Default variables

Packages and installation

owncloud__base_packages

List of base packages required by ownCloud.

owncloud__base_packages:
  - '{{ ["owncloud-complete-files"]
        if (owncloud__variant == "owncloud")
        else [] }}'
  - '{{ ["curl", "unzip"]
        if (owncloud__variant == "nextcloud")
        else [] }}'

  # There are no Debian packages for Nextcloud yet unfortunately.

  ## https://doc.owncloud.org/server/10.3/admin_manual/installation/source_installation.html
  ## FIXME: Collaborative document editing in ownCloud is now done with Collabora Online.
  ## FIXME: Is it necessary to install all LibreOffice packages? https://github.com/owncloud/documents#known-issues
  ## Upstream documentation does not specify it more clearly. Installing ``libreoffice`` just to be sure.
  - '{{ ["libreoffice"] if (owncloud__app_documents_libreoffice_enabled | bool) else [] }}'

  ## Useful for debugging. Refer to `owncloud__base_php_packages` for the PHP packages
  - '{{ ["smbclient"] if (owncloud__smb_support | bool) else [] }}'
  - '{{ ["libsmbclient"] if (owncloud__smb_support | bool and owncloud__release is version_compare("9.0", ">=")) else [] }}'
owncloud__required_php_packages

List of PHP packages required by Nextcloud. Refer to the official Nextcloud documentation for details.

owncloud__required_php_packages:
  # Included in base install:
  # - 'ctype'

  # - 'dom'

  - 'iconv'
  - 'gd'
  - 'json'

  - 'xml'
  # Included in the `xml` Debian package:
  # - 'SimpleXML'
  # - 'XMLWriter'

  # - 'posix'
  # - 'zlib'

  - 'bcmath'
  - 'gmp'

owncloud__recommended_php_packages

List of PHP packages recommended by Nextcloud. Refer to the official Nextcloud documentation for details.

owncloud__recommended_php_packages:
  - 'curl'
  - 'bz2'
  - 'mcrypt'

  # Recommended/Optional: SFTP storage
  - 'gmp'
owncloud__base_php_packages

List of base PHP packages required by ownCloud.

owncloud__base_php_packages:
  - '{{ owncloud__required_php_packages
        if (owncloud__variant == "nextcloud")
        else [] }}'

  - 'mbstring'
  - 'zip'
  - '{{ ["php-xml", "php-apcu", "php7.4-mysql", "php7.4-redis"] if (owncloud__variant != "nextcloud") else [] }}'

  ## Required for the "OpenOTP Two Factor Authentication" (twofactor_rcdevsopenotp) as of NC 14.
  - 'ldap'
  - 'soap'

  - '{{ ["apcu"] if (owncloud__apcu_enabled | bool) else [] }}'
  - '{{ ["mysql"] if (owncloud__database in ["mariadb", "mysql"]) else [] }}'
  - '{{ ["pgsql"] if (owncloud__database in ["postgresql"]) else [] }}'
  - '{{ ["redis"] if (owncloud__redis_enabled | bool) else [] }}'

  ## Seems to be required at least for PHP7.0 to fix:
  ## PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php/20151012/redis.so'
  ## - /usr/lib/php/20151012/redis.so: undefined symbol: igbinary_serialize in Unknown on line 0
  - '{{ ["igbinary"]
        if (not (ansible_distribution == "Ubuntu" and (ansible_distribution_version is version_compare("15.10", "<"))))
        else [] }}'

  - '{{ ["libsmbclient"] if (owncloud__smb_support | bool and owncloud__release is version_compare("8.9.9", "<=")) else [] }}'

  ## Included in normal PHP installations but require it here because it is
  ## used internally by the role:
  - 'json'
owncloud__optional_php_packages

List of recommended/optional PHP packages for ownCloud.

owncloud__optional_php_packages:
  - '{{ owncloud__recommended_php_packages
        if (owncloud__variant == "nextcloud")
        else [] }}'
  - 'intl'
  - 'imagick'
owncloud__packages

List of global packages for ownCloud. This variable is intended to be used in Ansible’s global inventory.

owncloud__packages: []
owncloud__group_packages

List of group packages for ownCloud. This variable is intended to be used in a host inventory group of Ansible (only one host group is supported).

owncloud__group_packages: []
owncloud__host_packages

List of host packages for ownCloud. This variable is intended to be used in the inventory of hosts.

owncloud__host_packages: []
owncloud__dependent_packages

List of APT packages to install for other Ansible roles, for usage as a dependent role.

owncloud__dependent_packages: []
owncloud__deploy_state

What is the desired state which this role should achieve? Possible options:

present

Default. Ensure that ownCloud is installed and configured as requested.

absent

Ensure that ownCloud is uninstalled and its configuration is removed. Not fully supported yet. FIXME: This would remove all packages that are installed by the role! Package lists need to be split.

owncloud__deploy_state: 'present'

Nextcloud user account

owncloud__system_user

Name of the system account which will perform archive verification using the OpenPGP signature.

owncloud__system_user: 'nextcloud'
owncloud__system_group

Name of the primary system group of the Nextcloud account.

owncloud__system_group: 'nextcloud'
owncloud__system_home

Path to the home directory of the Nextcloud account.

owncloud__system_home: '{{ (ansible_local.fhs.home | d("/var/local"))
                           + "/" + owncloud__system_user }}'
owncloud__comment

The GECOS string set for the Nextcloud account.

owncloud__comment: 'Nextcloud Application Manager'
owncloud__shell

The default shell of the Nextcloud account.

owncloud__shell: '/usr/sbin/nologin'

Base directory paths

owncloud__src

Base path to the directory with application archives, their hash signatures and OpenPGP signatures.

owncloud__src: '{{ (ansible_local.fhs.src | d("/usr/local/src"))
                   + "/" + owncloud__system_user }}'

Nextcloud installation

owncloud__upstream_key_fingerprint

The OpenPGP key fingerprint for the key by which the Nextcloud release tarballs are signed.

owncloud__upstream_key_fingerprint: '2880 6A87 8AE4 23A2 8372 792E D758 99B9 A724 937A'
owncloud__keyserver

URL of the OpenPGP keyserver used to obtain OpenPGP keys.

owncloud__keyserver: '{{ ansible_local.keyring.keyserver | d("hkp://keyserver.ubuntu.com") }}'
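A plain `gpg --verify` exits successfully for a valid signature from any key in the keyring, including a key fetched from the keyserver by someone else, so a release archive is only trustworthy if the key that signed it is compared against the pinned owncloud__upstream_key_fingerprint. The following Python is an added example, not code from the role or from Nextcloud: it parses gpg's machine-readable `--status-fd` output and accepts a signature only if it was made by the pinned key or one of its subkeys. The status lines, user IDs and the "other" fingerprint are constructed for the example; only the pinned fingerprint comes from this page.

```python
"""Pin the release-signing key instead of trusting any key gpg knows about.

Added example; the gpg status lines below are constructed, not captured.
"""
import re
import subprocess
import sys
from typing import List, Optional, Tuple

# Value of owncloud__upstream_key_fingerprint as listed on this page.
UPSTREAM_KEY_FINGERPRINT = "2880 6A87 8AE4 23A2 8372 792E D758 99B9 A724 937A"


def normalize_fingerprint(fpr: str) -> str:
    """Canonical form: 40 upper-case hex digits, no whitespace, no 0x prefix."""
    fpr = fpr.strip()
    if fpr[:2].lower() == "0x":
        fpr = fpr[2:]
    fpr = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError(f"not a v4 OpenPGP fingerprint: {fpr!r}")
    return fpr


def valid_signature_keys(status_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (signing key fpr, primary key fpr) for every VALIDSIG status line.

    gpg emits one VALIDSIG line per cryptographically valid signature. Its
    first fingerprint is the (sub)key that made the signature; the optional
    last field is the fingerprint of that key's primary key.
    """
    pairs = []
    for line in status_lines:
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            signing = parts[2].upper()
            primary = parts[-1].upper() if len(parts) >= 12 else signing
            pairs.append((signing, primary))
    return pairs


def signed_by_pinned_key(status_lines: List[str], pinned: str = UPSTREAM_KEY_FINGERPRINT) -> bool:
    """True only if a valid signature came from the pinned key or one of its subkeys.

    A GOODSIG/VALIDSIG from some other key in the keyring is rejected.
    """
    pinned = normalize_fingerprint(pinned)
    return any(pinned in (signing, primary)
               for signing, primary in valid_signature_keys(status_lines))


def gpg_status_lines(signature_path: str, data_path: str,
                     gnupghome: Optional[str] = None) -> List[str]:
    """Run gpg --verify and return its status lines (requires gpg; not run by the test)."""
    cmd = ["gpg", "--batch", "--no-tty", "--status-fd", "1",
           "--verify", signature_path, data_path]
    if gnupghome:
        cmd[1:1] = ["--homedir", gnupghome]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()


# Constructed status output: good signature from the pinned key (key ID is the
# last 16 hex digits of the pinned fingerprint; the user ID is a placeholder).
STATUS_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG D75899B9A724937A Placeholder Signer <signer@example.org>",
    "[GNUPG:] VALIDSIG 28806A878AE423A28372792ED75899B9A724937A 2022-05-02 "
    "1651500000 0 4 0 1 10 00 28806A878AE423A28372792ED75899B9A724937A",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
# Constructed: valid signature, but from a different key that is also in the keyring.
STATUS_OTHER_KEY = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Other Key <other@example.org>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2022-05-02 "
    "1651500000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
# Constructed: signature does not verify at all (no VALIDSIG line).
STATUS_BAD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG D75899B9A724937A Placeholder Signer <signer@example.org>",
]


if __name__ == "__main__":
    # Usage: python3 pin_check.py nextcloud-X.tar.bz2.asc nextcloud-X.tar.bz2
    ok = signed_by_pinned_key(gpg_status_lines(sys.argv[1], sys.argv[2]))
    print("signature from pinned key" if ok else "REJECTED: not signed by pinned key")
    sys.exit(0 if ok else 1)
```

The check deliberately ignores gpg's exit status and the GOODSIG line: both say only that some key verified the data. Comparing the full fingerprint from VALIDSIG (never the short key ID, which is cheap to collide) against the pinned value is what ties the archive to the upstream key.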

ownCloud upgrades

Warning

Auto upgrading is deprecated. If you want this, add support for https://github.com/nextcloud/docker to this Ansible role.

ownCloud source and deployment

owncloud__variant

Which variant of the application should be used?

Supported variants:

  • owncloud (legacy variant, not recommended for new deployments, not well tested)

  • nextcloud (Main supported variant in the future. Currently supported on Debian stretch, refer to issue 45 for details)

owncloud__variant: '{{ ansible_local.owncloud.variant | d("nextcloud") }}'
owncloud__variant_download_url_map

URL map for owncloud__variant. Used to download the software.

owncloud__variant_download_url_map:
  nextcloud: 'https://download.nextcloud.com/server/releases'
owncloud__variant_url_map

Homepage URL map for owncloud__variant. Used when referring to the software.

owncloud__variant_url_map:
  owncloud: 'https://owncloud.org/'
  nextcloud: 'https://nextcloud.com/'
owncloud__variant_name_map

Name map for owncloud__variant. Used when referring to the software.

owncloud__variant_name_map:
  owncloud: 'ownCloud'
  nextcloud: 'Nextcloud'
owncloud__release

Defaults to the latest stable release supported and tested with this role. This may not always be the latest stable release.

Supported releases:

  • Nextcloud 24.0

Upcoming:

  • Nextcloud 25.0 (Implemented based on documentation changes but untested).

Unsupported:

  • ownCloud 10.4 (Not supported in the latest version of DebOps due to lack of maintainers. Use DebOps v2.2.x if you need it and consider becoming a maintainer.)

For Nextcloud refer to the Nextcloud Maintenance and Release Schedule and the Nextcloud Server Changelog.

For ownCloud refer to the ownCloud Maintenance and Release Schedule and the package index for more details.

owncloud__release: '{{ "10"
                       if (owncloud__variant == "owncloud")
                       else "24.0" }}'
owncloud__distribution

Name and version of OS distribution to use for ownCloud packages.

owncloud__distribution: '{{ owncloud__distribution_name + "_" +
                            owncloud__distribution_version }}'
owncloud__distribution_name

Name of the OS distribution to use for ownCloud URLs.

owncloud__distribution_name: '{{ ansible_distribution }}'
owncloud__distribution_version

Version number of the OS distribution for ownCloud URLs.

owncloud__distribution_version: '{{ ansible_distribution_major_version }}'
owncloud__apt_repo_base

Base APT repository URL starting at the authority part.

owncloud__apt_repo_base: 'download.opensuse.org/repositories/isv:/ownCloud:/server:/{{ owncloud__release }}'
owncloud__apt_repo_key_id

OpenPGP public key specified by fingerprint which is used to sign the APT repository.

owncloud__apt_repo_key_id: '1B07204CD71B690D409F57D24ABE1AC7557BEFF9'
owncloud__old_apt_repo_keys

Old or unused OpenPGP public keys, specified by fingerprint, which were previously used to sign the APT repository. The keys listed here are ensured to be absent to reduce the risk if one of them gets compromised.

owncloud__old_apt_repo_keys:
  - 'F9EA4996747310AE79474F44977C43A8BA684223'
  - 'BCECA90325B072AB1245F739AB7C32C35180350A'
owncloud__src_remote_dir

File path used to store application sources on the remote system. This is currently only used to copy the OpenPGP public key to the remote.

owncloud__src_remote_dir: '{{
  (ansible_local.fhs.src | d("/usr/local/src"))
  + "/owncloud" }}'
owncloud__apt_repo_source

APT sources.list URL of the ownCloud .deb repository.

owncloud__apt_repo_source: '{{ "deb https://" + owncloud__apt_repo_base + "/" +
                               owncloud__distribution + "/ /" }}'
owncloud__app_user

User that will be used for the ownCloud instance.

owncloud__app_user: '{{ ansible_local.nginx.user | d("www-data") }}'
owncloud__app_group

Group that will be used for the ownCloud instance.

owncloud__app_group: '{{ owncloud__app_user }}'
owncloud__app_home

Directory under which ownCloud will be installed.

owncloud__app_home: '{{ "/var/www/owncloud"
                        if (owncloud__variant == "owncloud")
                        else ((ansible_local.nginx.www
                              if (ansible_local.nginx.www | d())
                              else "/srv/www") + "/" + owncloud__system_user) }}'
owncloud__data_path

Path where ownCloud data directory and files are stored.

owncloud__data_path: '{{ owncloud__app_home }}/data'
owncloud__temp_path

Directory which ownCloud will use as temp directory.

In case /tmp has limited space (for example is a ramdisk) or is otherwise restricted then it is a good idea to change the temp directory that ownCloud uses to a path with more space available.

The default (empty string) is to let ownCloud figure out which temp directory it should use which probably results in /tmp/owncloudtemp unless otherwise influenced by environment variables and such.

See also owncloud__php_temp_path.

owncloud__temp_path: ''
owncloud__deploy_path

Where the ownCloud instance will be deployed (web root).

owncloud__deploy_path: '{{ owncloud__app_home }}'
owncloud__deploy_path_mode

Octal permissions for ownCloud web root.

owncloud__deploy_path_mode: '0750'

In memory caching

Refer to the official ownCloud documentation for details.

owncloud__apcu_enabled

Whether APCu should be used for local caching. Refer to the official ownCloud documentation for details.

owncloud__apcu_enabled: True
owncloud__redis_enabled

Use Redis for file locking as recommended for small and large installations. The default is to auto-detect whether Redis is enabled on the remote server and, if so, use it for file locking. Note that ownCloud requires version 2.2.5+ of the redis PHP package. This requirement is not met on Ubuntu trusty (neither in the release repos nor in backports), thus Redis will not be enabled automatically by the role. Refer to the official ownCloud documentation for details.

owncloud__redis_enabled: '{{ ansible_local.redis_server.installed | d() | bool and
                             (not (ansible_distribution == "Ubuntu" and ansible_distribution_release == "trusty")) }}'
owncloud__redis_host

Redis server to use when owncloud__redis_enabled is True.

owncloud__redis_host: '{{ ansible_local.redis_server.host | d("localhost") }}'
owncloud__redis_port

Network port on which the Redis server is listening on.

owncloud__redis_port: '{{ ansible_local.redis_server.port | d("6379") }}'
owncloud__redis_password

Redis server authentication password.

owncloud__redis_password: '{{ ansible_local.redis_server.password | d(omit) }}'

Database configuration

owncloud__database

ownCloud recommends MySQL or MariaDB as database management system. Set to False to use SQLite. Refer to the official ownCloud documentation for details. See owncloud__database_map for the databases supported by this role.

owncloud__database: 'mariadb'
owncloud__database_server

FQDN of the database server. It will be configured by the debops.mariadb or debops.postgresql role.

owncloud__database_server: '{{ ansible_local[owncloud__database].server }}'
owncloud__database_port

Port database is listening on.

owncloud__database_port: '{{ ansible_local[owncloud__database].port }}'
owncloud__database_user

Database user to use for ownCloud.

owncloud__database_user: '{{ owncloud__variant }}'
owncloud__database_name

Name of the database to use for ownCloud.

owncloud__database_name: '{{ owncloud__variant }}'
owncloud__database_password_path

Path to database password file.

owncloud__database_password_path: '{{ secret + "/" + owncloud__database + "/"
                                      + ansible_local[owncloud__database].delegate_to
                                      + (("/" + ansible_local[owncloud__database].port)
                                         if (owncloud__database == "postgresql")
                                         else "")
                                      + "/credentials/" + owncloud__database_user + "/password" }}'
owncloud__database_password

Database password for ownCloud.

owncloud__database_password: '{{ lookup("password", owncloud__database_password_path + " length=48") }}'
owncloud__database_map
owncloud__database_map:

  # MySQL/MariaDB database.
  mariadb:
    dbtype: 'mysql'
    dbname: '{{ owncloud__database_name | d(owncloud__app_user) }}'
    dbuser: '{{ owncloud__database_user | d(owncloud__app_user) }}'
    dbpass: '{{ owncloud__database_password }}'
    dbhost: '{{ owncloud__database_server | d("localhost") }}'
    dbtableprefix: ''

  # PostgreSQL database on localhost, connection through Unix socket, no default password.
  postgresql:
    dbtype: 'pgsql'
    dbname: '{{ owncloud__database_name | d(owncloud__app_user) }}'
    dbuser: '{{ owncloud__database_user | d(owncloud__app_user) }}'
    dbpass: '{{ owncloud__database_password }}'
    dbhost: '{{ owncloud__database_server | d("/var/run/postgresql") }}'
    dbtableprefix: ''

  sqlite:
    dbtype: 'sqlite'

ownCloud admin login/password

owncloud__admin_username

Default admin username, in the form 'admin-$USER'. Set to False to disable automatic username and password.

owncloud__admin_username: 'admin-{{ lookup("env", "USER") }}'
owncloud__admin_password_path

Path to the admin password file.

owncloud__admin_password_path: '{{ secret + "/credentials/" + inventory_hostname +
                                  "/owncloud/admin/" + owncloud__admin_username +
                                  "/password" }}'
owncloud__password_length

Length of randomly generated admin password.

owncloud__password_length: 20
owncloud__admin_password

Default admin password. A random password will be generated by default as documented by the debops.secret role.

owncloud__admin_password: '{{ lookup("password", owncloud__admin_password_path
                              + " length=" + (owncloud__password_length | string)) }}'
owncloud__autosetup

Should Ansible automatically finish the ownCloud setup on its own? If this feature is disabled, some of the installation tasks will have to be performed manually by the ownCloud/Nextcloud administrator.

owncloud__autosetup: True
owncloud__autosetup_url

URL which will be called to finish autosetup of ownCloud 8.0. For newer ownCloud versions occ will be used, which is more reliable because it depends on neither the webserver nor the network.

owncloud__autosetup_url: 'http://{{ owncloud__fqdn if owncloud__fqdn is string else owncloud__fqdn[0] }}/index.php'

ownCloud configuration

owncloud__fqdn

The Fully Qualified Domain Name to use for the ownCloud instance.

owncloud__fqdn: 'cloud.{{ owncloud__domain }}'
owncloud__domain

Domain that will be configured for the ownCloud instance.

owncloud__domain: '{{ ansible_domain }}'
owncloud__upload_size

Max upload size set in nginx and PHP, with amount as M or G. Before you change this be sure to understand Uploading big files > 512MB of the official ownCloud documentation.

owncloud__upload_size: '2G'
owncloud__cron_minute

At what time cron should execute background jobs. Refer to the official ownCloud documentation for details.

owncloud__cron_minute: '*/15'
owncloud__timeout

Timeouts in seconds for application requests.

Refer to the official ownCloud documentation for details.

owncloud__timeout: 3600
owncloud__app_user_webfinger_support

Should the Webfinger application be supported? Set this to True if you are planning to use this app.

owncloud__app_user_webfinger_support: False

ownCloud config.php configuration

The dicts of this section end up in owncloud/config/debops.config.php and override the values from owncloud/config/config.php.

TODO: Note that as of ownCloud 9.0, you can not unset a setting which was once set in debops.config.php because ownCloud might copy it to config.php. Possible fix: occ config:system:set

For more information refer to owncloud__config.

owncloud__role_config

See ownCloud config.php configuration. This variable is used internally, controlled by other variables of this role.

owncloud__role_config:

  trusted_domains: '{{ [owncloud__fqdn] if owncloud__fqdn is string else owncloud__fqdn }}'

  ## https://github.com/owncloud/core/issues/22257
  ## TODO: Temporary workaround until all package maintainers have caught up.
  ## Edit: Have caught up as of 9.0.2-1.1. Remove this config in a while when
  ## it is expected that all users are running 9.0.2 or later.
  'updatechecker': '{{ True if (owncloud__variant in ["nextcloud"]) else False }}'

  'memcache.local':
    state: '{{ "present" if (owncloud__apcu_enabled | bool or owncloud__redis_enabled | bool) else "absent" }}'
    value: '{{ "\\OC\\Memcache\\Redis" if (owncloud__redis_enabled | bool) else "\\OC\\Memcache\\APCu" }}'

  'memcache.locking':
    state: '{{ "present" if (owncloud__redis_enabled | bool) else "absent" }}'
    value: '\\OC\\Memcache\\Redis'

  'redis':
    state: '{{ "present" if (owncloud__redis_enabled | bool) else "absent" }}'
    value:
      host: '{{ owncloud__redis_host }}'
      port: '{{ owncloud__redis_port | int }}'
      password: '{{ owncloud__redis_password }}'

  'tempdirectory':
    state: '{{ "present" if (owncloud__temp_path | d()) else "absent" }}'
    value: '{{ owncloud__temp_path }}'
owncloud__release_channel

The channel for tracking Nextcloud upstream releases. Refer to the official Nextcloud documentation for details.

owncloud__release_channel: '{{ "stable"
                               if (owncloud__variant == "nextcloud" and
                                   owncloud__release is version("17.0", ">="))
                               else "production" }}'

See ownCloud config.php configuration. This variable is a set of optional settings for ownCloud recommended by the maintainers of this role. Set:

owncloud__role_recommended_config: {}

in your inventory when you want to disable it.

owncloud__role_recommended_config:

  ## The default timezone for logfiles is UTC.
  logtimezone: '{{ ansible_local.tzdata.timezone | d("Etc/UTC") }}'

  ## Loglevel to start logging at. Valid values are: 0 = Debug, 1 = Info,
  ##  2 = Warning, 3 = Error, and 4 = Fatal. The default value is Warning.
  loglevel: 2

  ## ISO 8601 datetime: 2004-02-12T15:19:21+00:00
  logdateformat: 'Y-m-d H:i:s.u'

  ## Release channel
  'updater.release.channel': '{{ owncloud__release_channel }}'
owncloud__config

See ownCloud config.php configuration. This variable is intended to be used in Ansible’s global inventory. More specific variables can overrule less specific variables.

owncloud__config: {}
owncloud__group_config

See ownCloud config.php configuration. This variable is intended to be used in a host inventory group of Ansible (only one host group is supported).

owncloud__group_config: {}
owncloud__host_config

See ownCloud config.php configuration. This variable is intended to be used in the inventory of hosts.

owncloud__host_config: {}
owncloud__combined_config

See ownCloud config.php configuration. Variable which combines all of the other Owncloud configuration and is used in the configuration template.

owncloud__combined_config: '{{ owncloud__role_config
                               | combine(owncloud__role_recommended_config,
                                         owncloud__config,
                                         owncloud__group_config,
                                         owncloud__host_config) }}'

ownCloud applications configuration

Dictionary of ownCloud application settings. Check the output of occ config:list to see how the settings are called. You might need to change a particular setting via the web interface in order for it to appear in the output.

Note that occ can also change ownCloud system settings but this should be done via ownCloud config.php configuration.

Examples:

owncloud__apps_config:

  ## Set the default quota for all users which don’t have more explicit
  ## quota settings to 100 MB.
  files:
    default_quota: '100 MB'

  ## Disable Federated Cloud Sharing:
  ## * Allow users on this server to send shares to other servers
  ## * Allow users on this server to receive shares from other servers
  core:
    incoming_server2server_share_enabled: 'no'
    outgoing_server2server_share_enabled: 'no'
  files_sharing:
    incoming_server2server_share_enabled: 'no'
    outgoing_server2server_share_enabled: 'no'

  ## Disable Federation:
  ## * Add server automatically once a federated share was created successfully
  federation:
    autoAddServers: '0'

Refer to the official ownCloud documentation for details.

owncloud__role_apps_config

See ownCloud applications configuration. Role dictionary of ownCloud application settings. This variable is a set of optional settings for ownCloud recommended by the maintainers of this role.

owncloud__role_apps_config:
  documents:
    enabled: '{{ "yes" if (owncloud__app_documents_enabled | bool) else "no" }}'
    converter: 'local'

  password_policy:
    ## Default is 6 as of Nextcloud 11 which is not state of the art.
    ## Default is 8 as of Nextcloud 12+.
    ## https://github.com/nextcloud/password_policy/blob/master/lib/PasswordPolicyConfig.php
    minLength: 8
owncloud__apps_config

See ownCloud applications configuration. Global dictionary of ownCloud application settings. This variable is intended to be used in Ansible’s global inventory. More specific variables can overrule less specific variables.

owncloud__apps_config: {}
owncloud__group_apps_config

See ownCloud applications configuration. Group dictionary of ownCloud application settings. This variable is intended to be used in a host inventory group of Ansible (only one host group is supported).

owncloud__group_apps_config: {}
owncloud__host_apps_config

See ownCloud applications configuration. Host dictionary of ownCloud application settings. This variable is intended to be used in the inventory of hosts.

owncloud__host_apps_config: {}
owncloud__dependent_apps_config

See ownCloud applications configuration. This variable is intended to be used from other Ansible roles, for usage as a dependent role.

owncloud__dependent_apps_config: {}
owncloud__apps_config_combined

See ownCloud applications configuration. Variable which combines all of the apps variables and is used in the configuration template.

owncloud__apps_config_combined: '{{ owncloud__dependent_apps_config
                                    | combine(owncloud__role_apps_config,
                                              owncloud__apps_config,
                                              owncloud__group_apps_config,
                                              owncloud__host_apps_config) }}'
owncloud__app_documents_enabled

Whether the ownCloud documents application should be enabled. Not enabled by default because, as of ownCloud 9.0, the application is not shipped by default. Note that this will install LibreOffice plus dependencies on the server.

owncloud__app_documents_enabled: False
owncloud__app_documents_libreoffice_enabled

Should LibreOffice be installed on the server so that the documents app can work with proprietary document formats such as Microsoft Office?

owncloud__app_documents_libreoffice_enabled: False

External storage

Refer to the External storage section for more details.

owncloud__smb_support

Should SMB/CIFS be supported by installing the required system packages and enabling the required ownCloud application?

owncloud__smb_support: False

ownCloud raw occ commands

List of occ commands to run. It can be used to enable apps, add users and more which can be useful when deploying ownCloud.

Examples:

owncloud__occ_cmd_list:

  - command: 'app:enable external'

  - command: 'app:install calendar'
    when: '{{ owncloud__variant in ["nextcloud"] and owncloud__release is version_compare("13.0", ">=") }}'
  - command: 'app:enable calendar'

  ## Create an additional admin account. The password is passed through the
  ## environment (OC_PASS) so that it does not appear in the process list.
  - command: 'user:add --password-from-env --display-name="Administrator" --group="admin" admin'
    env:
      OC_PASS: "{{ lookup('password', secret + '/credentials/' +
                   inventory_hostname + '/owncloud/admin/' + 'admin' +
                   '/password length=' + (owncloud__password_length | string)) }}"

  ## Create a regular user. Note that you probably want to use an existing
  ## user database like LDAP.
  - command: 'user:add --password-from-env --display-name="Normal user" user'
    when: '{{ owncloud__release is version_compare("8.1", ">=") }}'
    env:
      OC_PASS: "{{ lookup('password', secret + '/credentials/' +
                   inventory_hostname + '/owncloud/users/' + 'user' +
                   '/password length=' + (owncloud__password_length | string)) }}"

Refer to the official ownCloud documentation for details.

owncloud__role_occ_cmd_list

Default list of occ commands to run. These commands are provided by the role to automate certain tasks. See ownCloud raw occ commands.

owncloud__role_occ_cmd_list:
  ## Disable the updater because it does not work anyway with the way ownCloud
  ## is setup by this role using packages.
  ## Since ownCloud 9 it is called `updatenotification`.
  - command: 'app:disable updater'
    when: '{{ owncloud__release is version_compare("8.2", "<=") }}'  # noqa jinja[spacing]

  - command: 'app:enable user_ldap'
    when: '{{ owncloud__ldap_enabled | bool }}'  # noqa jinja[spacing]

  - command: 'app:enable files_external'
    when: '{{ owncloud__smb_support | bool }}'  # noqa jinja[spacing]
owncloud__occ_cmd_list

See ownCloud raw occ commands. This variable is intended to be used in Ansible’s global inventory.

owncloud__occ_cmd_list: []
owncloud__group_occ_cmd_list

See ownCloud raw occ commands. This variable is intended to be used in a host inventory group of Ansible (only one host group is supported).

owncloud__group_occ_cmd_list: []
owncloud__host_occ_cmd_list

See ownCloud raw occ commands. This variable is intended to be used in the inventory of hosts.

owncloud__host_occ_cmd_list: []
owncloud__dependent_occ_cmd_list

See ownCloud raw occ commands. This variable is intended to be used from other Ansible roles, for usage as a dependent role.

owncloud__dependent_occ_cmd_list: []
owncloud__occ_bin_file_path

Where the occ wrapper script should be installed.

owncloud__occ_bin_file_path: '{{ (ansible_local.fhs.bin | d("/usr/local/bin"))
                                 + "/occ" }}'

ownCloud user files

These lists allow you to manage files for ownCloud users, either by copying files from the Ansible Controller or providing the contents directly in Ansible inventory. You can use all parameters supported by the Ansible ansible.builtin.copy module.

See owncloud__user_files for more details.

owncloud__user_files

Manage ownCloud user files on all hosts in Ansible’s inventory.

owncloud__user_files: []
owncloud__user_files_group

Manage ownCloud user files on hosts in a specific Ansible inventory group.

owncloud__user_files_group: []
owncloud__user_files_host

Manage ownCloud user files on specific hosts in Ansible’s inventory.

owncloud__user_files_host: []

LDAP authentication

Refer to the official ownCloud documentation and to the External users section for more details.

owncloud__ldap_enabled

Enable LDAP support. ownCloud supports multiple LDAP servers but this role configures only the default one. If you need something more complex you can use owncloud__occ_cmd_list.

owncloud__ldap_enabled: '{{ True
                            if (ansible_local | d() and ansible_local.ldap | d() and
                                (ansible_local.ldap.enabled | d()) | bool)
                            else False }}'
owncloud_ldap_update_settings

Ensure that the settings listed in owncloud__ldap_combined_config are up-to-date on the remote system. Set to False to only configure LDAP settings in ownCloud when ownCloud currently has no LDAP configuration.

owncloud_ldap_update_settings: True
owncloud__ldap_base_dn

The base Distinguished Name which should be used to create Distinguished Names of the LDAP directory objects, defined as a YAML list. If this variable is empty, automated Nextcloud LDAP configuration will not be performed.

owncloud__ldap_base_dn: '{{ ansible_local.ldap.base_dn | d([]) }}'
owncloud__ldap_base_groups_dn

The base Distinguished Name where Nextcloud will look for groups.

owncloud__ldap_base_groups_dn: '{{ owncloud__ldap_base_dn | join(",") }}'
owncloud__ldap_base_users_dn

The base Distinguished Name where Nextcloud will look for users.

owncloud__ldap_base_users_dn: '{{ owncloud__ldap_base_dn | join(",") }}'
owncloud__ldap_device_dn

The Distinguished Name of the current host LDAP object, defined as a YAML list. It will be used as a base for the Nextcloud service account LDAP object. If the list is empty, the role will not create the account LDAP object automatically.

owncloud__ldap_device_dn: '{{ ansible_local.ldap.device_dn | d([]) }}'
owncloud__ldap_self_rdn

The Relative Distinguished Name of the account LDAP object used by the Nextcloud service to access the LDAP directory.

owncloud__ldap_self_rdn: 'uid=nextcloud'
owncloud__ldap_self_object_classes

List of the LDAP object classes which will be used to create the LDAP object used by the Nextcloud service to access the LDAP directory.

owncloud__ldap_self_object_classes: [ 'account', 'simpleSecurityObject' ]
owncloud__ldap_self_attributes

YAML dictionary that defines the attributes of the LDAP object used by the Nextcloud service to access the LDAP directory.

owncloud__ldap_self_attributes:
  uid: '{{ owncloud__ldap_self_rdn.split("=")[1] }}'
  userPassword: '{{ owncloud__ldap_bindpw }}'
  host: '{{ [ansible_fqdn, ansible_hostname] | unique }}'
  description: 'Account used by the "Nextcloud" service to access the LDAP directory'
owncloud__ldap_binddn

The Distinguished Name of the account LDAP object used by the Nextcloud service to bind to the LDAP directory.

owncloud__ldap_binddn: '{{ ([owncloud__ldap_self_rdn] + owncloud__ldap_device_dn) | join(",") }}'
owncloud__ldap_bindpw

The password stored in the account LDAP object used by the Nextcloud service to bind to the LDAP directory.

owncloud__ldap_bindpw: '{{ (lookup("password", secret + "/ldap/credentials/"
                                   + owncloud__ldap_binddn | to_uuid + ".password length=32 "
                                   + "chars=ascii_letters,digits,!@_#$%^&*"))
                           if owncloud__ldap_enabled | bool
                           else "" }}'
owncloud__ldap_uri

List of LDAP URIs that point to the directory servers which should be used by Nextcloud.

owncloud__ldap_uri: '{{ ansible_local.ldap.uri | d([]) }}'
owncloud__ldap_primary_server

The primary LDAP server URI to use.

owncloud__ldap_primary_server: '{{ owncloud__ldap_uri | first }}'
owncloud__ldap_method

The LDAP connection method to use: tls (recommended; STARTTLS on the plain LDAP port, which is what the ldapTLS option in owncloud__ldap_default_config enables), ssl (LDAPS on port 636) or plain (discouraged; the bind password and all directory traffic are sent unencrypted).

owncloud__ldap_method: 'tls'
owncloud__ldap_port

The TCP port to use for LDAP connections.

owncloud__ldap_port: '{{ 636 if (owncloud__ldap_method in ["ssl"]) else 389 }}'
owncloud__ldap_user_display_name

The attribute that should be used as display name in ownCloud. Refer to the official ownCloud documentation for details.

owncloud__ldap_user_display_name: 'cn'
owncloud__ldap_user_filter

Use this to control which LDAP users are listed as ownCloud users on your ownCloud server. Refer to the official ownCloud documentation for details.

owncloud__ldap_user_filter: '(|
                               (objectclass=inetOrgPerson)
                             )'
owncloud__ldap_user_filter_objectclass

Object class recorded for the filter assistant in the web interface. The filter actually applied when listing users is owncloud__ldap_user_filter. Refer to the official ownCloud documentation for details.

owncloud__ldap_user_filter_objectclass: 'inetOrgPerson'
owncloud__ldap_group_filter

Filter that selects the LDAP groups exposed to Nextcloud. By default only groupOfNames entries flagged with nextcloudEnabled=true are used; nextcloudEnabled is not a standard LDAP attribute, so the directory schema has to define it. Refer to the official ownCloud documentation for details.

owncloud__ldap_group_filter: '(&
                                (objectClass=groupOfNames)
                                (nextcloudEnabled=true)
                              )'
owncloud__ldap_group_filter_groups

Group names recorded for the filter assistant in the web interface; the effective filter is owncloud__ldap_group_filter. Refer to the official ownCloud documentation for details.

owncloud__ldap_group_filter_groups: ''
owncloud__ldap_group_filter_objectclass

Object class recorded for the filter assistant in the web interface. Note that the effective owncloud__ldap_group_filter selects groupOfNames entries, not posixGroup entries; this value does not change what is matched. Refer to the official ownCloud documentation for details.

owncloud__ldap_group_filter_objectclass: 'posixGroup'
owncloud__ldap_login_filter

The settings in the Login Filter tab determine which LDAP users can log in to your ownCloud system. With the default filter, users can log in using their usernames from the uid attribute, as well as their e-mail addresses defined using the mail attribute. In either case, users need to have access to the Nextcloud service defined by the authorizedService attribute.

The entryUUID attribute search is required to perform password modify extended operations.

owncloud__ldap_login_filter: '(&
                                (objectclass=inetOrgPerson)
                                (|
                                  (uid=%uid)
                                  (|
                                    (mail=%uid)
                                    (entryUUID=%uid)
                                  )
                                )
                                (|
                                  (authorizedService=all)
                                  (authorizedService=nextcloud)
                                  (authorizedService=owncloud)
                                  (authorizedService=web:public)
                                )
                              )'
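The following Python script is an added example, not code from the role or from Nextcloud, showing what the default group filter and login filter above select. It parses the subset of RFC 4515 these filters use, evaluates it against constructed entries, and escapes the value substituted for %uid the way Nextcloud's user_ldap backend does, so that a login name such as * cannot turn (uid=%uid) into a presence filter matching every user. Two simplifications are assumed: whitespace between filter components is ignored, and all comparisons are case-insensitive.

```python
import re

# Filters copied from the role defaults above; %uid is replaced with the login name.
LOGIN_FILTER = """(&
  (objectclass=inetOrgPerson)
  (|
    (uid=%uid)
    (|
      (mail=%uid)
      (entryUUID=%uid)
    )
  )
  (|
    (authorizedService=all)
    (authorizedService=nextcloud)
    (authorizedService=owncloud)
    (authorizedService=web:public)
  )
)"""
GROUP_FILTER = "(&(objectClass=groupOfNames)(nextcloudEnabled=true))"

# RFC 4515 escapes for the characters that would otherwise alter the filter structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """Escape a value before substituting it for %uid (user_ldap does the same)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def parse_filter(text):
    """Parse (&...), (|...), (!...), (attr=value) and (attr=*). Whitespace between
    components is skipped, a simplification for the role's multi-line YAML filters."""
    pos = 0

    def skip_ws():
        nonlocal pos
        while pos < len(text) and text[pos].isspace():
            pos += 1

    def node():
        nonlocal pos
        skip_ws()
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        skip_ws()
        if text[pos] in "&|!":
            op, children = text[pos], []
            pos += 1
            skip_ws()
            while text[pos] != ")":
                children.append(node())
                skip_ws()
            pos += 1
            return (op, children)
        end = text.index(")", pos)
        attr, value = text[pos:end].split("=", 1)
        pos = end + 1
        return ("=", attr.strip().lower(), value.strip())

    tree = node()
    skip_ws()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree

def matches(tree, entry):
    """entry maps lower-cased attribute names to value lists. Comparisons are
    case-insensitive, like the caseIgnore matching rules of uid, mail and objectClass."""
    op = tree[0]
    if op == "=":
        _, attr, raw = tree
        values = entry.get(attr, [])
        if raw == "*":                                  # presence filter
            return bool(values)
        wanted = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
        return any(v.lower() == wanted.lower() for v in values)
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    return not matches(tree[1][0], entry)               # "!"

def make_entry(**attrs):
    """Constructed LDAP entry; scalar values are wrapped in lists."""
    return {k.lower(): v if isinstance(v, list) else [v] for k, v in attrs.items()}

def can_login(entry, login, escape=True):
    """Does the login filter, with %uid replaced by `login`, match the entry?"""
    value = escape_filter_value(login) if escape else login
    return matches(parse_filter(LOGIN_FILTER.replace("%uid", value)), entry)

# Constructed sample entries (not taken from any real directory).
ALICE = make_entry(objectClass=["inetOrgPerson", "posixAccount"], uid="alice",
                   mail="alice@example.org", authorizedService=["nextcloud", "shell"])
BOB = make_entry(objectClass="inetOrgPerson", uid="bob", mail="bob@example.org",
                 authorizedService="shell")             # not authorised for the service
ADMINS = make_entry(objectClass="groupOfNames", cn="admins", nextcloudEnabled="TRUE",
                    member="uid=alice,ou=People,dc=example,dc=org")
```

BOB is a valid inetOrgPerson with a uid and a mail address, but none of his authorizedService values is accepted by the filter, so can_login(BOB, "bob") is False regardless of the password: this is the per-service access gate the text above refers to. With escape=False, can_login(ALICE, "*") becomes True because (uid=*) matches any entry that has a uid at all, which is why the substituted value must always be escaped.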
owncloud__ldap_login_filter_attributes

Attributes recorded for the login filter assistant in the web interface; the effective filter is owncloud__ldap_login_filter. Refer to the official ownCloud documentation for details.

owncloud__ldap_login_filter_attributes: ''
owncloud__ldap_group_assoc_attribute

Attribute which ownCloud uses to match members of the group.

Possible values:

memberUid

Useful for OpenLDAP with posixGroup objects. The attribute contains only the uid of the user, not the DN.

uniqueMember

Attribute contains the full DN of the user (groupOfUniqueNames).

member

Attribute contains the full DN of the user (groupOfNames, also used by Active Directory). This matches the default owncloud__ldap_group_filter, which selects groupOfNames entries. If the group filter is changed to select posixGroup entries, set this to memberUid as well; with a mismatched pair the groups will appear empty.

owncloud__ldap_group_assoc_attribute: 'member'
owncloud__home_folder_naming_rule

By default, the ownCloud server creates the user directory in your ownCloud data directory and gives it the ownCloud username, e.g. /var/www/owncloud/data/alice. You may want to override this setting and name it after an LDAP attribute value. The attribute can also return an absolute path, e.g. /mnt/storage43/alice. Leave it empty for the default behaviour. Refer to the official ownCloud documentation for details.

owncloud__home_folder_naming_rule: 'attr:uid'

Advanced settings

owncloud__ldap_cache_ttl

A cache is introduced to avoid unnecessary LDAP traffic, for example caching usernames so they don’t have to be looked up for every page, and speeding up loading of the Users page. Saving the configuration empties the cache. The time is given in seconds.

Note that almost every PHP request requires a new connection to the LDAP server. If you require fresh PHP requests we recommend defining a minimum lifetime of 15s or so, rather than completely eliminating the cache.

Refer to the official ownCloud documentation for details.

owncloud__ldap_cache_ttl: '600'

Expert settings

owncloud__ldap_expert_username_attr

The internal username is the identifier in ownCloud for LDAP users. By default it will be created from the UUID attribute. The UUID attribute ensures that the username is unique, and that characters do not need to be converted. Only these characters are allowed: [a-zA-Z0-9_.@-]. Other characters are replaced with their ASCII equivalents, or are simply omitted.

The LDAP backend ensures that there are no duplicate internal usernames in ownCloud, i.e. that it is checking all other activated user backends (including local ownCloud users). On collisions a random number (between 1000 and 9999) will be attached to the retrieved value. For example, if alice exists, the next username may be alice_1337.

The internal username is the default name for the user home folder in ownCloud. It is also a part of remote URLs, for instance for all DAV services.

You can override all of this with the Internal Username setting. Leave it empty for default behaviour. Changes will affect only newly mapped LDAP users.

For a Microsoft Windows environment, putting this:

owncloud__ldap_expert_username_attr: 'sAMAccountName'

in your inventory might come in handy to use the user names from AD as user names in ownCloud.

owncloud__ldap_expert_username_attr: ''
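As an added illustration, not Nextcloud's own implementation, the following Python functions reproduce the rules described above: reduce the attribute value to the allowed character set [a-zA-Z0-9_.@-], replacing characters with an ASCII equivalent where one exists and omitting the rest, and on a collision with any existing account append an underscore and a random number between 1000 and 9999. The set of existing names, the retry bound and the injectable number source are assumptions of the example.

```python
import re
import secrets
import unicodedata

# Only these characters may appear in an internal username (from the text above).
_DISALLOWED = re.compile(r"[^a-zA-Z0-9_.@-]")

def sanitize_username(value):
    """Map characters outside the allowed set to their ASCII equivalent where one
    exists (NFKD decomposition with combining marks dropped) and omit the rest."""
    ascii_form = unicodedata.normalize("NFKD", value).encode("ascii", "ignore").decode("ascii")
    return _DISALLOWED.sub("", ascii_form)

def internal_username(value, existing, pick=lambda: secrets.randbelow(9000) + 1000):
    """Return a free internal username for the LDAP attribute value.

    `existing` stands in for the names already taken across all enabled user
    backends (LDAP-mapped and local accounts). On a collision a random number
    between 1000 and 9999 is appended; `pick` is injectable so tests can fix it.
    The retry bound is an assumption of this example."""
    name = sanitize_username(value)
    if not name:
        raise ValueError("attribute value sanitises to an empty username")
    if name not in existing:
        return name
    for _ in range(100):
        candidate = f"{name}_{pick()}"
        if candidate not in existing:
            return candidate
    raise RuntimeError(f"no free username found for {name!r}")
```

Because the suffix is random, two deployments mapping the same directory produce different internal usernames for colliding accounts, and the internal username also becomes the home folder name and part of the DAV URLs; this is why the text warns that changing owncloud__ldap_expert_username_attr affects only newly mapped users.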
owncloud__ldap_config_id

The configuration database configID to use for the LDAP configuration managed by the role.

owncloud__ldap_config_id: '{{ ansible_local.owncloud.ldap_config_id
                              if (ansible_local.owncloud.ldap_config_id | d())
                              else (owncloud__register_ldap_config_id.stdout
                                    if (owncloud__register_ldap_config_id | d() and
                                        owncloud__register_ldap_config_id.stdout | d())
                                    else "") }}'
owncloud__ldap_quota_attribute

The LDAP attribute read by ownCloud/Nextcloud to obtain the user quota. A quota set in LDAP overrides the quota set on the user management page. Like nextcloudEnabled, the default nextcloudQuota attribute is not part of the standard LDAP schemas and has to be defined by the directory schema. Refer to the official ownCloud documentation for details.

owncloud__ldap_quota_attribute: 'nextcloudQuota'
owncloud__ldap_quota_default

User default LDAP quota. Use human-readable values, e.g. "2 GB". Refer to the official ownCloud documentation for details.

owncloud__ldap_quota_default: '10 GB'
owncloud__ldap_default_config

The LDAP configuration options defined by default. See owncloud__ldap_config for more details.

owncloud__ldap_default_config:

  - name: 'ldapHost'
    value: '{{ owncloud__ldap_primary_server }}'

  - name: 'ldapPort'
    value: '{{ owncloud__ldap_port }}'

  - name: 'ldapAgentName'
    value: '{{ owncloud__ldap_binddn }}'

  - name: 'ldapAgentPassword'
    value: '{{ owncloud__ldap_bindpw }}'

  - name: 'ldapBase'
    value: '{{ owncloud__ldap_base_dn | join(",") }}'

  - name: 'ldapBaseGroups'
    value: '{{ owncloud__ldap_base_groups_dn }}'

  - name: 'ldapBaseUsers'
    value: '{{ owncloud__ldap_base_users_dn }}'

  - name: 'ldapEmailAttribute'
    value: 'mail'

  - name: 'ldapExpertUsernameAttr'
    value: '{{ owncloud__ldap_expert_username_attr }}'

  - name: 'ldapConfigurationActive'
    value: '1'

  - name: 'ldapUserDisplayName'
    value: '{{ owncloud__ldap_user_display_name }}'

  - name: 'ldapUserFilter'
    value: '{{ owncloud__ldap_user_filter }}'

  - name: 'ldapUserFilterObjectclass'
    value: '{{ owncloud__ldap_user_filter_objectclass }}'

  - name: 'ldapLoginFilter'
    value: '{{ owncloud__ldap_login_filter }}'

  - name: 'ldapLoginFilterAttributes'
    value: '{{ owncloud__ldap_login_filter_attributes }}'

  - name: 'ldapGroupFilter'
    value: '{{ owncloud__ldap_group_filter }}'

  - name: 'ldapGroupFilterGroups'
    value: '{{ owncloud__ldap_group_filter_groups }}'

  - name: 'ldapGroupFilterObjectclass'
    value: '{{ owncloud__ldap_group_filter_objectclass }}'

  - name: 'ldapGroupMemberAssocAttr'
    value: '{{ owncloud__ldap_group_assoc_attribute }}'

  - name: 'homeFolderNamingRule'
    value: '{{ owncloud__home_folder_naming_rule }}'

  - name: 'ldapCacheTTL'
    value: '{{ owncloud__ldap_cache_ttl }}'

  - name: 'ldapTLS'
    value: '{{ "1" if (owncloud__ldap_method == "tls") else "0" }}'

  - name: 'ldapQuotaAttribute'
    value: '{{ owncloud__ldap_quota_attribute }}'

  - name: 'ldapQuotaDefault'
    value: '{{ owncloud__ldap_quota_default }}'

  - name: 'hasMemberOfFilterSupport'
    value: '1'

  - name: 'turnOnPasswordChange'
    value: '1'

  - name: 'ldapDefaultPPolicyDN'
    value: '{{ (["cn=Default Password Policy", "ou=Password Policies"]
                + owncloud__ldap_base_dn) | join(",") }}'
owncloud__ldap_config

List of custom LDAP configuration options defined for all hosts in the Ansible inventory. Each entry is a dictionary with name and value keys, in the same format as owncloud__ldap_default_config; the entries are appended after the defaults in owncloud__ldap_combined_config.

owncloud__ldap_config: []
owncloud__group_ldap_config

List of custom LDAP configuration options defined on hosts in a specific Ansible inventory group.

owncloud__group_ldap_config: []
owncloud__host_ldap_config

List of custom LDAP configuration options defined on specific hosts in the Ansible inventory.

owncloud__host_ldap_config: []
owncloud__ldap_combined_config

The variable that combines default and user LDAP configuration and is used in the role tasks and templates.

owncloud__ldap_combined_config: '{{ owncloud__ldap_default_config
                                    + owncloud__ldap_config
                                    + owncloud__group_ldap_config
                                    + owncloud__host_ldap_config }}'

ownCloud Mail configuration

Refer to the official ownCloud documentation about config.php and the official ownCloud documentation about email configuration for details.

owncloud__mail_domain

Domain part of the From address used for outgoing mail; it is combined with owncloud__mail_from_address (for example noreply@<domain>). Defaults to the (first) FQDN of the ownCloud instance.

owncloud__mail_domain: '{{ owncloud__fqdn if owncloud__fqdn is string else owncloud__fqdn[0] }}'
owncloud__mail_from_address

From address that overrides the built-in sharing-noreply and lostpassword-noreply from addresses.

owncloud__mail_from_address: 'noreply'
owncloud__mail_smtpmode

Which mode to use for sending mail. Choices are:

  • sendmail

  • smtp

  • qmail

  • php

owncloud__mail_smtpmode: 'sendmail'
owncloud__mail_smtphost

Specify the IP address of your mail server host. This may contain multiple hosts separated by a semi-colon. If you need to specify the port number append it to the IP address separated by a colon, like this: 127.0.0.1:24.

This depends on owncloud__mail_smtpmode.

owncloud__mail_smtphost: 'smtp.{{ owncloud__domain }}'
owncloud__mail_smtpport

Port for sending mail. Can also be specified via owncloud__mail_smtphost. This depends on owncloud__mail_smtpmode.

owncloud__mail_smtpport: '25'
owncloud__mail_conf_map

This configuration ends up in mail.config.php and overrides the values from config.php. Set to:

owncloud__mail_conf_map: {}

if you want to be able to configure/change this via the admin web interface.

owncloud__mail_conf_map:
  mail_domain: '{{ owncloud__mail_domain }}'
  mail_from_address: '{{ owncloud__mail_from_address }}'
  mail_smtpmode: '{{ owncloud__mail_smtpmode }}'
  mail_smtphost: '{{ owncloud__mail_smtphost }}'
  mail_smtpport: '{{ owncloud__mail_smtpport }}'

Theming ownCloud

Refer to the official ownCloud documentation for details. See also ownCloud Trademark Guidelines.

owncloud__theme_active

Name of the theme to activate. Generation of a custom theme can be influenced by the following options.

In case you already have a theme you want to use, you can alternatively provide the theme under /var/www/owncloud/themes/$your_theme_name (for example using debops.resources) and set this variable to $your_theme_name. Note that the role maintainers recommend to let the role assemble your theme. See the following options.

owncloud__theme_active: '{{ "debops"
                            if (owncloud__variant in ["owncloud"])
                            else "" }}'
owncloud__theme_directory_name

Directory name where the custom theme generated by this role will be stored under. This variable has the same format as the owncloud__theme_active option. If you don’t want this role to generate a theme for you, you can set this to an empty string to disable this feature. The generated theme name defaults to debops to allow enabling it via owncloud__theme_active.

owncloud__theme_directory_name: '{{ "debops"
                                    if (owncloud__variant in ["owncloud"])
                                    else "" }}'
owncloud__theme_title

Title of your ownCloud. This variable is included in the HTML title tag on all pages.

owncloud__theme_title: 'DebOps Cloud'
owncloud__theme_name

Name of your ownCloud or software. This is shown when sharing a file/dir as link for example.

owncloud__theme_name: 'DebOps Cloud'
owncloud__theme_name_html

Name of your ownCloud. HTML code can be used in this variable to create hyperlinks for example.

owncloud__theme_name_html: '{{ owncloud__theme_name }}'
owncloud__theme_entity_name

Entity string for your ownCloud. For example the name of your company. This string is used in the footer and the copyright.

owncloud__theme_entity_name: 'DebOps'
owncloud__theme_base_url

Base URL to get more information about your ownCloud. By default, owncloud__theme_entity_name links to this URL on the login page. Use an empty string to use the default URL pointing to the ownCloud website.

owncloud__theme_base_url: 'https://github.com/debops/ansible-owncloud'
owncloud__theme_slogan

Slogan of your ownCloud. This is shown by default at the bottom of the login page. It should not contain <br/> (newline) because at least ownCloud as of version 9.0 cannot automatically adjust to that. Use an empty string to use the default slogan provided by ownCloud.

See the ownCloud Trademark Guidelines section on 'Apps, Product and Service Names, and Compatibility References' for more suggestions.

owncloud__theme_slogan: 'Powered by <a href="{{ owncloud__variant_url_map[owncloud__variant] }}">{{ owncloud__variant_name_map[owncloud__variant] }}</a>'

owncloud__theme_footer_short

Short version of the footer. The value can contain arbitrary PHP and HTML code. You will need to take care of quotes yourself.

owncloud__theme_footer_short: |
  'Setup by <a href="' . $this->getBaseUrl() . '" target="_blank">' . $this->getEntity() . '</a><br/>' .
  '{{ owncloud__theme_slogan }}'

owncloud__theme_footer_long

Long version of the footer. See owncloud__theme_footer_short for details. TODO: What exactly is the difference?

owncloud__theme_footer_long: '{{ owncloud__theme_footer_short }}'

owncloud__theme_doc_link_to_key

Return statement of the buildDocLinkToKey function, which allows you to alter the URL used when referring to the documentation. The value can contain arbitrary PHP and HTML code. You will need to take care of quotes yourself. The reason for not going with the ownCloud default is that it seems to point to 8.0 even for the 9.0.2 release, which looks like a bug.

owncloud__theme_doc_link_to_key: '$this->getDocBaseUrl() . ''/server/{{ owncloud__release }}/go.php?to='' . $key'
owncloud__theme_copy_files

Global dictionary of additional files to place in the theme. This variable is intended to be used in Ansible’s global inventory. More specific variables can overrule less specific variables. The key is the target file path in the ownCloud theme directory. The state value allows to make files absent. All other options correspond to the options of the Ansible ansible.builtin.copy module.

To change the logo on the login page you can use:

owncloud__theme_copy_files:

  'core/img/logo.svg':
    ## Prefer SVG: https://github.com/owncloud/core/issues/5676#issuecomment-27649493
    src: '/src/path/on/your/ansible/controller/logo.svg'

  'core/css/styles.css':
    content: |
      /* Use logo from theme. */
      #header .logo {
        background-image: url('../img/logo.svg');
        width: 250px;
        height: 121px;
      }

in your inventory.

owncloud__theme_copy_files: {}
owncloud__theme_copy_files_host_group

Host group dictionary of additional files to place in the theme. This variable is intended to be used in a host inventory group of Ansible (only one host group is supported). Refer to owncloud__theme_copy_files for more details.

owncloud__theme_copy_files_host_group: {}
owncloud__theme_copy_files_host

Host dictionary of additional files to place in the theme. This variable is intended to be used in the inventory of hosts. Refer to owncloud__theme_copy_files for more details.

owncloud__theme_copy_files_host: {}
owncloud__theme_conf_map

This configuration ends up in theme.config.php and override the values from config.php. Refer to the official ownCloud documentation for details.

owncloud__theme_conf_map:
  theme: '{{ owncloud__theme_active }}'

Webserver

owncloud__http_psk_subpath_enabled

Whether the application should be deployed on a random subpath that acts as a protection of the web app/API from people not knowing this PSK. For a discussion in which scenarios this can make sense, refer to RFC: Support subpath/subdir hosting for additional security.

Warning

This breaks the /.well-known URIs intentionally.

Hint for migration: Nextcloud auto-detects the webroot under which it is being accessed, so it can be served both under the subpath and without it from the same Nginx configuration. This allows a soft migration of all users to the subpath, after which / can be disabled once everyone has moved. The role does not support generating such a webserver configuration, but it is easy to run the role once without and once with the subpath enabled and then merge the rendered Nginx site configurations.

owncloud__http_psk_subpath_enabled: False
owncloud__http_psk_subpath

PSK used as the subpath that acts as the first layer of defense in a defense-in-depth concept, if enabled. Keep in mind that a secret carried in the URL is disclosed to anyone who sees the URL: browser history, bookmarks, Referer headers, shared links and proxy or webserver access logs all expose it. It raises the bar for untargeted scanning but is not a substitute for authentication.

owncloud__http_psk_subpath: '{{ lookup("password", secret + "/credentials/" +
                                  inventory_hostname + "/owncloud/config/subpath chars=ascii_letters,digits length=10")
                                if owncloud__http_psk_subpath_enabled | bool
                                else "" }}'
owncloud__http_psk_subpath_begin_slash

Leading slash plus the subpath. Used to simplify the webserver configuration below.

owncloud__http_psk_subpath_begin_slash: '{{ ("/" + owncloud__http_psk_subpath)
                                          if owncloud__http_psk_subpath_enabled | bool
                                          else "" }}'
owncloud__http_psk_subpath_end_slash

Subpath plus a slash at the end. Used to simplify the webserver config below.

owncloud__http_psk_subpath_end_slash: '{{ (owncloud__http_psk_subpath + "/")
                                          if owncloud__http_psk_subpath_enabled | bool
                                          else "" }}'
owncloud__webserver

Variable containing the webserver which should be used. Refer to Getting started for how to switch webservers.

owncloud__webserver: '{{ ansible_local.owncloud.webserver
                         | d("apache"
                             if (ansible_local.apache.enabled | d() | bool)
                             else ("nginx"
                                   if (ansible_local.nginx.enabled | d() | bool)
                                   else "no-webserver-detected")) }}'
owncloud__apache_modules

List of additional Apache modules to enable for ownCloud (none by default). Refer to Getting started for how to switch webservers. TODO: Enable on Debian package scripts to ensure that the PHP module is enabled as the name of the module is not deterministic with php5 and php7.0.

owncloud__apache_modules: []
owncloud__nginx_client_body_temp_path

Defines the directory where Nginx will temporarily store files holding client request bodies. Refer to the Nginx documentation for details.

The default (empty string) leaves the webserver default unchanged. TODO: Confirm that this variable does what it says.

owncloud__nginx_client_body_temp_path: ''
owncloud__nginx_access_log_assets

Should the access to assets be logged by nginx?

owncloud__nginx_access_log_assets: True

PHP

owncloud__php_temp_path

Directory which PHP will use as temp directory.

In case /tmp has limited space (for example is a ramdisk) or is otherwise restricted then it is recommended to change the temp directory which PHP uses to a path with more space available. This directory is used to cache uploaded files when using Apache. See also owncloud__temp_path.

Empty string will not change the temp directory of PHP.

owncloud__php_temp_path: ''
owncloud__php_output_buffering

Output buffering set in PHP, with the amount given in megabytes. The default '0' disables output buffering, as recommended upstream for large file uploads. Refer to the official ownCloud documentation for details.

owncloud__php_output_buffering: '0'
owncloud__php_max_children

Max children processes to run in php fpm. FIXME: Check if default of debops.php might be sufficient.

owncloud__php_max_children: '50'

Role-dependent configuration

owncloud__apt_preferences__dependent_list

Configuration for the debops.apt_preferences role.

owncloud__apt_preferences__dependent_list:

  - package: 'php5-apcu'
    backports: [ 'trusty' ]
    reason: 'ownCloud requires at least APCu version 4.0.6.'
    by_role: 'debops.owncloud'
    state: '{{ owncloud__deploy_state }}'
owncloud__apt_preferences__dependent_list_optional

Optional configuration for the debops.apt_preferences role. Only required when APT preference presets from the debops.apt_preferences role are used.

owncloud__apt_preferences__dependent_list_optional:

  - package: 'owncloud owncloud*'
    reason: 'Use download.owncloud.org even when foreign sources are disabled by global APT preferences.'
    pin: 'origin "download.owncloud.org"'
    priority: 995
    by_role: 'debops.owncloud'
    state: '{{ "present"
               if (owncloud__variant in ["owncloud"] and
                   owncloud__deploy_state == "present")
               else "absent" }}'
owncloud__keyring__dependent_apt_keys

APT key configuration for the debops.keyring Ansible role.

owncloud__keyring__dependent_apt_keys:

  - id: '{{ owncloud__apt_repo_key_id }}'
    state: '{{ "present" if (owncloud__variant in ["owncloud"]) else "absent" }}'

    # Old or unused OpenPGP public keys specified by fingerprint which were
    # previously used to sign the APT repository.
    # The keys listed here are ensured to be absent to reduce the risk if one of
    # the keys gets compromised.
  - id: 'F9EA4996747310AE79474F44977C43A8BA684223'
    state: 'absent'

  - id: 'BCECA90325B072AB1245F739AB7C32C35180350A'
    state: 'absent'
owncloud__keyring__dependent_gpg_keys

GPG key configuration for the debops.keyring Ansible role.

owncloud__keyring__dependent_gpg_keys:

  - user: '{{ owncloud__system_user }}'
    group: '{{ owncloud__system_group }}'
    home: '{{ owncloud__system_home }}'
    id: '{{ owncloud__upstream_key_fingerprint }}'
    state: '{{ "present" if (owncloud__variant in ["nextcloud"]) else "absent" }}'
owncloud__ldap__dependent_tasks

Configuration for the debops.ldap Ansible role.

owncloud__ldap__dependent_tasks:

  - name: 'Create Nextcloud account for {{ owncloud__ldap_device_dn | join(",") }}'
    dn: '{{ owncloud__ldap_binddn }}'
    objectClass: '{{ owncloud__ldap_self_object_classes }}'
    attributes: '{{ owncloud__ldap_self_attributes }}'
    no_log: '{{ debops__no_log | d(True) }}'
    state: '{{ "present" if owncloud__ldap_device_dn | d() else "ignore" }}'

  - name: 'Enable password management by {{ owncloud__ldap_binddn }}'
    dn: '{{ (["cn=Password Reset Agent", "ou=Roles"] + owncloud__ldap_base_dn) | join(",") }}'
    attributes:
      roleOccupant: '{{ owncloud__ldap_binddn }}'
    state: '{{ "present" if owncloud__ldap_device_dn | d() else "ignore" }}'
owncloud__mariadb__dependent_databases

Configuration of the database managed by the debops.mariadb role.

owncloud__mariadb__dependent_databases:

  - database: '{{ owncloud__database_map[owncloud__database].dbname }}'
    state: '{{ "present" if (owncloud__deploy_state != "purged") else "absent" }}'
owncloud__mariadb__dependent_users

Configuration of the database user managed by the debops.mariadb role.

owncloud__mariadb__dependent_users:

  - database: '{{ owncloud__database_map[owncloud__database].dbname }}'
    user: '{{ owncloud__database_map[owncloud__database].dbuser }}'
    password: '{{ owncloud__database_map[owncloud__database].dbpass }}'
owncloud__postgresql__dependent_roles

Configuration of the database roles managed by the debops.postgresql role.

owncloud__postgresql__dependent_roles:

  - name: '{{ owncloud__database_name }}'  # Separate role is needed when owncloud__database_name != owncloud__database_user
  - name: '{{ owncloud__database_user }}'  # Password is not passed directly - it will be read from the file
owncloud__postgresql__dependent_groups

Configuration of the database groups managed by the debops.postgresql role.

owncloud__postgresql__dependent_groups:

  - roles: [ '{{ owncloud__database_user }}' ]
    groups: [ '{{ owncloud__database_name }}' ]
    database: '{{ owncloud__database_name }}'
    state: '{{ "present" if (owncloud__deploy_state != "purged") else "absent" }}'
owncloud__postgresql__dependent_databases

Configuration of the database managed by the debops.postgresql role.

owncloud__postgresql__dependent_databases:

  - name: '{{ owncloud__database_name }}'
    owner: '{{ owncloud__database_user }}'
owncloud__logrotate__dependent_config

Configuration of the logrotate rule managed by the debops.logrotate role. ownCloud as of version 9.0 does not rotate its log file by default; this could be enabled through the log_rotate_size option in config.php, but logrotate is the default in DebOps.

owncloud__logrotate__dependent_config:

  - filename: '{{ owncloud__variant }}'
    log: '{{ owncloud__data_path + "/" + owncloud__variant + ".log" }}'
    state: '{{ "present" if (owncloud__deploy_state == "present") else "absent" }}'
    options: |
      rotate 12
      weekly
      missingok
      notifempty
      compress
      su {{ owncloud__app_user }} {{ owncloud__app_group }}
      delaycompress
owncloud__apache__dependent_snippets

Apache configuration snippets managed by the debops.apache role. Disable the /etc/apache2/conf-enabled/owncloud.conf which configures ownCloud below /owncloud.

owncloud__apache__dependent_snippets:
  'owncloud':
    enabled: False
    type: 'dont-create'
owncloud__apache__dependent_vhosts

Apache virtual host managed by the debops.apache role.

owncloud__apache__dependent_vhosts:

  - type: 'default'
    name: '{{ owncloud__fqdn }}'
    by_role: 'debops.owncloud'
    filename: 'debops.owncloud'
    root: '{{ owncloud__app_home }}'
    options: '+FollowSymLinks'
    allow_override: 'All'
    root_directives: |  # noqa jinja[spacing]
      <IfModule mod_dav.c>
            Dav off
      </IfModule>

      SetEnv HOME {{ owncloud__app_home }}
      SetEnv HTTP_HOME {{ owncloud__app_home }}

      {# Does not work.
      ## Tested while uploading with:
      ## while true; do df -h /tmp|tail -n 1; sleep 0.1; done
      ## Currently configured in PHP Apache scope: owncloud__php__dependent_configuration
      {% if owncloud__php_temp_path | d() %}
      <IfModule mod_php5.c>
        php_value sys_temp_dir '{{ owncloud__php_temp_path }}'
      </IfModule>
      <IfModule mod_php7.c>
        php_value sys_temp_dir '{{ owncloud__php_temp_path }}'
      </IfModule>
      {% endif %}
      # SetEnv TMPDIR '{{ owncloud__php_temp_path }}'
      #}
    raw_content: |
      <Directory "{{ owncloud__app_home }}/data/">
          # Just in case the .htaccess gets disabled.
          Require all denied
      </Directory>
      {% if owncloud__data_path != (owncloud__app_home + "/data") %}
      <Directory {{ owncloud__data_path | quote }}>
          # Just in case someone changes the global Apache defaults and messes
          # with the "Alias" directive ;)
          Require all denied
      </Directory>
      {% endif %}
    http_sec_headers_directive_options: 'set'
owncloud__nginx__dependent_maps

nginx maps managed by the debops.nginx role.

owncloud__nginx__dependent_maps:

  - name: 'asset_immutable'
    map: '$arg_v $asset_immutable'
    mapping: '"" "";'
    default: 'immutable'
owncloud__nginx_options

Nginx main config block for the application.

owncloud__nginx_options: |-
  add_header X-Download-Options noopen;

  # Remove X-Powered-By, which is an information leak
  fastcgi_hide_header X-Powered-By;

  # Specify how to handle directories -- specifying `/index.php$request_uri`
  # here as the fallback means that Nginx always exhibits the desired behaviour
  # when a client requests a path that corresponds to a directory that exists
  # on the server. In particular, if that directory contains an index.php file,
  # that file is correctly served; if it doesn't, then the request is passed to
  # the front-end controller. This consistent behaviour means that we don't need
  # to specify custom rules for certain paths (e.g. images and other assets,
  # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
  # `try_files $uri $uri/ /index.php$request_uri`
  # always provides the desired behaviour.
  index index.php index.html /index.php$request_uri;

  # Set max upload size and increase upload timeout:
  client_max_body_size {{ owncloud__upload_size }};
  client_body_timeout 300s;
  {% if owncloud__nginx_client_body_temp_path %}
  client_body_temp_path '{{ owncloud__nginx_client_body_temp_path }}';
  {% endif %}
  fastcgi_buffers 64 4K;

  {% if owncloud__app_user_webfinger_support | bool %}
  rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
  rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
  {% endif %}

  {% if owncloud__variant == "nextcloud" %}
  # Enable gzip but do not remove ETag headers
  gzip on;
  gzip_vary on;
  gzip_comp_level 4;
  gzip_min_length 256;
  gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
  gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
  {% else %}
  # Disable gzip to avoid the removal of the ETag header
  gzip off;
  {% endif %}

  # Uncomment if your server is built with the ngx_pagespeed module
  # This module is currently not supported.
  #pagespeed off;

  # These settings allow you to optimize the HTTP/2 upload bandwidth.
  # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
  # for tuning hints
  # TODO(ypid): Nginx will be able to autotune this value when the patch gets accepted.
  # DebOps will drop this manual tuning based on Nextcloud recommendation
  # when the Nginx release is available in Debian oldstable.
  client_body_buffer_size 512k;

  {% if not (owncloud__variant == "nextcloud" and
             owncloud__release is version("18.0", ">=")) %}
  error_page            403             /core/templates/403.php;
  error_page            404             /core/templates/404.php;
  {% endif %}

  # Default Cache-Control policy
  expires 1m;


  # Avoid sending the security headers twice, as ownCloud
  # also adds the X-* HTTP headers itself.
  fastcgi_param modHeadersAvailable true;
owncloud__nginx__dependent_servers

nginx server configuration managed by the debops.nginx role.

owncloud__nginx__dependent_servers:

  ## https://docs.nextcloud.com/server/17/admin_manual/installation/nginx.html
  ## Corresponds to 5527a8c1ffc18d614e51ab18b61daccbbb047af9
  ## from https://github.com/nextcloud/documentation.git
  - type: 'default'
    enabled: True
    by_role: 'debops.owncloud'
    filename: 'debops.owncloud'
    name: '{{ owncloud__fqdn }}'
    root: '{{ owncloud__deploy_path }}'
    webroot_create: False
    deny_hidden: False
    favicon: False

    ## Nextcloud has its own maintenance page
    maintenance: '{{ False if (owncloud__variant == "nextcloud") else True }}'

    ## https://docs.nextcloud.com/server/17/admin_manual/issues/general_troubleshooting.html#common-problems-error-messages
    ## DebOps default should be fine.
    # keepalive: '3600'

    robots_tag: [ 'none' ]
    permitted_cross_domain_policies: 'none'
    frame_options: '{{ omit if (owncloud__variant == "nextcloud" and
                                owncloud__release is version("17.0", "<"))
                            else "SAMEORIGIN" }}'

    options: |
      {% if not (owncloud__http_psk_subpath_enabled | bool) %}
      {{ owncloud__nginx_options }}
      {% endif %}

    location_list:
      - pattern: '/'
        options: |-
          deny all;
        enabled: '{{ owncloud__http_psk_subpath_enabled | bool }}'

      - pattern: '= /{{ owncloud__http_psk_subpath }}'
        options: |
          # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
          if ( $http_user_agent ~ ^DavClnt ) {
              return 302 /{{ owncloud__http_psk_subpath_end_slash }}remote.php/webdav/$is_args$args;
          }

          # Not used in the Nginx configuration example of Nextcloud/ownCloud.
          # Needed because `security.limit_extensions` defaults to `.php` in DebOps.
          rewrite ^ /{{ owncloud__http_psk_subpath_end_slash }}index.php;

      - pattern: '= /robots.txt'
        options: |
          allow all;
          log_not_found off;
        enabled: '{{ not (owncloud__http_psk_subpath_enabled | bool) }}'

      - pattern: '^~ /.well-known'
        options: |
          # Make a regex exception for `/.well-known` so that clients can still
          # access it despite the existence of the regex rule
          # `location ~ /(\.|autotest|...)` which would otherwise handle requests
          # for `/.well-known`.

          location = /.well-known/carddav     { return 301 /remote.php/dav/; }
          location = /.well-known/caldav      { return 301 /remote.php/dav/; }
          # Anything else is dynamically handled by Nextcloud
          location ^~ /.well-known            { return 301 /index.php$uri; }

          try_files $uri $uri/ =404;
        enabled: '{{ not (owncloud__http_psk_subpath_enabled | bool) }}'

      - pattern: '~ ^/{{ owncloud__http_psk_subpath_end_slash }}(?:build|tests|config|lib|3rdparty|templates|data)\/'
        options: |
          return 404;

      - pattern: '~ ^/{{ owncloud__http_psk_subpath_end_slash }}(?:\.|autotest|occ|issue|indie|db_|console)'
        options: |
          return 404;

      - pattern: '~ ^/{{ owncloud__http_psk_subpath_end_slash }}.*\.php(?:$|/)'
        options: |  # noqa jinja[spacing]
          # Ensure this block, which passes PHP files to the PHP process, is above the blocks
          # which handle static assets (as seen below). If this block is not declared first,
          # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
          # to the URI, resulting in a HTTP 500 error response.

          # Required for legacy support
          # https://github.com/nextcloud/documentation/pull/2197#issuecomment-721432337
          rewrite ^/{{ owncloud__http_psk_subpath_end_slash }}(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /{{ owncloud__http_psk_subpath_end_slash }}index.php$request_uri;

          # (/.*|): The "or empty" regex alternative is needed for custom
          # subpath because otherwise the whole regex would not match and would
          # not update ${fastcgi_script_name}.
          fastcgi_split_path_info ^{{ owncloud__http_psk_subpath_begin_slash }}(.+?\.php)(/.*|)$;
          set $path_info $fastcgi_path_info;
          {% if owncloud__http_psk_subpath_enabled | bool %}
          set $script_name "{{ owncloud__http_psk_subpath_begin_slash }}${fastcgi_script_name}";
          {% endif %}

          try_files $fastcgi_script_name =404;

          include fastcgi_params;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          {% if owncloud__http_psk_subpath_enabled | bool %}
          fastcgi_param SCRIPT_NAME $script_name;
          {% endif %}
          fastcgi_param PATH_INFO $path_info;
          fastcgi_param HTTPS on;

          fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
          fastcgi_param front_controller_active true;     # Enable pretty urls
          fastcgi_pass php_owncloud;

          fastcgi_intercept_errors on;
          {% if (ansible_local.nginx.version | d("0.0")) is version_compare("1.7.11", '>=') %}
          fastcgi_request_buffering off;
          {% endif %}

          fastcgi_read_timeout {{ owncloud__timeout }};

      - pattern: '~ {{ owncloud__http_psk_subpath_begin_slash }}(/.*\.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite))$'
        options: |
          try_files {{ "$1" if (owncloud__http_psk_subpath_enabled | bool) else "$uri" }} /{{ owncloud__http_psk_subpath_end_slash }}index.php$request_uri;
          add_header Cache-Control "public, max-age=15778463, $asset_immutable";

          {% if not (owncloud__nginx_access_log_assets | bool) %}
          access_log off;
          {% endif %}

          location ~ \.wasm$ {
              default_type application/wasm;
          }

      - pattern: '~ {{ owncloud__http_psk_subpath_begin_slash }}(/.*\.woff2?)$'
        options: |
          try_files {{ "$1" if (owncloud__http_psk_subpath_enabled | bool) else "$uri" }} /{{ owncloud__http_psk_subpath_end_slash }}index.php$request_uri;
          expires 7d;         # Cache-Control policy borrowed from `.htaccess`

          {% if not (owncloud__nginx_access_log_assets | bool) %}
          access_log off;
          {% endif %}

      - pattern: '^~ /{{ owncloud__http_psk_subpath }}'
        options: |
          {{ owncloud__nginx_options }}
        enabled: '{{ owncloud__http_psk_subpath_enabled | bool }}'

      - pattern: '/{{ owncloud__http_psk_subpath_end_slash }}remote'
        options: |
          # Rule borrowed from `.htaccess`
          return 301 /{{ owncloud__http_psk_subpath_end_slash }}remote.php$request_uri;

      - pattern: '/{{ owncloud__http_psk_subpath_end_slash }}'
        options: |
          try_files $uri $uri/ /{{ owncloud__http_psk_subpath_end_slash }}index.php$request_uri;

    ## Not used so that the exact order of locations from the upstream nginx
    ## example can be used.
    # type: 'php'
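The location_list above is only as good as what the deployed server actually answers, so a practitioner wants a post-deployment check that the `return 404` rules really hide `config/`, `data/`, dotfiles and `occ`, and that the `.well-known` redirects land where the CalDAV/CardDAV autodiscovery expects them. The following script is an added example and not code from DebOps, ownCloud or Nextcloud. It assumes `owncloud__http_psk_subpath_enabled` is false (so the `*_slash` placeholders render as empty strings), models only the deny and redirect rules visible in the location_list, and compares the modelled answer with a live `GET`. The `fetch` callable, the `SMOKE_PATHS` list and the host `https://cloud.example.org` are constructed for the example; the regular expressions are the ones from the patterns above with the placeholders removed.

```python
"""Post-deployment smoke test for the location_list above.

Added example, not code from DebOps, ownCloud or Nextcloud. It models
only the deny and redirect rules visible in the location_list, assuming
owncloud__http_psk_subpath is disabled (the *_slash variables render as
empty strings), derives what the server should answer, and compares that
with live responses. ``fetch`` is injectable so the logic runs offline.
"""
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Regexes taken from the location_list patterns with the subpath
# placeholders rendered empty (assumption: no subpath deployment).
DENY_DIRS = re.compile(r"^/(?:build|tests|config|lib|3rdparty|templates|data)/")
DENY_PREFIX = re.compile(r"^/(?:\.|autotest|occ|issue|indie|db_|console)")
PHP_LOCATION = re.compile(r"^/.*\.php(?:$|/)")
# The negative lookahead of the legacy `rewrite` in the PHP location, inverted:
# paths starting with one of these are executed directly, every other .php
# request is rewritten to /index.php$request_uri.
FRONT_CONTROLLER_EXEMPT = re.compile(
    r"^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|"
    r"updater/.+|oc[ms]-provider/.+|.+/richdocumentscode/proxy)")
SPLIT_PATH_INFO = re.compile(r"^(.+?\.php)(/.*|)$")  # fastcgi_split_path_info
WELL_KNOWN_REDIRECTS = {"/.well-known/carddav": "/remote.php/dav/",
                        "/.well-known/caldav": "/remote.php/dav/"}


def split_path_info(uri):
    """Mirror fastcgi_split_path_info: (script_name, path_info) or None.

    The non-greedy group stops at the first `.php`, so an upload such as
    /apps/foo.jpg/x.php yields script_name /apps/foo.jpg/x.php, which the
    following `try_files $fastcgi_script_name =404` rejects because no such
    file exists (the classic PATH_INFO code-execution trick)."""
    m = SPLIT_PATH_INFO.match(uri)
    return (m.group(1), m.group(2)) if m else None


def php_dispatch(path):
    """'direct' if the PHP location executes the script itself,
    'front-controller' if it is rewritten to index.php, None if the
    PHP location does not match ``path`` at all."""
    if not PHP_LOCATION.match(path):
        return None
    return "direct" if FRONT_CONTROLLER_EXEMPT.match(path) else "front-controller"


def expected_response(path):
    """(status, redirect_path) nginx alone should answer for ``path``,
    or None when the request reaches the application."""
    if path in WELL_KNOWN_REDIRECTS:
        return 301, WELL_KNOWN_REDIRECTS[path]
    if path.startswith("/.well-known"):   # `^~` prefix beats the regex denies
        return 301, "/index.php" + path
    if DENY_DIRS.match(path) or DENY_PREFIX.match(path):
        return 404, None
    return None


def live_fetch(url):
    """GET ``url`` without following redirects; return (status, Location)."""
    class _NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None                   # surface 301/302 as HTTPError
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


# Constructed probe list: every entry should be answered by nginx itself.
SMOKE_PATHS = [
    "/config/config.php", "/data/.ocdata", "/3rdparty/composer.json",
    "/.htaccess", "/.git/config", "/occ", "/console.php",
    "/.well-known/carddav", "/.well-known/caldav", "/.well-known/webfinger",
]


def run_smoke_test(base_url, fetch=live_fetch, paths=SMOKE_PATHS):
    """Return the (path, expected, observed) mismatches; empty list = pass.

    Only the path of the Location header is compared because nginx emits
    absolute redirects unless `absolute_redirect off` is configured."""
    failures = []
    for path in paths:
        expected = expected_response(path)
        if expected is None:
            continue
        status, location = fetch(base_url.rstrip("/") + path)
        observed = (status, urlsplit(location).path if location else None)
        if observed != expected:
            failures.append((path, expected, observed))
    return failures


if __name__ == "__main__":
    import sys
    for failure in run_smoke_test(sys.argv[1]):   # e.g. https://cloud.example.org
        print("MISMATCH %s: expected %s, observed %s" % failure)
```

Run it as `python3 smoke.py https://cloud.example.org` after the play has finished; any printed mismatch means either a path that the `return 404` rules should hide is reachable, or a `.well-known` redirect is missing, which is exactly what breaks CalDAV/CardDAV client autodiscovery. For a deployment with `owncloud__http_psk_subpath_enabled`, the three regexes and the redirect targets have to be prefixed with the subpath in the same way the Jinja templates above do it.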
owncloud__nginx__dependent_upstreams

PHP upstream server configuration managed by the debops.nginx role.

owncloud__nginx__dependent_upstreams:

  - name: 'php_owncloud'
    by_role: 'debops.owncloud'
    enabled: True
    state: '{{ owncloud__deploy_state }}'
    type: 'php'
    php_pool: 'owncloud'
owncloud__php__dependent_packages

List of PHP packages to install using the debops.php role.

owncloud__php__dependent_packages:

  - '{{ owncloud__base_php_packages }}'
  - '{{ owncloud__optional_php_packages }}'
  - '{{ ["libapache2-mod-php"] if (owncloud__webserver == "apache") else [] }}'
owncloud__php__dependent_configuration

php.ini configuration managed by the debops.php role.

owncloud__php__dependent_configuration:

  - filename: '10-owncloud'
    by_role: 'debops.owncloud'
    state: '{{ "present" if (((owncloud__apcu_enabled | bool) and (owncloud__release is match("8\.1"))) or
            ((owncloud__variant in ["nextcloud"]) and
            (owncloud__release is version_compare("21.0", ">="))))
            else "absent" }}'
    options: |
      ; Workaround for: https://github.com/owncloud/core/issues/17329
      apc.enable_cli = 1

  - filename: '30-owncloud-opcache'
    by_role: 'debops.owncloud'
    state: '{{ "present"
               if (owncloud__variant in ["nextcloud"] and owncloud__release is version_compare("12.0", ">="))
               else "absent" }}'
    options: |
      ; https://docs.nextcloud.com/server/25/admin_manual/installation/server_tuning.html#enable-php-opcache
      ; https://github.com/nextcloud/docker/blob/master/25/fpm/Dockerfile

      [opcache]

      opcache.enable=1
      opcache.enable_cli=1
      opcache.interned_strings_buffer=16
      opcache.max_accelerated_files=10000
      opcache.memory_consumption=128
      opcache.save_comments=1
      opcache.revalidate_freq=60

  - filename: 'debops.owncloud'
    path: 'apache2/conf.d/'
    by_role: 'debops.owncloud'
    state: '{{ (owncloud__php_temp_path | d() and owncloud__webserver == "apache") | ternary("present", "absent") }}'
    sections:

      - options: |
          ## TODO: Could not be configured on Apache vhost scope.
          sys_temp_dir = {{ owncloud__php_temp_path | quote }}
owncloud__php__dependent_pools

PHP pools managed by the debops.php role. Refer to the official ownCloud documentation for details.

owncloud__php__dependent_pools:
  name: 'owncloud'
  by_role: 'debops.owncloud'
  user: '{{ owncloud__app_user }}'
  group: '{{ owncloud__app_group }}'
  pm_max_children: '{{ owncloud__php_max_children }}'

  ## Override the DebOps default to ensure that long-running sync jobs
  ## don't get killed.
  ## https://secure.php.net/manual/en/install.fpm.configuration.php
  request_terminate_timeout: '{{ owncloud__timeout }}'

  ## This is sometimes seen in other people's ownCloud configurations.
  ## The role maintainers could not yet verify whether it is really needed.
  # rlimit_files: '131072'
  # rlimit_core: 'unlimited'

  ## https://github.com/owncloud/core/blob/master/.user.ini
  ## https://github.com/nextcloud/server/blob/master/.user.ini
  php_values:
    ## https://secure.php.net/manual/en/outcontrol.configuration.php#ini.output-buffering
    output_buffering: '{{ owncloud__php_output_buffering }}'

    ## https://secure.php.net/manual/en/info.configuration.php#ini.upload-max-filesize
    upload_max_filesize: '{{ owncloud__upload_size }}'

    ## https://secure.php.net/manual/en/ini.core.php#ini.post-max-size
    post_max_size: '{{ owncloud__upload_size }}'

    ## https://secure.php.net/manual/de/ini.core.php#ini.memory-limit
    ## Nextcloud now warns if the PHP memory limit is lower than 512 MB.
    memory_limit: '{{ owncloud__upload_size }}'

    ## https://secure.php.net/manual/en/info.configuration.php#ini.max-input-time
    max_input_time: '{{ owncloud__timeout }}'

    ## Refer to: https://secure.php.net/manual/en/info.configuration.php#ini.max-execution-time
    max_execution_time: '{{ owncloud__timeout }}'

  environment:
    # HOSTNAME: '$HOSTNAME'
    # TMP: '/tmp'
    # TMPDIR: '/tmp'
    # TEMP: '/tmp'

    ## Fixes warning (ownCloud 8.1): "The test with getenv('PATH') only returns an empty response"
    PATH: '/usr/local/bin:/usr/bin:/bin'
owncloud__unattended_upgrades__dependent_origins

List of origin patterns managed by the debops.unattended_upgrades role.

owncloud__unattended_upgrades__dependent_origins:

  - origin: 'site=download.owncloud.org'
    by_role: 'debops.owncloud'
    state: 'absent'