diff --git a/.dockerignore b/.dockerignore
index 94cf9d0ab..b1eb0cd9b 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,8 +1,8 @@
env
-static
htmlcov
*.env.yml
**/node_modules
dist/**
build/**
build_docs/**
+Dockerfile
diff --git a/.github/workflows/ci-main.yml b/.github/workflows/ci-main.yml
index 9e0686754..0371bcf9e 100644
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@@ -208,6 +208,9 @@ jobs:
- name: Building Docker Image
uses: docker/build-push-action@v3
with:
+ secrets: |
+ GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
+ GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
tags: |
ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }}
diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml
index d98f8e884..c09b8332b 100644
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@@ -31,6 +31,9 @@ jobs:
uses: docker/build-push-action@v3
with:
push: ${{ github.event_name == 'release' }}
+ secrets:
+ GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
+ GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
tags: |
beryju/authentik:${{ steps.ev.outputs.version }},
beryju/authentik:${{ steps.ev.outputs.versionFamily }},
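Review bot: The `secrets:` key added in this hunk is missing the `|` block-scalar indicator that the same stanza carries in ci-main.yml and in the build-outpost hunk below (`secrets: |`), so YAML reads the two indented lines as one plain multi-line scalar and folds them into a single line separated by a space. As far as I know build-push-action splits the `secrets` input on newlines, so it would see a single secret id `GEOIPUPDATE_ACCOUNT_ID` whose value is the account id followed by `GEOIPUPDATE_LICENSE_KEY=<key>`, and no `GEOIPUPDATE_LICENSE_KEY` secret at all; the Dockerfile's geoip stage then fails (and is silently skipped) on every release build. Change the line to `secrets: |` to match the other three workflow stanzas.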
@@ -39,7 +42,8 @@ jobs:
ghcr.io/goauthentik/server:${{ steps.ev.outputs.versionFamily }},
ghcr.io/goauthentik/server:latest
platforms: linux/amd64,linux/arm64
- context: .
+ build-args: |
+ VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
build-outpost:
runs-on: ubuntu-latest
strategy:
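Review bot: Dropping `context: .` while adding `build-args` changes which tree gets built, and the commit message does not say this is intended. Without an explicit context, build-push-action@v3 uses its default Git context (a clone of the triggering ref) instead of the checkout workspace, so anything earlier steps of this job generate or modify on disk is no longer part of the image; if that is deliberate, a one-line comment such as `# build from the Git context, not the workspace, so the release image only contains committed files` on the `uses:` line would save the next reader the question. If the workspace is needed, keep `context: .` alongside the new `build-args`. The enclosing job definition starts above this hunk.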
@@ -84,6 +88,11 @@ jobs:
ghcr.io/goauthentik/${{ matrix.type }}:latest
file: ${{ matrix.type }}.Dockerfile
platforms: linux/amd64,linux/arm64
+ secrets: |
+ GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
+ GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
+ build-args: |
+ VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
build-outpost-binary:
timeout-minutes: 120
runs-on: ubuntu-latest
diff --git a/Dockerfile b/Dockerfile
index 37b399542..8ccbd20e3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -46,7 +46,21 @@ COPY ./go.sum /work/go.sum
RUN go build -o /work/authentik ./cmd/server/
-# Stage 5: Run
+# Stage 5: MaxMind GeoIP
+FROM docker.io/maxmindinc/geoipupdate:v4.10 as geoip
+
+ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City"
+
+RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
+ --mount=type=secret,id=GEOIPUPDATE_LICENSE_KEY \
+ mkdir -p /usr/share/GeoIP && \
+ /bin/sh -c "\
+ export GEOIPUPDATE_ACCOUNT_ID=$(cat /run/secrets/GEOIPUPDATE_ACCOUNT_ID); \
+ export GEOIPUPDATE_LICENSE_KEY=$(cat /run/secrets/GEOIPUPDATE_LICENSE_KEY); \
+ /usr/bin/entry.sh || exit 0 \
+ "
+
+# Stage 6: Run
FROM docker.io/python:3.11.1-slim-bullseye AS final-image
LABEL org.opencontainers.image.url https://goauthentik.io
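Review bot: The `|| exit 0` after `/usr/bin/entry.sh` turns every failure of the GeoIP download into a successful stage — absent secrets (for example a pull_request build in the ci-main.yml hunk, where repository secrets are not exposed to forks), an expired or rotated license key, or a MaxMind outage — and because `mkdir -p` guarantees the directory exists, the `COPY --from=geoip /usr/share/GeoIP /geoip` in the next hunk then silently copies an empty directory, so a release image can ship without `/geoip/GeoLite2-City.mmdb` and nobody notices until lookups stop. Wrapping the exports in `/bin/sh -c "..."` also expands both `$(cat /run/secrets/...)` values into the inner shell's command line, where they are readable from the build container's process list, and leaves them unquoted. Keeping best-effort behaviour for builds without credentials is reasonable, but it should be explicit: skip only when the secret files are missing or empty, pass the values as environment variables directly to `entry.sh`, and print a warning rather than exiting silently when the update itself fails.
```dockerfile
RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    --mount=type=secret,id=GEOIPUPDATE_LICENSE_KEY \
    mkdir -p /usr/share/GeoIP && \
    if [ -s /run/secrets/GEOIPUPDATE_ACCOUNT_ID ] && [ -s /run/secrets/GEOIPUPDATE_LICENSE_KEY ]; then \
        GEOIPUPDATE_ACCOUNT_ID="$(cat /run/secrets/GEOIPUPDATE_ACCOUNT_ID)" \
        GEOIPUPDATE_LICENSE_KEY="$(cat /run/secrets/GEOIPUPDATE_LICENSE_KEY)" \
        /usr/bin/entry.sh || echo "WARNING: GeoIP update failed; image will not contain GeoLite2-City.mmdb" >&2; \
    else \
        echo "WARNING: GeoIP credentials not provided; skipping database download" >&2; \
    fi
# … unchanged: Stage 6 FROM/LABEL lines …
```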
@@ -60,6 +74,7 @@ ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
COPY --from=poetry-locker /work/requirements.txt /
COPY --from=poetry-locker /work/requirements-dev.txt /
+COPY --from=geoip /usr/share/GeoIP /geoip
RUN apt-get update && \
# Required for installing pip packages
diff --git a/docker-compose.yml b/docker-compose.yml
index ca289fa98..837b10fa9 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -44,7 +44,6 @@ services:
volumes:
- ./media:/media
- ./custom-templates:/templates
- - geoip:/geoip
env_file:
- .env
ports:
@@ -72,16 +71,6 @@ services:
- ./media:/media
- ./certs:/certs
- ./custom-templates:/templates
- - geoip:/geoip
- env_file:
- - .env
- geoipupdate:
- image: "maxmindinc/geoipupdate:latest"
- volumes:
- - "geoip:/usr/share/GeoIP"
- environment:
- GEOIPUPDATE_EDITION_IDS: "GeoLite2-City"
- GEOIPUPDATE_FREQUENCY: "8"
env_file:
- .env
@@ -90,5 +79,3 @@ volumes:
driver: local
redis:
driver: local
- geoip:
- driver: local
diff --git a/website/docs/core/geoip.mdx b/website/docs/core/geoip.mdx
new file mode 100644
index 000000000..b3cedbe47
--- /dev/null
+++ b/website/docs/core/geoip.mdx
@@ -0,0 +1,105 @@
+# GeoIP
+
+authentik supports GeoIP to add additional information to login/authorization/enrollment requests, and make policy decisions based on the lookup result.
+
+### Configuration
+
+:::info
+Starting with authentik 2022.12, GeoIP is bundled and does not require any additional setup.
+:::
+
+By default, the GeoIP database is loaded from `/geoip/GeoLite2-City.mmdb`. If more frequent database updates are desired, a volume can be mounted to `/geoip` to update this file externally. authentik will automatically re-load the file when it changes.
+
+### Deactivating GeoIP
+
+If you want to disable GeoIP, you can set the path to a non-existent path and authentik will skip the GeoIP.
+
+import Tabs from "@theme/Tabs";
+import TabItem from "@theme/TabItem";
+
+
+
+Add the following block to your `.env` file:
+
+```shell
+AUTHENTIK_GEOIP=/tmp/non-existent-file
+```
+
+Afterwards, run the upgrade commands from the latest release notes.
+
+
+
+Add the following block to your `values.yml` file:
+
+```yaml
+authentik:
+ geoip: /tmp/non-existent-file
+```
+
+Afterwards, run the upgrade commands from the latest release notes.
+
+
+
+
+### External updates
+
+Sign up for a free MaxMind account [here](https://www.maxmind.com/en/geolite2/signup).
+
+
+
+Add the following block to a `docker-compose.override.yml` file in the same folder as the authentik docker-compose file:
+
+```yaml
+version: "3.2"
+
+services:
+ server:
+ volumes:
+ - geoip:/geoip
+ worker:
+ volumes:
+ - geoip:/geoip
+ geoipupdate:
+ image: "maxmindinc/geoipupdate:latest"
+ volumes:
+ - "geoip:/usr/share/GeoIP"
+ environment:
+ GEOIPUPDATE_EDITION_IDS: "GeoLite2-City"
+ GEOIPUPDATE_FREQUENCY: "8"
+ GEOIPUPDATE_ACCOUNT_ID: "*your account ID*"
+ GEOIPUPDATE_LICENSE_KEY: "*your license key*"
+volumes:
+ geoip:
+ driver: local
+```
+
+Afterwards, run the upgrade commands from the latest release notes.
+
+
+
+Add the following block to your `values.yml` file:
+
+```yaml
+geoip:
+ enabled: true
+ accountId: "*your account ID*"
+ licenseKey: "*your license key*"
+ editionIds: "GeoLite2-City"
+ image: maxmindinc/geoipupdate:v4.8
+ updateInterval: 8
+```
+
+Afterwards, run the upgrade commands from the latest release notes.
+
+
+
diff --git a/website/docs/flow/stages/captcha/index.md b/website/docs/flow/stages/captcha/index.md
index e4cf069ba..3a2f50a83 100644
--- a/website/docs/flow/stages/captcha/index.md
+++ b/website/docs/flow/stages/captcha/index.md
@@ -2,8 +2,18 @@
title: Captcha stage
---
-This stage adds a form of verification using [Google's ReCaptcha](https://www.google.com/recaptcha/intro/v3.html).
+This stage adds a form of verification using [Google's ReCaptcha](https://www.google.com/recaptcha/intro/v3.html) or compatible services.
+
+### Google ReCaptcha
This stage has two required fields: Public key and private key. These can both be acquired at https://www.google.com/recaptcha/admin.
![](captcha-admin.png)
+
+### hCaptcha
+
+See https://docs.hcaptcha.com/switch
+
+### Turnstile
+
+See https://developers.cloudflare.com/turnstile/get-started/migrating-from-recaptcha
diff --git a/website/docs/installation/configuration.md b/website/docs/installation/configuration.md
index dc0fe9da4..f69660b69 100644
--- a/website/docs/installation/configuration.md
+++ b/website/docs/installation/configuration.md
@@ -78,6 +78,10 @@ Defaults to `info`.
Which domain the session cookie should be set to. By default, the cookie is set to the domain authentik is accessed under.
+### `AUTHENTIK_GEOIP`
+
+Path to the GeoIP database. Defaults to `/geoip/GeoLite2-City.mmdb`. If the file is not found, authentik will skip GeoIP support.
+
### `AUTHENTIK_DISABLE_UPDATE_CHECK`
Disable the inbuilt update-checker. Defaults to `false`.
diff --git a/website/docs/installation/docker-compose.md b/website/docs/installation/docker-compose.md
index d16398266..6f397baa8 100644
--- a/website/docs/installation/docker-compose.md
+++ b/website/docs/installation/docker-compose.md
@@ -49,22 +49,6 @@ AUTHENTIK_EMAIL__TIMEOUT=10
AUTHENTIK_EMAIL__FROM=authentik@localhost
```
-## GeoIP configuration (optional)
-
-authentik can use a MaxMind-formatted GeoIP Database to extract location data from IPs. You can then use this location data in policies, and location data is saved in events.
-
-To configure GeoIP, sign up for a free MaxMind account [here](https://www.maxmind.com/en/geolite2/signup).
-
-After you have your account ID and license key, add the following block to your `.env` file:
-
-```shell
-GEOIPUPDATE_ACCOUNT_ID=*your account ID*
-GEOIPUPDATE_LICENSE_KEY=* your license key*
-AUTHENTIK_AUTHENTIK__GEOIP=/geoip/GeoLite2-City.mmdb
-```
-
-The GeoIP database will automatically be updated every 8 hours.
-
## Running on Port 80/443
By default, authentik listens on port 9000 for HTTP and 9443 for HTTPS. To change this, you can set the following variables in `.env`:
diff --git a/website/docs/policies/expression.mdx b/website/docs/policies/expression.mdx
index 1c6200f6f..54d6ba7f6 100644
--- a/website/docs/policies/expression.mdx
+++ b/website/docs/policies/expression.mdx
@@ -70,7 +70,7 @@ import Objects from "../expressions/_objects.md";
- `request.obj`: A Django Model instance. This is only set if the policy is ran against an object.
- `request.context`: A dictionary with dynamic data. This depends on the origin of the execution.
-- `geoip`: GeoIP object, which is added when GeoIP is enabled. See [GeoIP](https://geoip2.readthedocs.io/en/latest/#geoip2.models.City)
+- `geoip`: GeoIP object, see [GeoIP](https://geoip2.readthedocs.io/en/latest/#geoip2.models.City)
- `ak_is_sso_flow`: Boolean which is true if request was initiated by authenticating through an external provider.
- `ak_client_ip`: Client's IP Address or 255.255.255.255 if no IP Address could be extracted. Can be [compared](#comparing-ip-addresses), for example
diff --git a/website/docs/releases/v2022.12.md b/website/docs/releases/v2022.12.md
new file mode 100644
index 000000000..21d5320b1
--- /dev/null
+++ b/website/docs/releases/v2022.12.md
@@ -0,0 +1,194 @@
+---
+title: Release 2022.12
+slug: "2022.12"
+---
+
+## New features
+
+- Bundled GeoIP City database
+
+ authentik now comes with a bundled MaxMind GeoLite2 City database. This allows everyone to take advantage of the extra data provided by GeoIP. The default docker-compose file removes the GeoIP update container as it is no longer needed. See more [here](../core/geoip)
+
+- Customisable Captcha stage
+
+ The captcha stage now supports alternate compatible providers, like [hCaptcha](https://docs.hcaptcha.com/switch/) and [Turnstile](https://developers.cloudflare.com/turnstile/get-started/migrating-from-recaptcha/).
+
+## Upgrading
+
+This release does not introduce any new requirements.
+
+### docker-compose
+
+Download the docker-compose file for 2022.12 from [here](https://goauthentik.io/version/2022.12/docker-compose.yml). Afterwards, simply run `docker-compose up -d`.
+
+### Kubernetes
+
+Update your values to use the new images:
+
+```yaml
+image:
+ repository: ghcr.io/goauthentik/server
+ tag: 2022.12.0
+```
+
+## Minor changes/fixes
+
+## API Changes
+
+#### What's Changed
+
+---
+
+##### `GET` /stages/captcha/{stage_uuid}/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+- Changed content type : `application/json`
+
+ - Added property `js_url` (string)
+
+ - Added property `api_url` (string)
+
+ - Changed property `public_key` (string)
+ > Public key, acquired your captcha Provider.
+
+##### `PUT` /stages/captcha/{stage_uuid}/
+
+###### Request:
+
+Changed content type : `application/json`
+
+- Added property `js_url` (string)
+
+- Added property `api_url` (string)
+
+- Changed property `public_key` (string)
+
+ > Public key, acquired your captcha Provider.
+
+- Changed property `private_key` (string)
+ > Private key, acquired your captcha Provider.
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+- Changed content type : `application/json`
+
+ - Added property `js_url` (string)
+
+ - Added property `api_url` (string)
+
+ - Changed property `public_key` (string)
+ > Public key, acquired your captcha Provider.
+
+##### `PATCH` /stages/captcha/{stage_uuid}/
+
+###### Request:
+
+Changed content type : `application/json`
+
+- Added property `js_url` (string)
+
+- Added property `api_url` (string)
+
+- Changed property `public_key` (string)
+
+ > Public key, acquired your captcha Provider.
+
+- Changed property `private_key` (string)
+ > Private key, acquired your captcha Provider.
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+- Changed content type : `application/json`
+
+ - Added property `js_url` (string)
+
+ - Added property `api_url` (string)
+
+ - Changed property `public_key` (string)
+ > Public key, acquired your captcha Provider.
+
+##### `GET` /flows/executor/{flow_slug}/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+- Changed content type : `application/json`
+
+ Updated `ak-stage-captcha` component:
+ New required properties:
+
+ - `js_url`
+
+ * Added property `js_url` (string)
+
+##### `POST` /flows/executor/{flow_slug}/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+- Changed content type : `application/json`
+
+ Updated `ak-stage-captcha` component:
+ New required properties:
+
+ - `js_url`
+
+ * Added property `js_url` (string)
+
+##### `POST` /stages/captcha/
+
+###### Request:
+
+Changed content type : `application/json`
+
+- Added property `js_url` (string)
+
+- Added property `api_url` (string)
+
+- Changed property `public_key` (string)
+
+ > Public key, acquired your captcha Provider.
+
+- Changed property `private_key` (string)
+ > Private key, acquired your captcha Provider.
+
+###### Return Type:
+
+Changed response : **201 Created**
+
+- Changed content type : `application/json`
+
+ - Added property `js_url` (string)
+
+ - Added property `api_url` (string)
+
+ - Changed property `public_key` (string)
+ > Public key, acquired your captcha Provider.
+
+##### `GET` /stages/captcha/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+- Changed content type : `application/json`
+
+ - Changed property `results` (array)
+
+ Changed items (object): > CaptchaStage Serializer
+
+ - Added property `js_url` (string)
+
+ - Added property `api_url` (string)
+
+ - Changed property `public_key` (string)
+ > Public key, acquired your captcha Provider.
diff --git a/website/sidebars.js b/website/sidebars.js
index dffe9505d..9ab48af07 100644
--- a/website/sidebars.js
+++ b/website/sidebars.js
@@ -34,6 +34,7 @@ module.exports = {
"core/applications",
"core/tenants",
"core/certificates",
+ "core/geoip",
],
},
{
@@ -217,13 +218,14 @@ module.exports = {
description: "Release notes for recent authentik versions",
},
items: [
+ "releases/v2022.12",
"releases/v2022.11",
"releases/v2022.10",
- "releases/v2022.9",
{
type: "category",
label: "Previous versions",
items: [
+ "releases/v2022.9",
"releases/v2022.8",
"releases/v2022.7",
"releases/v2022.6",