From e017135180114108ed01116a5f6c1fafdcb39e43 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Fri, 23 Dec 2022 08:22:28 +0100 Subject: [PATCH] Add basic OIDC for grafana --- hosts/auth/default.nix | 24 +++++++++++++++++++++++- hosts/auth/secrets.yaml | 6 ++++-- hosts/grafana/default.nix | 27 ++++++++++++++++++--------- hosts/grafana/secrets.yaml | 5 +++-- packages.nix | 2 +- 5 files changed, 49 insertions(+), 15 deletions(-) diff --git a/hosts/auth/default.nix b/hosts/auth/default.nix index 9f9d09e1..02de7b57 100644 --- a/hosts/auth/default.nix +++ b/hosts/auth/default.nix @@ -13,6 +13,8 @@ }; services = { + dex.settings.oauth2.skipApprovalScreen = true; + nginx = { enable = true; virtualHosts."auth.c3d2.de" = { @@ -29,7 +31,11 @@ portunus = { enable = true; dex = { - # enable = true; + enable = true; + oidcClients = [ { + callbackURL = "https://grafana.hq.c3d2.de/login/generic_oauth"; + id = "grafana"; + } ]; }; domain = "auth.c3d2.de"; ldap = { @@ -43,6 +49,22 @@ sops = { defaultSopsFile = ./secrets.yaml; + secrets."dex/environment" = libz.sops.permissionForUser "dex"; secrets."portunus/seed" = libz.sops.permissionForUser "portunus"; }; + + systemd.services.dex.serviceConfig = { + DynamicUser = lib.mkForce false; + EnvironmentFile = config.sops.secrets."dex/environment".path; + StateDirectory = "dex"; + User = "dex"; + }; + + users = { + groups.dex = { }; + users.dex = { + group = "dex"; + isSystemUser = true; + }; + }; } diff --git a/hosts/auth/secrets.yaml b/hosts/auth/secrets.yaml index 8ca31992..8e4da9c1 100644 --- a/hosts/auth/secrets.yaml +++ b/hosts/auth/secrets.yaml 
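Review bot: `dex.settings.oauth2.skipApprovalScreen = true` in the first hunk is a global dex setting, so every OIDC client registered with this dex instance, not only grafana, will obtain the user's identity without a consent prompt. With a single first-party client that is reasonable, but the intent is not recorded anywhere in the hunk. A one-line comment above the setting, e.g. `# all registered clients are operated by us, so no per-client consent screen`, would keep this from surviving silently once further clients are added.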
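Review bot: The `oidcClients` entry for `grafana` in the second hunk carries only `id` and `callbackURL`, while the grafana host in the same commit reads a `client_secret`; nothing in this file says where dex obtains the matching secret, presumably the newly added `dex/environment` secret loaded as `EnvironmentFile` further down. A comment at the entry such as `# client secret comes from sops secret "dex/environment"; must match grafana/client-secret on the grafana host` would make the cross-host coupling explicit. Dex matches redirect URIs exactly, so a scheme or path change on the grafana side would break login without any error here; that is worth a note too.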
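Review bot: `DynamicUser = lib.mkForce false` in the third hunk also drops the sandboxing that systemd implies for dynamic users (`ProtectSystem=strict`, `PrivateTmp`, `RemoveIPC`, `NoNewPrivileges` among others), so dex now runs as a static user with a wider filesystem view than the upstream unit. If the motivation is that the sops-managed `dex/environment` file needs a stable owner, say so in a comment, and consider re-adding the lost restrictions explicitly next to `StateDirectory`, e.g. `ProtectSystem = "strict"; PrivateTmp = true; NoNewPrivileges = true;`. The static `dex` user and group declared in the same hunk work unchanged with those directives.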
@@ -1,3 +1,5 @@ +dex: + environment: ENC[AES256_GCM,data:X213Nj0ftMSdEG7Z18hceghX3w9wBV2q4Z/q7enbZm/rbZKM2L2SBZnCtf7NGoFuZbePe95HR+puKCzmHKHt891So6Uq11OA5DvMvl3IdNKkXpHwS8HicIZWTGwtle0CaESzJqI7LJl1ajzXFX/fo3RClGz8V9D5cFza54N/29xKrxyRd+vu9zlXN6ZX/w==,iv:wHLq9shvvrzImMRoYInlWQVACNGqazDEHqkcp25zHHw=,tag:xhaX0oK0qxuQigWXrwRfwQ==,type:str] portunus: seed: ENC[AES256_GCM,data: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,iv:xIAxj2D3HurNzQg/JjKCQ4KEwjKJ/PuDGM2RLRFuMX4=,tag:i5s0OMkvIgY4rgLQygVsaQ==,type:str] sops: @@ -24,8 +26,8 @@ sops: OHlKSmZ0WGpJNTNlbGJZdWsvV2JVSjQKChNZeeT4l/ZiBMC0SZXY8wsNnZBtM9vw WfVljqnQTMODkoLjfxcvET2xZjSHSI0wjULjMAgg67lRUEG2bxMp3g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-08-01T23:50:16Z" - mac: ENC[AES256_GCM,data:P7fUSy+q+jXqKq3uYLVZmOIh4WT19bd59zPel6ltuq9SpUTkrybr+AFqRdQs+DhADKF45X98lNUCvsyAXaXyP2ADQCcCeuWx/AQNjUaGiZ39LnHXAfn9r3o2xml8sXD7yri6BHDnCoaCNA/caAsaOz+yKB3vJw3PU5hWmm4os7s=,iv:nFSPrHTl/lJQkFJktkgkAbQVdQ6sqxFWbwl+dPwSfag=,tag:vk44cvyxy89dh+nonnKe7A==,type:str] + lastmodified: "2022-12-23T05:29:41Z" + mac: ENC[AES256_GCM,data:PgiZ9mg5ffLrkLO4RhxRScDiL0SQoF60cTMzxITOx1UtIjXWqmB/OM7rnOwlwVtyHY0OLe5XTVQ+yjVRD2Zv6ri0EJKU/0NZperunFdp/91iIswmzWJjwxD9luRw2h5Fjnq64xgWDJtpIMDIJy5PtxiTh1hO3p38m572BWiQPFI=,iv:8IXRzC61ZXZBnxoiULTWO6dnAPUAEqOuuLnBWHCrQ5k=,tag:N7zTvbL8qTJOi8YC6DKNGA==,type:str] pgp: - created_at: "2022-07-31T16:18:25Z" enc: | diff --git a/hosts/grafana/default.nix b/hosts/grafana/default.nix index ea10b44b..7e131d98 100644 --- a/hosts/grafana/default.nix +++ b/hosts/grafana/default.nix 
@@ -41,9 +41,18 @@ }; settings = { - "auth.anonymous" = { - enabled = false; - org_name = "Chaos"; + analytics.reporting_enabled = false; + "auth.generic_oauth" = { + enabled = true; + allow_sign_up = true; + api_url = "https://auth.c3d2.de/dex/userinfo"; + auth_url = "https://auth.c3d2.de/dex/auth"; + client_id = "grafana"; + client_secret = "$__file{${config.sops.secrets."grafana/client-secret".path}}"; + icon = "signin"; + name = "auth.c3d2.de"; + scopes = "openid profile email"; + token_url = "https://auth.c3d2.de/dex/token"; }; security = { admin_password = "$__file{${config.sops.secrets."grafana/admin-password".path}}"; @@ -89,15 +98,15 @@ sops = { defaultSopsFile = ./secrets.yaml; - secrets = { - "grafana/admin-password" = { - group = config.systemd.services.grafana.serviceConfig.User; - owner = config.systemd.services.grafana.serviceConfig.User; - }; - "grafana/secret-key" = { + secrets = let + grafanaUser = { group = config.systemd.services.grafana.serviceConfig.User; owner = config.systemd.services.grafana.serviceConfig.User; }; + in { + "grafana/admin-password" = grafanaUser; + "grafana/client-secret" = grafanaUser; + "grafana/secret-key" = grafanaUser; }; }; diff --git a/hosts/grafana/secrets.yaml b/hosts/grafana/secrets.yaml index 99a48bc5..03d9a6fa 100644 --- a/hosts/grafana/secrets.yaml +++ b/hosts/grafana/secrets.yaml @@ -1,5 +1,6 @@ grafana: admin-password: ENC[AES256_GCM,data:eohgvOafD8g=,iv:7gYI4ITOOg+/ahP9OKJHd09dRC5ZbM8t4909IrAfHbY=,tag:6NJRgaWyKSvohfYZY1gHhg==,type:str] + client-secret: ENC[AES256_GCM,data:1Ijj2s3tT0U/bkVUlu0hUKDvrOrEvR/cywPwSpsUCacBH+7jUyLdq2xg6yAKjX/IOgtH0ZMHHN9aIRbq7JugBQ==,iv:tTA8zPUEzuptn6SxMQ2RJSG+OmRw9T+gAzVBp344pkc=,tag:PqN/uW8yoMrX0SaKODAFhg==,type:str] secret-key: ENC[AES256_GCM,data:0FYJ2sEN6/tEf7v6eNvFtT2AX8xxqrU5rbolJTPLxG3WZ3ZV8GjC0zRmuy/zw7MOOB4UKKcHI+kR6WzBYRartw==,iv:ehA4KC3rE6QaiX0fbNTNiydk4Ly2zyASr3utGcWqkHE=,tag:muafXs36mdiT2rLDt9eldw==,type:str] sops: kms: [] 
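Review bot: `allow_sign_up = true` in the first hunk, with no `allowed_groups`, `allowed_organizations` or `role_attribute_path` set, means every account that can authenticate at auth.c3d2.de gets a Grafana account on first login with whatever default org role Grafana auto-assigns. The requested `scopes = "openid profile email"` contains no `groups` scope, so there is no group claim available to narrow this later without touching both sides. If access should be gated, add a `groups` scope plus an `allowed_groups` or `role_attribute_path` setting; if open sign-up for all directory users is intended, a short comment above `allow_sign_up` stating that would help the next reader. Dropping the explicit `"auth.anonymous".enabled = false` matches Grafana's default, so that part needs no change.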
@@ -25,8 +26,8 @@ sops: eVN5KzdSQktNNjRyekZUK1U5SnVwbzAKbEYEDJz+gBILvt8KWLzkZ3gQwdQCBAH6 KSYuY9d0BrznamgUjNt9zCxWBuzIqZbL5PbTrK30EdVG66d5U+bkTg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-10-27T19:29:47Z" - mac: ENC[AES256_GCM,data:IuIBWaRQGtn+QSYRgRE2r3hYPSut9mO8rTb7Fz2pRcOjaitUD9jd1LpvGzRSsOHEfOArxJlv99njqVq9NA26cJUB7aWDxhL4DG4XXHf0vabUk8wSE1gdFwxDZRH5bvK11riuZnkoBSTGiFqlw9TvIZnASsHAmAgyI+WIGnNERfI=,iv:vUj8k1iyVAkYHVcQXOLXrE5QdFNpIxrDA6dNBisPpZE=,tag:DW671BahNqve1cKA6Yn0IQ==,type:str] + lastmodified: "2022-12-19T22:58:27Z" + mac: ENC[AES256_GCM,data:4RKDTIYpf4urFwnKJC4iYF+xsu7sbZiX7VtDhR+Jl9HeHEjsOWYonA0DSInKhvn0z3zl4VnKJL8DEGh6cmkAv3atHVffoURTIPzKiAjy2uVsIAM1TrmF+JCnM7MpxIJrcrOsNDDA0ZIRFtiGeQTjRmj8uWrUZQXR8jiXIgT9PUU=,iv:5QimYM48Q/oeOU653UYnVlymm3TOElKLdy5zaTTpCxQ=,tag:KVm9r1VDZBiZFkg9ohwj6A==,type:str] pgp: - created_at: "2022-10-27T18:39:31Z" enc: | diff --git a/packages.nix b/packages.nix index a5851d56..ebd2d1a6 100644 --- a/packages.nix +++ b/packages.nix @@ -182,7 +182,7 @@ lib.attrsets.mapAttrs "microvm-update-${name}-local" = pkgs.writeScriptBin "microvm-update-${name}" '' #!${pkgs.runtimeShell} -e - ${lib.optionalString (! builtins.elem (hostConfig.c3d2.deployment.server or null) [ "server9" "server10" ]) '' + ${lib.optionalString (!builtins.elem (hostConfig.c3d2.deployment.server or null) [ "server9" "server10" ]) '' echo "MicroVM must be configured to proper server" >&2 exit 1 ''}