diff --git a/site.yml b/site.yml index 88393b1c99843dc514779a2a0e80f69ddc6d1b50..b7477b14ffec7847fd2d9a9a9346517b04d721ba 100644 --- a/site.yml +++ b/site.yml @@ -393,7 +393,8 @@ } - { role: verwaltung/docker_nextcloud, tags: [ nextcloud, docker_services ], - servicename: "nextcloud", + servicename: "nextcloud", + basedir: /srv/nextcloud, domain: "verwaltung.warpzone.ms" } - { diff --git a/verwaltung/docker_nextcloud/Documentation.md b/verwaltung/docker_nextcloud/Documentation.md new file mode 100644 index 0000000000000000000000000000000000000000..5a234b5cedaf20cf4179b4f7d02a9df0d1e3e15d --- /dev/null +++ b/verwaltung/docker_nextcloud/Documentation.md 
@@ -0,0 +1,47 @@
+
+# Overview
+
+* Authentication to Nextcloud is only possible with an account in uffd, regular authentication is disabled
+* All users with group 'nextcloud_access' can access Nextcloud, the user in Nextcloud is created on first login
+* Users with group 'nextcloud_admin' are added to the Administrators group in Nextcloud
+* Additional groups are assigned if the name of the group matches in uffd and Nextloud
+
+# Setup OIDC Authentication via uffd
+
+Uffd Reference: https://git.cccv.de/uffd
+
+## Remarks and limitations
+
+* Only the numeric user id from uffd can be used in nextcloud.
+* The admin group in nextcloud is added/removed if the group nextcloud_admin is set in uffd
+* Groups must be created manually, groups are assigned and revoked on login
+
+## Setup in Nextcloud
+
+Nextcloud App: OpenID Connect Login (Category: Integration)
+
+The App must be installed manually with the initial admin User or via occ command.
+Configuration ist provided in the config file 'oidc.config.php'
+
+https://apps.nextcloud.com/apps/oidc_login
+https://github.com/pulsejet/nextcloud-oidc-login
+
+
+## Setup in uffd
+
+Create Groups:
+
+- nextcloud_access: General Access to Nextcloud
+- nextcloud_admin: This Group will be Mapped to the Group admin in Nextcloud
+-
+
+Create a Service / OAuth Client:
+
+Only Users with goup nextcloud_access can access Nextcloud
+
+Client-ID: nextcloud
+Client-Secret: from file nextcloud_oidc_secret on the server
+Redirect-URIs:
+* https://<nextcloud Server Url>/index.php/apps/oidc_login/oidc
+* https://<nextcloud Server Url>/apps/oidc_login/oidc
+
diff --git a/verwaltung/docker_nextcloud/tasks/main.yml b/verwaltung/docker_nextcloud/tasks/main.yml
index 0d8f70c67c95420db3c9b9fb5f472e980352ab6f..b70c077e061182cc6352068bdcded25ec1697b16 100644
--- a/verwaltung/docker_nextcloud/tasks/main.yml
+++ b/verwaltung/docker_nextcloud/tasks/main.yml
@@ -2,9 +2,10 @@ - include_tasks: ../functions/get_secret.yml with_items: - - { path: /srv/nextcloud/nextcloud_admin_pass, length: 24 } - - { path: /srv/nextcloud/mysql_admin_pass, length: 24 } - - { path: /srv/nextcloud/mysql_user_pass, length: 12 } + - { path: "{{ basedir }}/secrets/nextcloud_admin_pass", length: 24 } + - { path: "{{ basedir }}/secrets/nextcloud_oidc_secret", length: 32 } + - { path: "{{ basedir }}/secrets/mysql_admin_pass", length: 24 } + - { path: "{{ basedir }}/secrets/mysql_user_pass", length: 12 } - name: "create folder struct for {{ servicename }}" @@ -14,22 +15,42 @@ owner: www-data group: root with_items: - - "/srv/nextcloud/" - - "/srv/nextcloud/data/" - - "/srv/nextcloud/db/" - - "/srv/nextcloud/tmp/" + - "{{ basedir }}" + - "{{ basedir }}/data/" + - "{{ basedir }}/data/config/" + - "{{ basedir }}/db/" + - "{{ basedir }}/tmp/" + - "{{ basedir }}/secrets/" - name: Docker Compose Konfig-Datei erstellen template: src: "{{ item }}" - dest: "/srv/nextcloud/{{ item }}" + dest: "{{ basedir }}/{{ item }}" with_items: - "docker-compose.yml" - "memory-limit.ini" + + +- name: Nextcloud Konfig-Dateien erstellen + template: + src: "{{ item }}" + dest: "{{ basedir }}/data/config/{{ item }}" + with_items: + - "custom.config.php" + - "oidc.config.php" register: config_files +- name: Script Helper erstellen + template: + src: "{{ item }}" + dest: "{{ basedir }}/{{ item }}" + mode: u+x + with_items: + - "occ.sh" + + - name: "stop {{ servicename }} docker" community.docker.docker_compose_v2: project_src: "{{ basedir }}" diff --git a/verwaltung/docker_nextcloud/templates/custom.config.php b/verwaltung/docker_nextcloud/templates/custom.config.php new file mode 100644 index 0000000000000000000000000000000000000000..c3aa1e968fb2987ee105ea5cb88c3c7e8f06ccff --- /dev/null +++ b/verwaltung/docker_nextcloud/templates/custom.config.php 
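Review bot: The secret files are now generated under `{{ basedir }}/secrets/` by the `get_secret.yml` include, which runs before the task that creates that directory — `secrets/` is only added to the folder-creation loop in the following hunk. The previous paths had the same dependency on `/srv/nextcloud/` existing, so `../functions/get_secret.yml` (not on this page) may already create parent directories; worth confirming, since an extra directory level is now required, and moving the include below the folder task removes the question entirely. The folder loop also gives `secrets/` the same `owner: www-data` as the data directories (its `mode` is not visible in the hunk); since only the playbook reads these files — the values are rendered into the templates — a separate `file` task with `owner: root` and `mode: "0700"` for `{{ basedir }}/secrets/` keeps the raw secrets away from the application user. The task list continues beyond the hunk.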
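Review bot: `register: config_files` now belongs to the new "Nextcloud Konfig-Dateien erstellen" task, because that task was inserted between the compose template's `with_items` and the existing `register` line, so changes to `docker-compose.yml` and `memory-limit.ini` are no longer recorded; anything later in the file conditioned on `config_files.changed` (outside this hunk) will miss compose changes. Give the compose task its own `register: compose_files` and test both, or keep the register on the compose task. Separately, `oidc.config.php` carries the OIDC client secret but the template task sets no `owner`/`mode`, so the rendered file gets the host's umask default (typically `0644`, world-readable); add `owner: www-data`, `group: www-data`, `mode: "0640"` to that task, adjusted to the uid the container runs as. For `occ.sh`, `mode: u+x` is a symbolic mode applied on top of the umask default, which works, but an absolute `mode: "0750"` states the intent.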
@@ -0,0 +1,47 @@
+<?php
+$CONFIG = array (
+
+ // Default language
+ // https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/language_configuration.html#default-language
+ 'default_language' => 'de',
+
+ // Default locale
+ // https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/language_configuration.html#default-locale
+ 'default_locale' => 'de_DE',
+
+ // Default Phone Region
+ // https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#default-phone-region
+ 'default_phone_region' => 'DE',
+
+ // Default Timezone
+ // https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#default-timezone
+ 'default_timezone' => 'Europe/Berlin',
+
+ // Overwrite Host
+ // https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#overwritehost
+ 'overwritehost' => '{{ domain }}',
+
+ // Overwrite Protocoll
+ // https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#overwriteprotocol
+ 'overwriteprotocol' => 'https',
+
+ // Overwrite Url for CLI Access
+ // https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#overwrite-cli-url
+ 'overwrite.cli.url' => 'https://{{ domain }}',
+
+ // Trusted Domains
+ // https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#trusted-domains
+ 'trusted_domains' =>
+ array (
+ 0 => '{{ domain }}',
+ 1 => 'app',
+ ),
+
+ // Forwarded for Headers
+ // https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#forwarded-for-headers
+ 'forwarded_for_headers' => ['HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR'],
+
+ // Run Maintenance Jobs at any time
+ // https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/background_jobs_configuration.html#parameters
+ 'maintenance_window_start' => 100,
+);
\ No newline at end of file
diff --git a/verwaltung/docker_nextcloud/templates/docker-compose.yml b/verwaltung/docker_nextcloud/templates/docker-compose.yml
index eff55e74f9464ddd10ea488cb64574699568703c..3940dbefe94003b452bf780081ed2f04df060025 100644
--- a/verwaltung/docker_nextcloud/templates/docker-compose.yml
+++ b/verwaltung/docker_nextcloud/templates/docker-compose.yml
@@ -41,6 +41,7 @@ services:
 MYSQL_HOST: mysql
 NEXTCLOUD_ADMIN_USER: "admin"
 NEXTCLOUD_ADMIN_PASSWORD: "{{nextcloud_admin_pass}}"
+ NEXTCLOUD_UPDATE: "1"
 OVERWRITEPROTOCOL: https
 OVERWRITECLIURL: https://{{ domain }}
 OVERWRITEHOST: {{ domain }}
diff --git a/verwaltung/docker_nextcloud/templates/occ.sh b/verwaltung/docker_nextcloud/templates/occ.sh
new file mode 100644
index 0000000000000000000000000000000000000000..e430d8b46bf9f4c2815bc0bf2d8f7b486d892b4d
--- /dev/null
+++ b/verwaltung/docker_nextcloud/templates/occ.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# Wrapper zur ausführung des OCC Kommendos im Docker
+docker-compose exec app su www-data -s "/bin/sh" -c "php /var/www/html/occ $1 $2 $3"
\ No newline at end of file
diff --git a/verwaltung/docker_nextcloud/templates/oidc.config.php b/verwaltung/docker_nextcloud/templates/oidc.config.php
new file mode 100644
index 0000000000000000000000000000000000000000..f12afea3c432fdffd9425cdafb99e90e309ee4a8
--- /dev/null
+++ b/verwaltung/docker_nextcloud/templates/oidc.config.php
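Review bot: `forwarded_for_headers` has no effect without `trusted_proxies`, which this file does not set: Nextcloud only honours a forwarded-for header on requests that arrive from a listed trusted proxy, so unless it is configured elsewhere (the compose environment is only partly visible here) brute-force protection and the access log see the reverse proxy's address for every client. Add `'trusted_proxies' => ['<proxy address or CIDR>'],` beside it, filled with the proxy's address. The two header names, `HTTP_X_FORWARDED` and `HTTP_FORWARDED_FOR`, appear to be the example values from Nextcloud's config.sample.php; a proxy that sends `X-Forwarded-For` is seen by PHP as `HTTP_X_FORWARDED_FOR`, so verify the list against what the proxy actually sets. `overwritehost`, `overwriteprotocol` and `overwrite.cli.url` also duplicate the `OVERWRITEHOST`/`OVERWRITEPROTOCOL`/`OVERWRITECLIURL` variables in docker-compose.yml; keeping a single source prevents the two from drifting.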
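Review bot: `NEXTCLOUD_UPDATE: "1"` is added without a comment saying why it is needed. As far as I recall the official image's entrypoint, this flag makes it run the install/upgrade step even when the container command is not the default web server command, so for an `app` service running the default command it is a no-op, and if it is meant to ensure upgrades run after an image change, that upgrade then happens unattended on the next `up`. A short comment above the line, e.g. `# let the entrypoint run its install/upgrade step regardless of the container command`, records the intent for the next maintainer. The service definition starts and ends outside the hunk.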
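Review bot: The wrapper forwards only `$1 $2 $3`, unquoted, into a shell string, so any occ call with more than three arguments is silently truncated and an argument containing spaces or shell metacharacters (a `--value` with a space, for instance) is re-split and re-interpreted by the inner `/bin/sh`. Hand the full argument list directly to `php` and drop the intermediate shell: `exec docker-compose exec -u www-data app php /var/www/html/occ "$@"`. The script also only works when invoked from the compose project directory; `cd "$(dirname "$0")" || exit 1` before the exec makes it callable from anywhere, and the file should end with a newline.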
@@ -0,0 +1,80 @@
+<?php
+$CONFIG = array (
+
+ // Some Nextcloud options that might make sense here
+ 'allow_user_to_change_display_name' => false,
+ 'lost_password_link' => 'disabled',
+
+ // URL of provider. All other URLs are auto-discovered from .well-known
+ 'oidc_login_provider_url' => '{{ oidc_global.provider_url }}',
+
+ // Client ID and secret registered with the provider
+ 'oidc_login_client_id' => 'nextcloud',
+ 'oidc_login_client_secret' => '{{ nextcloud_oidc_secret }}',
+
+ // Automatically redirect the login page to the provider
+ 'oidc_login_auto_redirect' => true,
+
+ // Redirect to this page after logging out the user
+ 'oidc_login_logout_url' => '{{ oidc_global.logout_url }}',
+
+ // If set to true the user will be redirected to the
+ // logout endpoint of the OIDC provider after logout
+ // in Nextcloud. After successfull logout the OIDC
+ // provider will redirect back to 'oidc_login_logout_url' (MUST be set).
+ 'oidc_login_end_session_redirect' => false,
+
+ // Login button text
+ 'oidc_login_button_text' => 'Log in with OpenID/uffd',
+
+ // Hide the NextCloud password change form.
+ 'oidc_login_hide_password_form' => true,
+
+ // Use ID Token instead of UserInfo
+ 'oidc_login_use_id_token' => false,
+
+ // Attribute map for OIDC response.
+ 'oidc_login_attributes' => array (
+ 'id' => 'preferred_username',
+ 'name' => 'name',
+ 'mail' => 'email',
+ 'groups' => 'groups',
+ 'is_admin' => 'groups_nextcloud_admin'
+ ),
+
+ // Default group to add users to (optional, defaults to nothing)
+ //'oidc_login_default_group' => 'oidc',
+
+ // Set OpenID Connect scope
+ 'oidc_login_scope' => 'openid profile email groups',
+
+ // Auto create of users new to Nextcloud from OIDC login.
+ 'oidc_login_disable_registration' => false,
+
+ // Fallback to direct login if login from OIDC fails
+ 'oidc_login_redir_fallback' => false,
+
+ // Auto create of groups
+ 'oidc_create_groups' => false,
+
+ // Enable use of WebDAV via OIDC bearer token.
+ 'oidc_login_webdav_enabled' => false,
+
+ // Enable authentication with user/password for DAV clients that do not
+ // support token authentication (e.g. DAVxâµ)
+ 'oidc_login_password_authentication' => true,
+
+ // The time in seconds used to cache public keys from provider.
+ // The default value is 1 day.
+ 'oidc_login_public_key_caching_time' => 86400,
+
+ // The minimum time in seconds to wait between requests to the jwks_uri endpoint.
+ // Avoids that the provider will be DoSed when someone requests with unknown kids.
+ // The default is 10 seconds.
+ 'oidc_login_min_time_between_jwks_requests' => 10,
+
+ // The time in seconds used to cache the OIDC well-known configuration from the provider.
+ // The default value is 1 day.
+ 'oidc_login_well_known_caching_time' => 86400,
+
+);
\ No newline at end of file
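Review bot: The attribute map sets `'id' => 'preferred_username'`, while the Documentation.md added in the same commit states that only the numeric user id from uffd can be used in Nextcloud — one of the two is stale. The choice matters because the Nextcloud user id is derived from this claim and cannot be renamed afterwards, so `preferred_username` must be immutable in uffd or a renamed account is treated as a new user with an empty storage. Either map `'id' => 'sub'` (if the numeric id is what the remark means) or correct the remark, and add a comment above the map recording which claim is relied on and why; the `'is_admin' => 'groups_nextcloud_admin'` entry would benefit from a one-line comment on how uffd produces that claim, since nothing else in the file explains it. Unrelated to logic, the comment on `oidc_login_password_authentication` shows `DAVxâµ`; if that mojibake is in the committed file and not only in this rendering, re-save it as UTF-8 (`DAVx⁵`).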