diff --git a/docker/forgejo-runner/docker-compose.yml b/docker/forgejo-runner/docker-compose.yml index 903042c..e98dc66 100644 --- a/docker/forgejo-runner/docker-compose.yml +++ b/docker/forgejo-runner/docker-compose.yml @@ -1,6 +1,6 @@ --- x-runner-common: &runner-common - image: code.forgejo.org/forgejo/runner:12.6.4 + image: code.forgejo.org/forgejo/runner:11.3.1 links: - docker-in-docker depends_on: diff --git a/docker/ganymede/docker-compose.yml b/docker/ganymede/docker-compose.yml deleted file mode 100644 index 1f24da0..0000000 --- a/docker/ganymede/docker-compose.yml +++ /dev/null 
@@ -1,48 +0,0 @@ ---- -services: - ganymede: - container_name: ganymede - image: ghcr.io/zibbp/ganymede:4.11.5 - restart: unless-stopped - environment: - DEBUG: ${GANYMEDE_DEBUG:-false} - TZ: ${GANYMEDE_TZ:-Europe/Madrid} - VIDEOS_DIR: ${GANYMEDE_VIDEOS_DIR:-/data/videos} - TEMP_DIR: ${GANYMEDE_TEMP_DIR:-/data/temp} - LOGS_DIR: ${GANYMEDE_LOGS_DIR:-/data/logs} - CONFIG_DIR: ${GANYMEDE_CONFIG_DIR:-/data/config} - DB_HOST: ${GANYMEDE_DB_HOST:-192.168.1.3} - DB_PORT: ${GANYMEDE_DB_PORT:-5432} - DB_USER: ${GANYMEDE_DB_USER:-ganymede} - DB_PASS: ${GANYMEDE_DB_PASS} - DB_NAME: ${GANYMEDE_DB_NAME:-ganymede} - DB_SSL: ${GANYMEDE_DB_SSL:-disable} - TWITCH_CLIENT_ID: ${GANYMEDE_TWITCH_CLIENT_ID} - TWITCH_CLIENT_SECRET: ${GANYMEDE_TWITCH_CLIENT_SECRET} - MAX_CHAT_DOWNLOAD_EXECUTIONS: ${GANYMEDE_MAX_CHAT_DOWNLOAD_EXECUTIONS:-3} - MAX_CHAT_RENDER_EXECUTIONS: ${GANYMEDE_MAX_CHAT_RENDER_EXECUTIONS:-2} - MAX_VIDEO_DOWNLOAD_EXECUTIONS: ${GANYMEDE_MAX_VIDEO_DOWNLOAD_EXECUTIONS:-2} - MAX_VIDEO_CONVERT_EXECUTIONS: ${GANYMEDE_MAX_VIDEO_CONVERT_EXECUTIONS:-3} - MAX_VIDEO_SPRITE_THUMBNAIL_EXECUTIONS: ${GANYMEDE_MAX_VIDEO_SPRITE_THUMBNAIL_EXECUTIONS:-2} - OAUTH_ENABLED: ${GANYMEDE_OAUTH_ENABLED:-true} - OAUTH_PROVIDER_URL: ${GANYMEDE_OAUTH_PROVIDER_URL:-https://auth.fukurokuju.dev/application/o/ganymede/} - OAUTH_CLIENT_ID: ${GANYMEDE_OAUTH_CLIENT_ID} - OAUTH_CLIENT_SECRET: ${GANYMEDE_OAUTH_CLIENT_SECRET} - OAUTH_REDIRECT_URL: ${GANYMEDE_OAUTH_REDIRECT_URL:-https://vods.roboces.dev/api/v1/auth/oauth/callback} - SHOW_SSO_LOGIN_BUTTON: ${GANYMEDE_SHOW_SSO_LOGIN_BUTTON:-true} - FORCE_SSO_AUTH: ${GANYMEDE_FORCE_SSO_AUTH:-true} - REQUIRE_LOGIN: ${GANYMEDE_REQUIRE_LOGIN:-true} - volumes: - - ${GANYMEDE_VIDEOS:-/mnt/vods/ganymede/videos}:/data/videos - - ${GANYMEDE_TEMP:-/mnt/vods/ganymede/temp}:/data/temp - - ${GANYMEDE_CACHE:-/mnt/vods/ganymede/cache}:/data/.cache - - ${GANYMEDE_LOGS:-/mnt/vods/ganymede/logs}:/data/logs - - ${GANYMEDE_CONFIG:-/mnt/vods/ganymede/config}:/data/config - ports: - 
- "4800:4000" - healthcheck: - test: curl --fail http://localhost:4000/health || exit 1 - interval: 60s - retries: 5 - start_period: 60s - timeout: 10s diff --git a/docker/ganymede/sample.env b/docker/ganymede/sample.env deleted file mode 100644 index 5b2205b..0000000 --- a/docker/ganymede/sample.env +++ /dev/null @@ -1,27 +0,0 @@ -GANYMEDE_DEBUG=false -GANYMEDE_TZ=Europe/Madrid -GANYMEDE_VIDEOS_DIR=/data/videos -GANYMEDE_TEMP_DIR=/data/temp -GANYMEDE_LOGS_DIR=/data/logs -GANYMEDE_CONFIG_DIR=/data/config -GANYMEDE_DB_HOST=192.168.1.3 -GANYMEDE_DB_PORT=5432 -GANYMEDE_DB_USER=ganymede -GANYMEDE_DB_PASS= -GANYMEDE_DB_NAME=ganymede -GANYMEDE_DB_SSL=disable -GANYMEDE_TWITCH_CLIENT_ID= -GANYMEDE_TWITCH_CLIENT_SECRET= -GANYMEDE_MAX_CHAT_DOWNLOAD_EXECUTIONS=3 -GANYMEDE_MAX_CHAT_RENDER_EXECUTIONS=2 -GANYMEDE_MAX_VIDEO_DOWNLOAD_EXECUTIONS=2 -GANYMEDE_MAX_VIDEO_CONVERT_EXECUTIONS=3 -GANYMEDE_MAX_VIDEO_SPRITE_THUMBNAIL_EXECUTIONS=2 -GANYMEDE_OAUTH_ENABLED=true -GANYMEDE_OAUTH_PROVIDER_URL=https://auth.fukurokuju.dev/application/o/ganymede/ -GANYMEDE_OAUTH_CLIENT_ID= -GANYMEDE_OAUTH_CLIENT_SECRET= -GANYMEDE_OAUTH_REDIRECT_URL=https://vods.roboces.dev/api/v1/auth/oauth/callback -GANYMEDE_SHOW_SSO_LOGIN_BUTTON=true -GANYMEDE_FORCE_SSO_AUTH=false -GANYMEDE_REQUIRE_LOGIN=false diff --git a/docker/netbird/docker-compose.yml b/docker/netbird/docker-compose.yml new file mode 100644 index 0000000..76dc7af --- /dev/null +++ b/docker/netbird/docker-compose.yml 
@@ -0,0 +1,112 @@
+---
+services:
+ dashboard:
+ image: netbirdio/dashboard:v2.20.2
+ restart: unless-stopped
+ ports:
+ - 8005:80
+ environment:
+ NETBIRD_MGMT_API_ENDPOINT: ${NETBIRD_MGMT_API_ENDPOINT:-https://vpn.fukurokuju.dev}
+ NETBIRD_MGMT_GRPC_API_ENDPOINT: ${NETBIRD_MGMT_GRPC_API_ENDPOINT:-https://vpn.fukurokuju.dev}
+ AUTH_AUDIENCE: ${NETBIRD_AUTH_AUDIENCE:-64e44b85ebdec2a3cf87c0c9916e2dbb0570f6d87b03ca8d149c3551565c3057ce1e559d16b5399cb7df60646e4e2bc6515842a198efb09d1620ea9ac1d8ace2} # yamllint disable rule:line-length
+ AUTH_CLIENT_ID: ${NETBIRD_AUTH_CLIENT_ID:-64e44b85ebdec2a3cf87c0c9916e2dbb0570f6d87b03ca8d149c3551565c3057ce1e559d16b5399cb7df60646e4e2bc6515842a198efb09d1620ea9ac1d8ace2} # yamllint disable rule:line-length
+ AUTH_AUTHORITY: ${NETBIRD_AUTH_AUTHORITY:-https://auth.fukurokuju.dev/application/o/netbird/}
+ USE_AUTH0: false
+ AUTH_SUPPORTED_SCOPES: ${NETBIRD_AUTH_SUPPORTED_SCOPES:-api offline_access openid email profile}
+ AUTH_REDIRECT_URI:
+ AUTH_SILENT_REDIRECT_URI:
+ NETBIRD_TOKEN_SOURCE: accessToken
+ NGINX_SSL_PORT: 443
+ logging:
+ driver: "json-file"
+ options:
+ max-size: "500m"
+ max-file: "2"
+ signal:
+ image: netbirdio/signal:0.59.11
+ restart: unless-stopped
+ volumes:
+ - netbird-signal:/var/lib/netbird
+ ports:
+ - "10000:80"
+ logging:
+ driver: "json-file"
+ options:
+ max-size: "500m"
+ max-file: "2"
+ relay:
+ image: netbirdio/relay:0.59.11
+ restart: unless-stopped
+ environment:
+ NB_LOG_LEVEL: ${NB_LOG_LEVEL:-info}
+ NB_LISTEN_ADDRESS: ${NB_LISTEN_ADDRESS:-:33080}
+ NB_EXPOSED_ADDRESS: ${NB_EXPOSED_ADDRESS:-vpn.fukurokuju.dev:33080}
+ NB_AUTH_SECRET: ${NB_AUTH_SECRET}
+ ports:
+ - "33080:33080"
+ logging:
+ driver: "json-file"
+ options:
+ max-size: "500m"
+ max-file: "2"
+ management:
+ image: netbirdio/management:0.59.10
+ restart: unless-stopped
+ depends_on:
+ - dashboard
+ volumes:
+ - ${NETBIRD_MANAGEMENT_VOLUME:-/mnt/nas1/shared/netbird/management}/data:/var/lib/netbird
+ -
${NETBIRD_MANAGEMENT_VOLUME:-/mnt/nas1/shared/netbird/management}/management.json:/etc/netbird/management.json:z + ports: + - "33073:443" + command: [ + "--port", "443", + "--log-file", "console", + "--log-level", "info", + "--disable-anonymous-metrics=false", + "--single-account-mode-domain=vpn.fukurokuju.dev", + "--dns-domain=netbird.fuku", + ] + logging: + driver: "json-file" + options: + max-size: "500m" + max-file: "2" + environment: + - NETBIRD_STORE_ENGINE_POSTGRES_DSN= + + coturn: + image: coturn/coturn:4.7 + restart: unless-stopped + domainname: vpn.fukurokuju.dev + volumes: + - ${NETBIRD_COTURN_VOLUME:-/mnt/nas1/shared/netbird/coturn}/turnserver.conf:/etc/turnserver.conf:ro + network_mode: host + command: + - -c /etc/turnserver.conf + logging: + driver: "json-file" + options: + max-size: "500m" + max-file: "2" + + peer-1: + image: netbirdio/netbird:0.59.11 + restart: unless-stopped + volumes: + - ${NETBIRD_PEER_VOLUME:-/mnt/nas1/shared/netbird/peer-1}/data:/etc/netbird + environment: + NB_MANAGEMENT_URL: https://vpn.fukurokuju.dev:443 + NB_SETUP_KEY: ${NB_SETUP_KEY} + cap_add: + - NET_ADMIN + depends_on: + - management + - dashboard + - relay + - signal + - coturn + +volumes: + netbird-mgmt: + netbird-signal: diff --git a/docker/netbird/sample.env b/docker/netbird/sample.env new file mode 100644 index 0000000..6a76871 --- /dev/null +++ b/docker/netbird/sample.env @@ -0,0 +1,2 @@ +NB_AUTH_SECRET= +NB_SETUP_KEY= diff --git a/docker/paperless/docker-compose.yml b/docker/paperless/docker-compose.yml index 99209c6..58acc07 100644 --- a/docker/paperless/docker-compose.yml +++ b/docker/paperless/docker-compose.yml @@ -14,7 +14,7 @@ services: webserver: - image: ghcr.io/paperless-ngx/paperless-ngx:2.20.6 + image: ghcr.io/paperless-ngx/paperless-ngx:2.20.0 restart: unless-stopped ports: - 8002:8000 diff --git a/docker/rustical/docker-compose.yml b/docker/rustical/docker-compose.yml index 2bca4ee..662a7df 100644 --- a/docker/rustical/docker-compose.yml 
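Review bot: In docker/netbird/docker-compose.yml the `management` service sets `- NETBIRD_STORE_ENGINE_POSTGRES_DSN=`, which pins the variable to an empty string, so a DSN supplied through the host environment or `.env` never reaches the container, and `sample.env` in the next hunk does not list the key either. Pass it through by name, `- NETBIRD_STORE_ENGINE_POSTGRES_DSN`, or interpolate `${NETBIRD_STORE_ENGINE_POSTGRES_DSN}`, and add the key to `sample.env` so the database credential stays out of the compose file. Separately, `8005:80` and `"10000:80"` publish the dashboard and signal HTTP listeners on every host interface; if a reverse proxy on the same host terminates TLS (not visible here), bind them to loopback, e.g. `"127.0.0.1:8005:80"`. `USE_AUTH0: false` should be quoted as `"false"`, since Compose environment values are strings, and the `netbird-mgmt` named volume is declared but no service in this file mounts it.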
+++ b/docker/rustical/docker-compose.yml @@ -1,7 +1,7 @@ --- services: rustical: - image: ghcr.io/lennart-k/rustical:0.12.4 + image: ghcr.io/lennart-k/rustical:0.10.5 ports: - '4000:4000' volumes: diff --git a/docker/tailscale/docker-compose.yml b/docker/tailscale/docker-compose.yml deleted file mode 100644 index f0d25e1..0000000 --- a/docker/tailscale/docker-compose.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- -services: - tailscale: - image: tailscale/tailscale:v1.92.5 - hostname: tailscale - environment: - TS_AUTHKEY: ${TS_AUTHKEY} - TS_HOSTNAME: ${TS_HOSTNAME:-docker-exit-node} - TS_EXTRA_ARGS: ${TS_EXTRA_ARGS:---advertise-exit-node} - TS_ROUTES: ${TS_ROUTES:-192.168.1.0/24} - TS_STATE_DIR: /var/lib/tailscale - volumes: - - ${TS_VOLUME:-/mnt/nas1/shared/tailscale}:/var/lib/tailscale - devices: - - /dev/net/tun:/dev/net/tun - cap_add: - - net_admin - restart: unless-stopped diff --git a/docker/tailscale/sample.env b/docker/tailscale/sample.env deleted file mode 100644 index 83646d5..0000000 --- a/docker/tailscale/sample.env +++ /dev/null @@ -1,5 +0,0 @@ -TS_AUTHKEY= -TS_HOSTNAME=docker-exit-node -TS_EXTRA_ARGS=--advertise-exit-node -TS_ROUTES=192.168.1.0/24 -TS_VOLUME=/mnt/nas1/shared/tailscale diff --git a/docker/tandoor/docker-compose.yml b/docker/tandoor/docker-compose.yml deleted file mode 100644 index 5bf5d88..0000000 --- a/docker/tandoor/docker-compose.yml +++ /dev/null 
@@ -1,21 +0,0 @@ ---- -services: - web_recipes: - restart: always - image: vabene1111/recipes:2.4.2 - volumes: - - ${TANDOOR_STATICFILES:-/mnt/nas1/shared/tandoor/staticfiles}:/opt/recipes/staticfiles - - ${TANDOOR_MEDIAFILES:-/mnt/nas1/shared/tandoor/mediafiles}:/opt/recipes/mediafiles - environment: - SECRET_KEY: ${TANDOOR_SECRET_KEY} - TZ: ${TANDOOR_TZ:-Europe/Madrid} - ALLOWED_HOSTS: ${TANDOOR_ALLOWED_HOSTS:-recipes.roboces.dev} - SOCIAL_PROVIDERS: ${TANDOOR_SOCIAL_PROVIDERS:-allauth.socialaccount.providers.openid_connect} - SOCIALACCOUNT_PROVIDERS: ${TANDOOR_SOCIALACCOUNT_PROVIDERS} - POSTGRES_HOST: ${TANDOOR_POSTGRES_HOST:-192.168.1.3} - POSTGRES_DB: ${TANDOOR_POSTGRES_DB:-tandoor} - POSTGRES_PORT: ${TANDOOR_POSTGRES_PORT:-5432} - POSTGRES_USER: ${TANDOOR_POSTGRES_USER} - POSTGRES_PASSWORD: ${TANDOOR_POSTGRES_PASSWORD} - ports: - - "8081:80" diff --git a/docker/tandoor/sample.env b/docker/tandoor/sample.env deleted file mode 100644 index e5029ad..0000000 --- a/docker/tandoor/sample.env +++ /dev/null @@ -1,11 +0,0 @@ -TANDOOR_STATICFILES= -TANDOOR_MEDIAFILES= -TANDOOR_SECRET_KEY= -TANDOOR_TZ=Europe/Madrid -TANDOOR_ALLOWED_HOSTS= -TANDOOR_SOCIALACCOUNT_PROVIDERS= -TANDOOR_POSTGRES_HOST= -TANDOOR_POSTGRES_DB= -TANDOOR_POSTGRES_PORT= -TANDOOR_POSTGRES_USER= -TANDOOR_POSTGRES_PASSWORD= diff --git a/docker/vaultwarden/docker-compose.yml b/docker/vaultwarden/docker-compose.yml index dfd51a4..4c2b3dc 100644 --- a/docker/vaultwarden/docker-compose.yml +++ b/docker/vaultwarden/docker-compose.yml @@ -1,7 +1,7 @@ --- services: vaultwarden: - image: vaultwarden/server:1.35.3-alpine + image: vaultwarden/server:1.34.3-alpine restart: unless-stopped environment: DATABASE_URL: ${DATABASE_URL} diff --git a/k8s/argo-apps/authentik.yaml b/k8s/argo-apps/authentik.yaml index b046a8b..045afd6 100644 --- a/k8s/argo-apps/authentik.yaml +++ b/k8s/argo-apps/authentik.yaml 
@@ -12,7 +12,7 @@ spec: sources: - chart: authentik repoURL: https://charts.goauthentik.io/ - targetRevision: 2025.12.* + targetRevision: 2025.10.* helm: valuesObject: authentik: diff --git a/k8s/argo-apps/dcsi.yaml b/k8s/argo-apps/dcsi.yaml index 9c9e48d..13a5a3c 100644 --- a/k8s/argo-apps/dcsi.yaml +++ b/k8s/argo-apps/dcsi.yaml @@ -2,39 +2,29 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: democratic-csi - namespace: argocd + name: democratic-csi + namespace: argocd spec: - destination: - name: '' - namespace: democratic-csi - server: https://kubernetes.default.svc - sources: - - chart: democratic-csi - repoURL: https://democratic-csi.github.io/charts/ - targetRevision: 0.15.* - helm: - releaseName: zfs-nfs - valuesObject: - node: - driver: - image: - tag: next - controller: - driver: - image: - tag: next - csiDriver: - name: org.dcsi.nfs - driver: - image: - tag: next - existingConfigSecret: secrets-dcsi - config: - driver: freenas-api-nfs - - repoURL: https://git.roboces.dev/catalin/fukuops.git - path: k8s/services/dcsi - targetRevision: main - project: management - syncPolicy: - automated: {} + destination: + name: '' + namespace: democratic-csi + server: https://kubernetes.default.svc + sources: + - chart: democratic-csi + repoURL: https://democratic-csi.github.io/charts/ + targetRevision: 0.15.* + helm: + releaseName: zfs-nfs + valuesObject: + csiDriver: + name: org.dcsi.nfs + driver: + existingConfigSecret: secrets-dcsi + config: + driver: freenas-api-nfs + - repoURL: https://git.roboces.dev/catalin/fukuops.git + path: k8s/services/dcsi + targetRevision: main + project: management + syncPolicy: + automated: {} diff --git a/k8s/argo-apps/factorio.yaml b/k8s/argo-apps/factorio.yaml new file mode 100644 index 0000000..cd2d97d --- /dev/null +++ b/k8s/argo-apps/factorio.yaml 
@@ -0,0 +1,45 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: factorio
+ namespace: argocd
+spec:
+ destination:
+ name: ''
+ namespace: apps-fuku
+ server: https://kubernetes.default.svc
+ sources:
+ - chart: factorio-server-charts
+ repoURL: https://sqljames.github.io/factorio-server-charts/
+ targetRevision: 2.5.*
+ helm:
+ valuesObject:
+ rcon:
+ passwordSecret: secrets-factorio
+ nodeSelector:
+ kubernetes.io/hostname: agent1
+ image:
+ tag: latest
+ factorioServer:
+ save_name: fukurokuju-space
+ admin_list:
+ - Phireh
+ account:
+ accountSecret: secrets-factorio
+ server_settings:
+ name: factorio-fukurokuju
+ visibility:
+ public: false
+ require_user_verification: false
+ persistence:
+ storageClassName: truenas-nfs-csi
+ serverPassword:
+ passwordSecret: secrets-factorio
+
+ - repoURL: https://git.roboces.dev/catalin/fukuops.git
+ path: k8s/services/factorio
+ targetRevision: main
+ project: fuku
+ syncPolicy:
+ automated: {}
diff --git a/k8s/argo-apps/forgejo.yaml b/k8s/argo-apps/forgejo.yaml
index 1106bc3..277a779 100644
--- a/k8s/argo-apps/forgejo.yaml
+++ b/k8s/argo-apps/forgejo.yaml
@@ -14,7 +14,7 @@ spec:
 sources:
 - chart: forgejo
 repoURL: code.forgejo.org/forgejo-helm
- targetRevision: 16.0.2
+ targetRevision: 15.0.3
 helm:
 valuesObject:
 replicaCount: 2
diff --git a/k8s/argo-apps/kubetail.yaml b/k8s/argo-apps/kubetail.yaml
index b7d79e3..453b3b8 100644
--- a/k8s/argo-apps/kubetail.yaml
+++ b/k8s/argo-apps/kubetail.yaml
@@ -12,7 +12,7 @@ spec:
 sources:
 - chart: kubetail
 repoURL: https://kubetail-org.github.io/helm-charts/
- targetRevision: 0.17.0
+ targetRevision: 0.16.3
 helm:
 valuesObject:
 kubetail:
diff --git a/k8s/argo-apps/pulse.yaml b/k8s/argo-apps/pulse.yaml
deleted file mode 100644
index aa2dd3f..0000000
--- a/k8s/argo-apps/pulse.yaml
+++ /dev/null
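Review bot: In k8s/argo-apps/factorio.yaml, `image: tag: latest` together with `syncPolicy: automated: {}` means the server runs whatever is currently published under a mutable tag, and no change shows up in Git when that tag moves. Pin a release tag or digest, e.g. `tag: <FACTORIO_IMAGE_TAG>` (placeholder), and let the Renovate setup already in this repo propose the bumps. `require_user_verification: false` next to `admin_list: - Phireh` also deserves a second look: with verification off the server presumably no longer checks player names against factorio.com accounts, so the admin entry would be keyed on a name the client chooses and `serverPassword` becomes the only gate. Set it to `true` unless unverified clients are a requirement, and say why in a comment if they are.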
@@ -1,43 +0,0 @@ ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: pulse - namespace: argocd -spec: - destination: - name: '' - namespace: apps-fuku - server: https://kubernetes.default.svc - project: fuku - syncPolicy: - automated: {} - sources: - - repoURL: https://rcourtman.github.io/Pulse - chart: pulse - targetRevision: 5.1.* - helm: - valuesObject: - persistence: - enabled: true - size: 10Gi - storageClass: truenas-nfs-csi - accessModes: - - ReadWriteMany - service: - type: LoadBalancer - ingress: - enabled: true - hosts: - - host: pulse.fukurokuju.dev - paths: - - path: / - pathType: Prefix - tls: [] - monitoring: - serviceMonitor: - enabled: true - - - path: k8s/services/pulse - repoURL: https://git.roboces.dev/catalin/fukuops.git - targetRevision: main diff --git a/k8s/argo-apps/renovate.yaml b/k8s/argo-apps/renovate.yaml index 61305e6..83c3d3a 100644 --- a/k8s/argo-apps/renovate.yaml +++ b/k8s/argo-apps/renovate.yaml @@ -13,7 +13,7 @@ spec: sources: - chart: renovate repoURL: https://docs.renovatebot.com/helm-charts - targetRevision: 46.6.* + targetRevision: 45.21.* helm: valuesObject: renovate: diff --git a/k8s/argo-apps/sealed-secrets.yaml b/k8s/argo-apps/sealed-secrets.yaml index c180041..d60c2ec 100644 --- a/k8s/argo-apps/sealed-secrets.yaml +++ b/k8s/argo-apps/sealed-secrets.yaml @@ -12,7 +12,7 @@ spec: source: chart: sealed-secrets repoURL: https://bitnami-labs.github.io/sealed-secrets - targetRevision: 2.18.* + targetRevision: 2.17.* helm: releaseName: sealed-secrets valuesObject: diff --git a/k8s/services/argo/project-fuku.yaml b/k8s/services/argo/project-fuku.yaml index ead0d89..c4ab6ee 100644 --- a/k8s/services/argo/project-fuku.yaml +++ b/k8s/services/argo/project-fuku.yaml @@ -31,5 +31,3 @@ spec: - https://groundhog2k.github.io/helm-charts/ - registry-1.docker.io/cloudpirates - https://vmware-tanzu.github.io/helm-charts/ - - https://helm.runix.net - - https://rcourtman.github.io/Pulse 
diff --git a/k8s/services/miniflux/deployment.yaml b/k8s/services/miniflux/deployment.yaml index a89d916..d80d087 100644 --- a/k8s/services/miniflux/deployment.yaml +++ b/k8s/services/miniflux/deployment.yaml @@ -28,7 +28,7 @@ spec: spec: containers: - name: miniflux - image: miniflux/miniflux:2.2.17 + image: miniflux/miniflux:2.2.16 imagePullPolicy: Always securityContext: allowPrivilegeEscalation: false diff --git a/k8s/services/pulse/ds.yaml b/k8s/services/pulse/ds.yaml deleted file mode 100644 index 2785813..0000000 --- a/k8s/services/pulse/ds.yaml +++ /dev/null 
@@ -1,105 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: pulse-agent - namespace: apps-fuku ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: pulse-agent-read -rules: - - apiGroups: [""] - resources: ["nodes", "pods"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "list", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: pulse-agent-read -subjects: - - kind: ServiceAccount - name: pulse-agent - namespace: apps-fuku -roleRef: - kind: ClusterRole - name: pulse-agent-read - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: pulse-agent - namespace: apps-fuku -spec: - selector: - matchLabels: - app: pulse-agent - template: - metadata: - labels: - app: pulse-agent - spec: - serviceAccountName: pulse-agent - containers: - - name: pulse-agent - image: rcourtman/pulse:5.1.8 - command: ["/opt/pulse/bin/pulse-agent-linux-amd64"] - args: - - --enable-kubernetes - env: - - name: PULSE_URL - value: "https://pulse.fukurokuju.dev" - - name: PULSE_TOKEN - valueFrom: - secretKeyRef: - name: pulse-agent-secrets - key: PULSE_TOKEN - - name: PULSE_AGENT_ID - value: "k8s-cluster" - - name: PULSE_ENABLE_HOST - value: "true" - - name: HOST_PROC - value: "/host/proc" - - name: HOST_SYS - value: "/host/sys" - - name: HOST_ETC - value: "/host/etc" - - name: PULSE_KUBE_INCLUDE_ALL_PODS - value: "true" - - name: PULSE_KUBE_INCLUDE_ALL_DEPLOYMENTS - value: "true" - securityContext: - privileged: true - resources: - requests: - cpu: 50m - memory: 128Mi - limits: - memory: 512Mi - volumeMounts: - - name: host-proc - mountPath: /host/proc - readOnly: true - - name: host-sys - mountPath: /host/sys - readOnly: true - - name: host-root - mountPath: /host/root - readOnly: true - volumes: - - name: host-proc - hostPath: - path: /proc - - name: host-sys - hostPath: - path: /sys - - name: 
host-root - hostPath: - path: / - tolerations: - - operator: Exists diff --git a/k8s/services/pulse/sealedsecrets.yaml b/k8s/services/pulse/sealedsecrets.yaml deleted file mode 100644 index 0cade5d..0000000 --- a/k8s/services/pulse/sealedsecrets.yaml +++ /dev/null @@ -1,17 +0,0 @@ -# yamllint disable rule:line-length ---- -apiVersion: bitnami.com/v1alpha1 -kind: SealedSecret -metadata: - creationTimestamp: null - name: pulse-agent-secrets - namespace: apps-fuku -spec: - encryptedData: - PULSE_TOKEN: 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 - template: - metadata: - creationTimestamp: null - name: pulse-agent-secrets - namespace: apps-fuku - type: Opaque diff --git a/tofu/adguard/main.tf b/tofu/adguard/main.tf index 894cfea..e419eee 100644 --- a/tofu/adguard/main.tf +++ b/tofu/adguard/main.tf @@ -85,12 +85,8 @@ resource "adguard_rewrite" "master2" { answer = "192.168.1.32" } + resource "adguard_rewrite" "k3m3" { domain = "k3m3.fuku" answer = "192.168.1.43" } - -resource "adguard_rewrite" "pulse" { - answer = "pulse.fukurokuju.dev" - domain = "192.168.1.12" -} diff --git a/tofu/authentik/.terraform.lock.hcl b/tofu/authentik/.terraform.lock.hcl index fe7616b..ce22035 100644 --- a/tofu/authentik/.terraform.lock.hcl +++ b/tofu/authentik/.terraform.lock.hcl 
@@ -2,36 +2,36 @@ # Manual edits may be lost in future updates. provider "registry.opentofu.org/goauthentik/authentik" { - version = "2025.12.1" - constraints = "2025.12.1" + version = "2025.10.0" + constraints = "2025.10.0" hashes = [ - "h1:+R2MRgaXvmR1l+nYxYJqMSuvA4VBzfBoh2Er6TnDRPE=", - "h1:1y5I173i8qvxp8GQHBBI/bxkr6YOqY4IqOiJWIUSeeM=", - "h1:XHaltkhuTgyFCCZgpay2orOgc0TyZf0KqrFHNfUgY20=", - "h1:XvFByv5e6fKSlayYaXpFD/JbTYZN1ybujVJJjny1Q18=", - "h1:ZU9d05CLVYBbmdB0IGiG9MueY4/fVo4D6FeyQtbeujA=", - "h1:doHtDOiEIgIUWlUUc9jC7Uqdhj1hsy3etvdYmegcUZM=", - "h1:hUgMx2B40ByfaMA4Al0h7xotp/pZxJJxZZa/HJb6NDc=", - "h1:kG5J46qkCdUWJp/1p8CLifqc7Fy54IDZEjYhpmWcars=", - "h1:lNx+bJr11tPJxpkL5aTdOkGwB41O2Kv8fvKuiMl/LLs=", - "h1:mSOL+FqSLNkWeXopegyK/MoCkMD/VmW9V3PHLaIePjU=", - "h1:oCKzPBsyaD1ENda7qbREG3DYV3Opu09ub+msk3vRCkw=", - "h1:p9AGeRqK50wTHEIp7z7O4MUP83cs+lt7wPajZ9m9TB8=", - "h1:tBoVWDOhByI7cg9TYAAw6LDdMmWLpa2LYwJzzcukdiA=", - "h1:zHQHXKmlGNYBaWLJ9SuXsJ7dbpsvhDJl5pJi+PFU+2w=", - "zh:0e856d3b13614bc32346a236a8e84ba55ecd17238c2008d4b3e71aa8cb49f515", - "zh:2dcc44cd499c18ebbc4f763eff97a7b725763c8ac8fbb5d69c935413ccdc4962", - "zh:434100fc75ec7cd6b64cc9497e8273e79325fa8d285e9fd9d341c1a67421643b", - "zh:483484f66d2e8ce6fa4bfd91e824ceebf07d10acb5df5f366397c55227c4ae91", - "zh:596743a6f1c77a6f103b06ef8d932fe8f2376793b92478853dc84571d17c429f", - "zh:5ed2d5eb7db13229baaf042c725d5c64b58ffdcc641370175e0a88900af94bf1", - "zh:8aecd4cf782c82bee01098f72fe4ffff83707516007b32a01c7fcb19a9260338", - "zh:928c05ecac309287ff7d73ed6e478350fe3003557658ae5dc2be817a4268dba7", - "zh:9b9fd36dfb3e75da8b4478485272505ae9a3c67b10db173e1d2d76cfe2b637b8", - "zh:ab7cd8c61ab67a045854e32f0be1940a92746770dbf3c17bbe923e0259c4f897", - "zh:bb1360ec19a4fc1095d0ef1b7b6c5c3c1a91daac7cd1957d43a4cdbb7356a2e3", - "zh:d2186f4063aa1a547b52a53745d472e43f5343bc1674f2bbb91421c61b0fab50", - "zh:d74bbb67a77951b18ffd7b2863954e70ac03450ad2023cc305c66a5ff25d8d18", - "zh:f5970569ea0a479bbfbf2d452f5962e1c9bd472b82756db822d0e951363daa25", 
+ "h1:8nN6b5dEGbJJ5ajovedkO//QP4NrWU5GfrenIHAEyz0=", + "h1:EZlTiEEZ0a6AvlLuTKAIyhBI4m4poYUX4QW0wyHfIaw=", + "h1:ElpISil/0po3r4pb9KK7/pBCSLxL18a6IDHDSMFdmS0=", + "h1:F7+3L6JmVEG+PMizB9SuifxbznkZD3462LQpFMOW0M0=", + "h1:L1sFZI0qKeBpUUCMgQkuRge196DsrHaTUJKJWKm0V2w=", + "h1:OQgVyUOOLTGyosEpVHzE37h+91nHN5n9lKHt6nAOZyU=", + "h1:Ph1j1Flr4kXMZKCRlP4Hn0asAz1Yfpk+hf5t6aeF4mc=", + "h1:RjitcUcx/3QKUgs74q3ypbf7KQpg8BoNELW6sE4ONqk=", + "h1:Vw7hY7KdCtQ3hf00uCekrzdDgBJ2EnPXUAnj3ybLXPQ=", + "h1:fDQcyzUJqHb4qXOyze/Te0Fd3dVMdBcLQ+e2xOtsqbM=", + "h1:jKOzsHSorUnub0L+Lq+tPPhHmeKoaiPS8orF9zZf/i0=", + "h1:kXF4EEV9uzXzshloPfJQQzPbs0YVgjUu5aD+Fj040U0=", + "h1:pvMaS6PASVHMJxArSG1pAzS5Micb1fMcLz7MF7bO138=", + "h1:s3wkHrHE8Q/Dj+PIkvuPviLTUcK6h7aoAArrBKNJ8PE=", + "zh:0103a533f474db36223d8dbf2abc80f8d76a162b2e3042a2203f0d426f2c8e16", + "zh:03302f83cd5784435ef22864a936b88293284bfdc091ff2fd0cc18a40e97bb55", + "zh:0730ca92f8bc778dba52425d05c5dceb9ae57660797f88132c06a0bf8a4f4f55", + "zh:63ace720564b3549d482f0bc68b1f4596a1682faeef5fe4d40163abccda90ceb", + "zh:8c4acdc358b1f5b1c13192af81bba552c6ad98debd341d836f4adf1fb85610a8", + "zh:8f101bae1ab303b5e1b91ceb62d11386091a24c2bbd99bca4662bc88f127a8c4", + "zh:a683c5338f16d20a1432fbc093c35db388ec7ef9f657d7478e3a04fc72722ad7", + "zh:a99fcbaf234cb161c8d7018f62946178810c7645436229d05913ff432094734d", + "zh:aa7fc7a3e05e96522507a86ec50b53473ff3e917f56fb2fc7418070fe29f1abc", + "zh:bc3b9f7cce5f5fd4116700411c5f3d14c48a9b56115268094882d949b811e53a", + "zh:cba03e3c31ee1e83fcc25511a34ca5f7132e0bbb41f3edc7c7dc113edd5938db", + "zh:d1f168e7a87a3f74d9932b88daa367242d1e9a2ed1b7b9eaf44fcfcfc190305f", + "zh:eb5af50c8e13980da4830c5f23fa7d911ae07740b37cf9d6c5895da95374e940", + "zh:f9db4dbb47b257123bb70b770714552d873f9c8e2e8017c1de227757c8dfb074", ] } diff --git a/tofu/authentik/main.tf b/tofu/authentik/main.tf index 4ff4a0c..5b58c64 100644 --- a/tofu/authentik/main.tf +++ b/tofu/authentik/main.tf 
@@ -8,7 +8,7 @@ terraform { required_providers { authentik = { source = "goauthentik/authentik" - version = "2025.12.1" + version = "2025.10.0" } } } @@ -22,11 +22,6 @@ resource "authentik_group" "ci" { users = [data.authentik_user.catalin.id] } -resource "authentik_group" "vods" { - name = "vods" - users = [data.authentik_user.catalin.id] -} - resource "authentik_group" "admins" { name = "authentik Admins" is_superuser = true @@ -52,7 +47,6 @@ resource "authentik_group" "mediamanager" { is_superuser = false } - module "gitea" { source = "../modules/authentik-oidc" app_name = "Gitea" @@ -134,7 +128,7 @@ module "sonarr" { app_slug = "sonarr" app_access_group_id = authentik_group.arrs.id app_url = "https://sonarr.fukurokuju.dev" - internal_host = "http://192.168.1.3:30113/" + internal_host = "http://192.168.1.3:38013/" internal_host_ssl_validation = false app_icon = "https://sonarr.tv/img/logo.png" } @@ -145,7 +139,7 @@ module "radarr" { app_slug = "radarr" app_access_group_id = authentik_group.arrs.id app_url = "https://radarr.fukurokuju.dev" - internal_host = "http://192.168.1.3:30025/" + internal_host = "http://192.168.1.3:38012/" internal_host_ssl_validation = false app_icon = "https://radarr.video/img/background/logo.png" } @@ -156,7 +150,7 @@ module "lidarr" { app_slug = "lidarr" app_access_group_id = authentik_group.arrs.id app_url = "https://lidarr.fukurokuju.dev" - internal_host = "http://192.168.1.3:30071/" + internal_host = "http://192.168.1.3:38010/" internal_host_ssl_validation = false app_icon = "https://lidarr.audio/img/background/logo.png" } @@ -177,7 +171,7 @@ module "prowlarr" { app_slug = "prowlarr" app_access_group_id = authentik_group.admins.id app_url = "https://prowlarr.fukurokuju.dev" - internal_host = "http://192.168.1.3:30050" + internal_host = "http://192.168.1.3:38014" internal_host_ssl_validation = false } 
@@ -205,70 +199,53 @@ module "sftpgo" {
 sub_mode = "user_username"
 }
+module "netbird" {
+ source = "../modules/authentik-oidc"
+ app_name = "netbird"
+ app_slug = "netbird"
+ client_id = var.netbird_client_id
+ client_type = "public"
+ app_access_group_id = authentik_group.vpn.id
+ redirect_uris = [
+ {
+ matching_mode = "strict",
+ url = "https://vpn.fukurokuju.dev",
+ },
+ {
+ matching_mode = "regex",
+ url = "https://vpn.fukurokuju.dev.*",
+ },
+ {
+ matching_mode = "strict",
+ url = "http://localhost:53000"
+ },
+
+ ]
+ sub_mode = "user_id"
+ extra_property_mappings = [
+ "goauthentik.io/providers/oauth2/scope-authentik_api"
+ ]
+ app_icon = "https://vpn.fukurokuju.dev/apple-icon.png"
+ access_token_validity = "days=10"
+ client_secret = ""
+}
+
 module "rustical" {
 source = "../modules/authentik-oidc"
 app_name = "rustical"
 app_slug = "rustical"
- app_url = "https://cal.roboces.dev"
 client_id = var.rustical_client_id
 client_secret = var.rustical_client_secret
 redirect_uris = [{ matching_mode = "strict", url = "https://cal.roboces.dev/frontend/login/oidc/callback" }]
 app_access_group_id = ""
 }
-module "jellyfin" {
- source = "../modules/authentik-ldap"
- app_name = "Jellyfin"
- app_slug = "jellyfin"
- base_dn = "DC=ldap,DC=fukurokuju,DC=dev"
- name = "jellyfin"
- app_url = "https://jelly.roboces.dev"
- app_icon = "https://jelly.roboces.dev/web/touchicon.f5bbb798cb2c65908633.png"
- app_access_group_id = authentik_group.arrs.id
-}
-
-module "tandoor" {
+module "mediamanager" {
 source = "../modules/authentik-oidc"
- app_name = "Tandoor"
- app_slug = "tandoor"
- app_access_group_id = ""
- app_url = "https://recipes.roboces.dev"
- redirect_uris = [{ matching_mode = "strict", url = "https://recipes.roboces.dev/accounts/oidc/authentik/login/callback/" }]
- app_icon = "https://recipes.roboces.dev/static/assets/logo_color_192.c9b9177ff941.png"
- client_id = var.tandoor_client_id
- client_secret = var.tandoor_client_secret
-}
-
-module "ganymede" {
- source = "../modules/authentik-oidc"
- app_name = "Ganymede"
- app_slug = "ganymede"
- redirect_uris = [{ matching_mode = "strict", url = "https://vods.roboces.dev/api/v1/auth/oauth/callback" }]
- client_id = var.ganymede_client_id
- client_secret = var.ganymede_client_secret
- app_url = "https://vods.roboces.dev"
- app_icon = "https://vods.roboces.dev/favicon.ico"
- app_access_group_id = authentik_group.vods.id
-}
-
-module "jellyseerr" {
- source = "../modules/authentik-app"
- app_name = "Solicitudes Jelly"
- app_slug = "jellyseer"
- app_url = "https://requests.roboces.dev"
- app_icon = "https://requests.roboces.dev/os_icon.svg"
- app_description = "Solicita series, animes y pelis para ser añadidas automáticamente a Jellyfin"
- app_access_group_id = authentik_group.arrs.id
-}
-
-module "pulse" {
- source = "../modules/authentik-oidc"
- app_name = "Pulse"
- app_slug = "pulse"
- app_url = "https://pulse.fukurokuju.dev"
- client_id = var.pulse_client_id
- client_secret = var.pulse_client_secret
- app_icon = "https://pulse.fukurokuju.dev/logo.svg"
- redirect_uris = [{ matching_mode = "strict", url = "https://pulse.fukurokuju.dev/api/oidc/callback" }]
- app_access_group_id = authentik_group.admins.id
+ app_name = "mediamanager"
+ app_slug = "mediamanager"
+ client_id = var.mediamanager_client_id
+ client_secret = var.mediamanager_client_secret
+ redirect_uris = [{ matching_mode = "strict", url = "https://mediamanager.roboces.dev/api/v1/auth/oauth/callback" }]
+ app_access_group_id = authentik_group.mediamanager.id
 }
diff --git a/tofu/authentik/sample.env b/tofu/authentik/sample.env
index 31a7461..f7ff6ea 100644
--- a/tofu/authentik/sample.env
+++ b/tofu/authentik/sample.env
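Review bot: The `regex` redirect entry in the new `netbird` module of tofu/authentik/main.tf, `url = "https://vpn.fukurokuju.dev.*"`, is not bound to the host: the dots are unescaped and the trailing `.*` begins directly after `dev`, so a URI on another host such as `https://vpn.fukurokuju.dev.example.net/` (constructed example) would also satisfy it. For a `client_type = "public"` provider with `client_secret = ""`, redirect-URI matching is the main control over where authorization responses are delivered. Escape the dots and force a path boundary, e.g. `url = "https://vpn\\.fukurokuju\\.dev(/.*)?"`, adding `^`/`$` if the provider does not full-match, or list the exact callback paths in `strict` mode. `access_token_validity = "days=10"` is also long for a bearer token that carries the `scope-authentik_api` mapping; a validity measured in hours, with refresh via `offline_access`, would narrow the exposure of a leaked token.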
@@ -10,11 +10,8 @@ TF_VAR_paperless_client_id=
 TF_VAR_paperless_client_secret=
 TF_VAR_sftpgo_client_id=
 TF_VAR_sftpgo_client_secret=
+TF_VAR_netbird_client_id=
 TF_VAR_rustical_client_id=
 TF_VAR_rustical_client_secret=
-TF_VAR_tandoor_client_id=
-TF_VAR_tandoor_client_secret=
-TF_VAR_ganymede_client_id=
-TF_VAR_ganymede_client_secret=
-TF_VAR_pulse_client_id=
-TF_VAR_pulse_client_secret=
+TF_VAR_mediamanager_client_id=
+TF_VAR_mediamanager_client_secret=
diff --git a/tofu/authentik/vars.tf b/tofu/authentik/vars.tf
index f0e5dc2..4a1c5dd 100644
--- a/tofu/authentik/vars.tf
+++ b/tofu/authentik/vars.tf
@@ -39,6 +39,12 @@ variable "paperless_client_secret" {
 type = string
 }
+variable "netbird_client_id" {
+ description = "Netbird client ID"
+ type = string
+}
+
+
 variable "sftpgo_client_id" {
 description = "SFTPGo client ID"
 type = string
@@ -55,36 +61,16 @@ variable "rustical_client_id" {
 }
 variable "rustical_client_secret" {
- description = "Tandoor client secret"
+ description = "Rustical client secret"
 type = string
 }
-variable "tandoor_client_id" {
- description = "Tandoor client ID"
+variable "mediamanager_client_id" {
+ description = "MediaManager client ID"
 type = string
 }
-variable "tandoor_client_secret" {
- description = "Tandoor client secret"
- type = string
-}
-
-variable "ganymede_client_id" {
- description = "Ganymede client ID"
- type = string
-}
-
-variable "ganymede_client_secret" {
- description = "Ganymede client secret"
- type = string
-}
-
-variable "pulse_client_id" {
- description = "Pulse client ID"
- type = string
-}
-
-variable "pulse_client_secret" {
- description = "Pulse client secret"
+variable "mediamanager_client_secret" {
+ description = "MediaManager client secret"
 type = string
 }
diff --git a/tofu/modules/authentik-app/main.tf b/tofu/modules/authentik-app/main.tf
deleted file mode 100644
index 1b65990..0000000
--- a/tofu/modules/authentik-app/main.tf
+++ /dev/null
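Review bot: In the second tofu/authentik/vars.tf hunk, the new `variable "mediamanager_client_secret"` and the re-described `variable "rustical_client_secret"` are declared with only `description` and `type`, so OpenTofu will show their values in plan and apply output and in diagnostics. Add `sensitive = true` to each `*_client_secret` block so the values are redacted in CLI output. The values are still written to state in clear text, so the state backend needs its own access control and encryption; that configuration is not visible in this diff.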
@@ -1,26 +0,0 @@
-terraform {
- required_version = ">= 1.6"
- required_providers {
- authentik = {
- source = "goauthentik/authentik"
- version = "2025.12.1"
- }
- }
-}
-
-resource "authentik_application" "app" {
- name = var.app_name
- slug = var.app_slug
- open_in_new_tab = var.open_in_new_tab
- meta_icon = var.app_icon
- meta_description = var.app_description
- meta_publisher = var.app_publisher
- meta_launch_url = var.app_url
-}
-
-resource "authentik_policy_binding" "app_access" {
- target = authentik_application.app.uuid
- group = var.app_access_group_id
- order = 0
- count = var.app_access_group_id != "" ? 1 : 0 # only add it if the group's name exists
-}
diff --git a/tofu/modules/authentik-app/vars.tf b/tofu/modules/authentik-app/vars.tf
deleted file mode 100644
index 445710f..0000000
--- a/tofu/modules/authentik-app/vars.tf
+++ /dev/null
@@ -1,62 +0,0 @@
-variable "app_name" {
- description = "App name"
- type = string
-}
-
-variable "app_slug" {
- description = "App slug, a human-readable URL identifier, e.g.: Google -> google"
- type = string
-}
-
-
-variable "client_type" {
- type = string
- default = "confidential"
-
- validation {
- condition = contains(["confidential", "public"], var.client_type)
- error_message = "client_type must be 'confidential' or 'public'"
- }
-}
-
-variable "app_access_group_id" {
- description = "ID of a group which will have access to the app"
- type = string
-}
-
-variable "sub_mode" {
- type = string
- default = "user_username"
-
- validation {
- condition = contains(["user_id", "user_username", "hashed_user_id"], var.sub_mode)
- error_message = "sub_mode must be 'user_id', 'user_username' or 'hashed_user_id'"
- }
-}
-
-
-variable "open_in_new_tab" {
- type = bool
- description = "Open apps in a new tab"
- default = true
-}
-
-variable "app_icon" {
- type = string
- default = ""
-}
-
-variable "app_description" {
- type = string
- default = ""
-}
-
-variable "app_publisher" {
- type = string
- default = ""
-}
-
-variable "app_url" {
- type = string
- default = ""
-}
diff --git a/tofu/modules/authentik-ldap/.terraform.lock.hcl b/tofu/modules/authentik-ldap/.terraform.lock.hcl
deleted file mode 100644
index fe7616b..0000000
--- a/tofu/modules/authentik-ldap/.terraform.lock.hcl
+++ /dev/null
@@ -1,37 +0,0 @@ -# This file is maintained automatically by "tofu init". -# Manual edits may be lost in future updates. - -provider "registry.opentofu.org/goauthentik/authentik" { - version = "2025.12.1" - constraints = "2025.12.1" - hashes = [ - "h1:+R2MRgaXvmR1l+nYxYJqMSuvA4VBzfBoh2Er6TnDRPE=", - "h1:1y5I173i8qvxp8GQHBBI/bxkr6YOqY4IqOiJWIUSeeM=", - "h1:XHaltkhuTgyFCCZgpay2orOgc0TyZf0KqrFHNfUgY20=", - "h1:XvFByv5e6fKSlayYaXpFD/JbTYZN1ybujVJJjny1Q18=", - "h1:ZU9d05CLVYBbmdB0IGiG9MueY4/fVo4D6FeyQtbeujA=", - "h1:doHtDOiEIgIUWlUUc9jC7Uqdhj1hsy3etvdYmegcUZM=", - "h1:hUgMx2B40ByfaMA4Al0h7xotp/pZxJJxZZa/HJb6NDc=", - "h1:kG5J46qkCdUWJp/1p8CLifqc7Fy54IDZEjYhpmWcars=", - "h1:lNx+bJr11tPJxpkL5aTdOkGwB41O2Kv8fvKuiMl/LLs=", - "h1:mSOL+FqSLNkWeXopegyK/MoCkMD/VmW9V3PHLaIePjU=", - "h1:oCKzPBsyaD1ENda7qbREG3DYV3Opu09ub+msk3vRCkw=", - "h1:p9AGeRqK50wTHEIp7z7O4MUP83cs+lt7wPajZ9m9TB8=", - "h1:tBoVWDOhByI7cg9TYAAw6LDdMmWLpa2LYwJzzcukdiA=", - "h1:zHQHXKmlGNYBaWLJ9SuXsJ7dbpsvhDJl5pJi+PFU+2w=", - "zh:0e856d3b13614bc32346a236a8e84ba55ecd17238c2008d4b3e71aa8cb49f515", - "zh:2dcc44cd499c18ebbc4f763eff97a7b725763c8ac8fbb5d69c935413ccdc4962", - "zh:434100fc75ec7cd6b64cc9497e8273e79325fa8d285e9fd9d341c1a67421643b", - "zh:483484f66d2e8ce6fa4bfd91e824ceebf07d10acb5df5f366397c55227c4ae91", - "zh:596743a6f1c77a6f103b06ef8d932fe8f2376793b92478853dc84571d17c429f", - "zh:5ed2d5eb7db13229baaf042c725d5c64b58ffdcc641370175e0a88900af94bf1", - "zh:8aecd4cf782c82bee01098f72fe4ffff83707516007b32a01c7fcb19a9260338", - "zh:928c05ecac309287ff7d73ed6e478350fe3003557658ae5dc2be817a4268dba7", - "zh:9b9fd36dfb3e75da8b4478485272505ae9a3c67b10db173e1d2d76cfe2b637b8", - "zh:ab7cd8c61ab67a045854e32f0be1940a92746770dbf3c17bbe923e0259c4f897", - "zh:bb1360ec19a4fc1095d0ef1b7b6c5c3c1a91daac7cd1957d43a4cdbb7356a2e3", - "zh:d2186f4063aa1a547b52a53745d472e43f5343bc1674f2bbb91421c61b0fab50", - "zh:d74bbb67a77951b18ffd7b2863954e70ac03450ad2023cc305c66a5ff25d8d18", -
"zh:f5970569ea0a479bbfbf2d452f5962e1c9bd472b82756db822d0e951363daa25", - ] -}
diff --git a/tofu/modules/authentik-ldap/main.tf b/tofu/modules/authentik-ldap/main.tf
deleted file mode 100644
index b0fc742..0000000
--- a/tofu/modules/authentik-ldap/main.tf
+++ /dev/null
@@ -1,45 +0,0 @@
-terraform {
- required_version = ">= 1.6"
- required_providers {
- authentik = {
- source = "goauthentik/authentik"
- version = "2025.12.1"
- }
- }
-}
-
-
-data "authentik_flow" "default-authentication-flow" {
- slug = "default-authentication-flow"
-}
-
-data "authentik_flow" "default-invalidation-flow" {
- slug = "default-invalidation-flow"
-}
-
-
-resource "authentik_provider_ldap" "provider_ldap" {
- base_dn = var.base_dn
- bind_flow = data.authentik_flow.default-authentication-flow.id
- name = var.name
- unbind_flow = data.authentik_flow.default-invalidation-flow.id
-}
-
-
-resource "authentik_application" "app" {
- name = var.app_name
- slug = var.app_slug
- protocol_provider = authentik_provider_ldap.provider_ldap.id
- open_in_new_tab = var.open_in_new_tab
- meta_icon = var.app_icon
- meta_description = var.app_description
- meta_publisher = var.app_publisher
- meta_launch_url = var.app_url
-}
-
-resource "authentik_policy_binding" "app_access" {
- target = authentik_application.app.uuid
- group = var.app_access_group_id
- order = 0
- count = var.app_access_group_id != "" ? 1 : 0 # only add it if the group's name exists
-}
diff --git a/tofu/modules/authentik-ldap/vars.tf b/tofu/modules/authentik-ldap/vars.tf
deleted file mode 100644
index 3d44d35..0000000
--- a/tofu/modules/authentik-ldap/vars.tf
+++ /dev/null
@@ -1,52 +0,0 @@
-variable "app_name" {
- description = "App name"
- type = string
-}
-
-variable "app_slug" {
- description = "App slug, a human-readable URL identifier, e.g.: Google -> google"
- type = string
-}
-
-
-variable "app_access_group_id" {
- description = "ID of a group which will have access to the app"
- type = string
-}
-
-
-variable "open_in_new_tab" {
- type = bool
- description = "Open apps in a new tab"
- default = true
-}
-
-variable "app_icon" {
- type = string
- default = ""
-}
-
-variable "app_description" {
- type = string
- default = ""
-}
-
-variable "app_publisher" {
- type = string
- default = ""
-}
-variable "app_url" {
- type = string
- default = ""
-}
-
-
-variable "base_dn" {
- type = string
- description = "Base DN"
-}
-
-variable "name" {
- type = string
- description = "Name"
-}
diff --git a/tofu/modules/authentik-oidc/main.tf b/tofu/modules/authentik-oidc/main.tf
index aea24f7..beb4b02 100644
--- a/tofu/modules/authentik-oidc/main.tf
+++ b/tofu/modules/authentik-oidc/main.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 authentik = {
 source = "goauthentik/authentik"
- version = "2025.12.1"
+ version = "2025.10.0"
 }
 }
 }
diff --git a/tofu/modules/authentik-proxy/main.tf b/tofu/modules/authentik-proxy/main.tf
index 86e4baa..0d9c6f0 100644
--- a/tofu/modules/authentik-proxy/main.tf
+++ b/tofu/modules/authentik-proxy/main.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 authentik = {
 source = "goauthentik/authentik"
- version = "2025.12.1"
+ version = "2025.10.0"
 }
 }
 }