coop-cloud/rocketchat
1
0
Fork 0
Code Issues 1 Pull Requests 1 Releases Wiki Activity

Optional OAuth login

Browse Source
This commit is contained in:
3wc
2020-09-24 20:56:27 +02:00
parent de6be2b142
commit f99887403c
5 changed files with 123 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
.envrc.sample
View File

@ -3,4 +3,17 @@ export DOMAIN=rocketchat.example.com
export STACK_NAME=rocketchat export STACK_NAME=rocketchat
export LETS_ENCRYPT_ENV=production export LETS_ENCRYPT_ENV=production
# Keycloak settings
# https://docs.rocket.chat/guides/administrator-guides/settings-via-env-vars # https://docs.rocket.chat/guides/administrator-guides/settings-via-env-vars
export ADMIN_USERNAME=admin
export ADMIN_EMAIL=rocketchat@example.com
# OAuth with Keycloak
#export COMPOSE_FILE="compose.yml:compose.oauth.yml"
#export Accounts_OAuth_Custom-Keycloak-url="https://id.example.com/auth"
#export Accounts_OAuth_Custom-Keycloak-token_path="/realms/realmname/protocol/openid-connect/token"
#export Accounts_OAuth_Custom-Keycloak-identity_path="/realms/realmname/protocol/openid-connect/userinfo"
#export Accounts_OAuth_Custom-Keycloak-authorize_path="/realms/realmname/protocol/openid-connect/auth"
#export Accounts_OAuth_Custom-Keycloak-id="rocketchat"
#export OAUTH_KEY_VERSION=v1

19
README.md
View File

@ -1,4 +1,21 @@
# Rocketchat
# SSO [Rocket.chat] RSS reader using Coöp Cloud ♥
1. Set up Docker Swarm and [`abra`]
2. Deploy [`compose-stacks/traefik`]
3. `cp .envrc.sample .envrc`
4. Edit `.envrc` - be sure to change `$DOMAIN` to something that resolves to
your Docker swarm box
5. `direnv allow` (or `. .envrc`)
6. `abra secret_generate db_password v1`
7. `abra deploy`
9. Open the configured domain in your browser to finish set-up
## SSO
https://docs.rocket.chat/guides/administrator-guides/authentication/open-id-connect/keycloak https://docs.rocket.chat/guides/administrator-guides/authentication/open-id-connect/keycloak
[Rocket.chat]: https://rocket.chat
[`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra
[`compose-stacks/traefik`]: https://git.autonomic.zone/compose-stacks/traefik

29
compose.oauth.yml Normal file
View File

@ -0,0 +1,29 @@
---
version: '3.8'
services:
rocketchat:
secrets:
- oauth_key
environment:
- Accounts_OAuth_Custom-Keycloak=true
- Accounts_OAuth_Custom-Keycloak-url=${Accounts_OAuth_Custom_Keycloak_url}
- Accounts_OAuth_Custom-Keycloak-token_path=${Accounts_OAuth_Custom_Keycloak_token_path}
- Accounts_OAuth_Custom-Keycloak-token_sent_via=Header
- Accounts_OAuth_Custom-Keycloak-identity_token_sent_via=header
- Accounts_OAuth_Custom-Keycloak-identity_path=${Accounts_OAuth_Custom_Keycloak_identity_path}
- Accounts_OAuth_Custom-Keycloak-authorize_path=${Accounts_OAuth_Custom_Keycloak_authorize_path}
- Accounts_OAuth_Custom-Keycloak-scope=openid
- Accounts_OAuth_Custom-Keycloak-id=${Accounts_OAuth_Custom_Keycloak_id}
- Accounts_OAuth_Custom-Keycloak-login_style=redirect
- Accounts_OAuth_Custom-Keycloak-button_label_text=Login via Keycloak
- Accounts_OAuth_Custom-Keycloak-button_label_color="#FFFFFF"
- Accounts_OAuth_Custom-Keycloak-button_color="#13679A"
- Accounts_OAuth_Custom-Keycloak-username_field=preferred_username
- Accounts_OAuth_Custom-Keycloak-merge_users=false
- OAUTH_KEY_FILE=/run/secrets/oauth_key
secrets:
oauth_key:
external: true
name: ${STACK_NAME}_oauth_key_${OAUTH_KEY_VERSION}

21
compose.yml
View File

@ -14,14 +14,24 @@ services:
done; (exit $$s)" done; (exit $$s)"
volumes: volumes:
- "rocketchat_uploads:/app/uploads" - "rocketchat_uploads:/app/uploads"
secrets:
- admin_password
environment: environment:
- PORT=3000 - PORT=3000
- ROOT_URL=https://${DOMAIN} - ROOT_URL=https://${DOMAIN}
- MONGO_URL=mongodb://mongo:27017/rocketchat - MONGO_URL=mongodb://mongo:27017/rocketchat
- MONGO_OPLOG_URL=mongodb://mongo:27017/local - MONGO_OPLOG_URL=mongodb://mongo:27017/local
- MAIL_URL=smtp://smtp.email - MAIL_URL=smtp://smtp.email
- ADMIN_USERNAME
- ADMIN_PASS_FILE=/run/secrets/admin_password
- ADMIN_EMAIL
#- HTTP_PROXY=http://proxy.domain.com #- HTTP_PROXY=http://proxy.domain.com
#- HTTPS_PROXY=http://proxy.domain.com #- HTTPS_PROXY=http://proxy.domain.com
configs:
- source: entrypoint_conf
target: /docker-entrypoint.sh
mode: 0555
entrypoint: /docker-entrypoint.sh
networks: networks:
- internal - internal
- proxy - proxy
@ -100,3 +110,14 @@ networks:
volumes: volumes:
rocketchat_uploads: rocketchat_uploads:
mongo: mongo:
secrets:
admin_password:
external: true
name: ${STACK_NAME}_admin_password_${ADMIN_PASSWORD_VERSION}
configs:
entrypoint_conf:
name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_CONF_VERSION}
file: entrypoint.sh.tmpl
template_driver: golang

40
entrypoint.sh.tmpl Normal file
View File

@ -0,0 +1,40 @@
#!/usr/bin/env bash
file_env() {
# 3wc: Load $VAR_FILE into $VAR - useful for secrets. See
# https://medium.com/@adrian.gheorghe.dev/using-docker-secrets-in-your-environment-variables-7a0609659aab
local var="$1"
local fileVar="${var}_FILE"
local def="${2:-}"
if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
exit 1
fi
local val="$def"
if [ "${!var:-}" ]; then
val="${!var}"
elif [ "${!fileVar:-}" ]; then
val="$(< "${!fileVar}")"
fi
export "$var"="$val"
unset "$fileVar"
}
load_vars() {
file_env "ADMIN_PASS"
file_env "OAUTH_KEY"
}
main() {
set -eu
load_vars
}
main
# 3wc: upstream ENTRYPOINT
# we need to use `env` here because bash won't fuck with variable names with
# hyphens, but both `env` and `node` seem fine..
env Accounts_OAuth_Custom-Keycloak-secret=$OAUTH_KEY "$@"