59 lines
1.6 KiB
HCL
59 lines
1.6 KiB
HCL
#data "authentik_flow" "default-provider-authorization-implicit-consent" {
|
|
# slug = "default-provider-authorization-implicit-consent"
|
|
#}
|
|
#
|
|
#data "authentik_scope_mapping" "scope-email" {
|
|
# name = "authentik default OAuth Mapping: OpenID 'email'"
|
|
#}
|
|
#
|
|
#data "authentik_scope_mapping" "scope-profile" {
|
|
# name = "authentik default OAuth Mapping: OpenID 'profile'"
|
|
#}
|
|
#
|
|
#data "authentik_scope_mapping" "scope-openid" {
|
|
# name = "authentik default OAuth Mapping: OpenID 'openid'"
|
|
#}
|
|
#
|
|
resource "random_id" "immich_client_id" {
|
|
byte_length = 16
|
|
}
|
|
|
|
resource "authentik_provider_oauth2" "immich" {
|
|
name = "Immich"
|
|
# Required. You can use the output of:
|
|
# $ openssl rand -hex 16
|
|
client_id = random_id.immich_client_id.id
|
|
|
|
# Optional: will be generated if not provided
|
|
# client_secret = "my_client_secret"
|
|
|
|
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
|
|
|
|
redirect_uris = [
|
|
"app.immich:/",
|
|
"https://photos.lab.cowley.tech/auth/login",
|
|
"https://photos.lab.cowley.tech/user-settings",
|
|
]
|
|
property_mappings = [
|
|
data.authentik_scope_mapping.scope-email.id,
|
|
data.authentik_scope_mapping.scope-profile.id,
|
|
data.authentik_scope_mapping.scope-openid.id,
|
|
]
|
|
lifecycle {
|
|
ignore_changes = [
|
|
signing_key,
|
|
authentication_flow,
|
|
]
|
|
}
|
|
}
|
|
|
|
resource "authentik_application" "immich" {
|
|
name = "Immich"
|
|
slug = "immich"
|
|
protocol_provider = authentik_provider_oauth2.immich.id
|
|
}
|
|
|
|
resource "local_file" "foo" {
|
|
content = authentik_provider_oauth2.immich.client_secret
|
|
filename = "${path.module}/foo.bar"
|
|
}
|