Use new oidc module for setting up oidc with Authelia
parent
9a76c9efef
commit
79648879ab
@ -114,6 +114,9 @@ namespace "default" {
|
||||
path "authelia/*" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
path "secrets/authelia/*" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
}
|
||||
}
|
||||
EOH
|
||||
@ -142,6 +145,22 @@ EOH
|
||||
}
|
||||
}
|
||||
|
||||
# Enable oidc for nomad clients
|
||||
module "nomad_oidc_client" {
|
||||
source = "./oidc_client"
|
||||
|
||||
name = "nomad"
|
||||
oidc_client_config = {
|
||||
description = "Nomad"
|
||||
authorization_policy = "two_factor"
|
||||
redirect_uris = [
|
||||
"https://nomad.${var.base_hostname}/oidc/callback",
|
||||
"https://nomad.${var.base_hostname}/ui/settings/tokens",
|
||||
]
|
||||
scopes = ["openid", "groups"]
|
||||
}
|
||||
}
|
||||
|
||||
resource "nomad_acl_auth_method" "nomad_authelia" {
|
||||
name = "authelia"
|
||||
type = "OIDC"
|
||||
@ -151,8 +170,8 @@ resource "nomad_acl_auth_method" "nomad_authelia" {
|
||||
|
||||
config {
|
||||
oidc_discovery_url = "https://authelia.${var.base_hostname}"
|
||||
oidc_client_id = "nomad"
|
||||
oidc_client_secret = yamldecode(file("${path.module}/../ansible_playbooks/vars/nomad_vars.yml"))["nomad/oidc"]["secret"]
|
||||
oidc_client_id = module.nomad_oidc_client.client_id
|
||||
oidc_client_secret = module.nomad_oidc_client.secret
|
||||
bound_audiences = ["nomad"]
|
||||
oidc_scopes = [
|
||||
"groups",
|
||||
|
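Review bot: The new `path "secrets/authelia/*"` read grant in the ACL policy hunk gives the Authelia job every item under those variables, although its config template in this commit only consumes `secret_hash`, while the same variables also carry the plaintext `secret` that the Grafana, Gitea and Photoprism templates read. Keeping the hash under a separate prefix (for example a constructed `authelia/client_hashes/<name>` path) and granting Authelia read on that prefix alone would keep the plaintext client secrets out of the Authelia task's reach. The `oidc_client_id`/`oidc_client_secret` lines in the auth-method hunk read correctly from the module outputs; a comment such as `# credentials are generated by the nomad_oidc_client module, not stored in vars YAML` would record why the yamldecode lookup went away. The heredoc policy and the `nomad_acl_auth_method` resource both extend beyond the hunks shown.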
@ -249,4 +249,18 @@ identity_providers:
|
||||
# hmac_secret: <file>
|
||||
# issuer_private_key: <file>
|
||||
|
||||
clients: {{ with nomadVar "nomad/jobs/authelia" }}{{ .oidc_clients.Value }}{{ end }}
|
||||
clients:
|
||||
{{ range nomadVarList "authelia/access_control/oidc_clients" -}}
|
||||
{{- $name := (sprig_last (sprig_splitList "/" .Path)) -}}
|
||||
{{ "-" | indent 6 }}
|
||||
{{ with nomadVar .Path }}
|
||||
|
||||
{{- $im := .ItemsMap -}}
|
||||
{{- $im = sprig_set $im "redirect_uris" (.redirect_uris.Value | parseYAML) -}}
|
||||
{{- $im = sprig_set $im "scopes" (.scopes.Value | parseYAML) -}}
|
||||
{{- with nomadVar (printf "secrets/authelia/%s" $name) -}}
|
||||
{{- $im = sprig_set $im "secret" .secret_hash.Value -}}
|
||||
{{- end -}}
|
||||
{{ $im | toYAML | indent 8 }}
|
||||
{{ end }}
|
||||
{{ end }}
|
||||
|
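Review bot: In the new `clients:` loop a missing `secrets/authelia/<name>` variable is skipped silently by the inner `with`, so the client is rendered without a `secret` entry, whereas a variable that exists but lacks a `secret_hash` item appears to abort the render on `.secret_hash.Value`; the two failure modes differ and neither is explained. A short comment above the loop, such as `# one client per authelia/access_control/oidc_clients/<name> var; secret_hash comes from secrets/authelia/<name> (needs the secrets/authelia/* read grant)`, would make the dependency on the ACL change in this commit visible to the next editor. Emitting `.ItemsMap` wholesale also means any item added to the client variable later lands verbatim in Authelia's client config, which deserves either a note or an explicit key list. The `identity_providers` block continues outside the hunk.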
@ -155,7 +155,6 @@ GF_SECURITY_ADMIN_PASSWORD={{ .admin_pw }}
|
||||
GF_EXTERNAL_IMAGE_STORAGE_S3_ACCESS_KEY={{ .minio_access_key }}
|
||||
GF_EXTERNAL_IMAGE_STORAGE_S3_SECRET_KEY={{ .minio_secret_key }}
|
||||
GRAFANA_ALERT_EMAIL_ADDRESSES={{ .alert_email_addresses }}
|
||||
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET={{ .oidc_secret }}
|
||||
{{ if .db_name -}}
|
||||
# Database storage
|
||||
GF_DATABASE_TYPE=mysql
|
||||
@ -167,6 +166,10 @@ GF_DATABASE_PASSWORD={{ .db_pass }}
|
||||
SLACK_BOT_URL={{ .slack_bot_url }}
|
||||
SLACK_BOT_TOKEN={{ .slack_bot_token }}
|
||||
SLACK_HOOK_URL={{ .slack_hook_url }}
|
||||
{{ end -}}
|
||||
{{ with nomadVar "secrets/authelia/grafana" -}}
|
||||
GF_AUTH_GENERIC_OAUTH_CLIENT_ID={{ .client_id }}
|
||||
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET={{ .secret }}
|
||||
{{ end -}}
|
||||
EOF
|
||||
env = true
|
||||
|
@ -261,7 +261,7 @@ log_queries =
|
||||
enabled = true
|
||||
name = Authelia
|
||||
;allow_sign_up = true
|
||||
client_id = grafana
|
||||
client_id = from_env
|
||||
client_secret = from_env
|
||||
scopes = openid profile email groups
|
||||
auth_url = https://authelia.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}/api/oidc/authorization
|
||||
|
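Review bot: `client_id = from_env` and `client_secret = from_env` in the ini hunk read like keywords but are plain placeholder strings that only work because the `GF_AUTH_GENERIC_OAUTH_CLIENT_ID` and `GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET` variables from the earlier env template override them; a comment such as `; placeholders - overridden by GF_AUTH_GENERIC_OAUTH_CLIENT_ID/_SECRET rendered from secrets/authelia/grafana` would stop someone from "fixing" them. That override is itself conditional: the `{{ with nomadVar "secrets/authelia/grafana" -}}` block emits nothing when the variable is absent (presumably before the oidc client module has written it, or under a missing ACL grant), so Grafana would silently start with the literal `from_env` as its client id rather than failing loudly. The same with-block pattern is used for the Gitea and Photoprism env templates in this commit. The ini section containing these keys begins outside the hunk.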
@ -93,3 +93,27 @@ EOH
|
||||
task = "stunnel"
|
||||
}
|
||||
}
|
||||
|
||||
module "grafana_oidc" {
|
||||
source = "./oidc_client"
|
||||
|
||||
name = "grafana"
|
||||
oidc_client_config = {
|
||||
description = "Grafana"
|
||||
scopes = [
|
||||
"openid",
|
||||
"groups",
|
||||
"email",
|
||||
"profile",
|
||||
]
|
||||
redirect_uris = [
|
||||
"https://grafana.thefij.rocks/login/generic_oauth",
|
||||
]
|
||||
}
|
||||
|
||||
job_acl = {
|
||||
job_id = "grafana"
|
||||
group = "grafana"
|
||||
task = "grafana"
|
||||
}
|
||||
}
|
||||
|
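Review bot: `redirect_uris` in `module "grafana_oidc"` hard-codes `https://grafana.thefij.rocks/login/generic_oauth`, while the Nomad client in the same commit builds its URIs from `var.base_hostname`; the Gitea hunk (`git.thefij.rocks`, and the `--auto-discover-url` in its bootstrap script) and the Photoprism hunk (`photoprism.thefij.rocks`) do the same. If `var.base_hostname` is declared in these files, `"https://grafana.${var.base_hostname}/login/generic_oauth"` keeps the redirect URIs aligned with the issuer URL; Authelia matches redirect URIs exactly, so a hostname change would otherwise break only the hard-coded clients. `authorization_policy` is not set here, so whatever default `./oidc_client` applies decides whether Grafana logins require 2FA, which is worth an explicit value or a comment. The surrounding resource before `module "grafana_oidc"` starts outside the hunk.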
@ -42,10 +42,19 @@ module "gitea" {
|
||||
]
|
||||
|
||||
use_smtp = true
|
||||
|
||||
mysql_bootstrap = {
|
||||
enabled = true
|
||||
}
|
||||
|
||||
oidc_client_config = {
|
||||
description = "Gitea"
|
||||
redirect_uris = [
|
||||
"https://git.thefij.rocks/user/oauth2/authelia/callback",
|
||||
]
|
||||
scopes = ["openid", "email", "profile"]
|
||||
}
|
||||
|
||||
host_volumes = [
|
||||
{
|
||||
name = "gitea-data"
|
||||
@ -111,6 +120,49 @@ GITEA__mailer__PASSWD={{ .password }}
|
||||
mount = false
|
||||
dest = "env"
|
||||
dest_prefix = "$${NOMAD_SECRETS_DIR}"
|
||||
},
|
||||
{
|
||||
data = <<EOF
|
||||
{{ with nomadVar "secrets/authelia/git" -}}
|
||||
CLIENT_ID={{ .client_id }}
|
||||
SECRET={{ .secret }}
|
||||
{{- end }}
|
||||
EOF
|
||||
dest = "oauth.env"
|
||||
dest_prefix = "$${NOMAD_SECRETS_DIR}"
|
||||
mount = false
|
||||
change_mode = "script"
|
||||
change_script = {
|
||||
command = "/local/bootstrap_auth.sh"
|
||||
}
|
||||
},
|
||||
{
|
||||
data = <<EOF
|
||||
#! /bin/bash
|
||||
source {{ env "NOMAD_SECRETS_DIR" }}/oauth.env
|
||||
auth_provider_id=$(su -- git gitea admin auth list | awk '/authelia/ { print $1 }')
|
||||
|
||||
if [ -z "$auth_provider_id" ]; then
|
||||
echo "Creating Authelia OAuth provider"
|
||||
su -- git gitea admin auth add-oauth \
|
||||
--name authelia \
|
||||
--provider openidConnect \
|
||||
--key "$CLIENT_ID" \
|
||||
--secret "$SECRET" \
|
||||
--auto-discover-url https://authelia.thefij.rocks/.well-known/openid-configuration \
|
||||
--skip-local-2fa
|
||||
else
|
||||
echo "Updating Authelia OAuth provider"
|
||||
su -- git gitea admin auth update-oauth \
|
||||
--id $auth_provider_id \
|
||||
--key "$CLIENT_ID" \
|
||||
--secret "$SECRET"
|
||||
fi
|
||||
EOF
|
||||
dest = "bootstrap_auth.sh"
|
||||
perms = "777"
|
||||
change_mode = "noop"
|
||||
mount = false
|
||||
},
|
||||
]
|
||||
}
|
||||
|
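Review bot: The `bootstrap_auth.sh` template is written with `perms = "777"`, which makes a script that the task later executes (as the `change_script` of the `oauth.env` secrets template) world-writable inside the container; `perms = "755"` is enough, since presumably only the task user runs it. The script also lacks `set -euo pipefail`, so a transient failure of `gitea admin auth list` yields an empty `auth_provider_id` and takes the `add-oauth` branch, creating a duplicate provider on the next render, and `--id $auth_provider_id` should be quoted in case the `awk '/authelia/'` filter ever matches more than one row. Passing `--secret "$SECRET"` on the command line is what the Gitea CLI takes, but it briefly exposes the secret in the task's process list, which deserves a comment in the script. The `templates` list this hunk extends begins outside the hunk.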
@ -1,4 +1,4 @@
|
||||
module "photoprism_module" {
|
||||
module "photoprism" {
|
||||
source = "./service"
|
||||
|
||||
name = "photoprism"
|
||||
@ -42,6 +42,14 @@ module "photoprism_module" {
|
||||
enabled = true
|
||||
}
|
||||
|
||||
oidc_client_config = {
|
||||
description = "Photoprism"
|
||||
redirect_uris = [
|
||||
"https://photoprism.thefij.rocks/api/v1/oidc/redirect",
|
||||
]
|
||||
scopes = ["openid", "email", "profile"]
|
||||
}
|
||||
|
||||
env = {
|
||||
PHOTOPRISM_DEBUG = true
|
||||
# UI
|
||||
@ -80,8 +88,6 @@ module "photoprism_module" {
|
||||
PHOTOPRISM_DATABASE_USER={{ .db_user }}
|
||||
PHOTOPRISM_DATABASE_PASSWORD={{ .db_pass }}
|
||||
PHOTOPRISM_DATABASE_SERVER=127.0.0.1:3306
|
||||
PHOTOPRISM_OIDC_CLIENT=photoprism
|
||||
PHOTOPRISM_OIDC_SECRET={{ .oidc_secret }}
|
||||
{{- end }}
|
||||
{{ if eq (env "meta.hw_transcode.type") "raspberry" -}}
|
||||
PHOTOPRISM_FFMPEG_ENCODER=raspberry
|
||||
@ -90,6 +96,10 @@ module "photoprism_module" {
|
||||
PHOTOPRISM_FFMPEG_ENCODER=intel
|
||||
PHOTOPRISM_INIT="intel tensorflow"
|
||||
{{- end }}
|
||||
{{ with nomadVar "secrets/authelia/photoprism" -}}
|
||||
PHOTOPRISM_OIDC_CLIENT={{ .client_id }}
|
||||
PHOTOPRISM_OIDC_SECRET={{ .secret }}
|
||||
{{- end }}
|
||||
EOF
|
||||
dest_prefix = "$${NOMAD_SECRETS_DIR}/"
|
||||
dest = "env"
|
||||
|
@ -225,3 +225,23 @@ EOH
|
||||
task = var.name
|
||||
}
|
||||
}
|
||||
|
||||
module "oidc_client" {
|
||||
count = var.oidc_client_config != null ? 1 : 0
|
||||
|
||||
source = "../../core/oidc_client"
|
||||
name = var.name
|
||||
|
||||
oidc_client_config = {
|
||||
description = var.oidc_client_config.description
|
||||
authorization_policy = var.oidc_client_config.authorization_policy
|
||||
redirect_uris = var.oidc_client_config.redirect_uris
|
||||
scopes = var.oidc_client_config.scopes
|
||||
}
|
||||
|
||||
job_acl = {
|
||||
job_id = resource.nomad_job.service.id
|
||||
group = var.name
|
||||
task = var.name
|
||||
}
|
||||
}
|
||||
|
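Review bot: `module "oidc_client"` in the service wrapper has no comment explaining that `count` gates the whole client registration on `var.oidc_client_config` being set, or that callers must reference it as `module.oidc_client[0]` because of that `count`; add `# Register this service as an Authelia OIDC client when oidc_client_config is set (count gating); job_acl presumably scopes the generated client credentials to this job's task - confirm against core/oidc_client` above it. The `authorization_policy` passed through here inherits the `one_factor` default from the variable block rather than the `two_factor` the Nomad client sets explicitly, so the comment should also say which policy applies by default. The preceding `EOH` closes a heredoc that starts outside the hunk.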
@ -204,6 +204,9 @@ EOF
|
||||
%{~ if template.right_delimiter != null }
|
||||
right_delimiter = "${template.right_delimiter}"
|
||||
%{~ endif ~}
|
||||
%{~ if template.perms != null }
|
||||
perms = "${template.perms}"
|
||||
%{~ endif ~}
|
||||
%{~ if template.change_mode != null }
|
||||
change_mode = "${template.change_mode}"
|
||||
%{~ endif ~}
|
||||
|
@ -176,6 +176,7 @@ variable "templates" {
|
||||
right_delimiter = optional(string)
|
||||
mount = optional(bool, true)
|
||||
env = optional(bool, false)
|
||||
perms = optional(string)
|
||||
change_mode = optional(string)
|
||||
change_signal = optional(string)
|
||||
change_script = optional(object({
|
||||
@ -296,3 +297,15 @@ variable "service_check" {
|
||||
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "oidc_client_config" {
|
||||
description = "Authelia oidc client configuration to enable oidc authentication"
|
||||
type = object({
|
||||
description = string
|
||||
authorization_policy = optional(string, "one_factor")
|
||||
redirect_uris = list(string)
|
||||
scopes = list(string)
|
||||
})
|
||||
|
||||
default = null
|
||||
}
|
||||
|
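Review bot: The `description` on `variable "oidc_client_config"` does not say that `authorization_policy` defaults to `"one_factor"`, so a service that omits it gets single-factor login without anyone having chosen that; `description = "Authelia OIDC client configuration enabling OIDC login for this service. authorization_policy defaults to one_factor; set two_factor to require 2FA. redirect_uris must match the application's callback URLs exactly."` states both. The new `perms = optional(string)` on `templates` accepts any string, and a `validation` block with `condition = alltrue([for t in var.templates : t.perms == null || can(regex("^[0-7]{3,4}$", t.perms))])` would catch a bad mode before Nomad does. `variable "templates"` begins outside the hunk.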