kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-07-02 23:22:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

Whitelisted Server IP's and implemented deactivation option for ldap user directory in nextcloud

Browse Source
This commit is contained in:
Kevin Veen-Birkenbach 2025-07-01 02:25:05 +02:00
parent b83d596789
commit 15121fd905
No known key found for this signature in database
GPG Key ID: 44D8F11FD62F878E
9 changed files with 36 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
roles/docker-matomo/tasks/main.yml
View File

@ -18,4 +18,18 @@
- name: run the docker matomo tasks once - name: run the docker matomo tasks once
set_fact: set_fact:
run_once_docker_matomo: true run_once_docker_matomo: true
when: run_once_docker_matomo is not defined when: run_once_docker_matomo is not defined
- name: Exclude global IPs in Matomo
uri:
url: "{{ matomo_index_php_url }}"
method: POST
body_format: form-urlencoded
body:
module: API
method: SitesManager.setGlobalExcludedIps
excludedIps: "{{ matomo_excluded_ips | join(',') }}"
format: json
token_auth: "{{ matomo_auth_token }}"
return_content: yes
status_code: 200

3
roles/docker-matomo/vars/configuration.yml
View File

@ -23,4 +23,5 @@ csp:
unsafe-eval: true unsafe-eval: true
domains: domains:
aliases: aliases:
- "analytics.{{ primary_domain }}" - "analytics.{{ primary_domain }}"
excluded_ips: "{{ networks.internet.values() | list }}"

10
roles/docker-matomo/vars/main.yml
View File

@ -1,6 +1,10 @@
--- ---
application_id: "matomo" application_id: "matomo"
database_type: "mariadb" database_type: "mariadb"
matomo_excluded_ips: "{{ applications.matomo.excluded_ips }}"
matomo_index_php_url: "{{ web_protocol }}://{{ domains | get_domain('matomo') }}/index.php"
matomo_auth_token: "{{ applications.matomo.credentials.auth_token }}"
# I don't know if this is still necessary # I don't know if this is still necessary
domain: "{{ domains | get_domain(application_id) }}" domain: "{{ domains | get_domain(application_id) }}"

2
roles/docker-nextcloud/templates/env.j2
View File

@ -31,7 +31,7 @@ NEXTCLOUD_ADMIN_PASSWORD= "{{applications[application_id].credentials.admi
NEXTCLOUD_TRUSTED_DOMAINS= "{{domains | get_domain(application_id)}}" NEXTCLOUD_TRUSTED_DOMAINS= "{{domains | get_domain(application_id)}}"
# Whitelist local docker gateway in Nextcloud to prevent brute-force throtteling # Whitelist local docker gateway in Nextcloud to prevent brute-force throtteling
TRUSTED_PROXIES= "192.168.102.65" TRUSTED_PROXIES= "{{ networks.internet.values() | select | join(',') }}"
OVERWRITECLIURL= "{{ web_protocol }}://{{domains | get_domain(application_id)}}" OVERWRITECLIURL= "{{ web_protocol }}://{{domains | get_domain(application_id)}}"
OVERWRITEPROTOCOL= "https" OVERWRITEPROTOCOL= "https"

2
roles/docker-nextcloud/vars/configuration.yml
View File

@ -222,6 +222,8 @@ plugins:
user_ldap: user_ldap:
# Nextcloud user LDAP: integrates LDAP for user management and authentication (https://apps.nextcloud.com/apps/user_ldap) # Nextcloud user LDAP: integrates LDAP for user management and authentication (https://apps.nextcloud.com/apps/user_ldap)
enabled: "{{ applications.nextcloud.features.ldap | default(true) }}" enabled: "{{ applications.nextcloud.features.ldap | default(true) }}"
user_directory:
enabled: true # Enables the LDAP User Directory Search
user_oidc: user_oidc:
# Nextcloud User OIDC: integrates OpenID Connect for user authentication (https://apps.nextcloud.com/apps/user_oidc) # Nextcloud User OIDC: integrates OpenID Connect for user authentication (https://apps.nextcloud.com/apps/user_oidc)
enabled: "{{ _applications_nextcloud_oidc_flavor=='user_oidc' | lower }}" enabled: "{{ _applications_nextcloud_oidc_flavor=='user_oidc' | lower }}"

2
roles/docker-nextcloud/vars/plugins/user_ldap.yml
View File

@ -163,7 +163,7 @@ plugin_configuration:
- -
appid: "user_ldap" appid: "user_ldap"
configkey: "s01ldap_userlist_filter" configkey: "s01ldap_userlist_filter"
configvalue: "{{ ldap.filters.users.all }}" configvalue: "{% if applications[application_id].plugins.user_ldap.user_directory.enabled %}{{ ldap.filters.users.all }}{% endif %}"
- -
appid: "user_ldap" appid: "user_ldap"
configkey: "s01use_memberof_to_detect_membership" configkey: "s01use_memberof_to_detect_membership"

5
roles/docker-yourls/meta/schema.yml
View File

@ -4,11 +4,6 @@ credentials:
algorithm: "sha256" algorithm: "sha256"
validation: "^[a-f0-9]{64}$" validation: "^[a-f0-9]{64}$"
database_password:
description: "Password for the YOURLS database user"
algorithm: "bcrypt"
validation: "^\\$2[aby]\\$.{56}$"
oauth2_proxy_cookie_secret: oauth2_proxy_cookie_secret:
description: "Secret used to encrypt cookies for the OAuth2 proxy (hex-encoded, 16 bytes)" description: "Secret used to encrypt cookies for the OAuth2 proxy (hex-encoded, 16 bytes)"
algorithm: "random_hex_16" algorithm: "random_hex_16"

8
roles/nginx-modifier-matomo/tasks/main.yml
View File

@ -5,12 +5,12 @@
msg: msg:
domain: "{{ domain }}" domain: "{{ domain }}"
base_domain: "{{ base_domain }}" base_domain: "{{ base_domain }}"
verification_url: "{{ verification_url }}" matomo_verification_url: "{{ matomo_verification_url }}"
when: enable_debug | bool when: enable_debug | bool
- name: "Check if site {{ domain }} is allready registered at Matomo" - name: "Check if site {{ domain }} is allready registered at Matomo"
uri: uri:
url: "{{verification_url}}" url: "{{ matomo_verification_url }}"
method: GET method: GET
return_content: yes return_content: yes
status_code: 200 status_code: 200
@ -29,9 +29,9 @@
- name: Add site to Matomo and get ID if not exists - name: Add site to Matomo and get ID if not exists
uri: uri:
url: "{{ web_protocol }}://{{ domains.matomo }}/index.php" url: "{{ matomo_index_php_url }}"
method: POST method: POST
body: "module=API&method=SitesManager.addSite&siteName={{ base_domain }}&urls=https://{{ base_domain }}&token_auth={{ applications.matomo.credentials.auth_token }}&format=json" body: "module=API&method=SitesManager.addSite&siteName={{ base_domain }}&urls=https://{{ base_domain }}&token_auth={{ matomo_auth_token }}&format=json"
body_format: form-urlencoded body_format: form-urlencoded
status_code: 200 status_code: 200
return_content: yes return_content: yes

6
roles/nginx-modifier-matomo/vars/main.yml
View File

@ -1,2 +1,4 @@
base_domain: "{{ domain | regex_replace('^(?:.*\\.)?(.+\\..+)$', '\\1') }}" base_domain: "{{ domain | regex_replace('^(?:.*\\.)?(.+\\..+)$', '\\1') }}"
verification_url: "{{ web_protocol }}://{{domains | get_domain('matomo')}}/index.php?module=API&method=SitesManager.getSitesIdFromSiteUrl&url=https://{{base_domain}}&format=json&token_auth={{applications.matomo.credentials.auth_token}}" matomo_index_php_url: "{{ web_protocol }}://{{ domains | get_domain('matomo') }}/index.php"
matomo_auth_token: "{{ applications.matomo.credentials.auth_token }}"
matomo_verification_url: "{{ matomo_index_php_url }}?module=API&method=SitesManager.getSitesIdFromSiteUrl&url=https://{{ base_domain }}&format=json&token_auth={{ matomo_auth_token }}"