diff --git a/inventories/vagrant/host_vars/backend/authentik.yml b/inventories/vagrant/host_vars/backend/authentik.yml index bff6b13..915ae5a 100644 --- a/inventories/vagrant/host_vars/backend/authentik.yml +++ b/inventories/vagrant/host_vars/backend/authentik.yml @@ -25,11 +25,24 @@ authentik_proxy_outposts: authentik_host_browser: "https://authentik.local.test/" log_level: "info" +authentik_ldap_apps: +- slug: ldap + name: LDAP + base_dn: "dc=local,dc=test" + search_group: admins + +authentik_ldap_outpost: + name: "ldap-outpost" + token: "vagrant-ldap-outpost-token-change-in-production" + config: + authentik_host: "https://authentik.local.test/" + log_level: "info" + authentik_oidc_apps: - slug: nextcloud name: Nextcloud - client_id_env: NEXTCLOUD_OIDC_CLIENT_ID - client_secret_env: NEXTCLOUD_OIDC_CLIENT_SECRET + client_id: test1234 + client_secret: test1234 redirect_uris: - url: "https://nextcloud.local.test/apps/user_oidc/code" matching_mode: strict @@ -38,14 +51,24 @@ authentik_oidc_apps: authorization_slug: default-provider-authorization-implicit-consent invalidation_slug: default-provider-invalidation-flow scopes: [openid, email, profile, offline_access] + - slug: opencloud + name: OpenCloud + client_type: public + client_id: opencloud + redirect_uris: + - url: "https://opencloud.local.test/oidc-callback.html" + matching_mode: strict + - url: "https://opencloud.local.test/" + matching_mode: strict + scopes: [openid, email, profile, offline_access] authentik_entra_sources: - slug: entra-id name: "Login with Entra" tenant_mode: multi # Use 'single' with real tenant ID in production - # tenant_id_env: ENTRA_TENANT_ID # Not needed for multi-tenant mode - client_id_env: ENTRA_CLIENT_ID - client_secret_env: ENTRA_CLIENT_SECRET + # tenant_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" # Not needed for multi-tenant mode + client_id: "placeholder-change-in-production" + client_secret: "placeholder-change-in-production" scopes: - openid - profile 
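Review bot: `authentik_ldap_apps` is written as a flush sequence (`- slug: ldap` at column 0) while the neighbouring lists in this file (`authentik_oidc_apps`, `authentik_entra_sources`) indent their items by two spaces; yamllint's `indentation` check flags a file that mixes both, so I would indent the new block to match (`  - slug: ldap` with its children two spaces further in). The outpost `token` and the Nextcloud `client_secret` are now literal values in the inventory, which is fine for the Vagrant environment, but a comment on `authentik_ldap_outpost.token` would make the `change-in-production` intent explicit, e.g. `# Vagrant-only value; regenerate and keep in ansible-vault for any other inventory`.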
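Review bot: The new `opencloud` provider is declared `client_type: public` with no `client_secret`, yet opencloud.yml (context lines in a later hunk of this commit) still sets `opencloud_oidc_client_secret: "opencloud-secret-change-in-production"`; a public client never has its secret checked, so that variable is dead and its `change-in-production` wording is misleading. Either make this provider confidential and carry the matching secret here, or drop the secret on the OpenCloud side so nobody assumes it is enforced. With a public client the only things binding the authorization code to the caller are PKCE and the two `matching_mode: strict` redirect URIs, which is presumably why both entries are exact; confirm the OpenCloud web client actually sends PKCE, since that is not visible in this inventory.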
@@ -54,16 +77,15 @@ authentik_entra_sources: authentik_login_sources: - slug: entra-id +authentik_groups: + - name: admins + authentik_local_users: - username: akadmin name: "Authentik Admin" email: "admin@local.test" - password_env: AKADMIN_PASSWORD + password: "admin" is_active: true groups: - authentik Admins - -authentik_blueprint_env: - AKADMIN_PASSWORD: "admin" - NEXTCLOUD_OIDC_CLIENT_ID: test1234 - NEXTCLOUD_OIDC_CLIENT_SECRET: test1234 \ No newline at end of file + - admins \ No newline at end of file diff --git a/inventories/vagrant/host_vars/backend/nextcloud.yml b/inventories/vagrant/host_vars/backend/nextcloud.yml index e4a81e3..2da636f 100644 --- a/inventories/vagrant/host_vars/backend/nextcloud.yml +++ b/inventories/vagrant/host_vars/backend/nextcloud.yml 
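Review bot: The new side still ends without a trailing newline (`- admins` directly at EOF, per the `\ No newline at end of file` marker); since the last line is rewritten anyway, add the newline. With `authentik_blueprint_env` removed and `password_env` replaced by `password: "admin"`, this inventory now holds the admin password and the OIDC client secret directly, which is acceptable for Vagrant but removes the only indirection that kept secrets out of inventory files. If the role no longer supports the `*_env` keys (cannot tell from this diff), a comment above `authentik_local_users`, e.g. `# Vagrant-only literals; other inventories must keep password/client_secret values in ansible-vault`, would prevent these values being copied into production host_vars.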
@@ -30,34 +30,38 @@ nextcloud_s3_ssl: false nextcloud_s3_usepath_style: true # Extra hosts for container DNS resolution (Vagrant only) +nextcloud_extra_networks: + - ldap + nextcloud_extra_hosts: - "storage.local.test:192.168.56.11" - "keycloak.local.test:192.168.56.11" - "authentik.local.test:192.168.56.11" - - "389ds:192.168.56.11" + # - "389ds:192.168.56.11" # only needed when using 389ds LDAP directly -# LDAP backend (pre-create users synced from Keycloak via 389ds) +# LDAP backend (Authentik LDAP outpost) nextcloud_ldap_enabled: true nextcloud_ldap_config: - ldapHost: "ldaps://389ds" - ldapPort: "3636" - ldapAgentName: "cn=Directory Manager" + ldapHost: "ldap://authentik-outpost-ldap-ldap-1" + ldapPort: "3389" + ldapAgentName: "cn=akadmin,ou=users,dc=local,dc=test" ldapAgentPassword: "admin" ldapBase: "dc=local,dc=test" ldapBaseUsers: "ou=users,dc=local,dc=test" ldapTLS: "0" turnOffCertCheck: "1" - ldapUserFilter: "(&(objectclass=inetOrgPerson)(uid=*))" - ldapUserFilterObjectclass: "inetOrgPerson" - ldapLoginFilter: "(&(objectclass=inetOrgPerson)(uid=%uid))" + ldapUserFilter: "(&(objectClass=user)(cn=*))" + ldapUserFilterObjectclass: "user" + ldapLoginFilter: "(&(objectClass=user)(cn=%uid))" ldapLoginFilterUsername: "1" - ldapUserDisplayName: "displayName" + ldapUserDisplayName: "cn" ldapEmailAttribute: "mail" - ldapExpertUsernameAttr: "uid" - ldapExpertUUIDUserAttr: "nsuniqueid" + ldapExpertUsernameAttr: "cn" + ldapExpertUUIDUserAttr: "uid" + ldapExpertUUIDGroupAttr: "uid" ldapBaseGroups: "ou=groups,dc=local,dc=test" - ldapGroupFilter: "(&(objectClass=groupOfNames))" - ldapGroupFilterObjectclass: "groupOfNames" + ldapGroupFilter: "(&(objectClass=group))" + ldapGroupFilterObjectclass: "group" ldapGroupDisplayName: "cn" ldapGroupMemberAssocAttr: "member" ldapAdminGroup: "admins" 
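Review bot: The Nextcloud LDAP bind now uses the Authentik superuser (`ldapAgentName: "cn=akadmin,ou=users,dc=local,dc=test"` with its password) over plaintext `ldap://…:3389` with `ldapTLS: "0"`, replacing the previous `ldaps://` bind; the same pair appears in opencloud.yml (`opencloud_ldap_uri` / `opencloud_ldap_bind_dn` in this commit). A dedicated bind user that is only a member of the `admins` search group declared in authentik.yml would keep the IdP superuser credentials out of two application configs, and the outpost also serves LDAPS on port 6636 when a certificate is attached to it, so the bind need not be cleartext even on the internal `ldap` network. `ldapHost` points at what looks like a Compose-generated container name (`authentik-outpost-ldap-ldap-1`); if the role lets you set a service name or network alias, that is more stable than the project-prefixed name. The commented-out `# - "389ds:192.168.56.11"` here and the 28-line commented `nextcloud_ldap_config` in the next hunk are dead configuration that git history already preserves; I would remove them or move them to an example file.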
@@ -65,6 +69,34 @@ nextcloud_ldap_config: ldapPagingSize: "500" ldapExperiencedAdmin: "1" ldapConfigurationActive: "1" +# LDAP backend (389ds via Keycloak federation) +# nextcloud_ldap_config: +# ldapHost: "ldaps://389ds" +# ldapPort: "3636" +# ldapAgentName: "cn=Directory Manager" +# ldapAgentPassword: "admin" +# ldapBase: "dc=local,dc=test" +# ldapBaseUsers: "ou=users,dc=local,dc=test" +# ldapTLS: "0" +# turnOffCertCheck: "1" +# ldapUserFilter: "(&(objectclass=inetOrgPerson)(uid=*))" +# ldapUserFilterObjectclass: "inetOrgPerson" +# ldapLoginFilter: "(&(objectclass=inetOrgPerson)(uid=%uid))" +# ldapLoginFilterUsername: "1" +# ldapUserDisplayName: "displayName" +# ldapEmailAttribute: "mail" +# ldapExpertUsernameAttr: "uid" +# ldapExpertUUIDUserAttr: "nsuniqueid" +# ldapBaseGroups: "ou=groups,dc=local,dc=test" +# ldapGroupFilter: "(&(objectClass=groupOfNames))" +# ldapGroupFilterObjectclass: "groupOfNames" +# ldapGroupDisplayName: "cn" +# ldapGroupMemberAssocAttr: "member" +# ldapAdminGroup: "admins" +# ldapCacheTTL: "600" +# ldapPagingSize: "500" +# ldapExperiencedAdmin: "1" +# ldapConfigurationActive: "1" # OIDC providers for login nextcloud_oidc_providers: diff --git a/inventories/vagrant/host_vars/backend/opencloud.yml b/inventories/vagrant/host_vars/backend/opencloud.yml index f8fcc79..4288f67 100644 --- a/inventories/vagrant/host_vars/backend/opencloud.yml +++ b/inventories/vagrant/host_vars/backend/opencloud.yml 
@@ -1,19 +1,20 @@ opencloud_domain: "opencloud.local.test" opencloud_admin_password: "admin" +opencloud_extra_networks: + - ldap opencloud_extra_hosts: - "opencloud.local.test:host-gateway" - - "keycloak.local.test:host-gateway" + - "authentik.local.test:192.168.56.11" - "storage.local.test:192.168.56.11" - "office.local.test:host-gateway" - "drawio.local.test:host-gateway" - - "389ds:192.168.56.11" -# OIDC configuration (Keycloak) -opencloud_oidc_issuer: "https://keycloak.local.test/realms/vagrant" +# OIDC configuration (Authentik) +opencloud_oidc_issuer: "https://authentik.local.test/application/o/opencloud/" opencloud_oidc_client_id: "opencloud" opencloud_oidc_client_secret: "opencloud-secret-change-in-production" -opencloud_oidc_account_edit_url: "https://keycloak.local.test/realms/vagrant/account" -opencloud_oidc_autoprovision_accounts: false +opencloud_oidc_account_edit_url: "https://authentik.local.test/if/user/#/settings" +opencloud_oidc_autoprovision_accounts: true # S3 storage configuration using Garage opencloud_use_s3_storage: true 
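Review bot: `opencloud_oidc_autoprovision_accounts` flips from `false` to `true` while the user backend in this same file becomes the Authentik LDAP outpost; if autoprovisioning still works as in the oCIS lineage (the account is created in the LDAP backend, which needs a writable directory), the read-only outpost will reject it and first logins of users not already in Authentik will fail, or the flag is a no-op. Confirm which before relying on it, and state the intent in a comment, e.g. `# users are created in Authentik; OIDC login only links them to the LDAP entry`, if it is the latter. The `opencloud_extra_hosts` list now mixes a literal `192.168.56.11` for authentik with `host-gateway` for the other local names; if both resolve to the same host in Vagrant, a comment saying why authentik is pinned would help the next reader.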
@@ -26,12 +27,18 @@ opencloud_s3_bucket: "opencloud" opencloud_collabora_domain: "office.local.test" opencloud_wopi_domain: "wopi.opencloud.local.test" -# LDAP backend (users synced from Keycloak via 389ds) -opencloud_ldap_uri: "ldaps://389ds:3636" -opencloud_ldap_bind_dn: "cn=Directory Manager" +# LDAP backend (Authentik LDAP outpost) +opencloud_ldap_uri: "ldap://authentik-outpost-ldap-ldap-1:3389" +opencloud_ldap_bind_dn: "cn=akadmin,ou=users,dc=local,dc=test" opencloud_ldap_bind_password: "admin" opencloud_ldap_user_base_dn: "ou=users,dc=local,dc=test" opencloud_ldap_group_base_dn: "ou=groups,dc=local,dc=test" +opencloud_ldap_user_schema_id: "uid" +opencloud_ldap_user_schema_id_is_octet_string: false +opencloud_ldap_user_schema_username: "cn" +opencloud_ldap_user_schema_display_name: "cn" +opencloud_ldap_group_schema_id: "uid" +opencloud_ldap_group_schema_id_is_octet_string: false # Draw.io integration opencloud_drawio_url: "https://drawio.local.test" @@ -48,6 +55,6 @@ opencloud_role_mapping: # CSP configuration opencloud_csp_extra_connect_src: - - "https://keycloak.local.test/" + - "https://authentik.local.test/" opencloud_csp_extra_frame_src: - "https://drawio.local.test/" \ No newline at end of file diff --git a/inventories/vagrant/hosts.yml b/inventories/vagrant/hosts.yml index 5dcd0c6..68c5f62 100644 --- a/inventories/vagrant/hosts.yml +++ b/inventories/vagrant/hosts.yml @@ -57,6 +57,10 @@ all: hosts: backend: + authentik_outpost_ldap_servers: + hosts: + backend: + garage_servers: hosts: backend: diff --git a/playbooks/site.yml b/playbooks/site.yml index 4e75791..db16227 100644 --- a/playbooks/site.yml +++ b/playbooks/site.yml 
@@ -41,18 +41,24 @@ roles: - digitalboard.core.collabora -- name: Deploy nextcloud service - hosts: nextcloud_servers - become: yes - roles: - - digitalboard.core.nextcloud - - name: Deploy authentik service hosts: authentik_servers become: yes roles: - digitalboard.core.authentik +- name: Deploy authentik LDAP outpost + hosts: authentik_outpost_ldap_servers + become: yes + roles: + - digitalboard.core.authentik_outpost_ldap + +- name: Deploy nextcloud service + hosts: nextcloud_servers + become: yes + roles: + - digitalboard.core.nextcloud + - name: Deploy drawio service hosts: drawio_servers become: yes
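Review bot: The play order now carries a dependency that nothing states: `Deploy authentik LDAP outpost` must run after `Deploy authentik service` (the outpost registers against it with the token from host_vars) and before `Deploy nextcloud service`, which is presumably why the nextcloud play moved down, since nextcloud.yml and opencloud.yml bind to the outpost container. A one-line comment above the new play, `# Requires authentik to be deployed first; the nextcloud/opencloud LDAP backends bind to this outpost`, would stop a later reorder from silently breaking it. The new plays use `become: yes`, matching the rest of the file, although ansible-lint's `yaml[truthy]` prefers `become: true`; if the file is ever converted, do all plays at once rather than mixing styles.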