Use new oidc module for setting up oidc with Authelia
This commit is contained in:
parent
9a76c9efef
commit
79648879ab
@ -114,6 +114,9 @@ namespace "default" {
|
|||||||
path "authelia/*" {
|
path "authelia/*" {
|
||||||
capabilities = ["read"]
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
|
path "secrets/authelia/*" {
|
||||||
|
capabilities = ["read"]
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
EOH
|
EOH
|
||||||
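Review bot: The new `path "secrets/authelia/*"` grant gives the Authelia task read on every client's secret variable, while the Authelia template elsewhere in this commit only consumes `secret_hash` from those variables and the Grafana/Gitea/Photoprism templates read a plaintext `secret` from the very same paths. If both keys live in one variable, Authelia (which only needs the hash) can read every client's plaintext secret; either keep the hash under a path Authelia already owns (e.g. alongside `authelia/access_control/oidc_clients/<name>`) and reserve `secrets/authelia/<name>` for the consuming job, or split the variable — whether the two keys actually share a variable is not visible here. A one-line comment stating why a wildcard over the whole prefix is needed would also help, since the policy otherwise reads like a blanket grant. The enclosing `namespace "default"` policy starts outside the hunk.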
@ -142,6 +145,22 @@ EOH
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Enable oidc for nomad clients
|
||||||
|
module "nomad_oidc_client" {
|
||||||
|
source = "./oidc_client"
|
||||||
|
|
||||||
|
name = "nomad"
|
||||||
|
oidc_client_config = {
|
||||||
|
description = "Nomad"
|
||||||
|
authorization_policy = "two_factor"
|
||||||
|
redirect_uris = [
|
||||||
|
"https://nomad.${var.base_hostname}/oidc/callback",
|
||||||
|
"https://nomad.${var.base_hostname}/ui/settings/tokens",
|
||||||
|
]
|
||||||
|
scopes = ["openid", "groups"]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
resource "nomad_acl_auth_method" "nomad_authelia" {
|
resource "nomad_acl_auth_method" "nomad_authelia" {
|
||||||
name = "authelia"
|
name = "authelia"
|
||||||
type = "OIDC"
|
type = "OIDC"
|
||||||
@ -151,8 +170,8 @@ resource "nomad_acl_auth_method" "nomad_authelia" {
|
|||||||
|
|
||||||
config {
|
config {
|
||||||
oidc_discovery_url = "https://authelia.${var.base_hostname}"
|
oidc_discovery_url = "https://authelia.${var.base_hostname}"
|
||||||
oidc_client_id = "nomad"
|
oidc_client_id = module.nomad_oidc_client.client_id
|
||||||
oidc_client_secret = yamldecode(file("${path.module}/../ansible_playbooks/vars/nomad_vars.yml"))["nomad/oidc"]["secret"]
|
oidc_client_secret = module.nomad_oidc_client.secret
|
||||||
bound_audiences = ["nomad"]
|
bound_audiences = ["nomad"]
|
||||||
oidc_scopes = [
|
oidc_scopes = [
|
||||||
"groups",
|
"groups",
|
||||||
|
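Review bot: `bound_audiences = ["nomad"]` stays a string literal while `oidc_client_id` now comes from `module.nomad_oidc_client.client_id`; if the module ever issues an id other than its `name`, Authelia will put that id in `aud` and Nomad will reject every login on audience mismatch. Tie them together with `bound_audiences = [module.nomad_oidc_client.client_id]` so the binding cannot drift from the id. The `nomad_acl_auth_method` resource and its `oidc_scopes` list continue outside the hunk.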
@ -249,4 +249,18 @@ identity_providers:
|
|||||||
# hmac_secret: <file>
|
# hmac_secret: <file>
|
||||||
# issuer_private_key: <file>
|
# issuer_private_key: <file>
|
||||||
|
|
||||||
clients: {{ with nomadVar "nomad/jobs/authelia" }}{{ .oidc_clients.Value }}{{ end }}
|
clients:
|
||||||
|
{{ range nomadVarList "authelia/access_control/oidc_clients" -}}
|
||||||
|
{{- $name := (sprig_last (sprig_splitList "/" .Path)) -}}
|
||||||
|
{{ "-" | indent 6 }}
|
||||||
|
{{ with nomadVar .Path }}
|
||||||
|
|
||||||
|
{{- $im := .ItemsMap -}}
|
||||||
|
{{- $im = sprig_set $im "redirect_uris" (.redirect_uris.Value | parseYAML) -}}
|
||||||
|
{{- $im = sprig_set $im "scopes" (.scopes.Value | parseYAML) -}}
|
||||||
|
{{- with nomadVar (printf "secrets/authelia/%s" $name) -}}
|
||||||
|
{{- $im = sprig_set $im "secret" .secret_hash.Value -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{ $im | toYAML | indent 8 }}
|
||||||
|
{{ end }}
|
||||||
|
{{ end }}
|
||||||
|
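Review bot: When `secrets/authelia/<name>` does not exist, the inner `{{- with nomadVar (printf "secrets/authelia/%s" $name) -}}` silently skips and the client is still rendered, only without `secret`; as far as I recall Authelia refuses a confidential client with no secret at config validation, so one missing variable would likely take the whole identity provider down rather than only that client. Consider wrapping the whole entry in that `with`, and document the contract above the `range`, e.g. `# every authelia/access_control/oidc_clients/<name> needs a matching secrets/authelia/<name> holding secret_hash`. Note also that `$im := .ItemsMap` forwards every key of the variable into the client definition verbatim, so write access to that prefix is write access to arbitrary client settings — worth a comment. The enclosing `identity_providers.oidc` block starts outside the hunk.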
@ -155,7 +155,6 @@ GF_SECURITY_ADMIN_PASSWORD={{ .admin_pw }}
|
|||||||
GF_EXTERNAL_IMAGE_STORAGE_S3_ACCESS_KEY={{ .minio_access_key }}
|
GF_EXTERNAL_IMAGE_STORAGE_S3_ACCESS_KEY={{ .minio_access_key }}
|
||||||
GF_EXTERNAL_IMAGE_STORAGE_S3_SECRET_KEY={{ .minio_secret_key }}
|
GF_EXTERNAL_IMAGE_STORAGE_S3_SECRET_KEY={{ .minio_secret_key }}
|
||||||
GRAFANA_ALERT_EMAIL_ADDRESSES={{ .alert_email_addresses }}
|
GRAFANA_ALERT_EMAIL_ADDRESSES={{ .alert_email_addresses }}
|
||||||
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET={{ .oidc_secret }}
|
|
||||||
{{ if .db_name -}}
|
{{ if .db_name -}}
|
||||||
# Database storage
|
# Database storage
|
||||||
GF_DATABASE_TYPE=mysql
|
GF_DATABASE_TYPE=mysql
|
||||||
@ -167,6 +166,10 @@ GF_DATABASE_PASSWORD={{ .db_pass }}
|
|||||||
SLACK_BOT_URL={{ .slack_bot_url }}
|
SLACK_BOT_URL={{ .slack_bot_url }}
|
||||||
SLACK_BOT_TOKEN={{ .slack_bot_token }}
|
SLACK_BOT_TOKEN={{ .slack_bot_token }}
|
||||||
SLACK_HOOK_URL={{ .slack_hook_url }}
|
SLACK_HOOK_URL={{ .slack_hook_url }}
|
||||||
|
{{ end -}}
|
||||||
|
{{ with nomadVar "secrets/authelia/grafana" -}}
|
||||||
|
GF_AUTH_GENERIC_OAUTH_CLIENT_ID={{ .client_id }}
|
||||||
|
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET={{ .secret }}
|
||||||
{{ end -}}
|
{{ end -}}
|
||||||
EOF
|
EOF
|
||||||
env = true
|
env = true
|
||||||
|
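Review bot: `{{ with nomadVar "secrets/authelia/grafana" -}}` drops both `GF_AUTH_GENERIC_OAUTH_CLIENT_ID` and `GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET` when the variable is absent, and grafana.ini in the same commit keeps generic_oauth `enabled = true` with the literal placeholders `from_env`, so a missing variable degrades into an OAuth client pointed at Authelia with bogus credentials rather than a render failure. A comment such as `# both values are required; grafana.ini relies on these env overrides` above the `with` would make the dependency explicit. The outer `{{ with }}` closed by the first `{{ end -}}` begins outside the hunk.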
@ -261,7 +261,7 @@ log_queries =
|
|||||||
enabled = true
|
enabled = true
|
||||||
name = Authelia
|
name = Authelia
|
||||||
;allow_sign_up = true
|
;allow_sign_up = true
|
||||||
client_id = grafana
|
client_id = from_env
|
||||||
client_secret = from_env
|
client_secret = from_env
|
||||||
scopes = openid profile email groups
|
scopes = openid profile email groups
|
||||||
auth_url = https://authelia.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}/api/oidc/authorization
|
auth_url = https://authelia.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}/api/oidc/authorization
|
||||||
|
@ -93,3 +93,27 @@ EOH
|
|||||||
task = "stunnel"
|
task = "stunnel"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
module "grafana_oidc" {
|
||||||
|
source = "./oidc_client"
|
||||||
|
|
||||||
|
name = "grafana"
|
||||||
|
oidc_client_config = {
|
||||||
|
description = "Grafana"
|
||||||
|
scopes = [
|
||||||
|
"openid",
|
||||||
|
"groups",
|
||||||
|
"email",
|
||||||
|
"profile",
|
||||||
|
]
|
||||||
|
redirect_uris = [
|
||||||
|
"https://grafana.thefij.rocks/login/generic_oauth",
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
|
job_acl = {
|
||||||
|
job_id = "grafana"
|
||||||
|
group = "grafana"
|
||||||
|
task = "grafana"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
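Review bot: `module "grafana_oidc"` sets no `authorization_policy`, so whatever the core module defaults to applies (the `service` wrapper on this page defaults to `one_factor`; the core module's own default is not visible), while the Nomad client in the same commit explicitly asks for `two_factor` — for a Grafana admin login I would set `authorization_policy = "two_factor"` explicitly. The redirect URI `https://grafana.thefij.rocks/login/generic_oauth` also hardcodes the domain where the Nomad client uses `${var.base_hostname}`, so a base-hostname change would silently leave this client registered for the old host.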
@ -42,10 +42,19 @@ module "gitea" {
|
|||||||
]
|
]
|
||||||
|
|
||||||
use_smtp = true
|
use_smtp = true
|
||||||
|
|
||||||
mysql_bootstrap = {
|
mysql_bootstrap = {
|
||||||
enabled = true
|
enabled = true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
oidc_client_config = {
|
||||||
|
description = "Gitea"
|
||||||
|
redirect_uris = [
|
||||||
|
"https://git.thefij.rocks/user/oauth2/authelia/callback",
|
||||||
|
]
|
||||||
|
scopes = ["openid", "email", "profile"]
|
||||||
|
}
|
||||||
|
|
||||||
host_volumes = [
|
host_volumes = [
|
||||||
{
|
{
|
||||||
name = "gitea-data"
|
name = "gitea-data"
|
||||||
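Review bot: The Gitea client leaves `authorization_policy` unset while the bootstrap script later in this commit registers the provider with `--skip-local-2fa`; if the `one_factor` default of the `service` variable on this page applies here (whether `module "gitea"` goes through that wrapper is not visible), Gitea logins end up with exactly one factor and no second-factor prompt on either side. Set `authorization_policy = "two_factor"` in this config, or drop `--skip-local-2fa`, so the second factor is enforced somewhere. The `module "gitea"` block starts and ends outside the hunk.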
@ -111,6 +120,49 @@ GITEA__mailer__PASSWD={{ .password }}
|
|||||||
mount = false
|
mount = false
|
||||||
dest = "env"
|
dest = "env"
|
||||||
dest_prefix = "$${NOMAD_SECRETS_DIR}"
|
dest_prefix = "$${NOMAD_SECRETS_DIR}"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
data = <<EOF
|
||||||
|
{{ with nomadVar "secrets/authelia/git" -}}
|
||||||
|
CLIENT_ID={{ .client_id }}
|
||||||
|
SECRET={{ .secret }}
|
||||||
|
{{- end }}
|
||||||
|
EOF
|
||||||
|
dest = "oauth.env"
|
||||||
|
dest_prefix = "$${NOMAD_SECRETS_DIR}"
|
||||||
|
mount = false
|
||||||
|
change_mode = "script"
|
||||||
|
change_script = {
|
||||||
|
command = "/local/bootstrap_auth.sh"
|
||||||
}
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
data = <<EOF
|
||||||
|
#! /bin/bash
|
||||||
|
source {{ env "NOMAD_SECRETS_DIR" }}/oauth.env
|
||||||
|
auth_provider_id=$(su -- git gitea admin auth list | awk '/authelia/ { print $1 }')
|
||||||
|
|
||||||
|
if [ -z "$auth_provider_id" ]; then
|
||||||
|
echo "Creating Authelia OAuth provider"
|
||||||
|
su -- git gitea admin auth add-oauth \
|
||||||
|
--name authelia \
|
||||||
|
--provider openidConnect \
|
||||||
|
--key "$CLIENT_ID" \
|
||||||
|
--secret "$SECRET" \
|
||||||
|
--auto-discover-url https://authelia.thefij.rocks/.well-known/openid-configuration \
|
||||||
|
--skip-local-2fa
|
||||||
|
else
|
||||||
|
echo "Updating Authelia OAuth provider"
|
||||||
|
su -- git gitea admin auth update-oauth \
|
||||||
|
--id $auth_provider_id \
|
||||||
|
--key "$CLIENT_ID" \
|
||||||
|
--secret "$SECRET"
|
||||||
|
fi
|
||||||
|
EOF
|
||||||
|
dest = "bootstrap_auth.sh"
|
||||||
|
perms = "777"
|
||||||
|
change_mode = "noop"
|
||||||
|
mount = false
|
||||||
|
},
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
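Review bot: `perms = "777"` makes `bootstrap_auth.sh` world-writable, and it is then executed by the `change_script` as whatever user the task runs as (it invokes `su`, so presumably root); any process in the task that can write the file can run code with that privilege, and `perms = "755"` is all an executable script needs. Separately, `--secret "$SECRET"` puts the client secret on the `gitea admin` command line, where it is visible in the task's process table for the duration of the call; if Gitea offers no file or stdin alternative, at least note that in a comment. Minor: quote `--id "$auth_provider_id"`, and the discovery URL hardcodes `authelia.thefij.rocks` where other templates derive the host from `base_hostname`. The `templates` list and the enclosing `module "gitea"` block start outside the hunk.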
@ -1,4 +1,4 @@
|
|||||||
module "photoprism_module" {
|
module "photoprism" {
|
||||||
source = "./service"
|
source = "./service"
|
||||||
|
|
||||||
name = "photoprism"
|
name = "photoprism"
|
||||||
@ -42,6 +42,14 @@ module "photoprism_module" {
|
|||||||
enabled = true
|
enabled = true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
oidc_client_config = {
|
||||||
|
description = "Photoprism"
|
||||||
|
redirect_uris = [
|
||||||
|
"https://photoprism.thefij.rocks/api/v1/oidc/redirect",
|
||||||
|
]
|
||||||
|
scopes = ["openid", "email", "profile"]
|
||||||
|
}
|
||||||
|
|
||||||
env = {
|
env = {
|
||||||
PHOTOPRISM_DEBUG = true
|
PHOTOPRISM_DEBUG = true
|
||||||
# UI
|
# UI
|
||||||
@ -80,8 +88,6 @@ module "photoprism_module" {
|
|||||||
PHOTOPRISM_DATABASE_USER={{ .db_user }}
|
PHOTOPRISM_DATABASE_USER={{ .db_user }}
|
||||||
PHOTOPRISM_DATABASE_PASSWORD={{ .db_pass }}
|
PHOTOPRISM_DATABASE_PASSWORD={{ .db_pass }}
|
||||||
PHOTOPRISM_DATABASE_SERVER=127.0.0.1:3306
|
PHOTOPRISM_DATABASE_SERVER=127.0.0.1:3306
|
||||||
PHOTOPRISM_OIDC_CLIENT=photoprism
|
|
||||||
PHOTOPRISM_OIDC_SECRET={{ .oidc_secret }}
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{ if eq (env "meta.hw_transcode.type") "raspberry" -}}
|
{{ if eq (env "meta.hw_transcode.type") "raspberry" -}}
|
||||||
PHOTOPRISM_FFMPEG_ENCODER=raspberry
|
PHOTOPRISM_FFMPEG_ENCODER=raspberry
|
||||||
@ -90,6 +96,10 @@ module "photoprism_module" {
|
|||||||
PHOTOPRISM_FFMPEG_ENCODER=intel
|
PHOTOPRISM_FFMPEG_ENCODER=intel
|
||||||
PHOTOPRISM_INIT="intel tensorflow"
|
PHOTOPRISM_INIT="intel tensorflow"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{ with nomadVar "secrets/authelia/photoprism" -}}
|
||||||
|
PHOTOPRISM_OIDC_CLIENT={{ .client_id }}
|
||||||
|
PHOTOPRISM_OIDC_SECRET={{ .secret }}
|
||||||
|
{{- end }}
|
||||||
EOF
|
EOF
|
||||||
dest_prefix = "$${NOMAD_SECRETS_DIR}/"
|
dest_prefix = "$${NOMAD_SECRETS_DIR}/"
|
||||||
dest = "env"
|
dest = "env"
|
||||||
|
@ -225,3 +225,23 @@ EOH
|
|||||||
task = var.name
|
task = var.name
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
module "oidc_client" {
|
||||||
|
count = var.oidc_client_config != null ? 1 : 0
|
||||||
|
|
||||||
|
source = "../../core/oidc_client"
|
||||||
|
name = var.name
|
||||||
|
|
||||||
|
oidc_client_config = {
|
||||||
|
description = var.oidc_client_config.description
|
||||||
|
authorization_policy = var.oidc_client_config.authorization_policy
|
||||||
|
redirect_uris = var.oidc_client_config.redirect_uris
|
||||||
|
scopes = var.oidc_client_config.scopes
|
||||||
|
}
|
||||||
|
|
||||||
|
job_acl = {
|
||||||
|
job_id = resource.nomad_job.service.id
|
||||||
|
group = var.name
|
||||||
|
task = var.name
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@ -204,6 +204,9 @@ EOF
|
|||||||
%{~ if template.right_delimiter != null }
|
%{~ if template.right_delimiter != null }
|
||||||
right_delimiter = "${template.right_delimiter}"
|
right_delimiter = "${template.right_delimiter}"
|
||||||
%{~ endif ~}
|
%{~ endif ~}
|
||||||
|
%{~ if template.perms != null }
|
||||||
|
perms = "${template.perms}"
|
||||||
|
%{~ endif ~}
|
||||||
%{~ if template.change_mode != null }
|
%{~ if template.change_mode != null }
|
||||||
change_mode = "${template.change_mode}"
|
change_mode = "${template.change_mode}"
|
||||||
%{~ endif ~}
|
%{~ endif ~}
|
||||||
|
@ -176,6 +176,7 @@ variable "templates" {
|
|||||||
right_delimiter = optional(string)
|
right_delimiter = optional(string)
|
||||||
mount = optional(bool, true)
|
mount = optional(bool, true)
|
||||||
env = optional(bool, false)
|
env = optional(bool, false)
|
||||||
|
perms = optional(string)
|
||||||
change_mode = optional(string)
|
change_mode = optional(string)
|
||||||
change_signal = optional(string)
|
change_signal = optional(string)
|
||||||
change_script = optional(object({
|
change_script = optional(object({
|
||||||
@ -296,3 +297,15 @@ variable "service_check" {
|
|||||||
|
|
||||||
default = {}
|
default = {}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "oidc_client_config" {
|
||||||
|
description = "Authelia oidc client configuration to enable oidc authentication"
|
||||||
|
type = object({
|
||||||
|
description = string
|
||||||
|
authorization_policy = optional(string, "one_factor")
|
||||||
|
redirect_uris = list(string)
|
||||||
|
scopes = list(string)
|
||||||
|
})
|
||||||
|
|
||||||
|
default = null
|
||||||
|
}
|
||||||
|
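Review bot: `authorization_policy = optional(string, "one_factor")` defaults every service that opts into OIDC to single-factor and accepts any string, so a typo such as `two_factors` is only caught when Authelia validates its config at startup, long after `terraform apply` reported success. Add a `validation` block restricting the value to the policies Authelia documents (`one_factor`, `two_factor`; extend the list if named policies are in use), and consider whether `two_factor` is the safer default given the Nomad client in this commit already asks for it explicitly. The fence keeps the description and type unchanged.
```hcl
variable "oidc_client_config" {
  # … unchanged: description and type …

  default = null

  validation {
    # try() returns the fallback when the config is null (attribute access on null errors).
    condition     = try(contains(["one_factor", "two_factor"], var.oidc_client_config.authorization_policy), var.oidc_client_config == null)
    error_message = "oidc_client_config.authorization_policy must be \"one_factor\" or \"two_factor\"."
  }
}
```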