nextcloud: Deploy Nextcloud w/ Apache+PHP-FPM

The *nextcloud* role installs Nextcloud from the specified release archive, downloading it to the control machine first if necessary, and configures Apache and PHP-FPM to serve it. The `nextcloud.yml` playbook uses the *cert* role to install the X.509 certificate for the Nextcloud server, sets up Apache HTTPD with the *apache* role, and installs Nextcloud using the *nextcloud* role. The host *cloud0.pyrocufflink.blue* is the Nextcloud server for Pyrocufflink.
2020-01-18 12:17:12 -06:00 · 2020-01-18 12:17:12 -06:00 · b09bf84a3b
parent 2aaf8c5239
commit b09bf84a3b
10 changed files with 183 additions and 0 deletions
--- a/group_vars/nextcloud.yml
+++ b/group_vars/nextcloud.yml
@ -0,0 +1,8 @@
+nextcloud_server_name: nextcloud.pyrocufflink.net
+apache_server_name: '{{ nextcloud_server_name }}'
+pg_hba_extra:
+- type: host
+  database: nextcloud
+  user: nextcloud
+  address: ::1/128
+  method: md5
--- a/7
+++ b/7
@ -65,9 +65,15 @@ koji0.pyrocufflink.blue
 [named-server:children]
 pyrocufflink-dns

+[nextcloud]
+cloud0.pyrocufflink.blue
+
 [ntpd]
 dc0.pyrocufflink.blue

+[postgresql]
+cloud0.pyrocufflink.blue
+
 [public-web]
 web0.pyrocufflink.blue

@ -76,6 +82,7 @@ build0-amd64.pyrocufflink.blue
 burp0.pyrocufflink.blue
 burp1.pyrocufflink.blue
 bw0.pyrocufflink.blue
+cloud0.pyrocufflink.blue
 dc0.pyrocufflink.blue
 dns0.pyrocufflink.blue
 file0.pyrocufflink.blue
--- a/nextcloud.yml
+++ b/nextcloud.yml
@ -0,0 +1,11 @@
+- hosts: nextcloud
+  vars_files:
+  - vault/nextcloud
+  roles:
+  - role: cert
+    cert_src: lego/_.pyrocufflink.net.crt
+    cert_dest: '{{ apache_ssl_certificate }}'
+    cert_key_src: lego/_.pyrocufflink.net.key
+    cert_key_dest: '{{ apache_ssl_certificate_key }}'
+  - apache
+  - nextcloud
--- a/roles/nextcloud/defaults/main.yml
+++ b/roles/nextcloud/defaults/main.yml
@ -0,0 +1,2 @@
+nextcloud_version: 17.0.0
+nextcloud_archive_sha256: 6081421b33ecdb3130b2bfb2293a3f4045aeb0b471ee570e675de3d931a142a6
--- a/roles/nextcloud/handlers/main.yml
+++ b/roles/nextcloud/handlers/main.yml
@ -0,0 +1,12 @@
+- name: reload httpd
+  service:
+    name: httpd
+    state: reloaded
+- name: upgrade nextcloud
+  become: true
+  become_user: apache
+  command: php /var/www/html/occ upgrade
+- name: update nextcloud .htaccess
+  become: true
+  become_user: apache
+  command: php /var/www/html/occ maintenance:update:htaccess
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
@ -0,0 +1,91 @@
+- name: ensure rpmfusion repo is installed
+  package:
+    name: >-
+      https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-{{ ansible_distribution_version }}.noarch.rpm
+  tags:
+  - install
+
+- name: ensure required packages are installed
+  package:
+    name: '{{ nextcloud_packages }}'
+    state: present
+  tags:
+  - install
+
+- name: ensure nextcloud database user exists
+  become: true
+  become_user: postgres
+  postgresql_user:
+    name: nextcloud
+    password: '{{ nextcloud_db_password }}'
+    state: present
+- name: ensure nextcloud database exists
+  become: true
+  become_user: postgres
+  postgresql_db:
+    name: nextcloud
+    owner: nextcloud
+    state: present
+
+- name: ensure nextcloud installation archive is available
+  become: false
+  delegate_to: localhost
+  get_url:
+    url: '{{ nextcloud_archive_url }}'
+    dest: roles/nextcloud/files/{{ nextcloud_archive_name }}
+    checksum: 'sha256:{{ nextcloud_archive_sha256 }}'
+  tags:
+  - unarchive
+
+- name:  ensure html directory permissions are set
+  file:
+    path: /var/www/html
+    owner: apache
+    group: apache
+    mode: '0755'
+
+- name: ensure nextcloud is installed
+  become: true
+  become_user: apache
+  unarchive:
+    src: '{{ nextcloud_archive_name }}'
+    dest: /var/www/html
+    extra_opts:
+    - --strip-components=1
+  notify:
+  - upgrade nextcloud
+  - update nextcloud .htaccess
+  tags:
+  - install
+  - unarchive
+
+- name: ensure nextcloud data directories exist
+  file:
+    path: /var/www/html/{{ item.name }}
+    owner: apache
+    group: apache
+    mode: '{{ item.mode|d("0755") }}'
+    setype: httpd_sys_rw_content_t
+    state: directory
+  with_items:
+  - name: config
+  - name: custom_apps
+  - name: data
+    mode: '0770'
+
+- name: ensure apache is configured to serve nextcloud
+  template:
+    src: nextcloud.httpd.conf.j2
+    dest: /etc/httpd/conf.d/nextcloud.conf
+    mode: '0644'
+  notify: reload httpd
+
+- name: ensure php-fpm starts at boot
+  service:
+    name: php-fpm
+    enabled: true
+
+- name: ensure php-fpm service is running
+  service:
+    name: php-fpm
+    state: started
--- a/roles/nextcloud/templates/nextcloud.httpd.conf.j2
+++ b/roles/nextcloud/templates/nextcloud.httpd.conf.j2
@ -0,0 +1,16 @@
+RewriteEngine On
+RewriteCond %{HTTPS} !on
+RewriteRule /.* https://%{SERVER_NAME}$0
+
+Header always set \
+	Strict-Transport-Security "max-age=63072000; includeSubDomains"
+
+<Directory /var/www/html>
+Require all granted
+AllowOverride All
+Options FollowSymLinks MultiViews
+
+<IfModule mod_dav.c>
+Dav off
+</IfModule>
+</Directory>
--- a/roles/nextcloud/vars/main.yml
+++ b/roles/nextcloud/vars/main.yml
@ -0,0 +1,25 @@
+nextcloud_packages:
+- bzip2
+- ffmpeg
+- php
+- php-fpm
+- php-gd
+- php-gmp
+- php-intl
+- php-json
+- php-ldap
+- php-mbstring
+- php-opcache
+- php-pdo
+- php-pecl-apcu
+- php-pecl-imagick
+- php-pecl-zip
+- php-pgsql
+- php-process
+- php-smbclient
+- php-xml
+- python3-psycopg2
+- tar
+nextcloud_archive_name: nextcloud-{{ nextcloud_version }}.tar.bz2
+nextcloud_archive_url: >-
+ https://download.nextcloud.com/server/releases/{{ nextcloud_archive_name }}
--- a/roles/ssh-hostkeys/files/ssh_known_hosts
+++ b/roles/ssh-hostkeys/files/ssh_known_hosts
@ -13,6 +13,9 @@ burp1.pyrocufflink.blue ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCoHG7YZ0bQ3vvjmpUI
 bw0.pyrocufflink.blue ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFhC0Lu+6oNiMYQ3bALQ0L4erepswgYalGW/spbd4UJ/t1GaHx1xGKmwrIqJ/+IGULEEHyO9Ldz5PmMTTmdh7Ms=
 bw0.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKQJvmcowUDnqJ8wKwreKNsd43g0Az0heAWRmSxG/sl9
 bw0.pyrocufflink.blue ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4C69f0KJe32ZReE9FE7jZwzbPiuBnIop+f4Redo5KtOAHSd6qNpR6+ZCImgdEV+DlxC8UFRa5kqVg6jD4niGQl2p1/07c/G7b/uSKpSp5HvmBKWOiqVVfqnZcHUJC6fhTWaNqvp6zbtV8LbdTE/oStI06qKpCrUsoROHaek2zS0KznGk/UMOIiSS32XZbZKzwTSaL9LPIvugnv7HnkHHWl/IAC5vG7BXSLJLRksjS/4X8CWnYbOJB3wUt8oq1rNfD19LqFnqGUYmp3w8jk7Z6yJUdNKqWMihoV8z4HnqJ9KSGlfGMG/Tx691DXzXRXSQWiPTcZhBl8SET2NV2xEO5
+cloud0.pyrocufflink.blue ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIdqy2vDbPHBHznTnngNoxruf2+zK2mxs+uNctc6TT3GDCLEvaSBaP6a8lp2fIxyuK/KxmROSmSwkNNvzy/reuQ=
+cloud0.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJWCsUW0cQuRUqvnRIFfdx6qFaDOHk63x/jVyhbmw8oY
+cloud0.pyrocufflink.blue ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDFtfj3I5+gvUHgLn09hYXeOV2s/AHX4ye8NT2lrqI9e5UxGP43XaJbnI16PLVY91HxJ5uRK/bMzdg6M9XuLUG6fHLm4z/tcXGpvib1hc0YNi8Yjr14if0mAjYxKB6PJQf7/JcS5KBW8VJH5SD8nylFLQJuTWdf9vDDWsyB7Xtd/sEp0IG/pVQS4mssvWXakDSMoAQZGBu+TAlh8B5Ih7s+gGoCrOGgGhp8odVLfP2NbiQ/W3C3agDo+K5OyHNMdLoNKq7c3xECibSuZe21zNAuOLgE94K0T8LbHiTKpbLUertVCggCbDuWqbjLLbN7uonykvODPjoxEPZdebEnngj7j9A8TIn+DRrvqvqQGyjB3B7bHOr5K0B4aine4m6zTAFMjY8hU70XkkZFeII4KtNbhZCCH6Nz0e/1AdcdTZcAkXRRmBHIdaT36D8YJs06PBhCDxGEUCUQ09M2060gpy6gdUGE9H4U3iztCWUYS1AloZD73m+RHuyNhSRAiSkb/SM=
 cm0.pyrocufflink.blue ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJu4U5OdSbCXwofCCeejxEv5ia4YgzUYI01aXy1cDp9GcndmmwZl0NHbF815G98YK3O16Kv4nTV4IEUF7JJu0/s=
 cm0.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICb5SUiJ3yFQlXlqmxV18ZrfFD1z1/Nov2IJG9Y2snUd
 cm0.pyrocufflink.blue ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC07DmchhYaGlFpawpS2hswPKioVlPkLObalQ3jx/TTENu2sLNcBUzVR6y2H82EnWOjnHDOYwdKPbHjjFtOQTr8wYJlOpw75v2DesUmvn8aPhz8XMKO4M9HuwPvgo6ybc9r+VEQgm3H9LLCDSMojkkO04T0KGuAyUfV2kYnLWzjclyUXgYGNqnmHatEn1WAU8olKkyP+CImvQTctisIF9rJotBNV+f4UO7NvioaieUyBCoWlHBGUMI18m12zaoItaMoV8WHlksXoQek9EWrioC/W51nFusDr1Cwmtwz/20mtiiYn5upUz0MtEc8FFvAk7jlpFPAB1dGZMPyLXaWHKjJ
--- a/vault/nextcloud
+++ b/vault/nextcloud
@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.1;AES256
+66373432366362303731363866636266313635656637303139383061396236333030633937373461
+3538616535343334663937663532303764333737653536330a616464346532616433336632313037
+66356437353766336563336139353462653162333035653833656466373639373965333932376165
+3336393133393061330a336661323761316536636262303934363038303239653235653535663236
+63656332656162613935343530316465366462363039663638616561373437666431373261653635
+64346138323065396536333335323931333034346337353337653865663830653539623466333738
+653931666565333264316635663235353537