Merge branch 'master' of ssh://gitlab.warpzone.ms:444/infrastruktur/ansible-warpzone

site.yml

@@ -393,7 +393,8 @@
       }
     - { 
         role: verwaltung/docker_nextcloud, tags: [ nextcloud, docker_services ],
-        servicename: "nextcloud",        
+        servicename: "nextcloud",      
+        basedir: /srv/nextcloud,  
         domain: "verwaltung.warpzone.ms" 
       }
     - { 

verwaltung/docker_nextcloud/Documentation.md

+
+# Overview 
+
+* Authentication to Nextcloud is only possible with an account in uffd, regular authentication is disabled 
+* All users with group 'nextcloud_access' can access Nextcloud, the user in Nextcloud is created on first login 
+* Users with group 'nextcloud_admin' are added to the Administrators group in Nextcloud 
+* Additional groups are assigned if the name of the group matches in uffd and Nextloud
+
+# Setup OIDC Authentication via uffd 
+
+Uffd Reference: https://git.cccv.de/uffd
+
+## Remarks and limitations 
+
+* Only the numeric user id from uffd can be used in nextcloud. 
+* The admin group in nextcloud is added/removed if the group nextcloud_admin is set in uffd
+* Groups must be created manually, groups are assigned and revoked on login 
+
+## Setup in Nextcloud 
+
+Nextcloud App: OpenID Connect Login (Category: Integration)
+
+The App must be installed manually with the initial admin User or via occ command. 
+Configuration ist provided in the config file 'oidc.config.php'
+
+https://apps.nextcloud.com/apps/oidc_login
+https://github.com/pulsejet/nextcloud-oidc-login
+
+
+## Setup in uffd
+
+Create Groups:
+
+- nextcloud_access: General Access to Nextcloud 
+- nextcloud_admin: This Group will be Mapped to the Group admin in Nextcloud 
+- 
+
+Create a Service / OAuth Client: 
+
+Only Users with goup nextcloud_access can access Nextcloud 
+
+Client-ID: nextcloud 
+Client-Secret: from file nextcloud_oidc_secret on the server
+Redirect-URIs: 
+* https://<nextcloud Server Url>/index.php/apps/oidc_login/oidc
+* https://<nextcloud Server Url>/apps/oidc_login/oidc
+

verwaltung/docker_nextcloud/tasks/main.yml

@@ -2,9 +2,10 @@
 
 - include_tasks: ../functions/get_secret.yml
   with_items:
-    - { path: /srv/nextcloud/nextcloud_admin_pass,  length: 24 }
-    - { path: /srv/nextcloud/mysql_admin_pass,  length: 24 }
-    - { path: /srv/nextcloud/mysql_user_pass,  length: 12 }
+    - { path: "{{ basedir }}/secrets/nextcloud_admin_pass",  length: 24 }
+    - { path: "{{ basedir }}/secrets/nextcloud_oidc_secret",  length: 32 }
+    - { path: "{{ basedir }}/secrets/mysql_admin_pass",  length: 24 }
+    - { path: "{{ basedir }}/secrets/mysql_user_pass",  length: 12 }
 
 
 - name: "create folder struct for {{ servicename }}"
@@ -14,22 +15,42 @@
     owner: www-data
     group: root
   with_items:
-    - "/srv/nextcloud/"
-    - "/srv/nextcloud/data/"
-    - "/srv/nextcloud/db/"
-    - "/srv/nextcloud/tmp/"
+    - "{{ basedir }}"
+    - "{{ basedir }}/data/"
+    - "{{ basedir }}/data/config/"
+    - "{{ basedir }}/db/"
+    - "{{ basedir }}/tmp/"
+    - "{{ basedir }}/secrets/"
 
 
 - name: Docker Compose Konfig-Datei erstellen
   template: 
     src: "{{ item }}" 
-    dest: "/srv/nextcloud/{{ item }}"
+    dest: "{{ basedir }}/{{ item }}"
   with_items:
     - "docker-compose.yml"
     - "memory-limit.ini"
+
+
+- name: Nextcloud Konfig-Dateien erstellen
+  template: 
+    src: "{{ item }}" 
+    dest: "{{ basedir }}/data/config/{{ item }}"
+  with_items:
+    - "custom.config.php"
+    - "oidc.config.php"
   register: config_files
 
 
+- name: Script Helper erstellen
+  template: 
+    src: "{{ item }}" 
+    dest: "{{ basedir }}/{{ item }}"
+    mode: u+x
+  with_items:
+    - "occ.sh"
+
+
 - name: "stop {{ servicename }} docker"
   community.docker.docker_compose_v2:
     project_src: "{{ basedir }}"

verwaltung/docker_nextcloud/templates/custom.config.php

+<?php
+$CONFIG = array (
+
+    // Default language
+    // https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/language_configuration.html#default-language
+    'default_language' => 'de',
+
+    // Default locale
+    // https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/language_configuration.html#default-locale
+    'default_locale' => 'de_DE',
+
+    // Default Phone Region
+    // https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#default-phone-region
+    'default_phone_region' => 'DE',
+
+    // Default Timezone
+    // https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#default-timezone
+    'default_timezone' => 'Europe/Berlin',
+
+    // Overwrite Host
+    // https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#overwritehost
+    'overwritehost' => '{{ domain }}',
+
+    // Overwrite Protocoll 
+    // https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#overwriteprotocol
+    'overwriteprotocol' => 'https',
+
+    // Overwrite Url for CLI Access
+    // https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#overwrite-cli-url
+    'overwrite.cli.url' => 'https://{{ domain }}',
+
+    // Trusted Domains
+    // https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#trusted-domains
+    'trusted_domains' =>
+    array (
+        0 => '{{ domain }}',
+        1 => 'app',
+    ),
+
+    // Forwarded for Headers
+    // https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#forwarded-for-headers
+    'forwarded_for_headers' => ['HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR'],
+
+    // Run Maintenance Jobs at any time
+    // https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/background_jobs_configuration.html#parameters
+    'maintenance_window_start' => 100,
+);
\ No newline at end of file

verwaltung/docker_nextcloud/templates/docker-compose.yml

@@ -41,6 +41,7 @@ services:
       MYSQL_HOST: mysql
       NEXTCLOUD_ADMIN_USER: "admin"
       NEXTCLOUD_ADMIN_PASSWORD: "{{nextcloud_admin_pass}}"
+      NEXTCLOUD_UPDATE: "1"
       OVERWRITEPROTOCOL: https
       OVERWRITECLIURL: https://{{ domain }}
       OVERWRITEHOST: {{ domain }}

verwaltung/docker_nextcloud/templates/occ.sh

+#!/bin/bash
+
+# Wrapper zur ausführung des OCC Kommendos im Docker 
+docker-compose exec app su www-data -s "/bin/sh" -c "php /var/www/html/occ $1 $2 $3"
\ No newline at end of file

verwaltung/docker_nextcloud/templates/oidc.config.php

+<?php
+$CONFIG = array (
+
+    // Some Nextcloud options that might make sense here
+    'allow_user_to_change_display_name' => false,
+    'lost_password_link' => 'disabled',
+
+    // URL of provider. All other URLs are auto-discovered from .well-known
+    'oidc_login_provider_url' => '{{ oidc_global.provider_url }}',
+
+    // Client ID and secret registered with the provider
+    'oidc_login_client_id' => 'nextcloud',
+    'oidc_login_client_secret' => '{{ nextcloud_oidc_secret }}',
+
+    // Automatically redirect the login page to the provider
+    'oidc_login_auto_redirect' => true,
+
+    // Redirect to this page after logging out the user
+    'oidc_login_logout_url' => '{{ oidc_global.logout_url }}',
+
+    // If set to true the user will be redirected to the
+    // logout endpoint of the OIDC provider after logout
+    // in Nextcloud. After successfull logout the OIDC
+    // provider will redirect back to 'oidc_login_logout_url' (MUST be set).
+    'oidc_login_end_session_redirect' => false,
+
+    // Login button text
+    'oidc_login_button_text' => 'Log in with OpenID/uffd',
+
+    // Hide the NextCloud password change form.
+    'oidc_login_hide_password_form' => true,
+
+    // Use ID Token instead of UserInfo
+    'oidc_login_use_id_token' => false,
+
+    // Attribute map for OIDC response. 
+    'oidc_login_attributes' => array (
+        'id' => 'preferred_username',
+        'name' => 'name',
+        'mail' => 'email',
+        'groups' => 'groups',
+        'is_admin' => 'groups_nextcloud_admin' 
+    ),
+
+    // Default group to add users to (optional, defaults to nothing)
+    //'oidc_login_default_group' => 'oidc',
+
+    // Set OpenID Connect scope
+    'oidc_login_scope' => 'openid profile email groups',
+
+    // Auto create of users new to Nextcloud from OIDC login.
+    'oidc_login_disable_registration' => false,
+
+    // Fallback to direct login if login from OIDC fails
+    'oidc_login_redir_fallback' => false,
+
+    // Auto create of groups
+    'oidc_create_groups' => false,
+
+    // Enable use of WebDAV via OIDC bearer token.
+    'oidc_login_webdav_enabled' => false,
+
+    // Enable authentication with user/password for DAV clients that do not
+    // support token authentication (e.g. DAVx⁵)
+    'oidc_login_password_authentication' => true,
+
+    // The time in seconds used to cache public keys from provider.
+    // The default value is 1 day.
+    'oidc_login_public_key_caching_time' => 86400,
+
+    // The minimum time in seconds to wait between requests to the jwks_uri endpoint.
+    // Avoids that the provider will be DoSed when someone requests with unknown kids.
+    // The default is 10 seconds.
+    'oidc_login_min_time_between_jwks_requests' => 10,
+
+    // The time in seconds used to cache the OIDC well-known configuration from the provider.
+    // The default value is 1 day.
+    'oidc_login_well_known_caching_time' => 86400,
+
+);
\ No newline at end of file