From f81f3ea65ca1df2f418059a8cd405da07107ea42 Mon Sep 17 00:00:00 2001 From: root Date: Wed, 4 Dec 2024 17:36:25 +0000 Subject: [PATCH] Added SSO support for new installs and convertdomain --- bin/convertdomain | 170 ++++++++++++++++++++++++++++++++++++++++-- bin/install-federated | 12 ++- 2 files changed, 174 insertions(+), 8 deletions(-) diff --git a/bin/convertdomain b/bin/convertdomain index d5e4a06..18bcf50 100755 --- a/bin/convertdomain +++ b/bin/convertdomain @@ -121,7 +121,7 @@ convert_traefik() { rm -rf /federated/apps/traefik/data/letsencrypt/acme.json # Start Traefik - docker compose -f /federated/apps/traefik/docker-compose.yml -p traefik up -d &> /dev/null + docker-compose -f /federated/apps/traefik/docker-compose.yml -p traefik up -d &> /dev/null # Keep trying to see that certificates are generated RETRY="20" @@ -134,7 +134,7 @@ convert_traefik() { break else if [ "$RETRY" == 1 ]; then - docker compose -f /federated/apps/traefik/docker-compose.yml -p traefik down &> /dev/null + docker-compose -f /federated/apps/traefik/docker-compose.yml -p traefik down &> /dev/null failcheck "There was a problem starting service /federated/apps/traefik\nCheck the output of 'docker logs traefik'" fi ((RETRY--)) 
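Review bot: The `docker-compose` binary that both replaced lines now call is, on hosts where it is the Compose V1 standalone release, end-of-life since mid-2023 and no longer receives security fixes, so the move away from the `docker compose` plugin should be confirmed as deliberate (presumably the plugin was missing on some installs) rather than pinned by default. A one-line guard set once near the top of the file keeps either flavour working: `COMPOSE=$(command -v docker-compose >/dev/null 2>&1 && echo docker-compose || echo 'docker compose')`, then `$COMPOSE -f /federated/apps/traefik/docker-compose.yml -p traefik up -d` and `$COMPOSE ... down` here. Because both lines send stdout and stderr to /dev/null, a missing binary only surfaces as the generic failcheck after twenty retries, so the guard also gives a faster failure. convert_traefik starts and ends outside these two hunks.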
@@ -497,6 +497,14 @@ fi # Remove configs rm /federated/apps/nextcloud/data/var/www/html/config.sh /federated/apps/nextcloud/data/var/www/html/configs.json + # Configure SSO to Authelia + NEXTCLOUD_CLIENT_SECRET=$(cat /federated/apps/nextcloud/.nextcloud.client.secret) + docker exec -u 33 nextcloud /var/www/html/occ user_oidc:provider:delete Authelia -f + docker exec -u 33 nextcloud /var/www/html/occ config:system:set allow_local_remote_servers --value=true + docker exec -u 33 nextcloud /var/www/html/occ app:enable user_oidc + docker exec -u 33 nextcloud /var/www/html/occ config:system:set --value=true --type=boolean user_oidc use_pkce + docker exec -u 33 nextcloud /var/www/html/occ user_oidc:provider Authelia --clientid="nextcloud" --clientsecret="$NEXTCLOUD_CLIENT_SECRET" --discoveryuri="https://authelia.$DOMAIN_NEW/.well-known/openid-configuration" --mapping-uid=name --endsessionendpointuri=https://authelia.$DOMAIN_NEW/logout + echo -ne "done." } convert_matrix() { 
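Review bot: `config:system:set allow_local_remote_servers --value=true` relaxes Nextcloud's block on outbound requests to local and private addresses for every app and federation request, not only the Authelia discovery fetch, and the hunk does not say why; presumably authelia.$DOMAIN_NEW resolves to an internal address in this deployment, which should be stated on the line, e.g. `# Authelia is reached on the internal compose network; the OIDC discovery fetch needs the local-address restriction lifted`. The client secret is handed to occ as `--clientsecret="$NEXTCLOUD_CLIENT_SECRET"`, which places it in the host and container process lists for the life of the command; if user_oidc accepts the secret from stdin or an environment variable, prefer that. None of the five occ calls is checked, so a failed `app:enable user_oidc` still prints done.; `|| failcheck "Could not register Authelia as OIDC provider in Nextcloud"` on the provider line would keep the file's error convention. `--mapping-uid=name` uses the display-name claim as the account id, which presumably equals the LDAP uid here but should be confirmed, because a mutable or non-unique claim as uid lets one user land in another's account. The enclosing nextcloud function starts outside the hunk.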
@@ -534,8 +542,8 @@ convert_matrix() { # Insert our Postgres and LDAP config cat >> /federated/apps/matrix/data/matrix/homeserver.yaml < /dev/null + # Configure SSO to Authelia + MATRIX_CLIENT_SECRET=$(cat /federated/apps/matrix/.matrix.client.secret) + +cat >> /federated/apps/matrix/data/matrix/homeserver.yaml < /dev/null" - # Delete tne current admin and create the admin user with new domain name + # Delete the current admin and create the admin user with new domain name docker exec --user 1000 gitea bash -c "gitea admin user delete --id 1" docker exec --user 1000 gitea gitea admin user create --admin --username gitea --password $ADMINPASS --email admin@$DOMAIN_NEW + # Configure SSO to Authelia + GITEA_CLIENT_SECRET=$(cat /federated/apps/gitea/.gitea.client.secret) + GITEA_AUTH_ID=$(docker exec --user 1000 gitea gitea admin auth list | tail -1 | awk '{ print $1 }') + docker exec --user 1000 gitea gitea admin auth delete --id ${GITEA_AUTH_ID} + docker exec --user 1000 gitea gitea admin auth add-oauth --name "Authelia" --provider "openidConnect" --key "gitea" --secret "$GITEA_CLIENT_SECRET" --auto-discover-url "https://authelia.$DOMAIN_NEW/.well-known/openid-configuration" --skip-local-2fa "true" --scopes "openid email profile" --group-claim-name "groups" --admin-group "admin" --restricted-group "guest" + echo -ne "done." } convert_caddy() { 
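Review bot: `GITEA_AUTH_ID=$(... gitea admin auth list | tail -1 | awk '{ print $1 }')` deletes whichever authentication source happens to be listed last, which is only the source being replaced by assumption: an empty list yields an empty id and `auth delete --id` with no value, and a source an operator added later is the one removed. Match the row by the name of the source being replaced instead of by position (check the column layout of `auth list` first) and guard with `[[ -n "$GITEA_AUTH_ID" ]] || failcheck "Gitea auth source to replace not found"` before the delete. `--skip-local-2fa "true"` bypasses a user's own Gitea two-factor setting after OIDC login, leaving Authelia's second factor as the only one; that trade deserves a comment on the line, e.g. `# 2FA is enforced by Authelia, so Gitea's local TOTP is skipped for OIDC logins`. `--secret "$GITEA_CLIENT_SECRET"` is visible in `ps` on the host for the duration of the call. The hunk header and the start of convert_gitea are not visible here (the preceding heredoc content is garbled), so only the SSO block through `echo -ne "done."` was reviewed.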
@@ -842,6 +883,8 @@ convert_wordpress() { docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD wordpress -e \"update wp_users set user_email='admin@$DOMAIN_NEW' where ID='1';\"" docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD wordpress -e \"update wp_usermeta set meta_value='admin@$DOMAIN_NEW' where meta_value='admin@$DOMAIN';\"" docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD wordpress -e \"update wp_users set display_name='admin@$DOMAIN_NEW' where ID='1';\"" + docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD wordpress -e \"update wp_options set option_value = '$ORG_NEW Blog' where option_name = 'blogname';\"" + docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD wordpress -e \"update wp_options set option_value = 'admin@$DOMAIN_NEW' where option_name = 'admin_email';\"" # Grab the container IP from docker-compose SERVICE_IP=`grep ipv4_address /federated/apps/wordpress/docker-compose.yml | awk '{ print $2 }'` 
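Review bot: `$ORG_NEW` is interpolated raw into a SQL string literal on the new blogname line, and because the query sits inside a double-quoted `bash -c "..."` the value is re-parsed by the inner shell as well, so an organisation name containing an apostrophe (`O'Brien Ltd`) breaks the UPDATE and one containing `$`, a backtick or `\"` is evaluated as shell before mysql sees it. Escape once for SQL and drop the inner shell: `ORG_SQL=${ORG_NEW//\'/\'\'}` followed by `docker exec pdnsmysql mysql -uroot -p"$MYSQL_ROOTPASSWORD" wordpress -e "update wp_options set option_value = '$ORG_SQL Blog' where option_name = 'blogname';"`. The same double expansion applies to the new admin_email line, though `$DOMAIN_NEW` is presumably validated earlier in the script. convert_wordpress starts outside the hunk.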
@@ -878,6 +921,18 @@ convert_bookstack() { docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD bookstack -e \"update users set email='admin@$DOMAIN_NEW' where id = 1;\"" + # Setup external_auth_id for each user in bookstack users table + BOOKSTACK_SECRET=$(cat /federated/apps/bookstack/.env | grep "DB_PASS" | awk -F= '{ print $2 }') +# for i in $(docker exec pdnsmysql mysql -ubookstack -p${BOOKSTACK_SECRET} bookstack -sN -e "select email from users;"); do +# docker exec pdnsmysql mysql -ubookstack -p${BOOKSTACK_SECRET} bookstack -e "update users set external_auth_id = '$i' where email = '$i'"; +# done + + for i in $(docker exec pdnsmysql mysql -ubookstack -p${BOOKSTACK_SECRET} bookstack -sN -e "select name from users;"); do + NAME_LOWERCASE=$(echo "$i" | tr '[:upper:]' '[:lower:]'); + docker exec pdnsmysql mysql -ubookstack -p${BOOKSTACK_SECRET} bookstack -sN -e "update users set email = '$NAME_LOWERCASE@$DOMAIN_NEW' where name = '$i';"; + docker exec pdnsmysql mysql -ubookstack -p${BOOKSTACK_SECRET} bookstack -sN -e "update users set external_auth_id = '$NAME_LOWERCASE@$DOMAIN_NEW' where name = '$i';"; + done + # Grab the container IP from docker-compose SERVICE_IP=`grep ipv4_address /federated/apps/bookstack/docker-compose.yml | awk '{ print $2 }'` @@ -922,6 +977,10 @@ convert_espocrm() { #### Convert EspoCRM echo -ne "\n* Converting espocrm.." + # Grab the SSO client secret for config below before removing espocrm + ESPOCRM_CLIENT_SECRET=$(cat /federated/apps/espocrm/.env | grep ESPOCRM_CONFIG_OIDC_CLIENT_SECRET | awk -F= '{ print $2 }') + ESPOCRM_IMAGE_VERSION=$(cat /federated/apps/espocrm/.env | grep IMAGE_VERSION | awk -F\" '{ print $2 }') + rm -rf /federated/apps/espocrm mkdir -p /federated/apps/espocrm/data/var/www/html @@ -934,6 +993,8 @@ services: container_name: espocrm hostname: espocrm.$DOMAIN_NEW restart: always + extra_hosts: + - "authelia.$DOMAIN_NEW:$EXTERNALIP" networks: core: ipv4_address: 192.168.0.39 
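Review bot: The new `for i in $(docker exec ... "select name from users;")` loop word-splits the query output, so a user named `Jane Doe` iterates as `Jane` and `Doe`, neither UPDATE matches, and a name with an apostrophe breaks the SQL; `$i` is also spliced unescaped into both the WHERE clause and the email value. Read one row per line with `while IFS= read -r`, double single quotes for the SQL literals, and pass the DB password through `MYSQL_PWD` rather than `-p` on the command line where it is visible in the process list. The loop also replaces every user's email with `<lowercased name>@$DOMAIN_NEW`, which presumably is intended because BookStack names equal LDAP uids here; that assumption should be stated in the comment, since two names differing only in case would collide on the same address. convert_bookstack starts outside the hunk.
```shell
  # Setup external_auth_id for each user in bookstack users table
  BOOKSTACK_SECRET=$(grep '^DB_PASS=' /federated/apps/bookstack/.env | cut -d= -f2-)
  # One row per line (mysql -sN); read -r keeps names with spaces or backslashes intact
  while IFS= read -r user_name; do
    [[ -n "$user_name" ]] || continue
    name_lc=${user_name,,}
    # Double single quotes so the name is safe inside the SQL literals below
    name_sql=${user_name//\'/\'\'}
    email_sql="${name_lc//\'/\'\'}@$DOMAIN_NEW"
    docker exec -e MYSQL_PWD="$BOOKSTACK_SECRET" pdnsmysql mysql -ubookstack bookstack -sN \
      -e "update users set email = '$email_sql', external_auth_id = '$email_sql' where name = '$name_sql';"
  done < <(docker exec -e MYSQL_PWD="$BOOKSTACK_SECRET" pdnsmysql mysql -ubookstack bookstack -sN -e "select name from users;")
  # … unchanged: grab SERVICE_IP from docker-compose …
```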
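Review bot: `grep ESPOCRM_CONFIG_OIDC_CLIENT_SECRET ... | awk -F= '{ print $2 }'` on the new ESPOCRM_CLIENT_SECRET line is unanchored and keeps only the text before the first `=`, so a commented-out copy of the key earlier in .env, or a secret containing `=`, silently yields the wrong value, which is presumably written back into the regenerated .env later in the function. Anchor the key and keep the remainder of the line: `ESPOCRM_CLIENT_SECRET=$(grep '^ESPOCRM_CONFIG_OIDC_CLIENT_SECRET=' /federated/apps/espocrm/.env | cut -d= -f2-)`. Because `rm -rf /federated/apps/espocrm` follows two lines later, an empty result cannot be recovered; `[[ -n "$ESPOCRM_CLIENT_SECRET" ]] || failcheck "EspoCRM OIDC client secret not found in .env"` before the rm stops the conversion with the data still on disk. convert_espocrm's body continues past the hunk.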
@@ -955,7 +1016,7 @@ EOF ESPOCRM_SECRET=$(create_password); cat > /federated/apps/espocrm/.env < /dev/null" + # Configure SSO to Authelia +cat >> /federated/apps/espocrm/.env < [\n\ 0 => 'profile',\n\ 1 => 'email',\n\ 2 => 'groups',\n\ 3 => 'openid'\n\ ]," /federated/apps/espocrm/data/var/www/html/data/config.php + + # Set auth method to Oidc only + sed -i "s/ESPOCRM_CONFIG_AUTHENTICATION_METHOD=LDAP/#ESPOCRM_CONFIG_AUTHENTICATION_METHOD=LDAP/g" /federated/apps/espocrm/.env + + run_command "/federated/bin/stop espocrm" + run_command "/federated/bin/start espocrm" + echo -ne "done." } convert_dashboard() { @@ -1035,6 +1126,7 @@ convert_roundcube() { sed -i "s#$DOMAIN#$DOMAIN_NEW#g" /federated/apps/roundcube/docker-compose.yml sed -i "s#$DOMAIN#$DOMAIN_NEW#g" /federated/apps/roundcube/.env + sed -i "s#$DOMAIN#$DOMAIN_NEW#g" /federated/apps/roundcube/data/var/www/html/config/config.inc.php # Grab the container IP from docker-compose SERVICE_IP=`grep ipv4_address /federated/apps/roundcube/docker-compose.yml | awk '{ print $2 }'` 
@@ -1044,6 +1136,72 @@ convert_roundcube() { echo -ne "done." } +convert_authelia() { + #### Convert Authelia + echo -ne "\n* Converting authelia.." + + sed -i "s#$DOMAIN#$DOMAIN_NEW#g" /federated/apps/authelia/docker-compose.yml + sed -i "s#$DOMAIN#$DOMAIN_NEW#g" /federated/apps/authelia/.env + sed -i "s#$DOMAIN#$DOMAIN_NEW#g" /federated/apps/authelia/data/config/configuration.yml + sed -i "s#$DOMAIN#$DOMAIN_NEW#g" /federated/apps/authelia/data/config/idproviders.yml + + if [ "${#DOMAIN_ARRAY[@]}" -eq "3" ]; then + sed -i "s#dc=federatedcomputer,dc=cloud#dc=$DOMAIN_FIRST,dc=$DOMAIN_MIDDLE,dc=$DOMAIN_LAST#g" /federated/apps/authelia/.env + else + sed -i "s#dc=federatedcomputer,dc=cloud#dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST#g" /federated/apps/authelia/.env + fi + + # Configure SSO to Authelia + # Delete the entries in the pdns settings table + [[ -d "/federated/apps/pdnsmysql/data/var/lib/mysql/pdnsadmin" ]] && POWERDNS_DB="pdnsadmin" || POWERDNS_DB="pdns" + docker exec pdnsmysql mysql -uroot -p$MYSQL_ROOTPASSWORD $POWERDNS_DB -e "delete from setting where name like '%oidc_oauth%';" + + POWERDNS_CLIENT_SECRET=$(cat /federated/apps/authelia/.powerdns.client.secret) + + # Insert PowerDNS configuration because we need an initial + # config for Authelia to run + PDNS_MYSQL_COMMAND1="insert into setting (name, value) values (\"oidc_oauth_enabled\", \"True\");insert into setting (name, value) values (\"oidc_oauth_key\", \"powerdns\");" + PDNS_MYSQL_COMMAND2="insert into setting (name, value) values (\"oidc_oauth_scope\", \"openid profile groups email\");insert into setting (name, value) values (\"oidc_oauth_api_url\", \"https://authelia.$DOMAIN_NEW/api/oidc/userinfo\");" + PDNS_MYSQL_COMMAND3="insert into setting (name, value) values (\"oidc_oauth_auto_configure\", \"True\");insert into setting (name, value) values (\"oidc_oauth_metadata_url\", \"https://authelia.$DOMAIN_NEW/.well-known/openid-configuration\");" + PDNS_MYSQL_COMMAND4="insert into setting (name, value) values 
(\"oidc_oauth_token_url\", \"\");insert into setting (name, value) values (\"oidc_oauth_authorize_url\", \"\");" + PDNS_MYSQL_COMMAND5="insert into setting (name, value) values (\"oidc_oauth_logout_url\", \"https://authelia.$DOMAIN_NEW/logout\");insert into setting (name, value) values (\"oidc_oauth_username\", \"preferred_username\");" + PDNS_MYSQL_COMMAND6="insert into setting (name, value) values (\"oidc_oauth_email\", \"email\");insert into setting (name, value) values (\"oidc_oauth_firstname\", \"preferred_username\");" + PDNS_MYSQL_COMMAND7="insert into setting (name, value) values (\"oidc_oauth_last_name\", \"name\");insert into setting (name, value) values (\"oidc_oauth_account_name_property\", \"preferred_username\");" + PDNS_MYSQL_COMMAND8="insert into setting (name, value) values (\"oidc_oauth_account_description_property\", \"name\");insert into setting (name, value) values (\"oidc_oauth_secret\", \"$POWERDNS_CLIENT_SECRET\");" + docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD $POWERDNS_DB -e '$PDNS_MYSQL_COMMAND;'" + docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD $POWERDNS_DB -e '$PDNS_MYSQL_COMMAND1;'" + docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD $POWERDNS_DB -e '$PDNS_MYSQL_COMMAND2;'" + docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD $POWERDNS_DB -e '$PDNS_MYSQL_COMMAND3;'" + docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD $POWERDNS_DB -e '$PDNS_MYSQL_COMMAND4;'" + docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD $POWERDNS_DB -e '$PDNS_MYSQL_COMMAND5;'" + docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD $POWERDNS_DB -e '$PDNS_MYSQL_COMMAND6;'" + docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD $POWERDNS_DB -e '$PDNS_MYSQL_COMMAND7;'" + docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD $POWERDNS_DB -e '$PDNS_MYSQL_COMMAND8;'" + + # Grab the container IP from docker-compose + 
SERVICE_IP=`grep ipv4_address /federated/apps/authelia/docker-compose.yml | awk '{ print $2 }'` + + # Start service with command to make sure it's up before proceeding + start_service_convert "authelia" "nc -z $SERVICE_IP 9091 &> /dev/null" + + echo -ne "done." +} +convert_jitsiopenid() { + #### Convert JitsiOpenID + echo -ne "\n* Converting jitsiopenid.." + + sed -i "s#$DOMAIN#$DOMAIN_NEW#g" /federated/apps/jitsiopenid/docker-compose.yml + sed -i "s#$DOMAIN#$DOMAIN_NEW#g" /federated/apps/jitsiopenid/.env + + # Grab the container IP from docker-compose + SERVICE_IP=`grep ipv4_address /federated/apps/jitsiopenid/docker-compose.yml | awk '{ print $2 }'` + + # Start service with command to make sure it's up before proceeding + run_command "/federated/bin/start jitsiopenid" + + echo -ne "done." +} + usage() { echo "$0: " exit 2 diff --git a/bin/install-federated b/bin/install-federated index 3852909..781f78a 100755 --- a/bin/install-federated +++ b/bin/install-federated 
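Review bot: The first of the nine mysql calls in convert_authelia uses `$PDNS_MYSQL_COMMAND` with no digit, a variable the function never sets, so it executes `mysql -e ';'` and would abort the script under `set -u`; delete that line. `$POWERDNS_CLIENT_SECRET` is spliced into the SQL string of PDNS_MYSQL_COMMAND8 and then passed through a double-quoted `bash -c "..."`, so a secret containing `"` breaks the INSERT and one containing `$` or a backtick is expanded by the inner shell before mysql sees it, while the root password and secret sit in the argv of every call. Escape the secret for SQL once, pass each statement straight to mysql without an inner shell, supply the password via `MYSQL_PWD`, and check each call; the rewrite below does that for the secret-bearing statement and the execution loop. convert_jitsiopenid computes `SERVICE_IP` but never uses it and starts the service with `run_command` instead of the readiness wait convert_authelia uses, so either drop the variable or use `start_service_convert "jitsiopenid" "nc -z $SERVICE_IP <port> &> /dev/null"` with the real port.
```shell
  POWERDNS_CLIENT_SECRET=$(cat /federated/apps/authelia/.powerdns.client.secret)
  # Double any single quote so the secret is safe inside the SQL literal below
  POWERDNS_CLIENT_SECRET_SQL=${POWERDNS_CLIENT_SECRET//\'/\'\'}
  # … unchanged: PDNS_MYSQL_COMMAND1..7 …
  PDNS_MYSQL_COMMAND8="insert into setting (name, value) values ('oidc_oauth_account_description_property', 'name');insert into setting (name, value) values ('oidc_oauth_secret', '$POWERDNS_CLIENT_SECRET_SQL');"
  # No inner bash -c: each statement goes straight to mysql, so nothing in it is re-expanded by a shell
  for pdns_sql in "$PDNS_MYSQL_COMMAND1" "$PDNS_MYSQL_COMMAND2" "$PDNS_MYSQL_COMMAND3" "$PDNS_MYSQL_COMMAND4" \
                  "$PDNS_MYSQL_COMMAND5" "$PDNS_MYSQL_COMMAND6" "$PDNS_MYSQL_COMMAND7" "$PDNS_MYSQL_COMMAND8"; do
    docker exec -e MYSQL_PWD="$MYSQL_ROOTPASSWORD" pdnsmysql mysql -uroot "$POWERDNS_DB" -e "$pdns_sql" \
      || failcheck "Could not write PowerDNS-Admin OIDC settings to $POWERDNS_DB"
  done
  # … unchanged: grab SERVICE_IP and start_service_convert "authelia" …
```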
@@ -87,8 +87,10 @@ elif [ "$BUNDLE" = "better" ]; then CORE_APPS=("pdnsmysql" "pdns" "pdnsadmin" "traefik" "postgresql" "ldap") EXTRA_APPS=("mail" "collabora" "nextcloud" "autodiscover" "panel" "vaultwarden" "dashboard" "roundcube" "wordpress" "wireguard" "matrix" "element" "jitsi" "espocrm") elif [ "$BUNDLE" = "best" ]; then - CORE_APPS=("pdnsmysql" "pdns" "pdnsadmin" "traefik" "postgresql" "ldap") - EXTRA_APPS=("mail" "collabora" "nextcloud" "autodiscover" "panel" "vaultwarden" "dashboard" "roundcube" "wordpress" "wireguard" "matrix" "element" "jitsi" "espocrm" "baserow" "bookstack" "gitea" "freescout") +# CORE_APPS=("pdnsmysql" "pdns" "pdnsadmin" "traefik" "postgresql" "ldap") +# EXTRA_APPS=("mail" "collabora" "nextcloud" "autodiscover" "panel" "vaultwarden" "dashboard" "roundcube" "wordpress" "wireguard" "matrix" "element" "jitsi" "espocrm" "baserow" "bookstack" "gitea" "freescout") + CORE_APPS=("pdnsmysql" "pdns" "pdnsadmin" "traefik" "postgresql" "ldap" "mail") + EXTRA_APPS=("authelia" "collabora" "nextcloud" "autodiscover" "panel" "vaultwarden" "dashboard" "roundcube" "wordpress" "wireguard" "matrix" "element" "jitsi" "espocrm" "baserow" "bookstack" "gitea" "freescout") else CORE_APPS=("pdnsmysql" "pdns" "pdnsadmin" "traefik" "postgresql" "ldap") EXTRA_APPS=("mail" "collabora" "nextcloud" "autodiscover" "panel" "vaultwarden" "dashboard" "roundcube" "wordpress" "wireguard" "matrix" "element" "jitsi" "espocrm" "baserow" "bookstack" "gitea" "freescout") @@ -132,6 +134,12 @@ done wait +# Configure SSO for each app +for i in "${EXTRA_APPS[@]}"; do + . /federated/lib/$i.sh + [[ $(type -t configsso_$i) == function ]] && configsso_$i +done + # Add cron jobs for backup, upgrade, dumpcerts add_cron run_finishtasks
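Review bot: The new configsso loop runs for every bundle, but only the `best` branch adds `authelia` to EXTRA_APPS (the `better` and fallback arrays are untouched), so if the configsso_* functions point apps at an Authelia that was never installed the other bundles either fail here or ship half-configured SSO; gate the loop on `[[ " ${EXTRA_APPS[*]} " == *" authelia "* ]]` or add authelia to every bundle, whichever is intended. Neither `. /federated/lib/$i.sh` nor `configsso_$i` is error-checked, and the `&&` chain also hides a non-zero status from `set -e` if the script enables it, so a failed SSO step is silently skipped before add_cron runs; `configsso_$i || failcheck "SSO configuration failed for $i"` keeps the file's existing error convention. The two commented-out `CORE_APPS`/`EXTRA_APPS` lines in the first hunk are dead copies of the `else` branch and should be deleted rather than kept. The `best` branch is also the only one that moves `mail` into CORE_APPS, which looks unrelated to SSO and deserves a mention in the commit message.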