From b97b2c911f672c44cd0b1db029adaf9245bc5880 Mon Sep 17 00:00:00 2001
From: Vladan Popovic
Date: Mon, 26 Feb 2024 18:40:33 +0100
Subject: [PATCH] kanidm initial local setup
---
kanidm/app.ini | 98 ++++++++++++++++++++++++++++++++++++++++++++++
kanidm/main.tf | 67 +++++++++++++++++++++++++++++++
kanidm/server.toml | 18 +++++++++
kanidm/service.bu | 76 +++++++++++++++++++++++++++++++++++
4 files changed, 259 insertions(+)
create mode 100644 kanidm/app.ini
create mode 100644 kanidm/main.tf
create mode 100644 kanidm/server.toml
create mode 100644 kanidm/service.bu
diff --git a/kanidm/app.ini b/kanidm/app.ini
new file mode 100644
index 0000000..a885629
--- /dev/null
+++ b/kanidm/app.ini
@@ -0,0 +1,98 @@
+APP_NAME = Hklbgd: Git forge beogradskog haklaba.
+RUN_MODE = prod
+RUN_USER = git
+WORK_PATH = /data/gitea
+
+[repository]
+ROOT = /data/git/repositories
+
+[repository.local]
+LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
+
+[repository.upload]
+TEMP_PATH = /data/gitea/uploads
+
+[server]
+APP_DATA_PATH = /data/gitea
+DOMAIN = forge.hklbgd.org
+SSH_DOMAIN = forge.hklbgd.org
+HTTP_PORT = 3000
+ROOT_URL = http://forge.hklbgd.org:3000/
+DISABLE_SSH = false
+SSH_PORT = 22
+SSH_LISTEN_PORT = 22
+LFS_START_SERVER = true
+LFS_JWT_SECRET = Uw3LrBKqyOESkHJDcpfP_AM_eLE-WKWTV48inxIfqNk
+OFFLINE_MODE = false
+
+[database]
+PATH = /data/gitea/gitea.db
+DB_TYPE = sqlite3
+NAME = gitea
+USER = root
+PASSWD =
+LOG_SQL = false
+SCHEMA =
+SSL_MODE = disable
+
+[indexer]
+ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
+
+[session]
+PROVIDER_CONFIG = /data/gitea/sessions
+PROVIDER = file
+
+[picture]
+AVATAR_UPLOAD_PATH = /data/gitea/avatars
+REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
+
+[attachment]
+PATH = /data/gitea/attachments
+
+[log]
+MODE = console
+LEVEL = info
+ROOT_PATH = /data/gitea/log
+
+[security]
+INSTALL_LOCK = true
+SECRET_KEY =
+REVERSE_PROXY_LIMIT = 1
+REVERSE_PROXY_TRUSTED_PROXIES = *
+INTERNAL_TOKEN = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3MDg0NDAwODh9.VO3I2beskQWkE-yU5QC3WWjaVuqH80piJroJxj71-HA
+PASSWORD_HASH_ALGO = pbkdf2_hi
+
+[service]
+DISABLE_REGISTRATION = true
+REQUIRE_SIGNIN_VIEW = false
+REGISTER_EMAIL_CONFIRM = false
+ENABLE_NOTIFY_MAIL = false
+ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+ENABLE_CAPTCHA = false
+DEFAULT_KEEP_EMAIL_PRIVATE = true
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING = true
+NO_REPLY_ADDRESS = noreply.localhost
+
+[lfs]
+PATH = /data/git/lfs
+
+[mailer]
+ENABLED = false
+
+[openid]
+ENABLE_OPENID_SIGNIN = true
+ENABLE_OPENID_SIGNUP = true
+WHITELISTED_URIS = id.hklbgd.org
+
+[cron.update_checker]
+ENABLED = false
+
+[repository.pull-request]
+DEFAULT_MERGE_STYLE = squash
+
+[repository.signing]
+DEFAULT_TRUST_MODEL = committer
+
+[oauth2]
+JWT_SECRET = 9Xl_coahn4U31L78IxKSZk7k6z_r2uQlQ_DVDlNsKyM
diff --git a/kanidm/main.tf b/kanidm/main.tf
new file mode 100644
index 0000000..14d1d38
--- /dev/null
+++ b/kanidm/main.tf
@@ -0,0 +1,67 @@
+terraform {
+ required_providers {
+ libvirt = {
+ source = "dmacvicar/libvirt"
+ version = "0.7.6"
+ }
+ }
+}
+
+provider "libvirt" {
+ uri = "qemu:///system"
+}
+
+resource "libvirt_volume" "fcos" {
+ name = "fcos"
+ pool = "default"
+ source = "fedora-coreos-39.20240128.3.0-qemu.x86_64.qcow2"
+ format = "qcow2"
+}
+resource "libvirt_volume" "kanidm" {
+ name = "kanidm-rootfs.qcow2"
+ base_volume_id = libvirt_volume.fcos.id
+}
+
+resource "libvirt_volume" "data" {
+ name = "kanidm-data.qcow2"
+ pool = "default"
+ size = 3221225472
+ format = "qcow2"
+ lifecycle {
+ prevent_destroy = true
+ }
+}
+
+resource "libvirt_ignition" "kanidm" {
+ name = "kanidm-service.ign"
+ content = "service.ign"
+}
+
+resource "libvirt_domain" "kanidm" {
+ name = "kanidm"
+ autostart = true
+ memory = "2048"
+ vcpu = 2
+
+ coreos_ignition = libvirt_ignition.kanidm.id
+
+ disk {
+ volume_id = "${libvirt_volume.kanidm.id}"
+ }
+ disk {
+ volume_id = "${libvirt_volume.data.id}"
+ }
+ network_interface {
+ network_name = "default"
+ hostname = "kanidm.hklbgd.org"
+ addresses = ["192.168.122.110"]
+ mac = "56:FA:7E:C9:6A:E9"
+ wait_for_lease = true
+ }
+ console {
+ type = "pty"
+ target_port = "0"
+ target_type = "virtio"
+ source_path = "/dev/pts/25"
+ }
+}
diff --git a/kanidm/server.toml b/kanidm/server.toml
new file mode 100644
index 0000000..8508071
--- /dev/null
+++ b/kanidm/server.toml
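Review bot: The `[server]`, `[security]` and `[oauth2]` sections commit live secrets in plaintext — `LFS_JWT_SECRET`, `INTERNAL_TOKEN` and `JWT_SECRET` — and once pushed they stay in history, so they need to be rotated rather than merely removed. Recent Gitea releases can read each of them from a file outside the repository via the `_URI` variants (`LFS_JWT_SECRET_URI`, `INTERNAL_TOKEN_URI`, `JWT_SECRET_URI`, and `SECRET_KEY_URI` for the empty `SECRET_KEY`, whose handling when left blank depends on the Gitea version and should be confirmed), e.g. `INTERNAL_TOKEN_URI = file:/data/gitea/internal_token`. `REVERSE_PROXY_TRUSTED_PROXIES = *` together with `REVERSE_PROXY_LIMIT = 1` makes Gitea accept `X-Forwarded-For` from any client that reaches port 3000 directly, which `ROOT_URL = http://forge.hklbgd.org:3000/` suggests is possible; narrow it to the proxy, e.g. `REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.0/8,::1/128`, or drop the reverse-proxy keys if there is no proxy, and switch `ROOT_URL` to https once TLS is in front. It is also worth confirming that `WHITELISTED_URIS = id.hklbgd.org` is intentional while the identity host elsewhere in this commit is `kanidm.hklbgd.org`, and that a Gitea app.ini belongs under `kanidm/`.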
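Review bot: `libvirt_volume.data` is created with `size = 3221225472`, i.e. 3 GiB, but the service.bu hunk later in this commit partitions that same disk (`/dev/vdb`) with `size_mib: 10000`, so the requested partition exceeds the volume and Ignition's partitioning step is likely to fail or not produce the intended layout; the two figures should agree, e.g. `size = 10485760000` to match the Butane file. The console block hard-codes `source_path = "/dev/pts/25"`, a pty number from the author's host that will differ on the next boot or machine; for a `pty` console libvirt normally allocates the device itself, so the line can be dropped. A short comment above `resource "libvirt_ignition" "kanidm"` saying that `service.ign` is rendered from `service.bu` with butane would help the next reader, since the rendered file is not part of this commit.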
@@ -0,0 +1,18 @@
+bindaddress = "[::]:8443"
+ldapbindaddress = "[::]:3636"
+trust_x_forward_for = false
+db_path = "/data/kanidm.db"
+db_arc_size = 1024
+
+tls_chain = "/data/certs/fullchain1.pem"
+tls_key = "/data/certs/privkey1.pem"
+
+log_level = "debug"
+
+domain = "kanidm.hklbgd.org" # !!! don't modify !!!
+origin = "https://kanidm.hklbgd.org" # webauthn origin
+#
+[online_backup]
+path = "/data/kanidm/backups/"
+schedule = "00 04 * * *"
+versions = 3 # number of backups to keep
diff --git a/kanidm/service.bu b/kanidm/service.bu
new file mode 100644
index 0000000..017842f
--- /dev/null
+++ b/kanidm/service.bu
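Review bot: `log_level = "debug"` ships verbose logging into what the rest of the commit treats as a production identity provider, and I do not find "debug" among the kanidm levels I know of (`default`, `verbose`, `perfull`, `perfspan`) — confirm the image version actually pulled accepts it, and prefer `log_level = "default"` once the setup works. `[online_backup]` writes to `/data/kanidm/backups/`, which inside the container is the same `/var/lib/kanidm` volume that holds `db_path = "/data/kanidm.db"`, so losing that disk loses the backups too; a comment above the section stating where off-host copies are taken, or a separate volume, would close that gap. The bare `#` line before `[online_backup]` looks like a leftover and could either carry a description of the section or be removed.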
@@ -0,0 +1,76 @@
+variant: fcos
+version: 1.5.0
+passwd:
+ users:
+ - name: vladan
+ ssh_authorized_keys:
+ - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFtUc2UvKFGSSlP3RRXUIToDYh8a8pg5DqDkJS+nBTG vladan@jenga
+ - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHEY82J6Za3qkt7N6hZIOMEBeUna1dmsQjFZm3rIQzzz vladan@proxmox-coreos
+ password_hash: "$y$j9T$kBtBBkINmXh6lxmBqCJkr1$bA1fjZ5pC4CUr6VUnRe2FAWrW5tb6lfX/7.38axa5S3"
+ groups:
+ - wheel
+ shell: /bin/bash
+storage:
+ disks:
+ - device: /dev/vdb
+ wipe_table: false
+ partitions:
+ - number: 1
+ label: kanidm
+ start_mib: 0
+ size_mib: 10000
+ filesystems:
+ - path: /var/lib/kanidm
+ device: /dev/disk/by-partlabel/kanidm
+ format: xfs
+ label: data
+ with_mount_unit: true
+ wipe_filesystem: false
+ files:
+ - path: /etc/hostname
+ mode: 0644
+ contents:
+ inline: kanidm.hklbgd.org
+ - path: /etc/kanidm/server.toml
+ contents:
+ local: server.toml
+ mode: 0400
+ - path: /etc/kanidm/certs/cert1.pem
+ contents:
+ local: certs/cert1.pem
+ mode: 0400
+ - path: /etc/kanidm/certs/chain1.pem
+ contents:
+ local: certs/chain1.pem
+ mode: 0400
+ - path: /etc/kanidm/certs/fullchain1.pem
+ contents:
+ local: certs/fullchain1.pem
+ mode: 0400
+ - path: /etc/kanidm/certs/privkey1.pem
+ contents:
+ local: certs/privkey1.pem
+ mode: 0400
+ - path: /etc/containers/systemd/kanidm.container
+ contents:
+ inline: |
+ [Unit]
+ Description=Kanidm - a modern and simple identity management platform written in rust.
+ After=network-online.target
+ Wants=network-online.target
+
+ [Service]
+ TimeoutStartSec=60
+
+ [Container]
+ ContainerName=kanidm
+ Image=docker.io/kanidm/server:latest
+ Volume=/var/lib/kanidm:/data:z
+ Volume=/etc/kanidm/server.toml:/data/server.toml:z
+ Volume=/etc/kanidm/certs:/data/certs:z
+ PublishPort=8443:8443
+ PublishPort=3636:3636
+
+ [Install]
+ # Start by default on boot
+ WantedBy=multi-user.target default.target
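Review bot: `Image=docker.io/kanidm/server:latest` in the quadlet means a container restart may pull a new kanidm release unannounced, and for the identity provider the Gitea instance in this commit depends on, an unplanned upgrade with its database migration is an outage risk; pin a release tag or digest, e.g. `Image=docker.io/kanidm/server:<pinned-version>` with the value taken from the release you tested. The `passwd` block commits `password_hash` for user `vladan` to the repository, which exposes the hash to offline guessing if the repo is ever shared; since the account already has two `ssh_authorized_keys` and `wheel` membership, the password can be dropped or kept in a secret outside git. The private key `certs/privkey1.pem` is embedded into the rendered Ignition file that main.tf hands to libvirt, so that `.ign` needs the same handling as the key itself, which is worth a comment above the `files:` list. The cert files are written `mode: 0400` owned by root; if the kanidm image runs as a non-root user the `:z` bind mounts will not make them readable, so confirm the container's runtime uid against these modes.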