icinga auf ldap login umgestellt

host_vars/webserver

@@ -81,6 +81,7 @@ alert:
     - { name: "hackmd-app-1" }
     - { name: "hackmd-db-1" }
     - { name: "icinga-app-1" }
+    - { name: "icinga-auth-1" }
     - { name: "icinga-db-1" }
     - { name: "icinga-graphite-1" }
     - { name: "ldap-openldap-1" }
@@ -99,8 +100,8 @@ alert:
     - { name: "mail-mailman-core-1" }
     - { name: "mail-mailman-web-1" }
     - { name: "mail-mailman-nginx-1" }
-    - { name: "matrix-ma1sd-1" }
     - { name: "matrix-db-1" }
+    - { name: "matrix-ldap-1" }
     - { name: "matrix-purgemediacache-1" }
     - { name: "matrix-synapse-1" }
     - { name: "matterbridge-cw-1" }

webserver/docker_icinga/Documentation.md

+
+Authentication via uffd 
+
+Client-ID: icinga
+Redirect-URIs: https://icinga.warpzone.ms/_oauth

webserver/docker_icinga/tasks/main.yml

@@ -2,12 +2,13 @@
 
 - include_tasks: ../functions/get_secret.yml
   with_items:
-    - { path: /srv/ldap/secret/ldap_readonly_pass, length: -1 }
-    - { path: "{{ basedir }}/icinga_admin_pass",  length: 12 }
-    - { path: "{{ basedir }}/icinga_api_user",  length: 8 }
-    - { path: "{{ basedir }}/icinga_api_pass",  length: 8 }
-    - { path: "{{ basedir }}/mysql_admin_pass",  length: 12 }
-    - { path: "{{ basedir }}/mysql_user_pass",  length: 12 }
+    - { path: "{{ basedir }}/forward_auth_secret", type: create, length: 64 }
+    - { path: "{{ basedir }}/oauth_client_secret", type: create, length: 64 }
+    - { path: "{{ basedir }}/icinga_admin_pass",   type: create, length: 12 }
+    - { path: "{{ basedir }}/icinga_api_user",     type: create, length: 8  }
+    - { path: "{{ basedir }}/icinga_api_pass",     type: create, length: 8  }
+    - { path: "{{ basedir }}/mysql_admin_pass",    type: create, length: 12 }
+    - { path: "{{ basedir }}/mysql_user_pass",     type: create, length: 12 }
     - { path: "{{ basedir }}/matrix_notification_access_token",  length: -1 }
 
 
@@ -18,6 +19,7 @@
     name: 
       - logrotate
 
+
 - name: icinga LogRotate config erstellen 
   template: 
     src: logrotate 
@@ -48,25 +50,30 @@
     - check_rbl_helper.sh
     - notify_by_pushover.sh
     - etc/locale.gen
+    - etc/oauth_header.conf
     - graphite-conf/storage-schemas.conf
   notify: restart icinga docker
   register: dockerconfig
 
+
 - stat:
     path: "{{ basedir }}/etc/icingaweb2/CONFIGURED"
   register: configured
 
+
 - name: "start {{ servicename }} docker (init)"
   community.docker.docker_compose_v2:
     project_src: "{{ basedir }}"
     state: present
   when: configured.stat.exists == False
 
+
 - name: "wait for {{ servicename }} docker (init)"
   wait_for:
     path: "{{ basedir }}/etc/icingaweb2/CONFIGURED"
   when: configured.stat.exists == False
 
+
 - name: "stop {{ servicename }} docker (init)"
   community.docker.docker_compose_v2:
     project_src: "{{ basedir }}"

webserver/docker_icinga/templates/Dockerfile

-FROM jordan/icinga2:2.14.0
+FROM jordan/icinga2:2.14.3
 
 # Install additional Packages
 RUN apt-get update \

webserver/docker_icinga/templates/docker-compose.yml

@@ -5,19 +5,20 @@ services:
     build: .
     restart: always
     hostname: "{{ domain }}"
+    depends_on:
+      - db
+      - graphite
     ports:
       - "{{ api_port }}:5665"
     volumes:
       - "{{ basedir }}/data:/var/lib/icinga2"
       - "{{ basedir }}/etc/locale.gen:/etc/locale.gen"
+      - "{{ basedir }}/etc/oauth_header.conf:/etc/apache2/conf-enabled/oauth_header.conf"
       - "{{ basedir }}/etc/icinga:/etc/icinga2"
       - "{{ basedir }}/etc/icingaweb2:/etc/icingaweb2"
       - "{{ basedir }}/log/apache2:/var/log/apache2"
       - "{{ basedir }}/log/icinga2:/var/log/icinga2"
       - "{{ basedir }}/log/icingaweb2:/var/log/icingaweb2"
-    depends_on:
-      - db
-      - graphite
     environment:
       TZ: "Europe/Berlin"
       APACHE2_HTTP: BOTH
@@ -36,9 +37,12 @@ services:
       ICINGA2_FEATURE_GRAPHITE_HOST: graphite
       ICINGA2_FEATURE_GRAPHITE_PORT: 2003
       ICINGA2_FEATURE_DIRECTOR: 0
+      ICINGA2_IDO_MYSQL_SKIP_DB_CREATION: 1
+      ICINGAWEB2_MYSQL_SKIP_DB_CREATION: 1
     labels:
       - com.centurylinklabs.watchtower.enable=false
       - traefik.enable=true
+      - traefik.http.routers.{{ servicename }}.middlewares={{ servicename }}-auth
       - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
       - traefik.http.routers.{{ servicename }}.entrypoints=websecure
       - traefik.http.services.{{ servicename }}.loadbalancer.server.port=80
@@ -46,6 +50,32 @@ services:
       - default
       - web
 
+
+  auth:
+    image: thomseddon/traefik-forward-auth:2.2
+    restart: always
+    environment: 
+      LOG_LEVEL: info
+      DEFAULT_ACTION: auth
+      DEFAULT_PROVIDER: generic-oauth
+      SECRET: {{ forward_auth_secret }}
+      PROVIDERS_GENERIC_OAUTH_AUTH_URL: {{ oauth_global.authorize_url }}
+      PROVIDERS_GENERIC_OAUTH_TOKEN_URL: {{ oauth_global.token_url }}
+      PROVIDERS_GENERIC_OAUTH_USER_URL: {{ oauth_global.userinfo_url }}
+      PROVIDERS_GENERIC_OAUTH_CLIENT_ID: {{ servicename }}
+      PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET: {{ oauth_client_secret }}
+      PROVIDERS_GENERIC_OAUTH_SCOPE: profile
+      PROVIDERS_GENERIC_OAUTH_TOKEN_STYLE: header
+    labels:
+      - traefik.enable=true
+      - traefik.http.middlewares.{{ servicename }}-auth.forwardauth.address=http://auth:4181
+      - traefik.http.middlewares.{{ servicename }}-auth.forwardauth.authResponseHeaders=X-Forwarded-User
+      - traefik.http.services.{{ servicename }}-auth.loadbalancer.server.port=4181
+    networks:
+      - default
+      - web
+
+
   db:
 
     image: mariadb:11
@@ -63,9 +93,10 @@ services:
     networks:
       - default
 
+
   graphite:
 
-    image: graphiteapp/graphite-statsd:1.1.8-7
+    image: graphiteapp/graphite-statsd:latest
     restart: always
     volumes:
       - "{{ basedir }}/graphite-conf/storage-schemas.conf:/opt/graphite/conf/storage-schemas.conf"
@@ -80,6 +111,7 @@ services:
     networks:
       - default
 
+
 networks:
   web:
     external: true

webserver/docker_icinga/templates/etc/icingaweb2/authentication.ini

@@ -4,9 +4,5 @@
 backend             = "db"
 resource            = "icingaweb_db"
 
-[ldap-users]
-backend             = "ldap"
-resource            = "icingaweb_ldap"
-user_class          = inetOrgPerson
-user_name_attribute = uid
-filter              = "memberOf={{ ldap_group_active_dn }}"
+[autologin]
+backend = external

webserver/docker_icinga/templates/etc/icingaweb2/groups.ini

@@ -3,13 +3,4 @@
 backend = "db"
 resource = "icingaweb_db"
 
-[ldap-groups]
-backend             = "ldap"
-user_backend        = "ldap-users"
-resource            = "icingaweb_ldap"
-group_class         = groupOfUniqueNames
-group_member_attribute = uniqueMember
-group_name_attribute = cn
-base_dn              = "{{ ldap_group_dn }}"
-
 

webserver/docker_icinga/templates/etc/icingaweb2/resources.ini

@@ -21,11 +21,3 @@ password = {{ mysql_user_pass }}
 charset = "utf8"
 persistent = "0"
 
-[icingaweb_ldap]
-type = ldap
-hostname = "{{ int_ip4 }}"
-port = 389
-root_dn = "{{ ldap_base_dn }}"
-bind_dn = "{{ ldap_readonly_bind_dn}}"
-bind_pw = "{{ ldap_readonly_pass }}"
-

webserver/docker_icinga/templates/etc/icingaweb2/roles.ini

@@ -3,7 +3,7 @@ users = icingaadmin
 permissions = "*"
 groups = "Administrators"
 
-[ldap-active]
-groups = active
+[Users]
+users = "*"
+groups = admin
 permissions = "application/*, module/*, monitoring/*"
-

webserver/docker_icinga/templates/etc/oauth_header.conf

+
+# Integratin der vorgeschalteten OAuth Anmeldung
+# Umgebungsvariable REMOTE_USER aus dem Header X-Forwarded-User setzen, damit das Autologin funktioniert
+# Der User wird in der Datenbank automatisch angelegt
+SetEnvIfNoCase X-Forwarded-User "(.*)" REMOTE_USER=$1
+
+# Abmelden Seite auf Abmelden im SSO umbiegen 
+Redirect "/icingaweb2/authentication/logout" {{ oauth_global.logout_url }}