From cfa5473e34264258db892765a7d1d341a1d08565 Mon Sep 17 00:00:00 2001
From: Ian Roddis <31021769+iroddis@users.noreply.github.com>
Date: Sat, 2 May 2026 09:33:13 -0300
Subject: [PATCH] updating configure script

---
 configure.py | 84 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 84 insertions(+)

diff --git a/configure.py b/configure.py
index 595a863..ce5447d 100644
--- a/configure.py
+++ b/configure.py
@@ -220,6 +220,17 @@ class Config:
     forgejo_lfs_jwt_secret: str
     forgejo_ssh_port: int
 
+    # Automatisch
+    automatisch_db_password: str
+    automatisch_encryption_key: str
+    automatisch_webhook_secret_key: str
+    automatisch_app_secret_key: str
+
+    # Twenty CRM
+    twenty_app_secret: str
+    twenty_db_password: str
+    twenty_oidc_client_secret: str
+
     # SMTP
     smtp_host: str
     smtp_port: int
@@ -365,6 +376,31 @@ cryptographically secure random source.
     forgejo_ssh_port = int(prompt("SSH port", "2222"))
     generated("Forgejo admin password", forgejo_admin_password)
 
+    # ── Uptime Kuma ───────────────────────────────────────────────────────────
+    header("Uptime Kuma (uptime monitoring)")
+    info("Access is gated by Authentik forward auth — no service-level credentials.")
+    info("Add monitors for each service subdomain via the dashboard after deployment.")
+
+    # ── Automatisch ───────────────────────────────────────────────────────────
+    header("Automatisch (workflow automation)")
+    info("The three secret keys encrypt stored integration credentials.")
+    info("WARNING: never rotate them after first deployment — doing so breaks")
+    info("all existing connections to third-party services.")
+    automatisch_db_password = gen_password(24)
+    automatisch_encryption_key = gen_secret(48)
+    automatisch_webhook_secret_key = gen_secret(48)
+    automatisch_app_secret_key = gen_secret(48)
+
+    # ── Twenty CRM ────────────────────────────────────────────────────────────
+    header("Twenty CRM")
+    info("An OIDC client secret is pre-generated below. Use this value when")
+    info("creating the OAuth2 application in Authentik, then complete SSO setup")
+    info("inside Twenty at: Settings → Security → SSO → Add provider.")
+    twenty_db_password = gen_password(24)
+    twenty_app_secret = gen_secret(48)
+    twenty_oidc_client_secret = gen_secret(40)
+    generated("Twenty OIDC client secret", twenty_oidc_client_secret, sensitive=True)
+
     # ── SMTP ──────────────────────────────────────────────────────────────────
     header("SMTP (outbound email)")
     info("Defaults to the bundled Stalwart server.")
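Review bot: The Automatisch block tells the operator that all three keys "encrypt stored integration credentials" and must never be rotated, which is stronger than upstream's env-var semantics appear to be: only ENCRYPTION_KEY protects the stored connection credentials, while WEBHOOK_SECRET_KEY and APP_SECRET_KEY sign webhook requests and session tokens (worth confirming against Automatisch's env-var reference before shipping this text). A blanket "never rotate" also takes away the incident-response option — a leaked APP_SECRET_KEY should be rotated, at the cost of invalidating sessions, not kept forever. Suggested rewording of the three `info(...)` lines: `info("ENCRYPTION_KEY protects stored integration credentials — rotating it requires re-authorizing every connection.")` and `info("WEBHOOK_SECRET_KEY / APP_SECRET_KEY sign webhooks and sessions; rotating them invalidates those, not stored credentials.")`. The enclosing function starts and ends outside this hunk.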
@@ -447,6 +483,13 @@ cryptographically secure random source.
         forgejo_internal_token=forgejo_internal_token,
         forgejo_lfs_jwt_secret=forgejo_lfs_jwt_secret,
         forgejo_ssh_port=forgejo_ssh_port,
+        automatisch_db_password=automatisch_db_password,
+        automatisch_encryption_key=automatisch_encryption_key,
+        automatisch_webhook_secret_key=automatisch_webhook_secret_key,
+        automatisch_app_secret_key=automatisch_app_secret_key,
+        twenty_app_secret=twenty_app_secret,
+        twenty_db_password=twenty_db_password,
+        twenty_oidc_client_secret=twenty_oidc_client_secret,
         smtp_host=smtp_host,
         smtp_port=smtp_port,
         smtp_password=smtp_password,
@@ -640,6 +683,38 @@ forgejo_admin_password: {s(c.forgejo_admin_password)}
 forgejo_admin_email: {s(c.forgejo_admin_email)}
 forgejo_ssh_port: {c.forgejo_ssh_port}
 
+# =============================================================================
+# UPTIME KUMA (uptime monitoring)
+# =============================================================================
+
+uptimekuma_domain: "status.{yaml_str(c.base_domain)}"
+uptimekuma_version: "1"
+
+# =============================================================================
+# AUTOMATISCH (workflow automation)
+# =============================================================================
+
+automatisch_domain: "automate.{yaml_str(c.base_domain)}"
+automatisch_version: "latest"
+automatisch_db_password: {s(c.automatisch_db_password)}
+# WARNING: these three keys encrypt stored integration credentials.
+# Generate once and never rotate — changing them breaks all existing connections.
+automatisch_encryption_key: {s(c.automatisch_encryption_key)}
+automatisch_webhook_secret_key: {s(c.automatisch_webhook_secret_key)}
+automatisch_app_secret_key: {s(c.automatisch_app_secret_key)}
+
+# =============================================================================
+# TWENTY CRM
+# =============================================================================
+
+twenty_domain: "crm.{yaml_str(c.base_domain)}"
+twenty_version: "latest"
+twenty_app_secret: {s(c.twenty_app_secret)}
+twenty_db_password: {s(c.twenty_db_password)}
+# Set this as the client secret when creating the OAuth2 application in Authentik,
+# then configure SSO inside Twenty at: Settings → Security → SSO → Add provider.
+twenty_oidc_client_secret: {s(c.twenty_oidc_client_secret)}
+
 # =============================================================================
 # WEBSITE (static landing page)
 # =============================================================================
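Review bot: `automatisch_version: "latest"` and `twenty_version: "latest"` (and the floating major `uptimekuma_version: "1"`) are written into the generated inventory with no prompt or pin, so every redeploy pulls whatever upstream last published — an unreviewed image change for two services that hold encrypted third-party credentials and CRM data, and a deployment that cannot be reproduced or rolled back by re-running the playbook. This matters more here because the same hunk tells the operator the Automatisch keys can never be rotated, so a surprise upgrade that mishandles the credential store has no clean recovery path. If the other services in this template pin a release (their version lines are outside the hunk), these should too; pin a specific release tag or an `@sha256:` digest and add `# Pin to a specific release or digest; "latest" makes upgrades unreviewed and redeploys non-reproducible.` above each version line. The enclosing f-string template starts and ends outside this hunk.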
@@ -716,6 +791,7 @@ def print_credentials(c: Config) -> None:
     row("Nextcloud", f"user: {c.nextcloud_admin_user}", c.nextcloud_admin_password)
     row("Vaultwarden", "admin token", c.vaultwarden_admin_token)
     row("Forgejo", f"user: {c.forgejo_admin_user}", c.forgejo_admin_password)
+    row("Twenty CRM", "OIDC client secret", c.twenty_oidc_client_secret)
     divider()
 
 
@@ -728,6 +804,14 @@ def print_credentials(c: Config) -> None:
       in all.yml, then re-run: just update-service dns
    3. Wazuh requires TLS certs before first run — see the Wazuh Docker
       documentation for the cert-generation step.
+    4. In Authentik, create Proxy Providers (Forward Auth) for:
+       • Uptime Kuma → https://status.{c.base_domain}
+       • Automatisch → https://automate.{c.base_domain}
+       Bind each to an Application and add both to the embedded outpost.
+    5. In Authentik, create an OAuth2/OIDC provider for Twenty CRM.
+       Use the OIDC client secret shown above, then in Twenty go to:
+       Settings → Security → SSO → Add provider
+       Discovery URL: https://auth.{c.base_domain}/application/o/twenty/.well-known/openid-configuration
 """)
 
 
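Review bot: The discovery URL in step 5 hard-codes the Authentik application slug (`/application/o/twenty/.well-known/openid-configuration`), but nothing in the step tells the operator to create the Application with slug `twenty`, so an application named differently yields a 404 when Twenty fetches the discovery document. Add to step 5: `Create the Authentik Application with slug "twenty" — the slug is part of the discovery URL below.` The step also never mentions the redirect URI that must be whitelisted on the Authentik provider; without it the OAuth2 callback is rejected, so it is worth adding whatever callback path Twenty documents for its OIDC provider (not stated here, so I have not guessed it). The enclosing `print_credentials` body starts outside this hunk.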