mirror of
https://github.com/auricom/home-cluster.git
synced 2025-09-17 18:24:14 +02:00
♻️ remove hardcoded authelia secrets
This commit is contained in:
auricom
@@ -23,17 +23,17 @@ access_control:
|
||||
rules:
|
||||
# bypass Authelia WAN + LAN
|
||||
- domain:
|
||||
- auth.${SECRET_CLUSTER_DOMAIN}
|
||||
- auth.${SECRET_PUBLIC_DOMAIN}
|
||||
policy: bypass
|
||||
# One factor auth for LAN
|
||||
- domain:
|
||||
- "*.${SECRET_CLUSTER_DOMAIN}"
|
||||
- "*.${SECRET_PUBLIC_DOMAIN}"
|
||||
policy: one_factor
|
||||
subject: ["group:admins", "group:users"]
|
||||
networks:
|
||||
- private
|
||||
# Deny public resources
|
||||
- domain: ["navidrome.${SECRET_CLUSTER_DOMAIN}"]
|
||||
- domain: ["navidrome.${SECRET_PUBLIC_DOMAIN}"]
|
||||
resources: ["^/metrics.*$"]
|
||||
policy: deny
|
||||
identity_providers:
|
||||
@@ -43,41 +43,49 @@ identity_providers:
|
||||
allowed_origins_from_client_redirect_uris: true
|
||||
clients:
|
||||
- id: gitea
|
||||
secret: "${SECRET_GITEA_OAUTH_CLIENT_SECRET}"
|
||||
secret: "${GITEA_OAUTH_CLIENT_SECRET}"
|
||||
public: false
|
||||
authorization_policy: two_factor
|
||||
scopes: ["openid", "profile", "groups", "email"]
|
||||
redirect_uris:
|
||||
[
|
||||
"https://gitea.${SECRET_CLUSTER_DOMAIN}/user/oauth2/authelia/callback",
|
||||
"https://gitea.${SECRET_PUBLIC_DOMAIN}/user/oauth2/authelia/callback",
|
||||
]
|
||||
userinfo_signing_algorithm: none
|
||||
- id: grafana
|
||||
description: Grafana
|
||||
secret: "${SECRET_GRAFANA_OAUTH_CLIENT_SECRET}"
|
||||
secret: "${GRAFANA_OAUTH_CLIENT_SECRET}"
|
||||
public: false
|
||||
authorization_policy: two_factor
|
||||
pre_configured_consent_duration: 1y
|
||||
scopes: ["openid", "profile", "groups", "email"]
|
||||
redirect_uris:
|
||||
["https://grafana.${SECRET_CLUSTER_DOMAIN}/login/generic_oauth"]
|
||||
["https://grafana.${SECRET_PUBLIC_DOMAIN}/login/generic_oauth"]
|
||||
userinfo_signing_algorithm: none
|
||||
- id: outline
|
||||
description: Outline
|
||||
secret: "${SECRET_OUTLINE_OAUTH_CLIENT_SECRET}"
|
||||
secret: "${OUTLINE_OAUTH_CLIENT_SECRET}"
|
||||
public: false
|
||||
authorization_policy: two_factor
|
||||
pre_configured_consent_duration: 1y
|
||||
scopes: ["openid", "profile", "email", "offline_access"]
|
||||
redirect_uris:
|
||||
["https://docs.${SECRET_CLUSTER_DOMAIN}/auth/oidc.callback"]
|
||||
["https://docs.${SECRET_PUBLIC_DOMAIN}/auth/oidc.callback"]
|
||||
userinfo_signing_algorithm: none
|
||||
- id: immich
|
||||
description: Immich
|
||||
secret: "${SECRET_IMMICH_OAUTH_CLIENT_SECRET}"
|
||||
secret: "${IMMICH_OAUTH_CLIENT_SECRET}"
|
||||
public: false
|
||||
authorization_policy: one_factor
|
||||
pre_configured_consent_duration: 1y
|
||||
scopes: ["openid", "profile", "email"]
|
||||
redirect_uris: ["https://photos.${SECRET_CLUSTER_DOMAIN}/auth/login", "app.immich:/"]
|
||||
redirect_uris: ["https://photos.${SECRET_PUBLIC_DOMAIN}/auth/login", "app.immich:/"]
|
||||
userinfo_signing_algorithm: none
|
||||
- id: jellyfin
|
||||
description: jellyfin
|
||||
public: false
|
||||
secret: "${JELLYFIN_OAUTH_CLIENT_SECRET}"
|
||||
authorization_policy: two_factor
|
||||
pre_configured_consent_duration: 1y
|
||||
scopes: ["openid", "profile", "groups", "email"]
|
||||
redirect_uris: [ "https://jellyfin.${SECRET_PUBLIC_DOMAIN}/sso/OID/redirect/authelia" ]
|
||||
|
||||
@@ -31,6 +31,7 @@ spec:
|
||||
IMMICH_OAUTH_CLIENT_SECRET: "{{ .IMMICH_OAUTH_CLIENT_SECRET }}"
|
||||
WEAVEGITOPS_OAUTH_CLIENT_SECRET: "{{ .WEAVEGITOPS_OAUTH_CLIENT_SECRET }}"
|
||||
GITEA_OAUTH_CLIENT_SECRET: "{{ .GITEA_OAUTH_CLIENT_SECRET }}"
|
||||
SECRET_PUBLIC_DOMAIN: "{{ .SECRET_PUBLIC_DOMAIN }}"
|
||||
# Postgres Init
|
||||
INIT_POSTGRES_DBNAME: *dbName
|
||||
INIT_POSTGRES_HOST: *dbHost
|
||||
|
||||
@@ -13,3 +13,5 @@ configMapGenerator:
|
||||
- ./config/configuration.yaml
|
||||
generatorOptions:
|
||||
disableNameSuffixHash: true
|
||||
annotations:
|
||||
kustomize.toolkit.fluxcd.io/substitute: disabled
|
||||
|
||||
@@ -20,6 +20,7 @@ spec:
|
||||
SECRET_KEY: "{{ .OUTLINE_SECRET_KEY }}"
|
||||
UTILS_SECRET: "{{ .OUTLINE_UTILS_SECRET }}"
|
||||
DATABASE_URL: postgresql://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres.${SECRET_DOMAIN}:5432/outline
|
||||
OIDC_CLIENT_SECRET: "{{ .OUTLINE_OAUTH_CLIENT_SECRET }}"
|
||||
PGSSLMODE: require
|
||||
# Postgres Init
|
||||
INIT_POSTGRES_DBNAME: outline
|
||||
@@ -28,6 +29,8 @@ spec:
|
||||
INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}"
|
||||
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
|
||||
dataFrom:
|
||||
- extract:
|
||||
key: authelia
|
||||
- extract:
|
||||
key: generic
|
||||
- extract:
|
||||
|
||||
@@ -59,7 +59,6 @@ spec:
|
||||
FILE_STORAGE_UPLOAD_MAX_SIZE: "26214400"
|
||||
OIDC_AUTH_URI: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/authorization"
|
||||
OIDC_CLIENT_ID: outline
|
||||
OIDC_CLIENT_SECRET: "${SECRET_OUTLINE_OAUTH_CLIENT_SECRET}"
|
||||
OIDC_DISPLAY_NAME: Authelia
|
||||
OIDC_SCOPES: "openid profile email offline_access"
|
||||
OIDC_TOKEN_URI: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/token"
|
||||
|
||||
@@ -30,6 +30,10 @@ spec:
|
||||
rbac:
|
||||
pspEnabled: false
|
||||
env:
|
||||
GF_AUTH_GENERIC_OAUTH_API_URL: https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/userinfo
|
||||
GF_AUTH_GENERIC_OAUTH_AUTH_URL: https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/authorization
|
||||
GF_AUTH_GENERIC_OAUTH_CLIENT_ID: grafana
|
||||
GF_AUTH_GENERIC_OAUTH_TOKEN_URL: https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/token
|
||||
GF_EXPLORE_ENABLED: true
|
||||
GF_PANELS_DISABLE_SANITIZE_HTML: true
|
||||
GF_LOG_FILTERS: rendering:debug
|
||||
@@ -48,14 +52,9 @@ spec:
|
||||
auth.generic_oauth:
|
||||
enabled: true
|
||||
name: Authelia
|
||||
client_id: grafana
|
||||
icon: signin
|
||||
client_secret: "${SECRET_GRAFANA_OAUTH_CLIENT_SECRET}"
|
||||
scopes: "openid profile email groups"
|
||||
empty_scopes: false
|
||||
auth_url: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/authorization"
|
||||
token_url: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/token"
|
||||
api_url: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/userinfo"
|
||||
login_attribute_path: preferred_username
|
||||
groups_attribute_path: groups
|
||||
name_attribute_path: name
|
||||
|
||||
@@ -10,20 +10,14 @@ stringData:
|
||||
SECRET_DOMAIN: ENC[AES256_GCM,data:UtdBDs6+azVHO7Y=,iv:ZnWrBW+vW6HiMs1PbgY2LjcwUwuUh1HxYjqvOXvCrDk=,tag:r6uDIJhVoTIcizIfRW+lHw==,type:str]
|
||||
SECRET_CLUSTER_DOMAIN: ENC[AES256_GCM,data:Go+HZnPQCW5GKPqRB0MnmQ==,iv:bUGmzu42TVxhF94pGZuEi++A5a72wgGmWbOjmgau6Cg=,tag:eUIyZ/wcsOXYamTgiQYMjA==,type:str]
|
||||
SECRET_CROWDSEC_NGINX_BOUNCER_API_KEY: ENC[AES256_GCM,data:ecukkFOK40WWIxJ48sXrxJUBaHx2BnzqxkIT+cXYZg4=,iv:y6AfslVPufBfrIL3GQqTw0cDAan64mB9J7RY9OzKQqw=,tag:+V4Rgz26wey2UtA32S0PJQ==,type:str]
|
||||
SECRET_GITEA_API_TOKEN: ENC[AES256_GCM,data:lHrRfoAtj/sY7aFiWibf7ejrwn5ANa62d85kyPKxpZhXhdiz5jHcAw==,iv:D4ac1ltRrsHEM1z/bG0gHQZ4TntCK4fEj8BoYxDv7XM=,tag:yXVYJNpbM46ri9kW8MwxwQ==,type:str]
|
||||
SECRET_GITEA_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:VWetZHP8haXPy1r20RMJvECxEWw=,iv:B3+rjPXWSbyCdi4KAy/FeMbtNUv40UIWN462OWfv9Ww=,tag:5wK7nUGu7HmdC90d2jllwQ==,type:str]
|
||||
SECRET_GRAFANA_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:3igfeqGHygjnmJXnoiKV7W8Tm2M=,iv:Hrjh38GuRvzS4Hi69QftBhaAJ02is5B0E5h23XICpUc=,tag:O4JFVSaoTQDhf3QZPLbn1Q==,type:str]
|
||||
SECRET_HEADLAMP_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:zePwrGzHP031q94WsHA7Tbogo68=,iv:HFOngwMcgBcK8e4WikwBNmbTqxvdb6rsTFobA5EsdW8=,tag:OpGUsIk8bvQyGRNtwRBiIg==,type:str]
|
||||
SECRET_INVIDIOUS_DB_USER: ENC[AES256_GCM,data:snjA33syqy4X,iv:OF8LJSTdcIGgwAJPmS0HdCz0adsTuTwZ5zfuvJrA7fs=,tag:E4EnsKWITN4l6qnuxZ3A5g==,type:str]
|
||||
SECRET_INVIDIOUS_HMAC_KEY: ENC[AES256_GCM,data:dNq8v26ZwiAVg8OekIgbfOfuTIP1Lv1mLXJb2ynuTc69FwzsBwToZA==,iv:3ukBQ3cHdaCFGNemvUx4du7EOZ3T/Akz7COOeGGK90A=,tag:Rry0pJoG1LdSnZVT/0+ulQ==,type:str]
|
||||
SECRET_IMMICH_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:+MEpqgBm2kK0qOq0jl/BDKEUYB4=,iv:VDU2Dggxb/qoEoDcjNrk3O5gCprEMAdRvyW/DivTo9w=,tag:Dse5KTLDLduVGT0LSIBjVA==,type:str]
|
||||
SECRET_INVIDIOUS_DB_PASSWORD: ENC[AES256_GCM,data:jmHWk/hXAb9E97CEa4w=,iv:RYnGwoCy+RyVDdKVOXWFWPB/dqF2vPlx7ofRApEAsMg=,tag:nEydKLEw6mHJetEVa+NFzQ==,type:str]
|
||||
SECRET_KOMF_MAL_CLIENT_ID: ENC[AES256_GCM,data:HuKHFrICgCj6nbcbix8u7qGeggFmmKht7Elk9dINZtE=,iv:c3mqFdFkIO9dctZ3ooPh4ajOZaY0ZudEeNWbG+lryPI=,tag:jWG2+pgkAf/XUgJyUvdrNg==,type:str]
|
||||
SECRET_KUBE_PROMETHEUS_STACK_ALERTMANAGER_PUSHOVER_USER_KEY: ENC[AES256_GCM,data:X1J9WLT26soYzlDb8+YtPotGw8p0lJKMuNkn69WX,iv:mW2cJOq5gfzSE+U24IuvPVL+dL2nZcTFpPAkG77Ohus=,tag:kxokidtuE5RAGJlj4Q4P2A==,type:str]
|
||||
SECRET_KUBE_PROMETHEUS_STACK_ALERTMANAGER_PUSHOVER_TOKEN: ENC[AES256_GCM,data:Bwvuy/jHIRduy/r1A8dOs0OE8ewdjCgs8g/br1oW,iv:PdnPH9I509MT6UJkUG1zLAGn9aV4AVrROgAVCD4a3Y0=,tag:59kBGx9qx3jeauokyoolQQ==,type:str]
|
||||
SECRET_KUBE_PROMETHEUS_STACK_GRAFANA_ADMIN_PASSWORD: ENC[AES256_GCM,data:L7LS6+tuwPCyb5HN4zg=,iv:JM2KTtDN/VrKicjp5qwqusWiJKHRZnfTtsZE2hkLq6Q=,tag:XGF3L5P6JxVBrlGuKosdZA==,type:str]
|
||||
SECRET_NITTER_HMAC: ENC[AES256_GCM,data:pOA1LqHV9rcY3xAv5JMuSCMz1rk=,iv:3LkFNu/M3r1K/xBE/f7Kbf526eA4cgyGr4Wu/c+gxD0=,tag:ibJ8U+Pa66B2UmWwP/ZhNQ==,type:str]
|
||||
SECRET_OUTLINE_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:BB/eZQ/oLQ09AxGwKRddbiyiRMA=,iv:dhiyOUP3GyvHXUdPYqQKPQCMmqornj6WVWtfreq9T6A=,tag:WijFyu8XGk3dklYJR4/81A==,type:str]
|
||||
SECRET_SHARRY_DB_USERNAME: ENC[AES256_GCM,data:wWnV6hHz,iv:+uV0X2tovaisFuO5KcF9PpKPyYeS4WtrrPt4Ll+CnsU=,tag:zNWR9AqheMGho0yV923vvw==,type:str]
|
||||
SECRET_SHARRY_DB_PASSWORD: ENC[AES256_GCM,data:HYnqUw3owZ6lQSgAVhY68Pi64pv4iNHePVNgOq3a,iv:3I2C4k3ge3WGmNB7NPE7bxucjuhBs386gPTYSLhu5IA=,tag:AryVw5aecht3NO7gN2vNyQ==,type:str]
|
||||
SECRET_SHARRY_MINIO_S3_ACCESS_KEY: ENC[AES256_GCM,data:vAVoafxfbareIodsClVGDQ==,iv:1zojUukd2WQEE3ZBpGrIHaDwkWfAqmF1esjxCGWz3mQ=,tag:8HvBGXkTBJwhel89qffWgA==,type:str]
|
||||
@@ -44,8 +38,8 @@ sops:
|
||||
WG82VkdBMlNnRzBySFQzMk41cEtXSlEKBqOmq9UpO61C85+pj0ibdT31y4pmFsbm
|
||||
pTi4N0vv81kcf4ilqBU5h1gudNCb42Q2iL0eGNR4e3JzH4iaNsvnEg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-01-14T00:12:27Z"
|
||||
mac: ENC[AES256_GCM,data:HyYwq36qmwZaN/gg1fcA5cS2DHxAOW9D3umq/LOy1jxG2AixinSIRZTyi7j9reskocFNEKrEfZOSFUClbTzDX6RLJNQHwkPifXddPizk66+3KkKEQ7fkLhKmOo0gBI0fl72WR/YcD8YDDe1+/YAdUIect7ywSg7DIp8wcowTijc=,iv:3zTM2TgIejuLfDki9nnedY3jjhLpoimTMYLQJ2ATvBg=,tag:LPtlm8LF8J9PF0N1zoy8jA==,type:str]
|
||||
lastmodified: "2024-01-25T11:50:04Z"
|
||||
mac: ENC[AES256_GCM,data:2RLxoAB6RrUaJZD2PjSY94GFUedNYuUIpxbDb72lGQYnq0FA6/8g0Z1BKyjwJnhevkTMMP1hDTuoj0NxRCwWfkEFc3+diNq13jZmQPnjUUnFQLHnKNQ5W3kdea3oHeu4BIOacFBYEgfXUuKw/q1zqqErkdViW7Z/92D5+L1rlb8=,iv:pvsipNvuev8wBtGWSinDl61TQfrvtIEUeKducva8hao=,tag:QoDb33RDXmHyjP7dURVtMA==,type:str]
|
||||
pgp: []
|
||||
encrypted_regex: ^(data|stringData)$
|
||||
version: 3.8.1
|
||||
|
||||
Reference in New Issue
Block a user