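---
# authentik blueprint: provisions an LDAP provider, the service account that
# binds to it, a static API token, the LDAP outpost, and the RBAC role/group
# that grants the service account directory search rights.
#
# The original text had all line breaks collapsed onto one line, which does not
# parse as YAML. The block structure below is restored; keys, values and tags
# are unchanged.
version: 1
metadata:
  name: Pre-configured LDAP Outpost
entries:
  # LDAP provider. search_group is explicitly null; search access is granted
  # through the RBAC role defined further down instead.
  - model: authentik_providers_ldap.ldapprovider
    identifiers:
      name: ldap-provider
    attrs:
      # Looks like a build-time substitution placeholder. Confirm it is
      # replaced before the blueprint is applied, otherwise the literal
      # string becomes the base DN.
      base_dn: "@AUTHENTIK_LDAP_DC_DOMAIN@"
      search_group: null
      authorization_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
      invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]

  # Service account used by LDAP clients to bind.
  - model: authentik_core.user
    state: present
    identifiers:
      username: "ldap-service"
    attrs:
      name: "LDAP Bind Service Account"
      type: "service_account"
      path: "goauthentik.io"
      is_active: true
      # Secret comes from the environment, not from this file.
      # NOTE(review): confirm what !Env yields when DEFAULT_LDAP_PASSWORD is
      # unset, and fail the deployment rather than create the account with
      # an empty or null password.
      password: !Env DEFAULT_LDAP_PASSWORD
      attributes:
        # Custom attribute; its effect is not visible in this file.
        ak_recovery_immutable: true

  # Static API token owned by the service account and referenced by the
  # outpost below.
  # NOTE(review): no expiring/expires is set, so the model defaults apply.
  # Confirm the intended lifetime and rotation for this pre-shared key, and
  # that AUTHENTIK_TOKEN is a high-entropy value distinct from
  # DEFAULT_LDAP_PASSWORD.
  - model: authentik_core.token
    identifiers:
      identifier: ldap-outpost-static-token
    attrs:
      intent: api
      key: !Env AUTHENTIK_TOKEN
      user: !Find [authentik_core.user, [username, "ldap-service"]]

  # LDAP outpost serving the provider above.
  - model: authentik_outposts.outpost
    identifiers:
      name: LDAP Outpost
    attrs:
      type: ldap
      providers:
        - !Find [authentik_providers_ldap.ldapprovider, [name, ldap-provider]]
      # NOTE(review): verify the deployed authentik version honours a
      # `token` attribute on the outpost model.
      token: !Find [authentik_core.token, [identifier, ldap-outpost-static-token]]
      config:
        log_level: info
        # Environment-specific URL; adjust per deployment.
        authentik_host: https://sso.test.helcel.net/
        refresh_interval: minutes=5
        # Keep false so the outpost verifies the TLS certificate of
        # authentik_host.
        authentik_host_insecure: false

  # Role carrying the permission to search the full directory. Any member
  # can enumerate every user and group exposed by the provider, so keep
  # membership limited to the bind account.
  - model: authentik_rbac.role
    state: present
    identifiers:
      name: "LDAP Search Role"
    attrs:
      permissions:
        - "authentik_providers_ldap.search_full_directory"

  # Group that ties the service account to the search role.
  - model: authentik_core.group
    state: present
    identifiers:
      name: "LDAP Search Group"
    attrs:
      users:
        - !Find [authentik_core.user, [username, "ldap-service"]]
      roles:
        - !Find [authentik_rbac.role, [name, "LDAP Search Role"]]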