ds9 http auth

2025-02-23 23:01:52 +01:00 · 2025-02-23 23:01:52 +01:00 · 1c3e1d0a91
commit 1c3e1d0a91
parent f6d88dc51f
2 changed files with 48 additions and 4 deletions
--- a/hosts/ds9/containers.nix
+++ b/hosts/ds9/containers.nix
@ -171,9 +171,27 @@ in
  virtualisation.oci-containers.containers.grafana = {
    image = "grafana/grafana-oss:latest";
    extraOptions = [ "--network=podman" "--network=db-net" ];
-    volumes = [
-      "grafana-data:/var/lib/grafana"
-    ];
+    volumes =
+      let
+        ini = pkgs.writeText "grafana.ini" ''
+          [users]
+          allow_sign_up = false
+          auto_assign_org = true
+          auto_assign_org_role = Editor
+        
+          [auth.proxy]
+          enabled = true
+          headers = Name:X-Authentik-Username Email:X-Authentik-Email Groups:X-Authentik-Groups
+          header_name = X-Authentik-Username
+          header_property = username
+          auto_sign_up = true
+        '';
+      in
+      [
+        "grafana-data:/var/lib/grafana"
+        "${ini}:/etc/grafana/grafana.ini"
+
+      ];
    environment = {
      GF_SERVER_ROOT_URL = "https://grafana.hailsatan.eu/";
      GF_INSTALL_PLUGINS = "";
--- a/hosts/ds9/default.nix
+++ b/hosts/ds9/default.nix
@ -161,6 +161,28 @@ in
          }
        }
      }
+      (podmanRedirWithAuth) {
+        route {
+        # always forward outpost path to actual outpost
+          reverse_proxy /outpost.goauthentik.io/* http://authentik-server:9000 {
+            transport http {
+              resolvers 10.88.0.1 # podman dns
+            }
+          }
+          forward_auth http://authentik-server:9000 {
+            transport http {
+              resolvers 10.88.0.1 # podman dns
+            }
+            uri /outpost.goauthentik.io/auth/caddy
+            copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+          }
+          reverse_proxy {args[:]} {
+            transport http {
+              resolvers 10.88.0.1 # podman dns
+            }
+          }
+        }
+      }
    '';
    globalConfig = ''
      acme_dns desec {
@ -180,6 +202,10 @@ in
      handle @auth {
        import podmanRedir http://authentik-server:9000
      }
+      @grafana host grafana.hailsatan.eu
+      handle @grafana {
+        import podmanRedirWithAuth http://grafana:3000 
+      }
      handle {
        abort
      }
@ -199,7 +225,7 @@ in
      }
      @grafana host grafana.hailsatan.eu
      handle @grafana {
-        import podmanRedir http://grafana:3000 
+        import podmanRedirWithAuth http://grafana:3000 
      }
      @node-red host node-red.hailsatan.eu
      handle @node-red {