diff --git a/data/hostname/bardo.internal.admin.swh.network.yaml b/data/hostname/bardo.internal.admin.swh.network.yaml --- a/data/hostname/bardo.internal.admin.swh.network.yaml +++ b/data/hostname/bardo.internal.admin.swh.network.yaml @@ -45,7 +45,17 @@ hedgedoc::allow_anonymous: true hedgedoc::allow_anonymous_edits: true + +# authentication hedgedoc::allow_email: true -hedgedoc::allow_email_register: true +hedgedoc::allow_email_register: false +hedgedoc::enable_keycloak: true +hedgedoc::keycloak::domain: auth.softwareheritage.org +hedgedoc::keycloak::realm: SoftwareHeritage +hedgedoc::keycloak::client::id: hedgedoc +# hedgedoc::keycloak::client::secret in private-data + + + hedgedoc::runtime_environment: production hedgedoc::log_level: debug diff --git a/site-modules/profile/manifests/hedgedoc.pp b/site-modules/profile/manifests/hedgedoc.pp --- a/site-modules/profile/manifests/hedgedoc.pp +++ b/site-modules/profile/manifests/hedgedoc.pp @@ -21,11 +21,19 @@ $db_port = lookup('swh::postgresql::port') $db_url = "postgres://${db_user}:${db_password}@${db_host}:${db_port}/${db_name}" + $session_secret = lookup('hedgedoc::session_secret') + $allow_anonymous = lookup('hedgedoc::allow_anonymous') $allow_anonymous_edits = lookup('hedgedoc::allow_anonymous_edits') $allow_email = lookup('hedgedoc::allow_email') $allow_email_register = lookup('hedgedoc::allow_email_register') + $enable_keycloak = lookup('hedgedoc::enable_keycloak', Boolean, 'first', false) + $keycloak_domain = lookup('hedgedoc::keycloak::domain') + $keycloak_realm = lookup('hedgedoc::keycloak::realm') + $keycloak_client_id = lookup('hedgedoc::keycloak::client::id') + $keycloak_client_secret = lookup('hedgedoc::keycloak::client::secret') + $runtime_environment = lookup('hedgedoc::runtime_environment') $log_level = lookup('hedgedoc::log_level') @@ -39,8 +47,8 @@ $install_path = "${root_install_path}/hedgedoc" $upgrade_flag_path = "${install_path}/hedgedoc-${version}-upgrade" - $sequelizerc_config_sequelizerc_path = "${install_path}/.sequelizerc" - $sequelizerc_config_json_path = "${install_path}/config.json" + $sequelizerc_path = "${install_path}/.sequelizerc" + $config_json_path = "${install_path}/config.json" $service_name = "hedgedoc" $unit_name = "${service_name}.service" @@ -91,14 +99,15 @@ require => Postgresql::Server::Db[$db_name], refreshonly => true, } ~> - file {$sequelizerc_config_json_path: + file {$config_json_path: ensure => present, owner => $user, group => $group, - mode => '0644', + # Contains credentials + mode => '0600', content => template("profile/hedgedoc/config.json.erb"), } ~> - file {$sequelizerc_config_sequelizerc_path: + file {$sequelizerc_path: ensure => present, owner => $user, group => $group, diff --git a/site-modules/profile/templates/hedgedoc/config.json.erb b/site-modules/profile/templates/hedgedoc/config.json.erb --- a/site-modules/profile/templates/hedgedoc/config.json.erb +++ b/site-modules/profile/templates/hedgedoc/config.json.erb @@ -1,6 +1,6 @@ { "<%= @runtime_environment %>": { - "sessionSecret": "change-this-secret", + "sessionSecret": "<%= @session_secret %>", "allowAnonymous": <%= @allow_anonymous %>, "allowAnonymousEdit": <%= @allow_anonymous_edits %>, "allowFreeURL": true, @@ -10,6 +10,19 @@ "allowOrigin": [ "localhost", "<%= @base_url %>"], "email": <%= @allow_email %>, "allowEmailRegister": <%= @allow_email_register %>, +<% if @enable_keycloak -%> + "oauth2": { + "baseURL": "https://<%= @keycloak_domain %>/", + "userProfileURL": "https://<%= @keycloak_domain %>/auth/realms/<%= @keycloak_realm %>/protocol/openid-connect/userinfo", + "userProfileUsernameAttr": "preferred_username", + "userProfileDisplayNameAttr": "name", + "userProfileEmailAttr": "email", + "tokenURL": "https://<%= @keycloak_domain %>/auth/realms/<%= @keycloak_realm %>/protocol/openid-connect/token", + "authorizationURL": "https://<%= @keycloak_domain %>/auth/realms/<%= @keycloak_realm %>/protocol/openid-connect/auth", + "clientID": "<%= @keycloak_client_id %>", + "clientSecret": "<%= @keycloak_client_secret %>" + }, +<% end -%> "hsts": { "enable": true, "maxAgeSeconds": 31536000,