2023-03-17 10:34:15 +01:00
---
nextcloud_enabled : true
nextcloud_identifier : nextcloud
nextcloud_scheme : https
# The fully-qualified name of your Nextcloud server (e.g. `nextcloud.example.com`)
nextcloud_hostname : ''
nextcloud_path_prefix : /
2023-11-21 15:25:02 +01:00
nextcloud_version : 27.1 .3
2023-03-17 10:34:15 +01:00
nextcloud_uid : ''
nextcloud_gid : ''
2023-03-29 13:12:41 +02:00
nextcloud_systemd_required_services_list : "{{ nextcloud_systemd_required_services_list_default + nextcloud_systemd_required_services_list_auto + nextcloud_systemd_required_services_list_custom }}"
nextcloud_systemd_required_services_list_default : [ 'docker.service' ]
nextcloud_systemd_required_services_list_auto : [ ]
nextcloud_systemd_required_services_list_custom : [ ]
2023-03-17 10:34:15 +01:00
nextcloud_base_path : "{{ nextcloud_base_path }}/nextcloud"
nextcloud_config_path : "{{ nextcloud_base_path }}/config"
nextcloud_data_path : "{{ nextcloud_base_path }}/data"
2023-04-03 09:19:13 +02:00
nextcloud_redis_session_ini_path : "{{ nextcloud_base_path }}/redis-session.ini"
2023-03-17 10:34:15 +01:00
nextcloud_customized_container_src_path : "{{ nextcloud_base_path }}/customized-container-src"
# SVG support for imagick can be setup like this:
# https://docs.nextcloud.com/server/24/admin_manual/configuration_server/theming.html?highlight=libmagickcore%20q16%20extra#theming-of-icons
# However, using Imagick may have a negative effect on security, that is the reason
# behind not installing it by default. See:
# https://github.com/nextcloud/server/issues/13099
# Tread wisely!
nextcloud_container_image_customizations_php_imageick_installation_enabled : false
nextcloud_container_image_customizations_php_imageick_installation_package : "libmagickcore-6.q16-6-extra"
Preview generator setup (#7)
* Preview generator setup
Enable the variable nextcloud_preview_enabled and you are good to go.
Some important aspects of usage:
- the preview generator has two stages [according to their readme](https://github.com/nextcloud/previewgenerator)
- a generate-all phase, which has to be executed only a single time
- a pre-generate phase, that should be run in a cronjob.
That runs quite fast if the generate-all phase finishd.
We do not want to run the generate-all phase multiple times, so its execution has to be followed somehow.
This is done by creating a file on the host side and both the task that executes generate-all
and both the cronjob checks its existance.
Multiple vaiables are also defined and the corresponding default values are also set.
These values are based on the [upstream readme](https://github.com/nextcloud/previewgenerator) and also on experience.
Feel free to change anything.
Once installed, the playbook needs to be called with the adjust-nextcloud-config tag.
This tag sets up the variables and calls the generate-all script, that will also create the file---signalling
its finished state---on the host.
*** As this may take a long time, be sure to only call it when you have time to leave it running!!! ***
The playbook calls generate-all asynchronously, but it will timeout after about 27h.
On 60GBs, most if images, it took about 10 minutes to finish.
If it takes more time, you may want to start it from the host by calling
```sh
/usr/bin/env docker exec mash-nextcloud-server php /var/www/html/occ preview:generate-all
```
If the nextcloud_preview_enabled value is set back to false, the host side files are cleaned up
and also the cron job is changed, not to call prevew generation again however, the database and generated
previews are kept intact.
* fix playbook format suggestions by Slavi (see conversation in !7)
2023-09-16 09:01:20 +02:00
# Preview generator setup
#
# Enable the variable nextcloud_preview_enabled and you are good to go.
#
# Some important aspects of usage:
# - the preview generator has two stages [according to their readme](https://github.com/nextcloud/previewgenerator)
# - a generate-all phase, which has to be executed only a single time
# - a pre-generate phase, that should be run in a cronjob.
# That runs quite fast if the generate-all phase finishd.
# We do not want to run the generate-all phase multiple times, so its execution has to be followed somehow.
# This is done by creating a file on the host side and both the task that executes generate-all
# and both the cronjob checks its existance.
#
# Multiple vaiables are also defined and the corresponding default values are also set.
# These values are based on the [upstream readme](https://github.com/nextcloud/previewgenerator) and also on experience.
# Feel free to change anything.
#
# Once installed, the playbook needs to be called with the adjust-nextcloud-config tag.
# This tag sets up the variables and calls the generate-all script, that will also create the file---signalling
# its finished state---on the host.
# *** As this may take a long time, be sure to only call it when you have time to leave it running!!! ***
# The playbook calls generate-all asynchronously, but it will timeout after about 27h.
# On 60GBs, most if images, it took about 10 minutes to finish.
# If it takes more time, you may want to start it from the host by calling
# ```sh
# /usr/bin/env docker exec mash-nextcloud-server php /var/www/html/occ preview:generate-all
# ```
#
# If the nextcloud_preview_enabled value is set back to false, the host side files are cleaned up
# and also the cron job is changed, not to call prevew generation again however, the database and generated
# previews are kept intact.
nextcloud_preview_enabled : false
nextcloud_preview_folder_name : "preview-generator"
nextcloud_preview_docker_folder : "/{{ nextcloud_preview_folder_name }}"
nextcloud_preview_host_folder : "{{ nextcloud_customized_container_src_path }}/{{ nextcloud_preview_folder_name }}"
nextcloud_preview_first_run_finished_filename : "finished-first-run.keepit"
nextcloud_preview_squareSizes : "\"64 256 1024 2048\""
nextcloud_preview_widthSizes : "\"64 256 1024 2048\""
nextcloud_preview_heightSizes : "\"64 256 1024 2048\""
nextcloud_preview_preview_max_x : 2048
nextcloud_preview_preview_max_y : 2048
nextcloud_preview_system_jpeg_quality : 60
nextcloud_preview_app_jpeg_quality : "60"
2023-03-17 10:34:15 +01:00
# nextcloud_container_image_customizations_enabled controls whether a customized Nextcloud image will be built.
#
# We toggle this variable to `true` when certain features which require a custom build are enabled.
# Feel free to toggle this to `true` yourself and specify build steps in `nextcloud_container_image_customizations_dockerfile_body_custom`.
#
# See:
# - `roles/nextcloud-server/templates/customizations/Dockerfile.j2`
# - `nextcloud_container_image_customizations_dockerfile_body_custom`
# - `nextcloud_container_image_customized`
# - `nextcloud_container_image_final`
nextcloud_container_image_customizations_enabled : "{{ nextcloud_container_image_customizations_php_imageick_installation_enabled }}"
# nextcloud_container_image_customizations_dockerfile_body_custom contains your custom Dockerfile steps
# for building your customized Nextcloud image based on the original (upstream) image (`nextcloud_container_image`).
# A `FROM ...` clause is included automatically so you don't have to.
#
# Example:
# nextcloud_container_image_customizations_dockerfile_body_custom: |
# RUN echo 'This is a custom step for building the customized container image for Nextcloud.'
# RUN echo 'You can override nextcloud_container_image_customizations_dockerfile_body_custom to add your own steps.'
# RUN echo 'You do NOT need to include a FROM clause yourself.'
nextcloud_container_image_customizations_dockerfile_body_custom : ''
nextcloud_container_image : "{{ nextcloud_container_image_registry_prefix }}nextcloud:{{ nextcloud_container_image_tag }}"
nextcloud_container_image_tag : "{{ nextcloud_version }}-apache"
nextcloud_container_image_force_pull : "{{ nextcloud_container_image.endswith(':latest') }}"
nextcloud_container_image_registry_prefix : docker.io/
# nextcloud_container_image_customized is the name of the locally built Nextcloud image
# which adds various customizations on top of the original (upstream) Nextcloud image.
# This image will be based on the upstream `nextcloud_container_image` image, only if `nextcloud_container_image_customizations_enabled: true`.
nextcloud_container_image_customized : "localhost/nextcloud:{{ nextcloud_container_image_tag }}-customized"
# nextcloud_container_image_final holds the name of the Nextcloud image to run depending on whether or not customizations are enabled.
nextcloud_container_image_final : "{{ nextcloud_container_image_customized if nextcloud_container_image_customizations_enabled else nextcloud_container_image }} "
# A list of extra arguments to pass to the container
nextcloud_container_extra_arguments : [ ]
# Controls whether the nextcloud-apache container's memory usage
# is limited and to what extent.
#
# When set, these options are passed to `docker run`
# as `--memory=..` and `--memory-swap=..` respectively.
#
# Expected value format is `[integer][unit]`. E.g. 100M, 1G
#
# If `nextcloud_container_memory_swap_limit` is set,
# it represents the total memory that can be used (memory + swap),
# so it must always be at least as large as `nextcloud_container_memory_limit`.
# To disable swapping, make it the same as `nextcloud_container_memory_limit`.
nextcloud_container_memory_limit : ""
nextcloud_container_memory_swap_limit : ""
# Controls whether the nextcloud-apache container exposes its HTTP port (tcp/80 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:37150"), or empty string to not expose.
nextcloud_container_http_host_bind_port : ""
# nextcloud_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
# See `../templates/labels.j2` for details.
#
# To inject your own other container labels, see `nextcloud_container_labels_additional_labels`.
nextcloud_container_labels_traefik_enabled : true
nextcloud_container_labels_traefik_docker_network : ''
nextcloud_container_labels_traefik_hostname : "{{ nextcloud_hostname }}"
# The path prefix must either be `/` or not end with a slash (e.g. `/nextcloud`).
nextcloud_container_labels_traefik_path_prefix : "{{ nextcloud_path_prefix }}"
# Controls whether `/.well-known/{carddav,caldav}` will be redirected to `/remote.php/dav/`
nextcloud_container_labels_traefik_dav_redirect_regex_enabled : true
nextcloud_container_labels_traefik_rule : "Host(`{{ nextcloud_container_labels_traefik_hostname }}`){% if nextcloud_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ nextcloud_container_labels_traefik_path_prefix | quote }}`){% endif %}"
nextcloud_container_labels_traefik_priority : 0
nextcloud_container_labels_traefik_entrypoints : web-secure
nextcloud_container_labels_traefik_tls : "{{ nextcloud_container_labels_traefik_entrypoints != 'web' }}"
nextcloud_container_labels_traefik_tls_certResolver : default # noqa var-naming
# Controls which additional headers to attach to all HTTP requests.
# To add your own custom request headers, use `nextcloud_container_labels_traefik_additional_response_headers_custom`
nextcloud_container_labels_traefik_additional_request_headers : "{{ nextcloud_container_labels_traefik_additional_request_headers_auto | combine(nextcloud_container_labels_traefik_additional_request_headers_custom) }}"
nextcloud_container_labels_traefik_additional_request_headers_auto : |
{{
{}
| combine ({'Front-End-Https': 'on'} if nextcloud_scheme == 'https' else {})
}}
nextcloud_container_labels_traefik_additional_request_headers_custom : {}
# Controls which additional headers to attach to all HTTP responses.
# To add your own custom response headers, use `nextcloud_container_labels_traefik_additional_response_headers_custom`
nextcloud_container_labels_traefik_additional_response_headers : "{{ nextcloud_container_labels_traefik_additional_response_headers_auto | combine(nextcloud_container_labels_traefik_additional_response_headers_custom) }}"
nextcloud_container_labels_traefik_additional_response_headers_auto : |
{{
{}
| combine ({'X-XSS-Protection': nextcloud_http_header_xss_protection} if nextcloud_http_header_xss_protection else {})
| combine ({'X-Frame-Options': nextcloud_http_header_frame_options} if nextcloud_http_header_frame_options else {})
| combine ({'X-Content-Type-Options': nextcloud_http_header_content_type_options} if nextcloud_http_header_content_type_options else {})
| combine ({'Content-Security-Policy': nextcloud_http_header_content_security_policy} if nextcloud_http_header_content_security_policy else {})
| combine ({'Permission-Policy': nextcloud_http_header_content_permission_policy} if nextcloud_http_header_content_permission_policy else {})
| combine ({'Strict-Transport-Security': nextcloud_http_header_strict_transport_security} if nextcloud_http_header_strict_transport_security and nextcloud_container_labels_traefik_tls else {})
}}
nextcloud_container_labels_traefik_additional_response_headers_custom : {}
2023-11-21 15:23:48 +01:00
# A list of middlewares to add to the service.
# Add your own via the `nextcloud_container_labels_traefik_http_middlewares_custom` variable.
nextcloud_container_labels_traefik_http_middlewares : "{{ nextcloud_container_labels_traefik_http_middlewares_default + nextcloud_container_labels_traefik_http_middlewares_auto + nextcloud_container_labels_traefik_http_middlewares_custom }}"
nextcloud_container_labels_traefik_http_middlewares_default : |
{{
([{
'priority' : 1000 ,
'name' : (nextcloud_identifier + '-slashless-redirect'),
'type' : 'redirectregex' ,
'config' : {
'regex' : '^(' + nextcloud_container_labels_traefik_path_prefix | quote + ')$',
'replacement' : '${1}/' ,
},
}] if nextcloud_container_labels_traefik_path_prefix != '/' else [])
+
([{
'priority' : 2000 ,
'name' : (nextcloud_identifier + '-dav-redirectregex'),
'type' : 'redirectregex' ,
'config' : {
'permanent' : 'true' ,
'regex' : ('^' + nextcloud_scheme + '://' + nextcloud_hostname | quote + '/.well-known/(?:card|cal)dav$'),
'replacement' : (nextcloud_scheme + '://' + nextcloud_hostname + '/remote.php/dav/'),
},
}] if nextcloud_container_labels_traefik_dav_redirect_regex_enabled else [])
+
([{
'priority' : 3000 ,
'name' : (nextcloud_identifier + '-strip-prefix'),
'type' : 'stripprefix' ,
'config' : {
'prefixes' : nextcloud_container_labels_traefik_path_prefix,
},
}] if nextcloud_container_labels_traefik_path_prefix != '/' else [])
+
([{
'priority' : 4000 ,
'name' : (nextcloud_identifier + '-add-request-headers'),
'type' : 'headers' ,
'config_key_prefix' : 'customrequestheaders.' ,
'config' : nextcloud_container_labels_traefik_additional_request_headers,
}] if nextcloud_container_labels_traefik_additional_request_headers.keys() | length > 0 else [])
+
([{
'priority' : 5000 ,
'name' : (nextcloud_identifier + '-add-response-headers'),
'type' : 'headers' ,
'config_key_prefix' : 'customresponseheaders.' ,
'config' : nextcloud_container_labels_traefik_additional_response_headers,
}] if nextcloud_container_labels_traefik_additional_response_headers.keys() | length > 0 else [])
}}
nextcloud_container_labels_traefik_http_middlewares_auto : [ ]
nextcloud_container_labels_traefik_http_middlewares_custom : [ ]
2023-03-17 10:34:15 +01:00
# nextcloud_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
# See `roles/custom/nextcloud/templates/labels.j2` for details.
#
# Example:
# nextcloud_container_labels_additional_labels: |
# my.label=1
# another.label="here"
nextcloud_container_labels_additional_labels : ''
# nextcloud_container_additional_environment_variables contains a multiline string with additional environment variables to pass to the container.
#
# Example:
# nextcloud_container_additional_environment_variables: |
# VAR=1
# ANOTHER=value
nextcloud_container_additional_environment_variables : ''
# A list of additional "mounts" to be mounted in the container.
# Contains definition objects like this:
# nextcloud_container_additional_mounts:
# - "type=bind|volume|tmpfs,source=/outside,target=/inside,readonly,bind-propagation=slave"
nextcloud_container_additional_mounts : [ ]
nextcloud_container_network : "{{ nextcloud_identifier }}"
# A list of additional container networks that the container would be connected to.
# The playbook does not create these networks, so make sure they already exist.
2023-03-29 13:12:41 +02:00
nextcloud_container_additional_networks : "{{ nextcloud_container_additional_networks_auto + nextcloud_container_additional_networks_custom }}"
nextcloud_container_additional_networks_auto : [ ]
nextcloud_container_additional_networks_custom : [ ]
2023-03-17 10:34:15 +01:00
nextcloud_database_type : postgres
nextcloud_database_hostname : ''
nextcloud_database_port : 5432
nextcloud_database_name : nextcloud
nextcloud_database_username : ''
nextcloud_database_password : ''
# A list of configuration parameters for Nextcloud.
# To define your own, we advise editing `nextcloud_config_additional_parameters`.
nextcloud_config_parameters : "{{ nextcloud_config_default_parameters + nextcloud_config_additional_parameters }}"
# Default configuration parameters to apply to Nextcloud.
# To add your own additional parameters, use `nextcloud_config_additional_parameters`.
# To get rid of these defaults, redefine `nextcloud_config_default_parameters` or `nextcloud_config_parameters`.
nextcloud_config_default_parameters :
- key : overwriteprotocol
value : "https"
type : string
- key : overwrite.cli.url
value : "{{ nextcloud_url }}"
type : string
- key : overwritewebroot
value : "{{ nextcloud_path_prefix }}"
type : string
- key : htaccess.RewriteBase
value : "{{ nextcloud_path_prefix }}"
type : string
# Add your custom Nextcloud configuration parameters here.
#
# Example:
# nextcloud_config_additional_parameters:
# - key: mail_smtphost
# value: smtp.example.com
# type: string
nextcloud_config_additional_parameters : [ ]
# nextcloud_cron_schedule contains a systemd OnCalendar definition which controls how often `cron.timer` runs
# The default value means 'every 15 minutes'.
# Learn more here: https://man.archlinux.org/man/systemd.time.7
nextcloud_cron_schedule : '*:0/15:0'
# Specifies the value of the `X-XSS-Protection` header
# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
#
# Learn more about it is here:
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
# - https://portswigger.net/web-security/cross-site-scripting/reflected
nextcloud_http_header_xss_protection : "1; mode=block"
# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
nextcloud_http_header_frame_options : SAMEORIGIN
# Specifies the value of the `X-Content-Type-Options` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
nextcloud_http_header_content_type_options : nosniff
# Specifies the value of the `Content-Security-Policy` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
nextcloud_http_header_content_security_policy : frame-ancestors 'self'
# Specifies the value of the `Permission-Policy` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy
nextcloud_http_header_content_permission_policy : "{{ 'interest-cohort=()' if nextcloud_floc_optout_enabled else '' }}"
# Specifies the value of the `Strict-Transport-Security` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
nextcloud_http_header_strict_transport_security : "max-age=31536000; includeSubDomains{{ '; preload' if nextcloud_hsts_preload_enabled else '' }}"
# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses
#
# Learn more about what it is here:
# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
# - https://amifloced.org/
#
# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
# See: `nextcloud_content_permission_policy`
nextcloud_floc_optout_enabled : true
# Controls if HSTS preloading is enabled
#
# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and
# indicates a willingness to be "preloaded" into browsers:
# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
# For more information visit:
# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
# - https://hstspreload.org/#opt-in
# See: `nextcloud_http_header_strict_transport_security`
nextcloud_hsts_preload_enabled : false
2023-03-17 12:51:45 +01:00
# Collabora Online integration.
# See the `collabora-online` role.
nextcloud_collabora_app_wopi_url : ''
nextcloud_collabora_app_wopi_allowlist : '10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16'
2023-03-25 15:46:17 +01:00
# Redis intergration.
nextcloud_redis_hostname : ''
nextcloud_redis_port : 6379