serguzim/infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Remove minio oidc login

Browse source
This commit is contained in:
Tobias Reisinger 2025-06-08 18:09:24 +02:00
parent b336d01858
commit 4264017641
Signed by: serguzim
GPG key ID: 13AD60C237A28DFE
4 changed files with 3 additions and 38 deletions
modules/services
authentik.tf
playbooks/roles/minio/vars
main.yml
services.auto.tfvarsshell.nix

31
modules/services/authentik.tf
View file

@ -28,32 +28,6 @@ resource "authentik_user" "default" {
email = var.admin_email email = var.admin_email
} }
resource "authentik_property_mapping_provider_scope" "minio" {
name = "minio"
scope_name = "minio"
expression = <<EOF
if ak_is_group_member(request.user, name="${authentik_group.minio_admins.name}"):
return {
"minio_policy": "consoleAdmin",
}
elif ak_is_group_member(request.user, name="${authentik_group.minio_users.name}"):
return {
"minio_policy": "readonly"
}
return None
EOF
}
resource "authentik_group" "minio_admins" {
name = "Minio admins"
users = [authentik_user.default.id]
}
resource "authentik_group" "minio_users" {
name = "Minio users"
users = []
}
resource "authentik_group" "grafana_grafana_admins" { resource "authentik_group" "grafana_grafana_admins" {
name = "Grafana GrafanaAdmins" name = "Grafana GrafanaAdmins"
users = [authentik_user.default.id] users = [authentik_user.default.id]
@ -83,10 +57,7 @@ resource "authentik_provider_oauth2" "service_providers" {
matching_mode = "strict", matching_mode = "strict",
url = redir, url = redir,
}] }]
property_mappings = flatten([ property_mappings = data.authentik_property_mapping_provider_scope.default_scopes.ids
data.authentik_property_mapping_provider_scope.default_scopes.ids,
each.key == "minio" ? [authentik_property_mapping_provider_scope.minio.id] : []
])
signing_key = (each.value.auth_cert == "rsa" ? signing_key = (each.value.auth_cert == "rsa" ?
data.authentik_certificate_key_pair.rsa.id : data.authentik_certificate_key_pair.rsa.id :
data.authentik_certificate_key_pair.ecdsa.id) data.authentik_certificate_key_pair.ecdsa.id)

7
playbooks/roles/minio/vars/main.yml
View file

@ -20,13 +20,6 @@ minio_env:
MINIO_ROOT_USER: "{{ vault_minio.user }}" MINIO_ROOT_USER: "{{ vault_minio.user }}"
MINIO_ROOT_PASSWORD: "{{ vault_minio.pass }}" MINIO_ROOT_PASSWORD: "{{ vault_minio.pass }}"
MINIO_IDENTITY_OPENID_CONFIG_URL: "{{ (opentofu.authentik_data.minio.base_url, '.well-known/openid-configuration') | path_join }}"
MINIO_IDENTITY_OPENID_CLIENT_ID: "{{ opentofu.authentik_data.minio.client_id }}"
MINIO_IDENTITY_OPENID_CLIENT_SECRET: "{{ opentofu.authentik_data.minio.client_secret }}"
MINIO_IDENTITY_OPENID_CLAIM_NAME: minio_policy
MINIO_IDENTITY_OPENID_DISPLAY_NAME: auth.serguzim.me
MINIO_IDENTITY_OPENID_SCOPES: openid,email,profile,minio
minio_compose: minio_compose:
watchtower: update watchtower: update

2
services.auto.tfvars
View file

@ -497,7 +497,7 @@ services = {
url = "/minio/health/live" url = "/minio/health/live"
group = "7-support" group = "7-support"
} }
auth = true auth = false
auth_redirects = ["https://console.s3.serguzim.me/oauth_callback"] auth_redirects = ["https://console.s3.serguzim.me/oauth_callback"]
database = false database = false
}, },

1
shell.nix
View file

@ -5,6 +5,7 @@ mkShell {
ansible-lint ansible-lint
d2 d2
dnscontrol dnscontrol
minio-client
opentofu opentofu
python3Packages.jinja2 python3Packages.jinja2
python3Packages.bc-python-hcl2 python3Packages.bc-python-hcl2