forked from caprover/one-click-apps
-
Notifications
You must be signed in to change notification settings - Fork 1
/
caprover-authentik.yml
199 lines (180 loc) · 8.26 KB
/
caprover-authentik.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
---
captainVersion: 4
services:
# Server
$$cap_appname:
image: $$cap_authentik_image:$$cap_authentik_tag
restart: unless-stopped
command: ['dumb-init', '--', 'ak', 'server']
environment:
AUTHENTIK_BOOTSTRAP_PASSWORD: $$cap_authentik_password
AUTHENTIK_BOOTSTRAP_TOKEN: $$cap_authentik_token
AUTHENTIK_BOOTSTRAP_EMAIL: $$cap_authentik_email
AUTHENTIK_SECRET_KEY: $$cap_secret_key
AUTHENTIK_REDIS__HOST: srv-captain--$$cap_appname-redis
#AUTHENTIK_REDIS__PORT:
#AUTHENTIK_REDIS__DB:
#AUTHENTIK_REDIS__PASSWORD:
AUTHENTIK_POSTGRESQL__HOST: srv-captain--$$cap_appname-postgres
AUTHENTIK_POSTGRESQL__USER: $$cap_pg_user
AUTHENTIK_POSTGRESQL__NAME: $$cap_pg_db
AUTHENTIK_POSTGRESQL__PASSWORD: $$cap_pg_pass
# SMTP Host Emails are sent to
#AUTHENTIK_EMAIL__HOST:
#AUTHENTIK_EMAIL__PORT:
# Optionally authenticate (don't add quotation marks to your password)
#AUTHENTIK_EMAIL__USERNAME:
#AUTHENTIK_EMAIL__PASSWORD:
# Use StartTLS
#AUTHENTIK_EMAIL__USE_TLS:
# Use SSL
#AUTHENTIK_EMAIL__USE_SSL:
#AUTHENTIK_EMAIL__TIMEOUT:
# Email address authentik will send from, should have a correct @domain
#AUTHENTIK_EMAIL__FROM:
# volumes:
# - $$cap_appname-media:/media
# - $$cap_appname-custom-templates:/templates
depends_on:
- $$cap_appname-postgres
- $$cap_appname-redis
- $$cap_appname-worker
caproverExtra:
containerHttpPort: '9000'
websocketSupport: 'true'
# Worker
$$cap_appname-worker:
image: $$cap_authentik_image:$$cap_authentik_tag
restart: unless-stopped
command: ['dumb-init', '--', 'ak', 'worker']
environment:
AUTHENTIK_BOOTSTRAP_PASSWORD: $$cap_authentik_password
AUTHENTIK_BOOTSTRAP_TOKEN: $$cap_authentik_token
AUTHENTIK_BOOTSTRAP_EMAIL: $$cap_authentik_email
AUTHENTIK_SECRET_KEY: $$cap_secret_key
AUTHENTIK_REDIS__HOST: srv-captain--$$cap_appname-redis
#AUTHENTIK_REDIS__PORT:
#AUTHENTIK_REDIS__DB:
#AUTHENTIK_REDIS__PASSWORD:
AUTHENTIK_POSTGRESQL__HOST: srv-captain--$$cap_appname-postgres
AUTHENTIK_POSTGRESQL__USER: $$cap_pg_user
AUTHENTIK_POSTGRESQL__NAME: $$cap_pg_db
AUTHENTIK_POSTGRESQL__PASSWORD: $$cap_pg_pass
# SMTP Host Emails are sent to
#AUTHENTIK_EMAIL__HOST:
#AUTHENTIK_EMAIL__PORT:
# Optionally authenticate (don't add quotation marks to your password)
#AUTHENTIK_EMAIL__USERNAME:
#AUTHENTIK_EMAIL__PASSWORD:
# Use StartTLS
#AUTHENTIK_EMAIL__USE_TLS:
# Use SSL
#AUTHENTIK_EMAIL__USE_SSL:
#AUTHENTIK_EMAIL__TIMEOUT:
# Email address authentik will send from, should have a correct @domain
#AUTHENTIK_EMAIL__FROM:
# `user: root` and the docker socket volume are optional.
# See more for the docker socket integration here:
# https://goauthentik.io/docs/outposts/integrations/docker
# Removing `user: root` also prevents the worker from fixing the permissions
# on the mounted folders, so when removing this make sure the folders have the correct UID/GID
# (1000:1000 by default)
user: root #Looks like it doesn't work
volumes:
- /var/run/docker.sock:/var/run/docker.sock
# - $$cap_appname-media:/media
# - $$cap_appname-certs:/certs
# - $$cap_appname-custom-templates:/templates
depends_on:
- $$cap_appname-postgres
- $$cap_appname-redis
caproverExtra:
notExposeAsWebApp: 'true'
# DB
$$cap_appname-postgres:
image: postgres:$$cap_pg_image
volumes:
- $$cap_appname-postgres-data:/var/lib/postgresql/data
restart: always
environment:
POSTGRES_USER: $$cap_pg_user
POSTGRES_PASSWORD: $$cap_pg_pass
POSTGRES_DB: $$cap_pg_db
caproverExtra:
notExposeAsWebApp: 'true'
# Redis
$$cap_appname-redis:
volumes:
- $$cap_appname-redis-data:/data
restart: always
caproverExtra:
dockerfileLines:
- FROM redis:$$cap_redis_version
- CMD exec redis-server --save 60 1 --loglevel warning
notExposeAsWebApp: 'true'
caproverOneClickApp:
displayName: Authentik (by alex-gph1)
description: Open-source authentication and authorization system. Works with CapRover 1.12+
isOfficial: true
documentation: https://docs.goauthentik.io/docs/installation/
instructions:
start: |-
Please note, this app is compatible with CapRover 1.12+.
Authentik will start after the PostgreSQL and Redis services are successfully deployed.
end: |-
Authentik has been successfully deployed. Now wait up to 2-3 mins, before it initializes.
IMPORTANT! To finish the setup and enable access to Authentik at `http://$$cap_appname.$$cap_root_domain`, you need to configure NGINX.
Before proceeding please wait 2 to 3 minutes to let Authentik finalize initialization process.
Copy the configuration from here https://github.com/alex-gph1/one-click-apps/blob/eed06fbaec5cebfafafa7c19778b7446e67efa81/misc/caprover-nginx-authentik.conf
In another browser tab open your new Authentik app in Caprover and click on Edit Default Nginx Configurations. Paste the configuration there instead of the default one.
Click Save & Restart. Now everything should be ready. Login using AKADMIN username and the password you set up earlier.
variables:
- id: $$cap_authentik_image
label: Authentik Image
defaultValue: 'ghcr.io/goauthentik/server'
validRegex: /.{1,}/
- id: $$cap_authentik_tag
label: Authentik Tag
description: Set the tag to use for the Authentik image. View the available tags here https://github.com/goauthentik/authentik/pkgs/container/server
defaultValue: '2024.8.0'
validRegex: /.{1,}/
- id: $$cap_secret_key
label: Authentik Secret Key
description: Secret key used for cookie signing. Changing this will invalidate active sessions.
defaultValue: $$cap_gen_random_hex(80)
validRegex: /.{1,}/
- id: $$cap_authentik_password
label: Authentik Bootstrap Admin Password
description: Configure the default password for the AKADMIN user. Only read on the first startup. Can be used for any flow executor.
defaultValue: $$cap_gen_random_hex(32)
validRegex: /.{1,}/
- id: $$cap_authentik_token
label: Authentik Bootstrap API Token
description: Create a token for the default AKADMIN user. Only read on the first startup. The string you specify for this variable is the token key you can use to authenticate yourself to the API.
defaultValue: $$cap_gen_random_hex(32)
validRegex: /.{1,}/
- id: $$cap_authentik_email
label: Authentik Bootstrap Email
description: Set the email address for the default AKADMIN user.
defaultValue:
validRegex: /^([_a-z0-9]+[\._a-z0-9]*)(\+[a-z0-9]+)?@(([a-z0-9-]+\.)*[a-z]{2,4})$/
- id: $$cap_pg_pass
label: PostgreSQL Password
defaultValue: $$cap_gen_random_hex(40)
validRegex: /^[a-f0-9]{40}$/
- id: $$cap_pg_user
label: PostgreSQL User
defaultValue: 'authentik'
validRegex: /.{1,}/
- id: $$cap_pg_db
label: PostgreSQL Database
defaultValue: 'authentik'
validRegex: /.{1,}/
- id: $$cap_pg_image
label: Postgres Version
defaultValue: '16'
validRegex: /^([0-9]{1,2})$/
- id: $$cap_redis_version
label: Redis Version
defaultValue: '7.4'
validRegex: /.{1,}/