
chore: disable auto login on oauth2-proxy and grafana (better for sign-out)

This commit is contained in:
oddlama 2023-06-23 23:27:34 +02:00
parent ccd62a730a
commit df2e046295
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
4 changed files with 15 additions and 22 deletions


@ -159,9 +159,11 @@ kanidm system oauth2 show-basic-secret grafana
# Generate new oauth2 app for proxied webapps # Generate new oauth2 app for proxied webapps
kanidm group create web-sentinel-access kanidm group create web-sentinel-access
kanidm group create web-sentinel-adguardhome-access kanidm group create web-sentinel-adguardhome-access
kanidm group create web-sentinel-influxdb-access
kanidm system oauth2 create web-sentinel "Web services" https://oauth2.${personalDomain} kanidm system oauth2 create web-sentinel "Web services" https://oauth2.${personalDomain}
kanidm system oauth2 update-scope-map web-sentinel web-sentinel-access openid email kanidm system oauth2 update-scope-map web-sentinel web-sentinel-access openid email
kanidm system oauth2 update-sup-scope-map web-sentinel web-sentinel-adguardhome-access access_adguardhome kanidm system oauth2 update-sup-scope-map web-sentinel web-sentinel-adguardhome-access access_adguardhome
kanidm system oauth2 update-sup-scope-map web-sentinel web-sentinel-influxdb-access access_influxdb
kanidm system oauth2 show-basic-secret web-sentinel kanidm system oauth2 show-basic-secret web-sentinel
# Add new user # Add new user
kanidm login --name idm_admin kanidm login --name idm_admin
@ -170,8 +172,10 @@ kanidm person update myuser --legalname "Full Name" --mail "myuser@example.com"
kanidm group add-members grafana-access myuser kanidm group add-members grafana-access myuser
kanidm group add-members grafana-server-admins myuser kanidm group add-members grafana-server-admins myuser
kanidm group add-members web-sentinel-access myuser kanidm group add-members web-sentinel-access myuser
kanidm group add-members web-sentinel-adguardhome-access myuser
kanidm group add-members web-sentinel-influxdb-access myuser
# TODO influxdb temporary pw d0lRidLSqZ03W5BBjQ7Id3oM2zVE5jLrRUKcMXeYDk5WGabb
``` ```
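Review bot: The line `# TODO influxdb temporary pw …` that this hunk appears to add records a plaintext credential in a tracked file; once pushed it stays in the repository history even after the line is deleted, so the value should be treated as exposed and replaced, and the line removed in favour of the age-encrypted secrets the other files on this page already use (`config.age.secrets.*`). Since the fenced block is documentation, a line such as `# influxdb password: provisioned from the influxdb-basic-auth age secret, not recorded here` would keep the intent without the value. Whether each single-printed line in this hunk is an addition cannot be fully confirmed from the counts shown, so "added" is inferred.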


@ -31,7 +31,8 @@
extraConfig = { extraConfig = {
oidc-issuer-url = "https://${config.proxiedDomains.kanidm}/oauth2/openid/${clientId}"; oidc-issuer-url = "https://${config.proxiedDomains.kanidm}/oauth2/openid/${clientId}";
skip-provider-button = true; provider-display-name = "Kanidm";
#skip-provider-button = true;
}; };
}; };
} }
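Review bot: The option is disabled by leaving `#skip-provider-button = true;` as a commented-out line beside the new `provider-display-name = "Kanidm";`, which keeps dead configuration without recording why it was turned off; the grafana file on this page does the same with `#auto_login = true;`. Prefer deleting the line, or replacing it with the reason the commit message gives, e.g. `# Show the provider page instead of redirecting straight to Kanidm, so a sign-out lands on a page rather than re-authenticating.`. The enclosing `extraConfig` set and the module around it start outside the hunk.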


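--- a/<PATH NOT SHOWN ON PAGE: grafana nix module>
+++ b/<PATH NOT SHOWN ON PAGE: grafana nix module>
@@ -64,8 +64,6 @@ in {
 virtualHosts.${grafanaDomain} = {
 forceSSL = true;
 useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert grafanaDomain;
-oauth2.enable = true;
-oauth2.allowedGroups = ["access_grafana"];
 locations."/" = {
 proxyPass = "http://grafana";
 proxyWebsockets = true;
@@ -103,7 +101,7 @@ in {
 name = "Kanidm";
 icon = "signin";
 allow_sign_up = true;
-auto_login = true;
+#auto_login = true;
 client_id = "grafana";
 #client_secret = "$__file{${config.age.secrets.grafana-oauth-client-secret.path}}";
 client_secret = "aZKNCM6KpjBy4RqwKJXMLXzyx9rKH6MZTFk4wYrKWuBqLj6t"; # TODO temporary test not a real secret
@@ -122,12 +120,6 @@ in {
 provision = {
 enable = true;
 datasources.settings.datasources = [
-#{
-# name = "Prometheus";
-# type = "prometheus";
-# url = "http://127.0.0.1:9090";
-# orgId = 1;
-#}
 {
 name = "InfluxDB";
 type = "influxdb";
@@ -137,6 +129,8 @@ in {
 basicAuth = true;
 basicAuthUser = "${nodeName}+grafana-influxdb-basic-auth-password";
 secureJsonData.basicAuthPassword = "$__file{${config.age.secrets.grafana-influxdb-basic-auth-password.path}}";
+#secureJsonData.token = "$__file{${config.age.secrets.grafana-influxdb-token.path}}";
+jsonData.version = "Flux";
 }
 {
 name = "Loki";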
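Review bot: Removing `oauth2.enable = true;` and `oauth2.allowedGroups = ["access_grafana"];` from the nginx virtualHost in the first hunk drops the group check the proxy enforced before a request reached Grafana, and nothing in this section takes that check over; with `allow_sign_up = true;` kept, any account that completes the Kanidm OIDC flow for the `grafana` client is created as a Grafana user, unless the Kanidm scope map for that client (not in this diff) already limits who can log in. If that limit is relied on, a comment on the `client_id = "grafana";` line such as `# access is restricted by the kanidm scope map for grafana-access; nginx no longer gates this vhost` would make the dependency visible; otherwise Grafana's `allowed_groups` setting under `[auth.generic_oauth]` is where the check belongs, provided the group claim is present in the token. The hard-coded `client_secret` on the context line is pre-existing and labelled as a test value; the `$__file{…}` form commented out next to it is the one to restore. The enclosing module (`in {`) starts before and ends after these hunks.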


@ -9,6 +9,8 @@
influxdbDomain = "influxdb.${sentinelCfg.repo.secrets.local.personalDomain}"; influxdbDomain = "influxdb.${sentinelCfg.repo.secrets.local.personalDomain}";
influxdbPort = 8086; influxdbPort = 8086;
in { in {
microvm.mem = 1024;
imports = [ imports = [
../../../../modules/proxy-via-sentinel.nix ../../../../modules/proxy-via-sentinel.nix
]; ];
@ -45,23 +47,15 @@ in {
virtualHosts.${influxdbDomain} = { virtualHosts.${influxdbDomain} = {
forceSSL = true; forceSSL = true;
useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert influxdbDomain; useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert influxdbDomain;
oauth2.enable = true;
oauth2.allowedGroups = ["access_influxdb"];
locations."/" = { locations."/" = {
proxyPass = "http://influxdb"; proxyPass = "http://influxdb";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = '' extraConfig = ''
satisfy any;
auth_basic "Authentication required"; auth_basic "Authentication required";
auth_basic_user_file ${sentinelCfg.age.secrets.influxdb-basic-auth-hashes.path}; auth_basic_user_file ${sentinelCfg.age.secrets.influxdb-basic-auth-hashes.path};
proxy_read_timeout 1800s;
proxy_connect_timeout 1600s;
access_log off;
'';
};
locations."= /ready" = {
proxyPass = "http://influxdb";
extraConfig = ''
auth_basic off;
access_log off; access_log off;
''; '';
}; };