From bd113a60615420689198c8b0e8751585bc989ef4 Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Tue, 3 May 2022 13:52:02 +0000 Subject: [PATCH] mastodon: setup streaming and oicd login --- .gitignore | 1 + mastodon/docker-compose.yaml | 12 +++++-- mastodon/env.production | 40 ++++++---------------- mastodon/setup | 34 +++++++++++++++--- nginx/nginx/templates/social.conf.template | 21 ++++++++++++ 5 files changed, 71 insertions(+), 37 deletions(-) diff --git a/.gitignore b/.gitignore index 1cc1547..678f78a 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ .*.swp data +*.secrets diff --git a/mastodon/docker-compose.yaml b/mastodon/docker-compose.yaml index df2d75b..c6c2363 100644 --- a/mastodon/docker-compose.yaml +++ b/mastodon/docker-compose.yaml @@ -47,12 +47,12 @@ services: hard: -1 web: - # build: . image: tootsuite/mastodon restart: always env_file: - ../env.production - env.production + - env.secrets command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 6001" networks: - external_network @@ -73,7 +73,10 @@ services: build: . image: tootsuite/mastodon restart: always - env_file: env.production + env_file: + - ../env.production + - env.production + - env.secrets command: node ./streaming networks: - external_network @@ -91,7 +94,10 @@ services: build: . image: tootsuite/mastodon restart: always - env_file: env.production + env_file: + - ../env.production + - env.production + - env.secrets command: bundle exec sidekiq depends_on: - database diff --git a/mastodon/env.production b/mastodon/env.production index 2938c18..4b40eb1 100644 --- a/mastodon/env.production +++ b/mastodon/env.production 
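Review bot: The three `env_file` lists now name `env.secrets`, which docker-compose treats as a hard requirement — `up`/`run` aborts when the file is missing, i.e. on any checkout where `./setup` has not been run yet — and nothing in the compose file says where that file comes from. A one-line comment above the first `env_file` entry in the `web` hunk, such as `# env.secrets is generated by ./setup (SECRET_KEY_BASE, OTP_SECRET, VAPID keys, OIDC_CLIENT_SECRET); gitignored, never commit`, would document that; the `streaming` and `sidekiq` hunks share the same list and the same note. Listing `env.secrets` last is the right order, since later `env_file` entries override earlier ones and so the generated values win over anything left uncommented in `env.production`.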
@@ -43,15 +43,17 @@ ES_PASS=password
 # -------
 # Make sure to use `rake secret` to generate secrets
 # -------
-SECRET_KEY_BASE=abcdef1234
-OTP_SECRET=99991234
+# written to env.secrets
+#SECRET_KEY_BASE=abcdef1234
+#OTP_SECRET=99991234
 
 # Web Push
 # --------
 # Generate with `rake mastodon:webpush:generate_vapid_key`
 # --------
-VAPID_PRIVATE_KEY=
-VAPID_PUBLIC_KEY=
+# written to env.secrets
+#VAPID_PRIVATE_KEY=
+#VAPID_PUBLIC_KEY=
 
 # Sending mail
 # ------------
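Review bot: `#SECRET_KEY_BASE=abcdef1234` and `#OTP_SECRET=99991234` keep the old hard-coded values in the file as commented-out lines, so anyone who uncomments them while debugging reintroduces a secret that is already in git history; blank them (`#SECRET_KEY_BASE=`, `#OTP_SECRET=`) the way the VAPID lines below already are. The `# written to env.secrets` comment would read better as `# written to env.secrets by ./setup`, and the same wording could be used for the `# OIDC_CLIENT_SECRET is in env.secrets` line in the next hunk so the two hunks read the same way. Because `setup` does `source ./env.production`, keeping every secret commented out here is also what keeps a stale value out of the setup shell's environment.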
@@ -69,31 +71,10 @@ SMTP_FROM_ADDRESS=notifications@example.com #AWS_SECRET_ACCESS_KEY= #S3_ALIAS_HOST=files.example.com - +# do not allow normal logins OMNIAUTH_ONLY=true -#SAML_ENABLED=true -#SAML_IDP_SSO_TARGET_URL=https://login.hackerspace.zone/realms/hackerspace/protocol/saml -#SAML_ACS_URL=https://social.hackerspace.zone/auth/auth/saml/callback -#SAML_ISSUER=mastodon -#SAML_IDP_CERT=MIICnzCCAYcCBgGAiY+tazANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhtYXN0b2RvbjAeFw0yMjA1MDMxMDUzNTZaFw0zMjA1MDMxMDU1MzZaMBMxETAPBgNVBAMMCG1hc3RvZG9uMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo+1QUockEX0Bx0EvkrHsX1cXjzNB3vOzpzHaIqSn2ztpQMxsCjWB8nHL4KDCdvXL4IrxRV4x1cT37r/oQsTbW8fplIfllMIQt5pnTSlacru3LX6smfS0xkhpolUp+JmHqnzJqw4/D+WI+dKQbMymWjZ32wI2SqoMI0t4j/c38S6dFgcaRrWcqR/B418F0Fsjs7FzyvjcOgUzPPmfdITmHvH4YDpdq1xsz/9FGwBLd4kgW2GEKWLFTDP9si275/kBuSPE1NGO32TWWSJX4YThkjJ5qDWv3WfxNhTrBpbmW8rUTpQhVFtE/L6dpxswNASNRx34JPwDRH1u971aQPfYaQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAP1+ssMQkSvPl4tctis5ccdD5KhtsbURppwCx96DjYGH9awI+XMhByV7fw/1Cm/KQteparldjzikflNxZySUmQ6IY67Vw6d+9T4FWuOPDy6jRdgU8nLBMeE/Xjb9Mn4ArXU29qXnCFaO9Nz0/yCOKTwv8VBY3XeixBzT/sIaSMEV8/KFY4707AZdr9SB9Rxtq88FC/BLETWY1dg9omx8kZqiM2aVhAW0jhej9urNBGab86o4Xv+v2Gvv8lsXVB0B7KfbFpV/fG/r2jBxXirVPcD0nzjbAzc3rSs+UgBqSNAO4Wb+IDlO0jYPqO4fw9hS22vZBsJ94GDXIH0t/PyQ5p -##SAML_IDP_CERT_FINGERPRINT=7B:53:95:6A:D6:FE:7E:E5:68:FE:9C:E1:68:51:BF:DD:F9:AF:63:F2 -#SAML_NAME_IDENTIFIER_FORMAT=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified -##SAML_CERT= -##SAML_PRIVATE_KEY= -#SAML_SECURITY_WANT_ASSERTION_SIGNED=true -##SAML_SECURITY_WANT_ASSERTION_ENCRYPTED=true -#SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true -#SAML_ATTRIBUTES_STATEMENTS_UID=uid -#SAML_ATTRIBUTES_STATEMENTS_EMAIL=email -##SAML_ATTRIBUTES_STATEMENTS_FULL_NAME="urn:oid:2.16.840.1.113730.3.1.241" -#SAML_ATTRIBUTES_STATEMENTS_FIRST_NAME=first_name -#SAML_ATTRIBUTES_STATEMENTS_LAST_NAME=last_name -##SAML_UID_ATTRIBUTE=uid -##SAML_ATTRIBUTES_STATEMENTS_VERIFIED= 
-##SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL= -# -# https://github.com/mastodon/mastodon/pull/16221 +# OIDC supported since https://github.com/mastodon/mastodon/pull/16221 OIDC_ENABLED=true OIDC_PROMPT=Keycloak OIDC_DISPLAY_NAME=hackerspace.zone @@ -101,8 +82,7 @@ OIDC_ISSUER=https://login.hackerspace.zone/realms/hackerspace OIDC_REDIRECT_URI=https://social.hackerspace.zone/auth/auth/openid_connect/callback OIDC_DISCOVERY=true OIDC_SCOPE=openid,profile -OIDC_UID_FIELD=uid +OIDC_UID_FIELD=preferred_username OIDC_CLIENT_ID=mastodon OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true -OIDC_CLIENT_SECRET=abcdef12345 - +# OIDC_CLIENT_SECRET is in env.secrets diff --git a/mastodon/setup b/mastodon/setup index aeced1b..d88ff56 100755 --- a/mastodon/setup +++ b/mastodon/setup @@ -7,11 +7,37 @@ cd "$DIRNAME" source ../env.production source ./env.production -info "configuring mastodon" +mkdir -p data/system +chmod 777 data/system + +rm -f env.secrets +cat > env.secrets << EOF +# Fake file to make db:setup happy +SECRET_KEY_BASE=000000 +OTP_SECRET=000000 +OIDC_CLIENT_SECRET=000000 +EOF + +if [ -z "$MASTODON_SKIP_DB_INIT" ]; then + info "configuring mastodon" + sudo docker-compose run web \ + rails db:setup \ + || die "unable to login" +fi + +# now create the real secrets file +echo > env.secrets "# DO NOT CHECK IN" + sudo docker-compose run web \ - rails db:setup \ -|| die "unable to login" + rails mastodon:webpush:generate_vapid_key \ + >> env.secrets \ +|| die "unable to generate vapid key" + +echo "SECRET_KEY_BASE=$(openssl rand -hex 32)" >> env.secrets +echo "OTP_SECRET=$(openssl rand -hex 32)" >> env.secrets +CLIENT_SECRET="$(openssl rand -hex 32)" +echo "OIDC_CLIENT_SECRET=$CLIENT_SECRET" >> env.secrets # create the keycloak side of the secret cd ../keycloak 
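Review bot: `OIDC_UID_FIELD=preferred_username` binds each Mastodon account to the Keycloak username rather than to the stable `sub` claim; if the realm allows username changes (by the user or an admin rename), the existing Mastodon identity stops matching and a freed username could be claimed by a different person and land on the old account. Unless username edits are disabled in the realm, `OIDC_UID_FIELD=sub` (the omniauth default, as far as I know) is the safer binding, with `preferred_username` left for display. A short comment recording which assumption holds, e.g. `# usernames are immutable in this realm, so preferred_username is a stable id`, would make the decision visible to the next reader. The SAML removal and the `# OIDC_CLIENT_SECRET is in env.secrets` pointer look fine.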
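Review bot: `env.secrets` is created by `cat > env.secrets` and later `echo > env.secrets` under the script's default umask, so on most systems the file holding SECRET_KEY_BASE, OTP_SECRET, the VAPID private key and the OIDC client secret ends up mode 644 and readable by every local user; add `umask 077` immediately before `rm -f env.secrets` so it is created 600 (the later `>` truncation and `>>` appends keep that mode). `chmod 777 data/system` makes the upload directory world-writable; `chown`-ing it to the uid the container runs as (presumably the image's `mastodon` user — confirm against the image) is the usual alternative. The `rm -f env.secrets` / regenerate sequence also runs unconditionally, so re-running `setup` on an existing install — which `MASTODON_SKIP_DB_INIT` seems to anticipate — rotates SECRET_KEY_BASE and OTP_SECRET and, I believe, invalidates every user's stored 2FA secret and session; guarding the regeneration with something like `if [ ! -f env.secrets ]; then` would avoid that. The script continues outside the hunk (the keycloak heredoc follows).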
@@ -33,6 +59,6 @@ sudo docker-compose exec -T keycloak \ "redirectUris": [ "https://$MASTODON_HOSTNAME/*" ], "webOrigins": [ "https://$MASTODON_HOSTNAME" ], "clientAuthenticatorType": "client-secret", - "secret": "$OIDC_CLIENT_SECRET" + "secret": "$CLIENT_SECRET" } EOF diff --git a/nginx/nginx/templates/social.conf.template b/nginx/nginx/templates/social.conf.template index c56e066..a18f404 100644 --- a/nginx/nginx/templates/social.conf.template +++ b/nginx/nginx/templates/social.conf.template @@ -6,6 +6,11 @@ server { } } +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + server { server_name social.${DOMAIN_NAME}; client_max_body_size 128m; @@ -17,6 +22,22 @@ server { proxy_set_header X-Forwarded-Proto https; } + location /api/v1/streaming { + proxy_pass http://host.docker.internal:4000; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_buffering off; + proxy_redirect off; + proxy_http_version 1.1; + tcp_nodelay on; + } + + listen 443 ssl; ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
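Review bot: The new `location /api/v1/streaming` sets `proxy_set_header X-Forwarded-Proto $scheme;` while the existing `location /` in the same server sets a literal `https`; both resolve to `https` under `listen 443 ssl`, but using one form in both places (`$scheme` is the more portable one) avoids suggesting a deliberate difference. The WebSocket connections through this location are long-lived and nginx's default `proxy_read_timeout` is 60s, so an idle stream that the upstream does not heartbeat within that window is closed by the proxy — if that shows up in practice, `proxy_read_timeout` on this location is the knob, and a comment naming the chosen value would help. The `map $http_upgrade $connection_upgrade` block in the first hunk is the standard pairing for `proxy_set_header Connection $connection_upgrade;` and looks correct; the enclosing `server` block begins and ends outside the hunk.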