change secrets on deploy

This commit is contained in:
Willy Kloucek
2021-02-09 16:00:04 +01:00
parent c32dd3d362
commit 2efbb13e66
19 changed files with 227 additions and 43 deletions

View File

@@ -17,6 +17,8 @@ TRAEFIK_ACME_MAIL=
OCIS_DOCKER_TAG=
# Domain of oCIS, where you can find the frontend. Defaults to "ocis.owncloud.test"
OCIS_DOMAIN=
# JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
OCIS_JWT_SECRET=
### LDAP server settings ###

View File

@@ -51,14 +51,14 @@ services:
environment:
# CS3 users from ldap specific configuration
PROXY_CONFIG_FILE: "/config/proxy-config.json"
LDAP_FILTER: "(&(objectclass=inetOrgPerson)(objectClass=owncloud))"
LDAP_URI: ldap://ldap-server:389
LDAP_BINDDN: "cn=admin,dc=owncloud,dc=com"
LDAP_BINDPW: ${LDAP_ADMIN_PASSWORD:-admin}
LDAP_BASEDN: "dc=owncloud,dc=com"
LDAP_LOGIN_ATTRIBUTE: uid
LDAP_UUID_ATTRIBUTE: "ownclouduuid"
LDAP_UUID_ATTRIBUTE_TYPE: binary
IDP_LDAP_FILTER: "(&(objectclass=inetOrgPerson)(objectClass=owncloud))"
IDP_LDAP_URI: ldap://ldap-server:389
IDP_LDAP_BIND_DN: "cn=admin,dc=owncloud,dc=com"
IDP_LDAP_BIND_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin}
IDP_LDAP_BASE_DN: "dc=owncloud,dc=com"
IDP_LDAP_LOGIN_ATTRIBUTE: uid
IDP_LDAP_UUID_ATTRIBUTE: "ownclouduuid"
IDP_LDAP_UUID_ATTRIBUTE_TYPE: binary
PROXY_ACCOUNT_BACKEND_TYPE: cs3
STORAGE_LDAP_HOSTNAME: ldap-server
STORAGE_LDAP_PORT: 636
@@ -74,6 +74,8 @@ services:
OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates
# change default secrets
OCIS_JWT_SECRET: ${STORAGE_JWT_SECRET:-Pive-Fumkiu4}
volumes:
- ./config/ocis/proxy-config.json:/config/proxy-config.json
- ocis-data:/var/tmp/ocis

View File

@@ -19,6 +19,12 @@ OCIS_DOCKER_TAG=
OCIS_DOMAIN=
# owncloud Web openid connect client id. Defaults to "web"
OCIS_OIDC_CLIENT_ID=
# IDP LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "idp".
IDP_LDAP_BIND_PASSWORD=
# Storage LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "reva".
STORAGE_LDAP_BIND_PASSWORD=
# JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
OCIS_JWT_SECRET=
### Keycloak ###
# Domain of Keycloak, where you can find the managment and authentication frontend. Defaults to "keycloak.owncloud.test"

View File

@@ -0,0 +1,25 @@
#!/bin/sh
set -evx
ocis server&
sleep 10
echo "##################################################"
echo "change default secrets:"
# IDP
IDP_USER_UUID=$(ocis accounts list | grep "| Kopano IDP " | egrep '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}' -o)
echo " IDP user UUID: $IDP_USER_UUID"
ocis accounts update --password $IDP_LDAP_BIND_PASSWORD $IDP_USER_UUID
# REVA
REVA_USER_UUID=$(ocis accounts list | grep " | Reva Inter " | egrep '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}' -o)
echo " Reva user UUID: $REVA_USER_UUID"
ocis accounts update --password $STORAGE_LDAP_BIND_PASSWORD $REVA_USER_UUID
killall ocis
echo "default serets changed"
echo "##################################################"
ocis server

View File

@@ -47,6 +47,9 @@ services:
image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest}
networks:
ocis-net:
entrypoint:
- /bin/sh
- /entrypoint-override.sh
environment:
# Keycloak IDP specific configuration
PROXY_AUTOPROVISION_ACCOUNTS: "true"
@@ -60,7 +63,12 @@ services:
OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates
# change default secrets
IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp}
STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva}
OCIS_JWT_SECRET: ${STORAGE_JWT_SECRET:-Pive-Fumkiu4}
volumes:
- ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
- ocis-data:/var/tmp/ocis
labels:
- "traefik.enable=true"

View File

@@ -17,7 +17,12 @@ TRAEFIK_ACME_MAIL=
OCIS_DOCKER_TAG=
# Domain of oCIS, where you can find the frontend. Defaults to "ocis.owncloud.test"
OCIS_DOMAIN=
# IDP LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "idp".
IDP_LDAP_BIND_PASSWORD=
# Storage LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "reva".
STORAGE_LDAP_BIND_PASSWORD=
# JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
OCIS_JWT_SECRET=
# If you want to use debugging and tracing with this stack,
# you need uncomment following line. Please see documentation at

View File

@@ -0,0 +1,25 @@
#!/bin/sh
set -evx
ocis server&
sleep 10
echo "##################################################"
echo "change default secrets:"
# IDP
IDP_USER_UUID=$(ocis accounts list | grep "| Kopano IDP " | egrep '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}' -o)
echo " IDP user UUID: $IDP_USER_UUID"
ocis accounts update --password $IDP_LDAP_BIND_PASSWORD $IDP_USER_UUID
# REVA
REVA_USER_UUID=$(ocis accounts list | grep " | Reva Inter " | egrep '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}' -o)
echo " Reva user UUID: $REVA_USER_UUID"
ocis accounts update --password $STORAGE_LDAP_BIND_PASSWORD $REVA_USER_UUID
killall ocis
echo "default serets changed"
echo "##################################################"
ocis server

View File

@@ -46,11 +46,19 @@ services:
image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest}
networks:
ocis-net:
entrypoint:
- /bin/sh
- /entrypoint-override.sh
environment:
OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates
# change default secrets
IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp}
STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva}
OCIS_JWT_SECRET: ${STORAGE_JWT_SECRET:-Pive-Fumkiu4}
volumes:
- ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
- ocis-data:/var/tmp/ocis
labels:
- "traefik.enable=true"