path: root/public/v4/apps/boxy-hq-only.yml

captainVersion: 4
services:
    $$cap_appname:
        image: boxyhq/jackson:$$cap_boxyhq_jackson_version
        restart: always
        caproverExtra:
            containerHttpPort: '5225'
        environment:
            EXTERNAL_URL: $$cap_external_url
            SAML_AUDIENCE: $$cap_saml_audience
            JACKSON_API_KEYS: $$cap_jackson_api_keys
            ADMIN_PORTAL_SSO_TENANT: $$cap_admin_portal_sso_tenant
            ADMIN_PORTAL_SSO_PRODUCT: $$cap_admin_portal_sso_product
            IDP_ENABLED: $$cap_idp_enabled
            PRE_LOADED_CONNECTION: $$cap_pre_loaded_connection
            CLIENT_SECRET_VERIFIER: $$cap_client_secret_verifier

            DB_ENGINE: $$cap_db_engine
            DB_URL: $$cap_db_url
            DB_TYPE: $$cap_db_type
            DB_TTL: $$cap_db_ttl
            DB_CLEANUP_LIMIT: $$cap_db_cleanup_limit
            DB_PAGE_LIMIT: $$cap_db_page_limit
            DB_ENCRYPTION_KEY: $$cap_db_encryption_key

            SMTP_HOST: $$cap_smtp_host
            SMTP_PORT: $$cap_smtp_port
            SMTP_USER: $$cap_smtp_user
            SMTP_PASSWORD: $$cap_smtp_password
            SMTP_FROM: $$cap_smtp_from

            NEXTAUTH_ACL: $$cap_nextauth_acl
            NEXTAUTH_URL: $$cap_nextauth_url
            NEXTAUTH_SECRET: $$cap_nextauth_secret
            NEXTAUTH_ADMIN_CREDENTIALS: $$cap_nextauth_admin_credentials

            RETRACED_HOST_URL: $$cap_retraced_host_url
            RETRACED_EXTERNAL_URL: $$cap_retraced_external_url
            RETRACED_ADMIN_ROOT_TOKEN: $$cap_retraced_admin_root_token

            TERMINUS_PROXY_HOST_URL: $$cap_terminus_proxy_host_url
            TERMINUS_ADMIN_ROOT_TOKEN: $$cap_terminus_admin_root_token

            OTEL_EXPORTER_OTLP_METRICS_ENDPOINT: $$cap_otel_exporter_otlp_metrics_endpoint
            OTEL_EXPORTER_OTLP_METRICS_HEADERS: $$cap_otel_exporter_otlp_metrics_headers

            OPENID_JWS_ALG: $$cap_openid_jws_alg
            OPENID_RSA_PRIVATE_KEY: $$cap_openid_rsa_private_key
            OPENID_RSA_PUBLIC_KEY: $$cap_openid_rsa_public_key
            PUBLIC_KEY: $$cap_public_key
            PRIVATE_KEY: $$cap_private_key

            BOXYHQ_LICENSE_KEY: $$cap_boxyhq_license_key

            WEBHOOK_URL: $$cap_webhook_url
            WEBHOOK_SECRET: $$cap_webhook_secret

            node_options: $$cap_node_options
            NEXT_TELEMETRY_DISABLED: $$cap_next_telemetry_disabled
caproverOneClickApp:
    variables:
        - id: $$cap_external_url
          label: External URL
          description: The public URL to reach this service. This is used internally to construct the callback url at which the SAML/OIDC IdP sends back the authorization response. (https://boxyhq.com/docs/jackson/deploy/env-variables#external_url)
          validRegex: '/.{1,}/'
          defaultValue: $$cap_appname.$$cap_root_domain
        - id: $$cap_saml_audience
          label: SAML Audience
          validRegex: '/.{1,}/'
          description: The value of this setting (same as SP EntityID of Jackson) allows the Jackson instance to verify that it is the intended recipient of a SAML response. The same value is also set in the SAML App created on the IdP end by your customers. Once set do not change this value unless you get your customers to reconfigure their SAML App again. It is case-sensitive. This does not have to be a real URL. (https://boxyhq.com/docs/jackson/deploy/env-variables#saml_audience)
          defaultValue: $$cap_appname.$$cap_root_domain
        - id: $$cap_jackson_api_keys
          label: API Keys
          validRegex: '/.{1,}/'
          description: A comma separated list of API keys that will be validated when serving the API requests for SSO connection (/api/v1/connections) and Directory Sync (/api/v1/directory-sync). (https://boxyhq.com/docs/jackson/deploy/env-variables#jackson_api_keys)
          defaultValue: $$cap_gen_random_hex(64)
        - id: $$cap_admin_portal_sso_tenant
          label: Admin Portal SSO Tenant
          description: This will be used as the tenant for the SSO connections (added from Settings tab) used to login into the Admin portal itself. Set this to a value that is less likely to conflict with the main Enterprise SSO connections. (https://boxyhq.com/docs/jackson/deploy/env-variables#admin_portal_sso_tenant)
          validRegex: '/.{1,}/'
          defaultValue: _jackson_boxyhq
        - id: $$cap_admin_portal_sso_product
          label: Admin Portal SSO Product
          description: This will be used as the product for the SSO connections (added from Settings tab) used to login into the Admin portal itself. Set this to a value that is less likely to conflict with the main Enterprise SSO connections. (https://boxyhq.com/docs/jackson/deploy/env-variables#admin_portal_sso_product)
          validRegex: '/.{1,}/'
          defaultValue: _jackson_admin_portal
        - id: $$cap_idp_enabled
          label: IDP Enabled
          description: Set to true to enable IdP initiated login for SAML. SP initiated login is the only recommended flow but you might have to support IdP login at times. (https://boxyhq.com/docs/jackson/deploy/env-variables#idp_enabled)
          defaultValue: true
        - id: $$cap_pre_loaded_connection
          label: Pre loaded connection
          description: If you only need a single tenant or a handful of pre-configured tenants then this config will help you read and load IdP (both OpenID and SAML)connections. It works well with the mem DB engine so you don't have to configure any external databases for this to work (though it works with those as well). This is a path (absolute or relative) to a directory that contains files organized in the format described in the next section. (https://boxyhq.com/docs/jackson/deploy/env-variables#pre_loaded_connection)
        - id: $$cap_client_secret_verifier
          label: Client secret verifier
          description: When tenant and product are used for the SAML flow (and PKCE is not being used) then we use dummy as placeholders for client_id and client_secret. This is not a security issue because SAML is tenanted and hence your Identity Provider will block access to anyone trying to log into your SAML tenant. However for additional security you should set CLIENT_SECRET_VERIFIER to a random secret and use that value as the client_secret during the OAuth 2.0 flow. (https://boxyhq.com/docs/jackson/deploy/env-variables#client_secret_verifier)
          validRegex: '/.{1,}/'
          defaultValue: $$cap_gen_random_hex(64)

        - id: $$cap_db_engine
          label: DB Engine
          description: Supported values are redis, sql, mongo, mem, planetscale, dynamodb (https://boxyhq.com/docs/jackson/deploy/env-variables#db_engine)
          validRegex: '/.{1,}/'
          defaultValue: sql
        - id: $$cap_db_url
          label: DB URL
          description: The database URL to connect to. If you are using self-signed certificates then pass sslmode=no-verify instead of sslmode=require in the DB_URL. This is because self-signed certs will be rejected as unauthorized in strict mode. Also, set DB_SSL=true and DB_SSL_REJECT_UNAUTHORIZED=false (see env vars below for more details). (https://boxyhq.com/docs/jackson/deploy/env-variables#db_url)
          validRegex: '/.{1,}/'
          defaultValue: postgres://postgres_user:postgres_password@localhost:5432/postgres_db
        - id: $$cap_db_type
          label: DB Type
          description: Only needed when DB_ENGINE is sql. Supported values are postgres, mysql, mariadb, mssql (https://boxyhq.com/docs/jackson/deploy/env-variables#db_type)
          validRegex: '/.{1,}/'
          defaultValue: postgres
        - id: $$cap_db_ttl
          label: DB TTL
          description: TTL for the code, session and token stores (in seconds). (https://boxyhq.com/docs/jackson/deploy/env-variables#db_ttl)
          defaultValue: 300
        - id: $$cap_db_cleanup_limit
          label: DB Cleanup limit
          description: Limit cleanup of TTL entries to this number. (https://boxyhq.com/docs/jackson/deploy/env-variables#db_cleanup_limit)
          defaultValue: 1000
        - id: $$cap_db_page_limit
          label: DB Page limit
          description: Page limit
          defaultValue: 50
        - id: $$cap_db_encryption_key
          label: DB Encryption key
          description: To encrypt data at rest specify a 32 character key. You can use openssl to generate a random 32 character key 'openssl rand -base64 24' (https://boxyhq.com/docs/jackson/deploy/env-variables#db_encryption_key)

        - id: $$cap_smtp_host
          label: SMTP Host
          description: The SMTP host. (https://boxyhq.com/docs/jackson/deploy/env-variables#smtp_host)
          defaultValue: smtp.example.com
        - id: $$cap_smtp_port
          label: SMTP Port
          description: The SMTP server port. (https://boxyhq.com/docs/jackson/deploy/env-variables#smtp_port)
          defaultValue: 587
        - id: $$cap_smtp_user
          label: SMTP User
          description: Username for the SMTP server. (https://boxyhq.com/docs/jackson/deploy/env-variables#smtp_user)
          defaultValue: [email protected]
        - id: $$cap_smtp_password
          label: SMTP Password
          description: Password for the SMTP server. (https://boxyhq.com/docs/jackson/deploy/env-variables#smtp_password)
        - id: $$cap_smtp_from
          label: SMTP From
          description: From address used to send mail. (https://boxyhq.com/docs/jackson/deploy/env-variables#smtp_from)
          defaultValue: [email protected]

        - id: $$cap_nextauth_acl
          label: NextAuth ACL
          description: Set this to a comma separated string of email addresses or glob patterns like [email protected],*@marvel.com. Access will be denied to email addresses which don't match. If you don't specify any value access is denied to all. (https://boxyhq.com/docs/jackson/deploy/env-variables#nextauth_acl)
          defaultValue: [email protected],*@marvel.com
        - id: $$cap_nextauth_url
          label: NextAuth URL
          description: When running locally this will point to the local server https://boxyhq.my-domain.com. When deploying to production, set this to the canonical URL of the site. (https://boxyhq.com/docs/jackson/deploy/env-variables#nextauth_url)
          validRegex: '/.{1,}/'
          defaultValue: $$cap_appname.$$cap_root_domain
        - id: $$cap_nextauth_secret
          label: NextAuth Secret
          description: Set this to a random string. You can use openssl rand -base64 32 to get one. This secret is used to encrypt JWT and hash the email verification token. (https://boxyhq.com/docs/jackson/deploy/env-variables#nextauth_secret)
          validRegex: '/.{1,}/'
          defaultValue: $$cap_gen_random_hex(64)
        - id: $$cap_nextauth_admin_credentials
          label: NextAuth Admin credentials
          description: Set this to a comma separated string of the pattern email:password to enable login to the Admin Portal, for example [email protected]:Password123. If you don't specify any value access is denied to all. (https://boxyhq.com/docs/jackson/deploy/env-variables#nextauth_admin_credentials)

        - id: $$cap_retraced_host_url
          label: Retraced Host URL
          description: If you'd like to use the Admin Portal to manage our Audit Logs service (Retraced) then set this env var to the URL of the service. (https://boxyhq.com/docs/jackson/deploy/env-variables#retraced_host_url)
        - id: $$cap_retraced_external_url
          label: Retraced External URL
          description: If you'd like to use the Admin Portal to manage our Audit Logs service (Retraced) then set this env var to the Public URL of the service. If this is the same as RETRACED_HOST_URL above then you can skip this and it will default to the value of RETRACED_HOST_URL. (https://boxyhq.com/docs/jackson/deploy/env-variables#retraced_external_url)
        - id: $$cap_retraced_admin_root_token
          label: Retraced Admin root token
          description: you need to set the admin root token for Retraced so that we can connect to Retraced and fetch projects and audit logs. (https://boxyhq.com/docs/jackson/deploy/env-variables#retraced_admin_root_token)

        - id: $$cap_terminus_proxy_host_url
          label: Terminus Proxy Host URL
        - id: $$cap_terminus_admin_root_token
          label: Terminus Admin root token

        - id: $$cap_otel_exporter_otlp_metrics_endpoint
          label: OTEL Exporter OTLP Metrics endpoint
          description: Target URL to which the exporter is going to send metrics.. (https://boxyhq.com/docs/jackson/deploy/env-variables#otel_exporter_otlp_endpoint-or-otel_exporter_otlp_metrics_endpoint)
        - id: $$cap_otel_exporter_otlp_metrics_headers
          label: OTEL Exporter OTLP Metrics headers
          description: Headers relevant for the endpoint, useful for specifying authentication details for providers. (https://boxyhq.com/docs/jackson/deploy/env-variables#otel_exporter_otlp_headers-or-otel_exporter_otlp_metrics_headers)

        - id: $$cap_openid_jws_alg
          label: OpenID JWS algorithms
          description: The algorithm used to sign the id_token. Jackson uses jose to create the ID token. Supported algorithms can be found at https://github.com/panva/jose/issues/114#digital-signatures. (https://boxyhq.com/docs/jackson/deploy/env-variables#openid_jws_alg)
          defaultValue: RS256
        - id: $$cap_openid_rsa_private_key
          label: OpenID RSA Private key
          description: Base64 value of private key. To generate one 'openssl genrsa -out private-key.pem 3072' then 'openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in private-key.pem -out private_key.pem' and 'cat private_key.pem | base64'. (https://boxyhq.com/docs/jackson/deploy/env-variables#openid_rsa_private_key)
        - id: $$cap_openid_rsa_public_key
          label: OpenID RSA Public key
          description: Base64 value of public key. You can generate the public key from the private key as shown below 'openssl rsa -in private_key.pem -pubout -out public_key.pem' and than 'cat public_key.pem | base64'. (https://boxyhq.com/docs/jackson/deploy/env-variables#openid_rsa_public_key)
        - id: $$cap_public_key
          label: Public key
          description: This is the public key of the private key used to sign the SAML requests. Jackson expects the public key to be base64 encoded. (https://boxyhq.com/docs/jackson/deploy/env-variables#public_key)

        - id: $$cap_private_key
          label: Private key
          description: This is the private key used to sign the SAML requests. Jackson expects the private key to be base64 encoded. To generate a private key and public key pair you can use the following command 'openssl req -x509 -newkey rsa:2048 -keyout key.pem -out public.crt -sha256 -days 365 -nodes' then 'cat public.crt | base64' and that 'cat key.pem | base64' (https://boxyhq.com/docs/jackson/deploy/env-variables#private_key)
        - id: $$cap_boxyhq_license_key
          label: BoxyHQ License key

        - id: $$cap_webhook_url
          label: Webhook URL
          description: Specify a webhook URL to receive events about sso and directory connections. (https://boxyhq.com/docs/jackson/deploy/env-variables#webhook_url)
        - id: $$cap_webhook_secret
          label: Webhook Secret
          description: Specify a secret to be used to sign the webhook payload. This is used to verify the authenticity of the webhook payload. (https://boxyhq.com/docs/jackson/deploy/env-variables#webhook_secret)

        - id: $$cap_node_options
          label: Node Options
          defaultValue: --max-http-header-size=81920 --dns-result-order=ipv4first
        - id: $$cap_next_telemetry_disabled
          label: Next Telemetry disabled
          defaultValue: 1

        - id: $$cap_boxyhq_jackson_version
          label: BoxyHQ Jackson Version
          defaultValue: 1.13.0
          description: Check out their Docker page for the valid tags https://hub.docker.com/r/boxyhq/jackson/tags/
          validRegex: /^([^\s^\/])+$/
    instructions:
        start: >-
            Reduce Time to Market without sacrificing your security posture!

            BoxyHQ’s suite of APIs for security and privacy helps engineering teams build and ship compliant cloud applications faster.

            SAML Jackson can be used with any web application to integrate the Single Sign-On (SSO) authentication.

            NOTE: If you turn it to HTTPS, then dont forget change variables from 'http://$$cap_appname.$$cap_root_domain' to 'https://$$cap_appname.$$cap_root_domain'

            Note: This app is intended for advanced users who'd like to have a central DB in a single container for BoxyHQ Jackson. You should start by configuring your DB at you self, you can it do before or after you installed the BoxyHQ Jackson.
        end: >-
            BoxyHQ is deployed and available as http://$$cap_appname.$$cap_root_domain.

            NOTE: If you turn it to HTTPS, then dont forget change variables from 'http://$$cap_appname.$$cap_root_domain' to 'https://$$cap_appname.$$cap_root_domain'

            IMPORTANT: It will take up to 2 minutes for BoxyHQ Jackson to be ready. Before that, you might see a 502 error page.

            Remember that this app will not create a Database by itself. You need to provide all that information.
    displayName: BoxyHQ Jackson (SAML to OAuht) - No Database
    isOfficial: true
    description: This will create a BoxyHQ Jackson only. You will need to create and configure the database information manually. Intended for advanced users.
    documentation: Taken from https://hub.docker.com/r/boxyhq/jackson/.