https://github.com/archlinux/gluebuddy

A secure helper daemon that watches several aspects of the Arch Linux infrastructure and makes sure that certain conditions are met (read-only mirror)
https://github.com/archlinux/gluebuddy

rust

Last synced: 1 day ago
JSON representation

A secure helper daemon that watches several aspects of the Arch Linux infrastructure and makes sure that certain conditions are met (read-only mirror)

• Host: GitHub
• URL: https://github.com/archlinux/gluebuddy
• Owner: archlinux
• License: mit
• Created: 2020-05-24T20:50:47.000Z (about 5 years ago)
• Default Branch: main
• Last Pushed: 2022-06-07T20:20:25.000Z (about 3 years ago)
• Last Synced: 2025-01-25T17:19:00.242Z (5 months ago)
• Topics: rust
• Language: Rust
• Homepage: https://gitlab.archlinux.org/archlinux/gluebuddy
• Size: 175 KB
• Stars: 12
• Watchers: 13
• Forks: 8
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        
# gluebuddy

A secure helper daemon that watches several aspects of the Arch Linux infractructure and makes sure that certain conditions are met.

It glues Arch together. :)

## Usage

Gluebuddy requires the following environment variables to be set:

* GLUEBUDDY_GITLAB_TOKEN - Gitlab bot personal access token

* GLUEBUDDY_GITLAB_BOT_USERS - Optionally set gitlab bot users separated with commas

* GLUEBUDDY_KEYCLOAK_USERNAME - keycloak admin username

* GLUEBUDDY_KEYCLOAK_PASSWORD - keycloak admin password

* GLUEBUDDY_KEYCLOAK_REALM - Keycloak realm

* GLUEBUDDY_KEYCLOAK_URL - Keycloak base url (without trailing /)

## Service account Keycloak

To not use the admin user for obtaining the users/groups a service account can be used which needs to be created in Keycloak.

Create a new client, go to `Clients` and click `Create`:

* enter a client ID 

* make sure client protocl is set to `openid-connect`

In the client settings configure:

* Set Access Type to `Confidential`

* Set `Service Accounts Enabled` to `On`

* Specify a `redirect_uri` even though it is not required

* Click `Save` to save the changes

Go to the `Service Account Roles` tab, select `realm-management` in the `Client roles` dropdown and add:

* query-groups

* view-users

This allows the service account to view users and groups we need in gluebuddy, the username is the `client ID` and the password is the client secret which can be found in the `Credentials` tab.