diff --git a/docker-compose/nextcloud/docker-compose.yml.j2 b/docker-compose/nextcloud/docker-compose.yml.j2
index fd6cb40e..15ad1f1d 100644
--- a/docker-compose/nextcloud/docker-compose.yml.j2
+++ b/docker-compose/nextcloud/docker-compose.yml.j2
@@ -75,30 +75,35 @@ services: - nextcloud-redis - nextcloud-cron environment: + # redis REDIS_HOST: nextcloud-redis REDIS_HOST_PASSWORD: "{{ lookup('keepass', 'nextcloud_redis_host_password', 'password') }}" + # mysql MYSQL_DATABASE: nextcloud MYSQL_USER: nextcloud MYSQL_PASSWORD: "{{ lookup('keepass', 'nextcloud_mysql_password', 'password') }}" MYSQL_HOST: nextcloud-db + # admin + NEXTCLOUD_ADMIN_USER: n-admin + NEXTCLOUD_ADMIN_PASSWORD: "{{ lookup('keepass', 'nextcloud_admin_user_password', 'password') }}" + # misc NEXTCLOUD_TRUSTED_DOMAINS: "nextcloud.mgrote.net" - SMTP_HOST: mail-relay - #SMTP_SECURE: tls - SMTP_PORT: 25 - #SMTP_AUTHTYPE: LOGIN - SMTP_NAME: info@mgrote.net - #SMTP_PASSWORD: "{{ lookup('keepass', 'strato_smtp_password', 'password') }}" - MAIL_FROM_ADDRESS: info@mgrote.net PHP_MEMORY_LIMIT: 1024M PHP_UPLOAD_LIMIT: 10G APACHE_DISABLE_REWRITE_IP: 1 - TRUSTED_PROXIES: "192.168.48.0/24" # Subnetz in dem sich traefik befindet + TRUSTED_PROXIES: "172.18.0.0/24" # Subnetz in dem sich traefik befindet NEXTCLOUD_UPLOAD_LIMIT: 10G NEXTCLOUD_MAX_TIME: 3600 APACHE_BODY_LIMIT: 0 # unlimited, https://github.com/nextcloud/docker/issues/1796 volumes: - app:/var/www/html - data:/var/www/html/data + # hook-script nach install welches die ldap-config setzt, je einmal nach install und vor starten - ./ldap.sh:/docker-entrypoint-hooks.d/post-installation/ldap.sh - ./ldap.sh:/docker-entrypoint-hooks.d/before-starting/ldap.sh + # weitere scripte - ./misc.sh:/docker-entrypoint-hooks.d/post-installation/misc.sh - ./misc.sh:/docker-entrypoint-hooks.d/before-starting/misc.sh networks: - intern - traefik 
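Review bot: The new `TRUSTED_PROXIES: "172.18.0.0/24"` is a range from Docker's auto-assigned pool, and with `APACHE_DISABLE_REWRITE_IP: 1` Nextcloud itself decides from this list whose X-Forwarded-For it believes; if the `traefik` network (defined outside this hunk) does not pin its subnet, a re-created network can move the proxy out of — or an unrelated container into — the trusted range, so brute-force protection and IP-based logging would silently see the wrong client address. Pin it where the network is declared, e.g. `traefik: ipam: config: - subnet: "172.18.0.0/24"`, and reference that in the comment instead of the bare number. The same `ldap.sh`/`misc.sh` are mounted under both `post-installation` and `before-starting`, so every container start re-runs `app:install`, the `ldap:set-config` calls and the app enable/disable list; that is presumably intended as "converge on every start", but it should be stated in English next to the mounts (`# hooks run on first install AND on every start; scripts must stay idempotent`) since neither script guards against partial failure.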
@@ -139,10 +144,3 @@ volumes: db: app: data:
-
-######## Doku ########
-# Telefonregion
-# docker exec --user www-data nextcloud-app php occ config:system:set default_phone_region --value="DE"
-# https://help.nextcloud.com/t/nextcloud-wont-load-any-mixed-content/13565/3
-# docker exec --user www-data nextcloud-app php occ config:system:set overwriteprotocol --value="https"
-# docker exec --user www-data nextcloud-app php occ config:system:set overwrite.cli.url --value="http://nextcloud.mgrote.net"
diff --git a/docker-compose/nextcloud/ldap.sh.j2 b/docker-compose/nextcloud/ldap.sh.j2
new file mode 100644
index 00000000..18ad03c7
--- /dev/null
+++ b/docker-compose/nextcloud/ldap.sh.j2
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+# Vorraussetzungen siehe https://github.com/lldap/lldap/blob/main/example_configs/nextcloud.md
+# lldap_bind_user=nextcloud_bind_user
+# lldap_bind_user_pass="{{ lookup('keepass', 'nextcloud_lldap_bind_user_pass', 'password') }}"
+# lldap_bind_user_groups=lldap_strict_readonly
+
+php occ app:install user_ldap
+php occ app:enable user_ldap
+#php occ ldap:create-empty-config # wird nur bei komplett neuer nextcloud benötigt, legt sonst bei jedem durchlauf weitere ldap-configs an
+
+# EDIT: domain
+php occ ldap:set-config s01 ldapHost "ldap://ldap.mgrote.net."
+php occ ldap:set-config s01 ldapPort 3890
+# EDIT: admin user
+php occ ldap:set-config s01 ldapAgentName "uid=nextcloud_bind_user,ou=people,dc=mgrote,dc=net"
+# EDIT: password
+php occ ldap:set-config s01 ldapAgentPassword "{{ lookup('keepass', 'nextcloud_lldap_bind_user_pass', 'password') }}"
+# EDIT: Base DN
+php occ ldap:set-config s01 ldapBase "dc=mgrote,dc=net"
+php occ ldap:set-config s01 ldapBaseUsers "dc=mgrote,dc=net"
+php occ ldap:set-config s01 ldapBaseGroups "dc=mgrote,dc=net"
+php occ ldap:set-config s01 ldapConfigurationActive 1
+php occ ldap:set-config s01 ldapLoginFilter "(&(&(objectclass=person)(memberOf=cn=nextcloud,ou=groups,dc=mgrote,dc=net))(|(uid=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))))"
+# EDIT: nextcloud group, contains the users who can login to Nextcloud
+php occ ldap:set-config s01 ldapUserFilter "(&(objectclass=person)(memberOf=cn=nextcloud,ou=groups,dc=mgrote,dc=net))"
+php occ ldap:set-config s01 ldapUserFilterMode 0
+php occ ldap:set-config s01 ldapUserFilterObjectclass person
+php occ ldap:set-config s01 turnOnPasswordChange 0
+php occ ldap:set-config s01 ldapCacheTTL 600
+php occ ldap:set-config s01 ldapExperiencedAdmin 0
+php occ ldap:set-config s01 ldapGidNumber gidNumber
+php occ ldap:set-config s01 ldapGroupMemberAssocAttr uniqueMember
+php occ ldap:set-config s01 ldapEmailAttribute "mail"
+php occ ldap:set-config s01 ldapLoginFilterEmail 0
+php occ ldap:set-config s01 ldapLoginFilterUsername 1
+php occ ldap:set-config s01 ldapMatchingRuleInChainState unknown
+php occ ldap:set-config s01 ldapNestedGroups 0
+php occ ldap:set-config s01 ldapPagingSize 500
+php occ ldap:set-config s01 ldapTLS 0
+php occ ldap:set-config s01 ldapUserAvatarRule default
+php occ ldap:set-config s01 ldapUserDisplayName displayname
+php occ ldap:set-config s01 ldapUserFilterMode 1
+php occ ldap:set-config s01 ldapUuidGroupAttribute auto
+php occ ldap:set-config s01 ldapUuidUserAttribute auto
+php occ ldap:set-config s01 ldapExpertUsernameAttr user_id
+php occ ldap:set-config s01 ldap_mark_remnants_as_disabled 1
+
+# damit der Login über LDAP geht muss das Attribute "DisplayName" gesetzt sein!
diff --git a/docker-compose/nextcloud/mail_settings.png b/docker-compose/nextcloud/mail_settings.png
new file mode 100644
index 00000000..e1138de7
Binary files /dev/null and b/docker-compose/nextcloud/mail_settings.png differ
diff --git a/docker-compose/nextcloud/misc.sh.j2 b/docker-compose/nextcloud/misc.sh.j2
new file mode 100644
index 00000000..51446b53
--- /dev/null
+++ b/docker-compose/nextcloud/misc.sh.j2
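Review bot: `ldapTLS 0` together with `ldapHost "ldap://ldap.mgrote.net."` on port 3890 sends every bind in cleartext — the nextcloud_bind_user password set two lines below and each user's own password at every login — so unless the directory runs on the same host this should point at an LDAPS listener (`ldaps://` host, `ldapTLS 1`) or at least carry a comment stating that the path to ldap.mgrote.net is a trusted network. `php occ ldap:create-empty-config` is commented out, yet this script is also mounted as a post-installation hook where no `s01` config exists yet, so on a fresh install the `set-config s01` calls presumably fail; a guard such as `php occ ldap:show-config s01 >/dev/null 2>&1 || php occ ldap:create-empty-config` keeps the run idempotent without creating a new config on every start. `ldapUserFilterMode` is set to 0 and later to 1; the second wins, so the first line should go. Without `set -euo pipefail` a failed set-config is ignored and the container starts with a half-applied LDAP configuration.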
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Telefonregion
+php occ config:system:set default_phone_region --value="DE"
+
+# https://help.nextcloud.com/t/nextcloud-wont-load-any-mixed-content/13565/3
+php occ config:system:set overwriteprotocol --value="https"
+php occ config:system:set overwrite.cli.url --value="http://nextcloud.mgrote.net"
+
+# https://docs.nextcloud.com/server/29/admin_manual/configuration_server/background_jobs_configuration.html
+php occ config:system:set maintenance_window_start --type=integer --value=1
+
+# disable unused apps
+php occ app:disable dashboard firstrunwizard federation federatedfilesharing nextcloud_announcements recommendations circles survey_client user_status weather_status photos
+
+# enable extra apps
+php occ app:enable twofactor_totp calendar contacts checksum epubviewer dicomviewer impersonate metadata quota_warning event_update_notification
+
+# cron
+php occ background:cron
+
+# tz
+php occ config:system:set logtimezone --value="Europe/Berlin"
+
+# mail
+php occ config:system:set mail_from_address --value="nextcloud@mgrote.net"
+php occ config:system:set mail_smtpmode --value="smtp"
+php occ config:system:set mail_sendmailmode --value="smtp"
+php occ config:system:set mail_smtphost --value="mail-relay"y
+php occ config:system:set mail_smtpport --value="25"
+
+# status
+echo Status
+php occ status
+php occ user:list
+
+# adhoc: docker exec --user www-data nextcloud-app php occ config:system:set trusted_domains 2 -- value=docker10.mgrote.net
diff --git a/group_vars/ldap.yml b/group_vars/ldap.yml
index eb8db91b..219b3acb 100644
--- a/group_vars/ldap.yml
+++ b/group_vars/ldap.yml
@@ -23,6 +23,11 @@ ufw_rules: protocol: tcp comment: 'lldap' from_ip: 192.168.2.0/24 + - rule: allow to_port: "{{ lldap_http_port }}" protocol: tcp comment: 'lldap' from_ip: 10.25.0.0/24 - rule: allow to_port: 3890 protocol: tcp
diff --git a/host_vars/docker10.mgrote.net.yml b/host_vars/docker10.mgrote.net.yml
index 41929c7d..439136f6 100644
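Review bot: `php occ config:system:set mail_smtphost --value="mail-relay"y` has a stray `y` outside the quotes, which bash concatenates into the argument, so the SMTP host is stored as `mail-relayy` and every notification mail fails; the line should read `php occ config:system:set mail_smtphost --value="mail-relay"`. `overwrite.cli.url` is set to `http://nextcloud.mgrote.net` while `overwriteprotocol` is forced to `https` two lines earlier, so links generated from cron and occ (share notifications, password-reset mails) are emitted as plain http; use `--value="https://nextcloud.mgrote.net"`. `php occ user:list` runs on every container start and prints the full account list into the container log, which is broader than the status check needs — drop it or keep only `php occ status`. As in ldap.sh, there is no `set -euo pipefail`, so a failed `app:enable` or `config:system:set` goes unnoticed.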
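Review bot: The added rule opens `lldap_http_port` — lldap's web UI and admin API — to 10.25.0.0/24, while the Nextcloud integration in this same commit talks LDAP on port 3890; if the intent is the Nextcloud→lldap path, the rule should target 3890 (or the LDAPS port if TLS is enabled) rather than the HTTP port, and if that subnet genuinely needs the web UI the comment should say which network 10.25.0.0/24 is and why, e.g. `comment: 'lldap web ui from <network>'`. I cannot see what 10.25.0.0/24 is from this hunk, so treat this as a question rather than a defect. Reusing the bare `comment: 'lldap'` on every rule also makes `ufw status` indistinguishable between the UI and the LDAP listener.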
--- a/host_vars/docker10.mgrote.net.yml
+++ b/host_vars/docker10.mgrote.net.yml
@@ -32,8 +32,6 @@ cifs_mounts: ### mgrote_docker-compose-inline compose_owner: "docker-user" compose_group: "docker-user"
-compose_file_permissions: "644"
-compose_dir_permissions: "755"
compose_dest_basedir: "/docker" compose_src_basedir: "{{ inventory_dir }}/docker-compose" compose_files:
diff --git a/keepass_db.kdbx b/keepass_db.kdbx
index 7ee31d06..71bcee96 100644
Binary files a/keepass_db.kdbx and b/keepass_db.kdbx differ
diff --git a/roles/mgrote_docker_compose_inline/defaults/main.yml b/roles/mgrote_docker_compose_inline/defaults/main.yml
index d541a689..063cc566 100644
--- a/roles/mgrote_docker_compose_inline/defaults/main.yml
+++ b/roles/mgrote_docker_compose_inline/defaults/main.yml
@@ -3,7 +3,7 @@ compose_owner: "docker-user" compose_group: "docker-user" # default permissions for all files and directories
-compose_file_permissions: "644"
+compose_file_permissions: "755"
compose_dir_permissions: "755" # where to store the compose-files on the destination system compose_dest_basedir: "/docker" # without trailing "/"
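Review bot: Raising the role-wide default `compose_file_permissions` from `"644"` to `"755"` marks every rendered compose file and hook script under `/docker` executable and world-readable, and those rendered files carry the keepass secrets (DB, Redis, admin and LDAP bind passwords) in plaintext; the host_vars hunk above drops docker10's own override, so that host now inherits the broader default. The executable bit is presumably needed so the Nextcloud entrypoint runs `ldap.sh`/`misc.sh` (it appears to skip non-executable hooks), but that is a property of two scripts, not of every compose file; keep the default at `"644"` (or tighten to `"640"`) and give the scripts their own mode, e.g. `compose_script_permissions: "0750"` applied to `*.sh` by the role's copy task (not visible in this diff). One caveat to note in a comment at the variable: the hook runs inside the container as www-data, so if docker-user's uid does not match, the group/other read bits or a chown are what actually make the script runnable — state that trade-off instead of leaving `"755"` unexplained.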