Merge pull request 'Shorten config name to fit char limits' (#10) from shorten into main

Reviewed-on: #10

.env.sample

@@ -1,5 +1,6 @@
 TYPE=cryptpad
 
+COMPOSE_FILE="compose.yml"
 
 DOMAIN=cryptpad.example.com
 
@@ -17,7 +18,12 @@ SANDBOX_DOMAIN=sandbox.cryptpad.example.com
 #EXTRA_DOMAINS=', `www.cryptpad.example.com`'
 LETS_ENCRYPT_ENV=production
 
-## SSO / OIDC (optional — defaults to false)
+## Set to true to block unregistered users from accessing any CryptPad applications
+## See https://docs.cryptpad.org/en/admin_guide/customization.html#restricting-guest-access
+#RESTRICT_GUEST_ACCESS=false
+
+## SSO / OIDC (optional — uncomment below and add compose.sso.yml to COMPOSE_FILE to enable)
+# COMPOSE_FILE="$COMPOSE_FILE:compose.sso.yml"
 #SSO_ENABLED=true
 #SSO_ENFORCED=false
 #SSO_PROVIDER_NAME=Authentik

README.md

@@ -42,7 +42,14 @@ you should be able to access the admin interface for this cryptpad instance.
 
 ## SSO
 
-To enable SSO, run `abra app config YOURAPPDOMAIN` and set `SSO_ENABLED=true`. On the next deploy, the [CryptPad SSO plugin](https://github.com/cryptpad/sso) will be installed automatically.
+SSO support is provided by `compose.sso.yml`. To enable it, add the SSO compose file and set the SSO variables in your app config:
+
+```
+COMPOSE_FILE="compose.yml:compose.sso.yml"
+SSO_ENABLED=true
+```
+
+On the next deploy, the [CryptPad SSO plugin](https://github.com/cryptpad/sso) will be installed automatically.
 
 You also need to configure the remaining SSO environment variables for your OIDC provider:
 

abra.sh

@@ -3,3 +3,4 @@ export CONFIG_JS_VERSION=v2
 export NGINX_CONF_VERSION=v1
 export SSO_ENTRYPOINT_VERSION=v6
 export SSO_JS_VERSION=v3
+export APP_CONFIG_JS_VERSION=v1

application_config.js.tmpl

@@ -0,0 +1,24 @@
+// CryptPad application customization — generated from environment variables
+// See https://docs.cryptpad.org/en/admin_guide/customization.html
+// For default file, see: https://github.com/cryptpad/cryptpad/blob/main/customize.dist/application_config.js
+
+(() => {
+const factory = (AppConfig) => {
+    {{ if eq (env "RESTRICT_GUEST_ACCESS") "true" }}
+    // Block unregistered users from accessing any applications
+    AppConfig.registeredOnlyTypes = AppConfig.availablePadTypes.slice();
+    {{ end }}
+
+    return AppConfig;
+};
+
+// Do not change code below
+if (typeof(module) !== 'undefined' && module.exports) {
+    module.exports = factory(
+        require('../www/common/application_config_internal.js')
+    );
+} else if ((typeof(define) !== 'undefined' && define !== null) && (define.amd !== null)) {
+    define(['/common/application_config_internal.js'], factory);
+}
+
+})();

compose.sso.yml

@@ -0,0 +1,41 @@
+---
+version: "3.8"
+
+services:
+  app:
+    entrypoint: ["/sso-entrypoint.sh", "/cryptpad/docker-entrypoint.sh"]
+    environment:
+      - SSO_PLUGIN_VERSION
+      - "SSO_ENABLED=${SSO_ENABLED:-false}"
+      - SSO_ENFORCED
+      - SSO_PROVIDER_NAME
+      - SSO_OIDC_URL
+      - SSO_CLIENT_ID
+      - SSO_JWT_ALG
+    secrets:
+      - sso_client_s
+    volumes:
+      - cryptpad_plugins:/cryptpad/lib/plugins
+    configs:
+      - source: sso_entrypoint
+        target: /sso-entrypoint.sh
+        mode: 0755
+      - source: sso_js
+        target: /sso.js
+
+volumes:
+  cryptpad_plugins:
+
+secrets:
+  sso_client_s:
+    external: true
+    name: ${STACK_NAME}_sso_client_s_${SSO_CLIENT_SECRET_VERSION}
+
+configs:
+  sso_entrypoint:
+    name: ${STACK_NAME}_sso_entrypoint_${SSO_ENTRYPOINT_VERSION}
+    file: sso-entrypoint.sh
+  sso_js:
+    name: ${STACK_NAME}_sso_js_${SSO_JS_VERSION}
+    file: sso.js.tmpl
+    template_driver: golang

compose.yml

@@ -4,7 +4,6 @@ version: "3.8"
 services:
   app:
     image: cryptpad/cryptpad:version-2026.2.0
-    entrypoint: ["/sso-entrypoint.sh", "/cryptpad/docker-entrypoint.sh"]
     command: ["npm", "start"]
     networks:
       - backend
@@ -17,16 +16,7 @@ services:
       - "CPAD_HTTP2_DISABLE=true"
       - "CPAD_TRUST_PROXY=1"
       - "CPAD_CONF=/cryptpad/config/config.js"
-      # SSO plugin
+      - "RESTRICT_GUEST_ACCESS=${RESTRICT_GUEST_ACCESS:-false}"
-      - SSO_PLUGIN_VERSION
-      - "SSO_ENABLED=${SSO_ENABLED:-false}"
-      - SSO_ENFORCED
-      - SSO_PROVIDER_NAME
-      - SSO_OIDC_URL
-      - SSO_CLIENT_ID
-      - SSO_JWT_ALG
-    secrets:
-      - sso_client_s
     volumes:
       - cryptpad_blob:/cryptpad/blob
       - cryptpad_block:/cryptpad/block
@@ -34,15 +24,11 @@ services:
       - cryptpad_data:/cryptpad/data
       - cryptpad_files:/cryptpad/datastore
       - cryptpad_config:/cryptpad/config/
-      - cryptpad_plugins:/cryptpad/lib/plugins
     configs:
       - source: config_js
         target: /cryptpad/config/config.js
-      - source: sso_entrypoint
+      - source: app_config_js
-        target: /sso-entrypoint.sh
+        target: /cryptpad/customize/application_config.js
-        mode: 0755
-      - source: sso_js
-        target: /sso.js
 
     deploy:
       restart_policy:
@@ -50,7 +36,7 @@ services:
       labels:
         - "traefik.enable=false"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
-        - "coop-cloud.${STACK_NAME}.version=0.5.1+v2026.2.0"
+        - "coop-cloud.${STACK_NAME}.version=0.5.4+v2026.2.0"
         - "backupbot.backup=true"
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:3000"]
@@ -93,12 +79,6 @@ volumes:
   cryptpad_data:
   cryptpad_files:
   cryptpad_config:
-  cryptpad_plugins:
-
-secrets:
-  sso_client_s:
-    external: true
-    name: ${STACK_NAME}_sso_client_s_${SSO_CLIENT_SECRET_VERSION}
 
 configs:
   config_js:
@@ -109,10 +89,7 @@ configs:
     name: ${STACK_NAME}_nginx_conf_${NGINX_CONF_VERSION}
     file: nginx.conf.tmpl
     template_driver: golang
-  sso_entrypoint:
+  app_config_js:
-    name: ${STACK_NAME}_sso_entrypoint_${SSO_ENTRYPOINT_VERSION}
+    name: ${STACK_NAME}_app_config_js_${APP_CONFIG_JS_VERSION}
-    file: sso-entrypoint.sh
+    file: application_config.js.tmpl
-  sso_js:
-    name: ${STACK_NAME}_sso_js_${SSO_JS_VERSION}
-    file: sso.js.tmpl
     template_driver: golang