initial commit

2024-06-27 10:09:49 +02:00 · 2024-06-27 10:09:49 +02:00 · a236d3a0a6
commit a236d3a0a6
8 changed files with 216 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,4 @@
 **/.envrc
 **/tfplan
 **/*tfstate*
 **/.terraform
--- a/authentik/.terraform.lock.hcl
+++ b/authentik/.terraform.lock.hcl
@ -0,0 +1,63 @@
 # This file is maintained automatically by "terraform init".
 # Manual edits may be lost in future updates.
 provider "registry.terraform.io/goauthentik/authentik" {
  version     = "2024.6.0"
  constraints = "2024.6.0"
  hashes = [
    "h1:S9p9njz1sEpXMOY7vL6YGqOVMfYsX1AbUy2GhJ121C0=",
    "zh:1faa2890439a76b18b05f6c7c753502615de5e34157dc77a2d2d4bbfd6ab4dc8",
    "zh:288ce51c155380b55eb5b6cd82158b1d7e7193cede072f8be4735a4d6b1421fe",
    "zh:397e2a61f36fadbcf7e07f914d27139c3d828323c77445194e6e6721e5f4fb3b",
    "zh:3bdff2f4131fdc70eb5d0ae88f28e0c470b8dbde00735b239603347a451a2df0",
    "zh:3c959ad7d3f4645e942ae4f33ab8736781df44e12f7185e35622e00625ee6f96",
    "zh:66f8e918229a0b4d9654244d6bca921547ea7ee6582d302c37d96db3252315a3",
    "zh:68b098049de3818290978c5db855a6fc52618dea9f7c180c5e4e322144a9d801",
    "zh:6986198640803382504afeaac069a3f7c89262f44e03f6916005766095f4ac80",
    "zh:6edfe344fa96e55de95dba04d58d08b332b59dadf93c822d38e321f4cb6fe4f5",
    "zh:a4325ae5bed223665f39534397cfae9b4f9364b98523d200200f240deaf7f797",
    "zh:cb60056969297c1aaaf213a477080780ef957926ec64913fab1db33409bc4c08",
    "zh:e744a42dc4dba812846a837fc328f73e390531a64c16a1e280a5c1fea4c7e176",
    "zh:f1ea072c1d3a7becdc4579bc85903642532639f134c8cf7e49e2e0f3bad5aee3",
    "zh:f4a0c5a664d131d5c6a00e194b855e76ac5e6f0e0404e85e6fc3fa95029b10c1",
  ]
 }
 provider "registry.terraform.io/hashicorp/kubernetes" {
  version     = "2.31.0"
  constraints = "2.31.0"
  hashes = [
    "h1:+KpzTrSzd864Fd6+qAQl4cu0/x9N5TqgLAxvyyLSp88=",
    "zh:0d16b861edb2c021b3e9d759b8911ce4cf6d531320e5dc9457e2ea64d8c54ecd",
    "zh:1bad69ed535a5f32dec70561eb481c432273b81045d788eb8b37f2e4a322cc40",
    "zh:43c58e3912fcd5bb346b5cb89f31061508a9be3ca7dd4cd8169c066203bcdfb3",
    "zh:4778123da9206918a92dfa73cc711475d2b9a8275ff25c13a30513c523ac9660",
    "zh:8bfa67d2db03b3bfae62beebe6fb961aee8d91b7a766efdfe4d337b33dfd23dd",
    "zh:9020bb5729db59a520ade5e24984b737e65f8b81751fbbd343926f6d44d22176",
    "zh:90431dbfc5b92498bfbce38f0b989978c84421a6c33245b97788a46b563fbd6e",
    "zh:b71a061dda1244f6a52500e703a9524b851e7b11bbf238c17bbd282f27d51cb2",
    "zh:d6232a7651b834b89591b94bf4446050119dcde740247e6083a4d55a2cefd28a",
    "zh:d89fba43e699e28e2b5e92fff2f75fc03dbc8de0df9dacefe1a8836f8f430753",
    "zh:ef85c0b744f5ba1b10dadc3c11e331ba4225c45bb733e024d7218c24b02b0512",
    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
  ]
 }
 provider "registry.terraform.io/hashicorp/random" {
  version = "3.6.2"
  hashes = [
    "h1:UQlmHGddu39vVzG8kruMsde4GHlG+1S7OLqFApbJvtc=",
    "zh:0ef01a4f81147b32c1bea3429974d4d104bbc4be2ba3cfa667031a8183ef88ec",
    "zh:1bcd2d8161e89e39886119965ef0f37fcce2da9c1aca34263dd3002ba05fcb53",
    "zh:37c75d15e9514556a5f4ed02e1548aaa95c0ecd6ff9af1119ac905144c70c114",
    "zh:4210550a767226976bc7e57d988b9ce48f4411fa8a60cd74a6b246baf7589dad",
    "zh:562007382520cd4baa7320f35e1370ffe84e46ed4e2071fdc7e4b1a9b1f8ae9b",
    "zh:5efb9da90f665e43f22c2e13e0ce48e86cae2d960aaf1abf721b497f32025916",
    "zh:6f71257a6b1218d02a573fc9bff0657410404fb2ef23bc66ae8cd968f98d5ff6",
    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
    "zh:9647e18f221380a85f2f0ab387c68fdafd58af6193a932417299cdcae4710150",
    "zh:bb6297ce412c3c2fa9fec726114e5e0508dd2638cad6a0cb433194930c97a544",
    "zh:f83e925ed73ff8a5ef6e3608ad9225baa5376446349572c2449c0c0b3cf184b7",
    "zh:fbef0781cb64de76b1df1ca11078aecba7800d82fd4a956302734999cfd9a4af",
  ]
 }
--- a/authentik/Makefile
+++ b/authentik/Makefile
@ -0,0 +1,8 @@
 init:
 	@terraform init
 plan:
 	@terraform plan -out tfplan
 apply:plan
 	@terraform apply tfplan
--- a/authentik/grafana.tf
+++ b/authentik/grafana.tf
@ -0,0 +1,84 @@
 data "authentik_flow" "default-provider-authorization-implicit-consent" {
  slug = "default-provider-authorization-implicit-consent"
 }
 data "authentik_scope_mapping" "scope-email" {
  name = "authentik default OAuth Mapping: OpenID 'email'"
 }
 data "authentik_scope_mapping" "scope-profile" {
  name = "authentik default OAuth Mapping: OpenID 'profile'"
 }
 data "authentik_scope_mapping" "scope-openid" {
  name = "authentik default OAuth Mapping: OpenID 'openid'"
 }
 resource "random_id" "client_id" {
  byte_length = 16
 }
 resource "authentik_provider_oauth2" "grafana" {
  name          = "Grafana"
  #  Required. You can use the output of:
  #     $ openssl rand -hex 16
  client_id     = random_id.client_id.id
  # Optional: will be generated if not provided
  # client_secret = "my_client_secret"
  authorization_flow  = data.authentik_flow.default-provider-authorization-implicit-consent.id
  redirect_uris = [
    "https://grafana.lab.cowley.tech/login/generic_oauth"
  ]
  property_mappings = [
    data.authentik_scope_mapping.scope-email.id,
    data.authentik_scope_mapping.scope-profile.id,
    data.authentik_scope_mapping.scope-openid.id,
  ]
 }
 resource "authentik_application" "grafana" {
  name              = "Grafana"
  slug              = "grafana"
  protocol_provider = authentik_provider_oauth2.grafana.id
 }
 resource "authentik_group" "grafana_admins" {
  name    = "Grafana Admins"
 }
 resource "authentik_group" "grafana_editors" {
  name    = "Grafana Editors"
 }
 resource "authentik_group" "grafana_viewers" {
  name    = "Grafana Viewers"
 }
 resource "kubernetes_secret" "grafana-authentik" {
  metadata {
    name = "grafana-authentik"
    namespace = "monitoring"
  }
  data = {
    "GF_AUTH_GENERIC_OAUTH_ENABLED" = "true"
    "GF_AUTH_GENERIC_OAUTH_CLIENT_ID" = authentik_provider_oauth2.grafana.client_id
    "GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET" = authentik_provider_oauth2.grafana.client_secret
    "GF_AUTH_GENERIC_OAUTH_NAME" = "authentik"
    "GF_AUTH_GENERIC_OAUTH_SCOPES" = "openid profile email"
    "GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP" = "true"
    "GF_AUTH_GENERIC_OAUTH_AUTH_URL" = "https://auth.lab.cowley.tech/application/o/authorize/"
    "GF_AUTH_GENERIC_OAUTH_TOKEN_URL" = "https://auth.lab.cowley.tech/application/o/token/"
    "GF_AUTH_GENERIC_OAUTH_API_URL" = "https://auth.lab.cowley.tech/application/o/userinfo/"
    "GF_AUTH_SIGNOUT_REDIRECT_URL" = "https://auth.lab.cowley.tech/application/o/grafana/end-session/"
    "GF_AUTH_GENERIC_SIGNOUT_REDIRECT_URL" = "https://auth.lab.cowley.tech/application/o/grafana/end-session/"
    # Optionally enable auto-login (bypasses Grafana login screen)
    "GF_AUTH_OAUTH_AUTO_LOGIN" = "false"
    # Optionally map user groups to Grafana roles
    "GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH" = "contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'"
  }
 }
--- a/authentik/groups.tf
+++ b/authentik/groups.tf
@ -0,0 +1,3 @@
 data "authentik_group" "admins" {
  name = "authentik Admins"
 }
--- a/authentik/paperless-ngx.tf
+++ b/authentik/paperless-ngx.tf
@ -0,0 +1,28 @@
 resource "random_id" "paperless_client_id" {
  byte_length = 16
 }
 resource "authentik_provider_oauth2" "paperless" {
  name          = "Paperless"
  #  Required. You can use the output of:
  #     $ openssl rand -hex 16
  client_id     = random_id.paperless_client_id.id
  authorization_flow  = data.authentik_flow.default-provider-authorization-implicit-consent.id
  redirect_uris = [
    "https://paperless.lab.cowley.tech/accounts/oidc/authentik/login/callback/"
  ]
 #  property_mappings = [
 #    data.authentik_scope_mapping.scope-email.id,
 #    data.authentik_scope_mapping.scope-profile.id,
 #    data.authentik_scope_mapping.scope-openid.id,
 #  ]
 }
 resource "authentik_application" "paperless" {
  name              = "Paperless"
  slug              = "paperless"
  protocol_provider = authentik_provider_oauth2.paperless.id
 }
--- a/authentik/provider.tf
+++ b/authentik/provider.tf
@ -0,0 +1,15 @@
 terraform {
  required_providers {
    kubernetes = {
      source = "hashicorp/kubernetes"
      version = "2.31.0"
    }
    authentik = {
      source = "goauthentik/authentik"
      version = "2024.6.0"
    }
  }
 }
 provider "authentik" {}
 provider "kubernetes" {
 }
--- a/authentik/users.tf
+++ b/authentik/users.tf
@ -0,0 +1,11 @@
 resource "authentik_user" "chriscowley" {
  username = "chriscowley"
  name = "Chris Cowley"
  email = "chriscowleysound@gmail.com"
  groups = [
    data.authentik_group.admins.id,
    authentik_group.grafana_admins.id,
  ]
 }