nierdz.nextcloud
Nextcloud Ansible Role
This Ansible role helps you install Nextcloud easily. The file structure is organized like this:
/var/www
└── nextcloud.local
    ├── current -> /var/www/nextcloud.local/releases/20.0.7
    │   └── nextcloud
    │       └── config
    │           └── config.php -> /var/www/shared/config.php
    ├── data
    │   ├── admin
    │   ├── appdata_somerandomshit
    │   ├── files_external
    │   ├── index.html
    │   └── nextcloud.log
    ├── releases
    │   ├── 20.0.5
    │   ├── 20.0.6
    │   └── 20.0.7
    └── shared
        └── config.php
Currently, this role only works with MySQL as the database. It also uses Redis for caching and file locking.
Requirements
To run Nextcloud, you need PHP, a web server, and a database management system (DBMS). It's recommended to use these Ansible roles:
Using these roles is a good choice because they are well-maintained. However, other roles can be used too.
In a production setup, you will also need a TLS certificate, which you can get from acme.sh.
Role Variables
nextcloud_version
Specifies the version of Nextcloud to install.
Default: "29.0.1"
nextcloud_domain
The domain name for your Nextcloud.
Default: ""
nextcloud_php_user
The user who owns all Nextcloud files. Usually set to www-data.
Default: "{{ php_fpm_pool_user | default('www-data') }}"
nextcloud_php_version
The major version of PHP to use.
Default: "{{ php_default_version_debian | default('8.2') }}"
nextcloud_php_bin_path
Where the PHP executable is located.
Default: /usr/bin/php
nextcloud_keep_releases
Duration to keep old releases.
Default: "60d"
nextcloud_admin_user
The default admin user created during installation. After installation, you can create another admin user and remove this one.
Default: ""
nextcloud_admin_password
The password for nextcloud_admin_user. It's highly recommended to secure this with ansible-vault.
Default: ""
nextcloud_config_template
A template for Nextcloud's config.php.
Default: "config.php.j2"
nextcloud_instanceid
A unique identifier for your Nextcloud instance. Generate a random one.
Default: ""
nextcloud_passwordsalt
Salt used for hashing passwords. It's strongly recommended to secure this with ansible-vault.
Default: ""
nextcloud_secret
A secret used by Nextcloud for encryption and other purposes. Losing this will corrupt your data, so secure it with ansible-vault.
Default: ""
nextcloud_dbhost
The host for the database connection.
Default: "localhost"
nextcloud_dbname
The name of the Nextcloud database.
Default: "nextcloud"
nextcloud_dbuser
The user Nextcloud will use to access the database.
Default: "nextcloud"
nextcloud_dbpassword
Password for nextcloud_dbuser. Also recommended to secure this with ansible-vault.
Default: ""
nextcloud_deploy_to
Main folder for your Nextcloud installation.
Default: "/var/www/{{ nextcloud_domain }}"
nextcloud_datadirectory
Where user files are stored.
Default: "{{ nextcloud_deploy_to }}/data"
nextcloud_php_packages
Additional PHP packages needed by Nextcloud. Default:
- php-pear
- php{{ nextcloud_php_version }}-bcmath
- php{{ nextcloud_php_version }}-bz2
- php{{ nextcloud_php_version }}-curl
- php{{ nextcloud_php_version }}-gd
- php{{ nextcloud_php_version }}-gmp
- php{{ nextcloud_php_version }}-imagick
- php{{ nextcloud_php_version }}-intl
- php{{ nextcloud_php_version }}-json
- php{{ nextcloud_php_version }}-mbstring
- php{{ nextcloud_php_version }}-mysql
- php{{ nextcloud_php_version }}-redis
- php{{ nextcloud_php_version }}-xml
- php{{ nextcloud_php_version }}-zip
nextcloud_packages
Additional packages needed by Nextcloud. Default:
- redis-server
- redis-tools
- unzip
nextcloud_apps
List of applications to install and enable.
Default: []
nextcloud_no_log
Set to true to hide sensitive information during the deployment.
Default: true
Working Example
Here is an example of what your playbook.yml should look like:
- name: Configure Nextcloud servers
  become: true
  hosts: nextcloud
  vars_files:
    - vault_vars/nextcloud.yml
  roles:
    - {role: acme_sh, tags: ['acme_sh']}  # Use any method to get TLS certificates
    - {role: nginx, tags: ['nginx']}
    - {role: mysql, tags: ['mysql']}
    - {role: php, tags: ['php']}
    - {role: percona, tags: ['percona']}
    - {role: nextcloud, tags: ['nextcloud']}
  pre_tasks:
    - name: Install Sury key
      apt_key:
        url: "https://packages.sury.org/php/apt.gpg"
        state: present
    - name: Add Sury repositories
      apt_repository:
        repo: "deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main"
        state: present
        update_cache: true
        filename: sury
    - name: Copy specific Nginx config files
      copy:
        src: "{{ item }}"
        dest: /etc/nginx/
        owner: root
        mode: 0644
      with_fileglob:
        - nginx/*.conf
    - name: Copy /etc/nginx/dh4096.pem
      copy:
        src: nginx/dh4096.pem
        dest: /etc/nginx/dh4096.pem
        owner: www-data
        mode: 0400
In your vault_vars/nextcloud.yml, include:
mysql_root_password_vault: vaultmeplease
nextcloud_dbpassword_vault: vaultmeplease
nextcloud_passwordsalt_vault: vaultmeplease
nextcloud_secret_vault: vaultmeplease
nextcloud_instanceid_vault: vaultmeplease
nextcloud_admin_user_vault: admin
nextcloud_admin_password_vault: vaultmeplease
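An added example, not part of the role: a shell helper that writes vault_vars/nextcloud.yml with random values instead of the placeholders above and refuses to overwrite an existing file, since regenerating nextcloud_secret on a live instance corrupts data. The function names, byte lengths and hex encoding are assumptions; encrypt the result with ansible-vault encrypt before committing it.

```sh
#!/bin/sh
# Added example: generate vault_vars/nextcloud.yml with random secrets.
# Byte lengths and hex encoding are assumptions, not requirements of the role.

# Print N random bytes as 2N lowercase hex characters.
gen_secret() {
    od -An -N "$1" -tx1 /dev/urandom | tr -d ' \n'
}

# Write the vault variables file. Refuses to overwrite an existing file:
# a new nextcloud_secret or nextcloud_passwordsalt breaks a deployed instance.
write_vault_vars() {
    out=$1
    if [ -e "$out" ]; then
        echo "refusing to overwrite $out" >&2
        return 1
    fi
    (
        umask 077   # the file is plaintext until encrypted: owner-only access
        cat > "$out" <<EOF
mysql_root_password_vault: "$(gen_secret 24)"
nextcloud_dbpassword_vault: "$(gen_secret 24)"
nextcloud_passwordsalt_vault: "$(gen_secret 24)"
nextcloud_secret_vault: "$(gen_secret 32)"
nextcloud_instanceid_vault: "$(gen_secret 8)"
nextcloud_admin_user_vault: admin
nextcloud_admin_password_vault: "$(gen_secret 24)"
EOF
    )
}

# Succeeds only if the file starts with the ansible-vault header,
# i.e. it has been encrypted and is safe to commit.
is_vault_encrypted() {
    head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;'
}

# Usage: sh gen_vault_vars.sh vault_vars/nextcloud.yml
if [ "$#" -eq 1 ]; then
    write_vault_vars "$1" && echo "now run: ansible-vault encrypt $1"
fi
```

is_vault_encrypted can serve as a pre-commit check so the file never reaches the repository in plaintext.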
And your group variables in group_vars/nextcloud.yml:
# Nextcloud
nextcloud_domain: "yourdomain.com"
nextcloud_admin_user: "{{ nextcloud_admin_user_vault }}"
nextcloud_admin_password: "{{ nextcloud_admin_password_vault }}"
nextcloud_instanceid: "{{ nextcloud_instanceid_vault }}"
nextcloud_passwordsalt: "{{ nextcloud_passwordsalt_vault }}"
nextcloud_secret: "{{ nextcloud_secret_vault }}"
nextcloud_dbpassword: "{{ nextcloud_dbpassword_vault }}"
nextcloud_apps: [calendar]
# MySQL
mysql_root_password: "{{ mysql_root_password_vault }}"
mysql_bind_address: 127.0.0.1
mysql_packages:
  - mariadb-client
  - mariadb-server
  - python-mysqldb
mysql_databases:
  - name: nextcloud
    encoding: utf8mb4
    collation: utf8mb4_general_ci
mysql_users:
  - name: nextcloud
    host: "localhost"
    password: "{{ nextcloud_dbpassword }}"
    priv: "nextcloud.*:ALL"
    state: present
# Nginx
nginx_remove_default_vhost: true
nginx_service_enabled: true
nginx_service_state: started
nginx_listen_ipv6: false
nginx_vhosts:
  # The value is quoted because a YAML scalar cannot start with an unquoted "{{"
  - listen: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:443 ssl http2 default_server"
    server_name: "{{ nextcloud_domain }}"
    state: "present"
    root: "/var/www/{{ nextcloud_domain }}/current/nextcloud"
    index: index.php
    extra_parameters: |
      add_header Referrer-Policy "no-referrer" always;
      ...
Developer Documentation
For more info, check out the developer documentation.
License
This project is licensed under the GPLv3.