version: 1
metadata:
  name: domain-wide-proxy-setup
entries:
  # 1. The Provider
  - model: authentik_providers_proxy.proxyprovider
    identifiers:
      name: Domain Wide Proxy
    attrs:
      authorization_flow:
        !Find [
          authentik_flows.flow,
          [slug, default-provider-authorization-implicit-consent],
        ]
      invalidation_flow:
        !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]

      external_host: https://@AUTHENTIK_DOMAIN@
      cookie_domain: "@COOKIE_DOMAIN@"

      mode: forward_domain
      intercept_header_auth: true

  # 2. The Application (Required to link the provider)
  - model: authentik_core.application
    identifiers:
      slug: authentik-proxy
    attrs:
      name: "Domain Auth Provider"
      provider:
        !Find [
          authentik_providers_proxy.proxyprovider,
          [name, Domain Wide Proxy],
        ]

  # 3. Add to Outpost
  - model: authentik_outposts.outpost
    identifiers:
      name: authentik Embedded Outpost
    attrs:
      providers:
        - !Find [
            authentik_providers_proxy.proxyprovider,
            [name, Domain Wide Proxy],
          ]