feat: add blueprints for authentik ldap outpost and render values directly instead of using env vars

Signed-off-by: Bert-Jan Fikse <bert-jan@whatwedo.ch>
2026-04-10 13:50:32 +02:00 · 2026-04-10 13:50:32 +02:00 · c27b4d9488
commit c27b4d9488
parent d25f1c5304
12 changed files with 323 additions and 86 deletions
--- a/roles/authentik/defaults/main.yml
+++ b/roles/authentik/defaults/main.yml
@ -13,7 +13,7 @@ authentik_docker_volume_dir: "{{ docker_volume_base_dir }}/{{ authentik_service_

 # Authentik service configuration
 authentik_domain: "authentik.local.test"
-authentik_image: "ghcr.io/goauthentik/server:2025.12.0"
+authentik_image: "ghcr.io/goauthentik/server:2026.2.2"
 authentik_port: 9000
 authentik_secret_key: "changeme-generate-a-random-string"

@ -57,11 +57,29 @@ authentik_proxy_outposts: []
 #     authentik_host_browser: "https://authentik.local.test/"
 #     log_level: "info"

+authentik_ldap_apps: []
+# - slug: ldap
+#   name: LDAP
+#   base_dn: "dc=local,dc=test"
+#   search_mode: cached    # cached | direct
+#   bind_mode: cached      # cached | direct
+#   search_group: null     # optional: group name whose members can search
+#   certificate: null      # optional: certificate name for LDAPS
+#   uid_start_number: 2000
+#   gid_start_number: 4000
+
+authentik_ldap_outpost: {}
+# name: "ldap-outpost"
+# token: "changeme"      # known token for outpost authentication
+# config:
+#   authentik_host: "https://authentik.local.test/"
+#   log_level: "info"
+
 authentik_oidc_apps: []
 # - slug: grafana
 #   name: Grafana
-#   client_id_env: GRAFANA_OIDC_CLIENT_ID
-#   client_secret_env: GRAFANA_OIDC_CLIENT_SECRET
+#   client_id: "grafana"
+#   client_secret: "changeme"
 #   redirect_uris:
 #     - url: "https://grafana.example.com/login/generic_oauth"
 #       matching_mode: strict
@ -71,21 +89,14 @@ authentik_oidc_apps: []
 #     invalidation_slug: default-provider-invalidation-flow
 #   scopes: [openid, email, profile, offline_access]

-authentik_blueprint_env: []
-# GRAFANA_OIDC_CLIENT_ID: "grafana"
-# GRAFANA_OIDC_CLIENT_SECRET: "{{ vault_grafana_oidc_secret }}"
-# ENTRA_TENANT_ID: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
-# ENTRA_CLIENT_ID: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
-# ENTRA_CLIENT_SECRET: "{{ vault_entra_client_secret }}"
-
 # Oauth sources
 authentik_entra_sources: []
 #  - slug: entra-id
 #    name: "Login with Entra"
 #    tenant_mode: single  # single | common
-#    tenant_id_env: ENTRA_TENANT_ID
-#    client_id_env: ENTRA_CLIENT_ID
-#    client_secret_env: ENTRA_CLIENT_SECRET
+#    tenant_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+#    client_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+#    client_secret: "changeme"
 #    scopes:
 #      - openid
 #      - profile
@ -105,12 +116,19 @@ authentik_login_user_fields:
  - username
  - email

+# Groups to provision
+authentik_groups: []
+# - name: admins
+# - name: editors
+#   is_superuser: false
+#   parent: null
+
 # Local users to provision
 authentik_local_users: []
 # - username: admin
 #   name: "Admin User"
 #   email: "admin@example.com"
-#   password_env: AUTHENTIK_ADMIN_PASSWORD  # reference env var in authentik_blueprint_env
+#   password: "changeme"
 #   is_active: true
 #   groups:
 #     - authentik Admins