Did things
This commit is contained in:
Aner Zakobar
+11
@@ -72,6 +72,11 @@ First Name Attribute: cn
|
||||
Surname Attribute: sn
|
||||
Email Attribute: mail
|
||||
|
||||
* AUTHELIA
|
||||
|
||||
https://github.com/authelia/authelia/blob/57d5fbd3f5c82e83296023dc1de6e4f5ff063c00/examples/compose/lite/authelia/configuration.yml
|
||||
This fucking sucks
|
||||
https://gist.github.com/james-d-elliott/5152d27c0781aee856a3383f1284998e
|
||||
|
||||
* EVERYTHING
|
||||
https://www.talkingquickly.co.uk/gitea-sso-with-keycloak-openldap-openid-connect
|
||||
@@ -79,3 +84,9 @@ https://www.talkingquickly.co.uk/gitea-sso-with-keycloak-openldap-openid-connect
|
||||
* DRONE AND GITEA
|
||||
?
|
||||
https://dev.to/ruanbekker/self-hosted-cicd-with-gitea-and-drone-ci-200l
|
||||
|
||||
* DAV
|
||||
|
||||
https://gitlab.com/davical-project/davical/-/blob/master/config/example-config.php
|
||||
|
||||
Line 800 ish for auth from reverse proxy
|
||||
|
||||
@@ -42,19 +42,23 @@ access_control:
|
||||
rules:
|
||||
- domain:
|
||||
- "auth.zakobar.com"
|
||||
policy: bypass
|
||||
policy: "bypass"
|
||||
- domain:
|
||||
- "dav.{{ .Values.homey.url }}"
|
||||
policy: "one_factor"
|
||||
- domain:
|
||||
- "ldapadmin.{{ .Values.homey.url }}"
|
||||
subject:
|
||||
- 'group:admins'
|
||||
policy: "two_factor"
|
||||
- domain:
|
||||
- "ldapadmin.{{ .Values.homey.url }}"
|
||||
- "longhorn.{{ .Values.homey.url }}"
|
||||
- "*.admin.{{ .Values.homey.url }}"
|
||||
subject:
|
||||
- 'group:admins'
|
||||
policy: "two_factor"
|
||||
- domain:
|
||||
- "*.admin.{{ .Values.homey.url }}"
|
||||
policy: "deny"
|
||||
# - domain:
|
||||
# - "git.{{ .Values.homey.url }}"
|
||||
# policy: "one_factor"
|
||||
notifier:
|
||||
filesystem:
|
||||
filename: "/var/lib/authelia/emails.txt"
|
||||
|
||||
+216
-3
@@ -50,7 +50,6 @@ spec:
|
||||
containers:
|
||||
- name: openldap
|
||||
image: osixia/openldap
|
||||
imagePullPolicy: "Always"
|
||||
env:
|
||||
- name: LDAP_ORGANISATION
|
||||
value: {{ .Values.homey.organization }}
|
||||
@@ -233,7 +232,6 @@ spec:
|
||||
---
|
||||
{{- $_ := set $ "homey_gitea_oauth2_jwt_secret" (include "homey.lookuporgensecret" (merge (dict "secretname" "gitea-oauth2-jwt-secret") $))}}
|
||||
{{ include "homey.randomsecret" (merge (dict "secretname" "gitea-oauth2-jwt-secret" "secretval" .homey_gitea_oauth2_jwt_secret) $) }}
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
@@ -293,7 +291,7 @@ spec:
|
||||
# lifecycle:
|
||||
# postStart:
|
||||
# exec:
|
||||
# {{- $gitea_cmd := (printf "gitea admin auth add-ldap --name ldap --security-protocol unencrypted --host ldap --port 389 --user-search-base ou=users,%s --user-filter \\\"(&(objectClass=inetOrgPerson)(|(uid=%[1]s)(mail=%[1]s)))\\\" --email-attribute mail --bind-dn=\\\"cn=readonly,%s\\\" --bind-password=\\\"%s\\\"" ( .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim) ( .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim) (.homey_openldap_ro | replace "\"" ""))}}
|
||||
# {{- $gitea_cmd := (printf "gitea admin auth add-ldap --name ldap --security-protocol unencrypted --host ldap --port 389 --user-search-base ou=users,%s --user-filter \\\"(&(objectClass=inetOrgPerson)(|(uid=%[1]s)(mail=kk[1]s)))\\\" --email-attribute mail --bind-dn=\\\"cn=readonly,%s\\\" --bind-password=\\\"%s\\\"" ( .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim) ( .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim) (.homey_openldap_ro | replace "\"" ""))}}
|
||||
# command: ["/bin/sh", "-c", "{{$gitea_cmd}}"]
|
||||
volumes:
|
||||
- name: gitea-persistent-storage
|
||||
@@ -343,3 +341,218 @@ spec:
|
||||
port:
|
||||
number: 3000
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: davical-postgres-pvc
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteMany
|
||||
resources:
|
||||
requests:
|
||||
storage: 1Gi
|
||||
storageClassName: longhorn
|
||||
|
||||
---
|
||||
{{- $_ := set $ "homey_davical_postgres_pass" (include "homey.lookuporgensecret" (merge (dict "secretname" "davical-postgres-pass") $))}}
|
||||
{{ include "homey.randomsecret" (merge (dict "secretname" "davical-postgres-pass" "secretval" .homey_davical_postgres_pass) $) }}
|
||||
---
|
||||
# apiVersion: extensions/v1beta1
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: davical-postgres-config
|
||||
labels:
|
||||
app: davical-postgres
|
||||
data:
|
||||
POSTGRES_DB: postgres
|
||||
POSTGRES_USER: postgres
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: davical-postgres
|
||||
labels:
|
||||
app: davical-postgres
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: davical-postgres
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: davical-postgres
|
||||
name: davical-postgres
|
||||
spec:
|
||||
containers:
|
||||
- name: davical-postgres
|
||||
image: postgres:10.4
|
||||
imagePullPolicy: "IfNotPresent"
|
||||
ports:
|
||||
- containerPort: 5432
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: davical-postgres-config
|
||||
env:
|
||||
- name: POSTGRES_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: davical-postgres-pass
|
||||
key: password
|
||||
volumeMounts:
|
||||
- mountPath: /var/lib/postgresql/data
|
||||
subPath: data
|
||||
name: davical-postgredb
|
||||
volumes:
|
||||
- name: davical-postgredb
|
||||
persistentVolumeClaim:
|
||||
claimName: davical-postgres-pvc
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: davical-postgres
|
||||
labels:
|
||||
app: davical-postgres
|
||||
spec:
|
||||
ports:
|
||||
- port: 5432
|
||||
selector:
|
||||
app: davical-postgres
|
||||
---
|
||||
{{- $_ := set $ "homey_davical_admin_pass" (include "homey.lookuporgensecret" (merge (dict "secretname" "davical-admin-pass") $))}}
|
||||
{{ include "homey.randomsecret" (merge (dict "secretname" "davical-admin-pass" "secretval" .homey_davical_admin_pass) $) }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: davical-conf
|
||||
data:
|
||||
config.php: |-
|
||||
{{ tpl (.Files.Get "files/davical-config.php" | indent 4) . }}
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: davical
|
||||
labels:
|
||||
app: davical
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: davical
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: davical
|
||||
spec:
|
||||
containers:
|
||||
- name: davical
|
||||
image: anerisgreat/davical-multiarch-docker:latest
|
||||
imagePullPolicy: "Always"
|
||||
ports:
|
||||
- containerPort: 80
|
||||
name: dav
|
||||
env:
|
||||
- name: PGHOST
|
||||
value: "davical-postgres"
|
||||
- name: PGUSER
|
||||
value: "postgres"
|
||||
- name: PGPASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: davical-postgres-pass
|
||||
key: password
|
||||
- name: PGDATABASE
|
||||
value: "davical"
|
||||
- name: PGPORT
|
||||
value: "5432"
|
||||
- name: HOST_NAME
|
||||
value:
|
||||
"dav.{{ .Values.homey.url }}"
|
||||
- name: DAVICAL_ADMIN_PASS
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: davical-admin-pass
|
||||
key: password
|
||||
- name: ROOT_PGUSER
|
||||
value: "postgres"
|
||||
- name: ROOT_PGPASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: davical-postgres-pass
|
||||
key: password
|
||||
- name: RUN_MIGRATIONS_AT_STARTUP
|
||||
value: "true"
|
||||
volumeMounts:
|
||||
- name: davical-conf
|
||||
mountPath: /etc/davical/config.php
|
||||
subPath: config.php
|
||||
readOnly: true
|
||||
volumes:
|
||||
- name: davical-conf
|
||||
configMap:
|
||||
name: davical-conf
|
||||
items:
|
||||
- key: config.php
|
||||
path: config.php
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: davical
|
||||
spec:
|
||||
selector:
|
||||
app: davical
|
||||
ports:
|
||||
- name: dav
|
||||
protocol: TCP
|
||||
port: 80
|
||||
targetPort: 80
|
||||
selector:
|
||||
app: davical
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: davical
|
||||
annotations:
|
||||
kubernetes.io/ingress.allow-http: "false"
|
||||
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
|
||||
nginx.ingress.kubernetes.io/auth-method: GET
|
||||
nginx.ingress.kubernetes.io/auth-url: http://authelia.{{ .Release.Namespace }}.svc.cluster.local:9091/api/verify
|
||||
nginx.ingress.kubernetes.io/auth-signin: https://auth.{{ .Values.homey.url }}?rm=$request_method
|
||||
nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
|
||||
nginx.ingress.kubernetes.io/auth-snippet: |
|
||||
proxy_set_header X-Forwarded-Method $request_method;
|
||||
auth_request_set $user $upstream_http_remote_user;
|
||||
auth_request_set $groups $upstream_http_remote_groups;
|
||||
auth_request_set $name $upstream_http_remote_name;
|
||||
auth_request_set $email $upstream_http_remote_email;
|
||||
proxy_set_header Remote-User $user;
|
||||
proxy_set_header Remote-Fullname $name;
|
||||
proxy_set_header Remote-Email $email;
|
||||
proxy_set_header Redirect-Remote-User $user;
|
||||
proxy_set_header Redirect-Remote-Fullname $name;
|
||||
proxy_set_header Redirect-Remote-Email $email;
|
||||
spec:
|
||||
ingressClassName: {{ .Values.homey.ingress_class }}
|
||||
tls:
|
||||
- hosts:
|
||||
- dav.{{ .Values.homey.url }}
|
||||
secretName: {{ .Values.homey.certname }}
|
||||
rules:
|
||||
- host: dav.{{ .Values.homey.url }}
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: davical
|
||||
port:
|
||||
number: 80
|
||||
---
|
||||
|
||||
@@ -26,6 +26,7 @@ spec:
|
||||
name: phpldapadmin
|
||||
ports:
|
||||
- containerPort: 80
|
||||
name: http
|
||||
restartPolicy: Always
|
||||
---
|
||||
apiVersion: v1
|
||||
@@ -36,6 +37,7 @@ spec:
|
||||
ports:
|
||||
- port: 80
|
||||
targetPort: 80
|
||||
name: http
|
||||
selector:
|
||||
app: phpldapadmin
|
||||
---
|
||||
|
||||
Reference in New Issue
Block a user