chore: publish 1.3.0+apache-2.26.0 release

.drone.yml

@@ -17,11 +17,12 @@ steps:
       DOMAIN: kimai.swarm-test.autonomic.zone
       STACK_NAME: kimai
       LETS_ENCRYPT_ENV: production
-      ENTRYPOINT_CONF_VERSION: v1
+      ENTRYPOINT_CONF_VERSION: v2
       LOCAL_CONF_VERSION: v1
       SECRET_DB_PASSWORD_VERSION: v1
       SECRET_DB_ROOT_PASSWORD_VERSION: v1
       SECRET_ADMIN_PASSWORD_VERSION: v1
+      SECRET_SSO_CERT_VERSION: v1
 trigger:
   branch:
     - main

.env.sample

@@ -5,12 +5,17 @@ DOMAIN=kimai.example.com
 #EXTRA_DOMAINS=', `www.kimai.example.com`'
 LETS_ENCRYPT_ENV=production
 
+ENABLE_BACKUPS=true
+
 SECRET_DB_PASSWORD_VERSION=v1
 SECRET_DB_ROOT_PASSWORD_VERSION=v1
 SECRET_ADMIN_PASSWORD_VERSION=v1
+SECRET_SSO_CERT_VERSION=v1
 
-# SSO_ENABLED=0
-# SSO_PROVIDER_URL=https://sso.example.org/
-# SSO_SAML_URL=https://sso.example.org/application/saml/<application-slug>/sso/binding/redirect/
-# SSO_LOGOUT_URL=https://sso.example.org/if/session-end/<application-slug>/
-# SSO_CERT="muchmuchbase64certificatefoobar=="
+# SSO_ENABLED=1
+# SSO_PROVIDER_URL=https://authentik.example.com/
+# SSO_SAML_URL=https://authentik.example.com/application/saml/kimai/sso/binding/redirect/
+# SSO_LOGOUT_URL=https://authentik.example.com/application/saml/kimai/slo/binding/redirect/
+
+# MAILER_URL="smtp://<from>:<password>%3F@<mailserver>:587"
+# MAILER_FROM="Kimai Notifications noreply@example.com"

README.md

@@ -8,11 +8,11 @@ CoöpCloud [Kimai] ✊⏰
 * **Category**: Apps
 * **Status**: ?
 * **Image**: [`kimai/kimai2`](https://hub.docker.com/kimai/kimai2), 4, upstream
-* **Healthcheck**: No
-* **Backups**: No
-* **Email**: No
+* **Healthcheck**: Yes
+* **Backups**: Yes
+* **Email**: Yes
 * **Tests**: 2
-* **SSO**: No
+* **SSO**: Yes
 <!-- endmetadata -->
 
 Based on the recommended [`tobybatch/kimai2`] compose file.
@@ -29,3 +29,8 @@ Based on the recommended [`tobybatch/kimai2`] compose file.
 [`tobybatch/kimai2`]: https://tobybatch.github.io/kimai2/docker-compose.html#docker-compose
 [`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra
 [`coop-cloud/traefik`]: https://git.autonomic.zone/coop-cloud/traefik
+
+## SSO
+
+To enable SSO, after running the blueprint in Authentik and before deploying Kimai, you need to add the Authentik Self-Signed-Certificate as secret in Kimai via the following command:
+`abra app cmd -l YOURAPPDOMAIN insert_authentik_certificate`

abra.sh

@@ -1,7 +1,13 @@
-export ENTRYPOINT_CONF_VERSION=v1
-export LOCAL_CONF_VERSION=v1
+export ENTRYPOINT_CONF_VERSION=v2
+export LOCAL_CONF_VERSION=v2
 
 create_admin () {
     export DATABASE_URL="$DATABASE_TYPE://$DATABASE_USER:$(cat /run/secrets/db_password)@$DATABASE_HOST/$DATABASE_NAME"
     /opt/kimai/bin/console kimai:create-user admin admin@example.org ROLE_SUPER_ADMIN 
 }
+
+insert_authentik_certificate() {
+    SSO_PROVIDER_DOMAIN=$(echo $SSO_PROVIDER_URL | cut -d '/' -f 3)
+    CERT=$(abra app cmd -T $SSO_PROVIDER_DOMAIN worker get_certificate Kimai)
+    abra app secret insert $APP_NAME sso_cert v1 $CERT
+}

alaconnect.yml

@@ -0,0 +1,8 @@
+authentik:
+    uncomment:
+        - SSO_ENABLED
+        - SSO_PROVIDER_URL
+        - SSO_SAML_URL
+        - SSO_LOGOUT_URL
+    secret_hooks:
+        - insert_authentik_certificate

compose.yml

@@ -1,7 +1,7 @@
 version: '3.8'
 services:
   app:
-    image: kimai/kimai2:apache-2.15.0-prod
+    image: kimai/kimai2:apache-2.26.0
     environment:
       - APP_ENV=prod
       - TRUSTED_HOSTS=localhost,traefik,${DOMAIN},127.0.0.1
@@ -18,7 +18,8 @@ services:
       - SSO_PROVIDER_URL
       - SSO_SAML_URL
       - SSO_LOGOUT_URL
-      - SSO_CERT
+      - MAILER_URL
+      - MAILER_FROM
     volumes:
       - kimai_public:/opt/kimai/public
       - kimai_var:/opt/kimai/var
@@ -34,15 +35,16 @@ services:
     secrets:
       - db_password
       - admin_password
+      - sso_cert
     depends_on:
       - db
     entrypoint: /docker-entrypoint.sh
-    #healthcheck:
-    #  test: curl -s -o /dev/null http://localhost:8001 || exit 1
-    #  interval: 20s
-    #  start_period: 10s
-    #  timeout: 10s
-    #  retries: 3
+    healthcheck:
+     test: curl -s -o /dev/null http://localhost:8001 || exit 1
+     interval: 30s
+     start_period: 3m
+     timeout: 10s
+     retries: 10
     deploy:
       restart_policy:
         condition: on-failure
@@ -56,7 +58,8 @@ services:
         - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
-        - "coop-cloud.${STACK_NAME}.version=1.0.0+apache-2.15.0-prod"
+        - "coop-cloud.${STACK_NAME}.version=1.3.0+apache-2.26.0"
+        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
   db:
     image: mysql:5.7
     environment:
@@ -72,18 +75,18 @@ services:
       - db_password
       - db_root_password
     command: --default-storage-engine innodb
-    #healthcheck:
-    #  test: mysqladmin -pchangemeplease ping -h localhost
-    #  interval: 20s
-    #  start_period: 10s
-    #  timeout: 10s
-    #  retries: 3
+    healthcheck:
+      test: ["CMD-SHELL", 'mysqladmin -p"$$(cat /run/secrets/db_root_password)"  ping -h localhost']
+      interval: 30s
+      timeout: 10s
+      retries: 10
+      start_period: 1m
     deploy:
       labels:
-        - "backupbot.backup=true"
-        - "backupbot.backup.pre-hook=sh -c 'mysqldump --single-transaction -u root -p\"$$(cat /run/secrets/db_root_password)\" kimai > /var/lib/mysql/backup.sql'"
-        - "backupbot.backup.post-hook=rm -f /var/lib/mysql/backup.sql"
-        - "backupbot.backup.path=/var/lib/mysql/backup.sql"
+        backupbot.backup: "${ENABLE_BACKUPS:-true}"
+        backupbot.backup.pre-hook: 'mysqldump --single-transaction -u root -p"$$(cat /run/secrets/db_root_password)" kimai > /var/lib/mysql/backup.sql'
+        backupbot.backup.volumes.mariadb.path: "backup.sql"
+        backupbot.restore.post-hook: 'mysql -u root -p"$$(cat /run/secrets/db_root_password)" kimai < /var/lib/mysql/backup.sql'
 
 volumes:
   kimai_var:
@@ -101,6 +104,9 @@ secrets:
   admin_password:
     external: true
     name: ${STACK_NAME}_admin_password_${SECRET_ADMIN_PASSWORD_VERSION}
+  sso_cert:
+    external: true
+    name: ${STACK_NAME}_sso_cert_${SECRET_SSO_CERT_VERSION}
 
 networks:
   proxy:

entrypoint.sh.tmpl

@@ -38,8 +38,8 @@ export DATABASE_URL="$DATABASE_TYPE://$DATABASE_USER:$DATABASE_PASSWORD@$DATABAS
 
 if [ ! "${1-}" == "-e" ]; then
 	# 3wc: upstream ENTRYPOINT
-	# https://github.com/tobybatch/kimai2/blob/main/Dockerfile#L226
-	/startup.sh
+	# https://github.com/kimai/kimai/blob/main/Dockerfile#L278
+	/entrypoint.sh
 fi
 
 set +eu

local.yaml.tmpl

@@ -7,10 +7,12 @@ kimai:
       - { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, kimai: email }
       - { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, kimai: alias }
     roles:
+      resetOnLogin: true
       attribute: http://schemas.xmlsoap.org/claims/Group
       mapping:
       # Insert your roles here (ROLE_USER is added automatically)
         - { saml: admin.group, kimai: ROLE_ADMIN }
+        - { saml: "authentik Admins", kimai: ROLE_ADMIN }
     connection:
       # You SAML provider
       # Your Authentik instance, replace https://authentik.company with your authentik URL
@@ -19,12 +21,11 @@ kimai:
         singleSignOnService:
           url: "{{ env "SSO_SAML_URL" }}"
           binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
-        # the "single logout" feature was not yet tested, if you want to help, please let me know!
         singleLogoutService:
           url: "{{ env "SSO_LOGOUT_URL" }}"
           binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
         # Signing certificate from *Advanced protocol settings*
-        x509cert: "{{ env "SSO_CERT" }}"
+        x509cert: "{{ secret "sso_cert" }}"
       # Service Provider Data that we are deploying.
       # Your Kimai instance, replace https://kimai.dev.local-it.cloud with your Kimai URL
       sp:

release/1.0.0+apache-2.15.0-prod

@@ -0,0 +1 @@
+Make sure to have have a working backup before upgrading!