Core OAuth infrastructure: - permissions.py: 5-level permission model (read_only → full_admin) Maps all 94 tools to permission levels Maps OAuth groups to permission sets - audit.py: Centralized logging with OAuth user identity - auth.py: OIDCProxy configuration for Authentik/OIDC providers - middleware.py: Permission checking decorator and tool wrapper Server integration: - config.py: Add OAuth settings (oauth_enabled, oauth_issuer_url, etc.) Validate OAuth config completeness, require HTTP transport - server.py: Integrate auth provider, add HTTP transport support Show OAuth status in startup banner Deployment: - docker-compose.oauth.yml: Authentik stack (server, worker, postgres, redis) - .env.example: Document all OAuth and Authentik environment variables Permission model: - vsphere-readers: READ_ONLY (32 tools) - vsphere-operators: + POWER_OPS (14 tools) - vsphere-admins: + VM_LIFECYCLE (33 tools) - vsphere-host-admins: + HOST_ADMIN (6 tools) - vsphere-super-admins: + FULL_ADMIN (9 tools)
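# OAuth-enabled deployment with Authentik
#
# Usage: docker compose -f docker-compose.yml -f docker-compose.oauth.yml up
#
# This overlay adds the Authentik identity provider (server, worker, PostgreSQL,
# Redis) used as the OAuth/OIDC provider for the MCP server.
#
# Required environment variables. The ${VAR:?...} form makes `docker compose`
# refuse to start instead of silently falling back to an empty value:
#   AUTHENTIK_SECRET_KEY          signing key for sessions/cookies; generate with
#                                 e.g. `openssl rand -base64 60`, one per env
#   AUTHENTIK_DB_PASSWORD         password for the `authentik` PostgreSQL role
#   AUTHENTIK_BOOTSTRAP_PASSWORD  initial admin password (see authentik-server)
# Optional: AUTHENTIK_BOOTSTRAP_EMAIL, AUTHENTIK_BIND_ADDR, AUTHENTIK_PORT,
# AUTHENTIK_HTTPS_PORT, AUTHENTIK_HOST. See .env.example for descriptions.
#
# Network layout: PostgreSQL and Redis live only on the private
# `authentik-internal` bridge and publish no host ports. Only authentik-server
# is additionally attached to the project network and publishes ports.

# ───────────────────────────────────────────────────────────────────────────
# Shared Authentik settings
# Server and worker MUST run the same image version and agree on the secret
# key and database/redis settings, so they are defined once and merged below.
# ───────────────────────────────────────────────────────────────────────────
# Pinned to an exact release. Consider also pinning the digest
# (image@sha256:...) so a repointed tag cannot change what gets deployed.
x-authentik-image: &authentik-image ghcr.io/goauthentik/server:2024.10.4

x-authentik-env: &authentik-env
  # Secret used to sign sessions and cookies. Rotating it logs every user out;
  # never share one value across environments.
  AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?AUTHENTIK_SECRET_KEY required}
  AUTHENTIK_REDIS__HOST: authentik-redis
  AUTHENTIK_POSTGRESQL__HOST: authentik-db
  AUTHENTIK_POSTGRESQL__USER: authentik
  AUTHENTIK_POSTGRESQL__NAME: authentik
  AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_DB_PASSWORD:?AUTHENTIK_DB_PASSWORD required}

services:
  # ─────────────────────────────────────────────────────────────────────────
  # PostgreSQL for Authentik
  # ─────────────────────────────────────────────────────────────────────────
  authentik-db:
    image: postgres:16-alpine
    container_name: mcvsphere-authentik-db
    restart: unless-stopped
    # Standard container hardening: nothing inside may gain privileges via
    # setuid/file capabilities after start.
    security_opt:
      - no-new-privileges:true
    environment:
      POSTGRES_DB: authentik
      POSTGRES_USER: authentik
      POSTGRES_PASSWORD: ${AUTHENTIK_DB_PASSWORD:?AUTHENTIK_DB_PASSWORD required}
    volumes:
      - authentik-db-data:/var/lib/postgresql/data
    # Private network only and no `ports:`, so the database is never reachable
    # from the host or from other compose projects.
    networks:
      - authentik-internal
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U authentik"]
      interval: 10s
      timeout: 5s
      retries: 5

  # ─────────────────────────────────────────────────────────────────────────
  # Redis for Authentik (cache / task broker)
  # ─────────────────────────────────────────────────────────────────────────
  authentik-redis:
    image: redis:7-alpine
    container_name: mcvsphere-authentik-redis
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    # Snapshot to disk every 60s if at least one key changed; quiet logging.
    # NOTE(review): Redis runs without `--requirepass`; it is reachable only on
    # the private authentik-internal network, so network isolation is the sole
    # control. If that network is ever shared, add `--requirepass` here and set
    # AUTHENTIK_REDIS__PASSWORD in x-authentik-env.
    command: ["redis-server", "--save", "60", "1", "--loglevel", "warning"]
    volumes:
      - authentik-redis-data:/data
    networks:
      - authentik-internal
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 10s
      timeout: 5s
      retries: 5

  # ─────────────────────────────────────────────────────────────────────────
  # Authentik Server (web UI, OIDC endpoints)
  # ─────────────────────────────────────────────────────────────────────────
  authentik-server:
    image: *authentik-image
    container_name: mcvsphere-authentik-server
    restart: unless-stopped
    command: server
    security_opt:
      - no-new-privileges:true
    environment:
      <<: *authentik-env
      # Bootstrap admin account; Authentik honours these on first start only.
      AUTHENTIK_BOOTSTRAP_EMAIL: ${AUTHENTIK_BOOTSTRAP_EMAIL:-admin@localhost}
      # Required (previously defaulted to empty). Without a bootstrap password
      # Authentik serves an unauthenticated initial-setup flow that lets the
      # first visitor choose the admin password -- and the ports below publish
      # this server to the host, so that visitor is not guaranteed to be you.
      AUTHENTIK_BOOTSTRAP_PASSWORD: ${AUTHENTIK_BOOTSTRAP_PASSWORD:?AUTHENTIK_BOOTSTRAP_PASSWORD required}
    ports:
      # HTTP on 9000 and HTTPS on 9443 (self-signed unless a certificate is
      # configured). AUTHENTIK_BIND_ADDR defaults to all interfaces to keep the
      # previous behaviour; set it to 127.0.0.1 when Caddy (labels below) or
      # another TLS-terminating proxy fronts Authentik, so plaintext :9000 is
      # not reachable from the network. Browsers need one of these ports for
      # the login redirect, so they cannot simply be dropped.
      - "${AUTHENTIK_BIND_ADDR:-0.0.0.0}:${AUTHENTIK_PORT:-9000}:9000"
      - "${AUTHENTIK_BIND_ADDR:-0.0.0.0}:${AUTHENTIK_HTTPS_PORT:-9443}:9443"
    volumes:
      - authentik-media:/media
      - authentik-templates:/templates
    depends_on:
      authentik-db:
        condition: service_healthy
      authentik-redis:
        condition: service_healthy
    networks:
      - authentik-internal
      # The main project's default network, so the MCP server can reach
      # Authentik by service name without going through the host.
      - mcvsphere-network
    healthcheck:
      test: ["CMD", "ak", "healthcheck"]
      interval: 30s
      timeout: 10s
      retries: 3
      # Migrations run on first boot; do not count early failures.
      start_period: 60s
    labels:
      # Caddy reverse proxy (if using caddy-docker-proxy). Caddy talks to the
      # container over the docker network, not via the published ports.
      caddy: ${AUTHENTIK_HOST:-auth.localhost}
      caddy.reverse_proxy: "{{upstreams 9000}}"

  # ─────────────────────────────────────────────────────────────────────────
  # Authentik Worker (background tasks)
  # ─────────────────────────────────────────────────────────────────────────
  authentik-worker:
    image: *authentik-image
    container_name: mcvsphere-authentik-worker
    restart: unless-stopped
    command: worker
    security_opt:
      - no-new-privileges:true
    # Same secret/database settings as the server; the worker needs no
    # bootstrap variables and publishes no ports.
    environment: *authentik-env
    volumes:
      - authentik-media:/media
      - authentik-templates:/templates
      # Deliberately no /var/run/docker.sock mount: Authentik only needs it to
      # manage Docker outposts, and it would give the worker root on the host.
    depends_on:
      authentik-db:
        condition: service_healthy
      authentik-redis:
        condition: service_healthy
    networks:
      - authentik-internal

networks:
  # Private bridge shared by all four Authentik containers.
  authentik-internal:
    driver: bridge
  # Default network of the base docker-compose.yml; must already exist
  # (created by the base stack), hence `external: true`.
  mcvsphere-network:
    external: true
    name: ${COMPOSE_PROJECT_NAME:-mcvsphere}_default

volumes:
  authentik-db-data:
  authentik-redis-data:
  authentik-media:
  authentik-templates: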