nextcloud: enforce OIDC-only config

2026-01-07 00:03:57 -03:00 · 2026-01-07 00:03:57 -03:00 · 16dc0e16f1
commit 16dc0e16f1
parent 9d9aa5b64b
1 changed files with 19 additions and 0 deletions
--- a/services/nextcloud/deployment.yaml
+++ b/services/nextcloud/deployment.yaml
@ -65,6 +65,14 @@ spec:
              fi
              installed="$(su -s /bin/sh www-data -c "php /var/www/html/occ status" 2>/dev/null | awk '/installed:/{print $3}' || true)"
              if [ "${installed}" = "true" ]; then
+                configure_oidc() {
+                  su -s /bin/sh www-data -c "php /var/www/html/occ config:system:set oidc_login_provider_url --value='https://sso.bstein.dev/realms/atlas'"
+                  su -s /bin/sh www-data -c "php /var/www/html/occ config:system:set oidc_login_client_id --value='${OIDC_CLIENT_ID}'"
+                  su -s /bin/sh www-data -c "php /var/www/html/occ config:system:set oidc_login_client_secret --value='${OIDC_CLIENT_SECRET}'"
+                  su -s /bin/sh www-data -c "php /var/www/html/occ config:system:set oidc_login_auto_redirect --type=boolean --value=true"
+                  su -s /bin/sh www-data -c "php /var/www/html/occ config:system:set oidc_login_hide_password_form --type=boolean --value=true"
+                  su -s /bin/sh www-data -c "php /var/www/html/occ config:system:set oidc_login_disable_registration --type=boolean --value=true"
+                }
                ensure_mime_defaults() {
                  cfg_dir="/var/www/html/resources/config"
                  mkdir -p "${cfg_dir}"
@ -92,6 +100,7 @@ spec:
                install_app oidc_login https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v3.2.2/oidc_login.tar.gz
                install_app external https://github.com/nextcloud-releases/external/releases/download/v5.4.1/external-v5.4.1.tar.gz
                install_app mail https://github.com/nextcloud-releases/mail/releases/download/v3.7.24/mail-stable3.7.tar.gz
+                configure_oidc
              fi
          env:
            - name: POSTGRES_HOST
@ -121,6 +130,16 @@ spec:
                secretKeyRef:
                  name: nextcloud-admin
                  key: admin-password
+            - name: OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: nextcloud-oidc
+                  key: client-id
+            - name: OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: nextcloud-oidc
+                  key: client-secret
          volumeMounts:
            - name: nextcloud-data
              mountPath: /var/www/html