diff options
| author | arf20 <aruizfernandez05@gmail.com> | 2026-02-12 03:41:28 +0100 |
|---|---|---|
| committer | arf20 <aruizfernandez05@gmail.com> | 2026-02-12 03:41:28 +0100 |
| commit | 13d4760f9f2421daf295de53d0bba9185716f744 (patch) | |
| tree | 5498f35225bc4427800df7b8ef8324437e5e6bc8 /arfnet2.md | |
| parent | 1268fc89d97578875e43e64deda8eed13455f4b7 (diff) | |
| download | arfnet2-13d4760f9f2421daf295de53d0bba9185716f744.tar.gz arfnet2-13d4760f9f2421daf295de53d0bba9185716f744.zip | |
keycloak stuff
Diffstat (limited to 'arfnet2.md')
| -rw-r--r-- | arfnet2.md | 52 |
1 files changed, 37 insertions, 15 deletions
@@ -45,19 +45,33 @@ After the disastrous ISP [schism](http://arf20.com/explanation.txt) - Site to Site wireguard - Establish telephony -### \*Stage 7: CA, PKI, LDAP and SSO +### \*Stage 7: CA, PKI, LDAP, IAM and SSO + +Objectives - Unify all logins - Single authentication and authorization LDAP store - SSO on as many services as possible - Private CA PKI server certs for private endpoint security - - User certificates for extra secure endpoints - -### \*Stage 8: Internal DNS - - - Drop OPNsense unbound, use BIND - - Use .local.arf20.com zone or something - - PiHole + - User certificates for extra secure clients mTLS + +Steps + + - [X] Migrate .lan zone to .int.arf20.com at ARFNET BIND (misc) + - [X] Deploy piHole + - [X] Create Root CA with clca + - [X] Deploy OpenXPKI with it + - [X] Deploy OpenLDAP and set up schemas + - [ ] OpenLDAP LDAPS with cert + - [X] Deploy Keycloak and give it a cert + - [X] Connect Keycloak to OpenLDAP + - [ ] DNS on all internal services + - [ ] Reverse proxy all internal services + - [ ] Internal services dashboard + - [ ] Give internal web service endpoints TLS certificates + - [ ] Put SSO login on services where possible + - [ ] Connect remaining services to LDAP + - [ ] Kerberos and Keycloak ## Domain @@ -402,6 +416,7 @@ RAID attached here (with the grey stuff) (local only) - vaultwarden :8000 - OpenLDAP slapd :389 - ldap-account-manager :8389 + - Keycloak :8443 | vhost | webroot/proxy | Comment | |-------|---------------|---------| @@ -534,6 +549,10 @@ Certificate Authority PKI - clientd - apache2 :80 +### pihole DMZ.25 Debian 13 CT + +Pihole + --- ### mail (ARFNET-IONOS VPS) 5.250.186.185 2001:ba0:210:d600::1 @@ -606,16 +625,18 @@ DMZ IPv4s and IPv6 ends in the same way | DMZ.11 | game.lan | | | DMZ.12 | comm.lan | | | DMZ.13 | misc.lan | | +| DMZ.17 | [reserved] | | | DMZ.15 | (t2) | T/2 SDE build box | | DMZ.16 | pubnix | | | DMZ.17 | [reserved] | for future raspi | -| DMZ.18 | ata.lan | Linksys ATA | -| DMZ.19 | cucmelan | Cisco CallManager | -| DMZ.20 | callbox.lan | 5G gNodeB | -| DMZ.21 | dn42.lan | DN42 edge router | -| DMZ.22 | open5gs.lan | Open5GS 5G core | -| DMZ.23 | dn42-services.lan | DN42 service machine | -| DMZ.24 | ca.lan | Certificate Authority | +| DMZ.18 | ata | Linksys ATA | +| DMZ.19 | cucm | Cisco CallManager | +| DMZ.20 | callbox| 5G gNodeB | +| DMZ.21 | dn42 | DN42 edge router | +| DMZ.22 | open5gs | Open5GS 5G core | +| DMZ.23 | dn42-services | DN42 service machine | +| DMZ.24 | ca | Certificate Authority | +| DMZ.25 | pihole | pihole | | | | | | DMZ.192 | yero-debian | yero.lan | | DMZ.195 | exo-debian | exo.lan | @@ -735,4 +756,5 @@ Site-B:PiSoNet - [cstims](https://cgit.arf20.com/arfnet2-cstims): client, service, ticket and invoice management system - [lists](https://cgit.arf20.com/arfnet2-lists): mailing list browser - [status](https://cgit.arf20.com/arfnet2-status): status monitor + - [search](https://cgit.arf20.com/arfnet2-search): fast file indexer and search |