From aa36fa812c911e4908025e22c88ad738e69346c4 Mon Sep 17 00:00:00 2001
From: soraefir <soraefir+git@helcel>
Date: Sun, 10 May 2026 19:14:37 +0200
Subject: [PATCH] Foix blueprint

---
 modules/server/containers/data/authentik/nextcloud.yaml | 4 ++++
 modules/server/containers/data/authentik/traefik.yaml   | 7 ++-----
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/modules/server/containers/data/authentik/nextcloud.yaml b/modules/server/containers/data/authentik/nextcloud.yaml
index 759b55a..8c688a1 100644
--- a/modules/server/containers/data/authentik/nextcloud.yaml
+++ b/modules/server/containers/data/authentik/nextcloud.yaml
@@ -66,6 +66,10 @@ entries:
           authentik_crypto.certificatekeypair,
           [name, "authentik Self-signed Certificate"],
         ]
+      sign_assertion: true
+      sign_response: false
+      digest_algorithm: "http://w3.org"
+      signature_algorithm: "http://w3.org"
 
   # 2. Create the Application
   - model: authentik_core.application
diff --git a/modules/server/containers/data/authentik/traefik.yaml b/modules/server/containers/data/authentik/traefik.yaml
index 2f11d42..c12d472 100644
--- a/modules/server/containers/data/authentik/traefik.yaml
+++ b/modules/server/containers/data/authentik/traefik.yaml
@@ -15,19 +15,16 @@ entries:
       invalidation_flow:
         !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
 
-      # For domain-wide, external_host must be the root domain or the auth domain
       external_host: https://@AUTHENTIK_DOMAIN@
-
-      # This allows the cookie to work across *.@COOKIE_DOMAIN@
       cookie_domain: "@COOKIE_DOMAIN@"
 
-      mode: forward_auth
+      mode: forward_auth_domain
       intercept_header_auth: true
 
   # 2. The Application (Required to link the provider)
   - model: authentik_core.application
     identifiers:
-      slug: authentik-proxy-root
+      slug: authentik-proxy
     attrs:
       name: "Domain Auth Provider"
       provider: