gsdavidp/home-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add Authentik and oauth2-proxy support to noble cluster setup, including environment variables, playbook tags, and landing URLs. Update README and kustomization.yaml to reflect new OIDC integration, enhancing security and user authentication capabilities.

Browse Source
This commit is contained in:
Nikholas Pcenicni
2026-05-14 00:23:48 -04:00
parent 2bf7277917
commit 78b524a044
25 changed files with 1125 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

217
ansible/roles/noble_authentik/tasks/from_env.yml Normal file
View File

@@ -0,0 +1,217 @@
---
# **.env** is shell `KEY=value` syntax (not YAML). Source it like **noble_velero** does.
- name: Stat repository .env for Authentik
ansible.builtin.stat:
path: "{{ noble_repo_root }}/.env"
register: noble_authentik_dotenv_stat
changed_when: false
- name: Load NOBLE_AUTHENTIK_SECRET_KEY from .env when unset
ansible.builtin.shell: |
set -a
. "{{ noble_repo_root }}/.env"
set +a
printf '%s' "${NOBLE_AUTHENTIK_SECRET_KEY:-}"
register: noble_authentik_secret_key_from_env
when:
- noble_authentik_dotenv_stat.stat.exists | default(false)
- noble_authentik_secret_key | default('') | length == 0
changed_when: false
no_log: true
- name: Apply NOBLE_AUTHENTIK_SECRET_KEY from .env
ansible.builtin.set_fact:
noble_authentik_secret_key: "{{ noble_authentik_secret_key_from_env.stdout | trim }}"
when:
- noble_authentik_secret_key_from_env is defined
- (noble_authentik_secret_key_from_env.stdout | default('') | trim | length) > 0
no_log: true
- name: Load NOBLE_AUTHENTIK_POSTGRES_PASSWORD from .env when unset
ansible.builtin.shell: |
set -a
. "{{ noble_repo_root }}/.env"
set +a
printf '%s' "${NOBLE_AUTHENTIK_POSTGRES_PASSWORD:-}"
register: noble_authentik_pg_from_env
when:
- noble_authentik_dotenv_stat.stat.exists | default(false)
- noble_authentik_postgresql_password | default('') | length == 0
changed_when: false
no_log: true
- name: Apply NOBLE_AUTHENTIK_POSTGRES_PASSWORD from .env
ansible.builtin.set_fact:
noble_authentik_postgresql_password: "{{ noble_authentik_pg_from_env.stdout | trim }}"
when:
- noble_authentik_pg_from_env is defined
- (noble_authentik_pg_from_env.stdout | default('') | trim | length) > 0
no_log: true
- name: Load NOBLE_AUTHENTIK_BOOTSTRAP_TOKEN from .env when unset
ansible.builtin.shell: |
set -a
. "{{ noble_repo_root }}/.env"
set +a
printf '%s' "${NOBLE_AUTHENTIK_BOOTSTRAP_TOKEN:-}"
register: noble_authentik_bt_from_env
when:
- noble_authentik_dotenv_stat.stat.exists | default(false)
- noble_authentik_bootstrap_token | default('') | length == 0
changed_when: false
no_log: true
- name: Apply NOBLE_AUTHENTIK_BOOTSTRAP_TOKEN from .env
ansible.builtin.set_fact:
noble_authentik_bootstrap_token: "{{ noble_authentik_bt_from_env.stdout | trim }}"
when:
- noble_authentik_bt_from_env is defined
- (noble_authentik_bt_from_env.stdout | default('') | trim | length) > 0
no_log: true
- name: Load NOBLE_AUTHENTIK_BOOTSTRAP_EMAIL from .env when unset
ansible.builtin.shell: |
set -a
. "{{ noble_repo_root }}/.env"
set +a
printf '%s' "${NOBLE_AUTHENTIK_BOOTSTRAP_EMAIL:-}"
register: noble_authentik_be_from_env
when:
- noble_authentik_dotenv_stat.stat.exists | default(false)
- noble_authentik_bootstrap_email | default('') | length == 0
changed_when: false
no_log: true
- name: Apply NOBLE_AUTHENTIK_BOOTSTRAP_EMAIL from .env
ansible.builtin.set_fact:
noble_authentik_bootstrap_email: "{{ noble_authentik_be_from_env.stdout | trim }}"
when:
- noble_authentik_be_from_env is defined
- (noble_authentik_be_from_env.stdout | default('') | trim | length) > 0
no_log: true
- name: Load NOBLE_AUTHENTIK_BOOTSTRAP_PASSWORD from .env when unset
ansible.builtin.shell: |
set -a
. "{{ noble_repo_root }}/.env"
set +a
printf '%s' "${NOBLE_AUTHENTIK_BOOTSTRAP_PASSWORD:-}"
register: noble_authentik_bp_from_env
when:
- noble_authentik_dotenv_stat.stat.exists | default(false)
- noble_authentik_bootstrap_password | default('') | length == 0
changed_when: false
no_log: true
- name: Apply NOBLE_AUTHENTIK_BOOTSTRAP_PASSWORD from .env
ansible.builtin.set_fact:
noble_authentik_bootstrap_password: "{{ noble_authentik_bp_from_env.stdout | trim }}"
when:
- noble_authentik_bp_from_env is defined
- (noble_authentik_bp_from_env.stdout | default('') | trim | length) > 0
no_log: true
- name: Load NOBLE_AUTHENTIK_CLIENT_SECRET_ARGOCD from .env when unset
ansible.builtin.shell: |
set -a
. "{{ noble_repo_root }}/.env"
set +a
printf '%s' "${NOBLE_AUTHENTIK_CLIENT_SECRET_ARGOCD:-}"
register: noble_authentik_cs_argo_from_env
when:
- noble_authentik_dotenv_stat.stat.exists | default(false)
- noble_authentik_client_secret_argocd | default('') | length == 0
changed_when: false
no_log: true
- name: Apply NOBLE_AUTHENTIK_CLIENT_SECRET_ARGOCD from .env
ansible.builtin.set_fact:
noble_authentik_client_secret_argocd: "{{ noble_authentik_cs_argo_from_env.stdout | trim }}"
when:
- noble_authentik_cs_argo_from_env is defined
- (noble_authentik_cs_argo_from_env.stdout | default('') | trim | length) > 0
no_log: true
- name: Load NOBLE_AUTHENTIK_CLIENT_SECRET_GRAFANA from .env when unset
ansible.builtin.shell: |
set -a
. "{{ noble_repo_root }}/.env"
set +a
printf '%s' "${NOBLE_AUTHENTIK_CLIENT_SECRET_GRAFANA:-}"
register: noble_authentik_cs_graf_from_env
when:
- noble_authentik_dotenv_stat.stat.exists | default(false)
- noble_authentik_client_secret_grafana | default('') | length == 0
changed_when: false
no_log: true
- name: Apply NOBLE_AUTHENTIK_CLIENT_SECRET_GRAFANA from .env
ansible.builtin.set_fact:
noble_authentik_client_secret_grafana: "{{ noble_authentik_cs_graf_from_env.stdout | trim }}"
when:
- noble_authentik_cs_graf_from_env is defined
- (noble_authentik_cs_graf_from_env.stdout | default('') | trim | length) > 0
no_log: true
- name: Load NOBLE_AUTHENTIK_CLIENT_SECRET_HEADLAMP from .env when unset
ansible.builtin.shell: |
set -a
. "{{ noble_repo_root }}/.env"
set +a
printf '%s' "${NOBLE_AUTHENTIK_CLIENT_SECRET_HEADLAMP:-}"
register: noble_authentik_cs_hl_from_env
when:
- noble_authentik_dotenv_stat.stat.exists | default(false)
- noble_authentik_client_secret_headlamp | default('') | length == 0
changed_when: false
no_log: true
- name: Apply NOBLE_AUTHENTIK_CLIENT_SECRET_HEADLAMP from .env
ansible.builtin.set_fact:
noble_authentik_client_secret_headlamp: "{{ noble_authentik_cs_hl_from_env.stdout | trim }}"
when:
- noble_authentik_cs_hl_from_env is defined
- (noble_authentik_cs_hl_from_env.stdout | default('') | trim | length) > 0
no_log: true
- name: Load NOBLE_AUTHENTIK_CLIENT_SECRET_OAUTH2_PROXY from .env when unset
ansible.builtin.shell: |
set -a
. "{{ noble_repo_root }}/.env"
set +a
printf '%s' "${NOBLE_AUTHENTIK_CLIENT_SECRET_OAUTH2_PROXY:-}"
register: noble_authentik_cs_o2_from_env
when:
- noble_authentik_dotenv_stat.stat.exists | default(false)
- noble_authentik_client_secret_oauth2_proxy | default('') | length == 0
changed_when: false
no_log: true
- name: Apply NOBLE_AUTHENTIK_CLIENT_SECRET_OAUTH2_PROXY from .env
ansible.builtin.set_fact:
noble_authentik_client_secret_oauth2_proxy: "{{ noble_authentik_cs_o2_from_env.stdout | trim }}"
when:
- noble_authentik_cs_o2_from_env is defined
- (noble_authentik_cs_o2_from_env.stdout | default('') | trim | length) > 0
no_log: true
- name: Load NOBLE_AUTHENTIK_OAUTH2_PROXY_COOKIE_SECRET from .env when unset
ansible.builtin.shell: |
set -a
. "{{ noble_repo_root }}/.env"
set +a
printf '%s' "${NOBLE_AUTHENTIK_OAUTH2_PROXY_COOKIE_SECRET:-}"
register: noble_authentik_cs_cookie_from_env
when:
- noble_authentik_dotenv_stat.stat.exists | default(false)
- noble_authentik_oauth2_proxy_cookie_secret | default('') | length == 0
changed_when: false
no_log: true
- name: Apply NOBLE_AUTHENTIK_OAUTH2_PROXY_COOKIE_SECRET from .env
ansible.builtin.set_fact:
noble_authentik_oauth2_proxy_cookie_secret: "{{ noble_authentik_cs_cookie_from_env.stdout | trim }}"
when:
- noble_authentik_cs_cookie_from_env is defined
- (noble_authentik_cs_cookie_from_env.stdout | default('') | trim | length) > 0
no_log: true