version: 1
metadata:
  labels:
    blueprints.goauthentik.io/instantiate: "true"
  name: Alpina - Proxied Apps
entries:
  - identifiers:
      name: arrstack
    model: authentik_core.group
    id: arrstack
    attrs:
      arrstack_username: "arr"
      arrstack_password: "{{ arrstack_password }}"

  # TODO: Probably refactor this into a jinja macro
  {% set apps = {
    "uptime-kuma": {
      "host": "uptime",
      "name": "Uptime Kuma",
      "icon": "https://uptime."~ domain ~"/icon.svg",
      "unauthenticated_paths": "^/icon.svg$",
      "group": "Services",
      "create_admin_group": true,
    },
    "qbit": {
      "host": "qbit",
      "name": "qBit",
      "icon": "https://qbit."~ domain ~"/images/qbittorrent-tray.svg",
      "unauthenticated_paths": "^/images/qbittorrent-tray.svg$",
      "group": "Arrstack",
      "create_admin_group": false,
    },
    "prowlarr": {
      "host": "prowlarr",
      "name": "Prowlarr",
      "icon": "https://prowlarr."~ domain ~"/Content/Images/logo.svg",
      "unauthenticated_paths": "^/Content/Images/logo.svg$",
      "group": "Arrstack",
      "create_admin_group": false,
    },
    "sonarr": {
      "host": "sonarr",
      "name": "Sonarr",
      "icon": "https://sonarr."~ domain ~"/Content/Images/logo.svg",
      "unauthenticated_paths": "^/Content/Images/logo.svg$",
      "group": "Arrstack",
      "create_admin_group": false,
    },
    "radarr": {
      "host": "radarr",
      "name": "Radarr",
      "icon": "https://radarr."~ domain ~"/Content/Images/logo.svg",
      "unauthenticated_paths": "^/Content/Images/logo.svg$",
      "group": "Arrstack",
      "create_admin_group": false,
    },
  } -%}

  {% for app in apps.keys() -%}
  - identifiers:
      name: {{ apps[app]["name"] }}
    model: authentik_providers_proxy.proxyprovider
    id: {{ app }}
    attrs:
      authorization_flow: !Find [authentik_flows.flow, [ slug, default-provider-authorization-implicit-consent ] ]
      mode: forward_single
      external_host: "https://{{ apps[app]["host"] }}.{{ domain }}/"
      skip_path_regex: "{{ apps[app]["unauthenticated_paths"] }}"

  - identifiers:
      slug: {{ app }}
    model: authentik_core.application
    attrs:
      name: {{ apps[app]["name"] }}
      group: {{ apps[app]["group"] }}
      meta_description: "Hello, I'm {{ apps[app]["name"] }}!"
      meta_publisher: Alpina
      icon: "{{ apps[app]["icon"] }}"
      open_in_new_tab: true
      provider: !KeyOf {{ app }}

  {% if apps[app]["create_admin_group"] -%}
  - identifiers:
      name: "{{ apps[app]["name"] }} Admins"
    model: authentik_core.group
    id: "{{ app }} Admins"

  - identifiers:
      group: !KeyOf "{{ app }} Admins"
      target: !Find [authentik_core.application, [ slug, {{ app }}] ]
    model: authentik_policies.policybinding
    attrs:
      order: 0
  {% endif %}

  {% if apps[app]["group"] == "Arrstack" -%}
  - identifiers:
      group: !KeyOf arrstack
      target: !Find [authentik_core.application, [slug, {{ app }}]]
    model: authentik_policies.policybinding
    attrs:
      order: 0
  {% endif %}

  {% endfor %}

  - identifiers:
      managed: goauthentik.io/outposts/embedded
      name: authentik Embedded Outpost
    model: authentik_outposts.outpost
    attrs:
      providers:
      {% for app in apps.keys() -%}
        - !KeyOf {{ app }}
      {% endfor %}