From f99887403c340de29ada978fa45ee786cab7844c Mon Sep 17 00:00:00 2001
From: 3wc <3wc.git@doesthisthing.work>
Date: Thu, 24 Sep 2020 20:56:27 +0200
Subject: [PATCH] Optional OAuth login

---
 .envrc.sample | 13 +++++++++++++
 README.md | 19 ++++++++++++++++++-
 compose.oauth.yml | 29 +++++++++++++++++++++++++++++
 compose.yml | 25 +++++++++++++++++++++++--
 entrypoint.sh.tmpl | 40 ++++++++++++++++++++++++++++++++++++++++
 5 files changed, 123 insertions(+), 3 deletions(-)
 create mode 100644 compose.oauth.yml
 create mode 100644 entrypoint.sh.tmpl

diff --git a/.envrc.sample b/.envrc.sample
index e9e96a1..e1dc013 100644
--- a/.envrc.sample
+++ b/.envrc.sample
@@ -3,4 +3,17 @@
 export DOMAIN=rocketchat.example.com
 export STACK_NAME=rocketchat
 export LETS_ENCRYPT_ENV=production
+# Keycloak settings
 # https://docs.rocket.chat/guides/administrator-guides/settings-via-env-vars
+export ADMIN_USERNAME=admin
+export ADMIN_EMAIL=rocketchat@example.com
+
+# OAuth with Keycloak
+#export COMPOSE_FILE="compose.yml:compose.oauth.yml"
+#export Accounts_OAuth_Custom-Keycloak-url="https://id.example.com/auth"
+#export Accounts_OAuth_Custom-Keycloak-token_path="/realms/realmname/protocol/openid-connect/token"
+#export Accounts_OAuth_Custom-Keycloak-identity_path="/realms/realmname/protocol/openid-connect/userinfo"
+#export Accounts_OAuth_Custom-Keycloak-authorize_path="/realms/realmname/protocol/openid-connect/auth"
+#export Accounts_OAuth_Custom-Keycloak-id="rocketchat"
+
+#export OAUTH_KEY_VERSION=v1
diff --git a/README.md b/README.md
index 41f9b8e..05769bd 100644
--- a/README.md
+++ b/README.md
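Review bot: The commented-out `#export Accounts_OAuth_Custom-Keycloak-url=…` lines in this hunk cannot be enabled as written: bash rejects a hyphen in a variable name (`export: not a valid identifier`), and compose.oauth.yml substitutes the underscore spellings `${Accounts_OAuth_Custom_Keycloak_url}` and friends, so the values would never reach the stack even if the shell accepted them. Rename them to the form the compose file reads, e.g. `#export Accounts_OAuth_Custom_Keycloak_url="https://id.example.com/auth"`, and likewise for `token_path`, `identity_path`, `authorize_path` and `id`. The sample also omits `ADMIN_PASSWORD_VERSION` and `ENTRYPOINT_CONF_VERSION`, which compose.yml's new `secrets:` and `configs:` sections interpolate into the secret and config names; with them unset the names degrade to `rocketchat_admin_password_` and the deploy presumably fails to find the external secret. A line such as `#export ADMIN_PASSWORD_VERSION=v1` beside `OAUTH_KEY_VERSION`, plus a `secret_generate admin_password v1` step like README step 6 does for `db_password`, would make the sample self-consistent.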
@@ -1,4 +1,21 @@ +# Rocketchat -# SSO +[Rocket.chat] RSS reader using Coöp Cloud ♥ + +1. Set up Docker Swarm and [`abra`] +2. Deploy [`compose-stacks/traefik`] +3. `cp .envrc.sample .envrc` +4. Edit `.envrc` - be sure to change `$DOMAIN` to something that resolves to + your Docker swarm box +5. `direnv allow` (or `. .envrc`) +6. `abra secret_generate db_password v1` +7. `abra deploy` +9. Open the configured domain in your browser to finish set-up + +## SSO https://docs.rocket.chat/guides/administrator-guides/authentication/open-id-connect/keycloak + +[Rocket.chat]: https://rocket.chat +[`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra +[`compose-stacks/traefik`]: https://git.autonomic.zone/compose-stacks/traefik
diff --git a/compose.oauth.yml b/compose.oauth.yml
new file mode 100644
index 0000000..537177b
--- /dev/null
+++ b/compose.oauth.yml
@@ -0,0 +1,29 @@
+---
+version: '3.8'
+
+services:
+ rocketchat:
+ secrets:
+ - oauth_key
+ environment:
+ - Accounts_OAuth_Custom-Keycloak=true
+ - Accounts_OAuth_Custom-Keycloak-url=${Accounts_OAuth_Custom_Keycloak_url}
+ - Accounts_OAuth_Custom-Keycloak-token_path=${Accounts_OAuth_Custom_Keycloak_token_path}
+ - Accounts_OAuth_Custom-Keycloak-token_sent_via=Header
+ - Accounts_OAuth_Custom-Keycloak-identity_token_sent_via=header
+ - Accounts_OAuth_Custom-Keycloak-identity_path=${Accounts_OAuth_Custom_Keycloak_identity_path}
+ - Accounts_OAuth_Custom-Keycloak-authorize_path=${Accounts_OAuth_Custom_Keycloak_authorize_path}
+ - Accounts_OAuth_Custom-Keycloak-scope=openid
+ - Accounts_OAuth_Custom-Keycloak-id=${Accounts_OAuth_Custom_Keycloak_id}
+ - Accounts_OAuth_Custom-Keycloak-login_style=redirect
+ - Accounts_OAuth_Custom-Keycloak-button_label_text=Login via Keycloak
+ - Accounts_OAuth_Custom-Keycloak-button_label_color="#FFFFFF"
+ - Accounts_OAuth_Custom-Keycloak-button_color="#13679A"
+ - Accounts_OAuth_Custom-Keycloak-username_field=preferred_username
+ - Accounts_OAuth_Custom-Keycloak-merge_users=false
+ - OAUTH_KEY_FILE=/run/secrets/oauth_key
+
+secrets:
+ oauth_key:
+ external: true
+ name: ${STACK_NAME}_oauth_key_${OAUTH_KEY_VERSION}
diff --git a/compose.yml b/compose.yml
index 3b9cd55..1952af3 100644
--- a/compose.yml
+++ b/compose.yml
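Review bot: The colour entries `button_label_color="#FFFFFF"` and `button_color="#13679A"` are list-form `environment` items, so YAML keeps the double quotes as part of the scalar and the container most likely receives the literal string `"#FFFFFF"`, quotes included; `- Accounts_OAuth_Custom-Keycloak-button_label_color=#FFFFFF` passes the bare value (the `#` is not a YAML comment because it is not preceded by whitespace). `token_sent_via=Header` and `identity_token_sent_via=header` differ only in case; unless Rocket.Chat compares these case-insensitively one of them is probably wrong, so they are worth checking against the Keycloak guide the README links. The secret handling itself looks right: the client secret is not placed in `environment` but read from `/run/secrets/oauth_key` via `OAUTH_KEY_FILE`, and `merge_users=false` keeps an IdP identity from being merged into an existing local account on e-mail match alone.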
@@ -14,14 +14,24 @@ services:
 done; (exit $$s)"
 volumes:
 - "rocketchat_uploads:/app/uploads"
+ secrets:
+ - admin_password
 environment:
 - PORT=3000
 - ROOT_URL=https://${DOMAIN}
 - MONGO_URL=mongodb://mongo:27017/rocketchat
 - MONGO_OPLOG_URL=mongodb://mongo:27017/local
 - MAIL_URL=smtp://smtp.email
-# - HTTP_PROXY=http://proxy.domain.com
-# - HTTPS_PROXY=http://proxy.domain.com
+ - ADMIN_USERNAME
+ - ADMIN_PASS_FILE=/run/secrets/admin_password
+ - ADMIN_EMAIL
+ #- HTTP_PROXY=http://proxy.domain.com
+ #- HTTPS_PROXY=http://proxy.domain.com
+ configs:
+ - source: entrypoint_conf
+ target: /docker-entrypoint.sh
+ mode: 0555
+ entrypoint: /docker-entrypoint.sh
 networks:
 - internal
 - proxy
@@ -100,3 +110,14 @@ networks:
 volumes:
 rocketchat_uploads:
 mongo:
+
+secrets:
+ admin_password:
+ external: true
+ name: ${STACK_NAME}_admin_password_${ADMIN_PASSWORD_VERSION}
+
+configs:
+ entrypoint_conf:
+ name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_CONF_VERSION}
+ file: entrypoint.sh.tmpl
+ template_driver: golang
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
new file mode 100644
index 0000000..42c1009
--- /dev/null
+++ b/entrypoint.sh.tmpl
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+file_env() {
+ # 3wc: Load $VAR_FILE into $VAR - useful for secrets. See
+ # https://medium.com/@adrian.gheorghe.dev/using-docker-secrets-in-your-environment-variables-7a0609659aab
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+load_vars() {
+ file_env "ADMIN_PASS"
+ file_env "OAUTH_KEY"
+}
+
+main() {
+ set -eu
+
+ load_vars
+}
+
+main
+
+# 3wc: upstream ENTRYPOINT
+# we need to use `env` here because bash won't fuck with variable names with
+# hyphens, but both `env` and `node` seem fine..
+env Accounts_OAuth_Custom-Keycloak-secret=$OAUTH_KEY "$@"
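Review bot: The final `env Accounts_OAuth_Custom-Keycloak-secret=$OAUTH_KEY "$@"` runs without `exec`, so bash remains the container's PID 1 with node as a child; PID 1 gets no default signal handlers and this script installs none, so `docker stop` and Swarm rolling updates sit through the kill timeout instead of shutting Rocket.Chat down cleanly. `$OAUTH_KEY` is also unquoted, so a secret containing whitespace or glob characters is split before `env` sees it; both are fixed by `exec env "Accounts_OAuth_Custom-Keycloak-secret=$OAUTH_KEY" "$@"`. Because compose.yml now overrides `entrypoint:`, `"$@"` is whatever CMD the image supplies (I could not verify it from this patch); if that were ever empty, `env` with no command prints the whole environment — `ADMIN_PASS` and the OAuth secret included — to the container log and exits, so a guard such as `[ "$#" -gt 0 ] || { echo >&2 "error: no command to run"; exit 1; }` before the `exec` is cheap insurance. Note that `set -eu` inside `main` applies to the rest of the script rather than to the function alone, which is fine here but deserves a one-line comment since the last line depends on `OAUTH_KEY` having been exported (possibly empty) by `file_env`.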