add authentik blueprints for partly automated configuration

2023-04-01 19:33:59 -07:00
parent de566c0395
commit 7e94d27824
10 changed files with 202 additions and 8 deletions
--- a/roles/arrstack/templates/docker-compose.yml.j2
+++ b/roles/arrstack/templates/docker-compose.yml.j2
@@ -14,7 +14,7 @@ services:
    cap_add:
      - NET_ADMIN
    labels:
-      - {{ traefik_labels("qbit", port="8080") | indent(6) }}
+      - {{ traefik_labels("qbit", port="8080", auth=true) | indent(6) }}
    restart: unless-stopped
    networks:
      - default
@@ -31,7 +31,7 @@ services:
    image: linuxserver/prowlarr:latest
    container_name: prowlarr
    labels:
-      - {{ traefik_labels("prowlarr", port="9696") | indent(6) }}
+      - {{ traefik_labels("prowlarr", port="9696", auth=true) | indent(6) }}
    restart: unless-stopped
    depends_on:
      - qbittorrent
@@ -45,7 +45,7 @@ services:
    image: linuxserver/sonarr:latest
    container_name: sonarr
    labels:
-      - {{ traefik_labels("sonarr", port="8989") | indent(6) }}
+      - {{ traefik_labels("sonarr", port="8989", auth=true) | indent(6) }}
    restart: unless-stopped
    depends_on:
      - qbittorrent
@@ -61,7 +61,7 @@ services:
    image: linuxserver/radarr:latest
    container_name: radarr
    labels:
-      - {{ traefik_labels("radarr", port="7878") | indent(6) }}
+      - {{ traefik_labels("radarr", port="7878", auth=true) | indent(6) }}
    restart: unless-stopped
    depends_on:
      - qbittorrent
--- a/roles/authentik/templates/blueprints/apps-oauth2.yaml.j2
+++ b/roles/authentik/templates/blueprints/apps-oauth2.yaml.j2
@@ -0,0 +1,51 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: Alpina - OAuth2 Apps
+entries:
+  {% set apps = {
+    "Gitea": {
+      "redirect_uris": "https://gitea."~ domain ~"/user/oauth2/Authentik/callback",
+      "icon": "https://gitea."~ domain ~"/assets/img/logo.svg",
+    },
+    "Nextcloud": {
+      "redirect_uris": "https://nc."~ domain ~"/apps/sociallogin/custom_oidc/authentik",
+      "icon": "https://nc."~ domain ~"/apps/theming/favicon",
+    },
+  } -%}
+  {% for app in apps.keys() -%}
+  - identifiers:
+      name: {{ app }}
+    model: authentik_providers_oauth2.oauth2provider
+    id: {{ app | lower }}
+    attrs:
+      access_code_validity: minutes=1
+      access_token_validity: minutes=5
+      authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+      client_type: confidential
+      issuer_mode: per_provider
+      sub_mode: hashed_user_id
+      property_mappings:
+        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
+        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
+        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+      redirect_uris: {{ apps[app]["redirect_uris"] }}
+      refresh_token_validity: days=30
+      signing_key: !Find [authentik_crypto.certificatekeypair, [name, "authentik Self-signed Certificate"]]
+
+  - identifiers:
+      slug: {{ app | lower }}
+    model: authentik_core.application
+    id: {{ app | lower }}
+    attrs:
+      name: {{ app }}
+      group: "Apps"
+      meta_description: "Hello, I'm {{ app }}!"
+      meta_publisher: Alpina
+      # This isn't supported yet, https://github.com/goauthentik/authentik/issues/3484
+      # meta_icon: "{{ apps[app]["icon"] }}"
+      open_in_new_tab: true
+      policy_engine_mode: any
+      provider: !KeyOf {{ app | lower }}
+  {% endfor %}
--- a/roles/authentik/templates/blueprints/arrstack.yaml.j2
+++ b/roles/authentik/templates/blueprints/arrstack.yaml.j2
@@ -0,0 +1,65 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: Alpina - Arrstack Proxy
+entries:
+  - identifiers:
+      name: arrstack
+    model: authentik_core.group
+    id: arrstack
+
+  {% for service in ["qBit", "Prowlarr", "Sonarr", "Radarr"] -%}
+  - identifiers:
+      name: {{ service }}
+    model: authentik_providers_proxy.proxyprovider
+    id: {{ service | lower }}
+    attrs:
+      access_token_validity: hours=24
+      authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+      certificate: !Find [authentik_crypto.certificatekeypair, [name, "authentik Self-signed Certificate"]]
+      intercept_header_auth: true
+      external_host: https://{{ service | lower }}.{{ domain }}/
+      mode: forward_single
+      property_mappings:
+        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
+        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
+        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, ak_proxy]]
+      refresh_token_validity: days=30
+      skip_path_regex: {{ "/images/qbittorrent-tray.svg" if service == "qBit" else "/Content/Images/logo.svg" }}
+
+  - identifiers:
+      slug: {{ service | lower }}
+    model: authentik_core.application
+    id: {{ service | lower }}
+    attrs:
+      name: {{ service }}
+      group: "Arrstack"
+      meta_description: "Hello, I'm {{ service }}!"
+      meta_publisher: Alpina
+      # This isn't supported yet, https://github.com/goauthentik/authentik/issues/3484
+      # meta_icon: "https://{{ service }}.{{ domain }}/Content/Images/logo.svg"
+      open_in_new_tab: true
+      policy_engine_mode: any
+      provider: !KeyOf {{ service | lower }}
+
+  - identifiers:
+      group: !KeyOf arrstack
+      target: !Find [authentik_core.application, [slug, {{ service | lower }}]]
+    model: authentik_policies.policybinding
+    attrs:
+      enabled: true
+      order: 0
+      timeout: 30
+  {% endfor %}
+
+  - identifiers:
+      managed: goauthentik.io/outposts/embedded
+      name: authentik Embedded Outpost
+    model: authentik_outposts.outpost
+    attrs:
+      providers:
+      {% for service in ["qBit", "Prowlarr", "Sonarr", "Radarr"] -%}
+        - !KeyOf {{ service | lower }}
+      {% endfor %}
--- a/roles/authentik/templates/blueprints/default-authentication.yaml.j2
+++ b/roles/authentik/templates/blueprints/default-authentication.yaml.j2
@@ -0,0 +1,19 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: Alpina - Default Identification Stage
+entries:
+  - identifiers:
+      name: default-authentication-identification
+    model: authentik_stages_identification.identificationstage
+    attrs:
+      sources:
+        - !Find [authentik_core.source, [slug, authentik-built-in]]
+        - !Find [authentik_sources_oauth.oauthsource, [slug, github]]
+
+  - identifiers:
+      slug: default-authentication-flow
+    model: authentik_flows.flow
+    attrs:
+      compatibility_mode: true
--- a/roles/authentik/templates/blueprints/github-oauth.yaml.j2
+++ b/roles/authentik/templates/blueprints/github-oauth.yaml.j2
@@ -0,0 +1,25 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: Alpina - GitHub OAuth
+entries:
+  - identifiers:
+      slug: github
+    model: authentik_sources_oauth.oauthsource
+    attrs:
+      name: GitHub
+      slug: github
+      access_token_url: https://github.com/login/oauth/access_token
+      additional_scopes: openid read:org
+      authentication_flow: !Find [authentik_flows.flow, [slug, default-source-authentication]]
+      authorization_url: https://github.com/login/oauth/authorize
+      consumer_key: {{ github_consumer_key }}
+      consumer_secret: {{ github_consumer_secret }}
+      enabled: true
+      enrollment_flow: !Find [authentik_flows.flow, [slug, default-source-enrollment]]
+      policy_engine_mode: any
+      profile_url: https://api.github.com/user
+      provider_type: github
+      user_matching_mode: email_link
+      user_path_template: goauthentik.io/sources/%(slug)s
--- a/roles/authentik/templates/docker-compose.yml.j2
+++ b/roles/authentik/templates/docker-compose.yml.j2
@@ -13,6 +13,9 @@ services:
    container_name: authentik_server
    labels:
      - {{ traefik_labels("auth", port="9000") | indent(6) }}
+      - traefik.http.middlewares.authentik.forwardauth.address=http://authentik_server:9000/outpost.goauthentik.io/auth/traefik
+      - traefik.http.middlewares.authentik.forwardauth.trustForwardHeader=true
+      - traefik.http.middlewares.authentik.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version
    restart: unless-stopped
    command: server
    env_file:
@@ -29,6 +32,7 @@ services:
    env_file:
      - .env.authentik
    volumes:
+      - ./blueprints:/blueprints/alpina
      - {{ base_volume_path }}/authentik/certs:/certs

  postgres: