test nextcloud

group_vars/test

@@ -44,6 +44,10 @@ oauth_global:
   logout_url: https://uffd.test-warpzone.de/logout
   metrics_url: https://uffd.test-warpzone.de/metrics
 
+oidc_global:
+  provider_url: https://uffd.test-warpzone.de
+  logout_url: https://uffd.test-warpzone.de/logout
+
 # Matrix Settings 
 matrix:
   domain: matrix.warpzone.ms

site.yml

@@ -54,7 +54,12 @@
         basedir: "/srv/{{ servicename }}",
         domain: "verwaltung-git.test-warpzone.de"
       }
-
+    - { 
+        role: testserver/docker_nextcloud, tags: nextcloud,
+        servicename: "nextcloud",
+        basedir: "/srv/{{ servicename }}",
+        domain: "verwaltung.test-warpzone.de" 
+      }
 
 
 ##################################################

testserver/docker_nextcloud/tasks/main.yml

+---
+
+- include_tasks: ../functions/get_secret.yml
+  with_items:
+    - { path: "{{ basedir }}/secrets/nextcloud_admin_pass",  length: 24 }
+    - { path: "{{ basedir }}/secrets/nextcloud_oidc_secret",  length: 32 }
+    - { path: "{{ basedir }}/secrets/mysql_admin_pass",  length: 24 }
+    - { path: "{{ basedir }}/secrets/mysql_user_pass",  length: 12 }
+
+
+- name: create folder struct for nextcloud
+  file: 
+    path: "{{ item }}"
+    state: "directory"
+    owner: www-data
+    group: root
+  with_items:
+    - "{{ basedir }}"
+    - "{{ basedir }}/data/"
+    - "{{ basedir }}/data/config/"
+    - "{{ basedir }}/db/"
+    - "{{ basedir }}/tmp/"
+    - "{{ basedir }}/secrets/"
+
+
+- name: Docker Compose Konfig-Datei erstellen
+  template: 
+    src: "{{ item }}" 
+    dest: "{{ basedir }}/{{ item }}"
+  with_items:
+    - "docker-compose.yml"
+    - "memory-limit.ini"
+
+- name: Nextcloud Konfig-Dateien erstellen
+  template: 
+    src: "{{ item }}" 
+    dest: "{{ basedir }}/data/config/{{ item }}"
+  with_items:
+    - "custom.config.php"
+    - "oidc.config.php"
+
+- name: Script Helper erstellen
+  template: 
+    src: "{{ item }}" 
+    dest: "{{ basedir }}/{{ item }}"
+    mode: u+x
+  with_items:
+    - "occ.sh"
+
+- name: start nextcloud docker
+  community.docker.docker_compose_v2:
+    project_src: "{{ basedir }}"
+    state: present
+
+

testserver/docker_nextcloud/templates/custom.config.php

+<?php
+$CONFIG = array (
+
+    // Default language
+    // https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/language_configuration.html#default-language
+    'default_language' => 'de',
+
+    // Default locale
+    // https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/language_configuration.html#default-locale
+    'default_locale' => 'de_DE',
+
+    // Default Phone Region
+    // https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#default-phone-region
+    'default_phone_region' => 'DE',
+
+    // Default Timezone
+    // https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#default-timezone
+    'default_timezone' => 'Europe/Berlin',
+
+    // Overwrite Host
+    // https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#overwritehost
+    'overwritehost' => '{{ domain }}',
+
+    // Overwrite Protocoll 
+    // https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#overwriteprotocol
+    'overwriteprotocol' => 'https',
+
+    // Overwrite Url for CLI Access
+    // https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#overwrite-cli-url
+    'overwrite.cli.url' => 'https://{{ domain }}',
+
+    // Trusted Domains
+    // https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#trusted-domains
+    'trusted_domains' =>
+    array (
+        0 => '{{ domain }}',
+        1 => 'app',
+    ),
+
+    // Forwarded for Headers
+    // https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#forwarded-for-headers
+    'forwarded_for_headers' => ['HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR'],
+
+    // Run Maintenance Jobs at any time
+    // https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/background_jobs_configuration.html#parameters
+    'maintenance_window_start' => 100,
+);
\ No newline at end of file

testserver/docker_nextcloud/templates/docker-compose.yml

+version: "3"
+
+services:
+
+  redis:
+
+    image: redis:7-alpine
+    restart: always
+    networks:
+      - default
+
+
+  mysql:
+
+    image: mariadb:11
+    restart: always
+    volumes:
+      - /srv/nextcloud/db/:/var/lib/mysql
+    environment:
+      MYSQL_ROOT_PASSWORD: "{{ mysql_admin_pass }}"
+      MYSQL_PASSWORD: "{{ mysql_user_pass }}"
+      MYSQL_DATABASE: nextcloud
+      MYSQL_USER: nextcloud
+    networks:
+      - default
+
+
+  app:
+
+    image: nextcloud:28-apache
+    restart: always
+    volumes:
+      - /srv/nextcloud/data/:/var/www/html/
+      - /srv/nextcloud/tmp/:/tmp/nextcloudtemp/
+      - /srv/nextcloud/memory-limit.ini:/usr/local/etc/php/conf.d/memory-limit.ini:ro
+      - /srv/jameica-vnc/work/:/jameica-work/
+    environment:
+      REDIS_HOST: redis
+      MYSQL_DATABASE: nextcloud
+      MYSQL_USER: nextcloud
+      MYSQL_PASSWORD: "{{ mysql_user_pass }}"
+      MYSQL_HOST: mysql
+      NEXTCLOUD_ADMIN_USER: "admin"
+      NEXTCLOUD_ADMIN_PASSWORD: "{{nextcloud_admin_pass}}"
+      NEXTCLOUD_UPDATE: "1"
+      OVERWRITEPROTOCOL: https
+      OVERWRITECLIURL: https://{{ domain }}
+      OVERWRITEHOST: {{ domain }}
+      APPIMAGE_EXTRACT_AND_RUN: 1
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
+      - traefik.http.routers.{{ servicename }}.entrypoints=websecure
+      - traefik.http.services.{{ servicename }}.loadbalancer.server.port=80 
+    networks:
+      - default      
+      - web  
+    
+
+  webcron:
+    
+    image: jsonfry/curl-cron:latest 
+    restart: always
+    depends_on:
+      - app
+    environment:
+      OPTIONS: "--insecure https://{{ domain }}/cron.php"
+      CRON_SCHEDULE: "*/5 * * * *"
+    networks:
+      - default
+
+
+networks:
+  web:
+    external: true    

testserver/docker_nextcloud/templates/memory-limit.ini

+memory_limit=-1

testserver/docker_nextcloud/templates/occ.sh

+#!/bin/bash
+
+# Wrapper zur ausführung des OCC Kommendos im Docker 
+docker-compose exec app su www-data -s "/bin/sh" -c "php /var/www/html/occ $1 $2 $3"
\ No newline at end of file

testserver/docker_nextcloud/templates/oidc.config.php

+<?php
+$CONFIG = array (
+
+    // Some Nextcloud options that might make sense here
+    'allow_user_to_change_display_name' => false,
+    'lost_password_link' => 'disabled',
+
+    // URL of provider. All other URLs are auto-discovered from .well-known
+    'oidc_login_provider_url' => '{{ oidc_global.provider_url }}',
+
+    // Client ID and secret registered with the provider
+    'oidc_login_client_id' => 'nextcloud',
+    'oidc_login_client_secret' => '{{ nextcloud_oidc_secret }}',
+
+    // Automatically redirect the login page to the provider
+    'oidc_login_auto_redirect' => true,
+
+    // Redirect to this page after logging out the user
+    'oidc_login_logout_url' => '{{ oidc_global.logout_url }}',
+
+    // If set to true the user will be redirected to the
+    // logout endpoint of the OIDC provider after logout
+    // in Nextcloud. After successfull logout the OIDC
+    // provider will redirect back to 'oidc_login_logout_url' (MUST be set).
+    'oidc_login_end_session_redirect' => false,
+
+    // Login button text
+    'oidc_login_button_text' => 'Log in with OpenID/uffd',
+
+    // Hide the NextCloud password change form.
+    'oidc_login_hide_password_form' => true,
+
+    // Use ID Token instead of UserInfo
+    'oidc_login_use_id_token' => false,
+
+    // Attribute map for OIDC response. 
+    'oidc_login_attributes' => array (
+        'id' => 'sub',
+        'name' => 'name',
+        'mail' => 'email',
+        'groups' => 'groups',
+        'is_admin' => 'groups_nextcloud_admin' 
+    ),
+
+    // Default group to add users to (optional, defaults to nothing)
+    //'oidc_login_default_group' => 'oidc',
+
+    // Set OpenID Connect scope
+    'oidc_login_scope' => 'openid profile email groups',
+
+    // Auto create of users new to Nextcloud from OIDC login.
+    'oidc_login_disable_registration' => false,
+
+    // Fallback to direct login if login from OIDC fails
+    'oidc_login_redir_fallback' => false,
+
+    // Auto create of groups
+    'oidc_create_groups' => false,
+
+    // Enable use of WebDAV via OIDC bearer token.
+    'oidc_login_webdav_enabled' => false,
+
+    // Enable authentication with user/password for DAV clients that do not
+    // support token authentication (e.g. DAVx⁵)
+    'oidc_login_password_authentication' => true,
+
+    // The time in seconds used to cache public keys from provider.
+    // The default value is 1 day.
+    'oidc_login_public_key_caching_time' => 86400,
+
+    // The minimum time in seconds to wait between requests to the jwks_uri endpoint.
+    // Avoids that the provider will be DoSed when someone requests with unknown kids.
+    // The default is 10 seconds.
+    'oidc_login_min_time_between_jwks_requests' => 10,
+
+    // The time in seconds used to cache the OIDC well-known configuration from the provider.
+    // The default value is 1 day.
+    'oidc_login_well_known_caching_time' => 86400,
+
+);
\ No newline at end of file