--- argument_specs: main: short_description: Deploy draw.io diagram editor via Docker Compose behind Traefik. description: - Renders a Compose stack for jgraph/drawio with traefik labels, optional TLS and optional authentik ForwardAuth gating. options: docker_compose_base_dir: type: path default: /etc/docker/compose drawio_service_name: type: str default: drawio drawio_docker_compose_dir: type: path description: Defaults to C({{ docker_compose_base_dir }}/{{ drawio_service_name }}). drawio_domain: type: str default: drawio.local.test description: Canonical hostname used in the traefik Host rule. drawio_extra_domains: type: list elements: str default: [] description: - Additional hostnames the same drawio container should answer on, e.g. an internal C(*.int.*) FQDN so a DMZ reverse-proxy can reach drawio via a backend hostname covered by the local traefik cert. drawio_image: type: str default: jgraph/drawio:latest drawio_port: type: int default: 8080 drawio_extra_hosts: type: list elements: str default: [] description: C(extra_hosts) entries injected into the container (Docker C(host:ip) syntax). drawio_traefik_network: type: str default: proxy drawio_use_ssl: type: bool default: true drawio_authentik_forward_auth: type: bool default: false description: - When true, traefik attaches a ForwardAuth middleware pointing at the authentik embedded outpost. Unauthenticated requests are redirected to authentik for login and the resulting C(X-Authentik-*) identity headers are forwarded downstream. drawio_authentik_forward_auth_url: type: str default: '' description: - URL of the authentik ForwardAuth endpoint, typically C(https://auth.example.com/outpost.goauthentik.io/auth/traefik). Required when C(drawio_authentik_forward_auth=true).