From 61c0724801bf9ea2d96bd729ea504801b9987c02 Mon Sep 17 00:00:00 2001 From: uumas Date: Thu, 12 Mar 2026 00:45:25 +0200 Subject: [PATCH] Add nextcloud role --- roles/nextcloud/README.md | 1 + roles/nextcloud/defaults/main.yaml | 2 + roles/nextcloud/handlers/main.yaml | 29 +++++++++ roles/nextcloud/meta/argument_specs.yaml | 19 ++++++ roles/nextcloud/tasks/main.yaml | 64 +++++++++++++++++++ roles/nextcloud/templates/containers.conf.j2 | 9 +++ .../nextcloud/templates/harp_entrypoint.sh.j2 | 24 +++++++ 7 files changed, 148 insertions(+) create mode 100644 roles/nextcloud/README.md create mode 100644 roles/nextcloud/defaults/main.yaml create mode 100644 roles/nextcloud/handlers/main.yaml create mode 100644 roles/nextcloud/meta/argument_specs.yaml create mode 100644 roles/nextcloud/tasks/main.yaml create mode 100644 roles/nextcloud/templates/containers.conf.j2 create mode 100644 roles/nextcloud/templates/harp_entrypoint.sh.j2 diff --git a/roles/nextcloud/README.md b/roles/nextcloud/README.md new file mode 100644 index 0000000..af9bd41 --- /dev/null +++ b/roles/nextcloud/README.md @@ -0,0 +1 @@ +Sets up a nextcloud podman container, including HaRP using podman in podman diff --git a/roles/nextcloud/defaults/main.yaml b/roles/nextcloud/defaults/main.yaml new file mode 100644 index 0000000..79fa7a2 --- /dev/null +++ b/roles/nextcloud/defaults/main.yaml @@ -0,0 +1,2 @@ +--- +nextcloud_tag: stable diff --git a/roles/nextcloud/handlers/main.yaml b/roles/nextcloud/handlers/main.yaml new file mode 100644 index 0000000..f6a9161 --- /dev/null +++ b/roles/nextcloud/handlers/main.yaml 
@@ -0,0 +1,29 @@
+---
+- name: Unregister AppAPI daemon
+ containers.podman.podman_container_exec:
+ name: nextcloud
+ argv:
+ - /var/www/html/occ
+ - app_api:daemon:unregister
+ - harp
+ register: _nextcloud_appapi_unregister
+ changed_when: _nextcloud_appapi_unregister.rc == 0
+ failed_when: _nextcloud_appapi_unregister.rc not in [0, 1]
+ listen: Restart container service nextcloud-harp
+
+- name: Register AppAPI daemon
+ containers.podman.podman_container_exec:
+ name: nextcloud
+ argv:
+ - /bin/sh
+ - -c
+ - >-
+ /var/www/html/occ app_api:daemon:register
+ --harp
+ --harp_frp_address=harp:8782
+ --harp_shared_key "$(cat /run/secrets/harp-shared-key)"
+ --net host
+ --set-default
+ --
+ harp HaRP docker-install http harp:8780 https://{{ nextcloud_domains[0] }}
+ listen: Restart container service nextcloud-harp
diff --git a/roles/nextcloud/meta/argument_specs.yaml b/roles/nextcloud/meta/argument_specs.yaml
new file mode 100644
index 0000000..2ee1504
--- /dev/null
+++ b/roles/nextcloud/meta/argument_specs.yaml
@@ -0,0 +1,19 @@
+---
+argument_specs:
+ main:
+ description: "Sets up a nextcloud podman container, including HaRP using podman in podman"
+ options:
+ nextcloud_domains:
+ description: A list of domains nextcloud should listen on
+ type: list
+ required: true
+ elements: str
+ nextcloud_admin_pw:
+ description: Password of the initial admin user
+ type: str
+ required: true
+ nextcloud_tag:
+ description: Nextcloud version to use
+ type: str
+ required: false
+ default: stable
diff --git a/roles/nextcloud/tasks/main.yaml b/roles/nextcloud/tasks/main.yaml
new file mode 100644
index 0000000..a4f1d21
--- /dev/null
+++ b/roles/nextcloud/tasks/main.yaml
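Review bot: `https://{{ nextcloud_domains[0] }}` is interpolated unquoted into the `/bin/sh -c` string of the Register AppAPI daemon handler, so a domain value containing shell metacharacters would be executed rather than handed to occ; write it as `"https://{{ nextcloud_domains[0] }}"`, matching how the entrypoint template quotes the same value. Domains are operator-supplied, so this is hardening rather than an exploitable hole, but the quotes cost nothing. Reading the key with `$(cat /run/secrets/harp-shared-key)` inside the container keeps it out of Ansible's rendered argv, though it still ends up on the occ process's command line for the duration of the call; if occ offers a file-based variant of `--harp_shared_key`, prefer it (not verified here). The handler also sets no `changed_when`, so every restart of nextcloud-harp reports a change; `changed_when: true` would at least make that deliberate.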
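Review bot: `nextcloud_admin_pw` in the argument spec is not marked `no_log: true`, so a validation failure or a verbose run can print the admin password next to the other role arguments; add `no_log: true` under that option. The spec also says nothing about `nextcloud_domains` needing at least one entry, while both the handler and the entrypoint template index `nextcloud_domains[0]`; an empty list fails at template-render time with an unhelpful error, so state it in the description (`description: A non-empty list of domains nextcloud should listen on; the first one is used as the HaRP instance URL`).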
@@ -0,0 +1,64 @@
+---
+- name: Nextcloud service
+ ansible.builtin.import_role:
+ name: service
+ vars:
+ service_name: nextcloud
+ service_container_image: docker.io/library/nextcloud:{{ nextcloud_tag }}
+ service_container_http_port: 80
+ service_domains: "{{ nextcloud_domains }}"
+ service_database_type: postgres
+ service_redis: true
+ service_container_mounts:
+ - type: volume
+ source: data
+ destination: /var/www/html
+ service_container_secrets:
+ - name: adminpw
+ value: "{{ nextcloud_admin_pw }}"
+ - name: harp-shared-key
+ service_container_env:
+ POSTGRES_HOST: postgres
+ POSTGRES_DB: nextcloud
+ POSTGRES_USER: nextcloud
+ POSTGRES_PASSWORD_FILE: /run/secrets/postgres
+ REDIS_HOST: redis
+ TRUSTED_PROXIES: 10.0.0.0/8
+ NEXTCLOUD_TRUSTED_DOMAINS: "{{ nextcloud_domains | join(' ') }}"
+ NEXTCLOUD_ADMIN_USER: admin
+ NEXTCLOUD_ADMIN_PASSWORD_FILE: /run/secrets/adminpw
+ service_additional_containers:
+ - name: cron
+ entrypoint: /cron.sh
+ - name: harp
+ add_capabilities:
+ - CAP_SYS_ADMIN
+ image: quay.io/podman/stable:latest
+ user: podman
+ entrypoint: /entrypoint.sh
+ devices:
+ - source: /dev/fuse
+ mounts:
+ - type: template
+ source: containers.conf.j2
+ destination: /etc/containers/containers.conf
+ - type: template
+ source: harp_entrypoint.sh.j2
+ destination: /entrypoint.sh
+ mode: "0755"
+ - type: volume
+ source: harp-certs
+ destination: /certs
+# - type: volume
+# source: harp-containers
+# destination: /home/podman/.local/share/containers
+ env: {}
+ secrets:
+ - name: harp-shared-key
+ publish_ports:
+ - name: harp
+ type: socket
+ container_port: 8780
+ service_vhost_locations:
+ - path: /exapps/*
+ proxy_target_socket: /run/nextcloud-harp-socat.sock
diff --git a/roles/nextcloud/templates/containers.conf.j2 b/roles/nextcloud/templates/containers.conf.j2
new file mode 100644
index 0000000..38f859a
--- /dev/null
+++ b/roles/nextcloud/templates/containers.conf.j2
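Review bot: `TRUSTED_PROXIES: 10.0.0.0/8` (mirrored by `HP_TRUSTED_PROXY_IPS` in the entrypoint template) makes Nextcloud honour X-Forwarded-For from any source in an entire /8, so any workload that can reach port 80 from that range can forge client IPs in the audit log and sidestep per-IP brute-force protection; narrow it to the reverse proxy's real address or subnet, or expose it as a role variable such as `nextcloud_trusted_proxies` so the caller can. Whether 10.0.0.0/8 is simply the `service` role's pod/bridge network cannot be seen from this diff. The harp sidecar is also given `CAP_SYS_ADMIN`, `/dev/fuse` and the floating image `quay.io/podman/stable:latest`, and it will run arbitrary ExApp containers through nested podman; a comment stating why the capability is required (rootless podman-in-podman, presumably) and a pinned, variable-driven image tag in the style of `nextcloud_tag` would make that privilege boundary reviewable. The commented-out `harp-containers` volume suggests nested container storage is not persisted, so installed ExApps presumably do not survive a sidecar restart — worth confirming and documenting.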
@@ -0,0 +1,9 @@
+[containers]
+ipcns = "host"
+cgroupns = "host"
+cgroups = "disabled"
+log_driver = "k8s-file"
+[engine]
+cgroup_manager = "cgroupfs"
+events_logger = "file"
+runtime = "crun"
diff --git a/roles/nextcloud/templates/harp_entrypoint.sh.j2 b/roles/nextcloud/templates/harp_entrypoint.sh.j2
new file mode 100644
index 0000000..97701d3
--- /dev/null
+++ b/roles/nextcloud/templates/harp_entrypoint.sh.j2
@@ -0,0 +1,24 @@
+#!/bin/bash
+# {{ ansible_managed }}
+_term() {
+ echo "Received SIGTERM, stopping all containers"
+ kill "$child"
+}
+
+podman system service -t 0 &
+
+podman run \
+ --rm \
+ -v /run/secrets/harp-shared-key:/run/secrets/harp-shared-key:ro \
+ -e HP_SHARED_KEY_FILE=/run/secrets/harp-shared-key \
+ -e NC_INSTANCE_URL="https://{{ nextcloud_domains[0] }}" \
+ -e HP_TRUSTED_PROXY_IPS="10.0.0.0/8" \
+ -v /tmp/storage-run-1000/podman/podman.sock:/var/run/docker.sock \
+ -v /certs:/certs \
+ --name harp \
+ --network host \
+ ghcr.io/nextcloud/nextcloud-appapi-harp:release &
+
+child=$!
+trap _term SIGTERM
+wait
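Review bot: the containers.conf template carries no comment on why `cgroups = "disabled"`, `ipcns = "host"` and `cgroupns = "host"` are set, and together they mean every ExApp the nested podman starts runs with no cgroup resource limits and shares the sidecar's IPC namespace. A header such as `# Rootless podman-in-podman inside the harp sidecar: no cgroup delegation is available here, so cgroups are disabled and nested ExApp containers are not resource-limited` would make that trade-off visible to the next maintainer. If the `service` role applies limits to the harp container itself, that is then the only resource boundary for ExApps, which is worth stating in the README too. The entrypoint template starts with `# {{ ansible_managed }}` while this one does not; adding the same line keeps the two templates consistent.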
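Review bot: `ghcr.io/nextcloud/nextcloud-appapi-harp:release` is pulled by `podman run` on every sidecar start with a floating tag and no digest, so the code proxying all `/exapps/*` traffic can change silently between restarts and is outside the control of `nextcloud_tag`; expose it as a role variable (e.g. `nextcloud_harp_image`) and pin it by digest. `trap _term SIGTERM` is installed only after both `podman system service` and `podman run` have been backgrounded, so a SIGTERM that arrives during the image pull terminates the script without the cleanup path; move the trap line above `podman system service -t 0 &`. `_term` also never stops `podman system service`, which is acceptable only because the container exits with the script — a one-line comment saying so would prevent a future "fix". The bind-mounted socket path `/tmp/storage-run-1000/podman/podman.sock` hard-codes the `podman` user's UID from the base image; if that ever changes, HaRP is started against a socket that does not exist, so deriving the path from `$XDG_RUNTIME_DIR` (or `podman info --format '{{.Host.RemoteSocket.Path}}'`) would be more robust.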