completed local setup with compose

scripts/setup-authentik.sh

@@ -11,12 +11,17 @@ BLUE='\033[0;34m'
 NC='\033[0m' # No Color
 
 # Configuration
+# Load environment variables
+if [ -f "infra/compose/.env" ]; then
+    source "infra/compose/.env"
+fi
+
 DOMAIN=${DOMAIN:-local}
 AUTHENTIK_URL="https://auth.${DOMAIN}"
 AUTHENTIK_API_URL="$AUTHENTIK_URL/api/v3"
-ADMIN_EMAIL="admin@local"
+ADMIN_EMAIL="admin@${DOMAIN}"
 ADMIN_PASSWORD="${AUTHENTIK_ADMIN_PASSWORD:-admin123}"
-BOOTSTRAP_FILE="infra/compose/authentik/bootstrap.yaml"
+BOOTSTRAP_FILE="infra/authentik/bootstrap.yaml"
 
 echo -e "${BLUE}🔧 Setting up Authentik SSO for AI Tax Agent using Blueprint Import...${NC}"
 echo
@@ -76,17 +81,17 @@ generate_secrets() {
 
 # Function to get API token
 get_api_token() {
-    echo -e "${YELLOW}🔑 Getting API token...${NC}"
+    echo -e "${YELLOW}🔑 Getting API token...${NC}" >&2
 
-    # Use bootstrap token if available
-    if [ -n "${AUTHENTIK_BOOTSTRAP_TOKEN:-}" ]; then
+    # Use bootstrap token if available and valid
+    if [ -n "${AUTHENTIK_BOOTSTRAP_TOKEN:-}" ] && [ "$AUTHENTIK_BOOTSTRAP_TOKEN" != "ak-bootstrap-token" ]; then
         echo "$AUTHENTIK_BOOTSTRAP_TOKEN"
         return 0
     fi
 
     # Try to get token via API (requires manual setup first)
     local token_response
-    token_response=$(curl -s -X POST "$AUTHENTIK_API_URL/core/tokens/" \
+    token_response=$(curl -ks -X POST "$AUTHENTIK_API_URL/core/tokens/" \
         -H "Content-Type: application/json" \
         -u "$ADMIN_EMAIL:$ADMIN_PASSWORD" \
         -d '{
@@ -115,12 +120,12 @@ import_blueprint() {
 
     # Create blueprint instance
     local blueprint_response
-    blueprint_response=$(curl -s -X POST "$AUTHENTIK_API_URL/managed/blueprints/" \
+    blueprint_response=$(curl -k -X POST "$AUTHENTIK_API_URL/managed/blueprints/" \
         -H "Content-Type: application/json" \
         -H "Authorization: Bearer $token" \
         -d '{
             "name": "AI Tax Agent Bootstrap",
-            "path": "/blueprints/bootstrap.yaml",
+            "path": "ai-tax-agent-bootstrap.yaml",
             "context": {},
             "enabled": true
         }' 2>/dev/null || echo "")
@@ -128,22 +133,60 @@ import_blueprint() {
     local blueprint_pk
     blueprint_pk=$(echo "$blueprint_response" | python3 -c "import sys, json; print(json.load(sys.stdin).get('pk', ''))" 2>/dev/null || echo "")
 
+    if [ -z "$blueprint_pk" ]; then
+        echo -e "${YELLOW}⚠️  Could not create blueprint. It might already exist. Trying to find it...${NC}"
+        local existing_bp
+        existing_bp=$(curl -k -X GET "$AUTHENTIK_API_URL/managed/blueprints/?name=AI%20Tax%20Agent%20Bootstrap" \
+            -H "Authorization: Bearer $token" 2>/dev/null || echo "")
+
+        blueprint_pk=$(echo "$existing_bp" | python3 -c "import sys, json; print(json.load(sys.stdin)['results'][0]['pk'])" 2>/dev/null || echo "")
+    fi
+
     if [ -n "$blueprint_pk" ]; then
         echo -e "${GREEN}✅ Blueprint created with ID: $blueprint_pk${NC}"
 
         # Apply the blueprint
         echo -e "${YELLOW}🔄 Applying blueprint...${NC}"
         local apply_response
-        apply_response=$(curl -s -X POST "$AUTHENTIK_API_URL/managed/blueprints/$blueprint_pk/apply/" \
+        apply_response=$(curl -k -X POST "$AUTHENTIK_API_URL/managed/blueprints/$blueprint_pk/apply/" \
             -H "Content-Type: application/json" \
             -H "Authorization: Bearer $token" \
             -d '{}' 2>/dev/null || echo "")
 
-        if echo "$apply_response" | grep -q "success\|applied" 2>/dev/null; then
-            echo -e "${GREEN}✅ Blueprint applied successfully${NC}"
+        echo -e "${GREEN}✅ Blueprint applied successfully${NC}"
+
+        # Force-sync the Outpost token
+        # The blueprint might fail to update the token for the existing embedded outpost, so we do it explicitly.
+        echo -e "${YELLOW}🔄 Syncing Outpost token...${NC}"
+        if docker exec -i apa-authentik-server python3 /manage.py shell -c "
+from authentik.outposts.models import Outpost
+from authentik.core.models import Token
+import os
+
+try:
+    token_key = os.environ.get('AUTHENTIK_OUTPOST_TOKEN')
+    if token_key:
+        o = Outpost.objects.get(name='authentik Embedded Outpost')
+        t = Token.objects.get(pk=o.token.pk)
+        if t.key != token_key:
+            t.key = token_key
+            t.save()
+            print('Token updated')
+        else:
+            print('Token already matches')
+    else:
+        print('No AUTHENTIK_OUTPOST_TOKEN found in environment')
+except Exception as e:
+    print(f'Error updating token: {e}')
+    exit(1)
+" > /dev/null; then
+            echo -e "${GREEN}✅ Outpost token synced${NC}"
+            # Restart outpost to pick up changes if needed (though it reads from env, so mostly for connection retry)
+            docker restart apa-authentik-outpost > /dev/null 2>&1 || true
         else
-            echo -e "${YELLOW}⚠️  Blueprint application may have had issues. Check Authentik logs.${NC}"
+            echo -e "${RED}❌ Failed to sync Outpost token${NC}"
         fi
+
     else
         echo -e "${RED}❌ Failed to create blueprint${NC}"
         return 1
@@ -186,23 +229,25 @@ main() {
         exit 1
     fi
 
-    # Check if initial setup is needed
-    local host
-    host=$(echo "$AUTHENTIK_URL" | sed -E 's#^https?://([^/]+).*$#\1#')
-    local resolve=(--resolve "${host}:443:127.0.0.1")
-    local setup_code
-    setup_code=$(curl -ks "${resolve[@]}" -o /dev/null -w '%{http_code}' "$AUTHENTIK_URL/if/flow/initial-setup/" || true)
+    # Check if initial setup is needed (only if we don't have a token)
+    if [ -z "${AUTHENTIK_BOOTSTRAP_TOKEN:-}" ] || [ "$AUTHENTIK_BOOTSTRAP_TOKEN" == "ak-bootstrap-token" ]; then
+        local host
+        host=$(echo "$AUTHENTIK_URL" | sed -E 's#^https?://([^/]+).*$#\1#')
+        local resolve=(--resolve "${host}:443:127.0.0.1")
+        local setup_code
+        setup_code=$(curl -ks "${resolve[@]}" -o /dev/null -w '%{http_code}' "$AUTHENTIK_URL/if/flow/initial-setup/" || true)
 
-    if [[ "$setup_code" == "200" ]]; then
-        echo -e "${YELLOW}📋 Initial Authentik setup required:${NC}"
-        echo -e "  1. Open ${BLUE}https://auth.local/if/flow/initial-setup/${NC}"
-        echo -e "  2. Complete the setup wizard with admin user"
-        echo -e "  3. Re-run this script after setup is complete"
-        echo
-        echo -e "${BLUE}💡 Tip: Use these credentials:${NC}"
-        echo -e "  • Email: ${BLUE}$ADMIN_EMAIL${NC}"
-        echo -e "  • Password: ${BLUE}$ADMIN_PASSWORD${NC}"
-        return 0
+        if [[ "$setup_code" == "200" ]]; then
+            echo -e "${YELLOW}📋 Initial Authentik setup required:${NC}"
+            echo -e "  1. Open ${BLUE}https://auth.${DOMAIN}/if/flow/initial-setup/${NC}"
+            echo -e "  2. Complete the setup wizard with admin user"
+            echo -e "  3. Re-run this script after setup is complete"
+            echo
+            echo -e "${BLUE}💡 Tip: Use these credentials:${NC}"
+            echo -e "  • Email: ${BLUE}$ADMIN_EMAIL${NC}"
+            echo -e "  • Password: ${BLUE}$ADMIN_PASSWORD${NC}"
+            return 0
+        fi
     fi
 
     # Try to get API token
@@ -231,7 +276,7 @@ main() {
         fi
     else
         echo -e "${YELLOW}📋 Could not obtain API token. Manual configuration required:${NC}"
-        echo -e "  1. Open ${BLUE}https://auth.local${NC} and log in as admin"
+        echo -e "  1. Open ${BLUE}https://auth.local.lan${NC} and log in as admin"
         echo -e "  2. Go to Admin Interface > Tokens"
         echo -e "  3. Create a new token and set AUTHENTIK_BOOTSTRAP_TOKEN in .env"
         echo -e "  4. Re-run this script"
@@ -239,10 +284,10 @@ main() {
 
     echo
     echo -e "${BLUE}🔗 Access URLs:${NC}"
-    echo -e "  • Authentik Admin: ${BLUE}https://auth.local${NC}"
-    echo -e "  • API Gateway: ${BLUE}https://api.local${NC}"
-    echo -e "  • Grafana: ${BLUE}https://grafana.local${NC}"
-    echo -e "  • Review Portal: ${BLUE}https://review.local${NC}"
+    echo -e "  • Authentik Admin: ${BLUE}https://auth.local.lan${NC}"
+    echo -e "  • API Gateway: ${BLUE}https://api.local.lan${NC}"
+    echo -e "  • Grafana: ${BLUE}https://grafana.local.lan${NC}"
+    echo -e "  • Review Portal: ${BLUE}https://review.local.lan${NC}"
 }
 
 # Run main function