From 6efb33dd6821de271867a7d860f0e30459001362 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Wed, 21 Apr 2021 23:14:45 +0200
Subject: onlyoffice: enable jwt auth
---
 roles/apps/onlyoffice/defaults/main.yml | 9 ++-
 roles/apps/onlyoffice/tasks/main.yml | 103 +++++++++++++++---------
 roles/apps/onlyoffice/templates/pod-spec.yml.j2 | 33 ++++++--
 3 files changed, 96 insertions(+), 49 deletions(-)
(limited to 'roles')
diff --git a/roles/apps/onlyoffice/defaults/main.yml b/roles/apps/onlyoffice/defaults/main.yml
index 0142ed87..1ea4773a 100644
--- a/roles/apps/onlyoffice/defaults/main.yml
+++ b/roles/apps/onlyoffice/defaults/main.yml
@@ -1,12 +1,12 @@
 ---
-onlyoffice_app_uid: "960"
-onlyoffice_app_gid: "960"
+# onlyoffice_app_uid: "960"
+# onlyoffice_app_gid: "960"
 onlyoffice_db_uid: "961"
 onlyoffice_db_gid: "961"
-onlyoffice_amqp_uid: "962"
-onlyoffice_amqp_gid: "962"
+# onlyoffice_amqp_uid: "962"
+# onlyoffice_amqp_gid: "962"
 # onlyoffice_base_path: /srv/onlyoffice
@@ -21,6 +21,7 @@ onlyoffice_amqp_gid: "962"
 # version: 6.2.1.24
 # port: 8600
 # hostname: office.example.com
+# jwt_secret: very-secure-password
 # database:
 # version: 9.5.25
 # password: secret
diff --git a/roles/apps/onlyoffice/tasks/main.yml b/roles/apps/onlyoffice/tasks/main.yml
index dd16a8de..da253a77 100644
--- a/roles/apps/onlyoffice/tasks/main.yml
+++ b/roles/apps/onlyoffice/tasks/main.yml
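Review bot: The new `# jwt_secret: very-secure-password` example does not say what happens when an instance omits the key, and the pod template only emits `JWT_ENABLED`/`JWT_SECRET` inside `{% if 'jwt_secret' in item.value %}`, so an instance defined without it silently runs with whatever the image defaults to. I would make that visible in the example, e.g. `# jwt_secret: very-secure-password  # optional; when absent no JWT_* env is set and the image default applies`, and use a value that reads as a placeholder for a long random string, since this secret is shared with every client that talks to the documentserver. Because the value is copied into the pod manifest and the container environment, the comment could also point at Ansible Vault for the real inventory value.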
@@ -30,26 +30,26 @@
 state: directory
-
-- name: add group for onlyoffice app
- group:
- name: oo-app
- gid: "{{ onlyoffice_app_gid }}"
-
-- name: add user for onlyoffice app
- user:
- name: oo-app
- uid: "{{ onlyoffice_app_uid }}"
- group: oo-app
- password: "!"
-
-- name: create onlyoffice app subdirectory
- loop: "{{ onlyoffice_instances | list }}"
- file:
- path: "{{ onlyoffice_base_path }}/{{ item }}/onlyoffice"
- owner: "{{ onlyoffice_app_uid }}"
- group: "{{ onlyoffice_app_gid }}"
- state: directory
+# TODO: run documentserver components as non-root
+# - name: add group for onlyoffice app
+# group:
+# name: oo-app
+# gid: "{{ onlyoffice_app_gid }}"
+
+# - name: add user for onlyoffice app
+# user:
+# name: oo-app
+# uid: "{{ onlyoffice_app_uid }}"
+# group: oo-app
+# password: "!"
+
+# - name: create onlyoffice app subdirectory
+# loop: "{{ onlyoffice_instances | list }}"
+# file:
+# path: "{{ onlyoffice_base_path }}/{{ item }}/onlyoffice"
+# owner: "{{ onlyoffice_app_uid }}"
+# group: "{{ onlyoffice_app_gid }}"
+# state: directory
 - name: add group for onlyoffice db
@@ -75,22 +75,44 @@
 state: directory
-
-- name: create onlyoffice rabbitmq subdirectory
- loop: "{{ onlyoffice_instances | dict2items}}"
- loop_control:
- label: "{{ item.key }}"
- file:
- path: "{{ onlyoffice_base_path }}/{{ item.key }}/rabbitmq"
- state: directory
-
-- name: install rabbitmq config snipped
- loop: "{{ onlyoffice_instances | dict2items}}"
- loop_control:
- label: "{{ item.key }}"
- copy:
- dest: "{{ onlyoffice_base_path }}/{{ item.key }}/rabbitmq/config"
- content: |
- management.tcp.ip = 127.0.0.1
+# TODO: run documentserver components as non-root
+# - name: add group for onlyoffice aqmp
+# group:
+# name: oo-aqmp
+# gid: "{{ onlyoffice_aqmp_gid }}"
+
+# - name: add user for onlyoffice aqmp
+# user:
+# name: oo-aqmp
+# uid: "{{ onlyoffice_aqmp_uid }}"
+# group: oo-aqmp
+# password: "!"
+
+# - name: create onlyoffice aqmp subdirectory
+# loop: "{{ onlyoffice_instances | list }}"
+# file:
+# path: "{{ onlyoffice_base_path }}/{{ item }}/onlyoffice"
+# owner: "{{ onlyoffice_aqmp_uid }}"
+# group: "{{ onlyoffice_aqmp_gid }}"
+# state: directory
+
+# TODO: AQMP config?
+# - name: create onlyoffice rabbitmq subdirectory
+# loop: "{{ onlyoffice_instances | dict2items}}"
+# loop_control:
+# label: "{{ item.key }}"
+# file:
+# path: "{{ onlyoffice_base_path }}/{{ item.key }}/rabbitmq"
+# state: directory
+
+# - name: install rabbitmq config snipped
+# loop: "{{ onlyoffice_instances | dict2items}}"
+# loop_control:
+# label: "{{ item.key }}"
+# copy:
+# dest: "{{ onlyoffice_base_path }}/{{ item.key }}/rabbitmq/config"
+# content: |
+# management.tcp.ip = 127.0.0.1
 - name: install pod manifest
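Review bot: The commented-out `add group for onlyoffice aqmp` / `add user for onlyoffice aqmp` block spells the variables `onlyoffice_aqmp_gid` and `onlyoffice_aqmp_uid` and the account `oo-aqmp`, while the defaults file in this same commit comments out `onlyoffice_amqp_uid` / `onlyoffice_amqp_gid`, so the TODO cannot be uncommented as written. The copied `create onlyoffice aqmp subdirectory` task also still targets `{{ onlyoffice_base_path }}/{{ item }}/onlyoffice`, the app directory, rather than the rabbitmq one. Since the block is kept precisely so it can be re-enabled later, I'd correct it now: `#     gid: "{{ onlyoffice_amqp_gid }}"`, `#     uid: "{{ onlyoffice_amqp_uid }}"` and `#     path: "{{ onlyoffice_base_path }}/{{ item }}/rabbitmq"` (with `oo-amqp` for the account names).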
@@ -102,10 +124,11 @@
 name: "onlyoffice-{{ item.key }}"
 spec: "{{ lookup('template', 'pod-spec.yml.j2') }}"
 mode: "0600"
- config_hash_items:
- - path: "{{ onlyoffice_base_path }}/{{ item.key }}/rabbitmq/config"
- properties:
- - checksum
+# TODO: AQMP config?
+# config_hash_items:
+# - path: "{{ onlyoffice_base_path }}/{{ item.key }}/rabbitmq/config"
+# properties:
+# - checksum
 include_role:
 name: kubernetes/standalone/pod
diff --git a/roles/apps/onlyoffice/templates/pod-spec.yml.j2 b/roles/apps/onlyoffice/templates/pod-spec.yml.j2
index 3ceb5244..74fb1ab6 100644
--- a/roles/apps/onlyoffice/templates/pod-spec.yml.j2
+++ b/roles/apps/onlyoffice/templates/pod-spec.yml.j2
@@ -1,14 +1,21 @@
-{#
+{# TODO:
 securityContext:
 allowPrivilegeEscalation: false
 #}
 terminationGracePeriodSeconds: 120
 containers:
+{# TODO: only listen to localhost #}
 - name: documentserver
 image: "onlyoffice/documentserver:{{ item.value.version }}"
 resources:
 limits:
 memory: "4Gi"
+{# TODO:
securityContext:
allowPrivilegeEscalation: false
runAsUser: {{ onlyoffice_amqp_uid }}
runAsGroup: {{ onlyoffice_amqp_gid }}
#}
 env:
 - name: "DB_TYPE"
 value: "postgres"
@@ -26,6 +33,12 @@ containers:
 value: "rabbitmq"
 - name: "AMQP_URI"
 value: "amqp://onlyoffice:{{ item.value.amqp.password }}@127.0.0.1:5672"
+{% if 'jwt_secret' in item.value %}
+ - name: "JWT_ENABLED"
+ value: "true"
+ - name: "JWT_SECRET"
+ value: "{{ item.value.jwt_secret }}"
+{% endif %}
 ports:
 - containerPort: 80
 hostPort: {{ item.value.port }}
@@ -55,6 +68,12 @@ containers:
 {# TODO: only listen to localhost #}
 - name: rabbitmq
 image: "rabbitmq:{{ item.value.amqp.version }}"
+{# TODO:
securityContext:
allowPrivilegeEscalation: false
runAsUser: {{ onlyoffice_amqp_uid }}
runAsGroup: {{ onlyoffice_amqp_gid }}
#}
 env:
 - name: "RABBITMQ_NODENAME"
 value: "rabbit@localhost"
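Review bot: The TODO `securityContext` block added under the documentserver container sets `runAsUser: {{ onlyoffice_amqp_uid }}` / `runAsGroup: {{ onlyoffice_amqp_gid }}`, which are the rabbitmq identity; the defaults file in this commit keeps `onlyoffice_app_uid` / `onlyoffice_app_gid` for the app, and the same block is repeated verbatim under the rabbitmq container in the `@@ -55,6 +68,12 @@` hunk, where the amqp ids are the right ones. If the comment is meant to be uncommented later it should read `runAsUser: {{ onlyoffice_app_uid }}` and `runAsGroup: {{ onlyoffice_app_gid }}` here, otherwise both containers would end up under one uid and the ownership split the per-component users were created for is lost.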
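Review bot: `value: "{{ item.value.jwt_secret }}"` pastes the secret into a YAML double-quoted scalar, so a value containing `"` or `\` — both legitimate in a randomly generated secret — yields an unparsable pod spec or a silently altered token; `value: {{ item.value.jwt_secret | to_json }}` renders a correctly escaped scalar for any input. `{% if 'jwt_secret' in item.value %}` also treats an empty or null value as configured and would set `JWT_ENABLED` to `"true"` with an empty `JWT_SECRET`; `{% if item.value.jwt_secret | default('') %}` skips the block in that case, or the `mandatory` filter can be used if the key must always be present. Worth a one-line comment above the block, `{# jwt_secret lands verbatim in this manifest and in the container env; keep the installed file at mode 0600 #}`, since the tasks file relies on that mode to protect it.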
@@ -64,18 +83,22 @@ containers:
 value: "onlyoffice"
 - name: "RABBITMQ_DEFAULT_PASS"
 value: "{{ item.value.amqp.password }}"
+{# TODO: AQMP config?
 volumeMounts:
 - name: rabbitmq
 mountPath: /etc/rabbitmq/conf.d/k8s.conf
 subPath: config
 readOnly: true
+#}
 volumes:
-- name: rabbitmq
- hostPath:
- path: "{{ onlyoffice_base_path }}/{{ item.key }}/rabbitmq"
- type: Directory
 - name: postgres
 hostPath:
 path: "{{ onlyoffice_base_path }}/{{ item.key }}/postgres"
 type: Directory
+{# TODO: AQMP config?
+- name: rabbitmq
+ hostPath:
+ path: "{{ onlyoffice_base_path }}/{{ item.key }}/rabbitmq"
+ type: Directory
+#}
-- cgit v1.2.3
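Review bot: Removing the rabbitmq volume and commenting out its `volumeMounts` drops the only RabbitMQ configuration the role applied, the `k8s.conf` snippet whose content `management.tcp.ip = 127.0.0.1` is visible in the removed lines of the tasks hunk `@@ -75,22 +75,44 @@`; after this change the management listener, if the image enables it, binds to whatever the image defaults to. The `{# TODO: AQMP config? #}` markers do not record what was lost, so I'd state it at the first of them: `{# TODO: AQMP config? previously mounted k8s.conf with management.tcp.ip = 127.0.0.1; restore before the pod is reachable beyond localhost #}`. The `{# TODO: only listen to localhost #}` line above the rabbitmq container in the previous hunk points at the same gap.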