diff --git a/mycloud-nextcloud/README.adoc b/mycloud-nextcloud/README.adoc
index 09d5578..7c6bd48 100644
--- a/mycloud-nextcloud/README.adoc
+++ b/mycloud-nextcloud/README.adoc
@@ -233,7 +233,7 @@ image::https://img.shields.io/badge/Version-application-informational?style=flat
 
 | helm.nextcloud.chart
 | string
-| `"a4fb1cb316b1184c82637b59e0166030fd35728c"`
+| `"6378227fe4a3b36c9d968e6ece377036b6c2df1a"`
 | version of the helm chart (current on git)
 
 | ingress.annotations
@@ -295,6 +295,11 @@ image::https://img.shields.io/badge/Version-application-informational?style=flat
 | string
 | `nil`
 | default quota for an user
+
+| theme.color
+| string
+| `nil`
+| set theme color in nextcloud
 |===
 
 Autogenerated from chart metadata using https://github.com/norwoodj/helm-docs[helm-docs]
diff --git a/mycloud-nextcloud/templates/release.yaml b/mycloud-nextcloud/templates/release.yaml
index 24cc588..de88414 100644
--- a/mycloud-nextcloud/templates/release.yaml
+++ b/mycloud-nextcloud/templates/release.yaml
@@ -79,6 +79,51 @@ spec:
               mountPath: /var/www/html/config
               subPath: "config"
       {{- end }}
+      extraEnv:
+        - name: NC_HOOK_OIDC_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Release.Name }}-auth-authentik-application
+              key: clientID
+        - name: NC_HOOK_OIDC_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Release.Name }}-auth-authentik-application
+              key: clientSecret
+
+      hooks:
+        # docu for theming: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/theming.html#configure-theming-through-cli
+        # /var/www/html/occ theming:config logo "{{ .Values.commons.theme.logo }}";
+        #
+        # TODO add group mapping after fix is there
+        # https://github.com/nextcloud/user_oidc/issues/744
+        # https://codeberg.org/wrenix/flux-charts/issues/7
+        before-starting: |-
+          #!/bin/sh
+          echo "update all apps:";
+          /var/www/html/occ app:update --all;
+
+          echo "setup theming:";
+          /var/www/html/occ theming:config disable-user-theming yes;
+          /var/www/html/occ theming:config name "{{ .Values.commons.theme.title }}";
+          {{- with .Values.theme.color }}
+          /var/www/html/occ theming:config color {{ . | quote }};
+          {{- end }}
+
+          echo "setup oidc:";
+          /var/www/html/occ user_oidc:provider mycloud \
+            --clientid  $NC_HOOK_OIDC_CLIENT_ID \
+            --clientsecret $NC_HOOK_OIDC_CLIENT_SECRET \
+            --discoveryuri "https://{{ .Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain) }}/application/o/mycloud-nextcloud/.well-known/openid-configuration" \
+            --scope "openid email profile" \
+            --extra-claims=scope \
+            --mapping-uid={{ .Values.auth.idMapping }} \
+            --mapping-email=email \
+            --mapping-display-name=name \
+            --mapping-quota=quota \
+            --mapping-groups=groups \
+            --check-bearer=true \
+            --unique-uid=0;
 
       appManagement:
         enabled: true
@@ -112,41 +157,6 @@ spec:
           {{- toYaml . | nindent 10 }}
           {{- end }}
 
-      hooks:
-        before-starting:
-          # docu for theming: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/theming.html#configure-theming-through-cli
-          # /var/www/html/occ theming:config logo "{{ .Values.commons.theme.logo }}";
-          #
-          # TODO add group mapping after fix is there
-          # https://github.com/nextcloud/user_oidc/issues/744
-          # https://codeberg.org/wrenix/flux-charts/issues/7
-          shell: |-
-            #!/bin/sh
-            echo "update all apps:";
-            /var/www/html/occ app:update --all;
-
-            echo "setup theming:";
-            /var/www/html/occ theming:config disable-user-theming yes;
-            /var/www/html/occ theming:config name "{{ .Values.commons.theme.title }}";
-            {{- with .Values.theme.color }}
-            /var/www/html/occ theming:config color {{ . | quote }};
-            {{- end }}
-
-            echo "setup oidc:";
-            /var/www/html/occ user_oidc:provider mycloud \
-              --clientid  {{ .Values.auth.clientID | default (derivePassword 1 "long" .Values.commons.masterPassword "nextcloud" "auth.clientID") | squote }} \
-              --clientsecret {{ .Values.auth.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "nextcloud" "auth.clientSecret") | squote }} \
-              --discoveryuri "https://{{ .Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain) }}/application/o/mycloud-nextcloud/.well-known/openid-configuration" \
-              --scope "openid email profile" \
-              --extra-claims=scope \
-              --mapping-uid={{ .Values.auth.idMapping }} \
-              --mapping-email=email \
-              --mapping-display-name=name \
-              --mapping-quota=quota \
-              --mapping-groups=groups \
-              --check-bearer=true \
-              --unique-uid=0;
-
     phpClientHttpsFix:
       enabled: true
 
diff --git a/mycloud-nextcloud/values.yaml b/mycloud-nextcloud/values.yaml
index 0180ca3..ea3d2dc 100644
--- a/mycloud-nextcloud/values.yaml
+++ b/mycloud-nextcloud/values.yaml
@@ -54,7 +54,7 @@ commons:
 helm:
   nextcloud:
     # -- version of the helm chart (current on git)
-    chart: "a4fb1cb316b1184c82637b59e0166030fd35728c"
+    chart: "6378227fe4a3b36c9d968e6ece377036b6c2df1a"
 
 # -- generated by .Values.commons.masterPassword
 adminPassword: