configure sso in seafile

2024-12-01 17:51:36 +01:00
parent 3dab583d01
commit b99c70072c
4 changed files with 38 additions and 4 deletions
--- a/caddy/Caddyfile
+++ b/caddy/Caddyfile
@@ -36,7 +36,6 @@

 import unprotected jellyfin host:8097
 import unprotected authentik host:19000
-import unprotected jupyter host:9999
 import unprotected grafana host:3333
 import unprotected pgadmin host:5050
 import unprotected homarr host:17575
@@ -90,5 +89,6 @@ import protected dsmr host:8888
 import protected transmission host:9091
 import protected droppy host:8989
 import protected filebrowser host:8002
+import protected jupyter host:9999

 import sites/*.caddy
--- a/caddy/sites/seafile.caddy
+++ b/caddy/sites/seafile.caddy
@@ -4,4 +4,3 @@ seafile.rik.veenboer.xyz {
 	}
 	reverse_proxy host:8082
 }
-
--- a/docker-compose.caddy.yml
+++ b/docker-compose.caddy.yml
@@ -15,6 +15,7 @@ services:
        restart: unless-stopped
        volumes:
        - /opt/caddy/Caddyfile:/etc/caddy/Caddyfile
+        - /opt/caddy/sites:/etc/caddy/sites
        - /opt/caddy/data:/data/caddy
        - /opt/caddy/logs:/var/log
        extra_hosts:
--- a/seafile/server/seafile/conf/seahub_settings.py
+++ b/seafile/server/seafile/conf/seahub_settings.py
@@ -1,7 +1,9 @@
 SECRET_KEY = "e$3$hp7u@1ba25kxxa46a7q+bc*3dfulsxhyq+nmap1f@me78$"
-SERVICE_URL = "https://seafile.rik.veenboer.xyz"
+
+DOMAIN = "seafile.rik.veenboer.xyz"
+SERVICE_URL = f"https://{DOMAIN}"
 CSRF_TRUSTED_ORIGINS = [SERVICE_URL]
-DEBUG = False
+DEBUG = True
 TIME_ZONE = 'Europe/Amsterdam'
 DATABASES = {
    'default': {
@@ -14,3 +16,35 @@ DATABASES = {
        'OPTIONS': {'charset': 'utf8mb4'},
    }
 }
+
+ENABLE_OAUTH = True
+
+# If create new user when he/she logs in Seafile for the first time, defalut `True`.
+OAUTH_CREATE_UNKNOWN_USER = True
+
+# If active new user when he/she logs in Seafile for the first time, defalut `True`.
+OAUTH_ACTIVATE_USER_AFTER_CREATION = True
+
+# Usually OAuth works through SSL layer. If your server is not parametrized to allow HTTPS, some method will raise an "oauthlib.oauth2.rfc6749.errors.InsecureTransportError". Set this to `True` to avoid this error.
+OAUTH_ENABLE_INSECURE_TRANSPORT = False
+
+# Client id/secret generated by authorization server when you register your client application.
+OAUTH_CLIENT_ID = "ppPkXbiyxpYKOlHdKHNM69HlzrKBz1DB9eTgvfgh"
+OAUTH_CLIENT_SECRET = "G1F5UwQyMDFSZpo8OjMLdU7TbMniWzNDJqjGHsGo1Yr03MOMM5uAw4gHLRMdxM72DLZUWWgSllEOkHk8ifBH7FVhlNw9zwc5LNOFIoXzMNZAuaJhLDlWPjWrfMCiosNT"
+
+# Callback url when user authentication succeeded. Note, the redirect url you input when you register your client application MUST be exactly the same as this value.
+OAUTH_REDIRECT_URL = f"{SERVICE_URL}/oauth/callback/"
+
+# The following should NOT be changed if you are using Github as OAuth provider.
+OAUTH_PROVIDER_DOMAIN = 'authentik.rik.veenboer.xyz'
+
+OAUTH_AUTHORIZATION_URL = f'https://{OAUTH_PROVIDER_DOMAIN}/application/o/authorize/'
+OAUTH_TOKEN_URL = f'https://{OAUTH_PROVIDER_DOMAIN}/application/o/token/'
+OAUTH_USER_INFO_URL = f'https://{OAUTH_PROVIDER_DOMAIN}/application/o/userinfo/'
+# OAUTH_SCOPE = ["openid", "profile", "email", "seafile"]
+OAUTH_SCOPE = ["profile", "seafile"]
+OAUTH_ATTRIBUTE_MAP = {
+    "seafile_id": (True, "email"),
+    "seafile_email": (False, "contact_email"),
+    "name": (False, "name"),
+}