Deployed rsauth2-proxy

2026-05-05 14:56:56 +01:00
parent 37c77a899d
commit 9622b7d7bc
17 changed files with 389 additions and 79 deletions
@@ -0,0 +1,133 @@
+# =============================================================================
+# Realm
+# =============================================================================
+
+resource "keycloak_realm" "hexor" {
+  realm   = "hexor"
+  enabled = true
+
+  display_name = "Hexor"
+
+  login_theme   = "keycloak"
+  account_theme = "keycloak.v3"
+
+  registration_allowed     = false
+  reset_password_allowed   = true
+  remember_me              = true
+  verify_email             = false
+  login_with_email_allowed = true
+  duplicate_emails_allowed = false
+
+  ssl_required = "external"
+}
+
+# =============================================================================
+# Google Identity Provider
+# =============================================================================
+
+resource "keycloak_oidc_google_identity_provider" "google" {
+  realm         = keycloak_realm.hexor.id
+  client_id     = var.google_client_id
+  client_secret = var.google_client_secret
+
+  trust_email = true
+  sync_mode   = "IMPORT"
+}
+
+# =============================================================================
+# Default groups
+# =============================================================================
+
+resource "keycloak_group" "users" {
+  realm_id = keycloak_realm.hexor.id
+  name     = "users"
+}
+
+resource "keycloak_default_groups" "default" {
+  realm_id  = keycloak_realm.hexor.id
+  group_ids = [keycloak_group.users.id]
+}
+
+# =============================================================================
+# rsauth2-proxy client (production)
+# =============================================================================
+
+resource "keycloak_openid_client" "rsauth2_proxy" {
+  realm_id  = keycloak_realm.hexor.id
+  client_id = "rsauth2-proxy"
+
+  name                         = "rsauth2-proxy"
+  enabled                      = true
+  access_type                  = "CONFIDENTIAL"
+  standard_flow_enabled        = true
+  direct_access_grants_enabled = false
+
+  valid_redirect_uris = [
+    "https://oauth.hexor.cy/callback",
+  ]
+
+  web_origins = [
+    "https://oauth.hexor.cy",
+  ]
+}
+
+resource "keycloak_openid_group_membership_protocol_mapper" "rsauth2_proxy_groups" {
+  realm_id   = keycloak_realm.hexor.id
+  client_id  = keycloak_openid_client.rsauth2_proxy.id
+  name       = "groups"
+  claim_name = "groups"
+  full_path  = false
+}
+
+resource "keycloak_openid_client_default_scopes" "rsauth2_proxy" {
+  realm_id  = keycloak_realm.hexor.id
+  client_id = keycloak_openid_client.rsauth2_proxy.id
+
+  default_scopes = [
+    "openid",
+    "profile",
+    "email",
+  ]
+}
+
+# =============================================================================
+# rsauth2-proxy client (localhost testing)
+# =============================================================================
+
+resource "keycloak_openid_client" "rsauth2_proxy_dev" {
+  realm_id  = keycloak_realm.hexor.id
+  client_id = "rsauth2-proxy-dev"
+
+  name                         = "rsauth2-proxy (dev)"
+  enabled                      = true
+  access_type                  = "CONFIDENTIAL"
+  standard_flow_enabled        = true
+  direct_access_grants_enabled = false
+
+  valid_redirect_uris = [
+    "http://localhost:8080/callback",
+  ]
+
+  web_origins = [
+    "http://localhost:8080",
+  ]
+}
+
+resource "keycloak_openid_group_membership_protocol_mapper" "rsauth2_proxy_dev_groups" {
+  realm_id   = keycloak_realm.hexor.id
+  client_id  = keycloak_openid_client.rsauth2_proxy_dev.id
+  name       = "groups"
+  claim_name = "groups"
+  full_path  = false
+}
+
+resource "keycloak_openid_client_default_scopes" "rsauth2_proxy_dev" {
+  realm_id  = keycloak_realm.hexor.id
+  client_id = keycloak_openid_client.rsauth2_proxy_dev.id
+
+  default_scopes = [
+    "openid",
+    "profile",
+    "email",
+  ]
+}