Make SimpleSAML optional using separate compose
This commit is contained in:
parent
2aac2eb0c5
commit
bae33cacd9
|
@ -19,16 +19,18 @@ export ENTRYPOINT_CONF_VERSION=v1
|
|||
|
||||
# SAML
|
||||
|
||||
export SAML_ENABLED=1
|
||||
export SAML_CONTACT_NAME="Sam Ell"
|
||||
export SAML_CONTACT_EMAIL="saml@example.com"
|
||||
#export COMPOSE="compose.yml compose.simplesaml.yml"
|
||||
|
||||
export SAML_EMAIL_ATTRIBUTE=email
|
||||
export SAML_REAL_NAME_ATTRIBUTE=realname
|
||||
export SAML_AUTH_SOURCE_ID=dev-sp
|
||||
export SAML_USERNAME_ATTRIBUTE=user
|
||||
#export SAML_ENABLED=1
|
||||
#export SAML_CONTACT_NAME="Sam Ell"
|
||||
#export SAML_CONTACT_EMAIL="saml@example.com"
|
||||
|
||||
export SAML_ADMIN_PASSWORD_VERSION=v1
|
||||
export SAML_SECRET_SALT_VERSION=v1
|
||||
#export SAML_EMAIL_ATTRIBUTE=email
|
||||
#export SAML_REAL_NAME_ATTRIBUTE=realname
|
||||
#export SAML_AUTH_SOURCE_ID=dev-sp
|
||||
#export SAML_USERNAME_ATTRIBUTE=user
|
||||
|
||||
export SAML_ENTRYPOINT_CONF_VERSION=v1
|
||||
#export SAML_ADMIN_PASSWORD_VERSION=v1
|
||||
#export SAML_SECRET_SALT_VERSION=v1
|
||||
|
||||
#export SAML_ENTRYPOINT_CONF_VERSION=v1
|
||||
|
|
38
README.md
38
README.md
|
@ -18,10 +18,38 @@ Based on [`mediawiki-ve-bundle`][mediawiki-ve].
|
|||
8. `abra service_run mediawiki /bin/bash` to open a shell
|
||||
9. `php /var/www/html/maintenance/createAndPromote.php YourUsername YourPassword`
|
||||
|
||||
## SimpleSAML
|
||||
## SimpleSAMLphp
|
||||
|
||||
1. `abra secret_generate saml_admin_password v1`
|
||||
2. `abra secret_generate saml_secret_key v1 "pwgen -n 64 1"`
|
||||
This app includes optional SAML Single Sign On using
|
||||
[SimpleSAMLphp][simplesamlphp] and Mediawiki's
|
||||
[Extension:SimpleSAMLphp][mw-simplesamlphp], based on the
|
||||
[`venatorfox/simplesamlphp`][venatorfox-simplesamlphp] image.
|
||||
|
||||
NOTE: currently, if you enable SAML then it'll disable Mediawiki's own user account
|
||||
system. Patches to make this configurable are welcome!
|
||||
|
||||
1. Edit `.envrc` and uncomment lines in the `SAML` section (including `COMPOSE`)
|
||||
2. `direnv allow`
|
||||
3. Generate secrets:
|
||||
```
|
||||
abra secret_generate saml_admin_password v1
|
||||
abra secret_generate saml_secret_key v1 "pwgen -n 64 1"
|
||||
```
|
||||
4. `abra deploy`
|
||||
5. Copy your SimpleSAMLphp metadata and certificates to the container (assuming
|
||||
you have local `metadata` and `cert` folders:
|
||||
```
|
||||
abra cp metadata simplesamlphp:/var/simplesamlphp/
|
||||
abra cp cert simplesamlphp:/var/simplesamlphp/
|
||||
```
|
||||
6. You can log into SimpleSAMLphp using the password you generated at
|
||||
https://$DOMAIN/simplesaml/ and test authentication
|
||||
7. Edit SimpleSAMLphp's `config.php` and change `store.sql.dsn`:
|
||||
```
|
||||
abra run simplesamlphp vim
|
||||
# find 'store.sql.dsn' and edit to:
|
||||
# 'sqlite:/var/simplesamlphp/data/simplesamlphp.sq3'
|
||||
```
|
||||
|
||||
## License
|
||||
|
||||
|
@ -31,3 +59,7 @@ MIT License
|
|||
[abra]: https://git.autonomic.zone/autonomic-cooperative/abra
|
||||
[compose-traefik]: https://git.autonomic.zone/compose-stacks/traefik
|
||||
[mediawiki-ve]: https://hub.docker.com/r/revianlabs/mediawiki-ve-bundle
|
||||
|
||||
[simplesamlphp]: https://simplesamlphp.org/
|
||||
[mw-simplesamlphp]: https://www.mediawiki.org/wiki/Extension:SimpleSAMLphp
|
||||
[venatorfox-simplesamlphp]: https://hub.docker.com/r/venatorfox/simplesamlphp
|
||||
|
|
|
@ -0,0 +1,80 @@
|
|||
---
|
||||
version: '3.8'
|
||||
|
||||
services:
|
||||
mediawiki:
|
||||
volumes:
|
||||
- 'simplesaml:/var/simplesamlphp/'
|
||||
- 'simplesaml_log:/var/simplesamlphp/log'
|
||||
environment:
|
||||
- SAML_AUTH_SOURCE_ID=${SAML_AUTH_SOURCE_ID}
|
||||
- SAML_EMAIL_ATTRIBUTE=${SAML_EMAIL_ATTRIBUTE}
|
||||
- SAML_REAL_NAME_ATTRIBUTE=${SAML_REAL_NAME_ATTRIBUTE}
|
||||
- SAML_SERVICE_PROVIDER=${SAML_SERVICE_PROVIDER}
|
||||
- SAML_USERNAME_ATTRIBUTE=${SAML_USERNAME_ATTRIBUTE}
|
||||
|
||||
simplesaml:
|
||||
image: venatorfox/simplesamlphp:latest
|
||||
secrets:
|
||||
- saml_admin_password
|
||||
- saml_secret_salt
|
||||
environment:
|
||||
- DOMAIN=${DOMAIN}
|
||||
- CONFIG_BASEURLPATH=https://${DOMAIN}/simplesaml/
|
||||
- CONFIG_AUTHADMINPASSWORD_FILE=/run/secrets/saml_admin_password
|
||||
- CONFIG_SECRETSALT_FILE=/run/secrets/saml_secret_salt
|
||||
- CONFIG_TECHNICALCONTACT_NAME=${SAML_CONTACT_NAME}
|
||||
- CONFIG_TECHNICALCONTACT_EMAIL=${SAML_CONTACT_EMAIL}
|
||||
- CONFIG_SHOWERRORS=true
|
||||
- CONFIG_ERRORREPORTING=true
|
||||
- CONFIG_ADMINPROTECTINDEXPAGE=true
|
||||
- CONFIG_LOGGINGLEVEL=INFO
|
||||
- CONFIG_ENABLESAML20IDP=true
|
||||
- CONFIG_STORETYPE=sql
|
||||
#- CONFIG_MEMCACHESTOREPREFIX=simplesamlphp
|
||||
#- CONFIG_MEMCACHESTORESERVERS= 'memcache_store.servers' => [\n [\n ['hostname' => 'memcached']\n ],
|
||||
- OPENLDAP_TLS_REQCERT=allow
|
||||
- MTA_NULLCLIENT=true
|
||||
- POSTFIX_MYHOSTNAME=${DOMAIN}
|
||||
- POSTFIX_MYORIGIN=$$mydomain
|
||||
- POSTFIX_INETINTERFACES=loopback-only
|
||||
- DOCKER_REDIRECTLOGS=false
|
||||
# Required if DOCKER_REDIRECTLOGS=true
|
||||
# tty: true
|
||||
configs:
|
||||
- source: entrypoint_saml_conf
|
||||
target: /docker-entrypoint.simplesaml.sh
|
||||
mode: 0555
|
||||
volumes:
|
||||
- simplesaml:/var/simplesamlphp/
|
||||
- simplesaml_log:/var/simplesamlphp/log
|
||||
networks:
|
||||
- internal
|
||||
- proxy
|
||||
entrypoint: /docker-entrypoint.simplesaml.sh
|
||||
#entrypoint: ["tail", "-f", "/dev/null"]
|
||||
deploy:
|
||||
labels:
|
||||
- "traefik.enable=true"
|
||||
- "traefik.http.services.${STACK_NAME}_simplesaml.loadbalancer.server.port=80"
|
||||
- "traefik.http.routers.${STACK_NAME}_simplesaml.rule=(Host(`${DOMAIN}`) && PathPrefix(`/simplesaml`))"
|
||||
- "traefik.http.routers.${STACK_NAME}_simplesaml.entrypoints=web-secure"
|
||||
- "traefik.http.routers.${STACK_NAME}_simplesaml.tls.certresolver=${LETS_ENCRYPT_ENV}"
|
||||
|
||||
volumes:
|
||||
simplesaml:
|
||||
simplesaml_log:
|
||||
|
||||
secrets:
|
||||
saml_admin_password:
|
||||
name: ${STACK_NAME}_saml_admin_password_${SAML_ADMIN_PASSWORD_VERSION}
|
||||
external: true
|
||||
saml_secret_salt:
|
||||
name: ${STACK_NAME}_saml_secret_salt_${SAML_SECRET_SALT_VERSION}
|
||||
external: true
|
||||
|
||||
configs:
|
||||
entrypoint_saml_conf:
|
||||
name: ${STACK_NAME}_entrypoint_saml_${SAML_ENTRYPOINT_CONF_VERSION}
|
||||
file: entrypoint.simplesaml.sh.tmpl
|
||||
template_driver: golang
|
66
compose.yml
66
compose.yml
|
@ -33,16 +33,9 @@ services:
|
|||
- MEDIAWIKI_SITENAME=${MEDIAWIKI_SITENAME}
|
||||
- MEDIAWIKI_SITENAMESPACE=${MEDIAWIKI_SITENAMESPACE}
|
||||
- SAML_ENABLED=${SAML_ENABLED}
|
||||
- SAML_AUTH_SOURCE_ID=${SAML_AUTH_SOURCE_ID}
|
||||
- SAML_EMAIL_ATTRIBUTE=${SAML_EMAIL_ATTRIBUTE}
|
||||
- SAML_REAL_NAME_ATTRIBUTE=${SAML_REAL_NAME_ATTRIBUTE}
|
||||
- SAML_SERVICE_PROVIDER=${SAML_SERVICE_PROVIDER}
|
||||
- SAML_USERNAME_ATTRIBUTE=${SAML_USERNAME_ATTRIBUTE}
|
||||
volumes:
|
||||
- 'mediawiki_images:/var/www/html/images'
|
||||
- 'parsoid:/usr/lib/parsoid'
|
||||
- 'simplesaml:/var/simplesamlphp/'
|
||||
- 'simplesaml_log:/var/simplesamlphp/log'
|
||||
configs:
|
||||
- source: LocalSettings_conf
|
||||
target: /var/www/html/LocalSettings.php
|
||||
|
@ -70,59 +63,10 @@ services:
|
|||
- "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
|
||||
entrypoint: /docker-entrypoint2.sh
|
||||
|
||||
simplesaml:
|
||||
image: venatorfox/simplesamlphp:latest
|
||||
secrets:
|
||||
- saml_admin_password
|
||||
- saml_secret_salt
|
||||
environment:
|
||||
- DOMAIN=${DOMAIN}
|
||||
- CONFIG_BASEURLPATH=https://${DOMAIN}/simplesaml/
|
||||
- CONFIG_AUTHADMINPASSWORD_FILE=/run/secrets/saml_admin_password
|
||||
- CONFIG_SECRETSALT_FILE=/run/secrets/saml_secret_salt
|
||||
- CONFIG_TECHNICALCONTACT_NAME=${SAML_CONTACT_NAME}
|
||||
- CONFIG_TECHNICALCONTACT_EMAIL=${SAML_CONTACT_EMAIL}
|
||||
- CONFIG_SHOWERRORS=true
|
||||
- CONFIG_ERRORREPORTING=true
|
||||
- CONFIG_ADMINPROTECTINDEXPAGE=true
|
||||
- CONFIG_LOGGINGLEVEL=INFO
|
||||
- CONFIG_ENABLESAML20IDP=true
|
||||
- CONFIG_STORETYPE=sql
|
||||
#- CONFIG_MEMCACHESTOREPREFIX=simplesamlphp
|
||||
#- CONFIG_MEMCACHESTORESERVERS= 'memcache_store.servers' => [\n [\n ['hostname' => 'memcached']\n ],
|
||||
- OPENLDAP_TLS_REQCERT=allow
|
||||
- MTA_NULLCLIENT=true
|
||||
- POSTFIX_MYHOSTNAME=${DOMAIN}
|
||||
- POSTFIX_MYORIGIN=$$mydomain
|
||||
- POSTFIX_INETINTERFACES=loopback-only
|
||||
- DOCKER_REDIRECTLOGS=false
|
||||
tty: true
|
||||
configs:
|
||||
- source: entrypoint_saml_conf
|
||||
target: /docker-entrypoint.simplesaml.sh
|
||||
mode: 0555
|
||||
volumes:
|
||||
- simplesaml:/var/simplesamlphp/
|
||||
- simplesaml_log:/var/simplesamlphp/log
|
||||
networks:
|
||||
- internal
|
||||
- proxy
|
||||
entrypoint: /docker-entrypoint.simplesaml.sh
|
||||
#entrypoint: ["tail", "-f", "/dev/null"]
|
||||
deploy:
|
||||
labels:
|
||||
- "traefik.enable=true"
|
||||
- "traefik.http.services.${STACK_NAME}_simplesaml.loadbalancer.server.port=80"
|
||||
- "traefik.http.routers.${STACK_NAME}_simplesaml.rule=(Host(`${DOMAIN}`) && PathPrefix(`/simplesaml`))"
|
||||
- "traefik.http.routers.${STACK_NAME}_simplesaml.entrypoints=web-secure"
|
||||
- "traefik.http.routers.${STACK_NAME}_simplesaml.tls.certresolver=${LETS_ENCRYPT_ENV}"
|
||||
|
||||
volumes:
|
||||
mariadb:
|
||||
mediawiki_images:
|
||||
parsoid:
|
||||
simplesaml:
|
||||
simplesaml_log:
|
||||
|
||||
networks:
|
||||
proxy:
|
||||
|
@ -139,12 +83,6 @@ secrets:
|
|||
mediawiki_secret_key:
|
||||
name: ${STACK_NAME}_mediawiki_secret_key_${MEDIAWIKI_SECRET_KEY_VERSION}
|
||||
external: true
|
||||
saml_admin_password:
|
||||
name: ${STACK_NAME}_saml_admin_password_${SAML_ADMIN_PASSWORD_VERSION}
|
||||
external: true
|
||||
saml_secret_salt:
|
||||
name: ${STACK_NAME}_saml_secret_salt_${SAML_SECRET_SALT_VERSION}
|
||||
external: true
|
||||
|
||||
configs:
|
||||
LocalSettings_conf:
|
||||
|
@ -159,7 +97,3 @@ configs:
|
|||
name: ${STACK_NAME}_entrypoint2_${ENTRYPOINT_CONF_VERSION}
|
||||
file: entrypoint.sh.tmpl
|
||||
template_driver: golang
|
||||
entrypoint_saml_conf:
|
||||
name: ${STACK_NAME}_entrypoint_saml_${SAML_ENTRYPOINT_CONF_VERSION}
|
||||
file: entrypoint.simplesaml.sh.tmpl
|
||||
template_driver: golang
|
||||
|
|
Loading…
Reference in New Issue