feat: add authentik-ldap module

2026-01-09 12:50:53 +01:00 · 2026-01-09 12:50:53 +01:00 · a856c4b230
commit a856c4b230
parent 2354f5971b
9 changed files with 151 additions and 46 deletions
--- a/k8s/argo-apps/dcsi.yaml
+++ b/k8s/argo-apps/dcsi.yaml
@ -19,16 +19,16 @@ spec:
          node:
            driver:
              image:
-                tag: 1.9.5
+                tag: next
          controller:
            driver:
              image:
-                tag: 1.9.5
+                tag: next
          csiDriver:
            name: org.dcsi.nfs
          driver:
            image:
-              tag: 1.9.5
+              tag: next
            existingConfigSecret: secrets-dcsi
            config:
              driver: freenas-api-nfs
--- a/tofu/authentik/.terraform.lock.hcl
+++ b/tofu/authentik/.terraform.lock.hcl
@ -2,36 +2,23 @@
 # Manual edits may be lost in future updates.
 provider "registry.opentofu.org/goauthentik/authentik" {
-  version     = "2025.10.0"
+  version     = "2025.10.1"
-  constraints = "2025.10.0"
+  constraints = "2025.10.1"
  hashes = [
-    "h1:8nN6b5dEGbJJ5ajovedkO//QP4NrWU5GfrenIHAEyz0=",
+    "h1:X0bV1LqI7nu4np+xiGP8yLVfyl6rh/XNXz7QQ7Hsr6g=",
-    "h1:EZlTiEEZ0a6AvlLuTKAIyhBI4m4poYUX4QW0wyHfIaw=",
+    "zh:02ac2478c8901043a0455b8b6b8185e9814786bd802a9aa6d4126d4f56d4735d",
-    "h1:ElpISil/0po3r4pb9KK7/pBCSLxL18a6IDHDSMFdmS0=",
+    "zh:24d680732a9ea72a86c1e7bf4aa13ab9cc0c60ee4bd4cae8af43670eff88edd9",
-    "h1:F7+3L6JmVEG+PMizB9SuifxbznkZD3462LQpFMOW0M0=",
+    "zh:4f415f177671eeea2234eb835479bbb710e811e60864cec6a00ee0e03a412fa3",
-    "h1:L1sFZI0qKeBpUUCMgQkuRge196DsrHaTUJKJWKm0V2w=",
+    "zh:55498caa20504dd52a1870823e15dec6c78948eac2e6ec98e6ec122b5407630b",
-    "h1:OQgVyUOOLTGyosEpVHzE37h+91nHN5n9lKHt6nAOZyU=",
+    "zh:570f9ca7f909bda94b97feab7898ef392e01ae6178d8a9d36aac984d8a433ec1",
-    "h1:Ph1j1Flr4kXMZKCRlP4Hn0asAz1Yfpk+hf5t6aeF4mc=",
+    "zh:92ac78b97e2d5310ed82233980f941ebecf69ae1f9d03f3e719d8687aa6f4cc7",
-    "h1:RjitcUcx/3QKUgs74q3ypbf7KQpg8BoNELW6sE4ONqk=",
+    "zh:95f852a4e7d22daac86901ebc6b327d5987832b707ad3fd3aeff6c36dd088717",
-    "h1:Vw7hY7KdCtQ3hf00uCekrzdDgBJ2EnPXUAnj3ybLXPQ=",
+    "zh:98c8659f468a58a9d224b2fca9d5909d39bcabf9e2593e9b4a574dbffb6e2dca",
-    "h1:fDQcyzUJqHb4qXOyze/Te0Fd3dVMdBcLQ+e2xOtsqbM=",
+    "zh:a7d1428ec803ae794ebb05d772fa44020827a6b762a5b2da11869fc618ea59cd",
-    "h1:jKOzsHSorUnub0L+Lq+tPPhHmeKoaiPS8orF9zZf/i0=",
+    "zh:b1ef054b09fed4282c625a38a4aa6d1276c58e541f4cffcc716aa7d2b773f30a",
-    "h1:kXF4EEV9uzXzshloPfJQQzPbs0YVgjUu5aD+Fj040U0=",
+    "zh:b95e3edeb0da3ee0c0392afa18957cf7d41b2f71ed08a50f4bf38010aaf77d30",
-    "h1:pvMaS6PASVHMJxArSG1pAzS5Micb1fMcLz7MF7bO138=",
+    "zh:c3ce9f57889e6bb33f34ee4cc4463a77652b811351bbb25e6fc5ba9dc0c61e14",
-    "h1:s3wkHrHE8Q/Dj+PIkvuPviLTUcK6h7aoAArrBKNJ8PE=",
+    "zh:f6d2fe811ad5c242ced99a6b51b2d7f60f060d4bc6837fe1026c2abb7cb6f9a4",
-    "zh:0103a533f474db36223d8dbf2abc80f8d76a162b2e3042a2203f0d426f2c8e16",
+    "zh:f78b8e20e7d9f53e1622051c706369a7c6d0f1e37c16df67a214697cd5d0a4fb",
    "zh:03302f83cd5784435ef22864a936b88293284bfdc091ff2fd0cc18a40e97bb55",
    "zh:0730ca92f8bc778dba52425d05c5dceb9ae57660797f88132c06a0bf8a4f4f55",
    "zh:63ace720564b3549d482f0bc68b1f4596a1682faeef5fe4d40163abccda90ceb",
    "zh:8c4acdc358b1f5b1c13192af81bba552c6ad98debd341d836f4adf1fb85610a8",
    "zh:8f101bae1ab303b5e1b91ceb62d11386091a24c2bbd99bca4662bc88f127a8c4",
    "zh:a683c5338f16d20a1432fbc093c35db388ec7ef9f657d7478e3a04fc72722ad7",
    "zh:a99fcbaf234cb161c8d7018f62946178810c7645436229d05913ff432094734d",
    "zh:aa7fc7a3e05e96522507a86ec50b53473ff3e917f56fb2fc7418070fe29f1abc",
    "zh:bc3b9f7cce5f5fd4116700411c5f3d14c48a9b56115268094882d949b811e53a",
    "zh:cba03e3c31ee1e83fcc25511a34ca5f7132e0bbb41f3edc7c7dc113edd5938db",
    "zh:d1f168e7a87a3f74d9932b88daa367242d1e9a2ed1b7b9eaf44fcfcfc190305f",
    "zh:eb5af50c8e13980da4830c5f23fa7d911ae07740b37cf9d6c5895da95374e940",
    "zh:f9db4dbb47b257123bb70b770714552d873f9c8e2e8017c1de227757c8dfb074",
  ]
 }
--- a/tofu/authentik/main.tf
+++ b/tofu/authentik/main.tf
@ -8,7 +8,7 @@ terraform {
  required_providers {
    authentik = {
      source  = "goauthentik/authentik"
-      version = "2025.10.0"
+      version = "2025.10.1"
    }
  }
 }
@ -240,12 +240,11 @@ module "rustical" {
  app_access_group_id = ""
 }
-module "mediamanager" {
+module "jellyfin" {
-  source              = "../modules/authentik-oidc"
+  source              = "../modules/authentik-ldap"
-  app_name            = "mediamanager"
+  app_name            = "Jellyfin"
-  app_slug            = "mediamanager"
+  app_slug            = "jellyfin"
-  client_id           = var.mediamanager_client_id
+  base_dn             = "DC=ldap,DC=fukurokuju,DC=dev"
-  client_secret       = var.mediamanager_client_secret
+  name                = "jellyfin"
-  redirect_uris       = [{ matching_mode = "strict", url = "https://mediamanager.roboces.dev/api/v1/auth/oauth/callback" }]
+  app_access_group_id = authentik_group.arrs.id
  app_access_group_id = authentik_group.mediamanager.id
 }
--- a/tofu/authentik/sample.env
+++ b/tofu/authentik/sample.env
@ -13,5 +13,3 @@ TF_VAR_sftpgo_client_secret=
 TF_VAR_netbird_client_id=
 TF_VAR_rustical_client_id=
 TF_VAR_rustical_client_secret=
 TF_VAR_mediamanager_client_id=
 TF_VAR_mediamanager_client_secret=
--- a/tofu/modules/authentik-ldap/.terraform.lock.hcl
+++ b/tofu/modules/authentik-ldap/.terraform.lock.hcl
@ -0,0 +1,24 @@
 # This file is maintained automatically by "tofu init".
 # Manual edits may be lost in future updates.
 provider "registry.opentofu.org/goauthentik/authentik" {
  version     = "2025.10.1"
  constraints = "2025.10.1"
  hashes = [
    "h1:X0bV1LqI7nu4np+xiGP8yLVfyl6rh/XNXz7QQ7Hsr6g=",
    "zh:02ac2478c8901043a0455b8b6b8185e9814786bd802a9aa6d4126d4f56d4735d",
    "zh:24d680732a9ea72a86c1e7bf4aa13ab9cc0c60ee4bd4cae8af43670eff88edd9",
    "zh:4f415f177671eeea2234eb835479bbb710e811e60864cec6a00ee0e03a412fa3",
    "zh:55498caa20504dd52a1870823e15dec6c78948eac2e6ec98e6ec122b5407630b",
    "zh:570f9ca7f909bda94b97feab7898ef392e01ae6178d8a9d36aac984d8a433ec1",
    "zh:92ac78b97e2d5310ed82233980f941ebecf69ae1f9d03f3e719d8687aa6f4cc7",
    "zh:95f852a4e7d22daac86901ebc6b327d5987832b707ad3fd3aeff6c36dd088717",
    "zh:98c8659f468a58a9d224b2fca9d5909d39bcabf9e2593e9b4a574dbffb6e2dca",
    "zh:a7d1428ec803ae794ebb05d772fa44020827a6b762a5b2da11869fc618ea59cd",
    "zh:b1ef054b09fed4282c625a38a4aa6d1276c58e541f4cffcc716aa7d2b773f30a",
    "zh:b95e3edeb0da3ee0c0392afa18957cf7d41b2f71ed08a50f4bf38010aaf77d30",
    "zh:c3ce9f57889e6bb33f34ee4cc4463a77652b811351bbb25e6fc5ba9dc0c61e14",
    "zh:f6d2fe811ad5c242ced99a6b51b2d7f60f060d4bc6837fe1026c2abb7cb6f9a4",
    "zh:f78b8e20e7d9f53e1622051c706369a7c6d0f1e37c16df67a214697cd5d0a4fb",
  ]
 }
--- a/tofu/modules/authentik-ldap/main.tf
+++ b/tofu/modules/authentik-ldap/main.tf
@ -0,0 +1,45 @@
 terraform {
  required_version = ">= 1.6"
  required_providers {
    authentik = {
      source  = "goauthentik/authentik"
      version = "2025.10.1"
    }
  }
 }
 data "authentik_flow" "default-authentication-flow" {
  slug = "default-authentication-flow"
 }
 data "authentik_flow" "default-invalidation-flow" {
  slug = "default-invalidation-flow"
 }
 resource "authentik_provider_ldap" "provider_ldap" {
  base_dn     = var.base_dn
  bind_flow   = data.authentik_flow.default-authentication-flow.id
  name        = var.name
  unbind_flow = data.authentik_flow.default-invalidation-flow.id
 }
 resource "authentik_application" "app" {
  name              = var.app_name
  slug              = var.app_slug
  protocol_provider = authentik_provider_ldap.provider_ldap.id
  open_in_new_tab   = var.open_in_new_tab
  meta_icon         = var.app_icon
  meta_description  = var.app_description
  meta_publisher    = var.app_publisher
  meta_launch_url   = var.app_url
 }
 resource "authentik_policy_binding" "app_access" {
  target = authentik_application.app.uuid
  group  = var.app_access_group_id
  order  = 0
  count  = var.app_access_group_id != "" ? 1 : 0 # only add it if the group's name exists
 }
--- a/tofu/modules/authentik-ldap/vars.tf
+++ b/tofu/modules/authentik-ldap/vars.tf
@ -0,0 +1,52 @@
 variable "app_name" {
  description = "App name"
  type        = string
 }
 variable "app_slug" {
  description = "App slug, a human-readable URL identifier, e.g.: Google -> google"
  type        = string
 }
 variable "app_access_group_id" {
  description = "ID of a group which will have access to the app"
  type        = string
 }
 variable "open_in_new_tab" {
  type        = bool
  description = "Open apps in a new tab"
  default     = true
 }
 variable "app_icon" {
  type    = string
  default = ""
 }
 variable "app_description" {
  type    = string
  default = ""
 }
 variable "app_publisher" {
  type    = string
  default = ""
 }
 variable "app_url" {
  type    = string
  default = ""
 }
 variable "base_dn" {
  type        = string
  description = "Base DN"
 }
 variable "name" {
  type        = string
  description = "Name"
 }
--- a/tofu/modules/authentik-oidc/main.tf
+++ b/tofu/modules/authentik-oidc/main.tf
@ -3,7 +3,7 @@ terraform {
  required_providers {
    authentik = {
      source  = "goauthentik/authentik"
-      version = "2025.10.0"
+      version = "2025.10.1"
    }
  }
 }
--- a/tofu/modules/authentik-proxy/main.tf
+++ b/tofu/modules/authentik-proxy/main.tf
@ -3,7 +3,7 @@ terraform {
  required_providers {
    authentik = {
      source  = "goauthentik/authentik"
-      version = "2025.10.0"
+      version = "2025.10.1"
    }
  }
 }