From 8c2585242868a4372eb77f4712e4252c4e4f3dd9 Mon Sep 17 00:00:00 2001 From: kenpat Date: Mon, 15 Jun 2026 08:51:54 -0500 Subject: [PATCH] 2026-06-15: Forgejo sync fixed, osTicket LDAP SSO complete, capstone started --- MEMORY.md | 2 +- project-kitestacks-migration.md | 57 +++++++++++++++++++++++++++++++++ 2 files changed, 58 insertions(+), 1 deletion(-) diff --git a/MEMORY.md b/MEMORY.md index 568c1fe..ff0cb8e 100644 --- a/MEMORY.md +++ b/MEMORY.md @@ -1,4 +1,4 @@ -- [KiteStacks migration + Hetzner cloud failover (COMPLETE)](project-kitestacks-migration.md) — monk primary, kscloud1 cloud replica, Oracle VPS migration STALLED (capacity). 2026-06-13/14: osTicket live at tasks.kitestacks.com on both hosts, DB unified onto kscloud1 (100.123.254.52:3306, Tailscale), new private repo kenpat/osticket-capstone created. Forgejo SSO button renamed to Authentik. kscloud1 Forgejo has wrong ROOT_URL + only 1 repo — fix during Oracle migration. +- [KiteStacks migration + Hetzner cloud failover (COMPLETE)](project-kitestacks-migration.md) — monk primary, kscloud1 cloud replica, Oracle VPS STALLED (Chicago capacity). 2026-06-14/15: Forgejo synced (13 repos both hosts, ROOT_URL fixed, cron sync). osTicket Authentik LDAP SSO WORKING — auth-ldap.phar triple-patched, authentik-ldap+socat-proxy containers on monk, authentik-ldap on kscloud1. Per Scholas capstone IN PROGRESS. - [Forgejo doc redaction rule](feedback-forgejo-redaction.md) — always redact IPs, ports, and passwords in any homelab Forgejo repo files before committing. - [A+ Core 2 study plan](project-a-plus-core2.md) — exam goal June 28 2026, started 2026-06-11 9:15 PM, Professor Messer diagnostic first, CertMaster next week. - [Per Scholas IT Support Capstone](project_per_scholas_capstone.md) — 5-phase migration/ticketing team challenge, connected to osTicket+MariaDB on kscloud1. AI=junior assistant, must verify with evidence. diff --git a/project-kitestacks-migration.md b/project-kitestacks-migration.md index c411ffe..9dce622 100644 --- a/project-kitestacks-migration.md +++ b/project-kitestacks-migration.md @@ -551,3 +551,60 @@ against the public hostname can hit the wrong DB; use monk's local needs 3rd-party OAuth2/SAML plugin) - NOT YET DONE. - End-user ticket submission uses osTicket's native client portal signup (works out of the box, no SSO needed). + +## 2026-06-14/15: Forgejo sync fixed + osTicket Authentik LDAP SSO complete + +### Forgejo sync (monk → kscloud1) - FIXED +- Ran `docker exec -u git forgejo /app/gitea/gitea dump` on monk, scp'd to kscloud1 +- Restored: 13 repos + DB synced, ROOT_URL fixed on kscloud1 to `https://gitforge.kitestacks.com/` +- kscloud1 Forgejo docker-compose updated (correct ROOT_URL + SSH port 2222) +- Sync script: `~/kitestacks-live/docker/forgejo/sync-to-cloud.sh` (rsync repos + DB dump) +- Cron: `0 */6 * * *` runs sync-to-cloud.sh, logs to `/tmp/forgejo-sync.log` +- Authentik redirect URI fixed: updated `_redirect_uris` in shared Postgres from + `authentik/callback` → `Authentik/callback` (matched renamed Forgejo source name) + +### osTicket Authentik LDAP SSO - COMPLETE (2026-06-14/15) +Uses Authentik's LDAP outpost + osTicket's built-in auth-ldap.phar plugin. + +**Authentik side:** +- LDAPProvider "osTicket LDAP" (pk=11, base_dn=DC=ldap,DC=goauthentik,DC=io) +- Application "osTicket LDAP" (slug=osticket-ldap, backchannel provider) +- Outpost "osTicket LDAP Outpost" (pk=5c42f5ba-64bd-434e-a47f-7ce9da13227a) +- Outpost service token: `jjYRKWuGtoeq9r0qeifbCnXGHDjhCJU2MLnkCvMMduIGA1kQKz85qnt7u5Zf` +- ldap-svc user (search account): DN=`cn=ldap-svc,ou=users,dc=ldap,dc=goauthentik,dc=io` + password=`IlgQaxBPv9rdoq03CsoY53tH`, member of homelab-admin group + +**Docker services added on monk:** +- `~/kitestacks-live/docker/authentik-ldap/docker-compose.yml` + - `authentik-ldap` (ghcr.io/goauthentik/ldap:2025.2.4) on kitestacks+osticket_default networks + - `authentik-ldap-proxy` (alpine/socat) bridges port 389→3389 on osticket_default + so osticket-app can reach standard LDAP port without phar URI workaround + +**Docker services added on kscloud1:** +- `/opt/kitestacks/docker/authentik-ldap/docker-compose.yml` + - Same authentik-ldap container, bound to 100.123.254.52:3389 (Tailscale) + 127.0.0.1:3389 + +**auth-ldap.phar patches (3 patches applied, original backed up as auth-ldap.phar.orig):** +1. `authentication.php` - `getConnection()`: adds binddn/bindpw from plugin config to + Net_LDAP2 params so initial connect uses credentials (not anonymous, which Authentik rejects) +2. `config.php` - validation block: sets include_path to phar's include dir before + `require_once Net/LDAP2.php` so sub-files resolve correctly in FPM context +3. ALL `include/Net/LDAP2/*.php` files: guards `require_once 'PEAR.php'` with + `if (!class_exists('PEAR', false))` to prevent fatal conflict between osTicket's + `/include/pear/PEAR.php` and PHP global `/usr/local/lib/php/PEAR.php` + +**osTicket LDAP plugin config (namespace plugin.2 in ost_config):** +- servers: `authentik-ldap-proxy` (via socat on port 389) +- bind_dn: `cn=ldap-svc,ou=users,dc=ldap,dc=goauthentik,dc=io` +- bind_pw: encrypted with `Crypto::encrypt(pass, SECRET_SALT, 'plugin.2')` +- search_base: `ou=users,dc=ldap,dc=goauthentik,dc=io` +- schema: auto, auth-staff: 1, auth-client: 0, domain: ldap.goauthentik.io + +**Staff login:** username=`kenpat7177`, password=Authentik password (reset to `KiteStacks2026!`) + on `tasks.kitestacks.com/scp/login.php` + +### Per Scholas IT Support Capstone - IN PROGRESS +See [[project-per-scholas-capstone]]. Next steps: +- Create capstone incident tickets in osTicket (5-phase challenge) +- Set up osTicket user/client portal for non-staff users (Phase 3 end-user access) +- Each capstone ticket maps to a phase scenario (migration event, incident response, etc.)