authentik: Support for additional mounts

2025-05-26 00:00:27 +03:00
parent bc2220e1ed
commit 8fdb8eaf80
4 changed files with 48 additions and 14 deletions
--- a/roles/authentik/defaults/main.yml
+++ b/roles/authentik/defaults/main.yml
@@ -3,3 +3,5 @@ authentik_tag: latest
 authentik_env: {}
 docker_networks:
  - name: authentik
+
+authentik_additional_mounts: []
--- a/roles/authentik/meta/argument_specs.yml
+++ b/roles/authentik/meta/argument_specs.yml
@@ -15,6 +15,42 @@ argument_specs:
        type: dict
        required: false
        default: {}
+      authentik_additional_mounts:
+        description: "List of bind mounts or volumes to be mounted inside the container. Each element is a dict with path and exactly one of name, src or template"
+        type: list
+        required: false
+        default: []
+        elements: dict
+        options:
+          path:
+            description: "The path inside the container to mount at"
+            type: str
+            required: true
+          readonly:
+            description: "If true, volume will be mounted as read only inside the container. Only applies for named and src mounts."
+            type: bool
+            required: false
+            default: false
+          mode:
+            description: "Permissions for the created/templated directory. Defaults to '0644' for files, '0755' for directories. Doesn't apply for named volumes."
+            type: str
+            required: false
+          name:
+            description: "If docker_volume_type is named, the name of the named volume to be mounted at path. If docker_volume_type is bind, the name of the folder to create under /opt/<service>[/suffix]/mounts/ and mount at path."
+            type: str
+            required: false
+          src:
+            description: "Host path to bind mount inside the container."
+            type: str
+            required: false
+          template:
+            description: "Name of template without .j2 extension. Will be templated at /opt/<service>[/suffix]/mounts/<template> and mounted read only inside the container."
+            type: str
+            required: false
+          copypath:
+            description: "Name of file or directory to copy. Will be deployed from files/<copypath> to /opt/<service>[/suffix]/mounts/<copypath> and mounted read only inside the container."
+            type: str
+            required: false

      # All options after this will be passed directly to the container role
      docker_service_suffix:
--- a/roles/authentik/tasks/main.yml
+++ b/roles/authentik/tasks/main.yml
@@ -12,13 +12,7 @@
    docker_additional_services:
      - redis
    docker_env: "{{ authentik_common_env | combine(authentik_env) }}"
-    docker_mounts:
-      - path: /media
-        name: "media"
-      - path: /templates
-        name: "templates"
-      - path: /certs
-        name: "certs"
+    docker_mounts: "{{ _authentik_mounts }}"

 - name: Authentik worker container
  ansible.builtin.include_role:
@@ -31,10 +25,4 @@
      - worker
    reverse_proxy_type: none
    docker_env: "{{ authentik_common_env | combine(authentik_env) }}"
-    docker_mounts:
-      - path: /media
-        name: "media"
-      - path: /templates
-        name: "templates"
-      - path: /certs
-        name: "certs"
+    docker_mounts: "{{ _authentik_mounts }}"
--- a/roles/authentik/vars/main.yml
+++ b/roles/authentik/vars/main.yml
@@ -1,4 +1,12 @@
 ---
+_authentik_default_mounts:
+  - path: /media
+    name: "media"
+  - path: /templates
+    name: "templates"
+  - path: /certs
+    name: "certs"
+_authentik_mounts: "{{ _authentik_default_mounts + authentik_additional_mounts }}"

 authentik_common_env:
  AUTHENTIK_REDIS__HOST: authentik-redis