mastodon: export vapid key for worker

keycloak: do not recreate an existing client, create roles for admin
pixelfed: include domains in worker, too
10 changed files with 73 additions and 20 deletions
--- a/5
+++ b/5
@ -33,6 +33,8 @@ nginx-shell:
 	$(DOCKER) exec nginx sh
 nginx-logs:
 	$(DOCKER) logs -f --tail 1000 nginx
 mastodon-logs:
 	$(DOCKER) logs -f --tail 1000 mastodon
 grafana-shell:
 	$(DOCKER) exec grafana bash
 hedgedoc-shell:
@ -42,6 +44,9 @@ keycloak-shell:
 keycloak-rebuild:
 	$(DOCKER) create keycloak
 	$(DOCKER) restart keycloak
 mastodon-es-rebuild:
 	$(DOCKER) create mastodon-es
 	$(DOCKER) restart mastodon-es
 mastodon-shell:
 	$(DOCKER) exec mastodon bash
 mastodon-streaming-shell:
--- a/keycloak.yaml
+++ b/keycloak.yaml
@ -38,6 +38,7 @@ services:
        - ./data/keycloak/certs:/etc/x509/https
        - ./data/keycloak/keycloak:/opt/keycloak/data
        - ./keycloak/client-create:/bin/client-create:ro
        - ./keycloak/client-get:/bin/client-get:ro
        - ./keycloak/create-user:/bin/create-user:ro
        - ./keycloak/remind-user:/bin/remind-user:ro
        - ./keycloak/keycloak-login.sh:/bin/keycloak-login.sh:ro
--- a/keycloak/client-create
+++ b/keycloak/client-create
@ -5,22 +5,19 @@ client_name="$1"
 hostname="$2"
 secret="$3"
-client_id="$(kcadm.sh get clients \
+client_id="$(client-get $client_name)"
 	-r "$REALM" \
 	--fields id \
 	-q clientId="$client_name" \
 	--format csv \
 	--noquotes \
 )"
 if [ -n "$client_id" ]; then
-	kcadm.sh delete "clients/$client_id" -r "$REALM" || die "$client_id: unable to delete"
+	#kcadm.sh delete "clients/$client_id" -r "$REALM" || die "$client_id: unable to delete"
 	echo >&2 "$client_name: $client_id already exists"
 	echo "$client_id"
 	exit 0
 fi
 # remember to add a leading , if adding extra data
 extra="$(cat -)"
-kcadm.sh create clients -r "$REALM"  -f - <<EOF || die "$client_id: unable to create"
+kcadm.sh create clients -r "$REALM"  -f - <<EOF || die "$client_name: unable to create"
 {
 	"clientId": "$client_name",
 	"rootUrl": "https://$hostname",
@ -32,3 +29,7 @@ kcadm.sh create clients -r "$REALM"  -f - <<EOF || die "$client_id: unable to cr
 	$extra
 }
 EOF
 client_id=$(client-get "$client_name")
 echo >&2 "$client_name: $client_id created"
 echo "$client_id"
--- a/keycloak/client-get
+++ b/keycloak/client-get
@ -0,0 +1,14 @@
 #!/bin/sh
 client_name="$1"
 if [ -z "$client_name" ]; then
 	echo >&2 "usage: $0 client-name"
 	exit 1
 fi
 kcadm.sh get clients \
 	-r "$REALM" \
 	-q "clientId=$client_name" \
 	--fields id \
 	--format csv \
 	--noquotes
--- a/keycloak/mapper-setup.sh
+++ b/keycloak/mapper-setup.sh
@ -2,7 +2,7 @@
 # Turn on the userinfo for the roles/cient roles default protocol mapper.
 # this should be so much easier, but they don't have ways to do queries?
 # and they don't include jq in the keycloak container, so updating the JSON
-# it bangning the rocks together with sed and awk.
+# it banging the rocks together with sed and awk.
 die() { echo >&2 "ERROR: $@" ; exit 1 ; }
@ -12,11 +12,24 @@ if [ -z "$SCOPE_ID" ]; then die "no client scope" ; fi
 MAPPER_ID=$(kcadm.sh get -r $REALM client-scopes/$SCOPE_ID/protocol-mappers/models --format csv --noquotes | awk -F, '/,client roles,/ { print $1 }')
 if [ -z "$MAPPER_ID" ]; then die "no mapper defined" ; fi
-kcadm.sh get -r $REALM client-scopes/$SCOPE_ID/protocol-mappers/models/$MAPPER_ID \
+tee /tmp/map <<EOF
-        | sed 's/"userinfo.token.claim" : "false"/"userinfo.token.claim" : "true"/' \
+{
-        > /tmp/map
+  "id" : "$MAPPER_ID",
-
+  "name" : "client roles",
-cat /tmp/map
+  "protocol" : "openid-connect",
-
+  "protocolMapper" : "oidc-usermodel-client-role-mapper",
-kcadm.sh update -r $REALM client-scopes/$SCOPE_ID/protocol-mappers/models/$MAPPER_ID -f /tmp/map
+  "consentRequired" : false,
  "config" : {
    "user.attribute" : "foo",
    "access.token.claim" : "true",
    "userinfo.token.claim" : "true",
    "claim.name" : "resource_access.\${client_id}.roles",
    "jsonType.label" : "String",
    "multivalued" : "true"
  }
 }
 EOF
 kcadm.sh update -r $REALM client-scopes/$SCOPE_ID/protocol-mappers/models/$MAPPER_ID -f /tmp/map \
 	|| die "$REALM/$SCOPE_ID/$MAPPER_ID: unable to configure mapper"
 kcadm.sh get -r $REALM client-scopes/$SCOPE_ID/protocol-mappers/models/$MAPPER_ID
--- a/mastodon.yaml
+++ b/mastodon.yaml
@ -160,7 +160,8 @@ services:
      - SMTP_LOGIN=$SMTP_USER
      - SMTP_PASSWORD=$SMTP_PASSWORD
      - SMTP_FROM_ADDRESS=mastodon@$DOMAIN_NAME
-    command: bundle exec sidekiq
+      - VAPID_KEY_FILE=/mastodon/public/system/vapid_key
    entrypoint: ['/bin/bash', '-c', 'if [ -r "$$VAPID_KEY_FILE" ]; then . "$$VAPID_KEY_FILE" ; export VAPID_PUBLIC_KEY VAPID_PRIVATE_KEY ; echo "VAPID_PUBLIC_KEY=$$VAPID_PUBLIC_KEY"; fi ; exec bundle exec sidekiq' ]
    depends_on:
      - mastodon-db
      - mastodon-redis
--- a/mastodon/entrypoint.sh
+++ b/mastodon/entrypoint.sh
@ -21,6 +21,7 @@ if [ ! -r "$VAPID_KEY" ]; then
 fi
 . "$VAPID_KEY"
 export VAPID_PRIVATE_KEY VAPID_PUBLIC_KEY
 if [ ! -r "$DB_SETUP" ]; then
 	rails db:setup \
--- a/mastodon/keycloak.sh
+++ b/mastodon/keycloak.sh
@ -1,3 +1,6 @@
 #!/bin/bash -x
-client-create mastodon "$MASTODON_HOSTNAME.$DOMAIN_NAME" "$MASTODON_CLIENT_SECRET" </dev/null
+client_id=$(client-create mastodon "$MASTODON_HOSTNAME.$DOMAIN_NAME" "$MASTODON_CLIENT_SECRET" </dev/null)
 echo '{"name":"admin"}' | kcadm.sh create -r "$REALM" "clients/$client_id/roles" -f -
 echo '{"name":"moderator"}' | kcadm.sh create -r "$REALM" "clients/$client_id/roles" -f -
--- a/pixelfed.yaml
+++ b/pixelfed.yaml
@ -41,6 +41,18 @@ services:
    env_file:
      - ./pixelfed/env.production
      - ./secrets/pixelfed.app
    environment:
      - APP_URL="https://${PIXELFED_HOSTNAME}.${DOMAIN_NAME}"
      - APP_DOMAIN="${PIXELFED_HOSTNAME}.${DOMAIN_NAME}"
      - ADMIN_DOMAIN="${PIXELFED_HOSTNAME}.${DOMAIN_NAME}"
      - SESSION_DOMAIN="${PIXELFED_HOSTNAME}.${DOMAIN_NAME}"
      - MAIL_DRIVER=log
      - MAIL_HOST=${SMTP_SERVER}
      - MAIL_PORT=${SMTP_PORT}
      - MAIL_FROM_ADDRESS="pixelfed@${DOMAIN_NAME}"
      - MAIL_FROM_NAME="Pixelfed"
      - MAIL_USERNAME="${SMTP_USER}"
      - MAIL_PASSWORD="${SMTP_PASSWORD}"
    command: gosu www-data php artisan horizon
    depends_on:
      - pixelfed-db
--- a/pixelfed/keycloak.sh
+++ b/pixelfed/keycloak.sh
@ -1,2 +1,4 @@
 #!/bin/bash -x
-client-create pixelfed "$PIXELFED_HOSTNAME.$DOMAIN_NAME" "$PIXELFED_CLIENT_SECRET" </dev/null
+client_id=$(client-create pixelfed "$PIXELFED_HOSTNAME.$DOMAIN_NAME" "$PIXELFED_CLIENT_SECRET" </dev/null)
 echo '{"name":"admin"}' | kcadm.sh create -r "$REALM" "clients/$client_id/roles" -f -
Author	SHA1	Message	Date
Ubuntu	07568c6f4b	mastodon: export vapid key for worker	2 years ago
Ubuntu	62fcccf0c7	keycloak: do not recreate an existing client, create roles for admin	2 years ago
Ubuntu	9b909fe572	pixelfed: include domains in worker, too	2 years ago
Ubuntu	b2c44dd57f	keycloak: fix userinfo.token.claim setup	2 years ago
Ubuntu	84013dec99	Merge branch 'single-dockerfile' of ssh://git.v.st/vst/env into single-dockerfile	2 years ago
Ubuntu	e26c1fa637	Merge branch 'single-dockerfile' of ssh://git.v.st/vst/env into single-dockerfile	2 years ago
Ubuntu	6e016d2c88	mastodon logs	2 years ago