feat: ECCNetLabのユーザのみoidcするように設定

dex-config.yaml

@@ -0,0 +1,32 @@
+issuer: https://auth.netken.ecc-comp.com
+
+storage:
+  type: memory
+
+connectors:
+  - type: github
+    id: github
+    name: GitHub
+    config:
+      clientID:
+      clientSecret:
+      redirectURI: https://auth.netken.ecc-comp.com/callback
+      orgs:
+        - name: ECCNetLab
+      loadAllGroups: false
+
+oauth2:
+  skipApprovalScreen: true
+
+staticClients:
+  - id: growi-client
+    redirectURIs:
+      - "https://wiki.netken.ecc-comp.com/passport/oidc/callback"
+    name: "Growi Wiki"
+    secret: growi-secret
+
+web:
+  http: 0.0.0.0:5556
+  allowedOrigins:
+    - "https://wiki.netken.ecc-comp.com"
+    - "https://auth.netken.ecc-comp.com"

docker-compose.override.yml

@@ -10,8 +10,9 @@ services:
       - "443:443"
     links:
       - app:app
+      - dex:dex
     environment:
-      DOMAINS: "wiki.netken.ecc-comp.com -> http://app:3000"
+      DOMAINS: 'wiki.netken.ecc-comp.com -> http://app:3000, auth.netken.ecc-comp.com -> http://dex:5556'
       STAGE: "production"
       FORCE_RENEW: "false"
       WEBSOCKET: "true"

docker-compose.yml

@@ -1,22 +1,35 @@
-version: '3'
+version: "3"
 
 services:
   app:
     image: weseek/growi:7
     ports:
-      - 127.0.0.1:3000:3000    # localhost only by default
+      - 3000:3000
     links:
       - mongo:mongo
       - elasticsearch:elasticsearch
+      - dex:dex
     depends_on:
-        mongo:
-          condition: service_healthy
-        elasticsearch:
-          condition: service_healthy
+      mongo:
+        condition: service_healthy
+      elasticsearch:
+        condition: service_healthy
+      dex:
+        condition: service_healthy
     environment:
+      # Basic Growi settings
       - MONGO_URI=mongodb://mongo:27017/growi
       - ELASTICSEARCH_URI=http://elasticsearch:9200/growi
       - PASSWORD_SEED=changeme
+      - APP_SITE_URL=https://wiki.netken.ecc-comp.com
+      - SECRET_TOKEN=your-secret-token-here
+
+      # OIDC settings for GitHub authentication via Dex
+      - OAUTH_OIDC_ISSUER_HOST=http://dex:5556
+      - OAUTH_OIDC_CLIENT_ID=growi-client
+      - OAUTH_OIDC_CLIENT_SECRET=growi-secret
+
+      # Optional settings (uncomment as needed)
       # - FILE_UPLOAD=mongodb   # activate this line if you use MongoDB GridFS rather than AWS
       # - FILE_UPLOAD=local     # activate this line if you use local storage of server rather than AWS
       # - MATHJAX=1             # activate this line if you want to use MathJax
@@ -25,12 +38,36 @@ services:
       # - FORCE_WIKI_MODE='private'   # activate this line to force wiki private mode
 
     entrypoint: "/docker-entrypoint.sh"
-    command: ["npm run migrate && node -r dotenv-flow/config --expose_gc dist/server/app.js"]
-
+    command:
+      [
+        "npm run migrate && node -r dotenv-flow/config --expose_gc dist/server/app.js",
+      ]
     restart: unless-stopped
     volumes:
       - growi_data:/data
 
+  dex:
+    image: docker.io/dexidp/dex:v2.43.1
+    restart: unless-stopped
+    ports:
+      - "5556:5556"
+    volumes:
+      - ./dex-config.yaml:/etc/dex/config.yaml:ro
+    command: ["dex", "serve", "/etc/dex/config.yaml"]
+    environment:
+      - DEX_LISTEN=0.0.0.0:5556
+    healthcheck:
+      test:
+        [
+          "CMD",
+          "sh",
+          "-c",
+          "echo -e 'GET /healthz HTTP/1.1\\r\\nHost: localhost:5556\\r\\n\\r\\n' | nc localhost 5556 | grep -q '200 OK'",
+        ]
+      interval: 10s
+      timeout: 5s
+      retries: 6
+
   mongo:
     image: mongo:6.0
     restart: unless-stopped
@@ -49,7 +86,7 @@ services:
       dockerfile: ./Dockerfile
     environment:
       - bootstrap.memory_lock=true
-      - "ES_JAVA_OPTS=-Xms256m -Xmx256m"  # increase amount if you have enough memory
+      - "ES_JAVA_OPTS=-Xms256m -Xmx256m" # increase amount if you have enough memory
       - LOG4J_FORMAT_MSG_NO_LOOKUPS=true # CVE-2021-44228 mitigation for Elasticsearch <= 6.8.20/7.16.0
     ulimits:
       memlock: