mirror of
https://github.com/goauthentik/authentik
synced 2026-05-11 01:22:25 +02:00
117 lines
3.3 KiB
Bash
Executable File
117 lines
3.3 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
|
|
set -e -o pipefail
|
|
|
|
MODE_FILE="$TMPDIR/authentik-mode"
|
|
|
|
function log {
|
|
printf '{"event": "%s", "level": "info", "logger": "bootstrap"}\n' "$@" >&2
|
|
}
|
|
|
|
function wait_for_db {
|
|
python -m lifecycle.wait_for_db
|
|
log "Bootstrap completed"
|
|
}
|
|
|
|
function run_authentik {
|
|
case "$1" in
|
|
server)
|
|
shift 1
|
|
echo -n server >"$MODE_FILE"
|
|
if [[ -x "$(command -v authentik-server)" ]]; then
|
|
echo authentik-server "$@"
|
|
else
|
|
echo go run ./cmd/server "$@"
|
|
fi
|
|
;;
|
|
healthcheck)
|
|
if [[ -x "$(command -v authentik-server)" ]]; then
|
|
echo authentik-server "$@"
|
|
else
|
|
echo go run ./cmd/server "$@"
|
|
fi
|
|
;;
|
|
allinone | worker)
|
|
if [[ -x "$(command -v authentik)" ]]; then
|
|
echo authentik "$@"
|
|
else
|
|
echo cargo run -- "$@"
|
|
fi
|
|
;;
|
|
*)
|
|
echo "$@"
|
|
;;
|
|
esac
|
|
}
|
|
|
|
function check_if_root_and_run {
|
|
if [[ $EUID -ne 0 ]]; then
|
|
log "Not running as root, disabling permission fixes"
|
|
exec $(run_authentik "$@")
|
|
return
|
|
fi
|
|
SOCKET="/var/run/docker.sock"
|
|
GROUP="authentik"
|
|
if [[ -e "$SOCKET" ]]; then
|
|
# Get group ID of the docker socket, so we can create a matching group and
|
|
# add ourselves to it
|
|
DOCKER_GID="$(stat -c "%g" "${SOCKET}")"
|
|
# Ensure group for the id exists
|
|
getent group "${DOCKER_GID}" || groupadd -f -g "${DOCKER_GID}" docker
|
|
usermod -a -G "${DOCKER_GID}" authentik
|
|
# since the name of the group might not be docker, we need to lookup the group id
|
|
GROUP_NAME=$(getent group "${DOCKER_GID}" | sed 's/:/\n/g' | head -1)
|
|
GROUP="authentik:${GROUP_NAME}"
|
|
fi
|
|
# Fix permissions of certs and media
|
|
chown -R authentik:authentik /data /certs "${PROMETHEUS_MULTIPROC_DIR}"
|
|
chmod ug+rwx /data
|
|
chmod ug+rx /certs
|
|
exec chpst -u authentik:"${GROUP}" env HOME=/authentik $(run_authentik "$@")
|
|
}
|
|
|
|
function prepare_debug {
|
|
# Only attempt to install debug dependencies if we're running in a container
|
|
if [ ! -d /ak-root ]; then
|
|
return
|
|
fi
|
|
export DEBIAN_FRONTEND=noninteractive
|
|
apt-get update
|
|
apt-get install -y --no-install-recommends krb5-kdc krb5-user krb5-admin-server libkrb5-dev gcc
|
|
source "${VENV_PATH}/bin/activate"
|
|
uv sync --active --frozen
|
|
touch /unittest.xml
|
|
chown authentik:authentik /unittest.xml
|
|
}
|
|
|
|
if [[ -z "${PROMETHEUS_MULTIPROC_DIR}" ]]; then
|
|
export PROMETHEUS_MULTIPROC_DIR="${TMPDIR:-/tmp}/authentik_prometheus_tmp"
|
|
fi
|
|
mkdir -p "${PROMETHEUS_MULTIPROC_DIR}"
|
|
|
|
if [[ "$(python -m authentik.lib.config debugger 2>/dev/null)" == "True" ]]; then
|
|
prepare_debug
|
|
fi
|
|
|
|
if [[ "$1" == "bash" ]]; then
|
|
exec /usr/bin/env -S bash "$@"
|
|
elif [[ "$1" == "dump_config" ]]; then
|
|
shift 1
|
|
exec python -m authentik.lib.config "$@"
|
|
elif [[ "$1" == "debug" ]]; then
|
|
exec sleep infinity
|
|
elif [[ "$1" == "test-all" ]]; then
|
|
wait_for_db
|
|
prepare_debug
|
|
chmod 777 /root
|
|
check_if_root_and_run manage test authentik
|
|
elif [[ "$1" == "allinone" ]] || [[ "$1" == "server" ]] || [[ "$1" == "worker" ]]; then
|
|
wait_for_db
|
|
check_if_root_and_run "$@"
|
|
elif [[ "$1" == "healthcheck" ]]; then
|
|
check_if_root_and_run "$@" "$(cat "$MODE_FILE")"
|
|
else
|
|
wait_for_db
|
|
exec python -m manage "$@"
|
|
fi
|