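---
# Penpot version to deploy
penpot_version: "1.19.0"

# Should Ansible manage upgrades? If false, only the initial install is done
penpot_manage_upgrade: true

# Where penpot will be installed
penpot_root_dir: /opt/penpot

# URL of the release archive
penpot_archive_url: "https://github.com/penpot/penpot/archive/refs/tags/{{ penpot_version }}.tar.gz"
# Expected sha256 of that archive. Update it together with penpot_version so
# the downloaded archive can be verified against a known value
penpot_archive_sha256: "3677ea3ea4073e0ca6e99090f660400b005b0308bd840d4965b045d76a6a71da"

# User under which penpot will run. It will be created
penpot_user: penpot

# Public URL where penpot will be available to users
penpot_public_url: "https://{{ inventory_hostname }}"

# Ports used by penpot components.
# Those ports bind on localhost only; penpot is exposed through an nginx
# instance. To restrict access to penpot at the firewall level, set nginx_src_ip
penpot_ports:
  backend: 6060
  exporter: 6061
  srepl: 6062

# Postgres database settings
penpot_db_server: "{{ pg_server | default('localhost') }}"
penpot_db_port: 5432
penpot_db_name: penpot
penpot_db_user: penpot
# If the password is not defined, a random one will be created and stored in
# {{ penpot_root_dir }}/meta/ansible_dbpass
# penpot_db_pass: S3cr3t.

# Penpot uses a redis server to handle notifications
# Note: redis will be installed if this URL points to localhost
penpot_redis_url: redis://localhost/0

# Allow user registration?
# Note that OIDC auth requires registration to be enabled
penpot_allow_user_registration: "{{ penpot_oidc_auth | ternary(True, False) }}"
# You can restrict registrations to some domains
penpot_user_registration_allowed_domains:
  - "{{ ansible_domain }}"

# OIDC auth
penpot_oidc_auth: false
penpot_oidc_base_url: "https://sso.{{ ansible_domain }}/oauth2"
penpot_oidc_auth_url: "{{ penpot_oidc_base_url }}/authorize"
penpot_oidc_user_url: "{{ penpot_oidc_base_url }}/userinfo"
penpot_oidc_token_url: "{{ penpot_oidc_base_url }}/token"
penpot_oidc_client_id: penpot
# The OIDC client secret must be set when penpot_oidc_auth is true
# (keep it in Ansible Vault rather than in a plain-text vars file)
# penpot_oidc_client_secret: S3cr3t.
penpot_oidc_scopes: openid email profile

# LDAP auth
# Enabled when either the generic ldap_auth or the ad_auth switch is set
penpot_ldap_auth: "{{ (ldap_auth | default(False) or ad_auth | default(False)) | ternary(True, False) }}"
# Server and port are derived from ldap_uri (default: ldap://ldap.<domain>)
penpot_ldap_server: "{{ ldap_uri | default('ldap://ldap.' ~ ansible_domain) | urlsplit('hostname') }}"
# Port from ldap_uri when it carries one, 389 otherwise. urlsplit('port') yields
# None/empty for a URI without an explicit port, which default(389, true) covers
penpot_ldap_port: "{{ ldap_uri | default('ldap://ldap.' ~ ansible_domain) | urlsplit('port') | default(389, true) }}"
# LDAPS on 636, StartTLS on any other port. Templated values are strings, so
# compare as int
penpot_ldap_ssl: "{{ (penpot_ldap_port | int == 636) | ternary(True, False) }}"
penpot_ldap_tls: "{{ penpot_ldap_ssl | ternary(False, True) }}"
# Search base: explicit ad_ldap_user_search_base / ldap_user_base if defined,
# otherwise built from the AD realm (AD) or the DNS domain (plain LDAP)
penpot_ldap_base_dn: "{{ (ad_ldap_user_search_base is defined) | ternary(ad_ldap_user_search_base,(ldap_user_base is defined) | ternary(ldap_user_base,(ad_auth | default(False) | ternary('DC=' + ad_realm | default(samba_realm) | default(ansible_domain) | regex_replace('\\.',',DC='), 'dc=' ~ ansible_domain | regex_replace('\\.',',dc='))))) }}"
# AD: match on sAMAccountName, person objects only, and exclude accounts that
# have the disabled flag set (userAccountControl bit 2). Plain LDAP: match on uid
penpot_ldap_search_filter: "{{ ad_auth | default(False) | ternary('(&(sAMAccountName=:username)(objectClass=user)(objectCategory=person)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))', '(&(uid=:username)(objectClass=inetOrgPerson))') }}"
# If auth is needed, set penpot_ldap_bind_dn and penpot_ldap_bind_pass
# (keep the password in Ansible Vault)
# penpot_ldap_bind_dn: CN=Penpot, OU=Apps, DC=example, DC=org
# penpot_ldap_bind_pass: S3cr3t.
penpot_ldap_attr_username: "{{ ad_auth | default(False) | ternary('userPrincipalName', 'uid') }}"
penpot_ldap_attr_email: mail
penpot_ldap_attr_fullname: cn

# Email settings
penpot_email_from: "no-reply@{{ ansible_domain }}"
penpot_smtp_server: localhost
penpot_smtp_port: 25
# STARTTLS on the submission port (587), implicit TLS on 465. Compare as int so
# an override passed as a string still works
penpot_smtp_tls: "{{ (penpot_smtp_port | int == 587) | ternary(True, False) }}"
penpot_smtp_ssl: "{{ (penpot_smtp_port | int == 465) | ternary(True, False) }}"
# You can set user and password if needed
# penpot_smtp_user: penpot@example.org
# penpot_smtp_pass: S3cr3t.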