From 0ceb513216a978bf5e59795d645e61dca7b54375 Mon Sep 17 00:00:00 2001
From: Ian Fijolek <ian@iamthefij.com>
Date: Fri, 7 Jul 2023 00:40:19 -0700
Subject: [PATCH] Switch Grafana to OIDC from proxy auth

---
 core/metrics/grafana.nomad       |  3 ++-
 core/metrics/grafana/grafana.ini | 23 ++++++++++++++---------
 2 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/core/metrics/grafana.nomad b/core/metrics/grafana.nomad
index 7eca11b..dd41b5a 100644
--- a/core/metrics/grafana.nomad
+++ b/core/metrics/grafana.nomad
@@ -26,7 +26,7 @@ job "grafana" {
       tags = [
         "traefik.enable=true",
         "traefik.http.routers.grafana.entryPoints=websecure",
-        "traefik.http.routers.grafana.middlewares=authelia@nomad",
+        # "traefik.http.routers.grafana.middlewares=authelia@nomad",
       ]
     }
 
@@ -162,6 +162,7 @@ GF_SMTP_PASSWORD={{ .smtp_password }}
 GF_EXTERNAL_IMAGE_STORAGE_S3_ACCESS_KEY={{ .minio_access_key }}
 GF_EXTERNAL_IMAGE_STORAGE_S3_SECRET_KEY={{ .minio_secret_key }}
 GRAFANA_ALERT_EMAIL_ADDRESSES={{ .alert_email_addresses }}
+GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET={{ .oidc_secret }}
 {{ if .db_name -}}
 # Database storage
 GF_DATABASE_TYPE=mysql
diff --git a/core/metrics/grafana/grafana.ini b/core/metrics/grafana/grafana.ini
index 8558a1f..d2f4f10 100644
--- a/core/metrics/grafana/grafana.ini
+++ b/core/metrics/grafana/grafana.ini
@@ -258,15 +258,20 @@ log_queries =
 
 #################################### Generic OAuth ##########################
 [auth.generic_oauth]
-;enabled = true
-;name = Cloudron
+enabled = true
+name = Authelia
 ;allow_sign_up = true
-;client_id = some_id
-;client_secret = some_secret
-;scopes = user:email,read:org
-;auth_url = https://foo.bar/login/oauth/authorize
-;token_url = https://foo.bar/login/oauth/access_token
-;api_url = https://foo.bar/user
+client_id = grafana
+client_secret = from_env
+scopes = openid profile email groups
+auth_url = https://authelia.thefij.rocks/api/oidc/authorization
+token_url = https://authelia.thefij.rocks/api/oidc/token
+api_url = https://authelia.thefij.rocks/api/oidc/userinfo
+login_attribute_path = preferred_username
+groups_attribute_path = groups
+name_attribute_path = name
+use_pkce = true
+
 ;team_ids =
 ;allowed_organizations =
 
@@ -282,7 +287,7 @@ log_queries =
 #################################### Auth Proxy ##########################
 [auth.proxy]
 {{ with nomadService "traefik" -}}
-enabled = true
+enabled = false
 header_name = Remote-User
 header_property = username
 auto_sign_up = true