feat(authentik): split-horizon host rewrite + proxy-app mode/group bindings

* `authentik_host_rewrite_domains`: extra hostnames that reach the authentik container but make it generate URLs (OIDC issuer, reset links) as if requested from the canonical `authentik_domains[0]`. Each entry gets its own traefik router and a URL-based loadbalancer service that disables passHostHeader and pins X-Forwarded-Host via middleware, so server-to-server calls on internal FQDNs keep traffic in the LAN while the iss claim stays aligned with the public host. Uses a network alias on the canonical FQDN so traefik (sharing the network) resolves the URL upstream to this very container. * proxy-app blueprint: - `mode` (default `forward_single`) lets callers pick between proxy, forward_single and forward_domain providers in one template. - `allowed_groups`: when set, emit one PolicyBinding per group on the application; authentik OR-evaluates bindings, so users in any listed group pass and others are denied. Existing inventories with an empty list see no behavioural change.
2026-05-26 14:03:05 +02:00 · 2026-05-26 14:03:05 +02:00 · 6411f94cce
commit 6411f94cce
parent 99d8968a2e
3 changed files with 73 additions and 2 deletions
--- a/roles/authentik/templates/blueprints/blueprint-proxy-app.yaml.j2
+++ b/roles/authentik/templates/blueprints/blueprint-proxy-app.yaml.j2
@ -20,6 +20,16 @@ entries:

      internal_host: "{{ item.internal_host }}"
      external_host: "{{ item.external_host }}"
+{# Provider mode controls how authentik treats the proxy app:
+   - proxy          : the outpost itself proxies traffic to internal_host
+   - forward_single : a single app behind an external reverse proxy
+                      (traefik forwardauth talks to authentik per-domain)
+   - forward_domain : wildcard mode — one provider guards every host on a
+                      cookie domain; configure forward_auth_mode=domain on
+                      the outpost in that case. Default to forward_single
+                      since that's the common ForwardAuth-with-traefik
+                      pattern. #}
+      mode: {{ item.mode | default('forward_single') }}

 {% if item.skip_path_regex is defined and item.skip_path_regex|length > 0 %}
      skip_path_regex: |
@ -34,3 +44,20 @@ entries:
      name: "{{ item.name | default(item.slug) }}"
      slug: {{ item.slug }}
      provider: !KeyOf proxy-provider-{{ item.slug }}
+
+{% if item.allowed_groups is defined and item.allowed_groups | length > 0 %}
+{# Restrict access to listed groups: one PolicyBinding per group, all bound
+   to the application. Authentik treats multiple bindings on the same target
+   as OR (a user matching any binding passes), and a request from a user in
+   none of the bound groups is denied. #}
+{%   for group_name in item.allowed_groups %}
+  - model: authentik_policies.policybinding
+    identifiers:
+      target: !KeyOf app-{{ item.slug }}
+      order: {{ loop.index0 }}
+      group: !Find [authentik_core.group, [name, "{{ group_name }}"]]
+    attrs:
+      enabled: true
+      negate: false
+{%   endfor %}
+{% endif %}