diff --git a/testserver/docker_vpnserver/Documentation.md b/testserver/docker_vpnserver/Documentation.md
index c1c789427af0d7e45b944e2b669c6aa62eb15eb1..b47eec0b29d814a6ceed1d4f893e05244354016f 100644
--- a/testserver/docker_vpnserver/Documentation.md
+++ b/testserver/docker_vpnserver/Documentation.md
@@ -1,8 +1,32 @@
-1. /srv/vpnserver und /srv/vpnserver/secrets erstellen, "wg genkey > wg_private_key" in /srv/vpnserver/secrets
-2. deployen
-3. uffd configurieren
- 1. neuen Dienst erstellen
- 2. OAuth2 Client-ID erstellen
- - Client-ID: vpnserver
- - Client-Secret: /srv/vpnserver/secrets/oauth_client_secret
- - Redirect-URIs: https://<vpnserver-domain>/user/oauth2/uffd/callback
\ No newline at end of file
+ + # Overview + * Authentication to VPNServer is only possible with an account in uffd, regular authentication is disabled (can be enabled as fallback) + * All users with group 'vpnserver_access' can access the VPNServer + # Setup OIDC Authentication via uffd + Uffd Reference: https://git.cccv.de/uffd + + ## Setup VPNServer + * Wireguard secret initial erstellen: ```wg genkey > wg_private_key``` in /srv/vpnserver/secrets + + ## Setup in uffd + Create Groups: + - vpnserver_access: General Access to VPNServer + Create a Service / OAuth Client: + Only Users with goup nextcloud_access can access Nextcloud + Client-ID: vpnserver Client-Secret: from file oauth_client_secret on the server Redirect-URIs: * https://vpn.test-warpzone.de/callback +
diff --git a/testserver/docker_vpnserver/tasks/main.yml b/testserver/docker_vpnserver/tasks/main.yml
index 997783a7eba99d9c3614ae95887a8f4e3df0d7b0..21147c81c7ecf13df78b4d7a73aa1949456b7f34 100644
--- a/testserver/docker_vpnserver/tasks/main.yml
+++ b/testserver/docker_vpnserver/tasks/main.yml
@@ -22,7 +22,7 @@ dest: "{{ basedir }}/{{ item }}"
 with_items:
 - docker-compose.yml
- - config.yml
+ - config.yaml
 register: config
diff --git a/testserver/docker_vpnserver/templates/config.yml b/testserver/docker_vpnserver/templates/config.yaml
similarity index 50%
rename from testserver/docker_vpnserver/templates/config.yml
rename to testserver/docker_vpnserver/templates/config.yaml
index c4c8cf961aee1b5982432b21bc3a57103e4808ac..8f0a143d10b075154099b6420d47b2345573dd3f 100644
--- a/testserver/docker_vpnserver/templates/config.yml
+++ b/testserver/docker_vpnserver/templates/config.yaml
@@ -1,8 +1,8 @@
 # You can disable the builtin admin account by leaving out 'adminPassword'. Requires another backend to be configured.
-adminPassword: "{{ wg_admin_pass }}"
+# adminPassword: "{{ wg_admin_pass }}"
 # adminUsername sets the user for the Basic/Simple Auth admin account if adminPassword is set.
 # Every user of the basic and simple backend with a username matching adminUsername will have admin privileges.
-adminUsername: "vpnadmin"
+# adminUsername: "vpnadmin"
 # Configure zero or more authentication backends
 auth:
 oidc:
@@ -17,7 +17,7 @@ auth:
 # The path can be almost anything as long as it doesn't
 # conflict with a path that the web UI uses.
 # /callback is recommended.
- redirectURL: "{{ oidc_global.provider_url }}/callback"
+ redirectURL: "https://{{ domain }}/callback"
 # List of scopes to request claims for. Must include 'openid'.
 # Must include 'email' if 'emailDomains' is used. Can include 'profile' to show the user's name in the UI.
 # Add custom ones if required for 'claimMapping'.
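Review bot: Commenting out `adminPassword` does not stop Ansible from rendering it: Jinja2 evaluates `{{ wg_admin_pass }}` inside a YAML comment just the same, so the deployed config.yaml still carries the admin password in plaintext in that comment, and the template task fails outright if `wg_admin_pass` is no longer defined. Replace the value with a non-templated placeholder, e.g. `# adminPassword: "<admin password>"`, or drop the line, since the comment above it already documents the option. With the builtin admin gone here and the `claimMapping` `admin` expression deleted in the third hunk of this file, no user reaches the admin views any more; if that is intended it belongs in Documentation.md.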
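Review bot: `redirectURL` is now built from `{{ domain }}`, while the Documentation.md in this commit registers the literal `https://vpn.test-warpzone.de/callback` in uffd; an OIDC provider rejects a redirect_uri that does not match the registered value byte for byte, and with the builtin admin disabled there is no fallback login when that happens. Tie the two places together so the next change to `domain` is made in both: `# Must equal the Redirect-URI registered for client 'vpnserver' in uffd (see Documentation.md).` The enclosing `auth.oidc` block starts before this hunk.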
@@ -26,20 +26,3 @@ auth:
 - openid
 - profile
 - email
- - groups
- # You can optionally restrict access to users with an email address
- # that matches an allowed domain.
- # If empty or omitted then all email domains will be allowed.
- # This is an advanced feature that allows you to define OIDC claim mapping expressions.
- # This feature is used to define wg-access-server admins based off a claim in your OIDC token.
- # A JSON-like object of claimKey: claimValue pairs as returned by the issuer is passed to the evaluation function.
- # See https://github.com/Knetic/govaluate/blob/9aa49832a739dcd78a5542ff189fb82c3e423116/MANUAL.md for the syntax.
- claimMapping:
- # This example works if you have a custom group_membership claim which is a list of strings
- admin: "'vpnserver_admin' in group_membership"
- access: "'vpnserver_access' in group_membership"
- # Let wg-access-server retrieve the claims from the ID Token instead of querying the UserInfo endpoint.
- # Some OIDC authorization provider implementations (e.g. ADFS) only publish claims in the ID Token.
- claimsFromIDToken: false
- # require this claim to be "true" to allow access for the user
- accessClaim: "access"
\ No newline at end of file
diff --git a/testserver/docker_vpnserver/templates/docker-compose.yml b/testserver/docker_vpnserver/templates/docker-compose.yml
index 6616554ce3314078f7f3e2c19928e0383f2dc656..ac2089742132cf9f8a2b588365a2ad3f93975c3f 100644
--- a/testserver/docker_vpnserver/templates/docker-compose.yml
+++ b/testserver/docker_vpnserver/templates/docker-compose.yml
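Review bot: Deleting `accessClaim`, the `claimMapping` block and the `groups` scope removes the only server-side authorization check, so after this hunk every account that can complete the uffd login is admitted to the VPN, while the Documentation.md added in the same commit still states that only members of `vpnserver_access` get access. That holds now only if the uffd service for client `vpnserver` is itself restricted to that group, which nothing in the diff shows. Either keep the `groups` scope together with `access: "'vpnserver_access' in group_membership"` and `accessClaim: "access"` (assuming uffd emits that claim, as the old config presumed), or record the delegation in the template: `# Authorization is delegated to uffd: restrict the 'vpnserver' service to group vpnserver_access there.` The `auth.oidc` block begins before this hunk.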
@@ -10,15 +10,12 @@ services:
 net.ipv6.conf.all.forwarding: 1
 volumes:
 - "{{ basedir }}/data:/data"
- - "{{ basedir }}/config.yaml:/config.yml" # if you have a custom config file
+ - "{{ basedir }}/config.yaml:/config.yaml"
 ports:
- # - "8000:8000/tcp"
 - "51820:51820/udp"
 devices:
 - "/dev/net/tun:/dev/net/tun"
 environment:
- - "WG_ADMIN_USERNAME=vpnadmin"
- - "WG_ADMIN_PASSWORD={{ wg_admin_pass }}"
 - "WG_WIREGUARD_PRIVATE_KEY={{ wg_private_key }}"
 - "WG_VPN_CIDRV6=0" # to disable IPv6
 - "WG_EXTERNAL_HOST={{ domain }}"
diff --git a/testserver/docker_wordpress/Documentation.md b/testserver/docker_wordpress/Documentation.md
index 5ebd4b77d1a7d6d83801fe47a2a98c6552e885a0..997e4da1a4f20d2cbdefc858d5bfd7d1cb43c444 100644
--- a/testserver/docker_wordpress/Documentation.md
+++ b/testserver/docker_wordpress/Documentation.md
@@ -40,15 +40,15 @@ Pluin settings:
 Create Groups:
-- wordpress_access: General Access to Nextcloud
+- wordpress_access: General Access to Wordpress
 - wordpress_admin: This Group will be Mapped to the Group admin in Wordpress
 Create a Service / OAuth Client:
-Only Users with goup nextcloud_access can access Nextcloud
+Only Users with goup wordpress_access can access Wordpress
 Client-ID: wordpress
-Client-Secret: from file nextcloud_oidc_secret on the server
+Client-Secret: from file wordpress_client_secret on the server
 Redirect-URIs:
 * https://www.test-warpzone.de/wp-admin/admin-ajax.php?action=openid-connect-authorize
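Review bot: The rendered compose file keeps `WG_WIREGUARD_PRIVATE_KEY={{ wg_private_key }}` inline (context line near the end of the hunk), so the key that Documentation.md places in /srv/vpnserver/secrets is copied in plaintext into `{{ basedir }}/docker-compose.yml` and is exposed through `docker inspect`; whether the template task restricts that file's mode is not visible in this diff. Consider an `env_file:` entry pointing at a root-only file in the secrets directory instead of inline interpolation. Also confirm that the image reads `/config.yaml` by default, since the mount was renamed from `/config.yml` without passing a config argument; with `WG_ADMIN_PASSWORD` removed, a silently ignored config file would leave the server without its OIDC backend.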