diff --git a/all-apps/authelia/4/Caddyfile b/all-apps/authelia/4/Caddyfile new file mode 100644 index 0000000..af89d41 --- /dev/null +++ b/all-apps/authelia/4/Caddyfile @@ -0,0 +1,5 @@ +{$authelia_SUBDOMAIN}.{$ROOT_DOMAIN} { + import maintenance_intercept + + reverse_proxy authelia:9091 +} diff --git a/all-apps/authelia/4/Makefile b/all-apps/authelia/4/Makefile new file mode 100644 index 0000000..19a868e --- /dev/null +++ b/all-apps/authelia/4/Makefile @@ -0,0 +1,15 @@ +IMAGE_DEPS := $(IMAGE_DEPS) \ +app/authelia/postgres_db \ +app/authelia/postgres_user \ +app/authelia/postgres_password \ +app/authelia/authelia-config/configuration.yml + +app/authelia/postgres_db: $(apps_config) + bash -c 'source ./$(apps_config); printf "%s\n" "$$AUTHELIA_POSTGRES_DB" > $@' +app/authelia/postgres_user: $(apps_config) + bash -c 'source ./$(apps_config); printf "%s\n" "$$AUTHELIA_POSTGRES_USER" > $@' +app/authelia/postgres_password: $(apps_config) + bash -c 'source ./$(apps_config); printf "%s\n" "$$AUTHELIA_POSTGRES_PASSWORD" > $@' +app/authelia/authelia-config/configuration.yml: $(apps_config) app/authelia/authelia-config/configuration.yml.tmpl \ +app/authelia/make-authelia-config.sh + ./app/authelia/make-authelia-config.sh $(apps_config) diff --git a/all-apps/authelia/4/authelia-config/configuration.yml.tmpl b/all-apps/authelia/4/authelia-config/configuration.yml.tmpl new file mode 100644 index 0000000..2ff999b --- /dev/null +++ b/all-apps/authelia/4/authelia-config/configuration.yml.tmpl @@ -0,0 +1,118 @@ +--- +############################################################### +# Authelia configuration # +############################################################### + +server: + address: 'tcp://:9091/authelia' + endpoints: + authz: + forward-auth: + implementation: 'ForwardAuth' + +log: + level: 'debug' + +totp: + issuer: 'authelia.com' + +identity_validation: + reset_password: + jwt_secret: '$AUTHELIA_JWT_SECRET' + +# lldap service account user should instead +# use an account with lldap_password_manager group +# since that can't be used to change an admin password +authentication_backend: + ldap: + address: 'ldap://lldap:3890' + implementation: 'lldap' + timeout: '5s' + pooling: + enable: false + count: 5 + retries: 2 + timeout: '10 seconds' + base_dn: 'DC=nassella,DC=org' +# additional_users_dn: 'OU=users' +# additional_groups_dn: 'OU=groups' +# group_search_mode: 'filter' +# permit_referrals: false + permit_unauthenticated_bind: false + permit_feature_detection_failure: false + user: 'uid=admin,ou=people,dc=nassella,dc=org' + password: '$LLDAP_ADMIN_PASSWORD' + # attributes: + # distinguished_name: 'distinguishedName' + # username: 'uid' + # display_name: 'displayName' + # family_name: 'sn' + # given_name: 'givenName' + # middle_name: 'middleName' + # nickname: '' + # gender: '' + # birthdate: '' + # website: 'wWWHomePage' + # profile: '' + # picture: '' + # zoneinfo: '' + # locale: '' + # phone_number: 'telephoneNumber' + # phone_extension: '' + # street_address: 'streetAddress' + # locality: 'l' + # region: 'st' + # postal_code: 'postalCode' + # country: 'c' + # mail: 'mail' + # member_of: 'memberOf' + # group_name: 'cn' + # extra: + # extra_example: + # name: '' + # multi_valued: false + # value_type: 'string' + +access_control: + default_policy: 'deny' + rules: + # - domain: 'public.x.localhost' + # policy: 'bypass' + # - domain: 'app.nassella.org' + # policy: 'one_factor' + - domain: '$DOZZLE_FULL_DOMAIN' + policy: 'two_factor' + +session: + secret: '$AUTHELIA_SESSION_SECRET' + + cookies: + - name: 'authelia_session' + domain: '$ROOT_DOMAIN' # Should match whatever your root protected domain is + authelia_url: 'https://$AUTHELIA_FULL_DOMAIN' + expiration: '1 hour' # 1 hour + inactivity: '5 minutes' # 5 minutes + +regulation: + max_retries: 3 + find_time: '2 minutes' + ban_time: '5 minutes' + +storage: + encryption_key: '$AUTHELIA_ENCRYPTION_KEY' + postgres: + address: 'tcp://authelia_db:5432' + servers: [] + database: '$AUTHELIA_POSTGRES_DB' + schema: 'public' + username: '$AUTHELIA_POSTGRES_USER' + password: '$AUTHELIA_POSTGRES_PASSWORD' + timeout: '5s' + +notifier: + smtp: + address: 'submission://$SMTP_HOST:$SMTP_PORT' + username: '$SMTP_AUTH_USER' + password: '$SMTP_AUTH_PASSWORD' + sender: '$SMTP_FROM' +... diff --git a/all-apps/authelia/4/docker-compose.yaml b/all-apps/authelia/4/docker-compose.yaml new file mode 100644 index 0000000..5cc36ab --- /dev/null +++ b/all-apps/authelia/4/docker-compose.yaml @@ -0,0 +1,58 @@ +secrets: + authelia_postgres_db: + file: ./authelia/postgres_db + authelia_postgres_password: + file: ./authelia/postgres_password + authelia_postgres_user: + file: ./authelia/postgres_user + +services: + authelia_db: + image: postgres:18-trixie + environment: + - POSTGRES_DB_FILE=/run/secrets/authelia_postgres_db + - POSTGRES_USER_FILE=/run/secrets/authelia_postgres_user + - POSTGRES_PASSWORD_FILE=/run/secrets/authelia_postgres_password + shm_size: 128mb + restart: always + volumes: + - /nassella/authelia/var-lib-postgresql:/var/lib/postgresql + networks: + - authelia_internal_db + healthcheck: + test: ["CMD-SHELL", "pg_isready -d `cat $$POSTGRES_DB_FILE` -U `cat $$POSTGRES_USER_FILE`"] + start_period: 15s + interval: 30s + retries: 3 + timeout: 5s + secrets: + - authelia_postgres_db + - authelia_postgres_password + - authelia_postgres_user + + authelia: + image: 'authelia/authelia' + volumes: + - ./authelia/authelia-config/configuration.yml:/config/configuration.yml:ro + networks: + - lb + - authelia_internal_db + - lldap_internal + depends_on: + lldap: + condition: service_healthy + authelia_db: + condition: service_healthy + restart: 'unless-stopped' + healthcheck: + ## In production the healthcheck section should be commented. + disable: true + +networks: + lb: + lldap_internal: + driver: bridge + internal: true + authelia_internal_db: + driver: bridge + internal: true diff --git a/all-apps/authelia/4/make-authelia-config.sh b/all-apps/authelia/4/make-authelia-config.sh new file mode 100755 index 0000000..49af443 --- /dev/null +++ b/all-apps/authelia/4/make-authelia-config.sh @@ -0,0 +1,31 @@ +#!/bin/bash + +set -e +set -a # export everything in the config for later use by envsubst + +. $1 # source the apps.config file with then env vars + +read -r -a APP_CONFIGS <<< "$APP_CONFIGS" + +authelia_subdomain= +dozzle_subdomain= + +for config_string in ${APP_CONFIGS[@]}; do + IFS=',' + read -r -a config <<< "$config_string" + + app=${config[0]} + subdomain=${config[1]} + + if [ "$app" = "authelia" ]; then + authelia_subdomain="$subdomain" + fi + + if [ "$app" = "dozzle" ]; then + dozzle_subdomain="$subdomain" + fi +done + +export AUTHELIA_FULL_DOMAIN="$authelia_subdomain.$ROOT_DOMAIN" +export DOZZLE_FULL_DOMAIN="$dozzle_subdomain.$ROOT_DOMAIN" +envsubst < app/authelia/authelia-config/configuration.yml.tmpl > app/authelia/authelia-config/configuration.yml diff --git a/all-apps/dozzle/20/Caddyfile b/all-apps/dozzle/20/Caddyfile new file mode 100644 index 0000000..98f7294 --- /dev/null +++ b/all-apps/dozzle/20/Caddyfile @@ -0,0 +1,7 @@ +{$dozzle_SUBDOMAIN}.{$ROOT_DOMAIN} { + forward_auth authelia:9091 { + uri /api/authz/forward-auth + copy_headers Remote-User Remote-Groups Remote-Email Remote-Name + } + reverse_proxy http://dozzle:8080 +} diff --git a/all-apps/dozzle/20/Makefile b/all-apps/dozzle/20/Makefile deleted file mode 100644 index 671ca83..0000000 --- a/all-apps/dozzle/20/Makefile +++ /dev/null @@ -1,5 +0,0 @@ -IMAGE_DEPS := $(IMAGE_DEPS) \ -app/dozzle/Caddyfile - -app/dozzle/Caddyfile: $(apps_config) app/dozzle/make-caddyfile.sh - ./app/dozzle/make-caddyfile.sh $(apps_config) > $@ diff --git a/all-apps/dozzle/20/make-caddyfile.sh b/all-apps/dozzle/20/make-caddyfile.sh deleted file mode 100755 index 7d92c29..0000000 --- a/all-apps/dozzle/20/make-caddyfile.sh +++ /dev/null @@ -1,15 +0,0 @@ -#/bin/bash - -set -e - -. $1 # source the apps.config file with then env vars - -host_admin_password_encoded=`echo "$HOST_ADMIN_PASSWORD" | docker run --rm -i caddy:2 caddy hash-password` - -echo '{$dozzle_SUBDOMAIN}.{$ROOT_DOMAIN} {' -echo " basic_auth {" -echo " $HOST_ADMIN_USER $host_admin_password_encoded" -echo " }" -echo " reverse_proxy http://dozzle:8080" -echo "}" -echo "" diff --git a/all-apps/ghost/6/docker-compose.yaml b/all-apps/ghost/6/docker-compose.yaml index edb5a83..cb5a852 100644 --- a/all-apps/ghost/6/docker-compose.yaml +++ b/all-apps/ghost/6/docker-compose.yaml @@ -57,6 +57,14 @@ services: retries: 120 networks: - ghost_network + command: + - --performance-schema=OFF + - --innodb-buffer-pool-size=64M + - --max-connections=10 + - --table-open-cache=128 + - --table-definition-cache=128 + - --thread-cache-size=2 + - --innodb-log-buffer-size=8M ghost_traffic-analytics: image: ghost/traffic-analytics:1.0 diff --git a/all-apps/lldap/0.6.3/Caddyfile b/all-apps/lldap/0.6.3/Caddyfile new file mode 100644 index 0000000..40ddf9b --- /dev/null +++ b/all-apps/lldap/0.6.3/Caddyfile @@ -0,0 +1,4 @@ +{$lldap_SUBDOMAIN}.{$ROOT_DOMAIN} { + import maintenance_intercept + reverse_proxy http://lldap:17170 +} diff --git a/all-apps/lldap/0.6.3/Makefile b/all-apps/lldap/0.6.3/Makefile new file mode 100644 index 0000000..02247b9 --- /dev/null +++ b/all-apps/lldap/0.6.3/Makefile @@ -0,0 +1,21 @@ +IMAGE_DEPS := $(IMAGE_DEPS) \ +app/lldap/postgres_db \ +app/lldap/postgres_user \ +app/lldap/postgres_password \ +app/lldap/admin_password \ +app/lldap/jwt_secret \ +app/lldap/lldap-config/lldap_config.toml + +app/lldap/postgres_db: $(apps_config) + bash -c 'source ./$(apps_config); printf "%s\n" "$$LLDAP_POSTGRES_DB" > $@' +app/lldap/postgres_user: $(apps_config) + bash -c 'source ./$(apps_config); printf "%s\n" "$$LLDAP_POSTGRES_USER" > $@' +app/lldap/postgres_password: $(apps_config) + bash -c 'source ./$(apps_config); printf "%s\n" "$$LLDAP_POSTGRES_PASSWORD" > $@' +app/lldap/admin_password: $(apps_config) + bash -c 'source ./$(apps_config); printf "%s\n" "$$LLDAP_ADMIN_PASSWORD" > $@' +app/lldap/jwt_secret: $(apps_config) + bash -c 'source ./$(apps_config); printf "%s\n" "$$LLDAP_JWT_SECRET" > $@' +app/lldap/lldap-config/lldap_config.toml: $(apps_config) app/lldap/lldap-config/lldap_config.toml.tmpl \ +app/lldap/make-lldap-config.sh + ./app/lldap/make-lldap-config.sh $(apps_config) diff --git a/all-apps/lldap/0.6.3/docker-compose.yaml b/all-apps/lldap/0.6.3/docker-compose.yaml new file mode 100644 index 0000000..cd760f4 --- /dev/null +++ b/all-apps/lldap/0.6.3/docker-compose.yaml @@ -0,0 +1,65 @@ +secrets: + lldap_postgres_db: + file: ./lldap/postgres_db + lldap_postgres_password: + file: ./lldap/postgres_password + lldap_postgres_user: + file: ./lldap/postgres_user + lldap_admin_password: + file: ./lldap/admin_password + lldap_jwt_secret: + file: ./lldap/jwt_secret + +services: + lldap_db: + image: postgres:18-trixie + environment: + - POSTGRES_DB_FILE=/run/secrets/lldap_postgres_db + - POSTGRES_USER_FILE=/run/secrets/lldap_postgres_user + - POSTGRES_PASSWORD_FILE=/run/secrets/lldap_postgres_password + shm_size: 128mb + restart: always + volumes: + - /nassella/lldap/var-lib-postgresql:/var/lib/postgresql + networks: + - lldap_db_internal + healthcheck: + test: ["CMD-SHELL", "pg_isready -d `cat $$POSTGRES_DB_FILE` -U `cat $$POSTGRES_USER_FILE`"] + start_period: 15s + interval: 30s + retries: 3 + timeout: 5s + secrets: + - lldap_postgres_db + - lldap_postgres_password + - lldap_postgres_user + + lldap: + image: lldap/lldap:stable + environment: + - LLDAP_JWT_SECRET_FILE=/run/secrets/lldap_jwt_secret + - LLDAP_LDAP_USER_PASS_FILE=/run/secrets/lldap_admin_password + volumes: + - ./lldap/lldap-config/:/data + networks: + - lb + - lldap_internal + - lldap_db_internal + depends_on: + lldap_db: + condition: service_healthy + secrets: + - lldap_postgres_db + - lldap_postgres_password + - lldap_postgres_user + - lldap_jwt_secret + - lldap_admin_password + +networks: + lb: + lldap_internal: + driver: bridge + internal: true + lldap_db_internal: + driver: bridge + internal: true diff --git a/all-apps/lldap/0.6.3/lldap-config/lldap_config.toml.tmpl b/all-apps/lldap/0.6.3/lldap-config/lldap_config.toml.tmpl new file mode 100644 index 0000000..dcc8749 --- /dev/null +++ b/all-apps/lldap/0.6.3/lldap-config/lldap_config.toml.tmpl @@ -0,0 +1,161 @@ +## Default configuration for Docker. +## All the values can be overridden through environment variables, prefixed +## with "LLDAP_". For instance, "ldap_port" can be overridden with the +## "LLDAP_LDAP_PORT" variable. + +## Tune the logging to be more verbose by setting this to be true. +## You can set it with the LLDAP_VERBOSE environment variable. +# verbose=false + +## The host address that the LDAP server will be bound to. +## To enable IPv6 support, simply switch "ldap_host" to "::": +## To only allow connections from localhost (if you want to restrict to local self-hosted services), +## change it to "127.0.0.1" ("::1" in case of IPv6). +## If LLDAP server is running in docker, set it to "0.0.0.0" ("::" for IPv6) to allow connections +## originating from outside the container. +ldap_host = "0.0.0.0" + +## The port on which to have the LDAP server. +#ldap_port = 3890 + +## The host address that the HTTP server will be bound to. +## To enable IPv6 support, simply switch "http_host" to "::". +## To only allow connections from localhost (if you want to restrict to local self-hosted services), +## change it to "127.0.0.1" ("::1" in case of IPv6). +## If LLDAP server is running in docker, set it to "0.0.0.0" ("::" for IPv6) to allow connections +## originating from outside the container. +http_host = "0.0.0.0" + +## The port on which to have the HTTP server, for user login and +## administration. +#http_port = 17170 + +## The public URL of the server, for password reset links. +http_url = "https://$LLDAP_FULL_DOMAIN" + +## The path to the front-end assets (relative to the working directory). +#assets_path = "./app" + +## Random secret for JWT signature. +## This secret should be random, and should be shared with application +## servers that need to consume the JWTs. +## Changing this secret will invalidate all user sessions and require +## them to re-login. +## You should probably set it through the LLDAP_JWT_SECRET environment +## variable from a secret ".env" file. +## This can also be set from a file's contents by specifying the file path +## in the LLDAP_JWT_SECRET_FILE environment variable +## You can generate it with (on linux): +## LC_ALL=C tr -dc 'A-Za-z0-9!#%&'\''()*+,-./:;<=>?@[\]^_{|}~' . +from="$SMTP_FROM" +## Same for reply-to, optional. +#reply_to="Do not reply " + +## Options to configure LDAPS. +## To set these options from environment variables, use the following format +## (example with "port"): LLDAP_LDAPS_OPTIONS__PORT +[ldaps_options] +## Whether to enable LDAPS. +#enabled=true +## Port on which to listen. +#port=6360 +## Certificate file. +#cert_file="/data/cert.pem" +## Certificate key file. +#key_file="/data/key.pem" \ No newline at end of file diff --git a/all-apps/lldap/0.6.3/make-lldap-config.sh b/all-apps/lldap/0.6.3/make-lldap-config.sh new file mode 100755 index 0000000..2228e34 --- /dev/null +++ b/all-apps/lldap/0.6.3/make-lldap-config.sh @@ -0,0 +1,25 @@ +#!/bin/bash + +set -e +set -a # export everything in the config for later use by envsubst + +. $1 # source the apps.config file with then env vars + +read -r -a APP_CONFIGS <<< "$APP_CONFIGS" + +lldap_subdomain= + +for config_string in ${APP_CONFIGS[@]}; do + IFS=',' + read -r -a config <<< "$config_string" + + app=${config[0]} + subdomain=${config[1]} + + if [ "$app" = "lldap" ]; then + lldap_subdomain="$subdomain" + fi +done + +export LLDAP_FULL_DOMAIN="$lldap_subdomain.$ROOT_DOMAIN" +envsubst < app/lldap/lldap-config/lldap_config.toml.tmpl > app/lldap/lldap-config/lldap_config.toml diff --git a/all-apps/wordpress/8.4/docker-compose.yaml b/all-apps/wordpress/8.4/docker-compose.yaml index 50de4d1..3140fae 100644 --- a/all-apps/wordpress/8.4/docker-compose.yaml +++ b/all-apps/wordpress/8.4/docker-compose.yaml @@ -65,6 +65,14 @@ services: secrets: - wordpress_db_password - wordpress_db_root_password + command: + - --performance-schema=OFF + - --innodb-buffer-pool-size=64M + - --max-connections=10 + - --table-open-cache=128 + - --table-definition-cache=128 + - --thread-cache-size=2 + - --innodb-log-buffer-size=8M # wordpress_init: # image: wordpress:cli-php8.4 diff --git a/src/db.scm b/src/db.scm index d811e69..ec6df3d 100644 --- a/src/db.scm +++ b/src/db.scm @@ -626,7 +626,9 @@ where user_id=$1;" (2 . "adding-deployments-instance-backup") (3 . "normalizing-apps") (4 . "fixing-app-normalization") - (5 . "adding-wordpress-app"))) + (5 . "adding-wordpress-app") + (6 . "adding-lldap-app") + (7 . "adding-authelia-app"))) (define (run-pending-migrations conn) (let* ((migration-ids (sort (map car *migrations*) <)) diff --git a/src/migrations/6-adding-lldap-app-up.sql b/src/migrations/6-adding-lldap-app-up.sql new file mode 100644 index 0000000..1162d13 --- /dev/null +++ b/src/migrations/6-adding-lldap-app-up.sql @@ -0,0 +1 @@ +insert into apps(app_name) values('lldap'); diff --git a/src/migrations/7-adding-authelia-app-up.sql b/src/migrations/7-adding-authelia-app-up.sql new file mode 100644 index 0000000..5b76de9 --- /dev/null +++ b/src/migrations/7-adding-authelia-app-up.sql @@ -0,0 +1 @@ +insert into apps(app_name) values('authelia'); diff --git a/src/nassella.scm b/src/nassella.scm index ee2adb5..ac0a821 100644 --- a/src/nassella.scm +++ b/src/nassella.scm @@ -947,12 +947,13 @@ chmod -R 777 /opt/keys"))) (input (@ (type "hidden") (name "sid") (value ,(alist-ref 'sid (current-params) equal?)))) (Button (@ (type "submit")) "Create Account")))))) +;; https://app.nassella.org/unsecured/account/create?sid={CHECKOUT_SESSION_ID} (post "/unsecured/account/create-submit" - (let ((email (stripe-session-email (alist-ref 'sid (current-params)))) - (username (alist-ref 'username (current-params)))) - (create-lldap-user username email) - (with-db/transaction (lambda (db) (create-user db email username)))) - (redirect "/authelia/reset-password")) + (let ((email (stripe-session-email (alist-ref 'sid (current-params)))) + (username (alist-ref 'username (current-params)))) + (create-lldap-user username email) + (with-db/transaction (lambda (db) (create-user db email username)))) + (redirect "/authelia/reset-password")) ;;; REQUIRES AUTHED USER (post "/config/wizard/create-instance" @@ -1112,6 +1113,8 @@ chmod -R 777 /opt/keys"))) (else '())) (Field (@ (name "wordpress") (type "checkbox") (label ("wordpress")) (checked ,(member 'wordpress (alist-ref 'selected-apps results))))) + (Field (@ (name "lldap") (type "checkbox") (label ("lldap")) (checked ,(member 'lldap (alist-ref 'selected-apps results))))) + (Field (@ (name "authelia") (type "checkbox") (label ("authelia")) (checked ,(member 'authelia (alist-ref 'selected-apps results))))) (Field (@ (name "log-viewer") (type "checkbox") (label ("Log Viewer")) (checked #t) (disabled "disabled")))) ;; TODO add config for when automatic upgrades are scheduled for? ;; TODO add config for server timezone? @@ -1131,6 +1134,8 @@ chmod -R 777 /opt/keys"))) (ghost . ,(or (and (alist-ref 'ghost (current-params)) "6") #f)) (nassella . ,(or (and (alist-ref 'nassella (current-params)) "b0.0.1") #f)) (wordpress . ,(or (and (alist-ref 'wordpress (current-params)) "8.4") #f)) + (lldap . ,(or (and (alist-ref 'lldap (current-params)) "0.6.3") #f)) + (authelia . ,(or (and (alist-ref 'authelia (current-params)) "4") #f)) (instance-control . "b0.0.1") (log-viewer . "20")))) (update-root-domain db @@ -1194,6 +1199,20 @@ chmod -R 777 /opt/keys"))) (@ (title "Wordpress")) (Field (@ (name "wordpress-subdomain") (label ("Subdomain")) (value ,(alist-ref 'subdomain (alist-ref 'wordpress app-config eq? '()) eq? "wordpress")))))) '()) + ,@(if (member 'lldap selected-apps) + `((Fieldset + (@ (title "LLDAP")) + (Field (@ (name "lldap-subdomain") (label ("Subdomain")) (value ,(alist-ref 'subdomain (alist-ref 'lldap app-config eq? '()) eq? "lldap")))) + (Field (@ (name "lldap-user-email") (label ("Admin Email Address")) (type "email") + (value ,(alist-ref 'user-email (alist-ref 'lldap app-config eq? '()) eq? "")))) + (Field (@ (name "lldap-admin-password") (label ("Admin Password")) (type "password") + (value ,(alist-ref 'admin-password (alist-ref 'lldap app-config eq? '()) eq? "")))))) + '()) + ,@(if (member 'authelia selected-apps) + `((Fieldset + (@ (title "Authelia")) + (Field (@ (name "authelia-subdomain") (label ("Subdomain")) (value ,(alist-ref 'subdomain (alist-ref 'authelia app-config eq? '()) eq? "authelia")))))) + '()) (Fieldset (@ (title "Log Viewer")) (Field (@ (name "log-viewer-subdomain") (label ("Subdomain")) @@ -1202,7 +1221,7 @@ chmod -R 777 /opt/keys"))) (value ,(alist-ref 'user (alist-ref 'log-viewer app-config eq? '()) eq? "")))) (Field (@ (name "log-viewer-password") (label ("Password")) (type "password") (value ,(alist-ref 'password (alist-ref 'log-viewer app-config eq? '()) eq? ""))))) - ,@(if (or (member 'nextcloud selected-apps) (member 'ghost selected-apps) (member 'nassella selected-apps)) + ,@(if (or (member 'nextcloud selected-apps) (member 'ghost selected-apps) (member 'nassella selected-apps) (member 'authelia selected-apps)) `((Fieldset (@ (title "All Apps - Email - SMTP")) (Field (@ (name "smtp-host") (label ("Host")) @@ -1276,6 +1295,31 @@ chmod -R 777 /opt/keys"))) (db-root-password . ,(or (alist-ref 'db-root-password (alist-ref 'wordpress config eq? '())) (generate-postgres-password))))) + (lldap . ((subdomain . ,(alist-ref 'lldap-subdomain (current-params))) + (db-password . ,(or (alist-ref 'db-password + (alist-ref 'lldap config eq? '())) + (generate-postgres-password))) + (jwt-secret . ,(or (alist-ref 'jwt-secret + (alist-ref 'lldap config eq? '())) + (generate-jwt-secret))) + (key-seed . ,(or (alist-ref 'key-seed + (alist-ref 'lldap config eq? '())) + (generate-key-seed))) + (admin-password . ,(alist-ref 'lldap-admin-password (current-params))) + (user-email . ,(alist-ref 'lldap-user-email (current-params))))) + (authelia . ((subdomain . ,(alist-ref 'authelia-subdomain (current-params))) + (db-password . ,(or (alist-ref 'db-password + (alist-ref 'authelia config eq? '())) + (generate-postgres-password))) + (jwt-secret . ,(or (alist-ref 'jwt-secret + (alist-ref 'authelia config eq? '())) + (generate-jwt-secret))) + (session-secret . ,(or (alist-ref 'session-secret + (alist-ref 'authelia config eq? '())) + (generate-authelia-key-seed))) + (encryption-key . ,(or (alist-ref 'encryption-key + (alist-ref 'authelia config eq? '())) + (generate-authelia-key-seed))))) (log-viewer . ((subdomain . ,(alist-ref 'log-viewer-subdomain (current-params))) (user . ,(alist-ref 'log-viewer-user (current-params))) (password . ,(alist-ref 'log-viewer-password (current-params))))) @@ -1406,7 +1450,6 @@ chmod -R 777 /opt/keys"))) (VStack (Form-Nav (@ (back-to ,(conc "/config/wizard/machine2/" instance-id)) (submit-button "Launch"))))))))) -;; TODO should this perform a backup and then run the systemctl stop app command first? (post "/config/wizard/review-submit/:id" (let* ((instance-id (alist-ref "id" (current-params) equal?)) (status (string->symbol @@ -1479,6 +1522,19 @@ chmod -R 777 /opt/keys"))) ("NASSELLA_AUTHELIA_KEY_SEED" . ,(alist-ref 'authelia-key-seed (alist-ref 'nassella config))) ("WORDPRESS_DB_PASSWORD" . ,(alist-ref 'db-password (alist-ref 'wordpress config))) ("WORDPRESS_DB_ROOT_PASSWORD" . ,(alist-ref 'db-root-password (alist-ref 'wordpress config))) + ("LLDAP_POSTGRES_DB" . "lldap") + ("LLDAP_POSTGRES_USER" . "lldap") + ("LLDAP_POSTGRES_PASSWORD" . ,(alist-ref 'db-password (alist-ref 'lldap config))) + ("LLDAP_JWT_SECRET" . ,(alist-ref 'jwt-secret (alist-ref 'lldap config))) + ("LLDAP_KEY_SEED" . ,(alist-ref 'key-seed (alist-ref 'lldap config))) + ("LLDAP_ADMIN_PASSWORD" . ,(alist-ref 'admin-password (alist-ref 'lldap config))) + ("LLDAP_USER_EMAIL" . ,(alist-ref 'user-email (alist-ref 'lldap config))) + ("AUTHELIA_POSTGRES_DB" . "authelia") + ("AUTHELIA_POSTGRES_USER" . "authelia") + ("AUTHELIA_POSTGRES_PASSWORD" . ,(alist-ref 'db-password (alist-ref 'authelia config))) + ("AUTHELIA_JWT_SECRET" . ,(alist-ref 'jwt-secret (alist-ref 'authelia config))) + ("AUTHELIA_SESSION_SECRET" . ,(alist-ref 'session-secret (alist-ref 'authelia config))) + ("AUTHELIA_ENCRYPTION_KEY" . ,(alist-ref 'encryption-key (alist-ref 'authelia config))) ("SMTP_HOST" . ,(alist-ref 'smtp-host (alist-ref 'all-apps config))) ("SMTP_PORT" . ,(alist-ref 'smtp-port (alist-ref 'all-apps config))) ("SMTP_AUTH_USER" . ,(alist-ref 'smtp-auth-user (alist-ref 'all-apps config))) @@ -1518,6 +1574,7 @@ chmod -R 777 /opt/keys"))) (with-db/transaction (lambda (db) (update-deployment-progress db deployment-id '((instance-backup . in-progress))))) + ;; ;; TODO does this handle new deployments? We should not do a back up if this is new! ;; (handle-exceptions ;; exn ;; (with-db/transaction