36e3a4b688
- Refactor: collapse `*_domain` + `*_extra_domains` into a single `*_domains` list across authentik, collabora, garage and nextcloud roles. First entry is the canonical FQDN (used for OVERWRITEHOST, BASE_URL, notify_push setup and garage root_domain). - Authentik blueprint: guard the OAuth sources block so an empty `authentik_login_sources` no longer renders an invalid YAML key. - Nextcloud: introduce `nextcloud_collabora_public_domain` and set Collabora's `public_wopi_url` separately from the server-to-server `wopi_url` so browsers can reach Collabora via the public name while Nextcloud still talks to it on the internal one. - Nextcloud: URL-encode the postgres user/password in DATABASE_URL.
152 lines
4.4 KiB
YAML
152 lines
4.4 KiB
YAML
#SPDX-License-Identifier: MIT-0
|
|
---
|
|
# defaults file for authentik
|
|
|
|
# Base directory configuration (inherited from base role or defined here)
|
|
docker_compose_base_dir: /etc/docker/compose
|
|
docker_volume_base_dir: /srv/data
|
|
|
|
# Authentik-specific configuration
|
|
authentik_service_name: authentik
|
|
authentik_docker_compose_dir: "{{ docker_compose_base_dir }}/{{ authentik_service_name }}"
|
|
authentik_docker_volume_dir: "{{ docker_volume_base_dir }}/{{ authentik_service_name }}"
|
|
|
|
# Authentik service configuration
|
|
# FQDNs the authentik router accepts. The first entry is the canonical
|
|
# domain; further entries cover internal *.int.* names used for
|
|
# server-to-server traffic so backend calls don't hairpin via DMZ.
|
|
authentik_domains:
|
|
- "authentik.local.test"
|
|
authentik_image: "ghcr.io/goauthentik/server:2026.2.2"
|
|
authentik_port: 9000
|
|
authentik_secret_key: "changeme-generate-a-random-string"
|
|
|
|
# PostgreSQL configuration
|
|
authentik_postgres_image: "postgres:16-alpine"
|
|
authentik_postgres_db: authentik
|
|
authentik_postgres_user: authentik
|
|
authentik_postgres_password: "changeme"
|
|
|
|
# Traefik configuration
|
|
authentik_traefik_network: "proxy"
|
|
authentik_backend_network: "backend"
|
|
authentik_use_ssl: true
|
|
|
|
# Authentik environment settings
|
|
authentik_log_level: "info"
|
|
authentik_error_reporting_enabled: false
|
|
|
|
# Blueprints
|
|
authentik_proxy_apps: []
|
|
# - slug: whoami
|
|
# name: whoami
|
|
# internal_host: "http://whoami:80"
|
|
# external_host: "https://whoami.example.com"
|
|
# skip_path_regex: |
|
|
# ^/healthz$
|
|
# flows:
|
|
# authentication_slug: default-authentication-flow
|
|
# authorization_slug: default-provider-authorization-implicit-consent
|
|
# invalidation_slug: default-provider-invalidation-flow
|
|
|
|
authentik_proxy_outposts: []
|
|
# - name: "proxy-main"
|
|
# type: "proxy"
|
|
# service_connection: null
|
|
# providers:
|
|
# - whoami
|
|
# - nextcloud-proxy
|
|
# config:
|
|
# authentik_host: "https://authentik.local.test/"
|
|
# authentik_host_browser: "https://authentik.local.test/"
|
|
# log_level: "info"
|
|
|
|
authentik_ldap_apps: []
|
|
# - slug: ldap
|
|
# name: LDAP
|
|
# base_dn: "dc=local,dc=test"
|
|
# search_mode: cached # cached | direct
|
|
# bind_mode: cached # cached | direct
|
|
# search_group: null # optional: group name whose members can search
|
|
# certificate: null # optional: certificate name for LDAPS
|
|
# uid_start_number: 2000
|
|
# gid_start_number: 4000
|
|
|
|
authentik_ldap_outpost: {}
|
|
# name: "ldap-outpost"
|
|
# token: "changeme" # known token for outpost authentication
|
|
# config:
|
|
# authentik_host: "https://authentik.local.test/"
|
|
# log_level: "info"
|
|
|
|
authentik_oidc_apps: []
|
|
# - slug: grafana
|
|
# name: Grafana
|
|
# client_id: "grafana"
|
|
# client_secret: "changeme"
|
|
# redirect_uris:
|
|
# - url: "https://grafana.example.com/login/generic_oauth"
|
|
# matching_mode: strict
|
|
# signing_key_name: "authentik Self-signed Certificate"
|
|
# flows:
|
|
# authorization_slug: default-provider-authorization-implicit-consent
|
|
# invalidation_slug: default-provider-invalidation-flow
|
|
# scopes: [openid, email, profile, offline_access]
|
|
|
|
# Oauth sources
|
|
authentik_entra_sources: []
|
|
# - slug: entra-id
|
|
# name: "Login with Entra"
|
|
# tenant_mode: single # single | common
|
|
# tenant_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
|
|
# client_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
|
|
# client_secret: "changeme"
|
|
# scopes:
|
|
# - openid
|
|
# - profile
|
|
# - email
|
|
# # add only if you really need group sync on login:
|
|
# # - https://graph.microsoft.com/GroupMember.Read.All
|
|
|
|
|
|
# Show OAuth sources on login screen (list of source slugs):
|
|
authentik_login_sources: []
|
|
# - slug: entra-id
|
|
authentik_identification_stage_name: default-authentication-identification
|
|
|
|
# Local login fields to show on login screen (username, email, upn)
|
|
# Set to empty list to hide local login form entirely
|
|
authentik_login_user_fields:
|
|
- username
|
|
- email
|
|
|
|
# Groups to provision
|
|
authentik_groups: []
|
|
# - name: admins
|
|
# - name: editors
|
|
# is_superuser: false
|
|
# parent: null
|
|
|
|
# Local users to provision
|
|
authentik_local_users: []
|
|
# - username: admin
|
|
# name: "Admin User"
|
|
# email: "admin@example.com"
|
|
# password: "changeme"
|
|
# is_active: true
|
|
# groups:
|
|
# - authentik Admins
|
|
# attributes:
|
|
# settings:
|
|
# locale: en
|
|
|
|
# Resources to remove from Authentik (cleanup)
|
|
# Add slugs/names here when removing from the lists above
|
|
authentik_removed_oidc_apps: []
|
|
# - grafana
|
|
|
|
authentik_removed_proxy_apps: []
|
|
# - whoami
|
|
|
|
authentik_removed_local_users: []
|
|
# - olduser
|