---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: authelia
  namespace: default
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: authelia-secret
    template:
      engineVersion: v2
      data:
        # App
        AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD: "{{ .password }}"
        AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET: "{{ .AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET }}"
        AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET: "{{ .AUTHELIA_JWT_SECRET }}"
        AUTHELIA_SESSION_SECRET: "{{ .AUTHELIA_SESSION_SECRET }}"
        AUTHELIA_STORAGE_ENCRYPTION_KEY: "{{ .AUTHELIA_STORAGE_ENCRYPTION_KEY }}"
        AUTHELIA_STORAGE_POSTGRES_ADDRESS: &dbHost postgres16-rw.database.svc.cluster.local
        AUTHELIA_STORAGE_POSTGRES_DATABASE: &dbName authelia
        AUTHELIA_STORAGE_POSTGRES_USERNAME: &dbUser "{{ .AUTHELIA_STORAGE_POSTGRES_USERNAME }}"
        AUTHELIA_STORAGE_POSTGRES_PASSWORD: &dbPass "{{ .AUTHELIA_STORAGE_POSTGRES_PASSWORD }}"
        # AUTHELIA_STORAGE_POSTGRES_TLS_SERVER_NAME: *dbHost
        # AUTHELIA_STORAGE_POSTGRES_TLS_SKIP_VERIFY: "false"
        AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY: "{{ .OIDC_JWKS_KEY }}"
        OIDC_JWKS_KEY: "{{ .OIDC_JWKS_KEY }}"
        OIDC_JWKS_CERT: "{{ .OIDC_JWKS_CERT }}"
        FRESHRSS_OAUTH_CLIENT_SECRET: "{{ .FRESHRSS_OAUTH_CLIENT_SECRET }}"
        FRESHRSS_OAUTH_DIGEST: "{{ .FRESHRSS_OAUTH_DIGEST }}"
        GRAFANA_OAUTH_CLIENT_SECRET: "{{ .GRAFANA_OAUTH_CLIENT_SECRET }}"
        GRAFANA_OAUTH_DIGEST: "{{ .GRAFANA_OAUTH_DIGEST }}"
        OUTLINE_OAUTH_CLIENT_SECRET: "{{ .OUTLINE_OAUTH_CLIENT_SECRET }}"
        OUTLINE_OAUTH_DIGEST: "{{ .OUTLINE_OAUTH_DIGEST }}"
        JELLYFIN_OAUTH_CLIENT_SECRET: "{{ .JELLYFIN_OAUTH_CLIENT_SECRET }}"
        JELLYFIN_OAUTH_DIGEST: "{{ .JELLYFIN_OAUTH_DIGEST }}"
        PGADMIN_OAUTH_CLIENT_SECRET: "{{ .PGADMIN_OAUTH_CLIENT_SECRET }}"
        PGADMIN_OAUTH_DIGEST: "{{ .PGADMIN_OAUTH_DIGEST }}"
        PAPERLESS_OAUTH_CLIENT_SECRET: "{{ .OUTLINE_OAUTH_CLIENT_SECRET }}"
        PAPERLESS_OAUTH_DIGEST: "{{ .OUTLINE_OAUTH_DIGEST }}"
        KOMGA_OAUTH_CLIENT_SECRET: "{{ .OUTLINE_OAUTH_CLIENT_SECRET }}"
        KOMGA_OAUTH_DIGEST: "{{ .OUTLINE_OAUTH_DIGEST }}"
        WINDMILL_OAUTH_CLIENT_SECRET: "{{ .WINDMILL_OAUTH_CLIENT_SECRET }}"
        WINDMILL_OAUTH_DIGEST: "{{ .WINDMILL_OAUTH_DIGEST }}"
        SECRET_PUBLIC_DOMAIN: "{{ .SECRET_PUBLIC_DOMAIN }}"
        # Postgres Init
        INIT_POSTGRES_DBNAME: *dbName
        INIT_POSTGRES_HOST: *dbHost
        INIT_POSTGRES_USER: *dbUser
        INIT_POSTGRES_PASS: *dbPass
        INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
  dataFrom:
    - extract:
        key: authelia
    - extract:
        key: cloudnative-pg
    - extract:
        key: lldap
    - extract:
        key: generic