feat: add blueprints for authentik ldap outpost and render values directly instead of using env vars

Signed-off-by: Bert-Jan Fikse <bert-jan@whatwedo.ch>
2026-04-10 13:50:32 +02:00 · 2026-04-10 13:50:32 +02:00 · c27b4d9488
commit c27b4d9488
parent d25f1c5304
12 changed files with 323 additions and 86 deletions
--- a/roles/authentik/tasks/main.yml
+++ b/roles/authentik/tasks/main.yml
@ -2,44 +2,18 @@
 ---
 # tasks file for authentik

- name: Create docker compose directory
+- name: Create authentik directories
  file:
-    path: "{{ authentik_docker_compose_dir }}"
+    path: "{{ item }}"
    state: directory
    mode: '0755'
-
- name: Create authentik data directory
-  file:
-    path: "{{ authentik_docker_volume_dir }}/data"
-    state: directory
-    mode: '0755'
-
- name: Create authentik certs directory
-  file:
-    path: "{{ authentik_docker_volume_dir }}/certs"
-    state: directory
-    mode: '0755'
-
- name: Create authentik templates directory
-  file:
-    path: "{{ authentik_docker_volume_dir }}/templates"
-    state: directory
-    mode: '0755'
-
- name: Create postgres data directory
-  file:
-    path: "{{ authentik_docker_volume_dir }}/postgresql"
-    state: directory
-    mode: '0755'
-
- name: Create blueprints directory
-  file:
-    path: "{{ authentik_docker_volume_dir }}/blueprints"
-    state: directory
-    mode: '0755'
-
- name: Render blueprints
-  import_tasks: blueprints.yml
+  loop:
+    - "{{ authentik_docker_compose_dir }}"
+    - "{{ authentik_docker_volume_dir }}/data"
+    - "{{ authentik_docker_volume_dir }}/certs"
+    - "{{ authentik_docker_volume_dir }}/templates"
+    - "{{ authentik_docker_volume_dir }}/postgresql"
+    - "{{ authentik_docker_volume_dir }}/blueprints"

 - name: Create docker-compose file for authentik
  template:
@ -51,6 +25,46 @@
  community.docker.docker_compose_v2:
    project_src: "{{ authentik_docker_compose_dir }}"
    state: present
-    recreate: "{{ blueprints_changed | ternary('always', 'auto') }}"
    wait: true
-    wait_timeout: 300
+    wait_timeout: 300
+
+- name: Render blueprints
+  import_tasks: blueprints.yml
+
+- name: Render blueprint wait script
+  template:
+    src: wait-for-blueprints.py.j2
+    dest: "{{ authentik_docker_volume_dir }}/data/wait-for-blueprints.py"
+    mode: '0644'
+
+- name: Wait for custom blueprints to be applied
+  community.docker.docker_compose_v2_exec:
+    project_src: "{{ authentik_docker_compose_dir }}"
+    service: server
+    command: ak shell -c "exec(open('/data/wait-for-blueprints.py').read())"
+  register: blueprint_wait_result
+  changed_when: "'changed' in blueprint_wait_result.stdout"
+  retries: 30
+  delay: 10
+  until: blueprint_wait_result.rc == 0
+  when: blueprints_changed
+
+- name: Render LDAP outpost token script
+  template:
+    src: set-outpost-token.py.j2
+    dest: "{{ authentik_docker_volume_dir }}/data/set-outpost-token.py"
+    mode: '0644'
+  when: authentik_ldap_outpost.name is defined
+  register: ldap_token_script
+
+- name: Set known token for LDAP outpost
+  community.docker.docker_compose_v2_exec:
+    project_src: "{{ authentik_docker_compose_dir }}"
+    service: server
+    command: ak shell -c "exec(open('/data/set-outpost-token.py').read())"
+  register: ldap_token_result
+  changed_when: "'changed' in ldap_token_result.stdout"
+  retries: 30
+  delay: 10
+  until: ldap_token_result.rc == 0
+  when: authentik_ldap_outpost.name is defined and (blueprints_changed or ldap_token_script.changed)