blumeops/argocd/manifests/dex/external-secret.yaml

---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: dex-config
  namespace: dex
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-blumeops
  target:
    name: dex-config
    creationPolicy: Owner
    template:
      data:
        config.yaml: |
          issuer: https://dex.ops.eblu.me
          storage:
            type: sqlite3
            config:
              file: /var/dex/dex.db
          web:
            http: 0.0.0.0:5556
          oauth2:
            skipApprovalScreen: true
          connectors:
            - type: gitea
              id: forgejo
              name: Forgejo
              config:
                baseURL: https://forge.ops.eblu.me
                clientID: "{{ .forgejoClientID }}"
                clientSecret: "{{ .forgejoClientSecret }}"
                redirectURI: https://dex.ops.eblu.me/callback
          staticClients:
            - id: grafana
              name: Grafana
              secret: "{{ .grafanaClientSecret }}"
              redirectURIs:
                - "https://grafana.ops.eblu.me/login/generic_oauth"
                - "https://grafana.tail8d86e.ts.net/login/generic_oauth"
  data:
    - secretKey: forgejoClientID
      remoteRef:
        key: "Dex (blumeops)"
        property: forgejo-client-id
    - secretKey: forgejoClientSecret
      remoteRef:
        key: "Dex (blumeops)"
        property: forgejo-client-secret
    - secretKey: grafanaClientSecret
      remoteRef:
        key: "Dex (blumeops)"
        property: grafana-client-secret