From 24be0b06c85a8df25357d27f6f143de7e4c34fd3 Mon Sep 17 00:00:00 2001
From: kenpat
Date: Mon, 15 Jun 2026 08:54:08 -0500
Subject: [PATCH] phase 8: forgejo sync config, authentik-ldap SSO service, runbook update
---
 RUNBOOK.md | 77 ++++++++++++++++++++++++++
 apps/authentik-ldap/docker-compose.yml | 32 +++++++++++
 apps/forgejo/docker-compose.yml | 13 ++++-
 3 files changed, 119 insertions(+), 3 deletions(-)
 create mode 100644 apps/authentik-ldap/docker-compose.yml
diff --git a/RUNBOOK.md b/RUNBOOK.md
index af9b0fd..d7de579 100644
--- a/RUNBOOK.md
+++ b/RUNBOOK.md
@@ -1379,3 +1379,80 @@ kscloud1 (Hetzner) is planned to be replaced by an Oracle Cloud VPS. When the ne | `cloudflared/docker-compose.yml` | `TUNNEL_TOKEN` (inline) | Do not commit `.env` files, webhook URLs, or database files to this repo. + +--- + +## Phase 8: Forgejo Sync + osTicket Authentik LDAP SSO (2026-06-14/15) + +### Forgejo Sync (monk → kscloud1) + +Monk is authoritative. kscloud1 Forgejo is a read replica synced every 6 hours. + +**Sync script:** `~/kitestacks-live/docker/forgejo/sync-to-cloud.sh` +**Cron:** `0 */6 * * *` on monk, logs to `/tmp/forgejo-sync.log` + +Manual sync: +```bash +~/kitestacks-live/docker/forgejo/sync-to-cloud.sh +``` + +To re-do a full restore from scratch (e.g., after kscloud1 rebuild): +```bash +# On monk: create dump +docker exec -u git forgejo /app/gitea/gitea dump --type zip -f /tmp/forgejo-backup.zip +docker cp forgejo:/tmp/forgejo-backup.zip /tmp/forgejo-backup.zip +# Transfer and restore on cloud host — see claude-memory for detailed steps +``` + +### osTicket Authentik LDAP SSO + +Staff log into `tasks.kitestacks.com/scp/` using their **Authentik credentials** (not a separate osTicket password). + +**Architecture:** +``` +osticket-app → authentik-ldap-proxy:389 (socat) → authentik-ldap:3389 → auth.kitestacks.com +``` + +**Services deployed:** +- `~/kitestacks-live/docker/authentik-ldap/` — LDAP outpost + socat proxy on monk +- `/opt/kitestacks/docker/authentik-ldap/` — LDAP outpost on kscloud1 + +**LDAP search account:** `cn=ldap-svc,ou=users,dc=ldap,dc=goauthentik,dc=io` +Password stored in Authentik and in osTicket's `ost_config` (namespace `plugin.2`, key `bind_pw`, encrypted). + +**auth-ldap.phar** at `/data/upload/include/plugins/auth-ldap.phar` inside the osticket-app container has been patched (original at `.phar.orig`). Do NOT replace it with the upstream version — the patch is required for PHP 7.3 + PEAR compatibility. 
+ +**If LDAP login stops working:** +```bash +# Check LDAP outpost is running and connected +docker logs authentik-ldap --since 5m | grep -v debug +docker logs authentik-ldap-proxy 2>&1 | tail -5 + +# Test bind from osticket-app container +docker exec osticket-app php -r " + \$c = @ldap_connect('authentik-ldap-proxy'); + ldap_set_option(\$c, LDAP_OPT_PROTOCOL_VERSION, 3); + \$r = @ldap_bind(\$c, 'cn=ldap-svc,ou=users,dc=ldap,dc=goauthentik,dc=io', 'PASSWORD'); + echo \$r ? 'OK' : ldap_error(\$c); +" +# Verify kscloud1 outpost reachable +nc -zv 100.123.254.52 3389 +``` + +**Reset a staff member's Authentik password:** +```bash +docker exec authentik ak shell -c " +from authentik.core.models import User +u = User.objects.get(username='kenpat7177') +u.set_password('NewPassword123!') +u.save() +print('done') +" +``` + +**Clear osTicket login lockout:** +```bash +docker run --rm --network host mariadb:10.11 mysql \ + -h 100.123.254.52 -u osticket -p osticket \ + -e "DELETE FROM ost_session;" +``` diff --git a/apps/authentik-ldap/docker-compose.yml b/apps/authentik-ldap/docker-compose.yml new file mode 100644 index 0000000..6f5eb76 --- /dev/null +++ b/apps/authentik-ldap/docker-compose.yml 
@@ -0,0 +1,32 @@ +services: + authentik-ldap: + image: ghcr.io/goauthentik/ldap:2025.2.4 + container_name: authentik-ldap + restart: unless-stopped + environment: + AUTHENTIK_HOST: https://auth.kitestacks.com + AUTHENTIK_INSECURE: "false" + # Token from Authentik outpost "osTicket LDAP Outpost" + # Regenerate via: Authentik admin → Outposts → osTicket LDAP Outpost → token + AUTHENTIK_TOKEN: REDACTED + networks: + - kitestacks + - osticket_default + + # socat proxy: bridges standard LDAP port 389 → outpost port 3389 + # Required because Net_LDAP2 (osTicket's LDAP library) always uses port 389 + authentik-ldap-proxy: + image: alpine/socat + container_name: authentik-ldap-proxy + restart: unless-stopped + command: TCP-LISTEN:389,fork,reuseaddr TCP:authentik-ldap:3389 + depends_on: + - authentik-ldap + networks: + - osticket_default + +networks: + kitestacks: + external: true + osticket_default: + external: true diff --git a/apps/forgejo/docker-compose.yml b/apps/forgejo/docker-compose.yml index 16def87..f03ed1c 100644 --- a/apps/forgejo/docker-compose.yml +++ b/apps/forgejo/docker-compose.yml @@ -9,9 +9,16 @@ services: environment: - USER_UID=1000 - USER_GID=1000 - - FORGEJO__server__DOMAIN=192.168.1.205 - - FORGEJO__server__ROOT_URL=http://192.168.1.205:3006 - - FORGEJO__server__SSH_DOMAIN=192.168.1.205 + - FORGEJO__server__DOMAIN=gitforge.kitestacks.com + - FORGEJO__server__ROOT_URL=https://gitforge.kitestacks.com/ + - FORGEJO__server__SSH_DOMAIN=gitforge.kitestacks.com - FORGEJO__server__SSH_PORT=2222 volumes: - ./data:/data + networks: + - default + - kitestacks + +networks: + kitestacks: + external: true
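Review bot: `AUTHENTIK_TOKEN: REDACTED` in the authentik-ldap environment block carries the outpost token as an inline literal, so the deployed copy presumably holds the real value and any later `git add` of this file would commit an Authentik credential — the runbook hunk in this same commit already flags the inline cloudflared `TUNNEL_TOKEN` and says `.env` files must not be committed. Read it from the untracked `.env` through interpolation instead, `AUTHENTIK_TOKEN: "${AUTHENTIK_TOKEN:?set in untracked .env}"`, so the compose file stays committable and a missing value fails at `docker compose up` rather than producing an outpost that silently cannot authenticate. `image: alpine/socat` for the proxy has no tag while the authentik image is pinned to `2025.2.4`; pin it too (`image: alpine/socat:<pinned tag or @sha256 digest>`, placeholder) so a pull cannot swap in a different build underneath the LDAP path. The proxy also speaks plain LDAP on 389 inside `osticket_default`, so the `ldap-svc` bind password crosses the bridge unencrypted; that is likely acceptable on a single host but deserves a line in the comment above the service so nobody later attaches that network to a second host.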
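Review bot: The new `FORGEJO__server__ROOT_URL=https://gitforge.kitestacks.com/` is https while nothing in the hunk sets a protocol or trusted-proxy option, so TLS is presumably terminated outside the container (the runbook in this commit mentions cloudflared); if the service still publishes its http port on the host — the `ports:` block, if any, is outside the hunk — consider binding it to loopback, e.g. `- "127.0.0.1:3006:3000"` (constructed example, 3006 being the port the removed ROOT_URL used), so the plain-http origin is not reachable beside the https one. `FORGEJO__server__SSH_DOMAIN=gitforge.kitestacks.com` together with the unchanged `SSH_PORT=2222` will be advertised in every clone URL; confirm that port is actually reachable on that hostname, since an HTTP tunnel will not carry it and users would get a dead SSH URL. The enclosing service definition starts before the hunk.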