roles/service/nextcloud/tasks

[root/pub/somesible.git] / roles / service / nextcloud / tasks / main.yml

#####################################
### someone"s ansible provisioner ###
#####################################
# Part of: https://git.somenet.org/root/pub/somesible.git
# 2017-2026 by someone <someone@somenet.org>
#
---
#- name: create postgres-db and user
#  include_role:
#    name: util/postgres-db-usr
#  vars:
#    pg_data:
#      db_server_delegate: "{{nextcloud_db_server_delegate}}"
#      dbname: "{{nextcloud_db_name}}"
#      pw: "{{nextcloud_db_pw}}"
#  when: nextcloud_db_create | default('True')


- name: include vars_nginx_vhost_custom
  include_vars:
    file: "{{item}}"
    name: vars_nginx_vhost_custom
  with_first_found:
    - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/{{nextcloud_domain}}-vars_nginx_vhost_custom.yml"
    - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/{{nextcloud_domain}}-vars_nginx_vhost_custom.yml"
    - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/{{nextcloud_domain}}-vars_nginx_vhost_custom.yml"
    - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/vars_nginx_vhost_custom.yml"
    - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/vars_nginx_vhost_custom.yml"
    - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/vars_nginx_vhost_custom.yml"
    - "default/vars_nginx_vhost_custom.yml"


- name: configure vhost
  include_role:
    name: server/nginx/vhost-unified
  vars:
    vhost_type: "custom+php"
    vhost_name: "{{nextcloud_domain}}"
    vhost_php_custom: ["bzip2", "php8.4-apcu", "php8.4-bcmath", "php8.4-pgsql", "php8.4-curl", "php8.4-gd", "php8.4-gmp", "php8.4-intl", "php-imagick", "php8.4-mbstring", "php8.4-xml", "php8.4-zip", "php8.4-ldap"]
    vhost_dotfile_protection: False
    vhost_custom:
      vhost_custom_pre_server: "{{vars_nginx_vhost_custom.vhost_custom_pre_server}}"
      vhost_custom: "{{vars_nginx_vhost_custom.vhost_custom}}"


- name: set up data-dir
  file:
    path: "{{nextcloud_data_dir_path}}"
    state: directory
    mode: 0750
    owner: "www-data"
    group: "www-data"


- name: set up log-dir
  file:
    path: "/var/log/nextcloud/"
    state: directory
    mode: 0750
    owner: "www-data"
    group: "adm"


- name: nextcloud logrotate config
  copy:
    src: "{{item}}"
    dest: "/etc/logrotate.d/nextcloud"
    mode: 0644
    owner: "root"
    group: "root"
  with_first_found:
    - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/nextcloud.logrotate"
    - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/nextcloud.logrotate"
    - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/nextcloud.logrotate"
    - "default/nextcloud.logrotate"


- name: download nextcloud release and check checksums
  get_url:
    url: "{{nextcloud_download_url}}"
    dest: "/var/www/{{nextcloud_domain}}-nextcloud.tar.bz2"
    mode: 0640
    owner: "www-data"
    group: "www-data"
    checksum: "{{nextcloud_download_checksum}}"
    timeout: 30
  tags: "online"
  register: download


- name: set up new webroot-dir
  file:
    path: "/var/www/{{nextcloud_domain}}.tmp"
    state: directory
    mode: 0750
    owner: "www-data"
    group: "www-data"
  when: download is defined and download.changed


- name: extract downloaded nextcloud files
  unarchive:
    src: "/var/www/{{nextcloud_domain}}-nextcloud.tar.bz2"
    dest: "/var/www/{{nextcloud_domain}}.tmp"
    remote_src: yes
    mode: "u=rwX,g=rX,o-rwx"
    owner: "www-data"
    group: "www-data"
    extra_opts:
      - '--strip-components=1'
      - '--show-stored-names'
  when: download is defined and download.changed


- name: use existing config file
  command: "mv /var/www/{{nextcloud_domain}}/config/config.php /var/www/{{nextcloud_domain}}.tmp/config/"
  args:
    removes: "/var/www/{{nextcloud_domain}}/config/config.php"
  when: download is defined and download.changed


- name: remove old files
  file:
    path: "/var/www/{{nextcloud_domain}}"
    state: absent
  when: download is defined and download.changed


- name: move newly extracted files to destination
  command: "mv /var/www/{{nextcloud_domain}}.tmp /var/www/{{nextcloud_domain}}"
  args:
    creates: "/var/www/{{nextcloud_domain}}"
  when: download is defined and download.changed


- name: remove possibly left over files
  file:
    path: "/var/www/{{nextcloud_domain}}.tmp"
    state: absent
  when: download is defined and download.changed


- name: install nextcloud
  become: true
  become_user: "www-data"
  command: >
    php occ maintenance:install
    --database=pgsql
    --database-host="{{nextcloud_db_host}}"
    --database-name="{{nextcloud_db_name}}"
    --database-user="{{nextcloud_db_name}}"
    --database-pass="{{nextcloud_db_pw}}"
    --admin-user="{{nextcloud_admin_user}}"
    --admin-pass="{{nextcloud_admin_pw}}"
    --data-dir="{{nextcloud_data_dir_path}}/data"
  args:
    chdir: "/var/www/{{nextcloud_domain}}"
    creates: "/var/www/{{nextcloud_domain}}/config/config.php"
  when: download is defined and download.changed


- name: write-unlock config
  become: true
  become_user: "www-data"
  lineinfile:
    path: "/var/www/{{nextcloud_domain}}/config/config.php"
    state: absent
    regexp: 'config_is_read_only'
  changed_when: False


- name: finish nextcloud upgrade by running occ upgrade
  become: true
  become_user: "www-data"
  shell: 'php --define apc.enable_cli=1 occ upgrade'
  args:
    chdir: "/var/www/{{nextcloud_domain}}"
  register: script_res
  changed_when: "'Nextcloud is already latest version' not in script_res.stdout"


- name: finish nextcloud upgrade by running occ upgrade
  become: true
  become_user: "www-data"
  shell: 'php --define apc.enable_cli=1 occ maintenance:repair --include-expensive'
  args:
    chdir: "/var/www/{{nextcloud_domain}}"
  register: script_res
  when: script_res.changed


- name: ensure trusted domains are set
  become: true
  become_user: "www-data"
  shell: 'echo "prev-$(php --define apc.enable_cli=1 occ config:system:get trusted_domains {{ item.0 }})-"; php --define apc.enable_cli=1 occ config:system:set trusted_domains {{ item.0 }} --value "{{ item.1 }}"'
  args:
    chdir: "/var/www/{{nextcloud_domain}}"
  register: script_res
#  changed_when: "'prev-{{item.1}}-' not in script_res.stdout"
  changed_when: False
  with_indexed_items:
    - 'localhost'
    - "{{nextcloud_domain}}"


- name: "install/update/enable apps"
  become: true
  become_user: "www-data"
  shell: 'php --define apc.enable_cli=1 occ app:install -- "{{ item }}"; php --define apc.enable_cli=1 occ app:update -- "{{ item }}"; php --define apc.enable_cli=1 occ app:enable -- "{{ item }}"; true'
  args:
    chdir: "/var/www/{{nextcloud_domain}}"
  with_items:
    - "{{nextcloud_installed_apps[nextcloud_domain] | default(nextcloud_default_installed_apps)}}"
  tags: "online"


- name: finish nextcloud upgrade by running occ db:add-missing-columns
  become: true
  become_user: "www-data"
  shell: 'php --define apc.enable_cli=1 occ db:add-missing-columns'
  args:
    chdir: "/var/www/{{nextcloud_domain}}"
  register: script_res
  changed_when: "'Adding' in script_res.stdout"


- name: finish nextcloud upgrade by running occ db:add-missing-indices
  become: true
  become_user: "www-data"
  shell: 'php --define apc.enable_cli=1 occ db:add-missing-indices'
  args:
    chdir: "/var/www/{{nextcloud_domain}}"
  register: script_res
  changed_when: "'Adding' in script_res.stdout"


- name: finish nextcloud upgrade by running occ db:add-missing-primary-keys
  become: true
  become_user: "www-data"
  shell: 'php --define apc.enable_cli=1 occ db:add-missing-primary-keys'
  args:
    chdir: "/var/www/{{nextcloud_domain}}"
  register: script_res
  changed_when: "'Adding' in script_res.stdout"


- name: finish nextcloud upgrade by running occ maintenance:repair --include-expensive
  become: true
  become_user: "www-data"
  shell: 'php --define apc.enable_cli=1 occ maintenance:repair --include-expensive'
  args:
    chdir: "/var/www/{{nextcloud_domain}}"
  register: script_res
  changed_when: "'Adding' in script_res.stdout"


  # Failcloud expects an unsafe config-key behavior
  # Therefore  we must use
  #   shell: 'echo "prev-$(php occ config:system:get {{ item.key }})-"; php occ config:system:set $(echo -n "{{ item.key }}" ) --value "{{ item.value }}"'
  # instead of
  #   shell: 'echo "prev-$(php occ config:system:get {{ item.key }})-"; php occ config:system:set "{{ item.key }}"--value "{{ item.value }}"'
- name: apply config options
  become: true
  become_user: "www-data"
  shell: 'echo "prev-$(php --define apc.enable_cli=1 occ config:system:get {{ item.key }})-"; php --define apc.enable_cli=1 occ config:system:set $(echo -n "{{ item.key }}" ) --value "{{ item.value }}"'
  args:
    chdir: "/var/www/{{nextcloud_domain}}"
  register: script_res
#  changed_when: "'prev-{{item.value}}-' not in script_res.stdout"
  changed_when: False
  with_items:
    - "{{nextcloud_config_options[nextcloud_domain]|default(nextcloud_default_config_options)}}"


- name: finish nextcloud upgrade by running occ upgrade again
  become: true
  become_user: "www-data"
  shell: 'php --define apc.enable_cli=1 occ upgrade'
  args:
    chdir: "/var/www/{{nextcloud_domain}}"
  register: script_res
  changed_when: "'Nextcloud is already latest version' not in script_res.stdout"


- name: write-lock config
  become: true
  become_user: "www-data"
  shell: 'php --define apc.enable_cli=1 occ config:system:set config_is_read_only --value true'
  args:
    chdir: "/var/www/{{nextcloud_domain}}"
  changed_when: False


- name: copy nextcloud-cron@.service to /etc/systemd/system/
  copy:
    src: "{{item}}"
    dest: "/etc/systemd/system/nextcloud-cron@.service"
    mode: 0644
    owner: "root"
    group: "root"
  with_first_found:
    - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/nextcloud-cron@.service"
    - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/nextcloud-cron@.service"
    - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/nextcloud-cron@.service"
    - "default/nextcloud-cron@.service"


- name: copy nextcloud-cron@.timer to /etc/systemd/system/
  copy:
    src: "{{item}}"
    dest: "/etc/systemd/system/nextcloud-cron@.timer"
    mode: 0644
    owner: "root"
    group: "root"
  with_first_found:
    - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/nextcloud-cron@.timer"
    - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/nextcloud-cron@.timer"
    - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/nextcloud-cron@.timer"
    - "default/nextcloud-cron@.timer"


- name: copy fail2ban.filter.d.nextcloud.conf to /etc/fail2ban/filter.d/
  copy:
    src: "{{item}}"
    dest: "/etc/fail2ban/filter.d/nextcloud.conf"
    mode: 0644
    owner: "root"
    group: "root"
  with_first_found:
    - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/fail2ban.filter.d.nextcloud.conf"
    - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/fail2ban.filter.d.nextcloud.conf"
    - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/fail2ban.filter.d.nextcloud.conf"
    - "default/fail2ban.filter.d.nextcloud.conf"
  notify: reload fail2ban.service


- name: copy fail2ban.jail.d.nextcloud.conf to /etc/fail2ban/jail.d/
  copy:
    src: "{{item}}"
    dest: "/etc/fail2ban/jail.d/nextcloud.conf"
    mode: 0644
    owner: "root"
    group: "root"
  with_first_found:
    - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/fail2ban.jail.d.nextcloud.conf"
    - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/fail2ban.jail.d.nextcloud.conf"
    - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/fail2ban.jail.d.nextcloud.conf"
    - "default/fail2ban.jail.d.nextcloud.conf"
  notify: reload fail2ban.service


- name: reload, enable and start nextcloud-cron@.timer.
  include_role: name="base/systemd/enable-and-start"
  vars:
    service_name: "nextcloud-cron@{{nextcloud_domain}}.timer"