# yaml-language-server: $schema=https://goauthentik.io/blueprints/schema.json
version: 1
metadata:
  name: "ldap-{{ item.slug }}"
  labels:
    blueprints.goauthentik.io/instantiate: "true"
    blueprints.goauthentik.io/description: "LDAP provider + application for {{ item.slug }}"

entries:
  # Simple password-only flow for LDAP bind (no browser policies)
  - model: authentik_stages_password.passwordstage
    id: ldap-password-stage
    identifiers:
      name: ldap-bind-password
    attrs:
      name: ldap-bind-password
      backends:
        - authentik.core.auth.InbuiltBackend
        - authentik.core.auth.TokenBackend
        - authentik.sources.ldap.auth.LDAPBackend

  - model: authentik_stages_identification.identificationstage
    id: ldap-identification-stage
    identifiers:
      name: ldap-bind-identification
    attrs:
      name: ldap-bind-identification
      user_fields:
        - username
        - email
      password_stage: !KeyOf ldap-password-stage

  - model: authentik_stages_user_login.userloginstage
    id: ldap-login-stage
    identifiers:
      name: ldap-bind-login
    attrs:
      name: ldap-bind-login

  - model: authentik_flows.flow
    id: ldap-bind-flow
    identifiers:
      slug: ldap-bind
    attrs:
      name: LDAP Bind
      slug: ldap-bind
      title: LDAP Bind
      designation: authentication
      authentication: none

  - model: authentik_flows.flowstagebinding
    identifiers:
      target: !KeyOf ldap-bind-flow
      stage: !KeyOf ldap-identification-stage
      order: 0
    attrs:
      target: !KeyOf ldap-bind-flow
      stage: !KeyOf ldap-identification-stage
      order: 0

  - model: authentik_flows.flowstagebinding
    identifiers:
      target: !KeyOf ldap-bind-flow
      stage: !KeyOf ldap-login-stage
      order: 10
    attrs:
      target: !KeyOf ldap-bind-flow
      stage: !KeyOf ldap-login-stage
      order: 10

{% if item.search_group is defined and item.search_group %}
  - model: authentik_rbac.role
    id: ldap-search-role-{{ item.slug }}
    identifiers:
      name: ldap-search-{{ item.slug }}
    attrs:
      name: ldap-search-{{ item.slug }}
{% endif %}

  - model: authentik_providers_ldap.ldapprovider
    id: ldap-provider-{{ item.slug }}
    identifiers:
      name: {{ item.name }}
    attrs:
      name: {{ item.name }}
      base_dn: "{{ item.base_dn }}"
      authorization_flow: !KeyOf ldap-bind-flow
      invalidation_flow: !Find [authentik_flows.flow, [slug, {{ item.invalidation_flow_slug | default('default-provider-invalidation-flow') }}]]
      authentication_flow: !KeyOf ldap-bind-flow
      search_mode: {{ item.search_mode | default('cached') }}
      bind_mode: {{ item.bind_mode | default('direct') }}
{% if item.certificate is defined and item.certificate %}
      certificate: !Find [authentik_crypto.certificatekeypair, [name, {{ item.certificate }}]]
{% endif %}
{% if item.uid_start_number is defined %}
      uid_start_number: {{ item.uid_start_number }}
{% endif %}
{% if item.gid_start_number is defined %}
      gid_start_number: {{ item.gid_start_number }}
{% endif %}
{% if item.search_group is defined and item.search_group %}
    permissions:
      - permission: authentik_providers_ldap.search_full_directory
        role: !KeyOf ldap-search-role-{{ item.slug }}
{% endif %}

{% if item.search_group is defined and item.search_group %}
  # Assign the LDAP search role to the search group
  - model: authentik_core.group
    identifiers:
      name: {{ item.search_group }}
    attrs:
      roles:
        - !KeyOf ldap-search-role-{{ item.slug }}
{% endif %}

  - model: authentik_core.application
    id: app-{{ item.slug }}
    identifiers:
      slug: {{ item.slug }}
    attrs:
      name: "{{ item.name | default(item.slug) }}"
      slug: {{ item.slug }}
      provider: !KeyOf ldap-provider-{{ item.slug }}