feat: add SSO env options for compose file

Reviewed-on: #11

.drone.yml

@@ -34,7 +34,7 @@ steps:
         from_secret: drone_abra-bot_token
       fork: true
       repositories:
-        - coop-cloud/auto-recipes-catalogue-json
+        - toolshed/auto-recipes-catalogue-json
 
 trigger:
   event: tag

.env.sample

@@ -15,6 +15,8 @@ LOG_LEVEL=warn
 
 SECRET_ADMIN_TOKEN_VERSION=v1 # length=48
 
+TX="Europe/Berlin"
+
 ## DB settings
 #COMPOSE_FILE="$COMPOSE_FILE:compose.mariadb.yml"
 #SECRET_DB_PASSWORD_VERSION=v1
@@ -23,8 +25,35 @@ SECRET_ADMIN_TOKEN_VERSION=v1 # length=48
 ## SMTP settings
 #COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
 #SECRET_SMTP_PASSWORD_VERSION=v1
+#SMTP_ENABLED=1
 #SMTP_FROM=noreply@example.com
 #SMTP_USERNAME=noreply@example.com
 #SMTP_HOST=mail.example.com
 #SMTP_PORT=587
 #SMTP_SECURITY=starttls
+
+## SSO Setup Start ##
+
+## SSO Required Setup
+#COMPOSE_FILE="$COMPOSE_FILE:compose.sso.yml"
+#SSO_ENABLED=false ## Activate the SSO
+
+## the OpenID Connect Discovery endpoint of your SSO. Should not include the /.well-known/openid-configuration part and no trailing / ${SSO_AUTHORITY}/.well-known/openid-configuration must return a JSON document: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse (with an HTTP status code 200 OK!)
+#SSO_AUTHORITY=
+#SSO_CLIENT_ID=             
+#SSO_CLIENT_SECRET= 
+#SSO_ONLY=false ## disable email+Master password authentication
+
+## SSO Optional Setup
+#SSO_SIGNUPS_MATCH_EMAIL=true ##: On SSO Signup if a user with a matching email already exists make the association (default true)
+#SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION=false ## Allow unknown email verification status (default false). Allowing this with SSO_SIGNUPS_MATCH_EMAIL open potential account takeover.
+#SSO_SCOPES= ##Optional, allow to override scopes if needed (default "email profile")
+#SSO_AUTHORIZE_EXTRA_PARAMS= ## Optional, allow to add extra parameter to the authorize redirection (default "")
+#SSO_PKCE=true ## Activate PKCE for the Auth Code flow (default true).
+#SSO_AUDIENCE_TRUSTED= ##Optional, Regex to trust additional audience for the IdToken (client_id is always trusted). Use single quote when writing the regex: '^$'.
+#SSO_MASTER_PASSWORD_POLICY ## Optional Master password policy (enforceOnLogin is not supported).
+#SSO_AUTH_ONLY_NOT_SESSION ## Enable to use SSO only for authentication not session lifecycle
+#SSO_CLIENT_CACHE_EXPIRATION=0 ## Cache calls to the discovery endpoint, duration in seconds, 0 to disable (default 0);
+#SSO_DEBUG_TOKENS=false ## Log all tokens for easier debugging (default false, LOG_LEVEL=debug or LOG_LEVEL=info,vaultwarden::sso=debug need to be set)
+
+## SSO Setup End ##

abra.sh

@@ -1,9 +1,11 @@
-export APP_ENTRYPOINT_VERSION=v2
+export APP_ENTRYPOINT_VERSION=v4
 APP_DIR="app:/data"
 
 insert_vaultwarden_admin_token() {
   if ! command -v argon2 &> /dev/null; then
-    echo "argon2 could not be found, please install it to proceed."
+    echo "argon2 is required on your local machine to hash the admin token."
+    echo "It could not be found in your PATH, please install argon2 to proceed."
+    echo "For example: On a debian/ubuntu system, run `apt install argon2`"
     exit 1
   fi
   PASS=$(openssl rand 64 | openssl enc -A -base64)

compose.mariadb.yml

@@ -13,7 +13,7 @@ services:
       - db_password
 
   db:
-    image: "mariadb:10.6" # or "mysql"
+    image: "mariadb:10.11" # or "mysql"
     environment:
       - MYSQL_DATABASE=vaultwarden
       - MYSQL_USER=vaultwarden
@@ -34,9 +34,9 @@ services:
         backupbot.restore.post-hook: 'mysql -u root -p"$$(cat /run/secrets/db_root_password)" $${MYSQL_DATABASE} < /var/lib/mysql/backup.sql'
     healthcheck:
       test: ["CMD-SHELL", 'mysqladmin -p"$$(cat /run/secrets/db_root_password)"  ping']
-      interval: 5s
+      interval: 30s
       timeout: 10s
-      retries: 0
+      retries: 30
       start_period: 1m
 
 secrets:

compose.smtp.yml

@@ -6,6 +6,7 @@ services:
     secrets:
       - smtp_password
     environment:
+      - "SMTP_ENABLED"
       - "SMTP_PASSWORD_FILE=/run/secrets/smtp_password"
       - "SMTP_FROM"
       - "SMTP_USERNAME"

compose.sso.yml

@@ -0,0 +1,21 @@
+---
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - SSO_ENABLED
+      - SSO_AUTHORITY
+      - SSO_CLIENT_ID
+      - SSO_CLIENT_SECRET
+      - SSO_ONLY
+      - SSO_SIGNUPS_MATCH_EMAIL
+      - SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION
+      - SSO_SCOPES
+      - SSO_AUTHORIZE_EXTRA_PARAMS
+      - SSO_PKCE
+      - SSO_AUDIENCE_TRUSTED
+      - SSO_MASTER_PASSWORD_POLICY
+      - SSO_AUTH_ONLY_NOT_SESSION
+      - SSO_CLIENT_CACHE_EXPIRATION
+      - SSO_DEBUG_TOKENS

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: vaultwarden/server:1.32.5
+    image: vaultwarden/server:1.35.2
     networks:
       - proxy
       - internal
@@ -16,6 +16,7 @@ services:
       - "EXTENDED_LOGGING=$EXTENDED_LOGGING"
       - "LOG_FILE=$LOG_FILE"
       - "LOG_LEVEL=$LOG_LEVEL"
+      - "TX=${TX:-Europe/Berlin}"
     configs:
       - source: app_entrypoint
         target: /docker-entrypoint.sh
@@ -29,9 +30,10 @@ services:
       - vaultwarden_data:/data
     healthcheck:
       test: curl -f http://localhost/alive || exit 1
-      interval: 5s
-      timeout: 3s
-      retries: 10
+      interval: 30s
+      timeout: 10s
+      retries: 30
+      start_period: 1m
     deploy:
       restart_policy:
         condition: on-failure
@@ -41,7 +43,7 @@ services:
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "coop-cloud.${STACK_NAME}.version=1.0.3+1.32.5"
+        - "coop-cloud.${STACK_NAME}.version=3.0.0+1.35.2"
         - "backupbot.backup=true"
         - "backupbot.backup.path=/data"
 

entrypoint.sh.tmpl

@@ -1,6 +1,7 @@
 #!/bin/bash
 
 set -e
+umask 027
 
 # set DATABASE_URL with db_password
 set_db_url() {
@@ -46,7 +47,13 @@ if [ -n "${MYSQL_HOST}" ]; then
 fi
 
 file_env "ADMIN_TOKEN"
+
+{{ if eq (env "SMTP_ENABLED") "1" }}
 file_env "SMTP_PASSWORD"
+{{ end }}
+
+# remove world permissions on data
+chmod -R o= /data
 
 # upstream startup command
 # https://github.com/dani-garcia/vaultwarden/blob/60ed5ff99d15dec0b82c85987f9a3e244b8bde91/docker/Dockerfile.j2#L254

release/1.0.0+1.32.3

@@ -0,0 +1 @@
+ATTENTION: this version is not automatically upgradeable due to missing entrypoint version increase. Please upgrade to at least 1.0.4+1.32.7 directly.

release/1.0.1+1.32.5

@@ -0,0 +1 @@
+ATTENTION: this version is not automatically upgradeable due to missing entrypoint version increase. Please upgrade to at least 1.0.4+1.32.7 directly.

release/1.0.2+1.32.5

@@ -0,0 +1 @@
+ATTENTION: this version is not automatically upgradeable due to missing entrypoint version increase. Please upgrade to at least 1.0.4+1.32.7 directly.

release/1.0.3+1.32.5

@@ -0,0 +1 @@
+ATTENTION: this version is not automatically upgradeable due to missing entrypoint version increase. Please upgrade to at least 1.0.4+1.32.7 directly.

release/1.0.4+1.32.7

@@ -0,0 +1 @@
+bugfix release for missing increase of entrypoint version for the last 4 releases. Also upgraded vaultwarden bugfix release.

release/2.0.0+1.33.2

@@ -0,0 +1,15 @@
+=== SMTP SETTINGS ===
+This release contains a *breaking change* if you use SMTP with vaultwarden.
+
+See https://git.coopcloud.tech/coop-cloud/vaultwarden/pulls/9 for more.
+
+TLDR; Please add `SMTP_ENABLED=1` to your .env to continue using SMTP.
+
+=== PERMISSIONS ===
+
+Previously, the data directory including the main private key had read
+permissions enabled for all host users. This release fixes that. Please review
+your Vaultwarden keys if other users on your Co-op Cloud host may have had
+access to these files.
+
+See https://git.coopcloud.tech/coop-cloud/vaultwarden/pulls/7 for more.

release/3.0.0+1.35.2

@@ -0,0 +1,4 @@
+Allows support for 2026.1+ clients.
+
+This release includes options for SSO. Check out the release notes for
+more infomation.