Added OIDC automation draft for nextcloud

2025-10-31 02:10:05 +00:00 · 2025-01-28 00:38:09 +01:00
parent 6f851973fa
commit 7e2966b02c
5 changed files with 46 additions and 4 deletions
--- a/group_vars/all
+++ b/group_vars/all
@@ -251,6 +251,10 @@ oidc_client_id:                   "{{primary_domain}}"
 oidc_client_realm:                "{{primary_domain}}"   
 oidc_client_issuer_url:           "https://{{domain_keycloak}}/realms/{{oidc_client_realm}}"
 oidc_client_discovery_document:   "{{oidc_client_issuer_url}}/.well-known/openid-configuration"
+oidc_client_authorize_url:        "https://auth.veen.world/realms/veen.world/protocol/openid-connect/auth"
+oidc_client_toke_url:             "https://auth.veen.world/realms/veen.world/protocol/openid-connect/token"
+oidc_client_user_info_url:        "https://auth.veen.world/realms/veen.world/protocol/openid-connect/userinfo"
+oidc_client_logout_url:           "https://auth.veen.world/realms/veen.world/protocol/openid-connect/logout"
 # oidc_client_secret:             "{{oidc_client_secret}}"  # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible

 #### LDAP
--- a/roles/docker-nextcloud/tasks/main.yml
+++ b/roles/docker-nextcloud/tasks/main.yml
@@ -22,3 +22,7 @@
    src:  docker-compose.yml.j2 
    dest: "{{docker_compose_instance_directory}}docker-compose.yml"
  notify: docker compose project setup
+
+#- name: Include OIDC-specific tasks if OIDC client is active
+#  include_tasks: oidc_tasks.yml
+#  when: oidc_client_active | bool
--- a/roles/docker-nextcloud/tasks/oidc_tasks.yml
+++ b/roles/docker-nextcloud/tasks/oidc_tasks.yml
@@ -0,0 +1,33 @@
+# @See https://chatgpt.com/share/6798189e-9c00-800f-923c-5ce3cfbdf405
+
+- name: Flush all handlers immediately so that occ can be used
+  meta: flush_handlers
+
+- name: Set hide_login_form to true
+  command: "docker exec -u www-data {{nextcloud_application_container_name}} /var/www/html/occ config:system:set --type boolean --value true hide_login_form"
+
+- name: Set auth.webauthn.enabled to false
+  command: docker exec -u www-data {{nextcloud_application_container_name}} /var/www/html/occ config:system:set --type boolean --value false auth.webauthn.enabled"
+
+- name: Set allow_login_connect to 1
+  command: >
+    docker-compose exec -u www-data application /var/www/html/occ
+    config:app:set sociallogin allow_login_connect --value="1"
+  # This configuration allows users to connect multiple accounts to their Nextcloud profile
+  # using the sociallogin app.
+
+- name: Set custom_providers
+  command: >
+    docker-compose exec -u www-data application /var/www/html/occ
+    config:app:set sociallogin custom_providers
+    --value='{"custom_oidc":[{"name":"{{domain_keycloak}}","title":"keycloak","authorizeUrl":"{{oidc_client_authorize_url}}","tokenUrl":"{{oidc_client_toke_url}}","displayNameClaim":"","userInfoUrl":"{{oidc_client_user_info_url}}","logoutUrl":"{{oidc_client_logout_url}}","clientId":"{{oidc_client_id}}","clientSecret":"{{oidc_client_secret}}","scope":"openid","groupsClaim":"","style":"","defaultGroup":""}]}'
+  # This configuration defines custom OpenID Connect (OIDC) providers for authentication.
+  # In this case, it sets up a Keycloak provider with details like URLs for authorization,
+  # token retrieval, user info, and logout, as well as the client ID and secret.
+
+- name: Set prevent_create_email_exists to 1
+  command: >
+    docker-compose exec -u www-data application /var/www/html/occ
+    config:app:set sociallogin prevent_create_email_exists --value="1"
+  # This configuration prevents the creation of new Nextcloud users if an account with the
+  # same email address already exists in the system. It helps avoid duplicate accounts.
--- a/roles/docker-nextcloud/templates/docker-compose.yml.j2
+++ b/roles/docker-nextcloud/templates/docker-compose.yml.j2
@@ -6,7 +6,7 @@ services:

  application:
    image: "nextcloud:{{nextcloud_version}}-fpm-alpine"
-    container_name: nextcloud-application
+    container_name: {{nextcloud_application_container_name}} 
    restart: {{docker_restart_policy}}
    logging:
      driver: journald
--- a/roles/docker-nextcloud/vars/main.yml
+++ b/roles/docker-nextcloud/vars/main.yml
@@ -1,4 +1,5 @@
 ---
-docker_compose_project_name:        "nextcloud"
-database_password:  	              "{{nextcloud_database_password}}"
-database_type:                      "mariadb"
+docker_compose_project_name:          "nextcloud"
+database_password:  	                "{{nextcloud_database_password}}"
+database_type:                        "mariadb"
+nextcloud_application_container_name: "nextcloud-application"