diff --git a/docker-30/kanidm/readme.md b/docker-30/kanidm/readme.md
new file mode 100644
index 0000000..e0fea5f
--- /dev/null
+++ b/docker-30/kanidm/readme.md
@@ -0,0 +1,74 @@
+## add user to k8s group
+
+based on: https://blog.kammel.dev/post/k8s_home_lab_2025_06/
+
+```bash
+export GROUP_NAME=k8s_users
+kanidm group create ${GROUP_NAME}
+kanidm group add-members ${GROUP_NAME} novakj
+
+
+export OAUTH2_NAME=k8s
+kanidm system oauth2 create-public ${OAUTH2_NAME} ${OAUTH2_NAME} http://localhost:8000
+kanidm system oauth2 add-redirect-url ${OAUTH2_NAME} http://localhost:8000
+kanidm system oauth2 update-scope-map ${OAUTH2_NAME} ${GROUP_NAME} email openid profile groups
+kanidm system oauth2 enable-localhost-redirects ${OAUTH2_NAME}
+
+
+kubectl oidc-login setup \
+ --oidc-issuer-url=https://idm.home.hrajfrisbee.cz/oauth2/openid/k8s \
+ --oidc-client-id=k8s
+
+
+
+kubectl config set-credentials oidc \
+ --exec-api-version=client.authentication.k8s.io/v1 \
+ --exec-interactive-mode=Never \
+ --exec-command=kubectl \
+ --exec-arg=oidc-login \
+ --exec-arg=get-token \
+ --exec-arg="--oidc-issuer-url=https://idm.home.hrajfrisbee.cz/oauth2/openid/k8s" \
+ --exec-arg="--oidc-client-id=k8s"
+
+kubectl create clusterrolebinding oidc-cluster-admin \
+ --clusterrole=cluster-admin \
+ --user='https://idm.home.hrajfrisbee.cz/oauth2/openid/k8s#35842461-a1c4-4ad6-8b29-697c5ddbfe84'
+
+```
+## commands
+
+```bash
+# recover admin password
+# on the docker host
+docker exec -i -t kanidmd kanidmd recover-account admin
+docker exec -i -t kanidmd kanidmd recover-account idm_admin
+
+# kanidm mangement commands (could be run on any logged in client)
+kanidm person credential create-reset-token novakj
+kanidm person get novakj | grep memberof
+kanidm group get kanidm group get
+kanidm group get idm_all_accounts
+kanidm group get idm_all_persons
+kanidm group account-policy credential-type-minimum idm_all_accounts any
+kanidm person get novakj | grep memberof
+kanidm group get idm_people_self_name_write
+```
+
+
+
+```bash
+
+docker run -d --name=kanidmd --restart=always \
+ -p '8443:8443' \
+ -p '3636:3636' \
+ --volume /srv/docker/kanidm/data:/data \
+ docker.io/kanidm/server:latest
+
+docker run --rm -i -t -v --restart=always \
+ -p '8443:8443' \
+ -p '3636:3636' \
+ --volume /srv/docker/kanidm/data:/data \
+ docker.io/kanidm/server:latest \
+ kanidmd cert-generate
+
+```
\ No newline at end of file
diff --git a/docker-30/kanidm/server.toml b/docker-30/kanidm/server.toml
new file mode 100644
index 0000000..c4de357
--- /dev/null
+++ b/docker-30/kanidm/server.toml
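Review bot: The second `docker run` in the last code block cannot run as written: `-v` takes an argument, so it swallows `--restart=always` as a malformed volume spec, and Docker rejects `--rm` combined with `--restart`. For the one-shot `cert-generate` step the first line should be just `docker run --rm -i -t \`, with the existing `--volume /srv/docker/kanidm/data:/data \` line supplying the mount; the two `-p` publishes are not needed for a command that exits immediately. In the commands block, `kanidm group get kanidm group get` looks like a paste error and would presumably be rejected as extra arguments; it likely wanted a group name such as `kanidm group get k8s_users`. Consider also pinning `docker.io/kanidm/server:latest` to a specific version tag, since with `--restart=always` a floating tag can upgrade the identity server without anyone noticing.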
@@ -0,0 +1,136 @@
+# The server configuration file version.
+version = "2"
+
+# The webserver bind address. Requires TLS certificates.
+# If the port is set to 443 you may require the
+# NET_BIND_SERVICE capability. This accepts a single address
+# or an array of addresses to listen on.
+# Defaults to "127.0.0.1:8443"
+bindaddress = "0.0.0.0:8443"
+#
+# The read-only ldap server bind address. Requires
+# TLS certificates. If set to 636 you may require the
+# NET_BIND_SERVICE capability. This accepts a single address
+# or an array of addresses to listen on.
+# Defaults to "" (disabled)
+# ldapbindaddress = "0.0.0.0:3636"
+#
+# The path to the kanidm database.
+db_path = "/data/kanidm.db"
+#
+# If you have a known filesystem, kanidm can tune the
+# database page size to match. Valid choices are:
+# [zfs, other]
+# If you are unsure about this leave it as the default
+# (other). After changing this
+# value you must run a vacuum task.
+# - zfs:
+# * sets database pagesize to 64k. You must set
+# recordsize=64k on the zfs filesystem.
+# - other:
+# * sets database pagesize to 4k, matching most
+# filesystems block sizes.
+# db_fs_type = "zfs"
+#
+# The number of entries to store in the in-memory cache.
+# Minimum value is 256. If unset
+# an automatic heuristic is used to scale this.
+# You should only adjust this value if you experience
+# memory pressure on your system.
+# db_arc_size = 2048
+#
+# TLS chain and key in pem format. Both must be present.
+# If the server receives a SIGHUP, these files will be
+# re-read and reloaded if their content is valid.
+tls_chain = "/data/chain.pem"
+tls_key = "/data/key.pem"
+#
+# The log level of the server. May be one of info, debug, trace
+#
+# NOTE: this can be overridden by the environment variable
+# `KANIDM_LOG_LEVEL` at runtime
+# Defaults to "info"
+# log_level = "info"
+#
+# The DNS domain name of the server. This is used in a
+# number of security-critical contexts
+# such as webauthn, so it *must* match your DNS
+# hostname. It is used to create
+# security principal names such as `william@idm.example.com`
+# so that in a (future) trust configuration it is possible
+# to have unique Security Principal Names (spns) throughout
+# the topology.
+#
+# ⚠️ WARNING ⚠️
+#
+# Changing this value WILL break many types of registered
+# credentials for accounts including but not limited to
+# webauthn, oauth tokens, and more.
+# If you change this value you *must* run
+# `kanidmd domain rename` immediately after.
+domain = "idm.home.hrajfrisbee.cz"
+#
+# The origin for webauthn. This is the url to the server,
+# with the port included if it is non-standard (any port
+# except 443). This must match or be a descendent of the
+# domain name you configure above. If these two items are
+# not consistent, the server WILL refuse to start!
+# origin = "https://idm.example.com"
+# # OR
+# origin = "https://idm.example.com:8443"
+origin = "https://idm.home.hrajfrisbee.cz"
+
+# HTTPS requests can be reverse proxied by a loadbalancer.
+# To preserve the original IP of the caller, these systems
+# will often add a header such as "Forwarded" or
+# "X-Forwarded-For". Some other proxies can use the PROXY
+# protocol v2 header. While we support the PROXY protocol
+# v1 header, we STRONGLY discourage it's use as it has
+# significantly greater overheads compared to v2 during
+# processing.
+# This setting allows configuration of the list of trusted
+# IPs or IP ranges which can supply this header information,
+# and which format the information is provided in.
+# Defaults to "none" (no trusted sources)
+# Only one option can be used at a time.
+# [http_client_address_info]
+# proxy-v2 = ["127.0.0.1", "127.0.0.0/8"]
+# # OR
+# [http_client_address_info]
+# x-forward-for = ["127.0.0.1", "127.0.0.0/8"]
+# # OR
+# [http_client_address_info]
+# # AVOID IF POSSIBLE!!!
+# proxy-v1 = ["127.0.0.1", "127.0.0.0/8"]
+
+# LDAPS requests can be reverse proxied by a loadbalancer.
+# To preserve the original IP of the caller, these systems
+# can add a header such as the PROXY protocol v2 header.
+# While we support the PROXY protocol v1 header, we STRONGLY
+# discourage it's use as it has significantly greater
+# overheads compared to v2 during processing.
+# This setting allows configuration of the list of trusted
+# IPs or IP ranges which can supply this header information,
+# and which format the information is provided in.
+# Defaults to "none" (no trusted sources)
+# [ldap_client_address_info]
+# proxy-v2 = ["127.0.0.1", "127.0.0.0/8"]
+# # OR
+# [ldap_client_address_info]
+# # AVOID IF POSSIBLE!!!
+# proxy-v1 = ["127.0.0.1", "127.0.0.0/8"]
+
+[online_backup]
+# The path to the output folder for online backups
+path = "/data/kanidm/backups/"
+# The schedule to run online backups (see https://crontab.guru/)
+# every day at 22:00 UTC (default)
+schedule = "00 22 * * *"
+# four times a day at 3 minutes past the hour, every 6th hours
+# schedule = "03 */6 * * *"
+# We also support non standard cron syntax, with the following format:
+# sec min hour day of month month day of week year
+# (it's very similar to the standard cron syntax, it just allows to specify the seconds
+# at the beginning and the year at the end)
+# Number of backups to keep (default 7)
+# versions = 7
\ No newline at end of file
diff --git a/docker-30/readme.md b/docker-30/readme.md
index e69de29..221a428 100644
--- a/docker-30/readme.md
+++ b/docker-30/readme.md
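Review bot: `ldapbindaddress` stays commented out, so per the `Defaults to "" (disabled)` comment the LDAPS listener is off, yet the kanidm readme in this same commit publishes `-p '3636:3636'` on the container; either uncomment `ldapbindaddress = "0.0.0.0:3636"` or drop that port mapping so what is exposed on the host matches what the server actually listens on. `origin = "https://idm.home.hrajfrisbee.cz"` carries no port while `bindaddress` listens on 8443, which by the comment above it implies clients reach the server through something on 443 in front of it; if that is a reverse proxy, `[http_client_address_info]` should name it (the `proxy-v2` or `x-forward-for` form shown in the comments) so server logs record the real client address rather than the proxy's. Both points are inferred from the comments in this file and the readme, not from a running deployment.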
@@ -0,0 +1,17 @@
+# docker-30
+
+## taiscale
+
+```bash
+# Add signing key
+curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/$(lsb_release -cs).noarmor.gpg | sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg >/dev/null
+
+# Add repo
+echo "deb [signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg] https://pkgs.tailscale.com/stable/ubuntu $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/tailscale.list
+
+# Install
+sudo apt update && sudo apt install tailscale
+
+# Start
+sudo tailscale up
+```
\ No newline at end of file