---
argument_specs:
  main:
    short_description: Deploy Nextcloud (fpm) + Redis + Postgres via Docker Compose.
    description:
      - Renders a Compose stack for Nextcloud with traefik labels, optional Collabora WOPI integration, optional draw.io integration, optional notify_push companion, optional S3 primary storage, OIDC providers and LDAP user backend.
      - "All C(occ)-driven configuration tasks are idempotent: each setting is read with C(config:app:get) (or C(ldap:show-config)) first and only written when the stored value differs."
    options:
      docker_compose_base_dir:
        type: path
        default: /etc/docker/compose
      docker_volume_base_dir:
        type: path
        default: /srv/data
      nextcloud_service_name:
        type: str
        default: nextcloud
      nextcloud_docker_compose_dir:
        type: path
      nextcloud_docker_volume_dir:
        type: path
      nextcloud_domains:
        type: list
        elements: str
        default: ['nextcloud.local.test']
        description:
          - FQDNs the nextcloud router accepts. The first entry is the canonical domain (used for C(OVERWRITEHOST) and the C(notify_push) setup). Further entries cover internal C(*.int.*) names so Collabora's WOPI callback hits the instance on a name with a valid certificate.
      nextcloud_image:
        type: str
        default: nextcloud:fpm
      nextcloud_redis_image:
        type: str
        default: redis:latest
      nextcloud_port:
        type: int
        default: 80
      nextcloud_extra_hosts:
        type: list
        elements: str
        default: []
      nextcloud_extra_networks:
        type: list
        elements: str
        default: []
      nextcloud_allow_local_remote_servers:
        type: bool
        default: false
        description: Allow requests to local network from Nextcloud (dev only).
      nextcloud_postgres_image:
        type: str
        default: postgres:15
      nextcloud_postgres_db:
        type: str
        default: nextcloud
      nextcloud_postgres_user:
        type: str
        default: nextcloud
      nextcloud_postgres_password:
        type: str
        required: true
      nextcloud_backend_network:
        type: str
        default: nextcloud-internal
      nextcloud_traefik_network:
        type: str
        default: proxy
      nextcloud_use_ssl:
        type: bool
        default: true
      nextcloud_enable_collabora:
        type: bool
        default: true
      nextcloud_collabora_domain:
        type: str
        default: office.local.test
        description: Hostname Nextcloud uses to talk to Collabora server-to-server.
      nextcloud_collabora_public_domain:
        type: str
        description:
          - Optional browser-facing hostname for Collabora; defaults to C(nextcloud_collabora_domain) when unset. Set when split-horizon uses different names for browser and server traffic.
      nextcloud_collabora_disable_cert_verification:
        type: bool
        default: false
      nextcloud_enable_drawio:
        type: bool
        default: false
        description: Enable the integration_drawio Nextcloud app and configure the URL/theme.
      nextcloud_drawio_url:
        type: str
        default: ''
        description: Public draw.io URL used by the integration_drawio app.
      nextcloud_drawio_theme:
        type: str
        choices: [kennedy, atlas, dark, sketch, min]
        default: kennedy
      nextcloud_drawio_offline:
        type: str
        choices: ['yes', 'no']
        default: 'yes'
      nextcloud_use_s3_storage:
        type: bool
        default: false
        description: Use S3 primary object storage instead of the local data dir.
      nextcloud_s3_key:
        type: str
        default: changeme
      nextcloud_s3_secret:
        type: str
        default: changeme
      nextcloud_s3_region:
        type: str
        default: us-east-1
      nextcloud_s3_bucket:
        type: str
        default: nextcloud
      nextcloud_s3_host:
        type: str
        default: s3.example.com
      nextcloud_s3_port:
        type: int
        default: 443
      nextcloud_s3_ssl:
        type: bool
        default: true
      nextcloud_s3_usepath_style:
        type: bool
        default: true
      nextcloud_s3_autocreate:
        type: bool
        default: false
      nextcloud_admin_user:
        type: str
        default: admin
      nextcloud_admin_password:
        type: str
        required: true
      nextcloud_memory_limit_mb:
        type: int
        default: 1024
      nextcloud_upload_limit_mb:
        type: int
        default: 2048
      nextcloud_scale_factor:
        type: int
        default: 2
      nextcloud_trusted_proxies:
        type: str
        default: '172.16.0.0/12'
        description: Trusted proxy CIDR(s) — by default the Docker internal range.
      nextcloud_enable_notify_push:
        type: bool
        default: false
      nextcloud_notify_push_image:
        type: str
        default: icewind1991/notify_push:1.3.1
      nextcloud_notify_push_domain:
        type: str
        description:
          - Hostname used when calling C(occ notify_push:setup). Defaults to the first C(nextcloud_domains) entry. Override with an internal FQDN to avoid hairpinning the setup check through the DMZ; the FQDN must also be in C(nextcloud_domains).
      nextcloud_apps_to_install:
        type: list
        elements: str
        default:
          - groupfolders
          - richdocuments
          - spreed
          - user_ldap
          - user_oidc
          - whiteboard
          - files_lock
          - notify_push
        description:
          - Non-default Nextcloud apps to install + enable. Install/enable detection is idempotent — re-runs report C(ok) when the app is already present and enabled.
      nextcloud_oidc_allow_selfsigned:
        type: bool
        default: false
      nextcloud_oidc_providers:
        type: list
        elements: dict
        default: []
        description: OIDC providers registered with the user_oidc app.
        options:
          identifier:
            type: str
            required: true
          display_name:
            type: str
            required: true
          client_id:
            type: str
            required: true
          client_secret:
            type: str
            required: true
          discovery_url:
            type: str
            required: true
          scope:
            type: str
            default: openid email profile
          unique_uid:
            type: bool
            default: true
          check_bearer:
            type: bool
            default: false
          send_id_token_hint:
            type: bool
            default: true
          mapping:
            type: dict
      nextcloud_oidc_providers_removed:
        type: list
        elements: str
        default: []
      nextcloud_ldap_enabled:
        type: bool
        default: false
      nextcloud_ldap_config:
        type: dict
        default: {}
        description:
          - Key/value pairs passed to C(occ ldap:set-config s01 KEY VALUE). The role reads the current config first and only invokes C(set-config) when a stored value differs.