Compare commits
16 Commits
0.2.0+apac
...
main
Author | SHA1 | Date |
---|---|---|
Moritz | 7ec54e395d | |
Simon | 7f73b1c79e | |
Simon | 5bd20ca185 | |
Simon | dc2d7c7b99 | |
Simon | aae873dfe5 | |
Simon | 028eb71e34 | |
Simon | facbb958a5 | |
Moritz | a4f02cf0a4 | |
Philipp Rothmann | 92c3bcf27e | |
Philipp Rothmann | 5c4f6098bf | |
Moritz | 7220e08109 | |
3wc | af070f42e7 | |
3wc | ca97a2b248 | |
3wc | f42ad06dbf | |
3wc | e88b9bdc76 | |
3wc | 7f8382687a |
27
.drone.yml
27
.drone.yml
|
@ -3,10 +3,12 @@ kind: pipeline
|
|||
name: deploy to swarm-test.autonomic.zone
|
||||
steps:
|
||||
- name: deployment
|
||||
image: decentral1se/stack-ssh-deploy:latest
|
||||
image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
|
||||
settings:
|
||||
host: swarm-test.autonomic.zone
|
||||
stack: kimai
|
||||
networks:
|
||||
- proxy
|
||||
deploy_key:
|
||||
from_secret: drone_ssh_swarm_test
|
||||
generate_secrets: true
|
||||
|
@ -16,19 +18,26 @@ steps:
|
|||
STACK_NAME: kimai
|
||||
LETS_ENCRYPT_ENV: production
|
||||
ENTRYPOINT_CONF_VERSION: v1
|
||||
ADMIN_PASSWORD_VERSION: v1
|
||||
DB_PASSWORD_VERSION: v1
|
||||
DB_ROOT_PASSWORD_VERSION: v1
|
||||
LOCAL_CONF_VERSION: v1
|
||||
SECRET_DB_PASSWORD_VERSION: v1
|
||||
SECRET_DB_ROOT_PASSWORD_VERSION: v1
|
||||
SECRET_ADMIN_PASSWORD_VERSION: v1
|
||||
trigger:
|
||||
branch:
|
||||
- main
|
||||
---
|
||||
kind: pipeline
|
||||
name: recipe release
|
||||
name: generate recipe catalogue
|
||||
steps:
|
||||
- name: release a new version
|
||||
image: thecoopcloud/drone-abra:latest
|
||||
image: plugins/downstream
|
||||
settings:
|
||||
command: recipe kimai release
|
||||
deploy_key:
|
||||
from_secret: abra_bot_deploy_key
|
||||
server: https://build.coopcloud.tech
|
||||
token:
|
||||
from_secret: drone_abra-bot_token
|
||||
fork: true
|
||||
repositories:
|
||||
- coop-cloud/auto-recipes-catalogue-json
|
||||
|
||||
trigger:
|
||||
event: tag
|
||||
|
|
|
@ -8,9 +8,13 @@ LETS_ENCRYPT_ENV=production
|
|||
SECRET_DB_PASSWORD_VERSION=v1
|
||||
SECRET_DB_ROOT_PASSWORD_VERSION=v1
|
||||
SECRET_ADMIN_PASSWORD_VERSION=v1
|
||||
SECRET_SSO_CERT_VERSION=v1
|
||||
|
||||
# SSO_ENABLED=0
|
||||
# SSO_PROVIDER_URL=https://sso.example.org/
|
||||
# SSO_SAML_URL=https://sso.example.org/application/saml/<application-slug>/sso/binding/redirect/
|
||||
# SSO_LOGOUT_URL=https://sso.example.org/if/session-end/<application-slug>/
|
||||
# SSO_CERT="muchmuchbase64certificatefoobar=="
|
||||
|
||||
# MAILER_URL="smtp://<from>:<password>%3F@<mailserver>:587"
|
||||
# MAILER_FROM="Kimai Notifications noreply@example.com"
|
|
@ -20,9 +20,9 @@ Based on the recommended [`tobybatch/kimai2`] compose file.
|
|||
1. Set up Docker Swarm and [`abra`]
|
||||
2. Deploy [`coop-cloud/traefik`]
|
||||
3. `abra app new kimai --secrets`
|
||||
4. `abra app YOURAPPDOMAIN config` - be sure to change `$DOMAIN` to something that resolves to
|
||||
4. `abra app config YOURAPPDOMAIN` - be sure to change `$DOMAIN` to something that resolves to
|
||||
your Docker swarm box
|
||||
5. `abra app YOURAPPDOMAIN deploy`
|
||||
5. `abra app deploy YOURAPPDOMAIN`
|
||||
6. `abra app run YOURAPPDOMAIN app create_admin`
|
||||
|
||||
[Kimai]: https://www.kimai.org/
|
||||
|
|
8
abra.sh
8
abra.sh
|
@ -1,7 +1,13 @@
|
|||
export ENTRYPOINT_CONF_VERSION=v1
|
||||
export LOCAL_CONF_VERSION=v1
|
||||
export LOCAL_CONF_VERSION=v2
|
||||
|
||||
create_admin () {
|
||||
export DATABASE_URL="$DATABASE_TYPE://$DATABASE_USER:$(cat /run/secrets/db_password)@$DATABASE_HOST/$DATABASE_NAME"
|
||||
/opt/kimai/bin/console kimai:create-user admin admin@example.org ROLE_SUPER_ADMIN
|
||||
}
|
||||
|
||||
insert_authentik_certificate() {
|
||||
SSO_PROVIDER_DOMAIN=$(echo $SSO_PROVIDER_URL | cut -d '/' -f 3)
|
||||
CERT=$(abra app cmd -T $SSO_PROVIDER_DOMAIN worker get_certificate Kimai)
|
||||
abra app secret insert $APP_NAME sso_cert v1 $CERT
|
||||
}
|
||||
|
|
52
compose.yml
52
compose.yml
|
@ -1,7 +1,7 @@
|
|||
version: '3.8'
|
||||
services:
|
||||
app:
|
||||
image: kimai/kimai2:apache-1.29.1-prod
|
||||
image: kimai/kimai2:apache-2.15.0-prod
|
||||
environment:
|
||||
- APP_ENV=prod
|
||||
- TRUSTED_HOSTS=localhost,traefik,${DOMAIN},127.0.0.1
|
||||
|
@ -10,7 +10,7 @@ services:
|
|||
- ADMINPASS_FILE=/run/secrets/admin_password
|
||||
- DATABASE_TYPE=mysql
|
||||
- DATABASE_HOST=db
|
||||
- DATABASE_NAME=kimai
|
||||
- DATABASE_NAME=kimai?charset=utf8mb4&serverVersion=5.7
|
||||
- DATABASE_USER=kimai
|
||||
- DATABASE_PASSWORD_FILE=/run/secrets/db_password
|
||||
- DOMAIN
|
||||
|
@ -18,7 +18,8 @@ services:
|
|||
- SSO_PROVIDER_URL
|
||||
- SSO_SAML_URL
|
||||
- SSO_LOGOUT_URL
|
||||
- SSO_CERT
|
||||
- MAILER_URL
|
||||
- MAILER_FROM
|
||||
volumes:
|
||||
- kimai_public:/opt/kimai/public
|
||||
- kimai_var:/opt/kimai/var
|
||||
|
@ -34,16 +35,16 @@ services:
|
|||
secrets:
|
||||
- db_password
|
||||
- admin_password
|
||||
- sso_cert
|
||||
depends_on:
|
||||
- db
|
||||
#entrypoint: ['tail', '-f', '/dev/null']
|
||||
entrypoint: /docker-entrypoint.sh
|
||||
#healthcheck:
|
||||
# test: curl -s -o /dev/null http://localhost:8001 || exit 1
|
||||
# interval: 20s
|
||||
# start_period: 10s
|
||||
# timeout: 10s
|
||||
# retries: 3
|
||||
healthcheck:
|
||||
test: curl -s -o /dev/null http://localhost:8001 || exit 1
|
||||
interval: 20s
|
||||
start_period: 120s
|
||||
timeout: 10s
|
||||
retries: 3
|
||||
deploy:
|
||||
restart_policy:
|
||||
condition: on-failure
|
||||
|
@ -57,7 +58,7 @@ services:
|
|||
- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
|
||||
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
|
||||
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
|
||||
- coop-cloud.${STACK_NAME}.app.version=0.2.0+apache-debian-1.29.1-prod
|
||||
- "coop-cloud.${STACK_NAME}.version=1.0.0+apache-2.15.0-prod"
|
||||
db:
|
||||
image: mysql:5.7
|
||||
environment:
|
||||
|
@ -73,24 +74,25 @@ services:
|
|||
- db_password
|
||||
- db_root_password
|
||||
command: --default-storage-engine innodb
|
||||
#healthcheck:
|
||||
# test: mysqladmin -pchangemeplease ping -h localhost
|
||||
# interval: 20s
|
||||
# start_period: 10s
|
||||
# timeout: 10s
|
||||
# retries: 3
|
||||
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", 'mysqladmin -p"$$(cat /run/secrets/db_root_password)" ping -h localhost']
|
||||
interval: 30s
|
||||
timeout: 10s
|
||||
retries: 10
|
||||
start_period: 1m
|
||||
deploy:
|
||||
labels:
|
||||
- backupbot.backup="true"
|
||||
- backupbot.backup.pre-hook='mkdir -p /tmp/backup/ && mysqldump --single-transaction -u root -p"$$(cat /run/secrets/db_root_password)" kimai > /tmp/backup/backup.sql'
|
||||
- backupbot.backup.post-hook="rm -rf /tmp/backup"
|
||||
- backupbot.backup.path="/tmp/backup/"
|
||||
- "backupbot.backup=true"
|
||||
- "backupbot.backup.pre-hook=sh -c 'mysqldump --single-transaction -u root -p\"$$(cat /run/secrets/db_root_password)\" kimai > /var/lib/mysql/backup.sql'"
|
||||
- "backupbot.backup.post-hook=rm -f /var/lib/mysql/backup.sql"
|
||||
- "backupbot.backup.path=/var/lib/mysql/backup.sql"
|
||||
|
||||
volumes:
|
||||
kimai_var:
|
||||
kimai_public:
|
||||
mariadb:
|
||||
|
||||
|
||||
secrets:
|
||||
db_password:
|
||||
external: true
|
||||
|
@ -101,10 +103,16 @@ secrets:
|
|||
admin_password:
|
||||
external: true
|
||||
name: ${STACK_NAME}_admin_password_${SECRET_ADMIN_PASSWORD_VERSION}
|
||||
sso_cert:
|
||||
external: true
|
||||
name: ${STACK_NAME}_sso_cert_${SECRET_SSO_CERT_VERSION}
|
||||
|
||||
networks:
|
||||
proxy:
|
||||
external: true
|
||||
internal:
|
||||
|
||||
|
||||
configs:
|
||||
entrypoint_conf:
|
||||
name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_CONF_VERSION}
|
||||
|
|
|
@ -7,10 +7,12 @@ kimai:
|
|||
- { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, kimai: email }
|
||||
- { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, kimai: alias }
|
||||
roles:
|
||||
resetOnLogin: true
|
||||
attribute: http://schemas.xmlsoap.org/claims/Group
|
||||
mapping:
|
||||
# Insert your roles here (ROLE_USER is added automatically)
|
||||
- { saml: admin.group, kimai: ROLE_ADMIN }
|
||||
- { saml: "authentik Admins", kimai: ROLE_ADMIN }
|
||||
connection:
|
||||
# You SAML provider
|
||||
# Your Authentik instance, replace https://authentik.company with your authentik URL
|
||||
|
@ -19,12 +21,11 @@ kimai:
|
|||
singleSignOnService:
|
||||
url: "{{ env "SSO_SAML_URL" }}"
|
||||
binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
|
||||
# the "single logout" feature was not yet tested, if you want to help, please let me know!
|
||||
singleLogoutService:
|
||||
url: "{{ env "SSO_LOGOUT_URL" }}"
|
||||
binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
|
||||
# Signing certificate from *Advanced protocol settings*
|
||||
x509cert: "{{ env "SSO_CERT" }}"
|
||||
x509cert: "{{ secret "sso_cert" }}"
|
||||
# Service Provider Data that we are deploying.
|
||||
# Your Kimai instance, replace https://kimai.dev.local-it.cloud with your Kimai URL
|
||||
sp:
|
||||
|
|
|
@ -0,0 +1 @@
|
|||
Make sure to have have a working backup before upgrading!
|
Loading…
Reference in New Issue