ab/homelab
1
0
Fork 1
Code Pull Requests Actions Packages Wiki Activity

Added Authentik TF code
Some checks failed
Terraform / Terraform (push) Has been cancelled
Details
Check with kubeconform / lint (push) Has been cancelled
Details

Browse Source
This commit is contained in:
AB from home.homenet
2025-09-16 15:35:29 +03:00
parent e516f95f77
commit a8c089d9ec
5 changed files with 367 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
terraform/authentik/groups.tfvars Normal file
View File

@@ -0,0 +1,10 @@
groups = {
"admins" = {
name = "Administrators"
is_superuser = true
attributes = {
notes = "Managed by Terraform"
}
}
}

128
terraform/authentik/oauth2-apps.tfvars Normal file
View File

@@ -0,0 +1,128 @@
oauth_applications = {
"paperless" = {
name = "Paperless-NGX"
slug = "paperless"
group = "Tools"
meta_description = "Document management system"
meta_icon = "https://img.icons8.com/fluency/48/documents.png"
redirect_uris = ["https://docs.hexor.cy/accounts/oidc/authentik/login/callback/"]
client_type = "confidential"
include_claims_in_id_token = true
access_code_validity = "minutes=1"
access_token_validity = "minutes=5"
refresh_token_validity = "days=30"
scope_mappings = ["openid", "profile", "email"]
create_group = true
access_groups = ["admins"]
}
"gitea" = {
name = "Gitea"
slug = "gitea"
group = "Tools"
meta_description = "Git repository hosting"
meta_icon = "https://img.icons8.com/?size=100&id=20906&format=png&color=000000"
redirect_uris = ["https://gt.hexor.cy/user/oauth2/Authentik/callback"]
client_type = "confidential"
include_claims_in_id_token = true
access_code_validity = "minutes=1"
access_token_validity = "minutes=10"
refresh_token_validity = "days=30"
scope_mappings = ["openid", "profile", "email"]
access_groups = ["admins"]
}
"jellyfin" = {
name = "Jellyfin"
slug = "jellyfin"
group = "Media and Storage"
meta_description = "Media streaming server"
meta_icon = "https://img.icons8.com/plasticine/100/jellyfin.png"
redirect_uris = [
"https://jf.hexor.cy/sso/OID/r/authentik",
"https://jf.hexor.cy/sso/OID/redirect/authentik"
]
client_type = "confidential"
include_claims_in_id_token = true
access_code_validity = "minutes=1"
access_token_validity = "minutes=10"
refresh_token_validity = "days=30"
scope_mappings = ["openid", "profile", "email"]
access_groups = ["admins"]
}
"argocd" = {
name = "ArgoCD"
slug = "argocd"
group = "Core"
meta_description = "GitOps deployment tool"
meta_icon = "https://img.icons8.com/color-glass/48/octopus.png"
redirect_uris = ["https://ag.hexor.cy/auth/callback"]
client_type = "confidential"
include_claims_in_id_token = true
access_code_validity = "minutes=1"
access_token_validity = "minutes=5"
refresh_token_validity = "days=30"
scope_mappings = ["openid", "profile", "email"]
signing_key = "1b1b5bec-034a-4d96-871a-133f11322360"
access_groups = ["admins"]
}
"grafana" = {
name = "Grafana"
slug = "grafana"
group = "Core"
meta_description = "Monitoring and observability"
meta_icon = "https://img.icons8.com/fluency/48/grafana.png"
redirect_uris = ["https://gf.hexor.cy/login/generic_oauth"]
client_type = "confidential"
include_claims_in_id_token = true
access_code_validity = "minutes=1"
access_token_validity = "minutes=5"
refresh_token_validity = "days=30"
scope_mappings = ["openid", "profile", "email"]
access_groups = ["admins"]
}
"immich" = {
name = "Immich"
slug = "immich"
group = "Media and Storage"
meta_description = "Photo and video management"
meta_icon = "https://img.icons8.com/fluency/48/photos.png"
redirect_uris = [
"https://photos.hexor.cy/auth/login",
"https://photos.hexor.cy/user-settings",
"app.immich:///oauth-callback",
"http://photos.homenet:30283/auth/login",
"http://photos.homenet:30283/user-settings"
]
client_type = "confidential"
include_claims_in_id_token = true
access_code_validity = "minutes=1"
access_token_validity = "minutes=5"
refresh_token_validity = "days=30"
scope_mappings = ["openid", "profile", "email"]
signing_key = "1b1b5bec-034a-4d96-871a-133f11322360"
access_groups = ["admins"]
create_group = true
}
"pgadmin" = {
name = "Postgres WEB Admin"
slug = "pgadmin"
group = "Core"
meta_description = "PostgreSQL WEB administration"
meta_icon = "https://img.icons8.com/?size=100&id=JRnxU7ZWP4mi&format=png&color=000000"
redirect_uris = ["https://pg.hexor.cy/oauth2/authorize"]
client_type = "confidential"
include_claims_in_id_token = true
access_code_validity = "minutes=1"
access_token_validity = "minutes=5"
refresh_token_validity = "days=30"
scope_mappings = ["openid", "profile", "email"]
access_groups = ["admins"]
signing_key = "1b1b5bec-034a-4d96-871a-133f11322360"
}
}

201
terraform/authentik/proxy-apps.tfvars Normal file
View File

@@ -0,0 +1,201 @@
proxy_applications = {
"k8s-dashboard" = {
name = "K8S dashboard"
slug = "k8s-dashboard-ns"
group = "Core"
external_host = "https://k8s.hexor.cy"
internal_host = "http://kubernetes-dashboard.kubernetes-dashboard.svc"
internal_host_ssl_validation = false
meta_description = "K8S dashboard chart"
mode = "proxy"
outpost = "kubernetes-outpost"
meta_icon = "https://img.icons8.com/color/48/kubernetes.png"
create_group = true
access_groups = ["admins"]
}
"filemanager" = {
name = "FM filemanager"
slug = "fm-filemanager"
group = "Core"
external_host = "https://fm.hexor.cy"
internal_host = "http://fb-filemanager-filebrowser.syncthing.svc"
internal_host_ssl_validation = false
meta_description = "K8S dashboard chart"
mode = "proxy"
outpost = "kubernetes-outpost"
meta_icon = "https://img.icons8.com/external-anggara-flat-anggara-putra/32/external-folder-basic-user-interface-anggara-flat-anggara-putra.png"
create_group = true
access_groups = ["admins"]
}
"prometheus" = {
name = "Prometheus"
slug = "prometheus"
group = "Core"
external_host = "https://prom.hexor.cy"
internal_host = "http://prometheus-kube-prometheus-prometheus.prometheus.svc:9090"
meta_description = ""
meta_icon = "https://img.icons8.com/fluency/48/prometheus-app.png"
mode = "proxy"
outpost = "kubernetes-outpost"
internal_host_ssl_validation = false
create_group = true
access_groups = ["admins"]
}
"kubernetes-secrets" = {
name = "kubernetes-secrets"
slug = "k8s-secret"
group = "Core"
external_host = "https://pass.hexor.cy"
internal_host = "http://secret-reader.k8s-secret.svc:80"
internal_host_ssl_validation = false
meta_description = ""
meta_icon = "https://img.icons8.com/ios-filled/50/password.png"
mode = "proxy"
outpost = "kubernetes-outpost"
create_group = true
access_groups = ["admins"]
}
# Tools applications
"vpn" = {
name = "VPN"
slug = "vpn"
group = "Tools"
external_host = "https://of.hexor.cy"
internal_host = "http://outfleet.vpn.svc"
internal_host_ssl_validation = false
meta_description = ""
skip_path_regex = <<-EOT
/u/
/stat/
/ss/
/xray/
EOT
meta_icon = "https://img.icons8.com/?size=100&id=fqAD3lAB6zTe&format=png&color=000000"
mode = "proxy"
outpost = "kubernetes-outpost"
create_group = true
access_groups = ["admins"]
}
"qbittorrent" = {
name = "qBittorent"
slug = "qbittorent"
group = "Tools"
external_host = "https://qbt.hexor.cy"
internal_host = "http://qbittorrent.jellyfin.svc"
internal_host_ssl_validation = false
meta_description = ""
meta_icon = "https://img.icons8.com/nolan/64/qbittorrent--v2.png"
mode = "proxy"
outpost = "kubernetes-outpost"
create_group = true
access_groups = ["admins"]
}
# Media and Storage applications
"kopia" = {
name = "Kopia"
slug = "kopia"
group = "Media and Storage"
external_host = "https://backup.hexor.cy"
internal_host = "http://100.72.135.2:51515"
internal_host_ssl_validation = false
meta_description = ""
meta_icon = "https://img.icons8.com/external-flaticons-lineal-color-flat-icons/64/external-backup-productivity-flaticons-lineal-color-flat-icons.png"
mode = "proxy"
outpost = "kubernetes-outpost"
create_group = true
access_groups = ["admins"]
}
"syncthing-master" = {
name = "Syncthing-master"
slug = "syncthing-master"
group = "Media and Storage"
external_host = "https://ss.hexor.cy"
internal_host = "https://syncthing-master.syncthing.svc:8384"
internal_host_ssl_validation = false
meta_description = ""
meta_icon = "https://img.icons8.com/?size=100&id=Id4NcEcXcYzF&format=png&color=000000"
mode = "proxy"
outpost = "kubernetes-outpost"
create_group = true
access_groups = ["admins"]
}
"syncthing-khv" = {
name = "Syncthing-khv"
slug = "syncthing-khv"
group = "Media and Storage"
external_host = "https://ss-khv.hexor.cy"
internal_host = "https://syncthing-khv.syncthing.svc:8384"
internal_host_ssl_validation = false
meta_description = ""
meta_icon = "https://img.icons8.com/?size=100&id=Id4NcEcXcYzF&format=png&color=000000"
mode = "proxy"
outpost = "kubernetes-outpost"
create_group = true
access_groups = ["admins"]
}
"truenas" = {
name = "TrueNAS"
slug = "truenas-proxy"
group = "Media and Storage"
external_host = "https://nas.hexor.cy"
internal_host = "http://10.0.5.107:81"
internal_host_ssl_validation = false
meta_description = ""
meta_icon = "https://img.icons8.com/dusk/64/nas.png"
mode = "proxy"
outpost = "kubernetes-outpost"
create_group = true
access_groups = ["admins"]
}
"hexound" = {
name = "Hexound"
slug = "hexound"
group = "Media and Storage"
external_host = "https://hexound.hexor.cy"
internal_host = "http://hexound.hexound.svc:80"
internal_host_ssl_validation = false
meta_description = ""
meta_icon = "https://img.icons8.com/fluency/48/audio-wave.png"
mode = "proxy"
outpost = "kubernetes-outpost"
}
"khm" = {
name = "KHM"
slug = "khm"
group = "Media and Storage"
external_host = "https://khm.hexor.cy"
internal_host = "http://khm.khm.svc:8080"
internal_host_ssl_validation = false
meta_description = ""
meta_icon = "https://img.icons8.com/liquid-glass/48/key.png"
mode = "proxy"
outpost = "kubernetes-outpost"
access_groups = ["admins", "khm"] # Используем существующие группы
create_group = true
access_groups = ["admins"]
}
"minecraft" = {
name = "Minecraft"
slug = "minecraft"
group = "Media and Storage"
external_host = "https://minecraft.hexor.cy"
internal_host = "http://minecraft-dynmap.minecraft.svc"
internal_host_ssl_validation = false
meta_description = ""
meta_icon = "https://img.icons8.com/color/48/minecraft-grass-cube.png"
mode = "proxy"
outpost = "kubernetes-outpost"
}
}

28
terraform/authentik/terraform.tfvars Normal file
View File

@@ -0,0 +1,28 @@
authentik_url = "https://idm.hexor.cy"
flows = {
}
tags = {
environment = "production"
managed_by = "terraform"
project = "homelab"
}
outposts = {
"kubernetes-outpost" = {
name = "authentik Embedded Outpost"
type = "proxy"
service_connection = "k8s-cluster"
config = {
authentik_host = "https://idm.hexor.cy"
authentik_host_insecure = false
log_level = "info"
error_reporting = true
#container_image = null
}
}
}