Switch Grafana to OIDC from proxy auth

core/metrics/grafana.nomad

@@ -26,7 +26,7 @@ job "grafana" {
       tags = [
         "traefik.enable=true",
         "traefik.http.routers.grafana.entryPoints=websecure",
-        "traefik.http.routers.grafana.middlewares=authelia@nomad",
+        # "traefik.http.routers.grafana.middlewares=authelia@nomad",
       ]
     }
 
@@ -162,6 +162,7 @@ GF_SMTP_PASSWORD={{ .smtp_password }}
 GF_EXTERNAL_IMAGE_STORAGE_S3_ACCESS_KEY={{ .minio_access_key }}
 GF_EXTERNAL_IMAGE_STORAGE_S3_SECRET_KEY={{ .minio_secret_key }}
 GRAFANA_ALERT_EMAIL_ADDRESSES={{ .alert_email_addresses }}
+GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET={{ .oidc_secret }}
 {{ if .db_name -}}
 # Database storage
 GF_DATABASE_TYPE=mysql

core/metrics/grafana/grafana.ini

@@ -258,15 +258,20 @@ log_queries =
 
 #################################### Generic OAuth ##########################
 [auth.generic_oauth]
-;enabled = true
+enabled = true
-;name = Cloudron
+name = Authelia
 ;allow_sign_up = true
-;client_id = some_id
+client_id = grafana
-;client_secret = some_secret
+client_secret = from_env
-;scopes = user:email,read:org
+scopes = openid profile email groups
-;auth_url = https://foo.bar/login/oauth/authorize
+auth_url = https://authelia.thefij.rocks/api/oidc/authorization
-;token_url = https://foo.bar/login/oauth/access_token
+token_url = https://authelia.thefij.rocks/api/oidc/token
-;api_url = https://foo.bar/user
+api_url = https://authelia.thefij.rocks/api/oidc/userinfo
+login_attribute_path = preferred_username
+groups_attribute_path = groups
+name_attribute_path = name
+use_pkce = true
+
 ;team_ids =
 ;allowed_organizations =
 
@@ -282,7 +287,7 @@ log_queries =
 #################################### Auth Proxy ##########################
 [auth.proxy]
 {{ with nomadService "traefik" -}}
-enabled = true
+enabled = false
 header_name = Remote-User
 header_property = username
 auto_sign_up = true