2025-04-28 18:30:24 +02:00
19 changed files with 60 additions and 323 deletions
--- a/group_vars/all/11_iam.yml
+++ b/group_vars/all/11_iam.yml
@ -35,15 +35,5 @@ oauth2_proxy_active:                         false
 #############################################
 ### LDAP                                  ###
 #############################################
-
+# Activate LDAP network for insecure communitation on localhot between different container instances. Set in vars/main.yml
 # Activate local LDAP network for communitation on localhot between different docker containers
 # 
 # Set in vars/main.yml via:
 #   ldap_network_enabled: "{{ldap.enabled}}"
 #
 # This leads to that the local ldap networks get enabled, if LDAP is enabled
 ldap_network_enabled:                  false
 ldap:
  enabled:  true # Enable or disable LDAP
--- a/group_vars/all/13_theming.yml
+++ b/group_vars/all/13_theming.yml
@ -11,7 +11,7 @@ global_theming:
      # For dark mode: a dark, blue–gray background
      background_dark: "#2E3B4E"
      # For the text – true black
-      text: "#2E3B4E"
+      text: "#000000"
      # Accent color (e.g., for links or buttons) – a golden tone symbolizing the sun
      accent: "#FFD700"
      # As the positive/success color – a light, slightly grayish green (forest)
--- a/roles/docker-funkwhale/vars/main.yml
+++ b/roles/docker-funkwhale/vars/main.yml
@ -2,7 +2,7 @@ application_id:                                 "funkwhale"
 nginx_docker_reverse_proxy_extra_configuration: "client_max_body_size 512M;"
 database_password:                              "{{funkwhale_database_password}}"
 database_type:                                  "postgres"
-ldap_network_enabled:                           "{{ldap.enabled}}"
+ldap_network_enabled:                           true  # Activate LDAP network
 media_root:                                     "/srv/funkwhale/data/"
 static_root:                                    "{{media_root}}static"
 celeryd_concurrency:                            1
--- a/roles/docker-keycloak/vars/main.yml
+++ b/roles/docker-keycloak/vars/main.yml
@ -1,4 +1,4 @@
-application_id:  	      "keycloak"
+application_id:  	    "keycloak"
-database_type:          "postgres"
+database_type:        "postgres"
-database_password:      "{{keycloak_database_password}}"
+database_password:    "{{keycloak_database_password}}"
-ldap_network_enabled:   "{{ldap.enabled}}"
+ldap_network_enabled: true  # Activate LDAP network
--- a/roles/docker-ldap/vars/main.yml
+++ b/roles/docker-ldap/vars/main.yml
@ -11,4 +11,4 @@ oauth2_proxy_active:                        true
 enable_wildcard_certificate:  false # Activate dedicated Certificate
-ldap_network_enabled:         "{{ldap.enabled}}"
+ldap_network_enabled:         true  # Activate LDAP network
--- a/roles/docker-mybb/templates/default.conf
+++ b/roles/docker-mybb/templates/default.conf
@ -4,7 +4,7 @@ upstream mybb {
 server {
    listen 80;
-    error_log /proc/self/fd/2 {% if enable_debug | bool %}debug{% else %}warn{% endif %};
+    error_log stderr debug;
    root /var/www/html;
    index index.html index.php;
--- a/roles/docker-nextcloud/README.md
+++ b/roles/docker-nextcloud/README.md
@ -117,17 +117,6 @@ docker-compose exec -it nextcloud_database_1 mysql -u nextcloud -pPASSWORD123413
 docker-compose exec -it -u www-data application /var/www/html/occ maintenance:mode --off
 ```
 ---
 # Identity and Access Management (IAM)
 ## OpenID Connect (OIDC) Support 🔐
 OIDC is supported in this role—for example, via **Keycloak**. OIDC-specific tasks are included when enabled, allowing integration of external authentication providers seamlessly.
 ## LDAP 
 ---
 ## Architecture
@ -167,6 +156,12 @@ docker-compose logs web --tail 1000 | grep 504
 - [Nextcloud Talk Plugin and Turnserver in Docker](https://forum.openmediavault.org/index.php?thread/31782-docker-nextcloud-talk-plugin-and-turnserver/)
 - [Nextcloud Talk on Docker: Turn Server Issues](https://help.nextcloud.com/t/nextcloud-talk-im-docker/container/turn-server-auf-docker-host-kein-video/84133/10)
 ---
 ## OIDC (OpenID Connect) Support 🔐
 OIDC is supported in this role—for example, via **Keycloak**. OIDC-specific tasks are included when enabled, allowing integration of external authentication providers seamlessly.
 ---
 ## Author
--- a/roles/docker-nextcloud/handlers/main.yml
+++ b/roles/docker-nextcloud/handlers/main.yml
@ -1,5 +0,0 @@
 ---
 - name: restart docker nginx service
  command:
    cmd: "docker exec {{nextcloud_nginx_container_name}} nginx -s reload"
  listen: restart docker nginx service
--- a/roles/docker-nextcloud/tasks/ldap.yml
+++ b/roles/docker-nextcloud/tasks/ldap.yml
@ -1,3 +0,0 @@
 # @See https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html
 # @See https://chatgpt.com/c/67aa2d21-cb4c-800f-b1be-8629b6bd3f55
 #docker compose exec -u www-data application php occ app:enable user_ldap
--- a/roles/docker-nextcloud/tasks/main.yml
+++ b/roles/docker-nextcloud/tasks/main.yml
@ -6,25 +6,21 @@
 - name: "include task certbot-and-globals.yml"
  include_tasks: certbot-and-globals.yml
- name: create nextcloud nginx proxy configuration file
+- name: configure {{domain}}.conf
  template: 
-    src:  "proxy-nginx.conf.j2" 
+    src:  "templates/nextcloud.conf.j2" 
    dest: "{{nginx.directories.http.servers}}{{domain}}.conf"
  notify: restart nginx
- name: create internal nextcloud nginx configuration
+- name: create nginx.conf
  template: 
-    src:  "internal-nginx.conf.j2" 
+    src:  "templates/nginx.conf.j2" 
    dest: "{{docker_compose.directories.volumes}}nginx.conf"
-  notify: restart docker nginx service
+  notify: docker compose project setup
 - name: "copy docker-compose.yml and env file"
  include_tasks: copy-docker-compose-and-env.yml
- name: Include OIDC-specific tasks
+- name: Include OIDC-specific tasks if OIDC client is active
-  include_tasks: oidc.yml
+  include_tasks: oidc_tasks.yml
  when: oidc.enabled | bool
 - name: Include LDAP specific tasks
  include_tasks: ldap.yml
  when: ldap.enabled | bool
--- a/roles/docker-nextcloud/tasks/oidc_tasks.yml
+++ b/roles/docker-nextcloud/tasks/oidc_tasks.yml
--- a/roles/docker-nextcloud/templates/docker-compose.yml.j2
+++ b/roles/docker-nextcloud/templates/docker-compose.yml.j2
@ -15,7 +15,7 @@ services:
  web:
    image: nginx:alpine
-    container_name: {{nextcloud_nginx_container_name}}
+    container_name: nextcloud-web
    logging:
      driver: journald
    restart: {{docker_restart_policy}}
--- a/roles/docker-nextcloud/templates/env.j2
+++ b/roles/docker-nextcloud/templates/env.j2
@ -1,5 +1,4 @@
-# @See https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html
+# See https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html
 # @See https://github.com/nextcloud/docker/blob/master/README.md
 # Database Configuration
 MYSQL_DATABASE= "{{database_name}}"
@ -18,5 +17,5 @@ SMTP_NAME=      {{system_email.username}}
 SMTP_PASSWORD=  {{system_email.password}}
 # Email from configuration
-MAIL_FROM_ADDRESS=no-reply
+MAIL_FROM_ADDRESS= no-reply
 MAIL_DOMAIN= {{system_email.domain}}
--- a/roles/docker-nextcloud/templates/internal-new.conf.j2
+++ b/roles/docker-nextcloud/templates/internal-new.conf.j2
@ -1,194 +0,0 @@
 # Internal configuration file for nextcloud
 worker_processes auto;
 # @see https://chatgpt.com/share/67aa3ce9-eea0-800f-85e8-ac54a3810b13
 error_log   /proc/self/fd/2 warn;
 pid         /var/run/nginx.pid;
 events {
    worker_connections  1024;
 }
 http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    types {
        application/javascript mjs;
    }
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /proc/self/fd/1 main;
    sendfile        on;
    #tcp_nopush     on;
    keepalive_timeout     65;
    fastcgi_send_timeout  900s;
    fastcgi_read_timeout  900s;
    proxy_buffering       off;
    #gzip  on;
    upstream php-handler {
        server application:9000;
    }
    # Set the `immutable` cache control options only for assets with a cache busting `v` argument
    map $arg_v $asset_immutable {
        "" "";
        default ", immutable";
    }
    server {
        listen 80;
        # HSTS settings
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
        # set max upload size
        client_max_body_size 512M;
        fastcgi_buffers 64 4K;
        # Enable gzip but do not remove ETag headers
        gzip on;
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 256;
        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
        # Pagespeed is not supported by Nextcloud, so if your server is built
        # with the `ngx_pagespeed` module, uncomment this line to disable it.
        #pagespeed off;
        # HTTP response headers borrowed from Nextcloud `.htaccess`
        add_header Referrer-Policy                      "no-referrer"           always;
        add_header X-Content-Type-Options               "nosniff"               always;
        add_header X-Download-Options                   "noopen"                always;
        add_header X-Frame-Options                      "SAMEORIGIN"            always;
        add_header X-Permitted-Cross-Domain-Policies    "none"                  always;
        add_header X-Robots-Tag                         "noindex, nofollow"     always;
        add_header X-XSS-Protection                     "1; mode=block"         always;
        # Remove X-Powered-By, which is an information leak
        fastcgi_hide_header X-Powered-By;
        # Path to the root of your installation
        root /var/www/html;
        # Specify how to handle directories -- specifying `/index.php$request_uri`
        # here as the fallback means that Nginx always exhibits the desired behaviour
        # when a client requests a path that corresponds to a directory that exists
        # on the server. In particular, if that directory contains an index.php file,
        # that file is correctly served; if it doesn't, then the request is passed to
        # the front-end controller. This consistent behaviour means that we don't need
        # to specify custom rules for certain paths (e.g. images and other assets,
        # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
        # `try_files $uri $uri/ /index.php$request_uri`
        # always provides the desired behaviour.
        index index.php index.html /index.php$request_uri;
        # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
        location = / {
            if ( $http_user_agent ~ ^DavClnt ) {
                return 302 /remote.php/webdav/$is_args$args;
            }
        }
        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }
        # Make a regex exception for `/.well-known` so that clients can still
        # access it despite the existence of the regex rule
        # `location ~ /(\.|autotest|...)` which would otherwise handle requests
        # for `/.well-known`.
        location ^~ /.well-known {
            # The rules in this block are an adaptation of the rules
            # in `.htaccess` that concern `/.well-known`.
            location = /.well-known/carddav { return 301 /remote.php/dav/; }
            location = /.well-known/caldav  { return 301 /remote.php/dav/; }
            location = /.well-known/webfinger { return 301 /index.php/.well-known/webfinger; }
            location = /.well-known/nodeinfo  { return 301 /index.php/.well-known/nodeinfo; }
            location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
            location /.well-known/pki-validation    { try_files $uri $uri/ =404; }
            # Let Nextcloud's API for `/.well-known` URIs handle all other
            # requests by passing them to the front-end controller.
            return 301 /index.php$request_uri;
        }
        # Rules borrowed from `.htaccess` to hide certain paths from clients
        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
        # Ensure this block, which passes PHP files to the PHP process, is above the blocks
        # which handle static assets (as seen below). If this block is not declared first,
        # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
        # to the URI, resulting in a HTTP 500 error response.
        location ~ \.php(?:$|/) {
            # Required for legacy support
            # Added due to this error: https://help.nextcloud.com/t/ldap-ad-authnetication-500-error-on-ajax-request/107168/3
            #rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
            set $path_info $fastcgi_path_info;
            try_files $fastcgi_script_name =404;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $path_info;
            #fastcgi_param HTTPS on;
            fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
            fastcgi_param front_controller_active true;     # Enable pretty urls
            fastcgi_pass php-handler;
            fastcgi_intercept_errors on;
            fastcgi_request_buffering off;
        }
        # Serve static files
        location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
            try_files $uri /index.php$request_uri;
            # HTTP response headers borrowed from Nextcloud `.htaccess`
            add_header Cache-Control                     "public, max-age=15778463$asset_immutable";
            add_header Referrer-Policy                   "no-referrer"       always;
            add_header X-Content-Type-Options            "nosniff"           always;
            add_header X-Frame-Options                   "SAMEORIGIN"        always;
            add_header X-Permitted-Cross-Domain-Policies "none"              always;
            add_header X-Robots-Tag                      "noindex, nofollow" always;
            add_header X-XSS-Protection                  "1; mode=block"     always;
            access_log off;     # Optional: Don't log access to assets
        }
        location ~ \.(otf|woff2?)$ {
            try_files $uri /index.php$request_uri;
            expires 7d;         # Cache-Control policy borrowed from `.htaccess`
            access_log off;     # Optional: Don't log access to assets
        }
        # Rule borrowed from `.htaccess`
        location /remote {
            return 301 /remote.php$request_uri;
        }
        location / {
            try_files $uri $uri/ /index.php$request_uri;
        }
    }
 }
--- a/roles/docker-nextcloud/templates/proxy-nginx.conf.j2
+++ b/roles/docker-nextcloud/templates/proxy-nginx.conf.j2
@ -1,5 +1,3 @@
 # This is the nginx configuration file for the proxy server
 server
 {
  server_name {{domain}};
--- a/roles/docker-nextcloud/templates/internal-nginx.conf.j2
+++ b/roles/docker-nextcloud/templates/internal-nginx.conf.j2
@ -1,11 +1,6 @@
 # Internal configuration file for nextcloud
 # Verify time by time, that this rules are valid:
 # https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html
 worker_processes auto;
-# @see https://chatgpt.com/share/67aa3ce9-eea0-800f-85e8-ac54a3810b13
+error_log  /var/log/nginx/error.log warn;
 error_log   /proc/self/fd/2 {% if enable_debug | bool %}debug{% else %}warn{% endif %};
 pid        /var/run/nginx.pid;
@ -24,7 +19,7 @@ http {
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
-    access_log /proc/self/fd/1 main;
+    access_log  /var/log/nginx/access.log  main;
    sendfile        on;
    #tcp_nopush     on;
@ -137,10 +132,6 @@ http {
        # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
        # to the URI, resulting in a HTTP 500 error response.
        location ~ \.php(?:$|/) {
            # Required for legacy support
            # Added due to this error: https://help.nextcloud.com/t/ldap-ad-authnetication-500-error-on-ajax-request/107168/3
            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
            set $path_info $fastcgi_path_info;
@ -159,13 +150,13 @@ http {
            fastcgi_request_buffering off;
        }
-        location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
+        location ~ \.(?:css|js|svg|gif)$ {
            try_files $uri /index.php$request_uri;
            expires 6M;         # Cache-Control policy borrowed from `.htaccess`
            access_log off;     # Optional: Don't log access to assets
        }
-        location ~ \.(otf|woff2?)$ {
+        location ~ \.woff2?$ {
            try_files $uri /index.php$request_uri;
            expires 7d;         # Cache-Control policy borrowed from `.htaccess`
            access_log off;     # Optional: Don't log access to assets
--- a/roles/docker-nextcloud/vars/main.yml
+++ b/roles/docker-nextcloud/vars/main.yml
@ -2,6 +2,4 @@
 application_id:                       "nextcloud"
 database_password:  	                "{{nextcloud_database_password}}"
 database_type:                        "mariadb"
-nextcloud_application_container_name: "nextcloud-application"
+nextcloud_application_container_name: "nextcloud-application"
 nextcloud_nginx_container_name:       "nextcloud-web"
 ldap_network_enabled:                 "{{ldap.enabled}}"
--- a/roles/docker-openproject/vars/main.yml
+++ b/roles/docker-openproject/vars/main.yml
@ -15,4 +15,4 @@ dummy_volume:                                 "{{docker_compose.directories.volu
 oauth2_proxy_upstream_application_and_port:   "proxy:80"
 oauth2_proxy_active:                          true
-ldap_network_enabled:                         "{{ldap.enabled}}"
+ldap_network_enabled:                         true  # Activate LDAP network
--- a/roles/nginx-global-css/templates/global.css.j2
+++ b/roles/nginx-global-css/templates/global.css.j2
@ -36,24 +36,6 @@
    --bs-btn-color: var(--background-dark-color);
 }
 /** Mastodon Overrides **/
 :root{
    --surface-variant-background-color: var(--button-bg-color)
 }
 /** Nextcloud Specific**/
 :root{
    --color-main-background: var(--background-color);
    --color-main-background-rgb: var(--background-color);
    --color-primary-element: var(--button-bg-color);
    --color-main-text: var(--background-dark-color);
    --color-background-hover: var(--secondary-color);
    /** Calendar **/
    --color-background-dark: var(--info-color); /** Days which aren't in the current month **/
    --color-primary-element-light: var(--secondary-color);
 }
 /* Peertube Overrides */
 :root {
    --mainColor: var(--primary-color);
@ -78,6 +60,7 @@ button, .btn {
    background-color: var(--button-bg-color) !important;
    color: var(--primary-color) !important;
    border-color: var(--border-color) !important;
    box-shadow: var(--small-shadow) !important;
    cursor: pointer;
 }
@ -111,7 +94,7 @@ input, textarea, select {
 }
 input:focus, textarea:focus, select:focus {
    border-color: var(--primary-color) !important;
-    /** box-shadow: 0 0 5px var(--shadow-color);**/
+    box-shadow: 0 0 5px var(--shadow-color);
 }
 /* Navigation (Background and Text Colors) */
@ -136,22 +119,25 @@ input:focus, textarea:focus, select:focus {
 th, td {
    border-color: var(--border-color) !important;
 }
 thead {
-    background-color: var(--button-bg-color) !important;
+    background-color: var(--primary-color);
-    color: var(--background-dark-color) !important;
+    color: var(--background-dark-color);
 }
 /* Cards / Containers (Background, Border, and Shadow)
   Cards now use a slightly lighter background and a bold, clear shadow */
 .card {
    background-color: var(--card-bg-color) !important;
-    /** box-shadow: var(--large-shadow) !important;**/
+    box-shadow: var(--large-shadow) !important;
    border-color: var(--border-color) !important;
 }
 /* Headings (Text Color) */
-h1, h2, h3, h4, h5, h6, p{
+h1, h2 {
    color: var(--text-color);
 }
 div#mastodon p{
    color: var(--background-dark-color) !important;
 }
@ -160,7 +146,7 @@ h1, h2, h3, h4, h5, h6, p{
 .nav-item .dropdown-menu {
    background-color: var(--background-color) !important;
    color: var(--text-color) !important;
-    /**box-shadow: 0 4px 20px rgba(0, 0, 0, 0.3);**/
+    box-shadow: 0 4px 20px rgba(0, 0, 0, 0.3);
 }
 .dropdown-item {
@ -178,43 +164,29 @@ h1, h2, h3, h4, h5, h6, p{
 button.icon-button {
    color: var(--button-text-color) !important;
 }
 /** Mastodon Specific **/ 
 div#mastodon div.compose-panel div.compose-form__highlightable{
    background-color: var(--background-color) !important;
 }
-div#mastodon strong{
+/* Dark Mode Adjustments (Background and Text Colors) */
-    color: var(--background-dark-color) !important;
+@media (prefers-color-scheme: dark) {
    h1, h2 {
        color: #ffffff !important;
        text-shadow: 2px 2px 5px rgba(255, 255, 255, 0.3);
    }
    body {
        background-color: var(--background-dark-color) !important;
        color: var(--text-color) !important;
    }
    input, textarea, select {
        color: var(--button-text-color) !important;
        background-color: var(--background-dark-color) !important;
    }
    div#mastodon p{
        color: var(--button-text-color) !important;
    }
 }
 /** Nextcloud specific **/
-html.ng-csp header#header{
+button.files-list__row-name-link, button.button-vue{
    color: var(--background-color) !important;
    background-color: var(--button-bg-color) !important;
 }
 html.ng-csp button.files-list__row-name-link, html.ng-csp button.button-vue{
    background-color: transparent !important;
    color: background-color: var(--button-bg-color) !important;
 }
 div#content-vue p, div#content-vue span{
    color: var(--background-dark-color) !important;
 }
 /** OpenProject **/
 header.op-app-header{
    background-color: var(--background-dark-color) !important;
    color: var(--text-color) !important;
 }
 /** Open Project **/
 div#wrapper button, div#wrapper input, button.top-menu-search-button, div.menu-sidebar a{
    background-color: transparent !important;
 }
 main-menu-toggle button{
    border: 0px none !important;
 }
 /* Peertube specific configuration */
`@ -11,4 +11,4 @@ oauth2_proxy_active: true`

	`enable_wildcard_certificate: false # Activate dedicated Certificate`	`enable_wildcard_certificate: false # Activate dedicated Certificate`

	`ldap_network_enabled: "{{ldap.enabled}}"`	`ldap_network_enabled: true # Activate LDAP network`