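---
# ─── Secret ───────────────────────────────────────────────────────
# Carries two values whose key names match the environment variables read by
# the GitLab Omnibus container image (how the workload mounts them is not
# visible in this file):
#   GITLAB_ROOT_PASSWORD   password for the GitLab `root` account
#   GITLAB_OMNIBUS_CONFIG  gitlab.rb settings, including the OIDC client
#                          credentials for Authentik
#
# NOTE(review): the root password and the OIDC client secret are written
# here in plaintext. Anyone with read access to this file or its history has
# them, so treat both as exposed: rotate the root password in GitLab and
# regenerate the client secret in Authentik, then supply the new values
# out-of-band (for example Sealed Secrets, External Secrets Operator or
# SOPS) instead of committing them.
# NOTE(review): a Secret is only base64-encoded in the API server; it is
# encrypted in etcd only if encryption at rest is configured, and any
# principal with `get` on secrets in the `gitlab` namespace can read it.
apiVersion: v1
kind: Secret
metadata:
  name: gitlab-secrets
  namespace: gitlab
type: Opaque
stringData:
  # NOTE(review): short, dictionary-style password for the highest-privilege
  # account; replace with a long random value when rotating.
  GITLAB_ROOT_PASSWORD: "NewPassword123!"
  # Everything below the `|` is Ruby (gitlab.rb), stored verbatim as one
  # string.
  #
  # NOTE(review): the bundled nginx listens on plain HTTP port 80 and always
  # forwards X-Forwarded-Proto=https / X-Forwarded-Ssl=on, so every request
  # that reaches the pod is treated as having arrived over TLS. Presumably
  # TLS terminates at an ingress in front of it; confirm that nothing else
  # can reach port 80 directly (e.g. a NetworkPolicy limited to the ingress
  # controller).
  # NOTE(review): omniauth_allow_single_sign_on together with
  # omniauth_block_auto_created_users = false means a first SSO login creates
  # an active GitLab account with no administrator approval. Who gets in is
  # then decided entirely by who Authentik lets through for this
  # application; verify the Authentik application is bound to the intended
  # users or groups.
  # NOTE(review): e-mail and name are synced from the provider on each
  # login, so GitLab trusts Authentik for the e-mail address; confirm users
  # cannot set that attribute themselves in Authentik.
  # NOTE(review): SSH port 31022 lies in the default NodePort range,
  # presumably matching a NodePort Service defined elsewhere; confirm.
  GITLAB_OMNIBUS_CONFIG: |
    external_url 'https://gitlab.henryathome.home64.de'
    gitlab_rails['gitlab_shell_ssh_port'] = 31022
    nginx['listen_port'] = 80
    nginx['listen_https'] = false
    nginx['proxy_set_headers'] = {
      'X-Forwarded-Proto' => 'https',
      'X-Forwarded-Ssl' => 'on'
    }
    prometheus_monitoring['enable'] = false
    # Authentik SSO (OpenID Connect)
    gitlab_rails['omniauth_enabled'] = true
    gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
    gitlab_rails['omniauth_sync_email_from_provider'] = 'openid_connect'
    gitlab_rails['omniauth_sync_profile_from_provider'] = ['openid_connect']
    gitlab_rails['omniauth_sync_profile_attributes'] = ['email', 'name']
    gitlab_rails['omniauth_block_auto_created_users'] = false
    gitlab_rails['omniauth_providers'] = [
      {
        name: "openid_connect",
        label: "Authentik",
        args: {
          name: "openid_connect",
          scope: ["openid", "profile", "email"],
          response_type: "code",
          issuer: "https://authentik.henryathome.home64.de/application/o/gitlab/",
          discovery: true,
          client_auth_method: "query",
          uid_field: "sub",
          pkce: true,
          client_options: {
            identifier: "HaKYx5sj767TYywPOekXD99ylk4NdPEX85UWa9Jo",
            secret: "9AazToYtgYdfaAgZauR8FMNJVj0qF8qePz0Gq5TPYK9fiE45QUDoEM1v3CEROiSI2BngXJVRqSEgBszSyieHe283w8Ube0yWXzesLNS84qR3fDWWSpbJ3sLZBlJMKMUj",
            redirect_uri: "https://gitlab.henryathome.home64.de/users/auth/openid_connect/callback"
          }
        }
      }
    ]
---
# ─── ConfigMap ────────────────────────────────────────────────────
# Non-sensitive settings for the same workload. Only the time zone is set
# here; keep credentials out of this object, since ConfigMaps carry no
# secret-specific access controls.
apiVersion: v1
kind: ConfigMap
metadata:
  name: gitlab-config
  namespace: gitlab
data:
  GITLAB_TIMEZONE: "Europe/Berlin"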