feat: add blueprints for authentik ldap outpost and render values directly instead of using env vars

Signed-off-by: Bert-Jan Fikse <bert-jan@whatwedo.ch>
2026-04-10 13:50:32 +02:00 · 2026-04-10 13:50:32 +02:00 · c27b4d9488
commit c27b4d9488
parent d25f1c5304
12 changed files with 323 additions and 86 deletions
--- a/roles/authentik/templates/blueprints/blueprint-ldap-app.yaml.j2
+++ b/roles/authentik/templates/blueprints/blueprint-ldap-app.yaml.j2
@ -0,0 +1,124 @@
+# yaml-language-server: $schema=https://goauthentik.io/blueprints/schema.json
+version: 1
+metadata:
+  name: "ldap-{{ item.slug }}"
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+    blueprints.goauthentik.io/description: "LDAP provider + application for {{ item.slug }}"
+
+entries:
+  # Simple password-only flow for LDAP bind (no browser policies)
+  - model: authentik_stages_password.passwordstage
+    id: ldap-password-stage
+    identifiers:
+      name: ldap-bind-password
+    attrs:
+      name: ldap-bind-password
+      backends:
+        - authentik.core.auth.InbuiltBackend
+        - authentik.core.auth.TokenBackend
+        - authentik.sources.ldap.auth.LDAPBackend
+
+  - model: authentik_stages_identification.identificationstage
+    id: ldap-identification-stage
+    identifiers:
+      name: ldap-bind-identification
+    attrs:
+      name: ldap-bind-identification
+      user_fields:
+        - username
+        - email
+      password_stage: !KeyOf ldap-password-stage
+
+  - model: authentik_stages_user_login.userloginstage
+    id: ldap-login-stage
+    identifiers:
+      name: ldap-bind-login
+    attrs:
+      name: ldap-bind-login
+
+  - model: authentik_flows.flow
+    id: ldap-bind-flow
+    identifiers:
+      slug: ldap-bind
+    attrs:
+      name: LDAP Bind
+      slug: ldap-bind
+      title: LDAP Bind
+      designation: authentication
+      authentication: none
+
+  - model: authentik_flows.flowstagebinding
+    identifiers:
+      target: !KeyOf ldap-bind-flow
+      stage: !KeyOf ldap-identification-stage
+      order: 0
+    attrs:
+      target: !KeyOf ldap-bind-flow
+      stage: !KeyOf ldap-identification-stage
+      order: 0
+
+  - model: authentik_flows.flowstagebinding
+    identifiers:
+      target: !KeyOf ldap-bind-flow
+      stage: !KeyOf ldap-login-stage
+      order: 10
+    attrs:
+      target: !KeyOf ldap-bind-flow
+      stage: !KeyOf ldap-login-stage
+      order: 10
+
+{% if item.search_group is defined and item.search_group %}
+  - model: authentik_rbac.role
+    id: ldap-search-role-{{ item.slug }}
+    identifiers:
+      name: ldap-search-{{ item.slug }}
+    attrs:
+      name: ldap-search-{{ item.slug }}
+{% endif %}
+
+  - model: authentik_providers_ldap.ldapprovider
+    id: ldap-provider-{{ item.slug }}
+    identifiers:
+      name: {{ item.name }}
+    attrs:
+      name: {{ item.name }}
+      base_dn: "{{ item.base_dn }}"
+      authorization_flow: !KeyOf ldap-bind-flow
+      invalidation_flow: !Find [authentik_flows.flow, [slug, {{ item.invalidation_flow_slug | default('default-provider-invalidation-flow') }}]]
+      authentication_flow: !KeyOf ldap-bind-flow
+      search_mode: {{ item.search_mode | default('cached') }}
+      bind_mode: {{ item.bind_mode | default('direct') }}
+{% if item.certificate is defined and item.certificate %}
+      certificate: !Find [authentik_crypto.certificatekeypair, [name, {{ item.certificate }}]]
+{% endif %}
+{% if item.uid_start_number is defined %}
+      uid_start_number: {{ item.uid_start_number }}
+{% endif %}
+{% if item.gid_start_number is defined %}
+      gid_start_number: {{ item.gid_start_number }}
+{% endif %}
+{% if item.search_group is defined and item.search_group %}
+    permissions:
+      - permission: authentik_providers_ldap.search_full_directory
+        role: !KeyOf ldap-search-role-{{ item.slug }}
+{% endif %}
+
+{% if item.search_group is defined and item.search_group %}
+  # Assign the LDAP search role to the search group
+  - model: authentik_core.group
+    identifiers:
+      name: {{ item.search_group }}
+    attrs:
+      roles:
+        - !KeyOf ldap-search-role-{{ item.slug }}
+{% endif %}
+
+  - model: authentik_core.application
+    id: app-{{ item.slug }}
+    identifiers:
+      slug: {{ item.slug }}
+    attrs:
+      name: "{{ item.name | default(item.slug) }}"
+      slug: {{ item.slug }}
+      provider: !KeyOf ldap-provider-{{ item.slug }}
--- a/roles/authentik/templates/blueprints/blueprint-local-users.yaml.j2
+++ b/roles/authentik/templates/blueprints/blueprint-local-users.yaml.j2
@ -4,9 +4,24 @@ metadata:
  name: "local-users"
  labels:
    blueprints.goauthentik.io/instantiate: "true"
-    blueprints.goauthentik.io/description: "Local user accounts"
+    blueprints.goauthentik.io/description: "Local groups and user accounts"

 entries:
+{% for group in authentik_groups %}
+  - model: authentik_core.group
+    id: group-{{ group.name | regex_replace('[^a-zA-Z0-9]', '-') }}
+    identifiers:
+      name: {{ group.name }}
+    attrs:
+      name: {{ group.name }}
+{% if group.is_superuser is defined %}
+      is_superuser: {{ group.is_superuser | lower }}
+{% endif %}
+{% if group.parent is defined and group.parent %}
+      parent: !Find [authentik_core.group, [name, {{ group.parent }}]]
+{% endif %}
+
+{% endfor %}
 {% for user in authentik_local_users %}
  - model: authentik_core.user
    id: user-{{ user.username }}
@ -17,8 +32,8 @@ entries:
      name: "{{ user.name | default(user.username) }}"
      email: "{{ user.email | default('') }}"
      is_active: {{ user.is_active | default(true) | lower }}
-{% if user.password_env is defined %}
-      password: !Env {{ user.password_env }}
+{% if user.password is defined %}
+      password: "{{ user.password }}"
 {% endif %}
 {% if user.groups is defined and user.groups | length > 0 %}
      groups:
--- a/roles/authentik/templates/blueprints/blueprint-oidc-app.yaml.j2
+++ b/roles/authentik/templates/blueprints/blueprint-oidc-app.yaml.j2
@ -13,9 +13,11 @@ entries:
      name: {{ item.slug }}
    attrs:
      name: {{ item.slug }}
-      client_type: confidential
-      client_id: !Env {{ item.client_id_env }}
-      client_secret: !Env {{ item.client_secret_env }}
+      client_type: {{ item.client_type | default('confidential') }}
+      client_id: "{{ item.client_id }}"
+{% if item.client_type | default('confidential') == 'confidential' %}
+      client_secret: "{{ item.client_secret }}"
+{% endif %}

      redirect_uris:
 {% for ru in item.redirect_uris %}
--- a/roles/authentik/templates/blueprints/blueprint-source-entra.yaml.j2
+++ b/roles/authentik/templates/blueprints/blueprint-source-entra.yaml.j2
@ -15,12 +15,12 @@ entries:
      name: "{{ item.name | default('Microsoft Entra ID') }}"
      slug: {{ item.slug }}

-      # Authentik’s OAuth sources support vendor-specific types.
-      # Entra guide calls it “Entra ID OAuth Source”.
+      # Authentik's OAuth sources support vendor-specific types.
+      # Entra guide calls it "Entra ID OAuth Source".
      provider_type: entraid

-      consumer_key: !Env {{ item.client_id_env }}
-      consumer_secret: !Env {{ item.client_secret_env }}
+      consumer_key: "{{ item.client_id }}"
+      consumer_secret: "{{ item.client_secret }}"

      scopes:
 {% for s in (item.scopes | default(['openid','profile','email'])) %}
@ -28,10 +28,10 @@ entries:
 {% endfor %}

 {% if (item.tenant_mode | default('single')) == 'single' %}
-      authorization_url: !Format ["https://login.microsoftonline.com/%s/oauth2/v2.0/authorize", !Env {{ item.tenant_id_env }}]
-      access_token_url: !Format ["https://login.microsoftonline.com/%s/oauth2/v2.0/token", !Env {{ item.tenant_id_env }}]
+      authorization_url: "https://login.microsoftonline.com/{{ item.tenant_id }}/oauth2/v2.0/authorize"
+      access_token_url: "https://login.microsoftonline.com/{{ item.tenant_id }}/oauth2/v2.0/token"
      profile_url: "https://graph.microsoft.com/v1.0/me"
-      oidc_jwks_url: !Format ["https://login.microsoftonline.com/%s/discovery/v2.0/keys", !Env {{ item.tenant_id_env }}]
+      oidc_jwks_url: "https://login.microsoftonline.com/{{ item.tenant_id }}/discovery/v2.0/keys"
 {% else %}
      authorization_url: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
      access_token_url: "https://login.microsoftonline.com/common/oauth2/v2.0/token"
--- a/roles/authentik/templates/blueprints/outpost-ldap.yaml.j2
+++ b/roles/authentik/templates/blueprints/outpost-ldap.yaml.j2
@ -0,0 +1,27 @@
+# yaml-language-server: $schema=https://goauthentik.io/blueprints/schema.json
+version: 1
+metadata:
+  name: "outpost-{{ authentik_ldap_outpost.name }}"
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+
+entries:
+  - model: authentik_outposts.outpost
+    identifiers:
+      name: "{{ authentik_ldap_outpost.name }}"
+    attrs:
+      name: "{{ authentik_ldap_outpost.name }}"
+      type: ldap
+      service_connection: null
+
+      providers:
+{% for app in authentik_ldap_apps %}
+        - !Find [authentik_providers_ldap.ldapprovider, [name, {{ app.name }}]]
+{% endfor %}
+
+{% if authentik_ldap_outpost.config is defined %}
+      config:
+{%   for k, v in authentik_ldap_outpost.config.items() %}
+        {{ k }}: {{ v | tojson }}
+{%   endfor %}
+{% endif %}
--- a/roles/authentik/templates/docker-compose.yml.j2
+++ b/roles/authentik/templates/docker-compose.yml.j2
@ -35,11 +35,6 @@ services:
      AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_postgres_password }}
      AUTHENTIK_LOG_LEVEL: {{ authentik_log_level }}
      AUTHENTIK_ERROR_REPORTING__ENABLED: "{{ authentik_error_reporting_enabled | lower }}"
-{% if authentik_blueprint_env|length > 0 %}
-{%  for k, v in authentik_blueprint_env.items() %}
-      {{ k }}: "{{ v }}"
-{% endfor %}
-{% endif %}
    volumes:
      - {{ authentik_docker_volume_dir }}/blueprints:/blueprints/custom
      - {{ authentik_docker_volume_dir }}/data:/data
@ -75,11 +70,6 @@ services:
      AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_postgres_password }}
      AUTHENTIK_LOG_LEVEL: {{ authentik_log_level }}
      AUTHENTIK_ERROR_REPORTING__ENABLED: "{{ authentik_error_reporting_enabled | lower }}"
-{% if authentik_blueprint_env|length > 0 %}
-{%  for k, v in authentik_blueprint_env.items() %}
-      {{ k }}: "{{ v }}"
-{% endfor %}
-{% endif %}
    volumes:
      - {{ authentik_docker_volume_dir }}/data:/data
      - {{ authentik_docker_volume_dir }}/certs:/certs
--- a/roles/authentik/templates/set-outpost-token.py.j2
+++ b/roles/authentik/templates/set-outpost-token.py.j2
@ -0,0 +1,10 @@
+from authentik.outposts.models import Outpost
+from authentik.core.models import Token
+o = Outpost.objects.get(name='{{ authentik_ldap_outpost.name }}')
+t = Token.objects.get(identifier=o.token_identifier)
+if t.key != '{{ authentik_ldap_outpost.token }}':
+    t.key = '{{ authentik_ldap_outpost.token }}'
+    t.save(update_fields=['key'])
+    print('changed')
+else:
+    print('ok')
--- a/roles/authentik/templates/wait-for-blueprints.py.j2
+++ b/roles/authentik/templates/wait-for-blueprints.py.j2
@ -0,0 +1,20 @@
+from authentik.blueprints.models import BlueprintInstance
+from authentik.blueprints.v1.importer import Importer
+
+failed = list(BlueprintInstance.objects.filter(enabled=True, path__startswith="custom/").exclude(status="successful").order_by("path"))
+if not failed:
+    print("ok")
+else:
+    for bp in failed:
+        content = bp.retrieve()
+        importer = Importer.from_string(content)
+        valid, _ = importer.validate()
+        if valid:
+            importer.apply()
+            bp.status = "successful"
+            bp.save()
+    still_failed = BlueprintInstance.objects.filter(enabled=True, path__startswith="custom/").exclude(status="successful")
+    if still_failed.exists():
+        names = ", ".join(bp.name for bp in still_failed)
+        raise Exception(f"Blueprints still failing: {names}")
+    print("changed")