Digitalboard/digitalboard.core
6
2
Fork 0
Code Pull requests 1 Releases Packages Activity Actions
digitalboard.core/roles/authentik/defaults/main.yml
Simon Bärlocher da103a59f2
feat(authentik): split-horizon host rewrite + proxy-app mode/group bindings 
* `authentik_host_rewrite_domains`: extra hostnames that reach the
  authentik container but make it generate URLs (OIDC issuer, reset
  links) as if requested from the canonical `authentik_domains[0]`.
  Each entry gets its own traefik router and a URL-based loadbalancer
  service that disables passHostHeader and pins X-Forwarded-Host via
  middleware, so server-to-server calls on internal FQDNs keep traffic
  in the LAN while the iss claim stays aligned with the public host.
  Uses a network alias on the canonical FQDN so traefik (sharing the
  network) resolves the URL upstream to this very container.

* proxy-app blueprint:
  - `mode` (default `forward_single`) lets callers pick between proxy,
    forward_single and forward_domain providers in one template.
  - `allowed_groups`: when set, emit one PolicyBinding per group on
    the application; authentik OR-evaluates bindings, so users in any
    listed group pass and others are denied.

Existing inventories with an empty list see no behavioural change.
2026-05-26 14:03:05 +02:00

161 lines
4.9 KiB
YAML
Raw Blame History

#SPDX-License-Identifier: MIT-0
---
# defaults file for authentik
# Base directory configuration (inherited from base role or defined here)
docker_compose_base_dir: /etc/docker/compose
docker_volume_base_dir: /srv/data
# Authentik-specific configuration
authentik_service_name: authentik
authentik_docker_compose_dir: "{{ docker_compose_base_dir }}/{{ authentik_service_name }}"
authentik_docker_volume_dir: "{{ docker_volume_base_dir }}/{{ authentik_service_name }}"
# Authentik service configuration
# FQDNs the authentik router accepts. The first entry is the canonical
# domain; further entries cover internal *.int.* names used for
# server-to-server traffic so backend calls don't hairpin via DMZ.
authentik_domains:
- "authentik.local.test"
# Hostnames that should reach authentik but make it generate URLs (OIDC
# issuer, password reset links, etc.) as if requested from the canonical
# `authentik_domains[0]` instead. Used for split-horizon setups where an
# internal FQDN (e.g. `auth.int.example.com`) keeps server-to-server
# traffic in the LAN but the iss claim must still match the public
# hostname that browsers see. Traefik handles each entry via a separate
# router that rewrites the Host header before forwarding to authentik.
authentik_host_rewrite_domains: []
authentik_image: "ghcr.io/goauthentik/server:2026.2.2"
authentik_port: 9000
authentik_secret_key: "changeme-generate-a-random-string"
# PostgreSQL configuration
authentik_postgres_image: "postgres:16-alpine"
authentik_postgres_db: authentik
authentik_postgres_user: authentik
authentik_postgres_password: "changeme"
# Traefik configuration
authentik_traefik_network: "proxy"
authentik_backend_network: "backend"
authentik_use_ssl: true
# Authentik environment settings
authentik_log_level: "info"
authentik_error_reporting_enabled: false
# Blueprints
authentik_proxy_apps: []
# - slug: whoami
# name: whoami
# internal_host: "http://whoami:80"
# external_host: "https://whoami.example.com"
# skip_path_regex: |
# ^/healthz$
# flows:
# authentication_slug: default-authentication-flow
# authorization_slug: default-provider-authorization-implicit-consent
# invalidation_slug: default-provider-invalidation-flow
authentik_proxy_outposts: []
# - name: "proxy-main"
# type: "proxy"
# service_connection: null
# providers:
# - whoami
# - nextcloud-proxy
# config:
# authentik_host: "https://authentik.local.test/"
# authentik_host_browser: "https://authentik.local.test/"
# log_level: "info"
authentik_ldap_apps: []
# - slug: ldap
# name: LDAP
# base_dn: "dc=local,dc=test"
# search_mode: cached # cached | direct
# bind_mode: cached # cached | direct
# search_group: null # optional: group name whose members can search
# certificate: null # optional: certificate name for LDAPS
# uid_start_number: 2000
# gid_start_number: 4000
authentik_ldap_outpost: {}
# name: "ldap-outpost"
# token: "changeme" # known token for outpost authentication
# config:
# authentik_host: "https://authentik.local.test/"
# log_level: "info"
authentik_oidc_apps: []
# - slug: grafana
# name: Grafana
# client_id: "grafana"
# client_secret: "changeme"
# redirect_uris:
# - url: "https://grafana.example.com/login/generic_oauth"
# matching_mode: strict
# signing_key_name: "authentik Self-signed Certificate"
# flows:
# authorization_slug: default-provider-authorization-implicit-consent
# invalidation_slug: default-provider-invalidation-flow
# scopes: [openid, email, profile, offline_access]
# Oauth sources
authentik_entra_sources: []
# - slug: entra-id
# name: "Login with Entra"
# tenant_mode: single # single | common
# tenant_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
# client_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
# client_secret: "changeme"
# scopes:
# - openid
# - profile
# - email
# # add only if you really need group sync on login:
# # - https://graph.microsoft.com/GroupMember.Read.All
# Show OAuth sources on login screen (list of source slugs):
authentik_login_sources: []
# - slug: entra-id
authentik_identification_stage_name: default-authentication-identification
# Local login fields to show on login screen (username, email, upn)
# Set to empty list to hide local login form entirely
authentik_login_user_fields:
- username
- email
# Groups to provision
authentik_groups: []
# - name: admins
# - name: editors
# is_superuser: false
# parent: null
# Local users to provision
authentik_local_users: []
# - username: admin
# name: "Admin User"
# email: "admin@example.com"
# password: "changeme"
# is_active: true
# groups:
# - authentik Admins
# attributes:
# settings:
# locale: en
# Resources to remove from Authentik (cleanup)
# Add slugs/names here when removing from the lists above
authentik_removed_oidc_apps: []
# - grafana
authentik_removed_proxy_apps: []
# - whoami
authentik_removed_local_users: []
# - olduser
View git blame Copy permalink