06c2e30867
It doesn't seem like this has been causing any (major) issues, but it's better to have it be correct anyway.
405 lines
20 KiB
YAML
405 lines
20 KiB
YAML
---
|
|
|
|
nextcloud_enabled: true
|
|
|
|
nextcloud_identifier: nextcloud
|
|
|
|
nextcloud_scheme: https
|
|
|
|
# The fully-qualified name of your Nextcloud server (e.g. `nextcloud.example.com`)
|
|
nextcloud_hostname: ''
|
|
|
|
nextcloud_path_prefix: /
|
|
|
|
nextcloud_version: 27.1.4
|
|
|
|
nextcloud_uid: ''
|
|
nextcloud_gid: ''
|
|
|
|
nextcloud_systemd_required_services_list: "{{ nextcloud_systemd_required_services_list_default + nextcloud_systemd_required_services_list_auto + nextcloud_systemd_required_services_list_custom }}"
|
|
nextcloud_systemd_required_services_list_default: ['docker.service']
|
|
nextcloud_systemd_required_services_list_auto: []
|
|
nextcloud_systemd_required_services_list_custom: []
|
|
|
|
nextcloud_base_path: "{{ nextcloud_base_path }}/nextcloud"
|
|
nextcloud_config_path: "{{ nextcloud_base_path }}/config"
|
|
nextcloud_data_path: "{{ nextcloud_base_path }}/data"
|
|
nextcloud_redis_session_ini_path: "{{ nextcloud_base_path }}/redis-session.ini"
|
|
nextcloud_customized_container_src_path: "{{ nextcloud_base_path }}/customized-container-src"
|
|
|
|
# Preview generator setup
|
|
#
|
|
# Enable the variable nextcloud_preview_enabled and you are good to go.
|
|
#
|
|
# Some important aspects of usage:
|
|
# - the preview generator has two stages [according to their readme](https://github.com/nextcloud/previewgenerator)
|
|
# - a generate-all phase, which has to be executed only a single time
|
|
# - a pre-generate phase, that should be run in a cronjob.
|
|
# That runs quite fast if the generate-all phase finishd.
|
|
# We do not want to run the generate-all phase multiple times, so its execution has to be followed somehow.
|
|
# This is done by creating a file on the host side and both the task that executes generate-all
|
|
# and both the cronjob checks its existance.
|
|
#
|
|
# Multiple vaiables are also defined and the corresponding default values are also set.
|
|
# These values are based on the [upstream readme](https://github.com/nextcloud/previewgenerator) and also on experience.
|
|
# Feel free to change anything.
|
|
#
|
|
# Once installed, the playbook needs to be called with the adjust-nextcloud-config tag.
|
|
# This tag sets up the variables and calls the generate-all script, that will also create the file---signalling
|
|
# its finished state---on the host.
|
|
# *** As this may take a long time, be sure to only call it when you have time to leave it running!!! ***
|
|
# The playbook calls generate-all asynchronously, but it will timeout after about 27h.
|
|
# On 60GBs, most if images, it took about 10 minutes to finish.
|
|
# If it takes more time, you may want to start it from the host by calling
|
|
# ```sh
|
|
# /usr/bin/env docker exec mash-nextcloud-server php /var/www/html/occ preview:generate-all
|
|
# ```
|
|
#
|
|
# If the nextcloud_preview_enabled value is set back to false, the host side files are cleaned up
|
|
# and also the cron job is changed, not to call prevew generation again however, the database and generated
|
|
# previews are kept intact.
|
|
nextcloud_preview_enabled: false
|
|
nextcloud_preview_folder_name: "preview-generator"
|
|
nextcloud_preview_docker_folder: "/{{ nextcloud_preview_folder_name }}"
|
|
nextcloud_preview_host_folder: "{{ nextcloud_customized_container_src_path }}/{{ nextcloud_preview_folder_name }}"
|
|
nextcloud_preview_first_run_finished_filename: "finished-first-run.keepit"
|
|
nextcloud_preview_squareSizes: "\"64 256 1024 2048\""
|
|
nextcloud_preview_widthSizes: "\"64 256 1024 2048\""
|
|
nextcloud_preview_heightSizes: "\"64 256 1024 2048\""
|
|
nextcloud_preview_preview_max_x: 2048
|
|
nextcloud_preview_preview_max_y: 2048
|
|
nextcloud_preview_system_jpeg_quality: 60
|
|
nextcloud_preview_app_jpeg_quality: "60"
|
|
|
|
# nextcloud_container_image_customizations_enabled controls whether a customized Nextcloud image will be built.
|
|
#
|
|
# We toggle this variable to `true` when certain features which require a custom build are enabled.
|
|
# Feel free to toggle this to `true` yourself and specify build steps in `nextcloud_container_image_customizations_dockerfile_body_custom`.
|
|
#
|
|
# See:
|
|
# - `roles/nextcloud-server/templates/customizations/Dockerfile.j2`
|
|
# - `nextcloud_container_image_customizations_dockerfile_body_custom`
|
|
# - `nextcloud_container_image_customized`
|
|
# - `nextcloud_container_image_final`
|
|
nextcloud_container_image_customizations_enabled: |
|
|
{{
|
|
(
|
|
nextcloud_container_image_customizations_php_imagick_installation_enabled
|
|
or
|
|
nextcloud_container_image_customizations_samba_enabled
|
|
or
|
|
nextcloud_container_image_customizations_packages_to_install | length > 0
|
|
)
|
|
}}
|
|
|
|
# SVG support for imagick can be setup like this:
|
|
# https://docs.nextcloud.com/server/24/admin_manual/configuration_server/theming.html?highlight=libmagickcore%20q16%20extra#theming-of-icons
|
|
# However, using Imagick may have a negative effect on security, that is the reason
|
|
# behind not installing it by default. See:
|
|
# https://github.com/nextcloud/server/issues/13099
|
|
# Tread wisely!
|
|
nextcloud_container_image_customizations_php_imagick_installation_enabled: false
|
|
nextcloud_container_image_customizations_php_imagick_installation_packages: ['libmagickcore-6.q16-6-extra']
|
|
|
|
# Samba (SMB) support for Windows fileshares can be setup using the toggle below, which
|
|
# installs the smbclient package per the example here https://github.com/nextcloud/docker/blob/master/.examples/dockerfiles/smb/apache/Dockerfile
|
|
# Also see ../../templates/customizations/Dockerfile.j2
|
|
nextcloud_container_image_customizations_samba_enabled: false
|
|
nextcloud_container_image_customizations_samba_packages: ['procps', 'smbclient']
|
|
|
|
# A list of packages to install in the customized Nextcloud container image.
|
|
# To add your own, use `nextcloud_container_image_customizations_packages_to_install_custom`
|
|
nextcloud_container_image_customizations_packages_to_install: "{{ (nextcloud_container_image_customizations_packages_to_install_auto + nextcloud_container_image_customizations_packages_to_install_custom) | unique }}"
|
|
nextcloud_container_image_customizations_packages_to_install_auto: |
|
|
{{
|
|
(nextcloud_container_image_customizations_php_imageick_installation_packages if nextcloud_container_image_customizations_php_imagick_installation_enabled else [])
|
|
+
|
|
(nextcloud_container_image_customizations_samba_packages if nextcloud_container_image_customizations_samba_enabled else [])
|
|
}}
|
|
nextcloud_container_image_customizations_packages_to_install_custom: []
|
|
|
|
# nextcloud_container_image_customizations_dockerfile_body_custom contains your custom Dockerfile steps
|
|
# for building your customized Nextcloud image based on the original (upstream) image (`nextcloud_container_image`).
|
|
# A `FROM ...` clause is included automatically so you don't have to.
|
|
#
|
|
# Example:
|
|
# nextcloud_container_image_customizations_dockerfile_body_custom: |
|
|
# RUN echo 'This is a custom step for building the customized container image for Nextcloud.'
|
|
# RUN echo 'You can override nextcloud_container_image_customizations_dockerfile_body_custom to add your own steps.'
|
|
# RUN echo 'You do NOT need to include a FROM clause yourself.'
|
|
nextcloud_container_image_customizations_dockerfile_body_custom: ''
|
|
|
|
nextcloud_container_image: "{{ nextcloud_container_image_registry_prefix }}nextcloud:{{ nextcloud_container_image_tag }}"
|
|
nextcloud_container_image_tag: "{{ nextcloud_version }}-apache"
|
|
nextcloud_container_image_force_pull: "{{ nextcloud_container_image.endswith(':latest') }}"
|
|
nextcloud_container_image_registry_prefix: docker.io/
|
|
|
|
# nextcloud_container_image_customized is the name of the locally built Nextcloud image
|
|
# which adds various customizations on top of the original (upstream) Nextcloud image.
|
|
# This image will be based on the upstream `nextcloud_container_image` image, only if `nextcloud_container_image_customizations_enabled: true`.
|
|
nextcloud_container_image_customized: "localhost/nextcloud:{{ nextcloud_container_image_tag }}-customized"
|
|
|
|
# nextcloud_container_image_final holds the name of the Nextcloud image to run depending on whether or not customizations are enabled.
|
|
nextcloud_container_image_final: "{{ nextcloud_container_image_customized if nextcloud_container_image_customizations_enabled else nextcloud_container_image }}"
|
|
|
|
# A list of extra arguments to pass to the container
|
|
nextcloud_container_extra_arguments: []
|
|
|
|
# Controls whether the nextcloud-apache container's memory usage
|
|
# is limited and to what extent.
|
|
#
|
|
# When set, these options are passed to `docker run`
|
|
# as `--memory=..` and `--memory-swap=..` respectively.
|
|
#
|
|
# Expected value format is `[integer][unit]`. E.g. 100M, 1G
|
|
#
|
|
# If `nextcloud_container_memory_swap_limit` is set,
|
|
# it represents the total memory that can be used (memory + swap),
|
|
# so it must always be at least as large as `nextcloud_container_memory_limit`.
|
|
# To disable swapping, make it the same as `nextcloud_container_memory_limit`.
|
|
nextcloud_container_memory_limit: ""
|
|
nextcloud_container_memory_swap_limit: ""
|
|
|
|
# Controls whether the nextcloud-apache container exposes its HTTP port (tcp/80 in the container).
|
|
#
|
|
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:37150"), or empty string to not expose.
|
|
nextcloud_container_http_host_bind_port: ""
|
|
|
|
# nextcloud_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
|
|
# See `../templates/labels.j2` for details.
|
|
#
|
|
# To inject your own other container labels, see `nextcloud_container_labels_additional_labels`.
|
|
nextcloud_container_labels_traefik_enabled: true
|
|
nextcloud_container_labels_traefik_docker_network: ''
|
|
nextcloud_container_labels_traefik_hostname: "{{ nextcloud_hostname }}"
|
|
# The path prefix must either be `/` or not end with a slash (e.g. `/nextcloud`).
|
|
nextcloud_container_labels_traefik_path_prefix: "{{ nextcloud_path_prefix }}"
|
|
# Controls whether `/.well-known/{carddav,caldav}` will be redirected to `/remote.php/dav/`
|
|
nextcloud_container_labels_traefik_dav_redirect_regex_enabled: true
|
|
nextcloud_container_labels_traefik_rule: "Host(`{{ nextcloud_container_labels_traefik_hostname }}`){% if nextcloud_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ nextcloud_container_labels_traefik_path_prefix | quote }}`){% endif %}"
|
|
nextcloud_container_labels_traefik_priority: 0
|
|
nextcloud_container_labels_traefik_entrypoints: web-secure
|
|
nextcloud_container_labels_traefik_tls: "{{ nextcloud_container_labels_traefik_entrypoints != 'web' }}"
|
|
nextcloud_container_labels_traefik_tls_certResolver: default # noqa var-naming
|
|
|
|
# Controls which additional headers to attach to all HTTP requests.
|
|
# To add your own custom request headers, use `nextcloud_container_labels_traefik_additional_response_headers_custom`
|
|
nextcloud_container_labels_traefik_additional_request_headers: "{{ nextcloud_container_labels_traefik_additional_request_headers_auto | combine(nextcloud_container_labels_traefik_additional_request_headers_custom) }}"
|
|
nextcloud_container_labels_traefik_additional_request_headers_auto: |
|
|
{{
|
|
{}
|
|
| combine ({'Front-End-Https': 'on'} if nextcloud_scheme == 'https' else {})
|
|
}}
|
|
nextcloud_container_labels_traefik_additional_request_headers_custom: {}
|
|
|
|
# Controls which additional headers to attach to all HTTP responses.
|
|
# To add your own custom response headers, use `nextcloud_container_labels_traefik_additional_response_headers_custom`
|
|
nextcloud_container_labels_traefik_additional_response_headers: "{{ nextcloud_container_labels_traefik_additional_response_headers_auto | combine(nextcloud_container_labels_traefik_additional_response_headers_custom) }}"
|
|
nextcloud_container_labels_traefik_additional_response_headers_auto: |
|
|
{{
|
|
{}
|
|
| combine ({'X-XSS-Protection': nextcloud_http_header_xss_protection} if nextcloud_http_header_xss_protection else {})
|
|
| combine ({'X-Frame-Options': nextcloud_http_header_frame_options} if nextcloud_http_header_frame_options else {})
|
|
| combine ({'X-Content-Type-Options': nextcloud_http_header_content_type_options} if nextcloud_http_header_content_type_options else {})
|
|
| combine ({'Content-Security-Policy': nextcloud_http_header_content_security_policy} if nextcloud_http_header_content_security_policy else {})
|
|
| combine ({'Permission-Policy': nextcloud_http_header_content_permission_policy} if nextcloud_http_header_content_permission_policy else {})
|
|
| combine ({'Strict-Transport-Security': nextcloud_http_header_strict_transport_security} if nextcloud_http_header_strict_transport_security and nextcloud_container_labels_traefik_tls else {})
|
|
}}
|
|
nextcloud_container_labels_traefik_additional_response_headers_custom: {}
|
|
|
|
# A list of middlewares to add to the service.
|
|
# Add your own via the `nextcloud_container_labels_traefik_http_middlewares_custom` variable.
|
|
nextcloud_container_labels_traefik_http_middlewares: "{{ nextcloud_container_labels_traefik_http_middlewares_default + nextcloud_container_labels_traefik_http_middlewares_auto + nextcloud_container_labels_traefik_http_middlewares_custom }}"
|
|
|
|
nextcloud_container_labels_traefik_http_middlewares_default: |
|
|
{{
|
|
([{
|
|
'priority': 1000,
|
|
'name': (nextcloud_identifier + '-slashless-redirect'),
|
|
'type': 'redirectregex',
|
|
'config': {
|
|
'regex': '^(' + nextcloud_container_labels_traefik_path_prefix | quote + ')$',
|
|
'replacement': '${1}/',
|
|
},
|
|
}] if nextcloud_container_labels_traefik_path_prefix != '/' else [])
|
|
|
|
+
|
|
|
|
([{
|
|
'priority': 2000,
|
|
'name': (nextcloud_identifier + '-dav-redirectregex'),
|
|
'type': 'redirectregex',
|
|
'config': {
|
|
'permanent': 'true',
|
|
'regex': ('^' + nextcloud_scheme + '://' + nextcloud_hostname | quote + '/.well-known/(?:card|cal)dav$'),
|
|
'replacement': (nextcloud_scheme + '://' + nextcloud_hostname + '/remote.php/dav/'),
|
|
},
|
|
}] if nextcloud_container_labels_traefik_dav_redirect_regex_enabled else [])
|
|
|
|
+
|
|
|
|
([{
|
|
'priority': 3000,
|
|
'name': (nextcloud_identifier + '-strip-prefix'),
|
|
'type': 'stripprefix',
|
|
'config': {
|
|
'prefixes': nextcloud_container_labels_traefik_path_prefix,
|
|
},
|
|
}] if nextcloud_container_labels_traefik_path_prefix != '/' else [])
|
|
|
|
+
|
|
|
|
([{
|
|
'priority': 4000,
|
|
'name': (nextcloud_identifier + '-add-request-headers'),
|
|
'type': 'headers',
|
|
'config_key_prefix': 'customrequestheaders.',
|
|
'config': nextcloud_container_labels_traefik_additional_request_headers,
|
|
}] if nextcloud_container_labels_traefik_additional_request_headers.keys() | length > 0 else [])
|
|
|
|
+
|
|
|
|
([{
|
|
'priority': 5000,
|
|
'name': (nextcloud_identifier + '-add-response-headers'),
|
|
'type': 'headers',
|
|
'config_key_prefix': 'customresponseheaders.',
|
|
'config': nextcloud_container_labels_traefik_additional_response_headers,
|
|
}] if nextcloud_container_labels_traefik_additional_response_headers.keys() | length > 0 else [])
|
|
}}
|
|
|
|
nextcloud_container_labels_traefik_http_middlewares_auto: []
|
|
nextcloud_container_labels_traefik_http_middlewares_custom: []
|
|
|
|
# nextcloud_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
|
|
# See `../templates/labels.j2` for details.
|
|
#
|
|
# Example:
|
|
# nextcloud_container_labels_additional_labels: |
|
|
# my.label=1
|
|
# another.label="here"
|
|
nextcloud_container_labels_additional_labels: ''
|
|
|
|
# nextcloud_container_additional_environment_variables contains a multiline string with additional environment variables to pass to the container.
|
|
#
|
|
# Example:
|
|
# nextcloud_container_additional_environment_variables: |
|
|
# VAR=1
|
|
# ANOTHER=value
|
|
nextcloud_container_additional_environment_variables: ''
|
|
|
|
# A list of additional "mounts" to be mounted in the container.
|
|
# Contains definition objects like this:
|
|
# nextcloud_container_additional_mounts:
|
|
# - "type=bind|volume|tmpfs,source=/outside,target=/inside,readonly,bind-propagation=slave"
|
|
nextcloud_container_additional_mounts: []
|
|
|
|
nextcloud_container_network: "{{ nextcloud_identifier }}"
|
|
|
|
# A list of additional container networks that the container would be connected to.
|
|
# The playbook does not create these networks, so make sure they already exist.
|
|
nextcloud_container_additional_networks: "{{ nextcloud_container_additional_networks_auto + nextcloud_container_additional_networks_custom }}"
|
|
nextcloud_container_additional_networks_auto: []
|
|
nextcloud_container_additional_networks_custom: []
|
|
|
|
nextcloud_database_type: postgres
|
|
nextcloud_database_hostname: ''
|
|
nextcloud_database_port: 5432
|
|
nextcloud_database_name: nextcloud
|
|
nextcloud_database_username: ''
|
|
nextcloud_database_password: ''
|
|
|
|
# A list of configuration parameters for Nextcloud.
|
|
# To define your own, we advise editing `nextcloud_config_additional_parameters`.
|
|
nextcloud_config_parameters: "{{ nextcloud_config_default_parameters + nextcloud_config_additional_parameters }}"
|
|
|
|
# Default configuration parameters to apply to Nextcloud.
|
|
# To add your own additional parameters, use `nextcloud_config_additional_parameters`.
|
|
# To get rid of these defaults, redefine `nextcloud_config_default_parameters` or `nextcloud_config_parameters`.
|
|
nextcloud_config_default_parameters:
|
|
- key: overwriteprotocol
|
|
value: "https"
|
|
type: string
|
|
- key: overwrite.cli.url
|
|
value: "{{ nextcloud_url }}"
|
|
type: string
|
|
- key: overwritewebroot
|
|
value: "{{ nextcloud_path_prefix }}"
|
|
type: string
|
|
- key: htaccess.RewriteBase
|
|
value: "{{ nextcloud_path_prefix }}"
|
|
type: string
|
|
|
|
# Add your custom Nextcloud configuration parameters here.
|
|
#
|
|
# Example:
|
|
# nextcloud_config_additional_parameters:
|
|
# - key: mail_smtphost
|
|
# value: smtp.example.com
|
|
# type: string
|
|
nextcloud_config_additional_parameters: []
|
|
|
|
# nextcloud_cron_schedule contains a systemd OnCalendar definition which controls how often `cron.timer` runs
|
|
# The default value means 'every 15 minutes'.
|
|
# Learn more here: https://man.archlinux.org/man/systemd.time.7
|
|
nextcloud_cron_schedule: '*:0/15:0'
|
|
|
|
# Specifies the value of the `X-XSS-Protection` header
|
|
# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
|
|
#
|
|
# Learn more about it is here:
|
|
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
|
|
# - https://portswigger.net/web-security/cross-site-scripting/reflected
|
|
nextcloud_http_header_xss_protection: "1; mode=block"
|
|
|
|
# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
|
|
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
|
|
nextcloud_http_header_frame_options: SAMEORIGIN
|
|
|
|
# Specifies the value of the `X-Content-Type-Options` header.
|
|
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
|
|
nextcloud_http_header_content_type_options: nosniff
|
|
|
|
# Specifies the value of the `Content-Security-Policy` header.
|
|
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
|
|
nextcloud_http_header_content_security_policy: frame-ancestors 'self'
|
|
|
|
# Specifies the value of the `Permission-Policy` header.
|
|
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy
|
|
nextcloud_http_header_content_permission_policy: "{{ 'interest-cohort=()' if nextcloud_floc_optout_enabled else '' }}"
|
|
|
|
# Specifies the value of the `Strict-Transport-Security` header.
|
|
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
|
|
nextcloud_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if nextcloud_hsts_preload_enabled else '' }}"
|
|
|
|
# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses
|
|
#
|
|
# Learn more about what it is here:
|
|
# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
|
|
# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
|
|
# - https://amifloced.org/
|
|
#
|
|
# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
|
|
# See: `nextcloud_content_permission_policy`
|
|
nextcloud_floc_optout_enabled: true
|
|
|
|
# Controls if HSTS preloading is enabled
|
|
#
|
|
# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and
|
|
# indicates a willingness to be "preloaded" into browsers:
|
|
# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
|
|
# For more information visit:
|
|
# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
|
|
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
|
|
# - https://hstspreload.org/#opt-in
|
|
# See: `nextcloud_http_header_strict_transport_security`
|
|
nextcloud_hsts_preload_enabled: false
|
|
|
|
# Collabora Online integration.
|
|
# See the `collabora-online` role.
|
|
nextcloud_collabora_app_wopi_url: ''
|
|
nextcloud_collabora_app_wopi_allowlist: '10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16'
|
|
|
|
# Redis intergration.
|
|
nextcloud_redis_hostname: ''
|
|
nextcloud_redis_port: 6379
|