# GitLab Configuration
external_url '{{ external_url }}'

# GitLab Shell SSH settings
gitlab_rails['gitlab_shell_ssh_port'] = {{ ssh_port }}

# Internal web service settings
{% if traefik_enabled %}
# Traefik handles TLS/SSL certificates
letsencrypt['enable'] = false
nginx['listen_port']  = 80
nginx['listen_https'] = false
{% else %}
# Let's Encrypt certificate management (when not using Traefik)
letsencrypt['enable'] = true
letsencrypt['contact_emails'] = ['{{ email_from|default("admin@example.com") }}']
nginx['redirect_http_to_https'] = true
{% endif %}

{% if registry_enabled %}
# Container Registry settings
registry_external_url '{{ registry_external_url }}'
gitlab_rails['registry_enabled']  = true
registry_nginx['listen_https']    = false
registry_nginx['listen_port']     = {{ registry_port }}
{% endif %}

{% if authentik_enabled %}
# Authentik SSO settings
gitlab_rails['omniauth_auto_link_user'] = ['openid_connect']
gitlab_rails['omniauth_providers'] = [
  {
    name: "openid_connect",
    label: "Authentik",
    icon: "https://avatars.githubusercontent.com/u/82976448?s=200&v=4",
    args: {
      name: "openid_connect",
      scope: ["openid","profile","email"],
      response_type: "code",
      issuer: "{{ authentik_url }}/application/o/{{ authentik_slug }}/",
      discovery: true,
      client_auth_method: "query",
      uid_field: "email",
      send_scope_to_token_endpoint: "false",
      pkce: true,
      client_options: {
        identifier: "{{ authentik_client_id }}",
        secret: "{{ authentik_client_secret }}",
        redirect_uri: "{{ external_url }}/users/auth/openid_connect/callback"
      }
    }
  }
]
{% endif %}

{% if email_enabled %}
# SMTP settings
gitlab_rails['smtp_enable']           = true
gitlab_rails['smtp_address']          = "{{ email_host }}"
gitlab_rails['smtp_port']             = {{ email_port }}
gitlab_rails['smtp_user_name']        = "{{ email_username }}"
gitlab_rails['smtp_password']         = "{{ email_password }}"
gitlab_rails['smtp_authentication']   = "login"
{% if email_use_ssl %}
gitlab_rails['smtp_ssl']              = true
gitlab_rails['smtp_force_ssl']        = true
{% elif email_use_tls %}
gitlab_rails['smtp_tls']              = true
{% endif %}
gitlab_rails['gitlab_email_from']     = '{{ email_from }}'
gitlab_rails['gitlab_email_reply_to'] = '{{ email_from }}'
{% endif %}