Add support for meet guest mode and make meet configurable through env (#105)
* get settings for meet from env * prepare ssl container for device registration for konnect/kwmserver * move device registry modification to konnect container * enable WebApp in the app switcher * upstream docker container has been updated to alpine 3.9 * update konnect * add further config for guest mode * replace the check for the file with a check for konnect startup * fix kwmserver wrapper * add possibility to change logging in kwmserver
This commit is contained in:
parent
4e367badc5
commit
140506df7d
@ -427,8 +427,11 @@ services:
|
||||
volumes:
|
||||
- kopanossl/:/kopano/ssl
|
||||
- kopanosocket/:/run/kopano
|
||||
depends_on:
|
||||
- kopano_ssl
|
||||
environment:
|
||||
- FQDN=${FQDN}
|
||||
- allow_client_guests=yes
|
||||
env_file:
|
||||
- kopano_konnect.env
|
||||
networks:
|
||||
@ -438,6 +441,9 @@ services:
|
||||
kopano_playground:
|
||||
image: ${docker_repo:-zokradonh}/kopano_playground
|
||||
container_name: kopano_playground
|
||||
depends_on:
|
||||
- kopano_kapi
|
||||
- kopano_konnect
|
||||
networks:
|
||||
- kopano-net
|
||||
- web-net
|
||||
@ -446,9 +452,14 @@ services:
|
||||
image: ${docker_repo:-zokradonh}/kopano_kwmserver:${KWM_VERSION:-latest}
|
||||
container_name: kopano_kwmserver
|
||||
command: wrapper.sh
|
||||
depends_on:
|
||||
- kopano_kapi
|
||||
- kopano_konnect
|
||||
environment:
|
||||
- INSECURE=${INSECURE}
|
||||
- oidc_issuer_identifier=https://${FQDN}
|
||||
- enable_guest_api=yes
|
||||
- public_guest_access_regexp=^group/public/.*
|
||||
env_file:
|
||||
- kopano_kwmserver.env
|
||||
volumes:
|
||||
@ -462,6 +473,8 @@ services:
|
||||
environment:
|
||||
- SERVICE_TO_START=meet
|
||||
- KCCONF_KWEBD_TLS=no
|
||||
- KCCONF_MEET_guests_enabled=true
|
||||
- KCCONF_MEET_disableFullGAB=false
|
||||
env_file:
|
||||
- kopano_meet.env
|
||||
depends_on:
|
||||
|
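Review bot: The guest-mode switches added to the konnect, kwmserver and meet services (`allow_client_guests=yes`, `enable_guest_api=yes`, `public_guest_access_regexp=^group/public/.*`, `KCCONF_MEET_guests_enabled=true`) are literal values, so every deployment built from this compose file opens guest access unless the operator edits the file by hand. The neighbouring settings in the same blocks already come from the shell environment (`${FQDN}`, `${INSECURE}`), so the same pattern with an off-by-default fallback, e.g. `- allow_client_guests=${ALLOW_CLIENT_GUESTS:-no}` (variable name constructed), would make guest mode an explicit opt-in and keep these hunks consistent with the rest of the file. A one-line comment above each switch stating what it exposes would also help whoever reviews the deployment.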
@ -1,16 +1,19 @@
|
||||
ARG CODE_VERSION=0.19.1
|
||||
ARG CODE_VERSION=0.20.0
|
||||
FROM kopano/konnectd:${CODE_VERSION}
|
||||
ARG CODE_VERSION
|
||||
ENV CODE_VERSION="${CODE_VERSION}"
|
||||
|
||||
RUN apk add --no-cache \
|
||||
openssl
|
||||
jq \
|
||||
moreutils \
|
||||
openssl \
|
||||
py-pip \
|
||||
&& pip install yq==2.7.2
|
||||
|
||||
ENV DOCKERIZE_VERSION v0.6.1
|
||||
RUN wget https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VERSION/dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz \
|
||||
&& tar -C /usr/local/bin -xzvf dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz \
|
||||
&& rm dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz
|
||||
|
||||
RUN mkdir -p /etc/kopano/
|
||||
COPY konnectd-identifier-registration.yaml konnectd-identifier-scopes.yaml /etc/kopano/
|
||||
COPY --chown=nobody:nogroup konnectd-identifier-registration.yaml konnectd-identifier-scopes.yaml /etc/kopano/
|
||||
COPY wrapper.sh /usr/local/bin
|
||||
|
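Review bot: The new `apk add` line installs `jq`, `moreutils`, `openssl` and `py-pip` without version pins, and the `pip install` that follows leaves pip's download cache in the layer; hadolint flags both (DL3018, DL3042). Pinning keeps rebuilds reproducible and makes base-image bumps a visible change: `apk add --no-cache jq=<version> moreutils=<version> openssl=<version> py-pip=<version>` (versions to be filled in from the Alpine 3.9 index) and `pip install --no-cache-dir yq==2.7.2`. `COPY --chown=nobody:nogroup` for the registration files is the right shape given the wrapper now runs as nobody. The unverified `wget` of the dockerize tarball and the legacy `ENV DOCKERIZE_VERSION v0.6.1` form are context here; the same point is raised on the kwmserver Dockerfile, where those lines are new.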
@ -2,6 +2,25 @@
|
||||
|
||||
set -e
|
||||
|
||||
dockerize \
|
||||
-wait file:///kopano/ssl/meet-kwmserver.pem \
|
||||
-timeout 360s
|
||||
cd /kopano/ssl/
|
||||
|
||||
konnectd utils jwk-from-pem --use sig /kopano/ssl/meet-kwmserver.pem > /tmp/jwk-meet.json
|
||||
CONFIG_JSON=/etc/kopano/konnectd-identifier-registration.yaml
|
||||
yq -y ".clients |= [{\"id\": \"kpop-https://$FQDN/meet/\", \"name\": \"Kopano Meet\", \"application_type\": \"web\", \"trusted\": true, \"redirect_uris\": [\"https://$FQDN/meet/\"], \"trusted_scopes\": [\"konnect/guestok\", \"kopano/kwm\"], \"jwks\": {\"keys\": [{\"kty\": $(jq .kty /tmp/jwk-meet.json), \"use\": $(jq .use /tmp/jwk-meet.json), \"crv\": $(jq .crv /tmp/jwk-meet.json), \"d\": $(jq .d /tmp/jwk-meet.json), \"kid\": $(jq .kid /tmp/jwk-meet.json), \"x\": $(jq .x /tmp/jwk-meet.json), \"y\": $(jq .y /tmp/jwk-meet.json)}]},\"request_object_signing_alg\": \"ES256\"}]" $CONFIG_JSON | sponge /kopano/ssl/konnectd-identifier-registration.yaml
|
||||
|
||||
# shellcheck disable=SC2154
|
||||
if [ -n "$log_level" ]; then
|
||||
set -- "$@" --log-level="$log_level"
|
||||
fi
|
||||
|
||||
# shellcheck disable=SC2154
|
||||
if [ "$allow_client_guests" = "yes" ]; then
|
||||
set -- "$@" "--allow-client-guests"
|
||||
fi
|
||||
|
||||
dockerize \
|
||||
-wait file:///kopano/ssl/konnectd-tokens-signing-key.pem \
|
||||
-wait file:///kopano/ssl/konnectd-encryption.key \
|
||||
@ -10,6 +29,6 @@ dockerize \
|
||||
--signing-private-key=/kopano/ssl/konnectd-tokens-signing-key.pem \
|
||||
--encryption-secret=/kopano/ssl/konnectd-encryption.key \
|
||||
--iss=https://"$FQDN" \
|
||||
--identifier-registration-conf /etc/kopano/konnectd-identifier-registration.yaml \
|
||||
--identifier-registration-conf /kopano/ssl/konnectd-identifier-registration.yaml \
|
||||
--identifier-scopes-conf /etc/kopano/konnectd-identifier-scopes.yaml \
|
||||
kc
|
||||
"$@" kc
|
||||
|
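Review bot: `/tmp/jwk-meet.json` is derived from the kwmserver private key by `jwk-from-pem`, and the yq expression copies its `d` member — the private scalar — into the registration YAML, yet the temp file is never removed, so a second copy of the key stays in the container at whatever mode the default umask gives it. Add `rm -f /tmp/jwk-meet.json` directly after the `yq … | sponge …` line, or run the extraction under `umask 077`. Whether konnect needs the private component at all, or only the public members of the JWK, is not visible from this hunk and is worth confirming against the registration format before shipping the `d` field. Separately, the `yq … | sponge` pipeline runs under `set -e` without pipefail, so a failing yq is masked and sponge writes whatever it received (possibly nothing) over the registration file konnect is about to read; writing to a temp file and `mv`-ing on success would avoid that.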
@ -3,4 +3,13 @@ FROM kopano/kwmserverd:${CODE_VERSION}
|
||||
ARG CODE_VERSION
|
||||
ENV CODE_VERSION="${CODE_VERSION}"
|
||||
|
||||
USER root
|
||||
|
||||
ENV DOCKERIZE_VERSION v0.6.1
|
||||
RUN wget https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VERSION/dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz \
|
||||
&& tar -C /usr/local/bin -xzvf dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz \
|
||||
&& rm dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz
|
||||
|
||||
COPY wrapper.sh /usr/local/bin
|
||||
|
||||
USER nobody
|
||||
|
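Review bot: The dockerize tarball is fetched with plain `wget` as `USER root` and unpacked into `/usr/local/bin` with no integrity check, so a substituted download becomes an executable in the image; add a digest check between the download and the `tar`, e.g. `&& echo "<sha256-of-tarball>  dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz" | sha256sum -c -` (hash to be filled in from the release). `ENV DOCKERIZE_VERSION v0.6.1` uses the legacy space-separated form; `ENV DOCKERIZE_VERSION=v0.6.1` is the supported syntax. Returning to `USER nobody` after the root-only steps is the right shape and should stay the last instruction of the stage.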
@ -2,14 +2,72 @@
|
||||
|
||||
set -e
|
||||
|
||||
# shellcheck disable=SC2154
|
||||
if [ -n "$log_level" ]; then
|
||||
set -- "$@" --log-level="$log_level"
|
||||
fi
|
||||
|
||||
# shellcheck disable=SC2154
|
||||
if [ -n "$oidc_issuer_identifier" ]; then
|
||||
set -- "$@" --iss="$oidc_issuer_identifier"
|
||||
fi
|
||||
|
||||
# shellcheck disable=SC2154
|
||||
if [ "$enable_guest_api" = "yes" ]; then
|
||||
set -- "$@" --enable-guest-api
|
||||
fi
|
||||
|
||||
if [ "$INSECURE" = "yes" ]; then
|
||||
set -- "$@" --insecure
|
||||
fi
|
||||
|
||||
exec /usr/local/bin/docker-entrypoint.sh serve "$@"
|
||||
# kwmserver turn
|
||||
# shellcheck disable=SC2154
|
||||
|
||||
if [ -z "$turn_service_url" ]; then
|
||||
turn_service_url=https://turnauth.kopano.com/turnserverauth/
|
||||
fi
|
||||
|
||||
if [ -n "$turn_service_url" ]; then
|
||||
set -- "$@" --turn-service-url="$turn_service_url"
|
||||
fi
|
||||
|
||||
# shellcheck disable=SC2154
|
||||
if [ -n "$turn_service_credentials" ]; then
|
||||
set -- "$@" --turn-service-credentials="$$turn_service_credentials"
|
||||
fi
|
||||
|
||||
# shellcheck disable=SC2154
|
||||
if [ -n "$turn_server_shared_secret" ]; then
|
||||
set -- "$@" --turn-server-shared-secret="$turn_server_shared_secret"
|
||||
fi
|
||||
|
||||
# shellcheck disable=SC2154
|
||||
if [ -n "$turn_uris" ]; then
|
||||
for uri in $turn_uris; do
|
||||
set -- "$@" --turn-uri="$uri"
|
||||
done
|
||||
fi
|
||||
|
||||
# kwmserver guest
|
||||
# shellcheck disable=SC2154
|
||||
if [ "$allow_guest_only_channels" = "yes" ]; then
|
||||
set -- "$@" --allow-guest-only-channels
|
||||
fi
|
||||
|
||||
# shellcheck disable=SC2154
|
||||
if [ -n "$public_guest_access_regexp" ]; then
|
||||
set -- "$@" --public-guest-access-regexp="$public_guest_access_regexp"
|
||||
fi
|
||||
|
||||
# shellcheck disable=SC2034
|
||||
export registration_conf=/kopano/ssl/konnectd-identifier-registration.yaml
|
||||
|
||||
# originally I wanted to wait for $registration_conf, but I needed to precreate the file
|
||||
# so the konnect container (since the startup is running as nobody) can write to it.
|
||||
exec dockerize \
|
||||
-wait http://kopano_konnect:8777/.well-known/openid-configuration \
|
||||
-timeout 360s \
|
||||
/usr/local/bin/docker-entrypoint.sh serve \
|
||||
--registration-conf /kopano/ssl/konnectd-identifier-registration.yaml \
|
||||
"$@"
|
||||
|
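Review bot: `--turn-service-credentials="$$turn_service_credentials"` expands `$$` to the shell's PID, so kwmserver receives `<pid>turn_service_credentials` instead of the configured value; the line should read `set -- "$@" --turn-service-credentials="$turn_service_credentials"`. The `if [ -z "$turn_service_url" ]` default makes the following `-n` test always true, so the two blocks can collapse into the assignment plus one `set --`. Both the TURN credentials and `turn_server_shared_secret` are passed as command-line arguments, which any process able to read `/proc` in the container can list; if kwmserverd accepts them from a file or the environment that route is preferable — I cannot tell from this hunk which options it supports. The hard-coded default of `https://turnauth.kopano.com/turnserverauth/` sends the configured credentials to an external service, which deserves a comment so operators know it is in effect when they set none.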
@ -18,7 +18,18 @@ if [ $# -gt 0 ]; then
|
||||
exit
|
||||
fi
|
||||
|
||||
# TODO use jq to modify /usr/share/kopano-kweb/www/config/kopano/meet.json
|
||||
CONFIG_JSON="/usr/share/kopano-kweb/www/config/kopano/meet.json"
|
||||
echo "Updating $CONFIG_JSON"
|
||||
for setting in $(compgen -A variable KCCONF_MEET); do
|
||||
setting2=${setting#KCCONF_MEET_}
|
||||
# dots in setting2 need to be escaped to not be handled as separate entities in the json file
|
||||
jq ".\"${setting2//_/\".\"}\" = \"${!setting}\"" $CONFIG_JSON | sponge $CONFIG_JSON
|
||||
done
|
||||
|
||||
# enable Kopano WebApp in the app switcher
|
||||
jq '.apps += {"enabled": ["kopano-webapp"]}' $CONFIG_JSON | sponge $CONFIG_JSON
|
||||
|
||||
#cat $CONFIG_JSON
|
||||
|
||||
sed -i s/\ *=\ */=/g /etc/kopano/kwebd.cfg
|
||||
# shellcheck disable=SC2046
|
||||
@ -26,4 +37,3 @@ export $(grep -v '^#' /etc/kopano/kwebd.cfg | xargs -d '\n')
|
||||
# cleaning up env variables
|
||||
unset "${!KCCONF_@}"
|
||||
exec kopano-kwebd serve
|
||||
|
||||
|
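Review bot: The jq program in the `for setting` loop is built by interpolating `\"${!setting}\"` into the filter, so an environment value containing a double quote or backslash breaks or alters the filter, and every value lands in meet.json as a string even for keys set to `true`/`false` in the compose file (`KCCONF_MEET_guests_enabled=true`). Pass the value as a jq variable instead: `jq --arg v "${!setting}" ".\"${setting2//_/\".\"}\" = \$v" $CONFIG_JSON | sponge $CONFIG_JSON`, switching to `--argjson` when the value parses as JSON if meet does not coerce strings — how meet reads the file is not visible from this hunk. `.apps += {"enabled": ["kopano-webapp"]}` is object addition, so it replaces any existing `apps.enabled` list rather than extending it; `.apps.enabled += ["kopano-webapp"] | .apps.enabled |= unique` keeps prior entries. The `# TODO use jq …` comment is now done and can be dropped.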
21
ssl/start.sh
21
ssl/start.sh
@ -53,6 +53,27 @@ if [ ! -f $secretkey ]; then
|
||||
mv $secretkey.tmp $secretkey
|
||||
fi
|
||||
|
||||
# Meet guest mode
|
||||
ecparam="/kopano/ssl/ecparam.pem"
|
||||
if [ ! -f $ecparam ]; then
|
||||
echo "Creating ec param key for Meet..."
|
||||
openssl ecparam -name prime256v1 -genkey -noout -out $ecparam.tmp >/dev/null 2>&1
|
||||
mv $ecparam.tmp $ecparam
|
||||
fi
|
||||
|
||||
# create registration.yml so that konnect can write to it
|
||||
touch /kopano/ssl/konnectd-identifier-registration.yaml
|
||||
# chown to the numerical representation of nobody/nogroup
|
||||
chown 65534:65534 /kopano/ssl/konnectd-identifier-registration.yaml
|
||||
|
||||
eckey="/kopano/ssl/meet-kwmserver.pem"
|
||||
if [ ! -f $eckey ]; then
|
||||
echo "Creating ec key for Meet..."
|
||||
openssl ec -in $ecparam -out $eckey.tmp >/dev/null 2>&1
|
||||
chown 65534:65534 $eckey.tmp
|
||||
mv $eckey.tmp $eckey
|
||||
fi
|
||||
|
||||
echo "SSL certs:"
|
||||
ls -l /kopano/ssl/*.*
|
||||
|
||||
|
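Review bot: `openssl ecparam -name prime256v1 -genkey -noout -out $ecparam.tmp` writes a generated private key, not curve parameters, so `ecparam.pem` is a second, root-owned copy of the Meet key that remains on the shared `/kopano/ssl` volume at whatever mode the default umask gives it, and `openssl ec -in $ecparam -out $eckey.tmp` merely re-encodes that same key. Either generate parameters only in the first step (`openssl ecparam -name prime256v1 -out $ecparam.tmp`) and derive the key in the second (`openssl ecparam -in $ecparam -genkey -noout -out $eckey.tmp`), or remove or `chmod 600` the intermediate once `$eckey` exists. The `>/dev/null 2>&1` redirections hide any openssl error, so a failed generation only surfaces as the following `mv` complaining about a missing `.tmp` file; letting stderr through keeps the cause visible. The `if [ ! -f $secretkey ]` block this hunk closes starts before the hunk.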