# Open WebUI environment file, rendered from this Jinja2 template (Ansible filters such
# as `ternary` are used, so it is meant to be rendered by Ansible, not read directly).
# The rendered file contains secrets (OAUTH_CLIENT_SECRET, LDAP_APP_PASSWORD) in clear
# text: keep it out of version control and readable only by the service user.
# Documentation: https://docs.openwebui.com/getting-started/env-configuration/

# =========================
# Open WebUI Base Settings
# =========================
# Ollama endpoint Open WebUI connects to.
OLLAMA_BASE_URL={{ OLLAMA_BASE_LOCAL_URL }}
# Both flags are rendered as 1/0 from the corresponding boolean variables.
OFFLINE_MODE={{ OPENWEBUI_OFFLINE_MODE | ternary(1, 0) }}
HF_HUB_OFFLINE={{ OPENWEBUI_HF_HUB_OFFLINE | ternary(1, 0) }}
# false: the values in this file are applied on every start instead of being read once
# and then managed from the admin UI (confirm against the docs linked above).
ENABLE_PERSISTENT_CONFIG=false

# =========================
# Bootstrap Admin Account
# =========================
# Use this to automatically assign the first admin in a fresh installation.
# The specified email will be promoted to ADMIN on first login.
# After initial setup you can remove this block and manage admins via the UI.
# NOTE(review): per the env-configuration docs linked above, ADMIN_EMAIL appears to be
# the contact address displayed by SHOW_ADMIN_DETAILS rather than a role assignment;
# confirm before relying on the promotion described above.
# NOTE(review): the value below is a literal string, unlike the templated {{ ... }}
# values elsewhere in this file — check whether it was meant to be rendered from a
# variable.
ADMIN_EMAIL=users.administrator.email
# If enabled, the pending-activation page will display the admin’s email address
# so new users know who to contact for access.
SHOW_ADMIN_DETAILS=true

# The OIDC section is only rendered when OPENWEBUI_OIDC_ENABLED is set.
{% if OPENWEBUI_OIDC_ENABLED %}
# =========================
# OIDC / OAuth2 Settings
# =========================
# Enable sign-up/login via OIDC provider.
# Any account the identity provider authenticates can register itself here.
ENABLE_OAUTH_SIGNUP=true
# Role given to newly registered accounts. `user` means they are active immediately;
# `pending` would hold new sign-ups until an admin approves them.
DEFAULT_USER_ROLE=user
# Client credentials (must match Keycloak client)
OAUTH_CLIENT_ID={{ OIDC.CLIENT.ID }}
# Secret — rendered in clear text into this file.
OAUTH_CLIENT_SECRET={{ OIDC.CLIENT.SECRET }}
# Well-known configuration URL from Keycloak
OPENID_PROVIDER_URL={{ OIDC.CLIENT.DISCOVERY_DOCUMENT }}
# Redirect URI (must match exactly what is configured in the Keycloak client;
# a mismatch is rejected by the provider)
OPENID_REDIRECT_URI={{ OPENWEBUI_OIDC_REDIRECT_URL }}
# Display name of the provider in the login button
OAUTH_PROVIDER_NAME={{ OIDC.BUTTON_TEXT }}
# Scopes to request (openid is required; email/profile recommended).
# If Keycloak only releases the role/group claim under an additional scope, add it here.
OAUTH_SCOPES=openid email profile

# =========================
# Optional: Role Management
# =========================
# Enable automatic role mapping from token claims.
# Roles are re-evaluated from the claim on every login, so admin rights follow
# group membership in the identity provider.
ENABLE_OAUTH_ROLE_MANAGEMENT=true
# Claim (in the token / userinfo) that carries the user's roles or groups.
OAUTH_ROLES_CLAIM={{ RBAC.GROUP.CLAIM }}
# Left commented out: the application default for allowed roles applies.
# OAUTH_ALLOWED_ROLES=user
# Members of this group are granted the admin role.
OAUTH_ADMIN_ROLES={{ OPENWEBUI_OIDC_ADMIN_GROUP }}

# =========================
# Optional: Group Management
# =========================
# All three keys are commented out, so group synchronisation stays disabled.
# ENABLE_OAUTH_GROUP_MANAGEMENT=true
# ENABLE_OAUTH_GROUP_CREATION=false
# OAUTH_GROUP_CLAIM={{ RBAC.GROUP.CLAIM }}
{% endif %}

# The LDAP section is only rendered when OPENWEBUI_LDAP_ENABLED is set.
{% if OPENWEBUI_LDAP_ENABLED %}
# =========================
# LDAP Authentication
# =========================
# Enable LDAP login in parallel to OIDC (both can coexist)
ENABLE_LDAP=true

# --- Server Settings ---
# Label shown in the UI (optional)
LDAP_SERVER_LABEL=OpenLDAP
# Hostname/IP and port from your global LDAP settings
LDAP_SERVER_HOST={{ LDAP.SERVER.DOMAIN }}
LDAP_SERVER_PORT={{ LDAP.SERVER.PORT }}
# TLS: set to true for StartTLS or LDAPS (maps from your SECURITY setting)
# SECURITY can be "", "TLS" or "SSL" in your mapping; treat TLS/SSL as true
LDAP_USE_TLS={{ ('true' if (LDAP.SERVER.SECURITY | upper) in ['TLS','SSL'] else 'false') }}
# Certificate validation is derived from the same SECURITY mapping as LDAP_USE_TLS,
# so it is on whenever TLS/SSL is on. This template does not produce the
# "false for self-signed/dev" case; disabling validation would let an attacker on the
# path intercept the bind password and user credentials, so prefer trusting the
# private CA (Open WebUI exposes LDAP_CA_CERT_FILE for that — check the docs).
LDAP_VALIDATE_CERT={{ ('true' if (LDAP.SERVER.SECURITY | upper) in ['TLS','SSL'] else 'false') }}

# --- Bind Credentials (app/service account) ---
# Use a read-only service account; the password is rendered in clear text here.
LDAP_APP_DN={{ LDAP.DN.ADMINISTRATOR.DATA }}
LDAP_APP_PASSWORD={{ LDAP.BIND_CREDENTIAL }}

# --- User Schema / Search ---
# Base DN for user search
LDAP_SEARCH_BASE={{ LDAP.DN.ROOT }}
# Attribute used as login name (uid / sAMAccountName / mail, etc.)
LDAP_ATTRIBUTE_FOR_USERNAME={{ LDAP.USER.ATTRIBUTES.ID }}
# Attribute for email address
LDAP_ATTRIBUTE_FOR_MAIL={{ LDAP.USER.ATTRIBUTES.MAIL }}
# Search filter with placeholder for username.
# NOTE(review): %(user)s is passed through unchanged by this template; confirm with the
# docs that Open WebUI substitutes it. If the filter is instead appended verbatim to
# the username match, the placeholder reaches the directory as a literal and the
# filter should be reduced to a plain restriction (e.g. an objectClass test).
LDAP_SEARCH_FILTER=({{ LDAP.USER.ATTRIBUTES.ID }}=%(user)s)
{% endif %}