digitalboard.core/roles/authentik/tasks/blueprints.yml

#SPDX-License-Identifier: MIT-0
---
# Blueprint rendering tasks for authentik

- name: Find existing blueprint files
  find:
    paths: "{{ authentik_docker_volume_dir }}/blueprints"
    patterns: "*.yaml"
  register: existing_blueprints

- name: Build list of expected blueprint files
  vars:
    _oidc:     "{{ authentik_oidc_apps      | map(attribute='slug') | map('regex_replace', '^', '50-oidc-')         | map('regex_replace', '$', '.yaml') | list }}"
    _ldap:     "{{ authentik_ldap_apps      | map(attribute='slug') | map('regex_replace', '^', '55-ldap-')         | map('regex_replace', '$', '.yaml') | list }}"
    _proxy:    "{{ authentik_proxy_apps     | map(attribute='slug') | map('regex_replace', '^', '60-proxy-')        | map('regex_replace', '$', '.yaml') | list }}"
    _outpost:  "{{ authentik_proxy_outposts | map(attribute='name') | map('regex_replace', '^', '70-outpost-')      | map('regex_replace', '$', '.yaml') | list }}"
    _entra:    "{{ authentik_entra_sources  | map(attribute='slug') | map('regex_replace', '^', '40-source-entra-') | map('regex_replace', '$', '.yaml') | list }}"
    _ldap_out: "{{ ['75-outpost-ldap.yaml'] if authentik_ldap_outpost.name is defined else [] }}"
    _users:    "{{ ['10-local-users.yaml']  if (authentik_local_users | length > 0 or authentik_groups | length > 0) else [] }}"
    _cleanup:  "{{ ['00-cleanup.yaml']      if (authentik_removed_oidc_apps + authentik_removed_proxy_apps + authentik_removed_local_users) | length > 0 else [] }}"
  set_fact:
    expected_blueprints: "{{ _oidc + _ldap + _proxy + _outpost + _entra + ['45-login-sources.yaml'] + _ldap_out + _users + _cleanup }}"

- name: Remove stale blueprint files
  file:
    path: "{{ item.path }}"
    state: absent
  loop: "{{ existing_blueprints.files }}"
  when: item.path | basename not in expected_blueprints

- name: Render OIDC blueprints
  ansible.builtin.template:
    src: blueprints/blueprint-oidc-app.yaml.j2
    dest: "{{ authentik_docker_volume_dir }}/blueprints/50-oidc-{{ item.slug }}.yaml"
    mode: "0644"
  loop: "{{ authentik_oidc_apps }}"
  register: oidc_templates

- name: Render LDAP blueprints
  ansible.builtin.template:
    src: blueprints/blueprint-ldap-app.yaml.j2
    dest: "{{ authentik_docker_volume_dir }}/blueprints/55-ldap-{{ item.slug }}.yaml"
    mode: "0644"
  loop: "{{ authentik_ldap_apps }}"
  register: ldap_templates

- name: Render Proxy blueprints
  ansible.builtin.template:
    src: blueprints/blueprint-proxy-app.yaml.j2
    dest: "{{ authentik_docker_volume_dir }}/blueprints/60-proxy-{{ item.slug }}.yaml"
    mode: "0644"
  loop: "{{ authentik_proxy_apps }}"
  register: proxy_templates

- name: Render outpost blueprints
  ansible.builtin.template:
    src: blueprints/outpost-proxy.yaml.j2
    dest: "{{ authentik_docker_volume_dir }}/blueprints/70-outpost-{{ item.name }}.yaml"
    mode: "0644"
  loop: "{{ authentik_proxy_outposts }}"
  register: outpost_bp

- name: Render LDAP outpost blueprint
  ansible.builtin.template:
    src: blueprints/outpost-ldap.yaml.j2
    dest: "{{ authentik_docker_volume_dir }}/blueprints/75-outpost-ldap.yaml"
    mode: "0644"
  when: authentik_ldap_outpost.name is defined
  register: ldap_outpost_bp

- name: Render Entra source blueprints
  ansible.builtin.template:
    src: blueprints/blueprint-source-entra.yaml.j2
    dest: "{{ authentik_docker_volume_dir }}/blueprints/40-source-entra-{{ item.slug }}.yaml"
    mode: "0644"
  loop: "{{ authentik_entra_sources }}"
  register: entra_bp

- name: Render login stage sources blueprint
  ansible.builtin.template:
    src: blueprints/blueprint-login-sources.yaml.j2
    dest: "{{ authentik_docker_volume_dir }}/blueprints/45-login-sources.yaml"
    mode: "0644"
  register: login_bp

- name: Render local users blueprint
  ansible.builtin.template:
    src: blueprints/blueprint-local-users.yaml.j2
    dest: "{{ authentik_docker_volume_dir }}/blueprints/10-local-users.yaml"
    mode: "0644"
  when: authentik_local_users | length > 0 or authentik_groups | length > 0
  register: local_users_bp

- name: Render cleanup blueprint
  ansible.builtin.template:
    src: blueprints/blueprint-cleanup.yaml.j2
    dest: "{{ authentik_docker_volume_dir }}/blueprints/00-cleanup.yaml"
    mode: "0644"
  when: (authentik_removed_oidc_apps | length > 0) or (authentik_removed_proxy_apps | length > 0) or (authentik_removed_local_users | length > 0)
  register: cleanup_bp

- name: Set blueprints_changed fact
  set_fact:
    blueprints_changed: >-
      {{
        (oidc_templates is defined and (oidc_templates.results | selectattr('changed') | list | length > 0))
        or (ldap_templates is defined and (ldap_templates.results | selectattr('changed') | list | length > 0))
        or (proxy_templates is defined and (proxy_templates.results | selectattr('changed') | list | length > 0))
        or (outpost_bp is defined and (outpost_bp.results | selectattr('changed') | list | length > 0))
        or (ldap_outpost_bp.changed | default(false))
        or (entra_bp is defined and (entra_bp.results | selectattr('changed') | list | length > 0))
        or (login_bp is defined and login_bp.changed)
        or (local_users_bp.changed | default(false))
        or (cleanup_bp.changed | default(false))
      }}