From 6c05da2b58c714626654fef8261f20921bfe4eee Mon Sep 17 00:00:00 2001
From: Iurii Tatishchev
Date: Sat, 18 Nov 2023 22:19:13 -0800
Subject: [PATCH] authentik, monitoring: add grafana oauth blueprint and provisioning

---
 .../services/authentik/app_config.yml | 44 +++++++++------
 .../blueprints/services-oauth2.yaml.j2 | 56 +++++++++++++++++++
 .../services/monitoring/app_config.yml | 32 ++++++-----
 .../templates/grafana_config/grafana.ini.j2 | 41 +++++++++-----
 4 files changed, 128 insertions(+), 45 deletions(-)
 create mode 100644 roles/alpina/collections/services/authentik/templates/blueprints/services-oauth2.yaml.j2

diff --git a/roles/alpina/collections/services/authentik/app_config.yml b/roles/alpina/collections/services/authentik/app_config.yml
index 69febc8..d5dcaa4 100644
--- a/roles/alpina/collections/services/authentik/app_config.yml
+++ b/roles/alpina/collections/services/authentik/app_config.yml
@@ -1,19 +1,27 @@
 $ANSIBLE_VAULT;1.2;AES256;alpina
-33343634343761393265346336326263346166326365656461353361373738343262613534363664
-6238313838623436643730393465353361343730343938380a373235363835313561333934366361
-61626630616365633134393337376464303537623839623639626561383036663432336537396338
-6230366561373638350a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o newline at end of file
+34666662336362656236356334333333396363393966626563643264306538333865623964373561
+3038373931313365383531333762616439396136633230610a626435336166633261323266656366
+36323335633865663538326331393635313766333639643861383738633835316533666463666363
+6139323764386533390a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o newline at end of file
diff --git a/roles/alpina/collections/services/authentik/templates/blueprints/services-oauth2.yaml.j2 b/roles/alpina/collections/services/authentik/templates/blueprints/services-oauth2.yaml.j2
new file mode 100644
index 0000000..6f47347
--- /dev/null
+++ b/roles/alpina/collections/services/authentik/templates/blueprints/services-oauth2.yaml.j2
@@ -0,0 +1,56 @@
+version: 1
+metadata:
+ labels:
+ blueprints.goauthentik.io/instantiate: "true"
+ name: Alpina - OAuth2 Services
+entries:
+ {% set apps = {
+ "Grafana": {
+ "redirect_uris": "https://grafana."~ domain ~"/login/generic_oauth",
+ "icon": "https://grafana."~ domain ~"/public/img/grafana_icon.svg",
+ "client_secret": auth_grafana_client_secret,
+ },
+ } -%}
+ # TODO: Add Minio
+
+ {% for app in apps.keys() -%}
+ - identifiers:
+ name: {{ app }}
+ model: authentik_providers_oauth2.oauth2provider
+ id: {{ app | lower }}
+ attrs:
+ authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+ client_type: confidential
+ client_id: {{ app | lower }}
+ client_secret: {{ apps[app]["client_secret"] }}
+ property_mappings:
+ - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
+ - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
+ - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+ redirect_uris: {{ apps[app]["redirect_uris"] }}
+
+ - identifiers:
+ slug: {{ app | lower }}
+ model: authentik_core.application
+ attrs:
+ name: {{ app }}
+ group: "Services"
+ meta_description: "Hello, I'm {{ app }}!"
+ meta_publisher: Alpina
+ icon: "{{ apps[app]["icon"] }}"
+ open_in_new_tab: true
+ provider: !KeyOf {{ app | lower }}
+
+ - identifiers:
+ name: "{{ app }} Admins"
+ model: authentik_core.group
+ id: "{{ app }} Admins"
+
+ - identifiers:
+ group: !KeyOf "{{ app }} Admins"
+ target: !Find [authentik_core.application, [slug, {{ app | lower }}]]
+ model: authentik_policies.policybinding
+ attrs:
+ order: 0
+
+ {% endfor %}
diff --git a/roles/alpina/collections/services/monitoring/app_config.yml b/roles/alpina/collections/services/monitoring/app_config.yml
index 2ca2d5e..7e3414b 100644
--- a/roles/alpina/collections/services/monitoring/app_config.yml
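Review bot: The final `authentik_policies.policybinding` entry in the loop binds the `{{ app }} Admins` group directly to the application, so — if authentik evaluates it as the usual access policy on the application — only members of `Grafana Admins` can reach Grafana at all, which makes the `Viewer` fallback in the companion grafana.ini `role_attribute_path` unreachable and turns every permitted user into a GrafanaAdmin. If an admin-only instance is intended, a comment saying so above the binding would help; otherwise bind a broader group (or drop the binding) here and let Grafana do the admin/viewer split. `client_secret: {{ apps[app]["client_secret"] }}` is an unquoted YAML scalar, so a generated secret that starts with a YAML-significant character would break the blueprint — `client_secret: {{ apps[app]["client_secret"] | to_json }}` is safer. If this authentik release matches `redirect_uris` as regular expressions, the unescaped dots in `https://grafana.{{ domain }}/login/generic_oauth` also match more hosts than the one intended.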
+++ b/roles/alpina/collections/services/monitoring/app_config.yml
@@ -1,15 +1,19 @@
 $ANSIBLE_VAULT;1.2;AES256;alpina
-66386535313437306461333238623131623734376539643632333632373636306662653731393565
-3038663166396536643834646131663765633264353533370a633331383631313235353430373763
-61636665643539313232343964313536333134326661633263643032316262333238616638323866
-3839633561613937660a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o newline at end of file
+61306635623363343430383032666564666533343661386663346334626137646137653533636461
+6466643635383162343463303536323563646439323333390a366134333630373464666334333037
+33303361383334353833633364313430636435326361343461616664623261616566306165663966
+6262323130623766380a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o newline at end of file
diff --git a/roles/alpina/collections/services/monitoring/templates/grafana_config/grafana.ini.j2 b/roles/alpina/collections/services/monitoring/templates/grafana_config/grafana.ini.j2
index 1f0b65d..f994a40 100644
--- a/roles/alpina/collections/services/monitoring/templates/grafana_config/grafana.ini.j2
+++ b/roles/alpina/collections/services/monitoring/templates/grafana_config/grafana.ini.j2
@@ -2,18 +2,33 @@
 domain = grafana.{{ domain }}
 root_url = https://%(domain)s/
-[security]
-admin_user = CaZzzer
-admin_email = {{ grafana_admin_email }}
-admin_password = {{ grafana_admin_password }}
+;[security]
+;admin_user =
+;admin_email =
+;admin_password =
-# TODO: Set up Authentik OAuth
 ; https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/generic-oauth/
-;[auth]
-;disable_login_form = true
-;signout_redirect_url =
-;
-;[auth.generic_oauth]
-;name = Authentik
-;enabled = true
-;allow_sign_up = true
+[auth]
+disable_login_form = true
+signout_redirect_url = https://auth.{{ domain }}/application/o/grafana/end-session/
+
+[auth.generic_oauth]
+name = Authentik
+enabled = true
+allow_sign_up = true
+
+client_id = grafana
+client_secret = {{ auth_grafana_client_secret }}
+
+scopes = openid profile email
+auth_url = https://auth.{{ domain }}/application/o/authorize/
+token_url = https://auth.{{ domain }}/application/o/token/
+api_url = https://auth.{{ domain }}/application/o/userinfo/
+
+email_attribute_path = email
+login_attribute_path = preferred_username
+name_attribute_path = name
+
+# Optionally map user groups to Grafana roles
+allow_assign_grafana_admin = true
+role_attribute_path = contains(groups[*], 'Grafana Admins') && 'GrafanaAdmin' || 'Viewer'
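Review bot: Commenting out `admin_password` while adding `disable_login_form = true` only hides the login form; Grafana's `[auth.basic]` stays enabled by default, so the built-in admin account is still reachable with a password over HTTP basic auth, and on a freshly initialised database that password is Grafana's documented default rather than the vaulted value that used to be provisioned here. If OAuth-only access is the intent, add `[auth.basic]` with `enabled = false` next to the new `[auth]` section, or keep `admin_password = {{ grafana_admin_password }}` under `[security]` so the account is at least not on a known default. The mapping `role_attribute_path = contains(groups[*], 'Grafana Admins') && 'GrafanaAdmin' || 'Viewer'` relies on authentik emitting a `groups` claim through the `profile` scope mapping that the blueprint selects; a one-line comment stating that dependency would save the next maintainer a debugging round. If this Grafana version supports it, `use_pkce = true` under `[auth.generic_oauth]` is a cheap hardening of the authorization-code exchange. The hunk starts at file line 2, so the section header above `domain` is outside it.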