authentik: add initial enrollment by invitation flow

.idea/jsonSchemas.xml

@@ -31,7 +31,7 @@
                 <list>
                   <Item>
                     <option name="directory" value="true" />
-                    <option name="path" value="roles/alpina/collections/services/authentik/templates/blueprints" />
+                    <option name="path" value="roles/alpina/templates/services/authentik/blueprints" />
                     <option name="mappingKind" value="Directory" />
                   </Item>
                 </list>

group_vars/alpina/vars.yml

@@ -14,13 +14,16 @@ authentik_secret_key: "{{ vault_authentik_secret_key }}"
 authentik_sendgrid_api_key: "{{ vault_authentik_sendgrid_api_key }}"
 
 auth_grafana_client_secret: "{{ vault_auth_grafana_client_secret }}"
+auth_minio_client_secret: "{{ vault_auth_minio_client_secret }}"
+auth_gitea_client_secret: "{{ vault_auth_gitea_client_secret }}"
+auth_nextcloud_client_secret: "{{ vault_auth_nextcloud_client_secret }}"
 arrstack_password: "{{ vault_arrstack_password }}"
+auth_vpgen_client_secret: "{{ vault_auth_vpgen_client_secret }}"
 
 # Minio
 minio_password: "{{ vault_minio_password }}"
 
 # Monitoring
-## auth_grafana_client_secret:
 influxdb_admin_password: "{{ vault_influxdb_admin_password }}"
 influxdb_admin_token: "{{ vault_influxdb_admin_token }}"
 
@@ -46,3 +49,15 @@ jwt_secret: "{{ vault_jwt_secret }}"
 nextcloud_db_password: "{{ vault_nextcloud_db_password }}"
 redis_password: "{{ vault_redis_password }}"
 nextcloud_sendgrid_api_key: "{{ vault_nextcloud_sendgrid_api_key }}"
+
+# VPGen
+vpgen_opnsense_api_url: https://opnsense.cazzzer.com
+vpgen_opnsense_api_key: "{{ vault_vpgen_opnsense_api_key }}"
+vpgen_opnsense_api_secret: "{{ vault_vpgen_opnsense_api_secret }}"
+vpgen_opnsense_wg_ifname: wg2
+
+vpgen_ipv6_client_prefix_size: 112
+vpgen_ip_max_index: 100
+vpgen_vpn_endpoint: "{{ vault_vpgen_vpn_endpoint }}"
+vpgen_vpn_dns: "{{ vault_vpgen_vpn_dns }}"
+vpgen_max_clients_per_user: 20

group_vars/alpina/vault.yml

@@ -1,88 +1,138 @@
 $ANSIBLE_VAULT;1.1;AES256
-36636236366435333738633465323539336231393239656538643863643233346563333836623335
-3136393936656261396434316232356338313838373666660a653464613833306133343232623864
-61666561336462376664363463313533353238623031613664353063396236343663643936303730
-6235646336306636360a653238633038306532613436633132363231613862383636313838623461
-32633366326136346435613232396632396365656138643361643139353430663637353565383664
-36623961663030653639316131376535363138343965636437653139646233613765323439393030
-31666137346339663162393836636638636431326232323461353661613062623032306130393965
-38313931313935666633343835303232333961633232623538383138366262663335323764323939
-32373333663834626633363265373632356439633862316562323565646530383534653338353165
-38396434353332623164346137383238343536303130616666643065306431656137303263323135
-34316662353031653932396239623733313037383935383762623136346636323434363231623161
-30393864353466643637316566663366363231373335663331323932663837626239663633663965
-66333531323861663130353531323339386566303630366236636135393439356634393732623033
-31336231363935633436363962316666666336303338313636386163313666636336343464336133
-33313730303961663632323435323963663530623265663664343735643061323332343265343431
-61363039333730623562363233373537633138663239313132336666313237373137353663326538
-32366130326635366433393434653735616132366264386461363063393265623765666461626366
-38636239376534653230663932393930343162333262643130633835343363613061623932363761
-64643164323335376565646137643763316562343565366462376162333633313737303465373362
-63343734633536353661353165346632666230616138396461336332623365366432313734343837
-30613736313961663334326335333834336634373338326631313739363765303036303132346166
-37313030373264383564383936396339623061616134356663333733653838393537306336313135
-32336261356437653863653839373130323035346538343938646265653239376236373932646433
-35373932326535643763396563373138626239393661373231393066323335336264373835336635
-38393732643630336364363834303534663334396363623261383339313939663461303236646237
-36393330373534383836373065373239353836653137306338336638396662363434303839363466
-37303332343464663733653632363239366337656364333532313237633935616637333361383763
-62363063323362323565363837333264346161353032643039323839336666656333336433376231
-36363335626137366135373230613436653232663138343862623562306331336330356630316166
-30613264353165343634663461373630653632366333313837373237613339336638396338376465
-64633638373263376330343561303664666139663237326637663964386133623164626339346635
-66636365366562343636653362656133306164353761346661343430356633613063656466316262
-31633932313532663930303837353863333664393563646566396164666236633832633235653362
-63663931353436623034653733313766393465363466363831643130643939356335643166356436
-38386530333264313263636438376134666235646636316233653330613735323234313036356639
-61316164376434616239646235326661323363333835393430646462323234356138653163616530
-65623233636435396462343437626130353735643530376538633762346332653162353563386366
-32656633633935626238323431643631633434633032303435383037353834653964326336616530
-30363765663133313239373664383830393238303439653531316664636532363135636563356666
-34376636373033353665373261363536393562653638306661663832326139383565613862333831
-38616238616332326532656430393331383161376237393365666639363732363164306332343336
-37366638326464373261386431623731306663616262633837313965633530616265326536323136
-62366365666461383535663637633332626464643062653139623333663038316536353930653266
-37343830613062346533613762663738343138383537396435643765323237623130363564396462
-61663063643135303539313062396338353061346336303938626361343238366366393533363638
-31313437623631626437393761366537636664393863306164373431653133316639623630353336
-65313037636533393362363266366231393334613264343331623531393666336336626265366163
-34663161396633666162326564313735373137303337386538633866653331646635633532336465
-34386166373436386566656135313438363733353139663630613430363332656239356139393532
-35626337666639376664346631323938316538333066353363646562323266353165366632656137
-66366162376165626564363230353062666364646363366637666433636333316536623435623836
-62346566363362363939353038396566653238666138666531396338323262323965383031336362
-34613332363334653531383231363539343133333531666564386133346562323338366139663438
-31613466366438643566333632326239653662636464373337326537313234393038306132343730
-36633136366162643966396362643165313336383862653435343630646431306366656636353230
-64326633346561613662383863356531306563623439363566643733336535303335303164633535
-36356463616162313039386434323637383937613133623131373033373462363365643730666166
-65383166346638313533326366346433656461346439343838306564393336383536633732343965
-39306231386130303433616361366363366163646534316138623362393063663438313165643762
-39393332653564333762663762366633386135353865366338396138666265653662373535666366
-35613937613366323064316561643435353830316239396464393737613835373964626437316464
-39643664656565633966393832643033323130636562383233323636363361353430353062323439
-39396464633336623963633963326461316562333162333766613064336462613235336531623437
-30383063653666633839646533386239366637346230363033306161386537303039376465303535
-34643162323065326264343662303138313063303834353832393663616239383739313133393532
-62393766343037666564326132386139346661383564366366646530346434373366326531356138
-31323531653338653130303733363764636430336563336439666132626434363463306631363334
-39623332376334383338633132653262653735346563626365613336623435396539383630366332
-31316638393562376131363166633163333332633332393062393962613132366538653865663264
-38313237393436353333323431336361653938343034346164353335366535396265633961333138
-65386137356161643732636531613166633464326163303336303439383435376331373935333563
-64633961623761393131333234656530653737346563643963643833383262383434653266343362
-35623832643032346133346363646136646438663761363330666231316434306232623339656535
-34393337666237656262313439386336336466373466663663616139353463316265396135626366
-62313562306334343831616364633933343463386233323637313832316635346235623830333461
-33663530343966383739643261653736363865323438363430653661653964643339633833386438
-36333331366334366461346636636462343335313234663864613864366134356161396662383632
-36663538373761353937313666363262626435623537646665646364353934373638366261333234
-36353439303663656531666637376364313838386130343966316138356338643135316139363630
-30386635376565363931333331336431303562346431323534643238333337386264616161356163
-35663766306635626235373663643064393233346364666663393236353561653362373361666164
-65653566666234626464356338613834323332383939643935323337376162316163333034643062
-63646237646234636561313038383636373936656164333735323461626233633337623764383830
-66383161346336633962643032376662656566396666343662656337306333313836613335643961
-64323961663032373239636430306430383639306333363938303837386139643230353061623937
-36373733636337616264313432643230303935626666633533666135666538626266626266643864
-376430653461346366626432636336653437
+38376439643766303237356563616337663731366435613930393135383962666435313530663632
+3432326162343632613565393737363335306263653032300a643539393562376162333761376631
+62343731316430316638363338343966326635383930623339383339653936343765316439393233
+6562323634383363300a323233346338393764623363346139313661386433656337363332656230
+31306233643735333033316139363165373062363334363933396563366234316330646230353261
+62326539663337323036346533303031333730373061656563613535376162633138306634626462
+37313038356466336138643834643863393333373939616362636365366231383762633030313831
+33393139313336623437396161623437323163633362363137626262653462633737373062643735
+63353561313639393166306466346134623933323532636438656263663338376337376434356163
+64343239616632313566656664393136363337386464613932383961343134363233653039336137
+65656566306463313264646163646130323533666464323464643433313030346535346535323264
+34356433343739343166383034313935666139663239653662663734343139343035616134303730
+39643136623735666333646234346239303337333961343261383834393963386633633030633962
+61376132313532643730633865326130666565303631386262396366306565613665363934383335
+37376139616165396436663135373932653064656136356662363137653036383537613665393634
+38313063656637353630373634316564383362663335356364626161663163323362333937316461
+64336636386234623438613766316430353261346339313863306462393335636131363966363038
+66393561323335393063663838393466656331323433376461653838313638303564666662636438
+38663735616261656338626437336433613730353236636266316536656165303534353538316232
+62363063376464323932383261663537393263333266633461326536656533653661303335646431
+36616436396137343634373563386439653833306537373735353764346430616231313538636362
+30363430613839373761363032316137636432643339383561313637376339323836353161343639
+36316665656164396236383538346561306432333637393431393566333566633434393961663330
+32383833396238633966393837336564626135653733383863346161663364353062303931303931
+39653662373734643037393832643439653437353935666430373337643532346161376661633738
+61643431633431666535333463636461613166363238373138306565643533623039353031646634
+62383662663435346635373865633731393362623761313834393964623930646364366534333236
+35393138346433366435313066633436393561643263343534393034373161343834633261363933
+65376636393263663566653436633762643331336139653565663334373561353130653065653935
+31616337313764313532303934376236623833363433336335303262643135643339613839623231
+37343730616166323239653537313137373136626337333665633134363830626131353030393662
+31643366386365353336326133636434303636343637643539653131316133306132643133643364
+64636464373564383938663838613031626563613362626435383832346661306562343165643539
+66353431393032313262393566353833343632366139656234306561366139633431653133356165
+32363332636433626132666462626137653337646234646565303831646330333133353964626461
+37333265623865376562663365336339353036346135363062663534643537353331623630356264
+66386665333633383534313062623533383239383231333163663565633531666236306465633135
+36363164636165343863363866343437636630353863316633623761373232643262623762316162
+32613665306535626139366564616362393536336364666663333761383362393631316134373138
+32616665363164363639303538373539346239663261373731613464333734326436666433666539
+31656264326535626134323231646535656563363231633434636337323538343038303233363765
+61393164316237323533313336316530316431653731343261636265393361616464323536333130
+65346538306664663566666435393738323832396365363764333637613331356661306535376332
+62313533306365373737643835396364363737306631346161353031633531383364636563383237
+64633432386565356137333730313736393737303665326531356265376333663636393430386233
+33666532616632373061633063656136646533363034363330366231653936396166663134396139
+66393131653963386365656364666263666362316136333561326566626562616138383739346139
+62343035646435393136656434646138376331346164663562306166646132363230333538323536
+38643934613633373734653337666261356639353235326539356264633232343834633062336539
+31616536663730656163626437653932313564633938643163313765393731386533323465303831
+34353663363862363761643565633635373834623665653131613531373637386361636661376532
+64386435643966343034643763393461373961626134346539653865636161333962333463393734
+62343838363432396133326235323636613239326139376365353930373835313531326433326234
+66396537636162363865663433626230316362343334653735646637613130636436633132663538
+64623230303266373965616533346464373661363233613837613765343463306136623063313139
+31383039343462363536646636653736316362356565326538636331646235373162663332313961
+64623061636638666234623336656365383165626461323561343930316432313632316332306334
+61376430303835383934396266303564363230313735366464386134393265326334663633663632
+38643034393737303963643733656333316137646435653666353239373738373632383561646333
+65363865353362383832643238363332613931343038366563316163303764323936316466666364
+31373439383661656336653431666164393833643266656133383137376133636134643137663532
+33353531663336346562653339616430333133363232336461353937303435346337363932306133
+37623164343462363830323263323664303334633563313439376232303031633633316636383164
+66306238333432333635653435383138383339343837346134613630353335656335663062326132
+65323638343963623062663638366538363162343230323262616138373239653163623832313366
+65323834383631646164316363383636643437346435313030656362653332653635343066666232
+39346235383265326262306434383861653138393835663863383032363664323565316165646566
+61646238393062373131346536343533663839313831383335316363343465663130633133393436
+66333465633636353639663836376561353839613533346164366238353833636534633338313262
+30656433376362346333303630643639353262323532666238633764363132303161326638643761
+36616131636538613539383935613337643930333334613566393031646630383330656164363361
+37306536356164633831626362653364313164356235653464333633313263383032333439626434
+65376531396661636661303831393062666362623966353739303330393631323963373564353265
+61343862323737336238356231626561396333386264666563356235333339653538626130623936
+63326431316538346534313764356333396565666431633833613337323136643137306166623238
+66393561333137373964353935323930636237366433613038383761643665363330323865386133
+37623339613733353366656637383030623663313639363334656361623035643232626633313864
+36346564653766646333613763616163363462613937656534363461376235613064373039326165
+32666265383065636232613632333830633439653066653666663261646536663434393535613131
+30373062313765663038313534623165653833623330383032363063393239373234636630646561
+38633962363530666638666630316434613462656335613236363831313863613030636539356133
+66386133383433663964306661636131633236633935633236623530373864646363383534383735
+63633165626464333332303331333338313838393832626637626137316338643136336333633930
+61346436336635656639616261383666336330333862303139633137373362303033653432613039
+35623663353538323761623839623438646363313164356631386364356533346133333334326565
+32303837663261386463313535373765356166376165386535623838326431616564346632363732
+62373231356530346632373134343865303532326136653731633038353066623435336462303138
+37363039343433613939363663623135396636396433653362666164323237393664623564393532
+61376463336564396537366365373936333666373432376566323864343735636264643139643063
+66396230303336633438666234336434353866323637316334313162363734623763666338336234
+39303330343035333864396631323231363134646238323065356138633131323135613133356237
+34373562633430613062313261363939373632313838333934303165336562663839663833383763
+39316632656561653033613933373861366361353761346539306234366538373461373930306535
+66623430343336333033306135303639646566393336663538313430616364653933663536386535
+64323962353734356134656361663131376564626461386233643731393664353038626464313763
+64396265373737313134613962376334373965353338303363303935353538643561336461393032
+37356434343837376534663938366434343063643966643965346465636166363235643635333466
+38323664366366663363616664336165653264633437393636363866316262303432356461386330
+63326539626363333331366162363230626462656633653866383331333164663734633630353265
+63303832376230646136346261383965626633613739616330666232376366613332663839336531
+32343031336363663865643165666435623462376130326433316562363530343662366432313031
+63626538656633346563663735323030363231643933326337613634376531636235333339373633
+66353362333265343964353966383363613336636536393734363363623363316532653533633434
+39333162303834353362323362656630343733653336613065333462626637303264653361393462
+32336238326535383662636465383832346438333230666662633430303964343236626331623536
+65383666316431646538396661386332323037383666336138666135613763363633343934663836
+32656362323631303732613235663135633939643165626231373162643963613637626235613365
+32326266323431636434633234333730373836373039666137663232323539396364373061393232
+30646432666365333336333836313333363537363163383034656136383164663331373632313564
+34353731363338323438366464663938393632626530323537306233613866356234323364373766
+34326662656263383864613538326536626133386532303932326362376632363631356535393937
+33346462336636656165316166363364343330383337636361656438383661333366633532616131
+37313033623430663039626131303933316561666233613666636433363537373264653331323136
+66663532653233373735326333333738663931343735306262353831303330633136623966316431
+39316462313066336536623438626163383139343532313932316435356431323865373035343465
+30346237393531353833616136323431376530333635633632666431313938643539363831313539
+38396338336136363165323135663836336139623865666631663237616664636233653663383965
+39623665656563316334323738323730306631636565393662313536353565383033653365663461
+38326432353166376438356238386161396638666131636536356333393563613461373263346538
+36656138353762323662363061613764633466303566353338626666646533616137393336333333
+30393733316636353266653039346237363830333831383535646531616130353534633062643135
+64373533646462313035383236333866313866366130663863363162613234393762646662666233
+30653666353333366365343036643462346361303536363935396133343166303339623461376563
+39333163636466646534356337656431376663623833303235303534633634386665636162346634
+34646665633639663763316339663539663261333436363935316334656330313835616138626237
+35623363393532633937653132303635396536646635633062393661616538303631663136363038
+35623539303963383063343338653130643233636537356264323238633839303337383665393333
+36303330393638643464646535653833626531343634626531396261363139326336623765623039
+32613237636366376463343766303964336661363432646436373963626537373137396661633766
+63633830663035663764303634643662333464353234646232343066306131336533396435313239
+66366630643564313665306130656463633065646430373334336664633264353336376439666137
+65366537366462623136353539373961333238373733663837373430663865643334393565333861
+35363035343561633164613631633532623164376339633630393633396437333034376339656538
+32653030626434326632386635383739663932393331333062656565303939373566653031613839
+31363162666330393232646562333833633266643165316464623533623539356339333365623966
+65323638396531346261303835373138333262323466656263643737343734303237303638353036
+3733

inventories/prod/group_vars/alpina/vars.yml

@@ -12,3 +12,7 @@ fw_vpn_input_ports: "{{ vault_fw_vpn_input_ports }}"
 # Authentik GitHub OAuth
 github_consumer_key: 32d5cae58d744c56fcc9
 github_consumer_secret: "{{ vault_github_consumer_secret }}"
+
+# VPGen
+vpgen_ipv4_starting_addr: 10.18.11.100
+vpgen_ipv6_starting_addr: "{{ vault_vpgen_ipv6_starting_addr }}"

inventories/prod/group_vars/alpina/vault.yml

@@ -1,21 +1,24 @@
 $ANSIBLE_VAULT;1.1;AES256
-61656162363565633436373135333536623561663136303736393865623830633539376362363363
-3938333137343336626634346262363964316563643261310a366538363037343965363766646535
-61636239326464373039333462653562373933396665393039633266326234663335363337666439
-6137323332303533640a383062383135633762323561313666636566306531306636633466316536
-66623731626266333731303336323733343336626366343833633365616330343565363035323039
-35313961383131616133386663376331336639633137383137346164353632653939363266613562
-36316631366661353632386230306532633862393963663465383862653964646462666334396666
-66626636353539316266343937623662613336616331626439306538363764636366656635356639
-30663535393366383261333832356237373230663037373638303161303534636230616464636265
-37623938303638646233346338616239393838396433313063343065386666323264646461373032
-63376661646139316430303533643063336634333364643231336130613638626431623732646434
-63643833353164313465633333646232653761356333323933396666323837656334343866363762
-39646263653137356632323534356631366531636530613736343438393136363835373435636230
-30313163386335353935663432323033326235653963653930396235373863373232666334326661
-34336632666365666563326366376461386130343965363832343430396537323734363533353065
-64313837623366356261383437306465633730353332636561333462356363326132313933653234
-66363634333664333433613466396639306436353035346134373430663532373934343861323262
-30666664336336393835346234316238613839326436363162626439376530306133343530303365
-65393030633237333166336637363435646435323736353461333932366638333264333239373733
-30623062643336643431
+63353634643462306366336162646431616335613961343464626166303837363565393136373433
+3663373337303837353564383531393462343064353534370a666333363166636137396634613139
+62313762373332303334666530333731653231663263663930633265333665383661643037303737
+3239666139623937390a373066376363663865373266623831653964366565623138643138353866
+35343633323032326331393263316434396335643732363337643262373663646339663836623235
+61356534393435303336313636646665366238303539343835343761633230383261333864396465
+34336166346261613061616336633166383338623561626662333665323462623064666531633833
+34333735343934356365306135386430646539366561666334393065363532393636653031393237
+38633437383961376162366430393761366231636437316139373334623964396236643761306363
+33653761356632643334333932346664353037366638363835663435363162396333616535363730
+61623539363130633330303462613861393965643066303338353531346433363962373761623235
+36313838323830333966326331656435653837363530353837636465333434666266373639626534
+37663633353962336237316433653763616333333165343630346637346137613338333363653231
+36326163343839363936613334373430326531646464626230616634663530343265356166346165
+61306263613937626565626165616336626131636234643062306530326235646532313962626438
+61363333373034313563373831633339653365663831376463663839333233616635656137333561
+36396639393835316133393737313164353939336134623666396265396535353861643263366235
+62323137306235633061386630636235613636393033333631633231316337393430383438643462
+63343630353134363633383331373437623631333532663536643937616636666433623861643639
+63653532626337333136313932396164393733333038396235313133326338356234363363633962
+34336562396138333535363165343764363336316238323364326539343738633831636536306139
+38653766656430353035396166616133343666303231363039386635363536306531343932656261
+623162633233343566376630303538636664

inventories/staging/group_vars/alpina/vars.yml

@@ -12,3 +12,7 @@ fw_vpn_input_ports: "{{ vault_fw_vpn_input_ports }}"
 # Authentik GitHub OAuth
 github_consumer_key: dbacb8621c37320eb745
 github_consumer_secret: "{{ vault_github_consumer_secret }}"
+
+# VPGen
+vpgen_ipv4_starting_addr: 10.18.11.50
+vpgen_ipv6_starting_addr: "{{ vault_vpgen_ipv6_starting_addr }}"

inventories/staging/group_vars/alpina/vault.yml

@@ -1,21 +1,24 @@
 $ANSIBLE_VAULT;1.1;AES256
-63633535633462326534626562373461373363643166383961303861623531663263323534366537
-3263633238646439306430356365623233313838326639350a386633363434623737313565316535
-33393734633937333637373432366132323366343836393538366339626235613937323066613666
-3737393262646333390a623331333461373563313166323232343234616538623433376166313532
-32323834346336336164343938303062336438643566343866316164643535663039326331646465
-36666162393365323633646635333666613030386265306238633434303234336439646663356363
-63323638373035326465633934326363316364616539613462653232393465633233366666373664
-66616361646564303530356331323864343966633736643434653237316236363063613634646438
-35303238646632616465643264316164363139393834626362326538613033656464323435396638
-31346631653764303332386331663361623766333332366537313634636333346538653537346631
-62363438303036386530633236376633326162336434343861346261373835653735323161323965
-62353965373164616537346134303232363033323134323130316439386339613966646330666533
-65346239383230646565346133663530613462363532663562326136376233303638323332326630
-35656432363563653663616236393932663637323139666664636237336136366438656666633865
-66353162656364356638313236643131613830393838636264663833343461373963613431656364
-32303331623033303433333631313038316336653638656638373031653234356164333363336532
-37316334353463376562643138346633613633353536653939376564333166323931353634333736
-63616133663266383339323562343265613461623865623263623139396163343065623264366230
-32633362336335396562366563363830636133376238646433386236666461333731353337386333
-61323931643766326338
+63633035373836396362626539323363363132366230343762366437326339343535663361633430
+3039646662343464303663313631313361306136613461340a313836363237376238343232613463
+36633962613233386261366536333664346132396266383064353065353936653038346534343433
+3734333932666436660a346539643637316432343761393635333265656165313464656631653236
+37303637333564383036623664616237313466643836663632363461353462386638326361396535
+34353639303734323633306266356134393832366132633132383361336138643961663362616132
+65356338353837623531383566363666633565646537353937656463343832613031633630306462
+62313335353065323939366536356161653339316265373362376138396636626361643435386234
+61633732383963653935363137346466623163396231303430346338323761643237383461303932
+36663263633730346362386366663135653735303161383166633631333862303261356132303461
+34633432633663623136303337613335643636356530626336366361373736333336366230346265
+31396463363639303431386439303163643037376262616437643438323162653134643837363430
+66336331636466383063656632306566346531336161653136623938616564333333326566616364
+62383935616637656132373664343730653239396634313530633665633736653365366136656265
+39343833333836323133376465376164323530643438353234353938663733323433373531636335
+64366232613637636537626139656130303663353266363064666464373665336238383763616436
+30303032393830333730353837656237666564346430613531653466646534613536353433613634
+62653538366638366565633261346431396639663435356531366537353737363761356530643635
+61653438346434363834653131646661366338633431303862333732326262626366633034323137
+30323636616333356430346365643630366162323133376135366663343265346234346161306431
+35383736336664636561623262643162636130366162326536656231653165386230333562383466
+66323863656566396639316263376233613162396265373235306662663665613663626565623761
+663938383964623436306662666663303330

roles/alpina/tasks/main.yml

@@ -31,4 +31,5 @@
       - nextcloud
       - jellyfin
       - arrstack
+      - vpgen
   import_tasks: deploy_collection.yml

roles/alpina/templates/apps/vpgen/.env.vpgen.j2

@@ -0,0 +1,20 @@
+DATABASE_URL=file:/data/vpgen.db
+
+AUTH_DOMAIN=auth.{{ domain }}
+AUTH_CLIENT_ID=vpgen
+AUTH_CLIENT_SECRET={{ auth_vpgen_client_secret }}
+
+OPNSENSE_API_URL={{ vpgen_opnsense_api_url }}
+OPNSENSE_API_KEY={{ vpgen_opnsense_api_key }}
+OPNSENSE_API_SECRET={{ vpgen_opnsense_api_secret }}
+OPNSENSE_WG_IFNAME={{ vpgen_opnsense_wg_ifname }}
+
+IPV4_STARTING_ADDR={{ vpgen_ipv4_starting_addr }}
+IPV6_STARTING_ADDR={{ vpgen_ipv6_starting_addr }}
+IPV6_CLIENT_PREFIX_SIZE={{ vpgen_ipv6_client_prefix_size }}
+IP_MAX_INDEX={{ vpgen_ip_max_index }}
+VPN_ENDPOINT={{ vpgen_vpn_endpoint }}
+VPN_DNS={{ vpgen_vpn_dns }}
+MAX_CLIENTS_PER_USER={{ vpgen_max_clients_per_user }}
+
+ORIGIN=https://vpgen.{{ domain }}

roles/alpina/templates/apps/vpgen/docker-compose.yml.j2

@@ -0,0 +1,16 @@
+{% import 'contrib/compose_helpers.j2' as helpers with context %}
+
+networks:
+  {{ helpers.default_network(196) | indent(2) }}
+
+services:
+  vpgen:
+    image: gitea.cazzzer.com/cazzzer/vpgen:develop
+    container_name: vpgen
+    labels:
+      - {{ helpers.traefik_labels('vpgen', port='3000') | indent(6) }}
+    restart: unless-stopped
+    env_file:
+      - .env.vpgen
+    volumes:
+      - {{ base_volume_path }}/vpgen:/data

roles/alpina/templates/services/authentik/blueprints/apps-oauth2.yaml.j2

@@ -5,46 +5,87 @@ metadata:
   name: Alpina - OAuth2 Apps
 entries:
   {% set apps = {
+    "Grafana": {
+      "redirect_uri": "https://grafana."~ domain ~"/login/generic_oauth",
+      "icon": "https://grafana."~ domain ~"/public/img/grafana_icon.svg",
+      "client_secret": auth_grafana_client_secret,
+      "ui_group": "Services",
+      "allowed_for_groups": ["admins"],
+    },
+    "Minio": {
+      "redirect_uri": "https://minio."~ domain ~"/oauth_callback",
+      "icon": "https://minio."~ domain ~"/logo192.png",
+      "client_secret": auth_minio_client_secret,
+      "ui_group": "Services",
+      "allowed_for_groups": ["admins"],
+    },
     "Gitea": {
-      "redirect_uris": "https://gitea."~ domain ~"/user/oauth2/Authentik/callback",
+      "redirect_uri": "https://gitea."~ domain ~"/user/oauth2/Authentik/callback",
       "icon": "https://gitea."~ domain ~"/assets/img/logo.svg",
+      "client_secret": auth_gitea_client_secret,
+      "ui_group": "Apps",
+      "allowed_for_groups": ["admins", "users"],
     },
     "Nextcloud": {
-      "redirect_uris": "https://nc."~ domain ~"/apps/sociallogin/custom_oidc/authentik",
+      "redirect_uri": "https://nc."~ domain ~"/apps/sociallogin/custom_oidc/authentik",
       "icon": "https://nc."~ domain ~"/apps/theming/favicon",
+      "client_secret": auth_nextcloud_client_secret,
+      "ui_group": "Apps",
+      "allowed_for_groups": ["admins", "users"],
+    },
+    "VPGen": {
+      "redirect_uri": "https://vpgen."~ domain ~"/auth/authentik/callback",
+      "icon": "https://vpgen."~ domain ~"/favicon.png",
+      "client_secret": auth_vpgen_client_secret,
+      "ui_group": "Apps",
+      "allowed_for_groups": ["admins", "users"],
     },
   } -%}
   {% for app in apps.keys() -%}
   - identifiers:
       name: {{ app }}
     model: authentik_providers_oauth2.oauth2provider
-    id: {{ app | lower }}
+    id: {{ app }}
     attrs:
-      access_code_validity: minutes=1
-      access_token_validity: minutes=5
       authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+      invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
       client_type: confidential
-      issuer_mode: per_provider
-      sub_mode: hashed_user_id
+      client_id: {{ app | lower }}
+      client_secret: {{ apps[app]["client_secret"] }}
       property_mappings:
         - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
         - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
         - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
-      redirect_uris: {{ apps[app]["redirect_uris"] }}
-      refresh_token_validity: days=30
+        {% if app == "Minio" -%}
+        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, minio]]
+        {%- endif %}
+
+      redirect_uris:
+        - matching_mode: strict
+          url: {{ apps[app]["redirect_uri"] }}
+      # Necessary for JWKS to be generated correctly
       signing_key: !Find [authentik_crypto.certificatekeypair, [name, "authentik Self-signed Certificate"]]
 
   - identifiers:
       slug: {{ app | lower }}
     model: authentik_core.application
-    id: {{ app | lower }}
+    id: app-{{ app }}
     attrs:
       name: {{ app }}
-      group: "Apps"
+      group: "{{ apps[app]["ui_group"] }}"
       meta_description: "Hello, I'm {{ app }}!"
       meta_publisher: Alpina
       icon: "{{ apps[app]["icon"] }}"
       open_in_new_tab: true
-      policy_engine_mode: any
-      provider: !KeyOf {{ app | lower }}
+      provider: !KeyOf {{ app }}
+
+  {% for group in apps[app]["allowed_for_groups"] -%}
+  - identifiers:
+      group: !Find [authentik_core.group, [name, {{ group }}]]
+      target: !KeyOf app-{{ app }}
+    model: authentik_policies.policybinding
+    attrs:
+      order: 10
+  {% endfor %}
+
   {% endfor %}

roles/alpina/templates/services/authentik/blueprints/apps-proxy.yaml.j2

@@ -4,61 +4,47 @@ metadata:
     blueprints.goauthentik.io/instantiate: "true"
   name: Alpina - Proxied Apps
 entries:
-  - identifiers:
-      name: arrstack
-    model: authentik_core.group
-    id: arrstack
-    attrs:
-      arrstack_username: "arr"
-      arrstack_password: "{{ arrstack_password }}"
-
-  # TODO: Probably refactor this into a jinja macro
+  # TODO: Possibly refactor this into a jinja macro (?)
   {% set apps = {
-    "uptime-kuma": {
+    "Uptime Kuma": {
       "host": "uptime",
-      "name": "Uptime Kuma",
       "icon": "https://uptime."~ domain ~"/icon.svg",
       "unauthenticated_paths": "^/icon.svg$",
-      "group": "Services",
-      "create_admin_group": true,
+      "ui_group": "Services",
+      "allowed_for_groups": ["admins"],
     },
-    "qbit": {
+    "qBit": {
       "host": "qbit",
-      "name": "qBit",
       "icon": "https://qbit."~ domain ~"/images/qbittorrent-tray.svg",
       "unauthenticated_paths": "^/images/qbittorrent-tray.svg$",
-      "group": "Arrstack",
-      "create_admin_group": false,
+      "ui_group": "Arrstack",
+      "allowed_for_groups": ["arrstack"],
     },
-    "prowlarr": {
+    "Prowlarr": {
       "host": "prowlarr",
-      "name": "Prowlarr",
       "icon": "https://prowlarr."~ domain ~"/Content/Images/logo.svg",
       "unauthenticated_paths": "^/Content/Images/logo.svg$",
-      "group": "Arrstack",
-      "create_admin_group": false,
+      "ui_group": "Arrstack",
+      "allowed_for_groups": ["arrstack"],
     },
-    "sonarr": {
+    "Sonarr": {
       "host": "sonarr",
-      "name": "Sonarr",
       "icon": "https://sonarr."~ domain ~"/Content/Images/logo.svg",
       "unauthenticated_paths": "^/Content/Images/logo.svg$",
-      "group": "Arrstack",
-      "create_admin_group": false,
+      "ui_group": "Arrstack",
+      "allowed_for_groups": ["arrstack"],
     },
-    "radarr": {
+    "Radarr": {
       "host": "radarr",
-      "name": "Radarr",
       "icon": "https://radarr."~ domain ~"/Content/Images/logo.svg",
       "unauthenticated_paths": "^/Content/Images/logo.svg$",
-      "group": "Arrstack",
-      "create_admin_group": false,
+      "ui_group": "Arrstack",
+      "allowed_for_groups": ["arrstack"],
     },
   } -%}
-
   {% for app in apps.keys() -%}
   - identifiers:
-      name: {{ apps[app]["name"] }}
+      name: {{ app }}
     model: authentik_providers_proxy.proxyprovider
     id: {{ app }}
     attrs:
@@ -68,39 +54,26 @@ entries:
       skip_path_regex: "{{ apps[app]["unauthenticated_paths"] }}"
 
   - identifiers:
-      slug: {{ app }}
+      slug: {{ app | lower | replace(" ", "-") }}
     model: authentik_core.application
+    id: app-{{ app }}
     attrs:
-      name: {{ apps[app]["name"] }}
-      group: {{ apps[app]["group"] }}
-      meta_description: "Hello, I'm {{ apps[app]["name"] }}!"
+      name: {{ app }}
+      group: {{ apps[app]["ui_group"] }}
+      meta_description: "Hello, I'm {{ app }}!"
       meta_publisher: Alpina
       icon: "{{ apps[app]["icon"] }}"
       open_in_new_tab: true
       provider: !KeyOf {{ app }}
 
-  {% if apps[app]["create_admin_group"] -%}
+  {% for group in apps[app]["allowed_for_groups"] -%}
   - identifiers:
-      name: "{{ apps[app]["name"] }} Admins"
-    model: authentik_core.group
-    id: "{{ app }} Admins"
-
-  - identifiers:
-      group: !KeyOf "{{ app }} Admins"
-      target: !Find [authentik_core.application, [ slug, {{ app }}] ]
+      group: !Find [authentik_core.group, [name, {{ group }}]]
+      target: !KeyOf app-{{ app }}
     model: authentik_policies.policybinding
     attrs:
-      order: 0
-  {% endif %}
-
-  {% if apps[app]["group"] == "Arrstack" -%}
-  - identifiers:
-      group: !KeyOf arrstack
-      target: !Find [authentik_core.application, [slug, {{ app }}]]
-    model: authentik_policies.policybinding
-    attrs:
-      order: 0
-  {% endif %}
+      order: 10
+  {% endfor %}
 
   {% endfor %}
 

roles/alpina/templates/services/authentik/blueprints/default-enrollment-internal.yaml.j2

@@ -0,0 +1,152 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: Alpina - Default Enrollment by Invitation (Internal)
+entries:
+  # Flow for internal enrollment by invitation
+  - identifiers:
+      slug: enrollment-internal-invitation-flow
+    model: authentik_flows.flow
+    id: flow
+    attrs:
+      name: Default enrollment Flow
+      title: Welcome to authentik!
+      designation: enrollment
+      authentication: require_unauthenticated
+
+  # Prompt fields
+  - identifiers:
+      name: default-enrollment-field-username
+    model: authentik_stages_prompt.prompt
+    id: prompt-field-username
+    attrs:
+      field_key: username
+      label: Username
+      type: username
+      required: true
+      placeholder: Username
+      placeholder_expression: false
+      order: 0
+  - identifiers:
+      name: default-enrollment-field-password
+    model: authentik_stages_prompt.prompt
+    id: prompt-field-password
+    attrs:
+      field_key: password
+      label: Password
+      type: password
+      required: true
+      placeholder: Password
+      placeholder_expression: false
+      order: 0
+  - identifiers:
+      name: default-enrollment-field-password-repeat
+    model: authentik_stages_prompt.prompt
+    id: prompt-field-password-repeat
+    attrs:
+      field_key: password_repeat
+      label: Password (repeat)
+      type: password
+      required: true
+      placeholder: Password (repeat)
+      placeholder_expression: false
+      order: 1
+  - identifiers:
+      name: default-enrollment-field-name
+    model: authentik_stages_prompt.prompt
+    id: prompt-field-name
+    attrs:
+      field_key: name
+      label: Name
+      type: text
+      required: true
+      placeholder: Name
+      placeholder_expression: false
+      order: 0
+  - identifiers:
+      name: default-enrollment-field-email
+    model: authentik_stages_prompt.prompt
+    id: prompt-field-email
+    attrs:
+      field_key: email
+      label: Email
+      type: email
+      required: true
+      placeholder: Email
+      placeholder_expression: false
+      order: 1
+
+  # Flow stages
+  - identifiers:
+      name: default-enrollment-invitation
+    model: authentik_stages_invitation.invitationstage
+    id: default-enrollment-invitation
+  - identifiers:
+      name: default-enrollment-prompt-first
+    model: authentik_stages_prompt.promptstage
+    id: default-enrollment-prompt-first
+    attrs:
+      fields:
+        - !KeyOf prompt-field-username
+        - !KeyOf prompt-field-password
+        - !KeyOf prompt-field-password-repeat
+  - identifiers:
+      name: default-enrollment-prompt-second
+    model: authentik_stages_prompt.promptstage
+    id: default-enrollment-prompt-second
+    attrs:
+      fields:
+        - !KeyOf prompt-field-name
+        - !KeyOf prompt-field-email
+  - identifiers:
+      name: default-enrollment-user-write
+    model: authentik_stages_user_write.userwritestage
+    id: default-enrollment-user-write
+    attrs:
+      user_creation_mode: always_create
+      user_type: internal
+  - identifiers:
+      name: default-enrollment-email-verify
+    model: authentik_stages_email.emailstage
+    id: default-enrollment-email-verify
+    attrs:
+      use_global_settings: true
+      template: email/account_confirmation.html
+      activate_user_on_success: true
+  - identifiers:
+      name: default-enrollment-user-login
+    model: authentik_stages_user_login.userloginstage
+    id: default-enrollment-user-login
+
+  # Flow stage bindings
+  - identifiers:
+      target: !KeyOf flow
+      stage: !KeyOf default-enrollment-invitation
+      order: 0
+    model: authentik_flows.flowstagebinding
+  - identifiers:
+      target: !KeyOf flow
+      stage: !KeyOf default-enrollment-prompt-first
+      order: 10
+    model: authentik_flows.flowstagebinding
+  - identifiers:
+      target: !KeyOf flow
+      stage: !KeyOf default-enrollment-prompt-second
+      order: 11
+    model: authentik_flows.flowstagebinding
+  - identifiers:
+      target: !KeyOf flow
+      stage: !KeyOf default-enrollment-user-write
+      order: 20
+    model: authentik_flows.flowstagebinding
+  - identifiers:
+      target: !KeyOf flow
+      stage: !KeyOf default-enrollment-email-verify
+      order: 30
+    model: authentik_flows.flowstagebinding
+  - identifiers:
+      target: !KeyOf flow
+      stage: !KeyOf default-enrollment-user-login
+      order: 100
+    model: authentik_flows.flowstagebinding

roles/alpina/templates/services/authentik/blueprints/default-groups.yaml.j2

@@ -0,0 +1,40 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: Alpina - Default Groups
+entries:
+  - identifiers:
+      name: "admins"
+    model: authentik_core.group
+    id: "admins"
+    attrs:
+      is_superuser: true
+
+  - identifiers:
+      name: "users"
+    model: authentik_core.group
+    id: "users"
+
+  - identifiers:
+      name: "arrstack"
+    model: authentik_core.group
+    id: "arrstack"
+    attrs:
+      arrstack_username: "arr"
+      arrstack_password: "{{ arrstack_password }}"
+
+  - identifiers:
+      scope_name: "minio"
+    model: authentik_providers_oauth2.scopemapping
+    id: "scope-minio"
+    attrs:
+      name: "Minio Policy"
+      expression: |
+        policy = "default"
+        if ak_is_group_member(request.user, name="admins"):
+            policy = "consoleAdmin"
+
+        return {
+          "policy": policy,
+        }

roles/alpina/templates/services/authentik/blueprints/services-oauth2.yaml.j2

@@ -1,56 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: Alpina - OAuth2 Services
-entries:
-  {% set apps = {
-    "Grafana": {
-      "redirect_uris": "https://grafana."~ domain ~"/login/generic_oauth",
-      "icon": "https://grafana."~ domain ~"/public/img/grafana_icon.svg",
-      "client_secret": auth_grafana_client_secret,
-    },
-  } -%}
-  # TODO: Add Minio
-
-  {% for app in apps.keys() -%}
-  - identifiers:
-      name: {{ app }}
-    model: authentik_providers_oauth2.oauth2provider
-    id: {{ app | lower }}
-    attrs:
-      authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-      client_type: confidential
-      client_id: {{ app | lower }}
-      client_secret: {{ apps[app]["client_secret"] }}
-      property_mappings:
-        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
-        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
-        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
-      redirect_uris: {{ apps[app]["redirect_uris"] }}
-
-  - identifiers:
-      slug: {{ app | lower }}
-    model: authentik_core.application
-    attrs:
-      name: {{ app }}
-      group: "Services"
-      meta_description: "Hello, I'm {{ app }}!"
-      meta_publisher: Alpina
-      icon: "{{ apps[app]["icon"] }}"
-      open_in_new_tab: true
-      provider: !KeyOf {{ app | lower }}
-
-  - identifiers:
-      name: "{{ app }} Admins"
-    model: authentik_core.group
-    id: "{{ app }} Admins"
-
-  - identifiers:
-      group: !KeyOf "{{ app }} Admins"
-      target: !Find [authentik_core.application, [slug, {{ app | lower }}]]
-    model: authentik_policies.policybinding
-    attrs:
-      order: 0
-
-  {% endfor %}

roles/alpina/templates/services/minio/.env.minio.j2

@@ -5,11 +5,16 @@ MINIO_DOMAIN=s3.{{ domain }}
 MINIO_SERVER_URL=https://s3.{{ domain }}
 MINIO_BROWSER_REDIRECT_URL=https://minio.{{ domain }}
 
-#MINIO_IDENTITY_OPENID_CONFIG_URL=https://auth.{{ domain }}/application/o/minio/.well-known/openid-configuration
-#MINIO_IDENTITY_OPENID_CLIENT_ID=
-#MINIO_IDENTITY_OPENID_CLIENT_SECRET=
-#MINIO_IDENTITY_OPENID_CLAIM_NAME=
-#MINIO_IDENTITY_OPENID_CLAIM_PREFIX=
-#MINIO_IDENTITY_OPENID_SCOPES=
-#MINIO_IDENTITY_OPENID_REDIRECT_URI=
+# https://min.io/docs/minio/linux/reference/minio-server/settings/iam/openid.html
+MINIO_IDENTITY_OPENID_CONFIG_URL=https://auth.{{ domain }}/application/o/minio/.well-known/openid-configuration
+MINIO_IDENTITY_OPENID_CLIENT_ID=minio
+MINIO_IDENTITY_OPENID_CLIENT_SECRET={{ auth_minio_client_secret }}
+# defaults to "policy"
+#MINIO_IDENTITY_OPENID_CLAIM_NAME=policy
+MINIO_IDENTITY_OPENID_DISPLAY_NAME=Authentik
+# no need to specify scopes,
+# as it defaults to the ones advertised at the discovery url
+#MINIO_IDENTITY_OPENID_SCOPES=openid,profile,email,minio
+#MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC=off
+#MINIO_IDENTITY_OPENID_CLAIM_USERINFO=on
 #MINIO_IDENTITY_OPENID_COMMENT=

roles/alpina/templates/services/monitoring/grafana_config/grafana.ini.j2

@@ -31,4 +31,4 @@ name_attribute_path = name
 
 # Optionally map user groups to Grafana roles
 allow_assign_grafana_admin = true
-role_attribute_path = contains(groups[*], 'Grafana Admins') && 'GrafanaAdmin' || 'Viewer'
+role_attribute_path = contains(groups[*], 'admins') && 'GrafanaAdmin' || 'Viewer'

roles/alpina/templates/services/traefik/docker-compose.yml.j2

@@ -12,7 +12,7 @@ networks:
 
 services:
   traefik:
-    image: traefik:v3.0
+    image: traefik:v3.2
     container_name: traefik
     restart: unless-stopped
     env_file:
@@ -23,7 +23,6 @@ services:
       - ./rules:/rules:ro
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - {{ base_volume_path }}/traefik/rules:/rules/extra:ro
-      - {{ base_volume_path }}/traefik/logs:/logs
       - {{ base_volume_path }}/traefik/acme:/acme
 
   # This is mostly just so that the traefik network gets created

roles/alpina/templates/services/traefik/traefik.yml.j2

@@ -2,11 +2,8 @@ api:
   insecure: true
 
 log:
-  filePath: /logs/traefik.log
   level: INFO
 accessLog:
-  filePath: /logs/access.log
-  bufferingSize: 100
 
 entryPoints:
   web: