Authentik

.gitignore

@@ -0,0 +1,2 @@
+.terraform
+.terraform.lock.hcl

ReadMe.md

@@ -0,0 +1,62 @@
+# Terraform Providers Repository
+
+This repository contains configurations and documentation for various Terraform providers. Each provider listed below is used to manage specific resources and services. The repository is structured to help users integrate these providers into their Terraform projects.
+
+## Providers
+
+Below is a list of the Terraform providers referenced in this repository:
+
+1. [Authentik Provider](https://registry.terraform.io/providers/goauthentik/authentik/latest/docs)  
+   Manage resources for the Authentik identity provider.
+
+2. [NGINX Proxy Manager Provider](https://registry.terraform.io/providers/Sander0542/nginxproxymanager/latest)  
+   Manage resources for NGINX Proxy Manager.
+
+3. [Portainer Provider](https://registry.terraform.io/providers/portainer/portainer/latest)  
+   Manage resources for Portainer, a container management platform.
+
+4. [Technitium Provider](https://registry.terraform.io/providers/kevynb/technitium/latest)  
+   Manage resources for Technitium DNS Server.
+
+5. [Cloudflare Provider](https://registry.terraform.io/providers/cloudflare/cloudflare/5.4.0/docs/resources/dns_record)  
+   Manage DNS records and other resources for Cloudflare.
+
+## Usage
+
+To use any of the providers listed above, include the corresponding provider block in your Terraform configuration file. Below is an example of how to configure a provider:
+
+```hcl
+provider "cloudflare" {
+  email   = "your-email@example.com"
+  api_key = "your-api-key"
+}
+```
+
+Refer to the official documentation linked above for detailed usage instructions for each provider.
+
+### Prerequisites
+Before using this repository, ensure you have the following installed:
+
+- Terraform (latest version recommended)
+- Access credentials for the services you intend to manage (e.g., API keys, tokens, etc.)
+
+### Getting Started
+1. Clone this repository:
+
+```shell
+git clone <repository-url>
+cd <repository-directory>
+```
+
+2. Initialize Terraform:
+
+```shell
+terraform init
+```
+
+3. Customize the configuration files to suit your environment.
+4. Apply the configuration:
+
+```shell
+terraform apply
+```

modules/authentik/directory.tf

@@ -0,0 +1,18 @@
+resource "authentik_user" "dccoder" {
+  username = "DCCoder"
+  email    = var.dccoder_email
+}
+
+resource "authentik_user" "name" {
+  for_each = { for user in var.users : user.username => user }
+
+  username = each.value.username
+  email    = each.value.email
+  password = each.value.password
+}
+
+resource "authentik_group" "group" {
+  name         = "tf_admins"
+  users        = [authentik_user.dccoder.id]
+  is_superuser = true
+}

modules/authentik/providers.tf

@@ -0,0 +1,13 @@
+terraform {
+  required_providers {
+    authentik = {
+      source  = "goauthentik/authentik"
+      version = "2025.4.0"
+    }
+  }
+}
+
+provider "authentik" {
+}
+
+# SEE: https://registry.terraform.io/providers/goauthentik/authentik/latest/docs

modules/authentik/variables.tf

@@ -0,0 +1,15 @@
+variable "dccoder_email" {
+  description = "My email address"
+  default     = ""
+}
+
+variable "users" {
+  description = "List of users to create in authentik"
+  type = list(object({
+    username = string
+    email    = string
+    password = string
+  }))
+  default = []
+
+}

modules/dns/cloudflare.tf

@@ -0,0 +1,21 @@
+resource "cloudflare_dns_record" "ipv4_dns_record" {
+  count   = var.internal_only ? 0 : var.enable_ipv4 ? 1 : 0
+  zone_id = var.zone_id
+  comment = "Managed via terraform"
+  content = var.external_host_ipv4
+  name    = var.domain_name
+  proxied = var.proxied_domain
+  ttl     = var.ttl
+  type    = "A"
+}
+
+resource "cloudflare_dns_record" "ipv6_dns_record" {
+  count   = var.internal_only ? 0 : var.enable_ipv6 ? 1 : 0
+  zone_id = var.zone_id
+  comment = "Managed via terraform"
+  content = var.external_host_ipv6
+  name    = var.domain_name
+  proxied = var.proxied_domain
+  ttl     = var.ttl
+  type    = "AAAA"
+}

modules/dns/nginxproxy.tf

@@ -0,0 +1,47 @@
+module "nginx" {
+  source = "../nginx_config"
+}
+
+resource "nginxproxymanager_certificate_letsencrypt" "certificate" {
+  domain_names = [var.domain_name]
+
+  letsencrypt_email = var.admin_email
+  letsencrypt_agree = true
+
+  dns_challenge            = true
+  dns_provider             = "cloudflare"
+  dns_provider_credentials = var.dns_cloudflare_api_token
+}
+
+data "nginxproxymanager_access_list" "access_list" {
+  id = var.internal_only ? module.nginx.outputs.internal_access_list_id : module.nginx.outputs.cloudflare_access_list_id
+}
+
+resource "nginxproxymanager_proxy_host" "host" {
+  domain_names = [var.domain_name]
+
+  forward_scheme = "https"
+  forward_host   = var.domain_name
+  forward_port   = 443
+
+  caching_enabled         = true
+  allow_websocket_upgrade = true
+  block_exploits          = true
+
+  access_list_id = data.nginxproxymanager_access_list.access_list.id
+
+  locations = [
+    {
+      path           = "/"
+      forward_scheme = "http"
+      forward_host   = var.internal_host_ipv4 != "" ? var.internal_host_ipv4 : var.internal_host_ipv6
+      forward_port   = var.service_port
+    }
+  ]
+
+  certificate_id  = nginxproxymanager_certificate_letsencrypt.certificate.id
+  ssl_forced      = true
+  hsts_enabled    = false
+  hsts_subdomains = false
+  http2_support   = true
+}

modules/dns/providers.tf

@@ -0,0 +1,18 @@
+terraform {
+  required_providers {
+    nginxproxymanager = {
+      source  = "Sander0542/nginxproxymanager"
+      version = "1.1.1"
+    }
+
+    cloudflare = {
+      source  = "cloudflare/cloudflare"
+      version = "~> 5"
+    }
+
+    technitium = {
+      source  = "kevynb/technitium"
+      version = "0.2.0"
+    }
+  }
+}

modules/dns/technitium.tf

@@ -0,0 +1,17 @@
+resource "technitium_record" "ipv4_dns_record" {
+  count = var.enable_ipv4 ? 1 : 0
+  #zone       = var.zone_name
+  domain     = var.domain_name
+  type       = "A"
+  ip_address = var.internal_host_ipv4
+  ttl        = var.ttl
+}
+
+resource "technitium_record" "ipv6_dns_record" {
+  count = var.enable_ipv6 ? 1 : 0
+  #zone       = var.zone_name
+  domain     = var.domain_name
+  type       = "AAAA"
+  ip_address = var.internal_host_ipv6
+  ttl        = var.ttl
+}

modules/dns/variables.tf

@@ -0,0 +1,87 @@
+variable "internal_only" {
+  description = "If true, the application is only accessible internally"
+  type        = bool
+  default     = false
+}
+
+variable "service_port" {
+  description = "Port on which the service is running"
+  type        = number
+  default     = 80
+}
+
+variable "dns_cloudflare_api_token" {
+  description = "Cloudflare API token for DNS updates"
+  type        = string
+  default     = ""
+  sensitive   = true
+}
+
+variable "admin_email" {
+  description = "Email address for the admin user"
+  type        = string
+  default     = ""
+}
+
+variable "external_host_ipv4" {
+  description = "External host for the application"
+  type        = string
+  default     = ""
+}
+
+variable "external_host_ipv6" {
+  description = "External host for the application"
+  type        = string
+  default     = ""
+}
+
+variable "internal_host_ipv4" {
+  description = "Internal host for the application"
+  type        = string
+  default     = ""
+}
+
+variable "internal_host_ipv6" {
+  description = "Internal host for the application"
+  type        = string
+  default     = ""
+}
+
+variable "enable_ipv4" {
+  description = "If true, enable IPv4 for the application"
+  type        = bool
+  default     = true
+}
+
+variable "enable_ipv6" {
+  description = "If true, enable IPv6 for the application"
+  type        = bool
+  default     = false
+}
+
+variable "zone_name" {
+  description = "Zone name for the DNS record"
+  type        = string
+}
+
+variable "domain_name" {
+  description = "Domain name for the application"
+  type        = string
+}
+
+variable "zone_id" {
+  description = "Cloudflare zone ID for the DNS record"
+  type        = string
+}
+
+variable "proxied_domain" {
+  description = "If true, the DNS record is proxied through Cloudflare"
+  type        = bool
+  default     = true
+}
+
+variable "ttl" {
+  description = "Time to live for the DNS record"
+  type        = number
+  default     = 3600
+}