Refactor Authentik blueprint configuration to merge public, extra, and Nikflix directory groups into a single YAML template. Update README to clarify group entry requirements and enhance validation in Ansible tasks for blueprint entries. This improves the structure and usability of directory groups in Authentik deployments.

Nikholas Pcenicni
2026-05-14 22:39:53 -04:00
parent 93d602de9d
commit 7b337f7128
4 changed files with 102 additions and 14 deletions

@@ -84,15 +84,32 @@
- name: Assert noble Authentik blueprint variables (when blueprints enabled)
ansible.builtin.assert:
that:
- noble_authentik_blueprint_public_groups | default([]) | length > 0
- >-
((noble_authentik_blueprint_public_groups | default([])) | length
+ (noble_authentik_blueprint_extra_directory_groups | default([])) | length
+ (noble_authentik_blueprint_nikflix_groups | default([])) | length) > 0
- noble_authentik_blueprint_lab_operator_groups | default([]) | length > 0
- noble_authentik_blueprint_lab_flow_slug | default('') | trim | length > 0
fail_msg: >-
When noble_authentik_blueprints_enabled is true, set noble_authentik_blueprint_public_groups (non-empty),
noble_authentik_blueprint_lab_operator_groups (non-empty), and noble_authentik_blueprint_lab_flow_slug.
When noble_authentik_blueprints_enabled is true, set at least one entry across
noble_authentik_blueprint_public_groups, noble_authentik_blueprint_extra_directory_groups,
and/or noble_authentik_blueprint_nikflix_groups,
plus noble_authentik_blueprint_lab_operator_groups (non-empty) and noble_authentik_blueprint_lab_flow_slug.
See ansible/roles/noble_authentik/defaults/main.yml and README.
when: noble_authentik_blueprints_enabled | default(false) | bool
- name: Validate noble Authentik blueprint directory group entries (when blueprints enabled)
ansible.builtin.assert:
that:
- (item is string and (item | trim | length) > 0) or (item is mapping and (item.name | default('') | trim | length) > 0)
fail_msg: >-
Each noble_authentik_blueprint_*_groups entry must be a non-empty string or a dict with key **name** (string).
Invalid entry: {{ item }}
loop: "{{ (noble_authentik_blueprint_public_groups | default([])) + (noble_authentik_blueprint_extra_directory_groups | default([])) + (noble_authentik_blueprint_nikflix_groups | default([])) }}"
loop_control:
label: "{{ item if item is string else item.name }}"
when: noble_authentik_blueprints_enabled | default(false) | bool
- name: Render Authentik noble blueprint YAML files
ansible.builtin.template:
src: "blueprints/{{ item }}.j2"
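
Review bot: the `loop_control.label` in the new "Validate noble Authentik blueprint directory group entries" task reads `item.name` for every non-string entry, so a dict without `name` (or a list or number) leaves the label expression undefined, which can abort the loop with a templating error instead of the intended `fail_msg`. Something like `label: "{{ item if item is string else (item.name | default(item)) }}"` keeps the label renderable for exactly the entries this task is meant to reject. The `that` condition also only checks that `item.name` is non-empty after `trim`, while `fail_msg` promises "key name (string)"; adding `item.name is string` to the mapping branch would make the check match the message. The `**name**` markdown in `fail_msg` will print literally in Ansible output and can be dropped.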