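---
# Ansible vars for the authentik role (Bao/Vault-backed secrets).
#
# Secrets are fetched from the Bao KV v2 secret at <mount>/data/authentik,
# which must provide the keys:
#   secret_key, postgres_password, admin_password,
#   ldap_outpost_token, nextcloud_oidc_secret
#
# `vault_mount` and `vault_addr` are expected to be set elsewhere (inventory or
# group_vars). Only the address is passed here; the lookup's auth method and
# TLS verification come from the plugin's defaults / environment — confirm
# those are pinned in the environment that runs this role.
#
# NOTE: Ansible evaluates a lookup each time the variable is templated, so every
# `_authentik.<key>` reference below is a separate read of the secret. Tasks
# that consume the derived `authentik_*` values should set `no_log: true` so
# the secrets do not end up in task output or logs.
_authentik: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount + '/data/authentik', url=vault_addr) }}"

# Public hostname of the authentik instance; reused below for the outpost URL.
authentik_domain: "auth.gymb.souveredu.ch"
authentik_secret_key: "{{ _authentik.secret_key }}"
authentik_postgres_password: "{{ _authentik.postgres_password }}"

# LDAP outpost (provider for nextcloud)
authentik_ldap_apps:
  - slug: ldap
    name: LDAP
    base_dn: "dc=gymb,dc=souveredu,dc=ch"
    # Group whose members may perform LDAP searches; defined in authentik_groups.
    search_group: admins

authentik_ldap_outpost:
  name: "ldap-outpost"
  token: "{{ _authentik.ldap_outpost_token }}"
  config:
    # Derived from authentik_domain so the two cannot drift apart.
    authentik_host: "https://{{ authentik_domain }}/"
    log_level: "info"

# OIDC clients
authentik_oidc_apps:
  - slug: nextcloud
    name: Nextcloud
    client_id: nextcloud
    client_secret: "{{ _authentik.nextcloud_oidc_secret }}"
    redirect_uris:
      # strict matching: the callback URL must match exactly, no wildcards.
      - url: "https://cloud.gymb.souveredu.ch/apps/user_oidc/code"
        matching_mode: strict
    signing_key_name: "authentik Self-signed Certificate"
    flows:
      authorization_slug: default-provider-authorization-implicit-consent
      invalidation_slug: default-provider-invalidation-flow
    scopes: [openid, email, profile, offline_access]

authentik_groups:
  - name: admins
  - name: users

authentik_local_users:
  - username: akadmin
    name: "Authentik Admin"
    email: "admin@gymb.souveredu.ch"
    password: "{{ _authentik.admin_password }}"
    is_active: true
    groups:
      # "authentik Admins" is not declared in authentik_groups above; presumably
      # the instance's built-in superuser group — verify it exists before
      # relying on it.
      - authentik Admins
      - admins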