Optimized OIDC Login for Nextcloud

group_vars/all/01_modes.yml

@@ -5,4 +5,4 @@ mode_reset:   false # Cleans up all CyMaIS files. It's necessary to run to whole
 mode_test:    false # Executes test routines instead of productive routines
 mode_update:  true  # Executes updates
 mode_backup:  true  # Activates the backup before the update procedure
-mode_cleanup: false # Cleanup unused files and configurations
+mode_cleanup: true  # Cleanup unused files and configurations

group_vars/all/07_applications.yml

@@ -245,11 +245,11 @@ defaults_applications:
   nextcloud:
     version:                "production"                          # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/
     ldap:
-      enabled:              True                                  # Enables LDAP by default, missing ansible setup tasks @todo setup
+      enabled:              True                                  # Enables LDAP by default
     oidc:
       enabled:              true                                  # Activate OIDC for Nextcloud
       # floavor decides which OICD plugin should be used. 
-      # Available options: login, sociallogin
+      # Available options: oidc_login, sociallogin
       # @see https://apps.nextcloud.com/apps/oidc_login
       # @see https://apps.nextcloud.com/apps/sociallogin
       flavor:               "sociallogin"                         # Keeping on sociallogin because the other option is not implemented yet                                             
@@ -263,6 +263,8 @@ defaults_applications:
         username:           "{{users.administrator.username}}"
         initial_password:   "{{users.administrator.initial_password}}"
     default_quota:          '1000000000'                          # Quota to assign if no quota is specified in the OIDC response (bytes)
+    legacy_login_mask:   
+      enabled:              False                                 # If true, then legacy  login mask is shown. Otherwise just SSO 
       
   ## OAuth2 Proxy
   oauth2_proxy:

roles/docker-ldap/templates/ldif/schema/01_nextcloud.schema.ldif

@@ -1,7 +1,4 @@
 # nextcloud.schema
-# This schema is deactivated, because with keycloak it's impossible to set schemas to new created users
-# Until then the managament is done over keycloak
-# @todo activate in ldap 
 
 dn: cn=nextcloud,cn=schema,cn=config
 objectClass: olcSchemaConfig

roles/docker-nextcloud/tasks/config.yml

@@ -1,18 +1,18 @@
-- name: "Substitute http with https in {{ nextcloud_config_file_path }}"
+- name: "Substitute http with https in {{ nextcloud_config_file_host_path }}"
   replace:
-    path: "{{ nextcloud_config_file_path }}"
+    path: "{{ nextcloud_config_file_host_path }}"
     regexp: "http://{{ domain | regex_escape }}"
     replace: "https://{{ domain }}"
   notify:
     - docker compose restart
 
-#- name: Ensure 'overwriteprotocol' is set to 'https' in Nextcloud {{ nextcloud_config_file_path }}
+#- name: Ensure 'overwriteprotocol' is set to 'https' in Nextcloud {{ nextcloud_config_file_host_path }}
 #  block:
 #     Deactivated because it was really heavy to fix. 
 #     @todo implement
 #    - name: Check if 'overwriteprotocol' is already set
 #      lineinfile:
-#        path: "{{ nextcloud_config_file_path }}"
+#        path: "{{ nextcloud_config_file_host_path }}"
 #        regexp: "^\s*overwriteprotocol\s*=>\s*http"
 #        line: "overwriteprotocol => 'https',"
 #        backrefs: yes
@@ -22,7 +22,7 @@
 #
 #    - name: Add 'overwriteprotocol' => 'https' if not present
 #      lineinfile:
-#        path: "{{ nextcloud_config_file_path }}"
+#        path: "{{ nextcloud_config_file_host_path }}"
 #        regexp: "^\s*\);$"
 #        line: "overwriteprotocol => 'https',"
 #        insertafter: "^\s*\);$"

roles/docker-nextcloud/tasks/ldap.yml

@@ -2,6 +2,10 @@
 # @See https://chatgpt.com/c/67aa2d21-cb4c-800f-b1be-8629b6bd3f55
 # @todo implement
 
+- name: install LDAP plugin
+  command: "docker exec -u www-data {{nextcloud_application_container_name}} {{nextcloud_docker_path}}occ app:install user_ldap"
+  ignore_errors: true
+
 - name: Activate Nextcloud LDAP App
   command: "docker exec -u www-data {{ nextcloud_application_container_name }} php occ app:enable user_ldap"
 
@@ -14,3 +18,8 @@
   command: >
     docker exec -u www-data {{ nextcloud_application_container_name }}
     php occ config:app:set {{ item.appid }} {{ item.configkey }} --value "{{ item.configvalue }}"
+
+- name: Set Nextcloud LDAP bind password
+  command: >
+    docker exec -u www-data {{ nextcloud_application_container_name }}
+    php occ ldap:set-config s01 ldapAgentPassword "{{ ldap.bind_credential }}"

roles/docker-nextcloud/tasks/legacy_login_mask.yml

@@ -0,0 +1,5 @@
+- name: Set hide_login_form to true
+  command: "docker exec -u www-data {{nextcloud_application_container_name}} {{nextcloud_docker_path}}occ config:system:set --type boolean --value {{ (not applications[application_id].legacy_login_mask.enabled) | lower }} hide_login_form"
+
+- name: "Set auth.webauthn.enabled to false"
+  command: "docker exec -u www-data {{nextcloud_application_container_name}} {{nextcloud_docker_path}}occ config:system:set --type boolean --value {{applications[application_id].legacy_login_mask.enabled | lower}} auth.webauthn.enabled"

roles/docker-nextcloud/tasks/main.yml

@@ -3,6 +3,19 @@
   include_role: 
     name: docker-central-database
 
+- name: copy oidc.config.php
+  template: 
+    src: oidc.config.php.j2
+    dest: "{{nextcloud_host_oidc_login_path}}"
+    owner: 82 # User www-data in Nextcloud container
+    group: 82 # User www-data in Nextcloud container
+  when: applications[application_id].oidc.flavor == "oidc_login" 
+
+- name: Remove OIDC configuration lines from config.php if present (container)
+  command: >
+    docker exec -u www-data {{ nextcloud_application_container_name }} sh -c "sed -i '/CONFIG_EXTRA = include.*oidc\.config\.php/d' /var/www/html/config/config.php && sed -i '/CONFIG = array_merge(\\$CONFIG, \\$CONFIG_EXTRA)/d' /var/www/html/config/config.php"
+  when: applications[application_id].oidc.flavor == "sociallogin" and mode_cleanup | bool 
+
 - name: "include role for {{application_id}} to recieve certs & do modification routines"
   include_role:
     name: nginx-https-get-cert-modify-all
@@ -23,7 +36,7 @@
   include_tasks: copy-docker-compose-and-env.yml
 
 - name: "Include OIDC-specific tasks with flavor {{applications[application_id].oidc.flavor}}"
-  include_tasks: "oidc_{{applications[application_id].oidc.flavor}}.yml"
+  include_tasks: "{{applications[application_id].oidc.flavor}}.yml"
   when: applications[application_id].oidc.enabled | bool
 
 - name: Include LDAP specific tasks
@@ -31,4 +44,7 @@
   when: applications[application_id].ldap.enabled | bool
 
 - name: Include Config specific tasks
-  include_tasks: config.yml
+  include_tasks: config.yml
+
+- name: De\Activate legacy login mask
+  include_tasks: legacy_login_mask.yml

roles/docker-nextcloud/tasks/oidc_login

@@ -1 +0,0 @@
-# @todo implement this flavor

roles/docker-nextcloud/tasks/oidc_login.yml

@@ -0,0 +1,13 @@
+- name: enable sociallogin plugin
+  command: "docker exec -u www-data {{nextcloud_application_container_name}} {{nextcloud_docker_path}}occ app:disable sociallogin"
+  ignore_errors: true
+  when: 
+    - mode_cleanup | bool
+
+- name: install oidc_login plugin
+  command: "docker exec -u www-data {{nextcloud_application_container_name}} {{nextcloud_docker_path}}occ app:install oidc_login"
+  ignore_errors: true
+
+- name: Add OIDC configuration if not implemented yet
+  command: >
+    docker exec -u www-data {{ nextcloud_application_container_name }} sh -c 'grep -q "CONFIG_EXTRA = include" ./config/config.php || echo -e "\n\$CONFIG_EXTRA = include '\''{{nextcloud_docker_oidc_login_config_path}}'\'';\n\$CONFIG = array_merge(\$CONFIG, \$CONFIG_EXTRA);" >> ./config/config.php'

roles/docker-nextcloud/tasks/oidc_sociallogin.yml

@@ -1,36 +0,0 @@
-# @See https://chatgpt.com/share/6798189e-9c00-800f-923c-5ce3cfbdf405
-
-- name: Flush all handlers immediately so that occ can be used
-  meta: flush_handlers
-
-- name: Set hide_login_form to true
-  command: "docker exec -u www-data {{nextcloud_application_container_name}} /var/www/html/occ config:system:set --type boolean --value true hide_login_form"
-
-- name: "Set auth.webauthn.enabled to false"
-  command: "docker exec -u www-data {{nextcloud_application_container_name}} /var/www/html/occ config:system:set --type boolean --value false auth.webauthn.enabled"
-
-- name: Set allow_login_connect to 1
-  command: "docker exec -u www-data {{nextcloud_application_container_name}} /var/www/html/occ config:app:set sociallogin allow_login_connect --value='1'"
-  # This configuration allows users to connect multiple accounts to their Nextcloud profile
-  # using the sociallogin app.
-
-- name: install sociallogin plugin
-  command: "docker exec -u www-data {{nextcloud_application_container_name}} /var/www/html/occ app:install sociallogin"
-  ignore_errors: true
-
-- name: enable sociallogin plugin
-  command: "docker exec -u www-data {{nextcloud_application_container_name}} /var/www/html/occ app:enable sociallogin"
-
-- name: Set custom_providers
-  command: >
-    docker exec -u www-data {{nextcloud_application_container_name}} /var/www/html/occ
-    config:app:set sociallogin custom_providers
-    --value='{"custom_oidc":[{"name":"{{domains.keycloak}}","title":"keycloak","style":"keycloak","authorizeUrl":"{{oidc.client.authorize_url}}","tokenUrl":"{{oidc.client.toke_url}}","displayNameClaim":"","userInfoUrl":"{{oidc.client.user_info_url}}","logoutUrl":"{{oidc.client.logout_url}}","clientId":"{{oidc.client.id}}","clientSecret":"{{oidc.client.secret}}","scope":"openid","groupsClaim":"","style":"","defaultGroup":""}]}'
-  # This configuration defines custom OpenID Connect (OIDC) providers for authentication.
-  # In this case, it sets up a Keycloak provider with details like URLs for authorization,
-  # token retrieval, user info, and logout, as well as the client ID and secret.
-
-- name: Set prevent_create_email_exists to 1
-  command: 'docker exec -u www-data {{nextcloud_application_container_name}} /var/www/html/occ config:app:set sociallogin prevent_create_email_exists --value="1"'
-  # This configuration prevents the creation of new Nextcloud users if an account with the
-  # same email address already exists in the system. It helps avoid duplicate accounts.

roles/docker-nextcloud/tasks/sociallogin.yml

@@ -0,0 +1,27 @@
+# @See https://chatgpt.com/share/6798189e-9c00-800f-923c-5ce3cfbdf405
+
+- name: Flush all handlers immediately so that occ can be used
+  meta: flush_handlers
+
+- name: enable oidc_login plugin
+  command: "docker exec -u www-data {{nextcloud_application_container_name}} {{nextcloud_docker_path}}occ app:disable oidc_login"
+  ignore_errors: true
+  when: 
+    - mode_cleanup | bool  
+
+- name: install sociallogin plugin
+  command: "docker exec -u www-data {{nextcloud_application_container_name}} {{nextcloud_docker_path}}occ app:install sociallogin"
+  ignore_errors: true
+
+- name: enable sociallogin plugin
+  command: "docker exec -u www-data {{nextcloud_application_container_name}} {{nextcloud_docker_path}}occ app:enable sociallogin"
+
+- name: Load Sociallogin configuration variables
+  include_vars:
+    file: sociallogin.yml
+
+- name: Configure Sociallogin
+  loop: "{{ nextcloud_sociallogin_configuration}}"
+  command: >
+    docker exec -u www-data {{ nextcloud_application_container_name }}
+    php occ config:app:set {{ item.appid }} {{ item.configkey }} --value "{{ item.configvalue }}"

roles/docker-nextcloud/templates/docker-compose.yml.j2

@@ -6,11 +6,14 @@ services:
 
   application:
     image: "nextcloud:{{applications.nextcloud.version}}-fpm-alpine"
-    container_name: {{nextcloud_application_container_name}} 
+    container_name: {{nextcloud_application_container_name}}
     volumes:
-      - data:/var/www/html
+      - data:{{nextcloud_docker_path}}
+{% if applications[application_id].oidc.flavor == "login" %}
+      - {{nextcloud_host_oidc_login_path}}:{{nextcloud_docker_oidc_login_config_path}}:ro
+{% endif %}
     healthcheck:
-      test: ["CMD", "su", "www-data", "-s", "/bin/sh", "-c", "php /var/www/html/occ status"]
+      test: ["CMD", "su", "www-data", "-s", "/bin/sh", "-c", "php {{nextcloud_docker_path}}occ status"]
       interval: 1m
       timeout: 10s
       retries: 3
@@ -47,10 +50,10 @@ services:
     logging:
       driver: journald
     volumes:
-      - data:/var/www/html
+      - data:{{nextcloud_docker_path}}
     entrypoint: /cron.sh
     healthcheck:
-      test: ["CMD", "su", "www-data", "-s", "/bin/sh", "-c", "php /var/www/html/occ status"]
+      test: ["CMD", "su", "www-data", "-s", "/bin/sh", "-c", "php {{nextcloud_docker_path}}occ status"]
       interval: 1m
       timeout: 10s
       retries: 3

roles/docker-nextcloud/templates/oidc.config.php.j2

@@ -1,12 +1,13 @@
+<?php
 # Check out: https://github.com/pulsejet/nextcloud-oidc-login
 
-$CONFIG = array (
+return array (
     // Some Nextcloud options that might make sense here
     'allow_user_to_change_display_name' => false,
     'lost_password_link' => 'disabled',
 
     // URL of provider. All other URLs are auto-discovered from .well-known
-    'oidc_login_provider_url' => 'https://{{domains.keycloak}}',
+    'oidc_login_provider_url' => 'https://{{oidc.client.issuer_url}}',
 
     // Client ID and secret registered with the provider
     'oidc_login_client_id' => '{{oidc.client.id}}',
@@ -95,10 +96,10 @@ $CONFIG = array (
         'id' => 'username',
         'name' => 'name',
         'mail' => 'email',
-        'quota' => 'nextcloudQuota',
+        # 'quota' => 'nextcloudQuota',  # Not implemented yet
-        'home' => 'homeDirectory',
+        # 'home' => 'homeDirectory',    # Not implemented yet
         'ldap_uid' => 'uid',
-        'groups' => 'ownCloudGroups',
+        # 'groups' => 'ownCloudGroups', # Not implemented yet
         'login_filter' => 'realm_access_roles',
     //    'photoURL' => 'picture',
     //    'is_admin' => 'ownCloudAdmin',

roles/docker-nextcloud/vars/ldap.yml

@@ -24,11 +24,6 @@ nextcloud_ldap_configuration:
     configkey: "s01last_jpegPhoto_lookup"
     configvalue: 0
 
-  -
-    appid: "user_ldap"
-    configkey: "s01ldap_agent_password"
-    configvalue: "{{ldap.bind_credential}}"
-
   -
     appid: "user_ldap"
     configkey: "s01ldap_backup_port"
@@ -42,12 +37,12 @@ nextcloud_ldap_configuration:
   -
     appid: "user_ldap"
     configkey: "s01ldap_base_groups"
-    configvalue: "{{ldap.dn.groups}}"
+    configvalue: "{{ldap.dn.root}}"
 
   -
     appid: "user_ldap"
     configkey: "s01ldap_base_users"
-    configvalue: "{{ldap.dn.users}}"
+    configvalue: "{{ldap.dn.root}}}"
 
   -
     appid: "user_ldap"

roles/docker-nextcloud/vars/main.yml

@@ -1,9 +1,12 @@
 ---
-application_id:                       "nextcloud"
+application_id:                           "nextcloud"
-database_password:  	                "{{applications.nextcloud.credentials.database_password}}"
+database_password:  	                    "{{applications.nextcloud.credentials.database_password}}"
-database_type:                        "mariadb"
+database_type:                            "mariadb"
-nextcloud_application_container_name: "nextcloud-application"
+nextcloud_application_container_name:     "nextcloud-application"
-nextcloud_nginx_container_name:       "nextcloud-web"
+nextcloud_nginx_container_name:           "nextcloud-web"
-nextcloud_config_file_path:           "/var/lib/docker/volumes/nextcloud_data/_data/config/config.php"
+nextcloud_config_file_host_path:          "/var/lib/docker/volumes/nextcloud_data/_data/config/config.php"
-domain:                               "{{domains[application_id]}}"
+domain:                                   "{{domains[application_id]}}"
-http_port:                            "{{ ports.localhost.http[application_id] }}"
+http_port:                                "{{ ports.localhost.http[application_id] }}"
+nextcloud_docker_path:                    "/var/www/html/"
+nextcloud_docker_oidc_login_config_path:  "{{nextcloud_docker_path}}config/oidc.config.php"
+nextcloud_host_oidc_login_path:           "{{docker_compose.directories.volumes}}/oidc.config.php"

roles/docker-nextcloud/vars/sociallogin.yml

@@ -0,0 +1,72 @@
+nextcloud_sociallogin_configuration:
+  -
+    appid: "sociallogin"
+    # This configuration allows users to connect multiple accounts to their Nextcloud profile
+    # using the sociallogin app.
+    configkey: "allow_login_connect"
+    configvalue: 1
+  -
+    appid: "sociallogin"
+    configkey: "auto_create_groups"
+    configvalue: ""
+  -
+    appid: "sociallogin"
+    configkey: "button_text_wo_prefix"
+    configvalue: ""
+  -
+    appid: "sociallogin"
+    configkey: "create_disabled_users"
+    configvalue: ""
+  -
+    appid: "sociallogin"
+    # This configuration defines custom OpenID Connect (OIDC) providers for authentication.
+    # In this case, it sets up a Keycloak provider with details like URLs for authorization,
+    # token retrieval, user info, and logout, as well as the client ID and secret.
+    configkey: "custom_providers"
+    configvalue: '{"custom_oidc":[{"name":"{{domains.keycloak}}","title":"keycloak","style":"keycloak","authorizeUrl":"{{oidc.client.authorize_url}}","tokenUrl":"{{oidc.client.toke_url}}","displayNameClaim":"","userInfoUrl":"{{oidc.client.user_info_url}}","logoutUrl":"{{oidc.client.logout_url}}","clientId":"{{oidc.client.id}}","clientSecret":"{{oidc.client.secret}}","scope":"openid","groupsClaim":"","style":"","defaultGroup":""}]}'
+  -
+    appid: "sociallogin"
+    configkey: "disable_notify_admins"
+    configvalue: ""
+  -
+    appid: "sociallogin"
+    configkey: "disable_registration"
+    configvalue: ""
+  -
+    appid: "sociallogin"
+    configkey: "enabled"
+    configvalue: "yes"
+  -
+    appid: "sociallogin"
+    configkey: "hide_default_login"
+    configvalue: ""
+  -
+    appid: "sociallogin"
+    configkey: "no_prune_user_groups"
+    configvalue: ""
+  -
+    appid: "sociallogin"
+    configkey: "oauth_providers"
+    configvalue: "null"
+  -
+    appid: "sociallogin"
+    # This configuration prevents the creation of new Nextcloud users if an account with the
+    # same email address already exists in the system. It helps avoid duplicate accounts.
+    configkey: "prevent_create_email_exists"
+    configvalue: 1
+  -
+    appid: "sociallogin"
+    configkey: "restrict_users_wo_assigned_groups"
+    configvalue: ""
+  -
+    appid: "sociallogin"
+    configkey: "restrict_users_wo_mapped_groups"
+    configvalue: ""
+  -
+    appid: "sociallogin"
+    configkey: "types"
+    configvalue: ""
+  -
+    appid: "sociallogin"
+    configkey: "update_profile_on_login"
+    configvalue: 1