---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1.json
# Renders the Secret `authelia-secret` from fields pulled through the
# ClusterSecretStore `onepassword-connect` (items: authelia, lldap, generic).
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: authelia
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: authelia-secret
    template:
      engineVersion: v2
      data:
        # App
        # NOTE(review): `.password` is the only un-namespaced field used here;
        # presumably it comes from the `lldap` item. All three extracts feed
        # one template context, so confirm no other item also defines
        # `password` and shadows it.
        AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD: "{{ .password }}"
        AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET: "{{ .AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET }}"
        # Filled from the store field AUTHELIA_JWT_SECRET (field name differs
        # from the key).
        AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET: "{{ .AUTHELIA_JWT_SECRET }}"
        AUTHELIA_SESSION_SECRET: "{{ .AUTHELIA_SESSION_SECRET }}"
        AUTHELIA_STORAGE_ENCRYPTION_KEY: "{{ .AUTHELIA_STORAGE_ENCRYPTION_KEY }}"
        # Disabled TLS overrides. `*dbHost` is a YAML alias and no `&dbHost`
        # anchor is visible in this manifest, so the first line cannot be
        # re-enabled as written.
        # AUTHELIA_STORAGE_POSTGRES_TLS_SERVER_NAME: *dbHost
        # AUTHELIA_STORAGE_POSTGRES_TLS_SKIP_VERIFY: "false"
        OIDC_JWKS_KEY: "{{ .OIDC_JWKS_KEY }}"
        # Per-client OIDC credentials: one *_CLIENT_SECRET / *_DIGEST pair
        # per relying party.
        # NOTE(review): presumably *_DIGEST is the hashed form of the matching
        # *_CLIENT_SECRET. If the Authelia configuration only consumes the
        # digests, the plaintext client secrets could be left out of this
        # Secret to narrow what a reader of `authelia-secret` obtains —
        # verify against the Authelia config before removing anything.
        FRESHRSS_OAUTH_CLIENT_SECRET: "{{ .FRESHRSS_OAUTH_CLIENT_SECRET }}"
        FRESHRSS_OAUTH_DIGEST: "{{ .FRESHRSS_OAUTH_DIGEST }}"
        GRAFANA_OAUTH_CLIENT_SECRET: "{{ .GRAFANA_OAUTH_CLIENT_SECRET }}"
        GRAFANA_OAUTH_DIGEST: "{{ .GRAFANA_OAUTH_DIGEST }}"
        OUTLINE_OAUTH_CLIENT_SECRET: "{{ .OUTLINE_OAUTH_CLIENT_SECRET }}"
        OUTLINE_OAUTH_DIGEST: "{{ .OUTLINE_OAUTH_DIGEST }}"
        JELLYFIN_OAUTH_CLIENT_SECRET: "{{ .JELLYFIN_OAUTH_CLIENT_SECRET }}"
        JELLYFIN_OAUTH_DIGEST: "{{ .JELLYFIN_OAUTH_DIGEST }}"
        PGADMIN_OAUTH_CLIENT_SECRET: "{{ .PGADMIN_OAUTH_CLIENT_SECRET }}"
        PGADMIN_OAUTH_DIGEST: "{{ .PGADMIN_OAUTH_DIGEST }}"
        # NOTE(review): the PAPERLESS_* and KOMGA_* keys below are rendered
        # from the OUTLINE_* fields, so three OIDC clients share one client
        # secret and digest. Every other client maps to its own field.
        # Confirm this is intentional; with a shared credential, a leak from
        # any one of the three applications exposes the other two clients.
        PAPERLESS_OAUTH_CLIENT_SECRET: "{{ .OUTLINE_OAUTH_CLIENT_SECRET }}"
        PAPERLESS_OAUTH_DIGEST: "{{ .OUTLINE_OAUTH_DIGEST }}"
        KOMGA_OAUTH_CLIENT_SECRET: "{{ .OUTLINE_OAUTH_CLIENT_SECRET }}"
        KOMGA_OAUTH_DIGEST: "{{ .OUTLINE_OAUTH_DIGEST }}"
        WINDMILL_OAUTH_CLIENT_SECRET: "{{ .WINDMILL_OAUTH_CLIENT_SECRET }}"
        WINDMILL_OAUTH_DIGEST: "{{ .WINDMILL_OAUTH_DIGEST }}"
        SECRET_PUBLIC_DOMAIN: "{{ .SECRET_PUBLIC_DOMAIN }}"
  # Every field of these three store items is extracted and made available to
  # the template above.
  # NOTE(review): on a field-name collision the later entry presumably wins;
  # confirm the merge order if items share field names.
  dataFrom:
    - extract:
        key: authelia
    - extract:
        key: lldap
    - extract:
        key: generic
---
# Renders the Secret `authelia-db-secret` (Postgres connection settings) from
# the item `postgres-pguser-authelia` in the ClusterSecretStore
# `crunchy-pgo-secrets`.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: authelia-db
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: crunchy-pgo-secrets
  target:
    name: authelia-db-secret
    template:
      engineVersion: v2
      data:
        # Fields are looked up with `index . "<name>"` rather than dot access.
        AUTHELIA_STORAGE_POSTGRES_DATABASE: '{{ index . "dbname" }}'
        # Address is assembled as tcp://<host>:<port> from two separate fields.
        # NOTE(review): no TLS setting is rendered into this Secret; confirm
        # where transport security for the database connection is configured.
        AUTHELIA_STORAGE_POSTGRES_ADDRESS: 'tcp://{{ index . "host" }}:{{ index . "port" }}'
        AUTHELIA_STORAGE_POSTGRES_USERNAME: '{{ index . "user" }}'
        AUTHELIA_STORAGE_POSTGRES_PASSWORD: '{{ index . "password" }}'
  dataFrom:
    - extract:
        key: postgres-pguser-authelia