ab/homelab
1
0
Fork 1
Code Pull Requests Actions Packages Wiki Activity

fmt
All checks were successful
Check with kubeconform / lint (push) Successful in 1m11s
Details

Browse Source
This commit is contained in:
AB from home.homenet
2025-09-16 00:28:54 +03:00
parent 7dde0d3f2a
commit d71935d063
5 changed files with 122 additions and 119 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
terraform/authentik/.terraform.lock.hcl generated
View File

@@ -3,9 +3,10 @@
provider "registry.terraform.io/goauthentik/authentik" {
version = "2025.8.1"
constraints = ">= 2023.10.0"
constraints = ">= 2023.10.0, 2025.8.1"
hashes = [
"h1:L3Fh0LyQ066laexCAeqLd+AVuSPDemwCmYgq1Bges6c=",
"h1:R3h8ADB0Kkv/aoY0AaHkBiX2/P4+GnW8sSgkN30kJfQ=",
"zh:0c3f1083fd48f20ed06959401ff1459fbb5d454d81c8175b5b6d321b308c0be3",
"zh:21c6d93f8d26e688da38a660d121b5624e3597c426c671289f31a17a9771abbf",
"zh:301b5763ffc4c5fe47aa7e851ce0b19f71bab4fae5c81003ad81b38775e85f78",
@@ -28,6 +29,7 @@ provider "registry.terraform.io/hashicorp/random" {
constraints = ">= 3.5.0"
hashes = [
"h1:0hcNr59VEJbhZYwuDE/ysmyTS0evkfcLarlni+zATPM=",
"h1:356j/3XnXEKr9nyicLUufzoF4Yr6hRy481KIxRVpK0c=",
"zh:14829603a32e4bc4d05062f059e545a91e27ff033756b48afbae6b3c835f508f",
"zh:1527fb07d9fea400d70e9e6eb4a2b918d5060d604749b6f1c361518e7da546dc",
"zh:1e86bcd7ebec85ba336b423ba1db046aeaa3c0e5f921039b3f1a6fc2f978feab",

136
terraform/authentik/main.tf
View File

@@ -25,7 +25,7 @@ resource "authentik_certificate_key_pair" "certificates" {
name = each.value.name
certificate_data = each.value.certificate_data
key_data = each.value.key_data
key_data = each.value.key_data
}
@@ -52,9 +52,9 @@ resource "authentik_property_mapping_provider_scope" "oidc_mappings" {
if v.oidc_scope != null
}
name = each.value.name
scope_name = each.value.oidc_scope
expression = each.value.expression
name = each.value.name
scope_name = each.value.oidc_scope
expression = each.value.expression
}
resource "authentik_property_mapping_provider_saml" "saml_mappings" {
@@ -70,55 +70,55 @@ resource "authentik_property_mapping_provider_saml" "saml_mappings" {
module "oauth_applications" {
source = "./modules/oauth-provider"
for_each = var.oauth_applications
name = each.value.name
app_name = each.value.name
app_slug = each.value.slug
app_group = each.value.group
client_id = each.value.client_id
authorization_flow = try(authentik_flow.flows[each.value.authorization_flow].id, data.authentik_flow.default_authorization_flow.id)
invalidation_flow = data.authentik_flow.default_invalidation_flow.id
redirect_uris = each.value.redirect_uris
client_type = each.value.client_type
app_name = each.value.name
app_slug = each.value.slug
app_group = each.value.group
client_id = each.value.client_id
authorization_flow = try(authentik_flow.flows[each.value.authorization_flow].id, data.authentik_flow.default_authorization_flow.id)
invalidation_flow = data.authentik_flow.default_invalidation_flow.id
redirect_uris = each.value.redirect_uris
client_type = each.value.client_type
include_claims_in_id_token = each.value.include_claims_in_id_token
access_code_validity = each.value.access_code_validity
access_token_validity = each.value.access_token_validity
refresh_token_validity = each.value.refresh_token_validity
property_mappings = each.value.property_mappings
signing_key = each.value.signing_key
policy_engine_mode = each.value.policy_engine_mode
meta_description = each.value.meta_description
meta_launch_url = each.value.meta_launch_url
meta_icon = each.value.meta_icon
access_code_validity = each.value.access_code_validity
access_token_validity = each.value.access_token_validity
refresh_token_validity = each.value.refresh_token_validity
property_mappings = each.value.property_mappings
signing_key = each.value.signing_key
policy_engine_mode = each.value.policy_engine_mode
meta_description = each.value.meta_description
meta_launch_url = each.value.meta_launch_url
meta_icon = each.value.meta_icon
}
module "proxy_applications" {
source = "./modules/proxy-provider"
for_each = var.proxy_applications
name = each.value.name
app_name = each.value.name
app_slug = each.value.slug
app_group = each.value.group
external_host = each.value.external_host
internal_host = each.value.internal_host
internal_host_ssl_validation = each.value.internal_host_ssl_validation
authorization_flow = try(authentik_flow.flows[each.value.authorization_flow].id, data.authentik_flow.default_authorization_flow.id)
invalidation_flow = data.authentik_flow.default_invalidation_flow.id
mode = each.value.mode
intercept_header_auth = each.value.intercept_header_auth
basic_auth_enabled = each.value.basic_auth_enabled
basic_auth_user_attribute = each.value.basic_auth_username_attribute
name = each.value.name
app_name = each.value.name
app_slug = each.value.slug
app_group = each.value.group
external_host = each.value.external_host
internal_host = each.value.internal_host
internal_host_ssl_validation = each.value.internal_host_ssl_validation
authorization_flow = try(authentik_flow.flows[each.value.authorization_flow].id, data.authentik_flow.default_authorization_flow.id)
invalidation_flow = data.authentik_flow.default_invalidation_flow.id
mode = each.value.mode
intercept_header_auth = each.value.intercept_header_auth
basic_auth_enabled = each.value.basic_auth_enabled
basic_auth_user_attribute = each.value.basic_auth_username_attribute
basic_auth_password_attribute = each.value.basic_auth_password_attribute
cookie_domain = each.value.cookie_domain
skip_path_regex = each.value.skip_path_regex
policy_engine_mode = each.value.policy_engine_mode
meta_description = each.value.meta_description
meta_launch_url = each.value.meta_launch_url
meta_icon = each.value.meta_icon
cookie_domain = each.value.cookie_domain
skip_path_regex = each.value.skip_path_regex
policy_engine_mode = each.value.policy_engine_mode
meta_description = each.value.meta_description
meta_launch_url = each.value.meta_launch_url
meta_icon = each.value.meta_icon
}
locals {
@@ -126,18 +126,18 @@ locals {
for app_key, app in var.oauth_applications : app_key => app.outpost
if app.outpost != null
}
proxy_outpost_assignments = {
for app_key, app in var.proxy_applications : app_key => app.outpost
if app.outpost != null
}
outpost_providers = {
for outpost_key, outpost in var.outposts : outpost_key => concat(
[for app_key, app_outpost in local.oauth_outpost_assignments :
module.oauth_applications[app_key].provider_id if app_outpost == outpost_key],
[for app_key, app_outpost in local.proxy_outpost_assignments :
module.proxy_applications[app_key].provider_id if app_outpost == outpost_key]
[for app_key, app_outpost in local.oauth_outpost_assignments :
module.oauth_applications[app_key].provider_id if app_outpost == outpost_key],
[for app_key, app_outpost in local.proxy_outpost_assignments :
module.proxy_applications[app_key].provider_id if app_outpost == outpost_key]
)
}
}
@@ -153,27 +153,27 @@ resource "authentik_outpost" "outposts" {
protocol_providers = local.outpost_providers[each.key]
service_connection = data.authentik_service_connection_kubernetes.local_k8s.id
config = jsonencode({
log_level = "info"
docker_labels = null
authentik_host = var.authentik_url
docker_network = null
container_image = null
docker_map_ports = true
refresh_interval = "minutes=5"
kubernetes_replicas = 1
kubernetes_namespace = "authentik"
authentik_host_browser = ""
object_naming_template = "ak-outpost-%(name)s"
authentik_host_insecure = false
kubernetes_json_patches = null
kubernetes_service_type = "ClusterIP"
kubernetes_image_pull_secrets = []
kubernetes_ingress_class_name = null
kubernetes_disabled_components = []
kubernetes_ingress_annotations = {}
kubernetes_ingress_secret_name = "authentik-outpost-tls"
log_level = "info"
docker_labels = null
authentik_host = var.authentik_url
docker_network = null
container_image = null
docker_map_ports = true
refresh_interval = "minutes=5"
kubernetes_replicas = 1
kubernetes_namespace = "authentik"
authentik_host_browser = ""
object_naming_template = "ak-outpost-%(name)s"
authentik_host_insecure = false
kubernetes_json_patches = null
kubernetes_service_type = "ClusterIP"
kubernetes_image_pull_secrets = []
kubernetes_ingress_class_name = null
kubernetes_disabled_components = []
kubernetes_ingress_annotations = {}
kubernetes_ingress_secret_name = "authentik-outpost-tls"
})
depends_on = [
module.oauth_applications,
module.proxy_applications

16
terraform/authentik/outputs.tf
View File

@@ -4,9 +4,9 @@ output "oauth_applications" {
for k, v in module.oauth_applications : k => {
application_id = v.application_id
application_uuid = v.application_uuid
client_id = v.client_id
client_secret = v.client_secret
slug = v.application_slug
client_id = v.client_id
client_secret = v.client_secret
slug = v.application_slug
}
}
sensitive = true
@@ -18,9 +18,9 @@ output "proxy_applications" {
for k, v in module.proxy_applications : k => {
application_id = v.application_id
application_uuid = v.application_uuid
external_host = v.external_host
internal_host = v.internal_host
slug = v.application_slug
external_host = v.external_host
internal_host = v.internal_host
slug = v.application_slug
}
}
}
@@ -61,8 +61,8 @@ output "certificates" {
description = "Certificates details"
value = {
for k, v in authentik_certificate_key_pair.certificates : k => {
id = v.id
name = v.name
id = v.id
name = v.name
fingerprint_sha256 = v.fingerprint_sha256
fingerprint_sha1 = v.fingerprint_sha1
}

2
terraform/authentik/providers.tf
View File

@@ -1,7 +1,7 @@
terraform {
required_providers {
authentik = {
source = "goauthentik/authentik"
source = "goauthentik/authentik"
version = "2025.8.1"
}
}

83
terraform/authentik/variables.tf
View File

@@ -1,24 +1,24 @@
variable "oauth_applications" {
description = "Map of OAuth2/OpenID applications"
type = map(object({
name = string
slug = string
group = optional(string, "")
policy_engine_mode = optional(string, "all")
meta_description = optional(string, "")
meta_launch_url = optional(string, "")
meta_icon = optional(string, "")
redirect_uris = list(string)
client_type = optional(string, "confidential")
client_id = optional(string, null)
name = string
slug = string
group = optional(string, "")
policy_engine_mode = optional(string, "all")
meta_description = optional(string, "")
meta_launch_url = optional(string, "")
meta_icon = optional(string, "")
redirect_uris = list(string)
client_type = optional(string, "confidential")
client_id = optional(string, null)
include_claims_in_id_token = optional(bool, true)
access_code_validity = optional(string, "minutes=1")
access_token_validity = optional(string, "minutes=5")
refresh_token_validity = optional(string, "days=30")
property_mappings = optional(list(string), [])
authorization_flow = optional(string, null)
signing_key = optional(string, null)
outpost = optional(string, null)
access_code_validity = optional(string, "minutes=1")
access_token_validity = optional(string, "minutes=5")
refresh_token_validity = optional(string, "days=30")
property_mappings = optional(list(string), [])
authorization_flow = optional(string, null)
signing_key = optional(string, null)
outpost = optional(string, null)
}))
default = {}
}
@@ -26,25 +26,25 @@ variable "oauth_applications" {
variable "proxy_applications" {
description = "Map of Proxy applications"
type = map(object({
name = string
slug = string
group = optional(string, "")
policy_engine_mode = optional(string, "all")
meta_description = optional(string, "")
meta_launch_url = optional(string, "")
meta_icon = optional(string, "")
external_host = string
internal_host = optional(string, "")
internal_host_ssl_validation = optional(bool, true)
mode = optional(string, "proxy")
intercept_header_auth = optional(bool, false)
basic_auth_enabled = optional(bool, false)
name = string
slug = string
group = optional(string, "")
policy_engine_mode = optional(string, "all")
meta_description = optional(string, "")
meta_launch_url = optional(string, "")
meta_icon = optional(string, "")
external_host = string
internal_host = optional(string, "")
internal_host_ssl_validation = optional(bool, true)
mode = optional(string, "proxy")
intercept_header_auth = optional(bool, false)
basic_auth_enabled = optional(bool, false)
basic_auth_username_attribute = optional(string, "")
basic_auth_password_attribute = optional(string, "")
cookie_domain = optional(string, "")
authorization_flow = optional(string, null)
skip_path_regex = optional(string, "")
outpost = optional(string, null)
cookie_domain = optional(string, "")
authorization_flow = optional(string, null)
skip_path_regex = optional(string, "")
outpost = optional(string, null)
}))
default = {}
}
@@ -76,10 +76,10 @@ variable "flows" {
variable "groups" {
description = "Map of user groups"
type = map(object({
name = string
name = string
is_superuser = optional(bool, false)
parent = optional(string, null)
attributes = optional(map(any), {})
parent = optional(string, null)
attributes = optional(map(any), {})
}))
default = {}
}
@@ -87,8 +87,8 @@ variable "groups" {
variable "certificates" {
description = "Map of certificates for HTTPS"
type = map(object({
name = string
certificate_data = string
name = string
certificate_data = string
key_data = string
managed = optional(string, null)
}))
@@ -114,7 +114,7 @@ variable "default_authorization_flow" {
}
variable "default_authentication_flow" {
description = "Default authentication flow slug"
description = "Default authentication flow slug"
type = string
default = "default-authentication-flow"
}
@@ -134,4 +134,5 @@ variable "tags" {
variable "authentik_url" {
description = "Authentik URL"
type = string
}
default = "https://idm.hexor.cy"
}