# CryptPad — First-Time Setup

## Prerequisites

- DNS: `cryptpad.<domain_suffix>` must resolve to the server
- DNS: `sandbox.cryptpad.<domain_suffix>` must resolve to the server (sandbox iframe domain)
- **Authentik** must be deployed and running (dependency)

## Steps

1. **Create the app:**
   ```bash
   abra app new cryptpad --server <SERVER> --domain cryptpad.<DOMAIN_SUFFIX> --no-input
   ```

2. **Generate secrets:**
   ```bash
   abra app secret generate cryptpad.<DOMAIN_SUFFIX> --all -m --no-input
   ```
   Save output to `recipe-info/testsecrets/cryptpad.<DOMAIN_SUFFIX>`.

3. **Configure SSO compose file:**
   Edit the env file at `~/.abra/servers/<SERVER>/cryptpad.<DOMAIN_SUFFIX>.env` and set:
   ```
   COMPOSE_FILE=compose.yml:compose.sso.yml
   ```
   This enables the SSO overlay that adds OIDC support.

4. **Deploy:**
   ```bash
   abra app deploy cryptpad.<DOMAIN_SUFFIX> --chaos --force --no-input
   ```

5. **Authentik SSO integration:**
   ```bash
   python3 recipe-info/cryptpad/setup_authentik_integration.py
   ```
   This creates an OAuth2 provider and application in Authentik, creates a test user, inserts the client secret, and updates CryptPad's env file with SSO settings.

6. **Redeploy with SSO settings:**
   ```bash
   abra app deploy cryptpad.<DOMAIN_SUFFIX> --chaos --force --no-input
   ```
   Wait ~2 minutes for the SSO plugin to install and CryptPad to rebuild.

7. **Verify:** curl `https://cryptpad.<DOMAIN_SUFFIX>` returns HTTP 200.

## Notes

- Credentials are saved to `recipe-info/cryptpad/authentik-test-credentials.<DOMAIN_SUFFIX>.toml`.
- OIDC test user: `testuser` / `testpass123`.
- The SSO plugin takes a couple of minutes to install on first deploy.