From 1c3e1d0a9119788439d9e24554cdc36a9e42c07f Mon Sep 17 00:00:00 2001
From: Lucy Hochkamp
Date: Sun, 23 Feb 2025 23:01:52 +0100
Subject: [PATCH] ds9 http auth

---
 hosts/ds9/containers.nix | 24 +++++++++++++++++++++---
 hosts/ds9/default.nix | 28 +++++++++++++++++++++++++++-
 2 files changed, 48 insertions(+), 4 deletions(-)

diff --git a/hosts/ds9/containers.nix b/hosts/ds9/containers.nix
index 0f64b9bb..6282a1a4 100644
--- a/hosts/ds9/containers.nix
+++ b/hosts/ds9/containers.nix
@@ -171,9 +171,27 @@ in
 virtualisation.oci-containers.containers.grafana = {
 image = "grafana/grafana-oss:latest";
 extraOptions = [ "--network=podman" "--network=db-net" ];
- volumes = [
- "grafana-data:/var/lib/grafana"
- ];
+ volumes =
+ let
+ ini = pkgs.writeText "grafana.ini" ''
+ [users]
+ allow_sign_up = false
+ auto_assign_org = true
+ auto_assign_org_role = Editor
+
+ [auth.proxy]
+ enabled = true
+ headers = Name:X-Authentik-Username Email:X-Authentik-Email Groups:X-Authentik-Groups
+ header_name = X-Authentik-Username
+ header_property = username
+ auto_sign_up = true
+ '';
+ in
+ [
+ "grafana-data:/var/lib/grafana"
+ "${ini}:/etc/grafana/grafana.ini"
+
+ ];
 environment = {
 GF_SERVER_ROOT_URL = "https://grafana.hailsatan.eu/";
 GF_INSTALL_PLUGINS = "";
diff --git a/hosts/ds9/default.nix b/hosts/ds9/default.nix
index 29e346e5..ea70ff80 100644
--- a/hosts/ds9/default.nix
+++ b/hosts/ds9/default.nix
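Review bot: The new `[auth.proxy]` section trusts whatever `X-Authentik-Username` value arrives at Grafana's port 3000, and with `auto_sign_up = true` a request sent straight to the container from anything else on the `podman` or `db-net` network (bypassing the Caddy `forward_auth`) would create and log in an arbitrary user as Editor; Grafana's `whitelist` option in the same section restricts auth-proxy to the reverse proxy's source address, e.g. `whitelist = <CADDY_SOURCE_IP>` — presumably the podman gateway `10.88.0.1` that `default.nix` uses as resolver, confirm. The `headers` mapping binds `Name:X-Authentik-Username` although the Caddy snippet forwards a distinct `X-Authentik-Name` header, so `Name:X-Authentik-Name` is probably what was intended. `auto_assign_org_role = Editor` grants write access to every authentik account that can pass the proxy, which is worth a comment if that is deliberate. The stray blank added line before `];` can be dropped; the grafana container definition continues past the hunk.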
@@ -161,6 +161,28 @@ in
 }
 }
 }
+ (podmanRedirWithAuth) {
+ route {
+ # always forward outpost path to actual outpost
+ reverse_proxy /outpost.goauthentik.io/* http://authentik-server:9000 {
+ transport http {
+ resolvers 10.88.0.1 # podman dns
+ }
+ }
+ forward_auth http://authentik-server:9000 {
+ transport http {
+ resolvers 10.88.0.1 # podman dns
+ }
+ uri /outpost.goauthentik.io/auth/caddy
+ copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+ }
+ reverse_proxy {args[:]} {
+ transport http {
+ resolvers 10.88.0.1 # podman dns
+ }
+ }
+ }
+ }
 '';
 globalConfig = ''
 acme_dns desec {
@@ -180,6 +202,10 @@ in
 handle @auth {
 import podmanRedir http://authentik-server:9000
 }
+ @grafana host grafana.hailsatan.eu
+ handle @grafana {
+ import podmanRedirWithAuth http://grafana:3000
+ }
 handle {
 abort
 }
@@ -199,7 +225,7 @@ in
 }
 @grafana host grafana.hailsatan.eu
 handle @grafana {
- import podmanRedir http://grafana:3000
+ import podmanRedirWithAuth http://grafana:3000
 }
 @node-red host node-red.hailsatan.eu
 handle @node-red {
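Review bot: The safety of `podmanRedirWithAuth` rests on `copy_headers` replacing every listed `X-Authentik-*` request header with the value from the outpost's auth response, so a header a backend trusts is only unforgeable while it stays in that list; nothing in the snippet records that invariant, so a comment such as `# copy_headers overwrites these request headers from the auth response; every header a backend trusts (e.g. X-Authentik-Username for grafana) must stay listed here` belongs above the `forward_auth` block. The `/outpost.goauthentik.io/*` route intentionally skips `forward_auth`, which the existing comment covers. Style: the `transport http { resolvers 10.88.0.1 }` stanza is repeated three times; if `podmanRedir` (used as `import podmanRedir <upstream>` in the next hunk) is the reverse_proxy-plus-resolver snippet it appears to be, the final block could be `import podmanRedir {args[:]}`. The `'';` closes the extraConfig string the snippet lives in, whose start is outside the hunk.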
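Review bot: `@grafana host grafana.hailsatan.eu` is declared here while the third hunk (old line 199) edits another `@grafana` matcher for the same host; if both sit in the same site block Caddy rejects the duplicate named matcher, and if they belong to separate listeners a comment like `# grafana is also served on this listener; both handles must stay on podmanRedirWithAuth` would keep the two copies from drifting apart (the third hunk makes exactly that switch). The enclosing site block starts and ends outside the hunk.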