From 314de5a19a5633074455895326ce7ced269295dd Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Wed, 4 May 2022 19:28:31 +0000 Subject: [PATCH] setup: make all the scripts do the right thing and run through a full rebuild --- README.md | 36 ++++------- grafana/setup | 24 ++++---- hedgedoc/setup | 12 ++-- keycloak/README.md | 149 ++------------------------------------------- keycloak/setup | 29 +++++++-- mastodon/README.md | 18 +----- mastodon/setup | 34 +++++------ matrix/setup | 1 - nextcloud/setup | 28 +++++---- stop-all | 7 +++ 10 files changed, 104 insertions(+), 234 deletions(-) create mode 100755 stop-all diff --git a/README.md b/README.md index 9841a81..3d15e4a 100644 --- a/README.md +++ b/README.md @@ -1,32 +1,22 @@ -apt install jq docker-compose +# hackerspace.zone -``` -cd keycloak -sudo docker-compose up -d -sleep 30 -./setup -``` +Infrastructure for the self-hosted, single-sign-on, community-run services. -``` -cd ../nginx -./setup -sudo docker-compose up -d -``` +* Set the domain name in `env.production` +* Create the DNS entries in the domain for `login`, `cloud`, `matrix`, `dashboard`, `docs` and maybe more. +* Install dependencies: ``` -cd ../hedgedoc -./setup -sudo docker-compose up -d +apt install jq docker-compose ``` -``` -cd ../nextcloud -sudo docker-compose up -d -./setup -``` +* Setup each of the services. `keycloak` and `nginx` are required to start the others: ``` -cd ../mastodon -./setup -sudo docker-compose up +./keycloak/setup +./nginx/setup +./hedgedoc/setup +./nextcloud/setup +./mastodon/setup +./grafana/setup ``` diff --git a/grafana/setup b/grafana/setup index 4fee596..70789cb 100755 --- a/grafana/setup +++ b/grafana/setup 
@@ -8,12 +8,18 @@ source env.production || die "no local env?" BASE="https://$KEYCLOAK_HOSTNAME/realms/$REALM/protocol/openid-connect" -if [ ! -r "env.secrets" ]; then - GRAFANA_CLIENT_SECRET="$(openssl rand -hex 32)" - GRAFANA_ADMIN_PASSWORD="$(openssl rand -hex 4)" +if [ -r "env.secrets" ]; then + docker-compose up -d || die "grafana: unable to start container" + exit 0 +fi + +docker-compose down 2>/dev/null - echo "Generating secrets: admin password $GRAFANA_ADMIN_PASSWORD" - cat < env.secrets +GRAFANA_CLIENT_SECRET="$(openssl rand -hex 32)" +GRAFANA_ADMIN_PASSWORD="$(openssl rand -hex 4)" + +echo "Generating secrets: admin password $GRAFANA_ADMIN_PASSWORD" +cat < env.secrets # Do not check in! GF_SECURITY_ADMIN_PASSWORD=$GRAFANA_ADMIN_PASSWORD GF_SERVER_ROOT_URL=https://$GRAFANA_HOSTNAME/ @@ -23,13 +29,9 @@ GF_AUTH_GENERIC_OAUTH_TOKEN_URL=$BASE/token GF_AUTH_GENERIC_OAUTH_API_URL=$BASE/userinfo GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=$GRAFANA_CLIENT_SECRET EOF -else - source env.secrets || die "no secret env?" -fi -docker-compose down -../keycloak/client-delete 'grafana' || echo "client did not exist?" +../keycloak/client-delete 'grafana' 2>/dev/null ../keycloak/client-create << EOF || die "unable to create client id" { @@ -43,4 +45,4 @@ docker-compose down } EOF -docker-compose up -d || die "unable to bring up grafana" +docker-compose up -d || die "grafana: unable to bring up container" diff --git a/hedgedoc/setup b/hedgedoc/setup index 0d3e742..23ec97d 100755 --- a/hedgedoc/setup +++ b/hedgedoc/setup 
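Review bot: `GRAFANA_ADMIN_PASSWORD="$(openssl rand -hex 4)"` in the first hunk still gives the Grafana admin login only 32 bits of entropy, while the nextcloud/setup hunk in this same commit raises its admin password to `-hex 6`; a web-facing admin password should be generated with at least `openssl rand -hex 16`. The env.secrets file written by the `cat ... env.secrets` redirection (its heredoc operator looks garbled in this rendering) is created under the caller's umask, so with the usual 022 the client secret and admin password are readable by every local user; put `umask 077` before the redirection or `chmod 600 env.secrets` right after it, and the same applies to the env.secrets writers in the hedgedoc/setup, keycloak/setup, mastodon/setup and nextcloud/setup hunks. The new `if [ -r "env.secrets" ]` fast path also treats the file's presence as proof that setup finished, yet the file is written before `../keycloak/client-create ... || die` runs, so a run that dies there leaves every later invocation on the `docker-compose up -d; exit 0` branch with no Keycloak client registered; writing to `env.secrets.tmp` and moving it into place only after client-create succeeds avoids that, and hedgedoc/setup, mastodon/setup and nextcloud/setup share the pattern.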
@@ -6,14 +6,19 @@ cd "$DIRNAME" source ../env.production || die "no top levle env?" source env.production || die "no local env?" -docker-compose down +if [ -r "./env.secrets" ]; then + docker-compose up -d || die "hedgedoc: unable to start" + exit 0 +fi + +docker-compose down 2>/dev/null # regenerate the client secrets CLIENT_SECRET="$(openssl rand -hex 20)" SESSION_SECRET="$(openssl rand -hex 20)" -rm -f env.secrets cat < env.secrets +# DO NOT CHECK IN CMD_OAUTH2_CLIENT_SECRET=$CLIENT_SECRET CMD_SESSION_SECRET=$SESSION_SECRET EOF @@ -46,5 +51,4 @@ EOF } EOF - -docker-compose up -d || die "unable to start container" +docker-compose up -d || die "hedgedoc: unable to start container" diff --git a/keycloak/README.md b/keycloak/README.md index 9961d99..8c5278f 100644 --- a/keycloak/README.md +++ b/keycloak/README.md 
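Review bot: `docker-compose down 2>/dev/null` in the first hunk discards the only diagnostic the caller gets when the docker socket is inaccessible or the compose file fails to parse, so the later `docker-compose up -d || die "hedgedoc: unable to start container"` reports a generic failure with no cause. If the redirect is meant to hide the "nothing is running" case, `docker-compose down` already exits 0 there on the compose versions I am aware of (worth confirming on the installed one), so the redirect can simply be dropped. The grafana/setup and nextcloud/setup hunks add the same `2>/dev/null`.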
@@ -1,146 +1,7 @@ -For initial setup; +# Keycloak -* Setup auth credentials -``` -sudo docker-compose exec keycloak \ - /opt/keycloak/bin/kcadm.sh \ - config credentials \ - --server http://localhost:8080/ \ - --user admin \ - --password admin \ - --realm master \ +Keycloak is the single-sign-on user authentication provider. +You must set the `KEYCLOAK_ADMIN_PASSWORD` in the `env.secrets` file. +This is the most important secret: it allows user accounts to be created +for all the other services. -``` - -* Create a new realm for the `spacestation`: -``` -sudo docker-compose exec keycloak \ - /opt/keycloak/bin/kcadm.sh \ - create realms \ - -s realm=spacestation \ - -s enabled=true \ - -``` - -# Fix up a id bug - -* https://github.com/hedgedoc/hedgedoc/issues/56 - -``` -sudo docker-compose exec -T keycloak \ - /opt/keycloak/bin/kcadm.sh \ - create client-scopes \ - -r spacestation \ - -f - </dev/null + +KEYCLOAK_ADMIN_PASSWORD="$(openssl rand -hex 8)" +echo "Keycloak admin password $KEYCLOAK_ADMIN_PASSWORD" + +cat < env.secrets +# DO NOT CHECK IN +KEYCLOAK_ADMIN_PASSWORD=$KEYCLOAK_ADMIN_PASSWORD +EOF + +docker-compose up -d || die "unable to start keycloak" +echo "sleeping a minute while keycloak initializes..." +sleep 30 + info "logging into server" -sudo docker-compose exec keycloak \ +docker-compose exec keycloak \ /opt/keycloak/bin/kcadm.sh \ config credentials \ --server http://localhost:8080/ \ @@ -20,7 +39,7 @@ sudo docker-compose exec keycloak \ info "Create a new realm for '$REALM'" -sudo docker-compose exec keycloak \ +docker-compose exec keycloak \ /opt/keycloak/bin/kcadm.sh \ create realms \ -s "realm=$REALM" \ @@ -30,7 +49,7 @@ sudo docker-compose exec keycloak \ # https://github.com/hedgedoc/hedgedoc/issues/56 info "Fix up a id bug" -sudo docker-compose exec -T keycloak \ +docker-compose exec -T keycloak \ /opt/keycloak/bin/kcadm.sh \ create client-scopes \ -r "$REALM" \ 
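Review bot: Dropping `sudo` from `docker-compose exec keycloak` in the `@@ -20,7 +39,7` hunk (and likewise in `@@ -30,7 +49,7` and `@@ -62,7 +81,7`) changes who may run the script: the caller must now be root or in the docker group, and docker-group membership is root-equivalent on the host. Neither the patched scripts nor the top-level README hunk state this, so a header comment in keycloak/setup such as `# Must run as root or as a member of the docker group (which is root-equivalent).` would make the requirement explicit. The earlier hunk in this file, whose header is lost in this rendering, appears to print `sleeping a minute while keycloak initializes...` and then `sleep 30`; the message and the delay disagree, and polling the admin endpoint until `config credentials` succeeds would be a more reliable readiness check than a fixed sleep. That same hunk generates the admin password with `openssl rand -hex 8`; given the README's own description of it as the most important secret, `-hex 16` costs nothing.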
@@ -62,7 +81,7 @@ EOF info "Create an admin user in realm" -sudo docker-compose exec -T keycloak \ +docker-compose exec -T keycloak \ /opt/keycloak/bin/kcadm.sh \ create users \ -o \ diff --git a/mastodon/README.md b/mastodon/README.md index 8d57bbe..13794d3 100644 --- a/mastodon/README.md +++ b/mastodon/README.md @@ -1,16 +1,4 @@ -This needs setup run *first* and then `docker-compose up` +# Mastodon ---- - - -Notes from https://gist.github.com/TrillCyborg/84939cd4013ace9960031b803a0590c4 - -elastic search needs hacks to set permissions on data directory - -there's an interactive setup stage? - -need to preconfigure with hostname, email, etc - -VAPID key stuff? - -rails db:setup +This is the vanilla version with Elastic Search and Single-Sign-On enabled. +No other user accounts are allowed to join. diff --git a/mastodon/setup b/mastodon/setup index 2464e8f..84395d6 100755 --- a/mastodon/setup +++ b/mastodon/setup @@ -10,27 +10,17 @@ source ./env.production mkdir -p data/system chmod 777 data/system -rm -f env.secrets -cat > env.secrets << EOF -# Fake file to make db:setup happy -SECRET_KEY_BASE=000000 -OTP_SECRET=000000 -OIDC_CLIENT_SECRET=000000 -EOF +if [ -r "./env.secrets" ]; then + docker-compose up -d || die "unable to restart mastodon" + exit 0 +fi # have to bring it all down before we touch the files docker-compose down -if [ -z "$MASTODON_SKIP_DB_INIT" ]; then - info "configuring mastodon" - sudo docker-compose run --rm mastodon \ - rails db:setup \ - || die "unable to login" -fi - OIDC_CLIENT_SECRET="$(openssl rand -hex 32)" -# now create the real secrets file, +# create the secrets file, # along with some parameters that should be in the environment cat < env.secrets # DO NOT CHECK IN 
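Review bot: Removing the `MASTODON_SKIP_DB_INIT` guard in the mastodon/setup hunk leaves no way to skip `rails db:setup` (now called unconditionally in the following hunk) when env.secrets is missing but a database volume already exists, and db:setup on a populated database may reload the schema over live data; keep the opt-out, or test for an existing database before calling it. The `die "unable to login"` the next hunk attaches to db:setup is the old login step's message carried over; `die "mastodon: unable to set up database"` would describe the actual failure.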
@@ -43,12 +33,20 @@ SECRET_KEY_BASE=$(openssl rand -hex 32) OTP_SECRET=$(openssl rand -hex 32) EOF +info "mastodon: creating push keys" docker-compose run --rm mastodon \ - rails mastodon:webpush:generate_vapid_key \ - >> env.secrets \ + rails mastodon:webpush:generate_vapid_key \ + >> env.secrets \ || die "unable to generate vapid key" +info "mastodon: setting up database" +docker-compose run --rm mastodon \ + rails db:setup \ +|| die "unable to login" + +source ./env.secrets +info "mastodon: creating keycloak interface" ../keycloak/client-delete mastodon ../keycloak/client-create <> "$HOMESERVER_YAML" web_client_location: https://${MATRIX_HOSTNAME}/ diff --git a/nextcloud/setup b/nextcloud/setup index 2d4214b..a533364 100755 --- a/nextcloud/setup +++ b/nextcloud/setup @@ -6,20 +6,23 @@ cd "$DIRNAME" source ../env.production || die "no top level env?" source env.production || die "no local env?" -if [ ! -r "env.secrets" ]; then - NEXTCLOUD_CLIENT_SECRET="$(openssl rand -hex 32)" - NEXTCLOUD_ADMIN_PASSWORD="$(openssl rand -hex 4)" +if [ -r "./env.secrets" ]; then + docker-compose up -d || die "nextcloud: unable to start" + exit 0 +fi + +docker-compose down 2>/dev/null + +NEXTCLOUD_CLIENT_SECRET="$(openssl rand -hex 32)" +NEXTCLOUD_ADMIN_PASSWORD="$(openssl rand -hex 6)" - echo "Generating secrets: admin password $NEXTCLOUD_ADMIN_PASSWORD" - cat < env.secrets +echo "Generating secrets: admin password $NEXTCLOUD_ADMIN_PASSWORD" +cat < env.secrets # Do not check in! NEXTCLOUD_ADMIN_PASSWORD=$NEXTCLOUD_ADMIN_PASSWORD NEXTCLOUD_TRUSTED_DOMAINS=$NEXTCLOUD_HOSTNAME NEXTCLOUD_CLIENT_SECRET=$NEXTCLOUD_CLIENT_SECRET EOF -else - source env.secrets || die "no secret env?" -fi BASE="https://$KEYCLOAK_HOSTNAME/realms/$REALM/protocol/openid-connect" PROVIDER="$(jq -c . <