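#SPDX-License-Identifier: MIT-0
---
# defaults file for authentik
#
# These are role defaults, the lowest-precedence variable source in Ansible.
# Values marked "placeholder" below are not usable secrets: override them from
# inventory or an Ansible Vault file before deploying.

# Base directory configuration (inherited from base role or defined here)
docker_compose_base_dir: /etc/docker/compose
docker_volume_base_dir: /srv/data

# Authentik-specific configuration
authentik_service_name: authentik
authentik_docker_compose_dir: "{{ docker_compose_base_dir }}/{{ authentik_service_name }}"
authentik_docker_volume_dir: "{{ docker_volume_base_dir }}/{{ authentik_service_name }}"

# Authentik service configuration
authentik_domain: "authentik.local.test"
# Pinned to a release tag. NOTE(review): a tag can be re-pointed upstream;
# append an image digest (placeholder: @sha256:<digest>) if the deployment
# needs an immutable reference.
authentik_image: "ghcr.io/goauthentik/server:2025.12.0"
authentik_port: 9000
# Placeholder, not a secret. Presumably rendered into authentik's secret key
# setting (TODO confirm in the role's templates); anyone who knows this value
# would know the key of every install that kept the default. Generate a long
# random string per deployment and supply it from Ansible Vault.
# NOTE(review): confirm the role's tasks refuse to deploy while this still
# starts with "changeme".
authentik_secret_key: "changeme-generate-a-random-string"

# PostgreSQL configuration
# NOTE(review): "16-alpine" is a floating tag; the image content changes as
# upstream republishes it.
authentik_postgres_image: "postgres:16-alpine"
authentik_postgres_db: authentik
authentik_postgres_user: authentik
# Placeholder database password; override from Ansible Vault. The same
# "refuse to deploy with the default" check applies here.
authentik_postgres_password: "changeme"

# Traefik configuration
authentik_traefik_network: "proxy"
authentik_backend_network: "backend"
authentik_use_ssl: true

# Authentik environment settings
authentik_log_level: "info"
authentik_error_reporting_enabled: false

# Blueprints
# Proxy-provider applications. Paths matching skip_path_regex are served
# without authentication, so keep each pattern anchored (^...$) and as narrow
# as the example.
authentik_proxy_apps: []
#   - slug: whoami
#     name: whoami
#     internal_host: "http://whoami:80"
#     external_host: "https://whoami.example.com"
#     skip_path_regex: |
#       ^/healthz$
#     flows:
#       authentication_slug: default-authentication-flow
#       authorization_slug: default-provider-authorization-implicit-consent
#       invalidation_slug: default-provider-invalidation-flow

# OAuth2/OIDC applications. The client id and secret are referenced by
# environment-variable name (client_id_env / client_secret_env) rather than
# written inline; the values come from authentik_blueprint_env below. Keep
# redirect URI matching strict unless a pattern match is genuinely required.
authentik_oidc_apps: []
#   - slug: grafana
#     name: Grafana
#     client_id_env: GRAFANA_OIDC_CLIENT_ID
#     client_secret_env: GRAFANA_OIDC_CLIENT_SECRET
#     redirect_uris:
#       - url: "https://grafana.example.com/login/generic_oauth"
#         matching_mode: strict
#     signing_key_name: "authentik Self-signed Certificate"
#     flows:
#       authorization_slug: default-provider-authorization-implicit-consent
#       invalidation_slug: default-provider-invalidation-flow
#     scopes: [openid, email, profile, offline_access]

# Environment variables made available to the blueprints above. Source secret
# values from Ansible Vault, as the example does; do not commit them in plain
# text.
# NOTE(review): the default is an empty list, but the example below is a
# mapping (NAME: value). Confirm which type the role's templates expect; if a
# mapping, the empty default should be {}.
authentik_blueprint_env: []
#   GRAFANA_OIDC_CLIENT_ID: "grafana"
#   GRAFANA_OIDC_CLIENT_SECRET: "{{ vault_grafana_oidc_secret }}"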