Add kanidm

Cargo.toml

@@ -21,7 +21,7 @@ members = [
     #    "crates/payment_adapter_pay_u",
     # artifacts
     #    "crates/db-seed",
-    #    "crates/api",
+    # "crates/api",
     #    "crates/web",
     # vendor
     #    "vendor/t_pay",

config/ca.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCy7lO5xlCHc4jB
+th4dqWOtYrhdzMvsooFkQSK7GvVNFrzuhMXZp3iE6ZrXdE4Aku0n8ogR/NpI9stZ
+9PnrjvTXS6qfVhM0ctmR4b8HhgO+tXVBMicxCK4k+TPYySqorUvzhtmiHy5cWXB/
+1EB/bb/XN/NG/iv5UQU2j3byOBHWeWUZehWSrRdoYUrw5a5iGPvWCXurXh5I/RYc
+xp0dGF/JQ73tqhTd96g+nmSPZfhGSuGdcxcR0F9fGNP3cJStBXlM56hfHThfzonq
+2EUc3L6R77nk+UAieP0bA6PgyT7PNs6mWI7JFDPkNggtU1KivnzF+nL0cFRpFGKk
+2yoWLCs3AgMBAAECggEAQPq7/SM/63DRoUd5+FujjzviqG3PQMhjJP1il4BaxPwU
+8KnXEAv5gIs1aDkceqjg5zj0oVOqEgVOJAULHbh0whsAg4zGvK1YxdmtfhX1FjTf
+uCV2hiAY3eSCJ6AmlcsZYf7+2hloxLDWYhW6towstwPinU2AurHpqr6++4fRMomW
+RD8lU0RDkh1CtQYyfZ2HZ1U0MD3AMn2Pc5olGGyNmPv8YlkpQpUukAsL2hmYYSdR
+plrXqGEy7+Z4lXtFMcl4O+1OagIgzxrcO85aT/Nhz/L1vtngcbNw7TYtKMJ2Qe3L
+iCsTUQPictuzClmOh5Fnp4hPoIQQBJJOUnSdgPoxgQKBgQD35AnVk0RYBAmC299Y
+DZocc/erJdK0uS+kjs4+P0JgK4djHE8lwPwKd5asBrWy5yx8NFCO/ISyGLnNMIO8
+3c+lv20XvTCXkAxnwJ7vKEQ3L1Kc9m7E5nfCMVb5YbjCDRcKWDuDlPzpJ1JEz0gQ
+o1AYX0cMIVhmg6ajXqigYnbojwKBgQC4yMjdcarCw++b09/2xejrNKvkmVC4o7RL
+xBQoSG9GjFYnuMVs9vchHsjGrUmWDqoyqnwhpgXwugIAMdgpgL8kH7RzpBHbkhtU
+8vOnuLrCCSfv6G94GRzS9PTsQBRew/k+WLZvJmrlTEUF0bt6x2nA+zlkJeubigSm
+Ap3B1S9W2QKBgQDueuL/JmuEpXWk//RRWNyfbO2jKIMaPGJaVMyT0/X+YUIhllWK
+g6u2QjChFN9u2rnQT+AEf2kFkYYGohrK8zXWRmAki20ZEorsscH1YO6njI5U1Tvh
+j7s9Boye5GWDwmYdHJ88ynO5touOCUBSSVs/50GJqPbLwPHqj6F4kuHEfwKBgGIQ
+TGkY1aKfER4FhyoTRdTtEvwyUSBr4FcFLB1ks4khGOfjqwJ03hn5mFu3wwGbrr9M
+squ4zBZA4KbxzOHZrZaiLMXiIIgCNfcTKDOuWY54BXXQSLfXu/BIh2KJb0YLgs6P
+jeHW5Yviug6oi3JROdJsgLyhUzQsPuNLKCWh2YmhAoGANCt8O/622XtvGgWLWyiM
+9p7dMROpoj4XX+6+Nl1qhycCzxiDoHUHkh4vns9DlWgniVWFzVahHxdcluf+CFPA
+Gp9bzPc5C9U8aqKZCQiG1KvsYw/hTHimXVQC8zZrN55HJpt9f0BaB35iCgRifFgb
+Z3h6lYM7ArSxD9bON/mgi2I=
+-----END PRIVATE KEY-----

config/ca.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDazCCAlOgAwIBAgIUDkcNMspZCufA/N0UL3yb4RdrRuIwDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCUEwxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA2MjQxNjAxMjNaFw0yNTA2
+MjQxNjAxMjNaMEUxCzAJBgNVBAYTAlBMMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQCy7lO5xlCHc4jBth4dqWOtYrhdzMvsooFkQSK7GvVN
+FrzuhMXZp3iE6ZrXdE4Aku0n8ogR/NpI9stZ9PnrjvTXS6qfVhM0ctmR4b8HhgO+
+tXVBMicxCK4k+TPYySqorUvzhtmiHy5cWXB/1EB/bb/XN/NG/iv5UQU2j3byOBHW
+eWUZehWSrRdoYUrw5a5iGPvWCXurXh5I/RYcxp0dGF/JQ73tqhTd96g+nmSPZfhG
+SuGdcxcR0F9fGNP3cJStBXlM56hfHThfzonq2EUc3L6R77nk+UAieP0bA6PgyT7P
+Ns6mWI7JFDPkNggtU1KivnzF+nL0cFRpFGKk2yoWLCs3AgMBAAGjUzBRMB0GA1Ud
+DgQWBBR809KyhcwUbdddm3gSRy2XYthIyzAfBgNVHSMEGDAWgBR809KyhcwUbddd
+m3gSRy2XYthIyzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBL
+3xZelDDjnJg6u0i4IrwfWSGCWEblT7NBltOBoMKK2zcFMgIjkjYy1Nq+16bzo/yO
+BAdWKmFZQTgtIvbP9wbv/DPpQOy162fq9UCvgRJA8UMaerg0DXnktiHWgtmjGS9d
+vTQbkZT4as+sH/Kva6SaDlbUgRuuOt1Qyz4onslkX1megU9Lz1qpTlV7njYXWTN9
+4Sa3nPnujg0U5FDihE00w4VS7yFJqzhpaXK6ptPhcxkdD5PDrn9Rb9NvfKibao3m
+iLhZfLBozeXikzhDqCM9p3e25ewSxv1xU0M2lCpfSUDOt1n/+bLkKk2g9x4bpvWu
+cg+ZhAmx+KpuFRO6LSL9
+-----END CERTIFICATE-----

config/kanidm.toml

@@ -0,0 +1,107 @@
+#   The webserver bind address. Requires TLS certificates.
+#   If the port is set to 443 you may require the
+#   NET_BIND_SERVICE capability.
+#   Defaults to "127.0.0.1:8443"
+bindaddress = "[::]:8443"
+# bindaddress = "[::]:80"
+#
+#   The read-only ldap server bind address. Requires
+#   TLS certificates. If set to 636 you may require
+#   the NET_BIND_SERVICE capability.
+#   Defaults to "" (disabled)
+# ldapbindaddress = "[::]:3636"
+#
+#   HTTPS requests can be reverse proxied by a loadbalancer.
+#   To preserve the original IP of the caller, these systems
+#   will often add a header such as "Forwarded" or
+#   "X-Forwarded-For". If set to true, then this header is
+#   respected as the "authoritative" source of the IP of the
+#   connected client. If you are not using a load balancer
+#   then you should leave this value as default.
+#   Defaults to false
+# trust_x_forward_for = false
+#
+#   The path to the kanidm database.
+db_path = "/data/kanidm.db"
+#
+#   If you have a known filesystem, kanidm can tune the 
+#   database page size to match. Valid choices are:
+#   [zfs, other]
+#   If you are unsure about this leave it as the default
+#   (other). After changing this
+#   value you must run a vacuum task.
+#   - zfs:
+#     * sets database pagesize to 64k. You must set
+#       recordsize=64k on the zfs filesystem.
+#   - other:
+#     * sets database pagesize to 4k, matching most
+#       filesystems block sizes.
+# db_fs_type = "zfs"
+#
+#   The number of entries to store in the in-memory cache.
+#   Minimum value is 256. If unset
+#   an automatic heuristic is used to scale this.
+#   You should only adjust this value if you experience
+#   memory pressure on your system.
+# db_arc_size = 2048
+#
+#   TLS chain and key in pem format. Both must be present
+
+# docker run --rm -i -t -v kanidmd:/data \
+#  kanidm/server:latest \
+#  kanidmd cert-generate
+
+tls_chain = "/data/ca.pem"
+tls_key = "/data/ca.key"
+verify_ca = false
+
+#
+#   The log level of the server. May be one of info, debug, trace
+#
+#   NOTE: this can be overridden by the environment variable
+#   `KANIDM_LOG_LEVEL` at runtime
+#   Defaults to "info"
+# log_level = "info"
+#
+#   The DNS domain name of the server. This is used in a
+#   number of security-critical contexts
+#   such as webauthn, so it *must* match your DNS
+#   hostname. It is used to create
+#   security principal names such as `william@idm.example.com`
+#   so that in a (future) trust configuration it is possible
+#   to have unique Security Principal Names (spns) throughout
+#   the topology.
+#
+#   ⚠️  WARNING ⚠️
+#
+#   Changing this value WILL break many types of registered
+#   credentials for accounts including but not limited to
+#   webauthn, oauth tokens, and more.
+#   If you change this value you *must* run
+#   `kanidmd domain_name_change` immediately after.
+# domain = "idm.example.com"
+domain = "localhost"
+#
+#   The origin for webauthn. This is the url to the server,
+#   with the port included if it is non-standard (any port
+#   except 443). This must match or be a descendent of the
+#   domain name you configure above. If these two items are
+#   not consistent, the server WILL refuse to start!
+#   origin = "https://idm.example.com"
+origin = "https://localhost:8443"
+# origin = "https://idm.example.com:8443"
+#
+[online_backup]
+#   The path to the output folder for online backups
+path = "/data/kanidm/backups/"
+#   The schedule to run online backups (see https://crontab.guru/)
+#   every day at 22:00 UTC (default)
+schedule = "00 22 * * *"
+#    four times a day at 3 minutes past the hour, every 6th hours
+# schedule = "03 */6 * * *"
+#   We also support non standard cron syntax, with the following format:
+#   sec  min   hour   day of month   month   day of week   year
+#   (it's very similar to the standard cron syntax, it just allows to specify the seconds
+#   at the beginning and the year at the end)
+#   Number of backups to keep (default 7)
+# versions = 7

docker-compose.yml

@@ -1,5 +1,16 @@
 version: '3'
 services:
+  kanidm-server:
+    image: kanidm/server:latest
+    volumes:
+      - kanidmd:/data
+      - ./config/kanidm.toml:/data/server.toml
+      - ./config/ca.pem:/data/ca.pem
+      - ./config/ca.key:/data/ca.key
+    ports:
+      - 636:3636
+      - 443:8443
+      - 8400:80
   quickwit:
     image: quickwit/quickwit:v0.5.2
     command: run
@@ -35,3 +46,6 @@ services:
       - '3000:3000'
     volumes:
       - ./grafana/plugins:/var/lib/grafana/plugins
+
+volumes:
+  kanidmd: