Bxl-rpi Identity provider for grafana

2023-04-15 23:23:10 +02:00 · 2023-04-15 23:23:10 +02:00 · 33a0eaab47
parent a66a33140e
commit 33a0eaab47
2 changed files with 45 additions and 3 deletions
--- a/bxl-rpi/config/idp/authelia.configuration.yaml
+++ b/bxl-rpi/config/idp/authelia.configuration.yaml
@ -46,15 +46,15 @@ access_control:
    subject:
    - "group:admin"
  - domain: 'radarr.bhasher.com'
-    policy: two_factor
+    policy: one_factor
    subject:
    - "group:mediaserver"
  - domain: 'sonarr.bhasher.com'
-    policy: two_factor
+    policy: one_factor
    subject:
    - "group:mediaserver"
  - domain: 'jellyfin.bhasher.com'
-    policy: two_factor
+    policy: one_factor
    subject:
    - "group:mediaserver"

@ -99,3 +99,21 @@ password_policy:
    require_lowercase: false
    require_number: false
    require_special: false
+
+identity_providers:
+  oidc:
+    enforce_pkce: public_clients_only
+    clients:
+    - id: grafana
+      description: Grafana
+      secret: '$argon2id$v=19$m=65536,t=3,p=4$dQfNyInvlh1Lgw3JXi7G6A$M/WaNpHJkAyaQcXIMsOTl0+gBWGPPVBoCm7NpEQfTpI'
+      public: false
+      authorization_policy: one_factor
+      redirect_uris:
+      - https://grafana.bhasher.com/login/generic_oauth
+      scopes:
+      - openid
+      - profile
+      - groups
+      - email
+      userinfo_signing_algorithm: none
--- a/bxl-rpi/docker-compose.yaml
+++ b/bxl-rpi/docker-compose.yaml
@ -142,11 +142,32 @@ services:
    - "traefik.http.routers.grafana.tls=true"
    - "traefik.http.routers.grafana.tls.certresolver=http"
    environment:
+    - GF_SERVER_ROOT_URL=https://grafana.bhasher.com
    - GF_SMTP_ENABLED=true
    - GF_SMTP_HOST=bdubois.io:465
    - GF_SMTP_USER=${SMTP_USER}
    - GF_SMTP_PASSWORD=${SMTP_PASSWORD}
    - GF_SMTP_FROM_ADDRESS=grafana@bhasher.com
+    - GF_AUTH_LOGIN_DISABLE_LOGIN_FORM=true
+    - GF_AUTH_DISABLE_SIGNOUT_MENU=true
+    - GF_AUTH_OAUTH_AUTO_LOGIN=true
+    - GF_AUTH_GENERIC_OAUTH_ENABLED=true
+    - GF_AUTH_GENERIC_OAUTH_ICON=signin
+    - GF_AUTH_GENERIC_OAUTH_NAME=Authelia
+    - GF_AUTH_GENERIC_OAUTH_CLIENT_ID=grafana
+    - GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=${GRAFANA_OAUTH}
+    - GF_AUTH_GENERIC_OAUTH_SCOPES=openid profile email groups
+    - GF_AUTH_GENERIC_OAUTH_EMPTY_SCOPES=false
+    - GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://idp.bhasher.com/api/oidc/authorization
+    - GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://idp.bhasher.com/api/oidc/token
+    - GF_AUTH_GENERIC_OAUTH_API_URL=https://idp.bhasher.com/api/oidc/userinfo
+    - GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH=preferred_username
+    - GF_AUTH_GENERIC_OAUTH_GROUPS_ATTRIBUTE_PATH=groups
+    - GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH=name
+    - GF_AUTH_GENERIC_OAUTH_USE_PKCE=false
+    - GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=contains(roles[*], 'admin') && 'Admin' || 'Viewer'
+    - GF_AUTH_GENERIC_OAUTH_GROUPS_PATH=groups
+    - GF_AUTH_GENERIC_OAUTH_ALLOWED_GROUPS=admin
    volumes:
    - $DATA/monitoring/grafana:/var/lib/grafana 

@ -492,6 +513,8 @@ services:
    - AUTHELIA_STORAGE_POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
    - AUTHELIA_NOTIFIER_SMTP_PASSWORD=${SMTP_PASSWORD}
    - AUTHELIA_NOTIFIER_SMTP_USERNAME=${SMTP_USER}
+    - AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE=/secrets/oidc_certificate.pem
+    - AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET=${AUTHELIA_OIDC_HMAC}
    labels:
    - "traefik.enable=true"
    - "traefik.http.routers.authelia.rule=Host(`idp.bhasher.com`)"
@ -504,3 +527,4 @@ services:
    - 'traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
    volumes:
    - ./config/idp/authelia.configuration.yaml:/config/configuration.yml:ro
+    - $DATA/authelia:/secrets:ro