feat: working infra with sso

This commit is contained in:
harkon
2025-12-04 12:49:43 +02:00
parent 67de982754
commit 7e54ee9099
13 changed files with 329 additions and 222 deletions


@@ -167,6 +167,7 @@ entries:
- !KeyOf scope_email
- !KeyOf scope_groups
- !KeyOf scope_offline
- !KeyOf scope_minio_policy
authorization_flow: !KeyOf default_authz_flow
invalidation_flow: !KeyOf default_inval_flow
@@ -258,6 +259,31 @@ entries:
# Default to Viewer role
return "Viewer"
# Custom Scope Mapping for MinIO
- id: scope_minio_policy
model: authentik_providers_oauth2.scopemapping
state: present
identifiers:
name: "MinIO Policy Mapping"
attrs:
name: "MinIO Policy Mapping"
description: "Maps Authentik groups to MinIO policies"
scope_name: "minio"
expression: |
# Map Authentik groups to MinIO policies
user_groups = [group.name for group in request.user.ak_groups.all()]
# Admin policy mapping
if "Administrators" in user_groups:
return {"policy": ["consoleAdmin"]}
# Default to readwrite for other known groups
if "Tax Reviewers" in user_groups or "Accountants" in user_groups:
return {"policy": ["readwrite"]}
# Default fallback
return {"policy": ["readonly"]}
- model: authentik_providers_oauth2.oauth2provider
state: present
identifiers:
@@ -340,3 +366,78 @@ entries:
target: !Find [authentik_core.application, [slug, "grafana-prod"]]
attrs:
order: 0
# --- Qdrant (Production) ---------------------------------------------------
- id: provider_qdrant
model: authentik_providers_proxy.proxyprovider
state: present
identifiers:
name: "Qdrant (Production)"
attrs:
external_host: "https://qdrant.app.harkon.co.uk:8444"
authorization_flow: !KeyOf default_authz_flow
invalidation_flow: !KeyOf default_inval_flow
mode: "forward_single"
- model: authentik_core.application
state: present
identifiers:
slug: "qdrant-prod"
attrs:
name: "Qdrant (Production)"
provider: !KeyOf provider_qdrant
meta_launch_url: "https://qdrant.app.harkon.co.uk:8444/dashboard"
meta_description: "Vector Database Dashboard"
meta_publisher: "AI Tax Agent"
policy_engine_mode: "any"
# --- Neo4j (Production) ----------------------------------------------------
- id: provider_neo4j
model: authentik_providers_proxy.proxyprovider
state: present
identifiers:
name: "Neo4j (Production)"
attrs:
external_host: "https://neo4j.app.harkon.co.uk:8444"
authorization_flow: !KeyOf default_authz_flow
invalidation_flow: !KeyOf default_inval_flow
mode: "forward_single"
- model: authentik_core.application
state: present
identifiers:
slug: "neo4j-prod"
attrs:
name: "Neo4j (Production)"
provider: !KeyOf provider_neo4j
meta_launch_url: "https://neo4j.app.harkon.co.uk:8444"
meta_description: "Knowledge Graph Browser"
meta_publisher: "AI Tax Agent"
policy_engine_mode: "any"
# --- Policy Bindings for New Apps ------------------------------------------
- model: authentik_policies.policybinding
state: present
identifiers:
policy: !KeyOf policy_always_allow
target: !Find [authentik_core.application, [slug, "qdrant-prod"]]
attrs:
order: 0
- model: authentik_policies.policybinding
state: present
identifiers:
policy: !KeyOf policy_always_allow
target: !Find [authentik_core.application, [slug, "neo4j-prod"]]
attrs:
order: 0
# --- Outpost Assignment ----------------------------------------------------
- model: authentik_outposts.outpost
state: present
identifiers:
name: "authentik Embedded Outpost"
attrs:
providers:
- !KeyOf provider_qdrant
- !KeyOf provider_neo4j
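Review bot: The two new `authentik_policies.policybinding` entries in the last hunk (targets `qdrant-prod` and `neo4j-prod`) attach `policy_always_allow`, and both applications are declared with `policy_engine_mode: "any"`, so every authenticated Authentik user can open the production vector-database dashboard and the Neo4j browser. Both are administrative surfaces over production data, so the binding should point at a group-membership policy for an operator group instead — the blueprint already keys on an `"Administrators"` group in the MinIO scope mapping, so `policy: !KeyOf <admin_group_policy_id>` for that group would be the natural choice (placeholder: no such policy is visible in these hunks). The MinIO scope-mapping hunk has the same default-grant shape: its final `return {"policy": ["readonly"]}` hands a read policy to any user who belongs to none of the listed groups, so consider whether that fallback should grant nothing. At minimum, a comment above each binding such as `# TODO: restrict to operator group; always-allow exposes the production dashboard to all SSO users` records the decision. The `entries:` list these hunks belong to starts before the first hunk.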


@@ -106,6 +106,7 @@ services:
AUTHENTIK_MINIO_CLIENT_SECRET: ${AUTHENTIK_MINIO_CLIENT_SECRET}
AUTHENTIK_VAULT_CLIENT_SECRET: ${AUTHENTIK_VAULT_CLIENT_SECRET}
AUTHENTIK_BOOTSTRAP_FILE: /blueprints/ai-tax-agent-bootstrap.yaml
AUTHENTIK_HOST_BROWSER: https://auth.${DOMAIN}:8444
depends_on:
- apa-authentik-db
- apa-authentik-redis
@@ -174,10 +175,11 @@ services:
- frontend
volumes:
- vault_data:/vault/data
- ./vault/config:/vault/config
environment:
VAULT_DEV_ROOT_TOKEN_ID: ${VAULT_DEV_ROOT_TOKEN_ID}
VAULT_DEV_LISTEN_ADDRESS: 0.0.0.0:8200
command: vault server -dev -dev-listen-address=0.0.0.0:8200
VAULT_ADDR: "http://127.0.0.1:8200"
VAULT_API_ADDR: "http://127.0.0.1:8200"
command: vault server -config=/vault/config/vault.hcl
cap_add:
- IPC_LOCK
extra_hosts:
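Review bot: The Vault service is switched to server mode with `command: vault server -config=/vault/config/vault.hcl` (second hunk), but nothing in the hunk initializes or unseals it, so after a restart the container presumably comes up sealed and consumers such as the `AUTHENTIK_VAULT_CLIENT_SECRET` wiring in the first hunk will fail until an operator runs `vault operator init` / `vault operator unseal`. `VAULT_ADDR` and `VAULT_API_ADDR` also point at plain `http://127.0.0.1:8200`, so client traffic to Vault stays cleartext; that matches the new config file but should be a documented decision rather than an implicit one. Suggested comment above `command:`: `# Raft/server mode: Vault must be initialised once and unsealed after every restart; API is plain HTTP on the container network`. The enclosing service definition starts before the hunk.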


@@ -63,11 +63,11 @@ services:
GF_AUTH_GENERIC_OAUTH_ENABLED: true
GF_AUTH_GENERIC_OAUTH_NAME: Authentik
GF_AUTH_GENERIC_OAUTH_CLIENT_ID: ${GRAFANA_OAUTH_CLIENT_ID}
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: ${GRAFANA_OAUTH_CLIENT_SECRET}
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: ${AUTHENTIK_GRAFANA_CLIENT_SECRET}
GF_AUTH_GENERIC_OAUTH_SCOPES: openid profile email groups
GF_AUTH_GENERIC_OAUTH_AUTH_URL: https://auth.${DOMAIN}/application/o/authorize/
GF_AUTH_GENERIC_OAUTH_TOKEN_URL: https://auth.${DOMAIN}/application/o/token/
GF_AUTH_GENERIC_OAUTH_API_URL: https://auth.${DOMAIN}/application/o/userinfo/
GF_AUTH_GENERIC_OAUTH_TOKEN_URL: http://apa-authentik-server:9000/application/o/token/
GF_AUTH_GENERIC_OAUTH_API_URL: http://apa-authentik-server:9000/application/o/userinfo/
GF_AUTH_GENERIC_OAUTH_AUTO_LOGIN: false
GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP: true
GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: role
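Review bot: The replaced `GF_AUTH_GENERIC_OAUTH_TOKEN_URL` and `GF_AUTH_GENERIC_OAUTH_API_URL` now use `http://apa-authentik-server:9000/...`, so Grafana's back-channel token exchange (which carries the OAuth client secret and the returned access token) and the userinfo call run in cleartext over the container network, while `GF_AUTH_GENERIC_OAUTH_AUTH_URL` still goes through `https://auth.${DOMAIN}`. That is workable only if every container on that network is trusted; otherwise keep the back-channel on the TLS host (with its CA trusted by Grafana) or confirm the network is isolated. Either way the split should be explained in place, e.g. `# Front-channel (browser) via public https host; back-channel via internal http — network is private` above the TOKEN_URL line. Whether the `GRAFANA_OAUTH_CLIENT_SECRET` → `AUTHENTIK_GRAFANA_CLIENT_SECRET` rename is mirrored in the `.env`/secret source is not visible here. The enclosing service definition starts before the hunk.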


@@ -0,0 +1,13 @@
storage "raft" {
path = "/vault/data"
node_id = "node1"
}
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = "true"
}
api_addr = "http://127.0.0.1:8200"
cluster_addr = "https://127.0.0.1:8201"
ui = true
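Review bot: The `listener "tcp"` block binds `0.0.0.0:8200` with `tls_disable = "true"`, so the Vault API — including the root token returned by `vault operator init` and every token the services use — is reachable in cleartext from anything that can reach the container. If TLS is meant to be terminated by a proxy or the network is private, say so; otherwise set `tls_cert_file`/`tls_key_file` on the listener and drop `tls_disable`. `api_addr = "http://127.0.0.1:8200"` is also the address Vault advertises to clients, which other containers presumably cannot reach; for a single node this mostly affects redirects, but it deserves a comment. Suggested header comment: `# Single-node raft; TLS disabled on the listener — acceptable only on an isolated container network, see the compose vault service`.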