chore: wip on demo-gymburgdorf inventory and architecture notes

inventories/demo-gymburgdorf/host_vars/application/authentik.yml

@@ -0,0 +1,53 @@
+---
+# Bao secret expected at <mount>/data/authentik with keys:
+#   secret_key, postgres_password, admin_password,
+#   ldap_outpost_token,
+#   nextcloud_oidc_secret
+_authentik: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount + '/data/authentik', url=vault_addr) }}"
+
+authentik_domain: "auth.gymb.souveredu.ch"
+authentik_secret_key: "{{ _authentik.secret_key }}"
+authentik_postgres_password: "{{ _authentik.postgres_password }}"
+
+# LDAP outpost (provider for nextcloud)
+authentik_ldap_apps:
+  - slug: ldap
+    name: LDAP
+    base_dn: "dc=gymb,dc=souveredu,dc=ch"
+    search_group: admins
+
+authentik_ldap_outpost:
+  name: "ldap-outpost"
+  token: "{{ _authentik.ldap_outpost_token }}"
+  config:
+    authentik_host: "https://auth.gymb.souveredu.ch/"
+    log_level: "info"
+
+# OIDC clients
+authentik_oidc_apps:
+  - slug: nextcloud
+    name: Nextcloud
+    client_id: nextcloud
+    client_secret: "{{ _authentik.nextcloud_oidc_secret }}"
+    redirect_uris:
+      - url: "https://cloud.gymb.souveredu.ch/apps/user_oidc/code"
+        matching_mode: strict
+    signing_key_name: "authentik Self-signed Certificate"
+    flows:
+      authorization_slug: default-provider-authorization-implicit-consent
+      invalidation_slug: default-provider-invalidation-flow
+    scopes: [openid, email, profile, offline_access]
+
+authentik_groups:
+  - name: admins
+  - name: users
+
+authentik_local_users:
+  - username: akadmin
+    name: "Authentik Admin"
+    email: "admin@gymb.souveredu.ch"
+    password: "{{ _authentik.admin_password }}"
+    is_active: true
+    groups:
+      - authentik Admins
+      - admins