From 01ee9d4b447604fc4c97d3e7320149b3e3c29ffc Mon Sep 17 00:00:00 2001 From: Tobias Reisinger Date: Sat, 28 Sep 2024 14:14:09 +0200 Subject: [PATCH] Add authentik to opentofu --- .terraform.lock.hcl | 158 +++++++++++++++++++-------------- authentik.tf | 28 ++++++ hosts.auto.tfvars | 14 +-- main.tf | 24 +++-- output.tf | 11 +++ roles/authentik/vars/main.yml | 2 +- roles/linkwarden/vars/main.yml | 6 +- services.auto.tfvars | 13 +++ variables.tf | 12 +++ 9 files changed, 184 insertions(+), 84 deletions(-) create mode 100644 authentik.tf diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl index bf938bd..f22b4ee 100644 --- a/.terraform.lock.hcl +++ b/.terraform.lock.hcl 
@@ -23,6 +23,28 @@ provider "registry.opentofu.org/cyrilgdn/postgresql" { ] } +provider "registry.opentofu.org/goauthentik/authentik" { + version = "2024.8.4" + constraints = "~> 2024.8.0" + hashes = [ + "h1:bZS9RwjEc1FlLFMidiCzyUrFTC7VONufHBDgGjAtSWs=", + "zh:13040879209e226ba73dd3492849301f5d6233098decf4789dde4e75a7db00a3", + "zh:21e5b1403749e4577c85efe1e1ffbc7f70f910c9b025a66ee36d6d9e7a26834d", + "zh:3290e95ff74aa269031df2d9604526c977826d76c4c1c03b61c61d4767775f44", + "zh:5648de4e32e83f1162844dfae55c2c2ff23eb1b0ae0c6a251a38917d6c7407f0", + "zh:5a12f804038d3d84819954fe7666b84aa24bc2284682e5732302c0811401faa3", + "zh:6b61eaad598256beb677f170fcb63c2f56c8a9e2a8f6516c98802fab0009807d", + "zh:8071892662952c013bdee898a4f5dc4116c18e7e2fbcb0fa96afdf56e78a582f", + "zh:94aead29a3fb563c84eca7275a88f7b49e14f6bc7344cc06c766fdf638098d6d", + "zh:96ad4fddd7c4ff84f6c18e7106a7565c545e545ac8b8419f2c76216760e1a35a", + "zh:c5105037a5d9f0be8fd6a3ecbf08928e26acd3af587dbeb099a328c994cef6f6", + "zh:c69b47759a0b831270ba074002078ebf375da712f8c306053b880946cb80ae14", + "zh:cb76e7fcdffa73055670f2ecf88286353a3d70a9cc3528e77217ea00465a32c2", + "zh:d95b39d122b61c833e234b3fdf423495685cb20456efd761fdcbafc3817248e1", + "zh:fc1a55ce2f8f7872f6911afd68d5f76472ba247a2ad2d739010d15add2c7e268", + ] +} + provider "registry.opentofu.org/hashicorp/random" { version = "3.6.3" hashes = [ 
@@ -70,89 +92,89 @@ provider "registry.opentofu.org/hashicorp/time" { } provider "registry.opentofu.org/hetznercloud/hcloud" { - version = "1.48.1" - constraints = "~> 1.45" + version = "1.45.0" + constraints = "~> 1.45.0" hashes = [ - "h1:fa9fxdSV9DG+HDcXyRbcGfb6Dk94SBP3TamHb1yOYiI=", - "zh:086cce10cb005f25f85183c59e639d6675e91e919934c80f660ca1cc4b9bc09b", - "zh:111d185707168b90c7ed3d245b522b2bd508f0bd4275496a1acdc9c0adaa85f2", - "zh:1acba3f30150282d283c46cd7ce25e9afb8b027fd2f594d41de9131d25a42b27", - "zh:1f8858aa81f93d52550502a11c7ea4e9370316ab098f6b75a09ffe75da6129ee", - "zh:20e01e6e6f99f57b3c1ef2a9de5d617c0139d3f3934eeb5e6c5976ae8b831a48", - "zh:2a8489a586a7bdadc42bbc9e3cb7b9deaefdf8020e3f2caba2678877d5d64d52", - "zh:31d8017529b0429bc9e873ec5d358ab9b75af2ba0ae24f21abcd4d09f36b7ee9", - "zh:407b4d7f1407e7e4a51b6f4dcdb0c7fbf81f2f1e25a7275f34054009419125a2", - "zh:42cf7cf867d199054713d4e6060e4b578eff16f0f537e9aaa5fd990c3eab8bc6", - "zh:460ac856ff952c5d41525949b93cfb7ee642f900594eff965494f11999d7496b", - "zh:d09e527d23f62564c82bc24e286cf2cb8cb0ed6cdc6f4c66adf2145cfa62adac", - "zh:d465356710444ac70dea4883252efc429b73e79fc6dc94f075662b838476680e", - "zh:d476c8eca307e30a20eed54c0735b062a6f3066b4ac63eebecd38ab8f40c16f4", - "zh:e0e9b2f6d5e28dbd01fa1ec3147aa88062d6223c5146532a3dcd1d3bb827e1e9", + "h1:BEE0B6hv1ZAmTLIO12uqIm7s3oSjmGzZLm6OzudlxAw=", + "zh:1c4b44a698cfaca215bdbadaf92669dd23533210c3cbf32895fbf4ff7acf6c24", + "zh:2915f8385559694e5097d8d0df16358200e9f0d9efb80559e9ea0bd072d792b9", + "zh:3a6b37b0bba50d263bd3dba26185bde13c825e59b6b301ab3f9f45686a21456b", + "zh:3e3910fa22a3a8d73d1aed38cc479c3e1958e9168b5f4a7d0da6cf03c2dfc155", + "zh:3f8d7d09e5c93162a1e9e6c89acac0799fb55765b44b7d1d020763c814263c57", + "zh:40bc5e94bff495440e1b4f797165d7f0dcee2282a86a61b158f47fe4bc57e9fb", + "zh:473f51d464b897d0e8e3d5ca2eb175b37e2f7ce03c8b26f47cc35885cf620946", + "zh:6fdd4bf71c19cfad78d7e1d2336be873eb8567a139d53e672e78ebcbc36a4d7d", + 
"zh:9e08638cbfc90d69f1c21ee34191db077d58d040cf7a9eed07a1dc335d463e97", + "zh:b1ed5ea81bc6d2c88efdefaeb244322874508d90d8217ac2e3541445254bdadc", + "zh:ced05776c27d550d15d4a71360243740ecb4ea1e65e67229fb2273a27353b00c", + "zh:da79b8a1a982a1d365ea206a2654e8b5003aeba9ccdc9c8751bb6ee3f40d8c49", + "zh:fabbad25bab09dd74f2b819992ab99b939c642374d6ca080b18d6e2a91d8d487", + "zh:fb0e083d2925f289999dc561ef1c2f84a9e0ab11388c40162ca8b470f50f71f5", ] } provider "registry.opentofu.org/ovh/ovh" { - version = "0.50.0" - constraints = "~> 0.48" + version = "0.48.0" + constraints = "~> 0.48.0" hashes = [ - "h1:HKkJ0TdXphZb503dGYyOj4mXy9HPSSgXhf0yFmsRyxo=", - "zh:1c88525ece36dc8878567301fb245422d10a788a7545fff918c7b96828d2efd1", - "zh:311f5f3103ff0f5baab886e338de443e28d40557664c54697a21f2c091c0c673", - "zh:37a1dc197d9fc68cc1c90b8ef77411797c4bc494b528ad4880e6ee4185f1eddb", - "zh:6f61600d81b4c5c0a016d58c2dae7ca4bfaef28481abc12797bc7e90f9c7d3f8", - "zh:7eb791886e01bbbbcff93d9fedbc2d4d78852bfcf9d2aba188aa5032f45008dc", - "zh:87d53dcf87466ec341c3cc41b619e8829faa4805e06491ccd4d7e1945cb78664", - "zh:8b017819ea1d0cf2ca78de6b2d935b71a23e13030f5b2c2a2afe65122ec354d3", - "zh:8ddc5f0f50c551c78aabf5521e4418badb71e77c6103f8da85f1862eb620cc39", - "zh:91dbd9069b803582618e442f648d8a72f1e28ecf4c45c539d1b67f4acc601498", - "zh:c4b4f626adfb81179b9e4a61f1df08f26c581a6da093f958620abafa308c572e", - "zh:d836cd3127f93acf27c7bfd7b020f27cab977ff5e52f6c0403ab9eb54dcf9da4", - "zh:deb1b6352c5b6d3c210091587fbfab93453fcb5aaa761a02d61c03ab4d56637f", - "zh:e53cf3cb629bb0701bd54d9dcbd4253d6f001923f355e891b5776f7fa63f56ee", - "zh:f2026e2dacb00bc0571127a6435837943281b1e085fad2b11356db78c9a863c0", + "h1:dOwImR7DGX4FHt9IpY6S7z8z62fyhTOiLm0kgSA+MfE=", + "zh:64ae6a94f86115d6a0cf54e62de16f3751f2f511c7c133a58734b623ecd83133", + "zh:808c0dfc35f0cdde84fff2b772ef52aef57363e2f496ae8e5b5d191ae2482db3", + "zh:91427314fe73ee5bb3cc0fdcc88c15416709ff049751573674cb56a17ebf137f", + 
"zh:97a60491d8a50900c83365ab86343f59ae39a6a8d0ecbf2229be389143c584af", + "zh:a2be10afc172ea844706217143b003c21dd502fcfe429fa61f5cebdbd2c38c55", + "zh:a6e0e5978a6b1247a110e1bf2461771e3bf1b3c974cc83b56ae3255cdc5123d3", + "zh:b6cac2ddd451cb783faab09ec90a54be222a2bc9ef59eaaec309980b46a8650c", + "zh:d767fc3a8c992fa01be52a86ba92204d5ac7ea238a2ebce5e313eaf56e4ae3ac", + "zh:ed2f82995fbe92d7a750a9560cb325d6dbee1b031898dba4ab74447c6043c878", + "zh:ef20c721c5349f03106aa3514752b1df3583ce96a0e704a4b45d9b4b455ca57b", + "zh:f33f42bca65d40097033f0e64e45ad113107804be2198a2279d5561bb1122b34", + "zh:f922c6d3d73f8c252beb91dc9f97eb96643781ad3e7192018be47d4df2e4d0e3", + "zh:f93577ad688f449c03c4087a19cea3cc37bc30c94519eee4710323099bf501ad", + "zh:ff33c4b2543030a82935551631d209df87adf981b4661a4ab60406e704fe7485", ] } provider "registry.opentofu.org/scaleway/scaleway" { - version = "2.45.0" - constraints = "~> 2.43" + version = "2.43.0" + constraints = "~> 2.43.0" hashes = [ - "h1:TUNrkoCHyGUJrmpOjg+Wfyf8IYe/6X6D2yu11Vi9UoM=", - "zh:11dc4916523a65acf06555816ed09a5d5267477b8c005c48f91ed036a1e8d93a", - "zh:20f8ee896d88ea85b89fb73311341a90ffe6c8c3211e5b710c7c8daa977d6156", - "zh:2d9a0dd05c34d36469625b139b8089b8dd9f93b92d18e3af24aaf6f37620c727", - "zh:3d0e1a19edbf707d488e3f35b1d6fdd1922cd1a376ff78314d4f06fd63666840", - "zh:676872e1613714e9f7d619eae23c33a96b423d27d378a2b935e773d9c6f79edf", - "zh:87b038b2e7d51c50469fa95dcd8a1a8c21fcc1decd75a49b6367fc80a1ac5809", - "zh:97bd93434231540cad2516e33e5f90edc9d2bd3d4eaabaefbdd76117004f7283", - "zh:a2c4ee0b8a81c61714d52449aeb92c8fae2d002b93865a355f72f18072171e8b", - "zh:a55372fc3470c493fa053d404f3332d2ffba3a70696b3926ac2fcc8852b6055a", - "zh:c0c413943a14a7a2cb277b12e6a70f4647e3ad34abc6fe7368c726ba3d2b31ff", - "zh:c0e0779ccc8233a8efa1ae0d9d3f23becc1ef6cdff00ca083282939e3d639631", - "zh:d40e4a9acd839589ad01ebed256b19725f31b4308681e11ea4a22ed0285963ee", - "zh:de1a592889747125dc739f4b1dfb20f848ffcc10a0c25272f8f2fd90b435940e", - 
"zh:fa200b7e1e24d63d5d4eb4ff4e44c00a6f7cfb883ce1eee98eb74a539f91774d", + "h1:adTVxpdKkSUVDasMWHrNqoSRDD6ztSVXONOEhnmIkyY=", + "zh:019b1d05013bed2ac7687d64ff51a5b150cefacaef4cc752d677cdb0c06b07a0", + "zh:0fc7a5e0178774945ca8135585ea51d755da66a2083e88e87b522efa058ac556", + "zh:295ee6f2b45deb01b0961d189110ad704b3634026d7d3ace424dba7a51623cf1", + "zh:526ef9b9a5678ab61537ba021f2421b8d11d893e3fdfcef15c720d309631ede0", + "zh:6624284c6424fe07c9cfd09204174c44716d26ed8b48d2d13ceaa937c3eb0b8a", + "zh:6ccc51561986facc7f8b25e148fa6b528afb04b65a8df7afba73fe65cf6c2f04", + "zh:790b74d9d85c8596fe5974cfb59740508668fb65c6dea04f08f769c08c917446", + "zh:9b58cd255511124458b03dac23e2db2625c8f2ef3148ea3ca10a514511233416", + "zh:b339ad67e9a7bbe02382d1c48b633e1a3da0c3c245093a50a86fedf33548339c", + "zh:cee426f008289568f20297775d689734fd674a03c2c9b9691fb38f94c4c0ab34", + "zh:e3f0e06190767aff4a2d7242a865f7ac2963eb59a00d86b2a8359911e2d514d1", + "zh:ef958ad54d4e6cd4d76a5fbe86a051fb411998a27cb1cf7229c05463d0ad535e", + "zh:f8608db4e7e7156c4f7f7205e8b3a2095a49e115402257323d0180a8bafc2d2e", + "zh:f88ce1874d5f2faa06c81bc1666ecf8ec1cc3dd7ffe68688c17ae8a2f30692e4", ] } provider "registry.opentofu.org/tailscale/tailscale" { - version = "0.17.1" - constraints = "~> 0.16" + version = "0.16.2" + constraints = "~> 0.16.0" hashes = [ - "h1:yUzwRZxbCa0QDkn1VSYriZpC02tHaa5X05pxp/K2Sao=", - "zh:1823fbc277875863d7f7fd198b1636a3e213fff523c6882d5d7aaf83a745872e", - "zh:2a9a21fba0acbe44cd6b78ce8b49fba2e650576675818255cd1abf3c0493d448", - "zh:382450ba8918c1738b60a736fe2e37e845242fac7bf85c4936b135061864eaba", - "zh:413226903d4d924eb005505a2e06c11186185466d0d7741d67d154f3a4c49b41", - "zh:43e9fbb4f43df7c169651a07bdf56cdf10f315f25b5ca428d7f8325d236b77a7", - "zh:6a47fccb7d7248f42e36860aeb9c4b109bba9a0fe702cfb13ec88bc2babaccbf", - "zh:834308305b0ff8355a37869338f60ac072dad1bf0856964dd29f5b4542e1f41b", - "zh:859199d820fd66da7d4f6b30fd4b828952f5f318f37b8bacf80f5668b769c162", - 
"zh:89894383c69a6dd242faff79218850249d75673f736ceb212b26e13bc0950640", - "zh:8ab2011df75200dff2e9cb885de28ba00bc5141c9de7cad609cf12d39735a819", - "zh:90df5ea74438217ed981af32fb061fabc71b14cfd4bb1fbf5c830036152c6253", - "zh:b56875c717c155db6da4c54b9a242b087f1a4fcb31b84758902e072805159a07", - "zh:d1c328adab27ac8ef0afb97a518f4db4a1f5f916ba93927ecd3fca7e72023517", - "zh:e62555f5a1fb59141db198a22bc29c01eff1a781a1ea207107997a5e42ade45b", + "h1:m8r5+K4JWe+tdT4IyryZkAQ7d38GVPtoQ9mzp+5Scaw=", + "zh:2a37ef43b88ad8e26ecad79e6b34a896769be2b7d18140f855f6063775367841", + "zh:3867d3331b59c8281dd8a742260b22e18750ae84a9bd2009e8f9d90412d2c044", + "zh:5e5e5ee08e0ecefa08a0ce7a9281a858f9b3a2a66bc9c06802b1624a1cb3eae0", + "zh:6298e8ed55bccd5513060e0d357d055919b3a22146fcfb6c34881efd49ec33f8", + "zh:6ce0ab6564fbbc673ab98ce4b7db7d64258a916394436a005d14b25c3ea58ad1", + "zh:6fdc1fb66074d2af5124a6988f81efdc77011b185e710629140e87ffb8624956", + "zh:7ff7888d77a17b18c9bdc9dfc1bf1e7f98f512410c29d1a8c2e6c21c8fe2a5c4", + "zh:9cafb8660daffd5c9c490d4529c7ba3d691fee5e4093b55e73f188b17e34cead", + "zh:b11e0e1b6c8485eb832336a69be02dfae151b71350e25288ec7bf0637df35485", + "zh:c7371d0dcde253fcd1808f86be2fcfc6e0b6ec82aa714e5dc6b533ba10007d48", + "zh:dcddd847b8a03a3b7c9288d68e781d65a3b911ef9cc96df9502a2d069195ae42", + "zh:dfd37ec661fe5b1520b595dcb93cca65f716270edc173a393a600c85b3f842d7", + "zh:e3b623167859344ed93f4125e97d24c5793246ccb329e4d82b2d9d8e5c356380", + "zh:f4d38ec08191ae70ef05ffd3943df1c27e2b11192a02e1979498a59ea1881ee3", ] } diff --git a/authentik.tf b/authentik.tf new file mode 100644 index 0000000..34cfcb3 --- /dev/null +++ b/authentik.tf 
@@ -0,0 +1,28 @@
+data "authentik_flow" "default_authorization_flow" {
+ slug = "default-provider-authorization-implicit-consent"
+}
+
+data "authentik_property_mapping_provider_scope" "default_scopes" {
+ managed_list = [
+ "goauthentik.io/providers/oauth2/scope-email",
+ "goauthentik.io/providers/oauth2/scope-openid",
+ "goauthentik.io/providers/oauth2/scope-profile"
+ ]
+}
+
+resource "authentik_provider_oauth2" "service_providers" {
+ for_each = local.service_auths
+ name = each.value.name
+ client_type = "confidential"
+ client_id = each.value.name
+ authorization_flow = data.authentik_flow.default_authorization_flow.id
+ redirect_uris = each.value.auth_redirects
+ property_mappings = data.authentik_property_mapping_provider_scope.default_scopes.ids
+}
+
+resource "authentik_application" "service_applications" {
+ for_each = local.service_auths
+ name = each.value.name
+ slug = "${each.value.subdomain}-serguzim-me"
+ protocol_provider = authentik_provider_oauth2.service_providers[each.key].id
+}
diff --git a/hosts.auto.tfvars b/hosts.auto.tfvars
index c2f23d8..0077fbc 100644
--- a/hosts.auto.tfvars
+++ b/hosts.auto.tfvars
@@ -1,11 +1,11 @@
 hosts = {
- "node001" = {
- hostname = "node001"
- rdns = "node001.serguzim.net"
- provider = "contabo"
- ipv4_address = "144.91.106.67",
- ipv6_address = "2a02:c207:2051:6620::1"
- },
+ #"node001" = {
+ # hostname = "node001"
+ # rdns = "node001.serguzim.net"
+ # provider = "contabo"
+ # ipv4_address = "144.91.106.67",
+ # ipv6_address = "2a02:c207:2051:6620::1"
+ #},
 "node002" = {
 hostname = "node002"
 rdns = "node002.serguzim.net"
diff --git a/main.tf b/main.tf
index 4ac0181..153841c 100644
--- a/main.tf
+++ b/main.tf
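Review bot: `redirect_uris = each.value.auth_redirects` is null for every service that sets `auth = true` without listing `auth_redirects` — in this commit that is linkwarden and wiki_js — so those OAuth2 providers are created with an empty redirect allow-list. As far as I recall, authentik 2024.8 then accepts and pins the first `redirect_uri` a client presents, which lets whoever triggers the flow first (or a typo in a callback URL) decide where authorization codes are delivered; every `auth = true` service should carry an explicit list, or the apply should fail early. The field is also matched as a regular expression (full match) in this authentik generation, so the forgejo entry's unescaped dots match more than the literal host. I would put a comment on the `redirect_uris` line: `# authentik matches these as regexes (full match) — escape dots; an empty list means the first URI used gets pinned, so never leave it null for a confidential client`.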
@@ -1,24 +1,28 @@
 terraform {
 required_providers {
+ authentik = {
+ source = "goauthentik/authentik"
+ version = "~> 2024.8.0"
+ }
 hcloud = {
 source = "hetznercloud/hcloud"
- version = "~> 1.45"
+ version = "~> 1.45.0"
 }
 ovh = {
 source = "ovh/ovh"
- version = "~> 0.48"
+ version = "~> 0.48.0"
 }
 postgresql = {
 source = "cyrilgdn/postgresql"
- version = "~> 1.23"
+ version = "~> 1.23.0"
 }
 scaleway = {
 source = "scaleway/scaleway"
- version = "~> 2.43"
+ version = "~> 2.43.0"
 }
 tailscale = {
 source = "tailscale/tailscale"
- version = "~> 0.16"
+ version = "~> 0.16.0"
 }
 }
@@ -41,6 +45,11 @@ terraform {
 }
 }
+provider "authentik" {
+ url = "${var.authentik_url}"
+ token = "${var.authentik_token}"
+}
+
 provider "hcloud" {
 token = "${var.hcloud_token}"
 }
@@ -75,3 +84,8 @@ provider "tailscale" {
 api_key = "${var.tailscale_api_key}"
 tailnet = "${var.tailscale_tailnet}"
 }
+
+locals {
+ service_auths = {for key, val in var.services : key => val if val.auth}
+}
+
diff --git a/output.tf b/output.tf
index 5debd37..e4fd4b8 100644
--- a/output.tf
+++ b/output.tf
@@ -14,6 +14,17 @@ output "hosts" {
 }
 }
+output "authentik_data" {
+ value = {
+ for key, val in local.service_auths : key => {
+ "base_url" = "${var.authentik_url}/application/o/${authentik_application.service_applications[key].slug}"
+ "client_id" = authentik_provider_oauth2.service_providers[key].client_id
+ "client_secret" = authentik_provider_oauth2.service_providers[key].client_secret
+ }
+ }
+ sensitive = true
+}
+
 output "postgresql_service_roles" {
 value = postgresql_role.service_roles
 sensitive = true
diff --git a/roles/authentik/vars/main.yml b/roles/authentik/vars/main.yml
index 77d83c0..fe7c4ca 100644
--- a/roles/authentik/vars/main.yml
+++ b/roles/authentik/vars/main.yml
@@ -3,7 +3,7 @@ authentik_svc:
 domain: auth.serguzim.me
 name: authentik
 port: 9000
- image_tag: 2024.2
+ image_tag: 2024.8
 db:
 host: "{{ postgres.host }}"
 database: authentik
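Review bot: Narrowing the constraints to `~> 1.45.0`, `~> 0.48.0`, `~> 2.43.0` and `~> 0.16.0` downgrades the hcloud, ovh, scaleway and tailscale providers, as the .terraform.lock.hcl hunk in this same commit shows (1.48.1 → 1.45.0, 0.50.0 → 0.48.0, 2.45.0 → 2.43.0, 0.17.1 → 0.16.2). The lock file already pins exact versions and hashes, so the tighter constraints add no reproducibility; they only roll each provider back by one to three minor releases whose fixes become unreachable until main.tf is edited again. If the goal is controlled upgrades, pin to what was already locked, e.g. `version = "~> 1.48.0"` for hcloud, or keep the old `~> 1.45` style and let the lock file hold the exact version.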
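Review bot: `token = "${var.authentik_token}"` gives the provider whatever credential the variable carries, and creating `authentik_provider_oauth2`/`authentik_application` objects needs write access to authentik's core objects; nothing here shows which account the token belongs to. Since authentik supports service accounts with scoped RBAC permissions, a dedicated token limited to provider and application management is preferable to reusing the admin user's API token, and a comment above the block should say which one is expected: `# API token of a dedicated service account with provider/application write permissions — not akadmin`. The `"${var.x}"` wrapping is legacy interpolation syntax that `tofu fmt` rewrites to `var.x`, though it does match the surrounding provider blocks.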
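Review bot: `sensitive = true` on the new `authentik_data` output only redacts the value from plan and apply output; `client_secret` is still stored in clear text in the state file and is exactly what `tofu output -json` prints, which is how the linkwarden role in this commit consumes it. A short comment above the `output` block would stop the next reader from assuming the flag protects the secret: `# sensitive only hides this from CLI output; the client secrets live in plaintext in the state backend and in any tofu output -json dump — treat both as secret material`. Whether the state backend (`backend_bucket` is declared in variables.tf) is access-controlled and encrypted at rest cannot be seen from this hunk and is worth confirming.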
diff --git a/roles/linkwarden/vars/main.yml b/roles/linkwarden/vars/main.yml
index 445e01e..33a9036 100644
--- a/roles/linkwarden/vars/main.yml
+++ b/roles/linkwarden/vars/main.yml
@@ -30,9 +30,9 @@ linkwarden_env:
 NEXT_PUBLIC_CREDENTIALS_ENABLED: true
 NEXT_PUBLIC_AUTHENTIK_ENABLED: false
 AUTHENTIK_CUSTOM_NAME: auth.serguzim.me
- AUTHENTIK_ISSUER: https://auth.serguzim.me/application/o/bookmarks-serguzim-me
- AUTHENTIK_CLIENT_ID: "{{ vault_linkwarden.oidc_client.id }}"
- AUTHENTIK_CLIENT_SECRET: "{{ vault_linkwarden.oidc_client.secret }}"
+ AUTHENTIK_ISSUER: "{{ opentofu.authentik_data.linkwarden.base_url }}"
+ AUTHENTIK_CLIENT_ID: "{{ opentofu.authentik_data.linkwarden.client_id }}"
+ AUTHENTIK_CLIENT_SECRET: "{{ opentofu.authentik_data.linkwarden.client_secret }}"
 linkwarden_compose:
 watchtower: true
diff --git a/services.auto.tfvars b/services.auto.tfvars
index 4f7b8b1..be0f713 100644
--- a/services.auto.tfvars
+++ b/services.auto.tfvars
@@ -1,31 +1,44 @@
 services = {
 "acme_dns" = {
 name = "acme_dns"
+ subdomain = "acme"
+ auth = false
 bucket = false
 database = true
 },
 "forgejo" = {
 name = "forgejo"
+ subdomain = "git"
+ auth = true
+ auth_redirects = ["https://git.serguzim.me/user/oauth2/auth.serguzim.me/callback"]
 bucket = true
 database = true
 },
 "linkwarden" = {
 name = "linkwarden"
+ subdomain = "bookmarks"
+ auth = true
 bucket = true
 database = true
 },
 "tinytinyrss" = {
 name = "tinytinyrss"
+ subdomain = "rss"
+ auth = false
 bucket = false
 database = true
 },
 "umami" = {
 name = "umami"
+ subdomain = "analytics"
+ auth = false
 bucket = false
 database = true
 },
 "wiki_js" = {
 name = "wiki_js"
+ subdomain = "wiki"
+ auth = true
 bucket = false
 database = true
 },
diff --git a/variables.tf b/variables.tf
index 31ae52f..2429459 100644
--- a/variables.tf
+++ b/variables.tf
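Review bot: The three `opentofu.authentik_data.linkwarden.*` lookups move the OIDC client secret out of the vault-encrypted `vault_linkwarden` into a plain `opentofu` variable, and nothing in this hunk shows where that variable is populated; it is worth confirming it is read at run time (e.g. from `tofu output -json`) and never committed or left unencrypted on disk. The task that ingests it should run with `no_log: true`, otherwise verbose Ansible runs echo the client secret. `NEXT_PUBLIC_AUTHENTIK_ENABLED` stays `false`, so the new wiring is inert until that flag is flipped — fine if intended, but a one-line comment next to it saying so would avoid confusion.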
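Review bot: `linkwarden` and `wiki_js` set `auth = true` without an `auth_redirects` entry, while `forgejo` lists its callback; with `auth_redirects` typed `optional(list(string))` in variables.tf, the two authentik providers derived from these entries get a null redirect list. Add each client's callback URL here so the provider is created with an explicit allow-list — for linkwarden something like `auth_redirects = ["https://bookmarks.serguzim.me/api/v1/auth/callback/authentik"]` (path to be confirmed against the linkwarden release in use) and the equivalent wiki.js callback — rather than relying on authentik's behaviour for providers with no redirect URIs. Escape the dots if the values are treated as regexes by the authentik version deployed.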
@@ -19,6 +19,15 @@ variable "backend_bucket" {
 }
+variable "authentik_url" {
+ default = "https://auth.serguzim.me"
+}
+
+variable "authentik_token" {
+ sensitive = true
+}
+
+
 variable "hcloud_token" {
 sensitive = true
 }
@@ -95,6 +104,9 @@ variable "default_ssh_key" {
 variable "services" {
 type = map(object({
 name = string
+ subdomain = string
+ auth = bool
+ auth_redirects = optional(list(string))
 bucket = bool
 database = bool
 }))
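Review bot: `auth_redirects = optional(list(string))` lets a service opt into authentik with `auth = true` and no redirect list, and authentik.tf passes that null straight into `redirect_uris`, so the misconfiguration only surfaces as an OAuth2 provider with an empty allow-list inside authentik. A `validation` block on `variable "services"` rejects it at plan time; the variable's closing brace lies past the end of the hunk, so the block goes right after `}))`. Separately, `variable "authentik_token"` in the first hunk would benefit from `type = string` next to `sensitive = true`, though that is cosmetic.
```hcl
  }))

  # Reject at plan time: a service that turns on authentik without a redirect
  # allow-list would otherwise create an OAuth2 provider with no redirect URIs.
  validation {
    condition = alltrue([
      for s in var.services : !s.auth || try(length(s.auth_redirects), 0) > 0
    ])
    error_message = "Every service with auth = true must list at least one auth_redirects entry."
  }
```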