general way to copy assets using env variables

.env.sample

@@ -1,18 +1,26 @@
 TYPE=authentik
 LETS_ENCRYPT_ENV=production
 
-DOMAIN=authentik.example.com
+DOMAIN={{ .Domain }}
+POSTGRES_PASSWORD=secret
+AUTHENTIK_POSTGRESQL__PASSWORD=secret
+POSTGRES_USER=authentik
 AUTHENTIK_POSTGRESQL__USER=authentik
+POSTGRES_DB=authentik
 AUTHENTIK_POSTGRESQL__NAME=authentik
 AUTHENTIK_POSTGRESQL__HOST=db
 AUTHENTIK_REDIS__HOST=redis
 AUTHENTIK_ERROR_REPORTING__ENABLED=true
 # WORKERS=1
+AUTHENTIK_SECRET_KEY=secret
+AK_ADMIN_TOKEN=secret
+AK_ADMIN_PASS=secret
 
 # EMAIL
 AUTHENTIK_EMAIL__HOST=smtp
 AUTHENTIK_EMAIL__PORT=25
 # AUTHENTIK_EMAIL__USERNAME=""
+# AUTHENTIK_EMAIL__PASSWORD=""
 AUTHENTIK_EMAIL__USE_TLS=false
 AUTHENTIK_EMAIL__USE_SSL=false
 AUTHENTIK_EMAIL__TIMEOUT=10
@@ -20,11 +28,9 @@ AUTHENTIK_EMAIL__FROM=noreply@example.com
 AUTHENTIK_LOG_LEVEL=info
 
 # Secret Versions
-SECRET_SECRET_KEY_VERSION=v1
+# SECRET_SECRET_KEY_VERSION=v1
-SECRET_DB_PASSWORD_VERSION=v1
+# SECRET_ADMIN_TOKEN_VERSION=v1
-SECRET_ADMIN_TOKEN_VERSION=v1
+# SECRET_ADMIN_PASS_VERSION=v1
-SECRET_ADMIN_PASS_VERSION=v1
-SECRET_EMAIL_PASS_VERSION=v1
 
 # X_FRAME_OPTIONS_ALLOW_FROM=dashboard.example.org
 AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
@@ -33,3 +39,4 @@ AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
 WELCOME_MESSAGE="Welcome to Authentik"
 DEFAULT_LANGUAGE=en
 AUTHENTIK_FOOTER_LINKS='[{"name": "My Organization","href":"https://example.com"}]'
+COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/ icon_left_brand.svg|app:/web/dist/assets/icons/ icon.png|app:/web/dist/assets/icons/"

README.md

@@ -22,20 +22,7 @@
 
 * `abra app new authentik --secrets`
 * `abra app config <app-name>`
-* `abra app secret insert <app_name> email_pass v1 <password>`
-* `abra app secret generate -a <app_name>
 * `abra app deploy <app-name>`
-* `abra app cmd <app_name> app set_admin_pass`
-
-## Rotate Secrets
-
-```
-abra app secret generate -a <app_name>
-abra app undeploy <app_name>
-abra app deploy <app_name>
-abra app cmd <app_name> db rotate_db_pass
-abra app cmd <app_name> app set_admin_pass
-```
 
 ## Customization
 

abra.sh

@@ -1,5 +1,6 @@
 export CUSTOM_CSS_VERSION=v2
 export CUSTOM_FLOWS_VERSION=v2
+export RECOVERY_TEMPLATE_DE_VERSION=v1
 
 customize() {
     if [ -z "$1" ]
@@ -7,52 +8,11 @@ customize() {
             echo "Usage: ... customize <assets_path>"
             exit 1
     fi
-    # TODO: use env to specify source and target files
+    asset_dir=$1
-    if [ -e $1/flow_background.jpg ]
+    for asset in $COPY_ASSETS; do
-    then
+        source=$(echo $asset | cut -d "|" -f1)
-        echo copy flow_background.jpg
+        target=$(echo $asset | cut -d "|" -f2)
-        abra app cp $APP_NAME $1/flow_background.jpg app:/web/dist/assets/images/
+        echo copy $source to $target
-    fi
+        abra app cp $APP_NAME $asset_dir/$source $target
-    if [ -e $1/icon_left_brand.svg ]
+    done
-    then
-        echo copy icon_left_brand.svg
-        abra app cp $APP_NAME $1/icon_left_brand.svg app:/web/dist/assets/icons/
-    fi
-    if [ -e $1/icon.png ]
-    then
-        echo copy icon.png
-        abra app cp $APP_NAME $1/icon.png app:/web/dist/assets/icons/
-    fi
-}
-
-set_admin_pass() {
-password=$(cat /run/secrets/admin_pass)
-token=$(cat /run/secrets/admin_token)
-/manage.py shell -c """
-akadmin = User.objects.get(username='akadmin')
-akadmin.set_password('$password')
-akadmin.save()
-print('Changed akadmin password')
-
-from authentik.core.models import TokenIntents
-key='$token'
-if (token:= Token.objects.filter(identifier='authentik-bootstrap-token').first()):
-    token.key=key
-    token.save()
-    print('Changed authentik-bootstrap-token')
-else: 
-    Token.objects.create(
-        identifier='authentik-bootstrap-token',
-        user=akadmin,
-        intent=TokenIntents.INTENT_API,
-        expiring=False,
-        key=key,
-    )
-    print('Created authentik-bootstrap-token')
-"""
-}
-
-rotate_db_pass() {
-    db_password=$(cat /run/secrets/db_password)
-    psql -U authentik -c """ALTER USER authentik WITH PASSWORD '$db_password';"""
 }

compose.yml

@@ -1,17 +1,19 @@
 ---
 
 x-env: &env
-    - AUTHENTIK_POSTGRESQL__PASSWORD=file:///run/secrets/db_password
+    - AUTHENTIK_POSTGRESQL__PASSWORD
     - AUTHENTIK_POSTGRESQL__USER
     - AUTHENTIK_POSTGRESQL__NAME
     - AUTHENTIK_POSTGRESQL__HOST
     - AUTHENTIK_REDIS__HOST
     - AUTHENTIK_ERROR_REPORTING__ENABLED
-    - AUTHENTIK_SECRET_KEY=file:///run/secrets/secret_key
+    - AUTHENTIK_SECRET_KEY= #file:///run/secrets/secret_key
+    - AK_ADMIN_TOKEN= #file:///run/secrets/admin_token
+    - AK_ADMIN_PASS= #file:///run/secrets/admin_pass
     - AUTHENTIK_EMAIL__HOST
     - AUTHENTIK_EMAIL__PORT
     - AUTHENTIK_EMAIL__USERNAME
-    - AUTHENTIK_EMAIL__PASSWORD=file:///run/secrets/email_pass
+    - AUTHENTIK_EMAIL__PASSWORD
     - AUTHENTIK_EMAIL__USE_TLS
     - AUTHENTIK_EMAIL__USE_SSL
     - AUTHENTIK_EMAIL__TIMEOUT
@@ -27,20 +29,21 @@ x-env: &env
 version: '3.8'
 services:
   app:
-    image: ghcr.io/goauthentik/server:2022.11.1
+    image: ghcr.io/goauthentik/server:2022.10.1
     command: server
-    secrets:
+    # secrets:
-      - db_password
+    #   - db_password
-      - admin_pass
+    #   - admin_pass
-      - admin_token
+    #   - admin_token
-      - secret_key
+    #   - secret_key
-      - email_pass
     volumes:
       - media:/media
       - custom-templates:/templates
     configs:
       - source: custom_css
         target: /web/dist/custom.css
+      - source: recovery_template_de
+        target: /templates/password_reset_de.html
     networks:
       - internal
       - proxy
@@ -67,17 +70,16 @@ services:
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
-        - "coop-cloud.${STACK_NAME}.version=1.1.1+2022.11.1"
+        - "coop-cloud.${STACK_NAME}.version=0.6.0+2022.10.1"
 
   worker:
-    image: ghcr.io/goauthentik/server:2022.11.1
+    image: ghcr.io/goauthentik/server:2022.10.1
     command: worker
-    secrets:
+    # secrets:
-      - db_password
+      # - db_password
-      - admin_pass
+      # - admin_pass
-      - admin_token
+      # - admin_token
-      - secret_key
+      # - secret_key
-      - email_pass
     networks:
       - internal
       - proxy
@@ -94,9 +96,9 @@ services:
     environment: *env
 
   db:
-    image: postgres:12.13-alpine
+    image: postgres:12.12-alpine
-    secrets:
+    # secrets:
-      - db_password
+      # - db_password
     volumes:
       - database:/var/lib/postgresql/data
     networks:
@@ -108,13 +110,13 @@ services:
       retries: 10
       start_period: 1m
     environment:
-      - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
+      - POSTGRES_PASSWORD
-      - POSTGRES_USER=${AUTHENTIK_POSTGRESQL__USER}
+      - POSTGRES_USER
-      - POSTGRES_DB=${AUTHENTIK_POSTGRESQL__NAME}
+      - POSTGRES_DB
     deploy:
       labels:
           backupbot.backup: "true"
-          backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=$(cat /run/secrets/db_password) pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > /tmp/backup/backup.sql"
+          backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=${POSTGRES_PASSWORD} pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > /tmp/backup/backup.sql"
           backupbot.backup.post-hook: "rm -rf /tmp/backup"
           backupbot.backup.path: "/tmp/backup/"
 
@@ -129,22 +131,19 @@ services:
       retries: 10
       start_period: 1m
 
-secrets:
+# secrets:
-  db_password:
+  # db_password:
-    external: true
+  #   external: true
-    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+  #   name: ${STACK_NAME}_db_password
-  secret_key:
+  # secret_key:
-    external: true
+  #   external: true
-    name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
+  #   name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
-  admin_token:
+  # admin_token:
-    external: true
+  #   external: true
-    name: ${STACK_NAME}_admin_token_${SECRET_ADMIN_TOKEN_VERSION}
+  #   name: ${STACK_NAME}_admin_token_${SECRET_ADMIN_TOKEN_VERSION}
-  admin_pass:
+  # admin_pass:
-    external: true
+  #   external: true
-    name: ${STACK_NAME}_admin_pass_${SECRET_ADMIN_PASS_VERSION}
+  #   name: ${STACK_NAME}_admin_pass_${SECRET_ADMIN_PASS_VERSION}
-  email_pass:
-    external: true
-    name: ${STACK_NAME}_email_pass_${SECRET_EMAIL_PASS_VERSION}
 
 networks:
   proxy:
@@ -162,6 +161,9 @@ configs:
     name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION}
     file: custom.css.tmpl
     template_driver: golang
+  recovery_template_de:
+    name: ${STACK_NAME}_recovery_template_de_${RECOVERY_TEMPLATE_DE_VERSION}
+    file: password_reset_de.html
   custom_flows:
     name: ${STACK_NAME}_custom_flows_${CUSTOM_FLOWS_VERSION}
     file: custom_flows.yaml.tmpl

custom_flows.yaml.tmpl

@@ -10,6 +10,7 @@ context:
   transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Passwort (wiederholen) {{ else }} Password (repeat) {{ end }}
   transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Benutzername {{ else }} Username {{ end }}
   transl_name: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} Vor- und Nachname {{ else }} Full name {{ end }}
+  transl_template_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} password_reset_de.html {{ else }} email/password_reset.html {{ end }}
 
 entries:
 ######## Email Recovery Flow ######## 
@@ -56,7 +57,7 @@ entries:
     use_global_settings: true
     token_expiry: 30
     subject: authentik
-    template: email/password_reset.html
+    template: !Context transl_template_recovery
     activate_user_on_success: true
 - identifiers:
     name: default-recovery-user-write

releases/1.0.0+2022.10.1

@@ -1,15 +0,0 @@
-This upgrade replaces the passwords stored in env variables by docker secrets.
-You need to insert the following passwords as secret:
-
-`POSTGRES_PASSWORD` / `AUTHENTIK_POSTGRESQL__PASSWORD`:
-    `abra app secret insert <app_name> db_password v1 <password>`
-`AUTHENTIK_SECRET_KEY`:
-    `abra app secret insert <app_name> secret_key v1 <password>`
-`AK_ADMIN_TOKEN`:
-    `abra app secret insert <app_name> admin_token v1 <password>`
-`AK_ADMIN_PASS`:
-    `abra app secret insert <app_name> admin_pass v1 <password>`
-`AUTHENTIK_EMAIL__PASSWORD`:
-    `abra app secret insert <app_name> email_pass v1 <password>`
-
-These variables should be removed from the .env file.