Add authentik blueprints

2026-05-10 18:29:53 +02:00
parent 9813e7d49a
commit c637fea0d0
9 changed files with 170 additions and 25 deletions
--- a/modules/server/containers/data/authentik/nextcloud.yaml
+++ b/modules/server/containers/data/authentik/nextcloud.yaml
@@ -0,0 +1,49 @@
+version: 1
+metadata:
+  name: nextcloud-saml-setup
+entries:
+  # 1. Create the SAML Provider
+  - model: authentik_providers_saml.samlprovider
+    identifiers:
+      name: Nextcloud SAML
+    attrs:
+      authorization_flow:
+        !Find [
+          authentik_flows.flow,
+          [slug, default-provider-authorization-explicit-consent],
+        ]
+      # Adjust these URLs to match your Nextcloud domain
+      acs_url: https://@NEXTCLOUD_DOMAIN@/apps/user_saml/saml/acs
+      audience: https://@NEXTCLOUD_DOMAIN@/apps/user_saml/saml/metadata
+      issuer: https://@AUTHENTIK_DOMAIN@
+      sp_binding: post
+      # Map the attributes for Name, Email, and Groups
+      property_mappings:
+        - !Find [
+            authentik_core.propertymapping,
+            [managed, goauthentik.io/providers/saml/ms-name],
+          ]
+        - !Find [
+            authentik_core.propertymapping,
+            [managed, goauthentik.io/providers/saml/ms-email],
+          ]
+        - !Find [
+            authentik_core.propertymapping,
+            [managed, goauthentik.io/providers/saml/ms-groups],
+          ]
+      # Select your signing certificate (default is usually self-signed)
+      signing_kp:
+        !Find [
+          authentik_crypto.certificatekeypair,
+          [name, "authentik Self-signed Certificate"],
+        ]
+
+  # 2. Create the Application
+  - model: authentik_core.application
+    identifiers:
+      slug: nextcloud
+    attrs:
+      name: Nextcloud
+      provider:
+        !Find [authentik_providers_saml.samlprovider, [name, Nextcloud SAML]]
+      group: "Cloud Services"
--- a/modules/server/containers/data/authentik/traefik.yaml
+++ b/modules/server/containers/data/authentik/traefik.yaml
@@ -0,0 +1,35 @@
+version: 1
+metadata:
+  name: domain-wide-proxy-setup
+entries:
+  # 1. The Provider
+  - model: authentik_providers_proxy.proxyprovider
+    identifiers:
+      name: Domain Wide Proxy
+    attrs:
+      authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-explicit-consent]]
+      
+      # For domain-wide, external_host must be the root domain or the auth domain
+      external_host: https://@AUTHENTIK_DOMAIN@
+      
+      # This allows the cookie to work across *.@COOKIE_DOMAIN@
+      cookie_domain: @COOKIE_DOMAIN@
+      
+      mode: forward_auth
+      intercept_header_auth: true
+
+  # 2. The Application (Required to link the provider)
+  - model: authentik_core.application
+    identifiers:
+      slug: authentik-proxy-root
+    attrs:
+      name: "Domain Auth Provider"
+      provider: !Find [authentik_providers_proxy.proxyprovider, [name, Domain Wide Proxy]]
+
+  # 3. Add to Outpost
+  - model: authentik_outposts.outpost
+    identifiers:
+      name: authentik Embedded Outpost
+    attrs:
+      providers:
+        - !Find [authentik_providers_proxy.proxyprovider, [name, Domain Wide Proxy]]