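# Copy to **.env** in this repository root (`.env` is gitignored).
# Ansible **noble_cert_manager** role sources `.env` after cert-manager Helm install and creates
# **cert-manager/cloudflare-dns-api-token** when **CLOUDFLARE_DNS_API_TOKEN** is set.
#
# This file is sourced as shell, so every non-comment line must be a plain `NAME=value`
# assignment: one assignment per line, no comment text after a value, and any value that
# contains spaces, `$`, backticks, `#` or other shell metacharacters must be quoted
# (single quotes keep it literal). Keep the filled-in copy readable only by you (mode 0600):
# it holds API tokens, passwords and signing keys.
#
# Cloudflare: Zone → DNS → Edit + Zone → Read for **pcenicni.dev** (see clusters/noble/bootstrap/cert-manager/README.md).
CLOUDFLARE_DNS_API_TOKEN=

# --- Optional: other deploy-time values (documented for manual use or future automation) ---

# Pangolin / Newt — with **noble_newt_install=true**, Ansible creates **newt/newt-pangolin-auth** when all are set (see clusters/noble/bootstrap/newt/README.md).
PANGOLIN_ENDPOINT=
NEWT_ID=
NEWT_SECRET=

# Optional: Pangolin Integration API — automate public HTTP resources + Traefik targets (**noble_pangolin_sync_http_resources=true** in **group_vars**; see **clusters/noble/bootstrap/newt/README.md** §4).
# Integration API — separate host from the main Pangolin UI; see clusters/noble/bootstrap/newt/README.md §4
# NOBLE_PANGOLIN_API_BASE=https://api.example.com/v1
# NOBLE_PANGOLIN_ORG_ID=
# **apiKeyId.apiKeySecret** (one value, dot in the middle) from Organization → API keys — **not** login password; browser cookies do not apply. Alternatively: secret only here + **NOBLE_PANGOLIN_API_KEY_ID** below.
# NOBLE_PANGOLIN_API_TOKEN=
# optional; if set, **NOBLE_PANGOLIN_API_TOKEN** may be the secret half only
# NOBLE_PANGOLIN_API_KEY_ID=
# numeric siteId, or Pangolin **niceId** (Sites UI slug, e.g. unruly-asian-badger)
# NOBLE_PANGOLIN_SITE_ID=
# NOBLE_PANGOLIN_TRAEFIK_IP=192.168.50.211
# NOBLE_PANGOLIN_TRAEFIK_PORT=443
# Self-signed Integration API TLS: either trust your CA (preferred) or homelab-only skip verify.
# Skip-verify turns off server-certificate checking for every Integration API call, so the API token
# above is sent to whatever answers at NOBLE_PANGOLIN_API_BASE; prefer NOBLE_PANGOLIN_CA_BUNDLE.
# NOBLE_PANGOLIN_CA_BUNDLE=/path/to/ca.pem
# NOBLE_PANGOLIN_INSECURE_SKIP_TLS_VERIFY=true

# Velero — when **noble_velero_install=true**, set bucket + S3 API URL and credentials (see clusters/noble/bootstrap/velero/README.md).
NOBLE_VELERO_S3_BUCKET=
NOBLE_VELERO_S3_URL=
NOBLE_VELERO_AWS_ACCESS_KEY_ID=
NOBLE_VELERO_AWS_SECRET_ACCESS_KEY=

# Authentik + OIDC — when **noble_authentik_install=true**, Ansible installs Authentik and reconfigures Argo CD, Grafana, Headlamp, **Open WebUI** (native OIDC) and Prometheus/Alertmanager/Longhorn via oauth2-proxy (OIDC to Authentik + Traefik ForwardAuth). See **ansible/roles/noble_authentik/README.md**.
NOBLE_AUTHENTIK_SECRET_KEY=
NOBLE_AUTHENTIK_POSTGRES_PASSWORD=
NOBLE_AUTHENTIK_BOOTSTRAP_TOKEN=
NOBLE_AUTHENTIK_BOOTSTRAP_EMAIL=
NOBLE_AUTHENTIK_BOOTSTRAP_PASSWORD=
NOBLE_AUTHENTIK_CLIENT_SECRET_ARGOCD=
NOBLE_AUTHENTIK_CLIENT_SECRET_GRAFANA=
NOBLE_AUTHENTIK_CLIENT_SECRET_HEADLAMP=
NOBLE_AUTHENTIK_CLIENT_SECRET_OAUTH2_PROXY=

# Open WebUI (Argo app **clusters/noble/apps/open-webui**) — OIDC client secret + app secrets (see **clusters/noble/apps/open-webui/values.yaml**).
NOBLE_AUTHENTIK_CLIENT_SECRET_OPEN_WEBUI=
NOBLE_OPEN_WEBUI_OPENAI_API_KEY=
# e.g. openssl rand -hex 32
NOBLE_OPEN_WEBUI_WEBUI_SECRET_KEY=

# Random secret for oauth2-proxy session cookie (see oauth2-proxy Helm chart docs; e.g. openssl rand -base64 32 | head -c 32 | base64)
NOBLE_AUTHENTIK_OAUTH2_PROXY_COOKIE_SECRET=

# S3 media — **separate** bucket from Velero backups (**NOBLE_VELERO_S3_BUCKET**). Endpoint and keys default to the Velero vars above unless you set the Authentik-specific overrides.
NOBLE_AUTHENTIK_MEDIA_S3_BUCKET=
# Optional overrides (otherwise **NOBLE_VELERO_S3_URL** and Velero AWS keys are used):
# NOBLE_AUTHENTIK_S3_URL=
# NOBLE_AUTHENTIK_S3_ACCESS_KEY=
# NOBLE_AUTHENTIK_S3_SECRET_KEY=
# NOBLE_AUTHENTIK_S3_REGION=
# NOBLE_AUTHENTIK_S3_ADDRESSING_STYLE=
#
# Optional outbound email (password recovery, invites, etc.) — maps to Authentik **AUTHENTIK_EMAIL__*** (see https://docs.goauthentik.io/install-config/configuration/#email-settings ). Omit **NOBLE_AUTHENTIK_SMTP_HOST** to leave email unset in Helm.
# NOBLE_AUTHENTIK_SMTP_HOST=
# NOBLE_AUTHENTIK_SMTP_FROM=
# NOBLE_AUTHENTIK_SMTP_PORT=587
# NOBLE_AUTHENTIK_SMTP_USERNAME=
# NOBLE_AUTHENTIK_SMTP_PASSWORD=
# NOBLE_AUTHENTIK_SMTP_USE_TLS=true
# NOBLE_AUTHENTIK_SMTP_USE_SSL=false
# NOBLE_AUTHENTIK_SMTP_TIMEOUT=30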