Update nextcloud app to use separate proxy and fpm services

Add support for deploying assets alongside compose apps
Actually standardize vars files using yaml suffix
2021-04-30 20:20:22 -04:00 · 2021-04-29 19:08:05 -04:00 · 2021-04-29 19:08:05 -04:00 · 2021-04-29 19:08:05 -04:00 · 2021-04-29 19:08:05 -04:00 · 2021-04-29 19:08:05 -04:00
11 changed files with 200 additions and 5 deletions
--- a/playbooks/configure-mgmt.yml
+++ b/playbooks/configure-mgmt.yml
@ -24,9 +24,9 @@
 - name: Configure local accounts
  hosts: all
  vars_files:
-    - vars/accounts.yml
-    - vars/secrets/passwords.yml
-    - vars/sshkeys.yml
+    - vars/accounts.yaml
+    - vars/secrets/passwords.yaml
+    - vars/sshkeys.yaml
  tasks:
    - name: Create omni group
      become: true
--- a/playbooks/deploy-compose.yml
+++ b/playbooks/deploy-compose.yml
@ -46,6 +46,16 @@
        group: "{{ omni_compose_apps[_runtime_application].account.name }}"
        mode: 0750

+    - name: Create datastore assets
+      become: true
+      template:
+        src: "{{ item.src }}"
+        dest: "{{ omni_datastore_mount }}{{ omni_compose_apps[_runtime_application].datastore }}/{{ item.name }}"
+        owner: "{{ omni_compose_apps[_runtime_application].account.name }}"
+        group: "{{ omni_compose_apps[_runtime_application].account.name }}"
+        mode: "{{ item.permissions | default(0644) }}"
+      loop: "{{ omni_compose_apps[_runtime_application].assets | default([]) }}"
+

 - name: Configure docker stack
  hosts: jupiter
--- a/playbooks/provision-common.yml
+++ b/playbooks/provision-common.yml
@ -5,7 +5,7 @@
 - name: Configure system settings
  hosts: all
  vars_files:
-    - vars/packages.yml
+    - vars/packages.yaml
  pre_tasks:
    - import_tasks: tasks/centos-8-kernelplus.yml
  tasks:
--- a/resources/docker-compose/nextcloud.yaml.j2
+++ b/resources/docker-compose/nextcloud.yaml.j2
@ -0,0 +1,110 @@
+---
+version: "{{ omni_compose_version | string }}"
+
+
+networks:
+  nextcloud:
+    name: nextcloud
+    driver: overlay
+    ipam:
+      driver: default
+      config:
+        - subnet: {{ omni_compose_apps.nextcloud.networks.main }}
+
+
+volumes:
+  database:
+    name: datastore{{ omni_compose_apps.nextcloud.datastore }}/database
+    driver: glusterfs
+  data:
+    name: datastore/{{ omni_compose_apps.nextcloud.datastore }}/userdata
+    driver: glusterfs
+  config:
+    name: datastore{{ omni_compose_apps.nextcloud.datastore }}/config
+    driver: glusterfs
+  proxy:
+    name: datastore{{ omni_compose_apps.nextcloud.datastore }}/proxy
+    driver: glusterfs
+
+
+services:
+  database:
+    image: mariadb:{{ omni_compose_apps.nextcloud.versions.database | default(omni_compose_apps.nextcloud.versions.default) }}
+    hostname: nextcloud-database
+    networks:
+      - nextcloud
+    volumes:
+      - type: volume
+        source: database
+        target: /var/lib/mysql
+        read_only: false
+    environment:
+      MYSQL_ROOT_PASSWORD: {{ omni_compose_app_secrets.nextcloud.database_password }}
+      MYSQL_DATABASE: nextcloud
+    deploy:
+      replicas: 1
+
+  cache:
+    image: redis:{{ omni_compose_apps.nextcloud.versions.cache | default(omni_compose_apps.nextcloud.versions.default) }}
+    hostname: nextcloud-cache
+    networks:
+      - nextcloud
+    deploy:
+      replicas: 1
+
+  proxy:
+    image: nginx:{{ omni_compose_apps.nextcloud.versions.proxy | default(omni_compose_apps.nextcloud.versions.default) }}
+    hostname: nextcloud-proxy
+    networks:
+      - nextcloud
+    depends_on:
+      - server
+    ports:
+      - published: {{ omni_compose_apps.nextcloud.published.ports.80 }}
+        target: 80
+        protocol: tcp
+        mode: ingress
+    volumes:
+      - type: volume
+        source: config
+        target: /usr/share/nginx/nextcloud
+        read_only: true
+      - type: volume
+        source: proxy
+        target: /etc/nginx/conf.d
+        read_only: true
+    deploy:
+      replicas: 1
+
+  server:
+    image: nextcloud:{{ omni_compose_apps.nextcloud.versions.server | default(omni_compose_apps.nextcloud.versions.default) }}
+    hostname: nextcloud-server
+    user: "{{ omni_compose_apps.nextcloud.account.uid }}"
+    networks:
+      - nextcloud
+    depends_on:
+      - database
+      - cache
+    volumes:
+      - type: volume
+        source: data
+        target: /data
+        read_only: false
+      - type: volume
+        source: config
+        target: /var/www/html
+        read_only: false
+    environment:
+      NEXTCLOUD_DATA_DIR: /data/
+      NEXTCLOUD_ADMIN_USER: admin
+      NEXTCLOUD_ADMIN_PASSWORD: {{ omni_compose_app_secrets.nextcloud.admin_password }}
+      NEXTCLOUD_TRUSTED_DOMAINS: localhost {{ inventory_hostname }} {{ omni_compose_apps.nextcloud.published.host }}
+      MYSQL_DATABASE: nextcloud
+      MYSQL_USER: root
+      MYSQL_PASSWORD: {{ omni_compose_app_secrets.nextcloud.database_password }}
+      MYSQL_HOST: database
+      REDIS_HOST: cache
+      PHP_MEMORY_LIMIT: "4G"
+      PHP_UPLOAD_LIMIT: "4G"
+    deploy:
+      replicas: 1
--- a/resources/nginx/nextcloud-proxy.conf
+++ b/resources/nginx/nextcloud-proxy.conf
@ -0,0 +1,50 @@
+server {
+        listen 80;
+        root /usr/share/nginx/nextcloud;
+        index index.php index.html index.htm;
+
+        location / {
+            try_files $uri $uri/ =404;
+        }
+
+        location ~ [^/]\.php(/|$) {
+            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+            if (!-f $document_root$fastcgi_script_name) {
+                return 404;
+            }
+
+            # Mitigate https://httpoxy.org/ vulnerabilities
+            fastcgi_param HTTP_PROXY "";
+
+            fastcgi_pass server:9000;
+            fastcgi_index index.php;
+
+            fastcgi_param   QUERY_STRING            $query_string;
+            fastcgi_param   REQUEST_METHOD          $request_method;
+            fastcgi_param   CONTENT_TYPE            $content_type;
+            fastcgi_param   CONTENT_LENGTH          $content_length;
+
+            fastcgi_param   SCRIPT_FILENAME         /var/www/html$fastcgi_script_name;
+            fastcgi_param   SCRIPT_NAME             $fastcgi_script_name;
+            fastcgi_param   PATH_INFO               $fastcgi_path_info;
+            fastcgi_param   PATH_TRANSLATED         /var/www/html$fastcgi_path_info;
+            fastcgi_param   REQUEST_URI             $request_uri;
+            fastcgi_param   DOCUMENT_URI            $document_uri;
+            fastcgi_param   DOCUMENT_ROOT           /var/www/html/;
+            fastcgi_param   SERVER_PROTOCOL         $server_protocol;
+
+            fastcgi_param   GATEWAY_INTERFACE       CGI/1.1;
+            fastcgi_param   SERVER_SOFTWARE         nginx/$nginx_version;
+
+            fastcgi_param   REMOTE_ADDR             $remote_addr;
+            fastcgi_param   REMOTE_PORT             $remote_port;
+            fastcgi_param   SERVER_ADDR             $server_addr;
+            fastcgi_param   SERVER_PORT             $server_port;
+            fastcgi_param   SERVER_NAME             $server_name;
+
+            fastcgi_param   HTTPS                   $https;
+
+            # PHP only, required if PHP was built with --enable-force-cgi-redirect
+            fastcgi_param   REDIRECT_STATUS         200;
+      }
+}
--- a/vars/accounts.yaml
+++ b/vars/accounts.yaml
@ -77,3 +77,8 @@ omni_users:
    uid: 1291
    targets: [datastore]
    svc: true
+
+  - name: mech_nextcloud
+    uid: 1290
+    targets: [datastore]
+    svc: true
--- a/vars/applications.yaml
+++ b/vars/applications.yaml
@ -109,3 +109,23 @@ omni_compose_apps:
      default: 1.1.2
      database: "10"
      cache: "6.2"
+
+  nextcloud:
+    datastore: /appdata/nextcloud
+    account:
+      name: mech_nextcloud
+      uid: 1290
+    published:
+      host: wsd.enp.one
+      ports:
+        80: 8082
+    networks:
+      main: 192.168.107.0/24
+    versions:
+      proxy: latest
+      server: 21.0.1-fpm
+      database: "10"
+      cache: "6.2"
+    assets:
+      - src: nginx/nextcloud-proxy.conf
+        name: proxy/nextcloud.conf
--- a/vars/packages.yaml
+++ b/vars/packages.yaml
--- a/vars/secrets
+++ b/vars/secrets
@ -1 +1 @@
-Subproject commit 0248a5772ab9f35ce8cdf43dfe5926d59636baee
+Subproject commit 140d4a2a5a5cc57b091745d0b4ee26847817a70f
--- a/vars/sshkeys.yaml
+++ b/vars/sshkeys.yaml
--- a/vars/targets.yaml
+++ b/vars/targets.yaml
Author	SHA1	Message	Date
Ethan Paul	1490774f4a	Update nextcloud app to use separate proxy and fpm services	2021-04-30 20:20:22 -04:00
Ethan Paul	a7012abf28	Add support for deploying assets alongside compose apps	2021-04-29 19:08:05 -04:00
Ethan Paul	9ab3a40364	Actually standardize vars files using yaml suffix	2021-04-29 19:08:05 -04:00
Ethan Paul	746399c1de	Add service account for nextcloud app	2021-04-29 19:08:05 -04:00
Ethan Paul	eb9d35ee56	Update secrets submodule	2021-04-29 19:08:05 -04:00
Ethan Paul	1f9c4df494	Add nextcloud app config	2021-04-29 19:08:05 -04:00
Ethan Paul	bb4fb4c48f	Add compose file for nextcloud app	2021-04-29 19:08:04 -04:00