init
This commit is contained in:
commit
86b21ebf4b
15 changed files with 435 additions and 0 deletions
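--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+env/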
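--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,7 @@
+FROM squidfunk/mkdocs-material:5.5.14
+EXPOSE 8000
+COPY . /docs
+ENTRYPOINT ["/bin/sh"]
+RUN apk add --no-cache curl
+# RUN pip install mkdocs-awesome-pages-plugin
+CMD ["-c", "mkdocs build && python -m http.server --bind 0.0.0.0 --directory site 8000"]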
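Review bot: The base image `squidfunk/mkdocs-material:5.5.14` is two major versions behind the `mkdocs-material==7.2.6` / `mkdocs==1.2.2` pinned in `requirements.txt`, so the container builds the site with a different theme and MkDocs than local development, and the tag itself is mutable. Align the versions and pin the `FROM` line by digest, e.g. `FROM squidfunk/mkdocs-material:7.2.6@sha256:<digest>`. `python -m http.server` is a development server with no TLS, access control or hardening; a comment such as `# static dev server - only reachable through the traefik proxy network` would make that dependency on the proxy explicit. Moving `RUN apk add --no-cache curl` above `COPY . /docs` keeps the package layer cached across content changes.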
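--- a/README.md
+++ b/README.md
@@ -0,0 +1,9 @@
+
+
+```
+python3 -m venv env
+env/bin/activate
+pip3 install -r requirements.txt
+mkdocs serve
+```
+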
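--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -0,0 +1,28 @@
+---
+version: "3.8"
+
+services:
+  app:
+    image: test:latest
+    networks:
+      - proxy
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8000"]
+      interval: 10s
+      timeout: 10s
+      retries: 10
+      start_period: 15s
+    deploy:
+      update_config:
+        failure_action: rollback
+        order: start-first
+      labels:
+        - "traefik.enable=true"
+        - "traefik.http.services.coop-cloud-mkdocs.loadbalancer.server.port=8000"
+        - "traefik.http.routers.coop-cloud-mkdocs.rule=Host(`docs.local-it.org`)"
+        - "traefik.http.routers.coop-cloud-mkdocs.entrypoints=web"
+
+networks:
+  proxy:
+    external: true
+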
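Review bot: `image: test:latest` is a placeholder with a mutable tag, so `update_config.failure_action: rollback` has no stable image to roll back to; reference a versioned, immutable image such as `image: <registry>/lit-docs:<version>`. The router is attached only to `entrypoints=web` and no TLS or redirect labels are present, so `docs.local-it.org` is served over plain HTTP unless the Traefik stack redirects globally, which is not visible from this file. If it does not, add the TLS entrypoint and certresolver labels your Traefik recipe defines, e.g. `traefik.http.routers.coop-cloud-mkdocs.entrypoints=web-secure` and `traefik.http.routers.coop-cloud-mkdocs.tls.certresolver=production`.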
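--- a/docs/apps/authentik.md
+++ b/docs/apps/authentik.md
@@ -0,0 +1,23 @@
+# Single-Sign-On Provider
+
+[Authentik](https://goauthentik.io) ist unser Single-Sign-On (SSO) Provider und Identity Management.
+Alle Apps die per SSO angebunden werden sollen, müssen später in der Administrationsoberfläche konfiguriert werden.
+
+```
+abra app new --domain example.com --server servername --app-name servername_authentik --secrets authentik
+abra app config servername_authentik # only if custom config needed
+abra app deploy servername_authentik
+```
+
+TODO: SECRETS
+Passwörter für akadmin, token sichern
+
+
+### openid-connect endpoints
+
+https://sso.example.org/application/o/authorize/
+https://sso.example.org/application/o/token/
+https://sso.example.org/application/o/userinfo/
+https://sso.example.org/application/o/nextcloud/end-session/
+
+---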
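--- a/docs/apps/nextcloud.md
+++ b/docs/apps/nextcloud.md
@@ -0,0 +1,158 @@
+
+# Nextcloud
+
+im authentik:
+openid-provider anlegen
+app anlegen
+
+
+!!! note "Auf lit.cloud Infrastruktur"
+    `git clone https://git.local-it.org/LIT/nextcloud ~/.abra/apps/nextcloud`
+
+```
+abra app new --secrets --domain example.com --server servername --app-name servername_cloud cloud
+abra config servername_cloud
+abra deploy servername_cloud
+```
+
+Die Installation von Nextcloud kann eine Weile dauern. Der status kann so überprüft werden:
+`abra app run --user www-data servername_cloud app /var/www/html/occ status`
+
+#### Installation von Nextcloud Apps:
+```
+abra app run --user www-data servername_cloud app /var/www/html/occ app:install calendar
+abra app run --user www-data servername_cloud app /var/www/html/occ app:install sociallogin
+abra app run --user www-data servername_cloud app /var/www/html/occ app:install onlyoffice
+```
+
+#### Dashboard deaktivieren:
+`abra app run --user www-data servername_cloud app /var/www/html/occ app:disable dashboard`
+
+
+
+#### Nextcloud [Social Login SSO](https://github.com/zorn-v/nextcloud-social-login/tree/54ff473bca76bae891fbcd0d6f0fa6a937e6c1ab) konfigurieren
+
+TODO: urls anpassen
+```
+abra app run --user www-data servername_cloud app /var/www/html/occ config:app:set sociallogin custom_providers --value='
+{
+  "custom_oidc": [
+    {
+      "name": "authentik",
+      "title": "SKA",
+      "authorizeUrl": "https://sso.he.local-it.org/application/o/authorize/",
+      "tokenUrl": "https://sso.he.local-it.org/application/o/token/",
+      "displayNameClaim": "preferred_username",
+      "userInfoUrl": "https://sso.he.local-it.org/application/o/userinfo/",
+      "logoutUrl": "https://sso.he.local-it.org/application/o/nextcloud/end-session/",
+      "clientId": "nextcloud",
+      "clientSecret": "secret",
+      "scope": "openid profile email nextcloud",
+      "groupsClaim": "nextcloud_groups",
+      "style": "openid",
+      "defaultGroup": "",
+      "groupMapping": {
+        "admin": "admin"
+      }
+    }
+  ]
+}'
+
+
+abra app run --user www-data swe-hospiz-cloud app /var/www/html/occ config:app:set sociallogin update_profile_on_login --value 1
+abra app run --user www-data swe-hospiz-cloud app /var/www/html/occ config:app:set sociallogin auto_create_groups --value 1
+abra app run --user www-data swe-hospiz-cloud app /var/www/html/occ config:app:set sociallogin hide_default_login --value 1
+
+All Possbile Values:
+'disable_registration',
+'create_disabled_users',
+'allow_login_connect',
+'prevent_create_email_exists',
+'update_profile_on_login',
+'no_prune_user_groups',
+'auto_create_groups',
+'restrict_users_wo_mapped_groups',
+'restrict_users_wo_assigned_groups',
+'disable_notify_admins',
+'hide_default_login',
+
+
+abra app run --user www-data swe-hospiz-cloud app /var/www/html/occ config:system:set allow_user_to_change_display_name --value=false
+abra app run --user www-data swe-hospiz-cloud app /var/www/html/occ config:system:set lost_password_link --value=disabled
+abra app run --user www-data swe-hospiz-cloud app /var/www/html/occ config:system:set social_login_auto_redirect --value=true
+
+```
+
+Konfiguration überprüfen
+```
+abra app run --user www-data servername_cloud bash
+cat config/config.php
+```
+
+### Custom Group Mapping
+
+In Authentik:
+
+* Customisation -> Property Mappings
+* Create -> Scope Mapping
+
+Scope-Name: "nextcloud"
+Expression: `return { "nextcloud_groups": [{"gid": group.name, "displayName": group.name} for group in request.user.ak_groups.all()], }`
+
+* Providers -> nextcloud
+* Advanced Protocol Settings
+* Scopes
+
+Scopes auswählen: "authentik default OAuth Mapping: OpenID {email, openid, profile}" , nextcloud
+
+
+## Backup
+
+### Nextcloud von einem Backup wiederherstellen
+
+Offizieller [Nextcloud-Guide](https://docs.nextcloud.com/server/latest/admin_manual/maintenance/restore.html)
+
+
+Wartungs-Modus aktivieren
+```
+abra app run --user www-data yksflip-cloud app /var/www/html/occ maintenance:mode --on
+```
+
+Wiederherstellen von Dateien
+```
+restic restore --include /backups/yksflip-cloud_app -t restored latest
+docker cp -a r/backups/yksflip-cloud_app/* $(docker ps -q -f name=cloud_app):/
+```
+
+Sicher stellen dass File-Permissions und Ownership stimmen:
+```
+docker exec -it $(docker ps -q -f name=cloud_app) bash
+$ ls -la
+$ chown -R www-data:www-data data config custom_apps
+```
+
+Datenbank wiederherstellen
+```
+
+restic restore --include /backups/yksflip-cloud_db -t r latest
+docker exec -it $(docker ps -q -f name=cloud_db) bash
+$ mysql -u root -p"$(cat /run/secrets/db_root_password)" -e "DROP DATABASE nextcloud"
+$ mysql -u root -p"$(cat /run/secrets/db_root_password)" -e "CREATE DATABASE nextcloud"
+$ mysql -u root -p"$(cat /run/secrets/db_root_password)" nextcloud < /tmp/backup/backup.sql
+```
+
+!!! note "Bei Postgres DB"
+    `/usr/bin/pg_restore -c -U nextcloud -d nextcloud < /tmp/backup/dump.sql`
+    TODO: Check this
+git
+Wartungs-Modus aktivieren
+```
+abra app run --user www-data yksflip-cloud app /var/www/html/occ maintenance:data-fingerprint
+abra app run --user www-data yksflip-cloud app /var/www/html/occ maintenance:mode --on
+```
+
+
+Falls nötig kann auch ein repair gestartet werden:
+```
+abra app run --user www-data yksflip-cloud app /var/www/html/occ maintenance:repair
+```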
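Review bot: The second "Wartungs-Modus aktivieren" block after the database restore runs `occ maintenance:mode --on` again, so the runbook never brings the instance back into service; that step should be `occ maintenance:mode --off` (with the heading changed to "deaktivieren"). In the file-restore block the restic target is `-t restored` while `docker cp` reads from `r/backups/...`, and `docker cp` takes a single source path, so the `*` glob will not copy the tree as written; use one consistent target directory and copy it as a whole. The `custom_providers` JSON carries `"clientSecret": "secret"` as a literal; mark it as a placeholder that must be replaced with the secret from the Authentik provider, and note that passing it on the `occ` command line leaves it in shell history as well as in Nextcloud's app config. Because `hide_default_login`, `social_login_auto_redirect` and `lost_password_link=disabled` are all enabled together, document a break-glass local login path before applying them, as the FAQ already does for the Authentik admin group.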
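--- a/docs/apps/onlyoffice.md
+++ b/docs/apps/onlyoffice.md
@@ -0,0 +1,15 @@
+# Onlyoffice
+
+!!! note "Auf lit.cloud Infrastruktur"
+    TODO
+
+
+```
+abra app new --domain office.example.com --server servername --app-name servername_onlyoffice
+abra app config servername_onlyoffice
+abra app deploy servername_onlyoffice
+```
+
+#### Nextcloud Konfiguration anpassen:
+https://office.example.com
+JWT_SECRET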
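--- a/docs/apps/wekan.md
+++ b/docs/apps/wekan.md
@@ -0,0 +1,20 @@
+# Wekan
+
+[Wekan](https://github.com/wekan/wekan/wiki) ist ein Kanban Board.
+
+
+im authentik:
+openid-provider anlegen
+app anlegen
+
+!!! note "Auf lit.cloud Infrastruktur"
+    `git clone https://git.local-it.org/LIT/wekan ~/.abra/apps/wekan`
+
+```
+abra app new --domain example.com --server servername --app-name servername_wekan wekan
+abra config servername_wekan # OAUTH2_SECRET anpassen
+abra deploy servername_wekan
+```
+
+
+Login Button umbenennen: User -> Administration -> Layout -> Benutzerdefinierter Text der OIDC-Schaltfläche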
1
docs/assets/favicon.svg
Normal file
1
docs/assets/favicon.svg
Normal file
File diff suppressed because one or more lines are too long
After Width: | Height: | Size: 14 KiB |
1
docs/assets/logo.svg
Normal file
1
docs/assets/logo.svg
Normal file
File diff suppressed because one or more lines are too long
After Width: | Height: | Size: 33 KiB |
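--- a/docs/faq.md
+++ b/docs/faq.md
@@ -0,0 +1,9 @@
+# FAQ
+
+##
+
+## Serveradmin FAQ
+
+* I accidientially removed myself from the admin group in Authentik and lost access
+`abra app run swe-hospiz-sso server ak create_admin_group admin`
+[see docs](https://goauthentik.io/docs/troubleshooting/missing_admin_group)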
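--- a/docs/index.md
+++ b/docs/index.md
@@ -0,0 +1,15 @@
+# Software für kollaboratives Arbeiten [SKA]
+
+
+[Installation](installation.md)
+
+## Apps
+
+* [Authentik](apps/authentik.md)
+* [Nextcloud](apps/nextcloud.md)
+* [OnlyOffice](apps/onlyoffice.md)
+* [Wekan](apps/wekan.md)
+
+---
+
+Ein Projekt von [local-it](https://local-it.org)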
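--- a/docs/installation.md
+++ b/docs/installation.md
@@ -0,0 +1,126 @@
+# Installation
+
+Basierend auf [abra](https://git.coopcloud.tech/coop-cloud/abra) von [coopcloud](https://coopcloud.tech)
+
+## Basis System
+
+### Docker auf dem Server
+
+```
+ssh -p 22 root@example.org
+sudo apt update
+sudo apt upgrade -y
+sudo apt install docker.io
+docker swarm init
+docker network create -d overlay --scope swarm proxy
+```
+oder folge der Anleitung von [Docker](https://docs.docker.com/engine/install/)
+
+### Abra auf dem Client
+
+```
+sudo apt update
+sudo apt install curl git
+curl https://install.abra.autonomic.zone | bash
+export PATH=$PATH:$HOME/.local/bin
+echo "PATH$PATH:$HOME/.local/bin" >> ~/.bashrc
+abra -h
+```
+
+Server zu Abra hinzufügen
+
+```
+abra server add example.org username port
+abra server init
+```
+
+Für weitere Details: [docs.coopcloud.tech](https://docs.coopcloud.tech/deploy/)
+
+---
+
+## Reverse-Proxy
+
+Wir verwenden Traefik als Reverse-Proxy. Er erkennt automatisch Apps im Docker Swarm und leitet von den konfigurierten Subdomains auf die entsprechenden Apps um.
+
+!!! note "Auf lit.cloud Infrastruktur"
+    `git clone https://git.local-it.org/LIT/traefik ~/.abra/apps/traefik`
+
+
+```
+**TODO**: braucht man das oder macht das abra server init?:
+docker network create -d overlay --scope swarm proxy
+```
+
+
+```
+abra app new --domain example.com --server servername --app-name servername_traefik traefik
+abra app config servername_traefik # only if custom config needed
+abra app deploy servername_traefik
+```
+
+Du kannst den Status der Installation mit `abra app ps servername_traefik` überprüfen
+
+
+## Apps
+
+Grundsätzlich können alle Apps verwendet werden, die von coop-cloud unterstützt werden, allerdings sind nicht alle Apps umbedingt vollständig integriert. Im folgenden stellen wir Apps vor, die bereits mit Single-Sign-On integriert und wir im Betrieb schon gute Erfahrungen mit gemacht haben.
+
+
+
+
+
+## Backups
+
+Das automatisierte Backup basiert auf dem [backup-bot](https://git.coopcloud.tech/coop-cloud/backup-bot-two),
+der anhand von Docker Labels Verzeichnisse kopiert und mit [Restic](https://restic.readthedocs.io/en/latest/) per S3 Storage oder per SFTP auf einer entfernten Maschine sichert. Von uns bereitgestellte Apps enthalten bereits die dafür benötigten Labels.
+
+Voroab wird ein zugang zu einem S3-Kompatiblen Storage oder Server mit SFTP benötigt.
+z.B.: [Hetzner Storage Box](https://www.hetzner.com/storage/storage-box), [Wasabi S3](wasabisys.com)
+
+### Installation
+
+#### S3 Storage
+
+```
+abra app new backup-bot-two
+abra app secret insert servername-backupbot aws_secret_access_key v1 <secret-key>
+abra app secret generate backupbot_local restic_password v1
+abra app config
+abra app deploy
+```
+#### SFTP Storage
+
+TODO
+
+### Wiederherstellen
+
+```
+export AWS_ACCESS_KEY_ID=
+export AWS_SECRET_ACCESS_KEY=
+export RESTIC_REPOSITORY=s3:your-s3-storage.org:/bucketname
+export RESTIC_PASSWORD_FILE=./restic_password
+
+# Show list of all snaphosts
+restic snapshots
+
+# Show all paths in snapshot
+restic ls latest
+
+# Prune Snapshots
+restic forget --prune --keep-daily 7 --keep-weekly 4 --keep-monthly 12 --keep-yearly 3
+```
+
+
+
+
+#### Wekan
+
+docker context use old-server
+docker exec wekan_db_1 bash -c "mongodump --archive=/tmp/wekan.archive"
+docker cp wekan_db_1:dump/wekan-2021-12-03.archiv .
+docker context use new-server
+docker cp wekan-2021-12-03.archiv lit-board_db.1.yzvn5bhlr4vpval2kytazhgwr:/tmp/
+docker exec lit-board_db.1 bash -c "mongorestore --drop --verbose --archive=/tmp/wekan.archive"
+
+
+--8<-- "includes/abbreviations.md"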
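Review bot: `echo "PATH$PATH:$HOME/.local/bin" >> ~/.bashrc` in the Abra client block is missing `export` and `=`, so it appends a non-assignment line (`PATH/usr/...`) that errors on every new shell; it should read `echo 'export PATH="$PATH:$HOME/.local/bin"' >> ~/.bashrc`. The preceding `curl https://install.abra.autonomic.zone | bash` executes an unverified remote script as the user; the runbook should at least download it to a file, inspect it (and verify a checksum or signature if the project publishes one), and then run it. In the Wekan section the dump is written to `/tmp/wekan.archive`, but `docker cp` reads `dump/wekan-2021-12-03.archiv` and the restore expects `/tmp/wekan.archive` again, so the three paths must be made to agree. In the restore block, typing `export AWS_SECRET_ACCESS_KEY=...` interactively lands the key in shell history; prefer `read -rs AWS_SECRET_ACCESS_KEY && export AWS_SECRET_ACCESS_KEY` or sourcing a mode-0600 env file.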
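--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -0,0 +1,19 @@
+site_name: LIT Docs
+site_url: https://docs.local-it.org
+
+theme:
+  language: de
+  name: material
+  favicon: assets/favicon.svg
+  logo: assets/favicon.svg
+
+markdown_extensions:
+  - abbr
+  - pymdownx.snippets
+  - admonition
+  - pymdownx.details
+  - pymdownx.superfences
+
+repo_name: LIT/docs
+repo_url: https://git.local-it.org/LIT/docs
+edit_uri: _edit/main/docs/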
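Review bot: `logo: assets/favicon.svg` points at the favicon even though `docs/assets/logo.svg` is added in this same commit; this is probably meant to be `logo: assets/logo.svg`. `installation.md` ends with `--8<-- "includes/abbreviations.md"`, resolved by `pymdownx.snippets`, but no `includes/abbreviations.md` is among the 15 files in this commit, so the snippet resolves to nothing (or fails the build if `check_paths` is enabled); add the file or drop the include. `edit_uri: _edit/main/docs/` assumes the default branch is `main` — confirm that matches the repository.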
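--- a/requirements.txt
+++ b/requirements.txt
@@ -0,0 +1,3 @@
+mkdocs-material-extensions==1.0.3
+mkdocs-material==7.2.6
+mkdocs==1.2.2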