From 96540561ec5c85fadfd06d00f300c699ff59abbb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Wed, 19 Apr 2023 12:29:15 +0200 Subject: [PATCH 1/7] Add authentik --- docs/services/authentik.md | 228 +++++++++++++++++++++++++++++++++++++ docs/supported-services.md | 1 + group_vars/mash_servers | 58 ++++++++++ requirements.yml | 3 + setup.yml | 2 + 5 files changed, 292 insertions(+) create mode 100644 docs/services/authentik.md diff --git a/docs/services/authentik.md b/docs/services/authentik.md new file mode 100644 index 0000000..72efa9d --- /dev/null +++ b/docs/services/authentik.md 
@@ -0,0 +1,228 @@ +# Authentik + +[authentik](https://goauthentik.io/) is an open-source Identity Provider focused on flexibility and versatility. MASH can install authentik with the [`mother-of-all-self-hosting/ansible-role-authentik`](https://github.com/mother-of-all-self-hosting/ansible-role-authentik) ansible role. + +## Dependencies + +This service requires the following other services: + +- a [Postgres](postgres.md) database +- a [Redis](redis.md) data-store, installation details [below](#redis) +- a [Traefik](traefik.md) reverse-proxy server + + +## Configuration + +To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process: + +```yaml +######################################################################## +# # +# authentik # +# # +######################################################################## + +authentik_enabled: true +authentik_hostname: authentik.example.com +authentik_secret_key: 'verysecret' + +######################################################################## +# # +# /authentik # +# # +######################################################################## +``` + +### Redis + +As described on the [Redis](redis.md) documentation page, if you're hosting additional services which require Redis on the same server, you'd better go for installing a separate Redis instance for each service. See [Creating a Redis instance dedicated to authentik](#creating-a-redis-instance-dedicated-to-authentik). + +If you're only running authentik on this server and don't need to use Redis for anything else, you can [use a single Redis instance](#using-the-shared-redis-instance-for-authentik). 
+ +#### Using the shared Redis instance for authentik + +To install a single (non-dedicated) Redis instance (`mash-redis`) and hook authentik to it, add the following **additional** configuration: + +```yaml +######################################################################## +# # +# redis # +# # +######################################################################## + +redis_enabled: true + +######################################################################## +# # +# /redis # +# # +######################################################################## + + +######################################################################## +# # +# authentik # +# # +######################################################################## + +# Base configuration as shown above + +# Point authentik to the shared Redis instance +authentik_config_redis_hostname: "{{ redis_identifier }}" + +# Make sure the authentik service (mash-authentik.service) starts after the shared Redis service (mash-redis.service) +authentik_systemd_required_services_list_custom: + - "{{ redis_identifier }}.service" + +# Make sure the authentik container is connected to the container network of the shared Redis service (mash-redis) +authentik_container_additional_networks_custom: + - "{{ redis_identifier }}" + +######################################################################## +# # +# /authentik # +# # +######################################################################## +``` + +This will create a `mash-redis` Redis instance on this host. + +This is only recommended if you won't be installing other services which require Redis. Alternatively, go for [Creating a Redis instance dedicated to authentik](#creating-a-redis-instance-dedicated-to-authentik). + + +#### Creating a Redis instance dedicated to authentik + +The following instructions are based on the [Running multiple instances of the same service on the same host](../running-multiple-instances.md) documentation. 
+ +Adjust your `inventory/hosts` file as described in [Re-do your inventory to add supplementary hosts](../running-multiple-instances.md#re-do-your-inventory-to-add-supplementary-hosts), adding a new supplementary host (e.g. if `authentik.example.com` is your main one, create `authentik.example.com-deps`). + +Then, create a new `vars.yml` file for the + +`inventory/host_vars/authentik.example.com-deps/vars.yml`: + +```yaml +--- + +######################################################################## +# # +# Playbook # +# # +######################################################################## + +# Put a strong secret below, generated with `pwgen -s 64 1` or in another way +# Various other secrets will be derived from this secret automatically. +mash_playbook_generic_secret_key: '' + +# Override service names and directory path prefixes +mash_playbook_service_identifier_prefix: 'mash-authentik-' +mash_playbook_service_base_directory_name_prefix: 'authentik-' + +######################################################################## +# # +# /Playbook # +# # +######################################################################## + + +######################################################################## +# # +# redis # +# # +######################################################################## + +redis_enabled: true + +######################################################################## +# # +# /redis # +# # +######################################################################## +``` + +This will create a `mash-authentik-redis` instance on this host with its data in `/mash/authentik-redis`. 
+ +Then, adjust your main inventory host's variables file (`inventory/host_vars/authentik.example.com/vars.yml`) like this: + +```yaml +######################################################################## +# # +# authentik # +# # +######################################################################## + +# Base configuration as shown above + + +# Point authentik to its dedicated Redis instance +authentik_environment_variable_redis_host: mash-authentik-redis +authentik_environment_variable_redis_cache_host: mash-authentik-redis + +# Make sure the authentik service (mash-authentik.service) starts after its dedicated Redis service (mash-authentik-redis.service) +authentik_systemd_required_services_list_custom: + - "mash-authentik-redis.service" + +# Make sure the authentik container is connected to the container network of its dedicated Redis service (mash-authentik-redis) +authentik_container_additional_networks_custom: + - "mash-authentik-redis" + +######################################################################## +# # +# /authentik # +# # +######################################################################## +``` + + +## Installation + +If you've decided to install a dedicated Redis instance for authentik, make sure to first do [installation](../installing.md) for the supplementary inventory host (e.g. `authentik.example.com-deps`), before running installation for the main one (e.g. `authentik.example.com`). + + +## Usage + +After installation, you can go to the authentik URL, as defined in `authentik_hostname`. Set the admin password there and start adding applications and users! Refer to the [official documentation]() to learn how to integrate services. 
Below are some tested examples + +### Grafana + +To enable SSO for Grafana you should + +* Create a new OAUTH provider in authentik called `grafana` +* Create an application also named `grafana` in authentik using this provider +* Add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process (make sure to adjust `authentik.example.com`) + +```yaml +grafana_environment_variables_additional_variables: | + GF_AUTH_GENERIC_OAUTH_ENABLED=true + GF_AUTH_GENERIC_OAUTH_NAME=authentik + GF_AUTH_GENERIC_OAUTH_CLIENT_ID=COPIED-CLIENTID + GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=COPIED-CLIENTSECRET + GF_AUTH_GENERIC_OAUTH_SCOPES=openid profile email + GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://authentik.example.com/application/o/authorize/ + GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://authentik.example.com/application/o/token/ + GF_AUTH_GENERIC_OAUTH_API_URL=https://authentik.example.com/application/o/userinfo/ + GF_AUTH_SIGNOUT_REDIRECT_URL=https://authentik.example.com/application/o/grafana/end-session/ + # Optionally enable auto-login (bypasses Grafana login screen) + #GF_AUTH_OAUTH_AUTO_LOGIN="true" + GF_AUTH_GENERIC_OAUTH_ALLOW_ASSIGN_GRAFANA_ADMIN=true + # Optionally map user groups to Grafana roles + GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH="contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'" + +``` + +### Nextcloud + +**The official documentation of authentik to connect nextcloud via SAML seems broken** + +MASH can connect Nextcloud with authentik via OIDC. The setup is quite straightforward, refer to [this blogpost by Jack](https://blog.cubieserver.de/2022/complete-guide-to-nextcloud-oidc-authentication-with-authentik/) for a full explanation. 
+ +In short you shoudl + +* Create a new provider in authentik and trimm the client secret to <64 characters +* Create an application in authentik using this provider +* Install the app `user_oidc` in Nextcloud +* Fill in the details from authentik in the app settings + +**Troubleshooting** + +If you encounter problems during login check (error message containes `SHA1 mismatch`) that +* Nextcloud users and authentik users do not have the same name -> if they do check `Use unique user ID` in the OIDC App settings diff --git a/docs/supported-services.md b/docs/supported-services.md index 1176c34..41ae8b2 100644 --- a/docs/supported-services.md +++ b/docs/supported-services.md @@ -4,6 +4,7 @@ | ------------------------------ | ------------------------------------- | ------------- | | [AUX](https://github.com/mother-of-all-self-hosting/ansible-role-aux) | Auxiliary file/directory management on your server via Ansible | [Link](services/auxiliary.md) | | [AdGuard Home](https://adguard.com/en/adguard-home/overview.html/) | A network-wide DNS software for blocking ads & tracking | [Link](services/adguard-home.md) | +| [authentik](https://goauthentik.io/) | An open-source Identity Provider focused on flexibility and versatility. | [Link](services/authentik.md) | | [Collabora Online](https://www.collaboraoffice.com/) | Your Private Office Suite In The Cloud | [Link](services/collabora-online.md) | | [Docker](https://www.docker.com/) | Open-source software for deploying containerized applications | [Link](services/docker.md) | | [Docker Registry](https://docs.docker.com/registry/) | A container image distribution registry | [Link](services/docker-registry.md) | diff --git a/group_vars/mash_servers b/group_vars/mash_servers index f54f5c4..6932989 100644 --- a/group_vars/mash_servers +++ b/group_vars/mash_servers 
@@ -65,6 +65,10 @@ devture_systemd_service_manager_services_list_auto: | {{ ([{'name': (adguard_home_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'adguard-home']}] if adguard_home_enabled else []) + + ([{'name': (authentik_server_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'authentik']}] if authentik_enabled else []) + + + ([{'name': (authentik_worker_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'authentik']}] if authentik_enabled else []) + + ([{'name': (collabora_online_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'collabora-online']}] if collabora_online_enabled else []) + ([{'name': (devture_postgres_identifier + '.service'), 'priority': 500, 'groups': ['mash', 'postgres']}] if devture_postgres_enabled else []) @@ -209,6 +213,11 @@ devture_postgres_systemd_services_to_stop_for_maintenance_list: | devture_postgres_managed_databases_auto: | {{ ([{ + 'name': authentik_database_name, + 'username': authentik_database_username, + 'password': authentik_database_password, + }] if authentik_enabled and authentik_database_hostname == devture_postgres_identifier else []) + +([{ 'name': focalboard_database_name, 'username': focalboard_database_username, 'password': focalboard_database_password, 
@@ -501,6 +510,55 @@ adguard_home_container_labels_traefik_tls_certResolver: "{{ devture_traefik_cert # # ######################################################################## +######################################################################## +# # +# authentik # +# # +######################################################################## + +authentik_enabled: false + +authentik_identifier: "{{ mash_playbook_service_identifier_prefix }}authentik" + +authentik_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}authentik" + +authentik_uid: "{{ mash_playbook_uid }}" +authentik_gid: "{{ mash_playbook_gid }}" + +authentik_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}" +authentik_database_port: "{{ '5432' if devture_postgres_enabled else '' }}" +authentik_database_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'db.authentik', rounds=655555) | to_uuid }}" +authentik_database_username: "{{ authentik_identifier }}" + +authentik_server_systemd_required_services_list_auto: | + {{ + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled and authentik_database_hostname == devture_postgres_identifier else []) + }} + +authentik_server_container_additional_networks_auto: | + {{ + ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else []) + + + ([devture_postgres_container_network] if devture_postgres_enabled and authentik_database_hostname == devture_postgres_identifier and authentik_server_container_network != devture_postgres_container_network else []) + }} + +authentik_frontend_container_additional_networks_auto: | + {{ + ([devture_postgres_container_network] if devture_postgres_enabled and authentik_database_hostname == devture_postgres_identifier and authentik_frontend_container_network != devture_postgres_container_network else []) + + + 
([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else []) + }} + +authentik_server_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}" +authentik_server_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}" +authentik_server_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +authentik_server_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + +######################################################################## +# # +# /funkwhale # +# # +######################################################################## ######################################################################## diff --git a/requirements.yml b/requirements.yml index d448b53..9306f6f 100644 --- a/requirements.yml +++ b/requirements.yml @@ -3,6 +3,9 @@ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-adguard-home.git version: v0.107.26-1 name: adguard_home +- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-authentik.git + version: v2023.4.0-1 + name: authentik - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git version: v1.0.0-0 name: aux diff --git a/setup.yml b/setup.yml index 79cfa34..5a99bfb 100644 --- a/setup.yml +++ b/setup.yml @@ -56,6 +56,8 @@ - role: galaxy/adguard_home + - role: galaxy/authentik + - role: galaxy/collabora_online - role: galaxy/docker_registry From f56c4b2c7e624c4d9bd2f92eb32c0f29e47279a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Wed, 19 Apr 2023 12:32:08 +0200 Subject: [PATCH 2/7] Bump version --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 9306f6f..53ca98b 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -4,7 +4,7 @@ version: v0.107.26-1 name: adguard_home - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-authentik.git - version: v2023.4.0-1 + version: v2023.4.1-1 name: authentik - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git version: v1.0.0-0 From b841006d431de3f4eada1e6a89814a74d424b64a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Wed, 19 Apr 2023 12:49:10 +0200 Subject: [PATCH 3/7] Add warning on testing status --- docs/services/authentik.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/services/authentik.md b/docs/services/authentik.md index 72efa9d..43f1a27 100644 --- a/docs/services/authentik.md +++ b/docs/services/authentik.md @@ -2,6 +2,9 @@ [authentik](https://goauthentik.io/) is an open-source Identity Provider focused on flexibility and versatility. MASH can install authentik with the [`mother-of-all-self-hosting/ansible-role-authentik`](https://github.com/mother-of-all-self-hosting/ansible-role-authentik) ansible role. + +**Warning:** SSO is pretty complex and while this role will install authentik for you we only tested OIDC and OAUTH integration. There is a high probability that using outposts/LDAP would need further configuration efforts. Make sure you test before using this in production and feel free to provide feedback! + ## Dependencies This service requires the following other services: From b6e6ea24f7b2591d585678b8b944d841dc066a7d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Sat, 22 Apr 2023 12:55:52 +0200 Subject: [PATCH 4/7] MAke authentik use single container --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 948ec6a..f4821d7 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -7,7 +7,7 @@ version: v1.9.16-0 name: appsmith - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-authentik.git - version: v2023.4.1-1 + version: v2023.4.1-2 name: authentik - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git version: v1.0.0-0 From 86f8a05e478616a1ad87d3d94464182f863c8431 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Sat, 22 Apr 2023 13:29:51 +0200 Subject: [PATCH 5/7] Rework documentation SSO configuration is now described in the respective services --- docs/services/authentik.md | 46 +++----------------------------------- docs/services/grafana.md | 29 ++++++++++++++++++++++++ docs/services/nextcloud.md | 21 +++++++++++++++++ 3 files changed, 53 insertions(+), 43 deletions(-) diff --git a/docs/services/authentik.md b/docs/services/authentik.md index 43f1a27..912a04a 100644 --- a/docs/services/authentik.md +++ b/docs/services/authentik.md 
@@ -183,49 +183,9 @@ If you've decided to install a dedicated Redis instance for authentik, make sure ## Usage -After installation, you can go to the authentik URL, as defined in `authentik_hostname`. Set the admin password there and start adding applications and users! Refer to the [official documentation]() to learn how to integrate services. Below are some tested examples +After installation, you can set the admin password at `https:///if/flow/initial-setup/`. Set the admin password there and start adding applications and users! Refer to the [official documentation](https://goauthentik.io/docs/) to learn how to integrate services. For this playbook tested examples are described in the respective service documentation. See -### Grafana +* [Grafana](./grafana.md) +* [Nextcloud](./nextcloud.md) -To enable SSO for Grafana you should -* Create a new OAUTH provider in authentik called `grafana` -* Create an application also named `grafana` in authentik using this provider -* Add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process (make sure to adjust `authentik.example.com`) - -```yaml -grafana_environment_variables_additional_variables: | - GF_AUTH_GENERIC_OAUTH_ENABLED=true - GF_AUTH_GENERIC_OAUTH_NAME=authentik - GF_AUTH_GENERIC_OAUTH_CLIENT_ID=COPIED-CLIENTID - GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=COPIED-CLIENTSECRET - GF_AUTH_GENERIC_OAUTH_SCOPES=openid profile email - GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://authentik.example.com/application/o/authorize/ - GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://authentik.example.com/application/o/token/ - GF_AUTH_GENERIC_OAUTH_API_URL=https://authentik.example.com/application/o/userinfo/ - GF_AUTH_SIGNOUT_REDIRECT_URL=https://authentik.example.com/application/o/grafana/end-session/ - # Optionally enable auto-login (bypasses Grafana login screen) - #GF_AUTH_OAUTH_AUTO_LOGIN="true" - GF_AUTH_GENERIC_OAUTH_ALLOW_ASSIGN_GRAFANA_ADMIN=true - # Optionally map user groups to Grafana 
roles - GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH="contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'" - -``` - -### Nextcloud - -**The official documentation of authentik to connect nextcloud via SAML seems broken** - -MASH can connect Nextcloud with authentik via OIDC. The setup is quite straightforward, refer to [this blogpost by Jack](https://blog.cubieserver.de/2022/complete-guide-to-nextcloud-oidc-authentication-with-authentik/) for a full explanation. - -In short you shoudl - -* Create a new provider in authentik and trimm the client secret to <64 characters -* Create an application in authentik using this provider -* Install the app `user_oidc` in Nextcloud -* Fill in the details from authentik in the app settings - -**Troubleshooting** - -If you encounter problems during login check (error message containes `SHA1 mismatch`) that -* Nextcloud users and authentik users do not have the same name -> if they do check `Use unique user ID` in the OIDC App settings diff --git a/docs/services/grafana.md b/docs/services/grafana.md index 4fd97ba..8fa0ef7 100644 --- a/docs/services/grafana.md +++ b/docs/services/grafana.md 
@@ -82,6 +82,35 @@ grafana_dashboard_download_urls: | ``` +#### Single-Sign-On / Authentik + +Grafana supports Single-Sign-On (SSO) via OAUTH. To make use of this you'll need a Identity Provider like [authentik](./authentik.md) or [Keycloak](./keycloak.md). Using authentik you can connect and Authentik like this: + +* Create a new OAUTH provider in authentik called `grafana` +* Create an application also named `grafana` in authentik using this provider +* Add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process (make sure to adjust `authentik.example.com`) + +```yaml +grafana_environment_variables_additional_variables: | + GF_AUTH_GENERIC_OAUTH_ENABLED=true + GF_AUTH_GENERIC_OAUTH_NAME=authentik + GF_AUTH_GENERIC_OAUTH_CLIENT_ID=COPIED-CLIENTID + GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=COPIED-CLIENTSECRET + GF_AUTH_GENERIC_OAUTH_SCOPES=openid profile email + GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://authentik.example.com/application/o/authorize/ + GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://authentik.example.com/application/o/token/ + GF_AUTH_GENERIC_OAUTH_API_URL=https://authentik.example.com/application/o/userinfo/ + GF_AUTH_SIGNOUT_REDIRECT_URL=https://authentik.example.com/application/o/grafana/end-session/ + # Optionally enable auto-login (bypasses Grafana login screen) + #GF_AUTH_OAUTH_AUTO_LOGIN="true" + GF_AUTH_GENERIC_OAUTH_ALLOW_ASSIGN_GRAFANA_ADMIN=true + # Optionally map user groups to Grafana roles + GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH="contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'" +``` + +Make sure the user you want to login as has an email address in authentik, otherwise there will be an error. + + ## Usage After installation, you should be able to access your new Gitea instance at the configured URL (see above). diff --git a/docs/services/nextcloud.md b/docs/services/nextcloud.md index ad2bdd4..26fa166 100644 
--- a/docs/services/nextcloud.md +++ b/docs/services/nextcloud.md @@ -198,6 +198,27 @@ nextcloud_container_additional_networks_custom: ######################################################################## ``` +### Single-Sign-On / Authentik + +Nextcloud supports Single-Sign-On (SSO) via LDAP, SAML, and OIDC. To make use of this you'll need a Identity Provider like [authentik](./authentik.md) or [Keycloak](./keycloak.md). The following assumes you use authentik. + + +**The official documentation of authentik to connect nextcloud via SAML seems broken** + +MASH can connect Nextcloud with authentik via OIDC. The setup is quite straightforward, refer to [this blogpost by Jack](https://blog.cubieserver.de/2022/complete-guide-to-nextcloud-oidc-authentication-with-authentik/) for a full explanation. + +In short you should + +* Create a new provider in authentik and trimm the client secret to <64 characters +* Create an application in authentik using this provider +* Install the app `user_oidc` in Nextcloud +* Fill in the details from authentik in the app settings + +**Troubleshooting** + +If you encounter problems during login check (error message containes `SHA1 mismatch`) that +* Nextcloud users and authentik users do not have the same name -> if they do check `Use unique user ID` in the OIDC App settings + ## Installation If you've decided to install a dedicated Redis instance for Nextcloud, make sure to first do [installation](../installing.md) for the supplementary inventory host (e.g. `nextcloud.example.com-deps`), before running installation for the main one (e.g. `nextcloud.example.com`). From 8f72a895529e69384e373e22463d495411ec1381 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Sat, 22 Apr 2023 13:30:57 +0200 Subject: [PATCH 6/7] Remove unused var, typo --- group_vars/mash_servers | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) 
diff --git a/group_vars/mash_servers b/group_vars/mash_servers index 32f8591..91ea21c 100644 --- a/group_vars/mash_servers +++ b/group_vars/mash_servers @@ -514,7 +514,7 @@ adguard_home_container_labels_traefik_tls_certResolver: "{{ devture_traefik_cert -####################################################################### +######################################################################## # # # appsmith # # # @@ -579,13 +579,6 @@ authentik_server_container_additional_networks_auto: | ([devture_postgres_container_network] if devture_postgres_enabled and authentik_database_hostname == devture_postgres_identifier and authentik_server_container_network != devture_postgres_container_network else []) }} -authentik_frontend_container_additional_networks_auto: | - {{ - ([devture_postgres_container_network] if devture_postgres_enabled and authentik_database_hostname == devture_postgres_identifier and authentik_frontend_container_network != devture_postgres_container_network else []) - + - ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else []) - }} - authentik_server_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}" authentik_server_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}" authentik_server_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" From a447f82e60155d400d269e6c2611fc50c78cff6c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 22 Apr 2023 15:03:28 +0300 Subject: [PATCH 7/7] Fix typo --- docs/services/nextcloud.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/services/nextcloud.md b/docs/services/nextcloud.md index 26fa166..25f009a 100644 --- a/docs/services/nextcloud.md +++ b/docs/services/nextcloud.md 
@@ -207,9 +207,9 @@ Nextcloud supports Single-Sign-On (SSO) via LDAP, SAML, and OIDC. To make use of MASH can connect Nextcloud with authentik via OIDC. The setup is quite straightforward, refer to [this blogpost by Jack](https://blog.cubieserver.de/2022/complete-guide-to-nextcloud-oidc-authentication-with-authentik/) for a full explanation. -In short you should +In short you should: -* Create a new provider in authentik and trimm the client secret to <64 characters +* Create a new provider in authentik and trim the client secret to <64 characters * Create an application in authentik using this provider * Install the app `user_oidc` in Nextcloud * Fill in the details from authentik in the app settings
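Review bot: in PATCH 1, the Configuration block of docs/services/authentik.md shows `authentik_secret_key: 'verysecret'` as a literal, copy-pasteable value, so readers are likely to deploy it as-is. The same file already has the convention for `mash_playbook_generic_secret_key` ("Put a strong secret below, generated with `pwgen -s 64 1` or in another way"); use it here too, leaving the value empty (`authentik_secret_key: ''`) with that comment above it. Two smaller things in the same hunk: the sentence "Then, create a new `vars.yml` file for the" is cut off before the path it introduces, and the link `[official documentation]()` in the Usage section is empty.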
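Review bot: in PATCH 1, the two Redis sections of docs/services/authentik.md configure the same thing with different variable names: the shared-Redis example sets `authentik_config_redis_hostname`, while the dedicated-Redis example sets `authentik_environment_variable_redis_host` and `authentik_environment_variable_redis_cache_host`. At most one of these naming schemes can match the role's defaults, so the other path silently ignores the setting and authentik falls back to whatever Redis host the role assumes. Please check the role's defaults and use the same names in both sections.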
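Review bot: in PATCH 1, the Grafana block of docs/services/authentik.md sets `GF_AUTH_GENERIC_OAUTH_ALLOW_ASSIGN_GRAFANA_ADMIN=true` unconditionally while the role mapping right below it is marked "Optionally"; that flag only does something when the role attribute path can yield a Grafana admin role, so either document that coupling or move the line under the optional comment. Also, `#GF_AUTH_OAUTH_AUTO_LOGIN="true"` is the only quoted value in the block; if these lines end up in a Docker env file the quotes are kept literally, so drop them to match the other lines. Minor text fixes in the same hunk: "Below are some tested examples" lacks a period, and "shoudl", "trimm" and "containes" are typos.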
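Review bot: in PATCH 1, the Nextcloud step "trimm the client secret to <64 characters" does not say where the shortened value has to be entered. The client secret must be identical on both sides of the token exchange, so it needs to be shortened in the authentik provider before being copied into the `user_oidc` settings; a reader who truncates only the Nextcloud copy gets a failing login with no obvious cause. The troubleshooting bullet ("do not have the same name -> if they do check `Use unique user ID`") also states the condition backwards and would be clearer as "if Nextcloud and authentik user names collide, enable `Use unique user ID` in the OIDC app settings".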
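Review bot: in PATCH 1, group_vars/mash_servers, the closing banner of the new block reads `/funkwhale` instead of `/authentik` (copy-paste leftover). More importantly, the services list adds entries for `authentik_server_identifier` and `authentik_worker_identifier`, but the new block only defines `authentik_identifier`; if the role does not derive the server/worker names from `authentik_identifier`, rendering `devture_systemd_service_manager_services_list_auto` fails with an undefined variable as soon as `authentik_enabled` is true. Either define both identifiers here next to `authentik_identifier` or confirm the role provides them.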
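Review bot: PATCH 4's message ("MAke authentik use single container", note the typo) describes a behavioural change, but the hunk only bumps the role to `v2023.4.1-2`. The playbook-side entries from PATCH 1 that assume separate containers (the `authentik_worker_identifier` service entry and `authentik_frontend_container_additional_networks_auto` in group_vars/mash_servers) are not touched here, so the playbook and the role are out of step between this commit and PATCH 6; consider folding the group_vars cleanup into this commit.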
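Review bot: in PATCH 5, docs/services/authentik.md, the new Usage line `https:///if/flow/initial-setup/` has lost the hostname between the slashes (an angle-bracket placeholder most likely got swallowed as markup); write it as `https://authentik.example.com/if/flow/initial-setup/` to match the hostname used elsewhere in the document. The same sentence ends with a dangling "See" before the list, and "For this playbook tested examples are described" needs a comma after "playbook".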
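Review bot: in PATCH 5, docs/services/grafana.md, the sentence "Using authentik you can connect and Authentik like this:" is garbled and should read something like "With authentik, connect Grafana like this:"; "a Identity Provider" should be "an Identity Provider". The unchanged context line under the hunk ("access your new Gitea instance") is a pre-existing copy-paste error in the Grafana page that is worth fixing while this section is being edited.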
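Review bot: in PATCH 5, docs/services/nextcloud.md, the text moved from authentik.md carries its typos along: "a Identity Provider", "trimm" and "containes" (PATCH 7 later fixes "trimm" but not "containes"). The bold claim "The official documentation of authentik to connect nextcloud via SAML seems broken" would be more useful with a pointer to what fails or to the upstream issue, so readers can tell whether it still applies.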
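Review bot: in PATCH 6, group_vars/mash_servers, removing `authentik_frontend_container_additional_networks_auto` is consistent with the single-container role, but the `authentik_worker_identifier` entry added to `devture_systemd_service_manager_services_list_auto` in PATCH 1 is still there; if the role no longer creates a worker unit, the service manager will try to manage a unit that does not exist. The `/funkwhale` closing banner from PATCH 1 is also left unchanged, while the banner-width fix for the appsmith block in this hunk suggests the same sweep could cover it.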