diff --git a/.env.sample b/.env.sample index 2c2424d..591be91 100644 --- a/.env.sample +++ b/.env.sample @@ -7,5 +7,18 @@ DOMAIN=lasuite-docs.example.com LETS_ENCRYPT_ENV=production +# NOTE: OpenID Connect (OIDC) single sign-on is **required**, see recipe README +OIDC_OP_JWKS_ENDPOINT=https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/certs +OIDC_OP_AUTHORIZATION_ENDPOINT=https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/auth +OIDC_OP_TOKEN_ENDPOINT=https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/token +OIDC_OP_USER_ENDPOINT=https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/userinfo +OIDC_RP_CLIENT_ID=impress # FIXME: Move to docker secret OIDC_RP_CLIENT_SECRET=example +OIDC_RP_SIGN_ALGO=RS256 +OIDC_RP_SCOPES="openid email" +LOGIN_REDIRECT_URL=https://${DOMAIN} +LOGIN_REDIRECT_URL_FAILURE=https://${DOMAIN} +LOGOUT_REDIRECT_URL=https://${DOMAIN} +OIDC_REDIRECT_ALLOWED_HOSTS='["https://auth.${DOMAIN}", "https://${DOMAIN}"]' +OIDC_AUTH_REQUEST_EXTRA_PARAMS="{'acr_values'='eidas1'}" diff --git a/README.md b/README.md index 437e73d..d6951f6 100644 --- a/README.md +++ b/README.md @@ -17,8 +17,13 @@ ## Quick start +* Deploy Single Sign On (see [Authentication](#authentication) below) * `abra app new lasuite-docs --secrets` * `abra app config ` * `abra app deploy ` For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech). + +## Authentication + +Docs **requires** an OpenID Connect (OIDC) single sign-on provider; we recommend [Authentik](https://git.coopcloud.tech/coop-cloud/authentik) or [Keycloak](https://git.coopcloud.tech/coop-cloud/keycloak), both of which are installable using Co-op Cloud. diff --git a/TODO.md b/TODO.md index f6f094e..f608715 100644 --- a/TODO.md +++ b/TODO.md 
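Review bot: `OIDC_AUTH_REQUEST_EXTRA_PARAMS="{'acr_values'='eidas1'}"` in the .env.sample hunk joins key and value with `=`, while the value it replaces in compose.yml in this same commit is `{'acr_values': 'eidas1'}`; if the application parses this as a dict literal the `=` form will not parse, so it should read `OIDC_AUTH_REQUEST_EXTRA_PARAMS="{'acr_values': 'eidas1'}"`, and whether the recommended Authentik/Keycloak realms honour an `acr_values=eidas1` request is worth confirming before it stays in the sample. `OIDC_REDIRECT_ALLOWED_HOSTS='["https://auth.${DOMAIN}", "https://${DOMAIN}"]'` is single-quoted; with godotenv-style parsing (which I believe abra uses) single-quoted values are not `${DOMAIN}`-expanded, so the rendered value should be checked, or the line switched to double quotes with the inner quotes escaped. That allow-list is what limits where the app will redirect after login, so a literal `${DOMAIN}` left in it would either break login or, worse, be silently ignored. `OIDC_RP_CLIENT_SECRET=example` remains a plaintext credential in the env file; the existing FIXME is right that it belongs in a docker secret, which `abra app new --secrets` in the README already provisions for.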
@@ -4,7 +4,7 @@
 - [x] Fix image uploads
 - [ ] Update recipe metadata
-- [ ] External OIDC server (+ move options to `.env.sample`)
+- [x] External OIDC server (+ move options to `.env.sample`)
 - [ ] Customisable Django `DJANGO_SECRET_KEY` and `DJANGO_SUPERUSER_PASSWORD`
 - [ ] Versioned recipe release
diff --git a/compose.yml b/compose.yml
index ca60483..39284b6 100644
--- a/compose.yml
+++ b/compose.yml
@@ -31,20 +31,20 @@ x-common-env: &common-env
 AWS_S3_SECRET_ACCESS_KEY: password
 MEDIA_BASE_URL: https://${DOMAIN}
 AWS_STORAGE_BUCKET_NAME: docs-media-storage
- # OIDC
- OIDC_OP_JWKS_ENDPOINT: https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/certs
- OIDC_OP_AUTHORIZATION_ENDPOINT: https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/auth
- OIDC_OP_TOKEN_ENDPOINT: https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/token
- OIDC_OP_USER_ENDPOINT: https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/userinfo
- OIDC_RP_CLIENT_ID: impress
+ # OIDC - settings from .env, see .env.sample
+ OIDC_OP_JWKS_ENDPOINT:
+ OIDC_OP_AUTHORIZATION_ENDPOINT:
+ OIDC_OP_TOKEN_ENDPOINT:
+ OIDC_OP_USER_ENDPOINT:
+ OIDC_RP_CLIENT_ID:
 OIDC_RP_CLIENT_SECRET:
- OIDC_RP_SIGN_ALGO: RS256
- OIDC_RP_SCOPES: "openid email"
- LOGIN_REDIRECT_URL: https://${DOMAIN}
- LOGIN_REDIRECT_URL_FAILURE: https://${DOMAIN}
- LOGOUT_REDIRECT_URL: https://${DOMAIN}
- OIDC_REDIRECT_ALLOWED_HOSTS: '["https://auth.${DOMAIN}", "https://${DOMAIN}"]'
- OIDC_AUTH_REQUEST_EXTRA_PARAMS: "{'acr_values': 'eidas1'}"
+ OIDC_RP_SIGN_ALGO:
+ OIDC_RP_SCOPES:
+ LOGIN_REDIRECT_URL:
+ LOGIN_REDIRECT_URL_FAILURE:
+ LOGOUT_REDIRECT_URL:
+ OIDC_REDIRECT_ALLOWED_HOSTS:
+ OIDC_AUTH_REQUEST_EXTRA_PARAMS:
 # AI
 AI_FEATURE_ENABLED: "false"
 AI_BASE_URL: https://openaiendpoint.com
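Review bot: The emptied entries from `OIDC_OP_JWKS_ENDPOINT:` down to `OIDC_AUTH_REQUEST_EXTRA_PARAMS:` depend on Compose's pass-through semantics (a key with no value is taken from the deploying shell's environment), and as far as I know a variable that is unset there is omitted from the container rather than causing a deploy error, so the application quietly falls back to its own default; for `OIDC_REDIRECT_ALLOWED_HOSTS` and `OIDC_RP_SIGN_ALGO` that is a security-relevant default to be sure about. The new comment does not say any of this; I would extend it to `# OIDC - values are passed through from the deploying environment (.env); an unset variable is omitted, so keep all of these set. See .env.sample`. If abra's loader honours the `${VAR:?err}` form, a fail-fast alternative is `OIDC_RP_CLIENT_ID: ${OIDC_RP_CLIENT_ID:?OIDC_RP_CLIENT_ID must be set in .env}` on the keys that must never be empty. The enclosing `x-common-env` anchor begins before the hunk.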
@@ -81,31 +81,6 @@ x-minio-env: &minio-env
 # FIXME: Move to docker secret
 MINIO_ROOT_PASSWORD: password
-x-keycloak-env: &kc-keycloak-env
- KC_BOOTSTRAP_ADMIN_USERNAME: admin
- # FIXME: Move to docker secret
- KC_BOOTSTRAP_ADMIN_PASSWORD: admin
- KC_DB: postgres
- KC_DB_URL_HOST: kc_postgresql
- KC_DB_SCHEMA: public
- PROXY_ADDRESS_FORWARDING: 'true'
- KC_HOSTNAME: https://auth.${DOMAIN}
- KC_HTTP_ENABLED: "true"
- # KC_HTTPS_CERTIFICATE_FILE: /etc/ssl/certs/docs.crt
- # KC_HTTPS_CERTIFICATE_KEY_FILE: /etc/ssl/private/docs.key`
-
-x-kc-postgres-env: &kc-postgres-env
- # Postgresql db container configuration
- POSTGRES_DB: keycloak
- POSTGRES_USER: keycloak
- # FIXME: Move to docker secret
- POSTGRES_PASSWORD: keycloak
- # Keycloak database configuration
- KC_DB_URL_DATABASE: keycloak
- KC_DB_USERNAME: keycloak
- # FIXME: Move to docker secret
- KC_DB_PASSWORD: keycloak
-
 services:
 app:
 image: lasuite/impress-frontend:v3.3.0
@@ -223,42 +198,6 @@ services:
 - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
 - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
- # FIXME: remove
- kc_postgresql:
- image: postgres:16
- networks:
- - backend
- healthcheck:
- test: ["CMD", "pg_isready", "-q", "-U", "keycloak", "-d", "keycloak"]
- interval: 1s
- timeout: 2s
- retries: 300
- environment:
- <<: *kc-postgres-env
- PGDATA: var/lib/postgresql/data/pgdata
- volumes:
- - postgres_keycloak:/var/lib/postgresql/data/pgdata
-
- keycloak:
- image: quay.io/keycloak/keycloak:26.1.0
- command: ["start"]
- networks:
- - proxy
- - backend
- environment:
- <<: [*kc-keycloak-env, *kc-postgres-env]
- # volumes:
- # - certs:/etc/ssl/certs:ro
- deploy:
- labels:
- - "traefik.enable=true"
- - "traefik.docker.network=proxy"
- - "traefik.http.routers.${STACK_NAME}-keycloak.tls=true"
- - "traefik.http.services.${STACK_NAME}-keycloak.loadbalancer.server.port=8080"
- - "traefik.http.routers.${STACK_NAME}-keycloak.rule=Host(`auth.${DOMAIN}`)"
- - "traefik.http.routers.${STACK_NAME}-keycloak.tls.certresolver=${LETS_ENCRYPT_ENV}"
- - "traefik.http.routers.${STACK_NAME}-keycloak.entrypoints=web-secure"
-
 networks:
 proxy:
 external: true
@@ -267,9 +206,6 @@ networks:
 volumes:
 postgres:
 minio:
- # FIXME: remove this
- postgres_keycloak:
- # certs:
 configs:
 nginx_conf: