diff --git a/gitea/cm.yaml b/gitea/cm.yaml
new file mode 100644
index 0000000..9b3ba47
--- /dev/null
+++ b/gitea/cm.yaml
@@ -0,0 +1,81 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: gitea-config
+ namespace: gitea
+data:
+ GITEA____APP_NAME: "git@CASCADE"
+ GITEA____RUN_MODE: "prod"
+ GITEA____RUN_USER: "git"
+ GITEA____WORK_PATH: "/app/gitea"
+
+ MINIO__server__ROOT_URL: https://git.strudelline.net/
+ MINIO__server__DOMAIN: git.strudelline.net
+
+ GITEA__actions__DEFAULT_ACTIONS_URL: "https://github.com"
+ GITEA__actions__ENABLED: "true"
+
+ GITEA__attachment__PATH: "/data/gitea/attachments"
+
+ GITEA__cron__update_checker__ENABLED: "true"
+
+ GITEA__database__CHARSET: "utf8"
+ GITEA__database__DB_TYPE: "sqlite3"
+ GITEA__database__HOST: "localhost:3306"
+ GITEA__database__LOG_SQL: "false"
+ GITEA__database__NAME: "gitea"
+ GITEA__database__PASSWD: ""
+ GITEA__database__PATH: "/data/gitea/gitea.db"
+ GITEA__database__SCHEMA: ""
+ GITEA__database__SSL_MODE: "disable"
+ GITEA__database__USER: "root"
+
+ GITEA__indexer__ISSUE_INDEXER_PATH: "/data/gitea/indexers/issues.bleve"
+
+ GITEA__lfs__PATH: "/data/git/lfs"
+
+ GITEA__log__LEVEL: "info"
+ GITEA__log__MODE: "console"
+ GITEA__log__ROOT_PATH: "/data/gitea/log"
+
+ GITEA__openid__ENABLE_OPENID_SIGNIN: "true"
+ GITEA__openid__ENABLE_OPENID_SIGNUP: "false"
+
+ GITEA__picture__AVATAR_UPLOAD_PATH: "/data/gitea/avatars"
+ GITEA__picture__REPOSITORY_AVATAR_UPLOAD_PATH: "/data/gitea/repo-avatars"
+
+ GITEA__repository__ROOT: "/data/git/repositories"
+ GITEA__repository__local__LOCAL_COPY_PATH: "/data/gitea/tmp/local-repo"
+ GITEA__repository__pull-request__DEFAULT_MERGE_STYLE: "merge"
+ GITEA__repository__signing__DEFAULT_TRUST_MODEL: "committer"
+ GITEA__repository__upload__TEMP_PATH: "/data/gitea/uploads"
+
+ GITEA__security__INSTALL_LOCK: "true"
+ GITEA__security__PASSWORD_HASH_ALGO: "pbkdf2"
+ GITEA__security__REVERSE_PROXY_LIMIT: "1"
+ GITEA__security__REVERSE_PROXY_TRUSTED_PROXIES: "*"
+
+ GITEA__server__APP_DATA_PATH: "/data/gitea"
+ GITEA__server__DISABLE_SSH: "false"
+ GITEA__server__DOMAIN: "git.strudelline.net"
+ GITEA__server__HTTP_PORT: "3000"
+ GITEA__server__LFS_START_SERVER: "true"
+ GITEA__server__OFFLINE_MODE: "false"
+ GITEA__server__ROOT_URL: "https://git.strudelline.net/"
+ GITEA__server__SSH_DOMAIN: "git-ssh.strudelline.net"
+ GITEA__server__SSH_LISTEN_PORT: "2222"
+ GITEA__server__SSH_PORT: "2222"
+
+ GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION: "false"
+ GITEA__service__DEFAULT_ALLOW_CREATE_ORGANIZATION: "true"
+ GITEA__service__DEFAULT_ENABLE_TIMETRACKING: "true"
+ GITEA__service__DEFAULT_KEEP_EMAIL_PRIVATE: "false"
+ GITEA__service__DISABLE_REGISTRATION: "true"
+ GITEA__service__ENABLE_CAPTCHA: "false"
+ GITEA__service__ENABLE_NOTIFY_MAIL: "false"
+ GITEA__service__NO_REPLY_ADDRESS: "noreply.localhost"
+ GITEA__service__REGISTER_EMAIL_CONFIRM: "false"
+ GITEA__service__REQUIRE_SIGNIN_VIEW: "false"
+
+ GITEA__session__PROVIDER: "file"
+ GITEA__session__PROVIDER_CONFIG: "/data/gitea/sessions"
diff --git a/keycloak/ingress.yaml b/keycloak/ingress.yaml
index 4e7410a..4fcdde2 100644
--- a/keycloak/ingress.yaml
+++ b/keycloak/ingress.yaml
@@ -4,11 +4,35 @@ metadata:
 name: keycloak-cascade
 namespace: keycloak
 spec:
- ingressClassName: istio
+ ingressClassName: haproxy
 rules:
 - host: auth.werts.us
 http:
 paths:
+ - path: /oauth2
+ pathType: Prefix
+ backend:
+ service:
+ name: oauth2-proxy
+ port:
+ name: http
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: cascade-service
+ port:
+ number: 80
+ - host: auth.strudelline.net
+ http:
+ paths:
+ - path: /oauth2
+ pathType: Prefix
+ backend:
+ service:
+ name: oauth2-proxy
+ port:
+ name: http
 - path: /
 pathType: Prefix
 backend:
@@ -16,7 +40,3 @@ spec:
 name: cascade-service
 port:
 number: 80
- tls:
- - hosts:
- - auth.werts.us
- secretName: wildcard-tls
diff --git a/keycloak/keycloak-sts.yaml b/keycloak/keycloak-sts.yaml
index b6adcc4..c245aa8 100644
--- a/keycloak/keycloak-sts.yaml
+++ b/keycloak/keycloak-sts.yaml
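Review bot: `GITEA__security__REVERSE_PROXY_TRUSTED_PROXIES: "*"` tells Gitea to honour `X-Forwarded-For`/`X-Real-IP` from any source address, so anything that can reach the pod on port 3000 without going through the ingress (other cluster workloads, a NodePort, a misrouted route) can forge its own client IP in the audit log and rate-limit keys, and `REVERSE_PROXY_LIMIT: "1"` takes that forged hop verbatim; the same setting decides who may assert `X-WEBAUTH-USER` should reverse-proxy authentication ever be switched on. Restrict it to the ingress controller's source range, e.g. `GITEA__security__REVERSE_PROXY_TRUSTED_PROXIES: "10.0.0.0/8"` (substitute the pod/node CIDR the haproxy ingress actually uses). The `[database]` block is also self-contradictory: `DB_TYPE` is `sqlite3` yet `HOST: "localhost:3306"`, `USER: "root"` and an empty `PASSWD` survive from a MySQL template, so drop them before someone flips `DB_TYPE` and inherits an unauthenticated root login. The two `MINIO__server__*` keys lack the `GITEA__` prefix and are presumably ignored by Gitea's environment-to-ini loader, which only reads `GITEA__*`, so they are dead config and should be removed or renamed.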
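Review bot: The `tls:` stanza referencing `wildcard-tls` is deleted and nothing in the new rules replaces it, so the Ingress no longer asks the controller to terminate HTTPS for `auth.werts.us`, and the newly added `auth.strudelline.net` host never had a certificate listed at all. Every `redirect_uris` entry in the Terraform files of this diff and oauth2-proxy's `/oauth2/callback` flow assume `https://auth.…`; unless the haproxy ingress controller is configured with a default certificate and forced HTTPS redirect (not visible here), the Keycloak login form, its session cookies and the OIDC code exchange end up on cleartext. Either restore a block covering both hosts, e.g. `tls: [{hosts: [auth.werts.us, auth.strudelline.net], secretName: wildcard-tls}]`, or add a comment in the manifest stating where TLS is terminated (`# TLS terminated by the haproxy ingress default cert; see <ref>`). The enclosing `spec:` starts outside the hunk.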
@@ -141,6 +141,10 @@ spec:
 - mountPath: /opt/keycloak/themes
 name: themes
 dnsPolicy: ClusterFirst
+ hostAliases:
+ - hostnames:
+ - cascade.strudelline.net
+ ip: 172.16.34.1
 restartPolicy: Always
 schedulerName: default-scheduler
 securityContext: {}
diff --git a/keycloak/oauth2-proxy.yaml b/keycloak/oauth2-proxy.yaml
new file mode 100644
index 0000000..ed762d0
--- /dev/null
+++ b/keycloak/oauth2-proxy.yaml
@@ -0,0 +1,70 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: oauth2-proxy
+ name: oauth2-proxy
+ namespace: keycloak
+spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ app: oauth2-proxy
+ strategy:
+ rollingUpdate:
+ maxSurge: 25%
+ maxUnavailable: 25%
+ type: RollingUpdate
+ template:
+ metadata:
+ creationTimestamp: null
+ labels:
+ app: oauth2-proxy
+ spec:
+ containers:
+ - args:
+ - --http-address=0.0.0.0:4180
+ - --config=/config.cfg
+ image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /ping
+ port: http
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ name: oauth2-proxy
+ ports:
+ - containerPort: 4180
+ name: http
+ protocol: TCP
+ volumeMounts:
+ - mountPath: /config.cfg
+ name: oauth2-proxy-config
+ subPath: oauth2-proxy.cfg
+ terminationGracePeriodSeconds: 2
+ volumes:
+ - name: oauth2-proxy-config
+ secret:
+ defaultMode: 420
+ optional: false
+ secretName: oauth2-proxy-oidc-secret
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: oauth2-proxy
+ name: oauth2-proxy
+ namespace: keycloak
+spec:
+ ports:
+ - name: http
+ port: 4180
+ protocol: TCP
+ targetPort: 4180
+ selector:
+ app: oauth2-proxy
diff --git a/keycloak/tf/.gitignore b/keycloak/tf/.gitignore
new file mode 100644
index 0000000..b49eecc
--- /dev/null
+++ b/keycloak/tf/.gitignore
@@ -0,0 +1,2 @@
+*.backup
+*.tfstate
diff --git a/keycloak/tf/appwrite-cloud.tf b/keycloak/tf/appwrite-cloud.tf
new file mode 100644
index 0000000..2d89d6a
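Review bot: The new `hostAliases` entry pins `cascade.strudelline.net` to `172.16.34.1` in the pod's `/etc/hosts` with no comment saying why, so the next reader cannot tell whether this is a hairpin workaround for an external LB address the pod cannot reach or a deliberate override, and because DNS is bypassed Keycloak will keep talking to a stale address silently if that IP ever moves. Add a comment above it, e.g. `# hairpin: cluster DNS resolves cascade.strudelline.net to the external LB, unreachable from pods; keep in sync with the haproxy ingress IP`, adjusted to whatever actually holds. If more than this one pod needs the override, a CoreDNS `hosts`/rewrite entry keeps it in one place instead of per-workload aliases. The enclosing pod template starts outside the hunk.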
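Review bot: The container has a `livenessProbe` but no `readinessProbe`, so with `replicas: 3` and a `RollingUpdate` strategy the Service sends login callbacks to pods that have not finished loading the OIDC discovery document, and the proxy that guards `auth.werts.us`/`auth.strudelline.net` also runs with no `securityContext`, no `resources`, and an image pinned by mutable tag rather than digest. Add a readiness probe on `/ready` (the default `--ready-path`, present in this release as far as I can tell), drop capabilities, run non-root with a read-only root filesystem, and set limits; `terminationGracePeriodSeconds: 2` is also short enough to cut in-flight callbacks during rollouts, 10–15s is the usual value. Since the config file is mounted from a Secret with `subPath`, note in a comment that Kubernetes will not hot-reload it and a rotation needs a rollout.

```yaml
      # … unchanged: args, image, imagePullPolicy, livenessProbe …
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        capabilities:
          drop: ["ALL"]
      readinessProbe:
        httpGet:
          path: /ready
          port: http
        periodSeconds: 5
      resources:
        requests: {cpu: 50m, memory: 64Mi}
        limits: {memory: 128Mi}
      # … unchanged: name, ports, volumeMounts …
```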
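Review bot: Ignoring `*.tfstate` is necessary but not sufficient here: every `output` in this directory is marked `sensitive` because the module exports the client secrets, so the state file holds them in clear and has to live in an encrypted remote backend rather than merely being kept out of git. Add `.terraform/` and `*.tfvars` as well, since provider caches and variable files (Keycloak admin credentials, Vault tokens) are the other usual leak paths, e.g. `.terraform/`, `*.tfvars`, `crash.log`.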
--- /dev/null
+++ b/keycloak/tf/appwrite-cloud.tf
@@ -0,0 +1,15 @@
+module "werts_appwrite_cloud_oidc_client" {
+ source = "./oidc-client"
+
+ realm_id = keycloak_realm.werts.id
+ client_id = "appwrite_cloud"
+ keepers = { epoch = 1 }
+ redirect_uris = ["https://cloud.appwrite.io/v1/account/sessions/oauth2/callback/oidc/6514da21c115f4a89bcd"]
+
+ vault_secret_name = "k8s-ns/appwrite_cloud/werts-oidc"
+}
+
+output "appwrite_cloud_client_id" {
+ value = module.werts_appwrite_cloud_oidc_client
+ sensitive = true
+}
diff --git a/keycloak/tf/client-budibase.tf b/keycloak/tf/client-budibase.tf
new file mode 100644
index 0000000..f6a17ae
--- /dev/null
+++ b/keycloak/tf/client-budibase.tf
@@ -0,0 +1,15 @@
+module "werts_budibase_oidc_client" {
+ source = "./oidc-client"
+
+ realm_id = keycloak_realm.werts.id
+ client_id = "budibase"
+ keepers = { epoch = 1 }
+ redirect_uris = ["https://bb.strudelline.net/api/global/auth/oidc/callback"]
+
+ vault_secret_name = "k8s-ns/budibase/werts-oidc"
+}
+
+output "budibase_client_id" {
+ value = module.werts_budibase_oidc_client
+ sensitive = true
+}
diff --git a/keycloak/tf/client-concourse.tf b/keycloak/tf/client-concourse.tf
new file mode 100644
index 0000000..8d7ad70
--- /dev/null
+++ b/keycloak/tf/client-concourse.tf
@@ -0,0 +1,13 @@
+module "werts_concourse_oidc_client" {
+ source = "./oidc-client"
+
+ realm_id = keycloak_realm.werts.id
+ client_id = "concourse"
+ keepers = { epoch = 1 }
+ redirect_uris = ["https://cc.strudelline.net/*"]
+}
+
+output "concourse_client_id" {
+ value = module.werts_concourse_oidc_client
+ sensitive = true
+}
diff --git a/keycloak/tf/client-debugger.tf b/keycloak/tf/client-debugger.tf
new file mode 100644
index 0000000..7988a03
--- /dev/null
+++ b/keycloak/tf/client-debugger.tf
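Review bot: `keepers = { epoch = 1 }` is repeated in every client module with no explanation of what bumping it does; presumably it feeds a `random_password` keeper inside `./oidc-client` so that changing the number rotates the client secret, but that contract lives in a module this diff does not show. Add a comment on this first use so the rotation procedure is discoverable, e.g. `# bump epoch to force a new client secret (random keeper in ./oidc-client); the new value is written to vault_secret_name`, and confirm the wording against the module. Note also that the output named `appwrite_cloud_client_id` exports the whole module object, secret included, so the name under-describes what `terraform output` reveals.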
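Review bot: `redirect_uris = ["https://cc.strudelline.net/*"]` registers a wildcard, so Keycloak will deliver the authorization code to any path on that host, and any open redirect or reflected-parameter page on the Concourse host then becomes a code-capture primitive for this client. Concourse's OIDC callback is fixed at `/sky/issuer/callback`, so the exact value can be used: `redirect_uris = ["https://cc.strudelline.net/sky/issuer/callback"]`. The same wildcard pattern recurs in the debugger and harbor clients in this diff.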
@@ -0,0 +1,13 @@
+module "werts_debugger_oidc_client" {
+ source = "./oidc-client"
+
+ realm_id = keycloak_realm.werts.id
+ client_id = "debugger"
+ keepers = { epoch = 1 }
+ redirect_uris = ["https://debug.werts.us/*"]
+}
+
+output "debugger_client_id" {
+ value = module.werts_debugger_oidc_client
+ sensitive = true
+}
diff --git a/keycloak/tf/client-frigate.tf b/keycloak/tf/client-frigate.tf
new file mode 100644
index 0000000..4c8ae87
--- /dev/null
+++ b/keycloak/tf/client-frigate.tf
@@ -0,0 +1,16 @@
+module "client_frigate" {
+ source = "./oidc-client"
+
+ realm_id = keycloak_realm.werts.id
+ client_id = "frigate"
+ keepers = { epoch = 1 }
+ redirect_uris = ["https://frigate.strudelline.net/oauth2/callback"]
+
+ kubernetes_secret_name = "oidc-client"
+ kubernetes_secret_namespace = "frigate"
+}
+
+output "frigate_client_id" {
+ value = module.client_frigate
+ sensitive = true
+}
diff --git a/keycloak/tf/client-gitea.tf b/keycloak/tf/client-gitea.tf
new file mode 100644
index 0000000..b39f35d
--- /dev/null
+++ b/keycloak/tf/client-gitea.tf
@@ -0,0 +1,13 @@
+module "client_gitea" {
+ source = "./oidc-client"
+
+ realm_id = keycloak_realm.werts.id
+ client_id = "gitea"
+ keepers = { epoch = 1 }
+ redirect_uris = ["https://git.strudelline.net/user/oauth2/werts/callback"]
+}
+
+output "gitea_client_id" {
+ value = module.client_gitea
+ sensitive = true
+}
diff --git a/keycloak/tf/client-grafana.tf b/keycloak/tf/client-grafana.tf
new file mode 100644
index 0000000..1128c17
--- /dev/null
+++ b/keycloak/tf/client-grafana.tf
@@ -0,0 +1,13 @@
+module "client_grafana" {
+ source = "./oidc-client"
+
+ realm_id = keycloak_realm.werts.id
+ client_id = "grafana"
+ keepers = { epoch = 1 }
+ redirect_uris = ["https://grafana.strudelline.net/login/generic_oauth"]
+}
+
+output "grafana_client_id" {
+ value = module.client_grafana
+ sensitive = true
+}
diff --git a/keycloak/tf/client-grist.tf b/keycloak/tf/client-grist.tf
new file mode 100644
index 0000000..ea0724e
--- /dev/null
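Review bot: `https://debug.werts.us/*` is a wildcard redirect URI, and for a client literally named `debugger` that host is the most likely place for an echo or reflected-parameter page to exist, which is exactly what turns a wildcard into authorization-code theft. Pin it to the tool's real callback path; if the tool genuinely has no fixed callback, say so in a comment and keep the client disabled when not in use (`enabled = false`, if the module exposes that). With no `vault_secret_name` or `kubernetes_secret_name`, the secret for this client is only retrievable from state via the sensitive output, which is worth a comment too.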
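Review bot: This client sets neither `vault_secret_name` nor `kubernetes_secret_name`, so the client secret reaches Gitea only through the `sensitive` output, i.e. someone reads it out of state and pastes it into the Gitea auth-source UI by hand, and a `keepers` bump will then break the login until that manual step is repeated. The module already supports the Kubernetes path (used by the frigate and longhorn clients), so write it next to the consumer: `kubernetes_secret_name = "oidc-client"` and `kubernetes_secret_namespace = "gitea"`, with a comment noting that the Gitea OAuth2 source still has to be created from it (the gitea ConfigMap in this diff does not reference any OIDC secret). The callback `/user/oauth2/werts/callback` also implies the Gitea authentication source must be named exactly `werts`; a one-line comment stating that would save the next person a failed login.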
+++ b/keycloak/tf/client-grist.tf
@@ -0,0 +1,15 @@
+module "werts_grist_oidc_client" {
+ source = "./oidc-client"
+
+ realm_id = keycloak_realm.werts.id
+ client_id = "grist"
+ keepers = { epoch = 1 }
+ redirect_uris = ["https://grist.strudelline.net/oauth2/callback"]
+
+ vault_secret_name = "k8s-ns/grist/werts-oidc"
+}
+
+output "grist_client_id" {
+ value = module.werts_grist_oidc_client
+ sensitive = true
+}
diff --git a/keycloak/tf/client-harbor.tf b/keycloak/tf/client-harbor.tf
new file mode 100644
index 0000000..f07f5ef
--- /dev/null
+++ b/keycloak/tf/client-harbor.tf
@@ -0,0 +1,16 @@
+module "werts_harbor_oidc_client" {
+ source = "./oidc-client"
+
+ realm_id = keycloak_realm.werts.id
+ client_id = "harbor"
+ keepers = { epoch = 1 }
+ # vvvvvvvvvvvvvvv REMEMBER TO CHANGE THE REDIRECT vvvvvvvvvvvvvvv
+ redirect_uris = ["https://harbor.strudelline.net/*"]
+
+ kubernetes_secret_name = "oidc-client"
+}
+
+output "harbor_client_id" {
+ value = module.werts_harbor_oidc_client
+ sensitive = true
+}
diff --git a/keycloak/tf/client-jenkins.tf b/keycloak/tf/client-jenkins.tf
new file mode 100644
index 0000000..8eca123
--- /dev/null
+++ b/keycloak/tf/client-jenkins.tf
@@ -0,0 +1,13 @@
+module "client_jenkins" {
+ source = "./oidc-client"
+
+ realm_id = keycloak_realm.werts.id
+ client_id = "jenkins"
+ keepers = { epoch = 1 }
+ redirect_uris = ["https://jenkins.strudelline.net/securityRealm/finishLogin"]
+}
+
+output "jenkins_client_id" {
+ value = module.client_jenkins
+ sensitive = true
+}
diff --git a/keycloak/tf/client-longhorn.tf b/keycloak/tf/client-longhorn.tf
new file mode 100644
index 0000000..6b683b3
--- /dev/null
+++ b/keycloak/tf/client-longhorn.tf
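Review bot: `redirect_uris = ["https://harbor.strudelline.net/*"]` is a wildcard and the `REMEMBER TO CHANGE THE REDIRECT` banner shows it was meant to be temporary; Harbor's OIDC callback is fixed at `/c/oidc/callback`, so set `redirect_uris = ["https://harbor.strudelline.net/c/oidc/callback"]` and delete the reminder so it cannot ship as-is again. Unlike the frigate, longhorn and tubesync clients, `kubernetes_secret_name = "oidc-client"` is given without `kubernetes_secret_namespace`, so the secret lands in whatever namespace the module defaults to (not visible here) rather than Harbor's; add `kubernetes_secret_namespace = "harbor"` (or the namespace the Harbor release actually uses).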
@@ -0,0 +1,16 @@
+module "client_longhorn" {
+ source = "./oidc-client"
+
+ realm_id = keycloak_realm.werts.id
+ client_id = "longhorn"
+ keepers = { epoch = 1 }
+ redirect_uris = ["https://longhorn.strudelline.net/oauth2/callback"]
+
+ kubernetes_secret_name = "oidc-client"
+ kubernetes_secret_namespace = "longhorn-system"
+}
+
+output "longhorn" {
+ value = module.client_longhorn
+ sensitive = true
+}
diff --git a/keycloak/tf/client-mastodon.tf b/keycloak/tf/client-mastodon.tf
new file mode 100644
index 0000000..208108f
--- /dev/null
+++ b/keycloak/tf/client-mastodon.tf
@@ -0,0 +1,15 @@
+module "werts_mastodon_oidc_client" {
+ source = "./oidc-client"
+
+ realm_id = keycloak_realm.werts.id
+ client_id = "mastodon"
+ keepers = { epoch = 1 }
+ redirect_uris = ["https://mastodon.werts.us/auth/auth/openid_connect/callback"]
+
+ vault_secret_name = "k8s-ns/mastodon/werts-oidc"
+}
+
+output "mastodon_client_id" {
+ value = module.werts_mastodon_oidc_client
+ sensitive = true
+}
diff --git a/keycloak/tf/client-matrix.tf b/keycloak/tf/client-matrix.tf
new file mode 100644
index 0000000..35fc870
--- /dev/null
+++ b/keycloak/tf/client-matrix.tf
@@ -0,0 +1,18 @@
+module "werts_matrix_oidc_client" {
+ source = "./oidc-client"
+
+ realm_id = keycloak_realm.werts.id
+ client_id = "matrix"
+ keepers = { epoch = 1 }
+ redirect_uris = ["https://chat.werts.us/_synapse/client/oidc/callback"]
+
+ vault_secret_name = "k8s-ns/synapse/werts-oidc"
+
+ backchannel_logout_url = "https://chat.werts.us/_synapse/client/oidc/backchannel_logout"
+ backchannel_logout_session_required = true
+}
+
+output "matrix_client_id" {
+ value = module.werts_matrix_oidc_client
+ sensitive = true
+}
diff --git a/keycloak/tf/client-minio.tf b/keycloak/tf/client-minio.tf
new file mode 100644
index 0000000..aa6f220
--- /dev/null
+++ b/keycloak/tf/client-minio.tf
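Review bot: The output is named `longhorn` while the sibling files use `<client>_client_id` (and tubearchivist/tubesync introduce yet another bare form), and since these outputs are what an operator will `terraform output -json` to retrieve a secret, the inconsistency makes any script against them fragile. Rename to `output "longhorn_client_id"`, or better give every output a name that says what it actually exports, because each one returns the whole module object including the secret rather than just the client id. The `/oauth2/callback` path suggests an oauth2-proxy in front of the Longhorn UI, which has no authentication of its own; if so, make sure that proxy restricts by group or email domain, since otherwise any valid Keycloak login becomes a storage administrator.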
@@ -0,0 +1,15 @@
+module "werts_minio_oidc_client" {
+ source = "./oidc-client"
+
+ realm_id = keycloak_realm.werts.id
+ client_id = "minio"
+ keepers = { epoch = 1 }
+ redirect_uris = ["https://minio-admin.strudelline.net/oauth_callback"]
+
+ vault_secret_name = "noctowl-docker-services/minio/werts-oidc"
+}
+
+output "minio_client_id" {
+ value = module.werts_minio_oidc_client
+ sensitive = true
+}
diff --git a/keycloak/tf/client-nodered1.tf b/keycloak/tf/client-nodered1.tf
new file mode 100644
index 0000000..2f84ecf
--- /dev/null
+++ b/keycloak/tf/client-nodered1.tf
@@ -0,0 +1,10 @@
+module "werts_nodered1_oidc_client" {
+ source = "./oidc-client"
+
+ realm_id = keycloak_realm.werts.id
+ client_id = "node-red-1"
+ keepers = { epoch = 1 }
+ redirect_uris = ["https://red-1.werts.us/oauth2/callback"]
+
+ vault_secret_name = "k8s-ns/node-red/node-red-1-werts-oidc"
+}
diff --git a/keycloak/tf/client-oauth-proxy.tf b/keycloak/tf/client-oauth-proxy.tf
new file mode 100644
index 0000000..6a147cc
--- /dev/null
+++ b/keycloak/tf/client-oauth-proxy.tf
@@ -0,0 +1,19 @@
+module "werts_oauth_proxy_oidc_client" {
+ source = "./oidc-client"
+
+ realm_id = keycloak_realm.werts.id
+ client_id = "oauthproxy"
+ keepers = { epoch = 1 }
+ redirect_uris = [
+ "https://auth.werts.us/oauth2/callback",
+ "https://auth.strudelline.net/oauth2/callback",
+ ]
+
+ kubernetes_secret_name = "oidc-client"
+ kubernetes_secret_namespace = "keycloak"
+}
+
+output "oauth_proxy_client_id" {
+ value = module.werts_oauth_proxy_oidc_client
+ sensitive = true
+}
diff --git a/keycloak/tf/client-peertube.tf b/keycloak/tf/client-peertube.tf
new file mode 100644
index 0000000..0bc8c9e
--- /dev/null
+++ b/keycloak/tf/client-peertube.tf
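Review bot: The secret this module writes is `oidc-client` in namespace `keycloak`, but the oauth2-proxy Deployment added in this same diff mounts `oauth2-proxy-oidc-secret` (key `oauth2-proxy.cfg`), so the Terraform-managed secret is not what the proxy reads; the client secret has to be copied by hand into the cfg, and a `keepers` bump will rotate Keycloak's side without touching the proxy, locking everyone out of both `auth.*` hosts. Either have the Deployment consume `oidc-client` through `env`/`envFrom` (`OAUTH2_PROXY_CLIENT_ID`, `OAUTH2_PROXY_CLIENT_SECRET`) and keep only non-secret settings in the cfg, or point `kubernetes_secret_name` at the secret the Deployment actually mounts and document the key layout the module produces. A comment here stating which of the two is the source of truth would stop the next rotation from repeating the mismatch.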
@@ -0,0 +1,15 @@
+module "werts_peertube_oidc_client" {
+ source = "./oidc-client"
+
+ realm_id = keycloak_realm.werts.id
+ client_id = "peertube"
+ keepers = { epoch = 1 }
+ redirect_uris = ["https://tube.werts.us/plugins/auth-openid-connect/router/code-cb"]
+
+ vault_secret_name = "k8s-ns/peertube/werts-oidc"
+}
+
+output "peertube_client_id" {
+ value = module.werts_peertube_oidc_client
+ sensitive = true
+}
diff --git a/keycloak/tf/client-pleroma.tf b/keycloak/tf/client-pleroma.tf
new file mode 100644
index 0000000..c164cc6
--- /dev/null
+++ b/keycloak/tf/client-pleroma.tf
@@ -0,0 +1,15 @@
+module "werts_pleroma_oidc_client" {
+ source = "./oidc-client"
+
+ realm_id = keycloak_realm.werts.id
+ client_id = "pleroma"
+ keepers = { epoch = 1 }
+ redirect_uris = ["http://toots.werts.us/oauth/keycloak/callback"]
+
+ #vault_secret_name = "k8s-ns/pleroma/werts-oidc"
+}
+
+output "pleroma_client_id" {
+ value = module.werts_pleroma_oidc_client
+ sensitive = true
+}
diff --git a/keycloak/tf/client-tubearchivist.tf b/keycloak/tf/client-tubearchivist.tf
new file mode 100644
index 0000000..2aae739
--- /dev/null
+++ b/keycloak/tf/client-tubearchivist.tf
@@ -0,0 +1,16 @@
+module "client_tubearchivist" {
+ source = "./oidc-client"
+
+ realm_id = keycloak_realm.werts.id
+ client_id = "tubearchivist"
+ keepers = { epoch = 1 }
+ redirect_uris = ["https://tubearchivist.strudelline.net/oauth2/callback"]
+
+ kubernetes_secret_name = "oidc-client"
+ kubernetes_secret_namespace = "tubearchivist"
+}
+
+output "tubearchivist" {
+ value = module.client_tubearchivist
+ sensitive = true
+}
diff --git a/keycloak/tf/client-tubesync.tf b/keycloak/tf/client-tubesync.tf
new file mode 100644
index 0000000..5cb2777
--- /dev/null
+++ b/keycloak/tf/client-tubesync.tf
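Review bot: `redirect_uris = ["http://toots.werts.us/oauth/keycloak/callback"]` is plain `http`, so the authorization code is handed to Pleroma over cleartext where anyone on the path can read it, and Keycloak will happily redirect the browser from its HTTPS login page to that URL. Use `https://toots.werts.us/oauth/keycloak/callback`; every other client in this set is already `https`. The commented-out `#vault_secret_name` also leaves the secret reachable only through the sensitive output; if that is deliberate because Pleroma is decommissioned or managed elsewhere, state it in the comment rather than leaving a dangling `#` line.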
@@ -0,0 +1,16 @@
+module "client_tubesync" {
+ source = "./oidc-client"
+
+ realm_id = keycloak_realm.werts.id
+ client_id = "tubesync"
+ keepers = { epoch = 1 }
+ redirect_uris = ["https://tubesync.strudelline.net/oauth2/callback"]
+
+ kubernetes_secret_name = "oidc-client"
+ kubernetes_secret_namespace = "tubesync"
+}
+
+output "tubesync" {
+ value = module.client_tubesync
+ sensitive = true
+}
diff --git a/keycloak/tf/client-windmill-k8s.tf b/keycloak/tf/client-windmill-k8s.tf
new file mode 100644
index 0000000..27e3bc3
--- /dev/null
+++ b/keycloak/tf/client-windmill-k8s.tf
@@ -0,0 +1,14 @@
+module "k8s_windmill_oidc_client" {
+ source = "./oidc-client"
+
+ realm_id = keycloak_realm.werts.id
+ client_id = "k8s-windmill"
+ keepers = { epoch = 1 }
+ # vvvvvvvvvvvvvvv REMEMBER TO CHANGE THE REDIRECT vvvvvvvvvvvvvvv
+ redirect_uris = ["https://windmill.strudelline.net/user/login_callback/keycloak"]
+}
+
+output "k8s_windmill_client_id" {
+ value = module.k8s_windmill_oidc_client
+ sensitive = true
+}
diff --git a/keycloak/tf/client-windmill.tf b/keycloak/tf/client-windmill.tf
new file mode 100644
index 0000000..c739eb8
--- /dev/null
+++ b/keycloak/tf/client-windmill.tf
@@ -0,0 +1,16 @@
+module "werts_windmill_oidc_client" {
+ source = "./oidc-client"
+
+ realm_id = keycloak_realm.werts.id
+ client_id = "windmill"
+ keepers = { epoch = 1 }
+ # vvvvvvvvvvvvvvv REMEMBER TO CHANGE THE REDIRECT vvvvvvvvvvvvvvv
+ redirect_uris = ["https://windmill.strudelline.net/user/login_callback/keycloak_werts"]
+
+ vault_secret_name = "k8s-ns/windmill/werts-oidc"
+}
+
+output "windmill_client_id" {
+ value = module.werts_windmill_oidc_client
+ sensitive = true
+}
diff --git a/keycloak/tf/main.tf b/keycloak/tf/main.tf
new file mode 100644
index 0000000..3010272
--- /dev/null
+++ b/keycloak/tf/main.tf
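Review bot: The `REMEMBER TO CHANGE THE REDIRECT` banner is stale here: unlike the harbor file, `redirect_uris` already names an exact Windmill callback (`/user/login_callback/keycloak`), so the reminder now only teaches readers to ignore it. Delete the comment in both windmill files, or replace it with what is actually still pending, e.g. `# the "keycloak" suffix must match the SSO provider name configured in Windmill`. Both `k8s-windmill` and `windmill` redirect to the same host with different suffixes (`keycloak` vs `keycloak_werts`), which looks like two SSO providers on one instance; a one-line comment on which is which would help, and this `k8s-windmill` client also has no `vault_secret_name`/`kubernetes_secret_name`, so its secret is only available from state.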
@@ -0,0 +1,8 @@
+#resource "keycloak_realm" "master" {
+# realm = "master"
+# enabled = true
+#
+# default_signature_algorithm = "RS256"
+# display_name = "Keycloak"
+# display_name_html = "