Add Authentik SSO, budget visibility, Resend email, 12h item default
Opens Veola up to more users (Parodia's Authentik) and makes Apify spend visible to everyone. - Auth: Traefik forward-auth (trust X-Authentik-* headers only from trusted_proxies CIDRs, keyed by email, role synced from admin_group), keeping local password login as break-glass. New [auth] config, CaptureDirectIP + ForwardAuth middleware, deploy/authentik-forward-auth.md. - Budget: count every Apify run (apify_api_usage table) and show calls + estimated cost to all users on the dashboard, with an optional monthly-budget bar. New [budget] config + settings. - Email: Resend client for opt-in deal alerts and a weekly digest (Mon 09:00). Per-user email + toggles on Settings. New [resend] config. - Defaults: new items default to a 12-hour poll interval to cut spend. users table gains email/auth_source/email-pref columns (migrated in place). go build/vet/test green; boots and migrates cleanly.
This commit is contained in:
@@ -13,6 +13,25 @@ secure_cookies = true
|
||||
session_secret = "change-this-to-a-random-32-byte-string-aaaa"
|
||||
encryption_key = "change-this-to-a-different-random-32-byte-string-bb"
|
||||
|
||||
# Identity. mode = "local" (default) uses Veola's own password login. mode =
|
||||
# "forward" additionally trusts identity headers set by a reverse proxy doing
|
||||
# forward-auth (Traefik in front of Authentik); local password login stays
|
||||
# available as a break-glass fallback. Users are matched/created by EMAIL.
|
||||
#
|
||||
# SECURITY: forward-auth headers are honored ONLY when the direct connection
|
||||
# comes from a CIDR in trusted_proxies. Without this, anyone who can reach the
|
||||
# port could spoof the headers. Set it to your proxy's address(es). Veola
|
||||
# refuses to start in forward mode with an empty trusted_proxies list.
|
||||
[auth]
|
||||
mode = "local"
|
||||
# trusted_proxies = ["127.0.0.1/32"] # required when mode = "forward"
|
||||
# admin_group = "veola-admins" # IdP group that maps to the admin role
|
||||
# Header names default to Authentik's; override only if your proxy differs.
|
||||
# forward_header_user = "X-Authentik-Username"
|
||||
# forward_header_email = "X-Authentik-Email"
|
||||
# forward_header_name = "X-Authentik-Name"
|
||||
# forward_header_groups = "X-Authentik-Groups"
|
||||
|
||||
[apify]
|
||||
api_key = ""
|
||||
|
||||
@@ -55,6 +74,26 @@ daily_call_limit = 5000
|
||||
base_url = "https://ntfy.yourdomain.com"
|
||||
default_topic = "veola"
|
||||
|
||||
# Resend transactional email (https://resend.com) for opt-in deal alerts and
|
||||
# the weekly digest. api_key and from can also be set via /settings. The from
|
||||
# address domain must be verified in your Resend account. Each user enables
|
||||
# their own email + opt-ins on the Settings page.
|
||||
[resend]
|
||||
api_key = ""
|
||||
from = "Veola <veola@yourdomain.com>"
|
||||
|
||||
# Budget visibility. Apify bills per actor run/result, which Veola cannot read
|
||||
# back exactly, so apify_cost_per_call is a USD estimate multiplied by the
|
||||
# recorded run count. monthly_budget_usd > 0 draws a budget bar on the
|
||||
# dashboard (visible to every signed-in user). Both are overridable via
|
||||
# /settings.
|
||||
[budget]
|
||||
apify_cost_per_call = 0.0
|
||||
monthly_budget_usd = 0.0
|
||||
|
||||
[scheduler]
|
||||
# Per-item poll cadence is set on the add-item form (new items default to a
|
||||
# 12-hour refresh to keep Apify spend down). This global value is the fallback
|
||||
# for items left at 0.
|
||||
global_poll_interval_minutes = 60
|
||||
match_confidence_threshold = 0.6
|
||||
|
||||
Reference in New Issue
Block a user