feat: add firezone tofu app

2024-03-24 17:31:30 +01:00 · 2024-03-24 17:31:30 +01:00 · dc6fc316e7
commit dc6fc316e7
parent 909eb5913f
5 changed files with 61 additions and 8 deletions
--- a/tofu/authentik/main.tf
+++ b/tofu/authentik/main.tf
@ -21,6 +21,11 @@ resource "authentik_group" "ci" {
  users = [data.authentik_user.catalin.id]
 }

+resource "authentik_group" "admins" {
+  name = "authentik Admins"
+  is_superuser = true
+}
+
 module "argo-workflows" {
  source              = "../modules/authentik"
  app_name            = "Argo Workflows"
@ -28,6 +33,24 @@ module "argo-workflows" {
  client_id           = var.argo_workflows_client_id
  client_secret       = var.argo_workflows_client_secret
  app_access_group_id = authentik_group.ci.id
-  redirect_uris = ["https://ci.fuku/oauth2/callback"]
-  app_icon = "https://argoproj.github.io/icons/icon-512x512.png"
+  redirect_uris       = ["https://ci.fuku/oauth2/callback"]
+  app_icon            = "https://argoproj.github.io/icons/icon-512x512.png"
+  app_description = "Kubernetes-native workflow engine supporting DAG and step-based workflows"
+  app_publisher = "Argo Project"
+  app_url = "https://ci.fuku"
+}
+
+module "firezone" {
+  source              = "../modules/authentik"
+  app_name            = "Firezone"
+  app_slug            = "firezone"
+  client_id           = var.firezone_client_id
+  client_secret       = var.firezone_client_secret
+  app_access_group_id = authentik_group.admins.id
+  redirect_uris       = ["https://fz.fukurokuju.dev/auth/oidc/authentik/callback/"]
+  app_icon            = "https://www.firezone.dev/icon.svg"
+  app_description = "VPN"
+  app_publisher = "Firezone"
+  app_url = "https://fz.fukurokuju.dev"
+  sub_mode = "hashed_user_id"
 }
--- a/tofu/authentik/sample.env
+++ b/tofu/authentik/sample.env
@ -1,4 +1,6 @@
 AUTHENTIK_URL=https://auth.fukurokuju.dev
 AUTHENTIK_TOKEN=
 TF_VAR_argo_workflows_client_id=
- TF_VAR_argo_workflows_client_secret=
+ TF_VAR_argo_workflows_client_secret=
+ TF_VAR_firezone_client_id=
+ TF_VAR_firezone_client_secret=
--- a/tofu/authentik/vars.tf
+++ b/tofu/authentik/vars.tf
@ -7,3 +7,13 @@ variable "argo_workflows_client_secret" {
  description = "Client secret"
  type        = string
 }
+
+variable "firezone_client_id" {
+  description = "Client ID"
+  type        = string
+}
+
+variable "firezone_client_secret" {
+  description = "Client secret"
+  type        = string
+}
--- a/tofu/modules/authentik/main.tf
+++ b/tofu/modules/authentik/main.tf
@ -38,6 +38,9 @@ resource "authentik_application" "app" {
  protocol_provider = authentik_provider_oauth2.provider_oidc.id
  open_in_new_tab   = var.open_in_new_tab
  meta_icon = var.app_icon
+  meta_description = var.app_description
+  meta_publisher = var.app_publisher
+  meta_launch_url = var.app_url
 }
 resource "authentik_policy_binding" "app_access" {
  target = authentik_application.app.uuid
--- a/tofu/modules/authentik/vars.tf
+++ b/tofu/modules/authentik/vars.tf
@ -29,7 +29,7 @@ variable "redirect_uris" {
 }

 variable "sub_mode" {
-  type = string
+  type    = string
  default = "user_username"
 }

@ -40,11 +40,26 @@ variable "oidc_signing_key" {
 }

 variable "open_in_new_tab" {
-  type = bool
+  type        = bool
  description = "Open apps in a new tab"
-  default = true
+  default     = true
 }

 variable "app_icon" {
-  type = string
-}
+  type    = string
+  default = ""
+}
+
+variable "app_description" {
+  type    = string
+  default = ""
+}
+
+variable "app_publisher" {
+  type    = string
+  default = ""
+}
+variable "app_url" {
+  type    = string
+  default = ""
+}