# Nextcloud

## Prerequisite

### Create database

- Create the password with `openssl rand -base64 32`
- Save this value in secrets.yaml in `postgresql.password.nextcloud`
- Access the infra server and create nextcloud_db with `podman exec -it postgresql psql -U postgres`

```SQL
-- The quoted password is the value stored in secrets.yaml under postgresql.password.nextcloud
CREATE USER nextcloud WITH PASSWORD 'postgresql.password.nextcloud';
CREATE DATABASE nextcloud_db;
ALTER DATABASE nextcloud_db OWNER TO nextcloud;
```

### Create oidc secret and hash

- Create the secret with `openssl rand -base64 32`
- Access the auth VM
- `podman exec -it authelia sh`
- `authelia crypto hash generate pbkdf2 --password 'nextcloud.oidc.secret'`
- Save the secret in secrets.yaml in `nextcloud.oidc.secret` and the generated hash in `nextcloud.oidc.hash`

### Create admin password

- Create the secret with `openssl rand -base64 32`
- Save this value in secrets.yaml in `nextcloud.admin-local.password`

### Add postgresql dump backup list

- [set_postgresql.yaml](../../../ansible/roles/infra/tasks/services/set_postgresql.yaml)

```yaml
- name: Set connected services list
  ansible.builtin.set_fact:
    connected_services:
      - ...
      - "nextcloud"
```

## Configuration

### Access

- https://nextcloud.ilnmors.com
- Login with admin-local

### Disable and enable apps

- Profile: Apps: Your apps: Disable
  - Photo
  - Dashboard
- Profile: Apps: Search: Enable
  - OpenID Connect user backend
  - Calendar
  - Contacts
  - Deck
  - Tasks
  - Mail
  - Nextcloud Office

### OIDC configuration

```bash
# Register Authelia as the OIDC provider; the quoted client secret is the value
# stored in secrets.yaml under nextcloud.oidc.secret
podman exec -u www-data nextcloud php occ user_oidc:provider Authelia \
  --clientid="nextcloud" \
  --clientsecret="nextcloud.oidc.secret" \
  --discoveryuri="https://authelia.ilnmors.com/.well-known/openid-configuration"

# Nextcloud merges every config/*.config.php drop-in into $CONFIG.
# The backslash in \$CONFIG stops the outer shell from expanding it before the heredoc is written.
podman exec -u www-data nextcloud sh -c "cat > /var/www/html/config/user_oidc.config.php << 'EOF'
<?php
\$CONFIG = [
  'user_oidc' => [
    'default_token_endpoint_auth_method' => 'client_secret_post',
    'auto_provision' => true,
    'soft_auto_provision' => true,
    'disable_account_creation' => false,
  ],
];
EOF"
podman exec -u www-data nextcloud php occ config:system:get user_oidc

# Lets Nextcloud make requests to hosts on local/private addresses
# (needed when the OIDC provider lives on a private address)
podman exec -u www-data nextcloud sh -c "cat > /var/www/html/config/local_remote.config.php <<'EOF'
<?php
\$CONFIG = [
  'allow_local_remote_servers' => true,
];
EOF"
podman exec -u www-data nextcloud php occ config:system:get allow_local_remote_servers
```

### Account configuration

- Profile: Accounts:
  - Allocate the admin group to admin users
  - Manage groups and quota in the Nextcloud UI
  - OIDC users may have UUID-like account names
  - Use Display name for human-readable user management
  - Keep `admin-local` as a break-glass local administrator account
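The OIDC login above only works if the pbkdf2 hash stored for Authelia (`nextcloud.oidc.hash`) was generated from the same plaintext handed to Nextcloud (`nextcloud.oidc.secret`); a mismatch surfaces only as a failed token exchange at login time. This added Python check (not part of these docs, Authelia or Nextcloud) recomputes the hash from the two secrets.yaml values before deployment. It assumes the hash is a PHC string of the form `$pbkdf2-<variant>$<iterations>$<salt>$<key>` with unpadded base64, as printed by `authelia crypto hash generate pbkdf2`; `generate_pbkdf2_phc` exists only to build constructed test vectors.

```python
import base64
import hashlib
import hmac
import os

# Assumed hash layout, as printed by `authelia crypto hash generate pbkdf2`:
#   $pbkdf2-<variant>$<iterations>$<salt>$<key>   (salt and key base64 without padding)
VARIANTS = {"sha1", "sha224", "sha256", "sha384", "sha512"}


def b64decode_nopad(s: str) -> bytes:
    return base64.b64decode(s + "=" * (-len(s) % 4))


def b64encode_nopad(b: bytes) -> str:
    return base64.b64encode(b).decode().rstrip("=")


def generate_pbkdf2_phc(secret: str, variant="sha512", iterations=310000, salt=None) -> str:
    """Build a PHC pbkdf2 string in the assumed layout (used here to create test vectors)."""
    if variant not in VARIANTS:
        raise ValueError(f"unsupported pbkdf2 variant: {variant}")
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac(variant, secret.encode(), salt, iterations)
    return f"$pbkdf2-{variant}${iterations}${b64encode_nopad(salt)}${b64encode_nopad(key)}"


def verify_pbkdf2_phc(secret: str, phc: str) -> bool:
    """Recompute the key from the PHC parameters and compare it in constant time."""
    parts = phc.split("$")
    if len(parts) != 5 or parts[0] != "" or not parts[1].startswith("pbkdf2-"):
        return False  # malformed, or not pbkdf2 at all (e.g. an argon2id string)
    variant, iterations = parts[1][len("pbkdf2-"):], parts[2]
    if variant not in VARIANTS or not iterations.isdigit() or int(iterations) < 1:
        return False
    try:
        salt, expected = b64decode_nopad(parts[3]), b64decode_nopad(parts[4])
    except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
        return False
    if not expected:
        return False
    actual = hashlib.pbkdf2_hmac(variant, secret.encode(), salt, int(iterations), dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def check_oidc_secret_pair(oidc_secret: str, oidc_hash: str) -> bool:
    """True when the hash stored for Authelia was derived from the plaintext handed to Nextcloud."""
    return verify_pbkdf2_phc(oidc_secret, oidc_hash)
```

Feed `check_oidc_secret_pair` the two values from secrets.yaml; a `False` result means the Authelia client hash and the Nextcloud client secret were generated from different secrets and must be regenerated together.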