From 4c2ef6e2641c72b99f80058f7376c54d01523bb7 Mon Sep 17 00:00:00 2001 From: soraefir Date: Sun, 10 May 2026 18:51:58 +0200 Subject: [PATCH] Fix blueprints --- modules/server/containers/apps/authentik.nix | 4 +-- .../containers/data/authentik/nextcloud.yaml | 3 +++ .../containers/data/authentik/traefik.yaml | 25 +++++++++++++------ 3 files changed, 23 insertions(+), 9 deletions(-) diff --git a/modules/server/containers/apps/authentik.nix b/modules/server/containers/apps/authentik.nix index bdfa0ff..2dbaa45 100644 --- a/modules/server/containers/apps/authentik.nix +++ b/modules/server/containers/apps/authentik.nix @@ -84,8 +84,8 @@ in { # Define the command wrapper AK="${pkgs.podman}/bin/podman --events-backend=none exec -u root authentik-worker ak" - $AK blueprint_apply /blueprints/custom/traefik.yaml - ${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK blueprint_apply /blueprints/custom/nextcloud.yaml''} + $AK apply_blueprint /blueprints/custom/traefik.yaml + ${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''} echo "Completed Authentik Setup" ''; diff --git a/modules/server/containers/data/authentik/nextcloud.yaml b/modules/server/containers/data/authentik/nextcloud.yaml index 6f207bf..c187158 100644 --- a/modules/server/containers/data/authentik/nextcloud.yaml +++ b/modules/server/containers/data/authentik/nextcloud.yaml @@ -12,6 +12,9 @@ entries: authentik_flows.flow, [slug, default-provider-authorization-explicit-consent], ] + invalidation_flow: + !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]] + # Adjust these URLs to match your Nextcloud domain acs_url: https://@NEXTCLOUD_DOMAIN@/apps/user_saml/saml/acs audience: https://@NEXTCLOUD_DOMAIN@/apps/user_saml/saml/metadata diff --git a/modules/server/containers/data/authentik/traefik.yaml b/modules/server/containers/data/authentik/traefik.yaml index 441c4cb..4378474 100644 
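Review bot: Nothing visible in this hunk makes a failed `ak apply_blueprint` stop the script, so `echo "Completed Authentik Setup"` may still run after a blueprint was rejected. That the old subcommand name needed a follow-up commit suggests such failures were not being surfaced, though `set -e` could be in effect above the hunk. If it is not, make each call fatal, e.g. `$AK apply_blueprint /blueprints/custom/traefik.yaml || { echo "traefik blueprint failed" >&2; exit 1; }`, so the unit does not report success while the forward-auth provider is missing. The script body starts and ends outside the hunk.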
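Review bot: The new `invalidation_flow` lookup depends on a flow with slug `default-provider-invalidation-flow` already existing when this blueprint is applied, and the file does not say so. As far as I know `!Find` resolves to null rather than failing when nothing matches, so on an instance where authentik's default flows are not yet present the provider could be rejected or left without a logout flow; worth confirming. I would add above the key: `# Requires authentik's default flows; default-provider-invalidation-flow must exist before this blueprint is applied`. The provider entry starts and ends outside the hunk.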
--- a/modules/server/containers/data/authentik/traefik.yaml +++ b/modules/server/containers/data/authentik/traefik.yaml @@ -7,14 +7,18 @@ entries: identifiers: name: Domain Wide Proxy attrs: - authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-explicit-consent]] - + authorization_flow: + !Find [ + authentik_flows.flow, + [slug, default-provider-authorization-explicit-consent], + ] + # For domain-wide, external_host must be the root domain or the auth domain external_host: https://@AUTHENTIK_DOMAIN@ - + # This allows the cookie to work across *.@COOKIE_DOMAIN@ - cookie_domain: @COOKIE_DOMAIN@ - + cookie_domain: "@COOKIE_DOMAIN@" + mode: forward_auth intercept_header_auth: true @@ -24,7 +28,11 @@ entries: slug: authentik-proxy-root attrs: name: "Domain Auth Provider" - provider: !Find [authentik_providers_proxy.proxyprovider, [name, Domain Wide Proxy]] + provider: + !Find [ + authentik_providers_proxy.proxyprovider, + [name, Domain Wide Proxy], + ] # 3. Add to Outpost - model: authentik_outposts.outpost @@ -32,4 +40,7 @@ entries: name: authentik Embedded Outpost attrs: providers: - - !Find [authentik_providers_proxy.proxyprovider, [name, Domain Wide Proxy]] + - !Find [ + authentik_providers_proxy.proxyprovider, + [name, Domain Wide Proxy], + ]
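Review bot: The proxy provider `Domain Wide Proxy` gets no `invalidation_flow` in this hunk, while the same commit adds one to the Nextcloud SAML provider. If the authentik release in use requires that field on every provider, this blueprint would still fail to apply, unless the field is set in the few lines between this hunk and the next, which are not shown. Suggest adding under `attrs:` the line `invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]`. The quoting of `cookie_domain` looks right, since a plain YAML scalar cannot begin with `@`.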