initial commit
This commit is contained in:
commit
a236d3a0a6
8 changed files with 216 additions and 0 deletions
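--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+**/.envrc
+**/tfplan
+**/*tfstate*
+**/.terraform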
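Review bot: The ignore list covers state files, saved plans and `.envrc`, but not Terraform crash logs, which are written next to the configuration when a provider panics and can carry request/response bodies including the authentik API token and the generated client secrets; add `**/crash.log` and `**/crash.*.log`. If variable files with secrets are introduced later, `**/*.tfvars` would belong here too. Keeping `.terraform.lock.hcl` out of this list, as the commit does, is correct since it pins provider hashes.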
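--- /dev/null
+++ b/authentik/.terraform.lock.hcl
@@ -0,0 +1,63 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/goauthentik/authentik" {
+version = "2024.6.0"
+constraints = "2024.6.0"
+hashes = [
+"h1:S9p9njz1sEpXMOY7vL6YGqOVMfYsX1AbUy2GhJ121C0=",
+"zh:1faa2890439a76b18b05f6c7c753502615de5e34157dc77a2d2d4bbfd6ab4dc8",
+"zh:288ce51c155380b55eb5b6cd82158b1d7e7193cede072f8be4735a4d6b1421fe",
+"zh:397e2a61f36fadbcf7e07f914d27139c3d828323c77445194e6e6721e5f4fb3b",
+"zh:3bdff2f4131fdc70eb5d0ae88f28e0c470b8dbde00735b239603347a451a2df0",
+"zh:3c959ad7d3f4645e942ae4f33ab8736781df44e12f7185e35622e00625ee6f96",
+"zh:66f8e918229a0b4d9654244d6bca921547ea7ee6582d302c37d96db3252315a3",
+"zh:68b098049de3818290978c5db855a6fc52618dea9f7c180c5e4e322144a9d801",
+"zh:6986198640803382504afeaac069a3f7c89262f44e03f6916005766095f4ac80",
+"zh:6edfe344fa96e55de95dba04d58d08b332b59dadf93c822d38e321f4cb6fe4f5",
+"zh:a4325ae5bed223665f39534397cfae9b4f9364b98523d200200f240deaf7f797",
+"zh:cb60056969297c1aaaf213a477080780ef957926ec64913fab1db33409bc4c08",
+"zh:e744a42dc4dba812846a837fc328f73e390531a64c16a1e280a5c1fea4c7e176",
+"zh:f1ea072c1d3a7becdc4579bc85903642532639f134c8cf7e49e2e0f3bad5aee3",
+"zh:f4a0c5a664d131d5c6a00e194b855e76ac5e6f0e0404e85e6fc3fa95029b10c1",
+]
+}
+
+provider "registry.terraform.io/hashicorp/kubernetes" {
+version = "2.31.0"
+constraints = "2.31.0"
+hashes = [
+"h1:+KpzTrSzd864Fd6+qAQl4cu0/x9N5TqgLAxvyyLSp88=",
+"zh:0d16b861edb2c021b3e9d759b8911ce4cf6d531320e5dc9457e2ea64d8c54ecd",
+"zh:1bad69ed535a5f32dec70561eb481c432273b81045d788eb8b37f2e4a322cc40",
+"zh:43c58e3912fcd5bb346b5cb89f31061508a9be3ca7dd4cd8169c066203bcdfb3",
+"zh:4778123da9206918a92dfa73cc711475d2b9a8275ff25c13a30513c523ac9660",
+"zh:8bfa67d2db03b3bfae62beebe6fb961aee8d91b7a766efdfe4d337b33dfd23dd",
+"zh:9020bb5729db59a520ade5e24984b737e65f8b81751fbbd343926f6d44d22176",
+"zh:90431dbfc5b92498bfbce38f0b989978c84421a6c33245b97788a46b563fbd6e",
+"zh:b71a061dda1244f6a52500e703a9524b851e7b11bbf238c17bbd282f27d51cb2",
+"zh:d6232a7651b834b89591b94bf4446050119dcde740247e6083a4d55a2cefd28a",
+"zh:d89fba43e699e28e2b5e92fff2f75fc03dbc8de0df9dacefe1a8836f8f430753",
+"zh:ef85c0b744f5ba1b10dadc3c11e331ba4225c45bb733e024d7218c24b02b0512",
+"zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+]
+}
+
+provider "registry.terraform.io/hashicorp/random" {
+version = "3.6.2"
+hashes = [
+"h1:UQlmHGddu39vVzG8kruMsde4GHlG+1S7OLqFApbJvtc=",
+"zh:0ef01a4f81147b32c1bea3429974d4d104bbc4be2ba3cfa667031a8183ef88ec",
+"zh:1bcd2d8161e89e39886119965ef0f37fcce2da9c1aca34263dd3002ba05fcb53",
+"zh:37c75d15e9514556a5f4ed02e1548aaa95c0ecd6ff9af1119ac905144c70c114",
+"zh:4210550a767226976bc7e57d988b9ce48f4411fa8a60cd74a6b246baf7589dad",
+"zh:562007382520cd4baa7320f35e1370ffe84e46ed4e2071fdc7e4b1a9b1f8ae9b",
+"zh:5efb9da90f665e43f22c2e13e0ce48e86cae2d960aaf1abf721b497f32025916",
+"zh:6f71257a6b1218d02a573fc9bff0657410404fb2ef23bc66ae8cd968f98d5ff6",
+"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+"zh:9647e18f221380a85f2f0ab387c68fdafd58af6193a932417299cdcae4710150",
+"zh:bb6297ce412c3c2fa9fec726114e5e0508dd2638cad6a0cb433194930c97a544",
+"zh:f83e925ed73ff8a5ef6e3608ad9225baa5376446349572c2449c0c0b3cf184b7",
+"zh:fbef0781cb64de76b1df1ca11078aecba7800d82fd4a956302734999cfd9a4af",
+]
+}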
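--- /dev/null
+++ b/authentik/Makefile
@@ -0,0 +1,8 @@
+init:
+@terraform init
+
+plan:
+@terraform plan -out tfplan
+
+apply:plan
+@terraform apply tfplan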
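Review bot: The saved plan written by `terraform plan -out tfplan` contains the planned resource values in plaintext, which for this configuration includes the Grafana `client_secret` that `grafana.tf` copies into a Kubernetes Secret; the `apply` target applies it but leaves the file on disk, so it only stays out of the repository because `.gitignore` lists `**/tfplan`. Remove it once consumed: `@terraform apply tfplan && rm -f tfplan`. As a style point, `apply:plan` works but the file's other rules use the conventional `target: prerequisite` spacing.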
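--- /dev/null
+++ b/authentik/grafana.tf
@@ -0,0 +1,84 @@
+data "authentik_flow" "default-provider-authorization-implicit-consent" {
+slug = "default-provider-authorization-implicit-consent"
+}
+
+data "authentik_scope_mapping" "scope-email" {
+name = "authentik default OAuth Mapping: OpenID 'email'"
+}
+
+data "authentik_scope_mapping" "scope-profile" {
+name = "authentik default OAuth Mapping: OpenID 'profile'"
+}
+
+data "authentik_scope_mapping" "scope-openid" {
+name = "authentik default OAuth Mapping: OpenID 'openid'"
+}
+
+resource "random_id" "client_id" {
+byte_length = 16
+}
+
+resource "authentik_provider_oauth2" "grafana" {
+name = "Grafana"
+# Required. You can use the output of:
+# $ openssl rand -hex 16
+client_id = random_id.client_id.id
+
+# Optional: will be generated if not provided
+# client_secret = "my_client_secret"
+
+authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
+
+redirect_uris = [
+"https://grafana.lab.cowley.tech/login/generic_oauth"
+]
+
+property_mappings = [
+data.authentik_scope_mapping.scope-email.id,
+data.authentik_scope_mapping.scope-profile.id,
+data.authentik_scope_mapping.scope-openid.id,
+]
+}
+
+resource "authentik_application" "grafana" {
+name = "Grafana"
+slug = "grafana"
+protocol_provider = authentik_provider_oauth2.grafana.id
+}
+
+resource "authentik_group" "grafana_admins" {
+name = "Grafana Admins"
+}
+
+resource "authentik_group" "grafana_editors" {
+name = "Grafana Editors"
+}
+
+resource "authentik_group" "grafana_viewers" {
+name = "Grafana Viewers"
+}
+
+resource "kubernetes_secret" "grafana-authentik" {
+metadata {
+name = "grafana-authentik"
+namespace = "monitoring"
+}
+data = {
+"GF_AUTH_GENERIC_OAUTH_ENABLED" = "true"
+"GF_AUTH_GENERIC_OAUTH_CLIENT_ID" = authentik_provider_oauth2.grafana.client_id
+"GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET" = authentik_provider_oauth2.grafana.client_secret
+"GF_AUTH_GENERIC_OAUTH_NAME" = "authentik"
+"GF_AUTH_GENERIC_OAUTH_SCOPES" = "openid profile email"
+"GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP" = "true"
+"GF_AUTH_GENERIC_OAUTH_AUTH_URL" = "https://auth.lab.cowley.tech/application/o/authorize/"
+"GF_AUTH_GENERIC_OAUTH_TOKEN_URL" = "https://auth.lab.cowley.tech/application/o/token/"
+"GF_AUTH_GENERIC_OAUTH_API_URL" = "https://auth.lab.cowley.tech/application/o/userinfo/"
+"GF_AUTH_SIGNOUT_REDIRECT_URL" = "https://auth.lab.cowley.tech/application/o/grafana/end-session/"
+"GF_AUTH_GENERIC_SIGNOUT_REDIRECT_URL" = "https://auth.lab.cowley.tech/application/o/grafana/end-session/"
+# Optionally enable auto-login (bypasses Grafana login screen)
+"GF_AUTH_OAUTH_AUTO_LOGIN" = "false"
+# Optionally map user groups to Grafana roles
+"GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH" = "contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'"
+
+}
+}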
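Review bot: With `GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP` set to `"true"` and the role expression ending in `|| 'Viewer'`, every authentik account that can complete the authorization flow is auto-provisioned as a Grafana Viewer: the `Grafana Viewers` group is created but never consulted, and nothing in this file binds a policy to `authentik_application.grafana` to limit who can reach it. Make the viewer tier explicit and fail login for everyone else by adding `"GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_STRICT" = "true"` and changing the fallback to `contains(groups, 'Grafana Viewers') && 'Viewer'`; alternatively restrict the application on the authentik side with a group policy binding. This depends on a `groups` claim being present in the userinfo response, which the three default scope mappings referenced here should provide, but confirm against the endpoint before turning strict mode on. Two smaller points: the `openssl rand -hex 16` comment above `client_id` is stale now that the value comes from `random_id.client_id`, and `GF_AUTH_GENERIC_SIGNOUT_REDIRECT_URL` does not look like a Grafana setting, so it is probably ignored and can be dropped in favour of the `GF_AUTH_SIGNOUT_REDIRECT_URL` line above it.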
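--- /dev/null
+++ b/authentik/groups.tf
@@ -0,0 +1,3 @@
+data "authentik_group" "admins" {
+name = "authentik Admins"
+}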
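--- /dev/null
+++ b/authentik/paperless-ngx.tf
@@ -0,0 +1,28 @@
+resource "random_id" "paperless_client_id" {
+byte_length = 16
+}
+
+resource "authentik_provider_oauth2" "paperless" {
+name = "Paperless"
+# Required. You can use the output of:
+# $ openssl rand -hex 16
+client_id = random_id.paperless_client_id.id
+
+authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
+
+redirect_uris = [
+"https://paperless.lab.cowley.tech/accounts/oidc/authentik/login/callback/"
+]
+
+# property_mappings = [
+# data.authentik_scope_mapping.scope-email.id,
+# data.authentik_scope_mapping.scope-profile.id,
+# data.authentik_scope_mapping.scope-openid.id,
+# ]
+}
+
+resource "authentik_application" "paperless" {
+name = "Paperless"
+slug = "paperless"
+protocol_provider = authentik_provider_oauth2.paperless.id
+}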
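Review bot: `property_mappings` is commented out on the Paperless provider, so unlike the Grafana provider in this same commit it declares no openid/profile/email scope mappings; whether the callback at `/accounts/oidc/authentik/login/callback/` then receives the `email` and `preferred_username` claims it needs to match or create accounts depends on the provider's defaults in this authentik version, which I can't confirm from here. Unless leaving them out was deliberate, uncomment the block so the two providers are configured the same way. Also, the generated `client_secret` is not written anywhere (there is no `kubernetes_secret` counterpart to the Grafana one), so it exists only in the Terraform state; if the Paperless deployment is meant to consume it, wire it into a secret resource rather than copying it out of `tfstate` by hand, and consider adding `sensitive = true` outputs if it must be read back at all.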
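--- /dev/null
+++ b/authentik/provider.tf
@@ -0,0 +1,15 @@
+terraform {
+required_providers {
+kubernetes = {
+source = "hashicorp/kubernetes"
+version = "2.31.0"
+}
+authentik = {
+source = "goauthentik/authentik"
+version = "2024.6.0"
+}
+}
+}
+provider "authentik" {}
+provider "kubernetes" {
+}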
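Review bot: `required_providers` pins `kubernetes` and `authentik` but omits `hashicorp/random`, which `grafana.tf` and `paperless-ngx.tf` use for `random_id`; the lock file in this commit records it with no `constraints` line, so it is resolved implicitly and will float to whatever version a future `terraform init -upgrade` picks. Declare and pin it alongside the others. There is also no `backend` block, so state stays local; that state holds the generated OAuth client secrets and the Kubernetes Secret contents, which is acceptable for a lab only as long as `**/*tfstate*` remains in `.gitignore` and the directory is not shared. The empty `provider "authentik" {}` block presumably takes its URL and token from the environment (the gitignored `.envrc`); a comment saying so would help the next person running `make init`.

```hcl
terraform {
  required_providers {
    # … unchanged: kubernetes, authentik …
    random = {
      source  = "hashicorp/random"
      version = "3.6.2"
    }
  }
}
```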
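--- /dev/null
+++ b/authentik/users.tf
@@ -0,0 +1,11 @@
+resource "authentik_user" "chriscowley" {
+username = "chriscowley"
+name = "Chris Cowley"
+
+email = "chriscowleysound@gmail.com"
+
+groups = [
+data.authentik_group.admins.id,
+authentik_group.grafana_admins.id,
+]
+}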