#############################################
### Identity and Access Management (IAM)  ###
#############################################

#############################################
### OIDC                                  ###
#############################################
# @see https://en.wikipedia.org/wiki/OpenID_Connect

## Private configuration variables:
_oidc_client_realm:       "{{ oidc.client.realm if oidc.client is defined and oidc.client.realm is defined else primary_domain }}"
_oidc_client_issuer_url:  "https://{{domains.keycloak}}/realms/{{_oidc_client_realm}}"

defaults_oidc:
  enabled:               true
  client:
    id:                   "{{primary_domain}}"
#   secret:               # Define in inventory file
    realm:                "{{_oidc_client_realm}}"
    issuer_url:           "{{_oidc_client_issuer_url}}"
    discovery_document:   "{{_oidc_client_issuer_url}}/.well-known/openid-configuration"
    authorize_url:        "{{_oidc_client_issuer_url}}/protocol/openid-connect/auth"
    toke_url:             "{{_oidc_client_issuer_url}}/protocol/openid-connect/token"
    user_info_url:        "{{_oidc_client_issuer_url}}/protocol/openid-connect/userinfo"
    logout_url:           "{{_oidc_client_issuer_url}}/protocol/openid-connect/logout"
    change_credentials:   "{{_oidc_client_issuer_url}}account/account-security/signing-in"

#############################################
### OAuth2-Proxy                          ###
#############################################
# The name of the application which the server redirects to. Needs to be defined in role vars.
oauth2_proxy_upstream_application_and_port:  "application:80"
oauth2_proxy_active:                         false   

#############################################
### LDAP                                  ###
#############################################

# Helper variables
_ldap_dn_base: "dc={{primary_domain_sld}},dc={{primary_domain_tld}}"

ldap:
  # Enables LDAP for all roles in play if true
  enabled:  true
  # Distinguished Names (DN)
  dn:
    # Defines the base Distinguished Name (DN) for the LDAP directory, constructed from the second-level domain (SLD) and top-level domain (TLD).
    root:   "{{_ldap_dn_base}}"
    # Specifies the Distinguished Name (DN) of the LDAP administrator, combining the admin's username with the LDAP root domain.
    bind:   "cn={{applications.ldap.administrator_username}},{{_ldap_dn_base}}"
    # Dn from which the users should be read
    users:          "ou=users,{{_ldap_dn_base}}"
  # Password to access dn.bind
  bind_credential:  "{{applications.ldap.administrator_database_password}}"
  server:
    domain: "{{applications.ldap.openldap.hostname if applications.ldap.openldap.network.local | bool else domains.ldap}}" # Mapping for public or locale access
    uri:    "{% if applications.ldap.openldap.network.local | bool %}ldap://{{ applications.ldap.openldap.hostname }}:{{ ports.localhost.ldap.openldap }}{% else %}ldaps://{{ domains.ldap }}:{{ ports.public.ldaps.openldap }}{% endif %}"
  network:
    local:  "{{applications.ldap.openldap.network.local}}" # Uses the application configuration to define if local network should be available or not