
feat(nextcloud): enable OIDC login #199

Merged
merged 1 commit into from
Jan 6, 2024
Merged

Conversation

martinohmann
Owner

Essentially the same as #186 but for authentik

Essentially the same as #186 but for authentik
@github-actions github-actions bot added area/kubernetes Changes made in the kubernetes directory area/terraform Changes made in the terraform directory labels Jan 6, 2024

github-actions bot commented Jan 6, 2024

--- kubernetes/apps/default/nextcloud/app Kustomization: flux-system/nextcloud HelmRelease: default/nextcloud

+++ kubernetes/apps/default/nextcloud/app Kustomization: flux-system/nextcloud HelmRelease: default/nextcloud

@@ -102,18 +102,56 @@

               '10.0.0.0/8',
             ),
             'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'),
             'default_phone_region' => 'DE',
             'auth.bruteforce.protection.enabled' => true,
           );
+        sso.config.php: |-
+          <?php
+          $CONFIG = array(
+            'allow_user_to_change_display_name' => false,
+            'lost_password_link' => 'disabled',
+            'oidc_login_client_id' => getenv('OIDC_CLIENT_ID'),
+            'oidc_login_client_secret' => getenv('OIDC_CLIENT_SECRET'),
+            'oidc_login_provider_url' => 'https://identity.18b.haus/application/o/nextcloud/',
+            'oidc_login_end_session_redirect' => true,
+            'oidc_login_logout_url' => 'https://identity.18b.haus/application/o/nextcloud/end-session/',
+            'oidc_login_default_quota' => '1000000000',
+            'oidc_login_hide_password_form' => true,
+            'oidc_login_disable_registration' => false,
+            'oidc_login_webdav_enabled' => true,
+            'oidc_login_attributes' => array(
+              'id' => 'sub',
+              'name' => 'name',
+              'mail' => 'email',
+              'groups' => 'groups',
+              'quota' => 'quota',
+              'is_admin' => 'is_admin',
+            ),
+            'oidc_login_scope' => 'openid profile email nextcloud',
+            'oidc_login_default_group' => 'oidc',
+            'oidc_create_groups' => true,
+            'oidc_login_auto_redirect' => true, // bypass via /login?noredir=1
+          );
       existingSecret:
         enabled: true
         passwordKey: ADMIN_PASS
         secretName: nextcloud-secret
         tokenKey: TOKEN
         usernameKey: ADMIN_USER
+      extraEnv:
+      - name: OIDC_CLIENT_ID
+        valueFrom:
+          secretKeyRef:
+            key: OIDC_CLIENT_ID
+            name: nextcloud-secret
+      - name: OIDC_CLIENT_SECRET
+        valueFrom:
+          secretKeyRef:
+            key: OIDC_CLIENT_SECRET
+            name: nextcloud-secret
       extraInitContainers:
       - envFrom:
         - secretRef:
             name: nextcloud-secret
         image: ghcr.io/onedr0p/postgres-init:16.1
         name: init-db
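Review bot: The new `OIDC_CLIENT_SECRET` key is placed in `nextcloud-secret`, and the `init-db` init container at the bottom of the hunk imports that whole Secret via `envFrom: secretRef`, so the OIDC client secret now also lands in the environment of a container that appears to need only database credentials. Consider keeping the OIDC credentials in a separate Secret referenced only by the two `extraEnv` entries, or narrowing `init-db` to explicit `secretKeyRef`s, e.g. `- name: nextcloud-oidc` under a dedicated `secretName`. Reading the secret through `getenv()` instead of inlining it in the ConfigMap-backed `sso.config.php` is the right call and worth a comment such as `# client secret comes from env (Secret), never from this ConfigMap`. The HelmRelease values mapping continues outside the hunk.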


github-actions bot commented Jan 6, 2024

--- HelmRelease: default/nextcloud ConfigMap: default/nextcloud-config

+++ HelmRelease: default/nextcloud ConfigMap: default/nextcloud-config

@@ -15,12 +15,39 @@

         '127.0.0.1',
         '10.0.0.0/8',
       ),
       'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'),
       'default_phone_region' => 'DE',
       'auth.bruteforce.protection.enabled' => true,
+    );
+  sso.config.php: |-
+    <?php
+    $CONFIG = array(
+      'allow_user_to_change_display_name' => false,
+      'lost_password_link' => 'disabled',
+      'oidc_login_client_id' => getenv('OIDC_CLIENT_ID'),
+      'oidc_login_client_secret' => getenv('OIDC_CLIENT_SECRET'),
+      'oidc_login_provider_url' => 'https://identity.18b.haus/application/o/nextcloud/',
+      'oidc_login_end_session_redirect' => true,
+      'oidc_login_logout_url' => 'https://identity.18b.haus/application/o/nextcloud/end-session/',
+      'oidc_login_default_quota' => '1000000000',
+      'oidc_login_hide_password_form' => true,
+      'oidc_login_disable_registration' => false,
+      'oidc_login_webdav_enabled' => true,
+      'oidc_login_attributes' => array(
+        'id' => 'sub',
+        'name' => 'name',
+        'mail' => 'email',
+        'groups' => 'groups',
+        'quota' => 'quota',
+        'is_admin' => 'is_admin',
+      ),
+      'oidc_login_scope' => 'openid profile email nextcloud',
+      'oidc_login_default_group' => 'oidc',
+      'oidc_create_groups' => true,
+      'oidc_login_auto_redirect' => true, // bypass via /login?noredir=1
     );
   .htaccess: |-
     # line below if for Apache 2.4
     <ifModule mod_authz_core.c>
     Require all denied
     </ifModule>
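Review bot: The `'is_admin' => 'is_admin'` attribute mapping hands out Nextcloud admin rights based on an IdP claim, while `'oidc_login_disable_registration' => false` and `'oidc_create_groups' => true` auto-provision any user (and any group) authentik presents, so the whole authorization boundary now lives in authentik's application policy and the custom `nextcloud` scope mapping, none of which is visible here. That is a reasonable design, but it deserves a comment next to the attribute array so the next maintainer knows the claim must stay server-side, e.g. `// is_admin/groups/quota are produced by the authentik 'nextcloud' scope mapping; users must not be able to set them — verify the application is bound to an allow-list policy`. The `// bypass via /login?noredir=1` note already documents that local password login (the admin account from `existingSecret`) remains reachable; consider stating that this is the intended break-glass path and that `auth.bruteforce.protection.enabled` above is what guards it. The `$CONFIG` array here is complete within the hunk.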
--- HelmRelease: default/nextcloud Deployment: default/nextcloud

+++ HelmRelease: default/nextcloud Deployment: default/nextcloud

@@ -24,13 +24,13 @@

       labels:
         app.kubernetes.io/name: nextcloud
         app.kubernetes.io/instance: nextcloud
         app.kubernetes.io/component: app
         nextcloud-redis-client: 'true'
       annotations:
-        nextcloud-config-hash: 23cd7edd27c6e4ae0f33ef8294bebc7890c28f5d5049a0df36d838564b296f51
+        nextcloud-config-hash: b721a5f0def86526f9b094fc060fee1f4e3ff8e01c68b8740c7447bd11aed85c
         php-config-hash: b42c4841da13ab0c6d450941f1d15997c7ee914e8f09152d25ac1af57d0ccc8c
         nginx-config-hash: 18dd8f905a93ed27f032e9ae68084222ed7e5926f7144cda17b979780f4da54b
     spec:
       containers:
       - name: nextcloud
         image: public.ecr.aws/docker/library/nextcloud:28.0.1-fpm-alpine
@@ -78,12 +78,22 @@

           value: '6379'
         - name: REDIS_HOST_PASSWORD
           valueFrom:
             secretKeyRef:
               name: nextcloud-secret
               key: REDIS_PASSWORD
+        - name: OIDC_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              key: OIDC_CLIENT_ID
+              name: nextcloud-secret
+        - name: OIDC_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              key: OIDC_CLIENT_SECRET
+              name: nextcloud-secret
         resources:
           limits:
             memory: 1Gi
           requests:
             cpu: 200m
             memory: 300Mi
@@ -114,12 +124,15 @@

         - name: nextcloud-main
           mountPath: /var/www/html/themes
           subPath: themes
         - name: nextcloud-config
           mountPath: /var/www/html/config/local.config.php
           subPath: local.config.php
+        - name: nextcloud-config
+          mountPath: /var/www/html/config/sso.config.php
+          subPath: sso.config.php
         - name: nextcloud-config
           mountPath: /var/www/html/config/.htaccess
           subPath: .htaccess
         - name: nextcloud-config
           mountPath: /var/www/html/config/apache-pretty-urls.config.php
           subPath: apache-pretty-urls.config.php
@@ -267,12 +280,22 @@

           value: '6379'
         - name: REDIS_HOST_PASSWORD
           valueFrom:
             secretKeyRef:
               name: nextcloud-secret
               key: REDIS_PASSWORD
+        - name: OIDC_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              key: OIDC_CLIENT_ID
+              name: nextcloud-secret
+        - name: OIDC_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              key: OIDC_CLIENT_SECRET
+              name: nextcloud-secret
         resources: {}
         securityContext:
           runAsGroup: 82
         volumeMounts:
         - name: nextcloud-main
           mountPath: /var/www/
@@ -295,12 +318,15 @@

         - name: nextcloud-main
           mountPath: /var/www/html/themes
           subPath: themes
         - name: nextcloud-config
           mountPath: /var/www/html/config/local.config.php
           subPath: local.config.php
+        - name: nextcloud-config
+          mountPath: /var/www/html/config/sso.config.php
+          subPath: sso.config.php
         - name: nextcloud-config
           mountPath: /var/www/html/config/.htaccess
           subPath: .htaccess
         - name: nextcloud-config
           mountPath: /var/www/html/config/apache-pretty-urls.config.php
           subPath: apache-pretty-urls.config.php

@martinohmann martinohmann merged commit 55663dd into main Jan 6, 2024
4 checks passed
@martinohmann martinohmann deleted the nextcloud/oidc-login branch January 6, 2024 13:10