Compare commits
3 Commits
Author | SHA1 | Date |
---|---|---|
knoflook | 915a3e83e7 | |
knoflook | 0c691d8f40 | |
knoflook | 9e087bda4a |
16
.env.sample
16
.env.sample
|
@ -8,12 +8,12 @@ LETS_ENCRYPT_ENV=production
|
||||||
SECRET_DB_PASSWORD_VERSION=v1
|
SECRET_DB_PASSWORD_VERSION=v1
|
||||||
SECRET_DB_ROOT_PASSWORD_VERSION=v1
|
SECRET_DB_ROOT_PASSWORD_VERSION=v1
|
||||||
SECRET_ADMIN_PASSWORD_VERSION=v1
|
SECRET_ADMIN_PASSWORD_VERSION=v1
|
||||||
SECRET_SSO_CERT_VERSION=v1
|
|
||||||
|
|
||||||
# SSO_ENABLED=1
|
# SSO_ENABLED=0
|
||||||
# SSO_PROVIDER_URL=https://authentik.example.com/
|
## only set one of those depending on which SSO you're using
|
||||||
# SSO_SAML_URL=https://authentik.example.com/application/saml/kimai/sso/binding/redirect/
|
# SSO_AUTHENTIK=1
|
||||||
# SSO_LOGOUT_URL=https://authentik.example.com/application/saml/kimai/slo/binding/redirect/
|
# SSO_KEYCLOAK=0
|
||||||
|
# SSO_PROVIDER_URL=https://sso.example.org/
|
||||||
# MAILER_URL="smtp://<from>:<password>%3F@<mailserver>:587"
|
# SSO_SAML_URL=https://sso.example.org/application/saml/<application-slug>/sso/binding/redirect/
|
||||||
# MAILER_FROM="Kimai Notifications noreply@example.com"
|
# SSO_LOGOUT_URL=https://sso.example.org/if/session-end/<application-slug>/
|
||||||
|
# SSO_CERT="muchmuchbase64certificatefoobar=="
|
||||||
|
|
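Review bot: The new comment `## only set one of those depending on which SSO you're using` leaves the contract implicit: the kimai config template in this compare tests `SSO_AUTHENTIK` first and `SSO_KEYCLOAK` only in an `else if`, so with both set to 1 Authentik silently wins, and with neither set to 1 no attribute mapping or role mapping is rendered at all. Suggest spelling that out, e.g. `## set exactly one of these to 1 (AUTHENTIK is checked first; neither means no attribute/role mapping is rendered)`. The sample `# SSO_CERT="muchmuchbase64certificatefoobar=="` shows a single-line base64 body, and the value is substituted into a one-line double-quoted YAML scalar (`x509cert: "{{ env "SSO_CERT" }}"` in the config template), so a PEM block with `-----BEGIN/END-----` lines, embedded newlines or `"` characters would break the rendered file; a comment such as `# base64 body only, one line, no PEM header/footer lines` on this line would prevent that.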
13
README.md
13
README.md
|
@ -8,11 +8,11 @@ CoöpCloud [Kimai] ✊⏰
|
||||||
* **Category**: Apps
|
* **Category**: Apps
|
||||||
* **Status**: ?
|
* **Status**: ?
|
||||||
* **Image**: [`kimai/kimai2`](https://hub.docker.com/kimai/kimai2), 4, upstream
|
* **Image**: [`kimai/kimai2`](https://hub.docker.com/kimai/kimai2), 4, upstream
|
||||||
* **Healthcheck**: Yes
|
* **Healthcheck**: No
|
||||||
* **Backups**: Yes
|
* **Backups**: No
|
||||||
* **Email**: Yes
|
* **Email**: No
|
||||||
* **Tests**: 2
|
* **Tests**: 2
|
||||||
* **SSO**: Yes
|
* **SSO**: No
|
||||||
<!-- endmetadata -->
|
<!-- endmetadata -->
|
||||||
|
|
||||||
Based on the recommended [`tobybatch/kimai2`] compose file.
|
Based on the recommended [`tobybatch/kimai2`] compose file.
|
||||||
|
@ -29,8 +29,3 @@ Based on the recommended [`tobybatch/kimai2`] compose file.
|
||||||
[`tobybatch/kimai2`]: https://tobybatch.github.io/kimai2/docker-compose.html#docker-compose
|
[`tobybatch/kimai2`]: https://tobybatch.github.io/kimai2/docker-compose.html#docker-compose
|
||||||
[`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra
|
[`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra
|
||||||
[`coop-cloud/traefik`]: https://git.autonomic.zone/coop-cloud/traefik
|
[`coop-cloud/traefik`]: https://git.autonomic.zone/coop-cloud/traefik
|
||||||
|
|
||||||
## SSO
|
|
||||||
|
|
||||||
To enable SSO, after running the blueprint in Authentik and before deploying Kimai, you need to add the Authentik Self-Signed-Certificate as secret in Kimai via the following command:
|
|
||||||
`abra app cmd -l kimai.tmp.dev.local-it.cloud insert_authentik_certificate`
|
|
||||||
|
|
10
abra.sh
10
abra.sh
|
@ -1,13 +1,7 @@
|
||||||
export ENTRYPOINT_CONF_VERSION=v1
|
export ENTRYPOINT_CONF_VERSION=v1
|
||||||
export LOCAL_CONF_VERSION=v2
|
export LOCAL_CONF_VERSION=v3
|
||||||
|
|
||||||
create_admin () {
|
create_admin () {
|
||||||
export DATABASE_URL="$DATABASE_TYPE://$DATABASE_USER:$(cat /run/secrets/db_password)@$DATABASE_HOST/$DATABASE_NAME"
|
export DATABASE_URL="$DATABASE_TYPE://$DATABASE_USER:$(cat /run/secrets/db_password)@$DATABASE_HOST/$DATABASE_NAME"
|
||||||
/opt/kimai/bin/console kimai:create-user admin admin@example.org ROLE_SUPER_ADMIN
|
/opt/kimai/bin/console kimai:create-user admin admin@example.org ROLE_SUPER_ADMIN
|
||||||
}
|
|
||||||
|
|
||||||
insert_authentik_certificate() {
|
|
||||||
SSO_PROVIDER_DOMAIN=$(echo $SSO_PROVIDER_URL | cut -d '/' -f 3)
|
|
||||||
CERT=$(abra app cmd -T $SSO_PROVIDER_DOMAIN worker get_certificate Kimai)
|
|
||||||
abra app secret insert $APP_NAME sso_cert v1 $CERT
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,8 +0,0 @@
|
||||||
authentik:
|
|
||||||
uncomment:
|
|
||||||
- SSO_ENABLED
|
|
||||||
- SSO_PROVIDER_URL
|
|
||||||
- SSO_SAML_URL
|
|
||||||
- SSO_LOGOUT_URL
|
|
||||||
secret_hooks:
|
|
||||||
- insert_authentik_certificate
|
|
55
compose.yml
55
compose.yml
|
@ -1,7 +1,7 @@
|
||||||
version: '3.8'
|
version: '3.8'
|
||||||
services:
|
services:
|
||||||
app:
|
app:
|
||||||
image: kimai/kimai2:apache-2.19.1-prod
|
image: kimai/kimai2:apache-1.29.1-prod
|
||||||
environment:
|
environment:
|
||||||
- APP_ENV=prod
|
- APP_ENV=prod
|
||||||
- TRUSTED_HOSTS=localhost,traefik,${DOMAIN},127.0.0.1
|
- TRUSTED_HOSTS=localhost,traefik,${DOMAIN},127.0.0.1
|
||||||
|
@ -10,16 +10,17 @@ services:
|
||||||
- ADMINPASS_FILE=/run/secrets/admin_password
|
- ADMINPASS_FILE=/run/secrets/admin_password
|
||||||
- DATABASE_TYPE=mysql
|
- DATABASE_TYPE=mysql
|
||||||
- DATABASE_HOST=db
|
- DATABASE_HOST=db
|
||||||
- DATABASE_NAME=kimai?charset=utf8mb4&serverVersion=5.7
|
- DATABASE_NAME=kimai
|
||||||
- DATABASE_USER=kimai
|
- DATABASE_USER=kimai
|
||||||
- DATABASE_PASSWORD_FILE=/run/secrets/db_password
|
- DATABASE_PASSWORD_FILE=/run/secrets/db_password
|
||||||
- DOMAIN
|
- DOMAIN
|
||||||
- SSO_ENABLED
|
- SSO_ENABLED
|
||||||
|
- SSO_KEYCLOAK
|
||||||
|
- SSO_AUTHENTIK
|
||||||
- SSO_PROVIDER_URL
|
- SSO_PROVIDER_URL
|
||||||
- SSO_SAML_URL
|
- SSO_SAML_URL
|
||||||
- SSO_LOGOUT_URL
|
- SSO_LOGOUT_URL
|
||||||
- MAILER_URL
|
- SSO_CERT
|
||||||
- MAILER_FROM
|
|
||||||
volumes:
|
volumes:
|
||||||
- kimai_public:/opt/kimai/public
|
- kimai_public:/opt/kimai/public
|
||||||
- kimai_var:/opt/kimai/var
|
- kimai_var:/opt/kimai/var
|
||||||
|
@ -35,16 +36,16 @@ services:
|
||||||
secrets:
|
secrets:
|
||||||
- db_password
|
- db_password
|
||||||
- admin_password
|
- admin_password
|
||||||
- sso_cert
|
|
||||||
depends_on:
|
depends_on:
|
||||||
- db
|
- db
|
||||||
|
#entrypoint: ['tail', '-f', '/dev/null']
|
||||||
entrypoint: /docker-entrypoint.sh
|
entrypoint: /docker-entrypoint.sh
|
||||||
healthcheck:
|
#healthcheck:
|
||||||
test: curl -s -o /dev/null http://localhost:8001 || exit 1
|
# test: curl -s -o /dev/null http://localhost:8001 || exit 1
|
||||||
interval: 30s
|
# interval: 20s
|
||||||
start_period: 3m
|
# start_period: 10s
|
||||||
timeout: 10s
|
# timeout: 10s
|
||||||
retries: 10
|
# retries: 3
|
||||||
deploy:
|
deploy:
|
||||||
restart_policy:
|
restart_policy:
|
||||||
condition: on-failure
|
condition: on-failure
|
||||||
|
@ -58,8 +59,7 @@ services:
|
||||||
- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
|
- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
|
||||||
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
|
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
|
||||||
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
|
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
|
||||||
- "coop-cloud.${STACK_NAME}.version=1.2.0+apache-2.19.1-prod"
|
- "coop-cloud.${STACK_NAME}.version=0.3.0+apache-1.29.1-prod"
|
||||||
- "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
|
|
||||||
db:
|
db:
|
||||||
image: mysql:5.7
|
image: mysql:5.7
|
||||||
environment:
|
environment:
|
||||||
|
@ -75,25 +75,24 @@ services:
|
||||||
- db_password
|
- db_password
|
||||||
- db_root_password
|
- db_root_password
|
||||||
command: --default-storage-engine innodb
|
command: --default-storage-engine innodb
|
||||||
healthcheck:
|
#healthcheck:
|
||||||
test: ["CMD-SHELL", 'mysqladmin -p"$$(cat /run/secrets/db_root_password)" ping -h localhost']
|
# test: mysqladmin -pchangemeplease ping -h localhost
|
||||||
interval: 30s
|
# interval: 20s
|
||||||
timeout: 10s
|
# start_period: 10s
|
||||||
retries: 10
|
# timeout: 10s
|
||||||
start_period: 1m
|
# retries: 3
|
||||||
|
|
||||||
deploy:
|
deploy:
|
||||||
labels:
|
labels:
|
||||||
- "backupbot.backup=true"
|
- backupbot.backup="true"
|
||||||
- "backupbot.backup.pre-hook=sh -c 'mysqldump --single-transaction -u root -p\"$$(cat /run/secrets/db_root_password)\" kimai > /var/lib/mysql/backup.sql'"
|
- backupbot.backup.pre-hook='mkdir -p /tmp/backup/ && mysqldump --single-transaction -u root -p"$$(cat /run/secrets/db_root_password)" kimai > /tmp/backup/backup.sql'
|
||||||
- "backupbot.backup.post-hook=rm -f /var/lib/mysql/backup.sql"
|
- backupbot.backup.post-hook="rm -rf /tmp/backup"
|
||||||
- "backupbot.backup.path=/var/lib/mysql/backup.sql"
|
- backupbot.backup.path="/tmp/backup/"
|
||||||
|
|
||||||
volumes:
|
volumes:
|
||||||
kimai_var:
|
kimai_var:
|
||||||
kimai_public:
|
kimai_public:
|
||||||
mariadb:
|
mariadb:
|
||||||
|
|
||||||
|
|
||||||
secrets:
|
secrets:
|
||||||
db_password:
|
db_password:
|
||||||
external: true
|
external: true
|
||||||
|
@ -104,16 +103,10 @@ secrets:
|
||||||
admin_password:
|
admin_password:
|
||||||
external: true
|
external: true
|
||||||
name: ${STACK_NAME}_admin_password_${SECRET_ADMIN_PASSWORD_VERSION}
|
name: ${STACK_NAME}_admin_password_${SECRET_ADMIN_PASSWORD_VERSION}
|
||||||
sso_cert:
|
|
||||||
external: true
|
|
||||||
name: ${STACK_NAME}_sso_cert_${SECRET_SSO_CERT_VERSION}
|
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
proxy:
|
proxy:
|
||||||
external: true
|
external: true
|
||||||
internal:
|
internal:
|
||||||
|
|
||||||
|
|
||||||
configs:
|
configs:
|
||||||
entrypoint_conf:
|
entrypoint_conf:
|
||||||
name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_CONF_VERSION}
|
name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_CONF_VERSION}
|
||||||
|
|
|
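Review bot: The rewritten backupbot labels in the `@ -75,25 +75,24 @@` hunk move the quotes inside the value, so `- backupbot.backup="true"` is a plain YAML scalar whose label value is `"true"` including the quote characters, whereas the replaced form `- "backupbot.backup=true"` yielded `true`; unless backupbot strips quotes when matching, the db service is silently excluded from backups, and `backupbot.backup.path="/tmp/backup/"` and the post-hook carry the same literal quotes. Quoting the whole list entry as before, e.g. `- "backupbot.backup=true"` and `- "backupbot.backup.path=/tmp/backup/"`, removes the ambiguity. Both `healthcheck:` blocks (app in `@ -35,16 +36,16 @@`, db in this hunk) are now commented out, so `restart_policy: condition: on-failure` no longer reacts to a hung service; if they were disabled deliberately for this image, a one-line comment saying why would help the next maintainer. The README in this compare now reports Backups: No while these backup labels remain, which is worth reconciling.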
@ -3,16 +3,27 @@ kimai:
|
||||||
saml:
|
saml:
|
||||||
activate: true
|
activate: true
|
||||||
title: Login with SAML
|
title: Login with SAML
|
||||||
|
{{ if eq (env "SSO_AUTHENTIK") "1" }}
|
||||||
mapping:
|
mapping:
|
||||||
- { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, kimai: email }
|
- { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, kimai: email }
|
||||||
- { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, kimai: alias }
|
- { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, kimai: alias }
|
||||||
roles:
|
roles:
|
||||||
resetOnLogin: true
|
|
||||||
attribute: http://schemas.xmlsoap.org/claims/Group
|
attribute: http://schemas.xmlsoap.org/claims/Group
|
||||||
|
resetOnLogin: true
|
||||||
|
attribute: Roles
|
||||||
mapping:
|
mapping:
|
||||||
# Insert your roles here (ROLE_USER is added automatically)
|
|
||||||
- { saml: admin.group, kimai: ROLE_ADMIN }
|
- { saml: admin.group, kimai: ROLE_ADMIN }
|
||||||
- { saml: "authentik Admins", kimai: ROLE_ADMIN }
|
{{ else if eq (env "SSO_KEYCLOAK") "1" }}
|
||||||
|
mapping:
|
||||||
|
- { saml: $Email, kimai: email }
|
||||||
|
- { saml: $FirstName $LastName, kimai: alias }
|
||||||
|
roles:
|
||||||
|
resetOnLogin: true
|
||||||
|
attribute: Roles
|
||||||
|
mapping:
|
||||||
|
- { saml: Admins, kimai: ROLE_ADMIN }
|
||||||
|
- { saml: Management, kimai: ROLE_TEAMLEAD }
|
||||||
|
{{ end }}
|
||||||
connection:
|
connection:
|
||||||
# You SAML provider
|
# You SAML provider
|
||||||
# Your Authentik instance, replace https://authentik.company with your authentik URL
|
# Your Authentik instance, replace https://authentik.company with your authentik URL
|
||||||
|
@ -21,11 +32,12 @@ kimai:
|
||||||
singleSignOnService:
|
singleSignOnService:
|
||||||
url: "{{ env "SSO_SAML_URL" }}"
|
url: "{{ env "SSO_SAML_URL" }}"
|
||||||
binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
|
binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
|
||||||
|
# the "single logout" feature was not yet tested, if you want to help, please let me know!
|
||||||
singleLogoutService:
|
singleLogoutService:
|
||||||
url: "{{ env "SSO_LOGOUT_URL" }}"
|
url: "{{ env "SSO_LOGOUT_URL" }}"
|
||||||
binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
|
binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
|
||||||
# Signing certificate from *Advanced protocol settings*
|
# Signing certificate from *Advanced protocol settings*
|
||||||
x509cert: "{{ secret "sso_cert" }}"
|
x509cert: "{{ env "SSO_CERT" }}"
|
||||||
# Service Provider Data that we are deploying.
|
# Service Provider Data that we are deploying.
|
||||||
# Your Kimai instance, replace https://kimai.dev.local-it.cloud with your Kimai URL
|
# Your Kimai instance, replace https://kimai.dev.local-it.cloud with your Kimai URL
|
||||||
sp:
|
sp:
|
||||||
|
|
|
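Review bot: In the Authentik branch of the `@ -3,16 +3,27 @@` hunk, the `roles:` block keeps `attribute: http://schemas.xmlsoap.org/claims/Group` as context and then adds `attribute: Roles`; as far as the indentation can be read from this view both sit in the same mapping, so the key is duplicated and the outcome depends on the YAML parser (last value wins or a parse error). Either drop the old `attribute:` line from that branch or keep the Group value if that is what the provider emits, but not both. The same hunk emits `mapping:`/`roles:` only when `SSO_AUTHENTIK` or `SSO_KEYCLOAK` equals `"1"`, so a deployment with neither renders a `saml:` block with `activate: true` and no attribute mapping; a template comment above the `{{ if ... }}`, such as `# exactly one of SSO_AUTHENTIK / SSO_KEYCLOAK must be "1", otherwise no attribute mapping is rendered`, would make that visible where it matters.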
@ -0,0 +1,5 @@
|
||||||
|
If you have SSO enabled this upgrade will break unless you add
|
||||||
|
`SSO_KEYCLOAK=1` or `SSO_AUTHENTIK=1` in your env file for kimai!
|
||||||
|
This allows us to support both SSO methods
|
||||||
|
|
||||||
|
knoflook @ kotec.pl
|
|
@ -1 +0,0 @@
|
||||||
Make sure to have have a working backup before upgrading!
|
|