updating configure script

Ian Roddis
2026-05-02 09:33:13 -03:00
parent b7fe984147
commit cfa5473e34
+84
@@ -220,6 +220,17 @@ class Config:
forgejo_lfs_jwt_secret: str
forgejo_ssh_port: int
# Automatisch
automatisch_db_password: str
automatisch_encryption_key: str
automatisch_webhook_secret_key: str
automatisch_app_secret_key: str
# Twenty CRM
twenty_app_secret: str
twenty_db_password: str
twenty_oidc_client_secret: str
# SMTP
smtp_host: str
smtp_port: int
@@ -365,6 +376,31 @@ cryptographically secure random source.
forgejo_ssh_port = int(prompt("SSH port", "2222"))
generated("Forgejo admin password", forgejo_admin_password)
# ── Uptime Kuma ───────────────────────────────────────────────────────────
header("Uptime Kuma (uptime monitoring)")
info("Access is gated by Authentik forward auth — no service-level credentials.")
info("Add monitors for each service subdomain via the dashboard after deployment.")
# ── Automatisch ───────────────────────────────────────────────────────────
header("Automatisch (workflow automation)")
info("The three secret keys encrypt stored integration credentials.")
info("WARNING: never rotate them after first deployment — doing so breaks")
info("all existing connections to third-party services.")
automatisch_db_password = gen_password(24)
automatisch_encryption_key = gen_secret(48)
automatisch_webhook_secret_key = gen_secret(48)
automatisch_app_secret_key = gen_secret(48)
# ── Twenty CRM ────────────────────────────────────────────────────────────
header("Twenty CRM")
info("An OIDC client secret is pre-generated below. Use this value when")
info("creating the OAuth2 application in Authentik, then complete SSO setup")
info("inside Twenty at: Settings → Security → SSO → Add provider.")
twenty_db_password = gen_password(24)
twenty_app_secret = gen_secret(48)
twenty_oidc_client_secret = gen_secret(40)
generated("Twenty OIDC client secret", twenty_oidc_client_secret, sensitive=True)
# ── SMTP ──────────────────────────────────────────────────────────────────
header("SMTP (outbound email)")
info("Defaults to the bundled Stalwart server.")
@@ -447,6 +483,13 @@ cryptographically secure random source.
forgejo_internal_token=forgejo_internal_token,
forgejo_lfs_jwt_secret=forgejo_lfs_jwt_secret,
forgejo_ssh_port=forgejo_ssh_port,
automatisch_db_password=automatisch_db_password,
automatisch_encryption_key=automatisch_encryption_key,
automatisch_webhook_secret_key=automatisch_webhook_secret_key,
automatisch_app_secret_key=automatisch_app_secret_key,
twenty_app_secret=twenty_app_secret,
twenty_db_password=twenty_db_password,
twenty_oidc_client_secret=twenty_oidc_client_secret,
smtp_host=smtp_host,
smtp_port=smtp_port,
smtp_password=smtp_password,
@@ -640,6 +683,38 @@ forgejo_admin_password: {s(c.forgejo_admin_password)}
forgejo_admin_email: {s(c.forgejo_admin_email)}
forgejo_ssh_port: {c.forgejo_ssh_port}
# =============================================================================
# UPTIME KUMA (uptime monitoring)
# =============================================================================
uptimekuma_domain: "status.{yaml_str(c.base_domain)}"
uptimekuma_version: "1"
# =============================================================================
# AUTOMATISCH (workflow automation)
# =============================================================================
automatisch_domain: "automate.{yaml_str(c.base_domain)}"
automatisch_version: "latest"
automatisch_db_password: {s(c.automatisch_db_password)}
# WARNING: these three keys encrypt stored integration credentials.
# Generate once and never rotate — changing them breaks all existing connections.
automatisch_encryption_key: {s(c.automatisch_encryption_key)}
automatisch_webhook_secret_key: {s(c.automatisch_webhook_secret_key)}
automatisch_app_secret_key: {s(c.automatisch_app_secret_key)}
# =============================================================================
# TWENTY CRM
# =============================================================================
twenty_domain: "crm.{yaml_str(c.base_domain)}"
twenty_version: "latest"
twenty_app_secret: {s(c.twenty_app_secret)}
twenty_db_password: {s(c.twenty_db_password)}
# Set this as the client secret when creating the OAuth2 application in Authentik,
# then configure SSO inside Twenty at: Settings → Security → SSO → Add provider.
twenty_oidc_client_secret: {s(c.twenty_oidc_client_secret)}
# =============================================================================
# WEBSITE (static landing page)
# =============================================================================
@@ -716,6 +791,7 @@ def print_credentials(c: Config) -> None:
row("Nextcloud", f"user: {c.nextcloud_admin_user}", c.nextcloud_admin_password)
row("Vaultwarden", "admin token", c.vaultwarden_admin_token)
row("Forgejo", f"user: {c.forgejo_admin_user}", c.forgejo_admin_password)
row("Twenty CRM", "OIDC client secret", c.twenty_oidc_client_secret)
divider()
@@ -728,6 +804,14 @@ def print_credentials(c: Config) -> None:
in all.yml, then re-run: just update-service dns
3. Wazuh requires TLS certs before first run — see the Wazuh
Docker documentation for the cert-generation step.
4. In Authentik, create Proxy Providers (Forward Auth) for:
• Uptime Kuma → https://status.{c.base_domain}
• Automatisch → https://automate.{c.base_domain}
Bind each to an Application and add both to the embedded outpost.
5. In Authentik, create an OAuth2/OIDC provider for Twenty CRM.
Use the OIDC client secret shown above, then in Twenty go to:
Settings → Security → SSO → Add provider
Discovery URL: https://auth.{c.base_domain}/application/o/twenty/.well-known/openid-configuration
""")
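Review bot: The generated all.yml in the `@@ -640` hunk pins `automatisch_version: "latest"` and `twenty_version: "latest"` (and `uptimekuma_version: "1"`, a floating major tag), so every deploy pulls whatever image is current, which makes rollouts unreproducible and silently upgrades the service that holds the Automatisch encryption keys the same hunk says must never change. A configure script that seeds secrets is the natural place to pin an exact release, e.g. `automatisch_version: "<PINNED_AUTOMATISCH_RELEASE>"` and `twenty_version: "<PINNED_TWENTY_RELEASE>"` (placeholders — fill from the upstream release list), with a comment above them such as `# Pin to an exact release; bump deliberately and read the upgrade notes first.`. If the mutable tag is intentional here, a one-line comment in the YAML block saying so would save the next reader from wondering. The enclosing f-string template starts and ends outside the hunk.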