wip

Always restart the container

.drone.yml

@@ -0,0 +1,43 @@
+---
+kind: pipeline
+name: deploy to swarm-test.autonomic.zone
+steps:
+  - name: deployment
+    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
+    settings:
+      host: swarm-test.autonomic.zone
+      stack: vikunja
+      generate_secrets: true
+      purge: true
+      deploy_key:
+        from_secret: drone_ssh_swarm_test
+      networks:
+        - proxy
+    environment:
+      DOMAIN: authentik.swarm-test.autonomic.zone
+      STACK_NAME: authentik
+      LETS_ENCRYPT_ENV: production
+      CONFIG_YML_VERSION: v1
+      SECRET_DB_PASSWORD_VERSION: v1
+      SECRET_JWT_SECRET_VERSION: v1
+
+trigger:
+  branch:
+    - main
+---
+kind: pipeline
+name: generate recipe catalogue
+steps:
+  - name: release a new version
+    image: plugins/downstream
+    settings:
+      server: https://build.coopcloud.tech
+      token:
+        from_secret: drone_abra-bot_token
+      fork: true
+      repositories:
+        - coop-cloud/auto-recipes-catalogue-json
+
+trigger:
+  event: tag
+

.env.sample

@@ -1,6 +1,8 @@
 TYPE=vikunja
+TIMEOUT=300
+ENABLE_AUTO_UPDATE=true
 
-DOMAIN={{ .Domain }}
+DOMAIN=vikunja.example.com
 
 ## Domain aliases
 #EXTRA_DOMAINS=', `www.vikunja.example.com`'
@@ -14,13 +16,16 @@ LOG_LEVEL=INFO
 
 COMPOSE_FILE=compose.yml
 
+#VIKUNJA_RATELIMIT_NOAUTHLIMIT=10
+
 # SSO OAUTH
 # e.g. see https://goauthentik.io/integrations/services/vikunja/
 # COMPOSE_FILE="${COMPOSE_FILE}:compose.oauth.yml"
 # OAUTH_ENABLED=true
-# OAUTH_NAME
-# OAUTH_URL
-# OAUTH_CLIENT_ID
+# OAUTH_NAME=authentik
+# OAUTH_URL=https://login.example.com/application/o/vikunja/
+# OAUTH_CLIENT_ID=vikunja
+# OAUTH_LOGOUT_URL=https://login.example.com/application/o/vikunja/end-session/
 # SECRET_OAUTH_SECRET_VERSION=v1
 
 # E-MAIL

abra.sh

@@ -1 +1 @@
-export CONFIG_YML_VERSION=v2
+export CONFIG_YML_VERSION=v7

alaconnect.yml

@@ -0,0 +1,12 @@
+authentik:
+    env:
+        OAUTH_NAME: authentik
+        OAUTH_URL: https://authentik.example.com/application/o/vikunja/
+        OAUTH_LOGOUT_URL: https://authentik.example.com/application/o/vikunja/end-session/
+        OAUTH_CLIENT_ID: vikunja
+    uncomment:
+        - compose.oauth.yml
+        - OAUTH_ENABLED
+        - SECRET_OAUTH_SECRET_VERSION
+    shared_secrets:
+        vikunja_secret: oauth_secret

compose.oauth.yml

@@ -1,12 +1,13 @@
 version: '3.8'
 
 services:
-  api:
+  app:
     environment:
       - OAUTH_ENABLED
       - OAUTH_NAME
       - OAUTH_URL
       - OAUTH_CLIENT_ID
+      - OAUTH_LOGOUT_URL
       - SECRET_OAUTH_SECRET_VERSION=V1
     secrets:
       - oauth_secret

compose.yml

@@ -2,12 +2,24 @@
 version: "3.8"
 
 services:
-  api:
-    image: vikunja/api:0.19.2
+  app:
+    image: vikunja/vikunja:0.24.0
     environment:
       - DOMAIN
       - LOG_LEVEL
-    volumes:
+      - VIKUNJA_RATELIMIT_NOAUTHLIMIT
+      - VIKUNJA_SERVICE_PUBLICURL=${DOMAIN}
+      - VIKUNJA_DATABASE_HOST=db
+      - VIKUNJA_DATABASE_PASSWORD_FILE=/run/secrets/db_password
+      - VIKUNJA_DATABASE_TYPE=postgres
+      - VIKUNJA_DATABASE_USER=vikunja
+      - VIKUNJA_DATABASE_DATABASE=vikunja
+      - VIKUNJA_SERVICE_JWTSECRET_FILE=/run/secrets/jwt_secret
+      - VIKUNJA_REDIS_ENABLED=0
+      # - VIKUNJA_REDIS_HOST='${STACK_NAME}_redis:6379'
+      - VIKUNJA_CACHE_ENABLED=1
+      - VIKUNJA_CACHE_TYPE=memory
+    volumes: 
       - files:/app/vikunja/files
     networks:
       - proxy
@@ -17,31 +29,17 @@ services:
       - db_password
     configs:
       - source: config_yml
-        target: /app/vikunja/config.yml
+        target: /etc/vikunja/config.yml
     deploy:
-      restart_policy:
-        condition: on-failure
-      labels:
-        - "traefik.enable=true"
-        - "traefik.http.services.${STACK_NAME}_api.loadbalancer.server.port=3456"
-        - "traefik.http.routers.${STACK_NAME}_api.rule=Host(`${DOMAIN}`) && PathPrefix(`/api/v1`, `/dav/`, `/.well-known/`)"
-        - "traefik.http.routers.${STACK_NAME}_api.entrypoints=web-secure"
-        - "traefik.http.routers.${STACK_NAME}_api.tls.certresolver=${LETS_ENCRYPT_ENV}"
-
-  app:
-    image: vikunja/frontend:0.19.1
-    networks:
-      - proxy
-    deploy:
-      restart_policy:
-        condition: on-failure
       labels:
         - "traefik.enable=true"
+        # - "traefik.docker.network=web"
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "coop-cloud.${STACK_NAME}.version=0.1.0+0.19.1"
+        - "coop-cloud.${STACK_NAME}.version=1.0.0+0.24.0"
+        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
     healthcheck:
       test: [ "CMD", "curl", "-f", "http://localhost" ]
       interval: 30s
@@ -49,10 +47,13 @@ services:
       retries: 10
       start_period: 1m
 
-  redis:
-    image: redis
-    networks:
-      - internal
+  # redis:
+  #   image: redis
+  #   networks:
+  #     - internal
+  #   ports:
+  #     - "6379:6379"
+
 
   db:
     image: postgres:13
@@ -63,19 +64,18 @@ services:
     volumes:
       - db:/var/lib/postgresql/data
     healthcheck:
-      test: [ "CMD", "pg_isready", "-U", "vikunja" ]
+      test: ["CMD-SHELL", "pg_isready -h localhost -U $$POSTGRES_USER"]
+      interval: 2s
     networks:
       - internal
     secrets:
       - db_password
     deploy:
-      restart_policy:
-        condition: on-failure
       labels:
         backupbot.backup: "true"
-        backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /tmp/backup/backup.sql"
-        backupbot.backup.post-hook: "rm -rf /tmp/backup"
-        backupbot.backup.path: "/tmp/backup/"
+        backupbot.backup.pre-hook: "PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql"
+        backupbot.backup.post-hook: "rm -rf /var/lib/postgresql/data/backup.sql"
+        backupbot.backup.path: "/var/lib/postgresql/data/backup.sql"
 
 volumes:
   files:

config.yml.tmpl

@@ -1,127 +1,41 @@
 service:
   # This token is used to verify issued JWT tokens.
-  # Default is a random token which will be generated at each startup of vikunja.
-  # (This means all already issued tokens will be invalid once you restart vikunja)
+  # Default is a random token which will be generated at each startup of Vikunja.
+  # (This means all already issued tokens will be invalid once you restart Vikunja)
   JWTSecret: {{ secret "jwt_secret" }}
-#   # The duration of the issed JWT tokens in seconds.
-#   # The default is 259200 seconds (3 Days).
-#   jwtttl: 259200
-#   # The duration of the "remember me" time in seconds. When the login request is made with 
-#   # the long param set, the token returned will be valid for this period.
-#   # The default is 2592000 seconds (30 Days).
-#   jwtttllong: 2592000
-#   # The interface on which to run the webserver
-#   interface: ":3456"
-#   # Path to Unix socket. If set, it will be created and used instead of tcp
-#   unixsocket:
-#   # Permission bits for the Unix socket. Note that octal values must be prefixed by "0o", e.g. 0o660
-#   unixsocketmode:
-#   # The URL of the frontend, used to send password reset emails.
-  frontendurl: https://{{ env "DOMAIN" }}
-#   # The base path on the file system where the binary and assets are.
-#   # Vikunja will also look in this path for a config file, so you could provide only this variable to point to a folder
-#   # with a config file which will then be used.
-#   rootpath: <rootpath>
-#   # Path on the file system to serve static files from. Set to the path of the frontend files to host frontend alongside the api.
-#   staticpath: ""
-#   # The max number of items which can be returned per page
-#   maxitemsperpage: 50
-#   # Enable the caldav endpoint, see the docs for more details
-#   enablecaldav: true
-#   # Set the motd message, available from the /info endpoint
-#   motd: ""
-#   # Enable sharing of lists via a link
-#   enablelinksharing: true
-#   # Whether to let new users registering themselves or not
-#   enableregistration: true
-#   # Whether to enable task attachments or not
-#   enabletaskattachments: true
-#   # The time zone all timestamps are in. Please note that time zones have to use [the official tz database names](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones). UTC or GMT offsets won't work.
-#   timezone: GMT
-#   # Whether task comments should be enabled or not
-#   enabletaskcomments: true
-#   # Whether totp is enabled. In most cases you want to leave that enabled.
-#   enabletotp: true
-#   # If not empty, enables logging of crashes and unhandled errors in sentry.
-#   sentrydsn: ''
-#   # If not empty, this will enable `/test/{table}` endpoints which allow to put any content in the database.
-#   # Used to reset the db before frontend tests. Because this is quite a dangerous feature allowing for lots of harm,
-#   # each request made to this endpoint neefs to provide an `Authorization: <token>` header with the token from below. <br/>
-#   # **You should never use this unless you know exactly what you're doing**
-#   testingtoken: ''
-#   # If enabled, vikunja will send an email to everyone who is either assigned to a task or created it when a task reminder
-#   # is due.
-#   enableemailreminders: true
-#   # If true, will allow users to request the complete deletion of their account. When using external authentication methods 
-#   # it may be required to coordinate with them in order to delete the account. This setting will not affect the cli commands
-#   # for user deletion.
-#   enableuserdeletion: true
-#   # The maximum size clients will be able to request for user avatars.
-#   # If clients request a size bigger than this, it will be changed on the fly.
-#   maxavatarsize: 1024
-# 
+  # The public facing URL where your users can reach Vikunja. Used in emails and for the communication between api and frontend.
+  publicurl: "https://{{ env "DOMAIN" }}"
+  
 database:
-  # Database type to use. Supported types are mysql, postgres and sqlite.
+  # Database type to use. Supported values are mysql, postgres and sqlite. Vikunja is able to run with MySQL 8.0+, Mariadb 10.2+, PostgreSQL 12+, and sqlite.
   type: "postgres"
   # Database user which is used to connect to the database.
   user: "vikunja"
   # Database password
-  password: {{ secret "db_password" }}
+  password: "{{ secret "db_password" }}"
   # Database host
-  host: "db"
+  host: "localhost"
   # Database to use
   database: "vikunja"
-#   # When using sqlite, this is the path where to store the data
-#   path: "./vikunja.db"
-#   # Sets the max open connections to the database. Only used when using mysql and postgres.
-#   maxopenconnections: 100
-#   # Sets the maximum number of idle connections to the db.
-#   maxidleconnections: 50
-#   # The maximum lifetime of a single db connection in miliseconds.
-#   maxconnectionlifetime: 10000
-#   # Secure connection mode. Only used with postgres.
-#   # (see https://pkg.go.dev/github.com/lib/pq?tab=doc#hdr-Connection_String_Parameters)
-#   sslmode: disable
-#   # The path to the client cert. Only used with postgres.
-#   sslcert: ""
-#   # The path to the client key. Only used with postgres.
-#   sslkey: ""
-#   # The path to the ca cert. Only used with postgres.
-#   sslrootcert: ""
-#   # Enable SSL/TLS for mysql connections. Options: false, true, skip-verify, preferred
-#   tls: false
-# 
-cache:
-  # If cache is enabled or not
-  enabled: true
-  # Cache type. Possible values are "keyvalue", "memory" or "redis".
-  # When choosing "keyvalue" this setting follows the one configured in the "keyvalue" section.
-  # When choosing "redis" you will need to configure the redis connection seperately.
-  type: redis
-  # When using memory this defines the maximum size an element can take
-  # maxelementsize: 1000
-
-redis:
-  # Whether to enable redis or not
-  enabled: true
-  # The host of the redis server including its port.
-  host: 'redis:6379'
-  # The password used to authenicate against the redis server
-  password: ''
-  # 0 means default database
-  db: 0
-# 
-# cors:
-#   # Whether to enable or disable cors headers.
-#   # Note: If you want to put the frontend and the api on seperate domains or ports, you will need to enable this.
-#   #       Otherwise the frontend won't be able to make requests to the api through the browser.
-#   enable: true
-#   # A list of origins which may access the api. These need to include the protocol (`http://` or `https://`) and port, if any.
-#   origins:
-#     - "*"
-#   # How long (in seconds) the results of a preflight request can be cached.
-#   maxage: 0
-# 
+  # When using sqlite, this is the path where to store the data
+  path: "./vikunja.db"
+  # Sets the max open connections to the database. Only used when using mysql and postgres.
+  maxopenconnections: 100
+  # Sets the maximum number of idle connections to the db.
+  maxidleconnections: 50
+  # The maximum lifetime of a single db connection in milliseconds.
+  maxconnectionlifetime: 10000
+  # Secure connection mode. Only used with postgres.
+  # (see https://pkg.go.dev/github.com/lib/pq?tab=doc#hdr-Connection_String_Parameters)
+  sslmode: disable
+  # The path to the client cert. Only used with postgres.
+  sslcert: ""
+  # The path to the client key. Only used with postgres.
+  sslkey: ""
+  # The path to the ca cert. Only used with postgres.
+  sslrootcert: ""
+  # Enable SSL/TLS for mysql connections. Options: false, true, skip-verify, preferred
+  tls: false
 
 {{ if eq (env "SMTP_ENABLED") "true" }}
 mailer:
@@ -129,7 +43,8 @@ mailer:
   enabled: {{ env "SMTP_ENABLED" }}
   # SMTP Host
   host: {{ env "SMTP_HOST" }}
-  # SMTP Host port
+  # SMTP Host port.
+  # **NOTE:** If you're unable to send mail and the only error you see in the logs is an `EOF`, try setting the port to `25`.
   port: 587
   # SMTP Auth Type. Can be either `plain`, `login` or `cram-md5`.
   authtype: {{ env "SMTP_AUTHTYPE" }}
@@ -137,7 +52,7 @@ mailer:
   username: {{ env "SMTP_USER" }}
   # SMTP password
   password: {{ secret "smtp_password" }}
-  # Wether to skip verification of the tls certificate on the server
+  # Whether to skip verification of the tls certificate on the server
   skiptlsverify: false
   # The default from address when sending emails
   fromemail: {{ env "SMTP_FROM_EMAIL" }}
@@ -145,146 +60,36 @@ mailer:
   queuelength: 100
   # The timeout in seconds after which the current open connection to the mailserver will be closed.
   queuetimeout: 30
-  # By default, vikunja will try to connect with starttls, use this option to force it to use ssl.
+  # By default, Vikunja will try to connect with starttls, use this option to force it to use ssl.
   forcessl: false
 {{ end }}
 
 log:
-#   # A folder where all the logfiles should go.
-#   path: <rootpath>logs
-#   # Whether to show any logging at all or none
+  # A folder where all the logfiles should go.
+  path: <rootpath>logs
+  # Whether to show any logging at all or none
   enabled: true
-#   # Where the normal log should go. Possible values are stdout, stderr, file or off to disable standard logging.
+  # Where the normal log should go. Possible values are stdout, stderr, file or off to disable standard logging.
   standard: "stdout"
-#   # Change the log level. Possible values (case-insensitive) are CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG.
+  # Change the log level. Possible values (case-insensitive) are CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG.
   level: {{ env "LOG_LEVEL" }}
-#   # Whether or not to log database queries. Useful for debugging. Possible values are stdout, stderr, file or off to disable database logging.
-#  database: "stdout"
-#   # The log level for database log messages. Possible values (case-insensitive) are CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG.
-#  databaselevel: "DEBUG"
-#   # Whether to log http requests or not. Possible values are stdout, stderr, file or off to disable http logging.
-#  http: "stdout"
-#   # Echo has its own logging which usually is unnessecary, which is why it is disabled by default. Possible values are stdout, stderr, file or off to disable standard logging.
-#   echo: "off"
-#   # Whether or not to log events. Useful for debugging. Possible values are stdout, stderr, file or off to disable events logging.
-#   events: "stdout"
-#   # The log level for event log messages. Possible values (case-insensitive) are ERROR, INFO, DEBUG.
-#  eventslevel: "DEBUG"
-# 
-# ratelimit:
-#   # whether or not to enable the rate limit
-#   enabled: false
-#   # The kind on which rates are based. Can be either "user" for a rate limit per user or "ip" for an ip-based rate limit.
-#   kind: user
-#   # The time period in seconds for the limit
-#   period: 60
-#   # The max number of requests a user is allowed to do in the configured time period
-#   limit: 100
-#   # The store where the limit counter for each user is stored.
-#   # Possible values are "keyvalue", "memory" or "redis".
-#   # When choosing "keyvalue" this setting follows the one configured in the "keyvalue" section.
-#   store: keyvalue
-# 
-# files:
-#   # The path where files are stored
-#   basepath: ./files # relative to the binary
-#   # The maximum size of a file, as a human-readable string.
-#   # Warning: The max size is limited 2^64-1 bytes due to the underlying datatype
-#   maxsize: 20MB
-# 
-# migration:
-#   # These are the settings for the wunderlist migrator
-#   wunderlist:
-#     # Wheter to enable the wunderlist migrator or not
-#     enable: false
-#     # The client id, required for making requests to the wunderlist api
-#     # You need to register your vikunja instance at https://developer.wunderlist.com/apps/new to get this
-#     clientid:
-#     # The client secret, also required for making requests to the wunderlist api
-#     clientsecret:
-#     # The url where clients are redirected after they authorized Vikunja to access their wunderlist stuff.
-#     # This needs to match the url you entered when registering your Vikunja instance at wunderlist.
-#     # This is usually the frontend url where the frontend then makes a request to /migration/wunderlist/migrate
-#     # with the code obtained from the wunderlist api.
-#     # Note that the vikunja frontend expects this to be /migrate/wunderlist
-#     redirecturl:
-#   todoist:
-#     # Wheter to enable the todoist migrator or not
-#     enable: false
-#     # The client id, required for making requests to the todoist api
-#     # You need to register your vikunja instance at https://developer.todoist.com/appconsole.html to get this
-#     clientid:
-#     # The client secret, also required for making requests to the todoist api
-#     clientsecret:
-#     # The url where clients are redirected after they authorized Vikunja to access their todoist items.
-#     # This needs to match the url you entered when registering your Vikunja instance at todoist.
-#     # This is usually the frontend url where the frontend then makes a request to /migration/todoist/migrate
-#     # with the code obtained from the todoist api.
-#     # Note that the vikunja frontend expects this to be /migrate/todoist
-#     redirecturl: <frontend url>/migrate/todoist
-#   trello:
-#     # Wheter to enable the trello migrator or not
-#     enable: false
-#     # The client id, required for making requests to the trello api
-#     # You need to register your vikunja instance at https://trello.com/app-key (log in before you visit that link) to get this
-#     key:
-#     # The url where clients are redirected after they authorized Vikunja to access their trello cards.
-#     # This needs to match the url you entered when registering your Vikunja instance at trello.
-#     # This is usually the frontend url where the frontend then makes a request to /migration/trello/migrate
-#     # with the code obtained from the trello api.
-#     # Note that the vikunja frontend expects this to end on /migrate/trello.
-#     redirecturl: <frontend url>/migrate/trello
-#   microsofttodo:
-#     # Wheter to enable the microsoft todo migrator or not
-#     enable: false
-#     # The client id, required for making requests to the microsoft graph api
-#     # See https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#register-an-application
-#     # for information about how to register your vikuinja instance.
-#     clientid:
-#     # The client secret, also required for making requests to the microsoft graph api
-#     clientsecret:
-#     # The url where clients are redirected after they authorized Vikunja to access their microsoft todo tasks.
-#     # This needs to match the url you entered when registering your Vikunja instance at microsoft.
-#     # This is usually the frontend url where the frontend then makes a request to /migration/microsoft-todo/migrate
-#     # with the code obtained from the microsoft graph api.
-#     # Note that the vikunja frontend expects this to be /migrate/microsoft-todo
-#     redirecturl: <frontend url>/migrate/microsoft-todo
-# 
-# avatar:
-#   # When using gravatar, this is the duration in seconds until a cached gravatar user avatar expires
-#   gravatarexpiration: 3600
-# 
-# backgrounds:
-#   # Whether to enable backgrounds for lists at all.
-#   enabled: true
-#   providers:
-#     upload:
-#       # Whethere to enable uploaded list backgrounds
-#       enabled: true
-#     unsplash:
-#       # Whether to enable setting backgrounds from unsplash as list backgrounds
-#       enabled: false
-#       # You need to create an application for your installation at https://unsplash.com/oauth/applications/new
-#       # and set the access token below.
-#       accesstoken:
-#       # The unsplash application id is only used for pingback and required as per their api guidelines.
-#       # You can find the Application ID in the dashboard for your API application. It should be a numeric ID.
-#       # It will only show in the UI if your application has been approved for Enterprise usage, therefore if
-#       # you’re in Demo mode, you can also find the ID in the URL at the end: https://unsplash.com/oauth/applications/:application_id
-#       applicationid:
-# 
-# # Legal urls
-# # Will be shown in the frontend if configured here
-# legal:
-#   imprinturl:
-#   privacyurl:
-# 
-# # Key Value Storage settings
-# # The Key Value Storage is used for different kinds of things like metrics and a few cache systems.
-# keyvalue:
-#   # The type of the storage backend. Can be either "memory" or "redis". If "redis" is chosen it needs to be configured seperately.
-#   type: "memory"
-# 
+  # Whether or not to log database queries. Useful for debugging. Possible values are stdout, stderr, file or off to disable database logging.
+  database: "stdout"
+  # The log level for database log messages. Possible values (case-insensitive) are CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG.
+  databaselevel: "INFO"
+  # Whether to log http requests or not. Possible values are stdout, stderr, file or off to disable http logging.
+  http: "stdout"
+  # Echo has its own logging which usually is unnecessary, which is why it is disabled by default. Possible values are stdout, stderr, file or off to disable standard logging.
+  echo: "off"
+  # Whether or not to log events. Useful for debugging. Possible values are stdout, stderr, file or off to disable events logging.
+  events: "stdout"
+  # The log level for event log messages. Possible values (case-insensitive) are ERROR, INFO, DEBUG.
+  eventslevel: "info"
+  # Whether or not to log mail log messages. This will not log mail contents. Possible values are stdout, stderr, file or off to disable mail-related logging.
+  mail: "stdout"
+  # The log level for mail log messages. Possible values (case-insensitive) are ERROR, WARNING, INFO, DEBUG.
+  maillevel: "info"
+
 auth:
   # Local authentication will let users log in and register (if enabled) through the db.
   # This is the default auth mechanism and does not require any additional configuration.
@@ -293,36 +98,34 @@ auth:
     enabled: false
   # OpenID configuration will allow users to authenticate through a third-party OpenID Connect compatible provider.<br/>
   # The provider needs to support the `openid`, `profile` and `email` scopes.<br/>
-  # **Note:** Some openid providers (like gitlab) only make the email of the user available through openid claims if they have set it to be publicly visible.
+  # **Note:** Some openid providers (like Gitlab) only make the email of the user available through OpenID if they have set it to be publicly visible.
   # If the email is not public in those cases, authenticating will fail.
-  # **Note 2:** The frontend expects to be redirected after authentication by the third party
-  # to <frontend-url>/auth/openid/<auth key>. Please make sure to configure the redirect url with your third party
-  # auth service accordingy if you're using the default vikunja frontend.
-  # Take a look at the [default config file](https://kolaente.dev/vikunja/api/src/branch/main/config.yml.sample) for more information about how to configure openid authentication.
+  # +**Note 2:** The frontend expects the third party to redirect the user <frontend-url>/auth/openid/<auth key> after authentication. Please make sure to configure the redirect url in your third party auth service accordingly if you're using the default Vikunja frontend.    
+  # The frontend will automatically provide the API with the redirect url, composed from the current url where it's hosted.
+  # If you want to use the desktop client with OpenID, make sure to allow redirects to `127.0.0.1`.
+  # Take a look at the [default config file](https://kolaente.dev/vikunja/vikunja/src/branch/main/config.yml.sample) for more information about how to configure openid authentication.
 {{ if eq (env "OAUTH_ENABLED") "true" }}
   openid:
     # Enable or disable OpenID Connect authentication
-    enabled: {{ env "OAUTH_ENABLED" }} 
+    enabled: {{ env "OAUTH_ENABLED" }}
     # The url to redirect clients to. Defaults to the configured frontend url. If you're using Vikunja with the official
     # frontend, you don't need to change this value.
-    # redirecturl: <frontend url>
+    redirecturl: https://{{ env "DOMAIN" }}/auth/openid/
     # A list of enabled providers
     providers:
       # The name of the provider as it will appear in the frontend.
       - name: {{ env "OAUTH_NAME" }}
         # The auth url to send users to if they want to authenticate using OpenID Connect.
         authurl: {{ env "OAUTH_URL" }}
+        # The oidc logouturl that users will be redirected to on logout.
+        # Leave empty or delete key, if you do not want to be redirected.
+        logouturl: {{ env "OAUTH_LOGOUT_URL" }}
         # The client ID used to authenticate Vikunja at the OpenID Connect provider.
         clientid: {{ env "OAUTH_CLIENT_ID" }}
         # The client secret used to authenticate Vikunja at the OpenID Connect provider.
         clientsecret: {{ secret "oauth_secret" }}
+        # The scope necessary to use oidc.
+        # If you want to use the Feature to create and assign to Vikunja teams via oidc, you have to add the custom "vikunja_scope" and check [openid.md](https://vikunja.io/docs/openid/).
+        # e.g. scope: openid email profile vikunja_scope
+        scope: openid email profile
 {{ end }}
-# # Prometheus metrics endpoint
-# metrics:
-#   # If set to true, enables a /metrics endpoint for prometheus to collect metrics about Vikunja.
-#   enabled: false
-#   # If set to a non-empty value the /metrics endpoint will require this as a username via basic auth in combination with the password below.
-#   username:
-#   # If set to a non-empty value the /metrics endpoint will require this as a password via basic auth in combination with the username below.
-#   password:
-#