r/mnemosyne
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs(deploy): document Casdoor SSO configuration and group setup
All checks were successful
CVE Scan & Docker Build / security-scan (push) Successful in 58s
Details
CVE Scan & Docker Build / build-and-push (push) Successful in 1m5s
Details

Browse Source
This commit is contained in:
Robert Helewka
2026-05-12 11:55:13 -04:00
parent ed4d0db930
commit d8b07975dd
1 changed files with 27 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
docs/deploy.md
View File

@@ -108,6 +108,12 @@ docker compose -f /srv/mnemosyne/docker-compose.yaml \
docker compose -f /srv/mnemosyne/docker-compose.yaml \ docker compose -f /srv/mnemosyne/docker-compose.yaml \
run --rm app \ run --rm app \
python manage.py seed_signing_key --kid daedalus-1 --retire-other python manage.py seed_signing_key --kid daedalus-1 --retire-other
# Create Django groups for SSO role mapping (View Only / Staff / SME / Admin).
# Safe to re-run — idempotent.
docker compose -f /srv/mnemosyne/docker-compose.yaml \
run --rm app \
python manage.py create_sso_groups
``` ```
The `seed_signing_key` command prints the generated secret once to stdout — it The `seed_signing_key` command prints the generated secret once to stdout — it
@@ -218,6 +224,25 @@ relevant service `environment:` blocks. The per-service scoping is defined in
|----------|-----------------| |----------|-----------------|
| `MCP_REQUIRE_AUTH` | `True` | | `MCP_REQUIRE_AUTH` | `True` |
### SSO / Casdoor — `app` only
| Variable | Example / default | Notes |
|----------|-------------------|-------|
| `CASDOOR_ENABLED` | `True` | Set `False` to disable SSO and show only local login |
| `CASDOOR_ORIGIN` | `https://casdoor.ouranos.helu.ca` | Backend URL used for OIDC discovery (`/.well-known/openid-configuration`) |
| `CASDOOR_ORIGIN_FRONTEND` | `https://casdoor.ouranos.helu.ca` | Frontend URL shown to the browser (may differ behind a reverse proxy) |
| `CASDOOR_CLIENT_ID` | `{{ vault_mnemosyne_casdoor_client_id }}` | OAuth client ID from the Casdoor application |
| `CASDOOR_CLIENT_SECRET` | `{{ vault_mnemosyne_casdoor_client_secret }}` | OAuth client secret from the Casdoor application |
| `CASDOOR_ORG_NAME` | `ouranos` | Default organisation slug in Casdoor |
| `CASDOOR_SSL_VERIFY` | `true` | `true` in production; `false` only in sandboxes with self-signed certs |
| `ALLOW_LOCAL_LOGIN` | `False` | Show the local username/password form to non-superusers. Superusers always see it regardless of this flag. |
Register the OIDC callback URL in the Casdoor application before enabling SSO:
```
https://mnemosyne.ouranos.helu.ca/accounts/oidc/casdoor/login/callback/
```
### LLM API encryption — `app`, `worker` ### LLM API encryption — `app`, `worker`
| Variable | Notes | | Variable | Notes |
@@ -377,3 +402,5 @@ will report as a failure.
| `vault_rabbitmq_password` | embedded in `CELERY_BROKER_URL` | | `vault_rabbitmq_password` | embedded in `CELERY_BROKER_URL` |
| `vault_mnemosyne_llm_encryption_key` | `LLM_API_SECRETS_ENCRYPTION_KEY` | | `vault_mnemosyne_llm_encryption_key` | `LLM_API_SECRETS_ENCRYPTION_KEY` |
| `vault_mnemosyne_daedalus_service_password` | passed to `ensure_service_user --password` | | `vault_mnemosyne_daedalus_service_password` | passed to `ensure_service_user --password` |
| `vault_mnemosyne_casdoor_client_id` | `CASDOOR_CLIENT_ID` |
| `vault_mnemosyne_casdoor_client_secret` | `CASDOOR_CLIENT_SECRET` |