From 8fdb8eaf8096e40ca842105915e7f11ecccb0362 Mon Sep 17 00:00:00 2001
From: uumas <gitcommit@uumas.fi>
Date: Mon, 26 May 2025 00:00:27 +0300
Subject: [PATCH] authentik: Support for additional mounts

---
 roles/authentik/defaults/main.yml       |  2 ++
 roles/authentik/meta/argument_specs.yml | 36 +++++++++++++++++++++++++
 roles/authentik/tasks/main.yml          | 16 ++---------
 roles/authentik/vars/main.yml           |  8 ++++++
 4 files changed, 48 insertions(+), 14 deletions(-)

diff --git a/roles/authentik/defaults/main.yml b/roles/authentik/defaults/main.yml
index 610f548..1914c53 100644
--- a/roles/authentik/defaults/main.yml
+++ b/roles/authentik/defaults/main.yml
@@ -3,3 +3,5 @@ authentik_tag: latest
 authentik_env: {}
 docker_networks:
   - name: authentik
+
+authentik_additional_mounts: []
diff --git a/roles/authentik/meta/argument_specs.yml b/roles/authentik/meta/argument_specs.yml
index 6e7b761..9bc37f6 100644
--- a/roles/authentik/meta/argument_specs.yml
+++ b/roles/authentik/meta/argument_specs.yml
@@ -15,6 +15,42 @@ argument_specs:
         type: dict
         required: false
         default: {}
+      authentik_additional_mounts:
+        description: "List of bind mounts or volumes to be mounted inside the container. Each element is a dict with path and exactly one of name, src or template"
+        type: list
+        required: false
+        default: []
+        elements: dict
+        options:
+          path:
+            description: "The path inside the container to mount at"
+            type: str
+            required: true
+          readonly:
+            description: "If true, volume will be mounted as read only inside the container. Only applies for named and src mounts."
+            type: bool
+            required: false
+            default: false
+          mode:
+            description: "Permissions for the created/templated directory. Defaults to '0644' for files, '0755' for directories. Doesn't apply for named volumes."
+            type: str
+            required: false
+          name:
+            description: "If docker_volume_type is named, the name of the named volume to be mounted at path. If docker_volume_type is bind, the name of the folder to create under /opt/<service>[/suffix]/mounts/ and mount at path."
+            type: str
+            required: false
+          src:
+            description: "Host path to bind mount inside the container."
+            type: str
+            required: false
+          template:
+            description: "Name of template without .j2 extension. Will be templated at /opt/<service>[/suffix]/mounts/<template> and mounted read only inside the container."
+            type: str
+            required: false
+          copypath:
+            description: "Name of file or directory to copy. Will be deployed from files/<copypath> to /opt/<service>[/suffix]/mounts/<copypath> and mounted read only inside the container."
+            type: str
+            required: false
 
       # All options after this will be passed directly to the container role
       docker_service_suffix:
diff --git a/roles/authentik/tasks/main.yml b/roles/authentik/tasks/main.yml
index 51aedb5..2dec304 100644
--- a/roles/authentik/tasks/main.yml
+++ b/roles/authentik/tasks/main.yml
@@ -12,13 +12,7 @@
     docker_additional_services:
       - redis
     docker_env: "{{ authentik_common_env | combine(authentik_env) }}"
-    docker_mounts:
-      - path: /media
-        name: "media"
-      - path: /templates
-        name: "templates"
-      - path: /certs
-        name: "certs"
+    docker_mounts: "{{ _authentik_mounts }}"
 
 - name: Authentik worker container
   ansible.builtin.include_role:
@@ -31,10 +25,4 @@
       - worker
     reverse_proxy_type: none
     docker_env: "{{ authentik_common_env | combine(authentik_env) }}"
-    docker_mounts:
-      - path: /media
-        name: "media"
-      - path: /templates
-        name: "templates"
-      - path: /certs
-        name: "certs"
+    docker_mounts: "{{ _authentik_mounts }}"
diff --git a/roles/authentik/vars/main.yml b/roles/authentik/vars/main.yml
index 9d16e5d..730d535 100644
--- a/roles/authentik/vars/main.yml
+++ b/roles/authentik/vars/main.yml
@@ -1,4 +1,12 @@
 ---
+_authentik_default_mounts:
+  - path: /media
+    name: "media"
+  - path: /templates
+    name: "templates"
+  - path: /certs
+    name: "certs"
+_authentik_mounts: "{{ _authentik_default_mounts + authentik_additional_mounts }}"
 
 authentik_common_env:
   AUTHENTIK_REDIS__HOST: authentik-redis