fickit: Add dexidp on frontend

This commit is contained in:
nemunaire 2021-09-05 12:39:36 +02:00
commit 75d288000f
7 changed files with 362 additions and 2 deletions


@ -88,6 +88,17 @@ onboot:
- name: eth0
bindNS:
net: /run/netns/sshd
- name: auth-ip-setup
image: linuxkit/ip:b98c32fab9c8997c5d05677af979f05dfcd8b3f1
command: ["/bin/sh", "-c", "ip a add 172.17.1.4/24 dev vethin-auth; ip link set vethin-auth up;" ]
net: new
runtime:
interfaces:
- name: vethin-auth
add: veth
peer: veth-auth
bindNS:
net: /run/netns/auth
- name: bridge-setup
image: linuxkit/ip:b98c32fab9c8997c5d05677af979f05dfcd8b3f1
command: ["/bin/sh", "-c", "ip a add 172.17.1.1/24 dev br0; ip link set veth-nginx master br0; ip link set veth-frontend master br0; ip link set br0 up; ip link set veth-nginx up; ip link set veth-frontend up;" ]
@ -223,6 +234,37 @@ services:
# - /etc/unbound/unbound.d:/etc/unbound/unbound.d:ro
# net: /run/netns/nginx
- name: dexidp
image: ghcr.io/dexidp/dex:v2.30.0
net: /run/netns/auth
binds:
- /etc/hosts:/etc/hosts:ro
- /var/lib/fic/pki/shared/dex-config.yaml:/etc/dex/config.docker.yaml:ro
- /var/lib/fic/dex:/var/dex
- /www/dex-templates/theme/styles.css:/srv/dex/web/themes/light/styles.css
- /www/dex-templates/templates/header.html:/srv/dex/web/templates/header.html
- /var/lib/fic/pki/shared/dex-password.tpl:/srv/dex/web/templates/password.html
- /www/htdocs-frontend/img/fic.png:/srv/dex/web/themes/light/favicon.png
runtime:
mkdir:
- /var/lib/fic/dex
- name: vouch-proxy
image: quay.io/vouch/vouch-proxy:alpine-0.34
env:
- VOUCH_ALLOWALLUSERS=true
- VOUCH_COOKIE_DOMAIN=fic.srs.epita.fr
- VOUCH_DOCUMENT_ROOT=/challenge_access
- VOUCH_LOGLEVEL=debug
- OAUTH_PROVIDER=oidc
- OAUTH_CLIENT_ID=epita-challenge
- OAUTH_CLIENT_SECRET=N4n7AXzK9kpXt3TmSn8wAgtxqxhGORgcubLaE2g
- OAUTH_CALLBACK_URL=https://fic.srs.epita.fr/challenge_access/auth
- OAUTH_AUTH_URL=https://fic.srs.epita.fr/auth
- OAUTH_TOKEN_URL=http://127.0.0.1:5556/token
- OAUTH_USER_INFO_URL=http://127.0.0.1:5556/userinfo
- OAUTH_SCOPES=openid,email
net: /run/netns/auth
files:
- path: etc/init.d/015-setup-sshd
@ -231,8 +273,11 @@ files:
- path: etc/init.d/016-copy-dex-config
contents: |
#!/bin/sh
[ -f /var/lib/fic/dex-config.yaml ] || {
cp /etc/dex/config.auth.yaml /var/lib/fic/dex-config.yaml
[ -f /var/lib/fic/pki/shared/dex-config.yaml ] || {
cp /etc/dex/config.auth.yaml /var/lib/fic/pki/shared/dex-config.yaml
}
[ -f /var/lib/fic/pki/shared/dex-password.tpl ] || {
cp /www/dex-templates/templates/password.html /var/lib/fic/pki/shared/dex-password.tpl
}
mode: "0555"
@ -273,6 +318,18 @@ files:
source: configs/nginx/get-team/oidc.conf
mode: "0400"
- path: etc/dex/config.auth.yaml
source: configs/dex.yaml
mode: "0400"
- path: www/dex-templates/theme/styles.css
source: configs/dex-templates/theme/styles.css
mode: "0444"
- path: www/dex-templates/templates/header.html
source: configs/dex-templates/templates/header.html
mode: "0444"
- path: www/dex-templates/templates/password.html
source: configs/dex-templates/templates/password.html
mode: "0444"
- path: usr/bin/iptables
source: configs/nsenter_iptables.sh
@ -375,6 +432,8 @@ files:
[0:0] -A OUTPUT -o bond-frontal -p udp -m udp --sport domain -j ACCEPT
[0:0] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -o vethin-nginx -d 172.17.1.3 -p tcp -m conntrack --ctstate NEW -m tcp --dport 8080 -j ACCEPT
[0:0] -A OUTPUT -o vethin-nginx -d 172.17.1.4 -p tcp -m conntrack --ctstate NEW -m tcp --dport 5556 -j ACCEPT
[0:0] -A OUTPUT -o vethin-nginx -d 172.17.1.4 -p tcp -m conntrack --ctstate NEW -m tcp --dport 9090 -j ACCEPT
[0:0] -A OUTPUT -o internet -j ACCEPT
[0:0] -A OUTPUT -j LOG
[0:0] -A OUTPUT -j REJECT
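Review bot: The vouch-proxy service added in the services hunk commits a live OAuth client secret to the repository (`- OAUTH_CLIENT_SECRET=N4n7AXzK9kpXt3TmSn8wAgtxqxhGORgcubLaE2g`), so it is now part of git history and baked into every built image; it should be removed from the committed YAML and treated as compromised (rotate it on the dex side, which presumably lives in configs/dex.yaml outside this section). The same hunk's init script `016-copy-dex-config` already materializes per-deployment files under /var/lib/fic/pki/shared at first boot, so the secret could be generated there and mounted into the vouch-proxy container rather than shipped as a static env value. Two smaller points in the same service: `- VOUCH_LOGLEVEL=debug` is likely to write session cookies or tokens to the console log and should not ship as the default, and `- VOUCH_ALLOWALLUSERS=true` means any identity dex issues gets through, which deserves a comment such as `# every dex-authenticated user is admitted; authorization happens downstream` if that is intended. Separately, the dexidp binds for styles.css, header.html, password.html and favicon.png lack the `:ro` suffix that the other binds in the block carry; unless dex needs to write them, they should be mounted read-only for consistency.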