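---
# =================================================================
# Nextcloud Cloud Storage Role - Default Variables
# =================================================================
# Self-contained Nextcloud deployment with FPM, PostgreSQL, and Valkey
#
# These are role defaults (lowest variable precedence): every value can
# be overridden from inventory, group_vars or --extra-vars. No secret is
# stored in this file; secrets are referenced as vault_* variables and
# resolved at play time.

# =================================================================
# Service Configuration
# =================================================================

# Service user and directories
nextcloud_user: nextcloud
nextcloud_group: nextcloud
nextcloud_home: /opt/nextcloud
nextcloud_html_dir: "{{ nextcloud_home }}/html"
nextcloud_data_dir: "{{ nextcloud_home }}/data"
nextcloud_config_dir: "{{ nextcloud_home }}/config"

# Container configuration (FPM variant)
# NOTE(review): "stable-fpm" is a moving tag, so two runs of this role can
# pull different images. For reproducible, auditable rollouts override it
# with a specific version tag (or an image digest) in inventory.
nextcloud_version: "stable-fpm"
nextcloud_image: "docker.io/library/nextcloud"
nextcloud_fpm_port: 9001  # Internal FPM port (published to 127.0.0.1, Authentik uses 9000)

# Service management
nextcloud_service_enabled: true
nextcloud_service_state: "started"

# =================================================================
# Database Configuration (Self-managed)
# =================================================================
nextcloud_db_name: "nextcloud"
nextcloud_db_user: "nextcloud"
# No default() fallback on purpose: a missing vault variable fails the play
# instead of deploying with an empty password.
nextcloud_db_password: "{{ vault_nextcloud_db_password }}"

# =================================================================
# Cache Configuration (Self-managed)
# =================================================================
nextcloud_valkey_db: 2  # Use database 2 (Authentik uses 1)

# =================================================================
# Network Configuration
# =================================================================
nextcloud_domain: "cloud.jnss.me"

# =================================================================
# Nextcloud Core Configuration
# =================================================================

# Admin user (auto-configured on first run)
# The admin account only exists locally; it is the break-glass login when
# SSO is unavailable, so keep its vault password strong and rotated.
nextcloud_admin_user: "admin"
nextcloud_admin_email: "admin@jnss.me"
nextcloud_admin_password: "{{ vault_nextcloud_admin_password }}"

# Trusted domains (space-separated)
nextcloud_trusted_domains: "{{ nextcloud_domain }}"

# Reverse proxy configuration
# NOTE(review): overwriteprotocol only fixes the scheme in generated URLs;
# it does not tell Nextcloud which proxy addresses to trust for forwarded
# headers. Nothing in this file sets trusted_proxies - confirm the tasks
# set it to the Caddy address (127.0.0.1 per the FPM port comment above).
nextcloud_overwriteprotocol: "https"

# =================================================================
# PHP Configuration
# =================================================================
nextcloud_php_memory_limit: "512M"
nextcloud_php_upload_limit: "512M"

# =================================================================
# Background Jobs Configuration
# =================================================================
nextcloud_background_jobs_mode: "cron"  # Options: ajax, webcron, cron
nextcloud_cron_interval: "5min"  # How often cron runs (systemd timer)

# =================================================================
# Nextcloud System Configuration
# =================================================================
nextcloud_maintenance_window_start: 4  # Start hour (UTC) for maintenance window
# Quoted on purpose: a bare NO is parsed as boolean false by YAML 1.1 loaders.
nextcloud_default_phone_region: "NO"  # Default phone region code (ISO 3166-1 alpha-2)

# =================================================================
# Apps Configuration
# =================================================================

# Apps to install and enable
nextcloud_apps_install:
  - user_oidc
  - calendar
  - contacts

# =================================================================
# Email/SMTP Configuration (Optional)
# =================================================================
nextcloud_email_enabled: true  # Master switch - set to true to enable SMTP

# SMTP Server Configuration
nextcloud_smtp_mode: "smtp"  # smtp, sendmail, qmail
nextcloud_smtp_host: "smtp.titan.email"  # e.g., smtp.gmail.com, smtp.fastmail.com
nextcloud_smtp_port: 587  # 587 for TLS (STARTTLS), 465 for SSL (implicit TLS), 25 for plain
# An empty string here sends the SMTP login below in cleartext; leave it set
# unless the relay is on a trusted local network.
nextcloud_smtp_secure: "tls"  # tls, ssl, or empty string for no encryption
nextcloud_smtp_auth: true  # Enable SMTP authentication
nextcloud_smtp_authtype: "PLAIN"  # LOGIN or PLAIN (both rely on nextcloud_smtp_secure for confidentiality)
nextcloud_smtp_username: "hello@jnss.me"  # SMTP username
# NOTE(review): the default('') fallback means an undefined vault variable
# silently yields an empty password while nextcloud_email_enabled and
# nextcloud_smtp_auth are both true. Confirm the tasks assert this is
# non-empty when email is enabled, or drop the fallback so the play fails.
nextcloud_smtp_password: "{{ vault_nextcloud_smtp_password | default('') }}"

# Email Addressing
nextcloud_mail_from_address: "hello"  # Local part only (before @)
nextcloud_mail_domain: "jnss.me"  # Domain part (after @)
# Admin user email: see nextcloud_admin_email in the Core Configuration section above.

# =================================================================
# OIDC/SSO Configuration (Optional)
# =================================================================
nextcloud_oidc_enabled: true  # Master switch - set to true to enable OIDC

# Provider Configuration
nextcloud_oidc_provider_id: "authentik"  # Provider identifier (slug)
nextcloud_oidc_provider_name: "Authentik"  # Display name (shown on login button)
# NOTE(review): as with the SMTP password, default('') turns a missing vault
# variable into an empty client id/secret while nextcloud_oidc_enabled is
# true. Confirm the tasks fail on empty values when OIDC is enabled.
nextcloud_oidc_client_id: "{{ vault_nextcloud_oidc_client_id | default('') }}"
nextcloud_oidc_client_secret: "{{ vault_nextcloud_oidc_client_secret | default('') }}"
# Full discovery URL, e.g. https://auth.example.com/application/o/nextcloud/.well-known/openid-configuration
# Must be https: the discovery document decides where tokens are sent and which keys are trusted.
nextcloud_oidc_discovery_url: "https://auth.jnss.me/application/o/nextcloud/.well-known/openid-configuration"

# Scopes (based on Authentik integration guide)
# The 'nextcloud' scope is a custom scope you must create in Authentik
nextcloud_oidc_scope: "email profile nextcloud openid"

# Provider Options
# With unique_uid disabled the mapped uid claim (preferred_username, below)
# is used verbatim as the Nextcloud user ID, so an IdP username that equals
# an existing account name (e.g. the local "admin" above) can collide with
# that account. Keep false only while Authentik alone controls who may
# claim a username; recommended: true (hashed provider+uid). Flipping it on
# an existing install presumably gives current SSO users new IDs - confirm
# before changing.
nextcloud_oidc_unique_uid: false  # Hash provider+user ID to prevent account takeover (recommended: true)
nextcloud_oidc_check_bearer: false  # Check bearer tokens for API/WebDAV calls
nextcloud_oidc_send_id_token_hint: true  # Send ID token hint during logout

# Attribute Mappings (based on Authentik integration guide)
nextcloud_oidc_mapping_display_name: "name"  # Claim for display name
nextcloud_oidc_mapping_email: "email"  # Claim for email
nextcloud_oidc_mapping_quota: "quota"  # Claim for quota (from Authentik property mapping)
nextcloud_oidc_mapping_uid: "preferred_username"  # Claim for user ID
nextcloud_oidc_mapping_groups: "groups"  # Claim for groups (from Authentik property mapping)

# Group Provisioning (based on Authentik integration guide)
# Group membership then comes from the IdP claim; scope the Authentik
# property mapping so it only emits groups Nextcloud should honour.
nextcloud_oidc_group_provisioning: true  # Auto-create groups from OIDC provider

# Single Login Option
# NOTE(review): auto-redirect hides the local login form, so confirm the
# break-glass path for the local admin (user_oidc documents /login?direct=1)
# before relying on this in production.
nextcloud_oidc_single_login: true  # If true and only one provider, auto-redirect to SSO

# =================================================================
# Caddy Integration
# =================================================================

# Caddy configuration (assumes caddy role provides these variables)
caddy_sites_enabled_dir: "/etc/caddy/sites-enabled"
caddy_log_dir: "/var/log/caddy"
caddy_user: "caddy"

# =================================================================
# Infrastructure Dependencies (Read-only)
# =================================================================
# These variables reference infrastructure services defined by their roles
# Applications MUST NOT modify these values - they are provided by infrastructure
# They are repeated here only as lowest-precedence fallbacks so the role
# renders standalone; the owning role's values win whenever it is applied.
# Keep them in sync with that role, otherwise a drift here is silently used
# on hosts where the infrastructure role has not run.

# PostgreSQL socket configuration (managed by postgresql role)
postgresql_unix_socket_directories: "/var/run/postgresql"
postgresql_client_group: "postgres-clients"
postgresql_port: 5432
postgresql_unix_socket_enabled: true

# Valkey socket configuration (managed by valkey role)
valkey_unix_socket_path: "/var/run/valkey/valkey.sock"
valkey_password: "{{ vault_valkey_password }}"
valkey_client_group: "valkey-clients"
valkey_unix_socket_enabled: true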