|
|
|
|
#!/bin/bash
|
|
|
|
|
die() { echo >&2 "$@" ; exit 1 ; }
|
|
|
|
|
|
|
|
|
|
DIRNAME="$(dirname $0)"
|
|
|
|
|
cd "$DIRNAME"
|
|
|
|
|
source ../env.production || die "no top level env?"
|
|
|
|
|
source env.production || die "no local env?"
|
|
|
|
|
|
|
|
|
|
if [ ! -r "env.secrets" ]; then
|
|
|
|
|
NEXTCLOUD_CLIENT_SECRET="$(openssl rand -hex 32)"
|
|
|
|
|
NEXTCLOUD_ADMIN_PASSWORD="$(openssl rand -hex 4)"
|
|
|
|
|
|
|
|
|
|
echo "Generating secrets: admin password $NEXTCLOUD_ADMIN_PASSWORD"
|
|
|
|
|
cat <<EOF > env.secrets
|
|
|
|
|
# Do not check in!
|
|
|
|
|
NEXTCLOUD_ADMIN_PASSWORD=$NEXTCLOUD_ADMIN_PASSWORD
|
|
|
|
|
NEXTCLOUD_TRUSTED_DOMAINS=$NEXTCLOUD_HOSTNAME
|
|
|
|
|
NEXTCLOUD_CLIENT_SECRET=$NEXTCLOUD_CLIENT_SECRET
|
|
|
|
|
EOF
|
|
|
|
|
else
|
|
|
|
|
source env.secrets || die "no secret env?"
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
BASE="https://$KEYCLOAK_HOSTNAME/realms/$REALM/protocol/openid-connect"
|
|
|
|
|
PROVIDER="$(jq -c . <<EOF
|
|
|
|
|
{
|
|
|
|
|
"custom_oidc": [
|
|
|
|
|
{
|
|
|
|
|
"name": "keycloak",
|
|
|
|
|
"title": "Keycloak",
|
|
|
|
|
"clientId": "nextcloud",
|
|
|
|
|
"clientSecret": "$NEXTCLOUD_CLIENT_SECRET",
|
|
|
|
|
"authorizeUrl": "$BASE/auth",
|
|
|
|
|
"tokenUrl": "$BASE/token",
|
|
|
|
|
"userInfoUrl": "$BASE/userinfo",
|
|
|
|
|
"logoutUrl": "$BASE/logout",
|
|
|
|
|
"scope": "openid",
|
|
|
|
|
"groupsClaim": "roles",
|
|
|
|
|
"style": "keycloak",
|
|
|
|
|
"displayNameClaim": "",
|
|
|
|
|
"defaultGroup": ""
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
EOF
|
|
|
|
|
)"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
docker-compose up -d || die "unable to bring up docker"
|
|
|
|
|
|
|
|
|
|
# wait for the nextcloud instance to be responsive
|
|
|
|
|
# TODO: how to find out if it is ready?
|
|
|
|
|
echo "SLEEPING..."
|
|
|
|
|
sleep 30
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
docker-compose exec -u www-data -T nextcloud bash -x <<EOF || die "unable to configure sociallogin"
|
|
|
|
|
./occ app:remove sociallogin || echo "not yet installed"
|
|
|
|
|
./occ app:install sociallogin || exit 1
|
|
|
|
|
./occ config:app:set sociallogin prevent_create_email_exists --value=1 || exit 1
|
|
|
|
|
./occ config:app:set sociallogin update_profile_on_login --value=1 || exit 1
|
|
|
|
|
./occ config:app:set sociallogin custom_providers --value='$PROVIDER' || exit 1
|
|
|
|
|
EOF
|
|
|
|
|
|
|
|
|
|
../keycloak/client-delete 'nextcloud' || echo "client did not exist?"
|
|
|
|
|
|
|
|
|
|
../keycloak/client-create << EOF || die "unable to create client id"
|
|
|
|
|
{
|
|
|
|
|
"clientId": "nextcloud",
|
|
|
|
|
"rootUrl": "https://$NEXTCLOUD_HOSTNAME/",
|
|
|
|
|
"adminUrl": "https://$NEXTCLOUD_HOSTNAME/",
|
|
|
|
|
"redirectUris": [ "https://$NEXTCLOUD_HOSTNAME/*" ],
|
|
|
|
|
"webOrigins": [ "https://$NEXTCLOUD_HOSTNAME" ],
|
|
|
|
|
"clientAuthenticatorType": "client-secret",
|
|
|
|
|
"secret": "$NEXTCLOUD_CLIENT_SECRET"
|
|
|
|
|
}
|
|
|
|
|
EOF
|
