playbooks/install-nextcloud-sso.yml

---
- name: Install nextcloud release 24
  hosts: grpnc
  remote_user: root


  # use this command line: ansible-playbook -v -i hosts install-nextcloud.yml -u root
  # Execute ansible-playbook playbookfile.yml -i hosts --vault-password-file .vault-password

  vars:
    ansible_python_interpreter: /usr/bin/python3
    nextcloud_fqdn: "nc.{{ domain }}"
    # Yes, this is different from the other playbooks. For a reason...
    nextcloud_client_id: "{{ nextcloud_server_url }}/apps/user_saml/saml/metadata"
    nextcloud_client_name: "client-nextcloud-{{ ansible_fqdn }}"
    keycloak_server_url: https://ad.{{ domain }}
    nextcloud_server_url: https://nc.{{ domain }}
    realm: "{{ realm }}"

  tasks:
    - name: Show sensible tip for output
      ansible.builtin.debug:
        msg: Readable debug output  export ANSIBLE_STDOUT_CALLBACK=debug

    - name: Read global vars
      ansible.builtin.include_vars: global-vars.yml

    - name: Read encrypted content
      ansible.builtin.include_vars: encrypted-vars.yml

    - name: Check if server is Ubuntu 20.04
      ansible.builtin.fail:
        msg: "'Unsupported platform! This playbook is for Ubuntu 20.04!"
      when: not (ansible_distribution == 'Ubuntu' and ansible_distribution_version == '20.04')

    - name: Extra update apt cache
      ansible.builtin.apt:
        update_cache: true

    # Install all needed software in one go.
    - name: Install all needed packages
      ansible.builtin.apt:
        name: "{{ item }}"
      loop:
        - postgresql
        - autopostgresqlbackup
        - nginx
        - jq
        - unzip
        - mlocate
        - php7.4-fpm
        - php7.4-pgsql
        - php7.4-pgsql
        - php-common
        - php7.4-cli
        - php7.4-common
        - php7.4-opcache
        - php7.4-readline
        - php7.4-mbstring
        - php7.4-xml
        - php7.4-gd
        - php7.4-curl
        - php7.4-ldap
        - php7.4-zip
        - php7.4-intl
        - php7.4-gmp
        - php7.4-bcmath
        - php-redis
        - php-imagick
        - redis
        - postgresql-contrib
        - python3-psycopg2
        - python3-lxml
        - libxml2-utils
        - xmlstarlet

    - name: Set timezone to Europe/Amsterdam
      community.general.timezone:
        name: Europe/Amsterdam

    # Setup Postgresql database
    - name: Setup nextcloud Postgresql database user
      become: true
      become_user: postgres
      community.postgresql.postgresql_user:
        name: nextcloud
        password: 'nextcloud'
        # priv: "CONNECT"

    - name: Setup nextcloud Postgresql database
      become: true
      become_user: postgres
      community.postgresql.postgresql_db:
        name: nextcloud
        template: 'template0'
        owner: nextcloud
        state: present

    - name: Make SSL dir for nginx
      ansible.builtin.file:
        path: /etc/nginx/ssl
        state: directory
        mode: '0755'

    - name: Copy SSL key and cert to nginx ssl dir
      ansible.builtin.copy:
        src: "files/{{ item }}"
        dest: "/etc/nginx/ssl/{{ item }}"
        owner: root
        group: root
        mode: '0600'
      loop:
        - _wildcard.{{ domain }}.pem
        - _wildcard.{{ domain }}-key.pem

    - name: Set fact for ssl cert
      ansible.builtin.set_fact:
        tls_crt: "/etc/nginx/ssl/_wildcard.{{ domain }}.pem"

    - name: Set fact for ssl key
      ansible.builtin.set_fact:
        tls_key: "/etc/nginx/ssl/_wildcard.{{ domain }}-key.pem"

    - name: Generate and copy nginx config for standalone instance
      ansible.builtin.template:
        src: nextcloud-nginx.j2
        dest: /etc/nginx/sites-enabled/default
        force: true
        mode: '0644'

    - name: Overwrite php-fpm www.conf
      ansible.builtin.copy:
        src: files/nextcloud-php-fpm.conf
        dest: /etc/php/7.4/fpm/pool.d/www.conf
        mode: '0644'

    - name: Overwrite php.ini
      ansible.builtin.copy:
        src: files/nextcloud-php.ini
        dest: /etc/php/7.4/fpm/php.ini
        mode: '0644'

    - name: Download nextcloud
      ansible.builtin.get_url:
        url: https://download.nextcloud.com/server/releases/latest-24.zip
        dest: "/root/latest-24.zip"
        mode: '0644'

    - name: Unpack nextcloud
      ansible.builtin.unarchive:
        src: /root/latest-24.zip
        dest: /var/www/html
        remote_src: true
        mode: '0644'

    - name: Change owner to www-data in nextcloud dir
      ansible.builtin.file:
        path: /var/www/html/nextcloud
        state: directory
        owner: www-data
        group: www-data
        recurse: true

    - name: Start and enable nginx
      ansible.builtin.systemd_service:
        name: nginx
        state: restarted
        enabled: true

    - name: Start and enable php-fpm
      ansible.builtin.systemd_service:
        name: php7.4-fpm
        enabled: true
        state: restarted

    - name: Start and enable redis
      ansible.builtin.systemd_service:
        name: redis
        state: started
        enabled: true

    - name: Create nextcloud data directory /var/lib/nextcloud
      ansible.builtin.file:
        path: /var/lib/nextcloud
        state: directory
        owner: www-data
        group: www-data
        mode: '0755'

    # Retrieve some saml info from our Keycloak server
    # We can create a SAML client at the Keycloak side.  And use REST to
    # configure at the CMDBuild side.

    ####################################################
    # Create a SAML client at the Keycloak side.
    ####################################################

    # Generate a key on the nextcloud server
    - name: Generate key on nextcloud server
      ansible.builtin.command:
        cmd: /usr/bin/openssl req -x509 -sha256 -newkey rsa:2048 -keyout sp.key -out sp.crt -days 3650 -nodes -subj '/CN={{ domain }}'
        chdir: /tmp
      register: my_output
      changed_when: my_output.rc != 0 # <- Uses the return code to define when the task has changed.

    # Start getting auth token
    # Retrieve token url needed.  Returns JSON payload with var token-service.
    - name: Retrieve token url from server
      ansible.builtin.uri:
        url: "{{ keycloak_server_url }}/realms/master"
        validate_certs: false
      register: tokenurl

    - name: Show token-service
      ansible.builtin.debug:
        var: tokenurl.json["token-service"]

    - name: Store url for easier retrieval
      ansible.builtin.set_fact:
        token_url: "{{ tokenurl.json[\"token-service\"] }}"

    # Call info endpoint
    - name: "Retrieve endpoint info for our realm {{ realm }}"
      ansible.builtin.uri:
        url: "{{ keycloak_server_url }}/realms/{{ realm }}/.well-known/openid-configuration"
        validate_certs: false
      register: endpointinfo

    - name: Show endpoint info
      ansible.builtin.debug:
        var: endpointinfo

    - name: Store authorization_endpoint for faster retrieval
      ansible.builtin.set_fact:
        authorization_endpoint: "{{ endpointinfo.json[\"authorization_endpoint\"] }}"

    # "authorization_endpoint": "https://ad.{{ domain }}/realms/ONESTEIN.LAN/protocol/openid-connect/auth",
    - name: Show authorization endpoint
      ansible.builtin.debug:
        var: authorization_endpoint

    - name: Store token_endpoint for faster retrieval
      ansible.builtin.set_fact:
        token_endpoint: "{{ endpointinfo.json[\"token_endpoint\"] }}"

    - name: Show token endpoint
      ansible.builtin.debug:
        var: token_endpoint

    - name: Store userinfo_endpoint for faster retrieval
      ansible.builtin.set_fact:
        userinfo_endpoint: "{{ endpointinfo.json[\"userinfo_endpoint\"] }}"

    - name: Show userinfo endpoint
      ansible.builtin.debug:
        var: userinfo_endpoint

    # Get authentication token from token-service url
    - name: Retrieve authentication token from token-service url
      ansible.builtin.uri:
        url: "{{ tokenurl.json[\"token-service\"] }}/token"
        method: POST
        body_format: form-urlencoded
        validate_certs: false
        body:
          realm: master
          client_id: admin-cli
          username: "{{ kc_adminid }}"
          password: "{{ kc_adminpw }}"
          grant_type: password
      register: authtoken

    - name: Show authtoken
      ansible.builtin.debug:
        var: authtoken

    - name: Show access token
      ansible.builtin.debug:
        var: authtoken.json["access_token"]

    - name: Store access token into variable for easier retrieval
      ansible.builtin.set_fact:
        auth_token: "{{ authtoken.json[\"access_token\"] }}"

    - name: Show auth_token
      ansible.builtin.debug:
        var: auth_token

    # Retrieve IDP metadata descriptor and copy the 509 formatted certificate
    # https://ad.{{ domain }}/realms/ONESTEIN.LAN/protocol/saml/descriptor
    - name: Retrieve IDP metadata descriptor to use the 509 formatted certificate
      ansible.builtin.uri:
        url: "{{ keycloak_server_url }}/realms/{{ realm }}/protocol/saml/descriptor"
#       headers:
#         Accept: "application/json"
#         Authorization: "Bearer {{ auth_token }}"
        method: get
        validate_certs: false
        return_content: true
      register: idp_metadata

    - name: Show idp metadata
      ansible.builtin.debug:
        var: idp_metadata

# Please do not go down this road and stay sane...
#   - xml:
#       xmlstring: "{{ idp_metadata.content }}"
#       xpath: /listResponse/instance
#       xpath: /md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate
#       content: attribute
#     register: instance_attributes

    # We are going to save the XML metadate for shell processing
    - name: Save IDP XML metadata to file for processing
      ansible.builtin.copy:
        content: "{{  idp_metadata.content }}"
        dest: /tmp/idp.xml
        mode: '0600'

    # We are going to use a shell command to retrieve the value for X509Certificate
    - name: Run xmlstarlet to retrieve X509Certificate
      ansible.builtin.command:
        cmd: /usr/bin/xmlstarlet sel -t -v //ds:X509Certificate /tmp/idp.xml
      register: xmlstarlet
      changed_when: xmlstarlet.rc != 0 # <- Uses the return code to define when the task has changed.

    - name: Show xmlstarlet
      ansible.builtin.debug:
        var: xmlstarlet

    - name: Store output in certificate variable
      ansible.builtin.set_fact:
        idp_crt: "{{ xmlstarlet.stdout }}"

    - name: Remove first line from tmp files
      ansible.builtin.lineinfile:
        path: "/tmp/{{ item }}"
        regexp: '^-----(BEGIN|END).*-----$'
        state: absent
      loop:
        - sp.crt
        - sp.key

    - name: Retrieve remote ssl cert
      ansible.builtin.command:
        cmd: set -o pipefail && cat  /tmp/sp.crt  |  tr -d '\n'
      register: sp_crt
      changed_when: sp_crt.rc != 0 # <- Uses the return code to define when the task has changed.

    - name: Show sp_cert
      ansible.builtin.debug:
        var: sp_crt

    - name: Retrieve remote ssl key
      ansible.builtin.command:
        cmd: set -o pipefail && cat  /tmp/sp.key  |  tr -d '\n'
      register: sp_key
      changed_when: sp_key.rc != 0 # <- Uses the return code to define when the task has changed.

    - name: Show sp_key
      ansible.builtin.debug:
        var: sp_key

    # Retrieve current list of clients of our type
    # So, this works in curl:
    # curl -k -v -H "Accept: application/json" -H "Authorization: Bearer ${access_token}" "https://ad.{{ domain }}:8443/admin/realms/master/clients" | jq .
    - name: Retrieve current list of clients and search for already existing "{{ nextcloud_client_id }} "
      ansible.builtin.uri:
        url: "{{ keycloak_server_url }}/admin/realms/{{ realm }}/clients?clientId={{ nextcloud_client_id }}"
        headers:
          Accept: "application/json"
          Authorization: "Bearer {{ auth_token }}"
        method: get
        validate_certs: false
      register: existingclient

    - name: Returned json
      ansible.builtin.debug:
        var: existingclient

#   - name: Copy currently existing client definition to backup file in JSON format.
#     copy:
#      content: "{{ existingclient }}"
#      dest: /tmp/nextcloud-original-client-backup.json

    - name: Find ID in returned json
      ansible.builtin.debug:
        var: existingclient.json[0].id

    - name: If it already exists then delete client id  "{{ nextcloud_client_id }}".
      # Example: "id": "ba973624-2d00-488f-8d18-154224c63f8f"
      ansible.builtin.uri:
        url: "{{ keycloak_server_url }}/admin/realms/{{ realm }}/clients/{{ existingclient.json[0].id }}"
        headers:
          Accept: "application/json"
          Authorization: "Bearer {{ auth_token }}"
        method: DELETE
        validate_certs: false
        status_code: 204
      when: existingclient.json[0].id is defined
      register: deleteclient

    - name: Show deleteclient
      ansible.builtin.debug:
        var: deleteclient

    - name: Convert Ninja template to variable
      ansible.builtin.set_fact:
        jsonbody: "{{ lookup('template', 'nextcloud-keycloak-sso.json.j2') }}"

    - name: Show jsonbody
      ansible.builtin.debug:
        var: jsonbody

    - name: For debugging store json var in local file
      ansible.builtin.copy:
        content: "{{ jsonbody }}"
        dest: /tmp/nextcloud-new-client-backup.json
        mode: '0600'

   # Generate the json payload to upload
    - name: Upload JSON template file to create new Client ID on Keycloak server
      ansible.builtin.uri:
        url: "{{ keycloak_server_url }}/admin/realms/{{ realm }}/clients"
        headers:
          Accept: "application/json"
          Authorization: "Bearer {{ auth_token }}" # .json[\"access_token\"]  }}"
        method: POST
        validate_certs: false
        body_format: json
        body: "{{ jsonbody }}"
        status_code: 201
      register: createclientresult

    # Good news! Result contains location of new client id in location
    # Example: "location": "https://ad.{{ domain }}:8443/admin/realms/ONESTEIN.LAN/clients/e01a87cf-537c-441e-b6ee-17f4cd07d92c"
    - name: If all went well we now have a locaton of the newly created Client ID
      ansible.builtin.debug:
        var: createclientresult.location

    ##########################################################################
    # Start of Nexctcloud OCC commands block
    ##########################################################################
    - name: Put a lot of nextcloud OCC commands together in one Ansbible block because they are all become user www-data
      become: true
      become_user: www-data
      become_method: ansible.builtin.sudo
      block:

        - name: "Check if we need to run occ maintenance:install command"
          ansible.builtin.command:
            cmd: php occ list
            chdir: /var/www/html/nextcloud
          register: occ_list
          changed_when: occ_list.rc != 0 # <- Uses the return code to define when the task has changed.

        - name: Installing nextcloud from the command line if first time.
          ansible.builtin.command:
            cmd: "php occ maintenance:install --database pgsql --database-name nextcloud \
                  --database-host 127.0.0.1 --database-port 5432 --database-user nextcloud \
                  --database-pass 'nextcloud' --admin-user admin --admin-pass admin \
                  --admin-email root@localhost.local --data-dir /var/lib/nextcloud"
            chdir: /var/www/html/nextcloud
          when: '"maintenance:install" in occ_list.stdout'
          register: my_output # <- Registers the command output.
          changed_when: my_output.rc != 0 # <- Uses the return code to define when the task has changed.

        - name: Configuring/adding trusted domain nc.{{ domain }}
          ansible.builtin.command:
            cmd: php occ config:system:set trusted_domains 1 --value='nc.{{ domain }}'
            chdir: /var/www/html/nextcloud
          register: my_output # <- Registers the command output.
          changed_when: my_output.rc != 0 # <- Uses the return code to define when the task has changed.

        - name: Enable already installed but default disabled Nextcloud External Storage support
          ansible.builtin.command:
            cmd: php occ app:enable files_external
            chdir: /var/www/html/nextcloud
          register: my_output # <- Registers the command output.
          changed_when: my_output.rc != 0 # <- Uses the return code to define when the task has changed.

        - name: Retrieve list of currently installed apps
          ansible.builtin.command:
            cmd: php occ app:list
            chdir: /var/www/html/nextcloud
          register: app_list
          changed_when: app_list.rc != 0 # <- Uses the return code to define when the task has changed.

        - name: Install and enable all the Nextcloud apps we like
          ansible.builtin.command:
            cmd: php occ app:install "{{ item }}"
            chdir: /var/www/html/nextcloud
          loop:
            - deck
            - user_saml
          # When combining conditionals with a loop, the when: statement is processed separately for each item.
          # This is tested and works.
          when: 'item not in app_list.stdout'
          register: my_output # <- Registers the command output.
          changed_when: my_output.rc != 0 # <- Uses the return code to define when the task has changed.


        # Now start configuring Saml SSO connection to keycloak
        # https://www.muehlencord.de/wordpress/2019/12/14/nextcloud-sso-using-keycloak/
        #
        # Thhis could be useful: https://janikvonrotz.ch/2020/04/21/configure-saml-authentication-for-nextcloud-with-keycloack/
        #
        # In case you lose connection to your nextcloud account, you can try to connect login
        # to http://nextcloud.my.domain/login?direct=1 to login with your admin account again.
        #
        # Make sure some settings are in place
        # occ config:list
        # "user_saml": {
        #       "installed_version": "5.0.2",
        #       "types": "authentication",
        #       "enabled": "yes",
        #       "type": "saml",
        #       "general-require_provisioned_account": "1",
        #       "general-allow_multiple_user_back_ends": "0"

        # If 0 then autocreate users, if 1, then not...
        - name: Configure Only allow authentication if an account exists on some other backend (e.g. LDAP).
          ansible.builtin.command:
            cmd: php occ config:app:set user_saml general-require_provisioned_account --value="0"
            chdir: /var/www/html/nextcloud
          register: my_output # <- Registers the command output.
          changed_when: my_output.rc != 0 # <- Uses the return code to define when the task has changed.

        # Disable this setting (means set it to 1) once Keycloak connection works.
        - name: Configure Allow the use of multiple user back-ends (e.g. LDAP)
          ansible.builtin.command:
            # Yes, I know, a zero to switch it on is weird.
            cmd: php occ config:app:set user_saml general-allow_multiple_user_back_ends --value="1"
            chdir: /var/www/html/nextcloud
          register: my_output # <- Registers the command output.
          changed_when: my_output.rc != 0 # <- Uses the return code to define when the task has changed.

        # Add a new identity provider

        # Start to setup a new identity provider with the following settings

        #  sudo -u www-data php occ saml:config:get
        - name: Dump current saml config to see changes
          ansible.builtin.command:
            cmd: php occ  saml:config:get
            chdir: /var/www/html/nextcloud
          register: my_output # <- Registers the command output.
          changed_when: my_output.rc != 0 # <- Uses the return code to define when the task has changed.

        ##########################################################################
        # After some thought I decided to claim/overwrite saml_user config set 1 !
        ##########################################################################
        # This means we start with deleting entry 1
        - name: Deleting original first saml configuration entry !!!
          ansible.builtin.command:
            cmd: php occ  saml:config:delete 1
            chdir: /var/www/html/nextcloud
          register: my_output # <- Registers the command output.
          changed_when: my_output.rc != 0 # <- Uses the return code to define when the task has changed.

        #    Attribute to map the UID to :  username
        #    Displayname : any name you like : e.g. Keycloak
        #    Name id format : unspecififed
        #    X.509 certificate of the service provider : leave empty for the moment
        #    Private key of the service provider : leave also empty for now
        #    Identifier of the IdP entry : https://keycloak.my.domain/auth/realms/<yourrealm>
        #    URL, Target of the IdP where the SP will send the Authentication Request Message : https://keycloak.my.domain/auth/realms/<yourrealm>/protocol/saml
        #    URL Location of the IdP where the SP will send SLO Request : https://keycloak.my.domain/auth/realms/<yourrealm>/protocol/saml
        #    Public X.509 certificate of the IdP : leave empty
        #
        #    saml:config:set
        #    [--general-idp0_display_name GENERAL-IDP0_DISPLAY_NAME]
        #    [--general-uid_mapping GENERAL-UID_MAPPING]
        #    [--idp-entityId IDP-ENTITYID]
        #    [--idp-singleLogoutService.responseUrl IDP-SINGLELOGOUTSERVICE.RESPONSEURL]
        #    [--idp-singleLogoutService.url IDP-SINGLELOGOUTSERVICE.URL]
        #    [--idp-singleSignOnService.url IDP-SINGLESIGNONSERVICE.URL]
        #    [--idp-x509cert IDP-X509CERT]
        #    [--security-authnRequestsSigned SECURITY-AUTHNREQUESTSSIGNED]
        #    [--security-general SECURITY-GENERAL]
        #    [--security-logoutRequestSigned SECURITY-LOGOUTREQUESTSIGNED]
        #    [--security-logoutResponseSigned SECURITY-LOGOUTRESPONSESIGNED]
        #    [--security-lowercaseUrlencoding SECURITY-LOWERCASEURLENCODING]
        #    [--security-nameIdEncrypted SECURITY-NAMEIDENCRYPTED]
        #    [--security-offer SECURITY-OFFER]
        #    [--security-required SECURITY-REQUIRED]
        #    [--security-signatureAlgorithm SECURITY-SIGNATUREALGORITHM]
        #    [--security-signMetadata SECURITY-SIGNMETADATA]
        #    [--security-sloWebServerDecode SECURITY-SLOWEBSERVERDECODE]
        #    [--security-wantAssertionsEncrypted SECURITY-WANTASSERTIONSENCRYPTED]
        #    [--security-wantAssertionsSigned SECURITY-WANTASSERTIONSSIGNED]
        #    [--security-wantMessagesSigned SECURITY-WANTMESSAGESSIGNED]
        #    [--security-wantNameId SECURITY-WANTNAMEID]
        #    [--security-wantNameIdEncrypted SECURITY-WANTNAMEIDENCRYPTED]
        #    [--security-wantXMLValidation SECURITY-WANTXMLVALIDATION]
        #    [--saml-attribute-mapping-displayName_mapping SAML-ATTRIBUTE-MAPPING-DISPLAYNAME_MAPPING]
        #    [--saml-attribute-mapping-email_mapping SAML-ATTRIBUTE-MAPPING-EMAIL_MAPPING]
        #    [--saml-attribute-mapping-group_mapping SAML-ATTRIBUTE-MAPPING-GROUP_MAPPING]
        #    [--saml-attribute-mapping-home_mapping SAML-ATTRIBUTE-MAPPING-HOME_MAPPING]
        #    [--saml-attribute-mapping-quota_mapping SAML-ATTRIBUTE-MAPPING-QUOTA_MAPPING]
        #    [--sp-x509cert SP-X509CERT]
        #    [--sp-name-id-format SP-NAME-ID-FORMAT]
        #    [--sp-privateKey SP-PRIVATEKEY]
        #    [--output [OUTPUT]] [--] <providerId>
        #
        #  sudo -u www-data php occ saml:config:get
        #  - 1:
        #    - general-uid_mapping: username
        #    - general-idp0_display_name: Keycloak
        #    - sp-x509cert:
        #    - sp-privateKey:
        #    - idp-entityId: https://ad.{{ domain }}/auth/realms/ONESTEIN.LAN
        #    - idp-singleSignOnService.url: https://ad.{{ domain }}/auth/realms/ONESTEIN.LAN/protocol/saml
        #    - idp-singleLogoutService.url: https://ad.{{ domain }}/auth/realms/ONESTEIN.LAN/protocol/saml
        #

        #    - general-idp0_display_name: Keycloak
        #    PLEASE NOTE: No '--value'  to set the value!
        - name: Saml configuration set general-idp0_display_name
          ansible.builtin.command:
            cmd: php occ  saml:config:set --general-idp0_display_name  "Keycloak"   1
            chdir: /var/www/html/nextcloud
          register: my_output # <- Registers the command output.
          changed_when: my_output.rc != 0 # <- Uses the return code to define when the task has changed.

        #    - general-uid_mapping: username
        #    PLEASE NOTE: No '--value'  to set the value!
        - name: Saml configuration set general-uid_mapping
          ansible.builtin.command:
            cmd: php occ  saml:config:set --general-uid_mapping "username"   1
            chdir: /var/www/html/nextcloud
          register: my_output # <- Registers the command output.
          changed_when: my_output.rc != 0 # <- Uses the return code to define when the task has changed.

        # Add mapping of email adres
        # saml-attribute-mapping-email_mapping: email
        - name: Saml configuration set saml-attribute-mapping-email_mapping
          ansible.builtin.command:
            cmd: php occ  saml:config:set --saml-attribute-mapping-email_mapping "email"   1
            chdir: /var/www/html/nextcloud
          register: my_output # <- Registers the command output.
          changed_when: my_output.rc != 0 # <- Uses the return code to define when the task has changed.

        #    - idp-entityId: https://ad.{{ domain }}/realms/ONESTEIN.LAN
        #    https://nextcloud.yourdomain.com/index.php/apps/user_saml/metadata  ?
        #    What is an Entity ID: https://spaces.at.internet2.edu/display/federation/saml-metadata-entityid
        - name: Saml configuration set idp-entityId
          ansible.builtin.command:
  #         cmd: php occ  saml:config:set  --idp-entityId  "{{ nextcloud_server_url }}/index.php/apps/user_saml/metadata" 1
            cmd: php occ  saml:config:set  --idp-entityId  "{{ keycloak_server_url }}/realms/{{ realm }}" 1
  #         cmd: php occ  saml:config:set  --idp-entityId  "{{ nextcloud_client_id }}" 1
            chdir: /var/www/html/nextcloud
          register: my_output # <- Registers the command output.
          changed_when: my_output.rc != 0 # <- Uses the return code to define when the task has changed.

        #    - idp-singleSignOnService.url: https://ad.{{ domain }}/realms/ONESTEIN.LAN/protocol/saml
        # --idp-singleSignOnService.url
        - name: Saml configuration set general-uid_mapping
          ansible.builtin.command:
            cmd: php occ  saml:config:set --idp-singleSignOnService.url "{{ keycloak_server_url }}/realms/{{ realm }}/protocol/saml"   1
            chdir: /var/www/html/nextcloud
          register: my_output # <- Registers the command output.
          changed_when: my_output.rc != 0 # <- Uses the return code to define when the task has changed.

        #    - idp-singleLogoutService.url: https://ad.{{ domain }}/realms/ONESTEIN.LAN/protocol/saml
        # --idp-singleLogoutService.url
        - name: Saml configuration set general-uid_mapping
          ansible.builtin.command:
            cmd: php occ  saml:config:set --idp-singleLogoutService.url  "{{ keycloak_server_url }}/realms/{{ realm }}/protocol/saml"   1
            chdir: /var/www/html/nextcloud
          register: my_output # <- Registers the command output.
          changed_when: my_output.rc != 0 # <- Uses the return code to define when the task has changed.

        # - security-authnRequestsSigned: 1
        - name: Saml configuration set  security-authnRequestsSigned
          ansible.builtin.command:
            cmd: php occ  saml:config:set --security-authnRequestsSigned  "1"   1
            chdir: /var/www/html/nextcloud
          register: my_output # <- Registers the command output.
          changed_when: my_output.rc != 0 # <- Uses the return code to define when the task has changed.

        # - security-logoutRequestSigned: 1
        - name: Saml configuration set security-logoutRequestSigned
          ansible.builtin.command:
            cmd: php occ  saml:config:set --security-logoutRequestSigned  "1"   1
            chdir: /var/www/html/nextcloud
          register: my_output # <- Registers the command output.
          changed_when: my_output.rc != 0 # <- Uses the return code to define when the task has changed.

        # - security-logoutResponseSigned: 1
        - name: Saml configuration set  security-logoutResponseSigned
          ansible.builtin.command:
            cmd: php occ  saml:config:set --security-logoutResponseSigned  "1"   1
            chdir: /var/www/html/nextcloud
          register: my_output # <- Registers the command output.
          changed_when: my_output.rc != 0 # <- Uses the return code to define when the task has changed.

        # - security-wantMessagesSigned: 1
        - name: Saml configuration set security-wantMessagesSigned
          ansible.builtin.command:
            cmd: php occ  saml:config:set --security-wantMessagesSigned  "1"   1
            chdir: /var/www/html/nextcloud
          register: my_output # <- Registers the command output.
          changed_when: my_output.rc != 0 # <- Uses the return code to define when the task has changed.

        # - security-wantAssertionsSigned: 1
  #     - name: Saml configuration set  security-wantAssertionsSigned
  #       shell:
  #         cmd: php occ  saml:config:set --security-wantAssertionsSigned  "1"   1
  #         chdir: /var/www/html/nextcloud


        # sp_certs_not_found_and_required, idp_cert_or_fingerprint_not_found_and_required
        #    [--sp-x509cert SP-X509CERT]
        #    [--sp-privateKey SP-PRIVATEKEY]
        - name: Saml configuration set  sp-x509cert
          ansible.builtin.command:
            cmd: php occ  saml:config:set --sp-x509cert   "{{ sp_crt.stdout }}"   1
            chdir: /var/www/html/nextcloud
          register: my_output # <- Registers the command output.
          changed_when: my_output.rc != 0 # <- Uses the return code to define when the task has changed.

        - name: Saml configuration set sp-privateKey
          ansible.builtin.command:
            cmd: php occ  saml:config:set --sp-privateKey   "{{ sp_key.stdout }}"   1
            chdir: /var/www/html/nextcloud
          register: my_output # <- Registers the command output.
          changed_when: my_output.rc != 0 # <- Uses the return code to define when the task has changed.

        #    [--idp-x509cert IDP-X509CERT]
        - name: Saml configuration set  idp-x509cert
          ansible.builtin.command:
            cmd: php occ  saml:config:set --idp-x509cert   "{{ idp_crt }}"   1
            chdir: /var/www/html/nextcloud
          register: my_output # <- Registers the command output.
          changed_when: my_output.rc != 0 # <- Uses the return code to define when the task has changed.


        - name: Dump current saml config to see changes
          ansible.builtin.command:
            cmd: php occ  saml:config:get
            chdir: /var/www/html/nextcloud
          register: ncconfig
          changed_when: ncconfig.rc != 0 # <- Uses the return code to define when the task has changed.

      ##########################################################################
      # Closing of Nexctcloud OCC commands block
      ##########################################################################

    ##########################################################################
    # End of Nexctcloud OCC commands block
    ##########################################################################

    - name: Dump nextcloud config
      ansible.builtin.debug:
        var: ncconfig

    - name: Post-install message IT IS IMPORTANT TO READ THIS
      ansible.builtin.debug:
        msg: |
          ********************************************************************************************************
          * Nextcloud is installed in /var/www/html/nextcloud.
          * Here you can also find the database config in /var/www/html/nextcloud/config/config.php
          * Nextcloud data is stored in /var/lib/nextcloud.
          * Default login after installation is admin/admin
          * SSO login can be curcumvented by adding '?direct=1' to the url.
          * If all went well, a visit to "{{ nextcloud_server_url }}" will redirect you to
          * "{{ nextcloud_server_url }}"/apps/user_saml/saml/selectUserBackEnd?redirectUrl=.
          * The SSO option is called 'Keycloak'.
          ********************************************************************************************************