technitium-pilot: document and wire native oidc sso
This commit is contained in:
@@ -6,4 +6,13 @@ TECHNITIUM_BIND_IP=10.5.30.8
|
|||||||
APPDATA_TECHNITIUM_ROOT=/mnt/tank/docker/appdata/technitium-pilot
|
APPDATA_TECHNITIUM_ROOT=/mnt/tank/docker/appdata/technitium-pilot
|
||||||
DNS_SERVER_DOMAIN=dns.home.paccoco.com
|
DNS_SERVER_DOMAIN=dns.home.paccoco.com
|
||||||
DNS_SERVER_ADMIN_PASSWORD=CHANGE_ME
|
DNS_SERVER_ADMIN_PASSWORD=CHANGE_ME
|
||||||
|
DNS_SERVER_SSO_ENABLED=false
|
||||||
|
DNS_SERVER_SSO_AUTHORITY=
|
||||||
|
DNS_SERVER_SSO_CLIENT_ID=
|
||||||
|
DNS_SERVER_SSO_CLIENT_SECRET=
|
||||||
|
DNS_SERVER_SSO_METADATA_ADDRESS=
|
||||||
|
DNS_SERVER_SSO_SCOPES=openid profile email groups
|
||||||
|
DNS_SERVER_SSO_ALLOW_SIGNUP=false
|
||||||
|
DNS_SERVER_SSO_ALLOW_SIGNUP_ONLY_FOR_MAPPED_USERS=true
|
||||||
|
DNS_SERVER_SSO_GROUP_MAP=authentik Admins=Administrators
|
||||||
DNS_SERVER_BLOCK_LIST_URLS=https://big.oisd.nl/
|
DNS_SERVER_BLOCK_LIST_URLS=https://big.oisd.nl/
|
||||||
|
|||||||
@@ -28,5 +28,7 @@ Notes:
|
|||||||
- The stack binds only to `TECHNITIUM_BIND_IP`, so PD must have that secondary address present on `LAN_INTERFACE` before `docker compose up`.
|
- The stack binds only to `TECHNITIUM_BIND_IP`, so PD must have that secondary address present on `LAN_INTERFACE` before `docker compose up`.
|
||||||
- The helper script adds the pilot IP alias read/write on the live host for the current boot only. That is deliberate for pilot safety.
|
- The helper script adds the pilot IP alias read/write on the live host for the current boot only. That is deliberate for pilot safety.
|
||||||
- Technitium reads the environment initialization only on first boot when `/etc/dns` is empty. If you need to re-seed initial settings, stop the container and clear the config directory first.
|
- Technitium reads the environment initialization only on first boot when `/etc/dns` is empty. If you need to re-seed initial settings, stop the container and clear the config directory first.
|
||||||
|
- SSO-capable deployments should set the `DNS_SERVER_SSO_*` variables. Keep a known local admin account as rollback because Technitium may only apply initial auth/env seeding cleanly on first boot or with an empty `/etc/dns` config dir.
|
||||||
|
- Authentik native OIDC callback for Technitium is `https://dns.paccoco.com/sso/callback`.
|
||||||
- The authoritative zone `home.paccoco.com` is now hosted in Technitium with `dns.home.paccoco.com -> 10.5.30.8`.
|
- The authoritative zone `home.paccoco.com` is now hosted in Technitium with `dns.home.paccoco.com -> 10.5.30.8`.
|
||||||
- Clients will resolve `dns.home.paccoco.com` only when they query Technitium directly, or after DHCP/cutover points them at Technitium.
|
- Clients will resolve `dns.home.paccoco.com` only when they query Technitium directly, or after DHCP/cutover points them at Technitium.
|
||||||
|
|||||||
@@ -11,6 +11,15 @@ services:
|
|||||||
environment:
|
environment:
|
||||||
DNS_SERVER_DOMAIN: ${DNS_SERVER_DOMAIN}
|
DNS_SERVER_DOMAIN: ${DNS_SERVER_DOMAIN}
|
||||||
DNS_SERVER_ADMIN_PASSWORD: ${DNS_SERVER_ADMIN_PASSWORD}
|
DNS_SERVER_ADMIN_PASSWORD: ${DNS_SERVER_ADMIN_PASSWORD}
|
||||||
|
DNS_SERVER_SSO_ENABLED: ${DNS_SERVER_SSO_ENABLED:-false}
|
||||||
|
DNS_SERVER_SSO_AUTHORITY: ${DNS_SERVER_SSO_AUTHORITY:-}
|
||||||
|
DNS_SERVER_SSO_CLIENT_ID: ${DNS_SERVER_SSO_CLIENT_ID:-}
|
||||||
|
DNS_SERVER_SSO_CLIENT_SECRET: ${DNS_SERVER_SSO_CLIENT_SECRET:-}
|
||||||
|
DNS_SERVER_SSO_METADATA_ADDRESS: ${DNS_SERVER_SSO_METADATA_ADDRESS:-}
|
||||||
|
DNS_SERVER_SSO_SCOPES: ${DNS_SERVER_SSO_SCOPES:-openid profile email groups}
|
||||||
|
DNS_SERVER_SSO_ALLOW_SIGNUP: ${DNS_SERVER_SSO_ALLOW_SIGNUP:-false}
|
||||||
|
DNS_SERVER_SSO_ALLOW_SIGNUP_ONLY_FOR_MAPPED_USERS: ${DNS_SERVER_SSO_ALLOW_SIGNUP_ONLY_FOR_MAPPED_USERS:-true}
|
||||||
|
DNS_SERVER_SSO_GROUP_MAP: ${DNS_SERVER_SSO_GROUP_MAP:-authentik Admins=Administrators}
|
||||||
DNS_SERVER_WEB_SERVICE_HTTP_PORT: "80"
|
DNS_SERVER_WEB_SERVICE_HTTP_PORT: "80"
|
||||||
DNS_SERVER_WEB_SERVICE_HTTPS_PORT: "443"
|
DNS_SERVER_WEB_SERVICE_HTTPS_PORT: "443"
|
||||||
DNS_SERVER_WEB_SERVICE_ENABLE_HTTPS: "true"
|
DNS_SERVER_WEB_SERVICE_ENABLE_HTTPS: "true"
|
||||||
|
|||||||
Reference in New Issue
Block a user