Merge branch 'master' of ssh://gitlab.warpzone.ms:444/infrastruktur/ansible-warpzone

group_vars/prod

@@ -136,4 +136,5 @@ oauth_global:
 
 oidc_global:
   provider_url: https://uffd.warpzone.ms
-  logout_url: https://uffd.warpzone.ms/logout
+  logout_url: https://uffd.warpzone.ms/logout
\ No newline at end of file
+  ldap_base_dn: "dc=warpzone,dc=ms"

group_vars/test

@@ -47,10 +47,11 @@ oauth_global:
 oidc_global:
   provider_url: https://uffd.test-warpzone.de
   logout_url: https://uffd.test-warpzone.de/logout
+  ldap_base_dn: "dc=test-warpzone,dc=de"
 
 # Matrix Settings 
 matrix:
-  domain: matrix.warpzone.ms
-  public_url: https://matrix.warpzone.ms
-  identity_server: https://matrix.warpzone.ms
-  notifications_room_id: "!QxrpmOPYwofaPFqKMY:matrix.warpzone.ms"
+  domain: matrix.test-warpzone.de
+  public_url: https://matrix.test-warpzone.de
+  identity_server: https://matrix.test-warpzone.de
+  notifications_room_id: "!QxrpmOPYwofaPFqKMY:matrix.test-warpzone.de"
\ No newline at end of file

host_vars/test-warpzone-de

@@ -58,6 +58,7 @@ administratorenteam:
   - "void"
   - "sandhome"
   - "jabertwo"
+  - "supervirus"
 
 # Docker konfigurationen 
 docker:

keyfiles/supervirus.pub

+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM6+Ex8TM4gP+Nph5Cy5zK6z2mceI9i7vsh0ec4oTfDC htk@ridcully
\ No newline at end of file

testserver/docker_matrix/tasks/main.yml

@@ -3,6 +3,8 @@
 - include_tasks: ../functions/get_secret.yml
   with_items:
    - { path: /srv/shared/noreply_email_pass, length: -1 }
+   - { path: /srv/matrix/uffd_api_secret, length: 32 }
+   - { path: /srv/matrix/ldap_bind_pw, length: 32 }
    - { path: /srv/matrix/matrix_macaroon_secret_key, length: 32 }
    - { path: /srv/matrix/matrix_registration_shared_secret, length: 32 }
    - { path: /srv/matrix/matrix_form_secret, length: 32 }
@@ -30,6 +32,7 @@
     group: "999"
   with_items:
     - "/srv/matrix/db/"
+    - "/srv/matrix/uffd-ldapd/"
 
 
 - name: Konfig-Dateien erstellen
@@ -40,6 +43,7 @@
     - docker-compose.yml
     - synapse-data/homeserver.log.config
     - synapse-data/homeserver.yaml
+    - uffd-ldapd/Dockerfile
   register: configs
 
 

testserver/docker_matrix/templates/docker-compose.yml

@@ -23,6 +23,18 @@ services:
     networks:
       - default
 
+  ldap:
+
+    build: uffd-ldapd/
+    restart: always
+    environment:
+       SERVER_API_URL: "{{ oidc_global.provider_url }}"
+       SERVER_API_USER: "matrixldap"
+       SERVER_API_SECRET: "{{ uffd_api_secret }}"
+       SERVER_BASE_DN: "{{ oidc_global.ldap_base_dn }}"    
+       SERVER_BIND_PASSWORD: "{{ ldap_bind_pw}}"
+    networks:
+      - default
 
   synapse:
 
@@ -32,6 +44,7 @@ services:
     cpuset: "0"
     depends_on:
       - db
+      - ldap
     volumes:
       - /srv/matrix/synapse-data/:/data
     environment:

testserver/docker_matrix/templates/synapse-data/homeserver.yaml

@@ -86,29 +86,41 @@ max_spider_size: 10M
 enable_registration: false
 
 password_config:
-  enabled: false
+  enabled: true
 
+# OIDC Single Sign-On with uffd 
 oidc_providers:
-  - idp_id: uffd
-    idp_name: uffd
+  - idp_id: "uffd"
+    idp_name: "warpzone SSO (uffd)"
     discover: true
     enable_registration: true
     allow_existing_users: true
+    user_profile_method: "userinfo_endpoint"
     issuer: "{{ oidc_global.provider_url }}"
-    client_id: "matrix" # TO BE FILLED
-    client_secret: "{{ matrix_oidc_secret }}" # TO BE FILLED
+    client_id: "matrix" 
+    client_secret: "{{ matrix_oidc_secret }}" 
     scopes: 
       - "openid"
       - "profile"
       - "email"
     user_mapping_provider:
       config:
-        subject_claim: "preferred_username"
-        subject_template: "{% raw %}{{ user.preferred_username }}{% endraw %}"
         localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}"
         display_name_template: "{% raw %}{{ user.name }}{% endraw %}"
         email_template: "{% raw %}{{ user.email }}{% endraw %}"
 
+# Password login with uffd-ldapd 
+modules:
+ - module: "ldap_auth_provider.LdapAuthProviderModule"
+   config:
+     enabled: true
+     uri: "ldap://ldap:389"
+     start_tls: false
+     base: "ou=users,{{ oidc_global.ldap_base_dn }}"
+     attributes:
+        uid: "uid"
+        mail: "mail"
+        name: "displayName"
 
 auto_join_rooms:
   - "#warpzone:{{ matrix.domain }}"

testserver/docker_matrix/templates/uffd-ldapd/Dockerfile

+FROM debian:bookworm-slim
+
+# Set environment variables
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Install necessary dependencies and configure custom repository
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends wget gnupg ca-certificates \
+    && wget -O- "https://packages.cccv.de/docs/cccv-archive-key.gpg" | gpg --dearmor -o /etc/apt/trusted.gpg.d/cccv-archive-key.gpg  \
+    && echo "deb https://packages.cccv.de/uffd bookworm main" > /etc/apt/sources.list.d/custom.list \
+    && apt-get update \
+    && apt-get install -y --no-install-recommends uffd-ldapd ldap-utils \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+USER 999
+EXPOSE 389/tcp
+
+# Set default command
+CMD ["/usr/sbin/uffd-ldapd","--socket-address","0.0.0.0:389"]
+
+# Get all LDAP Entries
+# ldapsearch -x -H ldap://127.0.0.1 -D "cn=service,ou=system,{{ oidc_global.ldap_base_dn }}" -w "{{ ldap_bind_pw }}" -b "ou=users,{{ oidc_global.ldap_base_dn }}" "(objectClass=*)"
+

webserver/docker_vpnserver/templates/docker-compose.yml

@@ -23,7 +23,7 @@ services:
       - "WG_VPN_CIDRV6=0" # to disable IPv6
       - "WG_EXTERNAL_HOST={{ domain }}"
       - "WG_DNS_ENABLED=true"
-      - "WG_DNS_UPSTREAM=10.0.0.1"
+      - "WG_DNS_UPSTREAM=192.168.0.201"
       - "WG_LOG_LEVEL=info"
     labels:
       - traefik.enable=true