defaults/main.yml

---
# .. vim: foldmarker=[[[,]]]:foldmethod=marker

# Default variables
# =================

# .. contents:: Sections
#    :local:
#
# .. include:: includes/all.rst
#
# .. Role maintainer note:
# .. The official ownCloud documentation is also written is RST.
# .. https://github.com/owncloud/documentation/tree/master/admin_manual
# .. https://github.com/nextcloud/documentation/tree/master/admin_manual

# .. Packages and installation [[[1
#
# -----------------------------
#   Packages and installation
# -----------------------------

# .. envvar:: owncloud__base_packages
#
# List of base packages required by ownCloud.
owncloud__base_packages:
  - 'owncloud'
  - '{{ [ ("owncloud-deps-php" + ansible_local.php.version) ]
        if (ansible_local|d() and ansible_local.php|d() and
            ansible_local.php.version|d())
        else [] }}'

  ## https://doc.owncloud.org/server/9.0/admin_manual/installation/source_installation.html
  ## https://doc.owncloud.org/server/9.0/admin_manual/configuration_files/collaborative_documents_configuration.html
  ## FIXME: Is it necessary to install all LibreOffice packages? https://github.com/owncloud/documents#known-issues
  ## Upstream documentation does not specify it more clearly. Installing ``libreoffice`` just to be sure.
  - '{{ [ "libreoffice" ] if (owncloud__app_documents_libreoffice_enabled|bool) else [] }}'

  ## Useful for debugging. Refer to `owncloud__base_php_packages` for the PHP packages
  - '{{ [ "smbclient" ] if (owncloud__smb_support|bool) else [] }}'
  - '{{ [ "libsmbclient" ] if (owncloud__smb_support|bool and owncloud__release | version_compare("9.0", ">=")) else [] }}'


# .. envvar:: owncloud__base_php_packages
#
# List of base PHP packages required by ownCloud.
owncloud__base_php_packages:
  - '{{ [ "apcu" ] if (owncloud__apcu_enabled|bool) else [] }}'
  - '{{ [ "mysql" ] if (owncloud__database in [ "mariadb", "mysql" ]) else [] }}'
  - '{{ [ "pgsql" ] if (owncloud__database in [ "postgresql" ]) else [] }}'
  - '{{ [ "redis" ] if (owncloud__redis_enabled | bool) else [] }}'
  - '{{ [ "ldap" ] if (owncloud__ldap_enabled | bool) else [] }}'

  ## Seems to be required at least for PHP7.0 to fix:
  ## PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php/20151012/redis.so'
  ## - /usr/lib/php/20151012/redis.so: undefined symbol: igbinary_serialize in Unknown on line 0
  - '{{ [ "igbinary" ]
        if (not (ansible_distribution == "Ubuntu" and (ansible_distribution_version|version_compare("15.10", "<"))))
        else [] }}'

  - '{{ [ "libsmbclient" ] if (owncloud__smb_support|bool and owncloud__release | version_compare("8.9.9", "<=")) else [] }}'

  ## Included in normal PHP installations but require it here because it is
  ## used internally by the role:
  - 'json'


# .. envvar:: owncloud__optional_php_packages
#
# List of optional PHP packages for ownCloud.
owncloud__optional_php_packages:
  - 'imagick'


# .. envvar:: owncloud__packages
#
# List of global packages for ownCloud.
# This variable is intended to be used in Ansible’s global inventory.
owncloud__packages: []


# .. envvar:: owncloud__group_packages
#
# List of group packages for ownCloud.
# This variable is intended to be used in a host inventory group of Ansible
# (only one host group is supported).
owncloud__group_packages: []


# .. envvar:: owncloud__host_packages
#
# List of host packages for ownCloud.
# This variable is intended to be used in the inventory of hosts.
owncloud__host_packages: []


# .. envvar:: owncloud__dependent_packages
#
# List of APT packages to install for other Ansible roles, for usage as
# a dependent role.
owncloud__dependent_packages: []


# .. envvar:: owncloud__deploy_state
#
# What is the desired state which this role should achieve? Possible options:
#
# ``present``
#   Default. Ensure that ownCloud is installed and configured as requested.
#
# ``absent``
#   Ensure that owncloud is uninstalled and it's configuration is removed.
#   Not fully supported yet.
#   FIXME: This would remove all packages that are installed by the role!
#   Package lists need to be split.
#
owncloud__deploy_state: 'present'


# .. ownCloud upgrades [[[1
#
# ---------------------
#   ownCloud upgrades
# ---------------------

# .. envvar:: owncloud__auto_database_upgrade_enabled
#
# On each update of ownCloud, a database update must be performed before
# ownCloud can be used again.
# The ownCloud package maintainers have not automated this setup so that even
# security upgrades can not be installed unattended.
#
# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/9.0/admin_manual/maintenance/package_upgrade.html#upgrade-quickstart>`__ for details.
#
# When this option is set to ``True``, the role enables a hook script for
# :command:`dpkg` so that when :command:`dpkg` upgrades ownCloud, the database upgrade is
# automatically performed.
#
# Change to ``False`` when you want to do database upgrades manually after upgrading the ownCloud packages.
#
# .. note:: :envvar:`owncloud__auto_database_upgrade_enabled` depends on
#    automatic database upgrades to be enabled.
#
owncloud__auto_database_upgrade_enabled: True


# .. envvar:: owncloud__dpkg_hook_script
#
# File path where the package manager hook script is stored.
owncloud__dpkg_hook_script: '{{
  (ansible_local.root.lib
  if (ansible_local|d() and ansible_local.root|d() and
      ansible_local.root.lib|d())
  else "/usr/local/lib") + "/owncloud_dpkg_hook" }}'


# .. envvar:: owncloud__auto_database_upgrade_migration_test
#
# Whether database schema migration should be simulated before upgrading the production database.
# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/9.0/admin_manual/maintenance/package_upgrade.html#migration-test>`__ for details.
owncloud__auto_database_upgrade_migration_test: True


# .. envvar:: owncloud__auto_database_upgrade_3party_app_disable
#
# Should third party apps by disabled during/after upgrades? The upstream default as of ownCloud 9.0
# is ``True``.
owncloud__auto_database_upgrade_3party_app_disable: True


# .. envvar:: owncloud__auto_database_upgrade_hook_script_packages_trigger
#
# List of packages for which the package manager hook script should attempt to
# do a database upgrade when :envvar:`owncloud__auto_database_upgrade_enabled`
# is ``True``.
#
# This variable is currently not being used.
# The check if ownCloud needs an upgrade is performed for each
# installed/upgraded package but in an very efficient way.
owncloud__auto_database_upgrade_hook_script_packages_trigger:
  - 'owncloud'


# .. envvar:: owncloud__auto_security_updates_enabled
#
# Whether automatic ownCloud upgrades should be performed by
# ``unattended_upgrades``.
#
# FIXME: Needs more testing before the role maintainers feel confident to enable this by default.
# Refer to: https://github.com/debops/ansible-owncloud/issues/28
owncloud__auto_security_updates_enabled: False


# .. envvar:: owncloud__post_upgrade_hook_role_list
#
# List of script file paths which should be executed after every ownCloud
# update.
# For more information refer to :ref:`owncloud__ref_post_upgrade_hook`.
# This variable is used by this role, controlled by other variables of this
# role.
owncloud__post_upgrade_hook_role_list: []


# .. envvar:: owncloud__post_upgrade_hook_list
#
# List of script file paths which should be executed after every ownCloud
# update.
# For more information refer to :ref:`owncloud__ref_post_upgrade_hook`.
# This variable is intended to be used in Ansible’s global inventory.
owncloud__post_upgrade_hook_list: []


# .. envvar:: owncloud__post_upgrade_hook_group_list
#
# List of script file paths which should be executed after every ownCloud
# update.
# For more information refer to :ref:`owncloud__ref_post_upgrade_hook`.
# This variable is intended to be used in a host inventory group of Ansible
# (only one host group is supported).
owncloud__post_upgrade_hook_group_list: []


# .. envvar:: owncloud__post_upgrade_hook_host_list
#
# List of script file paths which should be executed after every ownCloud
# update.
# For more information refer to :ref:`owncloud__ref_post_upgrade_hook`.
# This variable is intended to be used in the inventory of hosts.
owncloud__post_upgrade_hook_host_list: []


# .. ownCloud source and deployment [[[1
#
# ----------------------------------
#   ownCloud source and deployment
# ----------------------------------

# .. envvar:: owncloud__variant
#
# Which variant of the application should be used?
#
# Supported variants:
#
# * ``owncloud`` (main supported variant and used in production by the role maintainers)
#
# `NextCloud is currently not supported <https://github.com/debops/ansible-owncloud/issues/45>`_.
owncloud__variant: 'owncloud'


# .. envvar:: owncloud__variant_url_map
#
# URL map for :envvar:`owncloud__variant`.
owncloud__variant_url_map:
  owncloud: 'https://owncloud.org/'
  nextcloud: 'https://nextcloud.com/'


# .. envvar:: owncloud__variant_name_map
#
# Name map for :envvar:`owncloud__variant`.
owncloud__variant_name_map:
  owncloud: 'ownCloud'
  nextcloud: 'NextCloud'


# .. envvar:: owncloud__release
#
# Defaults to the latest stable release supported and tested with this role.
# This may not always be the latest stable release.
#
# Supported releases:
#
# * ownCloud ``8.1``
# * ownCloud ``8.2``
# * ownCloud ``9.0`` (main supported version and used in production by the role maintainers)
# * ownCloud ``9.1`` (setup should work but not yet well tested nor used in production by the role maintainers)
#
# Refer to the `ownCloud Maintenance and Release Schedule <https://github.com/owncloud/core/wiki/Maintenance-and-Release-Schedule>`_
# and the `package index <https://download.owncloud.org/download/repositories/>`_ for more details.
owncloud__release: '9.0'


# .. envvar:: owncloud__distribution
#
# Name and version of OS distribution to use for ownCloud packages.
owncloud__distribution: '{{ owncloud__distribution_name + "_" +
                            owncloud__distribution_version }}'


# .. envvar:: owncloud__distribution_name
#
# Name of the OS distribution to use for ownCloud URLs.
owncloud__distribution_name: '{{ ansible_distribution }}'


# .. envvar:: owncloud__distribution_version
#
# Version number of the OS distribution for ownCloud URLs.
owncloud__distribution_version: '{{ (ansible_distribution_major_version + ".0")
                                    if ansible_distribution in [ "Debian" ]
                                    else ansible_distribution_version }}'


# .. envvar:: owncloud__apt_repo_base
#
# Base APT repository URL starting at the authority part.
owncloud__apt_repo_base: 'download.owncloud.org/download/repositories/{{ owncloud__release }}'


# .. envvar:: owncloud__apt_repo_key_id
#
# OpenPGP public key specified by fingerprint which is used to sign the APT
# repository.
owncloud__apt_repo_key_id: 'DDA2C105C4B73A6649AD2BBD47AE7F72479BC94B'


# .. envvar:: owncloud__old_apt_repo_keys
#
# Old or unused OpenPGP public keys specified by fingerprint which where
# previously used to sign the APT repository.
# The keys listed here are ensured to be absent to reduce the risk if one of
# the keys gets compromised.
owncloud__old_apt_repo_keys:
  - 'F9EA4996747310AE79474F44977C43A8BA684223'
  - 'BCECA90325B072AB1245F739AB7C32C35180350A'


# .. envvar:: owncloud__src_remote_dir
#
# File path used to store application sources on the remote system.
# This is currently only used to copy the OpenPGP public key to the remote.
owncloud__src_remote_dir: '{{
  (ansible_local.root.src
  if (ansible_local|d() and ansible_local.root|d() and
      ansible_local.root.src|d())
  else "/usr/local/src") + "/owncloud" }}'


# .. envvar:: owncloud__apt_repo_source
#
# APT ``sources.list`` URL of the ownCloud ``.deb`` repository.
owncloud__apt_repo_source: '{{ "deb http://" + owncloud__apt_repo_base + "/" +
                               owncloud__distribution + "/ /" }}'


# .. envvar:: owncloud__user
#
# User that will be used for the ownCloud instance.
owncloud__user: '{{ ansible_local.nginx.user
                    if (ansible_local|d() and ansible_local.nginx|d() and
                        ansible_local.nginx.user|d())
                    else "www-data" }}'


# .. envvar:: owncloud__group
#
# Group that will be used for the ownCloud instance.
owncloud__group: '{{ owncloud__user }}'


# .. envvar:: owncloud__home
#
# Directory under which ownCloud will be installed.
owncloud__home: '/var/www/owncloud'


# .. envvar:: owncloud__data_path
#
# Path where ownCloud data directory and files are stored.
owncloud__data_path: '{{ owncloud__home }}/data'


# .. envvar:: owncloud__temp_path
#
# Directory which ownCloud will use as temp directory.
#
# In case :file:`/tmp` has limited space (for example is a ramdisk) or is otherwise
# restricted then it is a good idea to change the temp directory that ownCloud
# uses to a path with more space available.
#
# The default (empty string) is to let ownCloud figure out which temp directory
# it should use which probably results in :file:`/tmp/owncloudtemp` unless
# otherwise influenced by environment variables and such.

# See also :envvar:`owncloud__php_temp_path`.
owncloud__temp_path: ''


# .. envvar:: owncloud__deploy_path
#
# Where the ownCloud instance will be deployed (web root).
owncloud__deploy_path: '{{ owncloud__home }}'


# .. In memory caching [[[1
#
# ---------------------
#   In memory caching
# ---------------------
#
# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/9.0/admin_manual/configuration_server/caching_configuration.html>`__ for details.

# .. envvar:: owncloud__apcu_enabled
#
# Whether ``APCu`` should be used for local caching.
# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/9.0/admin_manual/configuration_server/caching_configuration.html#id2>`__ for details.
owncloud__apcu_enabled: True


# .. envvar:: owncloud__redis_enabled
#
# Use Redis for file locking as recommended for small and large installations.
# The default is to auto detect if Redis is enabled on the remote server and in
# that case automatically use it for file locking.
# Note that ownCloud requires version 2.2.5+ of the ``redis`` PHP package. This
# requirement is not meet for Ubuntu trusty (neither in the release repos nor
# in backports) thus Redis will not be enabled automatically by the role.
# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/9.0/admin_manual/configuration_server/caching_configuration.html#id4>`__ for details.
owncloud__redis_enabled: '{{ ansible_local|d() and ansible_local.redis|d() and
                             ansible_local.redis.enabled|d() | bool and
                             (not (ansible_distribution == "Ubuntu" and ansible_distribution_release == "trusty")) }}'


# .. envvar:: owncloud__redis_host
#
# Redis server to use when :envvar:`owncloud__redis_enabled` is ``True``.
owncloud__redis_host: '{{ ansible_local.redis.host
                          if (ansible_local|d() and ansible_local.redis|d() and
                              ansible_local.redis.host|d())
                          else "localhost" }}'


# .. envvar:: owncloud__redis_port
#
# Network port on which the Redis server is listening on.
owncloud__redis_port: '{{ ansible_local.redis.port
                          if (ansible_local|d() and ansible_local.redis|d() and
                              ansible_local.redis.port|d())
                          else "6379" }}'


# .. envvar:: owncloud__redis_password
#
# Redis server authentication password.
owncloud__redis_password: '{{ ansible_local.redis.password
                              if (ansible_local|d() and ansible_local.redis|d() and
                                  ansible_local.redis.password|d())
                              else omit }}'

# .. Database configuration [[[1
#
# --------------------------
#   Database configuration
# --------------------------

# .. envvar:: owncloud__database
#
# ownCloud recommends MySQL or MariaDB as database. Set to ``False`` to use SQLite.
# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/9.0/admin_manual/configuration_database/linux_database_configuration.html>`__ for details.
# See the :envvar:`owncloud__database_map` for the databases support by this role.
owncloud__database: 'mariadb'


# .. envvar:: owncloud__database_server
#
# FQDN of the database server. It will be configured by
# the debops.mariadb_ or debops.postgresql_ role.
owncloud__database_server: '{{ ansible_local[owncloud__database].server }}'


# .. envvar:: owncloud__database_port
#
# Port database is listening on.
owncloud__database_port: '{{ ansible_local[owncloud__database].port }}'


# .. envvar:: owncloud__database_user
#
# Database user to use for ownCloud.
owncloud__database_user: 'owncloud'


# .. envvar:: owncloud__database_name
#
# Name of the database to use for ownCloud.
owncloud__database_name: 'owncloud'


# .. envvar:: owncloud__database_password_path
#
# Path to database password file.
owncloud__database_password_path: '{{ secret + "/" + owncloud__database + "/"
                                      + ansible_local[owncloud__database].delegate_to
                                      + (("/" + ansible_local[owncloud__database].port)
                                         if (owncloud__database == "postgresql")
                                         else "")
                                      + "/credentials/" + owncloud__database_user + "/password" }}'


# .. envvar:: owncloud__database_password
#
# Database password for ownCloud.
owncloud__database_password: '{{ lookup("password", owncloud__database_password_path + " length=48") }}'


# .. envvar:: owncloud__database_map
#
owncloud__database_map:

  # MySQL/MariaDB database.
  mariadb:
    dbtype: 'mysql'
    dbname: '{{ owncloud__database_name|d(owncloud__user) }}'
    dbuser: '{{ owncloud__database_user|d(owncloud__user) }}'
    dbpass: '{{ owncloud__database_password }}'
    dbhost: '{{ owncloud__database_server|d("localhost") }}'
    dbtableprefix: ''

  # PostgreSQL database on localhost, connection through Unix socket, no default password.
  postgresql:
    dbtype: 'pgsql'
    dbname: '{{ owncloud__database_name|d(owncloud__user) }}'
    dbuser: '{{ owncloud__database_user|d(owncloud__user) }}'
    dbpass: ''
    dbhost: '{{ owncloud__database_server|d("/var/run/postgresql") }}'
    dbtableprefix: ''

  sqlite:
    dbtype: 'sqlite'


# .. ownCloud admin login/password [[[1
#
# ---------------------------------
#   ownCloud admin login/password
# ---------------------------------

# .. envvar:: owncloud__admin_username
#
# Default admin username, in the form 'admin-$USER'.
# Set to ``False`` to disable automatic username and password.
owncloud__admin_username: 'admin-{{ lookup("env","USER") }}'


# .. envvar:: owncloud__admin_password_path
#
# Path to database password file.
owncloud__admin_password_path: '{{ secret + "/credentials/" + ansible_fqdn +
                                  "/owncloud/admin/" + owncloud__admin_username +
                                  "/password" }}'


# .. envvar:: owncloud__password_length
#
# Length of randomly generated admin password.
owncloud__password_length: 20


# .. envvar:: owncloud__admin_password
#
# Default admin password.
# A random password will be generate by default as documented by the debops.secret_ role.
owncloud__admin_password: '{{ lookup("password", owncloud__admin_password_path
                              + " length=" + (owncloud__password_length|string)) }}'


# .. envvar:: owncloud__autosetup
#
# Should Ansible automatically finish the ownCloud setup on
# it's own? Disabled if admin_username is set to ``False``.
owncloud__autosetup: True


# .. envvar:: owncloud__autosetup_url
#
# URL which will be called to finish autosetup of ownCloud 8.0. For newer
# ownCloud versions :command:`occ` will be used which is more reliable because
# it does not depend on the webserver nor network.
owncloud__autosetup_url: 'http://{{ owncloud__fqdn if owncloud__fqdn is string else owncloud__fqdn[0] }}/index.php'


# .. ownCloud configuration [[[1
#
# --------------------------
#   ownCloud configuration
# --------------------------

# .. envvar:: owncloud__fqdn
#
# The Fully Qualified Domain Name to use for the ownCloud instance.
owncloud__fqdn: 'cloud.{{ owncloud__domain }}'


# .. envvar:: owncloud__domain
#
# Domain that will be configured for the ownCloud instance.
owncloud__domain: '{{ ansible_local.core.domain
                      if (ansible_local|d() and ansible_local.core|d() and
                          ansible_local.core.domain|d())
                      else (ansible_domain if ansible_domain else ansible_hostname) }}'


# .. envvar:: owncloud__upload_size
#
# Max upload size set in :program:`nginx` and PHP, with amount as M or G.
# Before you change this be sure to understand
# `Uploading big files > 512MB of the official ownCloud documentation <https://doc.owncloud.org/server/9.0/admin_manual/configuration_files/big_file_upload_configuration.html>`__.
owncloud__upload_size: '2G'


# .. envvar:: owncloud__cron_minute
#
# At what time cron should execute background jobs
# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/9.0/developer_manual/app/backgroundjobs.html>`__ for details.
owncloud__cron_minute: '*/15'


# .. envvar:: owncloud__timeout
#
# Timeouts in seconds for application requests.
#
# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/9.0/admin_manual/configuration_files/big_file_upload_configuration.html>`__ for details.
owncloud__timeout: 3600


# .. envvar:: owncloud__app_user_webfinger_support
#
# Should the ``Webfinger`` application be supported?
# Set this to ``True`` if you are planning to use this app.
owncloud__app_user_webfinger_support: False


# .. ownCloud config.php configuration [[[1
#
# -------------------------------------
#   ownCloud config.php configuration
# -------------------------------------
#
# The dicts of this section ends up in :file:`owncloud/config/debops.config.php` and override the values
# from :file:`owncloud/config/config.php`.
#
# TODO: Note that as of ownCloud 9.0, you can not unset a setting which was
# once set in :file:`debops.config.php` because ownCloud might copies it to
# :file:`config.php`. Possible fix: `occ config:system:set`
#
# For more information refer to :ref:`owncloud__ref_config`.


# .. envvar:: owncloud__role_config
#
# See `ownCloud config.php configuration`_.
# This variable is used by this role, controlled by other variables of this
# role.
owncloud__role_config:

  trusted_domains: '{{ [ owncloud__fqdn ] if owncloud__fqdn is string else owncloud__fqdn }}'

  ## https://github.com/owncloud/core/issues/22257
  ## TODO: Temporary workaround until all package maintainers have caught up.
  ## Edit: Have caught up as of 9.0.2-1.1. Remove this config in a while when
  ## it is expected that all users are running 9.0.2 or later.
  'updatechecker': False

  'memcache.local':
    state: '{{ "present" if (owncloud__apcu_enabled|bool) else "absent" }}'
    value: '\\OC\\Memcache\\APCu'

  'memcache.locking':
    state: '{{ "present" if (owncloud__redis_enabled|bool) else "absent" }}'
    value: '\\OC\\Memcache\\Redis'

  'redis':
    state: '{{ "present" if (owncloud__redis_enabled|bool) else "absent" }}'
    value:
      host: '{{ owncloud__redis_host }}'
      port: '{{ owncloud__redis_port|int }}'
      password: '{{ owncloud__redis_password }}'

  'tempdirectory':
    state: '{{ "present" if (owncloud__temp_path != "") else "absent" }}'
    value: '{{ owncloud__temp_path }}'


# .. envvar:: owncloud__role_recommended_config
#
# See `ownCloud config.php configuration`_.
# This variable is a set of optional settings for ownCloud recommended by the
# maintainers of this role.
# Set:
#
# .. code-block:: yaml
#    :linenos:
#
#    owncloud__role_recommended_config: {}
#
# in your inventory when you want to disable it.
owncloud__role_recommended_config:

  ## The default timezone for logfiles is UTC.
  logtimezone: '{{ ansible_local.timezone if (ansible_local|d() and ansible_local.timezone|d()) else "Etc/UTC" }}'

  ## Loglevel to start logging at. Valid values are: 0 = Debug, 1 = Info,
  ##  2 = Warning, 3 = Error, and 4 = Fatal. The default value is Warning.
  loglevel: 2

  ## ISO 8601 datetime: 2004-02-12T15:19:21+00:00
  logdateformat: 'Y-m-d H:i:s.u'


# .. envvar:: owncloud__config
#
# See `ownCloud config.php configuration`_.
# This variable is intended to be used in Ansible’s global inventory.
# More specific variables can overrule less specific variables.
owncloud__config: {}


# .. envvar:: owncloud__group_config
#
# See `ownCloud config.php configuration`_.
# This variable is intended to be used in a host inventory group of Ansible
# (only one host group is supported).
owncloud__group_config: {}


# .. envvar:: owncloud__host_config
#
# See `ownCloud config.php configuration`_.
# This variable is intended to be used in the inventory of hosts.
owncloud__host_config: {}


# .. ownCloud applications configuration [[[1
#
# ---------------------------------------
#   ownCloud applications configuration
# ---------------------------------------

# Dictionary of ownCloud application settings.
# Check the output of :command:`occ config:list` to see how the settings are called.
# You might need to change a particular setting via the web interface in order
# for it to appear in the output.
#
# Note that the :command:`occ` can also change ownCloud system settings but this should
# be done via `ownCloud config.php configuration`_.
#
# Examples:
#
# .. code-block:: yaml
#    :linenos:
#
#    owncloud__apps_config:
#
#      ## Set the default quota for all users which don’t have more explicit
#      ## quota settings to 100 MB.
#      files:
#        default_quota: '100 MB'
#
#      ## Disable Federated Cloud Sharing:
#      ## * Allow users on this server to send shares to other servers
#      ## * Allow users on this server to receive shares from other servers
#      core:
#        incoming_server2server_share_enabled: 'no'
#        outgoing_server2server_share_enabled: 'no'
#      files_sharing:
#        incoming_server2server_share_enabled: 'no'
#        outgoing_server2server_share_enabled: 'no'
#
#      ## Disable Federation:
#      ## * Add server automatically once a federated share was created successfully
#      federation:
#        autoAddServers: '0'
#
# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/9.0/admin_manual/configuration_server/occ_command.html#config-commands-label>`__ for details.

# .. envvar:: owncloud__optional_apps_config
#
# See `ownCloud applications configuration`_.
# Role dictionary of ownCloud application settings.
# This variable is a set of optional settings for ownCloud recommended by the
# maintainers of this role.
owncloud__role_apps_config:
  documents:
    enabled: '{{ "yes" if (owncloud__app_documents_enabled | bool) else "no" }}'
    converter: 'local'


# .. envvar:: owncloud__apps_config
#
# See `ownCloud applications configuration`_.
# Global dictionary of ownCloud application settings.
# This variable is intended to be used in Ansible’s global inventory.
# More specific variables can overrule less specific variables.
owncloud__apps_config: {}


# .. envvar:: owncloud__group_apps_config
#
# See `ownCloud applications configuration`_.
# Group dictionary of ownCloud application settings.
# This variable is intended to be used in a host inventory group of Ansible
# (only one host group is supported).
owncloud__group_apps_config: {}


# .. envvar:: owncloud__host_apps_config
#
# See `ownCloud applications configuration`_.
# Host dictionary of ownCloud application settings.
# This variable is intended to be used in the inventory of hosts.
owncloud__host_apps_config: {}


# .. envvar:: owncloud__dependent_apps_config
#
# See `ownCloud applications configuration`_.
# This variable is intended to be used from other Ansible roles, for usage as
# a dependent role.
owncloud__dependent_apps_config: {}


# .. envvar:: owncloud__app_documents_enabled
#
# Whether the `ownCloud documents application`_ should be enabled.
# Not enabled by default because, as of ownCloud 9.0, the application is not shipped by default.
# Note that this will install LibreOffice plus dependencies on the server.
owncloud__app_documents_enabled: False


# .. envvar:: owncloud__app_documents_libreoffice_enabled
#
# Should LibreOffice be installed on the server so that the documents app can
# work with proprietary document formats such as Microsoft Office?
owncloud__app_documents_libreoffice_enabled: False


# .. External storage [[[1
#
# --------------------
#   External storage
# --------------------

# Refer to the :ref:`owncloud__ref_external_storage` section for more details.

# .. envvar:: owncloud__smb_support
#
# Should SMB/CIFS be support by installing the required system packages and
# enabling the required ownCloud application?
owncloud__smb_support: False


# .. ownCloud raw occ commands [[[1
#
# -----------------------------
#   ownCloud raw occ commands
# -----------------------------

# List of :command:`occ` commands to run.
# It can be used to enable apps, add users and more which can be useful when
# deploying ownCloud.
#
# Examples:
#
# .. code-block:: yaml
#    :linenos:
#
#    owncloud__occ_cmd_list:
#
#      - command: 'app:enable external'
#
#      ## Create an additional admin account.
#      - command: 'user:add --password-from-env --display-name="Administrator" --group="admin" admin'
#        ## Does not work with ownCloud 8.0 or below so don’t run it there.
#        when: '{{ owncloud__release | version_compare("8.1", ">=") }}'
#        env:
#          OC_PASS: "{{ lookup('password', secret + '/credentials/' +
#                       ansible_fqdn + '/owncloud/admin/' + 'admin' +
#                       '/password length=' + owncloud__password_length) }}"
#
#      ## Create an regular user. Note that you probably want to use an existing
#      ## user database like LDAP.
#      - command: 'user:add --password-from-env --display-name="Normal user" user'
#        when: '{{ owncloud__release | version_compare("8.1", ">=") }}'
#        env:
#          OC_PASS: "{{ lookup('password', secret + '/credentials/' +
#                       ansible_fqdn + '/owncloud/users/' + 'user' +
#                       '/password length=' + owncloud__password_length) }}"
#
# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/9.0/admin_manual/configuration_server/occ_command.html>`__ for details.

# .. envvar:: owncloud__role_occ_cmd_list
#
# Default list of :command:`occ` commands to run.
# Command present of role to automate certain tasks.
# See `ownCloud raw occ commands`_.
owncloud__role_occ_cmd_list:
  ## Disable the updater because it does not work anyway with the way ownCloud
  ## is setup by this role using packages.
  ## Since ownCloud 9 it is called `updatenotification`.
  - command: 'app:disable updater'
    when: '{{ owncloud__release | version_compare("8.2", "<=") }}'

  - command: 'app:enable user_ldap'
    when: '{{ owncloud__ldap_enabled|bool }}'

  - command: 'app:enable files_external'
    when: '{{ owncloud__smb_support|bool }}'


# .. envvar:: owncloud__occ_cmd_list
#
# See `ownCloud raw occ commands`_.
# This variable is intended to be used in Ansible’s global inventory.
owncloud__occ_cmd_list: []


# .. envvar:: owncloud__group_occ_cmd_list
#
# See `ownCloud raw occ commands`_.
# This variable is intended to be used in a host inventory group of Ansible
# (only one host group is supported).
owncloud__group_occ_cmd_list: []


# .. envvar:: owncloud__host_occ_cmd_list
#
# See `ownCloud raw occ commands`_.
# This variable is intended to be used in the inventory of hosts.
owncloud__host_occ_cmd_list: []


# .. envvar:: owncloud__dependent_occ_cmd_list
#
# See `ownCloud raw occ commands`_.
# This variable is intended to be used from other Ansible roles, for usage as
# a dependent role.
owncloud__dependent_occ_cmd_list: []


# .. envvar:: owncloud__occ_bin_file_path
#
# Where the :command:`occ` wrapper script should be installed.
owncloud__occ_bin_file_path: '{{ (ansible_local.root.bin
                                  if (ansible_local|d() and ansible_local.root|d() and
                                      ansible_local.root.bin|d())
                                  else "/usr/local/bin") + "/occ" }}'


# .. ownCloud user files [[[1
#
# -----------------------
#   ownCloud user files
# -----------------------

# These lists allow you to manage files for ownCloud users, either by
# copying files from the Ansible Controller or providing the contents directly
# in Ansible inventory. You can use all parameters supported by the `Ansible
# copy module`_.
#
# See :ref:`owncloud__ref_owncloud__user_files` for more details.

# .. envvar:: owncloud__user_files
#
# Manage ownCloud user files on all hosts in Ansible’s inventory.
owncloud__user_files: []


# .. envvar:: owncloud__user_files_group
#
# Manage ownCloud user files on hosts in a specific Ansible inventory
# group.
owncloud__user_files_group: []


# .. envvar:: owncloud__user_files_host
#
# Manage ownCloud user files on specific hosts in Ansible’s inventory.
owncloud__user_files_host: []


# .. LDAP authentication [[[1
#
# .. _owncloud__ref_ldap_defaults:
#
# -----------------------
#   LDAP authentication
# -----------------------
#
# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/9.0/go.php?to=admin-ldap>`__
# and to the :ref:`owncloud__ref_external_users` section for more details.

# .. envvar:: owncloud__ldap_enabled
#
# Enable LDAP support. ownCloud support multiple LDAP servers but this role
# configures only default one. If you need something more complex you can
# use :envvar:`owncloud__occ_cmd_list`.
owncloud__ldap_enabled: False


# .. envvar:: owncloud_ldap_update_settings
#
# Ensure that the settings listed in :envvar:`owncloud__ldap_conf_map` are
# up-to-date on the remote system.
# Set to ``False`` to only configure LDAP settings in ownCloud when ownCloud
# currently has no LDAP configuration.
owncloud_ldap_update_settings: True


# .. envvar:: owncloud__ldap_create_user
#
# Should the :envvar:`owncloud__ldap_binddn` LDAP user be created if it does not exist?
owncloud__ldap_create_user: True


# .. envvar:: owncloud__ldap_domain
#
# Domain name used to generate base DN.
owncloud__ldap_domain: '{{ owncloud__domain }}'


# .. envvar:: owncloud__ldap_basedn
#
# Base DN
owncloud__ldap_basedn: '{{ "dc=" + owncloud__ldap_domain.split(".") | join(",dc=") }}'


# .. envvar:: owncloud__ldap_binddn
#
# DN to bind as
owncloud__ldap_binddn: '{{ "cn=owncloud," + secret_ldap_services_dn }}'


# .. envvar:: owncloud__ldap_host
#
owncloud__ldap_host: 'ldap.{{ owncloud__domain }}'


# .. envvar:: owncloud__ldap_password_file
#
# .. Maintainer note: LDAP DNs can be set to case-sensitive which is not the default.
# .. Otherwise, owncloud__ldap_* could be converted to lowercase for the file path.
# .. https://stackoverflow.com/questions/29897684/is-ldap-dn-case-insensitive
#
owncloud__ldap_password_file: '{{ secret + "/credentials/" + owncloud__ldap_host + "/slapd/" + owncloud__ldap_basedn + "/" + owncloud__ldap_binddn + ".password" }}'


# .. envvar:: owncloud__ldap_password
#
owncloud__ldap_password: '{{ lookup("password", owncloud__ldap_password_file) }}'


# .. envvar:: owncloud__ldap_method
#
owncloud__ldap_method: 'ssl'


# .. envvar:: owncloud__ldap_port
#
owncloud__ldap_port: '{{ 636 if (owncloud__ldap_method in ["ssl", "tls"]) else 389 }}'


# .. envvar:: owncloud__ldap_user_display_name
#
# The attribute that should be used as display name in ownCloud.
# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/9.0/admin_manual/configuration_user/user_auth_ldap.html#directory-settings>`__ for details.
owncloud__ldap_user_display_name: 'cn'


# .. envvar:: owncloud__ldap_user_filter
#
# Use this to control which LDAP users are listed as ownCloud users on your ownCloud server.
# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/9.0/admin_manual/configuration_user/user_auth_ldap.html#user-filter>`__ for details.
owncloud__ldap_user_filter: '(|(objectclass=inetOrgPerson))'


# .. envvar:: owncloud__ldap_user_filter_objectclass
#
# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/9.0/admin_manual/configuration_user/user_auth_ldap.html#user-filter>`__ for details.
owncloud__ldap_user_filter_objectclass: 'inetOrgPerson'


# .. envvar:: owncloud__ldap_group_filter
#
# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/9.0/admin_manual/configuration_user/user_auth_ldap.html#group-filter>`__ for details.
owncloud__ldap_group_filter: '(&(|(objectclass=posixGroup)))'


# .. envvar:: owncloud__ldap_group_filter_groups
#
# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/9.0/admin_manual/configuration_user/user_auth_ldap.html#group-filter>`__ for details.
owncloud__ldap_group_filter_groups: ''


# .. envvar:: owncloud__ldap_group_filter_objectclass
#
# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/9.0/admin_manual/configuration_user/user_auth_ldap.html#group-filter>`__ for details.
owncloud__ldap_group_filter_objectclass: 'posixGroup'


# .. envvar:: owncloud__ldap_login_filter
#
# The settings in the Login Filter tab determine which LDAP users can log in to your ownCloud system.
# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/9.0/admin_manual/configuration_user/user_auth_ldap.html#login-filter>`__ for details.
owncloud__ldap_login_filter: '(&(|(objectclass=inetOrgPerson))(uid=%uid))'


# .. envvar:: owncloud__ldap_login_filter_attributes
#
# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/9.0/admin_manual/configuration_user/user_auth_ldap.html#login-filter>`__ for details.
owncloud__ldap_login_filter_attributes: ''


# .. envvar:: owncloud__ldap_group_assoc_attribute
#
# Attribute which ownCloud uses to match members of the group.
#
# Possible values:
#
# ``memberUid``
#   Useful for OpenLDAP with PosixGroups. Attribute contains only UID of the user.
#
# ``uniqueMember``
#   Attribute contains full DN of the user.
#
# ``member``
#   FIXME
#   Attribute contains full DN of the user.
#
owncloud__ldap_group_assoc_attribute: 'memberUid'


# .. envvar:: owncloud__home_folder_naming_rule
#
# By default, the ownCloud server creates the user directory in your ownCloud data directory and gives it the ownCloud username, .e.g :file:`/var/www/owncloud/data/alice`. You may want to override this setting and name it after an LDAP attribute value. The attribute can also return an absolute path, e. g. :file:`/mnt/storage43/alice`. Leave it empty for default behavior.
# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/9.0/admin_manual/configuration_user/user_auth_ldap.html#special-attributes>`__ for details.
owncloud__home_folder_naming_rule: 'attr:uid'

# .. Advanced settings [[[
#
# ~~~~~~~~~~~~~~~~~~~~~
#   Advanced settings
# ~~~~~~~~~~~~~~~~~~~~~

# .. envvar:: owncloud__ldap_cache_ttl
#
# A cache is introduced to avoid unnecessary LDAP traffic, for example caching usernames so they don’t have to be looked up for every page, and speeding up loading of the Users page. Saving the configuration empties the cache. The time is given in seconds.
#
# Note that almost every PHP request requires a new connection to the LDAP server. If you require fresh PHP requests we recommend defining a minimum lifetime of 15s or so, rather than completely eliminating the cache.
#
# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/9.0/admin_manual/configuration_user/user_auth_ldap.html#caching>`__ for details.
owncloud__ldap_cache_ttl: '600'

# .. ]]]

# .. Expert settings [[[
#
# ~~~~~~~~~~~~~~~~~~~
#   Expert settings
# ~~~~~~~~~~~~~~~~~~~

# .. envvar:: owncloud__ldap_expert_username_attr
#
# The internal username is the identifier in ownCloud for LDAP users. By
# default it will be created from the UUID attribute. The UUID attribute
# ensures that the username is unique, and that characters do not need to be
# converted. Only these characters are allowed: :regexp:`[a-zA-Z0-9_.@-]`.
# Other characters are replaced with their ASCII equivalents, or are simply
# omitted.
#
# The LDAP backend ensures that there are no duplicate internal usernames in
# ownCloud, i.e. that it is checking all other activated user backends
# (including local ownCloud users). On collisions a random number (between 1000
# and 9999) will be attached to the retrieved value. For example, if ``alice``
# exists, the next username may be ``alice_1337``.
#
# The internal username is the default name for the user home folder in
# ownCloud. It is also a part of remote URLs, for instance for all DAV
# services.
#
# You can override all of this with the Internal Username setting. Leave it
# empty for default behaviour. Changes will affect only newly mapped LDAP
# users.
#
# You will need to add this variable yourself to :envvar:`owncloud__ldap_conf_map`
# right now.
#
# For a Microsoft Windows environment, putting this:
#
# .. code-block:: yaml
#    :linenos:
#
#    owncloud__ldap_expert_username_attr: 'sAMAccountName'
#
# in your inventory might come in handy to use the user names from AD as user names in ownCloud.
owncloud__ldap_expert_username_attr: ''

# .. ]]]

# .. envvar:: owncloud__ldap_conf_map
#
owncloud__ldap_conf_map:
  ldapHost: '{{ "ldaps://" if (owncloud__ldap_method in ["ssl", "tls"]) else "" }}{{ owncloud__ldap_host }}'
  ldapPort: '{{ owncloud__ldap_port }}'
  ldapAgentName: '{{ owncloud__ldap_binddn }}'
  ldapBase: '{{ owncloud__ldap_basedn }}'
  ldapEmailAttribute: 'mail'
  ldapConfigurationActive: '1'
  ldapUserDisplayName: '{{ owncloud__ldap_user_display_name }}'
  ldapUserFilter: '{{ owncloud__ldap_user_filter }}'
  ldapUserFilterObjectclass: '{{ owncloud__ldap_user_filter_objectclass }}'
  ldapLoginFilter: '{{ owncloud__ldap_login_filter }}'
  ldapLoginFilterAttributes: '{{ owncloud__ldap_login_filter_attributes }}'
  ldapGroupFilter: '{{ owncloud__ldap_group_filter }}'
  ldapGroupFilterGroups: '{{ owncloud__ldap_group_filter_groups }}'
  ldapGroupFilterObjectclass: '{{ owncloud__ldap_group_filter_objectclass }}'
  ldapGroupMemberAssocAttr:  '{{ owncloud__ldap_group_assoc_attribute }}'
  homeFolderNamingRule: '{{ owncloud__home_folder_naming_rule }}'
  ldapCacheTTL: '{{ owncloud__ldap_cache_ttl }}'


# .. ownCloud Mail configuration [[[1
#
# -------------------------------
#   ownCloud Mail configuration
# -------------------------------
#
# Refer to the `official ownCloud documentation about config.php <https://doc.owncloud.org/server/9.0/admin_manual/configuration_server/config_sample_php_parameters.html#mail-parameters>`__ and the `official ownCloud documentation about email configuration <https://doc.owncloud.org/server/9.0/admin_manual/configuration_server/email_configuration.html>`__ for details.

# .. envvar:: owncloud__mail_domain
#
owncloud__mail_domain: '{{ owncloud__fqdn if owncloud__fqdn is string else owncloud__fqdn[0] }}'


# .. envvar:: owncloud__mail_from_address
#
# From address that overrides the built-in ``sharing-noreply`` and
# ``lostpassword-noreply`` from addresses.
owncloud__mail_from_address: 'noreply'


# .. envvar:: owncloud__mail_smtpmode
#
# Which mode to use for sending mail.
# Choices are:
#
# * ``sendmail``
# * ``smtp``
# * ``qmail``
# * ``php``
#
owncloud__mail_smtpmode: 'sendmail'


# .. envvar:: owncloud__mail_smtphost
#
# Specify the IP address of your mail server host.
# This may contain multiple hosts separated by a semi-colon. If you need to
# specify the port number append it to the IP address separated by a colon,
# like this: ``127.0.0.1:24``.
#
# This depends on :envvar:`owncloud__mail_smtpmode`.
owncloud__mail_smtphost: 'smtp.{{ owncloud__domain }}'


# .. envvar:: owncloud__mail_smtpport
#
# Port for sending mail. Can also be specified via :envvar:`owncloud__mail_smtphost`.
# This depends on :envvar:`owncloud__mail_smtpmode`.
owncloud__mail_smtpport: '25'


# .. envvar:: owncloud__mail_conf_map
#
# This configuration ends up in :file:`mail.config.php` and override the
# values from :file:`config.php`.
# Set to:
#
# .. code-block:: yaml
#    :linenos:
#
#    owncloud__mail_conf_map: {}
#
# if you want to be able to configure/change this via the admin web interface.
owncloud__mail_conf_map:
  mail_domain: '{{ owncloud__mail_domain }}'
  mail_from_address: '{{ owncloud__mail_from_address  }}'
  mail_smtpmode: '{{ owncloud__mail_smtpmode }}'
  mail_smtphost: '{{ owncloud__mail_smtphost }}'
  mail_smtpport: '{{ owncloud__mail_smtpport }}'


# .. Theming ownCloud [[[1
#
# --------------------
#   Theming ownCloud
# --------------------
#
# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/9.0/developer_manual/core/theming.html>`__ for details.
# See also `ownCloud Trademark Guidelines <https://owncloud.org/trademarks/>`_.

# .. envvar:: owncloud__theme_active
#
# Name of the theme to activate. Generation of a custom theme can be influenced
# by the following options.
#
# In case you already have a theme you want to use, you can alternatively
# provide the theme under :file:`/var/www/owncloud/themes/$your_theme_name`
# (for example using debops.resources_) and set this variable to
# ``$your_theme_name``. Note that the role maintainers recommend to let the
# role assemble your theme. See the following options.
owncloud__theme_active: 'debops'


# .. envvar:: owncloud__theme_directory_name
#
# Directory name where the custom theme generated by this role will be stored under.
# This variable has the same format as the :envvar:`owncloud__theme_active` option.
# If you don’t want this role to generate a theme for you, you can set this to
# an empty string to disable this feature.
# The generated theme name defaults to ``debops`` to allow enabling it via
# :envvar:`owncloud__theme_active`.
owncloud__theme_directory_name: 'debops'


# .. envvar:: owncloud__theme_title
#
# Title of your ownCloud. This variable is included in the `HTML title tag`_ on
# all pages.
owncloud__theme_title: 'DebOps Cloud'


# .. envvar:: owncloud__theme_name
#
# Name of your ownCloud or software. This is shown when sharing a file/dir as
# link for example.
owncloud__theme_name: 'DebOps Cloud'


# .. envvar:: owncloud__theme_name_html
#
# Name of your ownCloud. HTML code can be used in this variable to create
# hyperlinks for example.
owncloud__theme_name_html: '{{ owncloud__theme_name }}'


# .. envvar:: owncloud__theme_entity_name
#
# Entity string for your ownCloud. For example the name of your company. This
# string is used in the footer and the copyright.
owncloud__theme_entity_name: 'DebOps'


# .. envvar:: owncloud__theme_base_url
#
# Base URL to get more information about your ownCloud. By default,
# :envvar:`owncloud__theme_entity_name` links to this URL on the login page.
# Use an empty string to use the default URL pointing to the ownCloud website.
owncloud__theme_base_url: 'https://github.com/debops/ansible-owncloud'


# .. envvar:: owncloud__theme_slogan
#
# Slogan of your ownCloud. This is shown by default on the bottom of the login page.
# It should not contain ``</br>`` (newline) because at least ownCloud as of
# version ``9.0`` can’t automatically adjust to that.
# Use an empty string to use the default slogan provided by ownCloud.
#
# See under `Apps, Product and Service Names, and Compatibility References <https://owncloud.org/trademarks/>`_
# for more suggestions.
owncloud__theme_slogan: 'Powered by <a href="{{ owncloud__variant_url_map[owncloud__variant] }}">{{ owncloud__variant_name_map[owncloud__variant] }}</a>'


# .. envvar:: owncloud__theme_footer_short
#
# Short version of the footer.
# The value can contain arbitrary PHP and HTML code.
# You will need to take care of quotes yourself.
owncloud__theme_footer_short: |
  'Setup by <a href="' . $this->getBaseUrl() . '" target="_blank\">' . $this->getEntity() . '</a><br/>' .
  '{{ owncloud__theme_slogan }}'


# .. envvar:: owncloud__theme_footer_long
#
# Long version of the footer. See :envvar:`owncloud__theme_footer_short` for details.
# TODO: What exactly is the difference?
owncloud__theme_footer_long: '{{ owncloud__theme_footer_short }}'


# .. envvar:: owncloud__theme_doc_link_to_key
#
# Return statement the ``buildDocLinkToKey`` function which allows you to alter
# the URL used when referring to the documentation.
# The value can contain arbitrary PHP and HTML code.
# You will need to take care of quotes yourself.
# The reason for not going with the ownCloud default is that it seems to point
# to ``8.0`` even for the ``9.0.2`` release. Seems to be a bug.
owncloud__theme_doc_link_to_key: '$this->getDocBaseUrl() . ''/server/{{ owncloud__release }}/go.php?to='' . $key'


# .. envvar:: owncloud__theme_copy_files
#
# Global dictionary of additional files to place in the theme.
# This variable is intended to be used in Ansible’s global inventory.
# More specific variables can overrule less specific variables.
# The key is the target file path in the ownCloud theme directory.
# The ``state`` value allows to make files absent.
# All other options correspond to the options of the `Ansible copy module`_.
#
# To change the logo on the login page you can use:
#
# .. code-block:: yaml
#    :linenos:
#
#    owncloud__theme_copy_files:
#
#      'core/img/logo.svg':
#        ## Prefer SVG: https://github.com/owncloud/core/issues/5676#issuecomment-27649493
#        src: '/src/path/on/your/ansible/controller/logo.svg'
#
#      'core/css/styles.css':
#        content: |
#          /* Use logo from theme. */
#          #header .logo {
#            background-image: url('../img/logo.svg');
#            width: 250px;
#            height: 121px;
#          }
#
# in your inventory.
owncloud__theme_copy_files: {}


# .. envvar:: owncloud__theme_copy_files_host_group
#
# Host group dictionary of additional files to place in the theme.
# This variable is intended to be used in a host inventory group of Ansible
# (only one host group is supported).
# Refer to :envvar:`owncloud__theme_copy_files` for more details.
owncloud__theme_copy_files_host_group: {}


# .. envvar:: owncloud__theme_copy_files_host
#
# Host dictionary of additional files to place in the theme.
# This variable is intended to be used in the inventory of hosts.
# Refer to :envvar:`owncloud__theme_copy_files` for more details.
owncloud__theme_copy_files_host: {}


# .. envvar:: owncloud__theme_conf_map
#
# This configuration ends up in :file:`theme.config.php` and override the
# values from :file:`config.php`.
# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/9.0/admin_manual/configuration_server/config_sample_php_parameters.html>`__ for details.
owncloud__theme_conf_map:
  theme: '{{ owncloud__theme_active }}'

                                                                   # ]]]
# .. Webserver [[[
#
# -------------
#   Webserver
# -------------

# .. envvar:: owncloud__webserver [[[
#
# Variable containing the used webserver which can be used.
# Refer to :ref:`owncloud__ref_getting_started` for how to switch webservers.
owncloud__webserver: '{{
    ("nginx" if ((["debops_service_owncloud", "debops_service_owncloud_nginx"] | intersect(group_names) | length) > 0) else "") +
    ("apache" if ((["debops_service_owncloud_apache"] | intersect(group_names) | length) > 0) else "")
  }}'

                                                                   # ]]]
# .. envvar:: owncloud__apache_modules [[[
#
# Variable containing the used webserver which can be used.
# Refer to :ref:`owncloud__ref_getting_started` for how to switch webservers.
# TODO: Enable on Debian package scripts to ensure that the PHP module is
# enabled as the name of the module is not deterministic with ``php5`` and
# ``php7.0``.
owncloud__apache_modules: []
                                                                   # ]]]
# .. envvar:: owncloud__nginx_client_body_temp_path [[[
#
# Defines the directory where Nginx will temporary store files holding client
# request bodies.
# Refer to the `the Nginx documentation <https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path>`__ for details.
#
# The default (empty string) is to not change the default of the webserver.
# TODO: Confirm that this variable does what it says.
owncloud__nginx_client_body_temp_path: ''

                                                                   # ]]]
# .. envvar:: owncloud__nginx_access_log_assets [[[
#
# Should the access to assets be logged by :program:`nginx`?
owncloud__nginx_access_log_assets: True
                                                                   # ]]]
                                                                   # ]]]
# PHP [[[

# .. envvar:: owncloud__php_temp_path [[[
#
# Directory which PHP will use as temp directory.
#
# In case :file:`/tmp` has limited space (for example is a ramdisk) or is otherwise
# restricted then it is recommended to change the temp directory which PHP
# uses to a path with more space available.
# This directory is used to cache uploaded files when using Apache.
# See also :envvar:`owncloud__temp_path`.

# Empty string will not change the temp directory of PHP.
owncloud__php_temp_path: ''

                                                                   # ]]]
# .. envvar:: owncloud__php_output_buffering
#
# Output buffering set in PHP, with amount set in megabytes.
# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/9.0/admin_manual/configuration_files/big_file_upload_configuration.html#configuring-php>`__ for details.
owncloud__php_output_buffering: '0'


# .. envvar:: owncloud__php_max_children
#
# Max children processes to run in php fpm.
# FIXME: Check if default of debops.php_ might be sufficient.
owncloud__php_max_children: '50'

                                                                   # ]]]
# .. Role-dependent configuration [[[1
#
# --------------------------------
#   Role-dependent configuration
# --------------------------------

# .. envvar:: owncloud__apt_preferences__dependent_list
#
# Configuration for the debops.apt_preferences_ role.
#
# .. TODO: Consider moving logic to the debops.php role.
#
owncloud__apt_preferences__dependent_list:

  - package: 'php5-apcu'
    backports: [ 'trusty' ]
    reason: 'ownCloud requires at least APCu version 4.0.6.'
    by_role: 'debops.owncloud'
    state: '{{ owncloud__deploy_state }}'


# .. envvar:: owncloud__apt_preferences__dependent_list_optional
#
# Optional configuration for the debops.apt_preferences_ role.
# Only required when APT preference presets from the
# debops.apt_preferences_ role are used.
owncloud__apt_preferences__dependent_list_optional:

  - package: 'owncloud owncloud*'
    reason: 'Use download.owncloud.org even when foreign sources are disabled by global APT preferences.'
    pin: 'origin "download.owncloud.org"'
    priority: 995
    by_role: 'debops.owncloud'
    state: '{{ owncloud__deploy_state }}'


# .. envvar:: owncloud__apache__dependent_snippets
#
# Apache configuration snippets managed by the debops.apache_ role.
# Disable the :file:`/etc/apache2/conf-enabled/owncloud.conf` which configures
# ownCloud below ``/owncloud``.
owncloud__apache__dependent_snippets:
  'owncloud':
    enabled: False
    type: 'dont-create'


# .. envvar:: owncloud__apache__dependent_vhosts
#
# Apache virtual host managed by the debops.apache_ role.
owncloud__apache__dependent_vhosts:

  - type: 'default'
    name: '{{ owncloud__fqdn }}'
    by_role: 'debops.owncloud'
    filename: 'debops.owncloud'
    root: '{{ owncloud__home }}'
    options: '+FollowSymLinks'
    allow_override: 'All'
    root_directives: |
      <IfModule mod_dav.c>
            Dav off
      </IfModule>

      SetEnv HOME {{ owncloud__home }}
      SetEnv HTTP_HOME {{ owncloud__home }}

      {# Does not work.
      ## Tested with while uploading with:
      ## while true; do df -h /tmp|tail -n 1; sleep 0.1; done
      ## Currently configured in PHP Apache scope: owncloud__php__dependent_configuration
      {% if owncloud__php_temp_path != "" %}
      <IfModule mod_php5.c>
        php_value sys_temp_dir '{{ owncloud__php_temp_path }}'
      </IfModule>
      <IfModule mod_php7.c>
        php_value sys_temp_dir '{{ owncloud__php_temp_path }}'
      </IfModule>
      {% endif %}
      # SetEnv TMPDIR '{{ owncloud__php_temp_path }}'
      #}
    raw_content: |
      <Directory "{{ owncloud__home }}/data/">
          # Just in case the .htaccess gets disabled.
          Require all denied
      </Directory>
      {% if owncloud__data_path != (owncloud__home + "/data") %}
      <Directory {{ owncloud__data_path | quote }}>
          # Just in case someone changes the global Apache defaults and messed
          # with the "Alias" directive ;)
          Require all denied
      </Directory>
      {% endif %}
    http_sec_headers_directive_options: 'set'


# .. envvar:: owncloud__nginx__dependent_servers
#
# :program:`nginx` server configuration managed by the debops.nginx_ role.
owncloud__nginx__dependent_servers:

  ## https://github.com/owncloud/documentation/blob/master/admin_manual/installation/nginx_owncloud_9x.rst
  ## https://github.com/owncloud/documentation/blob/master/admin_manual/installation/nginx_examples.rst
  ## https://doc.owncloud.org/server/9.0/admin_manual/issues/general_troubleshooting.html
  - type: 'default'
    enabled: True
    default: False
    by_role: 'debops.owncloud'
    filename: 'debops.owncloud'
    name: '{{ owncloud__fqdn }}'
    root: '{{ owncloud__deploy_path }}'

    ## https://doc.owncloud.org/server/9.0/admin_manual/issues/general_troubleshooting.html#common-problems-error-messages
    ## DebOps default should be fine.
    # keepalive: '3600'

    robots_tag: [ 'none' ]
    permitted_cross_domain_policies: 'none'

    options: |
      add_header X-Download-Options noopen;

      # Set max upload size.
      client_max_body_size {{ owncloud__upload_size }};
      {% if owncloud__nginx_client_body_temp_path %}
      client_body_temp_path '{{ owncloud__nginx_client_body_temp_path }}';
      {% endif %}
      fastcgi_buffers 64 4K;

      {% if owncloud__app_user_webfinger_support | bool %}
      rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
      rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
      {% endif %}

      # Disable gzip to avoid the removal of the ETag header
      gzip off;

      # Uncomment if your server is build with the ngx_pagespeed module
      # This module is currently not supported.
      #pagespeed off;

      error_page            403             /core/templates/403.php;
      error_page            404             /core/templates/404.php;


      # Avoid to send the security headers twice as ownCloud
      # also adds the X-* HTTP headers.
      fastcgi_param modHeadersAvailable true;

    location_list:
      - pattern: '= /robots.txt'
        options: |
          log_not_found off;

      - pattern: '= /.well-known/carddav'
        options: |
          return 301 $scheme://$host/remote.php/dav;

      - pattern: '= /.well-known/caldav'
        options: |
          return 301 $scheme://$host/remote.php/dav;

      - pattern: '= /'
        options: |
          ## Not used in the Nginx configuration example of ownCloud.
          ## Needed because `security.limit_extensions` defaults to `.php` in DebOps.
          rewrite ^ /index.php;

      - pattern: '/'
        options: |
          rewrite ^ /index.php$uri;

      - pattern: '~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/'
        options: |
          deny all;

      - pattern: '~ ^/(?:\.|autotest|occ|issue|indie|db_|console)'
        options: |
          deny all;

      - pattern: '~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/)'
        options: |
          include fastcgi_params;
          fastcgi_split_path_info ^(.+\.php)(/.+)$;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          fastcgi_param PATH_INFO $fastcgi_path_info;
          fastcgi_param HTTPS on;
          fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
          fastcgi_param front_controller_active true;

          fastcgi_pass php_owncloud;

          fastcgi_intercept_errors on;

          {% if (ansible_local.nginx.version if (ansible_local|d() and ansible_local.nginx|d() and ansible_local.nginx.version|d()) else "0.0") | version_compare("1.7.11",'>=') %}
          fastcgi_request_buffering off;
          {% endif %}

          fastcgi_read_timeout {{ owncloud__timeout }};

      - pattern: '~ ^/(?:updater|ocs-provider)(?:$|/)'
        options: |
          try_files $uri/ =404;
          index index.php;

      - pattern: '~* \.(?:css|js)$'
        options: |
          # Adding the cache control header for js and css files
          # It needs to be below the PHP block.

          try_files $uri /index.php$uri$is_args$args;
          add_header Cache-Control "public, max-age=7200";

          add_header X-Content-Type-Options nosniff;
          add_header X-Frame-Options "SAMEORIGIN";
          add_header X-XSS-Protection "1; mode=block";
          add_header X-Robots-Tag none;
          add_header X-Download-Options noopen;
          add_header X-Permitted-Cross-Domain-Policies none;

          {% if not (owncloud__nginx_access_log_assets|bool) %}
          access_log off;
          {% endif %}

      - pattern: '~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$'
        options: |
          try_files $uri /index.php$uri$is_args$args;

          {% if not (owncloud__nginx_access_log_assets|bool) %}
          access_log off;
          {% endif %}

    ## Not used so that the exact order of locations from the upstream nginx example can be used.
    # type: 'php'
    # php_upstream: 'php_owncloud'
    # php_limit_except: False
    # php5_location: '^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/)'
    # php_options: |
    #   fastcgi_read_timeout {{ owncloud__timeout }};


# .. envvar:: owncloud__nginx__dependent_upstreams
#
# PHP upstream server configuration managed by the debops.nginx_ role.
owncloud__nginx__dependent_upstreams:

  - name: 'php_owncloud'
    by_role: 'debops.owncloud'
    enabled: True
    state: '{{ owncloud__deploy_state }}'
    type: 'php'
    php_pool: 'owncloud'

  ## Ensure legacy configuration is absent.
  - name: 'php5_owncloud'
    state: 'absent'
    type: 'php5'
    php5: 'owncloud'


# .. envvar:: owncloud__php__dependent_packages
#
# List of PHP packages to install using the debops.php_ role.
owncloud__php__dependent_packages:

  - '{{ owncloud__base_php_packages }}'
  - '{{ owncloud__optional_php_packages }}'
  - '{{ ["libapache2-mod-php"] if (owncloud__webserver == "apache") else [] }}'


# .. envvar:: owncloud__php__dependent_configuration
#
# :file:`php.ini` configuration managed by the debops.php_ role.
owncloud__php__dependent_configuration:

  - filename: '10-owncloud'
    by_role: 'debops.owncloud'
    state: '{{ "present"
               if ((owncloud__apcu_enabled|bool) and (owncloud__release | match("8\.1")))
               else "absent" }}'
    options: |
      ; Workaround for: https://github.com/owncloud/core/issues/17329
      apc.enable_cli = 1

  - filename: 'debops.owncloud'
    path: 'apache2/conf.d/'
    by_role: 'debops.owncloud'
    state: '{{ (owncloud__php_temp_path != "" and owncloud__webserver == "apache") | ternary("present", "absent") }}'
    sections:

      - options: |
          ## TODO: Could not be configured on Apache vhost scope.
          sys_temp_dir = {{ owncloud__php_temp_path | quote }}


# .. envvar:: owncloud__php__dependent_pools
#
# PHP pools managed by the debops.php_ role.
# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/9.0/admin_manual/installation/source_installation.html#php-ini-configuration-notes>`__ for details.
owncloud__php__dependent_pools:
  name: 'owncloud'
  by_role: 'debops.owncloud'
  user: '{{ owncloud__user }}'
  group: '{{ owncloud__group }}'
  pm_max_children: '{{ owncloud__php_max_children }}'

  ## Overwrite DebOps default to ensure that long running syncing jobs don’t
  ## get killed.
  ## https://secure.php.net/manual/en/install.fpm.configuration.php
  request_terminate_timeout: '{{ owncloud__timeout }}'

  ## This is sometimes seen in other peoples ownCloud configuration.
  ## The role maintainers could not yet verify if it is really needed.
  # rlimit_files: '131072'
  # rlimit_core: 'unlimited'

  ## https://github.com/owncloud/core/blob/master/.user.ini
  ## https://github.com/nextcloud/server/blob/master/.user.ini
  php_values:
    ## https://secure.php.net/manual/en/outcontrol.configuration.php#ini.output-buffering
    output_buffering: '{{ owncloud__php_output_buffering }}'

    ## https://secure.php.net/manual/en/info.configuration.php#ini.upload-max-filesize
    upload_max_filesize: '{{ owncloud__upload_size }}'

    ## https://secure.php.net/manual/en/ini.core.php#ini.post-max-size
    post_max_size: '{{ owncloud__upload_size }}'

    ## https://secure.php.net/manual/de/ini.core.php#ini.memory-limit
    ## FIXME: ownCloud and the PHP manual suggest that it should be enabled.
    ## Is that really needed because the process needs to hold the entire file
    ## in memory or does it support "streaming" the file thought itself?
    ## Currently disabled. Enable when required.
    # memory_limit: '{{ owncloud__upload_size }}'

    ## https://secure.php.net/manual/en/info.configuration.php#ini.max-input-time
    max_input_time: '{{ owncloud__timeout }}'

    ## Refer to: https://secure.php.net/manual/en/info.configuration.php#ini.max-execution-time
    max_execution_time: '{{ owncloud__timeout }}'

  environment:
    # HOSTNAME: '$HOSTNAME'
    # TMP: '/tmp'
    # TMPDIR: '/tmp'
    # TEMP: '/tmp'

    ## Fixes warning (ownCloud 8.1): "The test with getenv('PATH') only returns an empty response"
    PATH: '/usr/local/bin:/usr/bin:/bin'


# .. envvar:: owncloud__unattended_upgrades__dependent_origins
#
# List of origin patterns managed by the debops.unattended_upgrades_ role.
owncloud__unattended_upgrades__dependent_origins:

  - origin: 'site=download.owncloud.org'
    by_role: 'debops.owncloud'
    state: '{{ "present" if (owncloud__auto_security_updates_enabled | bool) else "absent" }}'