Archives/gristlabs_grist-core
1
0
Fork 0
mirror of https://github.com/gristlabs/grist-core.git synced 2024-10-27 20:44:07 +00:00
Code Issues Projects Releases Wiki Activity

Dex prototype

Browse Source
This commit is contained in:
Spoffy 2024-07-25 17:09:58 +01:00
parent cde560f632
commit 3b8da882ab
4 changed files with 137 additions and 74 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
docker-compose-examples/grist-traefik-oidc-auth/configs/dex/config.yaml Normal file
View File

@ -0,0 +1,61 @@
# This file uses Go template formatting.
issuer: {{ getenv "DEX_ISSUER" "http://127.0.0.1:5556/dex" }}
storage:
type: sqlite3
config:
file: {{ getenv "DEX_STORAGE_SQLITE3_CONFIG_FILE" "/var/dex/dex.db" }}
web:
{{- if getenv "DEX_WEB_HTTPS" "" }}
https: {{ .Env.DEX_WEB_HTTPS }}
tlsKey: {{ getenv "DEX_WEB_TLS_KEY" | required "$DEX_WEB_TLS_KEY in case of web.https is enabled" }}
tlsCert: {{ getenv "DEX_WEB_TLS_CERT" | required "$DEX_WEB_TLS_CERT in case of web.https is enabled" }}
{{- end }}
http: {{ getenv "DEX_WEB_HTTP" "0.0.0.0:5556" }}
{{- if getenv "DEX_TELEMETRY_HTTP" }}
telemetry:
http: {{ .Env.DEX_TELEMETRY_HTTP }}
{{- end }}
expiry:
deviceRequests: {{ getenv "DEX_EXPIRY_DEVICE_REQUESTS" "5m" }}
signingKeys: {{ getenv "DEX_EXPIRY_SIGNING_KEYS" "6h" }}
idTokens: {{ getenv "DEX_EXPIRY_ID_TOKENS" "24h" }}
authRequests: {{ getenv "DEX_EXPIRY_AUTH_REQUESTS" "24h" }}
logger:
level: {{ getenv "DEX_LOG_LEVEL" "info" }}
format: {{ getenv "DEX_LOG_FORMAT" "text" }}
oauth2:
responseTypes: {{ getenv "DEX_OAUTH2_RESPONSE_TYPES" "[code]" }}
skipApprovalScreen: {{ getenv "DEX_OAUTH2_SKIP_APPROVAL_SCREEN" "false" }}
alwaysShowLoginScreen: {{ getenv "DEX_OAUTH2_ALWAYS_SHOW_LOGIN_SCREEN" "false" }}
{{- if getenv "DEX_OAUTH2_PASSWORD_CONNECTOR" "" }}
passwordConnector: {{ .Env.DEX_OAUTH2_PASSWORD_CONNECTOR }}
{{- end }}
enablePasswordDB: {{ getenv "DEX_ENABLE_PASSWORD_DB" "true" }}
staticPasswords:
- email: "admin@example.com"
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
username: "admin"
userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
staticClients:
- id: grist-client
secret: app-secret
name: 'Private Client'
redirectURIs:
- 'https://example.com/oidc/callback'
connectors:
{{- if getenv "DEX_CONNECTORS_ENABLE_MOCK" }}
- type: mockCallback
id: mock
name: Example
{{- end }}

36
docker-compose-examples/grist-traefik-oidc-auth/configs/traefik-dynamic-config.yml
View File

@ -1,36 +1,2 @@
http:
# Declaring the user list
middlewares:
grist-basic-auth:
basicAuth:
# The header that Grist will listen for authenticated usernames on.
headerField: "X-Forwarded-User"
# This is the list of users, in the format username:password.
# Passwords can be created using `htpasswd`
# E.g: `htpasswd -nB test@example.org`
users:
# The default username is "test@example.org". The default password is "test".
- "test@example.org:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
routers:
# General router for almost all Grist traffic.
general:
entrypoints:
- web
- websecure
rule: "HostRegexp(`.*`)"
service: grist@docker
tls:
certresolver: letsencrypt
# Separate Traefik router for the login pages.
# This allows a user to visit the site without hitting the basic auth login page.
login:
entrypoints:
- web
- websecure
rule: "PathPrefix(`/auth/login`) || PathPrefix(`/_oauth`)"
middlewares:
- grist-basic-auth
service: grist@docker
tls:
certresolver: letsencrypt
# Declaring the user list

114
docker-compose-examples/grist-traefik-oidc-auth/docker-compose.yml
View File

@ -16,31 +16,38 @@ secrets:
file: ./secrets/SESSION_SECRET
STORAGE_ENCRYPTION_KEY:
file: ./secrets/STORAGE_ENCRYPTION_KEY
STORAGE_PASSWORD:
file: ./secrets/STORAGE_PASSWORD
# These secrets are for using Authelia as an OIDC provider
HMAC_SECRET:
file: ./secrets/HMAC_SECRET
services:
# grist:
# image: gristlabs/grist:latest
# environment:
# # Use Python 3 instead of 2.
# PYTHON_VERSION: 3
# # Sets the header to look at for authentication
# GRIST_FORWARD_AUTH_HEADER: X-Forwarded-User
# # Forces Grist to only use a single team called 'Example'
# GRIST_SINGLE_ORG: my-grist-team # alternatively, GRIST_ORG_IN_PATH: "true" for multi-team operation
# # Force users to login (disable anonymous access)
# GRIST_FORCE_LOGIN: true
# # Base URL Grist redirects to when navigating. Change this to your domain.
# APP_HOME_URL: https://localhost
# # Default email for the "Admin" account
# GRIST_DEFAULT_EMAIL: test@example.org
# volumes:
# # Where to store persistent data, such as documents.
# - ./grist_local_data:/persist
# labels:
# - "traefik.http.services.grist.loadbalancer.server.port=8484"
grist:
image: gristlabs/grist:latest
ports:
- 8484:8484
environment:
GRIST_OIDC_IDP_ISSUER: http://dex:5556
GRIST_OIDC_IDP_CLIENT_ID: grist-client
GRIST_OIDC_IDP_CLIENT_SECRET: app-secret
GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT: true
# Forces Grist to only use a single team called 'Example'
GRIST_SINGLE_ORG: my-grist-team # alternatively, GRIST_ORG_IN_PATH: "true" for multi-team operation
# Force users to login (disable anonymous access)
GRIST_FORCE_LOGIN: true
# Base URL Grist redirects to when navigating. Change this to your domain.
APP_HOME_URL: https://grist.localhost
# Default email for the "Admin" account
GRIST_DEFAULT_EMAIL: test@example.org
volumes:
# Where to store persistent data, such as documents.
- ./grist_local_data:/persist
labels:
- "traefik.http.services.grist.loadbalancer.server.port=8484"
- "traefik.http.routers.grist.rule=Host(`grist.localhost`)"
- "traefik.http.routers.grist.service=grist"
- "traefik.http.routers.grist.tls.certresolver=letsencrypt"
#
# traefik:
# image: traefik:latest
# ports:
@ -59,25 +66,54 @@ services:
# # Traefik needs docker access when configured via docker labels.
# - /var/run/docker.sock:/var/run/docker.sock
# depends_on:
# - grist
authelia:
image: authelia/authelia:4
# grist:
# condition: service_started
# authelia:
# condition: service_started
# authelia:
# image: authelia/authelia:4
# ports:
# - 9091:9091
# secrets:
# - HMAC_SECRET
# - JWT_SECRET
# - SESSION_SECRET
# - STORAGE_ENCRYPTION_KEY
# environment:
# AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE: '/run/secrets/JWT_SECRET'
# AUTHELIA_SESSION_SECRET_FILE: '/run/secrets/SESSION_SECRET'
# AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: '/run/secrets/STORAGE_ENCRYPTION_KEY'
# # Domain Grist is hosted at. Custom variable that's interpolated into the Authelia config
# APP_DOMAIN: 'grist.localhost'
# volumes:
# - ./configs/authelia:/config
# command:
# - 'authelia'
# - '--config=/config/configuration.yml'
# # Enables passing environment variables down to the Authelia config.
# - '--config.experimental.filters=template'
# labels:
# - "traefik.http.services.authelia.loadbalancer.server.port=9091"
# - "traefik.http.routers.authelia.rule=Host(`auth.grist.localhost`)"
# - "traefik.http.routers.authelia.service=authelia"
# - "traefik.http.routers.authelia.tls.certresolver=letsencrypt"
dex:
image: dexidp/dex:latest
ports:
- 9091:9091
secrets:
- JWT_SECRET
- SESSION_SECRET
- STORAGE_ENCRYPTION_KEY
- 5556:5556
- 5557:5557
environment:
AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE: '/run/secrets/JWT_SECRET'
AUTHELIA_SESSION_SECRET_FILE: '/run/secrets/SESSION_SECRET'
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: '/run/secrets/STORAGE_ENCRYPTION_KEY'
APP_DOMAIN: 'grist.localhost'
DEX_ISSUER: http://auth.grist.localhost:5556/
DEX_STORAGE_SQLITE3_CONFIG_FILE: /dex_db/dex.db
DEX_ENABLE_PASSWORD_DB: true
DEX_OAUTH2_PASSWORD_CONNECTOR: local
volumes:
- ./configs/authelia:/config
- ./configs/dex:/config
- ./dex_db:/dex_db
command:
- 'authelia'
- '--config=/config/configuration.yml'
- '--config.experimental.filters=template'
- dex
- serve
- /config/config.yaml

0
docker-compose-examples/grist-traefik-oidc-auth/secrets/HMAC_SECRET Normal file
View File