joakim/rick-infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
rick-infra/host_vars/arch-vps/main.yml
Joakim 89b43180fc Refactor Nextcloud configuration to use OCC script approach and add email/OIDC support 
Major architectural changes:
- Replace config file templating with unified OCC command script
- Remove custom_apps mount overlay that caused Caddy serving issues
- Implement script-based configuration for idempotency and clarity

Configuration improvements:
- Add email/SMTP support with master switch (nextcloud_email_enabled)
- Add OIDC/SSO integration with Authentik support
- Add apps installation (user_oidc, calendar, contacts)
- Enable group provisioning and quota management from OIDC
- Set nextcloud_oidc_unique_uid to false per Authentik docs

Files removed:
- nextcloud.config.php.j2 (replaced by OCC commands)
- redis.config.php.j2 (replaced by OCC commands)
- optimization.yml (merged into configure.yml)

Files added:
- configure-nextcloud.sh.j2 (single source of truth for config)
- configure.yml (deploys and runs configuration script)

Documentation:
- Add comprehensive OIDC setup guide with Authentik integration
- Document custom scope mapping and group provisioning
- Add email configuration examples for common providers
- Update vault variables documentation
- Explain two-phase deployment approach

Host configuration:
- Change admin user from 'admin' to 'joakim'
- Add admin email configuration
2025-12-21 14:54:44 +01:00

88 lines
2.9 KiB
YAML
Raw Permalink Blame History

---
# =================================================================
# Production Configuration for arch-vps (jnss.me)
# =================================================================
# =================================================================
# TLS Configuration - Production Setup
# =================================================================
caddy_tls_enabled: true
caddy_domain: "jnss.me"
caddy_tls_email: "{{ vault_caddy_tls_email }}"
# DNS Challenge Configuration (Cloudflare)
caddy_dns_provider: "cloudflare"
cloudflare_api_token: "{{ vault_cloudflare_api_token }}"
# Production Let's Encrypt CA
caddy_acme_ca: "https://acme-v02.api.letsencrypt.org/directory"
# =================================================================
# API Service Registration Configuration
# =================================================================
# Services now self-register using Caddy's admin API
caddy_api_enabled: true
caddy_server_name: "main"
# =================================================================
# Authentik Configuration
# =================================================================
authentik_domain: "auth.jnss.me"
# Database configuration
authentik_db_name: "authentik"
authentik_db_user: "authentik"
authentik_db_password: "{{ vault_authentik_db_password }}"
# Cache configuration
authentik_valkey_db: 1
# Core configuration
authentik_secret_key: "{{ vault_authentik_secret_key }}"
authentik_default_admin_email: "admin@jnss.me"
authentik_default_admin_password: "{{ vault_authentik_admin_password }}"
# Service configuration
authentik_service_enabled: true
authentik_service_state: "started"
# Infrastructure socket configuration
postgresql_unix_socket_enabled: true
postgresql_listen_addresses: "" # Socket-only mode (no TCP)
valkey_unix_socket_enabled: true
# =================================================================
# Nextcloud Configuration
# =================================================================
nextcloud_domain: "cloud.jnss.me"
# Database configuration
nextcloud_db_name: "nextcloud"
nextcloud_db_user: "nextcloud"
nextcloud_db_password: "{{ vault_nextcloud_db_password }}"
# Cache configuration
nextcloud_valkey_db: 2 # Authentik uses 1
# Admin configuration
nextcloud_admin_user: "joakim"
nextcloud_admin_email: "joakim@jnss.me"
nextcloud_admin_password: "{{ vault_nextcloud_admin_password }}"
# Service configuration
nextcloud_service_enabled: true
nextcloud_service_state: "started"
# =================================================================
# Gitea Configuration
# =================================================================
gitea_http_domain: "git.jnss.me"
gitea_ssh_domain: "jnss.me"
# =================================================================
# Security & Logging
# =================================================================
caddy_log_level: "INFO"
caddy_log_format: "json"
caddy_systemd_security: true
Reference in New Issue View Git Blame Copy Permalink