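# Simple Authentik Bootstrap Configuration
# This file configures the basic Authentik setup for AI Tax Agent
#
# Layout: one admin user, four groups, two confidential OIDC providers
# (API services and Grafana) and the two applications that expose them.
#
# Review summary (details next to the entries concerned):
#   - both client secrets fall back to fixed strings written in this file
#   - the admin user is created without a password or group membership
#   - neither application has a policy binding, so the groups defined
#     here do not restrict who may sign in to them
version: 1

metadata:
  name: AI Tax Agent Simple Bootstrap

entries:
  # Create admin user
  # NOTE(review): no password and no group membership is set here, so the
  # account's credentials have to be established outside this blueprint.
  # authentik normally derives superuser status from membership in a group
  # with is_superuser: true; confirm that is_staff/is_superuser below take
  # effect, or add the user to "Administrators" explicitly.
  - model: authentik_core.user
    identifiers:
      username: admin
    attrs:
      name: "System Administrator"
      email: admin@local.lan
      is_active: true
      is_staff: true
      is_superuser: true

  # Create user groups
  # "Administrators" is the only group flagged is_superuser; membership in it
  # should be kept small and reviewed. The other three groups carry no
  # privileges by themselves and are not referenced again in this file.
  - model: authentik_core.group
    identifiers:
      name: "Administrators"
    attrs:
      is_superuser: true

  - model: authentik_core.group
    identifiers:
      name: "Tax Reviewers"
    attrs:
      is_superuser: false

  - model: authentik_core.group
    identifiers:
      name: "Accountants"
    attrs:
      is_superuser: false

  - model: authentik_core.group
    identifiers:
      name: "Clients"
    attrs:
      is_superuser: false

  # Create OIDC Provider for API services
  - model: authentik_providers_oauth2.oauth2provider
    identifiers:
      name: "AI Tax Agent API"
    attrs:
      client_id: "ai-tax-agent-api"
      # SECURITY: the second list element is the fallback used when the
      # environment variable is unset. It is a fixed string readable by anyone
      # with access to this file, so a deployment that forgets to set
      # AUTHENTIK_API_CLIENT_SECRET runs a confidential client with a known
      # secret. Set the variable in every environment; consider dropping the
      # fallback so a missing secret fails the blueprint instead.
      client_secret: !Env [AUTHENTIK_API_CLIENT_SECRET, "changeme-api-secret"]
      # NOTE(review): verify the provider model accepts this attribute; if it
      # is ignored, it does not restrict which grant types the client may use.
      authorization_grant_type: "authorization-code"
      client_type: "confidential"
      # Two exact callback URLs in one newline-separated string. Keep these
      # exact (no wildcards or patterns) so authorization codes are only ever
      # delivered to these endpoints.
      # NOTE(review): newer authentik releases expect a list of
      # {matching_mode, url} entries here - confirm against the deployed
      # version.
      redirect_uris: "https://api.local/auth/callback\nhttps://review.local/auth/callback"
      sub_mode: "hashed_user_id"
      include_claims_in_id_token: true
      issuer_mode: "per_provider"
      # Both flows are looked up by slug and are not created in this file, so
      # they must already exist when the blueprint is applied.
      authorization_flow: !Find [authentik_flows.flow, [slug, "default-authentication-flow"]]
      invalidation_flow: !Find [authentik_flows.flow, [slug, "default-invalidation-flow"]]

  # Create OIDC Provider for Grafana
  - model: authentik_providers_oauth2.oauth2provider
    identifiers:
      name: "Grafana"
    attrs:
      client_id: "grafana"
      # SECURITY: same fallback problem as the API provider - without
      # AUTHENTIK_GRAFANA_CLIENT_SECRET set, the client secret is the fixed
      # string below.
      client_secret: !Env [AUTHENTIK_GRAFANA_CLIENT_SECRET, "changeme-grafana-secret"]
      authorization_grant_type: "authorization-code"
      client_type: "confidential"
      redirect_uris: "https://grafana.local/login/generic_oauth"
      sub_mode: "hashed_user_id"
      include_claims_in_id_token: true
      issuer_mode: "per_provider"
      authorization_flow: !Find [authentik_flows.flow, [slug, "default-authentication-flow"]]
      invalidation_flow: !Find [authentik_flows.flow, [slug, "default-invalidation-flow"]]

  # Create Applications
  # SECURITY: no policy bindings are defined for either application.
  # policy_engine_mode only decides how bound policies are combined; with
  # nothing bound, authentik allows every authenticated user to open the
  # application. That includes members of "Clients" reaching Grafana.
  # Add authentik_policies.policybinding entries that tie each application
  # to the groups that should have access.
  - model: authentik_core.application
    identifiers:
      name: "AI Tax Agent API"
      slug: "ai-tax-agent-api"
    attrs:
      provider: !Find [authentik_providers_oauth2.oauth2provider, [name, "AI Tax Agent API"]]
      meta_launch_url: "https://api.local"
      meta_description: "AI Tax Agent API Services"
      meta_publisher: "AI Tax Agent"
      policy_engine_mode: "any"

  - model: authentik_core.application
    identifiers:
      name: "Grafana"
      slug: "grafana"
    attrs:
      provider: !Find [authentik_providers_oauth2.oauth2provider, [name, "Grafana"]]
      meta_launch_url: "https://grafana.local"
      meta_description: "Monitoring and Observability Dashboard"
      meta_publisher: "AI Tax Agent"
      policy_engine_mode: "any"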