pixelfed: OIDC login and mobile app work

single-dockerfile
Trammell Hudson 2 years ago
parent 0ead61e456
commit e31bf0ae41
  1. 6
      Makefile
  2. 78
      pixelfed.yaml
  3. 55
      pixelfed/app.php
  4. 73
      pixelfed/docker-compose.yaml
  5. 21
      pixelfed/env.production
  6. 2
      pixelfed/keycloak.sh
  7. 26
      pixelfed/nginx.conf

@ -9,7 +9,7 @@ MODULES += nextcloud
MODULES += mobilizon
MODULES += gitea
MODULES += nitter
#MODULES += pixelfed
MODULES += pixelfed
include env.production
domain_name := $(DOMAIN_NAME)
@ -81,6 +81,10 @@ data/gitea/host-setup.done:
mkdir -p $(dir $@)
touch $@
secrets/pixelfed: secrets/pixelfed.app
secrets/pixelfed.app:
echo 'APP_KEY=base64:$(shell openssl rand -base64 32)' > $@
keycloak-setup: secrets-setup
docker exec keycloak /setup.sh
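Review bot: The APP_KEY written by the new `secrets/pixelfed.app` recipe is created with whatever umask `make` inherits, so the file can end up group- or world-readable even though it is the only copy of the key Laravel uses for session and data encryption; tighten it at creation time, e.g. `( umask 077; echo 'APP_KEY=base64:$(shell openssl rand -base64 32)' > $@ )`. Because `$(shell ...)` is expanded each time the recipe runs, rebuilding the target yields a fresh key and invalidates anything encrypted with the previous one, so a comment above the rule such as `# never regenerate once the instance holds data` would save a future operator that surprise. The `secrets/pixelfed: secrets/pixelfed.app` rule shows no recipe in this hunk, so the target is presumably a directory populated elsewhere; worth confirming.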

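--- a/pixelfed.yaml
+++ b/pixelfed.yaml
@@ -0,0 +1,78 @@
+version: "3"
+services:
+pixelfed-app:
+image: osresearch/pixelfed:latest
+container_name: pixelfed-app
+restart: always
+volumes:
+- ./data/pixelfed/storage:/var/www/storage
+environment:
+- APP_NAME="${DOMAIN_NAME} Pixelfed"
+- INSTANCE_DESCRIPTION="${DOMAIN_NAME} Pixelfed"
+- OIDC_CLIENT_ID=pixelfed
+- OIDC_CLIENT_SECRET=${PIXELFED_CLIENT_SECRET}
+- OIDC_PROVIDER_URL=https://${KEYCLOAK_HOSTNAME}.${DOMAIN_NAME}/realms/${REALM}
+- OIDC_ENABLED=true
+- OIDC_PROVIDER_NAME=Keycloak
+- APP_URL="https://${PIXELFED_HOSTNAME}.${DOMAIN_NAME}"
+- APP_DOMAIN="${PIXELFED_HOSTNAME}.${DOMAIN_NAME}"
+- ADMIN_DOMAIN="${PIXELFED_HOSTNAME}.${DOMAIN_NAME}"
+- SESSION_DOMAIN="${PIXELFED_HOSTNAME}.${DOMAIN_NAME}"
+- MAIL_DRIVER=log
+- MAIL_HOST=${SMTP_SERVER}
+- MAIL_PORT=${SMTP_PORT}
+- MAIL_FROM_ADDRESS="pixelfed@${DOMAIN_NAME}"
+- MAIL_FROM_NAME="Pixelfed"
+- MAIL_USERNAME="${SMTP_USER}"
+- MAIL_PASSWORD="${SMTP_PASSWORD}"
+env_file:
+- ./pixelfed/env.production
+- ./secrets/pixelfed.app
+depends_on:
+- pixelfed-db
+- pixelfed-redis
+pixelfed-worker:
+image: osresearch/pixelfed:latest
+container_name: pixelfed-worker
+restart: unless-stopped
+volumes:
+- ./data/pixelfed/storage:/var/www/storage
+env_file:
+- ./pixelfed/env.production
+- ./secrets/pixelfed.app
+command: gosu www-data php artisan horizon
+depends_on:
+- pixelfed-db
+- pixelfed-redis
+## DB and Cache
+pixelfed-db:
+image: mysql:8.0
+container_name: pixelfed-db
+restart: unless-stopped
+command: --default-authentication-plugin=mysql_native_password
+volumes:
+- ./data/pixelfed/db-data:/var/lib/mysql
+env_file:
+- ./pixelfed/env.production
+pixelfed-redis:
+image: redis:5-alpine
+container_name: pixelfed-redis
+restart: unless-stopped
+volumes:
+- ./data/pixelfed/redis-data:/data
+env_file:
+- ./pixelfed/env.production
+# add the subdomain nginx configuration into the nginx volume
+nginx:
+volumes:
+- ./pixelfed/nginx.conf:/etc/nginx/templates/pixelfed.conf.template:ro
+# add the subdomain client secrets to the keycloak-setup volume
+keycloak:
+volumes:
+- ./pixelfed/keycloak.sh:/keycloak-setup/pixelfed.sh:ro
+- ./secrets/pixelfed:/run/secrets/pixelfed:ro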
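Review bot: The new compose file defines no `networks:`, so `pixelfed-db` and `pixelfed-redis` join the project's default network alongside nginx, keycloak and every other module, whereas the deleted `pixelfed/docker-compose.yaml` kept them on an `internal: true` network. That matters because `redis:5-alpine` is started without `--requirepass` (the official image ignores the REDIS_PASSWORD variable from env.production, only the app reads it) and MySQL uses the fixed `pixelfed_db_pass`, so any container on the shared network can reach both stores. Restoring a dedicated internal network for the four pixelfed services, with `pixelfed-app` and `pixelfed-worker` also on the default network for nginx and outbound federation, brings back the isolation the old file had. Separately, `OIDC_CLIENT_SECRET` and `MAIL_PASSWORD` are interpolated into `environment:` and therefore appear in `docker inspect`, while the APP_KEY is kept in a mounted env_file; moving them to the same `secrets/` mechanism would be consistent. Also check the quoted entries such as `APP_URL="https://..."`: in list-form `environment:` items the double quotes are kept as part of the value on at least some compose versions, which would break the URL.
```yaml
services:
  pixelfed-app:
    # … unchanged: image, volumes, environment, env_file, depends_on …
    networks:
      - default
      - pixelfed-internal
  pixelfed-worker:
    # … unchanged …
    networks:
      - default
      - pixelfed-internal
  pixelfed-db:
    # … unchanged …
    networks:
      - pixelfed-internal
  pixelfed-redis:
    # … unchanged …
    networks:
      - pixelfed-internal
  # … unchanged: nginx and keycloak volume additions …

networks:
  pixelfed-internal:
    internal: true
```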

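--- a/pixelfed/app.php
+++ b/pixelfed/app.php
@@ -1,55 +0,0 @@
-<?php
-/*
-|--------------------------------------------------------------------------
-| Create The Application
-|--------------------------------------------------------------------------
-|
-| The first thing we will do is create a new Laravel application instance
-| which serves as the "glue" for all the components of Laravel, and is
-| the IoC container for the system binding all of the various parts.
-|
-*/
-$app = new Illuminate\Foundation\Application(
-realpath(__DIR__.'/../')
-);
-/*
-|--------------------------------------------------------------------------
-| Bind Important Interfaces
-|--------------------------------------------------------------------------
-|
-| Next, we need to bind some important interfaces into the container so
-| we will be able to resolve them when needed. The kernels serve the
-| incoming requests to this application from both the web and CLI.
-|
-*/
-$app->singleton(
-Illuminate\Contracts\Http\Kernel::class,
-App\Http\Kernel::class
-);
-$app->singleton(
-Illuminate\Contracts\Console\Kernel::class,
-App\Console\Kernel::class
-);
-$app->singleton(
-Illuminate\Contracts\Debug\ExceptionHandler::class,
-App\Exceptions\Handler::class
-);
-/*
-|--------------------------------------------------------------------------
-| Return The Application
-|--------------------------------------------------------------------------
-|
-| This script returns the application instance. The instance is given to
-| the calling script so we can separate the building of the instances
-| from the actual running of the application and sending responses.
-|
-*/
-return $app;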

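--- a/pixelfed/docker-compose.yaml
+++ b/pixelfed/docker-compose.yaml
@@ -1,73 +0,0 @@
----
-version: '3'
-services:
-## App and Worker
-app:
-image: osresearch/pixelfed
-restart: unless-stopped
-env_file:
-- ../env.production
-- env.production
-- ../data/pixelfed/env.secrets
-volumes:
-- ../data/pixelfed/app-storage:/var/www/storage
-- ../data/pixelfed/app-bootstrap:/var/www/bootstrap
-- ../data/pixelfed/env.secrets:/var/www/.env
-networks:
-- external
-- internal
-ports:
-- "8090:80"
-depends_on:
-- db
-- redis
-worker:
-image: osresearch/pixelfed
-restart: unless-stopped
-env_file:
-- ../env.production
-- env.production
-- ../data/pixelfed/env.secrets
-volumes:
-- ../data/pixelfed/app-storage:/var/www/storage
-- ../data/pixelfed/app-bootstrap:/var/www/bootstrap
-- ../data/pixelfed/env.secrets:/var/www/.env
-networks:
-- external
-- internal
-command: gosu www-data php artisan horizon
-depends_on:
-- db
-- redis
-## DB and Cache
-db:
-image: mysql:8.0
-restart: unless-stopped
-networks:
-- internal
-command: --default-authentication-plugin=mysql_native_password
-env_file:
-- ../env.production
-- env.production
-volumes:
-- "../data/pixelfed/db-data:/var/lib/mysql"
-redis:
-image: redis:5-alpine
-restart: unless-stopped
-env_file:
-- ../env.production
-- env.production
-volumes:
-- "../data/pixelfed/redis-data:/data"
-networks:
-- internal
-networks:
-internal:
-internal: true
-external:
-driver: bridge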

@ -1,21 +1,16 @@
## Crypto
# APP_KEY is set env.secrets
# APP_KEY is set in secrets/pixelfed.app
## General Settings
APP_ENV=production
APP_DEBUG=false
# domain name specifics are passed in env.secrets
# APP_NAME="Pixelfed Prod (Testing)"
# APP_URL="https://pixelfed.hackerspace.zone"
# APP_DOMAIN="pixelfed.hackerspace.zone"
# ADMIN_DOMAIN="pixelfed.hackerspace.zone"
# SESSION_DOMAIN="pixelfed.hackerspace.zone"
# domain name specifics are passed in pixelfed.yaml
OPEN_REGISTRATION=true
ENFORCE_EMAIL_VERIFICATION=false
PF_MAX_USERS=1000
OAUTH_ENABLED=false
OAUTH_ENABLED=true # necessary for mobile app
APP_TIMEZONE=UTC
APP_LOCALE=en
@ -60,7 +55,7 @@ RESTRICTED_INSTANCE=false
## Databases (MySQL)
DB_CONNECTION=mysql
DB_DATABASE=pixelfed_prod
DB_HOST=db
DB_HOST=pixelfed-db
DB_PASSWORD=pixelfed_db_pass
DB_PORT=3306
DB_USERNAME=pixelfed
@ -81,7 +76,7 @@ MYSQL_USER=pixelfed
## Cache (Redis)
REDIS_CLIENT=phpredis
REDIS_SCHEME=tcp
REDIS_HOST=redis
REDIS_HOST=pixelfed-redis
REDIS_PASSWORD=redis_password
REDIS_PORT=6379
REDIS_DATABASE=0
@ -151,8 +146,4 @@ TRUST_PROXIES="*"
#PASSPORT_PRIVATE_KEY=
#PASSPORT_PUBLIC_KEY=
## OIDC for logins passed in in env.secrets
# OIDC_CLIENT_ID, OIDC_CLIENT_SECRET
# OIDC provider URL must include realm
# OIDC_PROVIDER_URL=https://login.hackerspace.zone/realms/hackerspace
OIDC_PROVIDER_NAME=oidc
## OIDC config is passed in pixelfed.yaml
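Review bot: `OAUTH_ENABLED=true # necessary for mobile app` in the first hunk puts a trailing comment on the value line of a file that is consumed both as a Laravel .env and as a compose `env_file` for four services; compose env_file parsers have not always honoured inline comments, in which case the variable would carry the literal value `true # necessary for mobile app`. Put the remark on its own line above instead: `# necessary for mobile app` followed by `OAUTH_ENABLED=true`. The surrounding context also shows `DB_PASSWORD=pixelfed_db_pass` and `REDIS_PASSWORD=redis_password` still committed in clear while APP_KEY has just been moved to `secrets/pixelfed.app`; giving the database credentials the same treatment would make the split consistent.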

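--- a/pixelfed/keycloak.sh
+++ b/pixelfed/keycloak.sh
@@ -0,0 +1,2 @@
+#!/bin/bash -x
+client-create pixelfed "$PIXELFED_HOSTNAME.$DOMAIN_NAME" "$PIXELFED_CLIENT_SECRET" </dev/null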
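Review bot: `#!/bin/bash -x` makes bash trace every command, so when this file is executed the `client-create` line is echoed with `$PIXELFED_CLIENT_SECRET` expanded, landing the OIDC client secret in the keycloak container's stderr and therefore in `docker logs`. Drop the `-x` from the shebang (`#!/bin/bash`), or bracket the call with `set +x` / `set -x` if tracing the rest of the setup is wanted. If `/setup.sh` sources this file rather than executing it, the shebang is ignored and the same exposure depends on the caller's own trace setting, which is worth checking too.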

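--- a/pixelfed/nginx.conf
+++ b/pixelfed/nginx.conf
@@ -0,0 +1,26 @@
+server {
+server_name ${PIXELFED_HOSTNAME} ${PIXELFED_HOSTNAME}.${DOMAIN_NAME};
+client_max_body_size 128m;
+sendfile on;
+tcp_nopush on;
+tcp_nodelay on;
+keepalive_timeout 65;
+types_hash_max_size 2048;
+gzip on;
+gzip_disable "msie6";
+proxy_read_timeout 1800s;
+location / {
+proxy_pass http://pixelfed-app/;
+#proxy_pass http://172.17.0.1:8080/;
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+}
+include /etc/nginx/includes/ssl.conf;
+}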
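Review bot: `proxy_pass http://pixelfed-app/;` is resolved when nginx loads its configuration, so if the shared nginx starts before the pixelfed module's container exists, the whole nginx instance fails on an unresolvable upstream rather than just this vhost. Since this template is dropped into a shared nginx, consider resolving at request time: `resolver 127.0.0.11 valid=30s;` then `set $pixelfed_upstream http://pixelfed-app;` and `proxy_pass $pixelfed_upstream;`. The commented `#proxy_pass http://172.17.0.1:8080/;` looks like a leftover from testing and can go. No `listen` directive appears in this file, so the vhost relies on the included `ssl.conf` providing it; a one-line comment above the include saying so would help the next reader.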