home-server/ansible/roles/noble_authentik/defaults/main.yml

---
# Set **noble_authentik_install: true** after filling **.env** (see role README and repository **.env.sample**).
noble_authentik_install: false
# When true, run **configure_authentik.py** against the Authentik API (requires bootstrap token + client secrets).
noble_authentik_configure_idp: true
# **worker** — upsert OAuth2 providers + applications via **ak shell** + Django ORM (avoids **GET …/providers/oauth2/** 403
# for bootstrap tokens). **rest** — use the Authentik API only (needs a token that can list/patch OAuth2 providers).
# When true (default), run **worker_ensure_authentik_admin_access.py** so **akadmin** / bootstrap email is in
# **authentik Admins** with **is_superuser** on the group (fixes **/if/admin/** redirecting to user UI in 2026+).
noble_authentik_ensure_admin_ui_access: true

noble_authentik_chart_version: "2026.2.3"
noble_authentik_namespace: authentik
# Helm release name (deployments: **{release}-server**, **{release}-worker**).
noble_authentik_release_name: authentik
noble_authentik_oauth2_proxy_chart_version: "10.4.3"
# Helm **--wait** timeout for **oauth2-proxy** (first pull / API checks can exceed 10m).
noble_authentik_oauth2_proxy_helm_wait_timeout: 10m

noble_authentik_host: auth.apps.noble.lab.pcenicni.dev
noble_authentik_public_url: "https://{{ noble_authentik_host }}"
noble_authentik_api_base: "{{ noble_authentik_public_url }}/api/v3"

# Optional extra Ingress hostnames (FQDN strings) for the **same** Authentik release — e.g. a **public** name
# (Pangolin HTTP resource → Newt site → Traefik) while **`noble_authentik_host`** stays the in-lab name.
# Ansible merges these into **server.ingress.hosts** / **tls** (one cert Secret with multiple SANs).
noble_authentik_ingress_extra_hosts: []

# Mounted **blueprints** (ConfigMap → worker `/blueprints/mounted/cm-*`). See README § split routing / two-Brand.
noble_authentik_blueprints_enabled: false
noble_authentik_blueprints_configmap_name: authentik-noble-blueprints
# Directory groups blueprint (**`10-noble-public-groups.yaml.j2`**): merges **`noble_authentik_blueprint_public_groups`**
# (optional — often empty), **`noble_authentik_blueprint_extra_directory_groups`**, and **`noble_authentik_blueprint_nikflix_groups`**
# (defaults: **`nikflix-users`** / **`nikflix-admins`**). Lab onboarding uses **`noble_authentik_blueprint_lab_invitee_group_name`**
# from blueprint **22**, not this list. Each item may be:
#   - a **string** (group name only), or
#   - a **dict** with **`name`** (required) and optional **`is_superuser`** (bool), **`attributes`** (dict → JSON in blueprint),
#     **`parents`** (list of **existing** group names — list parents *before* children in these lists, or use built-in groups).
noble_authentik_blueprint_public_groups: []
# Additional directory groups (same entry shape as **`noble_authentik_blueprint_public_groups`**); merged into blueprint **10** after **`public_groups`**.
noble_authentik_blueprint_extra_directory_groups: []
# Nikflix (e.g. **auth.nikflix.ca**) directory groups — merged **after** optional **`public_groups`** + **`extra_directory_groups`**
# so **`parents`** can reference those. Prefer **`nikflix-users`** / **`nikflix-admins`** for the internet-facing Brand.
noble_authentik_blueprint_nikflix_groups:
  - name: nikflix-users
    attributes:
      "noble.ak/brand": nikflix
      "noble.ak/audience": public
  - name: nikflix-admins
    parents:
      - nikflix-users
    attributes:
      "noble.ak/brand": nikflix
      "noble.ak/audience": public
# Lab-only authentication flow slug (Brand for **`noble_authentik_host`** points here).
noble_authentik_blueprint_lab_flow_slug: noble-lab-operator-authentication-flow
noble_authentik_blueprint_operator_policy_name: noble-lab-operators-only
# Who may sign in on the **lab** hostname (`noble_authentik_host`). Bootstrap user should be in **noble-admins**
# and/or **authentik Admins** (see **`noble_authentik_ensure_admin_ui_access`**).
noble_authentik_blueprint_lab_operator_groups:
  - noble-admins
  - authentik Admins
noble_authentik_blueprint_lab_brand_title: Noble lab (operators)
noble_authentik_blueprint_public_brand_title_prefix: Nikflix
# Public hostname Brand(s) → dedicated authentication flow (**21-noble-public-…** blueprint).
noble_authentik_blueprint_public_auth_flow_slug: noble-public-authentication-flow
# Lab flow: password stage (**failed_attempts_before_cancel**) and strength checks (expression policy; skips when **password** not yet in request context).
noble_authentik_blueprint_lab_password_failed_attempts: 3
noble_authentik_blueprint_lab_password_policy_length_min: 16
noble_authentik_blueprint_lab_password_policy_amount_uppercase: 1
noble_authentik_blueprint_lab_password_policy_amount_lowercase: 1
noble_authentik_blueprint_lab_password_policy_amount_digits: 1
noble_authentik_blueprint_lab_password_policy_amount_symbols: 1
noble_authentik_blueprint_lab_password_policy_check_zxcvbn: true
noble_authentik_blueprint_lab_password_policy_zxcvbn_score_threshold: 3
noble_authentik_blueprint_lab_password_policy_error_message: >-
  Lab password policy: at least 16 characters with upper, lower, digit, symbol, and sufficient strength.
# Lab MFA when user has no compatible device: **skip** (like stock), **deny** (block), **configure** (TOTP setup via default stage).
noble_authentik_blueprint_lab_mfa_not_configured_action: configure
# Invitation-based **enrollment** flows (blueprint **22**). Brands do not select enrollment; each **Invitation** picks a flow.
# Link shape: **`https://<host>/if/flow/<slug>/?itoken=<uuid>`** — use your **Nikflix / extra_hosts** FQDN for this flow’s invites.
noble_authentik_blueprint_public_invitation_enrollment_flow_slug: nikflix-invitation-enrollment
noble_authentik_blueprint_lab_invitation_enrollment_flow_slug: noble-lab-invitation-enrollment
noble_authentik_blueprint_public_invitation_flow_name: Nikflix invitation enrollment
noble_authentik_blueprint_public_invitation_flow_title: Complete your signup
noble_authentik_blueprint_lab_invitation_flow_name: Noble lab invitation enrollment
noble_authentik_blueprint_lab_invitation_flow_title: Lab access — complete enrollment
# **User write** for Nikflix (internet) invites: must match a **Group** created in blueprint **10** (default **`nikflix-users`**).
noble_authentik_blueprint_public_invitation_user_group: nikflix-users
# **`internal`** — normal directory users (default). Use **`external`** only when you intentionally isolate invitees from admin / “internal-only” surfaces (see [Invitations troubleshooting](https://docs.goauthentik.io/users-sources/user/invitations/)).
noble_authentik_blueprint_public_invitation_user_type: internal
noble_authentik_blueprint_public_invitation_user_path: users/noble/nikflix
# Lab invites: blueprint creates **`noble_authentik_blueprint_lab_invitee_group_name`**; add members to **`noble_authentik_blueprint_lab_operator_groups`** manually when they should use the lab URL.
noble_authentik_blueprint_lab_invitee_group_name: noble-lab-invited
noble_authentik_blueprint_lab_invitation_user_type: internal
noble_authentik_blueprint_lab_invitation_user_path: users/noble/lab

noble_authentik_oauth2_proxy_host: oauth2.apps.noble.lab.pcenicni.dev

# Media: **S3** via Ansible **`global.env`** (same S3 **URL** + **access keys** as **Velero** when you omit Authentik-specific overrides).
# Set **`NOBLE_AUTHENTIK_MEDIA_S3_BUCKET`** to a **dedicated** bucket (do not use the Velero backup bucket).
noble_authentik_media_s3_bucket: ""
noble_authentik_s3_endpoint: ""
noble_authentik_s3_access_key: ""
noble_authentik_s3_secret_key: ""
noble_authentik_s3_region: "us-east-1"
noble_authentik_s3_addressing_style: "path"

# Optional outbound SMTP (maps to **AUTHENTIK_EMAIL__*** in Helm **global.env**). Leave **noble_authentik_smtp_host**
# empty to omit email env vars; set **NOBLE_AUTHENTIK_SMTP_HOST** (and **NOBLE_AUTHENTIK_SMTP_FROM**) in **.env** to enable.
noble_authentik_smtp_host: ""
noble_authentik_smtp_port: "587"
noble_authentik_smtp_username: ""
noble_authentik_smtp_password: ""
noble_authentik_smtp_use_tls: "true"
noble_authentik_smtp_use_ssl: "false"
noble_authentik_smtp_timeout: "30"
noble_authentik_smtp_from: ""

# OIDC client ids (must match Authentik providers created by configure script)
noble_authentik_client_id_argocd: argocd
noble_authentik_client_id_grafana: grafana
noble_authentik_client_id_headlamp: headlamp
noble_authentik_client_id_oauth2_proxy: oauth2-proxy
noble_authentik_client_id_open_webui: open-webui

# Headlamp **OIDC_SCOPES** for Secret **headlamp-oidc**. Omit **groups** unless the Authentik OAuth2 provider
# includes a separate **groups** ScopeMapping (2026.x defaults often embed groups in **profile** only; requesting
# **groups** then yields **invalid_scope** on authorize). Override if your IdP exposes **groups** explicitly.
noble_authentik_headlamp_oidc_scopes: "openid profile email offline_access"
# PKCE for Headlamp OIDC. **false** is the default for Authentik **confidential** clients: auth still uses the
# standard browser OAuth code flow; PKCE is optional and some users see the callback “flash” then login reset
# when PKCE state/cookies do not survive the redirect. Set **true** if you require PKCE.
noble_authentik_headlamp_oidc_use_pkce: false

# Secrets / bootstrap — prefer **lookup('env', ...)** set via repository **.env** (see from_env.yml).
noble_authentik_secret_key: ""
noble_authentik_postgresql_password: ""
noble_authentik_bootstrap_token: ""
noble_authentik_bootstrap_email: ""
noble_authentik_bootstrap_password: ""

noble_authentik_client_secret_argocd: ""
noble_authentik_client_secret_grafana: ""
noble_authentik_client_secret_headlamp: ""
noble_authentik_client_secret_oauth2_proxy: ""
noble_authentik_client_secret_open_webui: ""
noble_authentik_oauth2_proxy_cookie_secret: ""

# **open-webui** namespace — Secret **open-webui-secrets** (Ansible **--tags authentik**). See **clusters/noble/apps/open-webui/values.yaml**.
noble_open_webui_openai_api_key: ""
noble_open_webui_webui_secret_key: ""
# Public FQDN for Open WebUI (Ingress + OIDC **redirect_uri**). Set in **group_vars** (e.g. **webui.example.com**); must match GitOps **values.yaml** **ingress.host** and **OPENID_REDIRECT_URI** / **WEBUI_URL**.
noble_open_webui_public_host: ""

# Optional: OAuth2 provider flow PKs (UUID strings). When **both** are set, **configure_authentik.py**
# skips **GET /flows/instances/** (avoids 403 if the API token cannot view flows). If unset, the role
# tries **kubectl exec** into **authentik-worker** + **ak shell** to read the same slugs from the DB.
noble_authentik_oauth_authorization_flow_pk: ""
noble_authentik_oauth_invalidation_flow_pk: ""
# Optional: OAuth2 signing key (**CertificateKeyPair** UUID). When set, **configure_authentik.py** skips
# **GET /crypto/certificatekeypairs/** (often 403 for bootstrap tokens). If unset, the role resolves it
# from the worker DB when possible (see **resolve_oauth_signing_key_pk.py**).
noble_authentik_oauth_signing_key_pk: ""
# Optional: comma-separated **ScopeMapping** UUIDs (openid, email, profile, offline_access; optional **groups**
# if you created a separate mapping — 2026.x defaults embed groups in **profile** only).
# When set, **configure_authentik.py** skips **GET /propertymappings/...** (often 403 for bootstrap tokens).
noble_authentik_oauth_scope_mapping_pks: ""
# Optional: **Group** UUIDs for **noble-admins** / **noble-editors** (skip **GET /core/groups/** when set).
noble_authentik_group_pk_noble_admins: ""
noble_authentik_group_pk_noble_editors: ""

noble_authentik_helm_wait_timeout: 25m

# After Helm --wait, the worker still creates the bootstrap API token; poll the public API before configure_authentik.py.
noble_authentik_bootstrap_api_wait_retries: 36
noble_authentik_bootstrap_api_wait_delay: 5

# Re-apply the same chart versions as the rest of noble.yml when flipping SSO on.
noble_authentik_argocd_chart_version: "9.5.14"
noble_authentik_kube_prometheus_chart_version: "85.0.3"
noble_authentik_headlamp_chart_version: "0.42.0"
noble_authentik_longhorn_chart_version: "1.11.2"
noble_authentik_kube_prometheus_helm_wait_timeout: 60m