kaboot/authentik/blueprints/kaboot-setup-production.yaml.example
Joey Yakimowich-Payne 1506210a2e
Add Authentik blueprints for automated OAuth2/OIDC setup
Automate the manual Authentik configuration process using native YAML blueprints
that are applied on container startup.

Changes:
- Add kaboot-setup.yaml blueprint for local development
- Add kaboot-setup-production.yaml.example for production with configurable domains
- Update docker-compose.yml and docker-compose.prod.yml to mount blueprints
- Add AUTHENTIK_BOOTSTRAP_PASSWORD/TOKEN env vars for automated admin setup
- Update setup.sh to generate bootstrap credentials and display admin password
- Update Caddyfile.example with proper proxy headers for Authentik
- Add Caddyfile to .gitignore (user-specific config)
- Update docs with Quick Start sections for automated setup

The blueprints create:
- OAuth2/OIDC provider (public client, client_id: kaboot-spa)
- Kaboot application with redirect URIs
- kaboot-users group with application binding
- Enrollment flow with sign-up capability
- Password complexity policy
- Test user and service account (passwords set manually)
2026-01-14 16:20:10 -07:00


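# Kaboot Authentik Blueprint - PRODUCTION
# Copy this file to kaboot-setup-production.yaml and update the domains.
#
# IMPORTANT: Remove or rename kaboot-setup.yaml when using this file
# to avoid conflicting configurations.
#
# Prerequisites:
# - Set AUTHENTIK_BOOTSTRAP_PASSWORD and AUTHENTIK_BOOTSTRAP_TOKEN in .env
# - Mount this directory to /blueprints/custom in docker-compose.yml
# - Update kaboot_domain and auth_domain under `context:` below with your
#   actual hostnames (they are substituted via !Context / !Format).
#
# Review notes for the deployed copy:
# - This file holds no secrets; the bootstrap admin credentials come only from
#   the environment variables above. Keep the copied file that way too.
# - The enrollment flow is reachable without authentication (authentication:
#   none) and its user-write stage creates users active and already in the
#   kaboot-users group, which is the group the application policy binding
#   grants access on. Sign-up therefore equals application access; no
#   email-verification stage is bound in this blueprint.
# - Sequences are written flush with their parent key, the style used by
#   authentik's own default blueprints; keep that consistent when editing.
#
# yaml-language-server: $schema=https://goauthentik.io/blueprints/schema.json
---
version: 1
metadata:
  name: Kaboot Application Setup (Production)
  labels:
    blueprints.goauthentik.io/description: "Complete Kaboot OAuth2/OIDC setup for production"
# Values looked up with !Context. Replace both example hostnames.
context:
  kaboot_domain: kaboot.example.com
  # NOTE(review): auth_domain is not referenced by any entry below — confirm
  # it is still needed before relying on it.
  auth_domain: auth.example.com
entries:
# ═══════════════════════════════════════════════════════════════════════════════
# GROUPS
# ═══════════════════════════════════════════════════════════════════════════════
# Membership in this group is what the application policy binding checks.
- id: kaboot-users-group
  model: authentik_core.group
  identifiers:
    name: kaboot-users
  attrs:
    name: kaboot-users
# ═══════════════════════════════════════════════════════════════════════════════
# OAUTH2/OIDC PROVIDER
# ═══════════════════════════════════════════════════════════════════════════════
# Public (no client secret) provider for the browser SPA. All redirect URIs
# use strict matching, so only the exact URLs derived from kaboot_domain
# are accepted; add new callback paths here rather than loosening the mode.
- id: kaboot-oauth2-provider
  model: authentik_providers_oauth2.oauth2provider
  identifiers:
    name: Kaboot OAuth2
  attrs:
    name: Kaboot OAuth2
    # Implicit consent: first-party app, users are not shown a consent screen.
    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
    client_type: public
    client_id: kaboot-spa
    redirect_uris:
    - url: !Format ["https://%s/callback", !Context kaboot_domain]
      matching_mode: strict
    - url: !Format ["https://%s/silent-renew.html", !Context kaboot_domain]
      matching_mode: strict
    - url: !Format ["https://%s", !Context kaboot_domain]
      matching_mode: strict
    # Short-lived authorization code; access tokens are renewed via refresh
    # tokens (offline_access scope is mapped below).
    access_code_validity: minutes=1
    access_token_validity: minutes=30
    refresh_token_validity: days=30
    # Subject is a hash of the user id rather than the username/email.
    sub_mode: hashed_user_id
    include_claims_in_id_token: true
    issuer_mode: per_provider
    property_mappings:
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, offline_access]]
# ═══════════════════════════════════════════════════════════════════════════════
# APPLICATION
# ═══════════════════════════════════════════════════════════════════════════════
- id: kaboot-application
  model: authentik_core.application
  identifiers:
    slug: kaboot
  attrs:
    name: Kaboot
    slug: kaboot
    provider: !KeyOf kaboot-oauth2-provider
    policy_engine_mode: any
    meta_launch_url: !Format ["https://%s", !Context kaboot_domain]
# Single group binding on the application: with policy_engine_mode "any"
# above, only members of kaboot-users pass the access check.
- id: kaboot-group-policy-binding
  model: authentik_policies.policybinding
  identifiers:
    target: !KeyOf kaboot-application
    group: !KeyOf kaboot-users-group
  attrs:
    order: 0
    enabled: true
    negate: false
    timeout: 30
# ═══════════════════════════════════════════════════════════════════════════════
# PASSWORD POLICY
# ═══════════════════════════════════════════════════════════════════════════════
# Enforced as a validation policy on the enrollment prompt stage below.
- id: password-complexity-policy
  model: authentik_policies_password.passwordpolicy
  identifiers:
    name: password-complexity
  attrs:
    name: password-complexity
    password_field: password
    length_min: 8
    amount_uppercase: 1
    amount_lowercase: 1
    amount_digits: 1
    error_message: "Password must be at least 8 characters with 1 uppercase, 1 lowercase, and 1 digit."
# ═══════════════════════════════════════════════════════════════════════════════
# ENROLLMENT STAGES
# ═══════════════════════════════════════════════════════════════════════════════
# Collects username, email and password (+ repeat) using authentik's
# built-in prompt fields; the password policy validates the submission.
- id: enrollment-prompt-stage
  model: authentik_stages_prompt.promptstage
  identifiers:
    name: enrollment-prompt
  attrs:
    name: enrollment-prompt
    fields:
    - !Find [authentik_stages_prompt.prompt, [name, default-source-enrollment-field-username]]
    - !Find [authentik_stages_prompt.prompt, [name, default-user-settings-field-email]]
    - !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password]]
    - !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password-repeat]]
    validation_policies:
    - !KeyOf password-complexity-policy
# Creates the account immediately active and in kaboot-users. The submitted
# email is not verified anywhere in this flow; add an email stage before
# this one if verified addresses are required in production.
- id: enrollment-user-write-stage
  model: authentik_stages_user_write.userwritestage
  identifiers:
    name: enrollment-user-write
  attrs:
    name: enrollment-user-write
    user_creation_mode: always_create
    create_users_as_inactive: false
    create_users_group: !KeyOf kaboot-users-group
# Logs the new user in right after creation. Sessions are not bound to the
# client network or GeoIP; the session/"remember me" durations are below.
- id: enrollment-user-login-stage
  model: authentik_stages_user_login.userloginstage
  identifiers:
    name: enrollment-user-login
  attrs:
    name: enrollment-user-login
    session_duration: hours=24
    remember_me_offset: days=30
    network_binding: no_binding
    geoip_binding: no_binding
    terminate_other_sessions: false
# ═══════════════════════════════════════════════════════════════════════════════
# ENROLLMENT FLOW
# ═══════════════════════════════════════════════════════════════════════════════
# authentication: none makes the sign-up flow available to anonymous users.
- id: enrollment-flow
  model: authentik_flows.flow
  identifiers:
    slug: enrollment-flow
  attrs:
    name: Enrollment Flow
    title: Sign Up
    slug: enrollment-flow
    designation: enrollment
    authentication: none
# Stage order: prompt (10) -> user write (20) -> user login (30).
- id: enrollment-flow-prompt-binding
  model: authentik_flows.flowstagebinding
  identifiers:
    target: !KeyOf enrollment-flow
    stage: !KeyOf enrollment-prompt-stage
  attrs:
    order: 10
    evaluate_on_plan: true
    re_evaluate_policies: false
    invalid_response_action: retry
- id: enrollment-flow-user-write-binding
  model: authentik_flows.flowstagebinding
  identifiers:
    target: !KeyOf enrollment-flow
    stage: !KeyOf enrollment-user-write-stage
  attrs:
    order: 20
    evaluate_on_plan: true
    re_evaluate_policies: false
    invalid_response_action: retry
- id: enrollment-flow-user-login-binding
  model: authentik_flows.flowstagebinding
  identifiers:
    target: !KeyOf enrollment-flow
    stage: !KeyOf enrollment-user-login-stage
  attrs:
    order: 30
    evaluate_on_plan: true
    re_evaluate_policies: false
    invalid_response_action: retry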
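# ═══════════════════════════════════════════════════════════════════════════════
# LINK ENROLLMENT FLOW TO DEFAULT LOGIN
# ═══════════════════════════════════════════════════════════════════════════════
# Updates the identification stage that authentik's default authentication
# flow uses, so the login page offers the sign-up flow defined above.
# NOTE(review): this edits an object owned by authentik's default blueprints;
# confirm the change is kept when those defaults are re-applied.
- id: update-identification-stage
  model: authentik_stages_identification.identificationstage
  identifiers:
    name: default-authentication-identification
  attrs:
    enrollment_flow: !KeyOf enrollment-flow
    # Users may identify by email or username, case-insensitively.
    user_fields:
    - email
    - username
    case_insensitive_matching: true
    show_matched_user: true
    show_source_labels: false
    # Keep true: unknown identifiers proceed as if the user existed, which
    # limits account enumeration from the login form.
    pretend_user_exists: true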