From c78cff820093d93865e74437e11b6d16e3c94919 Mon Sep 17 00:00:00 2001
From: "Andreas B. Mundt"
Date: Mon, 16 Mar 2020 19:43:42 +0100
Subject: [PATCH] Move kerberos integration to the end of tasks.

---
 roles/nextcloud/files/krb5-nextcloud.conf | 2 +-
 roles/nextcloud/tasks/main.yml | 70 +++++++++++++++++------
 2 files changed, 55 insertions(+), 17 deletions(-)

diff --git a/roles/nextcloud/files/krb5-nextcloud.conf b/roles/nextcloud/files/krb5-nextcloud.conf
index 9ccb2ab..89415e9 100644
--- a/roles/nextcloud/files/krb5-nextcloud.conf
+++ b/roles/nextcloud/files/krb5-nextcloud.conf
@@ -7,5 +7,5 @@
 GssapiUseSessions On
 GssapiNegotiateOnce On
 GssapiBasicAuth On
- require valid-user
+ Require valid-user
diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml
index e620a54..61d43de 100644
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
@@ -101,26 +101,12 @@
 dest: /etc/apache2/sites-available/nextcloud.conf
 notify: "restart apache2"
-- name: provide kerberos SSO config copy: src: krb5-nextcloud.conf dest: /etc/apache2/sites-available/krb5-nextcloud.conf when: "'kerberize' in role_names" notify: "restart apache2"
 - name: enable nextcloud site command: a2ensite nextcloud.conf args: creates: /etc/apache2/sites-enabled/nextcloud.conf notify: "restart apache2"
-- name: enable kerberos access to nextcloud site command: a2ensite krb5-nextcloud.conf args: creates: /etc/apache2/sites-enabled/krb5-nextcloud.conf notify: "restart apache2" when: "'kerberize' in role_names"
 - name: enable https shell: 'grep -q "VirtualHost .*:443" * || a2ensite default-ssl.conf' args: 
@@ -293,10 +279,62 @@
 command: "firewall-offline-cmd --add-service=https"
 when: run_in_installer|default(false)|bool
+#################################################################
+## kerberox integration:
+
+- name: install libapache2-mod-auth-gssapi
+ apt:
+ name: libapache2-mod-auth-gssapi
+ state: latest
+ when: "'kerberize' in role_names"
+ notify: "restart apache2"
+
+- name: copy keytab for www-data
+ copy:
+ src: /etc/krb5.keytab
+ dest: /etc/krb5.keytab.http
+ group: www-data
+ mode: "0640"
+ remote_src: yes
+ force: no
+ when: "'kerberize' in role_names"
+ notify: "restart apache2"
+
+- name: provide kerberos SSO config
+ copy:
+ src: krb5-nextcloud.conf
+ dest: /etc/apache2/sites-available/krb5-nextcloud.conf
+ when: "'kerberize' in role_names"
+ notify: "restart apache2"
+
+- name: enable kerberos access to nextcloud site
+ command: a2ensite krb5-nextcloud.conf
+ args:
+ creates: /etc/apache2/sites-enabled/krb5-nextcloud.conf
+ notify: "restart apache2"
+ when: "'kerberize' in role_names"
+
+- name: allow https in firewalld
+ firewalld:
+ zone: internal
+ service: https
+ permanent: Yes
+ immediate: Yes
+ state: enabled
+ when: not run_in_installer|default(false)|bool and 'kerberize' in role_names
+
+- name: allow https in firewalld, offline
+ command: "firewall-offline-cmd --add-service=https --zone=internal"
+ when: run_in_installer|default(false)|bool and 'kerberize' in role_names
+
+- name: allow access from kerberized LAN
+ command: sudo -u www-data php ./occ config:system:set trusted_domains 2 --value='{{ ansible_hostname }}.{{ ansible_domain }}'
+ args:
+ chdir: "{{ nc_dir }}"
+ warn: False
+ when: not nextcloud.stat.exists and 'kerberize' in role_names
-## ToDo kerberox integration:
 # sudo -u www-data php ./occ app:enable user_ldap
 # sudo -u www-data php ./occ app:install user_saml
- # sudo -u www-data php ./occ ldap