feat: Authentik Terraform configuration for homelab SSO

Infrastructure as Code for Authentik identity provider managing: OAuth2/OIDC Applications: - Grafana, Home Assistant, Immich - Uptime Kuma (proxy auth) - Sonarr, Radarr, Prowlarr (*arr stack proxy auth) - ArgoCD Identity Sources: - Google Workspace federation LDAP: - TrueNAS LDAP provider and outpost CI/CD: - GitHub Actions workflow for plan/apply - Secrets managed via GitHub Actions secrets Provider: beryju/authentik v2025.2
2026-02-10 06:44:58 +00:00 · 2026-02-01 20:03:45 +00:00
commit 814e41f3f2
16 changed files with 902 additions and 0 deletions
--- a/source-google.tf
+++ b/source-google.tf
@@ -0,0 +1,31 @@
+# =============================================================================
+# Google Workspace Federation
+# Allow users to sign in with their Google Workspace accounts
+# =============================================================================
+
+# Google OAuth Source
+resource "authentik_source_oauth" "google" {
+  name                = "Google Workspace"
+  slug                = "google"
+  authentication_flow = data.authentik_flow.default_authentication.id
+  enrollment_flow     = data.authentik_flow.default_enrollment.id
+  
+  provider_type   = "google"
+  consumer_key    = data.sops_file.secrets.data["google_client_id"]
+  consumer_secret = data.sops_file.secrets.data["google_client_secret"]
+  
+  # PKCE method - S256 is recommended
+  pkce = "S256"
+  
+  # User matching - link by email
+  user_matching_mode = "email_link"
+  
+  # Policy engine
+  policy_engine_mode = "any"
+  
+  # Enable for login page
+  enabled = true
+}
+
+# Note: After applying, the Google login button will appear on the Authentik login page.
+# Users with matching emails will be linked; new users will be enrolled.