Digitalboard/digitalboard.core
6
2
Fork 0
Code Pull requests 1 Releases Packages Activity Actions
digitalboard.core/roles/authentik
History
Simon Bärlocher 3ace667b6c
feat(services): refine split-horizon OIDC routing and harden nextcloud patch 
- authentik: address the rewrite service by compose service name instead
  of a network alias on the public FQDN, which shadowed extra_hosts pins
  and broke OIDC discovery for c-ares-based (Node) resolvers
- homarr: add homarr_extra_hosts to pin the IdP FQDN to a LAN IP so OIDC
  discovery stays in-network while the issuer matches the browser-facing URL
- opnform: add opnform_oidc_sso_redirect_root to 302 the root URL to the
  SSO path (deep-links untouched, /login?bypass=1 break-glass); restart
  ingress via container restart so envsubst re-renders nginx.conf
- nextcloud: make the UserConfig sed workaround fail loud on upstream
  drift instead of silently skipping (nextcloud/server#59629)
- gitignore: exclude the local .ansible/ collection cache
2026-06-02 13:44:08 +02:00
..
defaults feat(authentik): split-horizon host rewrite + proxy-app mode/group bindings 2026-05-27 23:12:23 +02:00
handlers chore: add new role boilerplate for authentik 2026-01-14 10:03:06 +01:00
meta docs(collection): document all roles and fix metadata drift 2026-05-27 23:12:24 +02:00
tasks feat: add blueprints for authentik ldap outpost and render values directly instead of using env vars 2026-04-10 14:33:52 +02:00
templates feat(services): refine split-horizon OIDC routing and harden nextcloud patch 2026-06-02 13:44:08 +02:00
tests chore: add new role boilerplate for authentik 2026-01-14 10:03:06 +01:00
vars chore: add new role boilerplate for authentik 2026-01-14 10:03:06 +01:00
README.md docs(collection): document all roles and fix metadata drift 2026-05-27 23:12:24 +02:00

README.md

Authentik

Deploys authentik (server + worker + Postgres) as a Docker Compose stack behind Traefik, with all resources provisioned via templated blueprints.

What this role does

  • Renders the Compose stack with traefik labels and an optional split-horizon host rewrite (see below)
  • Provisions local users, groups, OIDC apps, Proxy/ForwardAuth apps, LDAP apps and outposts, and Entra ID OAuth sources via blueprints
  • Configures the login screen (visible sources, local login fields)
  • Supports declarative cleanup via authentik_removed_* lists

Variables

Full spec with types and defaults: meta/argument_specs.yml. The most common overrides:

Service

  • authentik_domains (required, list): FQDNs the router accepts. First entry is the canonical hostname; further entries cover internal *.int.* names for server-to-server traffic.
  • authentik_secret_key (required): PG fernet / signing secret. Generate with openssl rand -base64 60.
  • authentik_postgres_password (required).
  • authentik_image, authentik_port, authentik_log_level.

Split-horizon host rewrite

authentik_host_rewrite_domains lists hostnames that should reach the authentik container but make it generate URLs (OIDC issuer, password reset links, etc.) as if the request had arrived on authentik_domains[0].

For each entry the role:

  • Creates a dedicated traefik router on that hostname
  • Routes it to a URL-based loadbalancer service that disables passHostHeader, so the upstream Host header becomes the canonical FQDN
  • Pins X-Forwarded-Host via middleware so the iss claim stays aligned with the public hostname browsers see

Use case: an internal auth.int.example.com keeps server-to-server traffic in the LAN, but Keycloak/Nextcloud/etc. still receive issuer URLs matching auth.example.com.

Blueprints

The role renders blueprints for:

  • Local users (authentik_local_users)
  • Groups (authentik_groups)
  • OIDC applications (authentik_oidc_apps)
  • Proxy applications (authentik_proxy_apps)
  • Proxy outposts (authentik_proxy_outposts)
  • LDAP applications (authentik_ldap_apps)
  • LDAP outpost (authentik_ldap_outpost)
  • Entra ID sources (authentik_entra_sources)
  • Login-screen source visibility (authentik_login_sources)

Secrets are passed via the authentik_blueprint_env env-var indirection so they never land in rendered blueprint YAML on disk.

Proxy apps: mode and group restrictions

Each entry in authentik_proxy_apps supports:

  • mode (default forward_single): one of proxy, forward_single, forward_domain
  • allowed_groups: when set, a PolicyBinding is emitted per group on the application. authentik OR-evaluates bindings, so users in any listed group pass and users in none are denied.

Example:

authentik_proxy_apps:
  - slug: drawio
    name: drawio
    external_host: "https://drawio.example.com"
    mode: forward_single
    allowed_groups:
      - drawio-users
      - admins

Removing resources

Move slugs from the active list to the matching removal list:

  • authentik_removed_oidc_apps
  • authentik_removed_proxy_apps
  • authentik_removed_local_users

After authentik has applied the deletion blueprint, remove the slug from the list to keep state clean.

Dependencies

  • Run digitalboard.core.base first (Docker) and have the community.docker collection installed; the role drives the stack via community.docker.docker_compose_v2.
  • Traefik network (authentik_traefik_network, default proxy) must exist beforehand (e.g. created by the traefik role); it is referenced as an external network in the Compose file.
  • Internal backend network (authentik_backend_network, default backend).

Example playbook

- hosts: identity_servers
  roles:
    - role: digitalboard.core.authentik
      vars:
        authentik_domains:
          - "auth.example.com"
          - "auth.int.example.com"
        authentik_host_rewrite_domains:
          - "auth.int.example.com"
        authentik_secret_key: "{{ vault_authentik_secret_key }}"
        authentik_postgres_password: "{{ vault_authentik_pg_password }}"
        authentik_proxy_apps:
          - slug: drawio
            name: drawio
            external_host: "https://drawio.example.com"
            mode: forward_single
            allowed_groups: [drawio-users]

License

MIT-0