# SPDX-License-Identifier: MIT-0
---
# defaults file for keycloak
#
# Lowest-precedence variables for the keycloak role. Anything set in
# inventory, group_vars, host_vars or extra-vars overrides these.
# Values tagged "changeme" are placeholders only: this file is committed
# to version control, so real credentials belong in a vaulted vars file,
# not here.

# Base directory configuration (inherited from base role or defined here)
docker_compose_base_dir: /etc/docker/compose
docker_volume_base_dir: /srv/data

# Keycloak-specific configuration
keycloak_service_name: keycloak
# Per-service directories derived from the base directories above.
keycloak_docker_compose_dir: "{{ docker_compose_base_dir }}/{{ keycloak_service_name }}"
keycloak_docker_volume_dir: "{{ docker_volume_base_dir }}/{{ keycloak_service_name }}"

# Keycloak service configuration
# keycloak_domain is also the host part of keycloak_auth_url below.
keycloak_domain: "keycloak.local.test"
# Image is pinned to an exact tag; bump it deliberately and re-test provisioning.
keycloak_image: "quay.io/keycloak/keycloak:24.0.1"
# NOTE(review): presumably the container-side HTTP port — confirm against the compose template.
keycloak_port: 8080
# Bootstrap admin credentials. Override keycloak_admin_password from a vaulted
# vars file; the default is a placeholder, not a usable secret.
keycloak_admin_user: admin
keycloak_admin_password: "changeme"

# PostgreSQL configuration
keycloak_postgres_image: "postgres:15"
keycloak_postgres_db: keycloak
keycloak_postgres_user: keycloak
# Placeholder — override from a vaulted vars file, as for the admin password.
keycloak_postgres_password: "changeme"

# Traefik configuration
keycloak_traefik_network: "proxy"
keycloak_backend_network: "backend"
# Selects the https scheme in keycloak_auth_url below.
keycloak_use_ssl: true

# Keycloak environment variables
keycloak_log_level: "INFO"
# NOTE(review): "edge" means TLS is expected to terminate at the reverse proxy;
# Keycloak 24 deprecates the proxy option in favour of proxy-headers — confirm
# how the compose template maps this variable.
keycloak_proxy_mode: "edge"
keycloak_gzip_enabled: false  # Disable GZIP encoding to avoid MIME type issues

# Provisioning configuration
# NOTE(review): presumably gates the realm/user/client provisioning tasks — confirm in tasks.
keycloak_provisioning_enabled: false

# Realm configuration
keycloak_realm: "default"
keycloak_realm_display_name: "Default Realm"

# Auth URL for API access (used by provisioning tasks)
# No port is appended: assumes the domain is reached through the proxy on the
# standard port for the chosen scheme — confirm for non-proxied setups.
keycloak_auth_url: "{{ 'https' if keycloak_use_ssl else 'http' }}://{{ keycloak_domain }}"

# Groups to provision
keycloak_groups: []
# - name: admins
# - name: users

# Local users to provision
# Example only; the password below must come from a vaulted variable, never a literal.
keycloak_local_users: []
# - username: admin
#   first_name: "Admin"
#   last_name: "User"
#   email: "admin@example.com"
#   password: "changeme"
#   groups:
#     - name: admins

# OIDC clients to provision
# Example only. Keep client_secret in a vaulted variable, and list exact
# redirect URIs rather than broad patterns.
keycloak_oidc_clients: []
# - client_id: nextcloud
#   name: "Nextcloud"
#   client_secret: "changeme"
#   redirect_uris:
#     - "https://nextcloud.example.com/apps/user_oidc/code"
#   default_client_scopes:
#     - openid
#     - email
#     - profile

# Identity providers (e.g., Entra ID, Google)
# Example only. entra_client_id / entra_client_secret are not defined in this
# file; supply them from a vaulted vars file.
keycloak_identity_providers: []
# - alias: entra-id
#   display_name: "Login with Microsoft"
#   provider_id: oidc
#   config:
#     clientId: "{{ entra_client_id }}"
#     clientSecret: "{{ entra_client_secret }}"
#     authorizationUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
#     tokenUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/token"
#     defaultScope: "openid profile email"

# Resources to remove from Keycloak (cleanup)
# Add names/aliases here when removing from the lists above
keycloak_removed_users: []
# - olduser
keycloak_removed_groups: []
# - oldgroup
keycloak_removed_clients: []
# - old-client
keycloak_removed_identity_providers: []
# - old-idp