ghndrx/authentik-terraform
1
0
Fork 0
mirror of https://github.com/ghndrx/authentik-terraform.git synced 2026-02-09 22:34:56 +00:00
Code Issues Packages Projects Releases Wiki Activity
5 Commits 1 Branch 0 Tags
main
Commit Graph

5 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Greg Hendrickson
5d2535067e feat: Add custom MFA authentication flow with configurable enforcement 
- Add authentication-flow.tf with complete MFA auth flow:
  - Identification -> Password -> MFA validation -> Session stages
  - Brute-force reputation policy binding
  - Evaluates policies on plan for user context

- Add configuration variables:
  - enable_mfa_flow: Toggle custom MFA flow (default: false)
  - mfa_enforcement: skip/configure/deny (default: configure)

- Fix existing issues:
  - rbac-groups.tf: parent -> parents (list)
  - source-google.tf: Use variables instead of deprecated sops
  - Google source now conditional (created only if credentials provided)

- Update README:
  - Document MFA enforcement levels
  - Add authentication-flow.tf to file structure
  - Explain Option 1 (Terraform) vs Option 2 (manual UI) for MFA setup

Security: Custom flow includes brute-force protection policy bound
at flow level, not just stage level.
 2026-02-09 16:03:32 +00:00
Greg Hendrickson
d55a52a8d5 feat: Add Portainer OAuth2 + enable RBAC policy bindings 
- Add app-portainer.tf: OAuth2 provider for Portainer container management
- Add portainer_url variable
- Enable RBAC policy bindings for Grafana, ArgoCD, Home Assistant
- Portainer bound to Infrastructure group policy

RBAC Summary:
- Infrastructure group → Grafana, ArgoCD, Portainer
- Home Automation group → Home Assistant
- Media group → arr stack (existing in app-proxy-arr-stack.tf)
 2026-02-05 16:03:40 +00:00
Cleanup Bot
61ab2ec70c Add Kubeflow OAuth2 application 2026-02-02 21:06:28 +00:00
Data (Clawdbot)
9a9a47a6a4 feat(security): add comprehensive security policies and RBAC 
- Add security-policies.tf:
  - Strong password policy (12 chars, HIBP check, zxcvbn scoring)
  - Password reuse prevention (last 5 passwords)
  - Brute force protection (reputation policy, 5 attempt threshold)
  - MFA stages: TOTP, WebAuthn/Passkeys, recovery codes
  - MFA validation stage with configurable enforcement
  - Admin-only and MFA-required expression policies

- Add rbac-groups.tf:
  - Media group (Sonarr, Radarr, etc.)
  - Infrastructure group (Grafana, ArgoCD, etc.)
  - Home Automation group (Home Assistant)
  - Group-based access policies

- Fix main.tf: Remove SOPS, use variables for token
- Fix versions.tf: Remove unused SOPS provider
- Update README with security documentation
 2026-02-02 16:05:04 +00:00
Greg Hendrickson
814e41f3f2 feat: Authentik Terraform configuration for homelab SSO 
Infrastructure as Code for Authentik identity provider managing:

OAuth2/OIDC Applications:
- Grafana, Home Assistant, Immich
- Uptime Kuma (proxy auth)
- Sonarr, Radarr, Prowlarr (*arr stack proxy auth)
- ArgoCD

Identity Sources:
- Google Workspace federation

LDAP:
- TrueNAS LDAP provider and outpost

CI/CD:
- GitHub Actions workflow for plan/apply
- Secrets managed via GitHub Actions secrets

Provider: beryju/authentik v2025.2
 2026-02-01 20:03:45 +00:00