kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-02-22 12:29:39 +01:00
Code Issues Packages Projects Releases Wiki Activity

Implemented automatic OIDC connection for Nextcloud

Browse Source
This commit is contained in:
Kevin Veen-Birkenbach 2025-02-06 23:04:37 +01:00
parent eaeab18103
commit b1ff11a0b8
3 changed files with 115 additions and 88 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

180
roles/docker-nextcloud/README.md
View File

@ -1,61 +1,71 @@
# role docker-nextcloud
# Docker Nextcloud Role 🚀
## modify config
Enter container:
This repository contains an Ansible role for deploying and managing [Nextcloud](https://nextcloud.com/) using [Docker](https://www.docker.com/). It covers configuration modifications, updates, backups, database management, and more. Additionally, OIDC (OpenID Connect) is supported (for example, via **Keycloak**).
> **Developed by:** Kevin Veen-Birkenbach
> **Website:** [https://www.veen.world/](https://www.veen.world/)
>
> *This README.md was created with the help of [ChatGPT](https://chatgpt.com/share/67a5312c-7248-800f-ae27-0288c1c82f1d).*
---
## Modify Config 🔧
### Enter the Container
```bash
docker-compose exec -it application /bin/sh
docker-compose exec -it application /bin/sh
```
Afterwards modify config:
### Modify the Configuration
Inside the container, install a text editor and edit the config:
```bash
apk add --no-cache nano && nano config/config.php
```
## update
---
To update the nextcloud container execute the following commands on the server:
## Update 🔄
To update the Nextcloud container, execute the following commands on the server:
```bash
docker-compose exec -it -u www-data application /var/www/html/occ maintenance:mode --on &&
export COMPOSE_HTTP_TIMEOUT=600 &&
export DOCKER_CLIENT_TIMEOUT=600 &&
docker-compose down
docker-compose exec -it -u www-data application /var/www/html/occ maintenance:mode --on &&
export COMPOSE_HTTP_TIMEOUT=600 &&
export DOCKER_CLIENT_TIMEOUT=600 &&
docker-compose down
```
Afterwards update the ***applications.nextcloud.version*** variable to the next version and run the this repository with this ansible role.
Afterwards, update the ***applications.nextcloud.version*** variable to the next version and run this repository with this Ansible role.
It is only possible to update from one to the next major version at a time
Wait for the update to finish.
You can verify that the update is finished by checking the following logs:
> **Note:**
> It is only possible to update from one to the next major version at a time.
> Wait for the update to finish.
Verify the update by checking the logs:
```bash
docker-compose logs application
```
and
```bash
docker-compose exec -it application top
```
If nextcloud stays in the maintenance mode after the update try the following:
If Nextcloud remains in maintenance mode after the update, try the following:
```bash
docker-compose exec -it -u www-data application /var/www/html/occ maintenance:mode --on
docker-compose exec -it -u www-data application /var/www/html/occ upgrade
docker-compose exec -it -u www-data application /var/www/html/occ maintenance:mode --off
docker-compose exec -it -u www-data application /var/www/html/occ maintenance:mode --on
docker-compose exec -it -u www-data application /var/www/html/occ upgrade
docker-compose exec -it -u www-data application /var/www/html/occ maintenance:mode --off
```
If the update process fails execute
If the update process fails, execute:
```bash
docker-compose exec -it -u www-data application /var/www/html/occ maintenance:repair --include-expensive
docker-compose exec -it -u www-data application /var/www/html/occ maintenance:repair --include-expensive
```
and disable any non-functioning apps.
and disable the not functioning apps.
---
## Recover Latest Backup 💾
## recover latest backup
```bash
cd {{path_docker_compose_instances}}nextcloud &&
docker-compose down &&
@ -64,77 +74,99 @@ cd {{path_administrator_scripts}}backup-docker-to-local &&
bash ./recover-docker-from-local.sh "nextcloud_data" "$(sha256sum /etc/machine-id | head -c 64)"
```
## database
### database access
To access the database execute
---
## Database Management 🗄️
### Database Access
To access the database, execute:
```bash
docker-compose exec -it database mysql -u nextcloud -D nextcloud -p
docker-compose exec -it database mysql -u nextcloud -D nextcloud -p
```
### recreate database with new volume:
### Recreate Database with New Volume
```bash
docker-compose run --detach --name database --env MYSQL_USER="nextcloud" --env MYSQL_PASSWORD=PASSWORD --env MYSQL_ROOT_PASSWORD=PASSWORD --env MYSQL_DATABASE="nextcloud" -v nextcloud_database:/var/lib/mysql
```
The process can be checked with:
```bash
Check the process with:
```sql
show processlist;
```
## occ
---
To use occ run:
## OCC (Nextcloud Command Line) 🔧
To use OCC, run:
```bash
docker-compose exec -it -u www-data application /var/www/html/occ
docker-compose exec -it -u www-data application /var/www/html/occ
```
## app relevant tables
- oc_appconfig
- oc_migrations
---
### initialize duplicates
## App Relevant Tables 🗃️
- `oc_appconfig`
- `oc_migrations`
### Initialize Duplicates
```bash
docker-compose exec -it -u www-data application /var/www/html/occ duplicates:find-all --output
docker-compose exec -it -u www-data application /var/www/html/occ duplicates:find-all --output
```
### unlock files
### Unlock Files
```bash
docker-compose exec -it -u www-data application /var/www/html/occ maintenance:mode --on
docker-compose exec -it nextcloud_database_1 mysql -u nextcloud -pPASSWORD1234132 -D nextcloud -e "delete from oc_file_locks where 1"
docker-compose exec -it -u www-data application /var/www/html/occ maintenance:mode --off
docker-compose exec -it -u www-data application /var/www/html/occ maintenance:mode --on
docker-compose exec -it nextcloud_database_1 mysql -u nextcloud -pPASSWORD1234132 -D nextcloud -e "delete from oc_file_locks where 1"
docker-compose exec -it -u www-data application /var/www/html/occ maintenance:mode --off
```
## architecture
### Maria DB
Until NC24 MariaDB version has to be used.
---
## performance
### 504 Gateway Timeout
## Architecture
### MariaDB
Until Nextcloud 24, the MariaDB version must be used.
---
## Performance: 504 Gateway Timeout ⏱️
```bash
docker-compose logs web --tail 1000 | grep 504
docker-compose logs web --tail 1000 | grep 504
```
#### See
- https://support.f5.com/csp/article/K48373902
- https://github.com/nextcloud/server/issues/25436
- https://help.nextcloud.com/t/update-to-next-cloud-21-0-2-has-get-an-error/117028/23?page=2
- https://serverfault.com/questions/178671/nginx-php-fpm-504-gateway-time-out-error-with-almost-zero-load-on-a-test-se
- https://help.nextcloud.com/t/solved-manual-lemp-install-php-fpm-timing-out/39070
#### See:
- [F5 Support: K48373902](https://support.f5.com/csp/article/K48373902)
- [Nextcloud Server Issue #25436](https://github.com/nextcloud/server/issues/25436)
- [Nextcloud 21.0.2 Update Error](https://help.nextcloud.com/t/update-to-next-cloud-21-0-2-has-get-an-error/117028/23?page=2)
- [ServerFault: Nginx PHP-FPM 504 Error](https://serverfault.com/questions/178671/nginx-php-fpm-504-gateway-time-out-error-with-almost-zero-load-on-a-test-se)
- [Manual LEMP Install Timeout](https://help.nextcloud.com/t/solved-manual-lemp-install-php-fpm-timing-out/39070)
## further information
- https://github.com/nextcloud/docker/blob/master/.examples/docker-compose/with-nginx-proxy/mariadb/fpm/docker-compose.yml
- https://goneuland.de/nextcloud-upgrade-auf-neue-versionen-mittels-docker/
- https://help.nextcloud.com/t/cant-start-nextcloud-because-the-version-of-the-data-is-higher-than-the-docker-image-version-and-downgrading-is-not-supported/109438
- https://github.com/nextcloud/docker/issues/1302
- https://help.nextcloud.com/t/update-to-22-failed-with-database-error-updated/120682
- https://help.nextcloud.com/t/nc-update-to-21-0-0-beta1-exception-database-error/101124/4
- https://wolfgang.gassler.org/reset-password-mariadb-mysql-docker/
- https://unix.stackexchange.com/questions/478855/ansible-docker/container/and-depends-on
- https://github.com/gdiepen/docker-convenience-scripts
- https://help.nextcloud.com/t/several-issues-after-upgrading-to-nextcloud-21/113118/3
- https://forum.openmediavault.org/index.php?thread/31782-docker-nextcloud-talk-plugin-and-turnserver/
- https://help.nextcloud.com/t/nextcloud-talk-im-docker/container/turn-server-auf-docker-host-kein-video/84133/10
---
## Further Information
- [Nextcloud Docker Example with Nginx Proxy, MariaDB, and FPM](https://github.com/nextcloud/docker/blob/master/.examples/docker-compose/with-nginx-proxy/mariadb/fpm/docker-compose.yml)
- [Nextcloud Upgrade via Docker by Goneuland](https://goneuland.de/nextcloud-upgrade-auf-neue-versionen-mittels-docker/)
- [Nextcloud Data Version Issue](https://help.nextcloud.com/t/cant-start-nextcloud-because-the-version-of-the-data-is-higher-than-the-docker-image-version-and-downgrading-is-not-supported/109438)
- [Nextcloud Docker Issue #1302](https://github.com/nextcloud/docker/issues/1302)
- [Update to Nextcloud 22 Failed Database Error](https://help.nextcloud.com/t/update-to-22-failed-with-database-error-updated/120682)
- [Nextcloud 21.0.0-beta1 Database Error](https://help.nextcloud.com/t/nc-update-to-21-0-0-beta1-exception-database-error/101124/4)
- [Reset Password for MariaDB/MySQL in Docker](https://wolfgang.gassler.org/reset-password-mariadb-mysql-docker/)
- [Ansible Docker Container and depends_on Issue](https://unix.stackexchange.com/questions/478855/ansible-docker/container/and-depends-on)
- [Docker Convenience Scripts by gdiepen](https://github.com/gdiepen/docker-convenience-scripts)
- [Issues After Upgrading to Nextcloud 21](https://help.nextcloud.com/t/several-issues-after-upgrading-to-nextcloud-21/113118/3)
- [Nextcloud Talk Plugin and Turnserver in Docker](https://forum.openmediavault.org/index.php?thread/31782-docker-nextcloud-talk-plugin-and-turnserver/)
- [Nextcloud Talk on Docker: Turn Server Issues](https://help.nextcloud.com/t/nextcloud-talk-im-docker/container/turn-server-auf-docker-host-kein-video/84133/10)
---
## OIDC (OpenID Connect) Support 🔐
OIDC is supported in this role—for example, via **Keycloak**. OIDC-specific tasks are included when enabled, allowing integration of external authentication providers seamlessly.
---
*Enjoy and happy containerizing! 😄*

7
roles/docker-nextcloud/tasks/main.yml
View File

@ -32,7 +32,6 @@
force: yes
notify: docker compose project setup
# @todo activate
#- name: Include OIDC-specific tasks if OIDC client is active
# include_tasks: oidc_tasks.yml
# when: oidc.enabled | bool
- name: Include OIDC-specific tasks if OIDC client is active
include_tasks: oidc_tasks.yml
when: oidc.enabled | bool

16
roles/docker-nextcloud/tasks/oidc_tasks.yml
View File

@ -6,28 +6,24 @@
- name: Set hide_login_form to true
command: "docker exec -u www-data {{nextcloud_application_container_name}} /var/www/html/occ config:system:set --type boolean --value true hide_login_form"
- name: Set auth.webauthn.enabled to false
command: docker exec -u www-data {{nextcloud_application_container_name}} /var/www/html/occ config:system:set --type boolean --value false auth.webauthn.enabled"
- name: "Set auth.webauthn.enabled to false"
command: "docker exec -u www-data {{nextcloud_application_container_name}} /var/www/html/occ config:system:set --type boolean --value false auth.webauthn.enabled"
- name: Set allow_login_connect to 1
command: >
docker-compose exec -u www-data application /var/www/html/occ
config:app:set sociallogin allow_login_connect --value="1"
command: "docker exec -u www-data {{nextcloud_application_container_name}} /var/www/html/occ config:app:set sociallogin allow_login_connect --value='1'"
# This configuration allows users to connect multiple accounts to their Nextcloud profile
# using the sociallogin app.
- name: Set custom_providers
command: >
docker-compose exec -u www-data application /var/www/html/occ
docker exec -u www-data {{nextcloud_application_container_name}} /var/www/html/occ
config:app:set sociallogin custom_providers
--value='{"custom_oidc":[{"name":"{{domains.keycloak}}","title":"keycloak","authorizeUrl":"{{oidc.client.authorize_url}}","tokenUrl":"{{oidc.client.toke_url}}","displayNameClaim":"","userInfoUrl":"{{oidc.client.user_info_url}}","logoutUrl":"{{oidc.client.logout_url}}","clientId":"{{oidc.client.id}}","clientSecret":"{{oidc.client.secret}}","scope":"openid","groupsClaim":"","style":"","defaultGroup":""}]}'
--value='{"custom_oidc":[{"name":"{{domains.keycloak}}","title":"keycloak","style":"keycloak","authorizeUrl":"{{oidc.client.authorize_url}}","tokenUrl":"{{oidc.client.toke_url}}","displayNameClaim":"","userInfoUrl":"{{oidc.client.user_info_url}}","logoutUrl":"{{oidc.client.logout_url}}","clientId":"{{oidc.client.id}}","clientSecret":"{{oidc.client.secret}}","scope":"openid","groupsClaim":"","style":"","defaultGroup":""}]}'
# This configuration defines custom OpenID Connect (OIDC) providers for authentication.
# In this case, it sets up a Keycloak provider with details like URLs for authorization,
# token retrieval, user info, and logout, as well as the client ID and secret.
- name: Set prevent_create_email_exists to 1
command: >
docker-compose exec -u www-data application /var/www/html/occ
config:app:set sociallogin prevent_create_email_exists --value="1"
command: 'docker exec -u www-data {{nextcloud_application_container_name}} /var/www/html/occ config:app:set sociallogin prevent_create_email_exists --value="1"'
# This configuration prevents the creation of new Nextcloud users if an account with the
# same email address already exists in the system. It helps avoid duplicate accounts.