Optimized OIDC Login for Nextcloud

2025-08-29 15:06:26 +02:00 · 2025-02-25 19:35:48 +01:00
parent 9a9bae4f2c
commit 72b787814e
16 changed files with 181 additions and 75 deletions
--- a/roles/docker-nextcloud/vars/ldap.yml
+++ b/roles/docker-nextcloud/vars/ldap.yml
@@ -24,11 +24,6 @@ nextcloud_ldap_configuration:
    configkey: "s01last_jpegPhoto_lookup"
    configvalue: 0

-  -
-    appid: "user_ldap"
-    configkey: "s01ldap_agent_password"
-    configvalue: "{{ldap.bind_credential}}"
-
  -
    appid: "user_ldap"
    configkey: "s01ldap_backup_port"
@@ -42,12 +37,12 @@ nextcloud_ldap_configuration:
  -
    appid: "user_ldap"
    configkey: "s01ldap_base_groups"
-    configvalue: "{{ldap.dn.groups}}"
+    configvalue: "{{ldap.dn.root}}"

  -
    appid: "user_ldap"
    configkey: "s01ldap_base_users"
-    configvalue: "{{ldap.dn.users}}"
+    configvalue: "{{ldap.dn.root}}}"

  -
    appid: "user_ldap"
--- a/roles/docker-nextcloud/vars/main.yml
+++ b/roles/docker-nextcloud/vars/main.yml
@@ -1,9 +1,12 @@
 ---
-application_id:                       "nextcloud"
-database_password:  	                "{{applications.nextcloud.credentials.database_password}}"
-database_type:                        "mariadb"
-nextcloud_application_container_name: "nextcloud-application"
-nextcloud_nginx_container_name:       "nextcloud-web"
-nextcloud_config_file_path:           "/var/lib/docker/volumes/nextcloud_data/_data/config/config.php"
-domain:                               "{{domains[application_id]}}"
-http_port:                            "{{ ports.localhost.http[application_id] }}"
+application_id:                           "nextcloud"
+database_password:  	                    "{{applications.nextcloud.credentials.database_password}}"
+database_type:                            "mariadb"
+nextcloud_application_container_name:     "nextcloud-application"
+nextcloud_nginx_container_name:           "nextcloud-web"
+nextcloud_config_file_host_path:          "/var/lib/docker/volumes/nextcloud_data/_data/config/config.php"
+domain:                                   "{{domains[application_id]}}"
+http_port:                                "{{ ports.localhost.http[application_id] }}"
+nextcloud_docker_path:                    "/var/www/html/"
+nextcloud_docker_oidc_login_config_path:  "{{nextcloud_docker_path}}config/oidc.config.php"
+nextcloud_host_oidc_login_path:           "{{docker_compose.directories.volumes}}/oidc.config.php"
--- a/roles/docker-nextcloud/vars/sociallogin.yml
+++ b/roles/docker-nextcloud/vars/sociallogin.yml
@@ -0,0 +1,72 @@
+nextcloud_sociallogin_configuration:
+  -
+    appid: "sociallogin"
+    # This configuration allows users to connect multiple accounts to their Nextcloud profile
+    # using the sociallogin app.
+    configkey: "allow_login_connect"
+    configvalue: 1
+  -
+    appid: "sociallogin"
+    configkey: "auto_create_groups"
+    configvalue: ""
+  -
+    appid: "sociallogin"
+    configkey: "button_text_wo_prefix"
+    configvalue: ""
+  -
+    appid: "sociallogin"
+    configkey: "create_disabled_users"
+    configvalue: ""
+  -
+    appid: "sociallogin"
+    # This configuration defines custom OpenID Connect (OIDC) providers for authentication.
+    # In this case, it sets up a Keycloak provider with details like URLs for authorization,
+    # token retrieval, user info, and logout, as well as the client ID and secret.
+    configkey: "custom_providers"
+    configvalue: '{"custom_oidc":[{"name":"{{domains.keycloak}}","title":"keycloak","style":"keycloak","authorizeUrl":"{{oidc.client.authorize_url}}","tokenUrl":"{{oidc.client.toke_url}}","displayNameClaim":"","userInfoUrl":"{{oidc.client.user_info_url}}","logoutUrl":"{{oidc.client.logout_url}}","clientId":"{{oidc.client.id}}","clientSecret":"{{oidc.client.secret}}","scope":"openid","groupsClaim":"","style":"","defaultGroup":""}]}'
+  -
+    appid: "sociallogin"
+    configkey: "disable_notify_admins"
+    configvalue: ""
+  -
+    appid: "sociallogin"
+    configkey: "disable_registration"
+    configvalue: ""
+  -
+    appid: "sociallogin"
+    configkey: "enabled"
+    configvalue: "yes"
+  -
+    appid: "sociallogin"
+    configkey: "hide_default_login"
+    configvalue: ""
+  -
+    appid: "sociallogin"
+    configkey: "no_prune_user_groups"
+    configvalue: ""
+  -
+    appid: "sociallogin"
+    configkey: "oauth_providers"
+    configvalue: "null"
+  -
+    appid: "sociallogin"
+    # This configuration prevents the creation of new Nextcloud users if an account with the
+    # same email address already exists in the system. It helps avoid duplicate accounts.
+    configkey: "prevent_create_email_exists"
+    configvalue: 1
+  -
+    appid: "sociallogin"
+    configkey: "restrict_users_wo_assigned_groups"
+    configvalue: ""
+  -
+    appid: "sociallogin"
+    configkey: "restrict_users_wo_mapped_groups"
+    configvalue: ""
+  -
+    appid: "sociallogin"
+    configkey: "types"
+    configvalue: ""
+  -
+    appid: "sociallogin"
+    configkey: "update_profile_on_login"
+    configvalue: 1