From 5ccda654597ad106dc9c21aaf69162180dfc163e Mon Sep 17 00:00:00 2001 From: Moritz Date: Wed, 22 Mar 2023 17:47:06 +0100 Subject: [PATCH] feat: authentik autoconfiguration --- .env.sample | 6 +++ README.md | 88 ++++++++++++++++++++++++++++--------------- abra.sh | 38 ++++++++++++++++++- compose.authentik.yml | 14 +++++++ 4 files changed, 114 insertions(+), 32 deletions(-) create mode 100644 compose.authentik.yml diff --git a/.env.sample b/.env.sample index bd1be81..e49be66 100644 --- a/.env.sample +++ b/.env.sample @@ -51,3 +51,9 @@ DEFAULT_QUOTA="10 GB" # OCC_CMDS="app:disable dashboard" # OCC_CMDS="$OCC_CMDS|config:app:set sociallogin auto_create_groups --value 1" # OCC_CMDS="$OCC_CMDS|config:app:set sociallogin hide_default_login --value 1" + +# COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml" +# AUTHENTIK_USER_PREFIX=authentik +# AUTHENTIK_DOMAIN=authentik.example.com +# AUTHENTIK_SECRET_NAME=authentik_example_com_nextcloud_secret_v1 # the same as in authentik +# AUTHENTIK_ID_NAME=authentik_example_com_nextcloud_id_v1 # the same as in authentik diff --git a/README.md b/README.md index ac59618..4ce21f2 100644 --- a/README.md +++ b/README.md 
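Review bot: The trailing comment `# the same as in authentik` on the two new `AUTHENTIK_*_NAME` entries is ambiguous about what these values are: per the new compose.authentik.yml they are the names of Docker swarm secrets that are declared `external: true`, so they are looked up in the swarm, not in Authentik's own configuration. A reader who takes the comment literally may paste an Authentik-side identifier here and get a deploy failure with no hint why. Suggested wording for both lines: `# name of the existing swarm secret (as created when deploying authentik)`.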
@@ -15,34 +15,18 @@ Fully automated luxury Nextcloud via docker-swarm. * **SSO**: 1 (OAuth) -## Basic usage - -1. Set up Docker Swarm and [`abra`] -2. Deploy [`coop-cloud/traefik`] -3. `abra app new nextcloud --secrets` (optionally with `--pass` if you'd like - to save secrets in `pass`) -4. `abra app config YOURAPPDOMAIN` - be sure to change `$DOMAIN` to something that resolves to - your Docker swarm box -5. `abra app deploy YOURAPPDOMAIN` - -## How do I customise the default home page when logging in? - -- Delete the dashboard app since it is so corporate -- Follow [these docs](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/default_files_configuration.html) to set the default files list for each user in the Files app -- Configure a `defaultapp` in your `config.php` or use [apporder](https://apps.nextcloud.com/apps/apporder) - -## Running `occ` - -`abra app cmd YOURAPPDOMAIN app run_occ '"user:list --help"'` - -## Upgrading Nextcloud apps - -`abra app cmd YOURAPPDOMAIN app run_occ '"app:update --all"'` +## Quick start -## Onlyoffice Integrating +* `abra app new nextcloud` +* `abra app config ` +* `abra app secret insert smtp_password v1 ` +* `abra app secret generate -a ` +* `abra app deploy ` -`abra app config ` +### Onlyoffice Integration + +`abra app config ` Configure the following envs: ``` COMPOSE_FILE="$COMPOSE_FILE:compose.apps.yml" @@ -50,12 +34,12 @@ ONLYOFFICE_URL=https://onlyoffice.example.com SECRET_ONLYOFFICE_JWT_VERSION=v1 ``` -`abra app secret insert onlyoffice_jwt v1 ` -`abra app cmd app install_onlyoffice` +`abra app secret insert onlyoffice_jwt v1 ` +`abra app cmd app install_onlyoffice` -## BBB Integrating +### BBB Integration -`abra app config ` +`abra app config ` Configure the following envs: ``` COMPOSE_FILE="$COMPOSE_FILE:compose.apps.yml" 
@@ -63,8 +47,50 @@ BBB_URL=https://talk.example.org/bigbluebutton/ # trailing slash! SECRET_BBB_SECRET_VERSION=v1 ``` -`abra app secret insert bbb_secret v1 ` -`abra app cmd app install_bbb` +`abra app secret insert bbb_secret v1 ` +`abra app cmd app install_bbb` + +### Authentik Integration + + +`abra app config ` +Configure the following envs: +``` +COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml" +AUTHENTIK_USER_PREFIX=authentik +AUTHENTIK_DOMAIN=authentik.example.com +AUTHENTIK_SECRET_NAME=authentik_example_com_nextcloud_secret_v1 # the same as in authentik +AUTHENTIK_ID_NAME=authentik_example_com_nextcloud_id_v1 # the same as in authentik +``` + +`abra app cmd app set_authentik` + +### Disable Dashboard + +Disable dashboard app since it is so corporate: + +`abra app config ` +Configure the following envs: +``` +OCC_CMDS="app:disable dashboard" +``` +`abra app cmd app post_install_occ` + +## Running `occ` + +`abra app cmd app run_occ '"user:list --help"'` + +## Default user files + +- Follow [these docs](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/default_files_configuration.html) to set the default files list for each user in the Files app + +## Default App + +- Configure a `defaultapp` in your `config.php` or use [apporder](https://apps.nextcloud.com/apps/apporder) + +## Upgrading Nextcloud apps + +`abra app cmd app run_occ '"app:update --all"'` ## How do I fix a Nextcloud version snafu? diff --git a/abra.sh b/abra.sh index 11569be..31c14cf 100644 --- a/abra.sh +++ b/abra.sh @@ -32,7 +32,7 @@ set_app_config(){ APP=$1 KEY=$2 VALUE=$3 - run_occ "config:app:set $APP $KEY --value $VALUE" + run_occ "config:app:set $APP $KEY --value '$VALUE'" } install_bbb(){ 
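Review bot: Wrapping `$VALUE` in single quotes in `set_app_config` breaks for any value that itself contains a `'`, and it probably changes what the existing caller `set_default_quota` stores: that caller passes the literal text `"$DEFAULT_QUOTA"` (single-quoted at the call site, visible in the next hunk), so `run_occ` now receives `--value '"$DEFAULT_QUOTA"'`, and if run_occ hands its argument to an inner shell — which the old unquoted form relied on for word splitting — the variable is no longer expanded and the literal string is saved. run_occ is defined outside this hunk, so that part is inferred; please check what it does with its argument. If the single quotes stay, escape embedded quotes before wrapping, e.g. `ESCAPED=$(printf '%s' "$VALUE" | sed "s/'/'\\\\''/g")` followed by `run_occ "config:app:set $APP $KEY --value '$ESCAPED'"`, and change `set_default_quota` to pass `"$DEFAULT_QUOTA"` (double-quoted) so the expansion happens once, in abra.sh.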
@@ -52,3 +52,39 @@ install_onlyoffice(){ set_default_quota(){ set_app_config files default_quota '"$DEFAULT_QUOTA"' } + +set_authentik(){ +install_apps sociallogin +AUTHENTIK_SECRET=$(cat /run/secrets/authentik_secret) +AUTHENTIK_ID=$(cat /run/secrets/authentik_id) +set_app_config sociallogin custom_providers " +{ + \"custom_oidc\":[ + { + \"name\":\"$AUTHENTIK_USER_PREFIX\", + \"title\":\"authentik\", + \"authorizeUrl\": \"https://$AUTHENTIK_DOMAIN/application/o/authorize/\", + \"tokenUrl\": \"https://$AUTHENTIK_DOMAIN/application/o/token/\", + \"displayNameClaim\":\"preferred_username\", + \"userInfoUrl\": \"https://$AUTHENTIK_DOMAIN/application/o/userinfo/\", + \"logoutUrl\": \"https://$AUTHENTIK_DOMAIN/if/session-end/nextcloud/\", + \"clientId\":\"$AUTHENTIK_ID\", + \"clientSecret\":\"$AUTHENTIK_SECRET\", + \"scope\":\"openid profile email nextcloud\", + \"groupsClaim\":\"nextcloud_groups\", + \"style\":\"openid\", + \"defaultGroup\":\"\", + \"groupMapping\": { + \"admin\": \"admin\" + } + } +] +}" + +set_app_config sociallogin update_profile_on_login 1 +set_app_config sociallogin auto_create_groups 1 +set_app_config sociallogin hide_default_login 1 +run_occ 'config:system:set social_login_auto_redirect --value true' +run_occ 'config:system:set allow_user_to_change_display_name --value=false' +run_occ 'config:system:set lost_password_link --value=disabled' +} diff --git a/compose.authentik.yml b/compose.authentik.yml new file mode 100644 index 0000000..a2969b8 --- /dev/null +++ b/compose.authentik.yml @@ -0,0 +1,14 @@ +version: "3.8" +services: + app: + secrets: + - authentik_secret + - authentik_id + +secrets: + authentik_secret: + external: true + name: ${AUTHENTIK_SECRET_NAME} + authentik_id: + external: true + name: ${AUTHENTIK_ID_NAME}
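Review bot: In `set_authentik` the OIDC client secret read from `/run/secrets/authentik_secret` is interpolated unescaped into a JSON document that is then embedded in a shell command string, so a secret containing `"`, `\` or `'` silently corrupts the provider config (or the command), and the whole value — secret included — ends up on the `occ` command line where any process in the container can read it from the process list. At minimum reject problematic secrets before building the string, e.g. `case "$AUTHENTIK_SECRET$AUTHENTIK_ID" in *[\'\"\\]*) echo "authentik secret/id contains a quote or backslash; refusing" >&2; return 1;; esac`; to keep the secret off the command line altogether the config would have to be written to a temp file and loaded with `occ config:import`, which the current `set_app_config` helper cannot do. Two settings deserve a comment because they are security-relevant: `"groupMapping": {"admin": "admin"}` together with `auto_create_groups 1` means any Authentik user whose `nextcloud_groups` claim contains `admin` becomes a Nextcloud administrator, so membership of that Authentik group is the real admin boundary, and `hide_default_login 1` plus `social_login_auto_redirect true` locks everyone out of the local login form whenever Authentik is unreachable — note the bypass the sociallogin app offers (the `noredir=1` login parameter, if this version still honours it) next to those lines. The function body is also written at column 0 inside `set_authentik(){ … }`, unlike the other helpers in this file; indenting it would make the braces readable.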
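Review bot: Both secrets in compose.authentik.yml are declared `external: true`, so `abra app deploy` fails unless swarm secrets named `${AUTHENTIK_SECRET_NAME}` and `${AUTHENTIK_ID_NAME}` already exist, and nothing in this patch creates them or checks for them. A one-line comment above the `secrets:` block would save the next operator a confusing deploy error: `# external: must already exist in the swarm (e.g. from the authentik deployment); deploy fails otherwise`. Since the client id is handled as a secret here, the README could also say that the two names must match those used when the authentik app was deployed.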