nextcloud: use WebAuthN instead of native support

The native support allows for passwordless login, but we'd rather prompt for password before verifying with WebAuthN device as second factor. status-im/infra-office#9 (comment) Signed-off-by: Jakub Sokołowski <[email protected]>
status-im · Mar 25, 2022 · 5afbc3b · 5afbc3b
1 parent e2a2b1f
commit 5afbc3b
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 2 deletions.
diff --git a/ansible/group_vars/nextcloud.yml b/ansible/group_vars/nextcloud.yml
@@ -24,10 +24,13 @@ nextcloud_enabled_apps:
   - sociallogin
   - spreed
   - twofactor_totp
-  - twofactor_u2f
+  - twofactor_webauthn
 nextcloud_disabled_apps:
   - tasks
   - integration_whiteboard
+  - twofactor_u2f
+# This allows for passwordless login.
+nextcloud_webauthn_native_enaled: false
 # OAuth
 nextcloud_oauth_enabled: true
 nextcloud_oauth_name: 'Keycloak'

diff --git a/ansible/roles/nextcloud/defaults/main.yml b/ansible/roles/nextcloud/defaults/main.yml
@@ -28,6 +28,7 @@ nextcloud_admin_password: 'changeMeIfYouCare'
 # Apps
 nextcloud_enabled_apps: []
 nextcloud_disabled_apps: []
+nextcloud_webauthn_native_enaled: true
 # Oauth
 nextcloud_oauth_enabled: false
 #nextcloud_oauth_name: 'Keycloak'

diff --git a/ansible/roles/nextcloud/templates/config.php.j2 b/ansible/roles/nextcloud/templates/config.php.j2
@@ -4,7 +4,7 @@ $CONFIG = [
   'version' => '23.0.0.10',
   'installed' => true,
   /* AUTH */
-  'auth.webauthn.enabled' => true,
+  'auth.webauthn.enabled' => {{ nextcloud_webauthn_native_enaled | to_json }},
   /* ENCRYPTION */
   /* WARNING: All three have to be present and the same */
   'instanceid' => '{{ nextcloud_instance_id | mandatory }}',