Adding lldap and authelia.

This commit is contained in:
2026-07-08 14:48:54 -07:00
parent e62593bf44
commit b8605f02ab
19 changed files with 595 additions and 28 deletions

View File

@@ -0,0 +1,5 @@
{$authelia_SUBDOMAIN}.{$ROOT_DOMAIN} {
import maintenance_intercept
reverse_proxy authelia:9091
}

View File

@@ -0,0 +1,15 @@
IMAGE_DEPS := $(IMAGE_DEPS) \
app/authelia/postgres_db \
app/authelia/postgres_user \
app/authelia/postgres_password \
app/authelia/authelia-config/configuration.yml
app/authelia/postgres_db: $(apps_config)
bash -c 'source ./$(apps_config); printf "%s\n" "$$AUTHELIA_POSTGRES_DB" > $@'
app/authelia/postgres_user: $(apps_config)
bash -c 'source ./$(apps_config); printf "%s\n" "$$AUTHELIA_POSTGRES_USER" > $@'
app/authelia/postgres_password: $(apps_config)
bash -c 'source ./$(apps_config); printf "%s\n" "$$AUTHELIA_POSTGRES_PASSWORD" > $@'
app/authelia/authelia-config/configuration.yml: $(apps_config) app/authelia/authelia-config/configuration.yml.tmpl \
app/authelia/make-authelia-config.sh
./app/authelia/make-authelia-config.sh $(apps_config)

View File

@@ -0,0 +1,118 @@
---
###############################################################
# Authelia configuration #
###############################################################
server:
address: 'tcp://:9091/authelia'
endpoints:
authz:
forward-auth:
implementation: 'ForwardAuth'
log:
level: 'debug'
totp:
issuer: 'authelia.com'
identity_validation:
reset_password:
jwt_secret: '$AUTHELIA_JWT_SECRET'
# lldap service account user should instead
# use an account with lldap_password_manager group
# since that can't be used to change an admin password
authentication_backend:
ldap:
address: 'ldap://lldap:3890'
implementation: 'lldap'
timeout: '5s'
pooling:
enable: false
count: 5
retries: 2
timeout: '10 seconds'
base_dn: 'DC=nassella,DC=org'
# additional_users_dn: 'OU=users'
# additional_groups_dn: 'OU=groups'
# group_search_mode: 'filter'
# permit_referrals: false
permit_unauthenticated_bind: false
permit_feature_detection_failure: false
user: 'uid=admin,ou=people,dc=nassella,dc=org'
password: '$LLDAP_ADMIN_PASSWORD'
# attributes:
# distinguished_name: 'distinguishedName'
# username: 'uid'
# display_name: 'displayName'
# family_name: 'sn'
# given_name: 'givenName'
# middle_name: 'middleName'
# nickname: ''
# gender: ''
# birthdate: ''
# website: 'wWWHomePage'
# profile: ''
# picture: ''
# zoneinfo: ''
# locale: ''
# phone_number: 'telephoneNumber'
# phone_extension: ''
# street_address: 'streetAddress'
# locality: 'l'
# region: 'st'
# postal_code: 'postalCode'
# country: 'c'
# mail: 'mail'
# member_of: 'memberOf'
# group_name: 'cn'
# extra:
# extra_example:
# name: ''
# multi_valued: false
# value_type: 'string'
access_control:
default_policy: 'deny'
rules:
# - domain: 'public.x.localhost'
# policy: 'bypass'
# - domain: 'app.nassella.org'
# policy: 'one_factor'
- domain: '$DOZZLE_FULL_DOMAIN'
policy: 'two_factor'
session:
secret: '$AUTHELIA_SESSION_SECRET'
cookies:
- name: 'authelia_session'
domain: '$ROOT_DOMAIN' # Should match whatever your root protected domain is
authelia_url: 'https://$AUTHELIA_FULL_DOMAIN'
expiration: '1 hour' # 1 hour
inactivity: '5 minutes' # 5 minutes
regulation:
max_retries: 3
find_time: '2 minutes'
ban_time: '5 minutes'
storage:
encryption_key: '$AUTHELIA_ENCRYPTION_KEY'
postgres:
address: 'tcp://authelia_db:5432'
servers: []
database: '$AUTHELIA_POSTGRES_DB'
schema: 'public'
username: '$AUTHELIA_POSTGRES_USER'
password: '$AUTHELIA_POSTGRES_PASSWORD'
timeout: '5s'
notifier:
smtp:
address: 'submission://$SMTP_HOST:$SMTP_PORT'
username: '$SMTP_AUTH_USER'
password: '$SMTP_AUTH_PASSWORD'
sender: '$SMTP_FROM'
...

View File

@@ -0,0 +1,58 @@
secrets:
authelia_postgres_db:
file: ./authelia/postgres_db
authelia_postgres_password:
file: ./authelia/postgres_password
authelia_postgres_user:
file: ./authelia/postgres_user
services:
authelia_db:
image: postgres:18-trixie
environment:
- POSTGRES_DB_FILE=/run/secrets/authelia_postgres_db
- POSTGRES_USER_FILE=/run/secrets/authelia_postgres_user
- POSTGRES_PASSWORD_FILE=/run/secrets/authelia_postgres_password
shm_size: 128mb
restart: always
volumes:
- /nassella/authelia/var-lib-postgresql:/var/lib/postgresql
networks:
- authelia_internal_db
healthcheck:
test: ["CMD-SHELL", "pg_isready -d `cat $$POSTGRES_DB_FILE` -U `cat $$POSTGRES_USER_FILE`"]
start_period: 15s
interval: 30s
retries: 3
timeout: 5s
secrets:
- authelia_postgres_db
- authelia_postgres_password
- authelia_postgres_user
authelia:
image: 'authelia/authelia'
volumes:
- ./authelia/authelia-config/configuration.yml:/config/configuration.yml:ro
networks:
- lb
- authelia_internal_db
- lldap_internal
depends_on:
lldap:
condition: service_healthy
authelia_db:
condition: service_healthy
restart: 'unless-stopped'
healthcheck:
## In production the healthcheck section should be commented.
disable: true
networks:
lb:
lldap_internal:
driver: bridge
internal: true
authelia_internal_db:
driver: bridge
internal: true

View File

@@ -0,0 +1,31 @@
#!/bin/bash
set -e
set -a # export everything in the config for later use by envsubst
. $1 # source the apps.config file with then env vars
read -r -a APP_CONFIGS <<< "$APP_CONFIGS"
authelia_subdomain=
dozzle_subdomain=
for config_string in ${APP_CONFIGS[@]}; do
IFS=','
read -r -a config <<< "$config_string"
app=${config[0]}
subdomain=${config[1]}
if [ "$app" = "authelia" ]; then
authelia_subdomain="$subdomain"
fi
if [ "$app" = "dozzle" ]; then
dozzle_subdomain="$subdomain"
fi
done
export AUTHELIA_FULL_DOMAIN="$authelia_subdomain.$ROOT_DOMAIN"
export DOZZLE_FULL_DOMAIN="$dozzle_subdomain.$ROOT_DOMAIN"
envsubst < app/authelia/authelia-config/configuration.yml.tmpl > app/authelia/authelia-config/configuration.yml

View File

@@ -0,0 +1,7 @@
{$dozzle_SUBDOMAIN}.{$ROOT_DOMAIN} {
forward_auth authelia:9091 {
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
}
reverse_proxy http://dozzle:8080
}

View File

@@ -1,5 +0,0 @@
IMAGE_DEPS := $(IMAGE_DEPS) \
app/dozzle/Caddyfile
app/dozzle/Caddyfile: $(apps_config) app/dozzle/make-caddyfile.sh
./app/dozzle/make-caddyfile.sh $(apps_config) > $@

View File

@@ -1,15 +0,0 @@
#/bin/bash
set -e
. $1 # source the apps.config file with then env vars
host_admin_password_encoded=`echo "$HOST_ADMIN_PASSWORD" | docker run --rm -i caddy:2 caddy hash-password`
echo '{$dozzle_SUBDOMAIN}.{$ROOT_DOMAIN} {'
echo " basic_auth {"
echo " $HOST_ADMIN_USER $host_admin_password_encoded"
echo " }"
echo " reverse_proxy http://dozzle:8080"
echo "}"
echo ""

View File

@@ -57,6 +57,14 @@ services:
retries: 120
networks:
- ghost_network
command:
- --performance-schema=OFF
- --innodb-buffer-pool-size=64M
- --max-connections=10
- --table-open-cache=128
- --table-definition-cache=128
- --thread-cache-size=2
- --innodb-log-buffer-size=8M
ghost_traffic-analytics:
image: ghost/traffic-analytics:1.0

View File

@@ -0,0 +1,4 @@
{$lldap_SUBDOMAIN}.{$ROOT_DOMAIN} {
import maintenance_intercept
reverse_proxy http://lldap:17170
}

View File

@@ -0,0 +1,21 @@
IMAGE_DEPS := $(IMAGE_DEPS) \
app/lldap/postgres_db \
app/lldap/postgres_user \
app/lldap/postgres_password \
app/lldap/admin_password \
app/lldap/jwt_secret \
app/lldap/lldap-config/lldap_config.toml
app/lldap/postgres_db: $(apps_config)
bash -c 'source ./$(apps_config); printf "%s\n" "$$LLDAP_POSTGRES_DB" > $@'
app/lldap/postgres_user: $(apps_config)
bash -c 'source ./$(apps_config); printf "%s\n" "$$LLDAP_POSTGRES_USER" > $@'
app/lldap/postgres_password: $(apps_config)
bash -c 'source ./$(apps_config); printf "%s\n" "$$LLDAP_POSTGRES_PASSWORD" > $@'
app/lldap/admin_password: $(apps_config)
bash -c 'source ./$(apps_config); printf "%s\n" "$$LLDAP_ADMIN_PASSWORD" > $@'
app/lldap/jwt_secret: $(apps_config)
bash -c 'source ./$(apps_config); printf "%s\n" "$$LLDAP_JWT_SECRET" > $@'
app/lldap/lldap-config/lldap_config.toml: $(apps_config) app/lldap/lldap-config/lldap_config.toml.tmpl \
app/lldap/make-lldap-config.sh
./app/lldap/make-lldap-config.sh $(apps_config)

View File

@@ -0,0 +1,65 @@
secrets:
lldap_postgres_db:
file: ./lldap/postgres_db
lldap_postgres_password:
file: ./lldap/postgres_password
lldap_postgres_user:
file: ./lldap/postgres_user
lldap_admin_password:
file: ./lldap/admin_password
lldap_jwt_secret:
file: ./lldap/jwt_secret
services:
lldap_db:
image: postgres:18-trixie
environment:
- POSTGRES_DB_FILE=/run/secrets/lldap_postgres_db
- POSTGRES_USER_FILE=/run/secrets/lldap_postgres_user
- POSTGRES_PASSWORD_FILE=/run/secrets/lldap_postgres_password
shm_size: 128mb
restart: always
volumes:
- /nassella/lldap/var-lib-postgresql:/var/lib/postgresql
networks:
- lldap_db_internal
healthcheck:
test: ["CMD-SHELL", "pg_isready -d `cat $$POSTGRES_DB_FILE` -U `cat $$POSTGRES_USER_FILE`"]
start_period: 15s
interval: 30s
retries: 3
timeout: 5s
secrets:
- lldap_postgres_db
- lldap_postgres_password
- lldap_postgres_user
lldap:
image: lldap/lldap:stable
environment:
- LLDAP_JWT_SECRET_FILE=/run/secrets/lldap_jwt_secret
- LLDAP_LDAP_USER_PASS_FILE=/run/secrets/lldap_admin_password
volumes:
- ./lldap/lldap-config/:/data
networks:
- lb
- lldap_internal
- lldap_db_internal
depends_on:
lldap_db:
condition: service_healthy
secrets:
- lldap_postgres_db
- lldap_postgres_password
- lldap_postgres_user
- lldap_jwt_secret
- lldap_admin_password
networks:
lb:
lldap_internal:
driver: bridge
internal: true
lldap_db_internal:
driver: bridge
internal: true

View File

@@ -0,0 +1,161 @@
## Default configuration for Docker.
## All the values can be overridden through environment variables, prefixed
## with "LLDAP_". For instance, "ldap_port" can be overridden with the
## "LLDAP_LDAP_PORT" variable.
## Tune the logging to be more verbose by setting this to be true.
## You can set it with the LLDAP_VERBOSE environment variable.
# verbose=false
## The host address that the LDAP server will be bound to.
## To enable IPv6 support, simply switch "ldap_host" to "::":
## To only allow connections from localhost (if you want to restrict to local self-hosted services),
## change it to "127.0.0.1" ("::1" in case of IPv6).
## If LLDAP server is running in docker, set it to "0.0.0.0" ("::" for IPv6) to allow connections
## originating from outside the container.
ldap_host = "0.0.0.0"
## The port on which to have the LDAP server.
#ldap_port = 3890
## The host address that the HTTP server will be bound to.
## To enable IPv6 support, simply switch "http_host" to "::".
## To only allow connections from localhost (if you want to restrict to local self-hosted services),
## change it to "127.0.0.1" ("::1" in case of IPv6).
## If LLDAP server is running in docker, set it to "0.0.0.0" ("::" for IPv6) to allow connections
## originating from outside the container.
http_host = "0.0.0.0"
## The port on which to have the HTTP server, for user login and
## administration.
#http_port = 17170
## The public URL of the server, for password reset links.
http_url = "https://$LLDAP_FULL_DOMAIN"
## The path to the front-end assets (relative to the working directory).
#assets_path = "./app"
## Random secret for JWT signature.
## This secret should be random, and should be shared with application
## servers that need to consume the JWTs.
## Changing this secret will invalidate all user sessions and require
## them to re-login.
## You should probably set it through the LLDAP_JWT_SECRET environment
## variable from a secret ".env" file.
## This can also be set from a file's contents by specifying the file path
## in the LLDAP_JWT_SECRET_FILE environment variable
## You can generate it with (on linux):
## LC_ALL=C tr -dc 'A-Za-z0-9!#%&'\''()*+,-./:;<=>?@[\]^_{|}~' </dev/urandom | head -c 32; echo ''
# jwt_secret = "$NASSELLA_LLDAP_JWT_SECRET"
## Base DN for LDAP.
## This is usually your domain name, and is used as a
## namespace for your users. The choice is arbitrary, but will be needed
## to configure the LDAP integration with other services.
## The sample value is for "example.com", but you can extend it with as
## many "dc" as you want, and you don't actually need to own the domain
## name.
ldap_base_dn = "dc=nassella,dc=org"
## Admin username.
## For the LDAP interface, a value of "admin" here will create the LDAP
## user "cn=admin,ou=people,dc=example,dc=com" (with the base DN above).
## For the administration interface, this is the username.
#ldap_user_dn = "admin"
## Admin email.
## Email for the admin account. It is only used when initially creating
## the admin user, and can safely be omitted.
ldap_user_email = "$LLDAP_USER_EMAIL"
## Admin password.
## Password for the admin account, both for the LDAP bind and for the
## administration interface. It is only used when initially creating
## the admin user.
## It should be minimum 8 characters long.
## You can set it with the LLDAP_LDAP_USER_PASS environment variable.
## This can also be set from a file's contents by specifying the file path
## in the LLDAP_LDAP_USER_PASS_FILE environment variable
## Note: you can create another admin user for user administration, this
## is just the default one.
# ldap_user_pass = ""
## Force reset of the admin password.
## Break glass in case of emergency: if you lost the admin password, you
## can set this to true to force a reset of the admin password to the value
## of ldap_user_pass above.
## Alternatively, you can set it to "always" to reset every time the server starts.
# force_ldap_user_pass_reset = false
## Database URL.
## This encodes the type of database (SQlite, MySQL, or PostgreSQL)
## , the path, the user, password, and sometimes the mode (when
## relevant).
## Note: SQlite should come with "?mode=rwc" to create the DB
## if not present.
## Example URLs:
## - "postgres://postgres-user:password@postgres-server/my-database"
## - "mysql://mysql-user:password@mysql-server/my-database"
##
## This can be overridden with the LLDAP_DATABASE_URL env variable.
database_url = "postgres://lldap:$LLDAP_POSTGRES_PASSWORD@lldap_db/lldap"
## Private key file.
## Not recommended, use key_seed instead.
## Contains the secret private key used to store the passwords safely.
## Note that even with a database dump and the private key, an attacker
## would still have to perform an (expensive) brute force attack to find
## each password.
## Randomly generated on first run if it doesn't exist.
## Env variable: LLDAP_KEY_FILE
#key_file = "/data/private_key"
## Seed to generate the server private key, see key_file above.
## This can be any random string, the recommendation is that it's at least 12
## characters long.
## Env variable: LLDAP_KEY_SEED
key_seed = "$LLDAP_KEY_SEED"
## Ignored attributes.
## Some services will request attributes that are not present in LLDAP. When it
## is the case, LLDAP will warn about the attribute being unknown. If you want
## to ignore the attribute and the service works without, you can add it to this
## list to silence the warning.
#ignored_user_attributes = [ "sAMAccountName" ]
#ignored_group_attributes = [ "mail", "userPrincipalName" ]
## Options to configure SMTP parameters, to send password reset emails.
## To set these options from environment variables, use the following format
## (example with "password"): LLDAP_SMTP_OPTIONS__PASSWORD
[smtp_options]
## Whether to enabled password reset via email, from LLDAP.
enable_password_reset=true
## The SMTP server.
server="$SMTP_HOST"
## The SMTP port.
port=$SMTP_PORT
## How the connection is encrypted, either "NONE" (no encryption), "TLS" or "STARTTLS".
smtp_encryption = "TLS"
## The SMTP user, usually your email address.
user="$SMTP_AUTH_USER"
## The SMTP password.
password="$SMTP_AUTH_PASSSWORD"
## The header field, optional: how the sender appears in the email. The first
## is a free-form name, followed by an email between <>.
from="$SMTP_FROM"
## Same for reply-to, optional.
#reply_to="Do not reply <noreply@localhost>"
## Options to configure LDAPS.
## To set these options from environment variables, use the following format
## (example with "port"): LLDAP_LDAPS_OPTIONS__PORT
[ldaps_options]
## Whether to enable LDAPS.
#enabled=true
## Port on which to listen.
#port=6360
## Certificate file.
#cert_file="/data/cert.pem"
## Certificate key file.
#key_file="/data/key.pem"

View File

@@ -0,0 +1,25 @@
#!/bin/bash
set -e
set -a # export everything in the config for later use by envsubst
. $1 # source the apps.config file with then env vars
read -r -a APP_CONFIGS <<< "$APP_CONFIGS"
lldap_subdomain=
for config_string in ${APP_CONFIGS[@]}; do
IFS=','
read -r -a config <<< "$config_string"
app=${config[0]}
subdomain=${config[1]}
if [ "$app" = "lldap" ]; then
lldap_subdomain="$subdomain"
fi
done
export LLDAP_FULL_DOMAIN="$lldap_subdomain.$ROOT_DOMAIN"
envsubst < app/lldap/lldap-config/lldap_config.toml.tmpl > app/lldap/lldap-config/lldap_config.toml

View File

@@ -65,6 +65,14 @@ services:
secrets:
- wordpress_db_password
- wordpress_db_root_password
command:
- --performance-schema=OFF
- --innodb-buffer-pool-size=64M
- --max-connections=10
- --table-open-cache=128
- --table-definition-cache=128
- --thread-cache-size=2
- --innodb-log-buffer-size=8M
# wordpress_init:
# image: wordpress:cli-php8.4

View File

@@ -626,7 +626,9 @@ where user_id=$1;"
(2 . "adding-deployments-instance-backup")
(3 . "normalizing-apps")
(4 . "fixing-app-normalization")
(5 . "adding-wordpress-app")))
(5 . "adding-wordpress-app")
(6 . "adding-lldap-app")
(7 . "adding-authelia-app")))
(define (run-pending-migrations conn)
(let* ((migration-ids (sort (map car *migrations*) <))

View File

@@ -0,0 +1 @@
insert into apps(app_name) values('lldap');

View File

@@ -0,0 +1 @@
insert into apps(app_name) values('authelia');

View File

@@ -947,12 +947,13 @@ chmod -R 777 /opt/keys")))
(input (@ (type "hidden") (name "sid") (value ,(alist-ref 'sid (current-params) equal?))))
(Button (@ (type "submit")) "Create Account"))))))
;; https://app.nassella.org/unsecured/account/create?sid={CHECKOUT_SESSION_ID}
(post "/unsecured/account/create-submit"
(let ((email (stripe-session-email (alist-ref 'sid (current-params))))
(username (alist-ref 'username (current-params))))
(create-lldap-user username email)
(with-db/transaction (lambda (db) (create-user db email username))))
(redirect "/authelia/reset-password"))
(let ((email (stripe-session-email (alist-ref 'sid (current-params))))
(username (alist-ref 'username (current-params))))
(create-lldap-user username email)
(with-db/transaction (lambda (db) (create-user db email username))))
(redirect "/authelia/reset-password"))
;;; REQUIRES AUTHED USER
(post "/config/wizard/create-instance"
@@ -1112,6 +1113,8 @@ chmod -R 777 /opt/keys")))
(else
'()))
(Field (@ (name "wordpress") (type "checkbox") (label ("wordpress")) (checked ,(member 'wordpress (alist-ref 'selected-apps results)))))
(Field (@ (name "lldap") (type "checkbox") (label ("lldap")) (checked ,(member 'lldap (alist-ref 'selected-apps results)))))
(Field (@ (name "authelia") (type "checkbox") (label ("authelia")) (checked ,(member 'authelia (alist-ref 'selected-apps results)))))
(Field (@ (name "log-viewer") (type "checkbox") (label ("Log Viewer")) (checked #t) (disabled "disabled"))))
;; TODO add config for when automatic upgrades are scheduled for?
;; TODO add config for server timezone?
@@ -1131,6 +1134,8 @@ chmod -R 777 /opt/keys")))
(ghost . ,(or (and (alist-ref 'ghost (current-params)) "6") #f))
(nassella . ,(or (and (alist-ref 'nassella (current-params)) "b0.0.1") #f))
(wordpress . ,(or (and (alist-ref 'wordpress (current-params)) "8.4") #f))
(lldap . ,(or (and (alist-ref 'lldap (current-params)) "0.6.3") #f))
(authelia . ,(or (and (alist-ref 'authelia (current-params)) "4") #f))
(instance-control . "b0.0.1")
(log-viewer . "20"))))
(update-root-domain db
@@ -1194,6 +1199,20 @@ chmod -R 777 /opt/keys")))
(@ (title "Wordpress"))
(Field (@ (name "wordpress-subdomain") (label ("Subdomain")) (value ,(alist-ref 'subdomain (alist-ref 'wordpress app-config eq? '()) eq? "wordpress"))))))
'())
,@(if (member 'lldap selected-apps)
`((Fieldset
(@ (title "LLDAP"))
(Field (@ (name "lldap-subdomain") (label ("Subdomain")) (value ,(alist-ref 'subdomain (alist-ref 'lldap app-config eq? '()) eq? "lldap"))))
(Field (@ (name "lldap-user-email") (label ("Admin Email Address")) (type "email")
(value ,(alist-ref 'user-email (alist-ref 'lldap app-config eq? '()) eq? ""))))
(Field (@ (name "lldap-admin-password") (label ("Admin Password")) (type "password")
(value ,(alist-ref 'admin-password (alist-ref 'lldap app-config eq? '()) eq? ""))))))
'())
,@(if (member 'authelia selected-apps)
`((Fieldset
(@ (title "Authelia"))
(Field (@ (name "authelia-subdomain") (label ("Subdomain")) (value ,(alist-ref 'subdomain (alist-ref 'authelia app-config eq? '()) eq? "authelia"))))))
'())
(Fieldset
(@ (title "Log Viewer"))
(Field (@ (name "log-viewer-subdomain") (label ("Subdomain"))
@@ -1202,7 +1221,7 @@ chmod -R 777 /opt/keys")))
(value ,(alist-ref 'user (alist-ref 'log-viewer app-config eq? '()) eq? ""))))
(Field (@ (name "log-viewer-password") (label ("Password")) (type "password")
(value ,(alist-ref 'password (alist-ref 'log-viewer app-config eq? '()) eq? "")))))
,@(if (or (member 'nextcloud selected-apps) (member 'ghost selected-apps) (member 'nassella selected-apps))
,@(if (or (member 'nextcloud selected-apps) (member 'ghost selected-apps) (member 'nassella selected-apps) (member 'authelia selected-apps))
`((Fieldset
(@ (title "All Apps - Email - SMTP"))
(Field (@ (name "smtp-host") (label ("Host"))
@@ -1276,6 +1295,31 @@ chmod -R 777 /opt/keys")))
(db-root-password . ,(or (alist-ref 'db-root-password
(alist-ref 'wordpress config eq? '()))
(generate-postgres-password)))))
(lldap . ((subdomain . ,(alist-ref 'lldap-subdomain (current-params)))
(db-password . ,(or (alist-ref 'db-password
(alist-ref 'lldap config eq? '()))
(generate-postgres-password)))
(jwt-secret . ,(or (alist-ref 'jwt-secret
(alist-ref 'lldap config eq? '()))
(generate-jwt-secret)))
(key-seed . ,(or (alist-ref 'key-seed
(alist-ref 'lldap config eq? '()))
(generate-key-seed)))
(admin-password . ,(alist-ref 'lldap-admin-password (current-params)))
(user-email . ,(alist-ref 'lldap-user-email (current-params)))))
(authelia . ((subdomain . ,(alist-ref 'authelia-subdomain (current-params)))
(db-password . ,(or (alist-ref 'db-password
(alist-ref 'authelia config eq? '()))
(generate-postgres-password)))
(jwt-secret . ,(or (alist-ref 'jwt-secret
(alist-ref 'authelia config eq? '()))
(generate-jwt-secret)))
(session-secret . ,(or (alist-ref 'session-secret
(alist-ref 'authelia config eq? '()))
(generate-authelia-key-seed)))
(encryption-key . ,(or (alist-ref 'encryption-key
(alist-ref 'authelia config eq? '()))
(generate-authelia-key-seed)))))
(log-viewer . ((subdomain . ,(alist-ref 'log-viewer-subdomain (current-params)))
(user . ,(alist-ref 'log-viewer-user (current-params)))
(password . ,(alist-ref 'log-viewer-password (current-params)))))
@@ -1406,7 +1450,6 @@ chmod -R 777 /opt/keys")))
(VStack
(Form-Nav (@ (back-to ,(conc "/config/wizard/machine2/" instance-id)) (submit-button "Launch")))))))))
;; TODO should this perform a backup and then run the systemctl stop app command first?
(post "/config/wizard/review-submit/:id"
(let* ((instance-id (alist-ref "id" (current-params) equal?))
(status (string->symbol
@@ -1479,6 +1522,19 @@ chmod -R 777 /opt/keys")))
("NASSELLA_AUTHELIA_KEY_SEED" . ,(alist-ref 'authelia-key-seed (alist-ref 'nassella config)))
("WORDPRESS_DB_PASSWORD" . ,(alist-ref 'db-password (alist-ref 'wordpress config)))
("WORDPRESS_DB_ROOT_PASSWORD" . ,(alist-ref 'db-root-password (alist-ref 'wordpress config)))
("LLDAP_POSTGRES_DB" . "lldap")
("LLDAP_POSTGRES_USER" . "lldap")
("LLDAP_POSTGRES_PASSWORD" . ,(alist-ref 'db-password (alist-ref 'lldap config)))
("LLDAP_JWT_SECRET" . ,(alist-ref 'jwt-secret (alist-ref 'lldap config)))
("LLDAP_KEY_SEED" . ,(alist-ref 'key-seed (alist-ref 'lldap config)))
("LLDAP_ADMIN_PASSWORD" . ,(alist-ref 'admin-password (alist-ref 'lldap config)))
("LLDAP_USER_EMAIL" . ,(alist-ref 'user-email (alist-ref 'lldap config)))
("AUTHELIA_POSTGRES_DB" . "authelia")
("AUTHELIA_POSTGRES_USER" . "authelia")
("AUTHELIA_POSTGRES_PASSWORD" . ,(alist-ref 'db-password (alist-ref 'authelia config)))
("AUTHELIA_JWT_SECRET" . ,(alist-ref 'jwt-secret (alist-ref 'authelia config)))
("AUTHELIA_SESSION_SECRET" . ,(alist-ref 'session-secret (alist-ref 'authelia config)))
("AUTHELIA_ENCRYPTION_KEY" . ,(alist-ref 'encryption-key (alist-ref 'authelia config)))
("SMTP_HOST" . ,(alist-ref 'smtp-host (alist-ref 'all-apps config)))
("SMTP_PORT" . ,(alist-ref 'smtp-port (alist-ref 'all-apps config)))
("SMTP_AUTH_USER" . ,(alist-ref 'smtp-auth-user (alist-ref 'all-apps config)))
@@ -1518,6 +1574,7 @@ chmod -R 777 /opt/keys")))
(with-db/transaction
(lambda (db)
(update-deployment-progress db deployment-id '((instance-backup . in-progress)))))
;; ;; TODO does this handle new deployments? We should not do a back up if this is new!
;; (handle-exceptions
;; exn
;; (with-db/transaction