---
# Flux HelmRelease that installs the `authentik-application` chart from the
# `wrenix-helm-charts` GitRepository (namespace `flux-system`). The values
# below describe an authentik blueprint: an OIDC provider, a custom scope
# mapping, a group binding and the application entry for Nextcloud.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: {{ .Release.Name }}-auth
spec:
  chart:
    spec:
      sourceRef:
        kind: GitRepository
        name: "wrenix-helm-charts"
        namespace: "flux-system"
      chart: "./authentik-application"
      reconcileStrategy: "Revision"
  # install/test/upgrade/driftDetection are copied verbatim from the shared
  # `commons.helm.release` values and re-indented under each key.
  install: {{- toYaml .Values.commons.helm.release.install | nindent 4 }}
  test: {{- toYaml .Values.commons.helm.release.test | nindent 4 }}
  upgrade: {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
  driftDetection: {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
  interval: 10m
  values:
    # $host is the Nextcloud hostname: `ingress.host` when set, otherwise
    # `fs.` followed by `commons.ingress.domain`. It is reused for the
    # redirect, launch and icon URLs below.
    {{- $host := .Values.ingress.host | default (printf "fs.%s" .Values.commons.ingress.domain) }}
    blueprint:
      authentik:
        # `commons.auth.host` when set, otherwise `auth.` + the ingress domain.
        domain: "https://{{ .Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain) }}"
      provider:
        type: "oidc"
        name: "Nextcloud"
        oidc:
          clientType: "confidential"
          # Only this exact URL is registered as redirect target; the path is
          # the callback of Nextcloud's user_oidc app.
          redirectURL: "https://{{ $host }}/apps/user_oidc/code"
          # clientID / clientSecret: the explicit `auth.*` value wins; when it
          # is unset the value is derived deterministically from
          # `commons.masterPassword` with derivePassword, so the same inputs
          # always render the same credential.
          # NOTE(review): the rendered client secret is stored in plain text in
          # this HelmRelease's spec.values, so anyone allowed to read
          # HelmRelease objects in the namespace can read it. Consider passing
          # it through spec.valuesFrom with a Secret reference instead.
          # NOTE(review): a derived secret only changes when the master
          # password (or the explicit override) changes - plan rotation
          # accordingly and treat `commons.masterPassword` as the root secret.
          clientID: {{ .Values.auth.clientID | default (derivePassword 1 "long" .Values.commons.masterPassword "nextcloud" "auth.clientID") | quote }}
          clientSecret: {{ .Values.auth.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "nextcloud" "auth.clientSecret") | quote }}
          # Referenced by name; presumably resolved to a certificate inside
          # authentik - TODO confirm against the chart.
          signingKey: "authentik Self-signed Certificate"
          scopes:
            - name: "authentik default OAuth Mapping: OpenID 'openid'"
            - name: "authentik default OAuth Mapping: OpenID 'email'"
            # Custom mapping for the `profile` scope. The expression is Python:
            #  - `groups` holds the names of the user's authentik groups whose
            #    attribute `nextcloud_group` is truthy, plus "all" for everyone;
            #  - authentik superusers additionally get "admin";
            #  - `quota` comes from the group attribute `nextcloud_quota` and
            #    falls back to the chart value `quota` (inserted into the
            #    expression source at render time as a quoted string) or None.
            # NOTE(review): if Nextcloud maps the `groups` claim onto its own
            # groups, every authentik superuser - and every member of an
            # authentik group named "admin" that carries `nextcloud_group` -
            # presumably becomes a Nextcloud administrator. Confirm that this
            # privilege coupling is intended.
            # Do not add comments inside the block scalar: its text is the
            # expression itself.
            - name: "OAuth Mapping: Nextcloud Profile"
              scope_name: profile
              expression: |-
                groups = [group.name for group in user.ak_groups.all() if group.attributes.get("nextcloud_group", False)]
                groups.append("all")
                if user.is_superuser and "admin" not in groups:
                    groups.append("admin")
                return {
                    "nickname": request.user.username,
                    "name": request.user.name,
                    "groups": groups,
                    "quota": user.group_attributes().get("nextcloud_quota", {{ with .Values.quota }}{{ . | quote }}{{ else }}None{{ end }})
                }
      # Group bound to the application; `bindID` is a fixed UUID, presumably
      # the identifier of the binding object in the blueprint - TODO confirm.
      groups:
        - slug: "mycloud - users"
          bindID: "4525d9a3-1853-45dc-adc0-6d411a3a907e"
      application:
        # NOTE(review): "any" presumably grants access as soon as one bound
        # policy or group matches - verify that is the intended access rule.
        policyEngineMode: "any"
        openInNewTab: true
        publisher: "WrenIX's myCloud"
        slug: "mycloud-nextcloud"
        group: "Office"
        name: "Nextcloud"
        launchURL: "https://{{ $host }}/"
        icon: "https://{{ $host }}/core/img/favicon-touch.png"
        description: "📱☁️💻 A safe home for all your data – community-driven, free & open source 👏"