From b00a051b9d0f050888d325bfa14d8da82d962b35 Mon Sep 17 00:00:00 2001
From: Bert-Jan Fikse
Date: Wed, 14 Jan 2026 16:23:52 +0100
Subject: [PATCH] chore: add blueprint stuff to seperate task file

---
 roles/authentik/tasks/blueprints.yml | 97 ++++++++++++++++++++++++++++
 roles/authentik/tasks/main.yml | 95 +--------------------------
 2 files changed, 100 insertions(+), 92 deletions(-)
 create mode 100644 roles/authentik/tasks/blueprints.yml

diff --git a/roles/authentik/tasks/blueprints.yml b/roles/authentik/tasks/blueprints.yml
new file mode 100644
index 0000000..58c8b19
--- /dev/null
+++ b/roles/authentik/tasks/blueprints.yml
@@ -0,0 +1,97 @@
+#SPDX-License-Identifier: MIT-0
+---
+# Blueprint rendering tasks for authentik
+
+- name: Find existing blueprint files
+ find:
+ paths: "{{ authentik_docker_volume_dir }}/blueprints"
+ patterns: "*.yaml"
+ register: existing_blueprints
+
+- name: Build list of expected blueprint files
+ set_fact:
+ expected_blueprints: >-
+ {{
+ (authentik_oidc_apps | map(attribute='slug') | map('regex_replace', '^(.*)$', '10-oidc-\1.yaml') | list) +
+ (authentik_proxy_apps | map(attribute='slug') | map('regex_replace', '^(.*)$', '20-proxy-\1.yaml') | list) +
+ (authentik_proxy_outposts | map(attribute='name') | map('regex_replace', '^(.*)$', '30-outpost-\1.yaml') | list) +
+ (authentik_entra_sources | map(attribute='slug') | map('regex_replace', '^(.*)$', '20-source-entra-\1.yaml') | list) +
+ ['21-login-sources.yaml'] +
+ ((authentik_local_users | length > 0) | ternary(['05-local-users.yaml'], [])) +
+ (((authentik_removed_oidc_apps | length > 0) or (authentik_removed_proxy_apps | length > 0) or (authentik_removed_local_users | length > 0)) | ternary(['00-cleanup.yaml'], []))
+ }}
+
+- name: Remove stale blueprint files
+ file:
+ path: "{{ item.path }}"
+ state: absent
+ loop: "{{ existing_blueprints.files }}"
+ when: item.path | basename not in expected_blueprints
+
+- name: Render OIDC blueprints
+ ansible.builtin.template:
+ src: blueprints/blueprint-oidc-app.yaml.j2
+ dest: "{{ authentik_docker_volume_dir }}/blueprints/10-oidc-{{ item.slug }}.yaml"
+ mode: "0644"
+ loop: "{{ authentik_oidc_apps }}"
+ register: oidc_templates
+
+- name: Render Proxy blueprints
+ ansible.builtin.template:
+ src: blueprints/blueprint-proxy-app.yaml.j2
+ dest: "{{ authentik_docker_volume_dir }}/blueprints/20-proxy-{{ item.slug }}.yaml"
+ mode: "0644"
+ loop: "{{ authentik_proxy_apps }}"
+ register: proxy_templates
+
+- name: Render outpost blueprints
+ ansible.builtin.template:
+ src: blueprints/outpost-proxy.yaml.j2
+ dest: "{{ authentik_docker_volume_dir }}/blueprints/30-outpost-{{ item.name }}.yaml"
+ mode: "0644"
+ loop: "{{ authentik_proxy_outposts }}"
+ register: outpost_bp
+
+- name: Render Entra source blueprints
+ ansible.builtin.template:
+ src: blueprints/blueprint-source-entra.yaml.j2
+ dest: "{{ authentik_docker_volume_dir }}/blueprints/20-source-entra-{{ item.slug }}.yaml"
+ mode: "0644"
+ loop: "{{ authentik_entra_sources }}"
+ register: entra_bp
+
+- name: Render login stage sources blueprint
+ ansible.builtin.template:
+ src: blueprints/blueprint-login-sources.yaml.j2
+ dest: "{{ authentik_docker_volume_dir }}/blueprints/21-login-sources.yaml"
+ mode: "0644"
+ register: login_bp
+
+- name: Render local users blueprint
+ ansible.builtin.template:
+ src: blueprints/blueprint-local-users.yaml.j2
+ dest: "{{ authentik_docker_volume_dir }}/blueprints/05-local-users.yaml"
+ mode: "0644"
+ when: authentik_local_users | length > 0
+ register: local_users_bp
+
+- name: Render cleanup blueprint
+ ansible.builtin.template:
+ src: blueprints/blueprint-cleanup.yaml.j2
+ dest: "{{ authentik_docker_volume_dir }}/blueprints/00-cleanup.yaml"
+ mode: "0644"
+ when: (authentik_removed_oidc_apps | length > 0) or (authentik_removed_proxy_apps | length > 0) or (authentik_removed_local_users | length > 0)
+ register: cleanup_bp
+
+- name: Set blueprints_changed fact
+ set_fact:
+ blueprints_changed: >-
+ {{
+ (oidc_templates is defined and (oidc_templates.results | selectattr('changed') | list | length > 0))
+ or (proxy_templates is defined and (proxy_templates.results | selectattr('changed') | list | length > 0))
+ or (outpost_bp is defined and (outpost_bp.results | selectattr('changed') | list | length > 0))
+ or (entra_bp is defined and (entra_bp.results | selectattr('changed') | list | length > 0))
+ or (login_bp is defined and login_bp.changed)
+ or (local_users_bp.changed | default(false))
+ or (cleanup_bp.changed | default(false))
+ }}
\ No newline at end of file
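Review bot: Every render task writes its blueprint with `mode: "0644"` and none of them sets `no_log`, while the Entra-source and local-users templates look likely to carry credentials (a client secret, initial user passwords) — the templates and variables are not visible in this hunk, so please confirm that. If they do, each loop item is echoed into the play output and the rendered files under the blueprints directory are world-readable on the host; `mode: "0640"` on the render tasks and `no_log: true` on the Entra-source and local-users tasks would keep that material out of logs and away from other local users. The `dest` paths are also built straight from `item.slug` / `item.name`, so a slug containing `/` or `..` would render outside the blueprints directory; an `ansible.builtin.assert` on the slugs before the first render task (e.g. `that: item.slug is match('^[A-Za-z0-9._-]+$')`) would make that impossible. Minor style point: the header comment `#SPDX-License-Identifier: MIT-0` lacks the space after `#` that yamllint's comments rule expects.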
diff --git a/roles/authentik/tasks/main.yml b/roles/authentik/tasks/main.yml
index 83805ad..a762969 100644
--- a/roles/authentik/tasks/main.yml
+++ b/roles/authentik/tasks/main.yml
@@ -38,86 +38,8 @@
 state: directory
 mode: '0755'
 
-- name: Find existing blueprint files
- find:
- paths: "{{ authentik_docker_volume_dir }}/blueprints"
- patterns: "*.yaml"
- register: existing_blueprints
-
-- name: Build list of expected blueprint files
- set_fact:
- expected_blueprints: >-
- {{
- (authentik_oidc_apps | map(attribute='slug') | map('regex_replace', '^(.*)$', '10-oidc-\1.yaml') | list) +
- (authentik_proxy_apps | map(attribute='slug') | map('regex_replace', '^(.*)$', '20-proxy-\1.yaml') | list) +
- (authentik_proxy_outposts | map(attribute='name') | map('regex_replace', '^(.*)$', '30-outpost-\1.yaml') | list) +
- (authentik_entra_sources | map(attribute='slug') | map('regex_replace', '^(.*)$', '20-source-entra-\1.yaml') | list) +
- ['21-login-sources.yaml'] +
- ((authentik_local_users | length > 0) | ternary(['05-local-users.yaml'], [])) +
- (((authentik_removed_oidc_apps | length > 0) or (authentik_removed_proxy_apps | length > 0) or (authentik_removed_local_users | length > 0)) | ternary(['00-cleanup.yaml'], []))
- }}
-
-- name: Remove stale blueprint files
- file:
- path: "{{ item.path }}"
- state: absent
- loop: "{{ existing_blueprints.files }}"
- when: item.path | basename not in expected_blueprints
-
-- name: Render OIDC blueprints
- ansible.builtin.template:
- src: blueprints/blueprint-oidc-app.yaml.j2
- dest: "{{ authentik_docker_volume_dir }}/blueprints/10-oidc-{{ item.slug }}.yaml"
- mode: "0644"
- loop: "{{ authentik_oidc_apps }}"
- register: oidc_templates
-
-- name: Render Proxy blueprints
- ansible.builtin.template:
- src: blueprints/blueprint-proxy-app.yaml.j2
- dest: "{{ authentik_docker_volume_dir }}/blueprints/20-proxy-{{ item.slug }}.yaml"
- mode: "0644"
- loop: "{{ authentik_proxy_apps }}"
- register: proxy_templates
-
-- name: Render outpost blueprints
- template:
- src: blueprints/outpost-proxy.yaml.j2
- dest: "{{ authentik_docker_volume_dir }}/blueprints/30-outpost-{{ item.name }}.yaml"
- mode: "0644"
- loop: "{{ authentik_proxy_outposts }}"
- register: outpost_bp
-
-- name: Render Entra source blueprints
- ansible.builtin.template:
- src: blueprints/blueprint-source-entra.yaml.j2
- dest: "{{ authentik_docker_volume_dir }}/blueprints/20-source-entra-{{ item.slug }}.yaml"
- mode: "0644"
- loop: "{{ authentik_entra_sources }}"
- register: entra_bp
-
-- name: Render login stage sources blueprint
- ansible.builtin.template:
- src: blueprints/blueprint-login-sources.yaml.j2
- dest: "{{ authentik_docker_volume_dir }}/blueprints/21-login-sources.yaml"
- mode: "0644"
- register: login_bp
-
-- name: Render local users blueprint
- ansible.builtin.template:
- src: blueprints/blueprint-local-users.yaml.j2
- dest: "{{ authentik_docker_volume_dir }}/blueprints/05-local-users.yaml"
- mode: "0644"
- when: authentik_local_users | length > 0
- register: local_users_bp
-
-- name: Render cleanup blueprint
- ansible.builtin.template:
- src: blueprints/blueprint-cleanup.yaml.j2
- dest: "{{ authentik_docker_volume_dir }}/blueprints/00-cleanup.yaml"
- mode: "0644"
- when: (authentik_removed_oidc_apps | length > 0) or (authentik_removed_proxy_apps | length > 0) or (authentik_removed_local_users | length > 0)
- register: cleanup_bp
+- name: Render blueprints
+ import_tasks: blueprints.yml
 
 - name: Create docker-compose file for authentik
 template:
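Review bot: The new `import_tasks: blueprints.yml` line is unqualified while the tasks it imports use `ansible.builtin.template`, so the role now mixes short and fully qualified module names; `ansible.builtin.import_tasks: blueprints.yml` keeps it consistent. Since the later docker-compose task in this file depends on a fact that only the imported file sets, a one-line comment above the task, `# blueprints.yml must set blueprints_changed; the compose task below reads it`, would make that coupling visible to the next editor. The surrounding task list continues outside the hunk.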
@@ -129,15 +51,4 @@
 community.docker.docker_compose_v2:
 project_src: "{{ authentik_docker_compose_dir }}"
 state: present
- recreate: >-
- {{
- (
- (oidc_templates is defined and (oidc_templates.results | selectattr('changed') | list | length > 0))
- or (proxy_templates is defined and (proxy_templates.results | selectattr('changed') | list | length > 0))
- or (outpost_bp is defined and (outpost_bp.results | selectattr('changed') | list | length > 0))
- or (entra_bp is defined and (entra_bp.results | selectattr('changed') | list | length > 0))
- or (login_bp is defined and login_bp.changed)
- or (local_users_bp.changed | default(false))
- or (cleanup_bp.changed | default(false))
- ) | ternary('always','auto')
- }}
+ recreate: "{{ blueprints_changed | ternary('always', 'auto') }}"
\ No newline at end of file
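Review bot: The new `recreate` line assumes `blueprints_changed` is always defined, but it is only produced by the `set_fact` in the imported blueprints.yml; if that task is skipped (a `--tags`/`--skip-tags` run, or the import later gaining a `when`), the compose task now fails on an undefined variable where the removed expression tolerated missing registers with `is defined` and `default(false)`. Falling back explicitly keeps the old tolerance: `recreate: "{{ blueprints_changed | default(false) | ternary('always', 'auto') }}"`. Separately, neither the old nor the new expression folds the result of the "Remove stale blueprint files" task into the decision, so deleting a stale blueprint never forces a recreate; whether that matters depends on how authentik picks up removed files, which this diff does not show.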