| -rw-r--r-- | group_vars/all.yml | 20 | ||||
| -rw-r--r-- | roles/nextcloud/defaults/main.yml | 101 | ||||
| -rw-r--r-- | roles/nextcloud/meta/main.yml | 66 | ||||
| -rw-r--r-- | roles/nextcloud/occ.yml | 80 | ||||
| -rw-r--r-- | roles/nextcloud/tasks/database.yml | 18 | ||||
| -rw-r--r-- | roles/nextcloud/tasks/main.yml | 99 | ||||
| -rw-r--r-- | roles/nextcloud/tasks/php.yml | 17 | ||||
| -rw-r--r-- | roles/nextcloud/templates/datadirectory.config.php.j2 | 8 | ||||
| -rw-r--r-- | roles/nextcloud/templates/etc-php-7.3.ini.j2 | 198 | ||||
| -rw-r--r-- | roles/nextcloud/templates/var-www-nextcloud-config-custom.config.php.j2 | 4 | 
10 files changed, 360 insertions, 251 deletions
diff --git a/group_vars/all.yml b/group_vars/all.yml index ca98ea6..ee658c1 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml @@ -35,6 +35,16 @@ __global_services:  # roles overrides +nextcloud__db_password: "{{ lookup( +  'ansible.builtin.password', +  'secrets/files/passwords/' + inventory_hostname + '_nextcloud__db.txt', +  )}}" +nextcloud__admin_password: "{{ lookup( +  'ansible.builtin.password', +  'secrets/files/passwords/' + inventory_hostname + '_nextcloud__admin.txt', +  )}}" +nextcloud__admin_email: contact@rgoncalves.se +  httpd__log_format: forwarded  wireguard_domain_controller: "{{ __global_domain_controller }}" @@ -82,3 +92,13 @@ sshd_keys__users: "[        {{ user.username }},      {% endfor %}    ]" + +nextcloud__users: "[ +    {% for user in __users %} +    {{ { +        'username': user.username, +        'fullname': user.firstname + ' ' + user.lastname, +        'email': user.email, +    } }}, +    {% endfor %} +  ]" diff --git a/roles/nextcloud/defaults/main.yml b/roles/nextcloud/defaults/main.yml index f1835cf..2dc20c7 100644 --- a/roles/nextcloud/defaults/main.yml +++ b/roles/nextcloud/defaults/main.yml 
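Review bot: The two `ansible.builtin.password` lookups persist the generated Nextcloud admin and database passwords in plain text under `secrets/files/passwords/` on the controller, and nothing in the hunk says how that path is protected; if it sits in this repository it must be git-ignored or vault-encrypted, so add a comment next to the lookups stating which, e.g. `# secrets/ is not committed; generated on first run, keep a backup`. The `nextcloud__users` list built in the second hunk carries an `email` field that the `user:add` task in `occ.yml` never passes on, so either drop it here or wire it through (newer occ releases accept `--email` on `user:add`; confirm against the installed version before relying on it).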
@@ -5,7 +5,104 @@ nextcloud__package_dependencies:    - php-pgsql-8.1.27    - php-pdo_pgsql-8.1.27 -nextcloud__user: nextcloud -nextcloud__group: nextcloud +nextcloud__db_name: nextcloud +nextcloud__db_user: nextcloud +nextcloud__db_host: 127.0.0.1 +nextcloud__db_password: "{{ lookup('ansible.builtin.password', '/dev/null') }}" + +nextcloud__admin_name: admin +nextcloud__admin_password: "{{ lookup( +  'ansible.builtin.password', '/dev/null' +  ) }}" + +nextcloud__chroot_dir: "{{ httpd_pre__chroot_dir }}/nextcloud" +nextcloud__chroot_data_dir: /nextcloud/data + +nextcloud__data_dir: "{{ httpd_pre__chroot_dir }}{{ nextcloud__chroot_data_dir }}" + +nextcloud__owned_directories: +  - apps +  - data +  - updater  nextcloud__php_service_name: php81_fpm +nextcloud__php_configuration_file: /etc/php-8.1.ini +nextcloud__php_fpm_configuration_file: /etc/php-fpm.ini + +nextcloud__occ_system_settings: +  - option: trusted_domains +    value: "1 --value={{ nextcloud__domain_name }}" +  - option: skeletondirectory +    value: "" + +nextcloud__disabled_apps: +  - firstrunwizard +  - sharebymail + +nextcloud__enabled_apps: +  - encryption + +nextcloud__php_fpm_settings: +  # PHP +  - section: www +    option: clear_env +    value: 0 + +nextcloud__php_settings: +  # PHP +  - section: PHP +    option: post_max_size +    value: 513M +  - section: PHP +    option: upload_max_filesize +    value: 513M +  - section: PHP +    option: allow_url_fopen +    value: 1 +  - section: PHP +    option: memory_limit +    value: 513M +  # opcache +  - section: opcache +    option: opcache.enable +    value: 1 +  - section: opcache +    option: opcache_enable_cli +    value: 1 +  - section: opcache +    option: opcache.memory_consumption +    value: 512 +  - section: opcache +    option: opcache.interned_strings_buffer +    value: 8 +  - section: opcache +    option: opcache.max_accelerated_files +    value: 10000 +  - section: opcache +    option: opcache.revalidate_freq +    value: 1 +  - section: 
opcache +    option: opcache.save_comments +    value: 1 +  # modules +  - section: zip +    option: extension +    value: zip.so +  - section: gd +    option: extension +    value: gd.so +  - section: pgsql +    option: extension +    value: pgsql.so +  - section: pdo_pgsql +    option: extension +    value: pdo_pgsql.so +  - section: curl +    option: extension +    value: curl.so +  - section: intl +    option: extension +    value: intl.so +  - section: opcache +    option: extension +    value: opcache.so diff --git a/roles/nextcloud/meta/main.yml b/roles/nextcloud/meta/main.yml index 246fc09..0ad3396 100644 --- a/roles/nextcloud/meta/main.yml +++ b/roles/nextcloud/meta/main.yml @@ -2,6 +2,8 @@  dependencies:    - role: httpd_pre +  - role: redis +  - role: postgresql  argument_specs:    main: 
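Review bot: The `/dev/null` defaults for `nextcloud__db_password` and `nextcloud__admin_password` return a fresh random string on every run, so on any host that does not override them in group_vars the PostgreSQL role would get a new password each play while the `creates:`-guarded `maintenance:install` keeps the first one in config.php. Both variables are already `required: true` in the argument spec, so I would drop these two defaults entirely and let a missing override fail loudly instead of silently rotating secrets. Two smaller items in the same hunk: `option: opcache_enable_cli` should be `opcache.enable_cli` (the deleted `etc-php-7.3.ini.j2` spells it with the dot), and `clear_env = 0` hands the php-fpm master's entire environment to every PHP script — if only a few variables are needed inside the chroot, whitelist them with `env[PATH] = /bin:/usr/bin`-style entries and leave `clear_env` at its default.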
@@ -18,7 +20,71 @@ argument_specs:          required: true          description: Package name to be installed +      nextcloud__package_dependencies: +        type: list +        elements: str +        required: true +        description: Extra packages +        nextcloud__domain_name:          type: str          required: true          description: Domain name + +      nextcloud__db_name: +        type: str +        required: true + +      nextcloud__db_password: +        type: str +        required: true + +      nextcloud__db_user: +        type: str +        required: true + +      nextcloud__db_host: +        type: str +        required: true + +      nextcloud__data_dir: +        type: str +        required: true + +      nextcloud__owned_directories: +        type: str +        required: true + +      nextcloud__admin_password: +        type: str +        required: true + +      nextcloud__admin_name: +        type: str +        required: true + +      nextcloud__admin_email: +        type: str +        required: true + +      nextcloud__php_service_name: +        type: str +        required: true + +      nextcloud__php_configuration_file: +        type: str +        required: true + +      nextcloud__php_settings: +        type: list +        elements: dict +        options: +          section: +            type: str +            required: true +          option: +            type: str +            required: true +          value: +            type: str +            required: true diff --git a/roles/nextcloud/occ.yml b/roles/nextcloud/occ.yml new file mode 100644 index 0000000..04c9539 --- /dev/null +++ b/roles/nextcloud/occ.yml 
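Review bot: The argument spec entries for `nextcloud__db_password` and `nextcloud__admin_password` have no `no_log: true`, so a validation failure or `-v` output prints the generated passwords in clear text; add `no_log: true` under both. In the same hunk `nextcloud__owned_directories` is declared `type: str`, while `defaults/main.yml` defines it as a list and `tasks/main.yml` loops over it, so it should be `type: list` with `elements: str`. `nextcloud__php_fpm_configuration_file` and `nextcloud__php_fpm_settings` from the defaults are not declared here at all, so they receive no validation; adding them keeps the spec in step with the variables the role actually consumes.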
@@ -0,0 +1,80 @@ +--- + +- name: maintenance:install nextcloud +  ansible.builtin.command: +    argv: +      - php +      - occ +      - maintenance:install +      - --database=pgsql +      - "--database-name={{ nextcloud__db_name }}" +      - "--database-port={{ postgresql__port }}" +      - "--database-user={{ nextcloud__db_user }}" +      - "--database-pass={{ nextcloud__db_password }}" +      - "--database-host={{ nextcloud__db_host }}" +      - "--admin-email={{ nextcloud__admin_email }}" +      - "--admin-user={{ nextcloud__admin_name }}" +      - "--admin-pass={{ nextcloud__admin_password }}" +    chdir: "{{ httpd_pre__chroot_dir }}/nextcloud" +    creates: "{{ nextcloud__data_dir }}/appdata_*" +  register: nextcloud__result_maintenance_install +  failed_when: +    - nextcloud__result_maintenance_install.rc != 0 +    - '"is not defined" is not in nextcloud__result_maintenance_install.stderr' +  changed_when: +    - '"is not defined" is not in nextcloud__result_maintenance_install.stderr' + +- name: set system settings +  ansible.builtin.command: +    cmd: "php occ config:system:set {{ item.option }} {{ item.value }}" +    chdir: "{{ httpd_pre__chroot_dir }}/nextcloud" +  loop: "{{ nextcloud__occ_system_settings }}" + +- name: disable applications +  ansible.builtin.command: +    cmd: "php occ app:enable {{ item }}" +    chdir: "{{ httpd_pre__chroot_dir }}/nextcloud" +  loop: "{{ nextcloud__disabled_apps }}" +  register: nextcloud__result_disable_applications +  changed_when: +    - "'already disabled' not in nextcloud__result_disable_applications.stdout" + +- name: enable applications +  ansible.builtin.command: +    cmd: "php occ app:enable {{ item }}" +    chdir: "{{ httpd_pre__chroot_dir }}/nextcloud" +  loop: "{{ nextcloud__enabled_apps }}" +  register: nextcloud__result_enable_applications +  changed_when: +    - "'already enabled' not in nextcloud__result_enable_applications.stdout" + +- name: enable encryption +  ansible.builtin.command: +    cmd: php 
occ encryption:enable +    chdir: "{{ httpd_pre__chroot_dir }}/nextcloud" +  register: nextcloud__result_enable_encryption +  changed_when: +    - "'already enabled' not in nextcloud__result_enable_encryption.stdout" + +- name: create application users +  ansible.builtin.command: +    argv: +      - php +      - occ +      - user:add +      - --password-from-env +      - "--display-name={{ item.fullname }}" +      - "{{ item.username }}" +    chdir: "{{ httpd_pre__chroot_dir }}/nextcloud" +  environment: +    OC_PASS: "{{ lookup( +      'ansible.builtin.password', +      'secrets/files/passwords/' + inventory_hostname + '_nextcloud__user_' + item.username + '.txt', +        )}}" +  loop: "{{ nextcloud__users }}" +  register: nextcloud__result_create_application_users +  failed_when: +    - nextcloud__result_create_application_users.rc == 1 +    - '"already exists" not in nextcloud__result_create_application_users.stdout' +  changed_when: +    - '"already exists" not in nextcloud__result_create_application_users.stdout' diff --git a/roles/nextcloud/tasks/database.yml b/roles/nextcloud/tasks/database.yml new file mode 100644 index 0000000..601ee9d --- /dev/null +++ b/roles/nextcloud/tasks/database.yml @@ -0,0 +1,18 @@ +--- + +- name: create nextcloud database +  community.postgresql.postgresql_db: +    name: "{{ nextcloud__db_name }}" +    encoding: UTF-8 + +- name: create nextcloud database user +  community.postgresql.postgresql_user: +    db: "{{ nextcloud__db_name }}" +    name: "{{ nextcloud__db_user }}" +    password: "{{ nextcloud__db_password }}" + +- name: add nextcloud db user permissions +  community.postgresql.postgresql_schema: +    db: "{{ nextcloud__db_name }}" +    name: "{{ nextcloud__db_user }}" +    owner: "{{ nextcloud__db_user }}" diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml index bb744e7..2a1a0bc 100644 --- a/roles/nextcloud/tasks/main.yml +++ b/roles/nextcloud/tasks/main.yml 
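Review bot: The task named `disable applications` runs `php occ app:enable {{ item }}` over `nextcloud__disabled_apps`, so `firstrunwizard` and `sharebymail` end up enabled rather than disabled and the `'already disabled'` changed_when never matches; it should read `cmd: "php occ app:disable {{ item }}"`. Separately, `maintenance:install` places `--database-pass` and `--admin-pass` on the argv, and neither that task nor `create application users` sets `no_log: true`, so both secrets land in task output on failure or with `-v` (and are readable in the process list by any local user while the command runs) — add `no_log: true` to both tasks. The `failed_when` on the install task tolerates any stderr containing `"is not defined"`, which appears intended to cover the post-install case where the console no longer registers `maintenance:install`; a comment such as `# occ drops maintenance:install once installed; treat "Command ... is not defined" as already done` would make that explicit and save the next reader from wondering what is being masked.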
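Review bot: The task named `add nextcloud db user permissions` grants nothing — it creates a schema named after `nextcloud__db_user` with that role as owner, which presumably only works because PostgreSQL's default `search_path` (`"$user", public`) resolves to the role's own schema first, and on PostgreSQL 15 and later ordinary roles can no longer create tables in `public`. That reasoning is invisible here; a comment such as `# PG15+ revoked CREATE on public; give the role its own schema, found first via "$user" in search_path` and renaming the task to `create per-user schema for nextcloud` would stop someone "fixing" it into a GRANT later. The database itself stays owned by the superuser that ran `create nextcloud database`; whether occ needs ownership (e.g. for extensions) is not shown here, so confirm on a clean install before adding `owner:`.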
@@ -20,10 +20,60 @@      name: "{{ nextcloud__package_dependencies }}"      state: present -- name: start and enable php-service +- name: chown directories to www user +  file: +    path: "{{ httpd_pre__chroot_dir }}/nextcloud/{{ item }}" +    owner: "{{ httpd_pre__user }}" +    group: "{{ httpd_pre__group }}" +    recurse: true +  loop: "{{ nextcloud__owned_directories }}" + +- name: create .ocdata file +  ansible.builtin.file: +    path: "{{ nextcloud__data_dir }}/.ocdata" +    owner: "{{ httpd_pre__user }}" +    group: "{{ httpd_pre__group }}" +    mode: "0600" +    state: touch + +- name: generate datadirectory workaround configuration +  ansible.builtin.template: +    src: datadirectory.config.php.j2 +    dest: "{{ nextcloud__chroot_dir }}/config/datadirectory.config.php" +    owner: "{{ httpd_pre__user }}" +    group: "{{ httpd_pre__group }}" +    mode: "0644" + +- name: import php tasks +  ansible.builtin.import_tasks: +    file: database.yml + +- name: import database tasks +  ansible.builtin.import_tasks: +    file: database.yml +  become: true +  become_user: "{{ postgresql__user }}" + +- name: import occ tasks +  ansible.builtin.import_tasks: +    file: occ.yml +  become: true +  become_user: "{{ httpd_pre__user }}" +  become_method: su +  become_flags: -s /bin/sh + +- name: enable nextcloud background jobs +  ansible.builtin.cron: +    name: nextcloud background jobs +    minute: "*/5" +    job: "php  -f {{ nextcloud__chroot_dir }}/cron.php" +    user: "{{ httpd_pre__user }}" + + +- name: start and enable php-fpm service    ansible.builtin.service:      name: "{{ nextcloud__php_service_name }}" -    state: started +    state: restarted      enabled: true  - name: generate nextcloud httpd configuration 
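Review bot: The task `import php tasks` imports `database.yml` instead of `php.yml`, so the PHP and php-fpm ini settings are never applied and the PostgreSQL tasks run twice — the first time without `become_user: "{{ postgresql__user }}"`, which will most likely fail to authenticate; change it to `file: php.yml`. Two idempotence issues sit in the same hunk: `create .ocdata file` uses `state: touch` and `start and enable php-fpm service` uses `state: restarted`, so both report changed and php-fpm restarts on every run — add `modification_time: preserve` and `access_time: preserve` to the touch, and move the restart into a handler notified by the ini tasks while this task keeps `state: started`. The cron line `php  -f` also carries a double space; harmless, but worth tidying.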
@@ -33,48 +83,3 @@      owner: 0      group: 0      mode: "0644" - -# - name: generate nextcloud php config -#   template: -#     src: etc-php-7.3.ini.j2 -#     dest: /etc/php-7.3.ini -#     owner: "www" -#     group: "www" -#     mode: "0644" - -# - name: generate nextcloud custom config -#   template: -#     src: var-www-nextcloud-config-custom.config.php.j2 -#     dest: /var/www/nextcloud/config/custom.config.php -#     owner: "www" -#     group: "www" -#     mode: "0644" - -# - name: copy configuration for domain name and tls in chroot -#   shell: | -#     mkdir -p /var/www/etc/ssl -#     install -m 444 -o root -g bin /etc/resolv.conf /var/www/etc -#     install -m 444 -o root -g bin /etc/ssl/cert.pem /etc/ssl/openssl.cnf /var/www/etc/ssl/ - -# - name: enable cron job for nextcloud indexing and housekeeping -#   cron: -#     name: "nextcloud indexing" -#     minute: "*/5" -#     job: "php -f /var/www/nextcloud/cron.php" -#     user: www - -# - name: ensure directories are chown to www -#   file: -#     path: "/var/www/nextcloud/{{ item }}" -#     owner: "www" -#     group: "www" -#     recurse: true -#   loop: -#     - "apps" -#     - "updater" -#  -# - name: ensure php-fpm is restarted and enabled -#   service: -#     name: php73_fpm -#     state: restarted -#     enabled: true diff --git a/roles/nextcloud/tasks/php.yml b/roles/nextcloud/tasks/php.yml new file mode 100644 index 0000000..9721e8f --- /dev/null +++ b/roles/nextcloud/tasks/php.yml 
@@ -0,0 +1,17 @@ +--- + +- name: apply php settings +  community.general.ini_file: +    path: "{{ nextcloud__php_configuration_file }}" +    section: "{{ item.section }}" +    option: "{{ item.option }}" +    value: "{{ item.value }}" +  loop: "{{ nextcloud__php_settings }}" + +- name: apply php-fpm settings +  community.general.ini_file: +    path: "{{ nextcloud__php_fpm_configuration_file }}" +    section: "{{ item.section }}" +    option: "{{ item.option }}" +    value: "{{ item.value }}" +  loop: "{{ nextcloud__php_fpm_settings }}" diff --git a/roles/nextcloud/templates/datadirectory.config.php.j2 b/roles/nextcloud/templates/datadirectory.config.php.j2 new file mode 100644 index 0000000..d5af69a --- /dev/null +++ b/roles/nextcloud/templates/datadirectory.config.php.j2 @@ -0,0 +1,8 @@ +<?php + +if (\OC::$CLI) { +        $CONFIG['datadirectory'] = '{{ nextcloud__data_dir }}'; +} else { +        $CONFIG['datadirectory'] = '{{ nextcloud__chroot_data_dir }}'; +} + diff --git a/roles/nextcloud/templates/etc-php-7.3.ini.j2 b/roles/nextcloud/templates/etc-php-7.3.ini.j2 deleted file mode 100644 index 0e79971..0000000 --- a/roles/nextcloud/templates/etc-php-7.3.ini.j2 +++ /dev/null 
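Review bot: The CLI/non-CLI split in `datadirectory.config.php.j2` appears to encode the chroot layout — php-fpm presumably runs inside `httpd_pre__chroot_dir` and sees `/nextcloud/data`, while occ and cron run unchrooted and need the full host path — but nothing in the file says so; a header comment such as `// php-fpm is chrooted to httpd_pre__chroot_dir; occ/cron run outside it, so the same directory has two paths` would save the next reader a trip through the role's defaults. The two paths are interpolated into single-quoted PHP strings without escaping, which is fine for the shipped defaults but breaks on a path containing `'` or `\`; `'{{ nextcloud__data_dir | replace("\\", "\\\\") | replace("'", "\\'") }}'` is cheap insurance. The file is written with mode 0644, owned by the web user, so any compromise of the PHP worker can rewrite it — if the rest of `config/` is kept root-owned, consider matching that here.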
@@ -1,198 +0,0 @@ -[PHP] -auto_append_file= -auto_globals_jit=On -auto_prepend_file= -default_charset="UTF-8" -default_mimetype="text/html" -disable_classes= -disable_functions= -display_errors=Off -display_startup_errors=Off -doc_root= -enable_dl=Off -engine=On -error_reporting=E_ALL & ~E_DEPRECATED & ~E_STRICT -expose_php=On -extension_dir="/usr/local/lib/php-7.3/modules" -html_errors=On -ignore_repeated_errors=Off -ignore_repeated_source=Off -implicit_flush=Off -include_path=".:/pear/lib:/var/www/pear/lib" -log_errors=On -log_errors_max_len=1024 -max_execution_time=30 -output_buffering=4096 -precision=14 -register_argc_argv=Off -report_memleaks=On -request_order="GP" -serialize_precision=-1 -short_open_tag=Off -unserialize_callback_func= -user_dir= -variables_order="GPCS" -zend.enable_gc=On -zlib.output_compression=Off - -allow_url_fopen=On -allow_url_include=Off -default_socket_timeout=60 -file_uploads=On -max_file_uploads=20 - -memory_limit={{ nextcloud_php_memory_limit }} -max_input_time={{ nextcloud_php_max_inputtime }} -post_max_size={{ nextcloud_php_upload_maxsize }} -upload_max_filesize={{ nextcloud_php_upload_maxsize }} - -pm=dynamic -pm.maxchildren=120 -pm.start_servers=12 -pm.min_spare_servers=6 -pm.max_spare_servers=18 - -extension=curl -extension=gd -extension=intl -extension=pdo_pgsql -extension=zip - -[CLI Server] -cli_server.color=On - -[Date] -date.timezone=UTC - -[iconv] - -[imap] - -[intl] - -[sqlite3] - -[Pcre] - -[Pdo] - -[Pdo_mysql] -pdo_mysql.default_socket= - -[Phar] - -[mail function] -SMTP=localhost -smtp_port=25 -mail.add_x_header=Off - -[ODBC] -odbc.allow_persistent=On -odbc.check_persistent=On -odbc.max_persistent=-1 -odbc.max_links=-1 -odbc.defaultlrl=4096 -odbc.defaultbinmode=1 - -[Interbase] -ibase.allow_persistent=1 -ibase.max_persistent=-1 -ibase.max_links=-1 -ibase.timestampformat="%Y-%m-%d %H:%M:%S" -ibase.dateformat="%Y-%m-%d" -ibase.timeformat="%H:%M:%S" - -[MySQLi] -mysqli.max_persistent=-1 -mysqli.allow_persistent=On 
-mysqli.max_links=-1 -mysqli.default_port=3306 -mysqli.default_socket= -mysqli.default_host= -mysqli.default_user= -mysqli.default_pw= -mysqli.reconnect=Off - -[mysqlnd] -mysqlnd.collect_statistics=On -mysqlnd.collect_memory_statistics=Off - -[OCI8] - -[PostgreSQL] -pgsql.allow_persistent=On -pgsql.auto_reset_persistent=Off -pgsql.max_persistent=-1 -pgsql.max_links=-1 -pgsql.ignore_notice=0 -pgsql.log_notice=0 - -[bcmath] -bcmath.scale=0 - -[browscap] - -[Session] -session.save_handler=files -session.use_strict_mode=0 -session.use_cookies=1 -session.use_only_cookies=1 -session.name=PHPSESSID -session.auto_start=0 -session.cookie_lifetime=0 -session.cookie_path=/ -session.cookie_domain= -session.cookie_httponly= -session.cookie_samesite= -session.serialize_handler=php -session.gc_probability=1 -session.gc_divisor=1000 -session.gc_maxlifetime=1440 -session.referer_check= -session.cache_limiter=nocache -session.cache_expire=180 -session.use_trans_sid=0 -session.sid_length=26 -session.trans_sid_tags="a=href,area=href,frame=src,form=" -session.sid_bits_per_character=5 - -[Assertion] -zend.assertions=-1 - -[COM] - -[mbstring] - -[gd] - -[exif] - -[Tidy] - -tidy.clean_output=Off - -[soap] -soap.wsdl_cache_enabled=1 -soap.wsdl_cache_dir="/tmp" -soap.wsdl_cache_ttl=86400 -soap.wsdl_cache_limit=5 - -[sysvshm] - -[ldap] -ldap.max_links=-1 - -[dba] - -[opcache] -opcache.enable=1 -opcache.enable_cli=1 -opcache.memory_consumption=128 -opcache.interned_strings_buffer=8 -opcache.max_accelerated_files=10000 -opcache.revalidate_freq=1 -opcache.save_comments=1 - -[curl] - -[openssl] diff --git a/roles/nextcloud/templates/var-www-nextcloud-config-custom.config.php.j2 b/roles/nextcloud/templates/var-www-nextcloud-config-custom.config.php.j2 deleted file mode 100644 index 15df079..0000000 --- a/roles/nextcloud/templates/var-www-nextcloud-config-custom.config.php.j2 +++ /dev/null 
@@ -1,4 +0,0 @@ -<?php -$CONFIG = array ( -	'datadirectory' => ((php_sapi_name() == 'cli') ? '/var/www' : '') . '/nextcloud/data', -);  |