From 13d4760f9f2421daf295de53d0bba9185716f744 Mon Sep 17 00:00:00 2001 From: arf20 Date: Thu, 12 Feb 2026 03:41:28 +0100 Subject: keycloak stuff --- arfnet2.md | 52 +++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 37 insertions(+), 15 deletions(-) (limited to 'arfnet2.md') diff --git a/arfnet2.md b/arfnet2.md index 78a1db9..fa3d3be 100644 --- a/arfnet2.md +++ b/arfnet2.md @@ -45,19 +45,33 @@ After the disastrous ISP [schism](http://arf20.com/explanation.txt) - Site to Site wireguard - Establish telephony -### \*Stage 7: CA, PKI, LDAP and SSO +### \*Stage 7: CA, PKI, LDAP, IAM and SSO + +Objectives - Unify all logins - Single authentication and authorization LDAP store - SSO on as many services as possible - Private CA PKI server certs for private endpoint security - - User certificates for extra secure endpoints - -### \*Stage 8: Internal DNS - - - Drop OPNsense unbound, use BIND - - Use .local.arf20.com zone or something - - PiHole + - User certificates for extra secure clients mTLS + +Steps + + - [X] Migrate .lan zone to .int.arf20.com at ARFNET BIND (misc) + - [X] Deploy piHole + - [X] Create Root CA with clca + - [X] Deploy OpenXPKI with it + - [X] Deploy OpenLDAP and set up schemas + - [ ] OpenLDAP LDAPS with cert + - [X] Deploy Keycloak and give it a cert + - [X] Connect Keycloak to OpenLDAP + - [ ] DNS on all internal services + - [ ] Reverse proxy all internal services + - [ ] Internal services dashboard + - [ ] Give internal web service endpoints TLS certificates + - [ ] Put SSO login on services where possible + - [ ] Connect remaining services to LDAP + - [ ] Kerberos and Keycloak ## Domain @@ -402,6 +416,7 @@ RAID attached here (with the grey stuff) (local only) - vaultwarden :8000 - OpenLDAP slapd :389 - ldap-account-manager :8389 + - Keycloak :8443 | vhost | webroot/proxy | Comment | |-------|---------------|---------| @@ -534,6 +549,10 @@ Certificate Authority PKI - clientd - apache2 :80 +### pihole DMZ.25 Debian 13 CT + +Pihole + --- ### mail (ARFNET-IONOS VPS) 5.250.186.185 2001:ba0:210:d600::1 @@ -606,16 +625,18 @@ DMZ IPv4s and IPv6 ends in the same way | DMZ.11 | game.lan | | | DMZ.12 | comm.lan | | | DMZ.13 | misc.lan | | +| DMZ.17 | [reserved] | | | DMZ.15 | (t2) | T/2 SDE build box | | DMZ.16 | pubnix | | | DMZ.17 | [reserved] | for future raspi | -| DMZ.18 | ata.lan | Linksys ATA | -| DMZ.19 | cucmelan | Cisco CallManager | -| DMZ.20 | callbox.lan | 5G gNodeB | -| DMZ.21 | dn42.lan | DN42 edge router | -| DMZ.22 | open5gs.lan | Open5GS 5G core | -| DMZ.23 | dn42-services.lan | DN42 service machine | -| DMZ.24 | ca.lan | Certificate Authority | +| DMZ.18 | ata | Linksys ATA | +| DMZ.19 | cucm | Cisco CallManager | +| DMZ.20 | callbox| 5G gNodeB | +| DMZ.21 | dn42 | DN42 edge router | +| DMZ.22 | open5gs | Open5GS 5G core | +| DMZ.23 | dn42-services | DN42 service machine | +| DMZ.24 | ca | Certificate Authority | +| DMZ.25 | pihole | pihole | | | | | | DMZ.192 | yero-debian | yero.lan | | DMZ.195 | exo-debian | exo.lan | @@ -735,4 +756,5 @@ Site-B:PiSoNet - [cstims](https://cgit.arf20.com/arfnet2-cstims): client, service, ticket and invoice management system - [lists](https://cgit.arf20.com/arfnet2-lists): mailing list browser - [status](https://cgit.arf20.com/arfnet2-status): status monitor + - [search](https://cgit.arf20.com/arfnet2-search): fast file indexer and search -- cgit v1.2.3