add configurable auth_providers, min image overlay, bump to 0.1.9

- Add AUTH_PROVIDERS env var (comma-separated, default: file,atproto) to control which login methods are shown - Unified lichen.toml.tmpl with OIDC section gated on OIDC_ENABLED env - Entrypoint generates lichen.toml from base config only if not already present, preserving user customizations - Add compose.min.yml overlay for lichen-min image (without atproto/git/shell) - Entrypoint guards git commands for min image compatibility - Bump lichen-full and lichen-min images to 0.1.9 - Bump recipe version to 0.1.1+0.1.9
2026-04-07 04:40:06 +00:00
parent 7b7d7e075e
commit a8cee2f92d
6 changed files with 39 additions and 20 deletions
--- a/.env.sample
+++ b/.env.sample
@ -16,16 +16,21 @@ COMPOSE_FILE="compose.yml"
 # Extra domains for sites with custom domains (HostSNI backtick format)
 #EXTRA_DOMAINS=', `site1.example.com`, `site2.example.org`'

+# Minimal image without atproto/git/shell (uncomment to use)
+#COMPOSE_FILE="$COMPOSE_FILE:compose.min.yml"
+
 # SSO/OIDC (uncomment to enable)
 #COMPOSE_FILE="$COMPOSE_FILE:compose.oidc.yml"
 #SECRET_OIDC_ISSUER_URL_VERSION=v1       # generate=false
 #SECRET_OIDC_CLIENT_ID_VERSION=v1        # generate=false
 #SECRET_OIDC_CLIENT_SECRET_VERSION=v1    # generate=false
-#LICHEN_TOML_VERSION=v1
-
 # Secrets
 SECRET_ADMIN_PASSWORD_VERSION=v1

 # Config versions
 ENTRYPOINT_VERSION=v4
 CADDYFILE_VERSION=v2
+LICHEN_TOML_VERSION=v1
+
+# Auth providers (comma-separated: file, atproto, oidc)
+#AUTH_PROVIDERS=file,atproto
--- a/compose.min.yml
+++ b/compose.min.yml
@ -0,0 +1,6 @@
+---
+version: "3.8"
+
+services:
+  app:
+    image: notplants/lichen-min:0.1.9
--- a/compose.oidc.yml
+++ b/compose.oidc.yml
@ -3,10 +3,8 @@ version: "3.8"

 services:
  app:
-    configs:
-      - source: lichen_toml
-        target: /data/lichen.toml
-        mode: 0444
+    environment:
+      - OIDC_ENABLED=true
    secrets:
      - oidc_issuer_url
      - oidc_client_id
@ -22,9 +20,3 @@ secrets:
  oidc_client_secret:
    external: true
    name: ${STACK_NAME}_oidc_client_secret_${SECRET_OIDC_CLIENT_SECRET_VERSION}
-
-configs:
-  lichen_toml:
-    name: ${STACK_NAME}_lichen_toml_${LICHEN_TOML_VERSION}
-    file: lichen.toml.tmpl
-    template_driver: golang
--- a/compose.yml
+++ b/compose.yml
@ -3,7 +3,7 @@ version: "3.8"

 services:
  app:
-    image: notplants/lichen-full:0.1.6
+    image: notplants/lichen-full:0.1.9
    entrypoint: ["/entrypoint.sh"]
    networks:
      - internal
@ -13,11 +13,15 @@ services:
      - LM_USE_AUTH=true
      - LM_ROOT_DIR=/data
      - LM_PUBLIC_URL=https://${DOMAIN}
+      - AUTH_PROVIDERS=${AUTH_PROVIDERS:-file,atproto}
      - RUST_LOG=${RUST_LOG:-info}
    configs:
      - source: entrypoint
        target: /entrypoint.sh
        mode: 0555
+      - source: lichen_toml
+        target: /data/lichen-base.toml
+        mode: 0444
    secrets:
      - admin_password
    volumes:
@ -28,7 +32,7 @@ services:
        max_attempts: 5
      labels:
        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
-        - "coop-cloud.${STACK_NAME}.version=0.1.0+0.1.6"
+        - "coop-cloud.${STACK_NAME}.version=0.1.1+0.1.9"
        - "backupbot.backup=${ENABLE_BACKUPS:-true}"
    healthcheck:
      test: ["CMD", "wget", "-q", "--spider", "http://127.0.0.1:9000/tls-check"]
@ -83,3 +87,7 @@ configs:
  caddyfile:
    name: ${STACK_NAME}_caddyfile_${CADDYFILE_VERSION}
    file: Caddyfile
+  lichen_toml:
+    name: ${STACK_NAME}_lichen_toml_${LICHEN_TOML_VERSION}
+    file: lichen.toml.tmpl
+    template_driver: golang
--- a/entrypoint.sh
+++ b/entrypoint.sh
@ -7,9 +7,18 @@ rm -f /usr/bin/bwrap
 # Install bash for lichen shell feature
 apk add --no-cache bash > /dev/null 2>&1 || true

-# Set git identity for auto-commit
-git config --global user.email "lichen@${LM_DASHBOARD_DOMAIN:-localhost}"
-git config --global user.name "lichen"
+# Set git identity for auto-commit (git may not be present in min image)
+if command -v git > /dev/null 2>&1; then
+  git config --global user.email "lichen@${LM_DASHBOARD_DOMAIN:-localhost}"
+  git config --global user.name "lichen"
+fi
+
+# Copy base config to lichen.toml only if user hasn't customized it
+if [ ! -f /data/lichen.toml ]; then
+  # Convert comma-separated AUTH_PROVIDERS to TOML array
+  TOML_PROVIDERS=$(echo "${AUTH_PROVIDERS:-file,atproto}" | sed 's/[^,][^,]*/\"&\"/g')
+  { echo "auth_providers = [$TOML_PROVIDERS]"; echo; cat /data/lichen-base.toml; } > /data/lichen.toml
+fi

 ADMIN_PASSWORD=$(cat /run/secrets/admin_password)

--- a/lichen.toml.tmpl
+++ b/lichen.toml.tmpl
@ -1,7 +1,6 @@
-use_auth = true
-auth_providers = ["file", "oidc"]
-
+{{ if env "OIDC_ENABLED" }}
 [oidc]
 issuer_url = "{{ secret "oidc_issuer_url" }}"
 client_id = "{{ secret "oidc_client_id" }}"
 client_secret = "{{ secret "oidc_client_secret" }}"
+{{ end }}