Add nextcloud role

roles/nextcloud/README.md

@@ -0,0 +1 @@
+Sets up a nextcloud podman container, including HaRP using podman in podman

roles/nextcloud/defaults/main.yaml

@@ -0,0 +1,2 @@
+---
+nextcloud_tag: stable

roles/nextcloud/handlers/main.yaml

@@ -0,0 +1,29 @@
+---
+- name: Unregister AppAPI daemon
+  containers.podman.podman_container_exec:
+    name: nextcloud
+    argv:
+      - /var/www/html/occ
+      - app_api:daemon:unregister
+      - harp
+  register: _nextcloud_appapi_unregister
+  changed_when: _nextcloud_appapi_unregister.rc == 0
+  failed_when: _nextcloud_appapi_unregister.rc not in [0, 1]
+  listen: Restart container service nextcloud-harp
+
+- name: Register AppAPI daemon
+  containers.podman.podman_container_exec:
+    name: nextcloud
+    argv:
+      - /bin/sh
+      - -c
+      - >-
+        /var/www/html/occ app_api:daemon:register
+        --harp
+        --harp_frp_address=harp:8782
+        --harp_shared_key "$(cat /run/secrets/harp-shared-key)"
+        --net host
+        --set-default
+        --
+        harp HaRP docker-install http harp:8780 https://{{ nextcloud_domains[0] }}
+  listen: Restart container service nextcloud-harp

roles/nextcloud/meta/argument_specs.yaml

@@ -0,0 +1,19 @@
+---
+argument_specs:
+  main:
+    description: "Sets up a nextcloud podman container, including HaRP using podman in podman"
+    options:
+      nextcloud_domains:
+        description: A list of domains nextcloud should listen on
+        type: list
+        required: true
+        elements: str
+      nextcloud_admin_pw:
+        description: Password of the initial admin user
+        type: str
+        required: true
+      nextcloud_tag:
+        description: Nextcloud version to use
+        type: str
+        required: false
+        default: stable

roles/nextcloud/tasks/main.yaml

@@ -0,0 +1,64 @@
+---
+- name: Nextcloud service
+  ansible.builtin.import_role:
+    name: service
+  vars:
+    service_name: nextcloud
+    service_container_image: docker.io/library/nextcloud:{{ nextcloud_tag }}
+    service_container_http_port: 80
+    service_domains: "{{ nextcloud_domains }}"
+    service_database_type: postgres
+    service_redis: true
+    service_container_mounts:
+      - type: volume
+        source: data
+        destination: /var/www/html
+    service_container_secrets:
+      - name: adminpw
+        value: "{{ nextcloud_admin_pw }}"
+      - name: harp-shared-key
+    service_container_env:
+      POSTGRES_HOST: postgres
+      POSTGRES_DB: nextcloud
+      POSTGRES_USER: nextcloud
+      POSTGRES_PASSWORD_FILE: /run/secrets/postgres
+      REDIS_HOST: redis
+      TRUSTED_PROXIES: 10.0.0.0/8
+      NEXTCLOUD_TRUSTED_DOMAINS: "{{ nextcloud_domains | join(' ') }}"
+      NEXTCLOUD_ADMIN_USER: admin
+      NEXTCLOUD_ADMIN_PASSWORD_FILE: /run/secrets/adminpw
+    service_additional_containers:
+      - name: cron
+        entrypoint: /cron.sh
+      - name: harp
+        add_capabilities:
+          - CAP_SYS_ADMIN
+        image: quay.io/podman/stable:latest
+        user: podman
+        entrypoint: /entrypoint.sh
+        devices:
+          - source: /dev/fuse
+        mounts:
+          - type: template
+            source: containers.conf.j2
+            destination: /etc/containers/containers.conf
+          - type: template
+            source: harp_entrypoint.sh.j2
+            destination: /entrypoint.sh
+            mode: "0755"
+          - type: volume
+            source: harp-certs
+            destination: /certs
+#          - type: volume
+#            source: harp-containers
+#            destination: /home/podman/.local/share/containers
+        env: {}
+        secrets:
+          - name: harp-shared-key
+        publish_ports:
+          - name: harp
+            type: socket
+            container_port: 8780
+    service_vhost_locations:
+      - path: /exapps/*
+        proxy_target_socket: /run/nextcloud-harp-socat.sock

roles/nextcloud/templates/containers.conf.j2

@@ -0,0 +1,9 @@
+[containers]
+ipcns = "host"
+cgroupns = "host"
+cgroups = "disabled"
+log_driver = "k8s-file"
+[engine]
+cgroup_manager = "cgroupfs"
+events_logger = "file"
+runtime = "crun"

roles/nextcloud/templates/harp_entrypoint.sh.j2

@@ -0,0 +1,24 @@
+#!/bin/bash
+# {{ ansible_managed }}
+_term() {
+	echo "Received SIGTERM, stopping all containers"
+	kill "$child"
+}
+
+podman system service -t 0 &
+
+podman run \
+	--rm \
+	-v /run/secrets/harp-shared-key:/run/secrets/harp-shared-key:ro \
+	-e HP_SHARED_KEY_FILE=/run/secrets/harp-shared-key \
+	-e NC_INSTANCE_URL="https://{{ nextcloud_domains[0] }}" \
+	-e HP_TRUSTED_PROXY_IPS="10.0.0.0/8" \
+	-v /tmp/storage-run-1000/podman/podman.sock:/var/run/docker.sock \
+	-v /certs:/certs \
+	--name harp \
+	--network host \
+	ghcr.io/nextcloud/nextcloud-appapi-harp:release &
+
+child=$!
+trap _term SIGTERM
+wait