fukuops/tofu/authentik/main.tf
cătălin 83d2ed9141
feat: add rustical
2025-11-17 21:53:46 +01:00


# OpenTofu settings for the authentik stack: minimum CLI version, the provider
# this configuration depends on, and where remote state is kept.
terraform {
  required_version = ">= 1.6"

  # The provider is pinned to one exact release, so upgrades are explicit edits.
  required_providers {
    authentik = {
      source  = "goauthentik/authentik"
      version = "2025.10.0"
    }
  }

  # Remote state in S3. The modules in this file take OIDC client secrets as
  # input variables, so the state object very likely stores them in plaintext.
  # NOTE(review): no `encrypt` argument and no state locking are configured
  # here. Confirm the bucket enforces encryption at rest and that only the
  # deploy identity can read it.
  backend "s3" {
    bucket = "fuku-terraform"
    key    = "authentik/terraform"
    region = "us-east-1"
  }
}
# Looks up an existing authentik user by username. The user itself is not
# managed here; only its id is read, for the "ci" group membership.
data "authentik_user" "catalin" {
  username = "catalin"
}
# Group "ci" with a single member taken from the user lookup above.
# is_superuser is not set, so the provider default applies.
resource "authentik_group" "ci" {
  name = "ci"
  users = [
    data.authentik_user.catalin.id,
  ]
}
# Superuser group: members get full administrative rights in authentik.
# It is also the access group for the Portainer and Prowlarr applications
# in this file, so membership should be kept minimal and reviewed.
resource "authentik_group" "admins" {
  is_superuser = true
  name         = "authentik Admins"
}
# Non-privileged group used as the access group for the proxied
# Sonarr, Radarr, Lidarr and qBit applications in this file.
resource "authentik_group" "arrs" {
  is_superuser = false
  name         = "arrs"
}
# Non-privileged group used as the access group for the netbird application.
resource "authentik_group" "vpn" {
  is_superuser = false
  name         = "vpn"
}
# Non-privileged group used as the access group for the SFTPGo application.
resource "authentik_group" "ftp" {
  is_superuser = false
  name         = "ftp"
}
# OIDC application for the Forgejo/Gitea instance at git.roboces.dev.
module "gitea" {
  source = "../modules/authentik-oidc"

  app_name        = "Gitea"
  app_slug        = "gitea"
  app_description = "Beyond coding. We forge."
  app_publisher   = "Forgejo"
  app_icon        = "https://git.roboces.dev/assets/img/logo.svg"
  app_url         = "https://git.roboces.dev/user/oauth2/authentik"

  # Credentials come from variables; they should be marked sensitive where
  # they are declared, and they end up in the remote state.
  client_id     = var.gitea_client_id
  client_secret = var.gitea_client_secret

  # NOTE(review): empty access group. Presumably the module then creates no
  # group binding, which would let every authentik user sign in to this app.
  # Verify against ../modules/authentik-oidc.
  app_access_group_id = ""

  # A single exact-match callback; nothing else is accepted as redirect_uri.
  redirect_uris = [
    {
      matching_mode = "strict"
      url           = "https://git.roboces.dev/user/oauth2/authentik/callback"
    }
  ]

  # The `sub` claim is a hash of the user id rather than a mutable attribute.
  sub_mode = "hashed_user_id"
}
# OIDC application for the Miniflux RSS reader.
module "miniflux" {
  source = "../modules/authentik-oidc"

  app_name        = "Miniflux"
  app_slug        = "miniflux"
  app_description = "RSS aggregator"
  app_publisher   = "Miniflux"
  app_icon        = "https://miniflux.app/favicon.ico"
  app_url         = "https://feeds.roboces.dev"

  client_id     = var.miniflux_client_id
  client_secret = var.miniflux_client_secret

  # NOTE(review): empty access group. Presumably no group restriction is
  # applied to this app; confirm in the module.
  app_access_group_id = ""

  # Two exact-match callbacks: the public hostname and a second one under
  # the "feeds.fuku" name.
  redirect_uris = [
    { matching_mode = "strict", url = "https://feeds.roboces.dev/oauth2/oidc/callback" },
    { matching_mode = "strict", url = "https://feeds.fuku/oauth2/oidc/callback" }
  ]

  sub_mode = "hashed_user_id"
}
# OIDC application for Portainer. Access is bound to the superuser group,
# which fits a tool that controls containers on the host.
module "portainer" {
  source = "../modules/authentik-oidc"

  app_name        = "Portainer"
  app_slug        = "portainer"
  app_description = "Kubernetes and Docker container Management Software"
  app_publisher   = "Portainer"
  app_icon        = "https://www.portainer.io/hubfs/crane-icon.svg"
  app_url         = "https://containers.fukurokuju.dev/"

  client_id     = var.portainer_client_id
  client_secret = var.portainer_client_secret

  app_access_group_id = authentik_group.admins.id

  # Exact-match callback on the application root.
  redirect_uris = [
    { matching_mode = "strict", url = "https://containers.fukurokuju.dev/" }
  ]

  sub_mode = "hashed_user_id"
}
# OIDC application for the Paperless document manager.
module "paperless" {
  source = "../modules/authentik-oidc"

  app_name        = "Paperless"
  app_slug        = "paperless"
  app_description = "Document manager"
  app_publisher   = "Paperless"
  app_icon        = "https://paperless.roboces.dev/favicon.ico"
  app_url         = "https://paperless.roboces.dev"

  client_id     = var.paperless_client_id
  client_secret = var.paperless_client_secret

  # NOTE(review): empty access group on an app that holds personal documents.
  # Presumably any authentik user can reach it; confirm that is intended.
  app_access_group_id = ""

  redirect_uris = [
    {
      matching_mode = "strict"
      url           = "https://paperless.roboces.dev/accounts/oidc/authentik/login/callback/"
    }
  ]

  # sub_mode is not set here, so the module's default applies.
}
# Proxy-provider application in front of Sonarr, limited to the "arrs" group.
module "sonarr" {
  source = "../modules/authentik-proxy"

  app_name = "Sonarr"
  app_slug = "sonarr"
  app_icon = "https://sonarr.tv/img/logo.png"
  app_url  = "https://sonarr.fukurokuju.dev"

  app_access_group_id = authentik_group.arrs.id

  # The upstream is plain HTTP on a LAN address, so the hop from the proxy to
  # the backend is unencrypted and the validation flag below has no TLS
  # certificate to check. Revisit the flag if the upstream moves to https.
  # NOTE(review): the backend port should not be reachable except through
  # the proxy, otherwise authentik is bypassed.
  internal_host                = "http://192.168.1.3:38013/"
  internal_host_ssl_validation = false
}
# Proxy-provider application in front of Radarr, limited to the "arrs" group.
module "radarr" {
  source = "../modules/authentik-proxy"

  app_name = "Radarr"
  app_slug = "radarr"
  app_icon = "https://radarr.video/img/background/logo.png"
  app_url  = "https://radarr.fukurokuju.dev"

  app_access_group_id = authentik_group.arrs.id

  # Plain-HTTP upstream on the LAN: the validation flag is moot while the
  # scheme is http, and the proxy-to-backend hop is unencrypted.
  internal_host                = "http://192.168.1.3:38012/"
  internal_host_ssl_validation = false
}
# Proxy-provider application in front of Lidarr, limited to the "arrs" group.
module "lidarr" {
  source = "../modules/authentik-proxy"

  app_name = "Lidarr"
  app_slug = "lidarr"
  app_icon = "https://lidarr.audio/img/background/logo.png"
  app_url  = "https://lidarr.fukurokuju.dev"

  app_access_group_id = authentik_group.arrs.id

  # Plain-HTTP upstream on the LAN: the validation flag is moot while the
  # scheme is http, and the proxy-to-backend hop is unencrypted.
  internal_host                = "http://192.168.1.3:38010/"
  internal_host_ssl_validation = false
}
# Proxy-provider application in front of qBit, limited to the "arrs" group.
# No app_icon is passed, so the module's default applies.
module "qbit" {
  source = "../modules/authentik-proxy"

  app_name = "qBit"
  app_slug = "qbit"
  app_url  = "https://qbit.fukurokuju.dev"

  app_access_group_id = authentik_group.arrs.id

  # Plain-HTTP upstream on the LAN: the validation flag is moot while the
  # scheme is http, and the proxy-to-backend hop is unencrypted.
  internal_host                = "http://192.168.1.3:30024"
  internal_host_ssl_validation = false
}
# Proxy-provider application in front of Prowlarr. Unlike the other *arr
# apps in this file it is bound to the superuser group, not to "arrs".
module "prowlarr" {
  source = "../modules/authentik-proxy"

  app_name = "Prowlarr"
  app_slug = "prowlarr"
  app_url  = "https://prowlarr.fukurokuju.dev"

  app_access_group_id = authentik_group.admins.id

  # Plain-HTTP upstream on the LAN: the validation flag is moot while the
  # scheme is http, and the proxy-to-backend hop is unencrypted.
  internal_host                = "http://192.168.1.3:38014"
  internal_host_ssl_validation = false
}
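# OIDC application for SFTPGo, a confidential client limited to the "ftp" group.
module "sftpgo" {
  source = "../modules/authentik-oidc"

  app_name        = "SFTPGo"
  app_slug        = "SFTPGo"
  app_description = "SFTPGo"
  app_icon        = "https://ftp.fukurokuju.dev/static/img/logo.png"
  app_url         = "https://ftp.fukurokuju.dev"

  client_id     = var.sftpgo_client_id
  client_secret = var.sftpgo_client_secret
  client_type   = "confidential"

  app_access_group_id = authentik_group.ftp.id

  # Regex-mode redirect URI. The dots in the host are escaped and the pattern
  # is anchored: an unescaped "." matches any character, so the earlier
  # pattern also accepted look-alike hosts such as "ftp-fukurokuju.dev".
  # The path stays open ("/.*"), as before.
  # NOTE(review): a strict entry with SFTPGo's exact callback path would be
  # tighter still; assumes the module passes `url` through unchanged.
  redirect_uris = [
    {
      matching_mode = "regex"
      url           = "^https://ftp\\.fukurokuju\\.dev/.*$"
    }
  ]

  extra_property_mappings = []

  # NOTE(review): 10-day access tokens are long-lived; a leaked token stays
  # usable for that whole window unless it is revoked.
  access_token_validity = "days=10"

  # `sub` is the username. NOTE(review): if usernames can be changed or
  # reused in authentik, the account mapping on the SFTPGo side follows the
  # name, not the person; confirm this is acceptable.
  sub_mode = "user_username"
}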
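# OIDC application for NetBird, a public client (no client secret) limited
# to the "vpn" group.
module "netbird" {
  source = "../modules/authentik-oidc"

  app_name = "netbird"
  app_slug = "netbird"
  app_icon = "https://vpn.fukurokuju.dev/apple-icon.png"

  client_id   = var.netbird_client_id
  client_type = "public"
  # Public clients have no secret; the module still expects the argument.
  client_secret = ""

  app_access_group_id = authentik_group.vpn.id

  # For a public client the redirect-URI allowlist is the main control over
  # where authorization codes are delivered, so the regex entry is kept tight.
  redirect_uris = [
    {
      matching_mode = "strict"
      url           = "https://vpn.fukurokuju.dev"
    },
    {
      # Was "https://vpn.fukurokuju.dev.*": with unescaped dots and the
      # wildcard directly after the host, that pattern also matched other
      # hosts (for example "https://vpn.fukurokuju.dev.<other-domain>/").
      # Now: exact host, then nothing or a path starting with "/".
      # Assumes the module passes `url` through unchanged.
      matching_mode = "regex"
      url           = "^https://vpn\\.fukurokuju\\.dev(/.*)?$"
    },
    {
      # Loopback callback for the local client's login flow.
      matching_mode = "strict"
      url           = "http://localhost:53000"
    },
  ]

  sub_mode = "user_id"

  # Adds the authentik API scope to tokens issued for this client.
  # NOTE(review): combined with the 10-day token lifetime below, a leaked
  # token gives long-lived API access with the user's permissions; confirm
  # both are required by the integration.
  extra_property_mappings = [
    "goauthentik.io/providers/oauth2/scope-authentik_api"
  ]

  access_token_validity = "days=10"
}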
# OIDC application for rustical at cal.roboces.dev. Only the required
# arguments are passed; icon, URL, description and sub_mode fall back to the
# module's defaults.
module "rustical" {
  source = "../modules/authentik-oidc"

  app_name = "rustical"
  app_slug = "rustical"

  client_id     = var.rustical_client_id
  client_secret = var.rustical_client_secret

  # NOTE(review): empty access group. Presumably no group restriction is
  # applied, so any authentik user could sign in; confirm in the module.
  app_access_group_id = ""

  # A single exact-match callback.
  redirect_uris = [
    {
      matching_mode = "strict"
      url           = "https://cal.roboces.dev/frontend/login/oidc/callback"
    }
  ]
}