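locals {
  # Entrypoint wrapper: copies the mounted local CA into the directory scanned by
  # the system trust-store tool, rebuilds the trust store, then hands over to
  # the image's own /entrypoint.sh with the original arguments.
  script-wrap = <<-EOF
    #!/bin/bash
    cp /etc/local-ca/ca.crt /usr/local/share/ca-certificates/
    # The tool is named update-ca-certificates (plural). The singular spelling is
    # "command not found", and because this script has no "set -e" it would go on
    # to start the entrypoint with the local CA never trusted.
    update-ca-certificates
    exec /entrypoint.sh "$@"
  EOF

  # Start-up hook: installs the user_oidc app and registers the OIDC provider
  # from the OAUTH2_* environment variables of the container.
  #
  # run_as joins its arguments with "$*" and passes the result to a second shell
  # ("su ... -c" or "sh -c"), which parses the string again. The provider command
  # is therefore passed single-quoted, so the OAUTH2_* values are expanded only
  # by that second shell, inside double quotes. A client secret containing
  # spaces, "$", ";" or "&" is then passed through verbatim instead of being
  # word-split or interpreted as shell syntax. "su -p" preserves the
  # environment, so the variables are visible to the inner shell.
  #
  # NOTE(review): the client secret is still passed to occ as a command-line
  # argument, so it is readable in the process list inside the container while
  # the command runs. The ConfigMap itself only contains the variable
  # references; presumably OAUTH2_CLIENT_SECRET is injected from a Kubernetes
  # Secret - confirm in the workload manifest.
  script-head = <<-EOF
    #!/bin/bash
    export user=www-data
    run_as() {
        if [ "$(id -u)" = 0 ]; then
            su -p "$user" -s /bin/sh -c "$*"
        else
            sh -c "$*"
        fi
    }
    run_as ./occ app:install user_oidc ||:
    # Single-quoted on purpose: expansion happens in the shell started by run_as.
    run_as './occ user_oidc:provider "$${OAUTH2_CONNECTOR_NAME}" --clientid="$${OAUTH2_CLIENT_ID}" --clientsecret="$${OAUTH2_CLIENT_SECRET}" --discoveryuri="$${OAUTH2_DISCOVER_URI}"'
  EOF

  # One "occ app:install" line per optional app enabled in var.apps. "||:" keeps
  # the hook going when an install command returns non-zero.
  script-apps = concat(
    var.apps.deck ? ["run_as ./occ app:install deck ||:"] : [],
    var.apps.calendar ? ["run_as ./occ app:install calendar ||:"] : [],
    var.apps.contacts ? ["run_as ./occ app:install contacts ||:"] : [],
    var.apps.groupfolders ? ["run_as ./occ app:install groupfolders ||:"] : [],
    var.apps.notes ? ["run_as ./occ app:install notes ||:"] : [],
    var.apps.tasks ? ["run_as ./occ app:install tasks ||:"] : [],
    var.apps.spreed ? ["run_as ./occ app:install spreed ||:"] : [],
  )

  # ConfigMap payload: the assembled start-up hook and the entrypoint wrapper.
  data-config-init = {
    "autostart.sh" = join("\n", concat([local.script-head], local.script-apps))
    "wrapper"      = local.script-wrap
  }
}

# ConfigMap carrying the two scripts. labels and data are rendered with
# jsonencode, which is valid YAML flow syntax, so script contents are escaped
# by the encoder rather than pasted into the YAML as raw text.
resource "kubectl_manifest" "nextcloud-config" {
  yaml_body = <<-EOF
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: "${var.component}-${var.instance}-init"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.common-labels)}
    data: ${jsonencode(local.data-config-init)}
  EOF
}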