diff --git a/.gitignore b/.gitignore
index 399e2f8..6c96ecc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,13 +10,6 @@
 crash.log
 crash.*.log
-# Exclude all .tfvars files, which are likely to contain sensitive data, such as
-# password, private keys, and other secrets. These should not be part of version
-# control as they are data points which are potentially sensitive and subject
-# to change depending on the environment.
-*.tfvars
-*.tfvars.json
-
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in
 override.tf
diff --git a/terraform/authentik/groups.tfvars b/terraform/authentik/groups.tfvars
new file mode 100644
index 0000000..5dd26f7
--- /dev/null
+++ b/terraform/authentik/groups.tfvars
@@ -0,0 +1,10 @@
+groups = {
+ "admins" = {
+ name = "Administrators"
+ is_superuser = true
+ attributes = {
+ notes = "Managed by Terraform"
+ }
+ }
+}
+
diff --git a/terraform/authentik/oauth2-apps.tfvars b/terraform/authentik/oauth2-apps.tfvars
new file mode 100644
index 0000000..1c9fa23
--- /dev/null
+++ b/terraform/authentik/oauth2-apps.tfvars
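Review bot: `groups.tfvars` becomes a tracked file only because the same commit drops the `*.tfvars` and `*.tfvars.json` ignore rules, and while nothing in it is sensitive (a group name, `is_superuser = true`, a note), the removed `.gitignore` comment still describes a real risk for any future tfvars file that carries credentials. A header comment here such as `# Committed deliberately: no secrets live in *.tfvars; keep credentials out of these files` would preserve that guidance, or a narrower ignore pattern for a dedicated secrets file could replace the removed rule. `is_superuser = true` makes every member of this group a full Authentik administrator, and every application in the other files grants access to `admins`, so that is presumably intended, but a one-line comment saying so would help the next reader.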
@@ -0,0 +1,128 @@
+oauth_applications = {
+ "paperless" = {
+ name = "Paperless-NGX"
+ slug = "paperless"
+ group = "Tools"
+ meta_description = "Document management system"
+ meta_icon = "https://img.icons8.com/fluency/48/documents.png"
+ redirect_uris = ["https://docs.hexor.cy/accounts/oidc/authentik/login/callback/"]
+ client_type = "confidential"
+ include_claims_in_id_token = true
+ access_code_validity = "minutes=1"
+ access_token_validity = "minutes=5"
+ refresh_token_validity = "days=30"
+ scope_mappings = ["openid", "profile", "email"]
+ create_group = true
+ access_groups = ["admins"]
+ }
+
+ "gitea" = {
+ name = "Gitea"
+ slug = "gitea"
+ group = "Tools"
+ meta_description = "Git repository hosting"
+ meta_icon = "https://img.icons8.com/?size=100&id=20906&format=png&color=000000"
+ redirect_uris = ["https://gt.hexor.cy/user/oauth2/Authentik/callback"]
+ client_type = "confidential"
+ include_claims_in_id_token = true
+ access_code_validity = "minutes=1"
+ access_token_validity = "minutes=10"
+ refresh_token_validity = "days=30"
+ scope_mappings = ["openid", "profile", "email"]
+ access_groups = ["admins"]
+ }
+
+ "jellyfin" = {
+ name = "Jellyfin"
+ slug = "jellyfin"
+ group = "Media and Storage"
+ meta_description = "Media streaming server"
+ meta_icon = "https://img.icons8.com/plasticine/100/jellyfin.png"
+ redirect_uris = [
+ "https://jf.hexor.cy/sso/OID/r/authentik",
+ "https://jf.hexor.cy/sso/OID/redirect/authentik"
+ ]
+ client_type = "confidential"
+ include_claims_in_id_token = true
+ access_code_validity = "minutes=1"
+ access_token_validity = "minutes=10"
+ refresh_token_validity = "days=30"
+ scope_mappings = ["openid", "profile", "email"]
+ access_groups = ["admins"]
+ }
+
+ "argocd" = {
+ name = "ArgoCD"
+ slug = "argocd"
+ group = "Core"
+ meta_description = "GitOps deployment tool"
+ meta_icon = "https://img.icons8.com/color-glass/48/octopus.png"
+ redirect_uris = ["https://ag.hexor.cy/auth/callback"]
+ client_type = "confidential"
+ include_claims_in_id_token = true
+ access_code_validity = "minutes=1"
+ access_token_validity = "minutes=5"
+ refresh_token_validity = "days=30"
+ scope_mappings = ["openid", "profile", "email"]
+ signing_key = "1b1b5bec-034a-4d96-871a-133f11322360"
+ access_groups = ["admins"]
+ }
+
+ "grafana" = {
+ name = "Grafana"
+ slug = "grafana"
+ group = "Core"
+ meta_description = "Monitoring and observability"
+ meta_icon = "https://img.icons8.com/fluency/48/grafana.png"
+ redirect_uris = ["https://gf.hexor.cy/login/generic_oauth"]
+ client_type = "confidential"
+ include_claims_in_id_token = true
+ access_code_validity = "minutes=1"
+ access_token_validity = "minutes=5"
+ refresh_token_validity = "days=30"
+ scope_mappings = ["openid", "profile", "email"]
+ access_groups = ["admins"]
+ }
+
+ "immich" = {
+ name = "Immich"
+ slug = "immich"
+ group = "Media and Storage"
+ meta_description = "Photo and video management"
+ meta_icon = "https://img.icons8.com/fluency/48/photos.png"
+ redirect_uris = [
+ "https://photos.hexor.cy/auth/login",
+ "https://photos.hexor.cy/user-settings",
+ "app.immich:///oauth-callback",
+ "http://photos.homenet:30283/auth/login",
+ "http://photos.homenet:30283/user-settings"
+ ]
+ client_type = "confidential"
+ include_claims_in_id_token = true
+ access_code_validity = "minutes=1"
+ access_token_validity = "minutes=5"
+ refresh_token_validity = "days=30"
+ scope_mappings = ["openid", "profile", "email"]
+ signing_key = "1b1b5bec-034a-4d96-871a-133f11322360"
+ access_groups = ["admins"]
+ create_group = true
+ }
+
+ "pgadmin" = {
+ name = "Postgres WEB Admin"
+ slug = "pgadmin"
+ group = "Core"
+ meta_description = "PostgreSQL WEB administration"
+ meta_icon = "https://img.icons8.com/?size=100&id=JRnxU7ZWP4mi&format=png&color=000000"
+ redirect_uris = ["https://pg.hexor.cy/oauth2/authorize"]
+ client_type = "confidential"
+ include_claims_in_id_token = true
+ access_code_validity = "minutes=1"
+ access_token_validity = "minutes=5"
+ refresh_token_validity = "days=30"
+ scope_mappings = ["openid", "profile", "email"]
+ access_groups = ["admins"]
+ signing_key = "1b1b5bec-034a-4d96-871a-133f11322360"
+ }
+}
+
diff --git a/terraform/authentik/proxy-apps.tfvars b/terraform/authentik/proxy-apps.tfvars
new file mode 100644
index 0000000..f82e199
--- /dev/null
+++ b/terraform/authentik/proxy-apps.tfvars
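Review bot: The `immich` entry lists two plaintext `http://photos.homenet:30283/...` redirect URIs next to the `https://photos.hexor.cy/...` ones, so an authorization code can be handed back over an unencrypted LAN hop; if that path is really needed, a comment such as `# non-TLS LAN fallback; remove once photos.homenet is served over https` should say why, otherwise the two entries should go. `signing_key = "1b1b5bec-…"` is set for `argocd`, `immich` and `pgadmin` but not for `paperless`, `gitea`, `jellyfin` or `grafana`, always with the same UUID; if it is the one certificate-keypair for the whole deployment it belongs in a module default rather than three per-app literals, and it looks like a keypair reference rather than key material, which is worth confirming now that tfvars files are tracked. `access_token_validity` is `minutes=10` for `gitea` and `jellyfin` and `minutes=5` elsewhere with no explanation. Authentik has historically matched redirect URIs as regular expressions, so depending on how the module hands these lists to the provider the unescaped dots and the trailing-slash differences may match more loosely than they read — worth checking against the provider version in use.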
@@ -0,0 +1,201 @@
+proxy_applications = {
+ "k8s-dashboard" = {
+ name = "K8S dashboard"
+ slug = "k8s-dashboard-ns"
+ group = "Core"
+ external_host = "https://k8s.hexor.cy"
+ internal_host = "http://kubernetes-dashboard.kubernetes-dashboard.svc"
+ internal_host_ssl_validation = false
+ meta_description = "K8S dashboard chart"
+ mode = "proxy"
+ outpost = "kubernetes-outpost"
+ meta_icon = "https://img.icons8.com/color/48/kubernetes.png"
+ create_group = true
+ access_groups = ["admins"]
+ }
+ "filemanager" = {
+ name = "FM filemanager"
+ slug = "fm-filemanager"
+ group = "Core"
+ external_host = "https://fm.hexor.cy"
+ internal_host = "http://fb-filemanager-filebrowser.syncthing.svc"
+ internal_host_ssl_validation = false
+ meta_description = "K8S dashboard chart"
+ mode = "proxy"
+ outpost = "kubernetes-outpost"
+ meta_icon = "https://img.icons8.com/external-anggara-flat-anggara-putra/32/external-folder-basic-user-interface-anggara-flat-anggara-putra.png"
+ create_group = true
+ access_groups = ["admins"]
+ }
+
+ "prometheus" = {
+ name = "Prometheus"
+ slug = "prometheus"
+ group = "Core"
+ external_host = "https://prom.hexor.cy"
+ internal_host = "http://prometheus-kube-prometheus-prometheus.prometheus.svc:9090"
+ meta_description = ""
+ meta_icon = "https://img.icons8.com/fluency/48/prometheus-app.png"
+ mode = "proxy"
+ outpost = "kubernetes-outpost"
+ internal_host_ssl_validation = false
+ create_group = true
+ access_groups = ["admins"]
+ }
+
+ "kubernetes-secrets" = {
+ name = "kubernetes-secrets"
+ slug = "k8s-secret"
+ group = "Core"
+ external_host = "https://pass.hexor.cy"
+ internal_host = "http://secret-reader.k8s-secret.svc:80"
+ internal_host_ssl_validation = false
+ meta_description = ""
+ meta_icon = "https://img.icons8.com/ios-filled/50/password.png"
+ mode = "proxy"
+ outpost = "kubernetes-outpost"
+ create_group = true
+ access_groups = ["admins"]
+ }
+
+ # Tools applications
+ "vpn" = {
+ name = "VPN"
+ slug = "vpn"
+ group = "Tools"
+ external_host = "https://of.hexor.cy"
+ internal_host = "http://outfleet.vpn.svc"
+ internal_host_ssl_validation = false
+ meta_description = ""
+ skip_path_regex = <<-EOT
+/u/
+/stat/
+/ss/
+/xray/
+EOT
+ meta_icon = "https://img.icons8.com/?size=100&id=fqAD3lAB6zTe&format=png&color=000000"
+ mode = "proxy"
+ outpost = "kubernetes-outpost"
+ create_group = true
+ access_groups = ["admins"]
+ }
+
+ "qbittorrent" = {
+ name = "qBittorent"
+ slug = "qbittorent"
+ group = "Tools"
+ external_host = "https://qbt.hexor.cy"
+ internal_host = "http://qbittorrent.jellyfin.svc"
+ internal_host_ssl_validation = false
+ meta_description = ""
+ meta_icon = "https://img.icons8.com/nolan/64/qbittorrent--v2.png"
+ mode = "proxy"
+ outpost = "kubernetes-outpost"
+ create_group = true
+ access_groups = ["admins"]
+ }
+
+ # Media and Storage applications
+ "kopia" = {
+ name = "Kopia"
+ slug = "kopia"
+ group = "Media and Storage"
+ external_host = "https://backup.hexor.cy"
+ internal_host = "http://100.72.135.2:51515"
+ internal_host_ssl_validation = false
+ meta_description = ""
+ meta_icon = "https://img.icons8.com/external-flaticons-lineal-color-flat-icons/64/external-backup-productivity-flaticons-lineal-color-flat-icons.png"
+ mode = "proxy"
+ outpost = "kubernetes-outpost"
+ create_group = true
+ access_groups = ["admins"]
+ }
+
+ "syncthing-master" = {
+ name = "Syncthing-master"
+ slug = "syncthing-master"
+ group = "Media and Storage"
+ external_host = "https://ss.hexor.cy"
+ internal_host = "https://syncthing-master.syncthing.svc:8384"
+ internal_host_ssl_validation = false
+ meta_description = ""
+ meta_icon = "https://img.icons8.com/?size=100&id=Id4NcEcXcYzF&format=png&color=000000"
+ mode = "proxy"
+ outpost = "kubernetes-outpost"
+ create_group = true
+ access_groups = ["admins"]
+ }
+
+ "syncthing-khv" = {
+ name = "Syncthing-khv"
+ slug = "syncthing-khv"
+ group = "Media and Storage"
+ external_host = "https://ss-khv.hexor.cy"
+ internal_host = "https://syncthing-khv.syncthing.svc:8384"
+ internal_host_ssl_validation = false
+ meta_description = ""
+ meta_icon = "https://img.icons8.com/?size=100&id=Id4NcEcXcYzF&format=png&color=000000"
+ mode = "proxy"
+ outpost = "kubernetes-outpost"
+ create_group = true
+ access_groups = ["admins"]
+ }
+
+ "truenas" = {
+ name = "TrueNAS"
+ slug = "truenas-proxy"
+ group = "Media and Storage"
+ external_host = "https://nas.hexor.cy"
+ internal_host = "http://10.0.5.107:81"
+ internal_host_ssl_validation = false
+ meta_description = ""
+ meta_icon = "https://img.icons8.com/dusk/64/nas.png"
+ mode = "proxy"
+ outpost = "kubernetes-outpost"
+ create_group = true
+ access_groups = ["admins"]
+ }
+
+ "hexound" = {
+ name = "Hexound"
+ slug = "hexound"
+ group = "Media and Storage"
+ external_host = "https://hexound.hexor.cy"
+ internal_host = "http://hexound.hexound.svc:80"
+ internal_host_ssl_validation = false
+ meta_description = ""
+ meta_icon = "https://img.icons8.com/fluency/48/audio-wave.png"
+ mode = "proxy"
+ outpost = "kubernetes-outpost"
+ }
+
+ "khm" = {
+ name = "KHM"
+ slug = "khm"
+ group = "Media and Storage"
+ external_host = "https://khm.hexor.cy"
+ internal_host = "http://khm.khm.svc:8080"
+ internal_host_ssl_validation = false
+ meta_description = ""
+ meta_icon = "https://img.icons8.com/liquid-glass/48/key.png"
+ mode = "proxy"
+ outpost = "kubernetes-outpost"
+ access_groups = ["admins", "khm"] # Используем существующие группы
+ create_group = true
+ access_groups = ["admins"]
+ }
+
+ "minecraft" = {
+ name = "Minecraft"
+ slug = "minecraft"
+ group = "Media and Storage"
+ external_host = "https://minecraft.hexor.cy"
+ internal_host = "http://minecraft-dynmap.minecraft.svc"
+ internal_host_ssl_validation = false
+ meta_description = ""
+ meta_icon = "https://img.icons8.com/color/48/minecraft-grass-cube.png"
+ mode = "proxy"
+ outpost = "kubernetes-outpost"
+ }
+}
+
diff --git a/terraform/authentik/terraform.tfvars b/terraform/authentik/terraform.tfvars
new file mode 100644
index 0000000..dd3ae58
--- /dev/null
+++ b/terraform/authentik/terraform.tfvars
@@ -0,0 +1,28 @@
+authentik_url = "https://idm.hexor.cy"
+
+
+flows = {
+}
+
+tags = {
+ environment = "production"
+ managed_by = "terraform"
+ project = "homelab"
+}
+
+
+
+outposts = {
+ "kubernetes-outpost" = {
+ name = "authentik Embedded Outpost"
+ type = "proxy"
+ service_connection = "k8s-cluster"
+ config = {
+ authentik_host = "https://idm.hexor.cy"
+ authentik_host_insecure = false
+ log_level = "info"
+ error_reporting = true
+ #container_image = null
+ }
+ }
+}
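Review bot: `#container_image = null` inside the `kubernetes-outpost` config is commented-out code; either drop it or turn it into a note such as `# container_image: left unset on purpose to take the provider default` so the next reader knows the omission is deliberate. `name = "authentik Embedded Outpost"` on an outpost keyed `kubernetes-outpost` with `service_connection = "k8s-cluster"` reads like the built-in embedded outpost rather than a separately deployed one; if the intent is to adopt the embedded outpost a comment should say so, otherwise a name matching the key avoids confusion. `error_reporting = true` may ship outpost diagnostics to an external service — worth confirming that is wanted for an environment tagged `production`. The runs of two and three blank lines between the top-level blocks are inconsistent with the other tfvars files in this commit.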