Move content from htaccess file to site config. Separate krb5 config.

roles/nextcloud/files/htaccess

@@ -1,8 +0,0 @@
-<IfModule mod_rewrite.c>
-  RewriteEngine on
-  RewriteRule ^\.well-known/host-meta /nextcloud/public.php?service=host-meta [QSA,L]
-  RewriteRule ^\.well-known/host-meta\.json /nextcloud/public.php?service=host-meta-json [QSA,L]
-  RewriteRule ^\.well-known/webfinger /nextcloud/public.php?service=webfinger [QSA,L]
-  RewriteRule ^\.well-known/carddav /nextcloud/remote.php/dav/ [R=301,L]
-  RewriteRule ^\.well-known/caldav /nextcloud/remote.php/dav/ [R=301,L]
-</IfModule>

roles/nextcloud/files/krb5-nextcloud.conf

@@ -1,5 +1,3 @@
-Alias /nextcloud "/var/www/nextcloud/"
-
 <Location "/nextcloud/index.php/apps/user_saml/saml/login" >
   AuthType             GSSAPI
   AuthName             "Login to NextCloud"
@@ -11,25 +9,3 @@ Alias /nextcloud "/var/www/nextcloud/"
   GssapiBasicAuth      On
   require              valid-user
 </Location>
-
-<Directory /var/www/nextcloud/>
-  Require all granted
-  Options FollowSymlinks MultiViews
-  AllowOverride All
-
-  <IfModule mod_dav.c>
-    Dav off
-  </IfModule>
-
-  SetEnv HOME /var/www/nextcloud
-  SetEnv HTTP_HOME /var/www/nextcloud
-
-</Directory>
-
-<Directory /var/www/html>
-  AllowOverride FileInfo
-</Directory>
-
-<IfModule mod_headers.c>
-  Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
-</IfModule>

roles/nextcloud/files/nextcloud.conf

@@ -1,6 +1,6 @@
-Alias /nextcloud "/var/www/nextcloud/"
+Alias /nextcloud "/var/www/nextcloud"
 
-<Directory /var/www/nextcloud/>
+<Directory /var/www/nextcloud>
   Require all granted
   Options FollowSymlinks MultiViews
   AllowOverride All
@@ -11,11 +11,17 @@ Alias /nextcloud "/var/www/nextcloud/"
 
   SetEnv HOME /var/www/nextcloud
   SetEnv HTTP_HOME /var/www/nextcloud
-
 </Directory>
 
 <Directory /var/www/html>
-  AllowOverride FileInfo
+  <IfModule mod_rewrite.c>
+    RewriteEngine on
+    RewriteRule ^\.well-known/host-meta /nextcloud/public.php?service=host-meta [QSA,L]
+    RewriteRule ^\.well-known/host-meta\.json /nextcloud/public.php?service=host-meta-json [QSA,L]
+    RewriteRule ^\.well-known/webfinger /nextcloud/public.php?service=webfinger [QSA,L]
+    RewriteRule ^\.well-known/carddav /nextcloud/remote.php/dav/ [R=301,L]
+    RewriteRule ^\.well-known/caldav /nextcloud/remote.php/dav/ [R=301,L]
+  </IfModule> 
 </Directory>
 
 <IfModule mod_headers.c>

roles/nextcloud/tasks/main.yml

@@ -75,16 +75,13 @@
   copy:
     src: nextcloud.conf
     dest: /etc/apache2/sites-available/nextcloud.conf
+  notify: "restart apache2"
 
-- name: provide htaccess file
+- name: provide kerberos SSO config
   copy:
-    src: htaccess
-    dest: /var/www/html/.htaccess
-
-- name: enable https
-  command: a2ensite default-ssl.conf
-  args:
-    creates: /etc/apache2/sites-enabled/default-ssl.conf
+    src: krb5-nextcloud.conf
+    dest: /etc/apache2/sites-available/krb5-nextcloud.conf
+  when: "'kerberize' in role_names"
   notify: "restart apache2"
 
 - name: enable nextcloud site
@@ -93,6 +90,19 @@
     creates: /etc/apache2/sites-enabled/nextcloud.conf
   notify: "restart apache2"
 
+- name: enable kerberos access to nextcloud site
+  command: a2ensite krb5-nextcloud.conf
+  args:
+    creates: /etc/apache2/sites-enabled/krb5-nextcloud.conf
+  notify: "restart apache2"
+  when: "'kerberize' in role_names"
+
+- name: enable https
+  command: a2ensite default-ssl.conf
+  args:
+    creates: /etc/apache2/sites-enabled/default-ssl.conf
+  notify: "restart apache2"
+
 - name: make sure data directory exists
   file:
     path: "{{ data_dir }}"