Add authentik to opentofu

This commit is contained in:
Tobias Reisinger 2024-09-28 14:14:09 +02:00
parent 496cd360c6
commit 01ee9d4b44
Signed by: serguzim
GPG key ID: 13AD60C237A28DFE
9 changed files with 184 additions and 84 deletions

View file

@ -23,6 +23,28 @@ provider "registry.opentofu.org/cyrilgdn/postgresql" {
] ]
} }
provider "registry.opentofu.org/goauthentik/authentik" {
version = "2024.8.4"
constraints = "~> 2024.8.0"
hashes = [
"h1:bZS9RwjEc1FlLFMidiCzyUrFTC7VONufHBDgGjAtSWs=",
"zh:13040879209e226ba73dd3492849301f5d6233098decf4789dde4e75a7db00a3",
"zh:21e5b1403749e4577c85efe1e1ffbc7f70f910c9b025a66ee36d6d9e7a26834d",
"zh:3290e95ff74aa269031df2d9604526c977826d76c4c1c03b61c61d4767775f44",
"zh:5648de4e32e83f1162844dfae55c2c2ff23eb1b0ae0c6a251a38917d6c7407f0",
"zh:5a12f804038d3d84819954fe7666b84aa24bc2284682e5732302c0811401faa3",
"zh:6b61eaad598256beb677f170fcb63c2f56c8a9e2a8f6516c98802fab0009807d",
"zh:8071892662952c013bdee898a4f5dc4116c18e7e2fbcb0fa96afdf56e78a582f",
"zh:94aead29a3fb563c84eca7275a88f7b49e14f6bc7344cc06c766fdf638098d6d",
"zh:96ad4fddd7c4ff84f6c18e7106a7565c545e545ac8b8419f2c76216760e1a35a",
"zh:c5105037a5d9f0be8fd6a3ecbf08928e26acd3af587dbeb099a328c994cef6f6",
"zh:c69b47759a0b831270ba074002078ebf375da712f8c306053b880946cb80ae14",
"zh:cb76e7fcdffa73055670f2ecf88286353a3d70a9cc3528e77217ea00465a32c2",
"zh:d95b39d122b61c833e234b3fdf423495685cb20456efd761fdcbafc3817248e1",
"zh:fc1a55ce2f8f7872f6911afd68d5f76472ba247a2ad2d739010d15add2c7e268",
]
}
provider "registry.opentofu.org/hashicorp/random" { provider "registry.opentofu.org/hashicorp/random" {
version = "3.6.3" version = "3.6.3"
hashes = [ hashes = [
@ -70,89 +92,89 @@ provider "registry.opentofu.org/hashicorp/time" {
} }
provider "registry.opentofu.org/hetznercloud/hcloud" { provider "registry.opentofu.org/hetznercloud/hcloud" {
version = "1.48.1" version = "1.45.0"
constraints = "~> 1.45" constraints = "~> 1.45.0"
hashes = [ hashes = [
"h1:fa9fxdSV9DG+HDcXyRbcGfb6Dk94SBP3TamHb1yOYiI=", "h1:BEE0B6hv1ZAmTLIO12uqIm7s3oSjmGzZLm6OzudlxAw=",
"zh:086cce10cb005f25f85183c59e639d6675e91e919934c80f660ca1cc4b9bc09b", "zh:1c4b44a698cfaca215bdbadaf92669dd23533210c3cbf32895fbf4ff7acf6c24",
"zh:111d185707168b90c7ed3d245b522b2bd508f0bd4275496a1acdc9c0adaa85f2", "zh:2915f8385559694e5097d8d0df16358200e9f0d9efb80559e9ea0bd072d792b9",
"zh:1acba3f30150282d283c46cd7ce25e9afb8b027fd2f594d41de9131d25a42b27", "zh:3a6b37b0bba50d263bd3dba26185bde13c825e59b6b301ab3f9f45686a21456b",
"zh:1f8858aa81f93d52550502a11c7ea4e9370316ab098f6b75a09ffe75da6129ee", "zh:3e3910fa22a3a8d73d1aed38cc479c3e1958e9168b5f4a7d0da6cf03c2dfc155",
"zh:20e01e6e6f99f57b3c1ef2a9de5d617c0139d3f3934eeb5e6c5976ae8b831a48", "zh:3f8d7d09e5c93162a1e9e6c89acac0799fb55765b44b7d1d020763c814263c57",
"zh:2a8489a586a7bdadc42bbc9e3cb7b9deaefdf8020e3f2caba2678877d5d64d52", "zh:40bc5e94bff495440e1b4f797165d7f0dcee2282a86a61b158f47fe4bc57e9fb",
"zh:31d8017529b0429bc9e873ec5d358ab9b75af2ba0ae24f21abcd4d09f36b7ee9", "zh:473f51d464b897d0e8e3d5ca2eb175b37e2f7ce03c8b26f47cc35885cf620946",
"zh:407b4d7f1407e7e4a51b6f4dcdb0c7fbf81f2f1e25a7275f34054009419125a2", "zh:6fdd4bf71c19cfad78d7e1d2336be873eb8567a139d53e672e78ebcbc36a4d7d",
"zh:42cf7cf867d199054713d4e6060e4b578eff16f0f537e9aaa5fd990c3eab8bc6", "zh:9e08638cbfc90d69f1c21ee34191db077d58d040cf7a9eed07a1dc335d463e97",
"zh:460ac856ff952c5d41525949b93cfb7ee642f900594eff965494f11999d7496b", "zh:b1ed5ea81bc6d2c88efdefaeb244322874508d90d8217ac2e3541445254bdadc",
"zh:d09e527d23f62564c82bc24e286cf2cb8cb0ed6cdc6f4c66adf2145cfa62adac", "zh:ced05776c27d550d15d4a71360243740ecb4ea1e65e67229fb2273a27353b00c",
"zh:d465356710444ac70dea4883252efc429b73e79fc6dc94f075662b838476680e", "zh:da79b8a1a982a1d365ea206a2654e8b5003aeba9ccdc9c8751bb6ee3f40d8c49",
"zh:d476c8eca307e30a20eed54c0735b062a6f3066b4ac63eebecd38ab8f40c16f4", "zh:fabbad25bab09dd74f2b819992ab99b939c642374d6ca080b18d6e2a91d8d487",
"zh:e0e9b2f6d5e28dbd01fa1ec3147aa88062d6223c5146532a3dcd1d3bb827e1e9", "zh:fb0e083d2925f289999dc561ef1c2f84a9e0ab11388c40162ca8b470f50f71f5",
] ]
} }
provider "registry.opentofu.org/ovh/ovh" { provider "registry.opentofu.org/ovh/ovh" {
version = "0.50.0" version = "0.48.0"
constraints = "~> 0.48" constraints = "~> 0.48.0"
hashes = [ hashes = [
"h1:HKkJ0TdXphZb503dGYyOj4mXy9HPSSgXhf0yFmsRyxo=", "h1:dOwImR7DGX4FHt9IpY6S7z8z62fyhTOiLm0kgSA+MfE=",
"zh:1c88525ece36dc8878567301fb245422d10a788a7545fff918c7b96828d2efd1", "zh:64ae6a94f86115d6a0cf54e62de16f3751f2f511c7c133a58734b623ecd83133",
"zh:311f5f3103ff0f5baab886e338de443e28d40557664c54697a21f2c091c0c673", "zh:808c0dfc35f0cdde84fff2b772ef52aef57363e2f496ae8e5b5d191ae2482db3",
"zh:37a1dc197d9fc68cc1c90b8ef77411797c4bc494b528ad4880e6ee4185f1eddb", "zh:91427314fe73ee5bb3cc0fdcc88c15416709ff049751573674cb56a17ebf137f",
"zh:6f61600d81b4c5c0a016d58c2dae7ca4bfaef28481abc12797bc7e90f9c7d3f8", "zh:97a60491d8a50900c83365ab86343f59ae39a6a8d0ecbf2229be389143c584af",
"zh:7eb791886e01bbbbcff93d9fedbc2d4d78852bfcf9d2aba188aa5032f45008dc", "zh:a2be10afc172ea844706217143b003c21dd502fcfe429fa61f5cebdbd2c38c55",
"zh:87d53dcf87466ec341c3cc41b619e8829faa4805e06491ccd4d7e1945cb78664", "zh:a6e0e5978a6b1247a110e1bf2461771e3bf1b3c974cc83b56ae3255cdc5123d3",
"zh:8b017819ea1d0cf2ca78de6b2d935b71a23e13030f5b2c2a2afe65122ec354d3", "zh:b6cac2ddd451cb783faab09ec90a54be222a2bc9ef59eaaec309980b46a8650c",
"zh:8ddc5f0f50c551c78aabf5521e4418badb71e77c6103f8da85f1862eb620cc39", "zh:d767fc3a8c992fa01be52a86ba92204d5ac7ea238a2ebce5e313eaf56e4ae3ac",
"zh:91dbd9069b803582618e442f648d8a72f1e28ecf4c45c539d1b67f4acc601498", "zh:ed2f82995fbe92d7a750a9560cb325d6dbee1b031898dba4ab74447c6043c878",
"zh:c4b4f626adfb81179b9e4a61f1df08f26c581a6da093f958620abafa308c572e", "zh:ef20c721c5349f03106aa3514752b1df3583ce96a0e704a4b45d9b4b455ca57b",
"zh:d836cd3127f93acf27c7bfd7b020f27cab977ff5e52f6c0403ab9eb54dcf9da4", "zh:f33f42bca65d40097033f0e64e45ad113107804be2198a2279d5561bb1122b34",
"zh:deb1b6352c5b6d3c210091587fbfab93453fcb5aaa761a02d61c03ab4d56637f", "zh:f922c6d3d73f8c252beb91dc9f97eb96643781ad3e7192018be47d4df2e4d0e3",
"zh:e53cf3cb629bb0701bd54d9dcbd4253d6f001923f355e891b5776f7fa63f56ee", "zh:f93577ad688f449c03c4087a19cea3cc37bc30c94519eee4710323099bf501ad",
"zh:f2026e2dacb00bc0571127a6435837943281b1e085fad2b11356db78c9a863c0", "zh:ff33c4b2543030a82935551631d209df87adf981b4661a4ab60406e704fe7485",
] ]
} }
provider "registry.opentofu.org/scaleway/scaleway" { provider "registry.opentofu.org/scaleway/scaleway" {
version = "2.45.0" version = "2.43.0"
constraints = "~> 2.43" constraints = "~> 2.43.0"
hashes = [ hashes = [
"h1:TUNrkoCHyGUJrmpOjg+Wfyf8IYe/6X6D2yu11Vi9UoM=", "h1:adTVxpdKkSUVDasMWHrNqoSRDD6ztSVXONOEhnmIkyY=",
"zh:11dc4916523a65acf06555816ed09a5d5267477b8c005c48f91ed036a1e8d93a", "zh:019b1d05013bed2ac7687d64ff51a5b150cefacaef4cc752d677cdb0c06b07a0",
"zh:20f8ee896d88ea85b89fb73311341a90ffe6c8c3211e5b710c7c8daa977d6156", "zh:0fc7a5e0178774945ca8135585ea51d755da66a2083e88e87b522efa058ac556",
"zh:2d9a0dd05c34d36469625b139b8089b8dd9f93b92d18e3af24aaf6f37620c727", "zh:295ee6f2b45deb01b0961d189110ad704b3634026d7d3ace424dba7a51623cf1",
"zh:3d0e1a19edbf707d488e3f35b1d6fdd1922cd1a376ff78314d4f06fd63666840", "zh:526ef9b9a5678ab61537ba021f2421b8d11d893e3fdfcef15c720d309631ede0",
"zh:676872e1613714e9f7d619eae23c33a96b423d27d378a2b935e773d9c6f79edf", "zh:6624284c6424fe07c9cfd09204174c44716d26ed8b48d2d13ceaa937c3eb0b8a",
"zh:87b038b2e7d51c50469fa95dcd8a1a8c21fcc1decd75a49b6367fc80a1ac5809", "zh:6ccc51561986facc7f8b25e148fa6b528afb04b65a8df7afba73fe65cf6c2f04",
"zh:97bd93434231540cad2516e33e5f90edc9d2bd3d4eaabaefbdd76117004f7283", "zh:790b74d9d85c8596fe5974cfb59740508668fb65c6dea04f08f769c08c917446",
"zh:a2c4ee0b8a81c61714d52449aeb92c8fae2d002b93865a355f72f18072171e8b", "zh:9b58cd255511124458b03dac23e2db2625c8f2ef3148ea3ca10a514511233416",
"zh:a55372fc3470c493fa053d404f3332d2ffba3a70696b3926ac2fcc8852b6055a", "zh:b339ad67e9a7bbe02382d1c48b633e1a3da0c3c245093a50a86fedf33548339c",
"zh:c0c413943a14a7a2cb277b12e6a70f4647e3ad34abc6fe7368c726ba3d2b31ff", "zh:cee426f008289568f20297775d689734fd674a03c2c9b9691fb38f94c4c0ab34",
"zh:c0e0779ccc8233a8efa1ae0d9d3f23becc1ef6cdff00ca083282939e3d639631", "zh:e3f0e06190767aff4a2d7242a865f7ac2963eb59a00d86b2a8359911e2d514d1",
"zh:d40e4a9acd839589ad01ebed256b19725f31b4308681e11ea4a22ed0285963ee", "zh:ef958ad54d4e6cd4d76a5fbe86a051fb411998a27cb1cf7229c05463d0ad535e",
"zh:de1a592889747125dc739f4b1dfb20f848ffcc10a0c25272f8f2fd90b435940e", "zh:f8608db4e7e7156c4f7f7205e8b3a2095a49e115402257323d0180a8bafc2d2e",
"zh:fa200b7e1e24d63d5d4eb4ff4e44c00a6f7cfb883ce1eee98eb74a539f91774d", "zh:f88ce1874d5f2faa06c81bc1666ecf8ec1cc3dd7ffe68688c17ae8a2f30692e4",
] ]
} }
provider "registry.opentofu.org/tailscale/tailscale" { provider "registry.opentofu.org/tailscale/tailscale" {
version = "0.17.1" version = "0.16.2"
constraints = "~> 0.16" constraints = "~> 0.16.0"
hashes = [ hashes = [
"h1:yUzwRZxbCa0QDkn1VSYriZpC02tHaa5X05pxp/K2Sao=", "h1:m8r5+K4JWe+tdT4IyryZkAQ7d38GVPtoQ9mzp+5Scaw=",
"zh:1823fbc277875863d7f7fd198b1636a3e213fff523c6882d5d7aaf83a745872e", "zh:2a37ef43b88ad8e26ecad79e6b34a896769be2b7d18140f855f6063775367841",
"zh:2a9a21fba0acbe44cd6b78ce8b49fba2e650576675818255cd1abf3c0493d448", "zh:3867d3331b59c8281dd8a742260b22e18750ae84a9bd2009e8f9d90412d2c044",
"zh:382450ba8918c1738b60a736fe2e37e845242fac7bf85c4936b135061864eaba", "zh:5e5e5ee08e0ecefa08a0ce7a9281a858f9b3a2a66bc9c06802b1624a1cb3eae0",
"zh:413226903d4d924eb005505a2e06c11186185466d0d7741d67d154f3a4c49b41", "zh:6298e8ed55bccd5513060e0d357d055919b3a22146fcfb6c34881efd49ec33f8",
"zh:43e9fbb4f43df7c169651a07bdf56cdf10f315f25b5ca428d7f8325d236b77a7", "zh:6ce0ab6564fbbc673ab98ce4b7db7d64258a916394436a005d14b25c3ea58ad1",
"zh:6a47fccb7d7248f42e36860aeb9c4b109bba9a0fe702cfb13ec88bc2babaccbf", "zh:6fdc1fb66074d2af5124a6988f81efdc77011b185e710629140e87ffb8624956",
"zh:834308305b0ff8355a37869338f60ac072dad1bf0856964dd29f5b4542e1f41b", "zh:7ff7888d77a17b18c9bdc9dfc1bf1e7f98f512410c29d1a8c2e6c21c8fe2a5c4",
"zh:859199d820fd66da7d4f6b30fd4b828952f5f318f37b8bacf80f5668b769c162", "zh:9cafb8660daffd5c9c490d4529c7ba3d691fee5e4093b55e73f188b17e34cead",
"zh:89894383c69a6dd242faff79218850249d75673f736ceb212b26e13bc0950640", "zh:b11e0e1b6c8485eb832336a69be02dfae151b71350e25288ec7bf0637df35485",
"zh:8ab2011df75200dff2e9cb885de28ba00bc5141c9de7cad609cf12d39735a819", "zh:c7371d0dcde253fcd1808f86be2fcfc6e0b6ec82aa714e5dc6b533ba10007d48",
"zh:90df5ea74438217ed981af32fb061fabc71b14cfd4bb1fbf5c830036152c6253", "zh:dcddd847b8a03a3b7c9288d68e781d65a3b911ef9cc96df9502a2d069195ae42",
"zh:b56875c717c155db6da4c54b9a242b087f1a4fcb31b84758902e072805159a07", "zh:dfd37ec661fe5b1520b595dcb93cca65f716270edc173a393a600c85b3f842d7",
"zh:d1c328adab27ac8ef0afb97a518f4db4a1f5f916ba93927ecd3fca7e72023517", "zh:e3b623167859344ed93f4125e97d24c5793246ccb329e4d82b2d9d8e5c356380",
"zh:e62555f5a1fb59141db198a22bc29c01eff1a781a1ea207107997a5e42ade45b", "zh:f4d38ec08191ae70ef05ffd3943df1c27e2b11192a02e1979498a59ea1881ee3",
] ]
} }

28
authentik.tf Normal file
View file

@ -0,0 +1,28 @@
data "authentik_flow" "default_authorization_flow" {
slug = "default-provider-authorization-implicit-consent"
}
data "authentik_property_mapping_provider_scope" "default_scopes" {
managed_list = [
"goauthentik.io/providers/oauth2/scope-email",
"goauthentik.io/providers/oauth2/scope-openid",
"goauthentik.io/providers/oauth2/scope-profile"
]
}
resource "authentik_provider_oauth2" "service_providers" {
for_each = local.service_auths
name = each.value.name
client_type = "confidential"
client_id = each.value.name
authorization_flow = data.authentik_flow.default_authorization_flow.id
redirect_uris = each.value.auth_redirects
property_mappings = data.authentik_property_mapping_provider_scope.default_scopes.ids
}
resource "authentik_application" "service_applications" {
for_each = local.service_auths
name = each.value.name
slug = "${each.value.subdomain}-serguzim-me"
protocol_provider = authentik_provider_oauth2.service_providers[each.key].id
}

View file

@ -1,11 +1,11 @@
hosts = { hosts = {
"node001" = { #"node001" = {
hostname = "node001" # hostname = "node001"
rdns = "node001.serguzim.net" # rdns = "node001.serguzim.net"
provider = "contabo" # provider = "contabo"
ipv4_address = "144.91.106.67", # ipv4_address = "144.91.106.67",
ipv6_address = "2a02:c207:2051:6620::1" # ipv6_address = "2a02:c207:2051:6620::1"
}, #},
"node002" = { "node002" = {
hostname = "node002" hostname = "node002"
rdns = "node002.serguzim.net" rdns = "node002.serguzim.net"

24
main.tf
View file

@ -1,24 +1,28 @@
terraform { terraform {
required_providers { required_providers {
authentik = {
source = "goauthentik/authentik"
version = "~> 2024.8.0"
}
hcloud = { hcloud = {
source = "hetznercloud/hcloud" source = "hetznercloud/hcloud"
version = "~> 1.45" version = "~> 1.45.0"
} }
ovh = { ovh = {
source = "ovh/ovh" source = "ovh/ovh"
version = "~> 0.48" version = "~> 0.48.0"
} }
postgresql = { postgresql = {
source = "cyrilgdn/postgresql" source = "cyrilgdn/postgresql"
version = "~> 1.23" version = "~> 1.23.0"
} }
scaleway = { scaleway = {
source = "scaleway/scaleway" source = "scaleway/scaleway"
version = "~> 2.43" version = "~> 2.43.0"
} }
tailscale = { tailscale = {
source = "tailscale/tailscale" source = "tailscale/tailscale"
version = "~> 0.16" version = "~> 0.16.0"
} }
} }
@ -41,6 +45,11 @@ terraform {
} }
} }
provider "authentik" {
url = "${var.authentik_url}"
token = "${var.authentik_token}"
}
provider "hcloud" { provider "hcloud" {
token = "${var.hcloud_token}" token = "${var.hcloud_token}"
} }
@ -75,3 +84,8 @@ provider "tailscale" {
api_key = "${var.tailscale_api_key}" api_key = "${var.tailscale_api_key}"
tailnet = "${var.tailscale_tailnet}" tailnet = "${var.tailscale_tailnet}"
} }
locals {
service_auths = {for key, val in var.services : key => val if val.auth}
}

View file

@ -14,6 +14,17 @@ output "hosts" {
} }
} }
output "authentik_data" {
value = {
for key, val in local.service_auths : key => {
"base_url" = "${var.authentik_url}/application/o/${authentik_application.service_applications[key].slug}"
"client_id" = authentik_provider_oauth2.service_providers[key].client_id
"client_secret" = authentik_provider_oauth2.service_providers[key].client_secret
}
}
sensitive = true
}
output "postgresql_service_roles" { output "postgresql_service_roles" {
value = postgresql_role.service_roles value = postgresql_role.service_roles
sensitive = true sensitive = true

View file

@ -3,7 +3,7 @@ authentik_svc:
domain: auth.serguzim.me domain: auth.serguzim.me
name: authentik name: authentik
port: 9000 port: 9000
image_tag: 2024.2 image_tag: 2024.8
db: db:
host: "{{ postgres.host }}" host: "{{ postgres.host }}"
database: authentik database: authentik

View file

@ -30,9 +30,9 @@ linkwarden_env:
NEXT_PUBLIC_CREDENTIALS_ENABLED: true NEXT_PUBLIC_CREDENTIALS_ENABLED: true
NEXT_PUBLIC_AUTHENTIK_ENABLED: false NEXT_PUBLIC_AUTHENTIK_ENABLED: false
AUTHENTIK_CUSTOM_NAME: auth.serguzim.me AUTHENTIK_CUSTOM_NAME: auth.serguzim.me
AUTHENTIK_ISSUER: https://auth.serguzim.me/application/o/bookmarks-serguzim-me AUTHENTIK_ISSUER: "{{ opentofu.authentik_data.linkwarden.base_url }}"
AUTHENTIK_CLIENT_ID: "{{ vault_linkwarden.oidc_client.id }}" AUTHENTIK_CLIENT_ID: "{{ opentofu.authentik_data.linkwarden.client_id }}"
AUTHENTIK_CLIENT_SECRET: "{{ vault_linkwarden.oidc_client.secret }}" AUTHENTIK_CLIENT_SECRET: "{{ opentofu.authentik_data.linkwarden.client_secret }}"
linkwarden_compose: linkwarden_compose:
watchtower: true watchtower: true

View file

@ -1,31 +1,44 @@
services = { services = {
"acme_dns" = { "acme_dns" = {
name = "acme_dns" name = "acme_dns"
subdomain = "acme"
auth = false
bucket = false bucket = false
database = true database = true
}, },
"forgejo" = { "forgejo" = {
name = "forgejo" name = "forgejo"
subdomain = "git"
auth = true
auth_redirects = ["https://git.serguzim.me/user/oauth2/auth.serguzim.me/callback"]
bucket = true bucket = true
database = true database = true
}, },
"linkwarden" = { "linkwarden" = {
name = "linkwarden" name = "linkwarden"
subdomain = "bookmarks"
auth = true
bucket = true bucket = true
database = true database = true
}, },
"tinytinyrss" = { "tinytinyrss" = {
name = "tinytinyrss" name = "tinytinyrss"
subdomain = "rss"
auth = false
bucket = false bucket = false
database = true database = true
}, },
"umami" = { "umami" = {
name = "umami" name = "umami"
subdomain = "analytics"
auth = false
bucket = false bucket = false
database = true database = true
}, },
"wiki_js" = { "wiki_js" = {
name = "wiki_js" name = "wiki_js"
subdomain = "wiki"
auth = true
bucket = false bucket = false
database = true database = true
}, },

View file

@ -19,6 +19,15 @@ variable "backend_bucket" {
} }
variable "authentik_url" {
default = "https://auth.serguzim.me"
}
variable "authentik_token" {
sensitive = true
}
variable "hcloud_token" { variable "hcloud_token" {
sensitive = true sensitive = true
} }
@ -95,6 +104,9 @@ variable "default_ssh_key" {
variable "services" { variable "services" {
type = map(object({ type = map(object({
name = string name = string
subdomain = string
auth = bool
auth_redirects = optional(list(string))
bucket = bool bucket = bool
database = bool database = bool
})) }))