ansible-infra/templates/chaosknoten/configs/cloud/config.php.j2

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => 
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'instanceid' => 'oc9uqhr7buka',
  'passwordsalt' => 'SK2vmQeTEHrkkwx9K+hC1WX33lPJDs',
  'secret' => '3dBt5THD2ehg0yWdVDAvMmsY8yLtrfk/gE560lkMqYqgh6lu',
  'trusted_domains' => 
  array (
    0 => 'cloud.hamburg.ccc.de',
  ),
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'mysql',
  'version' => '25.0.9.2',
  'overwrite.cli.url' => 'https://cloud.hamburg.ccc.de',
  'dbname' => 'nextcloud',
  'dbhost' => 'database',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'TdBLMQQeKbz1zab3sySUsGxo3',
  'installed' => true,
  // Some Nextcloud options that might make sense here
  'allow_user_to_change_display_name' => false,
  'lost_password_link' => 'disabled',
  // URL of provider. All other URLs are auto-discovered from .well-known
  'oidc_login_provider_url' => 'https://id.ccchh.net/realms/ccchh',
  // Client ID and secret registered with the provider
  'oidc_login_client_id' => 'cloud',
  'oidc_login_client_secret' => '{{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/cloud/kc-client-secret", create=false, missing="error") }}',
  // Automatically redirect the login page to the provider
  'oidc_login_auto_redirect' => true,
  // Redirect to this page after logging out the user
  //'oidc_login_logout_url' => 'https://openid.example.com/thankyou',
  // If set to true the user will be redirected to the
  // logout endpoint of the OIDC provider after logout
  // in Nextcloud. After successfull logout the OIDC
  // provider will redirect back to 'oidc_login_logout_url' (MUST be set).
  'oidc_login_end_session_redirect' => true,
  // Quota to assign if no quota is specified in the OIDC response (bytes)
  //
  // NOTE: If you want to allow NextCloud to manage quotas, omit this option. Do not set it to
  // zero or -1 or ''.
  'oidc_login_default_quota' => '1000000000',
  // Login button text
  'oidc_login_button_text' => 'Log in via id.ccchh.net',
  // Hide the NextCloud password change form.
  'oidc_login_hide_password_form' => false,
  // Use ID Token instead of UserInfo
  'oidc_login_use_id_token' => false,
  'oidc_login_attributes' => array (
        'id' => 'preferred_username',
        'name' => 'name',
        'mail' => 'email',
        'quota' => 'ownCloudQuota',
        'home' => 'homeDirectory',
        'ldap_uid' => 'uid',
        'groups' => 'ownCloudGroups',
        'login_filter' => 'realm_access_roles',
        'photoURL' => 'picture',
        'is_admin' => 'ownCloudAdmin',
  ),
  // Default group to add users to (optional, defaults to nothing)
  //'oidc_login_default_group' => 'oidc',
  'oidc_login_filter_allowed_values' => null,
  // Set OpenID Connect scope
  'oidc_login_scope' => 'openid profile',
  // The `id` attribute in `oidc_login_attributes` must return the
  // "Internal Username" (see expert settings in LDAP integration)
  'oidc_login_proxy_ldap' => false,
  // Fallback to direct login if login from OIDC fails
  // Note that no error message will be displayed if enabled
  'oidc_login_disable_registration' => false,
  //'oidc_login_redir_fallback' => false,
  // If you get your groups from the oidc_login_attributes, you might want
  // to create them if they are not already existing, Default is `false`.
  'oidc_create_groups' => true,
  // Enable use of WebDAV via OIDC bearer token.
  'oidc_login_webdav_enabled' => true,
  // Enable authentication with user/password for DAV clients that do not
  // support token authentication (e.g. DAVx⁵)
  'oidc_login_password_authentication' => false,
);