chore: publish 2.0.0+0.35.2 release

Reviewed-on: coop-cloud/rauthy#17
Reviewed-by: decentral1se <decentral1se@noreply.git.coopcloud.tech>
Reviewed-by: Danny Groenewegen <mail@dannygroenewegen.nl>

.drone.yml

@@ -0,0 +1,44 @@
+---
+kind: pipeline
+name: deploy to swarm-test.autonomic.zone
+steps:
+  - name: deployment
+    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
+    settings:
+      host: swarm-test.autonomic.zone
+      stack: rauthy
+      generate_secrets: true
+      purge: true
+      deploy_key:
+        from_secret: drone_ssh_swarm_test
+      networks:
+        - proxy
+    environment:
+      DOMAIN: rauthy.swarm-test.autonomic.zone
+      STACK_NAME: rauthy
+      LETS_ENCRYPT_ENV: staging
+      CONFIG_TOML_VERSION: v2
+      SECRET_ENC_KEYS_A_VERSION: a1
+      SECRET_ENC_KEYS_B_VERSION: b1
+      SECRET_HQL_RAFT_VERSION: v1
+      SECRET_HQL_API_VERSION: v1
+
+trigger:
+  branch:
+    - main
+---
+kind: pipeline
+name: generate recipe catalogue
+steps:
+  - name: release a new version
+    image: plugins/downstream
+    settings:
+      server: https://build.coopcloud.tech
+      token:
+        from_secret: drone_abra-bot_token
+      fork: true
+      repositories:
+        - toolshed/auto-recipes-catalogue-json
+
+trigger:
+  event: tag

.env.sample

@@ -1,16 +1,20 @@
 TYPE=rauthy
 DOMAIN=rauthy.example.com
 LETS_ENCRYPT_ENV=production
+ENABLE_BACKUPS=true
 
 COMPOSE_FILE="compose.yml"
 
+# See https://sebadob.github.io/rauthy/config/config.html
+
 ADMIN_EMAIL=admin@example.org
 ADMIN_FORCE_MFA=true
 
 LOG_LEVEL=info
 
-SECRET_ENC_KEYS_VERSION=v1
-ENC_KEY_ACTIVE=""
+SECRET_ENC_KEYS_A_VERSION=a1  # generate=false
+SECRET_ENC_KEYS_B_VERSION=b1  # generate=false
+ENC_KEY_ACTIVE="a1"
 
 SECRET_HQL_RAFT_VERSION=v1
 SECRET_HQL_API_VERSION=v1
@@ -23,3 +27,25 @@ SECRET_HQL_API_VERSION=v1
 #SMTP_FROM=
 #SMTP_USERNAME=
 #SECRET_SMTP_PASSWORD_VERSION=v1
+#SMTP_STARTTLS_ONLY=true
+
+# Bootstrap admin account (only on first deploy)
+# Generate admin bootstrap hash: abra app cmd --local generate_bootstrap_admin_password
+#COMPOSE_FILE="$COMPOSE_FILE:compose.bootstrapadmin.yml"
+#SECRET_ADMIN_PWHASH_VERSION=v1 # generate=false
+
+# API key
+# When set before first deploy, rauthy will bootstrap an API key with the Base64 encoded JSON access rights.
+# After first deploy, api_secret is also used by abra.sh functions (create_clients, create_groups)
+#COMPOSE_FILE="$COMPOSE_FILE:compose.api.yml"
+#SECRET_API_SECRET_VERSION=v1 # length=64
+
+# Default value for API_BASE64_ACCESS (ewog...) is read and create rights on Clients, Roles and Groups. See file api.key.example.json and https://sebadob.github.io/rauthy/config/bootstrap.html#api-key
+# In rauthy this value is stored in the config as API_KEY
+#API_BASE64_ACCESS_RIGHTS="ewogICJuYW1lIjoiYm9vdHN0cmFwIiwKICAiZXhwIjpudWxsLAogICJhY2Nlc3MiOlt7CiAgICAgICJncm91cCI6IkNsaWVudHMiLAogICAgICAiYWNjZXNzX3JpZ2h0cyI6WyJyZWFkIiwiY3JlYXRlIl0KICAgIH0sewogICAgICAiZ3JvdXAiOiJSb2xlcyIsCiAgICAgICJhY2Nlc3NfcmlnaHRzIjpbInJlYWQiLCJjcmVhdGUiXQogICAgfSx7CiAgICAgICJncm91cCI6ICJHcm91cHMiLAogICAgICAiYWNjZXNzX3JpZ2h0cyI6WyJyZWFkIiwiY3JlYXRlIl0KICAgIH0sewogICAgICAiZ3JvdXAiOiAiU2VjcmV0cyIsCiAgICAgICJhY2Nlc3NfcmlnaHRzIjpbInJlYWQiXQogICAgfQogIF0KfQo="                   
+
+# Nextcloud OIDC integration
+#COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
+#SECRET_NEXTCLOUD_SEC_VERSION=v1 # length=5 prefix=Empty- This needs a value before deployment, but it will be set to the actual secret after the OIDC client is created.
+#NEXTCLOUD_CLIENT_NAME="Nextcloud"
+#NEXTCLOUD_REDIRECT_URI="https://nextcloud.example.com/apps/user_oidc/code"

.gitea/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,16 @@
+---
+name: "Rauthy pull request template"
+about: "Rauthy pull request template"
+---
+
+<!-- 
+Thank you for doing recipe maintenance work!
+Please mark all checklist items which are relevant for your changes.
+Please remove the checklist items which are not relevant for your changes.
+Feel free to remove this comment.
+-->
+
+* [ ] I have deployed and tested my changes
+* [ ] I have [updated relevant versions in `abra.sh`](https://docs.coopcloud.tech/maintainers/upgrade/#updating-versions-in-the-abrash)
+* [ ] I have made my environment variable changes [backwards compatible](https://docs.coopcloud.tech/maintainers/upgrade/#backwards-compatible-environment-variable-changes)
+* [ ] I have added a [release note entry](https://docs.coopcloud.tech/maintainers/upgrade/#creating-new-release-notes)

MAINTENANCE.md

@@ -0,0 +1,32 @@
+# Rauthy Recipe Maintenance
+
+All contributions should be made via a pull request. This is to ensure a
+certain quality and consistency, that others can rely on.
+
+## Maintainer Responsibilities
+
+A recipe maintainer has the following responsibilities:
+
+- Respond to pull requests / issues within a week
+- Make image security updates within a day
+- Make image patch / minor updates within a week
+- Make image major updates within a month
+
+In order to fullfill these responsibilities a recipe maintainer:
+
+- Has to watch the repository (to get notifications)
+- Needs to make sure renovate is configured properly
+
+## Pull Requests
+
+A pull request can be merged if it is approved by at least one maintainer. For
+pull requests opened by a maintainer they need to be approved by another
+maintainer. Even though it is okay to merge a pull request with one approval, it
+is always better if all maintainers looked at the pull request and approved it.
+
+## Become a maintainer
+
+Everyone can apply to be a recipe maintainer:
+1. Watch the repository to always get updates
+2. Simply add your self to the list in the [README.md](./README.md) and open a new pull request with the change.
+3. Once the pull request gets merged you will be added to the [rauthy maintainers team](https://git.coopcloud.tech/org/coop-cloud/teams/rauthy-maintainers).

README.md

@@ -4,6 +4,7 @@
 
 <!-- metadata -->
 
+* **Maintainer**: [@3wc](https://git.coopcloud.tech/3wordchant), [@decentral1se](https://git.coopcloud.tech/decentral1se), [@dannygroenewegen](https://git.coopcloud.tech/dannygroenewegen)
 * **Category**: Apps
 * **Status**: 0
 * **Image**: [`rauthy`](https://ghcr.io/sebadob/rauthy), 4, upstream
@@ -17,20 +18,16 @@
 
 ## Quick start
 
-* `abra app new rauthy`
+1. `abra app new rauthy`
+2. `abra app cmd --local <app> generate_enc_keys`
+3. `abra app secret generate <app> --all`
+4. `abra app deploy <app>`
+5. `abra app logs <app>`
+    - You'll see the automatically generated admin password in the initial logs.
+      Ensure that you reset this password after you log in. The `ADMIN_EMAIL` env
+      var controls the value of the admin login username.
 
-### Generate encryption keys
-
-* `echo "$(openssl rand -hex 4)/$(openssl rand -base64 32)"`
-* `abra app secret insert <app> enc_keys v1 <enc-key>`
-* `abra app config <app>`
-  * **N.B** you need to match the `ENC_KEY_ACTIVE` env var with the start of
-    the generated `enc_keys` value (everything before the `/`. See [the
-    docs](https://sebadob.github.io/rauthy/config/encryption.html) for more)
-
-### Generate secrets
-
-* `abra app secret generate <app> -a`
+For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech).
 
 ### Host mode networking
 
@@ -41,12 +38,93 @@ mistakenly rate limited  based on internal ipv4 addresses (e.g. `10.0.0.6`).
 COMPOSE_FILE="$COMPOSE_FILE:compose.host.yml"
 ```
 
-### Deploy
+### Bootstrap admin password
 
-* `abra app deploy <app>`
-* `abra app logs <app>`
-  * You'll see the automatically generated admin password in the initial logs.
-    Ensure that you reset this password after you log in. The `ADMIN_EMAIL` env
-    var controls the value of the admin login username.
+By default, rauthy generates a random admin password and prints it to the logs on first deploy. If you want to set a known password upfront, you can bootstrap it before the first deploy.
 
-For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech).
+Requires `argon2` on your local machine.
+
+1. With  `abra app config <app>`, configure the following envs:
+   ```
+   COMPOSE_FILE="$COMPOSE_FILE:compose.bootstrapadmin.yml"
+   SECRET_ADMIN_PWHASH_VERSION=v1
+   ```
+2. Generate and insert the admin password hash:
+   ```
+   abra app cmd --local <app> generate_bootstrap_admin_password
+   ```
+3. Deploy: `abra app deploy <app>`
+
+Rauthy will use the bootstrapped hash instead of generating a password.
+
+### API key
+
+The API key allows access to the Rauthy API, used for creating OIDC clients, groups, and roles.
+
+#### Setup
+
+1. With  `abra app config <app>`, configure the following envs:
+   ```
+   COMPOSE_FILE="$COMPOSE_FILE:compose.api.yml"
+   SECRET_API_SECRET_VERSION=v1
+   ```
+2. Generate the secret:
+   ```
+   abra app secret generate <app> api_secret v1
+   ```
+3. When `API_BASE64_ACCESS_RIGHTS` and `api_secret` are set before first deployment, Rauthy will bootstrap an API key with the access rights as configured in `API_BASE64_ACCESS_RIGHTS`. The default value in `.env.sample` grants read and create rights on Clients, Roles, and Groups. See the [rauthy bootstrap docs](https://sebadob.github.io/rauthy/config/bootstrap.html#api-key) for the JSON schema. If `API_BASE64_ACCESS_RIGHTS` is empty or set after first deployment, no API key is bootstrapped and you'll need to create one manually in the admin UI with secret `api_secret` to be used by the abra.sh functions.
+
+#### Available commands
+
+All commands require the API key to be set up and the app to be running.
+
+**`create_client <client_id> [insertsecret]`** — Creates a confidential OIDC client. Reads configuration from env vars prefixed with the uppercased client ID:
+
+| Variable | Required | Default |
+|---|---|---|
+| `<ID>_CLIENT_NAME` | yes | — |
+| `<ID>_REDIRECT_URI` | yes | — |
+| `<ID>_ALLOWED_SCOPES` | no | `email openid profile groups` |
+
+Without `insertsecret`, prints the generated client secret. With `insertsecret`, it inserts Rauthy's client secret in the app secret `<ID>_sec` (undeploying and redeploying the app automatically).
+
+**`create_groups <group> [<group> ...]`** — Creates one or more groups.
+
+**`create_roles <role> [<role> ...]`** — Creates one or more roles.
+
+#### Example: Nextcloud OIDC integration
+
+This sets up rauthy as an OIDC provider for a Nextcloud app. Requires the API key to be set up first.
+
+1. With  `abra app config <app>`, configure the following envs:
+   ```
+   COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
+   SECRET_NEXTCLOUD_SEC_VERSION=v1
+   NEXTCLOUD_CLIENT_NAME="Nextcloud"
+   NEXTCLOUD_REDIRECT_URI="https://nextcloud.example.com/apps/user_oidc/code"
+   ```
+2. Generate a placeholder secret (required before deploy; it will be replaced after client creation):
+   ```
+   abra app secret generate <app> nextcloud_sec v1
+   ```
+3. Deploy: `abra app deploy <app>`
+4. Create the OIDC client in rauthy and insert the generated client secret:
+   ```
+   abra app cmd <app> create_client nextcloud insertsecret
+   ```
+   This undeploys the app, replaces the `nextcloud_sec` Docker secret with the real client secret, and redeploys.
+5. Configure Nextcloud's OIDC provider (via the `user_oidc` app, see [Nextcloud user_oidc docs](https://git.coopcloud.tech/coop-cloud/nextcloud#how-do-i-enable-openid-connect-oidc-providers)) with:
+   - **Discovery endpoint**: `https://<rauthy-domain>/.well-known/openid-configuration`
+   - **Client ID**: `nextcloud`
+   - **Client secret**: the value inserted above (can also be view in Rauthy Admin UI)
+
+### Encryption key rotation
+
+This recipe supports encryption key rotation as described in [the docs](https://sebadob.github.io/rauthy/config/encryption.html). To rotate keys the first time:
+
+1. Increment the version of `SECRET_ENC_KEYS_B_VERSION=b1` to `b2`
+2. `abra app secret insert <app> enc_keys_b b2 "$(openssl rand -base64 32)"`
+2. Change `ENC_KEY_ACTIVE="a1"` to `b2` (this tells rauthy to encrypt new secrets with the new key while still having access to `a1`)
+3. `abra app deploy <app>`
+
+To rotate keys any future time, follow the same pattern of incrementing the non-active secret version and changing the active secret to that newly generated secret.

abra.sh

@@ -1 +1,243 @@
-export CONFIG_TOML_VERSION=v2
+set -e
+
+export CONFIG_TOML_VERSION=v5
+
+generate_bootstrap_admin_password() {
+  if ! command -v argon2 &> /dev/null; then
+    echo "ERROR: 'argon2' CLI not found. Install it (e.g. 'apt install argon2')"
+    exit 1
+  fi
+
+  PASSWORD="$(openssl rand -base64 24)"  
+  SALT="$(openssl rand -base64 24)"
+  HASH="$(echo -n "$PASSWORD" | argon2 "$SALT" -id -t 3 -m 16 -p 2 -l 32 -e)"
+
+  if abra app secret insert -C "$APP_NAME" admin_pwhash v1 "$HASH"; then
+    echo "Generated admin password:"
+    echo "$PASSWORD"
+    echo "WARNING: password is NOT shown again, please save it NOW"
+  else
+    echo "Failed to insert admin hash."
+    exit 1
+  fi
+}
+
+generate_enc_keys() {
+  KEY_A="$(openssl rand -base64 32)"
+  KEY_B="$(openssl rand -base64 32)"
+  abra app secret insert "$APP_NAME" enc_keys_a a1 "$KEY_A" --chaos
+  abra app secret insert "$APP_NAME" enc_keys_b b1 "$KEY_B" --chaos
+  echo "WARNING: secrets are NOT shown again, please save them NOW"
+  echo "    enc_keys_a    $KEY_A"
+  echo "    enc_keys_b    $KEY_B"
+}
+
+# Reads a Docker Swarm secret value from the running container
+# Requires jq locally and SSH access to the server.
+# Usage: get_secret <secret_name>
+get_secret() {
+  local SECRET_NAME="$1"
+
+  if ! command -v jq &>/dev/null; then
+    echo "ERROR: jq is required. Install with: apt install jq" >&2
+    exit 1
+  fi
+
+  local SERVER
+  SERVER=$(abra app ls -m | jq -r --arg domain "$APP_NAME" '[.[].apps[] | select(.domain == $domain) | .server] | first' 2>/dev/null)
+
+  if [ -z "$SERVER" ] || [ "$SERVER" = "null" ]; then
+    echo "ERROR: could not determine server for app '$APP_NAME'" >&2
+    exit 1
+  fi
+
+  local MATCH
+  MATCH=$(ssh "$SERVER" "
+    docker stack services ${STACK_NAME} --format '{{.Name}}' | while read svc; do
+      CID=\$(docker ps --no-trunc -q --filter \"name=\${svc}\" | head -1)
+      [ -z \"\$CID\" ] && continue
+      docker service inspect \"\$svc\" --format '{{json .Spec.TaskTemplate.ContainerSpec.Secrets}}' | jq -r --arg cid \"\$CID\" '.[]? | .SecretID + \" \" + \$cid + \" \" + .SecretName'
+    done
+  " 2>/dev/null | grep " ${STACK_NAME}_${SECRET_NAME}_" | head -1)
+
+  if [ -z "$MATCH" ]; then
+    echo "ERROR: secret '$SECRET_NAME' not found in stack '$STACK_NAME'" >&2
+    exit 1
+  fi
+
+  local SECRET_ID CID
+  SECRET_ID=$(echo "$MATCH" | awk '{print $1}')
+  CID=$(echo "$MATCH" | awk '{print $2}')
+
+  local VALUE
+  VALUE=$(ssh "$SERVER" "cat /var/lib/docker/containers/${CID}/mounts/secrets/${SECRET_ID} 2>/dev/null || sudo cat /var/lib/docker/containers/${CID}/mounts/secrets/${SECRET_ID} 2>/dev/null")
+
+  if [ -z "$VALUE" ]; then
+    echo "ERROR: could not read value for secret '$SECRET_NAME'" >&2
+    exit 1
+  fi
+
+  printf '%s' "$VALUE"
+}
+
+# Usage: rauthy_api_request <method> <path> [json_body]
+# Sets globals API_HTTP_STATUS and API_BODY.
+rauthy_api_request() {
+  local METHOD="$1" ENDPOINT="$2" PAYLOAD="${3:-}"
+  if [ -z "$API_SECRET" ]; then
+    API_SECRET=$(get_secret api_secret)
+  fi
+  local AUTH_HEADER
+  AUTH_HEADER=$(printf 'Authorization: API-Key bootstrap$%s' "$API_SECRET")
+  local ARGS=(-s -w "\n%{http_code}" -X "$METHOD" -H "$AUTH_HEADER")
+  [ -n "$PAYLOAD" ] && ARGS+=(-H "Content-Type: application/json" -d "$PAYLOAD")
+  local RESPONSE
+  RESPONSE=$(curl "${ARGS[@]}" "https://${DOMAIN}/auth/v1${ENDPOINT}")
+  API_HTTP_STATUS=$(echo "$RESPONSE" | tail -1)
+  API_BODY=$(echo "$RESPONSE" | sed '$d')
+}
+
+# Creates an OIDC client in Rauthy and prints the client secret.
+# Usage: create_client <client_id> [insertsecret]
+#   Reads config from env vars prefixed with uppercased client_id:
+#     <ID>_CLIENT_NAME    (required)
+#     <ID>_REDIRECT_URI   (required)
+#     <ID>_ALLOWED_SCOPES (optional, default: 'email openid profile groups')
+#   With 'insertsecret': undeploys APP_NAME, replaces the Docker secret, then redeploys.
+# Example: NEXTCLOUD_CLIENT_NAME="Nextcloud" NEXTCLOUD_REDIRECT_URI="https://..." create_client nextcloud
+create_client() {
+  local CLIENT_ID="$1"
+  local MODE="$2"
+
+  if [ -z "$CLIENT_ID" ]; then
+    echo "ERROR: no client_id; Usage: create_client <client_id> [insertsecret]" >&2
+    exit 1
+  fi
+
+  local PREFIX
+  PREFIX=$(echo "$CLIENT_ID" | tr '[:lower:]' '[:upper:]')
+
+  local CLIENT_NAME REDIRECT_URI ALLOWED_SCOPES
+  CLIENT_NAME=$(eval "echo \"\${${PREFIX}_CLIENT_NAME}\"")
+  REDIRECT_URI=$(eval "echo \"\${${PREFIX}_REDIRECT_URI}\"")
+  ALLOWED_SCOPES=$(eval "echo \"\${${PREFIX}_ALLOWED_SCOPES:-email openid profile groups}\"")
+
+  if [ -z "$CLIENT_NAME" ] || [ -z "$REDIRECT_URI" ]; then
+    echo "ERROR: ${PREFIX}_CLIENT_NAME and ${PREFIX}_REDIRECT_URI must be set" >&2
+    exit 1
+  fi
+
+  if ! command -v jq &>/dev/null; then
+    echo "ERROR: jq is required. Install with: apt install jq" >&2
+    exit 1
+  fi
+
+  rauthy_api_request GET "/clients/${CLIENT_ID}"
+  if [ "$API_HTTP_STATUS" = "200" ]; then
+    echo "Client '${CLIENT_ID}' already exists, skipping creation."
+  else
+    local PAYLOAD
+    PAYLOAD=$(jq -n \
+      --arg id "$CLIENT_ID" \
+      --arg name "$CLIENT_NAME" \
+      --arg redirect_uris "$REDIRECT_URI" \
+      --arg allowed_scopes "$ALLOWED_SCOPES" \
+      '$ARGS.named | .redirect_uris = [.redirect_uris] | .allowed_scopes = (.allowed_scopes | split(" ")) | .confidential = true')
+
+    rauthy_api_request POST "/clients" "$PAYLOAD"
+    if [ "$API_HTTP_STATUS" != "200" ] && [ "$API_HTTP_STATUS" != "201" ]; then
+      echo "ERROR: failed to create client '${CLIENT_ID}' (HTTP ${API_HTTP_STATUS}): ${API_BODY}" >&2
+      exit 1
+    fi
+  fi
+
+  rauthy_api_request POST "/clients/${CLIENT_ID}/secret"
+  if [ "$API_HTTP_STATUS" != "200" ] && [ "$API_HTTP_STATUS" != "201" ]; then
+    echo "ERROR: failed to fetch secret for client '${CLIENT_ID}' (HTTP ${API_HTTP_STATUS}): ${API_BODY}" >&2
+    exit 1
+  fi
+
+  local CLIENT_SECRET
+  CLIENT_SECRET=$(echo "$API_BODY" | jq -r '.secret // empty')
+
+  if [ -z "$CLIENT_SECRET" ]; then
+    echo "ERROR: no secret in API response for '${CLIENT_ID}'" >&2
+    echo "Response was: ${API_BODY}" >&2
+    exit 1
+  fi
+
+  if [ "$MODE" = "insertsecret" ]; then
+    echo "Undeploying '${APP_NAME}' to replace secret '${CLIENT_ID}_sec'"
+    abra --no-input app undeploy "$APP_NAME" || true
+    abra app secret remove -C "$APP_NAME" "${CLIENT_ID}_sec" || true
+    if printf '%s' "$CLIENT_SECRET" | abra app secret insert -C "$APP_NAME" "${CLIENT_ID}_sec" v1; then
+      echo "Secret '${CLIENT_ID}_sec' inserted, redeploying '${APP_NAME}'..."
+    else
+      echo "ERROR: failed to insert secret '${CLIENT_ID}_sec'; redeploying app" >&2
+    fi
+    abra --no-input app deploy -C "$APP_NAME" || true
+    #rauthy doesn't have a healthcheck, wait 5 seconds for startup
+    sleep 5
+
+  else
+    echo "Client '${CLIENT_ID}' created. Secret: ${CLIENT_SECRET}"
+  fi
+}
+
+# Creates one or more groups in Rauthy.
+# Usage: create_groups <group_name> [<group_name> ...]
+create_groups() {
+  if ! command -v jq &>/dev/null; then
+    echo "ERROR: jq is required. Install with: apt install jq" >&2
+    exit 1
+  fi
+
+  rauthy_api_request GET "/groups"
+  local EXISTING_GROUPS
+  if [ "$API_HTTP_STATUS" = "200" ]; then
+    EXISTING_GROUPS=$(echo "$API_BODY" | jq -r '.[].name // empty')
+  fi
+
+  for GROUP_NAME in "$@"; do
+    if echo "$EXISTING_GROUPS" | grep -qx "$GROUP_NAME"; then
+      echo "Group '${GROUP_NAME}' already exists, skipping"
+      continue
+    fi
+
+    rauthy_api_request POST "/groups" "$(jq -n --arg group "$GROUP_NAME" '$ARGS.named')"
+    if [ "$API_HTTP_STATUS" != "200" ] && [ "$API_HTTP_STATUS" != "201" ]; then
+      echo "ERROR: failed to create group '${GROUP_NAME}' (HTTP ${API_HTTP_STATUS}): ${API_BODY}" >&2
+      exit 1
+    fi
+
+    echo "Created group '${GROUP_NAME}'"
+  done
+}
+
+# Creates one or more roles in Rauthy.
+# Usage: create_roles <role_name> [<role_name> ...]
+create_roles() {
+  if ! command -v jq &>/dev/null; then
+    echo "ERROR: jq is required. Install with: apt install jq" >&2
+    exit 1
+  fi
+
+  rauthy_api_request GET "/roles"
+  local EXISTING_ROLES
+  EXISTING_ROLES=$(echo "$API_BODY" | jq -r '.[].name // empty')
+
+  for ROLE_NAME in "$@"; do
+    if echo "$EXISTING_ROLES" | grep -qx "$ROLE_NAME"; then
+      echo "Role '${ROLE_NAME}' already exists, skipping"
+      continue
+    fi
+
+    rauthy_api_request POST "/roles" "$(jq -n --arg role "$ROLE_NAME" '$ARGS.named')"
+    if [ "$API_HTTP_STATUS" != "200" ] && [ "$API_HTTP_STATUS" != "201" ]; then
+      echo "ERROR: failed to create role '${ROLE_NAME}' (HTTP ${API_HTTP_STATUS}): ${API_BODY}" >&2
+      exit 1
+    fi
+
+    echo "Created role '${ROLE_NAME}'"
+  done
+}

alaconnect.yml

@@ -0,0 +1,10 @@
+nextcloud:
+  uncomment:
+      - compose.nextcloud.yml
+      - SECRET_NEXTCLOUD_SEC_VERSION
+      - NEXTCLOUD_REDIRECT_URI
+      - NEXTCLOUD_CLIENT_NAME
+  initial-hooks:
+      - local create_client nextcloud insertsecret
+  shared_secrets:
+      user_oidc_secret: nextcloud_sec

api.key.example.json

@@ -0,0 +1,18 @@
+{
+  "name":"bootstrap",
+  "exp":null,
+  "access":[{
+      "group":"Clients",
+      "access_rights":["read","create"]
+    },{
+      "group":"Roles",
+      "access_rights":["read","create"]
+    },{
+      "group": "Groups",
+      "access_rights":["read","create"]
+    },{
+      "group": "Secrets",
+      "access_rights":["read"]
+    }
+  ]
+}

compose.api.yml

@@ -0,0 +1,12 @@
+services:
+  app:
+    environment:
+      - API_KEY
+      - API_BOOTSTRAP=1
+    secrets:
+      - api_secret
+
+secrets:
+  api_secret:
+    name: ${STACK_NAME}_api_secret_${SECRET_API_SECRET_VERSION}
+    external: true

compose.bootstrapadmin.yml

@@ -0,0 +1,11 @@
+services:
+  app:
+    environment:
+      - ADMIN_BOOTSTRAP_PWHASH=1
+    secrets:
+      - admin_pwhash
+
+secrets:
+  admin_pwhash:
+    name: ${STACK_NAME}_admin_pwhash_${SECRET_ADMIN_PWHASH_VERSION}
+    external: true

compose.nextcloud.yml

@@ -0,0 +1,9 @@
+services:
+  app:
+    secrets:
+      - nextcloud_sec
+
+secrets:
+  nextcloud_sec:
+    name: ${STACK_NAME}_nextcloud_sec_${SECRET_NEXTCLOUD_SEC_VERSION}
+    external: true

compose.smtp.yml

@@ -1,6 +1,3 @@
----
-version: "3.13"
-
 services:
   app:
     environment:
@@ -8,7 +5,9 @@ services:
       - SMTP_ENABLED
       - SMTP_FROM
       - SMTP_URL
+      - SMTP_PORT
       - SMTP_USERNAME
+      - SMTP_STARTTLS_ONLY
     secrets:
       - smtp_password
 

compose.yml

@@ -1,9 +1,6 @@
----
-version: "3.13"
-
 services:
   app:
-    image: ghcr.io/sebadob/rauthy:0.31.3
+    image: ghcr.io/sebadob/rauthy:0.35.2
     environment:
       - ADMIN_EMAIL
       - ADMIN_FORCE_MFA
@@ -14,7 +11,8 @@ services:
       - source: config_toml
         target: /app/config.toml
     secrets:
-      - enc_keys
+      - enc_keys_a
+      - enc_keys_b
       - hql_api
       - hql_raft
     volumes:
@@ -30,7 +28,11 @@ services:
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "coop-cloud.${STACK_NAME}.version=0.3.1+0.31.3"
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.scheme=https"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.permanent=true"
+        - "coop-cloud.${STACK_NAME}.version=2.0.0+0.35.2"
+        - "backupbot.backup=${ENABLE_BACKUPS:-true}"
 
 networks:
   proxy:
@@ -43,8 +45,11 @@ configs:
     template_driver: golang
 
 secrets:
-  enc_keys:
-    name: ${STACK_NAME}_enc_keys_${SECRET_ENC_KEYS_VERSION}
+  enc_keys_a:
+    name: ${STACK_NAME}_enc_keys_a_${SECRET_ENC_KEYS_A_VERSION}
+    external: true
+  enc_keys_b:
+    name: ${STACK_NAME}_enc_keys_b_${SECRET_ENC_KEYS_B_VERSION}
     external: true
   hql_raft:
     name: ${STACK_NAME}_hql_raft_${SECRET_HQL_RAFT_VERSION}

config.toml.tmpl

@@ -3,6 +3,10 @@
 
 [bootstrap]
 admin_email = '{{ env "ADMIN_EMAIL" }}'
+{{ if eq (env "ADMIN_BOOTSTRAP_PWHASH") "1" }}pasword_argon2id = '{{ secret "admin_pwhash" }}'
+{{ end }}{{ if eq (env "API_BOOTSTRAP") "1" }}api_key = '{{ env "API_BASE64_ACCESS_RIGHTS" }}'
+api_key_secret = '{{ secret "api_secret" }}'
+{{ end }}
 
 [cluster]
 node_id = 1
@@ -17,6 +21,7 @@ smtp_url = '{{ env "SMTP_URL" }}'
 smtp_username = '{{ env "SMTP_USERNAME" }}'
 smtp_password = '{{ secret "smtp_password" }}'
 smtp_from = '{{ env "SMTP_FROM" }}'
+starttls_only = {{ or (env "SMTP_STARTTLS_ONLY") "false" }}
 {{ end }}
 
 [logging]
@@ -24,7 +29,8 @@ level = '{{ env "LOG_LEVEL" }}'
 
 [encryption]
 keys = [
-  '{{ secret "enc_keys" }}'
+  '{{ env "SECRET_ENC_KEYS_A_VERSION" }}/{{ secret "enc_keys_a" }}',
+  '{{ env "SECRET_ENC_KEYS_B_VERSION" }}/{{ secret "enc_keys_b" }}'
 ]
 key_active = '{{ env "ENC_KEY_ACTIVE" }}'
 

release/1.0.0+0.32.3

@@ -0,0 +1,22 @@
+WARNING! ⚠️
+This release supports encryption key rotation, which unfortunately requires some migration steps:
+
+1. Obtain your old encryption key (enc_keys) if you backed it up. If not, you can extract your current encryption key from the config file. This is pretty advanced and can only be done from the server itself:
+
+   docker secret list  # to obtain the secret's full name
+   docker service create --name temp-reader --secret <secret-name> --mode replicated-job alpine:latest sh -c "cat /run/secrets/<secret-name>" && docker service logs --raw temp-reader && echo && docker service rm temp-reader
+
+NOTE: the enc_keys secret has the format `<key_id>/<key_value>`; we'll refer to those two parts as $KEY_ID and $KEY_VALUE from here on.
+
+2. Add these lines to your config, overwriting the existing SECRET_ENC_KEYS_VERSION and ENC_KEY_ACTIVE values:
+
+    SECRET_ENC_KEYS_A_VERSION=$KEY_ID # generated=false
+    SECRET_ENC_KEYS_B_VERSION=b1 # generated=false
+    ENC_KEY_ACTIVE="$KEY_ID"
+
+3. Set key_a and generate key_b:
+
+    abra app secret insert $STACK_NAME enc_keys_a $KEY_ID "<your-existing-secret>" -C
+    abra app secret insert $STACK_NAME enc_keys_b b1 "$(openssl rand -base64 32)" -C
+
+Then you can deploy :)

release/1.2.0+0.34.3

@@ -0,0 +1,11 @@
+`backup-bot-2` is now officially supported with `ENABLE_BACKUPS=true` by
+default. Please see https://git.coopcloud.tech/coop-cloud/rauthy/pulls/14.
+
+This recipe release bundles 4 Rauthy upgrades:
+
+* https://github.com/sebadob/rauthy/releases/tag/v0.33.4
+* https://github.com/sebadob/rauthy/releases/tag/v0.34.0
+* https://github.com/sebadob/rauthy/releases/tag/v0.34.1
+* https://github.com/sebadob/rauthy/releases/tag/v0.34.2
+
+All changes: https://git.coopcloud.tech/coop-cloud/rauthy/compare/1.2.0+0.34.3...1.1.0+0.33.1

release/2.0.0+0.35.2

@@ -0,0 +1,7 @@
+Breaking: The Rauthy issuer URL now has a trailing slash (`https://rauthy.example.com/auth/v1/`). Most clients will pick this up automatically on restart, but clients with the issuer URL configured manually will need it updated to include the trailing slash.
+See https://github.com/sebadob/rauthy/releases/tag/v0.35.0
+
+* Updated Rauthy to 0.35.2
+* Added bootstrapping admin password and API key
+* Added abra.sh functions for creating clients, groups and roles with the Rauthy API
+* Documentation and example for Nextcloud integration

renovate.json

@@ -0,0 +1,6 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended"
+  ]
+}