many things

authentik/.terraform.lock.hcl

@@ -41,6 +41,23 @@ provider "registry.opentofu.org/hashicorp/kubernetes" {
   ]
 }
 
+provider "registry.opentofu.org/hashicorp/local" {
+  version = "2.5.1"
+  hashes = [
+    "h1:8bCbJcRyrXb0YmskSdP0XtTLINolscfZ6oWaXgtXLHI=",
+    "zh:031c2c2070672b7e78e0aa15560839278dc57fe7cf1e58a617ac13c67b31d5fb",
+    "zh:1ef64ea4f8382cd538a76f3d319f405d18130dc3280f1c16d6aaa52a188ecaa4",
+    "zh:422ce45691b2f384dbd4596fdc8209d95cb43d85a82aaa0173089d38976d6e96",
+    "zh:7415fbd8da72d9363ba55dd8115837714f9534f5a9a518ec42268c2da1b9ed2f",
+    "zh:92aa22d071339c8ef595f18a9f9245c287266c80689f5746b26e10eaed04d542",
+    "zh:9cd0d99f5d3be835d6336c19c4057af6274e193e677ecf6370e5b0de12b4aafe",
+    "zh:a8c1525b389be5809a97f02aa7126e491ba518f97f57ed3095a3992f2134bb8f",
+    "zh:b336fa75f72643154b07c09b3968e417a41293358a54fe03efc0db715c5451e6",
+    "zh:c66529133599a419123ad2e42874afbd9aba82bd1de2b15cc68d2a1e665d4c8e",
+    "zh:c7568f75ba6cb7c3660b69eaab8b0e4278533bd9a7a4c33ee6590cc7e69743ea",
+  ]
+}
+
 provider "registry.opentofu.org/hashicorp/random" {
   version = "3.6.2"
   hashes = [

authentik/chat.tf

@@ -0,0 +1,50 @@
+resource "random_id" "chat_client_id" {
+  byte_length = 16
+}
+
+resource "authentik_provider_oauth2" "chat" {
+  name = "Chat"
+  #  Required. You can use the output of:
+  #     $ openssl rand -hex 16
+  client_id = random_id.chat_client_id.id
+
+  # Optional: will be generated if not provided
+  # client_secret = "my_client_secret"
+
+  authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
+
+  redirect_uris = [
+    "https://chat.lab.cowley.tech/oauth/oidc/callback"
+  ]
+  property_mappings = [
+    data.authentik_scope_mapping.scope-openid.id,
+    data.authentik_scope_mapping.scope-email.id,
+    data.authentik_scope_mapping.scope-profile.id,
+  ]
+  lifecycle {
+    ignore_changes = [
+      signing_key,
+      authentication_flow,
+    ]
+  }
+}
+
+resource "authentik_application" "chat" {
+  name              = "Chat"
+  slug              = "chat"
+  protocol_provider = authentik_provider_oauth2.chat.id
+}
+
+resource "kubernetes_secret" "chat" {
+  metadata {
+    name      = "open-webui-authentik"
+    namespace = "ollama"
+  }
+  data = {
+    OAUTH_CLIENT_ID     = authentik_provider_oauth2.chat.client_id
+    OAUTH_CLIENT_SECRET = authentik_provider_oauth2.chat.client_secret
+    OPENID_PROVIDER_URL = "https://auth.lab.cowley.tech/application/o/chat/.well-known/openid-configuration"
+    OAUTH_PROVIDER_NAME = "Authentik"
+    OAUTH_SCOPES        = "openid email profile"
+  }
+}

authentik/foo.bar

@@ -0,0 +1 @@
+Zo7QLQh2eAe2XCUv6yOKZ0GRcW3k9zCFEqLUmHe0Mq3SyMED27YMGM1gKKe4xi2iqY4m4RPQ9eWI4NUygmWLISuaUnpa6GNZACrnnC4wcde1fEqzG4GwXawZ2HOQE51V

authentik/grafana.tf

@@ -19,15 +19,15 @@ resource "random_id" "client_id" {
 }
 
 resource "authentik_provider_oauth2" "grafana" {
-  name          = "Grafana"
+  name = "Grafana"
   #  Required. You can use the output of:
   #     $ openssl rand -hex 16
-  client_id     = random_id.client_id.id
+  client_id = random_id.client_id.id
 
   # Optional: will be generated if not provided
   # client_secret = "my_client_secret"
 
-  authorization_flow  = data.authentik_flow.default-provider-authorization-implicit-consent.id
+  authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
 
   redirect_uris = [
     "https://grafana.lab.cowley.tech/login/generic_oauth"
@@ -38,6 +38,13 @@ resource "authentik_provider_oauth2" "grafana" {
     data.authentik_scope_mapping.scope-profile.id,
     data.authentik_scope_mapping.scope-openid.id,
   ]
+
+  lifecycle {
+    ignore_changes = [
+      signing_key,
+      authentication_flow,
+    ]
+  }
 }
 
 resource "authentik_application" "grafana" {
@@ -47,33 +54,33 @@ resource "authentik_application" "grafana" {
 }
 
 resource "authentik_group" "grafana_admins" {
-  name    = "Grafana Admins"
+  name = "Grafana Admins"
 }
 
 resource "authentik_group" "grafana_editors" {
-  name    = "Grafana Editors"
+  name = "Grafana Editors"
 }
 
 resource "authentik_group" "grafana_viewers" {
-  name    = "Grafana Viewers"
+  name = "Grafana Viewers"
 }
 
 resource "kubernetes_secret" "grafana-authentik" {
   metadata {
-    name = "grafana-authentik"
+    name      = "grafana-authentik"
     namespace = "monitoring"
   }
   data = {
-    "GF_AUTH_GENERIC_OAUTH_ENABLED" = "true"
-    "GF_AUTH_GENERIC_OAUTH_CLIENT_ID" = authentik_provider_oauth2.grafana.client_id
-    "GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET" = authentik_provider_oauth2.grafana.client_secret
-    "GF_AUTH_GENERIC_OAUTH_NAME" = "authentik"
-    "GF_AUTH_GENERIC_OAUTH_SCOPES" = "openid profile email"
-    "GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP" = "true"
-    "GF_AUTH_GENERIC_OAUTH_AUTH_URL" = "https://auth.lab.cowley.tech/application/o/authorize/"
-    "GF_AUTH_GENERIC_OAUTH_TOKEN_URL" = "https://auth.lab.cowley.tech/application/o/token/"
-    "GF_AUTH_GENERIC_OAUTH_API_URL" = "https://auth.lab.cowley.tech/application/o/userinfo/"
-    "GF_AUTH_SIGNOUT_REDIRECT_URL" = "https://auth.lab.cowley.tech/application/o/grafana/end-session/"
+    "GF_AUTH_GENERIC_OAUTH_ENABLED"        = "true"
+    "GF_AUTH_GENERIC_OAUTH_CLIENT_ID"      = authentik_provider_oauth2.grafana.client_id
+    "GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET"  = authentik_provider_oauth2.grafana.client_secret
+    "GF_AUTH_GENERIC_OAUTH_NAME"           = "authentik"
+    "GF_AUTH_GENERIC_OAUTH_SCOPES"         = "openid profile email"
+    "GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP"  = "true"
+    "GF_AUTH_GENERIC_OAUTH_AUTH_URL"       = "https://auth.lab.cowley.tech/application/o/authorize/"
+    "GF_AUTH_GENERIC_OAUTH_TOKEN_URL"      = "https://auth.lab.cowley.tech/application/o/token/"
+    "GF_AUTH_GENERIC_OAUTH_API_URL"        = "https://auth.lab.cowley.tech/application/o/userinfo/"
+    "GF_AUTH_SIGNOUT_REDIRECT_URL"         = "https://auth.lab.cowley.tech/application/o/grafana/end-session/"
     "GF_AUTH_GENERIC_SIGNOUT_REDIRECT_URL" = "https://auth.lab.cowley.tech/application/o/grafana/end-session/"
     # Optionally enable auto-login (bypasses Grafana login screen)
     "GF_AUTH_OAUTH_AUTO_LOGIN" = "false"

authentik/immich.tf

@@ -0,0 +1,59 @@
+#data "authentik_flow" "default-provider-authorization-implicit-consent" {
+#  slug = "default-provider-authorization-implicit-consent"
+#}
+#
+#data "authentik_scope_mapping" "scope-email" {
+#  name = "authentik default OAuth Mapping: OpenID 'email'"
+#}
+#
+#data "authentik_scope_mapping" "scope-profile" {
+#  name = "authentik default OAuth Mapping: OpenID 'profile'"
+#}
+#
+#data "authentik_scope_mapping" "scope-openid" {
+#  name = "authentik default OAuth Mapping: OpenID 'openid'"
+#}
+#
+resource "random_id" "immich_client_id" {
+  byte_length = 16
+}
+
+resource "authentik_provider_oauth2" "immich" {
+  name = "Immich"
+  #  Required. You can use the output of:
+  #     $ openssl rand -hex 16
+  client_id = random_id.immich_client_id.id
+
+  # Optional: will be generated if not provided
+  # client_secret = "my_client_secret"
+
+  authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
+
+  redirect_uris = [
+    "app.immich:/",
+    "https://photos.lab.cowley.tech/auth/login",
+    "https://photos.lab.cowley.tech/user-settings",
+  ]
+  property_mappings = [
+    data.authentik_scope_mapping.scope-email.id,
+    data.authentik_scope_mapping.scope-profile.id,
+    data.authentik_scope_mapping.scope-openid.id,
+  ]
+  lifecycle {
+    ignore_changes = [
+      signing_key,
+      authentication_flow,
+    ]
+  }
+}
+
+resource "authentik_application" "immich" {
+  name              = "Immich"
+  slug              = "immich"
+  protocol_provider = authentik_provider_oauth2.immich.id
+}
+
+resource "local_file" "foo" {
+  content  = authentik_provider_oauth2.immich.client_secret
+  filename = "${path.module}/foo.bar"
+}

authentik/nextcloud.tf

@@ -0,0 +1,71 @@
+#data "authentik_scope_mapping" "nextcloud" {
+#  name = "Nextcloud Profile"
+#}
+resource "authentik_scope_mapping" "nextcloud-scope" {
+  name       = "Nextcloud Profile"
+  scope_name = "profile"
+  expression = <<EOF
+# Extract all groups the user is a member of
+groups = [group.name for group in user.ak_groups.all()]
+
+# Nextcloud admins must be members of a group called "admin".
+# This is static and cannot be changed.
+# We append a fictional "admin" group to the user's groups if they are an admin in authentik.
+# This group would only be visible in Nextcloud and does not exist in authentik.
+if user.is_superuser and "Nextcloud Admin" not in groups:
+    groups.append("admin")
+
+return {
+    "name": request.user.name,
+    "groups": groups,
+    # To set a quota set the "nextcloud_quota" property in the user's attributes
+    "quota": user.group_attributes().get("nextcloud_quota", None),
+    # To connect an already existing user, set the "nextcloud_user_id" property in the
+    # user's attributes to the username of the corresponding user on Nextcloud.
+    "user_id": user.attributes.get("nextcloud_user_id", str(user.uuid)),
+ }
+EOF
+}
+
+resource "random_id" "nextcloud_client_id" {
+  byte_length = 16
+}
+
+resource "authentik_provider_oauth2" "nextcloud" {
+  name = "Nextcloud"
+  #  Required. You can use the output of:
+  #     $ openssl rand -hex 16
+  client_id = random_id.nextcloud_client_id.id
+
+  # Optional: will be generated if not provided
+  # client_secret = "my_client_secret"
+
+  sub_mode           = "user_uuid"
+  authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
+
+  redirect_uris = [
+    "https://cloud.lab.cowley.tech/apps/user_oidc/code",
+  ]
+
+  property_mappings = [
+    data.authentik_scope_mapping.scope-email.id,
+    authentik_scope_mapping.nextcloud-scope.id
+  ]
+
+  lifecycle {
+    ignore_changes = [
+      signing_key,
+      authentication_flow,
+    ]
+  }
+}
+
+resource "authentik_application" "nextcloud" {
+  name              = "Nextcloud"
+  slug              = "nextcloud"
+  protocol_provider = authentik_provider_oauth2.nextcloud.id
+}
+
+resource "authentik_group" "nextcloud_admins" {
+  name = "Nextcloud Admins"
+}

authentik/paperless-ngx.tf

@@ -3,22 +3,28 @@ resource "random_id" "paperless_client_id" {
 }
 
 resource "authentik_provider_oauth2" "paperless" {
-  name          = "Paperless"
+  name = "Paperless"
   #  Required. You can use the output of:
   #     $ openssl rand -hex 16
-  client_id     = random_id.paperless_client_id.id
+  client_id = random_id.paperless_client_id.id
 
-  authorization_flow  = data.authentik_flow.default-provider-authorization-implicit-consent.id
+  authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
 
   redirect_uris = [
     "https://paperless.lab.cowley.tech/accounts/oidc/authentik/login/callback/"
   ]
 
-#  property_mappings = [
-#    data.authentik_scope_mapping.scope-email.id,
-#    data.authentik_scope_mapping.scope-profile.id,
-#    data.authentik_scope_mapping.scope-openid.id,
-#  ]
+  property_mappings = [
+    data.authentik_scope_mapping.scope-email.id,
+    data.authentik_scope_mapping.scope-profile.id,
+    data.authentik_scope_mapping.scope-openid.id,
+  ]
+  lifecycle {
+    ignore_changes = [
+      signing_key,
+      authentication_flow,
+    ]
+  }
 }
 
 resource "authentik_application" "paperless" {
@@ -26,3 +32,37 @@ resource "authentik_application" "paperless" {
   slug              = "paperless"
   protocol_provider = authentik_provider_oauth2.paperless.id
 }
+
+#data "template_file" "paperless-config" {
+#  template = "${file("${path.module}/paperless.tpl")}"
+#  vars = {
+#    client_id = authentik_provider_oauth2.paperless.client_id
+#  }
+#}
+
+resource "kubernetes_namespace" "paperless" {
+  metadata {
+    name = "paperless-ngx"
+  }
+  lifecycle {
+    ignore_changes = [
+      metadata[0].labels
+    ]
+  }
+}
+resource "kubernetes_secret" "paperless-env" {
+  metadata {
+    name      = "paperless-env"
+    namespace = kubernetes_namespace.paperless.metadata[0].name
+  }
+  data = {
+    "PAPERLESS_APPS" = "allauth.socialaccount.providers.openid_connect"
+    "PAPERLESS_SOCIALACCOUNT_PROVIDERS" = templatefile(
+      "${path.module}/paperless.tpl",
+      {
+        client_id     = authentik_provider_oauth2.paperless.client_id,
+        client_secret = authentik_provider_oauth2.paperless.client_secret
+      }
+    )
+  }
+}

authentik/paperless.tpl

@@ -0,0 +1,16 @@
+{
+      "openid_connect": {
+        "APPS": [
+          {
+            "provider_id": "authentik",
+            "name": "Authentik",
+            "client_id": "${client_id}",
+            "secret": "${client_secret}",
+            "settings": {
+              "server_url": "https://auth.lab.cowley.tech/application/o/paperless/.well-known/openid-configuration"
+            }
+          }
+        ],
+        "OAUTH_PKCE_ENABLED": "True"
+      }
+    }

authentik/provider.tf

@@ -5,11 +5,11 @@ terraform {
   }
   required_providers {
     kubernetes = {
-      source = "hashicorp/kubernetes"
+      source  = "hashicorp/kubernetes"
       version = "2.31.0"
     }
     authentik = {
-      source = "goauthentik/authentik"
+      source  = "goauthentik/authentik"
       version = "2024.6.0"
     }
   }

authentik/users.tf

@@ -1,6 +1,6 @@
 resource "authentik_user" "chriscowley" {
   username = "chriscowley"
-  name = "Chris Cowley"
+  name     = "Chris Cowley"
 
   email = "chriscowleysound@gmail.com"
 
@@ -8,4 +8,28 @@ resource "authentik_user" "chriscowley" {
     data.authentik_group.admins.id,
     authentik_group.grafana_admins.id,
   ]
+  is_active = false
+}
+resource "authentik_user" "chris" {
+  username = "chris"
+  name     = "Chris Cowley"
+
+  email = "chris@cowley.tech"
+
+  groups = [
+    data.authentik_group.admins.id,
+    authentik_group.grafana_admins.id,
+    authentik_group.nextcloud_admins.id,
+  ]
+#  attributes = jsonencode(
+#    {
+#      nextcloud_user_id = "chris"
+#    }
+#  )
+}
+
+resource "authentik_user" "nadege" {
+  username = "nadege"
+  name     = "Nadege Cowley"
+  email    = "nadege@cowley.tech"
 }