Compare commits
7 Commits
0.1.3+5.82
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
|
a2d725f437 | ||
|
|
d31244bdd6 | ||
|
|
bc05150011 | ||
| 58115d9628 | |||
|
|
603b233823 | ||
|
|
4ef2ddd223 | ||
|
|
ddd833b908 |
19
.env.sample
19
.env.sample
@ -1,6 +1,6 @@
|
||||
TYPE=civicrm-wordpress
|
||||
|
||||
DOMAIN=civicrm.example.com
|
||||
DOMAIN=civicrm-wordpress.example.com
|
||||
|
||||
## Domain aliases
|
||||
#EXTRA_DOMAINS=', `www.civicrm.example.com`'
|
||||
@ -37,3 +37,20 @@ SECRET_CIVICRM_SITE_KEY_VERSION=v1 # length=16
|
||||
SECRET_CIVICRM_CRED_KEY_VERSION=v1 # length=43
|
||||
SECRET_CIVICRM_SIGN_KEY_VERSION=v1 # length=43
|
||||
SECRET_WORDPRESS_ADMIN_PASSWORD_VERSION=v1
|
||||
|
||||
## -- OpenId Connect --
|
||||
|
||||
#COMPOSE_FILE="compose.yml:compose.openidconnect.yml"
|
||||
#OPEN_ID_CLIENT_ID=
|
||||
#SECRET_OPEN_ID_CLIENT_SECRET_VERSION=v1
|
||||
|
||||
# If you are using authentik, just set this
|
||||
#AUTHENTIK_DOMAIN=authentik.company
|
||||
|
||||
# Otherwise, you must set all of these
|
||||
#OPEN_ID_PROVIDER_LOGIN_URL=https://authentik.company/application/o/authorize/
|
||||
#OPEN_ID_USERINFO_URL=https://authentik.company/application/o/userinfo/
|
||||
#OPEN_ID_TOKEN_ENDPOINT_URL=https://authentik.company/application/o/token/
|
||||
#OPEN_ID_END_SESSION_URL=https://authentik.company/application/o/wordpress/end-session/
|
||||
|
||||
## -- OpenId Connect --
|
||||
|
||||
18
README.md
18
README.md
@ -19,16 +19,22 @@
|
||||
* `abra app new civicrm-wordpress`
|
||||
* `abra app config <app-name>`
|
||||
|
||||
Generate secrets (be sure to save them):
|
||||
* `abra app secret g <app-name> db_root_password v1`
|
||||
* `abra app secret g <app-name> db_password v1`
|
||||
* `abra app secret g <app-name> civicrm_site_key v1`
|
||||
* `abra app secret g <app-name> civicrm_cred_key v1`
|
||||
* `abra app secret g <app-name> civicrm_sign_key v1`
|
||||
SMTP:
|
||||
* Make sure to configure Traefik to support SMTP
|
||||
|
||||
Authentik integration:
|
||||
* When configuring, uncomment `COMPOSE_FILE`, `OPEN_ID_CLIENT_ID`, `SECRET_OPEN_ID_CLIENT_SECRET_VERSION`, and `AUTHENTIK_DOMAIN`
|
||||
* To configure your Authentik deployment, follow the guide at [`docs.goauthentik.io/integrations/services/wordpress`](https://docs.goauthentik.io/integrations/services/wordpress/).
|
||||
* NOTE: at the time of writing the Authentik integration guide incorrectly says to set the redirect URI to `https://wp.company/admin-ajax.php?action=openid-connect-authorize` when it should be `https://wp.company/wp-admin/admin-ajax.php?action=openid-connect-authorize`
|
||||
* If using a different OpenID provider, leave `AUTHENTIK_DOMAIN` commented and uncomment the other OpenID configuration options
|
||||
|
||||
Insert secrets:
|
||||
* `abra app secret i <app-name> wordpress_admin_password v1 '<temp account password>'`
|
||||
* `abra app secret i <app-name> smtp_password v1 '<smtp password>'`
|
||||
* (Authentik) `abra app secret i <app-name> openid_client_secret v1 <openid client secret>`
|
||||
|
||||
Generate secrets (be sure to save them):
|
||||
* `abra app secret g -a <app-name>`
|
||||
|
||||
Deploy app:
|
||||
* `abra app deploy <app-name>`
|
||||
|
||||
1
abra.sh
1
abra.sh
@ -31,6 +31,7 @@ file_env "SMTP_PASSWORD"
|
||||
export APACHE_SITES_AVAILABLE_CONF_VERSION=v1
|
||||
export CIVICRM_SETTINGS_PHP_VERSION=v1
|
||||
export ENTRYPOINT_VERSION=v1
|
||||
export OPENID_SETTINGS_VERSION=v1
|
||||
|
||||
change_password(){
|
||||
echo "Changing password for $1"
|
||||
|
||||
14
compose.openidconnect.yml
Normal file
14
compose.openidconnect.yml
Normal file
@ -0,0 +1,14 @@
|
||||
---
|
||||
version: "3.8"
|
||||
|
||||
services:
|
||||
app:
|
||||
environment:
|
||||
- OPEN_ID_CLIENT_SECRET_FILE=/run/secrets/openid_client_secret
|
||||
secrets:
|
||||
- openid_client_secret
|
||||
|
||||
secrets:
|
||||
openid_client_secret:
|
||||
external: true
|
||||
name: ${STACK_NAME}_openid_client_secret_${SECRET_OPEN_ID_CLIENT_SECRET_VERSION}
|
||||
@ -45,6 +45,8 @@ services:
|
||||
mode: 555
|
||||
- source: civicrm-settings-php
|
||||
target: /usr/local/etc/civicrm/civicrm.settings.php
|
||||
- source: openid-settings
|
||||
target: /usr/local/etc/civicrm/openid_settings.json
|
||||
entrypoint: /usr/local/bin/entrypoint.sh
|
||||
deploy:
|
||||
restart_policy:
|
||||
@ -59,7 +61,7 @@ services:
|
||||
#- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
|
||||
#- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
|
||||
#- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
|
||||
- "coop-cloud.${STACK_NAME}.version=0.1.3+5.82.0-wordpress-php8.1"
|
||||
- "coop-cloud.${STACK_NAME}.version=0.2.1+5.82.0-wordpress-php8.1"
|
||||
- "backupbot.backup=true"
|
||||
- "backupbot.backup.path=/var/www/html/wp-content/uploads"
|
||||
healthcheck:
|
||||
@ -139,6 +141,10 @@ configs:
|
||||
name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
|
||||
file: entrypoint.sh
|
||||
template_driver: golang
|
||||
openid-settings:
|
||||
name: ${STACK_NAME}_openid_settings_${OPENID_SETTINGS_VERSION}
|
||||
file: openid_settings.json
|
||||
template_driver: golang
|
||||
|
||||
secrets:
|
||||
db_root_password:
|
||||
|
||||
@ -29,6 +29,7 @@ file_env "CIVICRM_SITE_KEY"
|
||||
file_env "CIVICRM_CRED_KEYS"
|
||||
file_env "SMTP_PASSWORD"
|
||||
file_env "WORDPRESS_ADMIN_PASSWORD"
|
||||
file_env "OPEN_ID_CLIENT_SECRET"
|
||||
|
||||
if [[ "${1-default}" == "cron" ]]; then
|
||||
echo "============ Running cron job ============"
|
||||
@ -88,6 +89,46 @@ pushd /var/www/html/wp-content/uploads/civicrm/
|
||||
fi
|
||||
popd
|
||||
|
||||
OPEN_ID_CLIENT_ID="${OPEN_ID_CLIENT_ID:-unused}"
|
||||
if [ "$OPEN_ID_CLIENT_ID" != "unused" ]; then
|
||||
# install OpenID Connect Generic plugin
|
||||
if ! su civicrm -c "wp plugin is-installed daggerhart-openid-connect-generic"; then
|
||||
echo "============ Running OpenId Connect Install ============"
|
||||
su civicrm -c "wp plugin install daggerhart-openid-connect-generic --activate"
|
||||
else
|
||||
echo "OpenID Connect Generic Plugin already installed"
|
||||
fi
|
||||
|
||||
# if openid connect hasn't been configured, insert default settings
|
||||
if ! su civicrm -c "wp option get openid_connect_generic_settings"; then
|
||||
echo "Configuring OpenId Connect Plugin default settings"
|
||||
su civicrm -c "wp option add openid_connect_generic_settings --format=json < /usr/local/etc/civicrm/openid_settings.json"
|
||||
else
|
||||
echo "OpenId Connect Plugin default settings already present"
|
||||
fi
|
||||
|
||||
echo "============ Configuring OpenId Connect ============"
|
||||
su civicrm -c "wp option patch update openid_connect_generic_settings client_id $OPEN_ID_CLIENT_ID"
|
||||
su civicrm -c "wp option patch update openid_connect_generic_settings client_secret $OPEN_ID_CLIENT_SECRET"
|
||||
|
||||
AUTHENTIK_DOMAIN="${AUTHENTIK_DOMAIN:-unused}"
|
||||
if [ "$AUTHENTIK_DOMAIN" != "unused" ]; then
|
||||
echo "============ Configuring Authentik ============"
|
||||
su civicrm -c "wp option patch update openid_connect_generic_settings endpoint_login https://$AUTHENTIK_DOMAIN/application/o/authorize/"
|
||||
su civicrm -c "wp option patch update openid_connect_generic_settings endpoint_userinfo https://$AUTHENTIK_DOMAIN/application/o/userinfo/"
|
||||
su civicrm -c "wp option patch update openid_connect_generic_settings endpoint_token https://$AUTHENTIK_DOMAIN/application/o/token/"
|
||||
su civicrm -c "wp option patch update openid_connect_generic_settings endpoint_end_session https://$AUTHENTIK_DOMAIN/application/o/wordpress/end-session/"
|
||||
else
|
||||
echo "============ Configuring Generic OpenId Provider ============"
|
||||
su civicrm -c "wp option patch update openid_connect_generic_settings endpoint_login $OPEN_ID_PROVIDER_LOGIN_URL"
|
||||
su civicrm -c "wp option patch update openid_connect_generic_settings endpoint_userinfo $OPEN_ID_USERINFO_URL"
|
||||
su civicrm -c "wp option patch update openid_connect_generic_settings endpoint_token $OPEN_ID_TOKEN_ENDPOINT_URL"
|
||||
su civicrm -c "wp option patch update openid_connect_generic_settings endpoint_end_session $OPEN_ID_END_SESSION_URL"
|
||||
fi
|
||||
else
|
||||
echo "not using OpenIdConnect"
|
||||
fi
|
||||
|
||||
echo "============ Setting up cron ============"
|
||||
printenv > /etc/environment
|
||||
apt update && apt install -y cron
|
||||
|
||||
29
openid_settings.json
Normal file
29
openid_settings.json
Normal file
@ -0,0 +1,29 @@
|
||||
|
||||
{
|
||||
"login_type":"button",
|
||||
"client_id":"",
|
||||
"client_secret":"",
|
||||
"scope":"email profile openid offline_access",
|
||||
"endpoint_login":"",
|
||||
"endpoint_userinfo":"",
|
||||
"endpoint_token":"",
|
||||
"endpoint_end_session":"",
|
||||
"acr_values":"",
|
||||
"identity_key":"preferred_username",
|
||||
"no_sslverify":"0",
|
||||
"http_request_timeout":"5",
|
||||
"enforce_privacy":"0",
|
||||
"alternate_redirect_uri":"0",
|
||||
"nickname_key":"preferred_username",
|
||||
"email_format":"{email}",
|
||||
"displayname_format":"",
|
||||
"identify_with_username":"0",
|
||||
"state_time_limit":"180",
|
||||
"token_refresh_enable":"1",
|
||||
"link_existing_users":"0",
|
||||
"create_if_does_not_exist":"1",
|
||||
"redirect_user_back":"0",
|
||||
"redirect_on_logout":"1",
|
||||
"enable_logging":"0",
|
||||
"log_limit":"1000"
|
||||
}
|
||||
1
release/0.2.0+5.82.0-wordpress-php8.1
Normal file
1
release/0.2.0+5.82.0-wordpress-php8.1
Normal file
@ -0,0 +1 @@
|
||||
Authentik Support
|
||||
1
release/0.2.1+5.82.0-wordpress-php8.1
Normal file
1
release/0.2.1+5.82.0-wordpress-php8.1
Normal file
@ -0,0 +1 @@
|
||||
Fix bug when not using openid
|
||||
Loading…
x
Reference in New Issue
Block a user