lukegb/depot
1
0
Fork 0
Code Issues 1 Pull requests Projects Packages Activity Actions

ops/vault: add authentik-backed auth

Browse source
This commit is contained in:
Luke Granger-Brown 2022-05-21 15:42:55 +01:00
parent 4522f79791
commit 97d71c78a1
3 changed files with 67 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

43
ops/vault/cfg/authbackend-authentik.nix Normal file
View file

@ -0,0 +1,43 @@
{ ... }:
{
resource.vault_jwt_auth_backend.authentik = {
default_role = "user";
namespace_in_state = true;
oidc_discovery_url = "https://auth.lukegb.com/application/o/vault/";
oidc_client_id = "33e3bdaf2dcc48cba5614e69cca22df701728d4d";
oidc_client_secret = "\${data.vault_generic_secret.misc.data[\"authentikAuthToken\"]}";
};
my.authBackend.authentik = {
resourceType = "vault_jwt_auth_backend";
type = "oidc";
tune.default_lease_ttl = "24h";
tune.max_lease_ttl = "24h";
};
resource.vault_jwt_auth_backend_role = let
baseRole = {
backend = "\${resource.vault_jwt_auth_backend.authentik.path}";
role_type = "oidc";
bound_audiences = ["\${resource.vault_jwt_auth_backend.authentik.oidc_client_id}"];
user_claim = "sub";
allowed_redirect_uris = [
"http://localhost:8250/oidc/callback"
"https://vault-server-j2gbzkpiaq-ew.a.run.app/ui/vault/auth/oidc/authentik/callback"
"https://vault.int.lukegb.com/ui/vault/auth/oidc/authentik/callback"
];
};
in {
authentik_user = baseRole // {
role_name = "user";
token_policies = ["base" "user"];
};
authentik_admin = baseRole // {
role_name = "admin";
token_policies = ["base" "admin"];
};
};
}

23
ops/vault/cfg/authbackend-oidc.nix
View file

@ -16,4 +16,27 @@
tune.default_lease_ttl = "24h"; tune.default_lease_ttl = "24h";
tune.max_lease_ttl = "24h"; tune.max_lease_ttl = "24h";
}; };
resource.vault_jwt_auth_backend_role = let
baseRole = {
backend = "\${resource.vault_jwt_auth_backend.oidc.path}";
role_type = "oidc";
bound_audiences = ["620300851636-6ha1a7t9r4gatrn9gdqa82toem3cbq3b.apps.googleusercontent.com"];
user_claim = "sub";
allowed_redirect_uris = [
"http://localhost:8250/oidc/callback"
"https://vault-server-j2gbzkpiaq-ew.a.run.app/ui/vault/auth/oidc/oidc/callback"
"https://vault.int.lukegb.com/ui/vault/auth/oidc/oidc/callback"
];
};
in {
oidc_user = baseRole // {
role_name = "user";
token_policies = ["base" "user"];
};
oidc_admin = baseRole // {
role_name = "admin";
token_policies = ["base" "admin"];
};
};
} }

1
ops/vault/cfg/config.nix
View file

@ -7,6 +7,7 @@
./authbackend-approle.nix ./authbackend-approle.nix
./authbackend-oidc.nix ./authbackend-oidc.nix
./authbackend-authentik.nix
./ssh-ca-client.nix ./ssh-ca-client.nix
./ssh-ca-server.nix ./ssh-ca-server.nix