Bxl-rpi Identity provider for grafana

This commit is contained in:
Brieuc Dubois 2023-04-15 23:23:10 +02:00 committed by Bhasher
parent a66a33140e
commit 33a0eaab47
2 changed files with 45 additions and 3 deletions


@ -46,15 +46,15 @@ access_control:
subject:
- "group:admin"
- domain: 'radarr.bhasher.com'
policy: two_factor
policy: one_factor
subject:
- "group:mediaserver"
- domain: 'sonarr.bhasher.com'
policy: two_factor
policy: one_factor
subject:
- "group:mediaserver"
- domain: 'jellyfin.bhasher.com'
policy: two_factor
policy: one_factor
subject:
- "group:mediaserver"
@ -99,3 +99,21 @@ password_policy:
require_lowercase: false
require_number: false
require_special: false
identity_providers:
oidc:
enforce_pkce: public_clients_only
clients:
- id: grafana
description: Grafana
secret: '$argon2id$v=19$m=65536,t=3,p=4$dQfNyInvlh1Lgw3JXi7G6A$M/WaNpHJkAyaQcXIMsOTl0+gBWGPPVBoCm7NpEQfTpI'
public: false
authorization_policy: one_factor
redirect_uris:
- https://grafana.bhasher.com/login/generic_oauth
scopes:
- openid
- profile
- groups
- email
userinfo_signing_algorithm: none
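Review bot: The new `grafana` client is issued with `authorization_policy: one_factor`, yet the Grafana side of this commit restricts logins to the `admin` group and maps that group to Grafana's Admin role, so one factor is enough to reach an administrative dashboard; consider `authorization_policy: two_factor` for this client unless the `group:admin` rule at the top of `access_control` already enforces it (that rule's policy line is outside the hunk). Likewise `enforce_pkce: public_clients_only` together with `public: false` means Authelia will accept a code exchange from this confidential client without a PKCE verifier, and since the Grafana side exposes a `use_pkce` switch, `enforce_pkce: always` here plus `GF_AUTH_GENERIC_OAUTH_USE_PKCE=true` in the compose file would close authorization-code interception at little cost. `userinfo_signing_algorithm: none` appears to be deliberate — Grafana's generic OAuth reads the userinfo endpoint as plain JSON rather than a signed JWT — but a one-line comment saying so, `# Grafana consumes userinfo as plain JSON, so it must be unsigned`, would stop a later reader from "hardening" it into a broken login. Committing the argon2id hash of the client secret rather than the secret itself is the right call.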


@ -142,11 +142,32 @@ services:
- "traefik.http.routers.grafana.tls=true"
- "traefik.http.routers.grafana.tls.certresolver=http"
environment:
- GF_SERVER_ROOT_URL=https://grafana.bhasher.com
- GF_SMTP_ENABLED=true
- GF_SMTP_HOST=bdubois.io:465
- GF_SMTP_USER=${SMTP_USER}
- GF_SMTP_PASSWORD=${SMTP_PASSWORD}
- GF_SMTP_FROM_ADDRESS=grafana@bhasher.com
- GF_AUTH_LOGIN_DISABLE_LOGIN_FORM=true
- GF_AUTH_DISABLE_SIGNOUT_MENU=true
- GF_AUTH_OAUTH_AUTO_LOGIN=true
- GF_AUTH_GENERIC_OAUTH_ENABLED=true
- GF_AUTH_GENERIC_OAUTH_ICON=signin
- GF_AUTH_GENERIC_OAUTH_NAME=Authelia
- GF_AUTH_GENERIC_OAUTH_CLIENT_ID=grafana
- GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=${GRAFANA_OAUTH}
- GF_AUTH_GENERIC_OAUTH_SCOPES=openid profile email groups
- GF_AUTH_GENERIC_OAUTH_EMPTY_SCOPES=false
- GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://idp.bhasher.com/api/oidc/authorization
- GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://idp.bhasher.com/api/oidc/token
- GF_AUTH_GENERIC_OAUTH_API_URL=https://idp.bhasher.com/api/oidc/userinfo
- GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH=preferred_username
- GF_AUTH_GENERIC_OAUTH_GROUPS_ATTRIBUTE_PATH=groups
- GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH=name
- GF_AUTH_GENERIC_OAUTH_USE_PKCE=false
- GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=contains(roles[*], 'admin') && 'Admin' || 'Viewer'
- GF_AUTH_GENERIC_OAUTH_GROUPS_PATH=groups
- GF_AUTH_GENERIC_OAUTH_ALLOWED_GROUPS=admin
volumes:
- $DATA/monitoring/grafana:/var/lib/grafana
@ -492,6 +513,8 @@ services:
- AUTHELIA_STORAGE_POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
- AUTHELIA_NOTIFIER_SMTP_PASSWORD=${SMTP_PASSWORD}
- AUTHELIA_NOTIFIER_SMTP_USERNAME=${SMTP_USER}
- AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE=/secrets/oidc_certificate.pem
- AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET=${AUTHELIA_OIDC_HMAC}
labels:
- "traefik.enable=true"
- "traefik.http.routers.authelia.rule=Host(`idp.bhasher.com`)"
@ -504,3 +527,4 @@ services:
- 'traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
volumes:
- ./config/idp/authelia.configuration.yaml:/config/configuration.yml:ro
- $DATA/authelia:/secrets:ro
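Review bot: `GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=contains(roles[*], 'admin') && 'Admin' || 'Viewer'` in the Grafana hunk tests a `roles` claim that nothing in this configuration requests or exposes: the scopes line asks for `openid profile email groups`, and both `GROUPS_ATTRIBUTE_PATH` and `GROUPS_PATH` read membership from `groups`, so unless a `roles` claim is being injected elsewhere the JMESPath evaluates to null and every user — including the admins that `GF_AUTH_GENERIC_OAUTH_ALLOWED_GROUPS=admin` lets in — lands as Viewer with nobody able to administer Grafana. The role path should test the same claim the group filter already uses: `GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=contains(groups[*], 'admin') && 'Admin' || 'Viewer'`. Separately, `GF_AUTH_GENERIC_OAUTH_USE_PKCE=false` can be flipped to `true` once the Authelia client enforces PKCE, and in the Authelia hunk the issuer key is mounted as `/secrets/oidc_certificate.pem` although it is the private key (`OIDC_ISSUER_PRIVATE_KEY_FILE`); naming it `oidc_private_key.pem` avoids someone treating it as a shareable certificate. Both `services` entries continue outside the hunks shown.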