kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-08-29 15:06:26 +02:00
Code Issues Packages Projects Releases Wiki Activity

Huge role refactoring/cleanup. Other commits will propably follow. Because some bugs will exist. Still important for longrun and also for auto docs/help/slideshow generation

Browse Source
This commit is contained in:
Kevin Veen-Birkenbach
2025-07-08 23:43:13 +02:00
parent 6b87a049d4
commit 563d5fd528
1242 changed files with 2301 additions and 1355 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
roles/web-app-nextcloud/templates/config/README.md Normal file
View File

@@ -0,0 +1,2 @@
This folder contains configuration files which will be loaded direct into the config.php
If you don't use nested configuration, concider to use the vars/system.yml file instead, because it's a cleaner way to set the configuration.

14
roles/web-app-nextcloud/templates/config/memcache.config.php.j2 Normal file
View File

@@ -0,0 +1,14 @@
<?php
# Implementing redis configuration
return array (
# For single server setup APCu is recommended, for multi server setup Redis
'memcache.local' => '\\OC\\Memcache\\{% if deployment_mode == "single" %}APCu{% else %}Redis{% endif %}',
# The following lines are configured via the environment variables
# 'memcache.locking' => '\\OC\\Memcache\\Redis',
# 'redis' =>
# array (
# 'host' => 'redis',
# 'port' => 6379,
# )
);

220
roles/web-app-nextcloud/templates/config/oidc.config.php.j2 Normal file
View File

@@ -0,0 +1,220 @@
<?php
# Implementing OICD configuration
{% if applications[application_id].oidc.flavor == "oidc_login" %}
# Check out: https://github.com/pulsejet/nextcloud-oidc-login
return array (
// Some Nextcloud options that might make sense here
'allow_user_to_change_display_name' => false,
'lost_password_link' => 'disabled',
// URL of provider. All other URLs are auto-discovered from .well-known
'oidc_login_provider_url' => '{{oidc.client.issuer_url}}',
// Client ID and secret registered with the provider
'oidc_login_client_id' => '{{oidc.client.id}}',
'oidc_login_client_secret' => '{{oidc.client.secret}}',
// Automatically redirect the login page to the provider
'oidc_login_auto_redirect' => true,
// Redirect to this page after logging out the user
'oidc_login_logout_url' => 'https://{{domains | get_domain(application_id)}}',
// If set to true the user will be redirected to the
// logout endpoint of the OIDC provider after logout
// in Nextcloud. After successfull logout the OIDC
// provider will redirect back to 'oidc_login_logout_url' (MUST be set).
'oidc_login_end_session_redirect' => true,
// Quota to assign if no quota is specified in the OIDC response (bytes)
//
// NOTE: If you want to allow NextCloud to manage quotas, omit this option. Do not set it to
// zero or -1 or ''.
'oidc_login_default_quota' => '{{applications[application_id].default_quota}}',
// Login button text
'oidc_login_button_text' => '{{oidc.button_text}}',
// Hide the NextCloud password change form.
'oidc_login_hide_password_form' => true,
// Use ID Token instead of UserInfo
'oidc_login_use_id_token' => true,
// Attribute map for OIDC response. Available keys are:
// * id: Unique identifier for username
// * name: Full name
// If set to null, existing display name won't be overwritten
// * mail: Email address
// If set to null, existing email address won't be overwritten
// * quota: Nextcloud storage quota
// * home: Home directory location. A symlink or external storage to this location is used
// * ldap_uid: LDAP uid to search for when running in proxy mode
// * groups: Array or space separated string of Nextcloud groups for the user.
// Note that the name here corresponds to the GID of the group and not the display name
// In the admin panel, the GID may be obtained from the URL when editing a group
// * login_filter: Array or space separated string. If 'oidc_login_filter_allowed_values' is
// set, it is checked against these values.
// * photoURL: The URL of the user avatar. The nextcloud server will download the picture
// at user login. This may lead to security issues. Use with care.
// This will only be effective if oidc_login_update_avatar is enabled.
// * is_admin: If this value is truthy, the user is added to the admin group (optional)
//
// The attributes in the OIDC response are flattened by adding the nested
// array key as the prefix and an underscore. Thus,
//
// $profile = [
// 'id' => 1234,
// 'attributes' => [
// 'uid' => 'myuid',
// 'abc' => 'xyz'
// ],
// 'list' => ['one', 'two']
// ];
//
// would become,
//
// $profile = [
// 'id' => 1234,
// 'attributes' => [
// 'uid' => 'myuid',
// 'abc' => 'xyz'
// ],
// 'attributes_uid' => 'myuid',
// 'attributes_abc' => 'xyz',
// 'list' => ['one', 'two'],
// 'list_0' => 'one',
// 'list_1' => 'two',
// 'list_one' => 'one',
// 'list_two' => 'two',
// ]
//
// https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
//
// note: on Keycloak, OIDC name claim = "${given_name} ${family_name}" or one of them if any is missing
//
'oidc_login_attributes' => array (
'id' => '{{ldap.user.attributes.id}}',
'name' => 'name',
'mail' => 'email',
'quota' => '{{ ldap.user.attributes.nextcloud_quota }}',
# 'home' => 'homeDirectory', # Not implemented yet
'ldap_uid' => '{{oidc.attributes.username}}',
# 'groups' => 'ownCloudGroups', # Not implemented yet
# 'login_filter' => 'realm_access_roles',
// 'photoURL' => 'picture',
// 'is_admin' => 'ownCloudAdmin',
),
// Default group to add users to (optional, defaults to nothing)
// 'oidc_login_default_group' => 'oidc',
// DEPRECATED: This option will be removed in a future release. Use
// 'login_filter' and 'oidc_login_filter_allowed_values' instead.
//
// Allow only users in configured group(s) to access Nextcloud. In case the user
// is not assigned to this group (read from oidc_login_attributes) the login
// will not be allowed for this user.
//
// Must be specified as an array of groups that are allowed to access Nextcloud.
// e.g. 'oidc_login_allowed_groups' => array('group1', 'group2')
'oidc_login_allowed_groups' => null,
// Allow only users in configured value(s) to access Nextcloud. In case the user
// is not assigned to this value (read from oidc_login_attributes) the login
// will not be allowed for this user.
//
// Must be specified as an array of values (e.g. roles) that are allowed to
// access Nextcloud. e.g. 'oidc_login_filter_allowed_values' => array('role1', 'role2')
'oidc_login_filter_allowed_values' => null,
// Use external storage instead of a symlink to the home directory
// Requires the files_external app to be enabled
'oidc_login_use_external_storage' => false,
// Set OpenID Connect scope
'oidc_login_scope' => 'openid profile',
// Run in LDAP proxy mode
// In this mode, instead of creating users of its own, OIDC login
// will get the existing user from an LDAP database and only
// perform authentication with OIDC. All user data will be derived
// from the LDAP database instead of the OIDC user response
//
// The `id` attribute in `oidc_login_attributes` must return the
// "Internal Username" (see expert settings in LDAP integration)
'oidc_login_proxy_ldap' => {{ applications | is_feature_enabled('ldap',application_id) | string | lower }},
// Disable creation of users new to Nextcloud from OIDC login.
// A user may be known to the IdP but not (yet) known to Nextcloud.
// This setting controls what to do in this case.
// - 'true' (default): if the user authenticates to the IdP but is not known to Nextcloud,
// then they will be returned to the login screen and not allowed entry;
// - 'false': if the user authenticates but is not yet known to Nextcloud,
// then the user will be automatically created; note that with this setting,
// you will be allowing (or relying on) a third-party (the IdP) to create new users
'oidc_login_disable_registration' => true,
// Fallback to direct login if login from OIDC fails
// Note that no error message will be displayed if enabled
'oidc_login_redir_fallback' => false,
// Use an alternative login page
// This page will be php-included instead of a redirect if specified
// For example, setting it to `assets/login.php` will use that file
// in the nextcloud base directory
// Note: the PHP variable $OIDC_LOGIN_URL is available for redirect URI
// Note: you may want to try setting `oidc_login_logout_url` to your
// base URL if you face issues regarding re-login after logout
'oidc_login_alt_login_page' => false,
// For development, you may disable TLS verification. Default value is `true`
// which should be kept in production
'oidc_login_tls_verify' => true,
// If you get your groups from the oidc_login_attributes, you might want
// to create them if they are not already existing, Default is `false`.
'oidc_create_groups' => false,
// Enable use of WebDAV via OIDC bearer token.
'oidc_login_webdav_enabled' => false,
// Enable authentication with user/password for DAV clients that do not
// support token authentication (e.g. DAVx⁵)
'oidc_login_password_authentication' => false,
// The time in seconds used to cache public keys from provider.
// The default value is 1 day.
'oidc_login_public_key_caching_time' => 86400,
// The minimum time in seconds to wait between requests to the jwks_uri endpoint.
// Avoids that the provider will be DoSed when someone requests with unknown kids.
// The default is 10 seconds.
'oidc_login_min_time_between_jwks_requests' => 10,
// The time in seconds used to cache the OIDC well-known configuration from the provider.
// The default value is 1 day.
'oidc_login_well_known_caching_time' => 86400,
// If true, nextcloud will download user avatars on login.
// This may lead to security issues as the server does not control
// which URLs will be requested. Use with care.
'oidc_login_update_avatar' => false,
// If true, the default Nextcloud proxy won't be used to make internals OIDC call.
// The default is false.
'oidc_login_skip_proxy' => false,
// Code challenge method for PKCE flow.
// Possible values are:
// - 'S256'
// - 'plain'
// The default value is empty, which won't apply the PKCE flow.
'oidc_login_code_challenge_method' => '',
);
{% else %}
return [];
{% endif %}

12
roles/web-app-nextcloud/templates/config/turnserver.config.php.j2.draft Normal file
View File

@@ -0,0 +1,12 @@
<?php
# Activates the turn server
# @see https://nextcloud-talk.readthedocs.io/en/latest/TURN/
return 'turn_servers' => [
[
'host' => 'coturn',
'port' => 3478,
'secret' => 'my-secret-key',
'protocols' => 'udp,tcp'
]
];

81
roles/web-app-nextcloud/templates/docker-compose.yml.j2 Normal file
View File

@@ -0,0 +1,81 @@
{% include 'roles/docker-compose/templates/base.yml.j2' %}
application:
image: "nextcloud:{{applications.nextcloud.version}}-fpm-alpine"
container_name: {{applications.nextcloud.container.application}}
volumes:
- data:{{nextcloud_docker_work_directory}}
- {{nextcloud_host_config_additives_directory}}:{{nextcloud_docker_config_additives_directory}}:ro
healthcheck:
test: ["CMD", "su", "www-data", "-s", "/bin/sh", "-c", "php {{nextcloud_docker_work_directory}}occ status"]
interval: 1m
timeout: 10s
retries: 3
{% include 'roles/docker-container/templates/base.yml.j2' %}
{% include 'roles/docker-container/templates/depends_on/dmbs_excl.yml.j2' %}
{% include 'roles/docker-container/templates/networks.yml.j2' %}
ipv4_address: 192.168.102.69
# @Todo activate
#nc-talk:
# image: nextcloud/aio-talk:latest
# container_name: talk_hpb
# hostname: hpb_yt
# restart: unless-stopped
# init: true
# ports:
# - 3478:3478/tcp #TURN TCP
# - 3478:3478/udp #TURN UDP
# - 8181:8081/tcp #Signaling
# environment:
# - NC_DOMAIN=cloud.yourdomain.tld
# - TALK_HOST=signaling.yourdomain.tld
# - TURN_SECRET=${TURN_SECRET}
# - SIGNALING_SECRET=${SIGNALING_SECRET}
# - TZ=Europe/Berlin
# - TALK_PORT=3478
# - INTERNAL_SECRET=${INTERNAL_SECRET}
# networks:
# - nxnetwork_yt
web:
image: nginx:alpine
container_name: {{applications.nextcloud.container.proxy}}
logging:
driver: journald
restart: {{docker_restart_policy}}
ports:
- "127.0.0.1:{{ports.localhost.http[application_id]}}:{{ container_port }}"
volumes:
- "{{docker_compose.directories.volumes}}nginx.conf:/etc/nginx/nginx.conf:ro"
volumes_from:
- application
{% include 'roles/docker-container/templates/healthcheck/curl.yml.j2' %}
networks:
default:
ipv4_address: 192.168.102.67
cron:
container_name: nextcloud-cron
image: "nextcloud:{{applications.nextcloud.version}}-fpm-alpine"
restart: {{docker_restart_policy}}
logging:
driver: journald
volumes:
- data:{{nextcloud_docker_work_directory}}
entrypoint: /cron.sh
healthcheck:
test: ["CMD", "su", "www-data", "-s", "/bin/sh", "-c", "php {{nextcloud_docker_work_directory}}occ status"]
interval: 1m
timeout: 10s
retries: 3
{% include 'roles/docker-container/templates/depends_on/dmbs_excl.yml.j2' %}
{% include 'roles/docker-container/templates/networks.yml.j2' %}
ipv4_address: 192.168.102.70
{% include 'roles/docker-compose/templates/volumes.yml.j2' %}
data:
redis:
{% include 'roles/docker-compose/templates/networks.yml.j2' %}

40
roles/web-app-nextcloud/templates/env.j2 Normal file
View File

@@ -0,0 +1,40 @@
# @See https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html
# @See https://github.com/nextcloud/docker/blob/master/README.md
# Database Configuration
MYSQL_DATABASE= "{{database_name}}"
MYSQL_USER= "{{database_username}}"
MYSQL_PASSWORD= "{{database_password}}"
MYSQL_HOST= "{{database_host}}:{{database_port}}"
# PHP
PHP_MEMORY_LIMIT= "{{applications[application_id].performance.php.memory_limit}}"
PHP_UPLOAD_LIMIT= "{{applications[application_id].performance.php.upload_limit}}"
PHP_OPCACHE_MEMORY_CONSUMPTION= "{{applications[application_id].performance.php.opcache_memory_consumption}}"
# Email Configuration
SMTP_HOST= {{system_email.host}}
SMTP_SECURE= {{ 'ssl' if system_email.tls else '' }}
SMTP_PORT= {{system_email.port}}
SMTP_NAME= {{ users['no-reply'].email }}
SMTP_PASSWORD= {{ users['no-reply'].mailu_token }}
# Email from configuration
MAIL_FROM_ADDRESS= "{{ users['no-reply'].username }}"
MAIL_DOMAIN= "{{system_email.domain}}"
# Initial Admin Data
NEXTCLOUD_ADMIN_USER= "{{applications[application_id].users.administrator.username}}"
NEXTCLOUD_ADMIN_PASSWORD= "{{applications[application_id].credentials.administrator_password}}"
# Security
NEXTCLOUD_TRUSTED_DOMAINS= "{{domains | get_domain(application_id)}}"
# Whitelist local docker gateway in Nextcloud to prevent brute-force throtteling
TRUSTED_PROXIES= "{{ networks.internet.values() | select | join(',') }}"
OVERWRITECLIURL= "{{ domains | get_url(application_id, web_protocol) }}"
OVERWRITEPROTOCOL= "https"
# Redis Configuration
REDIS_HOST= redis
REDIS_PORT= 6379

11
roles/web-app-nextcloud/templates/include.php.j2 Normal file
View File

@@ -0,0 +1,11 @@
{% raw %}
// Include and merge all PHP config files from cymais
$CONFIG_EXTRA = [];
foreach (glob("{% endraw %}{{ nextcloud_docker_config_additives_directory }}{% raw %}*.php") as $file) {
$CONFIG_EXTRA = array_merge($CONFIG_EXTRA, include $file);
}
$CONFIG = array_merge($CONFIG, $CONFIG_EXTRA);
{% endraw %}

183
roles/web-app-nextcloud/templates/nginx/docker.conf.j2 Normal file
View File

@@ -0,0 +1,183 @@
# Internal configuration file for nextcloud
# Verify time by time, that this rules are valid:
# https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html
worker_processes auto;
# @see https://chatgpt.com/share/67aa3ce9-eea0-800f-85e8-ac54a3810b13
error_log /proc/self/fd/2 {% if enable_debug | bool %}debug{% else %}warn{% endif %};
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
types {
application/javascript mjs;
}
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /proc/self/fd/1 main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
fastcgi_send_timeout 900s;
fastcgi_read_timeout 900s;
proxy_buffering off;
#gzip on;
upstream php-handler {
server application:9000;
}
server {
listen 80;
# HSTS settings
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
# set max upload size
client_max_body_size 512M;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Pagespeed is not supported by Nextcloud, so if your server is built
# with the `ngx_pagespeed` module, uncomment this line to disable it.
#pagespeed off;
# HTTP response headers borrowed from Nextcloud `.htaccess`
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Frame-Options "SAMEORIGIN" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
# Path to the root of your installation
root /var/www/html;
# Specify how to handle directories -- specifying `/index.php$request_uri`
# here as the fallback means that Nginx always exhibits the desired behaviour
# when a client requests a path that corresponds to a directory that exists
# on the server. In particular, if that directory contains an index.php file,
# that file is correctly served; if it doesn't, then the request is passed to
# the front-end controller. This consistent behaviour means that we don't need
# to specify custom rules for certain paths (e.g. images and other assets,
# `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
# `try_files $uri $uri/ /index.php$request_uri`
# always provides the desired behaviour.
index index.php index.html /index.php$request_uri;
# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
location = / {
if ( $http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/$is_args$args;
}
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Make a regex exception for `/.well-known` so that clients can still
# access it despite the existence of the regex rule
# `location ~ /(\.|autotest|...)` which would otherwise handle requests
# for `/.well-known`.
location ^~ /.well-known {
# The rules in this block are an adaptation of the rules
# in `.htaccess` that concern `/.well-known`.
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
location = /.well-known/webfinger { return 301 /index.php/.well-known/webfinger; }
location = /.well-known/nodeinfo { return 301 /index.php/.well-known/nodeinfo; }
location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
location /.well-known/pki-validation { try_files $uri $uri/ =404; }
# Let Nextcloud's API for `/.well-known` URIs handle all other
# requests by passing them to the front-end controller.
return 301 /index.php$request_uri;
}
# Rules borrowed from `.htaccess` to hide certain paths from clients
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
# Ensure this block, which passes PHP files to the PHP process, is above the blocks
# which handle static assets (as seen below). If this block is not declared first,
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
# to the URI, resulting in a HTTP 500 error response.
location ~ \.php(?:$|/) {
# Required for legacy support
# Added due to this error: https://help.nextcloud.com/t/ldap-ad-authnetication-500-error-on-ajax-request/107168/3
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
#fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
fastcgi_param front_controller_active true; # Enable pretty urls
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
try_files $uri /index.php$request_uri;
expires 6M; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
location ~ \.(otf|woff2?)$ {
try_files $uri /index.php$request_uri;
expires 7d; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
# Rule borrowed from `.htaccess`
location /remote {
return 301 /remote.php$request_uri;
}
location / {
try_files $uri $uri/ /index.php$request_uri;
}
}
}

36
roles/web-app-nextcloud/templates/nginx/host.conf.j2 Normal file
View File

@@ -0,0 +1,36 @@
{# This is the nginx configuration file for the proxy server #}
server
{
server_name {{domain}};
{% include 'roles/letsencrypt/templates/ssl_header.j2' %}
{% include 'roles/webserver-injector-core/templates/global.includes.conf.j2'%}
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
# Set X-Robots-Tag to noindex, nofollow on all responses
add_header X-Robots-Tag "noindex, nofollow";
# set max upload size
client_max_body_size 10G;
client_body_buffer_size 400M;
fastcgi_buffers 64 4K;
{% include 'roles/webserver-proxy-core/templates/location/proxy_basic.conf.j2' %}
location ^~ /.well-known {
rewrite ^/\.well-known/host-meta\.json /public.php?service=host-meta-json last;
rewrite ^/\.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/\.well-known/webfinger /public.php?service=webfinger last;
rewrite ^/\.well-known/nodeinfo /public.php?service=nodeinfo last;
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
location = /.well-known/webfinger { return 301 /index.php/.well-known/webfinger; }
location = /.well-known/nodeinfo { return 301 /index.php/.well-known/nodeinfo; }
try_files $uri $uri/ =404;
}
}