digitalboard.core/roles/nextcloud
Simon Bärlocher 3ace667b6c
feat(services): refine split-horizon OIDC routing and harden nextcloud patch
- authentik: address the rewrite service by compose service name instead
  of a network alias on the public FQDN, which shadowed extra_hosts pins
  and broke OIDC discovery for c-ares-based (Node) resolvers
- homarr: add homarr_extra_hosts to pin the IdP FQDN to a LAN IP so OIDC
  discovery stays in-network while the issuer matches the browser-facing URL
- opnform: add opnform_oidc_sso_redirect_root to 302 the root URL to the
  SSO path (deep-links untouched, /login?bypass=1 break-glass); restart
  ingress via container restart so envsubst re-renders nginx.conf
- nextcloud: make the UserConfig sed workaround fail loud on upstream
  drift instead of silently skipping (nextcloud/server#59629)
- gitignore: exclude the local .ansible/ collection cache
2026-06-02 13:44:08 +02:00

Nextcloud

Ansible role to deploy Nextcloud (fpm) with Postgres and Redis via Docker Compose, optional Collabora WOPI integration, optional draw.io integration, optional notify_push companion, optional S3 primary storage, plus OIDC and LDAP user backends.

What this role does

  • Renders the Compose stack with traefik labels and TLS
  • Installs and enables a configurable list of Nextcloud apps idempotently
  • Configures Collabora (richdocuments), draw.io, OIDC providers and LDAP via occ — every setting is read first and only written when the stored value differs, so re-runs don't churn
  • Sets up notify_push (when enabled)
  • Applies an in-container PHP source workaround for the upstream UserConfig::getValueBool TypeError (nextcloud/server#59629, fixed in master via PR #59646 with no stable33 backport before 33.0.4). The patch task is idempotent (a grep guard skips it once the patch is present); remove it once nextcloud_image is >= 33.0.4.
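The guarded patch task, written out as an added example (these are not the role's own tasks). It assumes a nextcloud_container_name variable and the official image's /var/www/html webroot; the file path and the two grep/sed strings are placeholders for the lines from nextcloud/server#59629, not the real source. The point is the third state: when the source matches neither the patched nor the known-unpatched form, the run fails instead of silently skipping.

```yaml
# Added example, not part of the role. Placeholders: UNPATCHED_LINE_PLACEHOLDER,
# PATCHED_LINE_PLACEHOLDER and the UserConfig.php path stand in for the real
# upstream lines; nextcloud_container_name is an assumed variable.
- name: Decide whether the workaround is still needed for this image tag
  ansible.builtin.set_fact:
    nextcloud_patch_needed: >-
      {{ (nextcloud_image | regex_search('\d+\.\d+\.\d+')) is version('33.0.4', '<') }}

- name: Probe UserConfig.php (rc 0 = already patched, 1 = unpatched, 2 = drift)
  community.docker.docker_container_exec:
    container: "{{ nextcloud_container_name }}"
    chdir: /var/www/html
    argv:
      - sh
      - -c
      - |
        f=lib/private/Config/UserConfig.php   # placeholder path
        grep -qF 'PATCHED_LINE_PLACEHOLDER' "$f" && exit 0
        grep -qF 'UNPATCHED_LINE_PLACEHOLDER' "$f" && exit 1
        exit 2
  register: patch_probe
  changed_when: false
  failed_when: false                 # the assert below reports the drift case
  when: nextcloud_patch_needed

- name: Fail loud on upstream drift instead of silently skipping
  ansible.builtin.assert:
    that: patch_probe.rc in [0, 1]
    fail_msg: >-
      UserConfig.php in {{ nextcloud_image }} matches neither the patched nor the
      known-unpatched source; re-check nextcloud/server#59629 before continuing
  when: nextcloud_patch_needed

- name: Apply the sed workaround only to the known-unpatched source
  community.docker.docker_container_exec:
    container: "{{ nextcloud_container_name }}"
    chdir: /var/www/html
    argv:
      - sed
      - -i
      - 's/UNPATCHED_LINE_PLACEHOLDER/PATCHED_LINE_PLACEHOLDER/'
      - lib/private/Config/UserConfig.php   # placeholder path
  when: nextcloud_patch_needed and (patch_probe.rc | default(0)) == 1
```

A second run hits rc 0 and reports no change; an image upgrade that rewrites the file hits rc 2 and stops the play before a wrong sed lands on new code.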

Requirements

  • Docker and Docker Compose installed on the target host
  • Ansible collection: community.docker
  • Traefik with a shared nextcloud_traefik_network (default proxy)

Role variables

Full spec with types and defaults: meta/argument_specs.yml. The most common overrides:

Service

  • nextcloud_domains: FQDNs the router accepts. First entry is the canonical hostname (used for OVERWRITEHOST and notify_push setup). Further entries cover internal *.int.* names so Collabora's WOPI callback hits the instance on a name with a valid cert.
  • nextcloud_admin_password, nextcloud_postgres_password (required).
  • nextcloud_memory_limit_mb, nextcloud_upload_limit_mb.

Collabora

  • nextcloud_enable_collabora: toggle integration with a separately deployed Collabora server (see the collabora role).
  • nextcloud_collabora_domain: server-to-server hostname.
  • nextcloud_collabora_public_domain (optional): browser-facing hostname when split-horizon uses different names.

Draw.io

  • nextcloud_enable_drawio: enable the integration_drawio app.
  • nextcloud_drawio_url: public draw.io URL.
  • nextcloud_drawio_theme, nextcloud_drawio_offline.

Notify push

  • nextcloud_enable_notify_push: deploy the notify_push companion.
  • nextcloud_notify_push_domain (optional): override the hostname used by occ notify_push:setup to avoid hairpinning through the DMZ.

S3 primary storage

Set nextcloud_use_s3_storage: true plus the nextcloud_s3_* block to point Nextcloud at an external S3-compatible store (e.g. Garage, MinIO).

OIDC

nextcloud_oidc_providers is a list of OIDC providers registered with user_oidc. Required fields per entry: identifier, display_name, client_id, client_secret, discovery_url.

LDAP

Set nextcloud_ldap_enabled: true and provide nextcloud_ldap_config as a dict of occ ldap:set-config s01 KEY VALUE pairs. The role reads the current LDAP config via occ ldap:show-config s01 --output=json and only calls ldap:set-config for keys whose stored value differs.
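The read-then-write pattern the paragraph describes, as an added example (not the role's own tasks). Assumptions: a nextcloud_container_name variable, occ under /var/www/html, and that ldap:show-config --output=json returns an object keyed by the config ID (s01). The bind password is included in the read via --show-password so the comparison is exact, which is why both tasks carry no_log.

```yaml
# Added example, not part of the role. nextcloud_container_name is assumed;
# the JSON shape {"s01": {...}} is an assumption about ldap:show-config output.
- name: Read the current LDAP config, bind password included
  community.docker.docker_container_exec:
    container: "{{ nextcloud_container_name }}"
    user: www-data
    chdir: /var/www/html
    command: php occ ldap:show-config s01 --show-password --output=json
  register: ldap_show
  changed_when: false
  no_log: true                     # stdout contains ldapAgentPassword

- name: Pick the s01 block out of the JSON
  ansible.builtin.set_fact:
    ldap_current: "{{ (ldap_show.stdout | from_json).get('s01', {}) }}"
  no_log: true

- name: Set only the keys whose stored value differs from nextcloud_ldap_config
  community.docker.docker_container_exec:
    container: "{{ nextcloud_container_name }}"
    user: www-data
    chdir: /var/www/html
    argv:
      - php
      - occ
      - ldap:set-config
      - s01
      - "{{ item.key }}"
      - "{{ item.value | string }}"
  loop: "{{ nextcloud_ldap_config | dict2items }}"
  # compare as strings: occ stores everything as text, and a missing key
  # counts as "differs" so a fresh instance gets every managed value
  when: (ldap_current.get(item.key, '') | string) != (item.value | string)
  no_log: true                     # values may include the bind password
```

With every managed key already equal, the loop reports zero changed items, which is the idempotency the role relies on; a value changed by hand in the UI is detected and written back on the next run.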

Dependencies

  • Traefik network (nextcloud_traefik_network, default proxy)
  • Optional: collabora, drawio, garage roles for the corresponding integrations
  • Optional: an OIDC provider (Keycloak, authentik) reachable from Nextcloud and a 389ds LDAP server when using user_ldap

Example playbook

- hosts: app_servers
  roles:
    - role: digitalboard.core.nextcloud
      vars:
        nextcloud_domains:
          - "cloud.example.com"
          - "cloud.int.example.com"
        nextcloud_admin_password: "{{ vault_nextcloud_admin_password }}"
        nextcloud_postgres_password: "{{ vault_nextcloud_pg_password }}"

        nextcloud_enable_collabora: true
        nextcloud_collabora_domain: "office.int.example.com"
        nextcloud_collabora_public_domain: "office.example.com"

        nextcloud_enable_notify_push: true
        nextcloud_notify_push_domain: "cloud.int.example.com"

        nextcloud_oidc_providers:
          - identifier: authentik
            display_name: "Login with Authentik"
            client_id: nextcloud
            client_secret: "{{ vault_nextcloud_oidc_secret }}"
            discovery_url: "https://auth.example.com/application/o/nextcloud/.well-known/openid-configuration"
            mapping:
              uid: preferred_username
              display_name: name
              email: email
              groups: groups

License

MIT-0