chore: disable auto login on oauth2-proxy and grafana (better for sign-out)

README.md

@@ -159,9 +159,11 @@ kanidm system oauth2 show-basic-secret grafana
 # Generate new oauth2 app for proxied webapps
 kanidm group create web-sentinel-access
 kanidm group create web-sentinel-adguardhome-access
+kanidm group create web-sentinel-influxdb-access
 kanidm system oauth2 create web-sentinel "Web services" https://oauth2.${personalDomain}
 kanidm system oauth2 update-scope-map web-sentinel web-sentinel-access openid email
 kanidm system oauth2 update-sup-scope-map web-sentinel web-sentinel-adguardhome-access access_adguardhome
+kanidm system oauth2 update-sup-scope-map web-sentinel web-sentinel-influxdb-access access_influxdb
 kanidm system oauth2 show-basic-secret web-sentinel
 # Add new user
 kanidm login --name idm_admin
@@ -170,8 +172,10 @@ kanidm person update myuser --legalname "Full Name" --mail "myuser@example.com"
 kanidm group add-members grafana-access myuser
 kanidm group add-members grafana-server-admins myuser
 kanidm group add-members web-sentinel-access myuser
+kanidm group add-members web-sentinel-adguardhome-access myuser
+kanidm group add-members web-sentinel-influxdb-access myuser
 
-
+# TODO influxdb temporary pw d0lRidLSqZ03W5BBjQ7Id3oM2zVE5jLrRUKcMXeYDk5WGabb
 ```
 
 

hosts/sentinel/oauth2.nix

@@ -31,7 +31,8 @@
 
     extraConfig = {
       oidc-issuer-url = "https://${config.proxiedDomains.kanidm}/oauth2/openid/${clientId}";
-      skip-provider-button = true;
+      provider-display-name = "Kanidm";
+      #skip-provider-button = true;
     };
   };
 }

hosts/ward/microvms/grafana/default.nix

@@ -64,8 +64,6 @@ in {
       virtualHosts.${grafanaDomain} = {
         forceSSL = true;
         useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert grafanaDomain;
-        oauth2.enable = true;
-        oauth2.allowedGroups = ["access_grafana"];
         locations."/" = {
           proxyPass = "http://grafana";
           proxyWebsockets = true;
@@ -103,7 +101,7 @@ in {
         name = "Kanidm";
         icon = "signin";
         allow_sign_up = true;
-        auto_login = true;
+        #auto_login = true;
         client_id = "grafana";
         #client_secret = "$__file{${config.age.secrets.grafana-oauth-client-secret.path}}";
         client_secret = "aZKNCM6KpjBy4RqwKJXMLXzyx9rKH6MZTFk4wYrKWuBqLj6t"; # TODO temporary test not a real secret
@@ -122,12 +120,6 @@ in {
     provision = {
       enable = true;
       datasources.settings.datasources = [
-        #{
-        #  name = "Prometheus";
-        #  type = "prometheus";
-        #  url = "http://127.0.0.1:9090";
-        #  orgId = 1;
-        #}
         {
           name = "InfluxDB";
           type = "influxdb";
@@ -137,6 +129,8 @@ in {
           basicAuth = true;
           basicAuthUser = "${nodeName}+grafana-influxdb-basic-auth-password";
           secureJsonData.basicAuthPassword = "$__file{${config.age.secrets.grafana-influxdb-basic-auth-password.path}}";
+          #secureJsonData.token = "$__file{${config.age.secrets.grafana-influxdb-token.path}}";
+          jsonData.version = "Flux";
         }
         {
           name = "Loki";

hosts/ward/microvms/influxdb/default.nix

@@ -9,6 +9,8 @@
   influxdbDomain = "influxdb.${sentinelCfg.repo.secrets.local.personalDomain}";
   influxdbPort = 8086;
 in {
+  microvm.mem = 1024;
+
   imports = [
     ../../../../modules/proxy-via-sentinel.nix
   ];
@@ -45,23 +47,15 @@ in {
       virtualHosts.${influxdbDomain} = {
         forceSSL = true;
         useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert influxdbDomain;
+        oauth2.enable = true;
+        oauth2.allowedGroups = ["access_influxdb"];
         locations."/" = {
           proxyPass = "http://influxdb";
           proxyWebsockets = true;
           extraConfig = ''
+            satisfy any;
             auth_basic "Authentication required";
             auth_basic_user_file ${sentinelCfg.age.secrets.influxdb-basic-auth-hashes.path};
-
-            proxy_read_timeout 1800s;
-            proxy_connect_timeout 1600s;
-
-            access_log off;
-          '';
-        };
-        locations."= /ready" = {
-          proxyPass = "http://influxdb";
-          extraConfig = ''
-            auth_basic off;
             access_log off;
           '';
         };