Commit graph

50 commits

Author SHA1 Message Date
Jelle van der Waa
f741bc6a20
Terraform uptimerobot monitors
Add our uptimerobot to terraform so it's managed in code and we can
easily extend it. This currently only adds our to-be-monitored sites and
leaves the status page as it is now.

Deleting resources on uptimerobot will cause terraform to be unable to run,
see: https://github.com/louy/terraform-provider-uptimerobot/issues/82

References: #209
2021-05-18 22:51:16 +02:00
Jan Alexander Steffens (heftig)
745795594f
keycloak: Enable add_to_id_token for matrix role mapper
Synapse only inspects the userinfo.
2021-04-15 15:02:53 +02:00
Jan Alexander Steffens (heftig)
3e475457c5
matrix: Integrate with Keycloak
Closes https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/94
2021-04-15 12:37:34 +00:00
Jelle van der Waa
a434870b9f
Restrict Grafana access to DevOps
As our Grafana now contains Loki logs, we don't want non-DevOps to view
logs which potentially contain sensitive data. As Grafana does not have
a system to easily restrict data sources to roles we use Keycloak.
2021-04-08 21:01:22 +02:00
Sven-Hendrik Haase
75146bcc8b
Fix mode of .terraform.lock.hcl 2021-03-19 13:53:50 +01:00
Jelle van der Waa
3124cfd933
Add hedgedoc as new service
This adds a collaborative markdown editor as newly offered service which
is available via login for all Arch Linux Staff with an option to allow
anonymous edits by users (not default). Users are managed via keycloak
and require the Staff role to be allowed in; non-staff Keycloak users
currently will receive an internal server error due to an upstream
issue.
2021-02-01 21:59:30 +01:00
Kristian Klausen
56865f8c9e
Migrate all services to use implicit TLS for SMTP Submission 2020-12-24 23:43:57 +00:00
Sven-Hendrik Haase
649568e703
Restrict Grafana access to Arch Linux Staff group on Keycloak (fixes #151) 2020-12-11 19:59:57 +00:00
Sven-Hendrik Haase
e049e89e9a
Upgrade to Terraform 0.14
This process didn't need any source changes but it added the new Terraform lockfiles.
2020-12-10 21:53:50 +01:00
Frederik Schwan
80c22539b9
introduce terraform fmt to the CI to improve readability 2020-10-22 13:45:19 +02:00
Sven-Hendrik Haase
1f9c854d46
Import config from Keycloak
This is now possible because of terraform-provider-keycloak 2.0.0 :D
2020-09-23 01:34:02 +02:00
Kristian Klausen
2fd1c89a04
keycloak: Bump provider version 2020-09-22 22:30:54 +00:00
Kristian Klausen
e52dbab833
keycloak: Register "required action" webauthn-register 2020-09-22 22:30:54 +00:00
Kristian Klausen
04e5d83034
keycloak: Add WebAuthn policy
Fix #120
2020-09-22 22:30:53 +00:00
Sven-Hendrik Haase
6b33a0d4b7
Implement new Keycloak group structure 2020-09-22 22:12:06 +00:00
Jelle van der Waa
76e334c635
Add new Support groups
Expand the Support group with subgroups for the Wiki, Forum, Security
Tracker and Archweb. The subgroups are just a placeholder for groups for
the roles which a user can be in for the service. New onboarded users
should be assigned to the correct groups for their Support staff team.
2020-09-10 22:32:29 +02:00
Jelle van der Waa
7183361c64
Setup Oauth for Grafana
Configure Grafana to use Keycloak OpenID Connect for authentication. For
now only DevOps is configured as admin and Arch Staff as general Viewer
roles.
2020-09-09 21:17:33 +00:00
Sven-Hendrik Haase
c1c24c5c37
keycloak: Redo all flows
We had to redesign all flows when discovering that we can't design flows exactly the way we wanted in Keycloak.
2020-09-08 15:29:58 +00:00
Sven-Hendrik Haase
880a794af9
keycloak: Add fallthroughs to doc everywhere 2020-09-08 15:29:58 +00:00
Kristian Klausen
7ea76e73cf
keycloak: Force OTP Setup for staff and external contributors
Broken by the last commit
2020-09-08 15:29:58 +00:00
Kristian Klausen
ef1e7b13a3
keycloak: Enable WebAuthn
Registering a new required action is currently not supported, so it
needs to be done manually.
See upstream bug: https://github.com/mrparkers/terraform-provider-keycloak/issues/354

Configuring the WebAuthn policy is currently not supported, so it needs
to be done manually.
See upstream bug: https://github.com/mrparkers/terraform-provider-keycloak/issues/355

Fix #28
2020-09-08 15:29:58 +00:00
Sven-Hendrik Haase
d2375c228a
keycloak: Set display_name_html explicitly so that the custom theme works
I know this seems a bit weird but this is how the Keycloak templates work. :P
2020-08-29 04:39:17 +02:00
Ira ㋡
103550f780
Set the login, account and admin theme to "archlinux" 2020-08-27 16:25:47 +09:00
Sven-Hendrik Haase
65400adeca
Upgrade to terraform 0.13 2020-08-27 07:17:09 +02:00
Levente Polyak
6bad158de4
keycloak: do not allow full scope for openid gitlab client
We do not want full scope to be allowed for the gitlab openid client. In
fact we already have it disabled, however the latest provider seems to
have changed something which makes terraform want to change this to
true. Set it explicitly to false to avoid changing
behavior.
2020-08-20 12:05:51 +02:00
Levente Polyak
a5fbc14b95
Revert "matrix: Integrate with Keycloak"
This reverts commit 8e4eac7df4.

Revert this feature as it's part of a keycloak change that must go
through review via a merge request.
2020-08-20 11:50:18 +02:00
Jan Alexander Steffens (heftig)
8e4eac7df4
matrix: Integrate with Keycloak 2020-08-19 20:24:16 +02:00
Jan Alexander Steffens (heftig)
4bb27da470
keycloak.tf: Add missing signature_algorithm
`terraform plan` tried to remove it.
2020-08-19 20:24:15 +02:00
Jelle van der Waa
5ac750c909
Add a prometheus exporter to Keycloak
Install keycloak-metrics-spi and configure it to provide prometheus
endpoints available as auth/realms/$realm/metrics. The prometheus
metrics are behind basic_auth as some metrics might be sensitive or can
be used by attackers. #23
2020-08-18 17:28:09 +02:00
Sven-Hendrik Haase
d0712657b9
keycloak: Switch to new account management page 2020-07-30 04:06:24 +02:00
Sven-Hendrik Haase
6d05d9a784
Enable Keycloak event logging (fixes #68) 2020-07-17 17:04:09 +02:00
Sven-Hendrik Haase
87af88cb22
Force OTP for some roles after identity provider login (#2) 2020-07-17 13:35:17 +00:00
Sven-Hendrik Haase
8942802cca
Add GitHub OAuth for Keycloak 2020-06-03 10:07:31 +00:00
Sven-Hendrik Haase
68eff09373
keycloak: Add Support group 2020-05-27 05:16:46 +02:00
Sven-Hendrik Haase
f06f1470e8
keycloak: Add recaptcha support (fixes #35) 2020-05-26 03:31:28 +02:00
Sven-Hendrik Haase
8ab0fdc9d0
keycloak: Some consistency fixes 2020-05-26 03:28:00 +02:00
Sven-Hendrik Haase
7f4d43f401
keycloak: Take a different approach for conditional OTP
It's pretty complicated to express what we want but we eventually succeeded. We even found a bug in Keycloak while implementing this and had to patch the package.
2020-05-25 18:06:32 +02:00
Sven-Hendrik Haase
93ba6a14c3
keycloak: Re-order stuff to make sure that Staff and External Contributor rules are checked first
If they are not checked first, we will run into a situation where we ask the user twice to provide an OTP.
2020-05-24 03:21:44 +02:00
Sven-Hendrik Haase
7564aac571
keycloak: Fix flow order and set Arch Browser as default login flow 2020-05-24 00:19:00 +02:00
Sven-Hendrik Haase
0d6c79ddc2
keycloak: Add Arch Browser authentication flow 2020-05-23 18:20:58 +02:00
Sven-Hendrik Haase
144d9e3319
keycloak: Cleanup Terraform config 2020-05-23 13:20:46 +02:00
Sven-Hendrik Haase
3400f088bd
keycloak: Add External Contributors role 2020-05-23 13:18:43 +02:00
Sven-Hendrik Haase
66527e98b5
keycloak: Rename some things around and add staff role 2020-05-22 23:51:40 +02:00
Sven-Hendrik Haase
9dc5a14c34
Make an Arch Linux Staff supergroup 2020-05-19 17:28:52 +02:00
Sven-Hendrik Haase
8074f8d407
Set basic password policy and add bruteforce protection 2020-05-19 12:55:25 +02:00
Sven-Hendrik Haase
07482482d1
Properly map SAML username to GitLab username 2020-05-02 06:40:14 +02:00
Sven-Hendrik Haase
bbb2284bed
Get rid of name mapper
GitLab will automatically construct the full name from LastName and FirstName.
2020-05-02 06:31:30 +02:00
Sven-Hendrik Haase
eacdda3e99
Fix for archlinux realm 2020-05-02 02:40:31 +02:00
Sven-Hendrik Haase
25a4192946
Use archlinux realm for applications instead of master 2020-05-02 00:04:33 +02:00
Frederik Schwan
f42fd92b83
Merge wip-keyclaok into master 2020-04-30 14:30:35 +02:00