update authentik tf

cbc02009 · May 31, 2024 · 0be6b01 · 0be6b01
1 parent 95e8f74
commit 0be6b01
Show file tree

Hide file tree

Showing 10 changed files with 96 additions and 71 deletions.
diff --git a/infrastructure/terraform/authentik/applications.tf b/infrastructure/terraform/authentik/applications.tf
@@ -5,7 +5,7 @@
 #   icon_url           = "https://raw.githubusercontent.com/Prowlarr/Prowlarr/develop/Logo/128.png"
 #   group              = "Media"
 #   slug               = "prowlarr"
-#   domain             = data.doppler_secrets.this.map.DOMAIN
+#   domain             = module.secret_authentik.fields["domain"]
 #   authorization_flow = resource.authentik_flow.provider-authorization-implicit-consent.uuid
 #   auth_groups        = [authentik_group.media.id]
 # }
@@ -17,7 +17,7 @@
 #   icon_url           = "https://github.com/Radarr/Radarr/raw/develop/Logo/128.png"
 #   group              = "Media"
 #   slug               = "radarr"
-#   domain             = data.doppler_secrets.this.map.DOMAIN
+#   domain             = module.secret_authentik.fields["domain"]
 #   authorization_flow = resource.authentik_flow.provider-authorization-implicit-consent.uuid
 #   auth_groups        = [authentik_group.media.id]
 # }
@@ -29,7 +29,7 @@
 #   icon_url           = "https://github.com/Sonarr/Sonarr/raw/develop/Logo/128.png"
 #   group              = "Media"
 #   slug               = "sonarr"
-#   domain             = data.doppler_secrets.this.map.DOMAIN
+#   domain             = module.secret_authentik.fields["domain"]
 #   authorization_flow = resource.authentik_flow.provider-authorization-implicit-consent.uuid
 #   auth_groups        = [authentik_group.media.id]
 # }
@@ -41,7 +41,7 @@
 #   icon_url           = "https://github.com/Sonarr/Sonarr/raw/develop/Logo/128.png"
 #   group              = "Media"
 #   slug               = "animarr"
-#   domain             = data.doppler_secrets.this.map.DOMAIN
+#   domain             = module.secret_authentik.fields["domain"]
 #   authorization_flow = resource.authentik_flow.provider-authorization-implicit-consent.uuid
 #   auth_groups        = [authentik_group.media.id]
 # }
@@ -53,7 +53,7 @@
 #   icon_url           = "https://github.com/Lidarr/Lidarr/raw/develop/Logo/128.png"
 #   group              = "Media"
 #   slug               = "lidarr"
-#   domain             = data.doppler_secrets.this.map.DOMAIN
+#   domain             = module.secret_authentik.fields["domain"]
 #   authorization_flow = resource.authentik_flow.provider-authorization-implicit-consent.uuid
 #   auth_groups        = [authentik_group.media.id]
 # }
@@ -65,7 +65,7 @@
 #   icon_url           = "https://github.com/Readarr/Readarr/raw/develop/Logo/128.png"
 #   group              = "Media"
 #   slug               = "readarr"
-#   domain             = data.doppler_secrets.this.map.DOMAIN
+#   domain             = module.secret_authentik.fields["domain"]
 #   authorization_flow = resource.authentik_flow.provider-authorization-implicit-consent.uuid
 #   auth_groups        = [authentik_group.media.id]
 # }
@@ -76,7 +76,7 @@ module "proxy-whoogle" {
   description        = "Search"
   icon_url           = "https://raw.githubusercontent.com/benbusby/whoogle-search/main/app/static/img/favicon/apple-icon-120x120.png"
   slug               = "search"
-  domain             = data.doppler_secrets.this.map.DOMAIN
+  domain             = module.secret_authentik.fields["domain"]
   authorization_flow = resource.authentik_flow.provider-authorization-implicit-consent.uuid
   auth_groups        = [authentik_group.search.id]
   access_token_validity = 720
@@ -88,7 +88,7 @@ module "proxy-frigate" {
   description        = "DVR"
   icon_url           = "https://raw.githubusercontent.com/blakeblackshear/frigate/dev/web/images/favicon-32x32.png"
   slug               = "frigate"
-  domain             = data.doppler_secrets.this.map.DOMAIN
+  domain             = module.secret_authentik.fields["domain"]
   authorization_flow = resource.authentik_flow.provider-authorization-implicit-consent.uuid
   group              = "Home Automation"
   auth_groups        = [authentik_group.home.id]
@@ -100,7 +100,7 @@ module "proxy-calibre-web" {
   name               = "Calibre Web"
   description        = "Books"
   slug               = "calibre-web"
-  domain             = data.doppler_secrets.this.map.DOMAIN
+  domain             = module.secret_authentik.fields["domain"]
   authorization_flow = resource.authentik_flow.provider-authorization-implicit-consent.uuid
   group              = "Media"
   auth_groups        = [authentik_group.media.id]
@@ -111,16 +111,16 @@ module "oauth2-immich" {
   source             = "./oauth2_application"
   name               = "Immich"
   icon_url           = "https://github.com/immich-app/immich/raw/main/docs/static/img/favicon.png"
-  launch_url         = "https://photos.${data.doppler_secrets.this.map.DOMAIN}"
+  launch_url         = "https://photos.${module.secret_authentik.fields["domain"]}"
   description        = "Photo managment"
   newtab             = true
   group              = "Media"
   auth_groups        = [authentik_group.media.id]
   authorization_flow = resource.authentik_flow.provider-authorization-implicit-consent.uuid
-  client_id          = data.doppler_secrets.this.map.IMMICH_OIDC_ID
-  client_secret      = data.doppler_secrets.this.map.IMMICH_OIDC_SECRET
+  client_id          = module.secret_immich.fields["oidc_id"]
+  client_secret      = module.secret_immich.fields["oidc_secret"]
   redirect_uris = [
-    "https://photos.${data.doppler_secrets.this.map.DOMAIN}/auth/login",
+    "https://photos.${module.secret_authentik.fields["domain"]}/auth/login",
     "app.immich:/"
   ]
 }
@@ -129,60 +129,60 @@ module "oauth2-grafana" {
   source             = "./oauth2_application"
   name               = "Grafana"
   icon_url           = "https://raw.githubusercontent.com/grafana/grafana/main/public/img/icons/mono/grafana.svg"
-  launch_url         = "https://grafana.${data.doppler_secrets.this.map.DOMAIN}"
+  launch_url         = "https://grafana.${module.secret_authentik.fields["domain"]}"
   description        = "Infrastructure graphs"
   newtab             = true
   group              = "Infrastructure"
   auth_groups        = [authentik_group.infrastructure.id]
   authorization_flow = resource.authentik_flow.provider-authorization-implicit-consent.uuid
-  client_id          = data.doppler_secrets.this.map.GRAFANA_OIDC_ID
-  client_secret      = data.doppler_secrets.this.map.GRAFANA_OIDC_SECRET
-  redirect_uris      = ["https://grafana.${data.doppler_secrets.this.map.DOMAIN}/login/generic_oauth"]
+  client_id          = module.secret_grafana.fields["oidc_id"]
+  client_secret      = module.secret_grafana.fields["oidc_secret"]
+  redirect_uris      = ["https://grafana.${module.secret_authentik.fields["domain"]}/login/generic_oauth"]
 }
 
 module "oauth2-tandoor" {
   source                     = "./oauth2_application"
   name                       = "Recipes"
   icon_url                   = "https://raw.githubusercontent.com/TandoorRecipes/recipes/develop/docs/logo_color.svg"
-  launch_url                 = "https://recipes.${data.doppler_secrets.this.map.DOMAIN}"
+  launch_url                 = "https://recipes.${module.secret_authentik.fields["domain"]}"
   description                = "Recipes"
   newtab                     = true
   group                      = "Media"
   auth_groups                = [authentik_group.media.id]
   authorization_flow         = resource.authentik_flow.provider-authorization-implicit-consent.uuid
-  client_id                  = data.doppler_secrets.this.map.TANDOOR_OIDC_ID
-  client_secret              = data.doppler_secrets.this.map.TANDOOR_OIDC_SECRET
+  client_id                  = module.secret_tandoor.fields["oidc_id"]
+  client_secret              = module.secret_tandoor.fields["oidc_secret"]
   include_claims_in_id_token = false
   sub_mode                   = "user_username"
-  redirect_uris              = ["https://recipes.${data.doppler_secrets.this.map.DOMAIN}/accounts/oidc/authentik/login/callback/"]
+  redirect_uris              = ["https://recipes.${module.secret_authentik.fields["domain"]}/accounts/oidc/authentik/login/callback/"]
 }
 
 module "oauth2-paperless" {
   source = "./oauth2_application"
   name = "Paperless"
   icon_url = "https://raw.githubusercontent.com/paperless-ngx/paperless-ngx/dev/resources/logo/web/svg/Color%20logo%20-%20no%20background.svg"
-  launch_url = "https://paperless.${data.doppler_secrets.this.map.DOMAIN}"
+  launch_url = "https://paperless.${module.secret_authentik.fields["domain"]}"
   description = "Documents"
   newtab = true
   group = "Groupware"
   auth_groups = [authentik_group.infrastructure.id]
   authorization_flow = resource.authentik_flow.provider-authorization-implicit-consent.uuid
-  client_id          = data.doppler_secrets.this.map.PAPERLESS_OIDC_ID
-  client_secret      = data.doppler_secrets.this.map.PAPERLESS_OIDC_SECRET
-  redirect_uris = ["https://paperless.${data.doppler_secrets.this.map.DOMAIN}/accounts/oidc/authentik/login/callback/"]
+  client_id          = module.secret_paperless.fields["oidc_id"]
+  client_secret      = module.secret_paperless.fields["oidc_secret"]
+  redirect_uris = ["https://paperless.${module.secret_authentik.fields["domain"]}/accounts/oidc/authentik/login/callback/"]
 }
 
 # module "oauth2-forgejo" {
 #   source = "./oauth2_application"
 #   name = "Forgejo"
 #   icon_url = "https://codeberg.org/forgejo/forgejo/raw/branch/forgejo/public/assets/img/forgejo.svg"
-#   launch_url = "https://git.${data.doppler_secrets.this.map.DOMAIN}"
+#   launch_url = "https://git.${module.secret_authentik.fields["domain"]}"
 #   description = "Git"
 #   newtab = true
 #   group = "Infrastructure"
 #   auth_groups = [authentik_group.infrastructure.id]
 #   authorization_flow = resource.authentik_flow.provider-authorization-implicit-consent.uuid
 #   client_id          = data.doppler_secrets.this.map.FORGEJO_OIDC_ID
 #   client_secret      = data.doppler_secrets.this.map.FORGEJO_OIDC_SECRET
-#   redirect_uris = ["https://git.${data.doppler_secrets.this.map.DOMAIN}/accounts/oidc/authentik/login/callback/"]
+#   redirect_uris = ["https://git.${module.secret_authentik.fields["domain"]}/accounts/oidc/authentik/login/callback/"]
 # }
diff --git a/infrastructure/terraform/authentik/directory.tf b/infrastructure/terraform/authentik/directory.tf
@@ -1,3 +1,11 @@
+data "authentik_group" "admins" {
+  name = "authentik Admins"
+}
+
+resource "authentik_group" "superusers" {
+  name = "superusers"
+}
+
 resource "authentik_group" "users" {
   name         = "users"
   is_superuser = false
@@ -25,7 +33,3 @@ resource "authentik_group" "search" {
   is_superuser = false
   parent       = resource.authentik_group.users.id
 }
-
-data "authentik_group" "admins" {
-  name = "authentik Admins"
-}
diff --git a/infrastructure/terraform/authentik/doppler.tf b/infrastructure/terraform/authentik/doppler.tf
diff --git a/infrastructure/terraform/authentik/main.tf b/infrastructure/terraform/authentik/main.tf
@@ -11,26 +11,47 @@ terraform {
       source  = "goauthentik/authentik"
       version = "2024.4.2"
     }
-    doppler = {
-      source = "DopplerHQ/doppler"
-      version = "1.7.1"
-    }
   }
 }
 
-# module "secret_authentik" {
-#   # Remember to export OP_CONNECT_HOST and OP_CONNECT_TOKEN
+module "secret_authentik" {
+  # Remember to export OP_CONNECT_HOST and OP_CONNECT_TOKEN
+  source = "github.com/bjw-s/terraform-1password-item?ref=main"
+  vault  = "k8s-home-ops"
+  item   = "authentik"
+}
+
+module "secret_immich" {
+  source = "github.com/bjw-s/terraform-1password-item?ref=main"
+  vault  = "k8s-home-ops"
+  item   = "immich"
+}
+
+module "secret_grafana" {
+  source = "github.com/bjw-s/terraform-1password-item?ref=main"
+  vault  = "k8s-home-ops"
+  item   = "grafana"
+}
+
+module "secret_tandoor" {
+  source = "github.com/bjw-s/terraform-1password-item?ref=main"
+  vault  = "k8s-home-ops"
+  item   = "tandoor"
+}
+
+module "secret_paperless" {
+  source = "github.com/bjw-s/terraform-1password-item?ref=main"
+  vault  = "k8s-home-ops"
+  item   = "paperless"
+}
+
+# module "secret_ocis" {
 #   source = "github.com/bjw-s/terraform-1password-item?ref=main"
 #   vault  = "k8s-home-ops"
-#   item   = "authentik"
-# }
-
-# provider "authentik" {
-#   url   = module.secret_authentik.fields["endpoint"]
-#   token = module.secret_authentik.fields["tf_token"]
+#   item   = "ocis"
 # }
 
 provider "authentik" {
-  url   = data.doppler_secrets.this.map.ENDPOINT
-  token = data.doppler_secrets.this.map.TF_TOKEN
+  url   = module.secret_authentik.fields["endpoint"]
+  token = module.secret_authentik.fields["tf_token"]
 }
diff --git a/infrastructure/terraform/authentik/oauth2_application/main.tf b/infrastructure/terraform/authentik/oauth2_application/main.tf
@@ -2,7 +2,6 @@ terraform {
   required_providers {
     authentik = {
       source  = "goauthentik/authentik"
-      version = "2024.4.2"
     }
   }
 }
@@ -15,10 +14,15 @@ data "authentik_scope_mapping" "scopes" {
   managed_list = [
     "goauthentik.io/providers/oauth2/scope-email",
     "goauthentik.io/providers/oauth2/scope-openid",
-    "goauthentik.io/providers/oauth2/scope-profile"
+    "goauthentik.io/providers/oauth2/scope-profile",
+    "goauthentik.io/providers/oauth2/scope-offline_access"
   ]
 }
 
+resource "random_password" "client_secret" {
+  length = 52
+}
+
 resource "authentik_provider_oauth2" "oauth2-application" {
   name                       = var.name
   client_id                  = var.client_id
@@ -29,7 +33,7 @@ resource "authentik_provider_oauth2" "oauth2-application" {
   include_claims_in_id_token = var.include_claims_in_id_token
   issuer_mode                = var.issuer_mode
   sub_mode                   = var.sub_mode
-  access_code_validity       = "hours=${var.access_code_validity}"
+  access_code_validity       = var.access_code_validity
   property_mappings          = concat(data.authentik_scope_mapping.scopes.ids, var.additional_property_mappings)
   redirect_uris              = var.redirect_uris
 }

diff --git a/infrastructure/terraform/authentik/oauth2_application/variables.tf b/infrastructure/terraform/authentik/oauth2_application/variables.tf
@@ -64,8 +64,8 @@ variable "sub_mode" {
 }
 
 variable "access_code_validity" {
-  type    = number
-  default = 24
+  type    = string
+  default = "weeks=8"
 }
 
 variable "additional_property_mappings" {
@@ -76,3 +76,11 @@ variable "additional_property_mappings" {
 variable "redirect_uris" {
   type = list(string)
 }
+
+locals {
+  client_secret = (
+    var.client_type == "confidential"
+    ? var.client_secret != null ? var.client_secret : random_password.client_secret.result
+    : null
+  )
+}
diff --git a/infrastructure/terraform/authentik/proxy_application/main.tf b/infrastructure/terraform/authentik/proxy_application/main.tf
@@ -2,7 +2,6 @@ terraform {
   required_providers {
     authentik = {
       source  = "goauthentik/authentik"
-      version = "2024.4.2"
     }
   }
 }
@@ -12,7 +11,7 @@ resource "authentik_provider_proxy" "proxy_provider" {
   external_host         = "https://${var.slug}.${var.domain}"
   mode                  = "forward_single"
   authorization_flow    = var.authorization_flow
-  access_token_validity = "hours=${var.access_token_validity}"
+  access_token_validity = var.access_token_validity
   skip_path_regex       = var.ignore_paths
 }
 

diff --git a/infrastructure/terraform/authentik/proxy_application/variables.tf b/infrastructure/terraform/authentik/proxy_application/variables.tf
@@ -11,8 +11,8 @@ variable "slug" {
 }
 
 variable "access_token_validity" {
-  type    = number
-  default = 24
+  type    = string
+  default = "weeks=8"
 }
 
 variable "authorization_flow" {

diff --git a/infrastructure/terraform/authentik/stages.tf b/infrastructure/terraform/authentik/stages.tf
@@ -2,7 +2,7 @@
 
 resource "authentik_stage_authenticator_totp" "authenticator-totp-setup" {
   name           = "authenticator-totp-setup"
-  # digits         = 6
+  digits         = 6
   configure_flow = authentik_flow.authenticator-totp-setup.uuid
 }
 
@@ -38,8 +38,8 @@ resource "authentik_stage_authenticator_validate" "authentication-mfa-validation
   device_classes        = ["static", "totp", "webauthn"]
   not_configured_action = "configure"
   configuration_stages = [
-    authentik_stage_authenticator_totp.authenticator-totp-setup.id,
-    authentik_stage_authenticator_webauthn.authenticator-webauthn-setup.id
+    authentik_stage_authenticator_webauthn.authenticator-webauthn-setup.id,
+    authentik_stage_authenticator_totp.authenticator-totp-setup.id
   ]
 }