From 107bc2fca91851cc4b5d737773e1a621aa6703e3 Mon Sep 17 00:00:00 2001
From: marlon
Date: Mon, 10 Feb 2025 17:48:48 -0500
Subject: [PATCH] SSO and email support added

---
 README.md | 53 +++++++++++++++++++++++++++++++++++++++++++++++
 compose.email.yml | 11 ++++++++++
 config.json.tmpl | 28 ++++++++++++-------------
 3 files changed, 78 insertions(+), 14 deletions(-)
 create mode 100644 compose.email.yml

diff --git a/README.md b/README.md
index 3acc87c..a58bb46 100644
--- a/README.md
+++ b/README.md
@@ -24,5 +24,58 @@
 5. `abra app deploy YOURAPPNAME`
 6. Open the configured domain in your browser to finish set-up

+## Enable Email
+- `abra app config YOURAPPNAME`
+- Uncomment the section starting with **Email Support**
+- `abra app secret i chat.justiceexchange.org smtp_pass v1 'yourSMTPpassword'`
+- `abra app undeploy YOURAPPNAME`
+- `abra app deploy YOURAPPNAME`
+
+## Enable SSO with Authentik
+This is how to configure your Mattermost server to accept logins from your Authentik SSO provider.
+
+### Configure Authentik
+#### Create a property mapping
+- Log in as administrator of your Authentik instance
+- Go to https://authentik.yourserver.org/if/admin/#/core/property-mappings and choose **Create**
+- Choose Scope Mapping
+ - Name: `Mattermost ID`
+ - Scope Name: `id`
+ - Description: *optional own description*
+ - Expression: `return { "id": request.user.id }`
+- Create another Scope Mapping
+ - Name: `Mattermost Username`
+ - Scope Name: `username`
+ - Description: *optional own description*
+ - Expression: `return { "username": request.user.username }`
+#### Create Application and Provider
+- Go to https://authentik.yourserver.org/if/admin/#/core/applications and choose **Create With Wizard**
+ - Application Name: mattermost
+ - **Next**
+ - Choose OAuth2/OIDC
+ - Set Authorization flow: `default-provider-authorization-implicit-consent (Authorize Application)`
+ - Copy the **Client ID** and **Client Secret**, you'll need them later
+ - Add Redirect URIs:
+ - https://mattermost.yourserver.org/login/gitlab/complete
+ - https://mattermost.yourserver.org/signup/gitlab/complete
+ - Expand Advanced Protocol Settings
+ - Under Scopes, select `Mattermost ID` and `Mattermost Username`, and click the > to add them to **Selected Scopes**
+ - **Submit**
+
+### Configure Mattermost
+**WARNING: Following these steps will overwrite the configuration of your Mattermost instance**
+- `abra app configure YOURAPPNAME`
+ - Uncomment the section starting with `## SSO config`
+ - Set `SSO_ID` to the value you saved when configuring Authentik
+- `abra app secret insert YOURAPPNAME mattermost_sso_secret v1 `
+- `abra app undeploy YOURAPPNAME`
+- `abra app deploy YOURAPPNAME`
+
+### Disable non-SSO login (Optional)
+- Ensure that your SSO user has the **System Admin** role: https://YOURAPPNAME/admin_console/user_management/users
+- Go to https://YOURAPPNAME/admin_console/authentication/email
+- Set **Enable sign-in with email** and **Enable sign-in with username** to `false`
+
+
 [`abra`]: https://git.coopcloud.tech/coop-cloud/abra
 [`coop-cloud/traefik`]: https://git.coopcloud.tech/coop-cloud/traefik
diff --git a/compose.email.yml b/compose.email.yml
new file mode 100644
index 0000000..bbd6c65
--- /dev/null
+++ b/compose.email.yml
@@ -0,0 +1,11 @@
+version: "3.8"
+
+services:
+ app:
+ secrets:
+ - smtp_pass
+
+secrets:
+ smtp_pass:
+ external: true
+ name: ${STACK_NAME}_smtp_pass_${SECRET_SMTP_PASS_VERSION}
\ No newline at end of file
diff --git a/config.json.tmpl b/config.json.tmpl
index 6fd45db..38fa8c1 100644
--- a/config.json.tmpl
+++ b/config.json.tmpl
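Review bot: compose.email.yml ends without a trailing newline (`\ No newline at end of file` on its last line); end the file with a newline so concatenation and diff tooling behave. The secret name `${STACK_NAME}_smtp_pass_${SECRET_SMTP_PASS_VERSION}` depends on `SECRET_SMTP_PASS_VERSION` being defined, and the diffstat shows no env sample touched in this commit, so the README's "Uncomment the section starting with **Email Support**" step presumably relies on an entry that already exists there — worth confirming before merge.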
@@ -256,22 +256,22 @@
 },
 "EmailSettings": {
 "EnableSignUpWithEmail": true,
- "EnableSignInWithEmail": false,
- "EnableSignInWithUsername": false,
- "SendEmailNotifications": false,
+ "EnableSignInWithEmail": true,
+ "EnableSignInWithUsername": true,
+ "SendEmailNotifications": true,
 "UseChannelInEmailNotifications": false,
 "RequireEmailVerification": false,
- "FeedbackName": "",
- "FeedbackEmail": "",
- "ReplyToAddress": "",
+ "FeedbackName": "{{ env "ORG_NAME" }}",
+ "FeedbackEmail": "{{ env "ORG_EMAIL_ADDRESS" }}",
+ "ReplyToAddress": "{{ env "ORG_EMAIL_ADDRESS" }}",
 "FeedbackOrganization": "",
- "EnableSMTPAuth": false,
- "SMTPUsername": "",
- "SMTPPassword": "",
- "SMTPServer": "localhost",
- "SMTPPort": "10025",
+ "EnableSMTPAuth": true,
+ "SMTPUsername": "{{ env "SMTP_USER" }}",
+ "SMTPPassword": "{{ secret "smtp_pass" }}",
+ "SMTPServer": "{{ env "SMTP_HOST" }}",
+ "SMTPPort": "{{ env "SMTP_PORT" }}",
 "SMTPServerTimeout": 10,
- "ConnectionSecurity": "",
+ "ConnectionSecurity": "{{ env "SMTP_SECURITY" }}",
 "SendPushNotifications": true,
 "PushNotificationServer": "https://push-test.mattermost.com",
 "PushNotificationContents": "full",
@@ -279,7 +279,7 @@
 "EnableEmailBatching": false,
 "EmailBatchingBufferSize": 256,
 "EmailBatchingInterval": 30,
- "EnablePreviewModeBanner": true,
+ "EnablePreviewModeBanner": false,
 "SkipServerCertificateVerification": false,
 "EmailNotificationContentsType": "full",
 "LoginButtonColor": "#0000",
@@ -306,7 +306,7 @@
 "HelpLink": "https://mattermost.com/pl/help/",
 "ReportAProblemLink": "https://mattermost.com/pl/report-a-bug",
 "ForgotPasswordLink": "",
- "SupportEmail": "",
+ "SupportEmail": "{{ env "ORG_EMAIL_ADDRESS" }}",
 "CustomTermsOfServiceEnabled": false,
 "CustomTermsOfServiceReAcceptancePeriod": 365,
 "EnableAskCommunityLink": true
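Review bot: `"ConnectionSecurity": "{{ env "SMTP_SECURITY" }}"` has no fallback, so an unset `SMTP_SECURITY` renders as `""`, which Mattermost treats as no transport encryption for an SMTP session that now carries the credentials set via `SMTPUsername`/`SMTPPassword`; consider `"ConnectionSecurity": "{{ or (env "SMTP_SECURITY") "STARTTLS" }}"` or document the variable as required. `"SMTPPassword": "{{ secret "smtp_pass" }}"` is rendered unconditionally, but the secret is only mounted when the new compose.email.yml is included, so a deployment without the email profile may fail to render this config — that needs a guard or an explicit note in the README. `EnableSignInWithEmail`, `EnableSignInWithUsername` and `EnableSMTPAuth` are flipped to hard-coded `true` while the neighbouring fields became env-driven; since the README's SSO-only section asks admins to turn the first two off in the admin console and its warning says a redeploy overwrites the config, sourcing them from the env like the other fields would keep that choice across deploys. The `EmailSettings` object continues past the end of this hunk.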