Digitalboard/digitalboard.core
6
2
Fork 0
Code Pull requests 1 Releases Packages Activity Actions
digitalboard.core/roles/authentik/templates/blueprints/blueprint-proxy-app.yaml.j2
Simon Bärlocher da103a59f2
feat(authentik): split-horizon host rewrite + proxy-app mode/group bindings 
* `authentik_host_rewrite_domains`: extra hostnames that reach the
  authentik container but make it generate URLs (OIDC issuer, reset
  links) as if requested from the canonical `authentik_domains[0]`.
  Each entry gets its own traefik router and a URL-based loadbalancer
  service that disables passHostHeader and pins X-Forwarded-Host via
  middleware, so server-to-server calls on internal FQDNs keep traffic
  in the LAN while the iss claim stays aligned with the public host.
  Uses a network alias on the canonical FQDN so traefik (sharing the
  network) resolves the URL upstream to this very container.

* proxy-app blueprint:
  - `mode` (default `forward_single`) lets callers pick between proxy,
    forward_single and forward_domain providers in one template.
  - `allowed_groups`: when set, emit one PolicyBinding per group on
    the application; authentik OR-evaluates bindings, so users in any
    listed group pass and others are denied.

Existing inventories with an empty list see no behavioural change.
2026-05-26 14:03:05 +02:00

63 lines
2.7 KiB
Django/Jinja
Raw Blame History

# yaml-language-server: $schema=https://goauthentik.io/blueprints/schema.json
version: 1
metadata:
name: "proxy-{{ item.slug }}"
labels:
blueprints.goauthentik.io/instantiate: "true"
blueprints.goauthentik.io/description: "Proxy provider + application for {{ item.slug }}"
entries:
- model: authentik_providers_proxy.proxyprovider
id: proxy-provider-{{ item.slug }}
identifiers:
name: {{ item.slug }}
attrs:
name: {{ item.slug }}
authentication_flow: !Find [authentik_flows.flow, [slug, {{ item.flows.authentication_slug | default('default-authentication-flow') }}]]
authorization_flow: !Find [authentik_flows.flow, [slug, {{ item.flows.authorization_slug | default('default-provider-authorization-implicit-consent') }}]]
invalidation_flow: !Find [authentik_flows.flow, [slug, {{ item.flows.invalidation_slug | default('default-provider-invalidation-flow') }}]]
internal_host: "{{ item.internal_host }}"
external_host: "{{ item.external_host }}"
{# Provider mode controls how authentik treats the proxy app:
- proxy : the outpost itself proxies traffic to internal_host
- forward_single : a single app behind an external reverse proxy
(traefik forwardauth talks to authentik per-domain)
- forward_domain : wildcard mode — one provider guards every host on a
cookie domain; configure forward_auth_mode=domain on
the outpost in that case. Default to forward_single
since that's the common ForwardAuth-with-traefik
pattern. #}
mode: {{ item.mode | default('forward_single') }}
{% if item.skip_path_regex is defined and item.skip_path_regex|length > 0 %}
skip_path_regex: |
{{ item.skip_path_regex | indent(8, true) }}
{% endif %}
- model: authentik_core.application
id: app-{{ item.slug }}
identifiers:
slug: {{ item.slug }}
attrs:
name: "{{ item.name | default(item.slug) }}"
slug: {{ item.slug }}
provider: !KeyOf proxy-provider-{{ item.slug }}
{% if item.allowed_groups is defined and item.allowed_groups | length > 0 %}
{# Restrict access to listed groups: one PolicyBinding per group, all bound
to the application. Authentik treats multiple bindings on the same target
as OR (a user matching any binding passes), and a request from a user in
none of the bound groups is denied. #}
{% for group_name in item.allowed_groups %}
- model: authentik_policies.policybinding
identifiers:
target: !KeyOf app-{{ item.slug }}
order: {{ loop.index0 }}
group: !Find [authentik_core.group, [name, "{{ group_name }}"]]
attrs:
enabled: true
negate: false
{% endfor %}
{% endif %}
View git blame Copy permalink