feat(nextcloud): integrate Talk & Whiteboard; refactor to NEXTCLOUD_* vars; full-stack setup

config(ports): add Nextcloud websocket port (4003); canonical domains (nextcloud/talk/whiteboard)

refactor: unify get_app_conf usage & Jinja spacing; migrate paths/handlers to new NEXTCLOUD_* vars

feat(plugins): split plugin routines; configure Whiteboard via occ (URL + JWT)

fix(oidc): use NEXTCLOUD_URL for logout; correct LDAP attribute mappings; add OIDC flavor switch

feat: Whiteboard container & reverse-proxy location; Talk STUN/WS ports; Redis URL for Whiteboard

chore: drop obsolete TODO; minor cleanups in oauth2-proxy, matrix, peertube, pgadmin, phpldapadmin, pixelfed, phpmyadmin

security(schema): Bluesky jwt_secret now base64_prefixed_32; add Nextcloud whiteboard_jwt_secret

db: normalize postgres image tag templating; central DB host checks spacing fixes

ops: add full-stack bootstrap (certs, proxy, volumes); internal nginx config reload handler update

refs: https://chatgpt.com/share/68b5f5b7-8d64-800f-b001-1241f818dc0e

roles/web-app-nextcloud/templates/config/oidc.config.php.j2

@@ -1,7 +1,7 @@
 <?php
 # Implementing OICD configuration
 
-{% if applications | get_app_conf(application_id, 'oidc.flavor', True) == "oidc_login" %}
+{% if applications | get_app_conf(application_id, 'oidc.flavor') == "oidc_login" %}
 
 # Check out: https://github.com/pulsejet/nextcloud-oidc-login
 
@@ -21,7 +21,7 @@ return array (
     'oidc_login_auto_redirect' => true,
 
     // Redirect to this page after logging out the user
-    'oidc_login_logout_url' => 'https://{{ domains | get_domain(application_id) }}',
+    'oidc_login_logout_url' => '{{ NEXTCLOUD_URL }}',
 
     // If set to true the user will be redirected to the
     // logout endpoint of the OIDC provider after logout
@@ -33,7 +33,7 @@ return array (
     //
     // NOTE: If you want to allow NextCloud to manage quotas, omit this option. Do not set it to
     // zero or -1 or ''.
-    'oidc_login_default_quota' => '{{applications | get_app_conf(application_id, 'default_quota', True)}}',
+    'oidc_login_default_quota' => '{{ applications | get_app_conf(application_id, 'default_quota', True)}}',
 
     // Login button text
     'oidc_login_button_text' => '{{ OIDC.BUTTON_TEXT }}',
@@ -97,7 +97,7 @@ return array (
     // note: on Keycloak, OIDC name claim = "${given_name} ${family_name}" or one of them if any is missing
     //
     'oidc_login_attributes' => array (
-        'id' => '{{LDAP.USER.ATTRIBUTES.ID}}',
+        'id' => '{{ LDAP.USER.ATTRIBUTES.ID }}',
         'name' => 'name',
         'mail' => 'email',
         'quota' => '{{ LDAP.USER.ATTRIBUTES.NEXTCLOUD_QUOTA }}',

roles/web-app-nextcloud/templates/docker-compose.yml.j2

@@ -1,11 +1,11 @@
 {% include 'roles/docker-compose/templates/base.yml.j2' %}
 
   application:
-    image: "{{ nextcloud_image }}:{{ nextcloud_version }}"
+    image: "{{ NEXTCLOUD_IMAGE }}:{{ NEXTCLOUD_VERSION }}"
     container_name: {{ NEXTCLOUD_CONTAINER }}
     volumes:
       - data:{{ NEXTCLOUD_DOCKER_WORK_DIRECTORY }}
-      - {{ nextcloud_host_config_additives_directory }}:{{ nextcloud_docker_config_additives_directory }}:ro
+      - {{ NEXTCLOUD_HOST_CONF_ADD_PATH }}:{{ NEXTCLOUD_DOCKER_CONF_ADD_PATH }}:ro
     healthcheck:
       test: ["CMD", "su", "www-data", "-s", "/bin/sh", "-c", "php {{ NEXTCLOUD_DOCKER_WORK_DIRECTORY }}occ status"]
       interval: 1m
@@ -16,25 +16,36 @@
 {% include 'roles/docker-container/templates/networks.yml.j2' %}
         ipv4_address: 192.168.102.69
 
-{% if nextcloud_talk_enabled %}
+{% if NEXTCLOUD_TALK_ENABLED %}
   talk:
     {% include 'roles/docker-container/templates/base.yml.j2' %}
-    image: "{{ nextcloud_talk_image }}:{{ nextcloud_talk_version }}"
-    container_name: {{ nextcloud_talk_name }}
-    hostname: hpb_yt
+    image: "{{ NEXTCLOUD_TALK_IMAGE }}:{{ NEXTCLOUD_TALK_VERSION }}"
+    container_name: {{ NEXTCLOUD_TALK_CONTAINER }}
     init: true
     ports:
-      - {{ networks.internet.ip4 }}:{{ nextcloud_talk_stun_port }}:3478/tcp #TURN TCP
-      - {{ networks.internet.ip4 }}:{{ nextcloud_talk_stun_port }}:3478/udp #TURN UDP
-      - {{ networks.internet.ip4 }}:8181:8081/tcp                           #Signaling @todo needs to be optimized
+      - {{ networks.internet.ip4 }}:{{ NEXTCLOUD_TALK_STUN_PORT }}:3478/tcp #TURN TCP
+      - {{ networks.internet.ip4 }}:{{ NEXTCLOUD_TALK_STUN_PORT }}:3478/udp #TURN UDP
+      - {{ networks.internet.ip4 }}:{{ NEXTCLOUD_TALK_WS_PORT }}:8081/tcp
     networks:
       default:
         ipv4_address: 192.168.102.68
 {% endif %}
 
+{% if NEXTCLOUD_WHITEBOARD_ENABLED %}
+  whiteboard:
+    {% include 'roles/docker-container/templates/base.yml.j2' %}
+    image: "{{ NEXTCLOUD_WHITEBOARD_IMAGE }}:{{ NEXTCLOUD_WHITEBOARD_VERSION }}"
+    container_name: {{ NEXTCLOUD_WHITEBOARD_CONTAINER }}
+    expose:
+      - "{{ NEXTCLOUD_WHITEBOARD_INTERNAL_PORT }}"
+    networks:
+      default:
+        ipv4_address: 192.168.102.71
+{% endif %}
+
   proxy:
-    image: "{{ nextcloud_proxy_image }}:{{ nextcloud_proxy_version }}"
-    container_name: "{{ nextcloud_proxy_name }}"
+    image: "{{ NEXTCLOUD_PROXY_IMAGE }}:{{ NEXTCLOUD_PROXY_VERSION }}"
+    container_name: "{{ NEXTCLOUD_PROXY_CONTAINER }}"
     logging:
       driver: journald
     restart: {{ DOCKER_RESTART_POLICY }}
@@ -51,8 +62,8 @@
         ipv4_address: 192.168.102.67
 
   cron:
-    container_name: "{{ nextcloud_cron_name }}"
-    image: "{{ nextcloud_image }}:{{ nextcloud_version }}"
+    container_name: "{{ NEXTCLOUD_CRON_CONTAINER }}"
+    image: "{{ NEXTCLOUD_IMAGE }}:{{ NEXTCLOUD_VERSION }}"
     restart: {{ DOCKER_RESTART_POLICY }}
     logging:
       driver: journald
@@ -70,6 +81,6 @@
 
 {% include 'roles/docker-compose/templates/volumes.yml.j2' %}
   data:
-    name: {{ nextcloud_volume }}
+    name: {{ NEXTCLOUD_VOLUME }}
 
 {% include 'roles/docker-compose/templates/networks.yml.j2' %}

roles/web-app-nextcloud/templates/env.j2

@@ -8,9 +8,9 @@ MYSQL_PASSWORD=                 "{{ database_password }}"
 MYSQL_HOST=                     "{{ database_host }}:{{ database_port }}"
       
 # PHP
-PHP_MEMORY_LIMIT=               "{{applications | get_app_conf(application_id, 'performance.php.memory_limit')}}"
-PHP_UPLOAD_LIMIT=               "{{applications | get_app_conf(application_id, 'performance.php.upload_limit')}}"
-PHP_OPCACHE_MEMORY_CONSUMPTION= "{{applications | get_app_conf(application_id, 'performance.php.opcache_memory_consumption')}}"
+PHP_MEMORY_LIMIT=               "{{ applications | get_app_conf(application_id, 'performance.php.memory_limit') }}"
+PHP_UPLOAD_LIMIT=               "{{ applications | get_app_conf(application_id, 'performance.php.upload_limit') }}"
+PHP_OPCACHE_MEMORY_CONSUMPTION= "{{ applications | get_app_conf(application_id, 'performance.php.opcache_memory_consumption') }}"
       
 # Email Configuration
 SMTP_HOST=                      {{ SYSTEM_EMAIL.HOST }}
@@ -24,30 +24,38 @@ MAIL_FROM_ADDRESS=              "{{ users['no-reply'].username }}"
 MAIL_DOMAIN=                    "{{ SYSTEM_EMAIL.DOMAIN }}"
 
 # Initial Admin Data
-NEXTCLOUD_ADMIN_USER=           "{{applications | get_app_conf(application_id, 'users.administrator.username')}}"
-NEXTCLOUD_ADMIN_PASSWORD=       "{{applications | get_app_conf(application_id, 'credentials.administrator_password')}}"
+NEXTCLOUD_ADMIN_USER=           "{{ NEXTCLOUD_ADMINISTRATOR_USER }}"
+NEXTCLOUD_ADMIN_PASSWORD=       "{{ NEXTCLOUD_ADMINISTRATOR_PASSWORD }}"
 
 # Security
 
-NEXTCLOUD_TRUSTED_DOMAINS=      "{{ domains[application_id] | select | join(',') }}"
+NEXTCLOUD_TRUSTED_DOMAINS=      "{{ NEXTCLOUD_DOMAIN }}"
 # Whitelist local docker gateway in Nextcloud to prevent brute-force throtteling
 TRUSTED_PROXIES=                "{{ networks.internet.values() | select | join(',') }}"
-OVERWRITECLIURL=                "{{ domains | get_url(application_id, WEB_PROTOCOL) }}"
-OVERWRITEPROTOCOL=              "https"
+OVERWRITECLIURL=                "{{ NEXTCLOUD_URL }}"
+OVERWRITEPROTOCOL=              "{{ WEB_PROTOCOL }}"
 
 # Redis Configuration
 REDIS_HOST=                     redis
 REDIS_PORT=                     6379
 
-{% if nextcloud_talk_enabled %}
+{% if NEXTCLOUD_TALK_ENABLED %}
 # Talk Configuration
 # This code was just moved here during refactoring and isn't tested yet.
 # @todo move it to an own env file for encapsulation reasons
-NC_DOMAIN=cloud.yourdomain.tld
-TALK_HOST=signaling.yourdomain.tld
+NC_DOMAIN={{ NEXTCLOUD_DOMAIN }}
+TALK_HOST={{ NEXTCLOUD_TALK_DOMAIN }}
 TURN_SECRET=${TURN_SECRET}
 SIGNALING_SECRET=${SIGNALING_SECRET}
 TZ=Europe/Berlin
 TALK_PORT=3478
 INTERNAL_SECRET=${INTERNAL_SECRET}
+{% endif %}
+
+{% if NEXTCLOUD_WHITEBOARD_ENABLED %}
+# @todo move it to an own env file for encapsuling reasons
+NEXTCLOUD_URL=                  "{{ NEXTCLOUD_URL }}"
+JWT_SECRET_KEY=                 "{{ NEXTCLOUD_WHITEBOARD_JWT }}"
+STORAGE_STRATEGY=redis
+REDIS_URL=redis://redis:6379/0
 {% endif %}

roles/web-app-nextcloud/templates/include.php.j2

@@ -3,7 +3,7 @@
 
 $CONFIG_EXTRA = [];
 
-foreach (glob("{% endraw %}{{ nextcloud_docker_config_additives_directory }}{% raw %}*.php") as $file) {
+foreach (glob("{% endraw %}{{ NEXTCLOUD_DOCKER_CONF_ADD_PATH }}{% raw %}*.php") as $file) {
     $CONFIG_EXTRA = array_merge($CONFIG_EXTRA, include $file);
 }
 

roles/web-app-nextcloud/templates/nginx/docker.conf.j2

@@ -179,5 +179,15 @@ http {
         location / {
             try_files $uri $uri/ /index.php$request_uri;
         }
+
+        location {{ NEXTCLOUD_WHITEBOARD_LOCATION }} {
+            proxy_pass         http://whiteboard:{{ NEXTCLOUD_WHITEBOARD_INTERNAL_PORT }}/;
+            proxy_http_version 1.1;
+            proxy_set_header   Host              $host;
+            proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
+            proxy_set_header   Upgrade           $http_upgrade;
+            proxy_set_header   Connection        "upgrade";
+            proxy_read_timeout 3600;
+        }
     }
 }