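# Copy to **.env** in this repository root (`.env` is gitignored).
# Ansible **noble_cert_manager** role sources `.env` after cert-manager Helm install and creates
# **cert-manager/cloudflare-dns-api-token** when **CLOUDFLARE_DNS_API_TOKEN** is set.
#
# The filled-in copy holds live credentials: commit only this empty template, and keep `.env`
# readable by the deploying user alone (e.g. `chmod 600 .env`).
# One assignment per line with comments on their own lines — in a collapsed file everything after
# the first `#` is read as a comment and no variable is set.
# NOTE(review): assuming the role reads the file with the shell's `source`/`.`, single-quote any
# value that contains spaces, `$`, backticks, quotes or backslashes so it is not expanded or executed.
#
# Cloudflare: Zone → DNS → Edit + Zone → Read for **pcenicni.dev** (see clusters/noble/bootstrap/cert-manager/README.md).
# Restrict the token to that one zone and those two permissions; it ends up in the cluster as the secret named above.
CLOUDFLARE_DNS_API_TOKEN=

# --- Optional: other deploy-time values (documented for manual use or future automation) ---

# Pangolin / Newt — with **noble_newt_install=true**, Ansible creates **newt/newt-pangolin-auth** when all are set (see clusters/noble/bootstrap/newt/README.md).
PANGOLIN_ENDPOINT=
NEWT_ID=
NEWT_SECRET=

# Velero — when **noble_velero_install=true**, set bucket + S3 API URL and credentials (see clusters/noble/bootstrap/velero/README.md).
# NOTE(review): prefer an access key limited to the backup bucket rather than an account-wide key.
NOBLE_VELERO_S3_BUCKET=
NOBLE_VELERO_S3_URL=
NOBLE_VELERO_AWS_ACCESS_KEY_ID=
NOBLE_VELERO_AWS_SECRET_ACCESS_KEY=

# Authentik + OIDC — when **noble_authentik_install=true**, Ansible installs Authentik and reconfigures Argo CD, Grafana, Headlamp (native OIDC) and Prometheus/Alertmanager/Longhorn via oauth2-proxy (OIDC to Authentik + Traefik ForwardAuth). See **ansible/roles/noble_authentik/README.md**.
# Generate every secret below independently from a CSPRNG; do not reuse one value for several clients.
# NOTE(review): the bootstrap password and token presumably belong to the initial admin account and
# are read by Authentik on first start — check the role README for whether they can be rotated or
# revoked once setup has finished.
NOBLE_AUTHENTIK_SECRET_KEY=
NOBLE_AUTHENTIK_POSTGRES_PASSWORD=
NOBLE_AUTHENTIK_BOOTSTRAP_TOKEN=
NOBLE_AUTHENTIK_BOOTSTRAP_EMAIL=
NOBLE_AUTHENTIK_BOOTSTRAP_PASSWORD=
NOBLE_AUTHENTIK_CLIENT_SECRET_ARGOCD=
NOBLE_AUTHENTIK_CLIENT_SECRET_GRAFANA=
NOBLE_AUTHENTIK_CLIENT_SECRET_HEADLAMP=
NOBLE_AUTHENTIK_CLIENT_SECRET_OAUTH2_PROXY=

# Random secret for oauth2-proxy session cookie (see oauth2-proxy Helm chart docs; e.g. openssl rand -base64 32 | head -c 32 | base64)
# oauth2-proxy accepts only cookie secrets of 16, 24 or 32 bytes; the command above prints a base64
# string that decodes to 32 bytes.
NOBLE_AUTHENTIK_OAUTH2_PROXY_COOKIE_SECRET=

# S3 media — **separate** bucket from Velero backups (**NOBLE_VELERO_S3_BUCKET**). Endpoint and keys default to the Velero vars above unless you set the Authentik-specific overrides.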
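NOBLE_AUTHENTIK_MEDIA_S3_BUCKET=
# Optional overrides (otherwise **NOBLE_VELERO_S3_URL** and Velero AWS keys are used):
# NOTE(review): with the defaults, Authentik is handed the Velero access key. If that key can also
# read or write the backup bucket, set the overrides below to a key limited to the media bucket.
# NOBLE_AUTHENTIK_S3_URL=
# NOBLE_AUTHENTIK_S3_ACCESS_KEY=
# NOBLE_AUTHENTIK_S3_SECRET_KEY=
# NOBLE_AUTHENTIK_S3_REGION=
# NOBLE_AUTHENTIK_S3_ADDRESSING_STYLE=
#
# Optional outbound email (password recovery, invites, etc.) — maps to Authentik **AUTHENTIK_EMAIL__*** (see https://docs.goauthentik.io/install-config/configuration/#email-settings ). Omit **NOBLE_AUTHENTIK_SMTP_HOST** to leave email unset in Helm.
# USE_TLS selects STARTTLS (usual on port 587) and USE_SSL selects implicit TLS (usual on port 465):
# enable at most one. With both false, the SMTP password and the recovery links are sent unencrypted.
# NOBLE_AUTHENTIK_SMTP_HOST=
# NOBLE_AUTHENTIK_SMTP_FROM=
# NOBLE_AUTHENTIK_SMTP_PORT=587
# NOBLE_AUTHENTIK_SMTP_USERNAME=
# NOBLE_AUTHENTIK_SMTP_PASSWORD=
# NOBLE_AUTHENTIK_SMTP_USE_TLS=true
# NOBLE_AUTHENTIK_SMTP_USE_SSL=false
# NOBLE_AUTHENTIK_SMTP_TIMEOUT=30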