diff --git a/docs/examples/docker/idp-authentik-traefik/README.md b/docs/examples/docker/idp-authentik-traefik/README.md index 8034ac0f..9517ace7 100644 --- a/docs/examples/docker/idp-authentik-traefik/README.md +++ b/docs/examples/docker/idp-authentik-traefik/README.md @@ -3,9 +3,24 @@ This example should be enough to get things working. I have confirmed this basic config personally. User creation and management work, however once a user is passed through to copy party, manual editing of the config file will be needed to control new users. i.e. anyone you let through your SSO portal will be granted basic/default settings and permissions, unless manually configured otherwise. +To control more than just letting users through to your instance, make sure to add the username passed through by authentik to copyparty (default just the authentik username) with a plain password. e.g. : + +``` +[accounts] + username: foo +``` + +This will allow you to use copyparty's existing config mechanisms to manage users from your SSO. Add the relevant user/s to the su group to given them superuser privilleges within copyparty. + +Ensure to create the external network proxy (not needed if everything you want behind traefik is is the same docker-compose stack).To create the "proxy" docker network see https://docs.docker.com/reference/cli/docker/network/create/ + +for an basic example: + `docker network create -d bridge proxy` + this is based on: * https://goauthentik.io/docker-compose.yml * https://goauthentik.io/docs/providers/proxy/server_traefik incomplete list of modifications made: * support for running with podman as root on fedora (`:z` volumes, `label:disable`) +v \ No newline at end of file diff --git a/docs/examples/docker/idp-authentik-traefik/cpp/copyparty.conf b/docs/examples/docker/idp-authentik-traefik/cpp/copyparty.conf index afdad42f..4297cf90 100644 --- a/docs/examples/docker/idp-authentik-traefik/cpp/copyparty.conf +++ b/docs/examples/docker/idp-authentik-traefik/cpp/copyparty.conf @@ -13,7 +13,12 @@ # because that is the data-volume in the docker containers, # because a deployment like this (with an IdP) is more commonly # seen in containerized environments -- but this is not required +[accounts] + #match the username to authentik header used, password is ignored + username: foo +[groups] + su: username # "su" is a special group-name in copyparty, members get admin rights [global] e2dsa # enable file indexing and filesystem scanning @@ -52,26 +57,9 @@ rwmda: ${u}, @su # read-write-move-delete-admin for that username + the "su" group -[/lounge/${g}] # each group gets their own shared volume - /w/lounge/${g} # stored at DATAVOLUME/lounge/groupname - accs: - r: * # read-access for anyone, and - rwmda: @${g}, @su # read-write-move-delete-admin for that group + the "su" group - - -[/lounge/${g}/priv] # and a private area for each group too - /w/lounge/${g}/priv # stored at DATAVOLUME/lounge/groupname/priv - accs: - rwmda: @${g}, @su # read-write-move-delete-admin for that group + the "su" group - - # and create some strategic volumes to prevent anyone from gaining # unintended access to priv folders if the users/groups db is lost [/u] /w/u accs: rwmda: @su -[/lounge] - /w/lounge - accs: - rwmda: @su diff --git a/docs/examples/docker/idp-authentik-traefik/docker-compose.yml b/docs/examples/docker/idp-authentik-traefik/docker-compose.yml index c649e0be..44e692f3 100644 --- a/docs/examples/docker/idp-authentik-traefik/docker-compose.yml +++ b/docs/examples/docker/idp-authentik-traefik/docker-compose.yml @@ -18,10 +18,23 @@ services: ports: - 3923 labels: - - 'traefik.enable=true' - - 'traefik.http.routers.fs.rule=Host(`fs.example.com`)' - - 'traefik.http.routers.fs.entrypoints=http' + - "traefik.enable=true" + - "traefik.http.routers.fs.entrypoints=http" + - "traefik.http.routers.fs.rule=Host(`fs.example.com`)" + - "traefik.http.middlewares.fs-https-redirect.redirectscheme.scheme=https" + - "traefik.http.routers.fs.middlewares=fs-https-redirect" + - "traefik.http.routers.fs-secure.entrypoints=https" + + - "traefik.http.routers.fs-secure.rule=Host(`fs.example.com`)" + - "traefik.http.routers.fs-secure.tls=true" + - "traefik.http.routers.fs-secure.tls.certresolver=cloudflare" + - "traefik.http.routers.fs-secure.service=fs" + - "traefik.http.services.fs.loadbalancer.server.port=3923" + - 'traefik.http.routers.fs.middlewares=ak-forwardauth@docker' # using authentik built-in docker outpost + - "traefik.docker.network=proxy" + depends_on: + - authentik_server stop_grace_period: 15s # thumbnailer is allowed to continue finishing up for 10s after the shutdown signal environment: LD_PRELOAD: /usr/lib/libmimalloc-secure.so.NOPE @@ -107,6 +120,7 @@ services: env_file: - .env ports: + #can be commented out if you only want to access authentik via traefik - 9000 - 9443 depends_on: @@ -131,8 +145,8 @@ services: # ForwardAuth middleware → embedded outpost (internal URL!) will work for all services on the same docker network - "traefik.http.middlewares.ak-forwardauth.forwardauth.address=http://authentik-server:9000/outpost.goauthentik.io/auth/traefik" - "traefik.http.middlewares.ak-forwardauth.forwardauth.trustForwardHeader=true" - # Choose which headers you want forwarded to the backend - - "traefik.http.middlewares.ak-forwardauth.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-entitlements,X-authentik-email,X-authentik-name,X-authentik-uid" + # Choose which headers you want forwarded to the backend from https://docs.goauthentik.io/add-secure-apps/providers/proxy/server_traefik/ + - "traefik.http.middlewares.ak-forwardauth.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups" networks: - proxy - authentik-backend @@ -168,6 +182,8 @@ services: networks: - proxy - authentik-backend + +#you have to manually create this network before starting docker-compose networks: proxy: external: true