chore: wip on demo-gymburgdorf inventory and architecture notes

2026-05-18 15:20:01 +02:00 · 2026-05-18 15:20:01 +02:00 · 103d95740d
commit 103d95740d
parent 56bff066f7
16 changed files with 455 additions and 8 deletions
--- a/inventories/demo-gymburgdorf/host_vars/application/nextcloud.yml
+++ b/inventories/demo-gymburgdorf/host_vars/application/nextcloud.yml
@ -0,0 +1,90 @@
+---
+# Bao secret <mount>/data/nextcloud expected to contain:
+#   postgres_password, admin_password
+_nextcloud: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount + '/data/nextcloud', url=vault_addr) }}"
+_authentik: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount + '/data/authentik', url=vault_addr) }}"
+
+nextcloud_domain: "cloud.gymb.souveredu.ch"
+nextcloud_postgres_password: "{{ _nextcloud.postgres_password }}"
+nextcloud_admin_user: admin
+nextcloud_admin_password: "{{ _nextcloud.admin_password }}"
+
+nextcloud_enable_notify_push: true
+
+# Collabora integration
+nextcloud_enable_collabora: true
+nextcloud_collabora_domain: "office.gymb.souveredu.ch"
+
+# Draw.io integration
+nextcloud_enable_drawio: true
+nextcloud_drawio_url: "https://draw.gymb.souveredu.ch"
+
+nextcloud_apps_to_install:
+  - groupfolders
+  - richdocuments
+  - spreed
+  - user_ldap
+  - user_oidc
+  - whiteboard
+  - drawio
+  - files_lock
+  - notify_push
+
+# S3 primary storage via Garage
+nextcloud_use_s3_storage: true
+nextcloud_s3_key: "{{ lookup('digitalboard.core.garage_credentials', 'nextcloud', host='storage')['key_id'] }}"
+nextcloud_s3_secret: "{{ lookup('digitalboard.core.garage_credentials', 'nextcloud', host='storage')['secret_key'] }}"
+nextcloud_s3_bucket: "nextcloud"
+nextcloud_s3_host: "{{ hostvars['storage']['garage_s3_domain'] }}"
+nextcloud_s3_port: 443
+nextcloud_s3_ssl: true
+nextcloud_s3_usepath_style: true
+
+# Share the LDAP docker network with the authentik LDAP outpost
+nextcloud_extra_networks:
+  - ldap
+
+# LDAP backend (Authentik LDAP outpost)
+nextcloud_ldap_enabled: true
+nextcloud_ldap_config:
+  ldapHost: "ldap://authentik-outpost-ldap-ldap-1"
+  ldapPort: "3389"
+  ldapAgentName: "cn=akadmin,ou=users,dc=gymb,dc=souveredu,dc=ch"
+  ldapAgentPassword: "{{ _authentik.admin_password }}"
+  ldapBase: "dc=gymb,dc=souveredu,dc=ch"
+  ldapBaseUsers: "ou=users,dc=gymb,dc=souveredu,dc=ch"
+  ldapTLS: "0"
+  turnOffCertCheck: "1"
+  ldapUserFilter: "(&(objectClass=user)(cn=*))"
+  ldapUserFilterObjectclass: "user"
+  ldapLoginFilter: "(&(objectClass=user)(cn=%uid))"
+  ldapLoginFilterUsername: "1"
+  ldapUserDisplayName: "cn"
+  ldapEmailAttribute: "mail"
+  ldapExpertUsernameAttr: "cn"
+  ldapExpertUUIDUserAttr: "uid"
+  ldapExpertUUIDGroupAttr: "uid"
+  ldapBaseGroups: "ou=groups,dc=gymb,dc=souveredu,dc=ch"
+  ldapGroupFilter: "(&(objectClass=group))"
+  ldapGroupFilterObjectclass: "group"
+  ldapGroupDisplayName: "cn"
+  ldapGroupMemberAssocAttr: "member"
+  ldapAdminGroup: "admins"
+  ldapCacheTTL: "600"
+  ldapPagingSize: "500"
+  ldapExperiencedAdmin: "1"
+  ldapConfigurationActive: "1"
+
+# OIDC providers for login (Authentik)
+nextcloud_oidc_providers:
+  - identifier: authentik
+    display_name: "Login with Authentik"
+    client_id: nextcloud
+    client_secret: "{{ _authentik.nextcloud_oidc_secret }}"
+    discovery_url: "https://auth.gymb.souveredu.ch/application/o/nextcloud/.well-known/openid-configuration"
+    scope: "openid email profile"
+    unique_uid: true
+    mapping:
+      uid: preferred_username
+      display_name: name
+      email: email