chore: publish 0.4.0+11 release

Reviewed-on: #1

.env.sample

@@ -1,7 +1,6 @@
 SECRET_DB_PASSWORD_VERSION=v1
 SECRET_ADMIN_PASSWORD_VERSION=v1
 SECRET_SIGNING_SECRET_VERSION=v1
-SECRET_SMTP_PASSWORD_VERSION=v1
 
 TYPE=directus
 
@@ -14,14 +13,39 @@ DOMAIN=directus.example.com
 
 LETS_ENCRYPT_ENV=production
 
+COMPOSE_FILE="compose.yml"
+
 ENABLE_BACKUPS=true
 
 ADMIN_EMAIL=mail@example.com
 
 # if you don't use smtp, sendmail is used
-# EMAIL_TRANSPORT=smtp
-#EMAIL_FROM=noreply@example.com
+# COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
+# SECRET_SMTP_PASSWORD_VERSION=v1
+# EMAIL_FROM=noreply@example.com
 # EMAIL_SMTP_USER=
 # EMAIL_SMTP_HOST=mailhost.com
 # EMAIL_SMTP_PORT=465
-# EMAIL_SMTP_SECURE=true
+# EMAIL_SMTP_SECURE=true
+
+
+## SSO (via OpenId)
+ 
+# Details about env-vars, the once below are necessary, others can be used as well: 
+# https://directus.io/docs/configuration/auth-sso#openid-connect
+
+#COMPOSE_FILE="$COMPOSE_FILE:compose.oidc.yml"
+#SECRET_OIDC_SECRET_VERSION=v1
+
+#AUTH_DISABLE_DEFAULT="false"
+#AUTH_SSO_LABEL="Single-Sign On"
+#AUTH_SSO_CLIENT_ID="<your-client-id>"
+#AUTH_SSO_ISSUER_URL="<your-.wellknown-issuer-url"
+#AUTH_SSO_ALLOW_PUBLIC_REGISTRATION="true"
+#AUTH_SSO_DEFAULT_ROLE_ID="<UUID-of-a-user-role>"
+#AUTH_SSO_SYNC_USER_INFO="true"
+#AUTH_SSO_SCOPE="openid profile email"
+
+# https://directus.io/docs/configuration/auth-sso
+# if you need more/other provider(s), consult docs on how to override compose.yml:
+# https://docs.coopcloud.tech/operators/handbook/#how-can-i-modifyoverride-the-composeyml-file

abra.sh

@@ -1,6 +1,6 @@
 # Set any config versions here
 # Docs: https://docs.coopcloud.tech/maintainers/handbook/#manage-configs
-export DIRECTUS_ENTRYPOINT_VERSION=v3
+export DIRECTUS_ENTRYPOINT_VERSION=v4
 export PG_BACKUP_VERSION=v1
 
 # essentially a wrapper for directus-template-cli apply:

compose.oidc.yml

@@ -0,0 +1,31 @@
+---
+services:
+  app:
+    environment:
+      AUTH_PROVIDERS: "sso"
+      AUTH_DISABLE_DEFAULT: "${AUTH_DISABLE_DEFAULT:-false}"
+      AUTH_SSO_DRIVER: "openid"
+      AUTH_SSO_CLIENT_ID: ${AUTH_SSO_CLIENT_ID}
+      AUTH_SSO_CLIENT_SECRET_FILE: /run/secrets/oidc_secret
+      AUTH_SSO_ISSUER_URL: ${AUTH_SSO_ISSUER_URL}
+      AUTH_SSO_SCOPE: ${AUTH_SSO_SCOPE:-"openid profile email"}
+      AUTH_SSO_IDENTIFIER_KEY: ${AUTH_SSO_IDENTIFIER_KEY}
+      AUTH_SSO_ALLOW_PUBLIC_REGISTRATION: ${AUTH_SSO_ALLOW_PUBLIC_REGISTRATION:-false}
+      AUTH_SSO_REQUIRE_VERIFIED_EMAIL: ${AUTH_SSO_REQUIRE_VERIFIED_EMAIL:-false}
+      AUTH_SSO_DEFAULT_ROLE_ID: ${AUTH_SSO_DEFAULT_ROLE_ID}
+      AUTH_SSO_SYNC_USER_INFO: ${AUTH_SSO_SYNC_USER_INFO:-true}
+      AUTH_SSO_ROLE_MAPPING: ${AUTH_SSO_ROLE_MAPPING:-{}}"
+      AUTH_SSO_GROUP_CLAIM_NAME: ${AUTH_SSO_GROUP_CLAIM_NAME:-groups}
+      AUTH_SSO_ICON: ${AUTH_SSO_ICON:-account_circle}
+      AUTH_SSO_LABEL: ${AUTH_SSO_LABEL:-"Single Sign On"}
+      AUTH_SSO_PARAMS: ${AUTH_SSO_PARAMS:-{}}
+      AUTH_SSO_REDIRECT_ALLOW_LIST: ${AUTH_SSO_REDIRECT_ALLOW_LIST}
+
+    secrets:
+      - oidc_secret
+      
+secrets:
+  oidc_secret:
+    name: ${STACK_NAME}_oidc_secret_${SECRET_OIDC_SECRET_VERSION}
+    external: true
+

compose.smtp.yml

@@ -0,0 +1,20 @@
+---
+services:
+  app:
+    environment:
+      EMAIL_TRANSPORT: "smtp"
+      EMAIL_FROM: ${EMAIL_FROM}
+      EMAIL_SMTP_USER: ${EMAIL_SMTP_USER}
+      EMAIL_SMTP_HOST: ${EMAIL_SMTP_HOST}
+      EMAIL_SMTP_PORT: ${EMAIL_SMTP_PORT:-465}
+      EMAIL_SMTP_SECURE: ${EMAIL_SMTP_SECURE:-true}
+      EMAIL_SMTP_PASSWORD_FILE: /run/secrets/smtp_password
+
+    secrets:
+      - smtp_password
+
+secrets:
+  smtp_password:
+    name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}
+    external: true
+

compose.yml

@@ -24,13 +24,6 @@ services:
 
       PUBLIC_URL: https://${DOMAIN}
 
-      EMAIL_TRANSPORT: ${EMAIL_TRANSPORT}
-      EMAIL_FROM: ${EMAIL_FROM}
-      EMAIL_SMTP_USER: ${EMAIL_SMTP_USER}
-      EMAIL_SMTP_HOST: ${EMAIL_SMTP_HOST}
-      EMAIL_SMTP_PORT: ${EMAIL_SMTP_PORT}
-      EMAIL_SMTP_SECURE: ${EMAIL_SMTP_SECURE}
-
     networks:
       - proxy
       - internal
@@ -54,7 +47,6 @@ services:
       - db_password
       - admin_password
       - signing_secret
-      - smtp_password
       
     deploy:
       restart_policy:
@@ -70,7 +62,7 @@ services:
         ## Redirect HTTP to HTTPS
         - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.scheme=https"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.permanent=true"
-        - "coop-cloud.${STACK_NAME}.version=0.2.0+11"
+        - "coop-cloud.${STACK_NAME}.version=0.4.0+11"
 
     healthcheck:
       test: ["CMD-SHELL", "wget -qO- http://0.0.0.0:8055/server/health | grep -q '\"status\":\"ok\"'"]
@@ -143,9 +135,6 @@ secrets:
   signing_secret:
     name: ${STACK_NAME}_signing_secret_${SECRET_SIGNING_SECRET_VERSION}
     external: true
-  smtp_password:
-    name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}
-    external: true
 
 configs:
   directus_entrypoint:

entrypoint.sh

@@ -14,8 +14,7 @@ load_secret() {
         fi
         export "$env_var"="$value"
     else
-        echo >&2 "error: $secret_file does not exist"
-        exit 1
+        echo >&2 "info: $secret_file does not exist, if you don't use the secret it shouldn't be a problem"
     fi
 }
 
@@ -23,6 +22,7 @@ load_secret "DB_PASSWORD" "/run/secrets/db_password"
 load_secret "ADMIN_PASSWORD" "/run/secrets/admin_password"
 load_secret "SIGNING_SECRET" "/run/secrets/signing_secret"
 load_secret "EMAIL_SMTP_PASSWORD" "/run/secrets/smtp_password"
+load_secret "OIDC_SECRET" "/run/secrets/oidc_secret"
 
 # upstream has no entrypoint https://github.com/directus/directus/blob/main/Dockerfile
 node cli.js bootstrap && pm2-runtime start ecosystem.config.cjs

release/0.3.0+11

@@ -0,0 +1 @@
+added sso and smtp, two secrets are now optional

release/0.3.1+11

@@ -0,0 +1 @@
+added example env for sso

release/0.4.0+11

@@ -0,0 +1 @@
+compare release notes of 0.3.0 – some recipe upgrading issues