Introduce Nextcloud role and deploy Cloud on Chaosknoten

Co-authored-by: Max <max@mlem.cloud>

playbooks/roles/nextcloud/README.md

@@ -0,0 +1,11 @@
+# Role `nextcloud`
+
+A role for deploying Nextcloud.
+
+Note: PostgreSQL upgrades need manual migration steps.
+
+## Links & Resources
+
+- <https://github.com/nextcloud/docker>
+- <https://docs.nextcloud.com/server/latest/admin_manual/index.html>
+- <https://github.com/nextcloud/docker/tree/master/.examples/dockerfiles/cron/apache>

playbooks/roles/nextcloud/defaults/main.yaml

@@ -0,0 +1,5 @@
+nextcloud__nginx_version_spec: ""
+nextcloud__certbot_version_spec: ""
+nextcloud__extra_configuration: ""
+nextcloud__use_custom_new_user_skeleton: false
+nextcloud__custom_new_user_skeleton_directory: ""

playbooks/roles/nextcloud/files/supervisord.conf

@@ -0,0 +1,22 @@
+[supervisord]
+nodaemon=true
+logfile=/var/log/supervisord/supervisord.log
+pidfile=/var/run/supervisord/supervisord.pid
+childlogdir=/var/log/supervisord/
+logfile_maxbytes=50MB                           ; maximum size of logfile before rotation
+logfile_backups=10                              ; number of backed up logfiles
+loglevel=error
+
+[program:apache2]
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+command=apache2-foreground
+
+[program:cron]
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+command=/cron.sh

playbooks/roles/nextcloud/meta/argument_specs.yaml

@@ -0,0 +1,63 @@
+argument_specs:
+  main:
+    options:
+      nextcloud__version:
+        description: The version label to use for the Nextcloud Docker image.
+        type: str
+        required: true
+      nextcloud__postgres_version:
+        description: The version label to use for the PostgreSQL Docker image.
+        type: str
+        required: true
+      nextcloud__nginx_version_spec:
+        description: The version spec. to pass to nginx to use for the nginx version spec.
+        type: str
+        required: false
+        default: ""
+      nextcloud__certbot_version_spec:
+        description: The version spec. to pass to certbot to use for the certbot version spec.
+        type: str
+        required: false
+        default: ""
+      nextcloud__fqdn:
+        description: The FQDN to use for Nextcloud.
+        type: str
+        required: true
+      nextcloud__data_dir:
+        description: The directory where to store the Nextcloud data.
+        type: str
+        required: true
+      nextcloud__admin_password:
+        description: The password to use for the Admin user.
+        type: str
+        required: true
+      nextcloud__extra_configuration:
+        description: Additional nextcloud configuration.
+        type: str
+        required: false
+        default: ""
+      nextcloud__use_custom_new_user_skeleton:
+        description: >-
+          Enable to make use of the given custom new user skeleton directory.
+        type: bool
+        required: false
+        default: false
+      nextcloud__custom_new_user_skeleton_directory:
+        description: >-
+          Path of to a custom new user skeleton directory to be used by this
+          role via ansible.builtin.copy.
+        type: str
+        required: false
+        default: ""
+      nextcloud__postgres_password:
+        description: The password to use for the nextcloud PostgreSQL user.
+        type: str
+        required: true
+      nextcloud__proxy_protocol_reverse_proxy_ip:
+        description: The IP of the reverse proxy to do proxy protocol with.
+        type: str
+        required: true
+      nextcloud__certbot_acme_account_email_address:
+        description: The E-Mail address to pass to certbot to use for the ACME account.
+        type: str
+        required: true

playbooks/roles/nextcloud/meta/main.yaml

@@ -0,0 +1,18 @@
+---
+dependencies:
+  - role: certbot
+    vars:
+      certbot__version_spec: "{{ nextcloud__certbot_version_spec }}"
+      certbot__acme_account_email_address: "{{ nextcloud__certbot_acme_account_email_address }}"
+      certbot__certificate_domains:
+        - "{{ nextcloud__fqdn }}"
+  - role: nginx
+    vars:
+      nginx__version_spec: "{{ nextcloud__nginx_version_spec }}"
+      nginx__configurations: 
+        - name: "{{ nextcloud__fqdn }}"
+          content: "{{ lookup('ansible.builtin.template', 'nginx_nextcloud.conf.j2') }}"
+  - role: docker_compose
+    vars:
+      docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'compose.yaml.j2') }}"
+      docker_compose__configuration_files: []

playbooks/roles/nextcloud/tasks/main.yaml

@@ -1,9 +1,58 @@
 ---
-- name: Nextcloud config
+- name: wait for existence of config directory
+  ansible.builtin.wait_for:
+    path: /ansible_docker_compose/nextcloud_var_www_html/config
+    state: present
   become: true
+
+- name: extra Nextcloud configuration
   ansible.builtin.copy:
-    content: "{{ nextcloud__config_php }}"
-    dest: "/data/docker/volumes/nextcloud/config/config.php"
+    content: "{{ nextcloud__extra_configuration }}"
+    dest: /ansible_docker_compose/nextcloud_var_www_html/config/ansible_nextcloud_extra_config.config.php
     mode: "0644"
     owner: www-data
     group: www-data
+  become: true
+
+- name: fail, if nextcloud__use_custom_new_user_skeleton is set, but nextcloud__custom_new_user_skeleton_directory isn't
+  ansible.builtin.fail:
+    msg: If you set nextcloud__use_custom_new_user_skeleton, you also need to set nextcloud__custom_new_user_skeleton_directory.
+  when: nextcloud__use_custom_new_user_skeleton and nextcloud__custom_new_user_skeleton_directory == ""
+
+- name: ensure custom new user skeleton
+  when: nextcloud__use_custom_new_user_skeleton
+  block:
+    - name: ensure `rsync` package is installed
+      ansible.builtin.apt:
+        name: rsync
+        state: present
+      become: true
+
+    - name: ensure custom new user skeleton directory
+      ansible.posix.synchronize:
+        src: "{{ nextcloud__custom_new_user_skeleton_directory }}"
+        dest: /ansible_docker_compose/custom_new_user_skeleton
+        delete: true
+        recursive: true
+        use_ssh_args: true
+      become: true
+
+    - name: ensure custom new user skeleton config
+      ansible.builtin.copy:
+        content: |
+          <?php
+          $CONFIG = array (
+              'skeletondirectory' => '/custom_new_user_skeleton'
+          );
+        dest: /ansible_docker_compose/nextcloud_var_www_html/config/ansible_nextcloud_custom_new_user_skeleton.config.php
+        mode: "0644"
+        owner: www-data
+        group: www-data
+      become: true
+
+- name: ensure absence of custom new user skeleton config
+  ansible.builtin.file:
+    path: /ansible_docker_compose/nextcloud_var_www_html/config/ansible_nextcloud_custom_new_user_skeleton.config.php
+    state: absent
+  become: true
+  when: not nextcloud__use_custom_new_user_skeleton

playbooks/roles/nextcloud/templates/compose.yaml.j2

@@ -0,0 +1,83 @@
+---
+version: "3.6"
+
+services:
+  nextcloud:
+    build:
+      context: .
+      # Use the following example for adding cron:
+      # https://github.com/nextcloud/docker/tree/master/.examples/dockerfiles/cron/apache
+      dockerfile_inline: |
+        FROM nextcloud:{{ nextcloud__version }}
+
+        RUN apt-get update && apt-get install -y \
+            supervisor \
+          && rm -rf /var/lib/apt/lists/* \
+          && mkdir /var/log/supervisord /var/run/supervisord
+
+        RUN cat <<EOF > /supervisord.conf
+{% filter indent(width=8) %}
+        {{ lookup('ansible.builtin.file', 'supervisord.conf') }}
+{% endfilter %}
+        EOF
+
+        ENV NEXTCLOUD_UPDATE=1
+
+        CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
+    restart: unless-stopped
+    ports:
+      - "8080:80"
+    # This is a hotfix until we have a new mail setup and this also really
+    # doesn't belong into this role, but whatever, it works for now and it's not
+    # like anyone else really uses this role (or would be bothered by this
+    # really).
+    extra_hosts:
+      - "send-only-mailserver.ccchh.net:185.161.129.132"
+    depends_on:
+      - db
+      - redis
+    networks:
+      - nextcloud
+    volumes:
+{% if nextcloud__use_custom_new_user_skeleton %}
+      - "./custom_new_user_skeleton:/custom_new_user_skeleton"
+{% endif %}
+      - "./nextcloud_var_www_html:/var/www/html"
+      - "{{ nextcloud__data_dir }}:/var/www/html/data"
+    environment:
+      POSTGRES_HOST: db
+      POSTGRES_DB: nextcloud
+      POSTGRES_USER: nextcloud
+      POSTGRES_PASSWORD: "{{ nextcloud__postgres_password }}"
+      NEXTCLOUD_ADMIN_USER: admin
+      NEXTCLOUD_ADMIN_PASSWORD: "{{ nextcloud__admin_password }}"
+      REDIS_HOST: redis
+      NEXTCLOUD_TRUSTED_DOMAINS: "{{ nextcloud__fqdn }}"
+      # See here: https://github.com/nextcloud/docker#using-the-apache-image-behind-a-reverse-proxy-and-auto-configure-server-host-and-protocol
+      APACHE_DISABLE_REWRITE_IP: 1
+      TRUSTED_PROXIES: 127.0.0.1
+      OVERWRITECLIURL: "https://{{ nextcloud__fqdn }}/"
+      OVERWRITEHOST: "{{ nextcloud__fqdn }}"
+      OVERWRITEPROTOCOL: "https"
+    
+  db:
+    image: postgres:{{ nextcloud__postgres_version }}
+    restart: unless-stopped
+    networks:
+      - nextcloud
+    volumes:
+      - "./database:/var/lib/postgresql/data"
+    environment:
+      POSTGRES_DB: nextcloud
+      POSTGRES_USER: nextcloud
+      POSTGRES_PASSWORD: "{{ nextcloud__postgres_password }}"
+
+  redis:
+    image: redis:alpine
+    restart: unless-stopped
+    networks:
+      - nextcloud
+
+networks:
+  nextcloud:
+    external: false

playbooks/roles/nextcloud/templates/nginx_nextcloud.conf.j2

@@ -0,0 +1,61 @@
+# also see here:
+# - https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
+# - https://nginx.org/en/docs/http/ngx_http_realip_module.html
+server {
+    # Listen on a custom port for the proxy protocol.
+    listen 8443 ssl http2 proxy_protocol;
+    # Make use of the ngx_http_realip_module to set the $remote_addr and
+    # $remote_port to the client address and client port, when using proxy
+    # protocol.
+    # First set our proxy protocol proxy as trusted.
+    set_real_ip_from {{ nextcloud__proxy_protocol_reverse_proxy_ip }};
+    # Then tell the realip_module to get the addreses from the proxy protocol
+    # header.
+    real_ip_header proxy_protocol;
+
+    # This should work, but isn't needed for now.
+    # # Still listen for https on 443 as usual.
+    # listen 443 ssl http2;
+    # #listen [::]:443 ssl http2;
+
+    server_name {{ nextcloud__fqdn }};
+
+    ssl_certificate /etc/letsencrypt/live/{{ nextcloud__fqdn }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ nextcloud__fqdn }}/privkey.pem;
+    # verify chain of trust of OCSP response using Root CA and Intermediate certs
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ nextcloud__fqdn }}/chain.pem;
+
+    # replace with the IP address of your resolver
+    resolver 1.1.1.1;
+
+    # allow uploads of any size
+    client_max_body_size 0;
+
+    location /.well-known/carddav {
+        # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+        add_header Strict-Transport-Security "max-age=63072000" always;
+
+        return 301 $scheme://$host/remote.php/dav;
+    }
+
+    location /.well-known/caldav {
+        # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+        add_header Strict-Transport-Security "max-age=63072000" always;
+
+        return 301 $scheme://$host/remote.php/dav;
+    }
+
+    location / {
+        proxy_set_header Host $host;
+        # This is https in any case.
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+        add_header Strict-Transport-Security "max-age=63072000" always;
+
+        add_header Front-End-Https on;
+        proxy_pass http://127.0.0.1:8080;
+    }
+}