From 4264017641c2218089709bdba8030be414e5ff03 Mon Sep 17 00:00:00 2001
From: Tobias Reisinger <tobias@msrg.cc>
Date: Sun, 8 Jun 2025 18:09:24 +0200
Subject: [PATCH] Remove minio oidc login
---
 modules/services/authentik.tf | 31 +----------------------------
 playbooks/roles/minio/vars/main.yml | 7 -------
 services.auto.tfvars | 2 +-
 shell.nix | 1 +
 4 files changed, 3 insertions(+), 38 deletions(-)
diff --git a/modules/services/authentik.tf b/modules/services/authentik.tf
index 80ce95d..618f8e1 100644
--- a/modules/services/authentik.tf
+++ b/modules/services/authentik.tf
@@ -28,32 +28,6 @@ resource "authentik_user" "default" {
 email = var.admin_email
 }
-resource "authentik_property_mapping_provider_scope" "minio" {
- name = "minio"
- scope_name = "minio"
- expression = <<EOF
-if ak_is_group_member(request.user, name="${authentik_group.minio_admins.name}"):
- return {
- "minio_policy": "consoleAdmin",
-}
-elif ak_is_group_member(request.user, name="${authentik_group.minio_users.name}"):
- return {
- "minio_policy": "readonly"
-}
-return None
-EOF
-}
-
-resource "authentik_group" "minio_admins" {
- name = "Minio admins"
- users = [authentik_user.default.id]
-}
-
-resource "authentik_group" "minio_users" {
- name = "Minio users"
- users = []
-}
-
 resource "authentik_group" "grafana_grafana_admins" {
 name = "Grafana GrafanaAdmins"
 users = [authentik_user.default.id]
@@ -83,10 +57,7 @@ resource "authentik_provider_oauth2" "service_providers" {
 matching_mode = "strict",
 url = redir,
 }]
- property_mappings = flatten([
- data.authentik_property_mapping_provider_scope.default_scopes.ids,
- each.key == "minio" ? [authentik_property_mapping_provider_scope.minio.id] : []
- ])
+ property_mappings = data.authentik_property_mapping_provider_scope.default_scopes.ids
 signing_key = (each.value.auth_cert == "rsa" ?
 data.authentik_certificate_key_pair.rsa.id :
 data.authentik_certificate_key_pair.ecdsa.id)
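Review bot: The new `property_mappings` line strips the `minio` scope from every `service_providers` instance, but whether the `minio` instance itself is still created depends on the `for_each` of `authentik_provider_oauth2.service_providers`, which lies outside this hunk; the `minio` entry in `services.auto.tfvars` keeps its `auth_redirects`, so if that filter keys on the redirect list rather than on `auth`, an OAuth2 client for `https://console.s3.serguzim.me/oauth_callback` stays registered in Authentik with no consumer. Confirm in the plan output that the provider and its client secret are destroyed rather than merely reduced to the default scopes, since Ansible previously exported that secret through `opentofu.authentik_data.minio`. Destroying `Minio admins` and `Minio users` removes their memberships as well, which appears to be the intended outcome. The `service_providers` resource body starts and ends outside the hunk.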
diff --git a/playbooks/roles/minio/vars/main.yml b/playbooks/roles/minio/vars/main.yml
index dca102b..1dc540c 100644
--- a/playbooks/roles/minio/vars/main.yml
+++ b/playbooks/roles/minio/vars/main.yml
@@ -20,13 +20,6 @@ minio_env:
 MINIO_ROOT_USER: "{{ vault_minio.user }}"
 MINIO_ROOT_PASSWORD: "{{ vault_minio.pass }}"
- MINIO_IDENTITY_OPENID_CONFIG_URL: "{{ (opentofu.authentik_data.minio.base_url, '.well-known/openid-configuration') | path_join }}"
- MINIO_IDENTITY_OPENID_CLIENT_ID: "{{ opentofu.authentik_data.minio.client_id }}"
- MINIO_IDENTITY_OPENID_CLIENT_SECRET: "{{ opentofu.authentik_data.minio.client_secret }}"
- MINIO_IDENTITY_OPENID_CLAIM_NAME: minio_policy
- MINIO_IDENTITY_OPENID_DISPLAY_NAME: auth.serguzim.me
- MINIO_IDENTITY_OPENID_SCOPES: openid,email,profile,minio
-
 minio_compose:
 watchtower: update
diff --git a/services.auto.tfvars b/services.auto.tfvars
index ccc7526..31914b3 100644
--- a/services.auto.tfvars
+++ b/services.auto.tfvars
@@ -497,7 +497,7 @@ services = {
 url = "/minio/health/live"
 group = "7-support"
 }
- auth = true
+ auth = false
 auth_redirects = ["https://console.s3.serguzim.me/oauth_callback"]
 database = false
 },
diff --git a/shell.nix b/shell.nix
index 77b4051..911432f 100644
--- a/shell.nix
+++ b/shell.nix
@@ -5,6 +5,7 @@ mkShell {
 ansible-lint
 d2
 dnscontrol
+ minio-client
 opentofu
 python3Packages.jinja2
 python3Packages.bc-python-hcl2
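Review bot: With the `MINIO_IDENTITY_OPENID_*` block removed, the only credentials left in `minio_env` are `MINIO_ROOT_USER` and `MINIO_ROOT_PASSWORD`, so console and API logins now use the root account unless separate MinIO users and policies are provisioned somewhere this patch does not show; the `minio-client` added to `shell.nix` suggests that is meant to happen by hand. The removed mapping also dropped the `consoleAdmin`/`readonly` split that the `minio_policy` claim carried, so a comment above the root variables should record the new state, e.g. `# OIDC login removed (see authentik.tf); access is root-only until per-user accounts and a read-only policy are created with mc`. The `minio_env` mapping starts outside the hunk.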
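Review bot: Flipping `auth` to `false` leaves `auth_redirects = ["https://console.s3.serguzim.me/oauth_callback"]` on the next line, a callback the console can no longer complete now that its OIDC client configuration is gone; it is dead configuration at best and, if the module registers redirect URIs independently of `auth`, a stale allowed redirect on the provider at worst. Either delete that line or set it to `auth_redirects = []` so the entry reads as intentionally unauthenticated rather than half-configured. The enclosing `services` map starts and ends outside the hunk.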