infrastructure/modules/services/authentik.tf

data "authentik_flow" "default_authorization_flow" {
  slug = "default-provider-authorization-implicit-consent"
}

data "authentik_certificate_key_pair" "ecdsa" {
  name = "auth.serguzim.me"
}

data "authentik_certificate_key_pair" "rsa" {
  name = "authentik Self-signed Certificate"
}

data "authentik_property_mapping_provider_scope" "default_scopes" {
  managed_list = [
    "goauthentik.io/providers/oauth2/scope-email",
    "goauthentik.io/providers/oauth2/scope-openid",
    "goauthentik.io/providers/oauth2/scope-profile"
  ]
}

resource "authentik_user" "default" {
  username = "serguzim"
  name     = "Tobias Reisinger"
  email    = "tobias@msrg.cc"
}

resource "authentik_property_mapping_provider_scope" "minio" {
  name       = "minio"
  scope_name = "minio"
  expression = <<EOF
if ak_is_group_member(request.user, name="${authentik_group.minio_admins.name}"):
  return {
      "minio_policy": "consoleAdmin",
}
elif ak_is_group_member(request.user, name="${authentik_group.minio_users.name}"):
  return {
      "minio_policy": "readonly"
}
return None
EOF
}

resource "authentik_group" "minio_admins" {
  name         = "Minio admins"
  users        = [authentik_user.default.id]
}

resource "authentik_group" "minio_users" {
  name         = "Minio users"
  users        = []
}


resource "authentik_provider_oauth2" "service_providers" {
  for_each           = local.services_auth
  name               = each.key
  client_type        = "confidential"
  client_id          = each.key
  authorization_flow = data.authentik_flow.default_authorization_flow.id
  redirect_uris      = each.value.auth_redirects
  property_mappings  = flatten([
      data.authentik_property_mapping_provider_scope.default_scopes.ids,
      each.key == "minio" ? [authentik_property_mapping_provider_scope.minio.id] : []
  ])
  signing_key        = (each.value.auth_cert == "rsa" ?
      data.authentik_certificate_key_pair.rsa.id :
      data.authentik_certificate_key_pair.ecdsa.id)
}

resource "authentik_application" "service_applications" {
  for_each          = local.services_auth
  name              = each.key
  slug              = replace(each.value.dns[0].domain, ".", "-")
  protocol_provider = authentik_provider_oauth2.service_providers[each.key].id
}
Add authentik to opentofu 2024-09-28 12:14:09 +00:00			`data "authentik_flow" "default_authorization_flow" {`
			`slug = "default-provider-authorization-implicit-consent"`
			`}`

Fix authentik config 2024-10-09 00:29:08 +00:00			`data "authentik_certificate_key_pair" "ecdsa" {`
Add vikunja opentofu stuff and fix some issues 2024-09-28 19:26:13 +00:00			`name = "auth.serguzim.me"`
			`}`

Fix authentik config 2024-10-09 00:29:08 +00:00			`data "authentik_certificate_key_pair" "rsa" {`
			`name = "authentik Self-signed Certificate"`
			`}`

Add authentik to opentofu 2024-09-28 12:14:09 +00:00			`data "authentik_property_mapping_provider_scope" "default_scopes" {`
			`managed_list = [`
			`"goauthentik.io/providers/oauth2/scope-email",`
			`"goauthentik.io/providers/oauth2/scope-openid",`
			`"goauthentik.io/providers/oauth2/scope-profile"`
			`]`
			`}`

Add minio to authentik 2024-10-08 23:33:24 +00:00			`resource "authentik_user" "default" {`
			`username = "serguzim"`
			`name = "Tobias Reisinger"`
			`email = "tobias@msrg.cc"`
			`}`

			`resource "authentik_property_mapping_provider_scope" "minio" {`
			`name = "minio"`
			`scope_name = "minio"`
			`expression = <<EOF`
			`if ak_is_group_member(request.user, name="${authentik_group.minio_admins.name}"):`
			`return {`
			`"minio_policy": "consoleAdmin",`
			`}`
			`elif ak_is_group_member(request.user, name="${authentik_group.minio_users.name}"):`
			`return {`
			`"minio_policy": "readonly"`
			`}`
			`return None`
			`EOF`
			`}`

			`resource "authentik_group" "minio_admins" {`
			`name = "Minio admins"`
			`users = [authentik_user.default.id]`
			`}`

			`resource "authentik_group" "minio_users" {`
			`name = "Minio users"`
			`users = []`
			`}`


Add authentik to opentofu 2024-09-28 12:14:09 +00:00			`resource "authentik_provider_oauth2" "service_providers" {`
Refactor output 2024-09-28 16:24:07 +00:00			`for_each = local.services_auth`
Refactor all_services to remove name attribute 2024-10-22 16:29:03 +00:00			`name = each.key`
Add authentik to opentofu 2024-09-28 12:14:09 +00:00			`client_type = "confidential"`
Refactor all_services to remove name attribute 2024-10-22 16:29:03 +00:00			`client_id = each.key`
Add authentik to opentofu 2024-09-28 12:14:09 +00:00			`authorization_flow = data.authentik_flow.default_authorization_flow.id`
			`redirect_uris = each.value.auth_redirects`
Add minio to authentik 2024-10-08 23:33:24 +00:00			`property_mappings = flatten([`
			`data.authentik_property_mapping_provider_scope.default_scopes.ids,`
			`each.key == "minio" ? [authentik_property_mapping_provider_scope.minio.id] : []`
			`])`
Fix authentik config 2024-10-09 00:29:08 +00:00			`signing_key = (each.value.auth_cert == "rsa" ?`
			`data.authentik_certificate_key_pair.rsa.id :`
			`data.authentik_certificate_key_pair.ecdsa.id)`
Add authentik to opentofu 2024-09-28 12:14:09 +00:00			`}`

			`resource "authentik_application" "service_applications" {`
Refactor output 2024-09-28 16:24:07 +00:00			`for_each = local.services_auth`
Refactor all_services to remove name attribute 2024-10-22 16:29:03 +00:00			`name = each.key`
Refactor "dns" to remove target-domain split 2024-10-18 22:19:23 +00:00			`slug = replace(each.value.dns[0].domain, ".", "-")`
Add authentik to opentofu 2024-09-28 12:14:09 +00:00			`protocol_provider = authentik_provider_oauth2.service_providers[each.key].id`
			`}`