
Manage private auth resources with Terraform #603

Merged: mulatta merged 5 commits into main from authentik-forward-auth-terraform on Jul 3, 2026

Conversation

mulatta (Collaborator) commented Jul 3, 2026

Move Authentik forward-auth resources, Headscale users/policy, and OIDC client metadata into Terraform.

Highlights:

  • Package the Authentik Terraform provider in the flake dev shell.
  • Manage Authentik groups, users, proxy providers, apps, policies, and outpost attachments for Authentik-protected apps.
  • Keep status.sjanglab.org visible in the Authentik dashboard as a launch-only application without protecting the page.
  • Manage Headscale users and ACL policy from the same encrypted user inventory.
  • Add lock timeout for Terragrunt stack plans.
  • Centralize OIDC client secrets in SOPS for Terraform and Nix consumers.
  • Remove the old Gatus Authentik proxy app because the status page is tailnet-only and unauthenticated.

Depends on #602.

mulatta (Collaborator, Author) commented Jul 3, 2026

This change is part of the following stack:

Change managed by git-spice.

@mulatta mulatta changed the title terraform: package Authentik provider Manage private auth resources with Terraform Jul 3, 2026
@mulatta mulatta force-pushed the tailnet-private-services-base branch from 39a8814 to 09f4404 on July 3, 2026 04:55
@mulatta mulatta force-pushed the authentik-forward-auth-terraform branch 2 times, most recently from ae3fa3f to 5f0d350 on July 3, 2026 05:05
Base automatically changed from tailnet-private-services-base to main July 3, 2026 05:30
mulatta added 5 commits July 3, 2026 14:31
Manage Authentik objects declaratively without letting OpenTofu download provider binaries outside the Nix-managed toolchain.
Nginx forward auth fails closed when the embedded outpost lacks matching proxy providers, leaving private dashboards with runtime 500s. Declare the protected applications, group bindings, and outpost attachments so Authentik policy stays in sync with the tailnet ingress configuration.
Keep Authentik and Headscale authorization derived from the same user inventory so group membership changes do not depend on a separate sync service. Terraform owns Headscale users and the database policy, while SOPS keeps API credentials and user PII encrypted.
Parallel Terragrunt stack plans can briefly contend for PostgreSQL backend locks. Make OpenTofu wait instead of failing immediately so running plan across all Terraform modules is reliable.
Headscale, Nextcloud, and Vaultwarden depend on manually configured Authentik OIDC clients. Move those clients and their group claim mappings into Terraform, and make the services consume the same SOPS-managed client secrets so Authentik and Nix converge from one source.
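The PR highlights above and the second commit message (forward auth failing closed when the embedded outpost has no matching proxy provider) describe the shape of the Authentik objects that the change moves into Terraform. The following is an added illustration written for this page, not the PR's own code or the repository's modules. It assumes the goauthentik/authentik provider, an Authentik instance whose stock flows keep their default slugs, credentials supplied through the provider's environment variables, and hypothetical hostnames, group and application names; only status.sjanglab.org is taken from the PR itself.

```hcl
# Added example, not the PR's code. Hostnames, group names and application
# names are hypothetical; flow slugs are Authentik's stock defaults.
terraform {
  required_providers {
    authentik = {
      source = "goauthentik/authentik"
    }
  }
}

# URL and API token are read from the environment (AUTHENTIK_URL /
# AUTHENTIK_TOKEN), e.g. after SOPS decryption; nothing is hard-coded here.
provider "authentik" {}

data "authentik_flow" "authorization" {
  slug = "default-provider-authorization-implicit-consent"
}

data "authentik_flow" "invalidation" {
  slug = "default-provider-invalidation-flow"
}

# Group whose members may reach the protected dashboard (hypothetical name).
resource "authentik_group" "dashboard_users" {
  name = "dashboard-users"
}

# A user from the inventory, placed in the group (constructed sample).
resource "authentik_user" "alice" {
  username = "alice"
  name     = "Alice Example"
  email    = "alice@example.internal"
  groups   = [authentik_group.dashboard_users.id]
}

# Single-host forward-auth provider. Nginx asks the outpost whether each
# request is allowed; without a matching provider the outpost has nothing to
# answer with and the request fails closed.
resource "authentik_provider_proxy" "dashboard" {
  name               = "dashboard-forward-auth"
  mode               = "forward_single"
  external_host      = "https://dashboard.example.internal"
  authorization_flow = data.authentik_flow.authorization.id
  invalidation_flow  = data.authentik_flow.invalidation.id
}

resource "authentik_application" "dashboard" {
  name              = "Dashboard"
  slug              = "dashboard"
  protocol_provider = authentik_provider_proxy.dashboard.id
}

# Group binding: only members of dashboard-users pass the application's
# policy check, so a forgotten binding denies rather than allows.
resource "authentik_policy_binding" "dashboard_group" {
  target = authentik_application.dashboard.uuid
  group  = authentik_group.dashboard_users.id
  order  = 0
}

# Attach the provider to the embedded outpost so the forward-auth endpoint
# actually serves it. The embedded outpost already exists in Authentik, so
# this resource is assumed to be imported once before the first apply.
resource "authentik_outpost" "embedded" {
  name               = "authentik Embedded Outpost"
  type               = "proxy"
  protocol_providers = [authentik_provider_proxy.dashboard.id]
}

# Launch-only tile for the status page: no provider is attached, so the
# application appears on the dashboard without Authentik gating the page.
resource "authentik_application" "status" {
  name            = "Status"
  slug            = "status"
  meta_launch_url = "https://status.sjanglab.org"
}
```

Two checks follow from this layout. A provider that is declared but missing from the outpost's protocol_providers list shows up as a plan diff rather than as a runtime 500, and a dashboard tile with no protocol_provider is visibly launch-only in state, which is the distinction the PR draws for status.sjanglab.org.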
@mulatta mulatta force-pushed the authentik-forward-auth-terraform branch from 5f0d350 to 0f7eeca on July 3, 2026 05:31
@mulatta mulatta merged commit 0ae8ce2 into main Jul 3, 2026
3 of 4 checks passed
@mulatta mulatta deleted the authentik-forward-auth-terraform branch July 3, 2026 05:32