notplants 4d0448fa76 move oidc issuer_url and client_id to env vars, rename secret to oidc_secret
Only oidc_client_secret is actually sensitive — issuer_url and client_id
are now plain env vars. Renamed oidc_client_secret to oidc_secret to
pass abra lint. Updated README with accurate quickstart and OIDC setup.
Entrypoint guards git commands for min image compatibility.
2026-04-07 05:09:27 +00:00

lichen

  • Category: Apps
  • Status: 0
  • Image: notplants/lichen-full
  • Healthcheck: Yes
  • Backups: Yes
  • Email: No
  • Tests: No
  • SSO: Yes (OIDC)

Basic usage

  1. Set up Docker Swarm and abra
  2. Deploy coop-cloud/traefik
  3. abra app new lichen
  4. abra app config YOURAPPDOMAIN — set DOMAIN to something that resolves to your Docker Swarm box
  5. abra app secret generate YOURAPPDOMAIN --all
  6. abra app deploy YOURAPPDOMAIN

Auth providers

The AUTH_PROVIDERS env var controls which login methods are available (comma-separated). The default is file,atproto.

Valid providers: file (username/password), atproto (Bluesky), oidc (OpenID Connect).

Minimal image

A lighter image without atproto/git/shell support is available. Enable it by uncommenting the min overlay in your app config:

COMPOSE_FILE="$COMPOSE_FILE:compose.min.yml"

When using the minimal image, set AUTH_PROVIDERS=file (or file,oidc with OIDC).

SSO/OIDC

To enable OIDC login, uncomment the OIDC overlay and set your provider details in your app config:

COMPOSE_FILE="$COMPOSE_FILE:compose.oidc.yml"
OIDC_ISSUER_URL=https://keycloak.example.com/realms/myrealm
OIDC_CLIENT_ID=lichen
SECRET_OIDC_SECRET_VERSION=v1

Then insert the client secret:

abra app secret insert YOURAPPDOMAIN oidc_secret v1 YOUR_CLIENT_SECRET

Add oidc to your AUTH_PROVIDERS (e.g. AUTH_PROVIDERS=file,oidc) and redeploy.
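The settings above interact in a few ways that are easy to get wrong before a redeploy: the minimal image cannot serve atproto logins, and oidc in AUTH_PROVIDERS only works when the compose.oidc.yml overlay, OIDC_ISSUER_URL, OIDC_CLIENT_ID and the oidc_secret version pointer are all present. The script below is an added example, not part of the lichen recipe or of abra; it assumes the app config is the plain KEY=value env file that abra edits, uses the variable names from this README, and flags a secret value pasted straight into the env file (a heuristic on variable names containing SECRET) since the client secret belongs in abra app secret insert.

```bash
#!/usr/bin/env bash
# Added example (not part of the lichen recipe or abra): sanity-check an app
# config before `abra app deploy`. Assumes the KEY=value env file abra edits and
# the README's variable names (AUTH_PROVIDERS, COMPOSE_FILE, OIDC_ISSUER_URL,
# OIDC_CLIENT_ID, SECRET_OIDC_SECRET_VERSION).

# get_var FILE KEY: value of the last uncommented KEY= line, quotes stripped
get_var() {
    awk -F= -v k="$2" '$1 == k { v = substr($0, length(k) + 2) }
        END { gsub(/^"|"$/, "", v); print v }' "$1"
}

# all_compose_files FILE: every overlay appended to COMPOSE_FILE, one per line
# (abra configs accumulate COMPOSE_FILE="$COMPOSE_FILE:compose.x.yml" lines)
all_compose_files() {
    awk -F= '$1 == "COMPOSE_FILE" { v = substr($0, 14); gsub(/"/, "", v);
        n = split(v, p, ":"); for (i = 1; i <= n; i++)
            if (p[i] != "" && p[i] !~ /^\$/) print p[i] }' "$1"
}

# has_item COMMA_LIST ITEM / has_overlay NEWLINE_LIST NAME: membership tests
has_item() { case ",$1," in *",$2,"*) return 0 ;; esac; return 1; }
has_overlay() { printf '%s\n' "$1" | grep -qx "$2"; }

# check_config FILE: print every problem found; return the number of problems
check_config() {
    local file=$1 problems=0 providers overlays issuer p k
    providers=$(get_var "$file" AUTH_PROVIDERS)
    [ -n "$providers" ] || providers="file,atproto"   # README default
    overlays=$(all_compose_files "$file")

    # 1. only the providers the README lists are valid
    for p in $(printf '%s' "$providers" | tr ',' ' '); do
        case "$p" in
            file|atproto|oidc) ;;
            *) echo "unknown AUTH_PROVIDERS entry: $p"; problems=$((problems + 1)) ;;
        esac
    done

    # 2. the minimal image has no atproto support
    if has_overlay "$overlays" compose.min.yml && has_item "$providers" atproto; then
        echo "compose.min.yml enabled but AUTH_PROVIDERS has atproto (use file or file,oidc)"
        problems=$((problems + 1))
    fi

    # 3. OIDC needs overlay, issuer, client id and secret version pointer together
    if has_item "$providers" oidc; then
        has_overlay "$overlays" compose.oidc.yml ||
            { echo "oidc in AUTH_PROVIDERS but compose.oidc.yml not in COMPOSE_FILE"; problems=$((problems + 1)); }
        issuer=$(get_var "$file" OIDC_ISSUER_URL)
        case "$issuer" in
            https://*) ;;
            "") echo "OIDC_ISSUER_URL is not set"; problems=$((problems + 1)) ;;
            *) echo "OIDC_ISSUER_URL must use https:// (got $issuer)"; problems=$((problems + 1)) ;;
        esac
        [ -n "$(get_var "$file" OIDC_CLIENT_ID)" ] ||
            { echo "OIDC_CLIENT_ID is not set"; problems=$((problems + 1)); }
        [ -n "$(get_var "$file" SECRET_OIDC_SECRET_VERSION)" ] ||
            { echo "SECRET_OIDC_SECRET_VERSION is not set (run abra app secret insert ... oidc_secret v1 ...)"; problems=$((problems + 1)); }
    elif has_overlay "$overlays" compose.oidc.yml; then
        echo "compose.oidc.yml enabled but oidc is not in AUTH_PROVIDERS"
        problems=$((problems + 1))
    fi

    # 4. heuristic: a secret value pasted into the env file instead of an abra secret
    #    (SECRET_*_VERSION lines are version pointers, not secrets, and are ignored)
    for k in $(awk -F= '$1 ~ /^[A-Z0-9_]*SECRET[A-Z0-9_]*$/ &&
                        $1 !~ /^SECRET_[A-Z0-9_]+_VERSION$/ &&
                        length($2) > 0 { print $1 }' "$file"); do
        echo "$k holds a literal value in the env file; use abra app secret insert instead"
        problems=$((problems + 1))
    done
    return "$problems"
}

# write_sample good|bad PATH: constructed app configs for demonstration only
write_sample() {
    if [ "$1" = good ]; then
        cat > "$2" <<'EOF'
TYPE=lichen
DOMAIN=lichen.example.com
COMPOSE_FILE="compose.yml"
COMPOSE_FILE="$COMPOSE_FILE:compose.min.yml"
COMPOSE_FILE="$COMPOSE_FILE:compose.oidc.yml"
AUTH_PROVIDERS=file,oidc
OIDC_ISSUER_URL=https://keycloak.example.com/realms/myrealm
OIDC_CLIENT_ID=lichen
SECRET_OIDC_SECRET_VERSION=v1
EOF
    else
        cat > "$2" <<'EOF'
TYPE=lichen
DOMAIN=lichen.example.com
COMPOSE_FILE="compose.yml"
COMPOSE_FILE="$COMPOSE_FILE:compose.min.yml"
#COMPOSE_FILE="$COMPOSE_FILE:compose.oidc.yml"
AUTH_PROVIDERS=file,atproto,oidc,ldap
OIDC_ISSUER_URL=http://keycloak.example.com/realms/myrealm
OIDC_CLIENT_ID=lichen
OIDC_SECRET=hunter2
EOF
    fi
}

# Stand-alone demo on the two constructed configs (good: no findings; bad: six)
demo_dir=$(mktemp -d)
for kind in good bad; do
    write_sample "$kind" "$demo_dir/$kind.env"
    echo "== $kind.env"
    if check_config "$demo_dir/$kind.env"; then echo "no problems found"; fi
done
rm -r "$demo_dir"
```

Run it against a real config with check_config ~/.abra/servers/YOURSERVER/YOURAPPDOMAIN.env (the path is an assumption about where abra keeps app configs). The checks are deliberately conservative: they read only the uncommented KEY= lines, so a commented-out overlay counts as disabled exactly as abra treats it.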

TLS architecture (Caddy sidecar)

This recipe uses a Caddy sidecar for TLS instead of letting Traefik terminate TLS directly.

  1. Traefik receives TLS connections on port 443 and does TCP passthrough (no TLS termination) for traffic matching DOMAIN and *.DOMAIN, forwarding the raw TLS stream to Caddy.
  2. Caddy terminates TLS using on-demand certificates — it automatically obtains a Let's Encrypt certificate for each subdomain the first time a connection arrives.
  3. Caddy reverse proxies the decrypted HTTP traffic to lichen on port 9000.

The first request to a new subdomain may take 10-30 seconds while Caddy obtains the TLS certificate. Subsequent requests are instant.

No changes to the Traefik recipe are needed — the TCP passthrough is configured entirely via deploy labels in this recipe's compose.yml.


Recipe maintained by @notplants
