.

2025-04-21 14:12:15 -04:00
parent 5a8a0caba8
commit 2f7d77b3c3
5 changed files with 242 additions and 0 deletions
--- a/Techops/rundeck.knownelement.com/CloudronManifest.json
+++ b/Techops/rundeck.knownelement.com/CloudronManifest.json
@@ -0,0 +1,53 @@
 {
  "id": "com.rundeck.cloudron",
  "title": "Rundeck",
  "author": "Rundeck, Inc.",
  "description": "Job scheduler and runbook automation for teams. Rundeck enables self-service operations with policy-based access control, audit trail, and integrations with your existing tools.",
  "tagline": "Job scheduling and runbook automation",
  "version": "1.0.0",
  "healthCheckPath": "/api/40/system/info",
  "httpPort": 8080,
  "manifestVersion": 2,
  "website": "https://www.rundeck.com/",
  "contactEmail": "support@rundeck.com",
  "icon": "file://logo.png",
  "addons": {
    "localstorage": {},
    "postgresql": {
      "version": "14"
    }
  },
  "tags": [
    "automation",
    "devops",
    "scheduler",
    "workflow"
  ],
  "minBoxVersion": "7.4.0",
  "memoryLimit": 1024,
  "documentationUrl": "https://docs.rundeck.com/",
  "postInstallMessage": "Rundeck has been installed. The initial admin credentials are:\nUsername: admin\nPassword: {{ .password }}\n\nPlease change this password immediately after login.",
  "startCommand": "/app/code/start.sh",
  "configurePath": "/login",
  "mediaLinks": [],
  "changelog": [
    {
      "versionCode": 1,
      "version": "1.0.0",
      "releaseDate": "2025-04-21",
      "changes": [
        "Initial release of Rundeck for Cloudron"
      ]
    }
  ],
  "forumUrl": "https://github.com/cloudron-io/cloudron-app/issues",
  "features": {
    "ldap": true,
    "oauth": {
      "callback": "/user/oidclogin",
      "clientId": "{{ cloudron.oauth.clientId }}",
      "clientSecret": "{{ cloudron.oauth.clientSecret }}",
      "scope": "profile email"
    }
  }
 }
--- a/Techops/rundeck.knownelement.com/jaas-ldap.conf
+++ b/Techops/rundeck.knownelement.com/jaas-ldap.conf
@@ -0,0 +1,22 @@
 ldap {
    com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="{{ldap.url}}"
    bindDn="{{ldap.bindDn}}"
    bindPassword="{{ldap.bindPassword}}"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="{{ldap.userBaseDn}}"
    userRdnAttribute="uid"
    userIdAttribute="uid"
    userPasswordAttribute="userPassword"
    userObjectClass="inetOrgPerson"
    roleBaseDn="{{ldap.groupBaseDn}}"
    roleNameAttribute="cn"
    roleMemberAttribute="member"
    roleObjectClass="groupOfNames"
    cacheDurationMillis="300000"
    supplementalRoles="user"
    reportStatistics="true";
 };
--- a/Techops/rundeck.knownelement.com/nginx.conf
+++ b/Techops/rundeck.knownelement.com/nginx.conf
@@ -0,0 +1,34 @@
 server {
    listen 8080;
    server_name localhost;
    access_log /dev/stdout;
    error_log /dev/stderr;
    client_max_body_size 50M;
    location / {
        proxy_pass http://127.0.0.1:4440;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 86400;
    }
    # OIDC callback
    location /user/oidclogin {
        proxy_pass http://127.0.0.1:4440/user/oidclogin;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
    }
 }
--- a/Techops/rundeck.knownelement.com/start.sh
+++ b/Techops/rundeck.knownelement.com/start.sh
@@ -0,0 +1,104 @@
 #!/bin/bash
 set -eu
 # Setup runtime environment
 echo "Setting up Rundeck runtime environment..."
 # Initialize data directories if they don't exist
 for dir in etc server/data var/logs projects libext .ssh; do
    if [ ! -d "/app/data/$dir" ]; then
        mkdir -p "/app/data/$dir"
        if [ -d "/tmp/data/$dir" ] && [ -n "$(ls -A "/tmp/data/$dir" 2>/dev/null)" ]; then
            cp -r "/tmp/data/$dir/"* "/app/data/$dir/"
        fi
    fi
 done
 # Setup database connection
 DB_URL="jdbc:postgresql://${CLOUDRON_POSTGRESQL_HOST}:${CLOUDRON_POSTGRESQL_PORT}/${CLOUDRON_POSTGRESQL_DATABASE}?user=${CLOUDRON_POSTGRESQL_USERNAME}&password=${CLOUDRON_POSTGRESQL_PASSWORD}"
 export RUNDECK_SERVER_DATASTORE_URL="$DB_URL"
 export RUNDECK_DATABASE_URL="$DB_URL"
 export RUNDECK_DATABASE_DRIVER="org.postgresql.Driver"
 export RUNDECK_DATABASE_USERNAME="${CLOUDRON_POSTGRESQL_USERNAME}"
 export RUNDECK_DATABASE_PASSWORD="${CLOUDRON_POSTGRESQL_PASSWORD}"
 # Generate initial admin password if not exists
 if ! grep -q "^admin:" /app/data/etc/realm.properties 2>/dev/null; then
    PASSWORD=$(openssl rand -hex 8)
    echo "admin:admin,user,admin" > /app/data/etc/realm.properties
    sed -i "s|{{ .password }}|$PASSWORD|g" /run/cloudron/app.json
 else
    sed -i "s|{{ .password }}|<existing password>|g" /run/cloudron/app.json
 fi
 # Update configurations
 if [ -f "/app/data/etc/framework.properties" ]; then
    # Set domain in framework.properties
    sed -i "s|framework.server.url = .*|framework.server.url = https://${CLOUDRON_APP_DOMAIN}|g" /app/data/etc/framework.properties
    sed -i "s|framework.server.hostname = .*|framework.server.hostname = ${CLOUDRON_APP_DOMAIN}|g" /app/data/etc/framework.properties
 fi
 if [ -f "/app/data/etc/rundeck-config.properties" ]; then
    # Update database connection in rundeck-config.properties
    sed -i "s|dataSource.url = .*|dataSource.url = ${RUNDECK_SERVER_DATASTORE_URL}|g" /app/data/etc/rundeck-config.properties
    sed -i "s|grails.serverURL = .*|grails.serverURL = https://${CLOUDRON_APP_DOMAIN}|g" /app/data/etc/rundeck-config.properties
 fi
 # Configure authentication
 if [[ -n "${CLOUDRON_OAUTH_IDENTIFIER:-}" ]]; then
    echo "Configuring OAuth/OIDC authentication..."
    export RUNDECK_SECURITY_OAUTH_ENABLED=true
    export RUNDECK_SECURITY_OAUTH_CLIENTID="${CLOUDRON_OAUTH_CLIENT_ID}"
    export RUNDECK_SECURITY_OAUTH_CLIENTSECRET="${CLOUDRON_OAUTH_CLIENT_SECRET}"
    export RUNDECK_SECURITY_OAUTH_AUTHORIZEURL="${CLOUDRON_OAUTH_ORIGIN}/auth/realms/${CLOUDRON_OAUTH_IDENTIFIER}/protocol/openid-connect/auth"
    export RUNDECK_SECURITY_OAUTH_TOKENURL="${CLOUDRON_OAUTH_ORIGIN}/auth/realms/${CLOUDRON_OAUTH_IDENTIFIER}/protocol/openid-connect/token"
    export RUNDECK_SECURITY_OAUTH_USERINFOURI="${CLOUDRON_OAUTH_ORIGIN}/auth/realms/${CLOUDRON_OAUTH_IDENTIFIER}/protocol/openid-connect/userinfo"
    cp /tmp/data/etc/jaas-oidc.conf /app/data/etc/jaas-oidc.conf
    export RUNDECK_JAASLOGIN=true
    export RDECK_JVM_OPTS="${RDECK_JVM_OPTS:-} -Drundeck.jaaslogin=true -Dloginmodule.name=oauth -Djava.security.auth.login.config=/app/data/etc/jaas-oidc.conf"
    # Add necessary properties to rundeck-config.properties
    echo "rundeck.security.oauth.enabled=true" >> /app/data/etc/rundeck-config.properties
    echo "rundeck.security.oauth.clientId=${CLOUDRON_OAUTH_CLIENT_ID}" >> /app/data/etc/rundeck-config.properties
    echo "rundeck.security.oauth.clientSecret=${CLOUDRON_OAUTH_CLIENT_SECRET}" >> /app/data/etc/rundeck-config.properties
    echo "rundeck.security.oauth.authorizeUrl=${CLOUDRON_OAUTH_ORIGIN}/auth/realms/${CLOUDRON_OAUTH_IDENTIFIER}/protocol/openid-connect/auth" >> /app/data/etc/rundeck-config.properties
    echo "rundeck.security.oauth.tokenUrl=${CLOUDRON_OAUTH_ORIGIN}/auth/realms/${CLOUDRON_OAUTH_IDENTIFIER}/protocol/openid-connect/token" >> /app/data/etc/rundeck-config.properties
    echo "rundeck.security.oauth.userInfoUri=${CLOUDRON_OAUTH_ORIGIN}/auth/realms/${CLOUDRON_OAUTH_IDENTIFIER}/protocol/openid-connect/userinfo" >> /app/data/etc/rundeck-config.properties
    echo "rundeck.security.oauth.autoCreateUsers=true" >> /app/data/etc/rundeck-config.properties
    echo "rundeck.security.oauth.defaultRoles=user" >> /app/data/etc/rundeck-config.properties
 elif [[ -n "${CLOUDRON_LDAP_SERVER:-}" ]]; then
    echo "Configuring LDAP authentication..."
    cp /tmp/data/etc/jaas-ldap.conf /app/data/etc/jaas-ldap.conf
    # Replace placeholders in JAAS config
    sed -i "s|{{ldap.url}}|${CLOUDRON_LDAP_SERVER}:${CLOUDRON_LDAP_PORT}|g" /app/data/etc/jaas-ldap.conf
    sed -i "s|{{ldap.bindDn}}|${CLOUDRON_LDAP_BIND_DN}|g" /app/data/etc/jaas-ldap.conf
    sed -i "s|{{ldap.bindPassword}}|${CLOUDRON_LDAP_BIND_PASSWORD}|g" /app/data/etc/jaas-ldap.conf
    sed -i "s|{{ldap.userBaseDn}}|${CLOUDRON_LDAP_USERS_BASE_DN}|g" /app/data/etc/jaas-ldap.conf
    sed -i "s|{{ldap.groupBaseDn}}|${CLOUDRON_LDAP_GROUPS_BASE_DN}|g" /app/data/etc/jaas-ldap.conf
    export RUNDECK_JAASLOGIN=true
    export RDECK_JVM_OPTS="${RDECK_JVM_OPTS:-} -Drundeck.jaaslogin=true -Dloginmodule.name=ldap -Djava.security.auth.login.config=/app/data/etc/jaas-ldap.conf"
    # Enable JAAS LDAP in rundeck-config.properties
    echo "rundeck.security.jaasLoginModuleName=ldap" >> /app/data/etc/rundeck-config.properties
    echo "rundeck.security.jaasProviderName=ldap" >> /app/data/etc/rundeck-config.properties
    echo "rundeck.jaaslogin=true" >> /app/data/etc/rundeck-config.properties
    echo "rundeck.feature.caseInsensitiveUsername.enabled=true" >> /app/data/etc/rundeck-config.properties
    echo "rundeck.security.syncLdapUser=true" >> /app/data/etc/rundeck-config.properties
 else
    # Use file-based authentication
    echo "Using file-based authentication..."
    export RDECK_JVM_OPTS="${RDECK_JVM_OPTS:-} -Drundeck.jaaslogin=true -Dloginmodule.name=file -Djava.security.auth.login.config=/app/data/etc/jaas-file.conf"
    echo 'RDpropertyfilelogin { org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required debug="true" file="/app/data/etc/realm.properties"; };' > /app/data/etc/jaas-file.conf
    echo "rundeck.security.jaasLoginModuleName=file" >> /app/data/etc/rundeck-config.properties
    echo "rundeck.security.jaasProviderName=file" >> /app/data/etc/rundeck-config.properties
 fi
 # Set permissions
 chown -R cloudron:cloudron /app/data
 echo "Starting Rundeck services..."
 exec /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf
--- a/Techops/rundeck.knownelement.com/supervisord.conf
+++ b/Techops/rundeck.knownelement.com/supervisord.conf
@@ -0,0 +1,29 @@
 [supervisord]
 nodaemon=true
 user=root
 logfile=/dev/stdout
 logfile_maxbytes=0
 pidfile=/var/run/supervisord.pid
 [program:rundeck]
 command=java -Xmx512m -Dserver.http.port=4440 -Drdeck.base=/app/data -jar /app/code/rundeck/webapps/rundeck.war
 directory=/app/code/rundeck
 user=cloudron
 environment=RDECK_BASE="/app/data",RUNDECK_SERVER_DATASTORE_URL="%(ENV_RUNDECK_SERVER_DATASTORE_URL)s",RUNDECK_SERVER_DATASTORE_DRIVER="%(ENV_RUNDECK_SERVER_DATASTORE_DRIVER)s",RUNDECK_GRAILS_URL="%(ENV_RUNDECK_GRAILS_URL)s",RUNDECK_SERVER_CONTEXTPATH="%(ENV_RUNDECK_SERVER_CONTEXTPATH)s",RUNDECK_SERVER_FORWARDED=%(ENV_RUNDECK_SERVER_FORWARDED)s,RUNDECK_LOGGING_STRATEGY="%(ENV_RUNDECK_LOGGING_STRATEGY)s",SERVER_SERVLET_CONTEXT_PATH="%(ENV_SERVER_SERVLET_CONTEXT_PATH)s",RUNDECK_JAASLOGIN=%(ENV_RUNDECK_JAASLOGIN)s,RUNDECK_SERVER_ADDRESS=%(ENV_RUNDECK_SERVER_ADDRESS)s,RUNDECK_SERVER_PORT=%(ENV_RUNDECK_SERVER_PORT)s
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 autorestart=true
 priority=10
 startretries=5
 stopwaitsecs=60
 [program:nginx]
 command=/usr/sbin/nginx -g "daemon off;"
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 autorestart=true
 priority=20