---
authentik:
  secret_key: "{{ noble_authentik_secret_key }}"
  postgresql:
    password: "{{ noble_authentik_postgresql_password }}"
global:
  env:
    - name: AUTHENTIK_BOOTSTRAP_TOKEN
      value: "{{ noble_authentik_bootstrap_token }}"
    - name: AUTHENTIK_BOOTSTRAP_EMAIL
      value: "{{ noble_authentik_bootstrap_email }}"
    - name: AUTHENTIK_BOOTSTRAP_PASSWORD
      value: "{{ noble_authentik_bootstrap_password }}"
postgresql:
  auth:
    password: "{{ noble_authentik_postgresql_password }}"
{% if noble_authentik_ingress_extra_hosts | default([]) | length > 0 %}
# Extra SANs on the same Authentik server (e.g. public FQDN behind Pangolin → Newt → Traefik). Helm’s last -f
# replaces **server.ingress.hosts** / **tls[0].hosts**; primary lab host stays first.
server:
  ingress:
    hosts:
      - {{ noble_authentik_host }}
{% for h in noble_authentik_ingress_extra_hosts %}
      - {{ h }}
{% endfor %}
    tls:
      - secretName: authentik-apps-noble-tls
        hosts:
          - {{ noble_authentik_host }}
{% for h in noble_authentik_ingress_extra_hosts %}
          - {{ h }}
{% endfor %}
{% endif %}