serguzim/infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add minio to authentik

Browse source
This commit is contained in:
Tobias Reisinger 2024-10-09 01:33:24 +02:00
parent 0b838b52cc
commit 979a386831
Signed by: serguzim
GPG key ID: 13AD60C237A28DFE
3 changed files with 47 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

38
modules/services/authentik.tf
View file

@ -14,6 +14,39 @@ data "authentik_property_mapping_provider_scope" "default_scopes" {
] ]
} }
resource "authentik_user" "default" {
username = "serguzim"
name = "Tobias Reisinger"
email = "tobias@msrg.cc"
}
resource "authentik_property_mapping_provider_scope" "minio" {
name = "minio"
scope_name = "minio"
expression = <<EOF
if ak_is_group_member(request.user, name="${authentik_group.minio_admins.name}"):
return {
"minio_policy": "consoleAdmin",
}
elif ak_is_group_member(request.user, name="${authentik_group.minio_users.name}"):
return {
"minio_policy": "readonly"
}
return None
EOF
}
resource "authentik_group" "minio_admins" {
name = "Minio admins"
users = [authentik_user.default.id]
}
resource "authentik_group" "minio_users" {
name = "Minio users"
users = []
}
resource "authentik_provider_oauth2" "service_providers" { resource "authentik_provider_oauth2" "service_providers" {
for_each = local.services_auth for_each = local.services_auth
name = each.value.name name = each.value.name
@ -21,7 +54,10 @@ resource "authentik_provider_oauth2" "service_providers" {
client_id = each.value.name client_id = each.value.name
authorization_flow = data.authentik_flow.default_authorization_flow.id authorization_flow = data.authentik_flow.default_authorization_flow.id
redirect_uris = each.value.auth_redirects redirect_uris = each.value.auth_redirects
property_mappings = data.authentik_property_mapping_provider_scope.default_scopes.ids property_mappings = flatten([
data.authentik_property_mapping_provider_scope.default_scopes.ids,
each.key == "minio" ? [authentik_property_mapping_provider_scope.minio.id] : []
])
signing_key = data.authentik_certificate_key_pair.default.id signing_key = data.authentik_certificate_key_pair.default.id
} }

8
roles/minio/vars/main.yml
View file

@ -21,6 +21,14 @@ minio_env:
MINIO_ROOT_USER: "{{ vault_minio.user }}" MINIO_ROOT_USER: "{{ vault_minio.user }}"
MINIO_ROOT_PASSWORD: "{{ vault_minio.pass }}" MINIO_ROOT_PASSWORD: "{{ vault_minio.pass }}"
MINIO_IDENTITY_OPENID_CONFIG_URL: "{{ (opentofu.authentik_data.minio.base_url, '.well-known/openid-configuration') | path_join }}"
MINIO_IDENTITY_OPENID_CLIENT_ID: "{{ opentofu.authentik_data.minio.client_id }}"
MINIO_IDENTITY_OPENID_CLIENT_SECRET: "{{ opentofu.authentik_data.minio.client_secret }}"
MINIO_IDENTITY_OPENID_CLAIM_NAME: minio_policy
MINIO_IDENTITY_OPENID_DISPLAY_NAME: auth.serguzim.me
MINIO_IDENTITY_OPENID_SCOPES: openid,email,profile,minio
minio_compose: minio_compose:
watchtower: true watchtower: true
image: minio/minio image: minio/minio

3
services.auto.tfvars
View file

@ -280,7 +280,8 @@ services = {
url = "/minio/health/live" url = "/minio/health/live"
group = "7-support" group = "7-support"
} }
auth = false auth = true
auth_redirects = ["https://console.s3.serguzim.me/oauth_callback"]
database = false database = false
s3 = false s3 = false
}, },