2020-09-09 22:14:59 +00:00
|
|
|
#!/bin/bash -e
|
2021-11-19 23:32:24 +00:00
|
|
|
function log {
|
|
|
|
printf '{"event": "%s", "level": "info", "logger": "bootstrap"}\n' "$@" > /dev/stderr
|
|
|
|
}
|
|
|
|
|
2021-11-25 12:38:31 +00:00
|
|
|
function wait_for_db {
|
|
|
|
python -m lifecycle.wait_for_db
|
|
|
|
log "Bootstrap completed"
|
|
|
|
}
|
2021-05-13 18:11:49 +00:00
|
|
|
|
|
|
|
function check_if_root {
|
|
|
|
if [[ $EUID -ne 0 ]]; then
|
2021-11-19 23:32:24 +00:00
|
|
|
log "Not running as root, disabling permission fixes"
|
2021-05-13 20:55:35 +00:00
|
|
|
$1
|
2021-05-13 18:11:49 +00:00
|
|
|
return
|
|
|
|
fi
|
|
|
|
SOCKET="/var/run/docker.sock"
|
2021-06-09 13:56:12 +00:00
|
|
|
GROUP="authentik"
|
2021-05-13 18:11:49 +00:00
|
|
|
if [[ -e "$SOCKET" ]]; then
|
|
|
|
# Get group ID of the docker socket, so we can create a matching group and
|
|
|
|
# add ourselves to it
|
|
|
|
DOCKER_GID=$(stat -c '%g' $SOCKET)
|
2021-09-09 13:24:35 +00:00
|
|
|
# Ensure group for the id exists
|
2021-05-13 22:50:20 +00:00
|
|
|
getent group $DOCKER_GID || groupadd -f -g $DOCKER_GID docker
|
2021-05-13 18:11:49 +00:00
|
|
|
usermod -a -G $DOCKER_GID authentik
|
2021-09-09 13:24:35 +00:00
|
|
|
# since the name of the group might not be docker, we need to lookup the group id
|
2021-12-04 19:06:02 +00:00
|
|
|
GROUP_NAME=$(getent group $DOCKER_GID | sed 's/:/\n/g' | head -1)
|
2021-09-09 13:24:35 +00:00
|
|
|
GROUP="authentik:${GROUP_NAME}"
|
2021-05-13 18:11:49 +00:00
|
|
|
fi
|
|
|
|
# Fix permissions of backups and media
|
2021-12-03 17:27:06 +00:00
|
|
|
chown -R authentik:authentik /media /backups /certs
|
2021-06-09 13:56:12 +00:00
|
|
|
chpst -u authentik:$GROUP env HOME=/authentik $1
|
2021-05-13 18:11:49 +00:00
|
|
|
}
|
|
|
|
|
2021-11-19 23:32:24 +00:00
|
|
|
function prefixwith {
|
|
|
|
local prefix="$1"
|
|
|
|
shift
|
|
|
|
"$@" > >(sed "s/^/$prefix: /") 2> >(sed "s/^/$prefix (err): /" >&2)
|
|
|
|
}
|
|
|
|
|
|
|
|
function restore {
|
|
|
|
PG_HOST=$(python -m authentik.lib.config postgresql.host 2> /dev/null)
|
|
|
|
PG_NAME=$(python -m authentik.lib.config postgresql.name 2> /dev/null)
|
|
|
|
PG_USER=$(python -m authentik.lib.config postgresql.user 2> /dev/null)
|
|
|
|
PG_PORT=$(python -m authentik.lib.config postgresql.port 2> /dev/null)
|
|
|
|
export PGPASSWORD=$(python -m authentik.lib.config postgresql.password 2> /dev/null)
|
|
|
|
log "Ensuring no one can connect to the database"
|
|
|
|
prefixwith "psql" psql -h"${PG_HOST}" -U"${PG_USER}" -c"UPDATE pg_database SET datallowconn = 'false' WHERE datname = '${PG_NAME}';" "postgres"
|
|
|
|
prefixwith "psql" psql -h"${PG_HOST}" -U"${PG_USER}" -c"SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE datname = '${PG_NAME}';" "postgres"
|
|
|
|
log "deleting and re-creating database"
|
|
|
|
prefixwith "psql" dropdb -h"${PG_HOST}" -U"${PG_USER}" "${PG_NAME}" || trueacku
|
|
|
|
prefixwith "psql" createdb -h"${PG_HOST}" -U"${PG_USER}" "${PG_NAME}"
|
|
|
|
log "running initial migrations"
|
|
|
|
prefixwith "migrate" python -m lifecycle.migrate 2> /dev/null
|
|
|
|
log "restoring database"
|
|
|
|
prefixwith "restore" python -m manage dbrestore -i ${@:2}
|
|
|
|
}
|
|
|
|
|
2021-10-05 18:45:18 +00:00
|
|
|
MODE_FILE="/tmp/authentik-mode"
|
|
|
|
|
2020-09-09 22:14:59 +00:00
|
|
|
if [[ "$1" == "server" ]]; then
|
2021-11-25 12:38:31 +00:00
|
|
|
wait_for_db
|
2021-10-05 18:45:18 +00:00
|
|
|
echo "server" > $MODE_FILE
|
2021-10-12 12:44:32 +00:00
|
|
|
# We only set prometheus_multiproc_dir for serer, as with the worker it just fills up the disk
|
2022-01-19 08:42:46 +00:00
|
|
|
# as one file is created per process
|
|
|
|
#
|
|
|
|
# Set to TMPDIR instead hardcoded path so this can be used outside docker too
|
|
|
|
export prometheus_multiproc_dir=$TMPDIR
|
2021-04-18 12:47:50 +00:00
|
|
|
python -m lifecycle.migrate
|
2021-05-02 22:49:16 +00:00
|
|
|
/authentik-proxy
|
2020-09-09 22:14:59 +00:00
|
|
|
elif [[ "$1" == "worker" ]]; then
|
2021-10-05 18:45:18 +00:00
|
|
|
echo "worker" > $MODE_FILE
|
2021-12-24 22:25:38 +00:00
|
|
|
check_if_root "celery -A authentik.root.celery worker -Ofair --max-tasks-per-child=1 --autoscale 3,1 -E -B -s /tmp/celerybeat-schedule -Q authentik,authentik_scheduled,authentik_events"
|
2021-12-09 10:38:57 +00:00
|
|
|
elif [[ "$1" == "flower" ]]; then
|
|
|
|
echo "flower" > $MODE_FILE
|
|
|
|
celery -A authentik.root.celery flower
|
2020-10-03 18:36:36 +00:00
|
|
|
elif [[ "$1" == "backup" ]]; then
|
2021-11-25 12:38:31 +00:00
|
|
|
wait_for_db
|
2020-10-03 18:36:36 +00:00
|
|
|
python -m manage dbbackup --clean
|
|
|
|
elif [[ "$1" == "restore" ]]; then
|
2021-11-25 12:38:31 +00:00
|
|
|
wait_for_db
|
2021-11-19 23:32:24 +00:00
|
|
|
restore $@
|
2020-10-03 18:36:36 +00:00
|
|
|
elif [[ "$1" == "bash" ]]; then
|
|
|
|
/bin/bash
|
2021-06-09 13:50:32 +00:00
|
|
|
elif [[ "$1" == "test" ]]; then
|
2022-01-06 20:29:08 +00:00
|
|
|
# https://github.com/python-poetry/poetry/issues/4493
|
|
|
|
pip install platformdirs
|
2021-12-24 22:25:38 +00:00
|
|
|
poetry install
|
2021-06-09 14:03:51 +00:00
|
|
|
touch /unittest.xml
|
|
|
|
chown authentik:authentik /unittest.xml
|
2021-06-09 13:50:32 +00:00
|
|
|
check_if_root "python -m manage test authentik"
|
2021-10-05 18:45:18 +00:00
|
|
|
elif [[ "$1" == "healthcheck" ]]; then
|
|
|
|
mode=$(cat $MODE_FILE)
|
2021-10-05 19:03:54 +00:00
|
|
|
if [[ $mode == "server" ]]; then
|
2021-10-05 20:19:33 +00:00
|
|
|
curl --user-agent "goauthentik.io lifecycle Healthcheck" -I http://localhost:9000/-/health/ready/
|
2021-10-05 18:45:18 +00:00
|
|
|
elif [[ $mode == "worker" ]]; then
|
2021-10-16 12:28:05 +00:00
|
|
|
celery -A authentik.root.celery inspect ping -d celery@$HOSTNAME --timeout 5 -j
|
2021-12-09 10:38:57 +00:00
|
|
|
elif [[ $mode == "flower" ]]; then
|
|
|
|
curl http://localhost:5555/metrics
|
2021-10-05 18:45:18 +00:00
|
|
|
fi
|
2021-11-25 12:38:31 +00:00
|
|
|
elif [[ "$1" == "dump_config" ]]; then
|
|
|
|
python -m authentik.lib.config
|
2020-09-09 22:14:59 +00:00
|
|
|
else
|
|
|
|
python -m manage "$@"
|
|
|
|
fi
|