From 438a41356af030b3961e6fcc7239028aa412e3b5 Mon Sep 17 00:00:00 2001
From: Bert-Jan Fikse
Date: Wed, 14 Jan 2026 14:05:05 +0100
Subject: [PATCH] feat: add ability to provision proxy apps using blueprints
---
 roles/authentik/defaults/main.yml | 13 ++++++-
 roles/authentik/tasks/main.yml | 8 +++++
 .../blueprints/blueprint-proxy-app.yaml.j2 | 36 +++++++++++++++++++
 3 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 roles/authentik/templates/blueprints/blueprint-proxy-app.yaml.j2
diff --git a/roles/authentik/defaults/main.yml b/roles/authentik/defaults/main.yml
index 92a17df..d7ca79c 100644
--- a/roles/authentik/defaults/main.yml
+++ b/roles/authentik/defaults/main.yml
@@ -33,7 +33,17 @@ authentik_log_level: "info"
 authentik_error_reporting_enabled: false
 # Blueprints
-# OIDC apps to provision
+authentik_proxy_apps: []
+# - slug: whoami
+# name: whoami
+# internal_host: "http://whoami:80"
+# external_host: "https://whoami.example.com"
+# skip_path_regex: |
+# ^/healthz$
+# flows:
+# authentication_slug: default-authentication-flow
+# authorization_slug: default-provider-authorization-implicit-consent
+# invalidation_slug: default-provider-invalidation-flow
 authentik_oidc_apps: []
 # - slug: grafana
@@ -48,6 +58,7 @@ authentik_oidc_apps: []
 # authorization_slug: default-provider-authorization-implicit-consent
 # invalidation_slug: default-provider-invalidation-flow
 # scopes: [openid, email, profile, offline_access]
+
 authentik_blueprint_env: []
 # GRAFANA_OIDC_CLIENT_ID: "grafana"
 # GRAFANA_OIDC_CLIENT_SECRET: "{{ vault_grafana_oidc_secret }}"
\ No newline at end of file
diff --git a/roles/authentik/tasks/main.yml b/roles/authentik/tasks/main.yml
index 134245e..dd9aa2e 100644
--- a/roles/authentik/tasks/main.yml
+++ b/roles/authentik/tasks/main.yml
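Review bot: The `# OIDC apps to provision` comment that described `authentik_oidc_apps` is removed and nothing describes the new `authentik_proxy_apps` list, so both variables now sit without an explanation of what one entry provisions. I would restore that comment and put `# Proxy apps to provision (one blueprint with a proxy provider + application per entry)` above `authentik_proxy_apps`, and mark `name`, `skip_path_regex` and `flows` as optional in the example, since the template falls back to the slug and to the default flow slugs when they are absent (omitting `flows` entirely relies on Ansible's undefined being chainable, so the example is the right place to say so). The example's `skip_path_regex: |` also keeps a trailing newline in the value; `skip_path_regex: |-` would make the value end with the last pattern rather than an empty line.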
@@ -46,6 +46,14 @@
 loop: "{{ authentik_oidc_apps }}"
 register: oidc_templates
+- name: Render Proxy blueprints
+ ansible.builtin.template:
+ src: blueprints/blueprint-proxy-app.yaml.j2
+ dest: "{{ authentik_docker_volume_dir }}/blueprints/20-proxy-{{ item.slug }}.yaml"
+ mode: "0644"
+ loop: "{{ authentik_proxy_apps }}"
+ register: proxy_templates
+
 - name: Create docker-compose file for authentik
 template:
 src: docker-compose.yml.j2
diff --git a/roles/authentik/templates/blueprints/blueprint-proxy-app.yaml.j2 b/roles/authentik/templates/blueprints/blueprint-proxy-app.yaml.j2
new file mode 100644
index 0000000..5e29756
--- /dev/null
+++ b/roles/authentik/templates/blueprints/blueprint-proxy-app.yaml.j2
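Review bot: Removing an entry from `authentik_proxy_apps` does not remove the `20-proxy-<slug>.yaml` this task rendered earlier, so a de-provisioned app's blueprint stays in the blueprints directory and, if authentik keeps applying every file it finds there (which the `instantiate: "true"` label in the new template suggests), the proxy provider and application continue to exist; either a cleanup step (`ansible.builtin.find` for `20-proxy-*.yaml` files not produced from the current list, then `ansible.builtin.file` with `state: absent`) or a comment documenting the limitation is missing. The slug is also spliced into `dest` without validation, and the template emits it unquoted into YAML, so a guard before the loop that only accepts lowercase letters, digits and hyphens keeps both the file path and the generated blueprint well-formed. `register: proxy_templates` mirrors `oidc_templates`; whether it is consumed later is outside this hunk.
```yaml
- name: Validate proxy app slugs
  ansible.builtin.assert:
    that:
      - item.slug | default('') is match('^[a-z0-9][a-z0-9-]*$')
    fail_msg: "authentik_proxy_apps entry has an invalid or missing slug: {{ item.slug | default('<missing>') }}"
  loop: "{{ authentik_proxy_apps }}"

# … unchanged: Render Proxy blueprints task …
```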
@@ -0,0 +1,36 @@
+# yaml-language-server: $schema=https://goauthentik.io/blueprints/schema.json
+version: 1
+metadata:
+ name: "proxy-{{ item.slug }}"
+ labels:
+ blueprints.goauthentik.io/instantiate: "true"
+ blueprints.goauthentik.io/description: "Proxy provider + application for {{ item.slug }}"
+
+entries:
+ - model: authentik_providers_proxy.proxyprovider
+ id: proxy-provider-{{ item.slug }}
+ identifiers:
+ name: {{ item.slug }}
+ attrs:
+ name: {{ item.slug }}
+
+ authentication_flow: !Find [authentik_flows.flow, [slug, {{ item.flows.authentication_slug | default('default-authentication-flow') }}]]
+ authorization_flow: !Find [authentik_flows.flow, [slug, {{ item.flows.authorization_slug | default('default-provider-authorization-implicit-consent') }}]]
+ invalidation_flow: !Find [authentik_flows.flow, [slug, {{ item.flows.invalidation_slug | default('default-provider-invalidation-flow') }}]]
+
+ internal_host: "{{ item.internal_host }}"
+ external_host: "{{ item.external_host }}"
+
+{% if item.skip_path_regex is defined and item.skip_path_regex|length > 0 %}
+ skip_path_regex: |
+{{ item.skip_path_regex | indent(8, true) }}
+{% endif %}
+
+ - model: authentik_core.application
+ id: app-{{ item.slug }}
+ identifiers:
+ slug: {{ item.slug }}
+ attrs:
+ name: "{{ item.name | default(item.slug) }}"
+ slug: {{ item.slug }}
+ provider: !KeyOf proxy-provider-{{ item.slug }}
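Review bot: `skip_path_regex: |` keeps one trailing newline, so whenever `item.skip_path_regex` itself ends with a newline (which the `|` block in the defaults example produces) the provider receives a pattern list whose last entry is empty; if the outpost compiles every newline-separated entry as-is, an empty pattern matches every path and would switch off authentication for the whole application — I have not confirmed that authentik filters empty entries, so `skip_path_regex: |-` (or `{{ item.skip_path_regex | trim | indent(8, true) }}`) is the safe form either way. `name: {{ item.slug }}` under `identifiers`/`attrs`, both `slug: {{ item.slug }}` lines and the flow slugs inside the `!Find [...]` sequences are emitted unquoted, so a slug such as `no`, `on` or an all-digit value is typed as a boolean or number by the blueprint loader and the `identifiers` lookup no longer matches a string; quote them the way `internal_host` and `external_host` already are, e.g. `slug: "{{ item.slug }}"`.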