Initial SAML-based config

.gitignore

@@ -0,0 +1,2 @@
+.env
+

compose.yaml

@@ -0,0 +1,82 @@
+services:
+  grist:
+    image: gristlabs/grist:1.1.7
+    networks:
+      - proxy
+      - internal
+    environment:
+      - GRIST_DATABASE_URL=postgresql://${STACK_NAME}_db:5432/grist
+      - GRIST_REDIS_URL=redis://${STACK_NAME}_redis:6379
+      - GRIST_DATA_DIR=/var/grist-data
+      - GRIST_SUPPORT_ANON
+      - GRIST_SESSION_SECRET
+      - GRIST_SANDBOX_FLAVOR
+      - APP_HOME_URL=https://${DOMAIN}
+      - APP_DOC_URL=https://${DOMAIN}
+      - GRIST_SINGLE_ORG
+      - GRIST_ORG_IN_PATH
+      - COOKIE_MAX_AGE
+      - GRIST_FORCE_LOGIN
+      - GRIST_SAML_SP_HOST=https://${DOMAIN}
+      - GRIST_SAML_SP_KEY=/keys/private.key
+      - GRIST_SAML_SP_CERT=/keys/certificate.crt
+      - GRIST_SAML_IDP_LOGIN
+      - GRIST_SAML_IDP_LOGOUT
+      - GRIST_SAML_IDP_SKIP_SLO
+      - GRIST_SAML_IDP_CERTS=/keys/idp-cert.pem
+      - GRIST_SAML_IDP_UNENCRYPTED
+      - GRIST_HIDE_UI_ELEMENTS
+      - GRIST_DEFAULT_EMAIL
+    volumes:
+      - grist_keys:/keys
+      - grist_data:/persist
+    depends_on:
+      - db
+      - redis
+    deploy:
+      labels:
+        - "traefik.enable=true"
+        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8484"
+        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
+        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
+        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
+        - "caddy=${DOMAIN}"
+        - "caddy.reverse_proxy={{upstreams 8484}}"
+        - "caddy.tls.on_demand="
+
+  db:
+    image: postgres:13
+    networks:
+      - internal
+    secrets:
+      - db_password
+    volumes:
+      - 'postgresql_data:/var/lib/postgresql/data'
+    environment:
+      - POSTGRES_USER=grist
+      - POSTGRES_DB=grist
+      - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
+
+  redis:
+    image: redis:7.2-alpine
+    networks:
+      - internal
+    volumes:
+      - 'redis_data:/data'
+
+secrets:
+  db_password:
+    external: true
+    name: ${STACK_NAME}_db_password
+
+volumes:
+  postgresql_data:
+  redis_data:
+  grist_data:
+  grist_keys:
+
+
+networks:
+  proxy:
+    external: true
+  internal:

prepare_keys.sh

@@ -0,0 +1,41 @@
+#!/bin/bash
+
+# Stack name and volume name
+VOLUME_NAME="${STACK_NAME}_grist_keys"
+
+# Temporary container name for key and certificate generation
+KEY_CERT_GEN_CONTAINER="temp-generate-key-cert"
+
+# Temporary container name for cert writing
+CERT_WRITE_CONTAINER="temp-store-cert"
+
+# Environment variable containing the X509 certificate
+X509_CERT_CONTENT="${GRIST_SAML_IDP_CERTS_STRING}"
+
+# Check if the Docker volume exists
+if ! docker volume inspect $VOLUME_NAME > /dev/null 2>&1; then
+    echo "Creating Docker volume: $VOLUME_NAME"
+    docker volume create $VOLUME_NAME
+fi
+
+# Run a temporary Alpine container to generate the key and certificate
+docker run --name $KEY_CERT_GEN_CONTAINER -v $VOLUME_NAME:/keys -it alpine sh -c "
+    apk add openssl; \
+    echo 'Generating RSA private key and self-signed certificate...'; \
+    openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 -keyout /keys/private.key -out /keys/certificate.crt; \
+    echo 'RSA private key and self-signed certificate generated in the $VOLUME_NAME volume.'
+"
+docker rm -f $KEY_CERT_GEN_CONTAINER
+
+
+# Check if X509 certificate content is provided and not empty
+if [ -n "$X509_CERT_CONTENT" ]; then
+    docker run --name $CERT_WRITE_CONTAINER -v $VOLUME_NAME:/keys -it alpine sh -c "
+        echo 'Writing X509 certificate to PEM file...'; \
+        echo '-----BEGIN CERTIFICATE-----' > /keys/idp-cert.pem; \
+        echo \"$X509_CERT_CONTENT\" >> /keys/idp-cert.pem; \
+        echo '-----END CERTIFICATE-----' >> /keys/idp-cert.pem;
+        echo 'X509 certificate written to /keys/idp-cert.pem.'
+    "
+    docker rm -f $CERT_WRITE_CONTAINER
+fi