kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-06-25 11:45:32 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: kevinveenbirkenbach:92000e5d433e94418adb9288208fb99e6496f0b0
Branches Tags
kevinveenbirkenbach:master
..
compare: kevinveenbirkenbach:99f633d222c20e0063a24c4b26835c7bc917465e
Branches Tags
kevinveenbirkenbach:master

7 Commits
92000e5d43 ... 99f633d222

Author SHA1 Message Date
Kevin Veen-Birkenbach
99f633d222
Optimized nextcloud keycloak ldap implementation 2025-03-21 22:50:48 +01:00
Kevin Veen-Birkenbach
e2166235ad
Adapted portfolio url for keycloak 2025-03-21 20:25:46 +01:00
Kevin Veen-Birkenbach
bb48e8ae36
Solved portfolio bug, entered keycloak entries for portfolio, added hints to phpmyadmin and updated mailu documentary 2025-03-21 20:19:12 +01:00
Kevin Veen-Birkenbach
12ad339221
Addapted css for phpmyadmin 2025-03-21 18:56:20 +01:00
Kevin Veen-Birkenbach
0928245853
Solved nextcloud plugin bugs in context ldap 2025-03-21 18:43:06 +01:00
Kevin Veen-Birkenbach
c51f935eff
Solved ldap_user nextcloud var import bug (hopefully) and optimized README.md's and metas 2025-03-21 18:01:11 +01:00
Kevin Veen-Birkenbach
e4a0473f9e
Optimized css for phpmyadmin 2025-03-21 17:19:07 +01:00
32 changed files with 653 additions and 306 deletions
Show Stats Expand all files Collapse all files

4
group_vars/all/00_general.yml
View File

@ -68,6 +68,4 @@ matomo_tracking_enabled_default: true # Enables\Disables Matomo track
css_enabled_default: true # Enables\Disables Global CSS on all html pages by default.
## iframe for primary domain
# Enables\Disables the possibility to be embedded via iframe by default.
# Enable conciously on every app in which it makes sense, due to that this a potential security risk
landingpage_iframe_enabled_default: false
landingpage_iframe_enabled_default: true # Enables\Disables the possibility to be embedded via iframe by default.

48
group_vars/all/07_applications.yml
View File

@ -32,8 +32,8 @@ defaults_applications:
## Assets Server
assets_server:
source_directory: "{{ playbook_dir }}/assets" # Directory from which the assets will be copied
url: "https://{{domains.file_server}}/assets}}" # Public address of the assets directory
source_directory: "{{ playbook_dir }}/assets" # Directory from which the assets will be copied
url: "https://{{domains.file_server}}/assets" # Public address of the assets directory
## Attendize
attendize:
@ -338,33 +338,33 @@ defaults_applications:
## Nextcloud
nextcloud:
version: "production" # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/
version: "production" # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/
ldap:
enabled: True # Enables LDAP by default
enabled: True # Enables LDAP by default
oidc:
enabled: "{{ _applications_nextcloud_oidc_enabled }}" # Activate OIDC for Nextcloud
enabled: "{{ _applications_nextcloud_oidc_enabled }}" # Activate OIDC for Nextcloud
# floavor decides which OICD plugin should be used.
# Available options: oidc_login, sociallogin
# @see https://apps.nextcloud.com/apps/oidc_login
# @see https://apps.nextcloud.com/apps/sociallogin
flavor: "oidc_login" # Keeping on sociallogin because the other option is not implemented yet
flavor: "oidc_login" # Keeping on sociallogin because the other option is not implemented yet
matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking
css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style
landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe
landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe
database:
central_storage: True # Activate Central Database Storage
central_storage: True # Activate Central Database Storage
credentials:
# database_password: Null # Needs to be set in inventory file
# database_password: Null # Needs to be set in inventory file
users:
administrator:
username: "{{users.administrator.username}}"
initial_password: "{{users.administrator.initial_password}}" # Keep in mind to change the password fast after creation and activate 2FA
default_quota: '1000000000' # Quota to assign if no quota is specified in the OIDC response (bytes)
username: "{{users.administrator.username}}"
initial_password: "{{users.administrator.initial_password}}" # Keep in mind to change the password fast after creation and activate 2FA
default_quota: '1000000000' # Quota to assign if no quota is specified in the OIDC response (bytes)
legacy_login_mask:
enabled: False # If true, then legacy login mask is shown. Otherwise just SSO
enabled: False # If true, then legacy login mask is shown. Otherwise just SSO
container:
application: "nextcloud-application" # Nextcloud application container name
proxy: "nextcloud-web" # Nextcloud Proxy Container Name
application: "nextcloud-application" # Nextcloud application container name
proxy: "nextcloud-web" # Nextcloud Proxy Container Name
performance:
php:
memory_limit: "{{ ((ansible_memtotal_mb | int) / 30)|int }}M" # Dynamic set memory limit
@ -600,17 +600,17 @@ defaults_applications:
## PHPMyAdmin
phpmyadmin:
version: "latest"
autologin: false # This is a high security risk. Just activate this option if you know what you're doing
version: "latest"
autologin: false # This is a high security risk. Just activate this option if you know what you're doing
oauth2_proxy:
enabled: true
port: "80"
application: "application"
# cookie_secret: None # Set via openssl rand -hex 16
enabled: true
port: "80"
application: "application"
# cookie_secret: None # Set via openssl rand -hex 16
database:
central_storage: True # Activate Central Database Storage
central_storage: True # Activate Central Database Storage
css:
enabled: False # The css needs more optimation for PHPMyAdmin
enabled: False # The css needs more optimation for PHPMyAdmin
matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking
css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style
landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe
@ -639,7 +639,7 @@ defaults_applications:
# Snipe-IT
snipe_it:
version: "latest"
version: "latest"
database:
central_storage: True # Activate Central Database Storage
matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking

4
group_vars/all/14_service_provider.yml
View File

@ -13,8 +13,8 @@ defaults_service_provider:
platform:
titel: "CyMaIS Plattform Demo"
subtitel: "Demo of the Cyber Master Infrastructur Solution Plattform"
logo: "{{applications.assets_server.url}}/logo.png"
favicon: "{{applications.assets_server.url}}/favicon.ico"
logo: "{{applications.assets_server.url}}/img/logo.png"
favicon: "{{applications.assets_server.url}}/img/favicon.ico"
contact:
bluesky: "{{ '@' ~ users.administrator.username ~ '.' ~ domains.bluesky_api if 'bluesky' in group_names else '' }}"
email: "contact@{{ primary_domain }}"

25
roles/backup-data-to-usb/README.md
View File

@ -1,25 +1,30 @@
# Automated USB Backup
# Docker 🐳
## Description
This Ansible role automates data backups to a swappable USB device. It triggers the backup process automatically when the USB is mounted, allowing for customizable source and destination paths and integrating with systemd for reliable execution.
This Ansible role installs and manages Docker on Arch Linux systems. It ensures that Docker and Docker Compose are available, configured, and ready to run containerized workloads, while enabling seamless integration with system roles and administrative tasks.
Checkout the [administration reference](./Administration.md) for volume cleanup, container resets, and Docker network recovery.
## Overview
Optimized for Archlinux, this role ensures that backups are performed consistently with minimal manual intervention. It leverages efficient synchronization methods and provides a seamless integration with systemd to manage the backup service.
Tailored for Arch Linux, this role handles the installation of Docker and Docker Compose using the systems package manager. It sets up a secure environment for managing Compose instances and ensures the Docker service is properly enabled and restarted. In addition, the role flags its state so that dependent roles can execute conditionally.
## Purpose
The primary purpose of this role is to simplify the backup process for systems that rely on removable USB devices. It is designed to reduce the risk of data loss by automating backups, ensuring that data is safely and consistently synchronized whenever the device is connected.
The purpose of this role is to automate the provisioning of Docker environments in a consistent and maintainable way. It reduces manual setup steps and enables clean integration with other infrastructure roles, making it ideal for production or homelab deployments.
## Features
- **Automatic Trigger:** Initiates the backup process immediately upon USB mount.
- **Customizable Paths:** Easily configure the source directory and backup destination.
- **Systemd Integration:** Manages the backup process via a dedicated systemd service.
- **Efficient Synchronization:** Utilizes rsync with incremental backup strategies for optimal performance.
- **Optimized for Archlinux:** Tailored for Archlinux systems using the rolling release model.
- **Installs Docker & Docker Compose:** Uses `pacman` to install necessary packages.
- **Service Management:** Automatically enables and restarts the Docker service.
- **Secure Directory Creation:** Creates a secure location for Docker Compose instance files.
- **Run-once Setup Logic:** Ensures idempotent execution by controlling task flow with internal flags.
- **System Role Integration:** Sets internal state (`docker_enabled`) for use by other CyMaIS roles.
## Credits 📝
Developed and maintained by **Kevin Veen-Birkenbach**. Special thanks to [OpenAI ChatGPT](https://chat.openai.com/share/a75ca771-d8a4-4b75-9912-c515ba371ae4) for its assistance in developing this role.
Developed and maintained by **Kevin Veen-Birkenbach**.
Learn more at [www.veen.world](https://www.veen.world)
Part of the [CyMaIS Project](https://github.com/kevinveenbirkenbach/cymais)
License: [CyMaIS NonCommercial License (CNCL)](https://s.veen.world/cncl)

2
roles/docker-discourse/templates/discourse_application.yml.j2
View File

@ -124,7 +124,7 @@ run:
#- exec: rails r "User.find_by_email('{{users.administrator.email}}').update(username: '{{users.administrator.username}}')"
# The following code is just an inspiration, how to connect with the oidc account. as long as this is not set the admini account needs to be manually connected with oidc
# docker exec -it discourse_application rails runner "user = User.find_by_email('test@flock.town'); UserAuth.create(user_id: user.id, provider: 'oidc', uid: 'eindeutige_oidc_id', info: { name: user.username, email: user.email })"
# docker exec -it discourse_application rails runner "user = User.find_by_email('test@cymais.cloud'); UserAuth.create(user_id: user.id, provider: 'oidc', uid: 'eindeutige_oidc_id', info: { name: user.username, email: user.email })"
# OIDC Activation
- exec: rails r "SiteSetting.openid_connect_enabled = true"

22
roles/docker-keycloak/templates/import/realm.json.j2
View File

@ -885,6 +885,7 @@
"email"
],
"optionalClientScopes": [
"nextcloud",
"address",
"phone",
"organization",
@ -1195,7 +1196,7 @@
{
"id": "15dd4961-5b4f-4635-a3f1-a21e1fa7bf3a",
"name": "nextcloud",
"description": "",
"description": "Optimized mappers for nextcloud oidc_login with ldap.",
"protocol": "openid-connect",
"attributes": {
"include.in.token.scope": "false",
@ -1222,6 +1223,25 @@
"claim.name": "nextcloudQuota",
"jsonType.label": "int"
}
},
{
"id": "018c63c6-3fea-43fe-abbf-2c17e3f2353f",
"name": "UID Mapper",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-attribute-mapper",
"consentRequired": false,
"config": {
"aggregate.attrs": "false",
"introspection.token.claim": "true",
"multivalued": "false",
"userinfo.token.claim": "true",
"user.attribute": "username",
"id.token.claim": "true",
"lightweight.claim": "false",
"access.token.claim": "true",
"claim.name": "{{ldap.attributes.user_id}}",
"jsonType.label": "String"
}
}
]
},

7
roles/docker-mailu/Administration.md
View File

@ -32,13 +32,6 @@ To resend queued mails, use this command:
docker-compose exec -it smtp postqueue -f
```
# Testing 🧪
Use the following tools for testing:
- [SSL-Tools Mailserver Test](https://de.ssl-tools.net/mailservers/)
- [TestEmail.de](http://testemail.de/)
# Updates 🔄
For instructions on updating your Mailu setup, follow the official [Mailu maintenance guide](https://mailu.io/master/maintain.html).

6
roles/docker-mailu/Testing.md Normal file
View File

@ -0,0 +1,6 @@
# Test Server Instance
Use the following tools to test your server instance:
- [SSL-Tools Mailserver Test](https://de.ssl-tools.net/mailservers/)
- [TestEmail.de](http://testemail.de/)

108
roles/docker-mailu/User_Administration.md Normal file
View File

@ -0,0 +1,108 @@
# User Administration
## Promoting an OIDC User to Admin 🧑‍💼
If your administrator logs in via OpenID Connect (OIDC) and you don't want to create a separate local user, you can promote the existing OIDC-authenticated user to a global admin directly in the Mailu database using the CLI.
Follow these steps:
1. Enter the Mailu `admin` container shell:
```bash
docker exec -it mailu-admin-1 flask shell
```
2. Inside the interactive shell, run the following commands:
```python
from mailu import models, db
user = models.User.query.filter_by(email='admin@example.com').first()
user.global_admin = True
db.session.commit()
```
Replace `admin@example.com` with the OIDC email address used to log in.
3. Exit the shell:
```python
exit()
```
Your OIDC-authenticated user is now a full **global admin** and has access to all administrative functions in the Mailu interface.
> 💡 Tip: This method is useful when you're using federated login and want to avoid managing separate local admin credentials.
Klar! Hier ist die Anleitung zur Änderung der primären Domain eines Mailu-Benutzers, speziell für **MariaDB** als Datenbank-Backend, auf **Englisch** und im gleichen Stil wie deine Doku:
---
## Changing the Primary Domain of a Mailu Account (MariaDB) 🌐
Mailu links user accounts to specific domains, so changing a user's primary domain cannot be done via the admin interface. You need to update it manually via the database.
> ⚠️ **Warning:** Always back up your database before performing manual operations.
### Steps for MariaDB:
1. Connect to the Mailu MariaDB container:
```bash
docker compose exec -it database mariadb -u mailu -p
```
Enter the password when prompted (you can find it in your `docker-compose.yml` or `.env` file).
2. Select the Mailu database (usually named `mailu`):
```sql
USE mailu;
```
3. Update the user's domain and email:
```sql
UPDATE user SET email='newname@newdomain.com', domain_name='newdomain.com' WHERE email='oldname@olddomain.com';
```
If needed, also update the local part (username):
```sql
UPDATE user SET localpart='newname' WHERE email='newname@newdomain.com';
```
4. If the new domain does not exist yet, insert it into the `domain` table:
```sql
INSERT INTO domain (name, max_users, max_aliases, max_quota_bytes, comment, enabled)
VALUES ('newdomain.com', 100, 100, 10737418240, 'New domain', true);
```
5. If the user had aliases, update the `alias` table accordingly.
---
### Alternative: Recreate the User
If you prefer not to modify the database manually:
- Delete the old user via the admin UI
- Create a new user under the desired domain
- Migrate emails using IMAP tools (e.g. `imapsync`)
---
### Update DNS and Mailu Configuration
Ensure that the new domain is correctly set up:
- Add it to `HOSTNAMES` in your `docker-compose.yml`
- Set up proper DNS records (MX, SPF, DKIM, DMARC)
- If using Let's Encrypt (`TLS_FLAVOR=cert`), make sure the domain is included in `LETSENCRYPT_HOSTS`
> 💡 **Tip:** Mailu must be aware of the domain both in its configuration and the database for mail routing and certificate issuance to work correctly.
---
Wenn du willst, kann ich dir das gleich in eine fertige Markdown-Datei oder ein Doku-Format einfügen.

5
roles/docker-mariadb/README.md
View File

@ -1,4 +1,4 @@
# MariaDB Docker Ansible Role
# MariaDB
## Overview
This Ansible role facilitates the deployment of a MariaDB server using Docker. It is designed to ensure ease of installation and configuration, with the flexibility to adapt to different environments.
@ -25,3 +25,6 @@ Configure the role by setting the required variables. These can be set in the pl
## Contributing
Contributions to this project are welcome. Please submit issues and pull requests with your suggestions.
## Other Ressources
- [Reset Password for MariaDB/MySQL in Docker](https://wolfgang.gassler.org/reset-password-mariadb-mysql-docker/)

179
roles/docker-nextcloud/Administration.md
View File

@ -1,5 +1,7 @@
# Administration
Instructions for manual administrative operations like container login, config file edits, and post-update recovery actions.
## Modify Config 🔧
### Enter the Container
@ -12,180 +14,3 @@ Inside the container, install a text editor and edit the config:
```bash
apk add --no-cache nano && nano config/config.php
```
---
## Update 🔄
To update the Nextcloud container, execute the following commands on the server:
```bash
docker exec -it -u www-data nextcloud-application /var/www/html/occ maintenance:mode --on &&
export COMPOSE_HTTP_TIMEOUT=600 &&
export DOCKER_CLIENT_TIMEOUT=600 &&
docker-compose down
```
Afterwards, update the ***applications.nextcloud.version*** variable to the next version and run this repository with this Ansible role.
> **Note:**
> It is only possible to update from one to the next major version at a time.
> Wait for the update to finish.
Verify the update by checking the logs:
```bash
docker-compose logs application
```
and
```bash
docker-compose exec -it application top
```
If Nextcloud remains in maintenance mode after the update, try the following:
```bash
docker exec -it -u www-data nextcloud-application/var/www/html/occ maintenance:mode --on
docker exec -it -u www-data nextcloud-application /var/www/html/occ upgrade
docker exec -it -u www-data nextcloud-application /var/www/html/occ maintenance:mode --off
```
If the update process fails, execute:
```bash
docker exec -it -u www-data nextcloud-application /var/www/html/occ maintenance:repair --include-expensive
```
and disable any non-functioning apps.
---
## Recover Latest Backup 💾
```bash
cd {{path_docker_compose_instances}}nextcloud &&
docker-compose down &&
docker-compose exec -i database mysql -u nextcloud -pPASSWORT nextcloud < "/Backups/$(sha256sum /etc/machine-id | head -c 64)/backup-docker-to-local/latest/nextcloud_database/sql/backup.sql" &&
cd {{path_administrator_scripts}}backup-docker-to-local &&
bash ./recover-docker-from-local.sh "nextcloud_data" "$(sha256sum /etc/machine-id | head -c 64)"
```
---
## Database Management 🗄️
### Database Access
To access the database, execute:
```bash
docker-compose exec -it database mysql -u nextcloud -D nextcloud -p
```
### Recreate Database with New Volume
```bash
docker-compose run --detach --name database --env MYSQL_USER="nextcloud" --env MYSQL_PASSWORD=PASSWORD --env MYSQL_ROOT_PASSWORD=PASSWORD --env MYSQL_DATABASE="nextcloud" -v nextcloud_database:/var/lib/mysql
```
---
## OCC (Nextcloud Command Line) 🔧
To use OCC, run:
```bash
docker-compose exec -it -u www-data application /var/www/html/occ
```
### User Administration
#### List Users
```bash
docker compose exec -it -u www-data application php occ user:list
```
#### Sync Users
```bash
docker compose exec -it -u www-data application php occ user:sync
```
#### Create user via CLI
```bash
docker compose exec -it -u www-data application php occ user:add {{username}}
```
#### Make user admin via cli
```bash
docker compose exec -it -u www-data application php occ group:adduser admin {{username}}
```
#### Delete user via CLI
```bash
docker compose exec -it -u www-data application php occ user:delete {{username}}
```
---
### App Administration
```bash
docker compose exec -u www-data application php occ config:list {{app_name}}
```
### Initialize Duplicates
```bash
docker-compose exec -it -u www-data application /var/www/html/occ duplicates:find-all --output
```
### Unlock Files
```bash
docker-compose exec -it -u www-data application /var/www/html/occ maintenance:mode --on
docker-compose exec -it nextcloud_database_1 mysql -u nextcloud -pPASSWORD1234132 -D nextcloud -e "delete from oc_file_locks where 1"
docker-compose exec -it -u www-data application /var/www/html/occ maintenance:mode --off
```
---
## Apps
### App Relevant Tables 🗃️
- `oc_appconfig`
- `oc_migrations`
### Cospend
#### Relevant SQL Commands for Cospend
Debugguging Migrations:
https://github.com/julien-nc/cospend-nc/issues/325
```sql
-- Show all Cospend Tables
SHOW TABLES where Tables_in_nextcloud LIKE "%cospend%";
-- Show Cospend Configuration
SELECT * FROM `oc_appconfig` WHERE appid LIKE "%cospend%";
-- Show Cospend Database Migrations
SELECT * FROM `oc_migrations` WHERE app LIKE "%cospend%";
```
# IAM
IAM(Identity and Access Management) is setup via Keycloak and LDAP.
## OpenID Connect (OIDC) Support 🔐
OIDC is supported in this role—for example, via **Keycloak**. OIDC-specific tasks are included when enabled, allowing integration of external authentication providers seamlessly.
### Verify OIDC Configuration
```bash
docker compose exec -u www-data application /var/www/html/occ config:app:get sociallogin custom_providers
```
## LDAP
More information: https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html
## Get all relevant entries except password
```sql
SELECT * FROM `oc_appconfig` WHERE appid LIKE "%ldap%" and configkey != "s01ldap_agent_password";
```
## Update User with LDAP values
```bash
docker compose exec -it -u www-data application php occ ldap:check-user --update {{username}}
```
## Federation
If users are just created via Keycloak and not via LDAP, they have a different username. Due to this reaso concider to use LDAP to guaranty that the username is valid.

32
roles/docker-nextcloud/Applications.md Normal file
View File

@ -0,0 +1,32 @@
# Nextcloud Applications
Details on specific apps like Cospend, including related SQL queries and debugging tips.
## Recieve Plugin Information
To recieve the relevant configuration options for a plugin type:
```bash
docker compose exec -u www-data application php occ config:list oidc_login
```
## App Relevant Tables 🗃️
- `oc_appconfig`
- `oc_migrations`
## LDAP
## Cospend
### Relevant SQL Commands for Cospend
Debugguging Migrations:
https://github.com/julien-nc/cospend-nc/issues/325
```sql
-- Show all Cospend Tables
SHOW TABLES where Tables_in_nextcloud LIKE "%cospend%";
-- Show Cospend Configuration
SELECT * FROM `oc_appconfig` WHERE appid LIKE "%cospend%";
-- Show Cospend Database Migrations
SELECT * FROM `oc_migrations` WHERE app LIKE "%cospend%";
```

4
roles/docker-nextcloud/Architecture.md Normal file
View File

@ -0,0 +1,4 @@
# Administration
## Other Resources
- [Nextcloud Docker Example with Nginx Proxy, MariaDB, and FPM](https://github.com/nextcloud/docker/blob/master/.examples/docker-compose/with-nginx-proxy/mariadb/fpm/docker-compose.yml)

15
roles/docker-nextcloud/Database.md Normal file
View File

@ -0,0 +1,15 @@
# Database Management (local)
To manage the database if you installed it locally use the following comments. If you have created the database via the central database option, look for the related documentation.
## Database Access
To access the database, execute:
```bash
docker-compose exec -it database mysql -u nextcloud -D nextcloud -p
```
### Recreate Database with New Volume
```bash
docker-compose run --detach --name database --env MYSQL_USER="nextcloud" --env MYSQL_PASSWORD=PASSWORD --env MYSQL_ROOT_PASSWORD=PASSWORD --env MYSQL_DATABASE="nextcloud" -v nextcloud_database:/var/lib/mysql
```

72
roles/docker-nextcloud/IAM.md Normal file
View File

@ -0,0 +1,72 @@
# Identity and Access Management
IAM(Identity and Access Management) is setup via Keycloak and LDAP.
## OpenID Connect (OIDC) Support 🔐
OIDC is supported in this role—for example, via **Keycloak**. OIDC-specific tasks are included when enabled, allowing integration of external authentication providers seamlessly.
### Verify OIDC Configuration
```bash
docker compose exec -u www-data application /var/www/html/occ config:app:get sociallogin custom_providers
```
## LDAP
More information: https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html
## Get LDAP Configuration
```bash
docker compose exec -u www-data application php occ ldap:show-config
```
## Get all relevant entries except password
```sql
SELECT * FROM `oc_appconfig` WHERE appid LIKE "%ldap%" and configkey != "s01ldap_agent_password";
```
## Update User with LDAP values
```bash
docker compose exec -it -u www-data application php occ ldap:check-user --update {{username}}
```
## Update LDAP Sync
```bash
docker compose exec -u www-data application php occ user:sync-account-data
```
### Update Each User
If you want to update **every LDAP user**, run:
```bash
for user in $(docker compose exec -u www-data application php occ user:list --output=json | jq -r 'keys[]'); do
docker compose exec -u www-data application php occ ldap:check-user --update "$user"
done
```
### Unlink All
```bash
for user in $(docker compose exec -u www-data application php occ ldap:show-remnants | tail -n +3 | awk -F '|' '{print $2}' | tr -d ' ' | grep -v '^$'); do
echo "Unlinking user from LDAP: $user"
echo "y" | docker compose exec -T -u www-data application php occ ldap:reset-user "$user"
done
```
### Reset LDAP Links for Orphaned Users
Run this **corrected script**:
```bash
for user in $(docker compose exec -u www-data application php occ ldap:show-remnants | tail -n +3 | awk -F '|' '{print $2}' | tr -d ' ' | grep -v '^$'); do
echo "Resetting LDAP link for user: $user"
echo "y" | docker compose exec -T -u www-data application php occ ldap:reset-user "$user"
done
```
## Federation
If users are just created via Keycloak and not via LDAP, they have a different username. Due to this reaso concider to use LDAP to guaranty that the username is valid.

71
roles/docker-nextcloud/OCC.md Normal file
View File

@ -0,0 +1,71 @@
# OCC (Nextcloud Command Line) 🔧
Reference for frequently used OCC commands, including user and app management.
## General Use
To use OCC, run:
```bash
docker-compose exec -it -u www-data application /var/www/html/occ
```
## User Administration
### List Users
```bash
docker compose exec -it -u www-data application php occ user:list
```
### Get User Info
```bash
docker compose exec -u www-data application php occ user:info {{username}}
```
### Sync Users
```bash
docker compose exec -it -u www-data application php occ user:sync
```
### Create user via CLI
```bash
docker compose exec -it -u www-data application php occ user:add {{username}}
```
### Make user admin via cli
```bash
docker compose exec -it -u www-data application php occ group:adduser admin {{username}}
```
### Delete user via CLI
```bash
docker compose exec -it -u www-data application php occ user:delete {{username}}
```
### Delete all User (if no ldap is used)
```bash
for user in $(docker compose exec -u www-data application php occ user:list --output=json | jq -r 'keys[]'); do
docker compose exec -u www-data application php occ user:delete "$user"
done
```
### Identify users which exist still in nextcloud but not in LDAP anymore
```bash
occ ldap:show-remnants
```
## App Administration
```bash
docker compose exec -u www-data application php occ config:list {{app_name}}
```
## Initialize Duplicates
```bash
docker-compose exec -it -u www-data application /var/www/html/occ duplicates:find-all --output
```
## Unlock Files
```bash
docker-compose exec -it -u www-data application /var/www/html/occ maintenance:mode --on
docker-compose exec -it nextcloud_database_1 mysql -u nextcloud -pPASSWORD1234132 -D nextcloud -e "delete from oc_file_locks where 1"
docker-compose exec -it -u www-data application /var/www/html/occ maintenance:mode --off
```

57
roles/docker-nextcloud/README.md
View File

@ -1,24 +1,45 @@
# Nextcloud Server
# Nextcloud
This repository contains an Ansible role for deploying and managing [Nextcloud](https://nextcloud.com/) using [Docker](https://www.docker.com/). It covers configuration modifications, updates, backups, database management, and more. Additionally, OIDC (OpenID Connect) is supported (for example, via **Keycloak**).
---
## Description
## Other Resources
This Ansible role provisions a production-grade **Nextcloud** deployment using Docker Compose. It includes support for LDAP and OIDC authentication, Redis caching, secure configuration management, and declarative plugin control via `occ`. The setup is modular and integrates cleanly into larger infrastructure environments.
- [Nextcloud Docker Example with Nginx Proxy, MariaDB, and FPM](https://github.com/nextcloud/docker/blob/master/.examples/docker-compose/with-nginx-proxy/mariadb/fpm/docker-compose.yml)
- [Nextcloud Upgrade via Docker by Goneuland](https://goneuland.de/nextcloud-upgrade-auf-neue-versionen-mittels-docker/)
- [Nextcloud Data Version Issue](https://help.nextcloud.com/t/cant-start-nextcloud-because-the-version-of-the-data-is-higher-than-the-docker-image-version-and-downgrading-is-not-supported/109438)
- [Nextcloud Docker Issue #1302](https://github.com/nextcloud/docker/issues/1302)
- [Update to Nextcloud 22 Failed Database Error](https://help.nextcloud.com/t/update-to-22-failed-with-database-error-updated/120682)
- [Nextcloud 21.0.0-beta1 Database Error](https://help.nextcloud.com/t/nc-update-to-21-0-0-beta1-exception-database-error/101124/4)
- [Reset Password for MariaDB/MySQL in Docker](https://wolfgang.gassler.org/reset-password-mariadb-mysql-docker/)
- [Ansible Docker Container and depends_on Issue](https://unix.stackexchange.com/questions/478855/ansible-docker/container/and-depends-on)
- [Docker Convenience Scripts by gdiepen](https://github.com/gdiepen/docker-convenience-scripts)
- [Issues After Upgrading to Nextcloud 21](https://help.nextcloud.com/t/several-issues-after-upgrading-to-nextcloud-21/113118/3)
- [Nextcloud Talk Plugin and Turnserver in Docker](https://forum.openmediavault.org/index.php?thread/31782-docker-nextcloud-talk-plugin-and-turnserver/)
- [Nextcloud Talk on Docker: Turn Server Issues](https://help.nextcloud.com/t/nextcloud-talk-im-docker/container/turn-server-auf-docker-host-kein-video/84133/10)
## Overview
---
*Enjoy and happy containerizing! 😄*
The role ensures consistent deployments, full automation, and secure configuration injection into `config.php` using additive includes. Authentication is handled through LDAP and OIDC (e.g., via Keycloak), and backup/recovery operations are fully supported.
## Purpose
To automate the deployment of **secure, extensible, and production-ready Nextcloud instances** using Docker and Ansible.
## Features
- Dockerized Nextcloud (PHP-FPM, Nginx, Cron, Redis)
- Templated Nginx configuration (internal and external)
- Automated certificate and HTTPS proxy integration
- Healthcheck support
- Backup & recovery integration
- IAM & SOO
- Hundreds of integrated plugins
## Related Documentation
Here are all supporting documentation files within this role:
| Topic | Description |
|-------|-------------|
| [Applications](Applications.md) | SQL examples and debug notes for plugins like **Cospend** |
| [Architecture](Architecture.md) | Overview of architectural integrations |
| [Administration](Administration.md) | Manual operations like update, config edits, recovery |
| [Update](Update.md) | Step-by-step update and restore instructions |
| [OCC](OCC.md) | Nextcloud CLI usage guide (user management, config, maintenance) |
| [Database](Database.md) | Managing the database (local mode) |
| [IAM](IAM.md) | LDAP & OIDC Identity and Access Management |
## External Resources
- [Nextcloud Docker Documentation](https://github.com/nextcloud/docker)
- [Nextcloud Admin Manual](https://docs.nextcloud.com/server/latest/admin_manual/)
- [LDAP Integration Guide](https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html)
- [OIDC Login Plugin (pulsejet)](https://github.com/pulsejet/nextcloud-oidc-login)
- [Sociallogin Plugin (Official)](https://apps.nextcloud.com/apps/sociallogin)

53
roles/docker-nextcloud/Update.md Normal file
View File

@ -0,0 +1,53 @@
# Update 🔄
To update the Nextcloud container, execute the following commands on the server:
```bash
docker exec -it -u www-data nextcloud-application /var/www/html/occ maintenance:mode --on &&
export COMPOSE_HTTP_TIMEOUT=600 &&
export DOCKER_CLIENT_TIMEOUT=600 &&
docker-compose down
```
Afterwards, update the ***applications.nextcloud.version*** variable to the next version and run this repository with this Ansible role.
> **Note:**
> It is only possible to update from one to the next major version at a time.
> Wait for the update to finish.
Verify the update by checking the logs:
```bash
docker-compose logs application
```
and
```bash
docker-compose exec -it application top
```
If Nextcloud remains in maintenance mode after the update, try the following:
```bash
docker exec -it -u www-data nextcloud-application/var/www/html/occ maintenance:mode --on
docker exec -it -u www-data nextcloud-application /var/www/html/occ upgrade
docker exec -it -u www-data nextcloud-application /var/www/html/occ maintenance:mode --off
```
If the update process fails, execute:
```bash
docker exec -it -u www-data nextcloud-application /var/www/html/occ maintenance:repair --include-expensive
```
and disable any non-functioning apps.
---
## Recover Latest Backup 💾
```bash
cd {{path_docker_compose_instances}}nextcloud &&
docker-compose down &&
docker-compose exec -i database mysql -u nextcloud -pPASSWORT nextcloud < "/Backups/$(sha256sum /etc/machine-id | head -c 64)/backup-docker-to-local/latest/nextcloud_database/sql/backup.sql" &&
cd {{path_administrator_scripts}}backup-docker-to-local &&
bash ./recover-docker-from-local.sh "nextcloud_data" "$(sha256sum /etc/machine-id | head -c 64)"
```
## Other Resources
- [Nextcloud Upgrade via Docker by Goneuland](https://goneuland.de/nextcloud-upgrade-auf-neue-versionen-mittels-docker/)

30
roles/docker-nextcloud/meta/main.yml Normal file
View File

@ -0,0 +1,30 @@
---
galaxy_info:
author: "Kevin Veen-Birkenbach"
description: >
Provisions a secure and production-ready Nextcloud instance,
with support for LDAP, OIDC, SSO, and automated plugin configuration.
license: "CyMaIS NonCommercial License (CNCL)"
license_url: "https://s.veen.world/cncl"
company: |
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
https://www.veen.world
min_ansible_version: "2.9"
platforms:
- name: Linux
versions:
- all
galaxy_tags:
- nextcloud
- docker
- nginx
- oidc
- ldap
- automation
- cloud
- web
- php
repository: "https://s.veen.world/cymais"
issue_tracker_url: "https://s.veen.world/cymaisissues"
documentation: "https://s.veen.world/cymais/docker-nextcloud"

25
roles/docker-nextcloud/tasks/plugin.yml
View File

@ -28,20 +28,33 @@
changed_when: enable_result.rc == 0 and ("already enabled" not in enable_result.stdout)
when: plugin_value.enabled | bool
- name: Check if {{nextcloud_localhost_plugin_configuration_directory}}{{ plugin_key }}.yml exists
- name: Check if {{nextcloud_control_node_plugin_vars_directory}}{{ plugin_key }}.yml exists
stat:
path: "{{nextcloud_localhost_plugin_configuration_directory}}{{ plugin_key }}.yml"
register: plugin_config_file
path: "{{nextcloud_control_node_plugin_vars_directory}}{{ plugin_key }}.yml"
delegate_to: localhost
become: false
register: plugin_vars_file
- name: Apply configuration to {{ plugin_key }}
block:
- name: Load {{ plugin_key }} configuration variables
include_vars:
file: "{{nextcloud_localhost_plugin_configuration_directory}}{{ plugin_key }}.yml"
file: "{{nextcloud_control_node_plugin_vars_directory}}{{ plugin_key }}.yml"
- name: "Set {{ item.configkey }} for {{ item.appid }}"
loop: "{{ plugin_configuration }}"
command: >
{{ nextcloud_docker_exec_occ }} config:app:set {{ item.appid }} {{ item.configkey }} --value '{{ item.configvalue | to_json if item.configvalue is mapping else item.configvalue }}'
when: plugin_config_file.stat.exists
when: plugin_vars_file.stat.exists
- name: Check if {{nextcloud_control_node_plugin_tasks_directory}}{{ plugin_key }}.yml exists
stat:
path: "{{nextcloud_control_node_plugin_tasks_directory}}{{ plugin_key }}.yml"
delegate_to: localhost
become: false
register: plugin_tasks_file
- name: "include {{nextcloud_control_node_plugin_tasks_directory}}{{ plugin_key }}.yml"
include_tasks: "{{nextcloud_control_node_plugin_tasks_directory}}{{ plugin_key }}.yml"
when: plugin_tasks_file.stat.exists

0
roles/docker-nextcloud/tasks/plugins/ldap.yml → roles/docker-nextcloud/tasks/plugins/user_ldap.yml
View File

4
roles/docker-nextcloud/templates/config/oidc.config.php.j2
View File

@ -97,10 +97,10 @@ return array (
// note: on Keycloak, OIDC name claim = "${given_name} ${family_name}" or one of them if any is missing
//
'oidc_login_attributes' => array (
'id' => 'username',
'id' => '{{ldap.attributes.user_id}}',
'name' => 'name',
'mail' => 'email',
# 'quota' => 'nextcloudQuota', # Not implemented yet
'quota' => 'nextcloudQuota',
# 'home' => 'homeDirectory', # Not implemented yet
'ldap_uid' => 'preferred_username',
# 'groups' => 'ownCloudGroups', # Not implemented yet

2
roles/docker-nextcloud/vars/README.md Normal file
View File

@ -0,0 +1,2 @@
# Variables
This folder contains the Nextcloud Variables

5
roles/docker-nextcloud/vars/main.yml
View File

@ -10,8 +10,9 @@ database_type: "mariadb"
domain: "{{domains[application_id]}}" # Public domain at which Nextcloud will be accessable
http_port: "{{ ports.localhost.http[application_id] }}" # Port at which nextcloud is reachable in the local network
# Localhost
nextcloud_localhost_plugin_configuration_directory: "{{role_path}}/plugins/" # Folder in which the files for the plugin configuration are stored
# Control Node
nextcloud_control_node_plugin_vars_directory: "{{role_path}}/vars/plugins/" # Folder in which the files for the plugin configuration are stored
nextcloud_control_node_plugin_tasks_directory: "{{role_path}}/tasks/plugins/" # Folder which contains the files for extra plugin configuration tasks
# Host

3
roles/docker-nextcloud/vars/plugins/README.md
View File

@ -1 +1,2 @@
This folder contains the plugin specific configurations which willö be applied
# Plugins
This folder contains the plugin specific configurations which will be applied

0
roles/docker-nextcloud/vars/plugins/ldap.yml → roles/docker-nextcloud/vars/plugins/user_ldap.yml
View File

2
roles/docker-phpmyadmin/templates/env.j2
View File

@ -1,3 +1,5 @@
# Configuration @see https://hub.docker.com/_/phpmyadmin
PMA_HOST= central-mariadb
{% if applications.phpmyadmin.autologin | bool %}
PMA_USER= root

22
roles/docker-portfolio/templates/config.yaml.j2
View File

@ -210,7 +210,7 @@ cards:
- icon:
class: "fa-solid fa-envelope"
title: "Mailu Mail Server"
title: "Mail Server"
text: "Revolutionize your email communications with Mailu, a secure and flexible mail server solution that integrates seamlessly into your workflow. Experience enhanced reliability, robust security, and an energetic approach to managing your digital correspondence."
url: https://{{domains.mailu}}
link_text: "Elevate Your Email Now!"
@ -680,8 +680,26 @@ navigation:
description: Manage User via Keycloak
icon:
class: fas fa-user-shield
url: https://{{domains.keycloak}}/admin
iframe: {{ applications | get_landingpage_iframe_enabled('keycloak') }}
children:
- name: Administration
description: Access the central admin console
icon:
class: fa-solid fa-shield-halved
url: https://{{domains.keycloak}}/admin
iframe: {{ applications | get_landingpage_iframe_enabled('keycloak') }}
- name: Profile
description: Update your personal admin settings
icon:
class: fa-solid fa-user-gear
url: https://{{ domains.keycloak }}/realms/{{oidc.client.id}}/account
iframe: {{ applications | get_landingpage_iframe_enabled('keycloak') }}
- name: Logout
description: End your admin session securely
icon:
class: fa-solid fa-right-from-bracket
url: https://{{ domains.keycloak }}/realms/{{oidc.client.id}}/protocol/openid-connect/logout
iframe: false
{% endif %}
{% if "ldap" in group_names %}

43
roles/docker/Administration.md Normal file
View File

@ -0,0 +1,43 @@
# Administration 🛠️
## List Unused Volumes
```bash
docker volume ls -q -f "dangling=true"
```
## Remove All Unused Volumes
```bash
docker volume rm $(docker volume ls -q -f "dangling=true")
```
## Network Issues Fixes
```bash
docker stop $(docker ps -a -q)
docker rm $(docker ps -a -q)
docker network prune -f
systemctl stop docker
rm -fv /var/lib/docker/network/files/local-kv.db
systemctl start docker
```
---
# Warning ⚠️
**Caution:** The following instructions will delete **all Docker containers and volumes** on your server.
Make sure you have backups or that you're certain you want to clean your Docker environment completely.
---
## Cleaning Up Docker Containers and Volumes 🧹
### Delete All Docker Containers
```bash
docker stop $(docker ps -a -q)
docker rm $(docker ps -a -q)
```
### Delete All Docker Volumes
```bash
docker volume rm $(docker volume ls -q)
```

48
roles/docker/README.md
View File

@ -2,52 +2,4 @@
This role is part of the [CyMaIS Project](https://github.com/kevinveenbirkenbach/cymais), maintained and developed by [Kevin Veen-Birkenbach](https://www.veen.world/).
---
## Maintenance 🛠️
### List Unused Volumes
```bash
docker volume ls -q -f "dangling=true"
```
### Remove All Unused Volumes
```bash
docker volume rm $(docker volume ls -q -f "dangling=true")
```
### Network Issues Fixes
```bash
docker stop $(docker ps -a -q)
docker rm $(docker ps -a -q)
docker network prune -f
systemctl stop docker
rm -fv /var/lib/docker/network/files/local-kv.db
systemctl start docker
```
---
## Warning ⚠️
**Caution:** The following instructions will delete **all Docker containers and volumes** on your server.
Make sure you have backups or that you're certain you want to clean your Docker environment completely.
---
## Cleaning Up Docker Containers and Volumes 🧹
### Delete All Docker Containers
```bash
docker stop $(docker ps -a -q)
docker rm $(docker ps -a -q)
```
### Delete All Docker Volumes
```bash
docker volume rm $(docker volume ls -q)
```
---
Enjoy using this role and happy containerizing! 🎉

28
roles/docker/meta/main.yml
View File

@ -1,3 +1,31 @@
---
galaxy_info:
author: "Kevin Veen-Birkenbach"
description: >
Installs and maintains Docker.
license: "CyMaIS NonCommercial License (CNCL)"
license_url: "https://s.veen.world/cncl"
company: |
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
https://www.veen.world
min_ansible_version: "2.9"
platforms:
- name: Linux
versions:
- all
galaxy_tags:
- docker
- container
- infrastructure
- automation
- cleanup
- linux
- system
repository: "https://s.veen.world/cymais"
issue_tracker_url: "https://s.veen.world/cymaisissues"
documentation: "https://s.veen.world/cymais/docker"
dependencies:
- backup-docker-to-local
- user-administrator

33
roles/nginx-modifier-css/templates/global.css.j2
View File

@ -816,7 +816,7 @@ input:checked {
option {
background-color: var(--color-82);
color: var(--color-99);
color: var(--color-07);
}
/* Tables (Borders and Header Colors) */
@ -1099,6 +1099,37 @@ div.page-wrapper{
background: var(--color-50);
}
.table {
--bs-table-bg: var(--color-99); /* #fff → white */
--bs-table-border-color: var(--color-99); /* #fff → white */
--bs-table-striped-bg: var(--color-90); /* #dfdfdf → light gray */
--bs-table-hover-color: var(--color-01); /* #000 → black */
}
.table thead th {
background-image: linear-gradient(var(--color-90), var(--color-80));
border-color: var(--color-99);
}
.table th, .table td {
text-shadow: 0 1px 0 var(--color-60);
}
div.tools, .tblFooters {
color: var(--color-01);
background: var(--color-62);
}
.navigation {
background: linear-gradient(var(--color-87), var(--color-69));
}
.pma-fieldset {
border-color: var(--color-17);
background: var(--color-80);
}
/** Taiga specific configuration **/
section.main.kanban{