From d517f77b6ceb7a76fb17b1054ee4d2ce760d3b39 Mon Sep 17 00:00:00 2001
From: Bert-Jan Fikse
Date: Fri, 13 Mar 2026 15:22:09 +0100
Subject: [PATCH] feat: add file_lock and notify_push configuration to nextcloud role
Signed-off-by: Bert-Jan Fikse
---
 roles/nextcloud/defaults/main.yml | 8 ++++
 roles/nextcloud/tasks/main.yml | 4 ++
 roles/nextcloud/tasks/notify_push.yml | 8 ++++
 .../nextcloud/templates/docker-compose.yml.j2 | 37 ++++++++++++++++++-
 4 files changed, 55 insertions(+), 2 deletions(-)
 create mode 100644 roles/nextcloud/tasks/notify_push.yml
diff --git a/roles/nextcloud/defaults/main.yml b/roles/nextcloud/defaults/main.yml
index ddafddf..a437ce6 100644
--- a/roles/nextcloud/defaults/main.yml
+++ b/roles/nextcloud/defaults/main.yml
@@ -53,6 +53,12 @@ nextcloud_upload_limit_mb: 2048
 nextcloud_scale_factor: 2
+# Trusted proxies (Docker internal networks)
+nextcloud_trusted_proxies: "172.16.0.0/12"
+
+# File locking and real-time push notifications
+nextcloud_enable_notify_push: false
+
 # Non-default apps to install and enable
 nextcloud_apps_to_install:
 - groupfolders
@@ -61,6 +67,8 @@ nextcloud_apps_to_install:
 - user_ldap
 - user_oidc
 - whiteboard
+ - files_lock
+ - notify_push
 # OIDC provider configuration
 nextcloud_oidc_allow_selfsigned: false # Set to true to disable SSL verification for OIDC providers (dev only)
diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml
index c849b17..530baf7 100644
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
@@ -74,6 +74,10 @@
 ansible.builtin.include_tasks: drawio.yml
 when: nextcloud_enable_drawio
+- name: Configure notify_push
+ ansible.builtin.include_tasks: notify_push.yml
+ when: nextcloud_enable_notify_push
+
 - name: Configure LDAP backend
 ansible.builtin.include_tasks: ldap.yml
 when: nextcloud_ldap_enabled
diff --git a/roles/nextcloud/tasks/notify_push.yml b/roles/nextcloud/tasks/notify_push.yml
new file mode 100644
index 0000000..18dbb8b
--- /dev/null
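Review bot: `nextcloud_trusted_proxies: "172.16.0.0/12"` trusts the whole RFC 1918 172.16/12 block, far wider than the previous list of specific subnets and hosts, and TRUSTED_PROXIES is what Nextcloud uses to decide whose X-Forwarded-For header it believes. Any container or host reachable from a network in that range can then present an arbitrary client address, which undermines brute-force throttling, logging and audit features keyed on the remote IP. The default should be the subnet Traefik actually reaches Nextcloud from, e.g. `nextcloud_trusted_proxies: "<traefik-network-subnet>"` with the comment `# Only the subnet(s) Traefik connects from; a wider range lets other hosts spoof X-Forwarded-For`. The same variable is consumed by both TRUSTED_PROXIES hunks in docker-compose.yml.j2, so tightening it here covers them as well.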
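Review bot: `files_lock` and `notify_push` are appended to `nextcloud_apps_to_install` unconditionally, while `nextcloud_enable_notify_push` defaults to false in the hunk above, so a default run enables the notify_push app without the push container or the `notify_push:setup` step that the flag gates. Clients then keep polling and the admin overview will most likely report the push server as not configured; files_lock has no such backend dependency, so it may genuinely be meant to be always-on. Either document the choice with `# notify_push app is installed unconditionally; set nextcloud_enable_notify_push to run the push server` or append `notify_push` only when the flag is set, so the app list, the compose template and main.yml are keyed on the same variable.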
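Review bot: The new include runs `occ notify_push:setup` via notify_push.yml, which needs the notify_push app already enabled and the notify-push container up and reachable through the configured URL, and the hunk only shows that it sits after the drawio include and before the LDAP one. Whether app installation and the compose bring-up happen earlier in main.yml is not visible here; if either runs later, the first run fails at this step. Worth confirming the ordering and recording it with `# Requires nextcloud_apps_to_install to be enabled and the compose stack to be running` above the task.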
+++ b/roles/nextcloud/tasks/notify_push.yml
@@ -0,0 +1,8 @@
+#SPDX-License-Identifier: MIT-0
+---
+# tasks file for configuring notify_push in Nextcloud
+
+- name: Configure notify_push base endpoint
+ community.docker.docker_container_exec:
+ container: "{{ nextcloud_docker_compose_dir | basename }}-nextcloud-1"
+ command: php /var/www/html/occ notify_push:setup https://{{ nextcloud_domain }}/push
\ No newline at end of file
diff --git a/roles/nextcloud/templates/docker-compose.yml.j2 b/roles/nextcloud/templates/docker-compose.yml.j2
index 3ae9fd5..9a98033 100644
--- a/roles/nextcloud/templates/docker-compose.yml.j2
+++ b/roles/nextcloud/templates/docker-compose.yml.j2
@@ -61,7 +61,7 @@ services:
 PHP_UPLOAD_LIMIT: {{ nextcloud_upload_limit_mb }}M
 OVERWRITEPROTOCOL: https
 OVERWRITEHOST: {{ nextcloud_domain }}
- TRUSTED_PROXIES: "172.18.0.0/16 172.16.9.88/16 172.16.17.0/24 172.16.9.88"
+ TRUSTED_PROXIES: "{{ nextcloud_trusted_proxies }}"
 volumes:
 - {{ nextcloud_docker_volume_dir }}/nextcloud/:/var/www/html
 networks:
@@ -86,7 +86,7 @@ services:
 PHP_UPLOAD_LIMIT: {{ nextcloud_upload_limit_mb }}M
 OVERWRITEPROTOCOL: https
 OVERWRITEHOST: {{ nextcloud_domain }}
- TRUSTED_PROXIES: "172.18.0.0/16 172.16.9.88/16 172.16.17.0/24 172.16.9.88"
+ TRUSTED_PROXIES: "{{ nextcloud_trusted_proxies }}"
 {% if nextcloud_use_s3_storage %}
 OBJECTSTORE_S3_KEY: {{ nextcloud_s3_key }}
 OBJECTSTORE_S3_SECRET: {{ nextcloud_s3_secret }}
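Review bot: The `docker_container_exec` task runs `occ` as the container's default exec user and is not idempotent: `notify_push:setup` is re-executed and reported as changed on every play, and occ refuses to run unless it is executed as the owner of config/config.php, which in the official image is www-data rather than root. Unless the role's other occ tasks already rely on a container that defaults to www-data, add `user: www-data` and `changed_when: false` (or register the result and derive `changed_when` from its output). The setup URL also hard-codes `https://` while docker-compose.yml.j2 branches on `nextcloud_use_ssl`; `command: php /var/www/html/occ notify_push:setup {{ 'https' if nextcloud_use_ssl else 'http' }}://{{ nextcloud_domain }}/push` keeps the two consistent. Two style points: `#SPDX-License-Identifier: MIT-0` wants a space after the hash, and the file is missing its trailing newline.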
@@ -109,6 +109,39 @@ services:
 {% endfor %}
 {% endif %}
+{% if nextcloud_enable_notify_push %}
+ notify-push:
+ image: icewind1991/notify_push
+ restart: always
+ depends_on:
+ - redis
+ - db
+ volumes:
+ - {{ nextcloud_docker_volume_dir }}/nextcloud/:/var/www/html
+ environment:
+ PORT: "7867"
+ REDIS_URL: "redis://redis:6379"
+ DATABASE_URL: "postgres://{{ nextcloud_postgres_user }}:{{ nextcloud_postgres_password }}@db:5432/{{ nextcloud_postgres_db }}"
+ DATABASE_PREFIX: "oc_"
+ NEXTCLOUD_URL: "http://nginx"
+ networks:
+ - {{ nextcloud_backend_network }}
+ - {{ nextcloud_traefik_network }}
+ labels:
+ - traefik.enable=true
+ - traefik.docker.network={{ nextcloud_traefik_network }}
+ - traefik.http.routers.{{ nextcloud_service_name }}-push.rule=Host(`{{ nextcloud_domain }}`) && PathPrefix(`/push`)
+ - traefik.http.services.{{ nextcloud_service_name }}-push.loadbalancer.server.port=7867
+{% if nextcloud_use_ssl %}
+ - traefik.http.routers.{{ nextcloud_service_name }}-push.entrypoints=websecure
+ - traefik.http.routers.{{ nextcloud_service_name }}-push.tls=true
+{% else %}
+ - traefik.http.routers.{{ nextcloud_service_name }}-push.entrypoints=web
+{% endif %}
+ - traefik.http.middlewares.{{ nextcloud_service_name }}-push-https.headers.customrequestheaders.X-Forwarded-Proto=https
+ - traefik.http.routers.{{ nextcloud_service_name }}-push.middlewares={{ nextcloud_service_name }}-push-https
+{% endif %}
+
 networks:
 {{ nextcloud_backend_network }}:
 {{ nextcloud_traefik_network }}:
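Review bot: `image: icewind1991/notify_push` carries no tag, so every pull silently takes whatever `latest` is at that moment, which makes the deployment irreproducible and widens supply-chain exposure; pin it, e.g. `image: icewind1991/notify_push:<pinned-version>` (a digest is better still). `DATABASE_URL` splices `nextcloud_postgres_password` into a URL unescaped, so a password containing `@`, `:`, `/` or `%` yields a URL the push server cannot parse; render it as `{{ nextcloud_postgres_password | urlencode }}` (and the user and database name too if they may contain such characters). The service lists redis and db under `depends_on` but not the nextcloud container that populates config.php on the shared volume, so on a fresh deploy notify-push may start before that file exists and restart-loop until it appears; an explicit dependency would make the first start deterministic. Lastly, the `-push-https` middleware forcing `X-Forwarded-Proto=https` is attached regardless of the `nextcloud_use_ssl` branch, so with SSL off the push server is told requests were HTTPS; if that is intended, a comment saying so would help the next reader.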