2026-06-15: Forgejo sync fixed, osTicket LDAP SSO complete, capstone started
This commit is contained in:
parent
2ff78f1978
commit
8c25852428
2 changed files with 58 additions and 1 deletions
|
|
@ -1,4 +1,4 @@
|
|||
- [KiteStacks migration + Hetzner cloud failover (COMPLETE)](project-kitestacks-migration.md) — monk primary, kscloud1 cloud replica, Oracle VPS migration STALLED (capacity). 2026-06-13/14: osTicket live at tasks.kitestacks.com on both hosts, DB unified onto kscloud1 (100.123.254.52:3306, Tailscale), new private repo kenpat/osticket-capstone created. Forgejo SSO button renamed to Authentik. kscloud1 Forgejo has wrong ROOT_URL + only 1 repo — fix during Oracle migration.
|
||||
- [KiteStacks migration + Hetzner cloud failover (COMPLETE)](project-kitestacks-migration.md) — monk primary, kscloud1 cloud replica, Oracle VPS STALLED (Chicago capacity). 2026-06-14/15: Forgejo synced (13 repos both hosts, ROOT_URL fixed, cron sync). osTicket Authentik LDAP SSO WORKING — auth-ldap.phar triple-patched, authentik-ldap+socat-proxy containers on monk, authentik-ldap on kscloud1. Per Scholas capstone IN PROGRESS.
|
||||
- [Forgejo doc redaction rule](feedback-forgejo-redaction.md) — always redact IPs, ports, and passwords in any homelab Forgejo repo files before committing.
|
||||
- [A+ Core 2 study plan](project-a-plus-core2.md) — exam goal June 28 2026, started 2026-06-11 9:15 PM, Professor Messer diagnostic first, CertMaster next week.
|
||||
- [Per Scholas IT Support Capstone](project_per_scholas_capstone.md) — 5-phase migration/ticketing team challenge, connected to osTicket+MariaDB on kscloud1. AI=junior assistant, must verify with evidence.
|
||||
|
|
|
|||
|
|
@ -551,3 +551,60 @@ against the public hostname can hit the wrong DB; use monk's local
|
|||
needs 3rd-party OAuth2/SAML plugin) - NOT YET DONE.
|
||||
- End-user ticket submission uses osTicket's native client portal signup (works
|
||||
out of the box, no SSO needed).
|
||||
|
||||
## 2026-06-14/15: Forgejo sync fixed + osTicket Authentik LDAP SSO complete
|
||||
|
||||
### Forgejo sync (monk → kscloud1) - FIXED
|
||||
- Ran `docker exec -u git forgejo /app/gitea/gitea dump` on monk, scp'd to kscloud1
|
||||
- Restored: 13 repos + DB synced, ROOT_URL fixed on kscloud1 to `https://gitforge.kitestacks.com/`
|
||||
- kscloud1 Forgejo docker-compose updated (correct ROOT_URL + SSH port 2222)
|
||||
- Sync script: `~/kitestacks-live/docker/forgejo/sync-to-cloud.sh` (rsync repos + DB dump)
|
||||
- Cron: `0 */6 * * *` runs sync-to-cloud.sh, logs to `/tmp/forgejo-sync.log`
|
||||
- Authentik redirect URI fixed: updated `_redirect_uris` in shared Postgres from
|
||||
`authentik/callback` → `Authentik/callback` (matched renamed Forgejo source name)
|
||||
|
||||
### osTicket Authentik LDAP SSO - COMPLETE (2026-06-14/15)
|
||||
Uses Authentik's LDAP outpost + osTicket's built-in auth-ldap.phar plugin.
|
||||
|
||||
**Authentik side:**
|
||||
- LDAPProvider "osTicket LDAP" (pk=11, base_dn=DC=ldap,DC=goauthentik,DC=io)
|
||||
- Application "osTicket LDAP" (slug=osticket-ldap, backchannel provider)
|
||||
- Outpost "osTicket LDAP Outpost" (pk=5c42f5ba-64bd-434e-a47f-7ce9da13227a)
|
||||
- Outpost service token: `jjYRKWuGtoeq9r0qeifbCnXGHDjhCJU2MLnkCvMMduIGA1kQKz85qnt7u5Zf`
|
||||
- ldap-svc user (search account): DN=`cn=ldap-svc,ou=users,dc=ldap,dc=goauthentik,dc=io`
|
||||
password=`IlgQaxBPv9rdoq03CsoY53tH`, member of homelab-admin group
|
||||
|
||||
**Docker services added on monk:**
|
||||
- `~/kitestacks-live/docker/authentik-ldap/docker-compose.yml`
|
||||
- `authentik-ldap` (ghcr.io/goauthentik/ldap:2025.2.4) on kitestacks+osticket_default networks
|
||||
- `authentik-ldap-proxy` (alpine/socat) bridges port 389→3389 on osticket_default
|
||||
so osticket-app can reach standard LDAP port without phar URI workaround
|
||||
|
||||
**Docker services added on kscloud1:**
|
||||
- `/opt/kitestacks/docker/authentik-ldap/docker-compose.yml`
|
||||
- Same authentik-ldap container, bound to 100.123.254.52:3389 (Tailscale) + 127.0.0.1:3389
|
||||
|
||||
**auth-ldap.phar patches (3 patches applied, original backed up as auth-ldap.phar.orig):**
|
||||
1. `authentication.php` - `getConnection()`: adds binddn/bindpw from plugin config to
|
||||
Net_LDAP2 params so initial connect uses credentials (not anonymous, which Authentik rejects)
|
||||
2. `config.php` - validation block: sets include_path to phar's include dir before
|
||||
`require_once Net/LDAP2.php` so sub-files resolve correctly in FPM context
|
||||
3. ALL `include/Net/LDAP2/*.php` files: guards `require_once 'PEAR.php'` with
|
||||
`if (!class_exists('PEAR', false))` to prevent fatal conflict between osTicket's
|
||||
`/include/pear/PEAR.php` and PHP global `/usr/local/lib/php/PEAR.php`
|
||||
|
||||
**osTicket LDAP plugin config (namespace plugin.2 in ost_config):**
|
||||
- servers: `authentik-ldap-proxy` (via socat on port 389)
|
||||
- bind_dn: `cn=ldap-svc,ou=users,dc=ldap,dc=goauthentik,dc=io`
|
||||
- bind_pw: encrypted with `Crypto::encrypt(pass, SECRET_SALT, 'plugin.2')`
|
||||
- search_base: `ou=users,dc=ldap,dc=goauthentik,dc=io`
|
||||
- schema: auto, auth-staff: 1, auth-client: 0, domain: ldap.goauthentik.io
|
||||
|
||||
**Staff login:** username=`kenpat7177`, password=Authentik password (reset to `KiteStacks2026!`)
|
||||
on `tasks.kitestacks.com/scp/login.php`
|
||||
|
||||
### Per Scholas IT Support Capstone - IN PROGRESS
|
||||
See [[project-per-scholas-capstone]]. Next steps:
|
||||
- Create capstone incident tickets in osTicket (5-phase challenge)
|
||||
- Set up osTicket user/client portal for non-staff users (Phase 3 end-user access)
|
||||
- Each capstone ticket maps to a phase scenario (migration event, incident response, etc.)
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue