diff --git a/docs/plans/auth-system-replacement.md b/docs/plans/auth-system-replacement.md index dcd97c7..b6ef58a 100644 --- a/docs/plans/auth-system-replacement.md +++ b/docs/plans/auth-system-replacement.md @@ -151,11 +151,30 @@ Rationale: - Well above NixOS system users (typically <1000) - Avoids Podman/container issues with very high GIDs +### Completed (2026-02-08) - OAuth2/OIDC for Grafana + +**OAuth2 client deployed for Grafana on monitoring02:** +- Client ID: `grafana` +- Redirect URL: `https://grafana-test.home.2rjus.net/login/generic_oauth` +- Scope maps: `openid`, `profile`, `email`, `groups` for `users` group +- Role mapping: `admins` group → Grafana Admin, others → Viewer + +**Configuration locations:** +- Kanidm OAuth2 client: `services/kanidm/default.nix` +- Grafana OIDC config: `services/grafana/default.nix` +- Vault secret: `services/grafana/oauth2-client-secret` + +**Key findings:** +- PKCE is required by Kanidm - enable `use_pkce = true` in Grafana +- Must set `email_attribute_path`, `login_attribute_path`, `name_attribute_path` to extract from userinfo +- Users need: primary credential (password + TOTP for MFA), membership in `users` group, email address set +- Unix password is separate from primary credential (web login requires primary credential) + ### Next Steps 1. Enable PAM/NSS on production hosts (after test tier validation) 2. Configure TrueNAS LDAP client for NAS integration testing -3. Add OAuth2 clients (Grafana first) +3. Add OAuth2 clients for other services as needed ## References diff --git a/docs/plans/monitoring-migration-victoriametrics.md b/docs/plans/monitoring-migration-victoriametrics.md index 7fc926a..95b1c96 100644 --- a/docs/plans/monitoring-migration-victoriametrics.md +++ b/docs/plans/monitoring-migration-victoriametrics.md 
@@ -169,9 +169,30 @@ Once ready to cut over: - Destroy VM in Proxmox - Remove from terraform state +## Current Progress + +### monitoring02 Host Created (2026-02-08) + +Host deployed at 10.69.13.24 (test tier) with: +- 4 CPU cores, 8GB RAM, 60GB disk +- Vault integration enabled +- NATS-based remote deployment enabled + +### Grafana with Kanidm OIDC (2026-02-08) + +Grafana deployed on monitoring02 as a test instance (`grafana-test.home.2rjus.net`): +- Kanidm OIDC authentication (PKCE enabled) +- Role mapping: `admins` → Admin, others → Viewer +- Declarative datasources pointing to monitoring01 (Prometheus, Loki) +- Local Caddy for TLS termination via internal ACME CA + +This validates the Grafana + OIDC pattern before the full VictoriaMetrics migration. The existing +`services/monitoring/grafana.nix` on monitoring01 can be replaced with the new `services/grafana/` +module once monitoring02 becomes the primary monitoring host. + ## Open Questions -- [ ] What disk size for monitoring02? 100GB should allow 3+ months with VictoriaMetrics compression +- [ ] What disk size for monitoring02? Current 60GB may need expansion for 3+ months with VictoriaMetrics - [ ] Which dashboards to recreate declaratively? (Review monitoring01 Grafana for current set) ## VictoriaMetrics Service Configuration diff --git a/docs/user-management.md b/docs/user-management.md index a3ff69a..5a732c3 100644 --- a/docs/user-management.md +++ b/docs/user-management.md 
@@ -43,11 +43,21 @@ kanidm person posix set-password kanidm person posix set --shell /bin/zsh ``` +### Setting Email Address + +Email is required for OAuth2/OIDC login (e.g., Grafana): + +```bash +kanidm person update --mail +``` + ### Example: Full User Creation ```bash kanidm person create testuser "Test User" +kanidm person update testuser --mail testuser@home.2rjus.net kanidm group add-members ssh-users testuser +kanidm group add-members users testuser # Required for OAuth2 scopes kanidm person posix set testuser kanidm person posix set-password testuser kanidm person get testuser @@ -129,6 +139,40 @@ Kanidm auto-assigns UIDs/GIDs from its configured range. For manually assigned G | 65,536+ | Users (auto-assigned) | | 68,000 - 68,999 | Groups (manually assigned) | +## OAuth2/OIDC Login (Web Services) + +For OAuth2/OIDC login to web services like Grafana, users need: + +1. **Primary credential** - Password set via `credential update` (separate from unix password) +2. **MFA** - TOTP or passkey (Kanidm requires MFA for primary credentials) +3. **Group membership** - Member of `users` group (for OAuth2 scope mapping) +4. **Email address** - Set via `person update --mail` + +### Setting Up Primary Credential (Web Login) + +The primary credential is different from the unix/POSIX password: + +```bash +# Interactive credential setup +kanidm person credential update + +# In the interactive prompt: +# 1. Type 'password' to set a password +# 2. Type 'totp' to add TOTP (scan QR with authenticator app) +# 3. Type 'commit' to save +``` + +### Verifying OAuth2 Readiness + +```bash +kanidm person get +``` + +Check for: +- `mail:` - Email address set +- `memberof:` - Includes `users@home.2rjus.net` +- Primary credential status (check via `credential update` → `status`) + ## PAM/NSS Client Configuration Enable central authentication on a host:
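Review bot: in the `auth-system-replacement.md` hunk, the redirect URL `https://grafana-test.home.2rjus.net/login/generic_oauth` pins the Kanidm client to the test hostname, but neither "Key findings" nor "Next Steps" records that the client's origin/redirect has to be changed when Grafana is promoted to its production name; Kanidm refuses redirects that do not match the registered origin, so this will bite at cutover. Suggest a bullet such as `- Redirect URL is host-specific; update the Kanidm client origin when grafana-test is promoted`. Also, under "Configuration locations" the line `- Vault secret: services/grafana/oauth2-client-secret` sits next to two repo file paths but reads like a Vault KV path; say which it is.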
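Review bot: in the `monitoring-migration-victoriametrics.md` hunk, the Open Questions change from `100GB should allow 3+ months` to `Current 60GB may need expansion` records that the host was built smaller than the earlier sizing, but neither this line nor the new `- 4 CPU cores, 8GB RAM, 60GB disk` bullet says why, or whether the disk will be grown in place or only when monitoring02 becomes primary. Since the "Once ready to cut over" checklist just above destroys the old VM, state the plan here so the open question can actually be closed.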
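Review bot: in the first `user-management.md` hunk, `kanidm person update --mail` under "Setting Email Address" is missing both the account id and the mail value, so the command as written fails (the context line `kanidm person posix set-password` has the same gap, which suggests placeholders were lost). Suggest `kanidm person update <username> --mail <email>`; the full example on the following lines already shows the working form `kanidm person update testuser --mail testuser@home.2rjus.net`. The comment `# Required for OAuth2 scopes` on `kanidm group add-members users testuser` could also name the client, since the scope map on `users` is specific to the `grafana` client described in the auth plan.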
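Review bot: in the second `user-management.md` hunk, `kanidm person credential update` and `kanidm person get` again lack the account argument; add `<username>` so the snippets are copy-pasteable. Item 2, "Kanidm requires MFA for primary credentials", is asserted without a source; cite the Kanidm doc or the account-policy setting this was observed under, since the reader will otherwise not know whether a password-only credential is rejected or merely warned about. Finally, "Verifying OAuth2 Readiness" tells the reader to use `status` inside `credential update`, but the interactive steps above list only `password`, `totp` and `commit`; add `status` there (and note that quitting without `commit` discards nothing) so the two sections agree.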