chore: publish 0.4.0+4.3.2 release

.env.sample

@@ -7,23 +7,35 @@ SECRET_ADMIN_PASSWORD_VERSION=v1
 
 DEFAULT_LOCALES="fr_FR fr_FR.UTF-8 en_GB en_GB.UTF-8 en_US en_US.UTF-8 nl_NL nl_NL.UTF-8"
 
+COMPOSE_FILE="compose.yml"
+
 # Custom R version
-#COMPOSE_FILE="compose.yml:compose.version.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.version.yml"
 #R_VERSION=3.6.3
 
 # MSSQL driver
 MSSQL_ENABLED="1"
 
+# Comment out if you are using keycloak or oidc
+COMPOSE_FILE="$COMPOSE_FILE:compose.local-users.yml"
+# Share the local user database with other instances
+#COMPOSE_FILE="$COMPOSE_FILE:compose.local-users-shared.yml"
+#LOCAL_USERS_VOLUME=rstudio_example_com_users
+
 # OpenID Connect (SSO)
-# COMPOSE_FILE="compose.yml:compose.oidc.yml"
-# OIDC_ENABLED=1
-# OIDC_CLIENT_ID=
-# OIDC_ISSUER_URL=
-# SECRET_OIDC_CLIENT_SECRET=v1
+#COMPOSE_FILE="$COMPOSE_FILE:compose.oidc.yml"
+#OIDC_ENABLED=1
+#OIDC_CLIENT_ID=
+#OIDC_ISSUER_URL=
+#SECRET_OIDC_CLIENT_SECRET=v1
 
 # Keycloak integration
-# COMPOSE_FILE="compose.yml:compose.keycloak.yml"
-# KEYCLOAK_ENABLED=1
-# KEYCLOAK_CLIENT_ID=
-# KEYCLOAK_CLIENT_TOKEN_URL=
-# SECRET_KEYCLOAK_CLIENT_SECRET=v1
+#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak.yml"
+#KEYCLOAK_ENABLED=1
+#KEYCLOAK_CLIENT_ID=
+#KEYCLOAK_CLIENT_TOKEN_URL=
+#SECRET_KEYCLOAK_CLIENT_SECRET_VERSION=v1
+
+# Shared secret
+#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak-sharedsecret.yml"
+#SHARED_SECRET_NAME=keycloak_rstudio_client_secret

abra.sh

@@ -1,4 +1,4 @@
-export CUSTOM_ENTRYPOINT_VERSION=v12
+export CUSTOM_ENTRYPOINT_VERSION=v17
 export OIDC_CONF_VERSION=v1
 export PAM_EXEC_OAUTH2_YAML_VERSION=v1
-export PAM_SCRIPT_AUTH_VERSION=v4
+export PAM_SCRIPT_AUTH_VERSION=v7

compose.keycloak-sharedsecret.yml

@@ -0,0 +1,7 @@
+---
+version: "3.8"
+
+secrets:
+  keycloak_client_secret:
+    name: ${SHARED_SECRET_NAME}
+    external: true

compose.keycloak.yml

@@ -32,5 +32,5 @@ configs:
 
 secrets:
   keycloak_client_secret:
-    name: ${STACK_NAME}_keycloak_client_secret_${SECRET_KEYCLOAK_CLIENT_SECRET}
+    name: ${STACK_NAME}_keycloak_client_secret_${SECRET_KEYCLOAK_CLIENT_SECRET_VERSION}
     external: true

compose.local-users-shared.yml

@@ -0,0 +1,7 @@
+---
+version: "3.8"
+
+volumes:
+  users:
+    external: true
+    name: ${LOCAL_USERS_VOLUME}

compose.local-users.yml

@@ -0,0 +1,12 @@
+---
+version: "3.8"
+
+services:
+  app:
+    volumes:
+      - users:/opt/users
+    environment:
+      - COPY_USERS=1
+
+volumes:
+  users:

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: rocker/tidyverse:4.1.0
+    image: rocker/tidyverse:4.3.2
     networks:
       - proxy
     volumes:
@@ -29,7 +29,7 @@ services:
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "coop-cloud.${STACK_NAME}.version=0.1.0+4.1.0"
+        - "coop-cloud.${STACK_NAME}.version=0.4.0+4.3.2"
     entrypoint: /docker-entrypoint.sh
     command: /init
 

entrypoint.sh.tmpl

@@ -21,6 +21,35 @@ file_env() {
    unset "$fileVar"
 }
 
+{{ if eq (env "COPY_USERS") "1" }}
+cp /opt/users/passwd /etc/passwd || true
+cp /opt/users/shadow /etc/shadow || true
+cp /opt/users/group /etc/group || true
+
+copy_users() {
+  while true; do
+    if [ /etc/passwd -nt /opt/users/passwd ]; then
+      cp -uv /etc/passwd /opt/users/passwd
+    else
+      cp -uv /opt/users/passwd /etc/passwd 
+    fi
+    if [ /etc/shadow -nt /opt/users/shadow ]; then
+      cp -uv /etc/shadow /opt/users/shadow
+    else
+      cp -uv /opt/users/shadow /etc/shadow 
+    fi
+    if [ /etc/group -nt /opt/users/group ]; then
+      cp -uv /etc/group /opt/users/group
+    else
+      cp -uv /opt/users/group /etc/group 
+    fi
+    sleep 60
+  done
+}
+
+copy_users &
+{{ end }}
+
 file_env "PASSWORD"
 
 {{ if eq (env "OIDC_ENABLED") "1" }}
@@ -30,6 +59,7 @@ echo 'auth-openid-base-uri=https://{{ env "DOMAIN" }}' >> /etc/rstudio/rserver.c
 {{ end }}
 
 {{ if eq (env "KEYCLOAK_ENABLED") "1" }}
+apt update --allow-releaseinfo-change
 apt install -y libpam-script
 mkdir -p /opt/pam-exec-oauth2/
 wget https://github.com/WASHNote/pam-exec-oauth2/releases/download/v0.0.1/pam-exec-oauth2 -O /opt/pam-exec-oauth2/pam-exec-oauth2
@@ -47,7 +77,7 @@ curl https://packages.microsoft.com/keys/microsoft.asc | apt-key add -
 
 curl https://packages.microsoft.com/config/ubuntu/20.04/prod.list > /etc/apt/sources.list.d/mssql-release.list
 
-apt update && apt install -yq msodbcsql17 mssql-tools
+apt update && apt -o Dpkg::Options::="--force-overwrite" install -yq msodbcsql17 mssql-tools
 {{ end }}
 
 locale-gen {{ env "DEFAULT_LOCALES" }}

pam_script_auth.sh

@@ -10,9 +10,10 @@ if ! id "$PAM_USER" &>/dev/null; then
 	# without it, UID→username mapping changes on every container restart, which
 	# creates file ownership issues and prevents RStudio from working.
 	# See https://github.com/WASHNote/washnote-apps/issues/67
-	uid=$(echo "$PAM_USER" | md5sum | grep -Eo "[[:digit:]]{3}"  | head -n1)
+	uid=$(echo "$PAM_USER" | md5sum | grep -Eo "[[:digit:]]{3}"  | head -n1 | sed -E 's/^0+//')
 	uid=$((1000+uid))
 	adduser --uid="$uid" "$PAM_USER" --disabled-password --quiet --gecos ""
+    usermod -aG staff "$PAM_USER"
 fi
 
 exit 0