Use new oidc module for setting up oidc with Authelia

2024-08-29 14:07:49 -07:00 · 2024-08-29 14:07:49 -07:00 · 79648879ab
commit 79648879ab
parent 9a76c9efef
10 changed files with 167 additions and 9 deletions
--- a/core/authelia.tf
+++ b/core/authelia.tf
@ -114,6 +114,9 @@ namespace "default" {
    path "authelia/*" {
      capabilities = ["read"]
    }
+    path "secrets/authelia/*" {
+      capabilities = ["read"]
+    }
  }
 }
 EOH
@ -142,6 +145,22 @@ EOH
  }
 }

+# Enable oidc for nomad clients
+module "nomad_oidc_client" {
+  source = "./oidc_client"
+
+  name = "nomad"
+  oidc_client_config = {
+    description          = "Nomad"
+    authorization_policy = "two_factor"
+    redirect_uris = [
+      "https://nomad.${var.base_hostname}/oidc/callback",
+      "https://nomad.${var.base_hostname}/ui/settings/tokens",
+    ]
+    scopes = ["openid", "groups"]
+  }
+}
+
 resource "nomad_acl_auth_method" "nomad_authelia" {
  name           = "authelia"
  type           = "OIDC"
@ -151,8 +170,8 @@ resource "nomad_acl_auth_method" "nomad_authelia" {

  config {
    oidc_discovery_url = "https://authelia.${var.base_hostname}"
-    oidc_client_id     = "nomad"
-    oidc_client_secret = yamldecode(file("${path.module}/../ansible_playbooks/vars/nomad_vars.yml"))["nomad/oidc"]["secret"]
+    oidc_client_id     = module.nomad_oidc_client.client_id
+    oidc_client_secret = module.nomad_oidc_client.secret
    bound_audiences    = ["nomad"]
    oidc_scopes = [
      "groups",
--- a/core/authelia.yml
+++ b/core/authelia.yml
@ -249,4 +249,18 @@ identity_providers:
    # hmac_secret: <file>
    # issuer_private_key: <file>

-    clients: {{ with nomadVar "nomad/jobs/authelia" }}{{ .oidc_clients.Value }}{{ end }}
+    clients:
+{{ range nomadVarList "authelia/access_control/oidc_clients" -}}
+{{- $name := (sprig_last (sprig_splitList "/" .Path)) -}}
+      {{ "-" | indent 6 }}
+{{ with nomadVar .Path }}
+
+{{- $im := .ItemsMap -}}
+{{- $im = sprig_set $im "redirect_uris" (.redirect_uris.Value | parseYAML) -}}
+{{- $im = sprig_set $im "scopes" (.scopes.Value | parseYAML) -}}
+{{- with nomadVar (printf "secrets/authelia/%s" $name) -}}
+{{- $im = sprig_set $im "secret" .secret_hash.Value -}}
+{{- end -}}
+{{ $im | toYAML | indent 8 }}
+{{ end }}
+{{ end }}
--- a/core/grafana.nomad
+++ b/core/grafana.nomad
@ -155,7 +155,6 @@ GF_SECURITY_ADMIN_PASSWORD={{ .admin_pw }}
 GF_EXTERNAL_IMAGE_STORAGE_S3_ACCESS_KEY={{ .minio_access_key }}
 GF_EXTERNAL_IMAGE_STORAGE_S3_SECRET_KEY={{ .minio_secret_key }}
 GRAFANA_ALERT_EMAIL_ADDRESSES={{ .alert_email_addresses }}
-GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET={{ .oidc_secret }}
 {{ if .db_name -}}
 # Database storage
 GF_DATABASE_TYPE=mysql
@ -167,6 +166,10 @@ GF_DATABASE_PASSWORD={{ .db_pass }}
 SLACK_BOT_URL={{ .slack_bot_url }}
 SLACK_BOT_TOKEN={{ .slack_bot_token }}
 SLACK_HOOK_URL={{ .slack_hook_url }}
+{{ end -}}
+{{ with nomadVar "secrets/authelia/grafana" -}}
+GF_AUTH_GENERIC_OAUTH_CLIENT_ID={{ .client_id }}
+GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET={{ .secret }}
 {{ end -}}
        EOF
        env = true
--- a/core/grafana/grafana.ini
+++ b/core/grafana/grafana.ini
@ -261,7 +261,7 @@ log_queries =
 enabled = true
 name = Authelia
 ;allow_sign_up = true
-client_id = grafana
+client_id = from_env
 client_secret = from_env
 scopes = openid profile email groups
 auth_url = https://authelia.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}/api/oidc/authorization
--- a/core/metrics.tf
+++ b/core/metrics.tf
@ -93,3 +93,27 @@ EOH
    task   = "stunnel"
  }
 }
+
+module "grafana_oidc" {
+  source = "./oidc_client"
+
+  name = "grafana"
+  oidc_client_config = {
+    description = "Grafana"
+    scopes = [
+      "openid",
+      "groups",
+      "email",
+      "profile",
+    ]
+    redirect_uris = [
+      "https://grafana.thefij.rocks/login/generic_oauth",
+    ]
+  }
+
+  job_acl = {
+    job_id = "grafana"
+    group  = "grafana"
+    task   = "grafana"
+  }
+}
--- a/services/gitea.tf
+++ b/services/gitea.tf
@ -42,10 +42,19 @@ module "gitea" {
  ]

  use_smtp = true
+
  mysql_bootstrap = {
    enabled = true
  }

+  oidc_client_config = {
+    description = "Gitea"
+    redirect_uris = [
+      "https://git.thefij.rocks/user/oauth2/authelia/callback",
+    ]
+    scopes = ["openid", "email", "profile"]
+  }
+
  host_volumes = [
    {
      name      = "gitea-data"
@ -111,6 +120,49 @@ GITEA__mailer__PASSWD={{ .password }}
      mount       = false
      dest        = "env"
      dest_prefix = "$${NOMAD_SECRETS_DIR}"
-    }
+    },
+    {
+      data        = <<EOF
+{{ with nomadVar "secrets/authelia/git" -}}
+CLIENT_ID={{ .client_id }}
+SECRET={{ .secret }}
+{{- end }}
+EOF
+      dest        = "oauth.env"
+      dest_prefix = "$${NOMAD_SECRETS_DIR}"
+      mount       = false
+      change_mode = "script"
+      change_script = {
+        command = "/local/bootstrap_auth.sh"
+      }
+    },
+    {
+      data        = <<EOF
+#! /bin/bash
+source {{ env "NOMAD_SECRETS_DIR" }}/oauth.env
+auth_provider_id=$(su -- git gitea admin auth list | awk '/authelia/ { print $1 }')
+
+if [ -z "$auth_provider_id" ]; then
+  echo "Creating Authelia OAuth provider"
+  su -- git gitea admin auth add-oauth \
+    --name authelia \
+    --provider openidConnect \
+    --key "$CLIENT_ID" \
+    --secret "$SECRET" \
+    --auto-discover-url https://authelia.thefij.rocks/.well-known/openid-configuration \
+    --skip-local-2fa
+else
+  echo "Updating Authelia OAuth provider"
+  su -- git gitea admin auth update-oauth \
+    --id $auth_provider_id \
+    --key "$CLIENT_ID" \
+    --secret "$SECRET"
+fi
+EOF
+      dest        = "bootstrap_auth.sh"
+      perms       = "777"
+      change_mode = "noop"
+      mount       = false
+    },
  ]
 }
--- a/services/photoprism.tf
+++ b/services/photoprism.tf
@ -1,4 +1,4 @@
-module "photoprism_module" {
+module "photoprism" {
  source = "./service"

  name               = "photoprism"
@ -42,6 +42,14 @@ module "photoprism_module" {
    enabled = true
  }

+  oidc_client_config = {
+    description = "Photoprism"
+    redirect_uris = [
+      "https://photoprism.thefij.rocks/api/v1/oidc/redirect",
+    ]
+    scopes = ["openid", "email", "profile"]
+  }
+
  env = {
    PHOTOPRISM_DEBUG = true
    # UI
@ -80,8 +88,6 @@ module "photoprism_module" {
      PHOTOPRISM_DATABASE_USER={{ .db_user }}
      PHOTOPRISM_DATABASE_PASSWORD={{ .db_pass }}
      PHOTOPRISM_DATABASE_SERVER=127.0.0.1:3306
-      PHOTOPRISM_OIDC_CLIENT=photoprism
-      PHOTOPRISM_OIDC_SECRET={{ .oidc_secret }}
      {{- end }}
      {{ if eq (env "meta.hw_transcode.type") "raspberry" -}}
      PHOTOPRISM_FFMPEG_ENCODER=raspberry
@ -90,6 +96,10 @@ module "photoprism_module" {
      PHOTOPRISM_FFMPEG_ENCODER=intel
      PHOTOPRISM_INIT="intel tensorflow"
      {{- end }}
+      {{ with nomadVar "secrets/authelia/photoprism" -}}
+      PHOTOPRISM_OIDC_CLIENT={{ .client_id }}
+      PHOTOPRISM_OIDC_SECRET={{ .secret }}
+      {{- end }}
      EOF
      dest_prefix = "$${NOMAD_SECRETS_DIR}/"
      dest        = "env"
--- a/services/service/main.tf
+++ b/services/service/main.tf
@ -225,3 +225,23 @@ EOH
    task   = var.name
  }
 }
+
+module "oidc_client" {
+  count = var.oidc_client_config != null ? 1 : 0
+
+  source = "../../core/oidc_client"
+  name   = var.name
+
+  oidc_client_config = {
+    description          = var.oidc_client_config.description
+    authorization_policy = var.oidc_client_config.authorization_policy
+    redirect_uris        = var.oidc_client_config.redirect_uris
+    scopes               = var.oidc_client_config.scopes
+  }
+
+  job_acl = {
+    job_id = resource.nomad_job.service.id
+    group  = var.name
+    task   = var.name
+  }
+}
--- a/services/service/service_template.nomad
+++ b/services/service/service_template.nomad
@ -204,6 +204,9 @@ EOF
        %{~ if template.right_delimiter != null }
        right_delimiter = "${template.right_delimiter}"
        %{~ endif ~}
+        %{~ if template.perms != null }
+        perms = "${template.perms}"
+        %{~ endif ~}
        %{~ if template.change_mode != null }
        change_mode = "${template.change_mode}"
        %{~ endif ~}
--- a/services/service/vars.tf
+++ b/services/service/vars.tf
@ -176,6 +176,7 @@ variable "templates" {
    right_delimiter = optional(string)
    mount           = optional(bool, true)
    env             = optional(bool, false)
+    perms           = optional(string)
    change_mode     = optional(string)
    change_signal   = optional(string)
    change_script = optional(object({
@ -296,3 +297,15 @@ variable "service_check" {

  default = {}
 }
+
+variable "oidc_client_config" {
+  description = "Authelia oidc client configuration to enable oidc authentication"
+  type = object({
+    description          = string
+    authorization_policy = optional(string, "one_factor")
+    redirect_uris        = list(string)
+    scopes               = list(string)
+  })
+
+  default = null
+}