mirror of https://gitlab.archlinux.org/archlinux/infrastructure.git synced 2024-05-27 14:46:13 +02:00
Commit Graph

54 Commits

Author SHA1 Message Date
Sven-Hendrik Haase 729fd21542 keycloak: Enable account registration (fixes 39) 2021-09-04 15:16:15 +02:00
Ira ㋡ 249ae2a728 Make terms and conditions required by default via terraform provider 2021-09-04 13:01:55 +02:00
Evangelos Foutras faba3a3d7c
misc/get_key.py: load vault file without chdir'ing
Now that misc/get_key.py checks if the vault file passed to it exists,
we cannot pass paths only resolvable from the root directory. Instead,
use paths that make sense relative to the current directory and avoid
calling chdir when loading the vault file.

Fixes: 7754214604 ("Rewrite get_key.py to use click instead of typer")
2021-07-07 15:18:41 +03:00
Thorben Günther e7aa7f09a7 grafana: Use builtin functionality to restrict access
This reverts commit 649568e7 ("Restrict Grafana access to Arch Linux
Staff group on Keycloak (fixes #151)").
2021-07-06 22:53:04 +02:00
Jelle van der Waa f741bc6a20
Terraform uptimerobot monitors
Add our uptimerobot to terraform so it's managed in code and we can
easily extend it. This currently only adds our to be monitored sites and
leaves the status page as is now.

Deleting resources on uptimerobot will cause terraform to be unable to run,
see: https://github.com/louy/terraform-provider-uptimerobot/issues/82

References: #209
2021-05-18 22:51:16 +02:00
Jan Alexander Steffens (heftig) 745795594f
keycloak: Enable add_to_id_token for matrix role mapper
Synapse only inspects the userinfo.
2021-04-15 15:02:53 +02:00
Jan Alexander Steffens (heftig) 3e475457c5 matrix: Integrate with Keycloak
Closes https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/94
2021-04-15 12:37:34 +00:00
Jelle van der Waa a434870b9f
Restrict Grafana access to DevOps
As our grafana now contains Loki logs, we don't want non-DevOps to view
logs which potentially contain sensitive data. As Grafana does not have
a system to easily restrict data sources to roles we use Keycloak.
2021-04-08 21:01:22 +02:00
Sven-Hendrik Haase 75146bcc8b
Fix mode of .terraform.lock.hcl 2021-03-19 13:53:50 +01:00
Jelle van der Waa 3124cfd933
Add hedgedoc as new service
This adds a collaborative markdown editor as newly offered service which
is available via login for all Arch Linux Staff with an option to allow
anonymous edits by users (not default). Users are managed via keycloak
and require the Staff role to be allowed in; non-staff keycloak users
currently will receive an internal server error due to an upstream
issue.
2021-02-01 21:59:30 +01:00
Kristian Klausen 56865f8c9e Migrate all services to use implicit TLS for SMTP Submission 2020-12-24 23:43:57 +00:00
Sven-Hendrik Haase 649568e703 Restrict Grafana access to Arch Linux Staff group on Keycloak (fixes #151) 2020-12-11 19:59:57 +00:00
Sven-Hendrik Haase e049e89e9a
Upgrade to Terraform 0.14
This process didn't need any source changes but it added the new Terraform lockfiles.
2020-12-10 21:53:50 +01:00
Frederik Schwan 80c22539b9
introduce terraform fmt to the CI to improve readability 2020-10-22 13:45:19 +02:00
Sven-Hendrik Haase 1f9c854d46
Import config from Keycloak
This is now possible because of terraform-provider-keycloak 2.0.0 :D
2020-09-23 01:34:02 +02:00
Kristian Klausen 2fd1c89a04 keycloak: Bump provider version 2020-09-22 22:30:54 +00:00
Kristian Klausen e52dbab833 keycloak: Register "required action" webauthn-register 2020-09-22 22:30:54 +00:00
Kristian Klausen 04e5d83034 keycloak: Add WebAuthn policy
Fix #120
2020-09-22 22:30:53 +00:00
Sven-Hendrik Haase 6b33a0d4b7 Implement new Keycloak group structure 2020-09-22 22:12:06 +00:00
Jelle van der Waa 76e334c635
Add new Support groups
Expand the Support group with subgroups for the Wiki, Forum, Security
Tracker and Archweb. The subgroups are just a placeholder for groups for
the roles which a user can be in for the service. New onboarded users
should be assigned to correct groups for their Support staff team.
2020-09-10 22:32:29 +02:00
Jelle van der Waa 7183361c64 Set up OAuth for Grafana
Configure Grafana to use Keycloak OpenID Connect for authentication. For
now only DevOps is configured as admin and Arch Staff as general Viewer
roles.
2020-09-09 21:17:33 +00:00
Sven-Hendrik Haase c1c24c5c37 keycloak: Redo all flows
We had to redesign all flows when discovering that we can't design flows exactly the way we wanted in Keycloak.
2020-09-08 15:29:58 +00:00
Sven-Hendrik Haase 880a794af9 keycloak: Add fallthroughs to doc everywhere 2020-09-08 15:29:58 +00:00
Kristian Klausen 7ea76e73cf keycloak: Force OTP Setup for staff and external contributors
Broken by the last commit
2020-09-08 15:29:58 +00:00
Kristian Klausen ef1e7b13a3 keycloak: Enable WebAuthn
Registering a new required action is currently not supported, so it
needs to be done manually.
See upstream bug: https://github.com/mrparkers/terraform-provider-keycloak/issues/354

Configuring the WebAuthn policy is currently not supported, so it needs
to be done manually.
See upstream bug: https://github.com/mrparkers/terraform-provider-keycloak/issues/355

Fix #28
2020-09-08 15:29:58 +00:00
Sven-Hendrik Haase d2375c228a
keycloak: Set display_name_html explicitly so that the custom theme works
I know this seems a bit weird but this is how the Keycloak templates work. :P
2020-08-29 04:39:17 +02:00
Ira ㋡ 103550f780
Set the login, account and admin theme to "archlinux" 2020-08-27 16:25:47 +09:00
Sven-Hendrik Haase 65400adeca
Upgrade to terraform 0.13 2020-08-27 07:17:09 +02:00
Levente Polyak 6bad158de4
keycloak: do not allow full scope for openid gitlab client
We do not want full scope to be allowed for the gitlab openid client. In
fact we already have it disabled, however the latest provider seems to
have changed something which makes terraform to have the desire to
change this to true. Set it explicitly to false to avoid changing
behavior.
2020-08-20 12:05:51 +02:00
Levente Polyak a5fbc14b95
Revert "matrix: Integrate with Keycloak"
This reverts commit 8e4eac7df4.

Revert this feature as it's part of a keycloak change that must go
through review via a merge request.
2020-08-20 11:50:18 +02:00
Jan Alexander Steffens (heftig) 8e4eac7df4
matrix: Integrate with Keycloak 2020-08-19 20:24:16 +02:00
Jan Alexander Steffens (heftig) 4bb27da470
keycloak.tf: Add missing signature_algorithm
`terraform plan` tried to remove it.
2020-08-19 20:24:15 +02:00
Jelle van der Waa 5ac750c909
Add a prometheus exporter to Keycloak
Install keycloak-metrics-spi and configure it to provide prometheus
endpoints available as auth/realms/$realm/metrics. The prometheus
metrics are behind basic_auth as some metrics might be sensitive or can
be used by attackers. #23
2020-08-18 17:28:09 +02:00
Sven-Hendrik Haase d0712657b9
keycloak: Switch to new account management page 2020-07-30 04:06:24 +02:00
Sven-Hendrik Haase 6d05d9a784
Enable Keycloak event logging (fixes #68) 2020-07-17 17:04:09 +02:00
Sven-Hendrik Haase 87af88cb22 Force OTP for some roles after identity provider login (#2) 2020-07-17 13:35:17 +00:00
Sven-Hendrik Haase 8942802cca Add GitHub OAuth for Keycloak 2020-06-03 10:07:31 +00:00
Sven-Hendrik Haase 68eff09373
keycloak: Add Support group 2020-05-27 05:16:46 +02:00
Sven-Hendrik Haase f06f1470e8
keycloak: Add recaptcha support (fixes #35) 2020-05-26 03:31:28 +02:00
Sven-Hendrik Haase 8ab0fdc9d0
keycloak: Some consistency fixes 2020-05-26 03:28:00 +02:00
Sven-Hendrik Haase 7f4d43f401
keycloak: Take a different approach for conditional OTP
It's pretty complicated to express what we want but we eventually succeeded. We even found a bug in Keycloak while implementing this and had to patch the package.
2020-05-25 18:06:32 +02:00
Sven-Hendrik Haase 93ba6a14c3
keycloak: Re-order stuff to make sure that Staff and External Contributor rules are checked first
If they are not checked first, we will run into a situation where we ask the user twice to provide an OTP.
2020-05-24 03:21:44 +02:00
Sven-Hendrik Haase 7564aac571
keycloak: Fix flow order and set Arch Browser as default login flow 2020-05-24 00:19:00 +02:00
Sven-Hendrik Haase 0d6c79ddc2
keycloak: Add Arch Browser authentication flow 2020-05-23 18:20:58 +02:00
Sven-Hendrik Haase 144d9e3319
keycloak: Cleanup Terraform config 2020-05-23 13:20:46 +02:00
Sven-Hendrik Haase 3400f088bd
keycloak: Add External Contributors role 2020-05-23 13:18:43 +02:00
Sven-Hendrik Haase 66527e98b5
keycloak: Rename some things around and add staff role 2020-05-22 23:51:40 +02:00
Sven-Hendrik Haase 9dc5a14c34
Make an Arch Linux Staff supergroup 2020-05-19 17:28:52 +02:00
Sven-Hendrik Haase 8074f8d407
Set basic password policy and add bruteforce protection 2020-05-19 12:55:25 +02:00
Sven-Hendrik Haase 07482482d1
Properly map SAML username to GitLab username 2020-05-02 06:40:14 +02:00