add sso to readme

Reviewed-on: #5

.drone.yml

@@ -0,0 +1,39 @@
+---
+kind: pipeline
+name: deploy to swarm-test.autonomic.zone
+steps:
+  - name: deployment
+    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
+    settings:
+      host: swarm-test.autonomic.zone
+      stack: cryptpad
+      generate_secrets: true
+      purge: true
+      deploy_key:
+        from_secret: drone_ssh_swarm_test
+      networks:
+        - proxy
+    environment:
+      DOMAIN: cryptpad.swarm-test.autonomic.zone
+      STACK_NAME: cryptpad
+      LETS_ENCRYPT_ENV: production
+      CONFIG_VERSION: v1
+trigger:
+  branch:
+    - main
+---
+kind: pipeline
+name: generate recipe catalogue
+steps:
+  - name: release a new version
+    image: plugins/downstream
+    settings:
+      server: https://build.coopcloud.tech
+      token:
+        from_secret: drone_abra-bot_token
+      fork: true
+      repositories:
+        - toolshed/auto-recipes-catalogue-json
+
+trigger:
+  event: tag

.env.sample

@@ -1,7 +1,28 @@
 TYPE=cryptpad
 
+
 DOMAIN=cryptpad.example.com
 
+# This is a separate domain for the secure side of Cryptpad. It can be any other domain (subdomain or separate domain)
+SANDBOX_DOMAIN=sandbox.cryptpad.example.com
+
+# CRYPTPAD_ADMIN_KEYS
+## here is an example of the format for one single key
+# CRYPTPAD_ADMIN_KEYS= '"[user1@cryptpad.cctest.autonomic.zone/zew-WaKZimxhNSL3iiVL8SCzVzPB8KhIxZNrRKn+uRo=]",'
+## here is an example of the format for multiple keys (including here because it was confusing to me)
+# CRYPTPAD_ADMIN_KEYS='"[user1@cryptpad.cctest.autonomic.zone/zew-WaKZimxhNSL3iiVL8SCzVzPB8KhIxZNrRKn+uRo=]","[user2@cryptpad.cctest.autonomic.zone/Z7agNvwPXHm9xuEYOYV2YY53fSofgzum86xvhUxJ4nU=]",'
+
+
 ## Domain aliases
 #EXTRA_DOMAINS=', `www.cryptpad.example.com`'
 LETS_ENCRYPT_ENV=production
+
+## SSO / OIDC (optional — defaults to false)
+#SSO_ENABLED=true
+#SSO_ENFORCED=false
+#SSO_PROVIDER_NAME=Authentik
+#SSO_OIDC_URL=https://authentik.example.com/application/o/cryptpad
+#SSO_CLIENT_ID=cryptpad
+#SSO_CLIENT_SECRET_VERSION=v1
+#SSO_JWT_ALG=RS256
+#SSO_PLUGIN_VERSION=0.4.0

.gitignore

@@ -1 +1,2 @@
 .envrc
+.idea

README.md

@@ -1,17 +1,17 @@
 # cryptpad
 
-TODO
+[![Build Status](https://build.coopcloud.tech/api/badges/coop-cloud/cryptpad/status.svg)](https://build.coopcloud.tech/coop-cloud/cryptpad)
 
 <!-- metadata -->
 
 * **Category**: Apps
-* **Status**:
-* **Image**:
-* **Healthcheck**:
-* **Backups**:
-* **Email**:
-* **Tests**:
-* **SSO**:
+* **Status**: 3
+* **Image**: cryptpad/cryptpad
+* **Healthcheck**: Yes
+* **Backups**: Yes
+* **Email**: No
+* **Tests**: No
+* **SSO**: Yes
 
 <!-- endmetadata -->
 
@@ -21,10 +21,43 @@ TODO
 2. Deploy [`coop-cloud/traefik`]
 3. `abra app new cryptpad --secrets` (optionally with `--pass` if you'd like
    to save secrets in `pass`)
-4. `abra app YOURAPPDOMAIN config` - be sure to change `$DOMAIN` to something that resolves to
+4. `abra app config YOURAPPDOMAIN` - be sure to change `$DOMAIN` to something that resolves to
    your Docker swarm box
-5. `abra app YOURAPPDOMAIN deploy`
+5. `abra app deploy YOURAPPDOMAIN`
 6. Open the configured domain in your browser to finish set-up
 
+At this point, anyone with this domain can register new users with this cryptpad instance.
+
+After you have registered a first user, here is how you can make this user into an admin.
+After logging in as your user, go to: https://cryptpad.cctest.autonomic.zone/profile/
+
+Click "Copy Public Key". This will copy your public key into your clipboard. 
+Then run `abra app config YOURAPPDOMAIN` and set the value of CRYPTPAD_ADMIN_KEYS
+to include your public key. The example in .env.sample shows the required format. 
+
+Then redeploy with `abra app deploy YOURAPPDOMAIN --force`. 
+
+Now when you login as your user, and visit https://cryptpad.cctest.autonomic.zone/admin/,
+you should be able to access the admin interface for this cryptpad instance. 
+
+## SSO
+
+To enable SSO, run `abra app config YOURAPPDOMAIN` and set `SSO_ENABLED=true`. On the next deploy, the [CryptPad SSO plugin](https://github.com/cryptpad/sso) will be installed automatically.
+
+You also need to configure the remaining SSO environment variables for your OIDC provider:
+
+- `SSO_PROVIDER_NAME` — display name shown on the login button (e.g. `Keycloak`, `Authentik`)
+- `SSO_OIDC_URL` — OIDC discovery URL for your provider
+- `SSO_CLIENT_ID` — OAuth2 client ID
+- `SSO_JWT_ALG` — JWT signing algorithm (e.g. `RS256`)
+
+The client secret is stored as a Docker secret. Insert it with:
+
+```
+abra app secret insert YOURAPPDOMAIN sso_client_s v1 YOUR_CLIENT_SECRET
+```
+
+Then deploy (or redeploy) to apply: `abra app deploy YOURAPPDOMAIN --force`.
+
 [`abra`]: https://git.coopcloud.tech/coop-cloud/abra
-[`coop-cloud/traefik`]: https://git.coopcloud.tech/coop-cloud/traefik
+[`coop-cloud/traefik`]: https://git.coopcloud.tech/coop-cloud/traefik

abra.sh

@@ -0,0 +1,5 @@
+export CONFIG_VERSION=v2
+export CONFIG_JS_VERSION=v2
+export NGINX_CONF_VERSION=v1
+export SSO_ENTRYPOINT_VERSION=v6
+export SSO_JS_VERSION=v3

compose.yml

@@ -3,16 +3,30 @@ version: "3.8"
 
 services:
   app:
-    image: promasu/cryptpad:v4.12.1-nginx
+    image: cryptpad/cryptpad:version-2026.2.0
+    entrypoint: ["/sso-entrypoint.sh", "/cryptpad/docker-entrypoint.sh"]
+    command: ["npm", "start"]
     networks:
-      - proxy
+      - backend
     environment:
+      - CRYPTPAD_ADMIN_KEYS
       - "CPAD_MAIN_DOMAIN=${DOMAIN}"
-      - "CPAD_SANDBOX_DOMAIN=sandbox.${DOMAIN}"
-      # Traefik can't use HTTP2 to communicate with cryptpat_websocket
+      - "CPAD_SANDBOX_DOMAIN=${SANDBOX_DOMAIN}"
+      # Traefik can't use HTTP2 to communicate with cryptpad_websocket
       # A workaroung is disabling HTTP2 in Nginx
-      - CPAD_HTTP2_DISABLE=true
-
+      - "CPAD_HTTP2_DISABLE=true"
+      - "CPAD_TRUST_PROXY=1"
+      - "CPAD_CONF=/cryptpad/config/config.js"
+      # SSO plugin
+      - SSO_PLUGIN_VERSION
+      - "SSO_ENABLED=${SSO_ENABLED:-false}"
+      - SSO_ENFORCED
+      - SSO_PROVIDER_NAME
+      - SSO_OIDC_URL
+      - SSO_CLIENT_ID
+      - SSO_JWT_ALG
+    secrets:
+      - sso_client_s
     volumes:
       - cryptpad_blob:/cryptpad/blob
       - cryptpad_block:/cryptpad/block
@@ -20,33 +34,57 @@ services:
       - cryptpad_data:/cryptpad/data
       - cryptpad_files:/cryptpad/datastore
       - cryptpad_config:/cryptpad/config/
+      - cryptpad_plugins:/cryptpad/lib/plugins
+    configs:
+      - source: config_js
+        target: /cryptpad/config/config.js
+      - source: sso_entrypoint
+        target: /sso-entrypoint.sh
+        mode: 0755
+      - source: sso_js
+        target: /sso.js
 
     deploy:
       restart_policy:
         condition: on-failure
+      labels:
+        - "traefik.enable=false"
+        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
+        - "coop-cloud.${STACK_NAME}.version=0.5.1+v2026.2.0"
+        - "backupbot.backup=true"
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:3000"]
+      interval: 30s
+      timeout: 10s
+      retries: 10
+      start_period: 1m
+
+  web:
+    image: nginx:1.29
+    configs:
+      - source: nginx_conf
+        target: /etc/nginx/conf.d/default.conf
+    networks:
+      proxy:
+      backend:
+    depends_on:
+      - app
+    environment:
+      - STACK_NAME
+    deploy:
       labels:
         - "traefik.enable=true"
-        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
-        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`, `sandbox.${DOMAIN}`${EXTRA_DOMAINS})"
-        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
+        - "traefik.docker.network=proxy"
+        - "traefik.http.routers.${STACK_NAME}.tls=true"
+        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8083"
+        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`, `${SANDBOX_DOMAIN}` ${EXTRA_DOMAINS})"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "traefik.http.routers.${STACK_NAME}.tls.domains[0].main=${DOMAIN}"
-        - "traefik.http.routers.${STACK_NAME}.tls.domains[0].sans=sandbox.${DOMAIN}"
-        ## Redirect from EXTRA_DOMAINS to DOMAIN
-        #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
-        #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
-        #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
-        - "coop-cloud.${STACK_NAME}.version=0.2.0+v4.12.1-nginx"
-    # healthcheck:
-    #   test: ["CMD", "curl", "-f", "http://localhost"]
-    #   interval: 30s
-    #   timeout: 10s
-    #   retries: 10
-    #   start_period: 1m
+        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
 
 networks:
   proxy:
     external: true
+  backend:
 
 volumes:
   cryptpad_blob:
@@ -55,3 +93,26 @@ volumes:
   cryptpad_data:
   cryptpad_files:
   cryptpad_config:
+  cryptpad_plugins:
+
+secrets:
+  sso_client_s:
+    external: true
+    name: ${STACK_NAME}_sso_client_s_${SSO_CLIENT_SECRET_VERSION}
+
+configs:
+  config_js:
+    name: ${STACK_NAME}_config_${CONFIG_VERSION}
+    file: config.js.tmpl
+    template_driver: golang
+  nginx_conf:
+    name: ${STACK_NAME}_nginx_conf_${NGINX_CONF_VERSION}
+    file: nginx.conf.tmpl
+    template_driver: golang
+  sso_entrypoint:
+    name: ${STACK_NAME}_sso_entrypoint_${SSO_ENTRYPOINT_VERSION}
+    file: sso-entrypoint.sh
+  sso_js:
+    name: ${STACK_NAME}_sso_js_${SSO_JS_VERSION}
+    file: sso.js.tmpl
+    template_driver: golang

config.js.tmpl

@@ -0,0 +1,282 @@
+/* globals module */
+
+/*  DISCLAIMER:
+
+    There are two recommended methods of running a CryptPad instance:
+
+    1. Using a standalone nodejs server without HTTPS (suitable for local development)
+    2. Using NGINX to serve static assets and to handle HTTPS for API server's websocket traffic
+
+    We do not officially recommend or support Apache, Docker, Kubernetes, Traefik, or any other configuration.
+    Support requests for such setups should be directed to their authors.
+
+    If you're having difficulty difficulty configuring your instance
+    we suggest that you join the project's Matrix channel.
+
+    If you don't have any difficulty configuring your instance and you'd like to
+    support us for the work that went into making it pain-free we are quite happy
+    to accept donations via our opencollective page: https://opencollective.com/cryptpad
+
+*/
+module.exports = {
+/*  CryptPad is designed to serve its content over two domains.
+ *  Account passwords and cryptographic content is handled on the 'main' domain,
+ *  while the user interface is loaded on a 'sandbox' domain
+ *  which can only access information which the main domain willingly shares.
+ *
+ *  In the event of an XSS vulnerability in the UI (that's bad)
+ *  this system prevents attackers from gaining access to your account (that's good).
+ *
+ *  Most problems with new instances are related to this system blocking access
+ *  because of incorrectly configured sandboxes. If you only see a white screen
+ *  when you try to load CryptPad, this is probably the cause.
+ *
+ *  PLEASE READ THE FOLLOWING COMMENTS CAREFULLY.
+ *
+ */
+
+/*  httpUnsafeOrigin is the URL that clients will enter to load your instance.
+ *  Any other URL that somehow points to your instance is supposed to be blocked.
+ *  The default provided below assumes you are loading CryptPad from a server
+ *  which is running on the same machine, using port 3000.
+ *
+ *  In a production instance this should be available ONLY over HTTPS
+ *  using the default port for HTTPS (443) ie. https://cryptpad.fr
+ *  In such a case this should be also handled by NGINX, as documented in
+ *  cryptpad/docs/example.nginx.conf (see the $main_domain variable)
+ *
+ */
+    httpUnsafeOrigin: 'https://{{ env "CPAD_MAIN_DOMAIN" }}',
+
+/*  httpSafeOrigin is the URL that is used for the 'sandbox' described above.
+ *  If you're testing or developing with CryptPad on your local machine then
+ *  it is appropriate to leave this blank. The default behaviour is to serve
+ *  the main domain over port 3000 and to serve the sandbox content over port 3001.
+ *
+ *  This is not appropriate in a production environment where invasive networks
+ *  may filter traffic going over abnormal ports.
+ *  To correctly configure your production instance you must provide a URL
+ *  with a different domain (a subdomain is sufficient).
+ *  It will be used to load the UI in our 'sandbox' system.
+ *
+ *  This value corresponds to the $sandbox_domain variable
+ *  in the example nginx file.
+ *
+ *  Note that in order for the sandboxing system to be effective
+ *  httpSafeOrigin must be different from httpUnsafeOrigin.
+ *
+ *  CUSTOMIZE AND UNCOMMENT THIS FOR PRODUCTION INSTALLATIONS.
+ */
+    httpSafeOrigin: 'https://{{ env "CPAD_SANDBOX_DOMAIN" }}',
+
+/*  httpAddress specifies the address on which the nodejs server
+ *  should be accessible. By default it will listen on 127.0.0.1
+ *  (IPv4 localhost on most systems). If you want it to listen on
+ *  all addresses, including IPv6, set this to '::'.
+ *
+ */
+    httpAddress: '::',
+
+/*  httpPort specifies on which port the nodejs server should listen.
+ *  By default it will serve content over port 3000, which is suitable
+ *  for both local development and for use with the provided nginx example,
+ *  which will proxy websocket traffic to your node server.
+ *
+ */
+    //httpPort: 3000,
+
+/*  httpSafePort allows you to specify an alternative port from which
+ *  the node process should serve sandboxed assets. The default value is
+ *  that of your httpPort + 1. You probably don't need to change this.
+ *
+ */
+    //httpSafePort: 3001,
+
+/*  CryptPad will launch a child process for every core available
+ *  in order to perform CPU-intensive tasks in parallel.
+ *  Some host environments may have a very large number of cores available
+ *  or you may want to limit how much computing power CryptPad can take.
+ *  If so, set 'maxWorkers' to a positive integer.
+ */
+    // maxWorkers: 4,
+
+    /* =====================
+     *         Admin
+     * ===================== */
+
+    /*
+     *  CryptPad contains an administration panel. Its access is restricted to specific
+     *  users using the following list.
+     *  To give access to the admin panel to a user account, just add their public signing
+     *  key, which can be found on the settings page for registered users.
+     *  Entries should be strings separated by a comma.
+     */
+    adminKeys: [
+        {{ env "CRYPTPAD_ADMIN_KEYS" }}
+    ],
+
+    /* =====================
+     *        STORAGE
+     * ===================== */
+
+    /*  Pads that are not 'pinned' by any registered user can be set to expire
+     *  after a configurable number of days of inactivity (default 90 days).
+     *  The value can be changed or set to false to remove expiration.
+     *  Expired pads can then be removed using a cron job calling the
+     *  `evict-inactive.js` script with node
+     *
+     *  defaults to 90 days if nothing is provided
+     */
+    //inactiveTime: 90, // days
+
+    /*  CryptPad archives some data instead of deleting it outright.
+     *  This archived data still takes up space and so you'll probably still want to
+     *  remove these files after a brief period.
+     *
+     *  cryptpad/scripts/evict-inactive.js is intended to be run daily
+     *  from a crontab or similar scheduling service.
+     *
+     *  The intent with this feature is to provide a safety net in case of accidental
+     *  deletion. Set this value to the number of days you'd like to retain
+     *  archived data before it's removed permanently.
+     *
+     *  defaults to 15 days if nothing is provided
+     */
+    //archiveRetentionTime: 15,
+
+    /*  It's possible to configure your instance to remove data
+     *  stored on behalf of inactive accounts. Set 'accountRetentionTime'
+     *  to the number of days an account can remain idle before its
+     *  documents and other account data is removed.
+     *
+     *  Leave this value commented out to preserve all data stored
+     *  by user accounts regardless of inactivity.
+     */
+     //accountRetentionTime: 365,
+
+    /*  Starting with CryptPad 3.23.0, the server automatically runs
+     *  the script responsible for removing inactive data according to
+     *  your configured definition of inactivity. Set this value to `true`
+     *  if you prefer not to remove inactive data, or if you prefer to
+     *  do so manually using `scripts/evict-inactive.js`.
+     */
+    //disableIntegratedEviction: true,
+
+
+    /*  Max Upload Size (bytes)
+     *  this sets the maximum size of any one file uploaded to the server.
+     *  anything larger than this size will be rejected
+     *  defaults to 20MB if no value is provided
+     */
+    //maxUploadSize: 20 * 1024 * 1024,
+
+    /*  Users with premium accounts (those with a plan included in their customLimit)
+     *  can benefit from an increased upload size limit. By default they are restricted to the same
+     *  upload size as any other registered user.
+     *
+     */
+    //premiumUploadSize: 100 * 1024 * 1024,
+
+    /* =====================
+     *   DATABASE VOLUMES
+     * ===================== */
+
+    /*
+     *  CryptPad stores each document in an individual file on your hard drive.
+     *  Specify a directory where files should be stored.
+     *  It will be created automatically if it does not already exist.
+     */
+    filePath: './datastore/',
+
+    /*  CryptPad offers the ability to archive data for a configurable period
+     *  before deleting it, allowing a means of recovering data in the event
+     *  that it was deleted accidentally.
+     *
+     *  To set the location of this archive directory to a custom value, change
+     *  the path below:
+     */
+    archivePath: './data/archive',
+
+    /*  CryptPad allows logged in users to request that particular documents be
+     *  stored by the server indefinitely. This is called 'pinning'.
+     *  Pin requests are stored in a pin-store. The location of this store is
+     *  defined here.
+     */
+    pinPath: './data/pins',
+
+    /*  if you would like the list of scheduled tasks to be stored in
+        a custom location, change the path below:
+    */
+    taskPath: './data/tasks',
+
+    /*  if you would like users' authenticated blocks to be stored in
+        a custom location, change the path below:
+    */
+    blockPath: './block',
+
+    /*  CryptPad allows logged in users to upload encrypted files. Files/blobs
+     *  are stored in a 'blob-store'. Set its location here.
+     */
+    blobPath: './blob',
+
+    /*  CryptPad stores incomplete blobs in a 'staging' area until they are
+     *  fully uploaded. Set its location here.
+     */
+    blobStagingPath: './data/blobstage',
+
+    decreePath: './data/decrees',
+
+    /* CryptPad supports logging events directly to the disk in a 'logs' directory
+     * Set its location here, or set it to false (or nothing) if you'd rather not log
+     */
+    logPath: './data/logs',
+
+    /* =====================
+     *       Debugging
+     * ===================== */
+
+    /*  CryptPad can log activity to stdout
+     *  This may be useful for debugging
+     */
+    logToStdout: true,
+
+    /* CryptPad can be configured to log more or less
+     * the various settings are listed below by order of importance
+     *
+     * silly, verbose, debug, feedback, info, warn, error
+     *
+     * Choose the least important level of logging you wish to see.
+     * For example, a 'silly' logLevel will display everything,
+     * while 'info' will display 'info', 'warn', and 'error' logs
+     *
+     * This will affect both logging to the console and the disk.
+     */
+    logLevel: 'info',
+
+    /*  clients can use the /settings/ app to opt out of usage feedback
+     *  which informs the server of things like how much each app is being
+     *  used, and whether certain clientside features are supported by
+     *  the client's browser. The intent is to provide feedback to the admin
+     *  such that the service can be improved. Enable this with `true`
+     *  and ignore feedback with `false` or by commenting the attribute
+     *
+     *  You will need to set your logLevel to include 'feedback'. Set this
+     *  to false if you'd like to exclude feedback from your logs.
+     */
+    logFeedback: false,
+
+    /*  CryptPad supports verbose logging
+     *  (false by default)
+     */
+    verbose: false,
+
+    /*  Surplus information:
+     *
+     *  'installMethod' is included in server telemetry to voluntarily
+     *  indicate how many instances are using unofficial installation methods
+     *  such as Docker.
+     *
+     */
+    installMethod: 'unspecified',
+};
+

nginx.conf.tmpl

@@ -0,0 +1,39 @@
+server {
+    listen 8083;
+    server_name localhost;
+
+    access_log /var/log/cpad.log;
+    error_log /var/log/cpad-error.log;
+    #access_log /dev/null;
+    #error_log /dev/null emerg;
+
+    # Main CryptPad app
+    location / {
+        proxy_pass http://{{ env "STACK_NAME" }}_app:3000;
+
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        client_max_body_size 150m;
+
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection upgrade;
+    }
+
+    # WebSocket endpoint
+    location ^~ /cryptpad_websocket {
+        proxy_pass http://{{ env "STACK_NAME" }}_app:3003;
+
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection upgrade;
+    }
+}

sso-entrypoint.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+set -e
+
+# SSO plugin installer — runs before the original CryptPad entrypoint.
+# Clones the cryptpad/sso plugin into the plugins volume if not already present
+# or if the version has changed.
+
+# Skips SSO setup entirely when SSO_ENABLED is not "true".
+if [ "${SSO_ENABLED}" != "true" ]; then
+  echo "[sso-entrypoint] SSO not enabled, skipping plugin install"
+  exec "$@"
+fi
+
+PLUGIN_DIR="/cryptpad/lib/plugins/sso"
+VERSION_FILE="${PLUGIN_DIR}/.version"
+SSO_PLUGIN_VERSION="${SSO_PLUGIN_VERSION:-0.4.0}"
+
+# Copy SSO config template into place (mounted as Docker config)
+if [ -f /sso.js ]; then
+  cp /sso.js /cryptpad/config/sso.js
+  echo "[sso-entrypoint] Copied sso.js config into /cryptpad/config/sso.js"
+fi
+
+# Install/update the SSO plugin
+if [ -f "${VERSION_FILE}" ] && [ "$(cat "${VERSION_FILE}")" = "${SSO_PLUGIN_VERSION}" ]; then
+  echo "[sso-entrypoint] SSO plugin ${SSO_PLUGIN_VERSION} already installed"
+else
+  echo "[sso-entrypoint] Installing SSO plugin ${SSO_PLUGIN_VERSION} ..."
+  rm -rf "${PLUGIN_DIR}"
+  git clone --depth 1 --branch "${SSO_PLUGIN_VERSION}" \
+    https://github.com/cryptpad/sso.git "${PLUGIN_DIR}"
+  echo "${SSO_PLUGIN_VERSION}" > "${VERSION_FILE}"
+  echo "[sso-entrypoint] SSO plugin installed"
+fi
+
+# Hand off to the original CryptPad entrypoint
+exec "$@"

sso.js.tmpl

@@ -0,0 +1,21 @@
+// CryptPad SSO configuration — generated from environment variables
+// See https://github.com/cryptpad/sso for documentation
+
+module.exports = {
+    enabled: "{{ env "SSO_ENABLED" }}" === "true",
+    enforced: "{{ env "SSO_ENFORCED" }}" === "true",
+    cpPassword: true,
+    forceCpPassword: false,
+    list: [
+        {
+            name: "{{ env "SSO_PROVIDER_NAME" }}",
+            type: "oidc",
+            url: "{{ env "SSO_OIDC_URL" }}",
+            client_id: "{{ env "SSO_CLIENT_ID" }}",
+            client_secret: "{{ secret "sso_client_s" }}",
+            id_token_alg: "{{ env "SSO_JWT_ALG" }}",
+            use_pkce: true,
+            use_nonce: true
+        }
+    ]
+};