setup: make all the scripts do the right thing and run through a full rebuild

single-dockerfile
Trammell Hudson 3 years ago
parent 8124fabe4b
commit 314de5a19a
  1. 36
      README.md
  2. 16
      grafana/setup
  3. 12
      hedgedoc/setup
  4. 149
      keycloak/README.md
  5. 29
      keycloak/setup
  6. 18
      mastodon/README.md
  7. 30
      mastodon/setup
  8. 1
      matrix/setup
  9. 22
      nextcloud/setup
  10. 7
      stop-all

@ -1,32 +1,22 @@
apt install jq docker-compose
# hackerspace.zone
```
cd keycloak
sudo docker-compose up -d
sleep 30
./setup
```
Infrastructure for the self-hosted, single-sign-on, community-run services.
```
cd ../nginx
./setup
sudo docker-compose up -d
```
* Set the domain name in `env.production`
* Create the DNS entries in the domain for `login`, `cloud`, `matrix`, `dashboard`, `docs` and maybe more.
* Install dependencies:
```
cd ../hedgedoc
./setup
sudo docker-compose up -d
apt install jq docker-compose
```
```
cd ../nextcloud
sudo docker-compose up -d
./setup
```
* Setup each of the services. `keycloak` and `nginx` are required to start the others:
```
cd ../mastodon
./setup
sudo docker-compose up
./keycloak/setup
./nginx/setup
./hedgedoc/setup
./nextcloud/setup
./mastodon/setup
./grafana/setup
```

@ -8,7 +8,13 @@ source env.production || die "no local env?"
BASE="https://$KEYCLOAK_HOSTNAME/realms/$REALM/protocol/openid-connect"
if [ ! -r "env.secrets" ]; then
if [ -r "env.secrets" ]; then
docker-compose up -d || die "grafana: unable to start container"
exit 0
fi
docker-compose down 2>/dev/null
GRAFANA_CLIENT_SECRET="$(openssl rand -hex 32)"
GRAFANA_ADMIN_PASSWORD="$(openssl rand -hex 4)"
@ -23,13 +29,9 @@ GF_AUTH_GENERIC_OAUTH_TOKEN_URL=$BASE/token
GF_AUTH_GENERIC_OAUTH_API_URL=$BASE/userinfo
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=$GRAFANA_CLIENT_SECRET
EOF
else
source env.secrets || die "no secret env?"
fi
docker-compose down
../keycloak/client-delete 'grafana' || echo "client did not exist?"
../keycloak/client-delete 'grafana' 2>/dev/null
../keycloak/client-create << EOF || die "unable to create client id"
{
@ -43,4 +45,4 @@ docker-compose down
}
EOF
docker-compose up -d || die "unable to bring up grafana"
docker-compose up -d || die "grafana: unable to bring up container"

@ -6,14 +6,19 @@ cd "$DIRNAME"
source ../env.production || die "no top levle env?"
source env.production || die "no local env?"
docker-compose down
if [ -r "./env.secrets" ]; then
docker-compose up -d || die "hedgedoc: unable to start"
exit 0
fi
docker-compose down 2>/dev/null
# regenerate the client secrets
CLIENT_SECRET="$(openssl rand -hex 20)"
SESSION_SECRET="$(openssl rand -hex 20)"
rm -f env.secrets
cat <<EOF > env.secrets
# DO NOT CHECK IN
CMD_OAUTH2_CLIENT_SECRET=$CLIENT_SECRET
CMD_SESSION_SECRET=$SESSION_SECRET
EOF
@ -46,5 +51,4 @@ EOF
}
EOF
docker-compose up -d || die "unable to start container"
docker-compose up -d || die "hedgedoc: unable to start container"

@ -1,146 +1,7 @@
For initial setup;
# Keycloak
* Setup auth credentials
```
sudo docker-compose exec keycloak \
/opt/keycloak/bin/kcadm.sh \
config credentials \
--server http://localhost:8080/ \
--user admin \
--password admin \
--realm master \
Keycloak is the single-sign-on user authentication provider.
You must set the `KEYCLOAK_ADMIN_PASSWORD` in the `env.secrets` file.
This is the most important secret: it allows user accounts to be created
for all the other services.
```
* Create a new realm for the `spacestation`:
```
sudo docker-compose exec keycloak \
/opt/keycloak/bin/kcadm.sh \
create realms \
-s realm=spacestation \
-s enabled=true \
```
# Fix up a id bug
* https://github.com/hedgedoc/hedgedoc/issues/56
```
sudo docker-compose exec -T keycloak \
/opt/keycloak/bin/kcadm.sh \
create client-scopes \
-r spacestation \
-f - <<EOF
{
"name": "id",
"protocol": "openid-connect",
"attributes": {
"include.in.token.scope": "true",
"display.on.consent.screen": "true"
},
"protocolMappers": [
{
"name": "id",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-property-mapper",
"consentRequired": false,
"config": {
"user.attribute": "id",
"id.token.claim": "true",
"access.token.claim": "true",
"jsonType.label": "String",
"userinfo.token.claim": "true"
}
}
]
}
EOF
# Create a client in the realm with a provided shared secret and client scope
```
sudo docker-compose exec -T keycloak \
/opt/keycloak/bin/kcadm.sh \
create clients \
-r spacestation \
-f - <<EOF
{
"clientId": "hedgedoc",
"rootUrl": "http://spacestation:3000/",
"adminUrl": "http://spacestation:3000/",
"redirectUris": [ "http://spacestation:3000/*" ],
"webOrigins": [ "http://spacestation:3000" ],
"clientAuthenticatorType": "client-secret",
"secret": "abcdef1234",
"defaultClientScopes": [
"web-origins",
"acr",
"profile",
"roles",
"id",
"email"
],
"optionalClientScopes": [
"address",
"phone",
"offline_access",
"microprofile-jwt"
]
}
EOF
```
* Create an admin user
```
kcadm.sh create users \
-o \
--fields id,username \
-r spacestation \
-s username=admin \
-s enabled=true \
-s 'credentials=[{"type":"password","value":"admin","temporary":false}]' \
sudo docker-compose exec keycloak \
/opt/keycloak/bin/kcadm.sh \
config credentials \
--server http://localhost:8080/ \
--user admin \
--password admin \
--realm master
```
```
Create a new realm:
$ kcadm.sh create realms -s realm=demorealm -s enabled=true
Create a new realm role in realm 'demorealm' returning newly created role:
$ kcadm.sh create roles -r demorealm -s name=manage-all -o
Create a new user in realm 'demorealm' returning only 'id', and 'username' attributes:
$ kcadm.sh create users -r demorealm -s username=testuser -s enabled=true -o --fields id,username
Create a new client using configuration read from standard input:
$ kcadm.sh create clients -r demorealm -f - << EOF
{
"clientId": "my_client"
}
EOF
Create a new group using configuration JSON passed as 'body' argument:
$ kcadm.sh create groups -r demorealm -b '{ "name": "Admins" }'
Create a client using file as a template, and override some attributes - return an 'id' of new client:
$ kcadm.sh create clients -r demorealm -f my_client.json -s clientId=my_client2 -s 'redirectUris=["http://localhost:8980/myapp/*"]' -i
Create a new client role for client my_client in realm 'demorealm' (replace ID with output of previous example command):
$ kcadm.sh create clients/ID/roles -r demorealm -s name=client_role
Use 'kcadm.sh help' for general information and a list of commands
```

@ -6,10 +6,29 @@ DIRNAME="$(dirname $0)"
cd "$DIRNAME"
source ../env.production
source ./env.production
source ./env.secrets
if [ -r "./env.secrets" ]; then
docker-compose up -d || die "keycloak: unable to start container"
exit 0
fi
docker-compose down 2>/dev/null
KEYCLOAK_ADMIN_PASSWORD="$(openssl rand -hex 8)"
echo "Keycloak admin password $KEYCLOAK_ADMIN_PASSWORD"
cat <<EOF > env.secrets
# DO NOT CHECK IN
KEYCLOAK_ADMIN_PASSWORD=$KEYCLOAK_ADMIN_PASSWORD
EOF
docker-compose up -d || die "unable to start keycloak"
echo "sleeping a minute while keycloak initializes..."
sleep 30
info "logging into server"
sudo docker-compose exec keycloak \
docker-compose exec keycloak \
/opt/keycloak/bin/kcadm.sh \
config credentials \
--server http://localhost:8080/ \
@ -20,7 +39,7 @@ sudo docker-compose exec keycloak \
info "Create a new realm for '$REALM'"
sudo docker-compose exec keycloak \
docker-compose exec keycloak \
/opt/keycloak/bin/kcadm.sh \
create realms \
-s "realm=$REALM" \
@ -30,7 +49,7 @@ sudo docker-compose exec keycloak \
# https://github.com/hedgedoc/hedgedoc/issues/56
info "Fix up a id bug"
sudo docker-compose exec -T keycloak \
docker-compose exec -T keycloak \
/opt/keycloak/bin/kcadm.sh \
create client-scopes \
-r "$REALM" \
@ -62,7 +81,7 @@ EOF
info "Create an admin user in realm"
sudo docker-compose exec -T keycloak \
docker-compose exec -T keycloak \
/opt/keycloak/bin/kcadm.sh \
create users \
-o \

@ -1,16 +1,4 @@
This needs setup run *first* and then `docker-compose up`
# Mastodon
---
Notes from https://gist.github.com/TrillCyborg/84939cd4013ace9960031b803a0590c4
elastic search needs hacks to set permissions on data directory
there's an interactive setup stage?
need to preconfigure with hostname, email, etc
VAPID key stuff?
rails db:setup
This is the vanilla version with Elastic Search and Single-Sign-On enabled.
No other user accounts are allowed to join.

@ -10,27 +10,17 @@ source ./env.production
mkdir -p data/system
chmod 777 data/system
rm -f env.secrets
cat > env.secrets << EOF
# Fake file to make db:setup happy
SECRET_KEY_BASE=000000
OTP_SECRET=000000
OIDC_CLIENT_SECRET=000000
EOF
if [ -r "./env.secrets" ]; then
docker-compose up -d || die "unable to restart mastodon"
exit 0
fi
# have to bring it all down before we touch the files
docker-compose down
if [ -z "$MASTODON_SKIP_DB_INIT" ]; then
info "configuring mastodon"
sudo docker-compose run --rm mastodon \
rails db:setup \
|| die "unable to login"
fi
OIDC_CLIENT_SECRET="$(openssl rand -hex 32)"
# now create the real secrets file,
# create the secrets file,
# along with some parameters that should be in the environment
cat <<EOF > env.secrets
# DO NOT CHECK IN
@ -43,12 +33,20 @@ SECRET_KEY_BASE=$(openssl rand -hex 32)
OTP_SECRET=$(openssl rand -hex 32)
EOF
info "mastodon: creating push keys"
docker-compose run --rm mastodon \
rails mastodon:webpush:generate_vapid_key \
>> env.secrets \
|| die "unable to generate vapid key"
info "mastodon: setting up database"
docker-compose run --rm mastodon \
rails db:setup \
|| die "unable to login"
source ./env.secrets
info "mastodon: creating keycloak interface"
../keycloak/client-delete mastodon
../keycloak/client-create <<EOF || die "Unable to create keycloak client"
{
@ -62,4 +60,4 @@ docker-compose run --rm mastodon \
}
EOF
docker-compose up -d
docker-compose up -d || die "mastodon: unable to start container"

@ -27,7 +27,6 @@ docker run -it --rm \
|| die "unable to generate synapse config"
MATRIX_CLIENT_SECRET="$(openssl rand -hex 20)"
#MATRIX_CLIENT_SECRET="abcdef1234"
cat <<EOF >> "$HOMESERVER_YAML"
web_client_location: https://${MATRIX_HOSTNAME}/

@ -6,9 +6,15 @@ cd "$DIRNAME"
source ../env.production || die "no top level env?"
source env.production || die "no local env?"
if [ ! -r "env.secrets" ]; then
if [ -r "./env.secrets" ]; then
docker-compose up -d || die "nextcloud: unable to start"
exit 0
fi
docker-compose down 2>/dev/null
NEXTCLOUD_CLIENT_SECRET="$(openssl rand -hex 32)"
NEXTCLOUD_ADMIN_PASSWORD="$(openssl rand -hex 4)"
NEXTCLOUD_ADMIN_PASSWORD="$(openssl rand -hex 6)"
echo "Generating secrets: admin password $NEXTCLOUD_ADMIN_PASSWORD"
cat <<EOF > env.secrets
@ -17,9 +23,6 @@ NEXTCLOUD_ADMIN_PASSWORD=$NEXTCLOUD_ADMIN_PASSWORD
NEXTCLOUD_TRUSTED_DOMAINS=$NEXTCLOUD_HOSTNAME
NEXTCLOUD_CLIENT_SECRET=$NEXTCLOUD_CLIENT_SECRET
EOF
else
source env.secrets || die "no secret env?"
fi
BASE="https://$KEYCLOAK_HOSTNAME/realms/$REALM/protocol/openid-connect"
PROVIDER="$(jq -c . <<EOF
@ -50,14 +53,13 @@ docker-compose up -d || die "unable to bring up docker"
# wait for the nextcloud instance to be responsive
# TODO: how to find out if it is ready?
echo "SLEEPING..."
sleep 30
echo "Sleeping a minute while nextcloud installs"
sleep 60
docker-compose exec -u www-data -T nextcloud bash -x <<EOF || die "unable to configure sociallogin"
./occ app:remove sociallogin || echo "not yet installed"
./occ app:install sociallogin || exit 1
./occ app:install calendar
./occ app:install sociallogin
./occ config:app:set sociallogin prevent_create_email_exists --value=1 || exit 1
./occ config:app:set sociallogin update_profile_on_login --value=1 || exit 1
./occ config:app:set sociallogin custom_providers --value='$PROVIDER' || exit 1

@ -0,0 +1,7 @@
#!/bin/bash
for file in */docker-compose.yaml ; do
dir="$(dirname "$file")"
echo "$dir"
( cd "$dir" ; docker-compose down )
done
Loading…
Cancel
Save