Infrastructure as Code for the Authentik identity provider, managing:
- OAuth2/OIDC applications: Grafana, Home Assistant, Immich; Uptime Kuma (proxy auth); Sonarr, Radarr, Prowlarr (*arr stack, proxy auth); ArgoCD
- Identity sources: Google Workspace federation
- LDAP: TrueNAS LDAP provider and outpost
- CI/CD: GitHub Actions workflow for plan/apply; secrets managed via GitHub Actions secrets
Provider: beryju/authentik v2025.2
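---
# CI/CD for the Authentik Terraform configuration.
#
# plan  - runs on every push and pull request against main; validates and
#         plans, never applies.
# apply - runs only on a push to main, after plan succeeded, inside the
#         `production` environment so its protection rules and secrets apply.
#
# Secrets are handed to Terraform as TF_VAR_* environment variables instead
# of being written to a tfvars file: nothing sensitive lands on the runner's
# disk, and a value containing quotes, `$` or backticks cannot break out of a
# shell heredoc. Terraform reads TF_VAR_<name> exactly as it would the
# matching variable in an *.auto.tfvars file, so the variable names below
# are unchanged.
name: Deploy Authentik Configuration

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
  pull_request:
    branches: [main]
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: the jobs only check out the repository.
# Every other credential comes from the `secrets` context.
permissions:
  contents: read

env:
  TF_VERSION: "1.7.0"

jobs:
  plan:
    name: Terraform Plan
    runs-on: ubuntu-latest
    # Terraform input variables, sourced from repository secrets.
    # NOTE(review): on pull_request events from forks the `secrets` context
    # is empty, so the plan will fail on unset variables - that is expected.
    env:
      TF_VAR_authentik_url: ${{ secrets.AUTHENTIK_URL }}
      TF_VAR_authentik_token: ${{ secrets.AUTHENTIK_TOKEN }}
      # Google OAuth (optional) - an unset secret yields an empty string,
      # exactly as the former tfvars file did.
      TF_VAR_google_client_id: ${{ secrets.GOOGLE_CLIENT_ID }}
      TF_VAR_google_client_secret: ${{ secrets.GOOGLE_CLIENT_SECRET }}
      # Application URLs
      TF_VAR_argocd_url: ${{ secrets.ARGOCD_URL }}
      TF_VAR_grafana_url: ${{ secrets.GRAFANA_URL }}
      TF_VAR_home_assistant_url: ${{ secrets.HOME_ASSISTANT_URL }}
      TF_VAR_immich_url: ${{ secrets.IMMICH_URL }}
      TF_VAR_uptime_kuma_url: ${{ secrets.UPTIME_KUMA_URL }}
      TF_VAR_sonarr_url: ${{ secrets.SONARR_URL }}
      TF_VAR_radarr_url: ${{ secrets.RADARR_URL }}
      TF_VAR_prowlarr_url: ${{ secrets.PROWLARR_URL }}

    steps:
      # NOTE(review): consider pinning each action to a full commit SHA rather
      # than a floating major tag, so a re-pointed tag cannot change what runs
      # with access to these secrets.
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: ${{ env.TF_VERSION }}

      - name: Terraform Init
        run: terraform init

      - name: Terraform Validate
        run: terraform validate

      # The plan is deliberately not saved or uploaded: a binary plan file
      # embeds every input variable value, including authentik_token, so
      # publishing it as a workflow artifact would hand the credentials to
      # anyone who can read workflow runs. The human-readable plan stays in
      # the job log, where provider-declared sensitive attributes are
      # redacted.
      - name: Terraform Plan
        run: terraform plan -input=false

  apply:
    name: Terraform Apply
    runs-on: ubuntu-latest
    needs: plan
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    environment: production
    # Serialise applies: two overlapping pushes to main must never race on
    # the same state, independent of whatever locking the backend provides.
    concurrency:
      group: terraform-apply-production
      cancel-in-progress: false
    # Same variable set as the plan job. Declared per job rather than at
    # workflow level so that environment-scoped secrets of `production`
    # are the ones resolved here.
    env:
      TF_VAR_authentik_url: ${{ secrets.AUTHENTIK_URL }}
      TF_VAR_authentik_token: ${{ secrets.AUTHENTIK_TOKEN }}
      # Google OAuth (optional)
      TF_VAR_google_client_id: ${{ secrets.GOOGLE_CLIENT_ID }}
      TF_VAR_google_client_secret: ${{ secrets.GOOGLE_CLIENT_SECRET }}
      # Application URLs
      TF_VAR_argocd_url: ${{ secrets.ARGOCD_URL }}
      TF_VAR_grafana_url: ${{ secrets.GRAFANA_URL }}
      TF_VAR_home_assistant_url: ${{ secrets.HOME_ASSISTANT_URL }}
      TF_VAR_immich_url: ${{ secrets.IMMICH_URL }}
      TF_VAR_uptime_kuma_url: ${{ secrets.UPTIME_KUMA_URL }}
      TF_VAR_sonarr_url: ${{ secrets.SONARR_URL }}
      TF_VAR_radarr_url: ${{ secrets.RADARR_URL }}
      TF_VAR_prowlarr_url: ${{ secrets.PROWLARR_URL }}

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: ${{ env.TF_VERSION }}

      - name: Terraform Init
        run: terraform init

      # This re-plans against live state and applies in one step; it does not
      # consume the plan computed by the `plan` job, so a change to the remote
      # state between the two jobs is applied as seen here, not as planned.
      - name: Terraform Apply
        run: terraform apply -input=false -auto-approve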