website: codespell with custom dictionary and CI (#5062)
This commit is contained in:
parent
5b9f35a4a1
commit
5d84f2a079
|
@ -15,3 +15,6 @@ indent_size = 2
|
||||||
|
|
||||||
[*.go]
|
[*.go]
|
||||||
indent_style = tab
|
indent_style = tab
|
||||||
|
|
||||||
|
[Makefile]
|
||||||
|
indent_style = tab
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
authentic->authentik
|
|
@ -29,6 +29,7 @@ jobs:
|
||||||
- bandit
|
- bandit
|
||||||
- pyright
|
- pyright
|
||||||
- pending-migrations
|
- pending-migrations
|
||||||
|
- codespell
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v3
|
- uses: actions/checkout@v3
|
||||||
|
|
26
Makefile
26
Makefile
|
@ -4,6 +4,20 @@ UID = $(shell id -u)
|
||||||
GID = $(shell id -g)
|
GID = $(shell id -g)
|
||||||
NPM_VERSION = $(shell python -m scripts.npm_version)
|
NPM_VERSION = $(shell python -m scripts.npm_version)
|
||||||
|
|
||||||
|
CODESPELL_ARGS = -D - -D .github/codespell-dictionary.txt \
|
||||||
|
-I .github/codespell-words.txt \
|
||||||
|
-S 'web/src/locales/**' \
|
||||||
|
authentik \
|
||||||
|
internal \
|
||||||
|
cmd \
|
||||||
|
web/src \
|
||||||
|
website/src \
|
||||||
|
website/blog \
|
||||||
|
website/developer-docs \
|
||||||
|
website/docs \
|
||||||
|
website/integrations \
|
||||||
|
website/src
|
||||||
|
|
||||||
all: lint-fix lint test gen web
|
all: lint-fix lint test gen web
|
||||||
|
|
||||||
test-go:
|
test-go:
|
||||||
|
@ -26,14 +40,7 @@ test:
|
||||||
lint-fix:
|
lint-fix:
|
||||||
isort authentik tests scripts lifecycle
|
isort authentik tests scripts lifecycle
|
||||||
black authentik tests scripts lifecycle
|
black authentik tests scripts lifecycle
|
||||||
codespell -I .github/codespell-words.txt -S 'web/src/locales/**' -w \
|
codespell -w $(CODESPELL_ARGS)
|
||||||
authentik \
|
|
||||||
internal \
|
|
||||||
cmd \
|
|
||||||
web/src \
|
|
||||||
website/src \
|
|
||||||
website/docs \
|
|
||||||
website/developer-docs
|
|
||||||
|
|
||||||
lint:
|
lint:
|
||||||
pylint authentik tests lifecycle
|
pylint authentik tests lifecycle
|
||||||
|
@ -172,6 +179,9 @@ ci-pylint: ci--meta-debug
|
||||||
ci-black: ci--meta-debug
|
ci-black: ci--meta-debug
|
||||||
black --check $(PY_SOURCES)
|
black --check $(PY_SOURCES)
|
||||||
|
|
||||||
|
ci-codespell: ci--meta-debug
|
||||||
|
codespell $(CODESPELL_ARGS) -s
|
||||||
|
|
||||||
ci-isort: ci--meta-debug
|
ci-isort: ci--meta-debug
|
||||||
isort --check $(PY_SOURCES)
|
isort --check $(PY_SOURCES)
|
||||||
|
|
||||||
|
|
|
@ -38,7 +38,7 @@ We have a roadmap with several new features, and we want to hear your opinions o
|
||||||
Roadmapped features include:
|
Roadmapped features include:
|
||||||
|
|
||||||
- **RBAC**
|
- **RBAC**
|
||||||
- Currently there’s only the option of users to be superusers or regular users, and superusers can edit everything, including all authentic objects. This goes against the security principle of [least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege), and as such goes against our security-focused mantra. Role-based access control (RBAC) restricts CRUD rights on authentik objects based on a specific _role,_ providing even more fine-grained control.
|
- Currently there’s only the option of users to be superusers or regular users, and superusers can edit everything, including all authentik objects. This goes against the security principle of [least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege), and as such goes against our security-focused mantra. Role-based access control (RBAC) restricts CRUD rights on authentik objects based on a specific _role,_ providing even more fine-grained control.
|
||||||
- **UX improvements**
|
- **UX improvements**
|
||||||
- Ease of use and clear, intuitive UIs is always one of our main goals, and we’re now focusing yet more on making the experience of using authentik even better. Less jumping around in the UI and more helpful context actions, suggestions, and recommendations.
|
- Ease of use and clear, intuitive UIs is always one of our main goals, and we’re now focusing yet more on making the experience of using authentik even better. Less jumping around in the UI and more helpful context actions, suggestions, and recommendations.
|
||||||
- **Push-notification multifactor authentication** (Enterprise)
|
- **Push-notification multifactor authentication** (Enterprise)
|
||||||
|
@ -66,7 +66,7 @@ The following offerings are described in detail on the new page (coming soon!) i
|
||||||
Our forever-free offering, the open source authentik project, has been active for over 5 years, and now has the support of Authentik Security. For self-hosted environments, works using all major authentication protocols (OAuth2/OpenID Connect, SAML, LDAP, and proxy authentication), with an advanced, customizable policy engine, and community support.
|
Our forever-free offering, the open source authentik project, has been active for over 5 years, and now has the support of Authentik Security. For self-hosted environments, works using all major authentication protocols (OAuth2/OpenID Connect, SAML, LDAP, and proxy authentication), with an advanced, customizable policy engine, and community support.
|
||||||
|
|
||||||
- Enterprise Self-hosted:
|
- Enterprise Self-hosted:
|
||||||
Our Enterprise Self-hosted plan offers all of the features of open source authentic (and is still source-available), plus releases with long-term-support (LTS), an enterprise-level support plan, and additional features for larger organizations such as AI-based risk assessment and multifactor authentication (MFA) with push notification.
|
Our Enterprise Self-hosted plan offers all of the features of open source authentik (and is still source-available), plus releases with long-term-support (LTS), an enterprise-level support plan, and additional features for larger organizations such as AI-based risk assessment and multifactor authentication (MFA) with push notification.
|
||||||
- Enterprise Cloud:
|
- Enterprise Cloud:
|
||||||
The Enterprise Cloud plan provides the convenience of our enterprise-level product as a SaaS offering, hosted and managed by Authentik Security. For many organizations, the benefits of decreased operational costs and universal data access (no VPN, servers, and network configuration required) make SaaS the best choice. With the cloud offering, the same enterprise-level support plan is included, and migrating to self-hosted is always an option.
|
The Enterprise Cloud plan provides the convenience of our enterprise-level product as a SaaS offering, hosted and managed by Authentik Security. For many organizations, the benefits of decreased operational costs and universal data access (no VPN, servers, and network configuration required) make SaaS the best choice. With the cloud offering, the same enterprise-level support plan is included, and migrating to self-hosted is always an option.
|
||||||
|
|
||||||
|
|
|
@ -95,7 +95,7 @@ SAML2_GROUP_ATTRIBUTE=http://schemas.xmlsoap.org/claims/Group
|
||||||
SAML2_DISPLAY_NAME_ATTRIBUTES=http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
|
SAML2_DISPLAY_NAME_ATTRIBUTES=http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
|
||||||
# Identity Provider entityID URL
|
# Identity Provider entityID URL
|
||||||
SAML2_IDP_ENTITYID=METADATAURL
|
SAML2_IDP_ENTITYID=METADATAURL
|
||||||
# Auto-load metatadata from the IDP
|
# Auto-load metadata from the IDP
|
||||||
# Setting this to true negates the need to specify the next three options
|
# Setting this to true negates the need to specify the next three options
|
||||||
SAML2_AUTOLOAD_METADATA=true
|
SAML2_AUTOLOAD_METADATA=true
|
||||||
|
|
||||||
|
|
|
@ -51,9 +51,9 @@ The following placeholders will be used:
|
||||||
- `StartTLS`: Unchecked
|
- `StartTLS`: Unchecked
|
||||||
- `Skip SSL/TLS Verification`:
|
- `Skip SSL/TLS Verification`:
|
||||||
- If using a certificate issued by a certificate authority Jellyfin trusts, leave this unchecked.
|
- If using a certificate issued by a certificate authority Jellyfin trusts, leave this unchecked.
|
||||||
- If you're using a self signed certifcate, check this box.
|
- If you're using a self signed certificate, check this box.
|
||||||
- `Allow password change`: Unchecked
|
- `Allow password change`: Unchecked
|
||||||
- Since authentik already has a frontend for password resets, its not nessessary to include this in Jellyfin, especially since it requires bind user to have privileges.
|
- Since authentik already has a frontend for password resets, its not necessary to include this in Jellyfin, especially since it requires bind user to have privileges.
|
||||||
- `Password Reset URL`: Empty
|
- `Password Reset URL`: Empty
|
||||||
- `LDAP Bind User`: Set this to a the user you want to bind to in authentik. By default the path will be `ou=users,dc=company,dc=com` so the LDAP Bind user will be `cn=ldap_bind_user,ou=users,dc=company,dc=com`.
|
- `LDAP Bind User`: Set this to a the user you want to bind to in authentik. By default the path will be `ou=users,dc=company,dc=com` so the LDAP Bind user will be `cn=ldap_bind_user,ou=users,dc=company,dc=com`.
|
||||||
- `LDAP Bind User Password`: The Password of the user. If using a Service account, this is the token.
|
- `LDAP Bind User Password`: The Password of the user. If using a Service account, this is the token.
|
||||||
|
|
|
@ -68,7 +68,7 @@ Group based permissions are not implemented in the below example
|
||||||
|
|
||||||
Use npm to install passport-openidconnect
|
Use npm to install passport-openidconnect
|
||||||
|
|
||||||
Navigate to the node-red `node_modules` directory, this is dependant on your chosen install method. In the official Node-RED docker container the `node_modules` directory is located in the data volume `data/node_modules/`. Alternatively enter the docker container `docker exec -it nodered bash` and `cd /data/node_modules` to utilise npm within the docker container.
|
Navigate to the node-red `node_modules` directory, this is dependent on your chosen install method. In the official Node-RED docker container the `node_modules` directory is located in the data volume `data/node_modules/`. Alternatively enter the docker container `docker exec -it nodered bash` and `cd /data/node_modules` to utilise npm within the docker container.
|
||||||
|
|
||||||
Run the command `npm install passport-openidconnect`
|
Run the command `npm install passport-openidconnect`
|
||||||
|
|
||||||
|
|
|
@ -45,7 +45,7 @@ Now restart your container:
|
||||||
**Provider**
|
**Provider**
|
||||||
In authentik, go to the Admin Interface and click _Applications/Providers_.
|
In authentik, go to the Admin Interface and click _Applications/Providers_.
|
||||||
|
|
||||||
Create a Proxy Provider. Give it a name (e.g. `Paperless Proxy`), then choose explicit or implicit consent (whether you want authentic to show a button to proceed to Paperless after login, or to just go there).
|
Create a Proxy Provider. Give it a name (e.g. `Paperless Proxy`), then choose explicit or implicit consent (whether you want authentik to show a button to proceed to Paperless after login, or to just go there).
|
||||||
|
|
||||||
Choose Forward Auth (single application), then add the External host: `https://paperless.company`
|
Choose Forward Auth (single application), then add the External host: `https://paperless.company`
|
||||||
|
|
||||||
|
|
|
@ -57,7 +57,7 @@ In authentik, create an outpost (under _Applications/Outposts_) of type `LDAP` t
|
||||||
- Name: LDAP
|
- Name: LDAP
|
||||||
- Type: LDAP
|
- Type: LDAP
|
||||||
|
|
||||||
## pfSense unsecure setup (without SSL)
|
## pfSense insecure setup (without SSL)
|
||||||
|
|
||||||
:::caution
|
:::caution
|
||||||
This setup should only be used for testing purpose, because passwords will be sent in clear text to authentik.
|
This setup should only be used for testing purpose, because passwords will be sent in clear text to authentik.
|
||||||
|
|
|
@ -13,7 +13,7 @@ QNAP Systems, Inc. is a Taiwanese corporation that specializes in network-attach
|
||||||
Connecting a QNAP NAS to an LDAP Directory is a little bit special
|
Connecting a QNAP NAS to an LDAP Directory is a little bit special
|
||||||
as it is **not** (well) documented what really is done behind the scenes of QNAP.
|
as it is **not** (well) documented what really is done behind the scenes of QNAP.
|
||||||
|
|
||||||
## Preperation
|
## Preparation
|
||||||
|
|
||||||
The following placeholders will be used:
|
The following placeholders will be used:
|
||||||
|
|
||||||
|
|
|
@ -16,7 +16,7 @@ It provides full functionality you expect from an email client, including MIME s
|
||||||
This integration describes how to use Roundcube's oauth support with authentik to automatically sign into an email account.
|
This integration describes how to use Roundcube's oauth support with authentik to automatically sign into an email account.
|
||||||
The mail server must support XOAUTH2 for both SMTPD and IMAP/POP. Postfix SMTP server can also use Dovecot for authentication which provides Postfix with xoauth2 capability without configuring it separately.
|
The mail server must support XOAUTH2 for both SMTPD and IMAP/POP. Postfix SMTP server can also use Dovecot for authentication which provides Postfix with xoauth2 capability without configuring it separately.
|
||||||
|
|
||||||
## Preperation
|
## Preparation
|
||||||
|
|
||||||
The following placeholders will be used:
|
The following placeholders will be used:
|
||||||
|
|
||||||
|
|
|
@ -87,7 +87,7 @@ Change the following fields
|
||||||
- LDAP Filter: &(objectClass=user)
|
- LDAP Filter: &(objectClass=user)
|
||||||
- Username Field: mail
|
- Username Field: mail
|
||||||
:::note
|
:::note
|
||||||
Setting the Username fieled to mail is recommended in order to ensure the usernameisunique. See https://snipe-it.readme.io/docs/ldap-sync-login
|
Setting the Username field to mail is recommended in order to ensure the usernameisunique. See https://snipe-it.readme.io/docs/ldap-sync-login
|
||||||
:::
|
:::
|
||||||
- Allow unauthenticated bind: **unticked**
|
- Allow unauthenticated bind: **unticked**
|
||||||
- Last Name: sn
|
- Last Name: sn
|
||||||
|
|
|
@ -17,7 +17,7 @@ a consequence, it cannot be used to provide automount or sudo
|
||||||
configuration nor can it provide netgroups or services to `nss`.
|
configuration nor can it provide netgroups or services to `nss`.
|
||||||
Kerberos is also not supported.
|
Kerberos is also not supported.
|
||||||
|
|
||||||
## Preperation
|
## Preparation
|
||||||
|
|
||||||
The following placeholders will be used:
|
The following placeholders will be used:
|
||||||
|
|
||||||
|
|
|
@ -9,7 +9,7 @@ title: TrueNAS TrueCommand
|
||||||
From https://www.truenas.com/truecommand/
|
From https://www.truenas.com/truecommand/
|
||||||
:::note
|
:::note
|
||||||
What is TrueCommand?
|
What is TrueCommand?
|
||||||
TrueCommand is a ZFS-aware solution allowing you to set custom alerts on statistics like ARC usage or pool capacity and ensuring storag
|
TrueCommand is a ZFS-aware solution allowing you to set custom alerts on statistics like ARC usage or pool capacity and ensuring storage
|
||||||
e uptime and future planning. TrueCommand also identifies and pinpoints errors on drives or vdevs (RAID groups), saving you valuable ti
|
e uptime and future planning. TrueCommand also identifies and pinpoints errors on drives or vdevs (RAID groups), saving you valuable ti
|
||||||
me when resolving issues.
|
me when resolving issues.
|
||||||
:::
|
:::
|
||||||
|
|
|
@ -53,6 +53,6 @@ To avoid that all users get admin access to Uptime Kuma create a group in authen
|
||||||
|
|
||||||
## Uptime Kuma
|
## Uptime Kuma
|
||||||
|
|
||||||
Disble auth from Uptime Kuma, go to `Settings` > `Advanced` > `Disable Auth`
|
Disable auth from Uptime Kuma, go to `Settings` > `Advanced` > `Disable Auth`
|
||||||
|
|
||||||
To access the dashboard, open `https://uptime-kuma.company/dashboard`, this will start the login with authentik. You can also set this address as the Launch URL for the application.
|
To access the dashboard, open `https://uptime-kuma.company/dashboard`, this will start the login with authentik. You can also set this address as the Launch URL for the application.
|
||||||
|
|
|
@ -75,7 +75,7 @@ return request.user.email
|
||||||
|
|
||||||
## Weblate configuration
|
## Weblate configuration
|
||||||
|
|
||||||
The variables bellow need to be set, depending on if you deploy in a container or not you can take a look at the following links
|
The variables below need to be set, depending on if you deploy in a container or not you can take a look at the following links
|
||||||
|
|
||||||
- https://docs.weblate.org/en/latest/admin/config.html#config
|
- https://docs.weblate.org/en/latest/admin/config.html#config
|
||||||
- https://docs.weblate.org/en/latest/admin/install/docker.html#docker-environment
|
- https://docs.weblate.org/en/latest/admin/install/docker.html#docker-environment
|
||||||
|
@ -96,4 +96,4 @@ Should you wish to only allow registration and login through Authentik, you shou
|
||||||
- REQUIRE_LOGIN: `1`
|
- REQUIRE_LOGIN: `1`
|
||||||
- NO_EMAIL_AUTH: `1`
|
- NO_EMAIL_AUTH: `1`
|
||||||
|
|
||||||
Should you wish to deploy this in a container prefix all the variables with `WEBLATE_` and set them as enviornment variables
|
Should you wish to deploy this in a container prefix all the variables with `WEBLATE_` and set them as environment variables
|
||||||
|
|
|
@ -61,7 +61,7 @@ In authentik, create an application (under _Resources/Applications_) with these
|
||||||
|
|
||||||
## zammad Setup
|
## zammad Setup
|
||||||
|
|
||||||
Configure Zammad SAML settings by going to settings (the gear icon), and selecting `Security -> Third-party Applications` and activiate `Authentication via SAML` and change the following fields:
|
Configure Zammad SAML settings by going to settings (the gear icon), and selecting `Security -> Third-party Applications` and activate `Authentication via SAML` and change the following fields:
|
||||||
|
|
||||||
- Display name: authentik
|
- Display name: authentik
|
||||||
- IDP SSO target URL: https://authentik.company/application/saml/ticketsystem-seatable/sso/binding/init/
|
- IDP SSO target URL: https://authentik.company/application/saml/ticketsystem-seatable/sso/binding/init/
|
||||||
|
|
|
@ -13,7 +13,7 @@ From https://zulip.com
|
||||||
With Zulip, you can catch up on important conversations while ignoring irrelevant ones.
|
With Zulip, you can catch up on important conversations while ignoring irrelevant ones.
|
||||||
:::
|
:::
|
||||||
|
|
||||||
## Preperation
|
## Preparation
|
||||||
|
|
||||||
The following placeholders will be used:
|
The following placeholders will be used:
|
||||||
|
|
||||||
|
|
|
@ -136,7 +136,7 @@ module.exports = {
|
||||||
items: [
|
items: [
|
||||||
{
|
{
|
||||||
type: "category",
|
type: "category",
|
||||||
label: "Directory syncronization",
|
label: "Directory synchronization",
|
||||||
items: [
|
items: [
|
||||||
"sources/active-directory/index",
|
"sources/active-directory/index",
|
||||||
"sources/freeipa/index",
|
"sources/freeipa/index",
|
||||||
|
|
Reference in New Issue