diff --git a/.gitignore b/.gitignore index b74dc47..43814be 100644 --- a/.gitignore +++ b/.gitignore @@ -13,6 +13,7 @@ crash.*.log *.tfvars *.tfvars.json !*terraform.tfvars +!*.auto.tfvars # claude ai .claude/ diff --git a/terraform/authentik/.claude/settings.local.json b/terraform/authentik/.claude/settings.local.json index d297242..f1feb7a 100644 --- a/terraform/authentik/.claude/settings.local.json +++ b/terraform/authentik/.claude/settings.local.json @@ -11,7 +11,11 @@ "Bash(terraform plan:*)", "Bash(terraform state:*)", "Bash(TF_VAR_authentik_token=ZDTbu4OKl0UcmdYKG5XgkRThZO7vWX2xz0w5vP2d8sudIr44ccwKOby6iRUa terraform plan:*)", - "Bash(TF_VAR_authentik_token=ZDTbu4OKl0UcmdYKG5XgkRThZO7vWX2xz0w5vP2d8sudIr44ccwKOby6iRUa terraform force-unlock:*)" + "Bash(TF_VAR_authentik_token=ZDTbu4OKl0UcmdYKG5XgkRThZO7vWX2xz0w5vP2d8sudIr44ccwKOby6iRUa terraform force-unlock:*)", + "Bash(git:*)", + "Bash(TF_VAR_authentik_token=ZDTbu4OKl0UcmdYKG5XgkRThZO7vWX2xz0w5vP2d8sudIr44ccwKOby6iRUa terraform state:*)", + "Bash(terraform version:*)", + "Bash(curl:*)" ], "deny": [], "ask": [] diff --git a/terraform/authentik/groups.auto.tfvars b/terraform/authentik/groups.auto.tfvars new file mode 100644 index 0000000..5dd26f7 --- /dev/null +++ b/terraform/authentik/groups.auto.tfvars @@ -0,0 +1,10 @@ +groups = { + "admins" = { + name = "Administrators" + is_superuser = true + attributes = { + notes = "Managed by Terraform" + } + } +} + diff --git a/terraform/authentik/oauth2-apps.auto.tfvars b/terraform/authentik/oauth2-apps.auto.tfvars new file mode 100644 index 0000000..8ad73dc --- /dev/null +++ b/terraform/authentik/oauth2-apps.auto.tfvars 
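Review bot: Un-ignoring every `*.auto.tfvars` undoes the protection the surrounding `*.tfvars` rule gives, because Terraform loads any `*.auto.tfvars` it finds and that is exactly where a credential such as `authentik_token` tends to be dropped next; with this negation in place such a file becomes tracked by default. Prefer listing the three files this commit adds (`!groups.auto.tfvars`, `!oauth2-apps.auto.tfvars`, `!proxy-apps.auto.tfvars`) so a future secrets file stays ignored. Note also that a `.gitignore` rule only affects untracked paths: the `.claude/` entry visible in this hunk's context does not stop the already-tracked `terraform/authentik/.claude/settings.local.json` from being committed.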
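Review bot: The added `"Bash(TF_VAR_authentik_token=… terraform state:*)"` entry puts a third copy of the live Authentik API token into a committed file, so the token is in git history whatever happens to this file later; it should be treated as exposed and rotated, and the allowlist should reference the command without the value (supply `TF_VAR_authentik_token` from the shell environment or an ignored tfvars file) so the entry collapses to the `"Bash(terraform state:*)"` pattern this file already has. The new `"Bash(git:*)"` and `"Bash(curl:*)"` entries grant the assistant unrestricted repository writes and outbound HTTP; narrower prefixes such as `"Bash(git status:*)"` and `"Bash(git diff:*)"`, and a curl entry pinned to the one host actually needed, keep the allowlist least-privilege. Separately, the `.claude/` rule in this commit's `.gitignore` hunk does not untrack this file; `git rm --cached terraform/authentik/.claude/settings.local.json` is needed for it to stop being committed.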
@@ -0,0 +1,192 @@
+oauth_applications = {
+ "paperless" = {
+ name = "Paperless-NGX"
+ slug = "paperless"
+ group = "Tools"
+ meta_description = "Document management system"
+ meta_icon = "https://img.icons8.com/fluency/48/documents.png"
+ redirect_uris = ["https://docs.hexor.cy/accounts/oidc/authentik/login/callback/"]
+ client_type = "confidential"
+ include_claims_in_id_token = true
+ access_code_validity = "minutes=1"
+ access_token_validity = "minutes=5"
+ refresh_token_validity = "days=30"
+ scope_mappings = ["openid", "profile", "email"]
+ create_group = true
+ access_groups = ["admins"]
+ }
+
+ "gitea" = {
+ name = "Gitea"
+ slug = "gitea"
+ group = "Tools"
+ meta_description = "Git repository hosting"
+ meta_icon = "https://img.icons8.com/?size=100&id=20906&format=png&color=000000"
+ redirect_uris = ["https://gt.hexor.cy/user/oauth2/Authentik/callback"]
+ client_type = "confidential"
+ include_claims_in_id_token = true
+ access_code_validity = "minutes=1"
+ access_token_validity = "minutes=10"
+ refresh_token_validity = "days=30"
+ scope_mappings = ["openid", "profile", "email"]
+ access_groups = ["admins"]
+ }
+
+ "jellyfin" = {
+ name = "Jellyfin"
+ slug = "jellyfin"
+ group = "Media and Storage"
+ meta_description = "Media streaming server"
+ meta_icon = "https://img.icons8.com/plasticine/100/jellyfin.png"
+ redirect_uris = [
+ "https://jf.hexor.cy/sso/OID/r/authentik",
+ "https://jf.hexor.cy/sso/OID/redirect/authentik"
+ ]
+ client_type = "confidential"
+ include_claims_in_id_token = true
+ access_code_validity = "minutes=1"
+ access_token_validity = "minutes=10"
+ refresh_token_validity = "days=30"
+ scope_mappings = ["openid", "profile", "email"]
+ access_groups = ["admins"]
+ }
+
+ "argocd" = {
+ name = "ArgoCD"
+ slug = "argocd"
+ group = "Core"
+ meta_description = "GitOps deployment tool"
+ meta_icon = "https://img.icons8.com/color-glass/48/octopus.png"
+ redirect_uris = ["https://ag.hexor.cy/auth/callback"]
+ client_type = "confidential"
+ include_claims_in_id_token = true
+ access_code_validity = "minutes=1"
+ access_token_validity = "minutes=5"
+ refresh_token_validity = "days=30"
+ scope_mappings = ["openid", "profile", "email"]
+ signing_key = "1b1b5bec-034a-4d96-871a-133f11322360"
+ access_groups = ["admins"]
+ }
+
+ "grafana" = {
+ name = "Grafana"
+ slug = "grafana"
+ group = "Core"
+ meta_description = "Monitoring and observability"
+ meta_icon = "https://img.icons8.com/fluency/48/grafana.png"
+ redirect_uris = ["https://gf.hexor.cy/login/generic_oauth"]
+ client_type = "confidential"
+ include_claims_in_id_token = true
+ access_code_validity = "minutes=1"
+ access_token_validity = "minutes=5"
+ refresh_token_validity = "days=30"
+ scope_mappings = ["openid", "profile", "email"]
+ access_groups = ["admins"]
+ }
+
+ "immich" = {
+ name = "Immich"
+ slug = "immich"
+ group = "Media and Storage"
+ meta_description = "Photo and video management"
+ meta_icon = "https://img.icons8.com/fluency/48/photos.png"
+ redirect_uris = [
+ "https://photos.hexor.cy/auth/login",
+ "https://photos.hexor.cy/user-settings",
+ "app.immich:///oauth-callback",
+ "http://photos.homenet:30283/auth/login",
+ "http://photos.homenet:30283/user-settings"
+ ]
+ client_type = "confidential"
+ include_claims_in_id_token = true
+ access_code_validity = "minutes=1"
+ access_token_validity = "minutes=5"
+ refresh_token_validity = "days=30"
+ scope_mappings = ["openid", "profile", "email"]
+ signing_key = "1b1b5bec-034a-4d96-871a-133f11322360"
+ access_groups = ["admins"]
+ create_group = true
+ }
+
+ "pgadmin" = {
+ name = "Postgres WEB Admin"
+ slug = "pgadmin"
+ group = "Core"
+ meta_description = "PostgreSQL WEB administration"
+ meta_icon = "https://img.icons8.com/?size=100&id=JRnxU7ZWP4mi&format=png&color=000000"
+ redirect_uris = ["https://pg.hexor.cy/oauth2/authorize"]
+ client_type = "confidential"
+ include_claims_in_id_token = true
+ access_code_validity = "minutes=1"
+ access_token_validity = "minutes=5"
+ refresh_token_validity = "days=30"
+ scope_mappings = ["openid", "profile", "email"]
+ access_groups = ["admins"]
+ signing_key = "1b1b5bec-034a-4d96-871a-133f11322360"
+ }
+
+ "home-assistant-lms" = {
+ name = "Home Assistant LMS"
+ slug = "home-assistant-lms"
+ group = "Internal"
+ meta_description = "Home Assistant Limassol"
+ meta_icon = "https://img.icons8.com/stickers/100/smart-home-automation.png"
+ redirect_uris = [
+ "http://ha-lms:8123/auth/oidc/callback",
+ "http://ha-lms.homenet:8123/auth/oidc/callback",
+ ]
+ meta_launch_url = "http://ha-lms:8123/auth/oidc/welcome"
+ client_type = "confidential"
+ include_claims_in_id_token = true
+ access_code_validity = "minutes=1"
+ access_token_validity = "minutes=5"
+ refresh_token_validity = "days=30"
+ scope_mappings = ["openid", "profile", "email"]
+ access_groups = ["admins"]
+ create_group = true
+ signing_key = "1b1b5bec-034a-4d96-871a-133f11322360"
+ }
+ "home-assistant-london" = {
+ name = "Home Assistant London"
+ slug = "home-assistant-london"
+ group = "Internal"
+ meta_description = "Home Assistant London"
+ meta_icon = "https://img.icons8.com/stickers/100/smart-home-automation.png"
+ redirect_uris = [
+ "http://ha-london:8123/auth/oidc/callback",
+ "http://ha-london.tail2fe2d.ts.net:8123/auth/oidc/callback",
+ ]
+ meta_launch_url = "http://ha-london:8123/auth/oidc/welcome"
+ client_type = "confidential"
+ include_claims_in_id_token = true
+ access_code_validity = "minutes=1"
+ access_token_validity = "minutes=5"
+ refresh_token_validity = "days=30"
+ scope_mappings = ["openid", "profile", "email"]
+ access_groups = ["admins"]
+ create_group = true
+ signing_key = "1b1b5bec-034a-4d96-871a-133f11322360"
+ }
+
+ "openwebui" = {
+ name = "OpenWeb UI"
+ slug = "openwebui"
+ group = "Tools"
+ meta_description = "OpenWeb UI"
+ meta_icon = "https://ollama.com/public/ollama.png"
+ redirect_uris = [
+ "https://ai.hexor.cy/oauth/oidc/callback",
+ ]
+ meta_launch_url = "https://ai.hexor.cy"
+ client_type = "confidential"
+ include_claims_in_id_token = true
+ access_code_validity = "minutes=1"
+ access_token_validity = "minutes=5"
+ refresh_token_validity = "days=30"
+ scope_mappings = ["openid", "profile", "email"]
+ access_groups = ["admins"]
+ create_group = true
+ signing_key = "1b1b5bec-034a-4d96-871a-133f11322360"
+ }
+}
+
diff --git a/terraform/authentik/proxy-apps.auto.tfvars b/terraform/authentik/proxy-apps.auto.tfvars
new file mode 100644
index 0000000..e39a2b8
--- /dev/null
+++ b/terraform/authentik/proxy-apps.auto.tfvars
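Review bot: Four redirect URIs are plain `http://` (`http://photos.homenet:30283/...` twice under `immich`, `http://ha-lms:8123/...` and `http://ha-lms.homenet:8123/...` under `home-assistant-lms`, and both `ha-london` entries), so the authorization code, and presumably the session cookie the app sets on that callback, cross the local network unencrypted; the `confidential` client type and the one-minute `access_code_validity` limit what an observer can do with the code alone, but the cookie exposure remains. Immich is already served over TLS at `photos.hexor.cy`, so the `photos.homenet:30283` pair looks like a leftover that can be dropped, and for the Home Assistant instances it is worth confirming a TLS-terminating front is not already available. The same `signing_key` UUID is repeated in six applications; a tfvars file cannot reference variables, so if the module's variable schema allows an `optional(...)` attribute with that default, the per-app lines can go and only genuine overrides stay here. The trailing comma after the last element of the Home Assistant and OpenWeb UI `redirect_uris` lists is valid HCL but inconsistent with the other lists in the file.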
@@ -0,0 +1,195 @@
+proxy_applications = {
+ "k8s-dashboard" = {
+ name = "K8S dashboard"
+ slug = "k8s-dashboard-ns"
+ group = "Core"
+ external_host = "https://k8s.hexor.cy"
+ internal_host = "http://kubernetes-dashboard.kubernetes-dashboard.svc"
+ internal_host_ssl_validation = false
+ meta_description = "K8S dashboard chart"
+ mode = "proxy"
+ outpost = "kubernetes-outpost"
+ meta_icon = "https://img.icons8.com/color/48/kubernetes.png"
+ create_group = true
+ access_groups = ["admins"]
+ }
+ "filemanager" = {
+ name = "FM filemanager"
+ slug = "fm-filemanager"
+ group = "Core"
+ external_host = "https://fm.hexor.cy"
+ internal_host = "http://fb-filemanager-filebrowser.syncthing.svc"
+ internal_host_ssl_validation = false
+ meta_description = "K8S dashboard chart"
+ mode = "proxy"
+ outpost = "kubernetes-outpost"
+ meta_icon = "https://img.icons8.com/external-anggara-flat-anggara-putra/32/external-folder-basic-user-interface-anggara-flat-anggara-putra.png"
+ create_group = true
+ access_groups = ["admins"]
+ }
+
+ "prometheus" = {
+ name = "Prometheus"
+ slug = "prometheus"
+ group = "Core"
+ external_host = "https://prom.hexor.cy"
+ internal_host = "http://prometheus-kube-prometheus-prometheus.prometheus.svc:9090"
+ meta_description = ""
+ meta_icon = "https://img.icons8.com/fluency/48/prometheus-app.png"
+ mode = "proxy"
+ outpost = "kubernetes-outpost"
+ internal_host_ssl_validation = false
+ create_group = true
+ access_groups = ["admins"]
+ }
+
+ "kubernetes-secrets" = {
+ name = "kubernetes-secrets"
+ slug = "k8s-secret"
+ group = "Core"
+ external_host = "https://pass.hexor.cy"
+ internal_host = "http://secret-reader.k8s-secret.svc:80"
+ internal_host_ssl_validation = false
+ meta_description = ""
+ skip_path_regex = <<-EOT
+/webhook
+EOT
+ meta_icon = "https://img.icons8.com/ios-filled/50/password.png"
+ mode = "proxy"
+ outpost = "kubernetes-outpost"
+ create_group = true
+ access_groups = ["admins"]
+ }
+ "mtproxy-links" = {
+ name = "mtproxy-links"
+ slug = "mtproxy-links"
+ group = "Core"
+ external_host = "https://proxy.hexor.cy"
+ internal_host = "http://secret-reader.mtproxy.svc:80"
+ internal_host_ssl_validation = false
+ meta_description = ""
+ skip_path_regex = <<-EOT
+/webhook
+EOT
+ meta_icon = "https://img.icons8.com/ios-filled/50/password.png"
+ mode = "proxy"
+ outpost = "kubernetes-outpost"
+ create_group = true
+ access_groups = ["admins"]
+ }
+
+ # Tools applications
+ "qbittorrent" = {
+ name = "qBittorent"
+ slug = "qbittorent"
+ group = "Tools"
+ external_host = "https://qbt.hexor.cy"
+ internal_host = "http://qbittorrent.jellyfin.svc"
+ internal_host_ssl_validation = false
+ meta_description = ""
+ meta_icon = "https://img.icons8.com/nolan/64/qbittorrent--v2.png"
+ mode = "proxy"
+ outpost = "kubernetes-outpost"
+ create_group = true
+ access_groups = ["admins"]
+ }
+
+ # Media and Storage applications
+ "kopia" = {
+ name = "Kopia"
+ slug = "kopia"
+ group = "Media and Storage"
+ external_host = "https://backup.hexor.cy"
+ internal_host = "http://100.72.135.2:51515"
+ internal_host_ssl_validation = false
+ meta_description = ""
+ meta_icon = "https://img.icons8.com/external-flaticons-lineal-color-flat-icons/64/external-backup-productivity-flaticons-lineal-color-flat-icons.png"
+ mode = "proxy"
+ outpost = "kubernetes-outpost"
+ create_group = true
+ access_groups = ["admins"]
+ }
+
+ "syncthing-router" = {
+ name = "Syncthing"
+ slug = "syncthing"
+ group = "Media and Storage"
+ external_host = "https://ss.hexor.cy"
+ internal_host = "http://syncthing-router.syncthing.svc:80"
+ internal_host_ssl_validation = false
+ meta_description = ""
+ meta_icon = "https://img.icons8.com/?size=100&id=Id4NcEcXcYzF&format=png&color=000000"
+ mode = "proxy"
+ outpost = "kubernetes-outpost"
+ create_group = true
+ access_groups = ["admins"]
+ }
+
+ "truenas" = {
+ name = "TrueNAS"
+ slug = "truenas-proxy"
+ group = "Media and Storage"
+ external_host = "https://nas.hexor.cy"
+ internal_host = "http://10.0.5.107:81"
+ internal_host_ssl_validation = false
+ meta_description = ""
+ meta_icon = "https://img.icons8.com/dusk/64/nas.png"
+ mode = "proxy"
+ outpost = "kubernetes-outpost"
+ create_group = true
+ access_groups = ["admins"]
+ }
+
+ "khm" = {
+ name = "KHM"
+ slug = "khm"
+ group = "Media and Storage"
+ external_host = "https://khm.hexor.cy"
+ internal_host = "http://khm.khm.svc:8080"
+ internal_host_ssl_validation = false
+ meta_description = ""
+ meta_icon = "https://img.icons8.com/liquid-glass/48/key.png"
+ mode = "proxy"
+ outpost = "kubernetes-outpost"
+ access_groups = ["admins", "khm"] # Используем существующие группы
+ create_group = true
+ access_groups = ["admins"]
+ }
+
+ "minecraft" = {
+ name = "Minecraft"
+ slug = "minecraft"
+ group = "Media and Storage"
+ external_host = "https://minecraft.hexor.cy"
+ internal_host = "http://minecraft-dynmap.minecraft.svc"
+ internal_host_ssl_validation = false
+ meta_description = ""
+ meta_icon = "https://img.icons8.com/color/48/minecraft-grass-cube.png"
+ mode = "proxy"
+ outpost = "kubernetes-outpost"
+ skip_path_regex = <<-EOT
+/clients
+EOT
+ }
+ "pasarguard" = {
+ name = "PasarGuard"
+ slug = "pasarguard"
+ group = "Tools"
+ external_host = "https://ps.hexor.cy"
+ internal_host = "https://pasarguard.pasarguard.svc:80"
+ internal_host_ssl_validation = false
+ meta_description = ""
+ skip_path_regex = <<-EOT
+/
+/sub/
+/dashboard/
+/api/
+EOT
+ meta_icon = "https://img.icons8.com/?size=100&id=fqAD3lAB6zTe&format=png&color=000000"
+ mode = "proxy"
+ outpost = "kubernetes-outpost"
+ create_group = true
+ access_groups = ["admins"]
+ }
+}
+
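Review bot: The `khm` entry sets `access_groups` twice (`["admins", "khm"]` and, two lines later, `["admins"]`); HCL rejects a repeated key inside an object constructor ("Duplicate object key"), so this file should fail to load at plan time, and the comment beside the first line suggests that `access_groups = ["admins", "khm"]` is the one to keep. That comment is in Russian; please write it in English, e.g. `# reuse the existing groups`. In `pasarguard` the `skip_path_regex` heredoc begins with a bare `/`, and if the outpost matches these expressions unanchored (as Go's regexp does by default) that single pattern matches every request path and turns authentication off for the whole application; anchor the entries (`^/sub/`, `^/dashboard/`, `^/api/`) and drop the `/` line unless an unauthenticated app is really intended. The same entry's `internal_host` is `https://pasarguard.pasarguard.svc:80`, an HTTPS scheme on port 80, which looks like a scheme/port mismatch worth confirming against the service. Minor copy-paste leftovers: `filemanager` reuses the `K8S dashboard chart` description, and `qBittorent`/`qbittorent` are misspelled (note the slug is part of the URL, so correcting it after the application exists changes that URL).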