lmn-client/roles/nextcloud/tasks/main.yml

## Install and configure nextcloud

- name: install apache, php- and db-packages
  apt:
    name:
      - apache2
      - mariadb-server
      - python3-pymysql
      - php-apcu
      - php-fpm
      - php-curl
      - php-gd
      - php-imagick
      - php-intl
      - php-json
      - php-ldap
      - php-mbstring
      - php-mysql
      - php-xml
      - php-zip
    state: latest

- name: disable apache modules
  apache2_module:
    state: absent
    name: "{{ item }}"
  with_items:
    - mpm_prefork
    - mpm_worker
  notify: "restart apache2"

- name: enable apache modules
  apache2_module:
    name: "{{ item }}"
  with_items:
    - proxy_fcgi
    - mpm_event
    - rewrite
    - headers
    - ssl
    - http2
  notify: "restart apache2"

- name: find php version
  shell: ls /etc/php/ | sort | tail -1
  register: php_ver
  changed_when: False

- name: enable php-fpm conf
  command: a2enconf php{{ php_ver.stdout }}-fpm
  args:
    creates: /etc/apache2/conf-enabled/php{{ php_ver.stdout }}-fpm.conf
  notify: "restart apache2"

- name: tune php-fpm
  replace:
    dest: /etc/php/{{ php_ver.stdout }}/fpm/pool.d/www.conf
    regexp: "{{ item.regex }}"
    replace: "{{ item.replace }}"
  with_items:
    - { regex: "^pm.max_children = .*$", replace: "pm.max_children = 120" }
    - { regex: "^pm.start_servers = .*$", replace: "pm.start_servers = 12" }
    - { regex: "^pm.min_spare_servers = .*$", replace: "pm.min_spare_servers = 6" }
    - { regex: "^pm.max_spare_servers = .*$", replace: "pm.max_spare_servers = 18" }
  notify: "restart php-fpm"

- name: increase php memory limit
  replace:
    dest: "/etc/php/{{ php_ver.stdout }}/fpm/php.ini"
    regexp: "^memory_limit = .*"
    replace: "memory_limit = 512M"
  notify: "restart apache2"

- name: provide nextcloud site
  copy:
    src: nextcloud.conf
    dest: /etc/apache2/sites-available/nextcloud.conf
  notify: "restart apache2"

- name: provide kerberos SSO config
  copy:
    src: krb5-nextcloud.conf
    dest: /etc/apache2/sites-available/krb5-nextcloud.conf
  when: "'kerberize' in role_names"
  notify: "restart apache2"

- name: enable nextcloud site
  command: a2ensite nextcloud.conf
  args:
    creates: /etc/apache2/sites-enabled/nextcloud.conf
  notify: "restart apache2"

- name: enable kerberos access to nextcloud site
  command: a2ensite krb5-nextcloud.conf
  args:
    creates: /etc/apache2/sites-enabled/krb5-nextcloud.conf
  notify: "restart apache2"
  when: "'kerberize' in role_names"

- name: enable https
  shell: 'grep -q "VirtualHost .*:443" * || a2ensite default-ssl.conf'
  args:
    chdir: /etc/apache2/sites-enabled/
    creates: default-ssl.conf
  notify: "restart apache2"
  register: cmd_result
  changed_when: cmd_result.stdout != '' and cmd_result.stdout is not search('skipped')

- name: make sure data directory exists
  file:
    path: "{{ data_dir }}"
    state: directory
    owner: www-data
    group: www-data


## install nextcloud:
- name: check if we are installing
  stat: path="{{ nc_dir }}"
  register: nextcloud

- name: create database with name 'nextcloud'
  mysql_db:
    login_unix_socket: /var/run/mysqld/mysqld.sock
    name: nextcloud
    state: present
  when: not nextcloud.stat.exists

- name: create database user 'nextcloud'
  mysql_user:
    login_unix_socket: /var/run/mysqld/mysqld.sock
    name: nextcloud
    password: "{{ db_nextcloud_pwd }}"
    priv: 'nextcloud.*:ALL'
    state: present
  when: not nextcloud.stat.exists

- name: unpack nextcloud archive
  unarchive:
    src: nextcloud.tar.bz2
    dest: "{{ www_root }}"
    owner: www-data
    group: www-data
  when: not nextcloud.stat.exists

- name: initialize nextcloud
  command:
    cmd: >
      sudo -u www-data php ./occ maintenance:install
      --database "mysql"
      --database-name "nextcloud"
      --database-user "nextcloud"
      --database-pass "{{ db_nextcloud_pwd }}"
      --admin-user "nc-admin"
      --admin-pass "{{ nc_admin_pwd }}"
      --data-dir "{{ data_dir }}"
  args:
    chdir: "{{ nc_dir }}"
  no_log: True
  when: not nextcloud.stat.exists

- name: dump nc-admin password
  shell: echo -n "{{ nc_admin_pwd }}" > "{{ nc_admin_pwd_file }}" ; chmod 0600 "{{ nc_admin_pwd_file }}"
  no_log: True
  when: not nextcloud.stat.exists

- name: enable APCu memcache
  command: sudo -u www-data php ./occ config:system:set memcache.local --value='\OC\Memcache\APCu'
  args:
    chdir: "{{ nc_dir }}"
    warn: False
  when: not nextcloud.stat.exists

- name: allow access from LAN
  command: sudo -u www-data php ./occ config:system:set trusted_domains 1 --value='192.168.*.*'
  args:
    chdir: "{{ nc_dir }}"
    warn: False
  when: not nextcloud.stat.exists


## app installations:
- name: check if calendar app is installed
  stat: path="{{ nc_dir }}/apps/calendar"
  register: calendar

- name: install calendar app
  command: sudo -u www-data php ./occ app:install calendar
  args:
    chdir: "{{ nc_dir }}"
    warn: False
  when: not calendar.stat.exists

- name: check if notes app is installed
  stat: path="{{ nc_dir }}/apps/notes"
  register: notes

- name: install notes app
  command: sudo -u www-data php ./occ app:install notes
  args:
    chdir: "{{ nc_dir }}"
    warn: False
  when: not notes.stat.exists

## nextcloudcron
- name: provide nextcloudcron.service and .timer
  copy:
    src: "{{ item }}"
    dest: "/etc/systemd/system/{{ item }}"
  with_items:
    - nextcloudcron.service
    - nextcloudcron.timer
  register: nextcloudcron
  notify: "enable nextcloudcron.service"

- name: switch to systemd timer
  command: sudo -u www-data php ./occ background:cron
  args:
    chdir: "{{ nc_dir }}"
    warn: False
  when: nextcloudcron.changed


## ToDo kerberox integration:
# sudo -u www-data php ./occ app:enable user_ldap
# sudo -u www-data php ./occ app:install user_saml

# sudo -u www-data php ./occ ldap