allow yunohost admin users to access forgejo admin page
This commit is contained in:
parent
03643d342e
commit
be9eeb8a5b
10 changed files with 171 additions and 13 deletions
12
doc/ADMIN.md
12
doc/ADMIN.md
|
@ -1,14 +1,10 @@
|
||||||
## Additional informations
|
## Additional informations
|
||||||
|
|
||||||
### Known issue about admin access
|
### User synchronization
|
||||||
This package ask during its installation which group of users should be considered as forgejo administrators. These users should be able to access the admin page of forgejo. But they won't :(
|
In order to allow access to Forgejo admin section, YunoHost users are automaticaly synchronized with Forgejo's.
|
||||||
Two forgejo features are not yet compatible :
|
You can use «Forgejo (admin)» permission to manage which user is considered as forgejo admin.
|
||||||
- the reverse proxy authentication (which allows yunohost user to be automatically logged in forgejo)
|
|
||||||
- the login source (which tells forgejo to check yunohost users base to know if it is an admin or not)
|
|
||||||
|
|
||||||
The choice have been done to keep the reverse proxy authentication. But an [issue](https://codeberg.org/forgejo/forgejo/issues/930) is created to have both features.
|
**Known issue** : when a user is added to a group (e.g. the one with «Forgejo (admin)» permission), the synchronization is not triggered by YunoHost. You have to update a user (without any modification) to trigger it. (https://github.com/YunoHost/issues/issues/2213)
|
||||||
|
|
||||||
In conclusion, this forgejo installation does not (yet) allow to access the forgejo admin page.
|
|
||||||
|
|
||||||
### Notes on SSH usage
|
### Notes on SSH usage
|
||||||
|
|
||||||
|
|
20
hooks/post_app_addaccess
Normal file
20
hooks/post_app_addaccess
Normal file
|
@ -0,0 +1,20 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# IMPORT GENERIC HELPERS
|
||||||
|
source /usr/share/yunohost/helpers
|
||||||
|
|
||||||
|
pwd=$(dirname $0)
|
||||||
|
filename=$(basename $0)
|
||||||
|
|
||||||
|
# Set vars for following script
|
||||||
|
|
||||||
|
# The file name is <priority>-<app>
|
||||||
|
app=${filename#*-}
|
||||||
|
|
||||||
|
domain=$(ynh_app_setting_get --app=$app --key=domain)
|
||||||
|
path=$(ynh_app_setting_get --app=$app --key=path)
|
||||||
|
|
||||||
|
# Load common variables and helpers
|
||||||
|
source ${pwd}/../../apps/${app}/scripts/_common.sh
|
||||||
|
|
||||||
|
synchronize_users
|
20
hooks/post_app_removeaccess
Normal file
20
hooks/post_app_removeaccess
Normal file
|
@ -0,0 +1,20 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# IMPORT GENERIC HELPERS
|
||||||
|
source /usr/share/yunohost/helpers
|
||||||
|
|
||||||
|
pwd=$(dirname $0)
|
||||||
|
filename=$(basename $0)
|
||||||
|
|
||||||
|
# Set vars for following script
|
||||||
|
|
||||||
|
# The file name is <priority>-<app>
|
||||||
|
app=${filename#*-}
|
||||||
|
|
||||||
|
domain=$(ynh_app_setting_get --app=$app --key=domain)
|
||||||
|
path=$(ynh_app_setting_get --app=$app --key=path)
|
||||||
|
|
||||||
|
# Load common variables and helpers
|
||||||
|
source ${pwd}/../../apps/${app}/scripts/_common.sh
|
||||||
|
|
||||||
|
synchronize_users
|
20
hooks/post_user_create
Normal file
20
hooks/post_user_create
Normal file
|
@ -0,0 +1,20 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# IMPORT GENERIC HELPERS
|
||||||
|
source /usr/share/yunohost/helpers
|
||||||
|
|
||||||
|
pwd=$(dirname $0)
|
||||||
|
filename=$(basename $0)
|
||||||
|
|
||||||
|
# Set vars for following script
|
||||||
|
|
||||||
|
# The file name is <priority>-<app>
|
||||||
|
app=${filename#*-}
|
||||||
|
|
||||||
|
domain=$(ynh_app_setting_get --app=$app --key=domain)
|
||||||
|
path=$(ynh_app_setting_get --app=$app --key=path)
|
||||||
|
|
||||||
|
# Load common variables and helpers
|
||||||
|
source ${pwd}/../../apps/${app}/scripts/_common.sh
|
||||||
|
|
||||||
|
synchronize_users
|
20
hooks/post_user_delete
Normal file
20
hooks/post_user_delete
Normal file
|
@ -0,0 +1,20 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# IMPORT GENERIC HELPERS
|
||||||
|
source /usr/share/yunohost/helpers
|
||||||
|
|
||||||
|
pwd=$(dirname $0)
|
||||||
|
filename=$(basename $0)
|
||||||
|
|
||||||
|
# Set vars for following script
|
||||||
|
|
||||||
|
# The file name is <priority>-<app>
|
||||||
|
app=${filename#*-}
|
||||||
|
|
||||||
|
domain=$(ynh_app_setting_get --app=$app --key=domain)
|
||||||
|
path=$(ynh_app_setting_get --app=$app --key=path)
|
||||||
|
|
||||||
|
# Load common variables and helpers
|
||||||
|
source ${pwd}/../../apps/${app}/scripts/_common.sh
|
||||||
|
|
||||||
|
synchronize_users
|
24
hooks/post_user_update
Normal file
24
hooks/post_user_update
Normal file
|
@ -0,0 +1,24 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
###
|
||||||
|
# This hook is only used because yunohost doesn't trigger any hook when adding a user to a group (e.g. admin)
|
||||||
|
# After adding a user to a group, one should update a user to trigger this hook (https://forum.yunohost.org/t/hook-when-a-user-is-added-in-a-group/25437)
|
||||||
|
|
||||||
|
# IMPORT GENERIC HELPERS
|
||||||
|
source /usr/share/yunohost/helpers
|
||||||
|
|
||||||
|
pwd=$(dirname $0)
|
||||||
|
filename=$(basename $0)
|
||||||
|
|
||||||
|
# Set vars for following script
|
||||||
|
|
||||||
|
# The file name is <priority>-<app>
|
||||||
|
app=${filename#*-}
|
||||||
|
|
||||||
|
domain=$(ynh_app_setting_get --app=$app --key=domain)
|
||||||
|
path=$(ynh_app_setting_get --app=$app --key=path)
|
||||||
|
|
||||||
|
# Load common variables and helpers
|
||||||
|
source ${pwd}/../../apps/${app}/scripts/_common.sh
|
||||||
|
|
||||||
|
synchronize_users
|
|
@ -5,7 +5,7 @@ name = "Forgejo"
|
||||||
description.en = "Lightweight software forge"
|
description.en = "Lightweight software forge"
|
||||||
description.fr = "Forge logiciel légère"
|
description.fr = "Forge logiciel légère"
|
||||||
|
|
||||||
version = "1.19.3-0~ynh2"
|
version = "1.19.3-0~ynh3"
|
||||||
|
|
||||||
maintainers = ["Emmanuel Averty"]
|
maintainers = ["Emmanuel Averty"]
|
||||||
|
|
||||||
|
|
|
@ -5,7 +5,42 @@
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
||||||
function set_forgejo_login_source() {
|
function set_forgejo_login_source() {
|
||||||
|
ynh_print_info --message="Creating forgejo login source"
|
||||||
pushd "$install_dir"
|
pushd "$install_dir"
|
||||||
ynh_exec_as $app ./forgejo admin auth add-ldap-simple --security-protocol "Unencrypted" --name "YunoHost LDAP" --host "localhost" --port "389" --skip-tls-verify --user-search-base "ou=users,dc=yunohost,dc=org" --user-dn "uid=%s,ou=Users,dc=yunohost,dc=org" --user-filter "(&(objectclass=posixAccount)(uid=%s)(permission=cn=$app.main,ou=permission,dc=yunohost,dc=org))" --admin-filter "(permission=cn=forgejo.admin,ou=permission,dc=yunohost,dc=org)" --username-attribute "uid" --firstname-attribute "givenName" --surname-attribute "sn" --email-attribute "mail"
|
ynh_exec_as $app ./forgejo admin auth add-ldap-simple --security-protocol "Unencrypted" --name "YunoHost LDAP" --host "localhost" --port "389" --skip-tls-verify --user-search-base "ou=users,dc=yunohost,dc=org" --user-dn "uid=%s,ou=Users,dc=yunohost,dc=org" --user-filter "(&(objectclass=posixAccount)(uid=%s)(permission=cn=$app.main,ou=permission,dc=yunohost,dc=org))" --admin-filter "(permission=cn=forgejo.admin,ou=permission,dc=yunohost,dc=org)" --username-attribute "uid" --firstname-attribute "givenName" --surname-attribute "sn" --email-attribute "mail"
|
||||||
popd
|
popd
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function enable_login_source_sync() {
|
||||||
|
ynh_print_info --message="Set forgejo login source as synchronizable"
|
||||||
|
# Enable login source synchronisation manualy because forgejo command does not allow it (https://codeberg.org/forgejo/forgejo/issues/952)
|
||||||
|
ynh_psql_execute_as_root --database $db_name --sql "update login_source set is_sync_enabled = true where type = 5 and name = 'YunoHost LDAP'"
|
||||||
|
}
|
||||||
|
|
||||||
|
function create_forgejo_api_user() {
|
||||||
|
ynh_print_info --message="Creating forgejo api user"
|
||||||
|
forgejo_api_user=yunohost_api
|
||||||
|
forgejo_api_pwd=$(ynh_string_random --length=24)
|
||||||
|
ynh_app_setting_set --app=$app --key=forgejo_api_user --value=$forgejo_api_user
|
||||||
|
ynh_app_setting_set --app=$app --key=forgejo_api_pwd --value=$forgejo_api_pwd
|
||||||
|
pushd "$install_dir"
|
||||||
|
ynh_exec_as $app ./forgejo admin user create --username $forgejo_api_user --password $forgejo_api_pwd --email admin@${domain} --admin --must-change-password=false
|
||||||
|
forgejo_api_token=$(ynh_exec_as $app ./forgejo admin user generate-access-token --username $forgejo_api_user --token-name "admin" --scopes "sudo" --raw | tail -1)
|
||||||
|
ynh_app_setting_set --app=$app --key=forgejo_api_token --value=$forgejo_api_token
|
||||||
|
popd
|
||||||
|
}
|
||||||
|
|
||||||
|
function set_users_login_source() {
|
||||||
|
# Previously created users have «Local» login source. It should be «YunoHost LDAP»
|
||||||
|
for username in $(ynh_user_list); do
|
||||||
|
ynh_print_info --message="Updating forgejo user login type for ${username}"
|
||||||
|
|
||||||
|
ynh_psql_execute_as_root --database $db_name --sql "update public.user set login_source = (select id from login_source where name = 'YunoHost LDAP' and type = 5), login_name = name, login_type = 5 where name = '${username}'"
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
function synchronize_users() {
|
||||||
|
ynh_print_info --message="Synchronizing forgejo users"
|
||||||
|
# User synchronization must be launched using API : no cli exists for this purpose (https://codeberg.org/forgejo/forgejo/issues/953)
|
||||||
|
curl --url https://${domain}${path}/api/v1/admin/cron/sync_external_users -X POST -H "Authorization: token $(ynh_app_setting_get --app=$app --key=forgejo_api_token)" -kfsS
|
||||||
|
}
|
|
@ -98,6 +98,13 @@ ynh_add_fail2ban_config --logpath "/var/log/$app/forgejo.log" --failregex ".*Fai
|
||||||
#=================================================
|
#=================================================
|
||||||
ynh_script_progression --message="Adding LDAP configuration..." --weight=1
|
ynh_script_progression --message="Adding LDAP configuration..." --weight=1
|
||||||
set_forgejo_login_source
|
set_forgejo_login_source
|
||||||
|
enable_login_source_sync
|
||||||
|
|
||||||
|
# API user creation
|
||||||
|
create_forgejo_api_user
|
||||||
|
|
||||||
|
# Yunohost user creation
|
||||||
|
synchronize_users
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# END OF SCRIPT
|
# END OF SCRIPT
|
||||||
|
|
|
@ -28,7 +28,7 @@ ynh_systemd_action --service_name=$app --action="stop" --log_path="systemd"
|
||||||
#=================================================
|
#=================================================
|
||||||
ynh_script_progression --message="Ensuring downward compatibility..." --weight=1
|
ynh_script_progression --message="Ensuring downward compatibility..." --weight=1
|
||||||
|
|
||||||
# Update forgejo login source
|
# Update forgejo login source (1.19.3-0~ynh2)
|
||||||
pushd "$install_dir"
|
pushd "$install_dir"
|
||||||
old_login_source_id=$(ynh_exec_as $app ./forgejo admin auth list | grep "YunoHost LDAP" | grep "via BindDN" | cut -f 1)
|
old_login_source_id=$(ynh_exec_as $app ./forgejo admin auth list | grep "YunoHost LDAP" | grep "via BindDN" | cut -f 1)
|
||||||
if [ ! -z $old_login_source_id ]; then
|
if [ ! -z $old_login_source_id ]; then
|
||||||
|
@ -40,6 +40,16 @@ pushd "$install_dir"
|
||||||
fi
|
fi
|
||||||
popd
|
popd
|
||||||
|
|
||||||
|
# Update login source synchronization flag (1.19.3-0~ynh3)
|
||||||
|
enable_login_source_sync
|
||||||
|
|
||||||
|
if [ -z ${forgejo_api_user:-} ]; then
|
||||||
|
create_forgejo_api_user
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Update users login source (1.19.3-0~ynh3)
|
||||||
|
set_users_login_source
|
||||||
|
|
||||||
# forgejo home directory has changed (yunohost packaging v2)
|
# forgejo home directory has changed (yunohost packaging v2)
|
||||||
# .ssh directory should move from old home dir (data_dir) to new one
|
# .ssh directory should move from old home dir (data_dir) to new one
|
||||||
# (/var/www/$app is the default value for home in resources.system_user)
|
# (/var/www/$app is the default value for home in resources.system_user)
|
||||||
|
@ -48,19 +58,19 @@ if [ -d "$data_dir/.ssh" ]; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# If secret_key doesn't exist, create it
|
# If secret_key doesn't exist, create it
|
||||||
if [ -z "$secret_key" ]; then
|
if [ -z ${secret_key:-} ]; then
|
||||||
secret_key=$($install_dir/forgejo generate secret SECRET_KEY)
|
secret_key=$($install_dir/forgejo generate secret SECRET_KEY)
|
||||||
ynh_app_setting_set --app=$app --key=secret_key --value=$secret_key
|
ynh_app_setting_set --app=$app --key=secret_key --value=$secret_key
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# If lfs_jwt_secret doesn't exist, create it
|
# If lfs_jwt_secret doesn't exist, create it
|
||||||
if [ -z "$lfs_jwt_secret" ]; then
|
if [ -z ${lfs_jwt_secret:-} ]; then
|
||||||
lfs_jwt_secret=$($install_dir/forgejo generate secret JWT_SECRET)
|
lfs_jwt_secret=$($install_dir/forgejo generate secret JWT_SECRET)
|
||||||
ynh_app_setting_set --app=$app --key=lfs_jwt_secret --value=$lfs_jwt_secret
|
ynh_app_setting_set --app=$app --key=lfs_jwt_secret --value=$lfs_jwt_secret
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# If internal_token doesn't exist, create it
|
# If internal_token doesn't exist, create it
|
||||||
if [ -z "$internal_token" ]; then
|
if [ -z ${internal_token:-} ]; then
|
||||||
internal_token=$($install_dir/forgejo generate secret INTERNAL_TOKEN)
|
internal_token=$($install_dir/forgejo generate secret INTERNAL_TOKEN)
|
||||||
ynh_app_setting_set --app=$app --key=internal_token --value=$internal_token
|
ynh_app_setting_set --app=$app --key=internal_token --value=$internal_token
|
||||||
fi
|
fi
|
||||||
|
@ -130,6 +140,12 @@ ynh_script_progression --message="Starting a systemd service..." --weight=3
|
||||||
# Start a systemd service
|
# Start a systemd service
|
||||||
ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/forgejo.log" --line_match="Starting new Web server: tcp:127.0.0.1:"
|
ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/forgejo.log" --line_match="Starting new Web server: tcp:127.0.0.1:"
|
||||||
|
|
||||||
|
|
||||||
|
#=================================================
|
||||||
|
# Synchronize users (backward compatibility 1.19.3-0~ynh3)
|
||||||
|
#=================================================
|
||||||
|
synchronize_users
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# SETUP FAIL2BAN
|
# SETUP FAIL2BAN
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
Loading…
Reference in a new issue