First attempt at OpenID login
See https://git.autonomic.zone/compose-stacks/mediawiki/issues/14.
This commit is contained in:
parent
d75e15310c
commit
3ffc239373
@ -18,6 +18,7 @@ export MEDIAWIKI_SECRET_KEY_VERSION=v1
|
||||
export LOCAL_SETTINGS_CONF_VERSION=v1
|
||||
export HTACCESS_CONF_VERSION=v1
|
||||
export ENTRYPOINT_CONF_VERSION=v1
|
||||
export COMPOSER_LOCAL_CONF_VERSION=v1
|
||||
|
||||
# SAML
|
||||
|
||||
@ -40,3 +41,11 @@ export ENTRYPOINT_CONF_VERSION=v1
|
||||
## SMTP
|
||||
#export COMPOSE_FILE="compose.yml:compose.mailrelay.yml"
|
||||
#export SMTP_HOST=postfix_relay_app
|
||||
|
||||
# OpenID Connect
|
||||
|
||||
# export OPENID_ENABLED=1
|
||||
# export COMPOSE_FILE="compose.yml:compose.openid.yml"
|
||||
# export OPENID_KEYCLOAK_URL="https://keycloak.local:8080/auth/realms/acme/"
|
||||
# export OPENID_CLIENT_ID="mediawiki"
|
||||
# export OPENID_CLIENT_SECRET_VERSION=v1
|
||||
|
@ -183,6 +183,16 @@ $wgGroupPermissions['*']['createaccount'] = false;
|
||||
$wgDebugLogFile = "/var/log/debug-{$wgDBname}.log";
|
||||
{{ end }}
|
||||
|
||||
{{ if eq (env "OPENID_ENABLED") "1" }}
|
||||
wfLoadExtension( 'PluggableAuth' );
|
||||
wfLoadExtension( 'OpenIDConnect' );
|
||||
|
||||
$wgOpenIDConnect_Config['{{ env "OPENID_KEYCLOAK_URL" }}'] = [
|
||||
'clientID' => '{{ env "OPENID_CLIENT_ID"}}',
|
||||
'clientsecret' => '{{ secret "openid-client-secret" }}'
|
||||
];
|
||||
{{ end }}
|
||||
|
||||
{{ if env "SMTP_HOST" }}
|
||||
$wgSMTP = [
|
||||
'host' => '{{ env "SMTP_HOST" }}', // could also be an IP address. Where the SMTP server is located
|
||||
|
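Review bot: The new block reads the secret as `{{ secret "openid-client-secret" }}` (hyphens) while compose.openid.yml mounts it into the service as `openid_client_secret` (underscores); if the `secret` template function resolves by the mounted secret name, this lookup yields nothing and `clientsecret` renders empty, so the two names should agree, e.g. `'clientsecret' => '{{ secret "openid_client_secret" }}'`. Both env values are interpolated verbatim into single-quoted PHP string literals, so a quote character in `OPENID_CLIENT_ID` or `OPENID_KEYCLOAK_URL` would break LocalSettings; a short comment stating that constraint next to `$wgOpenIDConnect_Config` would help operators. The hunk context shows `$wgGroupPermissions['*']['createaccount'] = false;`; if OpenID logins are expected to create local accounts on first sign-in, check whether the `autocreateaccount` right needs granting inside the `OPENID_ENABLED` branch, otherwise first logins may fail.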
19
README.md
19
README.md
@ -10,18 +10,18 @@ Based on [`mediawiki-ve-bundle`][mediawiki-ve].
|
||||
|
||||
1. Set up Docker Swarm and [`abra`][abra]
|
||||
2. Deploy [`compose-stacks/traefik`][compose-traefik]
|
||||
2. `cp .envrc.sample .envrc`
|
||||
3. Edit `.envrc` - be sure to change `$DOMAIN` to something that resolves to
|
||||
3. `cp .envrc.sample .envrc`
|
||||
4. Edit `.envrc` - be sure to change `$DOMAIN` to something that resolves to
|
||||
your Docker swarm box
|
||||
4. `direnv allow` (or `. .envrc`)
|
||||
5. Generate secrets:
|
||||
5. `direnv allow` (or `. .envrc`)
|
||||
6. Generate secrets:
|
||||
```
|
||||
abra secret_generate db_password v1
|
||||
abra secret_generate db_root_password v1
|
||||
abra secret_generate mediawiki_secret_key v1 "pwgen -n 64 1"
|
||||
```
|
||||
6. `abra deploy`
|
||||
7. Create an initial admin user:
|
||||
7. `abra deploy`
|
||||
8. Create an initial admin user:
|
||||
`abra run app php /var/www/html/maintenance/createAndPromote.php YourUsername YourPassword`
|
||||
|
||||
## SimpleSAMLphp
|
||||
@ -57,6 +57,12 @@ system. Patches to make this configurable are welcome!
|
||||
# 'sqlite:/var/simplesamlphp/data/simplesamlphp.sq3'
|
||||
```
|
||||
|
||||
## OpenID Connect
|
||||
|
||||
1. Edit `.envrc` and uncomment lines in the `OPENID` section (including `COMPOSE_FILE`)
|
||||
1. `direnv allow`
|
||||
1. Get your Keycloak generated client secret and `docker secret create` it as `openid_client_secret`
|
||||
|
||||
## License
|
||||
|
||||
MIT License
|
||||
@ -65,7 +71,6 @@ MIT License
|
||||
[abra]: https://git.autonomic.zone/autonomic-cooperative/abra
|
||||
[compose-traefik]: https://git.autonomic.zone/compose-stacks/traefik
|
||||
[mediawiki-ve]: https://hub.docker.com/r/revianlabs/mediawiki-ve-bundle
|
||||
|
||||
[simplesamlphp]: https://simplesamlphp.org/
|
||||
[mw-simplesamlphp]: https://www.mediawiki.org/wiki/Extension:SimpleSAMLphp
|
||||
[venatorfox-simplesamlphp]: https://hub.docker.com/r/venatorfox/simplesamlphp
|
||||
|
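--- a/compose.openid.yml
+++ b/compose.openid.yml
@@ -0,0 +1,21 @@
+---
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - OPENID_KEYCLOAK_URL
+      - OPENID_CLIENT_ID
+    secrets:
+      - openid_client_secret
+
+secrets:
+  openid_client_secret:
+    name: ${STACK_NAME}_openid_client_secret_${OPENID_CLIENT_SECRET_VERSION}
+    external: true
+
+configs:
+  composer_local_conf:
+    name: ${STACK_NAME}_composer_local_${COMPOSER_LOCAL_CONF_VERSION}
+    file: composer.local.json.tmpl
+    template_driver: golang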
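Review bot: The `composer_local_conf` config points at `file: composer.local.json.tmpl`, but the file added in this commit is `composer.local.json`, so the deploy will not find it; either rename the file or change the line to `file: composer.local.json`. The config is also declared only at top level and not attached to the `app` service here, so unless compose.yml already mounts it, the file never reaches the container. `OPENID_ENABLED` is missing from the `environment` list, so the entrypoint's `[ -n "$OPENID_ENABLED" ]` checks cannot see it inside the container unless compose.yml passes it through; add `- OPENID_ENABLED` beside `- OPENID_KEYCLOAK_URL`. Finally, the external secret is named `${STACK_NAME}_openid_client_secret_${OPENID_CLIENT_SECRET_VERSION}`, while the README step tells the operator to `docker secret create` it as plain `openid_client_secret`; the README should state the versioned name so the deploy finds the secret.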
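--- a/composer.local.json
+++ b/composer.local.json
@@ -0,0 +1,9 @@
+{
+  "extra": {
+    "merge-plugin": {
+      "include": [
+        "extensions/OpenIDConnect/composer.json"
+      ]
+    }
+  }
+}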
@ -2,12 +2,24 @@
|
||||
|
||||
set -eu -o pipefail
|
||||
|
||||
init_php() {
|
||||
if ! type composer > /dev/null 2>&1; then
|
||||
apt update && apt install -y curl git
|
||||
curl -sS https://getcomposer.org/installer -o /tmp/composer-setup.php
|
||||
php /tmp/composer-setup.php --install-dir=/usr/local/bin --filename=composer --version=1.10.15
|
||||
composer -V
|
||||
init_composer() {
|
||||
set -eu
|
||||
|
||||
if [ -n "$OPENID_ENABLED" ]; then
|
||||
if ! type composer > /dev/null 2>&1; then
|
||||
apt update && apt install -y curl git
|
||||
curl -sS https://getcomposer.org/installer -o /tmp/composer-setup.php
|
||||
php /tmp/composer-setup.php --install-dir=/usr/local/bin --filename=composer --version=1.10.15
|
||||
composer -V
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
composer_update() {
|
||||
set -eu
|
||||
|
||||
if [ -n "$OPENID_ENABLED" ]; then
|
||||
cd /var/www/html/ && composer update
|
||||
fi
|
||||
}
|
||||
|
||||
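Review bot: `[ -n "$OPENID_ENABLED" ]` in `init_composer` and `composer_update` runs under `set -eu`, so on a deployment where OpenID is not enabled and the variable is simply unset the entrypoint aborts with an unbound-variable error instead of skipping the block; use `if [ -n "${OPENID_ENABLED:-}" ]; then` in both places (the `set -eu` repeated inside each function is redundant with the script-level `set -eu -o pipefail` above). `composer_update` runs an unpinned `composer update` on every container start, with network access and no committed lockfile, so the extension's dependency set can change between restarts and cannot be audited; resolving dependencies at image build time, or running `composer install` against a committed `composer.lock`, would make the deployed code reproducible. The Composer installer is likewise fetched with `curl -sS` and executed without verifying it against the published checksum, and the `--version=1.10.15` pin covers only the Composer binary, not the installer script; a comment noting this, or a checksum check before `php /tmp/composer-setup.php`, is worth adding.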
@ -60,7 +72,9 @@ main() {
|
||||
install_extensions
|
||||
|
||||
init_db
|
||||
init_php
|
||||
|
||||
init_composer
|
||||
composer_update
|
||||
}
|
||||
|
||||
main
|
||||
|