mweinelt
commented
4 months ago My first pick would be kanidm. Our packaging in nixpkgs is great, and we have a great relationship with the upstream.
Open delroth opened 4 months ago
mweinelt
commented
4 months ago My first pick would be kanidm. Our packaging in nixpkgs is great, and we have a great relationship with the upstream.
delroth
commented
4 months ago Sounds even better then!
mweinelt
commented
4 months ago kanidm + oauth2_proxy sounds like the right pairing for the described use case.
Edit: Actually, alertmanager seems to have native oauth2 support. https://prometheus.io/docs/alerting/latest/configuration/#oauth2
mweinelt
commented
4 months ago The alternative would be a simpler setup that binds to GitHub accounts, like https://dexidp.io/docs/connectors/github/, in which case we would use GitHub as an identity provider.
Some of our admin interfaces are currently stuck on Wireguard because they don't support (or badly support) HTTP authentication / authorization. Most notably right now: Alertmanager.
We should setup some kind of auth proxy - my first pick would be Authentik, but no strong preference. Then we can move some of the services behind it, and possibly also replace some stuff that currently have their own user accounts (Grafana? maybe even Hydra?).