diff --git a/kubernetes/apps/default/authelia/app/config/configuration.yaml b/kubernetes/apps/default/authelia/app/config/configuration.yaml
index 5e3877aee..51d81caac 100644
--- a/kubernetes/apps/default/authelia/app/config/configuration.yaml
+++ b/kubernetes/apps/default/authelia/app/config/configuration.yaml
@@ -23,17 +23,17 @@ access_control:
 rules:
 # bypass Authelia WAN + LAN
 - domain:
- - auth.${SECRET_CLUSTER_DOMAIN}
+ - auth.${SECRET_PUBLIC_DOMAIN}
 policy: bypass
 # One factor auth for LAN
 - domain:
- - "*.${SECRET_CLUSTER_DOMAIN}"
+ - "*.${SECRET_PUBLIC_DOMAIN}"
 policy: one_factor
 subject: ["group:admins", "group:users"]
 networks:
 - private
 # Deny public resources
- - domain: ["navidrome.${SECRET_CLUSTER_DOMAIN}"]
+ - domain: ["navidrome.${SECRET_PUBLIC_DOMAIN}"]
 resources: ["^/metrics.*$"]
 policy: deny
 identity_providers:
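Review bot: Once `kustomize.toolkit.fluxcd.io/substitute: disabled` lands on this ConfigMap (kustomization.yaml hunk), Flux will no longer expand `${SECRET_PUBLIC_DOMAIN}` in these rules, nor the `${SECRET_PUBLIC_DOMAIN}` and `${*_OAUTH_CLIENT_SECRET}` values in the identity_providers hunk; they only resolve if Authelia's `expand-env` configuration filter (`X_AUTHELIA_CONFIG_FILTERS`) is enabled and the pod receives those keys as environment variables from the Authelia ExternalSecret. Neither the filter setting nor that env wiring is part of this diff, so it is worth confirming before merge — an unexpanded `${...}` would leave rules whose domain never matches a real host, so requests fall through to `default_policy` (not shown). I would record the dependency above `rules:`, e.g. `# ${VAR} values below are expanded at runtime by Authelia's expand-env filter; Flux substitution is disabled on this ConfigMap`. The enclosing `access_control:` mapping starts before the hunk.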
@@ -43,41 +43,49 @@ identity_providers:
 allowed_origins_from_client_redirect_uris: true
 clients:
 - id: gitea
- secret: "${SECRET_GITEA_OAUTH_CLIENT_SECRET}"
+ secret: "${GITEA_OAUTH_CLIENT_SECRET}"
 public: false
 authorization_policy: two_factor
 scopes: ["openid", "profile", "groups", "email"]
 redirect_uris: [
- "https://gitea.${SECRET_CLUSTER_DOMAIN}/user/oauth2/authelia/callback",
+ "https://gitea.${SECRET_PUBLIC_DOMAIN}/user/oauth2/authelia/callback",
 ]
 userinfo_signing_algorithm: none
 - id: grafana
 description: Grafana
- secret: "${SECRET_GRAFANA_OAUTH_CLIENT_SECRET}"
+ secret: "${GRAFANA_OAUTH_CLIENT_SECRET}"
 public: false
 authorization_policy: two_factor
 pre_configured_consent_duration: 1y
 scopes: ["openid", "profile", "groups", "email"]
 redirect_uris:
- ["https://grafana.${SECRET_CLUSTER_DOMAIN}/login/generic_oauth"]
+ ["https://grafana.${SECRET_PUBLIC_DOMAIN}/login/generic_oauth"]
 userinfo_signing_algorithm: none
 - id: outline
 description: Outline
- secret: "${SECRET_OUTLINE_OAUTH_CLIENT_SECRET}"
+ secret: "${OUTLINE_OAUTH_CLIENT_SECRET}"
 public: false
 authorization_policy: two_factor
 pre_configured_consent_duration: 1y
 scopes: ["openid", "profile", "email", "offline_access"]
 redirect_uris:
- ["https://docs.${SECRET_CLUSTER_DOMAIN}/auth/oidc.callback"]
+ ["https://docs.${SECRET_PUBLIC_DOMAIN}/auth/oidc.callback"]
 userinfo_signing_algorithm: none
 - id: immich
 description: Immich
- secret: "${SECRET_IMMICH_OAUTH_CLIENT_SECRET}"
+ secret: "${IMMICH_OAUTH_CLIENT_SECRET}"
 public: false
 authorization_policy: one_factor
 pre_configured_consent_duration: 1y
 scopes: ["openid", "profile", "email"]
- redirect_uris: ["https://photos.${SECRET_CLUSTER_DOMAIN}/auth/login", "app.immich:/"]
+ redirect_uris: ["https://photos.${SECRET_PUBLIC_DOMAIN}/auth/login", "app.immich:/"]
 userinfo_signing_algorithm: none
+ - id: jellyfin
+ description: jellyfin
+ public: false
+ secret: "${JELLYFIN_OAUTH_CLIENT_SECRET}"
+ authorization_policy: two_factor
+ pre_configured_consent_duration: 1y
+ scopes: ["openid", "profile", "groups", "email"]
+ redirect_uris: [ "https://jellyfin.${SECRET_PUBLIC_DOMAIN}/sso/OID/redirect/authelia" ]
diff --git a/kubernetes/apps/default/authelia/app/externalsecret.yaml b/kubernetes/apps/default/authelia/app/externalsecret.yaml
index e7f116c30..8267fc14d 100644
--- a/kubernetes/apps/default/authelia/app/externalsecret.yaml
+++ b/kubernetes/apps/default/authelia/app/externalsecret.yaml
@@ -31,6 +31,7 @@ spec:
 IMMICH_OAUTH_CLIENT_SECRET: "{{ .IMMICH_OAUTH_CLIENT_SECRET }}"
 WEAVEGITOPS_OAUTH_CLIENT_SECRET: "{{ .WEAVEGITOPS_OAUTH_CLIENT_SECRET }}"
 GITEA_OAUTH_CLIENT_SECRET: "{{ .GITEA_OAUTH_CLIENT_SECRET }}"
+ SECRET_PUBLIC_DOMAIN: "{{ .SECRET_PUBLIC_DOMAIN }}"
 # Postgres Init
 INIT_POSTGRES_DBNAME: *dbName
 INIT_POSTGRES_HOST: *dbHost
diff --git a/kubernetes/apps/default/authelia/app/kustomization.yaml b/kubernetes/apps/default/authelia/app/kustomization.yaml
index 6da9fe140..b3598ff77 100644
--- a/kubernetes/apps/default/authelia/app/kustomization.yaml
+++ b/kubernetes/apps/default/authelia/app/kustomization.yaml
@@ -13,3 +13,5 @@ configMapGenerator:
 - ./config/configuration.yaml
 generatorOptions:
 disableNameSuffixHash: true
+ annotations:
+ kustomize.toolkit.fluxcd.io/substitute: disabled
diff --git a/kubernetes/apps/default/outline/app/externalsecret.yaml b/kubernetes/apps/default/outline/app/externalsecret.yaml
index 1125e153e..0ffdb0711 100644
--- a/kubernetes/apps/default/outline/app/externalsecret.yaml
+++ b/kubernetes/apps/default/outline/app/externalsecret.yaml
@@ -20,6 +20,7 @@ spec:
 SECRET_KEY: "{{ .OUTLINE_SECRET_KEY }}"
 UTILS_SECRET: "{{ .OUTLINE_UTILS_SECRET }}"
 DATABASE_URL: postgresql://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres.${SECRET_DOMAIN}:5432/outline
+ OIDC_CLIENT_SECRET: "{{ .OUTLINE_OAUTH_CLIENT_SECRET }}"
 PGSSLMODE: require
 # Postgres Init
 INIT_POSTGRES_DBNAME: outline
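Review bot: The new `jellyfin` client is written differently from its siblings in this hunk: `description: jellyfin` is lower-case where the others are capitalised, `public: false` precedes `secret:` instead of following it, the flow sequence carries inner padding (`[ "…" ]` against `["…"]` elsewhere), and `userinfo_signing_algorithm: none` is omitted although every other client sets it explicitly — if the intent is to rely on Authelia's default, a short comment saying so keeps the entries readable as one set. Separately, the `secret` values now arrive via `${GITEA_OAUTH_CLIENT_SECRET}` and friends from the ExternalSecret; Authelia's guidance is to store the client secret as a password digest (a `$pbkdf2-sha512$…` style value) rather than plaintext, and whether the secret store holds digests is not visible in this diff, so it is worth confirming. The enclosing `identity_providers:` mapping starts before the hunk.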
@@ -28,6 +29,8 @@ spec:
 INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}"
 INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
 dataFrom:
+ - extract:
+ key: authelia
 - extract:
 key: generic
 - extract:
diff --git a/kubernetes/apps/default/outline/app/helmrelease.yaml b/kubernetes/apps/default/outline/app/helmrelease.yaml
index e607c9737..f6fed83d7 100644
--- a/kubernetes/apps/default/outline/app/helmrelease.yaml
+++ b/kubernetes/apps/default/outline/app/helmrelease.yaml
@@ -59,7 +59,6 @@ spec:
 FILE_STORAGE_UPLOAD_MAX_SIZE: "26214400"
 OIDC_AUTH_URI: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/authorization"
 OIDC_CLIENT_ID: outline
- OIDC_CLIENT_SECRET: "${SECRET_OUTLINE_OAUTH_CLIENT_SECRET}"
 OIDC_DISPLAY_NAME: Authelia
 OIDC_SCOPES: "openid profile email offline_access"
 OIDC_TOKEN_URI: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/token"
diff --git a/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml b/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml
index 7264d7e7a..3dfde65af 100644
--- a/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml
+++ b/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml
@@ -30,6 +30,10 @@ spec:
 rbac:
 pspEnabled: false
 env:
+ GF_AUTH_GENERIC_OAUTH_API_URL: https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/userinfo
+ GF_AUTH_GENERIC_OAUTH_AUTH_URL: https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/authorization
+ GF_AUTH_GENERIC_OAUTH_CLIENT_ID: grafana
+ GF_AUTH_GENERIC_OAUTH_TOKEN_URL: https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/token
 GF_EXPLORE_ENABLED: true
 GF_PANELS_DISABLE_SANITIZE_HTML: true
 GF_LOG_FILTERS: rendering:debug
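Review bot: `- extract: key: authelia` pulls every key of the shared `authelia` store entry into Outline's ExternalSecret, and the Authelia ExternalSecret hunk shows that entry carries the OIDC client secrets of other applications (IMMICH, WEAVEGITOPS, GITEA, …) while Outline only needs `OUTLINE_OAUTH_CLIENT_SECRET` for the `OIDC_CLIENT_SECRET` template line added in the previous hunk. With a `target.template` present, ESO's default `mergePolicy: Replace` should keep the unused keys out of the rendered Secret (worth confirming against the part of `spec` outside the hunk), but a narrower `data` entry with `remoteRef.property` makes the least-privilege intent explicit instead of relying on that behaviour. As far as I recall ESO also lets later `dataFrom` entries win on key conflicts, so placing `authelia` first means a same-named key in `generic` would silently shadow it. The `dataFrom` list and the enclosing `spec:` continue outside the hunk.

```yaml
  data:
    - secretKey: OUTLINE_OAUTH_CLIENT_SECRET
      remoteRef:
        key: authelia
        property: OUTLINE_OAUTH_CLIENT_SECRET
  dataFrom:
    # … unchanged: generic and remaining extracts …
```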
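Review bot: `OIDC_AUTH_URI` and `OIDC_TOKEN_URI` (context lines in the outline helmrelease hunk) still point Outline at `auth.${SECRET_CLUSTER_DOMAIN}`, while the Authelia client this commit updates now registers `https://docs.${SECRET_PUBLIC_DOMAIN}/auth/oidc.callback`, and the Grafana env hunk has the same split in its `GF_AUTH_GENERIC_OAUTH_*_URL` values. If the two variables ever resolve to different hosts, the issuer the relying parties contact and the domain Authelia's access-control rules and redirect URIs are keyed on stop lining up, so either both sides should use one variable or a comment should record that they are intentionally the same value, e.g. `# SECRET_CLUSTER_DOMAIN is expected to equal SECRET_PUBLIC_DOMAIN used in Authelia's client config`. Dropping `OIDC_CLIENT_SECRET` from `env` also presumes the Outline pod consumes the ExternalSecret-rendered Secret (an `envFrom` or similar), which is outside this hunk. The enclosing `env:` mapping starts before the hunk.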
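Review bot: The four new `GF_AUTH_GENERIC_OAUTH_*` values in the Grafana env hunk are plain scalars, whereas the grafana.ini entries they replace in the next hunk were quoted; quoting templated values, e.g. `GF_AUTH_GENERIC_OAUTH_AUTH_URL: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/authorization"`, keeps an empty or special-character substitution from changing the scalar's type. The `client_secret` removed from grafana.ini has no `GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET` counterpart among these additions, so it must come from a Secret reference outside this diff — worth confirming, since the rest of the provider configuration is now complete without it. The enclosing `env:` mapping continues outside the hunk.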
@@ -48,14 +52,9 @@ spec:
 auth.generic_oauth:
 enabled: true
 name: Authelia
- client_id: grafana
 icon: signin
- client_secret: "${SECRET_GRAFANA_OAUTH_CLIENT_SECRET}"
 scopes: "openid profile email groups"
 empty_scopes: false
- auth_url: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/authorization"
- token_url: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/token"
- api_url: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/userinfo"
 login_attribute_path: preferred_username
 groups_attribute_path: groups
 name_attribute_path: name
diff --git a/kubernetes/flux/vars/cluster-secrets.sops.yaml b/kubernetes/flux/vars/cluster-secrets.sops.yaml
index a6f898296..9b13b4130 100644
--- a/kubernetes/flux/vars/cluster-secrets.sops.yaml
+++ b/kubernetes/flux/vars/cluster-secrets.sops.yaml
@@ -10,20 +10,14 @@ stringData:
 SECRET_DOMAIN: ENC[AES256_GCM,data:UtdBDs6+azVHO7Y=,iv:ZnWrBW+vW6HiMs1PbgY2LjcwUwuUh1HxYjqvOXvCrDk=,tag:r6uDIJhVoTIcizIfRW+lHw==,type:str]
 SECRET_CLUSTER_DOMAIN: ENC[AES256_GCM,data:Go+HZnPQCW5GKPqRB0MnmQ==,iv:bUGmzu42TVxhF94pGZuEi++A5a72wgGmWbOjmgau6Cg=,tag:eUIyZ/wcsOXYamTgiQYMjA==,type:str]
 SECRET_CROWDSEC_NGINX_BOUNCER_API_KEY: ENC[AES256_GCM,data:ecukkFOK40WWIxJ48sXrxJUBaHx2BnzqxkIT+cXYZg4=,iv:y6AfslVPufBfrIL3GQqTw0cDAan64mB9J7RY9OzKQqw=,tag:+V4Rgz26wey2UtA32S0PJQ==,type:str]
- SECRET_GITEA_API_TOKEN: ENC[AES256_GCM,data:lHrRfoAtj/sY7aFiWibf7ejrwn5ANa62d85kyPKxpZhXhdiz5jHcAw==,iv:D4ac1ltRrsHEM1z/bG0gHQZ4TntCK4fEj8BoYxDv7XM=,tag:yXVYJNpbM46ri9kW8MwxwQ==,type:str]
- SECRET_GITEA_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:VWetZHP8haXPy1r20RMJvECxEWw=,iv:B3+rjPXWSbyCdi4KAy/FeMbtNUv40UIWN462OWfv9Ww=,tag:5wK7nUGu7HmdC90d2jllwQ==,type:str]
- SECRET_GRAFANA_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:3igfeqGHygjnmJXnoiKV7W8Tm2M=,iv:Hrjh38GuRvzS4Hi69QftBhaAJ02is5B0E5h23XICpUc=,tag:O4JFVSaoTQDhf3QZPLbn1Q==,type:str]
- SECRET_HEADLAMP_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:zePwrGzHP031q94WsHA7Tbogo68=,iv:HFOngwMcgBcK8e4WikwBNmbTqxvdb6rsTFobA5EsdW8=,tag:OpGUsIk8bvQyGRNtwRBiIg==,type:str]
 SECRET_INVIDIOUS_DB_USER: ENC[AES256_GCM,data:snjA33syqy4X,iv:OF8LJSTdcIGgwAJPmS0HdCz0adsTuTwZ5zfuvJrA7fs=,tag:E4EnsKWITN4l6qnuxZ3A5g==,type:str]
 SECRET_INVIDIOUS_HMAC_KEY: ENC[AES256_GCM,data:dNq8v26ZwiAVg8OekIgbfOfuTIP1Lv1mLXJb2ynuTc69FwzsBwToZA==,iv:3ukBQ3cHdaCFGNemvUx4du7EOZ3T/Akz7COOeGGK90A=,tag:Rry0pJoG1LdSnZVT/0+ulQ==,type:str]
- SECRET_IMMICH_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:+MEpqgBm2kK0qOq0jl/BDKEUYB4=,iv:VDU2Dggxb/qoEoDcjNrk3O5gCprEMAdRvyW/DivTo9w=,tag:Dse5KTLDLduVGT0LSIBjVA==,type:str]
 SECRET_INVIDIOUS_DB_PASSWORD: ENC[AES256_GCM,data:jmHWk/hXAb9E97CEa4w=,iv:RYnGwoCy+RyVDdKVOXWFWPB/dqF2vPlx7ofRApEAsMg=,tag:nEydKLEw6mHJetEVa+NFzQ==,type:str]
 SECRET_KOMF_MAL_CLIENT_ID: ENC[AES256_GCM,data:HuKHFrICgCj6nbcbix8u7qGeggFmmKht7Elk9dINZtE=,iv:c3mqFdFkIO9dctZ3ooPh4ajOZaY0ZudEeNWbG+lryPI=,tag:jWG2+pgkAf/XUgJyUvdrNg==,type:str]
 SECRET_KUBE_PROMETHEUS_STACK_ALERTMANAGER_PUSHOVER_USER_KEY: ENC[AES256_GCM,data:X1J9WLT26soYzlDb8+YtPotGw8p0lJKMuNkn69WX,iv:mW2cJOq5gfzSE+U24IuvPVL+dL2nZcTFpPAkG77Ohus=,tag:kxokidtuE5RAGJlj4Q4P2A==,type:str]
 SECRET_KUBE_PROMETHEUS_STACK_ALERTMANAGER_PUSHOVER_TOKEN: ENC[AES256_GCM,data:Bwvuy/jHIRduy/r1A8dOs0OE8ewdjCgs8g/br1oW,iv:PdnPH9I509MT6UJkUG1zLAGn9aV4AVrROgAVCD4a3Y0=,tag:59kBGx9qx3jeauokyoolQQ==,type:str]
 SECRET_KUBE_PROMETHEUS_STACK_GRAFANA_ADMIN_PASSWORD: ENC[AES256_GCM,data:L7LS6+tuwPCyb5HN4zg=,iv:JM2KTtDN/VrKicjp5qwqusWiJKHRZnfTtsZE2hkLq6Q=,tag:XGF3L5P6JxVBrlGuKosdZA==,type:str]
 SECRET_NITTER_HMAC: ENC[AES256_GCM,data:pOA1LqHV9rcY3xAv5JMuSCMz1rk=,iv:3LkFNu/M3r1K/xBE/f7Kbf526eA4cgyGr4Wu/c+gxD0=,tag:ibJ8U+Pa66B2UmWwP/ZhNQ==,type:str]
- SECRET_OUTLINE_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:BB/eZQ/oLQ09AxGwKRddbiyiRMA=,iv:dhiyOUP3GyvHXUdPYqQKPQCMmqornj6WVWtfreq9T6A=,tag:WijFyu8XGk3dklYJR4/81A==,type:str]
 SECRET_SHARRY_DB_USERNAME: ENC[AES256_GCM,data:wWnV6hHz,iv:+uV0X2tovaisFuO5KcF9PpKPyYeS4WtrrPt4Ll+CnsU=,tag:zNWR9AqheMGho0yV923vvw==,type:str]
 SECRET_SHARRY_DB_PASSWORD: ENC[AES256_GCM,data:HYnqUw3owZ6lQSgAVhY68Pi64pv4iNHePVNgOq3a,iv:3I2C4k3ge3WGmNB7NPE7bxucjuhBs386gPTYSLhu5IA=,tag:AryVw5aecht3NO7gN2vNyQ==,type:str]
 SECRET_SHARRY_MINIO_S3_ACCESS_KEY: ENC[AES256_GCM,data:vAVoafxfbareIodsClVGDQ==,iv:1zojUukd2WQEE3ZBpGrIHaDwkWfAqmF1esjxCGWz3mQ=,tag:8HvBGXkTBJwhel89qffWgA==,type:str]
@@ -44,8 +38,8 @@ sops:
 WG82VkdBMlNnRzBySFQzMk41cEtXSlEKBqOmq9UpO61C85+pj0ibdT31y4pmFsbm
 pTi4N0vv81kcf4ilqBU5h1gudNCb42Q2iL0eGNR4e3JzH4iaNsvnEg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-01-14T00:12:27Z"
- mac: ENC[AES256_GCM,data:HyYwq36qmwZaN/gg1fcA5cS2DHxAOW9D3umq/LOy1jxG2AixinSIRZTyi7j9reskocFNEKrEfZOSFUClbTzDX6RLJNQHwkPifXddPizk66+3KkKEQ7fkLhKmOo0gBI0fl72WR/YcD8YDDe1+/YAdUIect7ywSg7DIp8wcowTijc=,iv:3zTM2TgIejuLfDki9nnedY3jjhLpoimTMYLQJ2ATvBg=,tag:LPtlm8LF8J9PF0N1zoy8jA==,type:str]
+ lastmodified: "2024-01-25T11:50:04Z"
+ mac: ENC[AES256_GCM,data:2RLxoAB6RrUaJZD2PjSY94GFUedNYuUIpxbDb72lGQYnq0FA6/8g0Z1BKyjwJnhevkTMMP1hDTuoj0NxRCwWfkEFc3+diNq13jZmQPnjUUnFQLHnKNQ5W3kdea3oHeu4BIOacFBYEgfXUuKw/q1zqqErkdViW7Z/92D5+L1rlb8=,iv:pvsipNvuev8wBtGWSinDl61TQfrvtIEUeKducva8hao=,tag:QoDb33RDXmHyjP7dURVtMA==,type:str]
 pgp: []
 encrypted_regex: ^(data|stringData)$
 version: 3.8.1