# yaml-language-server: $schema=https://goauthentik.io/blueprints/schema.json
version: 1
metadata:
  name: "proxy-{{ item.slug }}"
  labels:
    blueprints.goauthentik.io/instantiate: "true"
    blueprints.goauthentik.io/description: "Proxy provider + application for {{ item.slug }}"

entries:
  - model: authentik_providers_proxy.proxyprovider
    id: proxy-provider-{{ item.slug }}
    identifiers:
      name: {{ item.slug }}
    attrs:
      name: {{ item.slug }}

      authentication_flow: !Find [authentik_flows.flow, [slug, {{ item.flows.authentication_slug | default('default-authentication-flow') }}]]
      authorization_flow: !Find [authentik_flows.flow, [slug, {{ item.flows.authorization_slug | default('default-provider-authorization-implicit-consent') }}]]
      invalidation_flow: !Find [authentik_flows.flow, [slug, {{ item.flows.invalidation_slug | default('default-provider-invalidation-flow') }}]]

      internal_host: "{{ item.internal_host }}"
      external_host: "{{ item.external_host }}"
{# Provider mode controls how authentik treats the proxy app:
   - proxy          : the outpost itself proxies traffic to internal_host
   - forward_single : a single app behind an external reverse proxy
                      (traefik forwardauth talks to authentik per-domain)
   - forward_domain : wildcard mode — one provider guards every host on a
                      cookie domain; configure forward_auth_mode=domain on
                      the outpost in that case. Default to forward_single
                      since that's the common ForwardAuth-with-traefik
                      pattern. #}
      mode: {{ item.mode | default('forward_single') }}

{% if item.skip_path_regex is defined and item.skip_path_regex|length > 0 %}
      skip_path_regex: |
{{ item.skip_path_regex | indent(8, true) }}
{% endif %}

  - model: authentik_core.application
    id: app-{{ item.slug }}
    identifiers:
      slug: {{ item.slug }}
    attrs:
      name: "{{ item.name | default(item.slug) }}"
      slug: {{ item.slug }}
      provider: !KeyOf proxy-provider-{{ item.slug }}

{% if item.allowed_groups is defined and item.allowed_groups | length > 0 %}
{# Restrict access to listed groups: one PolicyBinding per group, all bound
   to the application. Authentik treats multiple bindings on the same target
   as OR (a user matching any binding passes), and a request from a user in
   none of the bound groups is denied. #}
{%   for group_name in item.allowed_groups %}
  - model: authentik_policies.policybinding
    identifiers:
      target: !KeyOf app-{{ item.slug }}
      order: {{ loop.index0 }}
      group: !Find [authentik_core.group, [name, "{{ group_name }}"]]
    attrs:
      enabled: true
      negate: false
{%   endfor %}
{% endif %}