Configure Grafana OAuth

container-config/synapse/homeserver.yaml

@@ -1,4 +1,5 @@
 server_name: strypsteen.me
+public_baseurl: https://matrix.strypsteen.com/
 report_stats: false
 log_config: /etc/synapse/log_config.yaml
 signing_key_path: /data/signing.key
@@ -17,4 +18,3 @@ turn_uris: ['turn:turn.strypsteen.com']
 turn_allow_guests: false
 delete_stale_devices_after: 1y
 max_upload_size: 500M
-enable_authenticated_media: true

infra/etc/containers/systemd/grafana.container

@@ -4,6 +4,14 @@ Network=nginx.network
 Volume=grafana.volume:/var/lib/grafana:U,Z
 Environment=GF_ANALYTICS_REPORTING_ENABLED=false
 Environment=GF_AUTH_DISABLE_LOGIN_FORM=true
+Environment=GF_AUTH_GENERIC_OAUTH_ENABLED=true
+Environment=GF_AUTH_GENERIC_OAUTH_CLIENT_ID=grafana
+Environment=GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://auth.strypsteen.com/realms/master/protocol/openid-connect/auth
+Environment=GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://auth.strypsteen.com/realms/master/protocol/openid-connect/token
+Environment=GF_AUTH_GENERIC_OAUTH_SCOPES=email,openid,profile
+Environment=GF_AUTH_GENERIC_OAUTH_SKIP_ORG_ROLE_SYNC=true
+Environment=GF_AUTH_GENERIC_OAUTH_AUTO_LOGIN=true
+Environment=GF_AUTH_GENERIC_OAUTH_USE_PKCE=true
 Environment=GF_DATABASE_WAL=true
 Environment=GF_LOG_LEVEL=warn
 Environment=GF_SERVER_ROOT_URL=https://monitoring.strypsteen.com
@@ -11,6 +19,7 @@ Environment=GF_SMTP_ENABLED=true
 Environment=GF_SMTP_HOST=vps.strypsteen.com:465
 Environment=GF_SMTP_USER=monitoring
 Environment=GF_SMTP_FROM_ADDRESS=monitoring@strypsteen.me
+Secret=GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET,type=env
 Secret=GF_SMTP_PASSWORD,type=env
 AutoUpdate=registry
 [Install]

laptop/var/usrlocal/bin/enter-sandbox

@@ -1,3 +1,4 @@
 #!/bin/sh
 set -e
+systemctl --user start sandboxed-toolbox
 podman exec -it -e TERM=xterm-256color systemd-sandboxed-toolbox machinectl shell mathieu@

vps/etc/hostname

@@ -1 +1 @@
-vps.strypsteen.com
+vps