mastodon: setup streaming and oicd login

3 years ago · bd113a6061
parent 0ac5d3b1a2
commit bd113a6061
5 changed files with 71 additions and 37 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,3 @@
 .*.swp
 data
+*.secrets
--- a/mastodon/docker-compose.yaml
+++ b/mastodon/docker-compose.yaml
@ -47,12 +47,12 @@ services:
        hard: -1

  web:
-          #    build: .
    image: tootsuite/mastodon
    restart: always
    env_file:
      - ../env.production
      - env.production
+      - env.secrets
    command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 6001"
    networks:
      - external_network
@ -73,7 +73,10 @@ services:
    build: .
    image: tootsuite/mastodon
    restart: always
-    env_file: env.production
+    env_file:
+      - ../env.production
+      - env.production
+      - env.secrets
    command: node ./streaming
    networks:
      - external_network
@ -91,7 +94,10 @@ services:
    build: .
    image: tootsuite/mastodon
    restart: always
-    env_file: env.production
+    env_file:
+      - ../env.production
+      - env.production
+      - env.secrets
    command: bundle exec sidekiq
    depends_on:
      - database
--- a/mastodon/env.production
+++ b/mastodon/env.production
@ -43,15 +43,17 @@ ES_PASS=password
 # -------
 # Make sure to use `rake secret` to generate secrets
 # -------
-SECRET_KEY_BASE=abcdef1234
-OTP_SECRET=99991234
+# written to env.secrets
+#SECRET_KEY_BASE=abcdef1234
+#OTP_SECRET=99991234

 # Web Push
 # --------
 # Generate with `rake mastodon:webpush:generate_vapid_key`
 # --------
-VAPID_PRIVATE_KEY=
-VAPID_PUBLIC_KEY=
+# written to env.secrets
+#VAPID_PRIVATE_KEY=
+#VAPID_PUBLIC_KEY=

 # Sending mail
 # ------------
@ -69,31 +71,10 @@ SMTP_FROM_ADDRESS=notifications@example.com
 #AWS_SECRET_ACCESS_KEY=
 #S3_ALIAS_HOST=files.example.com

-
+# do not allow normal logins
 OMNIAUTH_ONLY=true
-#SAML_ENABLED=true
-#SAML_IDP_SSO_TARGET_URL=https://login.hackerspace.zone/realms/hackerspace/protocol/saml
-#SAML_ACS_URL=https://social.hackerspace.zone/auth/auth/saml/callback
-#SAML_ISSUER=mastodon
-#SAML_IDP_CERT=MIICnzCCAYcCBgGAiY+tazANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhtYXN0b2RvbjAeFw0yMjA1MDMxMDUzNTZaFw0zMjA1MDMxMDU1MzZaMBMxETAPBgNVBAMMCG1hc3RvZG9uMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo+1QUockEX0Bx0EvkrHsX1cXjzNB3vOzpzHaIqSn2ztpQMxsCjWB8nHL4KDCdvXL4IrxRV4x1cT37r/oQsTbW8fplIfllMIQt5pnTSlacru3LX6smfS0xkhpolUp+JmHqnzJqw4/D+WI+dKQbMymWjZ32wI2SqoMI0t4j/c38S6dFgcaRrWcqR/B418F0Fsjs7FzyvjcOgUzPPmfdITmHvH4YDpdq1xsz/9FGwBLd4kgW2GEKWLFTDP9si275/kBuSPE1NGO32TWWSJX4YThkjJ5qDWv3WfxNhTrBpbmW8rUTpQhVFtE/L6dpxswNASNRx34JPwDRH1u971aQPfYaQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAP1+ssMQkSvPl4tctis5ccdD5KhtsbURppwCx96DjYGH9awI+XMhByV7fw/1Cm/KQteparldjzikflNxZySUmQ6IY67Vw6d+9T4FWuOPDy6jRdgU8nLBMeE/Xjb9Mn4ArXU29qXnCFaO9Nz0/yCOKTwv8VBY3XeixBzT/sIaSMEV8/KFY4707AZdr9SB9Rxtq88FC/BLETWY1dg9omx8kZqiM2aVhAW0jhej9urNBGab86o4Xv+v2Gvv8lsXVB0B7KfbFpV/fG/r2jBxXirVPcD0nzjbAzc3rSs+UgBqSNAO4Wb+IDlO0jYPqO4fw9hS22vZBsJ94GDXIH0t/PyQ5p
-##SAML_IDP_CERT_FINGERPRINT=7B:53:95:6A:D6:FE:7E:E5:68:FE:9C:E1:68:51:BF:DD:F9:AF:63:F2
-#SAML_NAME_IDENTIFIER_FORMAT=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
-##SAML_CERT=
-##SAML_PRIVATE_KEY=
-#SAML_SECURITY_WANT_ASSERTION_SIGNED=true
-##SAML_SECURITY_WANT_ASSERTION_ENCRYPTED=true
-#SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
-#SAML_ATTRIBUTES_STATEMENTS_UID=uid
-#SAML_ATTRIBUTES_STATEMENTS_EMAIL=email
-##SAML_ATTRIBUTES_STATEMENTS_FULL_NAME="urn:oid:2.16.840.1.113730.3.1.241"
-#SAML_ATTRIBUTES_STATEMENTS_FIRST_NAME=first_name
-#SAML_ATTRIBUTES_STATEMENTS_LAST_NAME=last_name
-##SAML_UID_ATTRIBUTE=uid
-##SAML_ATTRIBUTES_STATEMENTS_VERIFIED=
-##SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL=
-#

-# https://github.com/mastodon/mastodon/pull/16221
+# OIDC supported since https://github.com/mastodon/mastodon/pull/16221
 OIDC_ENABLED=true
 OIDC_PROMPT=Keycloak
 OIDC_DISPLAY_NAME=hackerspace.zone
@ -101,8 +82,7 @@ OIDC_ISSUER=https://login.hackerspace.zone/realms/hackerspace
 OIDC_REDIRECT_URI=https://social.hackerspace.zone/auth/auth/openid_connect/callback
 OIDC_DISCOVERY=true
 OIDC_SCOPE=openid,profile
-OIDC_UID_FIELD=uid
+OIDC_UID_FIELD=preferred_username
 OIDC_CLIENT_ID=mastodon
 OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
-OIDC_CLIENT_SECRET=abcdef12345
-
+# OIDC_CLIENT_SECRET is in env.secrets
--- a/mastodon/setup
+++ b/mastodon/setup
@ -7,11 +7,37 @@ cd "$DIRNAME"
 source ../env.production
 source ./env.production

+mkdir -p data/system
+chmod 777 data/system
+
+rm -f env.secrets
+cat > env.secrets << EOF
+# Fake file to make db:setup happy
+SECRET_KEY_BASE=000000
+OTP_SECRET=000000
+OIDC_CLIENT_SECRET=000000
+EOF
+
+if [ -z "$MASTODON_SKIP_DB_INIT" ]; then
 	info "configuring mastodon"
 	sudo docker-compose run web \
 	  rails db:setup \
 	|| die "unable to login"
+fi
+
+# now create the real secrets file
+echo > env.secrets "# DO NOT CHECK IN"
+
+sudo docker-compose run web \
+  rails mastodon:webpush:generate_vapid_key \
+  >> env.secrets \
+|| die "unable to generate vapid key"
+
+echo "SECRET_KEY_BASE=$(openssl rand -hex 32)" >> env.secrets
+echo "OTP_SECRET=$(openssl rand -hex 32)" >> env.secrets

+CLIENT_SECRET="$(openssl rand -hex 32)"
+echo "OIDC_CLIENT_SECRET=$CLIENT_SECRET" >> env.secrets

 # create the keycloak side of the secret
 cd ../keycloak
@ -33,6 +59,6 @@ sudo docker-compose exec -T keycloak \
 	"redirectUris": [ "https://$MASTODON_HOSTNAME/*" ],
 	"webOrigins": [ "https://$MASTODON_HOSTNAME" ],
 	"clientAuthenticatorType": "client-secret",
-	"secret": "$OIDC_CLIENT_SECRET"
+	"secret": "$CLIENT_SECRET"
 }
 EOF
--- a/nginx/nginx/templates/social.conf.template
+++ b/nginx/nginx/templates/social.conf.template
@ -6,6 +6,11 @@ server {
 	}
 }

+map $http_upgrade $connection_upgrade {
+        default upgrade;
+        ''      close;
+}
+
 server {
 	server_name social.${DOMAIN_NAME};
 	client_max_body_size 128m;
@ -17,6 +22,22 @@ server {
 		proxy_set_header X-Forwarded-Proto https;
 	}

+        location /api/v1/streaming {
+                proxy_pass http://host.docker.internal:4000;
+                proxy_set_header Host $host; 
+                proxy_set_header X-Real-IP $remote_addr; 
+                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
+                proxy_set_header X-Forwarded-Proto $scheme;
+                proxy_set_header Upgrade $http_upgrade;
+                proxy_set_header Connection $connection_upgrade;
+
+		proxy_buffering off;
+		proxy_redirect off;
+		proxy_http_version 1.1;
+		tcp_nodelay on;
+        }
+
+
 	listen 443 ssl;
 	ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;