From db2918ef1b3ca2e078a68066459bbb97ae87e529 Mon Sep 17 00:00:00 2001
From: Ezri Brimhall
Date: Tue, 1 Oct 2024 18:53:40 -0600
Subject: [PATCH] Updated group vars for nginx

---
 group_vars/all.yml | 1 +
 group_vars/containers.yml | 18 ++++++++++++++++++
 group_vars/nginx.yml | 12 ++++++++++++
 3 files changed, 31 insertions(+)
 create mode 100644 group_vars/containers.yml

diff --git a/group_vars/all.yml b/group_vars/all.yml
index aecd31e..ae6c7dd 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -4,5 +4,6 @@ user_source: "local"
 kanidm_uri: "https://idm.ezri.dev"
+ldap_uri: "ldaps://idm.ezri.dev"
 kanidm_supplemental: []
diff --git a/group_vars/containers.yml b/group_vars/containers.yml
new file mode 100644
index 0000000..1e2b57b
--- /dev/null
+++ b/group_vars/containers.yml
@@ -0,0 +1,18 @@
+sso_type: ldap
+
+allowed_groups:
+ - sysadmin@idm.ezri.dev
+
+sudo_groups:
+ - sysadmin@idm.ezri.dev
+
+uses_passkey_auth: no
+uses_passkey_2fa: no
+uses_totp_2fa: yes
+totp_2fa_nullok: yes
+
+ldap_user_search_base: >-
+ dc=idm,dc=ezri,dc=dev
+ldap_group_search_base: >-
+ dc=idm,dc=ezri,dc=dev?subtree?(|(objectClass=posixAccount)(objecctClass=posixGroup))
+ldap_access_filter: "(memberof=sysadmin@idm.ezri.dev)"
diff --git a/group_vars/nginx.yml b/group_vars/nginx.yml
index 3573578..c11492f 100644
--- a/group_vars/nginx.yml
+++ b/group_vars/nginx.yml
@@ -12,6 +12,7 @@ sites_available:
 enabled: yes
 cert_domain: ezri.dev
 upstream: http://10.242.2.2:9001
+ max_upload: 0
 - fqdn: git.ezri.dev
 enabled: yes
@@ -111,10 +112,20 @@ sites_available:
 enabled: yes
 cert_domain: ezri.dev
 upstream: http://10.242.2.2:30032
+ restricted: yes
 allowed_ips:
 - 10.242.0.0/23
 - 10.242.3.0/24
+ - fqdn: sysadmin-exercise.internal.ezri.dev
+ enabled: yes
+ cert_domain: internal.ezri.dev
+ upstream: http://10.242.2.207:8888
+ restricted: yes
+ allowed_ips:
+ - 10.242.0.0/16
+ - 129.123.107.0/24
+
 streams_available:
 - fqdn: git.ezri.dev
 enabled: yes
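Review bot: The group search filter on the `ldap_group_search_base` line of group_vars/containers.yml misspells the attribute in its second branch, `(objecctClass=posixGroup)`, so that branch matches nothing and group lookups would come back incomplete or fail, depending on how the consumer parses the `base?scope?filter` form; the line should read `dc=idm,dc=ezri,dc=dev?subtree?(|(objectClass=posixAccount)(objectClass=posixGroup))`. The `uses_passkey_auth`, `uses_passkey_2fa`, `uses_totp_2fa` and `totp_2fa_nullok` values use `no`/`yes`, which YAML 1.1 loaders read as booleans but YAML 1.2 loaders and yamllint's truthy rule reject; write them as `false`/`true` (the `enabled: yes` and `restricted: yes` lines in both group_vars/nginx.yml hunks have the same issue). `totp_2fa_nullok: yes` also deserves a comment, since it presumably lets an account with no TOTP enrolled skip the second factor and so silently exempts such accounts from the `uses_totp_2fa` policy; a line such as `# nullok: accounts with no TOTP enrolled skip the second factor — confirm this is intended for the sysadmin group` above it would make that trade-off explicit.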
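Review bot: `max_upload: 0` in the first group_vars/nginx.yml hunk carries no comment on what 0 means; if the role maps it onto nginx `client_max_body_size`, a value of 0 disables the body-size check entirely rather than forbidding uploads, so the line should state which, e.g. `max_upload: 0  # 0 = no body-size limit (client_max_body_size 0) — confirm against the template`. In the second hunk, the new sysadmin-exercise.internal.ezri.dev entry's `allowed_ips` adds `129.123.107.0/24`, a publicly routed range unlike every other allowlist entry in the visible hunks, which are all 10.242.0.0/16 addresses; a comment naming the network it belongs to (`- 129.123.107.0/24  # <network owner/role> — TODO fill in`) would let the next reviewer judge whether the exception is still needed. The `10.242.0.0/16` entry is also broader than the `/23` and `/24` used on the neighbouring site, which may be intended but is worth stating in a comment.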
@@ -132,6 +143,7 @@ streams_available: upstream_ssl: yes restricted: yes allowed_ips: + - 10.242.0.107 - 10.242.2.2 - 10.242.0.1 - 10.242.2.1
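Review bot: The address added to this stream's `allowed_ips`, `10.242.0.107`, has no comment saying which host it is, so the allowlist of a stream with `upstream_ssl: yes` and `restricted: yes` grows without a record of why; a short comment such as `- 10.242.0.107  # <host role> — TODO fill in` keeps the list auditable. The stream definition this list belongs to starts outside the hunk.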