nextcloud: refactor role:

 - determine appropriate setup procedure depending on whether nextcloud is already installed or not, installed version and current role version
 - use ansible local fact file to store nextcloud installed version
 - use temporary extraction directory and replace the old copy with the new one instead of unpacking directly into the documentroot
 - installation is now idempotent
 - ensure correct/restrictive permissions are set
 - nextcloud: move apache configuration steps to separate file, add automatic virtualhost configuration for nextcloud, group previous CSP settings in vhost configuration file
 - reorder setup procedure (setup apache last)
 - enable additional php modules https://docs.nextcloud.com/server/16/admin_manual/installation/source_installation.html#apache-web-server-configuration
 - Note: 'become' is not a valid attribute for a TaskInclude, use include - https://docs.ansible.com/ansible/latest/modules/include_module.html
 - reload apache instead of restarting when possible
 - fix Module did not set no_log for update_password (mysql_user)
 - update documentation, add screenshots
 - use ansible-vault to manage secret variables by default
 - templatize nextcloud domain name/install directory/full URL
 - make app enable/disable task idempotent - nextcloud/server#19514, nextcloud/server#17789
 - require manual configuration of nextcloud FQDN
 - update calendar app to 2.0.2
 - https://docs.nextcloud.com/server/16/admin_manual/maintenance/manual_upgrade.html
 - update doc
 - add php-mysql requirement
 - update role metadata, depends on lamp role
 - upgrade nextcloud to 19.0.0, upgrade all nextcloud apps
 - add fine-grained ansible tags
 - upgrade: copy config.php from the old installation to the new, fix permissions
 - apache: integration Unset system-wide Content-Security-Policy header since Nextcloud provides its own CSP
 - add nextcloud_https_mode config variable (selfsigned/letsencrypt/none)
 - add tasks to generate self-signed certificates
 - automatically install applications using occ app:install command, remove app-related variables and ansible tasks
 - upgrade all applications during setup
 - enable APCu memcache https://docs.nextcloud.com/server/19/admin_manual/configuration_server/caching_configuration.html
 - gallery app replaced with photos app
 - update doc
 - fix upgrade mechanism/only copy old config.pho when nextcloud_action == 'upgrade'
 - remove old installation directory at the end of upgrades

note on upgrades: 'Exception: Updates between multiple major versions and downgrades are unsupported.'
note on config.php file ownership/permissions: occ has to be executed with the user that owns the file config/config.php either www-data must OWN config.php (rw group access is not enough), or we have to run occ as root - the first option is probably closer to least-privilege principle
note on data directory permissions: Your data directory is readable by other users Please change the permissions to 0770 so that the directory cannot be listed by other users. An unhandled exception has been thrown: Exception: Environment not properly prepared

playbooks/xsrv/host_vars/my.example.org/my.example.org.yml

@@ -2,6 +2,7 @@
 ### configuration variables for my.example.org
 ### vault_* variables are stored encrypted in my.example.org.vault.yml
 
+
 # administrator/sudo account username/password
 ansible_user: "{{ vault_ansible_user }}"
 ansible_become_pass: "{{ vault_ansible_become_pass }}"
@@ -13,6 +14,7 @@ xsrv_admin_password: "{{ vault_xsrv_admin_password }}"
 
 ##### NEXTCLOUD #####
 # see roles/nextcloud/defaults/main.yml
+nextcloud_fqdn: "cloud.CHANGEME.org"
 nextcloud_user: "{{ xsrv_admin_username }}"
 nextcloud_password: "{{ xsrv_admin_password }}"
 

roles/nextcloud/README.md

@@ -7,18 +7,26 @@ Basic functionality includes uploading, viewing, editing, downloading and sharin
 
 Default installed applications include:
 
-- [Contacts](https://apps.nextcloud.com/apps/contacts): Edit, view, share address books and synchronize them across devices (CardDav)
 - [Calendar](https://apps.nextcloud.com/apps/calendar): Manage calendar events with search, alarms, invitation management, contacts integration, sharing and synchronization across devices (CalDAV/ICS)
+- [Contacts](https://apps.nextcloud.com/apps/contacts):E dit, view, share address books and synchronize them across devices (CardDav)
 - [Tasks](https://apps.nextcloud.com/apps/tasks): Task/todo-list management (supports due dates, reminders, priorities, comments, tasks sharing, sub-tasks), and synchronize them across devices (CalDAV)
 - [Music](https://apps.nextcloud.com/apps/music): Play audio files directly from teh file list or in a library view (supports playlists, search, ampache and more)
+- [Photos](https://github.com/nextcloud/photos): Media gallery with previews for all media types
 - [Notes](https://apps.nextcloud.com/apps/notes): Note taking app with markdown support, notes are saved as files in your Nextcloud so you can view and edit them from anywhere.
-- [Gallery](https://github.com/nextcloud/gallery): Media gallery with previews for all media types
 - Viewers and editors for common file types (PDF, text, video...)
 - Federation between Nextcloud instances (seamless access to other instances files/shares)
 - Remote file storage access (FTP, SFTP, Samba/CIFS, local directory/drive...).
 
 Nextcloud is an alternative to services such as Dropbox, Google Drive/Agenda... See the [comparison page](https://nextcloud.com/compare/).
 
+[![](https://i.imgur.com/kQyXV9S.png)](https://i.imgur.com/nCXJMus.png)
+[![](https://i.imgur.com/lXroRsI.png)](https://i.imgur.com/XlDrlS4.png)
+[![](https://i.imgur.com/cCg6HgB.png)](https://i.imgur.com/iuWdvKG.png)
+[![](https://i.imgur.com/URs7XH5.png)](https://i.imgur.com/V6CR3we.png)
+[![](https://i.imgur.com/0ALCk1W.png)](https://i.imgur.com/qRYPBdU.png)
+[![](https://i.imgur.com/PPVIb6V.png)](https://i.imgur.com/1YaT357.png)
+[![](https://i.imgur.com/Co3DHUr.png)](https://i.imgur.com/Tu1lVHo.png)
+[![](https://i.imgur.com/TJTvqtd.png)](https://i.imgur.com/ztI0rJz.png)
 
 Requirements
 ------------
@@ -35,7 +43,7 @@ See [defaults/main.yml](defaults/main.yml)
 Dependencies
 ------------
 
-The [`lamp`](https://gitlab.com/nodiscc/ansible-xsrv-lamp) role
+The [`lamp`](../lamp/README.md) role (webserver + self-signed or Let's Encrypt certificates generation)
 
 
 Example Playbook
@@ -47,6 +55,13 @@ Example Playbook
     - common
     - lamp
     - nextcloud
+  vars:
+    nextcloud_fqdn: "cloud.CHANGEME.org"
+    nextcloud_user: "CHANGEME"
+
+# ansible-vault edit host_vars/my.example.org/my.example.org.vault.yml
+vault_nextcloud_password: "CHANGEME"
+vault_nextcloud_db_password: "CHANGEME"
 ```
 
 
@@ -78,7 +93,7 @@ Other:
 
 ### Backups
 
-See the included [rsnapshot configuration](templates/etc_rsnapshot.d_nextcloud.conf.j2) for the [backup](https://gitlab.com/nodiscc/ansible-xsrv-backup) role.
+See the included [rsnapshot configuration](templates/etc_rsnapshot.d_nextcloud.conf.j2) for the [backup](../backup/README.md) role.
 
 To restore a backup:
 
@@ -94,10 +109,10 @@ rm -rv /var/nextcloud/data
 
 # Reinstall nextcloud by running the playbook/nextcloud role, then
 # Restore the database
-mysql -u root -p nextcloud < /var/backups/xsrv/daily.0/localhost/var/backups/mysql/nextcloud/nextcloud.sql
+mysql -u root -p nextcloud < /var/backups/rsnapshot/daily.0/localhost/var/backups/mysql/nextcloud/nextcloud.sql
 
 # Restore the data directory
-rsync -avP --delete /var/backups/xsrv/daily.0/localhost/var/nextcloud/data /var/nextcloud/
+rsync -avP --delete /var/backups/rsnapshot/daily.0/localhost/var/nextcloud/data /var/nextcloud/
 
 # Rescan files
 sudo -u www-data /usr/bin/php /var/www/my.example.org/nextcloud/occ files:scan

roles/nextcloud/defaults/main.yml

@@ -3,11 +3,21 @@
 ##### NEXTCLOUD #####
 
 # Nextcloud admin username/password
-# nextcloud_user: "CHANGEME"
-# nextcloud_password: "CHANGEME"
+nextcloud_user: "{{ vault_nextcloud_user }}" # CHANGEME
+nextcloud_password: "{{ vault_nextcloud_password }}" # CHANGEME
 
 # Fully Qualified Domain Name for the nextcloud instance
-nextcloud_fqdn: "{{ inventory_hostname }}"
+# nextcloud_fqdn: "cloud.CHANGEME.org"
+# Nextcloud installation directory (must be under a valid documentroot)
+nextcloud_install_dir: "/var/www/{{ nextcloud_fqdn }}"
+# full public URL of your tt-rss installation (update this if you changed the install location to a subdirectory)
+nextcloud_full_url: "https://{{ nextcloud_fqdn }}/"
+
+# HTTPS and SSL/TLS certificate mode for the nextcloud webserver virtualhost
+# letsencrypt: acquire a certificate from Let's Encrypt (nextcloud_fqdn must be piblicly resolvable, port tcp/80 must be reachable from the Internet)
+# selfsigned: generate a self-signed certificate (will generate warning in bowsers and clients)
+# none: disable HTTPS entirely (not recommended)
+nextcloud_https_mode: selfsigned
 
 # nextcloud data storage directory
 nextcloud_data_dir: "/var/nextcloud/data"
@@ -17,26 +27,14 @@ nextcloud_db_name: "nextcloud"
 nextcloud_db_user: "nextcloud"
 nextcloud_db_table_prefix: "oc_"
 nextcloud_db_host: "localhost"
-nextcloud_db_password: "{{ lookup('password', 'secrets/' + inventory_hostname + '.nextcloud_db_password length=18') }}"
-
-# Nextcloud installation directory (must be under a valid documentroot)
-nextcloud_install_dir: "/var/www/{{ nextcloud_fqdn }}/nextcloud"
+nextcloud_db_password: "{{ vault_nextcloud_db_password }}" # CHANGEME
 
-# Nextcloud and applications versions
-# https://github.com/nextcloud/server/releases.atom, remove leading v
-nextcloud_version: '17.0.2'
-# https://github.com/nextcloud/calendar/releases.atom
-nextcloud_calendar_version: 'v2.0.0'
-# https://github.com/nextcloud/contacts/releases.atom
-nextcloud_contacts_version: 'v3.1.7'
-# https://github.com/nextcloud/tasks/releases.atom
-nextcloud_tasks_version: '0.11.3'
-# https://github.com/owncloud/music/releases.atom, remove leading v
-nextcloud_music_version: '0.12.1'
-# https://github.com/nextcloud/notes/releases.atom
-nextcloud_notes_version: 3.1.1
+# nextcloud version to install
+nextcloud_version: "19.0.0"
 
 # Nextcloud applications to enable or disable
+# state: enable/disable
+# app: nextcloud app name
 nextcloud_apps:
   - { state: "disable", app: "encryption" }
   - { state: "disable", app: "files_antivirus" }
@@ -58,7 +56,7 @@ nextcloud_apps:
   - { state: "enable", app: "files_trashbin" }
   - { state: "enable", app: "files_videoplayer" }
   - { state: "enable", app: "firstrunwizard" }
-  - { state: "enable", app: "gallery" }
+  - { state: "enable", app: "photos" }
   - { state: "enable", app: "music" }
   - { state: "enable", app: "notifications" }
   - { state: "enable", app: "systemtags" }

roles/nextcloud/meta/main.yml

@@ -27,3 +27,6 @@ galaxy_info:
     - webdav
     - drive
     - web
+
+dependencies:
+  - lamp

roles/nextcloud/tasks/apache.yml

@@ -0,0 +1,30 @@
+---
+
+- name: enable apache2 modules
+  command: a2enmod {{ item }}
+  with_items:
+    - 'rewrite'
+    - 'headers'
+    - 'env'
+    - 'dir'
+    - 'mime'
+  args:
+    creates: "/etc/apache2/mods-enabled/{{ item }}.load"
+  notify: reload apache
+
+- name: check that nextcloud_https_mode is one of none/selfsigned/letsencrypt
+  assert:
+    that: nextcloud_https_mode in ['none', 'selfsigned', 'letsencrypt']
+    fail_msg: "Unsupported nextcloud_https_mode: {{ nextcloud_https_mode }}"
+
+- name: copy apache2 virtualhost configuration
+  template:
+    src: etc_apache2_sites-available_nextcloud.conf.j2
+    dest: /etc/apache2/sites-available/nextcloud.conf
+  notify: reload apache
+
+- name: enable apache2 virtualhost
+  command: a2ensite nextcloud
+  args:
+    creates: "/etc/apache2/sites-enabled/nextcloud.conf"
+  notify: restart apache

roles/nextcloud/tasks/main.yml

@@ -4,3 +4,14 @@
   become: yes
   tags:
     - nextcloud
+
+- include: ssl-selfsigned.yml
+  become: yes
+  tags:
+    - nextcloud
+  when: nextcloud_https_mode == 'selfsigned'
+
+- include: apache.yml
+  become: yes
+  tags:
+    - nextcloud