diff --git a/site.yml b/site.yml
index a532b27a159d8fcee3dfc1511e1f41b7de5067fb..834fff2e11119e99cf63a1e7fc537d0880116b65 100644
--- a/site.yml
+++ b/site.yml
@@ -60,6 +60,12 @@
 basedir: "/srv/{{ servicename }}",
 domain: "grafana.test-warpzone.de"
 }
+ - {
+ role: testserver/docker_hackmd, tags: [ test_hackmd, docker_services ],
+ servicename: "hackmd",
+ basedir: "/srv/{{ servicename }}",
+ domain: "md.test-warpzone.de"
+ }
 - {
 role: testserver/docker_nextcloud, tags: [ test_nextcloud, docker_services ],
 servicename: "nextcloud",
diff --git a/testserver/docker_hackmd/Documentation.md b/testserver/docker_hackmd/Documentation.md
new file mode 100644
index 0000000000000000000000000000000000000000..55aa2ae3a0e9abb539fd4c72b7c983c9f5186a97
--- /dev/null
+++ b/testserver/docker_hackmd/Documentation.md
@@ -0,0 +1,32 @@
+
+# Overview
+
+* Authentication to Hackmd (CodiMD, Hedgedoc) is only possible with an account in uffd, regular authentication is disabled
+* All users with group 'hackmd_access' can access the Application
+
+# Setup OIDC Authentication via uffd
+
+Uffd Reference: https://git.cccv.de/uffd
+
+
+## Setup in HackDM
+
+All setup is done in the docker-compose.yml
+Reference: https://docs.hedgedoc.org/guides/auth/oauth/
+
+
+## Setup in uffd
+
+Create Groups:
+
+- hackmd_access: General Access to Hackmd
+
+Create a Service / OAuth Client:
+
+Only Users with goup hackmd_access can access Wordpress
+
+Client-ID: hackmd
+Client-Secret: from file oauth_client_secret on the server
+Redirect-URIs:
+* https://md.test-warpzone.de/auth/oauth2/callback
+
diff --git a/testserver/docker_hackmd/tasks/main.yml b/testserver/docker_hackmd/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..75ffba40e75de49b59590c5b269ef423d3184de4
--- /dev/null
+++ b/testserver/docker_hackmd/tasks/main.yml
@@ -0,0 +1,38 @@
+---
+
+- include_tasks: ../functions/get_secret.yml
+ with_items:
+ - { path: /srv/hackmd/mysql_root_pass, length: 24 }
+ - { path: /srv/hackmd/mysql_user_pass, length: 12 }
+ - { path: /srv/hackmd/hackmd_session_secret, length: 32 }
+ - { path: /srv/hackmd/oauth_client_secret, length: 32 }
+
+
+- name: create folder struct for hackmd
+ file:
+ path: "{{ item }}"
+ state: "directory"
+ with_items:
+ - /srv/hackmd/
+ - /srv/hackmd/db/
+
+
+- name: Konfig-Dateien erstellen
+ template:
+ src: "{{ item }}"
+ dest: "/srv/hackmd/{{ item }}"
+ with_items:
+ - docker-compose.yml
+ - mysql-utf8.cnf
+ register: configs
+
+- name: stop hackmd docker
+ community.docker.docker_compose_v2:
+ project_src: /srv/hackmd
+ state: absent
+ when: configs.changed
+
+- name: start hackmd docker
+ community.docker.docker_compose_v2:
+ project_src: /srv/hackmd/
+ state: present
diff --git a/testserver/docker_hackmd/templates/docker-compose.yml b/testserver/docker_hackmd/templates/docker-compose.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e9a7011eee9cb8d5916de16b7df05bdf9391c5ae
--- /dev/null
+++ b/testserver/docker_hackmd/templates/docker-compose.yml
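Review bot: The `Konfig-Dateien erstellen` template task writes /srv/hackmd/docker-compose.yml, which after rendering holds the MariaDB root password, the session secret and the OAuth client secret, without an explicit `mode`, so the file gets whatever the default umask yields and may end up readable by every local account; add `    mode: "0600"` and `    owner: root` to that task. The `file` task creating /srv/hackmd/ and /srv/hackmd/db/ has the same gap and could take `    mode: "0750"`. The secrets are requested via ../functions/get_secret.yml before the folder task creates /srv/hackmd/; whether that include creates the parent directory itself is not visible here, so the ordering is worth confirming. Minor style: the two `community.docker.docker_compose_v2` tasks use `/srv/hackmd` and `/srv/hackmd/` for `project_src`, the task name mixes German with the otherwise English names, and `loop:` is the current replacement for `with_items:`.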
@@ -0,0 +1,54 @@
+services:
+
+ app:
+ image: quay.io/hedgedoc/hedgedoc:latest
+ restart: always
+ depends_on:
+ - db
+ environment:
+ CMD_DOMAIN: "{{ domain }}"
+ CMD_PROTOCOL_USESSL: "true"
+ CMD_URL_ADDPORT: "false"
+ CMD_DB_URL: "mariadb://hackmd:{{ mysql_user_pass }}@db:3306/hackmd"
+ CMD_SESSION_SECRET: "{{ hackmd_session_secret }}"
+ CMD_ALLOW_ANONYMOUS: "true"
+ CMD_ALLOW_ANONYMOUS_EDITS: "true"
+ CMD_DEFAULT_PERMISSION: "freely"
+ CMD_ALLOW_FREEURL: "true"
+ CMD_EMAIL: "false"
+ CMD_OAUTH2_USER_PROFILE_URL: "{{ oauth_global.userinfo_url }}"
+ CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR: "preferred_username"
+ CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR: "preferred_username"
+ CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR: "email"
+ CMD_OAUTH2_TOKEN_URL: "{{ oauth_global.token_url }}"
+ CMD_OAUTH2_AUTHORIZATION_URL: "{{ oauth_global.authorize_url }}"
+ CMD_OAUTH2_CLIENT_ID: "hackmd"
+ CMD_OAUTH2_CLIENT_SECRET: "{{ oauth_client_secret }}"
+ CMD_OAUTH2_PROVIDERNAME: "Keycloak"
+ CMD_OAUTH2_SCOPE: "openid email profile"
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
+ - traefik.http.routers.{{ servicename }}.entrypoints=websecure
+ - traefik.http.services.{{ servicename }}.loadbalancer.server.port=3000
+ networks:
+ - default
+ - web
+
+ db:
+ image: mariadb:11
+ restart: always
+ volumes:
+ - /srv/hackmd/db:/var/lib/mysql
+ - /srv/hackmd/mysql-utf8.cnf:/etc/mysql/conf.d/utf8.cnf
+ environment:
+ MYSQL_ROOT_PASSWORD: "{{ mysql_root_pass }}"
+ MYSQL_PASSWORD: "{{ mysql_user_pass }}"
+ MYSQL_DATABASE: "hackmd"
+ MYSQL_USER: "hackmd"
+ networks:
+ - default
+
+networks:
+ web:
+ external: true
diff --git a/testserver/docker_hackmd/templates/mysql-utf8.cnf b/testserver/docker_hackmd/templates/mysql-utf8.cnf
new file mode 100644
index 0000000000000000000000000000000000000000..367210a9c7b5d70ae9f27b5946bb448eb0b111b9
--- /dev/null
+++ b/testserver/docker_hackmd/templates/mysql-utf8.cnf
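Review bot: `CMD_ALLOW_ANONYMOUS: "true"`, `CMD_ALLOW_ANONYMOUS_EDITS: "true"` and `CMD_DEFAULT_PERMISSION: "freely"` contradict the Documentation.md added in this commit, which states that access is only possible with a uffd account in group hackmd_access; with these values anyone reaching md.test-warpzone.de can create and edit notes without logging in, because the group restriction lives in uffd and is only consulted during the OAuth login. If the documented restriction is the intent, set both anonymous flags to `"false"` and choose a default permission that excludes anonymous users; otherwise the documentation should say so. `image: quay.io/hedgedoc/hedgedoc:latest` is an unpinned tag, so every `state: present` run after a registry update may silently deploy a different release and schema; pin a release tag, e.g. `quay.io/hedgedoc/hedgedoc:<pinned-version>`, as `mariadb:11` at least does by major version for the db service. `CMD_OAUTH2_PROVIDERNAME: "Keycloak"` is the label shown on the login button, but the provider is uffd, so `"uffd"` would match the documentation. The rendered `CMD_DB_URL` embeds `mysql_user_pass` unescaped, so if get_secret.yml can emit URL-reserved characters the connection string breaks; the generator's character set is not visible here.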
@@ -0,0 +1,11 @@
+[client]
+default-character-set=utf8
+
+[mysql]
+default-character-set=utf8
+
+
+[mysqld]
+collation-server = utf8_unicode_ci
+init-connect='SET NAMES utf8'
+character-set-server = utf8
diff --git a/webserver/docker_hackmd/templates/docker-compose.yml b/webserver/docker_hackmd/templates/docker-compose.yml
index 959a2dfef148077a37d31044099cff2aeca3cb38..d9fe915aecb86dfaf110a047eb0adcc394a394ec 100644
--- a/webserver/docker_hackmd/templates/docker-compose.yml
+++ b/webserver/docker_hackmd/templates/docker-compose.yml
@@ -34,7 +34,7 @@ services:
 - web
 
 db:
- image: mariadb:11.2.2
+ image: mariadb:11
 restart: always
 volumes:
 - /srv/hackmd/db:/var/lib/mysql
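Review bot: `utf8` in MariaDB is an alias for the three-byte utf8mb3, so `character-set-server = utf8`, `collation-server = utf8_unicode_ci` and `init-connect='SET NAMES utf8'` leave the hackmd database unable to store four-byte characters (emoji, many CJK and symbol code points): inserts fail under strict mode or the note text is truncated at the first such character, and utf8mb4 is also what HedgeDoc's MariaDB/MySQL guidance recommends. Replace every `utf8` in this file with `utf8mb4` and the collation with `utf8mb4_unicode_ci`; the tables are presumably created with the server default on first start, so changing this later means a migration. `init-connect` is not executed for connections holding the SUPER privilege, which is harmless for the `hackmd` user but means `root` sessions still get the server default. The file contains no Jinja expressions, so `copy` instead of `template` in tasks/main.yml would also work, though that is a matter of taste.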