knoflook/hometown
0
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Add experimental OIDC setup

Browse Source
This commit is contained in:
decentral1se 2021-05-29 01:54:44 +02:00
parent 7fdfe01d6a
commit 61906f7a1c
Signed by untrusted user who does not match committer: decentral1se
GPG Key ID: 92DAD76BD9567B8A
5 changed files with 142 additions and 68 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
.env.sample
View File

@ -77,6 +77,7 @@ SECRET_OTP_SECRET_VERSION=v1
SECRET_VAPID_PRIVATE_KEY_VERSION=v1 SECRET_VAPID_PRIVATE_KEY_VERSION=v1
SECRET_DB_PASSWORD_VERSION=v1 SECRET_DB_PASSWORD_VERSION=v1
SECRET_SMTP_PASSWORD_VERSION=v1 SECRET_SMTP_PASSWORD_VERSION=v1
SECRET_OIDC_CLIENT_SECRET_VERSION=v1
# Web Push # Web Push
# ======== # ========
@ -170,6 +171,35 @@ DEFAULT_LOCALE=en
# SAML_ATTRIBUTES_STATEMENTS_VERIFIED= # SAML_ATTRIBUTES_STATEMENTS_VERIFIED=
# SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL= # SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL=
# OpenID Connect
# --------------
# COMPOSE_FILE="compose.yml:compose.oidc.yml"
# OIDC_ENABLED=
# OIDC_DISPLAY_NAME=
# OIDC_ISSUER=
# OIDC_DISCOVERY=
# OIDC_CLIENT_AUTH_METHOD
# OIDC_SCOPE=
# OIDC_RESPONSE_TYPE=
# OIDC_RESPONSE_MODE=
# OIDC_DISPLAY=
# OIDC_PROMPT=
# OIDC_SEND_NONCE=
# OIDC_SEND_SCOPE_TO_TOKEN_ENDPOINT=
# OIDC_IDP_LOGOUT_REDIRECT_URI=
# OIDC_UID_FIELD=
# OIDC_CLIENT_ID=
# OIDC_REDIRECT_URI=
# OIDC_HTTP_SCHEME=
# OIDC_HOST=
# OIDC_PORT=
# OIDC_AUTH_ENDPOINT=
# OIDC_TOKEN_ENDPOINT=
# OIDC_USER_INFO_ENDPOINT=
# OIDC_JWKS_URI=
# OIDC_END_SESSION_ENDPOINT=
# OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=
# Hidden services (Not Supported) # Hidden services (Not Supported)
# =============================== # ===============================
# http_proxy= # yes, this should be lowercase # http_proxy= # yes, this should be lowercase

2
abra.sh
View File

@ -1,5 +1,5 @@
# shellcheck disable=SC2148 # shellcheck disable=SC2148
export ENTRYPOINT_CONF_VERSION=v1 export ENTRYPOINT_CONF_VERSION=v3
#MASTO_APP_DIR="mastodon/public" #MASTO_APP_DIR="mastodon/public"
sub_rake() { sub_rake() {

17
compose.oidc.yml Normal file
View File

@ -0,0 +1,17 @@
---
version: "3.8"
services:
web:
secrets:
- db_password
- otp_secret
- secret_key_base
- smtp_password
- vapid_private_key
- oidc_client_secret
secrets:
oidc_client_secret:
name: ${STACK_NAME}_oidc_client_secret_${SECRET_OIDC_CLIENT_SECRET_VERSION}
external: true

160
compose.yml
View File

@ -50,7 +50,7 @@ services:
hard: -1 hard: -1
web: web:
image: &image decentral1se/hometown:v1.0.5_3.4.0 image: &image decentral1se/hometown:v1.0.5_3.4.0_openid-sso
command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000" command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
networks: &bothNetworks networks: &bothNetworks
- proxy - proxy
@ -100,90 +100,116 @@ services:
- smtp_password - smtp_password
- vapid_private_key - vapid_private_key
environment: &env environment: &env
- ALLOW_ACCESS_TO_HIDDEN_SERVICE
- ALTERNATE_DOMAINS
- AUTHORIZED_FETCH
- CACHE_REDIS_HOST
- CACHE_REDIS_NAMESPACE
- CACHE_REDIS_PORT
- CACHE_REDIS_URL
- DB_HOST - DB_HOST
- DB_USER
- DB_NAME - DB_NAME
- DB_PASS_FILE=/run/secrets/db_password - DB_PASS_FILE=/run/secrets/db_password
- DB_PORT - DB_PORT
- REDIS_HOST - DB_USER
- REDIS_PORT - DEFAULT_LOCALE
- REDIS_URL - EMAIL_DOMAIN_ALLOWLIST
- REDIS_NAMESPACE - EMAIL_DOMAIN_DENYLIST
- CACHE_REDIS_HOST
- CACHE_REDIS_PORT
- CACHE_REDIS_URL
- CACHE_REDIS_NAMESPACE
- ES_ENABLED - ES_ENABLED
- ES_HOST - ES_HOST
- ES_PORT - ES_PORT
- STATSD_ADDR
- STATSD_NAMESPACE
- VAPID_PRIVATE_KEY_FILE=/run/secrets/vapid_private_key
- VAPID_PUBLIC_KEY
- OTP_SECRET_FILE=/run/secrets/otp_secret
- SECRET_KEY_BASE_FILE=/run/secrets/secret_key_base
- LOCAL_DOMAIN
- WEB_DOMAIN
- ALTERNATE_DOMAINS
- AUTHORIZED_FETCH
- LIMITED_FEDERATION_MODE
- RAILS_ENV
- RAILS_SERVE_STATIC_FILES
- SINGLE_USER_MODE
- EMAIL_DOMAIN_ALLOWLIST
- EMAIL_DOMAIN_DENYLIST
- DEFAULT_LOCALE
- MAX_SESSION_ACTIVATIONS
- USER_ACTIVE_DAYS
- SMTP_SERVER
- SMTP_PORT
- SMTP_LOGIN
- SMTP_PASSWORD_FILE=/run/secrets/smtp_password
- SMTP_FROM_ADDRESS
- SMTP_DOMAIN
- SMTP_DELIVERY_METHOD
- SMTP_AUTH_METHOD
- SMTP_CA_FILE
- SMTP_OPENSSL_VERIFY_MODE
- SMTP_ENABLE_STARTTLS_AUTO
- SMTP_TLS
- SMTP_SSL
- PAPERCLIP_ROOT_PATH
- PAPERCLIP_ROOT_URL
- OAUTH_REDIRECT_AT_SIGN_IN
- LDAP_ENABLED
- LDAP_HOST
- LDAP_PORT
- LDAP_METHOD
- LDAP_BASE - LDAP_BASE
- LDAP_BIND_DN - LDAP_BIND_DN
- LDAP_PASSWORD - LDAP_ENABLED
- LDAP_UID - LDAP_HOST
- LDAP_SEARCH_FILTER
- LDAP_MAIL - LDAP_MAIL
- LDAP_METHOD
- LDAP_PASSWORD
- LDAP_PORT
- LDAP_SEARCH_FILTER
- LDAP_UID
- LDAP_UID_CONVERSTION_ENABLED - LDAP_UID_CONVERSTION_ENABLED
- SAML_ENABLED - LIMITED_FEDERATION_MODE
- LOCAL_DOMAIN
- MAX_SESSION_ACTIVATIONS
- OAUTH_REDIRECT_AT_SIGN_IN
- OIDC_AUTH_ENDPOINT
- OIDC_CLIENT_AUTH_METHOD
- OIDC_CLIENT_ID
- OIDC_CLIENT_SECRET
- OIDC_DISCOVERY
- OIDC_DISPLAY
- OIDC_DISPLAY_NAME
- OIDC_ENABLED
- OIDC_END_SESSION_ENDPOINT
- OIDC_HOST
- OIDC_IDP_LOGOUT_REDIRECT_URI
- OIDC_ISSUER
- OIDC_JWKS_URI
- OIDC_PORT
- OIDC_PROMPT
- OIDC_REDIRECT_URI
- OIDC_RESPONSE_MODE
- OIDC_RESPONSE_TYPE
- OIDC_SCOPE
- OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED
- OIDC_SEND_NONCE
- OIDC_SEND_SCOPE_TO_TOKEN_ENDPOINT
- OIDC_CLIENT_SECRET_FILE=/run/secrets/oidc_client_secret
- OIDC_TOKEN_ENDPOINT
- OIDC_UID_FIELD
- OIDC_USER_INFO_ENDPOINT
- OTP_SECRET_FILE=/run/secrets/otp_secret
- PAPERCLIP_ROOT_PATH
- PAPERCLIP_ROOT_URL
- RAILS_ENV
- RAILS_SERVE_STATIC_FILES
- REDIS_HOST
- REDIS_NAMESPACE
- REDIS_PORT
- REDIS_URL
- SAML_ACS_URL - SAML_ACS_URL
- SAML_ISSUER
- SAML_IDP_SSO_TARGET_URL
- SAML_IDP_CERT
- SAML_IDP_CERT_FINGERPRINT
- SAML_NAME_IDENTIFIER_FORMAT
- SAML_CERT
- SAML_PRIVATE_KEY
- SAML_SECURITY_WANT_ASSERTION_SIGNED
- SAML_SECURITY_WANT_ASSERTION_ENCRYPTED
- SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED
- SAML_ATTRIBUTES_STATEMENTS_UID
- SAML_ATTRIBUTES_STATEMENTS_EMAIL - SAML_ATTRIBUTES_STATEMENTS_EMAIL
- SAML_ATTRIBUTES_STATEMENTS_FULL_NAME
- SAML_ATTRIBUTES_STATEMENTS_FIRST_NAME - SAML_ATTRIBUTES_STATEMENTS_FIRST_NAME
- SAML_ATTRIBUTES_STATEMENTS_FULL_NAME
- SAML_ATTRIBUTES_STATEMENTS_LAST_NAME - SAML_ATTRIBUTES_STATEMENTS_LAST_NAME
- SAML_UID_ATTRIBUTE - SAML_ATTRIBUTES_STATEMENTS_UID
- SAML_ATTRIBUTES_STATEMENTS_VERIFIED - SAML_ATTRIBUTES_STATEMENTS_VERIFIED
- SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL - SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL
- SAML_CERT
- SAML_ENABLED
- SAML_IDP_CERT
- SAML_IDP_CERT_FINGERPRINT
- SAML_IDP_SSO_TARGET_URL
- SAML_ISSUER
- SAML_NAME_IDENTIFIER_FORMAT
- SAML_PRIVATE_KEY
- SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED
- SAML_SECURITY_WANT_ASSERTION_ENCRYPTED
- SAML_SECURITY_WANT_ASSERTION_SIGNED
- SAML_UID_ATTRIBUTE
- SECRET_KEY_BASE_FILE=/run/secrets/secret_key_base
- SINGLE_USER_MODE
- SMTP_AUTH_METHOD
- SMTP_CA_FILE
- SMTP_DELIVERY_METHOD
- SMTP_DOMAIN
- SMTP_ENABLE_STARTTLS_AUTO
- SMTP_FROM_ADDRESS
- SMTP_LOGIN
- SMTP_OPENSSL_VERIFY_MODE
- SMTP_PASSWORD_FILE=/run/secrets/smtp_password
- SMTP_PORT
- SMTP_SERVER
- SMTP_SSL
- SMTP_TLS
- STATSD_ADDR
- STATSD_NAMESPACE
- USER_ACTIVE_DAYS
- VAPID_PRIVATE_KEY_FILE=/run/secrets/vapid_private_key
- VAPID_PUBLIC_KEY
- WEB_DOMAIN
- http_proxy # yes, this should be lowercase - http_proxy # yes, this should be lowercase
- ALLOW_ACCESS_TO_HIDDEN_SERVICE
streaming: streaming:
image: *image image: *image

1
entrypoint.sh.tmpl
View File

@ -28,5 +28,6 @@ file_env "OTP_SECRET"
file_env "SECRET_KEY_BASE" file_env "SECRET_KEY_BASE"
file_env "SMTP_PASSWORD" file_env "SMTP_PASSWORD"
file_env "VAPID_PRIVATE_KEY" file_env "VAPID_PRIVATE_KEY"
file_env "OIDC_CLIENT_SECRET"
/usr/bin/tini -- "$@" /usr/bin/tini -- "$@"