---
argument_specs:
  main:
    short_description: Deploy authentik (server + worker + Postgres) via Docker Compose.
    description:
      - Renders a Compose stack for authentik with traefik labels, optional TLS and a
        configurable split-horizon host-rewrite that keeps the OIDC issuer URL on the
        canonical public hostname even when traffic enters on an internal FQDN.
      - Provisions resources through templated blueprints (local users, groups,
        OIDC/Proxy/LDAP apps, outposts, OAuth sources).
    options:
      docker_compose_base_dir:
        type: path
        default: /etc/docker/compose
      docker_volume_base_dir:
        type: path
        default: /srv/data
      authentik_service_name:
        type: str
        default: authentik
      authentik_docker_compose_dir:
        type: path
        description: Defaults to C({{ docker_compose_base_dir }}/{{ authentik_service_name }}).
      authentik_docker_volume_dir:
        type: path
        description: Defaults to C({{ docker_volume_base_dir }}/{{ authentik_service_name }}).
      authentik_domains:
        type: list
        elements: str
        required: true
        description:
          - FQDNs the authentik router accepts. The first entry is the canonical (public)
            hostname and is used for the network alias, the X-Forwarded-Host rewrite
            target, and as the default OIDC issuer. Further entries cover internal
            C(*.int.*) names used for server-to-server traffic.
      authentik_host_rewrite_domains:
        type: list
        elements: str
        default: []
        description:
          - Hostnames that should reach authentik but make it generate URLs (OIDC issuer,
            password reset links, etc.) as if the request had arrived on
            C(authentik_domains[0]).
          - Each entry gets its own traefik router and a URL-based loadbalancer service
            that disables passHostHeader and pins X-Forwarded-Host via middleware. Used
            for split-horizon setups where the LAN keeps server-to-server traffic but
            the iss claim must match the public hostname browsers see.
      authentik_image:
        type: str
        default: ghcr.io/goauthentik/server:2026.2.2
      authentik_port:
        type: int
        default: 9000
      authentik_secret_key:
        type: str
        required: true
        description:
          - PG fernet key / signing secret.
            Generate with C(openssl rand -base64 60).
      authentik_postgres_image:
        type: str
        default: postgres:16-alpine
      authentik_postgres_db:
        type: str
        default: authentik
      authentik_postgres_user:
        type: str
        default: authentik
      authentik_postgres_password:
        type: str
        required: true
      authentik_traefik_network:
        type: str
        default: proxy
      authentik_backend_network:
        type: str
        default: backend
      authentik_use_ssl:
        type: bool
        default: true
      authentik_log_level:
        type: str
        choices: [trace, debug, info, warning, error]
        default: info
      authentik_error_reporting_enabled:
        type: bool
        default: false
      authentik_proxy_apps:
        type: list
        elements: dict
        default: []
        description:
          - Proxy/ForwardAuth applications rendered via the C(blueprint-proxy-app.yaml.j2) template.
        options:
          slug:
            type: str
            required: true
          name:
            type: str
            required: true
          internal_host:
            type: str
            description: Required when C(mode=proxy).
          external_host:
            type: str
            required: true
          mode:
            type: str
            choices: [proxy, forward_single, forward_domain]
            default: forward_single
            description:
              - "C(proxy): the outpost itself proxies traffic to internal_host."
              - "C(forward_single): a single app behind an external reverse proxy via ForwardAuth."
              - "C(forward_domain): wildcard mode — one provider guards every host on a cookie domain."
          allowed_groups:
            type: list
            elements: str
            description:
              - If set, PolicyBindings are emitted (one per group, OR-evaluated). Users in
                none of the listed groups are denied.
          skip_path_regex:
            type: str
          flows:
            type: dict
            description: Authentication / authorization / invalidation flow slugs.
      authentik_proxy_outposts:
        type: list
        elements: dict
        default: []
      authentik_ldap_apps:
        type: list
        elements: dict
        default: []
      authentik_ldap_outpost:
        type: dict
        default: {}
      authentik_oidc_apps:
        type: list
        elements: dict
        default: []
      authentik_entra_sources:
        type: list
        elements: dict
        default: []
      authentik_login_sources:
        type: list
        elements: dict
        default: []
      authentik_identification_stage_name:
        type: str
        default: default-authentication-identification
      authentik_login_user_fields:
        type: list
        elements: str
        choices: [username, email, upn]
        default: [username, email]
        description: Local login fields shown on the login screen. Empty list hides local login.
      authentik_groups:
        type: list
        elements: dict
        default: []
      authentik_local_users:
        type: list
        elements: dict
        default: []
      authentik_removed_oidc_apps:
        type: list
        elements: str
        default: []
        description: OIDC application slugs scheduled for deletion.
      authentik_removed_proxy_apps:
        type: list
        elements: str
        default: []
      authentik_removed_local_users:
        type: list
        elements: str
        default: []
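A pre-flight check for a host's role variables, added here as an example and not part of the role itself: it enforces the constraints the spec above states (required keys, choices, internal_host when mode=proxy) and derives the split-horizon plan, i.e. which rewrite hostnames get pinned to the canonical first entry of authentik_domains so the OIDC issuer never leaks an internal FQDN. SAMPLE_VARS and the function name are constructed for the example.

```python
# Added example (not the role's code): validate role vars against the
# constraints the argument spec states and derive the split-horizon plan.
MODES = {"proxy", "forward_single", "forward_domain"}
LOGIN_FIELDS = {"username", "email", "upn"}
LOG_LEVELS = {"trace", "debug", "info", "warning", "error"}
REQUIRED = ("authentik_domains", "authentik_secret_key", "authentik_postgres_password")


def validate_authentik_vars(v: dict) -> dict:
    """Return {'errors': [...], 'canonical_host': str | None, 'rewrites': {...}}."""
    errors = []
    for key in REQUIRED:
        if not v.get(key):
            errors.append(f"{key} is required")
    domains = v.get("authentik_domains") or []
    canonical = domains[0] if domains else None  # first entry = public issuer host
    if v.get("authentik_log_level", "info") not in LOG_LEVELS:
        errors.append("authentik_log_level: invalid choice")
    bad = set(v.get("authentik_login_user_fields", ["username", "email"])) - LOGIN_FIELDS
    if bad:
        errors.append(f"authentik_login_user_fields: unknown {sorted(bad)}")
    for app in v.get("authentik_proxy_apps", []):
        slug = app.get("slug") or "<no slug>"
        for key in ("slug", "name", "external_host"):
            if not app.get(key):
                errors.append(f"proxy app {slug}: {key} is required")
        mode = app.get("mode", "forward_single")
        if mode not in MODES:
            errors.append(f"proxy app {slug}: invalid mode {mode!r}")
        elif mode == "proxy" and not app.get("internal_host"):
            errors.append(f"proxy app {slug}: internal_host is required when mode=proxy")
    # Split-horizon plan: each rewrite host gets its own router whose
    # X-Forwarded-Host is pinned to the canonical (first) domain, so the
    # OIDC issuer stays the same whichever FQDN the request entered on.
    rewrites = {h: canonical for h in v.get("authentik_host_rewrite_domains", [])}
    return {"errors": errors, "canonical_host": canonical, "rewrites": rewrites}


SAMPLE_VARS = {  # constructed sample values, not real hosts or secrets
    "authentik_domains": ["auth.example.com", "auth.int.example.com"],
    "authentik_host_rewrite_domains": ["sso.lan.example.com"],
    "authentik_secret_key": "PLACEHOLDER-SECRET",
    "authentik_postgres_password": "PLACEHOLDER-PASSWORD",
    "authentik_proxy_apps": [
        {"slug": "grafana", "name": "Grafana", "mode": "proxy",
         "external_host": "https://grafana.example.com"},  # internal_host missing
    ],
}
```

Run it against a host's vars before `ansible-playbook`; a non-empty `errors` list is what the role would otherwise reject at argument-spec validation time, and `rewrites` shows which hostnames will be forced to the canonical issuer host.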