infrastructure/op_guide/nextcloud/README.md

# How to setup NextCloud

## First setup

It's complicated.

First, create a service user `nextcloud` and a database `nextcloud` it owns. Also create a Garage access key and bucket `nextcloud` it is allowed to use.

Fill in the following Consul keys with actual values:

```
secrets/nextcloud/db_user
secrets/nextcloud/db_pass
secrets/nextcloud/garage_access_key
secrets/nextcloud/garage_secret_key
```

Create the following Consul keys with empty values:

```
secrets/nextcloud/instance_id
secrets/nextcloud/password_salt
secrets/nextcloud/secret
```

Start the nextcloud.hcl nomad service. Enter the container and call `occ maintenance:install` with the correct database parameters as user `www-data`.
A possibility: call the admin user `nextcloud` and give it the same password as the `nextcloud` service user.

Cat the newly generated `config.php` file and copy the instance id, password salt, and secret from there to Consul
(they were generated by the install script and we want to keep them).

Restart the Nextcloud Nomad server.

You should now be able to log in to Nextcloud using the admin user (`nextcloud` if you called it that).

Go to the apps settings and enable desired apps.

## Configure LDAP login

LDAP login has to be configured from the admin interface. First, enable the LDAP authentification application.

Go to settings > LDAP/AD integration. Enter the following parameters:

- ldap server: `bottin2.service.2.cluster.deuxfleurs.fr`
- bind user: `cn=nextcloud,ou=services,ou=users,dc=deuxfleurs,dc=fr`
- bind password: password of the nextcloud service user
- base DN for users: `ou=users,dc=deuxfleurs,dc=fr`
- check "manually enter LDAP filters"
- in the users tab, edit LDAP query and set it to `(&(|(objectclass=inetOrgPerson))(|(memberof=cn=nextcloud,ou=groups,dc=deuxfleurs,dc=fr)))`
- in the login attributes tab, edit LDAP query and set it to `(&(&(|(objectclass=inetOrgPerson))(|(memberof=cn=nextcloud,ou=groups,dc=deuxfleurs,dc=fr)))(|(|(mailPrimaryAddress=%uid)(mail=%uid))(|(cn=%uid))))`
- in the groups tab, edit the LDAP query and set it to `(|(objectclass=groupOfNames))`
- in the advanced tab, enter the "directory setting" section and check/modify the following:
  - user display name field: `displayname`
  - base user tree: `ou=users,dc=deuxfleurs,dc=fr`
  - user search attribute: `cn`
  - groupe display name field: `displayname`
  - **base group tree**: `ou=groups,dc=deuxfleurs,dc=fr`
  - group search attribute: `cn`

That should be it. Go to the login attributes tab and enter a username (which should have been added to the nextcloud group) to check that nextcloud is able to find it and allows it for login.
Add garage and nextcloud configuration 2020-07-05 20:54:47 +00:00			`# How to setup NextCloud`

			`## First setup`

			`It's complicated.`

			First, create a service user `nextcloud` and a database `nextcloud` it owns. Also create a Garage access key and bucket `nextcloud` it is allowed to use.

			`Fill in the following Consul keys with actual values:`

			```
			`secrets/nextcloud/db_user`
			`secrets/nextcloud/db_pass`
			`secrets/nextcloud/garage_access_key`
			`secrets/nextcloud/garage_secret_key`
			```

			`Create the following Consul keys with empty values:`

			```
			`secrets/nextcloud/instance_id`
			`secrets/nextcloud/password_salt`
			`secrets/nextcloud/secret`
			```

			Start the nextcloud.hcl nomad service. Enter the container and call `occ maintenance:install` with the correct database parameters as user `www-data`.
			A possibility: call the admin user `nextcloud` and give it the same password as the `nextcloud` service user.

			Cat the newly generated `config.php` file and copy the instance id, password salt, and secret from there to Consul
			`(they were generated by the install script and we want to keep them).`

			`Restart the Nextcloud Nomad server.`

			You should now be able to log in to Nextcloud using the admin user (`nextcloud` if you called it that).

			`Go to the apps settings and enable desired apps.`

			`## Configure LDAP login`

			`LDAP login has to be configured from the admin interface. First, enable the LDAP authentification application.`

			`Go to settings > LDAP/AD integration. Enter the following parameters:`

			- ldap server: `bottin2.service.2.cluster.deuxfleurs.fr`
			- bind user: `cn=nextcloud,ou=services,ou=users,dc=deuxfleurs,dc=fr`
			`- bind password: password of the nextcloud service user`
			- base DN for users: `ou=users,dc=deuxfleurs,dc=fr`
			`- check "manually enter LDAP filters"`
			- in the users tab, edit LDAP query and set it to `(&(\|(objectclass=inetOrgPerson))(\|(memberof=cn=nextcloud,ou=groups,dc=deuxfleurs,dc=fr)))`
			- in the login attributes tab, edit LDAP query and set it to `(&(&(\|(objectclass=inetOrgPerson))(\|(memberof=cn=nextcloud,ou=groups,dc=deuxfleurs,dc=fr)))(\|(\|(mailPrimaryAddress=%uid)(mail=%uid))(\|(cn=%uid))))`
			- in the groups tab, edit the LDAP query and set it to `(\|(objectclass=groupOfNames))`
			`- in the advanced tab, enter the "directory setting" section and check/modify the following:`
			- user display name field: `displayname`
			- base user tree: `ou=users,dc=deuxfleurs,dc=fr`
			- user search attribute: `cn`
			- groupe display name field: `displayname`
			- base group tree: `ou=groups,dc=deuxfleurs,dc=fr`
			- group search attribute: `cn`

			`That should be it. Go to the login attributes tab and enter a username (which should have been added to the nextcloud group) to check that nextcloud is able to find it and allows it for login.`