diff --git a/main.tf b/main.tf
index dc0526f9..850ceabe 100644
--- a/main.tf
+++ b/main.tf
@@ -76,6 +76,8 @@ variable "nextcloud_db_password" {}
 variable "homepage_credentials" { type = map(any) }
+variable "authentik_secret_key" {}
+variable "authentik_postgres_password" {}
 variable "ansible_prefix" {
 default = "ANSIBLE_VAULT_PASSWORD_FILE=~/.ansible/vault_pass.txt ansible-playbook -i playbook/hosts.yaml playbook/linux.yml -t linux/initial_setup"
@@ -365,6 +367,9 @@ module "kubernetes_cluster" {
 nextcloud_db_password = var.nextcloud_db_password
 homepage_credentials = var.homepage_credentials
+
+ authentik_secret_key = var.authentik_secret_key
+ authentik_postgres_password = var.authentik_postgres_password
 }
diff --git a/modules/kubernetes/authentik/main.tf b/modules/kubernetes/authentik/main.tf
new file mode 100644
index 00000000..5da0d9c4
--- /dev/null
+++ b/modules/kubernetes/authentik/main.tf
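Review bot: The two new root variables `authentik_secret_key` and `authentik_postgres_password` are declared without `sensitive = true`, so their values are echoed in clear text in `terraform plan`/`apply` output and in any CI log that captures it. Marking them costs one attribute each: `variable "authentik_secret_key" { sensitive = true }` and `variable "authentik_postgres_password" { sensitive = true }`; the sensitivity then propagates to the `helm_release` values that consume them. This does not protect the state file, which still stores the values unencrypted — the `terraform.tfstate` committed in this same change must be encrypted at rest (the "Binary files differ" lines suggest a filter such as git-crypt is in place, but that is inferred, not visible in the diff).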
@@ -0,0 +1,64 @@
+variable "tls_secret_name" {}
+variable "secret_key" {}
+variable "postgres_password" {}
+
+ module "tls_secret" {
+ source = "../setup_tls_secret"
+ namespace = "authentik"
+ tls_secret_name = var.tls_secret_name
+}
+
+resource "kubernetes_namespace" "authentik" {
+ metadata {
+ name = "authentik"
+ }
+}
+
+resource "helm_release" "authentik" {
+ namespace = "authentik"
+ create_namespace = true
+ name = "goauthentik"
+
+ repository = "https://charts.goauthentik.io/"
+ chart = "authentik"
+ version = "2024.10.1"
+ atomic = true
+ timeout = 6000
+
+ values = [templatefile("${path.module}/values.yaml", { postgres_password = var.postgres_password, secret_key = var.secret_key })]
+}
+
+ resource "kubernetes_ingress_v1" "authentik" {
+ metadata {
+ name = "authentik"
+ namespace = "authentik"
+ annotations = {
+ "kubernetes.io/ingress.class" = "nginx"
+ }
+ }
+
+ spec {
+ tls {
+ hosts = ["authentik.viktorbarzin.me"]
+ secret_name = var.tls_secret_name
+ }
+ rule {
+ host = "authentik.viktorbarzin.me"
+ http {
+ path {
+ path = "/"
+ backend {
+ service {
+ name = "goauthentik-server"
+ port {
+ number = 80
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/modules/kubernetes/authentik/values.yaml b/modules/kubernetes/authentik/values.yaml
new file mode 100644
index 00000000..14ca606d
--- /dev/null
+++ b/modules/kubernetes/authentik/values.yaml
@@ -0,0 +1,18 @@
+authentik:
+ secret_key: "${secret_key}"
+ # This sends anonymous usage-data, stack traces on errors and
+ # performance data to authentik.error-reporting.a7k.io, and is fully opt-in
+ error_reporting:
+ enabled: true
+ postgresql:
+ host: postgresql.dbaas.svc.cluster.local
+ user: authentik
+ password: ${postgres_password}
+ redis:
+ host: redis.redis.svc.cluster.local
+
+server:
+ ingress:
+ enabled: false
+ # hosts:
+ # - authentik.viktorbarzin.me
diff --git a/modules/kubernetes/main.tf b/modules/kubernetes/main.tf
index 29bb1502..e7e46370 100644
--- a/modules/kubernetes/main.tf
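Review bot: `resource "kubernetes_namespace" "authentik"` and `helm_release.authentik` with `create_namespace = true` both create the `authentik` namespace, and nothing orders them — the release's `namespace = "authentik"` and the `tls_secret` module's `namespace = "authentik"` are literals, so Terraform may apply them in parallel on a fresh cluster and whichever runs second fails with "namespaces \"authentik\" already exists". Reference the resource instead and drop the Helm-side creation: `namespace = kubernetes_namespace.authentik.metadata[0].name` on the release and on the `tls_secret` module call (assuming `setup_tls_secret` does not create the namespace itself), and remove `create_namespace = true`. The module's `secret_key` and `postgres_password` variables should also be declared `variable "secret_key" { sensitive = true }` / `variable "postgres_password" { sensitive = true }`, since they are rendered into the release values by `templatefile` and would otherwise appear in plan output. Separately, `kubernetes.io/ingress.class` is the deprecated annotation form; `spec { ingress_class_name = "nginx" }` is the current equivalent and avoids the release silently losing its controller when the annotation stops being honoured.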
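Review bot: The secrets are interpolated into YAML as raw text — `password: ${postgres_password}` is unquoted, so a password beginning with `*`, `&`, `!`, `@` or `%`, or containing `: ` or ` #`, is mis-parsed or rejected by the chart's YAML parser, and `secret_key: "${secret_key}"` breaks on any `"` or `\` in the key. Rendering both through `jsonencode` produces a correctly escaped scalar in every case: `secret_key: ${jsonencode(secret_key)}` and `password: ${jsonencode(postgres_password)}`. Note also that `error_reporting.enabled: true` sends stack traces from the identity provider to the third-party endpoint named in the comment above it; for an IdP that is a deliberate disclosure decision, so either set it to `false` or add a one-line comment recording why it was accepted.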
+++ b/modules/kubernetes/main.tf
@@ -61,6 +61,8 @@ variable "diun_nfty_token" {}
 variable "docker_config" {}
 variable "nextcloud_db_password" {}
 variable "homepage_credentials" {}
+variable "authentik_secret_key" {}
+variable "authentik_postgres_password" {}
 resource "null_resource" "core_services" { # List all the core modules that must be provisioned first
@@ -512,3 +514,10 @@ module "matrix" {
 source = "./matrix"
 tls_secret_name = var.tls_secret_name
 }
+
+module "authentik" {
+ source = "./authentik"
+ tls_secret_name = var.tls_secret_name
+ secret_key = var.authentik_secret_key
+ postgres_password = var.authentik_postgres_password
+}
diff --git a/terraform.tfstate b/terraform.tfstate
index f982c192..e51f6bc9 100644
Binary files a/terraform.tfstate and b/terraform.tfstate differ
diff --git a/terraform.tfvars b/terraform.tfvars
index 5b402872..ede04619 100644
Binary files a/terraform.tfvars and b/terraform.tfvars differ
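Review bot: `module "authentik"` carries no `depends_on`, yet the release it installs points at `postgresql.dbaas.svc.cluster.local` and `redis.redis.svc.cluster.local`, and the `null_resource.core_services` visible in the earlier hunk exists, per its comment, to order modules after the core ones. If those databases are provisioned by this same configuration, the authentik `helm_release` (with `atomic = true` and `timeout = 6000`) can be applied before they exist, wait up to 100 minutes for pods that never become ready, and then roll back. Adding `depends_on = [null_resource.core_services]` to the module block — the pattern that resource's comment implies, though its other dependents are outside this hunk — makes the first apply deterministic. The module-level `authentik_secret_key` and `authentik_postgres_password` variables in the first hunk should also be marked `sensitive = true`, matching what the root variables need.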