Whitelisted Server IP's and implemented deactivation option for ldap user directory in nextcloud

roles/docker-matomo/tasks/main.yml

@@ -18,4 +18,18 @@
 - name: run the docker matomo tasks once
   set_fact:
     run_once_docker_matomo: true
-  when: run_once_docker_matomo is not defined
+  when: run_once_docker_matomo is not defined
+
+- name: Exclude global IPs in Matomo
+  uri:
+    url: "{{ matomo_index_php_url }}"
+    method: POST
+    body_format: form-urlencoded
+    body:
+      module: API
+      method: SitesManager.setGlobalExcludedIps
+      excludedIps: "{{ matomo_excluded_ips | join(',') }}"
+      format: json
+      token_auth: "{{ matomo_auth_token }}"
+    return_content: yes
+    status_code: 200

roles/docker-matomo/vars/configuration.yml

@@ -23,4 +23,5 @@ csp:
       unsafe-eval:   true
 domains:
   aliases:
-    - "analytics.{{ primary_domain }}"
+    - "analytics.{{ primary_domain }}"
+excluded_ips: "{{ networks.internet.values() | list }}"

roles/docker-matomo/vars/main.yml

@@ -1,6 +1,10 @@
 ---
-application_id:     "matomo"
-database_type:      "mariadb"
+application_id:       "matomo"
+database_type:        "mariadb"
+matomo_excluded_ips:  "{{ applications.matomo.excluded_ips }}"
+matomo_index_php_url: "{{ web_protocol }}://{{ domains | get_domain('matomo') }}/index.php"
+matomo_auth_token:    "{{ applications.matomo.credentials.auth_token }}"
+
 
 # I don't know if this is still necessary
-domain:             "{{ domains | get_domain(application_id) }}"
+domain:               "{{ domains | get_domain(application_id) }}"

roles/docker-nextcloud/templates/env.j2

@@ -31,7 +31,7 @@ NEXTCLOUD_ADMIN_PASSWORD=       "{{applications[application_id].credentials.admi
 
 NEXTCLOUD_TRUSTED_DOMAINS=      "{{domains | get_domain(application_id)}}"
 # Whitelist local docker gateway in Nextcloud to prevent brute-force throtteling
-TRUSTED_PROXIES=                "192.168.102.65"
+TRUSTED_PROXIES=                "{{ networks.internet.values() | select | join(',') }}"
 OVERWRITECLIURL=                "{{ web_protocol }}://{{domains | get_domain(application_id)}}"
 OVERWRITEPROTOCOL=              "https"
 

roles/docker-nextcloud/vars/configuration.yml

@@ -222,6 +222,8 @@ plugins:
   user_ldap:
     # Nextcloud user LDAP: integrates LDAP for user management and authentication (https://apps.nextcloud.com/apps/user_ldap)
     enabled: "{{ applications.nextcloud.features.ldap | default(true) }}"
+    user_directory:
+      enabled:  true # Enables the LDAP User Directory Search
   user_oidc:
     # Nextcloud User OIDC: integrates OpenID Connect for user authentication (https://apps.nextcloud.com/apps/user_oidc)
     enabled:    "{{ _applications_nextcloud_oidc_flavor=='user_oidc' | lower }}"

roles/docker-nextcloud/vars/plugins/user_ldap.yml

@@ -163,7 +163,7 @@ plugin_configuration:
   -
     appid: "user_ldap"
     configkey: "s01ldap_userlist_filter"
-    configvalue: "{{ ldap.filters.users.all }}"
+    configvalue: "{% if applications[application_id].plugins.user_ldap.user_directory.enabled %}{{ ldap.filters.users.all }}{% endif %}"
   -
     appid: "user_ldap"
     configkey: "s01use_memberof_to_detect_membership"

roles/docker-yourls/meta/schema.yml

@@ -4,11 +4,6 @@ credentials:
     algorithm: "sha256"
     validation: "^[a-f0-9]{64}$"
 
-  database_password:
-    description: "Password for the YOURLS database user"
-    algorithm: "bcrypt"
-    validation: "^\\$2[aby]\\$.{56}$"
-
   oauth2_proxy_cookie_secret:
     description: "Secret used to encrypt cookies for the OAuth2 proxy (hex-encoded, 16 bytes)"
     algorithm: "random_hex_16"

roles/nginx-modifier-matomo/tasks/main.yml

@@ -5,12 +5,12 @@
     msg:
       domain: "{{ domain }}"
       base_domain: "{{ base_domain }}"
-      verification_url: "{{ verification_url }}"
+      matomo_verification_url: "{{ matomo_verification_url }}"
   when: enable_debug | bool
 
 - name: "Check if site {{ domain }} is allready registered at Matomo"
   uri:
-    url:            "{{verification_url}}"
+    url:            "{{ matomo_verification_url }}"
     method:         GET
     return_content: yes
     status_code:    200
@@ -29,9 +29,9 @@
 
 - name: Add site to Matomo and get ID if not exists
   uri:
-    url: "{{ web_protocol }}://{{ domains.matomo }}/index.php"
+    url: "{{ matomo_index_php_url }}"
     method: POST
-    body: "module=API&method=SitesManager.addSite&siteName={{ base_domain }}&urls=https://{{ base_domain }}&token_auth={{ applications.matomo.credentials.auth_token }}&format=json"
+    body: "module=API&method=SitesManager.addSite&siteName={{ base_domain }}&urls=https://{{ base_domain }}&token_auth={{ matomo_auth_token }}&format=json"
     body_format: form-urlencoded
     status_code: 200
     return_content: yes

roles/nginx-modifier-matomo/vars/main.yml

@@ -1,2 +1,4 @@
-base_domain:      "{{ domain | regex_replace('^(?:.*\\.)?(.+\\..+)$', '\\1') }}"
-verification_url: "{{ web_protocol }}://{{domains | get_domain('matomo')}}/index.php?module=API&method=SitesManager.getSitesIdFromSiteUrl&url=https://{{base_domain}}&format=json&token_auth={{applications.matomo.credentials.auth_token}}"
+base_domain:              "{{ domain | regex_replace('^(?:.*\\.)?(.+\\..+)$', '\\1') }}"
+matomo_index_php_url:     "{{ web_protocol }}://{{ domains | get_domain('matomo') }}/index.php"
+matomo_auth_token:        "{{ applications.matomo.credentials.auth_token }}"
+matomo_verification_url:  "{{ matomo_index_php_url }}?module=API&method=SitesManager.getSitesIdFromSiteUrl&url=https://{{ base_domain }}&format=json&token_auth={{ matomo_auth_token }}"