feat: add nextcloud oidc provisioning

roles/nextcloud/defaults/main.yml

@@ -14,6 +14,7 @@ nextcloud_image: "nextcloud:fpm"
 nextcloud_redis_image: "redis:latest"
 nextcloud_port: 80
 nextcloud_extra_hosts: []
+nextcloud_allow_local_remote_servers: false  # Set to true to allow requests to local network (dev only)
 
 nextcloud_postgres_image: "postgres:15"
 nextcloud_postgres_db: nextcloud
@@ -56,3 +57,25 @@ nextcloud_apps_to_install:
   - user_ldap
   - user_oidc
   - whiteboard
+
+# OIDC provider configuration
+nextcloud_oidc_allow_selfsigned: false  # Set to true to disable SSL verification for OIDC providers (dev only)
+nextcloud_oidc_providers: []
+# - identifier: keycloak
+#   display_name: "Login with Keycloak"
+#   client_id: "nextcloud"
+#   client_secret: "changeme"
+#   discovery_url: "https://keycloak.example.com/realms/default/.well-known/openid-configuration"
+#   scope: "openid email profile"
+#   unique_uid: true
+#   check_bearer: false
+#   send_id_token_hint: true
+#   mapping:
+#     uid: preferred_username
+#     display_name: name
+#     email: email
+#     groups: groups
+
+# OIDC providers to remove
+nextcloud_oidc_providers_removed: []
+# - old-provider

roles/nextcloud/tasks/main.yml

@@ -55,9 +55,21 @@
     - (nextcloud_ready.stdout | from_json).installed == true
   changed_when: false
 
+- name: Deploy local network config file
+  ansible.builtin.template:
+    src: local-network.config.php.j2
+    dest: "{{ nextcloud_docker_volume_dir }}/nextcloud/config/local-network.config.php"
+    owner: www-data
+    group: www-data
+    mode: '0640'
+
 - name: Install nextcloud plugins
   ansible.builtin.include_tasks: plugins.yml
 
 - name: Configure nextcloud collabora
   ansible.builtin.include_tasks: collabora.yml
   when: nextcloud_enable_collabora
+
+- name: Configure OIDC providers
+  ansible.builtin.include_tasks: oidc.yml
+  when: nextcloud_oidc_providers | length > 0 or nextcloud_oidc_providers_removed | length > 0

roles/nextcloud/tasks/oidc.yml

@@ -0,0 +1,53 @@
+#SPDX-License-Identifier: MIT-0
+---
+# OIDC provider configuration for Nextcloud user_oidc app
+
+- name: Deploy OIDC config file
+  ansible.builtin.template:
+    src: oidc.config.php.j2
+    dest: "{{ nextcloud_docker_volume_dir }}/nextcloud/config/oidc.config.php"
+    owner: www-data
+    group: www-data
+    mode: '0640'
+
+- name: Remove deleted OIDC providers
+  community.docker.docker_container_exec:
+    container: "{{ nextcloud_service_name }}-nextcloud-1"
+    command: php /var/www/html/occ user_oidc:provider:delete "{{ item }}" --force
+  loop: "{{ nextcloud_oidc_providers_removed }}"
+  register: oidc_delete_result
+  changed_when: "'deleted' in (oidc_delete_result.stdout | default('') | lower)"
+  failed_when:
+    - oidc_delete_result.rc != 0
+    - "'not found' not in (oidc_delete_result.stderr | default('') | lower)"
+    - "'does not exist' not in (oidc_delete_result.stderr | default('') | lower)"
+
+- name: Create or update OIDC providers
+  vars:
+    _mapping: "{{ item.mapping | default({}) }}"
+    _base_args:
+      - php
+      - /var/www/html/occ
+      - user_oidc:provider
+      - "{{ item.identifier }}"
+      - "--clientid={{ item.client_id }}"
+      - "--clientsecret={{ item.client_secret }}"
+      - "--discoveryuri={{ item.discovery_url }}"
+      - "--unique-uid={{ '1' if item.unique_uid | default(true) else '0' }}"
+      - "--check-bearer={{ '1' if item.check_bearer | default(false) else '0' }}"
+      - "--send-id-token-hint={{ '1' if item.send_id_token_hint | default(true) else '0' }}"
+    _optional_args: "{{
+        ((['--scope=' ~ item.scope]) if item.scope is defined else []) +
+        ((['--group-provisioning=1']) if item.group_provisioning | default(false) else []) +
+        ((['--mapping-uid=' ~ _mapping.uid]) if _mapping.uid is defined else []) +
+        ((['--mapping-display-name=' ~ _mapping.display_name]) if _mapping.display_name is defined else []) +
+        ((['--mapping-email=' ~ _mapping.email]) if _mapping.email is defined else []) +
+        ((['--mapping-groups=' ~ _mapping.groups]) if _mapping.groups is defined else [])
+      }}"
+  community.docker.docker_container_exec:
+    container: "{{ nextcloud_service_name }}-nextcloud-1"
+    argv: "{{ _base_args + _optional_args }}"
+  loop: "{{ nextcloud_oidc_providers }}"
+  register: oidc_create_result
+  changed_when: "'created' in (oidc_create_result.stdout | default('') | lower) or 'updated' in (oidc_create_result.stdout | default('') | lower)"
+  no_log: true

roles/nextcloud/templates/local-network.config.php.j2

@@ -0,0 +1,4 @@
+<?php
+$CONFIG = array (
+  'allow_local_remote_servers' => {{ nextcloud_allow_local_remote_servers | lower }},
+);

roles/nextcloud/templates/oidc.config.php.j2

@@ -0,0 +1,6 @@
+<?php
+$CONFIG = array (
+  'user_oidc' => array (
+    'httpclient.allowselfsigned' => {{ nextcloud_oidc_allow_selfsigned | lower }},
+  ),
+);