chore: publish 0.3.0+5.82.0-wordpress-php8.1 release

Reviewed-on: coop-cloud/civicrm-wordpress#3
Reviewed-by: yksflip <flip@yksflip.de>

.drone.yml

@@ -6,33 +6,27 @@ steps:
     image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
     settings:
       host: swarm-test.autonomic.zone
-      stack: {{ .Name }}
+      stack: civicrm-wordpress
       generate_secrets: true
       purge: true
       deploy_key:
         from_secret: drone_ssh_swarm_test
       networks:
-        - proxy
+         proxy
     environment:
-      DOMAIN: {{ .Name }}.swarm-test.autonomic.zone
+      DOMAIN: civicrm-wordpress.swarm-test.autonomic.zone
-      STACK_NAME: {{ .Name }}
+      STACK_NAME: civicrm-wordpress
       LETS_ENCRYPT_ENV: production
+      EXTRA_VOLUME: "/dev/null:/tmp/.dummy"
+      APACHE_SITES_AVAILABLE_CONF_VERSION: v1
+      CIVICRM_SETTINGS_PHP_VERSION: v1
+      ENTRYPOINT_VERSION: v1
+      SECRET_DB_PASSWORD_VERSION: v1
+      SECRET_DB_ROOT_PASSWORD_VERSION: v1
+      SECRET_CIVICRM_SITE_KEY_VERSION: 'v1'
+      SECRET_CIVICRM_CRED_KEY_VERSION: 'v1'
+      SECRET_CIVICRM_SIGN_KEY_VERSION: 'v1'
+      CIVICRM_COMPONENTS: 'CiviEvent,CiviContribute,CiviMember,CiviMail,CiviReport'
 trigger:
   branch:
     - main
----
-kind: pipeline
-name: generate recipe catalogue
-steps:
-  - name: release a new version
-    image: plugins/downstream
-    settings:
-      server: https://build.coopcloud.tech
-      token:
-        from_secret: drone_abra-bot_token
-      fork: true
-      repositories:
-        - coop-cloud/auto-recipes-catalogue-json
-
-trigger:
-  event: tag

.env.sample

@@ -1,6 +1,6 @@
-TYPE=civicrm
+TYPE=civicrm-wordpress
 
-DOMAIN=civicrm.example.com
+DOMAIN=civicrm-wordpress.example.com
 
 ## Domain aliases
 #EXTRA_DOMAINS=', `www.civicrm.example.com`'
@@ -10,12 +10,14 @@ LETS_ENCRYPT_ENV=production
 PROJECT_NAME=example
 
 CIVICRM_COMPONENTS=CiviEvent,CiviContribute,CiviMember,CiviMail,CiviReport
-# CIVICRM_EXTENSIONS=shoreditch mosaico
+# CIVICRM_EXTENSIONS=mosaico
 CIVICRM_DB_NAME=civicrm
 CIVICRM_DB_USER=civicrm
 CIVICRM_DB_HOST=mysql
 CIVICRM_DB_PORT=3306
 
+WORDPRESS_LOCALE=en_US
+WORDPRESS_ADMIN_EMAIL=
 WORDPRESS_DB_NAME=wordpress
 WORDPRESS_DB_USER=wordpress
 WORDPRESS_DB_HOST=mysql
@@ -34,3 +36,21 @@ SECRET_DB_ROOT_PASSWORD_VERSION=v1
 SECRET_CIVICRM_SITE_KEY_VERSION=v1 # length=16
 SECRET_CIVICRM_CRED_KEY_VERSION=v1 # length=43
 SECRET_CIVICRM_SIGN_KEY_VERSION=v1 # length=43
+SECRET_WORDPRESS_ADMIN_PASSWORD_VERSION=v1
+
+## -- OpenId Connect --
+
+#COMPOSE_FILE="compose.yml:compose.openidconnect.yml"
+#OPEN_ID_CLIENT_ID=
+#SECRET_OPEN_ID_CLIENT_SECRET_VERSION=v1
+
+# If you are using authentik, just set this
+#AUTHENTIK_DOMAIN=authentik.company
+
+# Otherwise, you must set all of these
+#OPEN_ID_PROVIDER_LOGIN_URL=https://authentik.company/application/o/authorize/
+#OPEN_ID_USERINFO_URL=https://authentik.company/application/o/userinfo/
+#OPEN_ID_TOKEN_ENDPOINT_URL=https://authentik.company/application/o/token/
+#OPEN_ID_END_SESSION_URL=https://authentik.company/application/o/wordpress/end-session/
+
+## -- OpenId Connect --

README.md

@@ -1,6 +1,6 @@
 # civicrm
 
-> One line description of the recipe
+> CiviCRM Wordpress
 
 <!-- metadata -->
 
@@ -16,9 +16,24 @@
 <!-- endmetadata -->
 
 ## Quick start
-
+* `abra app new civicrm-wordpress`
-* `abra app new civicrm --secrets`
 * `abra app config <app-name>`
+
+Authentik integration:
+* When configuring, uncomment `COMPOSE_FILE`, `OPEN_ID_CLIENT_ID`, `SECRET_OPEN_ID_CLIENT_SECRET_VERSION`, and `AUTHENTIK_DOMAIN`
+* To configure your Authentik deployment, follow the guide at [`docs.goauthentik.io/integrations/services/wordpress`](https://docs.goauthentik.io/integrations/services/wordpress/).
+* NOTE: at the time of writing the Authentik integration guide incorrectly says to set the redirect URI to `https://wp.company/admin-ajax.php?action=openid-connect-authorize` when it should be `https://wp.company/wp-admin/admin-ajax.php?action=openid-connect-authorize`
+* If using a different OpenID provider, leave `AUTHENTIK_DOMAIN` commented and uncomment the other OpenID configuration options
+
+Insert secrets:
+* `abra app secret i <app-name> wordpress_admin_password v1 '<temp account password>'`
+* `abra app secret i <app-name> smtp_password v1 '<smtp password>'`
+* (Authentik) `abra app secret i <app-name> openid_client_secret v1 <openid client secret>`
+
+Generate secrets (be sure to save them):
+* `abra app secret g -a <app-name>`
+
+Deploy app:
 * `abra app deploy <app-name>`
 
 For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech).
@@ -26,11 +41,11 @@ For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech).
 
 ### Install extensions
 
-set them in the env config and run: `abra app cmd civi.dev.local-it.cloud app install_extensions`
+set them in the env config and run: `abra app cmd civi.example.org app install_extensions`
 
 to install unoffical extension run smth like:
 
 ```
-abra app cmd civi.dev.local-it.cloud app install_custom_extension shoreditch https://github.com/civicrm/org.civicrm.shoreditch
+abra app cmd civi.example.org app install_custom_extension shoreditch https://github.com/civicrm/org.civicrm.shoreditch
-abra app cmd civi.dev.local-it.cloud app install_custom_extension shoreditchwpworkarounds https://lab.civicrm.org/extensions/shoreditchwpworkarounds.git
+abra app cmd civi.example.org app install_custom_extension shoreditchwpworkarounds https://lab.civicrm.org/extensions/shoreditchwpworkarounds.git
 ```

abra.sh

@@ -31,6 +31,7 @@ file_env "SMTP_PASSWORD"
 export APACHE_SITES_AVAILABLE_CONF_VERSION=v1
 export CIVICRM_SETTINGS_PHP_VERSION=v1
 export ENTRYPOINT_VERSION=v1
+export OPENID_SETTINGS_VERSION=v1
 
 change_password(){
     echo "Changing password for $1"

compose.openidconnect.yml

@@ -0,0 +1,14 @@
+---
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - OPEN_ID_CLIENT_SECRET_FILE=/run/secrets/openid_client_secret
+    secrets:
+      - openid_client_secret
+
+secrets:
+  openid_client_secret:
+    external: true
+    name: ${STACK_NAME}_openid_client_secret_${SECRET_OPEN_ID_CLIENT_SECRET_VERSION}

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: michaelmcandrew/civicrm:5.59.4-wordpress-php8.1
+    image: michaelmcandrew/civicrm:5.82.0-wordpress-php8.1
     hostname: civicrm
     environment:
       - PROJECT_NAME
@@ -24,16 +24,18 @@ services:
       - SMTP_PORT
       - SMTP_USER
       - SMTP_PASSWORD_FILE=/run/secrets/smtp_password
+      - WORDPRESS_ADMIN_PASSWORD_FILE=/run/secrets/wordpress_admin_password
     secrets:
       - db_password
       - civicrm_site_key
       - civicrm_cred_key
       - civicrm_sign_key
       - smtp_password
+      - wordpress_admin_password
     volumes:
       - data:/var/www/html/wp-content/uploads
     networks:
-      - default
+      - internal
       - proxy
     configs:
       - source: apache-sites-available-conf
@@ -43,6 +45,8 @@ services:
         mode: 555
       - source: civicrm-settings-php
         target: /usr/local/etc/civicrm/civicrm.settings.php
+      - source: openid-settings
+        target: /usr/local/etc/civicrm/openid_settings.json
     entrypoint: /usr/local/bin/entrypoint.sh
     deploy:
       restart_policy:
@@ -57,7 +61,7 @@ services:
         #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
         #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
         #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
-        - "coop-cloud.${STACK_NAME}.version=0.1.0+5.59.4-wordpress-php8.1"
+        - "coop-cloud.${STACK_NAME}.version=0.3.0+5.82.0-wordpress-php8.1"
         - "backupbot.backup=true"
         - "backupbot.backup.path=/var/www/html/wp-content/uploads"
     healthcheck:
@@ -90,6 +94,8 @@ services:
       timeout: 10s
       retries: 10
       start_period: 1m
+    networks:
+      - internal
     deploy:
       restart_policy:
         condition: on-failure
@@ -114,6 +120,7 @@ services:
 networks:
   proxy:
     external: true
+  internal:
 
 volumes:
   mariadb:
@@ -134,6 +141,10 @@ configs:
     name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
     file: entrypoint.sh
     template_driver: golang
+  openid-settings:
+    name: ${STACK_NAME}_openid_settings_${OPENID_SETTINGS_VERSION}
+    file: openid_settings.json
+    template_driver: golang
 
 secrets:
   db_root_password:
@@ -154,3 +165,6 @@ secrets:
   civicrm_sign_key:
     external: true
     name: ${STACK_NAME}_civicrm_sign_key_${SECRET_CIVICRM_SIGN_KEY_VERSION}
+  wordpress_admin_password:
+    external: true
+    name: ${STACK_NAME}_wordpress_admin_password_${SECRET_WORDPRESS_ADMIN_PASSWORD_VERSION}

entrypoint.sh

@@ -28,6 +28,8 @@ file_env "CIVICRM_DB_PASS"
 file_env "CIVICRM_SITE_KEY"
 file_env "CIVICRM_CRED_KEYS"
 file_env "SMTP_PASSWORD"
+file_env "WORDPRESS_ADMIN_PASSWORD"
+file_env "OPEN_ID_CLIENT_SECRET"
 
 if  [[  "${1-default}" == "cron" ]]; then
   echo "============ Running cron job ============"
@@ -36,7 +38,7 @@ if  [[  "${1-default}" == "cron" ]]; then
   exit $?
 fi
 
-until mysql -e '\q' -h db -p"${WORDPRESS_DB_PASS}" && mysql -e '\q' -h "${CIVICRM_DB_HOST}" -p"${CIVICRM_DB_PASS}"; do
+until mysql -e '\q' -h"${WORDPRESS_DB_HOST}" -u"${WORDPRESS_DB_USER}" -p"${WORDPRESS_DB_PASS}" && mysql -e '\q' -h"${CIVICRM_DB_HOST}" -u"${CIVICRM_DB_USER}" -p"${CIVICRM_DB_PASS}"; do
   echo "============ Waiting for db container to come up============"
   sleep 2
 done;
@@ -49,9 +51,9 @@ if su civicrm -c "wp core is-installed"; then
   echo "============ Wordpress already installed ============"
 else
   echo "============ Installing Wordpress ============"
-  su civicrm -c "wp core install --locale=de_DE --url=$BASE_URL --title=$PROJECT_NAME --admin_user=admin --admin_email=$SMTP_USER"
+  su civicrm -c "wp core install --locale=$WORDPRESS_LOCALE --url=$BASE_URL --title=$PROJECT_NAME --admin_user=admin --admin_email=$WORDPRESS_ADMIN_EMAIL --admin_password='$WORDPRESS_ADMIN_PASSWORD'"
-  su civicrm -c "wp language core install de_DE"
+  su civicrm -c "wp language core install $WORDPRESS_LOCALE"
-  su civicrm -c "wp language core activate de_DE"
+  su civicrm -c "wp language core activate $WORDPRESS_LOCALE"
 fi
 
 # Setup Civicrm L10n
@@ -73,7 +75,7 @@ pushd /var/www/html/wp-content/uploads/civicrm/
       touch is_installed
       rm -rf civicrm.settings.php
       su civicrm -c "wp plugin activate civicrm"
-      su civicrm -c "cv core:install -vv --keep --db=mysql://$CIVICRM_DB_USER:$CIVICRM_DB_PASS@$CIVICRM_DB_HOST:$CIVICRM_DB_PORT/$CIVICRM_DB_NAME --lang de_DE --comp $CIVICRM_COMPONENTS"
+      su civicrm -c "cv core:install -vv --keep --db=mysql://$CIVICRM_DB_USER:$CIVICRM_DB_PASS@$CIVICRM_DB_HOST:$CIVICRM_DB_PORT/$CIVICRM_DB_NAME --lang $WORDPRESS_LOCALE --comp $CIVICRM_COMPONENTS"
       mv civicrm.settings.php civicrm.settings.php.generated
       cp /usr/local/etc/civicrm/civicrm.settings.php civicrm.settings.php
       chmod a-wx /var/www/html/wp-content/uploads/civicrm/civicrm.settings.php
@@ -87,6 +89,47 @@ pushd /var/www/html/wp-content/uploads/civicrm/
   fi
 popd
 
+OPEN_ID_CLIENT_ID="${OPEN_ID_CLIENT_ID:-unused}"
+if  [ "$OPEN_ID_CLIENT_ID" != "unused" ]; then
+  # install OpenID Connect Generic plugin
+  if ! su civicrm -c "wp plugin is-installed daggerhart-openid-connect-generic"; then
+    echo "============ Running OpenId Connect Install ============"
+    su civicrm -c "wp plugin install daggerhart-openid-connect-generic --activate"
+  else
+    echo "OpenID Connect Generic Plugin already installed"
+  fi
+
+  # if openid connect hasn't been configured, insert default settings
+  if ! su civicrm -c "wp option get openid_connect_generic_settings"; then
+    echo "Configuring OpenId Connect Plugin default settings"
+    su civicrm -c "wp option add openid_connect_generic_settings --format=json < /usr/local/etc/civicrm/openid_settings.json"
+  else
+    echo "OpenId Connect Plugin default settings already present"
+  fi
+
+  echo "============ Configuring OpenId Connect ============"
+  su civicrm -c "wp option patch update openid_connect_generic_settings client_id $OPEN_ID_CLIENT_ID"
+  su civicrm -c "wp option patch update openid_connect_generic_settings client_secret $OPEN_ID_CLIENT_SECRET"
+  su civicrm -c "wp option patch update openid_connect_generic_settings link_existing_users 1"
+
+  AUTHENTIK_DOMAIN="${AUTHENTIK_DOMAIN:-unused}"
+  if  [ "$AUTHENTIK_DOMAIN" != "unused" ]; then
+    echo "============ Configuring Authentik ============"
+    su civicrm -c "wp option patch update openid_connect_generic_settings endpoint_login https://$AUTHENTIK_DOMAIN/application/o/authorize/"
+    su civicrm -c "wp option patch update openid_connect_generic_settings endpoint_userinfo https://$AUTHENTIK_DOMAIN/application/o/userinfo/"
+    su civicrm -c "wp option patch update openid_connect_generic_settings endpoint_token https://$AUTHENTIK_DOMAIN/application/o/token/"
+    su civicrm -c "wp option patch update openid_connect_generic_settings endpoint_end_session https://$AUTHENTIK_DOMAIN/application/o/wordpress/end-session/"
+  else
+    echo "============ Configuring Generic OpenId Provider ============"
+    su civicrm -c "wp option patch update openid_connect_generic_settings endpoint_login $OPEN_ID_PROVIDER_LOGIN_URL"
+    su civicrm -c "wp option patch update openid_connect_generic_settings endpoint_userinfo $OPEN_ID_USERINFO_URL"
+    su civicrm -c "wp option patch update openid_connect_generic_settings endpoint_token $OPEN_ID_TOKEN_ENDPOINT_URL"
+    su civicrm -c "wp option patch update openid_connect_generic_settings endpoint_end_session $OPEN_ID_END_SESSION_URL"
+  fi
+else
+    echo "not using OpenIdConnect"
+fi
+
 echo "============ Setting up cron ============"
 printenv > /etc/environment
 apt update && apt install -y cron

openid_settings.json

@@ -0,0 +1,29 @@
+
+{
+    "login_type":"button",
+    "client_id":"",
+    "client_secret":"",
+    "scope":"email profile openid offline_access",
+    "endpoint_login":"",
+    "endpoint_userinfo":"",
+    "endpoint_token":"",
+    "endpoint_end_session":"",
+    "acr_values":"",
+    "identity_key":"preferred_username",
+    "no_sslverify":"0",
+    "http_request_timeout":"5",
+    "enforce_privacy":"0",
+    "alternate_redirect_uri":"0",
+    "nickname_key":"preferred_username",
+    "email_format":"{email}",
+    "displayname_format":"",
+    "identify_with_username":"0",
+    "state_time_limit":"180",
+    "token_refresh_enable":"1",
+    "link_existing_users":"0",
+    "create_if_does_not_exist":"1",
+    "redirect_user_back":"0",
+    "redirect_on_logout":"1",
+    "enable_logging":"0",
+    "log_limit":"1000"
+}   

release/0.1.3+5.82.0-wordpress-php8.1

@@ -0,0 +1 @@
+Updated CiviCRM and set language to english

release/0.2.0+5.82.0-wordpress-php8.1

@@ -0,0 +1 @@
+Authentik Support

release/0.2.1+5.82.0-wordpress-php8.1

@@ -0,0 +1 @@
+Fix bug when not using openid

release/0.3.0+5.82.0-wordpress-php8.1

@@ -0,0 +1 @@
+openid connect link existing users by default