diff --git a/Cargo.toml b/Cargo.toml
index e41e6b8..72f7acb 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -21,7 +21,7 @@ members = [
 # "crates/payment_adapter_pay_u",
 # artifacts
 # "crates/db-seed",
- # "crates/api",
+ # "crates/api",
 # "crates/web",
 # vendor
 # "vendor/t_pay",
diff --git a/config/ca.key b/config/ca.key
new file mode 100644
index 0000000..2c37d78
--- /dev/null
+++ b/config/ca.key
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCy7lO5xlCHc4jB +th4dqWOtYrhdzMvsooFkQSK7GvVNFrzuhMXZp3iE6ZrXdE4Aku0n8ogR/NpI9stZ +9PnrjvTXS6qfVhM0ctmR4b8HhgO+tXVBMicxCK4k+TPYySqorUvzhtmiHy5cWXB/ +1EB/bb/XN/NG/iv5UQU2j3byOBHWeWUZehWSrRdoYUrw5a5iGPvWCXurXh5I/RYc +xp0dGF/JQ73tqhTd96g+nmSPZfhGSuGdcxcR0F9fGNP3cJStBXlM56hfHThfzonq +2EUc3L6R77nk+UAieP0bA6PgyT7PNs6mWI7JFDPkNggtU1KivnzF+nL0cFRpFGKk +2yoWLCs3AgMBAAECggEAQPq7/SM/63DRoUd5+FujjzviqG3PQMhjJP1il4BaxPwU +8KnXEAv5gIs1aDkceqjg5zj0oVOqEgVOJAULHbh0whsAg4zGvK1YxdmtfhX1FjTf +uCV2hiAY3eSCJ6AmlcsZYf7+2hloxLDWYhW6towstwPinU2AurHpqr6++4fRMomW +RD8lU0RDkh1CtQYyfZ2HZ1U0MD3AMn2Pc5olGGyNmPv8YlkpQpUukAsL2hmYYSdR +plrXqGEy7+Z4lXtFMcl4O+1OagIgzxrcO85aT/Nhz/L1vtngcbNw7TYtKMJ2Qe3L +iCsTUQPictuzClmOh5Fnp4hPoIQQBJJOUnSdgPoxgQKBgQD35AnVk0RYBAmC299Y +DZocc/erJdK0uS+kjs4+P0JgK4djHE8lwPwKd5asBrWy5yx8NFCO/ISyGLnNMIO8 +3c+lv20XvTCXkAxnwJ7vKEQ3L1Kc9m7E5nfCMVb5YbjCDRcKWDuDlPzpJ1JEz0gQ +o1AYX0cMIVhmg6ajXqigYnbojwKBgQC4yMjdcarCw++b09/2xejrNKvkmVC4o7RL +xBQoSG9GjFYnuMVs9vchHsjGrUmWDqoyqnwhpgXwugIAMdgpgL8kH7RzpBHbkhtU +8vOnuLrCCSfv6G94GRzS9PTsQBRew/k+WLZvJmrlTEUF0bt6x2nA+zlkJeubigSm +Ap3B1S9W2QKBgQDueuL/JmuEpXWk//RRWNyfbO2jKIMaPGJaVMyT0/X+YUIhllWK +g6u2QjChFN9u2rnQT+AEf2kFkYYGohrK8zXWRmAki20ZEorsscH1YO6njI5U1Tvh +j7s9Boye5GWDwmYdHJ88ynO5touOCUBSSVs/50GJqPbLwPHqj6F4kuHEfwKBgGIQ +TGkY1aKfER4FhyoTRdTtEvwyUSBr4FcFLB1ks4khGOfjqwJ03hn5mFu3wwGbrr9M +squ4zBZA4KbxzOHZrZaiLMXiIIgCNfcTKDOuWY54BXXQSLfXu/BIh2KJb0YLgs6P +jeHW5Yviug6oi3JROdJsgLyhUzQsPuNLKCWh2YmhAoGANCt8O/622XtvGgWLWyiM +9p7dMROpoj4XX+6+Nl1qhycCzxiDoHUHkh4vns9DlWgniVWFzVahHxdcluf+CFPA +Gp9bzPc5C9U8aqKZCQiG1KvsYw/hTHimXVQC8zZrN55HJpt9f0BaB35iCgRifFgb +Z3h6lYM7ArSxD9bON/mgi2I= +-----END PRIVATE KEY----- diff --git a/config/ca.pem b/config/ca.pem new file mode 100644 index 0000000..86888b2 --- /dev/null +++ b/config/ca.pem 
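Review bot: `config/ca.key` commits a PKCS#8 private key to the repository, and the matching `config/ca.pem` in the next hunk decodes (as far as I can read the DER) with `basicConstraints CA:TRUE`, so anyone with read access to this repo or its history can mint certificates that will be accepted wherever this root is trusted. The key should be treated as compromised now: rotate it, purge it from history, and produce it at deploy time instead, for example with the `kanidmd cert-generate` command quoted in `config/kanidm.toml`, or mount it from a secret. Add `config/*.key` to `.gitignore` so the regenerated key cannot be committed by accident, and make sure whatever ends up in the container is owner-readable only rather than the mode 100644 shown here.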
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDazCCAlOgAwIBAgIUDkcNMspZCufA/N0UL3yb4RdrRuIwDQYJKoZIhvcNAQEL +BQAwRTELMAkGA1UEBhMCUEwxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM +GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA2MjQxNjAxMjNaFw0yNTA2 +MjQxNjAxMjNaMEUxCzAJBgNVBAYTAlBMMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw +HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQCy7lO5xlCHc4jBth4dqWOtYrhdzMvsooFkQSK7GvVN +FrzuhMXZp3iE6ZrXdE4Aku0n8ogR/NpI9stZ9PnrjvTXS6qfVhM0ctmR4b8HhgO+ +tXVBMicxCK4k+TPYySqorUvzhtmiHy5cWXB/1EB/bb/XN/NG/iv5UQU2j3byOBHW +eWUZehWSrRdoYUrw5a5iGPvWCXurXh5I/RYcxp0dGF/JQ73tqhTd96g+nmSPZfhG +SuGdcxcR0F9fGNP3cJStBXlM56hfHThfzonq2EUc3L6R77nk+UAieP0bA6PgyT7P +Ns6mWI7JFDPkNggtU1KivnzF+nL0cFRpFGKk2yoWLCs3AgMBAAGjUzBRMB0GA1Ud +DgQWBBR809KyhcwUbdddm3gSRy2XYthIyzAfBgNVHSMEGDAWgBR809KyhcwUbddd +m3gSRy2XYthIyzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBL +3xZelDDjnJg6u0i4IrwfWSGCWEblT7NBltOBoMKK2zcFMgIjkjYy1Nq+16bzo/yO +BAdWKmFZQTgtIvbP9wbv/DPpQOy162fq9UCvgRJA8UMaerg0DXnktiHWgtmjGS9d +vTQbkZT4as+sH/Kva6SaDlbUgRuuOt1Qyz4onslkX1megU9Lz1qpTlV7njYXWTN9 +4Sa3nPnujg0U5FDihE00w4VS7yFJqzhpaXK6ptPhcxkdD5PDrn9Rb9NvfKibao3m +iLhZfLBozeXikzhDqCM9p3e25ewSxv1xU0M2lCpfSUDOt1n/+bLkKk2g9x4bpvWu +cg+ZhAmx+KpuFRO6LSL9 +-----END CERTIFICATE----- diff --git a/config/kanidm.toml b/config/kanidm.toml new file mode 100644 index 0000000..6aaf3d4 --- /dev/null +++ b/config/kanidm.toml 
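Review bot: The certificate added here is self-signed with the OpenSSL placeholder subject (`C=PL, ST=Some-State, O=Internet Widgits Pty Ltd`), no CN and, as far as I can decode the extensions, no subjectAltName, so any client that verifies hostnames will reject it for `localhost`, the `domain`/`origin` that `config/kanidm.toml` configures. It is also a CA certificate being served directly as the server's `tls_chain`, and its validity appears to run only from 2024-06-24 to 2025-06-24. Generate a leaf certificate carrying a SAN for the real hostname, signed by a CA whose key never enters the repo, and serve that leaf plus the CA as the chain.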
@@ -0,0 +1,107 @@
+# The webserver bind address. Requires TLS certificates.
+# If the port is set to 443 you may require the
+# NET_BIND_SERVICE capability.
+# Defaults to "127.0.0.1:8443"
+bindaddress = "[::]:8443"
+# bindaddress = "[::]:80"
+#
+# The read-only ldap server bind address. Requires
+# TLS certificates. If set to 636 you may require
+# the NET_BIND_SERVICE capability.
+# Defaults to "" (disabled)
+# ldapbindaddress = "[::]:3636"
+#
+# HTTPS requests can be reverse proxied by a loadbalancer.
+# To preserve the original IP of the caller, these systems
+# will often add a header such as "Forwarded" or
+# "X-Forwarded-For". If set to true, then this header is
+# respected as the "authoritative" source of the IP of the
+# connected client. If you are not using a load balancer
+# then you should leave this value as default.
+# Defaults to false
+# trust_x_forward_for = false
+#
+# The path to the kanidm database.
+db_path = "/data/kanidm.db"
+#
+# If you have a known filesystem, kanidm can tune the
+# database page size to match. Valid choices are:
+# [zfs, other]
+# If you are unsure about this leave it as the default
+# (other). After changing this
+# value you must run a vacuum task.
+# - zfs:
+# * sets database pagesize to 64k. You must set
+# recordsize=64k on the zfs filesystem.
+# - other:
+# * sets database pagesize to 4k, matching most
+# filesystems block sizes.
+# db_fs_type = "zfs"
+#
+# The number of entries to store in the in-memory cache.
+# Minimum value is 256. If unset
+# an automatic heuristic is used to scale this.
+# You should only adjust this value if you experience
+# memory pressure on your system.
+# db_arc_size = 2048
+#
+# TLS chain and key in pem format. Both must be present
+
+# docker run --rm -i -t -v kanidmd:/data \
+# kanidm/server:latest \
+# kanidmd cert-generate
+
+tls_chain = "/data/ca.pem"
+tls_key = "/data/ca.key"
+verify_ca = false
+
+#
+# The log level of the server. May be one of info, debug, trace
+#
+# NOTE: this can be overridden by the environment variable
+# `KANIDM_LOG_LEVEL` at runtime
+# Defaults to "info"
+# log_level = "info"
+#
+# The DNS domain name of the server. This is used in a
+# number of security-critical contexts
+# such as webauthn, so it *must* match your DNS
+# hostname. It is used to create
+# security principal names such as `william@idm.example.com`
+# so that in a (future) trust configuration it is possible
+# to have unique Security Principal Names (spns) throughout
+# the topology.
+#
+# ⚠️ WARNING ⚠️
+#
+# Changing this value WILL break many types of registered
+# credentials for accounts including but not limited to
+# webauthn, oauth tokens, and more.
+# If you change this value you *must* run
+# `kanidmd domain_name_change` immediately after.
+# domain = "idm.example.com"
+domain = "localhost"
+#
+# The origin for webauthn. This is the url to the server,
+# with the port included if it is non-standard (any port
+# except 443). This must match or be a descendent of the
+# domain name you configure above. If these two items are
+# not consistent, the server WILL refuse to start!
+# origin = "https://idm.example.com"
+origin = "https://localhost:8443"
+# origin = "https://idm.example.com:8443"
+#
+[online_backup]
+# The path to the output folder for online backups
+path = "/data/kanidm/backups/"
+# The schedule to run online backups (see https://crontab.guru/)
+# every day at 22:00 UTC (default)
+schedule = "00 22 * * *"
+# four times a day at 3 minutes past the hour, every 6th hours
+# schedule = "03 */6 * * *"
+# We also support non standard cron syntax, with the following format:
+# sec min hour day of month month day of week year
+# (it's very similar to the standard cron syntax, it just allows to specify the seconds
+# at the beginning and the year at the end)
+# Number of backups to keep (default 7)
+# versions = 7
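Review bot: `origin = "https://localhost:8443"` does not match how `docker-compose.yml` in this same commit exposes the server (host port 443 mapped to container 8443), so a browser reaching `https://localhost` sends origin `https://localhost` and the webauthn origin check this line defines will reject it; either publish `8443:8443` or set `origin = "https://localhost"`, and per the warning a few lines above, choose the final `domain` now because changing it later breaks registered credentials. I cannot find `verify_ca` among kanidmd's documented server options; confirm it is actually read, otherwise it is dead config and should be dropped rather than left looking like a security knob. `tls_chain`/`tls_key` point at the CA key pair committed under `config/`; prefer the `kanidmd cert-generate` invocation quoted in the comment directly above them, run at deploy time into the `/data` volume, so no private key lives in the repo.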
diff --git a/docker-compose.yml b/docker-compose.yml
index cac616e..e0fedd0 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,5 +1,16 @@
 version: '3'
 services:
+ kanidm-server:
+ image: kanidm/server:latest
+ volumes:
+ - kanidmd:/data
+ - ./config/kanidm.toml:/data/server.toml
+ - ./config/ca.pem:/data/ca.pem
+ - ./config/ca.key:/data/ca.key
+ ports:
+ - 636:3636
+ - 443:8443
+ - 8400:80
 quickwit:
 image: quickwit/quickwit:v0.5.2
 command: run
@@ -35,3 +46,6 @@ services:
 - '3000:3000'
 volumes:
 - ./grafana/plugins:/var/lib/grafana/plugins
+
+volumes:
+ kanidmd:
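Review bot: `image: kanidm/server:latest` is unpinned while the neighbouring `quickwit` service in the same file is pinned to `v0.5.2`; an identity provider should be pinned to a release tag or digest so upgrades happen deliberately and reproducibly. Of the three `ports` entries, `636:3636` and `8400:80` publish container ports that nothing in `config/kanidm.toml` listens on (`ldapbindaddress` is commented out and `bindaddress` is `[::]:8443`), and all three bind every host interface; for a local stack I would keep only `- 127.0.0.1:443:8443` (or `8443:8443`, which matches the configured `origin`) and drop the other two. The `./config/ca.key` bind mount ships a private key out of the repo into the container; mount it from a secret or let `kanidmd cert-generate` write it into the `kanidmd` volume instead.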