many things

This commit is contained in:
Chris Cowley 2025-02-19 10:59:18 +00:00
parent 846fca77c1
commit d908078ee6
51 changed files with 4649 additions and 276 deletions

BIN
authentik/.nextcloud.tf.swp Normal file

Binary file not shown.
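Review bot: `authentik/.nextcloud.tf.swp` is a Vim swap file and should not be in the tree; a swap file is a snapshot of the buffer being edited, so it most likely carries the contents of `nextcloud.tf` at that moment, including anything that was typed but never meant to be committed. The page cannot show what it holds, so treat it as a possible exposure of whatever that buffer contained, and if a secret was in it rotate that secret rather than relying on a later deletion, since the blob stays in history. Remove it from the tree and add `*.swp` and `.*.swp` to `.gitignore` so editor artefacts are excluded from future commits.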


@ -2,25 +2,24 @@
# Manual edits may be lost in future updates.
provider "registry.opentofu.org/goauthentik/authentik" {
version = "2024.8.2"
constraints = "2024.8.2"
version = "2024.12.0"
constraints = "2024.12.0"
hashes = [
"h1:+RVux9TSmkUsxIinptup4oOdfzObeXLaOnc0oi0Vat4=",
"h1:a/zGxz5mU9L/j0s0QuhBFDNw057ZzsEhD8aaH4YTsjI=",
"zh:1a08cf73a35237bf84e8761eb026b4175bc34bab4c6a206110cb9a3d06c86391",
"zh:1f5807c2ab22e21a9f4c1d19bc64c52150ac003c6a90417315d8fafb6cbfd09d",
"zh:20237b247cbee340d03629f3bb4e156e8ccf65db246eeffb4cad3dabe34f26bb",
"zh:416ee251d684360e993ea3bdd7b9b3abb869f1d27d3bfe7c53731d444493bad3",
"zh:4d76186b29969509fb950ddce03b80eba9bc3409b6bbd20f8a9e7623d84b63c0",
"zh:588bbeb5768dc0e6d6b3e7bc67709ef7bc4a7f48eeb659801bc8511d646141ac",
"zh:5f95796b207c90e4dcf5d9f2945929351c5709754ce66839279e87279a04204f",
"zh:60263694ce7e107f3f78d5cc727d6143082e0eaa97b15727af83aaed8305d351",
"zh:6ecc4bd586e37987cfa057fc3a3f87bd461e3215d9efb5654fdd639a8d5318e9",
"zh:9e05d3d930a92f160cd788a699b3e11c80b59cb67b5f0b4a9970a1f7e9b08045",
"zh:c6ecaafa4176f12c8930fe2225c34a6d64eb9eb9774b50df17714d2ae338068d",
"zh:d781b9de7ce45a0b67b177705f755746b3afb11c4cac9171825bd9ace4017da6",
"zh:df6d9bc87b752c4e75f5246b32a98049a3253762389fd8476a9b4f96729f9cdd",
"zh:ef6c1ce79965e212929674063de6280abae5ee5c064049880ab81ca0e27b7434",
"h1:0o3y2j790uXjLbMyr/DvSs9b69oHLDekl5txp4lBZuE=",
"zh:00e0f693660c75f66660a40626dfe2f1d1f4798adeccbecd3464e06652ef20b4",
"zh:1469a77658b14bf40d90aaa3d26ce614427281d2fe5d762b8f788804b2ae5d25",
"zh:19123fd8017728023ed776a33df02d06f7572b0825644e516d0a576e69822ef1",
"zh:35f854ef52128e89eac3a2c1bded5ab60aee57fa860d8ca4ebe914babf9912a1",
"zh:36720fa9ae37a6c8a3498d1412c63d368a1f048ca163f3102d1bdc3dd20fffae",
"zh:57686add2a2b35f658989fd1b0be506592aaa6b10e3d414bb9b90c37e303e425",
"zh:5a32b7673fe1b3a104291559c85f5dd2ec952ca6598398a15e3694eb84cf4ccc",
"zh:6a662f416894338d5c9459406810845a61caf4498000b1ecbb3437d21eecce10",
"zh:7f293416f649b4dea0d4f07b7ca2f4c437a37c340824e49c926eb402349fc1f6",
"zh:c1742ee5f8929345e5412768da9319ce47dc23590a0aa3577ea53c1b059606bf",
"zh:dec7ab67a9efdfafa9693e5c0e3af30b7caa0c56c79634586f34f5770f8fc40f",
"zh:e020e938821c6973a87737f5b57cb525e3f3349eb2b6eb04f39c1501ba24e7ab",
"zh:f2937300a967e71c989a004cf8d8db0bb2ecd35a6ab75b0813f3048322882568",
"zh:f51e95a89995027fbf598ac83d2ee7d1a07ca141f4e60502f01ba74173f2b0a3",
]
}
@ -28,7 +27,6 @@ provider "registry.opentofu.org/hashicorp/kubernetes" {
version = "2.31.0"
constraints = "2.31.0"
hashes = [
"h1:MfkGdRph9sDol+ukIgIigdXuLLpC2JPUHH5oF2zEfTM=",
"h1:z2qlqn6WbrjbezwQo4vvlwAgVUGz59klzDU4rlYhYi8=",
"zh:0dd25babf78a88a61dd329b8c18538a295ea63630f1b69575e7898c89307da39",
"zh:3138753e4b2ce6e9ffa5d65d73e9236169ff077c10089c7dc71031a0a139ff6d",
@ -44,37 +42,35 @@ provider "registry.opentofu.org/hashicorp/kubernetes" {
}
provider "registry.opentofu.org/hashicorp/local" {
version = "2.5.1"
version = "2.5.2"
hashes = [
"h1:8bCbJcRyrXb0YmskSdP0XtTLINolscfZ6oWaXgtXLHI=",
"h1:GgW5qncKu4KnXLE1ZYv5iwmhSYtTNzsOvJAOQIyFR7E=",
"zh:031c2c2070672b7e78e0aa15560839278dc57fe7cf1e58a617ac13c67b31d5fb",
"zh:1ef64ea4f8382cd538a76f3d319f405d18130dc3280f1c16d6aaa52a188ecaa4",
"zh:422ce45691b2f384dbd4596fdc8209d95cb43d85a82aaa0173089d38976d6e96",
"zh:7415fbd8da72d9363ba55dd8115837714f9534f5a9a518ec42268c2da1b9ed2f",
"zh:92aa22d071339c8ef595f18a9f9245c287266c80689f5746b26e10eaed04d542",
"zh:9cd0d99f5d3be835d6336c19c4057af6274e193e677ecf6370e5b0de12b4aafe",
"zh:a8c1525b389be5809a97f02aa7126e491ba518f97f57ed3095a3992f2134bb8f",
"zh:b336fa75f72643154b07c09b3968e417a41293358a54fe03efc0db715c5451e6",
"zh:c66529133599a419123ad2e42874afbd9aba82bd1de2b15cc68d2a1e665d4c8e",
"zh:c7568f75ba6cb7c3660b69eaab8b0e4278533bd9a7a4c33ee6590cc7e69743ea",
"h1:6lS+5A/4WFAqY3/RHWFRBSiFVLPRjvLaUgxPQvjXLHU=",
"zh:25b95b76ceaa62b5c95f6de2fa6e6242edbf51e7fc6c057b7f7101aa4081f64f",
"zh:3c974fdf6b42ca6f93309cf50951f345bfc5726ec6013b8832bcd3be0eb3429e",
"zh:5de843bf6d903f5cca97ce1061e2e06b6441985c68d013eabd738a9e4b828278",
"zh:86beead37c7b4f149a54d2ae633c99ff92159c748acea93ff0f3603d6b4c9f4f",
"zh:8e52e81d3dc50c3f79305d257da7fde7af634fed65e6ab5b8e214166784a720e",
"zh:9882f444c087c69559873b2d72eec406a40ede21acb5ac334d6563bf3a2387df",
"zh:a4484193d110da4a06c7bffc44cc6b61d3b5e881cd51df2a83fdda1a36ea25d2",
"zh:a53342426d173e29d8ee3106cb68abecdf4be301a3f6589e4e8d42015befa7da",
"zh:d25ef2aef6a9004363fc6db80305d30673fc1f7dd0b980d41d863b12dacd382a",
"zh:fa2d522fb323e2121f65b79709fd596514b293d816a1d969af8f72d108888e4c",
]
}
provider "registry.opentofu.org/hashicorp/random" {
version = "3.6.2"
version = "3.6.3"
hashes = [
"h1:9/mOE51WYYFajLHkN/lnbEcMsvC3CBwHWNrrnkF4TXA=",
"h1:PXvoOj9gj+Or+9k0tQWCQJKxnsVO0GqnQwVahgwRrsU=",
"zh:1f27612f7099441526d8af59f5b4bdcc35f46915df5d243043d7337ea5a3e38a",
"zh:2a58e66502825db8b4b96116c04bd0323bca1cf1f5752bdd8f9c26feb84d3b1e",
"zh:4f0a4fa479e29de0c3c90146fd58799c097f7a55401cb00560dd4e9b1e6fad9d",
"zh:9c93c0fe6ef685513734527e0c8078636b2cc07591427502a7260f4744b1af1d",
"zh:a466ff5219beb77fb3b18a3d7e7fe30e7edd4d95c8e5c87f4f4e3fe3eeb8c2d7",
"zh:ab33e6176d0c757ddb31e40e01a941e6918ad10f7a786c8e8e4f35e5cff81c96",
"zh:b6eabf377a1c12cb3f9ddd97aacdd5b49c1646dc959074124f81d40fcd216d7e",
"zh:ccec5d03d0d1c0f354be299cdd6a417b2700f1a6781df36bcce77246b2f57e50",
"zh:d2a7945eeb691fdd2b1474da76ddc2d1655e2aedbb14b57f06d4f5123d47adf9",
"zh:ed62351f4ad9d1469c6798b77dee5f63b18b29c473620a0046ba3d4f111b621d",
"h1:Ry0Lr0zaoicslZlcUR4rAySPpl/a7QupfMfuAxhW3fw=",
"zh:1bfd2e54b4eee8c761a40b6d99d45880b3a71abc18a9a7a5319204da9c8363b2",
"zh:21a15ac74adb8ba499aab989a4248321b51946e5431219b56fc827e565776714",
"zh:221acfac3f7a5bcd6cb49f79a1fca99da7679bde01017334bad1f951a12d85ba",
"zh:3026fcdc0c1258e32ab519df878579160b1050b141d6f7883b39438244e08954",
"zh:50d07a7066ea46873b289548000229556908c3be746059969ab0d694e053ee4c",
"zh:54280cdac041f2c2986a585f62e102bc59ef412cad5f4ebf7387c2b3a357f6c0",
"zh:632adf40f1f63b0c5707182853c10ae23124c00869ffff05f310aef2ed26fcf3",
"zh:b8c2876cce9a38501d14880a47e59a5182ee98732ad7e576e9a9ce686a46d8f5",
"zh:f27e6995e1e9fe3914a2654791fc8d67cdce44f17bf06e614ead7dfd2b13d3ae",
"zh:f423f2b7e5c814799ad7580b5c8ae23359d8d342264902f821c357ff2b3c6d3d",
]
}


@ -1,50 +1,56 @@
#resource "random_id" "chat_client_id" {
# byte_length = 16
#}
#
#resource "authentik_provider_oauth2" "chat" {
# name = "Chat"
# # Required. You can use the output of:
# # $ openssl rand -hex 16
# client_id = random_id.chat_client_id.id
#
# # Optional: will be generated if not provided
# # client_secret = "my_client_secret"
#
# authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
#
# redirect_uris = [
# "https://chat.lab.cowley.tech/oauth/oidc/callback"
# ]
# property_mappings = [
# data.authentik_scope_mapping.scope-openid.id,
# data.authentik_scope_mapping.scope-email.id,
# data.authentik_scope_mapping.scope-profile.id,
# ]
# lifecycle {
# ignore_changes = [
# signing_key,
# authentication_flow,
# ]
# }
#}
#
#resource "authentik_application" "chat" {
# name = "Chat"
# slug = "chat"
# protocol_provider = authentik_provider_oauth2.chat.id
#}
#
#resource "kubernetes_secret" "chat" {
# metadata {
# name = "open-webui-authentik"
# namespace = "ollama"
# }
# data = {
# OAUTH_CLIENT_ID = authentik_provider_oauth2.chat.client_id
# OAUTH_CLIENT_SECRET = authentik_provider_oauth2.chat.client_secret
# OPENID_PROVIDER_URL = "https://auth.lab.cowley.tech/application/o/chat/.well-known/openid-configuration"
# OAUTH_PROVIDER_NAME = "Authentik"
# OAUTH_SCOPES = "openid email profile"
# }
#}
resource "random_id" "chat_client_id" {
byte_length = 16
}
resource "random_id" "chat_secret_key" {
byte_length = 16
}
resource "authentik_provider_oauth2" "chat" {
name = "Chat"
client_id = random_id.chat_client_id.id
authentication_flow = data.authentik_flow.default-authentication-flow.id
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
invalidation_flow = data.authentik_flow.default-invalidation-flow.id
allowed_redirect_uris = [
{
"matching_mode" = "strict"
"url" = "https://chat.lab.cowley.tech/oauth/oidc/callback"
}
]
property_mappings = [
data.authentik_property_mapping_provider_scope.scope-openid.id,
data.authentik_property_mapping_provider_scope.scope-email.id,
data.authentik_property_mapping_provider_scope.scope-profile.id,
]
lifecycle {
ignore_changes = [
signing_key,
authentication_flow,
]
}
}
resource "authentik_application" "chat" {
name = "Chat"
slug = "chat"
protocol_provider = authentik_provider_oauth2.chat.id
meta_launch_url = "https://chat.lab.cowley.tech"
}
resource "kubernetes_secret" "chat" {
metadata {
name = "open-webui-authentik"
namespace = "ollama"
}
data = {
OAUTH_CLIENT_ID = authentik_provider_oauth2.chat.client_id
OAUTH_CLIENT_SECRET = authentik_provider_oauth2.chat.client_secret
OPENID_PROVIDER_URL = "https://auth.lab.cowley.tech/application/o/chat/.well-known/openid-configuration"
WEBUI_SECRET_KEY = random_id.chat_secret_key.hex
}
}
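Review bot: `ignore_changes = [signing_key, authentication_flow]` in `authentik_provider_oauth2.chat` means the `authentication_flow = data.authentik_flow.default-authentication-flow.id` set above is applied only when the provider is first created; a later change to that flow made outside Terraform is never reconciled by an apply, so the authentication path for this client is not actually pinned by this file. If the intent is to manage it here, drop `authentication_flow,` from the list (the grafana and jellyfin hunks in this commit carry the same entry). Separately, `random_id.chat_secret_key.hex` and both OAuth credentials in `kubernetes_secret.chat` are also held in plaintext in the state, so the state backend, which this page does not show, needs at least the protection given to the Kubernetes Secret. The quoted-key form `"matching_mode" = "strict"` used here differs from the bare `matching_mode = "strict",` in the other files touched by this commit; pick one style.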


@ -1,40 +0,0 @@
resource "random_id" "dashy_client_id" {
byte_length = 16
}
resource "authentik_provider_oauth2" "dashy" {
name = "Dashy"
# Required. You can use the output of:
# $ openssl rand -hex 16
client_id = random_id.dashy_client_id.id
authentication_flow = data.authentik_flow.default-authentication-flow.id
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
client_type = "public"
redirect_uris = [
"https://dash.lab.cowley.tech/",
".*"
]
sub_mode = "user_email"
property_mappings = [
data.authentik_property_mapping_provider_scope.scope-email.id,
data.authentik_property_mapping_provider_scope.scope-profile.id,
data.authentik_property_mapping_provider_scope.scope-openid.id,
]
lifecycle {
ignore_changes = [
signing_key,
authentication_flow,
]
}
}
resource "authentik_application" "dashy" {
name = "Dashy"
slug = "dashy"
protocol_provider = authentik_provider_oauth2.dashy.id
open_in_new_tab = true
}


@ -5,6 +5,12 @@ data "authentik_flow" "default-provider-authorization-implicit-consent" {
data "authentik_flow" "default-authentication-flow" {
slug = "default-authentication-flow"
}
data "authentik_flow" "default-invalidation-flow" {
slug = "default-invalidation-flow"
}
data "authentik_flow" "default-provider-invalidation-flow" {
slug = "default-provider-invalidation-flow"
}
data "authentik_property_mapping_provider_scope" "scope-email" {
name = "authentik default OAuth Mapping: OpenID 'email'"
}


@ -1 +0,0 @@
Zo7QLQh2eAe2XCUv6yOKZ0GRcW3k9zCFEqLUmHe0Mq3SyMED27YMGM1gKKe4xi2iqY4m4RPQ9eWI4NUygmWLISuaUnpa6GNZACrnnC4wcde1fEqzG4GwXawZ2HOQE51V


@ -1,53 +0,0 @@
resource "random_id" "forgejo_client_id" {
byte_length = 16
}
resource "authentik_provider_oauth2" "forgejo" {
name = "Forgejo"
# Required. You can use the output of:
# $ openssl rand -hex 16
client_id = random_id.forgejo_client_id.id
# Optional: will be generated if not provided
# client_secret = "my_client_secret"
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
redirect_uris = [
"https://code.lab.cowley.tech/user/oauth2/authentik/callback"
]
property_mappings = [
data.authentik_property_mapping_provider_scope.scope-email.id,
data.authentik_property_mapping_provider_scope.scope-profile.id,
data.authentik_property_mapping_provider_scope.scope-openid.id,
]
lifecycle {
ignore_changes = [
signing_key,
authentication_flow,
]
}
}
resource "authentik_application" "forgejo" {
name = "ForgeJo"
slug = "forgejo"
protocol_provider = authentik_provider_oauth2.forgejo.id
}
resource "authentik_group" "forgejo-admins" {
name = "gitadmin"
}
resource "authentik_group" "forgejo-users" {
name = "gituser"
}
resource "kubernetes_secret" "forgejo-oauth" {
metadata {
name = "forgejo-oauth"
namespace = "forgejo"
}
data = {
"key" = authentik_provider_oauth2.forgejo.client_id
"secret" = authentik_provider_oauth2.forgejo.client_secret
}
}


@ -1,29 +1,22 @@
resource "random_id" "client_id" {
resource "random_id" "grafana_client_id" {
byte_length = 16
}
resource "authentik_provider_oauth2" "grafana" {
name = "Grafana"
# Required. You can use the output of:
# $ openssl rand -hex 16
client_id = random_id.client_id.id
# Optional: will be generated if not provided
# client_secret = "my_client_secret"
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
redirect_uris = [
"https://grafana.lab.cowley.tech/login/generic_oauth"
name = "Grafana"
client_id = random_id.grafana_client_id.id
allowed_redirect_uris = [
{
matching_mode = "strict",
url = "https://grafana.lab.cowley.tech/login/generic_oauth"
}
]
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
invalidation_flow = data.authentik_flow.default-invalidation-flow.id
property_mappings = [
data.authentik_property_mapping_provider_scope.scope-email.id,
data.authentik_property_mapping_provider_scope.scope-profile.id,
data.authentik_property_mapping_provider_scope.scope-openid.id,
]
lifecycle {
ignore_changes = [
signing_key,
@ -31,13 +24,11 @@ resource "authentik_provider_oauth2" "grafana" {
]
}
}
resource "authentik_application" "grafana" {
name = "Grafana"
slug = "grafana"
protocol_provider = authentik_provider_oauth2.grafana.id
}
resource "authentik_group" "grafana_admins" {
name = "Grafana Admins"
}

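--- /dev/null
+++ b/authentik/hass.tf
@@ -0,0 +1,45 @@
+#
+#resource "authentik_provider_proxy" "hass" {
+# name = "Home Assistant"
+# internal_host = "http://homeassistant.homeassistant:8123"
+# external_host = "https://hass.lab.cowley.tech"
+#
+# internal_host_ssl_validation = false
+#
+# authentication_flow = data.authentik_flow.default-authentication-flow.id
+# authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
+# invalidation_flow = data.authentik_flow.default-provider-invalidation-flow.id
+#
+# access_token_validity = "hours=24"
+#}
+#
+#resource "authentik_application" "hass" {
+# name = "Home Assistant"
+# slug = "homeassistant"
+#
+# protocol_provider = authentik_provider_proxy.hass.id
+#}
+resource "authentik_provider_proxy" "esphome" {
+name = "ESP Home"
+internal_host = "http://esphome.homeassistant:6052"
+external_host = "https://esphome.lab.cowley.tech"
+internal_host_ssl_validation = false
+authentication_flow = data.authentik_flow.default-authentication-flow.id
+authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
+invalidation_flow = data.authentik_flow.default-provider-invalidation-flow.id
+access_token_validity = "hours=24"
+}
+resource "authentik_application" "esphome" {
+name = "ESP Home"
+slug = "esphome"
+protocol_provider = authentik_provider_proxy.esphome.id
+}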
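Review bot: `internal_host_ssl_validation = false` on `authentik_provider_proxy.esphome` has no effect because `internal_host` is plain `http://esphome.homeassistant:6052`, yet it reads as if TLS verification were deliberately switched off; the same pair appears in the new longhorn.tf and spotizerr.tf in this commit. Either remove the line or keep it with a comment stating the reason, e.g. `# internal_host is plain HTTP inside the cluster; nothing to validate`. The commented-out `hass` provider and application at the top of the file are dead configuration; if Home Assistant is meant to be proxied later, a one-line comment saying so and why it is off now is more useful than 20 commented lines, otherwise delete them.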


@ -18,42 +18,55 @@ resource "random_id" "immich_client_id" {
byte_length = 16
}
resource "authentik_provider_oauth2" "immich" {
data "authentik_provider_oauth2_config" "immich" {
name = "Immich"
# Required. You can use the output of:
# $ openssl rand -hex 16
client_id = random_id.immich_client_id.id
# Optional: will be generated if not provided
# client_secret = "my_client_secret"
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
redirect_uris = [
"app.immich:///oauth-callback",
"https://photos.lab.cowley.tech/auth/login",
"https://photos.lab.cowley.tech/user-settings",
]
property_mappings = [
data.authentik_property_mapping_provider_scope.scope-email.id,
data.authentik_property_mapping_provider_scope.scope-profile.id,
data.authentik_property_mapping_provider_scope.scope-openid.id,
]
lifecycle {
ignore_changes = [
signing_key,
authentication_flow,
]
}
}
#resource "authentik_provider_oauth2" "immich" {
# name = "Immich"
# # Required. You can use the output of:
# # $ openssl rand -hex 16
# client_id = random_id.immich_client_id.id
#
# # Optional: will be generated if not provided
# # client_secret = "my_client_secret"
#
# authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
# invalidation_flow = data.authentik_flow.default-invalidation-flow.id
#
# allowed_redirect_uris = [
# {
# matched_mode = "strict"
# url = "app.immich:///oauth-callback",
# },
# {
# matched_mode = "strict"
# url = "https://photos.lab.cowley.tech/auth/login",
# },
# {
# matched_mode = "strict"
# url = "https://photos.lab.cowley.tech/user-settings",
# }
# ]
# #property_mappings = [
# # data.authentik_property_mapping_provider_scope.scope-email.id,
# # data.authentik_property_mapping_provider_scope.scope-profile.id,
# # data.authentik_property_mapping_provider_scope.scope-openid.id,
# #]
# #lifecycle {
# # ignore_changes = [
# # signing_key,
# # authentication_flow,
# # ]
# #}
#}
resource "authentik_application" "immich" {
name = "Immich"
slug = "immich"
protocol_provider = authentik_provider_oauth2.immich.id
}
#resource "authentik_application" "immich" {
# name = "Immich"
# slug = "immich"
# protocol_provider = authentik_provider_oauth2.immich.id
#}
resource "local_file" "foo" {
content = authentik_provider_oauth2.immich.client_secret
filename = "${path.module}/foo.bar"
}
#resource "local_file" "foo" {
# content = authentik_provider_oauth2.immich.client_secret
# filename = "${path.module}/foo.bar"
#}
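Review bot: `resource "local_file" "foo"` wrote `authentik_provider_oauth2.immich.client_secret` to `${path.module}/foo.bar`, i.e. into the repository tree, and the one-line file deleted elsewhere in this commit (a 128-character string) looks like that secret. Commenting the resource out and deleting the file removes neither from git history, so the Immich client secret should be treated as exposed and rotated, `foo.bar` added to `.gitignore`, and a `kubernetes_secret` (as the other files here do) used if the value must be exported. The new `data "authentik_provider_oauth2_config" "immich"` reads whatever provider exists on the server, and with `authentik_application.immich` also commented out the Immich client is no longer under configuration control; note too that the commented block spells `matched_mode` where the argument used in the other files is `matching_mode`, so it would not apply as written. `random_id.immich_client_id` above the hunk appears to have no remaining reference on the new side.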


@ -3,14 +3,20 @@ resource "random_id" "jellyfin_client_id" {
}
resource "authentik_provider_oauth2" "jellyfin" {
name = "Jellyfin"
name = "Jellyfin"
client_id = random_id.jellyfin_client_id.id
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
redirect_uris = [
"https://jellyfin.lab.cowley.tech/sso/OID/start/authentik",
".*",
invalidation_flow = data.authentik_flow.default-invalidation-flow.id
allowed_redirect_uris = [
{
matching_mode = "strict",
url = "https://jellyfin.lab.cowley.tech/sso/OID/start/authentik"
},
{
matching_mode = "strict",
url = "http://jellyfin:8096/sso/OID/start/authentik"
},
]
property_mappings = [
@ -20,6 +26,7 @@ resource "authentik_provider_oauth2" "jellyfin" {
]
lifecycle {
ignore_changes = [
allowed_redirect_uris,
signing_key,
authentication_flow,
]
@ -30,11 +37,11 @@ resource "authentik_application" "jellyfin" {
name = "Jellyfin"
slug = "jellyfin"
protocol_provider = authentik_provider_oauth2.jellyfin.id
meta_launch_url = "https://jellyfin.lab.cowley.tech/sso/OID/start/authentik"
meta_launch_url = "https://jellyfin.lab.cowley.tech/sso/OID/start/authentik"
}
resource "kubernetes_secret" "jellyfin_oidc" {
metadata {
name = "jellyfin-oidc"
name = "jellyfin-oidc"
namespace = "jellyfin"
}
data = {
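Review bot: adding `allowed_redirect_uris,` to `ignore_changes` (second hunk) means the strict list defined in the first hunk is applied only at creation; a redirect URI added or loosened later in the authentik UI (the old config carried a `".*"` entry that this commit removes) would never be reverted by an apply, and redirect-URI matching is the control that keeps authorization codes from being delivered to an unintended URL. If the ignore exists because the provider reorders the list and produces a perpetual diff, say so in a comment, e.g. `# allowed_redirect_uris ignored: provider reorders the list; re-check after upgrade`, otherwise drop it. The new `http://jellyfin:8096/sso/OID/start/authentik` entry is a cleartext, in-cluster-only callback, so the authorization code would travel unencrypted on that hop; confirm it is needed and document why. The enclosing `authentik_provider_oauth2.jellyfin` body continues outside the hunk boundaries.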


@ -1,20 +0,0 @@
#resource "authentik_provider_proxy" "lidarr" {
# name = "lidarr"
# internal_host = "http://lidarr.jellyfin:8686"
# external_host = "https://lidarr.lab.cowley.tech"
# authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
#}
#
#resource "authentik_outpost" "lidarr" {
# name = "lidarr-outpost"
# protocol_providers = [
# authentik_provider_proxy.lidarr.id
# ]
#}
#
#resource "authentik_application" "lidarr" {
# name = "Lidarr"
# slug = "lidarr"
#
# protocol_provider = authentik_provider_proxy.lidarr.id
#}

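--- /dev/null
+++ b/authentik/longhorn.tf
@@ -0,0 +1,22 @@
+resource "authentik_provider_proxy" "longhorn" {
+name = "Longhorn"
+internal_host = "http://longhorn-frontend.longhorn-system:80"
+external_host = "https://storage.lab.cowley.tech"
+internal_host_ssl_validation = false
+authentication_flow = data.authentik_flow.default-authentication-flow.id
+authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
+invalidation_flow = data.authentik_flow.default-provider-invalidation-flow.id
+#access_token_validity = "hours=24"
+}
+resource "authentik_application" "longhorn" {
+name = "Longhorn"
+slug = "longhorn"
+protocol_provider = authentik_provider_proxy.longhorn.id
+}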
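Review bot: `#access_token_validity = "hours=24"` is commented out here while the esphome and spotizerr proxies in this commit set it, so this provider falls back to a default that is not stated anywhere in the file; either set it or add `# access_token_validity left at provider default` so the difference reads as intentional. Since `authentik_outpost.internal` in outposts.tf fronts `longhorn-frontend.longhorn-system:80` through its own ingress, it is worth confirming that the service is not also reachable through another Ingress that bypasses the outpost; the page does not show the Longhorn ingress, so this is only a check to make.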


@ -42,9 +42,13 @@ resource "authentik_provider_oauth2" "nextcloud" {
sub_mode = "user_uuid"
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
invalidation_flow = data.authentik_flow.default-invalidation-flow.id
redirect_uris = [
"https://cloud.lab.cowley.tech/apps/user_oidc/code",
allowed_redirect_uris = [
{
matching_mode = "strict"
url = "https://cloud.lab.cowley.tech/apps/user_oidc/code",
}
]
property_mappings = [

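--- /dev/null
+++ b/authentik/outposts.tf
@@ -0,0 +1,67 @@
+resource "authentik_outpost" "embedded_outpost" {
+name = "authentik Embedded Outpost"
+protocol_providers = [
+authentik_provider_proxy.spotizerr.id,
+authentik_provider_proxy.esphome.id,
+#authentik_provider_proxy.tubearchivist.id,
+]
+service_connection = authentik_service_connection_kubernetes.local.id
+# config = jsonencode({
+# authentik_host = "https://auth.lab.cowley.tech"
+# authentik_host_browser = ""
+# authentik_host_insecure = false
+# docker_map_ports = true
+# kubernetes_disabled_components = []
+# kubernetes_image_pull_secrets = []
+# kubernetes_ingress_class_name = "nginx"
+# kubernetes_ingress_annotations = {
+# "cert-manager.io/cluster-issuer" = "letsencrypt"
+# }
+# kubernetes_ingress_secret_name = "authentik-outpost-tls"
+# kubernetes_json_patches = null
+# kubernetes_namespace = "authentik"
+# kubernetes_replicas = 1
+# kubernetes_service_type = "ClusterIP"
+# log_level = "info"
+# object_naming_template = "ak-outpost-%(name)s"
+# refresh_interval = "minutes=5"
+# })
+}
+resource "authentik_outpost" "internal" {
+name = "Internal Outpost"
+protocol_providers = [
+authentik_provider_proxy.longhorn.id,
+]
+service_connection = authentik_service_connection_kubernetes.local.id
+config = jsonencode({
+authentik_host = "https://auth.lab.cowley.tech"
+docker_map_ports = true
+kubernetes_ingress_class_name = "traefik"
+kubernetes_ingress_annotations = {
+"cert-manager.io/cluster-issuer" = "letsencrypt"
+}
+kubernetes_ingress_secret_name = "authentk_internal_outpost_tls"
+kubernetes_json_patches = null
+kubernetes_namespace = "authentik"
+kubernetes_replicas = 1
+kubernetes_service_type = "ClusterIP"
+log_level = "info"
+object_naming_template = "ak-outpost-%(name)s"
+refresh_interval = "minutes=5"
+})
+}
+resource "authentik_service_connection_kubernetes" "local" {
+name = "Local Kubernetes Cluster"
+local = true
+}
+#resource "authentik_service_connection_kubernetes" "k3s" {
+# name = "Homelab K3s Cluster"
+# local = true
+#}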
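Review bot: `kubernetes_ingress_secret_name = "authentk_internal_outpost_tls"` in `authentik_outpost.internal` is not a valid Kubernetes object name (underscores are not allowed; names are lowercase alphanumerics, `-` and `.`) and also misspells authentik, so with the `cert-manager.io/cluster-issuer` annotation beside it cert-manager would be expected to fail to create that Secret and the Longhorn ingress would come up without a valid certificate. Use `kubernetes_ingress_secret_name = "authentik-internal-outpost-tls"`. `docker_map_ports = true` belongs to the Docker integration and does nothing on a Kubernetes service connection; dropping it avoids implying that ports are published. The 20-line commented `config` on `embedded_outpost` should be deleted or reduced to one comment stating that the embedded outpost keeps its server-side defaults.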


@ -9,9 +9,13 @@ resource "authentik_provider_oauth2" "paperless" {
client_id = random_id.paperless_client_id.id
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
invalidation_flow = data.authentik_flow.default-invalidation-flow.id
redirect_uris = [
"https://paperless.lab.cowley.tech/accounts/oidc/authentik/login/callback/"
allowed_redirect_uris = [
{
matching_mode = "strict",
url = "https://paperless.lab.cowley.tech/accounts/oidc/authentik/login/callback/"
}
]
property_mappings = [
@ -58,7 +62,7 @@ resource "kubernetes_secret" "paperless-env" {
data = {
"PAPERLESS_APPS" = "allauth.socialaccount.providers.openid_connect"
"PAPERLESS_SOCIALACCOUNT_PROVIDERS" = templatefile(
"${path.module}/paperless.tpl",
"${path.module}/templates/paperless.tpl",
{
client_id = authentik_provider_oauth2.paperless.client_id,
client_secret = authentik_provider_oauth2.paperless.client_secret


@ -10,7 +10,7 @@ terraform {
}
authentik = {
source = "goauthentik/authentik"
version = "2024.8.2"
version = "2024.12.0"
}
}
}

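--- /dev/null
+++ b/authentik/spotizerr.tf
@@ -0,0 +1,22 @@
+resource "authentik_provider_proxy" "spotizerr" {
+name = "Spotizerr"
+internal_host = "http://spotizerr.jellyfin:7171"
+external_host = "https://spotizerr.lab.cowley.tech"
+internal_host_ssl_validation = false
+authentication_flow = data.authentik_flow.default-authentication-flow.id
+authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
+invalidation_flow = data.authentik_flow.default-provider-invalidation-flow.id
+access_token_validity = "hours=24"
+}
+resource "authentik_application" "spotizerr" {
+name = "Spotizerr"
+slug = "spotizerr"
+protocol_provider = authentik_provider_proxy.spotizerr.id
+}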


@ -0,0 +1,22 @@
#resource "authentik_provider_proxy" "tubearchivist" {
# name = "Tube Archivist"
# internal_host = "http://tubearchivist.jellyfin:7171"
# external_host = "https://tubearchivist.lab.cowley.tech"
#
# internal_host_ssl_validation = false
#
# authentication_flow = data.authentik_flow.default-authentication-flow.id
# authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
# invalidation_flow = data.authentik_flow.default-provider-invalidation-flow.id
#
# access_token_validity = "hours=24"
#}
#
#resource "authentik_application" "tubearchivist" {
# name = "Tube Archivist"
# slug = "tubearchivist"
#
# protocol_provider = authentik_provider_proxy.tubearchivist.id
#}
#
#


@ -1,15 +1,15 @@
resource "authentik_user" "chriscowley" {
username = "chriscowley"
name = "Chris Cowley"
email = "chriscowleysound@gmail.com"
groups = [
data.authentik_group.admins.id,
authentik_group.grafana_admins.id,
]
is_active = false
}
#resource "authentik_user" "chriscowley" {
# username = "chriscowley"
# name = "Chris Cowley"
#
# email = "chriscowleysound@gmail.com"
#
# groups = [
# data.authentik_group.admins.id,
# authentik_group.grafana_admins.id,
# ]
# is_active = false
#}
resource "authentik_user" "chris" {
username = "chris"
name = "Chris Cowley"
@ -19,18 +19,33 @@ resource "authentik_user" "chris" {
groups = [
data.authentik_group.admins.id,
authentik_group.grafana_admins.id,
authentik_group.nextcloud_admins.id,
#authentik_group.nextcloud_admins.id,
authentik_group.arr-users.id
]
# attributes = jsonencode(
# {
# nextcloud_user_id = "chris"
# }
# )
attributes = jsonencode(
{
nextcloud_user_id = "chris"
}
)
}
#
resource "authentik_user" "nadege" {
username = "nadege"
name = "Nadege Cowley"
email = "nadege@cowley.tech"
attributes = jsonencode(
{
nextcloud_user_id = "nadege"
}
)
}
resource "authentik_user" "nicolas" {
username = "nicolas"
name = "Nicolas Cowley"
email = "colas@cowley.tech"
attributes = jsonencode(
{
nextcloud_user_id = "nicolas"
}
)
}
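Review bot: commenting out `resource "authentik_user" "chriscowley"` (first hunk) does not merely stop managing the account; the resource is still in state, so the next apply plans to destroy it. If the account should survive outside Terraform it needs `tofu state rm authentik_user.chriscowley` first, and if deletion is intended a plain removal of the block is clearer than twelve commented lines. In the second hunk `attributes = jsonencode({ nextcloud_user_id = "chris" })` is enabled while `#authentik_group.nextcloud_admins.id` is disabled in the same change, so `chris` keeps a Nextcloud mapping but loses the admin group; a one-line comment on why would help the next reader. The new `nadege` and `nicolas` users set no `groups`, which differs from `chris` and is worth a comment if intentional; the `authentik_user.chris` resource begins before the second hunk.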


@ -1,49 +0,0 @@
resource "random_id" "wikijs_client_id" {
byte_length = 16
}
resource "authentik_provider_oauth2" "wikijs" {
name = "Wiki.js"
# Required. You can use the output of:
# $ openssl rand -hex 16
client_id = random_id.wikijs_client_id.id
authentication_flow = data.authentik_flow.default-authentication-flow.id
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
client_type = "public"
redirect_uris = [
"https://wiki.lab.cowley.tech/",
".*"
]
property_mappings = [
data.authentik_property_mapping_provider_scope.scope-email.id,
data.authentik_property_mapping_provider_scope.scope-profile.id,
data.authentik_property_mapping_provider_scope.scope-openid.id,
]
lifecycle {
ignore_changes = [
signing_key,
authentication_flow,
]
}
}
resource "kubernetes_secret" "wikijs-oauth" {
metadata {
name = "wikijs-oauth"
namespace = "wikijs"
}
data = {
"key" = authentik_provider_oauth2.wikijs.client_id
"secret" = authentik_provider_oauth2.wikijs.client_secret
}
}
resource "authentik_application" "wikijs" {
name = "Wiki.js"
slug = "wikijs"
protocol_provider = authentik_provider_oauth2.wikijs.id
meta_launch_url = "https://wiki.lab.cowley.tech/login/144cdcbe-d199-4f2c-93ae-cde7f662ce04"
open_in_new_tab = true
}