Compare commits
	
		
			1 Commits
		
	
	
		
			0.7.3
			...
			e9b5475a39
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
| e9b5475a39 | 
							
								
								
									
										11
									
								
								README.md
									
									
									
									
									
								
							
							
						
						
									
										11
									
								
								README.md
									
									
									
									
									
								
							| @@ -7,19 +7,12 @@ and managing nextcloud installations | |||||||
|  |  | ||||||
| ## Roles | ## Roles | ||||||
|  |  | ||||||
| - [`server`](roles/server/README.md): For deploying | - [`roles/server`](roles/server/README.md): For deploying | ||||||
|   and configuring a bare nextcloud instance in a docker container. |   and configuring a bare nextcloud instance in a docker container. | ||||||
|   Supports both the `-apache` (default) and `-fpm` variants. |   Supports both the `-apache` (default) and `-fpm` variants. | ||||||
| - [`apps`](roles/apps/README.md): | - [`roles/apps`](roles/apps/README.md): | ||||||
|   For managing nextcloud apps in an already installed nextcloud |   For managing nextcloud apps in an already installed nextcloud | ||||||
|   server instance. Can install, remove, enable/disable and update apps. |   server instance. Can install, remove, enable/disable and update apps. | ||||||
| - [`ldap_user_backend`](roles/ldap_user_backend/README.md): |  | ||||||
|   Manages LDAP authentication sources in installed nextcloud instances. |  | ||||||
| - [`oidc_user_backend`](roles/oidc_user_backend/README.md): |  | ||||||
|   Manage OIDC authentication sources in installed nextcloud instances. |  | ||||||
| - [`nginx_fpm_proxy`](roles/nginx_fpm_proxy/README.md): |  | ||||||
|   Reverse proxy role which connects to nextcloud using FPM |  | ||||||
|   and serves static content. |  | ||||||
|  |  | ||||||
| ## License | ## License | ||||||
|  |  | ||||||
|   | |||||||
							
								
								
									
										17
									
								
								galaxy.yml
									
									
									
									
									
								
							
							
						
						
									
										17
									
								
								galaxy.yml
									
									
									
									
									
								
							| @@ -1,18 +1,15 @@ | |||||||
| namespace: finallycoffee | namespace: finallycoffee | ||||||
| name: nextcloud | name: nextcloud | ||||||
| version: "0.7.3" | version: 0.3.0 | ||||||
| readme: README.md | readme: README.md | ||||||
| authors: | authors: | ||||||
| - transcaffeine <transcaffeine@finally.coffee> | - Johanna Dorothea Reichmann <transcaffeine@finallycoffee.eu> | ||||||
| description: Installing and configuring nextcloud (and related apps/services) using docker | description: Installing and configuring nextcloud (and related apps/services) using docker | ||||||
| dependencies: | dependencies: | ||||||
|   "community.docker": "^3.0.0" |   "community.docker": "^1.10.0" | ||||||
| license_file: LICENSE.md | license: | ||||||
|  | - CNPLv7+ | ||||||
| build_ignore: | build_ignore: | ||||||
| - '*.tar.gz' | - '*.tar.gz' | ||||||
| repository: https://git.finally.coffee/finallycoffee/nextcloud | repository: https://git.finallycoffee.eu/finallycoffee.eu/nextcloud | ||||||
| issues: https://codeberg.org/finallycoffee/ansible-collection-nextcloud/issues | issues: https://git.finallycoffee.eu/finallycoffee.eu/nextcloud/issues | ||||||
| tags: |  | ||||||
|   - nextcloud |  | ||||||
|   - nextcloud_apps |  | ||||||
|   - docker |  | ||||||
|   | |||||||
| @@ -1,3 +0,0 @@ | |||||||
| --- |  | ||||||
|  |  | ||||||
| requires_ansible: ">=2.15" |  | ||||||
| @@ -1,9 +1,7 @@ | |||||||
| --- | --- | ||||||
|  |  | ||||||
| - name: restart-nextcloud | - name: restart-nextcloud | ||||||
|   community.docker.docker_container: |   docker_container: | ||||||
|     name: "{{ nextcloud_container_name }}" |     name: "{{ nextcloud_container_name }}" | ||||||
|     state: started |     state: started | ||||||
|     restart: true |     restart: yes | ||||||
|     comparisons: |  | ||||||
|       '*': ignore |  | ||||||
|   | |||||||
| @@ -1,12 +0,0 @@ | |||||||
| --- |  | ||||||
| allow_duplicates: true |  | ||||||
| dependencies: [] |  | ||||||
| galaxy_info: |  | ||||||
|   role_name: apps |  | ||||||
|   description: Install Nextcloud apps using ansible |  | ||||||
|   galaxy_tags: |  | ||||||
|     - nextcloud |  | ||||||
|     - owncloud |  | ||||||
|     - apps |  | ||||||
|     - nextcloud-apps |  | ||||||
|     - docker |  | ||||||
| @@ -1,7 +1,7 @@ | |||||||
| --- | --- | ||||||
|  |  | ||||||
| - name: Ensure nextcloud user is created | - name: Ensure nextcloud user is created | ||||||
|   ansible.builtin.user: |   user: | ||||||
|     name: "{{ nextcloud_run_user }}" |     name: "{{ nextcloud_run_user }}" | ||||||
|     state: present |     state: present | ||||||
|   register: nextcloud_user_res |   register: nextcloud_user_res | ||||||
|   | |||||||
| @@ -25,13 +25,3 @@ nextcloud app installed. For starting a nextcloud instance, see the | |||||||
|   the URL to the nextcloud server, including protocol (and port, if |   the URL to the nextcloud server, including protocol (and port, if | ||||||
|   non-standard), and `nc_ldap_api_basic_auth_[user|password]` contain the |   non-standard), and `nc_ldap_api_basic_auth_[user|password]` contain the | ||||||
|   credentials of an admin user with the rights to edit the LDAP settings. |   credentials of an admin user with the rights to edit the LDAP settings. | ||||||
| 
 |  | ||||||
| - Set `nc_ldap_test_configuration` to `true`/`false` to have the role issue a |  | ||||||
|   nextcloud-provided test of the configured LDAP configuration, this corresponds |  | ||||||
|   to a `occ ldap:test-config <id>`. |  | ||||||
| 
 |  | ||||||
| For most of the options, see the |  | ||||||
| [nextcloud manual on configuration keys](https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap_api.html#configuration-keys), |  | ||||||
| the config keys are mapped 1:1 with a prefix of `nc_ldap_config_` and |  | ||||||
| the so-called "snake-case" (`ldap_backup_host`), so `ldapUserFilterMode` becomes |  | ||||||
| `nc_ldap_config_ldap_user_filter_mode`. |  | ||||||
| @@ -1,7 +1,6 @@ | |||||||
| --- | --- | ||||||
| 
 | 
 | ||||||
| nc_ldap_api_method: occ | nc_ldap_api_method: occ | ||||||
| nc_ldap_test_configuration: true |  | ||||||
| 
 | 
 | ||||||
| nc_ldap_api_instance_url: http://localhost | nc_ldap_api_instance_url: http://localhost | ||||||
| nc_ldap_api_basic_auth_user: | nc_ldap_api_basic_auth_user: | ||||||
							
								
								
									
										4
									
								
								roles/ldap-user-backend/meta/main.yml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										4
									
								
								roles/ldap-user-backend/meta/main.yml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,4 @@ | |||||||
|  | --- | ||||||
|  |  | ||||||
|  | collections: | ||||||
|  |   - community.docker | ||||||
							
								
								
									
										81
									
								
								roles/ldap-user-backend/tasks/main.yml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										81
									
								
								roles/ldap-user-backend/tasks/main.yml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,81 @@ | |||||||
|  | --- | ||||||
|  |  | ||||||
|  | - name: Set default api parameters for HTTP | ||||||
|  |   meta: noop | ||||||
|  |   vars: &api_defaults | ||||||
|  |     http_agent: "{{ nc_ldap_meta_http_agent }}" | ||||||
|  |     headers: "{{ nc_ldap_api_headers }}" | ||||||
|  |     url_username: "{{ nc_ldap_api_basic_auth_user }}" | ||||||
|  |     url_password: "{{ nc_ldap_api_basic_auth_password }}" | ||||||
|  |     force_basic_auth: yes | ||||||
|  |     force: yes | ||||||
|  |   when: nc_ldap_api_method == 'http' | ||||||
|  |  | ||||||
|  | - name: Check if configuration with given config ID already exists (occ) | ||||||
|  |   docker_container_exec: | ||||||
|  |     container: "{{ nc_ldap_container }}" | ||||||
|  |     command: "{{ nc_ldap_occ_command }} ldap:show-config --output json {{ '--show-password' if nc_ldap_config_agent_password else '' }} {{ nc_ldap_config_id }}" | ||||||
|  |     user: "{{ nc_ldap_occ_user }}" | ||||||
|  |     tty: yes | ||||||
|  |   when: nc_ldap_api_method == 'occ' | ||||||
|  |   changed_when: false | ||||||
|  |   check_mode: false | ||||||
|  |   register: nc_ldap_existing_config_occ | ||||||
|  |  | ||||||
|  | - name: Check if configuration with given config ID already exists (http) | ||||||
|  |   uri: | ||||||
|  |     <<: *api_defaults | ||||||
|  |     url: "{{ nc_ldap_api_path }}/{{ nc_ldap_config_id }}{{ query_params }}" | ||||||
|  |     method: GET | ||||||
|  |   vars: | ||||||
|  |     query_params: "?showPassword={{ '1' if nc_ldap_config_agent_password else '0' }}&format={{nc_ldap_api_parameter_format }}" | ||||||
|  |   when: nc_ldap_api_method == 'http' | ||||||
|  |   register: nc_ldap_existing_config_api | ||||||
|  |  | ||||||
|  | # TODO: Can we force an ID on POST? | ||||||
|  | - name: Create ldap configuration with id={{ nc_ldap_config_id }} (http) | ||||||
|  |   uri: | ||||||
|  |     <<: *api_defaults | ||||||
|  |     url: "{{ nc_ldap_api_path }}" | ||||||
|  |     method: POST | ||||||
|  |   when: nc_ldap_api_method == 'http' and nc_ldap_existing_config_api.status != 200 | ||||||
|  |  | ||||||
|  | - name: Create ldap configuration with id={{ nc_ldap_config_id }} (occ) | ||||||
|  |   docker_container_exec: | ||||||
|  |     container: "{{ nc_ldap_container }}" | ||||||
|  |     command: "{{ nc_ldap_occ_command }} ldap:create-empty-config --output json {{ nc_ldap_config_id }}" | ||||||
|  |     user: "{{ nc_ldap_occ_user }}" | ||||||
|  |     tty: yes | ||||||
|  |   when: nc_ldap_api_method == 'occ' and nc_ldap_existing_config_occ.rc != 0 and nc_ldap_config_id not in (nc_ldap_existing_config_occ.stdout | from_json).keys() | ||||||
|  |  | ||||||
|  | - name: Parse output of query command to dict | ||||||
|  |   set_fact: | ||||||
|  |     nc_ldap_existing_config: "{{ nc_ldap_existing_config_occ.stdout | from_json }}" | ||||||
|  |   changed_when: false | ||||||
|  |  | ||||||
|  | - name: Create changeset | ||||||
|  |   set_fact: | ||||||
|  |     nc_ldap_config_changeset: "{{ nc_ldap_config_changeset | combine(changed_entry) }}" | ||||||
|  |   vars: | ||||||
|  |     changed_entry: "{{ { item : nc_ldap_config_keys[item] } }}" | ||||||
|  |   loop: "{{ nc_ldap_config_keys.keys() }}" | ||||||
|  |   when: nc_ldap_config_keys[item] is defined and nc_ldap_config_keys[item] and nc_ldap_config_keys[item] != nc_ldap_existing_config[nc_ldap_config_id][item] | ||||||
|  |  | ||||||
|  | - name: Ensure ldap configuration is in sync (http) | ||||||
|  |   uri: | ||||||
|  |     <<: *api_defaults | ||||||
|  |     url: | ||||||
|  |     method: PUT | ||||||
|  |     body: | ||||||
|  |     body_format: "form-urlencoded" | ||||||
|  |   loop: "{{ nc_ldap_config_changeset | dict2items }}" | ||||||
|  |   when: nc_ldap_api_method == 'http' | ||||||
|  |  | ||||||
|  | - name: Ensure ldap configuration is in sync (occ) | ||||||
|  |   docker_container_exec: | ||||||
|  |     container: "{{ nc_ldap_container }}" | ||||||
|  |     command: "{{ nc_ldap_occ_command }} ldap:set-config \"{{ nc_ldap_config_id }}\" \"{{ item.key }}\" \"{{ item.value }}\"" | ||||||
|  |     user: "{{ nc_ldap_occ_user }}" | ||||||
|  |     tty: yes | ||||||
|  |   loop: "{{ nc_ldap_config_changeset | dict2items }}" | ||||||
|  |   when: nc_ldap_api_method == 'occ' | ||||||
| @@ -1,12 +0,0 @@ | |||||||
| --- |  | ||||||
| allow_duplicates: true |  | ||||||
| dependencies: [] |  | ||||||
| galaxy_info: |  | ||||||
|   role_name: ldap_user_backend |  | ||||||
|   description: Configure a nextcloud ldap user backend using ansible |  | ||||||
|   galaxy_tags: |  | ||||||
|     - nextcloud |  | ||||||
|     - owncloud |  | ||||||
|     - ldap |  | ||||||
|     - authentication |  | ||||||
|     - docker |  | ||||||
| @@ -1,49 +0,0 @@ | |||||||
| --- |  | ||||||
|  |  | ||||||
| - name: Set default api parameters for HTTP |  | ||||||
|   ansible.builtin.meta: noop |  | ||||||
|   vars: &api_defaults |  | ||||||
|     http_agent: "{{ nc_ldap_meta_http_agent }}" |  | ||||||
|     headers: "{{ nc_ldap_api_headers }}" |  | ||||||
|     url_username: "{{ nc_ldap_api_basic_auth_user }}" |  | ||||||
|     url_password: "{{ nc_ldap_api_basic_auth_password }}" |  | ||||||
|     force_basic_auth: yes |  | ||||||
|     force: yes |  | ||||||
|  |  | ||||||
| - name: Check if configuration with given config ID already exists |  | ||||||
|   ansible.builtin.uri: |  | ||||||
|     <<: *api_defaults |  | ||||||
|     url: "{{ nc_ldap_api_path }}/{{ nc_ldap_config_id }}{{ query_params }}" |  | ||||||
|     method: GET |  | ||||||
|   vars: |  | ||||||
|     query_params: "?showPassword={{ '1' if nc_ldap_config_agent_password else '0' }}&format={{nc_ldap_api_parameter_format }}" |  | ||||||
|   register: nc_ldap_existing_config_api |  | ||||||
|  |  | ||||||
| # TODO: Can we force an ID on POST? |  | ||||||
| - name: Create ldap configuration with id={{ nc_ldap_config_id }} |  | ||||||
|   ansible.builtin.uri: |  | ||||||
|     <<: *api_defaults |  | ||||||
|     url: "{{ nc_ldap_api_path }}" |  | ||||||
|     method: POST |  | ||||||
|   when: nc_ldap_existing_config_api.status != 200 |  | ||||||
|  |  | ||||||
| - name: Parse output of query command to dict |  | ||||||
|   ansible.builtin.set_fact: |  | ||||||
|     nc_ldap_existing_config: "{{ nc_ldap_existing_config_api.stdout | from_json }}" |  | ||||||
|   changed_when: false |  | ||||||
|  |  | ||||||
| - name: Create changeset |  | ||||||
|   ansible.builtin.set_fact: |  | ||||||
|     nc_ldap_config_changeset: "{{ nc_ldap_config_changeset | combine(changed_entry) }}" |  | ||||||
|   vars: |  | ||||||
|     changed_entry: "{{ { item : nc_ldap_config_keys[item] } }}" |  | ||||||
|   loop: "{{ nc_ldap_config_keys.keys() }}" |  | ||||||
|   when: nc_ldap_config_keys[item] is defined and nc_ldap_config_keys[item] and nc_ldap_config_keys[item] != nc_ldap_existing_config[nc_ldap_config_id][item] |  | ||||||
|  |  | ||||||
| - name: Ensure ldap configuration is in sync (http) |  | ||||||
|   ansible.builtin.uri: |  | ||||||
|     <<: *api_defaults |  | ||||||
|     url: "{{ nc_lap_api_path }}/{{ nc_ldap_config_id }}" |  | ||||||
|     method: PUT |  | ||||||
|     body: "{{ { 'configData': nc_ldap_config_changeset } }}" |  | ||||||
|     body_format: "form-urlencoded" |  | ||||||
| @@ -1,49 +0,0 @@ | |||||||
| --- |  | ||||||
|  |  | ||||||
| - name: Check if configuration with given config ID already exists |  | ||||||
|   community.docker.docker_container_exec: |  | ||||||
|     container: "{{ nc_ldap_container }}" |  | ||||||
|     command: "{{ nc_ldap_occ_command }} ldap:show-config --output json {{ '--show-password' if nc_ldap_config_agent_password else '' }} {{ nc_ldap_config_id }}" |  | ||||||
|     user: "{{ nc_ldap_occ_user }}" |  | ||||||
|     tty: yes |  | ||||||
|   changed_when: false |  | ||||||
|   check_mode: false |  | ||||||
|   register: nc_ldap_existing_config_occ |  | ||||||
|  |  | ||||||
| - name: Create ldap configuration with id={{ nc_ldap_config_id }} |  | ||||||
|   community.docker.docker_container_exec: |  | ||||||
|     container: "{{ nc_ldap_container }}" |  | ||||||
|     command: "{{ nc_ldap_occ_command }} ldap:create-empty-config --output json {{ nc_ldap_config_id }}" |  | ||||||
|     user: "{{ nc_ldap_occ_user }}" |  | ||||||
|     tty: yes |  | ||||||
|   when: nc_ldap_existing_config_occ.rc != 0 and nc_ldap_config_id not in (nc_ldap_existing_config_occ.stdout | from_json).keys() |  | ||||||
|  |  | ||||||
| - name: Parse output of query command to dict |  | ||||||
|   ansible.builtin.set_fact: |  | ||||||
|     nc_ldap_existing_config: "{{ nc_ldap_existing_config_occ.stdout | from_json }}" |  | ||||||
|   changed_when: false |  | ||||||
|  |  | ||||||
| - name: Create changeset |  | ||||||
|   ansible.builtin.set_fact: |  | ||||||
|     nc_ldap_config_changeset: "{{ nc_ldap_config_changeset | combine(changed_entry) }}" |  | ||||||
|   vars: |  | ||||||
|     changed_entry: "{{ { item : nc_ldap_config_keys[item] } }}" |  | ||||||
|   loop: "{{ nc_ldap_config_keys.keys() }}" |  | ||||||
|   when: nc_ldap_config_keys[item] is defined and nc_ldap_config_keys[item] and nc_ldap_config_keys[item] != nc_ldap_existing_config[nc_ldap_config_id][item] |  | ||||||
|  |  | ||||||
| - name: Ensure ldap configuration is in sync |  | ||||||
|   community.docker.docker_container_exec: |  | ||||||
|     container: "{{ nc_ldap_container }}" |  | ||||||
|     command: "{{ nc_ldap_occ_command }} ldap:set-config \"{{ nc_ldap_config_id }}\" \"{{ item.key }}\" \"{{ item.value }}\"" |  | ||||||
|     user: "{{ nc_ldap_occ_user }}" |  | ||||||
|     tty: yes |  | ||||||
|   loop: "{{ nc_ldap_config_changeset | dict2items }}" |  | ||||||
|  |  | ||||||
| - name: Ensure ldap configuration is working |  | ||||||
|   community.docker.docker_container_exec: |  | ||||||
|     container: "{{ nc_ldap_container }}" |  | ||||||
|     command: "{{ nc_ldap_occ_command }} ldap:test-config {{ nc_ldap_config_id }}" |  | ||||||
|     user: "{{ nc_ldap_occ_user }}" |  | ||||||
|     tty: yes |  | ||||||
|   changed_when: false |  | ||||||
|   when: nc_ldap_test_configuration |  | ||||||
| @@ -1,10 +0,0 @@ | |||||||
| --- |  | ||||||
|  |  | ||||||
| - name: Load config {{ nc_ldap_config_id }} (and create if not exists) when running mode is http |  | ||||||
|   ansible.builtin.include_tasks: load_config_http.yml |  | ||||||
|   when: nc_ldap_api_method == 'http' |  | ||||||
|  |  | ||||||
| - name: Load config {{ nc_ldap_config_id }} (and create if not exists) when running mode is occ |  | ||||||
|   ansible.builtin.include_tasks: load_config_occ.yml |  | ||||||
|   when: nc_ldap_api_method == 'occ' |  | ||||||
|  |  | ||||||
| @@ -1,22 +0,0 @@ | |||||||
| # `finallycoffee.nextcloud.nginx-fpm-proxy` ansible role |  | ||||||
|  |  | ||||||
| Ansible role for serving nextcloud static content and connecting to dynamic content via PHP-FPM. |  | ||||||
|  |  | ||||||
| ## Prerequisites |  | ||||||
|  |  | ||||||
| A running nextcloud instance with FPM available either via IP+port or a unix socket. |  | ||||||
|  |  | ||||||
| ## Configuration |  | ||||||
|  |  | ||||||
| - Set `nextcloud_nginx_data_path` to the data directory of the nextcloud instance, |  | ||||||
|   from where static content etc is served from. |  | ||||||
|  |  | ||||||
| - `nextcloud_nginx_storage_path` needs to be set to the storage path of the nextcloud |  | ||||||
|   instance, where user data is stored. Usually this is `{{ nextcloud_nginx_data_path }}/data`. |  | ||||||
|  |  | ||||||
| - Set `nextcloud_nginx_fpm_socket_dir` to the directory containing the FPM socket, |  | ||||||
|   called `nextcloud.sock` by default. This can be overridden in `nextcloud_nginx_fpm_socket_path`. |  | ||||||
|  |  | ||||||
| - If FPM is not used via a unix socket, set `nextcloud_nginx_fpm_server_ip` and |  | ||||||
|   `nextcloud_nginx_fpm_server_port` accordingly. Note that the IP must be reachable |  | ||||||
|   from inside the nginx container. |  | ||||||
| @@ -1,22 +0,0 @@ | |||||||
| --- |  | ||||||
| nextcloud_nginx_version: "1.27.3" |  | ||||||
| nextcloud_nginx_basepath: /opt/nextcloud-nginx |  | ||||||
| nextcloud_nginx_config: "{{ nextcloud_nginx_basepath }}/nextcloud.conf" |  | ||||||
| nextcloud_nginx_servernames: ~ |  | ||||||
|  |  | ||||||
| nextcloud_nginx_container_name: nextcloud_nginx |  | ||||||
| nextcloud_nginx_container_image: "docker.io/library/nginx" |  | ||||||
| nextcloud_nginx_container_image_flavor: "alpine" |  | ||||||
| nextcloud_nginx_container_image_ref: "{{ nextcloud_nginx_container_image }}:{{ nextcloud_nginx_version }}{{ '-' + nextcloud_nginx_container_image_flavor if nextcloud_nginx_container_image_flavor else ''}}" |  | ||||||
| nextcloud_nginx_container_image_force_pull: false |  | ||||||
| nextcloud_nginx_container_extra_volumes: [] |  | ||||||
| nextcloud_nginx_container_extra_labels: {} |  | ||||||
| nextcloud_nginx_container_extra_env: {} |  | ||||||
| nextcloud_nginx_container_restart_policy: unless-stopped |  | ||||||
|  |  | ||||||
| nextcloud_nginx_fpm_server_ip: ~ |  | ||||||
| nextcloud_nginx_fpm_server_port: 9000 |  | ||||||
| nextcloud_nginx_fpm_socket_dir: ~ |  | ||||||
| nextcloud_nginx_fpm_socket_path: "{{ nextcloud_nginx_fpm_socket_dir }}/nextcloud.sock" |  | ||||||
| nextcloud_nginx_data_path: ~ |  | ||||||
| nextcloud_nginx_storage_path: ~ |  | ||||||
| @@ -1,8 +0,0 @@ | |||||||
| --- |  | ||||||
|  |  | ||||||
| - name: Restart nextcloud nginx fpm proxy container |  | ||||||
|   listen: restart-nextcloud-nginx |  | ||||||
|   docker_container: |  | ||||||
|     name: "{{ nextcloud_nginx_container_name }}" |  | ||||||
|     state: started |  | ||||||
|     restart: yes |  | ||||||
| @@ -1,12 +0,0 @@ | |||||||
| --- |  | ||||||
| allow_duplicates: true |  | ||||||
| dependencies: [] |  | ||||||
| galaxy_info: |  | ||||||
|   role_name: nginx_fpm_proxy |  | ||||||
|   description: Configure nginx as a FPM proxy for nextcloud |  | ||||||
|   galaxy_tags: |  | ||||||
|     - nextcloud |  | ||||||
|     - owncloud |  | ||||||
|     - nginx |  | ||||||
|     - fpm |  | ||||||
|     - docker |  | ||||||
| @@ -1,37 +0,0 @@ | |||||||
| --- |  | ||||||
|  |  | ||||||
| - name: Create directory for nginx config |  | ||||||
|   ansible.builtin.file: |  | ||||||
|     path: "{{ nextcloud_nginx_basepath }}" |  | ||||||
|     state: directory |  | ||||||
|     mode: 0750 |  | ||||||
|  |  | ||||||
| - name: Template nginx reverse proxy config for nextcloud |  | ||||||
|   ansible.builtin.template: |  | ||||||
|     src: nextcloud-nginx.conf.j2 |  | ||||||
|     dest: "{{ nextcloud_nginx_config }}" |  | ||||||
|   vars: |  | ||||||
|     fpm_server: "{{ nextcloud_nginx_fpm_server_ip }}" |  | ||||||
|     fpm_server_port: "{{ nextcloud_nginx_fpm_server_port }}" |  | ||||||
|     fpm_socket: "{{ nextcloud_nginx_fpm_socket_path }}" |  | ||||||
|     domain: "{{ nextcloud_nginx_servernames }}" |  | ||||||
|   notify: restart-nextcloud-nginx |  | ||||||
|  |  | ||||||
| - name: Ensure nginx docker image is pulled |  | ||||||
|   community.general.docker_image: |  | ||||||
|     name: "{{ nextcloud_nginx_container_image_ref }}" |  | ||||||
|     state: present |  | ||||||
|     source: pull |  | ||||||
|     force_source: "{{ nextcloud_nginx_container_image_force_pull }}" |  | ||||||
|  |  | ||||||
| - name: Ensure nginx is running for FPM and static file serving |  | ||||||
|   community.docker.docker_container: |  | ||||||
|     env: "{{ nextcloud_nginx_container_env }}" |  | ||||||
|     name: "{{ nextcloud_nginx_container_name }}" |  | ||||||
|     image: "{{ nextcloud_nginx_container_image_ref }}" |  | ||||||
|     ports: "{{ nextcloud_nginx_container_ports  | default(omit, true) }}" |  | ||||||
|     volumes: "{{ nextcloud_nginx_container_volumes }}" |  | ||||||
|     labels: "{{ nextcloud_nginx_container_labels | default(omit, true) }}" |  | ||||||
|     networks: "{{ nextcloud_nginx_container_networks | default(omit, true) }}" |  | ||||||
|     restart_policy: "{{ nextcloud_nginx_container_restart_policy }}" |  | ||||||
|     state: started |  | ||||||
| @@ -1,207 +0,0 @@ | |||||||
| upstream php-handler { |  | ||||||
| {% if fpm_socket %} |  | ||||||
| {% if fpm_socket is not string %} |  | ||||||
| {% for upstream in fpm_socket %} |  | ||||||
|     server unix:{{ upstream }}; |  | ||||||
| {% endfor %} |  | ||||||
| {% else %} |  | ||||||
|     server unix:{{ fpm_socket }}; |  | ||||||
| {% endif %} |  | ||||||
| {% else %} |  | ||||||
|     server {{ fpm_server }}:{{ fpm_server_port }}; |  | ||||||
| {% endif %} |  | ||||||
| } |  | ||||||
|  |  | ||||||
| server { |  | ||||||
|     listen 80; |  | ||||||
|     listen [::]:80; |  | ||||||
|     server_name {{ domain | join(' ') }}; |  | ||||||
|  |  | ||||||
|     # Path to the root of your installation |  | ||||||
|     root /var/www/nextcloud; |  | ||||||
|  |  | ||||||
|     # Add headers to serve security related headers |  | ||||||
|     # Before enabling Strict-Transport-Security headers please read into this |  | ||||||
|     # topic first. |  | ||||||
|     add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; |  | ||||||
|  |  | ||||||
|     # Prevent nginx HTTP Server Detection |  | ||||||
|     server_tokens off; |  | ||||||
|  |  | ||||||
|     # set max upload size |  | ||||||
|     client_max_body_size {{ nextcloud_php_upload_limit }}; |  | ||||||
|     client_body_timeout 300s; |  | ||||||
|     fastcgi_buffers 128 4K; |  | ||||||
|  |  | ||||||
|     # Enable gzip but do not remove ETag headers |  | ||||||
|     gzip on; |  | ||||||
|     gzip_vary on; |  | ||||||
|     gzip_comp_level 4; |  | ||||||
|     gzip_min_length 256; |  | ||||||
|     gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; |  | ||||||
|     gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; |  | ||||||
|  |  | ||||||
|     # Uncomment if your server is build with the ngx_pagespeed module |  | ||||||
|     # This module is currently not supported. |  | ||||||
|     #pagespeed off; |  | ||||||
|  |  | ||||||
|     # The settings allows you to optimize the HTTP2 bandwidth. |  | ||||||
|     # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/ |  | ||||||
|     # for tuning hints |  | ||||||
|     client_body_buffer_size 512k; |  | ||||||
|  |  | ||||||
|     # HTTP response headers borrowed from Nextcloud `.htaccess` |  | ||||||
|     add_header Referrer-Policy "no-referrer" always; |  | ||||||
|     add_header X-Content-Type-Options "nosniff" always; |  | ||||||
|     add_header X-Frame-Options "SAMEORIGIN" always; |  | ||||||
|     add_header X-Permitted-Cross-Domain-Policies "none" always; |  | ||||||
|     add_header X-Robots-Tag "noindex, nofollow" always; |  | ||||||
|     add_header X-XSS-Protection "1; mode=block" always; |  | ||||||
|  |  | ||||||
|     # Remove X-Powered-By, which is an information leak |  | ||||||
|     fastcgi_hide_header X-Powered-By; |  | ||||||
|  |  | ||||||
|     # Set .mjs and .wasm MIME types |  | ||||||
|     # Either include it in the default mime.types list |  | ||||||
|     # and include that list explicitly or add the file extension |  | ||||||
|     # only for Nextcloud like below: |  | ||||||
|     include mime.types; |  | ||||||
|     types { |  | ||||||
|         text/javascript js; |  | ||||||
| 	application/javascript mjs; |  | ||||||
| 	application/wasm wasm; |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|     # Specify how to handle directories -- specifying `/index.php$request_uri` |  | ||||||
|     # here as the fallback means that Nginx always exhibits the desired behaviour |  | ||||||
|     # when a client requests a path that corresponds to a directory that exists |  | ||||||
|     # on the server. In particular, if that directory contains an index.php file, |  | ||||||
|     # that file is correctly served; if it doesn't, then the request is passed to |  | ||||||
|     # the front-end controller. This consistent behaviour means that we don't need |  | ||||||
|     # to specify custom rules for certain paths (e.g. images and other assets, |  | ||||||
|     # `/updater`, `/ocs-provider`), and thus |  | ||||||
|     # `try_files $uri $uri/ /index.php$request_uri` |  | ||||||
|     # always provides the desired behaviour. |  | ||||||
|     index index.php index.html /index.php$request_uri; |  | ||||||
|  |  | ||||||
|     # Rule borrowed from `.htaccess` to handle Microsoft DAV clients |  | ||||||
|     location = / { |  | ||||||
|         if ( $http_user_agent ~ ^DavClnt ) { |  | ||||||
|             return 302 /remote.php/webdav/$is_args$args; |  | ||||||
|         } |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|     location = /robots.txt { |  | ||||||
|         allow all; |  | ||||||
|         log_not_found off; |  | ||||||
|         access_log off; |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|     # Make a regex exception for `/.well-known` so that clients can still |  | ||||||
|     # access it despite the existence of the regex rule |  | ||||||
|     # `location ~ /(\.|autotest|...)` which would otherwise handle requests |  | ||||||
|     # for `/.well-known`. |  | ||||||
|     location ^~ /.well-known { |  | ||||||
|         # The rules in this block are an adaptation of the rules |  | ||||||
|         # in `.htaccess` that concern `/.well-known`. |  | ||||||
|  |  | ||||||
|         location = /.well-known/carddav { return 301 https://$host/remote.php/dav; } |  | ||||||
|         location = /.well-known/caldav  { return 301 https://$host/remote.php/dav; } |  | ||||||
|  |  | ||||||
|         location = /.well-known/webfinger  { return 301 https://$host/index.php/.well-known/webfinger; } |  | ||||||
|         location = /.well-known/nodeinfo   { return 301 https://$host/index.php/.well-known/nodeinfo; } |  | ||||||
|  |  | ||||||
|         location /.well-known/acme-challenge    { try_files $uri $uri/ =404; } |  | ||||||
|         location /.well-known/pki-validation    { try_files $uri $uri/ =404; } |  | ||||||
|  |  | ||||||
|         # Let Nextcloud's API for `/.well-known` URIs handle all other |  | ||||||
|         # requests by passing them to the front-end controller. |  | ||||||
|         return 301 /index.php$request_uri; |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|     # Rules borrowed from `.htaccess` to hide certain paths from clients |  | ||||||
|     location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; } |  | ||||||
|     location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; } |  | ||||||
|  |  | ||||||
|     # Ensure this block, which passes PHP files to the PHP process, is above the blocks |  | ||||||
|     # which handle static assets (as seen below). If this block is not declared first, |  | ||||||
|     # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php` |  | ||||||
|     # to the URI, resulting in a HTTP 500 error response. |  | ||||||
|     location ~ \.php(?:$|/) { |  | ||||||
|         # Required for legacy support |  | ||||||
|         rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri; |  | ||||||
|  |  | ||||||
|         fastcgi_split_path_info ^(.+?\.php)(/.*)$; |  | ||||||
|         set $path_info $fastcgi_path_info; |  | ||||||
|  |  | ||||||
|         try_files $fastcgi_script_name =404; |  | ||||||
|  |  | ||||||
|         include fastcgi_params; |  | ||||||
|         fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name; |  | ||||||
|         fastcgi_param PATH_INFO $path_info; |  | ||||||
|         fastcgi_param HTTPS on; |  | ||||||
|  |  | ||||||
|         fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice |  | ||||||
|         fastcgi_param front_controller_active true;     # Enable pretty urls |  | ||||||
|         fastcgi_pass php-handler; |  | ||||||
|  |  | ||||||
|         fastcgi_intercept_errors on; |  | ||||||
|         fastcgi_request_buffering off; |  | ||||||
|  |  | ||||||
|         fastcgi_max_temp_file_size 0; |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|     # Adding the cache control header for js, css and map files |  | ||||||
|     # Make sure it is BELOW the PHP block |  | ||||||
|     location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ { |  | ||||||
|         expires 1d; |  | ||||||
|         # How `sendfile`, `tcp_nopush` and `tcp_nodelay` interact |  | ||||||
|         # https://thoughts.t37.net/nginx-optimization-understanding-sendfile-tcp-nodelay-and-tcp-nopush-c55cdd276765?gi=f11af534b564 |  | ||||||
|         sendfile on; # use `sendfile` syscall, which is a DMA (zero-copy) call |  | ||||||
|         tcp_nopush on; # wait until the file is fully "read" |  | ||||||
|         tcp_nodelay on; # always immediately flush, never wait for a full packet worth of data (default wait interval = 200ms) |  | ||||||
|         aio on; #async IO for files |  | ||||||
|         open_file_cache max=10000; # cache metadata for up to 10000 files |  | ||||||
|         open_file_cache_valid 3600s; # previous cache is valid for 1h |  | ||||||
|         open_file_cache_errors off; # except if there was an error, that is not cached |  | ||||||
|         try_files $uri /index.php$request_uri; |  | ||||||
|         add_header Cache-Control "public, max-age=15778463"; |  | ||||||
|         # Add headers to serve security related headers (It is intended to |  | ||||||
|         # have those duplicated to the ones above) |  | ||||||
|         # Before enabling Strict-Transport-Security headers please read into |  | ||||||
|         # this topic first. |  | ||||||
|         #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; |  | ||||||
|         # |  | ||||||
|         # WARNING: Only add the preload option once you read about |  | ||||||
|         # the consequences in https://hstspreload.org/. This option |  | ||||||
|         # will add the domain to a hardcoded list that is shipped |  | ||||||
|         # in all major browsers and getting removed from this list |  | ||||||
|         # could take several months. |  | ||||||
|         add_header Referrer-Policy "no-referrer" always; |  | ||||||
|         add_header X-Content-Type-Options "nosniff" always; |  | ||||||
|         add_header X-Download-Options "noopen" always; |  | ||||||
|         add_header X-Frame-Options "SAMEORIGIN" always; |  | ||||||
|         add_header X-Permitted-Cross-Domain-Policies "none" always; |  | ||||||
|         add_header X-Robots-Tag "none" always; |  | ||||||
|         add_header X-XSS-Protection "1; mode=block" always; |  | ||||||
|  |  | ||||||
|         # Optional: Don't log access to assets |  | ||||||
|         access_log off; |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|  |  | ||||||
|     location ~ \.woff2?$ { |  | ||||||
|         try_files $uri /index.php$request_uri; |  | ||||||
|         expires 7d;         # Cache-Control policy borrowed from `.htaccess` |  | ||||||
|         access_log off;     # Optional: Don't log access to assets |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|     # Rule borrowed from `.htaccess` |  | ||||||
|     location /remote { |  | ||||||
|         return 301 /remote.php$request_uri; |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|     location / { |  | ||||||
|         try_files $uri $uri/ /index.php$request_uri; |  | ||||||
|     } |  | ||||||
| } |  | ||||||
| @@ -1,18 +0,0 @@ | |||||||
| --- |  | ||||||
|  |  | ||||||
| nextcloud_nginx_container_volumes_base: >-2 |  | ||||||
|   {{ |  | ||||||
|     [ |  | ||||||
|       nextcloud_nginx_config + ':/etc/nginx/conf.d/nextcloud.conf:ro', |  | ||||||
|       nextcloud_nginx_data_path + ':/var/www/nextcloud:ro', |  | ||||||
|       nextcloud_nginx_storage_path + ':/var/www/nextcloud/data:rw' |  | ||||||
|     ] |  | ||||||
|     + ([nextcloud_nginx_fpm_socket_dir + ':' + nextcloud_nginx_fpm_socket_dir + ':rw'] if nextcloud_nginx_fpm_socket_dir else []) |  | ||||||
|   }} |  | ||||||
| nextcloud_nginx_container_labels_base: |  | ||||||
|   version: "{{ nextcloud_nginx_version }}" |  | ||||||
| nextcloud_nginx_container_env_base: {} |  | ||||||
|  |  | ||||||
| nextcloud_nginx_container_volumes: "{{ nextcloud_nginx_container_volumes_base + nextcloud_nginx_container_extra_volumes }}" |  | ||||||
| nextcloud_nginx_container_labels: "{{ nextcloud_nginx_container_labels_base | combine(nextcloud_nginx_container_extra_labels) }}" |  | ||||||
| nextcloud_nginx_container_env: "{{ nextcloud_nginx_container_env_base | combine(nextcloud_nginx_container_extra_env) }}" |  | ||||||
| @@ -1,26 +0,0 @@ | |||||||
| # `finallycoffee.nextcloud.oidc_user_backend` ansible role |  | ||||||
|  |  | ||||||
| Configure OIDC user backends in nextcloud using this ansible role. |  | ||||||
| This role can be run multiple times with different arguments in order to |  | ||||||
| configure multiple oidc-based user backends. |  | ||||||
|  |  | ||||||
| ## Configuration |  | ||||||
|  |  | ||||||
| Set `oidc_user_backend_provider_identifier` to a unique identifier. |  | ||||||
| Populate your provider information in the `oidc_user_backend_config_provider_provider_(settings_)` |  | ||||||
| like this: |  | ||||||
|  |  | ||||||
| ```yaml |  | ||||||
| oidc_user_backend_config_provider_identifier: my_provider |  | ||||||
| oidc_user_backend_config_provider_discovery_endpoint: https://idp.example.com/ |  | ||||||
| oidc_user_backend_config_provider_client_id: my-client-id |  | ||||||
| oidc_user_backend_config_provider_client_secret: my-client-secret |  | ||||||
|  |  | ||||||
| # All options to the occ command are avaible in the |  | ||||||
| # `oidc_user_backend_config_provider_settings_` namespace |  | ||||||
| oidc_user_backend_config_provider_settings_unique_id: true |  | ||||||
| oidc_user_backend_config_provider_settings_send_id_token_hint: true |  | ||||||
| oidc_user_backend_config_provider_settings_mapping_display_name: name |  | ||||||
| oidc_user_backend_config_provider_settings_mapping_uid: preferred_username |  | ||||||
| oidc_user_backend_config_provider_settings_mapping_email: email |  | ||||||
| ``` |  | ||||||
| @@ -1,40 +0,0 @@ | |||||||
| --- |  | ||||||
| oidc_user_backend_config_provider_identifier: ~ |  | ||||||
| oidc_user_backend_config_provider_client_id: ~ |  | ||||||
| oidc_user_backend_config_provider_client_secret: ~ |  | ||||||
| oidc_user_backend_config_provider_discovery_endpoint: ~ |  | ||||||
| oidc_user_backend_config_provider_end_session_endpoint: ~ |  | ||||||
| oidc_user_backend_config_provider_scopes: |  | ||||||
|   - openid |  | ||||||
|   - email |  | ||||||
|   - profile |  | ||||||
|  |  | ||||||
| oidc_user_backend_config_provider_settings_unique_uid: true |  | ||||||
| oidc_user_backend_config_provider_settings_check_bearer: true |  | ||||||
| oidc_user_backend_config_provider_settings_send_id_token_hint: true |  | ||||||
| oidc_user_backend_config_provider_settings_bearer_provisioning: false |  | ||||||
| oidc_user_backend_config_provider_settings_extra_claims: [] |  | ||||||
| oidc_user_backend_config_provider_settings_provider_based_id: false |  | ||||||
| oidc_user_backend_config_provider_settings_group_provisioning: false |  | ||||||
|  |  | ||||||
| oidc_user_backend_config_provider_settings_mapping_display_name: name |  | ||||||
| oidc_user_backend_config_provider_settings_mapping_email: email |  | ||||||
| oidc_user_backend_config_provider_settings_mapping_quota: ~ |  | ||||||
| oidc_user_backend_config_provider_settings_mapping_uid: sub |  | ||||||
| oidc_user_backend_config_provider_settings_mapping_groups: ~ |  | ||||||
| oidc_user_backend_config_provider_settings_mapping_address: ~ |  | ||||||
| oidc_user_backend_config_provider_settings_mapping_street_address: ~ |  | ||||||
| oidc_user_backend_config_provider_settings_mapping_postal_code: ~ |  | ||||||
| oidc_user_backend_config_provider_settings_mapping_locality: ~ |  | ||||||
| oidc_user_backend_config_provider_settings_mapping_region: ~ |  | ||||||
| oidc_user_backend_config_provider_settings_mapping_country: ~ |  | ||||||
| oidc_user_backend_config_provider_settings_mapping_website: ~ |  | ||||||
| oidc_user_backend_config_provider_settings_mapping_avatar: ~ |  | ||||||
| oidc_user_backend_config_provider_settings_mapping_twitter: ~ |  | ||||||
| oidc_user_backend_config_provider_settings_mapping_fediverse: ~ |  | ||||||
| oidc_user_backend_config_provider_settings_mapping_organisation: ~ |  | ||||||
| oidc_user_backend_config_provider_settings_mapping_role: ~ |  | ||||||
| oidc_user_backend_config_provider_settings_mapping_headline: ~ |  | ||||||
| oidc_user_backend_config_provider_settings_mapping_biography: ~ |  | ||||||
| oidc_user_backend_config_provider_settings_mapping_phone: ~ |  | ||||||
| oidc_user_backend_config_provider_settings_mapping_gender: ~ |  | ||||||
| @@ -1,5 +0,0 @@ | |||||||
| --- |  | ||||||
| oidc_user_backend_deployment_method: host |  | ||||||
| oidc_user_backend_deployment_become_user: ~ |  | ||||||
| oidc_user_backend_deployment_method_docker_container_name: nextcloud |  | ||||||
| oidc_user_backend_deployment_method_podman_container_name: nextcloud |  | ||||||
| @@ -1,15 +0,0 @@ | |||||||
| --- |  | ||||||
| oidc_user_backend_occ_command: "php occ" |  | ||||||
| oidc_user_backend_occ_user_oidc_provider_identifier: >-2 |  | ||||||
|   {{ oidc_user_backend_config_provider_identifier }} |  | ||||||
| oidc_user_backend_force_update: false |  | ||||||
|  |  | ||||||
| oidc_user_backend_occ_user_oidc_provider_set_command: >-2 |  | ||||||
|   {{ oidc_user_backend_occ_command }} user_oidc:provider |  | ||||||
|   {{ oidc_user_backend_occ_user_oidc_provider_options }} |  | ||||||
|   {{ oidc_user_backend_occ_user_oidc_provider_identifier }} |  | ||||||
| oidc_user_backend_occ_user_oidc_provider_list_command: >-2 |  | ||||||
|   {{ oidc_user_backend_occ_command }} user_oidc:provider --output=json |  | ||||||
| oidc_user_backend_occ_user_oidc_provider_get_command: >-2 |  | ||||||
|   {{ oidc_user_backend_occ_command }} user_oidc:provider --output=json |  | ||||||
|   {{ oidc_user_backend_occ_user_oidc_provider_identifier }} |  | ||||||
| @@ -1,12 +0,0 @@ | |||||||
| --- |  | ||||||
| allow_duplicates: true |  | ||||||
| dependencies: [] |  | ||||||
| galaxy_info: |  | ||||||
|   role_name: oidc_user_backend |  | ||||||
|   description: Configure a nextcloud oidc user backend using ansible |  | ||||||
|   galaxy_tags: |  | ||||||
|     - nextcloud |  | ||||||
|     - owncloud |  | ||||||
|     - oidc |  | ||||||
|     - authentication |  | ||||||
|     - docker |  | ||||||
| @@ -1,41 +0,0 @@ | |||||||
| --- |  | ||||||
| - name: Execute OCC command (host) |  | ||||||
|   ansible.builtin.command: |  | ||||||
|     cmd: "{{ oidc_user_backend_occ_command_to_exec }}" |  | ||||||
|   become_user: "{{ oidc_user_backend_occ_user_to_become }}" |  | ||||||
|   register: oidc_user_backend_occ_command_result_host |  | ||||||
|   when: oidc_user_backend_deployment_method == 'host' |  | ||||||
|  |  | ||||||
| - name: Execute OCC command (docker) |  | ||||||
|   community.docker.docker_container_exec: |  | ||||||
|     container: >-2 |  | ||||||
|       {{ oidc_user_backend_deployment_method_docker_container_name }} |  | ||||||
|     command: "{{ oidc_user_backend_occ_command_to_exec }}" |  | ||||||
|     user: "{{ oidc_user_backend_occ_user_to_become | default(omit, true) }}" |  | ||||||
|   register: oidc_user_backend_occ_command_result_docker |  | ||||||
|   when: oidc_user_backend_deployment_method == 'docker' |  | ||||||
|  |  | ||||||
| - name: Execute OCC command (podman) |  | ||||||
|   containers.podman.podman_container_exec: |  | ||||||
|     name: >-2 |  | ||||||
|       {{ oidc_user_backend_deployment_method_podman_container_name }} |  | ||||||
|     command: "{{ oidc_user_backend_occ_command_to_exec }}" |  | ||||||
|     user: "{{ oidc_user_backend_occ_user_to_become | default(omit, true) }}" |  | ||||||
|   register: oidc_user_backend_occ_command_result_podman |  | ||||||
|   when: oidc_user_backend_deployment_method == 'podman' |  | ||||||
|  |  | ||||||
| - name: Register result into variable |  | ||||||
|   ansible.builtin.set_fact: { |  | ||||||
|     "{{ oidc_user_backend_occ_command_result_var }}" : "{{ |  | ||||||
|       oidc_user_backend_occ_command_result.stdout | string | from_json |  | ||||||
|     }}" |  | ||||||
|   } |  | ||||||
|   vars: |  | ||||||
|     oidc_user_backend_occ_result_map: |  | ||||||
|       host: "{{ oidc_user_backend_occ_command_result_host }}" |  | ||||||
|       docker: "{{ oidc_user_backend_occ_command_result_docker }}" |  | ||||||
|       podman: "{{ oidc_user_backend_occ_command_result_podman }}" |  | ||||||
|     oidc_user_backend_occ_command_result: >-2 |  | ||||||
|       {{ oidc_user_backend_occ_result_map[oidc_user_backend_deployment_method] |  | ||||||
|       | default(false, true) }} |  | ||||||
|   when: oidc_user_backend_occ_command_result_var | default(false, true) |  | ||||||
| @@ -1,52 +0,0 @@ | |||||||
| --- |  | ||||||
| - name: Check if deployment method is supported |  | ||||||
|   ansible.builtin.fail: |  | ||||||
|     msg: >-2 |  | ||||||
|       Deployment method '{{ oidc_user_backend_deployment_method }}' is not supported! |  | ||||||
|       Supported are: {{ oidc_user_backend_deployment_methods | join(', ') }} |  | ||||||
|   when: oidc_user_backend_deployment_method not in oidc_user_backend_deployment_methods |  | ||||||
|  |  | ||||||
| - name: Lookup become user info |  | ||||||
|   ansible.builtin.user: |  | ||||||
|     name: "{{ oidc_user_backend_deployment_become_user }}" |  | ||||||
|     state: present |  | ||||||
|   check_mode: true |  | ||||||
|   register: oidc_user_backend_deployment_become_user_info |  | ||||||
|   when: oidc_user_backend_deployment_become_user | default(false, true) |  | ||||||
|  |  | ||||||
| - name: Retrieve configured providers |  | ||||||
|   ansible.builtin.include_tasks: |  | ||||||
|     file: execute-occ.yml |  | ||||||
|   vars: |  | ||||||
|     oidc_user_backend_occ_command_to_exec: >- |  | ||||||
|       {{ oidc_user_backend_occ_user_oidc_provider_get_command }} |  | ||||||
|     oidc_user_backend_occ_user_to_become: "{{ oidc_user_backend_deployment_become_user_info.uid }}" |  | ||||||
|     oidc_user_backend_occ_command_result_var: "oidc_user_backend_occ_user_oidc_provider" |  | ||||||
|  |  | ||||||
| - name: Check if provider information should be updated |  | ||||||
|   set_fact: |  | ||||||
|     oidc_user_backend_backend_force_update: true |  | ||||||
|   loop: "{{ lookup('ansible.utils.to_paths', oidc_user_backend_occ_user_oidc_provider) | dict2items }}" |  | ||||||
|   loop_control: |  | ||||||
|     label: "{{ item.key }}" |  | ||||||
|   vars: |  | ||||||
|     target_config: >-2 |  | ||||||
|       {{ lookup('ansible.utils.to_paths', oidc_user_backend_occ_user_oidc_config_provider_dict) }} |  | ||||||
|   when: |  | ||||||
|     - item.key not in oidc_user_backend_occ_user_oidc_provider_ignored_settings |  | ||||||
|     - (item.value != None) and (target_config[item.key] != None) |  | ||||||
|     - >-2 |  | ||||||
|         (target_config[item.key] != None) | ternary( |  | ||||||
|           (item.value != target_config[item.key]), |  | ||||||
|           (item.value | string | length > 0) |  | ||||||
|         ) |  | ||||||
|  |  | ||||||
| - name: Update configuration for provider '{{ oidc_user_backend_config_provider_identifier }}' |  | ||||||
|   ansible.builtin.include_tasks: |  | ||||||
|     file: execute-occ.yml |  | ||||||
|   vars: |  | ||||||
|     oidc_user_backend_occ_command_to_exec: >- |  | ||||||
|       {{ oidc_user_backend_occ_user_oidc_provider_set_command }} |  | ||||||
|     oidc_user_backend_occ_user_to_become: "{{ oidc_user_backend_deployment_become_user_info.uid }}" |  | ||||||
|     oidc_user_backend_occ_command_result_var: ~ |  | ||||||
|   when: oidc_user_backend_backend_force_update | default(false, true) |  | ||||||
| @@ -1,9 +0,0 @@ | |||||||
| --- |  | ||||||
| oidc_user_backend_deployment_methods: |  | ||||||
|   - host |  | ||||||
|   - docker |  | ||||||
|   - podman |  | ||||||
|  |  | ||||||
| oidc_user_backend_occ_user_oidc_provider_ignored_settings: |  | ||||||
|   - 'id' |  | ||||||
|   - 'settings.bearerProvisioning' |  | ||||||
| @@ -1,43 +0,0 @@ | |||||||
| --- |  | ||||||
| # JSON structure of the `occ` response with `--output=json` |  | ||||||
| oidc_user_backend_occ_user_oidc_config_provider_dict: |  | ||||||
|   identifier: "{{ oidc_user_backend_config_provider_identifier }}" |  | ||||||
|   clientId: "{{ oidc_user_backend_config_provider_client_id }}" |  | ||||||
|   clientSecret: "{{ oidc_user_backend_config_provider_client_secret }}" |  | ||||||
|   discoveryEndpoint: "{{ oidc_user_backend_config_provider_discovery_endpoint }}" |  | ||||||
|   endSessionEndpoint: "{{ oidc_user_backend_config_provider_end_session_endpoint }}" |  | ||||||
|   scope: "{{ oidc_user_backend_config_provider_scopes | default([], true) | join(' ') }}" |  | ||||||
|   settings: |  | ||||||
|     uniqueUid: >-2 |  | ||||||
|       {{ oidc_user_backend_config_provider_settings_unique_uid | bool }} |  | ||||||
|     providerBasedId: >-2 |  | ||||||
|       {{ oidc_user_backend_config_provider_settings_provider_based_id | bool }} |  | ||||||
|     checkBearer: >-2 |  | ||||||
|       {{ oidc_user_backend_config_provider_settings_check_bearer | bool }} |  | ||||||
|     sendIdTokenHint: >-2 |  | ||||||
|       {{ oidc_user_backend_config_provider_settings_send_id_token_hint | bool }} |  | ||||||
|     groupProvisioning: >-2 |  | ||||||
|       {{ oidc_user_backend_config_provider_settings_group_provisioning | bool }} |  | ||||||
|     extraClaims: >-2 |  | ||||||
|       {{ oidc_user_backend_config_provider_settings_extra_claims | default([]) | join(' ') }} |  | ||||||
|     mappingDisplayName: "{{ oidc_user_backend_config_provider_settings_mapping_display_name }}" |  | ||||||
|     mappingEmail: "{{ oidc_user_backend_config_provider_settings_mapping_email }}" |  | ||||||
|     mappingQuota: "{{ oidc_user_backend_config_provider_settings_mapping_quota }}" |  | ||||||
|     mappingUid: "{{ oidc_user_backend_config_provider_settings_mapping_uid }}" |  | ||||||
|     mappingGroups: "{{ oidc_user_backend_config_provider_settings_mapping_groups }}" |  | ||||||
|     mappingWebsite: "{{ oidc_user_backend_config_provider_settings_mapping_website }}" |  | ||||||
|     mappingAvatar: "{{ oidc_user_backend_config_provider_settings_mapping_avatar }}" |  | ||||||
|     mappingTwitter: "{{ oidc_user_backend_config_provider_settings_mapping_twitter }}" |  | ||||||
|     mappingFediverse: "{{ oidc_user_backend_config_provider_settings_mapping_fediverse }}" |  | ||||||
|     mappingOrganisation: "{{ oidc_user_backend_config_provider_settings_mapping_organisation }}" |  | ||||||
|     mappingRole: "{{ oidc_user_backend_config_provider_settings_mapping_role }}" |  | ||||||
|     mappingHeadline: "{{ oidc_user_backend_config_provider_settings_mapping_headline }}" |  | ||||||
|     mappingBiography: "{{ oidc_user_backend_config_provider_settings_mapping_biography }}" |  | ||||||
|     mappingPhonenumber: "{{ oidc_user_backend_config_provider_settings_mapping_phone }}" |  | ||||||
|     mappingGender: "{{ oidc_user_backend_config_provider_settings_mapping_gender }}" |  | ||||||
|     mappingAddress: "{{ oidc_user_backend_config_provider_settings_mapping_address }}" |  | ||||||
|     mappingStreetaddress: "{{ oidc_user_backend_config_provider_settings_mapping_street_address }}" |  | ||||||
|     mappingPostalcode: "{{ oidc_user_backend_config_provider_settings_mapping_postal_code }}" |  | ||||||
|     mappingLocality: "{{ oidc_user_backend_config_provider_settings_mapping_locality }}" |  | ||||||
|     mappingRegion: "{{ oidc_user_backend_config_provider_settings_mapping_region }}" |  | ||||||
|     mappingCountry: "{{ oidc_user_backend_config_provider_settings_mapping_country }}" |  | ||||||
| @@ -1,54 +0,0 @@ | |||||||
| --- |  | ||||||
| # Structure how `occ user_oidc:provider [options] [<identifier>]` expects them |  | ||||||
| oidc_user_backend_occ_user_oidc_provider_options_dict: |  | ||||||
|   clientid: "{{ oidc_user_backend_config_provider_client_id }}" |  | ||||||
|   clientsecret: "{{ oidc_user_backend_config_provider_client_secret }}" |  | ||||||
|   discoveryuri: "{{ oidc_user_backend_config_provider_discovery_endpoint }}" |  | ||||||
|   endsessionendpointuri: "{{ oidc_user_backend_config_provider_end_session_endpoint }}" |  | ||||||
|   scope: "'{{ oidc_user_backend_config_provider_scopes | default([], true) | join(' ') }}'" |  | ||||||
|   "unique-uid": >-2 |  | ||||||
|     {{ oidc_user_backend_config_provider_settings_unique_uid | bool | ternary(1, 0) }} |  | ||||||
|   "check-bearer": >-2 |  | ||||||
|     {{ oidc_user_backend_config_provider_settings_check_bearer | bool | ternary(1, 0) }} |  | ||||||
|   "send-id-token-hint": >-2 |  | ||||||
|     {{ oidc_user_backend_config_provider_settings_send_id_token_hint | bool | ternary(1, 0) }} |  | ||||||
|   "group-provisioning": >-2 |  | ||||||
|     {{ oidc_user_backend_config_provider_settings_group_provisioning | bool | ternary(1, 0) }} |  | ||||||
|   "extra-claims": >-2 |  | ||||||
|     {{ (oidc_user_backend_config_provider_settings_extra_claims | default([]) | length > 0) |  | ||||||
|        | ternary(oidc_user_backend_config_provider_settings_extra_claims | join(' ') | quote, '') }} |  | ||||||
|  |  | ||||||
| oidc_user_backend_occ_user_oidc_provider_mapping_options_dict: |  | ||||||
|   "display-name": "{{ oidc_user_backend_config_provider_settings_mapping_display_name }}" |  | ||||||
|   email: "{{ oidc_user_backend_config_provider_settings_mapping_email }}" |  | ||||||
|   quota: "{{ oidc_user_backend_config_provider_settings_mapping_quota }}" |  | ||||||
|   uid: "{{ oidc_user_backend_config_provider_settings_mapping_uid }}" |  | ||||||
|   groups: "{{ oidc_user_backend_config_provider_settings_mapping_groups }}" |  | ||||||
|   website: "{{ oidc_user_backend_config_provider_settings_mapping_website }}" |  | ||||||
|   avatar: "{{ oidc_user_backend_config_provider_settings_mapping_avatar }}" |  | ||||||
|   twitter: "{{ oidc_user_backend_config_provider_settings_mapping_twitter }}" |  | ||||||
|   fediverse: "{{ oidc_user_backend_config_provider_settings_mapping_fediverse }}" |  | ||||||
|   organisation: "{{ oidc_user_backend_config_provider_settings_mapping_organisation }}" |  | ||||||
|   role: "{{ oidc_user_backend_config_provider_settings_mapping_role }}" |  | ||||||
|   headline: "{{ oidc_user_backend_config_provider_settings_mapping_headline }}" |  | ||||||
|   biography: "{{ oidc_user_backend_config_provider_settings_mapping_biography }}" |  | ||||||
|   phone: "{{ oidc_user_backend_config_provider_settings_mapping_phone }}" |  | ||||||
|   gender: "{{ oidc_user_backend_config_provider_settings_mapping_gender }}" |  | ||||||
|   address: "{{ oidc_user_backend_config_provider_settings_mapping_address }}" |  | ||||||
|   street_address: "{{ oidc_user_backend_config_provider_settings_mapping_street_address }}" |  | ||||||
|   postal_code: "{{ oidc_user_backend_config_provider_settings_mapping_postal_code }}" |  | ||||||
|   locality: "{{ oidc_user_backend_config_provider_settings_mapping_locality }}" |  | ||||||
|   region: "{{ oidc_user_backend_config_provider_settings_mapping_region }}" |  | ||||||
|   country: "{{ oidc_user_backend_config_provider_settings_mapping_country }}" |  | ||||||
|  |  | ||||||
| oidc_user_backend_occ_user_oidc_provider_options: >-2 |  | ||||||
|   {% for tuple in oidc_user_backend_occ_user_oidc_provider_options_dict | dict2items %} |  | ||||||
|   {% if tuple.value | default(false, true) %} |  | ||||||
|   --{{ tuple.key }}={{ tuple.value }} |  | ||||||
|   {% endif %} |  | ||||||
|   {% endfor %} |  | ||||||
|   {% for tuple in oidc_user_backend_occ_user_oidc_provider_mapping_options_dict | dict2items %} |  | ||||||
|   {% if tuple.value | default(false, true) %} |  | ||||||
|   --mapping-{{ tuple.key }}={{ tuple.value }} |  | ||||||
|   {% endif %} |  | ||||||
|   {% endfor %} |  | ||||||
| @@ -12,10 +12,3 @@ so the host file permissions remain comprehensible. | |||||||
| - `nextcloud_socket_path`: Setting this (to, for example, `{{ nextcloud_basepath }}/socket`), | - `nextcloud_socket_path`: Setting this (to, for example, `{{ nextcloud_basepath }}/socket`), | ||||||
|   will make FPM listen on `{{ nextcloud_socket_path }}/nextcloud.sock` on the host, enabling |   will make FPM listen on `{{ nextcloud_socket_path }}/nextcloud.sock` on the host, enabling | ||||||
|   you to use FPM to interface with nextcloud. |   you to use FPM to interface with nextcloud. | ||||||
|  |  | ||||||
| ### Redis over UNIX-Socket |  | ||||||
|  |  | ||||||
| Set `REDIS_HOST` to a path in the container where the socket is mapped using |  | ||||||
| `nextcloud_container_extra_environment`. Also set `REDIS_HOST_PORT` to 0 |  | ||||||
| explicitely, as `redis.config.php` will set it to `null` otherwise, resulting |  | ||||||
| in an exception. Set your redis password in `REDIS_HOST_PASSWORD`. |  | ||||||
|   | |||||||
| @@ -1,5 +1,6 @@ | |||||||
| --- | --- | ||||||
| nextcloud_version: "30.0.5" |  | ||||||
|  | nextcloud_version: 22.2.0 | ||||||
| nextcloud_user: nextcloud | nextcloud_user: nextcloud | ||||||
| nextcloud_basepath: /opt/nextcloud | nextcloud_basepath: /opt/nextcloud | ||||||
| nextcloud_config_path: "{{ nextcloud_basepath }}/config" | nextcloud_config_path: "{{ nextcloud_basepath }}/config" | ||||||
| @@ -19,20 +20,9 @@ nextcloud_database_pass: ~ | |||||||
| nextcloud_database_host: localhost | nextcloud_database_host: localhost | ||||||
|  |  | ||||||
| nextcloud_container_name: nextcloud | nextcloud_container_name: nextcloud | ||||||
| nextcloud_container_image_server: docker.io | nextcloud_container_image: docker.io/library/nextcloud | ||||||
| nextcloud_container_image_namespace: library |  | ||||||
| nextcloud_container_image_name: nextcloud |  | ||||||
| nextcloud_container_image: >-2 |  | ||||||
|   {{ |  | ||||||
|     [ |  | ||||||
|       nextcloud_container_image_server, |  | ||||||
|       nextcloud_container_image_namespace, |  | ||||||
|       nextcloud_container_image_name, |  | ||||||
|     ] | join('/') |  | ||||||
|   }} |  | ||||||
| nextcloud_container_image_variant: "-fpm-alpine" | nextcloud_container_image_variant: "-fpm-alpine" | ||||||
| nextcloud_container_image_ref: >-2 | nextcloud_container_image_ref: "{{ nextcloud_container_name }}:{{ nextcloud_version }}{{ nextcloud_container_image_variant }}" | ||||||
|   {{ nextcloud_container_image }}:{{ nextcloud_version }}{{ nextcloud_container_image_variant }} |  | ||||||
| nextcloud_container_image_force_source: false | nextcloud_container_image_force_source: false | ||||||
| nextcloud_container_restart_policy: "unless-stopped" | nextcloud_container_restart_policy: "unless-stopped" | ||||||
|  |  | ||||||
| @@ -51,23 +41,24 @@ nextcloud_container_extra_labels: {} | |||||||
| nextcloud_container_extra_environment: {} | nextcloud_container_extra_environment: {} | ||||||
|  |  | ||||||
| nextcloud_container_networks: ~ | nextcloud_container_networks: ~ | ||||||
|  | nextcloud_container_purge_other_networks: true | ||||||
|  |  | ||||||
| nextcloud_paths: | nextcloud_paths: | ||||||
|   - path: "{{ nextcloud_config_path }}" |   - path: "{{ nextcloud_config_path }}" | ||||||
|     mode: "0755" |     mode: "0755" | ||||||
|     owner: "{{ nextcloud_user_info.uid | default(nextcloud_user) }}" |     owner: "{{ nextcloud_user_info.uid|default(nextcloud_user) }}" | ||||||
|     group: root |     group: "root" | ||||||
|   - path: "{{ nextcloud_data_path }}" |   - path: "{{ nextcloud_data_path }}" | ||||||
|     mode: "0755" |     mode: "0755" | ||||||
|     owner: "{{ nextcloud_user_info.uid | default(nextcloud_user) }}" |     owner: "{{ nextcloud_user_info.uid|default(nextcloud_user) }}" | ||||||
|     group: "{{ nextcloud_user_info.group | default(nextcloud_user) }}" |     group: "{{ nextcloud_user_info.uid|default(nextcloud_user) }}" | ||||||
|   - path: "{{ nextcloud_fpm_config_path }}" |   - path: "{{ nextcloud_fpm_config_path }}" | ||||||
|     mode: "0750" |     mode: "0750" | ||||||
|     owner: root |     owner: root | ||||||
|     group: root |     group: root | ||||||
|   - path: "{{ nextcloud_storage_path }}" |   - path: "{{ nextcloud_storage_path }}" | ||||||
|     mode: "0770" |     mode: "0770" | ||||||
|     owner: "{{ nextcloud_user_info.uid | default(nextcloud_user) }}" |     owner: "{{ nextcloud_user_info.uid|default(nextcloud_user) }}" | ||||||
|     group: "root" |     group: "root" | ||||||
|  |  | ||||||
| # PHP OpCache tuning | # PHP OpCache tuning | ||||||
|   | |||||||
| @@ -1,10 +0,0 @@ | |||||||
| --- |  | ||||||
| allow_duplicates: true |  | ||||||
| dependencies: [] |  | ||||||
| galaxy_info: |  | ||||||
|   role_name: server |  | ||||||
|   description: Deploy nextcloud server, the self-hosted nextcloud |  | ||||||
|   galaxy_tags: |  | ||||||
|     - nextcloud |  | ||||||
|     - owncloud |  | ||||||
|     - docker |  | ||||||
| @@ -1,6 +1,6 @@ | |||||||
| --- | --- | ||||||
|  |  | ||||||
| - name: Ensure {{ key }} is set to {{ '***' if ['pass', 'secret', 'key']|select('in', key) else value }} | - name: Ensure {{ key }} is set to {{ value }} | ||||||
|   block: |   block: | ||||||
|     - name: Check value of {{ key }} |     - name: Check value of {{ key }} | ||||||
|       community.docker.docker_container_exec: |       community.docker.docker_container_exec: | ||||||
| @@ -9,13 +9,9 @@ | |||||||
|         user: "{{ nextcloud_user_info.uid }}" |         user: "{{ nextcloud_user_info.uid }}" | ||||||
|         tty: yes |         tty: yes | ||||||
|       register: nextcloud_current_config_entry |       register: nextcloud_current_config_entry | ||||||
|       until: nextcloud_current_config_entry is success |  | ||||||
|       retries: 30 |  | ||||||
|       delay: 10 |  | ||||||
|       check_mode: false |  | ||||||
|       changed_when: false |       changed_when: false | ||||||
|  |  | ||||||
|     - name: Set {{ key }} to {{ '***' if (['pass', 'secret', 'key']|select('in', key)) else value }} |     - name: Set {{ key }} to {{ value }} | ||||||
|       community.docker.docker_container_exec: |       community.docker.docker_container_exec: | ||||||
|         container: "{{ nextcloud_container_name }}" |         container: "{{ nextcloud_container_name }}" | ||||||
|         command: "{{ nextcloud_occ_command }} config:{{ type }}:set {{ scope }} {{ entry }} --type={{ value_type }} --value={{ value }} -n" |         command: "{{ nextcloud_occ_command }} config:{{ type }}:set {{ scope }} {{ entry }} --type={{ value_type }} --value={{ value }} -n" | ||||||
| @@ -28,9 +24,9 @@ | |||||||
|     value_type: >- |     value_type: >- | ||||||
|       {% if value is boolean %} |       {% if value is boolean %} | ||||||
|       boolean |       boolean | ||||||
|       {% elif value is integer %} |       {% elsif value is integer %} | ||||||
|       integer |       integer | ||||||
|       {% elif value is float %} |       {% elsif value is float %} | ||||||
|       float |       float | ||||||
|       {% else %} |       {% else %} | ||||||
|       string |       string | ||||||
|   | |||||||
| @@ -1,14 +1,14 @@ | |||||||
| --- | --- | ||||||
|  |  | ||||||
| - name: Create nextcloud user | - name: Create nextcloud user | ||||||
|   ansible.builtin.user: |   user: | ||||||
|     name: "{{ nextcloud_user }}" |     name: "{{ nextcloud_user }}" | ||||||
|     state: present |     state: present | ||||||
|     system: yes |     system: yes | ||||||
|   register: nextcloud_user_info |   register: nextcloud_user_info | ||||||
|  |  | ||||||
| - name: Map nextcloud socket path if defined | - name: Map nextcloud socket path if defined | ||||||
|   ansible.builtin.set_fact: |   set_fact: | ||||||
|     nextcloud_paths: "{{ nextcloud_paths + [ socket_dir ] }}" |     nextcloud_paths: "{{ nextcloud_paths + [ socket_dir ] }}" | ||||||
|     nextcloud_container_base_volumes: "{{ nextcloud_container_base_volumes + [ socket_map ] }}" |     nextcloud_container_base_volumes: "{{ nextcloud_container_base_volumes + [ socket_map ] }}" | ||||||
|   vars: |   vars: | ||||||
| @@ -21,7 +21,7 @@ | |||||||
|   when: nextcloud_socket_path is defined and nextcloud_socket_path is string |   when: nextcloud_socket_path is defined and nextcloud_socket_path is string | ||||||
|  |  | ||||||
| - name: Ensure nextcloud directories exist and have correct permissions | - name: Ensure nextcloud directories exist and have correct permissions | ||||||
|   ansible.builtin.file: |   file: | ||||||
|     path: "{{ item.path }}" |     path: "{{ item.path }}" | ||||||
|     state: directory |     state: directory | ||||||
|     mode: "{{ item.mode }}" |     mode: "{{ item.mode }}" | ||||||
| @@ -29,15 +29,15 @@ | |||||||
|     group: "{{ item.group }}" |     group: "{{ item.group }}" | ||||||
|   loop: "{{ nextcloud_paths }}" |   loop: "{{ nextcloud_paths }}" | ||||||
|  |  | ||||||
| - name: Ensure docker container image '{{ nextcloud_container_image_ref }}' for nextcloud is pulled | - name: Ensure docker container for nextcloud is pulled | ||||||
|   community.docker.docker_image: |   docker_image: | ||||||
|     name: "{{ nextcloud_container_image_ref }}" |     name: "{{ nextcloud_container_image_ref }}" | ||||||
|     state: present |     state: present | ||||||
|     source: pull |     source: pull | ||||||
|     force_source: "{{ nextcloud_container_image_force_source }}" |     force_source: "{{ nextcloud_container_image_force_source }}" | ||||||
|  |  | ||||||
| - name: Template OpCache configuration | - name: Template OpCache configuration | ||||||
|   ansible.builtin.template: |   template: | ||||||
|     src: nextcloud-fpm-opcache.ini.j2 |     src: nextcloud-fpm-opcache.ini.j2 | ||||||
|     dest: "{{ nextcloud_fpm_config_path }}/opcache.ini" |     dest: "{{ nextcloud_fpm_config_path }}/opcache.ini" | ||||||
|     mode: "0640" |     mode: "0640" | ||||||
| @@ -47,7 +47,7 @@ | |||||||
|     - reload-nextcloud |     - reload-nextcloud | ||||||
|  |  | ||||||
| - name: Template PHP FPM configuration | - name: Template PHP FPM configuration | ||||||
|   ansible.builtin.template: |   template: | ||||||
|     src: nextcloud-fpm.ini.j2 |     src: nextcloud-fpm.ini.j2 | ||||||
|     dest: "{{ nextcloud_fpm_config_path }}/fpm.ini" |     dest: "{{ nextcloud_fpm_config_path }}/fpm.ini" | ||||||
|     mode: "0640" |     mode: "0640" | ||||||
| @@ -57,7 +57,7 @@ | |||||||
|     - reload-nextcloud |     - reload-nextcloud | ||||||
|  |  | ||||||
| - name: Template PHP FPM docker-specific configuration | - name: Template PHP FPM docker-specific configuration | ||||||
|   ansible.builtin.template: |   template: | ||||||
|     src: nextcloud-fpm-docker.ini.j2 |     src: nextcloud-fpm-docker.ini.j2 | ||||||
|     dest: "{{ nextcloud_fpm_config_path }}/fpm-docker.ini" |     dest: "{{ nextcloud_fpm_config_path }}/fpm-docker.ini" | ||||||
|     mode: "0640" |     mode: "0640" | ||||||
| @@ -67,7 +67,7 @@ | |||||||
|     - reload-nextcloud |     - reload-nextcloud | ||||||
|  |  | ||||||
| - name: Template modified /etc/passwd for nextcloud container | - name: Template modified /etc/passwd for nextcloud container | ||||||
|   ansible.builtin.template: |   template: | ||||||
|     src: nextcloud-passwd.j2 |     src: nextcloud-passwd.j2 | ||||||
|     dest: "{{ nextcloud_basepath }}/nextcloud-passwd" |     dest: "{{ nextcloud_basepath }}/nextcloud-passwd" | ||||||
|     mode: "0640" |     mode: "0640" | ||||||
| @@ -77,7 +77,7 @@ | |||||||
|     - reload-nextcloud |     - reload-nextcloud | ||||||
|  |  | ||||||
| - name: Template modified /etc/passwd for nextcloud container | - name: Template modified /etc/passwd for nextcloud container | ||||||
|   ansible.builtin.template: |   template: | ||||||
|     src: nextcloud-group.j2 |     src: nextcloud-group.j2 | ||||||
|     dest: "{{ nextcloud_basepath }}/nextcloud-group" |     dest: "{{ nextcloud_basepath }}/nextcloud-group" | ||||||
|     mode: "0640" |     mode: "0640" | ||||||
| @@ -87,7 +87,7 @@ | |||||||
|     - reload-nextcloud |     - reload-nextcloud | ||||||
|  |  | ||||||
| - name: Template systemd service for nextcloud's cron job | - name: Template systemd service for nextcloud's cron job | ||||||
|   ansible.builtin.template: |   template: | ||||||
|     src: systemd-nextcloud-cron.service.j2 |     src: systemd-nextcloud-cron.service.j2 | ||||||
|     dest: /etc/systemd/system/nextcloud-cron.service |     dest: /etc/systemd/system/nextcloud-cron.service | ||||||
|     mode: "0640" |     mode: "0640" | ||||||
| @@ -98,7 +98,7 @@ | |||||||
|     - reload-systemd |     - reload-systemd | ||||||
|  |  | ||||||
| - name: Template timer for nextcloud's cron job | - name: Template timer for nextcloud's cron job | ||||||
|   ansible.builtin.template: |   template: | ||||||
|     src: systemd-nextcloud-cron.timer.j2 |     src: systemd-nextcloud-cron.timer.j2 | ||||||
|     dest: /etc/systemd/system/nextcloud-cron.timer |     dest: /etc/systemd/system/nextcloud-cron.timer | ||||||
|     mode: "0640" |     mode: "0640" | ||||||
| @@ -109,34 +109,34 @@ | |||||||
|     - reload-systemd |     - reload-systemd | ||||||
|  |  | ||||||
| - name: Flush handlers now to ensure systemd can know about the timer before it's enabled | - name: Flush handlers now to ensure systemd can know about the timer before it's enabled | ||||||
|   ansible.builtin.meta: flush_handlers |   meta: flush_handlers | ||||||
|  |  | ||||||
| - name: Ensure docker container for nextcloud is running | - name: Ensure docker container for nextcloud is running | ||||||
|   community.docker.docker_container: |   docker_container: | ||||||
|     name: "{{ nextcloud_container_name }}" |     name: "{{ nextcloud_container_name }}" | ||||||
|     image: "{{ nextcloud_container_image_ref }}" |     image: "{{ nextcloud_container_image_ref }}" | ||||||
|     volumes: "{{ nextcloud_container_volumes }}" |     volumes: "{{ nextcloud_container_volumes }}" | ||||||
|     labels: "{{ nextcloud_container_labels }}" |     labels: "{{ nextcloud_container_labels }}" | ||||||
|     env: "{{ nextcloud_container_env }}" |     env: "{{ nextcloud_container_env }}" | ||||||
|     etc_hosts: "{{ nextcloud_container_etc_hosts | default(omit, true) }}" |  | ||||||
|     networks: "{{ nextcloud_container_networks | default(omit, true) }}" |     networks: "{{ nextcloud_container_networks | default(omit, true) }}" | ||||||
|  |     purge_networks: "{{ nextcloud_container_purge_other_networks }}" | ||||||
|     restart_policy: "{{ nextcloud_container_restart_policy }}" |     restart_policy: "{{ nextcloud_container_restart_policy }}" | ||||||
|     state: started |     state: started | ||||||
|  |  | ||||||
| - name: Enable systemd timer for nextcloud cron | - name: Enable systemd timer for nextcloud cron | ||||||
|   ansible.builtin.systemd: |   systemd: | ||||||
|     name: "nextcloud-cron.timer" |     name: "nextcloud-cron.timer" | ||||||
|     enabled: yes |     enabled: yes | ||||||
|   when: nextcloud_background_job_mode == 'cron' |   when: nextcloud_background_job_mode == 'cron' | ||||||
|  |  | ||||||
| - name: Ensure systemd timer for nextcloud cron is started | - name: Ensure systemd timer for nextcloud cron is started | ||||||
|   ansible.builtin.systemd: |   systemd: | ||||||
|     name: "nextcloud-cron.timer" |     name: "nextcloud-cron.timer" | ||||||
|     state: started |     state: started | ||||||
|   when: nextcloud_background_job_mode == 'cron' |   when: nextcloud_background_job_mode == 'cron' | ||||||
|  |  | ||||||
| - name: Configure nextcloud | - name: Configure nextcloud | ||||||
|   ansible.builtin.include_tasks: |   include_tasks: | ||||||
|     file: configure-single-setting.yml |     file: configure-single-setting.yml | ||||||
|   vars: |   vars: | ||||||
|     key: "{{ item.key | replace('[', '.') | replace(']', '.') }}" |     key: "{{ item.key | replace('[', '.') | replace(']', '.') }}" | ||||||
|   | |||||||
| @@ -4,7 +4,7 @@ user = www-data | |||||||
| group = www-data | group = www-data | ||||||
|  |  | ||||||
| {% if nextcloud_socket_path is defined and nextcloud_socket_path is string %} | {% if nextcloud_socket_path is defined and nextcloud_socket_path is string %} | ||||||
| listen = {{ nextcloud_container_php_socket_path }}/{{ nextcloud_container_name }}.sock | listen = {{ nextcloud_container_php_socket_path }}/nextcloud.sock | ||||||
| listen.owner = www-data | listen.owner = www-data | ||||||
| listen.group = www-data | listen.group = www-data | ||||||
| listen.mode = 0666 | listen.mode = 0666 | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user