From 4ac5ad64bf7883c63ba02ecd1f1091cab08126f0 Mon Sep 17 00:00:00 2001
From: arf20 <aruizfernandez05@gmail.com>
Date: Fri, 13 Feb 2026 21:21:56 +0100
Subject: LDAP jellyfin

---
 arfnet2.html | 82 ++++++++++++++++++++++++++++++++++++++++--------------------
 1 file changed, 55 insertions(+), 27 deletions(-)

(limited to 'arfnet2.html')

diff --git a/arfnet2.html b/arfnet2.html
index f28d5c8..4abb8fd 100644
--- a/arfnet2.html
+++ b/arfnet2.html
@@ -82,7 +82,7 @@ and SSO</h3>
 <li>User certificates for extra secure clients mTLS</li>
 </ul>
 <p>Steps</p>
-<ul class="task-list">
+<ul>
 <li><label><input type="checkbox" checked="" />Migrate .lan zone to
 .int.arf20.com at ARFNET BIND (misc)</label></li>
 <li><label><input type="checkbox" checked="" />Deploy
@@ -91,26 +91,25 @@ piHole</label></li>
 clca</label></li>
 <li><label><input type="checkbox" checked="" />Deploy OpenXPKI with
 it</label></li>
+<li>[#] OpenXPKI ACME</li>
 <li><label><input type="checkbox" checked="" />Deploy OpenLDAP and set
 up schemas</label></li>
-<li><label><input type="checkbox" />OpenLDAP LDAPS with
+<li><label><input type="checkbox" checked="" />OpenLDAP LDAPS with
 cert</label></li>
 <li><label><input type="checkbox" checked="" />Deploy Keycloak and give
 it a cert</label></li>
 <li><label><input type="checkbox" checked="" />Connect Keycloak to
 OpenLDAP</label></li>
-<li><label><input type="checkbox" />DNS on all internal
-services</label></li>
-<li><label><input type="checkbox" />Reverse proxy all internal
+<li><label><input type="checkbox" checked="" />DNS on all internal
 services</label></li>
-<li><label><input type="checkbox" />Internal services
+<li>[#] Reverse proxy all internal services</li>
+<li><label><input type="checkbox" checked="" />Internal services
 dashboard</label></li>
-<li><label><input type="checkbox" />Give internal web service endpoints
-TLS certificates</label></li>
+<li><label><input type="checkbox" checked="" />Give internal web service
+endpoints TLS certificates</label></li>
+<li>[#] Connect non-SSO services to LDAP</li>
 <li><label><input type="checkbox" />Put SSO login on services where
 possible</label></li>
-<li><label><input type="checkbox" />Connect remaining services to
-LDAP</label></li>
 <li><label><input type="checkbox" />Kerberos and Keycloak</label></li>
 </ul>
 <h2 id="domain">Domain</h2>
@@ -837,8 +836,8 @@ unbound config)</li>
 <li>Samba SMB*</li>
 <li>MiniDLNA*</li>
 <li>FTP</li>
-<li>qBittorrent-nox</li>
-<li>jellyfin</li>
+<li>qBittorrent-nox :8085</li>
+<li>jellyfin :8096</li>
 <li>nginx</li>
 <li>mpd :8000</li>
 </ul>
@@ -852,7 +851,7 @@ unbound config)</li>
 </thead>
 <tbody>
 <tr class="odd">
-<td>dark.arf20.com</td>
+<td>default</td>
 <td>/d/FTPServer/</td>
 <td>Allow only VPS and private</td>
 </tr>
@@ -1420,24 +1419,11 @@ VPS) 92.60.77.4</h3>
 </tbody>
 </table>
 <hr />
-<h3 id="yero-debian-vps-dmz.192-yero">yero-debian VPS DMZ.192
-(yero)</h3>
-<ul>
-<li>SSH</li>
-<li>mariadb</li>
-<li>FiveM SuperioresRP</li>
-</ul>
-<h3 id="exo-debian-vps-dmz.195-exo">exo-debian VPS DMZ.195 (exo)</h3>
+<h3 id="exo-vps-vps-dmz.195-exo">exo-vps VPS DMZ.195 (exo)</h3>
 <ul>
 <li>SSH</li>
 <li>netbox</li>
 </ul>
-<h3 id="loofa-debian-vps-dmz.196-loofa">loofa-debian VPS DMZ.196
-(loofa)</h3>
-<ul>
-<li>SSH</li>
-<li>?</li>
-</ul>
 <p>*TODO</p>
 <h2 id="internal-name-and-number-assignation-table">Internal Name and
 Number Assignation Table</h2>
@@ -2167,6 +2153,48 @@ Number Assignation Table</h2>
 </tr>
 </tbody>
 </table>
+<h3 id="pki-authentication-and-authorization-architecture">PKI,
+authentication and authorization architecture</h3>
+<pre><code>                              +-------+
+                              | clCA  |
+                              +-------+
+                                  | 
+                                  v 
+                             +----------+          
+      + - - - - - - - - - - -| OpenXPKI |          
+                             +----------+          
+      |                           | LDAPS cert and cert store
+                                  v
+      |       +-----------------------------------------------------------+
+              |                      OpenLDAP                             |
+      |       +-----------------------------------------------------------+
+                ^           ^         ^         ^                
+      |         |           |         |         |                
+           +--------+ +----------+    |     +----------+              
+      |    |  app   | |   app    |    | +--&gt;| Kerberos |              
+           | secure | | SSO-less |    | |   +----------+              
+      |    +--------+ +----------+    | |                  
+                ^             ^    +----------+ OAuth2  +---------+
+      |         |             |    | Keycloak |--------&gt;| app     |
+                |             |    +----------+ /SAML   | SSO-ful |
+      |         |             |      ^                  +---------+
+                |             |      | 2FA                   
+      |         |             |      |
+           +--------+       +----------+
+      + - &gt;| client |       | clients  |
+           +--------+       +----------+
+       with cert from CA    password based </code></pre>
+<ul>
+<li>LDAP applications
+<ul>
+<li>Jellyfin</li>
+<li>pubnix*</li>
+</ul></li>
+<li>SSO applications
+<ul>
+<li>qBittorrent*</li>
+</ul></li>
+</ul>
 <h2 id="custom-arfnet-software">Custom ARFNET software</h2>
 <ul>
 <li><a href="https://cgit.arf20.com/arfnet2-cstims">cstims</a>: client,
-- 
cgit v1.2.3