many things
This commit is contained in:
Chris Cowley
parent
18a08d623b
commit
a7fad6c9c6
43 changed files with 1246 additions and 54 deletions
71
authentik/nextcloud.tf
Normal file
71
authentik/nextcloud.tf
Normal file
|
|
@ -0,0 +1,71 @@
|
|||
#data "authentik_scope_mapping" "nextcloud" {
|
||||
# name = "Nextcloud Profile"
|
||||
#}
|
||||
resource "authentik_scope_mapping" "nextcloud-scope" {
|
||||
name = "Nextcloud Profile"
|
||||
scope_name = "profile"
|
||||
expression = <<EOF
|
||||
# Extract all groups the user is a member of
|
||||
groups = [group.name for group in user.ak_groups.all()]
|
||||
|
||||
# Nextcloud admins must be members of a group called "admin".
|
||||
# This is static and cannot be changed.
|
||||
# We append a fictional "admin" group to the user's groups if they are an admin in authentik.
|
||||
# This group would only be visible in Nextcloud and does not exist in authentik.
|
||||
if user.is_superuser and "Nextcloud Admin" not in groups:
|
||||
groups.append("admin")
|
||||
|
||||
return {
|
||||
"name": request.user.name,
|
||||
"groups": groups,
|
||||
# To set a quota set the "nextcloud_quota" property in the user's attributes
|
||||
"quota": user.group_attributes().get("nextcloud_quota", None),
|
||||
# To connect an already existing user, set the "nextcloud_user_id" property in the
|
||||
# user's attributes to the username of the corresponding user on Nextcloud.
|
||||
"user_id": user.attributes.get("nextcloud_user_id", str(user.uuid)),
|
||||
}
|
||||
EOF
|
||||
}
|
||||
|
||||
resource "random_id" "nextcloud_client_id" {
|
||||
byte_length = 16
|
||||
}
|
||||
|
||||
resource "authentik_provider_oauth2" "nextcloud" {
|
||||
name = "Nextcloud"
|
||||
# Required. You can use the output of:
|
||||
# $ openssl rand -hex 16
|
||||
client_id = random_id.nextcloud_client_id.id
|
||||
|
||||
# Optional: will be generated if not provided
|
||||
# client_secret = "my_client_secret"
|
||||
|
||||
sub_mode = "user_uuid"
|
||||
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
|
||||
|
||||
redirect_uris = [
|
||||
"https://cloud.lab.cowley.tech/apps/user_oidc/code",
|
||||
]
|
||||
|
||||
property_mappings = [
|
||||
data.authentik_scope_mapping.scope-email.id,
|
||||
authentik_scope_mapping.nextcloud-scope.id
|
||||
]
|
||||
|
||||
lifecycle {
|
||||
ignore_changes = [
|
||||
signing_key,
|
||||
authentication_flow,
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
resource "authentik_application" "nextcloud" {
|
||||
name = "Nextcloud"
|
||||
slug = "nextcloud"
|
||||
protocol_provider = authentik_provider_oauth2.nextcloud.id
|
||||
}
|
||||
|
||||
resource "authentik_group" "nextcloud_admins" {
|
||||
name = "Nextcloud Admins"
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue