* `authentik_host_rewrite_domains`: extra hostnames that reach the
authentik container but make it generate URLs (OIDC issuer, reset
links) as if requested from the canonical `authentik_domains[0]`.
Each entry gets its own traefik router and a URL-based loadbalancer
service that disables passHostHeader and pins X-Forwarded-Host via
middleware, so server-to-server calls on internal FQDNs keep traffic
in the LAN while the iss claim stays aligned with the public host.
Uses a network alias on the canonical FQDN so traefik (sharing the
network) resolves the URL upstream to this very container.
* proxy-app blueprint:
- `mode` (default `forward_single`) lets callers pick between proxy,
forward_single and forward_domain providers in one template.
- `allowed_groups`: when set, emit one PolicyBinding per group on
the application; authentik OR-evaluates bindings, so users in any
listed group pass and others are denied.
Existing inventories with an empty list see no behavioural change.
Authentik
Deploys Authentik identity provider with Docker Compose.
Variables
See defaults/main.yml for all available variables.
Blueprints
The role renders blueprints for:
- Local users (`authentik_local_users`)
- OIDC applications (`authentik_oidc_apps`)
- Proxy applications (`authentik_proxy_apps`)
- Proxy outposts (`authentik_proxy_outposts`)
- Entra ID sources (`authentik_entra_sources`)
- Login screen sources (`authentik_login_source_ids`)
Secrets are passed via authentik_blueprint_env using environment variable references.
Removing resources
To remove resources from Authentik, move slugs to the removal lists:
- `authentik_removed_oidc_apps`
- `authentik_removed_proxy_apps`
- `authentik_removed_local_users`
After confirming deletion, remove the slug from the list.
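The variables above interact in ways that are easy to get wrong in an inventory: a slug left in both `authentik_proxy_apps` and `authentik_removed_proxy_apps`, a rewrite domain that duplicates the canonical `authentik_domains[0]`, a typo in `mode`, or an app that silently admits every authenticated user because `allowed_groups` is empty. The following pre-deploy lint is an added example and not part of the role; it assumes each proxy-app entry is a mapping with a `slug` key (the README speaks of slugs, but the key name itself is an assumption), and the sample inventory is constructed here.

```python
"""Pre-deploy sanity checks for the authentik role's inventory variables.

Added example, not code from the role. Assumes each ``authentik_proxy_apps``
entry is a mapping with a ``slug`` key (assumed key name) plus the optional
``mode`` and ``allowed_groups`` keys described in the commit message.
"""
from __future__ import annotations

# Provider modes the proxy-app blueprint accepts (from the commit message).
VALID_MODES = {"proxy", "forward_single", "forward_domain"}

# Constructed sample inventory; hostnames and slugs are made up.
SAMPLE_VARS = {
    "authentik_domains": ["auth.example.com"],
    "authentik_host_rewrite_domains": [
        "auth.lan.example.internal",
        "auth.example.com",  # duplicates the canonical host: flagged below
    ],
    "authentik_proxy_apps": [
        {"slug": "grafana", "mode": "forward_single", "allowed_groups": ["admins"]},
        {"slug": "wiki", "mode": "forward_domian", "allowed_groups": []},  # typo in mode
        {"slug": "legacy", "mode": "proxy"},  # no allowed_groups at all
    ],
    "authentik_removed_proxy_apps": ["legacy"],  # still deployed above
}


def lint_authentik_vars(v: dict) -> list[str]:
    """Return a list of human-readable findings; empty means the vars look consistent."""
    findings: list[str] = []

    domains = v.get("authentik_domains", [])
    canonical = domains[0] if domains else None
    if canonical is None:
        findings.append("authentik_domains must contain at least the canonical host")

    # Rewrite domains are *extra* hostnames; repeating the canonical one is a mistake.
    for host in v.get("authentik_host_rewrite_domains", []):
        if host == canonical:
            findings.append(f"authentik_host_rewrite_domains repeats canonical host {host!r}")

    apps = v.get("authentik_proxy_apps", [])
    active = {app["slug"] for app in apps}
    removed = set(v.get("authentik_removed_proxy_apps", []))
    # A slug queued for removal must not still be deployed by the same inventory.
    for slug in sorted(active & removed):
        findings.append(f"slug {slug!r} is both deployed and queued for removal")

    for app in apps:
        slug = app["slug"]
        mode = app.get("mode", "forward_single")  # role default per commit message
        if mode not in VALID_MODES:
            findings.append(f"app {slug!r}: unknown mode {mode!r}")
        # Empty/missing allowed_groups means no PolicyBinding is emitted, so any
        # authenticated user is admitted; surface that so it is a conscious choice.
        if not app.get("allowed_groups"):
            findings.append(f"app {slug!r}: no allowed_groups, every authenticated user is admitted")
    return findings


if __name__ == "__main__":
    for line in lint_authentik_vars(SAMPLE_VARS):
        print("WARN", line)
```

Run it against the real inventory (for example by loading `group_vars` with PyYAML) before `ansible-playbook`; a non-empty result is worth reviewing even where the role itself would deploy without error.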