forked from authentricity/authentricity
Dockerize, readme update
This commit is contained in:
parent
15eece9f46
commit
80c9892b0b
17
Dockerfile
Normal file
17
Dockerfile
Normal file
|
@ -0,0 +1,17 @@
|
||||||
|
ARG ALPINE=3.18
|
||||||
|
FROM golang:1.20-alpine${ALPINE} AS build
|
||||||
|
WORKDIR /app
|
||||||
|
COPY go.mod go.sum .
|
||||||
|
RUN go mod download
|
||||||
|
|
||||||
|
ADD . /app
|
||||||
|
RUN go build -o ./authentricity-webui ./cmd/authentricity-webui
|
||||||
|
RUN go build -o ./authentricity-admin ./cmd/authentricity-admin
|
||||||
|
|
||||||
|
FROM alpine:${ALPINE}
|
||||||
|
|
||||||
|
WORKDIR /bin
|
||||||
|
COPY --from=build /app/authentricity-webui /app/authentricity-admin .
|
||||||
|
|
||||||
|
WORKDIR /
|
||||||
|
CMD ["/bin/authentricity-webui"]
|
48
README.md
48
README.md
|
@ -17,8 +17,52 @@ Unix logins. This component implements the systemd
|
||||||
[User/Group Varlink API](https://systemd.io/USER_GROUP_API/) to support user and group
|
[User/Group Varlink API](https://systemd.io/USER_GROUP_API/) to support user and group
|
||||||
lookups.
|
lookups.
|
||||||
|
|
||||||
|
It is intended to be deployed as a systemd service. See [module.nix](./module.nix), which
|
||||||
|
can be used to deploy this on NixOS for details
|
||||||
|
|
||||||
|
For both performance and resilience resaons, user information is cached locally:
|
||||||
|
|
||||||
|
* Information less than 60s old is considered up-to-date and Consul is not re-queried for it,
|
||||||
|
speeding up user information requests and reducing Consul load, and
|
||||||
|
* In cases where Consul is unable to service requests, then the cache will be considered valid
|
||||||
|
indefinitely
|
||||||
|
|
||||||
|
A future version may limit the amount of time locally cached information is considered valid.
|
||||||
|
|
||||||
|
TODO: Provide raw systemd unit files
|
||||||
|
|
||||||
#### authentricity-webui
|
#### authentricity-webui
|
||||||
SSO portal and user administration UI
|
This implements
|
||||||
|
|
||||||
|
* A login system, and single-domain shared cookie SSO system
|
||||||
|
* A portal which lets users add & remove SSH keys, change their password, etc,
|
||||||
|
and
|
||||||
|
* A UI which lets users explore other users and groups, and which lets admins manage
|
||||||
|
users and groups
|
||||||
|
* A UI which lets admins manipulate users and groups
|
||||||
|
|
||||||
|
This can be deployed as either
|
||||||
|
|
||||||
|
* A systemd service (see [module.nix](./module.nix)), or
|
||||||
|
* A [container](https://git.shinra.systems/authentricity/-/packages/container/authentricity/)
|
||||||
|
|
||||||
|
TODO: Provide raw systemd unit files
|
||||||
|
TODO: Provide example Kubernetes manifests/Kustomize chart?
|
||||||
|
|
||||||
#### authentricity-admin
|
#### authentricity-admin
|
||||||
Command line administation tool (performing direct database accesses)
|
Command line administation tool (performing direct database accesses)
|
||||||
|
|
||||||
|
### Future Components
|
||||||
|
* Radius server
|
||||||
|
* Likely minimal feature set at first (PAP, no EAP, etc)
|
||||||
|
* TACACS+ server
|
||||||
|
* For networking appliances
|
||||||
|
* Separate cookie used for the Web UI from the auth proxy
|
||||||
|
* We can then domain scope the Web UI cookie down to just the UI itself,
|
||||||
|
protecting better against Cookie theft attacks
|
||||||
|
* We can use asymmetric crypto for the domain-wide cookie and distribute the public
|
||||||
|
keys to auth proxies via Consul
|
||||||
|
* JWT/OAuth 2.0/OpenID Connect issuer
|
||||||
|
* Integration of tokens into the Unix auth flow
|
||||||
|
* Return something like a Kerberos TGT that can be exchanged for service JWTs?
|
||||||
|
* Minimal authentication proxy without the Web UI?
|
||||||
|
|
Loading…
Reference in a new issue