redeploy authentic policies as code.
This commit is contained in:
45
boilerplates/authentik/blueprints/proxmox.yaml
Normal file
45
boilerplates/authentik/blueprints/proxmox.yaml
Normal file
@@ -0,0 +1,45 @@
|
||||
# ──────────────────────────────────────────────────────────────────────────────
|
||||
# Blueprint: Proxmox VE — OIDC Provider + Application
|
||||
# ──────────────────────────────────────────────────────────────────────────────
|
||||
version: 1
|
||||
metadata:
|
||||
name: mk-labs-proxmox
|
||||
labels:
|
||||
blueprints.goauthentik.io/instantiate: "true"
|
||||
entries:
|
||||
- model: authentik_providers_oauth2.oauth2provider
|
||||
id: proxmox-provider
|
||||
state: present
|
||||
identifiers:
|
||||
name: "Provider for Proxmox VE"
|
||||
attrs:
|
||||
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
|
||||
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
|
||||
client_type: confidential
|
||||
client_id: !Env PROXMOX_OIDC_CLIENT_ID
|
||||
client_secret: !Env PROXMOX_OIDC_CLIENT_SECRET
|
||||
redirect_uris:
|
||||
- url: "https://main-street-usa.local.mk-labs.cloud:8006"
|
||||
matching_mode: strict
|
||||
- url: "https://tomorrowland.local.mk-labs.cloud:8006"
|
||||
matching_mode: strict
|
||||
- url: "https://fantasyland.local.mk-labs.cloud:8006"
|
||||
matching_mode: strict
|
||||
sub_mode: hashed_user_id
|
||||
property_mappings:
|
||||
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
|
||||
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
|
||||
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
|
||||
signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
|
||||
|
||||
- model: authentik_core.application
|
||||
id: proxmox-application
|
||||
state: present
|
||||
identifiers:
|
||||
slug: proxmox
|
||||
attrs:
|
||||
name: "Proxmox VE"
|
||||
provider: !KeyOf proxmox-provider
|
||||
group: "Infrastructure"
|
||||
meta_launch_url: "https://main-street-usa.local.mk-labs.cloud:8006"
|
||||
policy_engine_mode: any
|
||||
40
boilerplates/authentik/blueprints/step-ca.yaml
Normal file
40
boilerplates/authentik/blueprints/step-ca.yaml
Normal file
@@ -0,0 +1,40 @@
|
||||
# ──────────────────────────────────────────────────────────────────────────────
|
||||
# Blueprint: step-ca — OIDC Provider + Application
|
||||
# ──────────────────────────────────────────────────────────────────────────────
|
||||
version: 1
|
||||
metadata:
|
||||
name: mk-labs-step-ca
|
||||
labels:
|
||||
blueprints.goauthentik.io/instantiate: "true"
|
||||
entries:
|
||||
- model: authentik_providers_oauth2.oauth2provider
|
||||
id: step-ca-provider
|
||||
state: present
|
||||
identifiers:
|
||||
name: "Provider for step-ca"
|
||||
attrs:
|
||||
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
|
||||
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
|
||||
client_type: confidential
|
||||
client_id: !Env STEPCA_OIDC_CLIENT_ID
|
||||
client_secret: !Env STEPCA_OIDC_CLIENT_SECRET
|
||||
redirect_uris:
|
||||
- url: "http://127.0.0.1:10000"
|
||||
matching_mode: strict
|
||||
sub_mode: hashed_user_id
|
||||
property_mappings:
|
||||
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
|
||||
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
|
||||
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
|
||||
signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
|
||||
|
||||
- model: authentik_core.application
|
||||
id: step-ca-application
|
||||
state: present
|
||||
identifiers:
|
||||
slug: step-ca
|
||||
attrs:
|
||||
name: "step-ca"
|
||||
provider: !KeyOf step-ca-provider
|
||||
group: "Infrastructure"
|
||||
policy_engine_mode: any
|
||||
@@ -12,7 +12,11 @@ services:
|
||||
- AUTHENTIK_POSTGRESQL__USER=authentik
|
||||
- AUTHENTIK_POSTGRESQL__NAME=authentik
|
||||
- AUTHENTIK_POSTGRESQL__PASSWORD=${DATABASE_PASSWORD}
|
||||
- AUTHENTIK_REDIS__HOST=authentik_redis
|
||||
# OIDC client credentials — consumed by blueprints via ${VAR} substitution
|
||||
- PROXMOX_OIDC_CLIENT_ID=${PROXMOX_OIDC_CLIENT_ID}
|
||||
- PROXMOX_OIDC_CLIENT_SECRET=${PROXMOX_OIDC_CLIENT_SECRET}
|
||||
- STEPCA_OIDC_CLIENT_ID=${STEPCA_OIDC_CLIENT_ID}
|
||||
- STEPCA_OIDC_CLIENT_SECRET=${STEPCA_OIDC_CLIENT_SECRET}
|
||||
networks:
|
||||
- authentik_backend
|
||||
ports:
|
||||
@@ -21,11 +25,10 @@ services:
|
||||
volumes:
|
||||
- authentik_data:/data
|
||||
- authentik_templates:/templates
|
||||
- ./blueprints:/blueprints/custom:ro
|
||||
depends_on:
|
||||
authentik_postgres:
|
||||
condition: service_healthy
|
||||
authentik_redis:
|
||||
condition: service_healthy
|
||||
|
||||
authentik_worker:
|
||||
image: ghcr.io/goauthentik/server:2025.12.4
|
||||
@@ -39,8 +42,12 @@ services:
|
||||
- AUTHENTIK_POSTGRESQL__USER=authentik
|
||||
- AUTHENTIK_POSTGRESQL__NAME=authentik
|
||||
- AUTHENTIK_POSTGRESQL__PASSWORD=${DATABASE_PASSWORD}
|
||||
- AUTHENTIK_REDIS__HOST=authentik_redis
|
||||
- AUTHENTIK_BOOTSTRAP_PASSWORD=${AUTHENTIK_ADMIN_PASSWORD}
|
||||
# OIDC client credentials — consumed by blueprints via ${VAR} substitution
|
||||
- PROXMOX_OIDC_CLIENT_ID=${PROXMOX_OIDC_CLIENT_ID}
|
||||
- PROXMOX_OIDC_CLIENT_SECRET=${PROXMOX_OIDC_CLIENT_SECRET}
|
||||
- STEPCA_OIDC_CLIENT_ID=${STEPCA_OIDC_CLIENT_ID}
|
||||
- STEPCA_OIDC_CLIENT_SECRET=${STEPCA_OIDC_CLIENT_SECRET}
|
||||
user: root
|
||||
networks:
|
||||
- authentik_backend
|
||||
@@ -49,11 +56,10 @@ services:
|
||||
- authentik_data:/data
|
||||
- authentik_certs:/certs
|
||||
- authentik_templates:/templates
|
||||
- ./blueprints:/blueprints/custom:ro
|
||||
depends_on:
|
||||
authentik_postgres:
|
||||
condition: service_healthy
|
||||
authentik_redis:
|
||||
condition: service_healthy
|
||||
|
||||
authentik_postgres:
|
||||
image: docker.io/library/postgres:17.8
|
||||
@@ -74,22 +80,6 @@ services:
|
||||
volumes:
|
||||
- authentik_postgres:/var/lib/postgresql/data
|
||||
|
||||
authentik_redis:
|
||||
image: docker.io/library/redis:7-alpine
|
||||
container_name: authentik-redis
|
||||
restart: unless-stopped
|
||||
command: --save 60 1 --loglevel warning
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
|
||||
start_period: 10s
|
||||
interval: 10s
|
||||
timeout: 5s
|
||||
retries: 5
|
||||
networks:
|
||||
- authentik_backend
|
||||
volumes:
|
||||
- authentik_redis:/data
|
||||
|
||||
networks:
|
||||
authentik_backend:
|
||||
driver: bridge
|
||||
@@ -97,8 +87,6 @@ networks:
|
||||
volumes:
|
||||
authentik_postgres:
|
||||
driver: local
|
||||
authentik_redis:
|
||||
driver: local
|
||||
authentik_data:
|
||||
driver: local
|
||||
authentik_certs:
|
||||
|
||||
Reference in New Issue
Block a user