diff --git a/.envrc.sample b/.envrc.sample
index 0f35ba8..a9fe2d6 100644
--- a/.envrc.sample
+++ b/.envrc.sample
@@ -8,9 +8,15 @@ export MEDIAWIKI_SITENAMESPACE="Example_Wiki"
 export MEDIAWIKI_EMAIL_CONTACT="info@wiki.example.com"
 export MEDIAWIKI_EMAIL_FROM="wiki@wiki.example.com"
+export SAML_CONTACT_NAME="Sam Ell"
+export SAML_CONTACT_EMAIL="saml@example.com"
+
 export DB_ROOT_PASSWORD_VERSION=v1
 export DB_PASSWORD_VERSION=v1
 export MEDIAWIKI_SECRET_KEY_VERSION=v1
+export SAML_ADMIN_PASSWORD_VERSION=v1
+
 export LOCAL_SETTINGS_CONF_VERSION=v1
 export HTACCESS_CONF_VERSION=v1
 export ENTRYPOINT_CONF_VERSION=v1
+export SAML_ENTRYPOINT_CONF_VERSION=v1
diff --git a/compose.yml b/compose.yml
index c8aaa2d..1bd8c73 100644
--- a/compose.yml
+++ b/compose.yml
@@ -61,14 +61,17 @@ services:
 - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
 - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
 entrypoint: /docker-entrypoint2.sh
- simplesamlphp:
+
+ simplesaml:
 image: venatorfox/simplesamlphp:latest
+ secrets:
+ - saml_admin_password
 environment:
- - CONFIG_BASEURLPATH=${DOMAIN}/simplesamlphp
- - CONFIG_AUTHADMINPASSWORD={SSHA256}MjJSiMlkQLa+fqI+CmQ1x1oUJ7OGucYpznKxBBHpgfC+Oh+7B9vgGw==
+ - CONFIG_BASEURLPATH=https://${DOMAIN}/simplesaml/
+ - CONFIG_AUTHADMINPASSWORD_FILE=/run/secrets/saml_admin_password
 - CONFIG_SECRETSALT=exampleabcdefghijklmnopqrstuvwxy
- - CONFIG_TECHNICALCONTACT_NAME=Adam W Zheng
- - CONFIG_TECHNICALCONTACT_EMAIL=helo@autonomic.zone
+ - CONFIG_TECHNICALCONTACT_NAME=${SAML_CONTACT_NAME}
+ - CONFIG_TECHNICALCONTACT_EMAIL=${SAML_CONTACT_EMAIL}
 - CONFIG_SHOWERRORS=true
 - CONFIG_ERRORREPORTING=true
 - CONFIG_ADMINPROTECTINDEXPAGE=true
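Review bot: `CONFIG_SECRETSALT=exampleabcdefghijklmnopqrstuvwxy` is left as a committed placeholder in the environment block while the admin password on the neighbouring line is moved into a Docker secret; SimpleSAMLphp uses secretsalt whenever it generates secure hashes, so it should be a per-deployment secret as well. The new entrypoint's `file_env` helper is generic, so the same `_FILE` pattern covers it: a `- CONFIG_SECRETSALT_FILE=/run/secrets/<salt-secret-name>` entry here, a matching external secret, and `file_env "CONFIG_SECRETSALT"` in entrypoint.simplesaml.sh.tmpl. The removed `{SSHA256}…` admin hash remains in git history, so the new secret should hold a freshly generated credential rather than the old value re-wrapped. The `environment:` list continues past the end of this hunk.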
@@ -78,15 +81,29 @@ services:
 #- CONFIG_MEMCACHESTOREPREFIX=simplesamlphp
 #- CONFIG_MEMCACHESTORESERVERS= 'memcache_store.servers' => [\n [\n ['hostname' => 'some-memcacheda01'],\n ['hostname' => 'some-memcacheda02'],\n ],\n [\n ['hostname' => 'some-memcachedb01'],\n ['hostname' => 'some-memcachedb02'],\n ],
 - OPENLDAP_TLS_REQCERT=allow
- - MTA_NULLCLIENT=false
+ - MTA_NULLCLIENT=true
 - POSTFIX_MYHOSTNAME=${DOMAIN}
 - POSTFIX_MYORIGIN=$$mydomain
 - POSTFIX_INETINTERFACES=loopback-only
 - DOCKER_REDIRECTLOGS=true
+ tty: true
+ configs:
+ - source: entrypoint_saml_conf
+ target: /docker-entrypoint.simplesaml.sh
+ mode: 0555
 volumes:
 - simplesaml:/var/simplesamlphp/
 networks:
 - internal
+ - proxy
+ entrypoint: /docker-entrypoint.simplesaml.sh
+ deploy:
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.services.${STACK_NAME}_simplesaml.loadbalancer.server.port=80"
+ - "traefik.http.routers.${STACK_NAME}_simplesaml.rule=(Host(`${DOMAIN}`) && PathPrefix(`/simplesaml`))"
+ - "traefik.http.routers.${STACK_NAME}_simplesaml.entrypoints=web-secure"
+ - "traefik.http.routers.${STACK_NAME}_simplesaml.tls.certresolver=${LETS_ENCRYPT_ENV}"
 volumes:
 mariadb:
@@ -109,6 +126,9 @@ secrets:
 mediawiki_secret_key:
 name: ${STACK_NAME}_mediawiki_secret_key_${MEDIAWIKI_SECRET_KEY_VERSION}
 external: true
+ saml_admin_password:
+ name: ${STACK_NAME}_saml_admin_password_${MEDIAWIKI_SECRET_KEY_VERSION}
+ external: true
 configs:
 LocalSettings_conf:
@@ -123,3 +143,7 @@ configs:
 name: ${STACK_NAME}_entrypoint2_${ENTRYPOINT_CONF_VERSION}
 file: entrypoint.sh.tmpl
 template_driver: golang
+ entrypoint_saml_conf:
+ name: ${STACK_NAME}_entrypoint_saml_${ENTRYPOINT_CONF_VERSION}
+ file: entrypoint.simplesaml.sh.tmpl
+ template_driver: golang
diff --git a/entrypoint.simplesaml.sh.tmpl b/entrypoint.simplesaml.sh.tmpl
new file mode 100644
index 0000000..1cd285f
--- /dev/null
+++ b/entrypoint.simplesaml.sh.tmpl
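Review bot: The new `- proxy` network and the `traefik.http.routers.${STACK_NAME}_simplesaml.*` labels publish SimpleSAMLphp to anonymous internet clients at `https://${DOMAIN}/simplesaml`, while `CONFIG_SHOWERRORS=true` and `CONFIG_ERRORREPORTING=true` (context lines in the previous hunk of this file) are still set, so error pages rendered to the public now carry exception detail. Set both to `false` for this stack, or leave a comment next to them explaining why they must stay on; `CONFIG_ADMINPROTECTINDEXPAGE=true` only covers the index page, not error output. The `simplesaml` service definition begins in the previous hunk, so the environment entries are outside this one.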
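Review bot: `name: ${STACK_NAME}_saml_admin_password_${MEDIAWIKI_SECRET_KEY_VERSION}` ties the new secret's name to the MediaWiki secret-key version, although `.envrc.sample` in this same commit introduces `SAML_ADMIN_PASSWORD_VERSION` for exactly this purpose; as written that variable is never read, and rotating the SAML admin password forces a bump of `MEDIAWIKI_SECRET_KEY_VERSION` and a re-creation of the unrelated MediaWiki secret. Change the line to `name: ${STACK_NAME}_saml_admin_password_${SAML_ADMIN_PASSWORD_VERSION}`. The same mismatch is in the last hunk of this file, where `entrypoint_saml_conf` uses `${ENTRYPOINT_CONF_VERSION}` instead of the new `SAML_ENTRYPOINT_CONF_VERSION`; that line should read `name: ${STACK_NAME}_entrypoint_saml_${SAML_ENTRYPOINT_CONF_VERSION}`.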
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+set -e
+
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+file_env "CONFIG_AUTHADMINPASSWORD"
+
+/init "$@"
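Review bot: `/init "$@"` on the last line runs the image's init as a child of this bash wrapper instead of replacing it, so bash stays PID 1, the SIGTERM from `docker stop` is delivered to bash rather than to `/init`, and if `/init` is an s6-overlay style supervisor it may refuse to run or misbehave when it is not PID 1; make it `exec /init "$@"`. `file_env` reads the secret with `$(< "${!fileVar}")`, which strips trailing newlines — fine for a secret created from a file, but a comment should state which form SimpleSAMLphp expects in that file for `auth.adminpassword` (the removed compose line used an `{SSHA256}` hash). A header comment would also help readers of the template, e.g. `# Resolve CONFIG_*_FILE secrets into CONFIG_* env vars, then hand off to the image's /init`. Because compose.yml renders this file with `template_driver: golang`, any literal `{{` added later has to be escaped.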