feat: init

.gitignore

@@ -0,0 +1 @@
+cerca/

Caddyfile

@@ -0,0 +1,39 @@
+:1312 {
+	handle {
+		forward_auth rauthy:8080 {
+			uri /auth/v1/clients/cerca-forward-auth/forward_auth?redirect_state=302&danger_cookie_insecure=true
+			copy_headers {
+				X-Forwarded-User
+				X-Forwarded-User-Email
+				X-Forwarded-User-Family-Name
+				X-Forwarded-User-Given-Name
+				X-Forwarded-User-Groups
+				X-Forwarded-User-Roles
+			}
+
+			trusted_proxies private_ranges
+		}
+
+		reverse_proxy cerca:8272
+	}
+
+	handle /oidc/rauthy/callback {
+		rewrite * /auth/v1/clients/cerca-forward-auth/forward_auth/callback
+		reverse_proxy rauthy:8080
+	}
+
+	handle /auth/v1/clients/cerca-forward-auth/* {
+		reverse_proxy rauthy:8080 {
+			header_up X-Forwarded-Method {method}
+			header_up X-Forwarded-Uri {uri}
+		}
+	}
+}
+
+:1080 {
+	reverse_proxy mailcrab:1080
+}
+
+:8080 {
+	reverse_proxy rauthy:8080
+}

README.md

@@ -0,0 +1,78 @@
+# **PMC THUNDERDOME**: CERCA x RAUTHY 
+
+## Motivation
+
+A DIY test zone for `cerca`/`rauthy` integration. If we're gonna do it, let's
+do it good. This test harness sets up a way to quickly test forward
+authentication support in `cerca` as provided by `rauthy`.
+
+This setup gets all the moving parts up and running locally and automagically.
+A typical issue with adding SSO support to a software is that the maintainers
+can't test it later on when there is a bug. This is an attempt to mitigate
+that.
+
+Here's the general setup in a nutshell.
+
+```
+cerca <-------> |
+                |
+mailcrab <---> caddy <---> browser
+                |
+rauthy <------> |
+```
+
+## Setup
+
+Install [`docker compose`](https://docs.docker.com/compose/install/).
+
+```
+git clone https://git.coopcloud.tech/decentral1se/cerca-rauthy-pmc-thunderdome
+cd cerca-rauthy-pmc-thunderdome
+git clone https://github.com/cblgh/cerca.git
+docker compose up --watch
+```
+
+Rauthy login details are: `admin@localhost` / `1234test`. The admin URL is:
+
+> [localhost:8080/auth/v1/admin](http://localhost:8080/auth/v1/admin)
+
+You can test the Cerca forward authentication protection by visiting:
+
+> [localhost:1312](http://localhost:1312)
+
+Here's a breakdown of all the relevant URLs available:
+
+* [`localhost:1312`](http://localhost:1312): `cerca` (behind forward auth)
+* [`localhost:8080`](http://localhost:8080): `rauthy`
+* [`localhost:1080`](http://localhost:1080): `mailcrab` (`rauthy` mail catcher)
+
+## Hacking
+
+### Cerca live reload
+
+The `--watch` flag allows Docker to automatically pick up when you compile a
+new `./cerca/cerca` and swap that into the container and restart `cerca`.
+
+It's a bit involved but you'll need `musl-tools` and
+[`watchexec`](https://watchexec.github.io/) installed. The `cerca` container is
+running `alpine` and you're most likely not running alpine on your workstation.
+So, we need compile your patched `cerca` in a specific way to get it to run on
+the container.
+
+I'm running the `docker compose up --watch` in one terminal split and this
+command in another terminal split. Then I can just hack on `cerca` and it the
+new binary is built, passed into the container and reloaded.
+
+```
+cd ./cerca
+watchexec "CC=$(which musl-gcc) go build -v --ldflags '-w -linkmode external -extldflags \"-static\"' ./cmd/cerca"
+```
+
+### Reload Caddy without restart
+
+You can hack the `Caddyfile` and reload the changes on the fly.
+
+```
+docker compose exec -w /etc/caddy caddy caddy fmt --overwrite && \
+  docker compose exec -w /etc/caddy caddy caddy reload
+```

cerca.Dockerfile

@@ -0,0 +1,26 @@
+FROM golang:1.26-alpine AS build
+
+RUN apk add --no-cache \
+  gcc \
+  git \
+  musl-dev
+
+COPY ./cerca /build
+
+WORKDIR /build
+
+RUN CGO_ENABLED=1 go build -v ./cmd/cerca
+
+FROM alpine:3.22
+
+RUN apk add --no-cache bash
+
+COPY --from=build /build/cerca /usr/bin/cerca
+
+VOLUME /app
+
+RUN mkdir -p /app/data
+
+RUN /usr/bin/cerca write-defaults -config /app/cerca.toml -data-dir /app/data
+
+ENTRYPOINT ["/usr/bin/cerca", "-config", "/app/cerca.toml"]

clients.json

@@ -0,0 +1,19 @@
+[
+    {
+        "id": "cerca-forward-auth",
+        "name": "cerca-forward-auth",
+        "redirect_uris": ["http://localhost:1312/oidc/rauthy/callback"],
+        "allowed_origins": ["http://localhost:1312"],
+        "enabled": true,
+        "secret": {"Plain": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},
+        "flows_enabled": ["authorization_code"],
+        "access_token_alg": "RS256",
+        "id_token_alg": "RS256",
+        "auth_code_lifetime": 300,
+        "access_token_lifetime": 1800,
+        "scopes": ["openid", "profile", "groups"],
+        "default_scopes": ["openid", "profile"],
+        "force_mfa": false,
+        "backchannel_logout_uri": "https://localhost:1312/oidc/rauthy/logout"
+    }
+]

compose.yml

@@ -0,0 +1,43 @@
+services:
+  caddy:
+    image: caddy:2.11.2-alpine
+    ports:
+      - "1312:1312" # cerca
+      - "8080:8080" # rauthy
+      - "1080:1080" # mailcrab
+    volumes:
+      - ./Caddyfile:/etc/caddy/Caddyfile
+    depends_on:
+      - cerca
+      - mailcrab
+      - rauthy
+
+  cerca:
+    build:
+      context: .
+      dockerfile: cerca.Dockerfile
+    develop:
+      watch:
+        - action: sync+restart
+          path: ./cerca/cerca
+          target: /usr/bin/cerca
+    volumes:
+      - cerca-data:/app
+    depends_on:
+      - rauthy
+
+  mailcrab:
+    image: marlonb/mailcrab:v1.6.5
+
+  rauthy:
+    image: ghcr.io/sebadob/rauthy:0.35.0
+    volumes:
+      - ./rauthy.toml:/app/config.toml
+      - ./clients.json:/app/bootstrap/clients.json
+      - rauthy-data:/app/data
+    depends_on:
+      - mailcrab
+
+volumes:
+  cerca-data:
+  rauthy-data:

rauthy.toml

@@ -0,0 +1,45 @@
+[bootstrap]
+admin_email = 'admin@localhost'
+bootstrap_dir = '/app/bootstrap'
+password_plain = '1234test'
+
+[auth_headers]
+enable = true
+
+[server]
+scheme = 'http'
+pub_url = 'localhost:8080'
+trusted_proxies = [
+  '192.168.0.0/16', 
+  '172.0.0.0/8', 
+  '10.0.0.0/8',
+]
+
+[logging]
+level = 'info'
+
+[email]
+smtp_port = 1025
+smtp_url = 'mailcrab'
+danger_insecure = true
+
+[user_values.preferred_username]
+preferred_username = 'required'
+immutable = true
+
+[encryption]
+keys = ['bVCyTsGaggVy5yqQ/UzluN29DZW41M3hTSkx6Y3NtZmRuQkR2TnJxUTYzcjQ=']
+key_active = 'bVCyTsGaggVy5yqQ'
+
+[cluster]
+node_id = 1
+nodes = ["1 localhost:8100 localhost:8200"]
+secret_raft = "SuperSecureSecret1337"
+secret_api = "SuperSecureSecret1337"
+
+[mfa]
+admin_force_mfa = false
+
+[webauthn]
+rp_id = 'localhost'
+rp_origin = 'http://localhost:8080'