Autoconfigure admin password; Fix MariaDB encryption problem

.gitignore

@@ -4,3 +4,4 @@ terraform.tfstate*
 .infracost
 privkey.pem
 inventory.ini
+roles/nextcloud/files/adminpass

Makefile

@@ -11,9 +11,9 @@ setup:
 	$(eval INSTANCE  := $(shell terraform output instance_id | sed -e 's/"//g'))
 	$(eval PUBLIC_IP := $(shell terraform output public_ip   | sed -e 's/"//g'))
 	chmod 600 privkey.pem
-	timeout --foreground 300 bash -c -- 'until $(SSH) $(INSTANCE) "/bin/true"; do sleep 0.5; done'
 
 ansible: setup
+	timeout --foreground 300 bash -c -- 'until $(SSH) $(INSTANCE) "/bin/true"; do sleep 0.5; done'
 	$(SSH) $(INSTANCE) "which -a ansible || (sudo apt-get update && sudo apt-get -y install ansible)"
 	sed \
 		-e 's/{{INSTANCE}}/$(INSTANCE)/' \

nextcloud.tf

@@ -179,6 +179,23 @@ module "records" {
   depends_on = [module.zone]
 }
 
+## generate admin password
+
+resource "random_password" "admin" {
+  length  = 20
+  special = true
+  lower   = true
+  upper   = true
+  number  = true
+}
+
+resource "local_file" "adminpass" {
+  content  = random_password.admin.result
+  filename = "roles/nextcloud/files/adminpass"
+}
+
+## outputs
+
 output "instance_id" {
   value = aws_instance.nextcloud.id
 }
@@ -189,3 +206,4 @@ output "nameservers" {
   value = module.zone.route53_zone_name_servers
 }
 
+

roles/nextcloud/files/nginx.conf

@@ -10,9 +10,9 @@ events { worker_connections 1024; }
 
 http {
 
-    upstream backend {
-      server app;
-    }
+#    upstream backend {
+#      server nextcloud;
+#    }
 
     server {
         listen 80;
@@ -75,11 +75,12 @@ http {
         gunzip          on;
 
         location @nextcloud {
-            proxy_pass http://backend;
+            proxy_pass http://nextcloud;
         }
 
         location / {
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Host $host;
             proxy_set_header Host            $host;
             proxy_set_header X-Real-IP       $remote_addr;
 

roles/nextcloud/tasks/main.yaml

@@ -80,10 +80,40 @@
 
 # ---
 
+#- name: adminpass file
+#  copy:
+#    src: files/adminpass
+#    dest: /tmp/adminpass
+#
+#- name: create docker secrets
+#  shell: docker secret create nextcloud_admin_password - < /tmp/adminpass
+#
+#- name: create other docker secrets
+#  shell: "echo '{item.value}' | docker secret create {item.key} -"
+#  with_items:
+#    - key: nextcloud_admin_user
+#      value: b4rry
+#    - key: mysql_user
+#      value: nextcloud
+#    - key: mysql_host
+#      value: db
+#    - key: mysql_db
+#      value: nextcloud
+#    - key: mysql_root_password
+#      value: s00p3rs3krit
+
 - name: nextcloud docker-compose
-  copy:
-    src: files/docker-compose.yaml
+  template:
+    src: templates/docker-compose.yaml
     dest: /srv/nextcloud/docker-compose.yaml
+  vars:
+    nextcloud_admin_password: "{{ lookup('file', 'files/adminpass') }}"
+    nextcloud_admin_user: b4rry
+    mysql_host: nextcloud_db
+    mysql_db: nextcloud
+    mysql_user: nextcloud
+    mysql_password: s00p3rs3krit
+    mysql_root_password: s00p3rs3krit
   register: dockercompose
 
 - name: nextcloud nginx.conf

roles/nextcloud/templates/docker-compose.yaml

@@ -2,39 +2,39 @@
 
 version: '2'
 
-volumes:
-  nextcloud:
-  db:
-
 services:
   db:
     container_name: nextcloud_db
     image: mariadb
     restart: unless-stopped
-    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
+    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --innodb_read_only_compressed=OFF
     volumes:
-      - db:/var/lib/mysql
+      - /srv/nextcloud/db:/var/lib/mysql
     environment:
-      - MYSQL_ROOT_PASSWORD=s00p3rs3krit
-      - MYSQL_PASSWORD=s00p3rs3krit
-      - MYSQL_DATABASE=nextcloud
-      - MYSQL_USER=nextcloud
+      - "MYSQL_ROOT_PASSWORD={{mysql_root_password}}"
+      - "MYSQL_USER={{mysql_user}}"
+      - "MYSQL_PASSWORD={{mysql_password}}"
+      - "MYSQL_DATABASE={{mysql_db}}"
 
   app:
     container_name: nextcloud
     image: nextcloud
     restart: unless-stopped
-    ports:
-      - 8080:80
-    links:
-      - db
     volumes:
-      - nextcloud:/var/www/html
+      - /srv/nextcloud/www:/var/www/html
     environment:
-      - MYSQL_PASSWORD=s00p3rs3krit
-      - MYSQL_DATABASE=nextcloud
-      - MYSQL_USER=nextcloud
-      - MYSQL_HOST=db
+      - "NEXTCLOUD_ADMIN_USER={{nextcloud_admin_user}}"
+      - "NEXTCLOUD_ADMIN_PASSWORD={{nextcloud_admin_password | replace("$","$$") }}"
+      - "MYSQL_DATABASE={{mysql_db}}"
+      - "MYSQL_PASSWORD={{mysql_password}}"
+      - "MYSQL_USER={{mysql_user}}"
+      - "MYSQL_HOST={{mysql_host}}"
+      - "TRUSTED_PROXIES=172.0.0.0/8"
+      - "NEXTCLOUD_TRUSTED_DOMAINS=cloud.stoopid.club nextcloud"
+      - "NEXTCLOUD_UPDATE=1"
+#    entrypoint: sh -c "sleep 5; /entrypoint.sh php-fpm"
+    depends_on:
+      - db
 
   web:
     container_name: nginx
@@ -43,8 +43,6 @@ services:
     ports:
       - "80:80"
       - "443:443"
-    links:
-      - app
     volumes:
       - /srv/nextcloud/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
       - /srv/nextcloud/nginx/conf.d:/etc/nginx/conf.d:ro