-rw-r--r--dan/ele-media.yml4
-rw-r--r--dan/host_vars/ele-media.yml21
-rw-r--r--inventory/host_vars/ele-media.yml33
-rw-r--r--roles/elevate/media/defaults/main.yml16
-rw-r--r--roles/elevate/media/filter_plugins/nextcloud.py38
-rw-r--r--roles/elevate/media/tasks/nextcloud-config.yml52
-rw-r--r--roles/elevate/media/tasks/nextcloud-lvm.yml42
-rw-r--r--roles/elevate/media/tasks/nextcloud.yml141
-rw-r--r--roles/elevate/media/templates/nextcloud.service.j216
9 files changed, 294 insertions, 69 deletions
diff --git a/dan/ele-media.yml b/dan/ele-media.yml
index 0232ec3a..c0746e27 100644
--- a/dan/ele-media.yml
+++ b/dan/ele-media.yml
@@ -6,7 +6,7 @@
- role: sshd
- role: zsh
- role: admin-user
- - role: docker
- - role: acmetool/base
+# - role: acmetool/base
- role: mysql
+ - role: docker
- role: elevate/media
diff --git a/dan/host_vars/ele-media.yml b/dan/host_vars/ele-media.yml
index 1fa4fc1f..dbdafead 100644
--- a/dan/host_vars/ele-media.yml
+++ b/dan/host_vars/ele-media.yml
@@ -1,9 +1,14 @@
$ANSIBLE_VAULT;1.2;AES256;dan
-30663237323334376561303332396535346330303539656235633362316637313866623130663466
-3936313461393937626366353437303836316462363936390a613065613535366361306365636337
-30666263316566343766663465376339323332313031346331333035343861613431666539393062
-3366386366326466320a363364623762353634383064643036653466383639336434613135346330
-34326163366133343236313134643363366563303138363565306337303937633431633236333934
-35383337386138303464633434366164313765303466353330643036663434366466333135323865
-62613539313631363031336337393566646566386134343033633337646366663634343063353161
-35383766623965613462
+31316230393666623739333361346439316430613266613632363530646235363462363231303139
+3566383530636261663664623230313735366165636266610a383435386233396665346339373736
+66343431386433386565663939323739633437353538353362663062366434616237346366353833
+6462366637303038310a323236363064313765353835623730346632336461623432353639316332
+63613736646430313131393362643839663136333038323432656530326239393234326561396663
+30643538383933623464363733303566343637363566666331366132313861393439323164636436
+65316235613532373533633730643638396364306563353663306539626437373461663738656664
+36383734346461333130393165656130626631336134343837633036333533343266333564653134
+36356438333236396637326362663139656332376332636331303438633261643439316432303461
+63343965333664336264366363343065303865373431303862366234336631326463363165373134
+35643963663163646330623733633230653239383765306238393035636562386631623539336362
+34303532366264343866343835636430383334613035396464323130623161383833313562356230
+3535
diff --git a/inventory/host_vars/ele-media.yml b/inventory/host_vars/ele-media.yml
index 4b509097..0adac6a7 100644
--- a/inventory/host_vars/ele-media.yml
+++ b/inventory/host_vars/ele-media.yml
@@ -12,6 +12,13 @@ install:
disks:
primary: /dev/disk/by-id/ata-Samsung_SSD_840_Series_S14GNEACC92243K
+
+admin_user_host:
+- "{{ equinox_user }}"
+
+ssh_allowusers_host: "{{ admin_user_host | map(attribute='name') | list }}"
+
+
mysql_root_password: "{{ vault_ele_media.mysql_root_password }}"
docker_lvm:
@@ -19,3 +26,29 @@ docker_lvm:
lv: docker
size: 20G
fs: ext4
+
+
+nextcloud_hostnames:
+ - media.elevate.at
+ - elevate-media.spreadspace.org
+
+nextcloud_db:
+ db: nextcloud
+ user: nextcloud
+ password: "{{ vault_ele_media.nextcloud_db.password }}"
+
+nextcloud_admin:
+ username: admin
+ password: "{{ vault_ele_media.nextcloud_admin.password }}"
+
+nextcloud_lvm:
+ system:
+ vg: "{{ host_name }}"
+ lv: nextcloud
+ size: 20G
+ fs: ext4
+ data:
+ vg: "{{ host_name }}"
+ lv: ncdata
+ size: 150G
+ fs: ext4
diff --git a/roles/elevate/media/defaults/main.yml b/roles/elevate/media/defaults/main.yml
index a2c9c807..344d0aba 100644
--- a/roles/elevate/media/defaults/main.yml
+++ b/roles/elevate/media/defaults/main.yml
@@ -1,4 +1,16 @@
---
+nextcloud_version: 15
+
nextcloud_hostnames:
- - media.elevate.at
- - elevate-media.spreadspace.org
+ - wolke.example.com
+
+nextcloud_db:
+ db: nextcloud
+ user: nextcloud
+ password: changeme
+
+nextcloud_admin:
+ user: admin
+ password: changeme
+
+nextcloud_lvm: {}
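Review bot: The default admin mapping uses the key `user`, but the installer task in roles/elevate/media/tasks/nextcloud.yml reads `nextcloud_admin.username` (and the inventory host_vars in this commit also define `username`), so any host that does not override `nextcloud_admin` fails with an undefined attribute instead of falling back to the default; the line should read `username: admin`. The `changeme` passwords for `nextcloud_db` and `nextcloud_admin` are also risky as defaults: a host that merely forgets the override gets a reachable Nextcloud installed with a known admin password and a database user with that password. Consider leaving the password keys out of the defaults and adding an `assert` in the task file that they are defined and not equal to a placeholder before the database and installer tasks run.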
diff --git a/roles/elevate/media/filter_plugins/nextcloud.py b/roles/elevate/media/filter_plugins/nextcloud.py
new file mode 100644
index 00000000..a1bcd63b
--- /dev/null
+++ b/roles/elevate/media/filter_plugins/nextcloud.py
@@ -0,0 +1,38 @@
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+from ansible import errors
+
+
+def mountpoint_exists(data, mountpoint):
+ try:
+ for entry in data:
+ if entry['mount_point'] == mountpoint:
+ return True
+
+ return False
+ except Exception as e:
+ raise errors.AnsibleFilterError("mountpoint_exists(): %s" % str(e))
+
+
+def get_id_of_mountpoint(data, mountpoint):
+ try:
+ for entry in data:
+ if entry['mount_point'] == mountpoint:
+ return entry['mount_id']
+
+ raise KeyError
+ except Exception as e:
+ raise errors.AnsibleFilterError("get_id_of_mountpoint(): %s" % str(e))
+
+
+class FilterModule(object):
+
+ ''' extract values from nextcloud '''
+ filter_map = {
+ 'nextcloud_mountpoint_exists': mountpoint_exists,
+ 'nextcloud_get_id_of_mountpoint': get_id_of_mountpoint,
+ }
+
+ def filters(self):
+ return self.filter_map
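Review bot: In `get_id_of_mountpoint`, the bare `raise KeyError` is caught by the surrounding `except Exception` and re-raised as `AnsibleFilterError("get_id_of_mountpoint(): ")` with an empty message, so the playbook error says nothing about which mount point was not found. Raising with a message, `raise KeyError("no entry with mount_point %r" % mountpoint)`, gives the operator the missing name in the task output. Both filters would also benefit from a one-line docstring stating that `data` is the parsed output of `occ files_external:list --output=json` and that the keys `mount_point` / `mount_id` come from that format, since nothing in the module says where the input comes from.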
diff --git a/roles/elevate/media/tasks/nextcloud-config.yml b/roles/elevate/media/tasks/nextcloud-config.yml
new file mode 100644
index 00000000..1ce80860
--- /dev/null
+++ b/roles/elevate/media/tasks/nextcloud-config.yml
@@ -0,0 +1,52 @@
+---
+ # TODO: fix idempotence
+- name: set up permission for external storage
+ command: docker exec -u root nextcloud.service bash -c "chown root:www-data /srv/external && chmod 02775 /srv/external"
+ changed_when: false
+
+
+ ## TODO: this is idempotent but flagging change would be nice
+- name: set up permission for external storage
+ command: docker exec -u www-data nextcloud.service /var/www/html/occ app:enable files_external
+ changed_when: false
+
+
+- name: check if elevate group exists in nextcloud (1/2)
+ command: docker exec -u www-data nextcloud.service /var/www/html/occ group:list -n --output=json
+ register: nextcloud_group_list
+ changed_when: false
+
+- name: check if elevate group exists in nextcloud (2/2)
+ set_fact:
+ nextcloud_group_list: "{{ nextcloud_group_list.stdout | from_json }}"
+
+- name: create group elevate group in nextcloud
+ command: docker exec -u www-data nextcloud.service /var/www/html/occ group:add -n elevate
+ when: '"elevate" not in nextcloud_group_list'
+
+
+- name: check if external storage is configured in nextcloud (1/2)
+ command: docker exec -u www-data nextcloud.service /var/www/html/occ files_external:list -n --output=json
+ register: nextcloud_files_external_list
+ changed_when: false
+
+- name: check if external storage is configured in nextcloud (2/2)
+ set_fact:
+ nextcloud_files_external_list: "{{ nextcloud_files_external_list.stdout | from_json }}"
+
+- debug:
+ var: nextcloud_files_external_list
+
+- name: configure external storage in nextcloud
+ command: docker exec -u www-data nextcloud.service /var/www/html/occ files_external:create -n --output=json --config="datadir=/srv/external" Fileserver local null::null
+ when: not (nextcloud_files_external_list | nextcloud_mountpoint_exists('/Fileserver'))
+
+ ## TODO: this is idempotent but flagging change would be nice
+- name: set up permission for external storage
+ command: docker exec -u www-data nextcloud.service /var/www/html/occ files_external:applicable -n --output=json 1 --add-group=elevate
+ changed_when: false
+
+
+### add this until tests have been done
+## 'overwriteprotocol' => 'http', -> /srv/nextcloud/config/nextcloud/config.php
+#
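Review bot: The `files_external:applicable` task hard-codes the mount id `1`, although the commit ships a `nextcloud_get_id_of_mountpoint` filter for exactly this lookup; on a host where another external storage was created first, the group restriction is applied to the wrong mount and the `elevate` scope silently lands elsewhere. The list registered earlier is also taken before `files_external:create` runs, so it has to be refreshed before the filter can find `/Fileserver`. Three tasks in this file share the name "set up permission for external storage" (the chown, the `app:enable` and the `applicable` call), which makes play output hard to read, and the `debug` task after the second `set_fact` looks like a leftover. A possible rewrite of the tail of the file:

```yaml
# … unchanged: group creation and files_external:create …

- name: refresh external storage list after create
  command: docker exec -u www-data nextcloud.service /var/www/html/occ files_external:list -n --output=json
  register: nextcloud_files_external_list
  changed_when: false

- name: restrict external storage to group elevate
  command: "docker exec -u www-data nextcloud.service /var/www/html/occ files_external:applicable -n --output=json {{ nextcloud_files_external_list.stdout | from_json | nextcloud_get_id_of_mountpoint('/Fileserver') }} --add-group=elevate"
  changed_when: false
```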
diff --git a/roles/elevate/media/tasks/nextcloud-lvm.yml b/roles/elevate/media/tasks/nextcloud-lvm.yml
new file mode 100644
index 00000000..d24326d3
--- /dev/null
+++ b/roles/elevate/media/tasks/nextcloud-lvm.yml
@@ -0,0 +1,42 @@
+---
+- name: prepare nextcloud system disk as LVM
+ when: nextcloud_lvm.system is defined
+ block:
+ - name: create logical volume
+ lvol:
+ vg: "{{ nextcloud_lvm.system.vg }}"
+ lv: "{{ nextcloud_lvm.system.lv }}"
+ size: "{{ nextcloud_lvm.system.size }}"
+
+ - name: create filesystem
+ filesystem:
+ fstype: "{{ nextcloud_lvm.system.fs }}"
+ dev: "/dev/mapper/{{ nextcloud_lvm.system.vg | replace('-', '--') }}-{{ nextcloud_lvm.system.lv | replace('-', '--') }}"
+
+ - name: mount filesytem
+ mount:
+ src: "/dev/mapper/{{ nextcloud_lvm.system.vg | replace('-', '--') }}-{{ nextcloud_lvm.system.lv | replace('-', '--') }}"
+ path: /srv/nextcloud
+ fstype: "{{ nextcloud_lvm.system.fs }}"
+ state: mounted
+
+- name: prepare nextcloud data disk as LVM
+ when: nextcloud_lvm.data is defined
+ block:
+ - name: create logical volume
+ lvol:
+ vg: "{{ nextcloud_lvm.data.vg }}"
+ lv: "{{ nextcloud_lvm.data.lv }}"
+ size: "{{ nextcloud_lvm.data.size }}"
+
+ - name: create filesystem
+ filesystem:
+ fstype: "{{ nextcloud_lvm.data.fs }}"
+ dev: "/dev/mapper/{{ nextcloud_lvm.data.vg | replace('-', '--') }}-{{ nextcloud_lvm.data.lv | replace('-', '--') }}"
+
+ - name: mount filesytem
+ mount:
+ src: "/dev/mapper/{{ nextcloud_lvm.data.vg | replace('-', '--') }}-{{ nextcloud_lvm.data.lv | replace('-', '--') }}"
+ path: /srv/ncdata
+ fstype: "{{ nextcloud_lvm.data.fs }}"
+ state: mounted
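Review bot: Both `lvol` tasks pass only `vg`, `lv` and `size`; the module's `shrink` option defaults to yes, so lowering `size` in host_vars on a later run shrinks the existing logical volume underneath a mounted filesystem, which destroys data on the `ncdata` volume in particular. Add `shrink: no` to both `lvol` tasks so a size change can only grow the volume. Minor: the mount task names read "mount filesytem" (typo), and the `/dev/mapper/...` name with the `-` to `--` escaping is repeated four times; `/dev/{{ vg }}/{{ lv }}` refers to the same device without the escaping.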
diff --git a/roles/elevate/media/tasks/nextcloud.yml b/roles/elevate/media/tasks/nextcloud.yml
index 6a3faf73..d827a28a 100644
--- a/roles/elevate/media/tasks/nextcloud.yml
+++ b/roles/elevate/media/tasks/nextcloud.yml
@@ -1,4 +1,7 @@
---
+- name: preare nextcloud disks
+ import_tasks: nextcloud-lvm.yml
+
- name: create nextcloud config directory
file:
path: /srv/nextcloud/config/
@@ -9,61 +12,85 @@
src: nextcloud-fpm.conf.j2
dest: /srv/nextcloud/config/nextcloud-fpm.conf
-##### TODO: implement the following steps
-### install
-#
-# docker run --rm --network host --name nextcloud \
-# -e NEXTCLOUD_UPDATE=1 -e NEXTCLOUD_TRUSTED_DOMAINS="media.elevate.at elevate-media.spreadspace.org 89.106.211.61" \
-# -e MYSQL_DATABASE="nextcloud" -e MYSQL_HOST="127.0.0.1:3306" -e MYSQL_USER="nextcloud" -e MYSQL_PASSWORD="testtest" \
-# -e NEXTCLOUD_ADMIN_USER="admin" -e NEXTCLOUD_ADMIN_PASSWORD="test" \
-# -v /srv/nextcloud/config/nextcloud-fpm.conf:/usr/local/etc/php-fpm.d/zzzzz.conf \
-# -v /srv/nextcloud/config/nextcloud:/var/www/html/config \
-# -v /srv/data/nextcloud:/var/www/html/data \
-# -v /srv/data/share:/srv/external \
-# -v /srv/nextcloud/www:/var/www/html nextcloud:15-fpm /bin/true
-#
-#
-## for now we only support http (not needed when nginx and network config is fixed)
-##
-## 'overwriteprotocol' => 'http', -> /srv/nextcloud/config/nextcloud/config.php
-##
-#
-### run
-#
-# docker run --rm -d --network host --name nextcloud \
-# -v /srv/nextcloud/config/nextcloud-fpm.conf:/usr/local/etc/php-fpm.d/zzzzz.conf \
-# -v /srv/nextcloud/config/nextcloud:/var/www/html/config \
-# -v /srv/data/nextcloud:/var/www/html/data \
-# -v /srv/data/share:/srv/external \
-# -v /srv/nextcloud/www:/var/www/html nextcloud:15-fpm
-#
-#
-### post -install
-#
-# docker exec -u root -it nextcloud bash -c "chown root:www-data /srv/external && chmod 02775 /srv/external"
-#
-## this is idempotent
-# docker exec -u www-data -it nextcloud /var/www/html/occ app:enable files_external
-#
-## docker exec -u www-data -it nextcloud /var/www/html/occ group:list -n --output=json
-# docker exec -u www-data -it nextcloud /var/www/html/occ group:add -n Elevate
-#
-## docker exec -u www-data -it nextcloud /var/www/html/occ files_external:list --output=json
-# docker exec -u www-data -it nextcloud /var/www/html/occ files_external:create -n --output=json --config="datadir=/srv/external" Fileserver local null::null
-#
-## this is idempotent
-# docker exec -u www-data -it nextcloud /var/www/html/occ files_external:applicable -n --output=json 1 --add-group=Elevate
-#
-#
-#
-##### not need to implement this...
-#
-### purge
-#
-# docker stop nextcloud
-# rm -rf /srv/nextcloud/config/nextcloud
-# rm -rf /srv/data/nextcloud
-# rm -rf /srv/nextcloud/www
-# echo "drop database nextcloud;" | mysql --defaults-extra-file=/etc/mysql/debian.cnf
-#
+- name: create nextcloud database
+ mysql_db:
+ login_user: root
+ login_password: "{{ mysql_root_password }}"
+ db: "{{ nextcloud_db.db }}"
+ encoding: utf8mb4
+ collation: utf8mb4_general_ci
+ state: present
+
+- name: create nextcloud database user
+ mysql_user:
+ login_user: root
+ login_password: "{{ mysql_root_password }}"
+ name: "{{ nextcloud_db.user }}"
+ password: "{{ nextcloud_db.password }}"
+ priv: "{{ nextcloud_db.db }}.*:SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,INDEX,ALTER,CREATE TEMPORARY TABLES"
+ state: present
+
+
+- name: check if nextcloud is already configured
+ stat:
+ path: /srv/nextcloud/config/nextcloud/config.php
+ register: nextcloud_config_file
+
+- name: running nextcloud installer
+ when: not nextcloud_config_file.stat.exists
+ docker_container:
+ name: nextcloud
+ image: nextcloud:{{ nextcloud_version }}-fpm
+ command: /bin/true
+ network_mode: host
+ detach: no
+ auto_remove: yes
+ volumes:
+ - /srv/nextcloud/www:/var/www/html
+ - /srv/nextcloud/config/nextcloud-fpm.conf:/usr/local/etc/php-fpm.d/zzzzz.conf
+ - /srv/nextcloud/config/nextcloud:/var/www/html/config
+ - /srv/ncdata/nextcloud:/var/www/html/data
+ - /srv/ncdata/share:/srv/external
+ env:
+ NEXTCLOUD_UPDATE: '1'
+ NEXTCLOUD_TRUSTED_DOMAINS: "{{ nextcloud_hostnames | join(' ') }} 89.106.211.61" ## TODO remove ip when tests are done
+ MYSQL_DATABASE: "{{ nextcloud_db.db }}"
+ MYSQL_HOST: "127.0.0.1:3306"
+ MYSQL_USER: "{{ nextcloud_db.user }}"
+ MYSQL_PASSWORD: "{{ nextcloud_db.password }}"
+ NEXTCLOUD_ADMIN_USER: "{{ nextcloud_admin.username }}"
+ NEXTCLOUD_ADMIN_PASSWORD: "{{ nextcloud_admin.password }}"
+
+
+- name: install nextcloud service unit
+ template:
+ src: nextcloud.service.j2
+ dest: /etc/systemd/system/nextcloud.service
+ register: nextcloud_service
+
+- name: make sure nextcloud is started and enabled
+ systemd:
+ name: nextcloud.service
+ state: "{% if nextcloud_service.changed %}restarted{% else %}started{% endif %}"
+ enabled: yes
+ daemon_reload: yes
+
+- name: basic nextcloud config
+ import_tasks: nextcloud-config.yml
+
+- name: install nextcloud cron systemd units
+ with_items:
+ - service
+ - timer
+ template:
+ src: "nextcloud-cron.{{ item }}.j2"
+ dest: "/etc/systemd/system/nextcloud-cron.{{ item }}"
+
+- name: make sure nextcloud cron is started and enabled
+ systemd:
+ name: nextcloud-cron.timer
+ state: started
+ enabled: yes
+ daemon_reload: yes
+
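Review bot: The `mysql_user` task and the installer `docker_container` task carry `nextcloud_db.password`, `mysql_root_password` and `nextcloud_admin.password` in their module arguments, and neither sets `no_log`, so a verbose run or a failed task prints the vault-protected passwords into the Ansible log; add `no_log: true` to both tasks. `NEXTCLOUD_TRUSTED_DOMAINS` appends the literal address `89.106.211.61` next to the host list and is flagged with a TODO; trusting an IP as a domain widens what Nextcloud accepts as a valid Host header, so it is worth finishing that TODO before the role is considered done. Smaller points: the first task name reads "preare nextcloud disks", and the cron task templates `nextcloud-cron.service.j2` / `nextcloud-cron.timer.j2` are not part of this commit's diffstat, so they presumably already exist in the repository — worth confirming.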
diff --git a/roles/elevate/media/templates/nextcloud.service.j2 b/roles/elevate/media/templates/nextcloud.service.j2
new file mode 100644
index 00000000..4eacf476
--- /dev/null
+++ b/roles/elevate/media/templates/nextcloud.service.j2
@@ -0,0 +1,16 @@
+[Unit]
+Description=Nextcloud
+After=docker.service
+Requires=docker.service
+
+[Service]
+ExecStart=/usr/bin/systemd-docker --cgroups name=systemd run --rm --network host --name %n -v /srv/nextcloud/config/nextcloud-fpm.conf:/usr/local/etc/php-fpm.d/zzzzz.conf -v /srv/nextcloud/config/nextcloud:/var/www/html/config -v /srv/ncdata/nextcloud:/var/www/html/data -v /srv/ncdata/share:/srv/external -v /srv/nextcloud/www:/var/www/html nextcloud:{{ nextcloud_version }}-fpm
+Restart=always
+RestartSec=10
+Type=notify
+NotifyAccess=all
+TimeoutStartSec=30
+TimeoutStopSec=5
+
+[Install]
+WantedBy=multi-user.target
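Review bot: The unit orders itself only after `docker.service`, while the bind-mounted source directories `/srv/nextcloud` and `/srv/ncdata` are separate LVM mounts set up by nextcloud-lvm.yml; if the container starts before those mounts are active, it writes config and user data into the empty mountpoint directories on the root filesystem. Adding `RequiresMountsFor=/srv/nextcloud /srv/ncdata` to the `[Unit]` section makes systemd order the service after the mounts and refuse to start it if they fail. The volume list in `ExecStart` also duplicates the installer task's list in nextcloud.yml by hand; a comment in the template pointing at that task would help keep the two in sync.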