From 6ba4003dd64683fb88e5396bb9ba4feee117d8ec Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Sat, 19 Nov 2022 23:45:44 +0000 Subject: [PATCH 1/3] makefile: move secrets out of ./data into ./secrets --- Makefile | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Makefile b/Makefile index 43852d3..d77b95f 100644 --- a/Makefile +++ b/Makefile @@ -20,7 +20,7 @@ help: UC = $(shell echo '$1' | tr '[:lower:]' '[:upper:]') DOCKER = \ - $(foreach m,$(MODULES),. data/$m/secrets && ) \ + $(foreach m,$(MODULES),. secrets/$m && ) \ docker-compose \ --env-file env.production \ $(foreach m,$(MODULES),--file ./$m.yaml) \ @@ -52,28 +52,28 @@ matrix-logs: $(DOCKER) logs --tail 100 -f matrix-synapse nextcloud-logs: $(DOCKER) logs -f nextcloud -nginx-build: data/nginx/secrets +nginx-build: secrets/nginx $(DOCKER) build nginx certdir = ./data/certbot/conf/live/${DOMAIN_NAME} run: secrets-setup -secrets-setup: $(foreach m,$(MODULES),data/$m/secrets) +secrets-setup: $(foreach m,$(MODULES),secrets/$m) # Create the per-subdomain secrets if they don't exist # not every service requires all of these features, but create them anyway GET_MODULE = $(call UC,$(word 2,$(subst /, ,$@))) RAND = $$(openssl rand -hex $1) -data/%/secrets: +secrets/%: mkdir -p $(dir $@) echo >$@ "# DO NOT CHECK IN" echo >>$@ "export $(GET_MODULE)_ADMIN_PASSWORD=$(call RAND,8)" echo >>$@ "export $(GET_MODULE)_CLIENT_SECRET=$(call RAND,20)" echo >>$@ "export $(GET_MODULE)_SESSION_SECRET=$(call RAND,20)" -data/gitea/secrets: data/gitea/host-setup.done +secrets/gitea: data/gitea/host-setup.done data/gitea/host-setup.done: sudo ./gitea/host-setup.sh mkdir -p $(dir $@) From 0ead61e45622c8dd1813dada39b766ef8cc9f9cc Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Fri, 25 Nov 2022 19:39:13 +0000 Subject: [PATCH 2/3] ignore secrets --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 303e9a1..29774c1 100644 --- a/.gitignore +++ b/.gitignore 
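Review bot: The `secrets/%` recipe writes the generated passwords with `echo >$@`, so the file inherits the caller's umask (commonly 022) and is readable by every local user on the host; the only protection the rule adds is the `# DO NOT CHECK IN` banner. Because each recipe line runs in its own shell, a bare `umask 077` line would not carry over; creating the file with the right mode first does, e.g. `install -m 0600 /dev/null $@` right after the `mkdir -p`, since the later `>`/`>>` redirections keep an existing file's mode. The same files are then sourced by the `. secrets/$m &&` prefix in the `DOCKER` variable above, which puts these values into the environment of every docker-compose invocation, so the on-disk mode is the only thing standing between them and other local accounts.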
@@ -5,3 +5,4 @@ env.smtp *.old *.log test +secrets From e31bf0ae410e7ff1ca4d1458dfc543751f666cc2 Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Fri, 25 Nov 2022 19:43:23 +0000 Subject: [PATCH 3/3] pixelfed: OIDC login and mobile app work --- Makefile | 6 ++- pixelfed.yaml | 78 ++++++++++++++++++++++++++++++++++++ pixelfed/app.php | 55 ------------------------- pixelfed/docker-compose.yaml | 73 --------------------------------- pixelfed/env.production | 21 +++------- pixelfed/keycloak.sh | 2 + pixelfed/nginx.conf | 26 ++++++++++++ 7 files changed, 117 insertions(+), 144 deletions(-) create mode 100644 pixelfed.yaml delete mode 100644 pixelfed/app.php delete mode 100644 pixelfed/docker-compose.yaml create mode 100755 pixelfed/keycloak.sh create mode 100644 pixelfed/nginx.conf diff --git a/Makefile b/Makefile index 1e1d515..ed6497b 100644 --- a/Makefile +++ b/Makefile @@ -9,7 +9,7 @@ MODULES += nextcloud MODULES += mobilizon MODULES += gitea MODULES += nitter -#MODULES += pixelfed +MODULES += pixelfed include env.production domain_name := $(DOMAIN_NAME) @@ -81,6 +81,10 @@ data/gitea/host-setup.done: mkdir -p $(dir $@) touch $@ +secrets/pixelfed: secrets/pixelfed.app +secrets/pixelfed.app: + echo 'APP_KEY=base64:$(shell openssl rand -base64 32)' > $@ + keycloak-setup: secrets-setup docker exec keycloak /setup.sh diff --git a/pixelfed.yaml b/pixelfed.yaml new file mode 100644 index 0000000..7b1b01c --- /dev/null +++ b/pixelfed.yaml 
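Review bot: In the new `secrets/pixelfed.app` rule, `$(shell openssl rand -base64 32)` is expanded by make before the recipe line is echoed, so the freshly generated APP_KEY is printed to the terminal and to any CI/log capture as part of the command text; the neighbouring `secrets/%` rule avoids exactly this by deferring to the shell with `$$(...)`. Using the same form, `echo "APP_KEY=base64:$$(openssl rand -base64 32)" > $@`, keeps the key out of the echo (prefixing the line with `@` would also do). Separately, `secrets/pixelfed: secrets/pixelfed.app` makes the app key a normal prerequisite, so a `secrets/pixelfed.app` that is newer than `secrets/pixelfed` (for example after deleting and regenerating it) re-runs the pattern recipe and silently rotates `PIXELFED_CLIENT_SECRET` and the admin password away from what keycloak.sh registered; an order-only prerequisite, `secrets/pixelfed: | secrets/pixelfed.app`, preserves the create-if-missing intent. This file is also created under the default umask, the same issue as the other secrets files.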
@@ -0,0 +1,78 @@
+version: "3"
+services:
+ pixelfed-app:
+ image: osresearch/pixelfed:latest
+ container_name: pixelfed-app
+ restart: always
+ volumes:
+ - ./data/pixelfed/storage:/var/www/storage
+ environment:
+ - APP_NAME="${DOMAIN_NAME} Pixelfed"
+ - INSTANCE_DESCRIPTION="${DOMAIN_NAME} Pixelfed"
+ - OIDC_CLIENT_ID=pixelfed
+ - OIDC_CLIENT_SECRET=${PIXELFED_CLIENT_SECRET}
+ - OIDC_PROVIDER_URL=https://${KEYCLOAK_HOSTNAME}.${DOMAIN_NAME}/realms/${REALM}
+ - OIDC_ENABLED=true
+ - OIDC_PROVIDER_NAME=Keycloak
+ - APP_URL="https://${PIXELFED_HOSTNAME}.${DOMAIN_NAME}"
+ - APP_DOMAIN="${PIXELFED_HOSTNAME}.${DOMAIN_NAME}"
+ - ADMIN_DOMAIN="${PIXELFED_HOSTNAME}.${DOMAIN_NAME}"
+ - SESSION_DOMAIN="${PIXELFED_HOSTNAME}.${DOMAIN_NAME}"
+ - MAIL_DRIVER=log
+ - MAIL_HOST=${SMTP_SERVER}
+ - MAIL_PORT=${SMTP_PORT}
+ - MAIL_FROM_ADDRESS="pixelfed@${DOMAIN_NAME}"
+ - MAIL_FROM_NAME="Pixelfed"
+ - MAIL_USERNAME="${SMTP_USER}"
+ - MAIL_PASSWORD="${SMTP_PASSWORD}"
+ env_file:
+ - ./pixelfed/env.production
+ - ./secrets/pixelfed.app
+ depends_on:
+ - pixelfed-db
+ - pixelfed-redis
+
+ pixelfed-worker:
+ image: osresearch/pixelfed:latest
+ container_name: pixelfed-worker
+ restart: unless-stopped
+ volumes:
+ - ./data/pixelfed/storage:/var/www/storage
+ env_file:
+ - ./pixelfed/env.production
+ - ./secrets/pixelfed.app
+ command: gosu www-data php artisan horizon
+ depends_on:
+ - pixelfed-db
+ - pixelfed-redis
+
+## DB and Cache
+ pixelfed-db:
+ image: mysql:8.0
+ container_name: pixelfed-db
+ restart: unless-stopped
+ command: --default-authentication-plugin=mysql_native_password
+ volumes:
+ - ./data/pixelfed/db-data:/var/lib/mysql
+ env_file:
+ - ./pixelfed/env.production
+
+ pixelfed-redis:
+ image: redis:5-alpine
+ container_name: pixelfed-redis
+ restart: unless-stopped
+ volumes:
+ - ./data/pixelfed/redis-data:/data
+ env_file:
+ - ./pixelfed/env.production
+
+ # add the subdomain nginx configuration into the nginx volume
+ nginx:
+ volumes:
+ - 
./pixelfed/nginx.conf:/etc/nginx/templates/pixelfed.conf.template:ro + + # add the subdomain client secrets to the keycloak-setup volume + keycloak: + volumes: + - ./pixelfed/keycloak.sh:/keycloak-setup/pixelfed.sh:ro + - ./secrets/pixelfed:/run/secrets/pixelfed:ro diff --git a/pixelfed/app.php b/pixelfed/app.php deleted file mode 100644 index f2801ad..0000000 --- a/pixelfed/app.php +++ /dev/null @@ -1,55 +0,0 @@ -singleton( - Illuminate\Contracts\Http\Kernel::class, - App\Http\Kernel::class -); - -$app->singleton( - Illuminate\Contracts\Console\Kernel::class, - App\Console\Kernel::class -); - -$app->singleton( - Illuminate\Contracts\Debug\ExceptionHandler::class, - App\Exceptions\Handler::class -); - -/* -|-------------------------------------------------------------------------- -| Return The Application -|-------------------------------------------------------------------------- -| -| This script returns the application instance. The instance is given to -| the calling script so we can separate the building of the instances -| from the actual running of the application and sending responses. -| -*/ - -return $app; diff --git a/pixelfed/docker-compose.yaml b/pixelfed/docker-compose.yaml deleted file mode 100644 index 0f52828..0000000 --- a/pixelfed/docker-compose.yaml +++ /dev/null 
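Review bot: The new compose file drops the `networks:` section that the deleted pixelfed/docker-compose.yaml had (`internal: true` for db and redis), so `pixelfed-db` and `pixelfed-redis` now sit on the project-wide default network next to every other module's containers, reachable with the static `pixelfed_db_pass`/`redis_password` values committed in pixelfed/env.production — and the stock `redis:5-alpine` image does not read `REDIS_PASSWORD` from its env_file, so unless its entrypoint is given `--requirepass` it is presumably listening unauthenticated; worth confirming. Restoring a per-module internal network, with the app and worker also on `default` so nginx can still reach them, limits the blast radius of a compromise elsewhere in the stack. Both `osresearch/pixelfed:latest` references are also unpinned; pinning a tag or digest makes the deployed build reproducible.
```yaml
services:
  pixelfed-app:
    # … unchanged: image, container_name, restart, volumes, environment, env_file, depends_on …
    networks:
      - default
      - pixelfed-internal

  pixelfed-worker:
    # … unchanged: image, container_name, restart, volumes, env_file, command, depends_on …
    networks:
      - default
      - pixelfed-internal

  pixelfed-db:
    # … unchanged: image, container_name, restart, command, volumes, env_file …
    networks:
      - pixelfed-internal

  pixelfed-redis:
    # … unchanged: image, container_name, restart, volumes, env_file …
    networks:
      - pixelfed-internal

  # … unchanged: nginx and keycloak volume additions …

networks:
  pixelfed-internal:
    internal: true
```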
@@ -1,73 +0,0 @@ ---- -version: '3' - -services: -## App and Worker - app: - image: osresearch/pixelfed - restart: unless-stopped - env_file: - - ../env.production - - env.production - - ../data/pixelfed/env.secrets - volumes: - - ../data/pixelfed/app-storage:/var/www/storage - - ../data/pixelfed/app-bootstrap:/var/www/bootstrap - - ../data/pixelfed/env.secrets:/var/www/.env - networks: - - external - - internal - ports: - - "8090:80" - depends_on: - - db - - redis - - worker: - image: osresearch/pixelfed - restart: unless-stopped - env_file: - - ../env.production - - env.production - - ../data/pixelfed/env.secrets - volumes: - - ../data/pixelfed/app-storage:/var/www/storage - - ../data/pixelfed/app-bootstrap:/var/www/bootstrap - - ../data/pixelfed/env.secrets:/var/www/.env - networks: - - external - - internal - command: gosu www-data php artisan horizon - depends_on: - - db - - redis - -## DB and Cache - db: - image: mysql:8.0 - restart: unless-stopped - networks: - - internal - command: --default-authentication-plugin=mysql_native_password - env_file: - - ../env.production - - env.production - volumes: - - "../data/pixelfed/db-data:/var/lib/mysql" - - redis: - image: redis:5-alpine - restart: unless-stopped - env_file: - - ../env.production - - env.production - volumes: - - "../data/pixelfed/redis-data:/data" - networks: - - internal - -networks: - internal: - internal: true - external: - driver: bridge diff --git a/pixelfed/env.production b/pixelfed/env.production index cc2049e..d022e4d 100644 --- a/pixelfed/env.production +++ b/pixelfed/env.production 
@@ -1,21 +1,16 @@ ## Crypto -# APP_KEY is set env.secrets +# APP_KEY is set in secrets/pixelfed.app ## General Settings APP_ENV=production APP_DEBUG=false -# domain name specifics are passed in env.secrets -# APP_NAME="Pixelfed Prod (Testing)" -# APP_URL="https://pixelfed.hackerspace.zone" -# APP_DOMAIN="pixelfed.hackerspace.zone" -# ADMIN_DOMAIN="pixelfed.hackerspace.zone" -# SESSION_DOMAIN="pixelfed.hackerspace.zone" +# domain name specifics are passed in pixelfed.yaml OPEN_REGISTRATION=true ENFORCE_EMAIL_VERIFICATION=false PF_MAX_USERS=1000 -OAUTH_ENABLED=false +OAUTH_ENABLED=true # necessary for mobile app APP_TIMEZONE=UTC APP_LOCALE=en @@ -60,7 +55,7 @@ RESTRICTED_INSTANCE=false ## Databases (MySQL) DB_CONNECTION=mysql DB_DATABASE=pixelfed_prod -DB_HOST=db +DB_HOST=pixelfed-db DB_PASSWORD=pixelfed_db_pass DB_PORT=3306 DB_USERNAME=pixelfed @@ -81,7 +76,7 @@ MYSQL_USER=pixelfed ## Cache (Redis) REDIS_CLIENT=phpredis REDIS_SCHEME=tcp -REDIS_HOST=redis +REDIS_HOST=pixelfed-redis REDIS_PASSWORD=redis_password REDIS_PORT=6379 REDIS_DATABASE=0 @@ -151,8 +146,4 @@ TRUST_PROXIES="*" #PASSPORT_PRIVATE_KEY= #PASSPORT_PUBLIC_KEY= -## OIDC for logins passed in in env.secrets -# OIDC_CLIENT_ID, OIDC_CLIENT_SECRET -# OIDC provider URL must include realm -# OIDC_PROVIDER_URL=https://login.hackerspace.zone/realms/hackerspace -OIDC_PROVIDER_NAME=oidc +## OIDC config is passed in pixelfed.yaml diff --git a/pixelfed/keycloak.sh b/pixelfed/keycloak.sh new file mode 100755 index 0000000..b036a48 --- /dev/null +++ b/pixelfed/keycloak.sh @@ -0,0 +1,2 @@ +#!/bin/bash -x +client-create pixelfed "$PIXELFED_HOSTNAME.$DOMAIN_NAME" "$PIXELFED_CLIENT_SECRET"
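Review bot: `OAUTH_ENABLED=true # necessary for mobile app` puts a trailing comment on a value line of a file consumed through compose `env_file:`; whether the ` # …` part is stripped depends on the compose version's env_file parser (docker-compose 1.x keeps everything after `=` as the value), and the Makefile invokes the hyphenated `docker-compose`, so the value that reaches the app may be `true # necessary for mobile app` rather than `true`. Moving the remark to its own line, `# OAUTH_ENABLED is necessary for the mobile app` above `OAUTH_ENABLED=true`, removes the ambiguity. The hunk's new comment also sends readers to `secrets/pixelfed.app` for APP_KEY, but the database and cache credentials visible as context (`DB_PASSWORD=pixelfed_db_pass`, `REDIS_PASSWORD=redis_password`) stay as committed constants in this file; generating them into the same secrets file would finish the move this series started.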
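Review bot: `#!/bin/bash -x` traces every command to stderr with its arguments expanded, so the single `client-create` call prints `$PIXELFED_CLIENT_SECRET` in clear text into whatever captures the output of `docker exec keycloak /setup.sh` (terminal scrollback, CI logs, journald). The other per-module keycloak scripts are not in this diff, so this may be a shared convention, but for a script whose only job is to hand over a secret the trace should be off: drop `-x` from the shebang, or put `set +x` immediately before the `client-create` line. The `client-create` helper itself is defined outside this diff.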