Switch to Pocket ID.

2025-11-04 12:58:15 +00:00
parent 520a417316
commit 1b05728817
17 changed files with 57 additions and 46 deletions
--- a/docs/TODO
+++ b/docs/TODO
@@ -1,5 +1,6 @@
 * remote docker images used, can't come up if internet is down
 * local docker images pulled from gitea, can't come up if gitea isn't up (yet)
+* traefik-oidc-auth plugin downloaded from GitHub at startup (cached in /data/services/traefik/plugins-storage)
 * renovate system of some kind
 * vector (or other log ingestion) everywhere, consider moving it off docker if possible
 * monitor backup-persist success/fail
--- a/services/adminer.hcl
+++ b/services/adminer.hcl
@@ -27,7 +27,7 @@ job "adminer" {
        tags = [
          "traefik.enable=true",
          "traefik.http.routers.adminer.entryPoints=websecure",
-          "traefik.http.routers.adminer.middlewares=authentik@file",
+          "traefik.http.routers.adminer.middlewares=oidc-auth@file",
        ]
      }
    }
--- a/services/beancount.hcl
+++ b/services/beancount.hcl
@@ -37,7 +37,7 @@ job "beancount" {
        tags = [
          "traefik.enable=true",
          "traefik.http.routers.finances.entryPoints=websecure",
-          "traefik.http.routers.finances.middlewares=authentik@file",
+          "traefik.http.routers.finances.middlewares=oidc-auth@file",
        ]
      }

--- a/services/evcc.hcl
+++ b/services/evcc.hcl
@@ -49,7 +49,7 @@ job "evcc" {
        tags = [
          "traefik.enable=true",
          "traefik.http.routers.evcc.entryPoints=websecure",
-          "traefik.http.routers.evcc.middlewares=authentik@file",
+          "traefik.http.routers.evcc.middlewares=oidc-auth@file",
        ]
      }
    }
--- a/services/grafana.hcl
+++ b/services/grafana.hcl
@@ -25,19 +25,22 @@ job "grafana" {
        GF_SERVER_ROOT_URL = "https://grafana.v.paler.net"
        GF_AUTH_BASIC_ENABLED = "false"
        GF_AUTH_GENERIC_OAUTH_ENABLED = "true"
-        GF_AUTH_GENERIC_OAUTH_NAME = "authentik"
-        GF_AUTH_GENERIC_OAUTH_CLIENT_ID = "E78NG1AZeW6FaAox0mUhaTSrHeqFgNkWG12My2zx"
-        GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET = "N7u2RfFZ5KVLdEkhlpUTzymGxeK5rLo9SYZLSGGBXJDr46p5g5uv1qZ4Jm2d1rP4aJX4PSzauZlxHhkG2byiBFMbdo6K742KXcEimZsOBFiNKeWOHxofYerBnPuoECQW"
-        GF_AUTH_GENERIC_OAUTH_SCOPES = "openid profile email offline_access"
-        GF_AUTH_GENERIC_OAUTH_AUTH_URL = "https://authentik.v.paler.net/application/o/authorize/"
-        GF_AUTH_GENERIC_OAUTH_TOKEN_URL = "https://authentik.v.paler.net/application/o/token/"
-        GF_AUTH_GENERIC_OAUTH_API_URL = "https://authentik.v.paler.net/application/o/userinfo/"
-        GF_AUTH_SIGNOUT_REDIRECT_URL = "https://authentik.v.paler.net/application/o/grafana/end-session/"
+        GF_AUTH_GENERIC_OAUTH_NAME = "Pocket ID"
+        GF_AUTH_GENERIC_OAUTH_CLIENT_ID = "99e44cf2-ecc6-4e82-8882-129c017f8a4a"
+        GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET = "NjJ9Uro4MK7siqLGSmkiQmjFuESulqQN"
+        GF_AUTH_GENERIC_OAUTH_SCOPES = "openid profile email groups"
+        GF_AUTH_GENERIC_OAUTH_AUTH_URL = "https://pocket-id.v.paler.net/authorize"
+        GF_AUTH_GENERIC_OAUTH_TOKEN_URL = "https://pocket-id.v.paler.net/api/oidc/token"
+        GF_AUTH_GENERIC_OAUTH_API_URL = "https://pocket-id.v.paler.net/api/oidc/userinfo"
+        GF_AUTH_SIGNOUT_REDIRECT_URL = "https://pocket-id.v.paler.net/logout"
        # Optionally enable auto-login (bypasses Grafana login screen)
        GF_AUTH_OAUTH_AUTO_LOGIN = "true"
        # Optionally map user groups to Grafana roles
-        GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH = "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'"
+        GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH = "contains(groups[*], 'admins') && 'Admin' || contains(groups[*], 'residents') && 'Editor' || 'Viewer'"
        GF_AUTH_GENERIC_OAUTH_USE_REFRESH_TOKEN = "true"
+        GF_AUTH_GENERIC_OAUTH_EMAIL_ATTRIBUTE_PATH = "email"
+        GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH = "preferred_username"
+        GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH = "name"
        #GF_LOG_LEVEL = "debug"
      }

--- a/services/jupyter.hcl
+++ b/services/jupyter.hcl
@@ -38,7 +38,7 @@ job "jupyter" {
        tags = [
          "traefik.enable=true",
          "traefik.http.routers.jupyter.entryPoints=websecure",
-          "traefik.http.routers.jupyter.middlewares=authentik@file",
+          "traefik.http.routers.jupyter.middlewares=oidc-auth@file",
        ]
      }
    }
--- a/services/loki.hcl
+++ b/services/loki.hcl
@@ -126,7 +126,7 @@ EOH
        tags = [
          "traefik.enable=true",
          "traefik.http.routers.loki.entryPoints=websecure",
-          "traefik.http.routers.loki.middlewares=authentik@file",
+          "traefik.http.routers.loki.middlewares=oidc-auth@file",
          "metrics",
        ]
      }
--- a/services/media.hcl
+++ b/services/media.hcl
@@ -44,7 +44,7 @@ job "media" {
        tags = [
          "traefik.enable=true",
          "traefik.http.routers.radarr.entryPoints=websecure",
-          "traefik.http.routers.radarr.middlewares=authentik@file",
+          "traefik.http.routers.radarr.middlewares=oidc-auth@file",
        ]
      }
    }
@@ -78,7 +78,7 @@ job "media" {
        tags = [
          "traefik.enable=true",
          "traefik.http.routers.sonarr.entryPoints=websecure",
-          "traefik.http.routers.sonarr.middlewares=authentik@file",
+          "traefik.http.routers.sonarr.middlewares=oidc-auth@file",
        ]
      }
    }
@@ -112,7 +112,7 @@ job "media" {
        tags = [
          "traefik.enable=true",
          "traefik.http.routers.bazarr.entryPoints=websecure",
-          "traefik.http.routers.bazarr.middlewares=authentik@file",
+          "traefik.http.routers.bazarr.middlewares=oidc-auth@file",
        ]
      }
    }
@@ -148,7 +148,7 @@ job "media" {
        tags = [
          "traefik.enable=true",
          "traefik.http.routers.plex.entryPoints=websecure",
-          "traefik.http.routers.plex.middlewares=authentik@file",
+          "traefik.http.routers.plex.middlewares=oidc-auth@file",
        ]
      }
    }
@@ -187,7 +187,7 @@ job "media" {
        tags = [
          "traefik.enable=true",
          "traefik.http.routers.torrent.entryPoints=websecure",
-          "traefik.http.routers.torrent.middlewares=authentik@file",
+          "traefik.http.routers.torrent.middlewares=oidc-auth@file",
        ]
      }
    }
--- a/services/netbox.hcl
+++ b/services/netbox.hcl
@@ -39,10 +39,10 @@ job "netbox" {
        REMOTE_AUTH_ENABLED = "true"
        REMOTE_AUTH_BACKEND = "social_core.backends.open_id_connect.OpenIdConnectAuth"

-        SOCIAL_AUTH_OIDC_ENDPOINT = "https://authentik.v.paler.net/application/o/netbox/"
-        SOCIAL_AUTH_OIDC_KEY = "XiPhZmWy2mp8hQyHLXCwk7njRNPSLTp2vSHhvWYI"
-        SOCIAL_AUTH_OIDC_SECRET = "Kkop2dStx0gN52V1LfPnoxcaemuur6zMsvRnqpWSDe2qSngJVcqWfvFXaNeTbdURRB6TPwjlaNJ5BXR2ChcSmokWGTGargu84Ox1D6M2zXTsfLFj9B149Mhblos4mJL1"
-        LOGOUT_REDIRECT_URL = "https://authentik.v.paler.net/application/o/netbox/end-session/"
+        SOCIAL_AUTH_OIDC_ENDPOINT = "https://pocket-id.v.paler.net/"
+        SOCIAL_AUTH_OIDC_KEY = "6ce1f1bb-d5e8-4ba5-b136-2643dc8bcbcf"
+        SOCIAL_AUTH_OIDC_SECRET = "Af7sJvCn9BuijoJXrB5aWv6fTmEqLCAf"
+        LOGOUT_REDIRECT_URL = "https://pocket-id.v.paler.net/logout"
      }

      resources {
--- a/services/postgres.hcl
+++ b/services/postgres.hcl
@@ -91,15 +91,15 @@ job "postgres" {
        PGADMIN_CONFIG_OAUTH2_AUTO_CREATE_USER = "True"
        PGADMIN_CONFIG_OAUTH2_CONFIG = <<EOH
        [{
-            'OAUTH2_NAME' : 'authentik',
+            'OAUTH2_NAME' : 'pocket-id',
            'OAUTH2_DISPLAY_NAME' : 'SSO',
-            'OAUTH2_CLIENT_ID' : 'o4p3B03ayTQ2kpwmM7GswbcfO78JHCTdoZqKJEut',
-            'OAUTH2_CLIENT_SECRET' : '7UYHONOCVdjpRMK9Ojwds0qPPpxCiztbIRhK7FJ2IFBpUgN6tnmpEjlkPYimiGKfaHLhy4XE7kQm7Et1Jm0hgyia0iB1VIlp623ckppbwkM6IfpTE1LfEmTMtPrxSngx',
-            'OAUTH2_TOKEN_URL' : 'https://authentik.v.paler.net/application/o/token/',
-            'OAUTH2_AUTHORIZATION_URL' : 'https://authentik.v.paler.net/application/o/authorize/',
-            'OAUTH2_API_BASE_URL' : 'https://authentik.v.paler.net/',
-            'OAUTH2_USERINFO_ENDPOINT' : 'https://authentik.v.paler.net/application/o/userinfo/',
-            'OAUTH2_SERVER_METADATA_URL' : 'https://authentik.v.paler.net/application/o/pgadmin/.well-known/openid-configuration',
+            'OAUTH2_CLIENT_ID' : '180133da-1bd7-4cde-9c18-2f277e962dab',
+            'OAUTH2_CLIENT_SECRET' : 'ELYNAfiWSGYJQUXUDOdpm7tTtyLbrs4E',
+            'OAUTH2_TOKEN_URL' : 'https://pocket-id.v.paler.net/api/oidc/token',
+            'OAUTH2_AUTHORIZATION_URL' : 'https://pocket-id.v.paler.net/authorize',
+            'OAUTH2_API_BASE_URL' : 'https://pocket-id.v.paler.net/',
+            'OAUTH2_USERINFO_ENDPOINT' : 'https://pocket-id.v.paler.net/api/oidc/userinfo',
+            'OAUTH2_SERVER_METADATA_URL' : 'https://pocket-id.v.paler.net/.well-known/openid-configuration',
            'OAUTH2_SCOPE' : 'openid email profile',
            'OAUTH2_ICON' : 'fa-database',
            'OAUTH2_BUTTON_COLOR' : '#00ff00'
--- a/services/prometheus.hcl
+++ b/services/prometheus.hcl
@@ -54,7 +54,7 @@ job "prometheus" {
        tags = [
          "traefik.enable=true",
          "traefik.http.routers.prometheus.entryPoints=websecure",
-          "traefik.http.routers.prometheus.middlewares=authentik@file",
+          "traefik.http.routers.prometheus.middlewares=oidc-auth@file",
        ]

        check {
--- a/services/traefik.hcl
+++ b/services/traefik.hcl
@@ -34,7 +34,7 @@ job "traefik" {
        tags = [
          "traefik.enable=true",
          "traefik.http.routers.api.entryPoints=websecure",
-          "traefik.http.routers.api.middlewares=authentik@file",
+          "traefik.http.routers.api.middlewares=oidc-auth@file",
          "traefik.http.routers.api.rule=Host(`traefik.v.paler.net`)",
          "traefik.http.routers.api.service=api@internal",
        ]
@@ -63,6 +63,7 @@ job "traefik" {
        volumes = [
          "local/traefik.yml:/etc/traefik/traefik.yml",
          "/data/services/traefik:/config",
+          "/data/services/traefik/plugins-storage:/plugins-storage",
        ]
      }

@@ -75,6 +76,12 @@ global:
 #log:
 #  level: debug

+experimental:
+  plugins:
+    traefik-oidc-auth:
+      moduleName: "github.com/sevensolutions/traefik-oidc-auth"
+      version: "v0.16.0"
+
 api:
  dashboard: true

--- a/services/unifi.hcl
+++ b/services/unifi.hcl
@@ -69,7 +69,7 @@ job "unifi" {
        tags = [
          "traefik.enable=true",
          "traefik.http.routers.unifi.entryPoints=websecure",
-          "traefik.http.routers.unifi.middlewares=authentik@file",
+          "traefik.http.routers.unifi.middlewares=oidc-auth@file",
          "traefik.http.services.unifi.loadbalancer.server.scheme=https",
        ]
      }
--- a/services/urbit.hcl
+++ b/services/urbit.hcl
@@ -39,7 +39,7 @@ job "urbit" {
        tags = [
          "traefik.enable=true",
          "traefik.http.routers.urbit.entryPoints=websecure",
-          "traefik.http.routers.urbit.middlewares=authentik@file",
+          "traefik.http.routers.urbit.middlewares=oidc-auth@file",
        ]
      }

--- a/services/webodm.hcl
+++ b/services/webodm.hcl
@@ -73,7 +73,7 @@ EOH
        tags = [
          "traefik.enable=true",
          "traefik.http.routers.webodm.entryPoints=websecure",
-          "traefik.http.routers.webodm.middlewares=authentik@file",
+          "traefik.http.routers.webodm.middlewares=oidc-auth@file",
        ]
      }
    }
@@ -97,7 +97,7 @@ EOH
        tags = [
          "traefik.enable=true",
          "traefik.http.routers.clusterodm.entryPoints=websecure",
-          "traefik.http.routers.clusterodm.middlewares=authentik@file",
+          "traefik.http.routers.clusterodm.middlewares=oidc-auth@file",
        ]
      }

--- a/services/whoami.hcl
+++ b/services/whoami.hcl
@@ -22,7 +22,7 @@ job "whoami" {
          "traefik.enable=true",
          "traefik.http.routers.whoami.rule=Host(`test.alo.land`)",
          "traefik.http.routers.whoami.entryPoints=websecure",
-          "traefik.http.routers.whoami.middlewares=authentik@file",
+          "traefik.http.routers.whoami.middlewares=oidc-auth@file",
        ]
      }
    }
--- a/services/wiki.hcl
+++ b/services/wiki.hcl
@@ -36,7 +36,7 @@ job "wiki" {
            "--listen",
            "host=0.0.0.0",
            "port=${NOMAD_PORT_captainslog}",
-            "authenticated-user-header=X-authentik-username",
+            "authenticated-user-header=X-Oidc-Username",
            "readers=ppetru",
            "writers=ppetru",
            "admin=ppetru",
@@ -64,7 +64,7 @@ job "wiki" {
        tags = [
          "traefik.enable=true",
          "traefik.http.routers.captainslog.entryPoints=websecure",
-          "traefik.http.routers.captainslog.middlewares=authentik@file",
+          "traefik.http.routers.captainslog.middlewares=oidc-auth@file",
        ]
      }

@@ -85,7 +85,7 @@ job "wiki" {
            "--listen",
            "host=0.0.0.0",
            "port=${NOMAD_PORT_alo}",
-            "authenticated-user-header=X-authentik-username",
+            "authenticated-user-header=X-Oidc-Username",
            "readers=ppetru,ines",
            "writers=ppetru,ines",
            "admin=ppetru",
@@ -112,7 +112,7 @@ job "wiki" {
          "traefik.enable=true",
          "traefik.http.routers.alowiki.rule=Host(`wiki.alo.land`)",
          "traefik.http.routers.alowiki.entryPoints=websecure",
-          "traefik.http.routers.alowiki.middlewares=authentik@file",
+          "traefik.http.routers.alowiki.middlewares=oidc-auth@file",
        ]
      }

@@ -133,7 +133,7 @@ job "wiki" {
            "--listen",
            "host=0.0.0.0",
            "port=${NOMAD_PORT_pispace}",
-            "authenticated-user-header=X-authentik-username",
+            "authenticated-user-header=X-Oidc-Username",
            "readers=ppetru,ines",
            "writers=ppetru,ines",
            "admin=ppetru",
@@ -160,7 +160,7 @@ job "wiki" {
          "traefik.enable=true",
          "traefik.http.routers.pispace.rule=Host(`pi.paler.net`)",
          "traefik.http.routers.pispace.entryPoints=websecure",
-          "traefik.http.routers.pispace.middlewares=authentik@file",
+          "traefik.http.routers.pispace.middlewares=oidc-auth@file",
        ]
      }

@@ -181,7 +181,7 @@ job "wiki" {
            "--listen",
            "host=0.0.0.0",
            "port=${NOMAD_PORT_grok}",
-            "authenticated-user-header=X-authentik-username",
+            "authenticated-user-header=X-Oidc-Username",
            "readers=ppetru",
            "writers=ppetru",
            "admin=ppetru",
@@ -207,7 +207,7 @@ job "wiki" {
        tags = [
          "traefik.enable=true",
          "traefik.http.routers.groktw.entryPoints=websecure",
-          "traefik.http.routers.groktw.middlewares=authentik@file",
+          "traefik.http.routers.groktw.middlewares=oidc-auth@file",
        ]
      }