move roles, files and templates dirs out of playbook dir into root dir

Because of how Ansible local relative search paths work, the global
"files" and "templates" directories need to be next to the playbooks.
However its not intuitive to look into the "playbooks" directory to find
the files and templates for a host.
Therefore move them out of the "playbooks" directory into the root
directory and add symlinks so everything still works.

Similarly for local roles, they also need to be next to the playbooks.
So for a nicer structure, move the "roles" directory out into the root
directory as well and add a symlink so everything still works.

Also see:
https://docs.ansible.com/ansible/latest/playbook_guide/playbook_pathing.html#resolving-local-relative-paths
https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_reuse_roles.html#storing-and-finding-roles

roles/nextcloud/README.md

@@ -0,0 +1,11 @@
+# Role `nextcloud`
+
+A role for deploying Nextcloud.
+
+Note: PostgreSQL upgrades need manual migration steps.
+
+## Links & Resources
+
+- <https://github.com/nextcloud/docker>
+- <https://docs.nextcloud.com/server/latest/admin_manual/index.html>
+- <https://github.com/nextcloud/docker/tree/master/.examples/dockerfiles/cron/apache>

roles/nextcloud/defaults/main.yaml

@@ -0,0 +1,5 @@
+nextcloud__nginx_version_spec: ""
+nextcloud__certbot_version_spec: ""
+nextcloud__extra_configuration: ""
+nextcloud__use_custom_new_user_skeleton: false
+nextcloud__custom_new_user_skeleton_directory: ""

roles/nextcloud/files/supervisord.conf

@@ -0,0 +1,22 @@
+[supervisord]
+nodaemon=true
+logfile=/var/log/supervisord/supervisord.log
+pidfile=/var/run/supervisord/supervisord.pid
+childlogdir=/var/log/supervisord/
+logfile_maxbytes=50MB                           ; maximum size of logfile before rotation
+logfile_backups=10                              ; number of backed up logfiles
+loglevel=error
+
+[program:apache2]
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+command=apache2-foreground
+
+[program:cron]
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+command=/cron.sh

roles/nextcloud/meta/argument_specs.yaml

@@ -0,0 +1,63 @@
+argument_specs:
+  main:
+    options:
+      nextcloud__version:
+        description: The version label to use for the Nextcloud Docker image.
+        type: str
+        required: true
+      nextcloud__postgres_version:
+        description: The version label to use for the PostgreSQL Docker image.
+        type: str
+        required: true
+      nextcloud__nginx_version_spec:
+        description: The version spec. to pass to nginx to use for the nginx version spec.
+        type: str
+        required: false
+        default: ""
+      nextcloud__certbot_version_spec:
+        description: The version spec. to pass to certbot to use for the certbot version spec.
+        type: str
+        required: false
+        default: ""
+      nextcloud__fqdn:
+        description: The FQDN to use for Nextcloud.
+        type: str
+        required: true
+      nextcloud__data_dir:
+        description: The directory where to store the Nextcloud data.
+        type: str
+        required: true
+      nextcloud__admin_password:
+        description: The password to use for the Admin user.
+        type: str
+        required: true
+      nextcloud__extra_configuration:
+        description: Additional nextcloud configuration.
+        type: str
+        required: false
+        default: ""
+      nextcloud__use_custom_new_user_skeleton:
+        description: >-
+          Enable to make use of the given custom new user skeleton directory.
+        type: bool
+        required: false
+        default: false
+      nextcloud__custom_new_user_skeleton_directory:
+        description: >-
+          Path of to a custom new user skeleton directory to be used by this
+          role via ansible.builtin.copy.
+        type: str
+        required: false
+        default: ""
+      nextcloud__postgres_password:
+        description: The password to use for the nextcloud PostgreSQL user.
+        type: str
+        required: true
+      nextcloud__proxy_protocol_reverse_proxy_ip:
+        description: The IP of the reverse proxy to do proxy protocol with.
+        type: str
+        required: true
+      nextcloud__certbot_acme_account_email_address:
+        description: The E-Mail address to pass to certbot to use for the ACME account.
+        type: str
+        required: true

roles/nextcloud/meta/main.yaml

@@ -0,0 +1,20 @@
+---
+dependencies:
+  - role: certbot
+    vars:
+      certbot__version_spec: "{{ nextcloud__certbot_version_spec }}"
+      certbot__acme_account_email_address: "{{ nextcloud__certbot_acme_account_email_address }}"
+      certbot__certificate_domains:
+        - "{{ nextcloud__fqdn }}"
+      certbot__new_cert_commands:
+        - "systemctl reload nginx.service"
+  - role: nginx
+    vars:
+      nginx__version_spec: "{{ nextcloud__nginx_version_spec }}"
+      nginx__configurations:
+        - name: "{{ nextcloud__fqdn }}"
+          content: "{{ lookup('ansible.builtin.template', 'nginx_nextcloud.conf.j2') }}"
+  - role: docker_compose
+    vars:
+      docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'compose.yaml.j2') }}"
+      docker_compose__configuration_files: [ ]

roles/nextcloud/tasks/main.yaml

@@ -0,0 +1,58 @@
+---
+- name: wait for existence of config directory
+  ansible.builtin.wait_for:
+    path: /ansible_docker_compose/nextcloud_var_www_html/config
+    state: present
+  become: true
+
+- name: extra Nextcloud configuration
+  ansible.builtin.copy:
+    content: "{{ nextcloud__extra_configuration }}"
+    dest: /ansible_docker_compose/nextcloud_var_www_html/config/ansible_nextcloud_extra_config.config.php
+    mode: "0644"
+    owner: www-data
+    group: www-data
+  become: true
+
+- name: fail, if nextcloud__use_custom_new_user_skeleton is set, but nextcloud__custom_new_user_skeleton_directory isn't
+  ansible.builtin.fail:
+    msg: If you set nextcloud__use_custom_new_user_skeleton, you also need to set nextcloud__custom_new_user_skeleton_directory.
+  when: nextcloud__use_custom_new_user_skeleton and nextcloud__custom_new_user_skeleton_directory == ""
+
+- name: ensure custom new user skeleton
+  when: nextcloud__use_custom_new_user_skeleton
+  block:
+    - name: ensure `rsync` package is installed
+      ansible.builtin.apt:
+        name: rsync
+        state: present
+      become: true
+
+    - name: ensure custom new user skeleton directory
+      ansible.posix.synchronize:
+        src: "{{ nextcloud__custom_new_user_skeleton_directory }}"
+        dest: /ansible_docker_compose/custom_new_user_skeleton
+        delete: true
+        recursive: true
+        use_ssh_args: true
+      become: true
+
+    - name: ensure custom new user skeleton config
+      ansible.builtin.copy:
+        content: |
+          <?php
+          $CONFIG = array (
+              'skeletondirectory' => '/custom_new_user_skeleton'
+          );
+        dest: /ansible_docker_compose/nextcloud_var_www_html/config/ansible_nextcloud_custom_new_user_skeleton.config.php
+        mode: "0644"
+        owner: www-data
+        group: www-data
+      become: true
+
+- name: ensure absence of custom new user skeleton config
+  ansible.builtin.file:
+    path: /ansible_docker_compose/nextcloud_var_www_html/config/ansible_nextcloud_custom_new_user_skeleton.config.php
+    state: absent
+  become: true
+  when: not nextcloud__use_custom_new_user_skeleton

roles/nextcloud/templates/compose.yaml.j2

@@ -0,0 +1,58 @@
+---
+services:
+  nextcloud:
+    image: git.hamburg.ccc.de/ccchh/oci-images/nextcloud:{{ nextcloud__version }}
+    pull_policy: always
+    restart: unless-stopped
+    ports:
+      - "8080:80"
+    depends_on:
+      - db
+      - redis
+    networks:
+      - nextcloud
+    volumes:
+{% if nextcloud__use_custom_new_user_skeleton %}
+      - "./custom_new_user_skeleton:/custom_new_user_skeleton"
+{% endif %}
+      - "./nextcloud_var_www_html:/var/www/html"
+      - "{{ nextcloud__data_dir }}:/var/www/html/data"
+    environment:
+      POSTGRES_HOST: db
+      POSTGRES_DB: nextcloud
+      POSTGRES_USER: nextcloud
+      POSTGRES_PASSWORD: "{{ nextcloud__postgres_password }}"
+      NEXTCLOUD_ADMIN_USER: admin
+      NEXTCLOUD_ADMIN_PASSWORD: "{{ nextcloud__admin_password }}"
+      REDIS_HOST: redis
+      NEXTCLOUD_TRUSTED_DOMAINS: "{{ nextcloud__fqdn }}"
+      # See here: https://github.com/nextcloud/docker#using-the-apache-image-behind-a-reverse-proxy-and-auto-configure-server-host-and-protocol
+      APACHE_DISABLE_REWRITE_IP: 1
+      TRUSTED_PROXIES: 127.0.0.1
+      OVERWRITECLIURL: "https://{{ nextcloud__fqdn }}/"
+      OVERWRITEHOST: "{{ nextcloud__fqdn }}"
+      OVERWRITEPROTOCOL: "https"
+    
+  db:
+    image: postgres:{{ nextcloud__postgres_version }}
+    restart: unless-stopped
+    #ports:
+    #  - 127.0.0.1:5432:5432
+    networks:
+      - nextcloud
+    volumes:
+      - "./database:/var/lib/postgresql/data"
+    environment:
+      POSTGRES_DB: nextcloud
+      POSTGRES_USER: nextcloud
+      POSTGRES_PASSWORD: "{{ nextcloud__postgres_password }}"
+
+  redis:
+    image: redis:alpine
+    restart: unless-stopped
+    networks:
+      - nextcloud
+
+networks:
+  nextcloud:
+    external: false

roles/nextcloud/templates/nginx_nextcloud.conf.j2

@@ -0,0 +1,61 @@
+# also see here:
+# - https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
+# - https://nginx.org/en/docs/http/ngx_http_realip_module.html
+server {
+    # Listen on a custom port for the proxy protocol.
+    listen 8443 ssl http2 proxy_protocol;
+    # Make use of the ngx_http_realip_module to set the $remote_addr and
+    # $remote_port to the client address and client port, when using proxy
+    # protocol.
+    # First set our proxy protocol proxy as trusted.
+    set_real_ip_from {{ nextcloud__proxy_protocol_reverse_proxy_ip }};
+    # Then tell the realip_module to get the addreses from the proxy protocol
+    # header.
+    real_ip_header proxy_protocol;
+
+    # This should work, but isn't needed for now.
+    # # Still listen for https on 443 as usual.
+    # listen 443 ssl http2;
+    # #listen [::]:443 ssl http2;
+
+    server_name {{ nextcloud__fqdn }};
+
+    ssl_certificate /etc/letsencrypt/live/{{ nextcloud__fqdn }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ nextcloud__fqdn }}/privkey.pem;
+    # verify chain of trust of OCSP response using Root CA and Intermediate certs
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ nextcloud__fqdn }}/chain.pem;
+
+    # replace with the IP address of your resolver
+    resolver 1.1.1.1;
+
+    # allow uploads of any size
+    client_max_body_size 0;
+
+    location /.well-known/carddav {
+        # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+        add_header Strict-Transport-Security "max-age=63072000" always;
+
+        return 301 $scheme://$host/remote.php/dav;
+    }
+
+    location /.well-known/caldav {
+        # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+        add_header Strict-Transport-Security "max-age=63072000" always;
+
+        return 301 $scheme://$host/remote.php/dav;
+    }
+
+    location / {
+        proxy_set_header Host $host;
+        # This is https in any case.
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+        add_header Strict-Transport-Security "max-age=63072000" always;
+
+        add_header Front-End-Https on;
+        proxy_pass http://127.0.0.1:8080;
+    }
+}