Merge branch 'main' into feature/authentik-integration

Reviewed-on: #4

.drone.yml

@@ -7,7 +7,6 @@ steps:
     settings:
       host: swarm-test.autonomic.zone
       stack: writefreely
-      generate_secrets: true
       purge: true
       deploy_key:
         from_secret: drone_ssh_swarm_test
@@ -16,11 +15,11 @@ steps:
     environment:
       DOMAIN: writefreely.swarm-test.autonomic.zone
       STACK_NAME: writefreely
+      ASSETS_PATH: /usr/share/writefreely
+      DATA_PATH: /data
       LETS_ENCRYPT_ENV: production
-      CONFIG_WRITEFREELY_VERSION: v1
+      CONFIG_INI_VERSION: v1
-      CONFIG_ENTRYPOINT_VERSION: v1
+      WRITEFREELY_ENTRYPOINT_VERSION: v1
-      SECRET_DB_ROOT_PASSWORD_VERSION: v1
-      SECRET_DB_PASSWORD_VERSION: v1
 trigger:
   branch:
     - main

.env.sample

@@ -48,3 +48,12 @@ LETS_ENCRYPT_ENV=production
 #OAUTH_HOST=https://<your domain>/realms/<your realm>/protocol/openid-connect
 #OAUTH_DISPLAY_NAME=Keycloak
 #OAUTH_CLIENT_SECRET_VERSION=v1
+
+## Uncomment to use Authentik. This only works if Keycloak is disabled.
+## See README.md for explanation.
+#AUTHENTIK_ENABLED=1
+#COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
+#OAUTH_HOST=https://<your domain>
+#OAUTH_DISPLAY_NAME=Authentik
+#OAUTH_CLIENT_ID_VERSION=v1
+#OAUTH_CLIENT_SECRET_VERSION=v1

README.md

@@ -36,6 +36,44 @@ For the **OAUTH_HOST** config, it uses this format: `https://keycloak.example.co
 
 To set the client secret: `abra app secret insert <domain> oauth_client_secret v1`
 
+## Authentik setup
+
+If you've set up Authentik for SSO, you can integrate it into Writefreely by running the following steps:
+
+1. In the Authentik app, uncomment the Writefreely configuration to enable the associated blueprint:
+
+   ```
+   COMPOSE_FILE="$COMPOSE_FILE:compose.writefreely.yml"
+   WRITEFREELY_DOMAIN=writefreely.example.com
+   SECRET_WRITEFREELY_ID_VERSION=v1
+   SECRET_WRITEFREELY_SECRET_VERSION=v1
+   APP_ICONS="writefreely:~/.abra/recipes/authentik/icons/writefreely.png"
+   WRITEFREELY_APPGROUP="$GROUP_DOCUMENTATION"
+    ```
+
+2. Also in Authentik, generate the client id/secret pair.
+
+    ```
+    abra app secret generate <authentik_app_name> writefreely_id v1
+    ```
+
+    ```
+    abra app secret generate <authentik_app_name> writefreely_secret v1
+    ```
+
+3. Uncomment and properly set the configs for Authentik in `abra app config <domain>`.
+
+4. Set the client id/secret that were generated previously, by running:
+
+    ```
+    abra app secret insert <domain> oauth_client_id v1
+    ```
+
+    ```
+    abra app secret insert <domain> oauth_client_secret v1
+    ```
+
+
 ## MariaDB
 
 By default, this recipe uses sqlite. If you wish to use MariaDB instead:

compose.authentik.yml

@@ -0,0 +1,16 @@
+---
+version: "3.8"
+
+services:
+  app:
+    secrets:
+      - oauth_client_id
+      - oauth_client_secret
+
+secrets:
+  oauth_client_id:
+    external: true
+    name: ${STACK_NAME}_oauth_client_id_${OAUTH_CLIENT_ID_VERSION}
+  oauth_client_secret:
+    external: true
+    name: ${STACK_NAME}_oauth_client_secret_${OAUTH_CLIENT_SECRET_VERSION}

compose.yml

@@ -30,7 +30,7 @@ services:
         - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.scheme=https"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.permanent=true"
-        - "coop-cloud.${STACK_NAME}.version=0.1.0+latest"
+        - "coop-cloud.${STACK_NAME}.version=1.0.0+v0.16.0"
 
 volumes:
   local-data:

config.ini.tmpl

@@ -69,4 +69,21 @@ map_user_id        = sub
 map_username       = preferred_username
 map_display_name   =
 map_email          = email
+{{ else if eq (env "AUTHENTIK_ENABLED") "1" }}
+[oauth.generic]
+client_id          = {{ secret "oauth_client_id" }}
+client_secret      = {{ secret "oauth_client_secret" }}
+host               = {{ env "OAUTH_HOST" }}
+display_name       = {{ env "OAUTH_DISPLAY_NAME" }}
+callback_proxy     =
+callback_proxy_api =
+token_endpoint     = /application/o/token/
+inspect_endpoint   = /application/o/userinfo/
+auth_endpoint      = /application/o/authorize/
+scope              = openid profile email
+allow_disconnect   = false
+map_user_id        = sub
+map_username       = preferred_username
+map_display_name   =
+map_email          = email
 {{ end }}

renovate.json

@@ -0,0 +1,6 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended"
+  ]
+}