mcvsphere/.env.example
Ryan Malloy cda49f2912 implement OAuth authentication with Authentik support
Core OAuth infrastructure:
- permissions.py: 5-level permission model (read_only → full_admin)
  Maps all 94 tools to permission levels
  Maps OAuth groups to permission sets
- audit.py: Centralized logging with OAuth user identity
- auth.py: OIDCProxy configuration for Authentik/OIDC providers
- middleware.py: Permission checking decorator and tool wrapper

Server integration:
- config.py: Add OAuth settings (oauth_enabled, oauth_issuer_url, etc.)
  Validate OAuth config completeness, require HTTP transport
- server.py: Integrate auth provider, add HTTP transport support
  Show OAuth status in startup banner

Deployment:
- docker-compose.oauth.yml: Authentik stack (server, worker, postgres, redis)
- .env.example: Document all OAuth and Authentik environment variables

Permission model:
- vsphere-readers: READ_ONLY (32 tools)
- vsphere-operators: + POWER_OPS (14 tools)
- vsphere-admins: + VM_LIFECYCLE (33 tools)
- vsphere-host-admins: + HOST_ADMIN (6 tools)
- vsphere-super-admins: + FULL_ADMIN (9 tools)
2025-12-27 01:12:58 -07:00


# mcvsphere Configuration
# Copy this file to .env and fill in your values

# Docker Compose project name (prevents environment clashes)
COMPOSE_PROJECT=mcvsphere

# ─────────────────────────────────────────────────────────────────────────────
# VMware vCenter/ESXi Connection (Required)
# ─────────────────────────────────────────────────────────────────────────────
VCENTER_HOST=your-vcenter-ip-or-hostname
VCENTER_USER=administrator@vsphere.local
VCENTER_PASSWORD=your-password

# ─────────────────────────────────────────────────────────────────────────────
# VMware Optional Settings
# ─────────────────────────────────────────────────────────────────────────────
# Datacenter name (auto-selects first if not specified)
# VCENTER_DATACENTER=your-datacenter-name
# Cluster name (auto-selects first if not specified)
# VCENTER_CLUSTER=your-cluster-name
# Datastore name (auto-selects largest if not specified)
# VCENTER_DATASTORE=your-datastore-name
# Default network for VMs
VCENTER_NETWORK=VM Network
# Skip SSL certificate verification (set to true for self-signed certs;
# keep false when vCenter presents a certificate your host trusts)
VCENTER_INSECURE=true

# ─────────────────────────────────────────────────────────────────────────────
# MCP Server Settings
# ─────────────────────────────────────────────────────────────────────────────
# API key for authentication (optional, but recommended for production)
# MCP_API_KEY=your-secret-api-key
# Transport type: stdio (Claude Desktop), sse (web/Docker), http (OAuth)
MCP_TRANSPORT=sse
# Server binding (only used with SSE/HTTP transport)
MCP_HOST=0.0.0.0
MCP_PORT=8080

# ─────────────────────────────────────────────────────────────────────────────
# Logging Configuration
# ─────────────────────────────────────────────────────────────────────────────
# Log level: DEBUG, INFO, WARNING, ERROR
LOG_LEVEL=INFO
# Log file path (logs to console if not specified)
# LOG_FILE=/app/logs/mcvsphere.log

# ─────────────────────────────────────────────────────────────────────────────
# OAuth/OIDC Configuration (Optional - requires Authentik or other OIDC provider)
# ─────────────────────────────────────────────────────────────────────────────
# Enable OAuth authentication (requires MCP_TRANSPORT=http or sse)
OAUTH_ENABLED=false
# OIDC issuer URL (Authentik application URL)
# Example: https://auth.example.com/application/o/mcvsphere/
# OAUTH_ISSUER_URL=
# OAuth client credentials (from Authentik application)
# OAUTH_CLIENT_ID=
# OAUTH_CLIENT_SECRET=
# OAuth scopes to request (comma-separated or JSON array)
# OAUTH_SCOPES=["openid", "profile", "email", "groups"]
# OAuth groups required for access (empty = any authenticated user)
# OAUTH_REQUIRED_GROUPS=["vsphere-readers"]

# ─────────────────────────────────────────────────────────────────────────────
# Authentik Deployment (for docker-compose.oauth.yml)
# ─────────────────────────────────────────────────────────────────────────────
# Authentik secret key (generate with: openssl rand -base64 36)
# AUTHENTIK_SECRET_KEY=
# Authentik PostgreSQL password
# AUTHENTIK_DB_PASSWORD=
# Authentik bootstrap admin (first run only)
# AUTHENTIK_BOOTSTRAP_EMAIL=admin@localhost
# AUTHENTIK_BOOTSTRAP_PASSWORD=
# Authentik ports
# AUTHENTIK_PORT=9000
# AUTHENTIK_HTTPS_PORT=9443
# Authentik hostname (for Caddy reverse proxy)
# AUTHENTIK_HOST=auth.localhost
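As an added example, not code from the mcvsphere repository, the following Python check reads the OAuth block of this file the way its comments describe: list settings may be a comma-separated string or a JSON array, and when OAUTH_ENABLED=true the issuer URL and client credentials must be present and the transport must be http or sse. The sample values are constructed, and the https requirement on the issuer URL is this example's own assumption.

```python
import json

# Constructed settings mirroring the OAuth block of .env.example (not real credentials).
SAMPLE_ENV = {
    "OAUTH_ENABLED": "true",
    "MCP_TRANSPORT": "http",
    "OAUTH_ISSUER_URL": "https://auth.example.com/application/o/mcvsphere/",
    "OAUTH_CLIENT_ID": "mcvsphere",
    "OAUTH_CLIENT_SECRET": "PLACEHOLDER-not-a-real-secret",
    "OAUTH_SCOPES": "openid, profile, email, groups",
    "OAUTH_REQUIRED_GROUPS": '["vsphere-readers"]',
}


def parse_list(raw: str) -> list[str]:
    """Accept a JSON array or a comma-separated string, as the file documents."""
    raw = raw.strip()
    if not raw:
        return []
    if raw.startswith("["):
        items = json.loads(raw)
        if not all(isinstance(item, str) for item in items):
            raise ValueError("list items must be strings")
        return [item.strip() for item in items if item.strip()]
    return [part.strip() for part in raw.split(",") if part.strip()]


def validate_oauth(env: dict[str, str]) -> list[str]:
    """Return configuration problems; an empty list means the OAuth block is usable."""
    problems: list[str] = []
    if env.get("OAUTH_ENABLED", "false").strip().lower() != "true":
        return problems  # OAuth disabled: nothing else in the block is required
    # Transport rule as stated in the file comment: OAuth needs http or sse.
    if env.get("MCP_TRANSPORT", "sse").strip().lower() not in ("http", "sse"):
        problems.append("OAUTH_ENABLED requires MCP_TRANSPORT=http or sse")
    for key in ("OAUTH_ISSUER_URL", "OAUTH_CLIENT_ID", "OAUTH_CLIENT_SECRET"):
        if not env.get(key, "").strip():
            problems.append(f"{key} is required when OAUTH_ENABLED=true")
    issuer = env.get("OAUTH_ISSUER_URL", "").strip()
    if issuer and not issuer.startswith("https://"):  # assumption: discovery and tokens over TLS
        problems.append("OAUTH_ISSUER_URL should use https")
    try:
        if "openid" not in parse_list(env.get("OAUTH_SCOPES", "openid")):
            problems.append("OAUTH_SCOPES must include 'openid' for OIDC")
        parse_list(env.get("OAUTH_REQUIRED_GROUPS", ""))  # empty means any authenticated user
    except ValueError as exc:
        problems.append(f"list setting could not be parsed: {exc}")
    return problems
```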