authorarf20 <aruizfernandez05@gmail.com>2026-02-12 03:41:28 +0100
committerarf20 <aruizfernandez05@gmail.com>2026-02-12 03:41:28 +0100
commit13d4760f9f2421daf295de53d0bba9185716f744 (patch)
tree5498f35225bc4427800df7b8ef8324437e5e6bc8
parent1268fc89d97578875e43e64deda8eed13455f4b7 (diff)
keycloak stuff
-rw-r--r--arfnet2.html90
-rw-r--r--arfnet2.md52
-rw-r--r--arfnet2.pdfbin153088 -> 161793 bytes
3 files changed, 103 insertions, 39 deletions
diff --git a/arfnet2.html b/arfnet2.html
index e1d5757..f28d5c8 100644
--- a/arfnet2.html
+++ b/arfnet2.html
@@ -71,20 +71,47 @@ secure</li>
<li>Site to Site wireguard</li>
<li>Establish telephony</li>
</ul>
-<h3 id="stage-7-ca-pki-ldap-and-sso">*Stage 7: CA, PKI, LDAP and
-SSO</h3>
+<h3 id="stage-7-ca-pki-ldap-iam-and-sso">*Stage 7: CA, PKI, LDAP, IAM
+and SSO</h3>
+<p>Objectives</p>
<ul>
<li>Unify all logins</li>
<li>Single authentication and authorization LDAP store</li>
<li>SSO on as many services as possible</li>
<li>Private CA PKI server certs for private endpoint security</li>
-<li>User certificates for extra secure endpoints</li>
+<li>User certificates for extra secure clients mTLS</li>
</ul>
-<h3 id="stage-8-internal-dns">*Stage 8: Internal DNS</h3>
-<ul>
-<li>Drop OPNsense unbound, use BIND</li>
-<li>Use .local.arf20.com zone or something</li>
-<li>PiHole</li>
+<p>Steps</p>
+<ul class="task-list">
+<li><label><input type="checkbox" checked="" />Migrate .lan zone to
+.int.arf20.com at ARFNET BIND (misc)</label></li>
+<li><label><input type="checkbox" checked="" />Deploy
+piHole</label></li>
+<li><label><input type="checkbox" checked="" />Create Root CA with
+clca</label></li>
+<li><label><input type="checkbox" checked="" />Deploy OpenXPKI with
+it</label></li>
+<li><label><input type="checkbox" checked="" />Deploy OpenLDAP and set
+up schemas</label></li>
+<li><label><input type="checkbox" />OpenLDAP LDAPS with
+cert</label></li>
+<li><label><input type="checkbox" checked="" />Deploy Keycloak and give
+it a cert</label></li>
+<li><label><input type="checkbox" checked="" />Connect Keycloak to
+OpenLDAP</label></li>
+<li><label><input type="checkbox" />DNS on all internal
+services</label></li>
+<li><label><input type="checkbox" />Reverse proxy all internal
+services</label></li>
+<li><label><input type="checkbox" />Internal services
+dashboard</label></li>
+<li><label><input type="checkbox" />Give internal web service endpoints
+TLS certificates</label></li>
+<li><label><input type="checkbox" />Put SSO login on services where
+possible</label></li>
+<li><label><input type="checkbox" />Connect remaining services to
+LDAP</label></li>
+<li><label><input type="checkbox" />Kerberos and Keycloak</label></li>
</ul>
<h2 id="domain">Domain</h2>
<p>arf20.com</p>
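Review bot: the new step list leaves "OpenLDAP LDAPS with cert" unchecked while "Connect Keycloak to OpenLDAP" is checked, so as documented here the Keycloak bind to OpenLDAP runs over plain LDAP (slapd is listed on :389 further down this page) and the bind DN password and user attributes cross the network in cleartext until the LDAPS step is done; either move the LDAPS step ahead of the Keycloak connection step, or add a note that the Keycloak user federation must be switched to ldaps:// once the certificate is in place. Also, the removed Stage 8 item "Drop OPNsense unbound, use BIND" has no counterpart in the new list, so it is unclear whether that was done as part of the .lan to .int.arf20.com migration or silently dropped; say which.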
@@ -1059,6 +1086,7 @@ http://ca.lan:80</td>
<li>vaultwarden :8000</li>
<li>OpenLDAP slapd :389</li>
<li>ldap-account-manager :8389</li>
+<li>Keycloak :8443</li>
</ul>
<table>
<thead>
@@ -1315,6 +1343,8 @@ CT</h3>
</ul></li>
<li>apache2 :80</li>
</ul>
+<h3 id="pihole-dmz.25-debian-13-ct">pihole DMZ.25 Debian 13 CT</h3>
+<p>Pihole</p>
<hr />
<h3 id="mail-arfnet-ionos-vps-5.250.186.185-2001ba0210d6001">mail
(ARFNET-IONOS VPS) 5.250.186.185 2001:ba0:210:d600::1</h3>
@@ -1487,55 +1517,65 @@ Number Assignation Table</h2>
<td></td>
</tr>
<tr class="even">
+<td>DMZ.17</td>
+<td>[reserved]</td>
+<td></td>
+</tr>
+<tr class="odd">
<td>DMZ.15</td>
<td>(t2)</td>
<td>T/2 SDE build box</td>
</tr>
-<tr class="odd">
+<tr class="even">
<td>DMZ.16</td>
<td>pubnix</td>
<td></td>
</tr>
-<tr class="even">
+<tr class="odd">
<td>DMZ.17</td>
<td>[reserved]</td>
<td>for future raspi</td>
</tr>
-<tr class="odd">
+<tr class="even">
<td>DMZ.18</td>
-<td>ata.lan</td>
+<td>ata</td>
<td>Linksys ATA</td>
</tr>
-<tr class="even">
+<tr class="odd">
<td>DMZ.19</td>
-<td>cucmelan</td>
+<td>cucm</td>
<td>Cisco CallManager</td>
</tr>
-<tr class="odd">
+<tr class="even">
<td>DMZ.20</td>
-<td>callbox.lan</td>
+<td>callbox</td>
<td>5G gNodeB</td>
</tr>
-<tr class="even">
+<tr class="odd">
<td>DMZ.21</td>
-<td>dn42.lan</td>
+<td>dn42</td>
<td>DN42 edge router</td>
</tr>
-<tr class="odd">
+<tr class="even">
<td>DMZ.22</td>
-<td>open5gs.lan</td>
+<td>open5gs</td>
<td>Open5GS 5G core</td>
</tr>
-<tr class="even">
+<tr class="odd">
<td>DMZ.23</td>
-<td>dn42-services.lan</td>
+<td>dn42-services</td>
<td>DN42 service machine</td>
</tr>
-<tr class="odd">
+<tr class="even">
<td>DMZ.24</td>
-<td>ca.lan</td>
+<td>ca</td>
<td>Certificate Authority</td>
</tr>
+<tr class="odd">
+<td>DMZ.25</td>
+<td>pihole</td>
+<td>pihole</td>
+</tr>
<tr class="even">
<td></td>
<td></td>
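Review bot: the duplicated DMZ.17 row and the reshuffled odd/even row classes in this hunk are pandoc output from arfnet2.md; the duplicate should be fixed in the markdown source and the HTML regenerated rather than patched by hand, otherwise the two files drift apart.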
@@ -2135,6 +2175,8 @@ service, ticket and invoice management system</li>
list browser</li>
<li><a href="https://cgit.arf20.com/arfnet2-status">status</a>: status
monitor</li>
+<li><a href="https://cgit.arf20.com/arfnet2-search">search</a>: fast
+file indexer and search</li>
</ul>
</body>
</html>
diff --git a/arfnet2.md b/arfnet2.md
index 78a1db9..fa3d3be 100644
--- a/arfnet2.md
+++ b/arfnet2.md
@@ -45,19 +45,33 @@ After the disastrous ISP [schism](http://arf20.com/explanation.txt)
- Site to Site wireguard
- Establish telephony
-### \*Stage 7: CA, PKI, LDAP and SSO
+### \*Stage 7: CA, PKI, LDAP, IAM and SSO
+
+Objectives
- Unify all logins
- Single authentication and authorization LDAP store
- SSO on as many services as possible
- Private CA PKI server certs for private endpoint security
- - User certificates for extra secure endpoints
-
-### \*Stage 8: Internal DNS
-
- - Drop OPNsense unbound, use BIND
- - Use .local.arf20.com zone or something
- - PiHole
+ - User certificates for extra secure clients mTLS
+
+Steps
+
+ - [X] Migrate .lan zone to .int.arf20.com at ARFNET BIND (misc)
+ - [X] Deploy piHole
+ - [X] Create Root CA with clca
+ - [X] Deploy OpenXPKI with it
+ - [X] Deploy OpenLDAP and set up schemas
+ - [ ] OpenLDAP LDAPS with cert
+ - [X] Deploy Keycloak and give it a cert
+ - [X] Connect Keycloak to OpenLDAP
+ - [ ] DNS on all internal services
+ - [ ] Reverse proxy all internal services
+ - [ ] Internal services dashboard
+ - [ ] Give internal web service endpoints TLS certificates
+ - [ ] Put SSO login on services where possible
+ - [ ] Connect remaining services to LDAP
+ - [ ] Kerberos and Keycloak
## Domain
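Review bot: "Objectives" and "Steps" are bare paragraphs while every other section label in this document is a `###` heading; they render as `<p>` in the generated HTML and so never appear in any table of contents, so `#### Objectives` and `#### Steps` would be more consistent. The blank-line usage is also uneven: "Steps" is followed by an empty line before its list but "Objectives" is not, and "Deploy piHole" in the task list does not match the "Pihole"/"pihole" spelling used in the rest of this change.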
@@ -402,6 +416,7 @@ RAID attached here (with the grey stuff) (local only)
- vaultwarden :8000
- OpenLDAP slapd :389
- ldap-account-manager :8389
+ - Keycloak :8443
| vhost | webroot/proxy | Comment |
|-------|---------------|---------|
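Review bot: Keycloak :8443 is added to the port list, but the vhost table that immediately follows is left unchanged, so there is no record of how Keycloak is reached by name; if it is meant to sit behind the reverse proxy (the "Reverse proxy all internal services" step is still unchecked), add the vhost row, and if :8443 is Keycloak's own TLS listener using the cert from the "Deploy Keycloak and give it a cert" step, say so next to the port.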
@@ -534,6 +549,10 @@ Certificate Authority PKI
- clientd
- apache2 :80
+### pihole DMZ.25 Debian 13 CT
+
+Pihole
+
---
### mail (ARFNET-IONOS VPS) 5.250.186.185 2001:ba0:210:d600::1
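Review bot: the new pihole section body is the single word "Pihole", whereas the neighbouring host sections list the services and listening ports (the CA section just above ends with `- clientd` and `- apache2 :80`); fill in what the host runs and on which ports, and note which clients use it as their resolver and how it forwards to the ARFNET BIND zone from the Stage 7 migration, so the internal DNS path is documented in one place.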
@@ -606,16 +625,18 @@ DMZ IPv4s and IPv6 ends in the same way
| DMZ.11 | game.lan | |
| DMZ.12 | comm.lan | |
| DMZ.13 | misc.lan | |
+| DMZ.17 | [reserved] | |
| DMZ.15 | (t2) | T/2 SDE build box |
| DMZ.16 | pubnix | |
| DMZ.17 | [reserved] | for future raspi |
-| DMZ.18 | ata.lan | Linksys ATA |
-| DMZ.19 | cucmelan | Cisco CallManager |
-| DMZ.20 | callbox.lan | 5G gNodeB |
-| DMZ.21 | dn42.lan | DN42 edge router |
-| DMZ.22 | open5gs.lan | Open5GS 5G core |
-| DMZ.23 | dn42-services.lan | DN42 service machine |
-| DMZ.24 | ca.lan | Certificate Authority |
+| DMZ.18 | ata | Linksys ATA |
+| DMZ.19 | cucm | Cisco CallManager |
+| DMZ.20 | callbox| 5G gNodeB |
+| DMZ.21 | dn42 | DN42 edge router |
+| DMZ.22 | open5gs | Open5GS 5G core |
+| DMZ.23 | dn42-services | DN42 service machine |
+| DMZ.24 | ca | Certificate Authority |
+| DMZ.25 | pihole | pihole |
| | | |
| DMZ.192 | yero-debian | yero.lan |
| DMZ.195 | exo-debian | exo.lan |
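Review bot: the inserted row `| DMZ.17 | [reserved] | |` duplicates the existing DMZ.17 row a few lines below and sits between DMZ.13 and DMZ.15, breaking the ascending order of the table; DMZ.14 is the only address missing from the sequence, so this is most likely a typo for it, but it should be confirmed before the row is corrected. Separately, `| DMZ.20 | callbox| 5G gNodeB |` is missing the space before the pipe; pandoc tolerates it, but it is inconsistent with the other rows.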
@@ -735,4 +756,5 @@ Site-B:PiSoNet
- [cstims](https://cgit.arf20.com/arfnet2-cstims): client, service, ticket and invoice management system
- [lists](https://cgit.arf20.com/arfnet2-lists): mailing list browser
- [status](https://cgit.arf20.com/arfnet2-status): status monitor
+ - [search](https://cgit.arf20.com/arfnet2-search): fast file indexer and search
diff --git a/arfnet2.pdf b/arfnet2.pdf
index 59df365..d0bfe65 100644
--- a/arfnet2.pdf
+++ b/arfnet2.pdf
Binary files differ