authentik yay

2025-09-07 00:11:16 +02:00 · 2025-09-07 00:11:16 +02:00 · f2fcbfb679
commit f2fcbfb679
parent d3a93fd115
34 changed files with 612 additions and 363 deletions
--- a/modules/services/authentik/provider.nix
+++ b/modules/services/authentik/provider.nix
@ -6,6 +6,7 @@ let

  authorizationFlow = tfRef "data.authentik_flow.default-authorization-flow.id";
  authenticationFlow = tfRef "data.authentik_flow.default-authentication-flow.id";
+  invalidationFlow = tfRef "data.authentik_flow.default-provider-invalidation-flow.id";
  genApp = provider: n: v: {
    protocol_provider = provider;
    slug = n;
@ -25,29 +26,34 @@ in
    oauthApps = mkOption { type = types.attrs; };
    proxyApps = mkOption { type = types.attrs; };
    ldapApps = mkOption { type = types.attrs; };
+    url = mkOption { type = types.str; };
+    insecure = mkOption { type = types.bool; };

  };
  config = {
    terraform.backend.local.path = config.stateFile;
-    provider.authentik = { };
+    terraform.required_providers.authentik.source = "goauthentik/authentik";
    data.authentik_flow."default-authorization-flow" = {
      slug = "default-provider-authorization-implicit-consent";
    };
    data."authentik_flow"."default-authentication-flow" = {
      slug = "default-authentication-flow";
    };
+    data."authentik_flow"."default-provider-invalidation-flow" = {
+      slug = "default-provider-invalidation-flow";
+    };
    resource.authentik_outpost.proxy = {
      name = "proxy";
      type = "proxy";
      protocol_providers = mapAttrsToList (
-        n: v: (tfRef "authentik_provider_proxy.${n}.id")
+        n: v: (tfRef "resource.authentik_provider_proxy.${n}.id")
      ) config.proxyApps;
    };
    resource.authentik_outpost.ldap = {
      name = "ldap";
      type = "ldap";
      protocol_providers = mapAttrsToList (
-        n: v: (tfRef "authentik_provider_ldap.${n}.id")
+        n: v: (tfRef "resource.authentik_provider_ldap.${n}.id")
      ) config.ldapApps;
    };

@ -55,6 +61,7 @@ in
      name = n;
      client_id = n;
      authorization_flow = authorizationFlow;
+      invalidation_flow = invalidationFlow;
    }) config.oauthApps;
    data.authentik_provider_oauth2_config = mapAttrs (n: v: {
      provider_id = tfRef "resource.authentik_provider_oauth2.${n}.id";
@ -62,19 +69,23 @@ in

    resource.authentik_provider_proxy = mapAttrs (n: v: {
      name = n;
-      mode = "forward-single";
+      mode = "forward_single";
      external_host = v.externalHost;
      authorization_flow = authorizationFlow;
+      invalidation_flow = invalidationFlow;
    }) config.proxyApps;
    resource.authentik_provider_ldap = mapAttrs (n: v: {
      name = n;
      base_dn = "dc=ldap,dc=goauthentik,dc=io";
      bind_flow = authenticationFlow;
+      unbind_flow = invalidationFlow;
    }) config.ldapApps;
+
    output =
      (mapAttrs' (
        n: v:
        nameValuePair ("${n}_environment") ({
+          sensitive = true;
          value =
            let
              val = val: tfRef "resource.authentik_provider_oauth2.${n}.${val}";
@ -90,10 +101,39 @@ in
        })
      ) config.oauthApps)
      // {
-        proxy_config.value = tfRef "resource.authentik_outpost.proxy.config";
-        ldap_config.value = tfRef "resource.authentik_outpost.ldap.config";
+        proxy_config.sensitive = true;
+        proxy_config.value = ''
+          AUTHENTIK_HOST=http://localhost:9000
+          AUTHENTIK_HOST_BROWSER=${config.url}
+          AUTHENTIK_TOKEN=${tfRef "resource.authentik_token.proxy_outpost.key"}
+        '';
+        ldap_config.sensitive = true;
+        ldap_config.value = ''
+          AUTHENTIK_HOST=http://localhost:9000
+          AUTHENTIK_HOST_BROWSER=${config.url}
+          AUTHENTIK_TOKEN=${tfRef "resource.authentik_token.ldap_outpost.key"}
+        '';
      };

+    data.authentik_user."proxy" = {
+      username = "ak-outpost-${tfRef ''replace(resource.authentik_outpost.proxy.id,"-","")''}";
+    };
+    data.authentik_user."ldap" = {
+      username = "ak-outpost-${tfRef ''replace(resource.authentik_outpost.ldap.id,"-","")''}";
+    };
+    resource.authentik_token."proxy_outpost" = {
+      identifier = "proxy-outpost-token";
+      user = tfRef "data.authentik_user.proxy.id";
+      expiring = false;
+      retrieve_key = true;
+    };
+    resource.authentik_token."ldap_outpost" = {
+      identifier = "ldap-outpost-token";
+      user = tfRef "data.authentik_user.ldap.id";
+      expiring = false;
+      retrieve_key = true;
+    };
+
    resource.authentik_application = mkMerge [
      (mapAttrs (n: v: genApp (tfRef "authentik_provider_oauth2.${n}.id") n v) config.oauthApps)
      (mapAttrs (n: v: genApp (tfRef "authentik_provider_proxy.${n}.id") n v) config.proxyApps)
@ -122,7 +162,7 @@ in
      let
        genEnts =
          apps:
-          lib.flatten (
+          flatten (
            mapAttrsToList (
              n: v:
              (map (g: {
@ -135,10 +175,6 @@ in
            ) apps
          );
      in
-      mkMerge [
-        (genEnts config.oauthApps)
-        (genEnts config.proxyApps)
-        (genEnts config.ldapApps)
-      ];
+      mkMerge ((genEnts config.oauthApps) ++ (genEnts config.proxyApps) ++ (genEnts config.ldapApps));
  };
 }