feat: organize all services into separate stacks by dependency

utility-services/authentik/index.ts

@@ -0,0 +1,47 @@
+import * as fs from "fs";
+import * as path from "path";
+import { Release } from "@cdktf/provider-helm/lib/release";
+import { Construct } from "constructs";
+import { OnePasswordSecret } from "../../utils";
+import { Providers } from "../../types";
+
+type AuthentikServerOptions = {
+  providers: Providers;
+  name: string;
+  namespace: string;
+};
+
+export class AuthentikServer extends Construct {
+  constructor(scope: Construct, id: string, options: AuthentikServerOptions) {
+    super(scope, id);
+
+    const { kubernetes, helm } = options.providers;
+
+    new OnePasswordSecret(this, "secret-key", {
+      provider: kubernetes,
+      name: "authentik-secret-key",
+      namespace: options.namespace,
+      itemPath: "vaults/Lab/items/authentik-secret-key",
+    });
+
+    new OnePasswordSecret(this, "smtp", {
+      provider: kubernetes,
+      name: "authentik-smtp-token",
+      namespace: options.namespace,
+      itemPath: "vaults/Lab/items/smtp-token",
+    });
+
+    new Release(this, id, {
+      ...options,
+      provider: helm,
+      repository: "https://charts.goauthentik.io",
+      chart: "authentik",
+      createNamespace: true,
+      values: [
+        fs.readFileSync(path.join(__dirname, "values.yaml"), {
+          encoding: "utf8",
+        }),
+      ],
+    }).importFrom("homelab/authentik");
+  }
+}

utility-services/authentik/values.yaml

@@ -0,0 +1,110 @@
+global:
+  addPrometheusAnnotations: true
+  securityContext:
+    runAsUser: 1000
+    fsGroup: 1000
+  podLabels:
+    app: authentik
+  nodeSelector:
+    nodepool: worker
+  topologySpreadConstraints:
+    - maxSkew: 1
+      topologyKey: kubernetes.io/hostname
+      whenUnsatisfiable: DoNotSchedule
+      labelSelector:
+        matchLabels:
+          app: authentik
+  env:
+    - name: AUTHENTIK_SECRET_KEY
+      valueFrom:
+        secretKeyRef:
+          name: authentik-secret-key
+          key: password
+    - name: AUTHENTIK_EMAIL__USERNAME
+      valueFrom:
+        secretKeyRef:
+          name: authentik-smtp-token
+          key: authentik-username
+    - name: AUTHENTIK_EMAIL__PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: authentik-smtp-token
+          key: authentik-password
+    - name: AUTHENTIK_EMAIL__FROM
+      valueFrom:
+        secretKeyRef:
+          name: authentik-smtp-token
+          key: authentik-username
+    - name: AUTHENTIK_EMAIL__USE_TLS
+      value: "true"
+    - name: AUTHENTIK_POSTGRESQL__SSLMODE
+      value: verify-full
+    - name: AUTHENTIK_POSTGRESQL__SSLROOTCERT
+      value: "/opt/authentik/certs/ca.crt"
+    - name: AUTHENTIK_POSTGRESQL__SSLCERT
+      value: "/opt/authentik/certs/tls.crt"
+    - name: AUTHENTIK_POSTGRESQL__SSLKEY
+      value: "/opt/authentik/certs/tls.key"
+    - name: AUTHENTIK_REDIS__PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: valkey
+          key: password
+  volumes:
+    - name: ssl-bundle
+      projected:
+        sources:
+          - secret:
+              name: authentik-client-cert
+              items:
+                - key: tls.crt
+                  path: tls.crt
+                - key: tls.key
+                  path: tls.key
+                  mode: 0600
+          - secret:
+              name: postgres-server-cert
+              items:
+                - key: ca.crt
+                  path: ca.crt
+  volumeMounts:
+    - name: ssl-bundle
+      mountPath: /opt/authentik/certs
+      readOnly: true
+
+authentik:
+  error_reporting:
+    enabled: false
+  email:
+    host: "smtp.protonmail.ch"
+    port: 587
+  postgresql:
+    host: postgres-cluster-rw
+    user: authentik
+    name: authentik
+  redis:
+    host: valkey
+
+server:
+  replicas: 3
+  ingress:
+    enabled: true
+    annotations:
+      cert-manager.io/cluster-issuer: cloudflare-issuer
+      cert-manager.io/acme-challenge-type: dns01
+      cert-manager.io/private-key-size: "4096"
+    ingressClassName: traefik
+    hosts:
+      - auth.dogar.dev
+    tls:
+      - secretName: authentik-tls
+        hosts:
+          - auth.dogar.dev
+
+worker:
+  replicas: 3
+    
+postgresql:
+    enabled: false
+redis:
+    enabled: false