From 1b05728817f61aa3ae25099b908bdc3104234162 Mon Sep 17 00:00:00 2001
From: Petru Paler
Date: Tue, 4 Nov 2025 12:58:15 +0000
Subject: [PATCH] Switch to Pocket ID.
---
 docs/TODO | 1 +
 services/adminer.hcl | 2 +-
 services/beancount.hcl | 2 +-
 services/evcc.hcl | 2 +-
 services/grafana.hcl | 21 ++++++++++++---------
 services/jupyter.hcl | 2 +-
 services/loki.hcl | 2 +-
 services/media.hcl | 10 +++++-----
 services/netbox.hcl | 8 ++++----
 services/postgres.hcl | 16 ++++++++--------
 services/prometheus.hcl | 2 +-
 services/traefik.hcl | 9 ++++++++-
 services/unifi.hcl | 2 +-
 services/urbit.hcl | 2 +-
 services/webodm.hcl | 4 ++--
 services/whoami.hcl | 2 +-
 services/wiki.hcl | 16 ++++++++--------
 17 files changed, 57 insertions(+), 46 deletions(-)
diff --git a/docs/TODO b/docs/TODO
index 01cddd2..02c74ca 100644
--- a/docs/TODO
+++ b/docs/TODO
@@ -1,5 +1,6 @@
 * remote docker images used, can't come up if internet is down
 * local docker images pulled from gitea, can't come up if gitea isn't up (yet)
+* traefik-oidc-auth plugin downloaded from GitHub at startup (cached in /data/services/traefik/plugins-storage)
 * renovate system of some kind
 * vector (or other log ingestion) everywhere, consider moving it off docker if possible
 * monitor backup-persist success/fail
diff --git a/services/adminer.hcl b/services/adminer.hcl
index c653327..51be546 100644
--- a/services/adminer.hcl
+++ b/services/adminer.hcl
@@ -27,7 +27,7 @@ job "adminer" {
 tags = [
 "traefik.enable=true",
 "traefik.http.routers.adminer.entryPoints=websecure",
- "traefik.http.routers.adminer.middlewares=authentik@file",
+ "traefik.http.routers.adminer.middlewares=oidc-auth@file",
 ]
 }
 }
diff --git a/services/beancount.hcl b/services/beancount.hcl
index 87e6fdd..66ac43e 100644
--- a/services/beancount.hcl
+++ b/services/beancount.hcl
@@ -37,7 +37,7 @@ job "beancount" {
 tags = [
 "traefik.enable=true",
 "traefik.http.routers.finances.entryPoints=websecure",
- "traefik.http.routers.finances.middlewares=authentik@file",
+ "traefik.http.routers.finances.middlewares=oidc-auth@file",
 ]
 }
diff --git a/services/evcc.hcl b/services/evcc.hcl
index 3af811f..000128c 100644
--- a/services/evcc.hcl
+++ b/services/evcc.hcl
@@ -49,7 +49,7 @@ job "evcc" {
 tags = [
 "traefik.enable=true",
 "traefik.http.routers.evcc.entryPoints=websecure",
- "traefik.http.routers.evcc.middlewares=authentik@file",
+ "traefik.http.routers.evcc.middlewares=oidc-auth@file",
 ]
 }
 }
diff --git a/services/grafana.hcl b/services/grafana.hcl
index 81e1944..4513e3b 100644
--- a/services/grafana.hcl
+++ b/services/grafana.hcl
@@ -25,19 +25,22 @@ job "grafana" {
 GF_SERVER_ROOT_URL = "https://grafana.v.paler.net"
 GF_AUTH_BASIC_ENABLED = "false"
 GF_AUTH_GENERIC_OAUTH_ENABLED = "true"
- GF_AUTH_GENERIC_OAUTH_NAME = "authentik"
- GF_AUTH_GENERIC_OAUTH_CLIENT_ID = "E78NG1AZeW6FaAox0mUhaTSrHeqFgNkWG12My2zx"
- GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET = "N7u2RfFZ5KVLdEkhlpUTzymGxeK5rLo9SYZLSGGBXJDr46p5g5uv1qZ4Jm2d1rP4aJX4PSzauZlxHhkG2byiBFMbdo6K742KXcEimZsOBFiNKeWOHxofYerBnPuoECQW"
- GF_AUTH_GENERIC_OAUTH_SCOPES = "openid profile email offline_access"
- GF_AUTH_GENERIC_OAUTH_AUTH_URL = "https://authentik.v.paler.net/application/o/authorize/"
- GF_AUTH_GENERIC_OAUTH_TOKEN_URL = "https://authentik.v.paler.net/application/o/token/"
- GF_AUTH_GENERIC_OAUTH_API_URL = "https://authentik.v.paler.net/application/o/userinfo/"
- GF_AUTH_SIGNOUT_REDIRECT_URL = "https://authentik.v.paler.net/application/o/grafana/end-session/"
+ GF_AUTH_GENERIC_OAUTH_NAME = "Pocket ID"
+ GF_AUTH_GENERIC_OAUTH_CLIENT_ID = "99e44cf2-ecc6-4e82-8882-129c017f8a4a"
+ GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET = "NjJ9Uro4MK7siqLGSmkiQmjFuESulqQN"
+ GF_AUTH_GENERIC_OAUTH_SCOPES = "openid profile email groups"
+ GF_AUTH_GENERIC_OAUTH_AUTH_URL = "https://pocket-id.v.paler.net/authorize"
+ GF_AUTH_GENERIC_OAUTH_TOKEN_URL = "https://pocket-id.v.paler.net/api/oidc/token"
+ GF_AUTH_GENERIC_OAUTH_API_URL = "https://pocket-id.v.paler.net/api/oidc/userinfo"
+ GF_AUTH_SIGNOUT_REDIRECT_URL = "https://pocket-id.v.paler.net/logout"
 # Optionally enable auto-login (bypasses Grafana login screen)
 GF_AUTH_OAUTH_AUTO_LOGIN = "true"
 # Optionally map user groups to Grafana roles
- GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH = "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'"
+ GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH = "contains(groups[*], 'admins') && 'Admin' || contains(groups[*], 'residents') && 'Editor' || 'Viewer'"
 GF_AUTH_GENERIC_OAUTH_USE_REFRESH_TOKEN = "true"
+ GF_AUTH_GENERIC_OAUTH_EMAIL_ATTRIBUTE_PATH = "email"
+ GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH = "preferred_username"
+ GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH = "name"
 #GF_LOG_LEVEL = "debug"
 }
diff --git a/services/jupyter.hcl b/services/jupyter.hcl
index e01940d..1d0f273 100644
--- a/services/jupyter.hcl
+++ b/services/jupyter.hcl
@@ -38,7 +38,7 @@ job "jupyter" {
 tags = [
 "traefik.enable=true",
 "traefik.http.routers.jupyter.entryPoints=websecure",
- "traefik.http.routers.jupyter.middlewares=authentik@file",
+ "traefik.http.routers.jupyter.middlewares=oidc-auth@file",
 ]
 }
 }
diff --git a/services/loki.hcl b/services/loki.hcl
index 58d05ce..b464ae3 100644
--- a/services/loki.hcl
+++ b/services/loki.hcl
@@ -126,7 +126,7 @@ EOH
 tags = [
 "traefik.enable=true",
 "traefik.http.routers.loki.entryPoints=websecure",
- "traefik.http.routers.loki.middlewares=authentik@file",
+ "traefik.http.routers.loki.middlewares=oidc-auth@file",
 "metrics",
 ]
 }
diff --git a/services/media.hcl b/services/media.hcl
index 13d3b28..59c98fd 100644
--- a/services/media.hcl
+++ b/services/media.hcl
@@ -44,7 +44,7 @@ job "media" {
 tags = [
 "traefik.enable=true",
 "traefik.http.routers.radarr.entryPoints=websecure",
- "traefik.http.routers.radarr.middlewares=authentik@file",
+ "traefik.http.routers.radarr.middlewares=oidc-auth@file",
 ]
 }
 }
@@ -78,7 +78,7 @@ job "media" {
 tags = [
 "traefik.enable=true",
 "traefik.http.routers.sonarr.entryPoints=websecure",
- "traefik.http.routers.sonarr.middlewares=authentik@file",
+ "traefik.http.routers.sonarr.middlewares=oidc-auth@file",
 ]
 }
 }
@@ -112,7 +112,7 @@ job "media" {
 tags = [
 "traefik.enable=true",
 "traefik.http.routers.bazarr.entryPoints=websecure",
- "traefik.http.routers.bazarr.middlewares=authentik@file",
+ "traefik.http.routers.bazarr.middlewares=oidc-auth@file",
 ]
 }
 }
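Review bot: The new `GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET` is committed in plaintext in the job's env block, exactly as the Authentik secret it replaces was, and the netbox hunk's `SOCIAL_AUTH_OIDC_SECRET` has the same problem. Nomad can render these from a `template` stanza backed by Nomad variables or Vault instead of a literal in the job file, so the secret never lands in git. Because the old Authentik client credentials remain in history they should be revoked on the Authentik side, and the Pocket ID secrets rotated once they are moved out of the file. The new `GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH` grants Editor to `residents` and Viewer to every other authenticated user, and with `GF_AUTH_OAUTH_AUTO_LOGIN = "true"` that presumably lets any Pocket ID account in as Viewer unless the client is restricted on the IdP side; worth confirming, or pinning with `GF_AUTH_GENERIC_OAUTH_ALLOWED_GROUPS`.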
@@ -148,7 +148,7 @@ job "media" {
 tags = [
 "traefik.enable=true",
 "traefik.http.routers.plex.entryPoints=websecure",
- "traefik.http.routers.plex.middlewares=authentik@file",
+ "traefik.http.routers.plex.middlewares=oidc-auth@file",
 ]
 }
 }
@@ -187,7 +187,7 @@ job "media" {
 tags = [
 "traefik.enable=true",
 "traefik.http.routers.torrent.entryPoints=websecure",
- "traefik.http.routers.torrent.middlewares=authentik@file",
+ "traefik.http.routers.torrent.middlewares=oidc-auth@file",
 ]
 }
 }
diff --git a/services/netbox.hcl b/services/netbox.hcl
index 6843960..146be6d 100644
--- a/services/netbox.hcl
+++ b/services/netbox.hcl
@@ -39,10 +39,10 @@ job "netbox" {
 REMOTE_AUTH_ENABLED = "true"
 REMOTE_AUTH_BACKEND = "social_core.backends.open_id_connect.OpenIdConnectAuth"
- SOCIAL_AUTH_OIDC_ENDPOINT = "https://authentik.v.paler.net/application/o/netbox/"
- SOCIAL_AUTH_OIDC_KEY = "XiPhZmWy2mp8hQyHLXCwk7njRNPSLTp2vSHhvWYI"
- SOCIAL_AUTH_OIDC_SECRET = "Kkop2dStx0gN52V1LfPnoxcaemuur6zMsvRnqpWSDe2qSngJVcqWfvFXaNeTbdURRB6TPwjlaNJ5BXR2ChcSmokWGTGargu84Ox1D6M2zXTsfLFj9B149Mhblos4mJL1"
- LOGOUT_REDIRECT_URL = "https://authentik.v.paler.net/application/o/netbox/end-session/"
+ SOCIAL_AUTH_OIDC_ENDPOINT = "https://pocket-id.v.paler.net/"
+ SOCIAL_AUTH_OIDC_KEY = "6ce1f1bb-d5e8-4ba5-b136-2643dc8bcbcf"
+ SOCIAL_AUTH_OIDC_SECRET = "Af7sJvCn9BuijoJXrB5aWv6fTmEqLCAf"
+ LOGOUT_REDIRECT_URL = "https://pocket-id.v.paler.net/logout"
 }
 resources {
diff --git a/services/postgres.hcl b/services/postgres.hcl
index 621cf1f..0e23a57 100644
--- a/services/postgres.hcl
+++ b/services/postgres.hcl
@@ -91,15 +91,15 @@ job "postgres" {
 PGADMIN_CONFIG_OAUTH2_AUTO_CREATE_USER = "True"
 PGADMIN_CONFIG_OAUTH2_CONFIG = <
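Review bot: `SOCIAL_AUTH_OIDC_ENDPOINT` is set with a trailing slash; as far as I recall, social-core's OpenIdConnectAuth builds its discovery URL by appending `/.well-known/openid-configuration` to this value, so the request goes to a `//.well-known/...` path and relies on the server tolerating the doubled slash. The previous Authentik value had the same shape and evidently worked, but `SOCIAL_AUTH_OIDC_ENDPOINT = "https://pocket-id.v.paler.net"` avoids depending on that, and the discovery document's `issuer` should be checked against it once, since the backend validates ID tokens against the discovered issuer. The env block continues outside the hunk.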