43 lines
2.0 KiB
TOML
43 lines
2.0 KiB
TOML
# sherlock conifugration - lives in $XDG_CONFIG_HOME/sherlock/config.toml
|
|
|
|
# ── Providers ────────────────────────────────────────────────────────
|
|
# A [providers.<name>] block is a reusable OAuth/OIDC client. Services
|
|
# point at one via `provider = "<name>"`. Define a provider once and
|
|
# share it across every service it fronts.
|
|
#
|
|
# `sherlock-cli` is the Authentik provider sherlock authenticates the
|
|
# operator against for Authentik-fronted services (grafana, gssh, …).
|
|
# It is a Public client (PKCE, no secret); its redirect URI must be
|
|
# whitelisted as http://127.0.0.1:6990/callback.
|
|
[providers.sherlock-cli]
|
|
issuer = "https://id.example.com/application/o/sherlock-cli/"
|
|
client_id = "REPLACE_WITH_AUTHENTIK_SHERLOCK_CLI_CLIENT_ID"
|
|
|
|
# ── Services ─────────────────────────────────────────────────────────
|
|
# Each [services.<name>] is one MCP's target. <name> is also the wallet
|
|
# key (`sherlock logout <name>`). A service either:
|
|
# - references a shared provider: provider = "sherlock-cli"
|
|
# - or supplies its own identity: issuer + client_id (+ client_secret)
|
|
# `base_url` (the API origin the MCP calls) is always required.
|
|
|
|
# Gitea runs its OWN OAuth2 server, so it carries an inline identity
|
|
# rather than referencing the Authentik provider.
|
|
[services.gitea]
|
|
issuer = "https://gitea.example.com"
|
|
client_id = "REPLACE_WITH_GITEA_OAUTH2_APP_CLIENT_ID"
|
|
# client_secret = "" # set only if your Gitea enforces it on token exchange
|
|
base_url = "https://gitea.example.com"
|
|
|
|
# Grafana and Gssh both reuse the shared Authentik provider above.
|
|
[services.grafana]
|
|
provider = "sherlock-cli"
|
|
base_url = "https://grafana.example.com"
|
|
|
|
[services.gssh]
|
|
provider = "sherlock-cli"
|
|
base_url = "https://terminal.example.com"
|
|
|
|
[services.searxng]
|
|
provider = "sherlock-cli"
|
|
base_url = "https://search.example.com"
|