kanidm initial local setup

Vladan Popovic 2024-02-26 18:40:33 +01:00
parent 2fee9ddf21
commit b97b2c911f
4 changed files with 259 additions and 0 deletions

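--- a/kanidm/app.ini
+++ b/kanidm/app.ini
@@ -0,0 +1,98 @@
+APP_NAME = Hklbgd: Git forge beogradskog haklaba.
+RUN_MODE = prod
+RUN_USER = git
+WORK_PATH = /data/gitea
+[repository]
+ROOT = /data/git/repositories
+[repository.local]
+LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
+[repository.upload]
+TEMP_PATH = /data/gitea/uploads
+[server]
+APP_DATA_PATH = /data/gitea
+DOMAIN = forge.hklbgd.org
+SSH_DOMAIN = forge.hklbgd.org
+HTTP_PORT = 3000
+ROOT_URL = http://forge.hklbgd.org:3000/
+DISABLE_SSH = false
+SSH_PORT = 22
+SSH_LISTEN_PORT = 22
+LFS_START_SERVER = true
+LFS_JWT_SECRET = Uw3LrBKqyOESkHJDcpfP_AM_eLE-WKWTV48inxIfqNk
+OFFLINE_MODE = false
+[database]
+PATH = /data/gitea/gitea.db
+DB_TYPE = sqlite3
+NAME = gitea
+USER = root
+PASSWD =
+LOG_SQL = false
+SCHEMA =
+SSL_MODE = disable
+[indexer]
+ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
+[session]
+PROVIDER_CONFIG = /data/gitea/sessions
+PROVIDER = file
+[picture]
+AVATAR_UPLOAD_PATH = /data/gitea/avatars
+REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
+[attachment]
+PATH = /data/gitea/attachments
+[log]
+MODE = console
+LEVEL = info
+ROOT_PATH = /data/gitea/log
+[security]
+INSTALL_LOCK = true
+SECRET_KEY =
+REVERSE_PROXY_LIMIT = 1
+REVERSE_PROXY_TRUSTED_PROXIES = *
+INTERNAL_TOKEN = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3MDg0NDAwODh9.VO3I2beskQWkE-yU5QC3WWjaVuqH80piJroJxj71-HA
+PASSWORD_HASH_ALGO = pbkdf2_hi
+[service]
+DISABLE_REGISTRATION = true
+REQUIRE_SIGNIN_VIEW = false
+REGISTER_EMAIL_CONFIRM = false
+ENABLE_NOTIFY_MAIL = false
+ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+ENABLE_CAPTCHA = false
+DEFAULT_KEEP_EMAIL_PRIVATE = true
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING = true
+NO_REPLY_ADDRESS = noreply.localhost
+[lfs]
+PATH = /data/git/lfs
+[mailer]
+ENABLED = false
+[openid]
+ENABLE_OPENID_SIGNIN = true
+ENABLE_OPENID_SIGNUP = true
+WHITELISTED_URIS = id.hklbgd.org
+[cron.update_checker]
+ENABLED = false
+[repository.pull-request]
+DEFAULT_MERGE_STYLE = squash
+[repository.signing]
+DEFAULT_TRUST_MODEL = committer
+[oauth2]
+JWT_SECRET = 9Xl_coahn4U31L78IxKSZk7k6z_r2uQlQ_DVDlNsKyM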
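Review bot: Three live secrets are committed in this file — `LFS_JWT_SECRET` under `[server]`, `INTERNAL_TOKEN` under `[security]` and `JWT_SECRET` under `[oauth2]` — so they must be treated as compromised and regenerated on the host, and kept out of the repository from now on (leave the keys empty so Gitea generates them, or inject them at deploy time); `SECRET_KEY =` is meanwhile empty with `INSTALL_LOCK = true`, which should be confirmed against the Gitea version in use, since the global secret is what the instance needs to survive restarts with consistent encrypted values. `REVERSE_PROXY_TRUSTED_PROXIES = *` together with `REVERSE_PROXY_LIMIT = 1` makes Gitea accept `X-Forwarded-For` from any peer, yet `ROOT_URL = http://forge.hklbgd.org:3000/` suggests clients reach port 3000 directly, so any client can spoof its source address in logs and IP-based checks; restrict it to the real proxy, e.g. `REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.0/8,::1/128`, or set `REVERSE_PROXY_LIMIT = 0` if there is no proxy. With `ENABLE_OPENID_SIGNIN = true` the OpenID callback and the session cookie travel over plain HTTP under that `ROOT_URL`; terminate TLS in front and use `ROOT_URL = https://forge.hklbgd.org/`. `WHITELISTED_URIS = id.hklbgd.org` also does not match the `kanidm.hklbgd.org` name used by the other files in this commit — presumably an alias, but worth confirming so sign-in is not silently rejected.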

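--- a/kanidm/main.tf
+++ b/kanidm/main.tf
@@ -0,0 +1,67 @@
+terraform {
+required_providers {
+libvirt = {
+source = "dmacvicar/libvirt"
+version = "0.7.6"
+}
+}
+}
+provider "libvirt" {
+uri = "qemu:///system"
+}
+resource "libvirt_volume" "fcos" {
+name = "fcos"
+pool = "default"
+source = "fedora-coreos-39.20240128.3.0-qemu.x86_64.qcow2"
+format = "qcow2"
+}
+resource "libvirt_volume" "kanidm" {
+name = "kanidm-rootfs.qcow2"
+base_volume_id = libvirt_volume.fcos.id
+}
+resource "libvirt_volume" "data" {
+name = "kanidm-data.qcow2"
+pool = "default"
+size = 3221225472
+format = "qcow2"
+lifecycle {
+prevent_destroy = true
+}
+}
+resource "libvirt_ignition" "kanidm" {
+name = "kanidm-service.ign"
+content = "service.ign"
+}
+resource "libvirt_domain" "kanidm" {
+name = "kanidm"
+autostart = true
+memory = "2048"
+vcpu = 2
+coreos_ignition = libvirt_ignition.kanidm.id
+disk {
+volume_id = "${libvirt_volume.kanidm.id}"
+}
+disk {
+volume_id = "${libvirt_volume.data.id}"
+}
+network_interface {
+network_name = "default"
+hostname = "kanidm.hklbgd.org"
+addresses = ["192.168.122.110"]
+mac = "56:FA:7E:C9:6A:E9"
+wait_for_lease = true
+}
+console {
+type = "pty"
+target_port = "0"
+target_type = "virtio"
+source_path = "/dev/pts/25"
+}
+}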
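Review bot: `libvirt_ignition.kanidm` reads `service.ign`, and given the `local:` file entries in service.bu that rendered config will embed the TLS private key and a password hash; as far as I recall the provider uploads it as a volume in the `default` storage pool, so the key's confidentiality then rests on the pool directory's permissions and on anyone who can read libvirt images — keep `service.ign` out of version control (`.gitignore` it) and check the mode of the uploaded volume on the host. The `fcos` base volume is taken from a bare local file name with no integrity check; verify the qcow2 against Fedora's signed CHECKSUM file before `terraform apply`, since every guest built here inherits from it. `source_path = "/dev/pts/25"` in the `console` block pins a host-specific pty that is unlikely to exist on the next run or another host; drop `source_path` and let libvirt allocate the pty. `prevent_destroy = true` on the data volume and the pinned provider `version = "0.7.6"` are good.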

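--- a/kanidm/server.toml
+++ b/kanidm/server.toml
@@ -0,0 +1,18 @@
+bindaddress = "[::]:8443"
+ldapbindaddress = "[::]:3636"
+trust_x_forward_for = false
+db_path = "/data/kanidm.db"
+db_arc_size = 1024
+tls_chain = "/data/certs/fullchain1.pem"
+tls_key = "/data/certs/privkey1.pem"
+log_level = "debug"
+domain = "kanidm.hklbgd.org" # !!! don't modify !!!
+origin = "https://kanidm.hklbgd.org" # webauthn origin
+#
+[online_backup]
+path = "/data/kanidm/backups/"
+schedule = "00 04 * * *"
+versions = 3 # number of backups to keep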
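Review bot: `log_level = "debug"` is the wrong default for an identity provider that exposes HTTPS and LDAPS to the network; debug output is verbose and may carry request detail you do not want sitting in the journal of a long-running IdP, so ship with `log_level = "info"` and raise it only while troubleshooting. The `[online_backup]` target `/data/kanidm/backups/` lives on the same `/data` volume as `db_path`, so the nightly dumps — which contain the whole identity database, credential material included — share the permissions and the fate of the live DB; confirm the directory is not readable beyond the service user and copy the dumps off-host if the data volume is the only copy. `trust_x_forward_for = false` is correct here because service.bu publishes 8443 straight from the container; keep it false unless a reverse proxy is inserted in front. The `# !!! don't modify !!!` warning on `domain` is justified (changing it invalidates WebAuthn credentials) — consider stating that reason in the comment.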

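--- a/kanidm/service.bu
+++ b/kanidm/service.bu
@@ -0,0 +1,76 @@
+variant: fcos
+version: 1.5.0
+passwd:
+users:
+- name: vladan
+ssh_authorized_keys:
+- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFtUc2UvKFGSSlP3RRXUIToDYh8a8pg5DqDkJS+nBTG vladan@jenga
+- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHEY82J6Za3qkt7N6hZIOMEBeUna1dmsQjFZm3rIQzzz vladan@proxmox-coreos
+password_hash: "$y$j9T$kBtBBkINmXh6lxmBqCJkr1$bA1fjZ5pC4CUr6VUnRe2FAWrW5tb6lfX/7.38axa5S3"
+groups:
+- wheel
+shell: /bin/bash
+storage:
+disks:
+- device: /dev/vdb
+wipe_table: false
+partitions:
+- number: 1
+label: kanidm
+start_mib: 0
+size_mib: 10000
+filesystems:
+- path: /var/lib/kanidm
+device: /dev/disk/by-partlabel/kanidm
+format: xfs
+label: data
+with_mount_unit: true
+wipe_filesystem: false
+files:
+- path: /etc/hostname
+mode: 0644
+contents:
+inline: kanidm.hklbgd.org
+- path: /etc/kanidm/server.toml
+contents:
+local: server.toml
+mode: 0400
+- path: /etc/kanidm/certs/cert1.pem
+contents:
+local: certs/cert1.pem
+mode: 0400
+- path: /etc/kanidm/certs/chain1.pem
+contents:
+local: certs/chain1.pem
+mode: 0400
+- path: /etc/kanidm/certs/fullchain1.pem
+contents:
+local: certs/fullchain1.pem
+mode: 0400
+- path: /etc/kanidm/certs/privkey1.pem
+contents:
+local: certs/privkey1.pem
+mode: 0400
+- path: /etc/containers/systemd/kanidm.container
+contents:
+inline: |
+[Unit]
+Description=Kanidm - a modern and simple identity management platform written in rust.
+After=network-online.target
+Wants=network-online.target
+[Service]
+TimeoutStartSec=60
+[Container]
+ContainerName=kanidm
+Image=docker.io/kanidm/server:latest
+Volume=/var/lib/kanidm:/data:z
+Volume=/etc/kanidm/server.toml:/data/server.toml:z
+Volume=/etc/kanidm/certs:/data/certs:z
+PublishPort=8443:8443
+PublishPort=3636:3636
+[Install]
+# Start by default on boot
+WantedBy=multi-user.target default.target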
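Review bot: `Image=docker.io/kanidm/server:latest` in the Quadlet unit pulls whatever the tag points at on each fresh start, so the identity provider's code is not pinned and a tag move or registry compromise lands straight in production; pin a release tag and, preferably, a digest — `Image=docker.io/kanidm/server:<release-tag>@sha256:<digest>` — and bump it deliberately. `password_hash` for the `wheel` user is committed next to two SSH keys, which hands anyone who can read this repository a hash to crack offline; since key login is already configured, drop `password_hash` or keep it only for console recovery and out of git. The data partition declares `size_mib: 10000` on `/dev/vdb`, while main.tf in this commit sizes that volume at `3221225472` bytes (3 GiB), so Ignition presumably cannot create a 10000 MiB partition on first boot — align the two, e.g. `size_mib: 0` to take the rest of the disk. The certificates are baked in at provisioning time with no renewal path visible here (the `cert1.pem`/`privkey1.pem` naming suggests certbot output), so plan how they get rotated on the running VM before they expire.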