Optimized Nextcloud for OIDC flavor login and adapted user administrator credentials

This commit is contained in:
2025-02-25 15:17:56 +01:00
parent ab258cb6dd
commit 9a9bae4f2c
47 changed files with 393 additions and 95 deletions


@@ -9,10 +9,18 @@ primary_domain_tld: "localhost" # Top Le
primary_domain_sld: "cymais" # Second Level Domain of the server
primary_domain: "{{primary_domain_sld}}.{{primary_domain_tld}}" # Primary Domain of the server
# Helper Variables
_users_administrator_username: "{{ users.administrator.username | default('administrator') }}"
_users_administrator_email: "{{ users.administrator.email | default(_users_administrator_username ~ '@' ~ primary_domain) }}"
# Administrator
administrator_username: "administrator" # Username of the administrator
administrator_email: "{{administrator_username}}@{{primary_domain}}" # Email of the administrator
# administrator_initial_password: Null # Example initialisation password needs to be set in inventory file
default_users:
administrator:
username: "{{_users_administrator_username}}" # Username of the administrator
email: "{{_users_administrator_email}}" # Email of the administrator
# initial_password: Null # Example initialisation password needs to be set in inventory file
uid: 1001 # Posix User ID
gid: 1001 # Posix Group ID
# Test Email
test_email: "test@{{primary_domain}}"
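Review bot: `_users_administrator_username` reads `users.administrator.username`, while `default_users.administrator.username` is templated from `_users_administrator_username`; if `users` is derived from `default_users` anywhere else in the playbook (not visible in this hunk), that is a recursive template that Ansible will reject at evaluation time, so the origin of `users` should be stated next to the helper, e.g. `# users: provided by the inventory; default_users only supplies the fallback values read above and must not be used to build users`. The hard-coded `administrator_username: "administrator"` and the derived `administrator_email` lines, if they remain on the new side, no longer follow an inventory override of `users.administrator.username`, so callers still reading them will silently get a different account name than the rest of the stack. The `default('administrator')` fallback only covers a missing username; a missing `initial_password` stays undefined until the inventory sets it, which the commented line documents correctly.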


@@ -16,8 +16,8 @@ defaults_applications:
akaunting:
version: "latest"
company_name: "{{primary_domain}}"
company_email: "{{administrator_email}}"
setup_admin_email: "{{administrator_email}}"
company_email: "{{users.administrator.email}}"
setup_admin_email: "{{users.administrator.email}}"
database:
central_storage: True
@@ -44,7 +44,9 @@ defaults_applications:
## Bluesky
bluesky:
administrator_email: "{{administrator_email}}"
users:
administrator:
email: "{{users.administrator.email}}"
pds:
version: "latest"
#jwt_secret: # Needs to be defined in inventory file - Use: openssl rand -base64 64 | tr -d '\n'
@@ -70,14 +72,15 @@ defaults_applications:
oidc:
enabled: true # Activate OIDC. Plugin is not working yet
database:
central_storage: True
central_storage: True
## Funkwhale
funkwhale:
version: "1.4.0"
ldap_enabled: True # Enables LDAP by default
ldap:
enabled: True # Enables LDAP by default
database:
central_storage: True
central_storage: True
## Gitea
gitea:
@@ -98,10 +101,13 @@ defaults_applications:
## Keycloak
keycloak:
version: "latest"
administrator_username: "{{administrator_username}}" # Administrator Username for Keycloak
ldap_enabled: True # Enables LDAP by default
users:
administrator:
username: "{{users.administrator.username}}" # Administrator Username for Keycloak
ldap:
enabled: True # Enables LDAP by default
database:
central_storage: True
central_storage: True
# database_password: # Needs to be defined in inventory file
# administrator_password: # Needs to be defined in inventory file
@@ -109,7 +115,7 @@ defaults_applications:
ldap:
lam:
version: "latest"
administrator_password: "{{administrator_initial_password}}" # CHANGE for security reasons
administrator_password: "{{users.administrator.initial_password}}" # CHANGE for security reasons
openldap:
version: "latest"
network:
@@ -119,8 +125,11 @@ defaults_applications:
phpldapadmin:
version: "2.0.0-dev" # @todo Attention: Change this as fast as released to latest
webinterface: "lam" # The webinterface which should be used. Possible: lam and phpldapadmin
administrator_username: "{{administrator_username}}"
ldap_enabled: True # Should have the same value as applications.ldap.openldap.network.local.
users:
administrator:
username: "{{users.administrator.username}}"
ldap:
enabled: True # Should have the same value as applications.ldap.openldap.network.local.
force_import: false # Forces the import of the LDIF files when set to true
oauth2_proxy:
enabled: true # Activate the OAuth2 Proxy for the LDAP Webinterface
@@ -134,7 +143,9 @@ defaults_applications:
## Listmonk
listmonk:
administrator_username: "{{administrator_username}}" # Listmonk administrator account username
users:
administrator:
username: "{{users.administrator.username}}" # Listmonk administrator account username
public_api_activated: False # Security hole. Can be used for spaming
version: "latest" # Docker Image version
setup: false # Set true in inventory file to execute the setup and initializing procedures
@@ -197,7 +208,9 @@ defaults_applications:
## Matrix
matrix:
administrator_username: "{{administrator_username}}" # Accountname of the matrix admin
users:
administrator:
username: "{{users.administrator.username}}" # Accountname of the matrix admin
playbook_tags: "setup-all,start" # For the initial update use: install-all,ensure-matrix-users-created,start
role: "compose" # Role to setup Matrix. Valid values: ansible, compose
server_name: "{{primary_domain}}" # Adress for the account names etc.
@@ -214,8 +227,10 @@ defaults_applications:
## Moodle
moodle:
site_titel: "Global Learning Academy on {{primary_domain}}"
administrator_name: "{{administrator_username}}"
administrator_email: "{{administrator_email}}"
users:
administrator:
username: "{{users.administrator.username}}"
email: "{{users.administrator.email}}"
version: "latest"
database:
central_storage: True
@@ -228,17 +243,26 @@ defaults_applications:
## Nextcloud
nextcloud:
version: "production" # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/
ldap_enabled: True # Enables LDAP by default, missing ansible setup tasks @todo setup
version: "production" # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/
ldap:
enabled: True # Enables LDAP by default, missing ansible setup tasks @todo setup
oidc:
enabled: true # Activate OIDC for Nextcloud
force_import: False # Forces the import of the LDIF files
enabled: true # Activate OIDC for Nextcloud
# floavor decides which OICD plugin should be used.
# Available options: login, sociallogin
# @see https://apps.nextcloud.com/apps/oidc_login
# @see https://apps.nextcloud.com/apps/sociallogin
flavor: "sociallogin" # Keeping on sociallogin because the other option is not implemented yet
force_import: False # Forces the import of the LDIF files
database:
central_storage: True
central_storage: True
credentials:
# database_password: Null # Needs to be set in inventory file
administrator_username: "{{administrator_username}}"
administrator_initial_password: "{{administrator_initial_password}}"
# database_password: Null # Needs to be set in inventory file
users:
administrator:
username: "{{users.administrator.username}}"
initial_password: "{{users.administrator.initial_password}}"
default_quota: '1000000000' # Quota to assign if no quota is specified in the OIDC response (bytes)
## OAuth2 Proxy
oauth2_proxy:
@@ -255,7 +279,8 @@ defaults_applications:
application: "proxy"
port: "80"
# cookie_secret: None # Set via openssl rand -hex 16
ldap_enabled: True # Enables LDAP by default
ldap:
enabled: True # Enables LDAP by default
database:
central_storage: True
css:
@@ -312,7 +337,9 @@ defaults_applications:
## YOURLS
yourls:
administrator_username: "{{administrator_username}}"
users:
administrator:
username: "{{users.administrator.username}}"
version: "latest"
oauth2_proxy:
enabled: true
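Review bot: The LAM `administrator_password` now aliases `users.administrator.initial_password` (the `@@ -109,7 +115,7 @@` hunk), and the same inventory value is wired into Nextcloud's `initial_password` in the `@@ -228,17 +243,26 @@` hunk, so a single secret serves both as the LDAP directory administrator's credential and as an application login, meaning a leak of either grants the other. The existing `# CHANGE for security reasons` comment acknowledges this, but the default still couples the two; Keycloak in the `@@ -98,10 +101,13 @@` hunk keeps its own `administrator_password` inventory key, which is the safer shape, so LAM should likewise reference a dedicated inventory variable (placeholder: `<lam_administrator_password_var>`) rather than the user's initial password. In the Nextcloud hunk the comment `# floavor decides which OICD plugin should be used.` should read `# flavor decides which OIDC plugin should be used.`, and since `flavor` is read as a free-form string it would help to note that only the two listed values are handled by the tasks.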


@@ -39,7 +39,7 @@ ldap:
# Defines the base Distinguished Name (DN) for the LDAP directory, constructed from the second-level domain (SLD) and top-level domain (TLD).
root: "{{_ldap_dn_base}}"
# Specifies the Distinguished Name (DN) of the LDAP administrator, combining the admin's username with the LDAP root domain.
administrator: "cn={{applications.ldap.administrator_username}},{{_ldap_dn_base}}"
administrator: "cn={{applications.ldap.users.administrator.username}},{{_ldap_dn_base}}"
# Dn from which the users should be read
users: "ou=users,{{_ldap_dn_base}}"
# Dn from which the groups should be read
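Review bot: The administrator DN is assembled by string concatenation, so `applications.ldap.users.administrator.username` is inserted unescaped; a value containing DN-special characters (`,`, `=`, `+`, `"`, `\`, `<`, `>`, `;`, or leading/trailing spaces) produces a malformed or differently-resolving bind DN. The username comes from the inventory rather than from end users, so the risk is misconfiguration rather than injection, but the constraint is worth stating on the existing comment line, e.g. `# Specifies the Distinguished Name (DN) of the LDAP administrator; the username is inserted verbatim and must not contain DN-special characters (',', '=', '+', '"', '\', '<', '>', ';').`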


@@ -16,14 +16,14 @@ defaults_service_provider:
logo: https://cloud.veen.world/s/logo_cymais_512x512/download
favicon: https://cloud.veen.world/s/veen_world_favicon/download
contact:
bluesky: "{{ '@' ~ administrator_username ~ '.' ~ domains.bluesky_api if 'bluesky' in group_names else '' }}"
bluesky: "{{ '@' ~ users.administrator.username ~ '.' ~ domains.bluesky_api if 'bluesky' in group_names else '' }}"
email: "contact@{{ primary_domain }}"
mastodon: "{{ '@' ~ administrator_username ~ '@' ~ domains.mastodon if 'mastodon' in group_names else '' }}"
matrix: "{{ '@' ~ administrator_username ~ ':' ~ domains.matrix_synapse if 'matrix' in group_names else '' }}"
peertube: "{{ '@' ~ administrator_username ~ '@' ~ domains.peertube if 'peertube' in group_names else '' }}"
pixelfed: "{{ '@' ~ administrator_username ~ '@' ~ domains.pixelfed if 'pixelfed' in group_names else '' }}"
mastodon: "{{ '@' ~ users.administrator.username ~ '@' ~ domains.mastodon if 'mastodon' in group_names else '' }}"
matrix: "{{ '@' ~ users.administrator.username ~ ':' ~ domains.matrix_synapse if 'matrix' in group_names else '' }}"
peertube: "{{ '@' ~ users.administrator.username ~ '@' ~ domains.peertube if 'peertube' in group_names else '' }}"
pixelfed: "{{ '@' ~ users.administrator.username ~ '@' ~ domains.pixelfed if 'pixelfed' in group_names else '' }}"
phone: "+0 000 000 404"
wordpress: "{{ '@' ~ administrator_username ~ '@' ~ domains.wordpress[0] if 'wordpress' in group_names else '' }}"
wordpress: "{{ '@' ~ users.administrator.username ~ '@' ~ domains.wordpress[0] if 'wordpress' in group_names else '' }}"
legal:
editorial_responsible: "Johannes Gutenberg"
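Review bot: Every public contact handle in this hunk is built from `users.administrator.username`, which the other changed files use as the privileged administrator account name for Matrix, Keycloak, Listmonk and others, so the service-provider contact block publishes the admin login name by default. If that is intended, a comment above `contact:` such as `# Handles below expose the administrator account name; set a dedicated contact account in the inventory if this should not be public` makes the trade-off explicit; otherwise a separate contact username would decouple the published handle from the privileged account. As a point of style, the `'@' ~ users.administrator.username ~ …` expression is repeated five times and could be computed once in a helper variable, but that does not change behaviour.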