capitano/abcdesktop
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Configure Authentik OAuth2 and disable anonymous login in od.config

Browse Source
This commit is contained in:
capitano
2025-09-28 23:13:51 +02:00
parent d16288a03c
commit 5d976b9ea2
2 changed files with 402 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

355
od.config Normal file
View File

@@ -0,0 +1,355 @@
[global]
default_host_url = 'http://localhost'
websocketrouting = 'http_origin'
server.socket_host = '0.0.0.0'
server.socket_port = 8000
server.geolocation_ipaddr = '127.0.0.1'
jwt_token_user = {
'exp': 360,
'jwtuserprivatekeyfile': '/config.usersigning/abcdesktop_jwt_user_signing_private_key.pem',
'jwtuserpublickeyfile' : '/config.usersigning/abcdesktop_jwt_user_signing_public_key.pem' }
jwt_token_desktop = {
'exp': 420,
'jwtdesktopprivatekeyfile': '/config.signing/abcdesktop_jwt_desktop_signing_private_key.pem',
'jwtdesktoppublickeyfile' : '/config.signing/abcdesktop_jwt_desktop_signing_public_key.pem',
'payloaddesktoppublickeyfile' : '/config.payload/abcdesktop_jwt_desktop_payload_public_key.pem' }
controllers = { 'ManagerController': { 'permitip': [ '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', 'fd00::/8', '169.254.0.0/16', '127.0.0.0/8' ] },
'StoreController': { 'wrapped_key': {} },
'ComposerController' : { 'requestsallowed' : { 'getdesktopdescription': False } },
'DesktopController' : { 'requestsallowed' : { 'dns': False }, 'permitip': [ '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', 'fd00::/8', '169.254.0.0/16', '127.0.0.0/8' ] } }
OAUTHLIB_INSECURE_TRANSPORT = True
OAUTHLIB_RELAX_TOKEN_SCOPE = True
fail2ban = { 'enable' : False,
'banexpireafterseconds': 600,
'failsbeforeban' : 5,
'protectednetworks' : ['192.168.1.0/24'] }
auth.logmein = { 'enable' : False,
'network_list' : ['0.0.0.0/0'],
'permit_querystring' : True,
'http_attribut' : 'ABCDESKTOPUSERCERT' }
auth.prelogin = { 'enable' : False,
'url' : 'https://FQHN/index.session.mustache.html',
'network_list' : ['0.0.0.0/0'],
'http_attribut ' : 'abcuserid',
'http_attribut_to_force_auth_prelogin': 'MUST_USE_PRELOGIN' }
language = [ 'de_AT', 'de_BE', 'de_CH', 'de_DE', 'de_LI', 'de_LU', 'en_AG', 'en_AU', 'en_BW', 'en_CA', 'en_DK', 'en_GB', 'en_HK', 'en_IE', 'en_IN', 'en_NG', 'en_NZ', 'en_PH', 'en_SG', 'en_US', 'en_ZA', 'en_ZM', 'en_ZW', 'fr_BE', 'fr_CA', 'fr_CH', 'fr_FR', 'fr_LU' ]
webrtc.enable = False
webrtc.rtc_constraints = { 'video': False, 'audio': True }
K8S_BOUND_PVC_TIMEOUT_SECONDS = 60
K8S_BOUND_PVC_MAX_EVENT = 5
K8S_CREATE_POD_TIMEOUT_SECONDS = 300
K8S_CREATE_EPHEMERALCONTAINER_TIMEOUT_SECONDS = 120
executeclasses = {
'default':{
'description': '1 CPU cores and 2Gi',
'nodeSelector':None,
'resources':{
'requests':{'memory':"512Mi",'cpu':"100m"},
'limits': {'memory':"2Gi",'cpu':"1000m"}
}
},
'bronze':{
'description': '1 core / 2 Gi / 0 GPU',
'nodeSelector':None,
'resources':{
'requests':{'memory':"64Mi",'cpu':"100m"},
'limits': {'memory':"2Gi",'cpu':"1000m"}
}
},
'silver':{
'description': '2 cores / 4 Gi / 1 GPU',
'nodeSelector':None,
'resources':{
'requests':{'memory':"64Mi",'cpu':"100m"},
'limits': {'memory':"4Gi",'cpu':"2000m", 'nvidia.com/gpu':'1' }
}
},
'gold':{
'description': '4 cores / 8 Gi / 1 GPU',
'nodeSelector':None,
'resources':{
'requests':{'memory':"128Mi",'cpu':"100m"},
'limits':{'memory':"8Gi",'cpu':"4000m", 'nvidia.com/gpu':'1' } } } }
desktop.secretslocalaccount = '/etc/localaccount'
desktop.appendpathtomounthomevolume = ''
desktop.pod = {
'spec' : {
'shareProcessNamespace': False,
'shareProcessMemory': True,
'securityContext': {
'supplementalGroups': [ '{{ supplementalGroups }}' ],
'runAsUser': '{{ uidNumber }}',
'runAsGroup': '{{ gidNumber }}'
},
'tolerations': []
},
'default_volumes': {
'shm': { 'name': 'shm', 'emptyDir': { 'medium': 'Memory', 'sizeLimit': '512Mi' } },
'run': { 'name': 'run', 'emptyDir': { 'medium': 'Memory', 'sizeLimit': '1M' } },
'tmp': { 'name': 'tmp', 'emptyDir': { 'medium': 'Memory', 'sizeLimit': '8Gi' } },
'log': { 'name': 'log', 'emptyDir': { 'medium': 'Memory', 'sizeLimit': '8Gi' } },
'rundbus': { 'name': 'rundbus', 'emptyDir': { 'medium': 'Memory', 'sizeLimit': '8M' } },
'runuser': { 'name': 'runuser', 'emptyDir': { 'medium': 'Memory', 'sizeLimit': '8M' } },
'x11socket': { 'name': 'x11socket', 'emptyDir': { 'medium': 'Memory' } },
'pulseaudiosocket' : { 'name': 'pulseaudiosocket', 'emptyDir': { 'medium': 'Memory' } },
'cupsdsocket': { 'name': 'cupsdsocket', 'emptyDir': { 'medium': 'Memory' } }
},
'default_volumes_mount': {
'shm': { 'name': 'shm', 'mountPath' : '/dev/shm' },
'run': { 'name': 'run', 'mountPath': '/var/run/desktop' },
'tmp': { 'name': 'tmp', 'mountPath': '/tmp' },
'log': { 'name': 'log', 'mountPath': '/var/log/desktop' },
'rundbus': { 'name': 'rundbus', 'mountPath': '/var/run/dbus' },
'runuser': { 'name': 'runuser', 'mountPath': '/run/user/' },
'x11socket': { 'name': 'x11socket', 'mountPath': '/tmp/.X11-unix' },
'pulseaudiosocket': { 'name': 'pulseaudiosocket', 'mountPath': '/tmp/.pulseaudio' },
'cupsdsocket': { 'name': 'cupsdsocket', 'mountPath': '/tmp/.cupsd' }
},
'graphical' : {
'image': { 'default': 'ghcr.io/abcdesktopio/oc.user.ubuntu.sudo.24.04:4.1' },
'imagePullPolicy': 'Always',
'enable': True,
'acl': { 'permit': [ 'all' ] },
'waitportbin' : '/composer/node/wait-port/node_modules/.bin/wait-port',
'resources': {
'requests': { 'memory': "256Mi", 'cpu': "100m" },
'limits' : { 'memory': "4Gi", 'cpu': "2000m" }
},
'securityContext': {
'readOnlyRootFilesystem': False,
'allowPrivilegeEscalation': True
},
'tcpport': 6081,
'secrets_requirement' : [ 'abcdesktop/vnc', 'abcdesktop/kerberos'],
'waitfor_services' : [ 'xserver', 'novnc', 'spawner-service', 'plasmashell' ],
'waitfor_processes' : [ 'kwin_x11', 'plasmashell', 'kactivitymanagerd', 'kded5', 'kscreen_backend_launcher' ],
'waitfor_listeningservices': [ 'graphical', 'spawner' ]
},
'spawner' : {
'enable': True,
'tcpport': 29786,
'waitportbin' : '/composer/node/wait-port/node_modules/.bin/wait-port',
'acl': { 'permit': [ 'all' ] }
},
'broadcast' : {
'enable': True,
'tcpport': 29784,
'acl': { 'permit': [ 'all' ] }
},
'webshell' : {
'enable': True,
'tcpport': 29781,
'acl': { 'permit': [ 'all' ] }
},
'printer' : {
'image': 'ghcr.io/abcdesktopio/oc.cupsd:4.1',
'imagePullPolicy': 'IfNotPresent',
'enable': True,
'tcpport': 681,
'securityContext': { 'runAsUser': 0, 'runAsGroup': 0 },
'resources': {
'requests': { 'memory': "64Mi", 'cpu': "5m" },
'limits' : { 'memory': "512Mi", 'cpu': "200m" }
},
'acl': { 'permit': [ 'all' ] }
},
'printerfile' : {
'enable': True,
'tcpport': 29782,
'acl': { 'permit': [ 'all' ] }
},
'filer' : {
'image': 'ghcr.io/abcdesktopio/oc.filer:4.1',
'imagePullPolicy': 'IfNotPresent',
'enable': True,
'tcpport': 29783,
'resources': {
'requests': { 'memory': "32Mi", 'cpu': "5m" },
'limits' : { 'memory': "256Mi",'cpu': "100m" }
},
'acl': { 'permit': [ 'all' ] }
},
'storage' : {
'image': 'k8s.gcr.io/pause:3.8',
'imagePullPolicy': 'IfNotPresent',
'enable': True,
'acl': { 'permit': [ 'all' ] },
'resources': {
'requests': { 'memory': "8Mi", 'cpu': "5m" },
'limits' : { 'memory': "32Mi", 'cpu': "5m" }
}
},
'sound': {
'image': 'ghcr.io/abcdesktopio/oc.pulseaudio:4.1',
'imagePullPolicy': 'IfNotPresent',
'enable': True,
'tcpport': 29788,
'acl': { 'permit': [ 'all' ] },
'resources': {
'requests': { 'memory': "64Mi", 'cpu': "50m" },
'limits' : { 'memory': "256Mi", 'cpu': "500m" }
}
},
'init': {
'image': 'busybox',
'enable': True,
'imagePullPolicy': 'IfNotPresent',
'securityContext': { 'runAsUser': 0 },
'acl': { 'permit': [ 'all' ] },
'resources': {
'requests': { 'memory': "8Mi", 'cpu': "5m" },
'limits' : { 'memory': "32Mi", 'cpu': "10m" }
},
'command': [ 'sh', '-c', 'chmod 750 ~ && chown {{ uidNumber }}:{{ gidNumber }} ~' ]
},
'ephemeral_container': {
'enable': True,
'acl': { 'permit': [ 'all' ] },
'securityContext': {
'supplementalGroups': [ '{{ supplementalGroups }}' ] ,
'readOnlyRootFilesystem': False,
'allowPrivilegeEscalation': True,
'runAsUser':'{{ uidNumber }}',
'runAsGroup':'{{ gidNumber }}'
}
},
'pod_application' : {
'enable': True,
'securityContext': {
'supplementalGroups': [ '{{ supplementalGroups }}' ] ,
'readOnlyRootFilesystem': False,
'allowPrivilegeEscalation': True,
'runAsUser':'{{ uidNumber }}',
'runAsGroup':'{{ gidNumber }}'
},
'tolerations': [],
'acl': { 'permit': [ 'all' ] } } }
desktop.policies = { 'rules': { } }
desktop.homedirectorytype = 'persistentVolumeClaim'
desktop.persistentvolumeclaim = {
'metadata': {
'name': '{{ provider }}-{{ userid }}',
},
'spec': {
'storageClassName': 'proxmox-csi',
'resources': {
'requests': {
'storage': '5Gi'
}
},
'accessModes': [ 'ReadWriteMany' ] } }
desktop.nodeselector = { 'abcdesktoprole': 'worker' }
desktop.envlocal = { 'WEBSOCKIFY_HEARTBEAT':'30', 'LIBOVERLAY_SCROLLBAR':'0', 'UBUNTU_MENUPROXY':'0', 'X11LISTEN':'tcp', 'ABCDESKTOP_BG_COLOR': '#7fb3cf' }
desktop.removehomedirectory = False
desktop.removepersistentvolume = False
desktop.removepersistentvolumeclaim = False
desktop.username = 'balloon'
desktop.userid = 4096
desktop.groupid = 4096
desktop.userhomedirectory = '/home/balloon'
dock = {
'webshell': {
'name': u'WebShell',
'acl': { 'permit': [ 'all' ] },
'keyword': u'terminal,shell,webshell,bash,cmd',
'showinview': u'dock',
'launch': u'frontendjs.webshell',
'displayname': u'Web Shell',
'execmode': u'frontendjs',
'cat': u'utilities,development',
'id': u'webshell.d',
'icon': u'webshell.svg' } }
desktop.zoom = 1
front.menuconfig = { 'settings': True, 'appstore': True, 'screenshot':True, 'download': True, 'logout': True, 'disconnect': True }
desktop.defaultbackgroundcolors = [ '#6EC6F0', '#333333', '#666666', '#CD3C14', '#4BB4E6', '#50BE87', '#A885D8', '#FFB4E6' ]
tipsinfo = { 'networkmap': False }
logging = {
"version": 1,
"disable_existing_loggers": False,
'formatters': {
'access': {
'format': '%%(message)s - user: %%(userid)s',
'datefmt': '%%Y-%%m-%%d %%H:%%M:%%S'
},
'standard': {
'format': '%%(asctime)s %%(nodename)s %%(thread)d %%(module)s [%%(levelname)-7s] %%(name)s.%%(funcName)s:%%(userid)s %%(message)s',
'datefmt': '%%Y-%%m-%%d %%H:%%M:%%S'
},
'syslog': {
'format': '%%(asctime)s %%(nodename)s %%(thread)s %%(levelname)s %%(module)s %%(process)d %%(name)s.%%(funcName)s:%%(userid)s %%(message)s',
'datefmt': '%%Y-%%m-%%d %%H:%%M:%%S'
},
'graylog': {
'format': '%%(levelname)s %%(nodename)s %%(thread)s %%(module)s %%(process)d %%(name)s.%%(funcName)s:%%(userid)s %%(message)s'
}
},
'filters': {
'odcontext': {
'()': 'oc.logging.OdContextFilter'
}
},
'handlers': {
'stdout': {
'class': 'logging.StreamHandler',
'filters': [ 'odcontext' ],
'level': 'INFO',
'formatter': 'standard',
'stream': 'ext://sys.stdout'
},
'stderr': {
'class': 'logging.StreamHandler',
'filters': [ 'odcontext' ],
'level': 'ERROR',
'formatter': 'standard',
'stream': 'ext://sys.stderr'
},
'trace': {
'class': 'logging.handlers.RotatingFileHandler',
'level': 'INFO',
'filters': [ 'odcontext' ],
'formatter': 'standard',
'filename': 'logs/trace.log',
'maxBytes': 10485760,
'backupCount': 20,
'encoding': 'utf8',
'mode': 'w'
},
'cherrypy_access': {
'class': 'logging.handlers.RotatingFileHandler',
'filters': [ 'odcontext' ],
'formatter': 'access',
'filename': 'logs/access.log',
'maxBytes': 10485760,
'backupCount': 20,
'encoding': 'utf8'
}
},
'loggers': {
'urllib3.connectionpool': {
'level': 'ERROR',
},
'kubernetes': {
'handlers': [ 'stderr', 'stdout', 'trace' ],
'level': 'ERROR',
'propagate': False
},
'cherrypy.access': {
'handlers': [ 'cherrypy_access' ],
'level': 'INFO',
'propagate': False
},
'requests_oauthlib' : {
'handlers': [ 'stderr', 'stdout', 'trace' ],
'level': 'ERROR',
'propagate': False
},
'cherrypy' : {
'handlers': [ 'stderr', 'stdout', 'trace' ],
'level': 'ERROR',
}
},
'root': {
'level': 'INFO',
'handlers': [ 'stderr', 'stdout', 'trace' ]
}}
authmanagers = {'external': {'providers': {'authentik': {'displayname': 'Authentik', 'textcolor': '#000000', 'backgroundcolor': '#FFFFFF', 'icon': 'img/auth/google_icon.svg', 'enabled': True, 'client_id': 'kdbZ0vt2lHJ9F8sLinSPeGEl5zoyT8xweVaRLnu0', 'client_secret': 'z9t868XgnGhvVXHLN5nmXR9EGLnHC72Mz2tXBvSexNaj56c6Whn5PjeG3W2oAaiM0RV6ehwIXtwIjrgxPTLDofz90GJZ90SFkPDqh1crBCLM6rhstQF00xR9QxHZn8Re', 'userinfo_auth': True, 'scope': ['openid', 'email', 'profile'], 'username_claim': 'preferred_username', 'userinfo_url': 'https://authentik.giaco.net/application/o/userinfo/', 'redirect_uri_prefix': 'https://morrow.giaco.net/API/auth/oauth', 'redirect_uri_querystring': 'manager=external&provider=authentik', 'authorization_base_url': 'https://authentik.giaco.net/application/o/authorize/', 'token_url': 'https://authentik.giaco.net/application/o/token/', 'policies': {'acl': {'permit': ['all']}}}}}}