fix

apps/gitea/index.yaml

@@ -9,15 +9,35 @@ metadata:
     A painless self-hosted Git service.
     Gitea is a community managed lightweight code hosting solution written in Go. It is published under the MIT license.
 options:
-  volume:
-    default:
-      size: 10Gi
+  ingress-class:
+    default: traefik
     examples:
-    - size: 10Gi
+    - traefik
+    type: string
+  domain-name:
+    default: your_company.com
+    examples:
+    - your_company.com
+    type: string
+  release:
+    default: 8.3.0
+    examples:
+    - 8.3.0
+    type: string
+  webhook:
+    default:
+      allowed-hosts: private
+      skip-tls-verify: false
+    examples:
+    - allowed-hosts: private
+      skip-tls-verify: false
     properties:
-      size:
-        default: 10Gi
+      allowed-hosts:
+        default: private
         type: string
+      skip-tls-verify:
+        default: false
+        type: boolean
     type: object
   postgres:
     default:
@@ -39,16 +59,91 @@ options:
         default: '14'
         type: string
     type: object
-  disable-registration:
-    default: true
+  sub-domain:
+    default: git
     examples:
-    - true
-    type: boolean
+    - git
+    type: string
+  replicas:
+    default: 1
+    examples:
+    - 1
+    type: integer
+  admin:
+    default:
+      email: git-admin@git.your_company.com
+      name: gitea_admin
+    examples:
+    - email: git-admin@git.your_company.com
+      name: gitea_admin
+    properties:
+      email:
+        default: git-admin@git.your_company.com
+        type: string
+      name:
+        default: gitea_admin
+        type: string
+    type: object
+  timezone:
+    default: Europe/Paris
+    examples:
+    - Europe/Paris
+    type: string
+  ssh-port:
+    default: 2222
+    examples:
+    - 2222
+    type: integer
   domain:
     default: your-company
     examples:
     - your-company
     type: string
+  default-branch:
+    default: main
+    examples:
+    - main
+    type: string
+  theme:
+    default: gitea-modern
+    examples:
+    - gitea-modern
+    type: string
+  issuer:
+    default: letsencrypt-prod
+    examples:
+    - letsencrypt-prod
+    type: string
+  push-create:
+    default:
+      org: 'true'
+      private: 'false'
+      user: 'true'
+    examples:
+    - org: 'true'
+      private: 'false'
+      user: 'true'
+    properties:
+      org:
+        default: 'true'
+        type: string
+      private:
+        default: 'false'
+        type: string
+      user:
+        default: 'true'
+        type: string
+    type: object
+  volume:
+    default:
+      size: 10Gi
+    examples:
+    - size: 10Gi
+    properties:
+      size:
+        default: 10Gi
+        type: string
+    type: object
   images:
     default:
       gitea:
@@ -112,16 +207,21 @@ options:
             type: string
         type: object
     type: object
-  sub-domain:
-    default: git
+  disable-registration:
+    default: true
     examples:
-    - git
-    type: string
-  ssh-port:
-    default: 2222
+    - true
+    type: boolean
+  load-balancer:
+    default:
+      ip: ''
     examples:
-    - 2222
-    type: integer
+    - ip: ''
+    properties:
+      ip:
+        default: ''
+        type: string
+    type: object
   backups:
     default:
       enable: false
@@ -228,106 +328,6 @@ options:
         default: false
         type: boolean
     type: object
-  push-create:
-    default:
-      org: 'true'
-      private: 'false'
-      user: 'true'
-    examples:
-    - org: 'true'
-      private: 'false'
-      user: 'true'
-    properties:
-      org:
-        default: 'true'
-        type: string
-      private:
-        default: 'false'
-        type: string
-      user:
-        default: 'true'
-        type: string
-    type: object
-  load-balancer:
-    default:
-      ip: ''
-    examples:
-    - ip: ''
-    properties:
-      ip:
-        default: ''
-        type: string
-    type: object
-  admin:
-    default:
-      email: git-admin@git.your_company.com
-      name: gitea_admin
-    examples:
-    - email: git-admin@git.your_company.com
-      name: gitea_admin
-    properties:
-      email:
-        default: git-admin@git.your_company.com
-        type: string
-      name:
-        default: gitea_admin
-        type: string
-    type: object
-  ingress-class:
-    default: traefik
-    examples:
-    - traefik
-    type: string
-  timezone:
-    default: Europe/Paris
-    examples:
-    - Europe/Paris
-    type: string
-  replicas:
-    default: 1
-    examples:
-    - 1
-    type: integer
-  issuer:
-    default: letsencrypt-prod
-    examples:
-    - letsencrypt-prod
-    type: string
-  default-branch:
-    default: main
-    examples:
-    - main
-    type: string
-  release:
-    default: 8.3.0
-    examples:
-    - 8.3.0
-    type: string
-  webhook:
-    default:
-      allowed-hosts: private
-      skip-tls-verify: false
-    examples:
-    - allowed-hosts: private
-      skip-tls-verify: false
-    properties:
-      allowed-hosts:
-        default: private
-        type: string
-      skip-tls-verify:
-        default: false
-        type: boolean
-    type: object
-  domain-name:
-    default: your_company.com
-    examples:
-    - your_company.com
-    type: string
-  theme:
-    default: gitea-modern
-    examples:
-    - gitea-modern
-    type: string
 dependencies:
 - dist: null
   category: share

apps/gitea/ldap.tf

@@ -1,5 +1,7 @@
 
 locals {
+  app-name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance)
+  main-group = format("app-%s", local.app-name)
   base-dn = format("dc=%s", join(",dc=", split(".", format("%s.%s", var.sub-domain, var.domain-name))))
   base-group-dn = format("ou=groups,%s", local.base-dn)
   base-user-dn = format("ou=users,%s", local.base-dn)
@@ -87,7 +89,8 @@ resource "authentik_application" "gitea_application" {
 }
 
 resource "authentik_group" "gitea_users" {
-  name         = "gitea_users"
+  name         = local.main-group
+  attributes   = jsonencode({"${local.app-name}" = true})
 }
 
 data "authentik_group" "vynil-admin" {
@@ -96,13 +99,22 @@ data "authentik_group" "vynil-admin" {
 }
 
 resource "authentik_group" "gitea_admin" {
-  name         = "gitea_admin"
+  name         = format("admin-%s", local.app-name)
   parent       = authentik_group.gitea_users.id
+  attributes   = jsonencode({"${local.app-name}" = true})
+}
+
+resource "authentik_policy_expression" "policy" {
+  name       = local.main-group
+  expression = <<-EOF
+    attr = request.user.group_attributes()
+    return attr['${local.app-name}'] if '${local.app-name}' in attr else False
+  EOF
 }
 
 resource "authentik_policy_binding" "gitea_access_users" {
   target = authentik_application.gitea_application.uuid
-  group  = authentik_group.gitea_users.id
+  policy = authentik_policy_expression.policy.id
   order  = 0
 }
 resource "authentik_policy_binding" "gitea_access_vynil" {

apps/nextcloud/application.tf

@@ -1,12 +1,13 @@
+locals {
+  app-name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance)
+  main-group = format("app-%s", local.app-name)
+}
 data "authentik_group" "akadmin" {
   name = "authentik Admins"
 }
 resource "authentik_group" "groups" {
-  name  = "nextcloud-users"
-}
-data "authentik_group" "readed_groups" {
-  depends_on = [ authentik_group.groups ]
-  name  = "nextcloud-users"
+  name         = local.main-group
+  attributes   = jsonencode({"${local.app-name}" = true})
 }
 
 resource "authentik_application" "prj_app" {
@@ -17,9 +18,17 @@ resource "authentik_application" "prj_app" {
   meta_icon         = format("https://%s.%s/%s", var.sub-domain, var.domain-name, "apps/theming/favicon")
 }
 
+resource "authentik_policy_expression" "policy" {
+  name       = local.main-group
+  expression = <<-EOF
+    attr = request.user.group_attributes()
+    return attr['${local.app-name}'] if '${local.app-name}' in attr else False
+  EOF
+}
+
 resource "authentik_policy_binding" "prj_access_users" {
   target = authentik_application.prj_app.uuid
-  group  = authentik_group.groups.id
+  policy = authentik_policy_expression.policy.id
   order  = 0
 }
 resource "authentik_policy_binding" "prj_access_vynil" {

apps/nextcloud/index.yaml

@@ -6,36 +6,207 @@ metadata:
   name: nextcloud
   description: null
 options:
+  apps:
+    default:
+      audioplayer: false
+      bookmarks: false
+      bpm: false
+      calendar: false
+      collabora: false
+      contacts: false
+      deck: false
+      groupfolders: true
+      mindmap: false
+      music: false
+      notes: false
+      onlyoffice: false
+      passman: false
+      spreed: false
+      tables: false
+      tasks: false
+      texteditor: true
+    examples:
+    - audioplayer: false
+      bookmarks: false
+      bpm: false
+      calendar: false
+      collabora: false
+      contacts: false
+      deck: false
+      groupfolders: true
+      mindmap: false
+      music: false
+      notes: false
+      onlyoffice: false
+      passman: false
+      spreed: false
+      tables: false
+      tasks: false
+      texteditor: true
+    properties:
+      audioplayer:
+        default: false
+        type: boolean
+      bookmarks:
+        default: false
+        type: boolean
+      bpm:
+        default: false
+        type: boolean
+      calendar:
+        default: false
+        type: boolean
+      collabora:
+        default: false
+        type: boolean
+      contacts:
+        default: false
+        type: boolean
+      deck:
+        default: false
+        type: boolean
+      groupfolders:
+        default: true
+        type: boolean
+      mindmap:
+        default: false
+        type: boolean
+      music:
+        default: false
+        type: boolean
+      notes:
+        default: false
+        type: boolean
+      onlyoffice:
+        default: false
+        type: boolean
+      passman:
+        default: false
+        type: boolean
+      spreed:
+        default: false
+        type: boolean
+      tables:
+        default: false
+        type: boolean
+      tasks:
+        default: false
+        type: boolean
+      texteditor:
+        default: true
+        type: boolean
+    type: object
   openid-name:
     default: vynil
     examples:
     - vynil
     type: string
-  postgres:
+  backups:
     default:
-      replicas: 1
-      storage: 5Gi
-      version: '14'
+      enable: false
+      endpoint: ''
+      key-id-key: s3-id
+      restic-key: bck-password
+      retention:
+        db: 30d
+        keepDaily: 14
+        keepMonthly: 12
+        keepWeekly: 6
+        keepYearly: 12
+      schedule:
+        backup: 30 3 * * *
+        check: 30 5 * * 1
+        db: 30 3 * * *
+        prune: 30 1 * * 0
+      secret-key: s3-secret
+      secret-name: backup-settings
+      use-barman: false
     examples:
-    - replicas: 1
-      storage: 5Gi
-      version: '14'
+    - enable: false
+      endpoint: ''
+      key-id-key: s3-id
+      restic-key: bck-password
+      retention:
+        db: 30d
+        keepDaily: 14
+        keepMonthly: 12
+        keepWeekly: 6
+        keepYearly: 12
+      schedule:
+        backup: 30 3 * * *
+        check: 30 5 * * 1
+        db: 30 3 * * *
+        prune: 30 1 * * 0
+      secret-key: s3-secret
+      secret-name: backup-settings
+      use-barman: false
     properties:
-      replicas:
-        default: 1
-        type: integer
-      storage:
-        default: 5Gi
+      enable:
+        default: false
+        type: boolean
+      endpoint:
+        default: ''
         type: string
-      version:
-        default: '14'
+      key-id-key:
+        default: s3-id
         type: string
+      restic-key:
+        default: bck-password
+        type: string
+      retention:
+        default:
+          db: 30d
+          keepDaily: 14
+          keepMonthly: 12
+          keepWeekly: 6
+          keepYearly: 12
+        properties:
+          db:
+            default: 30d
+            type: string
+          keepDaily:
+            default: 14
+            type: integer
+          keepMonthly:
+            default: 12
+            type: integer
+          keepWeekly:
+            default: 6
+            type: integer
+          keepYearly:
+            default: 12
+            type: integer
+        type: object
+      schedule:
+        default:
+          backup: 30 3 * * *
+          check: 30 5 * * 1
+          db: 30 3 * * *
+          prune: 30 1 * * 0
+        properties:
+          backup:
+            default: 30 3 * * *
+            type: string
+          check:
+            default: 30 5 * * 1
+            type: string
+          db:
+            default: 30 3 * * *
+            type: string
+          prune:
+            default: 30 1 * * 0
+            type: string
+        type: object
+      secret-key:
+        default: s3-secret
+        type: string
+      secret-name:
+        default: backup-settings
+        type: string
+      use-barman:
+        default: false
+        type: boolean
     type: object
-  issuer:
-    default: letsencrypt-prod
-    examples:
-    - letsencrypt-prod
-    type: string
   images:
     default:
       collabora:
@@ -199,111 +370,6 @@ options:
             type: string
         type: object
     type: object
-  domain:
-    default: your-company
-    examples:
-    - your-company
-    type: string
-  domain-name:
-    default: your_company.com
-    examples:
-    - your_company.com
-    type: string
-  ingress-class:
-    default: traefik
-    examples:
-    - traefik
-    type: string
-  apps:
-    default:
-      audioplayer: false
-      bookmarks: false
-      bpm: false
-      calendar: false
-      collabora: false
-      contacts: false
-      deck: false
-      groupfolders: true
-      mindmap: false
-      music: false
-      notes: false
-      onlyoffice: false
-      passman: false
-      spreed: false
-      tables: false
-      tasks: false
-      texteditor: true
-    examples:
-    - audioplayer: false
-      bookmarks: false
-      bpm: false
-      calendar: false
-      collabora: false
-      contacts: false
-      deck: false
-      groupfolders: true
-      mindmap: false
-      music: false
-      notes: false
-      onlyoffice: false
-      passman: false
-      spreed: false
-      tables: false
-      tasks: false
-      texteditor: true
-    properties:
-      audioplayer:
-        default: false
-        type: boolean
-      bookmarks:
-        default: false
-        type: boolean
-      bpm:
-        default: false
-        type: boolean
-      calendar:
-        default: false
-        type: boolean
-      collabora:
-        default: false
-        type: boolean
-      contacts:
-        default: false
-        type: boolean
-      deck:
-        default: false
-        type: boolean
-      groupfolders:
-        default: true
-        type: boolean
-      mindmap:
-        default: false
-        type: boolean
-      music:
-        default: false
-        type: boolean
-      notes:
-        default: false
-        type: boolean
-      onlyoffice:
-        default: false
-        type: boolean
-      passman:
-        default: false
-        type: boolean
-      spreed:
-        default: false
-        type: boolean
-      tables:
-        default: false
-        type: boolean
-      tasks:
-        default: false
-        type: boolean
-      texteditor:
-        default: true
-        type: boolean
-    type: object
   hpa:
     default:
       avg-cpu: 50
@@ -324,145 +390,10 @@ options:
         default: 1
         type: integer
     type: object
-  backups:
-    default:
-      enable: false
-      endpoint: ''
-      key-id-key: s3-id
-      restic-key: bck-password
-      retention:
-        db: 30d
-        keepDaily: 14
-        keepMonthly: 12
-        keepWeekly: 6
-        keepYearly: 12
-      schedule:
-        backup: 30 3 * * *
-        check: 30 5 * * 1
-        db: 30 3 * * *
-        prune: 30 1 * * 0
-      secret-key: s3-secret
-      secret-name: backup-settings
-      use-barman: false
+  domain-name:
+    default: your_company.com
     examples:
-    - enable: false
-      endpoint: ''
-      key-id-key: s3-id
-      restic-key: bck-password
-      retention:
-        db: 30d
-        keepDaily: 14
-        keepMonthly: 12
-        keepWeekly: 6
-        keepYearly: 12
-      schedule:
-        backup: 30 3 * * *
-        check: 30 5 * * 1
-        db: 30 3 * * *
-        prune: 30 1 * * 0
-      secret-key: s3-secret
-      secret-name: backup-settings
-      use-barman: false
-    properties:
-      enable:
-        default: false
-        type: boolean
-      endpoint:
-        default: ''
-        type: string
-      key-id-key:
-        default: s3-id
-        type: string
-      restic-key:
-        default: bck-password
-        type: string
-      retention:
-        default:
-          db: 30d
-          keepDaily: 14
-          keepMonthly: 12
-          keepWeekly: 6
-          keepYearly: 12
-        properties:
-          db:
-            default: 30d
-            type: string
-          keepDaily:
-            default: 14
-            type: integer
-          keepMonthly:
-            default: 12
-            type: integer
-          keepWeekly:
-            default: 6
-            type: integer
-          keepYearly:
-            default: 12
-            type: integer
-        type: object
-      schedule:
-        default:
-          backup: 30 3 * * *
-          check: 30 5 * * 1
-          db: 30 3 * * *
-          prune: 30 1 * * 0
-        properties:
-          backup:
-            default: 30 3 * * *
-            type: string
-          check:
-            default: 30 5 * * 1
-            type: string
-          db:
-            default: 30 3 * * *
-            type: string
-          prune:
-            default: 30 1 * * 0
-            type: string
-        type: object
-      secret-key:
-        default: s3-secret
-        type: string
-      secret-name:
-        default: backup-settings
-        type: string
-      use-barman:
-        default: false
-        type: boolean
-    type: object
-  admin:
-    default:
-      name: nextcloud_admin
-    examples:
-    - name: nextcloud_admin
-    properties:
-      name:
-        default: nextcloud_admin
-        type: string
-    type: object
-  storage:
-    default:
-      accessMode: ReadWriteOnce
-      size: 10Gi
-    examples:
-    - accessMode: ReadWriteOnce
-      size: 10Gi
-    properties:
-      accessMode:
-        default: ReadWriteOnce
-        enum:
-        - ReadWriteOnce
-        - ReadOnlyMany
-        - ReadWriteMany
-        type: string
-      size:
-        default: 10Gi
-        type: string
-    type: object
-  sub-domain:
-    default: files
-    examples:
-    - files
+    - your_company.com
     type: string
   redis:
     default:
@@ -497,6 +428,75 @@ options:
         default: 2Gi
         type: string
     type: object
+  ingress-class:
+    default: traefik
+    examples:
+    - traefik
+    type: string
+  sub-domain:
+    default: files
+    examples:
+    - files
+    type: string
+  domain:
+    default: your-company
+    examples:
+    - your-company
+    type: string
+  issuer:
+    default: letsencrypt-prod
+    examples:
+    - letsencrypt-prod
+    type: string
+  postgres:
+    default:
+      replicas: 1
+      storage: 5Gi
+      version: '14'
+    examples:
+    - replicas: 1
+      storage: 5Gi
+      version: '14'
+    properties:
+      replicas:
+        default: 1
+        type: integer
+      storage:
+        default: 5Gi
+        type: string
+      version:
+        default: '14'
+        type: string
+    type: object
+  storage:
+    default:
+      accessMode: ReadWriteOnce
+      size: 10Gi
+    examples:
+    - accessMode: ReadWriteOnce
+      size: 10Gi
+    properties:
+      accessMode:
+        default: ReadWriteOnce
+        enum:
+        - ReadWriteOnce
+        - ReadOnlyMany
+        - ReadWriteMany
+        type: string
+      size:
+        default: 10Gi
+        type: string
+    type: object
+  admin:
+    default:
+      name: nextcloud_admin
+    examples:
+    - name: nextcloud_admin
+    properties:
+      name:
+        default: nextcloud_admin
+        type: string
+    type: object
 dependencies:
 - dist: null
   category: share

share/wildduck/application.tf

@@ -1,12 +1,13 @@
+locals {
+  app-name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance)
+  main-group = format("app-%s", local.app-name)
+}
 data "authentik_group" "akadmin" {
   name = "authentik Admins"
 }
 resource "authentik_group" "groups" {
-  name  = "mail-users"
-}
-data "authentik_group" "readed_groups" {
-  depends_on = [ authentik_group.groups ]
-  name  = "mail-users"
+  name         = local.main-group
+  attributes   = jsonencode({"${local.app-name}" = true})
 }
 
 resource "authentik_application" "prj_app" {
@@ -18,9 +19,17 @@ resource "authentik_application" "prj_app" {
   meta_icon         = format("https://%s.%s/%s", var.sub-domain, var.domain-name, "favicon-32x32.png")
 }
 
+resource "authentik_policy_expression" "policy" {
+  name       = local.main-group
+  expression = <<-EOF
+    attr = request.user.group_attributes()
+    return attr['${local.app-name}'] if '${local.app-name}' in attr else False
+  EOF
+}
+
 resource "authentik_policy_binding" "prj_access_users" {
   target = authentik_application.prj_app.uuid
-  group  = authentik_group.groups.id
+  policy = authentik_policy_expression.policy.id
   order  = 0
 }
 resource "authentik_policy_binding" "prj_access_vynil" {

share/wildduck/index.yaml

@@ -6,10 +6,15 @@ metadata:
   name: wildduck
   description: null
 options:
-  issuer:
-    default: letsencrypt-prod
+  domain-name:
+    default: your_company.com
     examples:
-    - letsencrypt-prod
+    - your_company.com
+    type: string
+  domain:
+    default: your-company
+    examples:
+    - your-company
     type: string
   redis:
     default:
@@ -44,11 +49,11 @@ options:
         default: 2Gi
         type: string
     type: object
-  domain:
-    default: your-company
-    examples:
-    - your-company
-    type: string
+  additional-domains:
+    default: []
+    items:
+      type: string
+    type: array
   backups:
     default:
       enable: false
@@ -79,26 +84,6 @@ options:
         default: backup-settings
         type: string
     type: object
-  domain-name:
-    default: your_company.com
-    examples:
-    - your_company.com
-    type: string
-  sub-domain:
-    default: mail
-    examples:
-    - mail
-    type: string
-  ingress-class:
-    default: traefik
-    examples:
-    - traefik
-    type: string
-  additional-domains:
-    default: []
-    items:
-      type: string
-    type: array
   images:
     default:
       haraka:
@@ -308,6 +293,21 @@ options:
             type: string
         type: object
     type: object
+  sub-domain:
+    default: mail
+    examples:
+    - mail
+    type: string
+  ingress-class:
+    default: traefik
+    examples:
+    - traefik
+    type: string
+  issuer:
+    default: letsencrypt-prod
+    examples:
+    - letsencrypt-prod
+    type: string
 dependencies:
 - dist: null
   category: dbo