#!/bin/sh
# Bootstrap the SourceArcade Keycloak instance with kcadm.sh: log in to the
# master realm as admin, create the application realm (SMTP settings plus a
# GitHub identity provider) and register the Gerrit OIDC client. Re-runs are
# safe in the sense that an already-present realm or client is skipped.
#
# Inputs (environment):
#   KEYCLOAK_ADMIN, KEYCLOAK_ADMIN_PASSWORD   master-realm admin login
#   SA_REALM                                  realm to create (default: sourcearcade)
#   SA_PUBLIC_DOMAIN_NAME                     public domain used for the mail
#                                             and review hostnames
#   GITHUB_OAUTH_CLIENT_ID/_SECRET            GitHub identity-provider credentials
# Inputs (files):
#   /run/secrets/seed                         seed from which the SMTP password
#                                             and the Gerrit client secret are derived
# Exit status: 1 if Keycloak never became reachable, 2 if the final login
# failed; any other failing command aborts via set -e.

# Abort on the first failing command and on unset variables. This is POSIX sh,
# so there is no pipefail: a failure on the left-hand side of a pipeline (the
# kca | sed / kca | grep lookups further down) is NOT caught by -e.
set -eu
| 4 | |
# Thin wrapper around the Keycloak admin CLI shipped in the container image.
# Every argument is forwarded untouched and the exit status is kcadm's own.
kca() {
  command /opt/keycloak/bin/kcadm.sh "$@"
}
| 8 | |
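# Log in to the master realm as the Keycloak admin; later kca calls rely on the
# session that `config credentials` establishes. Returns kcadm's exit status;
# a refused connection shows up on stderr, which is what the wait loop below
# greps for. Both expansions are quoted so a password containing whitespace or
# glob characters is passed as a single argument.
#
# NOTE(review): the password is handed over as a command-line argument, so it
# is readable by any process in the container that can list /proc (ps, debug
# shells). kcadm prompts for the password when --password is omitted; if the
# installed version accepts that prompt from a pipe, feeding it on stdin would
# avoid the exposure — confirm before changing. The login also travels over
# plain HTTP to http://keycloak:8080, which is only acceptable while the
# network between this job and Keycloak is private to the deployment.
kca_cred() {
  kca config credentials \
    --server http://keycloak:8080 \
    --realm master \
    --user "${KEYCLOAK_ADMIN}" \
    --password "${KEYCLOAK_ADMIN_PASSWORD}"
}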
| 16 | |
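# Derive a deterministic secret for the label given as arguments ("$*", so
# `secret a b` and `secret 'a b'` name the same label): the hex SHA-256 of
# "<seed>:<label right-justified to 40 columns>", with the seed taken from
# /run/secrets/seed. Labels longer than 40 characters are used as-is. The
# output is 64 hex characters, so it can be spliced into the JSON documents
# below without escaping. `seed` is a global (POSIX sh has no `local`).
#
# Fails with a message on stderr and non-zero status when the seed file is
# missing or empty, instead of hashing an empty seed. NOTE(review): a caller
# only sees that status when the result is captured in an assignment
# (x=$(secret ...)) under set -e; a $(secret ...) inside a heredoc silently
# expands to an empty string.
#
# NOTE(review): whoever holds the seed can recompute every derived credential,
# so the seed needs the same protection as the credentials themselves. The
# hash-of-concatenation construction is adequate for these fixed labels; an
# HMAC (e.g. openssl dgst -hmac) would be the more conventional KDF.
secret() {
  seed=$(cat /run/secrets/seed) || seed=
  if [ -z "${seed}" ]; then
    echo "ERROR: /run/secrets/seed is missing or empty." >&2
    return 1
  fi
  printf "%s:%40s" "${seed}" "$*" | sha256sum | sed 's/[[:space:]].*//'
}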
| 21 | |
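# Check the required inputs before touching Keycloak so a misconfigured run
# fails immediately rather than after the start-up wait. set -u would catch
# the admin credentials later anyway; the seed file is checked here because a
# missing seed is otherwise only noticed once secret() runs during realm
# creation.
: "${KEYCLOAK_ADMIN:?must be set}"
: "${KEYCLOAK_ADMIN_PASSWORD:?must be set}"
if [ ! -s /run/secrets/seed ]; then
  echo "ERROR: /run/secrets/seed is missing or empty." >&2
  exit 3
fi

# Keycloak may still be starting when this job runs: give it a head start,
# then retry the login once per second for as long as the failure is a
# connectivity one. `i` counts elapsed seconds and doubles as the budget
# (60s in total). Each attempt passes the admin password on argv (see
# kca_cred).
i=15
sleep "${i}" # give it a moment to come up
while kca_cred 2>&1 | grep -q -e 'Connection refused' -e 'Bad Gateway'; do
  if [ "${i}" -ge 60 ]; then
    echo "ERROR: Couldn't login to Keycloak after ${i}s." >&2
    exit 1
  fi
  echo Waiting...
  sleep 1
  i=$((i+1))
done
# Any other failure (wrong credentials, unexpected error) is fatal: log in
# once more with kcadm's diagnostics going to the log, and stop if it fails.
if ! kca_cred; then
  echo "ERROR: Failed to login to Keycloak." >&2
  exit 2
fi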
| 37 | |
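REALM=${SA_REALM:-sourcearcade}
if kca get realms/"${REALM}" --fields id >/dev/null 2>&1; then
  echo "Realm ${REALM} already set up."
else
  # Derive the SMTP password in an assignment, not inside the heredoc: under
  # set -e a failing secret() (e.g. missing seed) aborts the script here,
  # whereas $(secret ...) inside the heredoc would silently expand to an empty
  # string and create the realm with an empty SMTP password.
  smtp_password=$(secret mail:keycloak)

  # Realm policy: TLS required for every request, open self-registration gated
  # by e-mail verification, password reset and remember-me enabled, mail sent
  # via authenticated SMTP over implicit TLS on port 465, and GitHub wired in
  # as an identity provider. The environment values are spliced into the JSON
  # unescaped: a domain name or GitHub client id/secret containing a double
  # quote or backslash would corrupt the document.
  kca create realms -f - <<EOF
{
  "realm" : "${REALM}",
  "enabled" : true,
  "sslRequired" : "all",
  "registrationAllowed" : true,
  "resetPasswordAllowed" : true,
  "rememberMe" : true,
  "verifyEmail" : true,
  "smtpServer" : {
    "host" : "mail.${SA_PUBLIC_DOMAIN_NAME}",
    "port" : "465",
    "auth" : true,
    "ssl" : true,
    "user" : "keycloak@${SA_PUBLIC_DOMAIN_NAME}",
    "password" : "${smtp_password}",
    "from" : "keycloak@${SA_PUBLIC_DOMAIN_NAME}",
    "fromDisplayName" : "SourceArcade"
  },
  "identityProviders" : [ {
    "alias" : "github",
    "providerId" : "github",
    "enabled" : true,
    "config" : {
      "clientId" : "${GITHUB_OAUTH_CLIENT_ID}",
      "clientSecret" : "${GITHUB_OAUTH_CLIENT_SECRET}"
    }
  } ]
}
EOF

  # The built-in account console gets webOrigins "+" (in Keycloak's client
  # settings this stands for the origins of all valid redirect URIs — confirm
  # against the running version). Its id is pulled out of kcadm's JSON with
  # sed; without pipefail a failing kca would leave ac_id empty and turn the
  # update into a request for "clients/", so an empty id is made fatal.
  # NOTE(review): if this update fails after the realm was created, a re-run
  # skips the whole branch because the realm now exists; fix by hand then.
  ac_id=$(kca get clients -r "${REALM}" -q clientId=account-console --fields id \
    | sed -n 's/.*"id" : "\(.*\)".*/\1/p')
  if [ -z "${ac_id}" ]; then
    echo "ERROR: account-console client not found in realm ${REALM}." >&2
    exit 4
  fi
  kca update clients/"${ac_id}" -r "${REALM}" -s webOrigins='[ "+" ]'

  echo "New realm ${REALM} set up."
fi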
| 79 | |
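# The existence check greps for the substring "gerrit" in the clientId field
# of the query result; the -q clientId=gerrit filter is presumably an exact
# match on Keycloak's side, so this should only ever see our own client.
if kca get clients -r "${REALM}" -q clientId=gerrit --fields clientId | grep -q gerrit; then
  echo "Gerrit client in realm ${REALM} already set up."
else
  # Derive the client secret in an assignment so that, under set -e, a failing
  # secret() aborts the script instead of a $(secret ...) inside the heredoc
  # silently expanding to an empty string and registering a client whose
  # secret is "".
  gerrit_secret=$(secret kc:gerrit)

  # Confidential OIDC client for the review server: authenticates with the
  # derived client secret, resource-owner-password (direct access) grants are
  # disabled. NOTE(review): no redirectUris or webOrigins are set here, so
  # whatever Keycloak applies to a REST-created client is in effect; check
  # the resulting client and pin redirectUris to the review host instead of
  # leaving it to defaults.
  kca create clients -r "${REALM}" -f - <<EOF
{
  "clientId" : "gerrit",
  "name" : "Gerrit",
  "enabled" : true,
  "description" : "SourceArcade review platform",
  "rootUrl" : "https://review.${SA_PUBLIC_DOMAIN_NAME}",
  "clientAuthenticatorType" : "client-secret",
  "secret" : "${gerrit_secret}",
  "protocol" : "openid-connect",
  "directAccessGrantsEnabled" : false
}
EOF
  echo "Gerrit client in realm ${REALM} set up."
fi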