diff --git a/infrastructure/terraform/authentik/applications.tf b/infrastructure/terraform/authentik/applications.tf
index 07a3239664..3a0275b85f 100644
--- a/infrastructure/terraform/authentik/applications.tf
+++ b/infrastructure/terraform/authentik/applications.tf
@@ -5,7 +5,7 @@
 # icon_url = "https://raw.githubusercontent.com/Prowlarr/Prowlarr/develop/Logo/128.png"
 # group = "Media"
 # slug = "prowlarr"
-# domain = data.doppler_secrets.this.map.DOMAIN
+# domain = module.secret_authentik.fields["domain"]
 # authorization_flow = resource.authentik_flow.provider-authorization-implicit-consent.uuid
 # auth_groups = [authentik_group.media.id]
 # }
@@ -17,7 +17,7 @@
 # icon_url = "https://github.com/Radarr/Radarr/raw/develop/Logo/128.png"
 # group = "Media"
 # slug = "radarr"
-# domain = data.doppler_secrets.this.map.DOMAIN
+# domain = module.secret_authentik.fields["domain"]
 # authorization_flow = resource.authentik_flow.provider-authorization-implicit-consent.uuid
 # auth_groups = [authentik_group.media.id]
 # }
@@ -29,7 +29,7 @@
 # icon_url = "https://github.com/Sonarr/Sonarr/raw/develop/Logo/128.png"
 # group = "Media"
 # slug = "sonarr"
-# domain = data.doppler_secrets.this.map.DOMAIN
+# domain = module.secret_authentik.fields["domain"]
 # authorization_flow = resource.authentik_flow.provider-authorization-implicit-consent.uuid
 # auth_groups = [authentik_group.media.id]
 # }
@@ -41,7 +41,7 @@
 # icon_url = "https://github.com/Sonarr/Sonarr/raw/develop/Logo/128.png"
 # group = "Media"
 # slug = "animarr"
-# domain = data.doppler_secrets.this.map.DOMAIN
+# domain = module.secret_authentik.fields["domain"]
 # authorization_flow = resource.authentik_flow.provider-authorization-implicit-consent.uuid
 # auth_groups = [authentik_group.media.id]
 # }
@@ -53,7 +53,7 @@
 # icon_url = "https://github.com/Lidarr/Lidarr/raw/develop/Logo/128.png"
 # group = "Media"
 # slug = "lidarr"
-# domain = data.doppler_secrets.this.map.DOMAIN
+# domain = module.secret_authentik.fields["domain"]
 # authorization_flow = resource.authentik_flow.provider-authorization-implicit-consent.uuid
 # auth_groups = [authentik_group.media.id]
 # }
@@ -65,7 +65,7 @@
 # icon_url = "https://github.com/Readarr/Readarr/raw/develop/Logo/128.png"
 # group = "Media"
 # slug = "readarr"
-# domain = data.doppler_secrets.this.map.DOMAIN
+# domain = module.secret_authentik.fields["domain"]
 # authorization_flow = resource.authentik_flow.provider-authorization-implicit-consent.uuid
 # auth_groups = [authentik_group.media.id]
 # }
@@ -76,7 +76,7 @@ module "proxy-whoogle" {
 description = "Search"
 icon_url = "https://raw.githubusercontent.com/benbusby/whoogle-search/main/app/static/img/favicon/apple-icon-120x120.png"
 slug = "search"
- domain = data.doppler_secrets.this.map.DOMAIN
+ domain = module.secret_authentik.fields["domain"]
 authorization_flow = resource.authentik_flow.provider-authorization-implicit-consent.uuid
 auth_groups = [authentik_group.search.id]
 access_token_validity = 720
@@ -88,7 +88,7 @@ module "proxy-frigate" {
 description = "DVR"
 icon_url = "https://raw.githubusercontent.com/blakeblackshear/frigate/dev/web/images/favicon-32x32.png"
 slug = "frigate"
- domain = data.doppler_secrets.this.map.DOMAIN
+ domain = module.secret_authentik.fields["domain"]
 authorization_flow = resource.authentik_flow.provider-authorization-implicit-consent.uuid
 group = "Home Automation"
 auth_groups = [authentik_group.home.id]
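Review bot: `access_token_validity = 720` in the `proxy-whoogle` call is still a bare number, but this same commit changes the proxy module's variable to `type = string` and passes it through untouched (`access_token_validity = var.access_token_validity` in proxy_application/main.tf), so authentik now receives `"720"` instead of the former `hours=720`. authentik expects the `key=value;...` duration form, so this will most likely be rejected at apply time, and if it were accepted it would not mean 30 days. Change the line to `access_token_validity = "hours=720"`, and consider whether a 30-day forward-auth session for the search proxy is actually wanted. The `proxy-whoogle` module call begins before this hunk.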
@@ -100,7 +100,7 @@ module "proxy-calibre-web" {
 name = "Calibre Web"
 description = "Books"
 slug = "calibre-web"
- domain = data.doppler_secrets.this.map.DOMAIN
+ domain = module.secret_authentik.fields["domain"]
 authorization_flow = resource.authentik_flow.provider-authorization-implicit-consent.uuid
 group = "Media"
 auth_groups = [authentik_group.media.id]
@@ -111,16 +111,16 @@ module "oauth2-immich" {
 source = "./oauth2_application"
 name = "Immich"
 icon_url = "https://github.com/immich-app/immich/raw/main/docs/static/img/favicon.png"
- launch_url = "https://photos.${data.doppler_secrets.this.map.DOMAIN}"
+ launch_url = "https://photos.${module.secret_authentik.fields["domain"]}"
 description = "Photo managment"
 newtab = true
 group = "Media"
 auth_groups = [authentik_group.media.id]
 authorization_flow = resource.authentik_flow.provider-authorization-implicit-consent.uuid
- client_id = data.doppler_secrets.this.map.IMMICH_OIDC_ID
- client_secret = data.doppler_secrets.this.map.IMMICH_OIDC_SECRET
+ client_id = module.secret_immich.fields["oidc_id"]
+ client_secret = module.secret_immich.fields["oidc_secret"]
 redirect_uris = [
- "https://photos.${data.doppler_secrets.this.map.DOMAIN}/auth/login",
+ "https://photos.${module.secret_authentik.fields["domain"]}/auth/login",
 "app.immich:/"
 ]
 }
@@ -129,54 +129,54 @@ module "oauth2-grafana" {
 source = "./oauth2_application"
 name = "Grafana"
 icon_url = "https://raw.githubusercontent.com/grafana/grafana/main/public/img/icons/mono/grafana.svg"
- launch_url = "https://grafana.${data.doppler_secrets.this.map.DOMAIN}"
+ launch_url = "https://grafana.${module.secret_authentik.fields["domain"]}"
 description = "Infrastructure graphs"
 newtab = true
 group = "Infrastructure"
 auth_groups = [authentik_group.infrastructure.id]
 authorization_flow = resource.authentik_flow.provider-authorization-implicit-consent.uuid
- client_id = data.doppler_secrets.this.map.GRAFANA_OIDC_ID
- client_secret = data.doppler_secrets.this.map.GRAFANA_OIDC_SECRET
- redirect_uris = ["https://grafana.${data.doppler_secrets.this.map.DOMAIN}/login/generic_oauth"]
+ client_id = module.secret_grafana.fields["oidc_id"]
+ client_secret = module.secret_grafana.fields["oidc_secret"]
+ redirect_uris = ["https://grafana.${module.secret_authentik.fields["domain"]}/login/generic_oauth"]
 }
 
 module "oauth2-tandoor" {
 source = "./oauth2_application"
 name = "Recipes"
 icon_url = "https://raw.githubusercontent.com/TandoorRecipes/recipes/develop/docs/logo_color.svg"
- launch_url = "https://recipes.${data.doppler_secrets.this.map.DOMAIN}"
+ launch_url = "https://recipes.${module.secret_authentik.fields["domain"]}"
 description = "Recipes"
 newtab = true
 group = "Media"
 auth_groups = [authentik_group.media.id]
 authorization_flow = resource.authentik_flow.provider-authorization-implicit-consent.uuid
- client_id = data.doppler_secrets.this.map.TANDOOR_OIDC_ID
- client_secret = data.doppler_secrets.this.map.TANDOOR_OIDC_SECRET
+ client_id = module.secret_tandoor.fields["oidc_id"]
+ client_secret = module.secret_tandoor.fields["oidc_secret"]
 include_claims_in_id_token = false
 sub_mode = "user_username"
- redirect_uris = ["https://recipes.${data.doppler_secrets.this.map.DOMAIN}/accounts/oidc/authentik/login/callback/"]
+ redirect_uris =
["https://recipes.${module.secret_authentik.fields["domain"]}/accounts/oidc/authentik/login/callback/"]
 }
 
 module "oauth2-paperless" {
 source = "./oauth2_application"
 name = "Paperless"
 icon_url = "https://raw.githubusercontent.com/paperless-ngx/paperless-ngx/dev/resources/logo/web/svg/Color%20logo%20-%20no%20background.svg"
- launch_url = "https://paperless.${data.doppler_secrets.this.map.DOMAIN}"
+ launch_url = "https://paperless.${module.secret_authentik.fields["domain"]}"
 description = "Documents"
 newtab = true
 group = "Groupware"
 auth_groups = [authentik_group.infrastructure.id]
 authorization_flow = resource.authentik_flow.provider-authorization-implicit-consent.uuid
- client_id = data.doppler_secrets.this.map.PAPERLESS_OIDC_ID
- client_secret = data.doppler_secrets.this.map.PAPERLESS_OIDC_SECRET
- redirect_uris = ["https://paperless.${data.doppler_secrets.this.map.DOMAIN}/accounts/oidc/authentik/login/callback/"]
+ client_id = module.secret_paperless.fields["oidc_id"]
+ client_secret = module.secret_paperless.fields["oidc_secret"]
+ redirect_uris = ["https://paperless.${module.secret_authentik.fields["domain"]}/accounts/oidc/authentik/login/callback/"]
 }
 
 # module "oauth2-forgejo" {
 # source = "./oauth2_application"
 # name = "Forgejo"
 # icon_url = "https://codeberg.org/forgejo/forgejo/raw/branch/forgejo/public/assets/img/forgejo.svg"
-# launch_url = "https://git.${data.doppler_secrets.this.map.DOMAIN}"
+# launch_url = "https://git.${module.secret_authentik.fields["domain"]}"
 # description = "Git"
 # newtab = true
 # group = "Infrastructure"
@@ -184,5 +184,5 @@ module "oauth2-paperless" {
 # authorization_flow = resource.authentik_flow.provider-authorization-implicit-consent.uuid
 # client_id = data.doppler_secrets.this.map.FORGEJO_OIDC_ID
 # client_secret = data.doppler_secrets.this.map.FORGEJO_OIDC_SECRET
-# redirect_uris = ["https://git.${data.doppler_secrets.this.map.DOMAIN}/accounts/oidc/authentik/login/callback/"]
+# redirect_uris = ["https://git.${module.secret_authentik.fields["domain"]}/accounts/oidc/authentik/login/callback/"]
 # }
diff --git a/infrastructure/terraform/authentik/directory.tf b/infrastructure/terraform/authentik/directory.tf
index 39f82ac2a6..01eefd1bcf 100644
--- a/infrastructure/terraform/authentik/directory.tf
+++ b/infrastructure/terraform/authentik/directory.tf
@@ -1,3 +1,11 @@
+data "authentik_group" "admins" {
+ name = "authentik Admins"
+}
+
+resource "authentik_group" "superusers" {
+ name = "superusers"
+}
+
 resource "authentik_group" "users" {
 name = "users"
 is_superuser = false
@@ -25,7 +33,3 @@ resource "authentik_group" "search" {
 is_superuser = false
 parent = resource.authentik_group.users.id
 }
-
-data "authentik_group" "admins" {
- name = "authentik Admins"
-}
diff --git a/infrastructure/terraform/authentik/doppler.tf b/infrastructure/terraform/authentik/doppler.tf
deleted file mode 100644
index 4efa5c7146..0000000000
--- a/infrastructure/terraform/authentik/doppler.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-# Configure the Doppler provider with the token
-provider "doppler" {
-
-}
-
-# Define our data source to fetch secrets
-data "doppler_secrets" "this" {
- project="authentik"
- config="prd"
-}
diff --git a/infrastructure/terraform/authentik/main.tf b/infrastructure/terraform/authentik/main.tf
index 057baa5ff2..e94d2023a6 100644
--- a/infrastructure/terraform/authentik/main.tf
+++ b/infrastructure/terraform/authentik/main.tf
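Review bot: The new `authentik_group.superusers` in directory.tf sets only `name`; every other group in this file states `is_superuser` explicitly, so here the provider default (false) applies and a group called `superusers` carries no superuser rights, while its name invites someone to add accounts to it expecting admin access. Either make the intent explicit with `is_superuser = true` plus a comment on who may be a member and why it exists alongside the built-in `authentik Admins` data source directly above, or rename it to what it actually grants. Nothing visible in this diff references the group, though the rest of the file is not shown here.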
@@ -11,26 +11,47 @@ terraform {
 source = "goauthentik/authentik"
 version = "2024.4.2"
 }
- doppler = {
- source = "DopplerHQ/doppler"
- version = "1.7.1"
- }
 }
 }
 
-# module "secret_authentik" {
-# # Remember to export OP_CONNECT_HOST and OP_CONNECT_TOKEN
+module "secret_authentik" {
+ # Remember to export OP_CONNECT_HOST and OP_CONNECT_TOKEN
+ source = "github.com/bjw-s/terraform-1password-item?ref=main"
+ vault = "k8s-home-ops"
+ item = "authentik"
+}
+
+module "secret_immich" {
+ source = "github.com/bjw-s/terraform-1password-item?ref=main"
+ vault = "k8s-home-ops"
+ item = "immich"
+}
+
+module "secret_grafana" {
+ source = "github.com/bjw-s/terraform-1password-item?ref=main"
+ vault = "k8s-home-ops"
+ item = "grafana"
+}
+
+module "secret_tandoor" {
+ source = "github.com/bjw-s/terraform-1password-item?ref=main"
+ vault = "k8s-home-ops"
+ item = "tandoor"
+}
+
+module "secret_paperless" {
+ source = "github.com/bjw-s/terraform-1password-item?ref=main"
+ vault = "k8s-home-ops"
+ item = "paperless"
+}
+
+# module "secret_ocis" {
 # source = "github.com/bjw-s/terraform-1password-item?ref=main"
 # vault = "k8s-home-ops"
-# item = "authentik"
-# }
-
-# provider "authentik" {
-# url = module.secret_authentik.fields["endpoint"]
-# token = module.secret_authentik.fields["tf_token"]
+# item = "ocis"
 # }
 
 provider "authentik" {
- url = data.doppler_secrets.this.map.ENDPOINT
- token = data.doppler_secrets.this.map.TF_TOKEN
+ url = module.secret_authentik.fields["endpoint"]
+ token = module.secret_authentik.fields["tf_token"]
 }
diff --git a/infrastructure/terraform/authentik/oauth2_application/main.tf b/infrastructure/terraform/authentik/oauth2_application/main.tf
index ea4a94e78f..9a5da636a8 100644
--- a/infrastructure/terraform/authentik/oauth2_application/main.tf
+++ b/infrastructure/terraform/authentik/oauth2_application/main.tf
@@ -2,7 +2,6 @@ terraform {
 required_providers {
 authentik = {
 source = "goauthentik/authentik"
- version = "2024.4.2"
 }
 }
 }
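Review bot: All five `secret_*` modules pull `github.com/bjw-s/terraform-1password-item?ref=main`, a mutable branch, and this module is the code that consumes the 1Password Connect token from the environment and hands back the authentik API token (`tf_token`) and every OIDC client secret, so a force-pushed or compromised upstream branch would run with those secrets on the next `terraform init -upgrade`. Pin each call to an immutable ref, e.g. `source = "github.com/bjw-s/terraform-1password-item?ref=<tag-or-commit-sha>"`, and keep the pin identical across the five calls. Terraform state will also hold these field values in plaintext, which is unchanged from the Doppler setup but worth stating next to the `# Remember to export OP_CONNECT_HOST and OP_CONNECT_TOKEN` comment so the state backend is protected like the vault.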
@@ -15,10 +14,15 @@ data "authentik_scope_mapping" "scopes" {
 managed_list = [
 "goauthentik.io/providers/oauth2/scope-email",
 "goauthentik.io/providers/oauth2/scope-openid",
- "goauthentik.io/providers/oauth2/scope-profile"
+ "goauthentik.io/providers/oauth2/scope-profile",
+ "goauthentik.io/providers/oauth2/scope-offline_access"
 ]
 }
 
+resource "random_password" "client_secret" {
+ length = 52
+}
+
 resource "authentik_provider_oauth2" "oauth2-application" {
 name = var.name
 client_id = var.client_id
@@ -29,7 +33,7 @@ resource "authentik_provider_oauth2" "oauth2-application" {
 include_claims_in_id_token = var.include_claims_in_id_token
 issuer_mode = var.issuer_mode
 sub_mode = var.sub_mode
- access_code_validity = "hours=${var.access_code_validity}"
+ access_code_validity = var.access_code_validity
 property_mappings = concat(data.authentik_scope_mapping.scopes.ids, var.additional_property_mappings)
 redirect_uris = var.redirect_uris
 }
diff --git a/infrastructure/terraform/authentik/oauth2_application/variables.tf b/infrastructure/terraform/authentik/oauth2_application/variables.tf
index e1cad8bb71..375d3bb2f8 100644
--- a/infrastructure/terraform/authentik/oauth2_application/variables.tf
+++ b/infrastructure/terraform/authentik/oauth2_application/variables.tf
@@ -64,8 +64,8 @@ variable "sub_mode" {
 }
 
 variable "access_code_validity" {
- type = number
- default = 24
+ type = string
+ default = "weeks=8"
 }
 
 variable "additional_property_mappings" {
@@ -76,3 +76,11 @@ variable "additional_property_mappings" {
 variable "redirect_uris" {
 type = list(string)
 }
+
+locals {
+ client_secret = (
+ var.client_type == "confidential"
+ ? var.client_secret != null ? var.client_secret : random_password.client_secret.result
+ : null
+ )
+}
diff --git a/infrastructure/terraform/authentik/proxy_application/main.tf b/infrastructure/terraform/authentik/proxy_application/main.tf
index 1854ecadea..c8edf21e45 100644
--- a/infrastructure/terraform/authentik/proxy_application/main.tf
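Review bot: Adding `scope-offline_access` to the shared `scopes` data source hands refresh tokens to every OAuth2 application built from this module, whether or not it needs them, which extends how long a leaked client credential or token stays usable. Make it opt-in instead, with a boolean `offline_access` variable (default `false`) whose mapping is appended only when set. The new `random_password.client_secret` is not referenced in the visible lines of `authentik_provider_oauth2` (only `client_id = var.client_id` is shown; the `client_secret` argument lies outside the hunk), so confirm it is wired through `local.client_secret`, and add `random = { source = "hashicorp/random" }` to this module's `required_providers` now that the module depends on it. The generated secret will be stored in plaintext in Terraform state, which a comment above the resource should say.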
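Review bot: `default = "weeks=8"` for `access_code_validity` in variables.tf is the lifetime of the OAuth2 authorization code (the short-lived `code` returned to the redirect URI), not of the access token, and the new `access_code_validity = var.access_code_validity` line in main.tf now passes it straight through; RFC 6749 §4.1.2 recommends a maximum of roughly ten minutes and authentik's own default is on the order of a minute, so an eight-week window lets an unredeemed code captured from logs or browser history be exchanged two months later. Restore a short default such as `default = "minutes=1"` and, if the intent was longer sessions, set `access_token_validity` / `refresh_token_validity` on the provider instead. A comment on the variable stating which lifetime it controls would prevent the same confusion next time.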
+++ b/infrastructure/terraform/authentik/proxy_application/main.tf
@@ -2,7 +2,6 @@ terraform {
 required_providers {
 authentik = {
 source = "goauthentik/authentik"
- version = "2024.4.2"
 }
 }
 }
@@ -12,7 +11,7 @@ resource "authentik_provider_proxy" "proxy_provider" {
 external_host = "https://${var.slug}.${var.domain}"
 mode = "forward_single"
 authorization_flow = var.authorization_flow
- access_token_validity = "hours=${var.access_token_validity}"
+ access_token_validity = var.access_token_validity
 skip_path_regex = var.ignore_paths
 }
 
diff --git a/infrastructure/terraform/authentik/proxy_application/variables.tf b/infrastructure/terraform/authentik/proxy_application/variables.tf
index c7e06e65f2..aeb9ab7f6a 100644
--- a/infrastructure/terraform/authentik/proxy_application/variables.tf
+++ b/infrastructure/terraform/authentik/proxy_application/variables.tf
@@ -11,8 +11,8 @@ variable "slug" {
 }
 
 variable "access_token_validity" {
- type = number
- default = 24
+ type = string
+ default = "weeks=8"
 }
 
 variable "authorization_flow" {
diff --git a/infrastructure/terraform/authentik/stages.tf b/infrastructure/terraform/authentik/stages.tf
index 0d39127048..a5258700ac 100644
--- a/infrastructure/terraform/authentik/stages.tf
+++ b/infrastructure/terraform/authentik/stages.tf
@@ -2,7 +2,7 @@
 resource "authentik_stage_authenticator_totp" "authenticator-totp-setup" {
 name = "authenticator-totp-setup"
- # digits = 6
+ digits = 6
 configure_flow = authentik_flow.authenticator-totp-setup.uuid
 }
 
@@ -38,8 +38,8 @@ resource "authentik_stage_authenticator_validate" "authentication-mfa-validation
 device_classes = ["static", "totp", "webauthn"]
 not_configured_action = "configure"
 configuration_stages = [
- authentik_stage_authenticator_totp.authenticator-totp-setup.id,
- authentik_stage_authenticator_webauthn.authenticator-webauthn-setup.id
+ authentik_stage_authenticator_webauthn.authenticator-webauthn-setup.id,
+ authentik_stage_authenticator_totp.authenticator-totp-setup.id
 ]
 }
 
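Review bot: `default = "weeks=8"` for the proxy module's `access_token_validity`, which `proxy_application/main.tf` now passes straight to `authentik_provider_proxy`, turns every forward-auth session into an eight-week credential, up from the previous 24 hours, so a stolen outpost session cookie remains valid for two months regardless of later password or group changes. Pick a short default, e.g. `default = "hours=24"`, and let individual callers raise it where a longer session is justified. Add a comment on the variable that this is the authenticated-session lifetime enforced by the outpost, in authentik's `key=value;...` duration form, so callers do not pass a bare number.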
diff --git a/infrastructure/terraform/authentik/system.tf b/infrastructure/terraform/authentik/system.tf
index d0ff73dc62..1658068a9e 100644
--- a/infrastructure/terraform/authentik/system.tf
+++ b/infrastructure/terraform/authentik/system.tf
@@ -3,7 +3,7 @@
 data "authentik_certificate_key_pair" "generated" {
 }
 
 # resource "authentik_brand" "home" {
-# domain = data.doppler_secrets.this.map.DOMAIN
+ # domain = module.secret_authentik.fields["domain"]
 # default = false
 # branding_title = "Home"
@@ -33,10 +33,10 @@ resource "authentik_outpost" "proxyoutpost" {
 module.proxy-calibre-web.id
 ]
 config = jsonencode({
- authentik_host = "https://auth.${data.doppler_secrets.this.map.DOMAIN}",
+ authentik_host = "https://auth.${module.secret_authentik.fields["domain"]}",
 authentik_host_insecure = false,
 authentik_host_browser = "",
- log_level = "info",
+ log_level = "debug",
 object_naming_template = "ak-outpost-%(name)s",
 docker_network = null,
 docker_map_ports = true,
@@ -47,7 +47,6 @@ resource "authentik_outpost" "proxyoutpost" {
 kubernetes_ingress_annotations = {
 "cert-manager.io/cluster-issuer" = "letsencrypt-production"
 },
- kubernetes_ingress_class_name = "external",
 kubernetes_ingress_secret_name = "proxy-outpost-tls",
 kubernetes_service_type = "ClusterIP",
 kubernetes_disabled_components = [],
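Review bot: `log_level = "debug"` on the `proxyoutpost` config is a production setting here (the outpost talks to `https://auth.<domain>` with `authentik_host_insecure = false` and a Let's Encrypt production issuer), and at debug the outpost logs proxied requests in detail, which depending on the outpost version may include paths, query strings and headers, where session cookies and forward-auth tokens travel. If this was only for troubleshooting the Doppler to 1Password move, revert to `log_level = "info",` before merge, or leave a dated `# TODO` next to it saying why debug is needed and when it goes back. The `authentik_outpost` resource starts before this hunk.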
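Review bot: Dropping `kubernetes_ingress_class_name = "external"` means the outpost's Ingress (TLS secret `proxy-outpost-tls`, issued by `letsencrypt-production`) now binds to whichever ingress class is the cluster default, which is not visible here; if that default is a different controller the forward-auth endpoints for every proxied application either stop being reachable or become reachable on a network boundary they were deliberately kept off. Either keep the explicit class, or add a comment naming the default class being relied on and stating that the change in exposure is intended. The `authentik_outpost` resource continues outside this hunk, so any replacement setting there is not visible.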