diff --git a/.drone.yml b/.drone.yml
index a86b636..2136f92 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -14,10 +14,13 @@ steps:
 networks:
 - proxy
 environment:
- DOMAIN: mealie.swarm-test.autonomic.zone # UPDATE ME
+ DOMAIN: mealie.swarm-test.autonomic.zone
 STACK_NAME: mealie
 LETS_ENCRYPT_ENV: staging
 LOG_CONFIG_VERSION: v1
+ OIDC_CLIENT_SECRET_VERSION: v1
+ APP_ENTRYPOINT_VERSION: v1
+
 trigger:
 branch:
 - main
diff --git a/.env.sample b/.env.sample
index efef38c..6224bbc 100644
--- a/.env.sample
+++ b/.env.sample
@@ -20,6 +20,7 @@ LOG_CONFIG_OVERRIDE=/app/logconf-override.json
 # DEFAULT_PASSWORD=MyPassword
 ## OIDC Authentication with Keycloak: https://docs.mealie.io/documentation/getting-started/authentication/oidc/
+# COMPOSE_FILE="$COMPOSE_FILE:compose.oidc.yml"
 # OIDC_AUTH_ENABLED=true
 # ALLOW_PASSWORD_LOGIN=false
 # OIDC_SIGNUP_ENABLED=true
@@ -30,4 +31,4 @@ LOG_CONFIG_OVERRIDE=/app/logconf-override.json
 # OIDC_USER_CLAIM=email
 # OIDC_NAME_CLAIM=preferred_username
 # OIDC_CLIENT_ID=
-# OIDC_CLIENT_SECRET=
+# OIDC_CLIENT_SECRET_VERSION=v1 # generate=false
diff --git a/README.md b/README.md
index a89b34d..02ca96d 100644
--- a/README.md
+++ b/README.md
@@ -27,7 +27,7 @@ For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech) and [`docs.me
 ## Single Sign On (SSO)
-The default config contains commented-out lines for setting up SSO with [Keycloak](https://recipes.coopcloud.tech/keycloak).
+The default config contains commented-out lines for setting up SSO with [Keycloak](https://recipes.coopcloud.tech/keycloak). Uncomment those lines and edit as needed. To set the client secret, run `abra app secret insert oidc_client_secret v1`
 During the first-time setup, you'll want to ensure `ALLOW_PASSWORD_LOGIN=true` so you can login as the default admin to perform the initial setup and change the local admin password. You can set it back to false after that.
diff --git a/abra.sh b/abra.sh
index 2f614f0..9b9802b 100644
--- a/abra.sh
+++ b/abra.sh
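Review bot: The two added `*_VERSION` variables only take effect if the CI deploy's `COMPOSE_FILE` also includes `compose.oidc.yml`, and this hunk does not show that. If it does, `compose.oidc.yml` declares the secret as `external: true`, so the test deploy will fail until a `mealie_oidc_client_secret_v1` secret has been inserted on that swarm, and nothing in the pipeline records that prerequisite; if it does not, `APP_ENTRYPOINT_VERSION` here is dead configuration. A comment next to the two lines, e.g. `# used by compose.oidc.yml; the oidc_client_secret secret must exist on the swarm before deploy`, would make the dependency visible to whoever maintains the test stack.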
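Review bot: The added `COMPOSE_FILE="$COMPOSE_FILE:compose.oidc.yml"` line relies on `COMPOSE_FILE` already being defined earlier in the sample (outside this hunk); if it is not, uncommenting it yields `:compose.oidc.yml`, with an empty first entry. Uncommenting it also makes the deploy depend on `OIDC_CLIENT_SECRET_VERSION` being set, because the new entrypoint template only renders the secret handling when that variable is non-empty. A one-line comment above it, e.g. `# Requires OIDC_CLIENT_SECRET_VERSION below and the base COMPOSE_FILE value above`, would spare a reader the cross-file lookup.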
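Review bot: The replacement line removes `OIDC_CLIENT_SECRET=` but does not tell the reader how the value is now supplied; since `# generate=false` means abra will not create the secret, the sample should say it must be inserted by hand, e.g. a comment above it `# Not generated: insert it with abra app secret insert <domain> oidc_client_secret v1 <value>` (placeholder arguments). The command quoted in the README and release notes of this commit, `abra app secret insert oidc_client_secret v1`, appears to omit the app domain and the secret value that subcommand takes, which is worth checking against the abra CLI help before this ships.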
@@ -1 +1,2 @@
 export LOG_CONFIG_VERSION=v1
+export APP_ENTRYPOINT_VERSION=v1
diff --git a/compose.oidc.yml b/compose.oidc.yml
new file mode 100644
index 0000000..0b1bdb1
--- /dev/null
+++ b/compose.oidc.yml
@@ -0,0 +1,20 @@
+services:
+ app:
+ secrets:
+ - oidc_client_secret
+ configs:
+ - source: app_entrypoint
+ target: /abra-entrypoint.sh
+ mode: 0555
+ entrypoint: /abra-entrypoint.sh
+
+secrets:
+ oidc_client_secret:
+ name: ${STACK_NAME}_oidc_client_secret_${OIDC_CLIENT_SECRET_VERSION}
+ external: true
+
+configs:
+ app_entrypoint:
+ name: ${STACK_NAME}_app_entrypoint_${APP_ENTRYPOINT_VERSION}
+ file: entrypoint.sh.tmpl
+ template_driver: golang
diff --git a/compose.yml b/compose.yml
index e75a0a7..a5ea3b9 100644
--- a/compose.yml
+++ b/compose.yml
@@ -1,9 +1,6 @@
----
-version: "3.8"
-
 services:
 app:
- image: ghcr.io/mealie-recipes/mealie:v3.1.2
+ image: ghcr.io/mealie-recipes/mealie:v3.3.0
 networks:
 - proxy
 volumes:
@@ -20,7 +17,7 @@ services:
 - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
 - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.scheme=https"
 - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.permanent=true"
- - "coop-cloud.${STACK_NAME}.version=1.2.2+v3.1.2"
+ - "coop-cloud.${STACK_NAME}.version=2.0.0+v3.3.0"
 - "backupbot.backup=true"
 - "backupbot.backup.path=/app/data/"
 # Upstream dockerfile specifies a healthcheck
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
new file mode 100644
index 0000000..db97c20
--- /dev/null
+++ b/entrypoint.sh.tmpl
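Review bot: As far as these hunks show, the mounted secret never reaches the `OIDC_CLIENT_SECRET` variable the application reads: this file attaches `oidc_client_secret` to the service but sets no environment variable pointing at `/run/secrets/oidc_client_secret`, and the entrypoint template in the following hunk calls `file_env "OIDC_CLIENT_SECRET_VERSION"`, which by its own logic only looks for `OIDC_CLIENT_SECRET_VERSION_FILE` and re-exports the version string. Unless the `environment:` block of compose.yml (outside these hunks) already wires this up, the `app` service here needs `environment:` with `OIDC_CLIENT_SECRET_FILE: /run/secrets/oidc_client_secret`, and the template should call `file_env "OIDC_CLIENT_SECRET"` so the file contents are exported under the name the app expects. `external: true` also means the deploy fails until the secret has been inserted, which the sample env file should state next to `OIDC_CLIENT_SECRET_VERSION`.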
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -e
+
+# Inspiration: https://git.coopcloud.tech/coop-cloud/peertube/src/branch/main/entrypoint.sh.tmpl
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+ exit 1
+ fi
+
+ local val="$def"
+
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+{{ if not (eq (env "OIDC_CLIENT_SECRET_VERSION") "") }}
+file_env "OIDC_CLIENT_SECRET_VERSION"
+{{ end }}
+
+# Must match https://github.com/mealie-recipes/mealie/blob/3ba2227bc79bc857d4b04f9d9878045b7a098af4/docker/Dockerfile#L164
+/app/run.sh "$@"
diff --git a/release/next b/release/next
new file mode 100644
index 0000000..7c3880d
--- /dev/null
+++ b/release/next
@@ -0,0 +1,12 @@
+BREAKING CHANGE: TOKEN_TIME now maxes out at 87600 (10 years) in v3.3.0 of mealie.
+
+BREAKING CHANGE (if you use SSO): We added the ability to store the oidc client secret in docker secrets.
+
+To migrate, add the following lines to your config:
+
+ COMPOSE_FILE="$COMPOSE_FILE:compose.oidc.yml"
+ OIDC_CLIENT_SECRET_VERSION=v1
+
+Then remove the client secret from your config and insert it as a secret using this command:
+
+ abra app secret insert oidc_client_secret v1
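Review bot: The final `/app/run.sh "$@"` starts the application as a child of this script instead of replacing it, and since compose.oidc.yml makes this script the container entrypoint, bash stays PID 1: the SIGTERM from `docker stop` is delivered to bash, which does not forward it to a running foreground child, so the container sits out the stop timeout unless `run.sh` itself execs into the app. Make the last line `exec /app/run.sh "$@"`. The `file_env` helper is otherwise in good shape: it refuses to proceed when both the variable and its `_FILE` twin are set, reads the file with `$(< …)`, and unsets the path afterwards so it does not linger in the app's environment.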