monitoring/grafana: OIDC-SSO via Authelia (Stufe-1-Proof)

- generic_oauth gegen Authelia (client_id grafana, PKCE, client_secret via __FILE aus /mnt/user/appdata/secrets/grafana_oidc_client_secret)
- Traefik-Middleware authelia@file entfernt -> OIDC ist jetzt die Auth; lokaler Grafana-Admin bleibt Fallback
- Authelia-Client wurde host-seitig angelegt (Secret nur als Host-Datei + Hash in Authelia-Config)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-06 13:11:00 +02:00
parent 6e65f81503
commit 30f076c85a
+19 -1
@@ -129,6 +129,20 @@ services:
GF_USERS_ALLOW_SIGN_UP: "false" GF_USERS_ALLOW_SIGN_UP: "false"
GF_AUTH_ANONYMOUS_ENABLED: "false" GF_AUTH_ANONYMOUS_ENABLED: "false"
GF_PLUGINS_PREINSTALL_DISABLED: "true" GF_PLUGINS_PREINSTALL_DISABLED: "true"
# --- Authelia OIDC SSO (2026-06-06) ---
GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
GF_AUTH_GENERIC_OAUTH_NAME: Authelia
GF_AUTH_GENERIC_OAUTH_CLIENT_ID: grafana
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET__FILE: /run/secrets/grafana_oidc_client_secret
GF_AUTH_GENERIC_OAUTH_SCOPES: "openid profile email groups"
GF_AUTH_GENERIC_OAUTH_AUTH_URL: https://auth.kaleschke.info/api/oidc/authorization
GF_AUTH_GENERIC_OAUTH_TOKEN_URL: https://auth.kaleschke.info/api/oidc/token
GF_AUTH_GENERIC_OAUTH_API_URL: https://auth.kaleschke.info/api/oidc/userinfo
GF_AUTH_GENERIC_OAUTH_USE_PKCE: "true"
GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP: "true"
# Proof: alle OIDC-Logins als Admin; spaeter ueber groups verfeinern
GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "'Admin'"
GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_STRICT: "false"
entrypoint: entrypoint:
- /bin/sh - /bin/sh
- -c - -c
@@ -145,6 +159,7 @@ services:
secrets: secrets:
- monitoring_grafana_admin_password - monitoring_grafana_admin_password
- monitoring_grafana_influxdb_token - monitoring_grafana_influxdb_token
- grafana_oidc_client_secret
expose: expose:
- "3000" - "3000"
security_opt: security_opt:
@@ -160,7 +175,8 @@ services:
- traefik.http.routers.monitoring-grafana.entrypoints=websecure - traefik.http.routers.monitoring-grafana.entrypoints=websecure
- traefik.http.routers.monitoring-grafana.tls=true - traefik.http.routers.monitoring-grafana.tls=true
- traefik.http.routers.monitoring-grafana.tls.certresolver=le - traefik.http.routers.monitoring-grafana.tls.certresolver=le
- traefik.http.routers.monitoring-grafana.middlewares=authelia@file,secure-headers@file # ForwardAuth bewusst entfernt 2026-06-06: Grafana macht jetzt eigenes OIDC-SSO gegen Authelia
- traefik.http.routers.monitoring-grafana.middlewares=secure-headers@file
- traefik.http.services.monitoring-grafana.loadbalancer.server.port=3000 - traefik.http.services.monitoring-grafana.loadbalancer.server.port=3000
grafana-dashboard-importer: grafana-dashboard-importer:
@@ -364,5 +380,7 @@ secrets:
file: /mnt/user/appdata/secrets/monitoring_grafana_admin_password.txt file: /mnt/user/appdata/secrets/monitoring_grafana_admin_password.txt
monitoring_grafana_influxdb_token: monitoring_grafana_influxdb_token:
file: /mnt/user/appdata/secrets/monitoring_grafana_influxdb_token.txt file: /mnt/user/appdata/secrets/monitoring_grafana_influxdb_token.txt
grafana_oidc_client_secret:
file: /mnt/user/appdata/secrets/grafana_oidc_client_secret
influxdb3_admin_token: influxdb3_admin_token:
file: /mnt/user/appdata/secrets/influxdb3_admin_token.json file: /mnt/user/appdata/secrets/influxdb3_admin_token.json
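Review bot: `GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "'Admin'"` together with `GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP: "true"` in the first hunk means every account that can complete the Authelia flow is auto-provisioned as a Grafana Admin, and because the third hunk drops the `authelia@file` ForwardAuth middleware, nothing left in this file narrows who that is — the only remaining gate is the Authelia client's own authorization policy, which is not visible here. The `groups` scope is already requested, so the role can be derived from the claim now instead of "later": `GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(groups[*], '<admin-group>') && 'Admin' || 'Viewer'"` with `GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_STRICT: "true"`, so a missing or malformed claim rejects the login rather than silently falling back to a default role (`<admin-group>` is a placeholder for the Authelia group you pick). If only members of specific groups should be able to sign in at all, `GF_AUTH_GENERIC_OAUTH_ALLOWED_GROUPS` limits sign-in to those groups. Neither change affects the local Grafana admin fallback mentioned in the description.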