Add support for local authentication.

Always restart the container

.drone.yml

@@ -0,0 +1,43 @@
+---
+kind: pipeline
+name: deploy to swarm-test.autonomic.zone
+steps:
+  - name: deployment
+    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
+    settings:
+      host: swarm-test.autonomic.zone
+      stack: vikunja
+      generate_secrets: true
+      purge: true
+      deploy_key:
+        from_secret: drone_ssh_swarm_test
+      networks:
+        - proxy
+    environment:
+      DOMAIN: authentik.swarm-test.autonomic.zone
+      STACK_NAME: authentik
+      LETS_ENCRYPT_ENV: production
+      CONFIG_YML_VERSION: v1
+      SECRET_DB_PASSWORD_VERSION: v1
+      SECRET_JWT_SECRET_VERSION: v1
+
+trigger:
+  branch:
+    - main
+---
+kind: pipeline
+name: generate recipe catalogue
+steps:
+  - name: release a new version
+    image: plugins/downstream
+    settings:
+      server: https://build.coopcloud.tech
+      token:
+        from_secret: drone_abra-bot_token
+      fork: true
+      repositories:
+        - coop-cloud/auto-recipes-catalogue-json
+
+trigger:
+  event: tag
+

.env.sample

@@ -1,4 +1,6 @@
 TYPE=vikunja
+TIMEOUT=300
+ENABLE_AUTO_UPDATE=true
 
 DOMAIN=vikunja.example.com
 
@@ -14,13 +16,22 @@ LOG_LEVEL=INFO
 
 COMPOSE_FILE=compose.yml
 
+#VIKUNJA_RATELIMIT_NOAUTHLIMIT=10
+
+# uncomment to enable local authentication
+# LOCAL_AUTH_ENABLED=true
+# uncomment to enable self-registration (if disabled, can be done via
+# command line in the api container with vikunja user command)
+# LOCAL_REGISTRATION_ENABLED=true
+
 # SSO OAUTH
 # e.g. see https://goauthentik.io/integrations/services/vikunja/
 # COMPOSE_FILE="${COMPOSE_FILE}:compose.oauth.yml"
 # OAUTH_ENABLED=true
-# OAUTH_NAME
-# OAUTH_URL
-# OAUTH_CLIENT_ID
+# OAUTH_NAME=authentik
+# OAUTH_URL=https://login.example.com/application/o/vikunja/
+# OAUTH_CLIENT_ID=vikunja
+# OAUTH_LOGOUT_URL=https://login.example.com/application/o/vikunja/end-session/
 # SECRET_OAUTH_SECRET_VERSION=v1
 
 # E-MAIL

README.md

@@ -1,17 +1,18 @@
 # vikunja
 
-> One line description of the recipe
+>  The open-source, self-hostable to-do app.
+Organize everything, on all platforms
 
 <!-- metadata -->
 
 * **Category**: Apps
 * **Status**: 0
 * **Image**: [`vikunja`](https://hub.docker.com/r/vikunja), 4, upstream
-* **Healthcheck**: No
-* **Backups**: No
-* **Email**: No
+* **Healthcheck**: Almost 
+* **Backups**: Yes
+* **Email**: Yes
 * **Tests**: No
-* **SSO**: No
+* **SSO**: Yes
 
 <!-- endmetadata -->
 

abra.sh

@@ -1 +1 @@
-export CONFIG_YML_VERSION=v2
+export CONFIG_YML_VERSION=v6

compose.oauth.yml

@@ -7,6 +7,7 @@ services:
       - OAUTH_NAME
       - OAUTH_URL
       - OAUTH_CLIENT_ID
+      - OAUTH_LOGOUT_URL
       - SECRET_OAUTH_SECRET_VERSION=V1
     secrets:
       - oauth_secret

compose.yml

@@ -3,10 +3,13 @@ version: "3.8"
 
 services:
   api:
-    image: vikunja/api:0.19.2
+    image: vikunja/api:0.22.1
     environment:
       - DOMAIN
       - LOG_LEVEL
+      - VIKUNJA_RATELIMIT_NOAUTHLIMIT
+      - LOCAL_AUTH_ENABLED
+      - LOCAL_REGISTRATION_ENABLED
     volumes:
       - files:/app/vikunja/files
     networks:
@@ -17,10 +20,8 @@ services:
       - db_password
     configs:
       - source: config_yml
-        target: /app/vikunja/config.yml
+        target: /etc/vikunja/config.yml
     deploy:
-      restart_policy:
-        condition: on-failure
       labels:
         - "traefik.enable=true"
         - "traefik.http.services.${STACK_NAME}_api.loadbalancer.server.port=3456"
@@ -29,19 +30,18 @@ services:
         - "traefik.http.routers.${STACK_NAME}_api.tls.certresolver=${LETS_ENCRYPT_ENV}"
 
   app:
-    image: vikunja/frontend:0.19.1
+    image: vikunja/frontend:0.22.1
     networks:
       - proxy
     deploy:
-      restart_policy:
-        condition: on-failure
       labels:
         - "traefik.enable=true"
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "coop-cloud.${STACK_NAME}.version=0.1.0+0.19.1"
+        - "coop-cloud.${STACK_NAME}.version=0.4.0+0.22.1"
+        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
     healthcheck:
       test: [ "CMD", "curl", "-f", "http://localhost" ]
       interval: 30s
@@ -69,13 +69,11 @@ services:
     secrets:
       - db_password
     deploy:
-      restart_policy:
-        condition: on-failure
       labels:
         backupbot.backup: "true"
-        backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /tmp/backup/backup.sql"
-        backupbot.backup.post-hook: "rm -rf /tmp/backup"
-        backupbot.backup.path: "/tmp/backup/"
+        backupbot.backup.pre-hook: "PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql"
+        backupbot.backup.post-hook: "rm -rf /var/lib/postgresql/data/backup.sql"
+        backupbot.backup.path: "/var/lib/postgresql/data/backup.sql"
 
 volumes:
   files:

config.yml.tmpl

@@ -5,8 +5,8 @@ service:
   JWTSecret: {{ secret "jwt_secret" }}
 #   # The duration of the issed JWT tokens in seconds.
 #   # The default is 259200 seconds (3 Days).
-#   jwtttl: 259200
-#   # The duration of the "remember me" time in seconds. When the login request is made with 
+#   jwtttl: 604800
+#   # The duration of the "remember me" time in seconds. When the login request is made with
 #   # the long param set, the token returned will be valid for this period.
 #   # The default is 2592000 seconds (30 Days).
 #   jwtttllong: 2592000
@@ -33,7 +33,11 @@ service:
 #   # Enable sharing of lists via a link
 #   enablelinksharing: true
 #   # Whether to let new users registering themselves or not
-#   enableregistration: true
+{{ if eq (env "LOCAL_REGISTRATION_ENABLED") "true" }}
+  enableregistration: true
+{{ else }}
+  enableregistration: false
+{{ end }}
 #   # Whether to enable task attachments or not
 #   enabletaskattachments: true
 #   # The time zone all timestamps are in. Please note that time zones have to use [the official tz database names](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones). UTC or GMT offsets won't work.
@@ -52,14 +56,14 @@ service:
 #   # If enabled, vikunja will send an email to everyone who is either assigned to a task or created it when a task reminder
 #   # is due.
 #   enableemailreminders: true
-#   # If true, will allow users to request the complete deletion of their account. When using external authentication methods 
+#   # If true, will allow users to request the complete deletion of their account. When using external authentication methods
 #   # it may be required to coordinate with them in order to delete the account. This setting will not affect the cli commands
 #   # for user deletion.
 #   enableuserdeletion: true
 #   # The maximum size clients will be able to request for user avatars.
 #   # If clients request a size bigger than this, it will be changed on the fly.
 #   maxavatarsize: 1024
-# 
+#
 database:
   # Database type to use. Supported types are mysql, postgres and sqlite.
   type: "postgres"
@@ -90,7 +94,7 @@ database:
 #   sslrootcert: ""
 #   # Enable SSL/TLS for mysql connections. Options: false, true, skip-verify, preferred
 #   tls: false
-# 
+#
 cache:
   # If cache is enabled or not
   enabled: true
@@ -110,7 +114,7 @@ redis:
   password: ''
   # 0 means default database
   db: 0
-# 
+#
 # cors:
 #   # Whether to enable or disable cors headers.
 #   # Note: If you want to put the frontend and the api on seperate domains or ports, you will need to enable this.
@@ -121,7 +125,7 @@ redis:
 #     - "*"
 #   # How long (in seconds) the results of a preflight request can be cached.
 #   maxage: 0
-# 
+#
 
 {{ if eq (env "SMTP_ENABLED") "true" }}
 mailer:
@@ -170,7 +174,7 @@ log:
 #   events: "stdout"
 #   # The log level for event log messages. Possible values (case-insensitive) are ERROR, INFO, DEBUG.
 #  eventslevel: "DEBUG"
-# 
+#
 # ratelimit:
 #   # whether or not to enable the rate limit
 #   enabled: false
@@ -184,14 +188,14 @@ log:
 #   # Possible values are "keyvalue", "memory" or "redis".
 #   # When choosing "keyvalue" this setting follows the one configured in the "keyvalue" section.
 #   store: keyvalue
-# 
+#
 # files:
 #   # The path where files are stored
 #   basepath: ./files # relative to the binary
 #   # The maximum size of a file, as a human-readable string.
 #   # Warning: The max size is limited 2^64-1 bytes due to the underlying datatype
 #   maxsize: 20MB
-# 
+#
 # migration:
 #   # These are the settings for the wunderlist migrator
 #   wunderlist:
@@ -249,11 +253,11 @@ log:
 #     # with the code obtained from the microsoft graph api.
 #     # Note that the vikunja frontend expects this to be /migrate/microsoft-todo
 #     redirecturl: <frontend url>/migrate/microsoft-todo
-# 
+#
 # avatar:
 #   # When using gravatar, this is the duration in seconds until a cached gravatar user avatar expires
 #   gravatarexpiration: 3600
-# 
+#
 # backgrounds:
 #   # Whether to enable backgrounds for lists at all.
 #   enabled: true
@@ -272,25 +276,29 @@ log:
 #       # It will only show in the UI if your application has been approved for Enterprise usage, therefore if
 #       # you’re in Demo mode, you can also find the ID in the URL at the end: https://unsplash.com/oauth/applications/:application_id
 #       applicationid:
-# 
+#
 # # Legal urls
 # # Will be shown in the frontend if configured here
 # legal:
 #   imprinturl:
 #   privacyurl:
-# 
+#
 # # Key Value Storage settings
 # # The Key Value Storage is used for different kinds of things like metrics and a few cache systems.
-# keyvalue:
-#   # The type of the storage backend. Can be either "memory" or "redis". If "redis" is chosen it needs to be configured seperately.
-#   type: "memory"
-# 
+keyvalue:
+  # The type of the storage backend. Can be either "memory" or "redis". If "redis" is chosen it needs to be configured seperately.
+  type: "redis"
+#
 auth:
   # Local authentication will let users log in and register (if enabled) through the db.
   # This is the default auth mechanism and does not require any additional configuration.
   local:
     # Enable or disable local authentication
+{{ if eq (env "LOCAL_AUTH_ENABLED") "true" }}
+    enabled: true
+{{ else }}
     enabled: false
+{{ end }}
   # OpenID configuration will allow users to authenticate through a third-party OpenID Connect compatible provider.<br/>
   # The provider needs to support the `openid`, `profile` and `email` scopes.<br/>
   # **Note:** Some openid providers (like gitlab) only make the email of the user available through openid claims if they have set it to be publicly visible.
@@ -302,16 +310,19 @@ auth:
 {{ if eq (env "OAUTH_ENABLED") "true" }}
   openid:
     # Enable or disable OpenID Connect authentication
-    enabled: {{ env "OAUTH_ENABLED" }} 
+    enabled: {{ env "OAUTH_ENABLED" }}
     # The url to redirect clients to. Defaults to the configured frontend url. If you're using Vikunja with the official
     # frontend, you don't need to change this value.
-    # redirecturl: <frontend url>
+    redirecturl: https://{{ env "DOMAIN" }}/auth/openid/
     # A list of enabled providers
     providers:
       # The name of the provider as it will appear in the frontend.
       - name: {{ env "OAUTH_NAME" }}
         # The auth url to send users to if they want to authenticate using OpenID Connect.
         authurl: {{ env "OAUTH_URL" }}
+        # The oidc logouturl that users will be redirected to on logout.
+        # Leave empty or delete key, if you do not want to be redirected.
+        logouturl: {{ env "OAUTH_LOGOUT_URL" }}
         # The client ID used to authenticate Vikunja at the OpenID Connect provider.
         clientid: {{ env "OAUTH_CLIENT_ID" }}
         # The client secret used to authenticate Vikunja at the OpenID Connect provider.
@@ -325,4 +336,29 @@ auth:
 #   username:
 #   # If set to a non-empty value the /metrics endpoint will require this as a password via basic auth in combination with the username below.
 #   password:
-# 
+#
+
+# Provide default settings for new users. When a new user is created, these settings will automatically be set for the user. If you change them in the config file afterwards they will not be changed back for existing users.
+defaultsettings:
+  # The avatar source for the user. Can be `gravatar`, `initials`, `upload` or `marble`. If you set this to `upload` you'll also need to specify `defaultsettings.avatar_file_id`.
+  # avatar_provider: initials
+  # The id of the file used as avatar.
+  # avatar_file_id: 0
+  # If set to true users will get task reminders via email.
+  # email_reminders_enabled: false
+  # If set to true will allow other users to find this user when searching for parts of their name.
+  discoverable_by_name: true
+  # If set to true will allow other users to find this user when searching for their exact email.
+  discoverable_by_email: true
+  # If set to true will send an email every day with all overdue tasks at a configured time.
+  # overdue_tasks_reminders_enabled: true
+  # When to send the overdue task reminder email.
+  # overdue_tasks_reminders_time: 9:00
+  # The id of the default list. Make sure users actually have access to this list when setting this value.
+  # default_list_id: 0
+  # Start of the week for the user. `0` is sunday, `1` is monday and so on.
+  # week_start: 0
+  # The language of the user interface. Must be an ISO 639-1 language code. Will default to the browser language the user uses when signing up.
+  # language: <unset>
+  # The time zone of each individual user. This will affect when users get reminders and overdue task emails.
+  # timezone: <time zone set at service.timezone>