Upgrade Nextcloud setup to use compose files

- Integrated MariaDB role into Dockerbox configuration - Moved proxy role to the end to avoid early endpoint activation - Temporarily disabled select roles for future re-evaluation - Introduced flush_handlers task for early MariaDB restart - Moved a few Nextcloud tasks to handlers - Configured Nextcloud to utilize the host's MariaDB instance - Enhanced overall code linting quality
Add Vagrant cache option for dhparams.pem
2024-04-21 21:45:33 -04:00 · 2024-03-26 21:51:39 -04:00 · 2024-03-04 23:42:40 -05:00 · 2023-12-09 13:16:46 -05:00 · 2023-12-09 13:04:07 -05:00 · 2023-11-18 17:37:27 -05:00
16 changed files with 265 additions and 216 deletions
--- a/README.md
+++ b/README.md
@@ -1,41 +1,76 @@
-# Project Moxie
+# Homelab
-Project Moxie is a personal IT homelab project written in Ansible and executed by Jenkins. It is a growing collection of infrastructure as code (IaC) I write out of curiosity and for reference purposes, keeping a handful of beneficial projects managed and secured.
+This project is my personal IT homelab initiative for self-hosting and
 exploring Free and Open Source Software (FOSS) infrastructure. As a technology
 enthusiast and professional, this project is primarily a practical tool for
 hosting services. It serves as a playground for engaging with systems
 technology in functional, intriguing, and gratifying ways. Self-hosting
 empowers individuals to govern their digital space, ensuring that their online
 environments reflect personal ethics rather than centralized entities' opaque
 policies.
 Built on Debian Stable, this project utilizes Ansible and Vagrant, providing
 relatively easy-to-use reproducible ephemeral environments to test
 infrastructure automation before pushing to live systems.
 ## Quick Start
 To configure a local virtual machine for testing, follow these simple steps.
 ### Prerequisites
 Vagrant and VirtualBox are used to develop Project Moxie. You will need to install these before continuing.
 ### Installation
 1. Clone this repository
   ```
-   git clone https://github.com/krislamo/moxie
+   git clone https://git.krislamo.org/kris/homelab
   ```
   Optionally clone from the GitHub mirror instead:
   ```
   git clone https://github.com/krislamo/homelab
   ```
 2. Set the `PLAYBOOK` environmental variable to a development playbook name in the `dev/` directory
-   The following `PLAYBOOK` names are available: `dockerbox`, `hypervisor`, `minecraft`, `bitwarden`, `nextcloud`, `nginx`
+   To list available options in the `dev/` directory and choose a suitable PLAYBOOK, run:
-
+   ```
   ls dev/*.yml | xargs -n 1 basename -s .yml
   ```
   Export the `PLAYBOOK` variable
   ```
   export PLAYBOOK=dockerbox
   ```
-3. Bring the Vagrant box up
+3. Clean up any previous provision and build the VM
   ```
-   vagrant up
+   make clean && make
   ```
-#### Copyright and License
+## Vagrant Settings
-Copyright (C) 2020-2021  Kris Lamoureux
+The Vagrantfile configures the environment based on settings from `.vagrant.yml`,
 with default values including:
 - PLAYBOOK: `default`
   - Runs a `default` playbook that does nothing.
   - You can set this by an environmental variable with the same name.
 - VAGRANT_BOX: `debian/bookworm64`
   - Current Debian Stable codename
 - VAGRANT_CPUS: `2`
   - Threads or cores per node, depending on CPU architecture
 - VAGRANT_MEM: `2048`
   - Specifies the amount of memory (in MB) allocated
 - SSH_FORWARD: `false`
   - Enable this if you need to forward SSH agents to the Vagrant machine
 ## Copyright and License
 Copyright (C) 2019-2023  Kris Lamoureux
 [![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0)
 This program is free software: you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free Software
 Foundation, version 3 of the License.
-This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+This program is distributed in the hope that it will be useful, but WITHOUT ANY
 WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
+You should have received a copy of the GNU General Public License along with
-
+this program. If not, see <https://www.gnu.org/licenses/>.
 You should have received a copy of the GNU General Public License along with this program. If not, see <https://www.gnu.org/licenses/>.
--- a/dev/dockerbox.yml
+++ b/dev/dockerbox.yml
@@ -6,8 +6,7 @@
  roles:
    - base
    - docker
    - mariadb
    - traefik
    - nextcloud
-    - jenkins
+    - proxy
    - prometheus
    - nginx
--- a/dev/host_vars/dockerbox.yml
+++ b/dev/host_vars/dockerbox.yml
@@ -2,44 +2,47 @@
 allow_reboot: false
 manage_network: false
 # Import my GPG key for git signature verification
 root_gpgkeys:
  - name: kris@lamoureux.io
    id: FBF673CEEC030F8AECA814E73EDA9C3441EDA925
 # proxy
 proxy:
  servers:
    - domain: cloud.local.krislamo.org
      proxy_pass: http://127.0.0.1:8000
 # docker
 docker_official: true # docker's apt repos
 docker_users:
  - vagrant
 docker_compose_env_nolog: false # dev only setting
 docker_compose_deploy:
  # Traefik
  - name: traefik
    url: https://github.com/krislamo/traefik
    version: d62bd06b37ecf0993962b0449a9d708373f9e381
    enabled: true
    accept_newhostkey: true # Consider verifying manually instead
    trusted_keys:
      - FBF673CEEC030F8AECA814E73EDA9C3441EDA925
    env:
      DASHBOARD: true
  # Nextcloud
  - name: nextcloud
    url: https://github.com/krislamo/nextcloud
    version: 0abc5cc6ba64ed94b7ddc6fd934f0fd62b8a6d11
    env:
      DATA: ./data
 # traefik
-traefik_version: latest
+traefik:
-traefik_dashboard: true
+  ENABLE: true
 traefik_domain: traefik.local.krislamo.org
 traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
 traefik_web_entry: 0.0.0.0:80
 traefik_websecure_entry: 0.0.0.0:443
 #traefik_acme_email: realemail@example.com # Let's Encrypt settings
 #traefik_production: true
 #traefik_http_only: true # if behind reverse-proxy
 # nextcloud
-nextcloud_version: stable
+nextcloud:
-nextcloud_admin: admin
+  DOMAIN: cloud.local.krislamo.org
-nextcloud_pass: password
+  DB_PASSWD: password
-nextcloud_domain: cloud.local.krislamo.org
+  ADMIN_PASSWD: password
 nextcloud_dbversion: latest
 nextcloud_dbpass: password
 # jenkins
 jenkins_version: lts
 jenkins_domain: jenkins.local.krislamo.org
 # prometheus (includes grafana)
 prom_version: latest
 prom_domain: prom.local.krislamo.org
 grafana_version: latest
 grafana_domain: grafana.local.krislamo.org
 prom_targets: "['10.0.2.15:9100']"
 # nginx
 nginx_domain: nginx.local.krislamo.org
 nginx_name: staticsite
 nginx_repo_url: https://git.krislamo.org/kris/example-website/
 nginx_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
 nginx_version: latest
--- a/forward-ssh.sh
+++ b/forward-ssh.sh
@@ -1,11 +1,28 @@
 #!/bin/bash
 # Finds the SSH private key under ./.vagrant and connects to
-# the Vagrant box, port forwarding localhost ports: 8443, 80, 443
+# the Vagrant box, port forwarding localhost ports: 8443, 443, 80, 22
 #
 # Download the latest script:
 # https://git.krislamo.org/kris/homelab/raw/branch/main/forward-ssh.sh
 #
 # Copyright (C) 2023  Kris Lamoureux
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.
 # Root check
 if [ "$EUID" -ne 0 ]; then
-  echo "[ERROR]: Please run script as root"
+  echo "[ERROR]: Please run this script as root"
  exit 1
 fi
@@ -24,8 +41,8 @@ function ssh_connect {
      printf "[INFO]: Starting new vagrant SSH tunnel on PID "
      sudo -u "$USER" ssh -fNT -i "$PRIVATE_KEY" \
        -L 22:localhost:22 \
-        -L 80:localhost:80 \
+        -L 80:"$HOST_IP":80 \
-        -L 443:localhost:443 \
+        -L 443:"$HOST_IP":443 \
        -L 8443:localhost:8443 \
        -o UserKnownHostsFile=/dev/null \
        -o StrictHostKeyChecking=no \
@@ -34,28 +51,45 @@ function ssh_connect {
      pgrep -f "$MATCH_PATTERN"
      ;;
    *)
-      echo "[INFO]: Delined to start a new vagrant SSH tunnel"
+      echo "[INFO]: Declined to start a new vagrant SSH tunnel"
      exit 0
      ;;
  esac
 }
 # Check for valid PRIVATE_KEY location
-PRIVATE_KEY="$(find .vagrant -name "private_key" 2>/dev/null)"
+PRIVATE_KEY="$(find .vagrant -name "private_key" 2>/dev/null | sort)"
-if ! ssh-keygen -l -f "$PRIVATE_KEY" &>/dev/null; then
+
 # Single vagrant machine or multiple
 if [ "$(echo "$PRIVATE_KEY" | wc -l)" -gt 1 ]; then
  while IFS= read -r KEYFILE; do
    if ! ssh-keygen -l -f "$KEYFILE" &>/dev/null; then
      echo "[ERROR]: The SSH key '$KEYFILE' is not valid. Are your virtual machines running?"
      exit 1
    fi
    echo "[CHECK]: Valid key at $KEYFILE"
  done < <(echo "$PRIVATE_KEY")
  PRIVATE_KEY="$(echo "$PRIVATE_KEY" | grep -m1 "${1:-default}")"
 elif ! ssh-keygen -l -f "$PRIVATE_KEY" &>/dev/null; then
  echo "[ERROR]: The SSH key '$PRIVATE_KEY' is not valid. Is your virtual machine running?"
  exit 1
 else
  echo "[CHECK]: Valid key at $PRIVATE_KEY"
 fi
 echo "[CHECK]: Valid key at $PRIVATE_KEY"
 # Grab first IP or use whatever HOST_IP_FIELD is set to and check that the guest is up
-HOST_IP="$(vagrant ssh -c "hostname -I | cut -d' ' -f${HOST_IP_FIELD:-1}" 2>/dev/null)"
+HOST_IP="$(sudo -u "$SUDO_USER" vagrant ssh -c "hostname -I | cut -d' ' -f${HOST_IP_FIELD:-1}" "${1:-default}" 2>/dev/null)"
 if [ -z "$HOST_IP" ]; then
  echo "[ERROR]: Failed to find ${1:-default}'s IP"
  exit 1
 fi
 HOST_IP="${HOST_IP::-1}" # trim
 if ! ping -c 1 "$HOST_IP" &>/dev/null; then
  echo "[ERROR]: Cannot ping the host IP '$HOST_IP'"
  exit 1
 fi
-echo "[CHECK]: Host at $HOST_IP is up"
+echo "[CHECK]: Host at $HOST_IP (${1:-default}) is up"
 # Pattern for matching processes running
 MATCH_PATTERN="ssh -fNT -i ${PRIVATE_KEY}.*vagrant@"
--- a/roles/bitwarden/handlers/main.yml
+++ b/roles/bitwarden/handlers/main.yml
@@ -5,7 +5,12 @@
  listen: rebuild_bitwarden
 - name: Rebuild Bitwarden
-  ansible.builtin.shell: "{{ bitwarden_root }}/bitwarden.sh rebuild"
+  ansible.builtin.command: "{{ bitwarden_root }}/bitwarden.sh rebuild"
  listen: rebuild_bitwarden
 - name: Reload systemd manager configuration
  ansible.builtin.systemd:
    daemon_reload: true
  listen: rebuild_bitwarden
 - name: Start Bitwarden after rebuild
@@ -14,3 +19,10 @@
    state: started
    enabled: true
  listen: rebuild_bitwarden
 - name: Create Bitwarden's initial log file
  ansible.builtin.file:
    path: "{{ bitwarden_logs_identity }}/{{ bitwarden_logs_identity_date }}.txt"
    state: touch
    mode: "644"
  listen: touch_bitwarden
--- a/roles/bitwarden/tasks/main.yml
+++ b/roles/bitwarden/tasks/main.yml
@@ -7,6 +7,7 @@
  ansible.builtin.file:
    path: "{{ bitwarden_root }}"
    state: directory
    mode: "755"
 - name: Download Bitwarden script
  ansible.builtin.get_url:
@@ -22,7 +23,7 @@
    mode: u+x
 - name: Run Bitwarden installation script
-  ansible.builtin.shell: "{{ bitwarden_root }}/bw_wrapper"
+  ansible.builtin.command: "{{ bitwarden_root }}/bw_wrapper"
  args:
    creates: "{{ bitwarden_root }}/bwdata/config.yml"
@@ -30,6 +31,7 @@
  ansible.builtin.template:
    src: compose.override.yml.j2
    dest: "{{ bitwarden_root }}/bwdata/docker/docker-compose.override.yml"
    mode: "644"
  when: bitwarden_override | default(true)
  notify: rebuild_bitwarden
@@ -76,6 +78,7 @@
  ansible.builtin.template:
    src: bitwarden.service.j2
    dest: "/etc/systemd/system/{{ bitwarden_name }}.service"
    mode: "644"
  register: bitwarden_systemd
  notify: rebuild_bitwarden
@@ -83,22 +86,12 @@
  ansible.builtin.file:
    path: "{{ bitwarden_logs_identity }}"
    state: directory
-  register: bitwarden_logs
+    mode: "755"
-
+  notify: touch_bitwarden
 - name: Create Bitwarden's initial log file
  ansible.builtin.file:
    path: "{{ bitwarden_logs_identity }}/{{ bitwarden_logs_identity_date }}.txt"
    state: touch
  when: bitwarden_logs.changed
 - name: Install Bitwarden's Fail2ban jail
  ansible.builtin.template:
    src: fail2ban-jail.conf.j2
    dest: /etc/fail2ban/jail.d/bitwarden.conf
    mode: "640"
  notify: restart_fail2ban
 - name: Reload systemd manager configuration
  ansible.builtin.systemd:
    daemon_reload: true
  when: bitwarden_systemd.changed
  notify: rebuild_bitwarden
--- a/roles/gitea/tasks/main.yml
+++ b/roles/gitea/tasks/main.yml
@@ -21,6 +21,7 @@
 - name: Create git's .ssh directory
  ansible.builtin.file:
    path: /home/git/.ssh
    mode: "700"
    state: directory
 - name: Generate git's SSH keys
@@ -40,6 +41,7 @@
 - name: Create git's authorized_keys file
  ansible.builtin.file:
    path: /home/git/.ssh/authorized_keys
    mode: "600"
    state: touch
  when: not git_authkeys.stat.exists
@@ -53,21 +55,24 @@
  ansible.builtin.template:
    src: gitea.sh.j2
    dest: /usr/local/bin/gitea
-    mode: 0755
+    mode: "755"
 - name: Create Gitea's logging directory
  ansible.builtin.file:
    name: /var/log/gitea
    state: directory
    mode: "755"
 - name: Install Gitea's Fail2ban filter
  ansible.builtin.template:
    src: fail2ban-filter.conf.j2
    dest: /etc/fail2ban/filter.d/gitea.conf
    mode: "644"
  notify: restart_fail2ban
 - name: Install Gitea's Fail2ban jail
  ansible.builtin.template:
    src: fail2ban-jail.conf.j2
    dest: /etc/fail2ban/jail.d/gitea.conf
    mode: "640"
  notify: restart_fail2ban
--- a/roles/mariadb/handlers/main.yml
+++ b/roles/mariadb/handlers/main.yml
@@ -6,7 +6,7 @@
  listen: restart_mariadb
 - name: Set MariaDB as restarted
-  set_fact:
+  ansible.builtin.set_fact:
    mariadb_restarted: true
  when: not mariadb_restarted
  listen: restart_mariadb
--- a/roles/mariadb/tasks/main.yml
+++ b/roles/mariadb/tasks/main.yml
@@ -4,7 +4,7 @@
    state: present
 - name: Set MariaDB restarted fact
-  set_fact:
+  ansible.builtin.set_fact:
    mariadb_restarted: false
 - name: Regather facts for the potentially new docker0 interface
@@ -17,6 +17,10 @@
    line: "bind-address            = {{ ansible_facts.docker0.ipv4.address }}"
  notify: restart_mariadb
 - name: Flush handlers to ensure MariaDB restarts immediately
  ansible.builtin.meta: flush_handlers
  tags: restart_mariadb
 - name: Allow database connections from Docker
  community.general.ufw:
    rule: allow
--- a/roles/nextcloud/defaults/main.yml
+++ b/roles/nextcloud/defaults/main.yml
@@ -1,11 +1 @@
-# container names
+nextcloud_name: nextcloud
 nextcloud_container: nextcloud
 nextcloud_dbcontainer: "{{ nextcloud_container }}-db"
 # database settings
 nextcloud_dbname: "{{ nextcloud_container }}"
 nextcloud_dbuser: "{{ nextcloud_dbname }}"
 # host mounts
 nextcloud_root: "/opt/{{ nextcloud_container }}/public_html"
 nextcloud_dbroot: "/opt/{{ nextcloud_container }}/database"
--- a/roles/nextcloud/handlers/main.yml
+++ b/roles/nextcloud/handlers/main.yml
@@ -0,0 +1,25 @@
 - name: Set Nextcloud's Trusted Proxy
  ansible.builtin.command: >
    docker exec --user www-data "{{ nextcloud_name }}"
      php occ config:system:set trusted_proxies 0 --value="{{ traefik_name }}"
  register: nextcloud_trusted_proxy
  changed_when: "nextcloud_trusted_proxy.stdout == 'System config value trusted_proxies => 0 set to string ' ~ traefik_name"
  listen: install_nextcloud
 - name: Set Nextcloud's Trusted Domain
  ansible.builtin.command: >
    docker exec --user www-data "{{ nextcloud_name }}"
      php occ config:system:set trusted_domains 0 --value="{{ nextcloud.DOMAIN }}"
  register: nextcloud_trusted_domains
  changed_when: "nextcloud_trusted_domains.stdout == 'System config value trusted_domains => 0 set to string ' ~ nextcloud.DOMAIN"
  listen: install_nextcloud
 - name: Preform Nextcloud database maintenance
  ansible.builtin.command: >
    docker exec --user www-data "{{ nextcloud_name }}" {{ item }}
  loop:
    - "php occ maintenance:mode --on"
    - "php occ db:add-missing-indices"
    - "php occ db:convert-filecache-bigint"
    - "php occ maintenance:mode --off"
  listen: install_nextcloud
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
@@ -1,109 +1,62 @@
- name: Create Nextcloud network
+- name: Install MySQL module for Ansible
-  community.general.docker_network:
+  ansible.builtin.apt:
-    name: "{{ nextcloud_container }}"
+    name: python3-pymysql
    state: present
- name: Start Nextcloud's database container
+- name: Create Nextcloud database
-  community.general.docker_container:
+  community.mysql.mysql_db:
-    name: "{{ nextcloud_dbcontainer }}"
+    name: "{{ nextcloud.DB_NAME | default('nextcloud') }}"
-    image: mariadb:{{ nextcloud_dbversion }}
+    state: present
    login_unix_socket: /var/run/mysqld/mysqld.sock
 - name: Create Nextcloud database user
  community.mysql.mysql_user:
    name: "{{ nextcloud.DB_USER | default('nextcloud') }}"
    password: "{{ nextcloud.DB_PASSWD }}"
    host: '%'
    state: present
    priv: "{{ nextcloud.DB_NAME | default('nextcloud') }}.*:ALL"
    login_unix_socket: /var/run/mysqld/mysqld.sock
 - name: Start Nextcloud service and enable on boot
  ansible.builtin.service:
    name: "{{ docker_compose_service }}@{{ nextcloud_name }}"
    state: started
-    restart_policy: always
+    enabled: true
-    volumes: "{{ nextcloud_dbroot }}:/var/lib/mysql"
+  when: nextcloud.ENABLE | default('false')
    networks_cli_compatible: true
    networks:
      - name: "{{ nextcloud_container }}"
    env:
      MYSQL_RANDOM_ROOT_PASSWORD: "true"
      MYSQL_DATABASE: "{{ nextcloud_dbname }}"
      MYSQL_USER: "{{ nextcloud_dbuser }}"
      MYSQL_PASSWORD: "{{ nextcloud_dbpass }}"
 - name: Start Nextcloud container
  community.general.docker_container:
    name: "{{ nextcloud_container }}"
    image: nextcloud:{{ nextcloud_version }}
    state: started
    restart_policy: always
    volumes: "{{ nextcloud_root }}:/var/www/html"
    networks_cli_compatible: true
    networks:
      - name: "{{ nextcloud_container }}"
      - name: traefik
    env:
      PHP_MEMORY_LIMIT: 1024M
    labels:
      traefik.http.routers.nextcloud.rule: "Host(`{{ nextcloud_domain }}`)"
      traefik.http.routers.nextcloud.entrypoints: websecure
      traefik.http.routers.nextcloud.tls.certresolver: letsencrypt
      traefik.http.routers.nextcloud.middlewares: "securehttps@file,nextcloud-webdav"
      traefik.http.middlewares.nextcloud-webdav.redirectregex.regex: "https://(.*)/.well-known/(card|cal)dav"
      traefik.http.middlewares.nextcloud-webdav.redirectregex.replacement: "https://${1}/remote.php/dav/"
      traefik.http.middlewares.nextcloud-webdav.redirectregex.permanent: "true"
      traefik.docker.network: traefik
      traefik.enable: "true"
 - name: Grab Nextcloud database container information
  community.general.docker_container_info:
    name: "{{ nextcloud_dbcontainer }}"
  register: nextcloud_dbinfo
 - name: Grab Nextcloud container information
  community.general.docker_container_info:
-    name: "{{ nextcloud_container }}"
+    name: "{{ nextcloud_name }}"
  register: nextcloud_info
 - name: Wait for Nextcloud to become available
  ansible.builtin.wait_for:
    host: "{{ nextcloud_info.container.NetworkSettings.Networks.traefik.IPAddress }}"
    delay: 10
    port: 80
 - name: Check Nextcloud status
-  ansible.builtin.command: "docker exec --user www-data {{ nextcloud_container }}
+  ansible.builtin.command: >
-            php occ status"
+    docker exec --user www-data "{{ nextcloud_name }}" php occ status
  register: nextcloud_status
-  args:
+  changed_when: false
    removes: "{{ nextcloud_root }}/config/CAN_INSTALL"
 - name: Wait for Nextcloud database to become available
  ansible.builtin.wait_for:
    host: "{{ nextcloud_dbinfo.container.NetworkSettings.Networks.nextcloud.IPAddress }}"
    port: 3306
 - name: Install Nextcloud
-  ansible.builtin.command: 'docker exec --user www-data {{ nextcloud_container }}
+  ansible.builtin.command: >
    docker exec --user www-data {{ nextcloud_name }}
      php occ maintenance:install
        --database "mysql"
-              --database-host "{{ nextcloud_dbcontainer }}"
+        --database-host "{{ nextcloud.DB_HOST | default('host.docker.internal') }}"
-              --database-name "{{ nextcloud_dbname }}"
+        --database-name "{{ nextcloud.DB_NAME | default('nextcloud') }}"
-              --database-user "{{ nextcloud_dbuser }}"
+        --database-user "{{ nextcloud.DB_USER | default('nextcloud') }}"
-              --database-pass "{{ nextcloud_dbpass }}"
+        --database-pass "{{ nextcloud.DB_PASSWD }}"
-              --admin-user "{{ nextcloud_admin }}"
+        --admin-user "{{ nextcloud.ADMIN_USER | default('admin') }}"
-              --admin-pass "{{ nextcloud_pass }}"'
+        --admin-pass "{{ nextcloud.ADMIN_PASSWD }}"
  register: nextcloud_install
-  when:
+  when: nextcloud_status.stderr[:26] == "Nextcloud is not installed"
-    - nextcloud_status.stdout[:26] == "Nextcloud is not installed"
+  changed_when: nextcloud_install.stdout == "Nextcloud was successfully installed"
-    - nextcloud_domain is defined
+  notify: install_nextcloud
 - name: Set Nextcloud's Trusted Proxy
  ansible.builtin.command: 'docker exec --user www-data {{ nextcloud_container }}
            php occ config:system:set trusted_proxies 0
              --value="{{ traefik_name }}"'
  when: nextcloud_install.changed
 - name: Set Nextcloud's Trusted Domain
  ansible.builtin.command: 'docker exec --user www-data {{ nextcloud_container }}
            php occ config:system:set trusted_domains 0
              --value="{{ nextcloud_domain }}"'
  when: nextcloud_install.changed
 - name: Preform Nextcloud database maintenance
  ansible.builtin.command: "docker exec --user www-data {{ nextcloud_container }} {{ item }}"
  loop:
    - "php occ maintenance:mode --on"
    - "php occ db:add-missing-indices"
    - "php occ db:convert-filecache-bigint"
    - "php occ maintenance:mode --off"
  when: nextcloud_install.changed
 - name: Install Nextcloud background jobs cron
  ansible.builtin.cron:
@@ -111,8 +64,3 @@
    minute: "*/5"
    job: "/usr/bin/docker exec -u www-data nextcloud /usr/local/bin/php -f /var/www/html/cron.php"
    user: root
 - name: Remove Nextcloud's CAN_INSTALL file
  ansible.builtin.file:
    path: "{{ nextcloud_root }}/config/CAN_INSTALL"
    state: absent
--- a/roles/proxy/defaults/main.yml
+++ b/roles/proxy/defaults/main.yml
@@ -0,0 +1 @@
 cached_dhparams_pem: /vagrant/scratch/dhparams.pem
--- a/roles/proxy/handlers/main.yml
+++ b/roles/proxy/handlers/main.yml
@@ -1,3 +1,13 @@
 - name: Enable nginx sites configuration
  ansible.builtin.file:
    src: "/etc/nginx/sites-available/{{ item.item.domain }}.conf"
    dest: "/etc/nginx/sites-enabled/{{ item.item.domain }}.conf"
    state: link
    mode: "400"
  loop: "{{ nginx_sites.results }}"
  when: item.changed
  listen: reload_nginx
 - name: Reload nginx
  ansible.builtin.service:
    name: nginx
--- a/roles/proxy/tasks/main.yml
+++ b/roles/proxy/tasks/main.yml
@@ -10,6 +10,19 @@
    state: started
    enabled: true
 - name: Check for cached dhparams.pem file
  ansible.builtin.stat:
    path: "{{ cached_dhparams_pem }}"
  register: dhparams_file
 - name: Copy cached dhparams.pem to /etc/ssl/
  ansible.builtin.copy:
    src: "{{ cached_dhparams_pem }}"
    dest: /etc/ssl/dhparams.pem
    mode: "600"
    remote_src: true
  when: dhparams_file.stat.exists
 - name: Generate DH Parameters
  community.crypto.openssl_dhparam:
    path: /etc/ssl/dhparams.pem
@@ -19,28 +32,18 @@
  ansible.builtin.template:
    src: nginx.conf.j2
    dest: /etc/nginx/nginx.conf
-    mode: 0644
+    mode: "644"
  notify: reload_nginx
 - name: Install nginx sites configuration
  ansible.builtin.template:
    src: server-nginx.conf.j2
    dest: "/etc/nginx/sites-available/{{ item.domain }}.conf"
-    mode: 0400
+    mode: "400"
  loop: "{{ proxy.servers }}"
  notify: reload_nginx
  register: nginx_sites
 - name: Enable nginx sites configuration
  ansible.builtin.file:
    src: "/etc/nginx/sites-available/{{ item.item.domain }}.conf"
    dest: "/etc/nginx/sites-enabled/{{ item.item.domain }}.conf"
    state: link
    mode: 0400
  loop: "{{ nginx_sites.results }}"
  when: item.changed
  notify: reload_nginx
 - name: Generate self-signed certificate
  ansible.builtin.command: 'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
          -subj   "/C=US/ST=Local/L=Local/O=Org/OU=IT/CN=example.com" \
@@ -61,14 +64,14 @@
  ansible.builtin.template:
    src: cloudflare.ini.j2
    dest: /root/.cloudflare.ini
-    mode: 0400
+    mode: "400"
  when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
 - name: Create nginx post renewal hook directory
  ansible.builtin.file:
    path: /etc/letsencrypt/renewal-hooks/post
    state: directory
-    mode: 0500
+    mode: "500"
  when: proxy.production is defined and proxy.production
 - name: Install nginx post renewal hook
--- a/roles/traefik/tasks/main.yml
+++ b/roles/traefik/tasks/main.yml
@@ -21,20 +21,6 @@
  loop: "{{ traefik_external }}"
  when: traefik_external is defined
 - name: Install Traefik's docker-compose file
  ansible.builtin.template:
    src: docker-compose.yml.j2
    dest: "{{ traefik_root }}/docker-compose.yml"
    mode: 0400
  notify: restart_traefik
 - name: Install Traefik's docker-compose variables
  ansible.builtin.template:
    src: compose-env.j2
    dest: "{{ traefik_root }}/.env"
    mode: 0400
  notify: restart_traefik
 - name: Install static Traefik configuration
  ansible.builtin.template:
    src: traefik.yml.j2
@@ -42,8 +28,9 @@
    mode: 0400
  notify: restart_traefik
- name: Start and enable Traefik service
+- name: Start Traefik service and enable on boot
  ansible.builtin.service:
    name: "{{ docker_compose_service }}@{{ traefik_name }}"
    state: started
    enabled: true
  when: traefik.ENABLED | default('false')
Author	SHA1	Message	Date
Kris Lamoureux	533dd40722	Upgrade Nextcloud setup to use compose files - Integrated MariaDB role into Dockerbox configuration - Moved proxy role to the end to avoid early endpoint activation - Temporarily disabled select roles for future re-evaluation - Introduced flush_handlers task for early MariaDB restart - Moved a few Nextcloud tasks to handlers - Configured Nextcloud to utilize the host's MariaDB instance - Enhanced overall code linting quality	2024-04-21 21:45:33 -04:00
Kris Lamoureux	6fbd3c53bb	Add Vagrant cache option for dhparams.pem	2024-03-26 21:51:39 -04:00
Kris Lamoureux	01e8e22c01	Prevent running 'vagrant ssh' as root Resolve possible issues with 'vagrant ssh' when executed as root	2024-03-04 23:42:40 -05:00
Kris Lamoureux	a31bf233dc	Slight message tweaks in forward-ssh.sh script	2023-12-09 13:16:46 -05:00
Kris Lamoureux	60fafed9cd	Update forward-ssh.sh script for Swarm support - Address limitations in Swarm with loopback binding - Ensure compatibility with localhost DNS wildcard A record - Enable port forwarding on 80 and 443 using VM IP for Swarm compatibility - Retain 8443:localhost:8443 for non-Swarm setups	2023-12-09 13:04:07 -05:00
Kris Lamoureux	2c00858590	Update README.md	2023-11-18 17:37:27 -05:00
Kris Lamoureux	be80681485	Add multi-machine support to forward-ssh.sh - Detects multiple private keys - Adds validation for all discovered keys - Defaults to "default" machine, with override via the first parameter	2023-11-05 21:37:33 -05:00
Kris Lamoureux	a2e60972c7	Comply with linting on proxy setup	2023-11-05 21:34:19 -05:00
Kris Lamoureux	598359854f	Update proxy role to comply with linting	2023-11-03 00:47:06 -04:00
Kris Lamoureux	ef812c1877	Add copyright notice on forward-ssh.sh	2023-11-03 00:12:12 -04:00
		`@@ -0,0 +1 @@`
							`cached_dhparams_pem: /vagrant/scratch/dhparams.pem`