From 8f02dd774f79d54be8338bb30d9b1e30109511e5 Mon Sep 17 00:00:00 2001
From: Bert-Jan Fikse
Date: Wed, 14 Jan 2026 16:03:20 +0100
Subject: [PATCH] feat: allow deletion of ressources via blueprints

---
 roles/authentik/README.md | 11 ++++++++++-
 roles/authentik/defaults/main.yml | 11 +++++++++++
 roles/authentik/tasks/main.yml | 12 +++++++++++-
 3 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/roles/authentik/README.md b/roles/authentik/README.md
index 2fb18d1..8311190 100644
--- a/roles/authentik/README.md
+++ b/roles/authentik/README.md
@@ -16,4 +16,13 @@ The role renders blueprints for:
 - Entra ID sources (`authentik_entra_sources`)
 - Login screen sources (`authentik_login_source_ids`)
 
-Secrets are passed via `authentik_blueprint_env` using environment variable references.
\ No newline at end of file
+Secrets are passed via `authentik_blueprint_env` using environment variable references.
+
+## Removing resources
+
+To remove resources from Authentik, move slugs to the removal lists:
+- `authentik_removed_oidc_apps`
+- `authentik_removed_proxy_apps`
+- `authentik_removed_local_users`
+
+After confirming deletion, remove the slug from the list.
\ No newline at end of file
diff --git a/roles/authentik/defaults/main.yml b/roles/authentik/defaults/main.yml
index 8ac0785..85e8a15 100644
--- a/roles/authentik/defaults/main.yml
+++ b/roles/authentik/defaults/main.yml
@@ -111,3 +111,14 @@ authentik_local_users: []
 # attributes:
 # settings:
 # locale: en
+
+# Resources to remove from Authentik (cleanup)
+# Add slugs/names here when removing from the lists above
+authentik_removed_oidc_apps: []
+# - grafana
+
+authentik_removed_proxy_apps: []
+# - whoami
+
+authentik_removed_local_users: []
+# - olduser
diff --git a/roles/authentik/tasks/main.yml b/roles/authentik/tasks/main.yml
index 5a28a69..83805ad 100644
--- a/roles/authentik/tasks/main.yml
+++ b/roles/authentik/tasks/main.yml
@@ -53,7 +53,8 @@
 (authentik_proxy_outposts | map(attribute='name') | map('regex_replace', '^(.*)$', '30-outpost-\1.yaml') | list) +
 (authentik_entra_sources | map(attribute='slug') | map('regex_replace', '^(.*)$', '20-source-entra-\1.yaml') | list) +
 ['21-login-sources.yaml'] +
- ((authentik_local_users | length > 0) | ternary(['05-local-users.yaml'], []))
+ ((authentik_local_users | length > 0) | ternary(['05-local-users.yaml'], [])) +
+ (((authentik_removed_oidc_apps | length > 0) or (authentik_removed_proxy_apps | length > 0) or (authentik_removed_local_users | length > 0)) | ternary(['00-cleanup.yaml'], []))
 }}
 
 - name: Remove stale blueprint files
@@ -110,6 +111,14 @@
 when: authentik_local_users | length > 0
 register: local_users_bp
 
+- name: Render cleanup blueprint
+ ansible.builtin.template:
+ src: blueprints/blueprint-cleanup.yaml.j2
+ dest: "{{ authentik_docker_volume_dir }}/blueprints/00-cleanup.yaml"
+ mode: "0644"
+ when: (authentik_removed_oidc_apps | length > 0) or (authentik_removed_proxy_apps | length > 0) or (authentik_removed_local_users | length > 0)
+ register: cleanup_bp
+
 - name: Create docker-compose file for authentik
 template:
 src: docker-compose.yml.j2
@@ -129,5 +138,6 @@
 or (entra_bp is defined and (entra_bp.results | selectattr('changed') | list | length > 0))
 or (login_bp is defined and login_bp.changed)
 or (local_users_bp.changed | default(false))
+ or (cleanup_bp.changed | default(false))
 ) | ternary('always','auto')
 }}
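Review bot: The new `Render cleanup blueprint` task references `src: blueprints/blueprint-cleanup.yaml.j2`, but no such template is part of this patch (the diffstat lists only the README, defaults and tasks files), so unless it already exists in the role the task will fail at runtime with a missing-template error and the deletion feature is untestable from this commit alone. Its `when:` condition also duplicates the three-way length check embedded in the blueprint filename list in the previous hunk; computing it once, e.g. `authentik_cleanup_enabled: "{{ (authentik_removed_oidc_apps + authentik_removed_proxy_apps + authentik_removed_local_users) | length > 0 }}"`, and using that fact in both places would keep them in step when another removal list is added. Because the rendered blueprint is destructive, it would be worth asserting before this task that no entry in a removal list also appears in the corresponding active list (for example a user declared in `authentik_local_users` whose name is also in `authentik_removed_local_users`); otherwise one run both declares and deletes the same object and the result depends on which blueprint authentik applies last.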