3236ca332f
Replace ansible-galaxy init placeholders across the collection and correct documentation that drifted from the code, after a multi-agent review of every role README against its defaults, tasks and templates. Collection level: - README: role table for all 16 roles, requirements and role-ordering - galaxy.yml: declare community.docker and community.general deps, real description/tags/urls; normalize license to MIT-0 - meta/runtime.yml: requires_ansible '>=2.15.0' - plugins/README: document the homarr_layout filter and garage_credentials lookup instead of scaffold boilerplate Per-role meta/main.yml and README for the placeholder roles (389ds, authentik, authentik_outpost_ldap, base, collabora, drawio, garage, homarr, httpbin, keycloak, nextcloud, opencloud, traefik). Correctness fixes found during review: - keycloak: wrong domain default, drop invented keycloak_cert_resolver, document the provisioning feature - garage: root_domain is .s3.<first-entry>, not the bare domain - opnform: jwt/front_api secrets use `openssl rand -hex 32`; align the validation fail_msg in tasks/main.yml accordingly - send: S3 example references garage_s3_domains[0] (was singular) - opencloud: document required opencloud_wopi_domain License normalized to MIT-0 across galaxy.yml, role meta and READMEs to match the SPDX headers. |
||
|---|---|---|
| .. | ||
| defaults | ||
| handlers | ||
| meta | ||
| tasks | ||
| templates | ||
| tests | ||
| vars | ||
| README.md | ||
Authentik
Deploys authentik (server + worker + Postgres) as a Docker Compose stack behind Traefik, with all resources provisioned via templated blueprints.
What this role does
- Renders the Compose stack with traefik labels and an optional split-horizon host rewrite (see below)
- Provisions local users, groups, OIDC apps, Proxy/ForwardAuth apps, LDAP apps and outposts, and Entra ID OAuth sources via blueprints
- Configures the login screen (visible sources, local login fields)
- Supports declarative cleanup via
authentik_removed_*lists
Variables
Full spec with types and defaults: meta/argument_specs.yml. The most
common overrides:
Service
authentik_domains(required, list): FQDNs the router accepts. First entry is the canonical hostname; further entries cover internal*.int.*names for server-to-server traffic.authentik_secret_key(required): PG fernet / signing secret. Generate withopenssl rand -base64 60.authentik_postgres_password(required).authentik_image,authentik_port,authentik_log_level.
Split-horizon host rewrite
authentik_host_rewrite_domains lists hostnames that should reach the
authentik container but make it generate URLs (OIDC issuer, password
reset links, etc.) as if the request had arrived on
authentik_domains[0].
For each entry the role:
- Creates a dedicated traefik router on that hostname
- Routes it to a URL-based loadbalancer service that disables
passHostHeader, so the upstream Host header becomes the canonical FQDN - Pins
X-Forwarded-Hostvia middleware so the iss claim stays aligned with the public hostname browsers see
Use case: an internal auth.int.example.com keeps server-to-server
traffic in the LAN, but Keycloak/Nextcloud/etc. still receive issuer
URLs matching auth.example.com.
Blueprints
The role renders blueprints for:
- Local users (
authentik_local_users) - Groups (
authentik_groups) - OIDC applications (
authentik_oidc_apps) - Proxy applications (
authentik_proxy_apps) - Proxy outposts (
authentik_proxy_outposts) - LDAP applications (
authentik_ldap_apps) - LDAP outpost (
authentik_ldap_outpost) - Entra ID sources (
authentik_entra_sources) - Login-screen source visibility (
authentik_login_sources)
Secrets are passed via the authentik_blueprint_env env-var indirection
so they never land in rendered blueprint YAML on disk.
Proxy apps: mode and group restrictions
Each entry in authentik_proxy_apps supports:
mode(defaultforward_single): one ofproxy,forward_single,forward_domainallowed_groups: when set, aPolicyBindingis emitted per group on the application. authentik OR-evaluates bindings, so users in any listed group pass and users in none are denied.
Example:
authentik_proxy_apps:
- slug: drawio
name: drawio
external_host: "https://drawio.example.com"
mode: forward_single
allowed_groups:
- drawio-users
- admins
Removing resources
Move slugs from the active list to the matching removal list:
authentik_removed_oidc_appsauthentik_removed_proxy_appsauthentik_removed_local_users
After authentik has applied the deletion blueprint, remove the slug from the list to keep state clean.
Dependencies
- Run
digitalboard.core.basefirst (Docker) and have thecommunity.dockercollection installed; the role drives the stack viacommunity.docker.docker_compose_v2. - Traefik network (
authentik_traefik_network, defaultproxy) must exist beforehand (e.g. created by the traefik role); it is referenced as an external network in the Compose file. - Internal backend network (
authentik_backend_network, defaultbackend).
Example playbook
- hosts: identity_servers
roles:
- role: digitalboard.core.authentik
vars:
authentik_domains:
- "auth.example.com"
- "auth.int.example.com"
authentik_host_rewrite_domains:
- "auth.int.example.com"
authentik_secret_key: "{{ vault_authentik_secret_key }}"
authentik_postgres_password: "{{ vault_authentik_pg_password }}"
authentik_proxy_apps:
- slug: drawio
name: drawio
external_host: "https://drawio.example.com"
mode: forward_single
allowed_groups: [drawio-users]
License
MIT-0