From afc226825f54ea44bbc5f6a584a7505accee78c7 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Mon, 25 Dec 2023 19:43:47 +0100
Subject: [PATCH] don't put stock blueprints in /data, symlink

Signed-off-by: Jens Langhammer
---
 Dockerfile | 4 +++-
 authentik/lib/default.yml | 2 +-
 docker-compose.yml | 10 +++++-----
 website/docs/core/applications.md | 4 ++--
 website/docs/core/architecture.md | 6 +++---
 website/docs/core/certificates.md | 10 +++++-----
 website/docs/flow/stages/email/index.mdx | 2 +-
 7 files changed, 20 insertions(+), 18 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 53de27013..bab10184d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -132,6 +132,8 @@ RUN apt-get update && \
 rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/ && \
 adduser --system --no-create-home --uid 1000 --group --home /authentik authentik && \
 mkdir -p /data/certs /data/media /data/blueprints && \
+ mkdir -p /ak-root/blueprints && \
+ ln -s /data/blueprints /ak-root/blueprints/local && \
 mkdir -p /authentik/.ssh && \
 mkdir -p /ak-root && \
 chown authentik:authentik /data/certs /data/media /authentik/.ssh /ak-root
@@ -143,7 +145,7 @@ COPY ./schemas /ak-root/schemas
 COPY ./locale /ak-root/locale
 COPY ./tests /ak-root/tests
 COPY ./manage.py /ak-root/
-COPY ./blueprints /data/blueprints
+COPY ./blueprints /ak-root/blueprints
 COPY ./lifecycle/ /ak-root/lifecycle
 COPY --from=go-builder /go/authentik /bin/authentik
 COPY --from=python-deps /ak-root/venv /ak-root/venv
diff --git a/authentik/lib/default.yml b/authentik/lib/default.yml
index 0fd5206c4..08d223464 100644
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@@ -57,7 +57,7 @@ paths:
 media: /data/media
 cert_discovery: /data/certs
 email_templates: /data/email-templates
- blueprints: /data/blueprints
+ blueprints: /ak-root/blueprints
 debug: false
 remote_debug: false
diff --git a/docker-compose.yml b/docker-compose.yml
index a7491656d..88c36cc31 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
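Review bot: The `local` symlink is created before `COPY ./blueprints /ak-root/blueprints` in the next hunk, so if the build context's `blueprints/` directory contains a `local` entry (for example a placeholder file) the COPY would write through the link into `/data/blueprints` or replace it — I cannot tell from the diff whether such an entry exists, so either exclude `blueprints/local` via `.dockerignore` or move the `ln -s` after the COPY. The `mkdir -p /ak-root && \` on the following line is now redundant, since `mkdir -p /ak-root/blueprints` already creates the parent. The `chown authentik:authentik ... /ak-root` on the last context line is not recursive, so `/ak-root/blueprints` and the blueprints copied into it appear to stay root-owned; that is desirable (the runtime user cannot alter shipped blueprints), but a comment above the `ln -s` such as `# stock blueprints are read-only in the image; user blueprints are discovered via local/ -> /data/blueprints` would make the intent explicit.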
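Review bot: `blueprints: /ak-root/blueprints` now points discovery at a directory that holds the shipped blueprints plus the `local/` symlink to `/data/blueprints`, and nothing in the hunk documents that layout; an operator who overrides this path back to `/data/blueprints` (the previous value) would presumably lose the stock blueprints without any error. Add a comment above the key, e.g. `# Stock blueprints ship in the image; custom blueprints belong in /data/blueprints, exposed here as local/`. The `paths:` mapping starts outside the hunk.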
@@ -42,8 +42,8 @@ services:
 AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
 AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
 volumes:
- - ./media:/media
- - ./custom-templates:/templates
+ - ./media:/data/media
+ - ./custom-templates:/data/email-templates
 env_file:
 - .env
 ports:
@@ -71,9 +71,9 @@ services:
 user: root
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock
- - ./media:/media
- - ./certs:/certs
- - ./custom-templates:/templates
+ - ./media:/data/media
+ - ./certs:/data/certs
+ - ./custom-templates:/data/email-templates
 env_file:
 - .env
 depends_on:
diff --git a/website/docs/core/applications.md b/website/docs/core/applications.md
index d27d51097..9e3ded6da 100644
--- a/website/docs/core/applications.md
+++ b/website/docs/core/applications.md
@@ -31,9 +31,9 @@ The following aspects can be configured: - _Icon (URL)_: Optionally configure an Icon for the application If the authentik server does not have a volume mounted under `/media`, you'll get a text input. This accepts absolute URLs. If you've mounted single files into the container, you can reference them using `https://authentik.company/media/my-file.png`. + If the authentik server does not have a volume mounted under `/data/media`, you'll get a text input. This accepts absolute URLs. If you've mounted single files into the container, you can reference them using `https://authentik.company/media/my-file.png`. - If there is a mount under `/media`, you'll instead see a field to upload a file. + If there is a mount under `/data/media`, you'll instead see a field to upload a file. - _Publisher_: Text shown below the application - _Description_: Subtext shown on the application card below the publisher
diff --git a/website/docs/core/architecture.md b/website/docs/core/architecture.md
index 078279afe..9217d58c1 100644
--- a/website/docs/core/architecture.md
+++ b/website/docs/core/architecture.md
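Review bot: The certbot example changed in website/docs/core/certificates.md (hunk -84,7) now binds the host directory `./data/certs/`, while this compose file still binds the host directory `./certs` into the container path `/data/certs`; the `/data/` prefix is container-side only, so certbot would write certificates where the worker never looks, and that doc line should remain `- ./certs/:/etc/letsencrypt`. Separately, `/data/blueprints` — the target of the `local/` symlink added in the Dockerfile — is not mounted by either service, so custom blueprints placed there in a compose deployment are not persisted; if that directory is meant to be user-facing, add `- ./blueprints:/data/blueprints` next to the other mounts, otherwise document that it is intentionally not exposed. Since the worker appears to only read `./certs` (certificate discovery) and `./custom-templates`, marking those binds read-only, e.g. `- ./certs:/data/certs:ro`, would stop a compromised worker from replacing keys or templates — confirm first that nothing in the worker writes to them. The hunk at -42,8 mirrors the same mount shape for the server service.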
@@ -29,7 +29,7 @@ Similar to [other outposts](../outposts/index.mdx), this outpost allows using [P
 #### Persistence
-- `/media` is used to store icons and such, but not required, and if not mounted, authentik will allow you to set a URL to icons in place of a file upload
+- `/data/media` is used to store icons and such, but not required, and if not mounted, authentik will allow you to set a URL to icons in place of a file upload
 ### Background Worker
@@ -37,8 +37,8 @@ This container executes background tasks, such as sending emails, the event noti
 #### Persistence
-- `/certs` is used for authentik to import external certs, which in most cases shouldn't be used for SAML, but rather if you use authentik without a reverse proxy, this can be used for example for the [Let's Encrypt integration](../core/certificates.md#lets-encrypt)
-- `/templates` is used for [custom email templates](../flow/stages/email/index.mdx#custom-templates), and as with the other ones fully optional
+- `/data/certs` is used for authentik to import external certs, which in most cases shouldn't be used for SAML, but rather if you use authentik without a reverse proxy, this can be used for example for the [Let's Encrypt integration](../core/certificates.md#lets-encrypt)
+- `/data/email-templates` is used for [custom email templates](../flow/stages/email/index.mdx#custom-templates), and as with the other ones fully optional
 ### PostgreSQL
diff --git a/website/docs/core/certificates.md b/website/docs/core/certificates.md
index 465f98ca5..b803f8e6d 100644
--- a/website/docs/core/certificates.md
+++ b/website/docs/core/certificates.md
@@ -24,9 +24,9 @@ For SAML use-cases, you can generate a Certificate that's valid for longer than
 To use externally managed certificates, for example generated with certbot or HashiCorp Vault, you can use the discovery feature.
-The docker-compose installation maps a `certs` directory to `/certs`, you can simply use this as an output directory for certbot.
+The docker-compose installation maps a `certs` directory to `/data/certs`, you can simply use this as an output directory for certbot.
-For Kubernetes, you can map custom secrets/volumes under `/certs`.
+For Kubernetes, you can map custom secrets/volumes under `/data/certs`.
 You can also bind mount single files into the folder, as long as they fall under this naming schema.
@@ -62,9 +62,9 @@ Files are checked every 5 minutes, and will trigger an Outpost refresh if the fi
 Starting with authentik 2022.9, you can also import certificates with any folder structure directly. To do this, run the following command within the worker container:
 ```shell
-ak import_certificate --certificate /certs/mycert.pem --private-key /certs/something.pem --name test
+ak import_certificate --certificate /data/certs/mycert.pem --private-key /data/certs/something.pem --name test
 # --private-key can be omitted to only import a certificate, i.e. to trust other connections
-# ak import_certificate --certificate /certs/othercert.pem --name test2
+# ak import_certificate --certificate /data/certs/othercert.pem --name test2
 ```
 This will import the certificate into authentik under the given name. This command is idempotent, meaning you can run it via a cron-job and authentik will only update the certificate when it changes.
@@ -84,7 +84,7 @@ services:
 certbot:
 image: certbot/dns-route53:v1.22.0
 volumes:
- - ./certs/:/etc/letsencrypt
+ - ./data/certs/:/etc/letsencrypt
 # Variables depending on DNS Plugin
 environment:
 AWS_ACCESS_KEY_ID: ...
diff --git a/website/docs/flow/stages/email/index.mdx b/website/docs/flow/stages/email/index.mdx
index a7751e295..8b057b145 100644
--- a/website/docs/flow/stages/email/index.mdx
+++ b/website/docs/flow/stages/email/index.mdx
@@ -65,7 +65,7 @@ volumes:
 name: authentik-templates
 volumeMounts:
 - name: email-templates
- mountPath: /templates
+ mountPath: /data/email-templates
 ```