Core Services
This section describes how to install, configure and expose the services on which other applications will depend, such as identity providers.
Reverse Proxy
The first service we are going to set up is a reverse proxy. This is a central component, since all user traffic must pass through the reverse proxy: it is the only service exposed to the internet, and all other services are reachable only through it. Just like any other service running on the host, it will be isolated in a jail.
We are using Caddy for all our web server and proxy needs. It's easy to configure and has many nice features built in.
Jail creation
After having bootstrapped a release, we can create a new jail. The bastille command for creating a new jail is bastille create NAME RELEASE IP [INTERFACE]. We're going to call this jail simply caddy. Since we are using the 10.0.0.1/8 range of IPs for our host-internal network, we're going to use 10.0.0.1 as the IP of the jail (we treat it more or less like a gateway).
Execute the following command to create the new jail:
bastille create caddy 14.2-RELEASE 10.0.0.1/8 bastille0
Caddy Installation
Afterwards we want to install Caddy, enable its service and start it. We also install micro in the jail.
bastille pkg caddy install caddy
bastille sysrc caddy caddy_enable=YES
bastille service caddy 'caddy start'
TODO: expose ports 80 and 443 of the jail
Caddy Configuration
TODO
LDAP
We want centralized user management, and LDAP is still the best way to facilitate it. But at this scale, most LDAP implementations would be overkill. Thankfully, there is lldap, which implements only the essentials of LDAP while still providing a nice web interface and some self-service features for users (e.g. changing their own passwords).
Jail Creation
We want to isolate lldap by running it in its own jail. Let's create it and give it the IP 10.0.0.10:
bastille create lldap 14.2-RELEASE 10.0.0.10/8 bastille0
lldap setup
Next, we want to set up lldap in the jail. The setup for FreeBSD requires some extra steps (such as downloading an rc.d file for the service). For this, it is easier to execute the commands directly in the jail instead of going through bastille. We enter the jail with the console command:
bastille console lldap
Now we can enter the following commands to install and start lldap.
# Start by downloading the lldap binaries and the rc.d script
# The fetch command is a part of the FreeBSD userland and
# made for this task.
fetch https://github.com/n-connect/rustd-hbbx/raw/refs/heads/main/x86_64-freebsd_lldap-v0.6.1.tar.gz
fetch https://github.com/lldap/lldap/raw/refs/heads/main/example_configs/freebsd/rc.d_lldap
# Unpack the binaries to /usr/local and rename the directory to lldap_server
tar -xvf x86_64-freebsd_lldap-v0.6.1.tar.gz -C /usr/local/
mv /usr/local/x86_64-freebsd/ /usr/local/lldap_server
# Move the rc.d script to /usr/local/etc/rc.d/lldap
# make it executable and enable the service
mv rc.d_lldap /usr/local/etc/rc.d/lldap
chmod +x /usr/local/etc/rc.d/lldap
sysrc lldap_enable="YES"
# Start the lldap service
service lldap start
Exit the jail by exiting its shell.
exit
Now we are back in our host's shell.
We have to adjust our reverse proxy to expose the web interface of lldap. Edit the Caddyfile in the caddy jail:
micro /usr/local/bastille/jails/caddy/root/usr/local/etc/caddy/Caddyfile
Add the following block to the Caddyfile. Replace <domain> with the domain pointing to this host:
lldap.<domain> {
reverse_proxy 10.0.0.10:17170
}
Restart caddy:
bastille service caddy 'caddy restart'
Open a browser, go to lldap.<domain> and log in with user admin and password password. Open Account Details and immediately change the password to something secure.
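Two helpers for the lldap procedure above, added here as an example and not part of the original guide: the lldap tarball comes from a third-party GitHub repository, so the first function gates the unpack step on a SHA-256 match (the guide gives no hash, so EXPECTED_SHA256 is a placeholder you fill in from a trusted source), and the second renders the Caddyfile site block so a service that only listens on the jail network is published solely through the proxy. The digest helper is portable across FreeBSD (sha256) and Linux (sha256sum).

```shell
#!/bin/sh
# Added example, not from the original guide. EXPECTED_SHA256 is a placeholder:
# the guide publishes no digest for the tarball, so obtain one from a trusted source.
set -eu

EXPECTED_SHA256="<fill in the published digest>"

# Print the SHA-256 hex digest of a file; FreeBSD ships sha256, Linux sha256sum.
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 only when the archive's digest equals the expected one.
# Call this before the tar -xvf step; a mismatch means: do not unpack.
verify_archive() {
    archive=$1
    expected=$2
    actual=$(file_sha256 "$archive")
    [ "$actual" = "$expected" ]
}

# Render a Caddyfile site block that proxies a public hostname to a jail-internal
# upstream (host:port). The upstream itself is never exposed to the internet.
caddy_site_block() {
    hostname=$1
    upstream=$2
    printf '%s {\n\treverse_proxy %s\n}\n' "$hostname" "$upstream"
}

# Usage on the host, after fetching the tarball as in the guide (hostname is an assumption):
#   verify_archive x86_64-freebsd_lldap-v0.6.1.tar.gz "$EXPECTED_SHA256" || { echo "checksum mismatch, not unpacking"; exit 1; }
#   caddy_site_block lldap.example.org 10.0.0.10:17170 >> /usr/local/bastille/jails/caddy/root/usr/local/etc/caddy/Caddyfile
```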
Caution
Only add users to the group lldap_admin who should be able to modify the passwords of other LDAP admins (including the admin user)!
Also: only use the group lldap_password_managers for users who should be able to change the passwords of other users, excluding other admins.
SSO
TODO