Digitalboard/digitalboard.core
5
2
Fork 0
Code Pull requests Releases Packages Activity Actions

Compare commits

base: Digitalboard:main
Branches Tags
Digitalboard:main
Digitalboard:feature/vagrant-pebble-knot-acme
Digitalboard:feature/homarr
..
compare: Digitalboard:feature/homarr
Branches Tags
Digitalboard:feature/vagrant-pebble-knot-acme
Digitalboard:main
Digitalboard:feature/homarr

2 commits
main ... feature/ho

Author SHA1 Message Date
Tobias Wüst
d3bdb1fdec
chore: base config and deployment for role homarr 2026-01-23 15:47:15 +01:00
Tobias Wüst
029b1a86d4
chore: add new boilerplate role for homarr 2026-01-23 15:47:15 +01:00
57 changed files with 100 additions and 1835 deletions
Download patch file Download diff file Expand all files Collapse all files

32
roles/389ds/defaults/main.yml
View file

@ -1,32 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
# defaults file for 389ds
# Base directory configuration (inherited from base role or defined here)
docker_compose_base_dir: /etc/docker/compose
docker_volume_base_dir: /srv/data
# 389ds-specific configuration
ds389_service_name: 389ds
ds389_docker_compose_dir: "{{ docker_compose_base_dir }}/{{ ds389_service_name }}"
ds389_docker_volume_dir: "{{ docker_volume_base_dir }}/{{ ds389_service_name }}"
# 389ds service configuration
ds389_image: "docker.io/389ds/dirsrv:3.1"
ds389_suffix: "dc=example,dc=com"
ds389_root_dn: "cn=Directory Manager"
ds389_root_password: "changeme"
# Instance configuration
ds389_instance_name: "localhost"
ds389_hostname: "{{ ds389_service_name }}"
# Network configuration
ds389_backend_network: "backend"
ds389_ldap_port: 3389
ds389_ldaps_port: 3636
# Base OUs to create after container starts
ds389_base_ous:
- users
- groups

3
roles/389ds/handlers/main.yml
View file

@ -1,3 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
# handlers file for 389ds

35
roles/389ds/meta/main.yml
View file

@ -1,35 +0,0 @@
#SPDX-License-Identifier: MIT-0
galaxy_info:
author: your name
description: your role description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.2
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

76
roles/389ds/tasks/main.yml
View file

@ -1,76 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
# tasks file for 389ds
- name: Create docker compose directory
file:
path: "{{ ds389_docker_compose_dir }}"
state: directory
mode: '0755'
- name: Create 389ds data directory
file:
path: "{{ ds389_docker_volume_dir }}/data"
state: directory
mode: '0755'
- name: Create 389ds config directory
file:
path: "{{ ds389_docker_volume_dir }}/config"
state: directory
mode: '0755'
- name: Create docker-compose file for 389ds
template:
src: docker-compose.yml.j2
dest: "{{ ds389_docker_compose_dir }}/docker-compose.yml"
mode: '0644'
- name: Start 389ds container
community.docker.docker_compose_v2:
project_src: "{{ ds389_docker_compose_dir }}"
state: present
- name: Wait for LDAP to be ready
shell: >
docker compose -f {{ ds389_docker_compose_dir }}/docker-compose.yml
exec -T {{ ds389_service_name }} ldapsearch -H ldap://localhost:3389 -x
-D "{{ ds389_root_dn }}" -w "{{ ds389_root_password }}"
-b "" -s base "(objectClass=*)"
register: ds389_ldap_ready
retries: 30
delay: 2
until: ds389_ldap_ready.rc == 0
changed_when: false
no_log: true
- name: Ensure backend and suffix exist
shell: >
docker compose -f {{ ds389_docker_compose_dir }}/docker-compose.yml
exec -T {{ ds389_service_name }} dsconf localhost backend create
--suffix "{{ ds389_suffix }}" --be-name userroot --create-suffix
register: ds389_backend_result
failed_when:
- ds389_backend_result.rc != 0
- "'already exists' not in ds389_backend_result.stderr"
- "'suffix exists' not in ds389_backend_result.stderr"
changed_when: ds389_backend_result.rc == 0
- name: Template base OUs LDIF
template:
src: base-ous.ldif.j2
dest: "{{ ds389_docker_volume_dir }}/data/base-ous.ldif"
mode: '0644'
- name: Apply base OUs LDIF
shell: >
docker compose -f {{ ds389_docker_compose_dir }}/docker-compose.yml
exec -T {{ ds389_service_name }} ldapadd -H ldap://localhost:3389 -x
-D "{{ ds389_root_dn }}" -w "{{ ds389_root_password }}"
-f /data/base-ous.ldif
register: ds389_ldapadd_result
failed_when:
- ds389_ldapadd_result.rc != 0
- "'Already exists' not in ds389_ldapadd_result.stderr"
changed_when: "'Already exists' not in ds389_ldapadd_result.stderr"
no_log: true

7
roles/389ds/templates/base-ous.ldif.j2
View file

@ -1,7 +0,0 @@
{% for ou in ds389_base_ous %}
dn: ou={{ ou }},{{ ds389_suffix }}
changetype: add
objectClass: organizationalUnit
ou: {{ ou }}
{% endfor %}

19
roles/389ds/templates/docker-compose.yml.j2
View file

@ -1,19 +0,0 @@
services:
{{ ds389_service_name }}:
image: {{ ds389_image }}
hostname: {{ ds389_hostname }}
restart: unless-stopped
environment:
DS_SUFFIX_NAME: {{ ds389_suffix }}
DS_DM_PASSWORD: {{ ds389_root_password }}
ports:
- "{{ ds389_ldap_port }}:3389"
- "{{ ds389_ldaps_port }}:3636"
volumes:
- {{ ds389_docker_volume_dir }}/data:/data
- {{ ds389_docker_volume_dir }}/config:/etc/dirsrv/slapd-{{ ds389_instance_name }}
networks:
- {{ ds389_backend_network }}
networks:
{{ ds389_backend_network }}:

38
roles/collabora/README.md
View file

@ -1,38 +0,0 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).

35
roles/collabora/defaults/main.yml
View file

@ -1,35 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
# defaults file for collabora
# Base directory configuration (inherited from base role or defined here)
docker_compose_base_dir: /etc/docker/compose
docker_volume_base_dir: /srv/data
# Collabora-specific configuration
collabora_service_name: collabora
collabora_docker_compose_dir: "{{ docker_compose_base_dir }}/{{ collabora_service_name }}"
collabora_docker_volume_dir: "{{ docker_volume_base_dir }}/{{ collabora_service_name }}"
# Service configuration
collabora_domain: "office.local.test"
collabora_image: "collabora/code:latest"
collabora_port: 9980
collabora_extra_hosts: []
# Traefik configuration
collabora_traefik_network: "proxy"
collabora_use_ssl: true
# SSL verification for WOPI callbacks (set to false for self-signed certs)
collabora_ssl_verification: true
# Allowed WOPI host domains (Nextcloud, OpenCloud WOPI server, etc.)
# These domains are allowed to send WOPI requests to Collabora.
# Each entry is used as a regex pattern (dots are auto-escaped).
collabora_allowed_domains:
- "nextcloud.local.test"
# Domains allowed to embed Collabora in an iframe (Nextcloud, OpenCloud, etc.)
collabora_frame_ancestors:
- "nextcloud.local.test"

8
roles/collabora/handlers/main.yml
View file

@ -1,8 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
# handlers file for collabora
- name: restart collabora
community.docker.docker_compose_v2:
project_src: "{{ collabora_docker_compose_dir }}"
state: restarted

35
roles/collabora/meta/main.yml
View file

@ -1,35 +0,0 @@
#SPDX-License-Identifier: MIT-0
galaxy_info:
author: your name
description: your role description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.2
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

34
roles/collabora/tasks/main.yml
View file

@ -1,34 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
# tasks file for collabora
- name: Create docker compose directory
file:
path: "{{ collabora_docker_compose_dir }}"
state: directory
mode: '0755'
- name: Create collabora volume directory
file:
path: "{{ collabora_docker_volume_dir }}"
state: directory
mode: '0755'
- name: Create coolwsd configuration
template:
src: coolwsd.xml.j2
dest: "{{ collabora_docker_volume_dir }}/coolwsd.xml"
mode: '0644'
notify: restart collabora
- name: Create docker-compose file for collabora
template:
src: docker-compose.yml.j2
dest: "{{ collabora_docker_compose_dir }}/docker-compose.yml"
mode: '0644'
notify: restart collabora
- name: Start collabora container
community.docker.docker_compose_v2:
project_src: "{{ collabora_docker_compose_dir }}"
state: present

340
roles/collabora/templates/coolwsd.xml.j2
View file

@ -1,340 +0,0 @@
<!-- Managed by Ansible - do not edit manually -->
<!-- Based on Collabora CODE default coolwsd.xml with alias_groups and frame_ancestors customized -->
<config>
<accessibility desc="Accessibility settings">
<enable type="bool" default="false">false</enable>
</accessibility>
<allowed_languages desc="List of supported languages on this instance." default="de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru">de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru</allowed_languages>
<languagetool desc="Remote API settings for spell and grammar checking">
<enabled type="bool" default="false">false</enabled>
<base_url type="string" default=""></base_url>
<user_name type="string" default=""></user_name>
<api_key type="string" default=""></api_key>
<ssl_verification type="string" default="true">true</ssl_verification>
<rest_protocol type="string" default=""></rest_protocol>
</languagetool>
<deepl desc="DeepL API settings">
<enabled type="bool" default="false">false</enabled>
<api_url type="string" default=""></api_url>
<auth_key type="string" default=""></auth_key>
</deepl>
<sys_template_path type="path" relative="true" default="systemplate"></sys_template_path>
<child_root_path type="path" relative="true" default="jails"></child_root_path>
<mount_jail_tree type="bool" default="true">true</mount_jail_tree>
<server_name type="string" default=""></server_name>
<file_server_root_path type="path" relative="true" default="browser/../"></file_server_root_path>
<hexify_embedded_urls type="bool" default="false">false</hexify_embedded_urls>
<experimental_features type="bool" default="true">true</experimental_features>
<memproportion type="double" default="80.0"></memproportion>
<num_prespawn_children type="uint" default="4">4</num_prespawn_children>
<fetch_update_check type="uint" default="10">10</fetch_update_check>
<allow_update_popup type="bool" default="true">true</allow_update_popup>
<per_document>
<max_concurrency type="uint" default="4">4</max_concurrency>
<batch_priority type="uint" default="5">5</batch_priority>
<bgsave_priority type="uint" default="5">5</bgsave_priority>
<bgsave_timeout_secs type="uint" default="120">120</bgsave_timeout_secs>
<redlining_as_comments type="bool" default="false">false</redlining_as_comments>
<pdf_resolution_dpi type="uint" default="96">96</pdf_resolution_dpi>
<idle_timeout_secs type="uint" default="3600">3600</idle_timeout_secs>
<idlesave_duration_secs type="uint" default="30">30</idlesave_duration_secs>
<autosave_duration_secs type="uint" default="300">300</autosave_duration_secs>
<background_autosave type="bool" default="true">true</background_autosave>
<background_manualsave type="bool" default="true">true</background_manualsave>
<always_save_on_exit type="bool" default="false">false</always_save_on_exit>
<limit_virt_mem_mb type="uint">0</limit_virt_mem_mb>
<limit_stack_mem_kb type="uint">8000</limit_stack_mem_kb>
<limit_file_size_mb type="uint">0</limit_file_size_mb>
<limit_num_open_files type="uint">0</limit_num_open_files>
<limit_load_secs type="uint" default="100">100</limit_load_secs>
<limit_store_failures type="uint" default="5">5</limit_store_failures>
<limit_convert_secs type="uint" default="100">100</limit_convert_secs>
<min_time_between_saves_ms type="uint" default="500">500</min_time_between_saves_ms>
<min_time_between_uploads_ms type="uint" default="5000">5000</min_time_between_uploads_ms>
<cleanup enable="true">
<cleanup_interval_ms type="uint" default="10000">10000</cleanup_interval_ms>
<bad_behavior_period_secs type="uint" default="60">60</bad_behavior_period_secs>
<idle_time_secs type="uint" default="300">300</idle_time_secs>
<limit_dirty_mem_mb type="uint" default="3072">3072</limit_dirty_mem_mb>
<limit_cpu_per type="uint" default="85">85</limit_cpu_per>
<lost_kit_grace_period_secs default="120">120</lost_kit_grace_period_secs>
</cleanup>
</per_document>
<per_view>
<out_of_focus_timeout_secs type="uint" default="300">300</out_of_focus_timeout_secs>
<idle_timeout_secs type="uint" default="900">900</idle_timeout_secs>
<custom_os_info type="string" default=""></custom_os_info>
<min_saved_message_timeout_secs type="uint" default="6">6</min_saved_message_timeout_secs>
</per_view>
<ver_suffix type="string" default=""></ver_suffix>
<logging>
<color type="bool">true</color>
<level type="string" default="warning">warning</level>
<level_startup type="string" default="trace">trace</level_startup>
<disabled_areas type="string" default="Socket,WebSocket,Admin,Pixel">Socket,WebSocket,Admin,Pixel</disabled_areas>
<most_verbose_level_settable_from_client type="string" default="notice">notice</most_verbose_level_settable_from_client>
<least_verbose_level_settable_from_client type="string" default="fatal">fatal</least_verbose_level_settable_from_client>
<protocol type="bool">false</protocol>
<lokit_sal_log type="string" default="-INFO-WARN">-INFO-WARN</lokit_sal_log>
<file enable="false">
<property name="path">/var/log/coolwsd.log</property>
<property name="rotation">never</property>
<property name="archive">timestamp</property>
<property name="compress">true</property>
<property name="purgeAge">10 days</property>
<property name="purgeCount">10</property>
<property name="rotateOnOpen">true</property>
<property name="flush">false</property>
</file>
<anonymize>
<anonymize_user_data type="bool" default="false">false</anonymize_user_data>
<anonymization_salt type="uint" default="82589933">82589933</anonymization_salt>
</anonymize>
<docstats type="bool" default="false">false</docstats>
<userstats type="bool" default="false">false</userstats>
<disable_server_audit type="bool" default="false">false</disable_server_audit>
</logging>
<canvas_slideshow_enabled type="bool" default="true">true</canvas_slideshow_enabled>
<logging_ui_cmd>
<merge type="bool" default="true">true</merge>
<merge_display_end_time type="bool" default="false">true</merge_display_end_time>
<file enable="false">
<property name="path">/var/log/coolwsd-ui-cmd.log</property>
<property name="purgeCount">10</property>
<property name="rotateOnOpen">true</property>
<property name="flush">false</property>
</file>
</logging_ui_cmd>
<trace_event enable="false">
<path type="string" default="/var/log/coolwsd.trace.json">/var/log/coolwsd.trace.json</path>
</trace_event>
<browser_logging default="false">false</browser_logging>
<trace enable="false">
<path compress="true" snapshot="false"></path>
<filter>
<message></message>
</filter>
<outgoing>
<record default="false">false</record>
</outgoing>
</trace>
<net>
<proto type="string" default="all">all</proto>
<listen type="string" default="any">any</listen>
<service_root type="path" default=""></service_root>
<post_allow allow="true">
<host>192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host>
<host>::ffff:192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host>
<host>127\.0\.0\.1</host>
<host>::ffff:127\.0\.0\.1</host>
<host>::1</host>
<host>172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}</host>
<host>::ffff:172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}</host>
<host>172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}</host>
<host>::ffff:172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}</host>
<host>172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}</host>
<host>::ffff:172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}</host>
<host>10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</host>
<host>::ffff:10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</host>
</post_allow>
<lok_allow>
<host>192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host>
<host>::ffff:192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host>
<host>127\.0\.0\.1</host>
<host>::ffff:127\.0\.0\.1</host>
<host>::1</host>
<host>172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}</host>
<host>::ffff:172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}</host>
<host>172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}</host>
<host>::ffff:172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}</host>
<host>172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}</host>
<host>::ffff:172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}</host>
<host>10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</host>
<host>::ffff:10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</host>
<host>localhost</host>
</lok_allow>
<content_security_policy></content_security_policy>
<frame_ancestors>{{ collabora_frame_ancestors | map('regex_replace', '^(.*)$', 'https://\\1') | join(' ') }}</frame_ancestors>
<connection_timeout_secs type="int" default="30">30</connection_timeout_secs>
<proxy_prefix type="bool" default="false">false</proxy_prefix>
</net>
<ssl>
<enable type="bool" default="true">true</enable>
<termination type="bool" default="false">false</termination>
<cert_file_path type="path" relative="false">/etc/coolwsd/cert.pem</cert_file_path>
<key_file_path type="path" relative="false">/etc/coolwsd/key.pem</key_file_path>
<ca_file_path type="path" relative="false">/etc/coolwsd/ca-chain.cert.pem</ca_file_path>
<ssl_verification type="string" default="false">false</ssl_verification>
<cipher_list default="ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"></cipher_list>
<hpkp enable="false" report_only="false">
<max_age enable="true" type="uint" default="1000">1000</max_age>
<report_uri enable="false" type="string"></report_uri>
<pins><pin></pin></pins>
</hpkp>
<sts>
<enabled type="bool" default="false">false</enabled>
<max_age type="int" default="31536000">31536000</max_age>
</sts>
</ssl>
<security>
<seccomp type="bool" default="true">true</seccomp>
<capabilities type="bool" default="true">true</capabilities>
<jwt_expiry_secs type="int" default="1800">1800</jwt_expiry_secs>
<enable_macros_execution type="bool" default="false">false</enable_macros_execution>
<macro_security_level type="int" default="1">1</macro_security_level>
<enable_websocket_urp type="bool" default="false">false</enable_websocket_urp>
<enable_metrics_unauthenticated type="bool" default="false">false</enable_metrics_unauthenticated>
<server_signature type="bool" default="false">false</server_signature>
</security>
<certificates>
<database_path type="string" default=""></database_path>
</certificates>
<watermark>
<opacity type="double" default="0.2">0.2</opacity>
<text type="string"></text>
</watermark>
<user_interface>
<mode type="string" default="default">default</mode>
<use_integration_theme type="bool" default="true">true</use_integration_theme>
<statusbar_save_indicator type="bool" default="true">true</statusbar_save_indicator>
</user_interface>
<storage>
<filesystem allow="false" />
<wopi allow="true">
<max_file_size type="uint">0</max_file_size>
<locking>
<refresh type="int" default="900">900</refresh>
</locking>
<alias_groups mode="groups">
{% for domain in collabora_allowed_domains %}
<group>
<host allow="true">https://{{ domain }}:443</host>
</group>
{% endfor %}
</alias_groups>
<is_legacy_server type="bool" default="false">false</is_legacy_server>
</wopi>
<ssl>
<as_scheme type="bool" default="true">true</as_scheme>
<enable type="bool"></enable>
<cert_file_path type="path" relative="false"></cert_file_path>
<key_file_path type="path" relative="false"></key_file_path>
<ca_file_path type="path" relative="false"></ca_file_path>
<cipher_list></cipher_list>
</ssl>
</storage>
<admin_console>
<enable type="bool" default="true">true</enable>
<enable_pam type="bool" default="false">false</enable_pam>
<username></username>
<password></password>
<logging>
<admin_login type="bool" default="true">true</admin_login>
<metrics_fetch type="bool" default="true">true</metrics_fetch>
<monitor_connect type="bool" default="true">true</monitor_connect>
<admin_action type="bool" default="true">true</admin_action>
</logging>
</admin_console>
<monitors></monitors>
<quarantine_files default="false" enable="false">
<limit_dir_size_mb default="250" type="uint">250</limit_dir_size_mb>
<max_versions_to_maintain default="5" type="uint">5</max_versions_to_maintain>
<path type="path" relative="false"></path>
<expiry_min type="int" default="3000">3000</expiry_min>
</quarantine_files>
<cache_files>
<path type="path" relative="false"></path>
<expiry_min type="int" default="3000">1000</expiry_min>
</cache_files>
<extra_export_formats>
<impress_swf type="bool" default="false">false</impress_swf>
<impress_bmp type="bool" default="false">false</impress_bmp>
<impress_gif type="bool" default="false">false</impress_gif>
<impress_png type="bool" default="false">false</impress_png>
<impress_svg type="bool" default="false">false</impress_svg>
<impress_tiff type="bool" default="false">false</impress_tiff>
</extra_export_formats>
<serverside_config>
<idle_timeout_secs type="uint" default="3600">3600</idle_timeout_secs>
</serverside_config>
<remote_config>
<remote_url type="string" default=""></remote_url>
</remote_config>
<stop_on_config_change type="bool" default="false">false</stop_on_config_change>
<remote_font_config>
<url type="string" default=""></url>
</remote_font_config>
<fonts_missing>
<handling type="string" default="log">log</handling>
</fonts_missing>
<indirection_endpoint>
<url type="string" default=""></url>
<migration_timeout_secs type="uint" default="180">180</migration_timeout_secs>
<geolocation_setup>
<enable type="bool" default="false">false</enable>
<timezone type="string"></timezone>
<allowed_websocket_origins></allowed_websocket_origins>
</geolocation_setup>
<server_name type="string" default=""></server_name>
</indirection_endpoint>
<home_mode>
<enable type="bool" default="false">false</enable>
</home_mode>
<zotero>
<enable type="bool" default="true">true</enable>
</zotero>
<help_url type="string" default="https://help.collaboraoffice.com/help.html?">https://help.collaboraoffice.com/help.html?</help_url>
<overwrite_mode>
<enable type="bool" default="false">false</enable>
</overwrite_mode>
<wasm>
<enable type="bool" default="false">false</enable>
<force type="bool" default="false">false</force>
</wasm>
<document_signing>
<enable type="bool" default="true">true</enable>
</document_signing>
</config>

34
roles/collabora/templates/docker-compose.yml.j2
View file

@ -1,34 +0,0 @@
services:
collabora:
image: {{ collabora_image }}
container_name: {{ collabora_service_name }}
restart: unless-stopped
environment:
extra_params: "--o:ssl.enable=false --o:ssl.termination=true --o:ssl.ssl_verification={{ collabora_ssl_verification | string | lower }}"
volumes:
- {{ collabora_docker_volume_dir }}/coolwsd.xml:/etc/coolwsd/coolwsd.xml:ro
cap_add:
- MKNOD
networks:
- {{ collabora_traefik_network }}
{% if collabora_extra_hosts is defined and collabora_extra_hosts | length > 0 %}
extra_hosts:
{% for host in collabora_extra_hosts %}
- "{{ host }}"
{% endfor %}
{% endif %}
labels:
- traefik.enable=true
- traefik.docker.network={{ collabora_traefik_network }}
- traefik.http.routers.{{ collabora_service_name }}.rule=Host(`{{ collabora_domain }}`)
- traefik.http.services.{{ collabora_service_name }}.loadbalancer.server.port={{ collabora_port }}
{% if collabora_use_ssl %}
- traefik.http.routers.{{ collabora_service_name }}.entrypoints=websecure
- traefik.http.routers.{{ collabora_service_name }}.tls=true
{% else %}
- traefik.http.routers.{{ collabora_service_name }}.entrypoints=web
{% endif %}
networks:
{{ collabora_traefik_network }}:
external: true

3
roles/collabora/tests/inventory
View file

@ -1,3 +0,0 @@
#SPDX-License-Identifier: MIT-0
localhost

6
roles/collabora/tests/test.yml
View file

@ -1,6 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
- hosts: localhost
remote_user: root
roles:
- collabora

38
roles/drawio/README.md
View file

@ -1,38 +0,0 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).

20
roles/drawio/defaults/main.yml
View file

@ -1,20 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
# defaults file for drawio
# Base directory configuration (inherited from base role or defined here)
docker_compose_base_dir: /etc/docker/compose
# Drawio-specific configuration
drawio_service_name: drawio
drawio_docker_compose_dir: "{{ docker_compose_base_dir }}/{{ drawio_service_name }}"
# Service configuration
drawio_domain: "drawio.local.test"
drawio_image: "jgraph/drawio:latest"
drawio_port: 8080
drawio_extra_hosts: []
# Traefik configuration
drawio_traefik_network: "proxy"
drawio_use_ssl: true

8
roles/drawio/handlers/main.yml
View file

@ -1,8 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
# handlers file for drawio
- name: restart drawio
community.docker.docker_compose_v2:
project_src: "{{ drawio_docker_compose_dir }}"
state: restarted

21
roles/drawio/tasks/main.yml
View file

@ -1,21 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
# tasks file for drawio
- name: Create docker compose directory
file:
path: "{{ drawio_docker_compose_dir }}"
state: directory
mode: '0755'
- name: Create docker-compose file for drawio
template:
src: docker-compose.yml.j2
dest: "{{ drawio_docker_compose_dir }}/docker-compose.yml"
mode: '0644'
notify: restart drawio
- name: Start drawio container
community.docker.docker_compose_v2:
project_src: "{{ drawio_docker_compose_dir }}"
state: present

28
roles/drawio/templates/docker-compose.yml.j2
View file

@ -1,28 +0,0 @@
services:
drawio:
image: {{ drawio_image }}
container_name: {{ drawio_service_name }}
restart: unless-stopped
networks:
- {{ drawio_traefik_network }}
{% if drawio_extra_hosts is defined and drawio_extra_hosts | length > 0 %}
extra_hosts:
{% for host in drawio_extra_hosts %}
- "{{ host }}"
{% endfor %}
{% endif %}
labels:
- traefik.enable=true
- traefik.docker.network={{ drawio_traefik_network }}
- traefik.http.routers.{{ drawio_service_name }}.rule=Host(`{{ drawio_domain }}`)
- traefik.http.services.{{ drawio_service_name }}.loadbalancer.server.port={{ drawio_port }}
{% if drawio_use_ssl %}
- traefik.http.routers.{{ drawio_service_name }}.entrypoints=websecure
- traefik.http.routers.{{ drawio_service_name }}.tls=true
{% else %}
- traefik.http.routers.{{ drawio_service_name }}.entrypoints=web
{% endif %}
networks:
{{ drawio_traefik_network }}:
external: true

3
roles/drawio/tests/inventory
View file

@ -1,3 +0,0 @@
#SPDX-License-Identifier: MIT-0
localhost

6
roles/drawio/tests/test.yml
View file

@ -1,6 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
- hosts: localhost
remote_user: root
roles:
- drawio

3
roles/drawio/vars/main.yml
View file

@ -1,3 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
# vars file for drawio

2
roles/389ds/README.md → roles/homarr/README.md
View file

@ -35,4 +35,4 @@ BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
An optional section for the role authors to include contact information, or a website (HTML is not allowed).

23
roles/homarr/defaults/main.yml Normal file
View file

@ -0,0 +1,23 @@
#SPDX-License-Identifier: MIT-0
---
# defaults file for homarr
# Base directory configuration (inherited from base role or defined here)
docker_compose_base_dir: /etc/docker/compose
docker_volume_base_dir: /srv/data
# homarr-specific configuration
homarr_service_name: homarr
homarr_docker_compose_dir: "{{ docker_compose_base_dir }}/{{ homarr_service_name }}"
homarr_docker_volume_dir: "{{ docker_volume_base_dir }}/{{ homarr_service_name }}"
# Service configuration
homarr_domain: "homarr.local.test"
homarr_image: "ghcr.io/homarr-labs/homarr:latest"
homarr_secret_encription_key: "CHANGE_ME"
homarr_port: 7575
homarr_use_docker: false
# Traefik configuration
homarr_traefik_network: "proxy"
homarr_use_ssl: true

2
roles/collabora/vars/main.yml → roles/homarr/handlers/main.yml
View file

@ -1,3 +1,3 @@
#SPDX-License-Identifier: MIT-0
---
# vars file for collabora
# handlers file for homarr

2
roles/drawio/meta/main.yml → roles/homarr/meta/main.yml
View file

@ -32,4 +32,4 @@ galaxy_info:
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
# if you add dependencies to this list.

19
roles/homarr/tasks/main.yml Normal file
View file

@ -0,0 +1,19 @@
#SPDX-License-Identifier: MIT-0
---
# tasks file for homarr
- name: Create docker compose directory
file:
path: "{{ homarr_docker_compose_dir }}"
state: directory
mode: '0755'
- name: Create docker-compose file for homarr
template:
src: docker-compose.yml.j2
dest: "{{ homarr_docker_compose_dir }}/docker-compose.yml"
mode: '0644'
- name: Start homarr containers
community.docker.docker_compose_v2:
project_src: "{{ homarr_docker_compose_dir }}"
state: present

31
roles/homarr/templates/docker-compose.yml.j2 Normal file
View file

@ -0,0 +1,31 @@
#---------------------------------------------------------------------#
# Homarr - A simple, yet powerful dashboard for your server. #
#---------------------------------------------------------------------#
services:
homarr:
container_name: {{ homarr_service_name }}
image: {{ homarr_image }}
restart: unless-stopped
volumes:
{% if homarr_use_docker %}
- /var/run/docker.sock:/var/run/docker.sock # Optional, only if you want docker integration
{% endif %}
- {{ homarr_docker_volume_dir }}/homarr/appdata:/appdata
environment:
- SECRET_ENCRYPTION_KEY={{ homarr_secret_encryption_key }}
networks:
- {{ homarr_traefik_network }}
labels:
- traefik.enable=true
- traefik.docker.network={{ homarr_traefik_network }}
- traefik.http.routers.{{ homarr_service_name }}.rule=Host(`{{ homarr_domain }}`)
{% if homarr_use_ssl %}
- traefik.http.routers.{{ homarr_service_name }}.entrypoints=websecure
- traefik.http.routers.{{ homarr_service_name }}.tls=true
{% else %}
- traefik.http.routers.{{ homarr_service_name }}.entrypoints=web
{% endif %}
- traefik.http.services.{{ homarr_service_name }}.loadbalancer.server.port={{ homarr_port }}
networks:
{{ homarr_traefik_network }}:
external: true

1
roles/389ds/tests/inventory → roles/homarr/tests/inventory
View file

@ -1,3 +1,2 @@
#SPDX-License-Identifier: MIT-0
localhost

2
roles/389ds/tests/test.yml → roles/homarr/tests/test.yml
View file

@ -3,4 +3,4 @@
- hosts: localhost
remote_user: root
roles:
- 389ds
- homarr

2
roles/389ds/vars/main.yml → roles/homarr/vars/main.yml
View file

@ -1,3 +1,3 @@
#SPDX-License-Identifier: MIT-0
---
# vars file for 389ds
# vars file for homarr

94
roles/keycloak/defaults/main.yml
View file

@ -33,97 +33,3 @@ keycloak_use_ssl: true
keycloak_log_level: "INFO"
keycloak_proxy_mode: "edge"
keycloak_gzip_enabled: false # Disable GZIP encoding to avoid MIME type issues
# Extra CA certificates to trust (host paths to PEM files)
keycloak_truststore_certificates: []
# - /srv/data/389ds/data/ssca/ca.crt
# Extra /etc/hosts entries for the Keycloak container
keycloak_extra_hosts: []
# - "ldap:192.168.56.11"
# Provisioning configuration
keycloak_provisioning_enabled: false
# Realm configuration
keycloak_realm: "default"
keycloak_realm_display_name: "Default Realm"
# Auth URL for API access (used by provisioning tasks)
keycloak_auth_url: "{{ 'https' if keycloak_use_ssl else 'http' }}://{{ keycloak_domain }}"
# Groups to provision
keycloak_groups: []
# - name: admins
# - name: users
# Local users to provision
keycloak_local_users: []
# - username: admin
# first_name: "Admin"
# last_name: "User"
# email: "admin@example.com"
# password: "changeme"
# groups:
# - name: admins
# OIDC clients to provision
keycloak_oidc_clients: []
# - client_id: nextcloud
# name: "Nextcloud"
# client_secret: "changeme"
# redirect_uris:
# - "https://nextcloud.example.com/apps/user_oidc/code"
# default_client_scopes:
# - openid
# - email
# - profile
# Identity providers (e.g., Entra ID, Google)
keycloak_identity_providers: []
# - alias: entra-id
# display_name: "Login with Microsoft"
# provider_id: oidc
# config:
# clientId: "{{ entra_client_id }}"
# clientSecret: "{{ entra_client_secret }}"
# authorizationUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
# tokenUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/token"
# defaultScope: "openid profile email"
# Resources to remove from Keycloak (cleanup)
# Add names/aliases here when removing from the lists above
keycloak_removed_users: []
# - olduser
keycloak_removed_groups: []
# - oldgroup
keycloak_removed_clients: []
# - old-client
keycloak_removed_identity_providers: []
# - old-idp
# LDAP user federations
keycloak_user_federations: []
# - name: ldap-389ds
# provider_id: ldap
# config:
# editMode: WRITABLE
# syncRegistrations: "true"
# importEnabled: "true"
# vendor: rhds
# connectionUrl: "ldaps://ldap.example.com:636"
# usersDn: "ou=users,dc=example,dc=com"
# bindDn: "cn=Directory Manager"
# bindCredential: "changeme"
# usernameLDAPAttribute: uid
# rdnLDAPAttribute: uid
# uuidLDAPAttribute: nsuniqueid
# userObjectClasses: "inetOrgPerson, organizationalPerson"
# authType: simple
# useTruststoreSpi: never
keycloak_removed_user_federations: []
# - old-federation

24
roles/keycloak/tasks/main.yml
View file

@ -13,8 +13,6 @@
path: "{{ keycloak_docker_volume_dir }}/data"
state: directory
mode: '0755'
owner: "1000"
group: "1000"
- name: Create postgres data directory
file:
@ -32,25 +30,3 @@
community.docker.docker_compose_v2:
project_src: "{{ keycloak_docker_compose_dir }}"
state: present
- name: Wait for Keycloak health endpoint
uri:
url: "{{ keycloak_auth_url }}/health/ready"
method: GET
status_code: 200
validate_certs: false
register: keycloak_health
until: keycloak_health.status == 200
retries: 30
delay: 10
delegate_to: localhost
become: false
when: keycloak_provisioning_enabled | bool
- name: Run Keycloak provisioning
ansible.builtin.include_tasks: provisioning.yml
args:
apply:
become: false
delegate_to: localhost
when: keycloak_provisioning_enabled | bool

190
roles/keycloak/tasks/provisioning.yml
View file

@ -1,190 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
# Keycloak provisioning tasks
# Create realm (if not master)
- name: Create Keycloak realm
community.general.keycloak_realm:
auth_keycloak_url: "{{ keycloak_auth_url }}"
auth_realm: master
auth_username: "{{ keycloak_admin_user }}"
auth_password: "{{ keycloak_admin_password }}"
realm: "{{ keycloak_realm }}"
display_name: "{{ keycloak_realm_display_name }}"
enabled: true
state: present
validate_certs: false
no_log: true
when: keycloak_realm != "master"
# Cleanup: Remove deleted identity providers
- name: Remove deleted identity providers
community.general.keycloak_identity_provider:
auth_keycloak_url: "{{ keycloak_auth_url }}"
auth_realm: master
auth_username: "{{ keycloak_admin_user }}"
auth_password: "{{ keycloak_admin_password }}"
realm: "{{ keycloak_realm }}"
alias: "{{ item }}"
state: absent
validate_certs: false
loop: "{{ keycloak_removed_identity_providers }}"
no_log: true
# Cleanup: Remove deleted user federations
- name: Remove deleted user federations
community.general.keycloak_user_federation:
auth_keycloak_url: "{{ keycloak_auth_url }}"
auth_realm: master
auth_username: "{{ keycloak_admin_user }}"
auth_password: "{{ keycloak_admin_password }}"
realm: "{{ keycloak_realm }}"
name: "{{ item }}"
state: absent
validate_certs: false
loop: "{{ keycloak_removed_user_federations }}"
no_log: true
# Cleanup: Remove deleted clients
- name: Remove deleted clients
community.general.keycloak_client:
auth_keycloak_url: "{{ keycloak_auth_url }}"
auth_realm: master
auth_username: "{{ keycloak_admin_user }}"
auth_password: "{{ keycloak_admin_password }}"
realm: "{{ keycloak_realm }}"
client_id: "{{ item }}"
state: absent
validate_certs: false
loop: "{{ keycloak_removed_clients }}"
no_log: true
# Cleanup: Remove deleted users
- name: Remove deleted users
community.general.keycloak_user:
auth_keycloak_url: "{{ keycloak_auth_url }}"
auth_realm: master
auth_username: "{{ keycloak_admin_user }}"
auth_password: "{{ keycloak_admin_password }}"
realm: "{{ keycloak_realm }}"
username: "{{ item }}"
state: absent
validate_certs: false
loop: "{{ keycloak_removed_users }}"
no_log: true
# Cleanup: Remove deleted groups
- name: Remove deleted groups
community.general.keycloak_group:
auth_keycloak_url: "{{ keycloak_auth_url }}"
auth_realm: master
auth_username: "{{ keycloak_admin_user }}"
auth_password: "{{ keycloak_admin_password }}"
realm: "{{ keycloak_realm }}"
name: "{{ item }}"
state: absent
validate_certs: false
loop: "{{ keycloak_removed_groups }}"
no_log: true
# Create groups
- name: Create groups
community.general.keycloak_group:
auth_keycloak_url: "{{ keycloak_auth_url }}"
auth_realm: master
auth_username: "{{ keycloak_admin_user }}"
auth_password: "{{ keycloak_admin_password }}"
realm: "{{ keycloak_realm }}"
name: "{{ item.name }}"
state: present
validate_certs: false
loop: "{{ keycloak_groups }}"
no_log: true
# Create user federations (LDAP)
- name: Create user federations
community.general.keycloak_user_federation:
auth_keycloak_url: "{{ keycloak_auth_url }}"
auth_realm: master
auth_username: "{{ keycloak_admin_user }}"
auth_password: "{{ keycloak_admin_password }}"
realm: "{{ keycloak_realm }}"
name: "{{ item.name }}"
provider_id: "{{ item.provider_id }}"
provider_type: org.keycloak.storage.UserStorageProvider
config: "{{ item.config }}"
mappers: "{{ item.mappers | default(omit) }}"
bind_credential_update_mode: only_indirect
state: present
validate_certs: false
loop: "{{ keycloak_user_federations }}"
no_log: true
# Create local users
- name: Create local users
community.general.keycloak_user:
auth_keycloak_url: "{{ keycloak_auth_url }}"
auth_realm: master
auth_username: "{{ keycloak_admin_user }}"
auth_password: "{{ keycloak_admin_password }}"
realm: "{{ keycloak_realm }}"
username: "{{ item.username }}"
first_name: "{{ item.first_name | default(omit) }}"
last_name: "{{ item.last_name | default(omit) }}"
email: "{{ item.email | default(omit) }}"
enabled: "{{ item.enabled | default(true) }}"
email_verified: "{{ item.email_verified | default(true) }}"
credentials:
- type: password
value: "{{ item.password }}"
temporary: false
groups: "{{ item.groups | default([]) }}"
state: present
validate_certs: false
loop: "{{ keycloak_local_users }}"
no_log: true
# Create OIDC clients
- name: Create OIDC clients
community.general.keycloak_client:
auth_keycloak_url: "{{ keycloak_auth_url }}"
auth_realm: master
auth_username: "{{ keycloak_admin_user }}"
auth_password: "{{ keycloak_admin_password }}"
realm: "{{ keycloak_realm }}"
client_id: "{{ item.client_id }}"
name: "{{ item.name | default(item.client_id) }}"
enabled: true
client_authenticator_type: client-secret
secret: "{{ item.client_secret }}"
redirect_uris: "{{ item.redirect_uris | default([]) }}"
web_origins: "{{ item.web_origins | default(['+']) }}"
standard_flow_enabled: true
implicit_flow_enabled: false
direct_access_grants_enabled: "{{ item.direct_access_grants_enabled | default(false) }}"
protocol: openid-connect
default_client_scopes: "{{ item.default_client_scopes | default(['openid', 'email', 'profile']) }}"
protocol_mappers: "{{ item.protocol_mappers | default(omit) }}"
state: present
validate_certs: false
loop: "{{ keycloak_oidc_clients }}"
no_log: true
# Create identity providers
- name: Create identity providers
community.general.keycloak_identity_provider:
auth_keycloak_url: "{{ keycloak_auth_url }}"
auth_realm: master
auth_username: "{{ keycloak_admin_user }}"
auth_password: "{{ keycloak_admin_password }}"
realm: "{{ keycloak_realm }}"
alias: "{{ item.alias }}"
display_name: "{{ item.display_name | default(item.alias) }}"
provider_id: "{{ item.provider_id }}"
enabled: "{{ item.enabled | default(true) }}"
trust_email: "{{ item.trust_email | default(true) }}"
first_broker_login_flow_alias: "{{ item.first_broker_login_flow_alias | default('first broker login') }}"
config: "{{ item.config }}"
state: present
validate_certs: false
loop: "{{ keycloak_identity_providers }}"
no_log: true

13
roles/keycloak/templates/docker-compose.yml.j2
View file

@ -32,26 +32,13 @@ services:
KC_SPI_RESOURCE_ENCODING_GZIP_CACHE_DIR: /opt/keycloak/data/gzip-cache
KC_PROXY: {{ keycloak_proxy_mode }}
KC_HOSTNAME: {{ keycloak_domain }}
KC_HEALTH_ENABLED: "true"
{% if keycloak_truststore_certificates | length > 0 %}
KC_TRUSTSTORE_PATHS: "{{ keycloak_truststore_certificates | map('regex_replace', '^.*/(.*)$', '/opt/keycloak/certs/\\1') | join(',') }}"
{% endif %}
depends_on:
- postgres
volumes:
- {{ keycloak_docker_volume_dir }}/data:/opt/keycloak/data
{% for cert in keycloak_truststore_certificates %}
- {{ cert }}:/opt/keycloak/certs/{{ cert | basename }}:ro
{% endfor %}
networks:
- {{ keycloak_backend_network }}
- {{ keycloak_traefik_network }}
{% if keycloak_extra_hosts | length > 0 %}
extra_hosts:
{% for host in keycloak_extra_hosts %}
- "{{ host }}"
{% endfor %}
{% endif %}
tmpfs:
- /opt/keycloak/data/tmp:size=1024m
labels:

68
roles/nextcloud/defaults/main.yml
View file

@ -14,7 +14,6 @@ nextcloud_image: "nextcloud:fpm"
nextcloud_redis_image: "redis:latest"
nextcloud_port: 80
nextcloud_extra_hosts: []
nextcloud_allow_local_remote_servers: false # Set to true to allow requests to local network (dev only)
nextcloud_postgres_image: "postgres:15"
nextcloud_postgres_db: nextcloud
@ -27,14 +26,10 @@ nextcloud_use_ssl: true
nextcloud_enable_collabora: true
nextcloud_collabora_domain: "office.local.test"
nextcloud_collabora_service_name: collabora
nextcloud_collabora_image: collabora/code:latest
nextcloud_collabora_disable_cert_verification: false
# Draw.io integration (set nextcloud_drawio_url to enable)
nextcloud_enable_drawio: false
nextcloud_drawio_url: ""
nextcloud_drawio_theme: "kennedy"
nextcloud_drawio_offline: "yes"
nextcloud_use_s3_storage: false
nextcloud_s3_key: changeme
nextcloud_s3_secret: changeme
@ -53,12 +48,6 @@ nextcloud_upload_limit_mb: 2048
nextcloud_scale_factor: 2
# Trusted proxies (Docker internal networks)
nextcloud_trusted_proxies: "172.16.0.0/12"
# File locking and real-time push notifications
nextcloud_enable_notify_push: false
# Non-default apps to install and enable
nextcloud_apps_to_install:
- groupfolders
@ -66,55 +55,4 @@ nextcloud_apps_to_install:
- spreed
- user_ldap
- user_oidc
- whiteboard
- files_lock
- notify_push
# OIDC provider configuration
nextcloud_oidc_allow_selfsigned: false # Set to true to disable SSL verification for OIDC providers (dev only)
nextcloud_oidc_providers: []
# - identifier: keycloak
# display_name: "Login with Keycloak"
# client_id: "nextcloud"
# client_secret: "changeme"
# discovery_url: "https://keycloak.example.com/realms/default/.well-known/openid-configuration"
# scope: "openid email profile"
# unique_uid: true
# check_bearer: false
# send_id_token_hint: true
# mapping:
# uid: preferred_username
# display_name: name
# email: email
# groups: groups
# OIDC providers to remove
nextcloud_oidc_providers_removed: []
# - old-provider
# LDAP configuration
nextcloud_ldap_enabled: false
nextcloud_ldap_config: {}
# Example for 389ds with Keycloak user federation:
# ldapHost: "ldaps://389ds"
# ldapPort: "3636"
# ldapAgentName: "cn=Directory Manager"
# ldapAgentPassword: "changeme"
# ldapBase: "dc=example,dc=com"
# ldapBaseUsers: "ou=users,dc=example,dc=com"
# ldapBaseGroups: "dc=example,dc=com"
# ldapTLS: "0"
# turnOffCertCheck: "0"
# ldapUserFilter: "(&(objectclass=inetOrgPerson)(uid=*))"
# ldapLoginFilter: "(&(objectclass=inetOrgPerson)(uid=%uid))"
# ldapUserDisplayName: "displayname"
# ldapEmailAttribute: "mail"
# ldapExpertUsernameAttr: "uid"
# ldapExpertUUIDUserAttr: "nsuniqueid"
# ldapBaseGroups: "ou=groups,dc=example,dc=com"
# ldapGroupFilter: "(&(objectClass=groupOfNames))"
# ldapGroupFilterObjectclass: "groupOfNames"
# ldapGroupDisplayName: "cn"
# ldapGroupMemberAssocAttr: "member"
# ldapAdminGroup: "admins"
# ldapConfigurationActive: "1"
- whiteboard

7
roles/nextcloud/tasks/collabora.yml
View file

@ -14,9 +14,4 @@
- name: Set Collabora WOPI allowlist
community.docker.docker_container_exec:
container: "{{ nextcloud_docker_compose_dir | basename }}-nextcloud-1"
command: php /var/www/html/occ config:app:set richdocuments wopi_allowlist --value=''
- name: Activate richdocuments configuration (fetch discovery from Collabora)
community.docker.docker_container_exec:
container: "{{ nextcloud_docker_compose_dir | basename }}-nextcloud-1"
command: php /var/www/html/occ richdocuments:activate-config
command: php /var/www/html/occ config:app:set richdocuments wopi_allowlist --value=''

19
roles/nextcloud/tasks/drawio.yml
View file

@ -1,19 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
# tasks file for configuring draw.io in Nextcloud
- name: Configure draw.io URL
community.docker.docker_container_exec:
container: "{{ nextcloud_docker_compose_dir | basename }}-nextcloud-1"
command: php /var/www/html/occ config:app:set drawio DrawioUrl --value={{ nextcloud_drawio_url }}
when: nextcloud_drawio_url | length > 0
- name: Configure draw.io theme
community.docker.docker_container_exec:
container: "{{ nextcloud_docker_compose_dir | basename }}-nextcloud-1"
command: php /var/www/html/occ config:app:set drawio DrawioTheme --value={{ nextcloud_drawio_theme }}
- name: Configure draw.io offline mode
community.docker.docker_container_exec:
container: "{{ nextcloud_docker_compose_dir | basename }}-nextcloud-1"
command: php /var/www/html/occ config:app:set drawio DrawioOffline --value={{ nextcloud_drawio_offline }}

41
roles/nextcloud/tasks/ldap.yml
View file

@ -1,41 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
# LDAP configuration for Nextcloud user_ldap app
- name: Check if LDAP configuration exists
community.docker.docker_container_exec:
container: "{{ nextcloud_service_name }}-nextcloud-1"
command: php /var/www/html/occ ldap:show-config
register: ldap_show_config
changed_when: false
- name: Create LDAP configuration
community.docker.docker_container_exec:
container: "{{ nextcloud_service_name }}-nextcloud-1"
command: php /var/www/html/occ ldap:create-empty-config
when: "'s01' not in ldap_show_config.stdout"
- name: Configure LDAP settings
community.docker.docker_container_exec:
container: "{{ nextcloud_service_name }}-nextcloud-1"
argv:
- php
- /var/www/html/occ
- ldap:set-config
- s01
- "{{ item.key }}"
- "{{ item.value | string }}"
loop: "{{ nextcloud_ldap_config | dict2items }}"
loop_control:
label: "{{ item.key }}"
no_log: true
- name: Test LDAP configuration
community.docker.docker_container_exec:
container: "{{ nextcloud_service_name }}-nextcloud-1"
command: php /var/www/html/occ ldap:test-config s01
register: ldap_test_result
changed_when: false
failed_when:
- ldap_test_result.rc != 0
- "'succeeded' not in (ldap_test_result.stdout | default('') | lower)"

24
roles/nextcloud/tasks/main.yml
View file

@ -55,33 +55,9 @@
- (nextcloud_ready.stdout | from_json).installed == true
changed_when: false
- name: Deploy local network config file
ansible.builtin.template:
src: local-network.config.php.j2
dest: "{{ nextcloud_docker_volume_dir }}/nextcloud/config/local-network.config.php"
owner: www-data
group: www-data
mode: '0640'
- name: Install nextcloud plugins
ansible.builtin.include_tasks: plugins.yml
- name: Configure nextcloud collabora
ansible.builtin.include_tasks: collabora.yml
when: nextcloud_enable_collabora
- name: Configure nextcloud draw.io
ansible.builtin.include_tasks: drawio.yml
when: nextcloud_enable_drawio
- name: Configure notify_push
ansible.builtin.include_tasks: notify_push.yml
when: nextcloud_enable_notify_push
- name: Configure LDAP backend
ansible.builtin.include_tasks: ldap.yml
when: nextcloud_ldap_enabled
- name: Configure OIDC providers
ansible.builtin.include_tasks: oidc.yml
when: nextcloud_oidc_providers | length > 0 or nextcloud_oidc_providers_removed | length > 0

8
roles/nextcloud/tasks/notify_push.yml
View file

@ -1,8 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
# tasks file for configuring notify_push in Nextcloud
- name: Configure notify_push base endpoint
community.docker.docker_container_exec:
container: "{{ nextcloud_docker_compose_dir | basename }}-nextcloud-1"
command: php /var/www/html/occ notify_push:setup https://{{ nextcloud_domain }}/push

53
roles/nextcloud/tasks/oidc.yml
View file

@ -1,53 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
# OIDC provider configuration for Nextcloud user_oidc app
- name: Deploy OIDC config file
ansible.builtin.template:
src: oidc.config.php.j2
dest: "{{ nextcloud_docker_volume_dir }}/nextcloud/config/oidc.config.php"
owner: www-data
group: www-data
mode: '0640'
- name: Remove deleted OIDC providers
community.docker.docker_container_exec:
container: "{{ nextcloud_service_name }}-nextcloud-1"
command: php /var/www/html/occ user_oidc:provider:delete "{{ item }}" --force
loop: "{{ nextcloud_oidc_providers_removed }}"
register: oidc_delete_result
changed_when: "'deleted' in (oidc_delete_result.stdout | default('') | lower)"
failed_when:
- oidc_delete_result.rc != 0
- "'not found' not in (oidc_delete_result.stderr | default('') | lower)"
- "'does not exist' not in (oidc_delete_result.stderr | default('') | lower)"
- name: Create or update OIDC providers
vars:
_mapping: "{{ item.mapping | default({}) }}"
_base_args:
- php
- /var/www/html/occ
- user_oidc:provider
- "{{ item.identifier }}"
- "--clientid={{ item.client_id }}"
- "--clientsecret={{ item.client_secret }}"
- "--discoveryuri={{ item.discovery_url }}"
- "--unique-uid={{ '1' if item.unique_uid | default(true) else '0' }}"
- "--check-bearer={{ '1' if item.check_bearer | default(false) else '0' }}"
- "--send-id-token-hint={{ '1' if item.send_id_token_hint | default(true) else '0' }}"
_optional_args: "{{
((['--scope=' ~ item.scope]) if item.scope is defined else []) +
((['--group-provisioning=1']) if item.group_provisioning | default(false) else []) +
((['--mapping-uid=' ~ _mapping.uid]) if _mapping.uid is defined else []) +
((['--mapping-display-name=' ~ _mapping.display_name]) if _mapping.display_name is defined else []) +
((['--mapping-email=' ~ _mapping.email]) if _mapping.email is defined else []) +
((['--mapping-groups=' ~ _mapping.groups]) if _mapping.groups is defined else [])
}}"
community.docker.docker_container_exec:
container: "{{ nextcloud_service_name }}-nextcloud-1"
argv: "{{ _base_args + _optional_args }}"
loop: "{{ nextcloud_oidc_providers }}"
register: oidc_create_result
changed_when: "'created' in (oidc_create_result.stdout | default('') | lower) or 'updated' in (oidc_create_result.stdout | default('') | lower)"
no_log: true

41
roles/nextcloud/templates/docker-compose.yml.j2
View file

@ -61,7 +61,7 @@ services:
PHP_UPLOAD_LIMIT: {{ nextcloud_upload_limit_mb }}M
OVERWRITEPROTOCOL: https
OVERWRITEHOST: {{ nextcloud_domain }}
TRUSTED_PROXIES: "{{ nextcloud_trusted_proxies }}"
TRUSTED_PROXIES: "172.18.0.0/16 172.16.9.88/16 172.16.17.0/24 172.16.9.88"
volumes:
- {{ nextcloud_docker_volume_dir }}/nextcloud/:/var/www/html
networks:
@ -86,7 +86,7 @@ services:
PHP_UPLOAD_LIMIT: {{ nextcloud_upload_limit_mb }}M
OVERWRITEPROTOCOL: https
OVERWRITEHOST: {{ nextcloud_domain }}
TRUSTED_PROXIES: "{{ nextcloud_trusted_proxies }}"
TRUSTED_PROXIES: "172.18.0.0/16 172.16.9.88/16 172.16.17.0/24 172.16.9.88"
{% if nextcloud_use_s3_storage %}
OBJECTSTORE_S3_KEY: {{ nextcloud_s3_key }}
OBJECTSTORE_S3_SECRET: {{ nextcloud_s3_secret }}
@ -109,37 +109,32 @@ services:
{% endfor %}
{% endif %}
{% if nextcloud_enable_notify_push %}
notify-push:
image: icewind1991/notify_push
{% if nextcloud_enable_collabora %}
collabora:
image: {{ nextcloud_collabora_image }}
restart: always
depends_on:
- redis
- db
volumes:
- {{ nextcloud_docker_volume_dir }}/nextcloud/:/var/www/html
environment:
PORT: "7867"
REDIS_URL: "redis://redis:6379"
DATABASE_URL: "postgres://{{ nextcloud_postgres_user }}:{{ nextcloud_postgres_password }}@db:5432/{{ nextcloud_postgres_db }}"
DATABASE_PREFIX: "oc_"
NEXTCLOUD_URL: "http://nginx"
domain: ^{{ nextcloud_domain | replace('.', '\\.') }}$
extra_params: >-
--o:ssl.enable=false
--o:ssl.termination=true
--o:net.frame_ancestors=https://{{ nextcloud_domain }}
cap_add:
- MKNOD
networks:
- {{ nextcloud_backend_network }}
- {{ nextcloud_traefik_network }}
labels:
- traefik.enable=true
- traefik.docker.network={{ nextcloud_traefik_network }}
- traefik.http.routers.{{ nextcloud_service_name }}-push.rule=Host(`{{ nextcloud_domain }}`) && PathPrefix(`/push`)
- traefik.http.services.{{ nextcloud_service_name }}-push.loadbalancer.server.port=7867
- traefik.http.routers.{{ nextcloud_collabora_service_name }}.rule=Host(`{{ nextcloud_collabora_domain }}`)
- traefik.http.services.{{ nextcloud_collabora_service_name }}.loadbalancer.server.port=9980
{% if nextcloud_use_ssl %}
- traefik.http.routers.{{ nextcloud_service_name }}-push.entrypoints=websecure
- traefik.http.routers.{{ nextcloud_service_name }}-push.tls=true
- traefik.http.routers.{{ nextcloud_collabora_service_name }}.entrypoints=websecure
- traefik.http.routers.{{ nextcloud_collabora_service_name }}.tls=true
{% else %}
- traefik.http.routers.{{ nextcloud_service_name }}-push.entrypoints=web
- traefik.http.routers.{{ nextcloud_collabora_service_name }}.entrypoints=web
{% endif %}
- traefik.http.middlewares.{{ nextcloud_service_name }}-push-https.headers.customrequestheaders.X-Forwarded-Proto=https
- traefik.http.routers.{{ nextcloud_service_name }}-push.middlewares={{ nextcloud_service_name }}-push-https
{% endif %}
networks:

4
roles/nextcloud/templates/local-network.config.php.j2
View file

@ -1,4 +0,0 @@
<?php
$CONFIG = array (
'allow_local_remote_servers' => {{ nextcloud_allow_local_remote_servers | lower }},
);

6
roles/nextcloud/templates/oidc.config.php.j2
View file

@ -1,6 +0,0 @@
<?php
$CONFIG = array (
'user_oidc' => array (
'httpclient.allowselfsigned' => {{ nextcloud_oidc_allow_selfsigned | lower }},
),
);

38
roles/opencloud/README.md
View file

@ -1,38 +0,0 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).

85
roles/opencloud/defaults/main.yml
View file

@ -1,85 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
# defaults file for opencloud
# Base directory configuration (inherited from base role or defined here)
docker_compose_base_dir: /etc/docker/compose
docker_volume_base_dir: /srv/data
# OpenCloud-specific configuration
opencloud_service_name: opencloud
opencloud_docker_compose_dir: "{{ docker_compose_base_dir }}/{{ opencloud_service_name }}"
opencloud_docker_volume_dir: "{{ docker_volume_base_dir }}/{{ opencloud_service_name }}"
# Service configuration
opencloud_domain: "opencloud.local.test"
opencloud_image: "opencloudeu/opencloud:latest"
opencloud_port: 9200
opencloud_admin_password: "admin"
opencloud_log_level: "warn"
opencloud_extra_hosts: []
# Traefik configuration
opencloud_traefik_network: "proxy"
opencloud_use_ssl: true
# OIDC configuration (leave empty to use built-in IDP)
opencloud_oidc_issuer: ""
opencloud_oidc_client_id: "opencloud"
opencloud_oidc_client_secret: ""
opencloud_oidc_rewrite_wellknown: true
opencloud_oidc_user_claim: "preferred_username"
opencloud_oidc_user_cs3_claim: "username"
opencloud_oidc_account_edit_url: ""
opencloud_oidc_autoprovision_accounts: true
# S3 storage configuration (leave empty to use local storage)
opencloud_use_s3_storage: false
opencloud_s3_endpoint: ""
opencloud_s3_region: "us-east-1"
opencloud_s3_access_key: ""
opencloud_s3_secret_key: ""
opencloud_s3_bucket: "opencloud"
# Collabora integration (set opencloud_collabora_domain to enable)
opencloud_collabora_domain: ""
opencloud_wopi_domain: ""
opencloud_collabora_insecure: true
# LDAP configuration (set opencloud_ldap_uri to enable external LDAP)
opencloud_ldap_uri: ""
opencloud_ldap_insecure: true
opencloud_ldap_bind_dn: ""
opencloud_ldap_bind_password: ""
opencloud_ldap_user_base_dn: ""
opencloud_ldap_group_base_dn: ""
opencloud_ldap_user_schema_id: "nsuniqueid"
opencloud_ldap_user_schema_id_is_octet_string: true
opencloud_ldap_user_schema_username: "uid"
opencloud_ldap_user_schema_mail: "mail"
opencloud_ldap_user_schema_display_name: "displayName"
opencloud_ldap_group_schema_id: "nsuniqueid"
opencloud_ldap_group_schema_id_is_octet_string: true
opencloud_ldap_group_schema_groupname: "cn"
opencloud_ldap_group_schema_member: "member"
opencloud_ldap_write_enabled: false
# Role assignment via OIDC (set opencloud_role_assignment_driver to "oidc" to enable)
opencloud_role_assignment_driver: "default"
opencloud_role_assignment_oidc_claim: "groups"
opencloud_role_mapping: []
# Example mapping LDAP groups to OpenCloud roles:
# opencloud_role_mapping:
# - role_name: admin
# claim_value: admins
# - role_name: user
# claim_value: users
# Draw.io integration (set opencloud_drawio_url to enable)
opencloud_drawio_url: ""
opencloud_drawio_theme: "minimal"
opencloud_drawio_extension_image: "opencloudeu/web-extensions:draw-io-latest"
# CSP configuration (extra URLs to allow in connect-src and frame-src)
opencloud_csp_extra_connect_src: []
opencloud_csp_extra_frame_src: []

8
roles/opencloud/handlers/main.yml
View file

@ -1,8 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
# handlers file for opencloud
- name: restart opencloud
community.docker.docker_compose_v2:
project_src: "{{ opencloud_docker_compose_dir }}"
state: restarted

35
roles/opencloud/meta/main.yml
View file

@ -1,35 +0,0 @@
#SPDX-License-Identifier: MIT-0
galaxy_info:
author: your name
description: your role description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.2
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

82
roles/opencloud/tasks/main.yml
View file

@ -1,82 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
# tasks file for opencloud
- name: Create docker compose directory
file:
path: "{{ opencloud_docker_compose_dir }}"
state: directory
mode: '0755'
- name: Create opencloud data directory
file:
path: "{{ opencloud_docker_volume_dir }}/data"
state: directory
owner: "1000"
group: "1000"
mode: '0750'
- name: Create opencloud config directory
file:
path: "{{ opencloud_docker_volume_dir }}/config"
state: directory
owner: "1000"
group: "1000"
mode: '0750'
- name: Create CSP override file
template:
src: csp-override.yaml.j2
dest: "{{ opencloud_docker_volume_dir }}/config/csp-override.yaml"
owner: "1000"
group: "1000"
mode: '0644'
when: opencloud_csp_extra_connect_src | length > 0 or opencloud_csp_extra_frame_src | length > 0
notify: restart opencloud
- name: Create proxy role assignment config
template:
src: proxy.yaml.j2
dest: "{{ opencloud_docker_volume_dir }}/config/proxy.yaml"
owner: "1000"
group: "1000"
mode: '0644'
when: opencloud_role_assignment_driver == "oidc" and opencloud_role_mapping | length > 0
notify: restart opencloud
- name: Create draw.io extension apps directory
file:
path: "{{ opencloud_docker_volume_dir }}/data/web/assets/apps/draw-io"
state: directory
owner: "1000"
group: "1000"
mode: '0755'
when: opencloud_drawio_url | length > 0
- name: Create draw.io extension config
copy:
content: |
{
"config": {
"url": "{{ opencloud_drawio_url }}",
"theme": "{{ opencloud_drawio_theme }}"
}
}
dest: "{{ opencloud_docker_volume_dir }}/data/web/assets/apps/draw-io/config.json"
owner: "1000"
group: "1000"
mode: '0644'
when: opencloud_drawio_url | length > 0
notify: restart opencloud
- name: Create docker-compose file for opencloud
template:
src: docker-compose.yml.j2
dest: "{{ opencloud_docker_compose_dir }}/docker-compose.yml"
mode: '0644'
notify: restart opencloud
- name: Start opencloud container
community.docker.docker_compose_v2:
project_src: "{{ opencloud_docker_compose_dir }}"
state: present

20
roles/opencloud/templates/csp-override.yaml.j2
View file

@ -1,20 +0,0 @@
directives:
connect-src:
- "'self'"
- "blob:"
- "https://raw.githubusercontent.com/opencloud-eu/awesome-apps/"
- "https://update.opencloud.eu/"
{% for url in opencloud_csp_extra_connect_src %}
- "{{ url }}"
{% endfor %}
{% if opencloud_csp_extra_frame_src | length > 0 %}
frame-src:
- "'self'"
{% for url in opencloud_csp_extra_frame_src %}
- "{{ url }}"
{% endfor %}
{% endif %}
script-src:
- "'self'"
- "'unsafe-inline'"
- "'unsafe-eval'"

138
roles/opencloud/templates/docker-compose.yml.j2
View file

@ -1,138 +0,0 @@
services:
{% if opencloud_drawio_url %}
drawio-ext:
image: {{ opencloud_drawio_extension_image }}
entrypoint: /bin/sh
command: ["-c", "cp -R /usr/share/nginx/html/apps/draw-io/ /apps/"]
volumes:
- {{ opencloud_docker_volume_dir }}/data/web/assets/apps:/apps
{% endif %}
opencloud:
image: {{ opencloud_image }}
container_name: {{ opencloud_service_name }}
restart: unless-stopped
{% if opencloud_drawio_url %}
depends_on:
drawio-ext:
condition: service_completed_successfully
{% endif %}
entrypoint:
- /bin/sh
command: ["-c", "opencloud init || true; opencloud server"]
volumes:
- {{ opencloud_docker_volume_dir }}/config:/etc/opencloud
- {{ opencloud_docker_volume_dir }}/data:/var/lib/opencloud
environment:
{% if opencloud_use_ssl %}
OC_URL: "https://{{ opencloud_domain }}"
{% else %}
OC_URL: "http://{{ opencloud_domain }}"
{% endif %}
OC_INSECURE: "true"
OC_LOG_LEVEL: "{{ opencloud_log_level }}"
PROXY_TLS: "false"
{% if opencloud_csp_extra_connect_src | length > 0 or opencloud_csp_extra_frame_src | length > 0 %}
PROXY_CSP_CONFIG_FILE_OVERRIDE_LOCATION: "/etc/opencloud/csp-override.yaml"
{% endif %}
IDM_ADMIN_PASSWORD: "{{ opencloud_admin_password }}"
{% if opencloud_role_assignment_driver == "oidc" %}
PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: "{{ opencloud_role_assignment_oidc_claim }}"
GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
SETTINGS_SETUP_DEFAULT_ASSIGNMENTS: "false"
{% endif %}
{% if opencloud_oidc_issuer %}
OC_OIDC_ISSUER: "{{ opencloud_oidc_issuer }}"
OC_OIDC_CLIENT_ID: "{{ opencloud_oidc_client_id }}"
{% if opencloud_oidc_client_secret %}
OC_OIDC_CLIENT_SECRET: "{{ opencloud_oidc_client_secret }}"
{% endif %}
PROXY_OIDC_REWRITE_WELLKNOWN: "{{ opencloud_oidc_rewrite_wellknown | string | lower }}"
PROXY_USER_OIDC_CLAIM: "{{ opencloud_oidc_user_claim }}"
PROXY_USER_CS3_CLAIM: "{{ opencloud_oidc_user_cs3_claim }}"
PROXY_AUTOPROVISION_ACCOUNTS: "{{ opencloud_oidc_autoprovision_accounts | string | lower }}"
{% if opencloud_oidc_account_edit_url %}
WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: "{{ opencloud_oidc_account_edit_url }}"
{% endif %}
{% endif %}
{% if opencloud_use_s3_storage %}
STORAGE_USERS_DRIVER: "decomposeds3"
STORAGE_USERS_DECOMPOSEDS3_ENDPOINT: "{{ opencloud_s3_endpoint }}"
STORAGE_USERS_DECOMPOSEDS3_REGION: "{{ opencloud_s3_region }}"
STORAGE_USERS_DECOMPOSEDS3_ACCESS_KEY: "{{ opencloud_s3_access_key }}"
STORAGE_USERS_DECOMPOSEDS3_SECRET_KEY: "{{ opencloud_s3_secret_key }}"
STORAGE_USERS_DECOMPOSEDS3_BUCKET: "{{ opencloud_s3_bucket }}"
{% endif %}
{% if opencloud_ldap_uri %}
# Disable built-in IDM when using external LDAP
OC_EXCLUDE_RUN_SERVICES: "idm"
IDM_CREATE_DEMO_USERS: "false"
# LDAP connection
OC_LDAP_URI: "{{ opencloud_ldap_uri }}"
OC_LDAP_INSECURE: "{{ opencloud_ldap_insecure | string | lower }}"
OC_LDAP_BIND_DN: "{{ opencloud_ldap_bind_dn }}"
OC_LDAP_BIND_PASSWORD: "{{ opencloud_ldap_bind_password }}"
# LDAP user/group base
OC_LDAP_USER_BASE_DN: "{{ opencloud_ldap_user_base_dn }}"
OC_LDAP_GROUP_BASE_DN: "{{ opencloud_ldap_group_base_dn }}"
# LDAP user schema
OC_LDAP_USER_SCHEMA_ID: "{{ opencloud_ldap_user_schema_id }}"
OC_LDAP_USER_SCHEMA_ID_IS_OCTET_STRING: "{{ opencloud_ldap_user_schema_id_is_octet_string | string | lower }}"
OC_LDAP_USER_SCHEMA_USERNAME: "{{ opencloud_ldap_user_schema_username }}"
OC_LDAP_USER_SCHEMA_MAIL: "{{ opencloud_ldap_user_schema_mail }}"
OC_LDAP_USER_SCHEMA_DISPLAY_NAME: "{{ opencloud_ldap_user_schema_display_name }}"
# LDAP group schema
OC_LDAP_GROUP_SCHEMA_ID: "{{ opencloud_ldap_group_schema_id }}"
OC_LDAP_GROUP_SCHEMA_ID_IS_OCTET_STRING: "{{ opencloud_ldap_group_schema_id_is_octet_string | string | lower }}"
OC_LDAP_GROUP_SCHEMA_GROUPNAME: "{{ opencloud_ldap_group_schema_groupname }}"
OC_LDAP_GROUP_SCHEMA_MEMBER: "{{ opencloud_ldap_group_schema_member }}"
GRAPH_LDAP_SERVER_WRITE_ENABLED: "{{ opencloud_ldap_write_enabled | string | lower }}"
{% endif %}
{% if opencloud_collabora_domain %}
OC_ADD_RUN_SERVICES: "collaboration"
COLLABORA_DOMAIN: "{{ opencloud_collabora_domain }}"
COLLABORATION_APP_NAME: "CollaboraOnline"
COLLABORATION_APP_PRODUCT: "Collabora"
COLLABORATION_APP_ADDR: "https://{{ opencloud_collabora_domain }}"
COLLABORATION_APP_INSECURE: "{{ opencloud_collabora_insecure | string | lower }}"
COLLABORATION_APP_PROOF_DISABLE: "{{ opencloud_collabora_insecure | string | lower }}"
COLLABORATION_CS3API_DATAGATEWAY_INSECURE: "{{ opencloud_collabora_insecure | string | lower }}"
COLLABORATION_HTTP_ADDR: "0.0.0.0:9300"
COLLABORATION_WOPI_SRC: "https://{{ opencloud_wopi_domain }}"
FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR: "eu.opencloud.api.collaboration"
{% endif %}
networks:
- {{ opencloud_traefik_network }}
{% if opencloud_extra_hosts is defined and opencloud_extra_hosts | length > 0 %}
extra_hosts:
{% for host in opencloud_extra_hosts %}
- "{{ host }}"
{% endfor %}
{% endif %}
labels:
- traefik.enable=true
- traefik.docker.network={{ opencloud_traefik_network }}
- traefik.http.routers.{{ opencloud_service_name }}.rule=Host(`{{ opencloud_domain }}`)
{% if opencloud_use_ssl %}
- traefik.http.routers.{{ opencloud_service_name }}.entrypoints=websecure
- traefik.http.routers.{{ opencloud_service_name }}.tls=true
{% else %}
- traefik.http.routers.{{ opencloud_service_name }}.entrypoints=web
{% endif %}
- traefik.http.services.{{ opencloud_service_name }}.loadbalancer.server.port={{ opencloud_port }}
{% if opencloud_collabora_domain %}
- traefik.http.routers.{{ opencloud_service_name }}.service={{ opencloud_service_name }}
- traefik.http.routers.{{ opencloud_service_name }}-wopi.rule=Host(`{{ opencloud_wopi_domain }}`)
- traefik.http.routers.{{ opencloud_service_name }}-wopi.service={{ opencloud_service_name }}-wopi
- traefik.http.services.{{ opencloud_service_name }}-wopi.loadbalancer.server.port=9300
{% if opencloud_use_ssl %}
- traefik.http.routers.{{ opencloud_service_name }}-wopi.entrypoints=websecure
- traefik.http.routers.{{ opencloud_service_name }}-wopi.tls=true
{% else %}
- traefik.http.routers.{{ opencloud_service_name }}-wopi.entrypoints=web
{% endif %}
{% endif %}
networks:
{{ opencloud_traefik_network }}:
external: true

9
roles/opencloud/templates/proxy.yaml.j2
View file

@ -1,9 +0,0 @@
role_assignment:
driver: oidc
oidc_role_mapper:
role_claim: {{ opencloud_role_assignment_oidc_claim }}
role_mapping:
{% for mapping in opencloud_role_mapping %}
- role_name: {{ mapping.role_name }}
claim_value: "{{ mapping.claim_value }}"
{% endfor %}

3
roles/opencloud/tests/inventory
View file

@ -1,3 +0,0 @@
#SPDX-License-Identifier: MIT-0
localhost

6
roles/opencloud/tests/test.yml
View file

@ -1,6 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
- hosts: localhost
remote_user: root
roles:
- opencloud

3
roles/opencloud/vars/main.yml
View file

@ -1,3 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
# vars file for opencloud