defaults/main.yml

---

nextcloud_enabled: true

nextcloud_identifier: nextcloud

nextcloud_scheme: https

# The fully-qualified name of your Nextcloud server (e.g. `nextcloud.example.com`)
nextcloud_hostname: ''

nextcloud_path_prefix: /

nextcloud_version: 27.1.4

nextcloud_uid: ''
nextcloud_gid: ''

nextcloud_systemd_required_services_list: "{{ nextcloud_systemd_required_services_list_default + nextcloud_systemd_required_services_list_auto + nextcloud_systemd_required_services_list_custom }}"
nextcloud_systemd_required_services_list_default: ['docker.service']
nextcloud_systemd_required_services_list_auto: []
nextcloud_systemd_required_services_list_custom: []

nextcloud_base_path: "{{ nextcloud_base_path }}/nextcloud"
nextcloud_config_path: "{{ nextcloud_base_path }}/config"
nextcloud_data_path: "{{ nextcloud_base_path }}/data"
nextcloud_redis_session_ini_path: "{{ nextcloud_base_path }}/redis-session.ini"
nextcloud_customized_container_src_path: "{{ nextcloud_base_path }}/customized-container-src"

# SVG support for imagick can be setup like this:
# https://docs.nextcloud.com/server/24/admin_manual/configuration_server/theming.html?highlight=libmagickcore%20q16%20extra#theming-of-icons
# However, using Imagick may have a negative effect on security, that is the reason
# behind not installing it by default. See:
# https://github.com/nextcloud/server/issues/13099
# Tread wisely!
nextcloud_container_image_customizations_php_imageick_installation_enabled: false
nextcloud_container_image_customizations_php_imageick_installation_package: "libmagickcore-6.q16-6-extra"

# Preview generator setup
#
# Enable the variable nextcloud_preview_enabled and you are good to go.
#
# Some important aspects of usage:
# - the preview generator has two stages [according to their readme](https://github.com/nextcloud/previewgenerator)
#   - a generate-all phase, which has to be executed only a single time
#   - a pre-generate phase, that should be run in a cronjob.
#     That runs quite fast if the generate-all phase finishd.
# We do not want to run the generate-all phase multiple times, so its execution has to be followed somehow.
# This is done by creating a file on the host side and both the task that executes generate-all
# and both the cronjob checks its existance.
#
# Multiple vaiables are also defined and the corresponding default values are also set.
# These values are based on the [upstream readme](https://github.com/nextcloud/previewgenerator) and also on experience.
# Feel free to change anything.
#
# Once installed, the playbook needs to be called with the adjust-nextcloud-config tag.
# This tag sets up the variables and calls the generate-all script, that will also create the file---signalling
# its finished state---on the host.
# *** As this may take a long time, be sure to only call it when you have time to leave it running!!! ***
# The playbook calls generate-all asynchronously, but it will timeout after about 27h.
# On 60GBs, most if images, it took about 10 minutes to finish.
# If it takes more time, you may want to start it from the host by calling
# ```sh
# /usr/bin/env docker exec mash-nextcloud-server php /var/www/html/occ preview:generate-all
# ```
#
# If the nextcloud_preview_enabled value is set back to false, the host side files are cleaned up
# and also the cron job is changed, not to call prevew generation again however, the database and generated
# previews are kept intact.
nextcloud_preview_enabled: false
nextcloud_preview_folder_name: "preview-generator"
nextcloud_preview_docker_folder: "/{{ nextcloud_preview_folder_name }}"
nextcloud_preview_host_folder: "{{ nextcloud_customized_container_src_path }}/{{ nextcloud_preview_folder_name }}"
nextcloud_preview_first_run_finished_filename: "finished-first-run.keepit"
nextcloud_preview_squareSizes: "\"64 256 1024 2048\""
nextcloud_preview_widthSizes: "\"64 256 1024 2048\""
nextcloud_preview_heightSizes: "\"64 256 1024 2048\""
nextcloud_preview_preview_max_x: 2048
nextcloud_preview_preview_max_y: 2048
nextcloud_preview_system_jpeg_quality: 60
nextcloud_preview_app_jpeg_quality: "60"

# nextcloud_container_image_customizations_enabled controls whether a customized Nextcloud image will be built.
#
# We toggle this variable to `true` when certain features which require a custom build are enabled.
# Feel free to toggle this to `true` yourself and specify build steps in `nextcloud_container_image_customizations_dockerfile_body_custom`.
#
# See:
# - `roles/nextcloud-server/templates/customizations/Dockerfile.j2`
# - `nextcloud_container_image_customizations_dockerfile_body_custom`
# - `nextcloud_container_image_customized`
# - `nextcloud_container_image_final`
nextcloud_container_image_customizations_enabled: "{{ nextcloud_container_image_customizations_php_imageick_installation_enabled }}"

# nextcloud_container_image_customizations_dockerfile_body_custom contains your custom Dockerfile steps
# for building your customized Nextcloud image based on the original (upstream) image (`nextcloud_container_image`).
# A `FROM ...` clause is included automatically so you don't have to.
#
# Example:
# nextcloud_container_image_customizations_dockerfile_body_custom: |
#  RUN echo 'This is a custom step for building the customized container image for Nextcloud.'
#  RUN echo 'You can override nextcloud_container_image_customizations_dockerfile_body_custom to add your own steps.'
#  RUN echo 'You do NOT need to include a FROM clause yourself.'
nextcloud_container_image_customizations_dockerfile_body_custom: ''

nextcloud_container_image: "{{ nextcloud_container_image_registry_prefix }}nextcloud:{{ nextcloud_container_image_tag }}"
nextcloud_container_image_tag: "{{ nextcloud_version }}-apache"
nextcloud_container_image_force_pull: "{{ nextcloud_container_image.endswith(':latest') }}"
nextcloud_container_image_registry_prefix: docker.io/

# nextcloud_container_image_customized is the name of the locally built Nextcloud image
# which adds various customizations on top of the original (upstream) Nextcloud image.
# This image will be based on the upstream `nextcloud_container_image` image, only if `nextcloud_container_image_customizations_enabled: true`.
nextcloud_container_image_customized: "localhost/nextcloud:{{ nextcloud_container_image_tag }}-customized"

# nextcloud_container_image_final holds the name of the Nextcloud image to run depending on whether or not customizations are enabled.
nextcloud_container_image_final: "{{ nextcloud_container_image_customized if nextcloud_container_image_customizations_enabled else nextcloud_container_image }} "

# A list of extra arguments to pass to the container
nextcloud_container_extra_arguments: []

# Controls whether the nextcloud-apache container's memory usage
# is limited and to what extent.
#
# When set, these options are passed to `docker run`
# as `--memory=..` and `--memory-swap=..` respectively.
#
# Expected value format is `[integer][unit]`. E.g. 100M, 1G
#
# If `nextcloud_container_memory_swap_limit` is set,
# it represents the total memory that can be used (memory + swap),
# so it must always be at least as large as `nextcloud_container_memory_limit`.
# To disable swapping, make it the same as `nextcloud_container_memory_limit`.
nextcloud_container_memory_limit: ""
nextcloud_container_memory_swap_limit: ""

# Controls whether the nextcloud-apache container exposes its HTTP port (tcp/80 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:37150"), or empty string to not expose.
nextcloud_container_http_host_bind_port: ""

# nextcloud_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
# See `../templates/labels.j2` for details.
#
# To inject your own other container labels, see `nextcloud_container_labels_additional_labels`.
nextcloud_container_labels_traefik_enabled: true
nextcloud_container_labels_traefik_docker_network: ''
nextcloud_container_labels_traefik_hostname: "{{ nextcloud_hostname }}"
# The path prefix must either be `/` or not end with a slash (e.g. `/nextcloud`).
nextcloud_container_labels_traefik_path_prefix: "{{ nextcloud_path_prefix }}"
# Controls whether `/.well-known/{carddav,caldav}` will be redirected to `/remote.php/dav/`
nextcloud_container_labels_traefik_dav_redirect_regex_enabled: true
nextcloud_container_labels_traefik_rule: "Host(`{{ nextcloud_container_labels_traefik_hostname }}`){% if nextcloud_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ nextcloud_container_labels_traefik_path_prefix | quote }}`){% endif %}"
nextcloud_container_labels_traefik_priority: 0
nextcloud_container_labels_traefik_entrypoints: web-secure
nextcloud_container_labels_traefik_tls: "{{ nextcloud_container_labels_traefik_entrypoints != 'web' }}"
nextcloud_container_labels_traefik_tls_certResolver: default  # noqa var-naming

# Controls which additional headers to attach to all HTTP requests.
# To add your own custom request headers, use `nextcloud_container_labels_traefik_additional_response_headers_custom`
nextcloud_container_labels_traefik_additional_request_headers: "{{ nextcloud_container_labels_traefik_additional_request_headers_auto | combine(nextcloud_container_labels_traefik_additional_request_headers_custom) }}"
nextcloud_container_labels_traefik_additional_request_headers_auto: |
  {{
    {}
    | combine ({'Front-End-Https': 'on'} if nextcloud_scheme == 'https' else {})
  }}
nextcloud_container_labels_traefik_additional_request_headers_custom: {}

# Controls which additional headers to attach to all HTTP responses.
# To add your own custom response headers, use `nextcloud_container_labels_traefik_additional_response_headers_custom`
nextcloud_container_labels_traefik_additional_response_headers: "{{ nextcloud_container_labels_traefik_additional_response_headers_auto | combine(nextcloud_container_labels_traefik_additional_response_headers_custom) }}"
nextcloud_container_labels_traefik_additional_response_headers_auto: |
  {{
    {}
    | combine ({'X-XSS-Protection': nextcloud_http_header_xss_protection} if nextcloud_http_header_xss_protection else {})
    | combine ({'X-Frame-Options': nextcloud_http_header_frame_options} if nextcloud_http_header_frame_options else {})
    | combine ({'X-Content-Type-Options': nextcloud_http_header_content_type_options} if nextcloud_http_header_content_type_options else {})
    | combine ({'Content-Security-Policy': nextcloud_http_header_content_security_policy} if nextcloud_http_header_content_security_policy else {})
    | combine ({'Permission-Policy': nextcloud_http_header_content_permission_policy} if nextcloud_http_header_content_permission_policy else {})
    | combine ({'Strict-Transport-Security': nextcloud_http_header_strict_transport_security} if nextcloud_http_header_strict_transport_security and nextcloud_container_labels_traefik_tls else {})
  }}
nextcloud_container_labels_traefik_additional_response_headers_custom: {}

# A list of middlewares to add to the service.
# Add your own via the `nextcloud_container_labels_traefik_http_middlewares_custom` variable.
nextcloud_container_labels_traefik_http_middlewares: "{{ nextcloud_container_labels_traefik_http_middlewares_default + nextcloud_container_labels_traefik_http_middlewares_auto + nextcloud_container_labels_traefik_http_middlewares_custom }}"

nextcloud_container_labels_traefik_http_middlewares_default: |
  {{
    ([{
      'priority': 1000,
      'name': (nextcloud_identifier + '-slashless-redirect'),
      'type': 'redirectregex',
      'config': {
        'regex': '^(' + nextcloud_container_labels_traefik_path_prefix | quote + ')$',
        'replacement': '${1}/',
      },
    }] if nextcloud_container_labels_traefik_path_prefix != '/' else [])

    +

    ([{
      'priority': 2000,
      'name': (nextcloud_identifier + '-dav-redirectregex'),
      'type': 'redirectregex',
      'config': {
        'permanent': 'true',
        'regex': ('^' + nextcloud_scheme + '://' + nextcloud_hostname | quote + '/.well-known/(?:card|cal)dav$'),
        'replacement': (nextcloud_scheme + '://' + nextcloud_hostname + '/remote.php/dav/'),
      },
    }] if nextcloud_container_labels_traefik_dav_redirect_regex_enabled else [])

    +

    ([{
      'priority': 3000,
      'name': (nextcloud_identifier + '-strip-prefix'),
      'type': 'stripprefix',
      'config': {
        'prefixes': nextcloud_container_labels_traefik_path_prefix,
      },
    }] if nextcloud_container_labels_traefik_path_prefix != '/' else [])

    +

    ([{
      'priority': 4000,
      'name': (nextcloud_identifier + '-add-request-headers'),
      'type': 'headers',
      'config_key_prefix': 'customrequestheaders.',
      'config': nextcloud_container_labels_traefik_additional_request_headers,
    }] if nextcloud_container_labels_traefik_additional_request_headers.keys() | length > 0 else [])

    +

    ([{
      'priority': 5000,
      'name': (nextcloud_identifier + '-add-response-headers'),
      'type': 'headers',
      'config_key_prefix': 'customresponseheaders.',
      'config': nextcloud_container_labels_traefik_additional_response_headers,
    }] if nextcloud_container_labels_traefik_additional_response_headers.keys() | length > 0 else [])
  }}

nextcloud_container_labels_traefik_http_middlewares_auto: []
nextcloud_container_labels_traefik_http_middlewares_custom: []

# nextcloud_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
# See `roles/custom/nextcloud/templates/labels.j2` for details.
#
# Example:
# nextcloud_container_labels_additional_labels: |
#   my.label=1
#   another.label="here"
nextcloud_container_labels_additional_labels: ''

# nextcloud_container_additional_environment_variables contains a multiline string with additional environment variables to pass to the container.
#
# Example:
# nextcloud_container_additional_environment_variables: |
#   VAR=1
#   ANOTHER=value
nextcloud_container_additional_environment_variables: ''

# A list of additional "mounts" to be mounted in the container.
# Contains definition objects like this:
# nextcloud_container_additional_mounts:
# - "type=bind|volume|tmpfs,source=/outside,target=/inside,readonly,bind-propagation=slave"
nextcloud_container_additional_mounts: []

nextcloud_container_network: "{{ nextcloud_identifier }}"

# A list of additional container networks that the container would be connected to.
# The playbook does not create these networks, so make sure they already exist.
nextcloud_container_additional_networks: "{{ nextcloud_container_additional_networks_auto + nextcloud_container_additional_networks_custom }}"
nextcloud_container_additional_networks_auto: []
nextcloud_container_additional_networks_custom: []

nextcloud_database_type: postgres
nextcloud_database_hostname: ''
nextcloud_database_port: 5432
nextcloud_database_name: nextcloud
nextcloud_database_username: ''
nextcloud_database_password: ''

# A list of configuration parameters for Nextcloud.
# To define your own, we advise editing `nextcloud_config_additional_parameters`.
nextcloud_config_parameters: "{{ nextcloud_config_default_parameters + nextcloud_config_additional_parameters }}"

# Default configuration parameters to apply to Nextcloud.
# To add your own additional parameters, use `nextcloud_config_additional_parameters`.
# To get rid of these defaults, redefine `nextcloud_config_default_parameters` or `nextcloud_config_parameters`.
nextcloud_config_default_parameters:
  - key: overwriteprotocol
    value: "https"
    type: string
  - key: overwrite.cli.url
    value: "{{ nextcloud_url }}"
    type: string
  - key: overwritewebroot
    value: "{{ nextcloud_path_prefix }}"
    type: string
  - key: htaccess.RewriteBase
    value: "{{ nextcloud_path_prefix }}"
    type: string

# Add your custom Nextcloud configuration parameters here.
#
# Example:
# nextcloud_config_additional_parameters:
#   - key: mail_smtphost
#     value: smtp.example.com
#     type: string
nextcloud_config_additional_parameters: []

# nextcloud_cron_schedule contains a systemd OnCalendar definition which controls how often `cron.timer` runs
# The default value means 'every 15 minutes'.
# Learn more here: https://man.archlinux.org/man/systemd.time.7
nextcloud_cron_schedule: '*:0/15:0'

# Specifies the value of the `X-XSS-Protection` header
# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
#
# Learn more about it is here:
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
# - https://portswigger.net/web-security/cross-site-scripting/reflected
nextcloud_http_header_xss_protection: "1; mode=block"

# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
nextcloud_http_header_frame_options: SAMEORIGIN

# Specifies the value of the `X-Content-Type-Options` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
nextcloud_http_header_content_type_options: nosniff

# Specifies the value of the `Content-Security-Policy` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
nextcloud_http_header_content_security_policy: frame-ancestors 'self'

# Specifies the value of the `Permission-Policy` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy
nextcloud_http_header_content_permission_policy: "{{ 'interest-cohort=()' if nextcloud_floc_optout_enabled else '' }}"

# Specifies the value of the `Strict-Transport-Security` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
nextcloud_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if nextcloud_hsts_preload_enabled else '' }}"

# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses
#
# Learn more about what it is here:
# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
# - https://amifloced.org/
#
# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
# See: `nextcloud_content_permission_policy`
nextcloud_floc_optout_enabled: true

# Controls if HSTS preloading is enabled
#
# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and
# indicates a willingness to be "preloaded" into browsers:
# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
# For more information visit:
# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
# - https://hstspreload.org/#opt-in
# See: `nextcloud_http_header_strict_transport_security`
nextcloud_hsts_preload_enabled: false

# Collabora Online integration.
# See the `collabora-online` role.
nextcloud_collabora_app_wopi_url: ''
nextcloud_collabora_app_wopi_allowlist: '10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16'

# Redis intergration.
nextcloud_redis_hostname: ''
nextcloud_redis_port: 6379