Quite a bit

This commit is contained in:
Chris Cowley 2025-04-01 08:01:18 +00:00
parent d908078ee6
commit ca415c6959
15 changed files with 10601 additions and 64 deletions

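--- /dev/null
+++ b/authentik/dashy.tf
@@ -0,0 +1,82 @@
+resource "random_id" "dashy_client_id" {
+byte_length = 16
+}
+resource "authentik_provider_oauth2" "dashy" {
+name = "Dashy"
+# Required. You can use the output of:
+# $ openssl rand -hex 16
+client_id = random_id.dashy_client_id.id
+authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
+invalidation_flow = data.authentik_flow.default-invalidation-flow.id
+sub_mode = "user_email"
+client_type = "public"
+allowed_redirect_uris = [
+{
+matching_mode = "strict",
+url = "https://dash.lab.cowley.tech/"
+},
+{
+"matching_mode" = "regex"
+"url" = ".*"
+},
+]
+property_mappings = [
+data.authentik_property_mapping_provider_scope.scope-email.id,
+data.authentik_property_mapping_provider_scope.scope-profile.id,
+data.authentik_property_mapping_provider_scope.scope-openid.id,
+]
+lifecycle {
+ignore_changes = [
+signing_key,
+authentication_flow,
+]
+}
+}
+#resource "authentik_provider_oauth2" "dashy" {
+# name = "Dashy"
+# # Required. You can use the output of:
+# # $ openssl rand -hex 16
+# client_id = random_id.dashy_client_id.id
+# #authentication_flow = data.authentik_flow.default-authentication-flow.id
+# authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
+# invalidation_flow = data.authentik_flow.default-invalidation-flow.id
+#
+# client_type = "public"
+#
+# allowed_redirect_uris = [
+# {
+# matched_mode = "strict",
+# url = "https://dash.lab.cowley.tech/",
+# },
+# # {
+# # matched_mode = "regex",
+# # url = ".*"
+# # }
+# ]
+#
+# sub_mode = "user_email"
+#
+# property_mappings = [
+# data.authentik_property_mapping_provider_scope.scope-email.id,
+# data.authentik_property_mapping_provider_scope.scope-profile.id,
+# data.authentik_property_mapping_provider_scope.scope-openid.id,
+# ]
+# lifecycle {
+# ignore_changes = [
+# signing_key,
+# authentication_flow,
+# ]
+# }
+#}
+#
+resource "authentik_application" "dashy" {
+name = "Dashy"
+slug = "dashy"
+protocol_provider = authentik_provider_oauth2.dashy.id
+open_in_new_tab = true
+}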
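Review bot: The second `allowed_redirect_uris` entry, `"matching_mode" = "regex"` with `"url" = ".*"`, accepts any redirect URI, which makes the strict `https://dash.lab.cowley.tech/` entry above it meaningless; with `client_type = "public"` there is no client secret, so an authorization code delivered to a URI outside the Dashy origin can be redeemed by whoever receives it. Drop that entry, or if Dashy needs more than the bare origin, anchor the pattern to it, e.g. `"url" = "^https://dash\\.lab\\.cowley\\.tech/.*$"`. The `# $ openssl rand -hex 16` comment is stale now that `client_id` comes from `random_id.dashy_client_id`. The commented-out copy of the provider at the end of this file (and the similar commented blocks in the nextcloud.tf and spotizerr hunks) duplicates the live resource with the older `matched_mode` key and can be deleted, since git history keeps it.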


@ -31,44 +31,44 @@ resource "random_id" "nextcloud_client_id" {
byte_length = 16
}
resource "authentik_provider_oauth2" "nextcloud" {
name = "Nextcloud"
# Required. You can use the output of:
# $ openssl rand -hex 16
client_id = random_id.nextcloud_client_id.id
# Optional: will be generated if not provided
# client_secret = "my_client_secret"
sub_mode = "user_uuid"
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
invalidation_flow = data.authentik_flow.default-invalidation-flow.id
allowed_redirect_uris = [
{
matching_mode = "strict"
url = "https://cloud.lab.cowley.tech/apps/user_oidc/code",
}
]
property_mappings = [
data.authentik_property_mapping_provider_scope.scope-email.id,
authentik_property_mapping_provider_scope.nextcloud-scope.id
]
lifecycle {
ignore_changes = [
signing_key,
authentication_flow,
]
}
}
resource "authentik_application" "nextcloud" {
name = "Nextcloud"
slug = "nextcloud"
protocol_provider = authentik_provider_oauth2.nextcloud.id
}
#resource "authentik_provider_oauth2" "nextcloud" {
# name = "Nextcloud"
# # Required. You can use the output of:
# # $ openssl rand -hex 16
# client_id = random_id.nextcloud_client_id.id
#
# # Optional: will be generated if not provided
# # client_secret = "my_client_secret"
#
# sub_mode = "user_uuid"
# authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
# invalidation_flow = data.authentik_flow.default-invalidation-flow.id
#
# allowed_redirect_uris = [
# {
# matching_mode = "strict"
# url = "https://cloud.lab.cowley.tech/apps/user_oidc/code",
# }
# ]
#
# property_mappings = [
# data.authentik_property_mapping_provider_scope.scope-email.id,
# authentik_property_mapping_provider_scope.nextcloud-scope.id
# ]
#
# lifecycle {
# ignore_changes = [
# signing_key,
# authentication_flow,
# ]
# }
#}
#
#resource "authentik_application" "nextcloud" {
# name = "Nextcloud"
# slug = "nextcloud"
# protocol_provider = authentik_provider_oauth2.nextcloud.id
#}
resource "authentik_group" "nextcloud_admins" {
name = "Nextcloud Admins"


@ -1,9 +1,11 @@
resource "authentik_outpost" "embedded_outpost" {
name = "authentik Embedded Outpost"
protocol_providers = [
authentik_provider_proxy.spotizerr.id,
authentik_provider_proxy.esphome.id,
authentik_provider_proxy.pinchflat.id,
authentik_provider_proxy.paperless-gpt.id,
#authentik_provider_proxy.tubearchivist.id,
#authentik_provider_proxy.spotizerr.id,
]
service_connection = authentik_service_connection_kubernetes.local.id
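Review bot: `#authentik_provider_proxy.spotizerr.id` in the `protocol_providers` list duplicates the live `authentik_provider_proxy.spotizerr.id` entry four lines above it, so the comment only leaves a reader unsure whether Spotizerr is meant to be published through this outpost; remove it, and the `#authentik_provider_proxy.tubearchivist.id` line too if that provider has been retired. The `authentik_outpost` block continues past the end of the hunk.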


@ -0,0 +1,20 @@
resource "authentik_provider_proxy" "paperless-gpt" {
name = "Paperless-gpt"
internal_host = "http://paperless-gpt.paperless-ngx:8080"
external_host = "https://paperless-gpt.lab.cowley.tech"
internal_host_ssl_validation = false
authentication_flow = data.authentik_flow.default-authentication-flow.id
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
invalidation_flow = data.authentik_flow.default-provider-invalidation-flow.id
access_token_validity = "hours=24"
}
resource "authentik_application" "paperless-gpt" {
name = "Paperless-gpt"
slug = "paperless-gpt"
protocol_provider = authentik_provider_proxy.paperless-gpt.id
}

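--- /dev/null
+++ b/authentik/pinchflat.tf
@@ -0,0 +1,20 @@
+resource "authentik_provider_proxy" "pinchflat" {
+name = "Pinchflat"
+internal_host = "http://pinchflat.jellyfin:8945"
+external_host = "https://pinchflat.lab.cowley.tech"
+internal_host_ssl_validation = false
+authentication_flow = data.authentik_flow.default-authentication-flow.id
+authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
+invalidation_flow = data.authentik_flow.default-provider-invalidation-flow.id
+access_token_validity = "hours=24"
+}
+resource "authentik_application" "pinchflat" {
+name = "Pinchflat"
+slug = "pinchflat"
+protocol_provider = authentik_provider_proxy.pinchflat.id
+}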
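Review bot: `internal_host_ssl_validation = false` does nothing here because `internal_host` is plain `http://pinchflat.jellyfin:8945`, but it will silently turn off certificate checking if the upstream is later moved to https; drop the line and let the provider default apply unless a self-signed upstream is actually intended. The same inert setting appears in the paperless-gpt and spotizerr hunks. No `authentik_policy_binding` for the `pinchflat` application is visible in this commit, so presumably every authenticated user can reach it once the provider is on the embedded outpost; confirm that is the intended audience or add a group binding alongside the application.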


@ -1,22 +1,22 @@
resource "authentik_provider_proxy" "spotizerr" {
name = "Spotizerr"
internal_host = "http://spotizerr.jellyfin:7171"
external_host = "https://spotizerr.lab.cowley.tech"
internal_host_ssl_validation = false
authentication_flow = data.authentik_flow.default-authentication-flow.id
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
invalidation_flow = data.authentik_flow.default-provider-invalidation-flow.id
access_token_validity = "hours=24"
}
resource "authentik_application" "spotizerr" {
name = "Spotizerr"
slug = "spotizerr"
protocol_provider = authentik_provider_proxy.spotizerr.id
}
#resource "authentik_provider_proxy" "spotizerr" {
# name = "Spotizerr"
# internal_host = "http://spotizerr.jellyfin:7171"
# external_host = "https://spotizerr.lab.cowley.tech"
#
# internal_host_ssl_validation = false
#
# authentication_flow = data.authentik_flow.default-authentication-flow.id
# authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
# invalidation_flow = data.authentik_flow.default-provider-invalidation-flow.id
#
# access_token_validity = "hours=24"
#}
#
#resource "authentik_application" "spotizerr" {
# name = "Spotizerr"
# slug = "spotizerr"
#
# protocol_provider = authentik_provider_proxy.spotizerr.id
#}
#
#


@ -18,5 +18,3 @@
#
# protocol_provider = authentik_provider_proxy.tubearchivist.id
#}
#
#