diff --git a/docker/forgejo-runner/docker-compose.yml b/docker/forgejo-runner/docker-compose.yml index e98dc66..903042c 100644 --- a/docker/forgejo-runner/docker-compose.yml +++ b/docker/forgejo-runner/docker-compose.yml @@ -1,6 +1,6 @@ --- x-runner-common: &runner-common - image: code.forgejo.org/forgejo/runner:11.3.1 + image: code.forgejo.org/forgejo/runner:12.6.4 links: - docker-in-docker depends_on: diff --git a/docker/ganymede/docker-compose.yml b/docker/ganymede/docker-compose.yml new file mode 100644 index 0000000..1f24da0 --- /dev/null +++ b/docker/ganymede/docker-compose.yml @@ -0,0 +1,48 @@ +--- +services: + ganymede: + container_name: ganymede + image: ghcr.io/zibbp/ganymede:4.11.5 + restart: unless-stopped + environment: + DEBUG: ${GANYMEDE_DEBUG:-false} + TZ: ${GANYMEDE_TZ:-Europe/Madrid} + VIDEOS_DIR: ${GANYMEDE_VIDEOS_DIR:-/data/videos} + TEMP_DIR: ${GANYMEDE_TEMP_DIR:-/data/temp} + LOGS_DIR: ${GANYMEDE_LOGS_DIR:-/data/logs} + CONFIG_DIR: ${GANYMEDE_CONFIG_DIR:-/data/config} + DB_HOST: ${GANYMEDE_DB_HOST:-192.168.1.3} + DB_PORT: ${GANYMEDE_DB_PORT:-5432} + DB_USER: ${GANYMEDE_DB_USER:-ganymede} + DB_PASS: ${GANYMEDE_DB_PASS} + DB_NAME: ${GANYMEDE_DB_NAME:-ganymede} + DB_SSL: ${GANYMEDE_DB_SSL:-disable} + TWITCH_CLIENT_ID: ${GANYMEDE_TWITCH_CLIENT_ID} + TWITCH_CLIENT_SECRET: ${GANYMEDE_TWITCH_CLIENT_SECRET} + MAX_CHAT_DOWNLOAD_EXECUTIONS: ${GANYMEDE_MAX_CHAT_DOWNLOAD_EXECUTIONS:-3} + MAX_CHAT_RENDER_EXECUTIONS: ${GANYMEDE_MAX_CHAT_RENDER_EXECUTIONS:-2} + MAX_VIDEO_DOWNLOAD_EXECUTIONS: ${GANYMEDE_MAX_VIDEO_DOWNLOAD_EXECUTIONS:-2} + MAX_VIDEO_CONVERT_EXECUTIONS: ${GANYMEDE_MAX_VIDEO_CONVERT_EXECUTIONS:-3} + MAX_VIDEO_SPRITE_THUMBNAIL_EXECUTIONS: ${GANYMEDE_MAX_VIDEO_SPRITE_THUMBNAIL_EXECUTIONS:-2} + OAUTH_ENABLED: ${GANYMEDE_OAUTH_ENABLED:-true} + OAUTH_PROVIDER_URL: ${GANYMEDE_OAUTH_PROVIDER_URL:-https://auth.fukurokuju.dev/application/o/ganymede/} + OAUTH_CLIENT_ID: ${GANYMEDE_OAUTH_CLIENT_ID} + OAUTH_CLIENT_SECRET: ${GANYMEDE_OAUTH_CLIENT_SECRET} + OAUTH_REDIRECT_URL: ${GANYMEDE_OAUTH_REDIRECT_URL:-https://vods.roboces.dev/api/v1/auth/oauth/callback} + SHOW_SSO_LOGIN_BUTTON: ${GANYMEDE_SHOW_SSO_LOGIN_BUTTON:-true} + FORCE_SSO_AUTH: ${GANYMEDE_FORCE_SSO_AUTH:-true} + REQUIRE_LOGIN: ${GANYMEDE_REQUIRE_LOGIN:-true} + volumes: + - ${GANYMEDE_VIDEOS:-/mnt/vods/ganymede/videos}:/data/videos + - ${GANYMEDE_TEMP:-/mnt/vods/ganymede/temp}:/data/temp + - ${GANYMEDE_CACHE:-/mnt/vods/ganymede/cache}:/data/.cache + - ${GANYMEDE_LOGS:-/mnt/vods/ganymede/logs}:/data/logs + - ${GANYMEDE_CONFIG:-/mnt/vods/ganymede/config}:/data/config + ports: + - "4800:4000" + healthcheck: + test: curl --fail http://localhost:4000/health || exit 1 + interval: 60s + retries: 5 + start_period: 60s + timeout: 10s diff --git a/docker/ganymede/sample.env b/docker/ganymede/sample.env new file mode 100644 index 0000000..5b2205b --- /dev/null +++ b/docker/ganymede/sample.env @@ -0,0 +1,27 @@ +GANYMEDE_DEBUG=false +GANYMEDE_TZ=Europe/Madrid +GANYMEDE_VIDEOS_DIR=/data/videos +GANYMEDE_TEMP_DIR=/data/temp +GANYMEDE_LOGS_DIR=/data/logs +GANYMEDE_CONFIG_DIR=/data/config +GANYMEDE_DB_HOST=192.168.1.3 +GANYMEDE_DB_PORT=5432 +GANYMEDE_DB_USER=ganymede +GANYMEDE_DB_PASS= +GANYMEDE_DB_NAME=ganymede +GANYMEDE_DB_SSL=disable +GANYMEDE_TWITCH_CLIENT_ID= +GANYMEDE_TWITCH_CLIENT_SECRET= +GANYMEDE_MAX_CHAT_DOWNLOAD_EXECUTIONS=3 +GANYMEDE_MAX_CHAT_RENDER_EXECUTIONS=2 +GANYMEDE_MAX_VIDEO_DOWNLOAD_EXECUTIONS=2 +GANYMEDE_MAX_VIDEO_CONVERT_EXECUTIONS=3 +GANYMEDE_MAX_VIDEO_SPRITE_THUMBNAIL_EXECUTIONS=2 +GANYMEDE_OAUTH_ENABLED=true +GANYMEDE_OAUTH_PROVIDER_URL=https://auth.fukurokuju.dev/application/o/ganymede/ +GANYMEDE_OAUTH_CLIENT_ID= +GANYMEDE_OAUTH_CLIENT_SECRET= +GANYMEDE_OAUTH_REDIRECT_URL=https://vods.roboces.dev/api/v1/auth/oauth/callback +GANYMEDE_SHOW_SSO_LOGIN_BUTTON=true +GANYMEDE_FORCE_SSO_AUTH=false +GANYMEDE_REQUIRE_LOGIN=false diff --git a/docker/netbird/docker-compose.yml b/docker/netbird/docker-compose.yml deleted file mode 100644 index 76dc7af..0000000 --- a/docker/netbird/docker-compose.yml +++ /dev/null @@ -1,112 +0,0 @@ ---- -services: - dashboard: - image: netbirdio/dashboard:v2.20.2 - restart: unless-stopped - ports: - - 8005:80 - environment: - NETBIRD_MGMT_API_ENDPOINT: ${NETBIRD_MGMT_API_ENDPOINT:-https://vpn.fukurokuju.dev} - NETBIRD_MGMT_GRPC_API_ENDPOINT: ${NETBIRD_MGMT_GRPC_API_ENDPOINT:-https://vpn.fukurokuju.dev} - AUTH_AUDIENCE: ${NETBIRD_AUTH_AUDIENCE:-64e44b85ebdec2a3cf87c0c9916e2dbb0570f6d87b03ca8d149c3551565c3057ce1e559d16b5399cb7df60646e4e2bc6515842a198efb09d1620ea9ac1d8ace2} # yamllint disable rule:line-length - AUTH_CLIENT_ID: ${NETBIRD_AUTH_CLIENT_ID:-64e44b85ebdec2a3cf87c0c9916e2dbb0570f6d87b03ca8d149c3551565c3057ce1e559d16b5399cb7df60646e4e2bc6515842a198efb09d1620ea9ac1d8ace2} # yamllint disable rule:line-length - AUTH_AUTHORITY: ${NETBIRD_AUTH_AUTHORITY:-https://auth.fukurokuju.dev/application/o/netbird/} - USE_AUTH0: false - AUTH_SUPPORTED_SCOPES: ${NETBIRD_AUTH_SUPPORTED_SCOPES:-api offline_access openid email profile} - AUTH_REDIRECT_URI: - AUTH_SILENT_REDIRECT_URI: - NETBIRD_TOKEN_SOURCE: accessToken - NGINX_SSL_PORT: 443 - logging: - driver: "json-file" - options: - max-size: "500m" - max-file: "2" - signal: - image: netbirdio/signal:0.59.11 - restart: unless-stopped - volumes: - - netbird-signal:/var/lib/netbird - ports: - - "10000:80" - logging: - driver: "json-file" - options: - max-size: "500m" - max-file: "2" - relay: - image: netbirdio/relay:0.59.11 - restart: unless-stopped - environment: - NB_LOG_LEVEL: ${NB_LOG_LEVEL:-info} - NB_LISTEN_ADDRESS: ${NB_LISTEN_ADDRESS:-:33080} - NB_EXPOSED_ADDRESS: ${NB_EXPOSED_ADDRESS:-vpn.fukurokuju.dev:33080} - NB_AUTH_SECRET: ${NB_AUTH_SECRET} - ports: - - "33080:33080" - logging: - driver: "json-file" - options: - max-size: "500m" - max-file: "2" - management: - image: netbirdio/management:0.59.10 - restart: unless-stopped - depends_on: - - dashboard - volumes: - - ${NETBIRD_MANAGEMENT_VOLUME:-/mnt/nas1/shared/netbird/management}/data:/var/lib/netbird - - ${NETBIRD_MANAGEMENT_VOLUME:-/mnt/nas1/shared/netbird/management}/management.json:/etc/netbird/management.json:z - ports: - - "33073:443" - command: [ - "--port", "443", - "--log-file", "console", - "--log-level", "info", - "--disable-anonymous-metrics=false", - "--single-account-mode-domain=vpn.fukurokuju.dev", - "--dns-domain=netbird.fuku", - ] - logging: - driver: "json-file" - options: - max-size: "500m" - max-file: "2" - environment: - - NETBIRD_STORE_ENGINE_POSTGRES_DSN= - - coturn: - image: coturn/coturn:4.7 - restart: unless-stopped - domainname: vpn.fukurokuju.dev - volumes: - - ${NETBIRD_COTURN_VOLUME:-/mnt/nas1/shared/netbird/coturn}/turnserver.conf:/etc/turnserver.conf:ro - network_mode: host - command: - - -c /etc/turnserver.conf - logging: - driver: "json-file" - options: - max-size: "500m" - max-file: "2" - - peer-1: - image: netbirdio/netbird:0.59.11 - restart: unless-stopped - volumes: - - ${NETBIRD_PEER_VOLUME:-/mnt/nas1/shared/netbird/peer-1}/data:/etc/netbird - environment: - NB_MANAGEMENT_URL: https://vpn.fukurokuju.dev:443 - NB_SETUP_KEY: ${NB_SETUP_KEY} - cap_add: - - NET_ADMIN - depends_on: - - management - - dashboard - - relay - - signal - - coturn - -volumes: - netbird-mgmt: - netbird-signal: diff --git a/docker/netbird/sample.env b/docker/netbird/sample.env deleted file mode 100644 index 6a76871..0000000 --- a/docker/netbird/sample.env +++ /dev/null @@ -1,2 +0,0 @@ -NB_AUTH_SECRET= -NB_SETUP_KEY= diff --git a/docker/paperless/docker-compose.yml b/docker/paperless/docker-compose.yml index 58acc07..99209c6 100644 --- a/docker/paperless/docker-compose.yml +++ b/docker/paperless/docker-compose.yml @@ -14,7 +14,7 @@ services: webserver: - image: ghcr.io/paperless-ngx/paperless-ngx:2.20.0 + image: ghcr.io/paperless-ngx/paperless-ngx:2.20.6 restart: unless-stopped ports: - 8002:8000 diff --git a/docker/rustical/docker-compose.yml b/docker/rustical/docker-compose.yml index 662a7df..2bca4ee 100644 --- a/docker/rustical/docker-compose.yml +++ b/docker/rustical/docker-compose.yml @@ -1,7 +1,7 @@ --- services: rustical: - image: ghcr.io/lennart-k/rustical:0.10.5 + image: ghcr.io/lennart-k/rustical:0.12.4 ports: - '4000:4000' volumes: diff --git a/docker/tailscale/docker-compose.yml b/docker/tailscale/docker-compose.yml new file mode 100644 index 0000000..f0d25e1 --- /dev/null +++ b/docker/tailscale/docker-compose.yml @@ -0,0 +1,18 @@ +--- +services: + tailscale: + image: tailscale/tailscale:v1.92.5 + hostname: tailscale + environment: + TS_AUTHKEY: ${TS_AUTHKEY} + TS_HOSTNAME: ${TS_HOSTNAME:-docker-exit-node} + TS_EXTRA_ARGS: ${TS_EXTRA_ARGS:---advertise-exit-node} + TS_ROUTES: ${TS_ROUTES:-192.168.1.0/24} + TS_STATE_DIR: /var/lib/tailscale + volumes: + - ${TS_VOLUME:-/mnt/nas1/shared/tailscale}:/var/lib/tailscale + devices: + - /dev/net/tun:/dev/net/tun + cap_add: + - net_admin + restart: unless-stopped diff --git a/docker/tailscale/sample.env b/docker/tailscale/sample.env new file mode 100644 index 0000000..83646d5 --- /dev/null +++ b/docker/tailscale/sample.env @@ -0,0 +1,5 @@ +TS_AUTHKEY= +TS_HOSTNAME=docker-exit-node +TS_EXTRA_ARGS=--advertise-exit-node +TS_ROUTES=192.168.1.0/24 +TS_VOLUME=/mnt/nas1/shared/tailscale diff --git a/docker/tandoor/docker-compose.yml b/docker/tandoor/docker-compose.yml new file mode 100644 index 0000000..5bf5d88 --- /dev/null +++ b/docker/tandoor/docker-compose.yml @@ -0,0 +1,21 @@ +--- +services: + web_recipes: + restart: always + image: vabene1111/recipes:2.4.2 + volumes: + - ${TANDOOR_STATICFILES:-/mnt/nas1/shared/tandoor/staticfiles}:/opt/recipes/staticfiles + - ${TANDOOR_MEDIAFILES:-/mnt/nas1/shared/tandoor/mediafiles}:/opt/recipes/mediafiles + environment: + SECRET_KEY: ${TANDOOR_SECRET_KEY} + TZ: ${TANDOOR_TZ:-Europe/Madrid} + ALLOWED_HOSTS: ${TANDOOR_ALLOWED_HOSTS:-recipes.roboces.dev} + SOCIAL_PROVIDERS: ${TANDOOR_SOCIAL_PROVIDERS:-allauth.socialaccount.providers.openid_connect} + SOCIALACCOUNT_PROVIDERS: ${TANDOOR_SOCIALACCOUNT_PROVIDERS} + POSTGRES_HOST: ${TANDOOR_POSTGRES_HOST:-192.168.1.3} + POSTGRES_DB: ${TANDOOR_POSTGRES_DB:-tandoor} + POSTGRES_PORT: ${TANDOOR_POSTGRES_PORT:-5432} + POSTGRES_USER: ${TANDOOR_POSTGRES_USER} + POSTGRES_PASSWORD: ${TANDOOR_POSTGRES_PASSWORD} + ports: + - "8081:80" diff --git a/docker/tandoor/sample.env b/docker/tandoor/sample.env new file mode 100644 index 0000000..e5029ad --- /dev/null +++ b/docker/tandoor/sample.env @@ -0,0 +1,11 @@ +TANDOOR_STATICFILES= +TANDOOR_MEDIAFILES= +TANDOOR_SECRET_KEY= +TANDOOR_TZ=Europe/Madrid +TANDOOR_ALLOWED_HOSTS= +TANDOOR_SOCIALACCOUNT_PROVIDERS= +TANDOOR_POSTGRES_HOST= +TANDOOR_POSTGRES_DB= +TANDOOR_POSTGRES_PORT= +TANDOOR_POSTGRES_USER= +TANDOOR_POSTGRES_PASSWORD= diff --git a/docker/vaultwarden/docker-compose.yml b/docker/vaultwarden/docker-compose.yml index 4c2b3dc..dfd51a4 100644 --- a/docker/vaultwarden/docker-compose.yml +++ b/docker/vaultwarden/docker-compose.yml @@ -1,7 +1,7 @@ --- services: vaultwarden: - image: vaultwarden/server:1.34.3-alpine + image: vaultwarden/server:1.35.3-alpine restart: unless-stopped environment: DATABASE_URL: ${DATABASE_URL} diff --git a/k8s/argo-apps/authentik.yaml b/k8s/argo-apps/authentik.yaml index 045afd6..b046a8b 100644 --- a/k8s/argo-apps/authentik.yaml +++ b/k8s/argo-apps/authentik.yaml @@ -12,7 +12,7 @@ spec: sources: - chart: authentik repoURL: https://charts.goauthentik.io/ - targetRevision: 2025.10.* + targetRevision: 2025.12.* helm: valuesObject: authentik: diff --git a/k8s/argo-apps/dcsi.yaml b/k8s/argo-apps/dcsi.yaml index 13a5a3c..9c9e48d 100644 --- a/k8s/argo-apps/dcsi.yaml +++ b/k8s/argo-apps/dcsi.yaml @@ -2,29 +2,39 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: democratic-csi - namespace: argocd + name: democratic-csi + namespace: argocd spec: - destination: - name: '' - namespace: democratic-csi - server: https://kubernetes.default.svc - sources: - - chart: democratic-csi - repoURL: https://democratic-csi.github.io/charts/ - targetRevision: 0.15.* - helm: - releaseName: zfs-nfs - valuesObject: - csiDriver: - name: org.dcsi.nfs - driver: - existingConfigSecret: secrets-dcsi - config: - driver: freenas-api-nfs - - repoURL: https://git.roboces.dev/catalin/fukuops.git - path: k8s/services/dcsi - targetRevision: main - project: management - syncPolicy: - automated: {} + destination: + name: '' + namespace: democratic-csi + server: https://kubernetes.default.svc + sources: + - chart: democratic-csi + repoURL: https://democratic-csi.github.io/charts/ + targetRevision: 0.15.* + helm: + releaseName: zfs-nfs + valuesObject: + node: + driver: + image: + tag: next + controller: + driver: + image: + tag: next + csiDriver: + name: org.dcsi.nfs + driver: + image: + tag: next + existingConfigSecret: secrets-dcsi + config: + driver: freenas-api-nfs + - repoURL: https://git.roboces.dev/catalin/fukuops.git + path: k8s/services/dcsi + targetRevision: main + project: management + syncPolicy: + automated: {} diff --git a/k8s/argo-apps/factorio.yaml b/k8s/argo-apps/factorio.yaml deleted file mode 100644 index cd2d97d..0000000 --- a/k8s/argo-apps/factorio.yaml +++ /dev/null @@ -1,45 +0,0 @@ ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: factorio - namespace: argocd -spec: - destination: - name: '' - namespace: apps-fuku - server: https://kubernetes.default.svc - sources: - - chart: factorio-server-charts - repoURL: https://sqljames.github.io/factorio-server-charts/ - targetRevision: 2.5.* - helm: - valuesObject: - rcon: - passwordSecret: secrets-factorio - nodeSelector: - kubernetes.io/hostname: agent1 - image: - tag: latest - factorioServer: - save_name: fukurokuju-space - admin_list: - - Phireh - account: - accountSecret: secrets-factorio - server_settings: - name: factorio-fukurokuju - visibility: - public: false - require_user_verification: false - persistence: - storageClassName: truenas-nfs-csi - serverPassword: - passwordSecret: secrets-factorio - - - repoURL: https://git.roboces.dev/catalin/fukuops.git - path: k8s/services/factorio - targetRevision: main - project: fuku - syncPolicy: - automated: {} diff --git a/k8s/argo-apps/forgejo.yaml b/k8s/argo-apps/forgejo.yaml index 277a779..1106bc3 100644 --- a/k8s/argo-apps/forgejo.yaml +++ b/k8s/argo-apps/forgejo.yaml @@ -14,7 +14,7 @@ spec: sources: - chart: forgejo repoURL: code.forgejo.org/forgejo-helm - targetRevision: 15.0.3 + targetRevision: 16.0.2 helm: valuesObject: replicaCount: 2 diff --git a/k8s/argo-apps/kubetail.yaml b/k8s/argo-apps/kubetail.yaml index 453b3b8..b7d79e3 100644 --- a/k8s/argo-apps/kubetail.yaml +++ b/k8s/argo-apps/kubetail.yaml @@ -12,7 +12,7 @@ spec: sources: - chart: kubetail repoURL: https://kubetail-org.github.io/helm-charts/ - targetRevision: 0.16.3 + targetRevision: 0.17.0 helm: valuesObject: kubetail: diff --git a/k8s/argo-apps/pulse.yaml b/k8s/argo-apps/pulse.yaml new file mode 100644 index 0000000..aa2dd3f --- /dev/null +++ b/k8s/argo-apps/pulse.yaml @@ -0,0 +1,43 @@ +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: pulse + namespace: argocd +spec: + destination: + name: '' + namespace: apps-fuku + server: https://kubernetes.default.svc + project: fuku + syncPolicy: + automated: {} + sources: + - repoURL: https://rcourtman.github.io/Pulse + chart: pulse + targetRevision: 5.1.* + helm: + valuesObject: + persistence: + enabled: true + size: 10Gi + storageClass: truenas-nfs-csi + accessModes: + - ReadWriteMany + service: + type: LoadBalancer + ingress: + enabled: true + hosts: + - host: pulse.fukurokuju.dev + paths: + - path: / + pathType: Prefix + tls: [] + monitoring: + serviceMonitor: + enabled: true + + - path: k8s/services/pulse + repoURL: https://git.roboces.dev/catalin/fukuops.git + targetRevision: main diff --git a/k8s/argo-apps/renovate.yaml b/k8s/argo-apps/renovate.yaml index 83c3d3a..61305e6 100644 --- a/k8s/argo-apps/renovate.yaml +++ b/k8s/argo-apps/renovate.yaml @@ -13,7 +13,7 @@ spec: sources: - chart: renovate repoURL: https://docs.renovatebot.com/helm-charts - targetRevision: 45.21.* + targetRevision: 46.6.* helm: valuesObject: renovate: diff --git a/k8s/argo-apps/sealed-secrets.yaml b/k8s/argo-apps/sealed-secrets.yaml index d60c2ec..c180041 100644 --- a/k8s/argo-apps/sealed-secrets.yaml +++ b/k8s/argo-apps/sealed-secrets.yaml @@ -12,7 +12,7 @@ spec: source: chart: sealed-secrets repoURL: https://bitnami-labs.github.io/sealed-secrets - targetRevision: 2.17.* + targetRevision: 2.18.* helm: releaseName: sealed-secrets valuesObject: diff --git a/k8s/services/argo/project-fuku.yaml b/k8s/services/argo/project-fuku.yaml index c4ab6ee..ead0d89 100644 --- a/k8s/services/argo/project-fuku.yaml +++ b/k8s/services/argo/project-fuku.yaml @@ -31,3 +31,5 @@ spec: - https://groundhog2k.github.io/helm-charts/ - registry-1.docker.io/cloudpirates - https://vmware-tanzu.github.io/helm-charts/ + - https://helm.runix.net + - https://rcourtman.github.io/Pulse diff --git a/k8s/services/miniflux/deployment.yaml b/k8s/services/miniflux/deployment.yaml index f6be938..a89d916 100644 --- a/k8s/services/miniflux/deployment.yaml +++ b/k8s/services/miniflux/deployment.yaml @@ -28,7 +28,7 @@ spec: spec: containers: - name: miniflux - image: miniflux/miniflux:2.2.13 + image: miniflux/miniflux:2.2.17 imagePullPolicy: Always securityContext: allowPrivilegeEscalation: false diff --git a/k8s/services/pulse/ds.yaml b/k8s/services/pulse/ds.yaml new file mode 100644 index 0000000..2785813 --- /dev/null +++ b/k8s/services/pulse/ds.yaml @@ -0,0 +1,105 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: pulse-agent + namespace: apps-fuku +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: pulse-agent-read +rules: + - apiGroups: [""] + resources: ["nodes", "pods"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: ["deployments"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: pulse-agent-read +subjects: + - kind: ServiceAccount + name: pulse-agent + namespace: apps-fuku +roleRef: + kind: ClusterRole + name: pulse-agent-read + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: pulse-agent + namespace: apps-fuku +spec: + selector: + matchLabels: + app: pulse-agent + template: + metadata: + labels: + app: pulse-agent + spec: + serviceAccountName: pulse-agent + containers: + - name: pulse-agent + image: rcourtman/pulse:5.1.8 + command: ["/opt/pulse/bin/pulse-agent-linux-amd64"] + args: + - --enable-kubernetes + env: + - name: PULSE_URL + value: "https://pulse.fukurokuju.dev" + - name: PULSE_TOKEN + valueFrom: + secretKeyRef: + name: pulse-agent-secrets + key: PULSE_TOKEN + - name: PULSE_AGENT_ID + value: "k8s-cluster" + - name: PULSE_ENABLE_HOST + value: "true" + - name: HOST_PROC + value: "/host/proc" + - name: HOST_SYS + value: "/host/sys" + - name: HOST_ETC + value: "/host/etc" + - name: PULSE_KUBE_INCLUDE_ALL_PODS + value: "true" + - name: PULSE_KUBE_INCLUDE_ALL_DEPLOYMENTS + value: "true" + securityContext: + privileged: true + resources: + requests: + cpu: 50m + memory: 128Mi + limits: + memory: 512Mi + volumeMounts: + - name: host-proc + mountPath: /host/proc + readOnly: true + - name: host-sys + mountPath: /host/sys + readOnly: true + - name: host-root + mountPath: /host/root + readOnly: true + volumes: + - name: host-proc + hostPath: + path: /proc + - name: host-sys + hostPath: + path: /sys + - name: host-root + hostPath: + path: / + tolerations: + - operator: Exists diff --git a/k8s/services/pulse/sealedsecrets.yaml b/k8s/services/pulse/sealedsecrets.yaml new file mode 100644 index 0000000..0cade5d --- /dev/null +++ b/k8s/services/pulse/sealedsecrets.yaml @@ -0,0 +1,17 @@ +# yamllint disable rule:line-length +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + creationTimestamp: null + name: pulse-agent-secrets + namespace: apps-fuku +spec: + encryptedData: + PULSE_TOKEN: AgBBxrJ80IpJ0RvYKQuN6p3G8vIdSL9nESO9OTAR0NiMjSGZNbNEELKE/a1f2ixQUSsNc/k31c+7GlAi+8PmNC4c7rmRJTe+z3uO/BNNLYeTi7DsEk9/oJZTWn7iOcLogiZJQKxbGozCp/S8zrWisH67N2ZHmzz5UEJAzq57+fBEyAk22/WR0QMfW3oOYHGZFNR5AdAxrdfyRwTvSEOz4R2YlrQKRtOFVIPG/aEaAn42AGYfrq2cLVEiCygjE+8nZQ62TMmQqMiwiCjk5do9uRhhiRimuD78FrNnFU5dSwe/11ji5sSrEPjszPB8O0TBbsCssxfz48cKRm/6IdI9B5pKHYob68Ed8u5UgpRU/ZhUWJLyXuZF/Tgw+WcIsVkQXb3eqQTARBeZueugnA23lnzxh5gjR17wjPw7ePYaLiUWTYikOK5HvgpJyiuB0ev2cjGSqYeeAAn5ewCGM/NODXUAlFdC+N9S7ft1+chJrHoaXgHy8J9LWm/maKW99+yT08a68RvGGoZtFPZNlFjzurNF6EY9SLUFf0RLzShkyq6uuOzLm8gENyDIQ+Ru7wWEwyEcUz4ceAR5I78k0gCIDR1o4Ti22asdbRjMptZdOTbep+PWmu2K1oUvxXtXwgKkn8pvTkJpcdejqehnYPWfRAI3Guxi7LQDf++yShKS1NdXMdjhtFoNLa03xHM/G94sF3/mnJwivNhur1V7iC1yCY5NlruPr4KCd5AgOnKqoreRRvRbCVlFO1mtP6XV4sjqEIhmZyXWFJ76bwAC+hxSlFzL + template: + metadata: + creationTimestamp: null + name: pulse-agent-secrets + namespace: apps-fuku + type: Opaque diff --git a/tofu/adguard/main.tf b/tofu/adguard/main.tf index e419eee..894cfea 100644 --- a/tofu/adguard/main.tf +++ b/tofu/adguard/main.tf @@ -85,8 +85,12 @@ resource "adguard_rewrite" "master2" { answer = "192.168.1.32" } - resource "adguard_rewrite" "k3m3" { domain = "k3m3.fuku" answer = "192.168.1.43" } + +resource "adguard_rewrite" "pulse" { + answer = "pulse.fukurokuju.dev" + domain = "192.168.1.12" +} diff --git a/tofu/authentik/.terraform.lock.hcl b/tofu/authentik/.terraform.lock.hcl index ce22035..fe7616b 100644 --- a/tofu/authentik/.terraform.lock.hcl +++ b/tofu/authentik/.terraform.lock.hcl @@ -2,36 +2,36 @@ # Manual edits may be lost in future updates. provider "registry.opentofu.org/goauthentik/authentik" { - version = "2025.10.0" - constraints = "2025.10.0" + version = "2025.12.1" + constraints = "2025.12.1" hashes = [ - "h1:8nN6b5dEGbJJ5ajovedkO//QP4NrWU5GfrenIHAEyz0=", - "h1:EZlTiEEZ0a6AvlLuTKAIyhBI4m4poYUX4QW0wyHfIaw=", - "h1:ElpISil/0po3r4pb9KK7/pBCSLxL18a6IDHDSMFdmS0=", - "h1:F7+3L6JmVEG+PMizB9SuifxbznkZD3462LQpFMOW0M0=", - "h1:L1sFZI0qKeBpUUCMgQkuRge196DsrHaTUJKJWKm0V2w=", - "h1:OQgVyUOOLTGyosEpVHzE37h+91nHN5n9lKHt6nAOZyU=", - "h1:Ph1j1Flr4kXMZKCRlP4Hn0asAz1Yfpk+hf5t6aeF4mc=", - "h1:RjitcUcx/3QKUgs74q3ypbf7KQpg8BoNELW6sE4ONqk=", - "h1:Vw7hY7KdCtQ3hf00uCekrzdDgBJ2EnPXUAnj3ybLXPQ=", - "h1:fDQcyzUJqHb4qXOyze/Te0Fd3dVMdBcLQ+e2xOtsqbM=", - "h1:jKOzsHSorUnub0L+Lq+tPPhHmeKoaiPS8orF9zZf/i0=", - "h1:kXF4EEV9uzXzshloPfJQQzPbs0YVgjUu5aD+Fj040U0=", - "h1:pvMaS6PASVHMJxArSG1pAzS5Micb1fMcLz7MF7bO138=", - "h1:s3wkHrHE8Q/Dj+PIkvuPviLTUcK6h7aoAArrBKNJ8PE=", - "zh:0103a533f474db36223d8dbf2abc80f8d76a162b2e3042a2203f0d426f2c8e16", - "zh:03302f83cd5784435ef22864a936b88293284bfdc091ff2fd0cc18a40e97bb55", - "zh:0730ca92f8bc778dba52425d05c5dceb9ae57660797f88132c06a0bf8a4f4f55", - "zh:63ace720564b3549d482f0bc68b1f4596a1682faeef5fe4d40163abccda90ceb", - "zh:8c4acdc358b1f5b1c13192af81bba552c6ad98debd341d836f4adf1fb85610a8", - "zh:8f101bae1ab303b5e1b91ceb62d11386091a24c2bbd99bca4662bc88f127a8c4", - "zh:a683c5338f16d20a1432fbc093c35db388ec7ef9f657d7478e3a04fc72722ad7", - "zh:a99fcbaf234cb161c8d7018f62946178810c7645436229d05913ff432094734d", - "zh:aa7fc7a3e05e96522507a86ec50b53473ff3e917f56fb2fc7418070fe29f1abc", - "zh:bc3b9f7cce5f5fd4116700411c5f3d14c48a9b56115268094882d949b811e53a", - "zh:cba03e3c31ee1e83fcc25511a34ca5f7132e0bbb41f3edc7c7dc113edd5938db", - "zh:d1f168e7a87a3f74d9932b88daa367242d1e9a2ed1b7b9eaf44fcfcfc190305f", - "zh:eb5af50c8e13980da4830c5f23fa7d911ae07740b37cf9d6c5895da95374e940", - "zh:f9db4dbb47b257123bb70b770714552d873f9c8e2e8017c1de227757c8dfb074", + "h1:+R2MRgaXvmR1l+nYxYJqMSuvA4VBzfBoh2Er6TnDRPE=", + "h1:1y5I173i8qvxp8GQHBBI/bxkr6YOqY4IqOiJWIUSeeM=", + "h1:XHaltkhuTgyFCCZgpay2orOgc0TyZf0KqrFHNfUgY20=", + "h1:XvFByv5e6fKSlayYaXpFD/JbTYZN1ybujVJJjny1Q18=", + "h1:ZU9d05CLVYBbmdB0IGiG9MueY4/fVo4D6FeyQtbeujA=", + "h1:doHtDOiEIgIUWlUUc9jC7Uqdhj1hsy3etvdYmegcUZM=", + "h1:hUgMx2B40ByfaMA4Al0h7xotp/pZxJJxZZa/HJb6NDc=", + "h1:kG5J46qkCdUWJp/1p8CLifqc7Fy54IDZEjYhpmWcars=", + "h1:lNx+bJr11tPJxpkL5aTdOkGwB41O2Kv8fvKuiMl/LLs=", + "h1:mSOL+FqSLNkWeXopegyK/MoCkMD/VmW9V3PHLaIePjU=", + "h1:oCKzPBsyaD1ENda7qbREG3DYV3Opu09ub+msk3vRCkw=", + "h1:p9AGeRqK50wTHEIp7z7O4MUP83cs+lt7wPajZ9m9TB8=", + "h1:tBoVWDOhByI7cg9TYAAw6LDdMmWLpa2LYwJzzcukdiA=", + "h1:zHQHXKmlGNYBaWLJ9SuXsJ7dbpsvhDJl5pJi+PFU+2w=", + "zh:0e856d3b13614bc32346a236a8e84ba55ecd17238c2008d4b3e71aa8cb49f515", + "zh:2dcc44cd499c18ebbc4f763eff97a7b725763c8ac8fbb5d69c935413ccdc4962", + "zh:434100fc75ec7cd6b64cc9497e8273e79325fa8d285e9fd9d341c1a67421643b", + "zh:483484f66d2e8ce6fa4bfd91e824ceebf07d10acb5df5f366397c55227c4ae91", + "zh:596743a6f1c77a6f103b06ef8d932fe8f2376793b92478853dc84571d17c429f", + "zh:5ed2d5eb7db13229baaf042c725d5c64b58ffdcc641370175e0a88900af94bf1", + "zh:8aecd4cf782c82bee01098f72fe4ffff83707516007b32a01c7fcb19a9260338", + "zh:928c05ecac309287ff7d73ed6e478350fe3003557658ae5dc2be817a4268dba7", + "zh:9b9fd36dfb3e75da8b4478485272505ae9a3c67b10db173e1d2d76cfe2b637b8", + "zh:ab7cd8c61ab67a045854e32f0be1940a92746770dbf3c17bbe923e0259c4f897", + "zh:bb1360ec19a4fc1095d0ef1b7b6c5c3c1a91daac7cd1957d43a4cdbb7356a2e3", + "zh:d2186f4063aa1a547b52a53745d472e43f5343bc1674f2bbb91421c61b0fab50", + "zh:d74bbb67a77951b18ffd7b2863954e70ac03450ad2023cc305c66a5ff25d8d18", + "zh:f5970569ea0a479bbfbf2d452f5962e1c9bd472b82756db822d0e951363daa25", ] } diff --git a/tofu/authentik/main.tf b/tofu/authentik/main.tf index 5b58c64..4ff4a0c 100644 --- a/tofu/authentik/main.tf +++ b/tofu/authentik/main.tf @@ -8,7 +8,7 @@ terraform { required_providers { authentik = { source = "goauthentik/authentik" - version = "2025.10.0" + version = "2025.12.1" } } } @@ -22,6 +22,11 @@ resource "authentik_group" "ci" { users = [data.authentik_user.catalin.id] } +resource "authentik_group" "vods" { + name = "vods" + users = [data.authentik_user.catalin.id] +} + resource "authentik_group" "admins" { name = "authentik Admins" is_superuser = true @@ -47,6 +52,7 @@ resource "authentik_group" "mediamanager" { is_superuser = false } + module "gitea" { source = "../modules/authentik-oidc" app_name = "Gitea" @@ -128,7 +134,7 @@ module "sonarr" { app_slug = "sonarr" app_access_group_id = authentik_group.arrs.id app_url = "https://sonarr.fukurokuju.dev" - internal_host = "http://192.168.1.3:38013/" + internal_host = "http://192.168.1.3:30113/" internal_host_ssl_validation = false app_icon = "https://sonarr.tv/img/logo.png" } @@ -139,7 +145,7 @@ module "radarr" { app_slug = "radarr" app_access_group_id = authentik_group.arrs.id app_url = "https://radarr.fukurokuju.dev" - internal_host = "http://192.168.1.3:38012/" + internal_host = "http://192.168.1.3:30025/" internal_host_ssl_validation = false app_icon = "https://radarr.video/img/background/logo.png" } @@ -150,7 +156,7 @@ module "lidarr" { app_slug = "lidarr" app_access_group_id = authentik_group.arrs.id app_url = "https://lidarr.fukurokuju.dev" - internal_host = "http://192.168.1.3:38010/" + internal_host = "http://192.168.1.3:30071/" internal_host_ssl_validation = false app_icon = "https://lidarr.audio/img/background/logo.png" } @@ -171,7 +177,7 @@ module "prowlarr" { app_slug = "prowlarr" app_access_group_id = authentik_group.admins.id app_url = "https://prowlarr.fukurokuju.dev" - internal_host = "http://192.168.1.3:38014" + internal_host = "http://192.168.1.3:30050" internal_host_ssl_validation = false } @@ -199,53 +205,70 @@ module "sftpgo" { sub_mode = "user_username" } -module "netbird" { - source = "../modules/authentik-oidc" - app_name = "netbird" - app_slug = "netbird" - client_id = var.netbird_client_id - client_type = "public" - app_access_group_id = authentik_group.vpn.id - redirect_uris = [ - { - matching_mode = "strict", - url = "https://vpn.fukurokuju.dev", - }, - { - matching_mode = "regex", - url = "https://vpn.fukurokuju.dev.*", - }, - { - matching_mode = "strict", - url = "http://localhost:53000" - }, - - ] - sub_mode = "user_id" - extra_property_mappings = [ - "goauthentik.io/providers/oauth2/scope-authentik_api" - ] - app_icon = "https://vpn.fukurokuju.dev/apple-icon.png" - access_token_validity = "days=10" - client_secret = "" -} - module "rustical" { source = "../modules/authentik-oidc" app_name = "rustical" app_slug = "rustical" + app_url = "https://cal.roboces.dev" client_id = var.rustical_client_id client_secret = var.rustical_client_secret redirect_uris = [{ matching_mode = "strict", url = "https://cal.roboces.dev/frontend/login/oidc/callback" }] app_access_group_id = "" } -module "mediamanager" { - source = "../modules/authentik-oidc" - app_name = "mediamanager" - app_slug = "mediamanager" - client_id = var.mediamanager_client_id - client_secret = var.mediamanager_client_secret - redirect_uris = [{ matching_mode = "strict", url = "https://mediamanager.roboces.dev/api/v1/auth/oauth/callback" }] - app_access_group_id = authentik_group.mediamanager.id +module "jellyfin" { + source = "../modules/authentik-ldap" + app_name = "Jellyfin" + app_slug = "jellyfin" + base_dn = "DC=ldap,DC=fukurokuju,DC=dev" + name = "jellyfin" + app_url = "https://jelly.roboces.dev" + app_icon = "https://jelly.roboces.dev/web/touchicon.f5bbb798cb2c65908633.png" + app_access_group_id = authentik_group.arrs.id +} + +module "tandoor" { + source = "../modules/authentik-oidc" + app_name = "Tandoor" + app_slug = "tandoor" + app_access_group_id = "" + app_url = "https://recipes.roboces.dev" + redirect_uris = [{ matching_mode = "strict", url = "https://recipes.roboces.dev/accounts/oidc/authentik/login/callback/" }] + app_icon = "https://recipes.roboces.dev/static/assets/logo_color_192.c9b9177ff941.png" + client_id = var.tandoor_client_id + client_secret = var.tandoor_client_secret +} + +module "ganymede" { + source = "../modules/authentik-oidc" + app_name = "Ganymede" + app_slug = "ganymede" + redirect_uris = [{ matching_mode = "strict", url = "https://vods.roboces.dev/api/v1/auth/oauth/callback" }] + client_id = var.ganymede_client_id + client_secret = var.ganymede_client_secret + app_url = "https://vods.roboces.dev" + app_icon = "https://vods.roboces.dev/favicon.ico" + app_access_group_id = authentik_group.vods.id +} + +module "jellyseerr" { + source = "../modules/authentik-app" + app_name = "Solicitudes Jelly" + app_slug = "jellyseer" + app_url = "https://requests.roboces.dev" + app_icon = "https://requests.roboces.dev/os_icon.svg" + app_description = "Solicita series, animes y pelis para ser añadidas automáticamente a Jellyfin" + app_access_group_id = authentik_group.arrs.id +} + +module "pulse" { + source = "../modules/authentik-oidc" + app_name = "Pulse" + app_slug = "pulse" + app_url = "https://pulse.fukurokuju.dev" + client_id = var.pulse_client_id + client_secret = var.pulse_client_secret + app_icon = "https://pulse.fukurokuju.dev/logo.svg" + redirect_uris = [{ matching_mode = "strict", url = "https://pulse.fukurokuju.dev/api/oidc/callback" }] + app_access_group_id = authentik_group.admins.id } diff --git a/tofu/authentik/sample.env b/tofu/authentik/sample.env index f7ff6ea..31a7461 100644 --- a/tofu/authentik/sample.env +++ b/tofu/authentik/sample.env @@ -10,8 +10,11 @@ TF_VAR_paperless_client_id= TF_VAR_paperless_client_secret= TF_VAR_sftpgo_client_id= TF_VAR_sftpgo_client_secret= -TF_VAR_netbird_client_id= TF_VAR_rustical_client_id= TF_VAR_rustical_client_secret= -TF_VAR_mediamanager_client_id= -TF_VAR_mediamanager_client_secret= +TF_VAR_tandoor_client_id= +TF_VAR_tandoor_client_secret= +TF_VAR_ganymede_client_id= +TF_VAR_ganymede_client_secret= +TF_VAR_pulse_client_id= +TF_VAR_pulse_client_secret= diff --git a/tofu/authentik/vars.tf b/tofu/authentik/vars.tf index 4a1c5dd..f0e5dc2 100644 --- a/tofu/authentik/vars.tf +++ b/tofu/authentik/vars.tf @@ -39,12 +39,6 @@ variable "paperless_client_secret" { type = string } -variable "netbird_client_id" { - description = "Netbird client ID" - type = string -} - - variable "sftpgo_client_id" { description = "SFTPGo client ID" type = string @@ -61,16 +55,36 @@ variable "rustical_client_id" { } variable "rustical_client_secret" { - description = "Rustical client secret" + description = "Tandoor client secret" type = string } -variable "mediamanager_client_id" { - description = "MediaManager client ID" +variable "tandoor_client_id" { + description = "Tandoor client ID" type = string } -variable "mediamanager_client_secret" { - description = "MediaManager client secret" +variable "tandoor_client_secret" { + description = "Tandoor client secret" + type = string +} + +variable "ganymede_client_id" { + description = "Ganymede client ID" + type = string +} + +variable "ganymede_client_secret" { + description = "Ganymede client secret" + type = string +} + +variable "pulse_client_id" { + description = "Pulse client ID" + type = string +} + +variable "pulse_client_secret" { + description = "Pulse client secret" type = string } diff --git a/tofu/modules/authentik-app/main.tf b/tofu/modules/authentik-app/main.tf new file mode 100644 index 0000000..1b65990 --- /dev/null +++ b/tofu/modules/authentik-app/main.tf @@ -0,0 +1,26 @@ +terraform { + required_version = ">= 1.6" + required_providers { + authentik = { + source = "goauthentik/authentik" + version = "2025.12.1" + } + } +} + +resource "authentik_application" "app" { + name = var.app_name + slug = var.app_slug + open_in_new_tab = var.open_in_new_tab + meta_icon = var.app_icon + meta_description = var.app_description + meta_publisher = var.app_publisher + meta_launch_url = var.app_url +} + +resource "authentik_policy_binding" "app_access" { + target = authentik_application.app.uuid + group = var.app_access_group_id + order = 0 + count = var.app_access_group_id != "" ? 1 : 0 # only add it if the group's name exists +} diff --git a/tofu/modules/authentik-app/vars.tf b/tofu/modules/authentik-app/vars.tf new file mode 100644 index 0000000..445710f --- /dev/null +++ b/tofu/modules/authentik-app/vars.tf @@ -0,0 +1,62 @@ +variable "app_name" { + description = "App name" + type = string +} + +variable "app_slug" { + description = "App slug, a human-readable URL identifier, e.g.: Google -> google" + type = string +} + + +variable "client_type" { + type = string + default = "confidential" + + validation { + condition = contains(["confidential", "public"], var.client_type) + error_message = "client_type must be 'confidential' or 'public'" + } +} + +variable "app_access_group_id" { + description = "ID of a group which will have access to the app" + type = string +} + +variable "sub_mode" { + type = string + default = "user_username" + + validation { + condition = contains(["user_id", "user_username", "hashed_user_id"], var.sub_mode) + error_message = "sub_mode must be 'user_id', 'user_username' or 'hashed_user_id'" + } +} + + +variable "open_in_new_tab" { + type = bool + description = "Open apps in a new tab" + default = true +} + +variable "app_icon" { + type = string + default = "" +} + +variable "app_description" { + type = string + default = "" +} + +variable "app_publisher" { + type = string + default = "" +} + +variable "app_url" { + type = string + default = "" +} diff --git a/tofu/modules/authentik-ldap/.terraform.lock.hcl b/tofu/modules/authentik-ldap/.terraform.lock.hcl new file mode 100644 index 0000000..fe7616b --- /dev/null +++ b/tofu/modules/authentik-ldap/.terraform.lock.hcl @@ -0,0 +1,37 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/goauthentik/authentik" { + version = "2025.12.1" + constraints = "2025.12.1" + hashes = [ + "h1:+R2MRgaXvmR1l+nYxYJqMSuvA4VBzfBoh2Er6TnDRPE=", + "h1:1y5I173i8qvxp8GQHBBI/bxkr6YOqY4IqOiJWIUSeeM=", + "h1:XHaltkhuTgyFCCZgpay2orOgc0TyZf0KqrFHNfUgY20=", + "h1:XvFByv5e6fKSlayYaXpFD/JbTYZN1ybujVJJjny1Q18=", + "h1:ZU9d05CLVYBbmdB0IGiG9MueY4/fVo4D6FeyQtbeujA=", + "h1:doHtDOiEIgIUWlUUc9jC7Uqdhj1hsy3etvdYmegcUZM=", + "h1:hUgMx2B40ByfaMA4Al0h7xotp/pZxJJxZZa/HJb6NDc=", + "h1:kG5J46qkCdUWJp/1p8CLifqc7Fy54IDZEjYhpmWcars=", + "h1:lNx+bJr11tPJxpkL5aTdOkGwB41O2Kv8fvKuiMl/LLs=", + "h1:mSOL+FqSLNkWeXopegyK/MoCkMD/VmW9V3PHLaIePjU=", + "h1:oCKzPBsyaD1ENda7qbREG3DYV3Opu09ub+msk3vRCkw=", + "h1:p9AGeRqK50wTHEIp7z7O4MUP83cs+lt7wPajZ9m9TB8=", + "h1:tBoVWDOhByI7cg9TYAAw6LDdMmWLpa2LYwJzzcukdiA=", + "h1:zHQHXKmlGNYBaWLJ9SuXsJ7dbpsvhDJl5pJi+PFU+2w=", + "zh:0e856d3b13614bc32346a236a8e84ba55ecd17238c2008d4b3e71aa8cb49f515", + "zh:2dcc44cd499c18ebbc4f763eff97a7b725763c8ac8fbb5d69c935413ccdc4962", + "zh:434100fc75ec7cd6b64cc9497e8273e79325fa8d285e9fd9d341c1a67421643b", + "zh:483484f66d2e8ce6fa4bfd91e824ceebf07d10acb5df5f366397c55227c4ae91", + "zh:596743a6f1c77a6f103b06ef8d932fe8f2376793b92478853dc84571d17c429f", + "zh:5ed2d5eb7db13229baaf042c725d5c64b58ffdcc641370175e0a88900af94bf1", + "zh:8aecd4cf782c82bee01098f72fe4ffff83707516007b32a01c7fcb19a9260338", + "zh:928c05ecac309287ff7d73ed6e478350fe3003557658ae5dc2be817a4268dba7", + "zh:9b9fd36dfb3e75da8b4478485272505ae9a3c67b10db173e1d2d76cfe2b637b8", + "zh:ab7cd8c61ab67a045854e32f0be1940a92746770dbf3c17bbe923e0259c4f897", + "zh:bb1360ec19a4fc1095d0ef1b7b6c5c3c1a91daac7cd1957d43a4cdbb7356a2e3", + "zh:d2186f4063aa1a547b52a53745d472e43f5343bc1674f2bbb91421c61b0fab50", + "zh:d74bbb67a77951b18ffd7b2863954e70ac03450ad2023cc305c66a5ff25d8d18", + "zh:f5970569ea0a479bbfbf2d452f5962e1c9bd472b82756db822d0e951363daa25", + ] +} diff --git a/tofu/modules/authentik-ldap/main.tf b/tofu/modules/authentik-ldap/main.tf new file mode 100644 index 0000000..b0fc742 --- /dev/null +++ b/tofu/modules/authentik-ldap/main.tf @@ -0,0 +1,45 @@ +terraform { + required_version = ">= 1.6" + required_providers { + authentik = { + source = "goauthentik/authentik" + version = "2025.12.1" + } + } +} + + +data "authentik_flow" "default-authentication-flow" { + slug = "default-authentication-flow" +} + +data "authentik_flow" "default-invalidation-flow" { + slug = "default-invalidation-flow" +} + + +resource "authentik_provider_ldap" "provider_ldap" { + base_dn = var.base_dn + bind_flow = data.authentik_flow.default-authentication-flow.id + name = var.name + unbind_flow = data.authentik_flow.default-invalidation-flow.id +} + + +resource "authentik_application" "app" { + name = var.app_name + slug = var.app_slug + protocol_provider = authentik_provider_ldap.provider_ldap.id + open_in_new_tab = var.open_in_new_tab + meta_icon = var.app_icon + meta_description = var.app_description + meta_publisher = var.app_publisher + meta_launch_url = var.app_url +} + +resource "authentik_policy_binding" "app_access" { + target = authentik_application.app.uuid + group = var.app_access_group_id + order = 0 + count = var.app_access_group_id != "" ? 1 : 0 # only add it if the group's name exists +} diff --git a/tofu/modules/authentik-ldap/vars.tf b/tofu/modules/authentik-ldap/vars.tf new file mode 100644 index 0000000..3d44d35 --- /dev/null +++ b/tofu/modules/authentik-ldap/vars.tf @@ -0,0 +1,52 @@ +variable "app_name" { + description = "App name" + type = string +} + +variable "app_slug" { + description = "App slug, a human-readable URL identifier, e.g.: Google -> google" + type = string +} + + +variable "app_access_group_id" { + description = "ID of a group which will have access to the app" + type = string +} + + +variable "open_in_new_tab" { + type = bool + description = "Open apps in a new tab" + default = true +} + +variable "app_icon" { + type = string + default = "" +} + +variable "app_description" { + type = string + default = "" +} + +variable "app_publisher" { + type = string + default = "" +} +variable "app_url" { + type = string + default = "" +} + + +variable "base_dn" { + type = string + description = "Base DN" +} + +variable "name" { + type = string + description = "Name" +} diff --git a/tofu/modules/authentik-oidc/main.tf b/tofu/modules/authentik-oidc/main.tf index beb4b02..aea24f7 100644 --- a/tofu/modules/authentik-oidc/main.tf +++ b/tofu/modules/authentik-oidc/main.tf @@ -3,7 +3,7 @@ terraform { required_providers { authentik = { source = "goauthentik/authentik" - version = "2025.10.0" + version = "2025.12.1" } } } diff --git a/tofu/modules/authentik-proxy/main.tf b/tofu/modules/authentik-proxy/main.tf index 0d9c6f0..86e4baa 100644 --- a/tofu/modules/authentik-proxy/main.tf +++ b/tofu/modules/authentik-proxy/main.tf @@ -3,7 +3,7 @@ terraform { required_providers { authentik = { source = "goauthentik/authentik" - version = "2025.10.0" + version = "2025.12.1" } } }