Initial version of nextcloud collection

Signed-off-by: Nis Wechselberg <enbewe@enbewe.de>

roles/nextcloud/defaults/main.yml

@@ -0,0 +1,20 @@
+---
+nextcloud_podman_network: 'nextcloud'
+
+nextcloud_db_container_name: nextcloud-db
+nextcloud_db_image_name: 'docker.io/library/postgres'
+nextcloud_db_image_tag: '16.6'
+nextcloud_db_volume: 'nextcloud-db'
+
+nextcloud_redis_container_name: nextcloud-redis
+nextcloud_redis_image_name: 'docker.io/library/redis'
+nextcloud_redis_image_tag: '7.4.1-alpine'
+nextcloud_redis_volume: 'nextcloud-redis'
+
+nextcloud_cron_container_name: 'nextcloud-cron'
+
+nextcloud_app_container_name: 'nextcloud-app'
+nextcloud_app_image_name: 'docker.io/library/nextcloud'
+nextcloud_app_image_tag: '30.0.4-apache'
+nextcloud_app_volume: 'nextcloud-app'
+nextcloud_app_environments: {}

roles/nextcloud/handlers/main.yml

@@ -0,0 +1,89 @@
+---
+- name: 'Reload nextcloud services'
+  become: true
+  ansible.builtin.service:
+    daemon_reload: true
+
+- name: 'Restart nextcloud network'
+  become: true
+  ansible.builtin.service:
+    name: '{{ nextcloud_podman_network }}-network'
+    state: 'restarted'
+  notify: 
+    - 'Restart nextcloud-app container'
+    # - 'Restart nextcloud-cron container'
+    - 'Restart nextcloud-db container'
+    - 'Restart nextcloud-redis container'
+
+- name: 'Restart nextcloud volumes'
+  become: true
+  ansible.builtin.service:
+    name: '{{ item }}'
+    state: 'restarted'
+  loop:
+    - '{{ nextcloud_app_volume }}-volume'
+    - '{{ nextcloud_db_volume }}-volume'
+    - '{{ nextcloud_redis_volume }}-volume'
+  notify: 
+    - 'Restart nextcloud-app container'
+    # - 'Restart nextcloud-cron container'
+    - 'Restart nextcloud-db container'
+    - 'Restart nextcloud-redis container'
+
+
+- name: 'Restart nextcloud-db image'
+  become: true
+  ansible.builtin.service:
+    name: 'nextcloud-db-image'
+    state: 'restarted'
+  notify:
+    - 'Restart nextcloud-db container'
+
+- name: 'Restart nextcloud-redis image'
+  become: true
+  ansible.builtin.service:
+    name: 'nextcloud-redis-image'
+    state: 'restarted'
+  notify:
+    - 'Restart nextcloud-redis container'
+
+- name: 'Restart nextcloud-app image'
+  become: true
+  ansible.builtin.service:
+    name: 'nextcloud-app-image'
+    state: 'restarted'
+  notify:
+    - 'Restart nextcloud-app container'
+    # - 'Restart nextcloud-cron container'
+
+- name: 'Restart nextcloud-db container'
+  become: true
+  ansible.builtin.service:
+    name: '{{ nextcloud_db_container_name }}'
+    state: 'restarted'
+  notify: 
+    - 'Restart nextcloud-app container'
+    # - 'Restart nextcloud-cron container'
+
+- name: 'Restart nextcloud-redis container'
+  become: true
+  ansible.builtin.service:
+    name: '{{ nextcloud_redis_container_name }}'
+    state: 'restarted'
+  notify: 
+    - 'Restart nextcloud-app container'
+    # - 'Restart nextcloud-cron container'
+
+- name: 'Restart nextcloud-app container'
+  become: true
+  ansible.builtin.service:
+    name: '{{ nextcloud_app_container_name }}'
+    state: 'restarted'
+
+# - name: 'Restart nextcloud-cron container'
+#   become: true
+#   ansible.builtin.service:
+#     name: '{{ nextcloud_cron_container_name }}'
+#     state: 'restarted'
+
+

roles/nextcloud/tasks/main.yml

@@ -0,0 +1,209 @@
+---
+- name: 'Ensure needed software is installed'
+  become: true
+  ansible.builtin.apt:
+    name: 'podman'
+    state: 'present'
+
+- name: 'Prepare nextcloud network'
+  become: true
+  containers.podman.podman_network:
+    name: '{{ nextcloud_podman_network }}'
+    state: 'quadlet'
+  notify:
+    - 'Reload nextcloud services'
+    - 'Restart nextcloud network'
+
+- name: 'Create nextcloud volumes'
+  become: true
+  containers.podman.podman_volume:
+    name: '{{ item }}'
+    state: 'quadlet'
+  loop:
+    - '{{ nextcloud_app_volume }}'
+    - '{{ nextcloud_db_volume }}'
+    - '{{ nextcloud_redis_volume }}'
+  notify:
+    - 'Reload nextcloud services'
+    - 'Restart nextcloud volumes'
+
+- name: 'Define nextcloud-db image'
+  become: true
+  containers.podman.podman_image:
+    name: '{{ nextcloud_db_image_name }}:{{ nextcloud_db_image_tag }}'
+    quadlet_filename: 'nextcloud-db'
+    state: 'quadlet'
+  notify:
+    - 'Reload nextcloud services'
+    - 'Restart nextcloud-db image'
+
+- name: 'Define nextcloud-redis image'
+  become: true
+  containers.podman.podman_image:
+    name: '{{ nextcloud_redis_image_name }}:{{ nextcloud_redis_image_tag }}'
+    quadlet_filename: 'nextcloud-redis'
+    state: 'quadlet'
+  notify:
+    - 'Reload nextcloud services'
+    - 'Restart nextcloud-redis image'
+
+- name: 'Define nextcloud-app image'
+  become: true
+  containers.podman.podman_image:
+    name: '{{ nextcloud_app_image_name }}:{{ nextcloud_app_image_tag }}'
+    quadlet_filename: 'nextcloud-app'
+    state: 'quadlet'
+  notify:
+    - 'Reload nextcloud services'
+    - 'Restart nextcloud-app image'
+
+- name: 'Prepare nextcloud config files location'
+  become: true
+  ansible.builtin.file:
+    path: '/etc/nextcloud'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: 'u=rwx,g=rx,o=rx'
+
+- name: 'Create config files for nextcloud'
+  become: true
+  ansible.builtin.template:
+    src: '{{ item.src }}'
+    dest: '{{ item.dest }}'
+    owner: 33
+    group: 33
+    mode: '{{ item.mode }}'
+  notify: 
+    - 'Restart nextcloud-app container'
+    # - 'Restart nextcloud-cron container'
+  loop:
+    - src: 'oidc.config.php.j2'
+      dest: '/etc/nextcloud/oidc.config.php'
+      mode: 'u=rw,g=r,o=r'
+    - src: 'ansible.config.php.j2'
+      dest: '/etc/nextcloud/ansible.config.php'
+      mode: 'u=rw,g=r,o=r'
+    - src: 'copy_config.sh.j2'
+      dest: '/etc/nextcloud/copy_config.sh'
+      mode: 'u=rwx,g=rx,o=rx'
+
+- name: 'Create nextcloud-db container'
+  become: true
+  containers.podman.podman_container:
+    name: '{{ nextcloud_db_container_name }}'
+    image: 'nextcloud-db.image'
+    network: '{{ nextcloud_podman_network }}.network'
+    state: 'quadlet'
+    volume:
+      - '{{ nextcloud_db_volume }}.volume:/var/lib/postgresql/data/'
+    env:
+      POSTGRES_DB: '{{ nextcloud_db_database }}'
+      POSTGRES_USER: '{{ nextcloud_db_user }}'
+      POSTGRES_PASSWORD: '{{ nextcloud_db_password }}'
+    quadlet_options: |
+      [Install]
+      WantedBy=default.target
+      [Unit]
+      Requires={{ nextcloud_podman_network }}-network.service
+      Requires={{ nextcloud_db_volume }}-volume.service
+      After={{ nextcloud_podman_network }}-network.service
+      After={{ nextcloud_db_volume }}-volume.service
+  notify:
+    - 'Reload nextcloud services'
+    - 'Restart nextcloud-db container'
+
+- name: 'Create nextcloud-redis container'
+  become: true
+  containers.podman.podman_container:
+    name: '{{ nextcloud_redis_container_name }}'
+    image: 'nextcloud-redis.image'
+    network: '{{ nextcloud_podman_network }}.network'
+    state: 'quadlet'
+    volume:
+      - '{{ nextcloud_redis_volume }}.volume:/data'
+    quadlet_options: |
+      [Install]
+      WantedBy=default.target
+      [Unit]
+      Requires={{ nextcloud_podman_network }}-network.service
+      Requires={{ nextcloud_redis_volume }}-volume.service
+      After={{ nextcloud_podman_network }}-network.service
+      After={{ nextcloud_redis_volume }}-volume.service
+  notify:
+    - 'Reload nextcloud services'
+    - 'Restart nextcloud-redis container'
+
+# - name: 'Create nextcloud-cron container'
+#   become: true
+#   containers.podman.podman_container:
+#     name: '{{ nextcloud_cron_container_name }}'
+#     image: 'nextcloud-app.image'
+#     network: '{{ nextcloud_podman_network }}.network'
+#     state: 'quadlet'
+#     entrypoint: '/cron.sh'
+#     volume:
+#       - '{{ nextcloud_app_volume }}.volume:/var/www/html'
+#       - '/etc/nextcloud/oidc.config.php:/docker-entrypoint-hooks.d/before-starting/oidc.config.php'
+#       - '/etc/nextcloud/copy_config.sh:/docker-entrypoint-hooks.d/before-starting/copy_config.sh'
+#     quadlet_options: |
+#       [Install]
+#       WantedBy=default.target
+#       [Unit]
+#       Requires={{ nextcloud_podman_network }}-network.service
+#       Requires={{ nextcloud_app_volume }}-volume.service
+#       Requires=nextcloud-db.service
+#       Requires=nextcloud-redis.service
+#       After={{ nextcloud_podman_network }}-network.service
+#       After={{ nextcloud_app_volume }}-volume.service
+#       After=nextcloud-db.service
+#       After=nextcloud-redis.service
+#   notify:
+#     - 'Reload nextcloud services'
+#     - 'Restart nextcloud-cron container'
+
+- name: 'Create nextcloud-app container'
+  become: true
+  containers.podman.podman_container:
+    name: '{{ nextcloud_app_container_name }}'
+    image: 'nextcloud-app.image'
+    network: '{{ nextcloud_podman_network }}.network'
+    state: 'quadlet'
+    volume:
+      - '{{ nextcloud_app_volume }}.volume:/var/www/html'
+      - '/etc/nextcloud/oidc.config.php:/docker-entrypoint-hooks.d/before-starting/oidc.config.php'
+      - '/etc/nextcloud/ansible.config.php:/docker-entrypoint-hooks.d/before-starting/ansible.config.php'
+      - '/etc/nextcloud/copy_config.sh:/docker-entrypoint-hooks.d/before-starting/copy_config.sh'
+    env: '{{ nextcloud_app_environments }}'
+    quadlet_options: |
+      [Install]
+      WantedBy=default.target
+      [Unit]
+      Requires={{ nextcloud_podman_network }}-network.service
+      Requires={{ nextcloud_app_volume }}-volume.service
+      Requires=nextcloud-db.service
+      Requires=nextcloud-redis.service
+      After={{ nextcloud_podman_network }}-network.service
+      After={{ nextcloud_app_volume }}-volume.service
+      After=nextcloud-db.service
+      After=nextcloud-redis.service
+  notify:
+    - 'Reload nextcloud services'
+    - 'Restart nextcloud-app container'
+
+- name: 'Flush handlers'
+  ansible.builtin.meta: flush_handlers
+
+- name: 'Configure apps'
+  become: true
+  enbewe.nextcloud.nextcloud_app:
+    state: '{{ item.key }}'
+    name: '{{ item.value }}'
+    force: true
+    container_name: '{{ nextcloud_app_container_name }}'
+  retries: 30
+  delay: 10
+  notify:
+    # - 'Restart nextcloud-cron container'
+    - 'Restart nextcloud-app container'
+  loop: '{{ nextcloud_apps | dict2items }}'

roles/nextcloud/templates/ansible.config.php.j2

@@ -0,0 +1,9 @@
+<?php
+$CONFIG = array (
+  'allow_user_to_change_display_name' => {{ nextcloud_oidc_allow_user_change_display_name | default('false') }},
+  'skeletondirectory' => '',
+  'templatedirectory' => '',
+  'hide_login_form' => {{ nextcloud_oidc_hide_password_form | default('false') }},
+  'maintenance_window_start' => {{ nextcloud_maintenance_window_start | default(2) }},
+  'default_phone_region' => '{{ nextcloud_default_phone_region | default('DE') }}',
+);

roles/nextcloud/templates/copy_config.sh.j2

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+cp /docker-entrypoint-hooks.d/before-starting/*.config.php /var/www/html/config/

roles/nextcloud/templates/oidc.config.php.j2

@@ -0,0 +1,123 @@
+<?php
+$CONFIG = array (
+  // Some Nextcloud options that might make sense here
+  'allow_user_to_change_display_name' => {{ nextcloud_oidc_allow_user_change_display_name | default('false') }},
+  'lost_password_link' => '{{ nextcloud_oidc_lost_password_link | default('disabled') }}',
+
+  // URL of provider. All other URLs are auto-discovered from .well-known
+  'oidc_login_provider_url' => '{{ nextcloud_oidc_provider_url }}',
+
+  // Client ID and secret registered with the provider
+  'oidc_login_client_id' => '{{ nextcloud_oidc_client_id }}',
+  'oidc_login_client_secret' => '{{ nextcloud_oidc_client_secret }}',
+
+  // Automatically redirect the login page to the provider
+  'oidc_login_auto_redirect' => {{ nextcloud_oidc_auto_redirect | default('false') }},
+
+  // Redirect to this page after logging out the user
+  'oidc_login_logout_url' => '{{ nextcloud_oidc_logout_url | default('') }}',
+
+  // If set to true the user will be redirected to the logout endpoint of the OIDC provider after logout
+  // in Nextcloud. After successfull logout the OIDC provider will redirect back to 'oidc_login_logout_url' (MUST be set).
+  'oidc_login_end_session_redirect' => {{ nextcloud_oidc_end_session_redirect | default('false') }},
+
+  // Login button text
+  'oidc_login_button_text' => '{{ nextcloud_oidc_button_text | default('Log in with Open ID') }}',
+
+  // Hide the NextCloud password change form.
+  'oidc_login_hide_password_form' => {{ nextcloud_oidc_hide_password_form | default('false') }},
+
+  // Use ID Token instead of UserInfo
+  'oidc_login_use_id_token' => {{ nextcloud_oidc_use_id_token | default('false') }},
+
+  // Attribute map for OIDC response. Available keys are:
+  //   * id:           Unique identifier for username
+  //   * name:         Full name
+  //                      If set to null, existing display name won't be overwritten
+  //   * mail:         Email address
+  //                      If set to null, existing email address won't be overwritten
+  //   * quota:        Nextcloud storage quota
+  //   * home:         Home directory location. A symlink or external storage to this location is used
+  //   * ldap_uid:     LDAP uid to search for when running in proxy mode
+  //   * groups:       Array or space separated string of Nextcloud groups for the user.
+  //                   Note that the name here corresponds to the GID of the group and not the display name
+  //                   In the admin panel, the GID may be obtained from the URL when editing a group
+  //   * login_filter: Array or space separated string. If 'oidc_login_filter_allowed_values' is
+  //                      set, it is checked against these values.
+  //   * photoURL:     The URL of the user avatar. The nextcloud server will download the picture
+  //                      at user login. This may lead to security issues. Use with care.
+  //                      This will only be effective if oidc_login_update_avatar is enabled.
+  //   * is_admin:     If this value is truthy, the user is added to the admin group (optional)
+  'oidc_login_attributes' => array (
+    'id' => 'sub',
+    'name' => 'name',
+    'mail' => 'email',
+    'groups' => 'groups',
+    'is_admin' => 'groups_{{ nextcloud_oidc_admin_group | default('cloud_admin') }}',
+  ),
+
+  // Allow only users in configured value(s) to access Nextcloud. In case the user
+  // is not assigned to this value (read from oidc_login_attributes) the login
+  // will not be allowed for this user.
+  //
+  // Must be specified as an array of values (e.g. roles) that are allowed to
+  // access Nextcloud. e.g. 'oidc_login_filter_allowed_values' => array('role1', 'role2')
+  'oidc_login_filter_allowed_values' => null,
+
+  // Set OpenID Connect scope
+  'oidc_login_scope' => '{{ nextcloud_oidc_scope | default('openid profile') }}',
+
+  // Disable creation of users new to Nextcloud from OIDC login.
+  // A user may be known to the IdP but not (yet) known to Nextcloud.
+  // This setting controls what to do in this case.
+  // - 'true' (default): if the user authenticates to the IdP but is not known to Nextcloud,
+  //     then they will be returned to the login screen and not allowed entry;
+  // - 'false': if the user authenticates but is not yet known to Nextcloud,
+  //     then the user will be automatically created; note that with this setting,
+  //     you will be allowing (or relying on) a third-party (the IdP) to create new users
+  'oidc_login_disable_registration' => {{ nextcloud_oidc_disable_registration | default('true') }},
+
+  // For development, you may disable TLS verification. Default value is `true`
+  // which should be kept in production
+  'oidc_login_tls_verify' => {{ nextcloud_oidc_tls_verify | default('true') }},
+
+  // If you get your groups from the oidc_login_attributes, you might want
+  // to create them if they are not already existing, Default is `false`.
+  'oidc_create_groups' => {{ nextcloud_oidc_create_groups | default('false') }},
+
+  // Enable use of WebDAV via OIDC bearer token.
+  'oidc_login_webdav_enabled' => false,
+
+  // Enable authentication with user/password for DAV clients that do not
+  // support token authentication (e.g. DAVx⁵)
+  'oidc_login_password_authentication' => false,
+
+  // The time in seconds used to cache public keys from provider.
+  // The default value is 1 day.
+  'oidc_login_public_key_caching_time' => 86400,
+
+  // The minimum time in seconds to wait between requests to the jwks_uri endpoint.
+  // Avoids that the provider will be DoSed when someone requests with unknown kids.
+  // The default is 10 seconds.
+  'oidc_login_min_time_between_jwks_requests' => 10,
+
+  // The time in seconds used to cache the OIDC well-known configuration from the provider.
+  // The default value is 1 day.
+  'oidc_login_well_known_caching_time' => 86400,
+
+  // If true, nextcloud will download user avatars on login.
+  // This may lead to security issues as the server does not control
+  // which URLs will be requested. Use with care.
+  'oidc_login_update_avatar' => false,
+
+  // If true, the default Nextcloud proxy won't be used to make internals OIDC call.
+  // The default is false.
+  'oidc_login_skip_proxy' => false,
+
+  // Code challenge method for PKCE flow.
+  // Possible values are:
+  //	- 'S256'
+  //	- 'plain'
+  // The default value is empty, which won't apply the PKCE flow.
+  'oidc_login_code_challenge_method' => '',
+);