diff --git a/ilot/authentik/APKBUILD b/ilot/authentik/APKBUILD
new file mode 100644
index 0000000..d10a575
--- /dev/null
+++ b/ilot/authentik/APKBUILD
@@ -0,0 +1,258 @@
+# Contributor: Antoine Martin (ayakael)
+# Maintainer: Antoine Martin (ayakael)
+pkgname=authentik
+pkgver=2024.4.3
+pkgrel=1
+pkgdesc="An open-source Identity Provider focused on flexibility and versatility"
+url="https://github.com/goauthentik/authentik"
+# s390x: missing py3-celery py3-flower and py3-kombu
+# armhf/armv7/x86: out of memory error when building goauthentik
+# ppc64le: not supported by Rollup build
+arch="aarch64 x86_64"
+license="MIT"
+depends="
+ libcap-setcap
+ nginx
+ postgresql
+ procps
+ pwgen
+ py3-aiohttp
+ py3-aiosignal
+ py3-amqp
+ py3-anyio
+ py3-asgiref
+ py3-asn1
+ py3-asn1crypto
+ py3-async-timeout
+ py3-attrs
+ py3-autobahn
+ py3-automat
+ py3-bcrypt
+ py3-billiard
+ py3-cachetools
+ py3-cbor2
+ py3-celery
+ py3-certifi
+ py3-cffi
+ py3-channels
+ py3-channels_redis
+ py3-charset-normalizer
+ py3-click
+ py3-click-didyoumean
+ py3-click-plugins
+ py3-click-repl
+ py3-codespell
+ py3-colorama
+ py3-constantly
+ py3-cparser
+ py3-cryptography
+ py3-dacite
+ py3-daphne
+ py3-dateutil
+ py3-deepmerge
+ py3-defusedxml
+ py3-deprecated
+ py3-dnspython
+ py3-django
+ py3-django-filter
+ py3-django-guardian
+ py3-django-model-utils
+ py3-django-otp
+ py3-django-prometheus
+ py3-django-redis
+ py3-django-rest-framework~=3.14.0
+ py3-django-rest-framework-guardian
+ py3-django-storages
+ py3-django-tenants
+ py3-docker-py
+ py3-dotenv
+ py3-dumb-init
+ py3-duo_client
+ py3-drf-spectacular
+ py3-email-validator
+ py3-facebook-sdk
+ py3-fido2
+ py3-flower
+ py3-frozenlist
+ py3-geoip2
+ py3-google-auth
+ py3-gunicorn
+ py3-h11
+ py3-httptools
+ py3-humanize
+ py3-hyperlink
+ py3-idna
+ py3-incremental
+ py3-inflection
+ py3-jsonschema
+ py3-jsonpatch
+ py3-jwt
+ py3-kombu
+ py3-kubernetes
+ py3-ldap3
+ py3-lxml
+ py3-maxminddb
+ py3-msgpack
+ py3-multidict
+ py3-oauthlib
+ py3-opencontainers
+ py3-openssl
+ py3-packaging
+ py3-paramiko
+ py3-parsing
+ py3-prometheus-client
+ py3-prompt_toolkit
+ py3-psycopg
+ py3-psycopg-c
+ py3-pydantic-scim
+ py3-pynacl
+ py3-pyrsistent
+ py3-python-jwt
+ py3-redis
+ py3-requests
+ py3-requests-oauthlib
+ py3-rsa
+ py3-scim2-filter-parser
+ py3-setproctitle
+ py3-sentry-sdk
+ py3-service_identity
+ py3-setuptools
+ py3-six
+ py3-sniffio
+ py3-sqlparse
+ py3-structlog
+ py3-swagger-spec-validator
+ py3-tornado
+ py3-twilio
+ py3-twisted
+ py3-txaio
+ py3-tenant-schemas-celery
+ py3-typing-extensions
+ py3-tz
+ py3-ua-parser
+ py3-uritemplate
+ py3-urllib3-secure-extra
+ py3-uvloop
+ py3-vine
+ py3-watchdog
+ py3-watchfiles
+ py3-wcwidth
+ py3-webauthn
+ py3-websocket-client
+ py3-websockets
+ py3-wrapt
+ py3-wsproto
+ py3-xmlsec
+ py3-yaml
+ py3-yarl
+ py3-zope-interface
+ py3-zxcvbn
+ redis
+ uvicorn
+ "
+makedepends="go npm"
+# checkdepends scooped up by poetry due to number
+checkdepends="poetry py3-coverage"
+# tests disabled for now
+options="!check"
+install="$pkgname.post-install $pkgname.post-upgrade $pkgname.pre-install"
+source="
+ $pkgname-$pkgver.tar.gz::https://github.com/goauthentik/authentik/archive/refs/tags/version/$pkgver.tar.gz
+ authentik.openrc
+ authentik-worker.openrc
+ authentik-ldap.openrc
+ authentik-ldap.conf
+ authentik-manage.sh
+ fix-ak-bash.patch
+ root-settings-csrf_trusted_origins.patch
+ "
+builddir="$srcdir/"authentik-version-$pkgver
+subpackages="$pkgname-openrc $pkgname-doc"
+pkgusers="authentik"
+pkggroups="authentik"
+
+export GOPATH=$srcdir/go
+export GOCACHE=$srcdir/go-build
+export GOTMPDIR=$srcdir
+
+build() {
+ msg "Building authentik-ldap"
+ go build -o ldap cmd/ldap/main.go
+ msg "Building authentik-proxy"
+ go build -o proxy cmd/proxy/main.go
+ msg "Building authentik-radius"
+ go build -o radius cmd/proxy/main.go
+ msg "Building authentik-server"
+ go build -o server cmd/server/*.go
+
+ msg "Building authentik-web"
+ cd web
+ npm ci --no-audit
+ npm run build
+ cd ..
+
+ msg "Building website"
+ cd website
+ npm ci --no-audit
+ npm run build
+}
+
+package() {
+ msg "Packaging $pkgname"
+ mkdir -p "$pkgdir"/usr/share/webapps/authentik/web
+ mkdir -p "$pkgdir"/usr/share/webapps/authentik/website
+ mkdir -p "$pkgdir"/var/lib/authentik
+ mkdir -p "$pkgdir"/usr/share/doc
+ mkdir -p "$pkgdir"/usr/bin
+ cp -dr "$builddir"/authentik "$pkgdir"/usr/share/webapps/authentik
+ cp -dr "$builddir"/web/dist "$pkgdir"/usr/share/webapps/authentik/web/dist
+ cp -dr "$builddir"/web/authentik "$pkgdir"/usr/share/webapps/authentik/web/authentik
+ cp -dr "$builddir"/website/build "$pkgdir"/usr/share/doc/authentik
+ cp -dr "$builddir"/tests "$pkgdir"/usr/share/webapps/authentik/tests
+ cp -dr "$builddir"/lifecycle "$pkgdir"/usr/share/webapps/authentik/lifecycle
+ cp -dr "$builddir"/locale "$pkgdir"/usr/share/webapps/authentik/locale
+ cp -dr "$builddir"/blueprints "$pkgdir"/var/lib/authentik/blueprints
+ install -Dm755 "$builddir"/manage.py "$pkgdir"/usr/share/webapps/authentik/manage.py
+ install -Dm755 "$builddir"/server "$pkgdir"/usr/share/webapps/authentik/server
+ ln -s "/etc/authentik/config.yml" "$pkgdir"/usr/share/webapps/authentik/local.env.yml
+
+ install -Dm755 "$builddir"/proxy "$pkgdir"/usr/bin/authentik-proxy
+ install -Dm755 "$builddir"/ldap "$pkgdir"/usr/bin/authentik-ldap
+ install -Dm755 "$builddir"/radius "$pkgdir"/usr/bin/authentik-radius
+
+ install -Dm755 "$srcdir"/$pkgname.openrc \
+ "$pkgdir"/etc/init.d/$pkgname
+ install -Dm755 "$srcdir"/$pkgname-worker.openrc \
+ "$pkgdir"/etc/init.d/$pkgname-worker
+ install -Dm755 "$srcdir"/$pkgname-ldap.openrc \
+ "$pkgdir"/etc/init.d/$pkgname-ldap
+ install -Dm640 "$srcdir"/$pkgname-ldap.conf \
+ "$pkgdir"/etc/conf.d/$pkgname-ldap
+ install -Dm640 "$builddir"/authentik/lib/default.yml \
+ "$pkgdir"/etc/authentik/config.yml
+ chown root:www-data "$pkgdir"/etc/authentik/config.yml
+
+ mv "$pkgdir"/usr/share/webapps/authentik/web/dist/custom.css "$pkgdir"/etc/authentik/custom.css
+ ln -s "/etc/authentik/custom.css" "$pkgdir"/usr/share/webapps/authentik/web/dist/custom.css
+ chown root:www-data "$pkgdir"/etc/authentik/custom.css
+
+ sed -i 's|cert_discovery_dir.*|cert_discovery_dir: /var/lib/authentik/certs|' "$pkgdir"/etc/authentik/config.yml
+ sed -i 's|blueprints_dir.*|blueprints_dir: /var/lib/authentik/blueprints|' "$pkgdir"/etc/authentik/config.yml
+ sed -i 's|template_dir.*|template_dir: /var/lib/authentik/templates|' "$pkgdir"/etc/authentik/config.yml
+ printf "\ncsrf:\n trusted_origins: ['auth.example.com']" >> "$pkgdir"/etc/authentik/config.yml
+ printf "\nsecret_key: '@@SECRET_KEY@@'" >> "$pkgdir"/etc/authentik/config.yml
+
+ # Install wrapper script to /usr/bin.
+ install -m755 -D "$srcdir"/authentik-manage.sh "$pkgdir"/usr/bin/authentik-manage
+}
+
+sha512sums="
+121ed925d81a5cb2a14fed8ec8b324352e40b1fcbba83573bfdc1d1f66a91d9670cd64d7ef752c8a2df6c34fc3e19e8aec5c6752d33e87b487a462a590212ab0 authentik-2024.4.3.tar.gz
+4defb4fe3a4230f4aa517fbecd5e5b8bcef2a64e1b40615660ae9eec33597310a09df5e126f4d39ce7764bd1716c0a7040637699135c103cbc1879593c6c06f1 authentik.openrc
+6cb03b9b69df39bb4539fe05c966536314d766b2e9307a92d87070ba5f5b7e7ab70f1b5ee1ab3c0c50c23454f9c5a4caec29e63fdf411bbb7a124ad687569b89 authentik-worker.openrc
+351e6920d987861f8bf0d7ab2f942db716a8dbdad1f690ac662a6ef29ac0fd46cf817cf557de08f1c024703503d36bc8b46f0d9eb1ecaeb399dce4c3bb527d17 authentik-ldap.openrc
+89ee5f0ffdade1c153f3a56ff75b25a7104aa81d8c7a97802a8f4b0eab34850cee39f874dabe0f3c6da3f71d6a0f938f5e8904169e8cdd34d407c8984adee6b0 authentik-ldap.conf
+f1a3cb215b6210fa7d857a452a9f2bc4dc0520e49b9fa7027547cff093d740a7e2548f1bf1f8831f7d5ccb80c8e523ee0c8bafcc4dc42d2788725f2137d21bee authentik-manage.sh
+3e47db684a3f353dcecdb7bab8836b9d5198766735d77f676a51d952141a0cf9903fcb92e6306c48d2522d7a1f3028b37247fdc1dc74d4d6e043da7eb4f36d49 fix-ak-bash.patch
+5c60e54b6a7829d611af66f5cb8184a002b5ae927efbd024c054a7c176fcb9efcfbe5685279ffcf0390b0f0abb3bb03e02782c6867c2b38d1ad2d508aae83fa0 root-settings-csrf_trusted_origins.patch
+"
diff --git a/ilot/authentik/authentik-ldap.conf b/ilot/authentik/authentik-ldap.conf
new file mode 100644
index 0000000..c31e819
--- /dev/null
+++ b/ilot/authentik/authentik-ldap.conf
@@ -0,0 +1,3 @@
+AUTHENTIK_HOST=https://example.com
+AUTHENTIK_TOKEN=your-authentik-token
+AUTHENTIK_INSECURE=true
diff --git a/ilot/authentik/authentik-ldap.openrc b/ilot/authentik/authentik-ldap.openrc
new file mode 100644
index 0000000..fc033be
--- /dev/null
+++ b/ilot/authentik/authentik-ldap.openrc
@@ -0,0 +1,24 @@
+#!/sbin/openrc-run
+
+name="$RC_SVCNAME"
+cfgfile="/etc/conf.d/$RC_SVCNAME"
+pidfile="/run/$RC_SVCNAME.pid"
+working_directory="/usr/share/webapps/authentik"
+command="/usr/bin/authentik-ldap"
+command_user="authentik"
+command_group="authentik"
+start_stop_daemon_args=""
+command_background="yes"
+output_log="/var/log/authentik/$RC_SVCNAME.log"
+error_log="/var/log/authentik/$RC_SVCNAME.err"
+
+depend() {
+ need authentik
+}
+
+start_pre() {
+ cd "$working_directory"
+ checkpath --directory --owner $command_user:$command_group --mode 0775 \
+ /var/log/authentik
+ export AUTHENTIK_HOST AUTHENTIK_TOKEN AUTHENTIK_INSECURE AUTHENTIK_DEBUG
+}
diff --git a/ilot/authentik/authentik-manage.sh b/ilot/authentik/authentik-manage.sh
new file mode 100644
index 0000000..ef7357d
--- /dev/null
+++ b/ilot/authentik/authentik-manage.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+BUNDLE_DIR='/usr/share/webapps/authentik'
+
+cd $BUNDLE_DIR
+
+if [ "$(id -un)" != 'authentik' ]; then
+ exec su authentik -c '"$0" "$@"' -- ./manage.py "$@"
+else
+ exec ./manage.py "$@"
+fi
diff --git a/ilot/authentik/authentik-worker.openrc b/ilot/authentik/authentik-worker.openrc
new file mode 100644
index 0000000..f0fa964
--- /dev/null
+++ b/ilot/authentik/authentik-worker.openrc
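Review bot: `go build -o radius cmd/proxy/main.go` in build() compiles the radius outpost from the proxy's main package, so the /usr/bin/authentik-radius that package() installs would be a second copy of the proxy; presumably `go build -o radius cmd/radius/main.go` was intended. A second point, in package(): /etc/authentik/config.yml and custom.css are installed mode 640 owned root:www-data, while every init script runs the daemons as authentik:authentik and pre-install adds that user only to the redis group, so the service user apparently cannot read either file unless post-install's conditional `chown root:$group` repairs config.yml — and custom.css is never re-owned. `chown root:authentik` for both files here would match the runtime user; worth confirming against how the server serves custom.css.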
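Review bot: The shipped /etc/conf.d/authentik-ldap defaults to `AUTHENTIK_INSECURE=true`, which turns off certificate validation for the outpost's connection to AUTHENTIK_HOST, so a fresh install is insecure until the admin notices. A safer template is `AUTHENTIK_INSECURE=false` preceded by `# Set to true only to skip TLS certificate verification against AUTHENTIK_HOST`, so that weakening the setting is an explicit act. The placeholder `AUTHENTIK_TOKEN=your-authentik-token` is fine as a template given the file is installed mode 640.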
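Review bot: start_pre creates /var/log/authentik with `--mode 0775`, which makes the log directory group-writable although nothing in the script needs that; `--mode 0755` (or 0750) keeps the same owner and drops the write bit. The same mode is applied to the log, certs and blueprints directories in authentik-worker.openrc and authentik.openrc. Separately, `cfgfile` here is `/etc/conf.d/$RC_SVCNAME`, which is the file the APKBUILD installs and the one OpenRC sources, whereas the worker and server scripts name `/etc/conf.d/$RC_SVCNAME.conf`, which OpenRC does not appear to read on its own; the `.conf` suffix there looks like a typo.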
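Review bot: `cd $BUNDLE_DIR` is unquoted and unchecked, so if the directory is missing the script goes on to exec `./manage.py` relative to the caller's directory; `cd "$BUNDLE_DIR" || exit 1` fails closed. The non-root branch `exec su authentik -c '"$0" "$@"' -- ./manage.py "$@"` forwards the arguments as positional parameters of the inner shell rather than splicing them into the command string, which is the right shape but reads as if it were string-built; a one-line comment such as `# arguments are passed as $0/$@ of the inner shell, never interpolated into -c` would save the next reader the analysis.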
@@ -0,0 +1,32 @@
+#!/sbin/openrc-run
+
+name="$RC_SVCNAME"
+cfgfile="/etc/conf.d/$RC_SVCNAME.conf"
+pidfile="/run/$RC_SVCNAME.pid"
+working_directory="/usr/share/webapps/authentik"
+command="/usr/bin/authentik-manage"
+command_args="worker"
+command_user="authentik"
+command_group="authentik"
+start_stop_daemon_args=""
+command_background="yes"
+output_log="/var/log/authentik/$RC_SVCNAME.log"
+error_log="/var/log/authentik/$RC_SVCNAME.err"
+
+depend() {
+ need redis
+ need postgresql
+}
+
+start_pre() {
+ cd "$working_directory"
+ checkpath --directory --owner $command_user:$command_group --mode 0775 \
+ /var/log/authentik \
+ /var/lib/authentik/certs \
+ /var/lib/authentik/blueprints
+}
+
+stop_pre() {
+ ebegin "Killing child processes"
+ kill $(ps -o pid= --ppid $(cat $pidfile)) || true
+}
diff --git a/ilot/authentik/authentik.openrc b/ilot/authentik/authentik.openrc
new file mode 100644
index 0000000..a036393
--- /dev/null
+++ b/ilot/authentik/authentik.openrc
@@ -0,0 +1,30 @@
+#!/sbin/openrc-run
+
+name="$RC_SVCNAME"
+cfgfile="/etc/conf.d/$RC_SVCNAME.conf"
+pidfile="/run/$RC_SVCNAME.pid"
+working_directory="/usr/share/webapps/authentik"
+command="/usr/share/webapps/authentik/server"
+command_user="authentik"
+command_group="authentik"
+start_stop_daemon_args=""
+command_background="yes"
+output_log="/var/log/authentik/$RC_SVCNAME.log"
+error_log="/var/log/authentik/$RC_SVCNAME.err"
+
+depend() {
+ need redis
+ need postgresql
+}
+
+start_pre() {
+ cd "$working_directory"
+ checkpath --directory --owner $command_user:$command_group --mode 0775 \
+ /var/log/authentik \
+ /var/lib/authentik/certs
+}
+
+stop_pre() {
+ ebegin "Killing child processes"
+ kill $(ps -o pid= --ppid $(cat $pidfile)) || true
+}
diff --git a/ilot/authentik/authentik.post-install b/ilot/authentik/authentik.post-install
new file mode 100755
index 0000000..a715d20
--- /dev/null
+++ b/ilot/authentik/authentik.post-install
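Review bot: stop_pre's `kill $(ps -o pid= --ppid $(cat $pidfile)) || true` leaves `$pidfile` unquoted, and the trailing `|| true` hides a missing or stale pidfile as well as a failed kill, so the hook reports nothing when it does nothing. `[ -r "$pidfile" ] && pkill -P "$(cat "$pidfile")"` (pkill comes from procps, already a dependency) keeps the same semantics with the failure modes visible. Note that either form signals only the direct children of the daemon; if the worker forks further, those grandchildren survive — presumably the reason the hook exists, so worth confirming against how the worker spawns. authentik.openrc carries an identical stop_pre.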
@@ -0,0 +1,39 @@
+#!/bin/sh
+set -eu
+
+group=authentik
+config_file='/etc/authentik/config.yml'
+
+setcap 'cap_net_bind_service=+ep' /usr/share/webapps/authentik/server
+
+if [ $(grep '@@SECRET_KEY@@' "$config_file") ]; then
+ echo "* Generating random secret in $config_file" >&2
+
+ secret_key="$(pwgen -s 50 1)"
+ sed -i "s|@@SECRET_KEY@@|$secret_key|" "$config_file"
+ chown root:$group "$config_file"
+fi
+
+if [ "${0##*.}" = 'post-upgrade' ]; then
+ cat >&2 <<-EOF
+ *
+ * To finish Authentik upgrade run:
+ *
+ * authentik-manage migrate
+ *
+ EOF
+else
+ cat >&2 <<-EOF
+ *
+ * 1. Adjust settings in /etc/authentik/config.yml.
+ *
+ * 2. Create database for Authentik:
+ *
+ * psql -c "CREATE ROLE authentik PASSWORD 'top-secret' INHERIT LOGIN;"
+ * psql -c "CREATE DATABASE authentik OWNER authentik ENCODING 'UTF-8';"
+ *
+ * 3. Run "authentik-manage migrate"
+ * 4. Setup admin user at https:///if/flow/initial-setup/
+ *
+ EOF
+fi
diff --git a/ilot/authentik/authentik.post-upgrade b/ilot/authentik/authentik.post-upgrade
new file mode 120000
index 0000000..d310dd8
--- /dev/null
+++ b/ilot/authentik/authentik.post-upgrade
@@ -0,0 +1 @@
+authentik.post-install
\ No newline at end of file
diff --git a/ilot/authentik/authentik.pre-install b/ilot/authentik/authentik.pre-install
new file mode 100644
index 0000000..792f304
--- /dev/null
+++ b/ilot/authentik/authentik.pre-install
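Review bot: `if [ $(grep '@@SECRET_KEY@@' "$config_file") ]; then` word-splits grep's output into the test, so when the placeholder is present `[` receives the two words `secret_key:` and `'@@SECRET_KEY@@'`, which is not a valid test expression; under `set -e` that aborts the script before the secret is generated and before the `chown root:$group` runs, and when the placeholder is absent the empty test is false only by accident. `if grep -q '@@SECRET_KEY@@' "$config_file"; then` is the intended check. The first-install message also prints `https:///if/flow/initial-setup/` with an empty host; `https://<your-host>/if/flow/initial-setup/` would read as the placeholder it is.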
@@ -0,0 +1,26 @@
+#!/bin/sh
+# It's very important to set user/group correctly.
+
+authentik_dir='/var/lib/authentik'
+
+if ! getent group authentik 1>/dev/null; then
+ echo '* Creating group authentik' 1>&2
+
+ addgroup -S authentik
+fi
+
+if ! id authentik 2>/dev/null 1>&2; then
+ echo '* Creating user authentik' 1>&2
+
+ adduser -DHS -G authentik -h "$authentik_dir" -s /bin/sh \
+ -g "added by apk for authentik" authentik
+ passwd -u authentik 1>/dev/null # unlock
+fi
+
+if ! id -Gn authentik | grep -Fq redis; then
+ echo '* Adding user authentik to group redis' 1>&2
+
+ addgroup authentik redis
+fi
+
+exit 0
diff --git a/ilot/authentik/fix-ak-bash.patch b/ilot/authentik/fix-ak-bash.patch
new file mode 100644
index 0000000..c6afafb
--- /dev/null
+++ b/ilot/authentik/fix-ak-bash.patch
@@ -0,0 +1,10 @@
+diff --git a/lifecycle/ak.orig b/lifecycle/ak
+index 615bfe9..1646274 100755
+--- a/lifecycle/ak.orig
++++ b/lifecycle/ak
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env -S bash -e
++#!/usr/bin/env bash
+ MODE_FILE="${TMPDIR}/authentik-mode"
+
+ function log {
diff --git a/ilot/authentik/root-settings-csrf_trusted_origins.patch b/ilot/authentik/root-settings-csrf_trusted_origins.patch
new file mode 100644
index 0000000..4c235f9
--- /dev/null
+++ b/ilot/authentik/root-settings-csrf_trusted_origins.patch
@@ -0,0 +1,12 @@
+diff --git a/authentik/root/settings.py b/authentik/root/settings.py
+index 15e689b06..8b0c1d744 100644
+--- a/authentik/root/settings.py
++++ b/authentik/root/settings.py
+@@ -33,6 +33,7 @@ AUTH_USER_MODEL = "authentik_core.User"
+
+ CSRF_COOKIE_NAME = "authentik_csrf"
+ CSRF_HEADER_NAME = "HTTP_X_AUTHENTIK_CSRF"
++CSRF_TRUSTED_ORIGINS = CONFIG.get("csrf.trusted_origins")
+ LANGUAGE_COOKIE_NAME = "authentik_language"
+ SESSION_COOKIE_NAME = "authentik_session"
+ SESSION_COOKIE_DOMAIN = CONFIG.get("cookie_domain", None)
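Review bot: `passwd -u authentik 1>/dev/null # unlock` runs on an account that `adduser -DHS` just created without a password; on busybox, unlocking a `!`-locked shadow entry strips the `!` and can leave the password field empty, and depending on the login stack an empty field can mean `su authentik` succeeds for non-root users without a password — please confirm on the target system before keeping it. If the unlock is required for the service account to be usable, a comment giving that reason would help, since `# unlock` says what but not why. The script also does not `set -e`, so a failed `addgroup`/`adduser` is not fatal; `exit 0` at the end makes that explicit, which is fine if intentional.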
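Review bot: The patch rewrites `#!/usr/bin/env -S bash -e` as `#!/usr/bin/env bash`, presumably because the target env does not support `-S`, but it also drops errexit from lifecycle/ak, so a failing step in that script no longer aborts it. Adding `set -e` as the first line after the shebang in the same patch keeps the upstream failure behaviour while fixing the shebang.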
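Review bot: `CSRF_TRUSTED_ORIGINS = CONFIG.get("csrf.trusted_origins")` evaluates to None when the key is absent from the config, while Django expects a list here; `CONFIG.get("csrf.trusted_origins", [])` keeps the default behaviour for configs that never set it, matching the `CONFIG.get("cookie_domain", None)` style two lines below. The default the APKBUILD writes, `trusted_origins: ['auth.example.com']`, has no scheme, and Django 4+ rejects scheme-less entries in CSRF_TRUSTED_ORIGINS at system-check time, so the shipped value should be `['https://auth.example.com']` or, better, an empty list the admin fills in; `authentik-manage check` on a fresh install would confirm.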