Optional OAuth login

2020-09-24 20:56:27 +02:00
parent de6be2b142
commit f99887403c
5 changed files with 123 additions and 3 deletions
--- a/.envrc.sample
+++ b/.envrc.sample
@ -3,4 +3,17 @@ export DOMAIN=rocketchat.example.com
 export STACK_NAME=rocketchat
 export LETS_ENCRYPT_ENV=production

+# Keycloak settings
 # https://docs.rocket.chat/guides/administrator-guides/settings-via-env-vars
+export ADMIN_USERNAME=admin
+export ADMIN_EMAIL=rocketchat@example.com
+
+# OAuth with Keycloak
+#export COMPOSE_FILE="compose.yml:compose.oauth.yml"
+#export Accounts_OAuth_Custom-Keycloak-url="https://id.example.com/auth"
+#export Accounts_OAuth_Custom-Keycloak-token_path="/realms/realmname/protocol/openid-connect/token"
+#export Accounts_OAuth_Custom-Keycloak-identity_path="/realms/realmname/protocol/openid-connect/userinfo"
+#export Accounts_OAuth_Custom-Keycloak-authorize_path="/realms/realmname/protocol/openid-connect/auth"
+#export Accounts_OAuth_Custom-Keycloak-id="rocketchat"
+
+#export OAUTH_KEY_VERSION=v1
--- a/README.md
+++ b/README.md
@ -1,4 +1,21 @@
+# Rocketchat

-# SSO
+[Rocket.chat] RSS reader using Coöp Cloud ♥
+
+1. Set up Docker Swarm and [`abra`]
+2. Deploy [`compose-stacks/traefik`]
+3. `cp .envrc.sample .envrc`
+4. Edit `.envrc` - be sure to change `$DOMAIN` to something that resolves to
+   your Docker swarm box
+5. `direnv allow` (or `. .envrc`)
+6. `abra secret_generate db_password v1`
+7. `abra deploy`
+9. Open the configured domain in your browser to finish set-up
+
+## SSO

 https://docs.rocket.chat/guides/administrator-guides/authentication/open-id-connect/keycloak
+
+[Rocket.chat]: https://rocket.chat
+[`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra
+[`compose-stacks/traefik`]: https://git.autonomic.zone/compose-stacks/traefik
--- a/compose.oauth.yml
+++ b/compose.oauth.yml
@ -0,0 +1,29 @@
+---
+version: '3.8'
+
+services:
+  rocketchat:
+    secrets:
+      - oauth_key
+    environment:
+      - Accounts_OAuth_Custom-Keycloak=true
+      - Accounts_OAuth_Custom-Keycloak-url=${Accounts_OAuth_Custom_Keycloak_url}
+      - Accounts_OAuth_Custom-Keycloak-token_path=${Accounts_OAuth_Custom_Keycloak_token_path}
+      - Accounts_OAuth_Custom-Keycloak-token_sent_via=Header
+      - Accounts_OAuth_Custom-Keycloak-identity_token_sent_via=header
+      - Accounts_OAuth_Custom-Keycloak-identity_path=${Accounts_OAuth_Custom_Keycloak_identity_path}
+      - Accounts_OAuth_Custom-Keycloak-authorize_path=${Accounts_OAuth_Custom_Keycloak_authorize_path}
+      - Accounts_OAuth_Custom-Keycloak-scope=openid
+      - Accounts_OAuth_Custom-Keycloak-id=${Accounts_OAuth_Custom_Keycloak_id}
+      - Accounts_OAuth_Custom-Keycloak-login_style=redirect
+      - Accounts_OAuth_Custom-Keycloak-button_label_text=Login via Keycloak
+      - Accounts_OAuth_Custom-Keycloak-button_label_color="#FFFFFF"
+      - Accounts_OAuth_Custom-Keycloak-button_color="#13679A"
+      - Accounts_OAuth_Custom-Keycloak-username_field=preferred_username
+      - Accounts_OAuth_Custom-Keycloak-merge_users=false
+      - OAUTH_KEY_FILE=/run/secrets/oauth_key
+
+secrets:
+  oauth_key:    
+    external: true 
+    name: ${STACK_NAME}_oauth_key_${OAUTH_KEY_VERSION}
--- a/compose.yml
+++ b/compose.yml
@ -14,14 +14,24 @@ services:
        done; (exit $$s)"
    volumes:
      - "rocketchat_uploads:/app/uploads"
+    secrets:
+      - admin_password
    environment:
      - PORT=3000
      - ROOT_URL=https://${DOMAIN}
      - MONGO_URL=mongodb://mongo:27017/rocketchat
      - MONGO_OPLOG_URL=mongodb://mongo:27017/local
      - MAIL_URL=smtp://smtp.email
-#       - HTTP_PROXY=http://proxy.domain.com
-#       - HTTPS_PROXY=http://proxy.domain.com
+      - ADMIN_USERNAME
+      - ADMIN_PASS_FILE=/run/secrets/admin_password
+      - ADMIN_EMAIL
+      #- HTTP_PROXY=http://proxy.domain.com
+      #- HTTPS_PROXY=http://proxy.domain.com
+    configs:
+      - source: entrypoint_conf
+        target: /docker-entrypoint.sh
+        mode: 0555
+    entrypoint: /docker-entrypoint.sh
    networks:
      - internal
      - proxy
@ -100,3 +110,14 @@ networks:
 volumes:
  rocketchat_uploads:
  mongo:
+
+secrets:
+  admin_password:    
+    external: true 
+    name: ${STACK_NAME}_admin_password_${ADMIN_PASSWORD_VERSION}
+
+configs:
+  entrypoint_conf:
+    name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_CONF_VERSION}
+    file: entrypoint.sh.tmpl
+    template_driver: golang
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+file_env() {
+	# 3wc: Load $VAR_FILE into $VAR - useful for secrets. See
+	# 	https://medium.com/@adrian.gheorghe.dev/using-docker-secrets-in-your-environment-variables-7a0609659aab
+	local var="$1"
+	local fileVar="${var}_FILE"
+	local def="${2:-}"
+
+	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+		echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+		exit 1
+	fi
+	local val="$def"
+	if [ "${!var:-}" ]; then
+		val="${!var}"
+	elif [ "${!fileVar:-}" ]; then
+		val="$(< "${!fileVar}")"
+	fi
+	export "$var"="$val"
+	unset "$fileVar"
+}
+
+load_vars() {
+	file_env "ADMIN_PASS"
+	file_env "OAUTH_KEY"
+}
+
+main() {
+	set -eu
+
+	load_vars
+}
+
+main 
+
+# 3wc: upstream ENTRYPOINT
+# we need to use `env` here because bash won't fuck with variable names with
+# hyphens, but both `env` and `node` seem fine..
+env Accounts_OAuth_Custom-Keycloak-secret=$OAUTH_KEY "$@"