---
# =================================================================
# Authentik Authentication Service Role - Container Configuration
# =================================================================
# Containerized Authentik deployment using Podman quadlets
# Follows rick-infra patterns for pragmatic service deployment
#
# These are role defaults: every value here can be overridden from
# inventory/group_vars. Secrets are referenced via `vault_*` variables
# and are intentionally NOT given values in this file.

# =================================================================
# Service Configuration
# =================================================================

# Service Management
authentik_service_enabled: true
authentik_service_state: "started"

# User and Container Configuration
# The container runs as a dedicated service account; `authentik_home`
# is its data root on the host.
authentik_user: "authentik"
authentik_group: "authentik"
authentik_home: "/var/lib/authentik"
# Rootless Podman subordinate UID/GID range for `authentik_user`.
# NOTE(review): this range must be allocated to that user in
# /etc/subuid and /etc/subgid and must not overlap another user's
# range, otherwise container UIDs alias onto another service's files.
# Confirm against the podman infrastructure role that creates the range.
authentik_subuid_start: 100000
authentik_subgid_start: 100000
authentik_subuid_size: 65536
authentik_subgid_size: 65536

# Container Configuration
# The image is pinned to a release tag. Registry tags are mutable, so
# for stronger supply-chain integrity consider pinning by digest
# (`image@sha256:...`) and updating the digest together with the tag.
authentik_image_server: "ghcr.io/goauthentik/server"
authentik_image_tag: "2024.8.3"
authentik_pod_name: "authentik"
authentik_network_name: "authentik-net"

# =================================================================
# Domain and Caddy Integration
# =================================================================

# Domain setup (follows rick-infra pattern)
# `authentik_full_domain` is the public hostname Caddy serves; the
# `localhost` fallback is only meaningful for local testing. In
# production the domain must match the TLS certificate Caddy presents,
# since Authentik's session cookies and redirect URIs are bound to it.
authentik_subdomain: "auth"
authentik_domain: "{{ caddy_domain | default('localhost') }}"
authentik_full_domain: "{{ authentik_subdomain }}.{{ authentik_domain }}"

# Caddy integration
caddy_sites_enabled_dir: "/etc/caddy/sites-enabled"

# =================================================================
# Database Configuration (Self-Contained)
# =================================================================

# Authentik manages its own database
# PostgreSQL is reached over a Unix socket directory, so no database
# port is exposed on the network; the socket directory must be mounted
# into the container for this to work (see the quadlet/pod definition).
authentik_db_engine: "postgresql"
authentik_db_host: "/run/postgresql"  # Unix socket directory
authentik_db_port: 5432
authentik_db_name: "authentik"
authentik_db_user: "authentik"
# No `default()` here on purpose: if the vault variable is missing the
# play fails instead of deploying with an empty password.
authentik_db_password: "{{ vault_authentik_db_password }}"

# =================================================================
# Cache Configuration (Valkey/Redis)
# =================================================================

# Valkey/Redis cache configuration (TCP via host gateway)
# Unlike PostgreSQL, the cache is reached over TCP through the Podman
# host gateway. That means Valkey must listen on a host address that is
# reachable from the container network, and that traffic is plaintext
# on the host bridge unless TLS is configured on the Valkey side.
# NOTE(review): keep Valkey bound to the gateway/loopback address only
# and require authentication; confirm against the Valkey role.
authentik_redis_host: "host.containers.internal"  # Using TCP due to Authentik Unix socket issues
authentik_redis_port: 6379
# Database index 1 is shared-instance namespacing, not an access-control
# boundary: a client that authenticates can SELECT any other database.
authentik_redis_db: 1
# NOTE(review): `default('')` means a missing `vault_valkey_password`
# silently produces an UNAUTHENTICATED cache connection rather than a
# failed deploy, which is inconsistent with the db password and secret
# key above. If Valkey is expected to require a password, drop the
# default so the play fails fast; if passwordless Valkey is deliberate,
# set `vault_valkey_password: ""` explicitly in inventory instead.
authentik_redis_password: "{{ vault_valkey_password | default('') }}"

# =================================================================
# Application Settings
# =================================================================

# Authentik core configuration
# `authentik_secret_key` signs sessions and tokens; it must be long,
# random, and never rotated casually (rotation invalidates every
# active session). Vault-only, no default, so a missing value fails fast.
authentik_secret_key: "{{ vault_authentik_secret_key }}"
# The three flags below keep the instance from sending telemetry or
# phoning home. With the update check disabled and the image pinned,
# upstream security advisories must be tracked manually and the tag
# bumped deliberately.
authentik_error_reporting_enabled: false
authentik_disable_update_check: true
authentik_disable_startup_analytics: true

# Email configuration (disabled by default)
# Empty host = email disabled. If email is enabled, source
# `authentik_email_password` from a `vault_*` variable like the other
# secrets rather than setting it in plaintext inventory. Port 587 with
# `use_tls: true` is the conventional STARTTLS submission setup.
authentik_email_host: ""
authentik_email_port: 587
authentik_email_username: ""
authentik_email_password: ""
authentik_email_use_tls: true
authentik_email_from: "authentik@{{ authentik_domain }}"

# Worker configuration
authentik_worker_concurrency: 2

# =================================================================
# Container Networking
# =================================================================

# Port mappings
# 9000 is the plain-HTTP listener Caddy is expected to proxy to; 9443
# is the container's own HTTPS listener. NOTE(review): whether these
# are published on the host or only reachable inside the pod network is
# decided in the quadlet, not here. If they are published on the host,
# bind them to loopback so TLS termination and access control stay with
# Caddy.
authentik_http_port: 9000
authentik_https_port: 9443

# Network configuration
# `authentik_enable_host_gateway` is what makes `host.containers.internal`
# resolvable from the container (needed for the Valkey TCP connection).
authentik_bridge_network: true
authentik_enable_host_gateway: true

# =================================================================
# Rick-Infra Integration Notes
# =================================================================
# This role:
# - Depends on PostgreSQL, Valkey, Podman, and Caddy infrastructure roles
# - Creates its own database and user in PostgreSQL
# - Uses Valkey database 1 for caching
# - Deploys Caddy configuration to sites-enabled
# - Uses Podman quadlets for systemd integration
# - Follows containerized service pattern with service-specific user
# - Expects `vault_authentik_db_password`, `vault_authentik_secret_key`
#   and (if Valkey requires auth) `vault_valkey_password` to be defined
#   in an Ansible Vault, never in plaintext inventory