Whitelisted Server IP's and implemented deactivation option for ldap user directory in nextcloud

Kevin Veen-Birkenbach 2025-07-01 02:25:05 +02:00
parent b83d596789
commit 15121fd905
GPG Key ID: 44D8F11FD62F878E
9 changed files with 36 additions and 18 deletions


@ -18,4 +18,18 @@
- name: run the docker matomo tasks once
set_fact:
run_once_docker_matomo: true
when: run_once_docker_matomo is not defined
when: run_once_docker_matomo is not defined
- name: Exclude global IPs in Matomo
uri:
url: "{{ matomo_index_php_url }}"
method: POST
body_format: form-urlencoded
body:
module: API
method: SitesManager.setGlobalExcludedIps
excludedIps: "{{ matomo_excluded_ips | join(',') }}"
format: json
token_auth: "{{ matomo_auth_token }}"
return_content: yes
status_code: 200
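Review bot: The `status_code: 200` check on the "Exclude global IPs in Matomo" task does not establish that the call succeeded, because Matomo's Reporting API typically answers failures such as a rejected token or an unknown method with HTTP 200 and a JSON body of the form `{"result":"error","message":"…"}`; register the response and fail on it, e.g. `register: matomo_excluded_ips_result` plus `failed_when: matomo_excluded_ips_result.json.result | default('') == 'error'`. The form body carries `matomo_auth_token`, which Ansible echoes in the task result on failure or under `-v`, so the task also needs `no_log: true`; the same applies to the addSite task in the matomo-site tasks hunk further down. `return_content: yes` should be written as `true`, the boolean form the other hunks in this commit use. Whether the duplicated `when: run_once_docker_matomo is not defined` above the task is a real duplicate key or a rendering artifact of a whitespace-only change cannot be told from this view; if it is real, Ansible's loader will at least warn about it.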


@ -23,4 +23,5 @@ csp:
unsafe-eval: true
domains:
aliases:
- "analytics.{{ primary_domain }}"
- "analytics.{{ primary_domain }}"
excluded_ips: "{{ networks.internet.values() | list }}"
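Review bot: `excluded_ips` takes `networks.internet.values()` unfiltered, while the Nextcloud `TRUSTED_PROXIES` line in this same commit pipes that expression through `select` to drop empty or null entries; the matomo role then joins this list with `,`, so any empty value in `networks.internet` would produce a stray `,,` in `excludedIps`. Apply the same filter here, `excluded_ips: "{{ networks.internet.values() | select | list }}"`. Since the key is consumed from another role, a comment stating that would help, e.g. `# Visitor IPs Matomo ignores; pushed by the matomo role via SitesManager.setGlobalExcludedIps`.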


@ -1,6 +1,10 @@
---
application_id: "matomo"
database_type: "mariadb"
application_id: "matomo"
database_type: "mariadb"
matomo_excluded_ips: "{{ applications.matomo.excluded_ips }}"
matomo_index_php_url: "{{ web_protocol }}://{{ domains | get_domain('matomo') }}/index.php"
matomo_auth_token: "{{ applications.matomo.credentials.auth_token }}"
# I don't know if this is still necessary
domain: "{{ domains | get_domain(application_id) }}"
domain: "{{ domains | get_domain(application_id) }}"
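Review bot: `matomo_index_php_url` and `matomo_auth_token` are defined here in the matomo role's vars and again, with identical values, in the matomo-site vars hunk at the end of this commit; two copies of the same URL and credential reference will drift, so keep a single definition (a shared vars file both roles load, or `include_vars` from one role to the other). The kept comment `# I don't know if this is still necessary` above `domain` should either be resolved, by checking the role for references to `domain` and dropping the variable if none remain, or replaced by a concrete note such as `# domain: kept for templates that still reference it — verify before removing`. Whether `domain` is still referenced is not visible in this hunk.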


@ -31,7 +31,7 @@ NEXTCLOUD_ADMIN_PASSWORD= "{{applications[application_id].credentials.admi
NEXTCLOUD_TRUSTED_DOMAINS= "{{domains | get_domain(application_id)}}"
# Whitelist local docker gateway in Nextcloud to prevent brute-force throtteling
TRUSTED_PROXIES= "192.168.102.65"
TRUSTED_PROXIES= "{{ networks.internet.values() | select | join(',') }}"
OVERWRITECLIURL= "{{ web_protocol }}://{{domains | get_domain(application_id)}}"
OVERWRITEPROTOCOL= "https"
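Review bot: The comment `# Whitelist local docker gateway in Nextcloud to prevent brute-force throtteling` no longer describes the line below it, which now lists the addresses from `networks.internet` instead of the gateway `192.168.102.65`. Nextcloud honours X-Forwarded-For only from addresses in `TRUSTED_PROXIES`, so if the reverse proxy still reaches the container from the docker gateway rather than from one of the listed addresses, the forwarded client IP is ignored and the brute-force protection throttles on the proxy's address; this cannot be confirmed from the hunk, so check which source address Nextcloud actually sees and keep the gateway in the list if that is it. Update the comment to match the new value and fix the typo, e.g. `# Addresses Nextcloud trusts to supply X-Forwarded-For (server IPs from networks.internet), so brute-force throttling keys on the real client IP`.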


@ -222,6 +222,8 @@ plugins:
user_ldap:
# Nextcloud user LDAP: integrates LDAP for user management and authentication (https://apps.nextcloud.com/apps/user_ldap)
enabled: "{{ applications.nextcloud.features.ldap | default(true) }}"
user_directory:
enabled: true # Enables the LDAP User Directory Search
user_oidc:
# Nextcloud User OIDC: integrates OpenID Connect for user authentication (https://apps.nextcloud.com/apps/user_oidc)
enabled: "{{ _applications_nextcloud_oidc_flavor=='user_oidc' | lower }}"
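Review bot: The inline comment on `user_directory.enabled` names the feature but not what the flag changes; in this commit its only consumer is the `s01ldap_userlist_filter` entry in plugin_configuration, which is rendered empty when the flag is false. State that effect above the key, e.g. `# When false, the LDAP user list filter is rendered empty so LDAP users are not listed in the user directory search; the login filter is configured separately`. Note that `user_directory.enabled` is a hard-coded `true` while `user_ldap.enabled` is templated from `applications.nextcloud.features.ldap`, so the flag has no effect when the plugin itself is off; that is reasonable, but worth a word in the same comment.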


@ -163,7 +163,7 @@ plugin_configuration:
-
appid: "user_ldap"
configkey: "s01ldap_userlist_filter"
configvalue: "{{ ldap.filters.users.all }}"
configvalue: "{% if applications[application_id].plugins.user_ldap.user_directory.enabled %}{{ ldap.filters.users.all }}{% endif %}"
-
appid: "user_ldap"
configkey: "s01use_memberof_to_detect_membership"
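Review bot: When `user_directory.enabled` is false the `{% if %}` renders `configvalue` as an empty string, and nothing in the hunk shows how user_ldap treats an empty `ldap_userlist_filter`; confirm in Nextcloud that it means "list no users" rather than "no restriction" before relying on it as the deactivation switch, since the two outcomes are opposite from a security standpoint. If an empty value is not honoured, render an explicit never-matching filter in the `else` branch instead. Either way add a comment naming the intent, e.g. `# empty filter deliberately disables the LDAP user listing; see plugins.user_ldap.user_directory.enabled`.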


@ -4,11 +4,6 @@ credentials:
algorithm: "sha256"
validation: "^[a-f0-9]{64}$"
database_password:
description: "Password for the YOURLS database user"
algorithm: "bcrypt"
validation: "^\\$2[aby]\\$.{56}$"
oauth2_proxy_cookie_secret:
description: "Secret used to encrypt cookies for the OAuth2 proxy (hex-encoded, 16 bytes)"
algorithm: "random_hex_16"


@ -5,12 +5,12 @@
msg:
domain: "{{ domain }}"
base_domain: "{{ base_domain }}"
verification_url: "{{ verification_url }}"
matomo_verification_url: "{{ matomo_verification_url }}"
when: enable_debug | bool
- name: "Check if site {{ domain }} is allready registered at Matomo"
uri:
url: "{{verification_url}}"
url: "{{ matomo_verification_url }}"
method: GET
return_content: yes
status_code: 200
@ -29,9 +29,9 @@
- name: Add site to Matomo and get ID if not exists
uri:
url: "{{ web_protocol }}://{{ domains.matomo }}/index.php"
url: "{{ matomo_index_php_url }}"
method: POST
body: "module=API&method=SitesManager.addSite&siteName={{ base_domain }}&urls=https://{{ base_domain }}&token_auth={{ applications.matomo.credentials.auth_token }}&format=json"
body: "module=API&method=SitesManager.addSite&siteName={{ base_domain }}&urls=https://{{ base_domain }}&token_auth={{ matomo_auth_token }}&format=json"
body_format: form-urlencoded
status_code: 200
return_content: yes
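Review bot: The addSite request still builds its form body by string concatenation, so `base_domain` and `matomo_auth_token` are interpolated without URL encoding, whereas the new setGlobalExcludedIps task in the matomo role passes `body:` as a mapping and lets `body_format: form-urlencoded` encode each value; use the same mapping form here for consistency and correct encoding. Both uri tasks in this file send the token, so each should carry `no_log: true`, and `return_content: yes` should become `true`. The rest of the addSite task lies outside the hunk.

```yaml
- name: Add site to Matomo and get ID if not exists
  uri:
    url: "{{ matomo_index_php_url }}"
    method: POST
    body_format: form-urlencoded
    body:
      module: API
      method: SitesManager.addSite
      siteName: "{{ base_domain }}"
      urls: "https://{{ base_domain }}"
      token_auth: "{{ matomo_auth_token }}"
      format: json
    status_code: 200
    return_content: true
  no_log: true
  # … unchanged: remainder of the task outside the hunk …
```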


@ -1,2 +1,4 @@
base_domain: "{{ domain | regex_replace('^(?:.*\\.)?(.+\\..+)$', '\\1') }}"
verification_url: "{{ web_protocol }}://{{domains | get_domain('matomo')}}/index.php?module=API&method=SitesManager.getSitesIdFromSiteUrl&url=https://{{base_domain}}&format=json&token_auth={{applications.matomo.credentials.auth_token}}"
base_domain: "{{ domain | regex_replace('^(?:.*\\.)?(.+\\..+)$', '\\1') }}"
matomo_index_php_url: "{{ web_protocol }}://{{ domains | get_domain('matomo') }}/index.php"
matomo_auth_token: "{{ applications.matomo.credentials.auth_token }}"
matomo_verification_url: "{{ matomo_index_php_url }}?module=API&method=SitesManager.getSitesIdFromSiteUrl&url=https://{{ base_domain }}&format=json&token_auth={{ matomo_auth_token }}"
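Review bot: `matomo_verification_url` embeds `token_auth` in the query string of a URL that is fetched with GET, so the token ends up in web-server and reverse-proxy access logs, and it is also printed verbatim by the debug task at the top of the matomo-site tasks hunk (`matomo_verification_url: "{{ matomo_verification_url }}"`) whenever `enable_debug` is set. Matomo accepts `token_auth` as a POST form field, which this role already does for addSite; drop it from this URL and send it in the body of the check request (`method: POST`, `body_format: form-urlencoded`, `body: { token_auth: "{{ matomo_auth_token }}" }` alongside the other parameters), or at minimum add `no_log: true` to the check task and keep the URL out of the debug message. A comment on this variable noting that it must not be logged would make the constraint visible to the next editor.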