authentik, minio: initial integration with blueprints for admin policy

authentik: refactor oauth apps blueprints with group policies
authentik: refactor groups and proxied apps blueprints
2024-12-21 00:42:22 -08:00 · 2024-12-20 21:51:20 -08:00 · 2024-12-20 21:37:19 -08:00 · 2024-12-20 19:57:59 -08:00 · 2024-12-20 15:25:42 -08:00 · 2024-10-30 18:24:34 -07:00
13 changed files with 243 additions and 297 deletions
--- a/.idea/jsonSchemas.xml
+++ b/.idea/jsonSchemas.xml
@@ -31,7 +31,7 @@
                <list>
                  <Item>
                    <option name="directory" value="true" />
-                    <option name="path" value="roles/alpina/collections/services/authentik/templates/blueprints" />
+                    <option name="path" value="roles/alpina/templates/services/authentik/blueprints" />
                    <option name="mappingKind" value="Directory" />
                  </Item>
                </list>
@@ -140,25 +140,6 @@
            </SchemaInfo>
          </value>
        </entry>
-        <entry key="prometheus.rules.json">
-          <value>
-            <SchemaInfo>
-              <option name="name" value="prometheus.rules.json" />
-              <option name="relativePathToSchema" value="https://json.schemastore.org/prometheus.rules.json" />
-              <option name="applicationDefined" value="true" />
-              <option name="patterns">
-                <list>
-                  <Item>
-                    <option name="path" value="roles/alpina/templates/services/monitoring/prometheus_config/container-alerts.yml" />
-                  </Item>
-                  <Item>
-                    <option name="path" value="roles/alpina/templates/services/monitoring/prometheus_config/container.alerts.yml" />
-                  </Item>
-                </list>
-              </option>
-            </SchemaInfo>
-          </value>
-        </entry>
      </map>
    </state>
  </component>
--- a/group_vars/alpina/vars.yml
+++ b/group_vars/alpina/vars.yml
@@ -14,6 +14,9 @@ authentik_secret_key: "{{ vault_authentik_secret_key }}"
 authentik_sendgrid_api_key: "{{ vault_authentik_sendgrid_api_key }}"

 auth_grafana_client_secret: "{{ vault_auth_grafana_client_secret }}"
+auth_gitea_client_secret: "{{ vault_auth_gitea_client_secret }}"
+auth_nextcloud_client_secret: "{{ vault_auth_nextcloud_client_secret }}"
+auth_minio_client_secret: "{{ vault_auth_minio_client_secret }}"
 arrstack_password: "{{ vault_arrstack_password }}"

 # Minio
--- a/group_vars/alpina/vault.yml
+++ b/group_vars/alpina/vault.yml
@@ -1,88 +1,113 @@
 $ANSIBLE_VAULT;1.1;AES256
-66313038633762313266633234323232303734353935383962356166316262303532666530653432
-6639323962333630623362663535306136633937316666610a393739383862626234636235626563
-39333239663065303536633839306530626132633136383236643430653037353032653938386565
-6164623333306630620a663539643737393637653466643162383930376636653366333062346432
-35633666303436313139626337316337636335393636343137616661363030373264386534303762
-32646336313635386439623932636537613365633561306165396535393862363764326436666337
-65393363343230656635666666613139336432613563383730363030643630643861393035393033
-30383866366563663337333330333132646631613764303261616336326439386133386431666233
-61663866653839623634313836306362383066653135333535643630343939323235613963393837
-38623439353038643130646664373063656130333533633936643066363030313534373038646166
-37633739353562303631663565626636393136636332313932396237393866343762386565626164
-63393932656533366137353864343238646234346461323162653465326334333136303333313362
-33646362613436643733643763623337386661346531666136623635303166633838353132386264
-66386136616531633138316631663437306130626665626333386137356431326334323361383737
-37393465626264386336373936323564333031356562393239623636616338626563323065316634
-31313461343030323637363432666130306338353934633164316332613065303237326234666264
-35383666636236393030353732663866363738613463633832313336356637613838336263343330
-34343061386539633635323565613061373930326665636361316636363232626239343233376238
-36653834646132333938373637346633613365626636303836646435306166316138666139626134
-36356663333237646234393437396334663366396630393562303536323866376432643539646264
-36343433633563396363623435323466386337313762643136316665663936366232366233666165
-31656531643230363231313166343461373462663536333165633432326634623435623762616665
-63343534396232303266303062666563636432323739656434653138366437303030393535343930
-38326562336338663565343762313132303138383461353034326638376230623232313365363038
-38663830336131306336336162383335616132666239343931643838376165643063383034363761
-62633034396163306539383039316164333664316566376436653432383837363437653766643933
-61333830653263306366306234653166636634333162386362333734626338333766363939643335
-66613466626130363233393738663763636665656632336634333963636436643430613430316439
-66333964636233613233393434633938333964376334346637303135346334653536393635393563
-34316230353838626566326436323836373630356138323632383635663432336563316464633637
-62316361323138653234616634633633326231626462313964326339353839663738656132393731
-36353030633637373633376134373739646639623264346362363030383064323336346538356264
-32373739616166633462623134353538363036323833393837393335396131316233373335356531
-36613262303639633031306238376165366432653664613233663562326336303433646664616337
-66356334633863383631376365383634326430623165383337336166326662623738383966663436
-34343136326332626536653963656534336366376366326636353364333437383435633335313535
-65343831333562616362373832666136633764303731323632333032376634636663626364373765
-61306339306439666362656361653837313038616538646637383734386435646539303565366332
-63366630303139623464323539303365393666333230646138393131336131626635333466333633
-62393261313539363836643666343735653466616433396333326439663931663666333164643465
-31393930343733313062643366643661313532636432616338666361623964303961363730643531
-38613934646238666663336233356631323738663962336634623436613564616535623161303664
-65366464636235356435333666643036316639646437376463366562346231386436663736633364
-30316138393062363162353962313366323936323433396332383337326530326538653764336536
-61646232313633626632643530636565376435343562663338613336353533666165613665323564
-36396339383637643532633630613135653262306662383737353939636533646531656639643733
-39353464336161623266646533633837373334336535663532646439316533393436333430653133
-32353066386562653563313733343233303534396663656233656462636661356331346134306332
-30633862643232333362353238633632336135623861383931653334333161623764333865613135
-30633830636136306335646338613261616265653166393939306365306261313933363639363333
-39303063633033336637306233326232373665623430386332333765326539653035336565313330
-30343836336165313932626633326565356664393162363561326466623133313663616161383166
-66646230383033336630363536623734653764333665383261663362633339356462626161373061
-30316138653563616563303762663166366230313062626631623964323434663561303939333934
-63313037386264653866373535643233666339663433616438363237613733633633363236396438
-64353664333634396531346465623064626338613136666161666663323762333135316265326662
-66376237316563333834383431323033366135383937383465666666613835303938393936303764
-38636239303535326166363261386339356330366533323938333066386236396665356362383134
-37323066666233633035666262366133396134633165633633386233633166313465623335626536
-37333931666135333638306665633539613362646633623831386538646262383565396633323037
-39306561666238643438616238356632633165343732663261663836623333356165343663613239
-35303436633666376637366233323662613933313234646265633738663561386664333462656238
-39393662633037663764663639396132636337323636633631353565616666663463393663373465
-35373731643164373065623138346432396661613065303230386634393864336333356134366464
-30653438653933323839326539613038326461623735393361346230333835326631356134376366
-32626230643163393932356231623365653832333237353237303438616439323463376539333236
-64663166306536353262613731373136633432376564636331396435313735616638306363643762
-61623038633564356165353562336462396138313534393636653233373732343437383632313266
-66343434633431383162633135313639656666386139306165343536333265623633373062363038
-36326236366130303034633339626235353661316237613232333432336264373131376364323334
-34343039623165663861363463323466333863333764663439366233636132656238363961623463
-66363336633061363237623238383338323430616261303430313535396666636165356166363166
-38376363396636643239636238666532396537623737623538383130623239666630376661303536
-36613334663164303361366165653964323132393135376666646663323538653066326461333932
-65663730626164636334626264393539623637313661383963663733383636363663386665386332
-65363735646633613762343230653731646261653937633032383332653264643532386263333865
-31373435313230346336616230306336643763613439666365303363613865313331366537316431
-35613439643036663136303164626134646332333465383264353036353564333035633262303166
-34393138343463646532323136623562386237376333636531626561393633376238393138303239
-66386365303166383736323435336432383634616239353565623962333939373266376632333734
-62356230323531316564316439376137346431636462303062333933303965616232313739643665
-33653962333037306333363534313933666163393465306534653837303164346333333665353032
-66336333656335353239356232383561663831323763376663666365383834353166373461383631
-38666665343036353437323961636534303537386266303133356465633262393132333134663034
-66303939393562633363373131303730663634303162396565656266613163646331333230306234
-37366137323230613331623239383765383230633134306466633839363765633961626265356365
-623166373834383030373932623664303765
+62376365353162306161343336623464386634383663663165393632366666633530373636633032
+6536633438613664316163613236663334663635363665630a666135396430306536646534616535
+65383432356339643063373232393861333366393038666134346363646130626130633861646536
+3134613738333465300a363031626561376533343730353361646462306434663564336538666565
+38643166326439356138653163323030626539393265613833303661313036336562373938323663
+39336533383636626464343461653836313734393430306238336561323038306238646236393835
+62643638636137646162616239636561666432376561393338336663366438346530346666396662
+63626432326263383561633532613039643862303135643262383636666161663539643465616566
+66303364333133393932643666656263613063373162373265353433616337636337363363353938
+31613638633462383031356433393765353439373434356366336234316361393862343763643333
+61623233633664396564376462336131353061303831316466306632663261666161323137333633
+39623938633861356136636532373139356339636334373137303034646431363438613936636438
+38363463386664643439313564313364613962346631343663633837326532613933336462636265
+32616161663065316661313335373234353161653732303965613731633665646532386139383732
+32363834636532363262646433616563363232643864653365643736353434346130383963393564
+34333861326633393763653639663666333061613161393864323165303638353962333531333661
+36316534303365626562643366393836356337303533313237613534313565643832373438373530
+32393065653538393762333232636235316439653935663437616236326162313464323037336630
+39323262333530363230353334356461343866346438626533633339386162336337623137393366
+32373361393231343134626237323062663634323939613461633866353561636334613234336532
+61306235363037306466656463653836396434313830333031366630373364343637376662346663
+65663132346239343937636261643238623364633062356163323364363466666661346364356239
+32653266303837663237333136316464626161626136336333363964636461616138323962313166
+64643930333964303639393439666432366435386464326561323165353333623765653132383636
+34326633663331376563613766383734613762653834356561616461303361373662653337623863
+37633135393861366137613137633265306137326536363632373962353233373735663065653534
+37333038363330633931353233623236313332336234393333616238353137656363643230633966
+32636336663762636130343933373834386465396536316439386465623130396266393438396262
+63636561623533366166393831383035373935643037326265636634646339336264383937366334
+37373961663330326131343531356238363632663861376362643561643966636364653235303032
+33363861396336666332356130353638373135376336373236383730373665623336373830643137
+35613234343966383264643834353162353533373939346561363438376339656239323364353036
+63623630643930363739326236653435613538393438326331383366666332383763356631356533
+39393363366261393231386239363161313939396431323630323062393962313933633462303439
+35623831356638333431313430343832616438343134613538343064323535613539663431643830
+32623363343733623837366236393136393864353332316538306463346337363264613763326463
+65366536326463303062663262636563306565323861666661376338633334383138626364333039
+34333734656331346334316465333339333535333632383963663633383361383661643235383866
+32326634643633366566306137383066653334323935363066316366313934373663383234316438
+35346139633239323431386536656464666161656434316238356333323665333661623364653865
+33636139333866356630323031323162323834303062363637313430313164326636383436383465
+35333434613632353265633935343164613266383463633631323763633565353039306134656431
+37616430633736326139366438613666346434646363313032366231616436616535393334613264
+34646132303061383034363139613362626235383938393535626339353438626635396561346166
+36666530613634336666653638353734323336366639626465346135323838343565383335313233
+62356631666135666434363061666234396337323838303866343839383164643939323862616632
+34646433333031653939313434613435623036346631643265643663613537323061343733326534
+64626663306338623533333132613333386562306162343438653266356666663535623036616666
+64613866663261386233343236353931353766323833623631373438353664393137613032366461
+63623164353435336564613739353863383037326465363462376536663934626362393132313465
+66353965643763656564366630353131313465656265613434363538343331313666613564313036
+35396436633233623261323432666237303335333339393363636362376536343837346264383935
+30346163353338336661646536643536623262343762303766393438343666623063326463346566
+34663538656133353639333830316562376137643666323832363666623766366131303830626531
+62313832316533663261353365343733636236643333396561333636303065653732646665386136
+31386535663732386165623037373763333731343461393431306339393634346130646462646661
+61646539613964666437623631643333333435353039633531313364366338316365396131346331
+30363963633236653364643061316237326362653462656563656165346134656338383738613932
+65333432393534643331396563643865656435373563613939616234636533383731336561623037
+61373839343132376465343332343165316361383831333538313531333063633632643832633536
+33313464643239323963346338386566313031306233336562616638353365666237346262666134
+33646134393531346637376133393039326638316334626333363162313239393239663865323730
+30343731363031303565643833313135643036666461366666376132663433343662333730373137
+65636236313561613637343262653833666135653832363466613138363332393061653032333933
+66376263663830333937336566333461333431393336333161623233353332396437396664316137
+64363737323036366635613938346261383634353237346337613933303334623434623439616533
+32353465336237396133643039613730646661643039363836333733353033343236373864626634
+37666562653233336464633337353963363361646334373863653032353137363738613561613135
+66356132393630613031316466663837633633383033633064326565303837633062336531373866
+34666537303033323362363163353666383962333536303135363666653930326166323637636266
+34306537343238353833313635306663643737653531313435383064383133366364646331306261
+66363763353534643833316533383364353632343439393032313437633734323031383438633333
+31616362343332373333626135396435366235313465346639326564353265643133313339376639
+63333233653833653333373162633033623035633832333566653536343832373035636664643839
+38393864666430313162366337653836333135333738653763653261343233663666373865383366
+65343038646166343934376633613337306436336130626363396339313236653731653265383661
+34633332343639333533316631643763363664666563353137383639616132313363383137383132
+33343635386139366230363464363731383166393430396533613438366661353439353537346530
+62366461653534333834386637363364346432333964306639376339313531383431323930333530
+37383665373937303732643636383539393039663363623337663938303139663039366536323031
+66613036326263316239646535656163626232626130336465303166336336316435343262373631
+39613536336366366435326230653339356635636432303862306636613935306432323966313234
+65623938316162393931343337326334666235666362313739343564633339653962313062393431
+35373338306332326133333638636137386337343261386663333261333030343635336532373134
+38626136383936393339613534386539663035316335656566656639613837313239626431386362
+62643733326636323635373363333964643132323562633430626666616531656639383231336432
+61653439376663613161396465343638623639653135363863336363343230636336346434326234
+32343962666337646435653035333431333632363239616535333835393761353366386561356366
+37356530333763346137653566643134376136656638386334343038376439643037623338643333
+66626537633931333465383062303766333436346433636434653139333966613865656234346539
+36376239393632653536306363313633636464343366373862343039306235303766623462633932
+32313537306530343032663365626330363838396566356534343766383865653231613538323461
+37303439393733376539613061663937633665663963613236323764653835656563346565636531
+30363239376139343166346664306234363031623031663266643966636265666163353536346132
+65623638323065633361373330386334636332306634636336613365663133373835666135396230
+38373939366534663336376135646237633232646261383964383735353533303862623064313333
+33633533653537376138623635663465336131383838663237653933623634343761623731366335
+64653233366335656365656336303862656663303138643531356661373831633062633734363661
+39306633323337356366383863643034656135393432386638353761323337373631353436383664
+34623631306663636439376464383831323566666266613536613661633266343732646264306162
+36353030343538316330313831626232353165323038363034666161336338316536353832353966
+35336365393563643733363535393763613865663436616130343066303638353431653039356661
+34393936363764393032646133326432656230353232623339646165663932366130363734663762
+34303433376666383639663661356334653939663739643139363237623031666632623239343562
+30656438623236616637643132613666343133393436346635316638633664316363323832393862
+39643831363633643562323664613666393033656132333964643639333230353763383330343835
+64383530373332343838666536303363313033303931646232343037303863343835366139326135
+34336330343365663837396134653566633536643832373433393035366531323035616462363639
+66336133346139336264346636643735383136343336303133313031653230366166396239303335
+64656535326465363563396532376538336434643964336264303061393139656139376635633730
+62326664613766393435383464363538393937313236363630656337356264633134353464393835
+32653133383732656235
--- a/roles/alpina/templates/apps/nextcloud/.env.j2
+++ b/roles/alpina/templates/apps/nextcloud/.env.j2
@@ -1 +1 @@
-NEXTCLOUD_VERSION=29-apache
+NEXTCLOUD_VERSION=30-apache
--- a/roles/alpina/templates/apps/nextcloud/.env.notify_push.j2
+++ b/roles/alpina/templates/apps/nextcloud/.env.notify_push.j2
--- a/roles/alpina/templates/services/authentik/blueprints/apps-oauth2.yaml.j2
+++ b/roles/alpina/templates/services/authentik/blueprints/apps-oauth2.yaml.j2
@@ -5,46 +5,80 @@ metadata:
  name: Alpina - OAuth2 Apps
 entries:
  {% set apps = {
+    "Grafana": {
+      "redirect_uri": "https://grafana."~ domain ~"/login/generic_oauth",
+      "icon": "https://grafana."~ domain ~"/public/img/grafana_icon.svg",
+      "client_secret": auth_grafana_client_secret,
+      "ui_group": "Services",
+      "allowed_for_groups": ["admins"],
+    },
+    "Minio": {
+      "redirect_uri": "https://minio."~ domain ~"/oauth_callback",
+      "icon": "https://minio."~ domain ~"/logo192.png",
+      "client_secret": auth_minio_client_secret,
+      "ui_group": "Services",
+      "allowed_for_groups": ["admins"],
+    },
    "Gitea": {
-      "redirect_uris": "https://gitea."~ domain ~"/user/oauth2/Authentik/callback",
+      "redirect_uri": "https://gitea."~ domain ~"/user/oauth2/Authentik/callback",
      "icon": "https://gitea."~ domain ~"/assets/img/logo.svg",
+      "client_secret": auth_gitea_client_secret,
+      "ui_group": "Apps",
+      "allowed_for_groups": ["admins", "users"],
    },
    "Nextcloud": {
-      "redirect_uris": "https://nc."~ domain ~"/apps/sociallogin/custom_oidc/authentik",
+      "redirect_uri": "https://nc."~ domain ~"/apps/sociallogin/custom_oidc/authentik",
      "icon": "https://nc."~ domain ~"/apps/theming/favicon",
+      "client_secret": auth_nextcloud_client_secret,
+      "ui_group": "Apps",
+      "allowed_for_groups": ["admins", "users"],
    },
  } -%}
  {% for app in apps.keys() -%}
  - identifiers:
      name: {{ app }}
    model: authentik_providers_oauth2.oauth2provider
-    id: {{ app | lower }}
+    id: {{ app }}
    attrs:
-      access_code_validity: minutes=1
-      access_token_validity: minutes=5
      authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+      invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
      client_type: confidential
-      issuer_mode: per_provider
-      sub_mode: hashed_user_id
+      client_id: {{ app | lower }}
+      client_secret: {{ apps[app]["client_secret"] }}
      property_mappings:
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
-      redirect_uris: {{ apps[app]["redirect_uris"] }}
-      refresh_token_validity: days=30
+        {% if app == "Minio" -%}
+        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, minio]]
+        {%- endif %}
+
+      redirect_uris:
+        - matching_mode: strict
+          url: {{ apps[app]["redirect_uri"] }}
+      # Necessary for JWKS to be generated correctly
      signing_key: !Find [authentik_crypto.certificatekeypair, [name, "authentik Self-signed Certificate"]]

  - identifiers:
      slug: {{ app | lower }}
    model: authentik_core.application
-    id: {{ app | lower }}
+    id: app-{{ app }}
    attrs:
      name: {{ app }}
-      group: "Apps"
+      group: "{{ apps[app]["ui_group"] }}"
      meta_description: "Hello, I'm {{ app }}!"
      meta_publisher: Alpina
      icon: "{{ apps[app]["icon"] }}"
      open_in_new_tab: true
-      policy_engine_mode: any
-      provider: !KeyOf {{ app | lower }}
+      provider: !KeyOf {{ app }}
+
+  {% for group in apps[app]["allowed_for_groups"] -%}
+  - identifiers:
+      group: !Find [authentik_core.group, [name, {{ group }}]]
+      target: !KeyOf app-{{ app }}
+    model: authentik_policies.policybinding
+    attrs:
+      order: 10
+  {% endfor %}
+
  {% endfor %}
--- a/roles/alpina/templates/services/authentik/blueprints/apps-proxy.yaml.j2
+++ b/roles/alpina/templates/services/authentik/blueprints/apps-proxy.yaml.j2
@@ -4,61 +4,47 @@ metadata:
    blueprints.goauthentik.io/instantiate: "true"
  name: Alpina - Proxied Apps
 entries:
-  - identifiers:
-      name: arrstack
-    model: authentik_core.group
-    id: arrstack
-    attrs:
-      arrstack_username: "arr"
-      arrstack_password: "{{ arrstack_password }}"
-
-  # TODO: Probably refactor this into a jinja macro
+  # TODO: Possibly refactor this into a jinja macro (?)
  {% set apps = {
-    "uptime-kuma": {
+    "Uptime Kuma": {
      "host": "uptime",
-      "name": "Uptime Kuma",
      "icon": "https://uptime."~ domain ~"/icon.svg",
      "unauthenticated_paths": "^/icon.svg$",
-      "group": "Services",
-      "create_admin_group": true,
+      "ui_group": "Services",
+      "allowed_for_groups": ["admins"],
    },
-    "qbit": {
+    "qBit": {
      "host": "qbit",
-      "name": "qBit",
      "icon": "https://qbit."~ domain ~"/images/qbittorrent-tray.svg",
      "unauthenticated_paths": "^/images/qbittorrent-tray.svg$",
-      "group": "Arrstack",
-      "create_admin_group": false,
+      "ui_group": "Arrstack",
+      "allowed_for_groups": ["arrstack"],
    },
-    "prowlarr": {
+    "Prowlarr": {
      "host": "prowlarr",
-      "name": "Prowlarr",
      "icon": "https://prowlarr."~ domain ~"/Content/Images/logo.svg",
      "unauthenticated_paths": "^/Content/Images/logo.svg$",
-      "group": "Arrstack",
-      "create_admin_group": false,
+      "ui_group": "Arrstack",
+      "allowed_for_groups": ["arrstack"],
    },
-    "sonarr": {
+    "Sonarr": {
      "host": "sonarr",
-      "name": "Sonarr",
      "icon": "https://sonarr."~ domain ~"/Content/Images/logo.svg",
      "unauthenticated_paths": "^/Content/Images/logo.svg$",
-      "group": "Arrstack",
-      "create_admin_group": false,
+      "ui_group": "Arrstack",
+      "allowed_for_groups": ["arrstack"],
    },
-    "radarr": {
+    "Radarr": {
      "host": "radarr",
-      "name": "Radarr",
      "icon": "https://radarr."~ domain ~"/Content/Images/logo.svg",
      "unauthenticated_paths": "^/Content/Images/logo.svg$",
-      "group": "Arrstack",
-      "create_admin_group": false,
+      "ui_group": "Arrstack",
+      "allowed_for_groups": ["arrstack"],
    },
  } -%}
-
  {% for app in apps.keys() -%}
  - identifiers:
-      name: {{ apps[app]["name"] }}
+      name: {{ app }}
    model: authentik_providers_proxy.proxyprovider
    id: {{ app }}
    attrs:
@@ -68,39 +54,26 @@ entries:
      skip_path_regex: "{{ apps[app]["unauthenticated_paths"] }}"

  - identifiers:
-      slug: {{ app }}
+      slug: {{ app | lower | replace(" ", "-") }}
    model: authentik_core.application
+    id: app-{{ app }}
    attrs:
-      name: {{ apps[app]["name"] }}
-      group: {{ apps[app]["group"] }}
-      meta_description: "Hello, I'm {{ apps[app]["name"] }}!"
+      name: {{ app }}
+      group: {{ apps[app]["ui_group"] }}
+      meta_description: "Hello, I'm {{ app }}!"
      meta_publisher: Alpina
      icon: "{{ apps[app]["icon"] }}"
      open_in_new_tab: true
      provider: !KeyOf {{ app }}

-  {% if apps[app]["create_admin_group"] -%}
+  {% for group in apps[app]["allowed_for_groups"] -%}
  - identifiers:
-      name: "{{ apps[app]["name"] }} Admins"
-    model: authentik_core.group
-    id: "{{ app }} Admins"
-
-  - identifiers:
-      group: !KeyOf "{{ app }} Admins"
-      target: !Find [authentik_core.application, [ slug, {{ app }}] ]
+      group: !Find [authentik_core.group, [name, {{ group }}]]
+      target: !KeyOf app-{{ app }}
    model: authentik_policies.policybinding
    attrs:
-      order: 0
-  {% endif %}
-
-  {% if apps[app]["group"] == "Arrstack" -%}
-  - identifiers:
-      group: !KeyOf arrstack
-      target: !Find [authentik_core.application, [slug, {{ app }}]]
-    model: authentik_policies.policybinding
-    attrs:
-      order: 0
-  {% endif %}
+      order: 10
+  {% endfor %}

  {% endfor %}

--- a/roles/alpina/templates/services/authentik/blueprints/default-groups.yaml.j2
+++ b/roles/alpina/templates/services/authentik/blueprints/default-groups.yaml.j2
@@ -0,0 +1,40 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: Alpina - Default Groups
+entries:
+  - identifiers:
+      name: "admins"
+    model: authentik_core.group
+    id: "admins"
+    attrs:
+      is_superuser: true
+
+  - identifiers:
+      name: "users"
+    model: authentik_core.group
+    id: "users"
+
+  - identifiers:
+      name: "arrstack"
+    model: authentik_core.group
+    id: "arrstack"
+    attrs:
+      arrstack_username: "arr"
+      arrstack_password: "{{ arrstack_password }}"
+
+  - identifiers:
+      scope_name: "minio"
+    model: authentik_providers_oauth2.scopemapping
+    id: "scope-minio"
+    attrs:
+      name: "Minio Policy"
+      expression: |
+        policy = "default"
+        if ak_is_group_member(request.user, name="admins"):
+            policy = "consoleAdmin"
+
+        return {
+          "policy": policy,
+        }
--- a/roles/alpina/templates/services/authentik/blueprints/services-oauth2.yaml.j2
+++ b/roles/alpina/templates/services/authentik/blueprints/services-oauth2.yaml.j2
@@ -1,56 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: Alpina - OAuth2 Services
-entries:
-  {% set apps = {
-    "Grafana": {
-      "redirect_uris": "https://grafana."~ domain ~"/login/generic_oauth",
-      "icon": "https://grafana."~ domain ~"/public/img/grafana_icon.svg",
-      "client_secret": auth_grafana_client_secret,
-    },
-  } -%}
-  # TODO: Add Minio
-
-  {% for app in apps.keys() -%}
-  - identifiers:
-      name: {{ app }}
-    model: authentik_providers_oauth2.oauth2provider
-    id: {{ app | lower }}
-    attrs:
-      authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-      client_type: confidential
-      client_id: {{ app | lower }}
-      client_secret: {{ apps[app]["client_secret"] }}
-      property_mappings:
-        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
-        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
-        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
-      redirect_uris: {{ apps[app]["redirect_uris"] }}
-
-  - identifiers:
-      slug: {{ app | lower }}
-    model: authentik_core.application
-    attrs:
-      name: {{ app }}
-      group: "Services"
-      meta_description: "Hello, I'm {{ app }}!"
-      meta_publisher: Alpina
-      icon: "{{ apps[app]["icon"] }}"
-      open_in_new_tab: true
-      provider: !KeyOf {{ app | lower }}
-
-  - identifiers:
-      name: "{{ app }} Admins"
-    model: authentik_core.group
-    id: "{{ app }} Admins"
-
-  - identifiers:
-      group: !KeyOf "{{ app }} Admins"
-      target: !Find [authentik_core.application, [slug, {{ app | lower }}]]
-    model: authentik_policies.policybinding
-    attrs:
-      order: 0
-
-  {% endfor %}
--- a/roles/alpina/templates/services/minio/.env.minio.j2
+++ b/roles/alpina/templates/services/minio/.env.minio.j2
@@ -5,11 +5,16 @@ MINIO_DOMAIN=s3.{{ domain }}
 MINIO_SERVER_URL=https://s3.{{ domain }}
 MINIO_BROWSER_REDIRECT_URL=https://minio.{{ domain }}

-#MINIO_IDENTITY_OPENID_CONFIG_URL=https://auth.{{ domain }}/application/o/minio/.well-known/openid-configuration
-#MINIO_IDENTITY_OPENID_CLIENT_ID=
-#MINIO_IDENTITY_OPENID_CLIENT_SECRET=
-#MINIO_IDENTITY_OPENID_CLAIM_NAME=
-#MINIO_IDENTITY_OPENID_CLAIM_PREFIX=
-#MINIO_IDENTITY_OPENID_SCOPES=
-#MINIO_IDENTITY_OPENID_REDIRECT_URI=
+# https://min.io/docs/minio/linux/reference/minio-server/settings/iam/openid.html
+MINIO_IDENTITY_OPENID_CONFIG_URL=https://auth.{{ domain }}/application/o/minio/.well-known/openid-configuration
+MINIO_IDENTITY_OPENID_CLIENT_ID=minio
+MINIO_IDENTITY_OPENID_CLIENT_SECRET={{ auth_minio_client_secret }}
+# defaults to "policy"
+#MINIO_IDENTITY_OPENID_CLAIM_NAME=policy
+MINIO_IDENTITY_OPENID_DISPLAY_NAME=Authentik
+# no need to specify scopes,
+# as it defaults to the ones advertised at the discovery url
+#MINIO_IDENTITY_OPENID_SCOPES=openid,profile,email,minio
+#MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC=off
+#MINIO_IDENTITY_OPENID_CLAIM_USERINFO=on
 #MINIO_IDENTITY_OPENID_COMMENT=
--- a/roles/alpina/templates/services/monitoring/docker-compose.yml.j2
+++ b/roles/alpina/templates/services/monitoring/docker-compose.yml.j2
@@ -66,7 +66,6 @@ services:
    command:
      - --config.file=/etc/prometheus/prometheus.yml
      - --storage.tsdb.retention.time=30d
-      - --web.external-url=https://prom.{{ domain }}/
    volumes:
      - ./prometheus_config:/etc/prometheus:ro
      - {{ base_volume_path }}/monitoring/prometheus_configs:/etc/prometheus/extra:ro
--- a/roles/alpina/templates/services/monitoring/grafana_config/dashboards/example.dashboard.py
+++ b/roles/alpina/templates/services/monitoring/grafana_config/dashboards/example.dashboard.py
@@ -1,51 +0,0 @@
-from grafanalib.core import (
-    Dashboard, TimeSeries, GaugePanel,
-    Target, GridPos,
-    OPS_FORMAT
-)
-
-dashboard = Dashboard(
-    title="Python generated example dashboard",
-    description="Example dashboard using the Random Walk and default Prometheus datasource",
-    tags=[
-        'example'
-    ],
-    timezone="browser",
-    panels=[
-        TimeSeries(
-            title="Random Walk",
-            dataSource='default',
-            targets=[
-                Target(
-                    datasource='grafana',
-                    expr='example',
-                ),
-            ],
-            gridPos=GridPos(h=8, w=16, x=0, y=0),
-        ),
-        GaugePanel(
-            title="Random Walk",
-            dataSource='default',
-            targets=[
-                Target(
-                    datasource='grafana',
-                    expr='example',
-                ),
-            ],
-            gridPos=GridPos(h=4, w=4, x=17, y=0),
-        ),
-        TimeSeries(
-            title="Prometheus http requests",
-            dataSource='prometheus',
-            targets=[
-                Target(
-                    expr='rate(prometheus_http_requests_total[5m])',
-                    legendFormat="{{ handler }}",
-                    refId='A',
-                ),
-            ],
-            unit=OPS_FORMAT,
-            gridPos=GridPos(h=8, w=16, x=0, y=10),
-        ),
-    ],
-).auto_panel_ids()
--- a/roles/alpina/templates/services/monitoring/prometheus_config/prometheus.yml.j2
+++ b/roles/alpina/templates/services/monitoring/prometheus_config/prometheus.yml.j2
@@ -30,13 +30,6 @@ scrape_configs:
    static_configs:
      - targets: ["promtail:9080"]

-  - job_name: 'demo'
-    static_configs:
-      - targets:
-          - 'demo.promlabs.com:10000'
-          - 'demo.promlabs.com:10001'
-          - 'demo.promlabs.com:10002'
-
 rule_files:
  - "/etc/prometheus/extra/rules/*.yml"
  - "/etc/prometheus/extra/rules/*.json"
Author	SHA1	Message	Date
Yuri Tatishchev	dbdd2cfe11	authentik, minio: initial integration with blueprints for admin policy	2024-12-21 00:42:22 -08:00
Yuri Tatishchev	1be4868f09	authentik: refactor oauth apps blueprints with group policies	2024-12-20 21:51:20 -08:00
Yuri Tatishchev	ee24d69906	authentik: refactor groups and proxied apps blueprints	2024-12-20 21:37:19 -08:00
Yuri Tatishchev	f0a10cc1d2	authentik: refactor oauth2 app blueprints	2024-12-20 19:57:59 -08:00
Yuri Tatishchev	263f7eea17	updates: nextcloud	2024-12-20 15:25:42 -08:00
Yuri Tatishchev	3006e3e424	monitoring: container, node dashboard improvements; separate common.py logic	2024-10-30 18:24:34 -07:00
Yuri Tatishchev	0e43a68754	monitoring: add grafanalib, containers dashboard	2024-10-30 18:24:28 -07:00
Yuri Tatishchev	fc6e485a61	refactor: separate templating for j2 and normal files	2024-10-30 18:11:26 -07:00