# OpenCloud variables for a local test setup: every hostname below ends in
# .local.test and the credentials are fixed placeholder strings.
opencloud_domain: "opencloud.local.test"
# NOTE(review): plaintext, guessable admin password. Acceptable only for a
# throwaway test instance; outside of that, supply it from a vault or
# secret store instead of this file.
opencloud_admin_password: "admin"
# Presumably attaches OpenCloud to the network on which the LDAP outpost
# hostname used in opencloud_ldap_uri resolves - confirm against the role.
opencloud_extra_networks:
  - ldap
# "name:address" host entries. "host-gateway" is the Docker keyword for the
# host's gateway address; the other entries pin a fixed private address.
opencloud_extra_hosts:
  - "opencloud.local.test:host-gateway"
  - "authentik.local.test:192.168.56.11"
  - "storage.local.test:192.168.56.11"
  - "office.local.test:host-gateway"
  - "drawio.local.test:host-gateway"

# OIDC configuration (Authentik)
opencloud_oidc_issuer: "https://authentik.local.test/application/o/opencloud/"
opencloud_oidc_client_id: "opencloud"
# NOTE(review): placeholder client secret kept in plaintext. As the value
# itself says, it must be replaced (and stored outside this file) before
# any non-test use.
opencloud_oidc_client_secret: "opencloud-secret-change-in-production"
opencloud_oidc_account_edit_url: "https://authentik.local.test/if/user/#/settings"
# NOTE(review): presumably creates an OpenCloud account on first OIDC login.
# If so, who can obtain an account is decided entirely by which users the
# IdP lets into this application - confirm that restriction on the IdP side.
opencloud_oidc_autoprovision_accounts: true

# S3 storage configuration using Garage
opencloud_use_s3_storage: true
# NOTE(review): plain http endpoint, so object data is unencrypted in
# transit. Keep this traffic on a trusted network or switch to TLS.
opencloud_s3_endpoint: "http://{{ hostvars['backend']['garage_s3_domain'] }}"
# Key id and secret are resolved at run time through the
# digitalboard.core.garage_credentials lookup for host "backend", so no S3
# credential is written into this file.
opencloud_s3_access_key: "{{ lookup('digitalboard.core.garage_credentials', 'opencloud', host='backend')['key_id'] }}"
opencloud_s3_secret_key: "{{ lookup('digitalboard.core.garage_credentials', 'opencloud', host='backend')['secret_key'] }}"
opencloud_s3_bucket: "opencloud"

# Collabora integration
opencloud_collabora_domain: "office.local.test"
opencloud_wopi_domain: "wopi.opencloud.local.test"

# LDAP backend (Authentik LDAP outpost)
# NOTE(review): ldap:// is unencrypted LDAP, so a simple bind would send the
# bind password in cleartext. Confirm this connection never leaves the
# local container network, or use LDAPS/StartTLS.
opencloud_ldap_uri: "ldap://authentik-outpost-ldap-ldap-1:3389"
# NOTE(review): binds as akadmin, which looks like the Authentik
# administrator account. A dedicated read-only service account is the
# least-privilege choice for directory lookups - confirm what is required.
opencloud_ldap_bind_dn: "cn=akadmin,ou=users,dc=local,dc=test"
# NOTE(review): plaintext, guessable bind password - test environment only.
opencloud_ldap_bind_password: "admin"
opencloud_ldap_user_base_dn: "ou=users,dc=local,dc=test"
opencloud_ldap_group_base_dn: "ou=groups,dc=local,dc=test"
opencloud_ldap_user_schema_id: "uid"
opencloud_ldap_user_schema_id_is_octet_string: false
opencloud_ldap_user_schema_username: "cn"
opencloud_ldap_user_schema_display_name: "cn"
opencloud_ldap_group_schema_id: "uid"
opencloud_ldap_group_schema_id_is_octet_string: false

# Draw.io integration
opencloud_drawio_url: "https://drawio.local.test"

# Role assignment via OIDC: group values carried in the token from the IdP
# (Authentik, per opencloud_oidc_issuer above) are mapped to OpenCloud roles.
opencloud_role_assignment_driver: "oidc"
# Maps a claim value from the login token to an OpenCloud role. Which claim
# is inspected is not set in this file - confirm against the role defaults.
# NOTE(review): membership of "admins" in the identity provider grants the
# OpenCloud admin role, so that group's membership acts as the admin ACL.
# NOTE(review): what happens when no entry matches is decided elsewhere;
# confirm that such a login is refused rather than given a default role.
opencloud_role_mapping:
  - role_name: admin
    claim_value: admins
  - role_name: user
    claim_value: users
  - role_name: user
    claim_value: developers

# CSP configuration
# Extra origins, presumably appended to the connect-src and frame-src
# directives of the Content-Security-Policy served with the web UI. Each
# entry widens what the UI may contact or embed, so list only the exact
# origins the OIDC and Draw.io integrations need.
opencloud_csp_extra_connect_src:
  - "https://authentik.local.test/"
opencloud_csp_extra_frame_src:
  - "https://drawio.local.test/"