diff --git a/group_vars/all/01_modes.yml b/group_vars/all/01_modes.yml index 59a04716..f07f02d1 100644 --- a/group_vars/all/01_modes.yml +++ b/group_vars/all/01_modes.yml @@ -5,4 +5,4 @@ mode_reset: false # Cleans up all CyMaIS files. It's necessary to run to whole mode_test: false # Executes test routines instead of productive routines mode_update: true # Executes updates mode_backup: true # Activates the backup before the update procedure -mode_cleanup: false # Cleanup unused files and configurations \ No newline at end of file +mode_cleanup: true # Cleanup unused files and configurations \ No newline at end of file diff --git a/group_vars/all/07_applications.yml b/group_vars/all/07_applications.yml index 9c32a697..e0bf8e0b 100644 --- a/group_vars/all/07_applications.yml +++ b/group_vars/all/07_applications.yml @@ -245,11 +245,11 @@ defaults_applications: nextcloud: version: "production" # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/ ldap: - enabled: True # Enables LDAP by default, missing ansible setup tasks @todo setup + enabled: True # Enables LDAP by default oidc: enabled: true # Activate OIDC for Nextcloud # floavor decides which OICD plugin should be used. - # Available options: login, sociallogin + # Available options: oidc_login, sociallogin # @see https://apps.nextcloud.com/apps/oidc_login # @see https://apps.nextcloud.com/apps/sociallogin flavor: "sociallogin" # Keeping on sociallogin because the other option is not implemented yet @@ -263,6 +263,8 @@ defaults_applications: username: "{{users.administrator.username}}" initial_password: "{{users.administrator.initial_password}}" default_quota: '1000000000' # Quota to assign if no quota is specified in the OIDC response (bytes) + legacy_login_mask: + enabled: False # If true, then legacy login mask is shown. Otherwise just SSO ## OAuth2 Proxy oauth2_proxy: diff --git a/roles/docker-ldap/templates/ldif/schema/01_nextcloud.schema.ldif_deactivated b/roles/docker-ldap/templates/ldif/schema/01_nextcloud.schema.ldif similarity index 69% rename from roles/docker-ldap/templates/ldif/schema/01_nextcloud.schema.ldif_deactivated rename to roles/docker-ldap/templates/ldif/schema/01_nextcloud.schema.ldif index 23b99a25..aa562319 100644 --- a/roles/docker-ldap/templates/ldif/schema/01_nextcloud.schema.ldif_deactivated +++ b/roles/docker-ldap/templates/ldif/schema/01_nextcloud.schema.ldif @@ -1,7 +1,4 @@ # nextcloud.schema -# This schema is deactivated, because with keycloak it's impossible to set schemas to new created users -# Until then the managament is done over keycloak -# @todo activate in ldap dn: cn=nextcloud,cn=schema,cn=config objectClass: olcSchemaConfig diff --git a/roles/docker-nextcloud/tasks/config.yml b/roles/docker-nextcloud/tasks/config.yml index 0ac4389d..a34de1f2 100644 --- a/roles/docker-nextcloud/tasks/config.yml +++ b/roles/docker-nextcloud/tasks/config.yml @@ -1,18 +1,18 @@ -- name: "Substitute http with https in {{ nextcloud_config_file_path }}" +- name: "Substitute http with https in {{ nextcloud_config_file_host_path }}" replace: - path: "{{ nextcloud_config_file_path }}" + path: "{{ nextcloud_config_file_host_path }}" regexp: "http://{{ domain | regex_escape }}" replace: "https://{{ domain }}" notify: - docker compose restart -#- name: Ensure 'overwriteprotocol' is set to 'https' in Nextcloud {{ nextcloud_config_file_path }} +#- name: Ensure 'overwriteprotocol' is set to 'https' in Nextcloud {{ nextcloud_config_file_host_path }} # block: # Deactivated because it was really heavy to fix. # @todo implement # - name: Check if 'overwriteprotocol' is already set # lineinfile: -# path: "{{ nextcloud_config_file_path }}" +# path: "{{ nextcloud_config_file_host_path }}" # regexp: "^\s*overwriteprotocol\s*=>\s*http" # line: "overwriteprotocol => 'https'," # backrefs: yes @@ -22,7 +22,7 @@ # # - name: Add 'overwriteprotocol' => 'https' if not present # lineinfile: -# path: "{{ nextcloud_config_file_path }}" +# path: "{{ nextcloud_config_file_host_path }}" # regexp: "^\s*\);$" # line: "overwriteprotocol => 'https'," # insertafter: "^\s*\);$" diff --git a/roles/docker-nextcloud/tasks/ldap.yml b/roles/docker-nextcloud/tasks/ldap.yml index 640588cf..9d4a87b5 100644 --- a/roles/docker-nextcloud/tasks/ldap.yml +++ b/roles/docker-nextcloud/tasks/ldap.yml @@ -2,6 +2,10 @@ # @See https://chatgpt.com/c/67aa2d21-cb4c-800f-b1be-8629b6bd3f55 # @todo implement +- name: install LDAP plugin + command: "docker exec -u www-data {{nextcloud_application_container_name}} {{nextcloud_docker_path}}occ app:install user_ldap" + ignore_errors: true + - name: Activate Nextcloud LDAP App command: "docker exec -u www-data {{ nextcloud_application_container_name }} php occ app:enable user_ldap" @@ -14,3 +18,8 @@ command: > docker exec -u www-data {{ nextcloud_application_container_name }} php occ config:app:set {{ item.appid }} {{ item.configkey }} --value "{{ item.configvalue }}" + +- name: Set Nextcloud LDAP bind password + command: > + docker exec -u www-data {{ nextcloud_application_container_name }} + php occ ldap:set-config s01 ldapAgentPassword "{{ ldap.bind_credential }}" diff --git a/roles/docker-nextcloud/tasks/legacy_login_mask.yml b/roles/docker-nextcloud/tasks/legacy_login_mask.yml new file mode 100644 index 00000000..0f8f9bef --- /dev/null +++ b/roles/docker-nextcloud/tasks/legacy_login_mask.yml @@ -0,0 +1,5 @@ +- name: Set hide_login_form to true + command: "docker exec -u www-data {{nextcloud_application_container_name}} {{nextcloud_docker_path}}occ config:system:set --type boolean --value {{ (not applications[application_id].legacy_login_mask.enabled) | lower }} hide_login_form" + +- name: "Set auth.webauthn.enabled to false" + command: "docker exec -u www-data {{nextcloud_application_container_name}} {{nextcloud_docker_path}}occ config:system:set --type boolean --value {{applications[application_id].legacy_login_mask.enabled | lower}} auth.webauthn.enabled" \ No newline at end of file diff --git a/roles/docker-nextcloud/tasks/main.yml b/roles/docker-nextcloud/tasks/main.yml index 0611464c..f51d08d0 100644 --- a/roles/docker-nextcloud/tasks/main.yml +++ b/roles/docker-nextcloud/tasks/main.yml @@ -3,6 +3,19 @@ include_role: name: docker-central-database +- name: copy oidc.config.php + template: + src: oidc.config.php.j2 + dest: "{{nextcloud_host_oidc_login_path}}" + owner: 82 # User www-data in Nextcloud container + group: 82 # User www-data in Nextcloud container + when: applications[application_id].oidc.flavor == "oidc_login" + +- name: Remove OIDC configuration lines from config.php if present (container) + command: > + docker exec -u www-data {{ nextcloud_application_container_name }} sh -c "sed -i '/CONFIG_EXTRA = include.*oidc\.config\.php/d' /var/www/html/config/config.php && sed -i '/CONFIG = array_merge(\\$CONFIG, \\$CONFIG_EXTRA)/d' /var/www/html/config/config.php" + when: applications[application_id].oidc.flavor == "sociallogin" and mode_cleanup | bool + - name: "include role for {{application_id}} to recieve certs & do modification routines" include_role: name: nginx-https-get-cert-modify-all @@ -23,7 +36,7 @@ include_tasks: copy-docker-compose-and-env.yml - name: "Include OIDC-specific tasks with flavor {{applications[application_id].oidc.flavor}}" - include_tasks: "oidc_{{applications[application_id].oidc.flavor}}.yml" + include_tasks: "{{applications[application_id].oidc.flavor}}.yml" when: applications[application_id].oidc.enabled | bool - name: Include LDAP specific tasks @@ -31,4 +44,7 @@ when: applications[application_id].ldap.enabled | bool - name: Include Config specific tasks - include_tasks: config.yml \ No newline at end of file + include_tasks: config.yml + +- name: De\Activate legacy login mask + include_tasks: legacy_login_mask.yml \ No newline at end of file diff --git a/roles/docker-nextcloud/tasks/oidc_login b/roles/docker-nextcloud/tasks/oidc_login deleted file mode 100644 index 0f30b364..00000000 --- a/roles/docker-nextcloud/tasks/oidc_login +++ /dev/null @@ -1 +0,0 @@ -# @todo implement this flavor \ No newline at end of file diff --git a/roles/docker-nextcloud/tasks/oidc_login.yml b/roles/docker-nextcloud/tasks/oidc_login.yml new file mode 100644 index 00000000..bc79cc86 --- /dev/null +++ b/roles/docker-nextcloud/tasks/oidc_login.yml @@ -0,0 +1,13 @@ +- name: enable sociallogin plugin + command: "docker exec -u www-data {{nextcloud_application_container_name}} {{nextcloud_docker_path}}occ app:disable sociallogin" + ignore_errors: true + when: + - mode_cleanup | bool + +- name: install oidc_login plugin + command: "docker exec -u www-data {{nextcloud_application_container_name}} {{nextcloud_docker_path}}occ app:install oidc_login" + ignore_errors: true + +- name: Add OIDC configuration if not implemented yet + command: > + docker exec -u www-data {{ nextcloud_application_container_name }} sh -c 'grep -q "CONFIG_EXTRA = include" ./config/config.php || echo -e "\n\$CONFIG_EXTRA = include '\''{{nextcloud_docker_oidc_login_config_path}}'\'';\n\$CONFIG = array_merge(\$CONFIG, \$CONFIG_EXTRA);" >> ./config/config.php' diff --git a/roles/docker-nextcloud/tasks/oidc_sociallogin.yml b/roles/docker-nextcloud/tasks/oidc_sociallogin.yml deleted file mode 100644 index da5113d7..00000000 --- a/roles/docker-nextcloud/tasks/oidc_sociallogin.yml +++ /dev/null @@ -1,36 +0,0 @@ -# @See https://chatgpt.com/share/6798189e-9c00-800f-923c-5ce3cfbdf405 - -- name: Flush all handlers immediately so that occ can be used - meta: flush_handlers - -- name: Set hide_login_form to true - command: "docker exec -u www-data {{nextcloud_application_container_name}} /var/www/html/occ config:system:set --type boolean --value true hide_login_form" - -- name: "Set auth.webauthn.enabled to false" - command: "docker exec -u www-data {{nextcloud_application_container_name}} /var/www/html/occ config:system:set --type boolean --value false auth.webauthn.enabled" - -- name: Set allow_login_connect to 1 - command: "docker exec -u www-data {{nextcloud_application_container_name}} /var/www/html/occ config:app:set sociallogin allow_login_connect --value='1'" - # This configuration allows users to connect multiple accounts to their Nextcloud profile - # using the sociallogin app. - -- name: install sociallogin plugin - command: "docker exec -u www-data {{nextcloud_application_container_name}} /var/www/html/occ app:install sociallogin" - ignore_errors: true - -- name: enable sociallogin plugin - command: "docker exec -u www-data {{nextcloud_application_container_name}} /var/www/html/occ app:enable sociallogin" - -- name: Set custom_providers - command: > - docker exec -u www-data {{nextcloud_application_container_name}} /var/www/html/occ - config:app:set sociallogin custom_providers - --value='{"custom_oidc":[{"name":"{{domains.keycloak}}","title":"keycloak","style":"keycloak","authorizeUrl":"{{oidc.client.authorize_url}}","tokenUrl":"{{oidc.client.toke_url}}","displayNameClaim":"","userInfoUrl":"{{oidc.client.user_info_url}}","logoutUrl":"{{oidc.client.logout_url}}","clientId":"{{oidc.client.id}}","clientSecret":"{{oidc.client.secret}}","scope":"openid","groupsClaim":"","style":"","defaultGroup":""}]}' - # This configuration defines custom OpenID Connect (OIDC) providers for authentication. - # In this case, it sets up a Keycloak provider with details like URLs for authorization, - # token retrieval, user info, and logout, as well as the client ID and secret. - -- name: Set prevent_create_email_exists to 1 - command: 'docker exec -u www-data {{nextcloud_application_container_name}} /var/www/html/occ config:app:set sociallogin prevent_create_email_exists --value="1"' - # This configuration prevents the creation of new Nextcloud users if an account with the - # same email address already exists in the system. It helps avoid duplicate accounts. \ No newline at end of file diff --git a/roles/docker-nextcloud/tasks/sociallogin.yml b/roles/docker-nextcloud/tasks/sociallogin.yml new file mode 100644 index 00000000..9e6776d3 --- /dev/null +++ b/roles/docker-nextcloud/tasks/sociallogin.yml @@ -0,0 +1,27 @@ +# @See https://chatgpt.com/share/6798189e-9c00-800f-923c-5ce3cfbdf405 + +- name: Flush all handlers immediately so that occ can be used + meta: flush_handlers + +- name: enable oidc_login plugin + command: "docker exec -u www-data {{nextcloud_application_container_name}} {{nextcloud_docker_path}}occ app:disable oidc_login" + ignore_errors: true + when: + - mode_cleanup | bool + +- name: install sociallogin plugin + command: "docker exec -u www-data {{nextcloud_application_container_name}} {{nextcloud_docker_path}}occ app:install sociallogin" + ignore_errors: true + +- name: enable sociallogin plugin + command: "docker exec -u www-data {{nextcloud_application_container_name}} {{nextcloud_docker_path}}occ app:enable sociallogin" + +- name: Load Sociallogin configuration variables + include_vars: + file: sociallogin.yml + +- name: Configure Sociallogin + loop: "{{ nextcloud_sociallogin_configuration}}" + command: > + docker exec -u www-data {{ nextcloud_application_container_name }} + php occ config:app:set {{ item.appid }} {{ item.configkey }} --value "{{ item.configvalue }}" \ No newline at end of file diff --git a/roles/docker-nextcloud/templates/docker-compose.yml.j2 b/roles/docker-nextcloud/templates/docker-compose.yml.j2 index 4a9bacb7..c9504921 100644 --- a/roles/docker-nextcloud/templates/docker-compose.yml.j2 +++ b/roles/docker-nextcloud/templates/docker-compose.yml.j2 @@ -6,11 +6,14 @@ services: application: image: "nextcloud:{{applications.nextcloud.version}}-fpm-alpine" - container_name: {{nextcloud_application_container_name}} + container_name: {{nextcloud_application_container_name}} volumes: - - data:/var/www/html + - data:{{nextcloud_docker_path}} +{% if applications[application_id].oidc.flavor == "login" %} + - {{nextcloud_host_oidc_login_path}}:{{nextcloud_docker_oidc_login_config_path}}:ro +{% endif %} healthcheck: - test: ["CMD", "su", "www-data", "-s", "/bin/sh", "-c", "php /var/www/html/occ status"] + test: ["CMD", "su", "www-data", "-s", "/bin/sh", "-c", "php {{nextcloud_docker_path}}occ status"] interval: 1m timeout: 10s retries: 3 @@ -47,10 +50,10 @@ services: logging: driver: journald volumes: - - data:/var/www/html + - data:{{nextcloud_docker_path}} entrypoint: /cron.sh healthcheck: - test: ["CMD", "su", "www-data", "-s", "/bin/sh", "-c", "php /var/www/html/occ status"] + test: ["CMD", "su", "www-data", "-s", "/bin/sh", "-c", "php {{nextcloud_docker_path}}occ status"] interval: 1m timeout: 10s retries: 3 diff --git a/roles/docker-nextcloud/templates/oidc.php.j2 b/roles/docker-nextcloud/templates/oidc.config.php.j2 similarity index 97% rename from roles/docker-nextcloud/templates/oidc.php.j2 rename to roles/docker-nextcloud/templates/oidc.config.php.j2 index 4d524629..aed085b1 100644 --- a/roles/docker-nextcloud/templates/oidc.php.j2 +++ b/roles/docker-nextcloud/templates/oidc.config.php.j2 @@ -1,12 +1,13 @@ + false, 'lost_password_link' => 'disabled', // URL of provider. All other URLs are auto-discovered from .well-known - 'oidc_login_provider_url' => 'https://{{domains.keycloak}}', + 'oidc_login_provider_url' => 'https://{{oidc.client.issuer_url}}', // Client ID and secret registered with the provider 'oidc_login_client_id' => '{{oidc.client.id}}', @@ -95,10 +96,10 @@ $CONFIG = array ( 'id' => 'username', 'name' => 'name', 'mail' => 'email', - 'quota' => 'nextcloudQuota', - 'home' => 'homeDirectory', + # 'quota' => 'nextcloudQuota', # Not implemented yet + # 'home' => 'homeDirectory', # Not implemented yet 'ldap_uid' => 'uid', - 'groups' => 'ownCloudGroups', + # 'groups' => 'ownCloudGroups', # Not implemented yet 'login_filter' => 'realm_access_roles', // 'photoURL' => 'picture', // 'is_admin' => 'ownCloudAdmin', diff --git a/roles/docker-nextcloud/vars/ldap.yml b/roles/docker-nextcloud/vars/ldap.yml index 4bfc60a7..152f1eb9 100644 --- a/roles/docker-nextcloud/vars/ldap.yml +++ b/roles/docker-nextcloud/vars/ldap.yml @@ -24,11 +24,6 @@ nextcloud_ldap_configuration: configkey: "s01last_jpegPhoto_lookup" configvalue: 0 - - - appid: "user_ldap" - configkey: "s01ldap_agent_password" - configvalue: "{{ldap.bind_credential}}" - - appid: "user_ldap" configkey: "s01ldap_backup_port" @@ -42,12 +37,12 @@ nextcloud_ldap_configuration: - appid: "user_ldap" configkey: "s01ldap_base_groups" - configvalue: "{{ldap.dn.groups}}" + configvalue: "{{ldap.dn.root}}" - appid: "user_ldap" configkey: "s01ldap_base_users" - configvalue: "{{ldap.dn.users}}" + configvalue: "{{ldap.dn.root}}}" - appid: "user_ldap" diff --git a/roles/docker-nextcloud/vars/main.yml b/roles/docker-nextcloud/vars/main.yml index 4241c56c..30479fae 100644 --- a/roles/docker-nextcloud/vars/main.yml +++ b/roles/docker-nextcloud/vars/main.yml @@ -1,9 +1,12 @@ --- -application_id: "nextcloud" -database_password: "{{applications.nextcloud.credentials.database_password}}" -database_type: "mariadb" -nextcloud_application_container_name: "nextcloud-application" -nextcloud_nginx_container_name: "nextcloud-web" -nextcloud_config_file_path: "/var/lib/docker/volumes/nextcloud_data/_data/config/config.php" -domain: "{{domains[application_id]}}" -http_port: "{{ ports.localhost.http[application_id] }}" \ No newline at end of file +application_id: "nextcloud" +database_password: "{{applications.nextcloud.credentials.database_password}}" +database_type: "mariadb" +nextcloud_application_container_name: "nextcloud-application" +nextcloud_nginx_container_name: "nextcloud-web" +nextcloud_config_file_host_path: "/var/lib/docker/volumes/nextcloud_data/_data/config/config.php" +domain: "{{domains[application_id]}}" +http_port: "{{ ports.localhost.http[application_id] }}" +nextcloud_docker_path: "/var/www/html/" +nextcloud_docker_oidc_login_config_path: "{{nextcloud_docker_path}}config/oidc.config.php" +nextcloud_host_oidc_login_path: "{{docker_compose.directories.volumes}}/oidc.config.php" \ No newline at end of file diff --git a/roles/docker-nextcloud/vars/sociallogin.yml b/roles/docker-nextcloud/vars/sociallogin.yml new file mode 100644 index 00000000..6ff34fd8 --- /dev/null +++ b/roles/docker-nextcloud/vars/sociallogin.yml @@ -0,0 +1,72 @@ +nextcloud_sociallogin_configuration: + - + appid: "sociallogin" + # This configuration allows users to connect multiple accounts to their Nextcloud profile + # using the sociallogin app. + configkey: "allow_login_connect" + configvalue: 1 + - + appid: "sociallogin" + configkey: "auto_create_groups" + configvalue: "" + - + appid: "sociallogin" + configkey: "button_text_wo_prefix" + configvalue: "" + - + appid: "sociallogin" + configkey: "create_disabled_users" + configvalue: "" + - + appid: "sociallogin" + # This configuration defines custom OpenID Connect (OIDC) providers for authentication. + # In this case, it sets up a Keycloak provider with details like URLs for authorization, + # token retrieval, user info, and logout, as well as the client ID and secret. + configkey: "custom_providers" + configvalue: '{"custom_oidc":[{"name":"{{domains.keycloak}}","title":"keycloak","style":"keycloak","authorizeUrl":"{{oidc.client.authorize_url}}","tokenUrl":"{{oidc.client.toke_url}}","displayNameClaim":"","userInfoUrl":"{{oidc.client.user_info_url}}","logoutUrl":"{{oidc.client.logout_url}}","clientId":"{{oidc.client.id}}","clientSecret":"{{oidc.client.secret}}","scope":"openid","groupsClaim":"","style":"","defaultGroup":""}]}' + - + appid: "sociallogin" + configkey: "disable_notify_admins" + configvalue: "" + - + appid: "sociallogin" + configkey: "disable_registration" + configvalue: "" + - + appid: "sociallogin" + configkey: "enabled" + configvalue: "yes" + - + appid: "sociallogin" + configkey: "hide_default_login" + configvalue: "" + - + appid: "sociallogin" + configkey: "no_prune_user_groups" + configvalue: "" + - + appid: "sociallogin" + configkey: "oauth_providers" + configvalue: "null" + - + appid: "sociallogin" + # This configuration prevents the creation of new Nextcloud users if an account with the + # same email address already exists in the system. It helps avoid duplicate accounts. + configkey: "prevent_create_email_exists" + configvalue: 1 + - + appid: "sociallogin" + configkey: "restrict_users_wo_assigned_groups" + configvalue: "" + - + appid: "sociallogin" + configkey: "restrict_users_wo_mapped_groups" + configvalue: "" + - + appid: "sociallogin" + configkey: "types" + configvalue: "" + - + appid: "sociallogin" + configkey: "update_profile_on_login" + configvalue: 1 \ No newline at end of file