[BUG] : SSO settings are wiped out at container start
Navino16 opened this issue
I've set the following settings in the settings.yml file:
```yaml
security:
  enableLogin: true # set to 'true' to enable login
  csrfDisabled: false # Set to 'true' to disable CSRF protection (not recommended for production)
  loginAttemptCount: 5 # lock user account after 5 tries
  loginResetTimeMinutes: 120 # lock account for 2 hours after x attempts
  # initialLogin:
  #   username: "admin" # Initial username for the first login
  #   password: "stirling" # Initial password for the first login
  oauth2:
    enabled: true # set to 'true' to enable login (Note: enableLogin must also be 'true' for this to work)
    issuer: "https://auth.REDACTED" # set to any provider that supports OpenID Connect Discovery (/.well-known/openid-configuration) end-point
    clientId: "stirling-pdf" # Client ID from your provider
    clientSecret: "REDACTED" # Client Secret from your provider
    autoCreateUser: true # set to 'true' to allow auto-creation of non-existing users
    useAsUsername: "email" # Default is 'email'; custom fields can be used as the username
    scopes: "openid, profile, email, groups" # Specify the scopes for which the application will request permissions
```
When the container starts, the settings are loaded but then they are wiped out, resulting in the settings.yml file looking like this:
```yaml
security:
  enableLogin: true # set to 'true' to enable login
  csrfDisabled: false # Set to 'true' to disable CSRF protection (not recommended for production)
  loginAttemptCount: 5 # lock user account after 5 tries
  loginResetTimeMinutes: 120 # lock account for 2 hours after x attempts
  # initialLogin:
  #   username: "admin" # Initial username for the first login
  #   password: "stirling" # Initial password for the first login
  oauth2:
    # enabled: false # set to 'true' to enable login (Note: enableLogin must also be 'true' for this to work)
    # issuer: "" # set to any provider that supports OpenID Connect Discovery (/.well-known/openid-configuration) end-point
    # clientId: "" # Client ID from your provider
    # clientSecret: "" # Client Secret from your provider
    # autoCreateUser: false # set to 'true' to allow auto-creation of non-existing users
    # useAsUsername: "email" # Default is 'email'; custom fields can be used as the username
    # scopes: "openid, profile, email" # Specify the scopes for which the application will request permissions
    # provider: "google" # Set this to your OAuth provider's name, e.g., 'google' or 'keycloak'
```
And obviously, at the next reboot it will no longer work.
Here is my docker-compose.yml file for reference:
```yaml
---
services:
  ## https://hub.docker.com/r/frooodle/s-pdf
  stirling-pdf:
    image: frooodle/s-pdf:latest
    container_name: stirling-pdf
    labels:
      - diun.enable=true
    env_file:
      - ../common.env
      - ./stirling-pdf.env
    volumes:
      - ./config/stirling-pdf/settings.yml:/configs/settings.yml
      - ./config/stirling-pdf/fra.traineddata:/usr/share/tessdata/fra.traineddata
      - /absolute/path/to/data/stirling-pdf/configs:/configs
      - /absolute/path/to/data/stirling-pdf/tessdata:/usr/share/tessdata
    networks:
      - myNetwork
    restart: unless-stopped
```
Content of env files:
```env
## ../common.env
PGID=1000 # Set user used for running the container (doesn't work in every container)
PUID=1000 # Set group used for running the container (doesn't work in every container)
TZ=Europe/Paris # Set timezone used for running the container (doesn't work in every container)

## ./stirling.env
DOCKER_ENABLE_SECURITY=true
INSTALL_BOOK_AND_ADVANCED_HTML_OPS=true
LANGS=en_GB,fr_FR
```
Could you send over your full settings file so I can try to reproduce the resetting locally?
Full settings file:
```yaml
# Welcome to settings file
# Remove comment marker # if on start of line to enable the configuration
# If you want to override with environment parameter follow parameter naming SECURITY_INITIALLOGIN_USERNAME
security:
  enableLogin: true # set to 'true' to enable login
  csrfDisabled: false # Set to 'true' to disable CSRF protection (not recommended for production)
  loginAttemptCount: 5 # lock user account after 5 tries
  loginResetTimeMinutes: 120 # lock account for 2 hours after x attempts
  # initialLogin:
  #   username: "admin" # Initial username for the first login
  #   password: "stirling" # Initial password for the first login
  oauth2:
    enabled: true # set to 'true' to enable login (Note: enableLogin must also be 'true' for this to work)
    issuer: "https://auth.REDACTED" # set to any provider that supports OpenID Connect Discovery (/.well-known/openid-configuration) end-point
    clientId: "stirling-pdf" # Client ID from your provider
    clientSecret: "REDACTED" # Client Secret from your provider
    autoCreateUser: true # set to 'true' to allow auto-creation of non-existing users
    useAsUsername: "email" # Default is 'email'; custom fields can be used as the username
    scopes: "openid, profile, email, groups" # Specify the scopes for which the application will request permissions
    # provider: "google" # Set this to your OAuth provider's name, e.g., 'google' or 'keycloak'
    # client:
    #   google:
    #     clientId: "" # Client ID for Google OAuth2
    #     clientSecret: "" # Client Secret for Google OAuth2
    #     scopes: "https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/userinfo.profile" # Scopes for Google OAuth2
    #     useAsUsername: "email" # Field to use as the username for Google OAuth2
    #   github:
    #     clientId: "" # Client ID for GitHub OAuth2
    #     clientSecret: "" # Client Secret for GitHub OAuth2
    #     scopes: "read:user" # Scope for GitHub OAuth2
    #     useAsUsername: "login" # Field to use as the username for GitHub OAuth2
    #   keycloak:
    #     issuer: "http://192.168.0.123:8888/realms/stirling-pdf" # URL of the Keycloak realm's OpenID Connect Discovery endpoint
    #     clientId: "stirling-pdf" # Client ID for Keycloak OAuth2
    #     clientSecret: "" # Client Secret for Keycloak OAuth2
    #     scopes: "openid, profile, email" # Scopes for Keycloak OAuth2
    #     useAsUsername: "email" # Field to use as the username for Keycloak OAuth2

system:
  defaultLocale: 'fr-FR' # Set the default language (e.g. 'de-DE', 'fr-FR', etc)
  googlevisibility: false # 'true' to allow Google visibility (via robots.txt), 'false' to disallow
  enableAlphaFunctionality: false # Set to enable functionality which might need more testing before it fully goes live (This feature might make no changes)
  showUpdate: true # see when a new update is available
  showUpdateOnlyAdmin: true # Only admins can see when a new update is available, depending on showUpdate it must be set to 'true'
  customHTMLFiles: false # enable to have files placed in /customFiles/templates override the existing template html files

ui:
  appName: null # Application's visible name
  homeDescription: null # Short description or tagline shown on homepage.
  appNameNavbar: null # Name displayed on the navigation bar

endpoints:
  toRemove: [] # List endpoints to disable (e.g. ['img-to-pdf', 'remove-pages'])
  groupsToRemove: [] # List groups to disable (e.g. ['LibreOffice'])

metrics:
  enabled: true # 'true' to enable Info APIs (`/api/*`) endpoints, 'false' to disable

# Automatically Generated Settings (Do Not Edit Directly)
AutomaticallyGenerated:
  key: REDACTED
```
In case it has any impact, the OpenID provider is Authelia.
fixed in 0.25.2!
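
A post-start check for the failure mode reported in this issue, as an added example (not code from Stirling-PDF or from the posters): it reports when the keys under `security.oauth2` in `settings.yml` have been commented out or emptied. The sample file contents, the issuer URL and the function names are constructed for illustration, and the line-based parser assumes the simple indented layout shown in the issue.

```python
import re

REQUIRED = ("enabled", "issuer", "clientId", "clientSecret")

# Constructed samples mirroring the two states of settings.yml shown in the issue.
BEFORE = """\
security:
  enableLogin: true
  oauth2:
    enabled: true # set to 'true' to enable login
    issuer: "https://auth.example.invalid"
    clientId: "stirling-pdf"
    clientSecret: "constructed-placeholder"
"""
AFTER = """\
security:
  enableLogin: true
  oauth2:
    # enabled: false # set to 'true' to enable login
    # issuer: ""
    # clientId: ""
    # clientSecret: ""
"""

def active_oauth2_settings(text):
    """Return the uncommented key/value pairs directly under security.oauth2."""
    path, found = [], {}          # path is a stack of (indent, key) ancestors
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0]          # drop trailing and full-line comments
        m = re.match(r"^(\s*)([A-Za-z0-9_]+):\s*(.*)$", line)
        if not m:                             # blank, commented or non key/value line
            continue
        indent, key = len(m.group(1)), m.group(2)
        while path and path[-1][0] >= indent: # leave deeper or sibling scopes
            path.pop()
        if [k for _, k in path] == ["security", "oauth2"]:
            found[key] = m.group(3).strip().strip("\"'")
        path.append((indent, key))
    return found

def sso_problems(text):
    """List the reasons the oauth2 block would not provide SSO; empty if intact."""
    cfg = active_oauth2_settings(text)
    problems = [f"{k} is commented out or empty" for k in REQUIRED if not cfg.get(k)]
    if cfg.get("enabled") and cfg["enabled"].lower() != "true":
        problems.append("enabled is not 'true'")
    return problems
```

Running `sso_problems` on the mounted file after each container start, and alerting on a non-empty result, surfaces the reset before the next reboot does.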