diff --git a/.env.sample b/.env.sample
index cc1b436..7155dba 100644
--- a/.env.sample
+++ b/.env.sample
@@ -1,5 +1,6 @@
 TYPE=cryptpad
+COMPOSE_FILE="compose.yml"
 DOMAIN=cryptpad.example.com
@@ -17,7 +18,8 @@ SANDBOX_DOMAIN=sandbox.cryptpad.example.com
 #EXTRA_DOMAINS=', `www.cryptpad.example.com`'
 LETS_ENCRYPT_ENV=production
-## SSO / OIDC (optional — defaults to false)
+## SSO / OIDC (optional — uncomment below and add compose.sso.yml to COMPOSE_FILE to enable)
+# COMPOSE_FILE="$COMPOSE_FILE:compose.sso.yml"
 #SSO_ENABLED=true
 #SSO_ENFORCED=false
 #SSO_PROVIDER_NAME=Authentik
diff --git a/README.md b/README.md
index 75df51f..6280da3 100644
--- a/README.md
+++ b/README.md
@@ -42,7 +42,14 @@ you should be able to access the admin interface for this cryptpad instance.
 ## SSO
-To enable SSO, run `abra app config YOURAPPDOMAIN` and set `SSO_ENABLED=true`. On the next deploy, the [CryptPad SSO plugin](https://github.com/cryptpad/sso) will be installed automatically.
+SSO support is provided by `compose.sso.yml`. To enable it, add the SSO compose file and set the SSO variables in your app config:
+
+```
+COMPOSE_FILE="compose.yml:compose.sso.yml"
+SSO_ENABLED=true
+```
+
+On the next deploy, the [CryptPad SSO plugin](https://github.com/cryptpad/sso) will be installed automatically.
 You also need to configure the remaining SSO environment variables for your OIDC provider:
diff --git a/compose.sso.yml b/compose.sso.yml
new file mode 100644
index 0000000..3a295b8
--- /dev/null
+++ b/compose.sso.yml
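Review bot: The commented hint `# COMPOSE_FILE="$COMPOSE_FILE:compose.sso.yml"` in the second hunk relies on the env-file loader expanding `$COMPOSE_FILE` from the line set earlier in the same file, while the README in this same commit documents the literal form `COMPOSE_FILE="compose.yml:compose.sso.yml"`; whether self-referential expansion works depends on how abra parses the app env, so the two should agree, and the literal form is the safer one to document. Because the SSO entrypoint, env entries, secret and configs no longer live in compose.yml, an existing app that has `SSO_ENABLED=true` (and possibly `SSO_ENFORCED=true`) but an unchanged `COMPOSE_FILE` will redeploy without the SSO plugin being installed at all, so whatever enforcement the plugin provided stops applying without any error. A line next to the hint such as `# NOTE: existing SSO deployments must add compose.sso.yml to COMPOSE_FILE, otherwise the SSO plugin is no longer installed` would make that migration step explicit.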
@@ -0,0 +1,41 @@
+---
+version: "3.8"
+
+services:
+ app:
+ entrypoint: ["/sso-entrypoint.sh", "/cryptpad/docker-entrypoint.sh"]
+ environment:
+ - SSO_PLUGIN_VERSION
+ - "SSO_ENABLED=${SSO_ENABLED:-false}"
+ - SSO_ENFORCED
+ - SSO_PROVIDER_NAME
+ - SSO_OIDC_URL
+ - SSO_CLIENT_ID
+ - SSO_JWT_ALG
+ secrets:
+ - sso_client_s
+ volumes:
+ - cryptpad_plugins:/cryptpad/lib/plugins
+ configs:
+ - source: sso_entrypoint
+ target: /sso-entrypoint.sh
+ mode: 0755
+ - source: sso_js
+ target: /sso.js
+
+volumes:
+ cryptpad_plugins:
+
+secrets:
+ sso_client_s:
+ external: true
+ name: ${STACK_NAME}_sso_client_s_${SSO_CLIENT_SECRET_VERSION}
+
+configs:
+ sso_entrypoint:
+ name: ${STACK_NAME}_sso_entrypoint_${SSO_ENTRYPOINT_VERSION}
+ file: sso-entrypoint.sh
+ sso_js:
+ name: ${STACK_NAME}_sso_js_${SSO_JS_VERSION}
+ file: sso.js.tmpl
+ template_driver: golang
diff --git a/compose.yml b/compose.yml
index 4edf046..e19fd85 100644
--- a/compose.yml
+++ b/compose.yml
@@ -4,7 +4,6 @@ version: "3.8"
 services:
 app:
 image: cryptpad/cryptpad:version-2026.2.0
- entrypoint: ["/sso-entrypoint.sh", "/cryptpad/docker-entrypoint.sh"]
 command: ["npm", "start"]
 networks:
 - backend
@@ -17,16 +16,6 @@ services:
 - "CPAD_HTTP2_DISABLE=true"
 - "CPAD_TRUST_PROXY=1"
 - "CPAD_CONF=/cryptpad/config/config.js"
- # SSO plugin
- - SSO_PLUGIN_VERSION
- - "SSO_ENABLED=${SSO_ENABLED:-false}"
- - SSO_ENFORCED
- - SSO_PROVIDER_NAME
- - SSO_OIDC_URL
- - SSO_CLIENT_ID
- - SSO_JWT_ALG
- secrets:
- - sso_client_s
 volumes:
 - cryptpad_blob:/cryptpad/blob
 - cryptpad_block:/cryptpad/block
@@ -34,15 +23,9 @@ services:
 - cryptpad_data:/cryptpad/data
 - cryptpad_files:/cryptpad/datastore
 - cryptpad_config:/cryptpad/config/
- - cryptpad_plugins:/cryptpad/lib/plugins
 configs:
 - source: config_js
 target: /cryptpad/config/config.js
- - source: sso_entrypoint
- target: /sso-entrypoint.sh
- mode: 0755
- - source: sso_js
- target: /sso.js
 deploy:
 restart_policy:
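Review bot: compose.sso.yml carries no header comment saying it is an overlay that only makes sense merged on top of compose.yml — it adds `entrypoint`, extra `environment` entries, a volume, a secret and two configs to the `app` service that is defined only there — so a reader of this file alone, or a deploy that lists it without compose.yml, gets no hint; suggest opening the file with `# SSO/OIDC overlay for compose.yml — enable with COMPOSE_FILE="compose.yml:compose.sso.yml"`. The pass-through entries `SSO_OIDC_URL`, `SSO_CLIENT_ID`, `SSO_JWT_ALG` and the others are forwarded unset when the app env lacks them, while the overridden entrypoint still installs the plugin; if the plugin treats a missing issuer URL or client id as a hard error that is acceptable, but if it does not, required interpolation such as `- "SSO_OIDC_URL=${SSO_OIDC_URL:?SSO_OIDC_URL must be set}"` on the values SSO cannot work without would fail the deploy up front rather than start an SSO-enabled instance with a half-configured provider. The `mode: 0755` and `version: "3.8"` values match what compose.yml used before, so nothing new to raise there.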
@@ -93,12 +76,6 @@ volumes:
 cryptpad_data:
 cryptpad_files:
 cryptpad_config:
- cryptpad_plugins:
-
-secrets:
- sso_client_s:
- external: true
- name: ${STACK_NAME}_sso_client_s_${SSO_CLIENT_SECRET_VERSION}
 configs:
 config_js:
@@ -109,10 +86,3 @@ configs:
 name: ${STACK_NAME}_nginx_conf_${NGINX_CONF_VERSION}
 file: nginx.conf.tmpl
 template_driver: golang
- sso_entrypoint:
- name: ${STACK_NAME}_sso_entrypoint_${SSO_ENTRYPOINT_VERSION}
- file: sso-entrypoint.sh
- sso_js:
- name: ${STACK_NAME}_sso_js_${SSO_JS_VERSION}
- file: sso.js.tmpl
- template_driver: golang