Commit Graph

4 Commits

Author SHA1 Message Date
Greg Hendrickson
d55a52a8d5 feat: Add Portainer OAuth2 + enable RBAC policy bindings
- Add app-portainer.tf: OAuth2 provider for Portainer container management
- Add portainer_url variable
- Enable RBAC policy bindings for Grafana, ArgoCD, Home Assistant
- Portainer bound to Infrastructure group policy

RBAC Summary:
- Infrastructure group → Grafana, ArgoCD, Portainer
- Home Automation group → Home Assistant
- Media group → arr stack (existing in app-proxy-arr-stack.tf)
2026-02-05 16:03:40 +00:00
Cleanup Bot
61ab2ec70c Add Kubeflow OAuth2 application
2026-02-02 21:06:28 +00:00
Data (Clawdbot)
9a9a47a6a4 feat(security): add comprehensive security policies and RBAC
- Add security-policies.tf:
  - Strong password policy (12 chars, HIBP check, zxcvbn scoring)
  - Password reuse prevention (last 5 passwords)
  - Brute force protection (reputation policy, 5 attempt threshold)
  - MFA stages: TOTP, WebAuthn/Passkeys, recovery codes
  - MFA validation stage with configurable enforcement
  - Admin-only and MFA-required expression policies

- Add rbac-groups.tf:
  - Media group (Sonarr, Radarr, etc.)
  - Infrastructure group (Grafana, ArgoCD, etc.)
  - Home Automation group (Home Assistant)
  - Group-based access policies

- Fix main.tf: Remove SOPS, use variables for token
- Fix versions.tf: Remove unused SOPS provider
- Update README with security documentation
2026-02-02 16:05:04 +00:00
814e41f3f2 feat: Authentik Terraform configuration for homelab SSO
Infrastructure as Code for Authentik identity provider managing:

OAuth2/OIDC Applications:
- Grafana, Home Assistant, Immich
- Uptime Kuma (proxy auth)
- Sonarr, Radarr, Prowlarr (*arr stack proxy auth)
- ArgoCD

Identity Sources:
- Google Workspace federation

LDAP:
- TrueNAS LDAP provider and outpost

CI/CD:
- GitHub Actions workflow for plan/apply
- Secrets managed via GitHub Actions secrets

Provider: beryju/authentik v2025.2
2026-02-01 20:03:45 +00:00