reference-ansible/inventories/demo-gymburgdorf/host_vars/application/homarr.yml

---
# Bao secret <mount>/data/homarr expected to contain:
#   secret_encryption_key (64 hex chars), admin_password, oidc_client_secret
_homarr: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount + '/data/homarr', url=vault_addr) }}"

homarr_domain: "home.gymb.souveredu.ch"
homarr_extra_domains:
  - "home.int.gymb.souveredu.ch"
homarr_base_url: "https://home.gymb.souveredu.ch"

homarr_secret_encryption_key: "{{ _homarr.secret_encryption_key }}"
homarr_admin_username: "admin"
homarr_admin_email: "admin@gymb.souveredu.ch"
homarr_admin_password: "{{ _homarr.admin_password }}"

# OIDC against Authentik. credentials provider stays enabled as a
# break-glass account — reach it via /auth/login/credentials when
# AUTH_OIDC_AUTO_LOGIN bypasses the normal /login page.
#
# Issuer must match the `iss` claim authentik emits, which is always the
# public FQDN (authentik's host-rewrite middleware aligns the claim with
# what browsers see). Homarr (oauth4webapi) does a strict 1:1 comparison
# between the discovery response's issuer and this URL — using the
# internal FQDN here fails with OAUTH_JSON_ATTRIBUTE_COMPARISON_FAILED.
# The extra_hosts pin below keeps the actual discovery/token/userinfo
# traffic on the LAN.
homarr_auth_providers: "credentials,oidc"
homarr_oidc_issuer: "https://auth.gymb.souveredu.ch/application/o/homarr/"
homarr_oidc_client_id: "homarr"
homarr_oidc_client_secret: "{{ _homarr.oidc_client_secret }}"
homarr_oidc_client_name: "Authentik"
homarr_oidc_scopes: "openid profile email groups"
homarr_oidc_groups_attribute: "groups"
homarr_oidc_auto_login: "true"

# Pin the public authentik FQDN to the application host so OIDC
# discovery (and downstream token/userinfo) calls from the homarr
# container stay in the LAN. Without this, fetch() to auth.gymb.* would
# hit the public IP and time out in the DMZ (no hairpin-NAT). Same
# pattern as nextcloud_extra_hosts.
homarr_extra_hosts:
  - "auth.gymb.souveredu.ch:172.16.19.101"

# Default board with shortcuts to the other gymburgdorf services. Width
# values describe horizontal grid cells (1-10 desktop / 6 tablet / 2
# mobile, packed left-to-right).
homarr_apps:
  - id: nextcloud
    name: Nextcloud
    description: "Cloud Storage & Collaboration"
    icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons/png/nextcloud.png
    href: https://cloud.gymb.souveredu.ch
    width: 2
  - id: collabora
    name: Collabora Office
    icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons/png/collaboraonline.png
    href: https://office.gymb.souveredu.ch
    width: 2
  - id: drawio
    name: Draw.io
    icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons/png/drawio.png
    href: https://draw.gymb.souveredu.ch
    width: 2
  - id: send
    name: Send
    description: "Encrypted file-share"
    icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons/png/firefox-send.png
    href: https://send.gymb.souveredu.ch
    width: 2
  - id: opnform
    name: OpnForm
    description: "Self-hosted forms"
    icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons/png/opnform.png
    href: https://forms.gymb.souveredu.ch
    width: 2
  - id: bookstack
    name: BookStack
    description: "Wiki & documentation"
    icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons/png/bookstack.png
    href: https://wiki.gymb.souveredu.ch
    width: 2
  - id: authentik
    name: Authentik
    description: "Identity provider"
    icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons/png/authentik.png
    href: https://auth.gymb.souveredu.ch
    width: 2