diff --git a/README.md b/README.md
index 6686b2b..6d6fe57 100644
--- a/README.md
+++ b/README.md
@@ -159,9 +159,11 @@ kanidm system oauth2 show-basic-secret grafana
 # Generate new oauth2 app for proxied webapps
 kanidm group create web-sentinel-access
 kanidm group create web-sentinel-adguardhome-access
+kanidm group create web-sentinel-influxdb-access
 kanidm system oauth2 create web-sentinel "Web services" https://oauth2.${personalDomain}
 kanidm system oauth2 update-scope-map web-sentinel web-sentinel-access openid email
 kanidm system oauth2 update-sup-scope-map web-sentinel web-sentinel-adguardhome-access access_adguardhome
+kanidm system oauth2 update-sup-scope-map web-sentinel web-sentinel-influxdb-access access_influxdb
 kanidm system oauth2 show-basic-secret web-sentinel
 # Add new user
 kanidm login --name idm_admin
@@ -170,8 +172,10 @@ kanidm person update myuser --legalname "Full Name" --mail "myuser@example.com"
 kanidm group add-members grafana-access myuser
 kanidm group add-members grafana-server-admins myuser
 kanidm group add-members web-sentinel-access myuser
+kanidm group add-members web-sentinel-adguardhome-access myuser
+kanidm group add-members web-sentinel-influxdb-access myuser
-
+# TODO influxdb temporary pw d0lRidLSqZ03W5BBjQ7Id3oM2zVE5jLrRUKcMXeYDk5WGabb
 ```
diff --git a/hosts/sentinel/oauth2.nix b/hosts/sentinel/oauth2.nix
index 1df1d8e..7587833 100644
--- a/hosts/sentinel/oauth2.nix
+++ b/hosts/sentinel/oauth2.nix
@@ -31,7 +31,8 @@
 extraConfig = {
 oidc-issuer-url = "https://${config.proxiedDomains.kanidm}/oauth2/openid/${clientId}";
- skip-provider-button = true;
+ provider-display-name = "Kanidm";
+ #skip-provider-button = true;
 };
 };
 }
diff --git a/hosts/ward/microvms/grafana/default.nix b/hosts/ward/microvms/grafana/default.nix
index 0dfa03a..1be7164 100644
--- a/hosts/ward/microvms/grafana/default.nix
+++ b/hosts/ward/microvms/grafana/default.nix
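Review bot: The added line `+# TODO influxdb temporary pw d0lRidLSqZ03W5BBjQ7Id3oM2zVE5jLrRUKcMXeYDk5WGabb` commits a credential to the README, and once pushed it stays in the repository history even after the line is deleted, so the value has to be treated as disclosed and rotated rather than just removed later. The other files in this diff already read secrets through `age.secrets.*` paths, so the README should only say where the credential lives, e.g. `# InfluxDB password: provisioned from the age secret <SECRET_NAME_PLACEHOLDER>`, not the value itself. The TODO also does not say which InfluxDB credential this is (admin user, basic-auth entry, or token), which the replacement comment should state. The `-` line just above removes the blank line that separated the command list from the closing fence; keeping a blank line before the ``` keeps the block readable.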
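Review bot: `+ #skip-provider-button = true;` leaves a disabled option next to the new `provider-display-name = "Kanidm";`, and nothing in the hunk says whether it is meant to return; either drop the line or keep it with the reason, e.g. `# provider button shown on purpose so the oauth2-proxy sign-in page names the IdP`. If this is a temporary toggle, a `TODO` with the reason reads better than silently commented-out config. The module definition this `extraConfig` belongs to begins before the hunk.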
@@ -64,8 +64,6 @@ in {
 virtualHosts.${grafanaDomain} = {
 forceSSL = true;
 useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert grafanaDomain;
- oauth2.enable = true;
- oauth2.allowedGroups = ["access_grafana"];
 locations."/" = {
 proxyPass = "http://grafana";
 proxyWebsockets = true;
@@ -103,7 +101,7 @@ in {
 name = "Kanidm";
 icon = "signin";
 allow_sign_up = true;
- auto_login = true;
+ #auto_login = true;
 client_id = "grafana";
 #client_secret = "$__file{${config.age.secrets.grafana-oauth-client-secret.path}}";
 client_secret = "aZKNCM6KpjBy4RqwKJXMLXzyx9rKH6MZTFk4wYrKWuBqLj6t"; # TODO temporary test not a real secret
@@ -122,12 +120,6 @@ in {
 provision = {
 enable = true;
 datasources.settings.datasources = [
- #{
- # name = "Prometheus";
- # type = "prometheus";
- # url = "http://127.0.0.1:9090";
- # orgId = 1;
- #}
 {
 name = "InfluxDB";
 type = "influxdb";
@@ -137,6 +129,8 @@ in {
 basicAuth = true;
 basicAuthUser = "${nodeName}+grafana-influxdb-basic-auth-password";
 secureJsonData.basicAuthPassword = "$__file{${config.age.secrets.grafana-influxdb-basic-auth-password.path}}";
+ #secureJsonData.token = "$__file{${config.age.secrets.grafana-influxdb-token.path}}";
+ jsonData.version = "Flux";
 }
 {
 name = "Loki";
diff --git a/hosts/ward/microvms/influxdb/default.nix b/hosts/ward/microvms/influxdb/default.nix
index 612b635..56724a2 100644
--- a/hosts/ward/microvms/influxdb/default.nix
+++ b/hosts/ward/microvms/influxdb/default.nix
@@ -9,6 +9,8 @@
 influxdbDomain = "influxdb.${sentinelCfg.repo.secrets.local.personalDomain}";
 influxdbPort = 8086;
 in {
+ microvm.mem = 1024;
+
 imports = [
 ../../../../modules/proxy-via-sentinel.nix
 ];
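Review bot: Removing `oauth2.enable = true;` and `oauth2.allowedGroups = ["access_grafana"];` from the Grafana vhost (hunk @@ -64) takes the proxy-level group gate away, and hunk @@ -103 at the same time disables `auto_login` while `allow_sign_up = true;` stays, so Grafana's own OIDC login is now the only check in front of the service and, unless a role or group mapping not visible in this diff restricts it, any Kanidm account that can use the `grafana` client gets an account created on first login. If the gate is meant to move into Grafana, the mapping that replaces `access_grafana` belongs in the same commit, or the removal should carry a comment such as `# group gate now enforced by Grafana's OIDC role mapping, not oauth2-proxy`. The context line `client_secret = "aZKNCM6Kpj…"; # TODO temporary test not a real secret` is kept with the `$__file{${config.age.secrets.grafana-oauth-client-secret.path}}` form still commented out above it; a literal in the generated config ends up in the world-readable Nix store, so re-enabling the `$__file{…}` line fits naturally with this change. Both the `virtualHosts` and the OAuth settings attribute sets begin and end outside the hunks.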
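Review bot: `+ jsonData.version = "Flux";` (hunk @@ -137) switches the InfluxDB datasource to Flux while authentication stays `basicAuth = true;`, and the token that Flux-mode datasources typically use is added only as the commented line `+ #secureJsonData.token = "$__file{${config.age.secrets.grafana-influxdb-token.path}}";`. If Flux queries here need the token, provisioning will not work until that line is enabled and the `grafana-influxdb-token` age secret exists; if basic auth is known to work for Flux in this setup, a comment like `# Flux over basic auth; token intentionally not provisioned` would stop the next reader from re-enabling it blindly. The datasource entry this belongs to starts before the hunk.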
@@ -45,23 +47,15 @@ in {
 virtualHosts.${influxdbDomain} = {
 forceSSL = true;
 useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert influxdbDomain;
+ oauth2.enable = true;
+ oauth2.allowedGroups = ["access_influxdb"];
 locations."/" = {
 proxyPass = "http://influxdb";
 proxyWebsockets = true;
 extraConfig = ''
+ satisfy any;
 auth_basic "Authentication required";
 auth_basic_user_file ${sentinelCfg.age.secrets.influxdb-basic-auth-hashes.path};
-
- proxy_read_timeout 1800s;
- proxy_connect_timeout 1600s;
-
- access_log off;
- '';
- };
- locations."= /ready" = {
- proxyPass = "http://influxdb";
- extraConfig = ''
- auth_basic off;
 access_log off;
 '';
 };
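Review bot: `+ satisfy any;` combined with the new `oauth2.enable = true;` / `oauth2.allowedGroups = ["access_influxdb"];` lets a request through when either the basic-auth file or the oauth2 group check accepts it, which is presumably the intent (programmatic clients with basic auth, browsers via Kanidm), but nothing in the hunk records it and a later reader could "fix" it to `satisfy all` and lock out one of the two paths. A comment on the directive, e.g. `# satisfy any: basic auth for API clients, oauth2-proxy (access_influxdb) for browsers`, would capture the design; how nginx responds when both checks fail (401 with a basic-auth challenge versus the oauth2 redirect) depends on directive order and is worth checking once in a browser. Dropping the `= /ready` location that had `auth_basic off;` means unauthenticated health probes now fail, so anything that polls that endpoint needs credentials or the location restored. The removed `proxy_read_timeout 1800s;` also falls back to nginx's much shorter default, which can cut off long-running queries; confirm that is deliberate.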