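#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
# Task list: install Nextcloud on a Debian-family host behind Apache and
# obtain a certificate for it over ACME v2 using an HTTP-01 challenge.
#
# Variables this file reads (defined elsewhere, not visible here):
#   mysql_root_password, nextcloud_mysql_password, nextcloud_webroot,
#   nextcloud_tarbz2, nextcloud_url, acme_directory
# Optional:
#   nextcloud_tarbz2_checksum -- "<algo>:<hex>" for get_url; verifies the
#                                downloaded tarball (omitted when unset)
#   acme_account_email        -- contact address registered with the ACME CA
#
# Review notes on the changes made here:
#   * `recurse: yes` was dropped from the `file` tasks that only need to
#     create a directory. With recurse, the mode is re-applied to every file
#     underneath on every run: the webroot task would make
#     config/config.php (DB password, instance secret) world-readable, and
#     the PKI task would make the ACME account key and TLS private key
#     group-readable by www-data, i.e. by the PHP process.
#   * The Nextcloud DB user no longer gets the GRANT option; the application
#     only needs privileges on its own database.
#   * a2enmod is driven through the apache2_module module instead of
#     `shell`, so the task is idempotent and reports changes correctly.
- name: Include MySQL role
  include_role:
    name: mysql

- name: Install, configure, and start Nextcloud
  block:
    - name: Install Nextcloud-required packages
      apt:
        name: "{{ packages }}"
      vars:
        packages:
          - apache2
          - libapache2-mod-php7.2
          - php7.2
          - php7.2-gd
          - php7.2-json
          - php7.2-mysql
          - php7.2-curl
          - php7.2-mbstring
          - php7.2-intl
          - php-imagick
          - php7.2-xml
          - php7.2-zip
          - php7.2-cgi
          - php7.2-cli
          - python-openssl  # Needed for keygen (openssl_* modules)

    - name: Copy configuration
      copy:
        src: "{{ item.src }}"
        dest: "{{ item.dest }}"
        mode: "{{ item.mode }}"
      loop:
        - src: "php-apache2.ini"
          dest: "/etc/php/7.2/apache2/php.ini"
          mode: "0644"
        - src: "php-cgi.ini"
          dest: "/etc/php/7.2/cgi/php.ini"
          mode: "0644"

    - name: Set up MySQL
      block:
        - name: Create database
          mysql_db:
            name: nextclouddb
            login_user: root
            login_password: "{{ mysql_root_password }}"
            state: present

        - name: Create Nextcloud user
          mysql_user:
            name: nextcloud
            host: localhost
            password: "{{ nextcloud_mysql_password }}"
            # Least privilege: full rights on its own database only. The
            # application never needs to grant privileges to other accounts,
            # so the GRANT option is not included.
            priv: "nextclouddb.*:ALL"
            login_user: root
            login_password: "{{ mysql_root_password }}"

    - name: Set up Apache
      block:
        - name: Disable default configuration
          file:
            # This is a symlink into sites-available, so removing it only
            # disables the site.
            path: "/etc/apache2/sites-enabled/000-default.conf"
            state: absent

        - name: Create webroot
          file:
            path: "{{ nextcloud_webroot }}"
            mode: "0755"
            state: directory
          # No recurse here on purpose: this task runs on every play, and a
          # recursive chmod would reset the mode of every file Nextcloud
          # later writes into the webroot (notably config/config.php).

        - name: Check for existing installation
          stat:
            path: "{{ nextcloud_webroot }}/index.html"
          register: stat_webroot_index

        - name: Install Nextcloud
          block:
            - name: Download Nextcloud
              get_url:
                dest: /var/www/nextcloud.tar.bz2
                url: "{{ nextcloud_tarbz2 }}"
                # Verify the archive when a checksum is supplied; the
                # tarball is unpacked and executed as the web application.
                checksum: "{{ nextcloud_tarbz2_checksum | default(omit) }}"
                mode: "0644"

            - name: Extract Nextcloud
              unarchive:
                src: /var/www/nextcloud.tar.bz2
                remote_src: true
                dest: "{{ nextcloud_webroot }}"
                extra_opts: [--strip-components=1]

            - name: Create data directory
              file:
                path: "/var/nextcloud"
                state: directory
                mode: "0700"
                owner: www-data
                group: www-data

            - name: Chown webroot
              # Nextcloud docs say Apache needs write access, so it gets
              # write access. Only runs on a fresh install (see `when` below).
              file:
                path: "{{ nextcloud_webroot }}"
                state: directory
                recurse: true
                owner: www-data
                group: www-data

            - name: Cleanup
              file:
                path: /var/www/nextcloud.tar.bz2
                state: absent
          when: not stat_webroot_index.stat.exists

        - name: Enable Apache modules
          apache2_module:
            name: "{{ item }}"
            state: present
          loop:
            - rewrite
            - ssl

    - name: Register certificates
      block:
        - name: Set up PKI filesystem hierarchy
          file:
            path: "{{ item.dir }}"
            mode: "{{ item.mode }}"
            owner: root
            group: www-data
            state: directory
          loop:
            - { dir: "/etc/pki", mode: "0750" }
            - { dir: "/etc/pki/cert", mode: "0750" }
            - { dir: "/etc/pki/cert/crt", mode: "0750" }
            - { dir: "/etc/pki/cert/csr", mode: "0750" }
            # Apache reads the private key as root at (re)start before
            # dropping privileges, so www-data needs no access to this dir.
            - { dir: "/etc/pki/cert/private", mode: "0700" }

        - name: Create ACME account key
          openssl_privatekey:
            path: "/etc/pki/cert/private/account.key"
            mode: "0600"

        - name: Create certificate key
          openssl_privatekey:
            path: "/etc/pki/cert/private/{{ nextcloud_url }}.key"
            mode: "0600"

        - name: Create CSR
          openssl_csr:
            path: "/etc/pki/cert/csr/{{ nextcloud_url }}.csr"
            common_name: "{{ nextcloud_url }}"
            privatekey_path: "/etc/pki/cert/private/{{ nextcloud_url }}.key"
            email_address: "{{ acme_account_email | default('rehashedsalt@cock.li') }}"

        - name: Create challenge for CSR
          # First pass: registers the account if needed and returns the
          # HTTP-01 challenge data. Reports "changed" only when a new or
          # renewed certificate is actually required.
          acme_certificate:
            acme_directory: "{{ acme_directory }}"
            acme_version: 2
            terms_agreed: true
            account_email: "{{ acme_account_email | default('rehashedsalt@cock.li') }}"
            account_key: "/etc/pki/cert/private/account.key"
            csr: "/etc/pki/cert/csr/{{ nextcloud_url }}.csr"
            dest: "/etc/pki/cert/crt/{{ nextcloud_url }}.crt"
            fullchain_dest: "/etc/pki/cert/crt/{{ nextcloud_url }}-fullchain.crt"
          register: com_challenge

        - name: Fulfill challenge
          block:
            - name: Configure insecure virtual host configs
              # Plain-HTTP vhost so the CA can fetch the challenge token; it
              # is replaced by the TLS vhost in "Secure Apache" below.
              template:
                src: apache2-vhost.conf
                dest: "/etc/apache2/sites-enabled/{{ nextcloud_url }}.conf"

            - name: Reload Apache
              service:
                name: apache2
                state: reloaded

            - name: Create well-known directory
              file:
                path: "{{ nextcloud_webroot }}/.well-known/acme-challenge"
                mode: "0755"
                state: directory

            - name: Copy challenge files
              copy:
                dest: "{{ nextcloud_webroot }}/{{ com_challenge['challenge_data'][nextcloud_url]['http-01']['resource'] }}"
                content: "{{ com_challenge['challenge_data'][nextcloud_url]['http-01']['resource_value'] }}"
                mode: "0644"

            - name: Create certificate
              # Second pass: tells the CA to validate and writes the
              # issued certificate and chains.
              acme_certificate:
                acme_directory: "{{ acme_directory }}"
                acme_version: 2
                account_key: /etc/pki/cert/private/account.key
                csr: "/etc/pki/cert/csr/{{ nextcloud_url }}.csr"
                dest: "/etc/pki/cert/crt/{{ nextcloud_url }}.crt"
                fullchain_dest: "/etc/pki/cert/crt/{{ nextcloud_url }}-fullchain.crt"
                chain_dest: "/etc/pki/cert/crt/{{ nextcloud_url }}-intermediate.crt"
                data: "{{ com_challenge }}"

            - name: Clean up
              file:
                path: "{{ nextcloud_webroot }}/.well-known"
                state: absent
          when: com_challenge is changed

    - name: Secure Apache
      block:
        - name: Copy over virtual host configs
          template:
            src: apache2-vhost-ssl.conf
            dest: "/etc/apache2/sites-enabled/{{ nextcloud_url }}.conf"

        - name: Reload Apache
          service:
            name: apache2
            state: reloaded
            enabled: true
  become: true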