#data "authentik_scope_mapping" "nextcloud" { # name = "Nextcloud Profile" #} resource "authentik_scope_mapping" "nextcloud-scope" { name = "Nextcloud Profile" scope_name = "profile" expression = <<EOF # Extract all groups the user is a member of groups = [group.name for group in user.ak_groups.all()] # Nextcloud admins must be members of a group called "admin". # This is static and cannot be changed. # We append a fictional "admin" group to the user's groups if they are an admin in authentik. # This group would only be visible in Nextcloud and does not exist in authentik. if user.is_superuser and "Nextcloud Admin" not in groups: groups.append("admin") return { "name": request.user.name, "groups": groups, # To set a quota set the "nextcloud_quota" property in the user's attributes "quota": user.group_attributes().get("nextcloud_quota", None), # To connect an already existing user, set the "nextcloud_user_id" property in the # user's attributes to the username of the corresponding user on Nextcloud. "user_id": user.attributes.get("nextcloud_user_id", str(user.uuid)), } EOF } resource "random_id" "nextcloud_client_id" { byte_length = 16 } resource "authentik_provider_oauth2" "nextcloud" { name = "Nextcloud" # Required. You can use the output of: # $ openssl rand -hex 16 client_id = random_id.nextcloud_client_id.id # Optional: will be generated if not provided # client_secret = "my_client_secret" sub_mode = "user_uuid" authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id redirect_uris = [ "https://cloud.lab.cowley.tech/apps/user_oidc/code", ] property_mappings = [ data.authentik_scope_mapping.scope-email.id, authentik_scope_mapping.nextcloud-scope.id ] lifecycle { ignore_changes = [ signing_key, authentication_flow, ] } } resource "authentik_application" "nextcloud" { name = "Nextcloud" slug = "nextcloud" protocol_provider = authentik_provider_oauth2.nextcloud.id } resource "authentik_group" "nextcloud_admins" { name = "Nextcloud Admins" }