kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-03-31 14:24:16 +02:00
Code Issues Packages Projects Releases Wiki Activity

Optimized OIDC Login for Nextcloud

Browse Source
This commit is contained in:
Kevin Veen-Birkenbach 2025-02-25 19:35:48 +01:00
parent 9a9bae4f2c
commit 72b787814e
16 changed files with 181 additions and 75 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
group_vars/all/01_modes.yml
View File

@ -5,4 +5,4 @@ mode_reset: false # Cleans up all CyMaIS files. It's necessary to run to whole
mode_test: false # Executes test routines instead of productive routines
mode_update: true # Executes updates
mode_backup: true # Activates the backup before the update procedure
mode_cleanup: false # Cleanup unused files and configurations
mode_cleanup: true # Cleanup unused files and configurations

6
group_vars/all/07_applications.yml
View File

@ -245,11 +245,11 @@ defaults_applications:
nextcloud:
version: "production" # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/
ldap:
enabled: True # Enables LDAP by default, missing ansible setup tasks @todo setup
enabled: True # Enables LDAP by default
oidc:
enabled: true # Activate OIDC for Nextcloud
# floavor decides which OICD plugin should be used.
# Available options: login, sociallogin
# Available options: oidc_login, sociallogin
# @see https://apps.nextcloud.com/apps/oidc_login
# @see https://apps.nextcloud.com/apps/sociallogin
flavor: "sociallogin" # Keeping on sociallogin because the other option is not implemented yet
@ -263,6 +263,8 @@ defaults_applications:
username: "{{users.administrator.username}}"
initial_password: "{{users.administrator.initial_password}}"
default_quota: '1000000000' # Quota to assign if no quota is specified in the OIDC response (bytes)
legacy_login_mask:
enabled: False # If true, then legacy login mask is shown. Otherwise just SSO
## OAuth2 Proxy
oauth2_proxy:

3
roles/docker-ldap/templates/ldif/schema/01_nextcloud.schema.ldif_deactivated → roles/docker-ldap/templates/ldif/schema/01_nextcloud.schema.ldif
View File

@ -1,7 +1,4 @@
# nextcloud.schema
# This schema is deactivated, because with keycloak it's impossible to set schemas to new created users
# Until then the managament is done over keycloak
# @todo activate in ldap
dn: cn=nextcloud,cn=schema,cn=config
objectClass: olcSchemaConfig

10
roles/docker-nextcloud/tasks/config.yml
View File

@ -1,18 +1,18 @@
- name: "Substitute http with https in {{ nextcloud_config_file_path }}"
- name: "Substitute http with https in {{ nextcloud_config_file_host_path }}"
replace:
path: "{{ nextcloud_config_file_path }}"
path: "{{ nextcloud_config_file_host_path }}"
regexp: "http://{{ domain | regex_escape }}"
replace: "https://{{ domain }}"
notify:
- docker compose restart
#- name: Ensure 'overwriteprotocol' is set to 'https' in Nextcloud {{ nextcloud_config_file_path }}
#- name: Ensure 'overwriteprotocol' is set to 'https' in Nextcloud {{ nextcloud_config_file_host_path }}
# block:
# Deactivated because it was really heavy to fix.
# @todo implement
# - name: Check if 'overwriteprotocol' is already set
# lineinfile:
# path: "{{ nextcloud_config_file_path }}"
# path: "{{ nextcloud_config_file_host_path }}"
# regexp: "^\s*overwriteprotocol\s*=>\s*http"
# line: "overwriteprotocol => 'https',"
# backrefs: yes
@ -22,7 +22,7 @@
#
# - name: Add 'overwriteprotocol' => 'https' if not present
# lineinfile:
# path: "{{ nextcloud_config_file_path }}"
# path: "{{ nextcloud_config_file_host_path }}"
# regexp: "^\s*\);$"
# line: "overwriteprotocol => 'https',"
# insertafter: "^\s*\);$"

9
roles/docker-nextcloud/tasks/ldap.yml
View File

@ -2,6 +2,10 @@
# @See https://chatgpt.com/c/67aa2d21-cb4c-800f-b1be-8629b6bd3f55
# @todo implement
- name: install LDAP plugin
command: "docker exec -u www-data {{nextcloud_application_container_name}} {{nextcloud_docker_path}}occ app:install user_ldap"
ignore_errors: true
- name: Activate Nextcloud LDAP App
command: "docker exec -u www-data {{ nextcloud_application_container_name }} php occ app:enable user_ldap"
@ -14,3 +18,8 @@
command: >
docker exec -u www-data {{ nextcloud_application_container_name }}
php occ config:app:set {{ item.appid }} {{ item.configkey }} --value "{{ item.configvalue }}"
- name: Set Nextcloud LDAP bind password
command: >
docker exec -u www-data {{ nextcloud_application_container_name }}
php occ ldap:set-config s01 ldapAgentPassword "{{ ldap.bind_credential }}"

5
roles/docker-nextcloud/tasks/legacy_login_mask.yml Normal file
View File

@ -0,0 +1,5 @@
- name: Set hide_login_form to true
command: "docker exec -u www-data {{nextcloud_application_container_name}} {{nextcloud_docker_path}}occ config:system:set --type boolean --value {{ (not applications[application_id].legacy_login_mask.enabled) | lower }} hide_login_form"
- name: "Set auth.webauthn.enabled to false"
command: "docker exec -u www-data {{nextcloud_application_container_name}} {{nextcloud_docker_path}}occ config:system:set --type boolean --value {{applications[application_id].legacy_login_mask.enabled | lower}} auth.webauthn.enabled"

20
roles/docker-nextcloud/tasks/main.yml
View File

@ -3,6 +3,19 @@
include_role:
name: docker-central-database
- name: copy oidc.config.php
template:
src: oidc.config.php.j2
dest: "{{nextcloud_host_oidc_login_path}}"
owner: 82 # User www-data in Nextcloud container
group: 82 # User www-data in Nextcloud container
when: applications[application_id].oidc.flavor == "oidc_login"
- name: Remove OIDC configuration lines from config.php if present (container)
command: >
docker exec -u www-data {{ nextcloud_application_container_name }} sh -c "sed -i '/CONFIG_EXTRA = include.*oidc\.config\.php/d' /var/www/html/config/config.php && sed -i '/CONFIG = array_merge(\\$CONFIG, \\$CONFIG_EXTRA)/d' /var/www/html/config/config.php"
when: applications[application_id].oidc.flavor == "sociallogin" and mode_cleanup | bool
- name: "include role for {{application_id}} to recieve certs & do modification routines"
include_role:
name: nginx-https-get-cert-modify-all
@ -23,7 +36,7 @@
include_tasks: copy-docker-compose-and-env.yml
- name: "Include OIDC-specific tasks with flavor {{applications[application_id].oidc.flavor}}"
include_tasks: "oidc_{{applications[application_id].oidc.flavor}}.yml"
include_tasks: "{{applications[application_id].oidc.flavor}}.yml"
when: applications[application_id].oidc.enabled | bool
- name: Include LDAP specific tasks
@ -31,4 +44,7 @@
when: applications[application_id].ldap.enabled | bool
- name: Include Config specific tasks
include_tasks: config.yml
include_tasks: config.yml
- name: De\Activate legacy login mask
include_tasks: legacy_login_mask.yml

1
roles/docker-nextcloud/tasks/oidc_login
View File

@ -1 +0,0 @@
# @todo implement this flavor

13
roles/docker-nextcloud/tasks/oidc_login.yml Normal file
View File

@ -0,0 +1,13 @@
- name: enable sociallogin plugin
command: "docker exec -u www-data {{nextcloud_application_container_name}} {{nextcloud_docker_path}}occ app:disable sociallogin"
ignore_errors: true
when:
- mode_cleanup | bool
- name: install oidc_login plugin
command: "docker exec -u www-data {{nextcloud_application_container_name}} {{nextcloud_docker_path}}occ app:install oidc_login"
ignore_errors: true
- name: Add OIDC configuration if not implemented yet
command: >
docker exec -u www-data {{ nextcloud_application_container_name }} sh -c 'grep -q "CONFIG_EXTRA = include" ./config/config.php || echo -e "\n\$CONFIG_EXTRA = include '\''{{nextcloud_docker_oidc_login_config_path}}'\'';\n\$CONFIG = array_merge(\$CONFIG, \$CONFIG_EXTRA);" >> ./config/config.php'

36
roles/docker-nextcloud/tasks/oidc_sociallogin.yml
View File

@ -1,36 +0,0 @@
# @See https://chatgpt.com/share/6798189e-9c00-800f-923c-5ce3cfbdf405
- name: Flush all handlers immediately so that occ can be used
meta: flush_handlers
- name: Set hide_login_form to true
command: "docker exec -u www-data {{nextcloud_application_container_name}} /var/www/html/occ config:system:set --type boolean --value true hide_login_form"
- name: "Set auth.webauthn.enabled to false"
command: "docker exec -u www-data {{nextcloud_application_container_name}} /var/www/html/occ config:system:set --type boolean --value false auth.webauthn.enabled"
- name: Set allow_login_connect to 1
command: "docker exec -u www-data {{nextcloud_application_container_name}} /var/www/html/occ config:app:set sociallogin allow_login_connect --value='1'"
# This configuration allows users to connect multiple accounts to their Nextcloud profile
# using the sociallogin app.
- name: install sociallogin plugin
command: "docker exec -u www-data {{nextcloud_application_container_name}} /var/www/html/occ app:install sociallogin"
ignore_errors: true
- name: enable sociallogin plugin
command: "docker exec -u www-data {{nextcloud_application_container_name}} /var/www/html/occ app:enable sociallogin"
- name: Set custom_providers
command: >
docker exec -u www-data {{nextcloud_application_container_name}} /var/www/html/occ
config:app:set sociallogin custom_providers
--value='{"custom_oidc":[{"name":"{{domains.keycloak}}","title":"keycloak","style":"keycloak","authorizeUrl":"{{oidc.client.authorize_url}}","tokenUrl":"{{oidc.client.toke_url}}","displayNameClaim":"","userInfoUrl":"{{oidc.client.user_info_url}}","logoutUrl":"{{oidc.client.logout_url}}","clientId":"{{oidc.client.id}}","clientSecret":"{{oidc.client.secret}}","scope":"openid","groupsClaim":"","style":"","defaultGroup":""}]}'
# This configuration defines custom OpenID Connect (OIDC) providers for authentication.
# In this case, it sets up a Keycloak provider with details like URLs for authorization,
# token retrieval, user info, and logout, as well as the client ID and secret.
- name: Set prevent_create_email_exists to 1
command: 'docker exec -u www-data {{nextcloud_application_container_name}} /var/www/html/occ config:app:set sociallogin prevent_create_email_exists --value="1"'
# This configuration prevents the creation of new Nextcloud users if an account with the
# same email address already exists in the system. It helps avoid duplicate accounts.

27
roles/docker-nextcloud/tasks/sociallogin.yml Normal file
View File

@ -0,0 +1,27 @@
# @See https://chatgpt.com/share/6798189e-9c00-800f-923c-5ce3cfbdf405
- name: Flush all handlers immediately so that occ can be used
meta: flush_handlers
- name: enable oidc_login plugin
command: "docker exec -u www-data {{nextcloud_application_container_name}} {{nextcloud_docker_path}}occ app:disable oidc_login"
ignore_errors: true
when:
- mode_cleanup | bool
- name: install sociallogin plugin
command: "docker exec -u www-data {{nextcloud_application_container_name}} {{nextcloud_docker_path}}occ app:install sociallogin"
ignore_errors: true
- name: enable sociallogin plugin
command: "docker exec -u www-data {{nextcloud_application_container_name}} {{nextcloud_docker_path}}occ app:enable sociallogin"
- name: Load Sociallogin configuration variables
include_vars:
file: sociallogin.yml
- name: Configure Sociallogin
loop: "{{ nextcloud_sociallogin_configuration}}"
command: >
docker exec -u www-data {{ nextcloud_application_container_name }}
php occ config:app:set {{ item.appid }} {{ item.configkey }} --value "{{ item.configvalue }}"

13
roles/docker-nextcloud/templates/docker-compose.yml.j2
View File

@ -6,11 +6,14 @@ services:
application:
image: "nextcloud:{{applications.nextcloud.version}}-fpm-alpine"
container_name: {{nextcloud_application_container_name}}
container_name: {{nextcloud_application_container_name}}
volumes:
- data:/var/www/html
- data:{{nextcloud_docker_path}}
{% if applications[application_id].oidc.flavor == "login" %}
- {{nextcloud_host_oidc_login_path}}:{{nextcloud_docker_oidc_login_config_path}}:ro
{% endif %}
healthcheck:
test: ["CMD", "su", "www-data", "-s", "/bin/sh", "-c", "php /var/www/html/occ status"]
test: ["CMD", "su", "www-data", "-s", "/bin/sh", "-c", "php {{nextcloud_docker_path}}occ status"]
interval: 1m
timeout: 10s
retries: 3
@ -47,10 +50,10 @@ services:
logging:
driver: journald
volumes:
- data:/var/www/html
- data:{{nextcloud_docker_path}}
entrypoint: /cron.sh
healthcheck:
test: ["CMD", "su", "www-data", "-s", "/bin/sh", "-c", "php /var/www/html/occ status"]
test: ["CMD", "su", "www-data", "-s", "/bin/sh", "-c", "php {{nextcloud_docker_path}}occ status"]
interval: 1m
timeout: 10s
retries: 3

11
roles/docker-nextcloud/templates/oidc.php.j2 → roles/docker-nextcloud/templates/oidc.config.php.j2
View File

@ -1,12 +1,13 @@
<?php
# Check out: https://github.com/pulsejet/nextcloud-oidc-login
$CONFIG = array (
return array (
// Some Nextcloud options that might make sense here
'allow_user_to_change_display_name' => false,
'lost_password_link' => 'disabled',
// URL of provider. All other URLs are auto-discovered from .well-known
'oidc_login_provider_url' => 'https://{{domains.keycloak}}',
'oidc_login_provider_url' => 'https://{{oidc.client.issuer_url}}',
// Client ID and secret registered with the provider
'oidc_login_client_id' => '{{oidc.client.id}}',
@ -95,10 +96,10 @@ $CONFIG = array (
'id' => 'username',
'name' => 'name',
'mail' => 'email',
'quota' => 'nextcloudQuota',
'home' => 'homeDirectory',
# 'quota' => 'nextcloudQuota', # Not implemented yet
# 'home' => 'homeDirectory', # Not implemented yet
'ldap_uid' => 'uid',
'groups' => 'ownCloudGroups',
# 'groups' => 'ownCloudGroups', # Not implemented yet
'login_filter' => 'realm_access_roles',
// 'photoURL' => 'picture',
// 'is_admin' => 'ownCloudAdmin',

9
roles/docker-nextcloud/vars/ldap.yml
View File

@ -24,11 +24,6 @@ nextcloud_ldap_configuration:
configkey: "s01last_jpegPhoto_lookup"
configvalue: 0
-
appid: "user_ldap"
configkey: "s01ldap_agent_password"
configvalue: "{{ldap.bind_credential}}"
-
appid: "user_ldap"
configkey: "s01ldap_backup_port"
@ -42,12 +37,12 @@ nextcloud_ldap_configuration:
-
appid: "user_ldap"
configkey: "s01ldap_base_groups"
configvalue: "{{ldap.dn.groups}}"
configvalue: "{{ldap.dn.root}}"
-
appid: "user_ldap"
configkey: "s01ldap_base_users"
configvalue: "{{ldap.dn.users}}"
configvalue: "{{ldap.dn.root}}}"
-
appid: "user_ldap"

19
roles/docker-nextcloud/vars/main.yml
View File

@ -1,9 +1,12 @@
---
application_id: "nextcloud"
database_password: "{{applications.nextcloud.credentials.database_password}}"
database_type: "mariadb"
nextcloud_application_container_name: "nextcloud-application"
nextcloud_nginx_container_name: "nextcloud-web"
nextcloud_config_file_path: "/var/lib/docker/volumes/nextcloud_data/_data/config/config.php"
domain: "{{domains[application_id]}}"
http_port: "{{ ports.localhost.http[application_id] }}"
application_id: "nextcloud"
database_password: "{{applications.nextcloud.credentials.database_password}}"
database_type: "mariadb"
nextcloud_application_container_name: "nextcloud-application"
nextcloud_nginx_container_name: "nextcloud-web"
nextcloud_config_file_host_path: "/var/lib/docker/volumes/nextcloud_data/_data/config/config.php"
domain: "{{domains[application_id]}}"
http_port: "{{ ports.localhost.http[application_id] }}"
nextcloud_docker_path: "/var/www/html/"
nextcloud_docker_oidc_login_config_path: "{{nextcloud_docker_path}}config/oidc.config.php"
nextcloud_host_oidc_login_path: "{{docker_compose.directories.volumes}}/oidc.config.php"

72
roles/docker-nextcloud/vars/sociallogin.yml Normal file
View File

@ -0,0 +1,72 @@
nextcloud_sociallogin_configuration:
-
appid: "sociallogin"
# This configuration allows users to connect multiple accounts to their Nextcloud profile
# using the sociallogin app.
configkey: "allow_login_connect"
configvalue: 1
-
appid: "sociallogin"
configkey: "auto_create_groups"
configvalue: ""
-
appid: "sociallogin"
configkey: "button_text_wo_prefix"
configvalue: ""
-
appid: "sociallogin"
configkey: "create_disabled_users"
configvalue: ""
-
appid: "sociallogin"
# This configuration defines custom OpenID Connect (OIDC) providers for authentication.
# In this case, it sets up a Keycloak provider with details like URLs for authorization,
# token retrieval, user info, and logout, as well as the client ID and secret.
configkey: "custom_providers"
configvalue: '{"custom_oidc":[{"name":"{{domains.keycloak}}","title":"keycloak","style":"keycloak","authorizeUrl":"{{oidc.client.authorize_url}}","tokenUrl":"{{oidc.client.toke_url}}","displayNameClaim":"","userInfoUrl":"{{oidc.client.user_info_url}}","logoutUrl":"{{oidc.client.logout_url}}","clientId":"{{oidc.client.id}}","clientSecret":"{{oidc.client.secret}}","scope":"openid","groupsClaim":"","style":"","defaultGroup":""}]}'
-
appid: "sociallogin"
configkey: "disable_notify_admins"
configvalue: ""
-
appid: "sociallogin"
configkey: "disable_registration"
configvalue: ""
-
appid: "sociallogin"
configkey: "enabled"
configvalue: "yes"
-
appid: "sociallogin"
configkey: "hide_default_login"
configvalue: ""
-
appid: "sociallogin"
configkey: "no_prune_user_groups"
configvalue: ""
-
appid: "sociallogin"
configkey: "oauth_providers"
configvalue: "null"
-
appid: "sociallogin"
# This configuration prevents the creation of new Nextcloud users if an account with the
# same email address already exists in the system. It helps avoid duplicate accounts.
configkey: "prevent_create_email_exists"
configvalue: 1
-
appid: "sociallogin"
configkey: "restrict_users_wo_assigned_groups"
configvalue: ""
-
appid: "sociallogin"
configkey: "restrict_users_wo_mapped_groups"
configvalue: ""
-
appid: "sociallogin"
configkey: "types"
configvalue: ""
-
appid: "sociallogin"
configkey: "update_profile_on_login"
configvalue: 1