Arch Linux
infrastructure
Commit eacdda3e (Verified), authored May 02, 2020 by Sven-Hendrik Haase
Fix for archlinux realm
parent 5ae977a3
Changes: 4
one-shots/keycloak-keyfetcher/get_fingerprint.sh
#!/usr/bin/env bash
curl
-s
https://accounts.archlinux.org/auth/realms/
master
/protocol/saml/descriptor | xmllint
--xpath
'//*[local-name()="X509Certificate"]/text()'
- |
base64
-d
|
sha1sum
|
cut
-d
' '
-f1
|
sed
-e
's/.\{2\}/&:/g'
|
sed
's/:$//'
|
tr
'[:lower:]'
'[:upper:]'
curl
-s
https://accounts.archlinux.org/auth/realms/
archlinux
/protocol/saml/descriptor | xmllint
--xpath
'//*[local-name()="X509Certificate"]/text()'
- |
base64
-d
|
sha1sum
|
cut
-d
' '
-f1
|
sed
-e
's/.\{2\}/&:/g'
|
sed
's/:$//'
|
tr
'[:lower:]'
'[:upper:]'
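Review bot: the realm name is now hard-coded here and again in the `idp_sso_target_url`/`idp_slo_target_url` values of roles/gitlab/tasks/main.yml, so a later realm change in one place can leave the fingerprint in the other stale. Take the realm as an argument, e.g. `REALM="${1:-archlinux}"` and `https://accounts.archlinux.org/auth/realms/${REALM}/protocol/saml/descriptor`, and use `curl -sf` so a non-200 response fails the pipeline instead of feeding an error page to xmllint and producing a meaningless hash.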
roles/gitlab/tasks/main.yml
...
...
@@ -22,7 +22,7 @@
# 1. In order to figure out what needs to go into 'idp_cert_fingerprint', run
# one-shots/keycloak-keyfetcher/get_fingerprint.sh and copy the resulting SHA1 fingerprint into that field.
# 2. In order to logout properly we need to configure the "After sign out path" and set it to
# https://accounts.archlinux.org/auth/realms/
master
/protocol/openid-connect/logout?redirect_uri=https%3A//gitlab.archlinux.org
# https://accounts.archlinux.org/auth/realms/
archlinux
/protocol/openid-connect/logout?redirect_uri=https%3A//gitlab.archlinux.org
# https://gitlab.com/gitlab-org/gitlab/issues/14414
GITLAB_OMNIBUS_CONFIG
:
|
external_url 'https://{{ gitlab_domain }}'
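Review bot: the `redirect_uri=https%3A//gitlab.archlinux.org` in the new "After sign out path" has to match an entry of `valid_redirect_uris` on the `openid_gitlab` client in tf-stage2/keycloak.tf exactly, and nothing in either file points at the other; extend this comment with that dependency so a change to one side is checked against the other.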
...
...
@@ -30,6 +30,7 @@
letsencrypt['contact_emails'] = ['webmaster@archlinux.org']
gitlab_rails['lfs_enabled'] = true
gitlab_rails['gitlab_shell_ssh_port'] = 222
gitlab_rails['gitlab_default_can_create_group'] = false
gitlab_rails['initial_root_password'] = "{{ vault_gitlab_root_password }}"
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = 'mail.archlinux.org'
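Review bot: `gitlab_rails['gitlab_default_can_create_group'] = false` is a permissions change unrelated to the realm switch in the commit message "Fix for archlinux realm"; either split it into its own commit or mention it in the message so it is visible in history.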
...
...
@@ -54,9 +55,9 @@
admin_groups: ['DevOps'],
args: {
assertion_consumer_service_url: 'https://gitlab.archlinux.org/users/auth/saml/callback',
idp_cert_fingerprint: '
83:AB:61:8E:8C:8A:78:F6:D9:A6:8E:25:6F:DA:04:4D:77:0E:CD:B2
',
idp_sso_target_url: 'https://accounts.archlinux.org/auth/realms/
master
/protocol/saml/clients/saml_gitlab',
idp_slo_target_url: 'https://accounts.archlinux.org/auth/realms/
master
/protocol/saml',
idp_cert_fingerprint: '
75:43:93:1D:7A:F3:B6:16:51:FA:90:3C:E6:46:93:EA:DF:B6:28:8B
',
idp_sso_target_url: 'https://accounts.archlinux.org/auth/realms/
archlinux
/protocol/saml/clients/saml_gitlab',
idp_slo_target_url: 'https://accounts.archlinux.org/auth/realms/
archlinux
/protocol/saml',
issuer: 'saml_gitlab',
attribute_statements: {
first_name: ['first_name'],
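Review bot: the new `idp_cert_fingerprint` value `75:43:93:1D:7A:F3:B6:16:51:FA:90:3C:E6:46:93:EA:DF:B6:28:8B` is a snapshot of what get_fingerprint.sh printed at commit time, and SAML assertion validation will start failing as soon as the archlinux realm's signing certificate is rotated. Note that dependency in the comment block at the top of the file, and consider a deploy-time check that the script's current output still equals this value.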
...
...
roles/keycloak/templates/nginx.d.conf.j2
...
...
@@ -36,6 +36,6 @@ server {
}
location = / {
return 301 https://$server_name/auth/;
return 301 https://$server_name/auth/
realms/archlinux/account
;
}
}
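Review bot: the redirect target `realms/archlinux/account` is hard-coded in a Jinja template while the realm itself is declared in tf-stage2/keycloak.tf; a template variable for the realm name would keep the two in step. The change also turns the site root from a generic `/auth/` redirect into a realm-specific account-console redirect, which is worth a line in the commit message.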
tf-stage2/keycloak.tf
...
...
@@ -42,6 +42,7 @@ resource "keycloak_realm" "archlinux" {
reset_password_allowed
=
true
verify_email
=
true
login_with_email_allowed
=
true
smtp_server
{
host
=
"mail.archlinux.org"
...
...
@@ -82,6 +83,22 @@ resource "keycloak_saml_client" "saml_gitlab" {
assertion_consumer_post_url
=
var
.
gitlab_instance
.
saml_redirect_url
}
// This client is only used for the return URL redirect hack!
// See roles/gitlab/tasks/main.yml
resource
"keycloak_openid_client"
"openid_gitlab"
{
realm_id
=
"archlinux"
client_id
=
"openid_gitlab"
name
=
"Arch Linux Accounts"
enabled
=
true
access_type
=
"PUBLIC"
standard_flow_enabled
=
true
valid_redirect_uris
=
[
"https://gitlab.archlinux.org"
]
}
resource
"keycloak_saml_user_property_protocol_mapper"
"gitlab_saml_email"
{
realm_id
=
"archlinux"
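Review bot: the `openid_gitlab` client is described as existing only for the post-logout return URL redirect, but `access_type = "PUBLIC"` combined with `standard_flow_enabled = true` also lets it start authorization-code logins for gitlab.archlinux.org. If the logout endpoint only needs a client whose `valid_redirect_uris` contains the return URL, set `standard_flow_enabled = false`; if the flow really is required, say why in the comment. Keeping `valid_redirect_uris` as the exact `https://gitlab.archlinux.org` with no wildcard is the right call.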
...
...