Whitelisted Server IP's and implemented deactivation option for ldap user directory in nextcloud

2025-07-02 23:22:02 +02:00 · 2025-07-01 02:25:05 +02:00 · 2025-07-01 02:25:05 +02:00 · 15121fd905
commit 15121fd905
parent b83d596789
9 changed files with 36 additions and 18 deletions
--- a/roles/docker-matomo/tasks/main.yml
+++ b/roles/docker-matomo/tasks/main.yml
@ -19,3 +19,17 @@
  set_fact:
    run_once_docker_matomo: true
  when: run_once_docker_matomo is not defined
+
+- name: Exclude global IPs in Matomo
+  uri:
+    url: "{{ matomo_index_php_url }}"
+    method: POST
+    body_format: form-urlencoded
+    body:
+      module: API
+      method: SitesManager.setGlobalExcludedIps
+      excludedIps: "{{ matomo_excluded_ips | join(',') }}"
+      format: json
+      token_auth: "{{ matomo_auth_token }}"
+    return_content: yes
+    status_code: 200
--- a/roles/docker-matomo/vars/configuration.yml
+++ b/roles/docker-matomo/vars/configuration.yml
@ -24,3 +24,4 @@ csp:
 domains:
  aliases:
    - "analytics.{{ primary_domain }}"
+excluded_ips: "{{ networks.internet.values() | list }}"
--- a/roles/docker-matomo/vars/main.yml
+++ b/roles/docker-matomo/vars/main.yml
@ -1,6 +1,10 @@
 ---
-application_id:     "matomo"
-database_type:      "mariadb"
+application_id:       "matomo"
+database_type:        "mariadb"
+matomo_excluded_ips:  "{{ applications.matomo.excluded_ips }}"
+matomo_index_php_url: "{{ web_protocol }}://{{ domains | get_domain('matomo') }}/index.php"
+matomo_auth_token:    "{{ applications.matomo.credentials.auth_token }}"
+

 # I don't know if this is still necessary
-domain:             "{{ domains | get_domain(application_id) }}"
+domain:               "{{ domains | get_domain(application_id) }}"
--- a/roles/docker-nextcloud/templates/env.j2
+++ b/roles/docker-nextcloud/templates/env.j2
@ -31,7 +31,7 @@ NEXTCLOUD_ADMIN_PASSWORD=       "{{applications[application_id].credentials.admi

 NEXTCLOUD_TRUSTED_DOMAINS=      "{{domains | get_domain(application_id)}}"
 # Whitelist local docker gateway in Nextcloud to prevent brute-force throtteling
-TRUSTED_PROXIES=                "192.168.102.65"
+TRUSTED_PROXIES=                "{{ networks.internet.values() | select | join(',') }}"
 OVERWRITECLIURL=                "{{ web_protocol }}://{{domains | get_domain(application_id)}}"
 OVERWRITEPROTOCOL=              "https"

--- a/roles/docker-nextcloud/vars/configuration.yml
+++ b/roles/docker-nextcloud/vars/configuration.yml
@ -222,6 +222,8 @@ plugins:
  user_ldap:
    # Nextcloud user LDAP: integrates LDAP for user management and authentication (https://apps.nextcloud.com/apps/user_ldap)
    enabled: "{{ applications.nextcloud.features.ldap | default(true) }}"
+    user_directory:
+      enabled:  true # Enables the LDAP User Directory Search
  user_oidc:
    # Nextcloud User OIDC: integrates OpenID Connect for user authentication (https://apps.nextcloud.com/apps/user_oidc)
    enabled:    "{{ _applications_nextcloud_oidc_flavor=='user_oidc' | lower }}"
--- a/roles/docker-nextcloud/vars/plugins/user_ldap.yml
+++ b/roles/docker-nextcloud/vars/plugins/user_ldap.yml
@ -163,7 +163,7 @@ plugin_configuration:
  -
    appid: "user_ldap"
    configkey: "s01ldap_userlist_filter"
-    configvalue: "{{ ldap.filters.users.all }}"
+    configvalue: "{% if applications[application_id].plugins.user_ldap.user_directory.enabled %}{{ ldap.filters.users.all }}{% endif %}"
  -
    appid: "user_ldap"
    configkey: "s01use_memberof_to_detect_membership"
--- a/roles/docker-yourls/meta/schema.yml
+++ b/roles/docker-yourls/meta/schema.yml
@ -4,11 +4,6 @@ credentials:
    algorithm: "sha256"
    validation: "^[a-f0-9]{64}$"

-  database_password:
-    description: "Password for the YOURLS database user"
-    algorithm: "bcrypt"
-    validation: "^\\$2[aby]\\$.{56}$"
-
  oauth2_proxy_cookie_secret:
    description: "Secret used to encrypt cookies for the OAuth2 proxy (hex-encoded, 16 bytes)"
    algorithm: "random_hex_16"
--- a/roles/nginx-modifier-matomo/tasks/main.yml
+++ b/roles/nginx-modifier-matomo/tasks/main.yml
@ -5,12 +5,12 @@
    msg:
      domain: "{{ domain }}"
      base_domain: "{{ base_domain }}"
-      verification_url: "{{ verification_url }}"
+      matomo_verification_url: "{{ matomo_verification_url }}"
  when: enable_debug | bool

 - name: "Check if site {{ domain }} is allready registered at Matomo"
  uri:
-    url:            "{{verification_url}}"
+    url:            "{{ matomo_verification_url }}"
    method:         GET
    return_content: yes
    status_code:    200
@ -29,9 +29,9 @@

 - name: Add site to Matomo and get ID if not exists
  uri:
-    url: "{{ web_protocol }}://{{ domains.matomo }}/index.php"
+    url: "{{ matomo_index_php_url }}"
    method: POST
-    body: "module=API&method=SitesManager.addSite&siteName={{ base_domain }}&urls=https://{{ base_domain }}&token_auth={{ applications.matomo.credentials.auth_token }}&format=json"
+    body: "module=API&method=SitesManager.addSite&siteName={{ base_domain }}&urls=https://{{ base_domain }}&token_auth={{ matomo_auth_token }}&format=json"
    body_format: form-urlencoded
    status_code: 200
    return_content: yes
--- a/roles/nginx-modifier-matomo/vars/main.yml
+++ b/roles/nginx-modifier-matomo/vars/main.yml
@ -1,2 +1,4 @@
-base_domain:      "{{ domain | regex_replace('^(?:.*\\.)?(.+\\..+)$', '\\1') }}"
-verification_url: "{{ web_protocol }}://{{domains | get_domain('matomo')}}/index.php?module=API&method=SitesManager.getSitesIdFromSiteUrl&url=https://{{base_domain}}&format=json&token_auth={{applications.matomo.credentials.auth_token}}"
+base_domain:              "{{ domain | regex_replace('^(?:.*\\.)?(.+\\..+)$', '\\1') }}"
+matomo_index_php_url:     "{{ web_protocol }}://{{ domains | get_domain('matomo') }}/index.php"
+matomo_auth_token:        "{{ applications.matomo.credentials.auth_token }}"
+matomo_verification_url:  "{{ matomo_index_php_url }}?module=API&method=SitesManager.getSitesIdFromSiteUrl&url=https://{{ base_domain }}&format=json&token_auth={{ matomo_auth_token }}"