feat(nextcloud): integrate Talk & Whiteboard; refactor to NEXTCLOUD_* vars; full-stack setup

config(ports): add Nextcloud websocket port (4003); canonical domains (nextcloud/talk/whiteboard)

refactor: unify get_app_conf usage & Jinja spacing; migrate paths/handlers to new NEXTCLOUD_* vars

feat(plugins): split plugin routines; configure Whiteboard via occ (URL + JWT)

fix(oidc): use NEXTCLOUD_URL for logout; correct LDAP attribute mappings; add OIDC flavor switch

feat: Whiteboard container & reverse-proxy location; Talk STUN/WS ports; Redis URL for Whiteboard

chore: drop obsolete TODO; minor cleanups in oauth2-proxy, matrix, peertube, pgadmin, phpldapadmin, pixelfed, phpmyadmin

security(schema): Bluesky jwt_secret now base64_prefixed_32; add Nextcloud whiteboard_jwt_secret

db: normalize postgres image tag templating; central DB host checks spacing fixes

ops: add full-stack bootstrap (certs, proxy, volumes); internal nginx config reload handler update

refs: https://chatgpt.com/share/68b5f5b7-8d64-800f-b001-1241f818dc0e

roles/web-app-nextcloud/tasks/01_fullstack.yml

@@ -0,0 +1,37 @@
+- name: "include role for {{ application_id }} to receive certs & do modification routines for '{{ domain }}:{{ port }}'"
+  include_role:
+    name: sys-util-csp-cert
+
+- name: create nextcloud proxy configuration file
+  template: 
+    src:    "nginx/host.conf.j2" 
+    dest:   "{{ NEXTCLOUD_HOST_NGINX_PATH }}"
+  notify: restart openresty
+
+- name: "load docker and db for {{ application_id }}"
+  include_role: 
+    name: sys-stk-back-stateful
+  vars:
+    docker_compose_flush_handlers: false
+
+- name: "create {{ NEXTCLOUD_HOST_CONF_ADD_PATH }}"
+  file:
+    path: "{{ NEXTCLOUD_HOST_CONF_ADD_PATH }}"
+    state: directory
+    mode: "0755"
+
+- name: "Create config files at {{ NEXTCLOUD_HOST_CONF_ADD_PATH }}"
+  template:
+    src:    "{{ item }}"
+    dest:   "{{ NEXTCLOUD_HOST_CONF_ADD_PATH }}/{{ item | basename | regex_replace('\\.j2$', '') }}"
+    owner:  "{{ NEXTCLOUD_DOCKER_USER_id }}"
+    group:  "{{ NEXTCLOUD_DOCKER_USER_id }}"
+  loop:     "{{ lookup('fileglob', role_path ~ '/templates/config/*.j2', wantlist=True) }}"
+  # Not all type of changes take instantly place. Due to this reason a rebuild is required.
+  notify: docker compose up
+
+- name: create internal nextcloud nginx configuration
+  template: 
+    src:  "nginx/docker.conf.j2" 
+    dest: "{{ [docker_compose.directories.volumes, 'nginx.conf'] | path_join }}"
+  notify: restart nextcloud nginx service

roles/web-app-nextcloud/tasks/02_config.yml

@@ -3,7 +3,7 @@
     - name: Add dynamic config merging from Jinja template
       template:
         src: include.php.j2
-        dest: "{{ nextcloud_host_include_instructions_file }}"
+        dest: "{{ NEXTCLOUD_HOST_INCL_PATH }}"
       notify: docker compose restart
 
     - name: Flush handlers so Nextcloud container is restarted and ready
@@ -19,11 +19,11 @@
 
     - name: Copy include instructions to the container
       command: >
-        docker cp {{ nextcloud_host_include_instructions_file }} {{ NEXTCLOUD_CONTAINER }}:{{ nextcloud_docker_include_instructions_file }}
+        docker cp {{ NEXTCLOUD_HOST_INCL_PATH }} {{ NEXTCLOUD_CONTAINER }}:{{ NEXTCLOUD_DOCKER_INCL_PATH }}
 
     - name: Append generated config to config.php only if not present
       command: >
         docker exec -u {{ NEXTCLOUD_DOCKER_USER }} {{ NEXTCLOUD_CONTAINER }} sh -c "
-          grep -q '{{ nextcloud_docker_config_additives_directory }}' {{ nextcloud_docker_config_file }} || 
-          cat {{ nextcloud_docker_include_instructions_file }} >> {{ nextcloud_docker_config_file }}"
+          grep -q '{{ NEXTCLOUD_DOCKER_CONF_ADD_PATH }}' {{ NEXTCLOUD_DOCKER_CONFIG_FILE }} || 
+          cat {{ NEXTCLOUD_DOCKER_INCL_PATH }} >> {{ NEXTCLOUD_DOCKER_CONFIG_FILE }}"
       notify: docker compose restart

roles/web-app-nextcloud/tasks/04_admin.yml

@@ -1,7 +1,7 @@
 - name: Ensure Nextcloud administrator is in the 'admin' group
   command: >
     docker exec -u {{ NEXTCLOUD_DOCKER_USER }} {{ NEXTCLOUD_CONTAINER }}
-    php occ group:adduser admin {{ nextcloud_administrator_username }}
+    php occ group:adduser admin {{ NEXTCLOUD_ADMINISTRATOR_USERNAME }}
   register: add_admin_to_group
   changed_when: "not ASYNC_ENABLED and 'Added user' in (add_admin_to_group.stdout | default(''))"
   failed_when: >

roles/web-app-nextcloud/tasks/06_setup_plugin.yml

@@ -1,5 +1,5 @@
 - block:
-    - include_tasks: 06_plugin_routines.yml
+    - include_tasks: _plugin_a_routines.yml
   when: plugin_value.enabled | bool
 
 - name: disable {{ plugin_key }} nextcloud plugin

roles/web-app-nextcloud/tasks/_plugin_a_routines.yml

@@ -35,9 +35,12 @@
     and
     ("already installed" not in install_result.stdout)
 
-- include_tasks: 07_plugin_enable_and_configure.yml
+- include_tasks: _plugin_b_enable_and_configure.yml
   when:
     - install_result is defined 
     - >
       install_result.rc == 0
-      or "already installed" in install_result.stdout
+      or "already installed" in install_result.stdout
+  vars:
+    plugin_task_path: "{{ NEXTCLOUD_CNODE_PLUGIN_TASKS_PATH }}{{ plugin_key }}.yml"
+    plugin_vars_path: "{{ NEXTCLOUD_CNODE_PLUGIN_VARS_PATH }}{{ plugin_key }}.yml"

roles/web-app-nextcloud/tasks/_plugin_b_enable_and_configure.yml

@@ -3,16 +3,16 @@
   register: enable_result
   changed_when: enable_result.rc == 0 and ("already enabled" not in enable_result.stdout)
 
-- name: Check if {{ nextcloud_control_node_plugin_vars_directory }}{{ plugin_key }}.yml exists
+- name: Check if {{ plugin_vars_path }} exists
   stat:
-    path: "{{ nextcloud_control_node_plugin_vars_directory }}{{ plugin_key }}.yml"
+    path: "{{ plugin_vars_path }}"
   delegate_to: localhost
   become: false
   register: plugin_vars_file
 
 - name: "Load {{ plugin_key }} configuration variables"
   include_vars:
-    file: "{{ nextcloud_control_node_plugin_vars_directory }}{{ plugin_key }}.yml"
+    file: "{{ plugin_vars_path }}"
   when: plugin_vars_file.stat.exists
 
 - name: "Set plugin configuration (batched shell, no async)"
@@ -35,13 +35,13 @@
   async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
   poll:  "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
 
-- name: Check if {{ nextcloud_control_node_plugin_tasks_directory }}{{ plugin_key }}.yml exists
+- name: Check if {{ plugin_task_path }} exists
   stat:
-    path: "{{ nextcloud_control_node_plugin_tasks_directory }}{{ plugin_key }}.yml"
+    path: "{{ plugin_task_path }}"
   delegate_to: localhost
   become: false
   register: plugin_tasks_file
 
-- name: "include {{ nextcloud_control_node_plugin_tasks_directory }}{{ plugin_key }}.yml"
-  include_tasks: "{{ nextcloud_control_node_plugin_tasks_directory }}{{ plugin_key }}.yml"
+- name: "include {{ plugin_task_path }}"
+  include_tasks: "{{ plugin_task_path }}"
   when: plugin_tasks_file.stat.exists

roles/web-app-nextcloud/tasks/main.yml

@@ -1,75 +1,39 @@
 ---
-- name: "Install Collabora Dependency"
-  include_role:
-    name: web-svc-collabora
-  vars:
-    flush_handlers: true
-  when:    
-    - run_once_web_svc_collabora is not defined
-    - NEXTCLOUD_COLLABORA_ENABLED | bool
-
-- name: "include role for {{ application_id }} to receive certs & do modification routines"
-  include_role:
-    name: sys-util-csp-cert
-
-- name: create nextcloud proxy configuration file
-  template: 
-    src:  "nginx/host.conf.j2" 
-    dest: "{{ nextcloud_host_nginx_path }}"
-  notify: restart openresty
-
-- name: "load docker and db for {{ application_id }}"
+- name: "load docker, db and proxy for {{ application_id }}"
   include_role: 
-    name: sys-stk-back-stateful
+    name: sys-stk-full-stateful
   vars:
-    docker_compose_flush_handlers: false
 
-- name: "create {{ nextcloud_host_config_additives_directory }}"
-  file:
-    path: "{{ nextcloud_host_config_additives_directory }}"
-    state: directory
-    mode: "0755"
-
-- name: "Create config files at {{ nextcloud_host_config_additives_directory }}"
-  template:
-    src:    "{{ item }}"
-    dest:   "{{ nextcloud_host_config_additives_directory }}/{{ item | basename | regex_replace('\\.j2$', '') }}"
-    owner:  "{{ NEXTCLOUD_DOCKER_USER_id }}"
-    group:  "{{ NEXTCLOUD_DOCKER_USER_id }}"
-  loop:     "{{ lookup('fileglob', role_path ~ '/templates/config/*.j2', wantlist=True) }}"
-  # Not all type of changes take instantly place. Due to this reason a rebuild is required.
-  notify: docker compose up
-
-- name: create internal nextcloud nginx configuration
-  template: 
-    src:  "nginx/docker.conf.j2" 
-    dest: "{{ docker_compose.directories.volumes }}nginx.conf"
-  notify: restart nextcloud nginx service
+- name: Setup the full docker stack
+  include_tasks: 01_fullstack.yml
+  vars:
+    domain:     "{{ NEXTCLOUD_DOMAIN }}"
+    http_port:  "{{ NEXTCLOUD_PORT }}"
 
 - name: Setup config.php 
-  include_tasks: 01_config.yml
+  include_tasks: 02_config.yml
 
 - name: Flush all handlers immediately so that occ can be used
   meta: flush_handlers
 
 - name: Update\Upgrade Nextcloud
-  include_tasks: 02_upgrade.yml
+  include_tasks: 03_upgrade.yml
   when: MODE_UPDATE | bool
 
 - name: Load system configuration steps
   include_tasks: "{{ item }}"
   loop:
-    - 03_admin.yml
-    - 04_system_config.yml
+    - 04_admin.yml
+    - 05_system_config.yml
 
 - name: Setup Nextcloud Plugins
-  include_tasks: 05_plugin.yml
-  loop: "{{ applications | get_app_conf(application_id, 'plugins', True) | dict2items }}"
+  include_tasks: 06_setup_plugin.yml
+  loop: "{{ NEXTCLOUD_PLUGIN_ITEMS }}"
   loop_control:
     loop_var: plugin_item
   vars:
     plugin_key:   "{{ plugin_item.key }}"
     plugin_value: "{{ plugin_item.value }}"
-  when: nextcloud_plugins_enabled
+  when: NEXTCLOUD_PLUGINS_ENABLED
 
 

roles/web-app-nextcloud/tasks/plugins/richdocuments.yml

@@ -0,0 +1,7 @@
+- name: "Install Collabora Dependency"
+  include_role:
+    name: web-svc-collabora
+  vars:
+    flush_handlers: true
+  when:    
+    - run_once_web_svc_collabora is not defined

roles/web-app-nextcloud/tasks/plugins/whiteboard.yml

@@ -0,0 +1,9 @@
+- name: Set Whiteboard Configuration
+  ansible.builtin.shell: >
+    {{ NEXTCLOUD_DOCKER_EXEC_OCC }} config:app:set whiteboard collabBackendUrl --value='{{ NEXTCLOUD_WHITEBOARD_URL }}'
+    && {{ NEXTCLOUD_DOCKER_EXEC_OCC }} config:app:set whiteboard jwt_secret_key --value='{{ NEXTCLOUD_WHITEBOARD_JWT }}'
+  args:
+    executable: /bin/bash
+  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
+  poll:  "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
+  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"