diff --git a/intern/docker_homeassistant/templates/config/configuration.yaml b/intern/docker_homeassistant/templates/config/configuration.yaml index bf459fcb5ff089da20f3613b222587bfbbff21eb..d71e31e94b2fb189493c2b68e782b357d4566efc 100644 --- a/intern/docker_homeassistant/templates/config/configuration.yaml +++ b/intern/docker_homeassistant/templates/config/configuration.yaml @@ -801,12 +801,6 @@ automation ansible: triggers: [] conditions: [] actions: - - action: light.turn_on - metadata: {} - data: - brightness_pct: 50 - target: - device_id: c4f8f83fb287ba7b1d66b674a1564c75 - delay: hours: 0 minutes: 3 diff --git a/webserver/docker_gitlab/Documentation.md b/webserver/docker_gitlab/Documentation.md new file mode 100644 index 0000000000000000000000000000000000000000..934f4109e8a2268067bad32db305022844457abc --- /dev/null +++ b/webserver/docker_gitlab/Documentation.md @@ -0,0 +1,14 @@ + +# Gitlab Access with uffd as Access Provider + +Redirect URL: https://gitlab.warpzone.ms/users/auth/openid_connect/callback + +## Browsing without login + +https://gitlab.warpzone.ms/explore + +## Features not supported in Community edition + +- Set Admin Flag +- Manage Groups + diff --git a/webserver/docker_gitlab/tasks/main.yml b/webserver/docker_gitlab/tasks/main.yml index 36dbab8ee61499229f7655c0705cd10408984979..3a9085f3e6f30008996ec0258e5c12ca0855af69 100644 --- a/webserver/docker_gitlab/tasks/main.yml +++ b/webserver/docker_gitlab/tasks/main.yml @@ -2,9 +2,9 @@ - include_tasks: ../functions/get_secret.yml with_items: - - { path: /srv/shared/noreply_email_pass, length: -1 } - - { path: /srv/ldap/secret/ldap_readonly_pass, length: -1 } - - { path: /srv/gitlab/runner_registration_token, length: -1 } + - { path: /srv/shared/noreply_email_pass, length: -1 } + - { path: /srv/gitlab/secret/oidc_client_secret, length: 32 } + - { path: /srv/gitlab/secret/runner_registration_token, length: -1 } # Benötigte Verzeichnisstrukturen erstellen 
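Review bot: The runner registration token path in the `get_secret` loop changes from `/srv/gitlab/runner_registration_token` to `/srv/gitlab/secret/runner_registration_token` while keeping `length: -1`, and nothing in this commit moves the existing file. If `length: -1` means "read an existing secret, never generate" (as it appears to for the shared `noreply_email_pass`), the next deploy fails or renders an empty token until the file is relocated by hand; a one-line migration note in Documentation.md, or a task that moves it, would avoid that. The generated `oidc_client_secret` (`length: 32`) also has to be entered in uffd's `gitlab` client entry, but the new Documentation.md only records the redirect URL; adding `Client-ID: gitlab, Secret: contents of /srv/gitlab/secret/oidc_client_secret` there would match what the Matrix documentation does for its client. Dropping `ldap_readonly_pass` here is consistent with the LDAP block being disabled in gitlab.rb.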
diff --git a/webserver/docker_gitlab/templates/conf/gitlab.rb b/webserver/docker_gitlab/templates/conf/gitlab.rb index 055b7bfa47ef13447d05bde65df6169680d38a19..2de54aa14d76ff112a505a402fe3acb58ac711dd 100644 --- a/webserver/docker_gitlab/templates/conf/gitlab.rb +++ b/webserver/docker_gitlab/templates/conf/gitlab.rb @@ -455,7 +455,7 @@ gitlab_rails['object_store']['objects']['pages']['bucket'] = nil # gitlab_rails['ldap_enabled'] = false # gitlab_rails['prevent_ldap_sign_in'] = false -gitlab_rails['ldap_enabled'] = true +# gitlab_rails['ldap_enabled'] = true ###! **remember to close this block with 'EOS' below** @@ -503,24 +503,24 @@ gitlab_rails['ldap_enabled'] = true # sync_ssh_keys: false # EOS -gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' - main: - label: 'LDAP' - host: '{{ ldap_ip_ext }}' - port: 389 - uid: 'uid' - method: 'plain' - bind_dn: '{{ ldap_readonly_bind_dn }}' - password: '{{ ldap_readonly_pass }}' - base: '{{ ldap_base_dn }}' - user_filter: '(&(objectClass=inetOrgPerson)(memberof=CN=active,OU=groups,DC=warpzone,DC=ms))' - attributes: - username: ['uid', 'cn'] - email: ['mail', 'email'] - name: 'cn' - first_name: 'givenName' - last_name: 'sn' -EOS +# gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' +# main: +# label: 'LDAP' +# host: '{{ ldap_ip_ext }}' +# port: 389 +# uid: 'uid' +# method: 'plain' +# bind_dn: '{{ ldap_readonly_bind_dn }}' +# password: '{ { ldap_readonly_pass } }' +# base: '{{ ldap_base_dn }}' +# user_filter: '(&(objectClass=inetOrgPerson)(memberof=CN=active,OU=groups,DC=warpzone,DC=ms))' +# attributes: +# username: ['uid', 'cn'] +# email: ['mail', 'email'] +# name: 'cn' +# first_name: 'givenName' +# last_name: 'sn' +# EOS ### Smartcard authentication settings 
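Review bot: Commenting out `gitlab_rails['ldap_enabled']` leaves every account that was created through LDAP without a sign-in path of its own, because users provisioned via LDAP normally never set a GitLab password; they can only return via the OpenID Connect auto-link configured further down, which matches on e-mail, so uffd must present the same address the old `mail` attribute did — worth a sentence in Documentation.md before the rollout. Breaking the secret placeholder into `{ { ldap_readonly_pass } }` so it does not render into a comment is a good call, but the remaining placeholders (`{{ ldap_ip_ext }}`, `{{ ldap_readonly_bind_dn }}`, `{{ ldap_base_dn }}`) still have to resolve at template time for a block that is now dead configuration. Deleting the block, or reducing it to `# LDAP disabled; authentication is via omniauth_providers below`, removes that dependency and the stale `memberof=CN=active` filter.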
@@ -555,6 +555,45 @@ EOS # } # ] + +gitlab_rails['omniauth_enabled'] = true +gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect'] +gitlab_rails['omniauth_auto_link_user'] = ["openid_connect"] +gitlab_rails['omniauth_auto_link_ldap_user'] = true +gitlab_rails['omniauth_auto_link_saml_user'] = true +gitlab_rails['omniauth_block_auto_created_users'] = false +gitlab_rails['omniauth_sync_profile_from_provider'] = ['openid_connect'] +gitlab_rails['omniauth_sync_profile_attributes'] = ['name', 'email'] +gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'openid_connect' + +gitlab_rails['omniauth_providers'] = [ + { + name: "openid_connect", + label: "uffd", + args: { + name: "openid_connect", + scope: ["openid", "profile", "email", "groups"], + response_type: "code", + issuer: "{{ oidc_global.provider_url }}", + discovery: true, + uid_field: "preferred_username", + gitlab_username_claim: "name", + send_scope_to_token_endpoint: "true", + client_options: { + identifier: "gitlab", + secret: "{{ oidc_client_secret }}", + redirect_uri: "https://{{ domain }}/users/auth/openid_connect/callback", + gitlab: { + groups_attribute: "groups", + required_groups: ["gitlab_access"], + admin_groups: ["gitlab_admin"] + } + } + } + } +] + + ### Backup Settings ###! Docs: https://docs.gitlab.com/omnibus/settings/backups.html @@ -757,6 +796,9 @@ registry_external_url 'https://{{ domain_registry }}' # gitlab_rails['registry_port'] = "5005" # gitlab_rails['registry_path'] = "/var/opt/gitlab/gitlab-rails/shared/registry" gitlab_rails['registry_enabled'] = true +#gitlab_rails['registry_host'] = "{{ domain_registry }}" +#gitlab_rails['registry_port'] = "" +#gitlab_rails['registry_path'] = "/var/opt/gitlab/gitlab-rails/shared/registry" # Notification secret, it's used to authenticate notification requests to GitLab application # You only need to change this when you use external Registry service, otherwise 
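Review bot: `omniauth_block_auto_created_users = false` together with `omniauth_allow_single_sign_on = ['openid_connect']` means whoever uffd authenticates gets an unblocked GitLab account, so the only gate is `required_groups: ["gitlab_access"]` under `client_options.gitlab` — and the Documentation.md added in this same commit says group management and the admin flag are not supported in the Community Edition, which would make both `required_groups` and `admin_groups` silent no-ops. Please verify with a uffd user outside `gitlab_access` that sign-in is actually refused; if it is not, the gate belongs in uffd's service definition (`required_group`, as used for the other services in uffd.cfg) and `admin_groups` should be removed as misleading. `omniauth_auto_link_user = ["openid_connect"]` links by e-mail, which is safe only if uffd guarantees verified, unique addresses; `omniauth_auto_link_ldap_user` and `omniauth_auto_link_saml_user` have no provider left to act on and should go. With `omniauth_auto_sign_in_with_provider` set, the local sign-in form is only reachable via `/users/sign_in?auto_sign_in=false`; document that as the break-glass path for the root account when uffd is down.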
@@ -765,12 +807,15 @@ gitlab_rails['registry_enabled'] = true ###! **Do not change the following 3 settings unless you know what you are ###! doing** -# gitlab_rails['registry_api_url'] = "http://localhost:5000" +gitlab_rails['registry_api_url'] = "http://localhost:5000" # gitlab_rails['registry_key_path'] = "/var/opt/gitlab/gitlab-rails/certificate.key" # gitlab_rails['registry_issuer'] = "omnibus-gitlab-issuer" ### Settings used by Registry application registry['enable'] = true +registry['registry_http_addr'] = "0.0.0.0:5000" +# registry['log_directory'] = "/var/log/gitlab/registry" + # registry['username'] = "registry" # registry['group'] = "registry" # registry['uid'] = nil @@ -807,6 +852,19 @@ registry['enable'] = true # } # } +# registry['storage'] = { +# 'filesystem' => { +# 'rootdirectory' => "/var/opt/gitlab/gitlab-rails/shared/registry" +# }, +# 'delete' => { +# 'enabled' => true +# }, +# 'cache' => { +# 'blobdescriptor' => 'inmemory' +# } +# } + + ### Registry notifications endpoints # registry['notifications'] = [ # { @@ -1300,6 +1358,10 @@ registry['enable'] = true # nginx['redirect_http_to_https'] = false # nginx['redirect_http_to_https_port'] = 80 +# Increase maximal header size, needed for registry to work +nginx['client_max_body_size'] = "500m" +nginx['large_client_header_buffers'] = "8 32k" + ##! Most root CA's are included by default # nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt" @@ -1755,6 +1817,7 @@ registry_nginx['enable'] = true registry_nginx['listen_port'] = 5005 registry_nginx['listen_https'] = false +registry_nginx['proxy_pass'] = "http://localhost:5000" registry_nginx['proxy_set_headers'] = { "Host" => "$http_host", 
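Review bot: `registry['registry_http_addr'] = "0.0.0.0:5000"` opens the registry's plain-HTTP backend to every container that shares a network with this one, while both consumers touched in this diff — `gitlab_rails['registry_api_url']` and `registry_nginx['proxy_pass']` — still point at `http://localhost:5000`. Nothing visible needs the wider bind (the Traefik route in docker-compose.yml targets port 5005, the `registry_nginx` listener), so `registry['registry_http_addr'] = "127.0.0.1:5000"` keeps the same functionality without exposing the backend that `registry_nginx` is supposed to front. If a direct binding is in fact required (for example 5000 is published somewhere outside this diff), a comment saying why belongs on this line.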
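Review bot: The comment `# Increase maximal header size, needed for registry to work` above `nginx['client_max_body_size'] = "500m"` describes only the second of the two settings; `client_max_body_size` caps request bodies (image layer pushes) and has nothing to do with header size. Suggest `# Registry: allow large layer uploads (body limit) and long Authorization headers (header buffers)` so a later reader does not lower the body limit thinking it is a header tweak. The same wording is repeated for `registry_nginx` in a later hunk.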
@@ -1764,6 +1827,20 @@ registry_nginx['proxy_set_headers'] = { "X-Forwarded-Ssl" => "on" } +# Increase maximal header size, needed for registry to work +registry_nginx['client_max_body_size'] = "500m" +registry_nginx['large_client_header_buffers'] = "8 32k" + +# Konfiguriere zusätzliche Nginx-Parameter für Registry +registry_nginx['custom_gitlab_server_config'] = " + client_header_buffer_size 64k; + proxy_buffer_size 64k; + proxy_buffers 8 64k; + proxy_busy_buffers_size 64k; + proxy_connect_timeout 300s; + proxy_read_timeout 300s; +" + ################################################################################ ## Prometheus ##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/ diff --git a/webserver/docker_gitlab/templates/docker-compose.yml b/webserver/docker_gitlab/templates/docker-compose.yml index fe57d498fa6e5c128150b5c8f16abd3759329d2f..4d514d3f6d1f537159c18e4016c666a61a279bf3 100644 --- a/webserver/docker_gitlab/templates/docker-compose.yml +++ b/webserver/docker_gitlab/templates/docker-compose.yml @@ -2,7 +2,8 @@ services: app: - image: gitlab/gitlab-ce:latest + # Version pinned due to upgrade problems with 17.9.x + image: gitlab/gitlab-ce:17.8.6-ce.0 restart: always ports: - "444:22" @@ -24,6 +25,8 @@ services: - traefik.http.routers.{{ servicename }}_registry.entrypoints=websecure - traefik.http.routers.{{ servicename }}_registry.service={{ servicename }}_registry - traefik.http.services.{{ servicename }}_registry.loadbalancer.server.port=5005 + - traefik.http.middlewares.registry-headers.headers.customRequestHeaders.Host={{ domain_registry }} + - traefik.http.routers.{{ servicename }}_registry.middlewares=registry-headers networks: - default - web diff --git a/webserver/docker_matrix/Documentation.md b/webserver/docker_matrix/Documentation.md new file mode 100644 index 0000000000000000000000000000000000000000..7d3f1f8cb7c9d33278df98fb19340b302d8c7de8 --- /dev/null +++ b/webserver/docker_matrix/Documentation.md 
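Review bot: Pinning `gitlab/gitlab-ce:17.8.6-ce.0` freezes the instance on one patch release of a line that `:latest` previously tracked, so GitLab security patch releases stop arriving automatically; the comment records why 17.9.x was avoided but not who bumps the pin or when. Suggest pinning to the newest 17.8.x patch available at deploy time and extending the comment to `# Pinned due to upgrade problems with 17.9.x — re-check on every GitLab security release (owner: …)`, or moving the tag into a role variable so it shows up wherever advisories are reviewed. Whether any automatic updater in this stack would honour a pinned tag is not visible in this diff.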
@@ -0,0 +1,25 @@ + +# Warpzone Matrix Server + +Der Server ist von extern über Port 443 und 8008 erreichbar. + +Neue Bentzer werden austomatisch in die folgenden Räume gejoint: + - #warpzone:matrix.warpzone.ms + - #warpzone-matrixonly:matrix.warpzone.ms + +# Anmeldung + +Die Anmeldung erfolget über uffd. +Hierbei wird die Anmeldung über Openid und Benutzername/Passwort unterstützt. + +Für die Anmeldung über Benutzername/Passwort läuft in einem zusätzlichen Container der Dienst uffd-ldapd + +## Uffd Konfiguration: + +- Client-ID: matrix +- Redirect-URIs: https://matrix.warpzone.ms/_synapse/client/oidc/callback + +# Uffd API Client für uffd-ldapd + +- Name: matrix-ldapd +- Berechtigungen: users, checkpassword, mail_aliases diff --git a/webserver/docker_matrix/tasks/main.yml b/webserver/docker_matrix/tasks/main.yml index fd773fcefb820eeba76902b159b3c07fbff08b63..6b03f32e3a5484b424d5c345927aa76f12cce314 100644 --- a/webserver/docker_matrix/tasks/main.yml +++ b/webserver/docker_matrix/tasks/main.yml 
@@ -2,10 +2,16 @@ - include_tasks: ../functions/get_secret.yml with_items: - - { path: /srv/shared/noreply_email_pass, length: -1 } - - { path: /srv/ldap/secret/ldap_readonly_pass, length: -1 } - - { path: "{{ basedir }}/postgres_user_pass", length: 24 } - - { path: "{{ basedir }}/admin_access_token", length: -1 } # Get in Element fo an Admin User: Settings > Help > Advanced + - { path: "/srv/shared/noreply_email_pass", length: -1 } + - { path: "/srv/ldap/secret/ldap_readonly_pass", length: -1 } + - { path: "{{ basedir }}/postgres_user_pass", length: 24 } + - { path: "{{ basedir }}/uffd_api_secret", length: 32 } + - { path: "{{ basedir }}/ldapd_bind_pw", length: 32 } + - { path: "{{ basedir }}/matrix_macaroon_secret_key", length: 32 } + - { path: "{{ basedir }}/matrix_registration_shared_secret", length: 32 } + - { path: "{{ basedir }}/matrix_form_secret", length: 32 } + - { path: "{{ basedir }}/matrix_oidc_secret", length: 32 } + - { path: "{{ basedir }}/admin_access_token", length: -1 } # Get in Element fo an Admin User: Settings > Help > Advanced - name: create folder struct for matrix @@ -16,9 +22,8 @@ group: www-data with_items: - "{{ basedir }}/" - - "{{ basedir }}/ma1sd-config/" - - "{{ basedir }}/ma1sd-data/" - "{{ basedir }}/synapse-data/" + - "{{ basedir }}/uffd-ldapd/" - name: create folder struct for matrix db @@ -37,10 +42,9 @@ dest: "{{ basedir }}/{{ item }}" with_items: - docker-compose.yml - - rest_auth_provider.py - - ma1sd-config/ma1sd.yaml - synapse-data/homeserver.log.config - synapse-data/homeserver.yaml + - uffd-ldapd/Dockerfile register: configs diff --git a/webserver/docker_matrix/templates/docker-compose.yml b/webserver/docker_matrix/templates/docker-compose.yml index a9e6f7fdb95c6309d827d61e63dfe57cbac6ee49..717bb557e5cc62fcb23b312fd235c4ea8d17f4e0 100644 --- a/webserver/docker_matrix/templates/docker-compose.yml +++ b/webserver/docker_matrix/templates/docker-compose.yml 
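Review bot: `/srv/ldap/secret/ldap_readonly_pass` is still fetched in the `get_secret` loop, but after this commit nothing visible in the Matrix role consumes `ldap_readonly_pass` — the ma1sd config that used it is deleted and the Synapse LDAP module configuration carries no bind DN — so the role keeps a dependency on the LDAP secret for no reason; drop the line, as the GitLab role does in the same commit. The new secrets are generated under `{{ basedir }}`, which the folder task below assigns to group `www-data`; if `get_secret` does not set a restrictive mode on the files it creates, `uffd_api_secret`, `ldapd_bind_pw` and `matrix_registration_shared_secret` (which permits admin-user creation) become readable by the web server user, so confirm the mode or add `mode: "0600"` where they are written. `uffd_api_secret` is generated locally with `length: 32` but has to be registered on the uffd side as the `matrix-ldapd` API client; Documentation.md names that client, so mention there that the value lives in `{{ basedir }}/uffd_api_secret`.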
@@ -14,7 +14,7 @@ services: image: postgres:16 restart: always volumes: - - {{ basedir }}/db:/var/lib/postgresql/data + - "{{ basedir }}/db:/var/lib/postgresql/data" environment: POSTGRES_DB: synapse POSTGRES_USER: synapse @@ -23,6 +23,21 @@ services: networks: - default + + ldap: + + build: uffd-ldapd/ + restart: always + environment: + SERVER_API_URL: "{{ oidc_global.provider_url }}" + SERVER_API_USER: "matrix-ldapd" + SERVER_API_SECRET: "{{ uffd_api_secret }}" + SERVER_BASE_DN: "{{ oidc_global.ldap_base_dn }}" + SERVER_BIND_PASSWORD: "{{ ldapd_bind_pw }}" + networks: + - default + + synapse: image: matrixdotorg/synapse:latest @@ -31,11 +46,9 @@ services: cpuset: "0" depends_on: - db - - ma1sd + - ldap volumes: - - {{ basedir }}/synapse-data/:/data - # Python version can be found in the dockerfile: https://github.com/matrix-org/synapse/blob/develop/docker/Dockerfile check for tag to get the correct version - - {{ basedir }}/rest_auth_provider.py:/usr/local/lib/python3.12/site-packages/rest_auth_provider.py + - "{{ basedir }}/synapse-data/:/data" environment: SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml" TZ: "Europe/Berlin" @@ -53,23 +66,6 @@ services: - default - web - ma1sd: - - image: ma1uta/ma1sd:2.5.0 - restart: always - volumes: - - {{ basedir }}/ma1sd-config/:/etc/ma1sd - - {{ basedir }}/ma1sd-data/:/var/ma1sd - labels: - - com.centurylinklabs.watchtower.enable=false - - traefik.enable=true - - traefik.http.routers.{{ servicename }}-ma1sd.rule=((Host(`{{ domain }}`) && PathPrefix(`/_matrix/client/r0/login`)) || (Host(`{{ domain }}`) && PathPrefix(`/_matrix/identity`))) - - traefik.http.routers.{{ servicename }}-ma1sd.entrypoints=websecure - - traefik.http.services.{{ servicename }}-ma1sd.loadbalancer.server.port=8090 - networks: - - default - - web - purgemediacache: 
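Review bot: The new `ldap` service serves LDAP in cleartext (the Dockerfile starts uffd-ldapd on `0.0.0.0:389`) and Synapse is configured with `start_tls: false`, so every password verified through this path crosses the Docker bridge unencrypted; that is tolerable only while `default` is a private bridge holding just this stack, which should be stated in Documentation.md next to the uffd-ldapd paragraph. `SERVER_API_SECRET` and `SERVER_BIND_PASSWORD` are passed as plain `environment` values, which `docker inspect` exposes to every member of the docker group; an `env_file` with mode 0600 (or compose `secrets`) keeps them off the inspect output. `depends_on: - ldap` only orders container start, so with no `healthcheck` on `ldap` Synapse may come up before uffd-ldapd accepts connections and the first password logins fail; a TCP-level `healthcheck` on 389 plus `condition: service_healthy` closes that gap. `build: uffd-ldapd/` also means the image is rebuilt only when someone runs a build, so note how Debian security updates are expected to reach it.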
@@ -78,7 +74,7 @@ services: depends_on: - synapse volumes: - - {{ basedir }}/purgemediacache.sh:/curl.sh + - "{{ basedir }}/purgemediacache.sh:/curl.sh" environment: CRON_SCHEDULE: "0 7 * * *" networks: diff --git a/webserver/docker_matrix/templates/ma1sd-config/ma1sd.yaml b/webserver/docker_matrix/templates/ma1sd-config/ma1sd.yaml deleted file mode 100644 index dd8b2422e75ea3deb49a769f8b038b0f9c44539b..0000000000000000000000000000000000000000 --- a/webserver/docker_matrix/templates/ma1sd-config/ma1sd.yaml +++ /dev/null 
@@ -1,231 +0,0 @@ - -####################### -# Matrix config items # -####################### -# Matrix domain, same as the domain configure in your Homeserver configuration. -# NOTE: in Synapse Homeserver, the Matrix domain is defined as 'server_name' in configuration file. -# -# This is used to build the various identifiers in all the features. -# -# If the hostname of the public URL used to reach your Matrix services is different from your Matrix domain, -# per example matrix.domain.tld vs domain.tld, then use the server.name configuration option. -# See the "Configure" section of the Getting Started guide for more info. -# -matrix: - domain: 'matrix.warpzone.ms' - v1: true # deprecated - v2: true # MSC2140 API v2. Riot require enabled V2 API. - - -################ -# Signing keys # -################ -# Absolute path for the Identity Server signing keys database. -# /!\ THIS MUST **NOT** BE YOUR HOMESERVER KEYS FILE /!\ -# If this path does not exist, it will be auto-generated. -# -# During testing, /var/tmp/ma1sd/keys is a possible value -# For production, recommended location shall be one of the following: -# - /var/lib/ma1sd/keys -# - /var/opt/ma1sd/keys -# - /var/local/ma1sd/keys -# -key: - path: '/var/ma1sd/keys' - - -# Path to the SQLite DB file for ma1sd internal storage -# /!\ THIS MUST **NOT** BE YOUR HOMESERVER DATABASE /!\ -# -# Examples: -# - /var/opt/ma1sd/store.db -# - /var/local/ma1sd/store.db -# - /var/lib/ma1sd/store.db -# -storage: -# backend: sqlite # or postgresql - provider: - sqlite: - database: '/var/ma1sd/store.db' -# postgresql: -# # Wrap all string values with quotes to avoid yaml parsing mistakes -# database: '//localhost/ma1sd' # or full variant //192.168.1.100:5432/ma1sd_database -# username: 'ma1sd_user' -# password: 'ma1sd_password' -# -# # Pool configuration for postgresql backend. 
-# ####### -# # Enable or disable pooling -# pool: false -# -# ####### -# # Check database connection before get from pool -# testBeforeGetFromPool: false # or true -# -# ####### -# # There is an internal thread which checks each of the database connections as a keep-alive mechanism. This set the -# # number of milliseconds it sleeps between checks -- default is 30000. To disable the checking thread, set this to -# # 0 before you start using the connection source. -# checkConnectionsEveryMillis: 30000 -# -# ####### -# # Set the number of connections that can be unused in the available list. -# maxConnectionsFree: 5 -# -# ####### -# # Set the number of milliseconds that a connection can stay open before being closed. Set to 9223372036854775807 to have -# # the connections never expire. -# maxConnectionAgeMillis: 3600000 - -################### -# Identity Stores # -################### -# If you are using synapse standalone and do not have an Identity store, -# see https://github.com/ma1uta/ma1sd/blob/master/docs/stores/synapse.md#synapse-identity-store -# -# If you would like to integrate with your AD/Samba/LDAP server, -# see https://github.com/ma1uta/ma1sd/blob/master/docs/stores/ldap.md -# -# For any other Identity store, or to simply discover them, -# see https://github.com/ma1uta/ma1sd/blob/master/docs/stores/README.md - -ldap: - enabled: true - connection: - host: '{{ ldap_ip_ext }}' - port: 389 - bindDn: '{{ ldap_readonly_bind_dn }}' - bindPassword: '{{ ldap_readonly_pass }}' - baseDNs: - - '{{ ldap_base_dn }}' - filter: '(&(objectClass=inetOrgPerson)(memberof=CN=active,OU=groups,DC=warpzone,DC=ms))' - attribute: - uid: - type: 'uid' - value: 'uid' - name: 'uid' - threepid: - email: - - 'mail' - msisdn: - - 'phone' - -################################################# -# Notifications for invites/addition to profile # -################################################# -# This is mandatory to deal with anything e-mail related. 
-# -# For an introduction to sessions, invites and 3PIDs in general, -# see https://github.com/ma1uta/ma1sd/blob/master/docs/threepids/session/session.md#3pid-sessions -# -# If you would like to change the content of the notifications, -# see https://github.com/ma1uta/ma1sd/blob/master/docs/threepids/notification/template-generator.md -# -#### E-mail connector -threepid: - medium: - email: - identity: - # The e-mail to send as. - from: "matrix-identity@warpzone.ms" - - connectors: - smtp: - # SMTP host - host: "{{ smtp_host }}" - - # TLS mode for the connection - # Possible values: - # 0 Disable any kind of TLS entirely - # 1 Enable STARTLS if supported by server (default) - # 2 Force STARTLS and fail if not available - # 3 Use full TLS/SSL instead of STARTLS - # - tls: 1 - - # SMTP port - # Be sure to adapt depending on your TLS choice, if changed from default - port: "{{ smtp_port }}" - - # Login for SMTP - login: "{{ noreply_email_user }}" - - # Password for the account - password: "{{ noreply_email_pass }}" - - -#### MSC2134 (hash lookup) - -#hashing: -# enabled: false # enable or disable the hash lookup MSC2140 (default is false) -# pepperLength: 20 # length of the pepper value (default is 20) -# rotationPolicy: per_requests # or `per_seconds` how often the hashes will be updating -# hashStorageType: sql # or `in_memory` where the hashes will be stored -# algorithms: -# - none # the same as v1 bulk lookup -# - sha256 # hash the 3PID and pepper. -# delay: 2m # how often hashes will be updated if rotation policy = per_seconds (default is 10s) -# requests: 10 # how many lookup requests will be performed before updating hashes if rotation policy = per_requests (default is 10) - -### hash lookup for synapseSql provider. -# synapseSql: -# lookup: -# query: 'select user_id as mxid, medium, address from user_threepid_id_server' # query for retrive 3PIDs for hashes. -# legacyRoomNames: false # use the old query to get room names. 
- -### hash lookup for ldap provider (with example of the ldap configuration) -# ldap: -# enabled: true -# lookup: true # hash lookup -# activeDirectory: false -# defaultDomain: '' -# connection: -# host: 'ldap.domain.tld' -# port: 389 -# bindDn: 'cn=admin,dc=domain,dc=tld' -# bindPassword: 'Secret' -# baseDNs: -# - 'dc=domain,dc=tld' -# attribute: -# uid: -# type: 'uid' # or mxid -# value: 'cn' -# name: 'displayName' -# identity: -# filter: '(objectClass=inetOrgPerson)' - -#### MSC2140 (Terms) -#policy: -# policies: -# term_name: # term name -# version: 1.0 # version -# terms: -# en: # lang -# name: term name en # localized name -# url: https://ma1sd.host.tld/term_en.html # localized url -# fe: # lang -# name: term name fr # localized name -# url: https://ma1sd.host.tld/term_fr.html # localized url -# regexp: -# - '/_matrix/identity/v2/account.*' -# - '/_matrix/identity/v2/hash_details' -# - '/_matrix/identity/v2/lookup' -# - -# logging: -# root: error # default level for all loggers (apps and thirdparty libraries) -# app: info # log level only for the ma1sd -# requests: false # or true to dump full requests and responses - -dns: - overwrite: - homeserver: - client: - - name: 'matrix.warpzone.ms' - value: 'http://synapse:8008' - - -session: - policy: - validation: - enabled: false diff --git a/webserver/docker_matrix/templates/synapse-data/homeserver.yaml b/webserver/docker_matrix/templates/synapse-data/homeserver.yaml index 93813866e74f62ffc18298e85b73cf81e0581264..bbe4a09146d776ac76bc8feddea4e6dadb945484 100644 --- a/webserver/docker_matrix/templates/synapse-data/homeserver.yaml +++ b/webserver/docker_matrix/templates/synapse-data/homeserver.yaml 
@@ -5,6 +5,9 @@ use_presence: false allow_public_rooms_without_auth: false allow_public_rooms_over_federation: true forget_rooms_on_leave: true +macaroon_secret_key: "{{ matrix_macaroon_secret_key }}" +registration_shared_secret: "{{ matrix_registration_shared_secret }}" +form_secret: "{{ matrix_form_secret}}" listeners: - port: 8448 
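Review bot: Setting `macaroon_secret_key` to a freshly generated value on a server that already has users invalidates every existing access token if Synapse previously derived the key from the signing key (its behaviour when the option is unset), so all clients are logged out and the `admin_access_token` fetched in tasks/main.yml (presumably what the media-purge job uses) stops working until it is re-issued; plan the rollout accordingly and regenerate that token. `registration_shared_secret` enables shared-secret registration through the admin API regardless of `enable_registration: false` and can create admin accounts, so a comment such as `# allows admin-level user creation via the admin API; treat like the DB password` would make its weight clear. `"{{ matrix_form_secret}}"` is missing the space before `}}`; Jinja accepts it, but it is inconsistent with the two lines above.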
@@ -62,29 +65,67 @@ thumbnail_sizes: url_preview_enabled: true url_preview_ip_range_blacklist: - - '127.0.0.0/8' - - '10.0.0.0/8' - - '172.16.0.0/12' - - '192.168.0.0/16' - - '100.64.0.0/10' - - '192.0.0.0/24' - - '169.254.0.0/16' - - '198.18.0.0/15' - - '192.0.2.0/24' - - '198.51.100.0/24' - - '203.0.113.0/24' - - '224.0.0.0/4' - - '::1/128' - - 'fe80::/10' - - 'fc00::/7' + - '127.0.0.0/8' + - '10.0.0.0/8' + - '172.16.0.0/12' + - '192.168.0.0/16' + - '100.64.0.0/10' + - '192.0.0.0/24' + - '169.254.0.0/16' + - '198.18.0.0/15' + - '192.0.2.0/24' + - '198.51.100.0/24' + - '203.0.113.0/24' + - '224.0.0.0/4' + - '::1/128' + - 'fe80::/10' + - 'fc00::/7' max_spider_size: 10M enable_registration: false -default_identity_server: "{{ matrix.identity_server }}" + +password_config: + enabled: true + +# OIDC Single Sign-On with uffd +oidc_providers: + - idp_id: "uffd" + idp_name: "warpzone SSO (uffd)" + discover: true + enable_registration: true + allow_existing_users: true + user_profile_method: "userinfo_endpoint" + issuer: "{{ oidc_global.provider_url }}" + client_id: "matrix" + client_secret: "{{ matrix_oidc_secret }}" + scopes: + - "openid" + - "profile" + - "email" + user_mapping_provider: + config: + localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}" + display_name_template: "{% raw %}{{ user.name }}{% endraw %}" + email_template: "{% raw %}{{ user.email }}{% endraw %}" + +# Password login with uffd-ldapd +modules: + - module: "ldap_auth_provider.LdapAuthProviderModule" + config: + enabled: true + uri: "ldap://ldap:389" + start_tls: false + base: "ou=users,{{ oidc_global.ldap_base_dn }}" + attributes: + uid: "uid" + mail: "mail" + name: "displayName" + auto_join_rooms: - "#warpzone:{{ matrix.domain }}" + - "#warpzone-matrixonly:{{ matrix.domain }}" report_stats: false 
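Review bot: `allow_existing_users: true` with `localpart_template: "{{ user.preferred_username }}"` attaches an OIDC login to any pre-existing Matrix account whose localpart equals the uffd username, which is the intended migration for accounts created through the old LDAP path but also means that if uffd ever frees a username and lets someone else register it, the new holder inherits the old Matrix account, its rooms and keys; confirm uffd never reuses usernames, or record that as an assumption in Documentation.md. The OIDC block has `enable_registration: true` and no group restriction, so — unlike the GitLab `required_groups` — anyone uffd authenticates gets a Synapse account unless the `matrix` service entry in uffd.cfg carries a `required_group`; that entry is not part of this diff, so please check it. `start_tls: false` on `ldap://ldap:389` sends passwords to uffd-ldapd in cleartext; acceptable on a private compose network, but add `# plaintext on purpose: uffd-ldapd is only reachable on the internal compose network` so nobody later points `uri` at an external host without enabling TLS.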
@@ -104,11 +145,6 @@ email: enable_notifs: true notif_for_new_users: False -password_providers: - - module: "rest_auth_provider.RestAuthProvider" - config: - endpoint: "http://ma1sd:8090" - encryption_enabled_by_default_for_room_type: invite enable_group_creation: false diff --git a/webserver/docker_matrix/templates/uffd-ldapd/Dockerfile b/webserver/docker_matrix/templates/uffd-ldapd/Dockerfile new file mode 100644 index 0000000000000000000000000000000000000000..b68744e0ee530c619c40a93e62a8b4db568f2cfb --- /dev/null +++ b/webserver/docker_matrix/templates/uffd-ldapd/Dockerfile @@ -0,0 +1,24 @@ +FROM debian:bookworm-slim + +# Set environment variables +ENV DEBIAN_FRONTEND=noninteractive + +# Install necessary dependencies and configure custom repository +RUN apt-get update \ + && apt-get install -y --no-install-recommends wget gnupg ca-certificates \ + && wget -O- "https://packages.cccv.de/docs/cccv-archive-key.gpg" | gpg --dearmor -o /etc/apt/trusted.gpg.d/cccv-archive-key.gpg \ + && echo "deb https://packages.cccv.de/uffd bookworm main" > /etc/apt/sources.list.d/custom.list \ + && apt-get update \ + && apt-get install -y --no-install-recommends uffd-ldapd ldap-utils \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* + +USER 999 +EXPOSE 389/tcp + +# Set default command +CMD ["/usr/sbin/uffd-ldapd","--socket-address","0.0.0.0:389"] + +# Get all LDAP Entries +# ldapsearch -x -H ldap://127.0.0.1 -D "cn=service,ou=system,{{ oidc_global.ldap_base_dn }}" -w "{{ ldapd_bind_pw }}" -b "ou=users,{{ oidc_global.ldap_base_dn }}" "(objectClass=*)" + diff --git a/webserver/docker_uffd/templates/uffd.cfg b/webserver/docker_uffd/templates/uffd.cfg index d39d256f73eecf298af87a17f924f98e3507c9ab..2d94678ac18d1f6455910bf66d0f51d58f2b1f2c 100644 --- a/webserver/docker_uffd/templates/uffd.cfg +++ b/webserver/docker_uffd/templates/uffd.cfg 
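Review bot: The trailing `ldapsearch` example renders `{{ ldapd_bind_pw }}` into the Dockerfile, because `uffd-ldapd/Dockerfile` is in the `template` loop in tasks/main.yml, so the bind password sits in clear text inside the build context on disk (and in any copy of the file someone attaches to a ticket); replace the value with a placeholder the way gitlab.rb does for `ldap_readonly_pass`, e.g. `-w "<contents of ldapd_bind_pw>"`, or move the example to Documentation.md. `gpg --dearmor -o /etc/apt/trusted.gpg.d/cccv-archive-key.gpg` trusts the CCCV key for every apt source in the image rather than just theirs; write it to `/usr/share/keyrings/cccv-archive-key.gpg` and reference it with `deb [signed-by=/usr/share/keyrings/cccv-archive-key.gpg] https://packages.cccv.de/uffd bookworm main`, and consider checking the key's fingerprint, since it is fetched at build time with no verification beyond TLS. `USER 999` binding to `0.0.0.0:389` relies on the container runtime allowing unprivileged binds below 1024 (Docker ≥ 20.10 does by default via `ip_unprivileged_port_start`); a comment stating that, or a `--socket-address` above 1024 with the compose side adjusted, avoids a surprise on other runtimes. A `HEALTHCHECK` is also missing, which the Synapse `depends_on` needs in order to wait for readiness rather than mere container start.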
@@ -167,7 +167,6 @@ SERVICES=[ 'required_group': 'nextcloud_access', 'confidential': True }, - { 'title': 'VPN (Administration)', 'description': 'VPN Server für Administratoren', @@ -176,7 +175,6 @@ SERVICES=[ 'required_group': 'vpnserver_access', 'confidential': True }, - { 'title': 'Vaultwarden', 'description': 'Vaultwarden Passwortverwaltung', @@ -187,7 +185,7 @@ SERVICES=[ }, { 'title': 'Warpapi', - 'description': 'API für Services wie SpaceAPI etc.', + 'description': 'API für Services wie SpaceAPI etc.', 'url': 'https://api.{{ global_domains.warpzonems.domain }}', 'logo_url': 'https://gitlab.warpzone.ms/presse/media/-/raw/master/Logo/WZ_Blume_3c.svg' },