Add support for local authentication.

Always restart the container

.drone.yml

@@ -0,0 +1,43 @@
+---
+kind: pipeline
+name: deploy to swarm-test.autonomic.zone
+steps:
+  - name: deployment
+    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
+    settings:
+      host: swarm-test.autonomic.zone
+      stack: vikunja
+      generate_secrets: true
+      purge: true
+      deploy_key:
+        from_secret: drone_ssh_swarm_test
+      networks:
+        - proxy
+    environment:
+      DOMAIN: authentik.swarm-test.autonomic.zone
+      STACK_NAME: authentik
+      LETS_ENCRYPT_ENV: production
+      CONFIG_YML_VERSION: v1
+      SECRET_DB_PASSWORD_VERSION: v1
+      SECRET_JWT_SECRET_VERSION: v1
+
+trigger:
+  branch:
+    - main
+---
+kind: pipeline
+name: generate recipe catalogue
+steps:
+  - name: release a new version
+    image: plugins/downstream
+    settings:
+      server: https://build.coopcloud.tech
+      token:
+        from_secret: drone_abra-bot_token
+      fork: true
+      repositories:
+        - coop-cloud/auto-recipes-catalogue-json
+
+trigger:
+  event: tag
+

.env.sample

@@ -1,4 +1,6 @@
 TYPE=vikunja
+TIMEOUT=300
+ENABLE_AUTO_UPDATE=true
 
 DOMAIN=vikunja.example.com
 
@@ -14,13 +16,22 @@ LOG_LEVEL=INFO
 
 COMPOSE_FILE=compose.yml
 
+#VIKUNJA_RATELIMIT_NOAUTHLIMIT=10
+
+# uncomment to enable local authentication
+# LOCAL_AUTH_ENABLED=true
+# uncomment to enable self-registration (if disabled, can be done via
+# command line in the api container with vikunja user command)
+# LOCAL_REGISTRATION_ENABLED=true
+
 # SSO OAUTH
 # e.g. see https://goauthentik.io/integrations/services/vikunja/
 # COMPOSE_FILE="${COMPOSE_FILE}:compose.oauth.yml"
 # OAUTH_ENABLED=true
-# OAUTH_NAME
+# OAUTH_NAME=authentik
-# OAUTH_URL
+# OAUTH_URL=https://login.example.com/application/o/vikunja/
-# OAUTH_CLIENT_ID
+# OAUTH_CLIENT_ID=vikunja
+# OAUTH_LOGOUT_URL=https://login.example.com/application/o/vikunja/end-session/
 # SECRET_OAUTH_SECRET_VERSION=v1
 
 # E-MAIL

README.md

@@ -1,17 +1,18 @@
 # vikunja
 
-> One line description of the recipe
+>  The open-source, self-hostable to-do app.
+Organize everything, on all platforms
 
 <!-- metadata -->
 
 * **Category**: Apps
 * **Status**: 0
 * **Image**: [`vikunja`](https://hub.docker.com/r/vikunja), 4, upstream
-* **Healthcheck**: No
+* **Healthcheck**: Almost 
-* **Backups**: No
+* **Backups**: Yes
-* **Email**: No
+* **Email**: Yes
 * **Tests**: No
-* **SSO**: No
+* **SSO**: Yes
 
 <!-- endmetadata -->
 

abra.sh

@@ -1 +1 @@
-export CONFIG_YML_VERSION=v2
+export CONFIG_YML_VERSION=v6

compose.oauth.yml

@@ -7,6 +7,7 @@ services:
       - OAUTH_NAME
       - OAUTH_URL
       - OAUTH_CLIENT_ID
+      - OAUTH_LOGOUT_URL
       - SECRET_OAUTH_SECRET_VERSION=V1
     secrets:
       - oauth_secret

compose.yml

@@ -3,10 +3,13 @@ version: "3.8"
 
 services:
   api:
-    image: vikunja/api:0.19.2
+    image: vikunja/api:0.22.1
     environment:
       - DOMAIN
       - LOG_LEVEL
+      - VIKUNJA_RATELIMIT_NOAUTHLIMIT
+      - LOCAL_AUTH_ENABLED
+      - LOCAL_REGISTRATION_ENABLED
     volumes:
       - files:/app/vikunja/files
     networks:
@@ -17,10 +20,8 @@ services:
       - db_password
     configs:
       - source: config_yml
-        target: /app/vikunja/config.yml
+        target: /etc/vikunja/config.yml
     deploy:
-      restart_policy:
-        condition: on-failure
       labels:
         - "traefik.enable=true"
         - "traefik.http.services.${STACK_NAME}_api.loadbalancer.server.port=3456"
@@ -29,19 +30,18 @@ services:
         - "traefik.http.routers.${STACK_NAME}_api.tls.certresolver=${LETS_ENCRYPT_ENV}"
 
   app:
-    image: vikunja/frontend:0.19.1
+    image: vikunja/frontend:0.22.1
     networks:
       - proxy
     deploy:
-      restart_policy:
-        condition: on-failure
       labels:
         - "traefik.enable=true"
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "coop-cloud.${STACK_NAME}.version=0.1.0+0.19.1"
+        - "coop-cloud.${STACK_NAME}.version=0.4.0+0.22.1"
+        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
     healthcheck:
       test: [ "CMD", "curl", "-f", "http://localhost" ]
       interval: 30s
@@ -69,13 +69,11 @@ services:
     secrets:
       - db_password
     deploy:
-      restart_policy:
-        condition: on-failure
       labels:
         backupbot.backup: "true"
-        backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /tmp/backup/backup.sql"
+        backupbot.backup.pre-hook: "PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql"
-        backupbot.backup.post-hook: "rm -rf /tmp/backup"
+        backupbot.backup.post-hook: "rm -rf /var/lib/postgresql/data/backup.sql"
-        backupbot.backup.path: "/tmp/backup/"
+        backupbot.backup.path: "/var/lib/postgresql/data/backup.sql"
 
 volumes:
   files:

config.yml.tmpl

@@ -5,7 +5,7 @@ service:
   JWTSecret: {{ secret "jwt_secret" }}
 #   # The duration of the issed JWT tokens in seconds.
 #   # The default is 259200 seconds (3 Days).
-#   jwtttl: 259200
+#   jwtttl: 604800
 #   # The duration of the "remember me" time in seconds. When the login request is made with
 #   # the long param set, the token returned will be valid for this period.
 #   # The default is 2592000 seconds (30 Days).
@@ -33,7 +33,11 @@ service:
 #   # Enable sharing of lists via a link
 #   enablelinksharing: true
 #   # Whether to let new users registering themselves or not
-#   enableregistration: true
+{{ if eq (env "LOCAL_REGISTRATION_ENABLED") "true" }}
+  enableregistration: true
+{{ else }}
+  enableregistration: false
+{{ end }}
 #   # Whether to enable task attachments or not
 #   enabletaskattachments: true
 #   # The time zone all timestamps are in. Please note that time zones have to use [the official tz database names](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones). UTC or GMT offsets won't work.
@@ -281,16 +285,20 @@ log:
 #
 # # Key Value Storage settings
 # # The Key Value Storage is used for different kinds of things like metrics and a few cache systems.
-# keyvalue:
+keyvalue:
-#   # The type of the storage backend. Can be either "memory" or "redis". If "redis" is chosen it needs to be configured seperately.
+  # The type of the storage backend. Can be either "memory" or "redis". If "redis" is chosen it needs to be configured seperately.
-#   type: "memory"
+  type: "redis"
 #
 auth:
   # Local authentication will let users log in and register (if enabled) through the db.
   # This is the default auth mechanism and does not require any additional configuration.
   local:
     # Enable or disable local authentication
+{{ if eq (env "LOCAL_AUTH_ENABLED") "true" }}
+    enabled: true
+{{ else }}
     enabled: false
+{{ end }}
   # OpenID configuration will allow users to authenticate through a third-party OpenID Connect compatible provider.<br/>
   # The provider needs to support the `openid`, `profile` and `email` scopes.<br/>
   # **Note:** Some openid providers (like gitlab) only make the email of the user available through openid claims if they have set it to be publicly visible.
@@ -305,13 +313,16 @@ auth:
     enabled: {{ env "OAUTH_ENABLED" }}
     # The url to redirect clients to. Defaults to the configured frontend url. If you're using Vikunja with the official
     # frontend, you don't need to change this value.
-    # redirecturl: <frontend url>
+    redirecturl: https://{{ env "DOMAIN" }}/auth/openid/
     # A list of enabled providers
     providers:
       # The name of the provider as it will appear in the frontend.
       - name: {{ env "OAUTH_NAME" }}
         # The auth url to send users to if they want to authenticate using OpenID Connect.
         authurl: {{ env "OAUTH_URL" }}
+        # The oidc logouturl that users will be redirected to on logout.
+        # Leave empty or delete key, if you do not want to be redirected.
+        logouturl: {{ env "OAUTH_LOGOUT_URL" }}
         # The client ID used to authenticate Vikunja at the OpenID Connect provider.
         clientid: {{ env "OAUTH_CLIENT_ID" }}
         # The client secret used to authenticate Vikunja at the OpenID Connect provider.
@@ -326,3 +337,28 @@ auth:
 #   # If set to a non-empty value the /metrics endpoint will require this as a password via basic auth in combination with the username below.
 #   password:
 #
+
+# Provide default settings for new users. When a new user is created, these settings will automatically be set for the user. If you change them in the config file afterwards they will not be changed back for existing users.
+defaultsettings:
+  # The avatar source for the user. Can be `gravatar`, `initials`, `upload` or `marble`. If you set this to `upload` you'll also need to specify `defaultsettings.avatar_file_id`.
+  # avatar_provider: initials
+  # The id of the file used as avatar.
+  # avatar_file_id: 0
+  # If set to true users will get task reminders via email.
+  # email_reminders_enabled: false
+  # If set to true will allow other users to find this user when searching for parts of their name.
+  discoverable_by_name: true
+  # If set to true will allow other users to find this user when searching for their exact email.
+  discoverable_by_email: true
+  # If set to true will send an email every day with all overdue tasks at a configured time.
+  # overdue_tasks_reminders_enabled: true
+  # When to send the overdue task reminder email.
+  # overdue_tasks_reminders_time: 9:00
+  # The id of the default list. Make sure users actually have access to this list when setting this value.
+  # default_list_id: 0
+  # Start of the week for the user. `0` is sunday, `1` is monday and so on.
+  # week_start: 0
+  # The language of the user interface. Must be an ISO 639-1 language code. Will default to the browser language the user uses when signing up.
+  # language: <unset>
+  # The time zone of each individual user. This will affect when users get reminders and overdue task emails.
+  # timezone: <time zone set at service.timezone>