#SPDX-License-Identifier: MIT-0
---
# defaults file for authentik
#
# Role defaults: every value here is the lowest-precedence setting and is
# expected to be overridden from inventory/group_vars. Values marked
# "placeholder" are not usable as-is and must be supplied per deployment.

# Base directory configuration (inherited from base role or defined here)
docker_compose_base_dir: /etc/docker/compose
docker_volume_base_dir: /srv/data

# Authentik-specific configuration
# Compose project and persistent-data locations are derived from the base
# directories above plus the service name, so overriding the base paths
# moves both at once.
authentik_service_name: authentik
authentik_docker_compose_dir: "{{ docker_compose_base_dir }}/{{ authentik_service_name }}"
authentik_docker_volume_dir: "{{ docker_volume_base_dir }}/{{ authentik_service_name }}"

# Authentik service configuration
# FQDNs the authentik router accepts. The first entry is the canonical
# domain; further entries cover internal *.int.* names used for
# server-to-server traffic so backend calls don't hairpin via DMZ.
authentik_domains:
  - "authentik.local.test"
# Pinned to an explicit release tag; bump deliberately rather than tracking
# a floating tag so upgrades are reviewed.
authentik_image: "ghcr.io/goauthentik/server:2026.2.2"
authentik_port: 9000
# Placeholder only. Override with a long random value kept in Ansible Vault;
# a deployment that still carries this default should be treated as
# misconfigured. NOTE(review): presumably the key authentik uses for signing
# sessions/cookies — confirm against the compose template.
authentik_secret_key: "changeme-generate-a-random-string"

# PostgreSQL configuration
authentik_postgres_image: "postgres:16-alpine"
authentik_postgres_db: authentik
authentik_postgres_user: authentik
# Placeholder only — override from Ansible Vault, never commit a real value here.
authentik_postgres_password: "changeme"

# Traefik configuration
# Network names must match the networks the Traefik role creates; the
# backend network is where authentik and its database talk to each other.
authentik_traefik_network: "proxy"
authentik_backend_network: "backend"
# NOTE(review): presumably toggles the TLS router/entrypoint in the Traefik
# labels — confirm in the compose template before relying on it.
authentik_use_ssl: true

# Authentik environment settings
authentik_log_level: "info"
# Keep false unless sending crash/error reports off-host is acceptable for
# this deployment.
authentik_error_reporting_enabled: false

# Blueprints
# Each list below is rendered into authentik blueprints. The commented
# entries are examples of the expected item shape; any client_secret,
# token or password in a real entry belongs in Ansible Vault.
authentik_proxy_apps: []
# - slug: whoami
#   name: whoami
#   internal_host: "http://whoami:80"
#   external_host: "https://whoami.example.com"
#   skip_path_regex: |
#     ^/healthz$
#   flows:
#     authentication_slug: default-authentication-flow
#     authorization_slug: default-provider-authorization-implicit-consent
#     invalidation_slug: default-provider-invalidation-flow

authentik_proxy_outposts: []
# - name: "proxy-main"
#   type: "proxy"
#   service_connection: null
#   providers:
#     - whoami
#     - nextcloud-proxy
#   config:
#     authentik_host: "https://authentik.local.test/"
#     authentik_host_browser: "https://authentik.local.test/"
#     log_level: "info"

authentik_ldap_apps: []
# - slug: ldap
#   name: LDAP
#   base_dn: "dc=local,dc=test"
#   search_mode: cached # cached | direct
#   bind_mode: cached # cached | direct
#   search_group: null # optional: group name whose members can search
#   certificate: null # optional: certificate name for LDAPS
#   uid_start_number: 2000
#   gid_start_number: 4000

# Single mapping (not a list): empty {} means no LDAP outpost is provisioned.
authentik_ldap_outpost: {}
# name: "ldap-outpost"
# token: "changeme" # known token for outpost authentication (placeholder; use Vault)
# config:
#   authentik_host: "https://authentik.local.test/"
#   log_level: "info"

authentik_oidc_apps: []
# - slug: grafana
#   name: Grafana
#   client_id: "grafana"
#   client_secret: "changeme"
#   redirect_uris:
#     - url: "https://grafana.example.com/login/generic_oauth"
#       matching_mode: strict
#   signing_key_name: "authentik Self-signed Certificate"
#   flows:
#     authorization_slug: default-provider-authorization-implicit-consent
#     invalidation_slug: default-provider-invalidation-flow
#   scopes: [openid, email, profile, offline_access]

# Oauth sources
authentik_entra_sources: []
# - slug: entra-id
#   name: "Login with Entra"
#   tenant_mode: single # single | common
#   tenant_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
#   client_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
#   client_secret: "changeme"
#   scopes:
#     - openid
#     - profile
#     - email
#     # add only if you really need group sync on login:
#     # - https://graph.microsoft.com/GroupMember.Read.All

# Show OAuth sources on login screen (list of source slugs):
authentik_login_sources: []
# - slug: entra-id
# Identification stage the login-source/field settings above are applied to.
authentik_identification_stage_name: default-authentication-identification

# Local login fields to show on login screen (username, email, upn)
# Set to empty list to hide local login form entirely
authentik_login_user_fields:
  - username
  - email

# Groups to provision
authentik_groups: []
# - name: admins
# - name: editors
#   is_superuser: false
#   parent: null

# Local users to provision
# Passwords for real users must come from Ansible Vault, not this file.
authentik_local_users: []
# - username: admin
#   name: "Admin User"
#   email: "admin@example.com"
#   password: "changeme"
#   is_active: true
#   groups:
#     - authentik Admins
#   attributes:
#     settings:
#       locale: en

# Resources to remove from Authentik (cleanup)
# Add slugs/names here when removing from the lists above
# (removing an entry from a provisioning list alone leaves the object in
# authentik; the lists below are what drive deletion).
authentik_removed_oidc_apps: []
# - grafana
authentik_removed_proxy_apps: []
# - whoami
authentik_removed_local_users: []
# - olduser