homelab/terraform
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

many things
Some checks failed
/ non-lab (push) Failing after 12m13s
Details

Browse source
This commit is contained in:
Chris Cowley 2025-02-19 10:59:18 +00:00
parent 846fca77c1
commit d908078ee6
51 changed files with 4649 additions and 276 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.forgejo/workflows/authentik.yaml
View file

@ -2,6 +2,8 @@ on:
push:
branches:
- 'main'
path:
- '**/authentik'
jobs:
authentik":

26
10-pre-k8s/.terraform.lock.hcl generated
View file

@ -1,11 +1,11 @@
# This file is maintained automatically by "terraform init".
# This file is maintained automatically by "tofu init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/backblaze/b2" {
provider "registry.opentofu.org/backblaze/b2" {
version = "0.8.6"
constraints = "0.8.6"
hashes = [
"h1:FUV3MlKORho03jB7xK4RHLqIoesXEpwDY3Q7j2niEtU=",
"h1:d1N+yXGYMvMlubgZMAtiN7UycJbd0IzEYkn/3iJuikU=",
"zh:301cb0e9ad3f094e6cb182ffd1496234273d3e9138d03cbf234baf4edabaf0fb",
"zh:3b39c96c0b3081c5d9f372a355527835d26792ffaf6dc06fb390d2c76d09c394",
"zh:736a6d688bb261a3154970f7b487e142e02b02d1e4d877cce763539f4222cc8d",
@ -13,11 +13,11 @@ provider "registry.terraform.io/backblaze/b2" {
]
}
provider "registry.terraform.io/community-terraform-providers/ignition" {
provider "registry.opentofu.org/community-terraform-providers/ignition" {
version = "2.2.2"
constraints = "2.2.2"
hashes = [
"h1:wyXgqs6swQUQ6Dow13ea1nmGRix+lXxPVP3s7qwnrO4=",
"h1:9Ik7Bt3+ZXR9WTmYJoy1cc4lHW2k4BqcWja3Le/Hey0=",
"zh:1c40157dfa3b035f4298f5f84dd0f4f9cfc321a19bc674620ee8f80f416ebd8c",
"zh:318435a26c18e32992e40ae91752256043bffb53fbfdc796d33fa03e0ad52784",
"zh:3535ce2f2dce787b37e76a49d1c8554f0fcf1a43041f1343a1314749b11136d0",
@ -33,11 +33,11 @@ provider "registry.terraform.io/community-terraform-providers/ignition" {
]
}
provider "registry.terraform.io/ivoronin/macaddress" {
provider "registry.opentofu.org/ivoronin/macaddress" {
version = "0.3.2"
constraints = "0.3.2"
hashes = [
"h1:jJ/LOHNgy5hDoVfE+Si4YoRQ0jpCGAAZFMF21lGE0nw=",
"h1:yk0ASl2cAoc/22tvpi9Kke+WvowgXGq0QwaP93IQ+S0=",
"zh:00cb168d9210ed88cfa7de8a33d5666b2cf6660a5d20a7a96348b8b902833eca",
"zh:1366458320df0b6f1132e59b5410931c0c5626bbf27b05b29dd311311a710e9b",
"zh:2e8102c7f6046665c95b806752d692843f2e846554f7eba85690cd2087c9048a",
@ -55,11 +55,11 @@ provider "registry.terraform.io/ivoronin/macaddress" {
]
}
provider "registry.terraform.io/poseidon/matchbox" {
provider "registry.opentofu.org/poseidon/matchbox" {
version = "0.5.2"
constraints = "0.5.2"
hashes = [
"h1:ZlO7fr0TYs0Gyfl5xx3fcVSlzcaorr1QWOYbTebSqO8=",
"h1:Ruxh/CtMiqESV+j+aivpaT2/UM0M3CF6oKXbuq2PfLk=",
"zh:2f51a49a5418cf22dc7201c22d0bd1ff7fc095eb97688f040491492e319fe076",
"zh:44db04a6867a1116a7a41919d94abf9d2725bc87130d8ee5f9055457639d1e94",
"zh:4e59679bcde22a111b45371e86941562ccdd7db3895762eb2f512419f9d6653d",
@ -68,11 +68,11 @@ provider "registry.terraform.io/poseidon/matchbox" {
]
}
provider "registry.terraform.io/siderolabs/talos" {
provider "registry.opentofu.org/siderolabs/talos" {
version = "0.4.0-alpha.0"
constraints = "0.4.0-alpha.0"
hashes = [
"h1:04PT2Q9ubBLFCXqMEahR9M3mPYjDfe9Tn05QaUNi6qs=",
"h1:LygqCd18h7jYuQAR6CzajEN9lhA4gPQn7SKHcxVhSxc=",
"zh:0f7561370fe15a33b7ded55fe27a21f6e45b2a4950502edfcdb583fd91771239",
"zh:0fa82a384b25a58b65523e0ea4768fa1212b1f5cfc0c9379d31162454fedcc9d",
"zh:1bdbf5927dd4e810f14e159fe0e5f4873b7144a58e5aee5d95e2e33b03280152",
@ -91,11 +91,11 @@ provider "registry.terraform.io/siderolabs/talos" {
]
}
provider "registry.terraform.io/tailscale/tailscale" {
provider "registry.opentofu.org/tailscale/tailscale" {
version = "0.13.11"
constraints = "0.13.11"
hashes = [
"h1:4trmz0fx3JthZewl82y3UzzMzGaTgpjdP7+MNsq5H0k=",
"h1:VzdUBi2ssTjRODk4BZ0qNR1G92mv0P2irNp69CqHN1Q=",
"zh:0ad8afd43061faadd0f72c03bad81d900fd43ed0051318e6312e2a29f34064e0",
"zh:19e74391245935ba0d37f03db66d913194e99233118df95323555277defb6aaf",
"zh:35e956483901dcb97672c3200d7326f0913b3ce981d33ed89ee2fe3622a4347c",

38
20-post-k8s/.terraform.lock.hcl generated
View file

@ -2,31 +2,29 @@
# Manual edits may be lost in future updates.
provider "registry.opentofu.org/backblaze/b2" {
version = "0.8.6"
constraints = "0.8.6"
version = "0.8.12"
hashes = [
"h1:FUV3MlKORho03jB7xK4RHLqIoesXEpwDY3Q7j2niEtU=",
"zh:301cb0e9ad3f094e6cb182ffd1496234273d3e9138d03cbf234baf4edabaf0fb",
"zh:3b39c96c0b3081c5d9f372a355527835d26792ffaf6dc06fb390d2c76d09c394",
"zh:736a6d688bb261a3154970f7b487e142e02b02d1e4d877cce763539f4222cc8d",
"zh:ba26881679d2ce35b5f35f75309f5d480060fb29d655fd0e201dbbd55aabd345",
"h1:rA+Y9HyJGPV7kU52+9vKRM90RiGjdwj9Tas5ZImfsw0=",
"zh:bc9d25d21adeafba8edde8d6ffb6150cd5c86c207412c8941347966be3363de5",
"zh:c538eaea1b15379635b9d8a2cb862248813022bb0de5481741f18fcc77a10a1b",
"zh:cc2767797ad27b9a3b4ad97b6a2f3eeea9f50a6000bbcfa9b44189945dae30b3",
"zh:d83b5f0e632ea56570a0737c1896f049367201cc67f5de83baa24272ccdd56a4",
]
}
provider "registry.opentofu.org/hashicorp/kubernetes" {
version = "2.31.0"
constraints = "2.31.0"
version = "2.32.0"
hashes = [
"h1:MfkGdRph9sDol+ukIgIigdXuLLpC2JPUHH5oF2zEfTM=",
"zh:0dd25babf78a88a61dd329b8c18538a295ea63630f1b69575e7898c89307da39",
"zh:3138753e4b2ce6e9ffa5d65d73e9236169ff077c10089c7dc71031a0a139ff6d",
"zh:644f94692dc33de0bb1183c307ae373efbf4ef4cb92654ccc646a5716edf9593",
"zh:6cc630e43193220b1599e3227286cc4e3ca195910e8c56b6bacb50c5b5176dbf",
"zh:764173875e77aa482da4dca9fec5f77c455d028848edfc394aa7dac5dfed6afd",
"zh:7b1d380362d50ffbb3697483036ae351b0571e93b33754255cde6968e62b839f",
"zh:a1d93ca3d8d1ecdd3b69242d16ff21c91b34e2e98f02a3b2d02c908aeb45189b",
"zh:b471d0ab56dbf19c95fba68d2ef127bdb353be96a2be4c4a3dcd4d0db4b4180a",
"zh:d610f725ded4acd3d31a240472bb283aa5e657ed020395bdefea18d094b8c2bf",
"zh:d7f3ddd636ad5af6049922f212feb24830b7158410819c32073bf81c359cd2fa",
"h1:ZRCFOIecOlTIrpf1O/kmbFfBMQe9r8/HwiiK9kP0KEk=",
"zh:06d586c8fcd3ab8fe7f3ac99142ba48b9efbff8bebe05c52b3c7997f83146200",
"zh:12ce862493717118a6bf68328448d09023a60344da25633e124423cdd734263e",
"zh:33ee1cda5db58fd26576ba6be715282af30e04d25b38fd6752810fd206bc6422",
"zh:8f4e13c726a5fb84244eff7740b20678e7fb2d5df6ebc759101d4c58fb069112",
"zh:8fe15d350b5a018f535a93fa054bf4d05377a69f3b1e5cabe8c73d059a4b70cb",
"zh:953fc8c8a92ff0defafd22ee0aec12d483d7b80685de6838e513d4de7170a651",
"zh:a1ad6197105f9cda73c39f3b69dd688ec22708c736de05c03516561a88f4bbfc",
"zh:c1d60898c269f42ece0b3672901001ba26338c865f83a39b116c0d6c0cd8dbc1",
"zh:d26fcff2fda9421d9129fd407696481ecd2714ae3316e81ff977e2e40de068e5",
"zh:dc616b73095755245f211af0989bfcf2f76b43196bf7f8982183e4e3b1c3f6f6",
]
}

4
20-post-k8s/loki.tf
View file

@ -1,5 +1,5 @@
resource "b2_bucket" "cowley-tech-home-backup" {
bucket_name = "cowley-tech-k3s-logs"
resource "b2_bucket" "cowley-tech-home-logs" {
bucket_name = "cowley-tech-home-logs"
bucket_type = "allPrivate"
}

4
20-post-k8s/provider.tf
View file

@ -7,11 +7,11 @@ terraform {
required_providers {
b2 = {
source = "Backblaze/b2"
version = "0.8.6"
#version = "0.8.6"
}
kubernetes = {
source = "hashicorp/kubernetes"
version = "2.31.0"
#version = "2.31.0"
}
}
}

77
authentik.old/.terraform.lock.hcl generated Normal file
View file

@ -0,0 +1,77 @@
# This file is maintained automatically by "tofu init".
# Manual edits may be lost in future updates.
provider "registry.opentofu.org/goauthentik/authentik" {
version = "2024.10.2"
constraints = "2024.10.2"
hashes = [
"h1:qjDOLb8+12kZHSM3VsItQCsZYJhDMD4bNKSZi15HQ28=",
"zh:06c6c9bb2716052fefc1013ed1a77a12159d5625fe43857700c282e80e2fbba1",
"zh:121e45b3d3675df24e2c1bb107e2ed15fc9f1ec8b602b9bdaebec71481addf0c",
"zh:2aec74c8df3e3eb56fb09edcb1c7f43c91f932b2ef2327aa855ba0819f11169e",
"zh:4f2bf009f43293a24cc8941d4bbab340a53f569a9331aa615a7934f500a64290",
"zh:64b150655b47c60e6ae72a2ee754f5019b2baabd4dc292a6b2b960b3a206e218",
"zh:78bf3fd7cbac489d23a620743e5af5b85b31fc548433cf86f0861878b68f2666",
"zh:7ce7a02671056d476d17652d780ee2bd309ce34eb77746719b7b277ca66b7c58",
"zh:84fdb911186918cbba86c1390ce18a4423f0d748216f2d9c8421801b34b41f16",
"zh:95db38fb110302707cd70471f5cb2bf361ed6d5987f7b6fe5f3c5855f9dc9b64",
"zh:9c24dbf6512637bb1d4201a901dddef0210b440ad8b02717ca1167b75afa6882",
"zh:a83bc8bfe87e44c788c3c974e764c7bfb1c5fb982f427a5b928c50e55b48dea6",
"zh:b5a4d5d1f2f0e8d65ad29a23bfd72d0d4e3e06e9bacea9463a10e67137833409",
"zh:d1e08a662ab7c80373bc13446c9b316a671fcddec6aeffef7ab3649d1bbfb76b",
"zh:e1c50a791f2d53f7b464ab122f92062547d5a4ad71297f5e7f0375453cd2034f",
]
}
provider "registry.opentofu.org/hashicorp/kubernetes" {
version = "2.31.0"
constraints = "2.31.0"
hashes = [
"h1:MfkGdRph9sDol+ukIgIigdXuLLpC2JPUHH5oF2zEfTM=",
"h1:z2qlqn6WbrjbezwQo4vvlwAgVUGz59klzDU4rlYhYi8=",
"zh:0dd25babf78a88a61dd329b8c18538a295ea63630f1b69575e7898c89307da39",
"zh:3138753e4b2ce6e9ffa5d65d73e9236169ff077c10089c7dc71031a0a139ff6d",
"zh:644f94692dc33de0bb1183c307ae373efbf4ef4cb92654ccc646a5716edf9593",
"zh:6cc630e43193220b1599e3227286cc4e3ca195910e8c56b6bacb50c5b5176dbf",
"zh:764173875e77aa482da4dca9fec5f77c455d028848edfc394aa7dac5dfed6afd",
"zh:7b1d380362d50ffbb3697483036ae351b0571e93b33754255cde6968e62b839f",
"zh:a1d93ca3d8d1ecdd3b69242d16ff21c91b34e2e98f02a3b2d02c908aeb45189b",
"zh:b471d0ab56dbf19c95fba68d2ef127bdb353be96a2be4c4a3dcd4d0db4b4180a",
"zh:d610f725ded4acd3d31a240472bb283aa5e657ed020395bdefea18d094b8c2bf",
"zh:d7f3ddd636ad5af6049922f212feb24830b7158410819c32073bf81c359cd2fa",
]
}
provider "registry.opentofu.org/hashicorp/local" {
version = "2.5.2"
hashes = [
"h1:6lS+5A/4WFAqY3/RHWFRBSiFVLPRjvLaUgxPQvjXLHU=",
"zh:25b95b76ceaa62b5c95f6de2fa6e6242edbf51e7fc6c057b7f7101aa4081f64f",
"zh:3c974fdf6b42ca6f93309cf50951f345bfc5726ec6013b8832bcd3be0eb3429e",
"zh:5de843bf6d903f5cca97ce1061e2e06b6441985c68d013eabd738a9e4b828278",
"zh:86beead37c7b4f149a54d2ae633c99ff92159c748acea93ff0f3603d6b4c9f4f",
"zh:8e52e81d3dc50c3f79305d257da7fde7af634fed65e6ab5b8e214166784a720e",
"zh:9882f444c087c69559873b2d72eec406a40ede21acb5ac334d6563bf3a2387df",
"zh:a4484193d110da4a06c7bffc44cc6b61d3b5e881cd51df2a83fdda1a36ea25d2",
"zh:a53342426d173e29d8ee3106cb68abecdf4be301a3f6589e4e8d42015befa7da",
"zh:d25ef2aef6a9004363fc6db80305d30673fc1f7dd0b980d41d863b12dacd382a",
"zh:fa2d522fb323e2121f65b79709fd596514b293d816a1d969af8f72d108888e4c",
]
}
provider "registry.opentofu.org/hashicorp/random" {
version = "3.6.3"
hashes = [
"h1:Ry0Lr0zaoicslZlcUR4rAySPpl/a7QupfMfuAxhW3fw=",
"zh:1bfd2e54b4eee8c761a40b6d99d45880b3a71abc18a9a7a5319204da9c8363b2",
"zh:21a15ac74adb8ba499aab989a4248321b51946e5431219b56fc827e565776714",
"zh:221acfac3f7a5bcd6cb49f79a1fca99da7679bde01017334bad1f951a12d85ba",
"zh:3026fcdc0c1258e32ab519df878579160b1050b141d6f7883b39438244e08954",
"zh:50d07a7066ea46873b289548000229556908c3be746059969ab0d694e053ee4c",
"zh:54280cdac041f2c2986a585f62e102bc59ef412cad5f4ebf7387c2b3a357f6c0",
"zh:632adf40f1f63b0c5707182853c10ae23124c00869ffff05f310aef2ed26fcf3",
"zh:b8c2876cce9a38501d14880a47e59a5182ee98732ad7e576e9a9ce686a46d8f5",
"zh:f27e6995e1e9fe3914a2654791fc8d67cdce44f17bf06e614ead7dfd2b13d3ae",
"zh:f423f2b7e5c814799ad7580b5c8ae23359d8d342264902f821c357ff2b3c6d3d",
]
}

8
authentik.old/Makefile Normal file
View file

@ -0,0 +1,8 @@
init:
@tofu init
plan:
@tofu plan -out tfplan
apply:plan
@tofu apply tfplan

48
authentik.old/books.tf Normal file
View file

@ -0,0 +1,48 @@
resource "random_id" "books_client_id" {
byte_length = 16
}
resource "authentik_provider_oauth2" "books" {
name = "AudioBookShelf"
# Required. You can use the output of:
# $ openssl rand -hex 16
client_id = random_id.books_client_id.id
authentication_flow = data.authentik_flow.default-authentication-flow.id
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
invalidation_flow = data.authentik_flow.default-invalidation-flow.id
client_type = "public"
allowed_redirect_uris = [
{
url = "https://books.lab.cowley.tech/",
matched_mode = "strict"
},
{
matched_mode = "regex",
url = ".*"
}
]
sub_mode = "user_email"
property_mappings = [
data.authentik_property_mapping_provider_scope.scope-email.id,
data.authentik_property_mapping_provider_scope.scope-profile.id,
data.authentik_property_mapping_provider_scope.scope-openid.id,
]
lifecycle {
ignore_changes = [
signing_key,
authentication_flow,
]
}
}
resource "authentik_application" "books" {
name = "AudioBookShelf"
slug = "audiobookshelf"
protocol_provider = authentik_provider_oauth2.books.id
open_in_new_tab = true
}

58
authentik.old/chat.tf Normal file
View file

@ -0,0 +1,58 @@
resource "random_id" "chat_client_id" {
byte_length = 16
}
resource "authentik_provider_oauth2" "chat" {
name = "Chat"
# Required. You can use the output of:
# $ openssl rand -hex 16
client_id = random_id.chat_client_id.id
# Optional: will be generated if not provided
# client_secret = "my_client_secret"
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
invalidation_flow = data.authentik_flow.default-invalidation-flow.id
allowed_redirect_uris = [
{
matched_mode = "strict",
url = "https://chat.lab.cowley.tech/oauth/oidc/callback",
},
{
matched_mode = "regex",
url = ".*"
}
]
property_mappings = [
data.authentik_property_mapping_provider_scope.scope-openid.id,
data.authentik_property_mapping_provider_scope.scope-email.id,
data.authentik_property_mapping_provider_scope.scope-profile.id,
]
lifecycle {
ignore_changes = [
signing_key,
authentication_flow,
]
}
}
resource "authentik_application" "chat" {
name = "Chat"
slug = "chat"
protocol_provider = authentik_provider_oauth2.chat.id
}
resource "kubernetes_secret" "chat" {
metadata {
name = "open-webui-authentik"
namespace = "ollama"
}
data = {
OAUTH_CLIENT_ID = authentik_provider_oauth2.chat.client_id
OAUTH_CLIENT_SECRET = authentik_provider_oauth2.chat.client_secret
OPENID_PROVIDER_URL = "https://auth.lab.cowley.tech/application/o/chat/.well-known/openid-configuration"
OAUTH_PROVIDER_NAME = "Authentik"
OAUTH_SCOPES = "openid email profile"
}
}

19
authentik/dashy.tf → authentik.old/dashy.tf
View file

@ -6,15 +6,22 @@ resource "authentik_provider_oauth2" "dashy" {
name = "Dashy"
# Required. You can use the output of:
# $ openssl rand -hex 16
client_id = random_id.dashy_client_id.id
client_id = random_id.dashy_client_id.id
authentication_flow = data.authentik_flow.default-authentication-flow.id
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
invalidation_flow = data.authentik_flow.default-invalidation-flow.id
client_type = "public"
redirect_uris = [
"https://dash.lab.cowley.tech/",
".*"
allowed_redirect_uris = [
{
matched_mode = "strict",
url = "https://dash.lab.cowley.tech/",
},
{
matched_mode = "regex",
url = ".*"
}
]
sub_mode = "user_email"
@ -36,5 +43,5 @@ resource "authentik_application" "dashy" {
name = "Dashy"
slug = "dashy"
protocol_provider = authentik_provider_oauth2.dashy.id
open_in_new_tab = true
open_in_new_tab = true
}

21
authentik.old/data.tf Normal file
View file

@ -0,0 +1,21 @@
data "authentik_flow" "default-provider-authorization-implicit-consent" {
slug = "default-provider-authorization-implicit-consent"
}
data "authentik_flow" "default-authentication-flow" {
slug = "default-authentication-flow"
}
data "authentik_flow" "default-invalidation-flow" {
slug = "default-invalidation-flow"
}
data "authentik_property_mapping_provider_scope" "scope-email" {
name = "authentik default OAuth Mapping: OpenID 'email'"
}
data "authentik_property_mapping_provider_scope" "scope-profile" {
name = "authentik default OAuth Mapping: OpenID 'profile'"
}
data "authentik_property_mapping_provider_scope" "scope-openid" {
name = "authentik default OAuth Mapping: OpenID 'openid'"
}

28
authentik.old/docs.tf Normal file
View file

@ -0,0 +1,28 @@
#resource "authentik_provider_proxy" "docs" {
# name = "docs"
# authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
# external_host = "https://docs.lab.cowley.tech"
# internal_host = "http://homelab-docs.docs.svc.cluster.local"
#}
#resource "authentik_application" "docs" {
# name = "Homelab Docs"
# slug = "homelab-docs"
# protocol_provider = authentik_provider_proxy.docs.id
# meta_launch_url = "https://docs.lab.cowley.tech"
#}
#resource "authentik_outpost" "docs" {
# name = "docs"
# protocol_providers = [
# authentik_provider_proxy.docs.id
# ]
# config = jsonencode({
# "kubernetes_namespace": "docs",
# "kubernetes_ingress_class_name": "nginx",
# })
# service_connection = authentik_service_connection_kubernetes.local.id
#}
#
#resource "authentik_service_connection_kubernetes" "local" {
# name = "local"
# local = true
#}

0
authentik/foo.bar → authentik.old/foo.bar
View file

12
authentik/forgejo.tf → authentik.old/forgejo.tf
View file

@ -12,9 +12,13 @@ resource "authentik_provider_oauth2" "forgejo" {
# client_secret = "my_client_secret"
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
invalidation_flow = data.authentik_flow.default-invalidation-flow.id
redirect_uris = [
"https://code.lab.cowley.tech/user/oauth2/authentik/callback"
allowed_redirect_uris = [
{
matched_mode = "strict"
url = "https://code.lab.cowley.tech/user/oauth2/authentik/callback"
}
]
property_mappings = [
data.authentik_property_mapping_provider_scope.scope-email.id,
@ -47,7 +51,7 @@ resource "kubernetes_secret" "forgejo-oauth" {
namespace = "forgejo"
}
data = {
"key" = authentik_provider_oauth2.forgejo.client_id
"secret" = authentik_provider_oauth2.forgejo.client_secret
"key" = authentik_provider_oauth2.forgejo.client_id
"secret" = authentik_provider_oauth2.forgejo.client_secret
}
}

80
authentik.old/grafana.tf Normal file
View file

@ -0,0 +1,80 @@
resource "random_id" "client_id" {
byte_length = 16
}
resource "authentik_provider_oauth2" "grafana" {
name = "Grafana"
# Required. You can use the output of:
# $ openssl rand -hex 16
client_id = random_id.client_id.id
# Optional: will be generated if not provided
# client_secret = "my_client_secret"
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
invalidation_flow = data.authentik_flow.default-invalidation-flow.id
allowed_redirect_uris = [
{
matched_mode = "strict",
url = "https://grafana.lab.cowley.tech/login/generic_oauth"
},
]
property_mappings = [
data.authentik_property_mapping_provider_scope.scope-email.id,
data.authentik_property_mapping_provider_scope.scope-profile.id,
data.authentik_property_mapping_provider_scope.scope-openid.id,
]
lifecycle {
ignore_changes = [
signing_key,
authentication_flow,
]
}
}
resource "authentik_application" "grafana" {
name = "Grafana"
slug = "grafana"
protocol_provider = authentik_provider_oauth2.grafana.id
}
resource "authentik_group" "grafana_admins" {
name = "Grafana Admins"
}
resource "authentik_group" "grafana_editors" {
name = "Grafana Editors"
}
resource "authentik_group" "grafana_viewers" {
name = "Grafana Viewers"
}
resource "kubernetes_secret" "grafana-authentik" {
metadata {
name = "grafana-authentik"
namespace = "monitoring"
}
data = {
"GF_AUTH_GENERIC_OAUTH_ENABLED" = "true"
"GF_AUTH_GENERIC_OAUTH_CLIENT_ID" = authentik_provider_oauth2.grafana.client_id
"GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET" = authentik_provider_oauth2.grafana.client_secret
"GF_AUTH_GENERIC_OAUTH_NAME" = "authentik"
"GF_AUTH_GENERIC_OAUTH_SCOPES" = "openid profile email"
"GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP" = "true"
"GF_AUTH_GENERIC_OAUTH_AUTH_URL" = "https://auth.lab.cowley.tech/application/o/authorize/"
"GF_AUTH_GENERIC_OAUTH_TOKEN_URL" = "https://auth.lab.cowley.tech/application/o/token/"
"GF_AUTH_GENERIC_OAUTH_API_URL" = "https://auth.lab.cowley.tech/application/o/userinfo/"
"GF_AUTH_SIGNOUT_REDIRECT_URL" = "https://auth.lab.cowley.tech/application/o/grafana/end-session/"
"GF_AUTH_GENERIC_SIGNOUT_REDIRECT_URL" = "https://auth.lab.cowley.tech/application/o/grafana/end-session/"
# Optionally enable auto-login (bypasses Grafana login screen)
"GF_AUTH_OAUTH_AUTO_LOGIN" = "false"
# Optionally map user groups to Grafana roles
"GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH" = "contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'"
}
}

7
authentik.old/groups.tf Normal file
View file

@ -0,0 +1,7 @@
data "authentik_group" "admins" {
name = "authentik Admins"
}
resource "authentik_group" "arr-users" {
name = "arr_users"
}

69
authentik.old/immich.tf Normal file
View file

@ -0,0 +1,69 @@
#data "authentik_flow" "default-provider-authorization-implicit-consent" {
# slug = "default-provider-authorization-implicit-consent"
#}
#
#data "authentik_property_mapping_provider_scope" "scope-email" {
# name = "authentik default OAuth Mapping: OpenID 'email'"
#}
#
#data "authentik_property_mapping_provider_scope" "scope-profile" {
# name = "authentik default OAuth Mapping: OpenID 'profile'"
#}
#
#data "authentik_property_mapping_provider_scope" "scope-openid" {
# name = "authentik default OAuth Mapping: OpenID 'openid'"
#}
#
resource "random_id" "immich_client_id" {
byte_length = 16
}
resource "authentik_provider_oauth2" "immich" {
name = "Immich"
# Required. You can use the output of:
# $ openssl rand -hex 16
client_id = random_id.immich_client_id.id
# Optional: will be generated if not provided
# client_secret = "my_client_secret"
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
invalidation_flow = data.authentik_flow.default-invalidation-flow.id
allowed_redirect_uris = [
{
matched_mode = "strict"
url = "app.immich:///oauth-callback",
},
{
matched_mode = "strict"
url = "https://photos.lab.cowley.tech/auth/login",
},
{
matched_mode = "strict"
url = "https://photos.lab.cowley.tech/user-settings",
}
]
property_mappings = [
data.authentik_property_mapping_provider_scope.scope-email.id,
data.authentik_property_mapping_provider_scope.scope-profile.id,
data.authentik_property_mapping_provider_scope.scope-openid.id,
]
lifecycle {
ignore_changes = [
signing_key,
authentication_flow,
]
}
}
resource "authentik_application" "immich" {
name = "Immich"
slug = "immich"
protocol_provider = authentik_provider_oauth2.immich.id
}
resource "local_file" "foo" {
content = authentik_provider_oauth2.immich.client_secret
filename = "${path.module}/foo.bar"
}

50
authentik.old/jellyfin.tf Normal file
View file

@ -0,0 +1,50 @@
resource "random_id" "jellyfin_client_id" {
byte_length = 16
}
resource "authentik_provider_oauth2" "jellyfin" {
name = "Jellyfin"
client_id = random_id.jellyfin_client_id.id
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
invalidation_flow = data.authentik_flow.default-invalidation-flow.id
allowed_redirect_uris = [
{
matched_mode = "strict",
url = "https://jellyfin.lab.cowley.tech/sso/OID/start/authentik",
},
{
matched_mode = "regex",
url = ".*",
}
]
property_mappings = [
data.authentik_property_mapping_provider_scope.scope-email.id,
data.authentik_property_mapping_provider_scope.scope-profile.id,
data.authentik_property_mapping_provider_scope.scope-openid.id,
]
lifecycle {
ignore_changes = [
signing_key,
authentication_flow,
]
}
}
resource "authentik_application" "jellyfin" {
name = "Jellyfin"
slug = "jellyfin"
protocol_provider = authentik_provider_oauth2.jellyfin.id
meta_launch_url = "https://jellyfin.lab.cowley.tech/sso/OID/start/authentik"
}
resource "kubernetes_secret" "jellyfin_oidc" {
metadata {
name = "jellyfin-oidc"
namespace = "jellyfin"
}
data = {
client-secret = authentik_provider_oauth2.jellyfin.client_secret
}
}

0
authentik/lidarr.tf → authentik.old/lidarr.tf
View file

75
authentik.old/nextcloud.tf Normal file
View file

@ -0,0 +1,75 @@
#data "authentik_property_mapping_provider_scope" "nextcloud" {
# name = "Nextcloud Profile"
#}
resource "authentik_property_mapping_provider_scope" "nextcloud-scope" {
name = "Nextcloud Profile"
scope_name = "profile"
expression = <<EOF
# Extract all groups the user is a member of
groups = [group.name for group in user.ak_groups.all()]
# Nextcloud admins must be members of a group called "admin".
# This is static and cannot be changed.
# We append a fictional "admin" group to the user's groups if they are an admin in authentik.
# This group would only be visible in Nextcloud and does not exist in authentik.
if user.is_superuser and "Nextcloud Admin" not in groups:
groups.append("admin")
return {
"name": request.user.name,
"groups": groups,
# To set a quota set the "nextcloud_quota" property in the user's attributes
"quota": user.group_attributes().get("nextcloud_quota", None),
# To connect an already existing user, set the "nextcloud_user_id" property in the
# user's attributes to the username of the corresponding user on Nextcloud.
"user_id": user.attributes.get("nextcloud_user_id", str(user.uuid)),
}
EOF
}
resource "random_id" "nextcloud_client_id" {
byte_length = 16
}
resource "authentik_provider_oauth2" "nextcloud" {
name = "Nextcloud"
# Required. You can use the output of:
# $ openssl rand -hex 16
client_id = random_id.nextcloud_client_id.id
# Optional: will be generated if not provided
# client_secret = "my_client_secret"
sub_mode = "user_uuid"
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
invalidation_flow = data.authentik_flow.default-invalidation-flow.id
allowed_redirect_uris = [
{
matching_mode = "strict"
url = "https://cloud.lab.cowley.tech/apps/user_oidc/code",
}
]
property_mappings = [
data.authentik_property_mapping_provider_scope.scope-email.id,
authentik_property_mapping_provider_scope.nextcloud-scope.id
]
lifecycle {
ignore_changes = [
signing_key,
authentication_flow,
]
}
}
resource "authentik_application" "nextcloud" {
name = "Nextcloud"
slug = "nextcloud"
protocol_provider = authentik_provider_oauth2.nextcloud.id
}
resource "authentik_group" "nextcloud_admins" {
name = "Nextcloud Admins"
}

8
authentik/paperless-ngx.tf → authentik.old/paperless-ngx.tf
View file

@ -9,9 +9,13 @@ resource "authentik_provider_oauth2" "paperless" {
client_id = random_id.paperless_client_id.id
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
invalidation_flow = data.authentik_flow.default-invalidation-flow.id
redirect_uris = [
"https://paperless.lab.cowley.tech/accounts/oidc/authentik/login/callback/"
allowed_redirect_uris = [
{
matching_mode = "strict",
url = "https://paperless.lab.cowley.tech/accounts/oidc/authentik/login/callback/"
}
]
property_mappings = [

0
authentik/paperless.tpl → authentik.old/paperless.tpl
View file

19
authentik.old/provider.tf Normal file
View file

@ -0,0 +1,19 @@
terraform {
backend "kubernetes" {
secret_suffix = "authentik-state"
namespace = "authentik"
}
required_providers {
kubernetes = {
source = "hashicorp/kubernetes"
version = "2.31.0"
}
authentik = {
source = "goauthentik/authentik"
version = "2024.10.2"
}
}
}
provider "authentik" {}
provider "kubernetes" {
}

36
authentik.old/users.tf Normal file
View file

@ -0,0 +1,36 @@
resource "authentik_user" "chriscowley" {
username = "chriscowley"
name = "Chris Cowley"
email = "chriscowleysound@gmail.com"
groups = [
data.authentik_group.admins.id,
authentik_group.grafana_admins.id,
]
is_active = false
}
resource "authentik_user" "chris" {
username = "chris"
name = "Chris Cowley"
email = "chris@cowley.tech"
groups = [
data.authentik_group.admins.id,
authentik_group.grafana_admins.id,
authentik_group.nextcloud_admins.id,
authentik_group.arr-users.id
]
# attributes = jsonencode(
# {
# nextcloud_user_id = "chris"
# }
# )
}
resource "authentik_user" "nadege" {
username = "nadege"
name = "Nadege Cowley"
email = "nadege@cowley.tech"
}

49
authentik.old/wiki.tf Normal file
View file

@ -0,0 +1,49 @@
#resource "random_id" "wikijs_client_id" {
# byte_length = 16
#}
#
#resource "authentik_provider_oauth2" "wikijs" {
# name = "Wiki.js"
# # Required. You can use the output of:
# # $ openssl rand -hex 16
# client_id = random_id.wikijs_client_id.id
# authentication_flow = data.authentik_flow.default-authentication-flow.id
# authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
#
# client_type = "public"
#
# redirect_uris = [
# "https://wiki.lab.cowley.tech/",
# ".*"
# ]
#
# property_mappings = [
# data.authentik_property_mapping_provider_scope.scope-email.id,
# data.authentik_property_mapping_provider_scope.scope-profile.id,
# data.authentik_property_mapping_provider_scope.scope-openid.id,
# ]
# lifecycle {
# ignore_changes = [
# signing_key,
# authentication_flow,
# ]
# }
#}
#resource "kubernetes_secret" "wikijs-oauth" {
# metadata {
# name = "wikijs-oauth"
# namespace = "wikijs"
# }
# data = {
# "key" = authentik_provider_oauth2.wikijs.client_id
# "secret" = authentik_provider_oauth2.wikijs.client_secret
# }
#}
#resource "authentik_application" "wikijs" {
# name = "Wiki.js"
# slug = "wikijs"
# protocol_provider = authentik_provider_oauth2.wikijs.id
#
# meta_launch_url = "https://wiki.lab.cowley.tech/login/144cdcbe-d199-4f2c-93ae-cde7f662ce04"
# open_in_new_tab = true
#}

BIN
authentik/.nextcloud.tf.swp Normal file
View file

Binary file not shown.

86
authentik/.terraform.lock.hcl generated
View file

@ -2,25 +2,24 @@
# Manual edits may be lost in future updates.
provider "registry.opentofu.org/goauthentik/authentik" {
version = "2024.8.2"
constraints = "2024.8.2"
version = "2024.12.0"
constraints = "2024.12.0"
hashes = [
"h1:+RVux9TSmkUsxIinptup4oOdfzObeXLaOnc0oi0Vat4=",
"h1:a/zGxz5mU9L/j0s0QuhBFDNw057ZzsEhD8aaH4YTsjI=",
"zh:1a08cf73a35237bf84e8761eb026b4175bc34bab4c6a206110cb9a3d06c86391",
"zh:1f5807c2ab22e21a9f4c1d19bc64c52150ac003c6a90417315d8fafb6cbfd09d",
"zh:20237b247cbee340d03629f3bb4e156e8ccf65db246eeffb4cad3dabe34f26bb",
"zh:416ee251d684360e993ea3bdd7b9b3abb869f1d27d3bfe7c53731d444493bad3",
"zh:4d76186b29969509fb950ddce03b80eba9bc3409b6bbd20f8a9e7623d84b63c0",
"zh:588bbeb5768dc0e6d6b3e7bc67709ef7bc4a7f48eeb659801bc8511d646141ac",
"zh:5f95796b207c90e4dcf5d9f2945929351c5709754ce66839279e87279a04204f",
"zh:60263694ce7e107f3f78d5cc727d6143082e0eaa97b15727af83aaed8305d351",
"zh:6ecc4bd586e37987cfa057fc3a3f87bd461e3215d9efb5654fdd639a8d5318e9",
"zh:9e05d3d930a92f160cd788a699b3e11c80b59cb67b5f0b4a9970a1f7e9b08045",
"zh:c6ecaafa4176f12c8930fe2225c34a6d64eb9eb9774b50df17714d2ae338068d",
"zh:d781b9de7ce45a0b67b177705f755746b3afb11c4cac9171825bd9ace4017da6",
"zh:df6d9bc87b752c4e75f5246b32a98049a3253762389fd8476a9b4f96729f9cdd",
"zh:ef6c1ce79965e212929674063de6280abae5ee5c064049880ab81ca0e27b7434",
"h1:0o3y2j790uXjLbMyr/DvSs9b69oHLDekl5txp4lBZuE=",
"zh:00e0f693660c75f66660a40626dfe2f1d1f4798adeccbecd3464e06652ef20b4",
"zh:1469a77658b14bf40d90aaa3d26ce614427281d2fe5d762b8f788804b2ae5d25",
"zh:19123fd8017728023ed776a33df02d06f7572b0825644e516d0a576e69822ef1",
"zh:35f854ef52128e89eac3a2c1bded5ab60aee57fa860d8ca4ebe914babf9912a1",
"zh:36720fa9ae37a6c8a3498d1412c63d368a1f048ca163f3102d1bdc3dd20fffae",
"zh:57686add2a2b35f658989fd1b0be506592aaa6b10e3d414bb9b90c37e303e425",
"zh:5a32b7673fe1b3a104291559c85f5dd2ec952ca6598398a15e3694eb84cf4ccc",
"zh:6a662f416894338d5c9459406810845a61caf4498000b1ecbb3437d21eecce10",
"zh:7f293416f649b4dea0d4f07b7ca2f4c437a37c340824e49c926eb402349fc1f6",
"zh:c1742ee5f8929345e5412768da9319ce47dc23590a0aa3577ea53c1b059606bf",
"zh:dec7ab67a9efdfafa9693e5c0e3af30b7caa0c56c79634586f34f5770f8fc40f",
"zh:e020e938821c6973a87737f5b57cb525e3f3349eb2b6eb04f39c1501ba24e7ab",
"zh:f2937300a967e71c989a004cf8d8db0bb2ecd35a6ab75b0813f3048322882568",
"zh:f51e95a89995027fbf598ac83d2ee7d1a07ca141f4e60502f01ba74173f2b0a3",
]
}
@ -28,7 +27,6 @@ provider "registry.opentofu.org/hashicorp/kubernetes" {
version = "2.31.0"
constraints = "2.31.0"
hashes = [
"h1:MfkGdRph9sDol+ukIgIigdXuLLpC2JPUHH5oF2zEfTM=",
"h1:z2qlqn6WbrjbezwQo4vvlwAgVUGz59klzDU4rlYhYi8=",
"zh:0dd25babf78a88a61dd329b8c18538a295ea63630f1b69575e7898c89307da39",
"zh:3138753e4b2ce6e9ffa5d65d73e9236169ff077c10089c7dc71031a0a139ff6d",
@ -44,37 +42,35 @@ provider "registry.opentofu.org/hashicorp/kubernetes" {
}
provider "registry.opentofu.org/hashicorp/local" {
version = "2.5.1"
version = "2.5.2"
hashes = [
"h1:8bCbJcRyrXb0YmskSdP0XtTLINolscfZ6oWaXgtXLHI=",
"h1:GgW5qncKu4KnXLE1ZYv5iwmhSYtTNzsOvJAOQIyFR7E=",
"zh:031c2c2070672b7e78e0aa15560839278dc57fe7cf1e58a617ac13c67b31d5fb",
"zh:1ef64ea4f8382cd538a76f3d319f405d18130dc3280f1c16d6aaa52a188ecaa4",
"zh:422ce45691b2f384dbd4596fdc8209d95cb43d85a82aaa0173089d38976d6e96",
"zh:7415fbd8da72d9363ba55dd8115837714f9534f5a9a518ec42268c2da1b9ed2f",
"zh:92aa22d071339c8ef595f18a9f9245c287266c80689f5746b26e10eaed04d542",
"zh:9cd0d99f5d3be835d6336c19c4057af6274e193e677ecf6370e5b0de12b4aafe",
"zh:a8c1525b389be5809a97f02aa7126e491ba518f97f57ed3095a3992f2134bb8f",
"zh:b336fa75f72643154b07c09b3968e417a41293358a54fe03efc0db715c5451e6",
"zh:c66529133599a419123ad2e42874afbd9aba82bd1de2b15cc68d2a1e665d4c8e",
"zh:c7568f75ba6cb7c3660b69eaab8b0e4278533bd9a7a4c33ee6590cc7e69743ea",
"h1:6lS+5A/4WFAqY3/RHWFRBSiFVLPRjvLaUgxPQvjXLHU=",
"zh:25b95b76ceaa62b5c95f6de2fa6e6242edbf51e7fc6c057b7f7101aa4081f64f",
"zh:3c974fdf6b42ca6f93309cf50951f345bfc5726ec6013b8832bcd3be0eb3429e",
"zh:5de843bf6d903f5cca97ce1061e2e06b6441985c68d013eabd738a9e4b828278",
"zh:86beead37c7b4f149a54d2ae633c99ff92159c748acea93ff0f3603d6b4c9f4f",
"zh:8e52e81d3dc50c3f79305d257da7fde7af634fed65e6ab5b8e214166784a720e",
"zh:9882f444c087c69559873b2d72eec406a40ede21acb5ac334d6563bf3a2387df",
"zh:a4484193d110da4a06c7bffc44cc6b61d3b5e881cd51df2a83fdda1a36ea25d2",
"zh:a53342426d173e29d8ee3106cb68abecdf4be301a3f6589e4e8d42015befa7da",
"zh:d25ef2aef6a9004363fc6db80305d30673fc1f7dd0b980d41d863b12dacd382a",
"zh:fa2d522fb323e2121f65b79709fd596514b293d816a1d969af8f72d108888e4c",
]
}
provider "registry.opentofu.org/hashicorp/random" {
version = "3.6.2"
version = "3.6.3"
hashes = [
"h1:9/mOE51WYYFajLHkN/lnbEcMsvC3CBwHWNrrnkF4TXA=",
"h1:PXvoOj9gj+Or+9k0tQWCQJKxnsVO0GqnQwVahgwRrsU=",
"zh:1f27612f7099441526d8af59f5b4bdcc35f46915df5d243043d7337ea5a3e38a",
"zh:2a58e66502825db8b4b96116c04bd0323bca1cf1f5752bdd8f9c26feb84d3b1e",
"zh:4f0a4fa479e29de0c3c90146fd58799c097f7a55401cb00560dd4e9b1e6fad9d",
"zh:9c93c0fe6ef685513734527e0c8078636b2cc07591427502a7260f4744b1af1d",
"zh:a466ff5219beb77fb3b18a3d7e7fe30e7edd4d95c8e5c87f4f4e3fe3eeb8c2d7",
"zh:ab33e6176d0c757ddb31e40e01a941e6918ad10f7a786c8e8e4f35e5cff81c96",
"zh:b6eabf377a1c12cb3f9ddd97aacdd5b49c1646dc959074124f81d40fcd216d7e",
"zh:ccec5d03d0d1c0f354be299cdd6a417b2700f1a6781df36bcce77246b2f57e50",
"zh:d2a7945eeb691fdd2b1474da76ddc2d1655e2aedbb14b57f06d4f5123d47adf9",
"zh:ed62351f4ad9d1469c6798b77dee5f63b18b29c473620a0046ba3d4f111b621d",
"h1:Ry0Lr0zaoicslZlcUR4rAySPpl/a7QupfMfuAxhW3fw=",
"zh:1bfd2e54b4eee8c761a40b6d99d45880b3a71abc18a9a7a5319204da9c8363b2",
"zh:21a15ac74adb8ba499aab989a4248321b51946e5431219b56fc827e565776714",
"zh:221acfac3f7a5bcd6cb49f79a1fca99da7679bde01017334bad1f951a12d85ba",
"zh:3026fcdc0c1258e32ab519df878579160b1050b141d6f7883b39438244e08954",
"zh:50d07a7066ea46873b289548000229556908c3be746059969ab0d694e053ee4c",
"zh:54280cdac041f2c2986a585f62e102bc59ef412cad5f4ebf7387c2b3a357f6c0",
"zh:632adf40f1f63b0c5707182853c10ae23124c00869ffff05f310aef2ed26fcf3",
"zh:b8c2876cce9a38501d14880a47e59a5182ee98732ad7e576e9a9ce686a46d8f5",
"zh:f27e6995e1e9fe3914a2654791fc8d67cdce44f17bf06e614ead7dfd2b13d3ae",
"zh:f423f2b7e5c814799ad7580b5c8ae23359d8d342264902f821c357ff2b3c6d3d",
]
}

106
authentik/chat.tf
View file

@ -1,50 +1,56 @@
#resource "random_id" "chat_client_id" {
# byte_length = 16
#}
#
#resource "authentik_provider_oauth2" "chat" {
# name = "Chat"
# # Required. You can use the output of:
# # $ openssl rand -hex 16
# client_id = random_id.chat_client_id.id
#
# # Optional: will be generated if not provided
# # client_secret = "my_client_secret"
#
# authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
#
# redirect_uris = [
# "https://chat.lab.cowley.tech/oauth/oidc/callback"
# ]
# property_mappings = [
# data.authentik_scope_mapping.scope-openid.id,
# data.authentik_scope_mapping.scope-email.id,
# data.authentik_scope_mapping.scope-profile.id,
# ]
# lifecycle {
# ignore_changes = [
# signing_key,
# authentication_flow,
# ]
# }
#}
#
#resource "authentik_application" "chat" {
# name = "Chat"
# slug = "chat"
# protocol_provider = authentik_provider_oauth2.chat.id
#}
#
#resource "kubernetes_secret" "chat" {
# metadata {
# name = "open-webui-authentik"
# namespace = "ollama"
# }
# data = {
# OAUTH_CLIENT_ID = authentik_provider_oauth2.chat.client_id
# OAUTH_CLIENT_SECRET = authentik_provider_oauth2.chat.client_secret
# OPENID_PROVIDER_URL = "https://auth.lab.cowley.tech/application/o/chat/.well-known/openid-configuration"
# OAUTH_PROVIDER_NAME = "Authentik"
# OAUTH_SCOPES = "openid email profile"
# }
#}
resource "random_id" "chat_client_id" {
byte_length = 16
}
resource "random_id" "chat_secret_key" {
byte_length = 16
}
resource "authentik_provider_oauth2" "chat" {
name = "Chat"
client_id = random_id.chat_client_id.id
authentication_flow = data.authentik_flow.default-authentication-flow.id
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
invalidation_flow = data.authentik_flow.default-invalidation-flow.id
allowed_redirect_uris = [
{
"matching_mode" = "strict"
"url" = "https://chat.lab.cowley.tech/oauth/oidc/callback"
}
]
property_mappings = [
data.authentik_property_mapping_provider_scope.scope-openid.id,
data.authentik_property_mapping_provider_scope.scope-email.id,
data.authentik_property_mapping_provider_scope.scope-profile.id,
]
lifecycle {
ignore_changes = [
signing_key,
authentication_flow,
]
}
}
resource "authentik_application" "chat" {
name = "Chat"
slug = "chat"
protocol_provider = authentik_provider_oauth2.chat.id
meta_launch_url = "https://chat.lab.cowley.tech"
}
resource "kubernetes_secret" "chat" {
metadata {
name = "open-webui-authentik"
namespace = "ollama"
}
data = {
OAUTH_CLIENT_ID = authentik_provider_oauth2.chat.client_id
OAUTH_CLIENT_SECRET = authentik_provider_oauth2.chat.client_secret
OPENID_PROVIDER_URL = "https://auth.lab.cowley.tech/application/o/chat/.well-known/openid-configuration"
WEBUI_SECRET_KEY = random_id.chat_secret_key.hex
}
}

6
authentik/data.tf
View file

@ -5,6 +5,12 @@ data "authentik_flow" "default-provider-authorization-implicit-consent" {
data "authentik_flow" "default-authentication-flow" {
slug = "default-authentication-flow"
}
data "authentik_flow" "default-invalidation-flow" {
slug = "default-invalidation-flow"
}
data "authentik_flow" "default-provider-invalidation-flow" {
slug = "default-provider-invalidation-flow"
}
data "authentik_property_mapping_provider_scope" "scope-email" {
name = "authentik default OAuth Mapping: OpenID 'email'"
}

29
authentik/grafana.tf
View file

@ -1,29 +1,22 @@
resource "random_id" "client_id" {
resource "random_id" "grafana_client_id" {
byte_length = 16
}
resource "authentik_provider_oauth2" "grafana" {
name = "Grafana"
# Required. You can use the output of:
# $ openssl rand -hex 16
client_id = random_id.client_id.id
# Optional: will be generated if not provided
# client_secret = "my_client_secret"
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
redirect_uris = [
"https://grafana.lab.cowley.tech/login/generic_oauth"
name = "Grafana"
client_id = random_id.grafana_client_id.id
allowed_redirect_uris = [
{
matching_mode = "strict",
url = "https://grafana.lab.cowley.tech/login/generic_oauth"
}
]
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
invalidation_flow = data.authentik_flow.default-invalidation-flow.id
property_mappings = [
data.authentik_property_mapping_provider_scope.scope-email.id,
data.authentik_property_mapping_provider_scope.scope-profile.id,
data.authentik_property_mapping_provider_scope.scope-openid.id,
]
lifecycle {
ignore_changes = [
signing_key,
@ -31,13 +24,11 @@ resource "authentik_provider_oauth2" "grafana" {
]
}
}
resource "authentik_application" "grafana" {
name = "Grafana"
slug = "grafana"
protocol_provider = authentik_provider_oauth2.grafana.id
}
resource "authentik_group" "grafana_admins" {
name = "Grafana Admins"
}

45
authentik/hass.tf Normal file
View file

@ -0,0 +1,45 @@
#
#resource "authentik_provider_proxy" "hass" {
# name = "Home Assistant"
# internal_host = "http://homeassistant.homeassistant:8123"
# external_host = "https://hass.lab.cowley.tech"
#
# internal_host_ssl_validation = false
#
# authentication_flow = data.authentik_flow.default-authentication-flow.id
# authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
# invalidation_flow = data.authentik_flow.default-provider-invalidation-flow.id
#
# access_token_validity = "hours=24"
#}
#
#resource "authentik_application" "hass" {
# name = "Home Assistant"
# slug = "homeassistant"
#
# protocol_provider = authentik_provider_proxy.hass.id
#}
resource "authentik_provider_proxy" "esphome" {
name = "ESP Home"
internal_host = "http://esphome.homeassistant:6052"
external_host = "https://esphome.lab.cowley.tech"
internal_host_ssl_validation = false
authentication_flow = data.authentik_flow.default-authentication-flow.id
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
invalidation_flow = data.authentik_flow.default-provider-invalidation-flow.id
access_token_validity = "hours=24"
}
resource "authentik_application" "esphome" {
name = "ESP Home"
slug = "esphome"
protocol_provider = authentik_provider_proxy.esphome.id
}

83
authentik/immich.tf
View file

@ -18,42 +18,55 @@ resource "random_id" "immich_client_id" {
byte_length = 16
}
resource "authentik_provider_oauth2" "immich" {
data "authentik_provider_oauth2_config" "immich" {
name = "Immich"
# Required. You can use the output of:
# $ openssl rand -hex 16
client_id = random_id.immich_client_id.id
# Optional: will be generated if not provided
# client_secret = "my_client_secret"
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
redirect_uris = [
"app.immich:///oauth-callback",
"https://photos.lab.cowley.tech/auth/login",
"https://photos.lab.cowley.tech/user-settings",
]
property_mappings = [
data.authentik_property_mapping_provider_scope.scope-email.id,
data.authentik_property_mapping_provider_scope.scope-profile.id,
data.authentik_property_mapping_provider_scope.scope-openid.id,
]
lifecycle {
ignore_changes = [
signing_key,
authentication_flow,
]
}
}
#resource "authentik_provider_oauth2" "immich" {
# name = "Immich"
# # Required. You can use the output of:
# # $ openssl rand -hex 16
# client_id = random_id.immich_client_id.id
#
# # Optional: will be generated if not provided
# # client_secret = "my_client_secret"
#
# authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
# invalidation_flow = data.authentik_flow.default-invalidation-flow.id
#
# allowed_redirect_uris = [
# {
# matched_mode = "strict"
# url = "app.immich:///oauth-callback",
# },
# {
# matched_mode = "strict"
# url = "https://photos.lab.cowley.tech/auth/login",
# },
# {
# matched_mode = "strict"
# url = "https://photos.lab.cowley.tech/user-settings",
# }
# ]
# #property_mappings = [
# # data.authentik_property_mapping_provider_scope.scope-email.id,
# # data.authentik_property_mapping_provider_scope.scope-profile.id,
# # data.authentik_property_mapping_provider_scope.scope-openid.id,
# #]
# #lifecycle {
# # ignore_changes = [
# # signing_key,
# # authentication_flow,
# # ]
# #}
#}
resource "authentik_application" "immich" {
name = "Immich"
slug = "immich"
protocol_provider = authentik_provider_oauth2.immich.id
}
#resource "authentik_application" "immich" {
# name = "Immich"
# slug = "immich"
# protocol_provider = authentik_provider_oauth2.immich.id
#}
resource "local_file" "foo" {
content = authentik_provider_oauth2.immich.client_secret
filename = "${path.module}/foo.bar"
}
#resource "local_file" "foo" {
# content = authentik_provider_oauth2.immich.client_secret
# filename = "${path.module}/foo.bar"
#}

21
authentik/jellyfin.tf
View file

@ -3,14 +3,20 @@ resource "random_id" "jellyfin_client_id" {
}
resource "authentik_provider_oauth2" "jellyfin" {
name = "Jellyfin"
name = "Jellyfin"
client_id = random_id.jellyfin_client_id.id
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
redirect_uris = [
"https://jellyfin.lab.cowley.tech/sso/OID/start/authentik",
".*",
invalidation_flow = data.authentik_flow.default-invalidation-flow.id
allowed_redirect_uris = [
{
matching_mode = "strict",
url = "https://jellyfin.lab.cowley.tech/sso/OID/start/authentik"
},
{
matching_mode = "strict",
url = "http://jellyfin:8096/sso/OID/start/authentik"
},
]
property_mappings = [
@ -20,6 +26,7 @@ resource "authentik_provider_oauth2" "jellyfin" {
]
lifecycle {
ignore_changes = [
allowed_redirect_uris,
signing_key,
authentication_flow,
]
@ -30,11 +37,11 @@ resource "authentik_application" "jellyfin" {
name = "Jellyfin"
slug = "jellyfin"
protocol_provider = authentik_provider_oauth2.jellyfin.id
meta_launch_url = "https://jellyfin.lab.cowley.tech/sso/OID/start/authentik"
meta_launch_url = "https://jellyfin.lab.cowley.tech/sso/OID/start/authentik"
}
resource "kubernetes_secret" "jellyfin_oidc" {
metadata {
name = "jellyfin-oidc"
name = "jellyfin-oidc"
namespace = "jellyfin"
}
data = {

22
authentik/longhorn.tf Normal file
View file

@ -0,0 +1,22 @@
resource "authentik_provider_proxy" "longhorn" {
name = "Longhorn"
internal_host = "http://longhorn-frontend.longhorn-system:80"
external_host = "https://storage.lab.cowley.tech"
internal_host_ssl_validation = false
authentication_flow = data.authentik_flow.default-authentication-flow.id
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
invalidation_flow = data.authentik_flow.default-provider-invalidation-flow.id
#access_token_validity = "hours=24"
}
resource "authentik_application" "longhorn" {
name = "Longhorn"
slug = "longhorn"
protocol_provider = authentik_provider_proxy.longhorn.id
}

8
authentik/nextcloud.tf
View file

@ -42,9 +42,13 @@ resource "authentik_provider_oauth2" "nextcloud" {
sub_mode = "user_uuid"
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
invalidation_flow = data.authentik_flow.default-invalidation-flow.id
redirect_uris = [
"https://cloud.lab.cowley.tech/apps/user_oidc/code",
allowed_redirect_uris = [
{
matching_mode = "strict"
url = "https://cloud.lab.cowley.tech/apps/user_oidc/code",
}
]
property_mappings = [

67
authentik/outposts.tf Normal file
View file

@ -0,0 +1,67 @@
resource "authentik_outpost" "embedded_outpost" {
name = "authentik Embedded Outpost"
protocol_providers = [
authentik_provider_proxy.spotizerr.id,
authentik_provider_proxy.esphome.id,
#authentik_provider_proxy.tubearchivist.id,
]
service_connection = authentik_service_connection_kubernetes.local.id
# config = jsonencode({
# authentik_host = "https://auth.lab.cowley.tech"
# authentik_host_browser = ""
# authentik_host_insecure = false
# docker_map_ports = true
# kubernetes_disabled_components = []
# kubernetes_image_pull_secrets = []
# kubernetes_ingress_class_name = "nginx"
# kubernetes_ingress_annotations = {
# "cert-manager.io/cluster-issuer" = "letsencrypt"
# }
# kubernetes_ingress_secret_name = "authentik-outpost-tls"
# kubernetes_json_patches = null
# kubernetes_namespace = "authentik"
# kubernetes_replicas = 1
# kubernetes_service_type = "ClusterIP"
# log_level = "info"
# object_naming_template = "ak-outpost-%(name)s"
# refresh_interval = "minutes=5"
# })
}
resource "authentik_outpost" "internal" {
name = "Internal Outpost"
protocol_providers = [
authentik_provider_proxy.longhorn.id,
]
service_connection = authentik_service_connection_kubernetes.local.id
config = jsonencode({
authentik_host = "https://auth.lab.cowley.tech"
docker_map_ports = true
kubernetes_ingress_class_name = "traefik"
kubernetes_ingress_annotations = {
"cert-manager.io/cluster-issuer" = "letsencrypt"
}
kubernetes_ingress_secret_name = "authentk_internal_outpost_tls"
kubernetes_json_patches = null
kubernetes_namespace = "authentik"
kubernetes_replicas = 1
kubernetes_service_type = "ClusterIP"
log_level = "info"
object_naming_template = "ak-outpost-%(name)s"
refresh_interval = "minutes=5"
})
}
resource "authentik_service_connection_kubernetes" "local" {
name = "Local Kubernetes Cluster"
local = true
}
#resource "authentik_service_connection_kubernetes" "k3s" {
# name = "Homelab K3s Cluster"
# local = true
#}

72
authentik/paperless.tf Normal file
View file

@ -0,0 +1,72 @@
resource "random_id" "paperless_client_id" {
byte_length = 16
}
resource "authentik_provider_oauth2" "paperless" {
name = "Paperless"
# Required. You can use the output of:
# $ openssl rand -hex 16
client_id = random_id.paperless_client_id.id
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
invalidation_flow = data.authentik_flow.default-invalidation-flow.id
allowed_redirect_uris = [
{
matching_mode = "strict",
url = "https://paperless.lab.cowley.tech/accounts/oidc/authentik/login/callback/"
}
]
property_mappings = [
data.authentik_property_mapping_provider_scope.scope-email.id,
data.authentik_property_mapping_provider_scope.scope-profile.id,
data.authentik_property_mapping_provider_scope.scope-openid.id,
]
lifecycle {
ignore_changes = [
signing_key,
authentication_flow,
]
}
}
resource "authentik_application" "paperless" {
name = "Paperless"
slug = "paperless"
protocol_provider = authentik_provider_oauth2.paperless.id
}
#data "template_file" "paperless-config" {
# template = "${file("${path.module}/paperless.tpl")}"
# vars = {
# client_id = authentik_provider_oauth2.paperless.client_id
# }
#}
resource "kubernetes_namespace" "paperless" {
metadata {
name = "paperless-ngx"
}
lifecycle {
ignore_changes = [
metadata[0].labels
]
}
}
resource "kubernetes_secret" "paperless-env" {
metadata {
name = "paperless-env"
namespace = kubernetes_namespace.paperless.metadata[0].name
}
data = {
"PAPERLESS_APPS" = "allauth.socialaccount.providers.openid_connect"
"PAPERLESS_SOCIALACCOUNT_PROVIDERS" = templatefile(
"${path.module}/templates/paperless.tpl",
{
client_id = authentik_provider_oauth2.paperless.client_id,
client_secret = authentik_provider_oauth2.paperless.client_secret
}
)
}
}

2
authentik/provider.tf
View file

@ -10,7 +10,7 @@ terraform {
}
authentik = {
source = "goauthentik/authentik"
version = "2024.8.2"
version = "2024.12.0"
}
}
}

22
authentik/spotizerr.tf Normal file
View file

@ -0,0 +1,22 @@
resource "authentik_provider_proxy" "spotizerr" {
name = "Spotizerr"
internal_host = "http://spotizerr.jellyfin:7171"
external_host = "https://spotizerr.lab.cowley.tech"
internal_host_ssl_validation = false
authentication_flow = data.authentik_flow.default-authentication-flow.id
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
invalidation_flow = data.authentik_flow.default-provider-invalidation-flow.id
access_token_validity = "hours=24"
}
resource "authentik_application" "spotizerr" {
name = "Spotizerr"
slug = "spotizerr"
protocol_provider = authentik_provider_proxy.spotizerr.id
}

16
authentik/templates/paperless.tpl Normal file
View file

@ -0,0 +1,16 @@
{
"openid_connect": {
"APPS": [
{
"provider_id": "authentik",
"name": "Authentik",
"client_id": "${client_id}",
"secret": "${client_secret}",
"settings": {
"server_url": "https://auth.lab.cowley.tech/application/o/paperless/.well-known/openid-configuration"
}
}
],
"OAUTH_PKCE_ENABLED": "True"
}
}

22
authentik/tubearchivist.tf Normal file
View file

@ -0,0 +1,22 @@
#resource "authentik_provider_proxy" "tubearchivist" {
# name = "Tube Archivist"
# internal_host = "http://tubearchivist.jellyfin:7171"
# external_host = "https://tubearchivist.lab.cowley.tech"
#
# internal_host_ssl_validation = false
#
# authentication_flow = data.authentik_flow.default-authentication-flow.id
# authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
# invalidation_flow = data.authentik_flow.default-provider-invalidation-flow.id
#
# access_token_validity = "hours=24"
#}
#
#resource "authentik_application" "tubearchivist" {
# name = "Tube Archivist"
# slug = "tubearchivist"
#
# protocol_provider = authentik_provider_proxy.tubearchivist.id
#}
#
#

53
authentik/users.tf
View file

@ -1,15 +1,15 @@
resource "authentik_user" "chriscowley" {
username = "chriscowley"
name = "Chris Cowley"
email = "chriscowleysound@gmail.com"
groups = [
data.authentik_group.admins.id,
authentik_group.grafana_admins.id,
]
is_active = false
}
#resource "authentik_user" "chriscowley" {
# username = "chriscowley"
# name = "Chris Cowley"
#
# email = "chriscowleysound@gmail.com"
#
# groups = [
# data.authentik_group.admins.id,
# authentik_group.grafana_admins.id,
# ]
# is_active = false
#}
resource "authentik_user" "chris" {
username = "chris"
name = "Chris Cowley"
@ -19,18 +19,33 @@ resource "authentik_user" "chris" {
groups = [
data.authentik_group.admins.id,
authentik_group.grafana_admins.id,
authentik_group.nextcloud_admins.id,
#authentik_group.nextcloud_admins.id,
authentik_group.arr-users.id
]
# attributes = jsonencode(
# {
# nextcloud_user_id = "chris"
# }
# )
attributes = jsonencode(
{
nextcloud_user_id = "chris"
}
)
}
#
resource "authentik_user" "nadege" {
username = "nadege"
name = "Nadege Cowley"
email = "nadege@cowley.tech"
attributes = jsonencode(
{
nextcloud_user_id = "nadege"
}
)
}
resource "authentik_user" "nicolas" {
username = "nicolas"
name = "Nicolas Cowley"
email = "colas@cowley.tech"
attributes = jsonencode(
{
nextcloud_user_id = "nicolas"
}
)
}

49
authentik/wiki.tf
View file

@ -1,49 +0,0 @@
resource "random_id" "wikijs_client_id" {
byte_length = 16
}
resource "authentik_provider_oauth2" "wikijs" {
name = "Wiki.js"
# Required. You can use the output of:
# $ openssl rand -hex 16
client_id = random_id.wikijs_client_id.id
authentication_flow = data.authentik_flow.default-authentication-flow.id
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
client_type = "public"
redirect_uris = [
"https://wiki.lab.cowley.tech/",
".*"
]
property_mappings = [
data.authentik_property_mapping_provider_scope.scope-email.id,
data.authentik_property_mapping_provider_scope.scope-profile.id,
data.authentik_property_mapping_provider_scope.scope-openid.id,
]
lifecycle {
ignore_changes = [
signing_key,
authentication_flow,
]
}
}
resource "kubernetes_secret" "wikijs-oauth" {
metadata {
name = "wikijs-oauth"
namespace = "wikijs"
}
data = {
"key" = authentik_provider_oauth2.wikijs.client_id
"secret" = authentik_provider_oauth2.wikijs.client_secret
}
}
resource "authentik_application" "wikijs" {
name = "Wiki.js"
slug = "wikijs"
protocol_provider = authentik_provider_oauth2.wikijs.id
meta_launch_url = "https://wiki.lab.cowley.tech/login/144cdcbe-d199-4f2c-93ae-cde7f662ce04"
open_in_new_tab = true
}

47
grafana/.terraform.lock.hcl generated Normal file
View file

@ -0,0 +1,47 @@
# This file is maintained automatically by "tofu init".
# Manual edits may be lost in future updates.
provider "registry.opentofu.org/grafana/grafana" {
version = "3.17.1"
constraints = ">= 2.9.0"
hashes = [
"h1:M7ZHlbSfeAcW0x1mwUzfMrqJC5mIwbRwSS/EqCUVLIs=",
"zh:02832f4643d1f71191728d8b297f1fea005788965a1fbb74b46c295a8cb31616",
"zh:09d92b41c39ceb77aa1603253aa9588adf3c6acb29061bd4145c87e294f6d91e",
"zh:0b0633283278afab2889a72d7ae3d8b484365fc003b47eb35b8fbfaee4596c7b",
"zh:0bc44742cf5dc7659ab41194533a28d9eacb062eb2fe9ccd26e099e790bbe0d0",
"zh:1ccf6cb03c73e6ed92bfa59c37f57f7979e341c7ecd584d91477ff169f9b63e4",
"zh:1e98709b2db6d325ec9ad31c70f9b28e9a2f69009952aa56b838936d776f0220",
"zh:22859fc084108a25b2c9c2f6889b1ee1bb7451971db85e67f18d033aa4c610b3",
"zh:2eeb9909e750a983dfb2e5cce681f089f3daf556130f17fec444e7e2aff2309b",
"zh:3c67aa9ec3cde4ede2e28556bacd54285f50c26d3839476ea812f1fef45264b4",
"zh:7bd15a34be44d6af85d78cd742ea641c8db54706f1a2fc717d10e041ddfef6bf",
"zh:7dfbcce303bbb093e4d02e3ba935b283e296642978b1c7076b5a0be4fe85e9b8",
"zh:82d66a9631977ac61d99af4b9912100af8a05186c3f24ff4d3ee912012c76179",
"zh:83b79ff610cabf02f4f9ecdf18b6baad51d9ec1de16cc51870fdf1936537ab53",
"zh:9cb9bf37a93ccd18ab22eb16d27821ab3f1c0b89234e4e52f2a2c5011c6c17aa",
"zh:a42e4fb343bcbb59cb44466c7749546d1faf5d322e287ac75415cf2825326cef",
"zh:b2cd96cf156f37213f3f9bb695c329f2094979782d841e706a2cac782adb605a",
"zh:b98826b667a8ba7fb5bf8403184de62e75bc77d5e4a072c33e79fe30d512107f",
"zh:b9aca74cd9013cb664ffe9a0af4525cba11640f192d10a5f7a6d84f3aac1d7ea",
"zh:d9ce3f99772b5960563a4118b77dace774f178cca1ff3b97770c84b08f3d059a",
"zh:f1786045a34de8ad2e864eaccaecd00e81052de923351c63891dcd245cfc4415",
]
}
provider "registry.opentofu.org/hashicorp/kubernetes" {
version = "2.35.1"
hashes = [
"h1:HvgGiweJx159xJsHIgkMQl1eVTcISwGvd8ADXFU46Rk=",
"zh:0a569918d9e81755bdacb2380e70ed304c442e957a029984cbcd9ec88e5d3635",
"zh:1d4d1241cf51d7d4a036c774add1384bb1ba9ca16146334d17c730e1b41ad3e0",
"zh:243219f415f5d8caf32a4e6b6bf596c11cf7db5501ccb4ae77cc0b084bb5d108",
"zh:2f3a33cba73918adc6f580c76b252881f22beb75277df8ca26a01eb5411348f9",
"zh:3b5247f69e72d1e94ac965fa570f448436cedb278f3f29836f6a345aa1bbd5b6",
"zh:4206bca7bf30708e235535af50529565b14f30262dc43142153a1774ee5086af",
"zh:490c80454b8808bb937498aea98e4076a74887446b05feb6e200015613b5e065",
"zh:5e39824289f7b29711681bce98fbb6c27ed221b071a8c78fd0de7f6c2dae4371",
"zh:a7bf7892217bdb0464664f62485d89d014874b0dfb564e99c364fc6dd20c6a3b",
"zh:e8251170bad1c3e2d9c22d0f4dae7239f1a364f05732f7dff5c8e4ec76a95c5a",
]
}

8
grafana/Makefile Normal file
View file

@ -0,0 +1,8 @@
init:
@tofu init
plan:
@tofu plan -out tfplan
apply:plan
@tofu apply tfplan

20
grafana/dashboards.tf Normal file
View file

@ -0,0 +1,20 @@
resource "grafana_folder" "HomeAssistant" {
title = "Home Assistant"
}
resource "grafana_dashboard" "HomeEnergy" {
for_each = fileset("${path.module}/dashboards/HASS", "*.json")
config_json = file("${path.module}/dashboards/HASS/${each.key}")
folder = grafana_folder.HomeAssistant.id
}
resource "grafana_folder" "Kubernetes" {
title = "Kubernetes"
}
resource "grafana_dashboard" "Kubernetes" {
for_each = fileset("${path.module}/dashboards/kubernetes", "*.json")
config_json = file("${path.module}/dashboards/kubernetes/${each.key}")
folder = grafana_folder.Kubernetes.id
}

409
grafana/dashboards/HASS/energy.json Normal file
View file

@ -0,0 +1,409 @@
{
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
"type": "grafana",
"uid": "-- Grafana --"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"type": "dashboard"
}
]
},
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": 28,
"links": [],
"panels": [
{
"datasource": {
"default": true,
"type": "prometheus",
"uid": "prometheus"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "thresholds"
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "light-blue",
"value": null
},
{
"color": "light-green",
"value": 18
},
{
"color": "#EAB839",
"value": 19.5
},
{
"color": "red",
"value": 20.5
}
]
},
"unit": "celsius"
},
"overrides": []
},
"gridPos": {
"h": 6,
"w": 6,
"x": 0,
"y": 0
},
"id": 3,
"options": {
"minVizHeight": 75,
"minVizWidth": 75,
"orientation": "auto",
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"showThresholdLabels": false,
"showThresholdMarkers": true,
"sizing": "auto"
},
"pluginVersion": "11.2.0",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "prometheus"
},
"editorMode": "code",
"expr": "homeassistant_sensor_temperature_celsius{entity=\"sensor.officesensor_temperature\"}",
"instant": false,
"legendFormat": "{{friendly_name}}",
"range": true,
"refId": "A"
}
],
"title": "Office",
"type": "gauge"
},
{
"datasource": {
"default": true,
"type": "prometheus",
"uid": "prometheus"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "thresholds"
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "light-blue",
"value": null
},
{
"color": "light-green",
"value": 18
},
{
"color": "#EAB839",
"value": 20
},
{
"color": "red",
"value": 22
}
]
},
"unit": "celsius"
},
"overrides": []
},
"gridPos": {
"h": 6,
"w": 6,
"x": 6,
"y": 0
},
"id": 5,
"options": {
"minVizHeight": 75,
"minVizWidth": 75,
"orientation": "auto",
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"showThresholdLabels": false,
"showThresholdMarkers": true,
"sizing": "auto"
},
"pluginVersion": "11.2.0",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "prometheus"
},
"editorMode": "code",
"expr": "homeassistant_sensor_temperature_celsius{entity=\"sensor.lounge_temperature\"}",
"instant": false,
"legendFormat": "{{friendly_name}}",
"range": true,
"refId": "A"
}
],
"title": "Lounge",
"type": "gauge"
},
{
"gridPos": {
"h": 1,
"w": 24,
"x": 0,
"y": 6
},
"id": 4,
"title": "Row title",
"type": "row"
},
{
"datasource": {
"default": true,
"type": "prometheus",
"uid": "prometheus"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "palette-classic"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 44,
"gradientMode": "opacity",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineInterpolation": "smooth",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {
"type": "linear"
},
"showPoints": "never",
"spanNulls": true,
"stacking": {
"group": "A",
"mode": "none"
},
"thresholdsStyle": {
"mode": "dashed"
}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "light-blue",
"value": null
},
{
"color": "light-green",
"value": 17
},
{
"color": "#EAB839",
"value": 19.5
},
{
"color": "red",
"value": 20.5
}
]
},
"unit": "celsius"
},
"overrides": []
},
"gridPos": {
"h": 8,
"w": 12,
"x": 0,
"y": 7
},
"id": 2,
"options": {
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"tooltip": {
"mode": "single",
"sort": "none"
}
},
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "prometheus"
},
"editorMode": "code",
"expr": "homeassistant_sensor_temperature_celsius{entity!~\".*garage.*\"}",
"instant": false,
"interval": "5m",
"legendFormat": "{{friendly_name}}",
"range": true,
"refId": "A"
}
],
"title": "Room Temperature",
"type": "timeseries"
},
{
"datasource": {
"default": true,
"type": "prometheus",
"uid": "prometheus"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "palette-classic"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"fillOpacity": 100,
"gradientMode": "opacity",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"lineWidth": 1,
"scaleDistribution": {
"type": "linear"
},
"thresholdsStyle": {
"mode": "off"
}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
},
{
"color": "red",
"value": 80
}
]
},
"unit": "watt"
},
"overrides": []
},
"gridPos": {
"h": 8,
"w": 12,
"x": 12,
"y": 7
},
"id": 1,
"options": {
"barRadius": 0,
"barWidth": 0.97,
"fullHighlight": false,
"groupWidth": 0.7,
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"orientation": "auto",
"showValue": "auto",
"stacking": "normal",
"tooltip": {
"mode": "single",
"sort": "none"
},
"xTickLabelRotation": 0,
"xTickLabelSpacing": 100
},
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "prometheus"
},
"editorMode": "code",
"expr": "homeassistant_sensor_power_w",
"instant": false,
"interval": "5m",
"legendFormat": "{{friendly_name}}",
"range": true,
"refId": "A"
}
],
"title": "Power Consumption",
"type": "barchart"
}
],
"schemaVersion": 39,
"refresh": "auto",
"tags": [],
"templating": {
"list": []
},
"time": {
"from": "now-6h",
"to": "now"
},
"timepicker": {},
"timezone": "browser",
"title": "Home Assistant - Energy",
"uid": "aeb8o97zkjhmoa",
"version": 2,
"weekStart": ""
}

2186
grafana/dashboards/kubernetes/compute-resources-namespace-pods.json Normal file
View file

File diff suppressed because it is too large Load diff

786
grafana/dashboards/kubernetes/compute-resources-node.json Normal file
View file

@ -0,0 +1,786 @@
{
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
"type": "grafana",
"uid": "-- Grafana --"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"type": "dashboard"
}
]
},
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": 32,
"links": [],
"panels": [
{
"datasource": {
"default": false,
"type": "datasource",
"uid": "-- Mixed --"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "palette-classic"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 10,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineInterpolation": "smooth",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {
"type": "linear"
},
"showPoints": "never",
"spanNulls": true,
"stacking": {
"group": "A",
"mode": "normal"
},
"thresholdsStyle": {
"mode": "off"
}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
},
{
"color": "red",
"value": 80
}
]
}
},
"overrides": [
{
"matcher": {
"id": "byName",
"options": "max capacity"
},
"properties": [
{
"id": "color",
"value": {
"fixedColor": "red",
"mode": "fixed"
}
},
{
"id": "custom.stacking",
"value": {
"mode": "none"
}
},
{
"id": "custom.hideFrom",
"value": {
"legend": false,
"tooltip": true,
"viz": false
}
},
{
"id": "custom.lineStyle",
"value": {
"dash": [
10,
10
],
"fill": "dash"
}
}
]
}
]
},
"gridPos": {
"h": 6,
"w": 24,
"x": 0,
"y": 0
},
"id": 1,
"interval": "1m",
"options": {
"legend": {
"asTable": true,
"calcs": [
"lastNotNull"
],
"displayMode": "table",
"placement": "right",
"showLegend": true
},
"tooltip": {
"mode": "single",
"sort": "none"
}
},
"pluginVersion": "v11.0.0",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${datasource}"
},
"editorMode": "code",
"expr": "sum(kube_node_status_capacity{node=~\"$node\", resource=\"cpu\"})",
"legendFormat": "max capacity",
"range": true,
"refId": "A"
},
{
"datasource": {
"type": "prometheus",
"uid": "${datasource}"
},
"disableTextWrap": false,
"editorMode": "builder",
"expr": "sum by(pod) (irate(container_cpu_usage_seconds_total{node=~\"$node\"}[$__interval]))",
"fullMetaSearch": false,
"includeNullMetadata": true,
"legendFormat": "{{pod}}",
"range": true,
"refId": "B",
"useBackend": false
}
],
"title": "CPU Usage",
"type": "timeseries"
},
{
"datasource": {
"type": "datasource",
"uid": "-- Mixed --"
},
"fieldConfig": {
"defaults": {
"custom": {
"align": "auto",
"cellOptions": {
"type": "auto"
},
"inspect": false
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
},
{
"color": "red",
"value": 80
}
]
}
},
"overrides": [
{
"matcher": {
"id": "byRegexp",
"options": "/%/"
},
"properties": [
{
"id": "unit",
"value": "percentunit"
}
]
},
{
"matcher": {
"id": "byName",
"options": "Pod"
},
"properties": [
{
"id": "links",
"value": [
{
"title": "Drill down to pods",
"url": "/d/6581e46e4e5c7ba40a07646395ef7b23/k8s-resources-pod?${datasource:queryparam}&var-cluster=$cluster&var-namespace=$namespace&var-pod=${__data.fields.Pod}"
}
]
}
]
}
]
},
"gridPos": {
"h": 6,
"w": 24,
"x": 0,
"y": 6
},
"id": 2,
"options": {
"cellHeight": "sm",
"footer": {
"countRows": false,
"fields": "",
"reducer": [
"sum"
],
"show": false
},
"showHeader": true
},
"pluginVersion": "11.2.0",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${datasource}"
},
"expr": "sum(node_namespace_pod_container:container_cpu_usage_seconds_total:sum_irate{cluster=\"$cluster\", node=~\"$node\"}) by (pod)",
"format": "table",
"instant": true,
"refId": "A"
},
{
"datasource": {
"type": "prometheus",
"uid": "${datasource}"
},
"expr": "sum(cluster:namespace:pod_cpu:active:kube_pod_container_resource_requests{cluster=\"$cluster\", node=~\"$node\"}) by (pod)",
"format": "table",
"instant": true,
"refId": "B"
},
{
"datasource": {
"type": "prometheus",
"uid": "${datasource}"
},
"expr": "sum(node_namespace_pod_container:container_cpu_usage_seconds_total:sum_irate{cluster=\"$cluster\", node=~\"$node\"}) by (pod) / sum(cluster:namespace:pod_cpu:active:kube_pod_container_resource_requests{cluster=\"$cluster\", node=~\"$node\"}) by (pod)",
"format": "table",
"instant": true,
"refId": "C"
},
{
"datasource": {
"type": "prometheus",
"uid": "${datasource}"
},
"expr": "sum(cluster:namespace:pod_cpu:active:kube_pod_container_resource_limits{cluster=\"$cluster\", node=~\"$node\"}) by (pod)",
"format": "table",
"instant": true,
"refId": "D"
},
{
"datasource": {
"type": "prometheus",
"uid": "${datasource}"
},
"expr": "sum(node_namespace_pod_container:container_cpu_usage_seconds_total:sum_irate{cluster=\"$cluster\", node=~\"$node\"}) by (pod) / sum(cluster:namespace:pod_cpu:active:kube_pod_container_resource_limits{cluster=\"$cluster\", node=~\"$node\"}) by (pod)",
"format": "table",
"instant": true,
"refId": "E"
}
],
"title": "CPU Quota",
"transformations": [
{
"id": "joinByField",
"options": {
"byField": "pod",
"mode": "outer"
}
},
{
"id": "organize",
"options": {
"excludeByName": {
"Time": true,
"Time 1": true,
"Time 2": true,
"Time 3": true,
"Time 4": true,
"Time 5": true
},
"renameByName": {
"Value #A": "CPU Usage",
"Value #B": "CPU Requests",
"Value #C": "CPU Requests %",
"Value #D": "CPU Limits",
"Value #E": "CPU Limits %",
"pod": "Pod"
}
}
}
],
"type": "table"
},
{
"datasource": {
"default": false,
"type": "datasource",
"uid": "-- Mixed --"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "palette-classic"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 10,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineInterpolation": "smooth",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {
"type": "linear"
},
"showPoints": "never",
"spanNulls": true,
"stacking": {
"group": "A",
"mode": "normal"
},
"thresholdsStyle": {
"mode": "off"
}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
},
{
"color": "red",
"value": 80
}
]
},
"unit": "bytes"
},
"overrides": [
{
"matcher": {
"id": "byName",
"options": "max capacity"
},
"properties": [
{
"id": "color",
"value": {
"fixedColor": "red",
"mode": "fixed"
}
},
{
"id": "custom.stacking",
"value": {
"mode": "none"
}
},
{
"id": "custom.hideFrom",
"value": {
"legend": false,
"tooltip": true,
"viz": false
}
},
{
"id": "custom.lineStyle",
"value": {
"dash": [
10,
10
],
"fill": "dash"
}
}
]
}
]
},
"gridPos": {
"h": 6,
"w": 24,
"x": 0,
"y": 12
},
"id": 3,
"interval": "1m",
"options": {
"legend": {
"asTable": true,
"calcs": [
"lastNotNull"
],
"displayMode": "table",
"placement": "right",
"showLegend": true
},
"tooltip": {
"mode": "single",
"sort": "none"
}
},
"pluginVersion": "v11.0.0",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${datasource}"
},
"expr": "sum(kube_node_status_capacity{cluster=\"$cluster\", node=~\"$node\", resource=\"memory\"})",
"legendFormat": "max capacity",
"refId": "A"
},
{
"datasource": {
"type": "prometheus",
"uid": "${datasource}"
},
"editorMode": "code",
"expr": "sum(container_memory_working_set_bytes{cluster=\"$cluster\", node=~\"$node\", container!=\"\"}) by (pod)",
"legendFormat": "{{pod}}",
"range": true,
"refId": "B"
}
],
"title": "Memory Usage (w/o cache)",
"type": "timeseries"
},
{
"datasource": {
"type": "datasource",
"uid": "-- Mixed --"
},
"fieldConfig": {
"defaults": {
"custom": {
"align": "auto",
"cellOptions": {
"type": "auto"
},
"inspect": false
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
},
{
"color": "red",
"value": 80
}
]
},
"unit": "bytes"
},
"overrides": [
{
"matcher": {
"id": "byRegexp",
"options": "/%/"
},
"properties": [
{
"id": "unit",
"value": "percentunit"
}
]
},
{
"matcher": {
"id": "byName",
"options": "Pod"
},
"properties": [
{
"id": "links",
"value": [
{
"title": "Drill down to pods",
"url": "/d/6581e46e4e5c7ba40a07646395ef7b23/k8s-resources-pod?${datasource:queryparam}&var-cluster=$cluster&var-namespace=$namespace&var-pod=${__data.fields.Pod}"
}
]
}
]
}
]
},
"gridPos": {
"h": 6,
"w": 24,
"x": 0,
"y": 18
},
"id": 4,
"options": {
"cellHeight": "sm",
"footer": {
"countRows": false,
"fields": "",
"reducer": [
"sum"
],
"show": false
},
"showHeader": true
},
"pluginVersion": "11.2.0",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${datasource}"
},
"expr": "sum(node_namespace_pod_container:container_memory_working_set_bytes{cluster=\"$cluster\", node=~\"$node\",container!=\"\"}) by (pod)",
"format": "table",
"instant": true,
"refId": "A"
},
{
"datasource": {
"type": "prometheus",
"uid": "${datasource}"
},
"expr": "sum(cluster:namespace:pod_memory:active:kube_pod_container_resource_requests{cluster=\"$cluster\", node=~\"$node\"}) by (pod)",
"format": "table",
"instant": true,
"refId": "B"
},
{
"datasource": {
"type": "prometheus",
"uid": "${datasource}"
},
"expr": "sum(node_namespace_pod_container:container_memory_working_set_bytes{cluster=\"$cluster\", node=~\"$node\",container!=\"\"}) by (pod) / sum(cluster:namespace:pod_memory:active:kube_pod_container_resource_requests{cluster=\"$cluster\", node=~\"$node\"}) by (pod)",
"format": "table",
"instant": true,
"refId": "C"
},
{
"datasource": {
"type": "prometheus",
"uid": "${datasource}"
},
"expr": "sum(cluster:namespace:pod_memory:active:kube_pod_container_resource_limits{cluster=\"$cluster\", node=~\"$node\"}) by (pod)",
"format": "table",
"instant": true,
"refId": "D"
},
{
"datasource": {
"type": "prometheus",
"uid": "${datasource}"
},
"expr": "sum(node_namespace_pod_container:container_memory_working_set_bytes{cluster=\"$cluster\", node=~\"$node\",container!=\"\"}) by (pod) / sum(cluster:namespace:pod_memory:active:kube_pod_container_resource_limits{cluster=\"$cluster\", node=~\"$node\"}) by (pod)",
"format": "table",
"instant": true,
"refId": "E"
},
{
"datasource": {
"type": "prometheus",
"uid": "${datasource}"
},
"expr": "sum(node_namespace_pod_container:container_memory_rss{cluster=\"$cluster\", node=~\"$node\",container!=\"\"}) by (pod)",
"format": "table",
"instant": true,
"refId": "F"
},
{
"datasource": {
"type": "prometheus",
"uid": "${datasource}"
},
"expr": "sum(node_namespace_pod_container:container_memory_cache{cluster=\"$cluster\", node=~\"$node\",container!=\"\"}) by (pod)",
"format": "table",
"instant": true,
"refId": "G"
},
{
"datasource": {
"type": "prometheus",
"uid": "${datasource}"
},
"expr": "sum(node_namespace_pod_container:container_memory_swap{cluster=\"$cluster\", node=~\"$node\",container!=\"\"}) by (pod)",
"format": "table",
"instant": true,
"refId": "H"
}
],
"title": "Memory Quota",
"transformations": [
{
"id": "joinByField",
"options": {
"byField": "pod",
"mode": "outer"
}
},
{
"id": "organize",
"options": {
"excludeByName": {
"Time": true,
"Time 1": true,
"Time 2": true,
"Time 3": true,
"Time 4": true,
"Time 5": true,
"Time 6": true,
"Time 7": true,
"Time 8": true
},
"renameByName": {
"Value #A": "Memory Usage",
"Value #B": "Memory Requests",
"Value #C": "Memory Requests %",
"Value #D": "Memory Limits",
"Value #E": "Memory Limits %",
"Value #F": "Memory Usage (RSS)",
"Value #G": "Memory Usage (Cache)",
"Value #H": "Memory Usage (Swap)",
"pod": "Pod"
}
}
}
],
"type": "table"
}
],
"refresh": "10s",
"schemaVersion": 39,
"tags": [],
"templating": {
"list": [
{
"current": {
"selected": false,
"text": "default",
"value": "default"
},
"hide": 0,
"includeAll": false,
"label": "Data source",
"multi": false,
"name": "datasource",
"options": [],
"query": "prometheus",
"refresh": 1,
"regex": "",
"skipUrlSync": false,
"type": "datasource"
},
{
"allValue": ".*",
"current": {
"isNone": true,
"selected": false,
"text": "None",
"value": ""
},
"datasource": {
"type": "prometheus",
"uid": "${datasource}"
},
"definition": "",
"hide": 2,
"includeAll": false,
"label": "cluster",
"multi": false,
"name": "cluster",
"options": [],
"query": "label_values(up{job=\"kube-state-metrics\"}, cluster)",
"refresh": 2,
"regex": "",
"skipUrlSync": false,
"sort": 1,
"type": "query"
},
{
"current": {
"selected": true,
"text": "agent0",
"value": "agent0"
},
"datasource": {
"type": "prometheus",
"uid": "${datasource}"
},
"definition": "",
"hide": 0,
"includeAll": false,
"label": "node",
"multi": false,
"name": "node",
"options": [],
"query": "label_values(kube_node_info{cluster=\"$cluster\"}, node)",
"refresh": 2,
"regex": "",
"skipUrlSync": false,
"sort": 0,
"type": "query"
}
]
},
"time": {
"from": "now-1h",
"to": "now"
},
"timepicker": {},
"timezone": "utc",
"title": "Compute Resources / Node (Pods)",
"uid": "aebch0rjzoum8d",
"version": 3,
"weekStart": ""
}

18
grafana/providers.tf Normal file
View file

@ -0,0 +1,18 @@
terraform {
backend "kubernetes" {
secret_suffix = "grafana-state"
namespace = "monitoring"
}
required_providers {
grafana = {
source = "grafana/grafana"
version = ">= 2.9.0"
}
}
}
provider "grafana" {
url = "https://grafana.lab.cowley.tech"
auth = var.grafana_admin_token
}
provider "kubernetes" {}

4
grafana/variables.tf Normal file
View file

@ -0,0 +1,4 @@
variable "grafana_admin_token" {
type = string
}