Erich Blume
625af2a1ec
Wire up OIDC authentication via jellyfin-plugin-sso so all Authentik users can access Jellyfin, with admins group mapped to Jellyfin admin. - Authentik blueprint: OAuth2 provider + application (no policy binding) - ExternalSecret + worker env var for client secret - Ansible: fetch client secret, install SSO-Auth plugin, deploy config - Local login left enabled (no branding override) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
289 lines
10 KiB
YAML
289 lines
10 KiB
YAML
---
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: authentik-blueprints
|
|
namespace: authentik
|
|
data:
|
|
common.yaml: |
|
|
version: 1
|
|
metadata:
|
|
name: BlumeOps Common Identity
|
|
labels:
|
|
blueprints.goauthentik.io/description: "Shared groups and identity resources"
|
|
entries:
|
|
# admins group — gates access to admin-only applications
|
|
- model: authentik_core.group
|
|
id: admins-group
|
|
identifiers:
|
|
name: admins
|
|
attrs:
|
|
name: admins
|
|
|
|
mfa.yaml: |
|
|
version: 1
|
|
metadata:
|
|
name: BlumeOps MFA Enforcement
|
|
labels:
|
|
blueprints.goauthentik.io/description: "Require MFA on default authentication flow"
|
|
entries:
|
|
# Require MFA — force_setup prompts users without MFA to enroll.
|
|
- model: authentik_stages_authenticator_validate.authenticatorvalidatestage
|
|
identifiers:
|
|
name: default-authentication-mfa-validation
|
|
attrs:
|
|
not_configured_action: configure
|
|
device_classes:
|
|
- totp
|
|
- webauthn
|
|
- static
|
|
configuration_stages:
|
|
- !Find [authentik_stages_authenticator_totp.authenticatortotpstage, [name, default-authenticator-totp-setup]]
|
|
- !Find [authentik_stages_authenticator_static.authenticatorstaticstage, [name, default-authenticator-static-setup]]
|
|
|
|
grafana.yaml: |
|
|
version: 1
|
|
metadata:
|
|
name: BlumeOps Grafana SSO
|
|
labels:
|
|
blueprints.goauthentik.io/description: "Grafana OIDC provider and application"
|
|
entries:
|
|
# OAuth2 provider for Grafana
|
|
- model: authentik_providers_oauth2.oauth2provider
|
|
id: grafana-provider
|
|
identifiers:
|
|
name: Grafana
|
|
attrs:
|
|
name: Grafana
|
|
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
|
|
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
|
|
client_type: confidential
|
|
client_id: grafana
|
|
client_secret: !Env AUTHENTIK_GRAFANA_CLIENT_SECRET
|
|
redirect_uris:
|
|
- matching_mode: strict
|
|
url: https://grafana.ops.eblu.me/login/generic_oauth
|
|
- matching_mode: strict
|
|
url: https://grafana.tail8d86e.ts.net/login/generic_oauth
|
|
signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
|
|
property_mappings:
|
|
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
|
|
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
|
|
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
|
|
sub_mode: hashed_user_id
|
|
include_claims_in_id_token: true
|
|
|
|
# Grafana application — linked to the OAuth2 provider
|
|
- model: authentik_core.application
|
|
id: grafana-app
|
|
identifiers:
|
|
slug: grafana
|
|
attrs:
|
|
name: Grafana
|
|
slug: grafana
|
|
provider: !KeyOf grafana-provider
|
|
meta_launch_url: https://grafana.ops.eblu.me
|
|
policy_engine_mode: any
|
|
|
|
# Policy binding — restrict Grafana to admins group
|
|
- model: authentik_policies.policybinding
|
|
identifiers:
|
|
order: 0
|
|
target: !KeyOf grafana-app
|
|
group: !Find [authentik_core.group, [name, admins]]
|
|
attrs:
|
|
target: !KeyOf grafana-app
|
|
group: !Find [authentik_core.group, [name, admins]]
|
|
order: 0
|
|
enabled: true
|
|
negate: false
|
|
timeout: 30
|
|
|
|
forgejo.yaml: |
|
|
version: 1
|
|
metadata:
|
|
name: BlumeOps Forgejo SSO
|
|
labels:
|
|
blueprints.goauthentik.io/description: "Forgejo OIDC provider and application"
|
|
entries:
|
|
# OAuth2 provider for Forgejo
|
|
- model: authentik_providers_oauth2.oauth2provider
|
|
id: forgejo-provider
|
|
identifiers:
|
|
name: Forgejo
|
|
attrs:
|
|
name: Forgejo
|
|
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
|
|
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
|
|
client_type: confidential
|
|
client_id: forgejo
|
|
client_secret: !Env AUTHENTIK_FORGEJO_CLIENT_SECRET
|
|
redirect_uris:
|
|
- matching_mode: strict
|
|
url: https://forge.ops.eblu.me/user/oauth2/authentik/callback
|
|
signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
|
|
property_mappings:
|
|
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
|
|
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
|
|
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
|
|
sub_mode: hashed_user_id
|
|
include_claims_in_id_token: true
|
|
|
|
# Forgejo application — linked to the OAuth2 provider
|
|
- model: authentik_core.application
|
|
id: forgejo-app
|
|
identifiers:
|
|
slug: forgejo
|
|
attrs:
|
|
name: Forgejo
|
|
slug: forgejo
|
|
provider: !KeyOf forgejo-provider
|
|
meta_launch_url: https://forge.ops.eblu.me
|
|
policy_engine_mode: any
|
|
|
|
# Policy binding — restrict Forgejo to admins group
|
|
- model: authentik_policies.policybinding
|
|
identifiers:
|
|
order: 0
|
|
target: !KeyOf forgejo-app
|
|
group: !Find [authentik_core.group, [name, admins]]
|
|
attrs:
|
|
target: !KeyOf forgejo-app
|
|
group: !Find [authentik_core.group, [name, admins]]
|
|
order: 0
|
|
enabled: true
|
|
negate: false
|
|
timeout: 30
|
|
|
|
zot.yaml: |
|
|
version: 1
|
|
metadata:
|
|
name: BlumeOps Zot SSO
|
|
labels:
|
|
blueprints.goauthentik.io/description: "Zot OIDC provider, application, and CI identity"
|
|
entries:
|
|
# artifact-workloads group (CI push identity)
|
|
- model: authentik_core.group
|
|
id: artifact-workloads-group
|
|
identifiers:
|
|
name: artifact-workloads
|
|
attrs:
|
|
name: artifact-workloads
|
|
|
|
# Service account for CI push (admin sets password via UI after deploy)
|
|
- model: authentik_core.user
|
|
id: zot-ci-user
|
|
identifiers:
|
|
username: zot-ci
|
|
attrs:
|
|
username: zot-ci
|
|
name: Zot CI Service Account
|
|
type: service_account
|
|
is_active: true
|
|
groups:
|
|
- !KeyOf artifact-workloads-group
|
|
|
|
# OAuth2 provider for Zot
|
|
- model: authentik_providers_oauth2.oauth2provider
|
|
id: zot-provider
|
|
identifiers:
|
|
name: Zot
|
|
attrs:
|
|
name: Zot
|
|
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
|
|
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
|
|
client_type: confidential
|
|
client_id: zot
|
|
client_secret: !Env AUTHENTIK_ZOT_CLIENT_SECRET
|
|
redirect_uris:
|
|
- matching_mode: strict
|
|
url: https://registry.ops.eblu.me/zot/auth/callback/oidc
|
|
signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
|
|
property_mappings:
|
|
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
|
|
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
|
|
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
|
|
sub_mode: hashed_user_id
|
|
include_claims_in_id_token: true
|
|
|
|
# Zot application — linked to the OAuth2 provider
|
|
- model: authentik_core.application
|
|
id: zot-app
|
|
identifiers:
|
|
slug: zot
|
|
attrs:
|
|
name: Zot Registry
|
|
slug: zot
|
|
provider: !KeyOf zot-provider
|
|
meta_launch_url: https://registry.ops.eblu.me
|
|
policy_engine_mode: any
|
|
|
|
# Policy binding — allow admins group access to Zot
|
|
- model: authentik_policies.policybinding
|
|
identifiers:
|
|
order: 0
|
|
target: !KeyOf zot-app
|
|
group: !Find [authentik_core.group, [name, admins]]
|
|
attrs:
|
|
target: !KeyOf zot-app
|
|
group: !Find [authentik_core.group, [name, admins]]
|
|
order: 0
|
|
enabled: true
|
|
negate: false
|
|
timeout: 30
|
|
|
|
# Policy binding — allow artifact-workloads group access to Zot (CI push)
|
|
- model: authentik_policies.policybinding
|
|
identifiers:
|
|
order: 1
|
|
target: !KeyOf zot-app
|
|
group: !KeyOf artifact-workloads-group
|
|
attrs:
|
|
target: !KeyOf zot-app
|
|
group: !KeyOf artifact-workloads-group
|
|
order: 1
|
|
enabled: true
|
|
negate: false
|
|
timeout: 30
|
|
|
|
jellyfin.yaml: |
|
|
version: 1
|
|
metadata:
|
|
name: BlumeOps Jellyfin SSO
|
|
labels:
|
|
blueprints.goauthentik.io/description: "Jellyfin OIDC provider and application"
|
|
entries:
|
|
# OAuth2 provider for Jellyfin
|
|
- model: authentik_providers_oauth2.oauth2provider
|
|
id: jellyfin-provider
|
|
identifiers:
|
|
name: Jellyfin
|
|
attrs:
|
|
name: Jellyfin
|
|
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
|
|
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
|
|
client_type: confidential
|
|
client_id: jellyfin
|
|
client_secret: !Env AUTHENTIK_JELLYFIN_CLIENT_SECRET
|
|
redirect_uris:
|
|
- matching_mode: strict
|
|
url: https://jellyfin.ops.eblu.me/sso/OID/redirect/authentik
|
|
signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
|
|
property_mappings:
|
|
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
|
|
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
|
|
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
|
|
sub_mode: hashed_user_id
|
|
include_claims_in_id_token: true
|
|
|
|
# Jellyfin application — all authenticated users allowed (no policy binding)
|
|
- model: authentik_core.application
|
|
id: jellyfin-app
|
|
identifiers:
|
|
slug: jellyfin
|
|
attrs:
|
|
name: Jellyfin
|
|
slug: jellyfin
|
|
provider: !KeyOf jellyfin-provider
|
|
meta_launch_url: https://jellyfin.ops.eblu.me
|
|
policy_engine_mode: all
|