From ff15cae0a41f348960b7e539d98b3bf4df398919 Mon Sep 17 00:00:00 2001
From: root <root@f11391a1.federatedcomputer.cloud>
Date: Tue, 13 Aug 2024 19:13:19 +0000
Subject: [PATCH] Added new SSO updates to authelia.sh nextcloud.sh matrix.sh
 gitea.sh

---
 lib/authelia.sh  |  2 +-
 lib/gitea.sh     | 46 +++++++++++++++++++++++++++++++
 lib/matrix.sh    | 70 ++++++++++++++++++++++++++++++++++++++++++++++--
 lib/nextcloud.sh |  5 ++--
 4 files changed, 118 insertions(+), 5 deletions(-)

diff --git a/lib/authelia.sh b/lib/authelia.sh
index f91fb5c..013b72b 100644
--- a/lib/authelia.sh
+++ b/lib/authelia.sh
@@ -109,7 +109,7 @@ authentication_backend:
     start_tls: false
     attributes:
       username: mail
-      display_name: cn
+      display_name: uid
       group_name: gidNumber
       mail: mail
     additional_users_dn: ou=people
diff --git a/lib/gitea.sh b/lib/gitea.sh
index 41d530b..aead8da 100644
--- a/lib/gitea.sh
+++ b/lib/gitea.sh
@@ -254,6 +254,20 @@ uninstall_gitea() {
   # Delete the app directory
   rm -rf /federated/apps/gitea
 
+  # Delete the image
+  docker image rm gitea/gitea:$IMAGE_VERSION &> /dev/null
+
+  # Delete the DNS record
+  docker exec pdns pdnsutil delete-rrset $DOMAIN gitea A
+
+  # Uninstall the SSO configuration if it exists in authelia (authelia must exist too)
+  if [[ $(grep "### Matrix" /federated/apps/authelia/data/config/idproviders.yml 2>/dev/null) ]]; then
+    sed -i '/### Gitea/,/### /{/### PowerDNS/!{/### /!d}}' /federated/apps/authelia/data/config/idproviders.yml
+    sed -i '/### Gitea/d' /federated/apps/authelia/data/config/idproviders.yml
+    /federated/bin/stop authelia
+    /federated/bin/start authelia
+  fi
+
   kill -9 $SPINPID &> /dev/null
   echo -ne "done.\n"
 }
@@ -283,3 +297,35 @@ start_gitea() {
 
   echo -ne "done."
 }
+configsso_gitea() {
+  [ ! -d "/federated/apps/authelia" ] && failcheck "Authelia is not installed. You need this first before continuing."
+  [ ! -f "/federated/apps/authelia/data/config/idproviders.yml" ] && failcheck "Authelia idproviders.yml is missing."
+  [[ $(grep "### Gitea" /federated/apps/authelia/data/config/idproviders.yml 2>/dev/null) ]] && failcheck "Authelia already has a Gitea configuration."
+
+  GITEA_CLIENT_SECRET=$(create_password);
+  GITEA_CLIENT_SECRET_HASH=$(docker run -it --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --password $GITEA_CLIENT_SECRET | awk '{ print $2 }')
+
+cat >> /federated/apps/authelia/data/config/idproviders.yml <<EOF
+      ### Gitea
+      - client_id: 'gitea'
+        client_name: 'Gitea'
+        client_secret: $GITEA_CLIENT_SECRET_HASH
+        consent_mode: 'implicit'
+        public: false
+        authorization_policy: 'one_factor'
+        redirect_uris:
+          - 'https://gitea.$DOMAIN/user/oauth2/authelia/callback'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_basic'
+EOF
+
+  # Restart Authelia for changes to take the above configuration
+  /federated/bin/stop authelia
+  /federated/bin/start authelia
+
+  docker exec --user 1000 gitea gitea admin auth add-oauth --name "Authelia" --provider "openidConnect" --key "gitea" --secret "$GITEA_CLIENT_SECRET" --auto-discover-url "https://authelia.$DOMAIN/.well-known/openid-configuration" --skip-local-2fa "true" --scopes "email profile" --group-claim-name "groups" --admin-group "admin" --restricted-group "guest"
+}
diff --git a/lib/matrix.sh b/lib/matrix.sh
index 1f240f8..423cb5c 100644
--- a/lib/matrix.sh
+++ b/lib/matrix.sh
@@ -32,6 +32,8 @@ services:
         ipv4_address: 172.99.0.19
     volumes:
      - ./data/matrix:/data
+    extra_hosts:
+      - "authelia.$DOMAIN:$EXTERNALIP"
     env_file:
       - ./.env
     labels:
@@ -134,8 +136,7 @@ start_matrix() {
   docker exec postgresql psql -U matrix -c "update users set admin='1' where name='\"@admin:matrix.$DOMAIN\"'" &> /dev/null
 
   docker exec pdns pdnsutil add-record $DOMAIN matrix A 86400 $EXTERNALIP &> /dev/null
-  [ $? -ne 0 ] && fail "Couldn't add dns record"
-
+  [ $? -ne 0 ] && fail "Couldn't add dns record for matrix"
 
   echo -ne "done."
 }
@@ -232,6 +233,71 @@ uninstall_matrix() {
   # Delete the app directory
   rm -rf /federated/apps/matrix
 
+  # Delete the image
+  docker image rm matrixdotorg/synapse:$IMAGE_VERSION &> /dev/null
+
+  # Delete the DNS record
+  docker exec pdns pdnsutil delete-rrset $DOMAIN matrix A
+
+  # Uninstall the SSO configuration if it exists in authelia (authelia must exist too)
+  if [[ $(grep "### Matrix" /federated/apps/authelia/data/config/idproviders.yml 2>/dev/null) ]]; then
+    sed -i '/### Matrix/,/### /{/### PowerDNS/!{/### /!d}}' /federated/apps/authelia/data/config/idproviders.yml
+    sed -i '/### Matrix/d' /federated/apps/authelia/data/config/idproviders.yml
+    /federated/bin/stop authelia
+    /federated/bin/start authelia
+  fi
+
   kill -9 $SPINPID &> /dev/null
   echo -ne "done.\n"
 }
+configsso_matrix() {
+  [ ! -d "/federated/apps/authelia" ] && failcheck "Authelia is not installed. You need this first before continuing."
+  [ ! -f "/federated/apps/authelia/data/config/idproviders.yml" ] && failcheck "Authelia idproviders.yml is missing."
+  [[ $(grep "### Matrix" /federated/apps/authelia/data/config/idproviders.yml 2>/dev/null) ]] && failcheck "Authelia already has a Matrix configuration."
+
+  MATRIX_CLIENT_SECRET=$(create_password);
+  MATRIX_CLIENT_SECRET_HASH=$(docker run -it --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --password $MATRIX_CLIENT_SECRET | awk '{ print $2 }')
+
+cat >> /federated/apps/authelia/data/config/idproviders.yml <<EOF
+      ### Matrix
+      - client_id: 'matrix'
+        client_name: 'Matrix'
+        client_secret: $MATRIX_CLIENT_SECRET_HASH
+        public: false
+        authorization_policy: 'one_factor'
+        redirect_uris:
+          - 'https://matrix.$DOMAIN/_synapse/client/oidc/callback'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+        userinfo_signed_response_alg: 'none'
+EOF
+
+  # Restart Authelia for changes to take the above configuration
+  /federated/bin/stop authelia
+  /federated/bin/start authelia
+
+cat >> /federated/apps/matrix/data/matrix/homeserver.yaml <<EOF
+oidc_providers:
+  - idp_id: authelia
+    idp_name: "Authelia"
+    idp_icon: "mxc://authelia.com/cKlrTPsGvlpKxAYeHWJsdVHI"
+    discover: true
+    issuer: "https://authelia.$DOMAIN"
+    client_id: "matrix"
+    client_secret: "$MATRIX_CLIENT_SECRET"
+    scopes: ["openid", "profile", "email"]
+    allow_existing_users: true
+    user_mapping_provider:
+      config:
+        subject_claim: "sub"
+        localpart_template: "{{ user.name }}"
+        display_name_template: "{{ user.name }}"
+        email_template: "{{ user.email }}"
+EOF
+
+  # Restart Matrix for changes to take the above configuration
+  /federated/bin/stop matrix
+  /federated/bin/start matrix
+}
diff --git a/lib/nextcloud.sh b/lib/nextcloud.sh
index 7b6ac0e..6dd79bb 100644
--- a/lib/nextcloud.sh
+++ b/lib/nextcloud.sh
@@ -247,6 +247,7 @@ PATH=/var/www/html:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/sbin:/bin
 /var/www/html/occ config:system:delete trusted_domains
 /var/www/html/occ config:system:set trusted_domains 1 --value=*
 /var/www/html/occ config:system:set auto_logout --value=false
+/var/www/html/occ config:system:set allow_local_remote_servers --value=true
 /var/www/html/occ group:adduser admin admin
 /var/www/html/occ user:delete nextcloud
 /var/www/html/occ app:enable mail
@@ -372,7 +373,7 @@ cat >> /federated/apps/authelia/data/config/idproviders.yml <<EOF
           - 'email'
           - 'groups'
         userinfo_signed_response_alg: 'none'
-        token_endpoint_auth_method: 'client_secret_post'
+        token_endpoint_auth_method: 'client_secret_basic'
 EOF
 
   # Restart Authelia for changes to take the above configuration
@@ -381,5 +382,5 @@ EOF
 
   docker exec -u 33 nextcloud /var/www/html/occ app:enable user_oidc
   docker exec -u 33 nextcloud /var/www/html/occ config:system:set --value=true --type=boolean user_oidc use_pkce
-  docker exec -u 33 nextcloud /var/www/html/occ user_oidc:provider Authelia --clientid="nextcloud" --clientsecret="$NEXTCLOUD_CLIENT_SECRET" --discoveryuri="https://authelia.$DOMAIN/.well-known/openid-configuration"
+  docker exec -u 33 nextcloud /var/www/html/occ user_oidc:provider Authelia --clientid="nextcloud" --clientsecret="$NEXTCLOUD_CLIENT_SECRET" --discoveryuri="https://authelia.$DOMAIN/.well-known/openid-configuration" --mapping-uid=name --endsessionendpointuri=https://authelia.$DOMAIN/logout
 }