Update TF readme
All checks were successful
Terraform / Terraform (push) Successful in 29s
Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 8s

Ultradesu
2026-03-12 18:20:40 +00:00
parent 334af39f31
commit 40db3879ea

@@ -1,55 +1,81 @@
# Authentik Terraform Module # Authentik Terraform Configuration
Terraform module for managing Authentik applications with OAuth2/OpenID and Proxy providers, including automatic Outpost assignment. Root Terraform configuration for managing Authentik SSO — applications (OAuth2/OIDC, Proxy, SAML), groups, outposts, flows, certificates, and property mappings.
State is stored in Terraform Cloud (organization `ultradesu`, workspace `Authentik`).
## Structure
```
.
├── main.tf # Resources: groups, outposts, policy bindings, module calls
├── variables.tf # Input variable definitions
├── outputs.tf # Outputs (app details, groups, flows, wiki data)
├── providers.tf # Authentik provider (goauthentik/authentik 2025.12.1)
├── state.tf # Terraform Cloud backend
├── terraform.tfvars # General settings: authentik_url, outposts, flows, tags
├── oauth2-apps.auto.tfvars # OAuth2/OIDC application definitions
├── proxy-apps.auto.tfvars # Proxy application definitions
├── groups.auto.tfvars # Group definitions
└── modules/
├── oauth-provider/ # OAuth2/OIDC provider + application
├── proxy-provider/ # Proxy provider + application
└── saml-provider/ # SAML provider + application
```
## Usage ## Usage
```bash
# Set the API token
export TF_VAR_authentik_token="..."
terraform init
terraform plan
terraform apply
```
All `*.auto.tfvars` files are loaded automatically — no `-var-file` flags needed.
## Adding applications
OAuth2/OIDC — add to `oauth2-apps.auto.tfvars`:
```hcl ```hcl
module "authentik" { oauth_applications = {
source = "./authentik" "my-app" = {
name = "My App"
authentik_url = "https://auth.example.com" slug = "my-app"
authentik_token = var.authentik_token group = "Tools"
redirect_uris = ["https://my-app.example.com/callback"]
oauth_applications = { create_group = true
"gitlab" = { access_groups = ["admins"]
name = "GitLab OAuth"
slug = "gitlab"
redirect_uris = ["https://gitlab.example.com/users/auth/openid_connect/callback"]
}
}
proxy_applications = {
"portainer" = {
name = "Portainer"
slug = "portainer"
external_host = "https://portainer.example.com"
internal_host = "http://portainer:9000"
outpost = "k8s-outpost"
}
}
outposts = {
"k8s-outpost" = {
name = "Kubernetes Outpost"
type = "proxy"
service_connection = "k8s-local"
}
} }
} }
``` ```
## Structure Proxy — add to `proxy-apps.auto.tfvars`:
- `main.tf` - Main configuration ```hcl
- `variables.tf` - Input variables proxy_applications = {
- `outputs.tf` - Output values "my-proxy" = {
- `modules/oauth-provider/` - OAuth2/OIDC provider module name = "My Proxy"
- `modules/proxy-provider/` - Proxy provider module slug = "my-proxy"
- `terraform.tfvars.example` - Configuration example group = "Tools"
external_host = "https://my-proxy.example.com"
internal_host = "http://my-service.namespace.svc:80"
outpost = "kubernetes-outpost"
create_group = true
access_groups = ["admins"]
}
}
```
## CI/CD
Managed via Gitea Actions (`.gitea/workflows/authentik-apps.yaml`). Runs `terraform apply` on push to `main` when files in `terraform/authentik/` change. Also generates a wiki page with the applications list.
## Requirements ## Requirements
- Terraform >= 1.0 - Terraform >= 1.0
- Authentik provider >= 2023.10.0 - goauthentik/authentik provider 2025.12.1
- Authentik API token with admin permissions - Authentik API token with admin permissions
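
Review bot: The Usage and CI/CD sections do not say how the admin token reaches the pipeline or where it must not be stored. The new text shows `export TF_VAR_authentik_token="..."` for local runs and says Gitea Actions runs `terraform apply` on push to `main`, while Requirements still asks for a token with admin permissions. Please add a sentence stating that CI takes the token from a repository secret and that it never goes into `terraform.tfvars` or any `*.auto.tfvars` file; the Structure tree now lists `terraform.tfvars` where the old README listed `terraform.tfvars.example`, so a reader can no longer tell from the README whether that file is safe to commit. Since apply is automatic on push, it would also help to say whether a `terraform plan` is reviewed before merge. Separately, the intro and tree mention SAML (`modules/saml-provider/`), but "Adding applications" covers only OAuth2/OIDC and Proxy and no SAML tfvars file appears in the tree; either add a SAML example or say where SAML applications are defined.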