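# FILE: infra/base/authentik/bootstrap-prod.yaml
# Authentik Bootstrap for Production (app.harkon.co.uk)
#
# Declares one OAuth2/OIDC provider + application pair per downstream service
# (API, MinIO, Vault, Grafana) and binds an "Always Allow" policy to each.
#
# Client secrets are read from the environment only (!Env with no fallback).
# The previous "changeme-*" defaults meant that a missing variable silently
# provisioned a known, guessable secret on the production realm.
# NOTE(review): confirm that an unset variable makes the apply fail rather
# than writing an empty secret — verify against the authentik version in use.
version: 1
metadata:
  name: AI Tax Agent — Production Bootstrap
entries:
  # --- AI Tax Agent API (Production) -----------------------------------------
  - model: authentik_providers_oauth2.oauth2provider
    state: present
    identifiers:
      name: "AI Tax Agent API (Production)"
    attrs:
      client_id: "ai-tax-agent-api-prod"
      # Required at apply time; no fallback value on purpose.
      client_secret: !Env AUTHENTIK_API_CLIENT_SECRET
      authorization_grant_type: "authorization-code"
      client_type: "confidential"
      issuer_mode: "per_provider"
      sub_mode: "hashed_user_id"
      include_claims_in_id_token: true
      # NOTE(review): tokens are signed with authentik's bundled self-signed
      # key pair; a dedicated, rotated signing key is usual for production.
      signing_key: !Find [
        authentik_crypto.certificatekeypair,
        [name, "authentik Self-signed Certificate"],
      ]
      # strict: the callback URL must match exactly (no regex/prefix match).
      redirect_uris:
        - matching_mode: strict
          url: "https://api.app.harkon.co.uk/auth/callback"
      scope_mappings:
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "openid"]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "profile"]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "email"]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "groups"]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "offline_access"]]
      authorization_flow: !Find [authentik_flows.flow, [slug, "default-authentication-flow"]]
      invalidation_flow: !Find [authentik_flows.flow, [slug, "default-invalidation-flow"]]

  - model: authentik_core.application
    state: present
    identifiers:
      slug: "ai-tax-agent-api-prod"
    attrs:
      name: "AI Tax Agent API (Production)"
      provider: !Find [
        authentik_providers_oauth2.oauth2provider,
        [name, "AI Tax Agent API (Production)"],
      ]
      meta_launch_url: "https://api.app.harkon.co.uk"
      meta_description: "AI Tax Agent API Services (Production)"
      meta_publisher: "AI Tax Agent"
      # "any": a single passing policy binding grants access (see Policies).
      policy_engine_mode: "any"

  # --- MinIO (Production) ----------------------------------------------------
  - model: authentik_providers_oauth2.oauth2provider
    state: present
    identifiers:
      name: "MinIO (Production)"
    attrs:
      client_id: "minio-prod"
      # Required at apply time; no fallback value on purpose.
      client_secret: !Env AUTHENTIK_MINIO_CLIENT_SECRET
      authorization_grant_type: "authorization-code"
      client_type: "confidential"
      issuer_mode: "per_provider"
      sub_mode: "hashed_user_id"
      include_claims_in_id_token: true
      signing_key: !Find [
        authentik_crypto.certificatekeypair,
        [name, "authentik Self-signed Certificate"],
      ]
      redirect_uris:
        - matching_mode: strict
          url: "https://minio.app.harkon.co.uk/oauth_callback"
      scope_mappings:
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "openid"]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "profile"]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "email"]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "groups"]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "offline_access"]]
      authorization_flow: !Find [authentik_flows.flow, [slug, "default-authentication-flow"]]
      invalidation_flow: !Find [authentik_flows.flow, [slug, "default-invalidation-flow"]]

  - model: authentik_core.application
    state: present
    identifiers:
      slug: "minio-prod"
    attrs:
      name: "MinIO (Production)"
      provider: !Find [
        authentik_providers_oauth2.oauth2provider,
        [name, "MinIO (Production)"],
      ]
      meta_launch_url: "https://minio.app.harkon.co.uk"
      meta_description: "Object storage console (Production)"
      meta_publisher: "AI Tax Agent"
      policy_engine_mode: "any"

  # --- Vault (Production) ----------------------------------------------------
  - model: authentik_providers_oauth2.oauth2provider
    state: present
    identifiers:
      name: "Vault (Production)"
    attrs:
      client_id: "vault-prod"
      # Required at apply time; no fallback value on purpose.
      client_secret: !Env AUTHENTIK_VAULT_CLIENT_SECRET
      authorization_grant_type: "authorization-code"
      client_type: "confidential"
      issuer_mode: "per_provider"
      sub_mode: "hashed_user_id"
      include_claims_in_id_token: true
      signing_key: !Find [
        authentik_crypto.certificatekeypair,
        [name, "authentik Self-signed Certificate"],
      ]
      # Two callbacks: the Vault UI login and the CLI/API OIDC callback.
      redirect_uris:
        - matching_mode: strict
          url: "https://vault.app.harkon.co.uk/ui/vault/auth/oidc/oidc/callback"
        - matching_mode: strict
          url: "https://vault.app.harkon.co.uk/oidc/callback"
      scope_mappings:
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "openid"]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "profile"]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "email"]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "groups"]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "offline_access"]]
      authorization_flow: !Find [authentik_flows.flow, [slug, "default-authentication-flow"]]
      invalidation_flow: !Find [authentik_flows.flow, [slug, "default-invalidation-flow"]]

  - model: authentik_core.application
    state: present
    identifiers:
      slug: "vault-prod"
    attrs:
      name: "Vault (Production)"
      provider: !Find [
        authentik_providers_oauth2.oauth2provider,
        [name, "Vault (Production)"],
      ]
      meta_launch_url: "https://vault.app.harkon.co.uk"
      meta_description: "Secrets management (Vault) (Production)"
      meta_publisher: "AI Tax Agent"
      policy_engine_mode: "any"

  # --- Grafana (Production) --------------------------------------------------
  - model: authentik_providers_oauth2.oauth2provider
    state: present
    identifiers:
      name: "Grafana (Production)"
    attrs:
      client_id: "grafana-prod"
      # Required at apply time; no fallback value on purpose.
      client_secret: !Env AUTHENTIK_GRAFANA_CLIENT_SECRET
      client_type: "confidential"
      # Same list-of-mappings form as the other providers in this file
      # (previously a bare string, which differed from the rest of the file).
      redirect_uris:
        - matching_mode: strict
          url: "https://grafana.app.harkon.co.uk/login/generic_oauth"
      sub_mode: "hashed_user_id"
      include_claims_in_id_token: true
      issuer_mode: "per_provider"
      signing_key: !Find [
        authentik_crypto.certificatekeypair,
        [name, "authentik Self-signed Certificate"],
      ]
      # NOTE(review): the other providers use the key `scope_mappings` for the
      # same purpose; confirm which key the target authentik version accepts
      # and use one key consistently across the file.
      property_mappings:
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "openid"]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "email"]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "profile"]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "groups"]]
        # Custom mapping defined outside this file; it must exist before this
        # blueprint is applied (this file does not create it).
        - !Find [authentik_providers_oauth2.scopemapping, [name, "Grafana Role Mapping"]]
      authorization_flow: !Find [authentik_flows.flow, [slug, "default-authentication-flow"]]
      invalidation_flow: !Find [authentik_flows.flow, [slug, "default-invalidation-flow"]]

  - model: authentik_core.application
    state: present
    identifiers:
      slug: "grafana-prod"
    attrs:
      name: "Grafana (Production)"
      provider: !Find [
        authentik_providers_oauth2.oauth2provider,
        [name, "Grafana (Production)"],
      ]
      meta_launch_url: "https://grafana.app.harkon.co.uk"
      meta_description: "Grafana monitoring (Production)"
      meta_publisher: "Grafana Labs"
      policy_engine_mode: "any"

  # --- Policies --------------------------------------------------------------
  # "Always Allow" (expression `return True`) is bound at order 0 to every
  # application above. Combined with policy_engine_mode "any", every
  # authenticated authentik user passes the application access check, so
  # per-application authorization rests entirely on the downstream service
  # (Vault/MinIO/Grafana role mapping).
  # TODO(review): replace with group-scoped policies per application so that
  # the Vault and MinIO consoles are not reachable by every account.
  - model: authentik_policies_expression.expressionpolicy
    state: present
    identifiers:
      name: "Always Allow"
    attrs:
      expression: "return True"

  - model: authentik_policies.policybinding
    state: present
    identifiers:
      policy: !Find [
        authentik_policies_expression.expressionpolicy,
        [name, "Always Allow"],
      ]
      target: !Find [authentik_core.application, [slug, "ai-tax-agent-api-prod"]]
    attrs:
      order: 0

  - model: authentik_policies.policybinding
    state: present
    identifiers:
      policy: !Find [
        authentik_policies_expression.expressionpolicy,
        [name, "Always Allow"],
      ]
      target: !Find [authentik_core.application, [slug, "minio-prod"]]
    attrs:
      order: 0

  - model: authentik_policies.policybinding
    state: present
    identifiers:
      policy: !Find [
        authentik_policies_expression.expressionpolicy,
        [name, "Always Allow"],
      ]
      target: !Find [authentik_core.application, [slug, "vault-prod"]]
    attrs:
      order: 0

  - model: authentik_policies.policybinding
    state: present
    identifiers:
      policy: !Find [
        authentik_policies_expression.expressionpolicy,
        [name, "Always Allow"],
      ]
      target: !Find [authentik_core.application, [slug, "grafana-prod"]]
    attrs:
      order: 0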