# Copy to **.env** in this repository root (`.env` is gitignored).
# Ansible **noble_cert_manager** role sources `.env` after cert-manager Helm install and creates
# **cert-manager/cloudflare-dns-api-token** when **CLOUDFLARE_DNS_API_TOKEN** is set.
#
# Cloudflare: Zone → DNS → Edit + Zone → Read for **pcenicni.dev** (see clusters/noble/bootstrap/cert-manager/README.md).
CLOUDFLARE_DNS_API_TOKEN=

# --- Optional: other deploy-time values (documented for manual use or future automation) ---

# Pangolin / Newt — with **noble_newt_install=true**, Ansible creates **newt/newt-pangolin-auth** when all are set (see clusters/noble/bootstrap/newt/README.md).
PANGOLIN_ENDPOINT=
NEWT_ID=
NEWT_SECRET=

# Optional: Pangolin Integration API — automate public HTTP resources + Traefik targets (**noble_pangolin_sync_http_resources=true** in **group_vars**; see **clusters/noble/bootstrap/newt/README.md** §4).
# NOBLE_PANGOLIN_API_BASE=https://api.your-pangolin.example/v1
# NOBLE_PANGOLIN_ORG_ID=
# NOBLE_PANGOLIN_API_TOKEN=
# NOBLE_PANGOLIN_SITE_ID=
# NOBLE_PANGOLIN_TRAEFIK_IP=192.168.50.211
# NOBLE_PANGOLIN_TRAEFIK_PORT=443

# Velero — when **noble_velero_install=true**, set bucket + S3 API URL and credentials (see clusters/noble/bootstrap/velero/README.md).
NOBLE_VELERO_S3_BUCKET=
NOBLE_VELERO_S3_URL=
NOBLE_VELERO_AWS_ACCESS_KEY_ID=
NOBLE_VELERO_AWS_SECRET_ACCESS_KEY=

# Authentik + OIDC — when **noble_authentik_install=true**, Ansible installs Authentik and reconfigures Argo CD, Grafana, Headlamp, **Open WebUI** (native OIDC) and Prometheus/Alertmanager/Longhorn via oauth2-proxy (OIDC to Authentik + Traefik ForwardAuth). See **ansible/roles/noble_authentik/README.md**.
NOBLE_AUTHENTIK_SECRET_KEY=
NOBLE_AUTHENTIK_POSTGRES_PASSWORD=
NOBLE_AUTHENTIK_BOOTSTRAP_TOKEN=
NOBLE_AUTHENTIK_BOOTSTRAP_EMAIL=
NOBLE_AUTHENTIK_BOOTSTRAP_PASSWORD=
NOBLE_AUTHENTIK_CLIENT_SECRET_ARGOCD=
NOBLE_AUTHENTIK_CLIENT_SECRET_GRAFANA=
NOBLE_AUTHENTIK_CLIENT_SECRET_HEADLAMP=
NOBLE_AUTHENTIK_CLIENT_SECRET_OAUTH2_PROXY=
# Open WebUI (Argo app **clusters/noble/apps/open-webui**) — OIDC client secret + app secrets (see **clusters/noble/apps/open-webui/values.yaml**).
NOBLE_AUTHENTIK_CLIENT_SECRET_OPEN_WEBUI=
NOBLE_OPEN_WEBUI_OPENAI_API_KEY=
# e.g. openssl rand -hex 32
NOBLE_OPEN_WEBUI_WEBUI_SECRET_KEY=
# Random secret for oauth2-proxy session cookie (see oauth2-proxy Helm chart docs; e.g. openssl rand -base64 32 | head -c 32 | base64)
NOBLE_AUTHENTIK_OAUTH2_PROXY_COOKIE_SECRET=
# S3 media — **separate** bucket from Velero backups (**NOBLE_VELERO_S3_BUCKET**). Endpoint and keys default to the Velero vars above unless you set the Authentik-specific overrides.
NOBLE_AUTHENTIK_MEDIA_S3_BUCKET=
# Optional overrides (otherwise **NOBLE_VELERO_S3_URL** and Velero AWS keys are used):
# NOBLE_AUTHENTIK_S3_URL=
# NOBLE_AUTHENTIK_S3_ACCESS_KEY=
# NOBLE_AUTHENTIK_S3_SECRET_KEY=
# NOBLE_AUTHENTIK_S3_REGION=
# NOBLE_AUTHENTIK_S3_ADDRESSING_STYLE=
#
# Optional outbound email (password recovery, invites, etc.) — maps to Authentik **AUTHENTIK_EMAIL__*** (see https://docs.goauthentik.io/install-config/configuration/#email-settings ). Omit **NOBLE_AUTHENTIK_SMTP_HOST** to leave email unset in Helm.
# NOBLE_AUTHENTIK_SMTP_HOST=
# NOBLE_AUTHENTIK_SMTP_FROM=
# NOBLE_AUTHENTIK_SMTP_PORT=587
# NOBLE_AUTHENTIK_SMTP_USERNAME=
# NOBLE_AUTHENTIK_SMTP_PASSWORD=
# NOBLE_AUTHENTIK_SMTP_USE_TLS=true
# NOBLE_AUTHENTIK_SMTP_USE_SSL=false
# NOBLE_AUTHENTIK_SMTP_TIMEOUT=30
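Added example, not part of this repository or of the noble Ansible roles: a POSIX sh sanity check to run against the filled-in `.env` before Ansible sources it. It uses the variable names from the template above; everything else is an assumption of this example. The sample `.env` it writes is constructed with placeholder values, the 16/24/32-byte rule is oauth2-proxy's documented requirement for a base64-encoded cookie secret, and the 64-hex-character check simply enforces the output shape of the `openssl rand -hex 32` recipe the template suggests for the Open WebUI secret. Commented-out keys (`# NOBLE_...=`) are treated as unset, exactly as a shell sourcing the file would.

```shell
#!/bin/sh
# Example .env sanity check (hypothetical helper, not the repository's own tooling).
set -u

# Print the value of key $2 from env file $1; the last assignment wins, as it
# would when the file is sourced. Commented-out lines never match the anchor.
env_get() {
  sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Succeed only if every key named after the file has a non-empty value.
env_require() {
  req_file=$1; shift
  missing=0
  for k in "$@"; do
    if [ -z "$(env_get "$req_file" "$k")" ]; then
      echo "missing or empty: $k" >&2
      missing=1
    fi
  done
  return $missing
}

# Decoded length of a base64 string without decoding it: every 4 characters
# carry 3 bytes, minus one byte for each trailing '=' pad character.
b64_decoded_len() {
  b64=$1
  pad=${b64##*[!=]}
  echo $(( ${#b64} / 4 * 3 - ${#pad} ))
}

# oauth2-proxy accepts a cookie secret that decodes to 16, 24 or 32 bytes;
# the template's "openssl rand -base64 32 | head -c 32 | base64" yields 32.
cookie_secret_ok() {
  n=$(b64_decoded_len "$1")
  [ "$n" -eq 16 ] || [ "$n" -eq 24 ] || [ "$n" -eq 32 ]
}

# 64 hex characters, i.e. what "openssl rand -hex 32" produces.
hex_secret_ok() {
  case $1 in *[!0-9a-fA-F]*) return 1 ;; esac
  [ ${#1} -eq 64 ]
}

# The file holds API tokens: it should be readable by the owner only.
env_mode_ok() {
  [ "$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")" = "600" ]
}

# Full check: the cert-manager token is mandatory; the Authentik-related
# secrets are validated only when present, since those installs are optional.
check_env() {
  cf=$1
  env_mode_ok "$cf" || echo "warning: $cf should be mode 600 (chmod 600)" >&2
  env_require "$cf" CLOUDFLARE_DNS_API_TOKEN || return 1
  cookie=$(env_get "$cf" NOBLE_AUTHENTIK_OAUTH2_PROXY_COOKIE_SECRET)
  if [ -n "$cookie" ] && ! cookie_secret_ok "$cookie"; then
    echo "NOBLE_AUTHENTIK_OAUTH2_PROXY_COOKIE_SECRET must decode to 16, 24 or 32 bytes" >&2
    return 1
  fi
  webui=$(env_get "$cf" NOBLE_OPEN_WEBUI_WEBUI_SECRET_KEY)
  if [ -n "$webui" ] && ! hex_secret_ok "$webui"; then
    echo "NOBLE_OPEN_WEBUI_WEBUI_SECRET_KEY should be 64 hex chars (openssl rand -hex 32)" >&2
    return 1
  fi
  return 0
}

# Write a constructed sample .env (placeholder values, not real credentials)
# and print its path. mktemp creates the file with mode 600.
make_sample_env() {
  sf=$(mktemp)
  cat >"$sf" <<'EOF'
# constructed sample .env for the demonstration
CLOUDFLARE_DNS_API_TOKEN=placeholder-cloudflare-token
NOBLE_VELERO_S3_BUCKET=
NOBLE_OPEN_WEBUI_WEBUI_SECRET_KEY=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
NOBLE_AUTHENTIK_OAUTH2_PROXY_COOKIE_SECRET=QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=
# NOBLE_AUTHENTIK_SMTP_HOST=
EOF
  echo "$sf"
}

# Demonstration run against the constructed sample (replace with ./.env in practice).
sample=$(make_sample_env)
check_env "$sample" && echo "$sample: env looks sane"
rm -f "$sample"
```

Run it as `sh check-env.sh` after copying and filling in `.env`; a non-zero exit means a required value is empty or a secret has the wrong shape, and the message on stderr names the offending key.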