Add minio to authentik

2024-10-09 01:33:24 +02:00 · 2024-10-09 01:33:24 +02:00 · 979a386831
commit 979a386831
parent 0b838b52cc
3 changed files with 47 additions and 2 deletions
--- a/modules/services/authentik.tf
+++ b/modules/services/authentik.tf
@ -14,6 +14,39 @@ data "authentik_property_mapping_provider_scope" "default_scopes" {
  ]
 }

+resource "authentik_user" "default" {
+  username = "serguzim"
+  name     = "Tobias Reisinger"
+  email    = "tobias@msrg.cc"
+}
+
+resource "authentik_property_mapping_provider_scope" "minio" {
+  name       = "minio"
+  scope_name = "minio"
+  expression = <<EOF
+if ak_is_group_member(request.user, name="${authentik_group.minio_admins.name}"):
+  return {
+      "minio_policy": "consoleAdmin",
+}
+elif ak_is_group_member(request.user, name="${authentik_group.minio_users.name}"):
+  return {
+      "minio_policy": "readonly"
+}
+return None
+EOF
+}
+
+resource "authentik_group" "minio_admins" {
+  name         = "Minio admins"
+  users        = [authentik_user.default.id]
+}
+
+resource "authentik_group" "minio_users" {
+  name         = "Minio users"
+  users        = []
+}
+
+
 resource "authentik_provider_oauth2" "service_providers" {
  for_each           = local.services_auth
  name               = each.value.name
@ -21,7 +54,10 @@ resource "authentik_provider_oauth2" "service_providers" {
  client_id          = each.value.name
  authorization_flow = data.authentik_flow.default_authorization_flow.id
  redirect_uris      = each.value.auth_redirects
-  property_mappings  = data.authentik_property_mapping_provider_scope.default_scopes.ids
+  property_mappings  = flatten([
+      data.authentik_property_mapping_provider_scope.default_scopes.ids,
+      each.key == "minio" ? [authentik_property_mapping_provider_scope.minio.id] : []
+  ])
  signing_key        = data.authentik_certificate_key_pair.default.id
 }

--- a/roles/minio/vars/main.yml
+++ b/roles/minio/vars/main.yml
@ -21,6 +21,14 @@ minio_env:
  MINIO_ROOT_USER: "{{ vault_minio.user }}"
  MINIO_ROOT_PASSWORD: "{{ vault_minio.pass }}"

+  MINIO_IDENTITY_OPENID_CONFIG_URL: "{{ (opentofu.authentik_data.minio.base_url, '.well-known/openid-configuration') | path_join }}"
+  MINIO_IDENTITY_OPENID_CLIENT_ID: "{{ opentofu.authentik_data.minio.client_id }}"
+  MINIO_IDENTITY_OPENID_CLIENT_SECRET: "{{ opentofu.authentik_data.minio.client_secret }}"
+  MINIO_IDENTITY_OPENID_CLAIM_NAME: minio_policy
+  MINIO_IDENTITY_OPENID_DISPLAY_NAME: auth.serguzim.me
+  MINIO_IDENTITY_OPENID_SCOPES: openid,email,profile,minio
+
+
 minio_compose:
  watchtower: true
  image: minio/minio
--- a/services.auto.tfvars
+++ b/services.auto.tfvars
@ -280,7 +280,8 @@ services = {
      url = "/minio/health/live"
      group = "7-support"
    }
-    auth = false
+    auth = true
+    auth_redirects = ["https://console.s3.serguzim.me/oauth_callback"]
    database = false
    s3 = false
  },