Torjus Håkestad
d7f6603620
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
50 lines
1.5 KiB
HCL
50 lines
1.5 KiB
HCL
# OIDC authentication backend for Kanidm integration
|
|
resource "vault_jwt_auth_backend" "oidc" {
|
|
path = "oidc"
|
|
type = "oidc"
|
|
oidc_discovery_url = "https://auth.home.2rjus.net/oauth2/openid/openbao"
|
|
oidc_client_id = "openbao"
|
|
oidc_client_secret = random_password.auto_secrets["services/openbao/oauth2-client-secret"].result
|
|
default_role = "default"
|
|
|
|
tune {
|
|
listing_visibility = "unauth"
|
|
default_lease_ttl = "1h"
|
|
max_lease_ttl = "24h"
|
|
token_type = "default-service"
|
|
}
|
|
}
|
|
|
|
# Admin role - maps Kanidm admins group to admin policy
|
|
resource "vault_jwt_auth_backend_role" "admin" {
|
|
backend = vault_jwt_auth_backend.oidc.path
|
|
role_name = "admin"
|
|
token_policies = ["oidc-admin"]
|
|
|
|
user_claim = "preferred_username"
|
|
groups_claim = "groups"
|
|
bound_claims = { groups = "admins" }
|
|
role_type = "oidc"
|
|
|
|
allowed_redirect_uris = [
|
|
"http://localhost:8250/oidc/callback",
|
|
"https://vault.home.2rjus.net:8200/ui/vault/auth/oidc/oidc/callback",
|
|
]
|
|
}
|
|
|
|
# Default role - any authenticated user (limited access)
|
|
resource "vault_jwt_auth_backend_role" "default" {
|
|
backend = vault_jwt_auth_backend.oidc.path
|
|
role_name = "default"
|
|
token_policies = ["oidc-default"]
|
|
|
|
user_claim = "preferred_username"
|
|
groups_claim = "groups"
|
|
role_type = "oidc"
|
|
|
|
allowed_redirect_uris = [
|
|
"http://localhost:8250/oidc/callback",
|
|
"https://vault.home.2rjus.net:8200/ui/vault/auth/oidc/oidc/callback",
|
|
]
|
|
}
|