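---
# Default variables for the Nextcloud server role.
#
# Every value below can be overridden from your inventory. Values written as
# `"{{ ... }}"` are derived from other variables and follow whatever you override.

nextcloud_enabled: true

# Used to derive the container network name and the Traefik middleware names below.
nextcloud_identifier: nextcloud

# Public scheme Nextcloud is reached on. Also drives the `Front-End-Https` request
# header, the `overwriteprotocol` config parameter and the DAV redirect regex below.
nextcloud_scheme: https

# The fully-qualified name of your Nextcloud server (e.g. `nextcloud.example.com`)
nextcloud_hostname: ''

# Path at which Nextcloud is served. Must either be `/` or not end with a slash (e.g. `/nextcloud`).
nextcloud_path_prefix: /

# Quoted so that YAML never reads a version like `27.10` as the float `27.1`.
nextcloud_version: "27.1.4"

nextcloud_uid: ''
nextcloud_gid: ''

nextcloud_systemd_required_services_list: "{{ nextcloud_systemd_required_services_list_default + nextcloud_systemd_required_services_list_auto + nextcloud_systemd_required_services_list_custom }}"
nextcloud_systemd_required_services_list_default: ['docker.service']
nextcloud_systemd_required_services_list_auto: []
nextcloud_systemd_required_services_list_custom: []

# NOTE(review): this value references itself, which Ansible rejects as a recursive
# template loop at runtime. Confirm which parent base-path variable was intended here.
nextcloud_base_path: "{{ nextcloud_base_path }}/nextcloud"
nextcloud_config_path: "{{ nextcloud_base_path }}/config"
nextcloud_data_path: "{{ nextcloud_base_path }}/data"
nextcloud_redis_session_ini_path: "{{ nextcloud_base_path }}/redis-session.ini"
nextcloud_customized_container_src_path: "{{ nextcloud_base_path }}/customized-container-src"

# SVG support for imagick can be setup like this:
# https://docs.nextcloud.com/server/24/admin_manual/configuration_server/theming.html?highlight=libmagickcore%20q16%20extra#theming-of-icons
# However, using Imagick may have a negative effect on security, that is the reason
# behind not installing it by default. See:
# https://github.com/nextcloud/server/issues/13099
# Tread wisely!
nextcloud_container_image_customizations_php_imageick_installation_enabled: false
nextcloud_container_image_customizations_php_imageick_installation_package: "libmagickcore-6.q16-6-extra"

# Preview generator setup
#
# Enable the variable nextcloud_preview_enabled and you are good to go.
#
# Some important aspects of usage:
# - the preview generator has two stages [according to their readme](https://github.com/nextcloud/previewgenerator)
#   - a generate-all phase, which has to be executed only a single time
#   - a pre-generate phase, that should be run in a cronjob.
#     That runs quite fast once the generate-all phase has finished.
# We do not want to run the generate-all phase multiple times, so its execution has to be tracked somehow.
# This is done by creating a file on the host side; both the task that executes generate-all
# and the cronjob check its existence.
#
# Multiple variables are also defined and the corresponding default values are also set.
# These values are based on the [upstream readme](https://github.com/nextcloud/previewgenerator) and also on experience.
# Feel free to change anything.
#
# Once installed, the playbook needs to be called with the adjust-nextcloud-config tag.
# This tag sets up the variables and calls the generate-all script, that will also create the file---signalling
# its finished state---on the host.
# *** As this may take a long time, be sure to only call it when you have time to leave it running!!! ***
# The playbook calls generate-all asynchronously, but it will timeout after about 27h.
# On 60GBs, mostly images, it took about 10 minutes to finish.
# If it takes more time, you may want to start it from the host by calling
# ```sh
# /usr/bin/env docker exec mash-nextcloud-server php /var/www/html/occ preview:generate-all
# ```
#
# If the nextcloud_preview_enabled value is set back to false, the host side files are cleaned up
# and the cron job is changed so it no longer calls preview generation; however, the database and generated
# previews are kept intact.
nextcloud_preview_enabled: false
nextcloud_preview_folder_name: "preview-generator"
nextcloud_preview_docker_folder: "/{{ nextcloud_preview_folder_name }}"
nextcloud_preview_host_folder: "{{ nextcloud_customized_container_src_path }}/{{ nextcloud_preview_folder_name }}"
nextcloud_preview_first_run_finished_filename: "finished-first-run.keepit"
# The embedded double quotes are intentional: the whole quoted list is passed through as one value.
nextcloud_preview_squareSizes: "\"64 256 1024 2048\""
nextcloud_preview_widthSizes: "\"64 256 1024 2048\""
nextcloud_preview_heightSizes: "\"64 256 1024 2048\""
nextcloud_preview_preview_max_x: 2048
nextcloud_preview_preview_max_y: 2048
nextcloud_preview_system_jpeg_quality: 60
# Kept as a string on purpose (unlike the system setting above).
nextcloud_preview_app_jpeg_quality: "60"

# nextcloud_container_image_customizations_enabled controls whether a customized Nextcloud image will be built.
#
# We toggle this variable to `true` when certain features which require a custom build are enabled.
# Feel free to toggle this to `true` yourself and specify build steps in `nextcloud_container_image_customizations_dockerfile_body_custom`.
#
# See:
# - `roles/nextcloud-server/templates/customizations/Dockerfile.j2`
# - `nextcloud_container_image_customizations_dockerfile_body_custom`
# - `nextcloud_container_image_customized`
# - `nextcloud_container_image_final`
nextcloud_container_image_customizations_enabled: "{{ nextcloud_container_image_customizations_php_imageick_installation_enabled }}"

# nextcloud_container_image_customizations_dockerfile_body_custom contains your custom Dockerfile steps
# for building your customized Nextcloud image based on the original (upstream) image (`nextcloud_container_image`).
# A `FROM ...` clause is included automatically so you don't have to.
#
# Example:
# nextcloud_container_image_customizations_dockerfile_body_custom: |
#   RUN echo 'This is a custom step for building the customized container image for Nextcloud.'
#   RUN echo 'You can override nextcloud_container_image_customizations_dockerfile_body_custom to add your own steps.'
#   RUN echo 'You do NOT need to include a FROM clause yourself.'
nextcloud_container_image_customizations_dockerfile_body_custom: ''

nextcloud_container_image: "{{ nextcloud_container_image_registry_prefix }}nextcloud:{{ nextcloud_container_image_tag }}"
nextcloud_container_image_tag: "{{ nextcloud_version }}-apache"
# Only a floating `:latest` tag needs to be re-pulled on every run.
nextcloud_container_image_force_pull: "{{ nextcloud_container_image.endswith(':latest') }}"
nextcloud_container_image_registry_prefix: docker.io/

# nextcloud_container_image_customized is the name of the locally built Nextcloud image
# which adds various customizations on top of the original (upstream) Nextcloud image.
# This image will be based on the upstream `nextcloud_container_image` image, only if `nextcloud_container_image_customizations_enabled: true`.
nextcloud_container_image_customized: "localhost/nextcloud:{{ nextcloud_container_image_tag }}-customized"

# nextcloud_container_image_final holds the name of the Nextcloud image to run depending on whether or not customizations are enabled.
# This is an image reference, so it must not carry any stray whitespace.
nextcloud_container_image_final: "{{ nextcloud_container_image_customized if nextcloud_container_image_customizations_enabled else nextcloud_container_image }}"

# A list of extra arguments to pass to the container
nextcloud_container_extra_arguments: []

# Controls whether the nextcloud-apache container's memory usage
# is limited and to what extent.
#
# When set, these options are passed to `docker run`
# as `--memory=..` and `--memory-swap=..` respectively.
#
# Expected value format is `[integer][unit]`. E.g. 100M, 1G
#
# If `nextcloud_container_memory_swap_limit` is set,
# it represents the total memory that can be used (memory + swap),
# so it must always be at least as large as `nextcloud_container_memory_limit`.
# To disable swapping, make it the same as `nextcloud_container_memory_limit`.
nextcloud_container_memory_limit: ""
nextcloud_container_memory_swap_limit: ""

# Controls whether the nextcloud-apache container exposes its HTTP port (tcp/80 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:37150"), or empty string to not expose.
nextcloud_container_http_host_bind_port: ""

# nextcloud_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
# See `../templates/labels.j2` for details.
#
# To inject your own other container labels, see `nextcloud_container_labels_additional_labels`.
nextcloud_container_labels_traefik_enabled: true
nextcloud_container_labels_traefik_docker_network: ''
nextcloud_container_labels_traefik_hostname: "{{ nextcloud_hostname }}"
# The path prefix must either be `/` or not end with a slash (e.g. `/nextcloud`).
nextcloud_container_labels_traefik_path_prefix: "{{ nextcloud_path_prefix }}"
# Controls whether `/.well-known/{carddav,caldav}` will be redirected to `/remote.php/dav/`
nextcloud_container_labels_traefik_dav_redirect_regex_enabled: true
nextcloud_container_labels_traefik_rule: "Host(`{{ nextcloud_container_labels_traefik_hostname }}`){% if nextcloud_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ nextcloud_container_labels_traefik_path_prefix | quote }}`){% endif %}"
nextcloud_container_labels_traefik_priority: 0
nextcloud_container_labels_traefik_entrypoints: web-secure
# TLS is assumed for every entrypoint except the plain `web` one.
nextcloud_container_labels_traefik_tls: "{{ nextcloud_container_labels_traefik_entrypoints != 'web' }}"
nextcloud_container_labels_traefik_tls_certResolver: default # noqa var-naming

# Controls which additional headers to attach to all HTTP requests.
# To add your own custom request headers, use `nextcloud_container_labels_traefik_additional_request_headers_custom`
nextcloud_container_labels_traefik_additional_request_headers: "{{ nextcloud_container_labels_traefik_additional_request_headers_auto | combine(nextcloud_container_labels_traefik_additional_request_headers_custom) }}"
nextcloud_container_labels_traefik_additional_request_headers_auto: |
  {{
    {}
    | combine ({'Front-End-Https': 'on'} if nextcloud_scheme == 'https' else {})
  }}
nextcloud_container_labels_traefik_additional_request_headers_custom: {}

# Controls which additional headers to attach to all HTTP responses.
# To add your own custom response headers, use `nextcloud_container_labels_traefik_additional_response_headers_custom`
#
# Each header is only emitted when its `nextcloud_http_header_*` value is non-empty,
# so setting one of those variables to `''` disables that header.
nextcloud_container_labels_traefik_additional_response_headers: "{{ nextcloud_container_labels_traefik_additional_response_headers_auto | combine(nextcloud_container_labels_traefik_additional_response_headers_custom) }}"
nextcloud_container_labels_traefik_additional_response_headers_auto: |
  {{
    {}
    | combine ({'X-XSS-Protection': nextcloud_http_header_xss_protection} if nextcloud_http_header_xss_protection else {})
    | combine ({'X-Frame-Options': nextcloud_http_header_frame_options} if nextcloud_http_header_frame_options else {})
    | combine ({'X-Content-Type-Options': nextcloud_http_header_content_type_options} if nextcloud_http_header_content_type_options else {})
    | combine ({'Content-Security-Policy': nextcloud_http_header_content_security_policy} if nextcloud_http_header_content_security_policy else {})
    | combine ({'Permissions-Policy': nextcloud_http_header_content_permission_policy} if nextcloud_http_header_content_permission_policy else {})
    | combine ({'Strict-Transport-Security': nextcloud_http_header_strict_transport_security} if nextcloud_http_header_strict_transport_security and nextcloud_container_labels_traefik_tls else {})
  }}
nextcloud_container_labels_traefik_additional_response_headers_custom: {}

# A list of middlewares to add to the service.
# Add your own via the `nextcloud_container_labels_traefik_http_middlewares_custom` variable.
nextcloud_container_labels_traefik_http_middlewares: "{{ nextcloud_container_labels_traefik_http_middlewares_default + nextcloud_container_labels_traefik_http_middlewares_auto + nextcloud_container_labels_traefik_http_middlewares_custom }}"

# Each entry is only included when the feature it serves is active
# (a non-root path prefix, the DAV redirect, or a non-empty header map).
nextcloud_container_labels_traefik_http_middlewares_default: |
  {{
    ([{
      'priority': 1000,
      'name': (nextcloud_identifier + '-slashless-redirect'),
      'type': 'redirectregex',
      'config': {
        'regex': '^(' + nextcloud_container_labels_traefik_path_prefix | quote + ')$',
        'replacement': '${1}/',
      },
    }] if nextcloud_container_labels_traefik_path_prefix != '/' else [])

    +

    ([{
      'priority': 2000,
      'name': (nextcloud_identifier + '-dav-redirectregex'),
      'type': 'redirectregex',
      'config': {
        'permanent': 'true',
        'regex': ('^' + nextcloud_scheme + '://' + nextcloud_hostname | quote + '/.well-known/(?:card|cal)dav$'),
        'replacement': (nextcloud_scheme + '://' + nextcloud_hostname + '/remote.php/dav/'),
      },
    }] if nextcloud_container_labels_traefik_dav_redirect_regex_enabled else [])

    +

    ([{
      'priority': 3000,
      'name': (nextcloud_identifier + '-strip-prefix'),
      'type': 'stripprefix',
      'config': {
        'prefixes': nextcloud_container_labels_traefik_path_prefix,
      },
    }] if nextcloud_container_labels_traefik_path_prefix != '/' else [])

    +

    ([{
      'priority': 4000,
      'name': (nextcloud_identifier + '-add-request-headers'),
      'type': 'headers',
      'config_key_prefix': 'customrequestheaders.',
      'config': nextcloud_container_labels_traefik_additional_request_headers,
    }] if nextcloud_container_labels_traefik_additional_request_headers.keys() | length > 0 else [])

    +

    ([{
      'priority': 5000,
      'name': (nextcloud_identifier + '-add-response-headers'),
      'type': 'headers',
      'config_key_prefix': 'customresponseheaders.',
      'config': nextcloud_container_labels_traefik_additional_response_headers,
    }] if nextcloud_container_labels_traefik_additional_response_headers.keys() | length > 0 else [])
  }}

nextcloud_container_labels_traefik_http_middlewares_auto: []
nextcloud_container_labels_traefik_http_middlewares_custom: []

# nextcloud_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
# See `../templates/labels.j2` for details.
#
# Example:
# nextcloud_container_labels_additional_labels: |
#   my.label=1
#   another.label="here"
nextcloud_container_labels_additional_labels: ''

# nextcloud_container_additional_environment_variables contains a multiline string with additional environment variables to pass to the container.
#
# Example:
# nextcloud_container_additional_environment_variables: |
#   VAR=1
#   ANOTHER=value
nextcloud_container_additional_environment_variables: ''

# A list of additional "mounts" to be mounted in the container.
# Contains definition objects like this:
# nextcloud_container_additional_mounts:
#   - "type=bind|volume|tmpfs,source=/outside,target=/inside,readonly,bind-propagation=slave"
nextcloud_container_additional_mounts: []

nextcloud_container_network: "{{ nextcloud_identifier }}"

# A list of additional container networks that the container would be connected to.
# The playbook does not create these networks, so make sure they already exist.
nextcloud_container_additional_networks: "{{ nextcloud_container_additional_networks_auto + nextcloud_container_additional_networks_custom }}"
nextcloud_container_additional_networks_auto: []
nextcloud_container_additional_networks_custom: []

# Database connection settings. The hostname and credentials are empty by default and must be provided.
nextcloud_database_type: postgres
nextcloud_database_hostname: ''
nextcloud_database_port: 5432
nextcloud_database_name: nextcloud
nextcloud_database_username: ''
nextcloud_database_password: ''

# A list of configuration parameters for Nextcloud.
# To define your own, we advise editing `nextcloud_config_additional_parameters`.
nextcloud_config_parameters: "{{ nextcloud_config_default_parameters + nextcloud_config_additional_parameters }}"

# Default configuration parameters to apply to Nextcloud.
# To add your own additional parameters, use `nextcloud_config_additional_parameters`.
# To get rid of these defaults, redefine `nextcloud_config_default_parameters` or `nextcloud_config_parameters`.
nextcloud_config_default_parameters:
  # Follows `nextcloud_scheme` so a plain-http deployment does not get redirected to https.
  - key: overwriteprotocol
    value: "{{ nextcloud_scheme }}"
    type: string
  - key: overwrite.cli.url
    value: "{{ nextcloud_url }}"
    type: string
  - key: overwritewebroot
    value: "{{ nextcloud_path_prefix }}"
    type: string
  - key: htaccess.RewriteBase
    value: "{{ nextcloud_path_prefix }}"
    type: string

# Add your custom Nextcloud configuration parameters here.
#
# Example:
# nextcloud_config_additional_parameters:
#   - key: mail_smtphost
#     value: smtp.example.com
#     type: string
nextcloud_config_additional_parameters: []

# nextcloud_cron_schedule contains a systemd OnCalendar definition which controls how often `cron.timer` runs
# The default value means 'every 15 minutes'.
# Learn more here: https://man.archlinux.org/man/systemd.time.7
nextcloud_cron_schedule: '*:0/15:0'

# Specifies the value of the `X-XSS-Protection` header
# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
#
# Learn more about it here:
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
# - https://portswigger.net/web-security/cross-site-scripting/reflected
nextcloud_http_header_xss_protection: "1; mode=block"

# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
nextcloud_http_header_frame_options: SAMEORIGIN

# Specifies the value of the `X-Content-Type-Options` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
nextcloud_http_header_content_type_options: nosniff

# Specifies the value of the `Content-Security-Policy` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
nextcloud_http_header_content_security_policy: frame-ancestors 'self'

# Specifies the value of the `Permissions-Policy` header.
# (The variable name keeps its historical singular spelling; the header sent to browsers is the standard plural one.)
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy
nextcloud_http_header_content_permission_policy: "{{ 'interest-cohort=()' if nextcloud_floc_optout_enabled else '' }}"

# Specifies the value of the `Strict-Transport-Security` header.
# Only sent when `nextcloud_container_labels_traefik_tls` is true (see the response headers above).
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
nextcloud_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if nextcloud_hsts_preload_enabled else '' }}"

# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses
#
# Learn more about what it is here:
# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
# - https://amifloced.org/
#
# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
# See: `nextcloud_http_header_content_permission_policy`
nextcloud_floc_optout_enabled: true

# Controls if HSTS preloading is enabled
#
# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and
# indicates a willingness to be "preloaded" into browsers:
# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
# For more information visit:
# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
# - https://hstspreload.org/#opt-in
# See: `nextcloud_http_header_strict_transport_security`
nextcloud_hsts_preload_enabled: false

# Collabora Online integration.
# See the `collabora-online` role.
nextcloud_collabora_app_wopi_url: ''
# Defaults to the RFC 1918 private ranges, so only hosts on internal networks may act as WOPI clients.
nextcloud_collabora_app_wopi_allowlist: '10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16'

# Redis integration.
nextcloud_redis_hostname: ''
nextcloud_redis_port: 6379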