blob: 7e9dd4b5b9c566ba238ca7b007e52c9e260c09ee (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
|
# Configure TVL Keycloak instance.
#
# TODO(tazjin): Configure GitHub/GitLab IDP
terraform {
required_providers {
keycloak = {
source = "mrparkers/keycloak"
}
}
backend "s3" {
endpoint = "https://objects.dc-sto1.glesys.net"
bucket = "tvl-state"
key = "terraform/tvl-keycloak"
region = "glesys"
skip_credentials_validation = true
skip_region_validation = true
skip_metadata_api_check = true
}
}
provider "keycloak" {
client_id = "terraform"
url = "https://auth.tvl.fyi"
}
resource "keycloak_realm" "tvl" {
realm = "TVL"
enabled = true
display_name = "The Virus Lounge"
default_signature_algorithm = "RS256"
}
resource "keycloak_ldap_user_federation" "tvl_ldap" {
name = "tvl-ldap"
realm_id = keycloak_realm.tvl.id
enabled = true
connection_url = "ldap://localhost"
users_dn = "ou=users,dc=tvl,dc=fyi"
username_ldap_attribute = "cn"
uuid_ldap_attribute = "cn"
rdn_ldap_attribute = "cn"
full_sync_period = 86400
trust_email = true
user_object_classes = [
"inetOrgPerson",
"organizationalPerson",
]
}
resource "keycloak_openid_client" "oauth2_proxy" {
realm_id = keycloak_realm.tvl.id
client_id = "oauth2-proxy"
name = "TVL OAuth2 Proxy"
enabled = true
access_type = "CONFIDENTIAL"
standard_flow_enabled = true
valid_redirect_uris = [
"https://login.tvl.fyi/oauth2/callback",
"http://localhost:4774/oauth2/callback",
]
}
resource "keycloak_openid_audience_protocol_mapper" "oauth2_proxy_audience" {
realm_id = keycloak_realm.tvl.id
client_id = keycloak_openid_client.oauth2_proxy.id
name = "oauth2-proxy-audience"
included_custom_audience = keycloak_openid_client.oauth2_proxy.client_id
}
resource "keycloak_openid_client" "grafana" {
realm_id = keycloak_realm.tvl.id
client_id = "grafana"
name = "Grafana"
enabled = true
access_type = "CONFIDENTIAL"
standard_flow_enabled = true
base_url = "https://status.tvl.su"
valid_redirect_uris = [
"https://status.tvl.su/*",
]
}
resource "keycloak_openid_client" "gerrit" {
realm_id = keycloak_realm.tvl.id
client_id = "gerrit"
name = "TVL Gerrit"
enabled = true
access_type = "CONFIDENTIAL"
standard_flow_enabled = true
base_url = "https://cl.tvl.fyi"
description = "TVL's code review tool"
direct_access_grants_enabled = true
exclude_session_state_from_auth_response = false
valid_redirect_uris = [
"https://cl.tvl.fyi/*",
]
web_origins = [
"https://cl.tvl.fyi",
]
}
resource "keycloak_openid_client" "buildkite" {
realm_id = keycloak_realm.tvl.id
client_id = "https://buildkite.com"
name = "Buildkite"
enabled = true
access_type = "CONFIDENTIAL"
standard_flow_enabled = true
base_url = "https://buildkite.com/sso/tvl"
direct_access_grants_enabled = false
exclude_session_state_from_auth_response = false
backchannel_logout_session_required = false
valid_redirect_uris = [
"https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume",
]
web_origins = [
"https://buildkite.com",
]
}
|