testing

- Integrated MariaDB role into Dockerbox configuration
- Moved proxy role to the end to avoid early endpoint activation
- Temporarily disabled select roles for future re-evaluation
- Introduced flush_handlers task for early MariaDB restart
- Moved a few Nextcloud tasks to handlers
- Configured Nextcloud to utilize the host's MariaDB instance
- Enhanced overall code linting quality

.github/workflows/vagrant.yml

@@ -8,11 +8,17 @@ on:
 
 jobs:
   homelab-ci:
-    runs-on: macos-latest
+    runs-on: macos-13
 
     steps:
       - uses: actions/checkout@v3
 
+      - name: Setup tmate session
+        uses: mxschmitt/action-tmate@v3
+        with:
+          detached: true
+          limit-access-to-actor: true
+
       - name: Cache Vagrant boxes
         uses: actions/cache@v3
         with:
@@ -21,19 +27,23 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-vagrant-
 
+      - name: Install Tools
+        run: brew install nmap tree
+
+      - name: Install VirtualBox
+        run: brew install --cask virtualbox
+
+      - name: Install Vagrant
+        run: brew install --cask vagrant
+
       - name: Install Ansible
-        run: brew install ansible@7
+        run: brew install ansible
 
       - name: Software Versions
         run: |
-          printf "VirtualBox "
+          printf "VirtualBox "; vboxmanage --version
-          vboxmanage --version
           vagrant --version
-          export PATH="/usr/local/opt/ansible@7/bin:$PATH"
           ansible --version
 
       - name: Vagrant Up with Dockerbox Playbook
-        run: |
+        run: ./scripts/github-vagrant.sh
-          export PATH="/usr/local/opt/ansible@7/bin:$PATH"
-          PLAYBOOK=dockerbox vagrant up
-          vagrant ssh -c "docker ps"

Vagrantfile

@@ -36,6 +36,7 @@ Vagrant.configure("2") do |config|
   config.vm.provider :virtualbox do |vbox|
     vbox.cpus   = VAGRANT_CPUS
     vbox.memory = VAGRANT_MEM
+    vbox.gui    = true
   end
 
   # Provision with Ansible
@@ -43,6 +44,6 @@ Vagrant.configure("2") do |config|
     ENV['ANSIBLE_ROLES_PATH'] = File.dirname(__FILE__) + "/roles"
     ansible.compatibility_mode = "2.0"
     ansible.playbook = "dev/" + PLAYBOOK + ".yml"
-    ansible.raw_arguments = ["--diff"]
+    ansible.raw_arguments = ["--diff", "-vvvv"]
   end
 end

dev/dockerbox.yml

@@ -6,8 +6,7 @@
   roles:
     - base
     - docker
+    - mariadb
     - traefik
     - nextcloud
-    - jenkins
+    - proxy
-    - prometheus
-    - nginx

dev/host_vars/dockerbox.yml

@@ -2,44 +2,47 @@
 allow_reboot: false
 manage_network: false
 
+# Import my GPG key for git signature verification
+root_gpgkeys:
+  - name: kris@lamoureux.io
+    id: FBF673CEEC030F8AECA814E73EDA9C3441EDA925
+
+# proxy
+proxy:
+  servers:
+    - domain: cloud.local.krislamo.org
+      proxy_pass: http://127.0.0.1:8000
+
 # docker
+docker_official: true # docker's apt repos
 docker_users:
   - vagrant
 
+docker_compose_env_nolog: false # dev only setting
+docker_compose_deploy:
+  # Traefik
+  - name: traefik
+    url: https://github.com/krislamo/traefik
+    version: d62bd06b37ecf0993962b0449a9d708373f9e381
+    enabled: true
+    accept_newhostkey: true # Consider verifying manually instead
+    trusted_keys:
+      - FBF673CEEC030F8AECA814E73EDA9C3441EDA925
+    env:
+      DASHBOARD: true
+  # Nextcloud
+  - name: nextcloud
+    url: https://github.com/krislamo/nextcloud
+    version: fe6d349749f178e91ae7ff726d557f48ebf84356
+    env:
+      DATA: ./data
+
 # traefik
-traefik_version: latest
+traefik:
-traefik_dashboard: true
+  ENABLE: true
-traefik_domain: traefik.local.krislamo.org
-traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
-traefik_web_entry: 0.0.0.0:80
-traefik_websecure_entry: 0.0.0.0:443
-#traefik_acme_email: realemail@example.com # Let's Encrypt settings
-#traefik_production: true
-#traefik_http_only: true # if behind reverse-proxy
 
 # nextcloud
-nextcloud_version: stable
+nextcloud:
-nextcloud_admin: admin
+  DOMAIN: cloud.local.krislamo.org
-nextcloud_pass: password
+  DB_PASSWD: password
-nextcloud_domain: cloud.local.krislamo.org
+  ADMIN_PASSWD: password
-
-nextcloud_dbversion: latest
-nextcloud_dbpass: password
-
-# jenkins
-jenkins_version: lts
-jenkins_domain: jenkins.local.krislamo.org
-
-# prometheus (includes grafana)
-prom_version: latest
-prom_domain: prom.local.krislamo.org
-grafana_version: latest
-grafana_domain: grafana.local.krislamo.org
-prom_targets: "['10.0.2.15:9100']"
-
-# nginx
-nginx_domain: nginx.local.krislamo.org
-nginx_name: staticsite
-nginx_repo_url: https://git.krislamo.org/kris/example-website/
-nginx_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
-nginx_version: latest

roles/mariadb/tasks/main.yml

@@ -17,6 +17,10 @@
     line: "bind-address            = {{ ansible_facts.docker0.ipv4.address }}"
   notify: restart_mariadb
 
+- name: Flush handlers to ensure MariaDB restarts immediately
+  ansible.builtin.meta: flush_handlers
+  tags: restart_mariadb
+
 - name: Allow database connections from Docker
   community.general.ufw:
     rule: allow

roles/nextcloud/defaults/main.yml

@@ -1,11 +1 @@
-# container names
+nextcloud_name: nextcloud
-nextcloud_container: nextcloud
-nextcloud_dbcontainer: "{{ nextcloud_container }}-db"
-
-# database settings
-nextcloud_dbname: "{{ nextcloud_container }}"
-nextcloud_dbuser: "{{ nextcloud_dbname }}"
-
-# host mounts
-nextcloud_root: "/opt/{{ nextcloud_container }}/public_html"
-nextcloud_dbroot: "/opt/{{ nextcloud_container }}/database"

roles/nextcloud/handlers/main.yml

@@ -0,0 +1,25 @@
+- name: Set Nextcloud's Trusted Proxy
+  ansible.builtin.command: >
+    docker exec --user www-data "{{ nextcloud_name }}"
+      php occ config:system:set trusted_proxies 0 --value="{{ traefik_name }}"
+  register: nextcloud_trusted_proxy
+  changed_when: "nextcloud_trusted_proxy.stdout == 'System config value trusted_proxies => 0 set to string ' ~ traefik_name"
+  listen: install_nextcloud
+
+- name: Set Nextcloud's Trusted Domain
+  ansible.builtin.command: >
+    docker exec --user www-data "{{ nextcloud_name }}"
+      php occ config:system:set trusted_domains 0 --value="{{ nextcloud.DOMAIN }}"
+  register: nextcloud_trusted_domains
+  changed_when: "nextcloud_trusted_domains.stdout == 'System config value trusted_domains => 0 set to string ' ~ nextcloud.DOMAIN"
+  listen: install_nextcloud
+
+- name: Preform Nextcloud database maintenance
+  ansible.builtin.command: >
+    docker exec --user www-data "{{ nextcloud_name }}" {{ item }}
+  loop:
+    - "php occ maintenance:mode --on"
+    - "php occ db:add-missing-indices"
+    - "php occ db:convert-filecache-bigint"
+    - "php occ maintenance:mode --off"
+  listen: install_nextcloud

roles/nextcloud/tasks/main.yml

@@ -1,109 +1,62 @@
-- name: Create Nextcloud network
+- name: Install MySQL module for Ansible
-  community.general.docker_network:
+  ansible.builtin.apt:
-    name: "{{ nextcloud_container }}"
+    name: python3-pymysql
+    state: present
 
-- name: Start Nextcloud's database container
+- name: Create Nextcloud database
-  community.general.docker_container:
+  community.mysql.mysql_db:
-    name: "{{ nextcloud_dbcontainer }}"
+    name: "{{ nextcloud.DB_NAME | default('nextcloud') }}"
-    image: mariadb:{{ nextcloud_dbversion }}
+    state: present
+    login_unix_socket: /var/run/mysqld/mysqld.sock
+
+- name: Create Nextcloud database user
+  community.mysql.mysql_user:
+    name: "{{ nextcloud.DB_USER | default('nextcloud') }}"
+    password: "{{ nextcloud.DB_PASSWD }}"
+    host: '%'
+    state: present
+    priv: "{{ nextcloud.DB_NAME | default('nextcloud') }}.*:ALL"
+    login_unix_socket: /var/run/mysqld/mysqld.sock
+
+- name: Start Nextcloud service and enable on boot
+  ansible.builtin.service:
+    name: "{{ docker_compose_service }}@{{ nextcloud_name }}"
     state: started
-    restart_policy: always
+    enabled: true
-    volumes: "{{ nextcloud_dbroot }}:/var/lib/mysql"
+  when: nextcloud.ENABLE | default('false')
-    networks_cli_compatible: true
-    networks:
-      - name: "{{ nextcloud_container }}"
-    env:
-      MYSQL_RANDOM_ROOT_PASSWORD: "true"
-      MYSQL_DATABASE: "{{ nextcloud_dbname }}"
-      MYSQL_USER: "{{ nextcloud_dbuser }}"
-      MYSQL_PASSWORD: "{{ nextcloud_dbpass }}"
-
-- name: Start Nextcloud container
-  community.general.docker_container:
-    name: "{{ nextcloud_container }}"
-    image: nextcloud:{{ nextcloud_version }}
-    state: started
-    restart_policy: always
-    volumes: "{{ nextcloud_root }}:/var/www/html"
-    networks_cli_compatible: true
-    networks:
-      - name: "{{ nextcloud_container }}"
-      - name: traefik
-    env:
-      PHP_MEMORY_LIMIT: 1024M
-    labels:
-      traefik.http.routers.nextcloud.rule: "Host(`{{ nextcloud_domain }}`)"
-      traefik.http.routers.nextcloud.entrypoints: websecure
-      traefik.http.routers.nextcloud.tls.certresolver: letsencrypt
-      traefik.http.routers.nextcloud.middlewares: "securehttps@file,nextcloud-webdav"
-      traefik.http.middlewares.nextcloud-webdav.redirectregex.regex: "https://(.*)/.well-known/(card|cal)dav"
-      traefik.http.middlewares.nextcloud-webdav.redirectregex.replacement: "https://${1}/remote.php/dav/"
-      traefik.http.middlewares.nextcloud-webdav.redirectregex.permanent: "true"
-      traefik.docker.network: traefik
-      traefik.enable: "true"
-
-- name: Grab Nextcloud database container information
-  community.general.docker_container_info:
-    name: "{{ nextcloud_dbcontainer }}"
-  register: nextcloud_dbinfo
 
 - name: Grab Nextcloud container information
   community.general.docker_container_info:
-    name: "{{ nextcloud_container }}"
+    name: "{{ nextcloud_name }}"
   register: nextcloud_info
 
 - name: Wait for Nextcloud to become available
   ansible.builtin.wait_for:
     host: "{{ nextcloud_info.container.NetworkSettings.Networks.traefik.IPAddress }}"
+    delay: 10
     port: 80
 
 - name: Check Nextcloud status
-  ansible.builtin.command: "docker exec --user www-data {{ nextcloud_container }}
+  ansible.builtin.command: >
-            php occ status"
+    docker exec --user www-data "{{ nextcloud_name }}" php occ status
   register: nextcloud_status
-  args:
+  changed_when: false
-    removes: "{{ nextcloud_root }}/config/CAN_INSTALL"
-
-- name: Wait for Nextcloud database to become available
-  ansible.builtin.wait_for:
-    host: "{{ nextcloud_dbinfo.container.NetworkSettings.Networks.nextcloud.IPAddress }}"
-    port: 3306
 
 - name: Install Nextcloud
-  ansible.builtin.command: 'docker exec --user www-data {{ nextcloud_container }}
+  ansible.builtin.command: >
+    docker exec --user www-data {{ nextcloud_name }}
       php occ maintenance:install
         --database "mysql"
-              --database-host "{{ nextcloud_dbcontainer }}"
+        --database-host "{{ nextcloud.DB_HOST | default('host.docker.internal') }}"
-              --database-name "{{ nextcloud_dbname }}"
+        --database-name "{{ nextcloud.DB_NAME | default('nextcloud') }}"
-              --database-user "{{ nextcloud_dbuser }}"
+        --database-user "{{ nextcloud.DB_USER | default('nextcloud') }}"
-              --database-pass "{{ nextcloud_dbpass }}"
+        --database-pass "{{ nextcloud.DB_PASSWD }}"
-              --admin-user "{{ nextcloud_admin }}"
+        --admin-user "{{ nextcloud.ADMIN_USER | default('admin') }}"
-              --admin-pass "{{ nextcloud_pass }}"'
+        --admin-pass "{{ nextcloud.ADMIN_PASSWD }}"
   register: nextcloud_install
-  when:
+  when: nextcloud_status.stderr[:26] == "Nextcloud is not installed"
-    - nextcloud_status.stdout[:26] == "Nextcloud is not installed"
+  changed_when: nextcloud_install.stdout == "Nextcloud was successfully installed"
-    - nextcloud_domain is defined
+  notify: install_nextcloud
-
-- name: Set Nextcloud's Trusted Proxy
-  ansible.builtin.command: 'docker exec --user www-data {{ nextcloud_container }}
-            php occ config:system:set trusted_proxies 0
-              --value="{{ traefik_name }}"'
-  when: nextcloud_install.changed
-
-- name: Set Nextcloud's Trusted Domain
-  ansible.builtin.command: 'docker exec --user www-data {{ nextcloud_container }}
-            php occ config:system:set trusted_domains 0
-              --value="{{ nextcloud_domain }}"'
-  when: nextcloud_install.changed
-
-- name: Preform Nextcloud database maintenance
-  ansible.builtin.command: "docker exec --user www-data {{ nextcloud_container }} {{ item }}"
-  loop:
-    - "php occ maintenance:mode --on"
-    - "php occ db:add-missing-indices"
-    - "php occ db:convert-filecache-bigint"
-    - "php occ maintenance:mode --off"
-  when: nextcloud_install.changed
 
 - name: Install Nextcloud background jobs cron
   ansible.builtin.cron:
@@ -111,8 +64,3 @@
     minute: "*/5"
     job: "/usr/bin/docker exec -u www-data nextcloud /usr/local/bin/php -f /var/www/html/cron.php"
     user: root
-
-- name: Remove Nextcloud's CAN_INSTALL file
-  ansible.builtin.file:
-    path: "{{ nextcloud_root }}/config/CAN_INSTALL"
-    state: absent

roles/proxy/defaults/main.yml

@@ -0,0 +1 @@
+cached_dhparams_pem: /vagrant/scratch/dhparams.pem

roles/proxy/tasks/main.yml

@@ -10,6 +10,19 @@
     state: started
     enabled: true
 
+- name: Check for cached dhparams.pem file
+  ansible.builtin.stat:
+    path: "{{ cached_dhparams_pem }}"
+  register: dhparams_file
+
+- name: Copy cached dhparams.pem to /etc/ssl/
+  ansible.builtin.copy:
+    src: "{{ cached_dhparams_pem }}"
+    dest: /etc/ssl/dhparams.pem
+    mode: "600"
+    remote_src: true
+  when: dhparams_file.stat.exists
+
 - name: Generate DH Parameters
   community.crypto.openssl_dhparam:
     path: /etc/ssl/dhparams.pem

roles/traefik/tasks/main.yml

@@ -21,20 +21,6 @@
   loop: "{{ traefik_external }}"
   when: traefik_external is defined
 
-- name: Install Traefik's docker-compose file
-  ansible.builtin.template:
-    src: docker-compose.yml.j2
-    dest: "{{ traefik_root }}/docker-compose.yml"
-    mode: 0400
-  notify: restart_traefik
-
-- name: Install Traefik's docker-compose variables
-  ansible.builtin.template:
-    src: compose-env.j2
-    dest: "{{ traefik_root }}/.env"
-    mode: 0400
-  notify: restart_traefik
-
 - name: Install static Traefik configuration
   ansible.builtin.template:
     src: traefik.yml.j2
@@ -42,8 +28,9 @@
     mode: 0400
   notify: restart_traefik
 
-- name: Start and enable Traefik service
+- name: Start Traefik service and enable on boot
   ansible.builtin.service:
     name: "{{ docker_compose_service }}@{{ traefik_name }}"
     state: started
     enabled: true
+  when: traefik.ENABLED | default('false')

scripts/github-vagrant.sh

@@ -0,0 +1,45 @@
+#!/bin/bash
+
+# Defaults
+TIMEOUT=600
+ELAPSED=0
+INITIAL_SLEEP=60
+SLEEP_DURATION=30
+SSH_AVAILABLE=0
+DEBUG_ID="[homelab-ci]"
+
+# Run Vagrant Up in the background
+PLAYBOOK=dockerbox vagrant up &
+VAGRANT_UP_PID=$!
+
+# Initial delay
+echo "$DEBUG_ID Waiting for VM to start..."
+sleep $INITIAL_SLEEP
+
+# Loop until timeout or breaks
+while [[ $ELAPSED -lt $TIMEOUT ]]; do
+	VAGRANT_SSH_CONFIG=$(mktemp)
+	vagrant ssh-config > "$VAGRANT_SSH_CONFIG"
+	echo "$DEBUG_ID SSH config at $VAGRANT_SSH_CONFIG"
+	cat "$VAGRANT_SSH_CONFIG"
+	echo "$DEBUG_ID Vagrant status"
+	vagrant status
+
+	# SSH attempt
+	set -x
+	ssh -vvv -F "$VAGRANT_SSH_CONFIG" default 'cat /etc/os-release' && set +x; break \
+	|| echo "$DEBUG_ID SSH connection failed, retrying in $SLEEP_DURATION seconds..."
+	set +x
+
+	# Sleep and start again
+	sleep $SLEEP_DURATION
+	((ELAPSED+=SLEEP_DURATION))
+done
+
+# Success?
+if [[ $SSH_AVAILABLE -ne 1 ]]; then
+	echo "$DEBUG_ID Timeout reached without successful SSH connection."
+fi
+
+# Ensure the Vagrant up process completes
+wait $VAGRANT_UP_PID