ai-tax-agent/infra/authentik/bootstrap.yaml

# FILE: blueprints/ai-tax-agent-bootstrap.yaml
# Authentik Bootstrap (v2025.x): users, groups, scope mappings, OIDC providers, applications

version: 1

metadata:
  name: AI Tax Agent — Bootstrap + OIDC Providers

entries:
  # --- Groups first (so the admin user can reference them) -------------------
  - model: authentik_core.group
    state: present
    identifiers:
      name: "Administrators"
    attrs:
      is_superuser: true

  - model: authentik_core.group
    state: present
    identifiers:
      name: "Tax Reviewers"
    attrs:
      is_superuser: false

  - model: authentik_core.group
    state: present
    identifiers:
      name: "Accountants"
    attrs:
      is_superuser: false

  - model: authentik_core.group
    state: present
    identifiers:
      name: "Clients"
    attrs:
      is_superuser: false

  # --- Admin user ------------------------------------------------------------
  - model: authentik_core.user
    state: present
    identifiers:
      username: admin
    attrs:
      name: "System Administrator"
      email: admin@local.lan
      is_active: true
      is_staff: true
      is_superuser: true
      groups:
        - !Find [authentik_core.group, [name, "Administrators"]]

  # Helper finders

  # ========= OIDC Providers + Applications ==================================

  # --- UI Review (Proxy Provider for ForwardAuth) ---------------------------
  - model: authentik_providers_proxy.proxyprovider
    state: present
    identifiers:
      name: "UI Review Proxy"
    attrs:
      external_host: "https://review.local.lan"
      internal_host: "http://ui-review:3030"
      authorization_flow:
        !Find [authentik_flows.flow, [slug, "default-authentication-flow"]]
      invalidation_flow:
        !Find [authentik_flows.flow, [slug, "default-invalidation-flow"]]
      mode: "forward_single"
      cookie_domain: "local.lan"

  - model: authentik_core.application
    state: present
    identifiers:
      slug: "ui-review"
    attrs:
      name: "UI Review"
      provider:
        !Find [
          authentik_providers_proxy.proxyprovider,
          [name, "UI Review Proxy"],
        ]
      meta_launch_url: "https://review.local.lan"
      meta_description: "Tax Agent Platform - Review UI"
      meta_publisher: "AI Tax Agent"
      policy_engine_mode: "any"

  # --- Vault OIDC Provider --------------------------------------------------
  - model: authentik_providers_oauth2.oauth2provider
    state: present
    identifiers:
      name: "Vault OIDC"
    attrs:
      client_id: "vault"
      client_secret: !Env [AUTHENTIK_VAULT_CLIENT_SECRET, "changeme"]
      client_type: "confidential"
      redirect_uris:
        - matching_mode: strict
          url: "https://vault.local.lan/ui/vault/auth/oidc/oidc/callback"
        - matching_mode: strict
          url: "https://vault.local.lan/oidc/callback"
        - matching_mode: strict
          url: "http://localhost:8250/oidc/callback"
      sub_mode: "hashed_user_id"
      include_claims_in_id_token: true
      issuer_mode: "per_provider"
      signing_key:
        !Find [
          authentik_crypto.certificatekeypair,
          [name, "authentik Self-signed Certificate"],
        ]
      property_mappings:
        - !Find [
            authentik_providers_oauth2.scopemapping,
            [scope_name, "openid"],
          ]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "email"]]
        - !Find [
            authentik_providers_oauth2.scopemapping,
            [scope_name, "profile"],
          ]
      authorization_flow:
        !Find [authentik_flows.flow, [slug, "default-authentication-flow"]]
      invalidation_flow:
        !Find [authentik_flows.flow, [slug, "default-invalidation-flow"]]

  - model: authentik_core.application
    state: present
    identifiers:
      slug: "vault-oidc"
    attrs:
      name: "Vault OIDC"
      provider:
        !Find [authentik_providers_oauth2.oauth2provider, [name, "Vault OIDC"]]
      meta_launch_url: "https://vault.local.lan"
      meta_description: "Vault OIDC Authentication"
      meta_publisher: "AI Tax Agent"
      policy_engine_mode: "any"

  # --- MinIO OIDC Provider --------------------------------------------------

  # Scope Mapping for MinIO Policy
  - model: authentik_providers_oauth2.scopemapping
    state: present
    identifiers:
      name: "MinIO Policy Mapping"
    attrs:
      name: "MinIO Policy Mapping"
      description: "Maps Authentik users to MinIO policies"
      scope_name: "minio"
      expression: |
        # Default to readwrite for all authenticated users
        # You can customize this based on groups
        return {
            "policy": "readwrite"
        }

  - model: authentik_providers_oauth2.oauth2provider
    state: present
    identifiers:
      name: "MinIO OIDC"
    attrs:
      client_id: "minio"
      client_secret: !Env [AUTHENTIK_MINIO_CLIENT_SECRET, "changeme"]
      client_type: "confidential"
      redirect_uris:
        - matching_mode: strict
          url: "https://minio.local.lan/oauth_callback"
      sub_mode: "hashed_user_id"
      include_claims_in_id_token: true
      issuer_mode: "per_provider"
      signing_key:
        !Find [
          authentik_crypto.certificatekeypair,
          [name, "authentik Self-signed Certificate"],
        ]
      property_mappings:
        - !Find [
            authentik_providers_oauth2.scopemapping,
            [scope_name, "openid"],
          ]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "email"]]
        - !Find [
            authentik_providers_oauth2.scopemapping,
            [scope_name, "profile"],
          ]
        - !Find [
            authentik_providers_oauth2.scopemapping,
            [name, "MinIO Policy Mapping"],
          ]
      authorization_flow:
        !Find [authentik_flows.flow, [slug, "default-authentication-flow"]]
      invalidation_flow:
        !Find [authentik_flows.flow, [slug, "default-invalidation-flow"]]

  - model: authentik_core.application
    state: present
    identifiers:
      slug: "minio-oidc"
    attrs:
      name: "MinIO OIDC"
      provider:
        !Find [authentik_providers_oauth2.oauth2provider, [name, "MinIO OIDC"]]
      meta_launch_url: "https://minio.local.lan"
      meta_description: "MinIO Object Storage OIDC"
      meta_publisher: "AI Tax Agent"
      policy_engine_mode: "any"

  # --- Grafana SSO Configuration -------------------------------------------

  # Custom Role Mapping for Grafana
  - model: authentik_providers_oauth2.scopemapping
    state: present
    identifiers:
      name: "Grafana Role Mapping"
    attrs:
      name: "Grafana Role Mapping"
      description: "Maps Authentik groups to Grafana roles"
      scope_name: "role"
      expression: |
        # Map Authentik groups to Grafana roles
        user_groups = [group.name for group in request.user.ak_groups.all()]

        # Admin role mapping
        if "authentik Admins" in user_groups or "Administrators" in user_groups:
            return "Admin"

        # Editor role mapping
        if "Tax Reviewers" in user_groups or "Accountants" in user_groups:
            return "Editor"

        # Default to Viewer role
        return "Viewer"

  # Grafana OAuth2 Provider
  - model: authentik_providers_oauth2.oauth2provider
    state: present
    identifiers:
      name: "Grafana"
    attrs:
      client_id: !Env [GRAFANA_OAUTH_CLIENT_ID, "grafana"]
      client_secret: !Env [GRAFANA_OAUTH_CLIENT_SECRET, "changeme"]
      client_type: "confidential"
      redirect_uris:
        - matching_mode: strict
          url: "https://grafana.local.lan/login/generic_oauth"
      sub_mode: "hashed_user_id"
      include_claims_in_id_token: true
      issuer_mode: "per_provider"
      signing_key:
        !Find [
          authentik_crypto.certificatekeypair,
          [name, "authentik Self-signed Certificate"],
        ]
      property_mappings:
        - !Find [
            authentik_providers_oauth2.scopemapping,
            [scope_name, "openid"],
          ]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "email"]]
        - !Find [
            authentik_providers_oauth2.scopemapping,
            [scope_name, "profile"],
          ]

        - !Find [
            authentik_providers_oauth2.scopemapping,
            [name, "Grafana Role Mapping"],
          ]
      authorization_flow:
        !Find [authentik_flows.flow, [slug, "default-authentication-flow"]]
      invalidation_flow:
        !Find [authentik_flows.flow, [slug, "default-invalidation-flow"]]

  # Grafana Application
  - model: authentik_core.application
    state: present
    identifiers:
      slug: "grafana"
    attrs:
      name: "Grafana"
      provider:
        !Find [authentik_providers_oauth2.oauth2provider, [name, "Grafana"]]
      meta_launch_url: "https://grafana.local.lan"
      meta_description: "Grafana monitoring and observability platform"
      meta_publisher: "Grafana Labs"
      policy_engine_mode: "any"

  # --- Traefik Dashboard (Proxy Provider for ForwardAuth) -------------------
  - model: authentik_providers_proxy.proxyprovider
    state: present
    identifiers:
      name: "Traefik Dashboard Proxy"
    attrs:
      external_host: "https://traefik.local.lan"
      internal_host: "http://apa-traefik:8080"
      authorization_flow:
        !Find [authentik_flows.flow, [slug, "default-authentication-flow"]]
      invalidation_flow:
        !Find [authentik_flows.flow, [slug, "default-invalidation-flow"]]
      mode: "forward_single"
      cookie_domain: "local.lan"

  - model: authentik_core.application
    state: present
    identifiers:
      slug: "traefik-dashboard"
    attrs:
      name: "Traefik Dashboard"
      provider:
        !Find [
          authentik_providers_proxy.proxyprovider,
          [name, "Traefik Dashboard Proxy"],
        ]
      meta_launch_url: "https://traefik.local.lan"
      meta_description: "Traefik Edge Router Dashboard"
      meta_publisher: "AI Tax Agent"
      policy_engine_mode: "any"

  # --- AI Tax Agent API (Proxy Provider for ForwardAuth) --------------------
  - model: authentik_providers_proxy.proxyprovider
    state: present
    identifiers:
      name: "AI Tax Agent API Proxy"
    attrs:
      external_host: "https://api.local.lan"
      internal_host: "http://apa-traefik:8080"
      authorization_flow:
        !Find [authentik_flows.flow, [slug, "default-authentication-flow"]]
      invalidation_flow:
        !Find [authentik_flows.flow, [slug, "default-invalidation-flow"]]
      mode: "forward_single"
      cookie_domain: "local.lan"

  - model: authentik_core.application
    state: present
    identifiers:
      slug: "ai-tax-agent-api-gateway"
    attrs:
      name: "AI Tax Agent API Gateway"
      provider:
        !Find [
          authentik_providers_proxy.proxyprovider,
          [name, "AI Tax Agent API Proxy"],
        ]
      meta_launch_url: "https://api.local.lan"
      meta_description: "AI Tax Agent API Gateway"
      meta_publisher: "AI Tax Agent"
      policy_engine_mode: "any"

  # --- Outpost Configuration ------------------------------------------------
  - model: authentik_outposts.outpost
    state: present
    identifiers:
      name: "authentik Embedded Outpost"
    attrs:
      token: !Env [AUTHENTIK_OUTPOST_TOKEN, "changeme"]
      providers:
        - !Find [
            authentik_providers_proxy.proxyprovider,
            [name, "Traefik Dashboard Proxy"],
          ]
        - !Find [
            authentik_providers_proxy.proxyprovider,
            [name, "UI Review Proxy"],
          ]
        - !Find [
            authentik_providers_proxy.proxyprovider,
            [name, "AI Tax Agent API Proxy"],
          ]