Add support for local authentication.

Always restart the container

.drone.yml

@@ -0,0 +1,43 @@
+---
+kind: pipeline
+name: deploy to swarm-test.autonomic.zone
+steps:
+  - name: deployment
+    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
+    settings:
+      host: swarm-test.autonomic.zone
+      stack: vikunja
+      generate_secrets: true
+      purge: true
+      deploy_key:
+        from_secret: drone_ssh_swarm_test
+      networks:
+        - proxy
+    environment:
+      DOMAIN: authentik.swarm-test.autonomic.zone
+      STACK_NAME: authentik
+      LETS_ENCRYPT_ENV: production
+      CONFIG_YML_VERSION: v1
+      SECRET_DB_PASSWORD_VERSION: v1
+      SECRET_JWT_SECRET_VERSION: v1
+
+trigger:
+  branch:
+    - main
+---
+kind: pipeline
+name: generate recipe catalogue
+steps:
+  - name: release a new version
+    image: plugins/downstream
+    settings:
+      server: https://build.coopcloud.tech
+      token:
+        from_secret: drone_abra-bot_token
+      fork: true
+      repositories:
+        - coop-cloud/auto-recipes-catalogue-json
+
+trigger:
+  event: tag
+

.env.sample

@@ -1,6 +1,8 @@
 TYPE=vikunja
+TIMEOUT=300
+ENABLE_AUTO_UPDATE=true
 
-DOMAIN={{ .Domain }}
+DOMAIN=vikunja.example.com
 
 ## Domain aliases
 #EXTRA_DOMAINS=', `www.vikunja.example.com`'
@@ -14,13 +16,22 @@ LOG_LEVEL=INFO
 
 COMPOSE_FILE=compose.yml
 
+#VIKUNJA_RATELIMIT_NOAUTHLIMIT=10
+
+# uncomment to enable local authentication
+# LOCAL_AUTH_ENABLED=true
+# uncomment to enable self-registration (if disabled, can be done via
+# command line in the api container with vikunja user command)
+# LOCAL_REGISTRATION_ENABLED=true
+
 # SSO OAUTH
 # e.g. see https://goauthentik.io/integrations/services/vikunja/
 # COMPOSE_FILE="${COMPOSE_FILE}:compose.oauth.yml"
 # OAUTH_ENABLED=true
-# OAUTH_NAME
-# OAUTH_URL
-# OAUTH_CLIENT_ID
+# OAUTH_NAME=authentik
+# OAUTH_URL=https://login.example.com/application/o/vikunja/
+# OAUTH_CLIENT_ID=vikunja
+# OAUTH_LOGOUT_URL=https://login.example.com/application/o/vikunja/end-session/
 # SECRET_OAUTH_SECRET_VERSION=v1
 
 # E-MAIL

abra.sh

@@ -1 +1 @@
-export CONFIG_YML_VERSION=v3
+export CONFIG_YML_VERSION=v6

compose.oauth.yml

@@ -7,6 +7,7 @@ services:
       - OAUTH_NAME
       - OAUTH_URL
       - OAUTH_CLIENT_ID
+      - OAUTH_LOGOUT_URL
       - SECRET_OAUTH_SECRET_VERSION=V1
     secrets:
       - oauth_secret

compose.yml

@@ -3,10 +3,13 @@ version: "3.8"
 
 services:
   api:
-    image: vikunja/api:0.19.2
+    image: vikunja/api:0.22.1
     environment:
       - DOMAIN
       - LOG_LEVEL
+      - VIKUNJA_RATELIMIT_NOAUTHLIMIT
+      - LOCAL_AUTH_ENABLED
+      - LOCAL_REGISTRATION_ENABLED
     volumes:
       - files:/app/vikunja/files
     networks:
@@ -17,10 +20,8 @@ services:
       - db_password
     configs:
       - source: config_yml
-        target: /app/vikunja/config.yml
+        target: /etc/vikunja/config.yml
     deploy:
-      restart_policy:
-        condition: on-failure
       labels:
         - "traefik.enable=true"
         - "traefik.http.services.${STACK_NAME}_api.loadbalancer.server.port=3456"
@@ -29,19 +30,18 @@ services:
         - "traefik.http.routers.${STACK_NAME}_api.tls.certresolver=${LETS_ENCRYPT_ENV}"
 
   app:
-    image: vikunja/frontend:0.19.1
+    image: vikunja/frontend:0.22.1
     networks:
       - proxy
     deploy:
-      restart_policy:
-        condition: on-failure
       labels:
         - "traefik.enable=true"
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "coop-cloud.${STACK_NAME}.version=0.1.0+0.19.1"
+        - "coop-cloud.${STACK_NAME}.version=0.4.0+0.22.1"
+        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
     healthcheck:
       test: [ "CMD", "curl", "-f", "http://localhost" ]
       interval: 30s
@@ -69,13 +69,11 @@ services:
     secrets:
       - db_password
     deploy:
-      restart_policy:
-        condition: on-failure
       labels:
         backupbot.backup: "true"
-        backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /tmp/backup/backup.sql"
-        backupbot.backup.post-hook: "rm -rf /tmp/backup"
-        backupbot.backup.path: "/tmp/backup/"
+        backupbot.backup.pre-hook: "PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql"
+        backupbot.backup.post-hook: "rm -rf /var/lib/postgresql/data/backup.sql"
+        backupbot.backup.path: "/var/lib/postgresql/data/backup.sql"
 
 volumes:
   files:

config.yml.tmpl

@@ -5,7 +5,7 @@ service:
   JWTSecret: {{ secret "jwt_secret" }}
 #   # The duration of the issed JWT tokens in seconds.
 #   # The default is 259200 seconds (3 Days).
-#   jwtttl: 259200
+#   jwtttl: 604800
 #   # The duration of the "remember me" time in seconds. When the login request is made with
 #   # the long param set, the token returned will be valid for this period.
 #   # The default is 2592000 seconds (30 Days).
@@ -33,7 +33,11 @@ service:
 #   # Enable sharing of lists via a link
 #   enablelinksharing: true
 #   # Whether to let new users registering themselves or not
-#   enableregistration: true
+{{ if eq (env "LOCAL_REGISTRATION_ENABLED") "true" }}
+  enableregistration: true
+{{ else }}
+  enableregistration: false
+{{ end }}
 #   # Whether to enable task attachments or not
 #   enabletaskattachments: true
 #   # The time zone all timestamps are in. Please note that time zones have to use [the official tz database names](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones). UTC or GMT offsets won't work.
@@ -281,16 +285,20 @@ log:
 #
 # # Key Value Storage settings
 # # The Key Value Storage is used for different kinds of things like metrics and a few cache systems.
-# keyvalue:
-#   # The type of the storage backend. Can be either "memory" or "redis". If "redis" is chosen it needs to be configured seperately.
-#   type: "memory"
+keyvalue:
+  # The type of the storage backend. Can be either "memory" or "redis". If "redis" is chosen it needs to be configured seperately.
+  type: "redis"
 #
 auth:
   # Local authentication will let users log in and register (if enabled) through the db.
   # This is the default auth mechanism and does not require any additional configuration.
   local:
     # Enable or disable local authentication
+{{ if eq (env "LOCAL_AUTH_ENABLED") "true" }}
+    enabled: true
+{{ else }}
     enabled: false
+{{ end }}
   # OpenID configuration will allow users to authenticate through a third-party OpenID Connect compatible provider.<br/>
   # The provider needs to support the `openid`, `profile` and `email` scopes.<br/>
   # **Note:** Some openid providers (like gitlab) only make the email of the user available through openid claims if they have set it to be publicly visible.
@@ -305,13 +313,16 @@ auth:
     enabled: {{ env "OAUTH_ENABLED" }}
     # The url to redirect clients to. Defaults to the configured frontend url. If you're using Vikunja with the official
     # frontend, you don't need to change this value.
-    # redirecturl: <frontend url>
+    redirecturl: https://{{ env "DOMAIN" }}/auth/openid/
     # A list of enabled providers
     providers:
       # The name of the provider as it will appear in the frontend.
       - name: {{ env "OAUTH_NAME" }}
         # The auth url to send users to if they want to authenticate using OpenID Connect.
         authurl: {{ env "OAUTH_URL" }}
+        # The oidc logouturl that users will be redirected to on logout.
+        # Leave empty or delete key, if you do not want to be redirected.
+        logouturl: {{ env "OAUTH_LOGOUT_URL" }}
         # The client ID used to authenticate Vikunja at the OpenID Connect provider.
         clientid: {{ env "OAUTH_CLIENT_ID" }}
         # The client secret used to authenticate Vikunja at the OpenID Connect provider.