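---
# ORY Hydra configuration, rendered by Ansible from this Jinja2 template.
# The rendered file holds the database password and the system secret in
# clear text: deploy it readable only by the account Hydra runs as, and keep
# the source variables in an encrypted store such as Ansible Vault.
# NOTE(review): the nesting below was rebuilt from a copy of this file whose
# line breaks were lost. It follows Hydra's documented key layout (tls
# directly under serve) - confirm against the deployed file.
serve:
  # Administrative API. Hydra does not authenticate callers of this API
  # itself, so the bind address falls back to loopback when none is set.
  # A non-loopback override needs its own access control in front of it.
  admin:
    host: '{{ oidc_urls.hydra_admin.address | default("localhost") }}'
    # Ports stay unquoted so that they render as integers.
    port: {{ oidc_urls.hydra_admin.port | default("4445") }}
  # Public OAuth2 / OpenID Connect endpoints. These bind to the host's
  # default IPv4 address unless an address is configured.
  public:
    host: '{{ oidc_urls.hydra_public.address | default(ansible_default_ipv4.address) }}'
    port: {{ oidc_urls.hydra_public.port | default("4444") }}
  # Certificate and private key for the listeners. The key file needs the
  # same restrictive permissions as this configuration file.
  tls:
    cert:
      path: '{{ hydra_tls.cert }}'
    key:
      path: '{{ hydra_tls.key }}'

# Database connection URL; it embeds the database credentials.
# NOTE(review): user and password are interpolated without percent-encoding,
# so a value containing URL-reserved characters (@ : / ? #) or a single quote
# yields a broken or mis-parsed DSN. Either restrict those values to
# unreserved characters, or pipe them through the urlencode filter (which
# leaves "/" unescaped) once it is confirmed that the inventory does not
# already store them pre-encoded.
# NOTE(review): no sslmode parameter is set, so transport security to the
# database depends on the driver default - confirm when hydra_db_host is not
# local.
dsn: 'postgres://{{ hydra_db_user }}:{{ hydra_db_password }}@{{ hydra_db_host }}:{{ hydra_db_port }}/{{ hydra_db_name }}'

# Values advertised in the OpenID Connect discovery document.
webfinger:
  oidc_discovery:
    supported_claims:
      - email
      - email_verified
      - given_name
      - family_name
      - middle_name
      - name
      - birthdate
      - zoneinfo
      - locale
      # Custom, URL-namespaced claim listed next to the standard ones.
      - https://auth.cacert.org/groups
    supported_scope:
      - profile
      - email

oauth2:
  # Keep internal error detail out of responses sent to OAuth2 clients.
  expose_internal_errors: false

urls:
  # Identity provider pages that Hydra redirects the browser to. All of
  # them are HTTPS URLs on the same host and port.
  login: 'https://{{ oidc_urls.idp.host }}:{{ oidc_urls.idp.port }}/login'
  consent: 'https://{{ oidc_urls.idp.host }}:{{ oidc_urls.idp.port }}/consent'
  logout: 'https://{{ oidc_urls.idp.host }}:{{ oidc_urls.idp.port }}/logout'
  error: 'https://{{ oidc_urls.idp.host }}:{{ oidc_urls.idp.port }}/error'
  post_logout_redirect: 'https://{{ oidc_urls.idp.host }}:{{ oidc_urls.idp.port }}/logout-successful'
  # Hydra's own externally visible URLs. Relying parties compare the issuer
  # with the iss claim of the tokens they receive, so it has to match the
  # URL clients actually use. The port falls back to 4444 exactly as
  # serve.public.port does, so the listener and the advertised issuer stay
  # in step when oidc_urls.hydra_public.port is unset.
  self:
    public: 'https://{{ oidc_urls.hydra_public.host }}:{{ oidc_urls.hydra_public.port | default("4444") }}/'
    issuer: 'https://{{ oidc_urls.hydra_public.host }}:{{ oidc_urls.hydra_public.port | default("4444") }}/'

secrets:
  # Hydra uses the system secret to protect sensitive data it stores, so
  # treat it like a key: generate it randomly and never commit it in clear.
  # NOTE(review): Hydra is understood to require at least 16 characters
  # here - confirm. A value containing a double quote or a backslash would
  # break the quoting below.
  system:
    - "{{ hydra_system_secret }}"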