEXTCLOUD_DOMAIN=nextcloud.example.com
|
||||
@ -130,5 +130,5 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
|
||||
# SECRET_HEDGEDOC_SECRET_VERSION=v1
|
||||
# APP_ICONS="$APP_ICONS hedgedoc:~/.abra/recipes/authentik/icons/hedgedoc.png"
|
||||
|
||||
# APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "BBB": "https://nextcloud.example.com/apps/bbb/"}'
|
||||
# EXTRA_ICONS={"Calendar": "~/.abra/recipes/authentik/icons/calendar.svg", "BBB": "~/.abra/recipes/authentik/icons/bbb.png"}
|
||||
# APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "BBB": "https://nextcloud.example.com/apps/bbb/", "Pretix": "https://pretix.example.com/control/"}'
|
||||
# EXTRA_ICONS={"Calendar": "~/.abra/recipes/authentik/icons/calendar.svg", "BBB": "~/.abra/recipes/authentik/icons/bbb.png", "Pretix": "~/.abra/recipes/authentik/icons/pretix.svg"}
|
||||
|
||||
41
README.md
41
README.md
@ -52,6 +52,16 @@ APP_ICONS="nextcloud:~/.abra/recipes/authentik/icons/nextcloud.png"
|
||||
|
||||
Set the nextcloud Icon using `abra app cmd -l -d <app_name> set_icons`
|
||||
|
||||
Generate OAuth client id and secret using `abra app secret generate <app_name> -a` (all secrets) or individually:
|
||||
- `abra app secret generate <app_name> nextcloud_id`
|
||||
- `abra app secret generate <app_name> nextcloud_secret`
|
||||
|
||||
Add the id and secret to nextcloud as secrets with:
|
||||
- `abra app secret insert <nextcloud_app_name> authentik_id v1 <id>`
|
||||
- `abra app secret insert <nextcloud_app_name> authentik_secret v1 <secret>`
|
||||
|
||||
Redeploy Authentik to enable the nextcloud client.
|
||||
|
||||
The configuration inside Nextcloud can be found in the [nextcloud recipe](https://git.coopcloud.tech/coop-cloud/nextcloud#authentik-integration)
|
||||
|
||||
## Add LDAP outpost
|
||||
@ -95,6 +105,25 @@ Run this command after every deploy/upgrade:
|
||||
|
||||
`abra app command --local <app-name> customize <assets_path>`
|
||||
|
||||
## Custom CSS
|
||||
|
||||
Uncomment the following env:
|
||||
|
||||
```
|
||||
COMPOSE_FILE="$COMPOSE_FILE:compose.css-volume.yml"
|
||||
```
|
||||
|
||||
Redeploy the app:
|
||||
```
|
||||
abra app deploy -f <app_name>
|
||||
```
|
||||
|
||||
Copy the CSS and restart the container:
|
||||
```
|
||||
abra app cp <app_name> my_custom.css app:/web/dist/assets/custom.css
|
||||
abra app restart <app_name> app
|
||||
```
|
||||
|
||||
## Email templates
|
||||
|
||||
Add custom [email templates](https://goauthentik.io/docs/flow/stages/email/#custom-templates):
|
||||
@ -105,15 +134,15 @@ Add custom [email templates](https://goauthentik.io/docs/flow/stages/email/#cust
|
||||
|
||||
These blueprints overwrite default blueprint values:
|
||||
|
||||
- flow_translation.yaml
|
||||
- flow_authentication.yaml
|
||||
- `flow_translation.yaml`
|
||||
- `flow_authentication.yaml`
|
||||
|
||||
The following default blueprints will be overwritten by customizations:
|
||||
|
||||
- flow-password-change.yaml
|
||||
- flow-default-authentication-flow.yaml
|
||||
- flow-default-user-settings-flow.yaml
|
||||
- flow-default-source-enrollment.yaml
|
||||
- `flow-password-change.yaml`
|
||||
- `flow-default-authentication-flow.yaml`
|
||||
- `flow-default-user-settings-flow.yaml`
|
||||
- `flow-default-source-enrollment.yaml`
|
||||
|
||||
The `abra.sh` function `apply_blueprints` needs to be executed to deactivate these blueprints to ensure that the customizations won't be overwritten. It will further execute flow_translation.yaml and flow_authentication.yaml again.
|
||||
|
||||
|
||||
41
abra.sh
41
abra.sh
@ -5,17 +5,17 @@ export FLOW_INVALIDATION_VERSION=v2
|
||||
export FLOW_RECOVERY_VERSION=v1
|
||||
export FLOW_TRANSLATION_VERSION=v3
|
||||
export SYSTEM_BRAND_VERSION=v4
|
||||
export NEXTCLOUD_CONFIG_VERSION=v2
|
||||
export WORDPRESS_CONFIG_VERSION=v3
|
||||
export MATRIX_CONFIG_VERSION=v2
|
||||
export WEKAN_CONFIG_VERSION=v4
|
||||
export VIKUNJA_CONFIG_VERSION=v2
|
||||
export OUTLINE_CONFIG_VERSION=v3
|
||||
export KIMAI_CONFIG_VERSION=v2
|
||||
export ZAMMAD_CONFIG_VERSION=v3
|
||||
export RALLLY_CONFIG_VERSION=v3
|
||||
export HEDGEDOC_CONFIG_VERSION=v2
|
||||
export MONITORING_CONFIG_VERSION=v3
|
||||
export NEXTCLOUD_CONFIG_VERSION=v3
|
||||
export WORDPRESS_CONFIG_VERSION=v4
|
||||
export MATRIX_CONFIG_VERSION=v3
|
||||
export WEKAN_CONFIG_VERSION=v5
|
||||
export VIKUNJA_CONFIG_VERSION=v3
|
||||
export OUTLINE_CONFIG_VERSION=v4
|
||||
export KIMAI_CONFIG_VERSION=v3
|
||||
export ZAMMAD_CONFIG_VERSION=v4
|
||||
export RALLLY_CONFIG_VERSION=v4
|
||||
export HEDGEDOC_CONFIG_VERSION=v3
|
||||
export MONITORING_CONFIG_VERSION=v4
|
||||
export DB_ENTRYPOINT_VERSION=v1
|
||||
export PG_BACKUP_VERSION=v2
|
||||
export ENTRYPOINT_CSS_VERSION=v1
|
||||
@ -35,6 +35,15 @@ customize() {
|
||||
done
|
||||
}
|
||||
|
||||
shell(){
|
||||
if [ -z "$1" ]
|
||||
then
|
||||
echo "Usage: ... shell <python code>"
|
||||
exit 1
|
||||
fi
|
||||
ak shell -c "$1" 2>&1 | quieten
|
||||
}
|
||||
|
||||
import_user() {
|
||||
if [ -z "$1" ]
|
||||
then
|
||||
@ -79,6 +88,16 @@ set_admin_pass() {
|
||||
password=$(cat /run/secrets/admin_pass)
|
||||
token=$(cat /run/secrets/admin_token)
|
||||
/manage.py shell -c """
|
||||
import time
|
||||
i = 0
|
||||
while (not User.objects.filter(username='akadmin')):
|
||||
print('Waiting for akadmin to be created...')
|
||||
time.sleep(10)
|
||||
i += 1
|
||||
if i > 6:
|
||||
print('Failed to find admin user!')
|
||||
exit()
|
||||
|
||||
akadmin = User.objects.get(username='akadmin')
|
||||
akadmin.set_password('$password')
|
||||
akadmin.save()
|
||||
|
||||
@ -12,6 +12,7 @@ services:
|
||||
- matrix_secret
|
||||
environment:
|
||||
- ELEMENT_DOMAIN
|
||||
- MATRIX_DOMAIN
|
||||
configs:
|
||||
- source: matrix
|
||||
target: /blueprints/matrix.yaml
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
version: "3.8"
|
||||
services:
|
||||
authentik_ldap:
|
||||
image: ghcr.io/goauthentik/ldap:2024.10.5
|
||||
image: ghcr.io/goauthentik/ldap:2025.6.2
|
||||
# Optionally specify which networks the container should be
|
||||
# might be needed to reach the core authentik server
|
||||
networks:
|
||||
|
||||
10
compose.yml
10
compose.yml
@ -34,7 +34,7 @@ x-env: &env
|
||||
version: '3.8'
|
||||
services:
|
||||
app:
|
||||
image: ghcr.io/goauthentik/server:2024.10.5
|
||||
image: ghcr.io/goauthentik/server:2025.6.2
|
||||
command: server
|
||||
depends_on:
|
||||
- db
|
||||
@ -72,11 +72,11 @@ services:
|
||||
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
|
||||
- "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
|
||||
- "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
|
||||
- "coop-cloud.${STACK_NAME}.version=6.11.0+2024.10.5"
|
||||
- "coop-cloud.${STACK_NAME}.version=7.3.2+2025.6.2"
|
||||
- "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
|
||||
|
||||
worker:
|
||||
image: ghcr.io/goauthentik/server:2024.10.5
|
||||
image: ghcr.io/goauthentik/server:2025.6.2
|
||||
command: worker
|
||||
depends_on:
|
||||
- db
|
||||
@ -117,7 +117,7 @@ services:
|
||||
start_period: 5m
|
||||
|
||||
db:
|
||||
image: postgres:15.8
|
||||
image: postgres:15.13
|
||||
secrets:
|
||||
- db_password
|
||||
configs:
|
||||
@ -152,7 +152,7 @@ services:
|
||||
backupbot.restore.post-hook: '/pg_backup.sh restore'
|
||||
|
||||
redis:
|
||||
image: redis:7.4.1-alpine
|
||||
image: redis:8.0.2-alpine
|
||||
command: --save 60 1 --loglevel warning
|
||||
networks:
|
||||
- internal
|
||||
|
||||
@ -16,6 +16,9 @@ entries:
|
||||
client_type: confidential
|
||||
include_claims_in_id_token: true
|
||||
issuer_mode: per_provider
|
||||
redirect_uris:
|
||||
- matching_mode: strict
|
||||
url: https://{{ env "HEDGEDOC_DOMAIN" }}/auth/oauth2/callback
|
||||
name: Hedgedoc
|
||||
property_mappings:
|
||||
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
|
||||
@ -32,7 +35,7 @@ entries:
|
||||
state: present
|
||||
|
||||
- attrs:
|
||||
meta_launch_url: https://{{ env "HEDGEDOC_DOMAIN" }}
|
||||
meta_launch_url: https://{{ env "HEDGEDOC_DOMAIN" }}/auth/oauth2
|
||||
open_in_new_tab: true
|
||||
policy_engine_mode: any
|
||||
provider: !KeyOf hedgedoc_provider
|
||||
|
||||
1
icons/pretix.svg
Normal file
1
icons/pretix.svg
Normal file
@ -0,0 +1 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?><svg id="Ebene_1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 128 128"><defs><style>.cls-1{fill:#3b1c4a;}</style></defs><path class="cls-1" d="m50.67,56.95c-.72.1-1.22.3-1.66.5l2.38,16.91c.41.08.95.13,1.6.04,3.52-.5,4.61-3.64,3.81-9.39-.83-5.87-2.53-8.56-6.12-8.06Z"/><path class="cls-1" d="m116.04,35.05c.71-.17,1.16-.76,1.06-1.48L112.54,1.13c-.1-.72-.77-1.22-1.49-1.12l-37.5,5.27.73,5.22c.16,1.12-.62,2.15-1.74,2.31s-2.15-.62-2.31-1.74l-.73-5.22L1.13,15.46c-.72.1-1.22.77-1.12,1.49l4.56,32.44c.1.72.7,1.17,1.42,1.13,11.25-.92,21.43,7.1,23.03,18.46,1.6,11.36-5.99,21.81-17.07,23.96-.71.17-1.16.76-1.06,1.48l4.56,32.44c.1.72.77,1.22,1.49,1.12l68.37-9.61-.73-5.22c-.16-1.15.59-2.15,1.74-2.31s2.15.62,2.31,1.74l.73,5.22,37.5-5.27c.72-.1,1.22-.77,1.12-1.49l-4.56-32.44c-.1-.72-.7-1.17-1.42-1.13-11.25.92-21.42-7.04-23.02-18.4-1.6-11.36,5.98-21.87,17.06-24.03Zm-59.84,44.75c-1.76.25-3.29.26-4.04.17l1.59,11.29-9.92,1.39-5.3-37.73c2.5-1.62,5.96-3.03,11.38-3.8,8.68-1.22,15.27,2.58,16.66,12.44,1.25,8.88-3.12,15.21-10.36,16.23Zm30.73,20.71c.16,1.12-.62,2.15-1.74,2.31-1.12.16-2.15-.62-2.31-1.74l-1.47-10.44c-.16-1.12.62-2.15,1.74-2.31s2.16.66,2.31,1.74l1.47,10.44Zm-3.17-22.58c.15,1.08-.66,2.16-1.74,2.31s-2.16-.66-2.31-1.74l-1.47-10.44c-.16-1.15.59-2.15,1.74-2.31,1.12-.16,2.15.62,2.31,1.74l1.47,10.44Zm-3.16-22.45c.16,1.12-.62,2.15-1.74,2.31-1.12.16-2.15-.62-2.31-1.74l-1.47-10.44c-.16-1.12.62-2.15,1.74-2.31s2.16.66,2.31,1.74l1.47,10.44Zm-3.17-22.58c.15,1.08-.66,2.16-1.74,2.31s-2.16-.66-2.31-1.74l-1.47-10.44c-.16-1.15.59-2.15,1.74-2.31s2.15.62,2.31,1.74l1.47,10.44Z"/></svg>
|
||||
|
After Width: | Height: | Size: 1.6 KiB |
6
icons/vaultwarden.svg
Normal file
6
icons/vaultwarden.svg
Normal file
File diff suppressed because one or more lines are too long
|
After Width: | Height: | Size: 6.8 KiB |
@ -37,7 +37,7 @@ entries:
|
||||
state: present
|
||||
|
||||
- attrs:
|
||||
meta_launch_url: https://{{ env "KIMAI_DOMAIN" }}
|
||||
meta_launch_url: https://{{ env "KIMAI_DOMAIN" }}/auth/saml/login
|
||||
open_in_new_tab: true
|
||||
policy_engine_mode: any
|
||||
provider: !KeyOf kimai_provider
|
||||
|
||||
@ -16,6 +16,9 @@ entries:
|
||||
client_type: confidential
|
||||
include_claims_in_id_token: true
|
||||
issuer_mode: per_provider
|
||||
redirect_uris:
|
||||
- matching_mode: strict
|
||||
url: https://{{ env "MATRIX_DOMAIN" }}/_synapse/client/oidc/callback
|
||||
name: Matrix
|
||||
property_mappings:
|
||||
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
|
||||
@ -36,10 +39,10 @@ entries:
|
||||
open_in_new_tab: true
|
||||
policy_engine_mode: any
|
||||
provider: !KeyOf matrix_provider
|
||||
slug: matrix
|
||||
name: Element
|
||||
conditions: []
|
||||
id: matrix_application
|
||||
identifiers:
|
||||
name: Matrix
|
||||
slug: matrix
|
||||
model: authentik_core.application
|
||||
state: present
|
||||
|
||||
@ -16,6 +16,9 @@ entries:
|
||||
client_type: confidential
|
||||
include_claims_in_id_token: true
|
||||
issuer_mode: per_provider
|
||||
redirect_uris:
|
||||
- matching_mode: strict
|
||||
url: https://{{ env "MONITORING_DOMAIN" }}/login/generic_oauth
|
||||
name: Monitoring
|
||||
property_mappings:
|
||||
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
|
||||
|
||||
@ -28,6 +28,9 @@ entries:
|
||||
client_type: confidential
|
||||
include_claims_in_id_token: true
|
||||
issuer_mode: per_provider
|
||||
redirect_uris:
|
||||
- matching_mode: strict
|
||||
url: https://{{ env "NEXTCLOUD_DOMAIN" }}/apps/sociallogin/custom_oidc/authentik
|
||||
name: Nextcloud
|
||||
property_mappings:
|
||||
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
|
||||
|
||||
@ -16,6 +16,9 @@ entries:
|
||||
client_type: confidential
|
||||
include_claims_in_id_token: true
|
||||
issuer_mode: per_provider
|
||||
redirect_uris:
|
||||
- matching_mode: strict
|
||||
url: https://{{ env "OUTLINE_DOMAIN" }}/auth/oidc.callback
|
||||
name: Outline
|
||||
property_mappings:
|
||||
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
|
||||
@ -32,7 +35,7 @@ entries:
|
||||
state: present
|
||||
|
||||
- attrs:
|
||||
meta_launch_url: https://{{ env "OUTLINE_DOMAIN" }}
|
||||
meta_launch_url: https://{{ env "OUTLINE_DOMAIN" }}/auth/oidc
|
||||
open_in_new_tab: true
|
||||
policy_engine_mode: any
|
||||
provider: !KeyOf outline_provider
|
||||
|
||||
@ -16,6 +16,9 @@ entries:
|
||||
client_type: confidential
|
||||
include_claims_in_id_token: true
|
||||
issuer_mode: per_provider
|
||||
redirect_uris:
|
||||
- matching_mode: strict
|
||||
url: https://{{ env "RALLLY_DOMAIN" }}/api/auth/callback/oidc
|
||||
name: Rallly
|
||||
property_mappings:
|
||||
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
|
||||
|
||||
@ -16,6 +16,9 @@ entries:
|
||||
client_type: confidential
|
||||
include_claims_in_id_token: true
|
||||
issuer_mode: per_provider
|
||||
redirect_uris:
|
||||
- matching_mode: strict
|
||||
url: https://{{ env "VIKUNJA_DOMAIN" }}/auth/openid/authentik
|
||||
name: Vikunja
|
||||
property_mappings:
|
||||
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
|
||||
|
||||
@ -33,6 +33,9 @@ entries:
|
||||
client_type: confidential
|
||||
include_claims_in_id_token: true
|
||||
issuer_mode: per_provider
|
||||
redirect_uris:
|
||||
- matching_mode: strict
|
||||
url: https://{{ env "WEKAN_DOMAIN" }}/_oauth/oidc
|
||||
name: Wekan
|
||||
property_mappings:
|
||||
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
|
||||
|
||||
@ -16,6 +16,9 @@ entries:
|
||||
client_type: confidential
|
||||
include_claims_in_id_token: true
|
||||
issuer_mode: per_provider
|
||||
redirect_uris:
|
||||
- matching_mode: strict
|
||||
url: https://{{ env "WORDPRESS_DOMAIN" }}/openid-connect-authorize
|
||||
name: Wordpress
|
||||
property_mappings:
|
||||
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
|
||||
|
||||
Reference in New Issue
Block a user