working on sso
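--- a/.env.sample
+++ b/.env.sample
@@ -16,3 +16,13 @@ SANDBOX_DOMAIN=sandbox.cryptpad.example.com
 ## Domain aliases
 #EXTRA_DOMAINS=', `www.cryptpad.example.com`'
 LETS_ENCRYPT_ENV=production
+
+## SSO / OIDC (optional — requires SSO_ENABLED=true)
+SSO_ENABLED=false
+SSO_ENFORCED=false
+SSO_PROVIDER_NAME=Authentik
+SSO_OIDC_URL=https://authentik.example.com/application/o/cryptpad
+SSO_CLIENT_ID=cryptpad
+SSO_CLIENT_SECRET=
+SSO_JWT_ALG=RS256
+SSO_PLUGIN_VERSION=0.4.0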
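--- a/abra.sh
+++ b/abra.sh
@@ -1,3 +1,5 @@
 export CONFIG_VERSION=v2
 export CONFIG_JS_VERSION=v2
 export NGINX_CONF_VERSION=v1
+export SSO_ENTRYPOINT_VERSION=v2
+export SSO_JS_VERSION=v1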
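--- a/compose.yml
+++ b/compose.yml
@@ -4,6 +4,8 @@ version: "3.8"
 services:
 app:
 image: cryptpad/cryptpad:version-2026.2.0
+entrypoint: ["/bin/bash", "/sso-entrypoint.sh"]
+command: ["npm", "start"]
 networks:
 - backend
 environment:
@@ -15,6 +17,15 @@ services:
 - "CPAD_HTTP2_DISABLE=true"
 - "CPAD_TRUST_PROXY=1"
 - "CPAD_CONF=/cryptpad/config/config.js"
+# SSO plugin
+- SSO_PLUGIN_VERSION
+- SSO_ENABLED
+- SSO_ENFORCED
+- SSO_PROVIDER_NAME
+- SSO_OIDC_URL
+- SSO_CLIENT_ID
+- SSO_CLIENT_SECRET
+- SSO_JWT_ALG
 
 volumes:
 - cryptpad_blob:/cryptpad/blob
@@ -23,9 +34,15 @@ services:
 - cryptpad_data:/cryptpad/data
 - cryptpad_files:/cryptpad/datastore
 - cryptpad_config:/cryptpad/config/
+- cryptpad_plugins:/cryptpad/lib/plugins
 configs:
 - source: config_js
 target: /cryptpad/config/config.js
+- source: sso_entrypoint
+target: /sso-entrypoint.sh
+mode: 0755
+- source: sso_js
+target: /sso.js.tmpl
 
 deploy:
 restart_policy:
@@ -77,6 +94,7 @@ volumes:
 cryptpad_data:
 cryptpad_files:
 cryptpad_config:
+cryptpad_plugins:
 
 configs:
 config_js:
@@ -87,3 +105,10 @@ configs:
 name: ${STACK_NAME}_nginx_conf_${NGINX_CONF_VERSION}
 file: nginx.conf.tmpl
 template_driver: golang
+sso_entrypoint:
+name: ${STACK_NAME}_sso_entrypoint_${SSO_ENTRYPOINT_VERSION}
+file: sso-entrypoint.sh
+sso_js:
+name: ${STACK_NAME}_sso_js_${SSO_JS_VERSION}
+file: sso.js.tmpl
+template_driver: golang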
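Review bot: `SSO_CLIENT_SECRET` is passed through `environment:` in the second hunk, which makes it readable with `docker inspect` on the service and task and by every process in the container, and the new entrypoint then writes the rendered value into `/cryptpad/config/sso.js`. A Swarm secret (`secrets:` on the service, read from the template with `{{ secret "..." }}` if the golang template driver exposes that function here) would keep it out of the service spec and out of the process environment. Separately, the `entrypoint:` override in the first hunk makes container start depend on `git` being in the image and on outbound access to github.com; if either is missing the service fails to start instead of running without SSO, which deserves a comment next to the override such as `# startup now clones the SSO plugin; needs git + network to github.com`. The enclosing `app:` service definition continues outside the hunks.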
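--- /dev/null
+++ b/sso-entrypoint.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+set -e
+
+# SSO plugin installer — runs before the original CryptPad entrypoint.
+# Clones the cryptpad/sso plugin into the plugins volume if not already present
+# or if the version has changed, then delegates to the real entrypoint.
+
+PLUGIN_DIR="/cryptpad/lib/plugins/sso"
+VERSION_FILE="${PLUGIN_DIR}/.version"
+SSO_PLUGIN_VERSION="${SSO_PLUGIN_VERSION:-0.4.0}"
+
+# Copy SSO config template into place (mounted as Docker config)
+if [ -f /sso.js.tmpl ]; then
+cp /sso.js.tmpl /cryptpad/config/sso.js
+echo "[sso-entrypoint] Copied sso.js config into /cryptpad/config/sso.js"
+fi
+
+# Install/update the SSO plugin
+if [ -f "${VERSION_FILE}" ] && [ "$(cat "${VERSION_FILE}")" = "${SSO_PLUGIN_VERSION}" ]; then
+echo "[sso-entrypoint] SSO plugin ${SSO_PLUGIN_VERSION} already installed"
+else
+echo "[sso-entrypoint] Installing SSO plugin ${SSO_PLUGIN_VERSION} ..."
+rm -rf "${PLUGIN_DIR}"
+git clone --depth 1 --branch "${SSO_PLUGIN_VERSION}" \
+https://github.com/cryptpad/sso.git "${PLUGIN_DIR}"
+echo "${SSO_PLUGIN_VERSION}" > "${VERSION_FILE}"
+echo "[sso-entrypoint] SSO plugin installed"
+fi
+
+# Hand off to the original CryptPad entrypoint
+exec /bin/bash /cryptpad/docker-entrypoint.sh "$@"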
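Review bot: In the install branch `rm -rf "${PLUGIN_DIR}"` runs before `git clone`, so under `set -e` a failed clone (no outbound network, `git` absent from the image, tag not found) aborts startup with the previously working plugin already deleted, and every restart repeats the same sequence. Cloning into a temporary directory inside the plugins volume and renaming it into place only after the clone succeeds keeps the last good version on failure. The clone also checks out a tag at every container start, and a tag can be moved, so nothing ties the code that runs to what was reviewed; recording the expected commit (a proposed `SSO_PLUGIN_COMMIT` variable compared with `git -C "${tmp_dir}" rev-parse HEAD` before the rename) or vendoring the plugin into the image would close that gap. Whether `git` is present in the cryptpad image cannot be determined from this diff.
```shell
# … unchanged: version check and "already installed" branch …
else
  echo "[sso-entrypoint] Installing SSO plugin ${SSO_PLUGIN_VERSION} ..."
  # clone next to the target so the final mv stays on the same volume
  tmp_dir="$(mktemp -d "${PLUGIN_DIR%/*}/sso.XXXXXX")"
  git clone --depth 1 --branch "${SSO_PLUGIN_VERSION}" \
    https://github.com/cryptpad/sso.git "${tmp_dir}"
  # only replace the old install once the new one is complete
  rm -rf "${PLUGIN_DIR}"
  mv "${tmp_dir}" "${PLUGIN_DIR}"
  echo "${SSO_PLUGIN_VERSION}" > "${VERSION_FILE}"
  echo "[sso-entrypoint] SSO plugin installed"
fi
```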
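--- /dev/null
+++ b/sso.js.tmpl
@@ -0,0 +1,15 @@
+// CryptPad SSO configuration — generated from environment variables
+// See https://github.com/cryptpad/sso for documentation
+
+module.exports = {
+enabled: "{{ env "SSO_ENABLED" }}" === "true",
+enforced: "{{ env "SSO_ENFORCED" }}" === "true",
+protocol: "oidc",
+providerName: "{{ env "SSO_PROVIDER_NAME" }}",
+oidcConfig: {
+url: "{{ env "SSO_OIDC_URL" }}",
+clientID: "{{ env "SSO_CLIENT_ID" }}",
+clientSecret: "{{ env "SSO_CLIENT_SECRET" }}",
+algorithm: "{{ env "SSO_JWT_ALG" }}"
+}
+};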
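Review bot: Every `{{ env "..." }}` value is dropped into a double-quoted JS string literal with no escaping, so a value containing `"`, a backslash or a newline (client secrets and display names can contain such characters) yields a `sso.js` that fails to parse or evaluates to something other than the operator intended. Go text/template ships a `js` function that escapes for exactly this context, e.g. `clientSecret: "{{ env "SSO_CLIENT_SECRET" | js }}",` and likewise for `providerName`, `url`, `clientID` and `algorithm` — assuming the compose `template_driver: golang` exposes the standard function set, which this diff does not show. Note also that sso-entrypoint.sh copies the rendered file, client secret included, into the persistent `cryptpad_config` volume, so the secret then lives in plaintext on disk as well as in the container environment; a header comment stating that would help whoever handles backups of that volume.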