Added new fixes to SSO

2024-08-21 15:23:03 +00:00 · 2024-08-21 15:23:03 +00:00 · df0a331f8f
commit df0a331f8f
parent 2b153f37df
3 changed files with 203 additions and 2 deletions
--- a/lib/gitea.sh
+++ b/lib/gitea.sh
@ -329,4 +329,13 @@ EOF
  /federated/bin/start authelia

  docker exec --user 1000 gitea gitea admin auth add-oauth --name "Authelia" --provider "openidConnect" --key "gitea" --secret "$GITEA_CLIENT_SECRET" --auto-discover-url "https://authelia.$DOMAIN/.well-known/openid-configuration" --skip-local-2fa "true" --scopes "email profile" --group-claim-name "groups" --admin-group "admin" --restricted-group "guest"
+
+cat >> /federated/apps/gitea/.env <<EOF
+GITEA__oauth2_client__ENABLE_AUTO_REGISTRATION=true
+GITEA__oauth2_client__USERNAME=email
+GITEA__oauth2_client__ACCOUNT_LINKING=auto
+EOF
+
+  /federated/bin/stop gitea
+  /federated/bin/start gitea 
 }
--- a/lib/jitsi.sh
+++ b/lib/jitsi.sh
@ -604,7 +604,7 @@ JIBRI_XMPP_PASSWORD=
 #RESTART_POLICY=unless-stopped

 # Jitsi image version (useful for local development)
-#JITSI_IMAGE_VERSION=latest
+JITSI_IMAGE_VERSION=stable-9646
 ENABLE_SIMULCAST=false
 ENABLE_RECORDING=1
 ENABLE_LIVESTREAMING=1
@ -667,7 +667,7 @@ Here is your applications chart with on how to access this service:<br>
  <tr>
    <td class="tg-kwiq">Jitsi</td>
    <td class="tg-kwiq"><a href="https://jitsi.$DOMAIN" target="_blank" rel="noopener noreferrer"><span style="color:#340096">jitsi.$DOMAIN</span></a></td>
-    <td class="tg-kwiq">admin@$DOMAIN<br>admin password above</td>
+    <td class="tg-kwiq">admin@$DOMAIN<br>admin password in panel</td>
    <td class="tg-kwiq">All users in panel have access using user@$DOMAIN</td>
    <td class="tg-kwiq"><a href="https://documentation.federated.computer/docs/getting_started/welcome/" target="_blank" rel="noopener noreferrer"><span style="color:#340096">Click here</span></a></td>
    <td class="tg-kwiq">Jitsi is a zoom replacement video conferencing solution</td>
@ -707,6 +707,29 @@ uninstall_jitsi() {
  # Delete the app directory
  rm -rf /federated/apps/jitsi

+  # Delete the image
+  docker image rm jitsi/jvb:$JITSI_IMAGE_VERSION &> /dev/null
+  docker image rm jitsi/jicofo:$JITSI_IMAGE_VERSION &> /dev/null
+  docker image rm jitsi/prosody:$JITSI_IMAGE_VERSION &> /dev/null
+  docker image rm jitsi/web:$JITSI_IMAGE_VERSION &> /dev/null
+
+  # Delete the DNS record
+  docker exec pdns pdnsutil delete-rrset $DOMAIN jitsi A
+
+  # Uninstall the SSO configuration if it exists in authelia (authelia must exist too)
+  if [[ $(grep "### Jitsi" /federated/apps/authelia/data/config/idproviders.yml 2>/dev/null) ]]; then
+    sed -i '/### Jitsi/,/### /{/### PowerDNS/!{/### /!d}}' /federated/apps/authelia/data/config/idproviders.yml
+    sed -i '/### Jitsi/d' /federated/apps/authelia/data/config/idproviders.yml
+    /federated/bin/stop authelia
+    /federated/bin/start authelia
+  fi
+
+  if [[ -d "/federated/apps/jitsiopenid" ]]; then
+    cd /federated/apps/jitsiopenid && docker-compose -f docker-compose.yml -p jitsiopenid down &> /dev/null
+    rm -rf /federated/apps/jitsiopenid
+    docker image rm mod242/jitsi-go-openid:latest &> /dev/null
+  fi
+
  kill -9 $SPINPID &> /dev/null
  echo -ne "done.\n"
 }
@ -716,3 +739,98 @@ start_jitsi() {

  echo -ne "done."
 }
+configsso_jitsi() {
+  [ ! -d "/federated/apps/authelia" ] && failcheck "Authelia is not installed. You need this first before continuing."
+  [ ! -f "/federated/apps/authelia/data/config/idproviders.yml" ] && failcheck "Authelia idproviders.yml is missing."
+  [[ $(grep "### Jitsi" /federated/apps/authelia/data/config/idproviders.yml 2>/dev/null) ]] && failcheck "Authelia already has a Jitsi configuration."
+
+  JITSI_JWT_APP_SECRET=$(create_password);
+  JITSI_CLIENT_SECRET=$(create_password);
+  #echo "$JITSI_CLIENT_SECRET" > /federated/apps/jitsi/.jitsiclient.secret
+  #chmod 600 /federated/apps/jitsi/.jitsiclient.secret
+  JITSI_CLIENT_SECRET_HASH=$(docker run -it --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --password $JITSI_CLIENT_SECRET | awk '{ print $2 }')
+
+cat >> /federated/apps/authelia/data/config/idproviders.yml <<EOF
+      ### Jitsi
+      - client_id: 'jitsi'
+        client_name: 'Jitsi'
+        client_secret: $JITSI_CLIENT_SECRET_HASH
+        consent_mode: 'implicit'
+        public: false
+        authorization_policy: 'one_factor'
+        redirect_uris:
+          - 'https://jitsi.$DOMAIN/jitsi-openid/callback'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_basic'
+EOF
+
+  # Restart Authelia for changes to take the above configuration
+  /federated/bin/stop authelia
+  /federated/bin/start authelia
+
+  sed -i "s/AUTH_TYPE=.*/AUTH_TYPE=jwt/g" /federated/apps/jitsi/.env
+  sed -i "s/#JWT_APP_ID=.*/JWT_APP_ID=jitsi.$DOMAIN/g" /federated/apps/jitsi/.env
+  sed -i "s/#JWT_APP_SECRET=.*/JWT_APP_SECRET=$JITSI_JWT_APP_SECRET/g" /federated/apps/jitsi/.env
+  sed -i "s/#JWT_ACCEPTED_ISSUERS=.*/JWT_ACCEPTED_ISSUERS=jitsi/g" /federated/apps/jitsi/.env
+  sed -i "s/#JWT_ACCEPTED_AUDIENCES=.*/JWT_ACCEPTED_AUDIENCES=jitsi/g" /federated/apps/jitsi/.env
+  echo "TOKEN_AUTH_URL=https://jitsi.$DOMAIN/jitsi-openid/authenticate?state={state}&room={room}" >> /federated/apps/jitsi/.env
+
+  # Install Jitsi OpenID GO plugin
+  mkdir -p /federated/apps/jitsiopenid &> /dev/null
+
+cat >> /federated/apps/jitsiopenid/docker-compose.yml <<EOF
+version: '3.7'
+
+services:
+  jitsiopenid:
+    image: mod242/jitsi-go-openid:\${IMAGE_VERSION}
+    container_name: jitsiopenid
+    hostname: jitsiopenid.$DOMAIN
+    domainname: $DOMAIN
+    restart: always
+    networks:
+      federated:
+        ipv4_address: 172.99.0.43
+    extra_hosts:
+      - "authelia.$DOMAIN:$EXTERNALIP"
+    env_file:
+      - ./.env
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.services.srv-jitsiopenid.loadbalancer.server.port=3001"
+      - "traefik.http.middlewares.strip-jitsiopenid.stripprefix.prefixes=/jitsi-openid"
+      - "traefik.http.routers.jitsiopenid.middlewares=strip-jitsiopenid"
+      - "traefik.http.routers.jitsiopenid.service=srv-jitsiopenid"
+      - "traefik.http.routers.jitsiopenid.entrypoints=websecure"
+      - "traefik.http.routers.jitsiopenid.rule=Host(\`jitsi.$DOMAIN\`) && PathPrefix(\`/jitsi-openid\`)"
+      - "traefik.http.routers.jitsiopenid.tls=true"
+      - "traefik.http.routers.jitsiopenid.tls.certresolver=letsencrypt"
+
+networks:
+  federated:
+    external: true
+EOF
+
+cat > /federated/apps/jitsiopenid/.env <<EOF
+IMAGE_VERSION="latest"
+JITSI_SECRET=$JITSI_JWT_APP_SECRET
+JITSI_URL=https://jitsi.$DOMAIN
+JITSI_SUB=jitsi.$DOMAIN
+ISSUER_BASE_URL=https://authelia.$DOMAIN
+BASE_URL=https://jitsi.$DOMAIN/jitsi-openid
+CLIENT_ID=jitsi
+SECRET=$JITSI_CLIENT_SECRET
+PREJOIN=false
+DEEPLINK=true
+NAME_KEY=name
+EOF
+chmod 600 /federated/apps/jitsiopenid/.env
+
+  /federated/bin/stop jitsi
+  /federated/bin/start jitsi
+  /federated/bin/start jitsiopenid
+}
--- a/lib/jitsiopenid.sh
+++ b/lib/jitsiopenid.sh
@ -0,0 +1,74 @@
+#!/bin/bash
+#
+# Jitsiopenid Service
+# This logic is in jitsi.sh (and used there) instead of here, but keeping this around anyway
+
+PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+get_appvars
+
+config_jitsiopenid() {
+  echo -ne "\n* Configuring /federated/apps/jitsiopenid container.."
+
+  if [ ! -d "/federated/apps/jitsiopenid" ]; then
+    mkdir -p /federated/apps/jitsiopenid &> /dev/null
+  fi
+
+cat > /federated/apps/jitsiopenid/docker-compose.yml <<EOF
+version: '3.7'
+
+services:
+  jitsiopenid:
+    image: mod242/jitsi-go-openid:\${IMAGE_VERSION}
+    container_name: jitsiopenid
+    hostname: jitsiopenid.$DOMAIN
+    domainname: $DOMAIN
+    restart: always
+    networks:
+      federated:
+        ipv4_address: 172.99.0.43
+    extra_hosts:
+      - "authelia.$DOMAIN:$EXTERNALIP"
+    env_file:
+      - ./.env
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.services.srv-jitsiopenid.loadbalancer.server.port=3001"
+      - "traefik.http.middlewares.strip-jitsiopenid.stripprefix.prefixes=/jitsi-openid"
+      - "traefik.http.routers.jitsiopenid.middlewares=strip-jitsiopenid"
+      - "traefik.http.routers.jitsiopenid.service=srv-jitsiopenid"
+      - "traefik.http.routers.jitsiopenid.entrypoints=websecure"
+      - "traefik.http.routers.jitsiopenid.rule=Host(\`jitsi.$DOMAIN\`) && PathPrefix(\`/jitsi-openid\`) || Host(\`jitsi.$DOMAIN\`) && PathPrefix(\`/callback\`)"
+      - "traefik.http.routers.jitsiopenid.tls=true"
+      - "traefik.http.routers.jitsiopenid.tls.certresolver=letsencrypt"
+
+networks:
+  federated:
+    external: true
+EOF
+
+JWT_APP_SECRET=$(grep JWT_APP_SECRET /federated/apps/jitsi/.env | awk -F= '{ print $2 }')
+JITSI_CLIENT_SECRET=$(cat /federated/apps/jitsi/.jisticlient.secret)
+
+cat > /federated/apps/jitsiopenid/.env <<EOF
+IMAGE_VERSION="latest"
+JITSI_SECRET=$JITSI_SECRET
+JITSI_URL=https://jitsi.$DOMAIN
+JITSI_SUB=jitsi.$DOMAIN
+ISSUER_BASE_URL=https://authelia.$DOMAIN
+BASE_URL=https://jitsi.$DOMAIN
+CLIENT_ID=jitsi
+SECRET=$JITSI_CLIENT_SECRET
+PREJOIN=false
+DEEPLINK=true
+NAME_KEY=name
+EOF
+chmod 600 /federated/apps/jitsiopenid/.env
+ 
+echo -ne "done."
+}
+start_jitsiopenid() {
+  # Start service with command to make sure it's up before proceeding
+  start_service "jitsiopenid" "nc -z 172.99.0.43 3001 &> /dev/null" "7"
+
+  echo -ne "done."
+}