Diffstat (limited to 'roles/apps/nextcloud/instance/tasks/main.yml')
-rw-r--r-- | roles/apps/nextcloud/instance/tasks/main.yml | 196 |
1 files changed, 196 insertions, 0 deletions
diff --git a/roles/apps/nextcloud/instance/tasks/main.yml b/roles/apps/nextcloud/instance/tasks/main.yml
new file mode 100644
index 00000000..71a3ee79
--- /dev/null
+++ b/roles/apps/nextcloud/instance/tasks/main.yml
@@ -0,0 +1,196 @@
+---
+- name: prepare storage volume
+ vars:
+ storage_volume: "{{ nextcloud_instances[nextcloud_instance].storage }}"
+ include_role:
+ name: "storage/{{ nextcloud_instances[nextcloud_instance].storage.type }}/volume"
+
+- set_fact:
+ nextcloud_instance_basepath: "{{ storage_volume_mountpoint }}"
+
+- name: create nextcloud app subdirectory
+ file:
+ path: "{{ nextcloud_instance_basepath }}/nextcloud"
+ owner: "{{ nextcloud_app_uid }}"
+ group: "{{ nextcloud_app_gid }}"
+ state: directory
+
+- name: create nextcloud database subdirectory
+ file:
+ path: "{{ nextcloud_instance_basepath }}/{{ nextcloud_instances[nextcloud_instance].database.type }}"
+ owner: "{{ nextcloud_db_uid }}"
+ group: "{{ nextcloud_db_gid }}"
+ state: directory
+
+- name: create nextcloud redis subdirectory
+ file:
+ path: "{{ nextcloud_instance_basepath }}/redis"
+ owner: "{{ nextcloud_redis_uid }}"
+ group: "{{ nextcloud_redis_gid }}"
+ state: directory
+
+
+- name: create auxiliary config directory
+ file:
+ path: "{{ nextcloud_instance_basepath }}/config"
+ state: directory
+
+- name: create apache vhost config
+ template:
+ src: apache-site.conf.j2
+ dest: "{{ nextcloud_instance_basepath }}/config/apache-site.conf"
+
+- name: configure apache to run on port 8080 only
+ copy:
+ content: |
+ Listen 8080
+ dest: "{{ nextcloud_instance_basepath }}/config/ports.conf"
+
+
+- name: create tls directory
+ file:
+ path: "{{ nextcloud_instance_basepath }}/tls"
+ owner: "{{ nextcloud_app_uid }}"
+ group: "{{ nextcloud_app_gid }}"
+ mode: 0500
+ state: directory
+
+- name: generate/install TLS certificates for publishment
+ vars:
+ x509_certificate_name: "nextcloud-{{ nextcloud_instance }}_publish"
+ x509_certificate_hostnames: []
+ x509_certificate_config:
+ ca: "{{ nextcloud_instances[nextcloud_instance].publish.zone.certificate_ca_config }}"
+ cert:
+ common_name: "nextcloud-{{ nextcloud_instance }}.{{ inventory_hostname }}"
+ extended_key_usage:
+ - serverAuth
+ extended_key_usage_critical: yes
+ create_subject_key_identifier: yes
+ not_after: +100w
+ x509_certificate_renewal:
+ install:
+ - dest: "{{ nextcloud_instance_basepath }}/tls/cert.pem"
+ src:
+ - cert
+ owner: "{{ nextcloud_app_uid }}"
+ mode: "0400"
+ - dest: "{{ nextcloud_instance_basepath }}/tls/key.pem"
+ src:
+ - key
+ owner: "{{ nextcloud_app_uid }}"
+ mode: "0400"
+ include_role:
+ name: "x509/{{ nextcloud_instances[nextcloud_instance].publish.zone.certificate_provider }}/cert"
+
+
+- name: build custom image
+ # when: "'custom_image' in nextcloud_instances[nextcloud_instance]"
+ include_tasks: custom-image.yml
+
+- name: install pod manifest
+ vars:
+ kubernetes_standalone_pod:
+ name: "nextcloud-{{ nextcloud_instance }}"
+ spec: "{{ lookup('template', 'pod-spec-with-{{ nextcloud_instances[nextcloud_instance].database.type }}.yml.j2') }}"
+ mode: "0600"
+ config_hash_items:
+ - path: "{{ nextcloud_instance_basepath }}/config/apache-site.conf"
+ properties:
+ - checksum
+ - path: "{{ nextcloud_instance_basepath }}/config/ports.conf"
+ properties:
+ - checksum
+ - path: "{{ nextcloud_instance_basepath }}/build/Dockerfile"
+ properties:
+ - checksum
+ include_role:
+ name: kubernetes/standalone/pod
+
+
+- name: install upgrade helper script
+ template:
+ src: upgrade.sh.j2
+ dest: "{{ nextcloud_instance_basepath }}/upgrade.sh"
+ mode: 0755
+
+
+- name: install systemd timer unit
+ template:
+ src: cron-.timer.j2
+ dest: "/etc/systemd/system/nextcloud-cron-{{ nextcloud_instance }}.timer"
+
+- name: start/enable cron trigger systemd timer
+ systemd:
+ daemon_reload: yes
+ name: "nextcloud-cron-{{ nextcloud_instance }}.timer"
+ state: started
+ enabled: yes
+
+
+- name: configure nginx vhost for publishment
+ vars:
+ nginx_vhost__yaml: |
+ name: "nextcloud-{{ nextcloud_instance }}.{{ inventory_hostname }}"
+ template: generic
+ {% if 'tls' in nextcloud_instances[nextcloud_instance].publish %}
+ tls:
+ {{ nextcloud_instances[nextcloud_instance].publish.tls | to_nice_yaml(indent=2) | indent(2) }}
+ {% endif %}
+ hostnames:
+ {% for hostname in nextcloud_instances[nextcloud_instance].publish.hostnames %}
+ - {{ hostname }}
+ {% endfor %}
+ locations:
+ '/':
+ {% if nextcloud_instances[nextcloud_instance].publish.zone.publisher == inventory_hostname %}
+ proxy_pass: "https://127.0.0.1:{{ nextcloud_instances[nextcloud_instance].port }}"
+ {% else %}
+ proxy_pass: "https://{{ ansible_default_ipv4.address }}:{{ nextcloud_instances[nextcloud_instance].port }}"
+ {% endif %}
+ proxy_redirect:
+ - redirect: "https://$host:8080/"
+ replacement: "https://$host/"
+ proxy_ssl:
+ trusted_certificate: "/etc/ssl/apps-publish-{{ nextcloud_instances[nextcloud_instance].publish.zone.name }}/apps-publish-{{ nextcloud_instances[nextcloud_instance].publish.zone.name }}-ca-crt.pem"
+ verify: "on"
+ name: "nextcloud-{{ nextcloud_instance }}.{{ inventory_hostname }}"
+ protocols: "TLSv1.3"
+ extra_directives: |-
+ client_max_body_size 0;
+ types {
+ text/javascript js mjs;
+ }
+ nginx_vhost: "{{ nginx_vhost__yaml | from_yaml }}"
+ include_role:
+ name: nginx/vhost
+ apply:
+ delegate_to: "{{ nextcloud_instances[nextcloud_instance].publish.zone.publisher }}"
+
+
+# TODO:
+# do this automatically!
+- name: print info for new instance
+ when: "'new' in nextcloud_instances[nextcloud_instance] and nextcloud_instances[nextcloud_instance].new"
+ pause:
+ seconds: 5
+ prompt: |
+ ************* {{ nextcloud_instance }} is a new instance
+ **
+ ** Go to https://{{ nextcloud_instances[nextcloud_instance].publish.hostnames[0] }} and finalize the
+ ** installation. After that run the following commands:
+ **
+ ** $ nextcloud-occ {{ nextcloud_instance }} config:system:set default_phone_region --value='at'
+ ** $ nextcloud-occ {{ nextcloud_instance }} config:system:set memcache.locking --value '\OC\Memcache\Redis'
+ ** $ nextcloud-occ {{ nextcloud_instance }} config:system:set redis host --value '127.0.0.1'
+ ** $ nextcloud-occ {{ nextcloud_instance }} config:system:set redis port --type integer --value 6379
+ ** $ nextcloud-occ {{ nextcloud_instance }} config:system:set redis timeout --type float --value 0.0
+ ** $ nextcloud-occ {{ nextcloud_instance }} config:system:set redis password
+ ** $ nextcloud-occ {{ nextcloud_instance }} config:system:set maintenance_window_start --type integer --value 23
+ **
+ ** in case you want to use an exteranl collabora/code server:
+ **
+ ** $ nextcloud-occ {{ nextcloud_instance }} app:disable richdocumentscode
+ ** $ nextcloud-occ {{ nextcloud_instance }} app:remove richdocumentscode
+ **
+ **************************************** |
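Review bot: The `configure nginx vhost for publishment` task publishes the instance on its public hostnames before the final `print info for new instance` task asks an operator to finish the Nextcloud setup wizard by hand, so a freshly created instance is reachable with its installer still open until someone completes it; the `# TODO: do this automatically!` comment already points at the fix — run the installation non-interactively (Nextcloud's `occ maintenance:install`) together with the listed `config:system:set` values before the vhost is published, or gate the vhost task on the instance no longer being `new`. File modes are written inconsistently in the same hunk: `mode: 0500` (tls directory) and `mode: 0755` (upgrade.sh) are bare octals while the cert `install` entries use `mode: "0400"` and the pod manifest `mode: "0600"`; quoting all of them (`mode: "0500"`, `mode: "0755"`) avoids depending on the YAML 1.1 leading-zero octal rule. Likewise `extended_key_usage_critical: yes`, `create_subject_key_identifier: yes`, `daemon_reload: yes` and `enabled: yes` should be `true`. `x509_certificate_renewal:` is left with no value, which parses as null — fine if the x509 role treats null as its default renewal policy, otherwise it deserves an explicit mapping or a comment saying so. The prompt text also has a typo, `exteranl` → `external`.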