feat: grafanna sso

2024-05-10 15:50:45 +02:00 · 2024-05-10 15:50:45 +02:00 · 275435664c
commit 275435664c
parent f9ff70a9d9
4 changed files with 48 additions and 2 deletions
--- a/nomad-job/authelia.nomad.hcl
+++ b/nomad-job/authelia.nomad.hcl
@ -152,6 +152,22 @@ identity_providers:
          - 'profile'
          - 'email'
        userinfo_signed_response_alg: 'none'
+      - client_id: 'grafana'
+        client_name: 'Grafana'
+        client_secret:{{ with secret "secrets/data/authelia/grafana"}} {{ .Data.data.hash }} {{end}}
+        public: false
+        authorization_policy: 'one_factor'
+        require_pkce: true
+        pkce_challenge_method: 'S256'
+        redirect_uris:
+          - 'https://grafana.ducamps.eu/login/generic_oauth'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'groups'
+          - 'email'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_basic'

 log:
  level: 'trace'
--- a/nomad-job/grafana.nomad
+++ b/nomad-job/grafana.nomad
@ -10,6 +10,10 @@ job "grafana" {
  meta {
    forcedeploiement = 2
  }
+
+  vault {
+    policies = ["grafana"]
+  }
  group "grafana" {
    network {
      port "http" {
@ -43,10 +47,34 @@ job "grafana" {
        image = "docker.service.consul:5000/grafana/grafana"
        ports = ["http"]
        volumes = [
-          "/mnt/diskstation/nomad/grafana/config:/etc/grafana",
+          "local/grafana.ini:/etc/grafana/grafana.ini",
          "/mnt/diskstation/nomad/grafana/lib:/var/lib/grafana"
        ]
      }
+      template {
+        data = <<EOH
+force_migration=true 
+[server]
+root_url = https://grafana.ducamps.eu
+[auth.generic_oauth]
+enabled = true
+name = Authelia
+icon = signin
+client_id = grafana
+client_secret = {{ with secret "secrets/data/authelia/grafana"}} {{ .Data.data.password }} {{end}}
+scopes = openid profile email groups
+empty_scopes = false
+auth_url = https://auth.ducamps.eu/api/oidc/authorization
+token_url = https://auth.ducamps.eu/api/oidc/token
+api_url = https://auth.ducamps.eu/api/oidc/userinfo
+login_attribute_path = preferred_username
+groups_attribute_path = groups
+name_attribute_path = name
+use_pkce = true
+role_attribute_path=contains(groups[*], 'GrafanaAdmins') && 'Admin' || contains(groups[*], 'GrafanaUsers') && 'Viewer'
+EOH
+        destination = "local/grafana.ini"
+      }
      resources {
        memory = 250
      }
--- a/script/generate-vault-secret
+++ b/script/generate-vault-secret
@ -71,7 +71,8 @@ def main() -> None:
    listAutheliaSecret=[
        "authelia/ttrss",
        "authelia/immich",
-        "authelia/mealie"
+        "authelia/mealie",
+        "authelia/grafana"
    ]

    token=os.getenv('VAULT_TOKEN',"")
--- a/terraform/vault/nomad.tf
+++ b/terraform/vault/nomad.tf
@ -8,6 +8,7 @@ locals {
    "droneci",
    "traefik",
    "gitea",
+    "grafana",
    "nextcloud",
    "paperless",
    "pihole",