From 61b41e2866441867e0b975febbaf731ff2460f6b Mon Sep 17 00:00:00 2001
From: notplants
Date: Sat, 28 Feb 2026 16:52:32 -0500
Subject: [PATCH 1/4] working on sso

---
 .env.sample | 10 ++++++++++
 abra.sh | 2 ++
 compose.yml | 25 +++++++++++++++++++++++++
 sso-entrypoint.sh | 31 +++++++++++++++++++++++++++++++
 sso.js.tmpl | 15 +++++++++++++++
 5 files changed, 83 insertions(+)
 create mode 100644 sso-entrypoint.sh
 create mode 100644 sso.js.tmpl

diff --git a/.env.sample b/.env.sample
index fd1bb24..4eca4ae 100644
--- a/.env.sample
+++ b/.env.sample
@@ -16,3 +16,13 @@ SANDBOX_DOMAIN=sandbox.cryptpad.example.com
 ## Domain aliases
 #EXTRA_DOMAINS=', `www.cryptpad.example.com`'
 LETS_ENCRYPT_ENV=production
+
+## SSO / OIDC (optional — requires SSO_ENABLED=true)
+SSO_ENABLED=false
+SSO_ENFORCED=false
+SSO_PROVIDER_NAME=Authentik
+SSO_OIDC_URL=https://authentik.example.com/application/o/cryptpad
+SSO_CLIENT_ID=cryptpad
+SSO_CLIENT_SECRET=
+SSO_JWT_ALG=RS256
+SSO_PLUGIN_VERSION=0.4.0
diff --git a/abra.sh b/abra.sh
index c38f188..bf63893 100644
--- a/abra.sh
+++ b/abra.sh
@@ -1,3 +1,5 @@
 export CONFIG_VERSION=v2
 export CONFIG_JS_VERSION=v2
 export NGINX_CONF_VERSION=v1
+export SSO_ENTRYPOINT_VERSION=v2
+export SSO_JS_VERSION=v1
diff --git a/compose.yml b/compose.yml
index 6a48081..bb6519f 100644
--- a/compose.yml
+++ b/compose.yml
@@ -4,6 +4,8 @@ version: "3.8"
 services:
 app:
 image: cryptpad/cryptpad:version-2026.2.0
+ entrypoint: ["/bin/bash", "/sso-entrypoint.sh"]
+ command: ["npm", "start"]
 networks:
 - backend
 environment:
@@ -15,6 +17,15 @@ services:
 - "CPAD_HTTP2_DISABLE=true"
 - "CPAD_TRUST_PROXY=1"
 - "CPAD_CONF=/cryptpad/config/config.js"
+ # SSO plugin
+ - SSO_PLUGIN_VERSION
+ - SSO_ENABLED
+ - SSO_ENFORCED
+ - SSO_PROVIDER_NAME
+ - SSO_OIDC_URL
+ - SSO_CLIENT_ID
+ - SSO_CLIENT_SECRET
+ - SSO_JWT_ALG
 
 volumes:
 - cryptpad_blob:/cryptpad/blob
@@ -23,9 +34,15 @@ services:
 - cryptpad_data:/cryptpad/data
 - cryptpad_files:/cryptpad/datastore
 - cryptpad_config:/cryptpad/config/
+ - cryptpad_plugins:/cryptpad/lib/plugins
 configs:
 - source: config_js
 target: /cryptpad/config/config.js
+ - source: sso_entrypoint
+ target: /sso-entrypoint.sh
+ mode: 0755
+ - source: sso_js
+ target: /sso.js.tmpl
 
 deploy:
 restart_policy:
@@ -77,6 +94,7 @@ volumes:
 cryptpad_data:
 cryptpad_files:
 cryptpad_config:
+ cryptpad_plugins:
 
 configs:
 config_js:
@@ -87,3 +105,10 @@ configs:
 name: ${STACK_NAME}_nginx_conf_${NGINX_CONF_VERSION}
 file: nginx.conf.tmpl
 template_driver: golang
+ sso_entrypoint:
+ name: ${STACK_NAME}_sso_entrypoint_${SSO_ENTRYPOINT_VERSION}
+ file: sso-entrypoint.sh
+ sso_js:
+ name: ${STACK_NAME}_sso_js_${SSO_JS_VERSION}
+ file: sso.js.tmpl
+ template_driver: golang
diff --git a/sso-entrypoint.sh b/sso-entrypoint.sh
new file mode 100644
index 0000000..750c515
--- /dev/null
+++ b/sso-entrypoint.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+set -e
+
+# SSO plugin installer — runs before the original CryptPad entrypoint.
+# Clones the cryptpad/sso plugin into the plugins volume if not already present
+# or if the version has changed, then delegates to the real entrypoint.
+
+PLUGIN_DIR="/cryptpad/lib/plugins/sso"
+VERSION_FILE="${PLUGIN_DIR}/.version"
+SSO_PLUGIN_VERSION="${SSO_PLUGIN_VERSION:-0.4.0}"
+
+# Copy SSO config template into place (mounted as Docker config)
+if [ -f /sso.js.tmpl ]; then
+ cp /sso.js.tmpl /cryptpad/config/sso.js
+ echo "[sso-entrypoint] Copied sso.js config into /cryptpad/config/sso.js"
+fi
+
+# Install/update the SSO plugin
+if [ -f "${VERSION_FILE}" ] && [ "$(cat "${VERSION_FILE}")" = "${SSO_PLUGIN_VERSION}" ]; then
+ echo "[sso-entrypoint] SSO plugin ${SSO_PLUGIN_VERSION} already installed"
+else
+ echo "[sso-entrypoint] Installing SSO plugin ${SSO_PLUGIN_VERSION} ..."
+ rm -rf "${PLUGIN_DIR}"
+ git clone --depth 1 --branch "${SSO_PLUGIN_VERSION}" \
+ https://github.com/cryptpad/sso.git "${PLUGIN_DIR}"
+ echo "${SSO_PLUGIN_VERSION}" > "${VERSION_FILE}"
+ echo "[sso-entrypoint] SSO plugin installed"
+fi
+
+# Hand off to the original CryptPad entrypoint
+exec /bin/bash /cryptpad/docker-entrypoint.sh "$@"
diff --git a/sso.js.tmpl b/sso.js.tmpl
new file mode 100644
index 0000000..74d983d
--- /dev/null
+++ b/sso.js.tmpl
@@ -0,0 +1,15 @@
+// CryptPad SSO configuration — generated from environment variables
+// See https://github.com/cryptpad/sso for documentation
+
+module.exports = {
+ enabled: "{{ env "SSO_ENABLED" }}" === "true",
+ enforced: "{{ env "SSO_ENFORCED" }}" === "true",
+ protocol: "oidc",
+ providerName: "{{ env "SSO_PROVIDER_NAME" }}",
+ oidcConfig: {
+ url: "{{ env "SSO_OIDC_URL" }}",
+ clientID: "{{ env "SSO_CLIENT_ID" }}",
+ clientSecret: "{{ env "SSO_CLIENT_SECRET" }}",
+ algorithm: "{{ env "SSO_JWT_ALG" }}"
+ }
+};
-- 
2.49.0

From bd2488ffead9db864956b24bf02cb00f934d02c6 Mon Sep 17 00:00:00 2001
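Review bot: The install branch runs `git clone --depth 1 --branch "${SSO_PLUGIN_VERSION}"` from github.com at container start and the result is loaded as server-side code, yet a tag is a mutable reference and the `.version` marker records only the tag name, so a moved tag or a compromised upstream is installed without any integrity check and never re-examined on later starts. Pinning an expected commit and comparing it with `git rev-parse HEAD` after the clone (a new variable such as `SSO_PLUGIN_COMMIT` next to `SSO_PLUGIN_VERSION`) turns the fetch into a checkable step, and the already-installed branch could run the same comparison so an existing volume is re-verified; vendoring the plugin into the image would remove the start-time network and `git` dependency altogether. The existing order (`rm -rf "${PLUGIN_DIR}"` before the clone, marker written last, `set -e`) already means a failed fetch leaves neither plugin nor marker, which is the right failure mode and is kept below.
```shell
  git clone --depth 1 --branch "${SSO_PLUGIN_VERSION}" \
    https://github.com/cryptpad/sso.git "${PLUGIN_DIR}"
  # A tag can be moved upstream; refuse to run code that is not the reviewed commit.
  if [ -n "${SSO_PLUGIN_COMMIT:-}" ]; then
    actual="$(git -C "${PLUGIN_DIR}" rev-parse HEAD)"
    if [ "${actual}" != "${SSO_PLUGIN_COMMIT}" ]; then
      echo "[sso-entrypoint] SSO plugin HEAD ${actual} does not match pinned ${SSO_PLUGIN_COMMIT}" >&2
      rm -rf "${PLUGIN_DIR}"
      exit 1
    fi
  fi
  echo "${SSO_PLUGIN_VERSION}" > "${VERSION_FILE}"
  # … unchanged: success message, fi, exec hand-off …
```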
From: notplants
Date: Sat, 28 Feb 2026 21:01:52 -0500
Subject: [PATCH 2/4] working sso

---
 .env.sample | 18 +++++++++---------
 abra.sh | 4 ++--
 sso.js.tmpl | 22 ++++++++++++++--------
 3 files changed, 25 insertions(+), 19 deletions(-)

diff --git a/.env.sample b/.env.sample
index 4eca4ae..c984e03 100644
--- a/.env.sample
+++ b/.env.sample
@@ -17,12 +17,12 @@ SANDBOX_DOMAIN=sandbox.cryptpad.example.com
 #EXTRA_DOMAINS=', `www.cryptpad.example.com`'
 LETS_ENCRYPT_ENV=production
 
-## SSO / OIDC (optional — requires SSO_ENABLED=true)
-SSO_ENABLED=false
-SSO_ENFORCED=false
-SSO_PROVIDER_NAME=Authentik
-SSO_OIDC_URL=https://authentik.example.com/application/o/cryptpad
-SSO_CLIENT_ID=cryptpad
-SSO_CLIENT_SECRET=
-SSO_JWT_ALG=RS256
-SSO_PLUGIN_VERSION=0.4.0
+## SSO / OIDC (optional — defaults to false)
+#SSO_ENABLED=true
+#SSO_ENFORCED=false
+#SSO_PROVIDER_NAME=Authentik
+#SSO_OIDC_URL=https://authentik.example.com/application/o/cryptpad
+#SSO_CLIENT_ID=cryptpad
+#SSO_CLIENT_SECRET=
+#SSO_JWT_ALG=RS256
+#SSO_PLUGIN_VERSION=0.4.0
diff --git a/abra.sh b/abra.sh
index bf63893..136b414 100644
--- a/abra.sh
+++ b/abra.sh
@@ -1,5 +1,5 @@
 export CONFIG_VERSION=v2
 export CONFIG_JS_VERSION=v2
 export NGINX_CONF_VERSION=v1
-export SSO_ENTRYPOINT_VERSION=v2
-export SSO_JS_VERSION=v1
+export SSO_ENTRYPOINT_VERSION=v4
+export SSO_JS_VERSION=v2
diff --git a/sso.js.tmpl b/sso.js.tmpl
index 74d983d..5509aee 100644
--- a/sso.js.tmpl
+++ b/sso.js.tmpl
@@ -4,12 +4,18 @@
 module.exports = {
 enabled: "{{ env "SSO_ENABLED" }}" === "true",
 enforced: "{{ env "SSO_ENFORCED" }}" === "true",
- protocol: "oidc",
- providerName: "{{ env "SSO_PROVIDER_NAME" }}",
- oidcConfig: {
- url: "{{ env "SSO_OIDC_URL" }}",
- clientID: "{{ env "SSO_CLIENT_ID" }}",
- clientSecret: "{{ env "SSO_CLIENT_SECRET" }}",
- algorithm: "{{ env "SSO_JWT_ALG" }}"
- }
+ cpPassword: true,
+ forceCpPassword: false,
+ list: [
+ {
+ name: "{{ env "SSO_PROVIDER_NAME" }}",
+ type: "oidc",
+ url: "{{ env "SSO_OIDC_URL" }}",
+ client_id: "{{ env "SSO_CLIENT_ID" }}",
+ client_secret: "{{ env "SSO_CLIENT_SECRET" }}",
+ id_token_alg: "{{ env "SSO_JWT_ALG" }}",
+ use_pkce: true,
+ use_nonce: true
+ }
+ ]
 };
-- 
2.49.0

From b8f074e0a749312efe84cc25958d3a97fa353ff8 Mon Sep 17 00:00:00 2001
From: notplants
Date: Sun, 1 Mar 2026 02:48:46 +0000
Subject: [PATCH 3/4] move SSO client secret to Docker secret, gate SSO entrypoint on SSO_ENABLED

---
 .env.sample | 2 +-
 abra.sh | 4 ++--
 compose.yml | 14 +++++++++-----
 sso-entrypoint.sh | 10 ++++++++--
 sso.js.tmpl | 2 +-
 5 files changed, 21 insertions(+), 11 deletions(-)

diff --git a/.env.sample b/.env.sample
index c984e03..cc1b436 100644
--- a/.env.sample
+++ b/.env.sample
@@ -23,6 +23,6 @@ LETS_ENCRYPT_ENV=production
 #SSO_PROVIDER_NAME=Authentik
 #SSO_OIDC_URL=https://authentik.example.com/application/o/cryptpad
 #SSO_CLIENT_ID=cryptpad
-#SSO_CLIENT_SECRET=
+#SSO_CLIENT_SECRET_VERSION=v1
 #SSO_JWT_ALG=RS256
 #SSO_PLUGIN_VERSION=0.4.0
diff --git a/abra.sh b/abra.sh
index 136b414..0e1ced5 100644
--- a/abra.sh
+++ b/abra.sh
@@ -1,5 +1,5 @@
 export CONFIG_VERSION=v2
 export CONFIG_JS_VERSION=v2
 export NGINX_CONF_VERSION=v1
-export SSO_ENTRYPOINT_VERSION=v4
-export SSO_JS_VERSION=v2
+export SSO_ENTRYPOINT_VERSION=v5
+export SSO_JS_VERSION=v3
diff --git a/compose.yml b/compose.yml
index bb6519f..e270577 100644
--- a/compose.yml
+++ b/compose.yml
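Review bot: Each `{{ env ... }}` in the new `list` entry is pasted into a JavaScript string literal with no escaping, so a `"`, `\` or line break in `SSO_PROVIDER_NAME`, `SSO_OIDC_URL`, `SSO_CLIENT_ID` or the client secret leaves `/cryptpad/config/sso.js` unparsable and CryptPad fails at start; the same applies to `client_secret: "{{ secret "sso_client_s" }}"` in patch 3, where a secret stored with a trailing newline is the likely trigger. The file is rendered by Go's text/template (the `golang` template driver), whose builtin `js` function escapes for exactly this context, e.g. `name: "{{ js (env "SSO_PROVIDER_NAME") }}",` and `client_secret: "{{ js (secret "sso_client_s") }}",`. Escaping keeps the file parseable; a trailing newline would then still be part of the secret value, so the secret must also be created without one. All of these values are operator-supplied, so the concern is availability and misconfiguration rather than injection.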
@@ -4,7 +4,7 @@ version: "3.8"
 services:
 app:
 image: cryptpad/cryptpad:version-2026.2.0
- entrypoint: ["/bin/bash", "/sso-entrypoint.sh"]
+ entrypoint: ["/sso-entrypoint.sh", "/cryptpad/docker-entrypoint.sh"]
 command: ["npm", "start"]
 networks:
 - backend
@@ -19,14 +19,14 @@ services:
 - "CPAD_CONF=/cryptpad/config/config.js"
 # SSO plugin
 - SSO_PLUGIN_VERSION
- - SSO_ENABLED
+ - "SSO_ENABLED=${SSO_ENABLED:-false}"
 - SSO_ENFORCED
 - SSO_PROVIDER_NAME
 - SSO_OIDC_URL
 - SSO_CLIENT_ID
- - SSO_CLIENT_SECRET
 - SSO_JWT_ALG
-
+ secrets:
+ - sso_client_s
 volumes:
 - cryptpad_blob:/cryptpad/blob
 - cryptpad_block:/cryptpad/block
@@ -52,7 +52,6 @@ services:
 - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
 - "coop-cloud.${STACK_NAME}.version=0.5.0+v2026.2.0"
 - "backupbot.backup=true"
- - "backupbot.backup.volumes.cryptpad_config=false"
 healthcheck:
 test: ["CMD", "curl", "-f", "http://localhost:3000"]
 interval: 30s
@@ -96,6 +95,11 @@ volumes:
 cryptpad_config:
 cryptpad_plugins:
 
+secrets:
+ sso_client_s:
+ external: true
+ name: ${STACK_NAME}_sso_client_s_${SSO_CLIENT_SECRET_VERSION}
+
 configs:
 config_js:
 name: ${STACK_NAME}_config_${CONFIG_VERSION}
diff --git a/sso-entrypoint.sh b/sso-entrypoint.sh
index 750c515..460ff46 100644
--- a/sso-entrypoint.sh
+++ b/sso-entrypoint.sh
@@ -3,7 +3,13 @@ set -e
 
 # SSO plugin installer — runs before the original CryptPad entrypoint.
 # Clones the cryptpad/sso plugin into the plugins volume if not already present
-# or if the version has changed, then delegates to the real entrypoint.
+# or if the version has changed.
+
+# Skips SSO setup entirely when SSO_ENABLED is not "true".
+if [ "${SSO_ENABLED}" != "true" ]; then
+ echo "[sso-entrypoint] SSO not enabled, skipping plugin install"
+ exec "$@"
+fi
 
 PLUGIN_DIR="/cryptpad/lib/plugins/sso"
 VERSION_FILE="${PLUGIN_DIR}/.version"
@@ -28,4 +34,4 @@ else
 fi
 
 # Hand off to the original CryptPad entrypoint
-exec /bin/bash /cryptpad/docker-entrypoint.sh "$@"
+exec "$@"
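Review bot: Dropping `backupbot.backup.volumes.cryptpad_config=false` in the `@@ -52,7 +52,6` hunk presumably pulls the cryptpad_config volume into backups, and that volume now holds the rendered OIDC client secret: the template driver expands `{{ secret "sso_client_s" }}` into the mounted sso.js config (the `client_secret` line of this patch's sso.js.tmpl hunk) and sso-entrypoint.sh then copies it to `/cryptpad/config/sso.js`, a path inside `cryptpad_config:/cryptpad/config/` (the copy is in patch 1, outside this hunk). Moving the secret out of the environment is largely undone if its plaintext lands on a persistent, backed-up volume. `config_js` is already mounted at `/cryptpad/config/config.js` under that same volume, so giving `sso_js` `target: /cryptpad/config/sso.js` and removing the `cp` in sso-entrypoint.sh would keep the secret in the config mount only; if the copy is needed for a reason not visible here, the label should stay. Whether anything else in the config volume needs backing up is not visible from this diff.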
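Review bot: The new gate at the top of sso-entrypoint.sh only tests `SSO_ENABLED`; when it is "true" nothing checks that `SSO_OIDC_URL` and `SSO_CLIENT_ID` are set, even though .env.sample now ships every SSO variable commented out, so the template renders `url: ""` and `client_id: ""` and the plugin is installed with an unusable provider. A check right after the gate fails fast with a clear message: `for v in SSO_OIDC_URL SSO_CLIENT_ID; do [ -n "${!v:-}" ] || { echo "[sso-entrypoint] ${v} must be set when SSO_ENABLED=true" >&2; exit 1; }; done`. The script is bash (`#!/bin/bash`), so the indirect expansion is available. The rest of the script, including the plugin install, lies outside this hunk.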
diff --git a/sso.js.tmpl b/sso.js.tmpl
index 5509aee..7e6926e 100644
--- a/sso.js.tmpl
+++ b/sso.js.tmpl
@@ -12,7 +12,7 @@ module.exports = {
 type: "oidc",
 url: "{{ env "SSO_OIDC_URL" }}",
 client_id: "{{ env "SSO_CLIENT_ID" }}",
- client_secret: "{{ env "SSO_CLIENT_SECRET" }}",
+ client_secret: "{{ secret "sso_client_s" }}",
 id_token_alg: "{{ env "SSO_JWT_ALG" }}",
 use_pkce: true,
 use_nonce: true
-- 
2.49.0

From f31c12299d533f58b690c4dd73eb7f49618348e9 Mon Sep 17 00:00:00 2001
From: notplants
Date: Sun, 1 Mar 2026 02:48:59 +0000
Subject: [PATCH 4/4] bump to 0.5.1+v2026.2.0

---
 compose.yml | 4 ++--
 sso-entrypoint.sh | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/compose.yml b/compose.yml
index e270577..4edf046 100644
--- a/compose.yml
+++ b/compose.yml
@@ -42,7 +42,7 @@ services:
 target: /sso-entrypoint.sh
 mode: 0755
 - source: sso_js
- target: /sso.js.tmpl
+ target: /sso.js
 
 deploy:
 restart_policy:
@@ -50,7 +50,7 @@ services:
 labels:
 - "traefik.enable=false"
 - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
- - "coop-cloud.${STACK_NAME}.version=0.5.0+v2026.2.0"
+ - "coop-cloud.${STACK_NAME}.version=0.5.1+v2026.2.0"
 - "backupbot.backup=true"
 healthcheck:
 test: ["CMD", "curl", "-f", "http://localhost:3000"]
diff --git a/sso-entrypoint.sh b/sso-entrypoint.sh
index 460ff46..015976e 100644
--- a/sso-entrypoint.sh
+++ b/sso-entrypoint.sh
@@ -16,8 +16,8 @@ VERSION_FILE="${PLUGIN_DIR}/.version"
 SSO_PLUGIN_VERSION="${SSO_PLUGIN_VERSION:-0.4.0}"
 
 # Copy SSO config template into place (mounted as Docker config)
-if [ -f /sso.js.tmpl ]; then
- cp /sso.js.tmpl /cryptpad/config/sso.js
+if [ -f /sso.js ]; then
+ cp /sso.js /cryptpad/config/sso.js
 echo "[sso-entrypoint] Copied sso.js config into /cryptpad/config/sso.js"
 fi
 
-- 
2.49.0
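Review bot: The content of sso-entrypoint.sh changes in this hunk (`/sso.js.tmpl` becomes `/sso.js`) but abra.sh is not in this patch's diffstat, so `SSO_ENTRYPOINT_VERSION` stays at the `v5` that patch 3 set; the `sso_entrypoint` config is named `${STACK_NAME}_sso_entrypoint_${SSO_ENTRYPOINT_VERSION}` and Swarm configs are immutable, so as far as I can tell an existing stack keeps the old script that still looks for `/sso.js.tmpl` while `sso_js` is now mounted at `/sso.js`, and the copy is skipped silently because of the `if [ -f /sso.js ]` guard. Patch 3 bumped both versions alongside its file edits; this patch should likewise set `export SSO_ENTRYPOINT_VERSION=v6` in abra.sh. Since the gate earlier in the script has already established that SSO is enabled by the time this block runs, replacing the `if [ -f /sso.js ]` guard with an unconditional `cp /sso.js /cryptpad/config/sso.js` would turn a missing config into a hard start-up error instead of a silent skip. The gate and the plugin install are outside this hunk.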