diff --git a/data/hostname/bardo.internal.admin.swh.network.yaml b/data/hostname/bardo.internal.admin.swh.network.yaml index e0e7a913..65a69dce 100644 --- a/data/hostname/bardo.internal.admin.swh.network.yaml +++ b/data/hostname/bardo.internal.admin.swh.network.yaml @@ -1,51 +1,61 @@ groups: hedgedoc: gid: 6000 users: hedgedoc: uid: 6000 shell: /bin/bash groups: - hedgedoc hedgedoc::db::host: localhost hedgedoc::db::database: hedgedoc hedgedoc::db::username: hedgedoc # hedgedoc::db::password: in private-data swh::postgresql::version: '12' swh::postgresql::port: 5433 swh::postgresql::cluster_name: "%{lookup('swh::postgresql::version')}/main" swh::postgresql::datadir_base: "%{lookup('swh::base_directory')}/postgres" swh::postgresql::datadir: "%{lookup('swh::postgresql::datadir_base')}/%{lookup('swh::postgresql::cluster_name')}" swh::postgresql::listen_addresses: - 0.0.0.0 swh::postgresql::network_accesses: - 192.168.100.0/24 # Monitoring - 192.168.130.0/24 # Staging services postgresql::globals::version: "%{alias('swh::postgresql::version')}" postgresql::server::config_entries: shared_buffers: "%{alias('swh::postgresql::shared_buffers')}" cluster_name: "%{alias('swh::postgresql::cluster_name')}" swh::dbs: hedgedoc: name: "%{alias('hedgedoc::db::database')}" user: "%{alias('hedgedoc::db::username')}" hedgedoc::release::version: 1.7.1 hedgedoc::release::digest: 17e7092430b36c96059309fdd03f9244f6a13611e28ced153d9dbf97e109d5ba hedgedoc::release::digest_type: sha256 hedgedoc::user: hedgedoc hedgedoc::group: hedgedoc hedgedoc::allow_anonymous: true hedgedoc::allow_anonymous_edits: true + +# authentication hedgedoc::allow_email: true -hedgedoc::allow_email_register: true +hedgedoc::allow_email_register: false +hedgedoc::enable_keycloak: true +hedgedoc::keycloak::domain: auth.softwareheritage.org +hedgedoc::keycloak::realm: SoftwareHeritage +hedgedoc::keycloak::client::id: hedgedoc +# hedgedoc::keycloak::client::secret in private-data + + + hedgedoc::runtime_environment: production hedgedoc::log_level: debug diff --git a/site-modules/profile/manifests/hedgedoc.pp b/site-modules/profile/manifests/hedgedoc.pp index 51226222..cabdfa20 100644 --- a/site-modules/profile/manifests/hedgedoc.pp +++ b/site-modules/profile/manifests/hedgedoc.pp @@ -1,140 +1,146 @@ # deploy a hedgedoc instance class profile::hedgedoc { $packages = [ 'npm', 'yarn', 'node-gyp' ] $keyid = lookup('yarn::apt_config::keyid') $key = lookup('yarn::apt_config::key') # ---- configuration $user = lookup('hedgedoc::user') $group = lookup('hedgedoc::group') $base_url = lookup('swh::deploy::hedgedoc::base_url') $db_host = lookup('hedgedoc::db::host') $db_name = lookup('hedgedoc::db::database') $db_user = lookup('hedgedoc::db::username') $db_password = lookup('swh::deploy::hedgedoc::db::password') $db_port = lookup('swh::postgresql::port') $db_url = "postgres://${db_user}:${db_password}@${db_host}:${db_port}/${db_name}" $allow_anonymous = lookup('hedgedoc::allow_anonymous') $allow_anonymous_edits = lookup('hedgedoc::allow_anonymous_edits') $allow_email = lookup('hedgedoc::allow_email') $allow_email_register = lookup('hedgedoc::allow_email_register') + $enable_keycloak = lookup('hedgedoc::enable_keycloak', Boolean, 'first', false) + $keycloak_domain = lookup('hedgedoc::keycloak::domain') + $keycloak_realm = lookup('hedgedoc::keycloak::realm') + $keycloak_client_id = lookup('hedgedoc::keycloak::client::id') + $keycloak_client_secret = lookup('hedgedoc::keycloak::client::secret') + $runtime_environment = lookup('hedgedoc::runtime_environment') $log_level = lookup('hedgedoc::log_level') # ---- install $version = lookup('hedgedoc::release::version') $archive_url = "https://github.com/hedgedoc/hedgedoc/releases/download/${version}/hedgedoc-${version}.tar.gz" $archive_digest = lookup('hedgedoc::release::digest') $archive_digest_type = lookup('hedgedoc::release::digest_type') $archive_path = "/tmp/hedgedoc-${version}.tar.gz" $root_install_path = "/opt" $install_path = "${root_install_path}/hedgedoc" $upgrade_flag_path = "${install_path}/hedgedoc-${version}-upgrade" $sequelizerc_config_sequelizerc_path = "${install_path}/.sequelizerc" $sequelizerc_config_json_path = "${install_path}/config.json" $service_name = "hedgedoc" $unit_name = "${service_name}.service" apt::source { 'yarn': location => "https://dl.yarnpkg.com/debian/", release => 'stable', repos => 'main', key => { id => $keyid, content => $key, }, } -> package { $packages: ensure => present, notify => Archive['hedgedoc'], } file { $install_path: ensure => 'directory', owner => $user, group => $group, mode => '0644', require => [User[$user], Group[$group]], } archive { 'hedgedoc': path => $archive_path, extract => true, source => $archive_url, extract_path => $root_install_path, creates => $install_path, checksum => $archive_digest, checksum_type => $archive_digest_type, cleanup => true, user => 'root', group => 'root', notify => File[$install_path], } ~> exec {'active-initialize': command => "touch ${upgrade_flag_path}", path => '/usr/bin', refreshonly => true, } ~> exec {'hedgedoc-flag-upgrade': command => "$install_path/bin/setup", cwd => $install_path, require => Postgresql::Server::Db[$db_name], refreshonly => true, } ~> file {$sequelizerc_config_json_path: ensure => present, owner => $user, group => $group, # Contains credentials mode => '0600', content => template("profile/hedgedoc/config.json.erb"), } ~> file {$sequelizerc_config_sequelizerc_path: ensure => present, owner => $user, group => $group, mode => '0644', content => template("profile/hedgedoc/sequelizerc.erb"), } ~> exec {'yarn-build': command => "yarn run build", cwd => $install_path, path => '/usr/bin', onlyif => "test -f ${upgrade_flag_path}", refreshonly => true, } ~> exec {'hegdedoc-flag-upgrade-done': command => "rm ${upgrade_flag_path}", cwd => $install_path, path => '/usr/bin', onlyif => "test -f ${upgrade_flag_path}", refreshonly => true, notify => Service[$service_name], } systemd::unit_file {$unit_name: ensure => present, content => template('profile/hedgedoc/hedgedoc.service.erb'), } service {$service_name: ensure => 'running', enable => true, require => [ Systemd::Unit_file[$unit_name], Package[$packages], Archive['hedgedoc'], ], } } diff --git a/site-modules/profile/templates/hedgedoc/config.json.erb b/site-modules/profile/templates/hedgedoc/config.json.erb index 70ac7df6..57e8ee22 100644 --- a/site-modules/profile/templates/hedgedoc/config.json.erb +++ b/site-modules/profile/templates/hedgedoc/config.json.erb @@ -1,37 +1,50 @@ { "<%= @runtime_environment %>": { "sessionSecret": "change-this-secret", "allowAnonymous": <%= @allow_anonymous %>, "allowAnonymousEdit": <%= @allow_anonymous_edits %>, "allowFreeURL": true, "protocolUseSSL": true, "domain": "<%= @base_url %>", "loglevel": "<%= @log_level %>", "allowOrigin": [ "localhost", "<%= @base_url %>"], "email": <%= @allow_email %>, "allowEmailRegister": <%= @allow_email_register %>, +<% if @enable_keycloak -%> + "oauth2": { + "baseURL": "https://<%= @keycloak_domain %>/", + "userProfileURL": "https://<%= @keycloak_domain %>/auth/realms/<%= @keycloak_realm %>/protocol/openid-connect/userinfo", + "userProfileUsernameAttr": "preferred_username", + "userProfileDisplayNameAttr": "name", + "userProfileEmailAttr": "email", + "tokenURL": "https://<%= @keycloak_domain %>/auth/realms/<%= @keycloak_realm %>/protocol/openid-connect/token", + "authorizationURL": "https://<%= @keycloak_domain %>/auth/realms/<%= @keycloak_realm %>/protocol/openid-connect/auth", + "clientID": "<%= @keycloak_client_id %>", + "clientSecret": "<%= @keycloak_client_secret %>" + }, +<% end -%> "hsts": { "enable": true, "maxAgeSeconds": 31536000, "includeSubdomains": true, "preload": true }, "csp": { "enable": true, "upgradeInsecureRequests": "auto", "addDefaults": true, "addDisqus": true, "addGoogleAnalytics": true }, "cookiePolicy": "lax", "db": { "username": "<%= @db_user %>", "password": "<%= @db_password %>", "database": "<%= @db_name %>", "host": "<%= @db_host %>", "port": "<%= @db_port %>", "dialect": "postgres" }, "linkifyHeaderStyle": "gfm" } }