Greg Hendrickson
5d2535067e
feat: Add custom MFA authentication flow with configurable enforcement
...
- Add authentication-flow.tf with complete MFA auth flow:
- Identification -> Password -> MFA validation -> Session stages
- Brute-force reputation policy binding
- Evaluates policies on plan for user context
- Add configuration variables:
- enable_mfa_flow: Toggle custom MFA flow (default: false)
- mfa_enforcement: skip/configure/deny (default: configure)
- Fix existing issues:
- rbac-groups.tf: parent -> parents (list)
- source-google.tf: Use variables instead of deprecated sops
- Google source now conditional (created only if credentials provided)
- Update README:
- Document MFA enforcement levels
- Add authentication-flow.tf to file structure
- Explain Option 1 (Terraform) vs Option 2 (manual UI) for MFA setup
Security: Custom flow includes brute-force protection policy bound
at flow level, not just stage level.
2026-02-09 16:03:32 +00:00
Greg Hendrickson
d55a52a8d5
feat: Add Portainer OAuth2 + enable RBAC policy bindings
...
- Add app-portainer.tf: OAuth2 provider for Portainer container management
- Add portainer_url variable
- Enable RBAC policy bindings for Grafana, ArgoCD, Home Assistant
- Portainer bound to Infrastructure group policy
RBAC Summary:
- Infrastructure group → Grafana, ArgoCD, Portainer
- Home Automation group → Home Assistant
- Media group → arr stack (existing in app-proxy-arr-stack.tf)
2026-02-05 16:03:40 +00:00
814e41f3f2
feat: Authentik Terraform configuration for homelab SSO
...
Infrastructure as Code for Authentik identity provider managing:
OAuth2/OIDC Applications:
- Grafana, Home Assistant, Immich
- Uptime Kuma (proxy auth)
- Sonarr, Radarr, Prowlarr (*arr stack proxy auth)
- ArgoCD
Identity Sources:
- Google Workspace federation
LDAP:
- TrueNAS LDAP provider and outpost
CI/CD:
- GitHub Actions workflow for plan/apply
- Secrets managed via GitHub Actions secrets
Provider: beryju/authentik v2025.2
2026-02-01 20:03:45 +00:00
