feat: allow deletion of ressources via blueprints

2026-01-14 16:03:20 +01:00 · 2026-01-14 16:03:20 +01:00 · 3d3a09025a
commit 3d3a09025a
parent f8b9975ae4
4 changed files with 70 additions and 2 deletions
--- a/roles/authentik/README.md
+++ b/roles/authentik/README.md
@ -17,3 +17,12 @@ The role renders blueprints for:
 - Login screen sources (`authentik_login_source_ids`)

 Secrets are passed via `authentik_blueprint_env` using environment variable references.
+
+## Removing resources
+
+To remove resources from Authentik, move slugs to the removal lists:
+- `authentik_removed_oidc_apps`
+- `authentik_removed_proxy_apps`
+- `authentik_removed_local_users`
+
+After confirming deletion, remove the slug from the list.
--- a/roles/authentik/defaults/main.yml
+++ b/roles/authentik/defaults/main.yml
@ -111,3 +111,14 @@ authentik_local_users: []
 #   attributes:
 #     settings:
 #       locale: en
+
+# Resources to remove from Authentik (cleanup)
+# Add slugs/names here when removing from the lists above
+authentik_removed_oidc_apps: []
+# - grafana
+
+authentik_removed_proxy_apps: []
+# - whoami
+
+authentik_removed_local_users: []
+# - olduser
--- a/roles/authentik/tasks/main.yml
+++ b/roles/authentik/tasks/main.yml
@ -53,7 +53,8 @@
        (authentik_proxy_outposts | map(attribute='name') | map('regex_replace', '^(.*)$', '30-outpost-\1.yaml') | list) +
        (authentik_entra_sources | map(attribute='slug') | map('regex_replace', '^(.*)$', '20-source-entra-\1.yaml') | list) +
        ['21-login-sources.yaml'] +
-        ((authentik_local_users | length > 0) | ternary(['05-local-users.yaml'], []))
+        ((authentik_local_users | length > 0) | ternary(['05-local-users.yaml'], [])) +
+        (((authentik_removed_oidc_apps | length > 0) or (authentik_removed_proxy_apps | length > 0) or (authentik_removed_local_users | length > 0)) | ternary(['00-cleanup.yaml'], []))
      }}

 - name: Remove stale blueprint files
@ -110,6 +111,14 @@
  when: authentik_local_users | length > 0
  register: local_users_bp

+- name: Render cleanup blueprint
+  ansible.builtin.template:
+    src: blueprints/blueprint-cleanup.yaml.j2
+    dest: "{{ authentik_docker_volume_dir }}/blueprints/00-cleanup.yaml"
+    mode: "0644"
+  when: (authentik_removed_oidc_apps | length > 0) or (authentik_removed_proxy_apps | length > 0) or (authentik_removed_local_users | length > 0)
+  register: cleanup_bp
+
 - name: Create docker-compose file for authentik
  template:
    src: docker-compose.yml.j2
@ -129,5 +138,6 @@
         or (entra_bp is defined and (entra_bp.results | selectattr('changed') | list | length > 0))
         or (login_bp is defined and login_bp.changed)
         or (local_users_bp.changed | default(false))
+         or (cleanup_bp.changed | default(false))
        ) | ternary('always','auto')
      }}
--- a/roles/authentik/templates/blueprints/blueprint-cleanup.yaml.j2
+++ b/roles/authentik/templates/blueprints/blueprint-cleanup.yaml.j2
@ -0,0 +1,38 @@
+# yaml-language-server: $schema=https://goauthentik.io/blueprints/schema.json
+version: 1
+metadata:
+  name: "cleanup"
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+    blueprints.goauthentik.io/description: "Remove stale resources"
+
+entries:
+{% for slug in authentik_removed_oidc_apps %}
+  # Remove OIDC app: {{ slug }}
+  - model: authentik_core.application
+    state: absent
+    identifiers:
+      slug: {{ slug }}
+  - model: authentik_providers_oauth2.oauth2provider
+    state: absent
+    identifiers:
+      name: {{ slug }}
+{% endfor %}
+{% for slug in authentik_removed_proxy_apps %}
+  # Remove proxy app: {{ slug }}
+  - model: authentik_core.application
+    state: absent
+    identifiers:
+      slug: {{ slug }}
+  - model: authentik_providers_proxy.proxyprovider
+    state: absent
+    identifiers:
+      name: {{ slug }}
+{% endfor %}
+{% for username in authentik_removed_local_users %}
+  # Remove user: {{ username }}
+  - model: authentik_core.user
+    state: absent
+    identifiers:
+      username: {{ username }}
+{% endfor %}