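---
# Secret bundle read from OpenBao/Vault at "<vault_mount>/data/authentik"
# (the lookup builds the path from `vault_mount`). Expected keys:
#   secret_key, postgres_password, admin_password,
#   ldap_outpost_token, nextcloud_oidc_secret
# No token/auth_method is passed, so the lookup authenticates from its
# defaults (e.g. VAULT_TOKEN in the controller's environment) — confirm.
# `_authentik` holds every secret in one dict: tasks that consume it
# should run with no_log: true.
_authentik: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount + '/data/authentik', url=vault_addr) }}"

# Internal (*.int.*) name for server-to-server traffic. Defined once so
# the domain list and the outpost's authentik_host cannot drift apart.
authentik_internal_fqdn: "auth.int.gymb.souveredu.ch"

# First entry is the canonical public FQDN. Additional entries cover
# internal *.int.* names so server-to-server traffic (e.g. the LDAP
# outpost) hits authentik on a name with a valid internal cert and
# skips the DMZ hop.
authentik_domains:
  - "auth.gymb.souveredu.ch"
  - "{{ authentik_internal_fqdn }}"

authentik_secret_key: "{{ _authentik.secret_key }}"
authentik_postgres_password: "{{ _authentik.postgres_password }}"

# LDAP outpost (provider for nextcloud)
authentik_ldap_apps:
  - slug: ldap
    name: LDAP
    base_dn: "dc=gymb,dc=souveredu,dc=ch"
    # Group whose members may bind/search via the LDAP provider.
    search_group: admins

authentik_ldap_outpost:
  name: "ldap-outpost"
  token: "{{ _authentik.ldap_outpost_token }}"
  config:
    # Outpost pulls config from authentik over the internal FQDN — keeps
    # the round-trip in the LAN with a valid cert.
    authentik_host: "https://{{ authentik_internal_fqdn }}/"
    log_level: "info"

# OIDC clients
authentik_oidc_apps:
  - slug: nextcloud
    name: Nextcloud
    client_id: nextcloud
    client_secret: "{{ _authentik.nextcloud_oidc_secret }}"
    redirect_uris:
      # strict: the callback URL must match exactly, no prefix/regex
      # matching, so a redirect to any other path is rejected.
      - url: "https://cloud.gymb.souveredu.ch/apps/user_oidc/code"
        matching_mode: strict
    signing_key_name: "authentik Self-signed Certificate"
    flows:
      # implicit-consent: users are not shown a consent screen for this
      # first-party client.
      authorization_slug: default-provider-authorization-implicit-consent
      invalidation_slug: default-provider-invalidation-flow
    # offline_access grants refresh tokens; keep only if Nextcloud needs
    # long-lived sessions without re-authentication.
    scopes: [openid, email, profile, offline_access]

authentik_groups:
  - name: admins
  - name: users

authentik_local_users:
  - username: akadmin
    name: "Authentik Admin"
    email: "admin@gymb.souveredu.ch"
    password: "{{ _authentik.admin_password }}"
    is_active: true
    groups:
      # "authentik Admins" is authentik's built-in superuser group;
      # "admins" is the local group declared in authentik_groups above.
      - authentik Admins
      - admins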