switch to authentik oidc endpoint

2024-12-05 14:04:53 +01:00
parent dde85a43e1
commit 99de812ed5
4 changed files with 24 additions and 16 deletions
--- a/caddy/Caddyfile
+++ b/caddy/Caddyfile
@@ -46,4 +46,8 @@ import protected droppy host:8989
 import protected filebrowser host:8002
 import protected jupyter host:9999

-import sites/*.caddy
+import sites/root.caddy
+import sites/authentik.caddy
+import sites/ha.caddy
+import sites/geo.caddy
+import sites/test.caddy
--- a/caddy/conf/auth.caddy
+++ b/caddy/conf/auth.caddy
@@ -2,15 +2,18 @@
 	order authenticate before respond
 	order authorize before reverse_proxy
 	security {
-		oauth identity provider google {
-			realm google
-			driver google
+		oauth identity provider generic {
+			realm generic
+			driver generic
 			client_id {$OAUTH_CLIENT_ID}
 			client_secret {$OAUTH_CLIENT_SECRET}
 			scopes openid email profile
+
+			base_auth_url https://authentik.rik.veenboer.xyz
+			metadata_url http://host:12345/.well-known
 		}
 		authentication portal myportal {
-			enable identity provider google
+			enable identity provider generic
 			cookie domain veenboer.xyz
 			ui {
 				links {
@@ -19,12 +22,12 @@
 			}

 			transform user {
-				match realm google
+				match realm generic
 				action add role authp/user
 			}

 			transform user {
-				match realm google
+				match realm generic

 				# Give this account admin role in the auth portal
 				match email rik.veenboer@gmail.com
@@ -32,7 +35,7 @@
 			}
 		}
 		authorization policy mypolicy {
-			set auth url https://auth.rik.veenboer.xyz/oauth2/google
+			set auth url https://auth.rik.veenboer.xyz/oauth2/generic
 			allow roles authp/admin authp/user
 			validate bearer header
 			inject headers with claims
--- a/caddy/conf/layer4.caddy
+++ b/caddy/conf/layer4.caddy
@@ -1,9 +1,10 @@
-(layer4) {layer4 {
-	:443 {
-		@openvpn openvpn
-		route @openvpn {
-			proxy host:444 # Proxy OpenVPN traffic to its backend
+(layer4) {
+	layer4 {
+		:443 {
+			@openvpn openvpn
+			route @openvpn {
+				proxy host:444 # Proxy OpenVPN traffic to its backend
+			}
 		}
 	}
 }
-}
--- a/docker-compose.caddy.yml
+++ b/docker-compose.caddy.yml
@@ -9,8 +9,8 @@ services:
        - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY:?}
        - GEO_ACCOUNT_ID=${MAXMIND_ACCOUNT_ID:?}
        - GEO_API_KEY=${MAXMIND_API_KEY:?}
-        - OAUTH_CLIENT_ID=889676430308-ivr6b4fmneivn70ri2ugm1gkbgoh5qdq.apps.googleusercontent.com
-        - OAUTH_CLIENT_SECRET=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
+        - OAUTH_CLIENT_ID=MJJ44TzracJ8J24xVsUvO12KvAbzxiev9G0t9sYl
+        - OAUTH_CLIENT_SECRET=vrUGfNfqzooKujOyvTLDZffOTakEgNeCIlILaBU2aF9QtaDHJWaYVY3MLGlkF2jlFFn4W0a1eSJcZpJMxojO4i7U6b9CqbdTr5Al2LvK3FQnFbViUn2MN0qKibv8VVO1
        image: caddy
        ports:
        - 443:443