computer-playbook/roles/web-app-openwebui/templates/env.j2

# Documentation: https://docs.openwebui.com/getting-started/env-configuration/

# =========================
# Open WebUI Base Settings
# =========================
OLLAMA_BASE_URL={{ OLLAMA_BASE_LOCAL_URL }}
OFFLINE_MODE={{ OPENWEBUI_OFFLINE_MODE | ternary(1, 0) }}
HF_HUB_OFFLINE={{ OPENWEBUI_HF_HUB_OFFLINE | ternary(1, 0) }}
ENABLE_PERSISTENT_CONFIG=false

{% if OPENWEBUI_OIDC_ENABLED %}
# =========================
# OIDC / OAuth2 Settings
# =========================
# Enable sign-up/login via OIDC provider
ENABLE_OAUTH_SIGNUP=true

# Client credentials (must match Keycloak client)
OAUTH_CLIENT_ID={{ OIDC.CLIENT.ID }}
OAUTH_CLIENT_SECRET={{ OIDC.CLIENT.SECRET }}

# Well-known configuration URL from Keycloak
OPENID_PROVIDER_URL={{ OIDC.CLIENT.DISCOVERY_DOCUMENT }}

# Redirect URI (must match what is configured in Keycloak client)
OPENID_REDIRECT_URI={{ (domains | get_url(application_id, WEB_PROTOCOL)) ~ '/oauth/oidc/callback' }}

# Display name of the provider in the login button
OAUTH_PROVIDER_NAME={{ OIDC.BUTTON_TEXT }}

# Scopes to request (openid is required; email/profile recommended)
OAUTH_SCOPES=openid email profile

# =========================
# Optional: Role Management
# =========================
# Enable automatic role mapping from token claims
# ENABLE_OAUTH_ROLE_MANAGEMENT=true
# OAUTH_ROLES_CLAIM=roles
# OAUTH_ALLOWED_ROLES=user
# OAUTH_ADMIN_ROLES=admin

# =========================
# Optional: Group Management
# =========================
# ENABLE_OAUTH_GROUP_MANAGEMENT=true
# ENABLE_OAUTH_GROUP_CREATION=false
# OAUTH_GROUP_CLAIM={{ RBAC.GROUP.CLAIM }}
{% endif %}