DARI Infrastructure Management Guide

Expert guidance for working with the DARI IT infrastructure management system. Provides centralized user management, VPN access with OTP, Linux account provisioning, and LDAP-based authentication.

What This Skill Does

Helps you understand and work with a complex multi-service Docker infrastructure that integrates:

Django REST API backend with Django Ninja

SvelteKit SSR frontend

OpenLDAP for Linux authentication

OpenVPN with OTP (Google Authenticator)

Celery task queue for user lifecycle management

Caddy reverse proxy with IP whitelisting

When to Use This Skill

Use this skill when you need to:

Understand the architecture and data flow of the DARI system

Add new features or modify existing API endpoints

Debug authentication issues (LDAP, VPN OTP, session management)

Work with user lifecycle tasks (registration, deactivation, removal)

Deploy or configure the system in dev/production environments

Troubleshoot LDAP synchronization or VPN authentication

Architecture Overview

Multi-Service Docker Architecture

**Frontend**: SvelteKit application with SSR (port 3000 internally)

**Backend**: Django + Django Ninja REST API (port 8080 internally)

**Database**: PostgreSQL 13

**LDAP**: OpenLDAP server for Linux authentication (port 636)

**VPN**: OpenVPN server with OTP authentication (port 1194/udp)

**Reverse Proxy**: Caddy server handling HTTPS and access control

**Task Queue**: Celery with RabbitMQ for async tasks

Key Integration Points

1. **LDAP Authentication**: All regular users authenticate via LDAP with SSHA-hashed passwords

2. **LDAP Sync**: Backend maintains LDAP directory synchronized with Django database

3. **VPN Auth**: OpenVPN uses `openvpn-auth-ldap` plugin + PAM for OTP validation

4. **Session Management**: Frontend uses cookies for Django session authentication

5. **IP Whitelisting**: Caddy restricts routes to configured networks (default: 10.125.0.0/16, 164.125.0.0/16)

Data Flow

**Registration**: User registers → Backend atomically creates Django User + Profile + LinuxInfo, LDAP entry with SSHA password, home directory with proper ownership. First user automatically becomes superuser.

**Login**: User logs in via frontend → Backend authenticates via LDAP (regular users) or Django auth (guest users) → Creates session.

**Password Management**: User changes password → Backend updates LDAP password (SSHA hash).

**VPN Setup**: User enables VPN → Backend generates Google Authenticator QR code → Stores in `/etc/qr/` → VPN validates OTP + LDAP password via two plugins in sequence.

Step-by-Step Development Workflow

1. Initial Environment Setup

Read `.env.example` to understand required environment variables:

```bash

cp .env.example .env

Edit .env with required credentials (DB, LDAP, secrets)

```

Critical variables: `SECRET_KEY`, `LDAP_ADMIN_PASSWORD`, `LDAP_DOMAIN`, `RABBITMQ_DEFAULT_USER/PASS`, `SITE_DOMAIN`.

2. Start Development Environment

Use `compose-dev.yml` for hot-reload and debug mode:

```bash

docker compose -f compose-dev.yml up --build

Frontend: http://localhost:8080

Backend DEBUG=True, source code mounted for hot-reload

```

3. Working with Backend (Django)

**Key files**:

`backend/backend/api.py` - Main API endpoints (Django Ninja)

`backend/backend/utils.py` - `LDAPOps` class for LDAP operations

`backend/auth/models.py` - Django models (Profile, LinuxInfo, VPNInfo, LinuxGroup, Server)

`backend/auth/tasks.py` - Celery scheduled tasks (user removal, deactivation)

**Common operations**:

```bash

Enter backend container

docker compose exec backend bash

Run migrations after model changes

python manage.py makemigrations

python manage.py migrate

Django shell for debugging

python manage.py shell

Test Celery tasks

celery -A backend inspect active

```

**API endpoints** (`/api/` prefix):

`/register` - Create user with Linux/LDAP account

`/login` - Authenticate via LDAP (regular) or Django (guest)

`/password` - Change LDAP password (requires old password)

`/qr` - Generate VPN OTP QR code

`/group` - Manage LDAP groups with member sync

`/user` - Update user attributes (admin only, includes password reset)

`/guest` - Create/update guest accounts (admin only)

4. Working with Frontend (SvelteKit)

**Key files**:

`frontend/src/lib/fetch.js` - API client with cookie-based auth

`frontend/src/routes/+layout.server.js` - Root layout server load (session validation, redirects)

**Route groups**:

`(nonadmin)/` - Regular user pages (profile, VPN, Linux accounts)

`admin/` - Admin pages (user management, groups, servers, settings)

`init/` - Initial setup page for first admin

`login/`, `logout/` - Authentication

```bash

Enter frontend container (dev mode)

docker compose -f compose-dev.yml exec frontend sh

Install dependencies

cd /app && pnpm install

Build for production

pnpm run build

```

5. LDAP Operations

**LDAP structure**:

Domain derived from `LDAP_DOMAIN` env var (e.g., "dari" → `dc=dari`)

Admin: `cn=admin,dc=dari` with `LDAP_ADMIN_PASSWORD`

Two OUs: `ou=users` and `ou=groups`

Users: `cn=<username>,ou=users,dc=dari` (posixAccount + inetOrgPerson)

Groups: `cn=<groupname>,ou=groups,dc=dari` (posixGroup)

Passwords: SSHA hashes in `userPassword` attribute

**Key `LDAPOps` methods** (in `backend/backend/utils.py`):

`add_user()` - Create LDAP entry with optional SSHA password

`set_password()` - Update user's LDAP password

`authenticate_user()` - Validate username/password against LDAP

6. VPN OTP Flow

1. User requests QR via `/api/qr` → Backend runs `google-authenticator` → Stores secret in `/etc/qr/<username>`

2. VPN server uses two authentication plugins in sequence:

- `openvpn-auth-ldap.so` - Validates username/password against LDAP

- `openvpn-plugin-auth-pam.so` - Validates OTP code via Google Authenticator PAM module

3. VPN access granted only if both LDAP password and OTP are valid

**Config files**: `vpn/auth-ldap.conf`, `vpn/server.conf`

7. User Lifecycle Management (Celery Tasks)

Scheduled tasks in `backend/auth/tasks.py` run daily at midnight:

`remove_users()` - Archives and deletes expired users after 6 months

`deactivate_users()` - Marks users inactive after expiration date

**Test Celery**:

```bash

docker compose exec backend bash

celery -A backend inspect active

```

8. Database Operations

```bash

Access PostgreSQL

docker compose exec db psql -U dari -d dari

Backup database

docker compose exec db pg_dump -U dari dari > backup.sql

Restore database

docker compose exec -T db psql -U dari dari < backup.sql

```

9. Production Deployment

Use `compose.yml` for production:

```bash

docker compose up -d --build

View logs

docker compose logs -f [service_name]

```

**Volume mounts** (in `./db/`):

`postgres_data/` - PostgreSQL database

`ldap_data/`, `ldap_config/`, `ldap_certs/` - LDAP directory and auto-generated TLS certs

`caddy_data/`, `caddy_config/` - Caddy certificates

`vpn_easy_rsa/` - VPN PKI and auto-generated certificates

`ovpn/` - Generated OpenVPN client profiles

`qr/` - VPN OTP secrets

`ip_addresses` - Server IP whitelist file

**Home directories**:

Production: `/mnt/dari-home/<username>` (mounted volume)

Development: `./dari-home/<username>` (local directory)

10. Access Control

Caddy enforces IP whitelist (default: 10.125.0.0/16, 164.125.0.0/16) for all routes except `/guest/{uuid}`. Add IPs via admin interface → backend writes to `/etc/ip_addresses`.

Important Notes

**User Types**: Regular users authenticate via LDAP (SSHA passwords), guest users via Django (Django password hashes).

**Password Management**: Regular users change passwords via `/api/password` (requires old password). Admins reset via `/api/user` PATCH endpoint.

**Atomic User Creation**: `/api/register` endpoint creates Django User + Profile + LinuxInfo + LDAP entry + home directory in one transaction.

**First User**: Automatically becomes superuser. Force to `/init` if sitename not configured.

**External Authentication**: No longer required. System uses LDAP-based authentication with passwords managed directly in LDAP.

Testing

The `test/` directory contains Docker configuration for testing LDAP/PAM integration with nslcd on a client container.

Troubleshooting Checklist

1. **Authentication failures**: Check LDAP server logs, verify SSHA password hash format, test with `LDAPOps.authenticate_user()` in Django shell

2. **VPN OTP issues**: Verify QR code generated in `/etc/qr/`, check `openvpn-auth-ldap.conf` and PAM config

3. **Celery tasks not running**: Check RabbitMQ connection, verify `celery_beat` and `celery_worker` containers running

4. **Session issues**: Verify `sessionid` and `csrftoken` cookies set, check `API_BASE_URL` in frontend `fetch.js`

5. **IP whitelist blocking**: Add IP via admin interface or directly edit `./db/ip_addresses`

DARI Infrastructure Management Guide

DARI Infrastructure Management Guide

What This Skill Does

When to Use This Skill

Architecture Overview

Multi-Service Docker Architecture

Key Integration Points

Data Flow

Step-by-Step Development Workflow

1. Initial Environment Setup

Edit .env with required credentials (DB, LDAP, secrets)

2. Start Development Environment

Frontend: http://localhost:8080

Backend DEBUG=True, source code mounted for hot-reload

3. Working with Backend (Django)

Enter backend container

Run migrations after model changes

Django shell for debugging

Test Celery tasks

4. Working with Frontend (SvelteKit)

Enter frontend container (dev mode)

Install dependencies

Build for production

5. LDAP Operations

6. VPN OTP Flow

7. User Lifecycle Management (Celery Tasks)

8. Database Operations

Access PostgreSQL

Backup database

Restore database

9. Production Deployment

View logs

10. Access Control

Important Notes

Testing

Troubleshooting Checklist

Reviews (0)