Expose Tailscale and add Zulip SAML deployment
This commit is contained in:
parent
7d3e7a6ec5
commit
44f437c33c
13 changed files with 1064 additions and 3 deletions
|
|
@ -10,6 +10,8 @@ template_slug="${AUTHENTIK_TAILSCALE_TEMPLATE_SLUG:-ts}"
|
|||
client_id="${AUTHENTIK_TAILSCALE_CLIENT_ID:-tailscale.burrow.net}"
|
||||
client_secret="${AUTHENTIK_TAILSCALE_CLIENT_SECRET:-}"
|
||||
launch_url="${AUTHENTIK_TAILSCALE_LAUNCH_URL:-https://login.tailscale.com/start/oidc}"
|
||||
access_group="${AUTHENTIK_TAILSCALE_ACCESS_GROUP:-}"
|
||||
default_external_application_slug="${AUTHENTIK_DEFAULT_EXTERNAL_APPLICATION_SLUG:-}"
|
||||
redirect_uris_json="${AUTHENTIK_TAILSCALE_REDIRECT_URIS_JSON:-[
|
||||
\"https://login.tailscale.com/a/oauth_response\"
|
||||
]}"
|
||||
|
|
@ -31,6 +33,8 @@ Optional environment:
|
|||
AUTHENTIK_TAILSCALE_CLIENT_ID
|
||||
AUTHENTIK_TAILSCALE_LAUNCH_URL
|
||||
AUTHENTIK_TAILSCALE_REDIRECT_URIS_JSON
|
||||
AUTHENTIK_TAILSCALE_ACCESS_GROUP
|
||||
AUTHENTIK_DEFAULT_EXTERNAL_APPLICATION_SLUG
|
||||
EOF
|
||||
}
|
||||
|
||||
|
|
@ -123,6 +127,97 @@ wait_for_authentik() {
|
|||
|
||||
wait_for_authentik
|
||||
|
||||
lookup_group_pk() {
|
||||
local group_name="$1"
|
||||
|
||||
api GET "/api/v3/core/groups/?page_size=200" \
|
||||
| jq -r --arg group_name "$group_name" '.results[]? | select(.name == $group_name) | .pk // empty' \
|
||||
| head -n1
|
||||
}
|
||||
|
||||
lookup_application_pk() {
|
||||
local slug="$1"
|
||||
|
||||
api GET "/api/v3/core/applications/?page_size=200" \
|
||||
| jq -r --arg slug "$slug" '.results[]? | select(.slug == $slug) | .pk // empty' \
|
||||
| head -n1
|
||||
}
|
||||
|
||||
ensure_application_group_binding() {
|
||||
local application_slug="$1"
|
||||
local group_name="$2"
|
||||
local application_pk group_pk existing payload binding_pk
|
||||
|
||||
application_pk="$(lookup_application_pk "$application_slug")"
|
||||
if [[ -z "$application_pk" ]]; then
|
||||
echo "warning: could not resolve Authentik application ${application_slug}; skipping application group binding" >&2
|
||||
return 0
|
||||
fi
|
||||
|
||||
group_pk="$(lookup_group_pk "$group_name")"
|
||||
if [[ -z "$group_pk" ]]; then
|
||||
echo "error: could not resolve Authentik group ${group_name}" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
existing="$(
|
||||
api GET "/api/v3/policies/bindings/?page_size=200&target=${application_pk}" \
|
||||
| jq -c --arg group_pk "$group_pk" '.results[]? | select(.group == $group_pk)' \
|
||||
| head -n1
|
||||
)"
|
||||
|
||||
payload="$(
|
||||
jq -cn \
|
||||
--arg target "$application_pk" \
|
||||
--arg group "$group_pk" \
|
||||
'{
|
||||
group: $group,
|
||||
target: $target,
|
||||
negate: false,
|
||||
enabled: true,
|
||||
order: 100,
|
||||
timeout: 30,
|
||||
failure_result: false
|
||||
}'
|
||||
)"
|
||||
|
||||
if [[ -n "$existing" ]]; then
|
||||
binding_pk="$(printf '%s\n' "$existing" | jq -r '.pk')"
|
||||
api PATCH "/api/v3/policies/bindings/${binding_pk}/" "$payload" >/dev/null
|
||||
else
|
||||
api POST "/api/v3/policies/bindings/" "$payload" >/dev/null
|
||||
fi
|
||||
}
|
||||
|
||||
ensure_default_external_application() {
|
||||
local application_slug="$1"
|
||||
local application_pk default_brand brand_payload
|
||||
|
||||
application_pk="$(lookup_application_pk "$application_slug")"
|
||||
if [[ -z "$application_pk" ]]; then
|
||||
echo "error: could not resolve Authentik application ${application_slug} for brand default application" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
default_brand="$(
|
||||
api GET "/api/v3/core/brands/?page_size=200" \
|
||||
| jq -c '.results[]? | select(.default == true)' \
|
||||
| head -n1
|
||||
)"
|
||||
|
||||
if [[ -z "$default_brand" ]]; then
|
||||
echo "warning: could not resolve the default Authentik brand; skipping external default application" >&2
|
||||
return 0
|
||||
fi
|
||||
|
||||
brand_payload="$(
|
||||
printf '%s\n' "$default_brand" \
|
||||
| jq --arg application_pk "$application_pk" '.default_application = $application_pk'
|
||||
)"
|
||||
|
||||
api PUT "/api/v3/core/brands/$(printf '%s\n' "$default_brand" | jq -r '.brand_uuid')/" "$brand_payload" >/dev/null
|
||||
}
|
||||
|
||||
template_provider="$(
|
||||
api GET "/api/v3/providers/oauth2/?page_size=200" \
|
||||
| jq -c --arg template_slug "$template_slug" '.results[]? | select(.assigned_application_slug == $template_slug)' \
|
||||
|
|
@ -239,6 +334,14 @@ if [[ -z "${application_pk:-}" ]]; then
|
|||
exit 1
|
||||
fi
|
||||
|
||||
if [[ -n "$access_group" ]]; then
|
||||
ensure_application_group_binding "$application_slug" "$access_group"
|
||||
fi
|
||||
|
||||
if [[ -n "$default_external_application_slug" ]]; then
|
||||
ensure_default_external_application "$default_external_application_slug"
|
||||
fi
|
||||
|
||||
for _ in $(seq 1 30); do
|
||||
if curl -fsS "${authentik_url}/application/o/${application_slug}/.well-known/openid-configuration" >/dev/null 2>&1; then
|
||||
echo "Synced Authentik Tailscale OIDC application ${application_slug} (${application_name})."
|
||||
|
|
|
|||
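Review bot: `ensure_application_group_binding` fails open: in its first `if [[ -z "$application_pk" ]]` branch an application that cannot be resolved only produces a warning and `return 0`, so the access-group restriction explicitly requested through `AUTHENTIK_TAILSCALE_ACCESS_GROUP` is silently not applied and the script continues to the "Synced Authentik Tailscale OIDC application" message as if the gate were in place. The same function treats an unresolvable group as fatal with `exit 1`, and the sibling `ensure_default_external_application` also exits 1 when the application lookup is empty, so the warning branch is the inconsistent one. I would change those two lines to `echo "error: could not resolve Authentik application ${application_slug} for access group binding" >&2` followed by `exit 1`, so that a missing authorization binding stops the deployment rather than being logged and ignored. Note also that `lookup_group_pk`, `lookup_application_pk` and the bindings query all cap the listing at `page_size=200` without following pagination, so on a larger instance an existing object can still come back empty; whether a failed request in the `api` helper aborts the pipeline or just yields an empty result is not visible in this hunk.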