# NOTE(review): by its name this turns off TLS certificate validation for the
# Nextcloud <-> Collabora connection; confirm against the role. Reasonable only
# with the lab's self-signed certificates; leave verification on elsewhere.
nextcloud_collabora_disable_cert_verification: true

# Draw.io integration
nextcloud_enable_drawio: true
nextcloud_drawio_url: "https://drawio.local.test"

# Apps to install (override defaults to include drawio)
# user_ldap and user_oidc are both listed; they back the LDAP and OIDC
# sections further down in this file.
nextcloud_apps_to_install:
  - groupfolders
  - richdocuments
  - spreed
  - user_ldap
  - user_oidc
  - whiteboard
  - drawio

# Vagrant-only relaxations: neither setting belongs in a non-lab inventory.
# NOTE(review): the first presumably maps to Nextcloud's
# allow_local_remote_servers option, which lifts the block on server-side
# requests to private/internal addresses; confirm against the role.
nextcloud_allow_local_remote_servers: true  # Allow requests to local network in Vagrant
nextcloud_oidc_allow_selfsigned: true  # Allow self-signed certs for OIDC in Vagrant

# S3 storage configuration using Garage
# Key id and secret are resolved through the garage_credentials lookup, so no
# S3 key material is written into this file.
nextcloud_use_s3_storage: true
nextcloud_s3_key: "{{ lookup('digitalboard.core.garage_credentials', 'nextcloud', host='backend')['key_id'] }}"
nextcloud_s3_secret: "{{ lookup('digitalboard.core.garage_credentials', 'nextcloud', host='backend')['secret_key'] }}"
nextcloud_s3_bucket: "nextcloud"
nextcloud_s3_host: "{{ hostvars['backend']['garage_s3_domain'] }}"
# TLS is off and the port is 80: object data and signed requests travel
# unencrypted between Nextcloud and Garage. Enable TLS wherever the storage
# network is shared or routed.
nextcloud_s3_port: 80
nextcloud_s3_ssl: false
nextcloud_s3_usepath_style: true

# Extra hosts for container DNS resolution (Vagrant only)
# Every lab service name is pinned to the same address, 192.168.56.11.
nextcloud_extra_hosts:
  - "storage.local.test:192.168.56.11"
  - "keycloak.local.test:192.168.56.11"
  - "authentik.local.test:192.168.56.11"
  - "389ds:192.168.56.11"

# LDAP backend (pre-create users synced from Keycloak via 389ds)
# NOTE(review): numeric-looking values are quoted strings throughout;
# presumably the role passes them verbatim to the user_ldap configuration, so
# confirm before unquoting any of them.
nextcloud_ldap_enabled: true
nextcloud_ldap_config:
  # ldaps:// scheme on port 3636; StartTLS (ldapTLS) is off further down,
  # presumably because the ldaps:// connection is already TLS.
  ldapHost: "ldaps://389ds"
  ldapPort: "3636"
  # Binds as the directory's root DN with a trivial password kept in
  # cleartext. Lab only: a shared or production directory should get a
  # dedicated read-only bind account and a vaulted password.
  ldapAgentName: "cn=Directory Manager"
  ldapAgentPassword: "admin"
  ldapBase: "dc=local,dc=test"
  ldapBaseUsers: "ou=users,dc=local,dc=test"
  # Group search covers the whole suffix, not a dedicated groups subtree.
  ldapBaseGroups: "dc=local,dc=test"
  ldapTLS: "0"
  # Server certificate validation is disabled: the LDAPS session is encrypted
  # but the directory server is not authenticated, so the bind password above
  # is only as safe as the network path. Set to "0" and trust the directory's
  # CA outside the lab.
  turnOffCertCheck: "1"
  ldapUserFilter: "(&(objectclass=inetOrgPerson)(uid=*))"
  ldapUserFilterObjectclass: "inetOrgPerson"
  # %uid is the placeholder for the login name typed by the user.
  ldapLoginFilter: "(&(objectclass=inetOrgPerson)(uid=%uid))"
  ldapLoginFilterUsername: "1"
  ldapUserDisplayName: "displayName"
  ldapEmailAttribute: "mail"
  # The internal Nextcloud username is taken from the LDAP uid attribute.
  ldapExpertUsernameAttr: "uid"
  ldapExpertUUIDUserAttr: "nsuniqueid"
  ldapCacheTTL: "600"
  ldapPagingSize: "500"
  ldapExperiencedAdmin: "1"
  ldapConfigurationActive: "1"

# OIDC providers for login
# The client secrets below are inline lab placeholders. Any real deployment
# should source them from Ansible Vault or a lookup, as the S3 credentials in
# this file already do.
nextcloud_oidc_providers:
  - identifier: keycloak
    display_name: "Login with Keycloak"
    client_id: "nextcloud"
    client_secret: "nextcloud-secret-change-in-production"
    discovery_url: "https://keycloak.local.test/realms/vagrant/.well-known/openid-configuration"
    scope: "openid email profile"
    # NOTE(review): with unique_uid false, user_oidc presumably uses the mapped
    # uid claim (preferred_username) unchanged as the Nextcloud user ID, which
    # would let Keycloak logins land on the LDAP-provisioned accounts. Account
    # ownership then hinges on that claim, so usernames must be unique and
    # immutable at the IdP; confirm.
    unique_uid: false
    mapping:
      uid: preferred_username
      display_name: name
      email: email
  - identifier: authentik
    display_name: "Login with Authentik"
    # Client id and secret are the same throwaway string; lab placeholder only.
    client_id: "test1234"
    client_secret: "test1234"
    discovery_url: "https://authentik.local.test/application/o/nextcloud/.well-known/openid-configuration"
    scope: "openid email profile"
    # NOTE(review): unique_uid true presumably keeps Authentik user IDs
    # provider-scoped, so they do not map onto existing accounts; confirm.
    unique_uid: true
    mapping:
      uid: preferred_username
      display_name: name
      email: email