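locals {
  # Container entrypoint wrapper: adds the mounted local CA to the system trust
  # store, fixes ownership of ./config, then hands over to the image's own
  # entrypoint with the original arguments.
  # NOTE(review): the cp / update-ca-certificates results are not checked; if the
  # CA file is missing the container still starts and TLS validation against
  # services signed by that CA will presumably fail later - confirm that is the
  # intended failure mode.
  script-wrap = <<-EOF
    #!/bin/bash
    cp /etc/local-ca/ca.crt /usr/local/share/ca-certificates/
    /usr/sbin/update-ca-certificates
    chown www-data ./config || :
    exec /bin/sh /entrypoint.sh "$@"
  EOF

  # First part of autostart.sh: defines run_as, sets the trusted domains and
  # registers the OIDC provider.
  #
  # run_as joins its arguments with "$*" and hands the result to a second shell
  # (sh -c), so every argument is parsed twice. A value expanded by the outer
  # shell would be re-interpreted by the inner one: a client secret containing
  # spaces, quotes, '$', ';' or backticks would be split or executed instead of
  # being passed through. The OAUTH2_* references are therefore wrapped in single
  # quotes so that only the inner shell expands them, once, inside double quotes.
  # This assumes the OAUTH2_* values are exported container environment variables
  # (they are not assigned in this script); su -p keeps the environment.
  #
  # The doubled dollar sign keeps Terraform from interpolating these references,
  # so no secret value is rendered into the ConfigMap.
  # NOTE(review): the secret still ends up on the occ command line, where it is
  # visible in the process list while the command runs.
  script-head = <<-EOF
    #!/bin/bash
    export user=www-data
    run_as() {
      if [ "$(id -u)" = 0 ]; then
        su -p "$user" -s /bin/sh -c "$*"
      else
        sh -c "$*"
      fi
    }
    run_as ./occ --no-warnings config:system:set trusted_domains 0 --value=nextcloud
    run_as ./occ --no-warnings config:system:set trusted_domains 1 --value="${local.dns_name}"
    run_as ./occ app:install user_oidc ||:
    run_as ./occ user_oidc:provider '"$${OAUTH2_CONNECTOR_NAME}"' --clientid='"$${OAUTH2_CLIENT_ID}"' \
      --clientsecret='"$${OAUTH2_CLIENT_SECRET}"' \
      --discoveryuri='"$${OAUTH2_DISCOVER_URI}"'
  EOF

  # One occ command per enabled app, appended to autostart.sh in this order.
  # Every install ends in "||:" so a failed or repeated install does not stop the
  # remaining commands. collabora and onlyoffice are explicitly disabled when
  # their flag is off.
  script-apps = concat(
    var.apps.deck ? ["run_as ./occ app:install deck ||:"] : [],
    var.apps.calendar ? ["run_as ./occ app:install calendar ||:"] : [],
    var.apps.contacts ? ["run_as ./occ app:install contacts ||:"] : [],
    var.apps.groupfolders ? ["run_as ./occ app:install groupfolders ||:"] : [],
    var.apps.notes ? ["run_as ./occ app:install notes ||:"] : [],
    var.apps.tasks ? ["run_as ./occ app:install tasks ||:"] : [],
    var.apps.audioplayer ? ["run_as ./occ app:install audioplayer ||:"] : [],
    var.apps.bpm ? ["run_as ./occ app:install files_bpm ||:"] : [],
    var.apps.mindmap ? ["run_as ./occ app:install files_mindmap ||:"] : [],
    var.apps.music ? ["run_as ./occ app:install music ||:"] : [],
    var.apps.bookmarks ? ["run_as ./occ app:install bookmarks ||:"] : [],
    var.apps.texteditor ? ["run_as ./occ app:install files_texteditor ||:"] : [],
    var.apps.passman ? ["run_as ./occ app:install passman ||:"] : [],
    var.apps.tables ? ["run_as ./occ app:install tables ||:"] : [],
    var.apps.collabora ? [
      "run_as ./occ app:install richdocuments ||:",
      "run_as ./occ app:enable richdocuments ||:",
      "run_as ./occ config:app:set richdocuments wopi_url --value=\"https://collabora.${local.dns_name}/\"",
      "run_as ./occ config:app:set richdocuments federation_use_trusted_domains --value=yes",
      "run_as ./occ richdocuments:activate-config ||:",
    ] : ["run_as ./occ app:disable richdocuments ||:"],
    # DocumentServerInternalUrl and StorageUrl are plain http.
    # NOTE(review): presumably in-cluster service names - confirm that this
    # traffic never leaves the cluster network.
    # The JWT secret is left as a runtime reference and is expanded only by the
    # inner shell of run_as, for the same reason as the OAUTH2_* values.
    var.apps.onlyoffice ? [
      "run_as ./occ app:install onlyoffice ||:",
      "run_as ./occ app:enable onlyoffice ||:",
      "run_as ./occ --no-warnings config:app:set onlyoffice DocumentServerUrl --value=\"https://onlyoffice.${local.dns_name}/\"",
      "run_as ./occ --no-warnings config:app:set onlyoffice DocumentServerInternalUrl --value=\"http://${var.instance}-onlyoffice/\"",
      "run_as ./occ --no-warnings config:app:set onlyoffice StorageUrl --value=\"http://nextcloud/\"",
      "run_as ./occ --no-warnings config:app:set onlyoffice jwt_secret --value='\"$${ONLYOFFICE_JWT_SECRET}\"'",
    ] : ["run_as ./occ app:disable onlyoffice ||:"],
    var.apps.spreed ? ["run_as ./occ app:install spreed ||:"] : [],
    ["run_as ./occ upgrade ||:", "run_as ./occ maintenance:mode --off ||:"]
  )

  # Files published through the ConfigMap: the assembled autostart.sh and the
  # entrypoint wrapper.
  data-config-init = {
    "autostart.sh" = join("\n", concat([local.script-head], local.script-apps))
    "wrapper"      = local.script-wrap
  }
}

# ConfigMap carrying the init scripts. A ConfigMap is readable by anything with
# read access to ConfigMaps in the namespace, so the scripts must only reference
# secrets by environment variable name and never embed their values.
resource "kubectl_manifest" "nextcloud-config" {
  yaml_body = <<-EOF
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: "${var.component}-${var.instance}-init"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.common_labels)}
    data: ${jsonencode(local.data-config-init)}
  EOF
}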