Fixed authentik

2026-03-12 21:22:45 +00:00
parent 40db3879ea
commit 89e788cf1a
5 changed files with 403 additions and 1 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -13,6 +13,7 @@ crash.*.log
 *.tfvars
 *.tfvars.json
 !*terraform.tfvars
+!*.auto.tfvars

 # claude ai
 .claude/
--- a/terraform/authentik/.claude/settings.local.json
+++ b/terraform/authentik/.claude/settings.local.json
@@ -11,7 +11,11 @@
      "Bash(terraform plan:*)",
      "Bash(terraform state:*)",
      "Bash(TF_VAR_authentik_token=ZDTbu4OKl0UcmdYKG5XgkRThZO7vWX2xz0w5vP2d8sudIr44ccwKOby6iRUa terraform plan:*)",
-      "Bash(TF_VAR_authentik_token=ZDTbu4OKl0UcmdYKG5XgkRThZO7vWX2xz0w5vP2d8sudIr44ccwKOby6iRUa terraform force-unlock:*)"
+      "Bash(TF_VAR_authentik_token=ZDTbu4OKl0UcmdYKG5XgkRThZO7vWX2xz0w5vP2d8sudIr44ccwKOby6iRUa terraform force-unlock:*)",
+      "Bash(git:*)",
+      "Bash(TF_VAR_authentik_token=ZDTbu4OKl0UcmdYKG5XgkRThZO7vWX2xz0w5vP2d8sudIr44ccwKOby6iRUa terraform state:*)",
+      "Bash(terraform version:*)",
+      "Bash(curl:*)"
    ],
    "deny": [],
    "ask": []
--- a/terraform/authentik/groups.auto.tfvars
+++ b/terraform/authentik/groups.auto.tfvars
@@ -0,0 +1,10 @@
+groups = {
+  "admins" = {
+    name         = "Administrators"
+    is_superuser = true
+    attributes = {
+      notes = "Managed by Terraform"
+    }
+  }
+}
+
--- a/terraform/authentik/oauth2-apps.auto.tfvars
+++ b/terraform/authentik/oauth2-apps.auto.tfvars
@@ -0,0 +1,192 @@
+oauth_applications = {
+  "paperless" = {
+    name                       = "Paperless-NGX"
+    slug                       = "paperless"
+    group                      = "Tools"
+    meta_description           = "Document management system"
+    meta_icon                  = "https://img.icons8.com/fluency/48/documents.png"
+    redirect_uris              = ["https://docs.hexor.cy/accounts/oidc/authentik/login/callback/"]
+    client_type                = "confidential"
+    include_claims_in_id_token = true
+    access_code_validity       = "minutes=1"
+    access_token_validity      = "minutes=5"
+    refresh_token_validity     = "days=30"
+    scope_mappings             = ["openid", "profile", "email"]
+    create_group               = true
+    access_groups              = ["admins"]
+  }
+
+  "gitea" = {
+    name                       = "Gitea"
+    slug                       = "gitea"
+    group                      = "Tools"
+    meta_description           = "Git repository hosting"
+    meta_icon                  = "https://img.icons8.com/?size=100&id=20906&format=png&color=000000"
+    redirect_uris              = ["https://gt.hexor.cy/user/oauth2/Authentik/callback"]
+    client_type                = "confidential"
+    include_claims_in_id_token = true
+    access_code_validity       = "minutes=1"
+    access_token_validity      = "minutes=10"
+    refresh_token_validity     = "days=30"
+    scope_mappings             = ["openid", "profile", "email"]
+    access_groups              = ["admins"]
+  }
+
+  "jellyfin" = {
+    name             = "Jellyfin"
+    slug             = "jellyfin"
+    group            = "Media and Storage"
+    meta_description = "Media streaming server"
+    meta_icon        = "https://img.icons8.com/plasticine/100/jellyfin.png"
+    redirect_uris = [
+      "https://jf.hexor.cy/sso/OID/r/authentik",
+      "https://jf.hexor.cy/sso/OID/redirect/authentik"
+    ]
+    client_type                = "confidential"
+    include_claims_in_id_token = true
+    access_code_validity       = "minutes=1"
+    access_token_validity      = "minutes=10"
+    refresh_token_validity     = "days=30"
+    scope_mappings             = ["openid", "profile", "email"]
+    access_groups              = ["admins"]
+  }
+
+  "argocd" = {
+    name                       = "ArgoCD"
+    slug                       = "argocd"
+    group                      = "Core"
+    meta_description           = "GitOps deployment tool"
+    meta_icon                  = "https://img.icons8.com/color-glass/48/octopus.png"
+    redirect_uris              = ["https://ag.hexor.cy/auth/callback"]
+    client_type                = "confidential"
+    include_claims_in_id_token = true
+    access_code_validity       = "minutes=1"
+    access_token_validity      = "minutes=5"
+    refresh_token_validity     = "days=30"
+    scope_mappings             = ["openid", "profile", "email"]
+    signing_key                = "1b1b5bec-034a-4d96-871a-133f11322360"
+    access_groups              = ["admins"]
+  }
+
+  "grafana" = {
+    name                       = "Grafana"
+    slug                       = "grafana"
+    group                      = "Core"
+    meta_description           = "Monitoring and observability"
+    meta_icon                  = "https://img.icons8.com/fluency/48/grafana.png"
+    redirect_uris              = ["https://gf.hexor.cy/login/generic_oauth"]
+    client_type                = "confidential"
+    include_claims_in_id_token = true
+    access_code_validity       = "minutes=1"
+    access_token_validity      = "minutes=5"
+    refresh_token_validity     = "days=30"
+    scope_mappings             = ["openid", "profile", "email"]
+    access_groups              = ["admins"]
+  }
+
+  "immich" = {
+    name             = "Immich"
+    slug             = "immich"
+    group            = "Media and Storage"
+    meta_description = "Photo and video management"
+    meta_icon        = "https://img.icons8.com/fluency/48/photos.png"
+    redirect_uris = [
+      "https://photos.hexor.cy/auth/login",
+      "https://photos.hexor.cy/user-settings",
+      "app.immich:///oauth-callback",
+      "http://photos.homenet:30283/auth/login",
+      "http://photos.homenet:30283/user-settings"
+    ]
+    client_type                = "confidential"
+    include_claims_in_id_token = true
+    access_code_validity       = "minutes=1"
+    access_token_validity      = "minutes=5"
+    refresh_token_validity     = "days=30"
+    scope_mappings             = ["openid", "profile", "email"]
+    signing_key                = "1b1b5bec-034a-4d96-871a-133f11322360"
+    access_groups              = ["admins"]
+    create_group               = true
+  }
+
+  "pgadmin" = {
+    name                       = "Postgres WEB Admin"
+    slug                       = "pgadmin"
+    group                      = "Core"
+    meta_description           = "PostgreSQL WEB administration"
+    meta_icon                  = "https://img.icons8.com/?size=100&id=JRnxU7ZWP4mi&format=png&color=000000"
+    redirect_uris              = ["https://pg.hexor.cy/oauth2/authorize"]
+    client_type                = "confidential"
+    include_claims_in_id_token = true
+    access_code_validity       = "minutes=1"
+    access_token_validity      = "minutes=5"
+    refresh_token_validity     = "days=30"
+    scope_mappings             = ["openid", "profile", "email"]
+    access_groups              = ["admins"]
+    signing_key                = "1b1b5bec-034a-4d96-871a-133f11322360"
+  }
+
+  "home-assistant-lms" = {
+    name             = "Home Assistant LMS"
+    slug             = "home-assistant-lms"
+    group            = "Internal"
+    meta_description = "Home Assistant Limassol"
+    meta_icon        = "https://img.icons8.com/stickers/100/smart-home-automation.png"
+    redirect_uris = [
+      "http://ha-lms:8123/auth/oidc/callback",
+      "http://ha-lms.homenet:8123/auth/oidc/callback",
+    ]
+    meta_launch_url            = "http://ha-lms:8123/auth/oidc/welcome"
+    client_type                = "confidential"
+    include_claims_in_id_token = true
+    access_code_validity       = "minutes=1"
+    access_token_validity      = "minutes=5"
+    refresh_token_validity     = "days=30"
+    scope_mappings             = ["openid", "profile", "email"]
+    access_groups              = ["admins"]
+    create_group               = true
+    signing_key                = "1b1b5bec-034a-4d96-871a-133f11322360"
+  }
+  "home-assistant-london" = {
+    name             = "Home Assistant London"
+    slug             = "home-assistant-london"
+    group            = "Internal"
+    meta_description = "Home Assistant London"
+    meta_icon        = "https://img.icons8.com/stickers/100/smart-home-automation.png"
+    redirect_uris = [
+      "http://ha-london:8123/auth/oidc/callback",
+      "http://ha-london.tail2fe2d.ts.net:8123/auth/oidc/callback",
+    ]
+    meta_launch_url            = "http://ha-london:8123/auth/oidc/welcome"
+    client_type                = "confidential"
+    include_claims_in_id_token = true
+    access_code_validity       = "minutes=1"
+    access_token_validity      = "minutes=5"
+    refresh_token_validity     = "days=30"
+    scope_mappings             = ["openid", "profile", "email"]
+    access_groups              = ["admins"]
+    create_group               = true
+    signing_key                = "1b1b5bec-034a-4d96-871a-133f11322360"
+  }
+
+  "openwebui" = {
+    name             = "OpenWeb UI"
+    slug             = "openwebui"
+    group            = "Tools"
+    meta_description = "OpenWeb UI"
+    meta_icon        = "https://ollama.com/public/ollama.png"
+    redirect_uris = [
+      "https://ai.hexor.cy/oauth/oidc/callback",
+    ]
+    meta_launch_url            = "https://ai.hexor.cy"
+    client_type                = "confidential"
+    include_claims_in_id_token = true
+    access_code_validity       = "minutes=1"
+    access_token_validity      = "minutes=5"
+    refresh_token_validity     = "days=30"
+    scope_mappings             = ["openid", "profile", "email"]
+    access_groups              = ["admins"]
+    create_group               = true
+    signing_key                = "1b1b5bec-034a-4d96-871a-133f11322360"
+  }
+}
+
--- a/terraform/authentik/proxy-apps.auto.tfvars
+++ b/terraform/authentik/proxy-apps.auto.tfvars
@@ -0,0 +1,195 @@
+proxy_applications = {
+  "k8s-dashboard" = {
+    name                         = "K8S dashboard"
+    slug                         = "k8s-dashboard-ns"
+    group                        = "Core"
+    external_host                = "https://k8s.hexor.cy"
+    internal_host                = "http://kubernetes-dashboard.kubernetes-dashboard.svc"
+    internal_host_ssl_validation = false
+    meta_description             = "K8S dashboard chart"
+    mode                         = "proxy"
+    outpost                      = "kubernetes-outpost"
+    meta_icon                    = "https://img.icons8.com/color/48/kubernetes.png"
+    create_group                 = true
+    access_groups                = ["admins"]
+  }
+  "filemanager" = {
+    name                         = "FM filemanager"
+    slug                         = "fm-filemanager"
+    group                        = "Core"
+    external_host                = "https://fm.hexor.cy"
+    internal_host                = "http://fb-filemanager-filebrowser.syncthing.svc"
+    internal_host_ssl_validation = false
+    meta_description             = "K8S dashboard chart"
+    mode                         = "proxy"
+    outpost                      = "kubernetes-outpost"
+    meta_icon                    = "https://img.icons8.com/external-anggara-flat-anggara-putra/32/external-folder-basic-user-interface-anggara-flat-anggara-putra.png"
+    create_group                 = true
+    access_groups                = ["admins"]
+  }
+
+  "prometheus" = {
+    name                         = "Prometheus"
+    slug                         = "prometheus"
+    group                        = "Core"
+    external_host                = "https://prom.hexor.cy"
+    internal_host                = "http://prometheus-kube-prometheus-prometheus.prometheus.svc:9090"
+    meta_description             = ""
+    meta_icon                    = "https://img.icons8.com/fluency/48/prometheus-app.png"
+    mode                         = "proxy"
+    outpost                      = "kubernetes-outpost"
+    internal_host_ssl_validation = false
+    create_group                 = true
+    access_groups                = ["admins"]
+  }
+
+  "kubernetes-secrets" = {
+    name                         = "kubernetes-secrets"
+    slug                         = "k8s-secret"
+    group                        = "Core"
+    external_host                = "https://pass.hexor.cy"
+    internal_host                = "http://secret-reader.k8s-secret.svc:80"
+    internal_host_ssl_validation = false
+    meta_description             = ""
+    skip_path_regex              = <<-EOT
+/webhook
+EOT
+    meta_icon                    = "https://img.icons8.com/ios-filled/50/password.png"
+    mode                         = "proxy"
+    outpost                      = "kubernetes-outpost"
+    create_group                 = true
+    access_groups                = ["admins"]
+  }
+  "mtproxy-links" = {
+    name                         = "mtproxy-links"
+    slug                         = "mtproxy-links"
+    group                        = "Core"
+    external_host                = "https://proxy.hexor.cy"
+    internal_host                = "http://secret-reader.mtproxy.svc:80"
+    internal_host_ssl_validation = false
+    meta_description             = ""
+    skip_path_regex              = <<-EOT
+/webhook
+EOT
+    meta_icon                    = "https://img.icons8.com/ios-filled/50/password.png"
+    mode                         = "proxy"
+    outpost                      = "kubernetes-outpost"
+    create_group                 = true
+    access_groups                = ["admins"]
+  }
+
+  # Tools applications
+  "qbittorrent" = {
+    name                         = "qBittorent"
+    slug                         = "qbittorent"
+    group                        = "Tools"
+    external_host                = "https://qbt.hexor.cy"
+    internal_host                = "http://qbittorrent.jellyfin.svc"
+    internal_host_ssl_validation = false
+    meta_description             = ""
+    meta_icon                    = "https://img.icons8.com/nolan/64/qbittorrent--v2.png"
+    mode                         = "proxy"
+    outpost                      = "kubernetes-outpost"
+    create_group                 = true
+    access_groups                = ["admins"]
+  }
+
+  # Media and Storage applications
+  "kopia" = {
+    name                         = "Kopia"
+    slug                         = "kopia"
+    group                        = "Media and Storage"
+    external_host                = "https://backup.hexor.cy"
+    internal_host                = "http://100.72.135.2:51515"
+    internal_host_ssl_validation = false
+    meta_description             = ""
+    meta_icon                    = "https://img.icons8.com/external-flaticons-lineal-color-flat-icons/64/external-backup-productivity-flaticons-lineal-color-flat-icons.png"
+    mode                         = "proxy"
+    outpost                      = "kubernetes-outpost"
+    create_group                 = true
+    access_groups                = ["admins"]
+  }
+
+  "syncthing-router" = {
+    name                         = "Syncthing"
+    slug                         = "syncthing"
+    group                        = "Media and Storage"
+    external_host                = "https://ss.hexor.cy"
+    internal_host                = "http://syncthing-router.syncthing.svc:80"
+    internal_host_ssl_validation = false
+    meta_description             = ""
+    meta_icon                    = "https://img.icons8.com/?size=100&id=Id4NcEcXcYzF&format=png&color=000000"
+    mode                         = "proxy"
+    outpost                      = "kubernetes-outpost"
+    create_group                 = true
+    access_groups                = ["admins"]
+  }
+
+  "truenas" = {
+    name                         = "TrueNAS"
+    slug                         = "truenas-proxy"
+    group                        = "Media and Storage"
+    external_host                = "https://nas.hexor.cy"
+    internal_host                = "http://10.0.5.107:81"
+    internal_host_ssl_validation = false
+    meta_description             = ""
+    meta_icon                    = "https://img.icons8.com/dusk/64/nas.png"
+    mode                         = "proxy"
+    outpost                      = "kubernetes-outpost"
+    create_group                 = true
+    access_groups                = ["admins"]
+  }
+
+  "khm" = {
+    name                         = "KHM"
+    slug                         = "khm"
+    group                        = "Media and Storage"
+    external_host                = "https://khm.hexor.cy"
+    internal_host                = "http://khm.khm.svc:8080"
+    internal_host_ssl_validation = false
+    meta_description             = ""
+    meta_icon                    = "https://img.icons8.com/liquid-glass/48/key.png"
+    mode                         = "proxy"
+    outpost                      = "kubernetes-outpost"
+    access_groups                = ["admins", "khm"] # Используем существующие группы
+    create_group                 = true
+    access_groups                = ["admins"]
+  }
+
+  "minecraft" = {
+    name                         = "Minecraft"
+    slug                         = "minecraft"
+    group                        = "Media and Storage"
+    external_host                = "https://minecraft.hexor.cy"
+    internal_host                = "http://minecraft-dynmap.minecraft.svc"
+    internal_host_ssl_validation = false
+    meta_description             = ""
+    meta_icon                    = "https://img.icons8.com/color/48/minecraft-grass-cube.png"
+    mode                         = "proxy"
+    outpost                      = "kubernetes-outpost"
+    skip_path_regex              = <<-EOT
+/clients
+EOT
+  }
+  "pasarguard" = {
+    name                         = "PasarGuard"
+    slug                         = "pasarguard"
+    group                        = "Tools"
+    external_host                = "https://ps.hexor.cy"
+    internal_host                = "https://pasarguard.pasarguard.svc:80"
+    internal_host_ssl_validation = false
+    meta_description             = ""
+    skip_path_regex              = <<-EOT
+/
+/sub/
+/dashboard/
+/api/
+EOT
+    meta_icon                    = "https://img.icons8.com/?size=100&id=fqAD3lAB6zTe&format=png&color=000000"
+    mode                         = "proxy"
+    outpost                      = "kubernetes-outpost"
+    create_group                 = true
+    access_groups                = ["admins"]
+  }
+}
+