Compare commits

..

1 Commits

Author SHA1 Message Date
63e8cffa5e general way to copy assets using env variables 2022-11-16 16:15:00 +01:00
6 changed files with 66 additions and 124 deletions

View File

@ -1,18 +1,26 @@
TYPE=authentik TYPE=authentik
LETS_ENCRYPT_ENV=production LETS_ENCRYPT_ENV=production
DOMAIN=authentik.example.com DOMAIN={{ .Domain }}
POSTGRES_PASSWORD=secret
AUTHENTIK_POSTGRESQL__PASSWORD=secret
POSTGRES_USER=authentik
AUTHENTIK_POSTGRESQL__USER=authentik AUTHENTIK_POSTGRESQL__USER=authentik
POSTGRES_DB=authentik
AUTHENTIK_POSTGRESQL__NAME=authentik AUTHENTIK_POSTGRESQL__NAME=authentik
AUTHENTIK_POSTGRESQL__HOST=db AUTHENTIK_POSTGRESQL__HOST=db
AUTHENTIK_REDIS__HOST=redis AUTHENTIK_REDIS__HOST=redis
AUTHENTIK_ERROR_REPORTING__ENABLED=true AUTHENTIK_ERROR_REPORTING__ENABLED=true
# WORKERS=1 # WORKERS=1
AUTHENTIK_SECRET_KEY=secret
AK_ADMIN_TOKEN=secret
AK_ADMIN_PASS=secret
# EMAIL # EMAIL
AUTHENTIK_EMAIL__HOST=smtp AUTHENTIK_EMAIL__HOST=smtp
AUTHENTIK_EMAIL__PORT=25 AUTHENTIK_EMAIL__PORT=25
# AUTHENTIK_EMAIL__USERNAME="" # AUTHENTIK_EMAIL__USERNAME=""
# AUTHENTIK_EMAIL__PASSWORD=""
AUTHENTIK_EMAIL__USE_TLS=false AUTHENTIK_EMAIL__USE_TLS=false
AUTHENTIK_EMAIL__USE_SSL=false AUTHENTIK_EMAIL__USE_SSL=false
AUTHENTIK_EMAIL__TIMEOUT=10 AUTHENTIK_EMAIL__TIMEOUT=10
@ -20,11 +28,9 @@ AUTHENTIK_EMAIL__FROM=noreply@example.com
AUTHENTIK_LOG_LEVEL=info AUTHENTIK_LOG_LEVEL=info
# Secret Versions # Secret Versions
SECRET_SECRET_KEY_VERSION=v1 # SECRET_SECRET_KEY_VERSION=v1
SECRET_DB_PASSWORD_VERSION=v1 # SECRET_ADMIN_TOKEN_VERSION=v1
SECRET_ADMIN_TOKEN_VERSION=v1 # SECRET_ADMIN_PASS_VERSION=v1
SECRET_ADMIN_PASS_VERSION=v1
SECRET_EMAIL_PASS_VERSION=v1
# X_FRAME_OPTIONS_ALLOW_FROM=dashboard.example.org # X_FRAME_OPTIONS_ALLOW_FROM=dashboard.example.org
AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21 AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
@ -33,3 +39,4 @@ AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
WELCOME_MESSAGE="Welcome to Authentik" WELCOME_MESSAGE="Welcome to Authentik"
DEFAULT_LANGUAGE=en DEFAULT_LANGUAGE=en
AUTHENTIK_FOOTER_LINKS='[{"name": "My Organization","href":"https://example.com"}]' AUTHENTIK_FOOTER_LINKS='[{"name": "My Organization","href":"https://example.com"}]'
COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/ icon_left_brand.svg|app:/web/dist/assets/icons/ icon.png|app:/web/dist/assets/icons/"

View File

@ -22,20 +22,7 @@
* `abra app new authentik --secrets` * `abra app new authentik --secrets`
* `abra app config <app-name>` * `abra app config <app-name>`
* `abra app secret insert <app_name> email_pass v1 <password>`
* `abra app secret generate -a <app_name>
* `abra app deploy <app-name>` * `abra app deploy <app-name>`
* `abra app cmd <app_name> app set_admin_pass`
## Rotate Secrets
```
abra app secret generate -a <app_name>
abra app undeploy <app_name>
abra app deploy <app_name>
abra app cmd <app_name> db rotate_db_pass
abra app cmd <app_name> app set_admin_pass
```
## Customization ## Customization

56
abra.sh
View File

@ -1,5 +1,6 @@
export CUSTOM_CSS_VERSION=v2 export CUSTOM_CSS_VERSION=v2
export CUSTOM_FLOWS_VERSION=v2 export CUSTOM_FLOWS_VERSION=v2
export RECOVERY_TEMPLATE_DE_VERSION=v1
customize() { customize() {
if [ -z "$1" ] if [ -z "$1" ]
@ -7,52 +8,11 @@ customize() {
echo "Usage: ... customize <assets_path>" echo "Usage: ... customize <assets_path>"
exit 1 exit 1
fi fi
# TODO: use env to specify source and target files asset_dir=$1
if [ -e $1/flow_background.jpg ] for asset in $COPY_ASSETS; do
then source=$(echo $asset | cut -d "|" -f1)
echo copy flow_background.jpg target=$(echo $asset | cut -d "|" -f2)
abra app cp $APP_NAME $1/flow_background.jpg app:/web/dist/assets/images/ echo copy $source to $target
fi abra app cp $APP_NAME $asset_dir/$source $target
if [ -e $1/icon_left_brand.svg ] done
then
echo copy icon_left_brand.svg
abra app cp $APP_NAME $1/icon_left_brand.svg app:/web/dist/assets/icons/
fi
if [ -e $1/icon.png ]
then
echo copy icon.png
abra app cp $APP_NAME $1/icon.png app:/web/dist/assets/icons/
fi
}
set_admin_pass() {
password=$(cat /run/secrets/admin_pass)
token=$(cat /run/secrets/admin_token)
/manage.py shell -c """
akadmin = User.objects.get(username='akadmin')
akadmin.set_password('$password')
akadmin.save()
print('Changed akadmin password')
from authentik.core.models import TokenIntents
key='$token'
if (token:= Token.objects.filter(identifier='authentik-bootstrap-token').first()):
token.key=key
token.save()
print('Changed authentik-bootstrap-token')
else:
Token.objects.create(
identifier='authentik-bootstrap-token',
user=akadmin,
intent=TokenIntents.INTENT_API,
expiring=False,
key=key,
)
print('Created authentik-bootstrap-token')
"""
}
rotate_db_pass() {
db_password=$(cat /run/secrets/db_password)
psql -U authentik -c """ALTER USER authentik WITH PASSWORD '$db_password';"""
} }

View File

@ -1,17 +1,19 @@
--- ---
x-env: &env x-env: &env
- AUTHENTIK_POSTGRESQL__PASSWORD=file:///run/secrets/db_password - AUTHENTIK_POSTGRESQL__PASSWORD
- AUTHENTIK_POSTGRESQL__USER - AUTHENTIK_POSTGRESQL__USER
- AUTHENTIK_POSTGRESQL__NAME - AUTHENTIK_POSTGRESQL__NAME
- AUTHENTIK_POSTGRESQL__HOST - AUTHENTIK_POSTGRESQL__HOST
- AUTHENTIK_REDIS__HOST - AUTHENTIK_REDIS__HOST
- AUTHENTIK_ERROR_REPORTING__ENABLED - AUTHENTIK_ERROR_REPORTING__ENABLED
- AUTHENTIK_SECRET_KEY=file:///run/secrets/secret_key - AUTHENTIK_SECRET_KEY= #file:///run/secrets/secret_key
- AK_ADMIN_TOKEN= #file:///run/secrets/admin_token
- AK_ADMIN_PASS= #file:///run/secrets/admin_pass
- AUTHENTIK_EMAIL__HOST - AUTHENTIK_EMAIL__HOST
- AUTHENTIK_EMAIL__PORT - AUTHENTIK_EMAIL__PORT
- AUTHENTIK_EMAIL__USERNAME - AUTHENTIK_EMAIL__USERNAME
- AUTHENTIK_EMAIL__PASSWORD=file:///run/secrets/email_pass - AUTHENTIK_EMAIL__PASSWORD
- AUTHENTIK_EMAIL__USE_TLS - AUTHENTIK_EMAIL__USE_TLS
- AUTHENTIK_EMAIL__USE_SSL - AUTHENTIK_EMAIL__USE_SSL
- AUTHENTIK_EMAIL__TIMEOUT - AUTHENTIK_EMAIL__TIMEOUT
@ -27,20 +29,21 @@ x-env: &env
version: '3.8' version: '3.8'
services: services:
app: app:
image: ghcr.io/goauthentik/server:2022.11.1 image: ghcr.io/goauthentik/server:2022.10.1
command: server command: server
secrets: # secrets:
- db_password # - db_password
- admin_pass # - admin_pass
- admin_token # - admin_token
- secret_key # - secret_key
- email_pass
volumes: volumes:
- media:/media - media:/media
- custom-templates:/templates - custom-templates:/templates
configs: configs:
- source: custom_css - source: custom_css
target: /web/dist/custom.css target: /web/dist/custom.css
- source: recovery_template_de
target: /templates/password_reset_de.html
networks: networks:
- internal - internal
- proxy - proxy
@ -67,17 +70,16 @@ services:
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}" - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
- "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN" - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
- "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}" - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
- "coop-cloud.${STACK_NAME}.version=1.1.1+2022.11.1" - "coop-cloud.${STACK_NAME}.version=0.6.0+2022.10.1"
worker: worker:
image: ghcr.io/goauthentik/server:2022.11.1 image: ghcr.io/goauthentik/server:2022.10.1
command: worker command: worker
secrets: # secrets:
- db_password # - db_password
- admin_pass # - admin_pass
- admin_token # - admin_token
- secret_key # - secret_key
- email_pass
networks: networks:
- internal - internal
- proxy - proxy
@ -94,9 +96,9 @@ services:
environment: *env environment: *env
db: db:
image: postgres:12.13-alpine image: postgres:12.12-alpine
secrets: # secrets:
- db_password # - db_password
volumes: volumes:
- database:/var/lib/postgresql/data - database:/var/lib/postgresql/data
networks: networks:
@ -108,13 +110,13 @@ services:
retries: 10 retries: 10
start_period: 1m start_period: 1m
environment: environment:
- POSTGRES_PASSWORD_FILE=/run/secrets/db_password - POSTGRES_PASSWORD
- POSTGRES_USER=${AUTHENTIK_POSTGRESQL__USER} - POSTGRES_USER
- POSTGRES_DB=${AUTHENTIK_POSTGRESQL__NAME} - POSTGRES_DB
deploy: deploy:
labels: labels:
backupbot.backup: "true" backupbot.backup: "true"
backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=$(cat /run/secrets/db_password) pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > /tmp/backup/backup.sql" backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=${POSTGRES_PASSWORD} pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > /tmp/backup/backup.sql"
backupbot.backup.post-hook: "rm -rf /tmp/backup" backupbot.backup.post-hook: "rm -rf /tmp/backup"
backupbot.backup.path: "/tmp/backup/" backupbot.backup.path: "/tmp/backup/"
@ -129,22 +131,19 @@ services:
retries: 10 retries: 10
start_period: 1m start_period: 1m
secrets: # secrets:
db_password: # db_password:
external: true # external: true
name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION} # name: ${STACK_NAME}_db_password
secret_key: # secret_key:
external: true # external: true
name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION} # name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
admin_token: # admin_token:
external: true # external: true
name: ${STACK_NAME}_admin_token_${SECRET_ADMIN_TOKEN_VERSION} # name: ${STACK_NAME}_admin_token_${SECRET_ADMIN_TOKEN_VERSION}
admin_pass: # admin_pass:
external: true # external: true
name: ${STACK_NAME}_admin_pass_${SECRET_ADMIN_PASS_VERSION} # name: ${STACK_NAME}_admin_pass_${SECRET_ADMIN_PASS_VERSION}
email_pass:
external: true
name: ${STACK_NAME}_email_pass_${SECRET_EMAIL_PASS_VERSION}
networks: networks:
proxy: proxy:
@ -162,6 +161,9 @@ configs:
name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION} name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION}
file: custom.css.tmpl file: custom.css.tmpl
template_driver: golang template_driver: golang
recovery_template_de:
name: ${STACK_NAME}_recovery_template_de_${RECOVERY_TEMPLATE_DE_VERSION}
file: password_reset_de.html
custom_flows: custom_flows:
name: ${STACK_NAME}_custom_flows_${CUSTOM_FLOWS_VERSION} name: ${STACK_NAME}_custom_flows_${CUSTOM_FLOWS_VERSION}
file: custom_flows.yaml.tmpl file: custom_flows.yaml.tmpl

View File

@ -10,6 +10,7 @@ context:
transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Passwort (wiederholen) {{ else }} Password (repeat) {{ end }} transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Passwort (wiederholen) {{ else }} Password (repeat) {{ end }}
transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Benutzername {{ else }} Username {{ end }} transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Benutzername {{ else }} Username {{ end }}
transl_name: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Vor- und Nachname {{ else }} Full name {{ end }} transl_name: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Vor- und Nachname {{ else }} Full name {{ end }}
transl_template_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} password_reset_de.html {{ else }} email/password_reset.html {{ end }}
entries: entries:
######## Email Recovery Flow ######## ######## Email Recovery Flow ########
@ -56,7 +57,7 @@ entries:
use_global_settings: true use_global_settings: true
token_expiry: 30 token_expiry: 30
subject: authentik subject: authentik
template: email/password_reset.html template: !Context transl_template_recovery
activate_user_on_success: true activate_user_on_success: true
- identifiers: - identifiers:
name: default-recovery-user-write name: default-recovery-user-write

View File

@ -1,15 +0,0 @@
This upgrade replaces the passwords stored in env variables by docker secrets.
You need to insert the following passwords as secret:
`POSTGRES_PASSWORD` / `AUTHENTIK_POSTGRESQL__PASSWORD`:
`abra app secret insert <app_name> db_password v1 <password>`
`AUTHENTIK_SECRET_KEY`:
`abra app secret insert <app_name> secret_key v1 <password>`
`AK_ADMIN_TOKEN`:
`abra app secret insert <app_name> admin_token v1 <password>`
`AK_ADMIN_PASS`:
`abra app secret insert <app_name> admin_pass v1 <password>`
`AUTHENTIK_EMAIL__PASSWORD`:
`abra app secret insert <app_name> email_pass v1 <password>`
These variables should be removed from the .env file.