Custom CSS in volume #9

Merged
3wordchant merged 4 commits from custom-css-volume into main 2025-01-07 15:16:21 +00:00
4 changed files with 27 additions and 0 deletions

@ -47,10 +47,15 @@ SECRET_EMAIL_PASS_VERSION=v1
# EMAIL_SUBJECT="Account Recovery"
# EMAIL_TOKEN_EXPIRY_MINUTES=30
## assets
Requires some release notes for this change in behaviour?

I cannot remember why these were commented out, again I don't think it will affect existing deployments but unless @knoflook remembers more context I say we just revert the commenting-out change.

COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/"
COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
# store custom CSS in a css-volume
#COMPOSE_FILE="$COMPOSE_FILE:compose.css-volume.yml"
# NOTE: this causes the authentik container to run as `root` initially; it uses `su` to drop privileges but technically could introduce a security risk. proceed with caution!
# Default CSS customisation
# COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
# BACKGROUND_FONT_COLOR=white
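Review bot: the `# NOTE:` caution sits below the `#COMPOSE_FILE="$COMPOSE_FILE:compose.css-volume.yml"` line it warns about, so someone uncommenting the option reads the warning only after acting on it; move the NOTE (and the `# store custom CSS in a css-volume` heading) above the COMPOSE_FILE line, and state the trade-off concretely (the `app` container starts as root, copies the CSS, then `su` drops to the service user) instead of "technically could introduce a security risk". The commented-out `# EMAIL_SUBJECT` and `# EMAIL_TOKEN_EXPIRY_MINUTES` lines are unrelated to the CSS volume and the thread above already leans toward reverting them; leaving them out of this hunk keeps the change reviewable and avoids release notes for a behaviour change nobody can explain.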

@ -18,6 +18,7 @@ export HEDGEDOC_CONFIG_VERSION=v1
export MONITORING_CONFIG_VERSION=v2
export DB_ENTRYPOINT_VERSION=v1
export PG_BACKUP_VERSION=v2
export ENTRYPOINT_CSS_VERSION=v1
customize() {
if [ -z "$1" ]
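Review bot: `ENTRYPOINT_CSS_VERSION=v1` is interpolated into the Swarm config name (`${STACK_NAME}_entrypoint_css_${ENTRYPOINT_CSS_VERSION}`), so every later edit to `entrypoint-css-volume.sh` needs this bumped or a redeploy silently keeps the old script; a one-line comment next to the export saying so would save the next contributor a confusing deploy.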

compose.css-volume.yml Normal file
@ -0,0 +1,16 @@
---
version: "3.8"
services:
app:
user: root

Not sure if this changes the attack surface but in case it does, might be worth signalling in release notes and/or docs that a user: root is introduced into the stack deployment? Might be a consideration point since it's usually a central point of infra.

I don't think it changes anything about existing deployments, unless someone opts-in to the extra .yml file.

It's hard for me to imagine how there could be a security hole in either cp, or su, but I don't claim to be an expert.

Happy to add a comment in .env.sample to warn about this, either way.

entrypoint: /docker-entrypoint.sh
configs:
- source: entrypoint_css
target: /docker-entrypoint.sh
mode: 0555
configs:
entrypoint_css:
name: ${STACK_NAME}_entrypoint_css_${ENTRYPOINT_CSS_VERSION}
file: entrypoint-css-volume.sh
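Review bot: `user: root` combined with the replaced `entrypoint` means the service's process tree stays rooted in a root-owned shell and `su` for the container's whole lifetime, not only during the CSS copy, which is the point raised in the thread above; since the file is opt-in, the release notes and the `.env.sample` comment should say exactly that, and the override should stay scoped to the `app` service as it is here. Because the config script hard-codes `ak server`, this override cannot be reused for any other service built from the same image; a comment in the file noting that would help. `mode: 0555` for the entrypoint config is the right choice.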

entrypoint-css-volume.sh Normal file
@ -0,0 +1,5 @@
#!/bin/sh
cp -f /web/dist/assets/custom.css /web/dist/custom.css
su $(id -un 1000) -s /bin/bash -c 'dumb-init -- ak server'
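Review bot: the script has no `set -e`, so when `cp -f /web/dist/assets/custom.css ...` fails (for instance before a custom.css has been placed in the volume) the container still starts, silently without the customisation and with the failure visible only in the logs; `$(id -un 1000)` is unquoted and assumes the image's service user has UID 1000, and if that lookup fails `su` is invoked with an empty username. Suggest `set -eu`, `su "$(id -un 1000)" ...`, and `exec su ...` so that `dumb-init` is not a grandchild of a `sh` running as PID 1 that does not forward container stop signals.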