Compare commits
16 Commits
custom-css
...
password_b
| Author | SHA1 | Date | |
|---|---|---|---|
| 632449ece8 | |||
| 0be7e95f48 | |||
| 4fe52c1e5f | |||
| 248a09c594 | |||
| b957425981 | |||
| 20f99b13ad | |||
| c42017839f | |||
| cdabec1b18 | |||
| a606a84a98 | |||
| a0505e0dec | |||
| 17d40711e0 | |||
| fc33f285f4 | |||
| d1f091da62 | |||
| 3e339228f5 | |||
| 03f8810462 | |||
| d19bf17781 |
@ -30,6 +30,7 @@ steps:
|
||||
SECRET_ADMIN_TOKEN_VERSION: v1
|
||||
SECRET_ADMIN_PASS_VERSION: v1
|
||||
SECRET_EMAIL_PASS_VERSION: v1
|
||||
DB_ENTRYPOINT_VERSION: v1
|
||||
trigger:
|
||||
branch:
|
||||
- main
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
TYPE=authentik
|
||||
TIMEOUT=900
|
||||
ENABLE_AUTO_UPDATE=true
|
||||
# POST_DEPLOY_CMDS="worker set_admin_pass|worker apply_blueprints|worker add_applications"
|
||||
# POST_DEPLOY_CMDS="worker worker apply_blueprints|worker add_applications"
|
||||
LETS_ENCRYPT_ENV=production
|
||||
|
||||
DOMAIN=authentik.example.com
|
||||
@ -89,6 +89,12 @@ AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
|
||||
# SECRET_OUTLINE_SECRET_VERSION=v1
|
||||
# APP_ICONS="$APP_ICONS outline:~/.abra/recipes/authentik/icons/outline.png"
|
||||
|
||||
# COMPOSE_FILE="$COMPOSE_FILE:compose.kimai.yml"
|
||||
# KIMAI_DOMAIN=kimai.example.com
|
||||
# SECRET_KIMAI_ID_VERSION=v1
|
||||
# SECRET_KIMAI_SECRET_VERSION=v1
|
||||
# APP_ICONS="$APP_ICONS kimai:~/.abra/recipes/authentik/icons/kimai.png"
|
||||
|
||||
# COMPOSE_FILE="$COMPOSE_FILE:compose.monitoring.yml"
|
||||
# MONITORING_DOMAIN=monitoring.example.com
|
||||
# SECRET_MONITORING_ID_VERSION=v1
|
||||
|
||||
@ -35,7 +35,6 @@ abra app secret generate -a <app_name>
|
||||
abra app undeploy <app_name>
|
||||
abra app deploy <app_name>
|
||||
abra app cmd <app_name> db rotate_db_pass
|
||||
abra app cmd <app_name> app set_admin_pass
|
||||
```
|
||||
|
||||
## Add SSO for Nextcloud
|
||||
|
||||
47
abra.sh
47
abra.sh
@ -11,6 +11,7 @@ export MATRIX_CONFIG_VERSION=v1
|
||||
export WEKAN_CONFIG_VERSION=v3
|
||||
export VIKUNJA_CONFIG_VERSION=v1
|
||||
export OUTLINE_CONFIG_VERSION=v2
|
||||
export KIMAI_CONFIG_VERSION=v1
|
||||
export RALLLY_CONFIG_VERSION=v2
|
||||
export HEDGEDOC_CONFIG_VERSION=v1
|
||||
export MONITORING_CONFIG_VERSION=v1
|
||||
@ -55,43 +56,24 @@ with open('/tmp/$1', newline='') as file:
|
||||
email = row[2].strip()
|
||||
groups = row[3].split(';')
|
||||
if User.objects.filter(username=username):
|
||||
print(f'{username} already exists')
|
||||
continue
|
||||
new_user = User.objects.create(name=name, username=username, email=email)
|
||||
print(f'{username} created')
|
||||
for group_name in groups:
|
||||
group_name = group_name.strip()
|
||||
if Group.objects.filter(name=group_name):
|
||||
group = Group.objects.get(name=group_name)
|
||||
else:
|
||||
group = Group.objects.create(name=group_name)
|
||||
print(f'{group_name} created')
|
||||
group.users.add(new_user)
|
||||
print(f'add {username} to group {group_name}')
|
||||
""" 2>&1 | quieten
|
||||
}
|
||||
|
||||
set_admin_pass() {
|
||||
password=$(cat /run/secrets/admin_pass)
|
||||
token=$(cat /run/secrets/admin_token)
|
||||
/manage.py shell -c """
|
||||
akadmin = User.objects.get(username='akadmin')
|
||||
akadmin.set_password('$password')
|
||||
akadmin.save()
|
||||
print('Changed akadmin password')
|
||||
|
||||
from authentik.core.models import TokenIntents
|
||||
key='$token'
|
||||
if (token:= Token.objects.filter(identifier='authentik-bootstrap-token').first()):
|
||||
token.key=key
|
||||
token.save()
|
||||
print('Changed authentik-bootstrap-token')
|
||||
else:
|
||||
Token.objects.create(
|
||||
identifier='authentik-bootstrap-token',
|
||||
user=akadmin,
|
||||
intent=TokenIntents.INTENT_API,
|
||||
expiring=False,
|
||||
key=key,
|
||||
)
|
||||
print('Created authentik-bootstrap-token')
|
||||
""" 2>&1 | quieten
|
||||
echo "The set_admin_pass function is depricated"
|
||||
}
|
||||
|
||||
rotate_db_pass() {
|
||||
@ -171,7 +153,9 @@ for name, url in applications.items():
|
||||
|
||||
|
||||
quieten(){
|
||||
grep -v -e '{"event"' -e '{"action"'
|
||||
# 'SyntaxWarning|version_regex|"http\['
|
||||
# is a workaround to get rid of some verbose syntax warnings, this might be fixed with another version
|
||||
grep -Pv '"level": "(info|debug)"|SyntaxWarning|version_regex|"http\[|RuntimeWarning:'
|
||||
}
|
||||
|
||||
add_email_templates(){
|
||||
@ -222,3 +206,16 @@ Brand.objects.filter(default=True).delete()
|
||||
""" 2>&1 | quieten
|
||||
apply_blueprints
|
||||
}
|
||||
|
||||
get_certificate() {
|
||||
/manage.py shell -c """
|
||||
provider_name='$1'
|
||||
if not provider_name:
|
||||
print('no Provider Name given')
|
||||
exit(1)
|
||||
provider = Provider.objects.filter(name=provider_name).first()
|
||||
saml = provider.samlprovider
|
||||
cert = saml.signing_kp
|
||||
print(''.join(cert.certificate_data.splitlines()[1:-1]))
|
||||
""" 2>&1 | quieten
|
||||
}
|
||||
|
||||
76
alaconnect.yml
Normal file
76
alaconnect.yml
Normal file
@ -0,0 +1,76 @@
|
||||
nextcloud:
|
||||
uncomment:
|
||||
- compose.nextcloud.yml
|
||||
- NEXTCLOUD_DOMAIN
|
||||
- SECRET_NEXTCLOUD_ID_VERSION
|
||||
- SECRET_NEXTCLOUD_SECRET_VERSION
|
||||
- nextcloud.png
|
||||
wordpress:
|
||||
uncomment:
|
||||
- compose.wordpress.yml
|
||||
- WORDPRESS_DOMAIN
|
||||
- WORDPRESS_GROUP
|
||||
- SECRET_WORDPRESS_ID_VERSION
|
||||
- SECRET_WORDPRESS_SECRET_VERSION
|
||||
- wordpress.png
|
||||
matrix-synapse:
|
||||
uncomment:
|
||||
- compose.matrix.yml
|
||||
- ELEMENT_DOMAIN
|
||||
- SECRET_MATRIX_ID_VERSION
|
||||
- SECRET_MATRIX_SECRET_VERSION
|
||||
- matrix.svg
|
||||
secrets:
|
||||
matrix_id: matrix
|
||||
wekan:
|
||||
uncomment:
|
||||
- compose.wekan.yml
|
||||
- WEKAN_DOMAIN
|
||||
- SECRET_WEKAN_ID_VERSION
|
||||
- SECRET_WEKAN_SECRET_VERSION
|
||||
- wekan.png
|
||||
secrets:
|
||||
wekan_id: wekan
|
||||
vikunja:
|
||||
uncomment:
|
||||
- compose.vikunja.yml
|
||||
- VIKUNJA_DOMAIN
|
||||
- SECRET_VIKUNJA_ID_VERSION
|
||||
- SECRET_VIKUNJA_SECRET_VERSION
|
||||
- vikunja.svg
|
||||
secrets:
|
||||
vikunja_id: vikunja
|
||||
monitoring:
|
||||
uncomment:
|
||||
- compose.monitoring.yml
|
||||
- MONITORING_DOMAIN
|
||||
- SECRET_MONITORING_ID_VERSION
|
||||
- SECRET_MONITORING_SECRET_VERSION
|
||||
- monitoring.png
|
||||
outline:
|
||||
uncomment:
|
||||
- compose.outline.yml
|
||||
- OUTLINE_DOMAIN
|
||||
- SECRET_OUTLINE_ID_VERSION
|
||||
- SECRET_OUTLINE_SECRET_VERSION
|
||||
- outline.png
|
||||
secrets:
|
||||
outline_id: outline
|
||||
rallly:
|
||||
uncomment:
|
||||
- compose.rallly.yml
|
||||
- RALLLY_DOMAIN
|
||||
- SECRET_RALLLY_ID_VERSION
|
||||
- SECRET_RALLLY_SECRET_VERSION
|
||||
- rallly.png
|
||||
secrets:
|
||||
rallly_id: rallly
|
||||
hedgedoc:
|
||||
uncomment:
|
||||
- compose.hedgedoc.yml
|
||||
- HEDGEDOC_DOMAIN
|
||||
- SECRET_HEDGEDOC_ID_VERSION
|
||||
- SECRET_HEDGEDOC_SECRET_VERSION
|
||||
- hedgedoc.png
|
||||
secrets:
|
||||
hedgedoc_id: hedgedoc
|
||||
14
compose.kimai.yml
Normal file
14
compose.kimai.yml
Normal file
@ -0,0 +1,14 @@
|
||||
version: "3.8"
|
||||
services:
|
||||
worker:
|
||||
environment:
|
||||
- KIMAI_DOMAIN
|
||||
configs:
|
||||
- source: kimai
|
||||
target: /blueprints/kimai.yaml
|
||||
|
||||
configs:
|
||||
kimai:
|
||||
name: ${STACK_NAME}_kimai_${KIMAI_CONFIG_VERSION}
|
||||
file: kimai.yaml.tmpl
|
||||
template_driver: golang
|
||||
10
compose.yml
10
compose.yml
@ -8,6 +8,8 @@ x-env: &env
|
||||
- AUTHENTIK_REDIS__HOST=redis
|
||||
- AUTHENTIK_ERROR_REPORTING__ENABLED
|
||||
- AUTHENTIK_SECRET_KEY=file:///run/secrets/secret_key
|
||||
- AUTHENTIK_BOOTSTRAP_PASSWORD=file:///run/secrets/admin_pass
|
||||
- AUTHENTIK_BOOTSTRAP_TOKEN=file:///run/secrets/admin_token
|
||||
- AUTHENTIK_EMAIL__HOST
|
||||
- AUTHENTIK_EMAIL__PORT
|
||||
- AUTHENTIK_EMAIL__USERNAME
|
||||
@ -32,7 +34,7 @@ x-env: &env
|
||||
version: '3.8'
|
||||
services:
|
||||
app:
|
||||
image: ghcr.io/goauthentik/server:2024.4.0
|
||||
image: ghcr.io/goauthentik/server:2024.4.2
|
||||
command: server
|
||||
depends_on:
|
||||
- db
|
||||
@ -73,11 +75,11 @@ services:
|
||||
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
|
||||
- "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
|
||||
- "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
|
||||
- "coop-cloud.${STACK_NAME}.version=5.2.1+2024.4.0"
|
||||
- "coop-cloud.${STACK_NAME}.version=6.1.1+2024.4.2"
|
||||
- "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
|
||||
|
||||
worker:
|
||||
image: ghcr.io/goauthentik/server:2024.4.0
|
||||
image: ghcr.io/goauthentik/server:2024.4.2
|
||||
command: worker
|
||||
depends_on:
|
||||
- db
|
||||
@ -112,7 +114,7 @@ services:
|
||||
environment: *env
|
||||
|
||||
db:
|
||||
image: postgres:15.5
|
||||
image: postgres:15.7
|
||||
secrets:
|
||||
- db_password
|
||||
configs:
|
||||
|
||||
BIN
icons/kimai_logo.png
Normal file
BIN
icons/kimai_logo.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 30 KiB |
48
kimai.yaml.tmpl
Normal file
48
kimai.yaml.tmpl
Normal file
@ -0,0 +1,48 @@
|
||||
version: 1
|
||||
metadata:
|
||||
labels:
|
||||
blueprints.goauthentik.io/instantiate: "true"
|
||||
name: kimai
|
||||
|
||||
entries:
|
||||
- attrs:
|
||||
acs_url: https://{{ env "KIMAI_DOMAIN" }}/auth/saml/acs
|
||||
assertion_valid_not_before: minutes=-5
|
||||
assertion_valid_not_on_or_after: minutes=5
|
||||
audience: https://{{ env "KIMAI_DOMAIN" }}/auth/saml
|
||||
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
|
||||
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
|
||||
digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
|
||||
issuer: https://{{ env "DOMAIN" }}
|
||||
name: Kimai
|
||||
name_id_mapping: !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Username"]]
|
||||
property_mappings:
|
||||
- !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Name"]]
|
||||
- !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Email"]]
|
||||
- !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: User ID"]]
|
||||
- !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Username"]]
|
||||
- !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Groups"]]
|
||||
- !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: UPN"]]
|
||||
session_valid_not_on_or_after: minutes=86400
|
||||
signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
|
||||
signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
|
||||
sp_binding: post
|
||||
conditions: []
|
||||
id: kimai_provider
|
||||
identifiers:
|
||||
pk: 9991
|
||||
model: authentik_providers_saml.samlprovider
|
||||
state: present
|
||||
|
||||
- attrs:
|
||||
meta_launch_url: https://{{ env "KIMAI_DOMAIN" }}
|
||||
open_in_new_tab: true
|
||||
policy_engine_mode: any
|
||||
provider: !KeyOf kimai_provider
|
||||
slug: kimai
|
||||
conditions: []
|
||||
id: kimai_application
|
||||
identifiers:
|
||||
name: Kimai
|
||||
model: authentik_core.application
|
||||
state: present
|
||||
1
release/6.0.0+2024.4.0
Normal file
1
release/6.0.0+2024.4.0
Normal file
@ -0,0 +1 @@
|
||||
Alerta! ⚠️ If you are using AUTHENTIK_COLOR_BACKGROUND_LIGHT, you will need to set COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
|
||||
1
release/6.1.0+2024.4.2
Normal file
1
release/6.1.0+2024.4.2
Normal file
@ -0,0 +1 @@
|
||||
Blueprint for Kimai SSO integration added
|
||||
Reference in New Issue
Block a user