# Drawio

Ansible role to deploy [draw.io](https://www.drawio.com/) (the self-hosted `jgraph/drawio` container) via Docker Compose behind Traefik, with optional authentik ForwardAuth gating.

## Requirements

- Docker and Docker Compose installed on the target host
- Ansible collection: `community.docker`
- Traefik with a shared `drawio_traefik_network` (default `proxy`)
- For ForwardAuth: a reachable authentik embedded outpost endpoint

## Role variables

Full spec with types and defaults: `meta/argument_specs.yml`. The most common overrides:

### Service

- `drawio_domain`: canonical hostname used in the traefik Host rule (default `drawio.local.test`).
- `drawio_extra_domains`: additional hostnames the same container should answer on (e.g. an internal `*.int.*` FQDN so a DMZ proxy can reach drawio via a backend hostname).
- `drawio_image`, `drawio_port`, `drawio_use_ssl`.

### Authentik ForwardAuth

- `drawio_authentik_forward_auth`: set to `true` to gate the editor behind authentik.
- `drawio_authentik_forward_auth_url`: full URL of the embedded outpost ForwardAuth endpoint, e.g. `https://auth.example.com/outpost.goauthentik.io/auth/traefik`.

When enabled, traefik redirects unauthenticated requests to authentik for login and forwards the resulting `X-Authentik-*` identity headers downstream.

## Dependencies

- Traefik network (`drawio_traefik_network`, default `proxy`)
- Optional: authentik with a Proxy/ForwardAuth provider for drawio (see the `authentik` role's `authentik_proxy_apps`).

## Example playbook

```yaml
- hosts: app_servers
  roles:
    - role: digitalboard.core.drawio
      vars:
        drawio_domain: "drawio.example.com"
        drawio_authentik_forward_auth: true
        drawio_authentik_forward_auth_url: "https://auth.example.com/outpost.goauthentik.io/auth/traefik"
```

## License

MIT-0
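
## Checking the ForwardAuth gate after deployment

With `drawio_authentik_forward_auth: true`, an unauthenticated request should never receive the editor, and that has to hold on every hostname in `drawio_extra_domains` as well as on `drawio_domain`. The playbook below is an added example, not part of this role: it assumes the site is served over HTTPS and is run from a host that can reach all the hostnames; `drawio.int.example.com` and `redirect_codes` are constructed for illustration.

```yaml
# Added example: post-deploy check, not shipped with the role.
- name: Verify the drawio editor is gated on every hostname
  hosts: localhost
  gather_facts: false
  vars:
    drawio_domain: "drawio.example.com"
    drawio_extra_domains:
      - "drawio.int.example.com"               # constructed sample value
    redirect_codes: [301, 302, 303, 307, 308]  # hypothetical helper variable
  tasks:
    - name: Request the editor without a session cookie
      ansible.builtin.uri:
        url: "https://{{ item }}/"
        follow_redirects: none                 # inspect the first response only
        # Accept 200 here so the assert below reports it with a clear message.
        status_code: "{{ [200, 401, 403] + redirect_codes }}"
      loop: "{{ [drawio_domain] + drawio_extra_domains }}"
      register: anon

    - name: Fail if any hostname serves the editor unauthenticated
      ansible.builtin.assert:
        that:
          # A 200 means the router answered without the ForwardAuth middleware.
          - item.status != 200
          # A redirect must carry a Location header to the login flow.
          - item.status not in redirect_codes or item.location is defined
        fail_msg: "{{ item.item }} answered {{ item.status }} without authentication"
        quiet: true
      loop: "{{ anon.results }}"
      loop_control:
        label: "{{ item.item }} -> {{ item.status }} {{ item.location | default('') }}"
```

The loop label prints each hostname with its status and `Location`, so a redirect that points somewhere other than the authentik login flow is visible in the run output.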