From 424e1db07ff77a6edf99a4de982f5cbe0d353418 Mon Sep 17 00:00:00 2001
From: Tobias Reisinger
Date: Wed, 9 Oct 2024 02:29:08 +0200
Subject: [PATCH] Fix authentik config
---
 modules/infrastructure/variables.tf | 1 +
 modules/services/authentik.tf | 10 ++++++++--
 modules/services/output.tf | 2 +-
 modules/services/variables.tf | 1 +
 roles/gatus/vars/main.yml | 2 +-
 roles/linkwarden/vars/main.yml | 4 ++--
 roles/vikunja/vars/main.yml | 2 +-
 services.auto.tfvars | 1 +
 variables.tf | 1 +
 9 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/modules/infrastructure/variables.tf b/modules/infrastructure/variables.tf
index 9252827..31821ab 100644
--- a/modules/infrastructure/variables.tf
+++ b/modules/infrastructure/variables.tf
@@ -88,6 +88,7 @@ variable "services" {
 })))
 ports = optional(list(string))
 auth = bool
+ auth_cert = optional(string)
 auth_redirects = optional(list(string))
 s3 = bool
 database = bool
diff --git a/modules/services/authentik.tf b/modules/services/authentik.tf
index 63bc0e7..ea784c4 100644
--- a/modules/services/authentik.tf
+++ b/modules/services/authentik.tf
@@ -2,10 +2,14 @@ data "authentik_flow" "default_authorization_flow" {
 slug = "default-provider-authorization-implicit-consent"
 }
 
-data "authentik_certificate_key_pair" "default" {
+data "authentik_certificate_key_pair" "ecdsa" {
 name = "auth.serguzim.me"
 }
 
+data "authentik_certificate_key_pair" "rsa" { name = "authentik Self-signed Certificate" }
+
 data "authentik_property_mapping_provider_scope" "default_scopes" {
 managed_list = [
 "goauthentik.io/providers/oauth2/scope-email",
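Review bot: `auth_cert = optional(string)` accepts any string, yet the only value modules/services/authentik.tf acts on is the literal "rsa", so a mistyped value such as "RSA" silently selects the ECDSA key and surfaces only as tokens the service cannot verify, never as a plan-time error. Consider giving the attribute an explicit default and constraining it on the variable, e.g. `auth_cert = optional(string, "ecdsa")` plus a `validation` block whose condition is `alltrue([for s in var.services : contains(["ecdsa", "rsa"], s.auth_cert)])` with a matching error_message. The same attribute is declared identically in modules/services/variables.tf and variables.tf in this commit; whichever form is chosen should be applied to all three so the module interfaces stay in step. The enclosing `variable "services"` object type begins and ends outside the hunk.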
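Review bot: The two data sources are now named by key algorithm, but both are resolved purely by display name (`auth.serguzim.me` and `authentik Self-signed Certificate`), so nothing here checks that the pair behind `ecdsa` is actually ECDSA or that `rsa` is RSA, and a certificate renamed or regenerated in authentik would be picked up under the same label without a plan diff. A short comment on each lookup would keep that visible, e.g. `# Matched by display name only; expected to be an ECDSA key pair — confirm in authentik.` on the first and `# authentik's auto-generated self-signed pair, used where a client needs an RSA signing key (assumed — confirm); if it carries a limited validity, its expiry breaks signing for every provider pointed at it.` on the second. The `data "authentik_flow"` block at the top starts before the hunk.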
@@ -58,7 +62,9 @@ resource "authentik_provider_oauth2" "service_providers" {
 data.authentik_property_mapping_provider_scope.default_scopes.ids,
 each.key == "minio" ? [authentik_property_mapping_provider_scope.minio.id] : []
 ])
- signing_key = data.authentik_certificate_key_pair.default.id
+ signing_key = (each.value.auth_cert == "rsa" ? data.authentik_certificate_key_pair.rsa.id : data.authentik_certificate_key_pair.ecdsa.id)
 }
 
 resource "authentik_application" "service_applications" {
diff --git a/modules/services/output.tf b/modules/services/output.tf
index eeee49b..14edcb8 100644
--- a/modules/services/output.tf
+++ b/modules/services/output.tf
@@ -1,7 +1,7 @@
 output "authentik_data" {
 value = {
 for key in keys(authentik_application.service_applications) : key => {
- "base_url" = "${var.authentik_url}/application/o/${authentik_application.service_applications[key].slug}/"
+ "base_url" = "${var.authentik_url}/application/o/${authentik_application.service_applications[key].slug}"
 "client_id" = authentik_provider_oauth2.service_providers[key].client_id
 "client_secret" = authentik_provider_oauth2.service_providers[key].client_secret
 }
diff --git a/modules/services/variables.tf b/modules/services/variables.tf
index faa5db9..eca2500 100644
--- a/modules/services/variables.tf
+++ b/modules/services/variables.tf
@@ -37,6 +37,7 @@ variable "services" {
 })))
 ports = optional(list(string))
 auth = bool
+ auth_cert = optional(string)
 auth_redirects = optional(list(string))
 s3 = bool
 database = bool
diff --git a/roles/gatus/vars/main.yml b/roles/gatus/vars/main.yml
index df8b11c..f425c00 100644
--- a/roles/gatus/vars/main.yml
+++ b/roles/gatus/vars/main.yml
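Review bot: The ternary on `signing_key` maps every value of `each.value.auth_cert` other than the literal "rsa" — null, "RSA", or a future third key — onto the ECDSA key, so a wrong value degrades silently into a provider whose tokens the service rejects instead of failing the plan. A map lookup fails loudly on an unknown value and lists the accepted ones in one place: add `signing_keys = { ecdsa = data.authentik_certificate_key_pair.ecdsa.id, rsa = data.authentik_certificate_key_pair.rsa.id }` to a `locals` block and set `signing_key = local.signing_keys[coalesce(each.value.auth_cert, "ecdsa")]`, which keeps null meaning ECDSA as today. The `resource "authentik_provider_oauth2"` block starts before the hunk.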
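Review bot: Dropping the trailing slash from `base_url` moves the issuer-format decision into each consumer, and within this commit they already diverge: the gatus and vikunja roles append "/" again, while linkwarden's AUTHENTIK_ISSUER now receives the value without it. Because an OIDC client compares the token's `iss` claim byte-for-byte against its configured issuer, the convention should be recorded on the output so the next consumer is written the same way, e.g. `# No trailing slash; each role appends "/" where its OIDC client must match authentik's issuer string exactly.` The `output "authentik_data"` block closes after the hunk.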
@@ -47,7 +47,7 @@ gatus_yml:
 security:
 oidc:
- issuer-url: "{{ opentofu.authentik_data.gatus.base_url }}"
+ issuer-url: "{{ opentofu.authentik_data.gatus.base_url }}/"
 redirect-url: "https://{{ gatus_svc.domain }}/authorization-code/callback"
 client-id: "{{ opentofu.authentik_data.gatus.client_id }}"
 client-secret: "{{ opentofu.authentik_data.gatus.client_secret }}"
diff --git a/roles/linkwarden/vars/main.yml b/roles/linkwarden/vars/main.yml
index fe9ed5e..8df1e66 100644
--- a/roles/linkwarden/vars/main.yml
+++ b/roles/linkwarden/vars/main.yml
@@ -27,8 +27,8 @@ linkwarden_env:
 SPACES_FORCE_PATH_STYLE: false
 NEXT_PUBLIC_DISABLE_REGISTRATION: true
- NEXT_PUBLIC_CREDENTIALS_ENABLED: true
- NEXT_PUBLIC_AUTHENTIK_ENABLED: false
+ NEXT_PUBLIC_CREDENTIALS_ENABLED: false
+ NEXT_PUBLIC_AUTHENTIK_ENABLED: true
 AUTHENTIK_CUSTOM_NAME: auth.serguzim.me
 AUTHENTIK_ISSUER: "{{ opentofu.authentik_data.linkwarden.base_url }}"
 AUTHENTIK_CLIENT_ID: "{{ opentofu.authentik_data.linkwarden.client_id }}"
diff --git a/roles/vikunja/vars/main.yml b/roles/vikunja/vars/main.yml
index 394fa16..db2bc27 100644
--- a/roles/vikunja/vars/main.yml
+++ b/roles/vikunja/vars/main.yml
@@ -40,7 +40,7 @@ vikunja_yml:
 enabled: true
 providers:
 - name: auth.serguzim.me
- authurl: "{{ opentofu.authentik_data.vikunja.base_url }}"
+ authurl: "{{ opentofu.authentik_data.vikunja.base_url }}/"
 logouturl: "{{ (opentofu.authentik_data.vikunja.base_url, 'end-session') | path_join }}"
 clientid: "{{ opentofu.authentik_data.vikunja.client_id }}"
 clientsecret: "{{ opentofu.authentik_data.vikunja.client_secret }}"
diff --git a/services.auto.tfvars b/services.auto.tfvars
index 3d76288..6e58d1c 100644
--- a/services.auto.tfvars
+++ b/services.auto.tfvars
@@ -233,6 +233,7 @@ services = {
 group = "4-services"
 }
 auth = true
+ auth_cert = "rsa"
 auth_redirects = ["https://bookmarks.serguzim.me/api/v1/auth/callback/authentik"]
 database = true
 s3 = true
diff --git a/variables.tf b/variables.tf
index a6495e1..c3fcffd 100644
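Review bot: Setting `NEXT_PUBLIC_CREDENTIALS_ENABLED: false` removes password login, and at the same time the unchanged `AUTHENTIK_ISSUER` two lines below changes value in this commit because modules/services/output.tf now emits `base_url` without a trailing slash — two coupled changes that are easy to miss reading this hunk alone. A comment next to the issuer would make the dependency explicit, e.g. `# base_url carries no trailing slash (modules/services/output.tf); confirm this is the issuer form linkwarden expects.` With registration disabled and credentials off, any existing local accounts are reachable only through authentik, so an outage or misconfiguration of the provider is now a lock-out for this service; that is worth a line in the role's documentation. The `linkwarden_env` mapping starts before the hunk.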
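Review bot: `auth_cert = "rsa"` is the only entry opting into the RSA key and nothing records why this service (presumably linkwarden, given the redirect URL) needs it, so a later cleanup could drop the exception and break its login. A one-line comment would preserve the reason, e.g. `# linkwarden's OIDC client does not accept tokens signed with the ECDSA key (assumed — confirm).` If the reason is that the self-signed pair is the only RSA key available, the comment should also say so, since that ties this login to a certificate whose lifetime is managed inside authentik rather than by this configuration. The enclosing service entry in `services = {` starts before the hunk.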
--- a/variables.tf
+++ b/variables.tf
@@ -144,6 +144,7 @@ variable "services" {
 }))
 ports = optional(list(string))
 auth = bool
+ auth_cert = optional(string)
 auth_redirects = optional(list(string))
 s3 = bool
 database = bool