# authentik

[authentik](https://goauthentik.io/) is an open-source Identity Provider focused on flexibility and versatility.

[List of all possible environment variables](https://goauthentik.io/docs/installation/configuration)

<!-- metadata -->

* **Category**: Apps
* **Status**: 0, work-in-progress
* **Image**: [ghcr/goauthentik/server](https://ghcr.io/goauthentik/server), 4, upstream
* **Healthcheck**: Yes
* **Backups**: Yes
* **Email**: Yes
* **Tests**: No
* **SSO**: Yes

<!-- endmetadata -->

## Quick start

* `abra app new authentik`
* `abra app config <app_name>`
* `abra app secret insert <app_name> email_pass v1 <password>`
* `abra app secret generate -a <app_name>`
* `abra app deploy <app_name>`

## Rotate Secrets

Increment the secret versions using `abra app config <app_name>`, then run:

```
abra app secret generate -a <app_name>
abra app undeploy <app_name>
abra app deploy <app_name>
abra app cmd <app_name> db rotate_db_pass
abra app cmd <app_name> app set_admin_pass
```

## Add SSO for Nextcloud

Uncomment the Nextcloud configuration and set `NEXTCLOUD_DOMAIN` using `abra app config <app_name>`:

```
COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
NEXTCLOUD_DOMAIN=nextcloud.example.com
SECRET_NEXTCLOUD_ID_VERSION=v1
SECRET_NEXTCLOUD_SECRET_VERSION=v1
APP_ICONS="nextcloud:~/.abra/recipes/authentik/icons/nextcloud.png"
```

Set the Nextcloud icon using `abra app cmd -l -d <app_name> set_icons`.

The configuration inside Nextcloud can be found in the [nextcloud recipe](https://git.coopcloud.tech/coop-cloud/nextcloud#authentik-integration).

## Import User from CSV

Users can be imported from a CSV file of the following format:

`First and last name, username, email@example.com, group1;group2;group3`

Run the following command to import the file `users.csv`:

`abra app cmd -l <app_name> import_user users.csv`

Users are only created if the username does not already exist. If a group does not exist, it is created.
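
A dry run of the import rules above, added here as an example and not the recipe's own `import_user` script: it parses the CSV format, rejects rows with a malformed email, and reports which users would be created or skipped and which groups would be created. The sample rows and the sets of existing users and groups are constructed for the example.

```python
import csv
import io
import re

# Constructed sample in the recipe's format (not real accounts):
#   First and last name, username, email@example.com, group1;group2;group3
SAMPLE_CSV = """\
Ada Lovelace, ada, ada@example.com, admins;developers
Grace Hopper, grace, grace@example.com, developers
Alan Turing, alan, not-an-email, developers
Ada Lovelace, ada, ada2@example.com, admins
"""

# Deliberately simple well-formedness check, not a full RFC 5322 validator.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_users(text):
    """Parse the CSV format into (line, name, username, email, groups) tuples."""
    rows = []
    for n, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not any(cell.strip() for cell in row):
            continue  # blank line
        if len(row) != 4:
            raise ValueError(f"line {n}: expected 4 columns, got {len(row)}")
        name, username, email, groups = (cell.strip() for cell in row)
        rows.append((n, name, username, email, [g for g in groups.split(";") if g]))
    return rows


def plan_import(text, existing_users, existing_groups):
    """Dry run of the import rules: a user is created only if the username is new
    (an existing username is skipped, not updated), and unknown groups are created.
    Rows with a malformed email are reported instead of imported."""
    plan = {"create_users": [], "skip_users": [], "create_groups": [], "problems": []}
    seen_users = set(existing_users)
    known_groups = set(existing_groups)
    for n, _name, username, email, groups in parse_users(text):
        if not EMAIL_RE.match(email):
            plan["problems"].append(f"line {n}: malformed email {email!r}")
            continue
        if username in seen_users:
            plan["skip_users"].append(username)  # also catches duplicates within the file
            continue
        seen_users.add(username)
        plan["create_users"].append(username)
        for group in groups:
            if group not in known_groups:
                known_groups.add(group)
                plan["create_groups"].append(group)
    return plan
```

Running `plan_import(SAMPLE_CSV, {"grace"}, {"developers"})` flags the malformed email on line 3 and the duplicate `ada` row before anything is written to authentik.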

## Customization

Place the files you want to overwrite in a directory `<assets_path>`.
Run `abra app config <app_name>` and define the env variable `COPY_ASSETS` in the following format:

```
"<source_file1>|<service>:<target_directory1> <source_file2>|<service>:<target_directory2> ..."
```

For example:

```
COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/"
COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
```

Run this command after every deploy/upgrade:

`abra app command --local <app_name> customize <assets_path>`

## Email templates

Add custom [email templates](https://goauthentik.io/docs/flow/stages/email/#custom-templates):

`abra app cmd -l <app_name> add_email_templates local/path/to/mail_template.html`

## Blueprints

These blueprints overwrite default blueprint values:

- flow_translation.yaml
- flow_authentication.yaml

The following default blueprints will be overwritten by customizations:

- flow-password-change.yaml
- flow-default-authentication-flow.yaml
- flow-default-user-settings-flow.yaml
- flow-default-source-enrollment.yaml

The `abra.sh` function `apply_blueprints` must be run to deactivate these default blueprints, so that the customizations are not overwritten. It also applies flow_translation.yaml and flow_authentication.yaml again.

### Blueprint Overwrite/Use Dependencies

- Recovery with email verification
    - Default - Password change flow
        - USE:
            - `default-password-change-prompt`
            - `default-password-change-write`
    - Default - Authentication flow
        - USE:
            - `default-authentication-login`
- Custom Authentication Flow
    - Default - Authentication flow
        - USE:
            - `default-authentication-password`
        - OVERWRITE:
            - `default-authentication-flow`
        - APPEND:
            - `default-authentication-identification`
            - `default-authentication-login`
        - REMOVE: `authentik_flows.flowstagebinding order:20`
    - Recovery with email verification
        - USE:
            - `default-recovery-flow`
- Invitation Enrollment Flow
    - Default - User settings flow
        - USE:
            - `default-user-settings-field-name`
            - `default-user-settings-field-email`
    - Default - Password change flow
        - USE:
            - `default-password-change-field-password`
            - `default-password-change-field-password-repeat`
    - Default - Authentication flow
        - USE:
            - `default-authentication-login`
    - Default - Source enrollment flow
        - USE:
            - `default-source-enrollment-field-username`
            - `default-source-enrollment-write`
- Custom Invalidation Flow
    - Default - Invalidation flow
        - APPEND_ATTR:
            - `authentik_flows.flowstagebinding order: 0`
- Flow Translations
    - Recovery with email verification
        - APPEND: `default-recovery-flow`
    - Default - Password change flow
        - OVERWRITE:
            - `default-password-change-field-password`
            - `default-password-change-field-password-repeat`
    - Default - User settings flow
        - OVERWRITE:
            - `default-user-settings-field-username`
            - `default-user-settings-field-name`
    - Default - Source enrollment flow
        - OVERWRITE:
            - `default-source-enrollment-field-username`
- Custom System Tenant
    - Default - Tenant
        - APPEND: `authentik_tenants.tenant domain: authentik-default`
    - Recovery with email verification
        - USE:
            - `default-recovery-flow`

### Blueprint Dependency Execution Order

The number gives the execution order of each custom blueprint; the indented items are the blueprints it depends on.

5. Custom System Tenant
    - Default - Tenant
    1. Recovery with email verification
        - Default - Authentication flow
        - Default - Password change flow
4. Invitation Enrollment Flow
3. Flow Translations
    - Default - User settings flow
    - Default - Source enrollment flow
    1. Recovery with email verification
        - Default - Authentication flow
        - Default - Password change flow
2. Custom Authentication Flow
    1. Recovery with email verification
        - Default - Authentication flow
        - Default - Password change flow
6. Custom Invalidation Flow
    - Default - Invalidation flow

For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech).