diff --git a/host_vars/webserver b/host_vars/webserver
index 199f1998cdb8284675ba4419fad0705ff254cbba..00df526b82bbaedce1646f7be994024370bf236d 100644
--- a/host_vars/webserver
+++ b/host_vars/webserver
@@ -81,6 +81,7 @@ alert:
     - { name: "hackmd-app-1" }
     - { name: "hackmd-db-1" }
     - { name: "icinga-app-1" }
+    - { name: "icinga-auth-1" }
     - { name: "icinga-db-1" }
     - { name: "icinga-graphite-1" }
     - { name: "ldap-openldap-1" }
@@ -99,8 +100,8 @@ alert:
     - { name: "mail-mailman-core-1" }
     - { name: "mail-mailman-web-1" }
     - { name: "mail-mailman-nginx-1" }
-    - { name: "matrix-ma1sd-1" }
     - { name: "matrix-db-1" }
+    - { name: "matrix-ldap-1" }
     - { name: "matrix-purgemediacache-1" }
     - { name: "matrix-synapse-1" }
     - { name: "matterbridge-cw-1" }
diff --git a/webserver/docker_icinga/Documentation.md b/webserver/docker_icinga/Documentation.md
new file mode 100644
index 0000000000000000000000000000000000000000..8325eb8f046323ef16a1652c28833963e79f706e
--- /dev/null
+++ b/webserver/docker_icinga/Documentation.md
@@ -0,0 +1,5 @@
+
+Authentication via uffd 
+
+Client-ID: icinga
+Redirect-URIs: https://icinga.warpzone.ms/_oauth
diff --git a/webserver/docker_icinga/tasks/main.yml b/webserver/docker_icinga/tasks/main.yml
index 6319c40e154826e4440dc270ca396e98802a9371..223a2d50ed7c712cb42929d515a3a41f0f61c9af 100644
--- a/webserver/docker_icinga/tasks/main.yml
+++ b/webserver/docker_icinga/tasks/main.yml
@@ -2,12 +2,13 @@
 
 - include_tasks: ../functions/get_secret.yml
   with_items:
-    - { path: /srv/ldap/secret/ldap_readonly_pass, length: -1 }
-    - { path: "{{ basedir }}/icinga_admin_pass",  length: 12 }
-    - { path: "{{ basedir }}/icinga_api_user",  length: 8 }
-    - { path: "{{ basedir }}/icinga_api_pass",  length: 8 }
-    - { path: "{{ basedir }}/mysql_admin_pass",  length: 12 }
-    - { path: "{{ basedir }}/mysql_user_pass",  length: 12 }
+    - { path: "{{ basedir }}/forward_auth_secret", type: create, length: 64 }
+    - { path: "{{ basedir }}/oauth_client_secret", type: create, length: 64 }
+    - { path: "{{ basedir }}/icinga_admin_pass",   type: create, length: 12 }
+    - { path: "{{ basedir }}/icinga_api_user",     type: create, length: 8  }
+    - { path: "{{ basedir }}/icinga_api_pass",     type: create, length: 8  }
+    - { path: "{{ basedir }}/mysql_admin_pass",    type: create, length: 12 }
+    - { path: "{{ basedir }}/mysql_user_pass",     type: create, length: 12 }
     - { path: "{{ basedir }}/matrix_notification_access_token",  length: -1 }
 
 
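Review bot: `oauth_client_secret` is now generated locally (`type: create, length: 64`), but an OAuth client secret only works if it equals the value registered for the `icinga` client at the provider, and nothing in this hunk shows how the generated value reaches uffd; if the client registration is maintained by hand from `Documentation.md`, the two will drift on the first re-creation of the file. If another role reads this secret file to register the client, a comment above the entry would save the next reader the search, e.g. `# must match the client secret registered for client-id "{{ servicename }}" at the OAuth provider`. The `matrix_notification_access_token` entry is now the only one without a `type:` key, presumably meaning read-only; worth confirming that is the helper's default. The `include_tasks` statement this list belongs to begins before the hunk.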
@@ -18,6 +19,7 @@
     name: 
       - logrotate
 
+
 - name: icinga LogRotate config erstellen 
   template: 
     src: logrotate 
@@ -48,25 +50,30 @@
     - check_rbl_helper.sh
     - notify_by_pushover.sh
     - etc/locale.gen
+    - etc/oauth_header.conf
     - graphite-conf/storage-schemas.conf
   notify: restart icinga docker
   register: dockerconfig
 
+
 - stat:
     path: "{{ basedir }}/etc/icingaweb2/CONFIGURED"
   register: configured
 
+
 - name: "start {{ servicename }} docker (init)"
   community.docker.docker_compose_v2:
     project_src: "{{ basedir }}"
     state: present
   when: configured.stat.exists == False
 
+
 - name: "wait for {{ servicename }} docker (init)"
   wait_for:
     path: "{{ basedir }}/etc/icingaweb2/CONFIGURED"
   when: configured.stat.exists == False
 
+
 - name: "stop {{ servicename }} docker (init)"
   community.docker.docker_compose_v2:
     project_src: "{{ basedir }}"
diff --git a/webserver/docker_icinga/templates/Dockerfile b/webserver/docker_icinga/templates/Dockerfile
index 88bee5136aa8171152b2c897ba200a90329f7f3a..adc7e8b4a8cb0a90305e49a11ebf1a1e5d4aee5d 100644
--- a/webserver/docker_icinga/templates/Dockerfile
+++ b/webserver/docker_icinga/templates/Dockerfile
@@ -1,4 +1,4 @@
-FROM jordan/icinga2:2.14.0
+FROM jordan/icinga2:2.14.3
 
 # Install additional Packages
 RUN apt-get update \
diff --git a/webserver/docker_icinga/templates/docker-compose.yml b/webserver/docker_icinga/templates/docker-compose.yml
index c6f8aa15b564c7f562bd8e2d323453ead52d3fe4..948b8f5d4fe4431ec4232731193ea1d5e58de7b4 100644
--- a/webserver/docker_icinga/templates/docker-compose.yml
+++ b/webserver/docker_icinga/templates/docker-compose.yml
@@ -5,19 +5,20 @@ services:
     build: .
     restart: always
     hostname: "{{ domain }}"
+    depends_on:
+      - db
+      - graphite
     ports:
       - "{{ api_port }}:5665"
     volumes:
       - "{{ basedir }}/data:/var/lib/icinga2"
       - "{{ basedir }}/etc/locale.gen:/etc/locale.gen"
+      - "{{ basedir }}/etc/oauth_header.conf:/etc/apache2/conf-enabled/oauth_header.conf"
       - "{{ basedir }}/etc/icinga:/etc/icinga2"
       - "{{ basedir }}/etc/icingaweb2:/etc/icingaweb2"
       - "{{ basedir }}/log/apache2:/var/log/apache2"
       - "{{ basedir }}/log/icinga2:/var/log/icinga2"
       - "{{ basedir }}/log/icingaweb2:/var/log/icingaweb2"
-    depends_on:
-      - db
-      - graphite
     environment:
       TZ: "Europe/Berlin"
       APACHE2_HTTP: BOTH
@@ -36,9 +37,12 @@ services:
       ICINGA2_FEATURE_GRAPHITE_HOST: graphite
       ICINGA2_FEATURE_GRAPHITE_PORT: 2003
       ICINGA2_FEATURE_DIRECTOR: 0
+      ICINGA2_IDO_MYSQL_SKIP_DB_CREATION: 1
+      ICINGAWEB2_MYSQL_SKIP_DB_CREATION: 1
     labels:
       - com.centurylinklabs.watchtower.enable=false
       - traefik.enable=true
+      - traefik.http.routers.{{ servicename }}.middlewares={{ servicename }}-auth
       - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
       - traefik.http.routers.{{ servicename }}.entrypoints=websecure
       - traefik.http.services.{{ servicename }}.loadbalancer.server.port=80
@@ -46,6 +50,32 @@ services:
       - default
       - web
 
+
+  auth:
+    image: thomseddon/traefik-forward-auth:2.2
+    restart: always
+    environment: 
+      LOG_LEVEL: info
+      DEFAULT_ACTION: auth
+      DEFAULT_PROVIDER: generic-oauth
+      SECRET: {{ forward_auth_secret }}
+      PROVIDERS_GENERIC_OAUTH_AUTH_URL: {{ oauth_global.authorize_url }}
+      PROVIDERS_GENERIC_OAUTH_TOKEN_URL: {{ oauth_global.token_url }}
+      PROVIDERS_GENERIC_OAUTH_USER_URL: {{ oauth_global.userinfo_url }}
+      PROVIDERS_GENERIC_OAUTH_CLIENT_ID: {{ servicename }}
+      PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET: {{ oauth_client_secret }}
+      PROVIDERS_GENERIC_OAUTH_SCOPE: profile
+      PROVIDERS_GENERIC_OAUTH_TOKEN_STYLE: header
+    labels:
+      - traefik.enable=true
+      - traefik.http.middlewares.{{ servicename }}-auth.forwardauth.address=http://auth:4181
+      - traefik.http.middlewares.{{ servicename }}-auth.forwardauth.authResponseHeaders=X-Forwarded-User
+      - traefik.http.services.{{ servicename }}-auth.loadbalancer.server.port=4181
+    networks:
+      - default
+      - web
+
+
   db:
 
     image: mariadb:11
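Review bot: The templated values in the new `auth` service's `environment` block are unquoted, and the rendered file is parsed as YAML after substitution, so a generated 64-character `forward_auth_secret` or `oauth_client_secret` that happens to start with a YAML indicator (`*`, `&`, `!`, `%`, `@`, `[`, `{`) or contain ` #` or `: ` would break the compose file or silently truncate the secret; whether `get_secret`'s create mode limits its alphabet is not visible here. Quote them, `SECRET: "{{ forward_auth_secret }}"` and `PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET: "{{ oauth_client_secret }}"`, and the three `oauth_global.*` URLs and `PROVIDERS_GENERIC_OAUTH_CLIENT_ID` the same way for consistency with the quoted `hostname` and `volumes` entries above. `environment: ` on the first line of the block also carries trailing whitespace.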
@@ -63,9 +93,10 @@ services:
     networks:
       - default
 
+
   graphite:
 
-    image: graphiteapp/graphite-statsd:1.1.8-7
+    image: graphiteapp/graphite-statsd:latest
     restart: always
     volumes:
       - "{{ basedir }}/graphite-conf/storage-schemas.conf:/opt/graphite/conf/storage-schemas.conf"
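Review bot: Moving `graphite` from the pinned `graphiteapp/graphite-statsd:1.1.8-7` to `:latest` makes the deployment non-reproducible and lets an unreviewed upstream release land on the next pull or rebuild, while the same commit deliberately pins `jordan/icinga2:2.14.3` in the Dockerfile. Pin to a specific release tag (or an image digest) and bump it intentionally as the Dockerfile change does. If `:latest` was chosen to pick up a particular fix, the tag that contains it should be recorded here instead.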
@@ -80,6 +111,7 @@ services:
     networks:
       - default
 
+
 networks:
   web:
     external: true
diff --git a/webserver/docker_icinga/templates/etc/icingaweb2/authentication.ini b/webserver/docker_icinga/templates/etc/icingaweb2/authentication.ini
index f2b8ec57694962efd7f54eaa87573a157b2b77fd..6e215426502fc50fc820f7ec63bf161fd69ed296 100644
--- a/webserver/docker_icinga/templates/etc/icingaweb2/authentication.ini
+++ b/webserver/docker_icinga/templates/etc/icingaweb2/authentication.ini
@@ -4,9 +4,5 @@
 backend             = "db"
 resource            = "icingaweb_db"
 
-[ldap-users]
-backend             = "ldap"
-resource            = "icingaweb_ldap"
-user_class          = inetOrgPerson
-user_name_attribute = uid
-filter              = "memberOf={{ ldap_group_active_dn }}"
+[autologin]
+backend = external
diff --git a/webserver/docker_icinga/templates/etc/icingaweb2/groups.ini b/webserver/docker_icinga/templates/etc/icingaweb2/groups.ini
index cc78bdddc7d5feb470c33809098e8455fd2695d5..94271c6ac7337932470a368ee3fe5288f7580517 100644
--- a/webserver/docker_icinga/templates/etc/icingaweb2/groups.ini
+++ b/webserver/docker_icinga/templates/etc/icingaweb2/groups.ini
@@ -3,13 +3,4 @@
 backend = "db"
 resource = "icingaweb_db"
 
-[ldap-groups]
-backend             = "ldap"
-user_backend        = "ldap-users"
-resource            = "icingaweb_ldap"
-group_class         = groupOfUniqueNames
-group_member_attribute = uniqueMember
-group_name_attribute = cn
-base_dn              = "{{ ldap_group_dn }}"
-
 
diff --git a/webserver/docker_icinga/templates/etc/icingaweb2/resources.ini b/webserver/docker_icinga/templates/etc/icingaweb2/resources.ini
index 4da1e50dff2499020510c7fc1279536e502d69a9..f23c59159168cf659210b83df4ddc0f2fce12c18 100644
--- a/webserver/docker_icinga/templates/etc/icingaweb2/resources.ini
+++ b/webserver/docker_icinga/templates/etc/icingaweb2/resources.ini
@@ -21,11 +21,3 @@ password = {{ mysql_user_pass }}
 charset = "utf8"
 persistent = "0"
 
-[icingaweb_ldap]
-type = ldap
-hostname = "{{ int_ip4 }}"
-port = 389
-root_dn = "{{ ldap_base_dn }}"
-bind_dn = "{{ ldap_readonly_bind_dn}}"
-bind_pw = "{{ ldap_readonly_pass }}"
-
diff --git a/webserver/docker_icinga/templates/etc/icingaweb2/roles.ini b/webserver/docker_icinga/templates/etc/icingaweb2/roles.ini
index 56df6207760a4c5414271d499e144cd9e01065e8..4a746626e46e56776ddb2b3fd32d78e921b6806a 100644
--- a/webserver/docker_icinga/templates/etc/icingaweb2/roles.ini
+++ b/webserver/docker_icinga/templates/etc/icingaweb2/roles.ini
@@ -3,7 +3,7 @@ users = icingaadmin
 permissions = "*"
 groups = "Administrators"
 
-[ldap-active]
-groups = active
+[Users]
+users = "*"
+groups = admin
 permissions = "application/*, module/*, monitoring/*"
-
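Review bot: `users = "*"` in the new `[Users]` role grants `application/*, module/*, monitoring/*` to every account Icinga Web 2 knows, and with the `external` backend added in `authentication.ini` (the comment in `oauth_header.conf` says users are created in the database automatically) that is every user the forward-auth layer lets through, so the effective policy is now whatever uffd allows for the `icinga` client rather than the `active` group membership it replaces. The `groups = admin` line adds nothing while `users = "*"` is present, and after this commit `groups.ini` has only the db group backend, so an `admin` group would have to exist there to matter. If the intent is to restrict to an admin group, drop `users = "*"`; if everyone passing SSO is intended, drop `groups = admin` and say so, e.g. `; every SSO-authenticated user gets full access; access control happens at the OAuth provider`.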
diff --git a/webserver/docker_icinga/templates/etc/oauth_header.conf b/webserver/docker_icinga/templates/etc/oauth_header.conf
new file mode 100644
index 0000000000000000000000000000000000000000..e640e9934224efaa1c75916974d5a68a245a45af
--- /dev/null
+++ b/webserver/docker_icinga/templates/etc/oauth_header.conf
@@ -0,0 +1,8 @@
+
+# Integratin der vorgeschalteten OAuth Anmeldung
+# Umgebungsvariable REMOTE_USER aus dem Header X-Forwarded-User setzen, damit das Autologin funktioniert
+# Der User wird in der Datenbank automatisch angelegt
+SetEnvIfNoCase X-Forwarded-User "(.*)" REMOTE_USER=$1
+
+# Abmelden Seite auf Abmelden im SSO umbiegen 
+Redirect "/icingaweb2/authentication/logout" {{ oauth_global.logout_url }}
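Review bot: `SetEnvIfNoCase X-Forwarded-User "(.*)" REMOTE_USER=$1` trusts the header unconditionally, so any request that reaches Apache on port 80 without passing through the Traefik forward-auth middleware — for instance from another container on the shared `web` or `default` network — is accepted as whatever name the header carries, and `roles.ini` gives `icingaadmin` `permissions = "*"`. Traefik replaces a client-supplied `X-Forwarded-User` with the auth service's response on its own path, but nothing in this file or the compose template restricts who may talk to Apache directly. Consider honouring the header only for requests from the proxy (a `Require ip` / `RemoteIPInternalProxy` restriction on the Traefik address, or a shared-secret header checked alongside it) and rejecting an empty value with `"(.+)"`. The comments could also say in English what is trusted and why, e.g. `# Map X-Forwarded-User (set by traefik-forward-auth after SSO) to REMOTE_USER for Icinga Web 2 autologin`.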