redeploy nextcloud with ldap (#96)

Reviewed-on: #96

docker-compose/nextcloud/docker-compose.yml.j2

@@ -75,30 +75,35 @@ services:
       - nextcloud-redis
       - nextcloud-cron
     environment:
+        # redis
         REDIS_HOST: nextcloud-redis
         REDIS_HOST_PASSWORD: "{{ lookup('keepass', 'nextcloud_redis_host_password', 'password') }}"
+        # mysql
         MYSQL_DATABASE: nextcloud
         MYSQL_USER: nextcloud
         MYSQL_PASSWORD: "{{ lookup('keepass', 'nextcloud_mysql_password', 'password') }}"
         MYSQL_HOST: nextcloud-db
+        # admin
+        NEXTCLOUD_ADMIN_USER: n-admin
+        NEXTCLOUD_ADMIN_PASSWORD: "{{ lookup('keepass', 'nextcloud_admin_user_password', 'password') }}"
+        # misc
         NEXTCLOUD_TRUSTED_DOMAINS: "nextcloud.mgrote.net"
-        SMTP_HOST: mail-relay
-        #SMTP_SECURE: tls
-        SMTP_PORT: 25
-        #SMTP_AUTHTYPE: LOGIN
-        SMTP_NAME: info@mgrote.net
-        #SMTP_PASSWORD: "{{ lookup('keepass', 'strato_smtp_password', 'password') }}"
-        MAIL_FROM_ADDRESS: info@mgrote.net
         PHP_MEMORY_LIMIT: 1024M
         PHP_UPLOAD_LIMIT: 10G
         APACHE_DISABLE_REWRITE_IP: 1
-        TRUSTED_PROXIES: "192.168.48.0/24" # Subnetz in dem sich traefik befindet
+        TRUSTED_PROXIES: "172.18.0.0/24" # Subnetz in dem sich traefik befindet
         NEXTCLOUD_UPLOAD_LIMIT: 10G
         NEXTCLOUD_MAX_TIME: 3600
         APACHE_BODY_LIMIT: 0 # unlimited, https://github.com/nextcloud/docker/issues/1796
     volumes:
       - app:/var/www/html
       - data:/var/www/html/data
+      # hook-script nach install welches die ldap-config setzt, je einmal nach install und vor starten
+      - ./ldap.sh:/docker-entrypoint-hooks.d/post-installation/ldap.sh
+      - ./ldap.sh:/docker-entrypoint-hooks.d/before-starting/ldap.sh
+      # weitere scripte
+      - ./misc.sh:/docker-entrypoint-hooks.d/post-installation/misc.sh
+      - ./misc.sh:/docker-entrypoint-hooks.d/before-starting/misc.sh
     networks:
       - intern
       - traefik
@@ -139,10 +144,3 @@ volumes:
   db:
   app:
   data:
-
-######## Doku ########
-# Telefonregion
-# docker exec --user www-data nextcloud-app php occ config:system:set default_phone_region --value="DE"
-# https://help.nextcloud.com/t/nextcloud-wont-load-any-mixed-content/13565/3
-# docker exec --user www-data nextcloud-app php occ config:system:set overwriteprotocol --value="https"
-# docker exec --user www-data nextcloud-app php occ config:system:set overwrite.cli.url --value="http://nextcloud.mgrote.net"

docker-compose/nextcloud/ldap.sh.j2

@@ -0,0 +1,49 @@
+#!/bin/bash
+
+# Vorraussetzungen siehe https://github.com/lldap/lldap/blob/main/example_configs/nextcloud.md
+# lldap_bind_user=nextcloud_bind_user
+# lldap_bind_user_pass="{{ lookup('keepass', 'nextcloud_lldap_bind_user_pass', 'password') }}"
+# lldap_bind_user_groups=lldap_strict_readonly
+
+php occ app:install user_ldap
+php occ app:enable user_ldap
+#php occ ldap:create-empty-config # wird nur bei komplett neuer nextcloud benötigt, legt sonst bei jedem durchlauf weitere ldap-configs an
+
+# EDIT: domain
+php occ ldap:set-config s01 ldapHost "ldap://ldap.mgrote.net."
+php occ ldap:set-config s01 ldapPort 3890
+# EDIT: admin user
+php occ ldap:set-config s01 ldapAgentName "uid=nextcloud_bind_user,ou=people,dc=mgrote,dc=net"
+# EDIT: password
+php occ ldap:set-config s01 ldapAgentPassword "{{ lookup('keepass', 'nextcloud_lldap_bind_user_pass', 'password') }}"
+# EDIT: Base DN
+php occ ldap:set-config s01 ldapBase "dc=mgrote,dc=net"
+php occ ldap:set-config s01 ldapBaseUsers "dc=mgrote,dc=net"
+php occ ldap:set-config s01 ldapBaseGroups "dc=mgrote,dc=net"
+php occ ldap:set-config s01 ldapConfigurationActive 1
+php occ ldap:set-config s01 ldapLoginFilter "(&(&(objectclass=person)(memberOf=cn=nextcloud,ou=groups,dc=mgrote,dc=net))(|(uid=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))))"
+# EDIT: nextcloud group, contains the users who can login to Nextcloud
+php occ ldap:set-config s01 ldapUserFilter "(&(objectclass=person)(memberOf=cn=nextcloud,ou=groups,dc=mgrote,dc=net))"
+php occ ldap:set-config s01 ldapUserFilterMode 0
+php occ ldap:set-config s01 ldapUserFilterObjectclass person
+php occ ldap:set-config s01 turnOnPasswordChange 0
+php occ ldap:set-config s01 ldapCacheTTL 600
+php occ ldap:set-config s01 ldapExperiencedAdmin 0
+php occ ldap:set-config s01 ldapGidNumber gidNumber
+php occ ldap:set-config s01 ldapGroupMemberAssocAttr uniqueMember
+php occ ldap:set-config s01 ldapEmailAttribute "mail"
+php occ ldap:set-config s01 ldapLoginFilterEmail 0
+php occ ldap:set-config s01 ldapLoginFilterUsername 1
+php occ ldap:set-config s01 ldapMatchingRuleInChainState unknown
+php occ ldap:set-config s01 ldapNestedGroups 0
+php occ ldap:set-config s01 ldapPagingSize 500
+php occ ldap:set-config s01 ldapTLS 0
+php occ ldap:set-config s01 ldapUserAvatarRule default
+php occ ldap:set-config s01 ldapUserDisplayName displayname
+php occ ldap:set-config s01 ldapUserFilterMode 1
+php occ ldap:set-config s01 ldapUuidGroupAttribute auto
+php occ ldap:set-config s01 ldapUuidUserAttribute auto
+php occ ldap:set-config s01 ldapExpertUsernameAttr user_id
+php occ ldap:set-config s01 ldap_mark_remnants_as_disabled 1
+
+# damit der Login über LDAP geht muss das Attribute "DisplayName" gesetzt sein!

docker-compose/nextcloud/misc.sh.j2

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Telefonregion
+php occ config:system:set default_phone_region --value="DE"
+
+# https://help.nextcloud.com/t/nextcloud-wont-load-any-mixed-content/13565/3
+php occ config:system:set overwriteprotocol --value="https"
+php occ config:system:set overwrite.cli.url --value="http://nextcloud.mgrote.net"
+
+# https://docs.nextcloud.com/server/29/admin_manual/configuration_server/background_jobs_configuration.html
+php occ config:system:set maintenance_window_start --type=integer --value=1
+
+# disable unused apps
+php occ app:disable dashboard firstrunwizard federation federatedfilesharing nextcloud_announcements recommendations circles survey_client user_status weather_status photos
+
+# enable extra apps
+php occ app:enable twofactor_totp calendar contacts checksum epubviewer dicomviewer impersonate metadata quota_warning event_update_notification
+
+# cron
+php occ background:cron
+
+# tz
+php occ config:system:set logtimezone --value="Europe/Berlin"
+
+# mail
+php occ config:system:set mail_from_address --value="nextcloud@mgrote.net"
+php occ config:system:set mail_smtpmode --value="smtp"
+php occ config:system:set mail_sendmailmode --value="smtp"
+php occ config:system:set mail_smtphost --value="mail-relay"y
+php occ config:system:set mail_smtpport --value="25"
+
+# status
+echo Status
+php occ status
+php occ user:list
+
+# adhoc: docker exec --user www-data nextcloud-app php occ config:system:set trusted_domains 2 -- value=docker10.mgrote.net

group_vars/ldap.yml

@@ -23,6 +23,11 @@ ufw_rules:
     protocol: tcp
     comment: 'lldap'
     from_ip: 192.168.2.0/24
+  - rule: allow
+    to_port: "{{ lldap_http_port }}"
+    protocol: tcp
+    comment: 'lldap'
+    from_ip: 10.25.0.0/24
   - rule: allow
     to_port: 3890
     protocol: tcp

host_vars/docker10.mgrote.net.yml

@@ -32,8 +32,6 @@ cifs_mounts:
 ### mgrote_docker-compose-inline
 compose_owner: "docker-user"
 compose_group: "docker-user"
-compose_file_permissions: "644"
-compose_dir_permissions: "755"
 compose_dest_basedir: "/docker"
 compose_src_basedir: "{{ inventory_dir }}/docker-compose"
 compose_files:

roles/mgrote_docker_compose_inline/defaults/main.yml

@@ -3,7 +3,7 @@
 compose_owner: "docker-user"
 compose_group: "docker-user"
 # default permissions for all files and directories
-compose_file_permissions: "644"
+compose_file_permissions: "755"
 compose_dir_permissions: "755"
 # where to store the compose-files on the destination system
 compose_dest_basedir: "/docker" # without trailing "/"