fix nextcloud integration

Reviewed-on: coop-cloud/authentik#8

.drone.yml

@@ -31,6 +31,7 @@ steps:
       SECRET_ADMIN_PASS_VERSION: v1
       SECRET_EMAIL_PASS_VERSION: v1
       DB_ENTRYPOINT_VERSION: v1
+      PG_BACKUP_VERSION: v2
 trigger:
   branch:
     - main

.env.sample

@@ -1,8 +1,10 @@
 TYPE=authentik
 TIMEOUT=900
 ENABLE_AUTO_UPDATE=true
-# POST_DEPLOY_CMDS="worker set_admin_pass|worker apply_blueprints|worker add_applications"
+POST_DEPLOY_CMDS="worker set_admin_pass"
+# Example values for post deploy cmds: "worker set_admin_pass|worker apply_blueprints|worker add_applications"
 LETS_ENCRYPT_ENV=production
+ENABLE_BACKUPS=true
 
 DOMAIN=authentik.example.com
 ## Domain aliases
@@ -16,6 +18,8 @@ AUTHENTIK_LOG_LEVEL=info
 
 ## Outpost Integration
 # COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.yml"
+# COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.ldap.yml"
+# SECRET_LDAP_TOKEN_VERSION=v1
 
 ## ADMIN
 AUTHENTIK_BOOTSTRAP_EMAIL=admin@example.com

README.md

@@ -54,6 +54,14 @@ Set the nextcloud Icon using `abra app cmd -l -d <app_name> set_icons`
 
 The configuration inside Nextcloud can be found in the [nextcloud recipe](https://git.coopcloud.tech/coop-cloud/nextcloud#authentik-integration)
 
+## Add LDAP outpost
+
+- Follow [this official guide](https://docs.goauthentik.io/docs/add-secure-apps/providers/ldap/generic_setup) and skip the LDAP Flow as we don't need it.
+- Copy token under `Applications` -> `Outposts` `-> `View Deployment Info` 
+- Comment in envs for compose.outposts.ldap.yaml and secret version
+- Insert token as secret `abra app secret insert <DOMAIN> ldap_token v1 <TOKEN>`
+- Update deployment -> Outpost should be up and running
+
 ## Import User from CSV
 
 Users can be imported from a CSV file of the following format:

abra.sh

@@ -1,22 +1,23 @@
-export CUSTOM_CSS_VERSION=v2
+export CUSTOM_CSS_VERSION=v3
 export FLOW_AUTHENTICATION_VERSION=v4
 export FLOW_INVITATION_VERSION=v2
 export FLOW_INVALIDATION_VERSION=v2
 export FLOW_RECOVERY_VERSION=v1
 export FLOW_TRANSLATION_VERSION=v3
 export SYSTEM_BRAND_VERSION=v4
-export NEXTCLOUD_CONFIG_VERSION=v1
-export WORDPRESS_CONFIG_VERSION=v2
-export MATRIX_CONFIG_VERSION=v1
-export WEKAN_CONFIG_VERSION=v3
-export VIKUNJA_CONFIG_VERSION=v1
-export OUTLINE_CONFIG_VERSION=v2
-export KIMAI_CONFIG_VERSION=v1
-export ZAMMAD_CONFIG_VERSION=v1
-export RALLLY_CONFIG_VERSION=v2
-export HEDGEDOC_CONFIG_VERSION=v1
-export MONITORING_CONFIG_VERSION=v2
+export NEXTCLOUD_CONFIG_VERSION=v2
+export WORDPRESS_CONFIG_VERSION=v3
+export MATRIX_CONFIG_VERSION=v2
+export WEKAN_CONFIG_VERSION=v4
+export VIKUNJA_CONFIG_VERSION=v2
+export OUTLINE_CONFIG_VERSION=v3
+export KIMAI_CONFIG_VERSION=v2
+export ZAMMAD_CONFIG_VERSION=v3
+export RALLLY_CONFIG_VERSION=v3
+export HEDGEDOC_CONFIG_VERSION=v2
+export MONITORING_CONFIG_VERSION=v3
 export DB_ENTRYPOINT_VERSION=v1
+export PG_BACKUP_VERSION=v2
 
 customize() {
     if [ -z "$1" ]

compose.matrix.yml

@@ -3,9 +3,9 @@ services:
   app:
     deploy:
       labels:
-        - "traefik.http.routers.${STACK_NAME}.middlewares=redirect-matrix-well-known"
-        - "traefik.http.middlewares.redirect-matrix-well-known.redirectregex.regex=^https://(.*)/.well-known/matrix/(.*)"
-        - "traefik.http.middlewares.redirect-matrix-well-known.redirectregex.replacement=https://${MATRIX_DOMAIN}/.well-known/matrix/$$2"
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect-matrix-well-known"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.regex=^https://(.*)/.well-known/matrix/(.*)"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.replacement=https://${MATRIX_DOMAIN}/.well-known/matrix/$$2"
   worker:
     secrets:
       - matrix_id

compose.outposts.ldap.yml

@@ -0,0 +1,23 @@
+version: "3.8"
+services:
+  authentik_ldap:
+      image: ghcr.io/goauthentik/ldap:2024.10.5
+      # Optionally specify which networks the container should be
+      # might be needed to reach the core authentik server
+      networks:
+        - internal
+        - proxy
+      ports:
+        - 389:3389
+        - 636:6636
+      secrets:
+        - ldap_token
+      environment:
+        - AUTHENTIK_HOST=https://${DOMAIN}
+        - AUTHENTIK_INSECURE=true
+        - AUTHENTIK_TOKEN=file:///run/secrets/ldap_token
+
+secrets:
+  ldap_token:
+    external: true
+    name: ${STACK_NAME}_ldap_token_${SECRET_LDAP_TOKEN_VERSION}

compose.yml

@@ -34,7 +34,7 @@ x-env: &env
 version: '3.8'
 services:
   app:
-    image: ghcr.io/goauthentik/server:2024.6.5
+    image: ghcr.io/goauthentik/server:2024.10.5
     command: server
     depends_on:
       - db
@@ -72,11 +72,11 @@ services:
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
-        - "coop-cloud.${STACK_NAME}.version=6.5.2+2024.6.5"
+        - "coop-cloud.${STACK_NAME}.version=6.11.0+2024.10.5"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
 
   worker:
-    image: ghcr.io/goauthentik/server:2024.6.5
+    image: ghcr.io/goauthentik/server:2024.10.5
     command: worker
     depends_on:
       - db
@@ -117,13 +117,16 @@ services:
       start_period: 5m
 
   db:
-    image: postgres:15.7
+    image: postgres:15.8
     secrets:
       - db_password
     configs:
       - source: db_entrypoint
         target: /docker-entrypoint.sh
         mode: 0555
+      - source: pg_backup
+        target: /pg_backup.sh
+        mode: 0555
     entrypoint:
       /docker-entrypoint.sh
     volumes:
@@ -142,15 +145,14 @@ services:
       - POSTGRES_DB=authentik
     deploy:
       labels:
-          backupbot.backup: "true"
-          backupbot.backup.pre-hook: "PGPASSWORD=$$(cat /run/secrets/db_password) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql"
-          backupbot.backup.post-hook: "rm -rf /var/lib/postgresql/data/backup.sql"
+          backupbot.backup: "${ENABLE_BACKUPS:-true}"
+          backupbot.backup.pre-hook: "/pg_backup.sh backup"
           backupbot.backup.volumes.database.path: "backup.sql"
           backupbot.backup.volumes.redis: "false"
-          backupbot.restore.post-hook: 'psql -U authentik -d postgres -c "DROP DATABASE authentik WITH (FORCE);" && createdb -U authentik authentik && psql -U authentik -d authentik -f /var/lib/postgresql/data/backup.sql'
+          backupbot.restore.post-hook: '/pg_backup.sh restore'
 
   redis:
-    image:  redis:7.4.0-alpine
+    image:  redis:7.4.1-alpine
     command: --save 60 1 --loglevel warning
     networks:
       - internal
@@ -222,3 +224,6 @@ configs:
     name: ${STACK_NAME}_db_entrypoint_${DB_ENTRYPOINT_VERSION}
     file: entrypoint.postgres.sh.tmpl
     template_driver: golang
+  pg_backup:
+    name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
+    file: pg_backup.sh

hedgedoc.yaml.tmpl

@@ -8,7 +8,9 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "hedgedoc_id" }}
     client_secret: {{ secret  "hedgedoc_secret" }}
     client_type: confidential

kimai.yaml.tmpl

@@ -12,6 +12,7 @@ entries:
     audience: https://{{ env  "KIMAI_DOMAIN" }}/auth/saml
     authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
     issuer: https://{{ env  "DOMAIN" }}
     name: Kimai
@@ -24,6 +25,7 @@ entries:
     - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Groups"]]
     - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: UPN"]]
     session_valid_not_on_or_after: minutes=86400
+    sign_assertion: true
     signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
     signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
     sp_binding: post
@@ -45,4 +47,4 @@ entries:
   identifiers:
     name: Kimai
   model: authentik_core.application
-  state: present
+  state: present

matrix.yaml.tmpl

@@ -8,7 +8,9 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "matrix_id" }}
     client_secret: {{ secret  "matrix_secret" }}
     client_type: confidential

monitoring.yaml.tmpl

@@ -8,7 +8,9 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "monitoring_id" }}
     client_secret: {{ secret  "monitoring_secret" }}
     client_type: confidential

nextcloud.yaml.tmpl

@@ -20,10 +20,15 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "nextcloud_id" }}
     client_secret: {{ secret  "nextcloud_secret" }}
     client_type: confidential
+    redirect_uris:
+    - url: https://{{ env  "NEXTCLOUD_DOMAIN" }}
+      matching_mode: strict
     include_claims_in_id_token: true
     issuer_mode: per_provider
     name: Nextcloud

outline.yaml.tmpl

@@ -8,7 +8,9 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "outline_id" }}
     client_secret: {{ secret  "outline_secret" }}
     client_type: confidential

pg_backup.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+
+set -e
+
+BACKUP_FILE='/var/lib/postgresql/data/backup.sql'
+
+function backup {
+  export PGPASSWORD=$(cat /run/secrets/db_password)
+  pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE
+}
+
+function restore {
+    cd /var/lib/postgresql/data/
+    restore_config(){
+        # Restore allowed connections
+        cat pg_hba.conf.bak > pg_hba.conf
+        su postgres -c 'pg_ctl reload'
+    }
+    # Don't allow any other connections than local
+    cp pg_hba.conf pg_hba.conf.bak
+    echo "local all all trust" > pg_hba.conf
+    su postgres -c 'pg_ctl reload'
+    trap restore_config EXIT INT TERM
+
+    # Recreate Database
+    psql -U ${POSTGRES_USER} -d postgres -c "DROP DATABASE ${POSTGRES_DB} WITH (FORCE);" 
+    createdb -U ${POSTGRES_USER} ${POSTGRES_DB}
+    psql -U ${POSTGRES_USER} -d ${POSTGRES_DB} -1 -f $BACKUP_FILE
+
+    trap - EXIT INT TERM
+    restore_config
+}
+
+$@

rallly.yaml.tmpl

@@ -8,7 +8,9 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "rallly_id" }}
     client_secret: {{ secret  "rallly_secret" }}
     client_type: confidential

release/6.11.0+2024.10.5

@@ -0,0 +1 @@
+Fix Impersonate Bug

release/6.6.0+2024.8.2

@@ -0,0 +1 @@
+Replaced icon bbb.jpg with icon.png - configs need to be updated when upgrading!

release/6.7.0+2024.8.3

@@ -1,5 +1,3 @@
-Replaced icon bbb.jpg with icon.png - configs need to be updated when upgrading!
-
 Two critical vulnerabilities were closed:
 https://github.com/goauthentik/authentik/security/advisories/GHSA-7jxf-mmg9-9hg7
 https://github.com/goauthentik/authentik/security/advisories/GHSA-8gfm-pr6x-pfh9

vikunja.yaml.tmpl

@@ -8,7 +8,9 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "vikunja_id" }}
     client_secret: {{ secret  "vikunja_secret" }}
     client_type: confidential

wekan.yaml.tmpl

@@ -25,7 +25,9 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "wekan_id" }}
     client_secret: {{ secret  "wekan_secret" }}
     client_type: confidential

wordpress.yaml.tmpl

@@ -8,7 +8,9 @@ entries:
 
 - attrs:
     access_code_validity: minutes=1
+    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     client_id: {{ secret  "wordpress_id" }}
     client_secret: {{ secret  "wordpress_secret" }}
     client_type: confidential

zammad.yaml.tmpl

@@ -36,6 +36,7 @@ entries:
     audience: https://{{ env  "ZAMMAD_DOMAIN" }}/auth/saml/metadata
     authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
     authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
     digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
     issuer: https://{{ env  "ZAMMAD_DOMAIN" }}/auth/saml/metadata
     name: zammad
@@ -43,6 +44,7 @@ entries:
     - !KeyOf zammad_name_mapping
     - !KeyOf zammad_email_mapping
     session_valid_not_on_or_after: minutes=86400
+    sign_assertion: true
     signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
     signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
     sp_binding: post
@@ -54,7 +56,7 @@ entries:
   state: present
 
 - attrs:
-    meta_launch_url: https://{{ env  "ZAMMAD_DOMAIN" }}
+    meta_launch_url: ""
     open_in_new_tab: true
     policy_engine_mode: any
     provider: !KeyOf zammad_provider