Add experimental OIDC setup
This commit is contained in:
decentral1se
parent
7fdfe01d6a
commit
61906f7a1c
GPG Key ID:
92DAD76BD9567B8A
30
.env.sample
30
.env.sample
|
|
@ -77,6 +77,7 @@ SECRET_OTP_SECRET_VERSION=v1
|
|||
SECRET_VAPID_PRIVATE_KEY_VERSION=v1
|
||||
SECRET_DB_PASSWORD_VERSION=v1
|
||||
SECRET_SMTP_PASSWORD_VERSION=v1
|
||||
SECRET_OIDC_CLIENT_SECRET_VERSION=v1
|
||||
|
||||
# Web Push
|
||||
# ========
|
||||
|
|
@ -170,6 +171,35 @@ DEFAULT_LOCALE=en
|
|||
# SAML_ATTRIBUTES_STATEMENTS_VERIFIED=
|
||||
# SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL=
|
||||
|
||||
# OpenID Connect
|
||||
# --------------
|
||||
# COMPOSE_FILE="compose.yml:compose.oidc.yml"
|
||||
# OIDC_ENABLED=
|
||||
# OIDC_DISPLAY_NAME=
|
||||
# OIDC_ISSUER=
|
||||
# OIDC_DISCOVERY=
|
||||
# OIDC_CLIENT_AUTH_METHOD
|
||||
# OIDC_SCOPE=
|
||||
# OIDC_RESPONSE_TYPE=
|
||||
# OIDC_RESPONSE_MODE=
|
||||
# OIDC_DISPLAY=
|
||||
# OIDC_PROMPT=
|
||||
# OIDC_SEND_NONCE=
|
||||
# OIDC_SEND_SCOPE_TO_TOKEN_ENDPOINT=
|
||||
# OIDC_IDP_LOGOUT_REDIRECT_URI=
|
||||
# OIDC_UID_FIELD=
|
||||
# OIDC_CLIENT_ID=
|
||||
# OIDC_REDIRECT_URI=
|
||||
# OIDC_HTTP_SCHEME=
|
||||
# OIDC_HOST=
|
||||
# OIDC_PORT=
|
||||
# OIDC_AUTH_ENDPOINT=
|
||||
# OIDC_TOKEN_ENDPOINT=
|
||||
# OIDC_USER_INFO_ENDPOINT=
|
||||
# OIDC_JWKS_URI=
|
||||
# OIDC_END_SESSION_ENDPOINT=
|
||||
# OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=
|
||||
|
||||
# Hidden services (Not Supported)
|
||||
# ===============================
|
||||
# http_proxy= # yes, this should be lowercase
|
||||
|
|
|
|||
2
abra.sh
2
abra.sh
|
|
@ -1,5 +1,5 @@
|
|||
# shellcheck disable=SC2148
|
||||
export ENTRYPOINT_CONF_VERSION=v1
|
||||
export ENTRYPOINT_CONF_VERSION=v3
|
||||
#MASTO_APP_DIR="mastodon/public"
|
||||
|
||||
sub_rake() {
|
||||
|
|
|
|||
|
|
@ -0,0 +1,17 @@
|
|||
---
|
||||
version: "3.8"
|
||||
|
||||
services:
|
||||
web:
|
||||
secrets:
|
||||
- db_password
|
||||
- otp_secret
|
||||
- secret_key_base
|
||||
- smtp_password
|
||||
- vapid_private_key
|
||||
- oidc_client_secret
|
||||
|
||||
secrets:
|
||||
oidc_client_secret:
|
||||
name: ${STACK_NAME}_oidc_client_secret_${SECRET_OIDC_CLIENT_SECRET_VERSION}
|
||||
external: true
|
||||
160
compose.yml
160
compose.yml
|
|
@ -50,7 +50,7 @@ services:
|
|||
hard: -1
|
||||
|
||||
web:
|
||||
image: &image decentral1se/hometown:v1.0.5_3.4.0
|
||||
image: &image decentral1se/hometown:v1.0.5_3.4.0_openid-sso
|
||||
command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
|
||||
networks: &bothNetworks
|
||||
- proxy
|
||||
|
|
@ -100,90 +100,116 @@ services:
|
|||
- smtp_password
|
||||
- vapid_private_key
|
||||
environment: &env
|
||||
- ALLOW_ACCESS_TO_HIDDEN_SERVICE
|
||||
- ALTERNATE_DOMAINS
|
||||
- AUTHORIZED_FETCH
|
||||
- CACHE_REDIS_HOST
|
||||
- CACHE_REDIS_NAMESPACE
|
||||
- CACHE_REDIS_PORT
|
||||
- CACHE_REDIS_URL
|
||||
- DB_HOST
|
||||
- DB_USER
|
||||
- DB_NAME
|
||||
- DB_PASS_FILE=/run/secrets/db_password
|
||||
- DB_PORT
|
||||
- REDIS_HOST
|
||||
- REDIS_PORT
|
||||
- REDIS_URL
|
||||
- REDIS_NAMESPACE
|
||||
- CACHE_REDIS_HOST
|
||||
- CACHE_REDIS_PORT
|
||||
- CACHE_REDIS_URL
|
||||
- CACHE_REDIS_NAMESPACE
|
||||
- DB_USER
|
||||
- DEFAULT_LOCALE
|
||||
- EMAIL_DOMAIN_ALLOWLIST
|
||||
- EMAIL_DOMAIN_DENYLIST
|
||||
- ES_ENABLED
|
||||
- ES_HOST
|
||||
- ES_PORT
|
||||
- STATSD_ADDR
|
||||
- STATSD_NAMESPACE
|
||||
- VAPID_PRIVATE_KEY_FILE=/run/secrets/vapid_private_key
|
||||
- VAPID_PUBLIC_KEY
|
||||
- OTP_SECRET_FILE=/run/secrets/otp_secret
|
||||
- SECRET_KEY_BASE_FILE=/run/secrets/secret_key_base
|
||||
- LOCAL_DOMAIN
|
||||
- WEB_DOMAIN
|
||||
- ALTERNATE_DOMAINS
|
||||
- AUTHORIZED_FETCH
|
||||
- LIMITED_FEDERATION_MODE
|
||||
- RAILS_ENV
|
||||
- RAILS_SERVE_STATIC_FILES
|
||||
- SINGLE_USER_MODE
|
||||
- EMAIL_DOMAIN_ALLOWLIST
|
||||
- EMAIL_DOMAIN_DENYLIST
|
||||
- DEFAULT_LOCALE
|
||||
- MAX_SESSION_ACTIVATIONS
|
||||
- USER_ACTIVE_DAYS
|
||||
- SMTP_SERVER
|
||||
- SMTP_PORT
|
||||
- SMTP_LOGIN
|
||||
- SMTP_PASSWORD_FILE=/run/secrets/smtp_password
|
||||
- SMTP_FROM_ADDRESS
|
||||
- SMTP_DOMAIN
|
||||
- SMTP_DELIVERY_METHOD
|
||||
- SMTP_AUTH_METHOD
|
||||
- SMTP_CA_FILE
|
||||
- SMTP_OPENSSL_VERIFY_MODE
|
||||
- SMTP_ENABLE_STARTTLS_AUTO
|
||||
- SMTP_TLS
|
||||
- SMTP_SSL
|
||||
- PAPERCLIP_ROOT_PATH
|
||||
- PAPERCLIP_ROOT_URL
|
||||
- OAUTH_REDIRECT_AT_SIGN_IN
|
||||
- LDAP_ENABLED
|
||||
- LDAP_HOST
|
||||
- LDAP_PORT
|
||||
- LDAP_METHOD
|
||||
- LDAP_BASE
|
||||
- LDAP_BIND_DN
|
||||
- LDAP_PASSWORD
|
||||
- LDAP_UID
|
||||
- LDAP_SEARCH_FILTER
|
||||
- LDAP_ENABLED
|
||||
- LDAP_HOST
|
||||
- LDAP_MAIL
|
||||
- LDAP_METHOD
|
||||
- LDAP_PASSWORD
|
||||
- LDAP_PORT
|
||||
- LDAP_SEARCH_FILTER
|
||||
- LDAP_UID
|
||||
- LDAP_UID_CONVERSTION_ENABLED
|
||||
- SAML_ENABLED
|
||||
- LIMITED_FEDERATION_MODE
|
||||
- LOCAL_DOMAIN
|
||||
- MAX_SESSION_ACTIVATIONS
|
||||
- OAUTH_REDIRECT_AT_SIGN_IN
|
||||
- OIDC_AUTH_ENDPOINT
|
||||
- OIDC_CLIENT_AUTH_METHOD
|
||||
- OIDC_CLIENT_ID
|
||||
- OIDC_CLIENT_SECRET
|
||||
- OIDC_DISCOVERY
|
||||
- OIDC_DISPLAY
|
||||
- OIDC_DISPLAY_NAME
|
||||
- OIDC_ENABLED
|
||||
- OIDC_END_SESSION_ENDPOINT
|
||||
- OIDC_HOST
|
||||
- OIDC_IDP_LOGOUT_REDIRECT_URI
|
||||
- OIDC_ISSUER
|
||||
- OIDC_JWKS_URI
|
||||
- OIDC_PORT
|
||||
- OIDC_PROMPT
|
||||
- OIDC_REDIRECT_URI
|
||||
- OIDC_RESPONSE_MODE
|
||||
- OIDC_RESPONSE_TYPE
|
||||
- OIDC_SCOPE
|
||||
- OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED
|
||||
- OIDC_SEND_NONCE
|
||||
- OIDC_SEND_SCOPE_TO_TOKEN_ENDPOINT
|
||||
- OIDC_CLIENT_SECRET_FILE=/run/secrets/oidc_client_secret
|
||||
- OIDC_TOKEN_ENDPOINT
|
||||
- OIDC_UID_FIELD
|
||||
- OIDC_USER_INFO_ENDPOINT
|
||||
- OTP_SECRET_FILE=/run/secrets/otp_secret
|
||||
- PAPERCLIP_ROOT_PATH
|
||||
- PAPERCLIP_ROOT_URL
|
||||
- RAILS_ENV
|
||||
- RAILS_SERVE_STATIC_FILES
|
||||
- REDIS_HOST
|
||||
- REDIS_NAMESPACE
|
||||
- REDIS_PORT
|
||||
- REDIS_URL
|
||||
- SAML_ACS_URL
|
||||
- SAML_ISSUER
|
||||
- SAML_IDP_SSO_TARGET_URL
|
||||
- SAML_IDP_CERT
|
||||
- SAML_IDP_CERT_FINGERPRINT
|
||||
- SAML_NAME_IDENTIFIER_FORMAT
|
||||
- SAML_CERT
|
||||
- SAML_PRIVATE_KEY
|
||||
- SAML_SECURITY_WANT_ASSERTION_SIGNED
|
||||
- SAML_SECURITY_WANT_ASSERTION_ENCRYPTED
|
||||
- SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED
|
||||
- SAML_ATTRIBUTES_STATEMENTS_UID
|
||||
- SAML_ATTRIBUTES_STATEMENTS_EMAIL
|
||||
- SAML_ATTRIBUTES_STATEMENTS_FULL_NAME
|
||||
- SAML_ATTRIBUTES_STATEMENTS_FIRST_NAME
|
||||
- SAML_ATTRIBUTES_STATEMENTS_FULL_NAME
|
||||
- SAML_ATTRIBUTES_STATEMENTS_LAST_NAME
|
||||
- SAML_UID_ATTRIBUTE
|
||||
- SAML_ATTRIBUTES_STATEMENTS_UID
|
||||
- SAML_ATTRIBUTES_STATEMENTS_VERIFIED
|
||||
- SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL
|
||||
- SAML_CERT
|
||||
- SAML_ENABLED
|
||||
- SAML_IDP_CERT
|
||||
- SAML_IDP_CERT_FINGERPRINT
|
||||
- SAML_IDP_SSO_TARGET_URL
|
||||
- SAML_ISSUER
|
||||
- SAML_NAME_IDENTIFIER_FORMAT
|
||||
- SAML_PRIVATE_KEY
|
||||
- SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED
|
||||
- SAML_SECURITY_WANT_ASSERTION_ENCRYPTED
|
||||
- SAML_SECURITY_WANT_ASSERTION_SIGNED
|
||||
- SAML_UID_ATTRIBUTE
|
||||
- SECRET_KEY_BASE_FILE=/run/secrets/secret_key_base
|
||||
- SINGLE_USER_MODE
|
||||
- SMTP_AUTH_METHOD
|
||||
- SMTP_CA_FILE
|
||||
- SMTP_DELIVERY_METHOD
|
||||
- SMTP_DOMAIN
|
||||
- SMTP_ENABLE_STARTTLS_AUTO
|
||||
- SMTP_FROM_ADDRESS
|
||||
- SMTP_LOGIN
|
||||
- SMTP_OPENSSL_VERIFY_MODE
|
||||
- SMTP_PASSWORD_FILE=/run/secrets/smtp_password
|
||||
- SMTP_PORT
|
||||
- SMTP_SERVER
|
||||
- SMTP_SSL
|
||||
- SMTP_TLS
|
||||
- STATSD_ADDR
|
||||
- STATSD_NAMESPACE
|
||||
- USER_ACTIVE_DAYS
|
||||
- VAPID_PRIVATE_KEY_FILE=/run/secrets/vapid_private_key
|
||||
- VAPID_PUBLIC_KEY
|
||||
- WEB_DOMAIN
|
||||
- http_proxy # yes, this should be lowercase
|
||||
- ALLOW_ACCESS_TO_HIDDEN_SERVICE
|
||||
|
||||
streaming:
|
||||
image: *image
|
||||
|
|
|
|||
|
|
@ -28,5 +28,6 @@ file_env "OTP_SECRET"
|
|||
file_env "SECRET_KEY_BASE"
|
||||
file_env "SMTP_PASSWORD"
|
||||
file_env "VAPID_PRIVATE_KEY"
|
||||
file_env "OIDC_CLIENT_SECRET"
|
||||
|
||||
/usr/bin/tini -- "$@"
|
||||
|
|
|
|||
Reference in New Issue