redeploy nextcloud with ldap #96
8 changed files with 105 additions and 18 deletions
|
@ -75,30 +75,35 @@ services:
|
||||||
- nextcloud-redis
|
- nextcloud-redis
|
||||||
- nextcloud-cron
|
- nextcloud-cron
|
||||||
environment:
|
environment:
|
||||||
|
# redis
|
||||||
REDIS_HOST: nextcloud-redis
|
REDIS_HOST: nextcloud-redis
|
||||||
REDIS_HOST_PASSWORD: "{{ lookup('keepass', 'nextcloud_redis_host_password', 'password') }}"
|
REDIS_HOST_PASSWORD: "{{ lookup('keepass', 'nextcloud_redis_host_password', 'password') }}"
|
||||||
|
# mysql
|
||||||
MYSQL_DATABASE: nextcloud
|
MYSQL_DATABASE: nextcloud
|
||||||
MYSQL_USER: nextcloud
|
MYSQL_USER: nextcloud
|
||||||
MYSQL_PASSWORD: "{{ lookup('keepass', 'nextcloud_mysql_password', 'password') }}"
|
MYSQL_PASSWORD: "{{ lookup('keepass', 'nextcloud_mysql_password', 'password') }}"
|
||||||
MYSQL_HOST: nextcloud-db
|
MYSQL_HOST: nextcloud-db
|
||||||
|
# admin
|
||||||
|
NEXTCLOUD_ADMIN_USER: n-admin
|
||||||
|
NEXTCLOUD_ADMIN_PASSWORD: "{{ lookup('keepass', 'nextcloud_admin_user_password', 'password') }}"
|
||||||
|
# misc
|
||||||
NEXTCLOUD_TRUSTED_DOMAINS: "nextcloud.mgrote.net"
|
NEXTCLOUD_TRUSTED_DOMAINS: "nextcloud.mgrote.net"
|
||||||
SMTP_HOST: mail-relay
|
|
||||||
#SMTP_SECURE: tls
|
|
||||||
SMTP_PORT: 25
|
|
||||||
#SMTP_AUTHTYPE: LOGIN
|
|
||||||
SMTP_NAME: info@mgrote.net
|
|
||||||
#SMTP_PASSWORD: "{{ lookup('keepass', 'strato_smtp_password', 'password') }}"
|
|
||||||
MAIL_FROM_ADDRESS: info@mgrote.net
|
|
||||||
PHP_MEMORY_LIMIT: 1024M
|
PHP_MEMORY_LIMIT: 1024M
|
||||||
PHP_UPLOAD_LIMIT: 10G
|
PHP_UPLOAD_LIMIT: 10G
|
||||||
APACHE_DISABLE_REWRITE_IP: 1
|
APACHE_DISABLE_REWRITE_IP: 1
|
||||||
TRUSTED_PROXIES: "192.168.48.0/24" # Subnetz in dem sich traefik befindet
|
TRUSTED_PROXIES: "172.18.0.0/24" # Subnetz in dem sich traefik befindet
|
||||||
NEXTCLOUD_UPLOAD_LIMIT: 10G
|
NEXTCLOUD_UPLOAD_LIMIT: 10G
|
||||||
NEXTCLOUD_MAX_TIME: 3600
|
NEXTCLOUD_MAX_TIME: 3600
|
||||||
APACHE_BODY_LIMIT: 0 # unlimited, https://github.com/nextcloud/docker/issues/1796
|
APACHE_BODY_LIMIT: 0 # unlimited, https://github.com/nextcloud/docker/issues/1796
|
||||||
volumes:
|
volumes:
|
||||||
- app:/var/www/html
|
- app:/var/www/html
|
||||||
- data:/var/www/html/data
|
- data:/var/www/html/data
|
||||||
|
# hook-script nach install welches die ldap-config setzt, je einmal nach install und vor starten
|
||||||
|
- ./ldap.sh:/docker-entrypoint-hooks.d/post-installation/ldap.sh
|
||||||
|
- ./ldap.sh:/docker-entrypoint-hooks.d/before-starting/ldap.sh
|
||||||
|
# weitere scripte
|
||||||
|
- ./misc.sh:/docker-entrypoint-hooks.d/post-installation/misc.sh
|
||||||
|
- ./misc.sh:/docker-entrypoint-hooks.d/before-starting/misc.sh
|
||||||
networks:
|
networks:
|
||||||
- intern
|
- intern
|
||||||
- traefik
|
- traefik
|
||||||
|
@ -139,10 +144,3 @@ volumes:
|
||||||
db:
|
db:
|
||||||
app:
|
app:
|
||||||
data:
|
data:
|
||||||
|
|
||||||
######## Doku ########
|
|
||||||
# Telefonregion
|
|
||||||
# docker exec --user www-data nextcloud-app php occ config:system:set default_phone_region --value="DE"
|
|
||||||
# https://help.nextcloud.com/t/nextcloud-wont-load-any-mixed-content/13565/3
|
|
||||||
# docker exec --user www-data nextcloud-app php occ config:system:set overwriteprotocol --value="https"
|
|
||||||
# docker exec --user www-data nextcloud-app php occ config:system:set overwrite.cli.url --value="http://nextcloud.mgrote.net"
|
|
||||||
|
|
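Review bot: `TRUSTED_PROXIES: "172.18.0.0/24"` trusts the whole Docker subnet rather than the Traefik instance, so any container attached to that network, not only Traefik, can supply `X-Forwarded-For`/`X-Forwarded-Proto` values that Nextcloud will believe; if Traefik has a fixed address on that network, narrow the value to it (for example `TRUSTED_PROXIES: "<traefik-ip>/32"`, placeholder), otherwise make the comment say explicitly that the entire network is trusted. The new `./ldap.sh` and `./misc.sh` mounts run the hooks on `post-installation` and again on every `before-starting`, as the hook-line comment states, but `ldap.sh` carries the LDAP bind password in clear text, so its file mode on the host matters (the role defaults in this PR set every deployed file to `755`). A one-line comment on the mount would help the next reader: `# ldap.sh contains the LDAP bind password – keep its file mode restrictive`.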
49
docker-compose/nextcloud/ldap.sh.j2
Normal file
49
docker-compose/nextcloud/ldap.sh.j2
Normal file
|
@ -0,0 +1,49 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Vorraussetzungen siehe https://github.com/lldap/lldap/blob/main/example_configs/nextcloud.md
|
||||||
|
# lldap_bind_user=nextcloud_bind_user
|
||||||
|
# lldap_bind_user_pass="{{ lookup('keepass', 'nextcloud_lldap_bind_user_pass', 'password') }}"
|
||||||
|
# lldap_bind_user_groups=lldap_strict_readonly
|
||||||
|
|
||||||
|
php occ app:install user_ldap
|
||||||
|
php occ app:enable user_ldap
|
||||||
|
#php occ ldap:create-empty-config # wird nur bei komplett neuer nextcloud benötigt, legt sonst bei jedem durchlauf weitere ldap-configs an
|
||||||
|
|
||||||
|
# EDIT: domain
|
||||||
|
php occ ldap:set-config s01 ldapHost "ldap://ldap.mgrote.net."
|
||||||
|
php occ ldap:set-config s01 ldapPort 3890
|
||||||
|
# EDIT: admin user
|
||||||
|
php occ ldap:set-config s01 ldapAgentName "uid=nextcloud_bind_user,ou=people,dc=mgrote,dc=net"
|
||||||
|
# EDIT: password
|
||||||
|
php occ ldap:set-config s01 ldapAgentPassword "{{ lookup('keepass', 'nextcloud_lldap_bind_user_pass', 'password') }}"
|
||||||
|
# EDIT: Base DN
|
||||||
|
php occ ldap:set-config s01 ldapBase "dc=mgrote,dc=net"
|
||||||
|
php occ ldap:set-config s01 ldapBaseUsers "dc=mgrote,dc=net"
|
||||||
|
php occ ldap:set-config s01 ldapBaseGroups "dc=mgrote,dc=net"
|
||||||
|
php occ ldap:set-config s01 ldapConfigurationActive 1
|
||||||
|
php occ ldap:set-config s01 ldapLoginFilter "(&(&(objectclass=person)(memberOf=cn=nextcloud,ou=groups,dc=mgrote,dc=net))(|(uid=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))))"
|
||||||
|
# EDIT: nextcloud group, contains the users who can login to Nextcloud
|
||||||
|
php occ ldap:set-config s01 ldapUserFilter "(&(objectclass=person)(memberOf=cn=nextcloud,ou=groups,dc=mgrote,dc=net))"
|
||||||
|
php occ ldap:set-config s01 ldapUserFilterMode 0
|
||||||
|
php occ ldap:set-config s01 ldapUserFilterObjectclass person
|
||||||
|
php occ ldap:set-config s01 turnOnPasswordChange 0
|
||||||
|
php occ ldap:set-config s01 ldapCacheTTL 600
|
||||||
|
php occ ldap:set-config s01 ldapExperiencedAdmin 0
|
||||||
|
php occ ldap:set-config s01 ldapGidNumber gidNumber
|
||||||
|
php occ ldap:set-config s01 ldapGroupMemberAssocAttr uniqueMember
|
||||||
|
php occ ldap:set-config s01 ldapEmailAttribute "mail"
|
||||||
|
php occ ldap:set-config s01 ldapLoginFilterEmail 0
|
||||||
|
php occ ldap:set-config s01 ldapLoginFilterUsername 1
|
||||||
|
php occ ldap:set-config s01 ldapMatchingRuleInChainState unknown
|
||||||
|
php occ ldap:set-config s01 ldapNestedGroups 0
|
||||||
|
php occ ldap:set-config s01 ldapPagingSize 500
|
||||||
|
php occ ldap:set-config s01 ldapTLS 0
|
||||||
|
php occ ldap:set-config s01 ldapUserAvatarRule default
|
||||||
|
php occ ldap:set-config s01 ldapUserDisplayName displayname
|
||||||
|
php occ ldap:set-config s01 ldapUserFilterMode 1
|
||||||
|
php occ ldap:set-config s01 ldapUuidGroupAttribute auto
|
||||||
|
php occ ldap:set-config s01 ldapUuidUserAttribute auto
|
||||||
|
php occ ldap:set-config s01 ldapExpertUsernameAttr user_id
|
||||||
|
php occ ldap:set-config s01 ldap_mark_remnants_as_disabled 1
|
||||||
|
|
||||||
|
# damit der Login über LDAP geht muss das Attribute "DisplayName" gesetzt sein!
|
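Review bot: `ldapUserFilterMode` is set twice in this hunk, first to `0` and later to `1`, so the first assignment is dead and the effective mode is `1`; drop the `ldapUserFilterMode 0` line so the intended value is unambiguous. The script starts with a bare `#!/bin/bash` and no `set -euo pipefail`, so a failing `php occ app:install user_ldap` or `app:enable user_ldap` is ignored and all following `ldap:set-config s01 …` calls still run; add `set -euo pipefail` directly after the shebang. `ldapHost` uses `ldap://` on port 3890 with `ldapTLS 0`, so once the server is on another host Nextcloud binds with the `ldapAgentPassword` credential over a cleartext connection across the subnets the ufw hunk in this PR opens 3890 to; if the LDAP server supports it, `ldaps://` or `ldapTLS 1` avoids that, and if the server is deliberately plaintext-only a comment saying so would stop the next reader from flagging it again.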
BIN
docker-compose/nextcloud/mail_settings.png
Normal file
BIN
docker-compose/nextcloud/mail_settings.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 7.2 KiB |
37
docker-compose/nextcloud/misc.sh.j2
Normal file
37
docker-compose/nextcloud/misc.sh.j2
Normal file
|
@ -0,0 +1,37 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Telefonregion
|
||||||
|
php occ config:system:set default_phone_region --value="DE"
|
||||||
|
|
||||||
|
# https://help.nextcloud.com/t/nextcloud-wont-load-any-mixed-content/13565/3
|
||||||
|
php occ config:system:set overwriteprotocol --value="https"
|
||||||
|
php occ config:system:set overwrite.cli.url --value="http://nextcloud.mgrote.net"
|
||||||
|
|
||||||
|
# https://docs.nextcloud.com/server/29/admin_manual/configuration_server/background_jobs_configuration.html
|
||||||
|
php occ config:system:set maintenance_window_start --type=integer --value=1
|
||||||
|
|
||||||
|
# disable unused apps
|
||||||
|
php occ app:disable dashboard firstrunwizard federation federatedfilesharing nextcloud_announcements recommendations circles survey_client user_status weather_status photos
|
||||||
|
|
||||||
|
# enable extra apps
|
||||||
|
php occ app:enable twofactor_totp calendar contacts checksum epubviewer dicomviewer impersonate metadata quota_warning event_update_notification
|
||||||
|
|
||||||
|
# cron
|
||||||
|
php occ background:cron
|
||||||
|
|
||||||
|
# tz
|
||||||
|
php occ config:system:set logtimezone --value="Europe/Berlin"
|
||||||
|
|
||||||
|
# mail
|
||||||
|
php occ config:system:set mail_from_address --value="nextcloud@mgrote.net"
|
||||||
|
php occ config:system:set mail_smtpmode --value="smtp"
|
||||||
|
php occ config:system:set mail_sendmailmode --value="smtp"
|
||||||
|
php occ config:system:set mail_smtphost --value="mail-relay"y
|
||||||
|
php occ config:system:set mail_smtpport --value="25"
|
||||||
|
|
||||||
|
# status
|
||||||
|
echo Status
|
||||||
|
php occ status
|
||||||
|
php occ user:list
|
||||||
|
|
||||||
|
# adhoc: docker exec --user www-data nextcloud-app php occ config:system:set trusted_domains 2 -- value=docker10.mgrote.net
|
|
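Review bot: the `mail_smtphost` line has a stray `y` after the closing quote, so the shell passes `mail-relayy` and mail will not reach the relay the compose file names as `SMTP_HOST: mail-relay`; it should read `php occ config:system:set mail_smtphost --value="mail-relay"`. As in `ldap.sh.j2`, there is no `set -euo pipefail` after the shebang, so a failing `occ` call does not stop the run and later settings are applied on top of an unknown state. `overwrite.cli.url` is set to `http://nextcloud.mgrote.net` two lines after `overwriteprotocol` is forced to `https`; if the site is served over HTTPS the CLI URL presumably should match — confirm. The ad-hoc command in the trailing comment writes `-- value=`, which `occ` would not accept as the `--value` option.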
@ -23,6 +23,11 @@ ufw_rules:
|
||||||
protocol: tcp
|
protocol: tcp
|
||||||
comment: 'lldap'
|
comment: 'lldap'
|
||||||
from_ip: 192.168.2.0/24
|
from_ip: 192.168.2.0/24
|
||||||
|
- rule: allow
|
||||||
|
to_port: "{{ lldap_http_port }}"
|
||||||
|
protocol: tcp
|
||||||
|
comment: 'lldap'
|
||||||
|
from_ip: 10.25.0.0/24
|
||||||
- rule: allow
|
- rule: allow
|
||||||
to_port: 3890
|
to_port: 3890
|
||||||
protocol: tcp
|
protocol: tcp
|
||||||
|
|
|
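Review bot: the added rule reuses `comment: 'lldap'` from the rule above it, so `ufw status` will list two identical labels and it will not be obvious which one opens the web port; use a distinguishing comment such as `comment: 'lldap web ui'`. The rule opens `{{ lldap_http_port }}` to `10.25.0.0/24`; if that port serves the LLDAP web interface over plain HTTP (the variable name suggests so — confirm), admin logins from that subnet cross the network unencrypted, which is worth noting on the rule or putting a TLS front-end in front of. The enclosing `ufw_rules` list starts outside the hunk.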
@ -32,8 +32,6 @@ cifs_mounts:
|
||||||
### mgrote_docker-compose-inline
|
### mgrote_docker-compose-inline
|
||||||
compose_owner: "docker-user"
|
compose_owner: "docker-user"
|
||||||
compose_group: "docker-user"
|
compose_group: "docker-user"
|
||||||
compose_file_permissions: "644"
|
|
||||||
compose_dir_permissions: "755"
|
|
||||||
compose_dest_basedir: "/docker"
|
compose_dest_basedir: "/docker"
|
||||||
compose_src_basedir: "{{ inventory_dir }}/docker-compose"
|
compose_src_basedir: "{{ inventory_dir }}/docker-compose"
|
||||||
compose_files:
|
compose_files:
|
||||||
|
|
BIN
keepass_db.kdbx
BIN
keepass_db.kdbx
Binary file not shown.
|
@ -3,7 +3,7 @@
|
||||||
compose_owner: "docker-user"
|
compose_owner: "docker-user"
|
||||||
compose_group: "docker-user"
|
compose_group: "docker-user"
|
||||||
# default permissions for all files and directories
|
# default permissions for all files and directories
|
||||||
compose_file_permissions: "644"
|
compose_file_permissions: "755"
|
||||||
compose_dir_permissions: "755"
|
compose_dir_permissions: "755"
|
||||||
# where to store the compose-files on the destination system
|
# where to store the compose-files on the destination system
|
||||||
compose_dest_basedir: "/docker" # without trailing "/"
|
compose_dest_basedir: "/docker" # without trailing "/"
|
||||||
|
|
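Review bot: changing `compose_file_permissions` from `"644"` to `"755"` gives the execute bit to every file the role deploys, not only the two hook scripts that need it, and leaves files carrying rendered credentials (the compose file's `*_PASSWORD` values, `ldapAgentPassword` in `ldap.sh`) world-readable as before. If the role can set a per-file mode, keep the default at `"640"` and give only the `*.sh` templates `"750"`; if it cannot, `"750"` is still tighter than `"755"` since `compose_owner` and `compose_group` are both `docker-user`, provided the container user can still read the bind-mounted hooks — check that. The comment above the key should then say what the default covers: `# default permissions for all files (scripts need the execute bit; files with secrets should not be world-readable)`.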