Taiga

From Organic Design wiki

Install

The documentation is fairly good at describing what to do, but here is a quick setup guide.

First check you have git, docker and docker-compose installed at the versions it recommends.

git clone https://github.com/taigaio/taiga-docker
cd taiga-docker
git checkout stable

Set every instance of the following variables to a password of your own in docker-compose.yml and docker-compose-inits.yml.

Important: do not include symbols in the passwords or else you may get some very strange errors.

POSTGRES_PASSWORD
TAIGA_SECRET_KEY
RABBITMQ_PASS

Edit these values to match your setup:

TAIGA_SITES_SCHEME: http
TAIGA_SITES_DOMAIN: example.com
TAIGA_URL: "http://example.com"
TAIGA_WEBSOCKETS_URL: "ws://example.com"

Then run:

./launch-taiga.sh # Or ./launch-all.sh if you want penpot too
# Wait a couple of minutes AFTER the command has FINISHED then run it again.
./launch-taiga.sh
# Check that the back service has finished booting (may take 5 minutes):
docker logs taiga-docker_taiga-back_1

The last command should show output like the following:

Applied <THINGS>
Give permission to taiga:taiga
Listening at: http://0.0.0.0:8000 (1)
<Booted 3 service workers>

Once you see the service workers are booted you can create the super user:

./taiga-manage.sh createsuperuser


Set up the reverse proxy exactly as the documentation says, but don't forget to add a listen line:

listen 80;

Updating Configuration

If you need to change the Taiga configuration just run the launch-taiga.sh/launch-all.sh again.


If you need to change config details that involve the setup you may need to nuke the volumes, which deletes all data stored in them:

docker-compose down -v

https

HTTPS can be a bit tricky to set up at first, but make all of the changes listed here and it should work:

First ensure the webserver is listening for https or port 443 - do not change the proxy target!

Then in docker-compose.yml make the following edits:

  • TAIGA_SITES_SCHEME: "https"
  • TAIGA_URL: "https://example.com"
  • TAIGA_WEBSOCKETS_URL: "wss://example.com"

There is no need to change the port at the bottom of the file.

SSO

Currently the only SSO options for Taiga are GitHub, GitLab and OpenID Connect (using taiga-contrib-openid-auth).

OpenID Auth Install

The instructions on the repo work but are a little funky, so here is a quicker setup procedure.

Enter the Taiga docker directory (the clone of taiga-docker) and fetch the configuration files:

wget https://raw.githubusercontent.com/taigaio/taiga-back/master/docker/config.py https://raw.githubusercontent.com/taigaio/taiga-front/master/docker/config_env_subst.sh https://raw.githubusercontent.com/taigaio/taiga-front/master/docker/conf.json.template;
mv conf.json.template conf.json;

Then update the docker-compose.yml configuration like so:

x-environment:
  # Enable OpenID users to auto sign up if they don't have an account.
  PUBLIC_REGISTER_ENABLED: "True"

  # OpenID settings
  ENABLE_OPENID: "True"
  OPENID_USER_URL : "https://<URL OF YOUR PROVIDER>/me"
  OPENID_TOKEN_URL : "https://<URL OF YOUR PROVIDER>/token"
  OPENID_CLIENT_ID : "<CLIENT ID>"
  OPENID_CLIENT_SECRET : "<CLIENT SECRET>"

services:
  taiga-back:
    image: robrotheram/taiga-back-openid

  taiga-front:
    image: robrotheram/taiga-front-openid
    environment:
      # Disable non OpenID users to sign up.
      PUBLIC_REGISTER_ENABLED: "False"

      ENABLE_OPENID: "true"
      OPENID_URL : "https://<URL OF YOUR PROVIDER>/auth"
      OPENID_CLIENT_ID : "<ClientID>"
      # This will show as "SIGN IN WITH Provider name"
      OPENID_NAME: "Provider name"

Provider Setup

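The plugin by default does not send a scopes request, so it is necessary to intercept the request and add the scopes that it needs. This can be done in Express like so:

app.get("/auth", (req, res, next) => {
	// A scope is already present: pass the request through untouched.
	if (req.query.scope)
		return next();

	// req.query values are already URL-decoded, so they must be re-encoded
	// (a redirect_uri can itself contain "&" or "?"). URLSearchParams does this.
	const params = new URLSearchParams({ scope: "openid email profile" });

	for (const key of Object.keys(req.query))
		params.append(key, String(req.query[key]));

	return res.redirect(`/auth?${params}`);
});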

// The rest of your routing.

You will need to configure your provider with a configuration like this:

clients: [{
	client_id: "foo",
	client_secret: "bar",
	redirect_uris: ["https://jwt.io", "https://oidcdebugger.com/debug", "https://openidconnect.net/callback"],
	response_types: ["id_token", "code"],
	grant_types: ["implicit", "authorization_code"],
	token_endpoint_auth_method: "client_secret_post"
}],

claims: {
	openid: ["sub"],
	email: ["email"],
	profile: ["preferred_username", "name"]
}
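
The client entry above uses placeholder credentials and registers public debugging tools as redirect URIs, so it should be tightened before real users log in. The check below is an added example (not from the original page or from any provider's code) that flags such entries; auditClient, TAIGA_ORIGIN and the 32-character minimum are assumptions, with the origin taken from the TAIGA_URL placeholder used on this page.

```javascript
// Added example: audit an OIDC client registration before it goes live.
// TAIGA_ORIGIN is an assumption based on the TAIGA_URL placeholder on this page.
const TAIGA_ORIGIN = "https://example.com";

// Constructed sample: the client entry shown above, unchanged.
const sampleClient = {
	client_id: "foo",
	client_secret: "bar",
	redirect_uris: ["https://jwt.io", "https://oidcdebugger.com/debug", "https://openidconnect.net/callback"],
	response_types: ["id_token", "code"],
	grant_types: ["implicit", "authorization_code"],
	token_endpoint_auth_method: "client_secret_post"
};

function auditClient(client, allowedOrigin, minSecretLength = 32) {
	const findings = [];

	for (const uri of client.redirect_uris || []) {
		let origin;
		try {
			origin = new URL(uri).origin;
		} catch {
			findings.push(`redirect_uri is not a valid URL: ${uri}`);
			continue;
		}
		// Codes and tokens are delivered to every registered redirect URI,
		// so only the Taiga site itself should be listed.
		if (origin !== allowedOrigin)
			findings.push(`redirect_uri outside ${allowedOrigin}: ${uri}`);
	}

	// The implicit flow returns tokens in the browser URL fragment.
	if ((client.grant_types || []).includes("implicit"))
		findings.push("implicit grant is enabled");
	if ((client.response_types || []).some(t => t.split(" ").includes("id_token")))
		findings.push("id_token response type is enabled");

	if (!client.client_secret || client.client_secret.length < minSecretLength)
		findings.push(`client_secret shorter than ${minSecretLength} characters`);

	return findings;
}

for (const finding of auditClient(sampleClient, TAIGA_ORIGIN))
	console.log(`[${sampleClient.client_id}] ${finding}`);
```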

Account Linking

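The OpenID Connect plugin gives you access to the account that matches the email claim, so accounts don't need to be linked - just ensure the emails line up. Since the email claim alone selects the account, the provider must only release email addresses it has verified.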

OpenID Signups

The OpenID Connect plugin allows you to customize what sort of users can create an account.


If you don't want anyone to be able to create an account, ensure all the following fields are set to false in the docker-compose.yml configuration:

x-environment:
  PUBLIC_REGISTER_ENABLED: "False"

If you want to allow people to sign up via OpenID but nothing else then:

x-environment:
  PUBLIC_REGISTER_ENABLED: "True"

taiga-front:
  environment:
    PUBLIC_REGISTER_ENABLED: "False" # If this option is not here it defaults to false.

If you want anyone to be able to sign up then have them all set to true:

x-environment:
  PUBLIC_REGISTER_ENABLED: "True"

taiga-front:
  environment:
    PUBLIC_REGISTER_ENABLED: "True"

Debugging

If you need to check the database:

sudo docker exec -ti taiga-docker_taiga-db_1 psql -U DB_USER DB_NAME # DB_USER and DB_NAME, e.g. taiga taiga

Then to show the tables:

\dt

Then to view all users:

SELECT * FROM "users_user";