ilot/authentik: new aport

ilot/authentik/APKBUILD

@@ -0,0 +1,258 @@
+# Contributor: Antoine Martin (ayakael) <dev@ayakael.net>
+# Maintainer: Antoine Martin (ayakael) <dev@ayakael.net>
+pkgname=authentik
+pkgver=2024.4.3
+pkgrel=1
+pkgdesc="An open-source Identity Provider focused on flexibility and versatility"
+url="https://github.com/goauthentik/authentik"
+# s390x: missing py3-celery py3-flower and py3-kombu
+# armhf/armv7/x86: out of memory error when building goauthentik
+# ppc64le: not supported by Rollup build
+arch="aarch64 x86_64"
+license="MIT"
+depends="
+	libcap-setcap
+	nginx
+	postgresql
+	procps
+	pwgen
+	py3-aiohttp
+	py3-aiosignal
+	py3-amqp
+	py3-anyio
+	py3-asgiref
+	py3-asn1
+	py3-asn1crypto
+	py3-async-timeout
+	py3-attrs
+	py3-autobahn
+	py3-automat
+	py3-bcrypt
+	py3-billiard
+	py3-cachetools
+	py3-cbor2
+	py3-celery
+	py3-certifi
+	py3-cffi
+	py3-channels
+	py3-channels_redis
+	py3-charset-normalizer
+	py3-click
+	py3-click-didyoumean
+	py3-click-plugins
+	py3-click-repl
+	py3-codespell
+	py3-colorama
+	py3-constantly
+	py3-cparser
+	py3-cryptography
+	py3-dacite
+	py3-daphne
+	py3-dateutil
+	py3-deepmerge
+	py3-defusedxml
+	py3-deprecated
+	py3-dnspython
+	py3-django
+	py3-django-filter
+	py3-django-guardian
+	py3-django-model-utils
+	py3-django-otp
+	py3-django-prometheus
+	py3-django-redis
+	py3-django-rest-framework~=3.14.0
+	py3-django-rest-framework-guardian
+	py3-django-storages
+	py3-django-tenants
+	py3-docker-py
+	py3-dotenv
+	py3-dumb-init
+	py3-duo_client
+	py3-drf-spectacular
+	py3-email-validator
+	py3-facebook-sdk
+	py3-fido2
+	py3-flower
+	py3-frozenlist
+	py3-geoip2
+	py3-google-auth
+	py3-gunicorn
+	py3-h11
+	py3-httptools
+	py3-humanize
+	py3-hyperlink
+	py3-idna
+	py3-incremental
+	py3-inflection
+	py3-jsonschema
+	py3-jsonpatch
+	py3-jwt
+	py3-kombu
+	py3-kubernetes
+	py3-ldap3
+	py3-lxml
+	py3-maxminddb
+	py3-msgpack
+	py3-multidict
+	py3-oauthlib
+	py3-opencontainers
+	py3-openssl
+	py3-packaging
+	py3-paramiko
+	py3-parsing
+	py3-prometheus-client
+	py3-prompt_toolkit
+	py3-psycopg
+	py3-psycopg-c
+	py3-pydantic-scim
+	py3-pynacl
+	py3-pyrsistent
+	py3-python-jwt
+	py3-redis
+	py3-requests
+	py3-requests-oauthlib
+	py3-rsa
+	py3-scim2-filter-parser
+	py3-setproctitle
+	py3-sentry-sdk
+	py3-service_identity
+	py3-setuptools
+	py3-six
+	py3-sniffio
+	py3-sqlparse
+	py3-structlog
+	py3-swagger-spec-validator
+	py3-tornado
+	py3-twilio
+	py3-twisted
+	py3-txaio
+	py3-tenant-schemas-celery
+	py3-typing-extensions
+	py3-tz
+	py3-ua-parser
+	py3-uritemplate
+	py3-urllib3-secure-extra
+	py3-uvloop
+	py3-vine
+	py3-watchdog
+	py3-watchfiles
+	py3-wcwidth
+	py3-webauthn
+	py3-websocket-client
+	py3-websockets
+	py3-wrapt
+	py3-wsproto
+	py3-xmlsec
+	py3-yaml
+	py3-yarl
+	py3-zope-interface
+	py3-zxcvbn
+	redis
+	uvicorn
+	"
+makedepends="go npm"
+# checkdepends scooped up by poetry due to number
+checkdepends="poetry py3-coverage"
+# tests disabled for now
+options="!check"
+install="$pkgname.post-install $pkgname.post-upgrade $pkgname.pre-install"
+source="
+	$pkgname-$pkgver.tar.gz::https://github.com/goauthentik/authentik/archive/refs/tags/version/$pkgver.tar.gz
+	authentik.openrc
+	authentik-worker.openrc
+	authentik-ldap.openrc
+	authentik-ldap.conf
+	authentik-manage.sh
+	fix-ak-bash.patch
+	root-settings-csrf_trusted_origins.patch
+	"
+builddir="$srcdir/"authentik-version-$pkgver
+subpackages="$pkgname-openrc $pkgname-doc"
+pkgusers="authentik"
+pkggroups="authentik"
+
+export GOPATH=$srcdir/go
+export GOCACHE=$srcdir/go-build
+export GOTMPDIR=$srcdir
+
+build() {
+	msg "Building authentik-ldap"
+	go build -o ldap cmd/ldap/main.go
+	msg "Building authentik-proxy"
+	go build -o proxy cmd/proxy/main.go
+	msg "Building authentik-radius"
+	go build -o radius cmd/proxy/main.go
+	msg "Building authentik-server"
+	go build -o server cmd/server/*.go
+
+	msg "Building authentik-web"
+	cd web
+	npm ci --no-audit
+	npm run build
+	cd ..
+
+	msg "Building website"
+	cd website
+	npm ci --no-audit
+	npm run build
+}
+
+package() {
+	msg "Packaging $pkgname"
+	mkdir -p "$pkgdir"/usr/share/webapps/authentik/web
+	mkdir -p "$pkgdir"/usr/share/webapps/authentik/website
+	mkdir -p "$pkgdir"/var/lib/authentik
+	mkdir -p "$pkgdir"/usr/share/doc
+	mkdir -p "$pkgdir"/usr/bin
+	cp -dr "$builddir"/authentik "$pkgdir"/usr/share/webapps/authentik
+	cp -dr "$builddir"/web/dist "$pkgdir"/usr/share/webapps/authentik/web/dist
+	cp -dr "$builddir"/web/authentik "$pkgdir"/usr/share/webapps/authentik/web/authentik
+	cp -dr "$builddir"/website/build "$pkgdir"/usr/share/doc/authentik
+	cp -dr "$builddir"/tests "$pkgdir"/usr/share/webapps/authentik/tests
+	cp -dr "$builddir"/lifecycle "$pkgdir"/usr/share/webapps/authentik/lifecycle
+	cp -dr "$builddir"/locale "$pkgdir"/usr/share/webapps/authentik/locale
+	cp -dr "$builddir"/blueprints "$pkgdir"/var/lib/authentik/blueprints
+	install -Dm755 "$builddir"/manage.py "$pkgdir"/usr/share/webapps/authentik/manage.py
+	install -Dm755 "$builddir"/server "$pkgdir"/usr/share/webapps/authentik/server
+	ln -s "/etc/authentik/config.yml" "$pkgdir"/usr/share/webapps/authentik/local.env.yml
+
+	install -Dm755 "$builddir"/proxy "$pkgdir"/usr/bin/authentik-proxy
+	install -Dm755 "$builddir"/ldap "$pkgdir"/usr/bin/authentik-ldap
+	install -Dm755 "$builddir"/radius "$pkgdir"/usr/bin/authentik-radius
+
+	install -Dm755 "$srcdir"/$pkgname.openrc \
+		"$pkgdir"/etc/init.d/$pkgname
+	install -Dm755 "$srcdir"/$pkgname-worker.openrc \
+		"$pkgdir"/etc/init.d/$pkgname-worker
+	install -Dm755 "$srcdir"/$pkgname-ldap.openrc \
+		"$pkgdir"/etc/init.d/$pkgname-ldap
+	install -Dm640 "$srcdir"/$pkgname-ldap.conf \
+		"$pkgdir"/etc/conf.d/$pkgname-ldap
+	install -Dm640 "$builddir"/authentik/lib/default.yml \
+		"$pkgdir"/etc/authentik/config.yml
+	chown root:www-data "$pkgdir"/etc/authentik/config.yml
+
+	mv "$pkgdir"/usr/share/webapps/authentik/web/dist/custom.css "$pkgdir"/etc/authentik/custom.css
+	ln -s "/etc/authentik/custom.css" "$pkgdir"/usr/share/webapps/authentik/web/dist/custom.css
+	chown root:www-data "$pkgdir"/etc/authentik/custom.css
+
+	sed -i 's|cert_discovery_dir.*|cert_discovery_dir: /var/lib/authentik/certs|' "$pkgdir"/etc/authentik/config.yml
+	sed -i 's|blueprints_dir.*|blueprints_dir: /var/lib/authentik/blueprints|' "$pkgdir"/etc/authentik/config.yml
+	sed -i 's|template_dir.*|template_dir: /var/lib/authentik/templates|' "$pkgdir"/etc/authentik/config.yml
+	printf "\ncsrf:\n  trusted_origins: ['auth.example.com']" >> "$pkgdir"/etc/authentik/config.yml
+	printf "\nsecret_key: '@@SECRET_KEY@@'" >> "$pkgdir"/etc/authentik/config.yml
+
+	# Install wrapper script to /usr/bin.
+	install -m755 -D "$srcdir"/authentik-manage.sh "$pkgdir"/usr/bin/authentik-manage
+}
+
+sha512sums="
+121ed925d81a5cb2a14fed8ec8b324352e40b1fcbba83573bfdc1d1f66a91d9670cd64d7ef752c8a2df6c34fc3e19e8aec5c6752d33e87b487a462a590212ab0  authentik-2024.4.3.tar.gz
+4defb4fe3a4230f4aa517fbecd5e5b8bcef2a64e1b40615660ae9eec33597310a09df5e126f4d39ce7764bd1716c0a7040637699135c103cbc1879593c6c06f1  authentik.openrc
+6cb03b9b69df39bb4539fe05c966536314d766b2e9307a92d87070ba5f5b7e7ab70f1b5ee1ab3c0c50c23454f9c5a4caec29e63fdf411bbb7a124ad687569b89  authentik-worker.openrc
+351e6920d987861f8bf0d7ab2f942db716a8dbdad1f690ac662a6ef29ac0fd46cf817cf557de08f1c024703503d36bc8b46f0d9eb1ecaeb399dce4c3bb527d17  authentik-ldap.openrc
+89ee5f0ffdade1c153f3a56ff75b25a7104aa81d8c7a97802a8f4b0eab34850cee39f874dabe0f3c6da3f71d6a0f938f5e8904169e8cdd34d407c8984adee6b0  authentik-ldap.conf
+f1a3cb215b6210fa7d857a452a9f2bc4dc0520e49b9fa7027547cff093d740a7e2548f1bf1f8831f7d5ccb80c8e523ee0c8bafcc4dc42d2788725f2137d21bee  authentik-manage.sh
+3e47db684a3f353dcecdb7bab8836b9d5198766735d77f676a51d952141a0cf9903fcb92e6306c48d2522d7a1f3028b37247fdc1dc74d4d6e043da7eb4f36d49  fix-ak-bash.patch
+5c60e54b6a7829d611af66f5cb8184a002b5ae927efbd024c054a7c176fcb9efcfbe5685279ffcf0390b0f0abb3bb03e02782c6867c2b38d1ad2d508aae83fa0  root-settings-csrf_trusted_origins.patch
+"

ilot/authentik/authentik-ldap.conf

@@ -0,0 +1,3 @@
+AUTHENTIK_HOST=https://example.com
+AUTHENTIK_TOKEN=your-authentik-token
+AUTHENTIK_INSECURE=true

ilot/authentik/authentik-ldap.openrc

@@ -0,0 +1,24 @@
+#!/sbin/openrc-run
+  
+name="$RC_SVCNAME"
+cfgfile="/etc/conf.d/$RC_SVCNAME"
+pidfile="/run/$RC_SVCNAME.pid"
+working_directory="/usr/share/webapps/authentik"
+command="/usr/bin/authentik-ldap"
+command_user="authentik"
+command_group="authentik"
+start_stop_daemon_args=""
+command_background="yes"
+output_log="/var/log/authentik/$RC_SVCNAME.log"
+error_log="/var/log/authentik/$RC_SVCNAME.err"
+
+depend() {
+        need authentik
+}
+
+start_pre() {
+	cd "$working_directory"
+        checkpath --directory --owner $command_user:$command_group --mode 0775 \
+                /var/log/authentik
+	export AUTHENTIK_HOST AUTHENTIK_TOKEN AUTHENTIK_INSECURE AUTHENTIK_DEBUG
+}

ilot/authentik/authentik-manage.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+BUNDLE_DIR='/usr/share/webapps/authentik'
+
+cd $BUNDLE_DIR
+
+if [ "$(id -un)" != 'authentik' ]; then
+	exec su authentik -c '"$0" "$@"' -- ./manage.py "$@"
+else
+	exec ./manage.py "$@"
+fi

ilot/authentik/authentik-worker.openrc

@@ -0,0 +1,32 @@
+#!/sbin/openrc-run
+  
+name="$RC_SVCNAME"
+cfgfile="/etc/conf.d/$RC_SVCNAME.conf"
+pidfile="/run/$RC_SVCNAME.pid"
+working_directory="/usr/share/webapps/authentik"
+command="/usr/bin/authentik-manage"
+command_args="worker"
+command_user="authentik"
+command_group="authentik"
+start_stop_daemon_args=""
+command_background="yes"
+output_log="/var/log/authentik/$RC_SVCNAME.log"
+error_log="/var/log/authentik/$RC_SVCNAME.err"
+
+depend() {
+        need redis
+        need postgresql
+}
+
+start_pre() {
+	cd "$working_directory"
+        checkpath --directory --owner $command_user:$command_group --mode 0775 \
+                /var/log/authentik \
+                /var/lib/authentik/certs \
+                /var/lib/authentik/blueprints
+}
+
+stop_pre() {
+	ebegin "Killing child processes"
+	kill $(ps -o pid= --ppid $(cat $pidfile)) || true
+}

ilot/authentik/authentik.openrc

@@ -0,0 +1,30 @@
+#!/sbin/openrc-run
+  
+name="$RC_SVCNAME"
+cfgfile="/etc/conf.d/$RC_SVCNAME.conf"
+pidfile="/run/$RC_SVCNAME.pid"
+working_directory="/usr/share/webapps/authentik"
+command="/usr/share/webapps/authentik/server"
+command_user="authentik"
+command_group="authentik"
+start_stop_daemon_args=""
+command_background="yes"
+output_log="/var/log/authentik/$RC_SVCNAME.log"
+error_log="/var/log/authentik/$RC_SVCNAME.err"
+
+depend() {
+        need redis
+        need postgresql
+}
+
+start_pre() {
+	cd "$working_directory"
+        checkpath --directory --owner $command_user:$command_group --mode 0775 \
+                /var/log/authentik \
+                /var/lib/authentik/certs
+}
+
+stop_pre() {
+	ebegin "Killing child processes"
+	kill $(ps -o pid= --ppid $(cat $pidfile)) || true
+}

ilot/authentik/authentik.post-install

@@ -0,0 +1,39 @@
+#!/bin/sh
+set -eu
+
+group=authentik
+config_file='/etc/authentik/config.yml'
+
+setcap 'cap_net_bind_service=+ep' /usr/share/webapps/authentik/server
+
+if [ $(grep '@@SECRET_KEY@@' "$config_file") ]; then
+	echo "* Generating random secret in $config_file" >&2
+
+	secret_key="$(pwgen -s 50 1)"
+	sed -i "s|@@SECRET_KEY@@|$secret_key|" "$config_file"
+	chown root:$group "$config_file"
+fi
+
+if [ "${0##*.}" = 'post-upgrade' ]; then
+	cat >&2 <<-EOF
+	*
+	* To finish Authentik upgrade run:
+	*
+	*     authentik-manage migrate
+	*
+	EOF
+else
+	cat >&2 <<-EOF
+	*
+	* 1. Adjust settings in /etc/authentik/config.yml.
+	*
+	* 2. Create database for Authentik:
+	*
+	*     psql -c "CREATE ROLE authentik PASSWORD 'top-secret' INHERIT LOGIN;"
+	*     psql -c "CREATE DATABASE authentik OWNER authentik ENCODING 'UTF-8';"
+	*
+	* 3. Run "authentik-manage migrate"
+	* 4. Setup admin user at https://<your server>/if/flow/initial-setup/
+	*
+	EOF
+fi

ilot/authentik/authentik.post-upgrade

@@ -0,0 +1 @@
+authentik.post-install

ilot/authentik/authentik.pre-install

@@ -0,0 +1,26 @@
+#!/bin/sh
+# It's very important to set user/group correctly.
+
+authentik_dir='/var/lib/authentik'
+
+if ! getent group authentik 1>/dev/null; then
+	echo '* Creating group authentik' 1>&2
+
+	addgroup -S authentik
+fi
+
+if ! id authentik 2>/dev/null 1>&2; then
+	echo '* Creating user authentik' 1>&2
+
+	adduser -DHS -G authentik -h "$authentik_dir" -s /bin/sh  \
+		-g "added by apk for authentik" authentik
+	passwd -u authentik 1>/dev/null  # unlock
+fi
+
+if ! id -Gn authentik | grep -Fq redis; then
+	echo '* Adding user authentik to group redis' 1>&2
+
+	addgroup authentik redis
+fi
+
+exit 0

ilot/authentik/fix-ak-bash.patch

@@ -0,0 +1,10 @@
+diff --git a/lifecycle/ak.orig b/lifecycle/ak
+index 615bfe9..1646274 100755
+--- a/lifecycle/ak.orig
++++ b/lifecycle/ak
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env -S bash -e
++#!/usr/bin/env bash
+ MODE_FILE="${TMPDIR}/authentik-mode"
+ 
+ function log {

ilot/authentik/root-settings-csrf_trusted_origins.patch

@@ -0,0 +1,12 @@
+diff --git a/authentik/root/settings.py b/authentik/root/settings.py
+index 15e689b06..8b0c1d744 100644
+--- a/authentik/root/settings.py
++++ b/authentik/root/settings.py
+@@ -33,6 +33,7 @@ AUTH_USER_MODEL = "authentik_core.User"
+ 
+ CSRF_COOKIE_NAME = "authentik_csrf"
+ CSRF_HEADER_NAME = "HTTP_X_AUTHENTIK_CSRF"
++CSRF_TRUSTED_ORIGINS = CONFIG.get("csrf.trusted_origins")
+ LANGUAGE_COOKIE_NAME = "authentik_language"
+ SESSION_COOKIE_NAME = "authentik_session"
+ SESSION_COOKIE_DOMAIN = CONFIG.get("cookie_domain", None)