common/docker_ldap/notes/acl-allow-user-self-read.ldif

-dn: olcDatabase={1}hdb,cn=config
-changetype: modify
-add: olcAccess
-olcAccess: to * by self read by * search

common/docker_ldap/notes/acl-allow-user-self-read.sh

-#!/bin/bash 
-
-ldapmodify -Y EXTERNAL -H ldapi:// -f /opt/helper/acl-allow-user-self-read.ldif 
-ldapsearch -Y EXTERNAL -H ldapi:// -b "cn=config" "olcDatabase={1}hdb" 

common/docker_ldap/notes/search_admin.sh

-#!/bin/bash 
-# Usage: sh search_admin.sh "(objectClass=*)" 
-ldapsearch -h {{ int_ip4 }} -b "{{ ldap_base_dn }}" -D "{{ ldap_admin_bind_dn }}" -w "{{ ldap_admin_pass }}" -s sub "$1"

common/docker_ldap/notes/search_user.sh

-#!/bin/bash 
-# Usage: sh search_user.sh "testuser" "(objectClass=*)" 
-ldapsearch -h {{ int_ip4 }} -b "{{ ldap_base_dn }}" -D "uid=$1,ou=users,{{ ldap_base_dn }}" -W -s sub "$2"

common/docker_ldap/tasks/main.yml

----
-
-- include_tasks: ../functions/get_secret.yml
-  with_items:
-   - { path: /srv/ldap/secret/ldap_admin_pass,  length: 24 }
-   - { path: /srv/ldap/secret/ldap_readonly_pass,  length: 24 }
-
-- name: create folder struct for ldap
-  file:
-    path: "/srv/ldap/{{ item.path }}"
-    state: "directory"
-    recurse: yes
-  with_items:
-    - { path: 'database' }
-    - { path: 'config' }
-
-- name: Docker Compose Konfig-Datei erstellen
-  template:
-    src: "{{ item }}"
-    dest: "/srv/ldap/{{ item }}"
-  with_items:
-    - docker-compose.yml
-    - Dockerfile 
-    - syncrepl_exporter.yml 
-  register: config
-
-- name: "stop {{ servicename}} docker"
-  community.docker.docker_compose_v2:
-    project_src: "{{ basedir }}"
-    state: absent
-  when: config.changed
-
-- name: "start {{ servicename}} docker"
-  community.docker.docker_compose_v2:
-    project_src: "{{ basedir }}"
-    state: present
-

common/docker_ldap/templates/Dockerfile

-FROM golang:1.21.6
-
-RUN go get github.com/ThoreKr/syncrepl_exporter 
-
-EXPOSE 9328
-CMD ["/go/bin/syncrepl_exporter","--path.config=/syncrepl_exporter.yml"]

common/docker_ldap/templates/docker-compose.yml

-services:
-
-  openldap:
-    image: osixia/openldap:1.3.0
-    restart: always
-    command: --loglevel debug 
-    volumes:
-      - /srv/ldap/database:/var/lib/ldap
-      - /srv/ldap/config:/etc/ldap/slapd.d
-    ports:
-      - {{ int_ip4 }}:389:389
-      - {{ int_ip4 }}:636:636      
-    environment:
-      - HOSTNAME={{ inventory_hostname }}-sync
-      - LDAP_BACKEND=hdb 
-      - LDAP_ORGANISATION={{ ldap_org }}
-      - LDAP_DOMAIN={{ ldap_domain }}
-      - LDAP_ADMIN_PASSWORD={{ ldap_admin_pass }}
-      - LDAP_CONFIG_PASSWORD={{ ldap_admin_pass }}
-      - LDAP_READONLY_USER=true
-      - LDAP_READONLY_USER_USERNAME=readonly
-      - LDAP_READONLY_USER_PASSWORD={{ ldap_readonly_pass }}
-      - LDAP_TLS_VERIFY_CLIENT=never
-    networks:
-      - default
-    
-  
-  phpldapadmin:
-    image: osixia/phpldapadmin:0.9.0
-    restart: always
-    depends_on:
-      - openldap
-    environment:
-      - PHPLDAPADMIN_LDAP_HOSTS=openldap
-      - PHPLDAPADMIN_HTTPS=false
-      - PHPLDAPADMIN_TRUST_PROXY_SSL=true
-    labels:
-      - traefik.enable=true
-      - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
-      - traefik.http.routers.{{ servicename }}.entrypoints=websecure
-      - traefik.http.services.{{ servicename }}.loadbalancer.server.port=80 
-    networks:
-      - default
-      - web
-    
-    
-networks:
-  web:
-    external: true    

common/docker_ldap/templates/syncrepl_exporter.yml

----
-
-    ldap:
-      host: 'openldap'
-      port: '636'
-      basedn: '{{ ldap_base_dn }}'
-      starttls: false
-      bind: true
-      bindcn: '{{ ldap_readonly_bind_dn }}'
-      bindpass: '{{ ldap_readonly_pass }}'

group_vars/prod

-# Globale Variablen für alle produktiven Server
-
-# Ports des LDAP Servers 
-ldap_port_default: 389
-ldap_port_secure: 636
-
-# IP Adresse des LDAP Servers
-# Extern läuft auf dem webserver
-ldap_ip_ext: 10.42.1.1
-
-
-# Basis-Informationen der LDAP Konfiguration 
-ldap_org: Warpzone
-ldap_domain: warpzone.ms
-ldap_base_dn: dc=warpzone,dc=ms
-ldap_admin_bind_dn: cn=admin,dc=warpzone,dc=ms
-ldap_readonly_bind_dn: cn=readonly,dc=warpzone,dc=ms
-ldap_group_dn: ou=groups,dc=warpzone,dc=ms
-ldap_group_active_dn: cn=active,ou=groups,dc=warpzone,dc=ms
 
 # SMTP Settings 
 smtp_domain: warpzone.ms

group_vars/test

+
 # SMTP Settings 
 smtp_domain: test-warpzone.de
 smtp_host: mailserver.test-warpzone.de

host_vars/webserver

@@ -36,8 +36,6 @@ webserver_domains:
   - "gitlab.warpzone.ms"
   - "matrix.warpzone.ms"
   - "mailserver.warpzone.ms"
-  - "ldap.warpzone.ms"
-  - "keycloak.warpzone.ms"
   - "md.warpzone.ms"
   - "privatebin.warpzone.ms"
 #  - "turn.warpzone.ms"
@@ -81,10 +79,9 @@ alert:
     - { name: "hackmd-app-1" }
     - { name: "hackmd-db-1" }
     - { name: "icinga-app-1" }
+    - { name: "icinga-auth-1" }
     - { name: "icinga-db-1" }
     - { name: "icinga-graphite-1" }
-    - { name: "ldap-openldap-1" }
-    - { name: "ldap-phpldapadmin-1" }
     - { name: "mail-admin-1" }
     - { name: "mail-antispam-1" }
     - { name: "mail-certdumper-1" }
@@ -99,8 +96,8 @@ alert:
     - { name: "mail-mailman-core-1" }
     - { name: "mail-mailman-web-1" }
     - { name: "mail-mailman-nginx-1" }
-    - { name: "matrix-ma1sd-1" }
     - { name: "matrix-db-1" }
+    - { name: "matrix-ldap-1" }
     - { name: "matrix-purgemediacache-1" }
     - { name: "matrix-synapse-1" }
     - { name: "matterbridge-cw-1" }

site.yml

@@ -291,12 +291,6 @@
         basedir: "/srv/{{ servicename }}",
         domain: "uffd.warpzone.ms",
       }
-    - {
-        role: common/docker_ldap, tags: [ ldap, docker_services ],
-        servicename: ldap,
-        basedir: /srv/ldap,
-        domain: "ldap.warpzone.ms"
-      }
     - { 
         role: common/docker_traefik, tags: [ traefik, docker_services ],
         servicename: traefik,
@@ -342,12 +336,6 @@
         basedir: /srv/hackmd, 
         domain: "md.warpzone.ms"
       }
-    - { 
-        role: webserver/docker_keycloak, tags: [ keycloak, docker_services ],
-        servicename: "keycloak",
-        basedir: /srv/keycloak, 
-        domain: "keycloak.warpzone.ms"
-      }
     - { 
         role: webserver/docker_mail, tags: [ mail, docker_services ],
         servicename: mail,

webserver/docker_gitlab/Documentation.md

+
+# Gitlab Access with uffd as Access Provider 
+
+Redirect URL: https://gitlab.warpzone.ms/users/auth/openid_connect/callback
+
+## Browsing without login 
+
+https://gitlab.warpzone.ms/explore
+
+## Features not supported in Community edition 
+
+- Set Admin Flag 
+- Manage Groups 
+

webserver/docker_gitlab/tasks/main.yml

@@ -2,9 +2,9 @@
 
 - include_tasks: ../functions/get_secret.yml
   with_items:
-   - { path: /srv/shared/noreply_email_pass,  length: -1 }
-   - { path: /srv/ldap/secret/ldap_readonly_pass,  length: -1 }
-   - { path: /srv/gitlab/runner_registration_token,  length: -1 }
+    - { path: /srv/shared/noreply_email_pass,  length: -1 }
+    - { path: /srv/gitlab/secret/oidc_client_secret,  length: 32 }
+    - { path: /srv/gitlab/secret/runner_registration_token,  length: -1 }
 
 # Benötigte Verzeichnisstrukturen erstellen
 

webserver/docker_gitlab/templates/conf/gitlab.rb

@@ -455,7 +455,7 @@ gitlab_rails['object_store']['objects']['pages']['bucket'] = nil
 
 # gitlab_rails['ldap_enabled'] = false
 # gitlab_rails['prevent_ldap_sign_in'] = false
-gitlab_rails['ldap_enabled'] = true
+# gitlab_rails['ldap_enabled'] = true
 
 
 ###! **remember to close this block with 'EOS' below**
@@ -503,24 +503,24 @@ gitlab_rails['ldap_enabled'] = true
 #     sync_ssh_keys: false
 # EOS
 
-gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
-  main:
-    label: 'LDAP'
-    host: '{{ ldap_ip_ext }}'
-    port: 389
-    uid: 'uid'
-    method: 'plain'
-    bind_dn: '{{ ldap_readonly_bind_dn }}'
-    password: '{{ ldap_readonly_pass }}'
-    base: '{{ ldap_base_dn }}'
-    user_filter: '(&(objectClass=inetOrgPerson)(memberof=CN=active,OU=groups,DC=warpzone,DC=ms))'
-    attributes:
-      username: ['uid', 'cn']
-      email: ['mail', 'email']
-      name: 'cn'
-      first_name: 'givenName'
-      last_name: 'sn'
-EOS
+# gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
+#   main:
+#     label: 'LDAP'
+#     host: '{{ ldap_ip_ext }}'
+#     port: 389
+#     uid: 'uid'
+#     method: 'plain'
+#     bind_dn: '{{ ldap_readonly_bind_dn }}'
+#     password: '{ { ldap_readonly_pass } }'
+#     base: '{{ ldap_base_dn }}'
+#     user_filter: '(&(objectClass=inetOrgPerson)(memberof=CN=active,OU=groups,DC=warpzone,DC=ms))'
+#     attributes:
+#       username: ['uid', 'cn']
+#       email: ['mail', 'email']
+#       name: 'cn'
+#       first_name: 'givenName'
+#       last_name: 'sn'
+# EOS
 
 
 ### Smartcard authentication settings
@@ -555,6 +555,45 @@ EOS
 #   }
 # ]
 
+
+gitlab_rails['omniauth_enabled'] = true
+gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
+gitlab_rails['omniauth_auto_link_user'] = ["openid_connect"]
+gitlab_rails['omniauth_auto_link_ldap_user'] = true
+gitlab_rails['omniauth_auto_link_saml_user'] = true
+gitlab_rails['omniauth_block_auto_created_users'] = false
+gitlab_rails['omniauth_sync_profile_from_provider'] = ['openid_connect']
+gitlab_rails['omniauth_sync_profile_attributes'] = ['name', 'email']
+gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'openid_connect'
+
+gitlab_rails['omniauth_providers'] = [
+  {
+    name: "openid_connect",
+    label: "uffd",
+    args: {
+      name: "openid_connect",
+      scope: ["openid", "profile", "email", "groups"],
+      response_type: "code",
+      issuer: "{{ oidc_global.provider_url }}",
+      discovery: true,
+      uid_field: "preferred_username",
+      gitlab_username_claim: "name",
+      send_scope_to_token_endpoint: "true",
+      client_options: {
+        identifier: "gitlab",
+        secret: "{{ oidc_client_secret }}",
+        redirect_uri: "https://{{ domain }}/users/auth/openid_connect/callback",
+        gitlab: {
+          groups_attribute: "groups",
+          required_groups: ["gitlab_access"],
+          admin_groups: ["gitlab_admin"]
+        }
+      }
+    }
+  }
+]
+
+
 ### Backup Settings
 ###! Docs: https://docs.gitlab.com/omnibus/settings/backups.html
 

webserver/docker_gitlab/templates/docker-compose.yml

@@ -3,7 +3,7 @@ services:
   app:
 
     # Version pinned due to upgrade problems with 17.9.x  
-    image: gitlab/gitlab-ce:17.8.6-ce.0
+    image: gitlab/gitlab-ce:17.8.7-ce.0
     restart: always
     ports:
       - "444:22"

webserver/docker_icinga/Documentation.md

+
+Authentication via uffd 
+
+Client-ID: icinga
+Redirect-URIs: https://icinga.warpzone.ms/_oauth

webserver/docker_icinga/tasks/main.yml

@@ -2,12 +2,13 @@
 
 - include_tasks: ../functions/get_secret.yml
   with_items:
-    - { path: /srv/ldap/secret/ldap_readonly_pass, length: -1 }
-    - { path: "{{ basedir }}/icinga_admin_pass",  length: 12 }
-    - { path: "{{ basedir }}/icinga_api_user",  length: 8 }
-    - { path: "{{ basedir }}/icinga_api_pass",  length: 8 }
-    - { path: "{{ basedir }}/mysql_admin_pass",  length: 12 }
-    - { path: "{{ basedir }}/mysql_user_pass",  length: 12 }
+    - { path: "{{ basedir }}/forward_auth_secret", type: create, length: 64 }
+    - { path: "{{ basedir }}/oauth_client_secret", type: create, length: 64 }
+    - { path: "{{ basedir }}/icinga_admin_pass",   type: create, length: 12 }
+    - { path: "{{ basedir }}/icinga_api_user",     type: create, length: 8  }
+    - { path: "{{ basedir }}/icinga_api_pass",     type: create, length: 8  }
+    - { path: "{{ basedir }}/mysql_admin_pass",    type: create, length: 12 }
+    - { path: "{{ basedir }}/mysql_user_pass",     type: create, length: 12 }
     - { path: "{{ basedir }}/matrix_notification_access_token",  length: -1 }
 
 
@@ -18,6 +19,7 @@
     name: 
       - logrotate
 
+
 - name: icinga LogRotate config erstellen 
   template: 
     src: logrotate 
@@ -48,25 +50,30 @@
     - check_rbl_helper.sh
     - notify_by_pushover.sh
     - etc/locale.gen
+    - etc/oauth_header.conf
     - graphite-conf/storage-schemas.conf
   notify: restart icinga docker
   register: dockerconfig
 
+
 - stat:
     path: "{{ basedir }}/etc/icingaweb2/CONFIGURED"
   register: configured
 
+
 - name: "start {{ servicename }} docker (init)"
   community.docker.docker_compose_v2:
     project_src: "{{ basedir }}"
     state: present
   when: configured.stat.exists == False
 
+
 - name: "wait for {{ servicename }} docker (init)"
   wait_for:
     path: "{{ basedir }}/etc/icingaweb2/CONFIGURED"
   when: configured.stat.exists == False
 
+
 - name: "stop {{ servicename }} docker (init)"
   community.docker.docker_compose_v2:
     project_src: "{{ basedir }}"

webserver/docker_icinga/templates/Dockerfile

-FROM jordan/icinga2:2.14.0
+FROM jordan/icinga2:2.14.3
 
 # Install additional Packages
 RUN apt-get update \

webserver/docker_icinga/templates/docker-compose.yml

@@ -5,19 +5,20 @@ services:
     build: .
     restart: always
     hostname: "{{ domain }}"
+    depends_on:
+      - db
+      - graphite
     ports:
       - "{{ api_port }}:5665"
     volumes:
       - "{{ basedir }}/data:/var/lib/icinga2"
       - "{{ basedir }}/etc/locale.gen:/etc/locale.gen"
+      - "{{ basedir }}/etc/oauth_header.conf:/etc/apache2/conf-enabled/oauth_header.conf"
       - "{{ basedir }}/etc/icinga:/etc/icinga2"
       - "{{ basedir }}/etc/icingaweb2:/etc/icingaweb2"
       - "{{ basedir }}/log/apache2:/var/log/apache2"
       - "{{ basedir }}/log/icinga2:/var/log/icinga2"
       - "{{ basedir }}/log/icingaweb2:/var/log/icingaweb2"
-    depends_on:
-      - db
-      - graphite
     environment:
       TZ: "Europe/Berlin"
       APACHE2_HTTP: BOTH
@@ -36,9 +37,12 @@ services:
       ICINGA2_FEATURE_GRAPHITE_HOST: graphite
       ICINGA2_FEATURE_GRAPHITE_PORT: 2003
       ICINGA2_FEATURE_DIRECTOR: 0
+      ICINGA2_IDO_MYSQL_SKIP_DB_CREATION: 1
+      ICINGAWEB2_MYSQL_SKIP_DB_CREATION: 1
     labels:
       - com.centurylinklabs.watchtower.enable=false
       - traefik.enable=true
+      - traefik.http.routers.{{ servicename }}.middlewares={{ servicename }}-auth
       - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
       - traefik.http.routers.{{ servicename }}.entrypoints=websecure
       - traefik.http.services.{{ servicename }}.loadbalancer.server.port=80
@@ -46,6 +50,32 @@ services:
       - default
       - web
 
+
+  auth:
+    image: thomseddon/traefik-forward-auth:2.2
+    restart: always
+    environment: 
+      LOG_LEVEL: info
+      DEFAULT_ACTION: auth
+      DEFAULT_PROVIDER: generic-oauth
+      SECRET: {{ forward_auth_secret }}
+      PROVIDERS_GENERIC_OAUTH_AUTH_URL: {{ oauth_global.authorize_url }}
+      PROVIDERS_GENERIC_OAUTH_TOKEN_URL: {{ oauth_global.token_url }}
+      PROVIDERS_GENERIC_OAUTH_USER_URL: {{ oauth_global.userinfo_url }}
+      PROVIDERS_GENERIC_OAUTH_CLIENT_ID: {{ servicename }}
+      PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET: {{ oauth_client_secret }}
+      PROVIDERS_GENERIC_OAUTH_SCOPE: profile
+      PROVIDERS_GENERIC_OAUTH_TOKEN_STYLE: header
+    labels:
+      - traefik.enable=true
+      - traefik.http.middlewares.{{ servicename }}-auth.forwardauth.address=http://auth:4181
+      - traefik.http.middlewares.{{ servicename }}-auth.forwardauth.authResponseHeaders=X-Forwarded-User
+      - traefik.http.services.{{ servicename }}-auth.loadbalancer.server.port=4181
+    networks:
+      - default
+      - web
+
+
   db:
 
     image: mariadb:11
@@ -63,9 +93,10 @@ services:
     networks:
       - default
 
+
   graphite:
 
-    image: graphiteapp/graphite-statsd:1.1.8-7
+    image: graphiteapp/graphite-statsd:latest
     restart: always
     volumes:
       - "{{ basedir }}/graphite-conf/storage-schemas.conf:/opt/graphite/conf/storage-schemas.conf"
@@ -80,6 +111,7 @@ services:
     networks:
       - default
 
+
 networks:
   web:
     external: true