1
0
Fork 0
mash-ansible-role-nextcloud/defaults/main.yml
2023-12-13 16:09:11 +02:00

405 lines
20 KiB
YAML

---
nextcloud_enabled: true
nextcloud_identifier: nextcloud
nextcloud_scheme: https
# The fully-qualified name of your Nextcloud server (e.g. `nextcloud.example.com`)
nextcloud_hostname: ''
nextcloud_path_prefix: /
nextcloud_version: 28.0.0
nextcloud_uid: ''
nextcloud_gid: ''
nextcloud_systemd_required_services_list: "{{ nextcloud_systemd_required_services_list_default + nextcloud_systemd_required_services_list_auto + nextcloud_systemd_required_services_list_custom }}"
nextcloud_systemd_required_services_list_default: ['docker.service']
nextcloud_systemd_required_services_list_auto: []
nextcloud_systemd_required_services_list_custom: []
nextcloud_base_path: "{{ nextcloud_base_path }}/nextcloud"
nextcloud_config_path: "{{ nextcloud_base_path }}/config"
nextcloud_data_path: "{{ nextcloud_base_path }}/data"
nextcloud_redis_session_ini_path: "{{ nextcloud_base_path }}/redis-session.ini"
nextcloud_customized_container_src_path: "{{ nextcloud_base_path }}/customized-container-src"
# Preview generator setup
#
# Enable the variable nextcloud_preview_enabled and you are good to go.
#
# Some important aspects of usage:
# - the preview generator has two stages [according to their readme](https://github.com/nextcloud/previewgenerator)
# - a generate-all phase, which has to be executed only a single time
# - a pre-generate phase, that should be run in a cronjob.
# That runs quite fast if the generate-all phase finishd.
# We do not want to run the generate-all phase multiple times, so its execution has to be followed somehow.
# This is done by creating a file on the host side and both the task that executes generate-all
# and both the cronjob checks its existance.
#
# Multiple vaiables are also defined and the corresponding default values are also set.
# These values are based on the [upstream readme](https://github.com/nextcloud/previewgenerator) and also on experience.
# Feel free to change anything.
#
# Once installed, the playbook needs to be called with the adjust-nextcloud-config tag.
# This tag sets up the variables and calls the generate-all script, that will also create the file---signalling
# its finished state---on the host.
# *** As this may take a long time, be sure to only call it when you have time to leave it running!!! ***
# The playbook calls generate-all asynchronously, but it will timeout after about 27h.
# On 60GBs, most if images, it took about 10 minutes to finish.
# If it takes more time, you may want to start it from the host by calling
# ```sh
# /usr/bin/env docker exec mash-nextcloud-server php /var/www/html/occ preview:generate-all
# ```
#
# If the nextcloud_preview_enabled value is set back to false, the host side files are cleaned up
# and also the cron job is changed, not to call prevew generation again however, the database and generated
# previews are kept intact.
nextcloud_preview_enabled: false
nextcloud_preview_folder_name: "preview-generator"
nextcloud_preview_docker_folder: "/{{ nextcloud_preview_folder_name }}"
nextcloud_preview_host_folder: "{{ nextcloud_customized_container_src_path }}/{{ nextcloud_preview_folder_name }}"
nextcloud_preview_first_run_finished_filename: "finished-first-run.keepit"
nextcloud_preview_squareSizes: "\"64 256 1024 2048\""
nextcloud_preview_widthSizes: "\"64 256 1024 2048\""
nextcloud_preview_heightSizes: "\"64 256 1024 2048\""
nextcloud_preview_preview_max_x: 2048
nextcloud_preview_preview_max_y: 2048
nextcloud_preview_system_jpeg_quality: 60
nextcloud_preview_app_jpeg_quality: "60"
# nextcloud_container_image_customizations_enabled controls whether a customized Nextcloud image will be built.
#
# We toggle this variable to `true` when certain features which require a custom build are enabled.
# Feel free to toggle this to `true` yourself and specify build steps in `nextcloud_container_image_customizations_dockerfile_body_custom`.
#
# See:
# - `roles/nextcloud-server/templates/customizations/Dockerfile.j2`
# - `nextcloud_container_image_customizations_dockerfile_body_custom`
# - `nextcloud_container_image_customized`
# - `nextcloud_container_image_final`
nextcloud_container_image_customizations_enabled: |
{{
(
nextcloud_container_image_customizations_php_imagick_installation_enabled
or
nextcloud_container_image_customizations_samba_enabled
or
nextcloud_container_image_customizations_packages_to_install | length > 0
)
}}
# SVG support for imagick can be setup like this:
# https://docs.nextcloud.com/server/24/admin_manual/configuration_server/theming.html?highlight=libmagickcore%20q16%20extra#theming-of-icons
# However, using Imagick may have a negative effect on security, that is the reason
# behind not installing it by default. See:
# https://github.com/nextcloud/server/issues/13099
# Tread wisely!
nextcloud_container_image_customizations_php_imagick_installation_enabled: false
nextcloud_container_image_customizations_php_imagick_installation_packages: ['libmagickcore-6.q16-6-extra']
# Samba (SMB) support for Windows fileshares can be setup using the toggle below, which
# installs the smbclient package per the example here https://github.com/nextcloud/docker/blob/master/.examples/dockerfiles/smb/apache/Dockerfile
# Also see ../../templates/customizations/Dockerfile.j2
nextcloud_container_image_customizations_samba_enabled: false
nextcloud_container_image_customizations_samba_packages: ['procps', 'smbclient']
# A list of packages to install in the customized Nextcloud container image.
# To add your own, use `nextcloud_container_image_customizations_packages_to_install_custom`
nextcloud_container_image_customizations_packages_to_install: "{{ (nextcloud_container_image_customizations_packages_to_install_auto + nextcloud_container_image_customizations_packages_to_install_custom) | unique }}"
nextcloud_container_image_customizations_packages_to_install_auto: |
{{
(nextcloud_container_image_customizations_php_imageick_installation_packages if nextcloud_container_image_customizations_php_imagick_installation_enabled else [])
+
(nextcloud_container_image_customizations_samba_packages if nextcloud_container_image_customizations_samba_enabled else [])
}}
nextcloud_container_image_customizations_packages_to_install_custom: []
# nextcloud_container_image_customizations_dockerfile_body_custom contains your custom Dockerfile steps
# for building your customized Nextcloud image based on the original (upstream) image (`nextcloud_container_image`).
# A `FROM ...` clause is included automatically so you don't have to.
#
# Example:
# nextcloud_container_image_customizations_dockerfile_body_custom: |
# RUN echo 'This is a custom step for building the customized container image for Nextcloud.'
# RUN echo 'You can override nextcloud_container_image_customizations_dockerfile_body_custom to add your own steps.'
# RUN echo 'You do NOT need to include a FROM clause yourself.'
nextcloud_container_image_customizations_dockerfile_body_custom: ''
nextcloud_container_image: "{{ nextcloud_container_image_registry_prefix }}nextcloud:{{ nextcloud_container_image_tag }}"
nextcloud_container_image_tag: "{{ nextcloud_version }}-apache"
nextcloud_container_image_force_pull: "{{ nextcloud_container_image.endswith(':latest') }}"
nextcloud_container_image_registry_prefix: docker.io/
# nextcloud_container_image_customized is the name of the locally built Nextcloud image
# which adds various customizations on top of the original (upstream) Nextcloud image.
# This image will be based on the upstream `nextcloud_container_image` image, only if `nextcloud_container_image_customizations_enabled: true`.
nextcloud_container_image_customized: "localhost/nextcloud:{{ nextcloud_container_image_tag }}-customized"
# nextcloud_container_image_final holds the name of the Nextcloud image to run depending on whether or not customizations are enabled.
nextcloud_container_image_final: "{{ nextcloud_container_image_customized if nextcloud_container_image_customizations_enabled else nextcloud_container_image }}"
# A list of extra arguments to pass to the container
nextcloud_container_extra_arguments: []
# Controls whether the nextcloud-apache container's memory usage
# is limited and to what extent.
#
# When set, these options are passed to `docker run`
# as `--memory=..` and `--memory-swap=..` respectively.
#
# Expected value format is `[integer][unit]`. E.g. 100M, 1G
#
# If `nextcloud_container_memory_swap_limit` is set,
# it represents the total memory that can be used (memory + swap),
# so it must always be at least as large as `nextcloud_container_memory_limit`.
# To disable swapping, make it the same as `nextcloud_container_memory_limit`.
nextcloud_container_memory_limit: ""
nextcloud_container_memory_swap_limit: ""
# Controls whether the nextcloud-apache container exposes its HTTP port (tcp/80 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:37150"), or empty string to not expose.
nextcloud_container_http_host_bind_port: ""
# nextcloud_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
# See `../templates/labels.j2` for details.
#
# To inject your own other container labels, see `nextcloud_container_labels_additional_labels`.
nextcloud_container_labels_traefik_enabled: true
nextcloud_container_labels_traefik_docker_network: ''
nextcloud_container_labels_traefik_hostname: "{{ nextcloud_hostname }}"
# The path prefix must either be `/` or not end with a slash (e.g. `/nextcloud`).
nextcloud_container_labels_traefik_path_prefix: "{{ nextcloud_path_prefix }}"
# Controls whether `/.well-known/{carddav,caldav}` will be redirected to `/remote.php/dav/`
nextcloud_container_labels_traefik_dav_redirect_regex_enabled: true
nextcloud_container_labels_traefik_rule: "Host(`{{ nextcloud_container_labels_traefik_hostname }}`){% if nextcloud_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ nextcloud_container_labels_traefik_path_prefix | quote }}`){% endif %}"
nextcloud_container_labels_traefik_priority: 0
nextcloud_container_labels_traefik_entrypoints: web-secure
nextcloud_container_labels_traefik_tls: "{{ nextcloud_container_labels_traefik_entrypoints != 'web' }}"
nextcloud_container_labels_traefik_tls_certResolver: default # noqa var-naming
# Controls which additional headers to attach to all HTTP requests.
# To add your own custom request headers, use `nextcloud_container_labels_traefik_additional_response_headers_custom`
nextcloud_container_labels_traefik_additional_request_headers: "{{ nextcloud_container_labels_traefik_additional_request_headers_auto | combine(nextcloud_container_labels_traefik_additional_request_headers_custom) }}"
nextcloud_container_labels_traefik_additional_request_headers_auto: |
{{
{}
| combine ({'Front-End-Https': 'on'} if nextcloud_scheme == 'https' else {})
}}
nextcloud_container_labels_traefik_additional_request_headers_custom: {}
# Controls which additional headers to attach to all HTTP responses.
# To add your own custom response headers, use `nextcloud_container_labels_traefik_additional_response_headers_custom`
nextcloud_container_labels_traefik_additional_response_headers: "{{ nextcloud_container_labels_traefik_additional_response_headers_auto | combine(nextcloud_container_labels_traefik_additional_response_headers_custom) }}"
nextcloud_container_labels_traefik_additional_response_headers_auto: |
{{
{}
| combine ({'X-XSS-Protection': nextcloud_http_header_xss_protection} if nextcloud_http_header_xss_protection else {})
| combine ({'X-Frame-Options': nextcloud_http_header_frame_options} if nextcloud_http_header_frame_options else {})
| combine ({'X-Content-Type-Options': nextcloud_http_header_content_type_options} if nextcloud_http_header_content_type_options else {})
| combine ({'Content-Security-Policy': nextcloud_http_header_content_security_policy} if nextcloud_http_header_content_security_policy else {})
| combine ({'Permission-Policy': nextcloud_http_header_content_permission_policy} if nextcloud_http_header_content_permission_policy else {})
| combine ({'Strict-Transport-Security': nextcloud_http_header_strict_transport_security} if nextcloud_http_header_strict_transport_security and nextcloud_container_labels_traefik_tls else {})
}}
nextcloud_container_labels_traefik_additional_response_headers_custom: {}
# A list of middlewares to add to the service.
# Add your own via the `nextcloud_container_labels_traefik_http_middlewares_custom` variable.
nextcloud_container_labels_traefik_http_middlewares: "{{ nextcloud_container_labels_traefik_http_middlewares_default + nextcloud_container_labels_traefik_http_middlewares_auto + nextcloud_container_labels_traefik_http_middlewares_custom }}"
nextcloud_container_labels_traefik_http_middlewares_default: |
{{
([{
'priority': 1000,
'name': (nextcloud_identifier + '-slashless-redirect'),
'type': 'redirectregex',
'config': {
'regex': '^(' + nextcloud_container_labels_traefik_path_prefix | quote + ')$',
'replacement': '${1}/',
},
}] if nextcloud_container_labels_traefik_path_prefix != '/' else [])
+
([{
'priority': 2000,
'name': (nextcloud_identifier + '-dav-redirectregex'),
'type': 'redirectregex',
'config': {
'permanent': 'true',
'regex': ('^' + nextcloud_scheme + '://' + nextcloud_hostname | quote + '/.well-known/(?:card|cal)dav$'),
'replacement': (nextcloud_scheme + '://' + nextcloud_hostname + '/remote.php/dav/'),
},
}] if nextcloud_container_labels_traefik_dav_redirect_regex_enabled else [])
+
([{
'priority': 3000,
'name': (nextcloud_identifier + '-strip-prefix'),
'type': 'stripprefix',
'config': {
'prefixes': nextcloud_container_labels_traefik_path_prefix,
},
}] if nextcloud_container_labels_traefik_path_prefix != '/' else [])
+
([{
'priority': 4000,
'name': (nextcloud_identifier + '-add-request-headers'),
'type': 'headers',
'config_key_prefix': 'customrequestheaders.',
'config': nextcloud_container_labels_traefik_additional_request_headers,
}] if nextcloud_container_labels_traefik_additional_request_headers.keys() | length > 0 else [])
+
([{
'priority': 5000,
'name': (nextcloud_identifier + '-add-response-headers'),
'type': 'headers',
'config_key_prefix': 'customresponseheaders.',
'config': nextcloud_container_labels_traefik_additional_response_headers,
}] if nextcloud_container_labels_traefik_additional_response_headers.keys() | length > 0 else [])
}}
nextcloud_container_labels_traefik_http_middlewares_auto: []
nextcloud_container_labels_traefik_http_middlewares_custom: []
# nextcloud_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
# See `../templates/labels.j2` for details.
#
# Example:
# nextcloud_container_labels_additional_labels: |
# my.label=1
# another.label="here"
nextcloud_container_labels_additional_labels: ''
# nextcloud_container_additional_environment_variables contains a multiline string with additional environment variables to pass to the container.
#
# Example:
# nextcloud_container_additional_environment_variables: |
# VAR=1
# ANOTHER=value
nextcloud_container_additional_environment_variables: ''
# A list of additional "mounts" to be mounted in the container.
# Contains definition objects like this:
# nextcloud_container_additional_mounts:
# - "type=bind|volume|tmpfs,source=/outside,target=/inside,readonly,bind-propagation=slave"
nextcloud_container_additional_mounts: []
nextcloud_container_network: "{{ nextcloud_identifier }}"
# A list of additional container networks that the container would be connected to.
# The playbook does not create these networks, so make sure they already exist.
nextcloud_container_additional_networks: "{{ nextcloud_container_additional_networks_auto + nextcloud_container_additional_networks_custom }}"
nextcloud_container_additional_networks_auto: []
nextcloud_container_additional_networks_custom: []
nextcloud_database_type: postgres
nextcloud_database_hostname: ''
nextcloud_database_port: 5432
nextcloud_database_name: nextcloud
nextcloud_database_username: ''
nextcloud_database_password: ''
# A list of configuration parameters for Nextcloud.
# To define your own, we advise editing `nextcloud_config_additional_parameters`.
nextcloud_config_parameters: "{{ nextcloud_config_default_parameters + nextcloud_config_additional_parameters }}"
# Default configuration parameters to apply to Nextcloud.
# To add your own additional parameters, use `nextcloud_config_additional_parameters`.
# To get rid of these defaults, redefine `nextcloud_config_default_parameters` or `nextcloud_config_parameters`.
nextcloud_config_default_parameters:
- key: overwriteprotocol
value: "https"
type: string
- key: overwrite.cli.url
value: "{{ nextcloud_url }}"
type: string
- key: overwritewebroot
value: "{{ nextcloud_path_prefix }}"
type: string
- key: htaccess.RewriteBase
value: "{{ nextcloud_path_prefix }}"
type: string
# Add your custom Nextcloud configuration parameters here.
#
# Example:
# nextcloud_config_additional_parameters:
# - key: mail_smtphost
# value: smtp.example.com
# type: string
nextcloud_config_additional_parameters: []
# nextcloud_cron_schedule contains a systemd OnCalendar definition which controls how often `cron.timer` runs
# The default value means 'every 15 minutes'.
# Learn more here: https://man.archlinux.org/man/systemd.time.7
nextcloud_cron_schedule: '*:0/15:0'
# Specifies the value of the `X-XSS-Protection` header
# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
#
# Learn more about it is here:
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
# - https://portswigger.net/web-security/cross-site-scripting/reflected
nextcloud_http_header_xss_protection: "1; mode=block"
# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
nextcloud_http_header_frame_options: SAMEORIGIN
# Specifies the value of the `X-Content-Type-Options` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
nextcloud_http_header_content_type_options: nosniff
# Specifies the value of the `Content-Security-Policy` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
nextcloud_http_header_content_security_policy: frame-ancestors 'self'
# Specifies the value of the `Permission-Policy` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy
nextcloud_http_header_content_permission_policy: "{{ 'interest-cohort=()' if nextcloud_floc_optout_enabled else '' }}"
# Specifies the value of the `Strict-Transport-Security` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
nextcloud_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if nextcloud_hsts_preload_enabled else '' }}"
# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses
#
# Learn more about what it is here:
# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
# - https://amifloced.org/
#
# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
# See: `nextcloud_content_permission_policy`
nextcloud_floc_optout_enabled: true
# Controls if HSTS preloading is enabled
#
# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and
# indicates a willingness to be "preloaded" into browsers:
# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
# For more information visit:
# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
# - https://hstspreload.org/#opt-in
# See: `nextcloud_http_header_strict_transport_security`
nextcloud_hsts_preload_enabled: false
# Collabora Online integration.
# See the `collabora-online` role.
nextcloud_collabora_app_wopi_url: ''
nextcloud_collabora_app_wopi_allowlist: '10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16'
# Redis intergration.
nextcloud_redis_hostname: ''
nextcloud_redis_port: 6379