blumeops/argocd/manifests/authentik/configmap-blueprint.yaml

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: authentik-blueprints
  namespace: authentik
data:
  common.yaml: |
    version: 1
    metadata:
      name: BlumeOps Common Identity
      labels:
        blueprints.goauthentik.io/description: "Shared groups and identity resources"
    entries:
      - model: authentik_core.group
        id: admins-group
        identifiers:
          name: admins
        attrs:
          name: admins

  grafana.yaml: |
    version: 1
    metadata:
      name: BlumeOps Grafana SSO
      labels:
        blueprints.goauthentik.io/description: "Grafana OIDC provider and application"
    entries:
      # OAuth2 provider for Grafana
      - model: authentik_providers_oauth2.oauth2provider
        id: grafana-provider
        identifiers:
          name: Grafana
        attrs:
          name: Grafana
          authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
          invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
          client_type: confidential
          client_id: grafana
          client_secret: !Env AUTHENTIK_GRAFANA_CLIENT_SECRET
          redirect_uris:
            - matching_mode: strict
              url: https://grafana.ops.eblu.me/login/generic_oauth
            - matching_mode: strict
              url: https://grafana.tail8d86e.ts.net/login/generic_oauth
          signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
          property_mappings:
            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, groups]]
          sub_mode: hashed_user_id
          include_claims_in_id_token: true

      # Grafana application — linked to the OAuth2 provider
      - model: authentik_core.application
        id: grafana-app
        identifiers:
          slug: grafana
        attrs:
          name: Grafana
          slug: grafana
          provider: !KeyOf grafana-provider
          meta_launch_url: https://grafana.ops.eblu.me
          policy_engine_mode: any

      # Policy binding — restrict Grafana to admins group
      - model: authentik_policies.policybinding
        identifiers:
          order: 0
          target: !KeyOf grafana-app
          group: !Find [authentik_core.group, [name, admins]]
        attrs:
          target: !KeyOf grafana-app
          group: !Find [authentik_core.group, [name, admins]]
          order: 0
          enabled: true
          negate: false
          timeout: 30

  forgejo.yaml: |
    version: 1
    metadata:
      name: BlumeOps Forgejo SSO
      labels:
        blueprints.goauthentik.io/description: "Forgejo OIDC provider and application"
    entries:
      # OAuth2 provider for Forgejo
      - model: authentik_providers_oauth2.oauth2provider
        id: forgejo-provider
        identifiers:
          name: Forgejo
        attrs:
          name: Forgejo
          authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
          invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
          client_type: confidential
          client_id: forgejo
          client_secret: !Env AUTHENTIK_FORGEJO_CLIENT_SECRET
          redirect_uris:
            - matching_mode: strict
              url: https://forge.ops.eblu.me/user/oauth2/authentik/callback
          signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
          property_mappings:
            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, groups]]
          sub_mode: hashed_user_id
          include_claims_in_id_token: true

      # Forgejo application — linked to the OAuth2 provider
      - model: authentik_core.application
        id: forgejo-app
        identifiers:
          slug: forgejo
        attrs:
          name: Forgejo
          slug: forgejo
          provider: !KeyOf forgejo-provider
          meta_launch_url: https://forge.ops.eblu.me
          policy_engine_mode: any

      # Policy binding — restrict Forgejo to admins group
      - model: authentik_policies.policybinding
        identifiers:
          order: 0
          target: !KeyOf forgejo-app
          group: !Find [authentik_core.group, [name, admins]]
        attrs:
          target: !KeyOf forgejo-app
          group: !Find [authentik_core.group, [name, admins]]
          order: 0
          enabled: true
          negate: false
          timeout: 30