nextcloud: rework for automation

3 years ago · de29603e75
parent 9dc35e4f5d
commit de29603e75
3 changed files with 82 additions and 41 deletions
--- a/nextcloud/README.md
+++ b/nextcloud/README.md
@ -1,35 +0,0 @@
-Enable SSO:
-
-```
-( cd ../keycloak ; sudo docker-compose exec -T keycloak \
-  /opt/keycloak/bin/kcadm.sh \
-  create clients \
-  --realm master --user admin --password admin \
-  -r spacestation \
-  -f - ) <<EOF
-{
-	"clientId": "nextcloud",
-	"rootUrl": "http://spacestation:9000/",
-	"adminUrl": "http://spacestation:9000/",
-	"redirectUris": [ "http://spacestation:9000/*" ],
-	"webOrigins": [ "http://spacestation:9000" ],
-	"clientAuthenticatorType": "client-secret",
-	"secret": "nextcloud-secret"
-}
-EOF
-```
-
-and configure the social login app:
-
-```
-sudo docker-compose exec -u www-data -T nextcloud \
-  ./occ app:install sociallogin \
-&& sudo docker-compose exec -u www-data -T nextcloud \
-  ./occ config:app:set sociallogin prevent_create_email_exists --value=1 \
-&& sudo docker-compose exec -u www-data -T nextcloud \
-  ./occ config:app:set sociallogin update_profile_on_login --value=1 \
-&& sudo docker-compose exec -u www-data -T nextcloud \
-  ./occ config:app:set \
-  sociallogin custom_providers \
-  --value='{"custom_oidc":[{"name":"keycloak","title":"Keycloak","authorizeUrl":"http://spacestation:8080/realms/spacestation/protocol/openid-connect/auth","tokenUrl":"http://spacestation:8080/realms/spacestation/protocol/openid-connect/token","displayNameClaim":"","userInfoUrl":"http://spacestation:8080/realms/spacestation/protocol/openid-connect/userinfo","logoutUrl":"","clientId":"nextcloud","clientSecret":"nextcloud-secret","scope":"openid","groupsClaim":"roles","style":"keycloak","defaultGroup":""}]}'
-```
--- a/nextcloud/docker-compose.yaml
+++ b/nextcloud/docker-compose.yaml
@ -20,12 +20,13 @@ services:
      - ../env.production
      - env.production
    environment:
-      - POSTGRES_HOST=database
-      - POSTGRES_DB=nextcloud
-      - POSTGRES_USER=nextcloud
-      - POSTGRES_PASSWORD=nextcloud
-      - NEXTCLOUD_TRUSTED_DOMAINS=spacestation
-      - NEXTCLOUD_ADMIN_USER=admin
+      POSTGRES_HOST: database
+      POSTGRES_DB: nextcloud
+      POSTGRES_USER: nextcloud
+      POSTGRES_PASSWORD: nextcloud
+      #NEXTCLOUD_TRUSTED_DOMAINS: "${NEXTCLOUD_HOSTNAME}"
+      NEXTCLOUD_TRUSTED_DOMAINS: cloud.example.com
+      NEXTCLOUD_ADMIN_USER: admin
    volumes:
      - ./data/nextcloud:/var/www/html
    depends_on:
--- a/nextcloud/setup
+++ b/nextcloud/setup
@ -0,0 +1,75 @@
+#!/bin/bash
+die() { echo >&2 "$@" ; exit 1 ; }
+
+DIRNAME="$(dirname $0)"
+cd "$DIRNAME"
+[ -r env.production ] && source env.production
+[ -r ../env.production ] && source ../env.production
+
+sudo docker-compose exec -u www-data -T nextcloud \
+  ./occ app:install sociallogin \
+|| die "unable to install sociallogin app"
+
+sudo docker-compose exec -u www-data -T nextcloud \
+  ./occ config:app:set sociallogin prevent_create_email_exists --value=1 \
+|| die "unable to config sociallogin"
+
+sudo docker-compose exec -u www-data -T nextcloud \
+  ./occ config:app:set sociallogin update_profile_on_login --value=1 \
+|| die "unable to config sociallogin"
+
+BASE="https://$KEYCLOAK_HOSTNAME/realms/$REALM/protocol/openid-connect"
+SECRET="$(openssl rand -hex 20)"
+PROVIDER="$(jq -c . <<EOF
+{
+	"custom_oidc": [
+		{
+			"name":		"keycloak",
+			"title":	"Keycloak",
+			"clientId":	"nextcloud",
+			"clientSecret":	"$SECRET",
+			"authorizeUrl":	"$BASE/auth",
+			"tokenUrl":	"$BASE/token",
+			"userInfoUrl":	"$BASE/userinfo",
+			"logoutUrl":	"",	
+			"displayNameClaim": "",
+			"scope":	"openid",
+			"groupsClaim":	"roles",
+			"style":	"keycloak",
+			"defaultGroup":	""
+		}
+	]
+}
+EOF
+)"
+
+sudo docker-compose exec -u www-data -T nextcloud \
+  ./occ config:app:set \
+  sociallogin custom_providers \
+  --value="$PROVIDER" \
+|| die "unable to set keycloak parameters"
+
+
+# create the keycloak side of the secret
+cd ../keycloak
+source env.production
+
+sudo docker-compose exec -T keycloak \
+  /opt/keycloak/bin/kcadm.sh \
+  create clients \
+  --server http://localhost:8080/ \
+  --user admin \
+  --password "$KEYCLOAK_ADMIN_PASSWORD" \
+  --realm master \
+  -r "$REALM" \
+  -f - <<EOF || die "unable to create client id"
+{
+	"clientId": "nextcloud",
+	"rootUrl": "https://$NEXTCLOUD_HOSTNAME/",
+	"adminUrl": "https://$NEXTCLOUD_HOSTNAME/",
+	"redirectUris": [ "https://$NEXTCLOUD_HOSTNAME/*" ],
+	"webOrigins": [ "https://$NEXTCLOUD_HOSTNAME" ],
+	"clientAuthenticatorType": "client-secret",
+	"secret": "$SECRET"
+}
+EOF