diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 1651d1a..f66c085 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -4,7 +4,7 @@ env:
 VERSION: 2.18.2
 PGVERSION: 15
 DEBIANRELEASE: bookworm
- DOCKERREVISION: 7
+ DOCKERREVISION: 8
 
 on:
 push:
diff --git a/Changes.md b/Changes.md
index 8d53c35..19c717e 100644
--- a/Changes.md
+++ b/Changes.md
@@ -1,5 +1,6 @@
 # Changes
 
+* 2024-04-08: add `DEFAULT_WEBSITE` and `PROTECTION` env var
 * 2024-04-04: add docker revision in version string
 * 2024-04-03: fix cache patch
 * 2024-03-27: add missing Jitsi/logout method
@@ -9,7 +10,7 @@
 * 2024-03-03: Add Jitsi support
 * 2024-02-19: OIDC Auth PKCE
 * 2024-02-12: 2.18.2
-* 2024-01-31: Add SERVERNAME
+* 2024-01-31: Add `SERVERNAME`
 * 2024-01-11: Add patch to provide applications scope
 * 2024-01-11: Add patch to fix OIDC logout when any relyong party failed
 * 2024-01-08: Add fix-dropcsp.patch
diff --git a/base-no-s6/install/etc/cont-init.d/update-llng-conf b/base-no-s6/install/etc/cont-init.d/update-llng-conf
index f1191b7..4bdc456 100755
--- a/base-no-s6/install/etc/cont-init.d/update-llng-conf
+++ b/base-no-s6/install/etc/cont-init.d/update-llng-conf
@@ -15,6 +15,11 @@ if test "$USERLOGGER" = "stderr"; then
 perl -i -ne 'print unless /^userLogger\s*=/;print "userLogger = Lemonldap::NG::Common::Logger::Std\n" if/^\[\s*all\s*\]/;' /etc/lemonldap-ng/lemonldap-ng.ini;
 fi
 
+if test "$DEFAULT_WEBSITE" = "yes"; then
+ echo "Drop Nginx default website"
+ rm -f /etc/nginx/sites-enabled/default
+fi
+
 # OPTIONAL DATABASE FOR CONFIGURATION
 #
 # 1 - Check for PostgreSQL server
@@ -83,8 +88,10 @@ elif [ "$LDAP_URL" != "" ]; then
 fi
 fi
 
+PORTALURL=`portalUrl "$PORTAL"`
+
 /usr/share/docker-llng/updateConf "setDomain" "$SSODOMAIN"
-/usr/share/docker-llng/updateConf "set" portal "$PORTAL"
+/usr/share/docker-llng/updateConf "set" portal "$PORTALURL"
 
 if test "$CROWDSEC_SERVER" != ""; then
 echo "Configure LLNG to use $CROWDSEC_SERVER as Crowdsec server"
diff --git a/base-no-s6/install/usr/bin/portalHost b/base-no-s6/install/usr/bin/portalHost
new file mode 120000
index 0000000..136a1e9
--- /dev/null
+++ b/base-no-s6/install/usr/bin/portalHost
@@ -0,0 +1 @@
+portalUrl
\ No newline at end of file
diff --git a/base-no-s6/install/usr/bin/portalUrl b/base-no-s6/install/usr/bin/portalUrl
new file mode 100755
index 0000000..a74c1ab
--- /dev/null
+++ b/base-no-s6/install/usr/bin/portalUrl
@@ -0,0 +1,14 @@
+#!/usr/bin/perl
+
+use strict;
+
+my $arg = $ARGV[0] or die 'Missing arg';
+my $wantUrl = ($0 =~ /url/i);
+my $prefix = 'https://';
+
+$prefix = $1 if $arg =~ s#^(https?://)##;
+
+$arg =~ s#/.*$##;
+warn 'Maybe bas PORTAL value' unless $arg =~ /^\w[\w\.-]*\w$/;
+
+print $wantUrl ? "$prefix$arg/" : $arg;
diff --git a/base/Dockerfile b/base/Dockerfile
index eff0029..d02b832 100644
--- a/base/Dockerfile
+++ b/base/Dockerfile
@@ -65,6 +65,7 @@ ENV SSODOMAIN=example.com \
 PORTAL_CRON=yes \
 FORCE_KEY_REGENERATION=no \
 DEBIAN_FRONTEND=noninteractive \
+ DEFAULT_WEBSITE=no \
 PGSSLCERT=/tmp/postgres.crt
 
 COPY *.patch /
diff --git a/base/install/etc/cont-init.d/update-llng-conf b/base/install/etc/cont-init.d/update-llng-conf
index f1191b7..4bdc456 100755
--- a/base/install/etc/cont-init.d/update-llng-conf
+++ b/base/install/etc/cont-init.d/update-llng-conf
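Review bot: The new `PORTALURL=\`portalUrl "$PORTAL"\`` line is not checked for failure, so when portalUrl dies (it does for an empty `PORTAL`, via its `or die 'Missing arg'`) PORTALURL is empty and the next added line runs `updateConf "set" portal ""`, silently replacing the configured portal URL instead of stopping. Suggest `PORTALURL=$(portalUrl "$PORTAL") || { echo "portalUrl failed for PORTAL=$PORTAL" >&2; exit 1; }` — or whatever failure handling this init runner expects, since I cannot see whether the script runs under `set -e` — and `$(...)` reads better than backticks. The same unchecked substitution appears in base/install/etc/cont-init.d/update-llng-conf and in the `PORTALHOST=` lines of full/install/etc/cont-init.d/update-nginx-conf and portal/install/etc/cont-init.d/update-nginx-portal-conf, where an empty result ends up in nginx's `server_name`.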
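Review bot: `my $wantUrl = ($0 =~ /url/i);` tests the whole invocation path rather than the program name, so installing the `portalHost` symlink under any directory whose name contains "url" would flip it into URL mode; match on the basename instead, `use File::Basename;` and `my $wantUrl = (basename($0) =~ /url/i);`. In the sanity check, `'Maybe bas PORTAL value'` reads as a typo for "bad", and the `$` anchor in `/^\w[\w\.-]*\w$/` still accepts a trailing newline, so `\z` is the safer end anchor: `warn 'Maybe bad PORTAL value' unless $arg =~ /^\w[\w\.-]*\w\z/;`. The file also has `use strict;` without `use warnings;`. base/install/usr/bin/portalUrl is a byte-identical copy and needs the same changes.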
@@ -15,6 +15,11 @@ if test "$USERLOGGER" = "stderr"; then
 perl -i -ne 'print unless /^userLogger\s*=/;print "userLogger = Lemonldap::NG::Common::Logger::Std\n" if/^\[\s*all\s*\]/;' /etc/lemonldap-ng/lemonldap-ng.ini;
 fi
 
+if test "$DEFAULT_WEBSITE" = "yes"; then
+ echo "Drop Nginx default website"
+ rm -f /etc/nginx/sites-enabled/default
+fi
+
 # OPTIONAL DATABASE FOR CONFIGURATION
 #
 # 1 - Check for PostgreSQL server
@@ -83,8 +88,10 @@ elif [ "$LDAP_URL" != "" ]; then
 fi
 fi
 
+PORTALURL=`portalUrl "$PORTAL"`
+
 /usr/share/docker-llng/updateConf "setDomain" "$SSODOMAIN"
-/usr/share/docker-llng/updateConf "set" portal "$PORTAL"
+/usr/share/docker-llng/updateConf "set" portal "$PORTALURL"
 
 if test "$CROWDSEC_SERVER" != ""; then
 echo "Configure LLNG to use $CROWDSEC_SERVER as Crowdsec server"
diff --git a/base/install/usr/bin/portalHost b/base/install/usr/bin/portalHost
new file mode 120000
index 0000000..136a1e9
--- /dev/null
+++ b/base/install/usr/bin/portalHost
@@ -0,0 +1 @@
+portalUrl
\ No newline at end of file
diff --git a/base/install/usr/bin/portalUrl b/base/install/usr/bin/portalUrl
new file mode 100755
index 0000000..a74c1ab
--- /dev/null
+++ b/base/install/usr/bin/portalUrl
@@ -0,0 +1,14 @@
+#!/usr/bin/perl
+
+use strict;
+
+my $arg = $ARGV[0] or die 'Missing arg';
+my $wantUrl = ($0 =~ /url/i);
+my $prefix = 'https://';
+
+$prefix = $1 if $arg =~ s#^(https?://)##;
+
+$arg =~ s#/.*$##;
+warn 'Maybe bas PORTAL value' unless $arg =~ /^\w[\w\.-]*\w$/;
+
+print $wantUrl ? "$prefix$arg/" : $arg;
diff --git a/full/Dockerfile b/full/Dockerfile
index 932827e..9662b73 100644
--- a/full/Dockerfile
+++ b/full/Dockerfile
@@ -4,6 +4,8 @@ LABEL maintainer="Yadd yadd@debian.org>" \
 name="yadd/lemonldap-ng-full" \
 version="v1.0"
 
+ENV PROTECTION=manager
+
 RUN echo "# Install nginx and portal and manager libs" && \
 apt -y update && \
 apt -y dist-upgrade && \
diff --git a/full/README.md b/full/README.md
index 2338d00..9e8c65a 100644
--- a/full/README.md
+++ b/full/README.md
@@ -28,6 +28,12 @@ docker-compose example to see how to do this using redis and
 
 See [yadd/lemonldap-ng-base](https://github.com/guimard/llng-docker/blob/master/base/README.md#readme)
 
+* Other:
+ * `DEFAULT_WEBSITE` = `no`, if set to `yes` the default Nginx website is
+ deleted
+ * `PROTECTION` = `manager`, set it to `none` if you don't want to protect
+ the manager by LemonLDAP-NG itself
+
 ## Docker-compose example
 
 Example with Crowdsec enabled, Postgres database and Redis to share sessions.
diff --git a/full/install/etc/cont-init.d/update-nginx-conf b/full/install/etc/cont-init.d/update-nginx-conf
index 62a46a6..64b9765 100755
--- a/full/install/etc/cont-init.d/update-nginx-conf
+++ b/full/install/etc/cont-init.d/update-nginx-conf
@@ -1,7 +1,15 @@
 #!/command/with-contenv sh
+PORTAL=${PORTAL:-auth.example.com}
+PORTALHOST=`portalHost "$PORTAL"`
+SSODOMAIN=${SSODOMAIN:-example.com}
+SERVERNAME=${SERVERNAME:-${PORTALHOST}}
+SERVERNAME=${SERVERNAME%/*}
+export SERVERNAME
+
 perl -i -pe 's#__FASTCGISOCKDIR__#/run/llng-fastcgi-server#g;
 s#__PORT__#80#g;
+s#__SERVERNAME__#$ENV{SERVERNAME}#g;
 s#__DNSDOMAIN__#$ENV{SSODOMAIN}#g;
 s#__PORTALSITEDIR__#/usr/share/lemonldap-ng/portal/htdocs/#g;
 s#__PORTALSTATICDIR__#/usr/share/lemonldap-ng/portal/htdocs/static/#g;
@@ -12,5 +20,10 @@ s#__PORT__#80#g;
 s#__DNSDOMAIN__#$ENV{SSODOMAIN}#g;
 s#__MANAGERSITEDIR__#/usr/share/lemonldap-ng/manager/htdocs/#g;
 s#__MANAGERSTATICDIR__#/usr/share/lemonldap-ng/manager/htdocs/static/#g;
-s#__DEFDOCDIR__#/usr/share/doc/lemonldap-ng-doc/#g;
+s#__DEFDOCDIR__#/usr/share/doc/lemonldap-ng/#g;
 ' /etc/lemonldap-ng/manager-nginx.conf
+
+if test "$PROTECTION" != ""; then
+ echo "Set manager protection to $PROTECTION"
+ perl -i -pe 's/^protection\s*=.*$/protection='$PROTECTION'/' /etc/lemonldap-ng/lemonldap-ng.ini
+fi
diff --git a/manager/Dockerfile b/manager/Dockerfile
index 3794a2a..8a5c211 100644
--- a/manager/Dockerfile
+++ b/manager/Dockerfile
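Review bot: In the added `perl -i -pe 's/^protection\s*=.*$/protection='$PROTECTION'/'` the value of `PROTECTION` is spliced into the Perl program text by leaving the shell's single quotes, unquoted, so a value containing `/`, `'`, `$`, whitespace or glob characters changes the one-liner itself (or splits it into several arguments) instead of being written as data; every other substitution in this file keeps the program literal and reads the value through `%ENV`. Suggest `perl -i -pe 's/^protection\s*=.*$/protection=$ENV{PROTECTION}/' /etc/lemonldap-ng/lemonldap-ng.ini` — PROTECTION is already in the environment, which is where the `test "$PROTECTION" != ""` guard reads it. Note also that the pattern is not scoped to an ini section, so it rewrites every `protection =` key in lemonldap-ng.ini; if only the manager section is meant, that is worth confirming. The identical construct is added in manager/install/etc/cont-init.d/update-nginx-manager-conf.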
@@ -4,6 +4,7 @@ LABEL maintainer="Yadd yadd@debian.org>" \ name="yadd/lemonldap-ng-manager" \ version="v1.0" +ENV PROTECTION=manager RUN echo "# Install nginx and manager libs" && \ apt -y update && \ diff --git a/manager/README.md b/manager/README.md index 1ca7583..37c72e5 100644 --- a/manager/README.md +++ b/manager/README.md @@ -28,6 +28,12 @@ docker-compose example to see how to do this using redis and See [yadd/lemonldap-ng-base](https://github.com/guimard/llng-docker/blob/master/base/README.md#readme) +* Other: + * `DEFAULT_WEBSITE` = `no`, if set to `yes` the default Nginx website is + deleted + * `PROTECTION` = `manager`, set it to `none` if you don't want to protect + the manager by LemonLDAP-NG itself + ## Docker-compose example Example with Crowdsec enabled, Postgres database and Redis to share sessions. diff --git a/manager/install/etc/cont-init.d/update-nginx-manager-conf b/manager/install/etc/cont-init.d/update-nginx-manager-conf index b8a61db..2ef6ac2 100755 --- a/manager/install/etc/cont-init.d/update-nginx-manager-conf +++ b/manager/install/etc/cont-init.d/update-nginx-manager-conf @@ -7,3 +7,8 @@ s#__MANAGERSITEDIR__#/usr/share/lemonldap-ng/manager/htdocs/#g; s#__MANAGERSTATICDIR__#/usr/share/lemonldap-ng/manager/htdocs/static/#g; s#__DEFDOCDIR__#/usr/share/doc/lemonldap-ng/#g; ' /etc/lemonldap-ng/manager-nginx.conf + +if test "$PROTECTION" != ""; then + echo "Set manager protection to $PROTECTION" + perl -i -pe 's/^protection\s*=.*$/protection='$PROTECTION'/' /etc/lemonldap-ng/lemonldap-ng.ini +fi diff --git a/portal/install/etc/cont-init.d/update-nginx-portal-conf b/portal/install/etc/cont-init.d/update-nginx-portal-conf index 65e6418..c849959 100755 --- a/portal/install/etc/cont-init.d/update-nginx-portal-conf +++ b/portal/install/etc/cont-init.d/update-nginx-portal-conf 
@@ -1,8 +1,9 @@ #!/command/with-contenv sh PORTAL=${PORTAL:-auth.example.com} +PORTALHOST=`portalHost "$PORTAL"` SSODOMAIN=${SSODOMAIN:-example.com} -SERVERNAME=${SERVERNAME:-${PORTAL#*://}} +SERVERNAME=${SERVERNAME:-${PORTALHOST}} SERVERNAME=${SERVERNAME%/*} export SERVERNAME