authentik, minio: initial integration with blueprints for admin policy

authentik: refactor oauth apps blueprints with group policies
authentik: refactor groups and proxied apps blueprints
2024-12-21 00:42:22 -08:00 · 2024-12-20 21:51:20 -08:00 · 2024-12-20 21:37:19 -08:00 · 2024-12-20 19:57:59 -08:00
8 changed files with 242 additions and 218 deletions
--- a/.idea/jsonSchemas.xml
+++ b/.idea/jsonSchemas.xml
@ -31,7 +31,7 @@
                <list>
                  <Item>
                    <option name="directory" value="true" />
-                    <option name="path" value="roles/alpina/collections/services/authentik/templates/blueprints" />
+                    <option name="path" value="roles/alpina/templates/services/authentik/blueprints" />
                    <option name="mappingKind" value="Directory" />
                  </Item>
                </list>
--- a/group_vars/alpina/vars.yml
+++ b/group_vars/alpina/vars.yml
@ -14,6 +14,9 @@ authentik_secret_key: "{{ vault_authentik_secret_key }}"
 authentik_sendgrid_api_key: "{{ vault_authentik_sendgrid_api_key }}"

 auth_grafana_client_secret: "{{ vault_auth_grafana_client_secret }}"
+auth_gitea_client_secret: "{{ vault_auth_gitea_client_secret }}"
+auth_nextcloud_client_secret: "{{ vault_auth_nextcloud_client_secret }}"
+auth_minio_client_secret: "{{ vault_auth_minio_client_secret }}"
 arrstack_password: "{{ vault_arrstack_password }}"

 # Minio
--- a/group_vars/alpina/vault.yml
+++ b/group_vars/alpina/vault.yml
@ -1,88 +1,113 @@
 $ANSIBLE_VAULT;1.1;AES256
-36636236366435333738633465323539336231393239656538643863643233346563333836623335
-3136393936656261396434316232356338313838373666660a653464613833306133343232623864
-61666561336462376664363463313533353238623031613664353063396236343663643936303730
-6235646336306636360a653238633038306532613436633132363231613862383636313838623461
-32633366326136346435613232396632396365656138643361643139353430663637353565383664
-36623961663030653639316131376535363138343965636437653139646233613765323439393030
-31666137346339663162393836636638636431326232323461353661613062623032306130393965
-38313931313935666633343835303232333961633232623538383138366262663335323764323939
-32373333663834626633363265373632356439633862316562323565646530383534653338353165
-38396434353332623164346137383238343536303130616666643065306431656137303263323135
-34316662353031653932396239623733313037383935383762623136346636323434363231623161
-30393864353466643637316566663366363231373335663331323932663837626239663633663965
-66333531323861663130353531323339386566303630366236636135393439356634393732623033
-31336231363935633436363962316666666336303338313636386163313666636336343464336133
-33313730303961663632323435323963663530623265663664343735643061323332343265343431
-61363039333730623562363233373537633138663239313132336666313237373137353663326538
-32366130326635366433393434653735616132366264386461363063393265623765666461626366
-38636239376534653230663932393930343162333262643130633835343363613061623932363761
-64643164323335376565646137643763316562343565366462376162333633313737303465373362
-63343734633536353661353165346632666230616138396461336332623365366432313734343837
-30613736313961663334326335333834336634373338326631313739363765303036303132346166
-37313030373264383564383936396339623061616134356663333733653838393537306336313135
-32336261356437653863653839373130323035346538343938646265653239376236373932646433
-35373932326535643763396563373138626239393661373231393066323335336264373835336635
-38393732643630336364363834303534663334396363623261383339313939663461303236646237
-36393330373534383836373065373239353836653137306338336638396662363434303839363466
-37303332343464663733653632363239366337656364333532313237633935616637333361383763
-62363063323362323565363837333264346161353032643039323839336666656333336433376231
-36363335626137366135373230613436653232663138343862623562306331336330356630316166
-30613264353165343634663461373630653632366333313837373237613339336638396338376465
-64633638373263376330343561303664666139663237326637663964386133623164626339346635
-66636365366562343636653362656133306164353761346661343430356633613063656466316262
-31633932313532663930303837353863333664393563646566396164666236633832633235653362
-63663931353436623034653733313766393465363466363831643130643939356335643166356436
-38386530333264313263636438376134666235646636316233653330613735323234313036356639
-61316164376434616239646235326661323363333835393430646462323234356138653163616530
-65623233636435396462343437626130353735643530376538633762346332653162353563386366
-32656633633935626238323431643631633434633032303435383037353834653964326336616530
-30363765663133313239373664383830393238303439653531316664636532363135636563356666
-34376636373033353665373261363536393562653638306661663832326139383565613862333831
-38616238616332326532656430393331383161376237393365666639363732363164306332343336
-37366638326464373261386431623731306663616262633837313965633530616265326536323136
-62366365666461383535663637633332626464643062653139623333663038316536353930653266
-37343830613062346533613762663738343138383537396435643765323237623130363564396462
-61663063643135303539313062396338353061346336303938626361343238366366393533363638
-31313437623631626437393761366537636664393863306164373431653133316639623630353336
-65313037636533393362363266366231393334613264343331623531393666336336626265366163
-34663161396633666162326564313735373137303337386538633866653331646635633532336465
-34386166373436386566656135313438363733353139663630613430363332656239356139393532
-35626337666639376664346631323938316538333066353363646562323266353165366632656137
-66366162376165626564363230353062666364646363366637666433636333316536623435623836
-62346566363362363939353038396566653238666138666531396338323262323965383031336362
-34613332363334653531383231363539343133333531666564386133346562323338366139663438
-31613466366438643566333632326239653662636464373337326537313234393038306132343730
-36633136366162643966396362643165313336383862653435343630646431306366656636353230
-64326633346561613662383863356531306563623439363566643733336535303335303164633535
-36356463616162313039386434323637383937613133623131373033373462363365643730666166
-65383166346638313533326366346433656461346439343838306564393336383536633732343965
-39306231386130303433616361366363366163646534316138623362393063663438313165643762
-39393332653564333762663762366633386135353865366338396138666265653662373535666366
-35613937613366323064316561643435353830316239396464393737613835373964626437316464
-39643664656565633966393832643033323130636562383233323636363361353430353062323439
-39396464633336623963633963326461316562333162333766613064336462613235336531623437
-30383063653666633839646533386239366637346230363033306161386537303039376465303535
-34643162323065326264343662303138313063303834353832393663616239383739313133393532
-62393766343037666564326132386139346661383564366366646530346434373366326531356138
-31323531653338653130303733363764636430336563336439666132626434363463306631363334
-39623332376334383338633132653262653735346563626365613336623435396539383630366332
-31316638393562376131363166633163333332633332393062393962613132366538653865663264
-38313237393436353333323431336361653938343034346164353335366535396265633961333138
-65386137356161643732636531613166633464326163303336303439383435376331373935333563
-64633961623761393131333234656530653737346563643963643833383262383434653266343362
-35623832643032346133346363646136646438663761363330666231316434306232623339656535
-34393337666237656262313439386336336466373466663663616139353463316265396135626366
-62313562306334343831616364633933343463386233323637313832316635346235623830333461
-33663530343966383739643261653736363865323438363430653661653964643339633833386438
-36333331366334366461346636636462343335313234663864613864366134356161396662383632
-36663538373761353937313666363262626435623537646665646364353934373638366261333234
-36353439303663656531666637376364313838386130343966316138356338643135316139363630
-30386635376565363931333331336431303562346431323534643238333337386264616161356163
-35663766306635626235373663643064393233346364666663393236353561653362373361666164
-65653566666234626464356338613834323332383939643935323337376162316163333034643062
-63646237646234636561313038383636373936656164333735323461626233633337623764383830
-66383161346336633962643032376662656566396666343662656337306333313836613335643961
-64323961663032373239636430306430383639306333363938303837386139643230353061623937
-36373733636337616264313432643230303935626666633533666135666538626266626266643864
-376430653461346366626432636336653437
+62376365353162306161343336623464386634383663663165393632366666633530373636633032
+6536633438613664316163613236663334663635363665630a666135396430306536646534616535
+65383432356339643063373232393861333366393038666134346363646130626130633861646536
+3134613738333465300a363031626561376533343730353361646462306434663564336538666565
+38643166326439356138653163323030626539393265613833303661313036336562373938323663
+39336533383636626464343461653836313734393430306238336561323038306238646236393835
+62643638636137646162616239636561666432376561393338336663366438346530346666396662
+63626432326263383561633532613039643862303135643262383636666161663539643465616566
+66303364333133393932643666656263613063373162373265353433616337636337363363353938
+31613638633462383031356433393765353439373434356366336234316361393862343763643333
+61623233633664396564376462336131353061303831316466306632663261666161323137333633
+39623938633861356136636532373139356339636334373137303034646431363438613936636438
+38363463386664643439313564313364613962346631343663633837326532613933336462636265
+32616161663065316661313335373234353161653732303965613731633665646532386139383732
+32363834636532363262646433616563363232643864653365643736353434346130383963393564
+34333861326633393763653639663666333061613161393864323165303638353962333531333661
+36316534303365626562643366393836356337303533313237613534313565643832373438373530
+32393065653538393762333232636235316439653935663437616236326162313464323037336630
+39323262333530363230353334356461343866346438626533633339386162336337623137393366
+32373361393231343134626237323062663634323939613461633866353561636334613234336532
+61306235363037306466656463653836396434313830333031366630373364343637376662346663
+65663132346239343937636261643238623364633062356163323364363466666661346364356239
+32653266303837663237333136316464626161626136336333363964636461616138323962313166
+64643930333964303639393439666432366435386464326561323165353333623765653132383636
+34326633663331376563613766383734613762653834356561616461303361373662653337623863
+37633135393861366137613137633265306137326536363632373962353233373735663065653534
+37333038363330633931353233623236313332336234393333616238353137656363643230633966
+32636336663762636130343933373834386465396536316439386465623130396266393438396262
+63636561623533366166393831383035373935643037326265636634646339336264383937366334
+37373961663330326131343531356238363632663861376362643561643966636364653235303032
+33363861396336666332356130353638373135376336373236383730373665623336373830643137
+35613234343966383264643834353162353533373939346561363438376339656239323364353036
+63623630643930363739326236653435613538393438326331383366666332383763356631356533
+39393363366261393231386239363161313939396431323630323062393962313933633462303439
+35623831356638333431313430343832616438343134613538343064323535613539663431643830
+32623363343733623837366236393136393864353332316538306463346337363264613763326463
+65366536326463303062663262636563306565323861666661376338633334383138626364333039
+34333734656331346334316465333339333535333632383963663633383361383661643235383866
+32326634643633366566306137383066653334323935363066316366313934373663383234316438
+35346139633239323431386536656464666161656434316238356333323665333661623364653865
+33636139333866356630323031323162323834303062363637313430313164326636383436383465
+35333434613632353265633935343164613266383463633631323763633565353039306134656431
+37616430633736326139366438613666346434646363313032366231616436616535393334613264
+34646132303061383034363139613362626235383938393535626339353438626635396561346166
+36666530613634336666653638353734323336366639626465346135323838343565383335313233
+62356631666135666434363061666234396337323838303866343839383164643939323862616632
+34646433333031653939313434613435623036346631643265643663613537323061343733326534
+64626663306338623533333132613333386562306162343438653266356666663535623036616666
+64613866663261386233343236353931353766323833623631373438353664393137613032366461
+63623164353435336564613739353863383037326465363462376536663934626362393132313465
+66353965643763656564366630353131313465656265613434363538343331313666613564313036
+35396436633233623261323432666237303335333339393363636362376536343837346264383935
+30346163353338336661646536643536623262343762303766393438343666623063326463346566
+34663538656133353639333830316562376137643666323832363666623766366131303830626531
+62313832316533663261353365343733636236643333396561333636303065653732646665386136
+31386535663732386165623037373763333731343461393431306339393634346130646462646661
+61646539613964666437623631643333333435353039633531313364366338316365396131346331
+30363963633236653364643061316237326362653462656563656165346134656338383738613932
+65333432393534643331396563643865656435373563613939616234636533383731336561623037
+61373839343132376465343332343165316361383831333538313531333063633632643832633536
+33313464643239323963346338386566313031306233336562616638353365666237346262666134
+33646134393531346637376133393039326638316334626333363162313239393239663865323730
+30343731363031303565643833313135643036666461366666376132663433343662333730373137
+65636236313561613637343262653833666135653832363466613138363332393061653032333933
+66376263663830333937336566333461333431393336333161623233353332396437396664316137
+64363737323036366635613938346261383634353237346337613933303334623434623439616533
+32353465336237396133643039613730646661643039363836333733353033343236373864626634
+37666562653233336464633337353963363361646334373863653032353137363738613561613135
+66356132393630613031316466663837633633383033633064326565303837633062336531373866
+34666537303033323362363163353666383962333536303135363666653930326166323637636266
+34306537343238353833313635306663643737653531313435383064383133366364646331306261
+66363763353534643833316533383364353632343439393032313437633734323031383438633333
+31616362343332373333626135396435366235313465346639326564353265643133313339376639
+63333233653833653333373162633033623035633832333566653536343832373035636664643839
+38393864666430313162366337653836333135333738653763653261343233663666373865383366
+65343038646166343934376633613337306436336130626363396339313236653731653265383661
+34633332343639333533316631643763363664666563353137383639616132313363383137383132
+33343635386139366230363464363731383166393430396533613438366661353439353537346530
+62366461653534333834386637363364346432333964306639376339313531383431323930333530
+37383665373937303732643636383539393039663363623337663938303139663039366536323031
+66613036326263316239646535656163626232626130336465303166336336316435343262373631
+39613536336366366435326230653339356635636432303862306636613935306432323966313234
+65623938316162393931343337326334666235666362313739343564633339653962313062393431
+35373338306332326133333638636137386337343261386663333261333030343635336532373134
+38626136383936393339613534386539663035316335656566656639613837313239626431386362
+62643733326636323635373363333964643132323562633430626666616531656639383231336432
+61653439376663613161396465343638623639653135363863336363343230636336346434326234
+32343962666337646435653035333431333632363239616535333835393761353366386561356366
+37356530333763346137653566643134376136656638386334343038376439643037623338643333
+66626537633931333465383062303766333436346433636434653139333966613865656234346539
+36376239393632653536306363313633636464343366373862343039306235303766623462633932
+32313537306530343032663365626330363838396566356534343766383865653231613538323461
+37303439393733376539613061663937633665663963613236323764653835656563346565636531
+30363239376139343166346664306234363031623031663266643966636265666163353536346132
+65623638323065633361373330386334636332306634636336613365663133373835666135396230
+38373939366534663336376135646237633232646261383964383735353533303862623064313333
+33633533653537376138623635663465336131383838663237653933623634343761623731366335
+64653233366335656365656336303862656663303138643531356661373831633062633734363661
+39306633323337356366383863643034656135393432386638353761323337373631353436383664
+34623631306663636439376464383831323566666266613536613661633266343732646264306162
+36353030343538316330313831626232353165323038363034666161336338316536353832353966
+35336365393563643733363535393763613865663436616130343066303638353431653039356661
+34393936363764393032646133326432656230353232623339646165663932366130363734663762
+34303433376666383639663661356334653939663739643139363237623031666632623239343562
+30656438623236616637643132613666343133393436346635316638633664316363323832393862
+39643831363633643562323664613666393033656132333964643639333230353763383330343835
+64383530373332343838666536303363313033303931646232343037303863343835366139326135
+34336330343365663837396134653566633536643832373433393035366531323035616462363639
+66336133346139336264346636643735383136343336303133313031653230366166396239303335
+64656535326465363563396532376538336434643964336264303061393139656139376635633730
+62326664613766393435383464363538393937313236363630656337356264633134353464393835
+32653133383732656235
--- a/roles/alpina/templates/services/authentik/blueprints/apps-oauth2.yaml.j2
+++ b/roles/alpina/templates/services/authentik/blueprints/apps-oauth2.yaml.j2
@ -5,46 +5,80 @@ metadata:
  name: Alpina - OAuth2 Apps
 entries:
  {% set apps = {
+    "Grafana": {
+      "redirect_uri": "https://grafana."~ domain ~"/login/generic_oauth",
+      "icon": "https://grafana."~ domain ~"/public/img/grafana_icon.svg",
+      "client_secret": auth_grafana_client_secret,
+      "ui_group": "Services",
+      "allowed_for_groups": ["admins"],
+    },
+    "Minio": {
+      "redirect_uri": "https://minio."~ domain ~"/oauth_callback",
+      "icon": "https://minio."~ domain ~"/logo192.png",
+      "client_secret": auth_minio_client_secret,
+      "ui_group": "Services",
+      "allowed_for_groups": ["admins"],
+    },
    "Gitea": {
-      "redirect_uris": "https://gitea."~ domain ~"/user/oauth2/Authentik/callback",
+      "redirect_uri": "https://gitea."~ domain ~"/user/oauth2/Authentik/callback",
      "icon": "https://gitea."~ domain ~"/assets/img/logo.svg",
+      "client_secret": auth_gitea_client_secret,
+      "ui_group": "Apps",
+      "allowed_for_groups": ["admins", "users"],
    },
    "Nextcloud": {
-      "redirect_uris": "https://nc."~ domain ~"/apps/sociallogin/custom_oidc/authentik",
+      "redirect_uri": "https://nc."~ domain ~"/apps/sociallogin/custom_oidc/authentik",
      "icon": "https://nc."~ domain ~"/apps/theming/favicon",
+      "client_secret": auth_nextcloud_client_secret,
+      "ui_group": "Apps",
+      "allowed_for_groups": ["admins", "users"],
    },
  } -%}
  {% for app in apps.keys() -%}
  - identifiers:
      name: {{ app }}
    model: authentik_providers_oauth2.oauth2provider
-    id: {{ app | lower }}
+    id: {{ app }}
    attrs:
-      access_code_validity: minutes=1
-      access_token_validity: minutes=5
      authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+      invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
      client_type: confidential
-      issuer_mode: per_provider
-      sub_mode: hashed_user_id
+      client_id: {{ app | lower }}
+      client_secret: {{ apps[app]["client_secret"] }}
      property_mappings:
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
-      redirect_uris: {{ apps[app]["redirect_uris"] }}
-      refresh_token_validity: days=30
+        {% if app == "Minio" -%}
+        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, minio]]
+        {%- endif %}
+
+      redirect_uris:
+        - matching_mode: strict
+          url: {{ apps[app]["redirect_uri"] }}
+      # Necessary for JWKS to be generated correctly
      signing_key: !Find [authentik_crypto.certificatekeypair, [name, "authentik Self-signed Certificate"]]

  - identifiers:
      slug: {{ app | lower }}
    model: authentik_core.application
-    id: {{ app | lower }}
+    id: app-{{ app }}
    attrs:
      name: {{ app }}
-      group: "Apps"
+      group: "{{ apps[app]["ui_group"] }}"
      meta_description: "Hello, I'm {{ app }}!"
      meta_publisher: Alpina
      icon: "{{ apps[app]["icon"] }}"
      open_in_new_tab: true
-      policy_engine_mode: any
-      provider: !KeyOf {{ app | lower }}
+      provider: !KeyOf {{ app }}
+
+  {% for group in apps[app]["allowed_for_groups"] -%}
+  - identifiers:
+      group: !Find [authentik_core.group, [name, {{ group }}]]
+      target: !KeyOf app-{{ app }}
+    model: authentik_policies.policybinding
+    attrs:
+      order: 10
+  {% endfor %}
+
  {% endfor %}
--- a/roles/alpina/templates/services/authentik/blueprints/apps-proxy.yaml.j2
+++ b/roles/alpina/templates/services/authentik/blueprints/apps-proxy.yaml.j2
@ -4,61 +4,47 @@ metadata:
    blueprints.goauthentik.io/instantiate: "true"
  name: Alpina - Proxied Apps
 entries:
-  - identifiers:
-      name: arrstack
-    model: authentik_core.group
-    id: arrstack
-    attrs:
-      arrstack_username: "arr"
-      arrstack_password: "{{ arrstack_password }}"
-
-  # TODO: Probably refactor this into a jinja macro
+  # TODO: Possibly refactor this into a jinja macro (?)
  {% set apps = {
-    "uptime-kuma": {
+    "Uptime Kuma": {
      "host": "uptime",
-      "name": "Uptime Kuma",
      "icon": "https://uptime."~ domain ~"/icon.svg",
      "unauthenticated_paths": "^/icon.svg$",
-      "group": "Services",
-      "create_admin_group": true,
+      "ui_group": "Services",
+      "allowed_for_groups": ["admins"],
    },
-    "qbit": {
+    "qBit": {
      "host": "qbit",
-      "name": "qBit",
      "icon": "https://qbit."~ domain ~"/images/qbittorrent-tray.svg",
      "unauthenticated_paths": "^/images/qbittorrent-tray.svg$",
-      "group": "Arrstack",
-      "create_admin_group": false,
+      "ui_group": "Arrstack",
+      "allowed_for_groups": ["arrstack"],
    },
-    "prowlarr": {
+    "Prowlarr": {
      "host": "prowlarr",
-      "name": "Prowlarr",
      "icon": "https://prowlarr."~ domain ~"/Content/Images/logo.svg",
      "unauthenticated_paths": "^/Content/Images/logo.svg$",
-      "group": "Arrstack",
-      "create_admin_group": false,
+      "ui_group": "Arrstack",
+      "allowed_for_groups": ["arrstack"],
    },
-    "sonarr": {
+    "Sonarr": {
      "host": "sonarr",
-      "name": "Sonarr",
      "icon": "https://sonarr."~ domain ~"/Content/Images/logo.svg",
      "unauthenticated_paths": "^/Content/Images/logo.svg$",
-      "group": "Arrstack",
-      "create_admin_group": false,
+      "ui_group": "Arrstack",
+      "allowed_for_groups": ["arrstack"],
    },
-    "radarr": {
+    "Radarr": {
      "host": "radarr",
-      "name": "Radarr",
      "icon": "https://radarr."~ domain ~"/Content/Images/logo.svg",
      "unauthenticated_paths": "^/Content/Images/logo.svg$",
-      "group": "Arrstack",
-      "create_admin_group": false,
+      "ui_group": "Arrstack",
+      "allowed_for_groups": ["arrstack"],
    },
  } -%}
-
  {% for app in apps.keys() -%}
  - identifiers:
-      name: {{ apps[app]["name"] }}
+      name: {{ app }}
    model: authentik_providers_proxy.proxyprovider
    id: {{ app }}
    attrs:
@ -68,39 +54,26 @@ entries:
      skip_path_regex: "{{ apps[app]["unauthenticated_paths"] }}"

  - identifiers:
-      slug: {{ app }}
+      slug: {{ app | lower | replace(" ", "-") }}
    model: authentik_core.application
+    id: app-{{ app }}
    attrs:
-      name: {{ apps[app]["name"] }}
-      group: {{ apps[app]["group"] }}
-      meta_description: "Hello, I'm {{ apps[app]["name"] }}!"
+      name: {{ app }}
+      group: {{ apps[app]["ui_group"] }}
+      meta_description: "Hello, I'm {{ app }}!"
      meta_publisher: Alpina
      icon: "{{ apps[app]["icon"] }}"
      open_in_new_tab: true
      provider: !KeyOf {{ app }}

-  {% if apps[app]["create_admin_group"] -%}
+  {% for group in apps[app]["allowed_for_groups"] -%}
  - identifiers:
-      name: "{{ apps[app]["name"] }} Admins"
-    model: authentik_core.group
-    id: "{{ app }} Admins"
-
-  - identifiers:
-      group: !KeyOf "{{ app }} Admins"
-      target: !Find [authentik_core.application, [ slug, {{ app }}] ]
+      group: !Find [authentik_core.group, [name, {{ group }}]]
+      target: !KeyOf app-{{ app }}
    model: authentik_policies.policybinding
    attrs:
-      order: 0
-  {% endif %}
-
-  {% if apps[app]["group"] == "Arrstack" -%}
-  - identifiers:
-      group: !KeyOf arrstack
-      target: !Find [authentik_core.application, [slug, {{ app }}]]
-    model: authentik_policies.policybinding
-    attrs:
-      order: 0
-  {% endif %}
+      order: 10
+  {% endfor %}

  {% endfor %}

--- a/roles/alpina/templates/services/authentik/blueprints/default-groups.yaml.j2
+++ b/roles/alpina/templates/services/authentik/blueprints/default-groups.yaml.j2
@ -0,0 +1,40 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: Alpina - Default Groups
+entries:
+  - identifiers:
+      name: "admins"
+    model: authentik_core.group
+    id: "admins"
+    attrs:
+      is_superuser: true
+
+  - identifiers:
+      name: "users"
+    model: authentik_core.group
+    id: "users"
+
+  - identifiers:
+      name: "arrstack"
+    model: authentik_core.group
+    id: "arrstack"
+    attrs:
+      arrstack_username: "arr"
+      arrstack_password: "{{ arrstack_password }}"
+
+  - identifiers:
+      scope_name: "minio"
+    model: authentik_providers_oauth2.scopemapping
+    id: "scope-minio"
+    attrs:
+      name: "Minio Policy"
+      expression: |
+        policy = "default"
+        if ak_is_group_member(request.user, name="admins"):
+            policy = "consoleAdmin"
+
+        return {
+          "policy": policy,
+        }
--- a/roles/alpina/templates/services/authentik/blueprints/services-oauth2.yaml.j2
+++ b/roles/alpina/templates/services/authentik/blueprints/services-oauth2.yaml.j2
@ -1,56 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: Alpina - OAuth2 Services
-entries:
-  {% set apps = {
-    "Grafana": {
-      "redirect_uris": "https://grafana."~ domain ~"/login/generic_oauth",
-      "icon": "https://grafana."~ domain ~"/public/img/grafana_icon.svg",
-      "client_secret": auth_grafana_client_secret,
-    },
-  } -%}
-  # TODO: Add Minio
-
-  {% for app in apps.keys() -%}
-  - identifiers:
-      name: {{ app }}
-    model: authentik_providers_oauth2.oauth2provider
-    id: {{ app | lower }}
-    attrs:
-      authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-      client_type: confidential
-      client_id: {{ app | lower }}
-      client_secret: {{ apps[app]["client_secret"] }}
-      property_mappings:
-        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
-        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
-        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
-      redirect_uris: {{ apps[app]["redirect_uris"] }}
-
-  - identifiers:
-      slug: {{ app | lower }}
-    model: authentik_core.application
-    attrs:
-      name: {{ app }}
-      group: "Services"
-      meta_description: "Hello, I'm {{ app }}!"
-      meta_publisher: Alpina
-      icon: "{{ apps[app]["icon"] }}"
-      open_in_new_tab: true
-      provider: !KeyOf {{ app | lower }}
-
-  - identifiers:
-      name: "{{ app }} Admins"
-    model: authentik_core.group
-    id: "{{ app }} Admins"
-
-  - identifiers:
-      group: !KeyOf "{{ app }} Admins"
-      target: !Find [authentik_core.application, [slug, {{ app | lower }}]]
-    model: authentik_policies.policybinding
-    attrs:
-      order: 0
-
-  {% endfor %}
--- a/roles/alpina/templates/services/minio/.env.minio.j2
+++ b/roles/alpina/templates/services/minio/.env.minio.j2
@ -5,11 +5,16 @@ MINIO_DOMAIN=s3.{{ domain }}
 MINIO_SERVER_URL=https://s3.{{ domain }}
 MINIO_BROWSER_REDIRECT_URL=https://minio.{{ domain }}

-#MINIO_IDENTITY_OPENID_CONFIG_URL=https://auth.{{ domain }}/application/o/minio/.well-known/openid-configuration
-#MINIO_IDENTITY_OPENID_CLIENT_ID=
-#MINIO_IDENTITY_OPENID_CLIENT_SECRET=
-#MINIO_IDENTITY_OPENID_CLAIM_NAME=
-#MINIO_IDENTITY_OPENID_CLAIM_PREFIX=
-#MINIO_IDENTITY_OPENID_SCOPES=
-#MINIO_IDENTITY_OPENID_REDIRECT_URI=
+# https://min.io/docs/minio/linux/reference/minio-server/settings/iam/openid.html
+MINIO_IDENTITY_OPENID_CONFIG_URL=https://auth.{{ domain }}/application/o/minio/.well-known/openid-configuration
+MINIO_IDENTITY_OPENID_CLIENT_ID=minio
+MINIO_IDENTITY_OPENID_CLIENT_SECRET={{ auth_minio_client_secret }}
+# defaults to "policy"
+#MINIO_IDENTITY_OPENID_CLAIM_NAME=policy
+MINIO_IDENTITY_OPENID_DISPLAY_NAME=Authentik
+# no need to specify scopes,
+# as it defaults to the ones advertised at the discovery url
+#MINIO_IDENTITY_OPENID_SCOPES=openid,profile,email,minio
+#MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC=off
+#MINIO_IDENTITY_OPENID_CLAIM_USERINFO=on
 #MINIO_IDENTITY_OPENID_COMMENT=
Author	SHA1	Message	Date
Yuri Tatishchev	dbdd2cfe11	authentik, minio: initial integration with blueprints for admin policy	2024-12-21 00:42:22 -08:00
Yuri Tatishchev	1be4868f09	authentik: refactor oauth apps blueprints with group policies	2024-12-20 21:51:20 -08:00
Yuri Tatishchev	ee24d69906	authentik: refactor groups and proxied apps blueprints	2024-12-20 21:37:19 -08:00
Yuri Tatishchev	f0a10cc1d2	authentik: refactor oauth2 app blueprints	2024-12-20 19:57:59 -08:00