Huge role refactoring/cleanup. Other commits will probably follow, because some bugs will exist. Still important for the long run and also for auto docs/help/slideshow generation

2025-07-08 23:43:13 +02:00
parent 6b87a049d4
commit 563d5fd528
1242 changed files with 2301 additions and 1355 deletions

View File

@@ -0,0 +1,32 @@
# Nextcloud
## Description
Elevate your collaboration with Nextcloud, a vibrant self-hosted cloud solution designed for dynamic file sharing, seamless communication, and effortless teamwork. Nextcloud offers a full suite of integrated tools—including LDAP and OIDC authentication, Redis caching, and automated plugin management via OCC—to empower a secure, extensible, and production-ready cloud environment.
## Overview
This role provisions a complete Nextcloud deployment using Docker Compose. It automates the setup of the Nextcloud application along with its underlying MariaDB database and configures the system for secure public access via an Nginx reverse proxy. The deployment includes automated configuration merging into `config.php`, health check routines, and integrated support for backup and recovery operations.
## Features
- **Fully Dockerized Deployment:** Simplifies installation using Docker Compose for the Nextcloud application and its MariaDB backend.
- **Secure Access:** Integrates with an Nginx reverse proxy for encrypted, high-performance access.
- **Robust Authentication:** Supports LDAP and OIDC for secure identity and access management.
- **Automated Configuration Management:** Uses additive configuration files to dynamically merge system settings into `config.php`.
- **Integrated Backup & Recovery:** Provides built-in support for backup and restoration operations to safeguard your data.
- **Extensible Plugin Framework:** Easily manage and configure hundreds of Nextcloud plugins using the OCC command line tool.
## Documentation
A detailled documentation for the use and administration of Nextcloud on CyMaIS you will find [here](docs/README.md)
## Further Resources
- [Nextcloud Official Website](https://nextcloud.com/)
- [Nextcloud Docker Documentation](https://github.com/nextcloud/docker)
- [Nextcloud Admin Manual](https://docs.nextcloud.com/server/latest/admin_manual/)
- [Nextcloud Admin Manual](https://docs.nextcloud.com/server/latest/admin_manual/)
- [LDAP Integration Guide](https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html)
- [OIDC Login Plugin (pulsejet)](https://github.com/pulsejet/nextcloud-oidc-login)
- [Sociallogin Plugin (Official)](https://apps.nextcloud.com/apps/sociallogin)
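Review bot: the Further Resources list carries the `- [Nextcloud Admin Manual](https://docs.nextcloud.com/server/latest/admin_manual/)` entry twice; drop one. Two wording fixes in the same file: `detailled` should be `detailed`, and the Documentation sentence reads better as `Detailed documentation for the use and administration of Nextcloud on CyMaIS can be found [here](docs/README.md)`. The first sentence of the Description is marketing copy that also opens the `description` in meta/main.yml; a short factual sentence about what the role deploys would serve README readers better than two copies of it.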

View File

@@ -0,0 +1,2 @@
# Todo
- Implement Collabora and Talk Supper . [See](https://www.youtube.com/watch?v=7cRmvTyt1ik)
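Review bot: `Talk Supper` should read `Talk Support`. A bare YouTube link is a weak reference for a TODO; a one-line summary of which Collabora and Talk components are to be wired up would keep the item useful once the video is gone.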

View File

@@ -0,0 +1,20 @@
# Administration
Instructions for manual administrative operations like container login, config file edits, and post-update recovery actions.
## Modify Config 🔧
### Enter the Container
```bash
docker-compose exec -it application /bin/sh
```
### Modify the Configuration
Inside the container, install a text editor and edit the config:
```bash
apk add --no-cache nano && nano config/config.php
```
## Logs
The logs you will find here on the host: **/var/lib/docker/volumes/nextcloud_data/_data/data/nextcloud.log**
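Review bot: the Modify the Configuration step edits `config/config.php` as root (the `docker-compose exec` carries no `-u www-data`), which can leave the file root-owned or with a changed mode, and any setting changed there by hand silently diverges from the additive config mechanism this commit introduces in tasks/config.yml. Prefer `occ config:system:set` for single keys, which keeps ownership and validates the value; if a manual edit is unavoidable, the `apk add` needs root but the edit itself should run as www-data, and the doc should tell admins to put persistent settings into the additive files or vars/system.yml. Minor: `docker-compose exec -it` (v1 syntax) is mixed with `docker compose exec` in the other docs, and the log path is hard-coded to `/var/lib/docker/volumes/nextcloud_data/_data/...`, which only holds while the volume keeps that name.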

View File

@@ -0,0 +1,32 @@
# Nextcloud Applications
Details on specific apps like Cospend, including related SQL queries and debugging tips.
## receive Plugin Information
To receive the relevant configuration options for a plugin type:
```bash
docker compose exec -u www-data application php occ config:list oidc_login
```
## App Relevant Tables 🗃️
- `oc_appconfig`
- `oc_migrations`
## LDAP
## Cospend
### Relevant SQL Commands for Cospend
Debugguging Migrations:
https://github.com/julien-nc/cospend-nc/issues/325
```sql
-- Show all Cospend Tables
SHOW TABLES where Tables_in_nextcloud LIKE "%cospend%";
-- Show Cospend Configuration
SELECT * FROM `oc_appconfig` WHERE appid LIKE "%cospend%";
-- Show Cospend Database Migrations
SELECT * FROM `oc_migrations` WHERE app LIKE "%cospend%";
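Review bot: `config:list oidc_login` in the receive Plugin Information step dumps the app's configuration; occ masks values it flags as sensitive unless `--private` is passed, so the doc should tell readers not to add `--private` when pasting output into tickets or chats. Wording: `receive` should be `Retrieve` in both the heading and the sentence, `Debugguging` should be `Debugging`, and the `## LDAP` heading has no body (either fill it or point to IAM.md, where the LDAP commands live).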
```

View File

@@ -0,0 +1,15 @@
# Database Management (local)
To manage the database if you installed it locally use the following comments. If you have created the database via the central database option, look for the related documentation.
## Database Access
To access the database, execute:
```bash
docker-compose exec -it database mysql -u nextcloud -D nextcloud -p
```
### Recreate Database with New Volume
```bash
docker-compose run --detach --name database --env MYSQL_USER="nextcloud" --env MYSQL_PASSWORD=PASSWORD --env MYSQL_ROOT_PASSWORD=PASSWORD --env MYSQL_DATABASE="nextcloud" -v nextcloud_database:/var/lib/mysql
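Review bot: the `docker-compose run` command in Recreate Database with New Volume has no service or image argument after `-v nextcloud_database:/var/lib/mysql`, so it cannot run as written; with `docker-compose run` the image comes from the service name, so the line should end with `database`, or be replaced by `docker compose up -d database` after the old volume is removed. Passing `--env MYSQL_PASSWORD=PASSWORD` and `--env MYSQL_ROOT_PASSWORD=PASSWORD` on the command line puts the real values into shell history and `ps` output; point readers at the .env file the role already renders instead. Wording: `use the following comments` should be `use the following commands`.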
```

View File

@@ -0,0 +1,72 @@
# Identity and Access Management
IAM(Identity and Access Management) is setup via Keycloak and LDAP.
## OpenID Connect (OIDC) Support 🔐
OIDC is supported in this role—for example, via **Keycloak**. OIDC-specific tasks are included when enabled, allowing integration of external authentication providers seamlessly.
### Verify OIDC Configuration
```bash
docker compose exec -u www-data application /var/www/html/occ config:app:get sociallogin custom_providers
```
## LDAP
More information: https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html
## Get LDAP Configuration
```bash
docker compose exec -u www-data application php occ ldap:show-config
```
## Get all relevant entries except password
```sql
SELECT * FROM `oc_appconfig` WHERE appid LIKE "%ldap%" and configkey != "s01ldap_agent_password";
```
## Update User with LDAP values
```bash
docker compose exec -it -u www-data application php occ ldap:check-user --update {{username}}
```
## Update LDAP Sync
```bash
docker compose exec -u www-data application php occ user:sync-account-data
```
### Update Each User
If you want to update **every LDAP user**, run:
```bash
for user in $(docker compose exec -u www-data application php occ user:list --output=json | jq -r 'keys[]'); do
docker compose exec -u www-data application php occ ldap:check-user --update "$user"
done
```
### Unlink All
```bash
for user in $(docker compose exec -u www-data application php occ ldap:show-remnants | tail -n +3 | awk -F '|' '{print $2}' | tr -d ' ' | grep -v '^$'); do
echo "Unlinking user from LDAP: $user"
echo "y" | docker compose exec -T -u www-data application php occ ldap:reset-user "$user"
done
```
### Reset LDAP Links for Orphaned Users
Run this **corrected script**:
```bash
for user in $(docker compose exec -u www-data application php occ ldap:show-remnants | tail -n +3 | awk -F '|' '{print $2}' | tr -d ' ' | grep -v '^$'); do
echo "Resetting LDAP link for user: $user"
echo "y" | docker compose exec -T -u www-data application php occ ldap:reset-user "$user"
done
```
## Federation
If users are just created via Keycloak and not via LDAP, they have a different username. Due to this reaso concider to use LDAP to guaranty that the username is valid.
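Review bot: the query in Get all relevant entries except password excludes only `s01ldap_agent_password`; a second LDAP server configuration is stored under the `s02` prefix, so its bind password would still be printed. Filter by pattern instead, e.g. `configkey NOT LIKE '%ldap_agent_password'`. The Unlink All and Reset LDAP Links for Orphaned Users sections contain the identical loop, and the phrase `Run this **corrected script**` suggests one is a leftover; keep one under a clear name. That loop parses the `ldap:show-remnants` table with `tail -n +3 | awk -F '|'`, which breaks as soon as the column layout changes, and then pipes `y` into a destructive command; use `--json` output if the installed version supports it, and suggest a dry run (`echo` the user instead of calling `ldap:reset-user`) first. Wording in Federation: `reaso concider` should be `reason, consider`, `guaranty` should be `guarantee`.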

View File

@@ -0,0 +1,41 @@
## Add LDAP Users Manually for Immediate Sharing
In a default Nextcloud + LDAP setup, user accounts are only created in the internal Nextcloud database **after their first login**. This means that even if a user exists in LDAP, they **cannot receive shared files or folders** until they have logged in at least once—or are manually synchronized.
To make LDAP users available for sharing **without requiring initial login**, follow these steps:
### 1. Search for the User in LDAP
Check if the user exists in the configured LDAP directory:
```bash
docker exec -u www-data nextcloud-application php occ ldap:search <username>
```
If the user is found, proceed to the next step.
### 2. Create the User in Nextcloud from LDAP
Manually trigger a sync to register the user in the Nextcloud database:
```bash
docker exec -u www-data nextcloud-application php occ ldap:check-user --update <username>
```
**Example:**
```bash
docker exec -u www-data nextcloud-application php occ ldap:check-user --update viktoriakaffanke
```
Once executed, the user becomes fully available in the system—for sharing, group membership, and permissions—even without logging in.
### 3. Synchronize All Known Users (Optional)
To synchronize account data (display name, mail address, group memberships, etc.) for **all users** currently known to Nextcloud:
```bash
docker exec -u www-data nextcloud-application php occ user:sync-account-data
```
This step is especially useful after modifying LDAP attributes or group memberships, ensuring up-to-date data in the Nextcloud UI and permission system.
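Review bot: the Example under step 2 uses what looks like a real person's account name (`viktoriakaffanke`) in public documentation; replace it with a placeholder such as `jdoe`. The commands use `docker exec -u www-data nextcloud-application` while the other docs in this commit use `docker compose exec -u www-data application`; both work, but one form should be used throughout so readers do not wonder whether this is a different container. The file starts at `##`, so it has no top-level heading, and the docs/README.md index has no entry that obviously points to it.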

View File

@@ -0,0 +1,28 @@
# OCC (Nextcloud Command Line) 🔧
Reference for frequently used OCC commands, including user and app management.
## General Use
To use OCC, run:
```bash
docker-compose exec -it -u www-data application /var/www/html/occ
```
## App Administration
```bash
docker compose exec -u www-data application php occ config:list {{app_name}}
```
## Initialize Duplicates
```bash
docker-compose exec -it -u www-data application /var/www/html/occ duplicates:find-all --output
```
## Unlock Files
```bash
docker-compose exec -it -u www-data application /var/www/html/occ maintenance:mode --on
docker-compose exec -it nextcloud_database_1 mysql -u nextcloud -pPASSWORD1234132 -D nextcloud -e "delete from oc_file_locks where 1"
docker-compose exec -it -u www-data application /var/www/html/occ maintenance:mode --off
```
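Review bot: the Unlock Files block hard-codes a database password (`-pPASSWORD1234132`) and the compose-v1 container name `nextcloud_database_1`, while the Database doc uses the service name `database` and prompts with `-p`; use the same form here so a real password never ends up in a doc or in `ps` output. If `memcache.locking` is set to Redis (the redis.php template leaves that to the environment variables), file locks are not kept in `oc_file_locks` and `delete from oc_file_locks where 1` does nothing; the doc should say which locking backend this recipe applies to. `docker-compose exec -it` (v1) is also mixed with `docker compose exec` within this one file.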

View File

@@ -0,0 +1,14 @@
# Nextcloud Docs for CyMaIS
This folder contains the Nextcloud Docs for CyMaIS.
## Index
Operational guidance can be found in the following supporting documentation files:
- [Applications.md](Applications.md)
- [Architecture.md](Architecture.md)
- [Administration.md](Administration.md)
- [Update.md](Update.md)
- [OCC.md](OCC.md)
- [Database.md](Database.md)
- [IAM.md](IAM.md)
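Review bot: the Index lists `Architecture.md`, which is not part of this commit, and has no entries for the User Administration and manual LDAP user sync documents that are; add those entries or note where they live, since this README is what the role README links to as the documentation entry point.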

View File

@@ -0,0 +1,53 @@
# Update 🔄
To update the Nextcloud container, execute the following commands on the server:
```bash
docker exec -it -u www-data nextcloud-application /var/www/html/occ maintenance:mode --on &&
export COMPOSE_HTTP_TIMEOUT=600 &&
export DOCKER_CLIENT_TIMEOUT=600 &&
docker-compose down
```
Afterwards, update the ***applications.nextcloud.version*** variable to the next version and run this repository with this Ansible role.
> **Note:**
> It is only possible to update from one to the next major version at a time.
> Wait for the update to finish.
Verify the update by checking the logs:
```bash
docker-compose logs application
```
and
```bash
docker-compose exec -it application top
```
If Nextcloud remains in maintenance mode after the update, try the following:
```bash
docker exec -it -u www-data nextcloud-application/var/www/html/occ maintenance:mode --on
docker exec -it -u www-data nextcloud-application /var/www/html/occ upgrade
docker exec -it -u www-data nextcloud-application /var/www/html/occ maintenance:mode --off
```
If the update process fails, execute:
```bash
docker exec -it -u www-data nextcloud-application /var/www/html/occ maintenance:repair --include-expensive
```
and disable any non-functioning apps.
---
## Recover Latest Backup 💾
```bash
cd {{path_docker_compose_instances}}nextcloud &&
docker-compose down &&
docker-compose exec -i database mysql -u nextcloud -pPASSWORT nextcloud < "/Backups/$(sha256sum /etc/machine-id | head -c 64)/backup-docker-to-local/latest/nextcloud_database/sql/backup.sql" &&
cd {{path_administrator_scripts}}backup-docker-to-local &&
bash ./recover-web-app-from-local.sh "nextcloud_data" "$(sha256sum /etc/machine-id | head -c 64)"
```
## Other Resources
- [Nextcloud Upgrade via Docker by Goneuland](https://goneuland.de/nextcloud-upgrade-auf-neue-versionen-mittels-docker/)
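Review bot: `docker exec -it -u www-data nextcloud-application/var/www/html/occ maintenance:mode --on` in the maintenance-mode recovery block is missing the space before `/var/www/html/occ`, so docker looks for a container named with that whole string and the command fails. In Recover Latest Backup, `docker-compose exec -i database mysql ...` runs directly after `docker-compose down`, when the database container is stopped and `exec` cannot attach; start the database first (`docker compose up -d database`), wait for it to be healthy, then import. `-pPASSWORT` is a literal in that command; as in the Database doc, prompt with `-p` or read the password from the rendered .env rather than writing it into a doc.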

View File

@@ -0,0 +1,43 @@
# User Administration
### List Users
```bash
docker compose exec -it -u www-data application php occ user:list
```
### Get User Info
```bash
docker compose exec -u www-data application php occ user:info {{username}}
```
### Sync Users
```bash
docker compose exec -it -u www-data application php occ user:sync
```
### Create user via CLI
```bash
docker compose exec -it -u www-data application php occ user:add {{username}}
```
### Make user admin via cli
```bash
docker compose exec -it -u www-data application php occ group:adduser admin {{username}}
```
### Delete user via CLI
```bash
docker compose exec -it -u www-data application php occ user:delete {{username}}
```
### Delete all User (if no ldap is used)
```bash
for user in $(docker compose exec -u www-data application php occ user:list --output=json | jq -r 'keys[]'); do
docker compose exec -u www-data application php occ user:delete "$user"
done
```
### Identify users which exist still in nextcloud but not in LDAP anymore
```bash
occ ldap:show-remnants
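Review bot: `occ user:sync` in Sync Users is an ownCloud command; Nextcloud core provides `user:sync-account-data` (used in IAM.md), so check that this one actually exists in the deployed version. Delete all User (if no ldap is used) iterates over every uid from `user:list`, which includes the `administrator` account this role creates, with no confirmation; exclude the admin user in the loop or state plainly that the instance is unusable afterwards. Minor: the last block calls bare `occ` while every other block wraps it in `docker compose exec -u www-data application php occ`.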
```

View File

@@ -0,0 +1,6 @@
---
- name: restart nextcloud nginx service
command:
cmd: "docker exec {{applications.nextcloud.container.proxy}} nginx -s reload"
listen: restart nextcloud nginx service
ignore_errors: true # Ignoring if container is restarting
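Review bot: `ignore_errors: true` on the reload handler also hides a failing `nginx -s reload` caused by a broken rendered nginx.conf (tasks/main.yml notifies this handler after templating the internal config), so a bad template ships without the play failing. Prefer `register` plus a `failed_when` that tolerates only the restart case, e.g. `failed_when: reload.rc != 0 and 'is restarting' not in reload.stderr`, or retry with `until`. `listen:` repeats the handler's own name and can be dropped.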

View File

@@ -0,0 +1,35 @@
---
galaxy_info:
author: "Kevin Veen-Birkenbach"
description: "Elevate your collaboration with Nextcloud, a vibrant self-hosted cloud solution designed for dynamic file sharing, seamless communication, and effortless teamwork. Embrace unparalleled control, flexibility, and a boosted digital workspace that adapts to your every need."
license: "CyMaIS NonCommercial License (CNCL)"
license_url: "https://s.veen.world/cncl"
company: |
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
https://www.veen.world
min_ansible_version: "2.9"
platforms:
- name: Linux
versions:
- all
galaxy_tags:
- nextcloud
- docker
- nginx
- oidc
- ldap
- automation
- cloud
- web
- php
repository: "https://s.veen.world/cymais"
issue_tracker_url: "https://s.veen.world/cymaisissues"
documentation: "https://s.veen.world/cymais/web-app-nextcloud"
logo:
class: "fa-solid fa-cloud"
run_after:
- web-app-collabora
- web-app-keycloak
- web-app-mastodon
- service-rdbms-mariadb

View File

@@ -0,0 +1,6 @@
credentials:
administrator_password:
description: "Initial password for the Nextcloud administrator (change immediately and enable 2FA)"
algorithm: "sha256"
validation: "^[a-f0-9]{64}$"
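Review bot: `validation: "^[a-f0-9]{64}$"` together with `algorithm: "sha256"` means the administrator password is a hex digest, but the schema does not say what is hashed; a digest of a predictable input (hostname, machine-id) is no stronger than that input, so document the source or require a random seed. The description's `change immediately and enable 2FA` is advice nothing enforces; if the role can, set the password through occ on first run and consider `occ twofactorauth:enforce --on` for the admin group, otherwise this remains a note nobody reads.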

View File

@@ -0,0 +1,7 @@
users:
administrator:
username: "administrator"
no-reply:
username: "no-reply"
roles:
- mail-bot

View File

@@ -0,0 +1,18 @@
- name: Merge all files in cymais directory (container)
block:
- name: Add dynamic config merging from Jinja template
template:
src: include.php.j2
dest: "{{nextcloud_host_include_instructions_file}}"
notify: docker compose restart
- name: Copy include instructions to the container
command: >
docker cp {{ nextcloud_host_include_instructions_file }} {{ applications.nextcloud.container.application }}:{{nextcloud_docker_include_instructions_file}}
- name: Append generated config to config.php only if not present
command: >
docker exec -u {{nextcloud_docker_user}} {{ applications.nextcloud.container.application }} sh -c "
grep -q '{{ nextcloud_docker_config_additives_directory }}' {{ nextcloud_docker_config_file }} ||
cat {{nextcloud_docker_include_instructions_file}} >> {{ nextcloud_docker_config_file }}"
notify: docker compose restart
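Review bot: the Append generated config task is a `command` without `changed_when`, so it reports changed on every run and its `notify: docker compose restart` restarts Nextcloud on every play, even when `grep -q` found the include already present (both branches of `grep -q ... || cat ... >>` exit 0, so rc cannot tell them apart). Print a marker in the append branch and use `changed_when: '"appended" in result.stdout'`, or split grep and append into two tasks with the second conditional on the first. The `docker cp` task has the same always-changed behaviour; `changed_when: false` is appropriate there.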

View File

@@ -0,0 +1,72 @@
---
- name: "include service-rdbms-central"
include_role:
name: service-rdbms-central
- name: "create {{ nextcloud_host_config_additives_directory }}"
file:
path: "{{ nextcloud_host_config_additives_directory }}"
state: directory
mode: 0755
- name: "Create config files at {{ nextcloud_host_config_additives_directory }}"
template:
src: "{{ item }}"
dest: "{{ nextcloud_host_config_additives_directory }}/{{ item | basename | regex_replace('\\.j2$', '') }}"
owner: "{{nextcloud_docker_user_id}}"
group: "{{nextcloud_docker_user_id}}"
loop: "{{ lookup('fileglob', role_path ~ '/templates/config/*.j2', wantlist=True) }}"
# Not all type of changes take instantly place. Due to this reason a rebuild is required.
notify: docker compose up
- name: "include role for {{application_id}} to receive certs & do modification routines"
include_role:
name: webserver-composer
- name: create nextcloud nginx proxy configuration file
template:
src: "nginx/host.conf.j2"
dest: "{{nginx.directories.http.servers}}{{domains | get_domain(application_id)}}.conf"
notify: restart nginx
- name: create internal nextcloud nginx configuration
template:
src: "nginx/docker.conf.j2"
dest: "{{docker_compose.directories.volumes}}nginx.conf"
notify: restart nextcloud nginx service
- name: Flush all handlers immediately so that occ can be used
meta: flush_handlers
- name: Setup config.php
include_tasks: config.yml
- name: Setup Nextcloud Plugins
include_tasks: plugin.yml
loop: "{{applications[application_id].plugins | dict2items }}"
loop_control:
loop_var: plugin_item
vars:
plugin_key: "{{ plugin_item.key }}"
plugin_value: "{{ plugin_item.value }}"
- name: Load system configuration
include_tasks: system.yml
- name: Add missing database indices in Nextcloud
command: >
{{nextcloud_docker_exec_occ}} db:add-missing-indices
register: db_indices_result
changed_when: >
'Adding additional' in db_indices_result.stdout or
'Removing' in db_indices_result.stdout or
'updated successfully' in db_indices_result.stdout
failed_when: db_indices_result.rc != 0
- name: Ensure Nextcloud administrator is in the 'admin' group
command: >
docker exec -u {{ nextcloud_docker_user }} {{ applications.nextcloud.container.application }}
php occ group:adduser admin {{ applications.nextcloud.users.administrator.username }}
register: add_admin_to_group
changed_when: "'Added user' in add_admin_to_group.stdout"
failed_when: add_admin_to_group.rc != 0 and "'is already a member of' not in add_admin_to_group.stderr"
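Review bot: in `failed_when: add_admin_to_group.rc != 0 and "'is already a member of' not in add_admin_to_group.stderr"` the second operand is a quoted string literal rather than an expression, and a non-empty string is always true, so the already-a-member case is never tolerated and the condition collapses to `rc != 0`. Drop the outer quotes: `add_admin_to_group.rc != 0 and 'is already a member of' not in add_admin_to_group.stderr`. Two smaller points: `owner` and `group` on the config-file template both receive `nextcloud_docker_user_id`, which is only right if uid and gid coincide in the image; and the additives directory is created with `mode: 0755` while the files rendered into it include the OIDC client secret, so `0750` for the directory and `0640` for the files is enough for the container's www-data and keeps other local users out.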

View File

@@ -0,0 +1,74 @@
- name: "Disable incompatible plugins for {{plugin_key}}."
command: "{{nextcloud_docker_exec_occ}} app:disable {{incompatible_plugin}}"
loop: "{{plugin_value.incompatible_plugins}}"
loop_control:
loop_var: incompatible_plugin
register: disable_incompatible_plugin_result
changed_when: disable_incompatible_plugin_result.rc == 0 and ("No such app enabled" not in disable_incompatible_plugin_result.stdout)
when:
- plugin_value.incompatible_plugins is defined and plugin_value.incompatible_plugins | length > 0
- plugin_value.enabled | bool
- name: disable {{ plugin_key }} nextcloud plugin
command: "{{nextcloud_docker_exec_occ}} app:disable {{ plugin_key }}"
register: disable_result
changed_when: disable_result.rc == 0 and ("No such app enabled" not in disable_result.stdout)
when: not (plugin_value.enabled | bool)
- name: install {{ plugin_key }} nextcloud plugin
command: "{{ nextcloud_docker_exec_occ }} app:install {{ plugin_key }}"
register: install_result
failed_when: >
install_result.rc != 0
and
("already installed" not in install_result.stdout)
and
("not compatible with this version of the server" not in install_result.stdout)
changed_when: >
install_result.rc == 0
and
("already installed" not in install_result.stdout)
when: plugin_value.enabled | bool
- block:
- name: enable {{plugin_key}} nextcloud plugin
command: "{{nextcloud_docker_exec_occ}} app:enable {{plugin_key}}"
register: enable_result
changed_when: enable_result.rc == 0 and ("already enabled" not in enable_result.stdout)
- name: Check if {{nextcloud_control_node_plugin_vars_directory}}{{ plugin_key }}.yml exists
stat:
path: "{{nextcloud_control_node_plugin_vars_directory}}{{ plugin_key }}.yml"
delegate_to: localhost
become: false
register: plugin_vars_file
- name: "Load {{ plugin_key }} configuration variables"
include_vars:
file: "{{nextcloud_control_node_plugin_vars_directory}}{{ plugin_key }}.yml"
when: plugin_vars_file.stat.exists
- name: "Set {{ item.configkey }} for {{ item.appid }}"
loop: "{{ plugin_configuration }}"
command: >
{{ nextcloud_docker_exec_occ }} config:app:set {{ item.appid }} {{ item.configkey }} --value '{{ item.configvalue | to_json if item.configvalue is mapping else item.configvalue }}'
register: config_set_result
changed_when: (config_set_result.stdout is defined) and ("Config value were not updated" not in config_set_result.stdout)
when: plugin_vars_file.stat.exists
- name: Check if {{nextcloud_control_node_plugin_tasks_directory}}{{ plugin_key }}.yml exists
stat:
path: "{{nextcloud_control_node_plugin_tasks_directory}}{{ plugin_key }}.yml"
delegate_to: localhost
become: false
register: plugin_tasks_file
- name: "include {{nextcloud_control_node_plugin_tasks_directory}}{{ plugin_key }}.yml"
include_tasks: "{{nextcloud_control_node_plugin_tasks_directory}}{{ plugin_key }}.yml"
when: plugin_tasks_file.stat.exists
when:
- plugin_value.enabled | bool
- install_result is defined
- >
install_result.rc == 0
or "already installed" in install_result.stdout
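Review bot: `failed_when` on the install task swallows `not compatible with this version of the server`, and the enable block's `when` then skips everything for that plugin, so an app configured as `enabled: true` silently stays off after a server upgrade; emit at least a warning (`debug` with the stdout) or fail behind a flag so the operator learns about it. The `config:app:set ... --value '{{ item.configvalue ... }}'` line breaks for any value containing a single quote, because the `command` module splits its argument string with shell-like quoting rules; render the value with the `quote` filter instead of wrapping it in literal quotes. Values set in that loop can include secrets loaded from the plugin vars files, so add `no_log: true` to it, or at least to items marked sensitive.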

View File

@@ -0,0 +1,6 @@
# @See https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html
# @See https://chatgpt.com/c/67aa2d21-cb4c-800f-b1be-8629b6bd3f55
- name: Set Nextcloud LDAP bind password
command: >
{{ nextcloud_docker_exec_occ }} ldap:set-config s01 ldapAgentPassword "{{ ldap.bind_credential }}"
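Review bot: the `ldap:set-config s01 ldapAgentPassword "{{ ldap.bind_credential }}"` task has no `no_log: true`, so the bind password appears in the task output and in any Ansible log whenever the play runs verbosely or the command fails. Add `no_log: true` and, since this is a `command`, a `changed_when` (it reports changed on every run now). The `@See https://chatgpt.com/c/...` comment points at a private chat transcript nobody else can open; the Nextcloud docs reference above it is enough.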

View File

@@ -0,0 +1,8 @@
- name: Load System Nextcloud configuration variables
include_vars:
file: system.yml
- name: Apply Nextcloud configurations
loop: "{{ nextcloud_system_config }}"
command: "{{nextcloud_docker_exec_occ}} config:system:set {{ item.parameter }}{% if item.type is defined %} --type {{ item.type }}{% endif %} --value {{ item.value }}"
# No good changed_when condition available

View File

@@ -0,0 +1,2 @@
This folder contains configuration files which will be loaded direct into the config.php
If you don't use nested configuration, concider to use the vars/system.yml file instead, because it's a cleaner way to set the configuration.
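Review bot: wording: `loaded direct into the config.php` should be `loaded directly into config.php`, and `concider` should be `consider`. Worth adding in the same note that these files are PHP that config.php pulls in, so a syntax error in any of them takes the whole instance down; checking each with `php -l` before the container is restarted would catch that.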

View File

@@ -0,0 +1,14 @@
<?php
# Implementing redis configuration
return array (
# For single server setup APCu is recommended, for multi server setup Redis
'memcache.local' => '\\OC\\Memcache\\{% if deployment_mode == "single" %}APCu{% else %}Redis{% endif %}',
# The following lines are configured via the environment variables
# 'memcache.locking' => '\\OC\\Memcache\\Redis',
# 'redis' =>
# array (
# 'host' => 'redis',
# 'port' => 6379,
# )
);

View File

@@ -0,0 +1,220 @@
<?php
# Implementing OICD configuration
{% if applications[application_id].oidc.flavor == "oidc_login" %}
# Check out: https://github.com/pulsejet/nextcloud-oidc-login
return array (
// Some Nextcloud options that might make sense here
'allow_user_to_change_display_name' => false,
'lost_password_link' => 'disabled',
// URL of provider. All other URLs are auto-discovered from .well-known
'oidc_login_provider_url' => '{{oidc.client.issuer_url}}',
// Client ID and secret registered with the provider
'oidc_login_client_id' => '{{oidc.client.id}}',
'oidc_login_client_secret' => '{{oidc.client.secret}}',
// Automatically redirect the login page to the provider
'oidc_login_auto_redirect' => true,
// Redirect to this page after logging out the user
'oidc_login_logout_url' => 'https://{{domains | get_domain(application_id)}}',
// If set to true the user will be redirected to the
// logout endpoint of the OIDC provider after logout
// in Nextcloud. After successfull logout the OIDC
// provider will redirect back to 'oidc_login_logout_url' (MUST be set).
'oidc_login_end_session_redirect' => true,
// Quota to assign if no quota is specified in the OIDC response (bytes)
//
// NOTE: If you want to allow NextCloud to manage quotas, omit this option. Do not set it to
// zero or -1 or ''.
'oidc_login_default_quota' => '{{applications[application_id].default_quota}}',
// Login button text
'oidc_login_button_text' => '{{oidc.button_text}}',
// Hide the NextCloud password change form.
'oidc_login_hide_password_form' => true,
// Use ID Token instead of UserInfo
'oidc_login_use_id_token' => true,
// Attribute map for OIDC response. Available keys are:
// * id: Unique identifier for username
// * name: Full name
// If set to null, existing display name won't be overwritten
// * mail: Email address
// If set to null, existing email address won't be overwritten
// * quota: Nextcloud storage quota
// * home: Home directory location. A symlink or external storage to this location is used
// * ldap_uid: LDAP uid to search for when running in proxy mode
// * groups: Array or space separated string of Nextcloud groups for the user.
// Note that the name here corresponds to the GID of the group and not the display name
// In the admin panel, the GID may be obtained from the URL when editing a group
// * login_filter: Array or space separated string. If 'oidc_login_filter_allowed_values' is
// set, it is checked against these values.
// * photoURL: The URL of the user avatar. The nextcloud server will download the picture
// at user login. This may lead to security issues. Use with care.
// This will only be effective if oidc_login_update_avatar is enabled.
// * is_admin: If this value is truthy, the user is added to the admin group (optional)
//
// The attributes in the OIDC response are flattened by adding the nested
// array key as the prefix and an underscore. Thus,
//
// $profile = [
// 'id' => 1234,
// 'attributes' => [
// 'uid' => 'myuid',
// 'abc' => 'xyz'
// ],
// 'list' => ['one', 'two']
// ];
//
// would become,
//
// $profile = [
// 'id' => 1234,
// 'attributes' => [
// 'uid' => 'myuid',
// 'abc' => 'xyz'
// ],
// 'attributes_uid' => 'myuid',
// 'attributes_abc' => 'xyz',
// 'list' => ['one', 'two'],
// 'list_0' => 'one',
// 'list_1' => 'two',
// 'list_one' => 'one',
// 'list_two' => 'two',
// ]
//
// https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
//
// note: on Keycloak, OIDC name claim = "${given_name} ${family_name}" or one of them if any is missing
//
'oidc_login_attributes' => array (
'id' => '{{ldap.user.attributes.id}}',
'name' => 'name',
'mail' => 'email',
'quota' => '{{ ldap.user.attributes.nextcloud_quota }}',
# 'home' => 'homeDirectory', # Not implemented yet
'ldap_uid' => '{{oidc.attributes.username}}',
# 'groups' => 'ownCloudGroups', # Not implemented yet
# 'login_filter' => 'realm_access_roles',
// 'photoURL' => 'picture',
// 'is_admin' => 'ownCloudAdmin',
),
// Default group to add users to (optional, defaults to nothing)
// 'oidc_login_default_group' => 'oidc',
// DEPRECATED: This option will be removed in a future release. Use
// 'login_filter' and 'oidc_login_filter_allowed_values' instead.
//
// Allow only users in configured group(s) to access Nextcloud. In case the user
// is not assigned to this group (read from oidc_login_attributes) the login
// will not be allowed for this user.
//
// Must be specified as an array of groups that are allowed to access Nextcloud.
// e.g. 'oidc_login_allowed_groups' => array('group1', 'group2')
'oidc_login_allowed_groups' => null,
// Allow only users in configured value(s) to access Nextcloud. In case the user
// is not assigned to this value (read from oidc_login_attributes) the login
// will not be allowed for this user.
//
// Must be specified as an array of values (e.g. roles) that are allowed to
// access Nextcloud. e.g. 'oidc_login_filter_allowed_values' => array('role1', 'role2')
'oidc_login_filter_allowed_values' => null,
// Use external storage instead of a symlink to the home directory
// Requires the files_external app to be enabled
'oidc_login_use_external_storage' => false,
// Set OpenID Connect scope
'oidc_login_scope' => 'openid profile',
// Run in LDAP proxy mode
// In this mode, instead of creating users of its own, OIDC login
// will get the existing user from an LDAP database and only
// perform authentication with OIDC. All user data will be derived
// from the LDAP database instead of the OIDC user response
//
// The `id` attribute in `oidc_login_attributes` must return the
// "Internal Username" (see expert settings in LDAP integration)
'oidc_login_proxy_ldap' => {{ applications | is_feature_enabled('ldap',application_id) | string | lower }},
// Disable creation of users new to Nextcloud from OIDC login.
// A user may be known to the IdP but not (yet) known to Nextcloud.
// This setting controls what to do in this case.
// - 'true' (default): if the user authenticates to the IdP but is not known to Nextcloud,
// then they will be returned to the login screen and not allowed entry;
// - 'false': if the user authenticates but is not yet known to Nextcloud,
// then the user will be automatically created; note that with this setting,
// you will be allowing (or relying on) a third-party (the IdP) to create new users
'oidc_login_disable_registration' => true,
// Fallback to direct login if login from OIDC fails
// Note that no error message will be displayed if enabled
'oidc_login_redir_fallback' => false,
// Use an alternative login page
// This page will be php-included instead of a redirect if specified
// For example, setting it to `assets/login.php` will use that file
// in the nextcloud base directory
// Note: the PHP variable $OIDC_LOGIN_URL is available for redirect URI
// Note: you may want to try setting `oidc_login_logout_url` to your
// base URL if you face issues regarding re-login after logout
'oidc_login_alt_login_page' => false,
// For development, you may disable TLS verification. Default value is `true`
// which should be kept in production
'oidc_login_tls_verify' => true,
// If you get your groups from the oidc_login_attributes, you might want
// to create them if they are not already existing, Default is `false`.
'oidc_create_groups' => false,
// Enable use of WebDAV via OIDC bearer token.
'oidc_login_webdav_enabled' => false,
// Enable authentication with user/password for DAV clients that do not
// support token authentication (e.g. DAVx⁵)
'oidc_login_password_authentication' => false,
// The time in seconds used to cache public keys from provider.
// The default value is 1 day.
'oidc_login_public_key_caching_time' => 86400,
// The minimum time in seconds to wait between requests to the jwks_uri endpoint.
// Avoids that the provider will be DoSed when someone requests with unknown kids.
// The default is 10 seconds.
'oidc_login_min_time_between_jwks_requests' => 10,
// The time in seconds used to cache the OIDC well-known configuration from the provider.
// The default value is 1 day.
'oidc_login_well_known_caching_time' => 86400,
// If true, nextcloud will download user avatars on login.
// This may lead to security issues as the server does not control
// which URLs will be requested. Use with care.
'oidc_login_update_avatar' => false,
// If true, the default Nextcloud proxy won't be used to make internals OIDC call.
// The default is false.
'oidc_login_skip_proxy' => false,
// Code challenge method for PKCE flow.
// Possible values are:
// - 'S256'
// - 'plain'
// The default value is empty, which won't apply the PKCE flow.
'oidc_login_code_challenge_method' => '',
);
{% else %}
return [];
{% endif %}
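Review bot: `'oidc_login_code_challenge_method' => ''` leaves PKCE off for the authorization-code flow; the comment two lines above lists `'S256'` as the option, and with Keycloak as the provider there is no reason not to set it. Smaller points: `# Implementing OICD configuration` should read OIDC; `'id' => '{{ldap.user.attributes.id}}'` is an OIDC claim name populated from an LDAP attribute variable, which is only correct when the token really carries a claim of that name, so a comment stating that assumption would help the next maintainer; and because the rendered file holds `oidc_login_client_secret`, the additives directory created in tasks/main.yml must not be world-readable.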

View File

@@ -0,0 +1,12 @@
<?php
# Activates the turn server
# @see https://nextcloud-talk.readthedocs.io/en/latest/TURN/
return 'turn_servers' => [
[
'host' => 'coturn',
'port' => 3478,
'secret' => 'my-secret-key',
'protocols' => 'udp,tcp'
]
];
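Review bot: `return 'turn_servers' => [ ... ];` is not valid PHP (`return` needs an expression, and `'key' => value` is only legal inside an array literal), so as soon as this additive is pulled into config.php the whole file fails to parse and Nextcloud stops serving. It should read `return ['turn_servers' => [ ... ]];`. `'secret' => 'my-secret-key'` is a hard-coded placeholder that mirrors the commented-out `TURN_SECRET` in the compose template; template it from a generated credential. Also verify where Talk reads this: TURN servers are normally kept in the spreed app config (`occ talk:turn:add` or the admin UI), not in config.php, in which case this file would have no effect even once the syntax is fixed.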

View File

@@ -0,0 +1,81 @@
{% include 'roles/docker-compose/templates/base.yml.j2' %}
application:
image: "nextcloud:{{applications.nextcloud.version}}-fpm-alpine"
container_name: {{applications.nextcloud.container.application}}
volumes:
- data:{{nextcloud_docker_work_directory}}
- {{nextcloud_host_config_additives_directory}}:{{nextcloud_docker_config_additives_directory}}:ro
healthcheck:
test: ["CMD", "su", "www-data", "-s", "/bin/sh", "-c", "php {{nextcloud_docker_work_directory}}occ status"]
interval: 1m
timeout: 10s
retries: 3
{% include 'roles/docker-container/templates/base.yml.j2' %}
{% include 'roles/docker-container/templates/depends_on/dmbs_excl.yml.j2' %}
{% include 'roles/docker-container/templates/networks.yml.j2' %}
ipv4_address: 192.168.102.69
# @Todo activate
#nc-talk:
# image: nextcloud/aio-talk:latest
# container_name: talk_hpb
# hostname: hpb_yt
# restart: unless-stopped
# init: true
# ports:
# - 3478:3478/tcp #TURN TCP
# - 3478:3478/udp #TURN UDP
# - 8181:8081/tcp #Signaling
# environment:
# - NC_DOMAIN=cloud.yourdomain.tld
# - TALK_HOST=signaling.yourdomain.tld
# - TURN_SECRET=${TURN_SECRET}
# - SIGNALING_SECRET=${SIGNALING_SECRET}
# - TZ=Europe/Berlin
# - TALK_PORT=3478
# - INTERNAL_SECRET=${INTERNAL_SECRET}
# networks:
# - nxnetwork_yt
web:
image: nginx:alpine
container_name: {{applications.nextcloud.container.proxy}}
logging:
driver: journald
restart: {{docker_restart_policy}}
ports:
- "127.0.0.1:{{ports.localhost.http[application_id]}}:{{ container_port }}"
volumes:
- "{{docker_compose.directories.volumes}}nginx.conf:/etc/nginx/nginx.conf:ro"
volumes_from:
- application
{% include 'roles/docker-container/templates/healthcheck/curl.yml.j2' %}
networks:
default:
ipv4_address: 192.168.102.67
cron:
container_name: nextcloud-cron
image: "nextcloud:{{applications.nextcloud.version}}-fpm-alpine"
restart: {{docker_restart_policy}}
logging:
driver: journald
volumes:
- data:{{nextcloud_docker_work_directory}}
entrypoint: /cron.sh
healthcheck:
test: ["CMD", "su", "www-data", "-s", "/bin/sh", "-c", "php {{nextcloud_docker_work_directory}}occ status"]
interval: 1m
timeout: 10s
retries: 3
{% include 'roles/docker-container/templates/depends_on/dmbs_excl.yml.j2' %}
{% include 'roles/docker-container/templates/networks.yml.j2' %}
ipv4_address: 192.168.102.70
{% include 'roles/docker-compose/templates/volumes.yml.j2' %}
data:
redis:
{% include 'roles/docker-compose/templates/networks.yml.j2' %}
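Review bot: `volumes_from: - application` on the `web` service mounts the entire Nextcloud tree read-write into the nginx container, including `config/config.php` with the database password, `secret` and `passwordsalt`. nginx only needs to read static assets, so mount it read-only with `- application:ro`; the internal nginx config does block `/config` from clients, but the container itself still does not need write access. Two smaller points: the commented `nc-talk` block publishes `3478:3478/tcp` and `/udp` on all interfaces, unlike `web`, which is bound to `127.0.0.1`, so revisit that binding before the block is activated; and the include name `depends_on/dmbs_excl.yml.j2` looks like a transposition of `dbms`, which works as a path but is easy to mistype elsewhere.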

View File

@@ -0,0 +1,40 @@
# @See https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html
# @See https://github.com/nextcloud/docker/blob/master/README.md
# Database Configuration
MYSQL_DATABASE= "{{database_name}}"
MYSQL_USER= "{{database_username}}"
MYSQL_PASSWORD= "{{database_password}}"
MYSQL_HOST= "{{database_host}}:{{database_port}}"
# PHP
PHP_MEMORY_LIMIT= "{{applications[application_id].performance.php.memory_limit}}"
PHP_UPLOAD_LIMIT= "{{applications[application_id].performance.php.upload_limit}}"
PHP_OPCACHE_MEMORY_CONSUMPTION= "{{applications[application_id].performance.php.opcache_memory_consumption}}"
# Email Configuration
SMTP_HOST= {{system_email.host}}
SMTP_SECURE= {{ 'ssl' if system_email.tls else '' }}
SMTP_PORT= {{system_email.port}}
SMTP_NAME= {{ users['no-reply'].email }}
SMTP_PASSWORD= {{ users['no-reply'].mailu_token }}
# Email from configuration
MAIL_FROM_ADDRESS= "{{ users['no-reply'].username }}"
MAIL_DOMAIN= "{{system_email.domain}}"
# Initial Admin Data
NEXTCLOUD_ADMIN_USER= "{{applications[application_id].users.administrator.username}}"
NEXTCLOUD_ADMIN_PASSWORD= "{{applications[application_id].credentials.administrator_password}}"
# Security
NEXTCLOUD_TRUSTED_DOMAINS= "{{domains | get_domain(application_id)}}"
# Whitelist local docker gateway in Nextcloud to prevent brute-force throtteling
TRUSTED_PROXIES= "{{ networks.internet.values() | select | join(',') }}"
OVERWRITECLIURL= "{{ domains | get_url(application_id, web_protocol) }}"
OVERWRITEPROTOCOL= "https"
# Redis Configuration
REDIS_HOST= redis
REDIS_PORT= 6379
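Review bot: `SMTP_SECURE= {{ 'ssl' if system_email.tls else '' }}` maps a boolean TLS flag onto the image's `ssl` mode (implicit TLS, typically port 465), but the image also accepts `tls` (STARTTLS, typically 587); against a STARTTLS-only submission port this setting fails to connect, so derive the mode from `system_email.port` or make the mode configurable instead of a boolean. Second, the comment on `TRUSTED_PROXIES` says "whitelist local docker gateway", but the value is every address in `networks.internet`; each trusted proxy may set the client IP via `X-Forwarded-For`, which is exactly what brute-force throttling and audit logs key on, so restrict this to the reverse proxy's address(es). Third, the `SMTP_*` and `REDIS_*` values are unquoted while everything else is quoted; an unquoted `SMTP_PASSWORD= {{ users['no-reply'].mailu_token }}` breaks if the token contains whitespace or a `#`, so quote these like the other values.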

View File

@@ -0,0 +1,11 @@
{% raw %}
// Include and merge all PHP config files from cymais
$CONFIG_EXTRA = [];
foreach (glob("{% endraw %}{{ nextcloud_docker_config_additives_directory }}{% raw %}*.php") as $file) {
$CONFIG_EXTRA = array_merge($CONFIG_EXTRA, include $file);
}
$CONFIG = array_merge($CONFIG, $CONFIG_EXTRA);
{% endraw %}
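Review bot: `$CONFIG_EXTRA = array_merge($CONFIG_EXTRA, include $file);` has no check that the included file actually returned an array; on PHP 8 `array_merge()` throws a `TypeError` for a non-array argument, and the turn-server additive in this same commit does not return an array at all, so a single bad additive prevents the whole instance from loading its config. Assign the include to a variable, test `is_array()` and skip (or fail loudly on) anything else. Also worth a comment for additive authors: `array_merge()` replaces string keys wholesale, so an additive defining e.g. `trusted_domains` overrides the entire array from `config.php` rather than extending it, and since `glob()` returns sorted names, the lexically last file wins on conflicts.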

View File

@@ -0,0 +1,183 @@
# Internal configuration file for nextcloud
# Verify time by time, that this rules are valid:
# https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html
worker_processes auto;
# @see https://chatgpt.com/share/67aa3ce9-eea0-800f-85e8-ac54a3810b13
error_log /proc/self/fd/2 {% if enable_debug | bool %}debug{% else %}warn{% endif %};
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
types {
application/javascript mjs;
}
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /proc/self/fd/1 main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
fastcgi_send_timeout 900s;
fastcgi_read_timeout 900s;
proxy_buffering off;
#gzip on;
upstream php-handler {
server application:9000;
}
server {
listen 80;
# HSTS settings
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
# set max upload size
client_max_body_size 512M;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Pagespeed is not supported by Nextcloud, so if your server is built
# with the `ngx_pagespeed` module, uncomment this line to disable it.
#pagespeed off;
# HTTP response headers borrowed from Nextcloud `.htaccess`
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Frame-Options "SAMEORIGIN" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
# Path to the root of your installation
root /var/www/html;
# Specify how to handle directories -- specifying `/index.php$request_uri`
# here as the fallback means that Nginx always exhibits the desired behaviour
# when a client requests a path that corresponds to a directory that exists
# on the server. In particular, if that directory contains an index.php file,
# that file is correctly served; if it doesn't, then the request is passed to
# the front-end controller. This consistent behaviour means that we don't need
# to specify custom rules for certain paths (e.g. images and other assets,
# `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
# `try_files $uri $uri/ /index.php$request_uri`
# always provides the desired behaviour.
index index.php index.html /index.php$request_uri;
# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
location = / {
if ( $http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/$is_args$args;
}
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Make a regex exception for `/.well-known` so that clients can still
# access it despite the existence of the regex rule
# `location ~ /(\.|autotest|...)` which would otherwise handle requests
# for `/.well-known`.
location ^~ /.well-known {
# The rules in this block are an adaptation of the rules
# in `.htaccess` that concern `/.well-known`.
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
location = /.well-known/webfinger { return 301 /index.php/.well-known/webfinger; }
location = /.well-known/nodeinfo { return 301 /index.php/.well-known/nodeinfo; }
location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
location /.well-known/pki-validation { try_files $uri $uri/ =404; }
# Let Nextcloud's API for `/.well-known` URIs handle all other
# requests by passing them to the front-end controller.
return 301 /index.php$request_uri;
}
# Rules borrowed from `.htaccess` to hide certain paths from clients
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
# Ensure this block, which passes PHP files to the PHP process, is above the blocks
# which handle static assets (as seen below). If this block is not declared first,
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
# to the URI, resulting in a HTTP 500 error response.
location ~ \.php(?:$|/) {
# Required for legacy support
# Added due to this error: https://help.nextcloud.com/t/ldap-ad-authnetication-500-error-on-ajax-request/107168/3
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
#fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
fastcgi_param front_controller_active true; # Enable pretty urls
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
try_files $uri /index.php$request_uri;
expires 6M; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
location ~ \.(otf|woff2?)$ {
try_files $uri /index.php$request_uri;
expires 7d; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
# Rule borrowed from `.htaccess`
location /remote {
return 301 /remote.php$request_uri;
}
location / {
try_files $uri $uri/ /index.php$request_uri;
}
}
}
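Review bot: `client_max_body_size 512M;` in this internal server contradicts `client_max_body_size 10G;` in the proxy config and `PHP_UPLOAD_LIMIT` of 5G in the env file: an upload between 512M and 5G passes the proxy and then gets a 413 here. Align the three limits (the internal one is the effective ceiling). Second, `add_header Strict-Transport-Security "... preload;" always;` is set on a `listen 80` server that only the proxy talks to; browsers ignore HSTS on plaintext responses, the proxy's `ssl_header` include is where the header belongs, and the warning comment directly above says not to add `preload` without understanding the consequences, yet it is enabled unconditionally. Third, `# @see https://chatgpt.com/share/...` as the reference for the `error_log` line should be replaced by the nginx `error_log` directive documentation; a chat transcript is not a stable or authoritative source.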

View File

@@ -0,0 +1,36 @@
{# This is the nginx configuration file for the proxy server #}
server
{
server_name {{domain}};
{% include 'roles/letsencrypt/templates/ssl_header.j2' %}
{% include 'roles/webserver-injector-core/templates/global.includes.conf.j2'%}
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
# Set X-Robots-Tag to noindex, nofollow on all responses
add_header X-Robots-Tag "noindex, nofollow";
# set max upload size
client_max_body_size 10G;
client_body_buffer_size 400M;
fastcgi_buffers 64 4K;
{% include 'roles/webserver-proxy-core/templates/location/proxy_basic.conf.j2' %}
location ^~ /.well-known {
rewrite ^/\.well-known/host-meta\.json /public.php?service=host-meta-json last;
rewrite ^/\.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/\.well-known/webfinger /public.php?service=webfinger last;
rewrite ^/\.well-known/nodeinfo /public.php?service=nodeinfo last;
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
location = /.well-known/webfinger { return 301 /index.php/.well-known/webfinger; }
location = /.well-known/nodeinfo { return 301 /index.php/.well-known/nodeinfo; }
try_files $uri $uri/ =404;
}
}
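Review bot: `fastcgi_hide_header X-Powered-By;` and `fastcgi_buffers 64 4K;` have no effect in a server block that only does `proxy_pass` (via `proxy_basic.conf.j2`); if the intent is to strip the header at the edge, use `proxy_hide_header X-Powered-By;` (the internal nginx already hides it). Second, `/.well-known/webfinger` and `/.well-known/nodeinfo` are handled twice: once by the `rewrite ... /public.php?service=... last;` lines and once by the nested `location = ... { return 301 /index.php/...; }` blocks; nginx picks the nested exact-match location for those requests, so the two rewrite lines are dead code and one of the two mechanisms should go. Third, the trailing `try_files $uri $uri/ =404;` answers every other `/.well-known/*` request from the proxy's own (non-existent) document root, so paths the internal config deliberately forwards to `/index.php$request_uri` never reach Nextcloud; forward them upstream instead. Minor: `add_header X-Robots-Tag "noindex, nofollow";` lacks `always`, so unlike the internal config it is dropped on error responses.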

View File

@@ -0,0 +1,2 @@
# Variables
This folder contains the Nextcloud Variables

View File

@@ -0,0 +1,236 @@
version: "production" # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/
csp:
flags:
style-src:
unsafe-inline: true
script-src-elem:
unsafe-inline: true
whitelist:
font-src:
- "data:"
domains:
canonical:
- "cloud.{{ primary_domain }}"
docker:
services:
redis:
enabled: true
database:
enabled: true
oidc:
enabled: "{{ applications.nextcloud.features.oidc | default(true) }}" # Activate OIDC for Nextcloud
# floavor decides which OICD plugin should be used.
# Available options: oidc_login, sociallogin
# @see https://apps.nextcloud.com/apps/oidc_login
# @see https://apps.nextcloud.com/apps/sociallogin
flavor: "oidc_login" # Keeping on sociallogin because the other option is not implemented yet
features:
matomo: true
css: false
portfolio_iframe: true
ldap: true
oidc: true
central_database: true
default_quota: '1000000000' # Quota to assign if no quota is specified in the OIDC response (bytes)
legacy_login_mask:
enabled: False # If true, then legacy login mask is shown. Otherwise just SSO
container:
application: "nextcloud-application" # Nextcloud application container name
proxy: "nextcloud-web" # Nextcloud Proxy Container Name
collabora: "nextcloud-collabora"
performance:
php:
memory_limit: "{{ ((ansible_memtotal_mb | int) / 30)|int }}M" # Dynamic set memory limit
upload_limit: "5G" # Set upload limit to 5GB for big media files
opcache_memory_consumption: "{{ ((ansible_memtotal_mb | int) / 30)|int }}M" # Dynamic set memory consumption
plugins:
# List for Nextcloud Plugin Routine
# Decides if plugins should be activated or deactivated
appointments:
# Nextcloud appointments: handles scheduling and appointment management (https://apps.nextcloud.com/apps/appointments)
enabled: true
bbb:
# Nextcloud BigBlueButton integration: enables video conferencing using BigBlueButton (https://apps.nextcloud.com/apps/bbb)
enabled: "{{ 'bigbluebutton' in group_names | lower }}"
#- bookmarks
# # Nextcloud Bookmarks: manage and share your bookmarks easily (https://apps.nextcloud.com/apps/bookmarks)
# enabled: false
calendar:
# Nextcloud calendar: manages calendar events and scheduling (https://apps.nextcloud.com/apps/calendar)
enabled: true
cfg_share_links:
# Nextcloud share links configuration: customizes sharing settings and link options (https://apps.nextcloud.com/apps/cfg_share_links)
enabled: true
collectives:
# Nextcloud collectives: supports collaborative group management and sharing (https://apps.nextcloud.com/apps/collectives)
enabled: true
contacts:
# Nextcloud contacts: manages address book and contact information (https://apps.nextcloud.com/apps/contacts)
enabled: true
cospend:
# Nextcloud cospend: manages shared expenses and spending tracking (https://apps.nextcloud.com/apps/cospend)
enabled: true
deck:
# Nextcloud Deck: organizes tasks and projects using Kanban boards (https://apps.nextcloud.com/apps/deck)
# When Taiga is activated, this plugin is deactivated, because Taiga is the prefered application.
enabled: "{{ 'taiga' not in group_names | lower }}"
drawio:
# Nextcloud draw.io: integrates diagram creation and editing tools (https://apps.nextcloud.com/apps/drawio)
enabled: true
duplicatefinder:
# Nextcloud duplicate finder: scans and identifies duplicate files (https://apps.nextcloud.com/apps/duplicatefinder)
enabled: true
emlviewer:
# Nextcloud EML Viewer: previews and manages EML email files (https://apps.nextcloud.com/apps/emlviewer)
enabled: true
event_update_notification:
# Nextcloud event update notification: sends alerts when events are updated (https://apps.nextcloud.com/apps/event_update_notification)
enabled: true
epubviewer:
# Nextcloud EPUB Viewer: enables reading and previewing EPUB e-books (https://apps.nextcloud.com/apps/epubviewer)
enabled: true
external:
# Nextcloud External: Adds links to external services (https://apps.nextcloud.com/apps/external)
enabled: true
#files_accesscontrol
# # Nextcloud Files Access Control: restricts file access based on defined rules (https://apps.nextcloud.com/apps/files_accesscontrol)
# enabled: false
#files_archive
# # Nextcloud Files Archive: compresses and archives files for efficient storage (https://apps.nextcloud.com/apps/files_archive)
# enabled: false
#files_automatedtagging
# # Nextcloud Files Automated Tagging: automatically tags files to improve organization (https://apps.nextcloud.com/apps/files_automatedtagging)
# enabled: false
files_bpm:
# Nextcloud Files BPM: integrates business process management for file workflows (https://apps.nextcloud.com/apps/files_bpm)
enabled: true
files_downloadactivity:
# Nextcloud Files Download Activity: tracks and logs file download events (https://apps.nextcloud.com/apps/files_downloadactivity)
enabled: true
files_linkeditor:
# Nextcloud files link editor: allows customization of shared file links (https://apps.nextcloud.com/apps/files_linkeditor)
enabled: true
files_mindmap:
# Nextcloud Files Mindmap: visualizes file relationships as mind maps (https://apps.nextcloud.com/apps/files_mindmap)
enabled: true
files_texteditor:
# Nextcloud Files Text Editor: provides an online editor for text files (https://apps.nextcloud.com/apps/files_texteditor)
# Not available for Nextcloud < 27
enabled: false
fileslibreofficeedit:
# Nextcloud LibreOffice integration: allows online editing of documents with LibreOffice (https://apps.nextcloud.com/apps/fileslibreofficeedit)
enabled: true
forms:
# Nextcloud forms: facilitates creation of forms and surveys (https://apps.nextcloud.com/apps/forms)
enabled: true
gestion:
# Nextcloud Gestion: manages administrative tasks and workflows (https://apps.nextcloud.com/apps/gestion)
enabled: true
groupfolders:
# Nextcloud Group Folders: centralizes shared folders for group collaboration (https://apps.nextcloud.com/apps/groupfolders)
enabled: true
gpxpod:
# Nextcloud GPX pod: visualizes GPS tracks and GPX data (https://apps.nextcloud.com/apps/gpxpod)
enabled: true
integration_discourse:
# Nextcloud Integration Discourse: connects Nextcloud with Discourse forums (https://apps.nextcloud.com/apps/integration_discourse)
enabled: false
integration_gitlab:
# Nextcloud Integration GitLab: connects Nextcloud with GitLab repositories (https://apps.nextcloud.com/apps/integration_gitlab)
enabled: "{{ 'gitlab' in group_names | lower }}"
integration_github:
# Nextcloud Integration GitHub: integrates GitHub repositories with Nextcloud (https://apps.nextcloud.com/apps/integration_github)
enabled: false
integration_google:
# Nextcloud Integration Google: connects Google services with Nextcloud (https://apps.nextcloud.com/apps/integration_google)
enabled: true
integration_mastodon:
# Nextcloud Integration Mastodon: connects Nextcloud with the Mastodon social network (https://apps.nextcloud.com/apps/integration_mastodon)
enabled: "{{ 'mastodon' in group_names | lower }}"
integration_openai:
# Nextcloud Integration OpenAI: brings OpenAI functionalities into Nextcloud (https://apps.nextcloud.com/apps/integration_openai)
enabled: false
integration_openproject:
# Nextcloud Integration OpenProject: integrates project management features from OpenProject (https://apps.nextcloud.com/apps/integration_openproject)
enabled: "{{ 'openproject' in group_names | lower }}"
integration_peertube:
# Nextcloud Integration PeerTube: connects to PeerTube for video sharing (https://apps.nextcloud.com/apps/integration_peertube)
enabled: "{{ 'peertube' in group_names | lower }}"
#keeweb
# # Nextcloud KeeWeb: integrates the KeeWeb password manager within Nextcloud (https://apps.nextcloud.com/apps/keeweb)
# # This isn't maintained anymore. The alternatives don't support keepass files
# enabled: false
keeporsweep:
# Nextcloud keep or sweep: helps manage and clean up files and data (https://apps.nextcloud.com/apps/keeporsweep)
enabled: true
mail:
# Nextcloud mail: integrated email client for managing mail accounts (https://apps.nextcloud.com/apps/mail)
enabled: true
maps:
# Nextcloud maps: provides mapping and location services integration (https://apps.nextcloud.com/apps/maps)
enabled: true
metadata:
# Nextcloud Metadata: manages and displays file metadata for enhanced organization (https://apps.nextcloud.com/apps/metadata)
enabled: true
news:
# Nextcloud News: aggregates and displays news feeds directly in Nextcloud (https://apps.nextcloud.com/apps/news)
enabled: true
oidc_login:
# Nextcloud User OIDC: integrates OpenID Connect for user authentication (https://apps.nextcloud.com/apps/oidc_login)
enabled: "{{ _applications_nextcloud_oidc_flavor=='oidc_login' | lower }}"
incompatible_plugins:
- user_oidc # Will be disabled
- sociallogin # Will be disabled
phonetrack:
# Nextcloud phone track: tracks and monitors mobile device usage (https://apps.nextcloud.com/apps/phonetrack)
enabled: true
polls:
# Nextcloud polls: facilitates creation and management of user polls (https://apps.nextcloud.com/apps/polls)
enabled: true
quota_warning:
# Nextcloud quota warning: notifies users when storage limits are reached (https://apps.nextcloud.com/apps/quota_warning)
enabled: true
recognize:
# Nextcloud recognize: performs image recognition tasks (https://apps.nextcloud.com/apps/recognize)
enabled: false # Deactivated because it let to bugs
richdocuments:
# Nextcloud Rich Documents: provides collaborative document editing capabilities (https://apps.nextcloud.com/apps/richdocuments)
enabled: false # @todo To set it default to true activate https://hub.docker.com/r/collabora/code before
sociallogin:
# Nextcloud social login: allows authentication using social networks (https://apps.nextcloud.com/apps/sociallogin)
enabled: "{{ _applications_nextcloud_oidc_flavor=='sociallogin' | lower }}"
incompatible_plugins:
- user_oidc # Will be disabled
- oidc_login # Will be disabled
spreed:
# Nextcloud Spreed: offers video conferencing and chat functionalities (https://apps.nextcloud.com/apps/spreed)
enabled: false # @todo to activate it first implement web-app-coturn and activate it
tables:
# Nextcloud tables: allows creation and editing of tables within the interface (https://apps.nextcloud.com/apps/tables)
enabled: true
tasks:
# Nextcloud tasks: manages personal or group tasks and to-do lists (https://apps.nextcloud.com/apps/tasks)
enabled: true
#terms_of_service
# # Nextcloud Terms of Service: manages user acceptance of terms and conditions (https://apps.nextcloud.com/apps/terms_of_service)
# enabled: false
twofactor_nextcloud_notification:
# Nextcloud two-factor notification: sends notifications for two-factor authentication events (https://apps.nextcloud.com/apps/twofactor_nextcloud_notification)
enabled: "{{ not applications.nextcloud.features.oidc | default(true) }}" # Deactivate 2FA if oidc is active
twofactor_totp:
# Nextcloud two-factor TOTP: provides time-based one-time password authentication (https://apps.nextcloud.com/apps/twofactor_totp)
enabled: "{{ not applications.nextcloud.features.oidc | default(true) }}" # Deactivate 2FA if oidc is active
user_ldap:
# Nextcloud user LDAP: integrates LDAP for user management and authentication (https://apps.nextcloud.com/apps/user_ldap)
enabled: "{{ applications.nextcloud.features.ldap | default(true) }}"
user_directory:
enabled: true # Enables the LDAP User Directory Search
user_oidc:
# Nextcloud User OIDC: integrates OpenID Connect for user authentication (https://apps.nextcloud.com/apps/user_oidc)
enabled: "{{ _applications_nextcloud_oidc_flavor=='user_oidc' | lower }}"
incompatible_plugins:
- oidc_login
- sociallogin
whiteboard:
# Nextcloud Whiteboard: provides a collaborative drawing and brainstorming tool (https://apps.nextcloud.com/apps/whiteboard)
enabled: true
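Review bot: the Jinja precedence in `enabled: "{{ _applications_nextcloud_oidc_flavor=='oidc_login' | lower }}"` (same for `sociallogin` and `user_oidc`) is wrong: `| lower` binds to the literal `'oidc_login'`, not to the comparison, so the expression renders `True`/`False` rather than the lowercase form the author wanted; write `{{ (_applications_nextcloud_oidc_flavor == 'oidc_login') | lower }}`. The same pattern in `'bigbluebutton' in group_names | lower` applies `lower` to the list, turning it into its string representation, so the test becomes a substring match on `"['bigbluebutton', ...]"` that also matches a group named e.g. `bigbluebutton-staging`; `'bigbluebutton' in group_names` is what is meant. Second, `csp.flags` enables `unsafe-inline` for `style-src` and `script-src-elem`; Nextcloud nonces its own scripts, so `unsafe-inline` on `script-src-elem` largely neutralises script CSP, and the block should carry a comment naming which feature (matomo, portfolio_iframe, ...) requires it. Third, the `flavor` comment says "Keeping on sociallogin because the other option is not implemented yet" while the value is `oidc_login`; update the stale comment (and the "floavor"/"OICD" typos above it). Finally, both `twofactor_*` apps are disabled whenever OIDC is on, but `legacy_login_mask` can re-enable local password login on the same instance, in which case local accounts have no second factor; consider keeping `twofactor_totp` enabled when the legacy mask is enabled.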

View File

@@ -0,0 +1,39 @@
---
# General
application_id: "nextcloud" # Application identifier
container_port: 80
# Database
database_password: "{{applications.nextcloud.credentials.database_password}}" # Database password
database_type: "mariadb" # Database flavor
# Networking
domain: "{{ domains | get_domain(application_id) }}" # Public domain at which Nextcloud will be accessable
http_port: "{{ ports.localhost.http[application_id] }}" # Port at which nextcloud is reachable in the local network
# Control Node
nextcloud_control_node_plugin_vars_directory: "{{role_path}}/vars/plugins/" # Folder in which the files for the plugin configuration are stored
nextcloud_control_node_plugin_tasks_directory: "{{role_path}}/tasks/plugins/" # Folder which contains the files for extra plugin configuration tasks
# Host
## Host Paths
nextcloud_host_config_additives_directory: "{{docker_compose.directories.volumes}}cymais/" # This folder is the path to which the additive configurations will be copied
nextcloud_host_include_instructions_file: "{{docker_compose.directories.volumes}}includes.php" # Path to the instruction file on the host. Responsible for loading the additional configurations
# Docker
## User Configuration
nextcloud_docker_user_id: 82 # UID of the www-data user
nextcloud_docker_user: "www-data" # Name of the www-data user (Set here to easy change it in the future)
## Internal Paths
nextcloud_docker_work_directory: "/var/www/html/" # Name of the workdir in which the application is stored
nextcloud_docker_config_directory: "{{nextcloud_docker_work_directory}}config/" # Folder in which the Nextcloud configurations are stored
nextcloud_docker_config_file: "{{nextcloud_docker_config_directory}}config.php" # Path to the Nextcloud configuration file
nextcloud_docker_config_additives_directory: "{{nextcloud_docker_config_directory}}cymais/" # Path to the folder which contains additional configurations
nextcloud_docker_include_instructions_file: "/tmp/includes.php" # Path to the temporary file which will be included to the config.php to load the additional configurations
## Execution
nextcloud_docker_exec: "docker exec -u {{ nextcloud_docker_user }} {{ applications.nextcloud.container.application }}" # General execute composition
nextcloud_docker_exec_occ: "{{nextcloud_docker_exec}} {{ nextcloud_docker_work_directory }}occ" # Execute docker occ command
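Review bot: `nextcloud_docker_include_instructions_file: "/tmp/includes.php"` stages the snippet that is later wired into `config.php` in the container's world-writable `/tmp`; if a later task copies it in and appends it, stage it under the `www-data`-owned config directory (or the read-only additives mount) and remove it afterwards, so nothing else in the container can swap the file between copy and include. Minor: "accessable" in the `domain` comment should be "accessible".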

View File

@@ -0,0 +1,2 @@
# Plugins
This folder contains the plugin specific configurations which will be applied

View File

@@ -0,0 +1,7 @@
plugin_configuration:
- appid: "bbb"
configkey: "api.secret"
configvalue: "{{ applications.bigbluebutton.credentials.shared_secret }}"
- appid: "bbb"
configkey: "api.url"
configvalue: "{{ domains | get_url('bigbluebutton', web_protocol) }}{{applications.bigbluebutton.api_suffix}}"

View File

@@ -0,0 +1,86 @@
plugin_configuration:
-
appid: "sociallogin"
# This configuration allows users to connect multiple accounts to their Nextcloud profile
# using the sociallogin app.
configkey: "allow_login_connect"
configvalue: 1
-
appid: "sociallogin"
configkey: "auto_create_groups"
configvalue: ""
-
appid: "sociallogin"
configkey: "button_text_wo_prefix"
configvalue: ""
-
appid: "sociallogin"
configkey: "create_disabled_users"
configvalue: ""
-
appid: "sociallogin"
# This configuration defines custom OpenID Connect (OIDC) providers for authentication.
# In this case, it sets up a Keycloak provider with details like URLs for authorization,
# token retrieval, user info, and logout, as well as the client ID and secret.
configkey: "custom_providers"
configvalue:
custom_oidc:
- name: "{{ domains | get_domain('keycloak') }}"
title: "keycloak"
style: "keycloak"
authorizeUrl: "{{ oidc.client.authorize_url }}"
tokenUrl: "{{ oidc.client.token_url }}"
displayNameClaim: ""
userInfoUrl: "{{ oidc.client.user_info_url }}"
logoutUrl: "{{ oidc.client.logout_url }}"
clientId: "{{ oidc.client.id }}"
clientSecret: "{{ oidc.client.secret }}"
scope: "openid"
groupsClaim: ""
defaultGroup: ""
-
appid: "sociallogin"
configkey: "disable_notify_admins"
configvalue: ""
-
appid: "sociallogin"
configkey: "disable_registration"
configvalue: ""
-
appid: "sociallogin"
configkey: "enabled"
configvalue: "yes"
-
appid: "sociallogin"
configkey: "hide_default_login"
configvalue: ""
-
appid: "sociallogin"
configkey: "no_prune_user_groups"
configvalue: ""
-
appid: "sociallogin"
configkey: "oauth_providers"
configvalue: "null"
-
appid: "sociallogin"
# This configuration prevents the creation of new Nextcloud users if an account with the
# same email address already exists in the system. It helps avoid duplicate accounts.
configkey: "prevent_create_email_exists"
configvalue: 1
-
appid: "sociallogin"
configkey: "restrict_users_wo_assigned_groups"
configvalue: ""
-
appid: "sociallogin"
configkey: "restrict_users_wo_mapped_groups"
configvalue: ""
-
appid: "sociallogin"
configkey: "types"
configvalue: ""
-
appid: "sociallogin"
configkey: "update_profile_on_login"
configvalue: 1
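Review bot: `scope: "openid"` requests only the identity token; most providers then omit the `email` and `profile` claims from the userinfo response, so `displayNameClaim` stays empty and `prevent_create_email_exists: 1` has no email to compare, which silently defeats the duplicate-account protection this entry is commented as providing. Request `openid email profile` (plus whatever scope carries groups if `groupsClaim` is ever set). Also note that `disable_registration: ""` means every account the IdP is willing to authenticate gets a Nextcloud account on first login; that is the usual SSO choice, but it should be stated next to the setting, since the IdP's own registration policy becomes the only gate.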

View File

@@ -0,0 +1,184 @@
plugin_configuration:
-
appid: "user_ldap"
configkey: "background_sync_interval"
configvalue: 43200
-
appid: "user_ldap"
configkey: "background_sync_offset"
configvalue: 0
-
appid: "user_ldap"
configkey: "background_sync_prefix"
configvalue: "s01"
-
appid: "user_ldap"
configkey: "enabled"
configvalue: "yes"
-
appid: "user_ldap"
configkey: "s01last_jpegPhoto_lookup"
configvalue: 0
-
appid: "user_ldap"
configkey: "s01ldap_backup_port"
configvalue: "{{ ports.localhost.ldap.ldap }}" # This is just optimized for local port @todo implement for external ports as well
-
appid: "user_ldap"
configkey: "s01ldap_base"
configvalue: "{{ldap.dn.root}}"
-
appid: "user_ldap"
configkey: "s01ldap_base_groups"
configvalue: "{{ldap.dn.root}}"
-
appid: "user_ldap"
configkey: "s01ldap_base_users"
configvalue: "{{ldap.dn.ou.users}}"
-
appid: "user_ldap"
configkey: "s01ldap_cache_ttl"
configvalue: 600
-
appid: "user_ldap"
configkey: "s01ldap_configuration_active"
configvalue: 1
-
appid: "user_ldap"
configkey: "s01ldap_connection_timeout"
configvalue: 15
-
appid: "user_ldap"
configkey: "s01ldap_display_name"
configvalue: "cn"
-
appid: "user_ldap"
configkey: "s01ldap_dn"
configvalue: "{{ldap.dn.administrator.data}}"
-
appid: "user_ldap"
configkey: "s01ldap_email_attr"
configvalue: "mail"
-
appid: "user_ldap"
configkey: "s01ldap_experienced_admin"
configvalue: 0
-
appid: "user_ldap"
configkey: "s01ldap_gid_number"
configvalue: "gidNumber"
-
appid: "user_ldap"
configkey: "s01ldap_group_display_name"
configvalue: "cn"
-
appid: "user_ldap"
configkey: "s01ldap_group_filter"
configvalue: "(&(|(objectclass=groupOfUniqueNames)(objectclass=posixGroup)))"
-
appid: "user_ldap"
configkey: "s01ldap_group_filter_mode"
configvalue: 0
-
appid: "user_ldap"
configkey: "s01ldap_group_member_assoc_attribute"
configvalue: "uniqueMember"
-
appid: "user_ldap"
configkey: "s01ldap_groupfilter_objectclass"
configvalue: "groupOfUniqueNames\nposixGroup"
-
appid: "user_ldap"
configkey: "s01ldap_host"
configvalue: "{{ldap.server.domain}}"
-
appid: "user_ldap"
configkey: "s01ldap_login_filter"
configvalue: "{{ ldap.filters.users.login }}"
-
appid: "user_ldap"
configkey: "s01ldap_login_filter_mode"
configvalue: 0
-
appid: "user_ldap"
configkey: "s01ldap_loginfilter_email"
configvalue: 0
-
appid: "user_ldap"
configkey: "s01ldap_loginfilter_username"
configvalue: 1
-
appid: "user_ldap"
configkey: "s01ldap_mark_remnants_as_disabled"
configvalue: 0
-
appid: "user_ldap"
configkey: "s01ldap_matching_rule_in_chain_state"
configvalue: "unknown"
-
appid: "user_ldap"
configkey: "s01ldap_nested_groups"
configvalue: 0
-
appid: "user_ldap"
configkey: "s01ldap_paging_size"
configvalue: 500
-
appid: "user_ldap"
configkey: "s01ldap_port"
configvalue: 389
-
appid: "user_ldap"
configkey: "s01ldap_turn_off_cert_check"
configvalue: 0
-
appid: "user_ldap"
configkey: "s01ldap_turn_on_pwd_change"
configvalue: 0
-
appid: "user_ldap"
configkey: "s01ldap_user_avatar_rule"
configvalue: "default"
-
appid: "user_ldap"
configkey: "s01ldap_user_filter_mode"
configvalue: 0
-
appid: "user_ldap"
configkey: "s01ldap_userfilter_objectclass"
configvalue: "inetOrgPerson"
-
appid: "user_ldap"
configkey: "s01ldap_userlist_filter"
configvalue: |-
{% if applications[application_id].plugins.user_ldap.user_directory.enabled %}
{{ ldap.filters.users.all }}
{% else %}
()
{% endif %}
-
appid: "user_ldap"
configkey: "s01use_memberof_to_detect_membership"
configvalue: 1
-
appid: "user_ldap"
configkey: "types"
configvalue: "authentication"
-
appid: "user_ldap"
configkey: "s01ldap_expert_username_attr"
configvalue: "{{ldap.user.attributes.id}}"
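Review bot: `s01ldap_port: 389` against `{{ldap.server.domain}}` with no `s01ldap_tls` entry means the bind with the directory administrator DN (`s01ldap_dn: {{ldap.dn.administrator.data}}`) and its password travels in the clear; unless the directory is guaranteed to sit on the same isolated Docker network, enable StartTLS (`s01ldap_tls`) or use `ldaps://` on 636, and bind with a read-only service account rather than the admin DN, since Nextcloud only needs to search and authenticate. Second, `s01ldap_userlist_filter` falls back to `()` when `user_directory` is disabled; `()` is not a valid RFC 4515 filter, so the server rejects user listings with an error rather than returning zero entries, which is what the fallback intends. Use a well-formed filter that can never match. Third, `s01ldap_backup_port` is set without a corresponding `s01ldap_backup_host`; the comment acknowledges this, but a backup port on its own does nothing, so drop it until the backup host is implemented.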

View File

@@ -0,0 +1,21 @@
nextcloud_system_config:
- parameter: "hide_login_form"
type: "boolean"
value: "{{ (not applications[application_id].legacy_login_mask.enabled) | lower }}"
- parameter: "auth.webauthn.enabled"
type: "boolean"
value: "{{ applications[application_id].legacy_login_mask.enabled | lower }}"
- parameter: "maintenance_window_start"
type: "integer"
value: "{{ on_calendar_nextcloud }}"
- parameter: "default_phone_region"
value: "{{ HOST_LL | upper }}"
- parameter: "trusted_domains 0"
value: "{{domains | get_domain(application_id)}}"
- parameter: "overwrite.cli.url"
value: "{{ domains | get_url(application_id, web_protocol) }}"
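Review bot: `hide_login_form` is set to `true` whenever `legacy_login_mask.enabled` is false, independent of whether OIDC is actually enabled (`features.oidc` can be `false` while the legacy mask is also disabled), which hides the only remaining login path; tie this to OIDC being enabled, and document that Nextcloud still serves the form at `/login?direct=1`, which is the administrator's way back in when the IdP is down. Second, `maintenance_window_start` is declared `type: "integer"`, and Nextcloud expects an hour of day (0 to 23, UTC) at which its four-hour background-job window begins; the value `on_calendar_nextcloud` reads like a systemd `OnCalendar` expression, so verify that it renders a plain hour or `occ config:system:set` will reject it.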