Default variables
Sections
Packages and installation
- owncloud__base_packages
List of base packages required by ownCloud.
owncloud__base_packages:
- '{{ ["owncloud-complete-files"]
if (owncloud__variant == "owncloud")
else [] }}'
- '{{ ["curl", "unzip"]
if (owncloud__variant == "nextcloud")
else [] }}'
# There are no Debian packages for Nextcloud yet unfortunately.
## https://doc.owncloud.org/server/10.3/admin_manual/installation/source_installation.html
## FIXME: Collaborative document editing in ownCloud is now done with Collabora Online.
## FIXME: Is it necessary to install all LibreOffice packages? https://github.com/owncloud/documents#known-issues
## Upstream documentation does not specify it more clearly. Installing ``libreoffice`` just to be sure.
- '{{ ["libreoffice"] if (owncloud__app_documents_libreoffice_enabled | bool) else [] }}'
## Useful for debugging. Refer to `owncloud__base_php_packages` for the PHP packages
- '{{ ["smbclient"] if (owncloud__smb_support | bool) else [] }}'
- '{{ ["libsmbclient"] if (owncloud__smb_support | bool and owncloud__release is version_compare("9.0", ">=")) else [] }}'
- owncloud__required_php_packages
List of PHP packages required by Nextcloud. Refer to the official Nextcloud documentation for details.
owncloud__required_php_packages:
# Included in base install:
# - 'ctype'
# - 'dom'
- 'iconv'
- 'gd'
- 'json'
- 'xml'
# Included in the `xml` Debian package:
# - 'SimpleXML'
# - 'XMLWriter'
# - 'posix'
# - 'zlib'
- 'bcmath'
- 'gmp'
- owncloud__recommended_php_packages
List of PHP packages recommended by Nextcloud. Refer to the official Nextcloud documentation for details.
owncloud__recommended_php_packages:
- 'curl'
- 'bz2'
- 'mcrypt'
# Recommended/Optional: SFTP storage
- 'gmp'
- owncloud__base_php_packages
List of base PHP packages required by ownCloud.
owncloud__base_php_packages:
- '{{ owncloud__required_php_packages
if (owncloud__variant == "nextcloud")
else [] }}'
- 'mbstring'
- 'zip'
- '{{ ["php-xml", "php-apcu", "php7.4-mysql", "php7.4-redis"] if (owncloud__variant != "nextcloud") else [] }}'
## Required for the "OpenOTP Two Factor Authentication" (twofactor_rcdevsopenotp) as of NC 14.
- 'ldap'
- 'soap'
- '{{ ["apcu"] if (owncloud__apcu_enabled | bool) else [] }}'
- '{{ ["mysql"] if (owncloud__database in ["mariadb", "mysql"]) else [] }}'
- '{{ ["pgsql"] if (owncloud__database in ["postgresql"]) else [] }}'
- '{{ ["redis"] if (owncloud__redis_enabled | bool) else [] }}'
## Seems to be required at least for PHP7.0 to fix:
## PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php/20151012/redis.so'
## - /usr/lib/php/20151012/redis.so: undefined symbol: igbinary_serialize in Unknown on line 0
- '{{ ["igbinary"]
if (not (ansible_distribution == "Ubuntu" and (ansible_distribution_version is version_compare("15.10", "<"))))
else [] }}'
- '{{ ["libsmbclient"] if (owncloud__smb_support | bool and owncloud__release is version_compare("8.9.9", "<=")) else [] }}'
## Included in normal PHP installations but require it here because it is
## used internally by the role:
- 'json'
- owncloud__optional_php_packages
List of recommended/optional PHP packages for ownCloud.
owncloud__optional_php_packages:
- '{{ owncloud__recommended_php_packages
if (owncloud__variant == "nextcloud")
else [] }}'
- 'intl'
- 'imagick'
- owncloud__packages
List of global packages for ownCloud. This variable is intended to be used in Ansible’s global inventory.
owncloud__packages: []
- owncloud__group_packages
List of group packages for ownCloud. This variable is intended to be used in a host inventory group of Ansible (only one host group is supported).
owncloud__group_packages: []
- owncloud__host_packages
List of host packages for ownCloud. This variable is intended to be used in the inventory of hosts.
owncloud__host_packages: []
- owncloud__dependent_packages
List of APT packages to install for other Ansible roles, for usage as a dependent role.
owncloud__dependent_packages: []
- owncloud__deploy_state
What is the desired state which this role should achieve? Possible options:
present
Default. Ensure that ownCloud is installed and configured as requested.
absent
Ensure that owncloud is uninstalled and it's configuration is removed. Not fully supported yet. FIXME: This would remove all packages that are installed by the role! Package lists need to be split.
owncloud__deploy_state: 'present'
Nextcloud user account
- owncloud__system_user
Name of the system account which will perform archive verification using the OpenPGP signature.
owncloud__system_user: 'nextcloud'
- owncloud__system_group
Name of the primary system group of the Nextcloud account.
owncloud__system_group: 'nextcloud'
- owncloud__system_home
Path to the home directory of the Nextcloud account.
owncloud__system_home: '{{ (ansible_local.fhs.home | d("/var/local"))
+ "/" + owncloud__system_user }}'
- owncloud__comment
The GECOS string set for the Nextcloud account.
owncloud__comment: 'Nextcloud Application Manager'
- owncloud__shell
The default shell of the Nextcloud account.
owncloud__shell: '/usr/sbin/nologin'
Base directory paths
- owncloud__src
Base path to the directory with application archives, their hash signatures and OpenPGP signatures.
owncloud__src: '{{ (ansible_local.fhs.src | d("/usr/local/src"))
+ "/" + owncloud__system_user }}'
Nextcloud installation
- owncloud__upstream_key_fingerprint
The OpenPGP key fingerprint for the key by which the Nextcloud release tarballs are signed.
owncloud__upstream_key_fingerprint: '2880 6A87 8AE4 23A2 8372 792E D758 99B9 A724 937A'
- owncloud__keyserver
URL of the OpenPGP keyserver used to obtain OpenPGP keys.
owncloud__keyserver: '{{ ansible_local.keyring.keyserver | d("hkp://keyserver.ubuntu.com") }}'
ownCloud upgrades
Warning
Auto upgrading is deprecated. If you want this, add support for https://github.com/nextcloud/docker to this Ansible role.
ownCloud source and deployment
- owncloud__variant
Which variant of the application should be used?
Supported variants:
owncloud
(legacy variant, not recommended for new deployments, not well tested)nextcloud
(Main supported variant in the future. Currently supported on Debian stretch, refer to issue 45 for details)
owncloud__variant: '{{ ansible_local.owncloud.variant | d("nextcloud") }}'
- owncloud__variant_download_url_map
URL map for owncloud__variant
.
Used to download the software.
owncloud__variant_download_url_map:
nextcloud: 'https://download.nextcloud.com/server/releases'
- owncloud__variant_url_map
Homepage URL map for owncloud__variant
.
Used when referring to the software.
owncloud__variant_url_map:
owncloud: 'https://owncloud.org/'
nextcloud: 'https://nextcloud.com/'
- owncloud__variant_name_map
Name map for owncloud__variant
.
Used when referring to the software.
owncloud__variant_name_map:
owncloud: 'ownCloud'
nextcloud: 'Nextcloud'
- owncloud__release
Defaults to the latest stable release supported and tested with this role. This may not always be the latest stable release.
Supported releases:
Nextcloud
24.0
Upcoming:
Nextcloud
25.0
(Implemented based on documentation changes but untested).
Unsupported:
ownCloud
10.4
(Not supported in the latest version of DebOps due to lack of maintainers. Use DebOps v2.2.x if you need it and consider becoming a maintainer.)
For Nextcloud refer to the Nextcloud Maintenance and Release Schedule. and the Nextcloud Server Changelog.
For ownCloud refer to the ownCloud Maintenance and Release Schedule and the package index for more details.
owncloud__release: '{{ "10"
if (owncloud__variant == "owncloud")
else "24.0" }}'
- owncloud__distribution
Name and version of OS distribution to use for ownCloud packages.
owncloud__distribution: '{{ owncloud__distribution_name + "_" +
owncloud__distribution_version }}'
- owncloud__distribution_name
Name of the OS distribution to use for ownCloud URLs.
owncloud__distribution_name: '{{ ansible_distribution }}'
- owncloud__distribution_version
Version number of the OS distribution for ownCloud URLs.
owncloud__distribution_version: '{{ ansible_distribution_major_version }}'
- owncloud__apt_repo_base
Base APT repository URL starting at the authority part.
owncloud__apt_repo_base: 'download.opensuse.org/repositories/isv:/ownCloud:/server:/{{ owncloud__release }}'
- owncloud__apt_repo_key_id
OpenPGP public key specified by fingerprint which is used to sign the APT repository.
owncloud__apt_repo_key_id: '1B07204CD71B690D409F57D24ABE1AC7557BEFF9'
- owncloud__old_apt_repo_keys
Old or unused OpenPGP public keys specified by fingerprint which where previously used to sign the APT repository. The keys listed here are ensured to be absent to reduce the risk if one of the keys gets compromised.
owncloud__old_apt_repo_keys:
- 'F9EA4996747310AE79474F44977C43A8BA684223'
- 'BCECA90325B072AB1245F739AB7C32C35180350A'
- owncloud__src_remote_dir
File path used to store application sources on the remote system. This is currently only used to copy the OpenPGP public key to the remote.
owncloud__src_remote_dir: '{{
(ansible_local.fhs.src | d("/usr/local/src"))
+ "/owncloud" }}'
- owncloud__apt_repo_source
APT sources.list
URL of the ownCloud .deb
repository.
owncloud__apt_repo_source: '{{ "deb https://" + owncloud__apt_repo_base + "/" +
owncloud__distribution + "/ /" }}'
- owncloud__app_user
User that will be used for the ownCloud instance.
owncloud__app_user: '{{ ansible_local.nginx.user | d("www-data") }}'
- owncloud__app_group
Group that will be used for the ownCloud instance.
owncloud__app_group: '{{ owncloud__app_user }}'
- owncloud__app_home
Directory under which ownCloud will be installed.
owncloud__app_home: '{{ "/var/www/owncloud"
if (owncloud__variant == "owncloud")
else ((ansible_local.nginx.www
if (ansible_local.nginx.www | d())
else "/srv/www") + "/" + owncloud__system_user) }}'
- owncloud__data_path
Path where ownCloud data directory and files are stored.
owncloud__data_path: '{{ owncloud__app_home }}/data'
- owncloud__temp_path
Directory which ownCloud will use as temp directory.
In case /tmp
has limited space (for example is a ramdisk) or is otherwise
restricted then it is a good idea to change the temp directory that ownCloud
uses to a path with more space available.
The default (empty string) is to let ownCloud figure out which temp directory
it should use which probably results in /tmp/owncloudtemp
unless
otherwise influenced by environment variables and such.
See also owncloud__php_temp_path
.
owncloud__temp_path: ''
- owncloud__deploy_path
Where the ownCloud instance will be deployed (web root).
owncloud__deploy_path: '{{ owncloud__app_home }}'
- owncloud__deploy_path_mode
Octal permissions for ownCloud web root.
owncloud__deploy_path_mode: '0750'
In memory caching
Refer to the official ownCloud documentation for details.
- owncloud__apcu_enabled
Whether APCu
should be used for local caching.
Refer to the official ownCloud documentation for details.
owncloud__apcu_enabled: True
- owncloud__redis_enabled
Use Redis for file locking as recommended for small and large installations.
The default is to auto detect if Redis is enabled on the remote server and in
that case automatically use it for file locking.
Note that ownCloud requires version 2.2.5+ of the redis
PHP package. This
requirement is not meet for Ubuntu trusty (neither in the release repos nor
in backports) thus Redis will not be enabled automatically by the role.
Refer to the official ownCloud documentation for details.
owncloud__redis_enabled: '{{ ansible_local.redis_server.installed | d() | bool and
(not (ansible_distribution == "Ubuntu" and ansible_distribution_release == "trusty")) }}'
- owncloud__redis_host
Redis server to use when owncloud__redis_enabled
is True
.
owncloud__redis_host: '{{ ansible_local.redis_server.host | d("localhost") }}'
- owncloud__redis_port
Network port on which the Redis server is listening on.
owncloud__redis_port: '{{ ansible_local.redis_server.port | d("6379") }}'
- owncloud__redis_password
Redis server authentication password.
owncloud__redis_password: '{{ ansible_local.redis_server.password | d(omit) }}'
Database configuration
- owncloud__database
ownCloud recommends MySQL or MariaDB as database management system.
Set to False
to use SQLite.
Refer to the official ownCloud documentation for details.
See the owncloud__database_map
for the databases support by this role.
owncloud__database: 'mariadb'
- owncloud__database_server
FQDN of the database server. It will be configured by the debops.mariadb or debops.postgresql role.
owncloud__database_server: '{{ ansible_local[owncloud__database].server }}'
- owncloud__database_port
Port database is listening on.
owncloud__database_port: '{{ ansible_local[owncloud__database].port }}'
- owncloud__database_user
Database user to use for ownCloud.
owncloud__database_user: '{{ owncloud__variant }}'
- owncloud__database_name
Name of the database to use for ownCloud.
owncloud__database_name: '{{ owncloud__variant }}'
- owncloud__database_password_path
Path to database password file.
owncloud__database_password_path: '{{ secret + "/" + owncloud__database + "/"
+ ansible_local[owncloud__database].delegate_to
+ (("/" + ansible_local[owncloud__database].port)
if (owncloud__database == "postgresql")
else "")
+ "/credentials/" + owncloud__database_user + "/password" }}'
- owncloud__database_password
Database password for ownCloud.
owncloud__database_password: '{{ lookup("password", owncloud__database_password_path + " length=48") }}'
- owncloud__database_map
owncloud__database_map:
# MySQL/MariaDB database.
mariadb:
dbtype: 'mysql'
dbname: '{{ owncloud__database_name | d(owncloud__app_user) }}'
dbuser: '{{ owncloud__database_user | d(owncloud__app_user) }}'
dbpass: '{{ owncloud__database_password }}'
dbhost: '{{ owncloud__database_server | d("localhost") }}'
dbtableprefix: ''
# PostgreSQL database on localhost, connection through Unix socket, no default password.
postgresql:
dbtype: 'pgsql'
dbname: '{{ owncloud__database_name | d(owncloud__app_user) }}'
dbuser: '{{ owncloud__database_user | d(owncloud__app_user) }}'
dbpass: '{{ owncloud__database_password }}'
dbhost: '{{ owncloud__database_server | d("/var/run/postgresql") }}'
dbtableprefix: ''
sqlite:
dbtype: 'sqlite'
ownCloud admin login/password
- owncloud__admin_username
Default admin username, in the form 'admin-$USER'.
Set to False
to disable automatic username and password.
owncloud__admin_username: 'admin-{{ lookup("env", "USER") }}'
- owncloud__admin_password_path
Path to database password file.
owncloud__admin_password_path: '{{ secret + "/credentials/" + inventory_hostname +
"/owncloud/admin/" + owncloud__admin_username +
"/password" }}'
- owncloud__password_length
Length of randomly generated admin password.
owncloud__password_length: 20
- owncloud__admin_password
Default admin password. A random password will be generate by default as documented by the debops.secret role.
owncloud__admin_password: '{{ lookup("password", owncloud__admin_password_path
+ " length=" + (owncloud__password_length | string)) }}'
- owncloud__autosetup
Should Ansible automatically finish the ownCloud setup on it's own? If this feature is disabled, some of the installation tasks will have to be performed manually by the ownCloud/Nextcloud administrator.
owncloud__autosetup: True
- owncloud__autosetup_url
URL which will be called to finish autosetup of ownCloud 8.0. For newer ownCloud versions occ will be used which is more reliable because it does not depend on the webserver nor network.
owncloud__autosetup_url: 'http://{{ owncloud__fqdn if owncloud__fqdn is string else owncloud__fqdn[0] }}/index.php'
ownCloud configuration
- owncloud__fqdn
The Fully Qualified Domain Name to use for the ownCloud instance.
owncloud__fqdn: 'cloud.{{ owncloud__domain }}'
- owncloud__domain
Domain that will be configured for the ownCloud instance.
owncloud__domain: '{{ ansible_domain }}'
- owncloud__upload_size
Max upload size set in nginx and PHP, with amount as M or G. Before you change this be sure to understand Uploading big files > 512MB of the official ownCloud documentation.
owncloud__upload_size: '2G'
- owncloud__cron_minute
At what time cron should execute background jobs Refer to the official ownCloud documentation for details.
owncloud__cron_minute: '*/15'
- owncloud__timeout
Timeouts in seconds for application requests.
Refer to the official ownCloud documentation for details.
owncloud__timeout: 3600
- owncloud__app_user_webfinger_support
Should the Webfinger
application be supported?
Set this to True
if you are planning to use this app.
owncloud__app_user_webfinger_support: False
ownCloud config.php configuration
The dicts of this section ends up in owncloud/config/debops.config.php
and override the values
from owncloud/config/config.php
.
TODO: Note that as of ownCloud 9.0, you can not unset a setting which was
once set in debops.config.php
because ownCloud might copies it to
config.php
. Possible fix: occ config:system:set
For more information refer to owncloud__config.
- owncloud__role_config
See ownCloud config.php configuration. This variable is used internally, controlled by other variables of this role.
owncloud__role_config:
trusted_domains: '{{ [owncloud__fqdn] if owncloud__fqdn is string else owncloud__fqdn }}'
## https://github.com/owncloud/core/issues/22257
## TODO: Temporary workaround until all package maintainers have caught up.
## Edit: Have caught up as of 9.0.2-1.1. Remove this config in a while when
## it is expected that all users are running 9.0.2 or later.
'updatechecker': '{{ True if (owncloud__variant in ["nextcloud"]) else False }}'
'memcache.local':
state: '{{ "present" if (owncloud__apcu_enabled | bool or owncloud__redis_enabled | bool) else "absent" }}'
value: '{{ "\\OC\\Memcache\\Redis" if (owncloud__redis_enabled | bool) else "\\OC\\Memcache\\APCu" }}'
'memcache.locking':
state: '{{ "present" if (owncloud__redis_enabled | bool) else "absent" }}'
value: '\\OC\\Memcache\\Redis'
'redis':
state: '{{ "present" if (owncloud__redis_enabled | bool) else "absent" }}'
value:
host: '{{ owncloud__redis_host }}'
port: '{{ owncloud__redis_port | int }}'
password: '{{ owncloud__redis_password }}'
'tempdirectory':
state: '{{ "present" if (owncloud__temp_path | d()) else "absent" }}'
value: '{{ owncloud__temp_path }}'
- owncloud__release_channel
The channel for tracking Nextcloud upstream releases. Refer to the official Nextcloud documentation for details.
owncloud__release_channel: '{{ "stable"
if (owncloud__variant == "nextcloud" and
owncloud__release is version("17.0", ">="))
else "production" }}'
- owncloud__role_recommended_config
See ownCloud config.php configuration. This variable is a set of optional settings for ownCloud recommended by the maintainers of this role. Set:
1owncloud__role_recommended_config: {}
in your inventory when you want to disable it.
owncloud__role_recommended_config:
## The default timezone for logfiles is UTC.
logtimezone: '{{ ansible_local.tzdata.timezone | d("Etc/UTC") }}'
## Loglevel to start logging at. Valid values are: 0 = Debug, 1 = Info,
## 2 = Warning, 3 = Error, and 4 = Fatal. The default value is Warning.
loglevel: 2
## ISO 8601 datetime: 2004-02-12T15:19:21+00:00
logdateformat: 'Y-m-d H:i:s.u'
## Release channel
'updater.release.channel': '{{ owncloud__release_channel }}'
- owncloud__config
See ownCloud config.php configuration. This variable is intended to be used in Ansible’s global inventory. More specific variables can overrule less specific variables.
owncloud__config: {}
- owncloud__group_config
See ownCloud config.php configuration. This variable is intended to be used in a host inventory group of Ansible (only one host group is supported).
owncloud__group_config: {}
- owncloud__host_config
See ownCloud config.php configuration. This variable is intended to be used in the inventory of hosts.
owncloud__host_config: {}
- owncloud__combined_config
See ownCloud config.php configuration. Variable which combines all of the other Owncloud configuration and is used in the configuration template.
owncloud__combined_config: '{{ owncloud__role_config
| combine(owncloud__role_recommended_config,
owncloud__config,
owncloud__group_config,
owncloud__host_config) }}'
ownCloud applications configuration
Dictionary of ownCloud application settings. Check the output of occ config:list to see how the settings are called. You might need to change a particular setting via the web interface in order for it to appear in the output.
Note that occ can also change ownCloud system settings but this should be done via ownCloud config.php configuration.
Examples:
1owncloud__apps_config:
2
3 ## Set the default quota for all users which don’t have more explicit
4 ## quota settings to 100 MB.
5 files:
6 default_quota: '100 MB'
7
8 ## Disable Federated Cloud Sharing:
9 ## * Allow users on this server to send shares to other servers
10 ## * Allow users on this server to receive shares from other servers
11 core:
12 incoming_server2server_share_enabled: 'no'
13 outgoing_server2server_share_enabled: 'no'
14 files_sharing:
15 incoming_server2server_share_enabled: 'no'
16 outgoing_server2server_share_enabled: 'no'
17
18 ## Disable Federation:
19 ## * Add server automatically once a federated share was created successfully
20 federation:
21 autoAddServers: '0'
Refer to the official ownCloud documentation for details.
- owncloud__optional_apps_config
See ownCloud applications configuration. Role dictionary of ownCloud application settings. This variable is a set of optional settings for ownCloud recommended by the maintainers of this role.
owncloud__role_apps_config:
documents:
enabled: '{{ "yes" if (owncloud__app_documents_enabled | bool) else "no" }}'
converter: 'local'
password_policy:
## Default is 6 as of Nextcloud 11 which is not state of the art.
## Default is 8 as of Nextcloud 12+.
## https://github.com/nextcloud/password_policy/blob/master/lib/PasswordPolicyConfig.php
minLength: 8
- owncloud__apps_config
See ownCloud applications configuration. Global dictionary of ownCloud application settings. This variable is intended to be used in Ansible’s global inventory. More specific variables can overrule less specific variables.
owncloud__apps_config: {}
- owncloud__group_apps_config
See ownCloud applications configuration. Group dictionary of ownCloud application settings. This variable is intended to be used in a host inventory group of Ansible (only one host group is supported).
owncloud__group_apps_config: {}
- owncloud__host_apps_config
See ownCloud applications configuration. Host dictionary of ownCloud application settings. This variable is intended to be used in the inventory of hosts.
owncloud__host_apps_config: {}
- owncloud__dependent_apps_config
See ownCloud applications configuration. This variable is intended to be used from other Ansible roles, for usage as a dependent role.
owncloud__dependent_apps_config: {}
- owncloud__apps_config_combined
See ownCloud applications configuration. Variable which combines all of the apps variables and is used in the configuration template.
owncloud__apps_config_combined: '{{ owncloud__dependent_apps_config
| combine(owncloud__role_apps_config,
owncloud__apps_config,
owncloud__group_apps_config,
owncloud__host_apps_config) }}'
- owncloud__app_documents_enabled
Whether the ownCloud documents application should be enabled. Not enabled by default because, as of ownCloud 9.0, the application is not shipped by default. Note that this will install LibreOffice plus dependencies on the server.
owncloud__app_documents_enabled: False
- owncloud__app_documents_libreoffice_enabled
Should LibreOffice be installed on the server so that the documents app can work with proprietary document formats such as Microsoft Office?
owncloud__app_documents_libreoffice_enabled: False
External storage
Refer to the External storage section for more details.
- owncloud__smb_support
Should SMB/CIFS be support by installing the required system packages and enabling the required ownCloud application?
owncloud__smb_support: False
ownCloud raw occ commands
List of occ commands to run. It can be used to enable apps, add users and more which can be useful when deploying ownCloud.
Examples:
1owncloud__occ_cmd_list:
2
3 - command: 'app:enable external'
4
5 - command: 'app:install calendar'
6 when: '{{ owncloud__variant in ["nextcloud"] and owncloud__release is version_compare("13.0", ">=") }}'
7 - command: 'app:enable calendar'
8
9 ## Create an additional admin account.
10 - command: 'user:add --password-from-env --display-name="Administrator" --group="admin" admin'
11 env:
12 OC_PASS: "{{ lookup('password', secret + '/credentials/' +
13 inventory_hostname + '/owncloud/admin/' + 'admin' +
14 '/password length=' + owncloud__password_length) }}"
15
16 ## Create an regular user. Note that you probably want to use an existing
17 ## user database like LDAP.
18 - command: 'user:add --password-from-env --display-name="Normal user" user'
19 when: '{{ owncloud__release is version_compare("8.1", ">=") }}'
20 env:
21 OC_PASS: "{{ lookup('password', secret + '/credentials/' +
22 inventory_hostname + '/owncloud/users/' + 'user' +
23 '/password length=' + owncloud__password_length) }}"
Refer to the official ownCloud documentation for details.
- owncloud__role_occ_cmd_list
Default list of occ commands to run. Command present of role to automate certain tasks. See ownCloud raw occ commands.
owncloud__role_occ_cmd_list:
## Disable the updater because it does not work anyway with the way ownCloud
## is setup by this role using packages.
## Since ownCloud 9 it is called `updatenotification`.
- command: 'app:disable updater'
when: '{{ owncloud__release is version_compare("8.2", "<=") }}' # noqa jinja[spacing]
- command: 'app:enable user_ldap'
when: '{{ owncloud__ldap_enabled | bool }}' # noqa jinja[spacing]
- command: 'app:enable files_external'
when: '{{ owncloud__smb_support | bool }}' # noqa jinja[spacing]
- owncloud__occ_cmd_list
See ownCloud raw occ commands. This variable is intended to be used in Ansible’s global inventory.
owncloud__occ_cmd_list: []
- owncloud__group_occ_cmd_list
See ownCloud raw occ commands. This variable is intended to be used in a host inventory group of Ansible (only one host group is supported).
owncloud__group_occ_cmd_list: []
- owncloud__host_occ_cmd_list
See ownCloud raw occ commands. This variable is intended to be used in the inventory of hosts.
owncloud__host_occ_cmd_list: []
- owncloud__dependent_occ_cmd_list
See ownCloud raw occ commands. This variable is intended to be used from other Ansible roles, for usage as a dependent role.
owncloud__dependent_occ_cmd_list: []
- owncloud__occ_bin_file_path
Where the occ wrapper script should be installed.
owncloud__occ_bin_file_path: '{{ (ansible_local.fhs.bin | d("/usr/local/bin"))
+ "/occ" }}'
ownCloud user files
These lists allow you to manage files for ownCloud users, either by copying files from the Ansible Controller or providing the contents directly in Ansible inventory. You can use all parameters supported by the Ansible ansible.builtin.copy module.
See owncloud__user_files for more details.
- owncloud__user_files
Manage ownCloud user files on all hosts in Ansible’s inventory.
owncloud__user_files: []
- owncloud__user_files_group
Manage ownCloud user files on hosts in a specific Ansible inventory group.
owncloud__user_files_group: []
- owncloud__user_files_host
Manage ownCloud user files on specific hosts in Ansible’s inventory.
owncloud__user_files_host: []
LDAP authentication
Refer to the official ownCloud documentation and to the External users section for more details.
- owncloud__ldap_enabled
Enable LDAP support. ownCloud support multiple LDAP servers but this role
configures only default one. If you need something more complex you can
use owncloud__occ_cmd_list
.
owncloud__ldap_enabled: '{{ True
if (ansible_local | d() and ansible_local.ldap | d() and
(ansible_local.ldap.enabled | d()) | bool)
else False }}'
- owncloud_ldap_update_settings
Ensure that the settings listed in owncloud__ldap_combined_config
are up-to-date on the remote system.
Set to False
to only configure LDAP settings in ownCloud when ownCloud
currently has no LDAP configuration.
owncloud_ldap_update_settings: True
- owncloud__ldap_base_dn
The base Distinguished Name which should be used to create Distinguished Names of the LDAP directory objects, defined as a YAML list. If this variable is empty, automated Nextcloud LDAP configuration will not be performed.
owncloud__ldap_base_dn: '{{ ansible_local.ldap.base_dn | d([]) }}'
- owncloud__ldap_base_groups_dn
The base Distinguished Name where Nextcloud will look for groups.
owncloud__ldap_base_groups_dn: '{{ owncloud__ldap_base_dn | join(",") }}'
- owncloud__ldap_base_users_dn
The base Distinguished Name where Nextcloud will look for users.
owncloud__ldap_base_users_dn: '{{ owncloud__ldap_base_dn | join(",") }}'
- owncloud__ldap_device_dn
The Distinguished Name of the current host LDAP object, defined as a YAML list. It will be used as a base for the Nextcloud service account LDAP object. If the list is empty, the role will not create the account LDAP object automatically.
owncloud__ldap_device_dn: '{{ ansible_local.ldap.device_dn | d([]) }}'
- owncloud__ldap_self_rdn
The Relative Distinguished Name of the account LDAP object used by the Nextcloud service to access the LDAP directory.
owncloud__ldap_self_rdn: 'uid=nextcloud'
- owncloud__ldap_self_object_classes
List of the LDAP object classes which will be used to create the LDAP object used by the Nextcloud service to access the LDAP directory.
owncloud__ldap_self_object_classes: [ 'account', 'simpleSecurityObject' ]
- owncloud__ldap_self_attributes
YAML dictionary that defines the attributes of the LDAP object used by the Nextcloud service to access the LDAP directory.
owncloud__ldap_self_attributes:
uid: '{{ owncloud__ldap_self_rdn.split("=")[1] }}'
userPassword: '{{ owncloud__ldap_bindpw }}'
host: '{{ [ansible_fqdn, ansible_hostname] | unique }}'
description: 'Account used by the "Nextcloud" service to access the LDAP directory'
- owncloud__ldap_binddn
The Distinguished Name of the account LDAP object used by the Nextcloud service to bind to the LDAP directory.
owncloud__ldap_binddn: '{{ ([owncloud__ldap_self_rdn] + owncloud__ldap_device_dn) | join(",") }}'
- owncloud__ldap_bindpw
The password stored in the account LDAP object used by the Nextcloud service to bind to the LDAP directory.
owncloud__ldap_bindpw: '{{ (lookup("password", secret + "/ldap/credentials/"
+ owncloud__ldap_binddn | to_uuid + ".password length=32 "
+ "chars=ascii_letters,digits,!@_#$%^&*"))
if owncloud__ldap_enabled | bool
else "" }}'
- owncloud__ldap_uri
List of LDAP URIs that point to the directory servers which should be used by Nextcloud.
owncloud__ldap_uri: '{{ ansible_local.ldap.uri | d([]) }}'
- owncloud__ldap_primary_server
The primary LDAP server URI to use.
owncloud__ldap_primary_server: '{{ owncloud__ldap_uri | first }}'
- owncloud__ldap_method
The LDAP connection method to use, either tls
(recommended), ssl
or
plain
(discouraged).
owncloud__ldap_method: 'tls'
- owncloud__ldap_port
The TCP port to use for LDAP connections.
owncloud__ldap_port: '{{ 636 if (owncloud__ldap_method in ["ssl"]) else 389 }}'
- owncloud__ldap_user_display_name
The attribute that should be used as display name in ownCloud. Refer to the official ownCloud documentation for details.
owncloud__ldap_user_display_name: 'cn'
- owncloud__ldap_user_filter
Use this to control which LDAP users are listed as ownCloud users on your ownCloud server. Refer to the official ownCloud documentation for details.
owncloud__ldap_user_filter: '(|
(objectclass=inetOrgPerson)
)'
- owncloud__ldap_user_filter_objectclass
Refer to the official ownCloud documentation for details.
owncloud__ldap_user_filter_objectclass: 'inetOrgPerson'
- owncloud__ldap_group_filter
Refer to the official ownCloud documentation for details.
owncloud__ldap_group_filter: '(&
(objectClass=groupOfNames)
(nextcloudEnabled=true)
)'
- owncloud__ldap_group_filter_groups
Refer to the official ownCloud documentation for details.
owncloud__ldap_group_filter_groups: ''
- owncloud__ldap_group_filter_objectclass
Refer to the official ownCloud documentation for details.
owncloud__ldap_group_filter_objectclass: 'posixGroup'
- owncloud__ldap_login_filter
The settings in the Login Filter tab determine which LDAP users can log in to
your ownCloud system. With the default filter, users can log in using their
usernames from the uid
attribute, as well as their e-mail addresses
defined using the mail
attribute. In either case, users need to have
access to the Nextcloud service defined by the authorizedService
attribute.
The entryUUID
attribute search is required to perform password modify
extended operations.
owncloud__ldap_login_filter: '(&
(objectclass=inetOrgPerson)
(|
(uid=%uid)
(|
(mail=%uid)
(entryUUID=%uid)
)
)
(|
(authorizedService=all)
(authorizedService=nextcloud)
(authorizedService=owncloud)
(authorizedService=web:public)
)
)'
- owncloud__ldap_login_filter_attributes
Refer to the official ownCloud documentation for details.
owncloud__ldap_login_filter_attributes: ''
- owncloud__ldap_group_assoc_attribute
Attribute which ownCloud uses to match members of the group.
Possible values:
memberUid
Useful for OpenLDAP with PosixGroups. Attribute contains only UID of the user.
uniqueMember
Attribute contains full DN of the user.
member
FIXME Attribute contains full DN of the user.
owncloud__ldap_group_assoc_attribute: 'member'
- owncloud__home_folder_naming_rule
By default, the ownCloud server creates the user directory in your ownCloud data directory and gives it the ownCloud username, .e.g /var/www/owncloud/data/alice
. You may want to override this setting and name it after an LDAP attribute value. The attribute can also return an absolute path, e. g. /mnt/storage43/alice
. Leave it empty for default behavior.
Refer to the official ownCloud documentation for details.
owncloud__home_folder_naming_rule: 'attr:uid'
Advanced settings
- owncloud__ldap_cache_ttl
A cache is introduced to avoid unnecessary LDAP traffic, for example caching usernames so they don’t have to be looked up for every page, and speeding up loading of the Users page. Saving the configuration empties the cache. The time is given in seconds.
Note that almost every PHP request requires a new connection to the LDAP server. If you require fresh PHP requests we recommend defining a minimum lifetime of 15s or so, rather than completely eliminating the cache.
Refer to the official ownCloud documentation for details.
owncloud__ldap_cache_ttl: '600'
Expert settings
- owncloud__ldap_expert_username_attr
The internal username is the identifier in ownCloud for LDAP users. By
default it will be created from the UUID attribute. The UUID attribute
ensures that the username is unique, and that characters do not need to be
converted. Only these characters are allowed: [a-zA-Z0-9_.@-]
.
Other characters are replaced with their ASCII equivalents, or are simply
omitted.
The LDAP backend ensures that there are no duplicate internal usernames in
ownCloud, i.e. that it is checking all other activated user backends
(including local ownCloud users). On collisions a random number (between 1000
and 9999) will be attached to the retrieved value. For example, if alice
exists, the next username may be alice_1337
.
The internal username is the default name for the user home folder in ownCloud. It is also a part of remote URLs, for instance for all DAV services.
You can override all of this with the Internal Username setting. Leave it empty for default behaviour. Changes will affect only newly mapped LDAP users.
For a Microsoft Windows environment, putting this:
1owncloud__ldap_expert_username_attr: 'sAMAccountName'
in your inventory might come in handy to use the user names from AD as user names in ownCloud.
owncloud__ldap_expert_username_attr: ''
- owncloud__ldap_config_id
The configuration database configID to use for the LDAP configuration managed by the role.
owncloud__ldap_config_id: '{{ ansible_local.owncloud.ldap_config_id
if (ansible_local.owncloud.ldap_config_id | d())
else (owncloud__register_ldap_config_id.stdout
if (owncloud__register_ldap_config_id | d() and
owncloud__register_ldap_config_id.stdout | d())
else "") }}'
- owncloud__ldap_quota_attribute
Set the LDAP attribute value to be read by Owncloud/Nextcloud in order to get the user quota. Any quota set in LDAP overrides quotas set on the Nextcloud user management page. Refer to the official ownCloud documentation for details.
owncloud__ldap_quota_attribute: 'nextcloudQuota'
- owncloud__ldap_quota_default
User default LDAP quota. Use human-readable values, e.g. "2 GB". Refer to the official ownCloud documentation for details.
owncloud__ldap_quota_default: '10 GB'
- owncloud__ldap_default_config
The LDAP configuration options defined by default. See owncloud__ldap_config for more details.
owncloud__ldap_default_config:
- name: 'ldapHost'
value: '{{ owncloud__ldap_primary_server }}'
- name: 'ldapPort'
value: '{{ owncloud__ldap_port }}'
- name: 'ldapAgentName'
value: '{{ owncloud__ldap_binddn }}'
- name: 'ldapAgentPassword'
value: '{{ owncloud__ldap_bindpw }}'
- name: 'ldapBase'
value: '{{ owncloud__ldap_base_dn | join(",") }}'
- name: 'ldapBaseGroups'
value: '{{ owncloud__ldap_base_groups_dn }}'
- name: 'ldapBaseUsers'
value: '{{ owncloud__ldap_base_users_dn }}'
- name: 'ldapEmailAttribute'
value: 'mail'
- name: 'ldapExpertUsernameAttr'
value: '{{ owncloud__ldap_expert_username_attr }}'
- name: 'ldapConfigurationActive'
value: '1'
- name: 'ldapUserDisplayName'
value: '{{ owncloud__ldap_user_display_name }}'
- name: 'ldapUserFilter'
value: '{{ owncloud__ldap_user_filter }}'
- name: 'ldapUserFilterObjectclass'
value: '{{ owncloud__ldap_user_filter_objectclass }}'
- name: 'ldapLoginFilter'
value: '{{ owncloud__ldap_login_filter }}'
- name: 'ldapLoginFilterAttributes'
value: '{{ owncloud__ldap_login_filter_attributes }}'
- name: 'ldapGroupFilter'
value: '{{ owncloud__ldap_group_filter }}'
- name: 'ldapGroupFilterGroups'
value: '{{ owncloud__ldap_group_filter_groups }}'
- name: 'ldapGroupFilterObjectclass'
value: '{{ owncloud__ldap_group_filter_objectclass }}'
- name: 'ldapGroupMemberAssocAttr'
value: '{{ owncloud__ldap_group_assoc_attribute }}'
- name: 'homeFolderNamingRule'
value: '{{ owncloud__home_folder_naming_rule }}'
- name: 'ldapCacheTTL'
value: '{{ owncloud__ldap_cache_ttl }}'
- name: 'ldapTLS'
value: '{{ "1" if (owncloud__ldap_method == "tls") else "0" }}'
- name: 'ldapQuotaAttribute'
value: '{{ owncloud__ldap_quota_attribute }}'
- name: 'ldapQuotaDefault'
value: '{{ owncloud__ldap_quota_default }}'
- name: 'hasMemberOfFilterSupport'
value: '1'
- name: 'turnOnPasswordChange'
value: '1'
- name: 'ldapDefaultPPolicyDN'
value: '{{ (["cn=Default Password Policy", "ou=Password Policies"]
+ owncloud__ldap_base_dn) | join(",") }}'
- owncloud__ldap_config
List of custom LDAP configuration options defined for all hosts in the Ansible inventory. See owncloud__ldap_config for more details.
owncloud__ldap_config: []
- owncloud__group_ldap_config
List of custom LDAP configuration options defined on hosts in a specific Ansible inventory group.
owncloud__group_ldap_config: []
- owncloud__host_ldap_config
List of custom LDAP configuration options defined on specific hosts in the Ansible inventory.
owncloud__host_ldap_config: []
- owncloud__ldap_combined_config
The variable that combines default and user LDAP configuration and is used in the role tasks and templates.
owncloud__ldap_combined_config: '{{ owncloud__ldap_default_config
+ owncloud__ldap_config
+ owncloud__group_ldap_config
+ owncloud__host_ldap_config }}'
ownCloud Mail configuration
Refer to the official ownCloud documentation about config.php and the official ownCloud documentation about email configuration for details.
- owncloud__mail_domain
owncloud__mail_domain: '{{ owncloud__fqdn if owncloud__fqdn is string else owncloud__fqdn[0] }}'
- owncloud__mail_from_address
From address that overrides the built-in sharing-noreply
and
lostpassword-noreply
from addresses.
owncloud__mail_from_address: 'noreply'
- owncloud__mail_smtpmode
Which mode to use for sending mail. Choices are:
sendmail
smtp
qmail
php
owncloud__mail_smtpmode: 'sendmail'
- owncloud__mail_smtphost
Specify the IP address of your mail server host.
This may contain multiple hosts separated by a semi-colon. If you need to
specify the port number append it to the IP address separated by a colon,
like this: 127.0.0.1:24
.
This depends on owncloud__mail_smtpmode
.
owncloud__mail_smtphost: 'smtp.{{ owncloud__domain }}'
- owncloud__mail_smtpport
Port for sending mail. Can also be specified via owncloud__mail_smtphost
.
This depends on owncloud__mail_smtpmode
.
owncloud__mail_smtpport: '25'
- owncloud__mail_conf_map
This configuration ends up in mail.config.php
and override the
values from config.php
.
Set to:
1owncloud__mail_conf_map: {}
if you want to be able to configure/change this via the admin web interface.
owncloud__mail_conf_map:
mail_domain: '{{ owncloud__mail_domain }}'
mail_from_address: '{{ owncloud__mail_from_address }}'
mail_smtpmode: '{{ owncloud__mail_smtpmode }}'
mail_smtphost: '{{ owncloud__mail_smtphost }}'
mail_smtpport: '{{ owncloud__mail_smtpport }}'
Theming ownCloud
Refer to the official ownCloud documentation for details. See also ownCloud Trademark Guidelines.
- owncloud__theme_active
Name of the theme to activate. Generation of a custom theme can be influenced by the following options.
In case you already have a theme you want to use, you can alternatively
provide the theme under /var/www/owncloud/themes/$your_theme_name
(for example using debops.resources) and set this variable to
$your_theme_name
. Note that the role maintainers recommend to let the
role assemble your theme. See the following options.
owncloud__theme_active: '{{ "debops"
if (owncloud__variant in ["owncloud"])
else "" }}'
- owncloud__theme_directory_name
Directory name where the custom theme generated by this role will be stored under.
This variable has the same format as the owncloud__theme_active
option.
If you don’t want this role to generate a theme for you, you can set this to
an empty string to disable this feature.
The generated theme name defaults to debops
to allow enabling it via
owncloud__theme_active
.
owncloud__theme_directory_name: '{{ "debops"
if (owncloud__variant in ["owncloud"])
else "" }}'
- owncloud__theme_title
Title of your ownCloud. This variable is included in the HTML title tag on all pages.
owncloud__theme_title: 'DebOps Cloud'
- owncloud__theme_name
Name of your ownCloud or software. This is shown when sharing a file/dir as link for example.
owncloud__theme_name: 'DebOps Cloud'
- owncloud__theme_name_html
Name of your ownCloud. HTML code can be used in this variable to create hyperlinks for example.
owncloud__theme_name_html: '{{ owncloud__theme_name }}'
- owncloud__theme_entity_name
Entity string for your ownCloud. For example the name of your company. This string is used in the footer and the copyright.
owncloud__theme_entity_name: 'DebOps'
- owncloud__theme_base_url
Base URL to get more information about your ownCloud. By default,
owncloud__theme_entity_name
links to this URL on the login page.
Use an empty string to use the default URL pointing to the ownCloud website.
owncloud__theme_base_url: 'https://github.com/debops/ansible-owncloud'
- owncloud__theme_slogan
Slogan of your ownCloud. This is shown by default on the bottom of the login page.
It should not contain </br>
(newline) because at least ownCloud as of
version 9.0
can’t automatically adjust to that.
Use an empty string to use the default slogan provided by ownCloud.
See the ownCloud Trademark Guidelines section on 'Apps, Product and Service Names, and Compatibility References' for more suggestions.
owncloud__theme_slogan: 'Powered by <a href="{{ owncloud__variant_url_map[owncloud__variant] }}">{{ owncloud__variant_name_map[owncloud__variant] }}</a>'
Short version of the footer. The value can contain arbitrary PHP and HTML code. You will need to take care of quotes yourself.
owncloud__theme_footer_short: |
'Setup by <a href="' . $this->getBaseUrl() . '" target="_blank\">' . $this->getEntity() . '</a><br/>' .
'{{ owncloud__theme_slogan }}'
Long version of the footer. See owncloud__theme_footer_short
for details.
TODO: What exactly is the difference?
owncloud__theme_footer_long: '{{ owncloud__theme_footer_short }}'
- owncloud__theme_doc_link_to_key
Return statement the buildDocLinkToKey
function which allows you to alter
the URL used when referring to the documentation.
The value can contain arbitrary PHP and HTML code.
You will need to take care of quotes yourself.
The reason for not going with the ownCloud default is that it seems to point
to 8.0
even for the 9.0.2
release. Seems to be a bug.
owncloud__theme_doc_link_to_key: '$this->getDocBaseUrl() . ''/server/{{ owncloud__release }}/go.php?to='' . $key'
- owncloud__theme_copy_files
Global dictionary of additional files to place in the theme.
This variable is intended to be used in Ansible’s global inventory.
More specific variables can overrule less specific variables.
The key is the target file path in the ownCloud theme directory.
The state
value allows to make files absent.
All other options correspond to the options of the
Ansible ansible.builtin.copy module.
To change the logo on the login page you can use:
1owncloud__theme_copy_files:
2
3 'core/img/logo.svg':
4 ## Prefer SVG: https://github.com/owncloud/core/issues/5676#issuecomment-27649493
5 src: '/src/path/on/your/ansible/controller/logo.svg'
6
7 'core/css/styles.css':
8 content: |
9 /* Use logo from theme. */
10 #header .logo {
11 background-image: url('../img/logo.svg');
12 width: 250px;
13 height: 121px;
14 }
in your inventory.
owncloud__theme_copy_files: {}
- owncloud__theme_copy_files_host_group
Host group dictionary of additional files to place in the theme.
This variable is intended to be used in a host inventory group of Ansible
(only one host group is supported).
Refer to owncloud__theme_copy_files
for more details.
owncloud__theme_copy_files_host_group: {}
- owncloud__theme_copy_files_host
Host dictionary of additional files to place in the theme.
This variable is intended to be used in the inventory of hosts.
Refer to owncloud__theme_copy_files
for more details.
owncloud__theme_copy_files_host: {}
- owncloud__theme_conf_map
This configuration ends up in theme.config.php
and override the
values from config.php
.
Refer to the official ownCloud documentation for details.
owncloud__theme_conf_map:
theme: '{{ owncloud__theme_active }}'
Webserver
- owncloud__http_psk_subpath_enabled
Whether the application should be deployed on a random subpath that acts as a protection of the web app/API from people not knowing this PSK. For a discussion in which scenarios this can make sense, refer to RFC: Support subpath/subdir hosting for additional security.
Warning
This breaks the /.well-known
URIs intentionally.
Hint for migration: Nextcloud is able to auto detect the webroot that it is
being accessed. This means that it can be accessed by subpath and without, with
the same Nginx config. This allows soft migration of all users to the subpath
and then disabling /
when all are migrated.
The role does not support generating such a Webserver config but it is easy
to run the role without and with subpath enabled and than merging the
rendered Nginx site configuration.
owncloud__http_psk_subpath_enabled: False
- owncloud__http_psk_subpath
PSK used as subpath that acts as the first layer of defense in a security in depth concept if enabled.
owncloud__http_psk_subpath: '{{ lookup("password", secret + "/credentials/" +
inventory_hostname + "/owncloud/config/subpath chars=ascii_letters,digits length=10")
if owncloud__http_psk_subpath_enabled | bool
else "" }}'
- owncloud__http_psk_subpath_begin_slash
slash at the begin plus Subpath. Used to simplify the webserver config below.
owncloud__http_psk_subpath_begin_slash: '{{ ("/" + owncloud__http_psk_subpath)
if owncloud__http_psk_subpath_enabled | bool
else "" }}'
- owncloud__http_psk_subpath_end_slash
Subpath plus a slash at the end. Used to simplify the webserver config below.
owncloud__http_psk_subpath_end_slash: '{{ (owncloud__http_psk_subpath + "/")
if owncloud__http_psk_subpath_enabled | bool
else "" }}'
- owncloud__webserver
Variable containing the webserver which should be used. Refer to Getting started for how to switch webservers.
owncloud__webserver: '{{ ansible_local.owncloud.webserver
| d("apache"
if (ansible_local.apache.enabled | d() | bool)
else ("nginx"
if (ansible_local.nginx.enabled | d() | bool)
else "no-webserver-detected")) }}'
- owncloud__apache_modules
Variable containing the used webserver which can be used.
Refer to Getting started for how to switch webservers.
TODO: Enable on Debian package scripts to ensure that the PHP module is
enabled as the name of the module is not deterministic with php5
and
php7.0
.
owncloud__apache_modules: []
- owncloud__nginx_client_body_temp_path
Defines the directory where Nginx will temporary store files holding client request bodies. Refer to the the Nginx documentation for details.
The default (empty string) is to not change the default of the webserver. TODO: Confirm that this variable does what it says.
owncloud__nginx_client_body_temp_path: ''
- owncloud__nginx_access_log_assets
Should the access to assets be logged by nginx?
owncloud__nginx_access_log_assets: True
PHP
- owncloud__php_temp_path
Directory which PHP will use as temp directory.
In case /tmp
has limited space (for example is a ramdisk) or is otherwise
restricted then it is recommended to change the temp directory which PHP
uses to a path with more space available.
This directory is used to cache uploaded files when using Apache.
See also owncloud__temp_path
.
Empty string will not change the temp directory of PHP.
owncloud__php_temp_path: ''
- owncloud__php_output_buffering
Output buffering set in PHP, with amount set in megabytes. Refer to the official ownCloud documentation for details.
owncloud__php_output_buffering: '0'
- owncloud__php_max_children
Max children processes to run in php fpm. FIXME: Check if default of debops.php might be sufficient.
owncloud__php_max_children: '50'
Role-dependent configuration
- owncloud__apt_preferences__dependent_list
Configuration for the debops.apt_preferences role.
owncloud__apt_preferences__dependent_list:
- package: 'php5-apcu'
backports: [ 'trusty' ]
reason: 'ownCloud requires at least APCu version 4.0.6.'
by_role: 'debops.owncloud'
state: '{{ owncloud__deploy_state }}'
- owncloud__apt_preferences__dependent_list_optional
Optional configuration for the debops.apt_preferences role. Only required when APT preference presets from the debops.apt_preferences role are used.
owncloud__apt_preferences__dependent_list_optional:
- package: 'owncloud owncloud*'
reason: 'Use download.owncloud.org even when foreign sources are disabled by global APT preferences.'
pin: 'origin "download.owncloud.org"'
priority: 995
by_role: 'debops.owncloud'
state: '{{ "present"
if (owncloud__variant in ["owncloud"] and
owncloud__deploy_state == "present")
else "absent" }}'
- owncloud__keyring__dependent_apt_keys
APT key configuration for the debops.keyring Ansible role.
owncloud__keyring__dependent_apt_keys:
- id: '{{ owncloud__apt_repo_key_id }}'
state: '{{ "present" if (owncloud__variant in ["owncloud"]) else "absent" }}'
# Old or unused OpenPGP public keys specified by fingerprint which where
# previously used to sign the APT repository.
# The keys listed here are ensured to be absent to reduce the risk if one of
# the keys gets compromised.
- id: 'F9EA4996747310AE79474F44977C43A8BA684223'
state: 'absent'
- id: 'BCECA90325B072AB1245F739AB7C32C35180350A'
state: 'absent'
- owncloud__keyring__dependent_gpg_keys
GPG key configuration for the debops.keyring Ansible role.
owncloud__keyring__dependent_gpg_keys:
- user: '{{ owncloud__system_user }}'
group: '{{ owncloud__system_group }}'
home: '{{ owncloud__system_home }}'
id: '{{ owncloud__upstream_key_fingerprint }}'
state: '{{ "present" if (owncloud__variant in ["nextcloud"]) else "absent" }}'
- owncloud__ldap__dependent_tasks
Configuration for the debops.ldap Ansible role.
owncloud__ldap__dependent_tasks:
- name: 'Create Nextcloud account for {{ owncloud__ldap_device_dn | join(",") }}'
dn: '{{ owncloud__ldap_binddn }}'
objectClass: '{{ owncloud__ldap_self_object_classes }}'
attributes: '{{ owncloud__ldap_self_attributes }}'
no_log: '{{ debops__no_log | d(True) }}'
state: '{{ "present" if owncloud__ldap_device_dn | d() else "ignore" }}'
- name: 'Enable password management by {{ owncloud__ldap_binddn }}'
dn: '{{ (["cn=Password Reset Agent", "ou=Roles"] + owncloud__ldap_base_dn) | join(",") }}'
attributes:
roleOccupant: '{{ owncloud__ldap_binddn }}'
state: '{{ "present" if owncloud__ldap_device_dn | d() else "ignore" }}'
- owncloud__mariadb__dependent_databases
Configuration of the database managed by the debops.mariadb role.
owncloud__mariadb__dependent_databases:
- database: '{{ owncloud__database_map[owncloud__database].dbname }}'
state: '{{ "present" if (owncloud__deploy_state != "purged") else "absent" }}'
- owncloud__mariadb__dependent_users
Configuration of the database user managed by the debops.mariadb role.
owncloud__mariadb__dependent_users:
- database: '{{ owncloud__database_map[owncloud__database].dbname }}'
user: '{{ owncloud__database_map[owncloud__database].dbuser }}'
password: '{{ owncloud__database_map[owncloud__database].dbpass }}'
- owncloud__postgresql__dependent_roles
Configuration of the database roles managed by the debops.postgresql role.
owncloud__postgresql__dependent_roles:
- name: '{{ owncloud__database_name }}' # Separate role is needed when owncloud__database_name != owncloud__database_user
- name: '{{ owncloud__database_user }}' # Password is not passed directly - it will be read from the file
- owncloud__postgresql__dependent_groups
Configuration of the database groups managed by the debops.postgresql role.
owncloud__postgresql__dependent_groups:
- roles: [ '{{ owncloud__database_user }}' ]
groups: [ '{{ owncloud__database_name }}' ]
database: '{{ owncloud__database_name }}'
state: '{{ "present" if (owncloud__deploy_state != "purged") else "absent" }}'
- owncloud__postgresql__dependent_databases
Configuration of the database managed by the debops.postgresql role.
owncloud__postgresql__dependent_databases:
- name: '{{ owncloud__database_name }}'
owner: '{{ owncloud__database_user }}'
- owncloud__logrotate__dependent_config
Configuration of the logrotate rule managed by the debops.logrotate role.
ownCloud as of Version 9.0 does not do log rotate by default. This could
be enabled by log_rotate_size
. logrotate
is the default in DebOps.
owncloud__logrotate__dependent_config:
- filename: '{{ owncloud__variant }}'
log: '{{ owncloud__data_path + "/" + owncloud__variant + ".log" }}'
state: '{{ "present" if (owncloud__deploy_state == "present") else "absent" }}'
options: |
rotate 12
weekly
missingok
notifempty
compress
su {{ owncloud__app_user }} {{ owncloud__app_group }}
delaycompress
- owncloud__apache__dependent_snippets
Apache configuration snippets managed by the debops.apache role.
Disable the /etc/apache2/conf-enabled/owncloud.conf
which configures
ownCloud below /owncloud
.
owncloud__apache__dependent_snippets:
'owncloud':
enabled: False
type: 'dont-create'
- owncloud__apache__dependent_vhosts
Apache virtual host managed by the debops.apache role.
owncloud__apache__dependent_vhosts:
- type: 'default'
name: '{{ owncloud__fqdn }}'
by_role: 'debops.owncloud'
filename: 'debops.owncloud'
root: '{{ owncloud__app_home }}'
options: '+FollowSymLinks'
allow_override: 'All'
root_directives: | # noqa jinja[spacing]
<IfModule mod_dav.c>
Dav off
</IfModule>
SetEnv HOME {{ owncloud__app_home }}
SetEnv HTTP_HOME {{ owncloud__app_home }}
{# Does not work.
## Tested while uploading with:
## while true; do df -h /tmp|tail -n 1; sleep 0.1; done
## Currently configured in PHP Apache scope: owncloud__php__dependent_configuration
{% if owncloud__php_temp_path | d() %}
<IfModule mod_php5.c>
php_value sys_temp_dir '{{ owncloud__php_temp_path }}'
</IfModule>
<IfModule mod_php7.c>
php_value sys_temp_dir '{{ owncloud__php_temp_path }}'
</IfModule>
{% endif %}
# SetEnv TMPDIR '{{ owncloud__php_temp_path }}'
#}
raw_content: |
<Directory "{{ owncloud__app_home }}/data/">
# Just in case the .htaccess gets disabled.
Require all denied
</Directory>
{% if owncloud__data_path != (owncloud__app_home + "/data") %}
<Directory {{ owncloud__data_path | quote }}>
# Just in case someone changes the global Apache defaults and messed
# with the "Alias" directive ;)
Require all denied
</Directory>
{% endif %}
http_sec_headers_directive_options: 'set'
- owncloud__nginx__dependent_maps
nginx maps managed by the debops.nginx role.
owncloud__nginx__dependent_maps:
- name: 'asset_immutable'
map: '$arg_v $asset_immutable'
mapping: '"" "";'
default: 'immutable'
- owncloud__nginx_options
Nginx main config block for the application.
owncloud__nginx_options: |-
add_header X-Download-Options noopen;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
# Specify how to handle directories -- specifying `/index.php$request_uri`
# here as the fallback means that Nginx always exhibits the desired behaviour
# when a client requests a path that corresponds to a directory that exists
# on the server. In particular, if that directory contains an index.php file,
# that file is correctly served; if it doesn't, then the request is passed to
# the front-end controller. This consistent behaviour means that we don't need
# to specify custom rules for certain paths (e.g. images and other assets,
# `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
# `try_files $uri $uri/ /index.php$request_uri`
# always provides the desired behaviour.
index index.php index.html /index.php$request_uri;
# Set max upload size and increase upload timeout:
client_max_body_size {{ owncloud__upload_size }};
client_body_timeout 300s;
{% if owncloud__nginx_client_body_temp_path %}
client_body_temp_path '{{ owncloud__nginx_client_body_temp_path }}';
{% endif %}
fastcgi_buffers 64 4K;
{% if owncloud__app_user_webfinger_support | bool %}
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
{% endif %}
{% if owncloud__variant == "nextcloud" %}
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
{% else %}
# Disable gzip to avoid the removal of the ETag header
gzip off;
{% endif %}
# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
# The settings allows you to optimize the HTTP2 bandwitdth.
# See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
# for tuning hints
# TODO(ypid): Nginx will be able to autotune this value when the patch gets accepted.
# DebOps will drop this manual tuning based on Nextcloud recommendation
# when the Nginx release is available in Debian oldstable.
client_body_buffer_size 512k;
{% if not (owncloud__variant == "nextcloud" and
owncloud__release is version("18.0", ">=")) %}
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;
{% endif %}
# Default Cache-Control policy
expires 1m;
# Avoid to send the security headers twice as ownCloud
# also adds the X-* HTTP headers.
fastcgi_param modHeadersAvailable true;
- owncloud__nginx__dependent_servers
nginx server configuration managed by the debops.nginx role.
owncloud__nginx__dependent_servers:
## https://docs.nextcloud.com/server/17/admin_manual/installation/nginx.html
## Corresponds to 5527a8c1ffc18d614e51ab18b61daccbbb047af9
## from https://github.com/nextcloud/documentation.git
- type: 'default'
enabled: True
by_role: 'debops.owncloud'
filename: 'debops.owncloud'
name: '{{ owncloud__fqdn }}'
root: '{{ owncloud__deploy_path }}'
webroot_create: False
deny_hidden: False
favicon: False
## Nextcloud has its own maintenance page
maintenance: '{{ False if (owncloud__variant == "nextcloud") else True }}'
## https://docs.nextcloud.com/server/17/admin_manual/issues/general_troubleshooting.html#common-problems-error-messages
## DebOps default should be fine.
# keepalive: '3600'
robots_tag: [ 'none' ]
permitted_cross_domain_policies: 'none'
frame_options: '{{ omit if (owncloud__variant == "nextcloud" and
owncloud__release is version("17.0", "<"))
else "SAMEORIGIN" }}'
options: |
{% if not (owncloud__http_psk_subpath_enabled | bool) %}
{{ owncloud__nginx_options }}
{% endif %}
location_list:
- pattern: '/'
options: |-
deny all;
enabled: '{{ owncloud__http_psk_subpath_enabled | bool }}'
- pattern: '= /{{ owncloud__http_psk_subpath }}'
options: |
# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
if ( $http_user_agent ~ ^DavClnt ) {
return 302 /{{ owncloud__http_psk_subpath_end_slash }}remote.php/webdav/$is_args$args;
}
# Not used in the Nginx configuration example of Nextcloud/ownCloud.
# Needed because `security.limit_extensions` defaults to `.php` in DebOps.
rewrite ^ /{{ owncloud__http_psk_subpath_end_slash }}index.php;
- pattern: '= /robots.txt'
options: |
allow all;
log_not_found off;
enabled: '{{ not (owncloud__http_psk_subpath_enabled | bool) }}'
- pattern: '^~ /.well-known'
options: |
# Make a regex exception for `/.well-known` so that clients can still
# access it despite the existence of the regex rule
# `location ~ /(\.|autotest|...)` which would otherwise handle requests
# for `/.well-known`.
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
# Anything else is dynamically handled by Nextcloud
location ^~ /.well-known { return 301 /index.php$uri; }
try_files $uri $uri/ =404;
enabled: '{{ not (owncloud__http_psk_subpath_enabled | bool) }}'
- pattern: '~ ^/{{ owncloud__http_psk_subpath_end_slash }}(?:build|tests|config|lib|3rdparty|templates|data)\/'
options: |
return 404;
- pattern: '~ ^/{{ owncloud__http_psk_subpath_end_slash }}(?:\.|autotest|occ|issue|indie|db_|console)'
options: |
return 404;
- pattern: '~ ^/{{ owncloud__http_psk_subpath_end_slash }}.*\.php(?:$|/)'
options: | # noqa jinja[spacing]
# Ensure this block, which passes PHP files to the PHP process, is above the blocks
# which handle static assets (as seen below). If this block is not declared first,
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
# to the URI, resulting in a HTTP 500 error response.
# Required for legacy support
# https://github.com/nextcloud/documentation/pull/2197#issuecomment-721432337
rewrite ^/{{ owncloud__http_psk_subpath_end_slash }}(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /{{ owncloud__http_psk_subpath_end_slash }}index.php$request_uri;
# (/.*|): The "or empty" regex alternative is needed for custom
# subpath because otherwise the whole regex would not match and would
# not update ${fastcgi_script_name}.
fastcgi_split_path_info ^{{ owncloud__http_psk_subpath_begin_slash }}(.+?\.php)(/.*|)$;
set $path_info $fastcgi_path_info;
{% if owncloud__http_psk_subpath_enabled | bool %}
set $script_name "{{ owncloud__http_psk_subpath_begin_slash }}${fastcgi_script_name}";
{% endif %}
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
{% if owncloud__http_psk_subpath_enabled | bool %}
fastcgi_param SCRIPT_NAME $script_name;
{% endif %}
fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
fastcgi_param front_controller_active true; # Enable pretty urls
fastcgi_pass php_owncloud;
fastcgi_intercept_errors on;
{% if (ansible_local.nginx.version | d("0.0")) is version_compare("1.7.11", '>=') %}
fastcgi_request_buffering off;
{% endif %}
fastcgi_read_timeout {{ owncloud__timeout }};
- pattern: '~ {{ owncloud__http_psk_subpath_begin_slash }}(/.*\.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite))$'
options: |
try_files {{ "$1" if (owncloud__http_psk_subpath_enabled | bool) else "$uri" }} /{{ owncloud__http_psk_subpath_end_slash }}index.php$request_uri;
add_header Cache-Control "public, max-age=15778463, $asset_immutable";
{% if not (owncloud__nginx_access_log_assets | bool) %}
access_log off;
{% endif %}
location ~ \.wasm$ {
default_type application/wasm;
}
- pattern: '~ {{ owncloud__http_psk_subpath_begin_slash }}(/.*\.woff2?)$'
options: |
try_files {{ "$1" if (owncloud__http_psk_subpath_enabled | bool) else "$uri" }} /{{ owncloud__http_psk_subpath_end_slash }}index.php$request_uri;
expires 7d; # Cache-Control policy borrowed from `.htaccess`
{% if not (owncloud__nginx_access_log_assets | bool) %}
access_log off;
{% endif %}
- pattern: '^~ /{{ owncloud__http_psk_subpath }}'
options: |
{{ owncloud__nginx_options }}
enabled: '{{ owncloud__http_psk_subpath_enabled | bool }}'
- pattern: '/{{ owncloud__http_psk_subpath_end_slash }}remote'
options: |
# Rule borrowed from `.htaccess`
return 301 /{{ owncloud__http_psk_subpath_end_slash }}remote.php$request_uri;
- pattern: '/{{ owncloud__http_psk_subpath_end_slash }}'
options: |
try_files $uri $uri/ /{{ owncloud__http_psk_subpath_end_slash }}index.php$request_uri;
## Not used so that the exact order of locations from the upstream nginx
## example can be used.
# type: 'php'
- owncloud__nginx__dependent_upstreams
PHP upstream server configuration managed by the debops.nginx role.
owncloud__nginx__dependent_upstreams:
- name: 'php_owncloud'
by_role: 'debops.owncloud'
enabled: True
state: '{{ owncloud__deploy_state }}'
type: 'php'
php_pool: 'owncloud'
- owncloud__php__dependent_packages
List of PHP packages to install using the debops.php role.
owncloud__php__dependent_packages:
- '{{ owncloud__base_php_packages }}'
- '{{ owncloud__optional_php_packages }}'
- '{{ ["libapache2-mod-php"] if (owncloud__webserver == "apache") else [] }}'
- owncloud__php__dependent_configuration
php.ini
configuration managed by the debops.php role.
owncloud__php__dependent_configuration:
- filename: '10-owncloud'
by_role: 'debops.owncloud'
state: '{{ "present" if (((owncloud__apcu_enabled | bool) and (owncloud__release is match("8\.1"))) or
((owncloud__variant in ["nextcloud"]) and
(owncloud__release is version_compare("21.0", ">="))))
else "absent" }}'
options: |
; Workaround for: https://github.com/owncloud/core/issues/17329
apc.enable_cli = 1
- filename: '30-owncloud-opcache'
by_role: 'debops.owncloud'
state: '{{ "present"
if (owncloud__variant in ["nextcloud"] and owncloud__release is version_compare("12.0", ">="))
else "absent" }}'
options: |
; https://docs.nextcloud.com/server/25/admin_manual/installation/server_tuning.html#enable-php-opcache
; https://github.com/nextcloud/docker/blob/master/25/fpm/Dockerfile
[opcache]
opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=16
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=60
- filename: 'debops.owncloud'
path: 'apache2/conf.d/'
by_role: 'debops.owncloud'
state: '{{ (owncloud__php_temp_path | d() and owncloud__webserver == "apache") | ternary("present", "absent") }}'
sections:
- options: |
## TODO: Could not be configured on Apache vhost scope.
sys_temp_dir = {{ owncloud__php_temp_path | quote }}
- owncloud__php__dependent_pools
PHP pools managed by the debops.php role. Refer to the official ownCloud documentation for details.
owncloud__php__dependent_pools:
name: 'owncloud'
by_role: 'debops.owncloud'
user: '{{ owncloud__app_user }}'
group: '{{ owncloud__app_group }}'
pm_max_children: '{{ owncloud__php_max_children }}'
## Overwrite DebOps default to ensure that long running syncing jobs don’t
## get killed.
## https://secure.php.net/manual/en/install.fpm.configuration.php
request_terminate_timeout: '{{ owncloud__timeout }}'
## This is sometimes seen in other peoples ownCloud configuration.
## The role maintainers could not yet verify if it is really needed.
# rlimit_files: '131072'
# rlimit_core: 'unlimited'
## https://github.com/owncloud/core/blob/master/.user.ini
## https://github.com/nextcloud/server/blob/master/.user.ini
php_values:
## https://secure.php.net/manual/en/outcontrol.configuration.php#ini.output-buffering
output_buffering: '{{ owncloud__php_output_buffering }}'
## https://secure.php.net/manual/en/info.configuration.php#ini.upload-max-filesize
upload_max_filesize: '{{ owncloud__upload_size }}'
## https://secure.php.net/manual/en/ini.core.php#ini.post-max-size
post_max_size: '{{ owncloud__upload_size }}'
## https://secure.php.net/manual/de/ini.core.php#ini.memory-limit
## Nextcloud now warns with a PHP memory limit lower than 512MB
memory_limit: '{{ owncloud__upload_size }}'
## https://secure.php.net/manual/en/info.configuration.php#ini.max-input-time
max_input_time: '{{ owncloud__timeout }}'
## Refer to: https://secure.php.net/manual/en/info.configuration.php#ini.max-execution-time
max_execution_time: '{{ owncloud__timeout }}'
environment:
# HOSTNAME: '$HOSTNAME'
# TMP: '/tmp'
# TMPDIR: '/tmp'
# TEMP: '/tmp'
## Fixes warning (ownCloud 8.1): "The test with getenv('PATH') only returns an empty response"
PATH: '/usr/local/bin:/usr/bin:/bin'
- owncloud__unattended_upgrades__dependent_origins
List of origin patterns managed by the debops.unattended_upgrades role.
owncloud__unattended_upgrades__dependent_origins:
- origin: 'site=download.owncloud.org'
by_role: 'debops.owncloud'
state: 'absent'