Upgrade Nextcloud setup to use compose files

- Integrated MariaDB role into Dockerbox configuration
- Moved proxy role to the end to avoid early endpoint activation
- Temporarily disabled select roles for future re-evaluation
- Introduced flush_handlers task for early MariaDB restart
- Moved a few Nextcloud tasks to handlers
- Configured Nextcloud to utilize the host's MariaDB instance
- Enhanced overall code linting quality

.github/workflows/vagrant.yml

@@ -3,9 +3,8 @@ name: homelab-ci
 on:
   push:
     branches:
-      - github_actions
+      - main
-      # - main
+      - testing
-      # - testing
 
 jobs:
   homelab-ci:

.gitignore

@@ -1,5 +1,4 @@
-.ansible*
-/environments/
 .playbook
 .vagrant*
 .vscode
+/environments/

dev/host_vars/dockerbox.yml

@@ -4,12 +4,8 @@ manage_network: false
 
 # Import my GPG key for git signature verification
 root_gpgkeys:
-  - name: kris@lamoureux.io
-    id: 42A3A92C5DA0F3E5F71A3710105B748C1362EB96
-  # Older key, but still in use
   - name: kris@lamoureux.io
     id: FBF673CEEC030F8AECA814E73EDA9C3441EDA925
-    server: keyserver.ubuntu.com
 
 # proxy
 proxy:
@@ -37,7 +33,7 @@ docker_compose_deploy:
   # Nextcloud
   - name: nextcloud
     url: https://github.com/krislamo/nextcloud
-    version: fe6d349749f178e91ae7ff726d557f48ebf84356
+    version: 0abc5cc6ba64ed94b7ddc6fd934f0fd62b8a6d11
     env:
       DATA: ./data
 

playbooks/docker.yml

@@ -4,5 +4,4 @@
   roles:
     - base
     - jenkins
-    - proxy
     - docker

playbooks/dockerbox.yml

@@ -3,9 +3,9 @@
   become: true
   roles:
     - base
-    - jenkins
     - docker
-    - mariadb
     - traefik
     - nextcloud
-    - proxy
+    - jenkins
+    - prometheus
+    - nginx

roles/base/tasks/samba.yml

@@ -26,7 +26,7 @@
   ansible.builtin.template:
     src: smb.conf.j2
     dest: /etc/samba/smb.conf
-    mode: "644"
+    mode: "700"
   notify: restart_samba
 
 - name: Start smbd and enable on boot

roles/base/tasks/system.yml

@@ -80,10 +80,8 @@
     state: present
     uid: "{{ item.value.uid }}"
     group: "{{ item.value.gid }}"
-    groups: "{{ item.value.groups | default([]) }}"
     shell: "{{ item.value.shell | default('/bin/bash') }}"
     create_home: "{{ item.value.home | default(false) }}"
-    home: "{{ item.value.homedir | default('/home/' + item.key) }}"
     system: "{{ item.value.system | default(false) }}"
   loop: "{{ users | dict2items }}"
   loop_control:

roles/base/tasks/wireguard.yml

@@ -18,28 +18,6 @@
     src: /etc/wireguard/privatekey
   register: wgkey
 
-- name: Check if WireGuard preshared key file exists
-  ansible.builtin.stat:
-    path: /etc/wireguard/presharedkey-{{ item.name }}
-  loop: "{{ wireguard.peers }}"
-  loop_control:
-    label: "{{ item.name }}"
-  register: presharedkey_files
-
-- name: Grab WireGuard preshared key for configuration
-  ansible.builtin.slurp:
-    src: /etc/wireguard/presharedkey-{{ item.item.name }}
-  register: wgshared
-  loop: "{{ presharedkey_files.results }}"
-  loop_control:
-    label: "{{ item.item.name }}"
-  when: item.stat.exists
-
-- name: Grab WireGuard private key for configuration
-  ansible.builtin.slurp:
-    src: /etc/wireguard/privatekey
-  register: wgkey
-
 - name: Install WireGuard configuration
   ansible.builtin.template:
     src: wireguard.j2

roles/base/templates/wireguard.j2

@@ -1,6 +1,4 @@
-# {{ ansible_managed }}
+[Interface]
-
-[Interface] # {{ ansible_hostname }}
 PrivateKey = {{ wgkey['content'] | b64decode | trim }}
 Address = {{ wireguard.address }}
 {% if wireguard.listenport is defined %}
@@ -8,26 +6,8 @@ ListenPort = {{ wireguard.listenport }}
 {% endif %}
 
 {% for peer in wireguard.peers %}
-{% if peer.name is defined %}
-[Peer] # {{ peer.name }}
-{% else %}
 [Peer]
-{% endif %}
 PublicKey = {{ peer.publickey }}
-{% if peer.presharedkey is defined %}
-PresharedKey = {{ peer.presharedkey }}
-{% else %}
-{% set preshared_key = (
-    wgshared.results
-    | selectattr('item.item.name', 'equalto', peer.name)
-    | first
-  ).content
-  | default(none)
-%}
-{% if preshared_key is not none %}
-PresharedKey = {{ preshared_key | b64decode | trim }}
-{% endif %}
-{% endif %}
 {% if peer.endpoint is defined %}
 Endpoint = {{ peer.endpoint }}
 {% endif %}

roles/docker/tasks/main.yml

@@ -24,21 +24,15 @@
 
 - name: Install/uninstall Docker from Debian repositories
   ansible.builtin.apt:
-    name: ["docker.io", "docker-compose", "containerd", "runc"]
+    name: ['docker.io', 'docker-compose', 'containerd', 'runc']
     state: "{{ 'absent' if docker_official else 'present' }}"
     autoremove: true
     update_cache: true
 
 - name: Install/uninstall Docker from Docker repositories
   ansible.builtin.apt:
-    name:
+    name: ['docker-ce', 'docker-ce-cli', 'containerd.io',
-      [
+           'docker-buildx-plugin', 'docker-compose-plugin']
-        "docker-ce",
-        "docker-ce-cli",
-        "containerd.io",
-        "docker-buildx-plugin",
-        "docker-compose-plugin",
-      ]
     state: "{{ 'present' if docker_official else 'absent' }}"
     autoremove: true
     update_cache: true
@@ -141,6 +135,14 @@
     label: "{{ item.name }}"
   when: docker_compose_deploy is defined and item.env is defined
 
+- name: Add users to docker group
+  ansible.builtin.user:
+    name: "{{ item }}"
+    groups: docker
+    append: true
+  loop: "{{ docker_users }}"
+  when: docker_users is defined
+
 - name: Start Docker and enable on boot
   ansible.builtin.service:
     name: docker

roles/jellyfin/templates/docker-compose.yml.j2

@@ -15,7 +15,7 @@ services:
     networks:
       - traefik
     labels:
-      - "traefik.http.routers.{{ jellyfin_router }}.rule=Host({{ jellyfin_domains }})"
+      - "traefik.http.routers.{{ jellyfin_router }}.rule=Host(`{{ jellyfin_domain }}`)"
 {% if traefik_http_only %}
       - "traefik.http.routers.{{ jellyfin_router }}.entrypoints=web"
 {% else %}

roles/proxy/tasks/main.yml

@@ -45,11 +45,10 @@
   register: nginx_sites
 
 - name: Generate self-signed certificate
-  ansible.builtin.command:
+  ansible.builtin.command: 'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
-    'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
+          -subj   "/C=US/ST=Local/L=Local/O=Org/OU=IT/CN=example.com" \
-    -subj   "/C=US/ST=Local/L=Local/O=Org/OU=IT/CN=example.com" \
+          -keyout /etc/ssl/private/nginx-selfsigned.key \
-    -keyout /etc/ssl/private/nginx-selfsigned.key \
+          -out    /etc/ssl/certs/nginx-selfsigned.crt'
-    -out    /etc/ssl/certs/nginx-selfsigned.crt'
   args:
     creates: /etc/ssl/certs/nginx-selfsigned.crt
   when: proxy.production is not defined or not proxy.production
@@ -57,22 +56,15 @@
 
 - name: Install LE's certbot
   ansible.builtin.apt:
-    name: ["certbot", "python3-certbot-dns-cloudflare"]
+    name: ['certbot', 'python3-certbot-dns-cloudflare']
     state: present
   when: proxy.production is defined and proxy.production
 
-- name: Grab Cloudflare API token for configuration
-  ansible.builtin.slurp:
-    src: /root/.cloudflare-api
-  register: cfapi
-  when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
-
 - name: Install Cloudflare API token
   ansible.builtin.template:
     src: cloudflare.ini.j2
     dest: /root/.cloudflare.ini
     mode: "400"
-  diff: false
   when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
 
 - name: Create nginx post renewal hook directory
@@ -86,19 +78,19 @@
   ansible.builtin.copy:
     src: reload-nginx.sh
     dest: /etc/letsencrypt/renewal-hooks/post/reload-nginx.sh
-    mode: "0755"
+    mode: '0755'
   when: proxy.production is defined and proxy.production
 
 - name: Run Cloudflare DNS-01 challenges on wildcard domains
   ansible.builtin.shell: '/usr/bin/certbot certonly \
-    --non-interactive \
+            --non-interactive \
-    --agree-tos \
+            --agree-tos \
-    --email "{{ proxy.dns_cloudflare.email }}" \
+            --email "{{ proxy.dns_cloudflare.email }}" \
-    --dns-cloudflare \
+            --dns-cloudflare \
-    --dns-cloudflare-credentials /root/.cloudflare.ini \
+            --dns-cloudflare-credentials /root/.cloudflare.ini \
-    -d "*.{{ item }}" \
+            -d "*.{{ item }}" \
-    -d "{{ item }}" \
+            -d "{{ item }}" \
-    {{ proxy.dns_cloudflare.opts | default("") }}'
+            {{ proxy.dns_cloudflare.opts | default("") }}'
   args:
     creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem"
   loop: "{{ proxy.dns_cloudflare.wildcard_domains }}"

roles/proxy/templates/cloudflare.ini.j2

@@ -1,2 +1,2 @@
 # Cloudflare API token used by Certbot
-dns_cloudflare_api_token = {{ cfapi['content'] | b64decode | trim }}
+dns_cloudflare_api_token = {{ proxy.dns_cloudflare.api_token }}

roles/proxy/templates/server-nginx.conf.j2

@@ -28,20 +28,14 @@ server {
   ssl_certificate     /etc/ssl/certs/nginx-selfsigned.crt;
   ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
 {% endif %}
+{% if item.hsts is defined %}
+  add_header Strict-Transport-Security "max-age={{ item.hsts }}" always;
+{% endif %}
 {% if item.client_max_body_size is defined %}
   client_max_body_size {{ item.client_max_body_size }};
 {% endif %}
   location / {
-{% if item.hsts is defined %}
+{% if item.restrict is defined and item.restrict  %}
-    add_header Strict-Transport-Security "max-age={{ item.hsts }}" always;
-{% endif %}
-{% if item.allowedips is defined %}
-{% for ip in item.allowedips %}
-    allow {{ ip }};
-{% endfor %}
-    deny all;
-{% endif %}
-{% if item.restrict is defined and item.restrict %}
     auth_basic "{{ item.restrict_name | default('Restricted Access') }}";
     auth_basic_user_file {{ item.restrict_file | default('/etc/nginx/.htpasswd') }};
     proxy_set_header Authorization "";
@@ -49,7 +43,6 @@ server {
     proxy_set_header Host $host;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto $scheme;
     proxy_pass {{ item.proxy_pass }};
 {% if item.proxy_ssl_verify is defined and item.proxy_ssl_verify is false %}
     proxy_ssl_verify off;