Initial QSfera import
This commit is contained in:
@@ -0,0 +1,161 @@
|
||||
## Basic Settings ##
|
||||
# Define the docker compose log driver used.
|
||||
# Defaults to local
|
||||
LOG_DRIVER=
|
||||
# If you're on an internet facing server, comment out following line.
|
||||
# It skips certificate validation for various parts of КуСфера and is
|
||||
# needed when self signed certificates are used.
|
||||
INSECURE=true
|
||||
|
||||
## Features ##
|
||||
COMPOSE_FILE=docker-compose.yml:traefik.yml:keycloak.yml:ldap-server.yml
|
||||
|
||||
## Traefik Settings ##
|
||||
# Note: Traefik is always enabled and can't be disabled.
|
||||
# Serve Traefik dashboard.
|
||||
# Defaults to "false".
|
||||
TRAEFIK_DASHBOARD=
|
||||
# Domain of Traefik, where you can find the dashboard.
|
||||
# Defaults to "traefik.qsfera.test"
|
||||
TRAEFIK_DOMAIN=
|
||||
# Basic authentication for the traefik dashboard.
|
||||
# Defaults to user "admin" and password "admin" (written as: "admin:$2y$05$KDHu3xq92SPaO3G8Ybkc7edd51pPLJcG1nWk3lmlrIdANQ/B6r5pq").
|
||||
# To create user:password pair, it's possible to use this command:
|
||||
# echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g
|
||||
TRAEFIK_BASIC_AUTH_USERS=
|
||||
# Email address for obtaining LetsEncrypt certificates.
|
||||
# Needs only be changed if this is a public facing server.
|
||||
TRAEFIK_ACME_MAIL=
|
||||
# Set to the following for testing to check the certificate process:
|
||||
# "https://acme-staging-v02.api.letsencrypt.org/directory"
|
||||
# With staging configured, there will be an SSL error in the browser.
|
||||
# When certificates are displayed and are emitted by # "Fake LE Intermediate X1",
|
||||
# the process went well and the envvar can be reset to empty to get valid certificates.
|
||||
TRAEFIK_ACME_CASERVER=
|
||||
# Enable the Traefik ACME (Automatic Certificate Management Environment) for automatic SSL certificate management.
|
||||
TRAEFIK_SERVICES_TLS_CONFIG="tls.certresolver=letsencrypt"
|
||||
# Enable Traefik to use local certificates.
|
||||
#TRAEFIK_SERVICES_TLS_CONFIG="tls=true"
|
||||
# You also need to provide a config file in ./config/traefik/dynamic/certs.yml
|
||||
# Example:
|
||||
# cat ./config/traefik/dynamic/certs.yml
|
||||
# tls:
|
||||
# certificates:
|
||||
# - certFile: /certs/qsfera.test.crt
|
||||
# keyFile: /certs/qsfera.test.key
|
||||
# stores:
|
||||
# - default
|
||||
#
|
||||
# The certificates need to copied into ./certs/, the absolute path inside the container is /certs/.
|
||||
# You can also use TRAEFIK_CERTS_DIR=/path/on/host to set the path to the certificates directory.
|
||||
# Enable the access log for Traefik by setting the following variable to true.
|
||||
TRAEFIK_ACCESS_LOG=
|
||||
# Configure the log level for Traefik.
|
||||
# Possible values are "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL" and "PANIC". Default is "ERROR".
|
||||
TRAEFIK_LOG_LEVEL=
|
||||
|
||||
|
||||
## КуСфера Settings ##
|
||||
# The qsfera container image.
|
||||
# For production releases: "qsfera/qsfera"
|
||||
# For rolling releases: "qsfera/qsfera-rolling"
|
||||
# Defaults to production if not set otherwise
|
||||
OC_DOCKER_IMAGE=qsfera/qsfera-rolling
|
||||
# The qsfera container version.
|
||||
# Defaults to "latest" and points to the latest stable tag.
|
||||
OC_DOCKER_TAG=
|
||||
# Domain of qsfera, where you can find the frontend.
|
||||
# Defaults to "cloud.qsfera.test"
|
||||
OC_DOMAIN=
|
||||
# Demo users should not be created on a production instance,
|
||||
# because their passwords are public. Defaults to "false".
|
||||
# If demo users is set to "true", the following user accounts are created automatically:
|
||||
# alan, mary, margaret, dennis and lynn - the password is 'demo' for all.
|
||||
DEMO_USERS=
|
||||
# Admin Password for the КуСфера admin user.
|
||||
# NOTE: This is only needed when using the built-in LDAP server (idm).
|
||||
# If you are using an external LDAP server, the admin password is managed by the LDAP server.
|
||||
# NOTE: This variable needs to be set before the first start of КуСфера. Changes to this variable after the first start will be IGNORED.
|
||||
# If not set, qsfera will not work properly. The container will be restarting.
|
||||
# After the first initialization, the admin password can only be changed via the КуСфера User Settings UI or by using the КуСфера CLI.
|
||||
# Documentation: https://docs.qsfera.eu/docs/admin/resources/common-issues#-change-admin-password-set-in-env
|
||||
INITIAL_ADMIN_PASSWORD=
|
||||
# Define the qsfera loglevel used.
|
||||
#
|
||||
LOG_LEVEL=
|
||||
# Define the kind of logging.
|
||||
# The default log can be read by machines.
|
||||
# Set this to true to make the log human readable.
|
||||
# LOG_PRETTY=true
|
||||
#
|
||||
# Define the qsfera storage location. Set the paths for config and data to a local path.
|
||||
# Ensure that the configuration and data directories are owned by the user and group with ID 1000:1000.
|
||||
# This matches the default user inside the container and avoids permission issues when accessing files.
|
||||
# Note that especially the data directory can grow big.
|
||||
# Leaving it default stores data in docker internal volumes.
|
||||
# OC_CONFIG_DIR=/your/local/qsfera/config
|
||||
# OC_DATA_DIR=/your/local/qsfera/data
|
||||
|
||||
### Compose Configuration ###
|
||||
# Path separator for supplemental compose files specified in COMPOSE_FILE.
|
||||
COMPOSE_PATH_SEPARATOR=:
|
||||
|
||||
### Ldap Settings ###
|
||||
# LDAP is always needed for КуСфера to store user data as there is no relational database.
|
||||
# The built-in LDAP server should used for testing purposes or small installations only.
|
||||
# For production installations, it is recommended to use an external LDAP server.
|
||||
# We are using OpenLDAP as the default LDAP server because it is proven to be stable and reliable.
|
||||
# This LDAP configuration is known to work with КуСфера and provides a blueprint for
|
||||
# configuring an external LDAP server based on other products like Microsoft Active Directory or other LDAP servers.
|
||||
#
|
||||
# Password of LDAP bind user "cn=admin,dc=qsfera,dc=eu". Defaults to "admin"
|
||||
LDAP_BIND_PASSWORD=
|
||||
# The LDAP server also creates an qsfera admin user dn: uid=admin,ou=users,dc=qsfera,dc=eu
|
||||
# The initial password for this user is "admin"
|
||||
# NOTE: This password can only be set once, if you want to change it later, you have to use the КуСфера User Settings UI.
|
||||
# If you changed the password and lost it, you need to execute the following LDAP query to reset it:
|
||||
# enter the ldap-server container with `docker compose exec ldap-server sh`
|
||||
# and run the following command to change the password:
|
||||
# ldappasswd -H ldap://127.0.0.1:1389 -D "cn=admin,dc=qsfera,dc=eu" -W "uid=admin,ou=users,dc=qsfera,dc=eu"
|
||||
# You will be prompted for the LDAP bind password.
|
||||
# The output should provide you a new password for the admin user.
|
||||
|
||||
|
||||
### Keycloak Settings ###
|
||||
# Keycloak is an open-source identity and access management solution.
|
||||
# We are using Keycloak as the default identity provider on production installations.
|
||||
# It can be used to federate authentication with other identity providers like
|
||||
# Microsoft Entra ID, ADFS or other SAML/OIDC providers.
|
||||
# The use of Keycloak as bridge between КуСфера and other identity providers creates more control over the
|
||||
# authentication process, the allowed clients and the session management.
|
||||
# Keycloak also manages the Role Based Access Control (RBAC) for КуСфера.
|
||||
# Keycloak can be used in two different modes:
|
||||
# 1. Autoprovisioning: New users are automatically created in qsfera when they log in for the first time.
|
||||
# 2. Shared User Directory: Users are created in Keycloak and can be used in КуСфера immediately
|
||||
# because the LDAP server is connected to both Keycloak and КуСфера.
|
||||
# Only use one of the two modes at a time.
|
||||
|
||||
## Autoprovisioning Mode ##
|
||||
# Use together with idm/external-idp.yml
|
||||
# If you want to use a keycloak for local testing, you can use testing/external-keycloak.yml and testing/ldap-manager.yml
|
||||
# Domain of your Identity Provider.
|
||||
IDP_DOMAIN=
|
||||
# IdP Issuer URL, which is used to identify the Identity Provider.
|
||||
# We need the complete URL, including the protocol (http or https) and the realm.
|
||||
# Example: "https://keycloak.qsfera.test/realms/qsfera"
|
||||
IDP_ISSUER_URL=
|
||||
# Url of the account edit page from your Identity Provider.
|
||||
IDP_ACCOUNT_URL=
|
||||
|
||||
## Shared User Directory Mode ##
|
||||
# Use together with idm/ldap-keycloak.yml and traefik/ldap-keycloak.yml
|
||||
# Domain for Keycloak. Defaults to "keycloak.qsfera.test".
|
||||
KEYCLOAK_DOMAIN=
|
||||
# Admin user login name. Defaults to "kcadmin".
|
||||
KEYCLOAK_ADMIN=
|
||||
# Admin user login password. Defaults to "admin".
|
||||
KEYCLOAK_ADMIN_PASSWORD=
|
||||
# Keycloak Database username. Defaults to "keycloak".
|
||||
KC_DB_USERNAME=
|
||||
# Keycloak Database password. Defaults to "keycloak".
|
||||
KC_DB_PASSWORD=
|
||||
@@ -0,0 +1,49 @@
|
||||
# Development/Test Deployment for a multi-tenacy setup
|
||||
|
||||
The docker compose files in this directory are derived from the
|
||||
qsfera-compose project and can be used to deploy a Development or Testing
|
||||
environment for a multi-tenancy setup of КуСфера. It consists of the
|
||||
following services:
|
||||
|
||||
* `provisioning`: The КуСфера graph service deployed in a standalone mode. It
|
||||
is configured to provide the libregraph education API for managing tenants
|
||||
and users. The `ldap-server`service (see below) is used to store the tenants
|
||||
and users.
|
||||
* `ldap-server`: An OpenLDAP server that is used by the provisioning service to
|
||||
store tenants and users. Used by the КуСфера services as the user directory
|
||||
(for looking up users and searching for sharees).
|
||||
* `keycloak`: The OpenID Connect Provider used for authenticating users. The
|
||||
pre-loaded realm is configured to add `tenantid` claim into the identity and
|
||||
access tokens. It's also currently consuming user from the `ldap-server`
|
||||
(this federation will likely go away in the future and is optional for future
|
||||
configurations).
|
||||
* `qsfera`: The КуСфера configured so that is hides users from different
|
||||
tenants from each other.
|
||||
|
||||
To deploy the setup, run:
|
||||
|
||||
```bash
|
||||
docker compose -f docker-compose.yml -f keycloak.yml -f ldap-server.yml -f traefik.yml up
|
||||
```
|
||||
|
||||
Once deployed you can use the `initialize_users.go` to create a couple of example
|
||||
tenants and some users in each tenant:
|
||||
|
||||
* Tenant `Famous Coders` with users `dennis` and `grace`
|
||||
* Tenant `Scientists` with users `einstein` and `marie`
|
||||
|
||||
The passwords for the users is set to `demo` in keycloak
|
||||
|
||||
```
|
||||
> go run initialize_users.go
|
||||
Created tenant: Famous Coders with id fc58e19a-3a2a-4afc-90ec-8f94986db340
|
||||
Created user: Dennis Ritchie with id ee1e14e7-b00b-4eec-8b03-a6bf0e29c77c
|
||||
Created user: Grace Hopper with id a29f3afd-e4a3-4552-91e8-cc99e26bffce
|
||||
Created tenant: Scientists with id 18406c53-e2d6-4e83-98b6-a55880eef195
|
||||
Created user: Albert Einstein with id 12023d37-d6ce-4f19-a318-b70866f265ba
|
||||
Created user: Marie Curie with id 30c3c825-c37d-4e85-8195-0142e4884872
|
||||
Setting password for user: grace
|
||||
Setting password for user: marie
|
||||
Setting password for user: dennis
|
||||
Setting password for user: einstein
|
||||
```
|
||||
@@ -0,0 +1,63 @@
|
||||
{
|
||||
"clientId": "КуСфераAndroid",
|
||||
"name": "КуСфера Android App",
|
||||
"surrogateAuthRequired": false,
|
||||
"enabled": true,
|
||||
"alwaysDisplayInConsole": false,
|
||||
"clientAuthenticatorType": "client-secret",
|
||||
"redirectUris": [
|
||||
"oc://android.qsfera.eu"
|
||||
],
|
||||
"webOrigins": [],
|
||||
"notBefore": 0,
|
||||
"bearerOnly": false,
|
||||
"consentRequired": false,
|
||||
"standardFlowEnabled": true,
|
||||
"implicitFlowEnabled": false,
|
||||
"directAccessGrantsEnabled": true,
|
||||
"serviceAccountsEnabled": false,
|
||||
"publicClient": true,
|
||||
"frontchannelLogout": false,
|
||||
"protocol": "openid-connect",
|
||||
"attributes": {
|
||||
"saml.assertion.signature": "false",
|
||||
"saml.force.post.binding": "false",
|
||||
"saml.multivalued.roles": "false",
|
||||
"saml.encrypt": "false",
|
||||
"post.logout.redirect.uris": "oc://android.qsfera.eu",
|
||||
"backchannel.logout.revoke.offline.tokens": "false",
|
||||
"saml.server.signature": "false",
|
||||
"saml.server.signature.keyinfo.ext": "false",
|
||||
"exclude.session.state.from.auth.response": "false",
|
||||
"backchannel.logout.session.required": "true",
|
||||
"client_credentials.use_refresh_token": "false",
|
||||
"saml_force_name_id_format": "false",
|
||||
"saml.client.signature": "false",
|
||||
"tls.client.certificate.bound.access.tokens": "false",
|
||||
"saml.authnstatement": "false",
|
||||
"display.on.consent.screen": "false",
|
||||
"saml.onetimeuse.condition": "false"
|
||||
},
|
||||
"authenticationFlowBindingOverrides": {},
|
||||
"fullScopeAllowed": true,
|
||||
"nodeReRegistrationTimeout": -1,
|
||||
"defaultClientScopes": [
|
||||
"web-origins",
|
||||
"profile",
|
||||
"roles",
|
||||
"groups",
|
||||
"basic",
|
||||
"email"
|
||||
],
|
||||
"optionalClientScopes": [
|
||||
"address",
|
||||
"phone",
|
||||
"offline_access",
|
||||
"microprofile-jwt"
|
||||
],
|
||||
"access": {
|
||||
"view": true,
|
||||
"configure": true,
|
||||
"manage": true
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,64 @@
|
||||
{
|
||||
"clientId": "КуСфераDesktop",
|
||||
"name": "КуСфера Desktop Client",
|
||||
"surrogateAuthRequired": false,
|
||||
"enabled": true,
|
||||
"alwaysDisplayInConsole": false,
|
||||
"clientAuthenticatorType": "client-secret",
|
||||
"redirectUris": [
|
||||
"http://127.0.0.1",
|
||||
"http://localhost"
|
||||
],
|
||||
"webOrigins": [],
|
||||
"notBefore": 0,
|
||||
"bearerOnly": false,
|
||||
"consentRequired": false,
|
||||
"standardFlowEnabled": true,
|
||||
"implicitFlowEnabled": false,
|
||||
"directAccessGrantsEnabled": true,
|
||||
"serviceAccountsEnabled": false,
|
||||
"publicClient": true,
|
||||
"frontchannelLogout": false,
|
||||
"protocol": "openid-connect",
|
||||
"attributes": {
|
||||
"saml.assertion.signature": "false",
|
||||
"saml.force.post.binding": "false",
|
||||
"saml.multivalued.roles": "false",
|
||||
"saml.encrypt": "false",
|
||||
"post.logout.redirect.uris": "+",
|
||||
"backchannel.logout.revoke.offline.tokens": "false",
|
||||
"saml.server.signature": "false",
|
||||
"saml.server.signature.keyinfo.ext": "false",
|
||||
"exclude.session.state.from.auth.response": "false",
|
||||
"backchannel.logout.session.required": "true",
|
||||
"client_credentials.use_refresh_token": "false",
|
||||
"saml_force_name_id_format": "false",
|
||||
"saml.client.signature": "false",
|
||||
"tls.client.certificate.bound.access.tokens": "false",
|
||||
"saml.authnstatement": "false",
|
||||
"display.on.consent.screen": "false",
|
||||
"saml.onetimeuse.condition": "false"
|
||||
},
|
||||
"authenticationFlowBindingOverrides": {},
|
||||
"fullScopeAllowed": true,
|
||||
"nodeReRegistrationTimeout": -1,
|
||||
"defaultClientScopes": [
|
||||
"web-origins",
|
||||
"profile",
|
||||
"roles",
|
||||
"groups",
|
||||
"basic",
|
||||
"email"
|
||||
],
|
||||
"optionalClientScopes": [
|
||||
"address",
|
||||
"phone",
|
||||
"offline_access",
|
||||
"microprofile-jwt"
|
||||
],
|
||||
"access": {
|
||||
"view": true,
|
||||
"configure": true,
|
||||
"manage": true
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,63 @@
|
||||
{
|
||||
"clientId": "КуСфераIOS",
|
||||
"name": "КуСфера iOS App",
|
||||
"surrogateAuthRequired": false,
|
||||
"enabled": true,
|
||||
"alwaysDisplayInConsole": false,
|
||||
"clientAuthenticatorType": "client-secret",
|
||||
"redirectUris": [
|
||||
"oc://ios.qsfera.eu"
|
||||
],
|
||||
"webOrigins": [],
|
||||
"notBefore": 0,
|
||||
"bearerOnly": false,
|
||||
"consentRequired": false,
|
||||
"standardFlowEnabled": true,
|
||||
"implicitFlowEnabled": false,
|
||||
"directAccessGrantsEnabled": true,
|
||||
"serviceAccountsEnabled": false,
|
||||
"publicClient": true,
|
||||
"frontchannelLogout": false,
|
||||
"protocol": "openid-connect",
|
||||
"attributes": {
|
||||
"saml.assertion.signature": "false",
|
||||
"saml.force.post.binding": "false",
|
||||
"saml.multivalued.roles": "false",
|
||||
"saml.encrypt": "false",
|
||||
"post.logout.redirect.uris": "oc://ios.qsfera.eu",
|
||||
"backchannel.logout.revoke.offline.tokens": "false",
|
||||
"saml.server.signature": "false",
|
||||
"saml.server.signature.keyinfo.ext": "false",
|
||||
"exclude.session.state.from.auth.response": "false",
|
||||
"backchannel.logout.session.required": "true",
|
||||
"client_credentials.use_refresh_token": "false",
|
||||
"saml_force_name_id_format": "false",
|
||||
"saml.client.signature": "false",
|
||||
"tls.client.certificate.bound.access.tokens": "false",
|
||||
"saml.authnstatement": "false",
|
||||
"display.on.consent.screen": "false",
|
||||
"saml.onetimeuse.condition": "false"
|
||||
},
|
||||
"authenticationFlowBindingOverrides": {},
|
||||
"fullScopeAllowed": true,
|
||||
"nodeReRegistrationTimeout": -1,
|
||||
"defaultClientScopes": [
|
||||
"web-origins",
|
||||
"profile",
|
||||
"roles",
|
||||
"groups",
|
||||
"basic",
|
||||
"email"
|
||||
],
|
||||
"optionalClientScopes": [
|
||||
"address",
|
||||
"phone",
|
||||
"offline_access",
|
||||
"microprofile-jwt"
|
||||
],
|
||||
"access": {
|
||||
"view": true,
|
||||
"configure": true,
|
||||
"manage": true
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,66 @@
|
||||
{
|
||||
"clientId": "Cyberduck",
|
||||
"name": "Cyberduck",
|
||||
"description": "File transfer utility client",
|
||||
"surrogateAuthRequired": false,
|
||||
"enabled": true,
|
||||
"alwaysDisplayInConsole": false,
|
||||
"clientAuthenticatorType": "client-secret",
|
||||
"redirectUris": [
|
||||
"x-cyberduck-action:oauth",
|
||||
"x-mountainduck-action:oauth"
|
||||
],
|
||||
"webOrigins": [],
|
||||
"notBefore": 0,
|
||||
"bearerOnly": false,
|
||||
"consentRequired": false,
|
||||
"standardFlowEnabled": true,
|
||||
"implicitFlowEnabled": false,
|
||||
"directAccessGrantsEnabled": true,
|
||||
"serviceAccountsEnabled": false,
|
||||
"publicClient": true,
|
||||
"frontchannelLogout": false,
|
||||
"protocol": "openid-connect",
|
||||
"attributes": {
|
||||
"saml.assertion.signature": "false",
|
||||
"saml.force.post.binding": "false",
|
||||
"saml.multivalued.roles": "false",
|
||||
"saml.encrypt": "false",
|
||||
"oauth2.device.authorization.grant.enabled": "false",
|
||||
"backchannel.logout.revoke.offline.tokens": "false",
|
||||
"saml.server.signature": "false",
|
||||
"saml.server.signature.keyinfo.ext": "false",
|
||||
"exclude.session.state.from.auth.response": "false",
|
||||
"oidc.ciba.grant.enabled": "false",
|
||||
"backchannel.logout.session.required": "true",
|
||||
"client_credentials.use_refresh_token": "false",
|
||||
"saml_force_name_id_format": "false",
|
||||
"saml.client.signature": "false",
|
||||
"tls.client.certificate.bound.access.tokens": "false",
|
||||
"saml.authnstatement": "false",
|
||||
"display.on.consent.screen": "false",
|
||||
"saml.onetimeuse.condition": "false"
|
||||
},
|
||||
"authenticationFlowBindingOverrides": {},
|
||||
"fullScopeAllowed": true,
|
||||
"nodeReRegistrationTimeout": -1,
|
||||
"defaultClientScopes": [
|
||||
"web-origins",
|
||||
"profile",
|
||||
"roles",
|
||||
"groups",
|
||||
"basic",
|
||||
"email"
|
||||
],
|
||||
"optionalClientScopes": [
|
||||
"address",
|
||||
"phone",
|
||||
"offline_access",
|
||||
"microprofile-jwt"
|
||||
],
|
||||
"access": {
|
||||
"view": true,
|
||||
"configure": true,
|
||||
"manage": true
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,74 @@
|
||||
{
|
||||
"clientId": "web",
|
||||
"name": "КуСфера Web App",
|
||||
"description": "",
|
||||
"rootUrl": "{{OC_URL}}",
|
||||
"adminUrl": "{{OC_URL}}",
|
||||
"baseUrl": "",
|
||||
"surrogateAuthRequired": false,
|
||||
"enabled": true,
|
||||
"alwaysDisplayInConsole": false,
|
||||
"clientAuthenticatorType": "client-secret",
|
||||
"redirectUris": [
|
||||
"{{OC_URL}}/",
|
||||
"{{OC_URL}}/oidc-callback.html",
|
||||
"{{OC_URL}}/oidc-silent-redirect.html"
|
||||
],
|
||||
"webOrigins": [
|
||||
"{{OC_URL}}"
|
||||
],
|
||||
"notBefore": 0,
|
||||
"bearerOnly": false,
|
||||
"consentRequired": false,
|
||||
"standardFlowEnabled": true,
|
||||
"implicitFlowEnabled": false,
|
||||
"directAccessGrantsEnabled": true,
|
||||
"serviceAccountsEnabled": false,
|
||||
"publicClient": true,
|
||||
"frontchannelLogout": false,
|
||||
"protocol": "openid-connect",
|
||||
"attributes": {
|
||||
"saml.assertion.signature": "false",
|
||||
"saml.force.post.binding": "false",
|
||||
"saml.multivalued.roles": "false",
|
||||
"saml.encrypt": "false",
|
||||
"post.logout.redirect.uris": "+",
|
||||
"oauth2.device.authorization.grant.enabled": "false",
|
||||
"backchannel.logout.revoke.offline.tokens": "false",
|
||||
"saml.server.signature": "false",
|
||||
"saml.server.signature.keyinfo.ext": "false",
|
||||
"exclude.session.state.from.auth.response": "false",
|
||||
"oidc.ciba.grant.enabled": "false",
|
||||
"backchannel.logout.url": "{{OC_URL}}/backchannel_logout",
|
||||
"backchannel.logout.session.required": "true",
|
||||
"client_credentials.use_refresh_token": "false",
|
||||
"saml_force_name_id_format": "false",
|
||||
"saml.client.signature": "false",
|
||||
"tls.client.certificate.bound.access.tokens": "false",
|
||||
"saml.authnstatement": "false",
|
||||
"display.on.consent.screen": "false",
|
||||
"saml.onetimeuse.condition": "false"
|
||||
},
|
||||
"authenticationFlowBindingOverrides": {},
|
||||
"fullScopeAllowed": true,
|
||||
"nodeReRegistrationTimeout": -1,
|
||||
"defaultClientScopes": [
|
||||
"web-origins",
|
||||
"profile",
|
||||
"roles",
|
||||
"groups",
|
||||
"basic",
|
||||
"email"
|
||||
],
|
||||
"optionalClientScopes": [
|
||||
"address",
|
||||
"phone",
|
||||
"offline_access",
|
||||
"microprofile-jwt"
|
||||
],
|
||||
"access": {
|
||||
"view": true,
|
||||
"configure": true,
|
||||
"manage": true
|
||||
}
|
||||
}
|
||||
+8
@@ -0,0 +1,8 @@
|
||||
#!/bin/bash
|
||||
printenv
|
||||
# replace qsfera domain and LDAP password in keycloak realm import
|
||||
mkdir /opt/keycloak/data/import
|
||||
sed -e "s/cloud.qsfera.test/${OC_DOMAIN}/g" -e "s/ldap-admin-password/${LDAP_ADMIN_PASSWORD:-admin}/g" /opt/keycloak/data/import-dist/qsfera-realm.json > /opt/keycloak/data/import/qsfera-realm.json
|
||||
|
||||
# run original docker-entrypoint
|
||||
/opt/keycloak/bin/kc.sh "$@"
|
||||
File diff suppressed because it is too large
Load Diff
+38
@@ -0,0 +1,38 @@
|
||||
:root {
|
||||
--pf-global--primary-color--100: #e2baff;
|
||||
--pf-global--primary-color--200: #e2baff;
|
||||
--pf-global--primary-color--dark-100: #e2baff;
|
||||
--pf-global--Color--light-100: #20434f;
|
||||
}
|
||||
|
||||
@font-face {
|
||||
font-family: QSfera;
|
||||
src: url('../fonts/QSfera500-Regular.woff2') format('woff2');
|
||||
font-weight: normal;
|
||||
font-style: normal;
|
||||
}
|
||||
|
||||
@font-face {
|
||||
font-family: QSfera;
|
||||
src: url('../fonts/QSfera750-Bold.woff2') format('woff2');
|
||||
font-weight: bold;
|
||||
font-style: normal;
|
||||
}
|
||||
|
||||
body {
|
||||
font-family: "QSfera", "Open Sans", Helvetica, Arial, sans-serif;
|
||||
background: url(../img/background.png) no-repeat center !important;
|
||||
background-size: cover !important;
|
||||
}
|
||||
|
||||
.kc-logo-text {
|
||||
background-image: url(../img/logo.svg) !important;
|
||||
background-size: contain;
|
||||
width: 400px;
|
||||
margin: 0 !important;
|
||||
}
|
||||
|
||||
#kc-header-wrapper{
|
||||
display: flex;
|
||||
justify-content: center;
|
||||
}
|
||||
BIN
Binary file not shown.
BIN
Binary file not shown.
BIN
Binary file not shown.
|
After Width: | Height: | Size: 30 KiB |
+15
@@ -0,0 +1,15 @@
|
||||
<svg width="170" height="35" viewBox="0 0 170 35" fill="none" xmlns="http://www.w3.org/2000/svg" role="img" aria-label="КуСфера">
|
||||
<g transform="scale(0.1944444444)">
|
||||
<path fill="#061D2B" d="M34,12h112C158,12 168,22 168,34v112C168,158 158,168 146,168H34C22,168 12,158 12,146V34C12,22 22,12 34,12z"/>
|
||||
<path fill="#123E55" fill-opacity="0.74" d="M12,45C48,19 87,20 121,48C145,68 158,68 168,60V34C168,22 158,12 146,12H34C22,12 12,22 12,34z"/>
|
||||
<path fill="#19B8C9" fill-opacity="0.18" d="M12,126C46,105 82,104 114,124C139,139 156,139 168,128V146C168,158 158,168 146,168H34C22,168 12,158 12,146z"/>
|
||||
<path fill="none" stroke="#20D6E6" stroke-linecap="round" stroke-width="10" d="M75,47C100,29 138,39 153,70C167,100 151,135 121,147"/>
|
||||
<path fill="none" stroke="#9AF8FF" stroke-linecap="round" stroke-width="4" d="M81,45C101,35 130,39 146,62"/>
|
||||
<path fill="#21D1D6" d="M48,52h25v50h-25z"/>
|
||||
<path fill="#F8FCFF" d="M48,102h25v42h-25z"/>
|
||||
<path fill="#18BFD0" d="M77,94L111,55H143L99,103z"/>
|
||||
<path fill="#F8FCFF" d="M77,104L100,82L148,144H116z"/>
|
||||
<path fill="#9DF8FF" fill-opacity="0.45" d="M48,52h25v8h-25z"/>
|
||||
</g>
|
||||
<text x="47" y="24.5" fill="#20D6E6" font-family="Inter, Segoe UI, Arial, sans-serif" font-size="22" font-weight="700">КуСфера</text>
|
||||
</svg>
|
||||
|
After Width: | Height: | Size: 1.3 KiB |
+19
@@ -0,0 +1,19 @@
|
||||
document.addEventListener("DOMContentLoaded", function () {
|
||||
const setLogoUrl = (url) => {
|
||||
const logoTextSelector = document.querySelector(".kc-logo-text");
|
||||
|
||||
if (!logoTextSelector) {
|
||||
return
|
||||
}
|
||||
|
||||
const link = document.createElement("a");
|
||||
link.href = url;
|
||||
link.target = "_blank";
|
||||
|
||||
const parent = logoTextSelector.parentNode;
|
||||
parent.insertBefore(link, logoTextSelector);
|
||||
link.appendChild(logoTextSelector);
|
||||
}
|
||||
|
||||
setLogoUrl('')
|
||||
});
|
||||
+5
@@ -0,0 +1,5 @@
|
||||
parent=keycloak
|
||||
import=common/keycloak
|
||||
|
||||
styles=css/login.css css/theme.css
|
||||
scripts=js/script.js
|
||||
@@ -0,0 +1,9 @@
|
||||
#!/bin/bash
|
||||
echo "Running custom LDAP entrypoint script..."
|
||||
|
||||
if [ ! -f /opt/bitnami/openldap/share/openldap.key ]
|
||||
then
|
||||
openssl req -x509 -newkey rsa:4096 -keyout /opt/bitnami/openldap/share/openldap.key -out /opt/bitnami/openldap/share/openldap.crt -sha256 -days 365 -batch -nodes
|
||||
fi
|
||||
# run original docker-entrypoint
|
||||
/opt/bitnami/scripts/openldap/entrypoint.sh "$@"
|
||||
@@ -0,0 +1,20 @@
|
||||
dn: dc=qsfera,dc=eu
|
||||
objectClass: organization
|
||||
objectClass: dcObject
|
||||
dc: qsfera
|
||||
o: qsfera
|
||||
|
||||
dn: ou=users,dc=qsfera,dc=eu
|
||||
objectClass: organizationalUnit
|
||||
ou: users
|
||||
|
||||
dn: cn=admin,dc=qsfera,dc=eu
|
||||
objectClass: inetOrgPerson
|
||||
objectClass: person
|
||||
cn: admin
|
||||
sn: admin
|
||||
uid: ldapadmin
|
||||
|
||||
dn: ou=tenants,dc=qsfera,dc=eu
|
||||
objectClass: organizationalUnit
|
||||
ou: tenants
|
||||
@@ -0,0 +1,20 @@
|
||||
dn: uid=admin,ou=users,dc=qsfera,dc=eu
|
||||
objectClass: inetOrgPerson
|
||||
objectClass: organizationalPerson
|
||||
objectClass: person
|
||||
objectClass: top
|
||||
uid: admin
|
||||
givenName: Admin
|
||||
sn: Admin
|
||||
cn: admin
|
||||
displayName: Admin
|
||||
description: An admin for this КуСфера instance.
|
||||
mail: admin@example.org
|
||||
userPassword:: e1NTSEF9UWhmaFB3dERydTUydURoWFFObDRMbzVIckI3TkI5Nmo==
|
||||
|
||||
dn: cn=administrators,ou=groups,dc=qsfera,dc=eu
|
||||
objectClass: groupOfNames
|
||||
objectClass: top
|
||||
cn: administrators
|
||||
description: КуСфера Administrators
|
||||
member: uid=admin,ou=users,dc=qsfera,dc=eu
|
||||
@@ -0,0 +1,47 @@
|
||||
directives:
|
||||
child-src:
|
||||
- '''self'''
|
||||
connect-src:
|
||||
- '''self'''
|
||||
- 'blob:'
|
||||
- 'https://${COMPANION_DOMAIN|companion.qsfera.test}${TRAEFIK_PORT_HTTPS}/'
|
||||
- 'wss://${COMPANION_DOMAIN|companion.qsfera.test}${TRAEFIK_PORT_HTTPS}/'
|
||||
- 'https://raw.githubusercontent.com/qsfera-eu/awesome-apps/'
|
||||
- 'https://${IDP_DOMAIN|keycloak.qsfera.test}${TRAEFIK_PORT_HTTPS}/'
|
||||
- 'https://update.qsfera.eu/'
|
||||
default-src:
|
||||
- '''none'''
|
||||
font-src:
|
||||
- '''self'''
|
||||
frame-ancestors:
|
||||
- '''self'''
|
||||
frame-src:
|
||||
- '''self'''
|
||||
- 'blob:'
|
||||
- 'https://embed.diagrams.net/'
|
||||
# In contrary to bash and docker the default is given after the | character
|
||||
- 'https://${COLLABORA_DOMAIN|collabora.qsfera.test}${TRAEFIK_PORT_HTTPS}/'
|
||||
# This is needed for the external-sites web extension when embedding sites
|
||||
- 'https://docs.qsfera.eu'
|
||||
img-src:
|
||||
- '''self'''
|
||||
- 'data:'
|
||||
- 'blob:'
|
||||
- 'https://raw.githubusercontent.com/qsfera-eu/awesome-apps/'
|
||||
- 'https://tile.openstreetmap.org/'
|
||||
# In contrary to bash and docker the default is given after the | character
|
||||
- 'https://${COLLABORA_DOMAIN|collabora.qsfera.test}${TRAEFIK_PORT_HTTPS}/'
|
||||
manifest-src:
|
||||
- '''self'''
|
||||
media-src:
|
||||
- '''self'''
|
||||
object-src:
|
||||
- '''self'''
|
||||
- 'blob:'
|
||||
script-src:
|
||||
- '''self'''
|
||||
- '''unsafe-inline'''
|
||||
- 'https://${IDP_DOMAIN|keycloak.qsfera.test}${TRAEFIK_PORT_HTTPS}/'
|
||||
style-src:
|
||||
- '''self'''
|
||||
- '''unsafe-inline'''
|
||||
@@ -0,0 +1,40 @@
|
||||
# This adds four additional routes to the proxy. Forwarding
|
||||
# request on '/carddav/', '/caldav/' and the respective '/.well-knwown'
|
||||
# endpoints to the radicale container and setting the required headers.
|
||||
additional_policies:
|
||||
- name: default
|
||||
routes:
|
||||
- endpoint: /caldav/
|
||||
backend: http://radicale:5232
|
||||
remote_user_header: X-Remote-User
|
||||
skip_x_access_token: true
|
||||
additional_headers:
|
||||
- X-Script-Name: /caldav
|
||||
- endpoint: /.well-known/caldav
|
||||
backend: http://radicale:5232
|
||||
remote_user_header: X-Remote-User
|
||||
skip_x_access_token: true
|
||||
additional_headers:
|
||||
- X-Script-Name: /caldav
|
||||
- endpoint: /carddav/
|
||||
backend: http://radicale:5232
|
||||
remote_user_header: X-Remote-User
|
||||
skip_x_access_token: true
|
||||
additional_headers:
|
||||
- X-Script-Name: /carddav
|
||||
- endpoint: /.well-known/carddav
|
||||
backend: http://radicale:5232
|
||||
remote_user_header: X-Remote-User
|
||||
skip_x_access_token: true
|
||||
additional_headers:
|
||||
- X-Script-Name: /carddav
|
||||
# To enable the radicale web UI add this rule.
|
||||
# "unprotected" is True because the Web UI itself ask for
|
||||
# the password.
|
||||
# Also set "type" to "internal" in the config/radicale/config
|
||||
# - endpoint: /caldav/.web/
|
||||
# backend: http://radicale:5232/
|
||||
# unprotected: true
|
||||
# skip_x_access_token: true
|
||||
# additional_headers:
|
||||
# - X-Script-Name: /caldav
|
||||
+72
@@ -0,0 +1,72 @@
|
||||
set -e
|
||||
|
||||
printenv
|
||||
# Function to add arguments to the command
|
||||
add_arg() {
|
||||
TRAEFIK_CMD="$TRAEFIK_CMD $1"
|
||||
}
|
||||
|
||||
# Initialize the base command
|
||||
TRAEFIK_CMD="traefik"
|
||||
|
||||
# Base Traefik arguments (from your existing configuration)
|
||||
add_arg "--log.level=${TRAEFIK_LOG_LEVEL:-ERROR}"
|
||||
# enable dashboard
|
||||
add_arg "--api.dashboard=true"
|
||||
# define entrypoints
|
||||
add_arg "--entryPoints.http.address=:80"
|
||||
add_arg "--entryPoints.http.http.redirections.entryPoint.to=https"
|
||||
add_arg "--entryPoints.http.http.redirections.entryPoint.scheme=https"
|
||||
add_arg "--entryPoints.https.address=:443"
|
||||
# change default timeouts for long-running requests
|
||||
# this is needed for webdav clients that do not support the TUS protocol
|
||||
add_arg "--entryPoints.https.transport.respondingTimeouts.readTimeout=12h"
|
||||
add_arg "--entryPoints.https.transport.respondingTimeouts.writeTimeout=12h"
|
||||
add_arg "--entryPoints.https.transport.respondingTimeouts.idleTimeout=3m"
|
||||
# docker provider (get configuration from container labels)
|
||||
add_arg "--providers.docker.endpoint=unix:///var/run/docker.sock"
|
||||
add_arg "--providers.docker.exposedByDefault=false"
|
||||
# access log
|
||||
add_arg "--accessLog=${TRAEFIK_ACCESS_LOG:-false}"
|
||||
add_arg "--accessLog.format=json"
|
||||
add_arg "--accessLog.fields.headers.names.X-Request-Id=keep"
|
||||
|
||||
# Add Let's Encrypt configuration if enabled
|
||||
if [ "${TRAEFIK_SERVICES_TLS_CONFIG}" = "tls.certresolver=letsencrypt" ]; then
|
||||
echo "Configuring Traefik with Let's Encrypt..."
|
||||
add_arg "--certificatesResolvers.letsencrypt.acme.email=${TRAEFIK_ACME_MAIL:-example@example.org}"
|
||||
add_arg "--certificatesResolvers.letsencrypt.acme.storage=/certs/acme.json"
|
||||
add_arg "--certificatesResolvers.letsencrypt.acme.httpChallenge.entryPoint=http"
|
||||
add_arg "--certificatesResolvers.letsencrypt.acme.caserver=${TRAEFIK_ACME_CASERVER:-https://acme-v02.api.letsencrypt.org/directory}"
|
||||
fi
|
||||
|
||||
# Add local certificate configuration if enabled
|
||||
if [ "${TRAEFIK_SERVICES_TLS_CONFIG}" = "tls=true" ]; then
|
||||
echo "Configuring Traefik with local certificates..."
|
||||
add_arg "--providers.file.directory=/etc/traefik/dynamic"
|
||||
add_arg "--providers.file.watch=true"
|
||||
fi
|
||||
|
||||
# Warning if neither certificate method is enabled
|
||||
if [ "${TRAEFIK_SERVICES_TLS_CONFIG}" != "tls=true" ] && [ "${TRAEFIK_SERVICES_TLS_CONFIG}" != "tls.certresolver=letsencrypt" ]; then
|
||||
echo "WARNING: Neither Let's Encrypt nor local certificates are enabled."
|
||||
echo "HTTPS will not work properly without certificate configuration."
|
||||
fi
|
||||
|
||||
# Add any custom arguments from environment variable
|
||||
if [ -n "${TRAEFIK_CUSTOM_ARGS}" ]; then
|
||||
echo "Adding custom Traefik arguments: ${TRAEFIK_CUSTOM_ARGS}"
|
||||
TRAEFIK_CMD="$TRAEFIK_CMD $TRAEFIK_CUSTOM_ARGS"
|
||||
fi
|
||||
|
||||
# Add any additional arguments passed to the script
|
||||
for arg in "$@"; do
|
||||
add_arg "$arg"
|
||||
done
|
||||
|
||||
# Print the final command for debugging
|
||||
echo "Starting Traefik with command:"
|
||||
echo "$TRAEFIK_CMD"
|
||||
|
||||
# Execute Traefik
|
||||
exec $TRAEFIK_CMD
|
||||
@@ -0,0 +1,119 @@
|
||||
---
|
||||
services:
|
||||
# КуСфера instance configured for multi-tenancy using keycloak as identity provider
|
||||
# The graph service is setup to consume users via the CS3 API.
|
||||
qsfera:
|
||||
image: ${OC_DOCKER_IMAGE:-qsfera/qsfera-rolling}:${OC_DOCKER_TAG:-latest}
|
||||
# changelog: https://github.com/qsfera/server/tree/main/changelog
|
||||
# release notes: https://docs.qsfera.eu/qsfera_release_notes.html
|
||||
networks:
|
||||
qsfera-net:
|
||||
entrypoint:
|
||||
- /bin/sh
|
||||
# run qsfera init to initialize a configuration file with random secrets
|
||||
# it will fail on subsequent runs, because the config file already exists
|
||||
# therefore we ignore the error and then start the qsfera server
|
||||
command: ["-c", "qsfera init || true; qsfera server"]
|
||||
environment:
|
||||
OC_MULTI_TENANT_ENABLED: "true"
|
||||
# enable services that are not started automatically
|
||||
OC_URL: https://${OC_DOMAIN:-cloud.qsfera.test}
|
||||
OC_LOG_LEVEL: ${LOG_LEVEL:-info}
|
||||
OC_LOG_COLOR: "${LOG_PRETTY:-false}"
|
||||
OC_LOG_PRETTY: "${LOG_PRETTY:-false}"
|
||||
OC_EXCLUDE_RUN_SERVICES: idm,idp
|
||||
PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
|
||||
OC_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.qsfera.test}/realms/qsfera
|
||||
PROXY_OIDC_REWRITE_WELLKNOWN: "true"
|
||||
WEB_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web}
|
||||
PROXY_USER_OIDC_CLAIM: "uuid"
|
||||
PROXY_USER_CS3_CLAIM: "userid"
|
||||
WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: "https://${KEYCLOAK_DOMAIN:-keycloak.qsfera.test}/realms/qsfera/account"
|
||||
# admin and demo accounts must be created in Keycloak
|
||||
OC_ADMIN_USER_ID: ""
|
||||
SETTINGS_SETUP_DEFAULT_ASSIGNMENTS: "false"
|
||||
GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
|
||||
GRAPH_USERNAME_MATCH: "none"
|
||||
GROUPS_DRIVER: "null"
|
||||
# This is needed to set the correct CSP rules for КуСфера
|
||||
IDP_DOMAIN: ${KEYCLOAK_DOMAIN:-keycloak.qsfera.test}
|
||||
# do not use SSL between the reverse proxy and КуСфера
|
||||
PROXY_TLS: "false"
|
||||
# INSECURE: needed if КуСфера / reverse proxy is using self generated certificates
|
||||
OC_INSECURE: "${INSECURE:-false}"
|
||||
# basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect)
|
||||
PROXY_ENABLE_BASIC_AUTH: "false"
|
||||
GRAPH_IDENTITY_BACKEND: "cs3"
|
||||
PROXY_CSP_CONFIG_FILE_LOCATION: /etc/qsfera/csp.yaml
|
||||
OC_LDAP_URI: ldaps://ldap-server:1636
|
||||
OC_LDAP_INSECURE: "true"
|
||||
OC_LDAP_BIND_DN: "cn=admin,dc=qsfera,dc=eu"
|
||||
OC_LDAP_BIND_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
|
||||
OC_LDAP_USER_BASE_DN: "ou=users,dc=qsfera,dc=eu"
|
||||
OC_LDAP_USER_SCHEMA_TENANT_ID: "qsferaMemberOfSchool"
|
||||
PROXY_LOG_LEVEL: "debug"
|
||||
volumes:
|
||||
- ./config/qsfera/csp.yaml:/etc/qsfera/csp.yaml
|
||||
# configure the .env file to use own paths instead of docker internal volumes
|
||||
- ${OC_CONFIG_DIR:-qsfera-config}:/etc/qsfera
|
||||
- ${OC_DATA_DIR:-qsfera-data}:/var/lib/qsfera
|
||||
logging:
|
||||
driver: ${LOG_DRIVER:-local}
|
||||
restart: always
|
||||
labels:
|
||||
- "traefik.enable=true"
|
||||
- "traefik.http.routers.qsfera.entrypoints=https"
|
||||
- "traefik.http.routers.qsfera.rule=Host(`${OC_DOMAIN:-cloud.qsfera.test}`)"
|
||||
- "traefik.http.routers.qsfera.service=qsfera"
|
||||
- "traefik.http.services.qsfera.loadbalancer.server.port=9200"
|
||||
- "traefik.http.routers.qsfera.${TRAEFIK_SERVICES_TLS_CONFIG}"
|
||||
# Stand-alone instance of the 'graph' service to serve the provisioning API
|
||||
provsioning:
|
||||
image: ${OC_DOCKER_IMAGE:-qsfera/qsfera-rolling}:${OC_DOCKER_TAG:-latest}
|
||||
networks:
|
||||
qsfera-net:
|
||||
entrypoint:
|
||||
- /bin/sh
|
||||
# run qsfera init to initialize a configuration file with random secrets
|
||||
# it will fail on subsequent runs, because the config file already exists
|
||||
# therefore we ignore the error and then start the qsfera server
|
||||
command: ["-c", "qsfera init || true; qsfera graph server"]
|
||||
environment:
|
||||
OC_LOG_LEVEL: "debug"
|
||||
OC_LOG_COLOR: "${LOG_PRETTY:-false}"
|
||||
OC_LOG_PRETTY: "${LOG_PRETTY:-false}"
|
||||
# This just runs the standalone graph service we don't need access to the registry
|
||||
MICRO_REGISTRY: "memory"
|
||||
# INSECURE: needed if КуСфера / reverse proxy is using self generated certificates
|
||||
OC_INSECURE: "${INSECURE:-false}"
|
||||
GRAPH_HTTP_ADDR: "0.0.0.0:9120"
|
||||
GRAPH_HTTP_API_TOKEN: "${PROVISIONING_API_TOKEN:-changeme}"
|
||||
# disable listening for events
|
||||
GRAPH_EVENTS_ENDPOINT: ""
|
||||
GRAPH_STORE_NODES: ""
|
||||
GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
|
||||
GRAPH_USERNAME_MATCH: "none"
|
||||
GRAPH_LDAP_EDUCATION_RESOURCES_ENABLED: "true"
|
||||
GRAPH_LDAP_SCHOOL_BASE_DN: "ou=tenants,dc=qsfera,dc=eu"
|
||||
OC_LDAP_URI: ldaps://ldap-server:1636
|
||||
OC_LDAP_INSECURE: "true"
|
||||
OC_LDAP_BIND_DN: "cn=admin,dc=qsfera,dc=eu"
|
||||
OC_LDAP_BIND_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
|
||||
OC_LDAP_USER_BASE_DN: "ou=users,dc=qsfera,dc=eu"
|
||||
OC_LDAP_USER_FILTER: "(objectclass=inetOrgPerson)"
|
||||
volumes:
|
||||
# configure the .env file to use own paths instead of docker internal volumes
|
||||
- ${PROVISIONING_CONFIG_DIR:-provisioning-config}:/etc/qsfera
|
||||
logging:
|
||||
driver: ${LOG_DRIVER:-local}
|
||||
restart: always
|
||||
ports:
|
||||
- "9120:9120"
|
||||
|
||||
volumes:
|
||||
qsfera-config:
|
||||
qsfera-data:
|
||||
provisioning-config:
|
||||
|
||||
networks:
|
||||
qsfera-net:
|
||||
@@ -0,0 +1,175 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/tls"
|
||||
"fmt"
|
||||
|
||||
"github.com/Nerzal/gocloak/v13"
|
||||
"github.com/go-resty/resty/v2"
|
||||
libregraph "github.com/opencloud-eu/libre-graph-api-go"
|
||||
)
|
||||
|
||||
const (
|
||||
provisioningAPIURL = "http://localhost:9120/graph"
|
||||
provisioningAuthToken = "changeme"
|
||||
)
|
||||
|
||||
type tenantWithUsers struct {
|
||||
tenant libregraph.EducationSchool
|
||||
users []libregraph.EducationUser
|
||||
}
|
||||
|
||||
var demoTenants = []tenantWithUsers{
|
||||
{
|
||||
tenant: libregraph.EducationSchool{
|
||||
DisplayName: libregraph.PtrString("Famous Coders"),
|
||||
ExternalId: libregraph.PtrString("famouscodersExternalID"),
|
||||
},
|
||||
users: []libregraph.EducationUser{
|
||||
{
|
||||
DisplayName: libregraph.PtrString("Dennis Ritchie"),
|
||||
OnPremisesSamAccountName: libregraph.PtrString("dennis"),
|
||||
Mail: libregraph.PtrString("dennis@example.org"),
|
||||
ExternalId: libregraph.PtrString("ExternalID1"),
|
||||
},
|
||||
{
|
||||
DisplayName: libregraph.PtrString("Grace Hopper"),
|
||||
OnPremisesSamAccountName: libregraph.PtrString("grace"),
|
||||
Mail: libregraph.PtrString("grace@example.org"),
|
||||
ExternalId: libregraph.PtrString("ExternalID2"),
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
tenant: libregraph.EducationSchool{
|
||||
DisplayName: libregraph.PtrString("Scientists"),
|
||||
ExternalId: libregraph.PtrString("scientistsExternalID"),
|
||||
},
|
||||
users: []libregraph.EducationUser{
|
||||
{
|
||||
DisplayName: libregraph.PtrString("Albert Einstein"),
|
||||
OnPremisesSamAccountName: libregraph.PtrString("einstein"),
|
||||
Mail: libregraph.PtrString("einstein@example.org"),
|
||||
ExternalId: libregraph.PtrString("ExternalID3"),
|
||||
},
|
||||
{
|
||||
DisplayName: libregraph.PtrString("Marie Curie"),
|
||||
OnPremisesSamAccountName: libregraph.PtrString("marie"),
|
||||
Mail: libregraph.PtrString("marie@example.org"),
|
||||
ExternalId: libregraph.PtrString("ExternalID4"),
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
func main() {
|
||||
lgconf := libregraph.NewConfiguration()
|
||||
lgconf.Servers = libregraph.ServerConfigurations{
|
||||
{
|
||||
URL: provisioningAPIURL,
|
||||
},
|
||||
}
|
||||
lgconf.DefaultHeader = map[string]string{"Authorization": "Bearer " + provisioningAuthToken}
|
||||
lgclient := libregraph.NewAPIClient(lgconf)
|
||||
|
||||
for _, tenant := range demoTenants {
|
||||
tenantid, err := createTenant(lgclient, tenant.tenant)
|
||||
if err != nil {
|
||||
fmt.Printf("Failed to create tenant: %s\n", err)
|
||||
continue
|
||||
}
|
||||
for _, user := range tenant.users {
|
||||
userid1, err := createUser(lgclient, user)
|
||||
if err != nil {
|
||||
fmt.Printf("Failed to create user: %s\n", err)
|
||||
continue
|
||||
}
|
||||
_, err = lgclient.EducationSchoolApi.AddUserToSchool(context.TODO(), tenantid).EducationUserReference(libregraph.EducationUserReference{
|
||||
OdataId: libregraph.PtrString(fmt.Sprintf("%s/education/users/%s", provisioningAPIURL, userid1)),
|
||||
}).Execute()
|
||||
if err != nil {
|
||||
fmt.Printf("Failed to add user to tenant: %s\n", err)
|
||||
continue
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resetAllUserPasswords()
|
||||
setUserRoles()
|
||||
}
|
||||
|
||||
func createUser(client *libregraph.APIClient, user libregraph.EducationUser) (string, error) {
|
||||
newUser, _, err := client.EducationUserApi.CreateEducationUser(context.TODO()).EducationUser(user).Execute()
|
||||
if err != nil {
|
||||
fmt.Printf("Failed to create user: %s\n", err)
|
||||
return "", err
|
||||
}
|
||||
fmt.Printf("Created user: %s with id %s\n", newUser.GetDisplayName(), newUser.GetId())
|
||||
return newUser.GetId(), nil
|
||||
}
|
||||
|
||||
func createTenant(client *libregraph.APIClient, tenant libregraph.EducationSchool) (string, error) {
|
||||
newTenant, _, err := client.EducationSchoolApi.CreateSchool(context.TODO()).EducationSchool(tenant).Execute()
|
||||
if err != nil {
|
||||
fmt.Printf("Failed to create tenant: %s\n", err)
|
||||
return "", err
|
||||
}
|
||||
fmt.Printf("Created tenant: %s with id %s\n", newTenant.GetDisplayName(), newTenant.GetId())
|
||||
return newTenant.GetId(), nil
|
||||
}
|
||||
|
||||
func setUserRoles() {
|
||||
tls := tls.Config{InsecureSkipVerify: true}
|
||||
restyClient := resty.New().SetTLSClientConfig(&tls)
|
||||
client := gocloak.NewClient("https://keycloak.qsfera.test")
|
||||
client.SetRestyClient(restyClient)
|
||||
ctx := context.Background()
|
||||
token, err := client.LoginAdmin(ctx, "kcadmin", "admin", "master")
|
||||
if err != nil {
|
||||
fmt.Printf("Failed to login: %s\n", err)
|
||||
panic("Something wrong with the credentials or url")
|
||||
}
|
||||
|
||||
role, _ := client.GetRealmRole(ctx, token.AccessToken, "qsfera", "qsferaUser")
|
||||
users, err := client.GetUsers(ctx, token.AccessToken, "qsfera", gocloak.GetUsersParams{})
|
||||
if err != nil {
|
||||
fmt.Printf("%s\n", err)
|
||||
panic("Oh no!, failed to list users :(")
|
||||
}
|
||||
for _, user := range users {
|
||||
err := client.AddRealmRoleToUser(ctx, token.AccessToken, "qsfera", *user.ID, []gocloak.Role{
|
||||
*role,
|
||||
})
|
||||
if err != nil {
|
||||
fmt.Printf("Failed to assign role to user %s: %s\n", *user.Username, err)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func resetAllUserPasswords() {
|
||||
tls := tls.Config{InsecureSkipVerify: true}
|
||||
restyClient := resty.New().SetTLSClientConfig(&tls)
|
||||
client := gocloak.NewClient("https://keycloak.qsfera.test")
|
||||
client.SetRestyClient(restyClient)
|
||||
ctx := context.Background()
|
||||
token, err := client.LoginAdmin(ctx, "kcadmin", "admin", "master")
|
||||
if err != nil {
|
||||
fmt.Printf("Failed to login: %s\n", err)
|
||||
panic("Something wrong with the credentials or url")
|
||||
}
|
||||
|
||||
users, err := client.GetUsers(ctx, token.AccessToken, "qsfera", gocloak.GetUsersParams{})
|
||||
if err != nil {
|
||||
fmt.Printf("%s\n", err)
|
||||
panic("Oh no!, failed to list users :(")
|
||||
}
|
||||
for _, user := range users {
|
||||
fmt.Printf("Setting password for user: %s\n", *user.Username)
|
||||
err = client.SetPassword(ctx, token.AccessToken, *user.ID, "qsfera", "demo", false)
|
||||
if err != nil {
|
||||
fmt.Printf("Failed to set password for user %s: %s\n", *user.Username, err)
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
@@ -0,0 +1,55 @@
|
||||
---
|
||||
services:
|
||||
qsfera:
|
||||
environment:
|
||||
postgres:
|
||||
image: postgres:alpine
|
||||
networks:
|
||||
qsfera-net:
|
||||
volumes:
|
||||
- keycloak_postgres_data:/var/lib/postgresql/data
|
||||
environment:
|
||||
POSTGRES_DB: keycloak
|
||||
POSTGRES_USER: ${KC_DB_USERNAME:-keycloak}
|
||||
POSTGRES_PASSWORD: ${KC_DB_PASSWORD:-keycloak}
|
||||
logging:
|
||||
driver: ${LOG_DRIVER:-local}
|
||||
restart: always
|
||||
|
||||
keycloak:
|
||||
labels:
|
||||
- "traefik.enable=true"
|
||||
- "traefik.http.routers.keycloak.entrypoints=https"
|
||||
- "traefik.http.routers.keycloak.rule=Host(`${KEYCLOAK_DOMAIN:-keycloak.qsfera.test}`)"
|
||||
- "traefik.http.routers.keycloak.${TRAEFIK_SERVICES_TLS_CONFIG}"
|
||||
- "traefik.http.routers.keycloak.service=keycloak"
|
||||
- "traefik.http.services.keycloak.loadbalancer.server.port=8080"
|
||||
image: quay.io/keycloak/keycloak:26.4
|
||||
networks:
|
||||
qsfera-net:
|
||||
command: [ "start", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm" ]
|
||||
entrypoint: [ "/bin/sh", "/opt/keycloak/bin/docker-entrypoint-override.sh" ]
|
||||
volumes:
|
||||
- "./config/keycloak/docker-entrypoint-override.sh:/opt/keycloak/bin/docker-entrypoint-override.sh"
|
||||
- "./config/keycloak/qsfera-realm.dist.json:/opt/keycloak/data/import-dist/qsfera-realm.json"
|
||||
- "./config/keycloak/themes/qsfera:/opt/keycloak/themes/qsfera"
|
||||
environment:
|
||||
OC_DOMAIN: ${OC_DOMAIN:-cloud.qsfera.test}
|
||||
KC_HOSTNAME: ${KEYCLOAK_DOMAIN:-keycloak.qsfera.test}
|
||||
KC_DB: postgres
|
||||
KC_DB_URL: "jdbc:postgresql://postgres:5432/keycloak"
|
||||
KC_DB_USERNAME: ${KC_DB_USERNAME:-keycloak}
|
||||
KC_DB_PASSWORD: ${KC_DB_PASSWORD:-keycloak}
|
||||
KC_FEATURES: impersonation
|
||||
KC_PROXY_HEADERS: xforwarded
|
||||
KC_HTTP_ENABLED: true
|
||||
KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-kcadmin}
|
||||
KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
|
||||
depends_on:
|
||||
- postgres
|
||||
logging:
|
||||
driver: ${LOG_DRIVER:-local}
|
||||
restart: always
|
||||
|
||||
volumes:
|
||||
keycloak_postgres_data:
|
||||
@@ -0,0 +1,32 @@
|
||||
---
|
||||
services:
|
||||
ldap-server:
|
||||
image: bitnamilegacy/openldap:2.6
|
||||
networks:
|
||||
qsfera-net:
|
||||
entrypoint: [ "/bin/sh", "/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh", "/opt/bitnami/scripts/openldap/run.sh" ]
|
||||
environment:
|
||||
BITNAMI_DEBUG: true
|
||||
LDAP_TLS_VERIFY_CLIENT: never
|
||||
LDAP_ENABLE_TLS: "yes"
|
||||
LDAP_TLS_CA_FILE: /opt/bitnami/openldap/share/openldap.crt
|
||||
LDAP_TLS_CERT_FILE: /opt/bitnami/openldap/share/openldap.crt
|
||||
LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/share/openldap.key
|
||||
LDAP_ROOT: "dc=qsfera,dc=eu"
|
||||
LDAP_ADMIN_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
|
||||
ports:
|
||||
- "127.0.0.1:389:1389"
|
||||
- "127.0.0.1:636:1636"
|
||||
volumes:
|
||||
# Only use the base ldif file to create the base structure
|
||||
- ./config/ldap/ldif/10_base.ldif:/ldifs/10_base.ldif
|
||||
# Use the custom schema from qsfera because we are in full control of the ldap server
|
||||
- ../shared/config/ldap/schemas/10_qsfera_schema.ldif:/schemas/10_qsfera_schema.ldif
|
||||
- ../shared/config/ldap/schemas/20_qsfera_education_schema.ldif:/schemas/20_qsfera_education_schema.ldif
|
||||
- ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh
|
||||
- ${LDAP_CERTS_DIR:-ldap-certs}:/opt/bitnami/openldap/share
|
||||
- ${LDAP_DATA_DIR:-ldap-data}:/bitnami/openldap
|
||||
|
||||
volumes:
|
||||
ldap-certs:
|
||||
ldap-data:
|
||||
@@ -0,0 +1,24 @@
|
||||
---
|
||||
# This file can be used to be added to the qsfera_full example
|
||||
# to browse the LDAP server with a web interface.
|
||||
# This is not a production ready setup.
|
||||
services:
|
||||
ldap-manager:
|
||||
image: phpldapadmin/phpldapadmin:latest
|
||||
networks:
|
||||
qsfera-net:
|
||||
environment:
|
||||
LDAP_HOST: ldap-server
|
||||
LDAP_PORT: 1389
|
||||
LDAP_LOGIN_OBJECTCLASS: "inetOrgPerson"
|
||||
APP_URL: "https://${LDAP_MANAGER_DOMAIN:-ldap.qsfera.test}"
|
||||
labels:
|
||||
- "traefik.enable=true"
|
||||
- "traefik.http.routers.ldap-manager.entrypoints=https"
|
||||
- "traefik.http.routers.ldap-manager.rule=Host(`${LDAP_MANAGER_DOMAIN:-ldap.qsfera.test}`)"
|
||||
- "traefik.http.routers.ldap-manager.${TRAEFIK_SERVICES_TLS_CONFIG}"
|
||||
- "traefik.http.routers.ldap-manager.service=ldap-manager"
|
||||
- "traefik.http.services.ldap-manager.loadbalancer.server.port=8080"
|
||||
logging:
|
||||
driver: ${LOG_DRIVER:-local}
|
||||
restart: always
|
||||
@@ -0,0 +1,45 @@
|
||||
---
|
||||
services:
|
||||
qsfera:
|
||||
labels:
|
||||
- "traefik.enable=true"
|
||||
- "traefik.http.routers.qsfera.entrypoints=https"
|
||||
- "traefik.http.routers.qsfera.rule=Host(`${OC_DOMAIN:-cloud.qsfera.test}`)"
|
||||
- "traefik.http.routers.qsfera.service=qsfera"
|
||||
- "traefik.http.services.qsfera.loadbalancer.server.port=9200"
|
||||
- "traefik.http.routers.qsfera.${TRAEFIK_SERVICES_TLS_CONFIG}"
|
||||
traefik:
|
||||
image: traefik:v3.6.7
|
||||
# release notes: https://github.com/traefik/traefik/releases
|
||||
networks:
|
||||
qsfera-net:
|
||||
aliases:
|
||||
- ${OC_DOMAIN:-cloud.qsfera.test}
|
||||
- ${KEYCLOAK_DOMAIN:-keycloak.qsfera.test}
|
||||
entrypoint: [ "/bin/sh", "/opt/traefik/bin/docker-entrypoint-override.sh"]
|
||||
environment:
|
||||
- "TRAEFIK_SERVICES_TLS_CONFIG=${TRAEFIK_SERVICES_TLS_CONFIG:-tls.certresolver=letsencrypt}"
|
||||
- "TRAEFIK_ACME_MAIL=${TRAEFIK_ACME_MAIL:-example@example.org}"
|
||||
- "TRAEFIK_ACME_CASERVER=${TRAEFIK_ACME_CASERVER:-https://acme-v02.api.letsencrypt.org/directory}"
|
||||
- "TRAEFIK_LOG_LEVEL=${TRAEFIK_LOG_LEVEL:-ERROR}"
|
||||
- "TRAEFIK_ACCESS_LOG=${TRAEFIK_ACCESS_LOG:-false}"
|
||||
ports:
|
||||
- "80:80"
|
||||
- "443:443"
|
||||
volumes:
|
||||
- "${DOCKER_SOCKET_PATH:-/var/run/docker.sock}:/var/run/docker.sock:ro"
|
||||
- "./config/traefik/docker-entrypoint-override.sh:/opt/traefik/bin/docker-entrypoint-override.sh"
|
||||
- "${TRAEFIK_CERTS_DIR:-./certs}:/certs"
|
||||
- "./config/traefik/dynamic:/etc/traefik/dynamic"
|
||||
labels:
|
||||
- "traefik.enable=${TRAEFIK_DASHBOARD:-false}"
|
||||
# defaults to admin:admin
|
||||
- "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_BASIC_AUTH_USERS:-admin:$$apr1$$4vqie50r$$YQAmQdtmz5n9rEALhxJ4l.}"
|
||||
- "traefik.http.routers.traefik.entrypoints=https"
|
||||
- "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN:-traefik.qsfera.test}`)"
|
||||
- "traefik.http.routers.traefik.middlewares=traefik-auth"
|
||||
- "traefik.http.routers.traefik.${TRAEFIK_SERVICES_TLS_CONFIG}"
|
||||
- "traefik.http.routers.traefik.service=api@internal"
|
||||
logging:
|
||||
driver: ${LOG_DRIVER:-local}
|
||||
restart: always
|
||||
Reference in New Issue
Block a user