Open delroth opened 4 months ago
My first pick would be kanidm. Our packaging in nixpkgs is great, and we have a great relationship with the upstream.
Sounds even better then!
kanidm + oauth2_proxy sounds like the right pairing for the described use case.
Edit: Actually, alertmanager seems to have native oauth2 support. https://prometheus.io/docs/alerting/latest/configuration/#oauth2
The alternative would be a simpler setup that binds to GitHub accounts, like https://dexidp.io/docs/connectors/github/, in which case we would use GitHub as an identity provider.
Some of our admin interfaces are currently stuck on Wireguard because they don't support (or badly support) HTTP authentication / authorization. Most notably right now: Alertmanager.
We should setup some kind of auth proxy - my first pick would be Authentik, but no strong preference. Then we can move some of the services behind it, and possibly also replace some stuff that currently have their own user accounts (Grafana? maybe even Hydra?).