Post-Tyranny-Tech-Infrastructure/ansible/roles/nextcloud/tasks/oidc.yml

---
# OIDC/SSO integration tasks for Nextcloud with Zitadel

- name: Check if user_oidc app is installed
  shell: docker exec -u www-data nextcloud php occ app:list --output=json
  register: nextcloud_apps
  changed_when: false

- name: Parse installed apps
  set_fact:
    user_oidc_installed: "{{ 'user_oidc' in (nextcloud_apps.stdout | from_json).enabled }}"

- name: Install user_oidc app
  shell: docker exec -u www-data nextcloud php occ app:install user_oidc
  when: not user_oidc_installed
  register: oidc_install
  changed_when: "'installed' in oidc_install.stdout"

- name: Enable user_oidc app
  shell: docker exec -u www-data nextcloud php occ app:enable user_oidc
  when: not user_oidc_installed

- name: Check if OIDC provider is already configured
  shell: docker exec -u www-data nextcloud php occ user_oidc:provider
  register: oidc_providers
  changed_when: false
  failed_when: false

- name: Configure OIDC provider if credentials are available
  shell: |
    docker exec -u www-data nextcloud php occ user_oidc:provider:add \
      --clientid="{{ nextcloud_oidc_client_id }}" \
      --clientsecret="{{ nextcloud_oidc_client_secret }}" \
      --discoveryuri="https://{{ zitadel_domain }}/.well-known/openid-configuration" \
      "Zitadel"
  when:
    - nextcloud_oidc_client_id is defined
    - nextcloud_oidc_client_secret is defined
    - "'Zitadel' not in oidc_providers.stdout"
  register: oidc_config
  changed_when: "'Provider Zitadel has been created' in oidc_config.stdout"

- name: Display OIDC status
  debug:
    msg: |
      {% if nextcloud_oidc_client_id is defined %}
      OIDC SSO fully configured!
      Users can login with Zitadel credentials at: https://{{ nextcloud_domain }}
      {% else %}
      OIDC app installed but not yet configured.
      OIDC credentials will be configured automatically by Zitadel role.
      {% endif %}