nextcloud: Deploy Nextcloud w/ Apache+PHP-FPM

The *nextcloud* role installs Nextcloud from the specified release
archive, downloading it to the control machine first if necessary, and
configures Apache and PHP-FPM to serve it.

The `nextcloud.yml` playbook uses the *cert* role to install the X.509
certificate for the Nextcloud server, sets up Apache HTTPD with the
*apache* role, and installs Nextcloud using the *nextcloud* role.

The host *cloud0.pyrocufflink.blue* is the Nextcloud server for
Pyrocufflink.

roles/nextcloud/defaults/main.yml

@@ -0,0 +1,2 @@
+nextcloud_version: 17.0.0
+nextcloud_archive_sha256: 6081421b33ecdb3130b2bfb2293a3f4045aeb0b471ee570e675de3d931a142a6

roles/nextcloud/handlers/main.yml

@@ -0,0 +1,12 @@
+- name: reload httpd
+  service:
+    name: httpd
+    state: reloaded
+- name: upgrade nextcloud
+  become: true
+  become_user: apache
+  command: php /var/www/html/occ upgrade
+- name: update nextcloud .htaccess
+  become: true
+  become_user: apache
+  command: php /var/www/html/occ maintenance:update:htaccess

roles/nextcloud/tasks/main.yml

@@ -0,0 +1,91 @@
+- name: ensure rpmfusion repo is installed
+  package:
+    name: >-
+      https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-{{ ansible_distribution_version }}.noarch.rpm
+  tags:
+  - install
+
+- name: ensure required packages are installed
+  package:
+    name: '{{ nextcloud_packages }}'
+    state: present
+  tags:
+  - install
+
+- name: ensure nextcloud database user exists
+  become: true
+  become_user: postgres
+  postgresql_user:
+    name: nextcloud
+    password: '{{ nextcloud_db_password }}'
+    state: present
+- name: ensure nextcloud database exists
+  become: true
+  become_user: postgres
+  postgresql_db:
+    name: nextcloud
+    owner: nextcloud
+    state: present
+
+- name: ensure nextcloud installation archive is available
+  become: false
+  delegate_to: localhost
+  get_url:
+    url: '{{ nextcloud_archive_url }}'
+    dest: roles/nextcloud/files/{{ nextcloud_archive_name }}
+    checksum: 'sha256:{{ nextcloud_archive_sha256 }}'
+  tags:
+  - unarchive
+
+- name:  ensure html directory permissions are set
+  file:
+    path: /var/www/html
+    owner: apache
+    group: apache
+    mode: '0755'
+
+- name: ensure nextcloud is installed
+  become: true
+  become_user: apache
+  unarchive:
+    src: '{{ nextcloud_archive_name }}'
+    dest: /var/www/html
+    extra_opts:
+    - --strip-components=1
+  notify:
+  - upgrade nextcloud
+  - update nextcloud .htaccess
+  tags:
+  - install
+  - unarchive
+
+- name: ensure nextcloud data directories exist
+  file:
+    path: /var/www/html/{{ item.name }}
+    owner: apache
+    group: apache
+    mode: '{{ item.mode|d("0755") }}'
+    setype: httpd_sys_rw_content_t
+    state: directory
+  with_items:
+  - name: config
+  - name: custom_apps
+  - name: data
+    mode: '0770'
+
+- name: ensure apache is configured to serve nextcloud
+  template:
+    src: nextcloud.httpd.conf.j2
+    dest: /etc/httpd/conf.d/nextcloud.conf
+    mode: '0644'
+  notify: reload httpd
+
+- name: ensure php-fpm starts at boot
+  service:
+    name: php-fpm
+    enabled: true
+
+- name: ensure php-fpm service is running
+  service:
+    name: php-fpm
+    state: started

roles/nextcloud/templates/nextcloud.httpd.conf.j2

@@ -0,0 +1,16 @@
+RewriteEngine On
+RewriteCond %{HTTPS} !on
+RewriteRule /.* https://%{SERVER_NAME}$0
+
+Header always set \
+	Strict-Transport-Security "max-age=63072000; includeSubDomains"
+
+<Directory /var/www/html>
+Require all granted
+AllowOverride All
+Options FollowSymLinks MultiViews
+
+<IfModule mod_dav.c>
+Dav off
+</IfModule>
+</Directory>

roles/nextcloud/vars/main.yml

@@ -0,0 +1,25 @@
+nextcloud_packages:
+- bzip2
+- ffmpeg
+- php
+- php-fpm
+- php-gd
+- php-gmp
+- php-intl
+- php-json
+- php-ldap
+- php-mbstring
+- php-opcache
+- php-pdo
+- php-pecl-apcu
+- php-pecl-imagick
+- php-pecl-zip
+- php-pgsql
+- php-process
+- php-smbclient
+- php-xml
+- python3-psycopg2
+- tar
+nextcloud_archive_name: nextcloud-{{ nextcloud_version }}.tar.bz2
+nextcloud_archive_url: >-
+ https://download.nextcloud.com/server/releases/{{ nextcloud_archive_name }}