Merge branch 'main' into feature/authentik-integration

feat: integrate authentik
Merge pull request 'chore: Configure Renovate' (#4 ) from renovate/configure into main
2026-05-14 15:41:31 +00:00 · 2026-05-14 12:36:39 -03:00 · 2025-09-14 16:29:35 +00:00 · 2025-09-14 16:27:14 +00:00 · 2025-09-11 18:07:27 -04:00 · 2025-09-11 18:00:49 -04:00
8 changed files with 91 additions and 6 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -7,7 +7,6 @@ steps:
    settings:
      host: swarm-test.autonomic.zone
      stack: writefreely
-      generate_secrets: true
      purge: true
      deploy_key:
        from_secret: drone_ssh_swarm_test
@ -16,11 +15,11 @@ steps:
    environment:
      DOMAIN: writefreely.swarm-test.autonomic.zone
      STACK_NAME: writefreely
+      ASSETS_PATH: /usr/share/writefreely
+      DATA_PATH: /data
      LETS_ENCRYPT_ENV: production
-      CONFIG_WRITEFREELY_VERSION: v1
-      CONFIG_ENTRYPOINT_VERSION: v1
-      SECRET_DB_ROOT_PASSWORD_VERSION: v1
-      SECRET_DB_PASSWORD_VERSION: v1
+      CONFIG_INI_VERSION: v1
+      WRITEFREELY_ENTRYPOINT_VERSION: v1
 trigger:
  branch:
    - main
--- a/.env.sample
+++ b/.env.sample
@ -48,3 +48,12 @@ LETS_ENCRYPT_ENV=production
 #OAUTH_HOST=https://<your domain>/realms/<your realm>/protocol/openid-connect
 #OAUTH_DISPLAY_NAME=Keycloak
 #OAUTH_CLIENT_SECRET_VERSION=v1
+
+## Uncomment to use Authentik. This only works if Keycloak is disabled.
+## See README.md for explanation.
+#AUTHENTIK_ENABLED=1
+#COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
+#OAUTH_HOST=https://<your domain>
+#OAUTH_DISPLAY_NAME=Authentik
+#OAUTH_CLIENT_ID_VERSION=v1
+#OAUTH_CLIENT_SECRET_VERSION=v1
--- a/README.md
+++ b/README.md
@ -36,6 +36,44 @@ For the **OAUTH_HOST** config, it uses this format: `https://keycloak.example.co

 To set the client secret: `abra app secret insert <domain> oauth_client_secret v1`

+## Authentik setup
+
+If you've set up Authentik for SSO, you can integrate it into Writefreely by running the following steps:
+
+1. In the Authentik app, uncomment the Writefreely configuration to enable the associated blueprint:
+
+   ```
+   COMPOSE_FILE="$COMPOSE_FILE:compose.writefreely.yml"
+   WRITEFREELY_DOMAIN=writefreely.example.com
+   SECRET_WRITEFREELY_ID_VERSION=v1
+   SECRET_WRITEFREELY_SECRET_VERSION=v1
+   APP_ICONS="writefreely:~/.abra/recipes/authentik/icons/writefreely.png"
+   WRITEFREELY_APPGROUP="$GROUP_DOCUMENTATION"
+    ```
+
+2. Also in Authentik, generate the client id/secret pair.
+
+    ```
+    abra app secret generate <authentik_app_name> writefreely_id v1
+    ```
+
+    ```
+    abra app secret generate <authentik_app_name> writefreely_secret v1
+    ```
+
+3. Uncomment and properly set the configs for Authentik in `abra app config <domain>`.
+
+4. Set the client id/secret that were generated previously, by running:
+
+    ```
+    abra app secret insert <domain> oauth_client_id v1
+    ```
+
+    ```
+    abra app secret insert <domain> oauth_client_secret v1
+    ```
+
+
 ## MariaDB

 By default, this recipe uses sqlite. If you wish to use MariaDB instead:
--- a/compose.authentik.yml
+++ b/compose.authentik.yml
@ -0,0 +1,16 @@
+---
+version: "3.8"
+
+services:
+  app:
+    secrets:
+      - oauth_client_id
+      - oauth_client_secret
+
+secrets:
+  oauth_client_id:
+    external: true
+    name: ${STACK_NAME}_oauth_client_id_${OAUTH_CLIENT_ID_VERSION}
+  oauth_client_secret:
+    external: true
+    name: ${STACK_NAME}_oauth_client_secret_${OAUTH_CLIENT_SECRET_VERSION}
--- a/compose.yml
+++ b/compose.yml
@ -30,7 +30,7 @@ services:
        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.scheme=https"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.permanent=true"
-        - "coop-cloud.${STACK_NAME}.version=0.1.0+latest"
+        - "coop-cloud.${STACK_NAME}.version=1.0.0+v0.16.0"

 volumes:
  local-data:
--- a/config.ini.tmpl
+++ b/config.ini.tmpl
@ -69,4 +69,21 @@ map_user_id        = sub
 map_username       = preferred_username
 map_display_name   =
 map_email          = email
+{{ else if eq (env "AUTHENTIK_ENABLED") "1" }}
+[oauth.generic]
+client_id          = {{ secret "oauth_client_id" }}
+client_secret      = {{ secret "oauth_client_secret" }}
+host               = {{ env "OAUTH_HOST" }}
+display_name       = {{ env "OAUTH_DISPLAY_NAME" }}
+callback_proxy     =
+callback_proxy_api =
+token_endpoint     = /application/o/token/
+inspect_endpoint   = /application/o/userinfo/
+auth_endpoint      = /application/o/authorize/
+scope              = openid profile email
+allow_disconnect   = false
+map_user_id        = sub
+map_username       = preferred_username
+map_display_name   =
+map_email          = email
 {{ end }}
--- a/release/1.0.0+v0.16.0
+++ b/release/1.0.0+v0.16.0
--- a/renovate.json
+++ b/renovate.json
@ -0,0 +1,6 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended"
+  ]
+}
Author	SHA1	Message	Date
luisb	d39892feaa	Merge branch 'main' into feature/authentik-integration	2026-05-14 15:41:31 +00:00
Luis Barrueco	d5d3c1e553	feat: integrate authentik	2026-05-14 12:36:39 -03:00
cyrnel	4661b61938	Merge pull request 'chore: Configure Renovate' (#4 ) from renovate/configure into main Reviewed-on: coop-cloud/writefreely#4	2025-09-14 16:29:35 +00:00
Renovate Bot	e6aa5518c6	Add renovate.json	2025-09-14 16:27:14 +00:00
Mac Chaffee	20d883f772	chore: publish 1.0.0+v0.16.0 release	2025-09-11 18:07:27 -04:00
Mac Chaffee	972cdf6c91	fix: add more envs to drone, remove secret gen	2025-09-11 18:00:49 -04:00
Mac Chaffee	3f1c985dc6	fix: update config versions in .drone.yml	2025-09-11 17:52:07 -04:00
mac-chaffee	fdea96d548	Merge pull request 'feat: use sqlite by default' (#3 ) from default-sqlite into main Reviewed-on: coop-cloud/writefreely#3	2025-09-11 21:46:12 +00:00