feat: add netbird docker

2024-09-16 16:15:01 +02:00 · 2024-09-16 16:15:01 +02:00 · 50049547b6
commit 50049547b6
parent 508d37d2a4
7 changed files with 194 additions and 13 deletions
--- a/tofu/authentik/main.tf
+++ b/tofu/authentik/main.tf
@ -27,6 +27,11 @@ resource "authentik_group" "admins" {
  is_superuser = true
 }

+resource "authentik_group" "vpn" {
+  name         = "vpn"
+  is_superuser = false
+}
+

 module "firezone" {
  source              = "../modules/authentik-oidc"
@ -52,7 +57,7 @@ module "gitea" {
  app_access_group_id = ""
  redirect_uris       = ["https://git.roboces.dev/user/oauth2/authentik/callback"]
  app_icon            = "https://git.roboces.dev/assets/img/logo.svg"
-  app_description     = "Beyond coding. We forge. "
+  app_description     = "Beyond coding. We forge."
  app_publisher       = "Forgejo"
  app_url             = "https://git.roboces.dev/user/oauth2/authentik"
  sub_mode            = "hashed_user_id"
@ -136,3 +141,22 @@ module "lidarr" {
  internal_host_ssl_validation = false
  app_icon                     = "https://lidarr.audio/img/background/logo.png"
 }
+
+module "netbird" {
+  source              = "../modules/authentik-oidc"
+  app_name            = "netbird"
+  app_slug            = "netbird"
+  client_id           = var.netbird_client_id
+  client_secret       = var.netbird_client_secret
+  client_type         = "public"
+  app_access_group_id = authentik_group.vpn.id
+  redirect_uris = [
+    "https://vpn.fukurokuju.dev",
+    "https://vpn.fukurokuju.dev.*",
+    "http://localhost:53000"
+  ]
+  sub_mode = "user_id"
+  extra_property_mappings = [
+    "goauthentik.io/providers/oauth2/scope-authentik_api"
+  ]
+}
--- a/tofu/authentik/sample.env
+++ b/tofu/authentik/sample.env
@ -10,3 +10,5 @@ TF_VAR_portainer_client_id=
 TF_VAR_portainer_client_secret=
 TF_VAR_paperless_client_id=
 TF_VAR_paperless_client_secret=
+TF_VAR_netbird_client_id=
+TF_VAR_netbird_client_secret=
--- a/tofu/authentik/vars.tf
+++ b/tofu/authentik/vars.tf
@ -1,4 +1,3 @@
-
 variable "firezone_client_id" {
  description = "Client ID"
  type        = string
@ -48,3 +47,12 @@ variable "paperless_client_secret" {
  description = "Paperless client secret"
  type        = string
 }
+
+variable "netbird_client_id" {
+  description = "Netbird client ID"
+  type        = string
+}
+variable "netbird_client_secret" {
+  description = "Netbird client secret"
+  type        = string
+}
--- a/tofu/modules/authentik-oidc/main.tf
+++ b/tofu/modules/authentik-oidc/main.tf
@ -18,25 +18,28 @@ data "authentik_flow" "default-authentication-flow" {


 data "authentik_property_mapping_provider_scope" "default-scopes" {
-  managed_list = [
+  managed_list = concat([
    "goauthentik.io/providers/oauth2/scope-email",
    "goauthentik.io/providers/oauth2/scope-openid",
    "goauthentik.io/providers/oauth2/scope-profile",
    "goauthentik.io/providers/oauth2/scope-offline_access",
-  ]
+  ], var.extra_property_mappings)
 }


 resource "authentik_provider_oauth2" "provider_oidc" {
-  name                = var.app_name
-  client_id           = var.client_id
-  client_secret       = var.client_secret
-  authorization_flow  = data.authentik_flow.default-authorization-flow.id
-  authentication_flow = data.authentik_flow.default-authentication-flow.id
-  redirect_uris       = var.redirect_uris
-  property_mappings   = data.authentik_property_mapping_provider_scope.default-scopes.ids
-  sub_mode            = var.sub_mode
-  signing_key         = var.oidc_signing_key
+  name                  = var.app_name
+  client_id             = var.client_id
+  client_secret         = var.client_secret
+  client_type           = var.client_type
+  authorization_flow    = data.authentik_flow.default-authorization-flow.id
+  authentication_flow   = data.authentik_flow.default-authentication-flow.id
+  redirect_uris         = var.redirect_uris
+  property_mappings     = data.authentik_property_mapping_provider_scope.default-scopes.ids
+  sub_mode              = var.sub_mode
+  signing_key           = var.oidc_signing_key
+  access_code_validity  = var.access_code_validity
+  access_token_validity = var.access_token_validity
 }


--- a/tofu/modules/authentik-oidc/vars.tf
+++ b/tofu/modules/authentik-oidc/vars.tf
@ -18,6 +18,16 @@ variable "client_secret" {
  type        = string
 }

+variable "client_type" {
+  type    = string
+  default = "confidential"
+
+  validation {
+    condition     = contains(["confidential", "public"], var.client_type)
+    error_message = "client_type must be 'confidential' or 'public'"
+  }
+}
+
 variable "app_access_group_id" {
  description = "ID of a group which will have access to the app"
  type        = string
@ -31,6 +41,11 @@ variable "redirect_uris" {
 variable "sub_mode" {
  type    = string
  default = "user_username"
+
+  validation {
+    condition     = contains(["user_id", "user_username", "hashed_user_id"], var.sub_mode)
+    error_message = "sub_mode must be 'user_id', 'user_username' or 'hashed_user_id'"
+  }
 }

 variable "oidc_signing_key" {
@ -59,7 +74,23 @@ variable "app_publisher" {
  type    = string
  default = ""
 }
+
 variable "app_url" {
  type    = string
  default = ""
 }
+
+variable "access_code_validity" {
+  type    = string
+  default = "minutes=1"
+}
+
+variable "access_token_validity" {
+  type    = string
+  default = "minutes=10"
+}
+
+variable "extra_property_mappings" {
+  type    = list(string)
+  default = []
+}