don't put stock blueprints in /data, symlink
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
parent
23557c49a5
commit
afc226825f
@ -132,6 +132,8 @@ RUN apt-get update && \
|
||||||
rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/ && \
|
rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/ && \
|
||||||
adduser --system --no-create-home --uid 1000 --group --home /authentik authentik && \
|
adduser --system --no-create-home --uid 1000 --group --home /authentik authentik && \
|
||||||
mkdir -p /data/certs /data/media /data/blueprints && \
|
mkdir -p /data/certs /data/media /data/blueprints && \
|
||||||
|
mkdir -p /ak-root/blueprints && \
|
||||||
|
ln -s /data/blueprints /ak-root/blueprints/local && \
|
||||||
mkdir -p /authentik/.ssh && \
|
mkdir -p /authentik/.ssh && \
|
||||||
mkdir -p /ak-root && \
|
mkdir -p /ak-root && \
|
||||||
chown authentik:authentik /data/certs /data/media /authentik/.ssh /ak-root
|
chown authentik:authentik /data/certs /data/media /authentik/.ssh /ak-root
|
||||||
|
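Review bot: the new `ln -s /data/blueprints /ak-root/blueprints/local` points at a directory that the following `chown authentik:authentik /data/certs /data/media /authentik/.ssh /ak-root` does not cover, so `/data/blueprints` stays root-owned while the rest of `/data` is handed to uid 1000; add it to the chown list, or drop it from the `mkdir -p /data/certs /data/media /data/blueprints` line if it is only ever expected to exist as a mounted volume. Also `mkdir -p /ak-root/blueprints` now runs before the existing `mkdir -p /ak-root` two lines further down; harmless with `-p`, but folding both into one mkdir reads cleaner. Keeping the stock blueprints inside the image and exposing only the mounted directory as `local/` is the right direction: a writable `/data` volume can no longer replace the bundled blueprints.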
@ -143,7 +145,7 @@ COPY ./schemas /ak-root/schemas
|
||||||
COPY ./locale /ak-root/locale
|
COPY ./locale /ak-root/locale
|
||||||
COPY ./tests /ak-root/tests
|
COPY ./tests /ak-root/tests
|
||||||
COPY ./manage.py /ak-root/
|
COPY ./manage.py /ak-root/
|
||||||
COPY ./blueprints /data/blueprints
|
COPY ./blueprints /ak-root/blueprints
|
||||||
COPY ./lifecycle/ /ak-root/lifecycle
|
COPY ./lifecycle/ /ak-root/lifecycle
|
||||||
COPY --from=go-builder /go/authentik /bin/authentik
|
COPY --from=go-builder /go/authentik /bin/authentik
|
||||||
COPY --from=python-deps /ak-root/venv /ak-root/venv
|
COPY --from=python-deps /ak-root/venv /ak-root/venv
|
||||||
|
|
|
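Review bot: `COPY ./blueprints /ak-root/blueprints` now writes into a directory that already contains the `local` symlink created in the RUN layer above; confirm that the repository's `./blueprints` tree has no `local` entry, otherwise the COPY would replace the symlink with a real directory and the mounted `/data/blueprints` would silently stop being picked up. A one-line comment next to the COPY saying that `local/` is a symlink to `/data/blueprints` would spare the next reader the same question.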
@ -57,7 +57,7 @@ paths:
|
||||||
media: /data/media
|
media: /data/media
|
||||||
cert_discovery: /data/certs
|
cert_discovery: /data/certs
|
||||||
email_templates: /data/email-templates
|
email_templates: /data/email-templates
|
||||||
blueprints: /data/blueprints
|
blueprints: /ak-root/blueprints
|
||||||
|
|
||||||
debug: false
|
debug: false
|
||||||
remote_debug: false
|
remote_debug: false
|
||||||
|
|
|
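Review bot: the default `blueprints: /ak-root/blueprints` now refers to the copy baked into the image, and the only place for operator-supplied blueprints is the `/data/blueprints` volume that appears as `local/` underneath it; that mapping is not stated anywhere in this change, so either a comment here or a sentence in the docs hunks should say that custom blueprints go into `/data/blueprints`, not next to the stock ones.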
@ -42,8 +42,8 @@ services:
|
||||||
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
|
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
|
||||||
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
|
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
|
||||||
volumes:
|
volumes:
|
||||||
- ./media:/media
|
- ./media:/data/media
|
||||||
- ./custom-templates:/templates
|
- ./custom-templates:/data/email-templates
|
||||||
env_file:
|
env_file:
|
||||||
- .env
|
- .env
|
||||||
ports:
|
ports:
|
||||||
|
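Review bot: the server volume lines change the container side from `/media` and `/templates` to `/data/media` and `/data/email-templates`, which is a breaking change for anyone who has customised their compose file or mounts single files; deployments still using the old paths will not error, authentik will just fall back to the URL input for icons and ignore custom templates. This deserves a release note and, if feasible, a startup warning when the legacy paths are populated. No `./blueprints:/data/blueprints` mount is added alongside these lines, so the new `local/` symlink from the Dockerfile stays empty in the default compose setup.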
@ -71,9 +71,9 @@ services:
|
||||||
user: root
|
user: root
|
||||||
volumes:
|
volumes:
|
||||||
- /var/run/docker.sock:/var/run/docker.sock
|
- /var/run/docker.sock:/var/run/docker.sock
|
||||||
- ./media:/media
|
- ./media:/data/media
|
||||||
- ./certs:/certs
|
- ./certs:/data/certs
|
||||||
- ./custom-templates:/templates
|
- ./custom-templates:/data/email-templates
|
||||||
env_file:
|
env_file:
|
||||||
- .env
|
- .env
|
||||||
depends_on:
|
depends_on:
|
||||||
|
|
|
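Review bot: same container-path change as the server service, with `./certs:/data/certs` added only on the worker, which is consistent with the certificate discovery docs in this change naming `/data/certs` as the worker-side path. The worker still runs as `user: root` with the docker socket mounted (unchanged context), so files it creates under the host `./certs` and `./media` directories will be root-owned; not introduced here, but worth keeping in mind when the new paths are documented.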
@ -31,9 +31,9 @@ The following aspects can be configured:
|
||||||
|
|
||||||
- _Icon (URL)_: Optionally configure an Icon for the application
|
- _Icon (URL)_: Optionally configure an Icon for the application
|
||||||
|
|
||||||
If the authentik server does not have a volume mounted under `/media`, you'll get a text input. This accepts absolute URLs. If you've mounted single files into the container, you can reference them using `https://authentik.company/media/my-file.png`.
|
If the authentik server does not have a volume mounted under `/data/media`, you'll get a text input. This accepts absolute URLs. If you've mounted single files into the container, you can reference them using `https://authentik.company/media/my-file.png`.
|
||||||
|
|
||||||
If there is a mount under `/media`, you'll instead see a field to upload a file.
|
If there is a mount under `/data/media`, you'll instead see a field to upload a file.
|
||||||
|
|
||||||
- _Publisher_: Text shown below the application
|
- _Publisher_: Text shown below the application
|
||||||
- _Description_: Subtext shown on the application card below the publisher
|
- _Description_: Subtext shown on the application card below the publisher
|
||||||
|
|
|
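Review bot: the mount path in this paragraph becomes `/data/media`, but the example URL `https://authentik.company/media/my-file.png` keeps `/media/`; that is correct (the web path does not change), but a reader who has just seen the container path change may take it for a typo, so one clause stating that the URL prefix stays `/media/` regardless of the mount point would help.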
@ -29,7 +29,7 @@ Similar to [other outposts](../outposts/index.mdx), this outpost allows using [P
|
||||||
|
|
||||||
#### Persistence
|
#### Persistence
|
||||||
|
|
||||||
- `/media` is used to store icons and such, but not required, and if not mounted, authentik will allow you to set a URL to icons in place of a file upload
|
- `/data/media` is used to store icons and such, but not required, and if not mounted, authentik will allow you to set a URL to icons in place of a file upload
|
||||||
|
|
||||||
### Background Worker
|
### Background Worker
|
||||||
|
|
||||||
|
@ -37,8 +37,8 @@ This container executes background tasks, such as sending emails, the event noti
|
||||||
|
|
||||||
#### Persistence
|
#### Persistence
|
||||||
|
|
||||||
- `/certs` is used for authentik to import external certs, which in most cases shouldn't be used for SAML, but rather if you use authentik without a reverse proxy, this can be used for example for the [Let's Encrypt integration](../core/certificates.md#lets-encrypt)
|
- `/data/certs` is used for authentik to import external certs, which in most cases shouldn't be used for SAML, but rather if you use authentik without a reverse proxy, this can be used for example for the [Let's Encrypt integration](../core/certificates.md#lets-encrypt)
|
||||||
- `/templates` is used for [custom email templates](../flow/stages/email/index.mdx#custom-templates), and as with the other ones fully optional
|
- `/data/email-templates` is used for [custom email templates](../flow/stages/email/index.mdx#custom-templates), and as with the other ones fully optional
|
||||||
|
|
||||||
### PostgreSQL
|
### PostgreSQL
|
||||||
|
|
||||||
|
|
|
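Review bot: the persistence list here gains the new `/data/certs` and `/data/email-templates` paths but says nothing about `/data/blueprints`, which this change introduces as the mount point for custom blueprints (symlinked as `local/` in the Dockerfile); add a bullet for it so all of the mounted `/data` directories are documented in one place.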
@ -24,9 +24,9 @@ For SAML use-cases, you can generate a Certificate that's valid for longer than
|
||||||
|
|
||||||
To use externally managed certificates, for example generated with certbot or HashiCorp Vault, you can use the discovery feature.
|
To use externally managed certificates, for example generated with certbot or HashiCorp Vault, you can use the discovery feature.
|
||||||
|
|
||||||
The docker-compose installation maps a `certs` directory to `/certs`, you can simply use this as an output directory for certbot.
|
The docker-compose installation maps a `certs` directory to `/data/certs`, you can simply use this as an output directory for certbot.
|
||||||
|
|
||||||
For Kubernetes, you can map custom secrets/volumes under `/certs`.
|
For Kubernetes, you can map custom secrets/volumes under `/data/certs`.
|
||||||
|
|
||||||
You can also bind mount single files into the folder, as long as they fall under this naming schema.
|
You can also bind mount single files into the folder, as long as they fall under this naming schema.
|
||||||
|
|
||||||
|
@ -62,9 +62,9 @@ Files are checked every 5 minutes, and will trigger an Outpost refresh if the fi
|
||||||
Starting with authentik 2022.9, you can also import certificates with any folder structure directly. To do this, run the following command within the worker container:
|
Starting with authentik 2022.9, you can also import certificates with any folder structure directly. To do this, run the following command within the worker container:
|
||||||
|
|
||||||
```shell
|
```shell
|
||||||
ak import_certificate --certificate /certs/mycert.pem --private-key /certs/something.pem --name test
|
ak import_certificate --certificate /data/certs/mycert.pem --private-key /data/certs/something.pem --name test
|
||||||
# --private-key can be omitted to only import a certificate, i.e. to trust other connections
|
# --private-key can be omitted to only import a certificate, i.e. to trust other connections
|
||||||
# ak import_certificate --certificate /certs/othercert.pem --name test2
|
# ak import_certificate --certificate /data/certs/othercert.pem --name test2
|
||||||
```
|
```
|
||||||
|
|
||||||
This will import the certificate into authentik under the given name. This command is idempotent, meaning you can run it via a cron-job and authentik will only update the certificate when it changes.
|
This will import the certificate into authentik under the given name. This command is idempotent, meaning you can run it via a cron-job and authentik will only update the certificate when it changes.
|
||||||
|
@ -84,7 +84,7 @@ services:
|
||||||
certbot:
|
certbot:
|
||||||
image: certbot/dns-route53:v1.22.0
|
image: certbot/dns-route53:v1.22.0
|
||||||
volumes:
|
volumes:
|
||||||
- ./certs/:/etc/letsencrypt
|
- ./data/certs/:/etc/letsencrypt
|
||||||
# Variables depending on DNS Plugin
|
# Variables depending on DNS Plugin
|
||||||
environment:
|
environment:
|
||||||
AWS_ACCESS_KEY_ID: ...
|
AWS_ACCESS_KEY_ID: ...
|
||||||
|
|
|
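Review bot: the host side of the certbot mount was changed from `./certs/` to `./data/certs/`, but the worker service in the docker-compose hunk above mounts the host directory `./certs` into the container at `/data/certs`; with this change certbot writes to a host `./data/certs/` directory that nothing reads. The `/data` prefix belongs to the container path only, so this line should stay `- ./certs/:/etc/letsencrypt`.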
@ -65,7 +65,7 @@ volumes:
|
||||||
name: authentik-templates
|
name: authentik-templates
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: email-templates
|
- name: email-templates
|
||||||
mountPath: /templates
|
mountPath: /data/email-templates
|
||||||
```
|
```
|
||||||
|
|
||||||
</TabItem>
|
</TabItem>
|
||||||
|
|
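Review bot: the Kubernetes example only updates the email-templates `mountPath`; if the same manifest also mounts media or certs, their `mountPath` values need the matching `/data/...` update, otherwise the Kubernetes and compose examples in this change would disagree on where authentik looks for them.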