ansible/roles/nextcloud/tasks/main.yml

192 lines
6.5 KiB
YAML

#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: Include MySQL role
include_role:
name: mysql
- name: Install, configure, and start Nextcloud
block:
- name: Install Nextcloud-required packages
apt:
name: "{{ packages }}"
vars:
packages:
- apache2
- libapache2-mod-php7.2
- php7.2
- php7.2-gd
- php7.2-json
- php7.2-mysql
- php7.2-curl
- php7.2-mbstring
- php7.2-intl
- php-imagick
- php7.2-xml
- php7.2-zip
- php7.2-cgi
- php7.2-cli
- python-openssl # Needed for keygen
- name: Copy configuration
copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
mode: "{{ item.mode }}"
loop:
- { src: "php-apache2.ini", dest: "/etc/php/7.2/apache2/php.ini", mode: "0644" }
- { src: "php-cgi.ini", dest: "/etc/php/7.2/cgi/php.ini", mode: "0644" }
- name: Set up MySQL
block:
- name: Create database
mysql_db:
name: nextclouddb
login_user: root
login_password: "{{ mysql_root_password }}"
state: present
- name: Create Nextcloud user
mysql_user:
name: nextcloud
host: localhost
password: "{{ nextcloud_mysql_password }}"
priv: "nextclouddb.*:ALL,GRANT"
login_user: root
login_password: "{{ mysql_root_password }}"
- name: Set up Apache
block:
- name: Disable default configuration
file:
# This is a symlink so who cares
path: "/etc/apache2/sites-enabled/000-default.conf"
state: absent
- name: Create webroot
file:
path: "{{ nextcloud_webroot }}"
mode: "0755"
recurse: yes
state: directory
- name: Check for existing installation
stat:
path: "{{ nextcloud_webroot }}/index.html"
register: stat_webroot_index
- name: Install Nextcloud
block:
- name: Download Nextcloud
get_url:
dest: /var/www/nextcloud.tar.bz2
url: "{{ nextcloud_tarbz2 }}"
- name: Extract Nextcloud
unarchive:
src: /var/www/nextcloud.tar.bz2
remote_src: yes
dest: "{{ nextcloud_webroot }}"
extra_opts: [--strip-components=1]
- name: Create data directory
file:
path: "{{ nextcloud_webroot }}/data"
state: directory
- name: Chown webroot
# Nextcloud docs say Apache needs write access, so it gets write access
file:
path: "{{ nextcloud_webroot }}"
state: directory
recurse: yes
owner: www-data
group: www-data
- name: Cleanup
file:
path: /var/www/nextcloud.tar.bz2
state: absent
when: not stat_webroot_index.stat.exists
- name: Enable Apache configs and modules
shell: "{{ item }}"
loop:
- "a2enmod rewrite"
- "a2enmod ssl"
- name: Register certificates
block:
- name: Set up PKI filesystem hierarchy
file:
path: "{{ item.dir }}"
mode: "{{ item.mode }}"
recurse: yes
owner: root
group: www-data
state: directory
loop:
- { dir: "/etc/pki", mode: "0750" }
- { dir: "/etc/pki/cert", mode: "0750" }
- { dir: "/etc/pki/cert/crt", mode: "0750" }
- { dir: "/etc/pki/cert/csr", mode: "0750" }
- { dir: "/etc/pki/cert/private", mode: "0750" }
- name: Create ACME account key
openssl_privatekey:
path: "/etc/pki/cert/private/account.key"
size: 4096
- name: Create certificate key
openssl_privatekey:
path: "/etc/pki/cert/private/{{ nextcloud_url }}.key"
size: 4096
- name: Create CSR
openssl_csr:
path: "/etc/pki/cert/csr/{{ nextcloud_url }}.csr"
common_name: "{{ nextcloud_url }}"
privatekey_path: /etc/pki/cert/private/{{ nextcloud_url }}.key
email_address: "rehashedsalt@cock.li"
- name: Create challenge for CSR
acme_certificate:
acme_directory: "https://acme-staging-v02.api.letsencrypt.org/directory"
acme_version: 2
terms_agreed: yes
account_email: "rehashedsalt@cock.li"
account_key: "/etc/pki/cert/private/account.key"
csr: "/etc/pki/cert/csr/{{ nextcloud_url }}.csr"
dest: "/etc/pki/cert/crt/{{ nextcloud_url }}.crt"
fullchain_dest: "/etc/pki/cert/crt/{{ nextcloud_url }}-fullchain.crt"
register: com_challenge
- name: Fulfill challenge
block:
- name: Configure insecure virtual host configs
template:
src: apache2-vhost.conf
dest: "/etc/apache2/sites-enabled/{{ nextcloud_url }}.conf"
- name: Reload Apache
service:
name: apache2
state: reloaded
- name: Create well-known directory
file:
path: "{{ nextcloud_webroot }}/.well-known/acme-challenge"
mode: "0755"
recurse: yes
state: directory
- name: Copy challenge files
copy:
dest: "{{ nextcloud_webroot }}/{{ com_challenge['challenge_data'][nextcloud_url]['http-01']['resource'] }}"
content: "{{ com_challenge['challenge_data'][nextcloud_url]['http-01']['resource_value'] }}"
- name: Create certificate
acme_certificate:
acme_directory: "https://acme-staging-v02.api.letsencrypt.org/directory"
acme_version: 2
account_key: /etc/pki/cert/private/account.key
csr: "/etc/pki/cert/csr/{{ nextcloud_url }}.csr"
dest: "/etc/pki/cert/crt/{{ nextcloud_url }}.crt"
fullchain_dest: "/etc/pki/cert/crt/{{ nextcloud_url }}-fullchain.crt"
chain_dest: "/etc/pki/cert/crt/{{ nextcloud_url }}-intermediate.crt"
data: "{{ com_challenge }}"
- name: Clean up
file:
path: "{{ nextcloud_webroot }}/.well-known"
state: absent
when: com_challenge is changed
- name: Secure Apache
block:
- name: Copy over virtual host configs
template:
src: apache2-vhost-ssl.conf
dest: "/etc/apache2/sites-enabled/{{ nextcloud_url }}.conf"
- name: Reload Apache
service:
name: apache2
state: reloaded
enabled: true
become: yes