default config sets POST_DEPLOY_CMDS, so that admin pass will get initialized

This reverts commit e07d57718a871dc0178e3e4047f017cc55d71d97.

.drone.yml

@@ -30,6 +30,7 @@ steps:
       SECRET_ADMIN_TOKEN_VERSION: v1
       SECRET_ADMIN_PASS_VERSION: v1
       SECRET_EMAIL_PASS_VERSION: v1
+      DB_ENTRYPOINT_VERSION: v1
 trigger:
   branch:
     - main

.env.sample

@@ -1,6 +1,7 @@
 TYPE=authentik
 TIMEOUT=900
 ENABLE_AUTO_UPDATE=true
+POST_DEPLOY_CMDS="worker set_admin_pass"
 # POST_DEPLOY_CMDS="worker set_admin_pass|worker apply_blueprints|worker add_applications"
 LETS_ENCRYPT_ENV=production
 
@@ -17,6 +18,9 @@ AUTHENTIK_LOG_LEVEL=info
 ## Outpost Integration
 # COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.yml"
 
+## ADMIN
+AUTHENTIK_BOOTSTRAP_EMAIL=admin@example.com
+
 ## EMAIL
 AUTHENTIK_EMAIL__HOST=smtp
 AUTHENTIK_EMAIL__PORT=587
@@ -34,7 +38,6 @@ SECRET_ADMIN_PASS_VERSION=v1
 SECRET_EMAIL_PASS_VERSION=v1
 
 # X_FRAME_OPTIONS_ALLOW_FROM=dashboard.example.org
-AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
 
 ## FLOW OPTIONS
 # WELCOME_MESSAGE="Welcome to Authentik"
@@ -47,6 +50,12 @@ COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
 COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/"
 COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 
+# Default CSS customisation, just background colour
+COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
+AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
+# Custommise the entire custom CSS file
+#COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
+
 # COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
 # NEXTCLOUD_DOMAIN=nextcloud.example.com
 # SECRET_NEXTCLOUD_ID_VERSION=v1
@@ -62,6 +71,7 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
 # ELEMENT_DOMAIN=element-web.example.com
+# MATRIX_DOMAIN=matrix-synapse.example.com
 # SECRET_MATRIX_ID_VERSION=v1
 # SECRET_MATRIX_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS matrix:~/.abra/recipes/authentik/icons/matrix.svg"
@@ -88,13 +98,17 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 # KIMAI_DOMAIN=kimai.example.com
 # SECRET_KIMAI_ID_VERSION=v1
 # SECRET_KIMAI_SECRET_VERSION=v1
-# APP_ICONS="$APP_ICONS kimai:~/.abra/recipes/authentik/icons/kimai.png"
+# APP_ICONS="$APP_ICONS kimai:~/.abra/recipes/authentik/icons/kimai_logo.png"
+
+# COMPOSE_FILE="$COMPOSE_FILE:compose.zammad.yml"
+# ZAMMAD_DOMAIN=zammad.example.com
+# APP_ICONS="$APP_ICONS zammad:~/.abra/recipes/authentik/icons/zammad.svg"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.monitoring.yml"
 # MONITORING_DOMAIN=monitoring.example.com
 # SECRET_MONITORING_ID_VERSION=v1
 # SECRET_MONITORING_SECRET_VERSION=v1
-# APP_ICONS="$APP_ICONS monitoring:~/.abra/recipes/authentik/icons/monitoring.png"
+# APP_ICONS="$APP_ICONS monitoring:~/.abra/recipes/authentik/icons/monitoring.svg"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.rallly.yml"
 # RALLLY_DOMAIN=rallly.example.com
@@ -110,4 +124,4 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 
 # APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "BBB": "https://nextcloud.example.com/apps/bbb/"}'
 # APP_ICONS="$APP_ICONS Calendar:~/.abra/recipes/authentik/icons/calendar.svg"
-# APP_ICONS="$APP_ICONS BBB:~/.abra/recipes/authentik/icons/bbb.jpg"
+# APP_ICONS="$APP_ICONS BBB:~/.abra/recipes/authentik/icons/bbb.png"

abra.sh

@@ -12,9 +12,10 @@ export WEKAN_CONFIG_VERSION=v3
 export VIKUNJA_CONFIG_VERSION=v1
 export OUTLINE_CONFIG_VERSION=v2
 export KIMAI_CONFIG_VERSION=v1
+export ZAMMAD_CONFIG_VERSION=v1
 export RALLLY_CONFIG_VERSION=v2
 export HEDGEDOC_CONFIG_VERSION=v1
-export MONITORING_CONFIG_VERSION=v1
+export MONITORING_CONFIG_VERSION=v2
 export DB_ENTRYPOINT_VERSION=v1
 
 customize() {
@@ -56,15 +57,19 @@ with open('/tmp/$1', newline='') as file:
     email = row[2].strip()
     groups = row[3].split(';')
     if User.objects.filter(username=username):
+        print(f'{username} already exists')
         continue
     new_user = User.objects.create(name=name, username=username, email=email)
+    print(f'{username} created')
     for group_name in groups:
         group_name = group_name.strip()
         if Group.objects.filter(name=group_name):
             group = Group.objects.get(name=group_name)
         else:
             group = Group.objects.create(name=group_name)
+            print(f'{group_name} created')
         group.users.add(new_user)
+        print(f'add {username} to group {group_name}')
 """ 2>&1 | quieten
 }
 
@@ -172,7 +177,9 @@ for name, url in applications.items():
 
 
 quieten(){
-    grep -v -e '{"event"' -e '{"action"'
+    # 'SyntaxWarning|version_regex|"http\['
+    # is a workaround to get rid of some verbose syntax warnings, this might be fixed with another version
+    grep -Pv '"level": "(info|debug)"|SyntaxWarning|version_regex|"http\[|RuntimeWarning:'
 }
 
 add_email_templates(){
@@ -223,3 +230,22 @@ Brand.objects.filter(default=True).delete()
 """ 2>&1 | quieten
 apply_blueprints
 }
+
+get_certificate() {
+/manage.py shell -c """
+provider_name='$1'
+if not provider_name:
+    print('no Provider Name given')
+    exit(1)
+provider = Provider.objects.filter(name=provider_name).first()
+saml = provider.samlprovider
+cert = saml.signing_kp
+print(''.join(cert.certificate_data.splitlines()[1:-1]))
+""" 2>&1 | quieten
+}
+
+get_user_uid() {
+/manage.py shell -c """
+print(User.objects.filter(username='$1').first().uid)
+""" 2>&1 | quieten
+}

alaconnect.yml

@@ -0,0 +1,89 @@
+nextcloud:
+    uncomment:
+        - compose.nextcloud.yml
+        - NEXTCLOUD_DOMAIN
+        - SECRET_NEXTCLOUD_ID_VERSION
+        - SECRET_NEXTCLOUD_SECRET_VERSION
+        - nextcloud.png
+wordpress:
+    uncomment:
+        - compose.wordpress.yml
+        - WORDPRESS_DOMAIN
+        - WORDPRESS_GROUP
+        - SECRET_WORDPRESS_ID_VERSION
+        - SECRET_WORDPRESS_SECRET_VERSION
+        - wordpress.png
+matrix-synapse:
+    uncomment:
+        - compose.matrix.yml
+        - ELEMENT_DOMAIN
+        - MATRIX_DOMAIN
+        - SECRET_MATRIX_ID_VERSION
+        - SECRET_MATRIX_SECRET_VERSION
+        - matrix.svg
+    secrets:
+        matrix_id: matrix
+wekan:
+    uncomment:
+        - compose.wekan.yml
+        - WEKAN_DOMAIN
+        - SECRET_WEKAN_ID_VERSION
+        - SECRET_WEKAN_SECRET_VERSION
+        - wekan.png
+    secrets:
+        wekan_id: wekan
+vikunja:
+    uncomment:
+        - compose.vikunja.yml
+        - VIKUNJA_DOMAIN
+        - SECRET_VIKUNJA_ID_VERSION
+        - SECRET_VIKUNJA_SECRET_VERSION
+        - vikunja.svg
+    secrets:
+        vikunja_id: vikunja
+kimai:
+    uncomment:
+        - compose.kimai.yml
+        - KIMAI_DOMAIN
+        - SECRET_KIMAI_ID_VERSION
+        - SECRET_KIMAI_SECRET_VERSION
+        - kimai_logo.png
+zammad:
+    uncomment:
+        - compose.zammad.yml
+        - ZAMMAD_DOMAIN
+        - zammad.svg
+monitoring-ng:
+    uncomment:
+        - compose.monitoring.yml
+        - MONITORING_DOMAIN
+        - SECRET_MONITORING_ID_VERSION
+        - SECRET_MONITORING_SECRET_VERSION
+        - monitoring.png
+outline:
+    uncomment:
+        - compose.outline.yml
+        - OUTLINE_DOMAIN
+        - SECRET_OUTLINE_ID_VERSION
+        - SECRET_OUTLINE_SECRET_VERSION
+        - outline.png
+    secrets:
+        outline_id: outline
+rallly:
+    uncomment:  
+        - compose.rallly.yml
+        - RALLLY_DOMAIN
+        - SECRET_RALLLY_ID_VERSION
+        - SECRET_RALLLY_SECRET_VERSION
+        - rallly.png
+    secrets:
+        rallly_id: rallly
+hedgedoc:
+    uncomment:  
+        - compose.hedgedoc.yml
+        - HEDGEDOC_DOMAIN
+        - SECRET_HEDGEDOC_ID_VERSION
+        - SECRET_HEDGEDOC_SECRET_VERSION
+        - hedgedoc.png
+    secrets:
+        hedgedoc_id: hedgedoc

compose.css.yml

@@ -0,0 +1,14 @@
+---
+version: '3.8'
+
+services:
+  app:
+    configs: 
+      - source: custom_css
+        target: /web/dist/custom.css
+
+configs:
+  custom_css:
+    name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION}
+    file: custom.css.tmpl
+    template_driver: golang

compose.matrix.yml

@@ -1,5 +1,11 @@
 version: "3.8"
 services:
+  app:
+    deploy:
+      labels:
+        - "traefik.http.routers.${STACK_NAME}.middlewares=redirect-matrix-well-known"
+        - "traefik.http.middlewares.redirect-matrix-well-known.redirectregex.regex=^https://(.*)/.well-known/matrix/(.*)"
+        - "traefik.http.middlewares.redirect-matrix-well-known.redirectregex.replacement=https://${MATRIX_DOMAIN}/.well-known/matrix/$$2"
   worker:
     secrets:
       - matrix_id

compose.yml

@@ -21,6 +21,7 @@ x-env: &env
     - AUTHENTIK_COLOR_BACKGROUND_LIGHT
     - AUTHENTIK_FOOTER_LINKS
     - AUTHENTIK_IMPERSONATION
+    - AUTHENTIK_BOOTSTRAP_EMAIL
     - WELCOME_MESSAGE
     - DEFAULT_LANGUAGE
     - EMAIL_SUBJECT
@@ -32,7 +33,7 @@ x-env: &env
 version: '3.8'
 services:
   app:
-    image: ghcr.io/goauthentik/server:2024.2.3
+    image: ghcr.io/goauthentik/server:2024.6.3
     command: server
     depends_on:
       - db
@@ -47,23 +48,17 @@ services:
       - media:/media
       - assets:/web/dist/assets
       - templates:/templates
-    configs:
-      - source: custom_css
-        target: /web/dist/custom.css
     networks:
       - internal
       - proxy
     healthcheck:
-      test: "bash -c 'printf \"GET / HTTP/1.1\n\n\" > /dev/tcp/127.0.0.1/9000; exit $$?;'"
+      test: "ak healthcheck"
       interval: 30s
-      timeout: 10s
+      timeout: 30s
       retries: 10
       start_period: 5m
     environment: *env
     deploy:
-      update_config:
-        failure_action: rollback
-        order: start-first
       labels:
         - "traefik.enable=true"
         - "traefik.docker.network=proxy"
@@ -76,11 +71,11 @@ services:
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
-        - "coop-cloud.${STACK_NAME}.version=5.1.2+2024.2.3"
+        - "coop-cloud.${STACK_NAME}.version=6.5.0+2024.6.3"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
 
   worker:
-    image: ghcr.io/goauthentik/server:2024.2.3
+    image: ghcr.io/goauthentik/server:2024.6.3
     command: worker
     depends_on:
       - db
@@ -95,10 +90,10 @@ services:
       - internal
       - proxy
     volumes:
-      - backups:/backups
       - media:/media
       - /dev/null:/blueprints/default/flow-oobe.yaml
       - templates:/templates
+      - certs:/certs
     configs:
       - source: flow_recovery
         target: /blueprints/1_flow_recovery.yaml
@@ -113,9 +108,15 @@ services:
       - source: flow_invalidation
         target: /blueprints/6_flow_invalidation.yaml
     environment: *env
+    healthcheck:
+      test: "ak healthcheck"
+      interval: 30s
+      timeout: 30s
+      retries: 10
+      start_period: 5m
 
   db:
-    image: postgres:15.5
+    image: postgres:15.7
     secrets:
       - db_password
     configs:
@@ -143,10 +144,13 @@ services:
           backupbot.backup: "true"
           backupbot.backup.pre-hook: "PGPASSWORD=$$(cat /run/secrets/db_password) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql"
           backupbot.backup.post-hook: "rm -rf /var/lib/postgresql/data/backup.sql"
-          backupbot.backup.path: "/var/lib/postgresql/data"
+          backupbot.backup.volumes.database.path: "backup.sql"
+          backupbot.backup.volumes.redis: "false"
+          backupbot.restore.post-hook: 'psql -U authentik -d postgres -c "DROP DATABASE authentik WITH (FORCE);" && createdb -U authentik authentik && psql -U authentik -d authentik -f /var/lib/postgresql/data/backup.sql'
 
   redis:
-    image:  redis:7.2.4-alpine
+    image:  redis:7.4.0-alpine
+    command: --save 60 1 --loglevel warning
     networks:
       - internal
     healthcheck:
@@ -155,6 +159,8 @@ services:
       timeout: 10s
       retries: 10
       start_period: 1m
+    volumes:
+        - redis:/data
 
 secrets:
   db_password:
@@ -179,17 +185,14 @@ networks:
   internal:
 
 volumes:
-  backups:
   media:
+  certs:
+  redis:
   templates:
   assets:
   database:
 
 configs:
-  custom_css:
-    name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION}
-    file: custom.css.tmpl
-    template_driver: golang
   flow_authentication:
     name: ${STACK_NAME}_flow_authentication_${FLOW_AUTHENTICATION_VERSION}
     file: flow_authentication.yaml.tmpl

compose.zammad.yml

@@ -0,0 +1,14 @@
+version: "3.8"
+services:
+  worker:
+    environment:
+      - ZAMMAD_DOMAIN
+    configs:
+      - source: zammad
+        target: /blueprints/zammad.yaml
+
+configs:
+  zammad:
+    name: ${STACK_NAME}_zammad_${ZAMMAD_CONFIG_VERSION}
+    file: zammad.yaml.tmpl
+    template_driver: golang

icons/zammad.svg

@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg width="126px" height="108px" viewBox="0 0 42 36" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:sketch="http://www.bohemiancoding.com/sketch/ns">
+    <!-- Generator: Sketch 3.3.2 (12043) - http://www.bohemiancoding.com/sketch -->
+    <title>logo</title>
+    <desc>Created with Sketch.</desc>
+    <defs/>
+    <g id="Page-1" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd" sketch:type="MSPage">
+        <g id="logo" sketch:type="MSArtboardGroup">
+            <g sketch:type="MSLayerGroup" transform="translate(1.000000, 0.000000)" id="Shape">
+                <path d="M27.3375,12.6 L36.72,9.72 L31.1625,13.2525 L27.3375,12.6 Z" fill="#CA2317" sketch:type="MSShapeGroup"/>
+                <path d="M33.0525,19.62 L31.1625,13.2525 L36.72,9.72 L35.055,15.435 L33.0525,19.62 Z" fill="#E84F83" sketch:type="MSShapeGroup"/>
+                <path d="M39.465,7.9875 L38.43,9.72 L35.055,15.435 L36.72,9.72 L39.465,7.9875 Z" fill="#CA2317" sketch:type="MSShapeGroup"/>
+                <path d="M39.8025,9.1125 L37.1925,11.79 L38.43,9.72 L39.8025,9.1125 Z" fill="#E54011" sketch:type="MSShapeGroup"/>
+                <path d="M27.9,10.8225 L35.5725,10.0575 L30.24,11.7 L27.9,10.8225 Z" fill="#E54011" sketch:type="MSShapeGroup"/>
+                <path d="M28.1925,15.165 L31.1625,13.2525 L33.0525,19.62 L32.0625,21.645 L28.1925,15.165 Z" fill="#CA2317" sketch:type="MSShapeGroup"/>
+                <path d="M23.76,22.725 L22.3425,5.4 L32.0625,21.645 L23.76,22.725 Z" fill="#B7DFF2" sketch:type="MSShapeGroup"/>
+                <path d="M19.7325,27.1575 L23.76,22.725 L32.0625,21.645 L19.7325,27.1575 Z" fill="#E54011" sketch:type="MSShapeGroup"/>
+                <path d="M0.1575,35.865 L19.7325,27.1575 L23.76,22.725 L17.37,22.0725 L0.1575,35.865 Z" fill="#FFCE33" sketch:type="MSShapeGroup"/>
+                <path d="M0.9,28.755 L10.9575,27.225 L14.085,24.705 L12.555,24.03 L0.9,28.755 Z" fill="#D6B12D" sketch:type="MSShapeGroup"/>
+                <path d="M4.5225,20.5425 L14.085,24.705 L17.37,22.0725 L4.5225,20.5425 Z" fill="#FFDE85" sketch:type="MSShapeGroup"/>
+                <path d="M21.6225,11.6775 L20.4075,11.88 L17.37,22.0725 L20.655,20.0025 L21.6225,11.6775 Z" fill="#009EC6" sketch:type="MSShapeGroup"/>
+                <path d="M23.4,18.2475 L20.655,20.0025 L22.3425,5.4 L23.4,18.2475 Z" fill="#5EAFCE" sketch:type="MSShapeGroup"/>
+                <path d="M13.0275,13.05 L21.6225,11.6775 L22.005,8.28 L13.0275,13.05 Z" fill="#045972" sketch:type="MSShapeGroup"/>
+                <path d="M12.105,5.085 L19.575,9.585 L22.005,8.28 L22.0725,7.8075 L12.105,5.085 Z" fill="#5A8591" sketch:type="MSShapeGroup"/>
+                <path d="M13.5675,0.18 L20.3625,7.335 L22.0725,7.8075 L22.3425,5.4 L13.5675,0.18 Z" fill="#009EC6" sketch:type="MSShapeGroup"/>
+                <path d="M17.37,22.0725 L23.4,18.2475 L23.76,22.725 L17.37,22.0725 Z" fill="#F39804" sketch:type="MSShapeGroup"/>
+            </g>
+        </g>
+    </g>
+</svg>

monitoring.yaml.tmpl

@@ -25,7 +25,7 @@ entries:
   conditions: []
   id: monitoring_provider
   identifiers:
-    pk: 9994
+    pk: 9990
   model: authentik_providers_oauth2.oauth2provider
   state: present
 

release/6.0.0+2024.4.0

@@ -0,0 +1 @@
+Alerta! ⚠️ If you are using AUTHENTIK_COLOR_BACKGROUND_LIGHT, you will need to set COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"

release/6.1.0+2024.4.2

@@ -0,0 +1 @@
+Blueprint for Kimai SSO integration added

zammad.yaml.tmpl

@@ -0,0 +1,67 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: zammad
+
+entries:
+- attrs:
+    expression: return request.user.name
+    managed: null
+    name: 'Zammad SAML Mapping: name'
+    saml_name: name
+  conditions: []
+  identifiers:
+    name: zammad_name_mapping
+  id: zammad_name_mapping
+  model: authentik_providers_saml.samlpropertymapping
+  state: present
+
+- attrs:
+    expression: return request.user.email
+    managed: null
+    name: 'Zammad SAML Mapping: email'
+    saml_name: email
+  conditions: []
+  identifiers:
+    name: zammad_email_mapping
+  id: zammad_email_mapping
+  model: authentik_providers_saml.samlpropertymapping
+  state: present
+
+- attrs:
+    acs_url: https://{{ env  "ZAMMAD_DOMAIN" }}/auth/saml/callback
+    assertion_valid_not_before: minutes=-5
+    assertion_valid_not_on_or_after: minutes=5
+    audience: https://{{ env  "ZAMMAD_DOMAIN" }}/auth/saml/metadata
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
+    issuer: https://{{ env  "ZAMMAD_DOMAIN" }}/auth/saml/metadata
+    name: zammad
+    property_mappings:
+    - !KeyOf zammad_name_mapping
+    - !KeyOf zammad_email_mapping
+    session_valid_not_on_or_after: minutes=86400
+    signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
+    signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+    sp_binding: post
+  conditions: []
+  id: zammad_provider
+  identifiers:
+    pk: 9989
+  model: authentik_providers_saml.samlprovider
+  state: present
+
+- attrs:
+    meta_launch_url: https://{{ env  "ZAMMAD_DOMAIN" }}
+    open_in_new_tab: true
+    policy_engine_mode: any
+    provider: !KeyOf zammad_provider
+    slug: zammad
+  conditions: []
+  id: zammad_application
+  identifiers:
+    name: Zammad
+  model: authentik_core.application
+  state: present