Add disfunctional Nextcloud role

ec2.yml

@@ -4,8 +4,14 @@
 - hosts: ec2
   roles:
     - common
+    - user
+- hosts: tag_role_nextcloud
+  vars:
+    acme_directory: "https://acme-staging-v02.api.letsencrypt.org/directory"
+    acme_version: 2
+    website_url: "nc.assburgers.club"
+  roles:
+    - nextcloud
 - hosts: tag_role_cockpit
   roles:
-    - user
-    - ansiblehost
     - cockpit

roles/nextcloud/meta/main.yml

@@ -0,0 +1,2 @@
+---
+allow_duplicates: no

roles/nextcloud/tasks/main.yml

@@ -0,0 +1,78 @@
+#!/usr/bin/ansible-playbook
+# vim:ft=ansible:
+---
+- name: Install, configure, and start Nextcloud
+  block:
+  - name: Install Nextcloud-required packages
+    apt:
+      name: "{{ packages }}"
+    vars:
+      packages:
+      - apache2
+      - mariadb-server
+      - libapache2-mod-php
+      - php7.2
+      - php7.2-xml
+      - php7.2-curl
+      - php7.2-gd
+      - php7.2-cgi
+      - php7.2-cli
+      - php7.2-zip
+      - php7.2-mysql
+      - php7.2-mbstring
+      - python-openssl # Needed for keygen
+      - python3-openssl
+  - name: Copy configuration
+    block:
+      - name: php-apache2
+        copy:
+          src: php-apache2.ini
+          dest: /etc/php/7.2/apache2/php.ini
+          mode: 644
+      - name: php-cgi
+        copy:
+          src: php-cgi.ini
+          dest: /etc/php/7.2/cgi/php.ini
+          mode: 644
+  - name: Register certificates
+    block:
+      - name: Set up our filesystem heirarchy
+        file:
+          path: "{{ item.dir }}"
+          mode: "{{ item.mode }}"
+          recurse: yes
+          state: directory
+        loop:
+          - { dir: "/etc/pki", mode: "0600" }
+          - { dir: "/etc/pki/cert", mode: "0600" }
+          - { dir: "/etc/pki/cert/csr", mode: "0600" }
+          - { dir: "/etc/pki/cert/fullchain", mode: "0600" }
+          - { dir: "/etc/pki/cert/private", mode: "0600" }
+          - { dir: "/etc/pki/cert/challenge/{{ website_url }}", mode: "0600" }
+      - name: Create ACME account key
+        openssl_privatekey:
+          path: "/etc/pki/cert/private/account.key"
+          size: 4096
+      - name: Register ACME account
+        acme_account:
+          account_key: "/etc/pki/cert/private/account.key"
+          acme_directory: "{{ acme_directory }}"
+          acme_version: "{{ acme_version }}"
+          terms_agreed: yes
+      - name: Create CSR
+        openssl_csr:
+          path: "/etc/pki/cert/csr/{{ website_url }}.csr"
+          common_name: "{{ website_url }}"
+          privatekey_path: /etc/pki/cert/private/account.key
+          email_address: "rehashedsalt@cock.li"
+      - name: Register LE cert
+        acme_certificate:
+          acme_directory: "https://acme-staging-v02.api.letsencrypt.org/directory"
+          acme_version: 2
+          terms_agreed: yes
+          account_email: "rehashedsalt@cock.li"
+          account_key: /etc/pki/cert/private/account.key
+          csr: "/etc/pki/cert/csr/{{ website_url }}.csr"
+          dest: "/etc/pki/cert/{{ website_url }}.crt"
+          fullchain_dest: "/etc/pki/cert/fullchain/{{ website_url }}.crt"
+  become: true

roles/user/tasks/main.yml

@@ -21,71 +21,57 @@
     groups: sudo
     append: yes
   become: yes
-- name: Authorize dsk-cstm-0 for user salt
+- name: Bootstrap user
-  authorized_key:
+  block:
-    user: salt
+  - name: Authorize dsk-cstm-0 for user salt
-    state: present
+    authorized_key:
-    manage_dir: yes
+      user: salt
-    key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc03Q21k7rDuIbZ91dIMOSAM7EpT75YFzOoYL6CfHLZbRDsYTVgUSHYL9lfgGiW9CYL9Gp8QT9eLzIdfgn4e8OMMuoW1jayM9nj6iY3tmWlinuzs535j04Us/aY1Gka+f0qf/vJfRAwO0VN92xmLxW4pQMD/r5DKQ3yppvohnAAPeOhoFeLbEPiBgb1ktNxtQF9GdIOdDIEE+dV0UA07dJskTdJGG9Zbff7VEcQXknhaLdclye+BHlNkRv+MvFu4jPnBNttPiM4TSBgOD88U68M6MsYBJ+2e+7cTiO2DWy9bTtAnhWHD468fdS3S9h62l2lsrGBa5dRpc8RCpPXFo/ Salt@tungsten-qemu"
+      state: present
-  become: yes
+      manage_dir: yes
-  become_user: salt
+      key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc03Q21k7rDuIbZ91dIMOSAM7EpT75YFzOoYL6CfHLZbRDsYTVgUSHYL9lfgGiW9CYL9Gp8QT9eLzIdfgn4e8OMMuoW1jayM9nj6iY3tmWlinuzs535j04Us/aY1Gka+f0qf/vJfRAwO0VN92xmLxW4pQMD/r5DKQ3yppvohnAAPeOhoFeLbEPiBgb1ktNxtQF9GdIOdDIEE+dV0UA07dJskTdJGG9Zbff7VEcQXknhaLdclye+BHlNkRv+MvFu4jPnBNttPiM4TSBgOD88U68M6MsYBJ+2e+7cTiO2DWy9bTtAnhWHD468fdS3S9h62l2lsrGBa5dRpc8RCpPXFo/ Salt@tungsten-qemu"
-- name: Authorize lap-th-e560-0 for user salt
+  - name: Authorize lap-th-e560-0 for user salt
-  authorized_key:
+    authorized_key:
-    user: salt
+      user: salt
-    state: present
+      state: present
-    manage_dir: yes
+      manage_dir: yes
-    key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDyOzdOFNONNhr++/2L3iSN04JsLwYHkapslDMEImI0x4chvdfdA9OkEOZHP5EoMUG6uWL3xZZdQ9Egp931oHDc4W5ylPQ1VtqQ2vcyffCfBTOEaUeEgw2tHBDngMqBgTajMSFvTbaC7JNSIdcGP1KTCCYZ3f8DPjVmG8FAKq1kDnCyI4sXHQswi/AbIBrOsWSW+qjrQdD/jU7T2LPQbU9FB+afinDizhGXUzkmbRkOD5z/YsyrWDfaKhGS4EwJpZbEwT7ocnCaQSa74xYLwUlBONhg3u2wq00mrh7vc2WbeGB7VoCsojPIj5r6KoCKzRBVog2HLQ4W7QqfSW/nXR21 salt@iridium"
+      key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDyOzdOFNONNhr++/2L3iSN04JsLwYHkapslDMEImI0x4chvdfdA9OkEOZHP5EoMUG6uWL3xZZdQ9Egp931oHDc4W5ylPQ1VtqQ2vcyffCfBTOEaUeEgw2tHBDngMqBgTajMSFvTbaC7JNSIdcGP1KTCCYZ3f8DPjVmG8FAKq1kDnCyI4sXHQswi/AbIBrOsWSW+qjrQdD/jU7T2LPQbU9FB+afinDizhGXUzkmbRkOD5z/YsyrWDfaKhGS4EwJpZbEwT7ocnCaQSa74xYLwUlBONhg3u2wq00mrh7vc2WbeGB7VoCsojPIj5r6KoCKzRBVog2HLQ4W7QqfSW/nXR21 salt@iridium"
-  become: yes
+  - name: Check for dotfile initialization
-  become_user: salt
+    stat: path=$HOME/.dotfiles
-- name: Check for dotfile initialization
+    register: p
-  stat: path=$HOME/.dotfiles
+  - name: Configure git SSH substitute for GitHub
-  register: p
+    git_config:
-  become: yes
+      name: url."https://github.com/".insteadOf
-  become_user: salt
+      value: "git@github.com:"
-- name: Configure git SSH substitute for GitHub
+      scope: global
-  git_config:
+    when: not p.stat.exists
-    name: url."https://github.com/".insteadOf
+  - name: Configure git SSH substitute for GitLab
-    value: "git@github.com:"
+    git_config:
-    scope: global
+      name: url."https://gitlab.com/".insteadOf
-  when: not p.stat.exists
+      value: "git@gitlab.com:"
-  become: yes
+      scope: global
-  become_user: salt
+    when: not p.stat.exists
-- name: Configure git SSH substitute for GitLab
+  - name: Clone bootstrap script
-  git_config:
+    git:
-    name: url."https://gitlab.com/".insteadOf
+      accept_hostkey: yes
-    value: "git@gitlab.com:"
+      repo: git@gitlab.com:rehashedsalt/bootstrap
-    scope: global
+      dest: $HOME/bootstrap
-  when: not p.stat.exists
+      depth: 1
-  become: yes
+      force: yes
-  become_user: salt
+    when: not p.stat.exists
-- name: Clone bootstrap script
+  - name: Execute bootstrap script
-  git:
+    shell: cd && ~/bootstrap/build-home.sh
-    accept_hostkey: yes
+    when: not p.stat.exists
-    repo: git@gitlab.com:rehashedsalt/bootstrap
+  - name: Disable untracked files on dotfiles
-    dest: $HOME/bootstrap
+    git_config:
-    depth: 1
+      name: status.showUntrackedFiles
-    force: yes
+      value: "no"
-  when: not p.stat.exists
+      scope: local
-  become: yes
+      repo: ~/.dotfiles
-  become_user: salt
+    when: not p.stat.exists
-- name: Execute bootstrap script
+  - name: Remove bootstrap script directory
-  shell: cd && ~/bootstrap/build-home.sh
+    file:
-  when: not p.stat.exists
+      path: ~/bootstrap
-  become: yes
+      state: absent
-  become_user: salt
+    when: not p.stat.exists
-- name: Disable untracked files on dotfiles
-  git_config:
-    name: status.showUntrackedFiles
-    value: "no"
-    scope: local
-    repo: ~/.dotfiles
-  when: not p.stat.exists
-  become: yes
-  become_user: salt
-- name: Remove bootstrap script directory
-  file:
-    path: ~/bootstrap
-    state: absent
-  when: not p.stat.exists
   become: yes
   become_user: salt