Optimized OIDC Login for Nextcloud

2025-08-29 15:06:26 +02:00 · 2025-02-25 19:35:48 +01:00
parent 9a9bae4f2c
commit 72b787814e
16 changed files with 181 additions and 75 deletions
--- a/roles/docker-nextcloud/tasks/config.yml
+++ b/roles/docker-nextcloud/tasks/config.yml
@@ -1,18 +1,18 @@
- name: "Substitute http with https in {{ nextcloud_config_file_path }}"
+- name: "Substitute http with https in {{ nextcloud_config_file_host_path }}"
  replace:
-    path: "{{ nextcloud_config_file_path }}"
+    path: "{{ nextcloud_config_file_host_path }}"
    regexp: "http://{{ domain | regex_escape }}"
    replace: "https://{{ domain }}"
  notify:
    - docker compose restart

-#- name: Ensure 'overwriteprotocol' is set to 'https' in Nextcloud {{ nextcloud_config_file_path }}
+#- name: Ensure 'overwriteprotocol' is set to 'https' in Nextcloud {{ nextcloud_config_file_host_path }}
 #  block:
 #     Deactivated because it was really heavy to fix. 
 #     @todo implement
 #    - name: Check if 'overwriteprotocol' is already set
 #      lineinfile:
-#        path: "{{ nextcloud_config_file_path }}"
+#        path: "{{ nextcloud_config_file_host_path }}"
 #        regexp: "^\s*overwriteprotocol\s*=>\s*http"
 #        line: "overwriteprotocol => 'https',"
 #        backrefs: yes
@@ -22,7 +22,7 @@
 #
 #    - name: Add 'overwriteprotocol' => 'https' if not present
 #      lineinfile:
-#        path: "{{ nextcloud_config_file_path }}"
+#        path: "{{ nextcloud_config_file_host_path }}"
 #        regexp: "^\s*\);$"
 #        line: "overwriteprotocol => 'https',"
 #        insertafter: "^\s*\);$"
--- a/roles/docker-nextcloud/tasks/ldap.yml
+++ b/roles/docker-nextcloud/tasks/ldap.yml
@@ -2,6 +2,10 @@
 # @See https://chatgpt.com/c/67aa2d21-cb4c-800f-b1be-8629b6bd3f55
 # @todo implement

+- name: install LDAP plugin
+  command: "docker exec -u www-data {{nextcloud_application_container_name}} {{nextcloud_docker_path}}occ app:install user_ldap"
+  ignore_errors: true
+
 - name: Activate Nextcloud LDAP App
  command: "docker exec -u www-data {{ nextcloud_application_container_name }} php occ app:enable user_ldap"

@@ -14,3 +18,8 @@
  command: >
    docker exec -u www-data {{ nextcloud_application_container_name }}
    php occ config:app:set {{ item.appid }} {{ item.configkey }} --value "{{ item.configvalue }}"
+
+- name: Set Nextcloud LDAP bind password
+  command: >
+    docker exec -u www-data {{ nextcloud_application_container_name }}
+    php occ ldap:set-config s01 ldapAgentPassword "{{ ldap.bind_credential }}"
--- a/roles/docker-nextcloud/tasks/legacy_login_mask.yml
+++ b/roles/docker-nextcloud/tasks/legacy_login_mask.yml
@@ -0,0 +1,5 @@
+- name: Set hide_login_form to true
+  command: "docker exec -u www-data {{nextcloud_application_container_name}} {{nextcloud_docker_path}}occ config:system:set --type boolean --value {{ (not applications[application_id].legacy_login_mask.enabled) | lower }} hide_login_form"
+
+- name: "Set auth.webauthn.enabled to false"
+  command: "docker exec -u www-data {{nextcloud_application_container_name}} {{nextcloud_docker_path}}occ config:system:set --type boolean --value {{applications[application_id].legacy_login_mask.enabled | lower}} auth.webauthn.enabled"
--- a/roles/docker-nextcloud/tasks/main.yml
+++ b/roles/docker-nextcloud/tasks/main.yml
@@ -3,6 +3,19 @@
  include_role: 
    name: docker-central-database

+- name: copy oidc.config.php
+  template: 
+    src: oidc.config.php.j2
+    dest: "{{nextcloud_host_oidc_login_path}}"
+    owner: 82 # User www-data in Nextcloud container
+    group: 82 # User www-data in Nextcloud container
+  when: applications[application_id].oidc.flavor == "oidc_login" 
+
+- name: Remove OIDC configuration lines from config.php if present (container)
+  command: >
+    docker exec -u www-data {{ nextcloud_application_container_name }} sh -c "sed -i '/CONFIG_EXTRA = include.*oidc\.config\.php/d' /var/www/html/config/config.php && sed -i '/CONFIG = array_merge(\\$CONFIG, \\$CONFIG_EXTRA)/d' /var/www/html/config/config.php"
+  when: applications[application_id].oidc.flavor == "sociallogin" and mode_cleanup | bool 
+
 - name: "include role for {{application_id}} to recieve certs & do modification routines"
  include_role:
    name: nginx-https-get-cert-modify-all
@@ -23,7 +36,7 @@
  include_tasks: copy-docker-compose-and-env.yml

 - name: "Include OIDC-specific tasks with flavor {{applications[application_id].oidc.flavor}}"
-  include_tasks: "oidc_{{applications[application_id].oidc.flavor}}.yml"
+  include_tasks: "{{applications[application_id].oidc.flavor}}.yml"
  when: applications[application_id].oidc.enabled | bool

 - name: Include LDAP specific tasks
@@ -31,4 +44,7 @@
  when: applications[application_id].ldap.enabled | bool

 - name: Include Config specific tasks
-  include_tasks: config.yml
+  include_tasks: config.yml
+
+- name: De\Activate legacy login mask
+  include_tasks: legacy_login_mask.yml
--- a/roles/docker-nextcloud/tasks/oidc_login
+++ b/roles/docker-nextcloud/tasks/oidc_login
@@ -1 +0,0 @@
-# @todo implement this flavor
--- a/roles/docker-nextcloud/tasks/oidc_login.yml
+++ b/roles/docker-nextcloud/tasks/oidc_login.yml
@@ -0,0 +1,13 @@
+- name: enable sociallogin plugin
+  command: "docker exec -u www-data {{nextcloud_application_container_name}} {{nextcloud_docker_path}}occ app:disable sociallogin"
+  ignore_errors: true
+  when: 
+    - mode_cleanup | bool
+
+- name: install oidc_login plugin
+  command: "docker exec -u www-data {{nextcloud_application_container_name}} {{nextcloud_docker_path}}occ app:install oidc_login"
+  ignore_errors: true
+
+- name: Add OIDC configuration if not implemented yet
+  command: >
+    docker exec -u www-data {{ nextcloud_application_container_name }} sh -c 'grep -q "CONFIG_EXTRA = include" ./config/config.php || echo -e "\n\$CONFIG_EXTRA = include '\''{{nextcloud_docker_oidc_login_config_path}}'\'';\n\$CONFIG = array_merge(\$CONFIG, \$CONFIG_EXTRA);" >> ./config/config.php'
--- a/roles/docker-nextcloud/tasks/oidc_sociallogin.yml
+++ b/roles/docker-nextcloud/tasks/oidc_sociallogin.yml
@@ -1,36 +0,0 @@
-# @See https://chatgpt.com/share/6798189e-9c00-800f-923c-5ce3cfbdf405
-
- name: Flush all handlers immediately so that occ can be used
-  meta: flush_handlers
-
- name: Set hide_login_form to true
-  command: "docker exec -u www-data {{nextcloud_application_container_name}} /var/www/html/occ config:system:set --type boolean --value true hide_login_form"
-
- name: "Set auth.webauthn.enabled to false"
-  command: "docker exec -u www-data {{nextcloud_application_container_name}} /var/www/html/occ config:system:set --type boolean --value false auth.webauthn.enabled"
-
- name: Set allow_login_connect to 1
-  command: "docker exec -u www-data {{nextcloud_application_container_name}} /var/www/html/occ config:app:set sociallogin allow_login_connect --value='1'"
-  # This configuration allows users to connect multiple accounts to their Nextcloud profile
-  # using the sociallogin app.
-
- name: install sociallogin plugin
-  command: "docker exec -u www-data {{nextcloud_application_container_name}} /var/www/html/occ app:install sociallogin"
-  ignore_errors: true
-
- name: enable sociallogin plugin
-  command: "docker exec -u www-data {{nextcloud_application_container_name}} /var/www/html/occ app:enable sociallogin"
-
- name: Set custom_providers
-  command: >
-    docker exec -u www-data {{nextcloud_application_container_name}} /var/www/html/occ
-    config:app:set sociallogin custom_providers
-    --value='{"custom_oidc":[{"name":"{{domains.keycloak}}","title":"keycloak","style":"keycloak","authorizeUrl":"{{oidc.client.authorize_url}}","tokenUrl":"{{oidc.client.toke_url}}","displayNameClaim":"","userInfoUrl":"{{oidc.client.user_info_url}}","logoutUrl":"{{oidc.client.logout_url}}","clientId":"{{oidc.client.id}}","clientSecret":"{{oidc.client.secret}}","scope":"openid","groupsClaim":"","style":"","defaultGroup":""}]}'
-  # This configuration defines custom OpenID Connect (OIDC) providers for authentication.
-  # In this case, it sets up a Keycloak provider with details like URLs for authorization,
-  # token retrieval, user info, and logout, as well as the client ID and secret.
-
- name: Set prevent_create_email_exists to 1
-  command: 'docker exec -u www-data {{nextcloud_application_container_name}} /var/www/html/occ config:app:set sociallogin prevent_create_email_exists --value="1"'
-  # This configuration prevents the creation of new Nextcloud users if an account with the
-  # same email address already exists in the system. It helps avoid duplicate accounts.
--- a/roles/docker-nextcloud/tasks/sociallogin.yml
+++ b/roles/docker-nextcloud/tasks/sociallogin.yml
@@ -0,0 +1,27 @@
+# @See https://chatgpt.com/share/6798189e-9c00-800f-923c-5ce3cfbdf405
+
+- name: Flush all handlers immediately so that occ can be used
+  meta: flush_handlers
+
+- name: enable oidc_login plugin
+  command: "docker exec -u www-data {{nextcloud_application_container_name}} {{nextcloud_docker_path}}occ app:disable oidc_login"
+  ignore_errors: true
+  when: 
+    - mode_cleanup | bool  
+
+- name: install sociallogin plugin
+  command: "docker exec -u www-data {{nextcloud_application_container_name}} {{nextcloud_docker_path}}occ app:install sociallogin"
+  ignore_errors: true
+
+- name: enable sociallogin plugin
+  command: "docker exec -u www-data {{nextcloud_application_container_name}} {{nextcloud_docker_path}}occ app:enable sociallogin"
+
+- name: Load Sociallogin configuration variables
+  include_vars:
+    file: sociallogin.yml
+
+- name: Configure Sociallogin
+  loop: "{{ nextcloud_sociallogin_configuration}}"
+  command: >
+    docker exec -u www-data {{ nextcloud_application_container_name }}
+    php occ config:app:set {{ item.appid }} {{ item.configkey }} --value "{{ item.configvalue }}"