Commit 1e3f42ca authored by Christian Elberfeld's avatar Christian Elberfeld

Hackmd oauth config

parent 69e86b10
...@@ -60,6 +60,12 @@ ...@@ -60,6 +60,12 @@
basedir: "/srv/{{ servicename }}", basedir: "/srv/{{ servicename }}",
domain: "grafana.test-warpzone.de" domain: "grafana.test-warpzone.de"
} }
- {
role: testserver/docker_hackmd, tags: [ test_hackmd, docker_services ],
servicename: "hackmd",
basedir: "/srv/{{ servicename }}",
domain: "md.test-warpzone.de"
}
- { - {
role: testserver/docker_nextcloud, tags: [ test_nextcloud, docker_services ], role: testserver/docker_nextcloud, tags: [ test_nextcloud, docker_services ],
servicename: "nextcloud", servicename: "nextcloud",
# Overview
* Authentication to Hackmd (CodiMD, Hedgedoc) is only possible with an account in uffd, regular authentication is disabled
* All users with group 'hackmd_access' can access the Application
# Setup OIDC Authentication via uffd
Uffd Reference: https://git.cccv.de/uffd
## Setup in HackDM
All setup is done in the docker-compose.yml
Reference: https://docs.hedgedoc.org/guides/auth/oauth/
## Setup in uffd
Create Groups:
- hackmd_access: General Access to Hackmd
Create a Service / OAuth Client:
Only Users with goup hackmd_access can access Wordpress
Client-ID: hackmd
Client-Secret: from file oauth_client_secret on the server
Redirect-URIs:
* https://md.test-warpzone.de/auth/oauth2/callback
---
- include_tasks: ../functions/get_secret.yml
with_items:
- { path: /srv/hackmd/mysql_root_pass, length: 24 }
- { path: /srv/hackmd/mysql_user_pass, length: 12 }
- { path: /srv/hackmd/hackmd_session_secret, length: 32 }
- { path: /srv/hackmd/oauth_client_secret, length: 32 }
- name: create folder struct for hackmd
file:
path: "{{ item }}"
state: "directory"
with_items:
- /srv/hackmd/
- /srv/hackmd/db/
- name: Konfig-Dateien erstellen
template:
src: "{{ item }}"
dest: "/srv/hackmd/{{ item }}"
with_items:
- docker-compose.yml
- mysql-utf8.cnf
register: configs
- name: stop hackmd docker
community.docker.docker_compose_v2:
project_src: /srv/hackmd
state: absent
when: configs.changed
- name: start hackmd docker
community.docker.docker_compose_v2:
project_src: /srv/hackmd/
state: present
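Review bot: The `Konfig-Dateien erstellen` template task writes `/srv/hackmd/docker-compose.yml`, which after rendering carries the MariaDB passwords, the session secret and the OAuth client secret, but it sets no `mode`, so the file gets the default umask permissions on the host (usually world-readable). Restrict it, e.g. `mode: "{{ '0600' if item == 'docker-compose.yml' else '0644' }}"`, leaving `mysql-utf8.cnf` readable since it is bind-mounted into the `db` container and presumably read there by a non-root database process. The `create folder struct` task likewise creates `/srv/hackmd/` without an explicit `owner`/`mode`; that is acceptable if the compose file itself is locked down, but worth stating in a comment. Minor: `project_src` is `/srv/hackmd` in the stop task and `/srv/hackmd/` in the start task; pick one spelling.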
services:
app:
image: quay.io/hedgedoc/hedgedoc:latest
restart: always
depends_on:
- db
environment:
CMD_DOMAIN: "{{ domain }}"
CMD_PROTOCOL_USESSL: "true"
CMD_URL_ADDPORT: "false"
CMD_DB_URL: "mariadb://hackmd:{{ mysql_user_pass }}@db:3306/hackmd"
CMD_SESSION_SECRET: "{{ hackmd_session_secret }}"
CMD_ALLOW_ANONYMOUS: "true"
CMD_ALLOW_ANONYMOUS_EDITS: "true"
CMD_DEFAULT_PERMISSION: "freely"
CMD_ALLOW_FREEURL: "true"
CMD_EMAIL: "false"
CMD_OAUTH2_USER_PROFILE_URL: "{{ oauth_global.userinfo_url }}"
CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR: "preferred_username"
CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR: "preferred_username"
CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR: "email"
CMD_OAUTH2_TOKEN_URL: "{{ oauth_global.token_url }}"
CMD_OAUTH2_AUTHORIZATION_URL: "{{ oauth_global.authorize_url }}"
CMD_OAUTH2_CLIENT_ID: "hackmd"
CMD_OAUTH2_CLIENT_SECRET: "{{ oauth_client_secret }}"
CMD_OAUTH2_PROVIDERNAME: "Keycloak"
CMD_OAUTH2_SCOPE: "openid email profile"
labels:
- traefik.enable=true
- traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
- traefik.http.routers.{{ servicename }}.entrypoints=websecure
- traefik.http.services.{{ servicename }}.loadbalancer.server.port=3000
networks:
- default
- web
db:
image: mariadb:11
restart: always
volumes:
- /srv/hackmd/db:/var/lib/mysql
- /srv/hackmd/mysql-utf8.cnf:/etc/mysql/conf.d/utf8.cnf
environment:
MYSQL_ROOT_PASSWORD: "{{ mysql_root_pass }}"
MYSQL_PASSWORD: "{{ mysql_user_pass }}"
MYSQL_DATABASE: "hackmd"
MYSQL_USER: "hackmd"
networks:
- default
networks:
web:
external: true
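Review bot: `CMD_ALLOW_ANONYMOUS: "true"`, `CMD_ALLOW_ANONYMOUS_EDITS: "true"` and `CMD_DEFAULT_PERMISSION: "freely"` in the `app` environment let visitors who never log in create, read and edit notes, so the uffd `hackmd_access` group described in this commit's README only gates the login, not the content. If the intent is that only group members can use the instance, change them to `CMD_ALLOW_ANONYMOUS: "false"`, `CMD_ALLOW_ANONYMOUS_EDITS: "false"` and `CMD_DEFAULT_PERMISSION: "limited"` (signed-in users only; `"private"` if new notes should default to owner-only), and reconsider `CMD_ALLOW_FREEURL: "true"`, which together with anonymous access lets anyone claim arbitrary note URLs. `image: quay.io/hedgedoc/hedgedoc:latest` floats across major releases while the other compose hunk in this commit pins `mariadb:11`; pin at least a major tag here as well so a routine pull cannot silently pick up a breaking or changed-default release. `CMD_OAUTH2_PROVIDERNAME: "Keycloak"` is only the label shown on the login button, but it names the wrong provider; `"uffd"` would match the README.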
[client]
default-character-set=utf8
[mysql]
default-character-set=utf8
[mysqld]
collation-server = utf8_unicode_ci
init-connect='SET NAMES utf8'
character-set-server = utf8
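Review bot: `utf8` in this file is MariaDB's alias for the three-byte `utf8mb3`, so four-byte characters (emoji, supplementary CJK) pasted into a note are rejected or truncated by the `db` service depending on `sql_mode`; HedgeDoc's MariaDB guidance is, as far as I recall, `utf8mb4`. Replace every `utf8` here with `utf8mb4` and the collation with `utf8mb4_unicode_ci`; if the test server's `/srv/hackmd/db` is freshly created by this commit, no conversion of existing tables is needed. Note also that `init-connect` is not executed for connections holding the SUPER privilege, so it does not cover the `root` account; the server-level `character-set-server` setting is what actually matters for the application user.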
...@@ -34,7 +34,7 @@ services: ...@@ -34,7 +34,7 @@ services:
- web - web
db: db:
image: mariadb:11.2.2 image: mariadb:11
restart: always restart: always
volumes: volumes:
- /srv/hackmd/db:/var/lib/mysql - /srv/hackmd/db:/var/lib/mysql