feat: working infra with sso

This commit is contained in:
harkon
2025-12-04 12:49:43 +02:00
parent 67de982754
commit 7e54ee9099
13 changed files with 329 additions and 222 deletions


@@ -167,6 +167,7 @@ entries:
- !KeyOf scope_email
- !KeyOf scope_groups
- !KeyOf scope_offline
- !KeyOf scope_minio_policy
authorization_flow: !KeyOf default_authz_flow
invalidation_flow: !KeyOf default_inval_flow
@@ -258,6 +259,31 @@ entries:
# Default to Viewer role
return "Viewer"
# Custom Scope Mapping for MinIO
- id: scope_minio_policy
model: authentik_providers_oauth2.scopemapping
state: present
identifiers:
name: "MinIO Policy Mapping"
attrs:
name: "MinIO Policy Mapping"
description: "Maps Authentik groups to MinIO policies"
scope_name: "minio"
expression: |
# Map Authentik groups to MinIO policies
user_groups = [group.name for group in request.user.ak_groups.all()]
# Admin policy mapping
if "Administrators" in user_groups:
return {"policy": ["consoleAdmin"]}
# Default to readwrite for other known groups
if "Tax Reviewers" in user_groups or "Accountants" in user_groups:
return {"policy": ["readwrite"]}
# Default fallback
return {"policy": ["readonly"]}
- model: authentik_providers_oauth2.oauth2provider
state: present
identifiers:
@@ -340,3 +366,78 @@ entries:
target: !Find [authentik_core.application, [slug, "grafana-prod"]]
attrs:
order: 0
# --- Qdrant (Production) ---------------------------------------------------
- id: provider_qdrant
model: authentik_providers_proxy.proxyprovider
state: present
identifiers:
name: "Qdrant (Production)"
attrs:
external_host: "https://qdrant.app.harkon.co.uk:8444"
authorization_flow: !KeyOf default_authz_flow
invalidation_flow: !KeyOf default_inval_flow
mode: "forward_single"
- model: authentik_core.application
state: present
identifiers:
slug: "qdrant-prod"
attrs:
name: "Qdrant (Production)"
provider: !KeyOf provider_qdrant
meta_launch_url: "https://qdrant.app.harkon.co.uk:8444/dashboard"
meta_description: "Vector Database Dashboard"
meta_publisher: "AI Tax Agent"
policy_engine_mode: "any"
# --- Neo4j (Production) ----------------------------------------------------
- id: provider_neo4j
model: authentik_providers_proxy.proxyprovider
state: present
identifiers:
name: "Neo4j (Production)"
attrs:
external_host: "https://neo4j.app.harkon.co.uk:8444"
authorization_flow: !KeyOf default_authz_flow
invalidation_flow: !KeyOf default_inval_flow
mode: "forward_single"
- model: authentik_core.application
state: present
identifiers:
slug: "neo4j-prod"
attrs:
name: "Neo4j (Production)"
provider: !KeyOf provider_neo4j
meta_launch_url: "https://neo4j.app.harkon.co.uk:8444"
meta_description: "Knowledge Graph Browser"
meta_publisher: "AI Tax Agent"
policy_engine_mode: "any"
# --- Policy Bindings for New Apps ------------------------------------------
- model: authentik_policies.policybinding
state: present
identifiers:
policy: !KeyOf policy_always_allow
target: !Find [authentik_core.application, [slug, "qdrant-prod"]]
attrs:
order: 0
- model: authentik_policies.policybinding
state: present
identifiers:
policy: !KeyOf policy_always_allow
target: !Find [authentik_core.application, [slug, "neo4j-prod"]]
attrs:
order: 0
# --- Outpost Assignment ----------------------------------------------------
- model: authentik_outposts.outpost
state: present
identifiers:
name: "authentik Embedded Outpost"
attrs:
providers:
- !KeyOf provider_qdrant
- !KeyOf provider_neo4j