# Authentik blueprint — Nextcloud OIDC (when NEXTCLOUD_ENABLED=true)
# Generated from nextcloud-oidc.yaml.template
# Client secret must match NC_OIDC_CLIENT_SECRET in .env
version: 1
metadata:
  name: Nextcloud OIDC
  labels:
    blueprints.goauthentik.io/instantiate: "true"
entries:
  - model: authentik_providers_oauth2.oauth2provider
    id: nc-oauth-provider
    identifiers:
      name: ulti-nextcloud-provider
    attrs:
      name: ulti-nextcloud-provider
      authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
      invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
      property_mappings:
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
      client_type: confidential
      client_id: ulti-nextcloud
      client_secret: changeme
      redirect_uris:
        - matching_mode: strict
          url: {{SUITE_ORIGIN}}/cloud/apps/user_oidc/code
        - matching_mode: strict
          url: http://localhost/cloud/apps/user_oidc/code
        - matching_mode: strict
          url: http://127.0.0.1/cloud/apps/user_oidc/code
      signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]

  - model: authentik_core.application
    identifiers:
      slug: nextcloud
    attrs:
      name: Nextcloud
      slug: nextcloud
      group: Ulti Suite
      provider: !KeyOf nc-oauth-provider
      meta_launch_url: {{SUITE_ORIGIN}}/cloud/
      policy_engine_mode: any