feat: add blueprints for authentik ldap outpost and render values directly instead of using env vars

Signed-off-by: Bert-Jan Fikse <bert-jan@whatwedo.ch>
2026-04-10 13:50:32 +02:00 · 2026-04-10 13:50:32 +02:00 · c27b4d9488
commit c27b4d9488
parent d25f1c5304
12 changed files with 323 additions and 86 deletions
--- a/roles/authentik/tasks/blueprints.yml
+++ b/roles/authentik/tasks/blueprints.yml
@ -9,17 +9,17 @@
  register: existing_blueprints

 - name: Build list of expected blueprint files
+  vars:
+    _oidc:     "{{ authentik_oidc_apps      | map(attribute='slug') | map('regex_replace', '^', '50-oidc-')         | map('regex_replace', '$', '.yaml') | list }}"
+    _ldap:     "{{ authentik_ldap_apps      | map(attribute='slug') | map('regex_replace', '^', '55-ldap-')         | map('regex_replace', '$', '.yaml') | list }}"
+    _proxy:    "{{ authentik_proxy_apps     | map(attribute='slug') | map('regex_replace', '^', '60-proxy-')        | map('regex_replace', '$', '.yaml') | list }}"
+    _outpost:  "{{ authentik_proxy_outposts | map(attribute='name') | map('regex_replace', '^', '70-outpost-')      | map('regex_replace', '$', '.yaml') | list }}"
+    _entra:    "{{ authentik_entra_sources  | map(attribute='slug') | map('regex_replace', '^', '40-source-entra-') | map('regex_replace', '$', '.yaml') | list }}"
+    _ldap_out: "{{ ['75-outpost-ldap.yaml'] if authentik_ldap_outpost.name is defined else [] }}"
+    _users:    "{{ ['10-local-users.yaml']  if (authentik_local_users | length > 0 or authentik_groups | length > 0) else [] }}"
+    _cleanup:  "{{ ['00-cleanup.yaml']      if (authentik_removed_oidc_apps + authentik_removed_proxy_apps + authentik_removed_local_users) | length > 0 else [] }}"
  set_fact:
-    expected_blueprints: >-
-      {{
-        (authentik_oidc_apps | map(attribute='slug') | map('regex_replace', '^(.*)$', '50-oidc-\1.yaml') | list) +
-        (authentik_proxy_apps | map(attribute='slug') | map('regex_replace', '^(.*)$', '60-proxy-\1.yaml') | list) +
-        (authentik_proxy_outposts | map(attribute='name') | map('regex_replace', '^(.*)$', '70-outpost-\1.yaml') | list) +
-        (authentik_entra_sources | map(attribute='slug') | map('regex_replace', '^(.*)$', '40-source-entra-\1.yaml') | list) +
-        ['45-login-sources.yaml'] +
-        ((authentik_local_users | length > 0) | ternary(['10-local-users.yaml'], [])) +
-        (((authentik_removed_oidc_apps | length > 0) or (authentik_removed_proxy_apps | length > 0) or (authentik_removed_local_users | length > 0)) | ternary(['00-cleanup.yaml'], []))
-      }}
+    expected_blueprints: "{{ _oidc + _ldap + _proxy + _outpost + _entra + ['45-login-sources.yaml'] + _ldap_out + _users + _cleanup }}"

 - name: Remove stale blueprint files
  file:
@ -36,6 +36,14 @@
  loop: "{{ authentik_oidc_apps }}"
  register: oidc_templates

+- name: Render LDAP blueprints
+  ansible.builtin.template:
+    src: blueprints/blueprint-ldap-app.yaml.j2
+    dest: "{{ authentik_docker_volume_dir }}/blueprints/55-ldap-{{ item.slug }}.yaml"
+    mode: "0644"
+  loop: "{{ authentik_ldap_apps }}"
+  register: ldap_templates
+
 - name: Render Proxy blueprints
  ansible.builtin.template:
    src: blueprints/blueprint-proxy-app.yaml.j2
@ -52,6 +60,14 @@
  loop: "{{ authentik_proxy_outposts }}"
  register: outpost_bp

+- name: Render LDAP outpost blueprint
+  ansible.builtin.template:
+    src: blueprints/outpost-ldap.yaml.j2
+    dest: "{{ authentik_docker_volume_dir }}/blueprints/75-outpost-ldap.yaml"
+    mode: "0644"
+  when: authentik_ldap_outpost.name is defined
+  register: ldap_outpost_bp
+
 - name: Render Entra source blueprints
  ansible.builtin.template:
    src: blueprints/blueprint-source-entra.yaml.j2
@ -72,7 +88,7 @@
    src: blueprints/blueprint-local-users.yaml.j2
    dest: "{{ authentik_docker_volume_dir }}/blueprints/10-local-users.yaml"
    mode: "0644"
-  when: authentik_local_users | length > 0
+  when: authentik_local_users | length > 0 or authentik_groups | length > 0
  register: local_users_bp

 - name: Render cleanup blueprint
@ -88,8 +104,10 @@
    blueprints_changed: >-
      {{
        (oidc_templates is defined and (oidc_templates.results | selectattr('changed') | list | length > 0))
+        or (ldap_templates is defined and (ldap_templates.results | selectattr('changed') | list | length > 0))
        or (proxy_templates is defined and (proxy_templates.results | selectattr('changed') | list | length > 0))
        or (outpost_bp is defined and (outpost_bp.results | selectattr('changed') | list | length > 0))
+        or (ldap_outpost_bp.changed | default(false))
        or (entra_bp is defined and (entra_bp.results | selectattr('changed') | list | length > 0))
        or (login_bp is defined and login_bp.changed)
        or (local_users_bp.changed | default(false))
--- a/roles/authentik/tasks/main.yml
+++ b/roles/authentik/tasks/main.yml
@ -2,44 +2,18 @@
 ---
 # tasks file for authentik

- name: Create docker compose directory
+- name: Create authentik directories
  file:
-    path: "{{ authentik_docker_compose_dir }}"
+    path: "{{ item }}"
    state: directory
    mode: '0755'
-
- name: Create authentik data directory
-  file:
-    path: "{{ authentik_docker_volume_dir }}/data"
-    state: directory
-    mode: '0755'
-
- name: Create authentik certs directory
-  file:
-    path: "{{ authentik_docker_volume_dir }}/certs"
-    state: directory
-    mode: '0755'
-
- name: Create authentik templates directory
-  file:
-    path: "{{ authentik_docker_volume_dir }}/templates"
-    state: directory
-    mode: '0755'
-
- name: Create postgres data directory
-  file:
-    path: "{{ authentik_docker_volume_dir }}/postgresql"
-    state: directory
-    mode: '0755'
-
- name: Create blueprints directory
-  file:
-    path: "{{ authentik_docker_volume_dir }}/blueprints"
-    state: directory
-    mode: '0755'
-
- name: Render blueprints
-  import_tasks: blueprints.yml
+  loop:
+    - "{{ authentik_docker_compose_dir }}"
+    - "{{ authentik_docker_volume_dir }}/data"
+    - "{{ authentik_docker_volume_dir }}/certs"
+    - "{{ authentik_docker_volume_dir }}/templates"
+    - "{{ authentik_docker_volume_dir }}/postgresql"
+    - "{{ authentik_docker_volume_dir }}/blueprints"

 - name: Create docker-compose file for authentik
  template:
@ -51,6 +25,46 @@
  community.docker.docker_compose_v2:
    project_src: "{{ authentik_docker_compose_dir }}"
    state: present
-    recreate: "{{ blueprints_changed | ternary('always', 'auto') }}"
    wait: true
-    wait_timeout: 300
+    wait_timeout: 300
+
+- name: Render blueprints
+  import_tasks: blueprints.yml
+
+- name: Render blueprint wait script
+  template:
+    src: wait-for-blueprints.py.j2
+    dest: "{{ authentik_docker_volume_dir }}/data/wait-for-blueprints.py"
+    mode: '0644'
+
+- name: Wait for custom blueprints to be applied
+  community.docker.docker_compose_v2_exec:
+    project_src: "{{ authentik_docker_compose_dir }}"
+    service: server
+    command: ak shell -c "exec(open('/data/wait-for-blueprints.py').read())"
+  register: blueprint_wait_result
+  changed_when: "'changed' in blueprint_wait_result.stdout"
+  retries: 30
+  delay: 10
+  until: blueprint_wait_result.rc == 0
+  when: blueprints_changed
+
+- name: Render LDAP outpost token script
+  template:
+    src: set-outpost-token.py.j2
+    dest: "{{ authentik_docker_volume_dir }}/data/set-outpost-token.py"
+    mode: '0644'
+  when: authentik_ldap_outpost.name is defined
+  register: ldap_token_script
+
+- name: Set known token for LDAP outpost
+  community.docker.docker_compose_v2_exec:
+    project_src: "{{ authentik_docker_compose_dir }}"
+    service: server
+    command: ak shell -c "exec(open('/data/set-outpost-token.py').read())"
+  register: ldap_token_result
+  changed_when: "'changed' in ldap_token_result.stdout"
+  retries: 30
+  delay: 10
+  until: ldap_token_result.rc == 0
+  when: authentik_ldap_outpost.name is defined and (blueprints_changed or ldap_token_script.changed)