recipe-maintainers/recipe-maintainer
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
recipe-maintainer/utils
History
autonomic-bot f283a371bb recipe-maintainer: public snapshot (secrets + deployment plans removed, single commit) 
Sanitized single-commit public mirror of recipe-maintainer.
- Removed test-ssh/.testenv (live creds); added test-ssh/.testenv.example placeholders.
- Removed plans/ and planned-updates/ (deployment-planning docs) so no client/
  deployment domains appear in the public repo.
- All other secret stores were already gitignored.
- docs.coopcloud.tech retained as a submodule (public upstream).
2026-06-16 20:18:24 +00:00
..
tests
recipe-maintainer: public snapshot (secrets + deployment plans removed, single commit)
2026-06-16 20:18:24 +00:00
authentik_client.py
recipe-maintainer: public snapshot (secrets + deployment plans removed, single commit)
2026-06-16 20:18:24 +00:00
README.md
recipe-maintainer: public snapshot (secrets + deployment plans removed, single commit)
2026-06-16 20:18:24 +00:00
setup_cryptpad_sso.py
recipe-maintainer: public snapshot (secrets + deployment plans removed, single commit)
2026-06-16 20:18:24 +00:00
setup_immich_sso.py
recipe-maintainer: public snapshot (secrets + deployment plans removed, single commit)
2026-06-16 20:18:24 +00:00

README.md

Utils

Helper scripts for configuring SSO and other integrations across Co-op Cloud recipes.

All scripts use stdlib only (no pip dependencies) and share authentik_client.py for Authentik API interactions.

Getting an Authentik API Token

All SSO setup scripts require an --authentik-token. You can create one from your akadmin password in several ways:

Via curl:

curl -s -X POST https://<authentik-domain>/api/v3/core/tokens/ \
  -H "Content-Type: application/json" \
  -u "akadmin:<your-akadmin-password>" \
  -d '{"identifier": "sso-setup", "intent": "api", "description": "Token for SSO setup scripts"}'

The response JSON contains a key field — that's your token.

To retrieve an existing token's key:

curl -s https://<authentik-domain>/api/v3/core/tokens/sso-setup/view_key/ \
  -u "akadmin:<your-akadmin-password>"

Via the Authentik admin UI:

Go to Directory > Tokens and App passwords > Create, set intent to "API Token", then copy the token value.

Prerequisites

The target abra apps (CryptPad, Immich, etc.) must already be deployed before running the SSO setup scripts. The scripts will fail with a clear error if the app is not found. Authentik resources (OAuth2 providers, applications) are created automatically if they don't exist.

Scripts

setup_cryptpad_sso.py

Configures Authentik as the OIDC provider for CryptPad SSO. Ensures the OAuth2 provider/application exist in Authentik, updates the CryptPad abra .env file, and inserts the client secret as a Docker secret. Requires the CryptPad abra app to already exist.

python3 utils/setup_cryptpad_sso.py \
  --authentik-domain auth.example.com \
  --authentik-token <admin-api-token> \
  --cryptpad-domain pad.example.com

Optional flags: --client-id, --app-slug, --test-user, --test-pass, --test-email, --no-test-user.

setup_immich_sso.py

Configures Authentik as the OIDC provider for Immich OAuth. Ensures the OAuth2 provider/application exist in Authentik, then configures Immich OAuth settings via its REST API. Requires Immich to already be deployed and reachable.

python3 utils/setup_immich_sso.py \
  --authentik-domain auth.example.com \
  --authentik-token <admin-api-token> \
  --immich-domain photos.example.com \
  --immich-admin-email admin@example.com \
  --immich-admin-pass <password>