From 20461fd8ff9747ae4c373b63903a46e97889a9a2 Mon Sep 17 00:00:00 2001
From: harkon
Date: Tue, 2 Dec 2025 16:28:53 +0200
Subject: [PATCH] fix: correct worker volume mount and add always allow policy to blueprint
---
 infra/base/authentik/bootstrap-prod.yaml | 57 ++++++++++++++++++++++++
 infra/base/infrastructure.yaml | 2 +-
 2 files changed, 58 insertions(+), 1 deletion(-)
diff --git a/infra/base/authentik/bootstrap-prod.yaml b/infra/base/authentik/bootstrap-prod.yaml
index e99482b..5195f8e 100644
--- a/infra/base/authentik/bootstrap-prod.yaml
+++ b/infra/base/authentik/bootstrap-prod.yaml
@@ -248,3 +248,60 @@ entries:
 meta_description: "Grafana monitoring (Production)"
 meta_publisher: "Grafana Labs"
 policy_engine_mode: "any"
+
+ # --- Policies --------------------------------------------------------------
+ - model: authentik_policies_expression.expressionpolicy
+ state: present
+ identifiers:
+ name: "Always Allow"
+ attrs:
+ expression: "return True"
+
+ - model: authentik_policies.policybinding
+ state: present
+ identifiers:
+ policy:
+ !Find [
+ authentik_policies_expression.expressionpolicy,
+ [name, "Always Allow"],
+ ]
+ target:
+ !Find [authentik_core.application, [slug, "ai-tax-agent-api-prod"]]
+ attrs:
+ order: 0
+
+ - model: authentik_policies.policybinding
+ state: present
+ identifiers:
+ policy:
+ !Find [
+ authentik_policies_expression.expressionpolicy,
+ [name, "Always Allow"],
+ ]
+ target: !Find [authentik_core.application, [slug, "minio-prod"]]
+ attrs:
+ order: 0
+
+ - model: authentik_policies.policybinding
+ state: present
+ identifiers:
+ policy:
+ !Find [
+ authentik_policies_expression.expressionpolicy,
+ [name, "Always Allow"],
+ ]
+ target: !Find [authentik_core.application, [slug, "vault-prod"]]
+ attrs:
+ order: 0
+
+ - model: authentik_policies.policybinding
+ state: present
+ identifiers:
+ policy:
+ !Find [
+ authentik_policies_expression.expressionpolicy,
+ [name, "Always Allow"],
+ ]
+ target: !Find [authentik_core.application, [slug, "grafana-prod"]]
+ attrs:
+ order: 0
diff --git a/infra/base/infrastructure.yaml b/infra/base/infrastructure.yaml
index 94c0caa..19095b6 100644
--- a/infra/base/infrastructure.yaml
+++ b/infra/base/infrastructure.yaml
@@ -135,7 +135,7 @@ services:
 - apa-authentik-db
 - apa-authentik-redis
 volumes:
- - ./authentik:/blueprints/custom
+ - ./authentik:/blueprints/ai-tax-agent
 apa-authentik-outpost:
 image: ghcr.io/goauthentik/proxy:2025.8.3
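Review bot: The four `policybinding` entries attach an expression policy whose body is `return True` to `ai-tax-agent-api-prod`, `minio-prod`, `vault-prod` and `grafana-prod`, so every identity that can complete authentication is authorised for the secrets store and object storage as well as the dashboards. With `policy_engine_mode: "any"` (visible in the context lines for the Grafana application; the other application entries start outside the hunk) a single passing binding is sufficient, so a restrictive policy bound later would have no effect while this one remains. Consider scoping each binding to a group rather than to this policy, e.g. `group: !Find [authentik_core.group, [name, "<GROUP_NAME_PLACEHOLDER>"]]`. If unconditional access is really intended, add a comment above the `Always Allow` entry recording why, and which other control gates these applications.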
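Review bot: The bind mount `./authentik:/blueprints/ai-tax-agent` is read-write by default, and that host directory presumably is the one holding `bootstrap-prod.yaml`, which defines the access policies for the production applications. The container only needs to read blueprints, so `- ./authentik:/blueprints/ai-tax-agent:ro` would keep a compromised or misbehaving container from rewriting files that are applied again on the next blueprint discovery. The service that owns this `volumes:` list starts above the hunk, so whether another service mounts the same path cannot be checked from here.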