ops/vault: add authentik-backed auth

ops/vault/cfg/authbackend-authentik.nix

@@ -0,0 +1,43 @@
+{ ... }:
+
+{
+  resource.vault_jwt_auth_backend.authentik = {
+    default_role = "user";
+    namespace_in_state = true;
+
+    oidc_discovery_url = "https://auth.lukegb.com/application/o/vault/";
+    oidc_client_id = "33e3bdaf2dcc48cba5614e69cca22df701728d4d";
+    oidc_client_secret = "\${data.vault_generic_secret.misc.data[\"authentikAuthToken\"]}";
+  };
+
+  my.authBackend.authentik = {
+    resourceType = "vault_jwt_auth_backend";
+    type = "oidc";
+
+    tune.default_lease_ttl = "24h";
+    tune.max_lease_ttl = "24h";
+  };
+
+  resource.vault_jwt_auth_backend_role = let
+    baseRole = {
+      backend = "\${resource.vault_jwt_auth_backend.authentik.path}";
+      role_type = "oidc";
+      bound_audiences = ["\${resource.vault_jwt_auth_backend.authentik.oidc_client_id}"];
+      user_claim = "sub";
+      allowed_redirect_uris = [
+        "http://localhost:8250/oidc/callback"
+        "https://vault-server-j2gbzkpiaq-ew.a.run.app/ui/vault/auth/oidc/authentik/callback"
+        "https://vault.int.lukegb.com/ui/vault/auth/oidc/authentik/callback"
+      ];
+    };
+  in {
+    authentik_user = baseRole // {
+      role_name = "user";
+      token_policies = ["base" "user"];
+    };
+    authentik_admin = baseRole // {
+      role_name = "admin";
+      token_policies = ["base" "admin"];
+    };
+  };
+}

ops/vault/cfg/authbackend-oidc.nix

@@ -16,4 +16,27 @@
     tune.default_lease_ttl = "24h";
     tune.max_lease_ttl = "24h";
   };
+
+  resource.vault_jwt_auth_backend_role = let
+    baseRole = {
+      backend = "\${resource.vault_jwt_auth_backend.oidc.path}";
+      role_type = "oidc";
+      bound_audiences = ["620300851636-6ha1a7t9r4gatrn9gdqa82toem3cbq3b.apps.googleusercontent.com"];
+      user_claim = "sub";
+      allowed_redirect_uris = [
+        "http://localhost:8250/oidc/callback"
+        "https://vault-server-j2gbzkpiaq-ew.a.run.app/ui/vault/auth/oidc/oidc/callback"
+        "https://vault.int.lukegb.com/ui/vault/auth/oidc/oidc/callback"
+      ];
+    };
+  in {
+    oidc_user = baseRole // {
+      role_name = "user";
+      token_policies = ["base" "user"];
+    };
+    oidc_admin = baseRole // {
+      role_name = "admin";
+      token_policies = ["base" "admin"];
+    };
+  };
 }

ops/vault/cfg/config.nix

@@ -7,6 +7,7 @@
 
     ./authbackend-approle.nix
     ./authbackend-oidc.nix
+    ./authbackend-authentik.nix
 
     ./ssh-ca-client.nix
     ./ssh-ca-server.nix