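---
# Helm values overlay for authentik, written as a Jinja2 template (it uses
# Ansible filters such as to_json and bool). Block tags stay at column 0 so
# that they add no indentation to the rendered YAML.
#
# Every templated scalar goes through "| string | to_json": the result is
# always a valid double-quoted YAML string, so a secret containing a quote or
# a backslash, or a host that starts with a YAML indicator, can neither break
# the document nor be silently altered by escape processing.
#
# The rendered file contains secrets in clear text. Keep the rendered output
# out of version control and readable only by the deploying user.
authentik:
  secret_key: {{ noble_authentik_secret_key | string | to_json }}
  postgresql:
    password: {{ noble_authentik_postgresql_password | string | to_json }}

global:
  # Entries here are passed to the containers as literal env values, so the
  # secrets below are readable by anyone who can read the workload objects.
  # NOTE(review): consider valueFrom.secretKeyRef for the token, passwords and
  # S3 keys if the chart version in use accepts it here; confirm before changing.
  env:
    # NOTE(review): the bootstrap values are presumably only needed for the
    # first start; confirm, then consider removing or rotating them afterwards.
    - name: AUTHENTIK_BOOTSTRAP_TOKEN
      value: {{ noble_authentik_bootstrap_token | string | to_json }}
    - name: AUTHENTIK_BOOTSTRAP_EMAIL
      value: {{ noble_authentik_bootstrap_email | string | to_json }}
    - name: AUTHENTIK_BOOTSTRAP_PASSWORD
      value: {{ noble_authentik_bootstrap_password | string | to_json }}
    # Media storage on S3-compatible object storage.
    - name: AUTHENTIK_STORAGE__BACKEND
      value: "s3"
    - name: AUTHENTIK_STORAGE__S3__BUCKET_NAME
      value: {{ noble_authentik_media_s3_bucket | string | to_json }}
    - name: AUTHENTIK_STORAGE__S3__ENDPOINT
      value: {{ noble_authentik_s3_endpoint | string | to_json }}
    - name: AUTHENTIK_STORAGE__S3__ACCESS_KEY
      value: {{ noble_authentik_s3_access_key | string | to_json }}
    - name: AUTHENTIK_STORAGE__S3__SECRET_KEY
      value: {{ noble_authentik_s3_secret_key | string | to_json }}
    - name: AUTHENTIK_STORAGE__S3__REGION
      value: {{ noble_authentik_s3_region | string | to_json }}
    - name: AUTHENTIK_STORAGE__S3__ADDRESSING_STYLE
      value: {{ noble_authentik_s3_addressing_style | string | to_json }}
{% if noble_authentik_smtp_host | default('') | trim | length > 0 %}
    # Outbound mail: emitted only when an SMTP host is configured.
    # Defaults: port 587, USE_TLS true, USE_SSL false, timeout 30.
    - name: AUTHENTIK_EMAIL__HOST
      value: {{ noble_authentik_smtp_host | trim | to_json }}
    - name: AUTHENTIK_EMAIL__PORT
      value: {{ (noble_authentik_smtp_port | default('587') | string) | to_json }}
    - name: AUTHENTIK_EMAIL__USERNAME
      value: {{ noble_authentik_smtp_username | default('') | to_json }}
    - name: AUTHENTIK_EMAIL__PASSWORD
      value: {{ noble_authentik_smtp_password | default('') | to_json }}
    - name: AUTHENTIK_EMAIL__USE_TLS
      value: {{ (noble_authentik_smtp_use_tls | default('true') | string) | to_json }}
    - name: AUTHENTIK_EMAIL__USE_SSL
      value: {{ (noble_authentik_smtp_use_ssl | default('false') | string) | to_json }}
    - name: AUTHENTIK_EMAIL__TIMEOUT
      value: {{ (noble_authentik_smtp_timeout | default('30') | string) | to_json }}
    - name: AUTHENTIK_EMAIL__FROM
      value: {{ noble_authentik_smtp_from | trim | to_json }}
{% endif %}

# Same database password as authentik.postgresql.password above; the two
# values must stay in sync.
postgresql:
  auth:
    password: {{ noble_authentik_postgresql_password | string | to_json }}
{% if noble_authentik_ingress_extra_hosts | default([]) | length > 0 %}

# Extra SANs on the same Authentik server (e.g. public FQDN behind
# Pangolin → Newt → Traefik). Helm's last -f replaces server.ingress.hosts
# and tls[0].hosts, so the full list is written here; the primary lab host
# stays first. Each extra host exposes the login surface under one more name,
# so the list should hold only hosts that are meant to be reachable.
server:
  ingress:
    hosts:
      - {{ noble_authentik_host | string | to_json }}
{% for h in noble_authentik_ingress_extra_hosts %}
      - {{ h | string | to_json }}
{% endfor %}
    tls:
      - secretName: authentik-apps-noble-tls
        hosts:
          - {{ noble_authentik_host | string | to_json }}
{% for h in noble_authentik_ingress_extra_hosts %}
          - {{ h | string | to_json }}
{% endfor %}
{% endif %}
{% if noble_authentik_blueprints_enabled | default(false) | bool %}

# Blueprints are loaded from the named ConfigMap. Write access to that
# ConfigMap should be limited to the people who may change authentik's
# configuration.
blueprints:
  configMaps:
    - {{ noble_authentik_blueprints_configmap_name | string | to_json }}
{% endif %}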