# Nextcloud Role - Required Vault Variables

This role requires the following encrypted variables to be defined in your vault file (typically `host_vars//vault.yml`).

## Required Variables

Add these to your encrypted vault file:

```yaml
# Nextcloud database password
vault_nextcloud_db_password: "CHANGE_ME_secure_database_password"

# Nextcloud admin account password
vault_nextcloud_admin_password: "CHANGE_ME_secure_admin_password"

# Valkey/Redis password (shared infrastructure)
vault_valkey_password: "CHANGE_ME_secure_valkey_password"
```

`vault_valkey_password` is shared with the other services that use the same Valkey instance. If it is already defined in your vault by another role, keep the existing value rather than adding a second one; a duplicate key silently overrides the first and breaks the other services' connections.

## Creating/Editing Vault File

### First Time Setup

```bash
# Create encrypted vault file
ansible-vault create host_vars/arch-vps/vault.yml

# Add the variables above, then save and exit
```

### Edit Existing Vault

```bash
# Edit encrypted vault file
ansible-vault edit host_vars/arch-vps/vault.yml

# Add the Nextcloud variables, then save and exit
```

### Password Generation

Generate random passwords from a CSPRNG rather than choosing them by hand:

```bash
# 32 random bytes, base64 encoded (44 characters of output)
openssl rand -base64 32

# Or using pwgen: one 32-character password, fully random (-s)
pwgen -s 32 1
```

## Example Vault File

Your `host_vars/arch-vps/vault.yml` should include:

```yaml
---
# Caddy TLS
vault_caddy_tls_email: "admin@jnss.me"
vault_cloudflare_api_token: "your-cloudflare-token"

# Authentik
vault_authentik_db_password: "authentik-db-password"
vault_authentik_secret_key: "authentik-secret-key"
vault_authentik_admin_password: "authentik-admin-password"

# Nextcloud (ADD THESE)
vault_nextcloud_db_password: "generated-password-1"
vault_nextcloud_admin_password: "generated-password-2"

# Valkey (shared infrastructure)
vault_valkey_password: "valkey-password"
```

The values above are placeholders; replace each one with a freshly generated password.

## Deployment

When deploying, you'll need to provide the vault password:

```bash
# Deploy with vault password prompt
ansible-playbook -i inventory/hosts.yml site.yml --tags nextcloud --ask-vault-pass

# Or use a password file
ansible-playbook -i inventory/hosts.yml site.yml --tags nextcloud --vault-password-file ~/.vault_pass
```

If you use a password file, keep it outside the repository and readable only by you (`chmod 600 ~/.vault_pass`). Anyone who can read that file can decrypt every vault it protects.

## Security Notes

- **Never commit unencrypted vault files** to git. A committed plaintext vault stays in history even after it is re-encrypted; rotate every secret it contained.
- Use strong, randomly generated passwords (at least 32 characters).
- Each service should have a unique database password, so that one compromised service does not expose the others' databases.
- Store the vault password securely (password manager, encrypted file, etc.).
- Consider using `ansible-vault rekey` to change the vault password periodically. Rekeying changes only the vault password, not the secrets inside; those must be rotated separately if they were ever exposed.

## Verification

Check that variables are properly encrypted:

```bash
# View encrypted file: the first line must be the vault header
# ($ANSIBLE_VAULT;1.1;AES256), followed by hex ciphertext only
cat host_vars/arch-vps/vault.yml

# Decrypt and view (requires password)
ansible-vault view host_vars/arch-vps/vault.yml
```

If `cat` shows readable YAML keys such as `vault_nextcloud_db_password`, the file is not encrypted and must not be committed.
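The whole procedure above (generate the passwords, render the Nextcloud variables as YAML, encrypt them with `ansible-vault`, and confirm that no plaintext `vault.yml` is left in the tree) as a single shell script. This is an added example, not part of the role or the original page; the function names, the `create_nextcloud_vault` layout and the assumption that vault files are always named `vault.yml` under `host_vars/` are this example's own. Only `create_nextcloud_vault` needs `ansible-vault` installed; the header check and the plaintext scan run anywhere and are suitable as a pre-commit hook.

```shell
#!/usr/bin/env sh
# Added example (not the role's own code): generate, render, encrypt and
# verify Nextcloud vault secrets. Assumes vault files are named vault.yml
# under host_vars/<host>/ (this example's convention).
set -u

# Print one random password: N random bytes, base64 encoded.
# 32 bytes -> 44 characters. Falls back to /dev/urandom if openssl is absent.
gen_password() {
    bytes="${1:-32}"
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 "$bytes" | tr -d '\n'
    else
        head -c "$bytes" /dev/urandom | base64 | tr -d '\n'
    fi
}

# Render the Nextcloud vault variables as YAML on stdout.
# Arguments: db_password admin_password valkey_password
render_nextcloud_vault() {
    cat <<EOF
---
# Nextcloud database password
vault_nextcloud_db_password: "$1"
# Nextcloud admin account password
vault_nextcloud_admin_password: "$2"
# Valkey/Redis password (shared infrastructure)
vault_valkey_password: "$3"
EOF
}

# Return 0 if the file starts with an ansible-vault header (format 1.1 or 1.2).
# An encrypted vault is a header line followed only by hex ciphertext.
is_vault_encrypted() {
    file="$1"
    [ -f "$file" ] || return 1
    IFS= read -r first < "$file" || true
    case "$first" in
        '$ANSIBLE_VAULT;1.'[12]';AES256'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every vault.yml under a directory that is NOT encrypted.
# Returns 1 if any plaintext vault was found (use as a pre-commit gate).
find_plaintext_vaults() {
    bad=$(find "$1" -name 'vault.yml' -type f | while IFS= read -r f; do
        is_vault_encrypted "$f" || printf '%s\n' "$f"
    done)
    [ -z "$bad" ] && return 0
    printf 'PLAINTEXT vault file(s):\n%s\n' "$bad" >&2
    return 1
}

# Create host_vars/<host>/vault.yml with fresh Nextcloud secrets, encrypted.
# The YAML is piped straight into ansible-vault, so plaintext never touches disk.
# Usage: create_nextcloud_vault arch-vps ~/.vault_pass
# (For an existing vault use `ansible-vault edit` instead; this creates a new file.)
create_nextcloud_vault() {
    host="$1"
    pass_file="$2"
    out="host_vars/$host/vault.yml"
    mkdir -p "host_vars/$host"
    render_nextcloud_vault "$(gen_password)" "$(gen_password)" "$(gen_password)" \
        | ansible-vault encrypt --vault-password-file "$pass_file" --output "$out" -
    is_vault_encrypted "$out"
}
```

Run `find_plaintext_vaults .` from the repository root before every commit (or wire it into a pre-commit hook); a non-zero exit means a plaintext `vault.yml` is about to be committed. `create_nextcloud_vault` is the first-time path only: it writes a new file, so for a host whose vault already holds Caddy or Authentik secrets, generate the passwords with `gen_password` and paste them in via `ansible-vault edit`.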