many things

authentik/.terraform.lock.hcl

@@ -2,24 +2,24 @@
 # Manual edits may be lost in future updates.
 
 provider "registry.opentofu.org/goauthentik/authentik" {
-  version     = "2024.6.0"
-  constraints = "2024.6.0"
+  version     = "2024.8.2"
+  constraints = "2024.8.2"
   hashes = [
-    "h1:S9p9njz1sEpXMOY7vL6YGqOVMfYsX1AbUy2GhJ121C0=",
-    "zh:1faa2890439a76b18b05f6c7c753502615de5e34157dc77a2d2d4bbfd6ab4dc8",
-    "zh:288ce51c155380b55eb5b6cd82158b1d7e7193cede072f8be4735a4d6b1421fe",
-    "zh:397e2a61f36fadbcf7e07f914d27139c3d828323c77445194e6e6721e5f4fb3b",
-    "zh:3bdff2f4131fdc70eb5d0ae88f28e0c470b8dbde00735b239603347a451a2df0",
-    "zh:3c959ad7d3f4645e942ae4f33ab8736781df44e12f7185e35622e00625ee6f96",
-    "zh:66f8e918229a0b4d9654244d6bca921547ea7ee6582d302c37d96db3252315a3",
-    "zh:68b098049de3818290978c5db855a6fc52618dea9f7c180c5e4e322144a9d801",
-    "zh:6986198640803382504afeaac069a3f7c89262f44e03f6916005766095f4ac80",
-    "zh:6edfe344fa96e55de95dba04d58d08b332b59dadf93c822d38e321f4cb6fe4f5",
-    "zh:a4325ae5bed223665f39534397cfae9b4f9364b98523d200200f240deaf7f797",
-    "zh:cb60056969297c1aaaf213a477080780ef957926ec64913fab1db33409bc4c08",
-    "zh:e744a42dc4dba812846a837fc328f73e390531a64c16a1e280a5c1fea4c7e176",
-    "zh:f1ea072c1d3a7becdc4579bc85903642532639f134c8cf7e49e2e0f3bad5aee3",
-    "zh:f4a0c5a664d131d5c6a00e194b855e76ac5e6f0e0404e85e6fc3fa95029b10c1",
+    "h1:+RVux9TSmkUsxIinptup4oOdfzObeXLaOnc0oi0Vat4=",
+    "zh:1a08cf73a35237bf84e8761eb026b4175bc34bab4c6a206110cb9a3d06c86391",
+    "zh:1f5807c2ab22e21a9f4c1d19bc64c52150ac003c6a90417315d8fafb6cbfd09d",
+    "zh:20237b247cbee340d03629f3bb4e156e8ccf65db246eeffb4cad3dabe34f26bb",
+    "zh:416ee251d684360e993ea3bdd7b9b3abb869f1d27d3bfe7c53731d444493bad3",
+    "zh:4d76186b29969509fb950ddce03b80eba9bc3409b6bbd20f8a9e7623d84b63c0",
+    "zh:588bbeb5768dc0e6d6b3e7bc67709ef7bc4a7f48eeb659801bc8511d646141ac",
+    "zh:5f95796b207c90e4dcf5d9f2945929351c5709754ce66839279e87279a04204f",
+    "zh:60263694ce7e107f3f78d5cc727d6143082e0eaa97b15727af83aaed8305d351",
+    "zh:6ecc4bd586e37987cfa057fc3a3f87bd461e3215d9efb5654fdd639a8d5318e9",
+    "zh:9e05d3d930a92f160cd788a699b3e11c80b59cb67b5f0b4a9970a1f7e9b08045",
+    "zh:c6ecaafa4176f12c8930fe2225c34a6d64eb9eb9774b50df17714d2ae338068d",
+    "zh:d781b9de7ce45a0b67b177705f755746b3afb11c4cac9171825bd9ace4017da6",
+    "zh:df6d9bc87b752c4e75f5246b32a98049a3253762389fd8476a9b4f96729f9cdd",
+    "zh:ef6c1ce79965e212929674063de6280abae5ee5c064049880ab81ca0e27b7434",
   ]
 }
 

authentik/chat.tf

@@ -1,50 +1,50 @@
-resource "random_id" "chat_client_id" {
-  byte_length = 16
-}
-
-resource "authentik_provider_oauth2" "chat" {
-  name = "Chat"
-  #  Required. You can use the output of:
-  #     $ openssl rand -hex 16
-  client_id = random_id.chat_client_id.id
-
-  # Optional: will be generated if not provided
-  # client_secret = "my_client_secret"
-
-  authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
-
-  redirect_uris = [
-    "https://chat.lab.cowley.tech/oauth/oidc/callback"
-  ]
-  property_mappings = [
-    data.authentik_scope_mapping.scope-openid.id,
-    data.authentik_scope_mapping.scope-email.id,
-    data.authentik_scope_mapping.scope-profile.id,
-  ]
-  lifecycle {
-    ignore_changes = [
-      signing_key,
-      authentication_flow,
-    ]
-  }
-}
-
-resource "authentik_application" "chat" {
-  name              = "Chat"
-  slug              = "chat"
-  protocol_provider = authentik_provider_oauth2.chat.id
-}
-
-resource "kubernetes_secret" "chat" {
-  metadata {
-    name      = "open-webui-authentik"
-    namespace = "ollama"
-  }
-  data = {
-    OAUTH_CLIENT_ID     = authentik_provider_oauth2.chat.client_id
-    OAUTH_CLIENT_SECRET = authentik_provider_oauth2.chat.client_secret
-    OPENID_PROVIDER_URL = "https://auth.lab.cowley.tech/application/o/chat/.well-known/openid-configuration"
-    OAUTH_PROVIDER_NAME = "Authentik"
-    OAUTH_SCOPES        = "openid email profile"
-  }
-}
+#resource "random_id" "chat_client_id" {
+#  byte_length = 16
+#}
+#
+#resource "authentik_provider_oauth2" "chat" {
+#  name = "Chat"
+#  #  Required. You can use the output of:
+#  #     $ openssl rand -hex 16
+#  client_id = random_id.chat_client_id.id
+#
+#  # Optional: will be generated if not provided
+#  # client_secret = "my_client_secret"
+#
+#  authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
+#
+#  redirect_uris = [
+#    "https://chat.lab.cowley.tech/oauth/oidc/callback"
+#  ]
+#  property_mappings = [
+#    data.authentik_scope_mapping.scope-openid.id,
+#    data.authentik_scope_mapping.scope-email.id,
+#    data.authentik_scope_mapping.scope-profile.id,
+#  ]
+#  lifecycle {
+#    ignore_changes = [
+#      signing_key,
+#      authentication_flow,
+#    ]
+#  }
+#}
+#
+#resource "authentik_application" "chat" {
+#  name              = "Chat"
+#  slug              = "chat"
+#  protocol_provider = authentik_provider_oauth2.chat.id
+#}
+#
+#resource "kubernetes_secret" "chat" {
+#  metadata {
+#    name      = "open-webui-authentik"
+#    namespace = "ollama"
+#  }
+#  data = {
+#    OAUTH_CLIENT_ID     = authentik_provider_oauth2.chat.client_id
+#    OAUTH_CLIENT_SECRET = authentik_provider_oauth2.chat.client_secret
+#    OPENID_PROVIDER_URL = "https://auth.lab.cowley.tech/application/o/chat/.well-known/openid-configuration"
+#    OAUTH_PROVIDER_NAME = "Authentik"
+#    OAUTH_SCOPES        = "openid email profile"
+#  }
+#}

authentik/dashy.tf

@@ -0,0 +1,40 @@
+resource "random_id" "dashy_client_id" {
+  byte_length = 16
+}
+
+resource "authentik_provider_oauth2" "dashy" {
+  name = "Dashy"
+  #  Required. You can use the output of:
+  #     $ openssl rand -hex 16
+  client_id = random_id.dashy_client_id.id
+  authentication_flow = data.authentik_flow.default-authentication-flow.id
+  authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
+
+  client_type = "public"
+
+  redirect_uris = [
+    "https://dash.lab.cowley.tech/",
+    ".*"
+  ]
+
+  sub_mode = "user_email"
+
+  property_mappings = [
+    data.authentik_property_mapping_provider_scope.scope-email.id,
+    data.authentik_property_mapping_provider_scope.scope-profile.id,
+    data.authentik_property_mapping_provider_scope.scope-openid.id,
+  ]
+  lifecycle {
+    ignore_changes = [
+      signing_key,
+      authentication_flow,
+    ]
+  }
+}
+
+resource "authentik_application" "dashy" {
+  name              = "Dashy"
+  slug              = "dashy"
+  protocol_provider = authentik_provider_oauth2.dashy.id
+  open_in_new_tab = true
+}

authentik/data.tf

@@ -0,0 +1,18 @@
+data "authentik_flow" "default-provider-authorization-implicit-consent" {
+  slug = "default-provider-authorization-implicit-consent"
+}
+
+data "authentik_flow" "default-authentication-flow" {
+  slug = "default-authentication-flow"
+}
+data "authentik_property_mapping_provider_scope" "scope-email" {
+  name = "authentik default OAuth Mapping: OpenID 'email'"
+}
+
+data "authentik_property_mapping_provider_scope" "scope-profile" {
+  name = "authentik default OAuth Mapping: OpenID 'profile'"
+}
+
+data "authentik_property_mapping_provider_scope" "scope-openid" {
+  name = "authentik default OAuth Mapping: OpenID 'openid'"
+}

authentik/forgejo.tf

@@ -0,0 +1,53 @@
+resource "random_id" "forgejo_client_id" {
+  byte_length = 16
+}
+
+resource "authentik_provider_oauth2" "forgejo" {
+  name = "Forgejo"
+  #  Required. You can use the output of:
+  #     $ openssl rand -hex 16
+  client_id = random_id.forgejo_client_id.id
+
+  # Optional: will be generated if not provided
+  # client_secret = "my_client_secret"
+
+  authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
+
+  redirect_uris = [
+    "https://code.lab.cowley.tech/user/oauth2/authentik/callback"
+  ]
+  property_mappings = [
+    data.authentik_property_mapping_provider_scope.scope-email.id,
+    data.authentik_property_mapping_provider_scope.scope-profile.id,
+    data.authentik_property_mapping_provider_scope.scope-openid.id,
+  ]
+  lifecycle {
+    ignore_changes = [
+      signing_key,
+      authentication_flow,
+    ]
+  }
+}
+
+resource "authentik_application" "forgejo" {
+  name              = "ForgeJo"
+  slug              = "forgejo"
+  protocol_provider = authentik_provider_oauth2.forgejo.id
+}
+
+resource "authentik_group" "forgejo-admins" {
+  name = "gitadmin"
+}
+resource "authentik_group" "forgejo-users" {
+  name = "gituser"
+}
+resource "kubernetes_secret" "forgejo-oauth" {
+  metadata {
+    name      = "forgejo-oauth"
+    namespace = "forgejo"
+  }
+  data = {
+    "key" = authentik_provider_oauth2.forgejo.client_id
+    "secret" =  authentik_provider_oauth2.forgejo.client_secret
+  }
+}

authentik/grafana.tf

@@ -1,18 +1,3 @@
-data "authentik_flow" "default-provider-authorization-implicit-consent" {
-  slug = "default-provider-authorization-implicit-consent"
-}
-
-data "authentik_scope_mapping" "scope-email" {
-  name = "authentik default OAuth Mapping: OpenID 'email'"
-}
-
-data "authentik_scope_mapping" "scope-profile" {
-  name = "authentik default OAuth Mapping: OpenID 'profile'"
-}
-
-data "authentik_scope_mapping" "scope-openid" {
-  name = "authentik default OAuth Mapping: OpenID 'openid'"
-}
 
 resource "random_id" "client_id" {
   byte_length = 16
@@ -34,9 +19,9 @@ resource "authentik_provider_oauth2" "grafana" {
   ]
 
   property_mappings = [
-    data.authentik_scope_mapping.scope-email.id,
-    data.authentik_scope_mapping.scope-profile.id,
-    data.authentik_scope_mapping.scope-openid.id,
+    data.authentik_property_mapping_provider_scope.scope-email.id,
+    data.authentik_property_mapping_provider_scope.scope-profile.id,
+    data.authentik_property_mapping_provider_scope.scope-openid.id,
   ]
 
   lifecycle {

authentik/groups.tf

@@ -1,3 +1,7 @@
 data "authentik_group" "admins" {
   name = "authentik Admins"
 }
+
+resource "authentik_group" "arr-users" {
+  name = "arr_users"
+}

authentik/immich.tf

@@ -2,15 +2,15 @@
 #  slug = "default-provider-authorization-implicit-consent"
 #}
 #
-#data "authentik_scope_mapping" "scope-email" {
+#data "authentik_property_mapping_provider_scope" "scope-email" {
 #  name = "authentik default OAuth Mapping: OpenID 'email'"
 #}
 #
-#data "authentik_scope_mapping" "scope-profile" {
+#data "authentik_property_mapping_provider_scope" "scope-profile" {
 #  name = "authentik default OAuth Mapping: OpenID 'profile'"
 #}
 #
-#data "authentik_scope_mapping" "scope-openid" {
+#data "authentik_property_mapping_provider_scope" "scope-openid" {
 #  name = "authentik default OAuth Mapping: OpenID 'openid'"
 #}
 #
@@ -30,14 +30,14 @@ resource "authentik_provider_oauth2" "immich" {
   authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
 
   redirect_uris = [
-    "app.immich:/",
+    "app.immich:///oauth-callback",
     "https://photos.lab.cowley.tech/auth/login",
     "https://photos.lab.cowley.tech/user-settings",
   ]
   property_mappings = [
-    data.authentik_scope_mapping.scope-email.id,
-    data.authentik_scope_mapping.scope-profile.id,
-    data.authentik_scope_mapping.scope-openid.id,
+    data.authentik_property_mapping_provider_scope.scope-email.id,
+    data.authentik_property_mapping_provider_scope.scope-profile.id,
+    data.authentik_property_mapping_provider_scope.scope-openid.id,
   ]
   lifecycle {
     ignore_changes = [

authentik/jellyfin.tf

@@ -0,0 +1,42 @@
+resource "random_id" "jellyfin_client_id" {
+  byte_length = 16
+}
+
+resource "authentik_provider_oauth2" "jellyfin" {
+  name = "Jellyfin"
+  client_id = random_id.jellyfin_client_id.id
+
+  authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
+
+  redirect_uris = [
+    "https://jellyfin.lab.cowley.tech/sso/OID/start/authentik"
+  ]
+
+  property_mappings = [
+    data.authentik_property_mapping_provider_scope.scope-email.id,
+    data.authentik_property_mapping_provider_scope.scope-profile.id,
+    data.authentik_property_mapping_provider_scope.scope-openid.id,
+  ]
+  lifecycle {
+    ignore_changes = [
+      signing_key,
+      authentication_flow,
+    ]
+  }
+}
+
+resource "authentik_application" "jellyfin" {
+  name              = "Jellyfin"
+  slug              = "jellyfin"
+  protocol_provider = authentik_provider_oauth2.jellyfin.id
+  meta_launch_url = "https://jellyfin.lab.cowley.tech/sso/OID/start/authentik"
+}
+resource "kubernetes_secret" "jellyfin_oidc" {
+  metadata {
+    name = "jellyfin-oidc"
+    namespace = "jellyfin"
+  }
+  data = {
+    client-secret = authentik_provider_oauth2.jellyfin.client_secret
+  }
+}

authentik/lidarr.tf

@@ -0,0 +1,20 @@
+#resource "authentik_provider_proxy" "lidarr" {
+#  name = "lidarr"
+#  internal_host = "http://lidarr.jellyfin:8686"
+#  external_host = "https://lidarr.lab.cowley.tech"
+#  authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
+#}
+#
+#resource "authentik_outpost" "lidarr" {
+#  name = "lidarr-outpost"
+#  protocol_providers = [
+#    authentik_provider_proxy.lidarr.id
+#  ]
+#}
+#
+#resource "authentik_application" "lidarr" {
+#  name = "Lidarr"
+#  slug = "lidarr"
+#
+#  protocol_provider = authentik_provider_proxy.lidarr.id
+#}

authentik/nextcloud.tf

@@ -1,7 +1,7 @@
-#data "authentik_scope_mapping" "nextcloud" {
+#data "authentik_property_mapping_provider_scope" "nextcloud" {
 #  name = "Nextcloud Profile"
 #}
-resource "authentik_scope_mapping" "nextcloud-scope" {
+resource "authentik_property_mapping_provider_scope" "nextcloud-scope" {
   name       = "Nextcloud Profile"
   scope_name = "profile"
   expression = <<EOF
@@ -48,8 +48,8 @@ resource "authentik_provider_oauth2" "nextcloud" {
   ]
 
   property_mappings = [
-    data.authentik_scope_mapping.scope-email.id,
-    authentik_scope_mapping.nextcloud-scope.id
+    data.authentik_property_mapping_provider_scope.scope-email.id,
+    authentik_property_mapping_provider_scope.nextcloud-scope.id
   ]
 
   lifecycle {

authentik/paperless-ngx.tf

@@ -15,9 +15,9 @@ resource "authentik_provider_oauth2" "paperless" {
   ]
 
   property_mappings = [
-    data.authentik_scope_mapping.scope-email.id,
-    data.authentik_scope_mapping.scope-profile.id,
-    data.authentik_scope_mapping.scope-openid.id,
+    data.authentik_property_mapping_provider_scope.scope-email.id,
+    data.authentik_property_mapping_provider_scope.scope-profile.id,
+    data.authentik_property_mapping_provider_scope.scope-openid.id,
   ]
   lifecycle {
     ignore_changes = [

authentik/provider.tf

@@ -10,7 +10,7 @@ terraform {
     }
     authentik = {
       source  = "goauthentik/authentik"
-      version = "2024.6.0"
+      version = "2024.8.2"
     }
   }
 }

authentik/users.tf

@@ -20,6 +20,7 @@ resource "authentik_user" "chris" {
     data.authentik_group.admins.id,
     authentik_group.grafana_admins.id,
     authentik_group.nextcloud_admins.id,
+    authentik_group.arr-users.id
   ]
 #  attributes = jsonencode(
 #    {