Fix idp & co, add base ak setup

modules/server/containers/apps/authentik.nix

@@ -84,6 +84,40 @@ in {
       # Define the command wrapper
       AK="${pkgs.podman}/bin/podman --events-backend=none exec -u root authentik-worker ak"
 
+      $AK shell <<EOF
+from authentik.core.models import Group
+
+groups = ["admin", "cloud"]
+for name in groups:
+  Group.objects.get_or_create(name=name)
+EOF
+      
+      $AK shell <<EOF
+from authentik.core.models import User, Group
+from authentik.managed.models import ManagedObject
+
+# 1. Create the custom admin user
+user, created = User.objects.get_or_create(
+  username="your_admin_name",
+  defaults={
+    "name": "System Administrator",
+    "email": "admin@test.helcel.net",
+    "is_superuser": True,
+    "is_staff": True,
+  }
+)
+user.set_password("your_secure_password")
+user.save()
+
+admin_group = Group.objects.get(name="admin")
+user.ak_groups.add(admin_group)
+
+ManagedObject.objects.get_or_create(
+  identifier="initial-setup-complete",
+  defaults={"model": "authentik_core.user"}
+)
+EOF
+
       $AK apply_blueprint /blueprints/custom/traefik.yaml
       ${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''}
 

modules/server/containers/apps/nextcloud.nix

@@ -140,16 +140,18 @@ in {
         $OCC saml:config:set 1 --idp-entityId="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.hostDomain}"
         $OCC saml:config:set 1 --idp-singleSignOnService.url="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.hostDomain}/application/saml/nextcloud/sso/binding/redirect/"
         $OCC saml:config:set 1 --idp-singleLogoutService.url="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.hostDomain}/application/saml/nextcloud/slo/binding/redirect/"
-        AUTHENTIK_CERT=$(${pkgs.postgresql}/bin/psql -h localhost -U authentik_user -d authentik_db -t -c "SELECT certificate_data FROM authentik_crypto_certificatekeypair WHERE name = 'authentik Self-signed Certificate';" | sed '/---/d' | tr -d '+ \n')
+        AUTHENTIK_CERT=$(${pkgs.postgresql}/bin/psql -h localhost -U authentik_user -d authentik_db -At -c "SELECT certificate_data FROM authentik_crypto_certificatekeypair WHERE name = 'authentik Self-signed Certificate';")
         $OCC saml:config:set 1 --idp-x509cert="$AUTHENTIK_CERT" 
 
         $OCC saml:config:set 1 --saml-attribute-mapping-displayName_mapping="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
         $OCC saml:config:set 1 --saml-attribute-mapping-email_mapping="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
         $OCC saml:config:set 1 --saml-attribute-mapping-group_mapping="http://schemas.xmlsoap.org/claims/Group"
 
-        # $OCC saml:config:set 1 --general-allowed_groups="cloud,admin"
+        $OCC config:app:set user_saml general-allowed_groups --value="admin,cloud"
+        $OCC group:add admin || true
+        $OCC group:add cloud || true
         $OCC config:app:set user_saml general-group_provisioning --value="0"
-        $OCC config:app:set user_saml general-require_provisioning_groups --value="0"
+        $OCC config:app:set user_saml general-require_provisioning_groups --value="1"
         ''}
         # configure side_menu ...
         FOLDERS=$($OCC teamfolders:list --format=json)

modules/server/containers/data/authentik/nextcloud.yaml

@@ -34,6 +34,14 @@ entries:
             authentik_core.propertymapping,
             [name, "authentik default SAML Mapping: Groups"],
           ]
+        - !Find [
+            authentik_core.propertymapping,
+            [name, "authentik default SAML Mapping: Username"],
+          ]
+        - !Find [
+            authentik_core.propertymapping,
+            [name, "authentik default SAML Mapping: User ID"],
+          ]
 
         # - !Find [
         #     authentik_providers_saml.samlpropertymapping,