---
# Garage (S3) settings for this host group.
#
# Bao secret at <vault_mount>/data/garage is expected to contain:
#   rpc_secret, admin_token, metrics_token, webui_password
# `_garage` holds the whole secret mapping; keep it out of debug/verbose
# output and reference only the individual keys from it below.
_garage: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount + '/data/garage', url=vault_addr) }}"

# First entry is the canonical public S3 FQDN. The remaining entries are
# internal *.int.* names so server-to-server S3 traffic (e.g.
# nextcloud -> garage) stays inside the LAN.
garage_s3_domains:
  - 's3.gymb.souveredu.ch'
  - 's3.int.gymb.souveredu.ch'

garage_webui_domain: 'console.s3.gymb.souveredu.ch'
garage_use_ssl: true
garage_webui_enabled: true

# WebUI access is gated behind authentik (admins only, enforced by the
# policy binding on the authentik proxy application). This replaces the
# htpasswd Basic-Auth; when true, AUTH_USER_PASS is dropped from the
# compose environment.
#
# Why the forwardauth URL uses a dedicated outpost-only FQDN: it is kept
# outside authentik_domains on purpose so Authentik routes it to the
# embedded outpost rather than ASGI. The public auth.gymb.* FQDN would
# 404 here, because any Host matching an auth-domain goes to ASGI, which
# does not serve the outpost path. The outpost then identifies the
# protected application via X-Forwarded-Host, which Traefik forwards
# because trustForwardHeader=true. The FQDN is pinned to the application
# host through traefik_extra_hosts so the request never leaves the LAN.
garage_webui_authentik_forward_auth: true
garage_webui_authentik_forward_auth_url: 'https://outpost.auth.int.gymb.souveredu.ch/outpost.goauthentik.io/auth/traefik'

# Basic-Auth fallback — only consulted when authentik ForwardAuth is off.
# NOTE(review): if webui_password is missing from the secret, the value
# falls back to the literal string 'disabled'. Should ForwardAuth ever be
# switched off, make sure the secret actually carries webui_password
# rather than relying on this placeholder.
garage_webui_username: 'admin'
garage_webui_password: "{{ _garage.webui_password | default('disabled') }}"

# Remaining credentials pulled straight from the Bao secret.
garage_rpc_secret: "{{ _garage.rpc_secret }}"
garage_admin_token: "{{ _garage.admin_token }}"
garage_metrics_token: "{{ _garage.metrics_token }}"

# Initial cluster bootstrap (single node).
garage_bootstrap_enabled: true
garage_bootstrap_zone: 'burgdorf1'
garage_bootstrap_capacity: '100G'

# Buckets and access keys consumed by nextcloud.
garage_s3_keys:
  - name: nextcloud
    buckets:
      - name: nextcloud
        permissions:
          - 'read'
          - 'write'