Add kanidm

This commit is contained in:
eraden 2024-06-25 08:36:17 +02:00
parent d3b5e85427
commit 918a906b64
5 changed files with 171 additions and 1 deletions

28
config/ca.key Normal file

@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCy7lO5xlCHc4jB
th4dqWOtYrhdzMvsooFkQSK7GvVNFrzuhMXZp3iE6ZrXdE4Aku0n8ogR/NpI9stZ
9PnrjvTXS6qfVhM0ctmR4b8HhgO+tXVBMicxCK4k+TPYySqorUvzhtmiHy5cWXB/
1EB/bb/XN/NG/iv5UQU2j3byOBHWeWUZehWSrRdoYUrw5a5iGPvWCXurXh5I/RYc
xp0dGF/JQ73tqhTd96g+nmSPZfhGSuGdcxcR0F9fGNP3cJStBXlM56hfHThfzonq
2EUc3L6R77nk+UAieP0bA6PgyT7PNs6mWI7JFDPkNggtU1KivnzF+nL0cFRpFGKk
2yoWLCs3AgMBAAECggEAQPq7/SM/63DRoUd5+FujjzviqG3PQMhjJP1il4BaxPwU
8KnXEAv5gIs1aDkceqjg5zj0oVOqEgVOJAULHbh0whsAg4zGvK1YxdmtfhX1FjTf
uCV2hiAY3eSCJ6AmlcsZYf7+2hloxLDWYhW6towstwPinU2AurHpqr6++4fRMomW
RD8lU0RDkh1CtQYyfZ2HZ1U0MD3AMn2Pc5olGGyNmPv8YlkpQpUukAsL2hmYYSdR
plrXqGEy7+Z4lXtFMcl4O+1OagIgzxrcO85aT/Nhz/L1vtngcbNw7TYtKMJ2Qe3L
iCsTUQPictuzClmOh5Fnp4hPoIQQBJJOUnSdgPoxgQKBgQD35AnVk0RYBAmC299Y
DZocc/erJdK0uS+kjs4+P0JgK4djHE8lwPwKd5asBrWy5yx8NFCO/ISyGLnNMIO8
3c+lv20XvTCXkAxnwJ7vKEQ3L1Kc9m7E5nfCMVb5YbjCDRcKWDuDlPzpJ1JEz0gQ
o1AYX0cMIVhmg6ajXqigYnbojwKBgQC4yMjdcarCw++b09/2xejrNKvkmVC4o7RL
xBQoSG9GjFYnuMVs9vchHsjGrUmWDqoyqnwhpgXwugIAMdgpgL8kH7RzpBHbkhtU
8vOnuLrCCSfv6G94GRzS9PTsQBRew/k+WLZvJmrlTEUF0bt6x2nA+zlkJeubigSm
Ap3B1S9W2QKBgQDueuL/JmuEpXWk//RRWNyfbO2jKIMaPGJaVMyT0/X+YUIhllWK
g6u2QjChFN9u2rnQT+AEf2kFkYYGohrK8zXWRmAki20ZEorsscH1YO6njI5U1Tvh
j7s9Boye5GWDwmYdHJ88ynO5touOCUBSSVs/50GJqPbLwPHqj6F4kuHEfwKBgGIQ
TGkY1aKfER4FhyoTRdTtEvwyUSBr4FcFLB1ks4khGOfjqwJ03hn5mFu3wwGbrr9M
squ4zBZA4KbxzOHZrZaiLMXiIIgCNfcTKDOuWY54BXXQSLfXu/BIh2KJb0YLgs6P
jeHW5Yviug6oi3JROdJsgLyhUzQsPuNLKCWh2YmhAoGANCt8O/622XtvGgWLWyiM
9p7dMROpoj4XX+6+Nl1qhycCzxiDoHUHkh4vns9DlWgniVWFzVahHxdcluf+CFPA
Gp9bzPc5C9U8aqKZCQiG1KvsYw/hTHimXVQC8zZrN55HJpt9f0BaB35iCgRifFgb
Z3h6lYM7ArSxD9bON/mgi2I=
-----END PRIVATE KEY-----
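Review bot: config/ca.key commits an unencrypted private key to the repository, and the companion kanidm.toml (`tls_key = "/data/ca.key"`) and compose volume mount make it the server's live TLS key, so anyone with read access to the repo history now holds the key material. Once pushed, the key should be treated as compromised: rotate it, purge the file from history, and add `config/ca.key` (and ideally `config/ca.pem`, added in the same commit) to `.gitignore`. The kanidm.toml's own comment already shows the intended workflow (`kanidmd cert-generate` into the `kanidmd` volume), so the key pair can be produced at deploy time instead of being checked in; alternatively inject it via a compose secret or an untracked local file. If the key must be bind-mounted, mounting it read-only (`- ./config/ca.key:/data/ca.key:ro`) at least prevents the container from modifying it.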

21
config/ca.pem Normal file

@ -0,0 +1,21 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

107
config/kanidm.toml Normal file

@ -0,0 +1,107 @@
# The webserver bind address. Requires TLS certificates.
# If the port is set to 443 you may require the
# NET_BIND_SERVICE capability.
# Defaults to "127.0.0.1:8443"
bindaddress = "[::]:8443"
# bindaddress = "[::]:80"
#
# The read-only ldap server bind address. Requires
# TLS certificates. If set to 636 you may require
# the NET_BIND_SERVICE capability.
# Defaults to "" (disabled)
# ldapbindaddress = "[::]:3636"
#
# HTTPS requests can be reverse proxied by a loadbalancer.
# To preserve the original IP of the caller, these systems
# will often add a header such as "Forwarded" or
# "X-Forwarded-For". If set to true, then this header is
# respected as the "authoritative" source of the IP of the
# connected client. If you are not using a load balancer
# then you should leave this value as default.
# Defaults to false
# trust_x_forward_for = false
#
# The path to the kanidm database.
db_path = "/data/kanidm.db"
#
# If you have a known filesystem, kanidm can tune the
# database page size to match. Valid choices are:
# [zfs, other]
# If you are unsure about this leave it as the default
# (other). After changing this
# value you must run a vacuum task.
# - zfs:
# * sets database pagesize to 64k. You must set
# recordsize=64k on the zfs filesystem.
# - other:
# * sets database pagesize to 4k, matching most
# filesystems block sizes.
# db_fs_type = "zfs"
#
# The number of entries to store in the in-memory cache.
# Minimum value is 256. If unset
# an automatic heuristic is used to scale this.
# You should only adjust this value if you experience
# memory pressure on your system.
# db_arc_size = 2048
#
# TLS chain and key in pem format. Both must be present
# docker run --rm -i -t -v kanidmd:/data \
# kanidm/server:latest \
# kanidmd cert-generate
tls_chain = "/data/ca.pem"
tls_key = "/data/ca.key"
verify_ca = false
#
# The log level of the server. May be one of info, debug, trace
#
# NOTE: this can be overridden by the environment variable
# `KANIDM_LOG_LEVEL` at runtime
# Defaults to "info"
# log_level = "info"
#
# The DNS domain name of the server. This is used in a
# number of security-critical contexts
# such as webauthn, so it *must* match your DNS
# hostname. It is used to create
# security principal names such as `william@idm.example.com`
# so that in a (future) trust configuration it is possible
# to have unique Security Principal Names (spns) throughout
# the topology.
#
# ⚠️ WARNING ⚠️
#
# Changing this value WILL break many types of registered
# credentials for accounts including but not limited to
# webauthn, oauth tokens, and more.
# If you change this value you *must* run
# `kanidmd domain_name_change` immediately after.
# domain = "idm.example.com"
domain = "localhost"
#
# The origin for webauthn. This is the url to the server,
# with the port included if it is non-standard (any port
# except 443). This must match or be a descendent of the
# domain name you configure above. If these two items are
# not consistent, the server WILL refuse to start!
# origin = "https://idm.example.com"
origin = "https://localhost:8443"
# origin = "https://idm.example.com:8443"
#
[online_backup]
# The path to the output folder for online backups
path = "/data/kanidm/backups/"
# The schedule to run online backups (see https://crontab.guru/)
# every day at 22:00 UTC (default)
schedule = "00 22 * * *"
# four times a day at 3 minutes past the hour, every 6th hours
# schedule = "03 */6 * * *"
# We also support non standard cron syntax, with the following format:
# sec min hour day of month month day of week year
# (it's very similar to the standard cron syntax, it just allows to specify the seconds
# at the beginning and the year at the end)
# Number of backups to keep (default 7)
# versions = 7
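Review bot: `origin = "https://localhost:8443"` is likely to disagree with how the service is actually reached, because the compose change in this commit publishes container port 8443 as host port 443 (`- 443:8443`), so a browser at `https://localhost` presents an origin without the port. The file's own comment states that origin must match the URL of the server including any non-standard port, and that the domain/origin pair is used for webauthn, so a mismatch would be visible at credential registration time rather than at startup. Either set `origin = "https://localhost"` to match the published port or publish `8443:8443` so the configured origin is correct. Since `domain = "localhost"` is also warned to be expensive to change later (`kanidmd domain_name_change`), it is worth settling the real hostname before any accounts are created.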


@ -1,5 +1,16 @@
version: '3' version: '3'
services: services:
kanidm-server:
image: kanidm/server:latest
volumes:
- kanidmd:/data
- ./config/kanidm.toml:/data/server.toml
- ./config/ca.pem:/data/ca.pem
- ./config/ca.key:/data/ca.key
ports:
- 636:3636
- 443:8443
- 8400:80
quickwit: quickwit:
image: quickwit/quickwit:v0.5.2 image: quickwit/quickwit:v0.5.2
command: run command: run
@ -35,3 +46,6 @@ services:
- '3000:3000' - '3000:3000'
volumes: volumes:
- ./grafana/plugins:/var/lib/grafana/plugins - ./grafana/plugins:/var/lib/grafana/plugins
volumes:
kanidmd:
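Review bot: `image: kanidm/server:latest` in the new kanidm-server service is unpinned, unlike the neighbouring `quickwit/quickwit:v0.5.2`, so each pull can silently change the identity provider's version and configuration format; pin it to a specific tag, e.g. `image: kanidm/server:<PINNED_VERSION>`. The port mapping `- 8400:80` appears to point at nothing, because the mounted kanidm.toml binds only `[::]:8443` (the `[::]:80` bindaddress is commented out), and it would widen exposure if that line were ever uncommented. The new port entries are also written as bare scalars (`- 636:3636`, `- 443:8443`) while the existing file quotes them (`- '3000:3000'`); quote them for consistency and to avoid YAML 1.1 number parsing on short mappings. The three bind mounts of config, certificate and key could be marked `:ro`, since the server has no need to write them. The enclosing `services:` mapping and the new top-level `volumes:` key span both hunks of this file.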