From dc6fc316e7f6a310643975bd74e3ede5a0c45a26 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?c=C4=83t=C4=83lin?=
Date: Sun, 24 Mar 2024 17:31:30 +0100
Subject: [PATCH] feat: add firezone tofu app

---
 tofu/authentik/main.tf | 27 +++++++++++++++++++++++++--
 tofu/authentik/sample.env | 4 +++-
 tofu/authentik/vars.tf | 10 ++++++++++
 tofu/modules/authentik/main.tf | 3 +++
 tofu/modules/authentik/vars.tf | 25 ++++++++++++++++++++-----
 5 files changed, 61 insertions(+), 8 deletions(-)

diff --git a/tofu/authentik/main.tf b/tofu/authentik/main.tf
index ad1dbdd..2973914 100644
--- a/tofu/authentik/main.tf
+++ b/tofu/authentik/main.tf
@@ -21,6 +21,11 @@ resource "authentik_group" "ci" {
   users = [data.authentik_user.catalin.id]
 }
 
+resource "authentik_group" "admins" {
+  name = "authentik Admins"
+  is_superuser = true
+}
+
 module "argo-workflows" {
   source = "../modules/authentik"
   app_name = "Argo Workflows"
@@ -28,6 +33,24 @@ module "argo-workflows" {
   client_id = var.argo_workflows_client_id
   client_secret = var.argo_workflows_client_secret
   app_access_group_id = authentik_group.ci.id
-  redirect_uris = ["https://ci.fuku/oauth2/callback"]
-  app_icon = "https://argoproj.github.io/icons/icon-512x512.png"
+  redirect_uris = ["https://ci.fuku/oauth2/callback"]
+  app_icon = "https://argoproj.github.io/icons/icon-512x512.png"
+  app_description = "Kubernetes-native workflow engine supporting DAG and step-based workflows"
+  app_publisher = "Argo Project"
+  app_url = "https://ci.fuku"
+}
+
+module "firezone" {
+  source = "../modules/authentik"
+  app_name = "Firezone"
+  app_slug = "firezone"
+  client_id = var.firezone_client_id
+  client_secret = var.firezone_client_secret
+  app_access_group_id = authentik_group.admins.id
+  redirect_uris = ["https://fz.fukurokuju.dev/auth/oidc/authentik/callback/"]
+  app_icon = "https://www.firezone.dev/icon.svg"
+  app_description = "VPN"
+  app_publisher = "Firezone"
+  app_url = "https://fz.fukurokuju.dev"
+  sub_mode = "hashed_user_id"
 }
\ No newline at end of file
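Review bot: The new `authentik_group.admins` resource sets `is_superuser = true` on a group whose only visible purpose is gating an application, and the `firezone` module in the next hunk binds its access policy to that group. That couples "may log in to the VPN" with "is an authentik superuser": anyone added to the group for VPN access also gets full IdP administration, and the policy binding does not need superuser rights to work. A dedicated non-superuser group, `resource "authentik_group" "firezone_users" { name = "firezone-users" }`, would mirror how `authentik_group.ci` gates Argo Workflows and keep the blast radius of a stolen VPN login small. Separately, authentik ships a built-in superuser group named "authentik Admins", so a managed resource with that same name may collide on apply; if the intent is to reuse the built-in group, a data source lookup is the safer fit than creating a second one.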
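Review bot: `sub_mode = "hashed_user_id"` in the `firezone` module overrides the module default `"user_username"` (visible in the tofu/modules/authentik/vars.tf hunk) and nothing records why this app differs from `argo-workflows`, which keeps the default. A one-line comment such as `# hashed_user_id: Firezone keys users on the sub claim, so use an identifier that survives a username rename` would make the choice reviewable and stop a later cleanup from "normalising" it back. The callback entry in `redirect_uris` ends in a trailing slash; that must match what Firezone actually sends byte for byte, so a short comment pointing at where it was copied from would help whoever debugs a redirect mismatch.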
diff --git a/tofu/authentik/sample.env b/tofu/authentik/sample.env
index 0eb6593..29cff53 100644
--- a/tofu/authentik/sample.env
+++ b/tofu/authentik/sample.env
@@ -1,4 +1,6 @@
 AUTHENTIK_URL=https://auth.fukurokuju.dev
 AUTHENTIK_TOKEN=
 TF_VAR_argo_workflows_client_id=
- TF_VAR_argo_workflows_client_secret=
\ No newline at end of file
+ TF_VAR_argo_workflows_client_secret=
+ TF_VAR_firezone_client_id=
+ TF_VAR_firezone_client_secret=
diff --git a/tofu/authentik/vars.tf b/tofu/authentik/vars.tf
index 3c32c43..e9ff398 100644
--- a/tofu/authentik/vars.tf
+++ b/tofu/authentik/vars.tf
@@ -7,3 +7,13 @@ variable "argo_workflows_client_secret" {
   description = "Client secret"
   type = string
 }
+
+variable "firezone_client_id" {
+  description = "Client ID"
+  type = string
+}
+
+variable "firezone_client_secret" {
+  description = "Client secret"
+  type = string
+}
diff --git a/tofu/modules/authentik/main.tf b/tofu/modules/authentik/main.tf
index 3ca08d8..f2232b0 100644
--- a/tofu/modules/authentik/main.tf
+++ b/tofu/modules/authentik/main.tf
@@ -38,6 +38,9 @@ resource "authentik_application" "app" {
   protocol_provider = authentik_provider_oauth2.provider_oidc.id
   open_in_new_tab = var.open_in_new_tab
   meta_icon = var.app_icon
+  meta_description = var.app_description
+  meta_publisher = var.app_publisher
+  meta_launch_url = var.app_url
 }
 resource "authentik_policy_binding" "app_access" {
   target = authentik_application.app.uuid
diff --git a/tofu/modules/authentik/vars.tf b/tofu/modules/authentik/vars.tf
index bad4c6b..4db3bbb 100644
--- a/tofu/modules/authentik/vars.tf
+++ b/tofu/modules/authentik/vars.tf
@@ -29,7 +29,7 @@ variable "redirect_uris" {
 }
 
 variable "sub_mode" {
-  type = string
+  type = string
   default = "user_username"
 }
 
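Review bot: `variable "firezone_client_secret"` in tofu/authentik/vars.tf is declared without `sensitive = true`, so its value is echoed in clear in `plan`/`apply` output and in any CI log that captures it; the pre-existing `argo_workflows_client_secret` above it has the same gap. Adding the flag, `variable "firezone_client_secret" { description = "Client secret" type = string sensitive = true }`, redacts it from output while still passing it through to the module unchanged. Note that the value is still written to state in plaintext, so state storage needs the same protection as the secret itself.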
@@ -40,11 +40,26 @@ variable "oidc_signing_key" {
 }
 
 variable "open_in_new_tab" {
-  type = bool
+  type = bool
   description = "Open apps in a new tab"
-  default = true
+  default = true
 }
 
 variable "app_icon" {
-  type = string
-}
\ No newline at end of file
+  type = string
+  default = ""
+}
+
+variable "app_description" {
+  type = string
+  default = ""
+}
+
+variable "app_publisher" {
+  type = string
+  default = ""
+}
+variable "app_url" {
+  type = string
+  default = ""
+}
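Review bot: The four `variable` blocks `app_icon`, `app_description`, `app_publisher` and `app_url` carry no `description`, unlike `open_in_new_tab` in the same hunk, so a caller of the module gets no hint what they feed. Since tofu/modules/authentik/main.tf maps them onto `meta_icon`, `meta_description`, `meta_publisher` and `meta_launch_url`, a one-liner per block naming the target is enough, e.g. `description = "Launch URL shown on the application tile (authentik meta_launch_url)"` for `app_url`. Style: `variable "app_url"` is the only block not separated from its predecessor by a blank line, and the file still has no trailing newline fixed for the other blocks this commit touches.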