Update role name

README.md

@@ -9,13 +9,12 @@ This role configures a web server on your host for Nextcloud
 ## Role configuration
 * `domain_name` (default: localdomain) - Your domain for web server configuration. i.e. `example.com` if you would like your Nextcloud instance to be reachable at nextcloud.example.com
 * `nextcloud_subdomain` (default: nextcloud) - The subdomain at which you'd like to access your Nextcloud instance
-* `nextcloud_ssl` (default: false) - Whether or not you'd like to enable SSL. This will not create certificates, you will need to configure [certbot](https://certbot.eff.org/instructions) or other certificates manually.
-* `nextcloud_apache2_virtualhost` (default: false) - Enable this if you would like to use a virtual host configuration rather than directory-based. See the [Nextcloud documentation](https://docs.nextcloud.com/server/latest/admin_manual/installation/source_installation.html#apache-web-server-configuration) for more information.
+* `nextcloud_ssl` (default: true) - Whether or not you'd like to enable SSL. This will not create certificates, you will need to configure [certbot](https://certbot.eff.org/instructions) or other certificates manually.
+* `nextcloud_ssl_certificate_path` (default: /etc/ssl/certs/ssl-cert-snakeoil.pem) - The path to your SSL certificate
+* `nextcloud_ssl_key_path` (default: /etc/ssl/private/ssl-cert-snakeoil.key) - The path to your SSL certificate key
 * `nextcloud_apache2_fcgi` (default: false) - Enable this if you are using `mod_fcgi` rather than the standard `mod_php`. This will enable the `mod_setenvif` PHP module.
 * `nextcloud_apache2_config_path` (default: /etc/apache2/sites-available/nextcloud.conf) - The path to your Nextcloud Apache2 site configuration.
 
 ### Experimental options
 * `nextcloud_nginx` (default: false) - Configure an nginx web server rather than Apache2. **nginx is not officially supported by Nextcloud**
 * `nextcloud_nginx_config_path` (default: /etc/nginx/nginx.conf) - The path to your Nextcloud nginx configuration.
-* `nextcloud_nginx_ssl_certificate_path` (default: /etc/ssl/nginx/nextcloud.localdomain.crt) - The path to your SSL certificate
-* `nextcloud_nginx_ssl_key_path` (default: /etc/ssl/nginx/nextcloud.localdomain.key) - The path to your SSL certificate key

defaults/main.yaml

@@ -3,18 +3,22 @@
 # Your domain name for web server configuration
 domain_name: 'localdomain'
 
+# The major version of Nextcloud to install
+nextcloud_version: 23
+
 # The subdomain at which you'd like Nextcloud to be accessible at
 nextcloud_subdomain: nextcloud
 
 nextcloud_www_path: '/var/www/nextcloud/'
 
-nextcloud_ssl: false
+nextcloud_ssl: true
+nextcloud_ssl_certificate_path: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
+nextcloud_ssl_key_path: "/etc/ssl/private/ssl-cert-snakeoil.key"
+nextcloud_hsts: true
+nextcloud_hsts_preload: false
 
 # Apache configuration
 
-# Configure with virtualhost rather than directory-based Apache site
-nextcloud_apache2_virtualhost: false
-
 # If using mod_fcgi rather than the standard mod_php, we should also enable mod_setenvif
 nextcloud_apache2_fcgi: false
 
@@ -25,5 +29,3 @@ nextcloud_apache2_config_path: '/etc/apache2/sites-available/nextcloud.conf'
 # Configure with nginx rather than Apache
 nextcloud_nginx: false
 nextcloud_nginx_config_path: "/etc/nginx/nginx.conf"
-nextcloud_nginx_ssl_certificate_path: "/etc/ssl/nginx/{{ nextcloud_subdomain }}.{{ domain_name }}.crt"
-nextcloud_nginx_ssl_key_path: "/etc/ssl/nginx/{{ nextcloud_subdomain }}.{{ domain_name }}.key"

handlers/main.yaml

@@ -1,7 +1,4 @@
 ---
-- name: Enable Nextcloud site
-  ansible.builtin.command: a2ensite nextcloud.conf
-
 - name: Restart Apache
   ansible.builtin.systemd:
     name: httpd

meta/main.yaml

@@ -1,5 +1,6 @@
 ---
 galaxy_info:
+  role_name: nextcloud
   author: Corbin Bartsch
   description: Configure a Debian host for Nextcloud installation
   license: MIT

tasks/apache2_modules.yaml

@@ -1,9 +1,11 @@
 ---
 - name: Enable Apache2 modules
   community.general.apache2_module:
-    name: rewrite
+    name: "{{ item }}"
     state: present
   with_items:
+    - alias
+    - proxy
     - rewrite
     - headers
     - env
@@ -11,3 +13,9 @@
     - mime
   notify:
     - Restart Apache
+
+- name: Enable Apache2 module SSL
+  community.general.apache2_module:
+    name: ssl
+    state: present
+  when: nextcloud_ssl

tasks/apache2_site.yaml

@@ -0,0 +1,4 @@
+---
+- name: Enable Nextcloud site
+  ansible.builtin.command: a2ensite nextcloud.conf
+  when: not nextcloud_nginx and not nextcloud_ssl

tasks/apache2_template.yaml

@@ -1,20 +1,19 @@
 ---
-- name: Write directory-based nextcloud.conf file
+- name: Write Apache2 SSL nextcloud.conf file
   ansible.builtin.template:
-    src: apache2_directory_nextcloud.conf.j2
+    src: apache2_ssl_nextcloud.conf.j2
     dest: "{{ nextcloud_apache2_config_path }}"
     mode: '0644'
   become: true
-  when: not nextcloud_apache2_virtualhost
-  notify:
-    - Enable Nextcloud site
+  when: nextcloud_ssl
+  notify: Enable Nextcloud site
 
-- name: Write virtualhost nextcloud.conf file
+- name: Write Apache2 nextcloud.conf file
   ansible.builtin.template:
-    src: apache2_virtualhost_nextcloud.conf.j2
+    src: apache2_nextcloud.conf.j2
     dest: "{{ nextcloud_apache2_config_path }}"
     mode: '0644'
   become: true
-  when: nextcloud_apache2_virtualhost
+  when: not nextcloud_ssl
   notify:
     - Enable Nextcloud site

tasks/install_nextcloud.yaml

@@ -0,0 +1,15 @@
+---
+- name: Download latest Nextcloud {{ nextcloud_version }} tar.bz2 archive
+  ansible.builtin.unarchive:
+    src: "https://download.nextcloud.com/server/releases/latest-{{ nextcloud_version }}.tar.bz2"
+    dest: "{{ nextcloud_www_path }}"
+    extra_opts:
+      - --transform
+      - s/^nextcloud\///
+
+- name: Change ownership of Nextcloud directories
+  ansible.builtin.file:
+    path: "{{ nextcloud_www_path }}"
+    owner: www-data
+    group: www-data
+    recurse: true

tasks/main.yaml

@@ -10,13 +10,13 @@
   include_tasks: apache2_modules.yaml
   when: not nextcloud_nginx
 
+- name: Enable Apache2 site
+  include_tasks: apache2_site.yaml
+  when: not nextcloud_nginx
+
 - name: Create nginx config
   include_tasks: nginx_template.yaml
   when: nextcloud_nginx
 
-- name: Change ownership of Nextcloud directories
-  ansible.builtin.file:
-    path: "{{ nextcloud_www_path }}"
-    owner: www-data
-    group: www-data
-    recurse: true
+- name: Install Nextcloud files
+  include_tasks: install_nextcloud.yaml

tasks/nginx_template.yaml

@@ -1,7 +1,7 @@
 ---
 - name: Write nginx.conf file
   ansible.builtin.template:
-    src: nginx.conf
+    src: nginx.conf.j2
     dest: "{{ nextcloud_nginx_config_path }}"
     mode: '0644'
   become: true

tasks/packages.yaml

@@ -5,12 +5,24 @@
     state: present
   when: not nextcloud_nginx
 
+- name: Remove nginx package
+  ansible.builtin.package:
+    name: nginx
+    state: absent
+  when: not nextcloud_nginx
+
 - name: Ensure nginx package is installed
   ansible.builtin.package:
     name: nginx
     state: present
   when: nextcloud_nginx
 
+- name: Remove Apache2 package
+  ansible.builtin.package:
+    name: apache2
+    state: absent
+  when: nextcloud_nginx
+
 - name: Ensure PHP package is installed
   ansible.builtin.package:
     name: php

templates/apache2_directory_nextcloud.conf.j2

@@ -1,13 +0,0 @@
-# {{ ansible_managed }}
-
-Alias /nextcloud "{{ nextcloud_www_path }}"
-
-<Directory {{ nextcloud_www_path }}>
-  Require all granted
-  AllowOverride All
-  Options FollowSymLinks MultiViews
-
-  <IfModule mod_dav.c>
-    Dav off
-  </IfModule>
-</Directory>

templates/apache2_nextcloud.conf.j2

@@ -0,0 +1,18 @@
+# {{ ansible_managed }}
+
+<VirtualHost *:80>
+	DocumentRoot {{ nextcloud_www_path }}
+	ServerName {{ ansible_hostname }}.{{ domain_name }}
+	
+	<Directory {{ nextcloud_www_path }}>
+		Require all granted
+		AllowOverride All
+		Options FollowSymLinks MultiViews
+		
+		<IfModule mod_dav.c>
+			Dav off
+		</IfModule>
+	</Directory>
+</VirtualHost>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

templates/apache2_ssl_nextcloud.conf.j2

@@ -0,0 +1,43 @@
+# {{ ansible_managed }}
+
+<IfModule mod_ssl.c>
+	<VirtualHost *:80>
+		ServerName {{ nextcloud_subdomain }}.{{ domain_name }}
+		Redirect permanent / https://{{ nextcloud_subdomain }}.{{ domain_name }}/
+	</VirtualHost>
+
+	<VirtualHost *:443>
+	 	ServerName {{ nextcloud_subdomain }}.{{ domain_name }}
+
+		DocumentRoot {{ nextcloud_www_path }}
+
+		ErrorLog ${APACHE_LOG_DIR}/error.log
+		CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+		SSLEngine on
+		SSLCertificateFile {{ nextcloud_ssl_certificate_path }}
+		SSLCertificateKeyFile {{ nextcloud_ssl_key_path }}
+	
+	 	<Directory {{ nextcloud_www_path }}>
+	 		Require all granted
+	 		AllowOverride All
+	 		Options FollowSymLinks MultiViews
+	
+	 		<IfModule mod_dav.c>
+	 			Dav off
+	 		</IfModule>
+	 	</Directory>
+		
+		<FilesMatch "\.php$">
+			SSLOptions +StdEnvVars
+		</FilesMatch>
+
+{% if nextcloud_hsts %}
+		<IfModule mod_headers.c>
+			Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains{% if nextcloud_hsts_preload %}; preload{% endif %}"
+		</IfModule>
+{% endif %}
+	</VirtualHost>
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

templates/apache2_virtualhost_nextcloud.conf.j2

@@ -1,16 +0,0 @@
-# {{ ansible_managed }}
-
-<VirtualHost *:80>
-  DocumentRoot {{ nextcloud_www_path }}
-  ServerName {{ ansible_hostname }}.{{ domain_name }}
-
-  <Directory {{ nextcloud_www_path }}>
-    Require all granted
-    AllowOverride All
-    Options FollowSymLinks MultiViews
-
-    <IfModule mod_dav.c>
-      Dav off
-    </IfModule>
-  </Directory>
-</VirtualHost>

templates/config.php.j2

@@ -0,0 +1,28 @@
+<?php
+$CONFIG = array (
+  'instanceid' => '',
+  'passwordsalt' => '',
+  'secret' => '',
+  'trusted_domains' => 
+  array (
+    0 => '{{ nextcloud_subdomain }}.{{ domain_name }}',
+  ),
+  'datadirectory' => '{{ nextcloud_data_directory }}',
+  'dbtype' => '{{ nextcloud_db_type }}',
+  'version' => '23.0.3.2',
+  'overwrite.cli.url' => 'http://{{ nextcloud_subdomain }}.{{ domain_name }}',
+  'dbname' => 'nextcloud',
+  'dbhost' => '{{ nextcloud_db_host }}:{{ nextcloud_db_port }}',
+  'dbport' => '',
+  'dbtableprefix' => 'oc_',
+  'dbuser' => '{{ nextcloud_db_user }}',
+  'dbpassword' => '{{ nextcloud_db_pass }}',
+  'installed' => true,
+  'twofactor_enforced' => 'true',
+  'twofactor_enforced_groups' => 
+  array (
+  ),
+  'twofactor_enforced_excluded_groups' => 
+  array (
+  ),
+);

templates/nginx.conf.j2

@@ -31,8 +31,8 @@ server {
 
     # Use Mozilla's guidelines for SSL/TLS settings
     # https://mozilla.github.io/server-side-tls/ssl-config-generator/
-    ssl_certificate     {{ nextcloud_nginx_ssl_certificate_path }};
-    ssl_certificate_key {{ nextclodu_nginx_ssl_key_path }};
+    ssl_certificate     {{ nextcloud_ssl_certificate_path }};
+    ssl_certificate_key {{ nextcloud_ssl_key_path }};
 
     # HSTS settings
     # WARNING: Only add the preload option once you read about