From a6fea170a426fa242924eb61af668fed68577f36 Mon Sep 17 00:00:00 2001
From: phil <phil@systemausfall.org>
Date: Sat, 26 Jun 2021 02:32:29 +0200
Subject: [PATCH] =?UTF-8?q?Fixes=20f=C3=BCr=20zentrale=20Verwaltung?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 defaults/main.yml       |  1 +
 handlers/main.yml       |  2 +-
 tasks/database.yml      |  2 +-
 tasks/fixes.yml         |  4 ++--
 tasks/gateway.yml       |  9 ++++++++-
 tasks/main.yml          |  1 +
 tasks/nextcloud.yml     |  2 +-
 tasks/version.yml       |  4 +++-
 templates/nginx_site.j2 | 33 ++++++++++++++++++++++++++++++---
 vars/main.yml           | 15 ++++++++++++++-
 10 files changed, 62 insertions(+), 11 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 9e731a4..2cd74c0 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -4,6 +4,7 @@ mysql_socket: /var/run/mysqld/mysqld.sock
 nextcloud_admin_pw: admin
 nextcloud_admin_user: systemausfall.org
 nextcloud_admin_pw: admin
+nextcloud_db_password: "{{ lookup('password', '/tmp/{{ instance.domain }}_db_pwd length=42 chars=ascii_letters,digits') }}"
 nextcloud_dl_url: https://download.nextcloud.com/server/releases
 nextcloud_install_path: "/data/nextcloud/{{ instance.domain }}"
 nextcloud_config_file: "{{ nextcloud_install_path }}/config/config.php"
diff --git a/handlers/main.yml b/handlers/main.yml
index 4bef115..1ec7331 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -13,7 +13,7 @@
   service:
     name: nginx
     state: reloaded
-  delegate_to: "{{ nextcloud_gateway }}"
+  delegate_to: "{{ gateway_host }}"
 
 - name: restart phpfpm
   service:
diff --git a/tasks/database.yml b/tasks/database.yml
index b6c5b0a..1c4e06d 100644
--- a/tasks/database.yml
+++ b/tasks/database.yml
@@ -12,7 +12,7 @@
   mysql_user:
     name: "{{ instance.database }}"
     host: "{{ inventory_hostname }}"
-    password: "{{ lookup('password', '/tmp/nc_db_password chars=ascii_letters') }}"
+    password: "{{ nextcloud_db_password }}"
     priv: "{{ instance.database }}.*:ALL"
     state: present
     login_unix_socket: "{{ mysql_socket }}"
diff --git a/tasks/fixes.yml b/tasks/fixes.yml
index 257bf56..2e237bb 100644
--- a/tasks/fixes.yml
+++ b/tasks/fixes.yml
@@ -1,8 +1,8 @@
 ---
-- name: "fixes: {{ instance.domain }} https://github.com/nextcloud/files_pdfviewer/issues/381"
+- name: "fixes: {{ instance.domain }}: https://github.com/nextcloud/files_pdfviewer/issues/381"
   get_url:
     url: https://raw.githubusercontent.com/nextcloud/files_pdfviewer/6d81ffbb65c3758bece144e0aff07b4a0ad20eef/js/files_pdfviewer-main.js
     dest: "{{ nextcloud_install_path }}/apps/files_pdfviewer/js/files_pdfviewer-main.js"
     owner: "{{ instance.user }}"
     group: "{{ instance.user }}"
-  when: nc_installed_version >= "21.0.2"
+  when: nc_installed_version.stdout >= "21.0.2"
diff --git a/tasks/gateway.yml b/tasks/gateway.yml
index 5f7e5ec..4cf71ce 100644
--- a/tasks/gateway.yml
+++ b/tasks/gateway.yml
@@ -4,7 +4,14 @@
     path: /etc/dehydrated/domains.txt
     insertafter: "^# nextcloud"
     line: "{{ instance.domain }}"
-   # when: dehydrated_installiert
+  delegate_to: "{{ gateway_host }}"
+
+- name: "gateway: {{ instance.domain }}: Alias zur Zertifikatsliste hinzufügen"
+  lineinfile:
+    path: /etc/dehydrated/domains.txt
+    insertafter: "^# nextcloud"
+    line: "{{ instance.alias }}"
+  when: instance.alias is defined
   delegate_to: "{{ gateway_host }}"
 
 - name: "gateway: {{ instance.domain }}: Zertifikat erstellen"
diff --git a/tasks/main.yml b/tasks/main.yml
index db83423..43396a0 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,6 +1,7 @@
 ---
 - import_tasks: version.yml
   tags: version
+
 - import_tasks: packages.yml
 - import_tasks: gateway.yml
 - import_tasks: database.yml
diff --git a/tasks/nextcloud.yml b/tasks/nextcloud.yml
index 44b8cdb..1767aef 100644
--- a/tasks/nextcloud.yml
+++ b/tasks/nextcloud.yml
@@ -20,7 +20,7 @@
   command: >
     php "{{ nextcloud_install_path }}"/occ maintenance:install --database "mysql"
     --database-name "{{ instance.database }}" --database-user "{{ instance.database }}"
-    --database-pass "{{ lookup('password', '/tmp/nc_db_password chars=ascii_letters') }}" --database-host "{{ database_host }}"
+    --database-pass "{{ nextcloud_db_password }}" --database-host "{{ database_host }}"
     --admin-user "{{ nextcloud_admin_user }}" --admin-pass "{{ nextcloud_admin_pw }}"
   become: true
   become_user: "{{ instance.user }}"
diff --git a/tasks/version.yml b/tasks/version.yml
index d6cbaa0..36a4158 100644
--- a/tasks/version.yml
+++ b/tasks/version.yml
@@ -3,12 +3,14 @@
   stat:
     path: "{{ nextcloud_install_path }}/version.php"
   register: nc_is_installed
+  changed_when: false
 
 - name: "version: {{ instance.domain }}: Prüfe NC-Version"
   shell:
-    cmd: occ -V | cut -d ' ' -f2
+    cmd: ./occ -V | cut -d ' ' -f2
     chdir: "{{ nextcloud_install_path }}"
   become: true
   become_user: "{{ instance.user }}"
   register: nc_installed_version
   when: nc_is_installed.stat.exists
+  changed_when: false
diff --git a/templates/nginx_site.j2 b/templates/nginx_site.j2
index 8e436da..70eb84a 100644
--- a/templates/nginx_site.j2
+++ b/templates/nginx_site.j2
@@ -1,13 +1,18 @@
 server {
         listen 80;
-        server_name {{ instance.domain }};
+{% if instance.alias is defined %}
+	server_name {{ instance.domain }};
+	server_name {{ instance.alias }};
+{% else %}
+	server_name {{ instance.domain }};
+{% endif %}
         include snippets/letsencrypt.conf;
         location / { return 301 https://$http_host$request_uri; }
 }
 
 server {
+	listen 443 ssl http2;
         server_name {{ instance.domain }};
-        listen 443 ssl http2;
         ssl_certificate /var/lib/dehydrated/certs/{{ instance.domain }}/fullchain.pem;
         ssl_certificate_key /var/lib/dehydrated/certs/{{ instance.domain }}/privkey.pem;
         include /etc/nginx/proxy_params;
@@ -23,4 +28,26 @@ server {
         location ~ \.* {
                 proxy_pass http://{{ inventory_hostname }}:80;
         }
-}
\ No newline at end of file
+}
+
+{% if instance.alias is defined %}
+server {
+	listen 443 ssl http2;
+        server_name {{ instance.alias }};
+        ssl_certificate /var/lib/dehydrated/certs/{{ instance.alias }}/fullchain.pem;
+        ssl_certificate_key /var/lib/dehydrated/certs/{{ instance.alias }}/privkey.pem;
+        include /etc/nginx/proxy_params;
+        add_header Referrer-Policy $referrerpolicy;
+        add_header Strict-Transport-Security $sts;
+        add_header X-Content-Type-Options $xcontentoptions;
+        add_header X-XSS-Protection $xxssprotection;
+
+        location ~ /.well-known/(carddav|caldav) {
+                return 301 $scheme://$host/remote.php/dav;
+        }
+
+        location ~ \.* {
+                proxy_pass http://{{ inventory_hostname }}:80;
+        }
+}
+{% endif %}
\ No newline at end of file
diff --git a/vars/main.yml b/vars/main.yml
index b52587a..906b162 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,2 +1,15 @@
 ---
-# vars file for nextcloud
\ No newline at end of file
+instances:
+  - domain: cloud.eine-welt-mv.de
+    user: ewlnmv
+    database: nc_ewlnmv
+  - domain: cloud.karo.ag
+    user: karoag
+    database: nc_karoag
+  - domain: nextcloud.bufas.net
+    user: bufas
+    database: nc_bufas
+  - domain: nextcloud.systemausfall.org
+    alias: speicher.roko.li
+    user: nextcloud
+    database: nc_nextcloud