aaaaa

2025-08-26 00:58:27 +02:00 · 2025-08-26 00:58:27 +02:00 · d3a93fd115
commit d3a93fd115
parent 414e830efa
35 changed files with 1832 additions and 228 deletions
--- a/modules/services/authentik/provider.nix
+++ b/modules/services/authentik/provider.nix
@ -0,0 +1,144 @@
+{ lib, config, ... }:
+with lib;
+let
+
+  # { ldapApps = { appName = { name = str?; group = str?; meta_desc = str?; meta_icon = str?; meta_launch_url = str?; meta_publisher = str?;  }; }; oauthApps = { appName = {}; ] }; proxyApps = { appName = { externalHost = "";  }; };  }
+
+  authorizationFlow = tfRef "data.authentik_flow.default-authorization-flow.id";
+  authenticationFlow = tfRef "data.authentik_flow.default-authentication-flow.id";
+  genApp = provider: n: v: {
+    protocol_provider = provider;
+    slug = n;
+    inherit (v)
+      name
+      group
+      meta_description
+      meta_icon
+      meta_launch_url
+      meta_publisher
+      ;
+  };
+in
+{
+  options = {
+    stateFile = mkOption { type = types.str; };
+    oauthApps = mkOption { type = types.attrs; };
+    proxyApps = mkOption { type = types.attrs; };
+    ldapApps = mkOption { type = types.attrs; };
+
+  };
+  config = {
+    terraform.backend.local.path = config.stateFile;
+    provider.authentik = { };
+    data.authentik_flow."default-authorization-flow" = {
+      slug = "default-provider-authorization-implicit-consent";
+    };
+    data."authentik_flow"."default-authentication-flow" = {
+      slug = "default-authentication-flow";
+    };
+    resource.authentik_outpost.proxy = {
+      name = "proxy";
+      type = "proxy";
+      protocol_providers = mapAttrsToList (
+        n: v: (tfRef "authentik_provider_proxy.${n}.id")
+      ) config.proxyApps;
+    };
+    resource.authentik_outpost.ldap = {
+      name = "ldap";
+      type = "ldap";
+      protocol_providers = mapAttrsToList (
+        n: v: (tfRef "authentik_provider_ldap.${n}.id")
+      ) config.ldapApps;
+    };
+
+    resource.authentik_provider_oauth2 = mapAttrs (n: v: {
+      name = n;
+      client_id = n;
+      authorization_flow = authorizationFlow;
+    }) config.oauthApps;
+    data.authentik_provider_oauth2_config = mapAttrs (n: v: {
+      provider_id = tfRef "resource.authentik_provider_oauth2.${n}.id";
+    }) config.oauthApps;
+
+    resource.authentik_provider_proxy = mapAttrs (n: v: {
+      name = n;
+      mode = "forward-single";
+      external_host = v.externalHost;
+      authorization_flow = authorizationFlow;
+    }) config.proxyApps;
+    resource.authentik_provider_ldap = mapAttrs (n: v: {
+      name = n;
+      base_dn = "dc=ldap,dc=goauthentik,dc=io";
+      bind_flow = authenticationFlow;
+    }) config.ldapApps;
+    output =
+      (mapAttrs' (
+        n: v:
+        nameValuePair ("${n}_environment") ({
+          value =
+            let
+              val = val: tfRef "resource.authentik_provider_oauth2.${n}.${val}";
+              cfgVal = val: tfRef "data.authentik_provider_oauth2_config.${n}.${val}";
+            in
+            ''
+              CLIENT_ID=${val "client_id"}
+              CLIENT_SECRET=${val "client_secret"}
+              USER_INFO_URL=${cfgVal "user_info_url"}
+              TOKEN_URL=${cfgVal "token_url"}
+              AUTHORIZE_URL=${cfgVal "authorize_url"}
+            '';
+        })
+      ) config.oauthApps)
+      // {
+        proxy_config.value = tfRef "resource.authentik_outpost.proxy.config";
+        ldap_config.value = tfRef "resource.authentik_outpost.ldap.config";
+      };
+
+    resource.authentik_application = mkMerge [
+      (mapAttrs (n: v: genApp (tfRef "authentik_provider_oauth2.${n}.id") n v) config.oauthApps)
+      (mapAttrs (n: v: genApp (tfRef "authentik_provider_proxy.${n}.id") n v) config.proxyApps)
+      (mapAttrs (n: v: genApp (tfRef "authentik_provider_ldap.${n}.id") n v) config.ldapApps)
+    ];
+
+    # group stuff
+    resource.authentik_group.admin = {
+      name = "admin";
+    };
+    resource.authentik_application_entitlement =
+      let
+        genEnts =
+          apps:
+          mapAttrs (n: v: {
+            name = "${n}-ent";
+            application = tfRef "authentik_application.${n}.uuid";
+          }) (filterAttrs (n: v: (builtins.length v.groups) > 0) apps);
+      in
+      mkMerge [
+        (genEnts config.oauthApps)
+        (genEnts config.proxyApps)
+        (genEnts config.ldapApps)
+      ];
+    resource.authentik_policy_binding =
+      let
+        genEnts =
+          apps:
+          lib.flatten (
+            mapAttrsToList (
+              n: v:
+              (map (g: {
+                "${n}-${g}-access" = {
+                  target = tfRef "authentik_application_entitlement.${n}.uuid";
+                  group = tfRef "authentik_group.${g}.id";
+                  order = 0;
+                };
+              }) v.groups)
+            ) apps
+          );
+      in
+      mkMerge [
+        (genEnts config.oauthApps)
+        (genEnts config.proxyApps)
+        (genEnts config.ldapApps)
+      ];
+  };
+}