From 342fd7a9a69d9674fffeccd92e6f806cb9daba8f Mon Sep 17 00:00:00 2001
From: Jeroen Vijgen
Date: Sun, 12 Apr 2026 21:58:38 +0000
Subject: [PATCH] HOTFIX: Authentik authentication fix for tandoor
---
 .../tandoor-service/.env.example | 9 ++++--
 .../tandoor-service/main.tf | 31 +++++++++++--------
 2 files changed, 25 insertions(+), 15 deletions(-)
diff --git a/modules/30-services-software/tandoor-service/.env.example b/modules/30-services-software/tandoor-service/.env.example
index 31c7be6..7bfc6cf 100644
--- a/modules/30-services-software/tandoor-service/.env.example
+++ b/modules/30-services-software/tandoor-service/.env.example
@@ -4,8 +4,13 @@
 # ---------------------------------------------------------------------------
 # Setup OpenID
-SOCIAL_PROVIDERS=
-SOCIALACCOUNT_PROVIDERS=
+SOCIAL_PROVIDERS=allauth.socialaccount.providers.openid_connect
+SOCIALACCOUNT_PROVIDERS='{"openid_connect":{"APPS":[{"provider_id":"myidp","name":"My Provider","client_id":"...","secret":"...","settings":{"server_url":"https://idp.example.com/.well-known/openid-configuration"}}]}}'
+ALLAUTH_TRUSTED_PROXY_COUNT=2
+SOCIALACCOUNT_ONLY=1 # Fully disable local auth, we have no need for local auth.
+SOCIALACCOUNT_LOGIN_ON_GET=1
+SOCIALACCOUNT_AUTO_SIGNUP=1
+SOCIALACCOUNT_EMAIL_AUTHENTICATION=1
 MEDIA_URL="/media/"
diff --git a/modules/30-services-software/tandoor-service/main.tf b/modules/30-services-software/tandoor-service/main.tf
index bcb812b..3c0f038 100644
--- a/modules/30-services-software/tandoor-service/main.tf
+++ b/modules/30-services-software/tandoor-service/main.tf
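Review bot: `SOCIALACCOUNT_EMAIL_AUTHENTICATION=1` together with `SOCIALACCOUNT_AUTO_SIGNUP=1` makes the identity provider's email claim the only thing that ties a sign-in to an existing Tandoor account, so the example should state that this is safe only when the IdP verifies addresses; I would add `# Requires an IdP that only releases verified email addresses; set to 0 otherwise.` above that line. `SOCIALACCOUNT_LOGIN_ON_GET=1` also lets a plain GET start the login handshake, which django-allauth's documentation advises against, so a one-line comment recording why that trade-off was accepted would help the next operator. The trailing comment on the `SOCIALACCOUNT_ONLY=1` line may end up inside the value if the dotenv parser in use does not strip inline comments; moving it to its own line above avoids the ambiguity. All of this assumes Tandoor passes these variables through to django-allauth unchanged, which the hunk does not show.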
@@ -37,19 +37,24 @@ locals {
 ]
 tandoor_env_vars = {
- SOCIAL_PROVIDERS = provider::dotenv::get_by_key("SOCIAL_PROVIDERS", local.env_file)
- SOCIALACCOUNT_PROVIDERS = provider::dotenv::get_by_key("SOCIALACCOUNT_PROVIDERS", local.env_file)
- ENABLE_SIGNUP = provider::dotenv::get_by_key("ENABLE_SIGNUP", local.env_file)
- MEDIA_URL = provider::dotenv::get_by_key("MEDIA_URL", local.env_file)
- SECRET_KEY = provider::dotenv::get_by_key("SECRET_KEY", local.env_file)
- DEBUG = provider::dotenv::get_by_key("DEBUG", local.env_file)
- ALLOWED_HOSTS = provider::dotenv::get_by_key("ALLOWED_HOSTS", local.env_file)
- DB_ENGINE = provider::dotenv::get_by_key("DB_ENGINE", local.env_file)
- POSTGRES_HOST = provider::dotenv::get_by_key("POSTGRES_HOST", local.env_file)
- POSTGRES_DB = provider::dotenv::get_by_key("POSTGRES_DB", local.env_file)
- POSTGRES_PORT = provider::dotenv::get_by_key("POSTGRES_PORT", local.env_file)
- POSTGRES_USER = provider::dotenv::get_by_key("POSTGRES_USER", local.env_file)
- POSTGRES_PASSWORD = provider::dotenv::get_by_key("POSTGRES_PASSWORD", local.env_file)
+ ALLAUTH_TRUSTED_PROXY_COUNT = provider::dotenv::get_by_key("ALLAUTH_TRUSTED_PROXY_COUNT", local.env_file)
+ SOCIAL_PROVIDERS = provider::dotenv::get_by_key("SOCIAL_PROVIDERS", local.env_file)
+ SOCIALACCOUNT_PROVIDERS = provider::dotenv::get_by_key("SOCIALACCOUNT_PROVIDERS", local.env_file)
+ SOCIALACCOUNT_ONLY = provider::dotenv::get_by_key("SOCIALACCOUNT_ONLY", local.env_file)
+ SOCIALACCOUNT_LOGIN_ON_GET = provider::dotenv::get_by_key("SOCIALACCOUNT_LOGIN_ON_GET", local.env_file)
+ SOCIALACCOUNT_AUTO_SIGNUP = provider::dotenv::get_by_key("SOCIALACCOUNT_AUTO_SIGNUP", local.env_file)
+ SOCIALACCOUNT_EMAIL_AUTHENTICATION = provider::dotenv::get_by_key("SOCIALACCOUNT_EMAIL_AUTHENTICATION", local.env_file)
+ ENABLE_SIGNUP = provider::dotenv::get_by_key("ENABLE_SIGNUP", local.env_file)
+ MEDIA_URL = provider::dotenv::get_by_key("MEDIA_URL", local.env_file)
+ SECRET_KEY = provider::dotenv::get_by_key("SECRET_KEY", local.env_file)
+ DEBUG = provider::dotenv::get_by_key("DEBUG", local.env_file)
+ ALLOWED_HOSTS = provider::dotenv::get_by_key("ALLOWED_HOSTS", local.env_file)
+ DB_ENGINE = provider::dotenv::get_by_key("DB_ENGINE", local.env_file)
+ POSTGRES_HOST = provider::dotenv::get_by_key("POSTGRES_HOST", local.env_file)
+ POSTGRES_DB = provider::dotenv::get_by_key("POSTGRES_DB", local.env_file)
+ POSTGRES_PORT = provider::dotenv::get_by_key("POSTGRES_PORT", local.env_file)
+ POSTGRES_USER = provider::dotenv::get_by_key("POSTGRES_USER", local.env_file)
+ POSTGRES_PASSWORD = provider::dotenv::get_by_key("POSTGRES_PASSWORD", local.env_file)
 }
 postgres_env_vars = {
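Review bot: `SOCIALACCOUNT_PROVIDERS` now carries the OIDC client secret (per the `.env.example` in this patch), and it sits in `tandoor_env_vars` next to `SECRET_KEY` and `POSTGRES_PASSWORD` with nothing in the visible lines marking any of them sensitive, so they may be printed in plan output depending on how the map is consumed. If the consumer permits it, wrap the secret-bearing entries, e.g. `SOCIALACCOUNT_PROVIDERS = sensitive(provider::dotenv::get_by_key("SOCIALACCOUNT_PROVIDERS", local.env_file))`. The new security toggles (`SOCIALACCOUNT_ONLY`, `SOCIALACCOUNT_LOGIN_ON_GET`, `SOCIALACCOUNT_AUTO_SIGNUP`, `SOCIALACCOUNT_EMAIL_AUTHENTICATION`) are read with no fallback, so it is worth confirming what `get_by_key` does when an existing env file lacks them; an absent `SOCIALACCOUNT_ONLY` would presumably leave local login enabled. The `locals` block begins and ends outside the hunk, so where the map is used cannot be seen here.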