Compare commits
3 Commits
upload-lim
...
user_oidc_
| Author | SHA1 | Date | |
|---|---|---|---|
| ec5934e191 | |||
| 4c3f6fa14d | |||
| eb3816b9c2 |
@ -93,6 +93,14 @@ DEFAULT_QUOTA="10 GB"
|
||||
#SECRET_TALK_TURN_SECRET_VERSION=v1 # length=64 charset=default
|
||||
#SECRET_TALK_SIGNALING_SECRET_VERSION=v1 # length=64 charset=default
|
||||
|
||||
# COMPOSE_FILE="$COMPOSE_FILE:compose.user_oidc.yml"
|
||||
# APPS="$APPS user_oidc"
|
||||
# USER_OIDC_PROVIDER=
|
||||
# USER_OIDC_ID=
|
||||
# USER_OIDC_DISCOVERY_URI=
|
||||
# USER_OIDC_END_SESSION_URI=
|
||||
# USER_OIDC_LOGIN_ONLY=false
|
||||
# SECRET_USER_OIDC_SECRET_VERSION=v1
|
||||
|
||||
# HSTS Options
|
||||
# Uncomment this line to enable HSTS: https://docs.nextcloud.com/server/30/admin_manual/installation/harden_server.html
|
||||
|
||||
25
README.md
25
README.md
@ -188,6 +188,31 @@ We've been able to get this setup by using the [social login](https://apps.nextc
|
||||
|
||||
If using Keycloak, you'll want to do [this trick](https://janikvonrotz.ch/2020/10/20/openid-connect-with-nextcloud-and-keycloak/) also.
|
||||
|
||||
## How do I enable OpenID Connect (OIDC) providers?
|
||||
[user_oidc](https://github.com/nextcloud/user_oidc) is the recommended way to integrate Nextcloud with OIDC providers.
|
||||
|
||||
Run `abra app config <app-name>`
|
||||
|
||||
Set the following envs:
|
||||
```env
|
||||
COMPOSE_FILE="$COMPOSE_FILE:compose.user_oidc.yml"
|
||||
APPS="$APPS user_oidc"
|
||||
USER_OIDC_PROVIDER=example-provider # this has been tested with keycloak
|
||||
USER_OIDC_ID=example-client-id # get this from your oidc provider
|
||||
USER_OIDC_DISCOVERY_URI=example-oidc-provider.com/.well-known/openid-configuration # get this from your oidc provider
|
||||
USER_OIDC_END_SESSION_URI=example-oidc-provider.com/protocol/openid-connect/logout # get this from your oidc provider
|
||||
USER_OIDC_LOGIN_ONLY=false # set this to true to automatically redirect all logins to your oidc provider
|
||||
SECRET_USER_OIDC_SECRET_VERSION=v1
|
||||
```
|
||||
|
||||
Then insert the client secret from your OIDC provider:
|
||||
```sh
|
||||
abra app secret insert <app-name> user_oidc_secret v1 <client-secret from oidc provider>
|
||||
```
|
||||
|
||||
After you deploy (or redeploy), run the following to set up the user_oidc Nextcloud app:
|
||||
`abra app cmd <app-name> app set_user_oidc`
|
||||
|
||||
## How can I customise the CSS?
|
||||
|
||||
There is some basic stuff in the admin settings.
|
||||
|
||||
19
abra.sh
19
abra.sh
@ -1,7 +1,7 @@
|
||||
#!/bin/bash
|
||||
|
||||
export FPM_TUNE_VERSION=v5
|
||||
export NGINX_CONF_VERSION=v8b
|
||||
export NGINX_CONF_VERSION=v8
|
||||
export MY_CNF_VERSION=v6
|
||||
export ENTRYPOINT_VERSION=v3
|
||||
export ENTRYPOINT_WHITEBOARD_VERSION=v1
|
||||
@ -159,6 +159,23 @@ set_authentik() {
|
||||
run_occ 'config:system:set lost_password_link --value=disabled'
|
||||
}
|
||||
|
||||
set_user_oidc() {
|
||||
install_apps user_oidc
|
||||
USER_OIDC_SECRET=$(cat /run/secrets/user_oidc_secret)
|
||||
run_occ "user_oidc:provider \
|
||||
--clientid=${USER_OIDC_ID} \
|
||||
--clientsecret=${USER_OIDC_SECRET} \
|
||||
--discoveryuri=${USER_OIDC_DISCOVERY_URI} \
|
||||
--endsessionendpointuri=${USER_OIDC_END_SESSION_URI} \
|
||||
--postlogouturi=https://${DOMAIN} \
|
||||
--scope='openid email profile' \
|
||||
${USER_OIDC_PROVIDER}"
|
||||
# disable non user_oidc login
|
||||
if [[ ${USER_OIDC_LOGIN_ONLY:-false} = "true" ]]; then
|
||||
run_occ "config:app:set --value=0 user_oidc allow_multiple_user_backends"
|
||||
fi
|
||||
}
|
||||
|
||||
disable_skeletondirectory() {
|
||||
run_occ "config:system:set skeletondirectory --value ''"
|
||||
}
|
||||
|
||||
10
compose.user_oidc.yml
Normal file
10
compose.user_oidc.yml
Normal file
@ -0,0 +1,10 @@
|
||||
version: "3.8"
|
||||
services:
|
||||
app:
|
||||
secrets:
|
||||
- user_oidc_secret
|
||||
|
||||
secrets:
|
||||
user_oidc_secret:
|
||||
external: true
|
||||
name: ${STACK_NAME}_user_oidc_secret_${SECRET_USER_OIDC_SECRET_VERSION}
|
||||
@ -14,7 +14,6 @@ services:
|
||||
- STACK_NAME
|
||||
- HSTS_ENABLED
|
||||
- HSTS_PRELOAD
|
||||
- PHP_UPLOAD_LIMIT=${PHP_UPLOAD_LIMIT:-512M}
|
||||
volumes:
|
||||
- nextcloud:/var/www/html/
|
||||
- nextapps:/var/www/html/custom_apps:cached
|
||||
@ -38,7 +37,6 @@ services:
|
||||
- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
|
||||
- "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.scheme=https"
|
||||
- "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.permanent=true"
|
||||
- "traefik.http.middlewares.${STACK_NAME}-buffering.buffering.maxRequestBodyBytes=0"
|
||||
- "caddy=${DOMAIN}"
|
||||
- "caddy.reverse_proxy={{upstreams 80}}"
|
||||
- "caddy.tls.on_demand="
|
||||
|
||||
@ -54,7 +54,7 @@ http {
|
||||
{{ end }}
|
||||
|
||||
# set max upload size
|
||||
client_max_body_size {{ env "PHP_UPLOAD_LIMIT" }} ;
|
||||
client_max_body_size 512M;
|
||||
fastcgi_buffers 64 4K;
|
||||
|
||||
# Enable gzip but do not remove ETag headers
|
||||
@ -162,10 +162,6 @@ http {
|
||||
|
||||
fastcgi_intercept_errors on;
|
||||
fastcgi_request_buffering off;
|
||||
|
||||
fastcgi_read_timeout 3600s;
|
||||
fastcgi_send_timeout 3600s;
|
||||
fastcgi_connect_timeout 60s;
|
||||
}
|
||||
|
||||
location ~ \.(?:css|js|svg|gif)$ {
|
||||
|
||||
Reference in New Issue
Block a user