From d20e900ab2bfc59f4087ea307ec01b5faef04c33 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach <kevin@veen.world>
Date: Fri, 28 Feb 2025 13:19:34 +0100
Subject: [PATCH] Optimized Nextcloud Configuration
---
group_vars/all/07_applications.yml | 3 +-
roles/docker-nextcloud/handlers/main.yml | 4 +-
roles/docker-nextcloud/tasks/config.yml | 33 --------
roles/docker-nextcloud/tasks/ldap.yml | 17 ----
.../tasks/legacy_login_mask.yml | 5 --
roles/docker-nextcloud/tasks/main.yml | 80 +++++++++++--------
roles/docker-nextcloud/tasks/oidc_login.yml | 3 -
roles/docker-nextcloud/tasks/plugin.yml | 46 +++++++----
roles/docker-nextcloud/tasks/plugins/ldap.yml | 6 ++
roles/docker-nextcloud/tasks/sociallogin.yml | 11 ---
roles/docker-nextcloud/tasks/system.yml | 8 ++
.../templates/config/README.md | 2 +
.../templates/{ => config}/oidc.config.php.j2 | 9 ++-
.../templates/config/redis.config.php.j2 | 11 +++
.../templates/docker-compose.yml.j2 | 10 +--
roles/docker-nextcloud/templates/env.j2 | 20 ++---
.../docker-nextcloud/templates/include.php.j2 | 11 +++
.../docker.conf.j2} | 0
.../host.conf.j2} | 0
roles/docker-nextcloud/vars/main.yml | 45 ++++++++---
roles/docker-nextcloud/vars/plugins/README.md | 1 +
.../vars/{ => plugins}/ldap.yml | 2 +-
.../vars/{ => plugins}/sociallogin.yml | 2 +-
roles/docker-nextcloud/vars/system.yml | 23 ++++++
24 files changed, 207 insertions(+), 145 deletions(-)
delete mode 100644 roles/docker-nextcloud/tasks/config.yml
delete mode 100644 roles/docker-nextcloud/tasks/ldap.yml
delete mode 100644 roles/docker-nextcloud/tasks/legacy_login_mask.yml
delete mode 100644 roles/docker-nextcloud/tasks/oidc_login.yml
create mode 100644 roles/docker-nextcloud/tasks/plugins/ldap.yml
delete mode 100644 roles/docker-nextcloud/tasks/sociallogin.yml
create mode 100644 roles/docker-nextcloud/tasks/system.yml
create mode 100644 roles/docker-nextcloud/templates/config/README.md
rename roles/docker-nextcloud/templates/{ => config}/oidc.config.php.j2 (98%)
create mode 100644 roles/docker-nextcloud/templates/config/redis.config.php.j2
create mode 100644 roles/docker-nextcloud/templates/include.php.j2
rename roles/docker-nextcloud/templates/{internal-nginx.conf.j2 => nginx/docker.conf.j2} (100%)
rename roles/docker-nextcloud/templates/{proxy-nginx.conf.j2 => nginx/host.conf.j2} (100%)
create mode 100644 roles/docker-nextcloud/vars/plugins/README.md
rename roles/docker-nextcloud/vars/{ => plugins}/ldap.yml (99%)
rename roles/docker-nextcloud/vars/{ => plugins}/sociallogin.yml (98%)
create mode 100644 roles/docker-nextcloud/vars/system.yml
diff --git a/group_vars/all/07_applications.yml b/group_vars/all/07_applications.yml
index d67ec1a6..2ebfa4bb 100644
--- a/group_vars/all/07_applications.yml
+++ b/group_vars/all/07_applications.yml
@@ -305,7 +305,8 @@ defaults_applications:
enabled: true
deck:
# Nextcloud Deck: organizes tasks and projects using Kanban boards (https://apps.nextcloud.com/apps/deck)
- enabled: true
+ # When Taiga is activated, this plugin is deactivated, because Taiga is the prefered application.
+ enabled: "{{ 'taiga' not in group_names | lower }}"
drawio:
# Nextcloud draw.io: integrates diagram creation and editing tools (https://apps.nextcloud.com/apps/drawio)
enabled: true
diff --git a/roles/docker-nextcloud/handlers/main.yml b/roles/docker-nextcloud/handlers/main.yml
index d47215e0..a08fc44e 100644
--- a/roles/docker-nextcloud/handlers/main.yml
+++ b/roles/docker-nextcloud/handlers/main.yml
@@ -1,6 +1,6 @@
---
-- name: restart docker nginx service
+- name: restart nextcloud nginx service
command:
cmd: "docker exec {{applications.nextcloud.container.proxy}} nginx -s reload"
- listen: restart docker nginx service
+ listen: restart nextcloud nginx service
ignore_errors: true # Ignoring if container is restarting
diff --git a/roles/docker-nextcloud/tasks/config.yml b/roles/docker-nextcloud/tasks/config.yml
deleted file mode 100644
index a34de1f2..00000000
--- a/roles/docker-nextcloud/tasks/config.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-- name: "Substitute http with https in {{ nextcloud_config_file_host_path }}"
- replace:
- path: "{{ nextcloud_config_file_host_path }}"
- regexp: "http://{{ domain | regex_escape }}"
- replace: "https://{{ domain }}"
- notify:
- - docker compose restart
-
-#- name: Ensure 'overwriteprotocol' is set to 'https' in Nextcloud {{ nextcloud_config_file_host_path }}
-# block:
-# Deactivated because it was really heavy to fix.
-# @todo implement
-# - name: Check if 'overwriteprotocol' is already set
-# lineinfile:
-# path: "{{ nextcloud_config_file_host_path }}"
-# regexp: "^\s*overwriteprotocol\s*=>\s*http"
-# line: "overwriteprotocol => 'https',"
-# backrefs: yes
-# state: present
-# notify:
-# - docker compose restart
-#
-# - name: Add 'overwriteprotocol' => 'https' if not present
-# lineinfile:
-# path: "{{ nextcloud_config_file_host_path }}"
-# regexp: "^\s*\);$"
-# line: "overwriteprotocol => 'https',"
-# insertafter: "^\s*\);$"
-# state: present
-# notify:
-# - docker compose restart
-# notify:
-# - docker compose restart
diff --git a/roles/docker-nextcloud/tasks/ldap.yml b/roles/docker-nextcloud/tasks/ldap.yml
deleted file mode 100644
index b500765e..00000000
--- a/roles/docker-nextcloud/tasks/ldap.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-# @See https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html
-# @See https://chatgpt.com/c/67aa2d21-cb4c-800f-b1be-8629b6bd3f55
-# @todo implement
-- name: Load LDAP Nextcloud configuration variables
- include_vars:
- file: ldap.yml
-
-- name: Set Nextcloud LDAP config
- loop: "{{ nextcloud_ldap_configuration }}"
- command: >
- docker exec -u www-data {{ applications.nextcloud.container.application }}
- php occ config:app:set {{ item.appid }} {{ item.configkey }} --value "{{ item.configvalue }}"
-
-- name: Set Nextcloud LDAP bind password
- command: >
- docker exec -u www-data {{ applications.nextcloud.container.application }}
- php occ ldap:set-config s01 ldapAgentPassword "{{ ldap.bind_credential }}"
diff --git a/roles/docker-nextcloud/tasks/legacy_login_mask.yml b/roles/docker-nextcloud/tasks/legacy_login_mask.yml
deleted file mode 100644
index 632bfd26..00000000
--- a/roles/docker-nextcloud/tasks/legacy_login_mask.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-- name: Set hide_login_form to true
- command: "docker exec -u www-data {{applications.nextcloud.container.application}} {{nextcloud_docker_path}}occ config:system:set --type boolean --value {{ (not applications[application_id].legacy_login_mask.enabled) | lower }} hide_login_form"
-
-- name: "Set auth.webauthn.enabled to false"
- command: "docker exec -u www-data {{applications.nextcloud.container.application}} {{nextcloud_docker_path}}occ config:system:set --type boolean --value {{applications[application_id].legacy_login_mask.enabled | lower}} auth.webauthn.enabled"
\ No newline at end of file
diff --git a/roles/docker-nextcloud/tasks/main.yml b/roles/docker-nextcloud/tasks/main.yml
index 40f2c45c..c837d1d5 100644
--- a/roles/docker-nextcloud/tasks/main.yml
+++ b/roles/docker-nextcloud/tasks/main.yml
@@ -3,22 +3,20 @@
include_role:
name: docker-central-database
-- name: copy oidc.config.php
- template:
- src: oidc.config.php.j2
- dest: "{{nextcloud_host_oidc_login_path}}"
- owner: 82 # User www-data in Nextcloud container
- group: 82 # User www-data in Nextcloud container
- when: applications[application_id].oidc.flavor == "oidc_login"
+- name: "create {{ nextcloud_docker_config_additives_directory }}"
+ file:
+ path: "{{ nextcloud_docker_config_additives_directory }}"
+ state: directory
+ mode: 0755
-- name: Remove OIDC configuration lines from config.php if present (container)
- command: >
- docker exec -u www-data {{ applications.nextcloud.container.application }} sh -c "sed -i '/CONFIG_EXTRA = include.*oidc\.config\.php/d' /var/www/html/config/config.php && sed -i '/CONFIG = array_merge(\\$CONFIG, \\$CONFIG_EXTRA)/d' /var/www/html/config/config.php"
- when: applications[application_id].oidc.flavor == "sociallogin" and mode_cleanup | bool
-
-- name: Set maintanance window
- command: >
- docker exec -u www-data {{ applications.nextcloud.container.application }} php occ config:system:set maintenance_window_start --type=integer --value={{on_calendar_nextcloud}}"
+- name: "Create config files at {{ nextcloud_docker_config_additives_directory }}"
+ template:
+ src: "{{ item }}"
+ dest: "{{ nextcloud_docker_config_additives_directory }}/{{ item | basename | regex_replace('\\.j2$', '') }}"
+ owner: "{{nextcloud_docker_user_id}}"
+ group: "{{nextcloud_docker_user_id}}"
+ loop: "{{ lookup('fileglob', role_path ~ '/templates/config/*.j2', wantlist=True) }}"
+ notify: docker compose restart
- name: "include role for {{application_id}} to recieve certs & do modification routines"
include_role:
@@ -26,15 +24,15 @@
- name: create nextcloud nginx proxy configuration file
template:
- src: "proxy-nginx.conf.j2"
+ src: "nginx/host.conf.j2"
dest: "{{nginx.directories.http.servers}}{{domains[application_id]}}.conf"
notify: restart nginx
- name: create internal nextcloud nginx configuration
template:
- src: "internal-nginx.conf.j2"
+ src: "nginx/docker.conf.j2"
dest: "{{docker_compose.directories.volumes}}nginx.conf"
- notify: restart docker nginx service
+ notify: restart nextcloud nginx service
- name: "copy docker-compose.yml and env file"
include_tasks: copy-docker-compose-and-env.yml
@@ -42,25 +40,43 @@
- name: Flush all handlers immediately so that occ can be used
meta: flush_handlers
+- name: Merge all files in cymais directory (container)
+ block:
+ - name: Add dynamic config merging from Jinja template
+ template:
+ src: include.php.j2
+ dest: "{{nextcloud_host_include_instructions_file}}"
+ notify: docker compose restart
+
+ - name: Copy include instructions to the container
+ command: >
+ docker cp {{ nextcloud_host_include_instructions_file }} {{ applications.nextcloud.container.application }}:{{nextcloud_docker_include_instructions_file}}
+
+ - name: Append generated config to config.php only if not present
+ command: >
+ docker exec -u {{nextcloud_docker_user}} {{ applications.nextcloud.container.application }} sh -c "
+ grep -q 'foreach (glob(\"{{ nextcloud_docker_config_additives_directory }}*.php\") as \$file)' {{ nextcloud_docker_config_file }} ||
+ cat {{nextcloud_docker_include_instructions_file}} >> {{ nextcloud_docker_config_file }}"
+ notify: docker compose restart
+
- name: Setup Nextcloud Plugins
include_tasks: plugin.yml
loop: "{{applications[application_id].plugins | dict2items }}"
loop_control:
loop_var: plugin_item
vars:
- plugin_name: "{{ plugin_item.key }}"
- plugin_configuration: "{{ plugin_item.value }}"
+ plugin_key: "{{ plugin_item.key }}"
+ plugin_value: "{{ plugin_item.value }}"
-- name: "Include OIDC-specific tasks with flavor {{applications[application_id].oidc.flavor}}"
- include_tasks: "{{applications[application_id].oidc.flavor}}.yml"
- when: applications[application_id].oidc.enabled | bool
+- name: Load system configuration
+ include_tasks: system.yml
-- name: Include LDAP specific tasks
- include_tasks: ldap.yml
- when: applications[application_id].ldap.enabled | bool
-
-- name: Include Config specific tasks
- include_tasks: config.yml
-
-- name: De\Activate legacy login mask
- include_tasks: legacy_login_mask.yml
\ No newline at end of file
+- name: Add missing database indices in Nextcloud
+ command: >
+ {{nextcloud_docker_exec_occ}} db:add-missing-indices
+ register: db_indices_result
+ changed_when: >
+ 'Adding additional' in db_indices_result.stdout or
+ 'Removing' in db_indices_result.stdout or
+ 'updated successfully' in db_indices_result.stdout
+ failed_when: db_indices_result.rc != 0
diff --git a/roles/docker-nextcloud/tasks/oidc_login.yml b/roles/docker-nextcloud/tasks/oidc_login.yml
deleted file mode 100644
index 1506fd4f..00000000
--- a/roles/docker-nextcloud/tasks/oidc_login.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-- name: Add OIDC configuration if not implemented yet
- command: >
- docker exec -u www-data {{ applications.nextcloud.container.application }} sh -c 'grep -q "CONFIG_EXTRA = include" ./config/config.php || echo -e "\n\$CONFIG_EXTRA = include '\''{{nextcloud_docker_oidc_login_config_path}}'\'';\n\$CONFIG = array_merge(\$CONFIG, \$CONFIG_EXTRA);" >> ./config/config.php'
diff --git a/roles/docker-nextcloud/tasks/plugin.yml b/roles/docker-nextcloud/tasks/plugin.yml
index 054c880d..96f979d6 100644
--- a/roles/docker-nextcloud/tasks/plugin.yml
+++ b/roles/docker-nextcloud/tasks/plugin.yml
@@ -1,29 +1,47 @@
-- name: "Disable incompatible plugins for {{plugin_name}}."
- command: "docker exec -u www-data {{applications.nextcloud.container.application}} {{nextcloud_docker_path}}occ app:disable {{incompatible_plugin}}"
- loop: "{{plugin_configuration.incompatible_plugins}}"
+- name: "Disable incompatible plugins for {{plugin_key}}."
+ command: "{{nextcloud_docker_exec_occ}} app:disable {{incompatible_plugin}}"
+ loop: "{{plugin_value.incompatible_plugins}}"
loop_control:
loop_var: incompatible_plugin
register: disable_incompatible_plugin_result
changed_when: disable_incompatible_plugin_result.rc == 0 and ("No such app enabled" not in disable_incompatible_plugin_result.stdout)
when:
- - plugin_configuration.incompatible_plugins is defined and plugin_configuration.incompatible_plugins | length > 0
- - plugin_configuration.enabled | bool
+ - plugin_value.incompatible_plugins is defined and plugin_value.incompatible_plugins | length > 0
+ - plugin_value.enabled | bool
-- name: disable {{ plugin_name }} nextcloud plugin
- command: "docker exec -u www-data {{ applications.nextcloud.container.application }} {{ nextcloud_docker_path }}occ app:disable {{ plugin_name }}"
+- name: disable {{ plugin_key }} nextcloud plugin
+ command: "{{nextcloud_docker_exec_occ}} app:disable {{ plugin_key }}"
register: disable_result
changed_when: disable_result.rc == 0 and ("No such app enabled" not in disable_result.stdout)
- when: not (plugin_configuration.enabled | bool)
+ when: not (plugin_value.enabled | bool)
-- name: install {{ plugin_name }} nextcloud plugin
- command: "docker exec -u www-data {{ applications.nextcloud.container.application }} {{ nextcloud_docker_path }}occ app:install {{ plugin_name }}"
+- name: install {{ plugin_key }} nextcloud plugin
+ command: "{{nextcloud_docker_exec_occ}} app:install {{ plugin_key }}"
register: install_result
failed_when: install_result.rc != 0 and ("already installed" not in install_result.stdout)
changed_when: install_result.rc == 0 and ("already installed" not in install_result.stdout)
- when: plugin_configuration.enabled | bool
+ when: plugin_value.enabled | bool
-- name: enable {{plugin_name}} nextcloud plugin
- command: "docker exec -u www-data {{applications.nextcloud.container.application}} {{nextcloud_docker_path}}occ app:enable {{plugin_name}}"
+- name: enable {{plugin_key}} nextcloud plugin
+ command: "{{nextcloud_docker_exec_occ}} app:enable {{plugin_key}}"
register: enable_result
changed_when: enable_result.rc == 0 and ("already enabled" not in enable_result.stdout)
- when: plugin_configuration.enabled | bool
\ No newline at end of file
+ when: plugin_value.enabled | bool
+
+- name: Check if {{nextcloud_localhost_plugin_configuration_directory}}{{ plugin_key }}.yml exists
+ stat:
+ path: "{{nextcloud_localhost_plugin_configuration_directory}}{{ plugin_key }}.yml"
+ register: plugin_config_file
+
+- name: Apply configuration to {{ plugin_key }}
+ block:
+ - name: Load {{ plugin_key }} configuration variables
+ include_vars:
+ file: "{{nextcloud_localhost_plugin_configuration_directory}}{{ plugin_key }}.yml"
+
+ - name: "Set {{ item.configkey }} for {{ item.appid }}"
+ loop: "{{ plugin_configuration }}"
+ command: >
+ {{ nextcloud_docker_exec_occ }} config:app:set {{ item.appid }} {{ item.configkey }} --value '{{ item.configvalue | to_json if item.configvalue is mapping else item.configvalue }}'
+
+ when: plugin_config_file.stat.exists
diff --git a/roles/docker-nextcloud/tasks/plugins/ldap.yml b/roles/docker-nextcloud/tasks/plugins/ldap.yml
new file mode 100644
index 00000000..269340c0
--- /dev/null
+++ b/roles/docker-nextcloud/tasks/plugins/ldap.yml
@@ -0,0 +1,6 @@
+# @See https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html
+# @See https://chatgpt.com/c/67aa2d21-cb4c-800f-b1be-8629b6bd3f55
+
+- name: Set Nextcloud LDAP bind password
+ command: >
+ {{ nextcloud_docker_exec_occ }} ldap:set-config s01 ldapAgentPassword "{{ ldap.bind_credential }}"
\ No newline at end of file
diff --git a/roles/docker-nextcloud/tasks/sociallogin.yml b/roles/docker-nextcloud/tasks/sociallogin.yml
deleted file mode 100644
index 72794ded..00000000
--- a/roles/docker-nextcloud/tasks/sociallogin.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-# @See https://chatgpt.com/share/6798189e-9c00-800f-923c-5ce3cfbdf405
-- name: Load Sociallogin configuration variables
- include_vars:
- file: sociallogin.yml
-
-- name: Configure Sociallogin
- loop: "{{ nextcloud_sociallogin_configuration}}"
- # The | to_json function is necessary to escape custom_providers correct.
- command: >
- docker exec -u www-data {{ applications.nextcloud.container.application }}
- php occ config:app:set {{ item.appid }} {{ item.configkey }} --value '{{ item.configvalue | to_json if item.configvalue is mapping else item.configvalue }}'
\ No newline at end of file
diff --git a/roles/docker-nextcloud/tasks/system.yml b/roles/docker-nextcloud/tasks/system.yml
new file mode 100644
index 00000000..7ae7786f
--- /dev/null
+++ b/roles/docker-nextcloud/tasks/system.yml
@@ -0,0 +1,8 @@
+- name: Load System Nextcloud configuration variables
+ include_vars:
+ file: system.yml
+
+- name: Apply Nextcloud configurations
+ loop: "{{ nextcloud_system_config }}"
+ command: "{{nextcloud_docker_exec_occ}} config:system:set {{ item.parameter }}{% if item.type is defined %} --type {{ item.type }}{% endif %} --value {{ item.value }}"
+ # No good changed_when condition available
\ No newline at end of file
diff --git a/roles/docker-nextcloud/templates/config/README.md b/roles/docker-nextcloud/templates/config/README.md
new file mode 100644
index 00000000..e1337020
--- /dev/null
+++ b/roles/docker-nextcloud/templates/config/README.md
@@ -0,0 +1,2 @@
+This folder contains configuration files which will be loaded direct into the config.php
+If you don't use nested configuration, concider to use the vars/system.yml file instead, because it's a cleaner way to set the configuration.
\ No newline at end of file
diff --git a/roles/docker-nextcloud/templates/oidc.config.php.j2 b/roles/docker-nextcloud/templates/config/oidc.config.php.j2
similarity index 98%
rename from roles/docker-nextcloud/templates/oidc.config.php.j2
rename to roles/docker-nextcloud/templates/config/oidc.config.php.j2
index 73019de8..1086bd51 100644
--- a/roles/docker-nextcloud/templates/oidc.config.php.j2
+++ b/roles/docker-nextcloud/templates/config/oidc.config.php.j2
@@ -1,4 +1,8 @@
<?php
+# Implementing OICD configuration
+
+{% if applications[application_id].oidc.flavor == "oidc_login" | bool %}
+
# Check out: https://github.com/pulsejet/nextcloud-oidc-login
return array (
@@ -210,4 +214,7 @@ return array (
// - 'plain'
// The default value is empty, which won't apply the PKCE flow.
'oidc_login_code_challenge_method' => '',
-);
\ No newline at end of file
+);
+{% else %}
+return [];
+{% endif %}
\ No newline at end of file
diff --git a/roles/docker-nextcloud/templates/config/redis.config.php.j2 b/roles/docker-nextcloud/templates/config/redis.config.php.j2
new file mode 100644
index 00000000..0a94de63
--- /dev/null
+++ b/roles/docker-nextcloud/templates/config/redis.config.php.j2
@@ -0,0 +1,11 @@
+<?php
+
+# Implementing redis configuration
+return array (
+ 'memcache.locking' => '\\OC\\Memcache\\Redis',
+ 'redis' =>
+ array (
+ 'host' => 'redis',
+ 'port' => 6379,
+ )
+);
diff --git a/roles/docker-nextcloud/templates/docker-compose.yml.j2 b/roles/docker-nextcloud/templates/docker-compose.yml.j2
index a30ed3ef..50fd20ec 100644
--- a/roles/docker-nextcloud/templates/docker-compose.yml.j2
+++ b/roles/docker-nextcloud/templates/docker-compose.yml.j2
@@ -8,12 +8,12 @@ services:
image: "nextcloud:{{applications.nextcloud.version}}-fpm-alpine"
container_name: {{applications.nextcloud.container.application}}
volumes:
- - data:{{nextcloud_docker_path}}
+ - data:{{nextcloud_docker_work_directory}}
{% if applications[application_id].oidc.flavor == "oidc_login" %}
- - {{nextcloud_host_oidc_login_path}}:{{nextcloud_docker_oidc_login_config_path}}:ro
+ - {{nextcloud_host_config_additives_directory}}:{{nextcloud_docker_config_additives_directory}}:ro
{% endif %}
healthcheck:
- test: ["CMD", "su", "www-data", "-s", "/bin/sh", "-c", "php {{nextcloud_docker_path}}occ status"]
+ test: ["CMD", "su", "www-data", "-s", "/bin/sh", "-c", "php {{nextcloud_docker_work_directory}}occ status"]
interval: 1m
timeout: 10s
retries: 3
@@ -50,10 +50,10 @@ services:
logging:
driver: journald
volumes:
- - data:{{nextcloud_docker_path}}
+ - data:{{nextcloud_docker_work_directory}}
entrypoint: /cron.sh
healthcheck:
- test: ["CMD", "su", "www-data", "-s", "/bin/sh", "-c", "php {{nextcloud_docker_path}}occ status"]
+ test: ["CMD", "su", "www-data", "-s", "/bin/sh", "-c", "php {{nextcloud_docker_work_directory}}occ status"]
interval: 1m
timeout: 10s
retries: 3
diff --git a/roles/docker-nextcloud/templates/env.j2 b/roles/docker-nextcloud/templates/env.j2
index 7842b99f..1d49cb6e 100644
--- a/roles/docker-nextcloud/templates/env.j2
+++ b/roles/docker-nextcloud/templates/env.j2
@@ -2,20 +2,20 @@
# @See https://github.com/nextcloud/docker/blob/master/README.md
# Database Configuration
-MYSQL_DATABASE= "{{database_name}}"
-MYSQL_USER= "{{database_username}}"
-MYSQL_PASSWORD= "{{database_password}}"
-MYSQL_HOST= "{{database_host}}:{{database_port}}"
+MYSQL_DATABASE= "{{database_name}}"
+MYSQL_USER= "{{database_username}}"
+MYSQL_PASSWORD= "{{database_password}}"
+MYSQL_HOST= "{{database_host}}:{{database_port}}"
# Memory
-PHP_MEMORY_LIMIT= 1G # Required for plugin duplicate finder
+PHP_MEMORY_LIMIT= 1G # Required for plugin duplicate finder
# Email Configuration
-SMTP_HOST= {{system_email.host}}
-SMTP_SECURE= {{ 'ssl' if system_email.tls else '' }}
-SMTP_PORT= {{system_email.port}}
-SMTP_NAME= {{system_email.username}}
-SMTP_PASSWORD= {{system_email.password}}
+SMTP_HOST= {{system_email.host}}
+SMTP_SECURE= {{ 'ssl' if system_email.tls else '' }}
+SMTP_PORT= {{system_email.port}}
+SMTP_NAME= {{system_email.username}}
+SMTP_PASSWORD= {{system_email.password}}
# Email from configuration
MAIL_FROM_ADDRESS= "{{system_email.local}}"
diff --git a/roles/docker-nextcloud/templates/include.php.j2 b/roles/docker-nextcloud/templates/include.php.j2
new file mode 100644
index 00000000..9a8d24a4
--- /dev/null
+++ b/roles/docker-nextcloud/templates/include.php.j2
@@ -0,0 +1,11 @@
+{% raw %}
+// Include and merge all PHP config files from cymais
+
+$CONFIG_EXTRA = [];
+
+foreach (glob("{% endraw %}{{ nextcloud_docker_config_additives_directory }}{% raw %}*.php") as $file) {
+ $CONFIG_EXTRA = array_merge($CONFIG_EXTRA, include $file);
+}
+
+$CONFIG = array_merge($CONFIG, $CONFIG_EXTRA);
+{% endraw %}
\ No newline at end of file
diff --git a/roles/docker-nextcloud/templates/internal-nginx.conf.j2 b/roles/docker-nextcloud/templates/nginx/docker.conf.j2
similarity index 100%
rename from roles/docker-nextcloud/templates/internal-nginx.conf.j2
rename to roles/docker-nextcloud/templates/nginx/docker.conf.j2
diff --git a/roles/docker-nextcloud/templates/proxy-nginx.conf.j2 b/roles/docker-nextcloud/templates/nginx/host.conf.j2
similarity index 100%
rename from roles/docker-nextcloud/templates/proxy-nginx.conf.j2
rename to roles/docker-nextcloud/templates/nginx/host.conf.j2
diff --git a/roles/docker-nextcloud/vars/main.yml b/roles/docker-nextcloud/vars/main.yml
index d8319c82..8ad2ac93 100644
--- a/roles/docker-nextcloud/vars/main.yml
+++ b/roles/docker-nextcloud/vars/main.yml
@@ -1,10 +1,37 @@
---
-application_id: "nextcloud"
-database_password: "{{applications.nextcloud.credentials.database_password}}"
-database_type: "mariadb"
-nextcloud_config_file_host_path: "/var/lib/docker/volumes/nextcloud_data/_data/config/config.php"
-domain: "{{domains[application_id]}}"
-http_port: "{{ ports.localhost.http[application_id] }}"
-nextcloud_docker_path: "/var/www/html/"
-nextcloud_docker_oidc_login_config_path: "{{nextcloud_docker_path}}config/oidc.config.php"
-nextcloud_host_oidc_login_path: "{{docker_compose.directories.volumes}}/oidc.config.php"
+# General
+application_id: "nextcloud" # Application identifier
+
+# Database
+database_password: "{{applications.nextcloud.credentials.database_password}}" # Database password
+database_type: "mariadb" # Database flavor
+
+# Networking
+domain: "{{domains[application_id]}}" # Public domain at which Nextcloud will be accessable
+http_port: "{{ ports.localhost.http[application_id] }}" # Port at which nextcloud is reachable in the local network
+
+# Localhost
+nextcloud_localhost_plugin_configuration_directory: "{{role_path}}/plugins/" # Folder in which the files for the plugin configuration are stored
+
+# Host
+
+## Host Paths
+nextcloud_host_config_additives_directory: "{{docker_compose.directories.volumes}}cymais/" # This folder is the path to which the additive configurations will be copied
+nextcloud_host_include_instructions_file: "{{docker_compose.directories.volumes}}includes.php" # Path to the isntruction file on the host. Responsible for loading the additional configurations
+
+# Docker
+
+## User Configuration
+nextcloud_docker_user_id: 82 # UID of the www-data user
+nextcloud_docker_user: "www-data" # Name of the www-data user (Set here to easy change it in the future)
+
+## Internal Paths
+nextcloud_docker_work_directory: "/var/www/html/" # Name of the workdir in which the application is stored
+nextcloud_docker_config_directory: "{{nextcloud_docker_work_directory}}config/" # Folder in which the Nextcloud configurations are stored
+nextcloud_docker_config_file: "{{nextcloud_docker_config_directory}}config.php" # Path to the Nextcloud configuration file
+nextcloud_docker_config_additives_directory: "{{nextcloud_docker_config_directory}}cymais/" # Path to the folder which contains additional configurations
+nextcloud_docker_include_instructions_file: "/tmp/includes.php" # Path to the temporary file which will be included to the config.php to load the additional configurations
+
+## Execution
+nextcloud_docker_exec: "docker exec -u {{ nextcloud_docker_user }} {{ applications.nextcloud.container.application }}" # General execute composition
+nextcloud_docker_exec_occ: "{{nextcloud_docker_exec}} {{ nextcloud_docker_work_directory }}occ" # Execute docker occ command
\ No newline at end of file
diff --git a/roles/docker-nextcloud/vars/plugins/README.md b/roles/docker-nextcloud/vars/plugins/README.md
new file mode 100644
index 00000000..608d50fe
--- /dev/null
+++ b/roles/docker-nextcloud/vars/plugins/README.md
@@ -0,0 +1 @@
+This folder contains the plugin specific configurations which willö be applied
\ No newline at end of file
diff --git a/roles/docker-nextcloud/vars/ldap.yml b/roles/docker-nextcloud/vars/plugins/ldap.yml
similarity index 99%
rename from roles/docker-nextcloud/vars/ldap.yml
rename to roles/docker-nextcloud/vars/plugins/ldap.yml
index f8922743..43044c36 100644
--- a/roles/docker-nextcloud/vars/ldap.yml
+++ b/roles/docker-nextcloud/vars/plugins/ldap.yml
@@ -1,4 +1,4 @@
-nextcloud_ldap_configuration:
+plugin_configuration:
-
appid: "user_ldap"
configkey: "background_sync_interval"
diff --git a/roles/docker-nextcloud/vars/sociallogin.yml b/roles/docker-nextcloud/vars/plugins/sociallogin.yml
similarity index 98%
rename from roles/docker-nextcloud/vars/sociallogin.yml
rename to roles/docker-nextcloud/vars/plugins/sociallogin.yml
index 27d5a667..62d83abf 100644
--- a/roles/docker-nextcloud/vars/sociallogin.yml
+++ b/roles/docker-nextcloud/vars/plugins/sociallogin.yml
@@ -1,4 +1,4 @@
-nextcloud_sociallogin_configuration:
+plugin_configuration:
-
appid: "sociallogin"
# This configuration allows users to connect multiple accounts to their Nextcloud profile
diff --git a/roles/docker-nextcloud/vars/system.yml b/roles/docker-nextcloud/vars/system.yml
new file mode 100644
index 00000000..5f118b79
--- /dev/null
+++ b/roles/docker-nextcloud/vars/system.yml
@@ -0,0 +1,23 @@
+nextcloud_system_config:
+ - parameter: "hide_login_form"
+ type: "boolean"
+ value: "{{ (not applications[application_id].legacy_login_mask.enabled) | lower }}"
+
+ - parameter: "auth.webauthn.enabled"
+ type: "boolean"
+ value: "{{ applications[application_id].legacy_login_mask.enabled | lower }}"
+
+ - parameter: "maintenance_window_start"
+ type: "integer"
+ value: "{{ on_calendar_nextcloud }}"
+
+ - parameter: "default_phone_region"
+ value: "{{ locale | upper }}"
+
+ # Force https
+ - parameter: "overwrite.cli.url"
+ value: "https://{{domains[application_id]}}"
+
+ # Force https
+ - parameter: "overwriteprotocol"
+ value: "https"
\ No newline at end of file