phase 8: forgejo sync config, authentik-ldap SSO service, runbook update
This commit is contained in:
parent
bd76c9f448
commit
24be0b06c8
3 changed files with 119 additions and 3 deletions
77
RUNBOOK.md
@ -1379,3 +1379,80 @@ kscloud1 (Hetzner) is planned to be replaced by an Oracle Cloud VPS. When the ne
| `cloudflared/docker-compose.yml` | `TUNNEL_TOKEN` (inline) |

Do not commit `.env` files, webhook URLs, or database files to this repo.

---

## Phase 8: Forgejo Sync + osTicket Authentik LDAP SSO (2026-06-14/15)

### Forgejo Sync (monk → kscloud1)

Monk is authoritative. kscloud1 Forgejo is a read replica synced every 6 hours.

**Sync script:** `~/kitestacks-live/docker/forgejo/sync-to-cloud.sh`
**Cron:** `0 */6 * * *` on monk, logs to `/tmp/forgejo-sync.log`

Manual sync:
```bash
~/kitestacks-live/docker/forgejo/sync-to-cloud.sh
```

To re-do a full restore from scratch (e.g., after kscloud1 rebuild):
```bash
# On monk: create dump
docker exec -u git forgejo /app/gitea/gitea dump --type zip -f /tmp/forgejo-backup.zip
docker cp forgejo:/tmp/forgejo-backup.zip /tmp/forgejo-backup.zip
# Transfer and restore on cloud host — see claude-memory for detailed steps
```

### osTicket Authentik LDAP SSO

Staff log into `tasks.kitestacks.com/scp/` using their **Authentik credentials** (not a separate osTicket password).

**Architecture:**
```
osticket-app → authentik-ldap-proxy:389 (socat) → authentik-ldap:3389 → auth.kitestacks.com
```

**Services deployed:**
- `~/kitestacks-live/docker/authentik-ldap/` — LDAP outpost + socat proxy on monk
- `/opt/kitestacks/docker/authentik-ldap/` — LDAP outpost on kscloud1

**LDAP search account:** `cn=ldap-svc,ou=users,dc=ldap,dc=goauthentik,dc=io`
Password stored in Authentik and in osTicket's `ost_config` (namespace `plugin.2`, key `bind_pw`, encrypted).

**auth-ldap.phar** at `/data/upload/include/plugins/auth-ldap.phar` inside the osticket-app container has been patched (original at `.phar.orig`). Do NOT replace it with the upstream version — the patch is required for PHP 7.3 + PEAR compatibility.

**If LDAP login stops working:**
```bash
# Check LDAP outpost is running and connected
docker logs authentik-ldap --since 5m | grep -v debug
docker logs authentik-ldap-proxy 2>&1 | tail -5

# Test bind from osticket-app container
docker exec osticket-app php -r "
\$c = @ldap_connect('authentik-ldap-proxy');
ldap_set_option(\$c, LDAP_OPT_PROTOCOL_VERSION, 3);
\$r = @ldap_bind(\$c, 'cn=ldap-svc,ou=users,dc=ldap,dc=goauthentik,dc=io', 'PASSWORD');
echo \$r ? 'OK' : ldap_error(\$c);
"
# Verify kscloud1 outpost reachable
nc -zv 100.123.254.52 3389
```

**Reset a staff member's Authentik password:**
```bash
docker exec authentik ak shell -c "
from authentik.core.models import User
u = User.objects.get(username='kenpat7177')
u.set_password('NewPassword123!')
u.save()
print('done')
"
```

**Clear osTicket login lockout:**
```bash
docker run --rm --network host mariadb:10.11 mysql \
-h 100.123.254.52 -u osticket -p<DB_PASS> osticket \
-e "DELETE FROM ost_session;"
```
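Review bot: the "Reset a staff member's Authentik password" and "Clear osTicket login lockout" blocks put live secrets on the command line (`u.set_password('NewPassword123!')` for a named account, and `-p<DB_PASS>`), where they end up in shell history and in `ps` output on the host; use placeholders for the username and password in the runbook and read the real values from a prompt (`mysql -p` with no value prompts) or an environment variable rather than a literal. `DELETE FROM ost_session;` also terminates every active staff and client session, not only the locked-out one, so the runbook should say so, or scope the delete to the affected session rows. Minor: `docker logs authentik-ldap --since 5m | grep -v debug` lacks the `2>&1` the proxy command uses, so anything the outpost writes to stderr bypasses the filter.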
32
apps/authentik-ldap/docker-compose.yml
Normal file
@ -0,0 +1,32 @@
services:
authentik-ldap:
image: ghcr.io/goauthentik/ldap:2025.2.4
container_name: authentik-ldap
restart: unless-stopped
environment:
AUTHENTIK_HOST: https://auth.kitestacks.com
AUTHENTIK_INSECURE: "false"
# Token from Authentik outpost "osTicket LDAP Outpost"
# Regenerate via: Authentik admin → Outposts → osTicket LDAP Outpost → token
AUTHENTIK_TOKEN: REDACTED
networks:
- kitestacks
- osticket_default

# socat proxy: bridges standard LDAP port 389 → outpost port 3389
# Required because Net_LDAP2 (osTicket's LDAP library) always uses port 389
authentik-ldap-proxy:
image: alpine/socat
container_name: authentik-ldap-proxy
restart: unless-stopped
command: TCP-LISTEN:389,fork,reuseaddr TCP:authentik-ldap:3389
depends_on:
- authentik-ldap
networks:
- osticket_default

networks:
kitestacks:
external: true
osticket_default:
external: true
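Review bot: `AUTHENTIK_TOKEN: REDACTED` is an inline secret slot in a committed compose file, which is exactly what the runbook's own "Do not commit `.env` files, webhook URLs, or database files" rule is guarding against the moment someone pastes the real outpost token back in; reference it as `AUTHENTIK_TOKEN: ${AUTHENTIK_TOKEN}` and keep the value in an untracked `.env` (or a Docker secret). `image: alpine/socat` should also be pinned to a tag or digest, as `ghcr.io/goauthentik/ldap:2025.2.4` already is, since an untagged image silently changes on every pull. The proxy publishes no `ports:`, so port 389 is reachable only on `osticket_default`; keep it that way, because the socat hop carries the `ldap-svc` bind password and staff credentials in cleartext.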
@ -9,9 +9,16 @@ services:
environment:
- USER_UID=1000
- USER_GID=1000
- FORGEJO__server__DOMAIN=192.168.1.205
- FORGEJO__server__ROOT_URL=http://192.168.1.205:3006
- FORGEJO__server__SSH_DOMAIN=192.168.1.205
- FORGEJO__server__DOMAIN=gitforge.kitestacks.com
- FORGEJO__server__ROOT_URL=https://gitforge.kitestacks.com/
- FORGEJO__server__SSH_DOMAIN=gitforge.kitestacks.com
- FORGEJO__server__SSH_PORT=2222
volumes:
- ./data:/data
networks:
- default
- kitestacks

networks:
kitestacks:
external: true
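Review bot: `FORGEJO__server__ROOT_URL` moves from `http://192.168.1.205:3006` to `https://gitforge.kitestacks.com/`, but nothing in this compose file terminates TLS, and the file this hunk belongs to is not named in the summary above (only RUNBOOK.md and apps/authentik-ldap/docker-compose.yml are listed); the commit should state which host's Forgejo this is (monk, the authoritative instance per the runbook, or the kscloud1 replica) and where HTTPS is terminated, presumably the cloudflared tunnel the runbook references, so that the LAN port is not still reachable under the old plain-HTTP URL. `FORGEJO__server__SSH_PORT=2222` must also match the port actually published for the container's sshd, which is outside this hunk; a mismatch produces clone URLs that do not work.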