add authentik [ci skip]

2024-11-12 20:20:10 +00:00 · 2024-11-12 20:20:10 +00:00 · cb3ec53d41
commit cb3ec53d41
parent 16cd13abc3
6 changed files with 96 additions and 0 deletions
--- a/main.tf
+++ b/main.tf
@ -76,6 +76,8 @@ variable "nextcloud_db_password" {}
 variable "homepage_credentials" {
  type = map(any)
 }
+variable "authentik_secret_key" {}
+variable "authentik_postgres_password" {}

 variable "ansible_prefix" {
  default     = "ANSIBLE_VAULT_PASSWORD_FILE=~/.ansible/vault_pass.txt ansible-playbook -i playbook/hosts.yaml playbook/linux.yml -t linux/initial_setup"
@ -365,6 +367,9 @@ module "kubernetes_cluster" {

  nextcloud_db_password = var.nextcloud_db_password
  homepage_credentials  = var.homepage_credentials
+
+  authentik_secret_key        = var.authentik_secret_key
+  authentik_postgres_password = var.authentik_postgres_password
 }


--- a/modules/kubernetes/authentik/main.tf
+++ b/modules/kubernetes/authentik/main.tf
@ -0,0 +1,64 @@
+variable "tls_secret_name" {}
+variable "secret_key" {}
+variable "postgres_password" {}
+
+
+module "tls_secret" {
+  source          = "../setup_tls_secret"
+  namespace       = "authentik"
+  tls_secret_name = var.tls_secret_name
+}
+
+resource "kubernetes_namespace" "authentik" {
+  metadata {
+    name = "authentik"
+  }
+}
+
+resource "helm_release" "authentik" {
+  namespace        = "authentik"
+  create_namespace = true
+  name             = "goauthentik"
+
+  repository = "https://charts.goauthentik.io/"
+  chart      = "authentik"
+  version    = "2024.10.1"
+  atomic     = true
+  timeout    = 6000
+
+  values = [templatefile("${path.module}/values.yaml", { postgres_password = var.postgres_password, secret_key = var.secret_key })]
+}
+
+
+resource "kubernetes_ingress_v1" "authentik" {
+  metadata {
+    name      = "authentik"
+    namespace = "authentik"
+    annotations = {
+      "kubernetes.io/ingress.class" = "nginx"
+    }
+  }
+
+  spec {
+    tls {
+      hosts       = ["authentik.viktorbarzin.me"]
+      secret_name = var.tls_secret_name
+    }
+    rule {
+      host = "authentik.viktorbarzin.me"
+      http {
+        path {
+          path = "/"
+          backend {
+            service {
+              name = "goauthentik-server"
+              port {
+                number = 80
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
--- a/modules/kubernetes/authentik/values.yaml
+++ b/modules/kubernetes/authentik/values.yaml
@ -0,0 +1,18 @@
+authentik:
+  secret_key: "${secret_key}"
+  # This sends anonymous usage-data, stack traces on errors and
+  # performance data to authentik.error-reporting.a7k.io, and is fully opt-in
+  error_reporting:
+    enabled: true
+  postgresql:
+    host: postgresql.dbaas.svc.cluster.local
+    user: authentik
+    password: ${postgres_password}
+  redis:
+    host: redis.redis.svc.cluster.local
+
+server:
+  ingress:
+    enabled: false
+    # hosts:
+    #   - authentik.viktorbarzin.me
--- a/modules/kubernetes/main.tf
+++ b/modules/kubernetes/main.tf
@ -61,6 +61,8 @@ variable "diun_nfty_token" {}
 variable "docker_config" {}
 variable "nextcloud_db_password" {}
 variable "homepage_credentials" {}
+variable "authentik_secret_key" {}
+variable "authentik_postgres_password" {}

 resource "null_resource" "core_services" {
  # List all the core modules that must be provisioned first
@ -512,3 +514,10 @@ module "matrix" {
  source          = "./matrix"
  tls_secret_name = var.tls_secret_name
 }
+
+module "authentik" {
+  source            = "./authentik"
+  tls_secret_name   = var.tls_secret_name
+  secret_key        = var.authentik_secret_key
+  postgres_password = var.authentik_postgres_password
+}
--- a/terraform.tfstate
+++ b/terraform.tfstate
--- a/terraform.tfvars
+++ b/terraform.tfvars