diff --git a/roles/owncloud/defaults/main.json b/roles/owncloud/defaults/main.json
index 94f4742..1101e12 100644
--- a/roles/owncloud/defaults/main.json
+++ b/roles/owncloud/defaults/main.json
@@ -1,16 +1,18 @@
 {
- "cfg_owncloud_defaults": {
- "user": "owncloud",
- "directory": "/opt/owncloud",
- "version": "7.2.0",
- "platform": "linux-amd64",
- "domain": "owncloud.example.org",
- "authentication": {
- "kind": "internal"
- },
- "public_share": {
- "password_necessity": "writable",
- "password_policy_active": true
- }
- }
+ "var_owncloud_user": "owncloud",
+ "var_owncloud_directory": "/opt/owncloud",
+ "var_owncloud_version": "5.0.0",
+ "var_owncloud_platform": "linux-amd64",
+ "var_owncloud_domain": "owncloud.example.org",
+ "var_owncloud_admin_password": "REPLACE_ME",
+ "var_owncloud_authentication_kind": "internal",
+ "var_owncloud_authentication_data_authelia_url_base": "https://authelia.example.org",
+ "var_owncloud_authentication_data_authelia_web_client_id": "owncloud_web",
+ "var_owncloud_authentication_data_authelia_web_client_secret": "REPLACE_ME",
+ "var_owncloud_authentication_data_authelia_android_client_id": "owncloud_android",
+ "var_owncloud_authentication_data_authelia_android_client_secret": "REPLACE_ME",
+ "var_owncloud_authentication_data_authelia_ios_client_id": "owncloud_ios",
+ "var_owncloud_authentication_data_authelia_ios_client_secret": "REPLACE_ME",
+ "var_owncloud_public_share_password_necessity": "writable",
+ "var_owncloud_public_share_password_policy_active": true
 }
diff --git a/roles/owncloud/info.md b/roles/owncloud/info.md
index 962bd4f..b74ee6d 100644
--- a/roles/owncloud/info.md
+++ b/roles/owncloud/info.md
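Review bot: The new defaults ship `var_owncloud_admin_password` and the three `*_client_secret` variables with the literal `REPLACE_ME`, so a deployment that forgets to override them does not fail — it runs `ocis init` with a guessable admin password, and the placeholder would satisfy any mandatory-variable check that only tests for a defined value. Safer is to leave secret variables out of `defaults/main.json` entirely (an undefined variable aborts the shell and template tasks that consume it) or to add an `ansible.builtin.assert` with `var_owncloud_admin_password != 'REPLACE_ME'` before the `setup` task. Separately, the pinned release moves from `7.2.0` to `5.0.0`; if that is unintentional it pins new installs to an older release line, and if it is intentional the reason belongs in `info.md`, since a JSON defaults file cannot carry a comment. The android/ios client ids and secrets are defined here but nothing else in this change reads them.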
@@ -7,25 +7,13 @@ Cloud-Plattform [ownCloud](https://owncloud.com/) (the rewrite in Go named "Infi - [ownCloud-Dokumentation | How to install ownCloud Infinite Scale Tech Preview in three easy steps](https://owncloud.com/news/howto-install-owncloud-infinite-scale-tech-preview/) - [ownCloud-Dokumentation | oCIS](https://owncloud.dev/ocis/) -- [ownCloud-Dokumentation | Upgrading](https://doc.owncloud.com/ocis/next/migration/upgrading-ocis.html) -- [ownCloud-Dokumentation | env var types](https://doc.owncloud.com/ocis/next/deployment/services/envvar-types-description.html) -- [ownCloud-Dokumentation | Service | Web](https://doc.owncloud.com/ocis/next/deployment/services/s-list/web.html) - [ownCloud-Dokumentation | Service | Proxy](https://doc.owncloud.com/ocis/next/deployment/services/s-list/proxy.html) +- [ownCloud-Dokumentation | Service | Web](https://doc.owncloud.com/ocis/next/deployment/services/s-list/web.html) - [ownCloud-Dokumentation | Service | Sharing](https://doc.owncloud.com/ocis/next/deployment/services/s-list/sharing.html) - [GitHub | ocis](https://github.com/owncloud/ocis/) - [ownCloud-Foren | OCIS + Authelia](https://central.owncloud.org/t/ocis-authelia/44222) -## Bemerkungen - -- die `.ocis/config/ocis.yaml` wird erzeugt auf Grundlage der `.env` -- wenn man sich plötzlich nicht mehr über OIDC anmelden kann, kann das daran lieget, dass `.ocis/idm/ldap.crt` abgelaufen ist — siehe dazu [diesen Thread](https://central.owncloud.org/t/certificate-error-after-upgrade-to-5-0-0-from-4-0-6/47824/7); man könnte auch `OCIS_LDAP_INSECURE` auf `true` setzen, aber naja… - - ## ToDo - Download prüfen -- `csp.yaml` einsetzen -- prüfen ob folgende `.env`-Variablen gebraucht werden: - - `PROXY_OIDC_ISSUER` - - `PROXY_OIDC_SKIP_USER_INFO` diff --git a/roles/owncloud/tasks/main.json b/roles/owncloud/tasks/main.json index 4bfed90..0a6e356 100644 --- a/roles/owncloud/tasks/main.json +++ b/roles/owncloud/tasks/main.json 
@@ -1,70 +1,39 @@
 [
- {
- "name": "show vars",
- "when": "switch_show_vars",
- "ansible.builtin.debug": {
- "var": "vars.cfg_owncloud"
- }
- },
 {
 "name": "user",
 "become": true,
 "ansible.builtin.user": {
- "name": "{{cfg_owncloud.user}}",
+ "name": "{{var_owncloud_user}}",
 "create_home": true,
- "home": "{{cfg_owncloud.directory}}"
+ "home": "{{var_owncloud_directory}}"
 }
 },
 {
 "name": "download",
 "become": true,
- "become_user": "{{cfg_owncloud.user}}",
+ "become_user": "{{var_owncloud_user}}",
 "ansible.builtin.get_url": {
- "url": "https://download.owncloud.com/ocis/ocis/stable/{{cfg_owncloud.version}}/ocis-{{cfg_owncloud.version}}-{{cfg_owncloud.platform}}",
- "dest": "{{cfg_owncloud.directory}}/ocis",
+ "url": "https://download.owncloud.com/ocis/ocis/stable/{{var_owncloud_version}}/ocis-{{var_owncloud_version}}-{{var_owncloud_platform}}",
+ "dest": "{{var_owncloud_directory}}/ocis",
 "mode": "u+rx"
 }
 },
- {
- "name": "directories",
- "become": true,
- "become_user": "{{cfg_owncloud.user}}",
- "loop": [
- "log"
- ],
- "ansible.builtin.file": {
- "state": "directory",
- "recurse": true,
- "path": "{{cfg_owncloud.directory}}/{{item}}"
- }
- },
- {
- "name": "csp",
- "become": true,
- "become_user": "{{cfg_owncloud.user}}",
- "ansible.builtin.template": {
- "src": "csp.yaml.j2",
- "mode": "644",
- "dest": "{{cfg_owncloud.directory}}/csp.yaml"
- }
- },
- {
- "name": "env",
- "become": true,
- "become_user": "{{cfg_owncloud.user}}",
- "ansible.builtin.template": {
- "src": "env.j2",
- "mode": "644",
- "dest": "{{cfg_owncloud.directory}}/.env"
- }
- },
 {
 "name": "setup",
 "become": true,
- "become_user": "{{cfg_owncloud.user}}",
+ "become_user": "{{var_owncloud_user}}",
 "ansible.builtin.shell": {
- "chdir": "{{cfg_owncloud.directory}}",
- "cmd": "rm -f {{cfg_owncloud.directory}}/.ocis/config/ocis.yaml && ./ocis init --insecure no --admin-password={{cfg_owncloud.admin_password}}"
+ "chdir": "{{var_owncloud_directory}}",
+ "cmd": "rm -f 
{{var_owncloud_directory}}/.ocis/config/ocis.yaml && ./ocis init --insecure no --admin-password={{var_owncloud_admin_password}}"
 }
 },
+ {
+ "name": "configuration",
+ "become": true,
+ "become_user": "{{var_owncloud_user}}",
+ "ansible.builtin.template": {
+ "src": "env.j2",
+ "dest": "{{var_owncloud_directory}}/.env"
 }
 },
 {
diff --git a/roles/owncloud/templates/env.j2 b/roles/owncloud/templates/env.j2
index 6511309..1c53400 100644
--- a/roles/owncloud/templates/env.j2
+++ b/roles/owncloud/templates/env.j2
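Review bot: The rewritten `setup` task still passes the admin password on the command line (`--admin-password={{var_owncloud_admin_password}}`) without `no_log`, so it appears in Ansible output and logs and, while `ocis init` runs, in the process list of every local user on a host without `hidepid`; it is also interpolated unquoted into a shell string, so a password containing spaces or shell metacharacters breaks the command or is interpreted by the shell. Add `"no_log": true` to the task and render the value as `{{var_owncloud_admin_password | quote}}`. The `rm -f … ocis.yaml && ./ocis init` pair re-initialises on every run; if `ocis init` writes fresh internal secrets into `ocis.yaml` as its documentation describes, each playbook run rotates them, so `"creates": "{{var_owncloud_directory}}/.ocis/config/ocis.yaml"` in place of the `rm -f` would make the task idempotent. The `download` task earlier in this hunk still fetches the binary with no `checksum` argument, which the surviving "Download prüfen" ToDo in info.md appears to acknowledge.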
@@ -1,61 +1,44 @@ -## web client -WEB_LOG_LEVEL=info -WEB_LOG_FILE={{cfg_owncloud.directory}}/log/web -WEB_LOG_PRETTY=true -WEB_LOG_COLOR=true -{% if cfg_owncloud.authentication.kind == 'internal' %} -{% endif %} -{% if cfg_owncloud.authentication.kind == 'authelia' %} -WEB_OIDC_AUTHORITY={{cfg_owncloud.authentication.data.url_base}} -WEB_OIDC_CLIENT_ID={{cfg_owncloud.authentication.data.web.client_id}} -WEB_OIDC_RESPONSE_TYPE=code -WEB_OIDC_SCOPE=openid profile email groups -WEB_OPTION_LOGIN_URL={{cfg_owncloud.authentication.data.url_base}} -WEB_OPTION_LOGOUT_URL={{cfg_owncloud.authentication.data.url_base}} -WEB_UI_THEME_SERVER={{cfg_owncloud.domain}} -WEB_UI_CONFIG_SERVER={{cfg_owncloud.domain}} +OCIS_URL="https://{{var_owncloud_domain}}" +OCIS_INSECURE="false" + +PROXY_TLS="false" + +{% if var_owncloud_authentication_kind == 'internal' %} +PROXY_AUTOPROVISION_ACCOUNTS="false" {% endif %} -## other clients -PROXY_LOG_LEVEL=info -PROXY_LOG_FILE={{cfg_owncloud.directory}}/log/proxy -PROXY_LOG_PRETTY=true -PROXY_LOG_COLOR=true -PROXY_CSP_CONFIG_FILE_LOCATION={{cfg_owncloud.directory}}/csp.yaml -PROXY_TLS=false -{% if cfg_owncloud.authentication.kind == 'internal' %} -PROXY_AUTOPROVISION_ACCOUNTS=false -{% endif %} -{% if cfg_owncloud.authentication.kind == 'authelia' %} -PROXY_OIDC_ISSUER={{cfg_owncloud.authentication.data.url_base}} -PROXY_OIDC_REWRITE_WELLKNOWN=true -PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none -PROXY_OIDC_SKIP_USER_INFO=false -PROXY_AUTOPROVISION_ACCOUNTS=true -PROXY_AUTOPROVISION_CLAIM_USERNAME=preferred_username -PROXY_AUTOPROVISION_CLAIM_EMAIL=email -PROXY_AUTOPROVISION_CLAIM_DISPLAYNAME=name -PROXY_AUTOPROVISION_CLAIM_GROUPS=groups -PROXY_USER_OIDC_CLAIM=preferred_username -PROXY_USER_CS3_CLAIM=username +{% if var_owncloud_authentication_kind == 'authelia' %} +OCIS_OIDC_CLIENT_ID="{{var_owncloud_authentication_data_authelia_web_client_id}}" +OCIS_OIDC_ISSUER="{{var_owncloud_authentication_data_authelia_url_base}}" + 
+PROXY_AUTOPROVISION_ACCOUNTS="true" +PROXY_OIDC_REWRITE_WELLKNOWN="true" +PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD="none" +PROXY_OIDC_INSECURE="false" +PROXY_USER_OIDC_CLAIM="name" +PROXY_USER_CS3_CLAIM="username" + +WEB_OIDC_AUTHORITY="{{var_owncloud_authentication_data_authelia_url_base}}" +WEB_OIDC_METADATA_URL="{{var_owncloud_authentication_data_authelia_url_base}}/.well-known/openid-configuration" +WEB_OIDC_CLIENT_ID="{{var_owncloud_authentication_data_authelia_web_client_id}}" +WEB_OIDC_SCOPE="openid profile email groups" {% endif %} -## sharing -{% if cfg_owncloud.public_share.password_necessity == 'nothing' %} -OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD=false -OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD=false +{% if var_owncloud_public_share_password_necessity == 'nothing' %} +OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD="false" +OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD="false" {% endif %} -{% if cfg_owncloud.public_share.password_necessity == 'writable' %} -OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD=false -OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD=true +{% if var_owncloud_public_share_password_necessity == 'writable' %} +OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD="false" +OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD="true" {% endif %} -{% if cfg_owncloud.public_share.password_necessity == 'all' %} -OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD=true -OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD=true +{% if var_owncloud_public_share_password_necessity == 'all' %} +OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD="true" +OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD="true" {% endif %} -{% if cfg_owncloud.public_share.password_policy_active %} -OCIS_SHARING_PASSWORD_POLICY_DISABLED=false + +{% if var_owncloud_public_share_password_policy_active %} +OCIS_SHARING_PASSWORD_POLICY_DISABLED="false" {% else %} -OCIS_SHARING_PASSWORD_POLICY_DISABLED=true +OCIS_SHARING_PASSWORD_POLICY_DISABLED="true" {% 
endif %} - diff --git a/roles/owncloud/templates/systemd_unit.j2 b/roles/owncloud/templates/systemd_unit.j2 index 8db49d4..7e43971 100644 --- a/roles/owncloud/templates/systemd_unit.j2 +++ b/roles/owncloud/templates/systemd_unit.j2 @@ -3,12 +3,12 @@ Description=ownCloud After=network.target [Service] -WorkingDirectory={{cfg_owncloud.directory}} -EnvironmentFile={{cfg_owncloud.directory}}/.env -ExecStart={{cfg_owncloud.directory}}/ocis server +WorkingDirectory={{var_owncloud_directory}} +EnvironmentFile={{var_owncloud_directory}}/.env +ExecStart={{var_owncloud_directory}}/ocis server Type=simple Restart=always -User={{cfg_owncloud.user}} +User={{var_owncloud_user}} [Install] WantedBy=default.target diff --git a/roles/owncloud/vardef.json b/roles/owncloud/vardef.json new file mode 100644 index 0000000..6641a03 --- /dev/null +++ b/roles/owncloud/vardef.json 
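Review bot: `PROXY_USER_OIDC_CLAIM="name"` replaces the removed `PROXY_USER_OIDC_CLAIM=preferred_username` as the claim that identifies the logged-in user; in Authelia the `name` claim carries the display name, which is neither unique nor stable, so two accounts with the same display name would resolve to the same CS3 `username`, and it diverges from the `preferred_username` claim autoprovisioning uses for the username unless `PROXY_AUTOPROVISION_CLAIM_USERNAME` has been changed from its documented default. Unless Authelia is deliberately configured to put the username in `name`, keep `PROXY_USER_OIDC_CLAIM="preferred_username"`. `PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD="none"` also deserves a Jinja comment such as `{# Authelia access tokens are not JWTs; the proxy validates them via the userinfo endpoint, so PROXY_OIDC_SKIP_USER_INFO must stay at its default of false #}`, since the old template set `PROXY_OIDC_SKIP_USER_INFO=false` explicitly and this version relies on the default. Dropping `PROXY_CSP_CONFIG_FILE_LOCATION` leaves the web client on ocis's built-in CSP; with the IdP on a separate origin, confirm that policy permits it in `connect-src`/`frame-src`, otherwise the OIDC flow is blocked in the browser.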
@@ -0,0 +1,75 @@
+{
+ "user": {
+ "type": "string",
+ "mandatory": false
+ },
+ "directory": {
+ "type": "string",
+ "mandatory": false
+ },
+ "version": {
+ "type": "string",
+ "mandatory": false
+ },
+ "platform": {
+ "type": "string",
+ "mandatory": false
+ },
+ "domain": {
+ "type": "string",
+ "mandatory": false
+ },
+ "admin_password": {
+ "type": "string",
+ "mandatory": true
+ },
+ "authentication_kind": {
+ "type": "string",
+ "mandatory": false,
+ "options": [
+ "internal",
+ "authelia"
+ ]
+ },
+ "authentication_data_authelia_url_base": {
+ "type": "string",
+ "mandatory": false
+ },
+ "authentication_data_authelia_web_client_id": {
+ "type": "string",
+ "mandatory": false
+ },
+ "authentication_data_authelia_web_client_secret": {
+ "type": "string",
+ "mandatory": false
+ },
+ "authentication_data_authelia_android_client_id": {
+ "type": "string",
+ "mandatory": false
+ },
+ "authentication_data_authelia_android_client_secret": {
+ "type": "string",
+ "mandatory": false
+ },
+ "authentication_data_authelia_ios_client_id": {
+ "type": "string",
+ "mandatory": false
+ },
+ "authentication_data_authelia_ios_client_secret": {
+ "type": "string",
+ "mandatory": false
+ },
+ "public_share_password_necessity": {
+ "type": "string",
+ "mandatory": false,
+ "options": [
+ "nothing",
+ "writable",
+ "all"
+ ]
+ },
+ "public_share_password_policy_active": {
+ "type": "boolean",
+ "mandatory": false
+ }
+}
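Review bot: `admin_password` is the only `mandatory: true` entry, yet `defaults/main.json` in this same change supplies `REPLACE_ME` for it, so whatever enforces this file (not visible in the diff) sees a defined value and the placeholder passes unless it rejects that literal explicitly. The `authelia_url_base` and `web_client_id` entries are `mandatory: false` even though `env.j2` interpolates both whenever `authentication_kind` is `authelia`; this schema as written has no field for a conditional requirement, so a `"description": "required when authentication_kind is authelia"` on those entries would at least document it. Nothing here marks the `admin_password` and `*_client_secret` entries as secrets, which a consumer could otherwise use to keep them out of logs.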