# Variables for the authentik role in the local Vagrant test environment.
# Every secret, token and password below is a throwaway test value kept in plain
# text. A real deployment should supply them from a secret store (for example
# Ansible Vault) instead of a committed vars file.

authentik_domain: authentik.local.test
# Test-only values, as their own text says; generate unique random values per
# environment before any non-test use.
authentik_secret_key: "vagrant-test-secret-key-change-in-production"
authentik_postgres_password: "vagrant-test-password"

# Applications published through a proxy provider.
authentik_proxy_apps:
  - slug: httpbin
    name: httpbin
    # NOTE(review): both hosts read "httbin" while the slug is "httpbin" —
    # confirm the hostname is intended and resolves in the test network.
    # The internal hop is plain HTTP, so it is only protected by the network
    # it runs on.
    internal_host: "http://httbin.local.test:80"
    external_host: "https://httbin.local.test"
    # Paths matching these patterns are presumably served without
    # authentication (verify against the role). Keep every pattern anchored
    # with ^ and $ so that only the exact health-check path is exempt.
    skip_path_regex: |
      ^/healthz$
    flows:
      authentication_slug: default-authentication-flow
      # Implicit consent: the user is not shown a consent prompt.
      authorization_slug: default-provider-authorization-implicit-consent
      invalidation_slug: default-provider-invalidation-flow

# Outposts that serve the proxy providers listed under `providers`.
authentik_proxy_outposts:
  - name: "proxy-main"
    type: "proxy"
    # No service connection is set; presumably the outpost is deployed by
    # other means — TODO confirm.
    service_connection: null
    providers:
      - httpbin
    config:
      authentik_host: "https://authentik.local.test/"
      authentik_host_browser: "https://authentik.local.test/"
      log_level: "info"

# Applications exposed over LDAP.
authentik_ldap_apps:
  - slug: ldap
    name: LDAP
    base_dn: "dc=local,dc=test"
    # Presumably only members of this group may search the directory; keep
    # its membership small. Verify against the role.
    search_group: admins

authentik_ldap_outpost:
  name: "ldap-outpost"
  # Static, committed outpost token: acceptable only on the Vagrant box.
  # Anyone holding it can presumably act as this outpost against the server.
  token: "vagrant-ldap-outpost-token-change-in-production"
  config:
    authentik_host: "https://authentik.local.test/"
    log_level: "info"

# OAuth2/OIDC client applications.
authentik_oidc_apps:
  - slug: nextcloud
    name: Nextcloud
    # Identical, guessable id and secret: test fixture only.
    client_id: "test1234"
    client_secret: "test1234"
    redirect_uris:
      # Strict matching requires the exact URL, which blocks redirects to
      # look-alike paths.
      - url: "https://nextcloud.local.test/apps/user_oidc/code"
        matching_mode: strict
    # Self-signed signing certificate; relying parties cannot chain it to a
    # trusted CA.
    signing_key_name: "authentik Self-signed Certificate"
    flows:
      # Implicit consent: the user is not shown a consent prompt.
      authorization_slug: default-provider-authorization-implicit-consent
      invalidation_slug: default-provider-invalidation-flow
    # offline_access normally results in refresh tokens being issued.
    scopes:
      - openid
      - email
      - profile
      - offline_access
  - slug: opencloud
    name: OpenCloud
    # Public client: no client_secret, so the strict redirect URIs below are
    # the main protection for the authorization response.
    client_type: public
    client_id: opencloud
    redirect_uris:
      - url: "https://opencloud.local.test/oidc-callback.html"
        matching_mode: strict
      - url: "https://opencloud.local.test/"
        matching_mode: strict
    # offline_access on a public client means refresh tokens are held by a
    # client that cannot authenticate itself; review token lifetimes.
    scopes:
      - openid
      - email
      - profile
      - offline_access

# Microsoft Entra ID configured as an upstream login source.
authentik_entra_sources:
  - slug: entra-id
    name: "Login with Entra"
    # Multi-tenant mode presumably accepts accounts from any Entra tenant,
    # which is why production should pin a single tenant.
    tenant_mode: multi  # Use 'single' with real tenant ID in production
    # tenant_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"  # Not needed for multi-tenant mode
    # Placeholders only; the source cannot complete a real login with them.
    client_id: "placeholder-change-in-production"
    client_secret: "placeholder-change-in-production"
    scopes:
      - openid
      - profile
      - email

# Sources referenced by slug as login options (presumably shown on the login
# page — TODO confirm).
authentik_login_sources:
  - slug: entra-id

authentik_groups:
  - name: admins

authentik_local_users:
  - username: akadmin
    name: "Authentik Admin"
    email: "admin@local.test"
    # Trivial password on an account placed in "authentik Admins" (authentik's
    # default administrator group, if unchanged here). Keep this box isolated
    # and never reuse the credential.
    password: "admin"
    is_active: true
    groups:
      - authentik Admins
      - admins