chore: publish 1.0.0+2022.10.1 release

.env.sample

@@ -2,25 +2,17 @@ TYPE=authentik
 LETS_ENCRYPT_ENV=production
 
 DOMAIN={{ .Domain }}
-POSTGRES_PASSWORD=secret
-AUTHENTIK_POSTGRESQL__PASSWORD=secret
-POSTGRES_USER=authentik
 AUTHENTIK_POSTGRESQL__USER=authentik
-POSTGRES_DB=authentik
 AUTHENTIK_POSTGRESQL__NAME=authentik
 AUTHENTIK_POSTGRESQL__HOST=db
 AUTHENTIK_REDIS__HOST=redis
 AUTHENTIK_ERROR_REPORTING__ENABLED=true
 # WORKERS=1
-AUTHENTIK_SECRET_KEY=secret
-AK_ADMIN_TOKEN=secret
-AK_ADMIN_PASS=secret
 
 # EMAIL
 AUTHENTIK_EMAIL__HOST=smtp
 AUTHENTIK_EMAIL__PORT=25
 # AUTHENTIK_EMAIL__USERNAME=""
-# AUTHENTIK_EMAIL__PASSWORD=""
 AUTHENTIK_EMAIL__USE_TLS=false
 AUTHENTIK_EMAIL__USE_SSL=false
 AUTHENTIK_EMAIL__TIMEOUT=10
@@ -28,9 +20,11 @@ AUTHENTIK_EMAIL__FROM=noreply@example.com
 AUTHENTIK_LOG_LEVEL=info
 
 # Secret Versions
-# SECRET_SECRET_KEY_VERSION=v1
+SECRET_SECRET_KEY_VERSION=v1
-# SECRET_ADMIN_TOKEN_VERSION=v1
+SECRET_DB_PASSWORD_VERSION=V1
-# SECRET_ADMIN_PASS_VERSION=v1
+SECRET_ADMIN_TOKEN_VERSION=v1
+SECRET_ADMIN_PASS_VERSION=v1
+SECRET_EMAIL_PASS_VERSION=v1
 
 # X_FRAME_OPTIONS_ALLOW_FROM=dashboard.example.org
 AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21

README.md

@@ -22,7 +22,20 @@
 
 * `abra app new authentik --secrets`
 * `abra app config <app-name>`
+* `abra app secret insert <app_name> email_pass v1 <password>`
+* `abra app secret generate -a <app_name>
 * `abra app deploy <app-name>`
+* `abra app cmd <app_name> app set_admin_pass`
+
+## Rotate Secrets
+
+```
+abra app secret generate -a <app_name>
+abra app undeploy <app_name>
+abra app deploy <app_name>
+abra app cmd <app_name> db rotate_db_pass
+abra app cmd <app_name> app set_admin_pass
+```
 
 ## Customization
 

abra.sh

@@ -25,3 +25,35 @@ customize() {
         abra app cp $APP_NAME $1/icon.png app:/web/dist/assets/icons/
     fi
 }
+
+set_admin_pass() {
+password=$(cat /run/secrets/admin_pass)
+token=$(cat /run/secrets/admin_token)
+/manage.py shell -c """
+akadmin = User.objects.get(username='akadmin')
+akadmin.set_password('$password')
+akadmin.save()
+print('Changed akadmin password')
+
+from authentik.core.models import TokenIntents
+key='$token'
+if (token:= Token.objects.filter(identifier='authentik-bootstrap-token').first()):
+    token.key=key
+    token.save()
+    print('Changed authentik-bootstrap-token')
+else: 
+    Token.objects.create(
+        identifier='authentik-bootstrap-token',
+        user=akadmin,
+        intent=TokenIntents.INTENT_API,
+        expiring=False,
+        key=key,
+    )
+    print('Created authentik-bootstrap-token')
+"""
+}
+
+rotate_db_pass() {
+    db_password=$(cat /run/secrets/db_password)
+    psql -U authentik -c """ALTER USER authentik WITH PASSWORD '$db_password';"""
+}

blueprints/email-recovery.yaml

@@ -0,0 +1,158 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: Example - Recovery with email verification
+entries:
+  - identifiers:
+      slug: default-recovery-flow
+    id: flow
+    model: authentik_flows.flow
+    attrs:
+      name: Default recovery flow
+      title: Reset your password
+      designation: recovery
+  - identifiers:
+      field_key: password
+      label: Password
+    id: prompt-field-password
+    model: authentik_stages_prompt.prompt
+    attrs:
+      type: password
+      required: true
+      placeholder: Password
+      order: 0
+      placeholder_expression: false
+  - identifiers:
+      field_key: password_repeat
+      label: Password (repeat)
+    id: prompt-field-password-repeat
+    model: authentik_stages_prompt.prompt
+    attrs:
+      type: password
+      required: true
+      placeholder: Password (repeat)
+      order: 1
+      placeholder_expression: false
+  - identifiers:
+      name: default-recovery-skip-if-restored
+    id: default-recovery-skip-if-restored
+    model: authentik_policies_expression.expressionpolicy
+    attrs:
+      expression: |
+        return request.context.get('is_restored', False)
+  - identifiers:
+      name: default-recovery-email
+    id: default-recovery-email
+    model: authentik_stages_email.emailstage
+    attrs:
+      use_global_settings: true
+      host: localhost
+      port: 25
+      username: ""
+      use_tls: false
+      use_ssl: false
+      timeout: 10
+      from_address: system@authentik.local
+      token_expiry: 30
+      subject: authentik
+      template: email/password_reset.html
+      activate_user_on_success: true
+  - identifiers:
+      name: default-recovery-user-write
+    id: default-recovery-user-write
+    model: authentik_stages_user_write.userwritestage
+  - identifiers:
+      name: default-recovery-identification
+    id: default-recovery-identification
+    model: authentik_stages_identification.identificationstage
+    attrs:
+      user_fields:
+        - email
+        - username
+  - identifiers:
+      name: default-recovery-user-login
+    id: default-recovery-user-login
+    model: authentik_stages_user_login.userloginstage
+    attrs:
+      session_duration: seconds=0
+  - identifiers:
+      name: Change your password
+    id: stages-prompt-password
+    model: authentik_stages_prompt.promptstage
+    attrs:
+      fields:
+        - !KeyOf prompt-field-password
+        - !KeyOf prompt-field-password-repeat
+      validation_policies: []
+  - identifiers:
+      target: !KeyOf flow
+      stage: !KeyOf default-recovery-identification
+      order: 10
+    model: authentik_flows.flowstagebinding
+    id: flow-binding-identification
+    attrs:
+      evaluate_on_plan: true
+      re_evaluate_policies: true
+      policy_engine_mode: any
+      invalid_response_action: retry
+  - identifiers:
+      target: !KeyOf flow
+      stage: !KeyOf default-recovery-email
+      order: 20
+    model: authentik_flows.flowstagebinding
+    id: flow-binding-email
+    attrs:
+      evaluate_on_plan: true
+      re_evaluate_policies: true
+      policy_engine_mode: any
+      invalid_response_action: retry
+  - identifiers:
+      pk: 1219d06e-2c06-4c5b-a162-78e3959c6cf0
+      target: !KeyOf flow
+      stage: !KeyOf stages-prompt-password
+      order: 30
+    model: authentik_flows.flowstagebinding
+    attrs:
+      evaluate_on_plan: true
+      re_evaluate_policies: false
+      policy_engine_mode: any
+      invalid_response_action: retry
+  - identifiers:
+      target: !KeyOf flow
+      stage: !KeyOf default-recovery-user-write
+      order: 40
+    model: authentik_flows.flowstagebinding
+    attrs:
+      evaluate_on_plan: true
+      re_evaluate_policies: false
+      policy_engine_mode: any
+      invalid_response_action: retry
+  - identifiers:
+      target: !KeyOf flow
+      stage: !KeyOf default-recovery-user-login
+      order: 100
+    model: authentik_flows.flowstagebinding
+    attrs:
+      evaluate_on_plan: true
+      re_evaluate_policies: false
+      policy_engine_mode: any
+      invalid_response_action: retry
+  - identifiers:
+      policy: !KeyOf default-recovery-skip-if-restored
+      target: !KeyOf flow-binding-identification
+      order: 0
+    model: authentik_policies.policybinding
+    attrs:
+      negate: false
+      enabled: true
+      timeout: 30
+  - identifiers:
+      policy: !KeyOf default-recovery-skip-if-restored
+      target: !KeyOf flow-binding-email
+      order: 0
+    model: authentik_policies.policybinding
+    attrs:
+      negate: false
+      enabled: true
+      timeout: 30

blueprints/invitation-enrollment.yaml

@@ -0,0 +1,151 @@
+context: {}
+entries:
+- attrs:
+    compatibility_mode: true
+    denied_action: message_continue
+    designation: enrollment
+    layout: stacked
+    name: Willkommen zur Heimatbund Cloud!
+    policy_engine_mode: any
+    title: Willkommen zur Heimatbund Cloud!
+  id: null
+  identifiers:
+    pk: 235f1d35-302e-426f-8875-bb75c40e8a96
+    slug: invitation-enrollment
+  model: authentik_flows.flow
+- attrs:
+    field_key: password
+    label: Passwort
+    order: 300
+    placeholder: Passwort
+    required: true
+    type: password
+  id: null
+  identifiers:
+    pk: 872c7220-0c42-4cef-b21c-9896820d86a3
+  model: authentik_stages_prompt.prompt
+- attrs:
+    field_key: username
+    label: Benutzername
+    order: 0
+    placeholder: Benutzername
+    required: true
+    type: username
+  id: null
+  identifiers:
+    pk: 8c7cca12-afd7-42f9-92b2-df06d29bc0b5
+  model: authentik_stages_prompt.prompt
+- attrs:
+    field_key: name
+    label: Vor- und Nachname
+    order: 0
+    placeholder: Name
+    required: true
+    type: text
+  id: null
+  identifiers:
+    pk: 52777e44-cbe7-4187-abc3-7f44327e4577
+  model: authentik_stages_prompt.prompt
+- attrs:
+    field_key: password_repeat
+    label: Passwort (wiederholung)
+    order: 301
+    placeholder: Passwort (wiederholung)
+    required: true
+    type: password
+  id: null
+  identifiers:
+    pk: 4c6820c2-711d-4450-b977-70d225c6cbd1
+  model: authentik_stages_prompt.prompt
+- attrs:
+    field_key: email
+    label: Email
+    order: 1
+    placeholder: Email
+    required: true
+    type: email
+  id: null
+  identifiers:
+    pk: 0fd026ab-228a-4aff-adde-e566f1dcee6a
+  model: authentik_stages_prompt.prompt
+
+- attrs:
+    fields:
+    - 872c7220-0c42-4cef-b21c-9896820d86a3
+    - 8c7cca12-afd7-42f9-92b2-df06d29bc0b5
+    - 52777e44-cbe7-4187-abc3-7f44327e4577
+    - 4c6820c2-711d-4450-b977-70d225c6cbd1
+    - 0fd026ab-228a-4aff-adde-e566f1dcee6a
+  id: null
+  identifiers:
+    name: default-enrollment-prompt-first
+    pk: b96f518c-6313-4091-8b52-20dd7557e868
+  model: authentik_stages_prompt.promptstage
+- attrs: {}
+  id: null
+  identifiers:
+    name: invitation
+    pk: 9780069a-0f1d-4f0f-b7c4-4592a9cdb333
+  model: authentik_stages_invitation.invitationstage
+- attrs: {}
+  id: null
+  identifiers:
+    name: default-enrollment-user-write
+    pk: 21667fc4-05b2-4b2f-8861-c8b40a6331b1
+  model: authentik_stages_user_write.userwritestage
+- attrs:
+    session_duration: seconds=0
+  id: null
+  identifiers:
+    name: default-enrollment-user-login
+    pk: 6cdec92f-cd1f-40b1-b808-d6a5d50877ed
+  model: authentik_stages_user_login.userloginstage
+- attrs:
+    evaluate_on_plan: true
+    invalid_response_action: retry
+    policy_engine_mode: any
+  id: null
+  identifiers:
+    order: 1
+    pk: eac283e8-2342-405e-a592-72b950f307c0
+    stage: 9780069a-0f1d-4f0f-b7c4-4592a9cdb333
+    target: 235f1d35-302e-426f-8875-bb75c40e8a96
+  model: authentik_flows.flowstagebinding
+- attrs:
+    evaluate_on_plan: true
+    invalid_response_action: retry
+    policy_engine_mode: any
+  id: null
+  identifiers:
+    order: 10
+    pk: 56276785-e6f5-42c7-9201-e63ec44281aa
+    stage: b96f518c-6313-4091-8b52-20dd7557e868
+    target: 235f1d35-302e-426f-8875-bb75c40e8a96
+  model: authentik_flows.flowstagebinding
+- attrs:
+    evaluate_on_plan: true
+    invalid_response_action: retry
+    policy_engine_mode: any
+  id: null
+  identifiers:
+    order: 20
+    pk: 471de0f4-3e03-4bc8-873d-689860dc9efb
+    stage: 21667fc4-05b2-4b2f-8861-c8b40a6331b1
+    target: 235f1d35-302e-426f-8875-bb75c40e8a96
+  model: authentik_flows.flowstagebinding
+- attrs:
+    evaluate_on_plan: true
+    invalid_response_action: retry
+    policy_engine_mode: any
+  id: null
+  identifiers:
+    order: 100
+    pk: 58903955-e33a-4d9a-b882-edd93f4261f9
+    stage: 6cdec92f-cd1f-40b1-b808-d6a5d50877ed
+    target: 235f1d35-302e-426f-8875-bb75c40e8a96
+  model: authentik_flows.flowstagebinding
+metadata:
+  labels:
+    blueprints.goauthentik.io/generated: 'true'
+  name: authentik Export - 2022-10-19 12:52:52.154491+00:00
+version: 1

compose.yml

@@ -1,19 +1,17 @@
 ---
 
 x-env: &env
-    - AUTHENTIK_POSTGRESQL__PASSWORD
+    - AUTHENTIK_POSTGRESQL__PASSWORD=file:///run/secrets/db_password
     - AUTHENTIK_POSTGRESQL__USER
     - AUTHENTIK_POSTGRESQL__NAME
     - AUTHENTIK_POSTGRESQL__HOST
     - AUTHENTIK_REDIS__HOST
     - AUTHENTIK_ERROR_REPORTING__ENABLED
-    - AUTHENTIK_SECRET_KEY= #file:///run/secrets/secret_key
+    - AUTHENTIK_SECRET_KEY=file:///run/secrets/secret_key
-    - AK_ADMIN_TOKEN= #file:///run/secrets/admin_token
-    - AK_ADMIN_PASS= #file:///run/secrets/admin_pass
     - AUTHENTIK_EMAIL__HOST
     - AUTHENTIK_EMAIL__PORT
     - AUTHENTIK_EMAIL__USERNAME
-    - AUTHENTIK_EMAIL__PASSWORD
+    - AUTHENTIK_EMAIL__PASSWORD=file:///run/secrets/email_pass
     - AUTHENTIK_EMAIL__USE_TLS
     - AUTHENTIK_EMAIL__USE_SSL
     - AUTHENTIK_EMAIL__TIMEOUT
@@ -31,11 +29,12 @@ services:
   app:
     image: ghcr.io/goauthentik/server:2022.10.1
     command: server
-    # secrets:
+    secrets:
-    #   - db_password
+      - db_password
-    #   - admin_pass
+      - admin_pass
-    #   - admin_token
+      - admin_token
-    #   - secret_key
+      - secret_key
+      - email_pass
     volumes:
       - media:/media
       - custom-templates:/templates
@@ -70,16 +69,17 @@ services:
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
-        - "coop-cloud.${STACK_NAME}.version=0.6.0+2022.10.1"
+        - "coop-cloud.${STACK_NAME}.version=1.0.0+2022.10.1"
 
   worker:
     image: ghcr.io/goauthentik/server:2022.10.1
     command: worker
-    # secrets:
+    secrets:
-      # - db_password
+      - db_password
-      # - admin_pass
+      - admin_pass
-      # - admin_token
+      - admin_token
-      # - secret_key
+      - secret_key
+      - email_pass
     networks:
       - internal
       - proxy
@@ -97,8 +97,8 @@ services:
 
   db:
     image: postgres:12.12-alpine
-    # secrets:
+    secrets:
-      # - db_password
+      - db_password
     volumes:
       - database:/var/lib/postgresql/data
     networks:
@@ -110,13 +110,13 @@ services:
       retries: 10
       start_period: 1m
     environment:
-      - POSTGRES_PASSWORD
+      - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
-      - POSTGRES_USER
+      - POSTGRES_USER=${AUTHENTIK_POSTGRESQL__USER}
-      - POSTGRES_DB
+      - POSTGRES_DB=${AUTHENTIK_POSTGRESQL__NAME}
     deploy:
       labels:
           backupbot.backup: "true"
-          backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=${POSTGRES_PASSWORD} pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > /tmp/backup/backup.sql"
+          backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=$(cat /run/secrets/db_password) pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > /tmp/backup/backup.sql"
           backupbot.backup.post-hook: "rm -rf /tmp/backup"
           backupbot.backup.path: "/tmp/backup/"
 
@@ -131,19 +131,22 @@ services:
       retries: 10
       start_period: 1m
 
-# secrets:
+secrets:
-  # db_password:
+  db_password:
-  #   external: true
+    external: true
-  #   name: ${STACK_NAME}_db_password
+    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
-  # secret_key:
+  secret_key:
-  #   external: true
+    external: true
-  #   name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
+    name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
-  # admin_token:
+  admin_token:
-  #   external: true
+    external: true
-  #   name: ${STACK_NAME}_admin_token_${SECRET_ADMIN_TOKEN_VERSION}
+    name: ${STACK_NAME}_admin_token_${SECRET_ADMIN_TOKEN_VERSION}
-  # admin_pass:
+  admin_pass:
-  #   external: true
+    external: true
-  #   name: ${STACK_NAME}_admin_pass_${SECRET_ADMIN_PASS_VERSION}
+    name: ${STACK_NAME}_admin_pass_${SECRET_ADMIN_PASS_VERSION}
+  email_pass:
+    external: true
+    name: ${STACK_NAME}_email_pass_${SECRET_EMAIL_PASS_VERSION}
 
 networks:
   proxy:

releases/1.0.0+2022.10.1

@@ -0,0 +1,15 @@
+This upgrade replaces the passwords stored in env variables by docker secrets.
+You need to insert the following passwords as secret:
+
+`POSTGRES_PASSWORD` / `AUTHENTIK_POSTGRESQL__PASSWORD`:
+    `abra app secret insert <app_name> db_password v1 <password>`
+`AUTHENTIK_SECRET_KEY`:
+    `abra app secret insert <app_name> secret_key v1 <password>`
+`AK_ADMIN_TOKEN`:
+    `abra app secret insert <app_name> admin_token v1 <password>`
+`AK_ADMIN_PASS`:
+    `abra app secret insert <app_name> admin_pass v1 <password>`
+`AUTHENTIK_EMAIL__PASSWORD`:
+    `abra app secret insert <app_name> email_pass v1 <password>`
+
+These variables should be removed from the .env file.