bump to 0.5.2+v2026.2.0

Merge pull request 'split sso compose into two compose' (#6 ) from two-compose into main
Reviewed-on: #6
2026-03-01 19:50:02 -05:00 · 2026-03-02 00:49:32 +00:00 · 2026-03-01 19:47:47 -05:00 · 2026-02-28 22:05:44 -05:00 · 2026-02-28 22:05:44 -05:00 · 2026-03-01 03:02:35 +00:00
7 changed files with 154 additions and 14 deletions
--- a/.env.sample
+++ b/.env.sample
@ -1,5 +1,6 @@
 TYPE=cryptpad

+COMPOSE_FILE="compose.yml"

 DOMAIN=cryptpad.example.com

@ -16,3 +17,14 @@ SANDBOX_DOMAIN=sandbox.cryptpad.example.com
 ## Domain aliases
 #EXTRA_DOMAINS=', `www.cryptpad.example.com`'
 LETS_ENCRYPT_ENV=production
+
+## SSO / OIDC (optional — uncomment below and add compose.sso.yml to COMPOSE_FILE to enable)
+# COMPOSE_FILE="$COMPOSE_FILE:compose.sso.yml"
+#SSO_ENABLED=true
+#SSO_ENFORCED=false
+#SSO_PROVIDER_NAME=Authentik
+#SSO_OIDC_URL=https://authentik.example.com/application/o/cryptpad
+#SSO_CLIENT_ID=cryptpad
+#SSO_CLIENT_SECRET_VERSION=v1
+#SSO_JWT_ALG=RS256
+#SSO_PLUGIN_VERSION=0.4.0
--- a/README.md
+++ b/README.md
@ -5,13 +5,13 @@
 <!-- metadata -->

 * **Category**: Apps
-* **Status**: 0
+* **Status**: 3
 * **Image**: cryptpad/cryptpad
-* **Healthcheck**: No
-* **Backups**: No
+* **Healthcheck**: Yes
+* **Backups**: Yes
 * **Email**: No
 * **Tests**: No
-* **SSO**: No
+* **SSO**: Yes

 <!-- endmetadata -->

@ -40,5 +40,31 @@ Then redeploy with `abra app deploy YOURAPPDOMAIN --force`.
 Now when you login as your user, and visit https://cryptpad.cctest.autonomic.zone/admin/,
 you should be able to access the admin interface for this cryptpad instance. 

+## SSO
+
+SSO support is provided by `compose.sso.yml`. To enable it, add the SSO compose file and set the SSO variables in your app config:
+
+```
+COMPOSE_FILE="compose.yml:compose.sso.yml"
+SSO_ENABLED=true
+```
+
+On the next deploy, the [CryptPad SSO plugin](https://github.com/cryptpad/sso) will be installed automatically.
+
+You also need to configure the remaining SSO environment variables for your OIDC provider:
+
+- `SSO_PROVIDER_NAME` — display name shown on the login button (e.g. `Keycloak`, `Authentik`)
+- `SSO_OIDC_URL` — OIDC discovery URL for your provider
+- `SSO_CLIENT_ID` — OAuth2 client ID
+- `SSO_JWT_ALG` — JWT signing algorithm (e.g. `RS256`)
+
+The client secret is stored as a Docker secret. Insert it with:
+
+```
+abra app secret insert YOURAPPDOMAIN sso_client_s v1 YOUR_CLIENT_SECRET
+```
+
+Then deploy (or redeploy) to apply: `abra app deploy YOURAPPDOMAIN --force`.
+
 [`abra`]: https://git.coopcloud.tech/coop-cloud/abra
 [`coop-cloud/traefik`]: https://git.coopcloud.tech/coop-cloud/traefik
--- a/abra.sh
+++ b/abra.sh
@ -1,3 +1,5 @@
 export CONFIG_VERSION=v2
 export CONFIG_JS_VERSION=v2
 export NGINX_CONF_VERSION=v1
+export SSO_ENTRYPOINT_VERSION=v6
+export SSO_JS_VERSION=v3
--- a/compose.sso.yml
+++ b/compose.sso.yml
@ -0,0 +1,41 @@
+---
+version: "3.8"
+
+services:
+  app:
+    entrypoint: ["/sso-entrypoint.sh", "/cryptpad/docker-entrypoint.sh"]
+    environment:
+      - SSO_PLUGIN_VERSION
+      - "SSO_ENABLED=${SSO_ENABLED:-false}"
+      - SSO_ENFORCED
+      - SSO_PROVIDER_NAME
+      - SSO_OIDC_URL
+      - SSO_CLIENT_ID
+      - SSO_JWT_ALG
+    secrets:
+      - sso_client_s
+    volumes:
+      - cryptpad_plugins:/cryptpad/lib/plugins
+    configs:
+      - source: sso_entrypoint
+        target: /sso-entrypoint.sh
+        mode: 0755
+      - source: sso_js
+        target: /sso.js
+
+volumes:
+  cryptpad_plugins:
+
+secrets:
+  sso_client_s:
+    external: true
+    name: ${STACK_NAME}_sso_client_s_${SSO_CLIENT_SECRET_VERSION}
+
+configs:
+  sso_entrypoint:
+    name: ${STACK_NAME}_sso_entrypoint_${SSO_ENTRYPOINT_VERSION}
+    file: sso-entrypoint.sh
+  sso_js:
+    name: ${STACK_NAME}_sso_js_${SSO_JS_VERSION}
+    file: sso.js.tmpl
+    template_driver: golang
--- a/compose.yml
+++ b/compose.yml
@ -3,7 +3,8 @@ version: "3.8"

 services:
  app:
-    image: cryptpad/cryptpad:version-2025.9.0
+    image: cryptpad/cryptpad:version-2026.2.0
+    command: ["npm", "start"]
    networks:
      - backend
    environment:
@ -15,7 +16,6 @@ services:
      - "CPAD_HTTP2_DISABLE=true"
      - "CPAD_TRUST_PROXY=1"
      - "CPAD_CONF=/cryptpad/config/config.js"
-
    volumes:
      - cryptpad_blob:/cryptpad/blob
      - cryptpad_block:/cryptpad/block
@ -33,16 +33,17 @@ services:
      labels:
        - "traefik.enable=false"
        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
-        - "coop-cloud.${STACK_NAME}.version=0.4.1+version-2025.9.0"
-    # healthcheck:
-    #   test: ["CMD", "curl", "-f", "http://localhost"]
-    #   interval: 30s
-    #   timeout: 10s
-    #   retries: 10
-    #   start_period: 1m
+        - "coop-cloud.${STACK_NAME}.version=0.5.2+v2026.2.0"
+        - "backupbot.backup=true"
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:3000"]
+      interval: 30s
+      timeout: 10s
+      retries: 10
+      start_period: 1m

  web:
-    image: nginx:1.25
+    image: nginx:1.29
    configs:
      - source: nginx_conf
        target: /etc/nginx/conf.d/default.conf
--- a/sso-entrypoint.sh
+++ b/sso-entrypoint.sh
@ -0,0 +1,37 @@
+#!/bin/bash
+set -e
+
+# SSO plugin installer — runs before the original CryptPad entrypoint.
+# Clones the cryptpad/sso plugin into the plugins volume if not already present
+# or if the version has changed.
+
+# Skips SSO setup entirely when SSO_ENABLED is not "true".
+if [ "${SSO_ENABLED}" != "true" ]; then
+  echo "[sso-entrypoint] SSO not enabled, skipping plugin install"
+  exec "$@"
+fi
+
+PLUGIN_DIR="/cryptpad/lib/plugins/sso"
+VERSION_FILE="${PLUGIN_DIR}/.version"
+SSO_PLUGIN_VERSION="${SSO_PLUGIN_VERSION:-0.4.0}"
+
+# Copy SSO config template into place (mounted as Docker config)
+if [ -f /sso.js ]; then
+  cp /sso.js /cryptpad/config/sso.js
+  echo "[sso-entrypoint] Copied sso.js config into /cryptpad/config/sso.js"
+fi
+
+# Install/update the SSO plugin
+if [ -f "${VERSION_FILE}" ] && [ "$(cat "${VERSION_FILE}")" = "${SSO_PLUGIN_VERSION}" ]; then
+  echo "[sso-entrypoint] SSO plugin ${SSO_PLUGIN_VERSION} already installed"
+else
+  echo "[sso-entrypoint] Installing SSO plugin ${SSO_PLUGIN_VERSION} ..."
+  rm -rf "${PLUGIN_DIR}"
+  git clone --depth 1 --branch "${SSO_PLUGIN_VERSION}" \
+    https://github.com/cryptpad/sso.git "${PLUGIN_DIR}"
+  echo "${SSO_PLUGIN_VERSION}" > "${VERSION_FILE}"
+  echo "[sso-entrypoint] SSO plugin installed"
+fi
+
+# Hand off to the original CryptPad entrypoint
+exec "$@"
--- a/sso.js.tmpl
+++ b/sso.js.tmpl
@ -0,0 +1,21 @@
+// CryptPad SSO configuration — generated from environment variables
+// See https://github.com/cryptpad/sso for documentation
+
+module.exports = {
+    enabled: "{{ env "SSO_ENABLED" }}" === "true",
+    enforced: "{{ env "SSO_ENFORCED" }}" === "true",
+    cpPassword: true,
+    forceCpPassword: false,
+    list: [
+        {
+            name: "{{ env "SSO_PROVIDER_NAME" }}",
+            type: "oidc",
+            url: "{{ env "SSO_OIDC_URL" }}",
+            client_id: "{{ env "SSO_CLIENT_ID" }}",
+            client_secret: "{{ secret "sso_client_s" }}",
+            id_token_alg: "{{ env "SSO_JWT_ALG" }}",
+            use_pkce: true,
+            use_nonce: true
+        }
+    ]
+};
Author	SHA1	Message	Date
notplants	9922390ce3	bump to 0.5.2+v2026.2.0 Some checks failed continuous-integration/drone/push Build is failing Details	2026-03-01 19:50:02 -05:00
notplants	c1ee1d9817	Merge pull request 'split sso compose into two compose' (#6 ) from two-compose into main Some checks failed continuous-integration/drone/push Build is failing Details Reviewed-on: #6	2026-03-02 00:49:32 +00:00
notplants	d3b1bb4f29	split sso compose into two compose	2026-03-01 19:47:47 -05:00
notplants	800e8426ce	add sso to readme Some checks failed continuous-integration/drone/push Build is failing Details	2026-02-28 22:05:44 -05:00
notplants	97209123e0	bump to 0.5.1+v2026.2.0	2026-02-28 22:05:44 -05:00
notplants	899f9d9da0	Merge pull request 'Add SSO Plugin' (#5 ) from sso into main Some checks failed continuous-integration/drone/push Build is failing Details Reviewed-on: #5	2026-03-01 03:02:35 +00:00
notplants	f31c12299d	bump to 0.5.1+v2026.2.0	2026-03-01 02:54:27 +00:00
notplants	b8f074e0a7	move SSO client secret to Docker secret, gate SSO entrypoint on SSO_ENABLED	2026-03-01 02:48:46 +00:00
notplants	bd2488ffea	working sso	2026-02-28 21:01:52 -05:00
notplants	61b41e2866	working on sso	2026-02-28 16:52:32 -05:00
notplants	db049838e9	Merge pull request 'upgrade to 0.5.0+version-2026.2.0' (#4 ) from update into main Some checks failed continuous-integration/drone/push Build is failing Details Reviewed-on: #4	2026-02-17 16:44:22 +00:00
notplants	694e6b1a72	chore: upgrade to 0.5.0+v2026.2.0 All checks were successful continuous-integration/drone/tag Build is passing Details Upgrade CryptPad from version-2025.9.0 to version-2026.2.0 and nginx from 1.25 to 1.29. Enable healthcheck on the app service. Update README metadata for healthcheck and backup status.	2026-02-17 16:29:41 +00:00
notplants	3d92f35437	update	2026-02-17 11:03:48 -05:00
notplants	738f1af43e	Add backup functionality	2026-02-17 10:32:54 -05:00
notplants	157f439441	Merge pull request 'Modify recipe to use nginx' (#3 ) from with-nginx into main Some checks failed continuous-integration/drone/push Build is failing Details continuous-integration/drone/tag Build is passing Details Reviewed-on: #3	2026-01-13 18:15:46 +00:00