authentik: add vpgen group, change default enrollment group to vpgen

2024-12-31 18:09:23 -08:00 · 2024-12-31 18:09:23 -08:00 · 278839fdba
commit 278839fdba
parent 2b265620d4
5 changed files with 10 additions and 4 deletions
--- a/group_vars/alpina/vars.yml
+++ b/group_vars/alpina/vars.yml
@ -10,7 +10,6 @@ traefik_subnet: 172.16.122.0
 # Authentik
 authentik_db_password: "{{ vault_authentik_db_password }}"
 authentik_secret_key: "{{ vault_authentik_secret_key }}"
-
 authentik_sendgrid_api_key: "{{ vault_authentik_sendgrid_api_key }}"

 auth_grafana_client_secret: "{{ vault_auth_grafana_client_secret }}"
@ -20,6 +19,8 @@ auth_nextcloud_client_secret: "{{ vault_auth_nextcloud_client_secret }}"
 arrstack_password: "{{ vault_arrstack_password }}"
 auth_vpgen_client_secret: "{{ vault_auth_vpgen_client_secret }}"

+auth_default_enrollment_group: vpgen
+
 # Minio
 minio_password: "{{ vault_minio_password }}"

--- a/roles/alpina/templates/services/authentik/blueprints/alpina-enrollment-internal.yaml.j2
+++ b/roles/alpina/templates/services/authentik/blueprints/alpina-enrollment-internal.yaml.j2
@ -93,7 +93,7 @@ entries:
    id: enrollment-user-write
    attrs:
      user_type: internal
-      create_users_group: !Find [authentik_core.group, [name, users]]
+      create_users_group: !Find [authentik_core.group, [name, {{ auth_default_enrollment_group }}]]
  - identifiers:
      name: alpina-enrollment-email-verify
    model: authentik_stages_email.emailstage
--- a/roles/alpina/templates/services/authentik/blueprints/alpina-groups.yaml.j2
+++ b/roles/alpina/templates/services/authentik/blueprints/alpina-groups.yaml.j2
@ -38,3 +38,8 @@ entries:
        return {
          "policy": policy,
        }
+
+  - identifiers:
+      name: "vpgen"
+    model: authentik_core.group
+    id: "vpgen"
--- a/roles/alpina/templates/services/authentik/blueprints/alpina-oauth-sources.yaml.j2
+++ b/roles/alpina/templates/services/authentik/blueprints/alpina-oauth-sources.yaml.j2
@ -76,4 +76,4 @@ entries:
    model: authentik_stages_user_write.userwritestage
    attrs:
      user_type: internal
-      create_users_group: !Find [authentik_core.group, [name, users]]
+      create_users_group: !Find [authentik_core.group, [name, {{ auth_default_enrollment_group }}]]
--- a/roles/alpina/templates/services/authentik/blueprints/apps-oauth2.yaml.j2
+++ b/roles/alpina/templates/services/authentik/blueprints/apps-oauth2.yaml.j2
@ -38,7 +38,7 @@ entries:
      "icon": "https://vpgen."~ domain ~"/favicon.png",
      "client_secret": auth_vpgen_client_secret,
      "ui_group": "Apps",
-      "allowed_for_groups": ["admins", "users"],
+      "allowed_for_groups": ["admins", "users", "vpgen"],
    },
  } -%}
  {% for app in apps.keys() -%}