testing

README.md

@@ -10,6 +10,7 @@ and services operated by Free I.T. Athens (FRITA).
 3. Go to
     - [Traefik Dashboard](https://traefik.local.freeitathens.org:8443/dashboard/#/)
     - [WordPress](https://www.local.freeitathens.org)
+    - [Nextcloud](https://cloud.local.freeitathens.org)
 4. Click through the HTTPS security warning
 
 ## Production

Vagrantfile

@@ -24,11 +24,19 @@ Vagrant.configure("2") do |config|
   config.vm.define :frita do |frita| #
   end
 
-  # Disable Machine Name Prefix
+  # Set libvirt settings
   config.vm.provider :libvirt do |libvirt|
+    libvirt.cpus = 2
+    libvirt.memory = 4096
     libvirt.default_prefix = ""
   end
 
+  # Set VirtualBox settings
+  config.vm.provider "virtualbox" do |vbox|
+    vbox.cpus = 2
+    vbox.memory = 4096
+  end
+
   # Provision with Ansible
   config.vm.provision "ansible" do |ansible|
     ENV['ANSIBLE_ROLES_PATH'] = File.dirname(__FILE__) + "/roles"

dev/vars/webserver.yml

@@ -1,9 +1,12 @@
 ###############
 ### Secrets ###
 ###############
+# These are sample public passwords not encrypted in Ansible Vault, unlike production
 secret:
-  WORDPRESS_DB_PASSWORD: WPpa55w0rd!
   TRAEFIK_DREAMHOST_APIKEY: DHap1pa55w0rd!
+  WORDPRESS_DB_PASSWORD: WPpa55w0rd!
+  NEXTCLOUD_MYSQL_PASSWORD: NCdbpa55w0rd!
+  NEXTCLOUD_ADMIN_PASSWORD: NCadm1npa55w0rd!
 
 ##############
 ### Docker ###
@@ -17,6 +20,8 @@ docker_users:
 databases:
   - name: wordpress
     pass: "{{ secret.WORDPRESS_DB_PASSWORD }}"
+  - name: nextcloud
+    pass: "{{ secret.NEXTCLOUD_MYSQL_PASSWORD }}"
 
 #######################
 ### Webserver Stack ###
@@ -34,7 +39,7 @@ webserver:
   TRAEFIK_DEBUG: true
   TRAEFIK_ACME_PROVIDER: dreamhost
   TRAEFIK_ACME_CASERVER: https://localhost/directory
-  TRAEFIK_ACME_EMAIL: frita@example.org
+  TRAEFIK_ACME_EMAIL: admin@example.org
   TRAEFIK_DREAMHOST_APIKEY: "{{ secret.TRAEFIK_DREAMHOST_APIKEY }}"
 
   #################
@@ -45,4 +50,18 @@ webserver:
   #WORDPRESS_DB_HOST: host.docker.internal
   #WORDPRESS_DB_NAME: wordpress
   #WORDPRESS_DB_USER: wordpress
+  #WORDPRESS_WEB_ENABLED: true
   WORDPRESS_DB_PASSWORD: "{{ secret.WORDPRESS_DB_PASSWORD }}"
+
+  #################
+  ### Nextcloud ###
+  #################
+  #NEXTCLOUD_VERSION: stable
+  #NEXTCLOUD_DOMAIN: cloud.local.freeitathens.org
+  #NEXTCLOUD_MYSQL_HOST: host.docker.internal
+  #NEXTCLOUD_MYSQL_DATABASE: nextcloud
+  #NEXTCLOUD_MYSQL_USER: nextcloud
+  #NEXTCLOUD_WEB_ENABLED: true
+  #NEXTCLOUD_ADMIN: admin
+  NEXTCLOUD_ADMIN_PASSWORD: "{{ secret.NEXTCLOUD_ADMIN_PASSWORD }}"
+  NEXTCLOUD_MYSQL_PASSWORD: "{{ secret.NEXTCLOUD_MYSQL_PASSWORD }}"

roles/common/defaults/main.yml

@@ -1,2 +1,2 @@
 packages:
-  - dnsutils
+  - dnsutils

roles/common/tasks/main.yml

@@ -5,7 +5,7 @@
     mode: 0700
 
 - name: Install useful software
-  apt:
+  ansible.builtin.apt:
     name: "{{ packages }}"
     state: present
     update_cache: true

roles/nextcloud/tasks/main.yml

@@ -1,140 +0,0 @@
-# Copyright (C) 2019-2020  Free I.T. Athens
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, version 3 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <https://www.gnu.org/licenses/>.
-
-- name: Install MySQL Support for Python
-  apt:
-    name: python-pymysql
-    state: present
-
-- name: Create Database
-  mysql_db:
-    name: "{{ nc_db_name }}"
-    state: present
-    login_unix_socket: /var/run/mysqld/mysqld.sock
-
-- name: Create Database User
-  mysql_user:
-    name: "{{ nc_db_user }}"
-    password: "{{ nc_db_pass }}"
-    priv: "{{ nc_db_name }}.*:ALL,GRANT"
-    state: present
-    login_unix_socket: /var/run/mysqld/mysqld.sock
-
-- name: Install PHP Modules
-  apt:
-    name: [
-            # Required
-            'php-ctype', 'php-curl', 'php-dom',
-            'php-gd', 'php-iconv', 'php-json', 'php-xml',
-            'php-mbstring', 'php-posix', 'php-simplexml',
-            'php-xmlreader', 'php-xmlwriter', 'php-zip',
-
-            # Database Connectors
-            'php-pgsql',
-
-            # Recommended Packages
-            'php-fileinfo', 'php-bz2', 'php-intl',
-
-            # Enhanced Performance
-            'php-redis', 'redis-server',
-
-            # Preview Generation
-            'php-imagick'
-          ]
-    state: present
-  notify: Reload Apache2
-
-- name: Create Public HTML Directory
-  file:
-    path: "{{ nc_dir }}/public_html"
-    state: directory
-
-- name: Create Nextcloud Directories
-  file:
-    path: "{{ nc_dir }}/public_html/data"
-    state: directory
-    owner: www-data
-    group: www-data
-
-- name: Create Logs Directory
-  file:
-    path: "{{ nc_dir }}/logs"
-    state: directory
-
-- name: Download Nextcloud
-  get_url:
-    url: "https://download.nextcloud.com/server/releases/\
-          nextcloud-{{ nc_version }}.tar.bz2"
-    dest: /tmp/nextcloud-{{ nc_version }}.tar.bz2
-    checksum: sha256:{{ nc_sha256_hash }}
-
-- name: Extract Nextcloud
-  unarchive:
-    src: /tmp/nextcloud-{{ nc_version }}.tar.bz2
-    dest: "{{ nc_dir }}/public_html"
-    owner: www-data
-    group: www-data
-    extra_opts: [--strip-components=1]
-    remote_src: yes
-
-- name: Install Nextcloud
-  command: |
-    php occ maintenance:install --database mysql \
-    --database-name {{ nc_db_name }} --database-host {{ nc_db_host }} \
-    --database-user {{ nc_db_user }} --database-pass {{ nc_db_pass }} \
-    --admin-user {{ nc_admin }} --admin-pass {{ nc_admin_pass }} \
-    --data-dir {{ nc_dir }}/public_html/data
-  become_user: www-data
-  register: nextcloud_install
-  args:
-    chdir: "{{ nc_dir }}/public_html"
-    creates: "{{ nc_dir }}/public_html/config/config.php"
-
-- name: Add Missing Database Indexes
-  command: php occ db:add-missing-indices
-  become_user: www-data
-  register: nextcloud_db_update
-  args:
-    chdir: "{{ nc_dir }}/public_html"
-  when: nextcloud_install.changed
-
-- name: Convert Database Columns to BIGINT
-  command: php occ db:convert-filecache-bigint
-  become_user: www-data
-  args:
-    chdir: "{{ nc_dir }}/public_html"
-  when: nextcloud_db_update.changed
-
-- name: Add Domain Name to Trusted Domains
-  command: |
-    php occ config:system:set trusted_domains 0 --value={{ nc_domain }}
-  become_user: www-data
-  args:
-    chdir: "{{ nc_dir }}/public_html"
-  when: nextcloud_install.changed
-
-- name: "Enable Apache2 Module: rewrite"
-  apache2_module: name=rewrite state=present
-
-- name: Apply Apache Configuration
-  template:
-    src: nextcloud.conf.j2
-    dest: /etc/apache2/sites-available/{{ nc_domain }}.conf
-  notify: Reload Apache2
-
-- name: Enable Apache Website
-  shell: a2ensite {{ nc_domain }}
-  args:
-    creates: /etc/apache2/sites-enabled/{{ nc_domain }}.conf
-  notify: Reload Apache2

roles/nextcloud/templates/nextcloud.conf.j2

@@ -1,27 +0,0 @@
-<VirtualHost *:80>
-  ServerName {{ nc_domain }}
-
-  ServerAdmin {{ nc_admin_email }}
-  DocumentRoot {{ nc_dir }}/public_html
-
-  <Directory {{ nc_dir }}/public_html>
-
-    Options +FollowSymLinks
-    AllowOverride All
-
-    <IfModule mod_dav.c>
-      Dav off
-    </IfModule>
-
-    SetEnv HOME {{ nc_dir }}/public_html
-    SetEnv HTTP_HOME {{ nc_dir }}/public_html
-
-    # Nextcloud recommends 512MB
-    php_value memory_limit 512M
-  </Directory>
-
-  ErrorLog {{ nc_dir }}/logs/error.log
-  CustomLog {{ nc_dir }}/logs/access.log combined
-</VirtualHost>
-
-# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

roles/webserver/defaults/main.yml

@@ -1,4 +1,5 @@
 webserver_root: "{{ docker_compose_root }}/webserver"
+nextcloud_autoinstall: true
 mariadb_trust:
   - "172.16.0.0/12"
   - "192.168.0.0/16"

roles/webserver/files/docker-compose.yml

@@ -2,10 +2,14 @@ version: '3.5'
 
 volumes:
   wordpress:
+  nextcloud:
+  postgres:
 
 networks:
   traefik:
     name: traefik
+  postgres:
+    name: postgres
 
 services:
   traefik:
@@ -26,7 +30,7 @@ services:
       - --certificatesresolvers.letsencrypt.acme.email=${TRAEFIK_ACME_EMAIL}
       - --certificatesresolvers.letsencrypt.acme.storage=/etc/letsencrypt/acme.json
       - --certificatesresolvers.letsencrypt.acme.dnschallenge=true
-      - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=${TRAEFIK_ACME_PROVIDER}
+      - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=${TRAEFIK_ACME_PROVIDER:-manual}
       - --certificatesresolvers.letsencrypt.acme.dnschallenge.delaybeforecheck=0
       - --certificatesresolvers.letsencrypt.acme.caserver=${TRAEFIK_ACME_CASERVER:-https://acme-staging-v02.api.letsencrypt.org/directory}
     environment:
@@ -78,3 +82,65 @@ services:
       - traefik
     extra_hosts:
       - host.docker.internal:host-gateway
+
+  nextcloud:
+    image: nextcloud:${NEXTCLOUD_VERSION:-stable}
+    restart: always
+    environment:
+      MYSQL_HOST: ${NEXTCLOUD_MYSQL_HOST:-host.docker.internal:3306}
+      MYSQL_DATABASE: ${NEXTCLOUD_MYSQL_DATABASE-nextcloud}
+      MYSQL_USER: ${NEXTCLOUD_MYSQL_USER:-nextcloud}
+      MYSQL_PASSWORD: ${NEXTCLOUD_MYSQL_PASSWORD}
+    labels:
+      traefik.http.routers.nextcloud.rule: "Host(`${NEXTCLOUD_DOMAIN:-cloud.local.freeitathens.org}`)"
+      traefik.http.routers.nextcloud.entrypoints: websecure
+      traefik.http.routers.nextcloud.tls: true
+      traefik.http.routers.nextcloud.tls.certresolver: letsencrypt
+      traefik.http.routers.nextcloud.tls.domains[0].main: ${TRAEFIK_ACME_DOMAIN_MAIN:-local.freeitathens.org}
+      traefik.http.routers.nextcloud.tls.domains[0].sans: "${TRAEFIK_ACME_DOMAIN_SANS:-*.local.freeitathens.org}"
+      traefik.http.services.nextcloud.loadbalancer.server.port: 80
+      traefik.http.middlewares.nextcloud-webdav.redirectregex.regex: "https://(.*)/.well-known/(card|cal)dav"
+      traefik.http.middlewares.nextcloud-webdav.redirectregex.replacement: "https://$${1}/remote.php/dav/"
+      traefik.http.middlewares.nextcloud-webdav.redirectregex.permanent: true
+      traefik.http.routers.nextcloud.middlewares: nextcloud-webdav
+      traefik.docker.network: traefik
+      traefik.enable: ${NEXTCLOUD_WEB_ENABLED:-true}
+    volumes:
+      - nextcloud:/var/www/html
+    networks:
+      - traefik
+    extra_hosts:
+      - host.docker.internal:host-gateway
+
+  timetrex:
+    image: freeitathens/timetrex:${TIMETREX_VERSION:-latest}
+    restart: always
+    environment:
+      POSTGRES_PASSWORD: password
+      POSTGRES_HOST: postgres
+    links:
+      - postgres
+    labels:
+      traefik.http.routers.timetrex.rule: "Host(`${TIMETREX_DOMAIN:-time.local.freeitathens.org}`)"
+      traefik.http.routers.timetrex.entrypoints: websecure
+      traefik.http.routers.timetrex.tls: true
+      traefik.http.routers.timetrex.tls.certresolver: letsencrypt
+      traefik.http.routers.timetrex.tls.domains[0].main: ${TRAEFIK_ACME_DOMAIN_MAIN:-local.freeitathens.org}
+      traefik.http.routers.timetrex.tls.domains[0].sans: "${TRAEFIK_ACME_DOMAIN_SANS:-*.local.freeitathens.org}"
+      traefik.http.services.timetrex.loadbalancer.server.port: 80
+      traefik.docker.network: traefik
+      traefik.enable: ${NEXTCLOUD_WEB_ENABLED:-true}
+    networks:
+      - postgres
+      - traefik
+
+  postgres:
+    image: postgres:13-bullseye
+    volumes:
+      - postgres:/var/lib/postgresql/data
+    environment:
+      POSTGRES_DB: timetrex
+      POSTGRES_USER: timetrex
+      POSTGRES_PASSWORD: password
+    networks:
+      - postgres

roles/webserver/handlers/main.yml

@@ -1,11 +1,36 @@
+- name: Restart MariaDB
+  ansible.builtin.service:
+    name: mariadb
+    state: restarted
+  listen: restart_mariadb
+
 - name: Compose up on webserver stack
   ansible.builtin.command: "docker-compose up -d"
   args:
     chdir: "{{ webserver_root }}"
   listen: composeup_webserver
 
-- name: Restart MariaDB
-  ansible.builtin.service:
-    name: mariadb
-    state: restarted
-  listen: restart_mariadb
+- name: Grab Nextcloud container information
+  community.docker.docker_container_info:
+    name: "{{ webserver_root | basename }}_nextcloud_1"
+  listen: composeup_webserver
+  register: nextcloud_info
+
+- name: Wait for Nextcloud to become available
+  ansible.builtin.wait_for:
+    host: "{{ nextcloud_info.container.NetworkSettings.Networks.traefik.IPAddress }}"
+    port: 80
+  listen: composeup_webserver
+
+- name: Check Nextcloud status
+  ansible.builtin.command: "docker exec --user www-data {{ webserver_root | basename }}_nextcloud_1
+            php occ status"
+  listen: composeup_webserver
+  register: nextcloud_status
+
+- name: Import Nextcloud installation handlers
+  ansible.builtin.import_tasks: nextcloud.yml
+  listen: composeup_webserver
+  when:
+    - nextcloud_status.stderr[:26] == "Nextcloud is not installed"
+    - nextcloud_autoinstall

roles/webserver/handlers/nextcloud.yml

@@ -0,0 +1,35 @@
+- name: Install Nextcloud
+  ansible.builtin.command: 'docker exec --user www-data {{ webserver_root | basename }}_nextcloud_1
+            php occ maintenance:install
+              --database "mysql"
+              --database-host "{{ webserver.NEXTCLOUD_MYSQL_HOST | default("host.docker.internal") }}"
+              --database-name "{{ webserver.NEXTCLOUD_MYSQL_DATABASE | default("nextcloud") }}"
+              --database-user "{{ webserver.NEXTCLOUD_MYSQL_USER | default("nextcloud") }}"
+              --database-pass "{{ webserver.NEXTCLOUD_MYSQL_PASSWORD }}"
+              --admin-user "{{ webserver.NEXTCLOUD_ADMIN | default("admin") }}"
+              --admin-pass "{{ webserver.NEXTCLOUD_ADMIN_PASSWORD }}"'
+  register: nextcloud_install
+  listen: composeup_webserver
+
+- name: Set Nextcloud's Trusted Domain
+  ansible.builtin.command: 'docker exec --user www-data {{ webserver_root | basename }}_nextcloud_1
+            php occ config:system:set trusted_domains 0
+              --value="{{ webserver.NEXTCLOUD_DOMAIN | default("cloud.local.freeitathens.org") }}"'
+  listen: composeup_webserver
+  when: nextcloud_install.changed
+
+- name: Set Nextcloud's Trusted Proxy
+  ansible.builtin.command: 'docker exec --user www-data {{ webserver_root | basename }}_nextcloud_1
+            php occ config:system:set trusted_proxies 0 --value="traefik"'
+  listen: composeup_webserver
+  when: nextcloud_install.changed
+
+- name: Preform Nextcloud database maintenance
+  ansible.builtin.command: "docker exec --user www-data {{ webserver_root | basename }}_nextcloud_1 {{ item }}"
+  loop:
+    - "php occ maintenance:mode --on"
+    - "php occ db:add-missing-indices"
+    - "php occ db:convert-filecache-bigint"
+    - "php occ maintenance:mode --off"
+  listen: composeup_webserver
+  when: "'  - needsDbUpgrade: true' in nextcloud_status.stdout_lines"