commit a236d3a0a624eb44aff091051ed7c1665222933d
Author: Chris Cowley <1736762+chriscowley@users.noreply.github.com>
Date: Thu Jun 27 10:09:49 2024 +0200
initial commit
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..bc5396c
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+**/.envrc
+**/tfplan
+**/*tfstate*
+**/.terraform
diff --git a/authentik/.terraform.lock.hcl b/authentik/.terraform.lock.hcl
new file mode 100644
index 0000000..913ba7f
--- /dev/null
+++ b/authentik/.terraform.lock.hcl
@@ -0,0 +1,63 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/goauthentik/authentik" {
+ version = "2024.6.0"
+ constraints = "2024.6.0"
+ hashes = [
+ "h1:S9p9njz1sEpXMOY7vL6YGqOVMfYsX1AbUy2GhJ121C0=",
+ "zh:1faa2890439a76b18b05f6c7c753502615de5e34157dc77a2d2d4bbfd6ab4dc8",
+ "zh:288ce51c155380b55eb5b6cd82158b1d7e7193cede072f8be4735a4d6b1421fe",
+ "zh:397e2a61f36fadbcf7e07f914d27139c3d828323c77445194e6e6721e5f4fb3b",
+ "zh:3bdff2f4131fdc70eb5d0ae88f28e0c470b8dbde00735b239603347a451a2df0",
+ "zh:3c959ad7d3f4645e942ae4f33ab8736781df44e12f7185e35622e00625ee6f96",
+ "zh:66f8e918229a0b4d9654244d6bca921547ea7ee6582d302c37d96db3252315a3",
+ "zh:68b098049de3818290978c5db855a6fc52618dea9f7c180c5e4e322144a9d801",
+ "zh:6986198640803382504afeaac069a3f7c89262f44e03f6916005766095f4ac80",
+ "zh:6edfe344fa96e55de95dba04d58d08b332b59dadf93c822d38e321f4cb6fe4f5",
+ "zh:a4325ae5bed223665f39534397cfae9b4f9364b98523d200200f240deaf7f797",
+ "zh:cb60056969297c1aaaf213a477080780ef957926ec64913fab1db33409bc4c08",
+ "zh:e744a42dc4dba812846a837fc328f73e390531a64c16a1e280a5c1fea4c7e176",
+ "zh:f1ea072c1d3a7becdc4579bc85903642532639f134c8cf7e49e2e0f3bad5aee3",
+ "zh:f4a0c5a664d131d5c6a00e194b855e76ac5e6f0e0404e85e6fc3fa95029b10c1",
+ ]
+}
+
+provider "registry.terraform.io/hashicorp/kubernetes" {
+ version = "2.31.0"
+ constraints = "2.31.0"
+ hashes = [
+ "h1:+KpzTrSzd864Fd6+qAQl4cu0/x9N5TqgLAxvyyLSp88=",
+ "zh:0d16b861edb2c021b3e9d759b8911ce4cf6d531320e5dc9457e2ea64d8c54ecd",
+ "zh:1bad69ed535a5f32dec70561eb481c432273b81045d788eb8b37f2e4a322cc40",
+ "zh:43c58e3912fcd5bb346b5cb89f31061508a9be3ca7dd4cd8169c066203bcdfb3",
+ "zh:4778123da9206918a92dfa73cc711475d2b9a8275ff25c13a30513c523ac9660",
+ "zh:8bfa67d2db03b3bfae62beebe6fb961aee8d91b7a766efdfe4d337b33dfd23dd",
+ "zh:9020bb5729db59a520ade5e24984b737e65f8b81751fbbd343926f6d44d22176",
+ "zh:90431dbfc5b92498bfbce38f0b989978c84421a6c33245b97788a46b563fbd6e",
+ "zh:b71a061dda1244f6a52500e703a9524b851e7b11bbf238c17bbd282f27d51cb2",
+ "zh:d6232a7651b834b89591b94bf4446050119dcde740247e6083a4d55a2cefd28a",
+ "zh:d89fba43e699e28e2b5e92fff2f75fc03dbc8de0df9dacefe1a8836f8f430753",
+ "zh:ef85c0b744f5ba1b10dadc3c11e331ba4225c45bb733e024d7218c24b02b0512",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ ]
+}
+
+provider "registry.terraform.io/hashicorp/random" {
+ version = "3.6.2"
+ hashes = [
+ "h1:UQlmHGddu39vVzG8kruMsde4GHlG+1S7OLqFApbJvtc=",
+ "zh:0ef01a4f81147b32c1bea3429974d4d104bbc4be2ba3cfa667031a8183ef88ec",
+ "zh:1bcd2d8161e89e39886119965ef0f37fcce2da9c1aca34263dd3002ba05fcb53",
+ "zh:37c75d15e9514556a5f4ed02e1548aaa95c0ecd6ff9af1119ac905144c70c114",
+ "zh:4210550a767226976bc7e57d988b9ce48f4411fa8a60cd74a6b246baf7589dad",
+ "zh:562007382520cd4baa7320f35e1370ffe84e46ed4e2071fdc7e4b1a9b1f8ae9b",
+ "zh:5efb9da90f665e43f22c2e13e0ce48e86cae2d960aaf1abf721b497f32025916",
+ "zh:6f71257a6b1218d02a573fc9bff0657410404fb2ef23bc66ae8cd968f98d5ff6",
+ "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+ "zh:9647e18f221380a85f2f0ab387c68fdafd58af6193a932417299cdcae4710150",
+ "zh:bb6297ce412c3c2fa9fec726114e5e0508dd2638cad6a0cb433194930c97a544",
+ "zh:f83e925ed73ff8a5ef6e3608ad9225baa5376446349572c2449c0c0b3cf184b7",
+ "zh:fbef0781cb64de76b1df1ca11078aecba7800d82fd4a956302734999cfd9a4af",
+ ]
+}
diff --git a/authentik/Makefile b/authentik/Makefile
new file mode 100644
index 0000000..b20c5fb
--- /dev/null
+++ b/authentik/Makefile
@@ -0,0 +1,8 @@
+init:
+ @terraform init
+
+plan:
+ @terraform plan -out tfplan
+
+apply:plan
+ @terraform apply tfplan
diff --git a/authentik/grafana.tf b/authentik/grafana.tf
new file mode 100644
index 0000000..e03dfa2
--- /dev/null
+++ b/authentik/grafana.tf
@@ -0,0 +1,84 @@
+data "authentik_flow" "default-provider-authorization-implicit-consent" {
+ slug = "default-provider-authorization-implicit-consent"
+}
+
+data "authentik_scope_mapping" "scope-email" {
+ name = "authentik default OAuth Mapping: OpenID 'email'"
+}
+
+data "authentik_scope_mapping" "scope-profile" {
+ name = "authentik default OAuth Mapping: OpenID 'profile'"
+}
+
+data "authentik_scope_mapping" "scope-openid" {
+ name = "authentik default OAuth Mapping: OpenID 'openid'"
+}
+
+resource "random_id" "client_id" {
+ byte_length = 16
+}
+
+resource "authentik_provider_oauth2" "grafana" {
+ name = "Grafana"
+ # Required. You can use the output of:
+ # $ openssl rand -hex 16
+ client_id = random_id.client_id.id
+
+ # Optional: will be generated if not provided
+ # client_secret = "my_client_secret"
+
+ authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
+
+ redirect_uris = [
+ "https://grafana.lab.cowley.tech/login/generic_oauth"
+ ]
+
+ property_mappings = [
+ data.authentik_scope_mapping.scope-email.id,
+ data.authentik_scope_mapping.scope-profile.id,
+ data.authentik_scope_mapping.scope-openid.id,
+ ]
+}
+
+resource "authentik_application" "grafana" {
+ name = "Grafana"
+ slug = "grafana"
+ protocol_provider = authentik_provider_oauth2.grafana.id
+}
+
+resource "authentik_group" "grafana_admins" {
+ name = "Grafana Admins"
+}
+
+resource "authentik_group" "grafana_editors" {
+ name = "Grafana Editors"
+}
+
+resource "authentik_group" "grafana_viewers" {
+ name = "Grafana Viewers"
+}
+
+resource "kubernetes_secret" "grafana-authentik" {
+ metadata {
+ name = "grafana-authentik"
+ namespace = "monitoring"
+ }
+ data = {
+ "GF_AUTH_GENERIC_OAUTH_ENABLED" = "true"
+ "GF_AUTH_GENERIC_OAUTH_CLIENT_ID" = authentik_provider_oauth2.grafana.client_id
+ "GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET" = authentik_provider_oauth2.grafana.client_secret
+ "GF_AUTH_GENERIC_OAUTH_NAME" = "authentik"
+ "GF_AUTH_GENERIC_OAUTH_SCOPES" = "openid profile email"
+ "GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP" = "true"
+ "GF_AUTH_GENERIC_OAUTH_AUTH_URL" = "https://auth.lab.cowley.tech/application/o/authorize/"
+ "GF_AUTH_GENERIC_OAUTH_TOKEN_URL" = "https://auth.lab.cowley.tech/application/o/token/"
+ "GF_AUTH_GENERIC_OAUTH_API_URL" = "https://auth.lab.cowley.tech/application/o/userinfo/"
+ "GF_AUTH_SIGNOUT_REDIRECT_URL" = "https://auth.lab.cowley.tech/application/o/grafana/end-session/"
+ "GF_AUTH_GENERIC_SIGNOUT_REDIRECT_URL" = "https://auth.lab.cowley.tech/application/o/grafana/end-session/"
+ # Optionally enable auto-login (bypasses Grafana login screen)
+ "GF_AUTH_OAUTH_AUTO_LOGIN" = "false"
+ # Optionally map user groups to Grafana roles
+ "GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH" = "contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'"
+
+ }
+}
diff --git a/authentik/groups.tf b/authentik/groups.tf
new file mode 100644
index 0000000..0dd38e9
--- /dev/null
+++ b/authentik/groups.tf
@@ -0,0 +1,3 @@
+data "authentik_group" "admins" {
+ name = "authentik Admins"
+}
diff --git a/authentik/paperless-ngx.tf b/authentik/paperless-ngx.tf
new file mode 100644
index 0000000..0719554
--- /dev/null
+++ b/authentik/paperless-ngx.tf
@@ -0,0 +1,28 @@
+resource "random_id" "paperless_client_id" {
+ byte_length = 16
+}
+
+resource "authentik_provider_oauth2" "paperless" {
+ name = "Paperless"
+ # Required. You can use the output of:
+ # $ openssl rand -hex 16
+ client_id = random_id.paperless_client_id.id
+
+ authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
+
+ redirect_uris = [
+ "https://paperless.lab.cowley.tech/accounts/oidc/authentik/login/callback/"
+ ]
+
+# property_mappings = [
+# data.authentik_scope_mapping.scope-email.id,
+# data.authentik_scope_mapping.scope-profile.id,
+# data.authentik_scope_mapping.scope-openid.id,
+# ]
+}
+
+resource "authentik_application" "paperless" {
+ name = "Paperless"
+ slug = "paperless"
+ protocol_provider = authentik_provider_oauth2.paperless.id
+}
diff --git a/authentik/provider.tf b/authentik/provider.tf
new file mode 100644
index 0000000..bf09968
--- /dev/null
+++ b/authentik/provider.tf
@@ -0,0 +1,15 @@
+terraform {
+ required_providers {
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = "2.31.0"
+ }
+ authentik = {
+ source = "goauthentik/authentik"
+ version = "2024.6.0"
+ }
+ }
+}
+provider "authentik" {}
+provider "kubernetes" {
+}
diff --git a/authentik/users.tf b/authentik/users.tf
new file mode 100644
index 0000000..ef31b5b
--- /dev/null
+++ b/authentik/users.tf
@@ -0,0 +1,11 @@
+resource "authentik_user" "chriscowley" {
+ username = "chriscowley"
+ name = "Chris Cowley"
+
+ email = "chriscowleysound@gmail.com"
+
+ groups = [
+ data.authentik_group.admins.id,
+ authentik_group.grafana_admins.id,
+ ]
+}
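Review bot: The `property_mappings` block on `authentik_provider_oauth2.paperless` is commented out, so the provider is created with no scope mappings; as far as I know authentik only releases the `openid`, `profile` and `email` claims when a mapping for each scope is attached, so the Paperless callback at `/accounts/oidc/authentik/login/callback/` will most likely get a token with no email or username and the account creation will fail. Uncomment the five `property_mappings` lines so they match the list used by `authentik_provider_oauth2.grafana` in grafana.tf, or leave a comment explaining why Paperless deliberately gets none. The `# Required. You can use the output of: $ openssl rand -hex 16` comment is stale here for the same reason as in grafana.tf, since `client_id` is taken from `random_id.paperless_client_id.id`.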
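Review bot: `required_providers` in provider.tf lists only `kubernetes` and `authentik`, although `random_id` resources are declared in grafana.tf and paperless-ngx.tf; Terraform resolves that to `hashicorp/random` implicitly, which is why `.terraform.lock.hcl` records `random` at `3.6.2` with no `constraints` line. Pin it alongside the others: `random = { source = "hashicorp/random", version = "3.6.2" }`. `provider "authentik" {}` carries no `url` or `token`, so the provider must be reading them from the environment (presumably the gitignored `.envrc`); a comment such as `# url/token are supplied via AUTHENTIK_URL / AUTHENTIK_TOKEN from .envrc (gitignored)` would save the next reader a guess.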