Automated Nextcloud installation

README.md

@@ -10,6 +10,7 @@ and services operated by Free I.T. Athens (FRITA).
 3. Go to
     - [Traefik Dashboard](https://traefik.local.freeitathens.org:8443/dashboard/#/)
     - [WordPress](https://www.local.freeitathens.org)
+    - [Nextcloud](https://cloud.local.freeitathens.org)
 4. Click through the HTTPS security warning
 
 ## Production

Vagrantfile

@@ -24,11 +24,19 @@ Vagrant.configure("2") do |config|
   config.vm.define :frita do |frita| #
   end
 
-  # Disable Machine Name Prefix
+  # Set libvirt settings
   config.vm.provider :libvirt do |libvirt|
+    libvirt.cpus = 2
+    libvirt.memory = 4096
     libvirt.default_prefix = ""
   end
 
+  # Set VirtualBox settings
+  config.vm.provider "virtualbox" do |vbox|
+    vbox.cpus = 2
+    vbox.memory = 4096
+  end
+
   # Provision with Ansible
   config.vm.provision "ansible" do |ansible|
     ENV['ANSIBLE_ROLES_PATH'] = File.dirname(__FILE__) + "/roles"

dev/vars/webserver.yml

@@ -1,9 +1,12 @@
 ###############
 ### Secrets ###
 ###############
+# These are sample public passwords not encrypted in Ansible Vault, unlike production
 secret:
-  WORDPRESS_DB_PASSWORD: WPpa55w0rd!
   TRAEFIK_DREAMHOST_APIKEY: DHap1pa55w0rd!
+  WORDPRESS_DB_PASSWORD: WPpa55w0rd!
+  NEXTCLOUD_MYSQL_PASSWORD: NCdbpa55w0rd!
+  NEXTCLOUD_ADMIN_PASSWORD: NCadm1npa55w0rd!
 
 ##############
 ### Docker ###
@@ -17,6 +20,8 @@ docker_users:
 databases:
   - name: wordpress
     pass: "{{ secret.WORDPRESS_DB_PASSWORD }}"
+  - name: nextcloud
+    pass: "{{ secret.NEXTCLOUD_MYSQL_PASSWORD }}"
 
 #######################
 ### Webserver Stack ###
@@ -34,7 +39,7 @@ webserver:
   TRAEFIK_DEBUG: true
   TRAEFIK_ACME_PROVIDER: dreamhost
   TRAEFIK_ACME_CASERVER: https://localhost/directory
-  TRAEFIK_ACME_EMAIL: frita@example.org
+  TRAEFIK_ACME_EMAIL: admin@example.org
   TRAEFIK_DREAMHOST_APIKEY: "{{ secret.TRAEFIK_DREAMHOST_APIKEY }}"
 
   #################
@@ -45,4 +50,18 @@ webserver:
   #WORDPRESS_DB_HOST: host.docker.internal
   #WORDPRESS_DB_NAME: wordpress
   #WORDPRESS_DB_USER: wordpress
+  #WORDPRESS_WEB_ENABLED: true
   WORDPRESS_DB_PASSWORD: "{{ secret.WORDPRESS_DB_PASSWORD }}"
+
+  #################
+  ### Nextcloud ###
+  #################
+  #NEXTCLOUD_VERSION: stable
+  #NEXTCLOUD_DOMAIN: cloud.local.freeitathens.org
+  #NEXTCLOUD_MYSQL_HOST: host.docker.internal
+  #NEXTCLOUD_MYSQL_DATABASE: nextcloud
+  #NEXTCLOUD_MYSQL_USER: nextcloud
+  #NEXTCLOUD_WEB_ENABLED: true
+  #NEXTCLOUD_ADMIN: admin
+  NEXTCLOUD_ADMIN_PASSWORD: "{{ secret.NEXTCLOUD_ADMIN_PASSWORD }}"
+  NEXTCLOUD_MYSQL_PASSWORD: "{{ secret.NEXTCLOUD_MYSQL_PASSWORD }}"

roles/common/tasks/main.yml

@@ -5,7 +5,7 @@
     mode: 0700
 
 - name: Install useful software
-  apt:
+  ansible.builtin.apt:
     name: "{{ packages }}"
     state: present
     update_cache: true

roles/webserver/defaults/main.yml

@@ -1,4 +1,5 @@
 webserver_root: "{{ docker_compose_root }}/webserver"
+nextcloud_autoinstall: true
 mariadb_trust:
   - "172.16.0.0/12"
   - "192.168.0.0/16"

roles/webserver/files/docker-compose.yml

@@ -2,6 +2,7 @@ version: '3.5'
 
 volumes:
   wordpress:
+  nextcloud:
 
 networks:
   traefik:
@@ -26,7 +27,7 @@ services:
       - --certificatesresolvers.letsencrypt.acme.email=${TRAEFIK_ACME_EMAIL}
       - --certificatesresolvers.letsencrypt.acme.storage=/etc/letsencrypt/acme.json
       - --certificatesresolvers.letsencrypt.acme.dnschallenge=true
-      - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=${TRAEFIK_ACME_PROVIDER}
+      - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=${TRAEFIK_ACME_PROVIDER:-manual}
       - --certificatesresolvers.letsencrypt.acme.dnschallenge.delaybeforecheck=0
       - --certificatesresolvers.letsencrypt.acme.caserver=${TRAEFIK_ACME_CASERVER:-https://acme-staging-v02.api.letsencrypt.org/directory}
     environment:
@@ -78,3 +79,32 @@ services:
       - traefik
     extra_hosts:
       - host.docker.internal:host-gateway
+
+  nextcloud:
+    image: nextcloud:${NEXTCLOUD_VERSION:-stable}
+    restart: always
+    environment:
+      MYSQL_HOST: ${NEXTCLOUD_MYSQL_HOST:-host.docker.internal:3306}
+      MYSQL_DATABASE: ${NEXTCLOUD_MYSQL_DATABASE-nextcloud}
+      MYSQL_USER: ${NEXTCLOUD_MYSQL_USER:-nextcloud}
+      MYSQL_PASSWORD: ${NEXTCLOUD_MYSQL_PASSWORD}
+    labels:
+      traefik.http.routers.nextcloud.rule: "Host(`${NEXTCLOUD_DOMAIN:-cloud.local.freeitathens.org}`)"
+      traefik.http.routers.nextcloud.entrypoints: websecure
+      traefik.http.routers.nextcloud.tls: true
+      traefik.http.routers.nextcloud.tls.certresolver: letsencrypt
+      traefik.http.routers.nextcloud.tls.domains[0].main: ${TRAEFIK_ACME_DOMAIN_MAIN:-local.freeitathens.org}
+      traefik.http.routers.nextcloud.tls.domains[0].sans: "${TRAEFIK_ACME_DOMAIN_SANS:-*.local.freeitathens.org}"
+      traefik.http.services.nextcloud.loadbalancer.server.port: 80
+      traefik.http.middlewares.nextcloud-webdav.redirectregex.regex: "https://(.*)/.well-known/(card|cal)dav"
+      traefik.http.middlewares.nextcloud-webdav.redirectregex.replacement: "https://$${1}/remote.php/dav/"
+      traefik.http.middlewares.nextcloud-webdav.redirectregex.permanent: true
+      traefik.http.routers.nextcloud.middlewares: nextcloud-webdav
+      traefik.docker.network: traefik
+      traefik.enable: ${NEXTCLOUD_WEB_ENABLED:-true}
+    volumes:
+      - nextcloud:/var/www/html
+    networks:
+      - traefik
+    extra_hosts:
+      - host.docker.internal:host-gateway

roles/webserver/handlers/main.yml

@@ -1,11 +1,36 @@
+- name: Restart MariaDB
+  ansible.builtin.service:
+    name: mariadb
+    state: restarted
+  listen: restart_mariadb
+
 - name: Compose up on webserver stack
   ansible.builtin.command: "docker-compose up -d"
   args:
     chdir: "{{ webserver_root }}"
   listen: composeup_webserver
 
-- name: Restart MariaDB
+- name: Grab Nextcloud container information
-  ansible.builtin.service:
+  community.docker.docker_container_info:
-    name: mariadb
+    name: "{{ webserver_root | basename }}_nextcloud_1"
-    state: restarted
+  listen: composeup_webserver
-  listen: restart_mariadb
+  register: nextcloud_info
+
+- name: Wait for Nextcloud to become available
+  ansible.builtin.wait_for:
+    host: "{{ nextcloud_info.container.NetworkSettings.Networks.traefik.IPAddress }}"
+    port: 80
+  listen: composeup_webserver
+
+- name: Check Nextcloud status
+  ansible.builtin.command: "docker exec --user www-data {{ webserver_root | basename }}_nextcloud_1
+            php occ status"
+  listen: composeup_webserver
+  register: nextcloud_status
+
+- name: Import Nextcloud installation handlers
+  ansible.builtin.import_tasks: nextcloud.yml
+  listen: composeup_webserver
+  when:
+    - nextcloud_status.stderr[:26] == "Nextcloud is not installed"
+    - nextcloud_autoinstall

roles/webserver/handlers/nextcloud.yml

@@ -0,0 +1,35 @@
+- name: Install Nextcloud
+  ansible.builtin.command: 'docker exec --user www-data {{ webserver_root | basename }}_nextcloud_1
+            php occ maintenance:install
+              --database "mysql"
+              --database-host "{{ webserver.NEXTCLOUD_MYSQL_HOST | default("host.docker.internal") }}"
+              --database-name "{{ webserver.NEXTCLOUD_MYSQL_DATABASE | default("nextcloud") }}"
+              --database-user "{{ webserver.NEXTCLOUD_MYSQL_USER | default("nextcloud") }}"
+              --database-pass "{{ webserver.NEXTCLOUD_MYSQL_PASSWORD }}"
+              --admin-user "{{ webserver.NEXTCLOUD_ADMIN | default("admin") }}"
+              --admin-pass "{{ webserver.NEXTCLOUD_ADMIN_PASSWORD }}"'
+  register: nextcloud_install
+  listen: composeup_webserver
+
+- name: Set Nextcloud's Trusted Domain
+  ansible.builtin.command: 'docker exec --user www-data {{ webserver_root | basename }}_nextcloud_1
+            php occ config:system:set trusted_domains 0
+              --value="{{ webserver.NEXTCLOUD_DOMAIN | default("cloud.local.freeitathens.org") }}"'
+  listen: composeup_webserver
+  when: nextcloud_install.changed
+
+- name: Set Nextcloud's Trusted Proxy
+  ansible.builtin.command: 'docker exec --user www-data {{ webserver_root | basename }}_nextcloud_1
+            php occ config:system:set trusted_proxies 0 --value="traefik"'
+  listen: composeup_webserver
+  when: nextcloud_install.changed
+
+- name: Preform Nextcloud database maintenance
+  ansible.builtin.command: "docker exec --user www-data {{ webserver_root | basename }}_nextcloud_1 {{ item }}"
+  loop:
+    - "php occ maintenance:mode --on"
+    - "php occ db:add-missing-indices"
+    - "php occ db:convert-filecache-bigint"
+    - "php occ maintenance:mode --off"
+  listen: composeup_webserver
+  when: "'  - needsDbUpgrade: true' in nextcloud_status.stdout_lines"