don't put stock blueprints in /data, symlink

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
Jens Langhammer 2023-12-25 19:43:47 +01:00
parent 23557c49a5
commit afc226825f
No known key found for this signature in database
7 changed files with 20 additions and 18 deletions


@ -132,6 +132,8 @@ RUN apt-get update && \
rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/ && \ rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/ && \
adduser --system --no-create-home --uid 1000 --group --home /authentik authentik && \ adduser --system --no-create-home --uid 1000 --group --home /authentik authentik && \
mkdir -p /data/certs /data/media /data/blueprints && \ mkdir -p /data/certs /data/media /data/blueprints && \
mkdir -p /ak-root/blueprints && \
ln -s /data/blueprints /ak-root/blueprints/local && \
mkdir -p /authentik/.ssh && \ mkdir -p /authentik/.ssh && \
mkdir -p /ak-root && \ mkdir -p /ak-root && \
chown authentik:authentik /data/certs /data/media /authentik/.ssh /ak-root chown authentik:authentik /data/certs /data/media /authentik/.ssh /ak-root
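Review bot: `mkdir -p /ak-root` two lines below the new `mkdir -p /ak-root/blueprints` is now redundant, since `-p` already creates the parent; either drop it or place the two new lines after it. Also, `/data/blueprints` is still absent from the final `chown authentik:authentik …` list, so inside the image it stays root-owned while the `authentik` user created just above presumably runs the service; that is fine for a read-only mount, but worth stating in a comment so nobody later expects the process to write there.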
@ -143,7 +145,7 @@ COPY ./schemas /ak-root/schemas
COPY ./locale /ak-root/locale COPY ./locale /ak-root/locale
COPY ./tests /ak-root/tests COPY ./tests /ak-root/tests
COPY ./manage.py /ak-root/ COPY ./manage.py /ak-root/
COPY ./blueprints /data/blueprints COPY ./blueprints /ak-root/blueprints
COPY ./lifecycle/ /ak-root/lifecycle COPY ./lifecycle/ /ak-root/lifecycle
COPY --from=go-builder /go/authentik /bin/authentik COPY --from=go-builder /go/authentik /bin/authentik
COPY --from=python-deps /ak-root/venv /ak-root/venv COPY --from=python-deps /ak-root/venv /ak-root/venv
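Review bot: `COPY ./blueprints /ak-root/blueprints` now lands in the directory that already holds the `local` symlink created in the previous hunk; if the build context's `blueprints/` ever gains a `local` entry, the COPY would replace the symlink with a real directory and user blueprints mounted at `/data/blueprints` would silently stop being discovered. Consider creating the symlink after the COPY, or excluding `blueprints/local` via `.dockerignore`.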


@ -57,7 +57,7 @@ paths:
media: /data/media media: /data/media
cert_discovery: /data/certs cert_discovery: /data/certs
email_templates: /data/email-templates email_templates: /data/email-templates
blueprints: /data/blueprints blueprints: /ak-root/blueprints
debug: false debug: false
remote_debug: false remote_debug: false
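Review bot: the default `blueprints` path moves from `/data/blueprints` to `/ak-root/blueprints`, but none of the documentation hunks in this commit mention it. A deployment that pins the path to `/data/blueprints` through a config override would no longer load the stock blueprints shipped in the image, only its own; add a line to the configuration docs and the release notes explaining that user blueprints belong in `/data/blueprints`, which is exposed as `/ak-root/blueprints/local`.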


@ -42,8 +42,8 @@ services:
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik} AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS} AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
volumes: volumes:
- ./media:/media - ./media:/data/media
- ./custom-templates:/templates - ./custom-templates:/data/email-templates
env_file: env_file:
- .env - .env
ports: ports:
@ -71,9 +71,9 @@ services:
user: root user: root
volumes: volumes:
- /var/run/docker.sock:/var/run/docker.sock - /var/run/docker.sock:/var/run/docker.sock
- ./media:/media - ./media:/data/media
- ./certs:/certs - ./certs:/data/certs
- ./custom-templates:/templates - ./custom-templates:/data/email-templates
env_file: env_file:
- .env - .env
depends_on: depends_on:
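Review bot: both compose hunks change the container-side mount targets (`/media` to `/data/media`, `/certs` to `/data/certs`, `/templates` to `/data/email-templates`) while keeping the host paths unchanged; anyone running a customized copy of this compose file will keep mounting at the old targets and silently lose media, certificates and templates after upgrading. This needs a release-note entry, and the `.env`/compose upgrade docs should point at the new paths.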


@ -31,9 +31,9 @@ The following aspects can be configured:
- _Icon (URL)_: Optionally configure an Icon for the application - _Icon (URL)_: Optionally configure an Icon for the application
If the authentik server does not have a volume mounted under `/media`, you'll get a text input. This accepts absolute URLs. If you've mounted single files into the container, you can reference them using `https://authentik.company/media/my-file.png`. If the authentik server does not have a volume mounted under `/data/media`, you'll get a text input. This accepts absolute URLs. If you've mounted single files into the container, you can reference them using `https://authentik.company/media/my-file.png`.
If there is a mount under `/media`, you'll instead see a field to upload a file. If there is a mount under `/data/media`, you'll instead see a field to upload a file.
- _Publisher_: Text shown below the application - _Publisher_: Text shown below the application
- _Description_: Subtext shown on the application card below the publisher - _Description_: Subtext shown on the application card below the publisher


@ -29,7 +29,7 @@ Similar to [other outposts](../outposts/index.mdx), this outpost allows using [P
#### Persistence #### Persistence
- `/media` is used to store icons and such, but not required, and if not mounted, authentik will allow you to set a URL to icons in place of a file upload - `/data/media` is used to store icons and such, but not required, and if not mounted, authentik will allow you to set a URL to icons in place of a file upload
### Background Worker ### Background Worker
@ -37,8 +37,8 @@ This container executes background tasks, such as sending emails, the event noti
#### Persistence #### Persistence
- `/certs` is used for authentik to import external certs, which in most cases shouldn't be used for SAML, but rather if you use authentik without a reverse proxy, this can be used for example for the [Let's Encrypt integration](../core/certificates.md#lets-encrypt) - `/data/certs` is used for authentik to import external certs, which in most cases shouldn't be used for SAML, but rather if you use authentik without a reverse proxy, this can be used for example for the [Let's Encrypt integration](../core/certificates.md#lets-encrypt)
- `/templates` is used for [custom email templates](../flow/stages/email/index.mdx#custom-templates), and as with the other ones fully optional - `/data/email-templates` is used for [custom email templates](../flow/stages/email/index.mdx#custom-templates), and as with the other ones fully optional
### PostgreSQL ### PostgreSQL
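Review bot: the worker's Persistence list now documents `/data/certs` and `/data/email-templates` but not `/data/blueprints`, which this commit makes the mount point for user blueprints (symlinked to `/ak-root/blueprints/local`); add a bullet for it here, marked optional like the others.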


@ -24,9 +24,9 @@ For SAML use-cases, you can generate a Certificate that's valid for longer than
To use externally managed certificates, for example generated with certbot or HashiCorp Vault, you can use the discovery feature. To use externally managed certificates, for example generated with certbot or HashiCorp Vault, you can use the discovery feature.
The docker-compose installation maps a `certs` directory to `/certs`, you can simply use this as an output directory for certbot. The docker-compose installation maps a `certs` directory to `/data/certs`, you can simply use this as an output directory for certbot.
For Kubernetes, you can map custom secrets/volumes under `/certs`. For Kubernetes, you can map custom secrets/volumes under `/data/certs`.
You can also bind mount single files into the folder, as long as they fall under this naming schema. You can also bind mount single files into the folder, as long as they fall under this naming schema.
@ -62,9 +62,9 @@ Files are checked every 5 minutes, and will trigger an Outpost refresh if the fi
Starting with authentik 2022.9, you can also import certificates with any folder structure directly. To do this, run the following command within the worker container: Starting with authentik 2022.9, you can also import certificates with any folder structure directly. To do this, run the following command within the worker container:
```shell ```shell
ak import_certificate --certificate /certs/mycert.pem --private-key /certs/something.pem --name test ak import_certificate --certificate /data/certs/mycert.pem --private-key /data/certs/something.pem --name test
# --private-key can be omitted to only import a certificate, i.e. to trust other connections # --private-key can be omitted to only import a certificate, i.e. to trust other connections
# ak import_certificate --certificate /certs/othercert.pem --name test2 # ak import_certificate --certificate /data/certs/othercert.pem --name test2
``` ```
This will import the certificate into authentik under the given name. This command is idempotent, meaning you can run it via a cron-job and authentik will only update the certificate when it changes. This will import the certificate into authentik under the given name. This command is idempotent, meaning you can run it via a cron-job and authentik will only update the certificate when it changes.
@ -84,7 +84,7 @@ services:
certbot: certbot:
image: certbot/dns-route53:v1.22.0 image: certbot/dns-route53:v1.22.0
volumes: volumes:
- ./certs/:/etc/letsencrypt - ./data/certs/:/etc/letsencrypt
# Variables depending on DNS Plugin # Variables depending on DNS Plugin
environment: environment:
AWS_ACCESS_KEY_ID: ... AWS_ACCESS_KEY_ID: ...
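Review bot: this replacement hit the host side of the bind mount: `./certs/:/etc/letsencrypt` became `./data/certs/:/etc/letsencrypt`, yet the compose file updated in this same commit still mounts the host directory `./certs` into the worker at `/data/certs`. As written, certbot would write certificates into a host directory authentik never reads; revert the host path to `./certs/` and leave only container-side paths on `/data/…`.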


@ -65,7 +65,7 @@ volumes:
name: authentik-templates name: authentik-templates
volumeMounts: volumeMounts:
- name: email-templates - name: email-templates
mountPath: /templates mountPath: /data/email-templates
``` ```
</TabItem> </TabItem>