mastodon: setup streaming and oicd login

single-dockerfile
Trammell Hudson 3 years ago
parent 0ac5d3b1a2
commit bd113a6061
  1. 1
      .gitignore
  2. 12
      mastodon/docker-compose.yaml
  3. 40
      mastodon/env.production
  4. 28
      mastodon/setup
  5. 21
      nginx/nginx/templates/social.conf.template

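--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 .*.swp
 data
+*.secrets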

@ -47,12 +47,12 @@ services:
hard: -1 hard: -1
web: web:
# build: .
image: tootsuite/mastodon image: tootsuite/mastodon
restart: always restart: always
env_file: env_file:
- ../env.production - ../env.production
- env.production - env.production
- env.secrets
command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 6001" command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 6001"
networks: networks:
- external_network - external_network
@ -73,7 +73,10 @@ services:
build: . build: .
image: tootsuite/mastodon image: tootsuite/mastodon
restart: always restart: always
env_file: env.production env_file:
- ../env.production
- env.production
- env.secrets
command: node ./streaming command: node ./streaming
networks: networks:
- external_network - external_network
@ -91,7 +94,10 @@ services:
build: . build: .
image: tootsuite/mastodon image: tootsuite/mastodon
restart: always restart: always
env_file: env.production env_file:
- ../env.production
- env.production
- env.secrets
command: bundle exec sidekiq command: bundle exec sidekiq
depends_on: depends_on:
- database - database
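Review bot: The three-entry `env_file` list now written into `web`, `streaming` and `sidekiq` is duplicated verbatim, so a future secrets file added to one service can silently be missed by the other two; Compose's top-level `x-` extension fields with a YAML anchor define it once, e.g. `x-mastodon-env: &mastodon_env` at the top and `env_file: *mastodon_env` in each service. Nothing in the compose file says where `env.secrets` comes from, so a comment on that entry such as `# generated by mastodon/setup, git-ignored` would spare the next reader a search. The `web` service also ends up as the only one of the three without an active `build: .` next to `image: tootsuite/mastodon`; if the intent is that the local build tags the image all three services run, a one-line comment saying so would make that dependency visible.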

@ -43,15 +43,17 @@ ES_PASS=password
# ------- # -------
# Make sure to use `rake secret` to generate secrets # Make sure to use `rake secret` to generate secrets
# ------- # -------
SECRET_KEY_BASE=abcdef1234 # written to env.secrets
OTP_SECRET=99991234 #SECRET_KEY_BASE=abcdef1234
#OTP_SECRET=99991234
# Web Push # Web Push
# -------- # --------
# Generate with `rake mastodon:webpush:generate_vapid_key` # Generate with `rake mastodon:webpush:generate_vapid_key`
# -------- # --------
VAPID_PRIVATE_KEY= # written to env.secrets
VAPID_PUBLIC_KEY= #VAPID_PRIVATE_KEY=
#VAPID_PUBLIC_KEY=
# Sending mail # Sending mail
# ------------ # ------------
@ -69,31 +71,10 @@ SMTP_FROM_ADDRESS=notifications@example.com
#AWS_SECRET_ACCESS_KEY= #AWS_SECRET_ACCESS_KEY=
#S3_ALIAS_HOST=files.example.com #S3_ALIAS_HOST=files.example.com
# do not allow normal logins
OMNIAUTH_ONLY=true OMNIAUTH_ONLY=true
#SAML_ENABLED=true
#SAML_IDP_SSO_TARGET_URL=https://login.hackerspace.zone/realms/hackerspace/protocol/saml
#SAML_ACS_URL=https://social.hackerspace.zone/auth/auth/saml/callback
#SAML_ISSUER=mastodon
#SAML_IDP_CERT=MIICnzCCAYcCBgGAiY+tazANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhtYXN0b2RvbjAeFw0yMjA1MDMxMDUzNTZaFw0zMjA1MDMxMDU1MzZaMBMxETAPBgNVBAMMCG1hc3RvZG9uMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo+1QUockEX0Bx0EvkrHsX1cXjzNB3vOzpzHaIqSn2ztpQMxsCjWB8nHL4KDCdvXL4IrxRV4x1cT37r/oQsTbW8fplIfllMIQt5pnTSlacru3LX6smfS0xkhpolUp+JmHqnzJqw4/D+WI+dKQbMymWjZ32wI2SqoMI0t4j/c38S6dFgcaRrWcqR/B418F0Fsjs7FzyvjcOgUzPPmfdITmHvH4YDpdq1xsz/9FGwBLd4kgW2GEKWLFTDP9si275/kBuSPE1NGO32TWWSJX4YThkjJ5qDWv3WfxNhTrBpbmW8rUTpQhVFtE/L6dpxswNASNRx34JPwDRH1u971aQPfYaQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAP1+ssMQkSvPl4tctis5ccdD5KhtsbURppwCx96DjYGH9awI+XMhByV7fw/1Cm/KQteparldjzikflNxZySUmQ6IY67Vw6d+9T4FWuOPDy6jRdgU8nLBMeE/Xjb9Mn4ArXU29qXnCFaO9Nz0/yCOKTwv8VBY3XeixBzT/sIaSMEV8/KFY4707AZdr9SB9Rxtq88FC/BLETWY1dg9omx8kZqiM2aVhAW0jhej9urNBGab86o4Xv+v2Gvv8lsXVB0B7KfbFpV/fG/r2jBxXirVPcD0nzjbAzc3rSs+UgBqSNAO4Wb+IDlO0jYPqO4fw9hS22vZBsJ94GDXIH0t/PyQ5p
##SAML_IDP_CERT_FINGERPRINT=7B:53:95:6A:D6:FE:7E:E5:68:FE:9C:E1:68:51:BF:DD:F9:AF:63:F2
#SAML_NAME_IDENTIFIER_FORMAT=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
##SAML_CERT=
##SAML_PRIVATE_KEY=
#SAML_SECURITY_WANT_ASSERTION_SIGNED=true
##SAML_SECURITY_WANT_ASSERTION_ENCRYPTED=true
#SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
#SAML_ATTRIBUTES_STATEMENTS_UID=uid
#SAML_ATTRIBUTES_STATEMENTS_EMAIL=email
##SAML_ATTRIBUTES_STATEMENTS_FULL_NAME="urn:oid:2.16.840.1.113730.3.1.241"
#SAML_ATTRIBUTES_STATEMENTS_FIRST_NAME=first_name
#SAML_ATTRIBUTES_STATEMENTS_LAST_NAME=last_name
##SAML_UID_ATTRIBUTE=uid
##SAML_ATTRIBUTES_STATEMENTS_VERIFIED=
##SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL=
#
# https://github.com/mastodon/mastodon/pull/16221 # OIDC supported since https://github.com/mastodon/mastodon/pull/16221
OIDC_ENABLED=true OIDC_ENABLED=true
OIDC_PROMPT=Keycloak OIDC_PROMPT=Keycloak
OIDC_DISPLAY_NAME=hackerspace.zone OIDC_DISPLAY_NAME=hackerspace.zone
@ -101,8 +82,7 @@ OIDC_ISSUER=https://login.hackerspace.zone/realms/hackerspace
OIDC_REDIRECT_URI=https://social.hackerspace.zone/auth/auth/openid_connect/callback OIDC_REDIRECT_URI=https://social.hackerspace.zone/auth/auth/openid_connect/callback
OIDC_DISCOVERY=true OIDC_DISCOVERY=true
OIDC_SCOPE=openid,profile OIDC_SCOPE=openid,profile
OIDC_UID_FIELD=uid OIDC_UID_FIELD=preferred_username
OIDC_CLIENT_ID=mastodon OIDC_CLIENT_ID=mastodon
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
OIDC_CLIENT_SECRET=abcdef12345 # OIDC_CLIENT_SECRET is in env.secrets
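Review bot: `OIDC_UID_FIELD=preferred_username` keys each Mastodon account on a claim that the OpenID Connect Core specification tells relying parties not to treat as unique or stable; Keycloak usernames are unique within a realm, but an administrator renaming a user, or deleting and re-creating one under the same name, would hand the existing Mastodon account to the new identity. Unless the deployment relies on matching by username, `sub` is the identifier designed for this, `OIDC_UID_FIELD=sub`, or at least a comment recording why `preferred_username` was chosen. Separately, the values this change comments out or removes (`SECRET_KEY_BASE`, `OTP_SECRET`, the SAML IdP certificate and `OIDC_CLIENT_SECRET`) stay in the repository history; if any instance ever ran with them they should be rotated, and since `SECRET_KEY_BASE` protects Rails session cookies and `OTP_SECRET` protects stored 2FA secrets, that rotation invalidates sessions and two-factor setups, which is worth noting next to the `# written to env.secrets` comment.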

@ -7,11 +7,37 @@ cd "$DIRNAME"
source ../env.production source ../env.production
source ./env.production source ./env.production
mkdir -p data/system
chmod 777 data/system
rm -f env.secrets
cat > env.secrets << EOF
# Fake file to make db:setup happy
SECRET_KEY_BASE=000000
OTP_SECRET=000000
OIDC_CLIENT_SECRET=000000
EOF
if [ -z "$MASTODON_SKIP_DB_INIT" ]; then
info "configuring mastodon" info "configuring mastodon"
sudo docker-compose run web \ sudo docker-compose run web \
rails db:setup \ rails db:setup \
|| die "unable to login" || die "unable to login"
fi
# now create the real secrets file
echo > env.secrets "# DO NOT CHECK IN"
sudo docker-compose run web \
rails mastodon:webpush:generate_vapid_key \
>> env.secrets \
|| die "unable to generate vapid key"
echo "SECRET_KEY_BASE=$(openssl rand -hex 32)" >> env.secrets
echo "OTP_SECRET=$(openssl rand -hex 32)" >> env.secrets
CLIENT_SECRET="$(openssl rand -hex 32)"
echo "OIDC_CLIENT_SECRET=$CLIENT_SECRET" >> env.secrets
# create the keycloak side of the secret # create the keycloak side of the secret
cd ../keycloak cd ../keycloak
@ -33,6 +59,6 @@ sudo docker-compose exec -T keycloak \
"redirectUris": [ "https://$MASTODON_HOSTNAME/*" ], "redirectUris": [ "https://$MASTODON_HOSTNAME/*" ],
"webOrigins": [ "https://$MASTODON_HOSTNAME" ], "webOrigins": [ "https://$MASTODON_HOSTNAME" ],
"clientAuthenticatorType": "client-secret", "clientAuthenticatorType": "client-secret",
"secret": "$OIDC_CLIENT_SECRET" "secret": "$CLIENT_SECRET"
} }
EOF EOF
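Review bot: The new block unconditionally removes and regenerates `env.secrets` on every run of `setup`, so a second run of the script rotates `SECRET_KEY_BASE`, `OTP_SECRET` and the VAPID key pair of a live instance, which invalidates sessions, stored 2FA secrets and web-push subscriptions; generation should be skipped when a real `env.secrets` already exists, with `CLIENT_SECRET` read back from it so the Keycloak client written in the next hunk still receives the matching value. The file is also created under the default umask, so the keys it holds are typically readable by every local account, and the `die` after `rails db:setup` leaves the all-zero placeholder in place for a later `docker-compose up` to pick up; creating the file with `install -m 600 /dev/null env.secrets` and removing it on failure addresses both. `chmod 777 data/system` is the broad way to give the container user write access; `chown` to the UID the mastodon image runs as (991 in the upstream Dockerfile, confirm for this image) would keep the host directory private. The enclosing script continues outside the hunk on both sides.

```shell
mkdir -p data/system
chmod 777 data/system

# Re-running setup must not rotate the keys of a live instance.
if [ -s env.secrets ] && ! grep -q '^SECRET_KEY_BASE=000000$' env.secrets; then
  info "env.secrets already exists, keeping it"
  GENERATE_SECRETS=
else
  GENERATE_SECRETS=1
  # owner-only from the first write; later '>' redirects keep the mode
  install -m 600 /dev/null env.secrets
  # do not leave the all-zero placeholder behind if anything below dies
  trap 'rm -f env.secrets' EXIT
  cat > env.secrets << EOF
# Fake file to make db:setup happy
SECRET_KEY_BASE=000000
OTP_SECRET=000000
OIDC_CLIENT_SECRET=000000
EOF
fi

# … unchanged: db:setup guarded by MASTODON_SKIP_DB_INIT …

if [ -n "$GENERATE_SECRETS" ]; then
  # … unchanged: "# DO NOT CHECK IN" header, vapid key, SECRET_KEY_BASE, OTP_SECRET …
  CLIENT_SECRET="$(openssl rand -hex 32)"
  echo "OIDC_CLIENT_SECRET=$CLIENT_SECRET" >> env.secrets
  trap - EXIT
else
  CLIENT_SECRET="$(sed -n 's/^OIDC_CLIENT_SECRET=//p' env.secrets)"
  [ -n "$CLIENT_SECRET" ] || die "env.secrets has no OIDC_CLIENT_SECRET"
fi
```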

@ -6,6 +6,11 @@ server {
} }
} }
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server { server {
server_name social.${DOMAIN_NAME}; server_name social.${DOMAIN_NAME};
client_max_body_size 128m; client_max_body_size 128m;
@ -17,6 +22,22 @@ server {
proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-Proto https;
} }
location /api/v1/streaming {
proxy_pass http://host.docker.internal:4000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_buffering off;
proxy_redirect off;
proxy_http_version 1.1;
tcp_nodelay on;
}
listen 443 ssl; listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem; ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
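Review bot: `proxy_pass http://host.docker.internal:4000` reaches the streaming server over plain HTTP through a port on the Docker host, so this location only adds TLS and the forwarded headers if that port is not also reachable from outside; the compose port mapping for the streaming service is not part of this commit, but if it is published on all interfaces (a bare `4000:4000` style mapping) rather than bound to the host loopback, clients can bypass nginx entirely. A comment on the `proxy_pass` line recording that expectation, `# streaming is published on the host loopback only; nginx is the sole TLS entry point`, would make the dependency visible. The new block also passes `X-Forwarded-Proto $scheme` where the existing `location /` above passes the literal `https`; both resolve the same under `listen 443 ssl`, but using one form throughout the file avoids a reader wondering whether the difference is intentional.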
