From 97d71c78a1effe450df784ae25fd45992c20010a Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Sat, 21 May 2022 15:42:55 +0100
Subject: [PATCH] ops/vault: add authentik-backed auth
---
 ops/vault/cfg/authbackend-authentik.nix | 43 +++++++++++++++++++++++++
 ops/vault/cfg/authbackend-oidc.nix | 23 +++++++++++++
 ops/vault/cfg/config.nix | 1 +
 3 files changed, 67 insertions(+)
 create mode 100644 ops/vault/cfg/authbackend-authentik.nix
diff --git a/ops/vault/cfg/authbackend-authentik.nix b/ops/vault/cfg/authbackend-authentik.nix
new file mode 100644
index 0000000000..e0a7ea0e4e
--- /dev/null
+++ b/ops/vault/cfg/authbackend-authentik.nix
@@ -0,0 +1,43 @@
+{ ... }:
+
+{
+ resource.vault_jwt_auth_backend.authentik = {
+ default_role = "user";
+ namespace_in_state = true;
+
+ oidc_discovery_url = "https://auth.lukegb.com/application/o/vault/";
+ oidc_client_id = "33e3bdaf2dcc48cba5614e69cca22df701728d4d";
+ oidc_client_secret = "\${data.vault_generic_secret.misc.data[\"authentikAuthToken\"]}";
+ };
+
+ my.authBackend.authentik = {
+ resourceType = "vault_jwt_auth_backend";
+ type = "oidc";
+
+ tune.default_lease_ttl = "24h";
+ tune.max_lease_ttl = "24h";
+ };
+
+ resource.vault_jwt_auth_backend_role = let
+ baseRole = {
+ backend = "\${resource.vault_jwt_auth_backend.authentik.path}";
+ role_type = "oidc";
+ bound_audiences = ["\${resource.vault_jwt_auth_backend.authentik.oidc_client_id}"];
+ user_claim = "sub";
+ allowed_redirect_uris = [
+ "http://localhost:8250/oidc/callback"
+ "https://vault-server-j2gbzkpiaq-ew.a.run.app/ui/vault/auth/oidc/authentik/callback"
+ "https://vault.int.lukegb.com/ui/vault/auth/oidc/authentik/callback"
+ ];
+ };
+ in {
+ authentik_user = baseRole // {
+ role_name = "user";
+ token_policies = ["base" "user"];
+ };
+ authentik_admin = baseRole // {
+ role_name = "admin";
+ token_policies = ["base" "admin"];
+ };
+ };
+}
diff --git a/ops/vault/cfg/authbackend-oidc.nix b/ops/vault/cfg/authbackend-oidc.nix
index b98b5e3da1..060c596f78 100644
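Review bot: The `authentik_admin` role is selectable by any authentik account that can sign in to the `vault` application, because both roles inherit `baseRole` with no `bound_claims` and, with Vault's OIDC method, the role name is supplied by the client at login (`vault login -method=oidc role=admin`), so the only thing separating `admin` from `user` is the policy list it hands out. Unless authentik already restricts that application to administrators (in which case the `user` role is redundant), the admin role should be tied to an IdP claim, e.g. `groups_claim = "groups";` in `baseRole` and `bound_claims = { groups = [ "vault-admins" ]; };` on `authentik_admin`, with `oidc_scopes` requesting the groups scope if authentik does not include it by default. I would also add a comment above `baseRole` such as `# Role selection is client-driven: anything not constrained by bound_claims is open to every authenticated user.` so the next person adding a role does not inherit the same gap.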
--- a/ops/vault/cfg/authbackend-oidc.nix
+++ b/ops/vault/cfg/authbackend-oidc.nix
@@ -16,4 +16,27 @@
 tune.default_lease_ttl = "24h";
 tune.max_lease_ttl = "24h";
 };
+
+ resource.vault_jwt_auth_backend_role = let
+ baseRole = {
+ backend = "\${resource.vault_jwt_auth_backend.oidc.path}";
+ role_type = "oidc";
+ bound_audiences = ["620300851636-6ha1a7t9r4gatrn9gdqa82toem3cbq3b.apps.googleusercontent.com"];
+ user_claim = "sub";
+ allowed_redirect_uris = [
+ "http://localhost:8250/oidc/callback"
+ "https://vault-server-j2gbzkpiaq-ew.a.run.app/ui/vault/auth/oidc/oidc/callback"
+ "https://vault.int.lukegb.com/ui/vault/auth/oidc/oidc/callback"
+ ];
+ };
+ in {
+ oidc_user = baseRole // {
+ role_name = "user";
+ token_policies = ["base" "user"];
+ };
+ oidc_admin = baseRole // {
+ role_name = "admin";
+ token_policies = ["base" "admin"];
+ };
+ };
 }
diff --git a/ops/vault/cfg/config.nix b/ops/vault/cfg/config.nix
index 5f1d0b7fb0..d1df1f4149 100644
--- a/ops/vault/cfg/config.nix
+++ b/ops/vault/cfg/config.nix
@@ -7,6 +7,7 @@
 ./authbackend-approle.nix
 ./authbackend-oidc.nix
+ ./authbackend-authentik.nix
 ./ssh-ca-client.nix
 ./ssh-ca-server.nix
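Review bot: `oidc_admin` has no `bound_claims`, so with `bound_audiences` being a public Google client id and `user_claim = "sub"`, any Google account that completes the login flow can request `role=admin` and receive the `admin` policy; the Google OAuth consent screen's audience setting may narrow who can sign in, but that is not visible here and in any case would not distinguish admins from ordinary users. Google ID tokens carry no groups claim, so the practical binding is on identity: `bound_claims = { email = [ "<admin address>" ]; };` on `oidc_admin` (optionally also `hd` for a Workspace domain), which also makes `oidc_user` the only role an arbitrary account can use. The top-level attribute set this hunk extends starts before the hunk, so I can't see whether `oidc_scopes` is already set to include `email`; if not, it needs to be for the bound claim to be present.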