+ 19 - 0

@@ -0,0 +1,19 @@
+# Development
+## Ubuntu Host Requirements
+sudo apt install vagrant ansible virtualbox
+ansible-galaxy collection install ansible.posix
+ansible-galaxy collection install community.crypto
+ansible-galaxy collection install community.general
+## Deploy
+vagrant up

+ 11 - 0

@@ -0,0 +1,11 @@

+ 159 - 0

@@ -0,0 +1,159 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
+  config.vm.boot_timeout = 360
+  config.vm.provider "virtualbox" do |vb|
+    vb.memory = "2048"
+    vb.cpus = "1"
+  end
+  #LoadBalancer
+  config.vm.define "loadbalancer" do |loadbalancer|
+ = 'ubuntu/focal64'
+    loadbalancer.vm.hostname = "loadbalancer"
+ :private_network, ip: ""
+    loadbalancer.vm.provision "shell", inline: "apt-get install -y haproxy"
+    #Provision the loadbalancer with Ansible
+    loadbalancer.vm.provision "ansible" do |ansible|
+       ansible.compatibility_mode = "2.0"
+       ansible.playbook="provisioning/ansible/haproxy.yml"
+       ansible.become = true
+       ansible.extra_vars = {
+         ansible_python_interpreter: "/usr/bin/python3",
+         ssl_name: "nextcloud.test",
+         network_allowed: "",
+         haproxy_backend_servers:
+           { name: 'web', ip: '' },
+       }
+    end
+  end
+  #Redis Server 
+  config.vm.define "redis" do |redis| 
+    redis.vm.hostname = "redis"
+ = "centos/7"
+ "private_network", ip: ""
+    redis.vm.provision "shell", inline: "yum install -y python3 dnf epel-release"
+    #Provision the webserver with Ansible
+    redis.vm.provision "ansible" do |ansible|
+       ansible.compatibility_mode = "2.0"
+       ansible.playbook="provisioning/ansible/redis.yml"
+       ansible.become = true
+       ansible.extra_vars = { 
+         ansible_python_interpreter: "/usr/bin/python2",
+         #redis_bind_interface: "", #bug Centos
+       }
+    end 
+  end
+  #Database Server 
+  config.vm.define "db" do |db| 
+    db.vm.hostname = "mariadb"
+ = "centos/7"
+ "private_network", ip: ""
+    db.vm.provision "shell", inline: "yum install -y python3 dnf"
+    #Provision the webserver with Ansible
+    db.vm.provision "ansible" do |ansible|
+       ansible.compatibility_mode = "2.0"
+       ansible.playbook="provisioning/ansible/mariadb.yml"
+       ansible.become = true
+       ansible.extra_vars = { 
+         ansible_python_interpreter: "/usr/bin/python2",
+         app_bind_address: ""
+       }
+    end
+  end
+  #Web Server 
+  config.vm.define "web" do |web|
+    web.vm.hostname = "nextcloud"
+ = "centos/7"
+ "private_network", ip: ""
+    # Creating a Shared Directory between host and guest VM 
+    #web.vm.synced_folder "/apps/shared", "/shared"
+    #Provision the webserver for nextcloud role ansible
+    web.vm.provision "shell", path: "provisioning/install/"
+    #Provision the webserver with Ansible
+    web.vm.provision "ansible" do |ansible|
+       ansible.compatibility_mode = "2.0"
+       ansible.playbook = "provisioning/ansible/nextcloud.yml"
+       ansible.become = true
+       ansible.extra_vars = {
+         ansible_python_interpreter: "/usr/bin/python2",
+         db_host: "",
+         use_redis_server: "true",
+         redis_host: "",
+         debug_speed: "false",
+       }
+       #ansible.inventory_path = "provisioning/apache.inventory"
+       #ansible.verbose = "vvvv"
+    end
+  end
+  #Prometheus
+  config.vm.define "prometheus" do |prometheus|
+ = 'centos/7'
+    prometheus.vm.hostname = "prometheus"
+ :private_network, ip: ""
+    prometheus.vm.provision "shell", path: "provisioning/install/"
+    #Provision prometheus-grafana with Ansible
+    prometheus.vm.provision "ansible" do |ansible|
+       ansible.compatibility_mode = "2.0"
+       ansible.playbook="provisioning/ansible/prometheus.yml"
+       ansible.become = true
+       ansible.extra_vars = {
+         ansible_python_interpreter: "/usr/bin/python2",
+       }
+    end
+  end
+  #Node Exporter
+  config.vm.define "node" do |node|
+ = 'centos/7'
+    node.vm.hostname = "nodexporter"
+ :private_network, ip: ""
+    node.vm.provision "shell", path: "provisioning/install/"
+    #Provision prometheus-grafana with Ansible
+    node.vm.provision "ansible" do |ansible|
+       ansible.compatibility_mode = "2.0"
+       ansible.playbook="provisioning/ansible/node_exporter.yml"
+       ansible.become = true
+       ansible.extra_vars = { 
+         ansible_python_interpreter: "/usr/bin/python2",
+       }
+    end 
+  end
+  #Grafana
+  config.vm.define "grafana" do |grafana|
+ = 'centos/7'
+    grafana.vm.hostname = "grafana"
+ :private_network, ip: ""
+    grafana.vm.provision "shell", path: "provisioning/install/"
+    #Provision prometheus-grafana with Ansible
+    grafana.vm.provision "ansible" do |ansible|
+       ansible.compatibility_mode = "2.0"
+       ansible.playbook="provisioning/ansible/grafana.yml"
+       ansible.become = true
+       ansible.extra_vars = { 
+         ansible_python_interpreter: "/usr/bin/python2",
+       }
+    end 
+  end 
+  config.vm.box_check_update = false 

+ 14 - 0

@@ -0,0 +1,14 @@
+- name: apply grafana role
+  hosts: all
+  #  vars:
+  #    ansible_python_interpreter: /usr/bin/python3
+  #    ansible_user: vagrant
+  #    ansible_password: vagrant
+  #  pre_tasks:
+  #    - name: define ansible_python_interpreter group // linux distribution
+  #      set_fact:
+  #        ansible_python_interpreter: /usr/bin/python2
+  #      when: ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7'
+  roles:
+    - { role: grafana }

+ 18 - 0

@@ -0,0 +1,18 @@
+- name: apply haproxy role
+  hosts: all
+  #  vars:
+  #    ansible_python_interpreter: /usr/bin/python3
+  #    ansible_user: vagrant
+  #    ansible_password: vagrant
+  #    ssl_name: "nextcloud.test"
+  #    network_allowed: ""
+  #    haproxy_backend_servers:
+  #      { name: 'web', ip: '' }
+  #  pre_tasks:
+  #    - name: define ansible_python_interpreter group // linux distribution
+  #      set_fact:
+  #        ansible_python_interpreter: /usr/bin/python2
+  #      when: ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7'
+  roles:
+    - { role: haproxy }

+ 15 - 0

@@ -0,0 +1,15 @@
+- name: apply mariadb configuration
+  hosts: all
+  #vars:
+  #  ansible_python_interpreter: /usr/bin/python3
+  #  ansible_user: vagrant
+  #  ansible_password: vagrant
+  #  app_bind_address:
+  #pre_tasks:
+  #  - name: define ansible_python_interpreter group // linux distribution
+  #    set_fact:
+  #      ansible_python_interpreter: /usr/bin/python2
+  #    when: ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7'
+  roles:
+    - { role: mariadb }

+ 19 - 0

@@ -0,0 +1,19 @@
+- name: apply nextcloud role
+  collections:
+    - community.general
+    - ansible.posix
+  hosts: all
+  #  vars:
+  #    ansible_python_interpreter: /usr/bin/python3
+  #    ansible_user: vagrant
+  #    ansible_password: vagrant
+  #    db_host:
+  #    debug_speed: false
+  #  pre_tasks:
+  #    - name: define ansible_python_interpreter group // linux distribution
+  #      set_fact:
+  #        ansible_python_interpreter: /usr/bin/python2
+  #      when: ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7'
+  roles:
+    - { role: nextcloud }

+ 14 - 0

@@ -0,0 +1,14 @@
+- name: apply node_exporter role
+  hosts: all
+  #  vars:
+  #    ansible_python_interpreter: /usr/bin/python3
+  #    ansible_user: vagrant
+  #    ansible_password: vagrant
+  #  pre_tasks:
+  #    - name: define ansible_python_interpreter group // linux distribution
+  #      set_fact:
+  #        ansible_python_interpreter: /usr/bin/python2
+  #      when: ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7'
+  roles:
+    - { role: node_exporter }

+ 14 - 0

@@ -0,0 +1,14 @@
+- name: apply prometheus role
+  hosts: all
+  #  vars:
+  #    ansible_python_interpreter: /usr/bin/python3
+  #    ansible_user: vagrant
+  #    ansible_password: vagrant
+  #  pre_tasks:
+  #    - name: define ansible_python_interpreter group // linux distribution
+  #      set_fact:
+  #        ansible_python_interpreter: /usr/bin/python2
+  #      when: ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7'
+  roles:
+    - { role: prometheus }

+ 14 - 0

@@ -0,0 +1,14 @@
+- name: apply redis role
+  hosts: all
+  #  vars:
+  #    ansible_python_interpreter: /usr/bin/python3
+  #    ansible_user: vagrant
+  #    ansible_password: vagrant
+  #  pre_tasks:
+  #    - name: define ansible_python_interpreter group // linux distribution
+  #      set_fact:
+  #        ansible_python_interpreter: /usr/bin/python2
+  #      when: ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7'
+  roles:
+    - { role: redis }

+ 5 - 0

@@ -0,0 +1,5 @@
+grafana_version: "6.2.2-1"
+grafana_tarball: "grafana-{{ grafana_version }}.x86_64"
+grafana_url: ""
+grafana_skip_install: false

+ 5 - 0

@@ -0,0 +1,5 @@
+- name: "Restart the Grafana service."
+  service:
+    name: grafana-server
+    state: restarted
+  listen: event_restart_grafana

+ 21 - 0

@@ -0,0 +1,21 @@
+- include_tasks: "setup/{{ ansible_os_family }}.yml"
+- name: "Grafana configuration file copy"
+  template:
+    src: "grafana.conf.j2"
+    dest: /etc/grafana/grafana.ini
+  notify: event_restart_grafana
+- name: "Grafana server started"
+  service:
+    name: grafana-server
+    enabled: true
+    state: started
+- name: "Check if Grafana is accessible."
+  uri:
+    url:
+    method: GET
+    status_code: 200

+ 35 - 0

@@ -0,0 +1,35 @@
+- name: Install grafana
+  yum:
+    name: "{{ grafana_url }}/{{ grafana_tarball }}.rpm"
+    state: latest
+#- name: Download grafana archive
+#  get_url:
+#    url:  "{{ grafana_url }}/{{ grafana_tarball }}.tar.gz"
+#    dest: /tmp/{{ grafana_tarball }}.tar.gz
+#    #checksum: "sha256:{{ grafana_url }}/{{ grafana_tarball }}.tar.gz.sha256"
+#  register: _download_archive
+#  until: _download_archive is succeeded
+#  retries: 5
+#  delay: 2
+#  when: not grafana_skip_install
+#- name: unpack grafana binaries
+#  unarchive:
+#    src: "/tmp/{{ grafana_tarball }}.tar.gz"
+#    dest: "/tmp"
+#    creates: "/tmp/grafana-{{ grafana_version }}/bin/grafana-cli"
+#    remote_src: true
+#  when: not grafana_skip_install
+#- name: Copy grafana files to bin
+#  copy:
+#    src: "/tmp/grafana-{{ grafana_version }}/"
+#    dest: "/etc/grafana"
+#    owner: root
+#    group: root
+#    remote_src: yes
+#    mode: 0750
+#  when: not grafana_skip_install

+ 3 - 0

@@ -0,0 +1,3 @@
+- include_tasks: "{{ ansible_facts['distribution'] }}.yml"

+ 462 - 0

@@ -0,0 +1,462 @@
+##################### Grafana Configuration Example #####################
+# Everything has defaults so you only need to uncomment things you want to
+# change
+# possible values : production, development
+;app_mode = production
+# instance name, defaults to HOSTNAME environment variable value or hostname if HOSTNAME var is empty
+;instance_name = ${HOSTNAME}
+#################################### Paths ####################################
+# Path to where grafana can store temp files, sessions, and the sqlite3 db (if that is used)
+;data = /var/lib/grafana
+# Temporary files in `data` directory older than given duration will be removed
+;temp_data_lifetime = 24h
+# Directory where grafana can store logs
+;logs = /var/log/grafana
+# Directory where grafana will automatically scan and look for plugins
+;plugins = /var/lib/grafana/plugins
+# folder that contains provisioning config files that grafana will apply on startup and while running.
+;provisioning = conf/provisioning
+#################################### Server ####################################
+# Protocol (http, https, socket)
+;protocol = http
+# The ip address to bind to, empty will bind to all interfaces
+;http_addr =
+# The http port  to use
+;http_port = 3000
+# The public facing domain name used to access grafana from a browser
+;domain = localhost
+# Redirect to correct domain if host header does not match domain
+# Prevents DNS rebinding attacks
+;enforce_domain = false
+# The full public facing url you use in browser, used for redirects and emails
+# If you use reverse proxy and sub path specify full url (with sub path)
+;root_url = http://localhost:3000
+# Log web requests
+;router_logging = false
+# the path relative working path
+;static_root_path = public
+# enable gzip
+;enable_gzip = false
+# https certs & key file
+;cert_file =
+;cert_key =
+# Unix socket path
+;socket =
+#################################### Database ####################################
+# You can configure the database connection by specifying type, host, name, user and password
+# as separate properties or as on string using the url properties.
+# Either "mysql", "postgres" or "sqlite3", it's your choice
+;type = sqlite3
+;host =
+;name = grafana
+;user = root
+# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
+;password =
+# Use either URL or the previous fields to configure the database
+# Example: mysql://user:secret@host:port/database
+;url =
+# For "postgres" only, either "disable", "require" or "verify-full"
+;ssl_mode = disable
+# For "sqlite3" only, path relative to data_path setting
+;path = grafana.db
+# Max idle conn setting default is 2
+;max_idle_conn = 2
+# Max conn setting default is 0 (mean not set)
+;max_open_conn =
+# Connection Max Lifetime default is 14400 (means 14400 seconds or 4 hours)
+;conn_max_lifetime = 14400
+# Set to true to log the sql calls and execution times.
+log_queries =
+#################################### Session ####################################
+# Either "memory", "file", "redis", "mysql", "postgres", default is "file"
+;provider = file
+# Provider config options
+# memory: not have any config yet
+# file: session dir path, is relative to grafana data_path
+# redis: config like redis server e.g. `addr=,pool_size=100,db=grafana`
+# mysql: go-sql-driver/mysql dsn config string, e.g. `user:password@tcp(`
+# postgres: user=a password=b host=localhost port=5432 dbname=c sslmode=disable
+;provider_config = sessions
+# Session cookie name
+;cookie_name = grafana_sess
+# If you use session in https only, default is false
+;cookie_secure = false
+# Session life time, default is 86400
+;session_life_time = 86400
+#################################### Data proxy ###########################
+# This enables data proxy logging, default is false
+;logging = false
+#################################### Analytics ####################################
+# Server reporting, sends usage counters to every 24 hours.
+# No ip addresses are being tracked, only simple counters to track
+# running instances, dashboard and error counts. It is very helpful to us.
+# Change this option to false to disable reporting.
+;reporting_enabled = true
+# Set to false to disable all checks to
+# for new vesions (grafana itself and plugins), check is used
+# in some UI views to notify that grafana or plugin update exists
+# This option does not cause any auto updates, nor send any information
+# only a GET request to to get latest versions
+;check_for_updates = true
+# Google Analytics universal tracking code, only enabled if you specify an id here
+;google_analytics_ua_id =
+#################################### Security ####################################
+# default admin user, created on startup
+;admin_user = admin
+# default admin password, can be changed before first start of grafana,  or in profile settings
+;admin_password = admin
+# used for signing
+;secret_key = SW2YcwTIb9zpOOhoPsMm
+# Auto-login remember days
+;login_remember_days = 7
+;cookie_username = grafana_user
+;cookie_remember_name = grafana_remember
+# disable gravatar profile images
+;disable_gravatar = false
+# data source proxy whitelist (ip_or_domain:port separated by spaces)
+;data_source_proxy_whitelist =
+# disable protection against brute force login attempts
+;disable_brute_force_login_protection = false
+#################################### Snapshots ###########################
+# snapshot sharing options
+;external_enabled = true
+;external_snapshot_url =
+;external_snapshot_name = Publish to
+# remove expired snapshot
+;snapshot_remove_expired = true
+#################################### Dashboards History ##################
+# Number dashboard versions to keep (per dashboard). Default: 20, Minimum: 1
+;versions_to_keep = 20
+#################################### Users ###############################
+# disable user signup / registration
+;allow_sign_up = true
+# Allow non admin users to create organizations
+;allow_org_create = true
+# Set to true to automatically assign new users to the default organization (id 1)
+;auto_assign_org = true
+# Default role new users will be automatically assigned (if disabled above is set to true)
+;auto_assign_org_role = Viewer
+# Background text for the user field on the login page
+;login_hint = email or username
+# Default UI theme ("dark" or "light")
+;default_theme = dark
+# External user management, these options affect the organization users view
+;external_manage_link_url =
+;external_manage_link_name =
+;external_manage_info =
+# Viewers can edit/inspect dashboard settings in the browser. But not save the dashboard.
+;viewers_can_edit = false
+# Set to true to disable (hide) the login form, useful if you use OAuth, defaults to false
+;disable_login_form = false
+# Set to true to disable the signout link in the side menu. useful if you use auth.proxy, defaults to false
+;disable_signout_menu = false
+# URL to redirect the user to after sign out
+;signout_redirect_url =
+#################################### Anonymous Auth ##########################
+# enable anonymous access
+;enabled = false
+# specify organization name that should be used for unauthenticated users
+;org_name = Main Org.
+# specify role for unauthenticated users
+;org_role = Viewer
+#################################### Github Auth ##########################
+;enabled = false
+;allow_sign_up = true
+;client_id = some_id
+;client_secret = some_secret
+;scopes = user:email,read:org
+;auth_url =
+;token_url =
+;api_url =
+;team_ids =
+;allowed_organizations =
+#################################### Google Auth ##########################
+;enabled = false
+;allow_sign_up = true
+;client_id = some_client_id
+;client_secret = some_client_secret
+;scopes =
+;auth_url =
+;token_url =
+;api_url =
+;allowed_domains =
+#################################### Generic OAuth ##########################
+;enabled = false
+;name = OAuth
+;allow_sign_up = true
+;client_id = some_id
+;client_secret = some_secret
+;scopes = user:email,read:org
+;auth_url =
+;token_url =
+;api_url =
+;team_ids =
+;allowed_organizations =
+;tls_skip_verify_insecure = false
+;tls_client_cert =
+;tls_client_key =
+;tls_client_ca =
+#################################### Auth ####################
+;enabled = false
+;allow_sign_up = true
+;client_id = some_id
+;client_secret = some_secret
+;scopes = user:email
+;allowed_organizations =
+#################################### Auth Proxy ##########################
+;enabled = false
+;header_name = X-WEBAUTH-USER
+;header_property = username
+;auto_sign_up = true
+;ldap_sync_ttl = 60
+;whitelist =,
+#################################### Basic Auth ##########################
+;enabled = true
+#################################### Auth LDAP ##########################
+;enabled = false
+;config_file = /etc/grafana/ldap.toml
+;allow_sign_up = true
+#################################### SMTP / Emailing ##########################
+;enabled = false
+;host = localhost:25
+;user =
+# If the password contains # or ; you have to wrap it with trippel quotes. Ex """#password;"""
+;password =
+;cert_file =
+;key_file =
+;skip_verify = false
+;from_address = admin@grafana.localhost
+;from_name = Grafana
+# EHLO identity in SMTP dialog (defaults to instance_name)
+;ehlo_identity =
+;welcome_email_on_sign_up = false
+#################################### Logging ##########################
+# Either "console", "file", "syslog". Default is console and  file
+# Use space to separate multiple modes, e.g. "console file"
+;mode = console file
+# Either "debug", "info", "warn", "error", "critical", default is "info"
+;level = info
+# optional settings to set different levels for specific loggers. Ex filters = sqlstore:debug
+;filters =
+# For "console" mode only
+;level =
+# log line format, valid options are text, console and json
+;format = console
+# For "file" mode only
+;level =
+# log line format, valid options are text, console and json
+;format = text
+# This enables automated log rotate(switch of following options), default is true
+;log_rotate = true
+# Max line number of single file, default is 1000000
+;max_lines = 1000000
+# Max size shift of single file, default is 28 means 1 << 28, 256MB
+;max_size_shift = 28
+# Segment log daily, default is true
+;daily_rotate = true
+# Expired days of log file(delete after max days), default is 7
+;max_days = 7
+;level =
+# log line format, valid options are text, console and json
+;format = text
+# Syslog network type and address. This can be udp, tcp, or unix. If left blank, the default unix endpoints will be used.
+;network =
+;address =
+# Syslog facility. user, daemon and local0 through local7 are valid.
+;facility =
+# Syslog tag. By default, the process' argv[0] is used.
+;tag =
+#################################### Alerting ############################
+# Disable alerting engine & UI features
+;enabled = true
+# Makes it possible to turn off alert rule execution but alerting UI is visible
+;execute_alerts = true
+#################################### Explore #############################
+# Enable the Explore section
+;enabled = false
+#################################### Internal Grafana Metrics ##########################
+# Metrics available at HTTP API Url /metrics
+# Disable / Enable internal metrics
+;enabled           = true
+# Publish interval
+;interval_seconds  = 10
+# Send internal metrics to Graphite
+# Enable by setting the address setting (ex localhost:2003)
+;address =
+;prefix = prod.grafana.%(instance_name)s.
+#################################### Distributed tracing ############
+# Enable by setting the address sending traces to jaeger (ex localhost:6831)
+;address = localhost:6831
+# Tag that will always be included in when creating new spans. ex (tag1:value1,tag2:value2)
+;always_included_tag = tag1:value1
+# Type specifies the type of the sampler: const, probabilistic, rateLimiting, or remote
+;sampler_type = const
+# jaeger samplerconfig param
+# for "const" sampler, 0 or 1 for always false/true respectively
+# for "probabilistic" sampler, a probability between 0 and 1
+# for "rateLimiting" sampler, the number of spans per second
+# for "remote" sampler, param is the same as for "probabilistic"
+# and indicates the initial sampling rate before the actual one
+# is received from the mothership
+;sampler_param = 1
+#################################### integration  ##########################
+# Url used to to import dashboards directly from
+;url =
+#################################### External image storage ##########################
+# Used for uploading images to public servers so they can be included in slack/email messages.
+# you can choose between (s3, webdav, gcs, azure_blob, local)
+;provider =
+;bucket =
+;region =
+;path =
+;access_key =
+;secret_key =
+;url =
+;public_url =
+;username =
+;password =
+;key_file =
+;bucket =
+;path =
+;account_name =
+;account_key =
+;container_name =
+# does not require any configuration

+ 18 - 0

@@ -0,0 +1,18 @@
+# Frontend settings.
+frontend_mode: 'http'
+ssl_name: 'nextcloud.test'
+ssl_crt_path: '/etc/ssl/private'
+ssl_self: true
+# Backend settings.
+backend_mode: 'http'
+backend_balance_method: 'roundrobin' # leastconn | roundrobin
+# Specific nextcloud settings.
+nc_settings: true
+network_allowed: ''
+# List of backend servers.
+  - { name: 'web', ip: '' }

+ 3 - 0

@@ -0,0 +1,3 @@
+- name: restart haproxy
+  service: name=haproxy state=restarted

+ 67 - 0

@@ -0,0 +1,67 @@
+- name: Get HAProxy version.
+  command: haproxy -v
+  register: haproxy_version_result
+  changed_when: false
+  check_mode: false
+- name: Set HAProxy version.
+  set_fact:
+    haproxy_version: '{{ haproxy_version_result.stdout_lines[0] | regex_replace("^HA-Proxy version ([0-9]\.[0-9]).*$", "\1") }}'
+- name: Ensure HAProxy is started and enabled on boot.
+  service: name=haproxy state=started enabled=yes
+- name: Create private key (RSA, 4096 bits)
+  community.crypto.openssl_privatekey:
+    path: "{{ ssl_crt_path }}/{{ ssl_name }}.key"
+  when: ssl_self
+- name: Create certificate signing request (CSR) for self-signed certificate
+  community.crypto.openssl_csr_pipe:
+    privatekey_path: "{{ ssl_crt_path }}/{{ ssl_name }}.key"
+    country_name: BE
+    locality_name: Louvain-la-Neuve
+    common_name: "{{ ssl_name }}"
+    organization_name: UCLouvain
+    organizational_unit_name: ELIC
+  register: csr
+  when: ssl_self
+- name: Generate a Self Signed OpenSSL certificate
+  community.crypto.x509_certificate:
+    path: "{{ ssl_crt_path }}/{{ ssl_name }}.crt"
+    csr_content: "{{ csr.csr }}"
+    privatekey_path: "{{ ssl_crt_path }}/{{ ssl_name }}.key"
+    provider: selfsigned
+  when: ssl_self
+- name: Merge KEY and CRT to generate PEM
+  shell: "cat {{ ssl_crt_path }}/{{ ssl_name }}.key {{ ssl_crt_path }}/{{ ssl_name }}.crt >> {{ ssl_crt_path }}/{{ ssl_name }}.pem"
+  when: ssl_self
+- name: Generate DH Parameters with a different size (2048 bits)
+  community.crypto.openssl_dhparam:
+    path: /etc/haproxy/dhparams.pem
+    size: 2048
+- name: Add ssl dhparam file
+  lineinfile:
+    path: /etc/haproxy/haproxy.cfg
+    insertafter: "^.*ssl-default-bind-options.*"
+    line: "\tssl-dh-param-file /etc/haproxy/dhparams.pem"
+    firstmatch: yes
+    state: present 
+- name: Copy HAProxy configuration in place
+  set_fact:
+    cfg_content: "{{ lookup('template', '{{ role_path }}/templates/haproxy.cfg.j2') }}"
+- name: Merge HAProxy config file
+  blockinfile:
+    dest: "/etc/haproxy/haproxy.cfg"
+    content: '{{ cfg_content }}'
+    state: present
+- name: HAProxy restart
+  service: name=haproxy state=restarted

+ 41 - 0

@@ -0,0 +1,41 @@
+frontend http_frontend
+  mode {{ frontend_mode }}
+	bind *:80
+	bind *:443 ssl crt  {{ ssl_crt_path }}/{{ ssl_name }}.pem alpn h2,http/1.1
+{% if nc_settings is sameas true %}
+	maxconn 20000
+	acl url_discovery_dav path /.well-known/caldav /.well-known/carddav
+	acl url_discovery_inf path /.well-known/webfinger /.well-known/nodeinfo
+	http-request redirect location /remote.php/dav/ code 301 if url_discovery_dav
+	http-request redirect location /index.php%[capture.req.uri] code 301 if url_discovery_inf
+	http-response set-header Strict-Transport-Security max-age=63072000
+{% endif %}
+	option forwardfor
+	option http-server-close
+{% if network_allowed != '' %}
+	#Only allow some services to be available internally
+	acl network_allowed src {{ network_allowed }}
+{% endif %}
+	redirect scheme https code 301 if !{ ssl_fc }
+	default_backend http_servers
+backend http_servers
+	mode {{ backend_mode }}
+	balance {{ backend_balance_method }}
+{% if nc_settings is sameas true %}
+	option httpchk HEAD /
+	cookie SERVERID insert indirect nocache
+	http-check expect rstatus [2-3][0-9][0-9]
+	http-response set-header X-Frame-Options SAMEORIGIN
+	http-response set-header X-XSS-Protection 1;mode=block
+	http-response set-header X-Content-Type-Options nosniff
+	default-server check maxconn 5000
+{% endif %}
+{% if haproxy_backend_servers != '' %}
+	server {{ }} {{ haproxy_backend_servers.ip }}
+{% endif %}

+ 42 - 0

@@ -0,0 +1,42 @@
+# defaults file for mariadb
+mariadb_version: "10.4"
+mysql_user_name: admin
+mysql_user_password: pedro
+mysql_root_username: root
+mysql_root_password: pedro
+# Set this to `true` to forcibly update the root password.
+#mysql_root_password_update: false
+#mysql_user_password_update: false
+# Allow remote root login
+disable_remote_root_login: true
+# Specify address to listen
+mariadb_bind_address: ''
+mariadb_port: 3306
+# Add mariabd databases
+# default create nothing
+  - name: nextcloudb
+    collation: utf8_general_ci
+    encoding: utf8
+    state: present
+    target: omit
+# Add mariabd users
+# default create nothing
+  - name: web
+    password: secret
+    #host: (replaced with global vars when calling role)
+    priv: 'nextcloudb.*:ALL,GRANT'
+    encrypted: false
+# Specify slow query log
+mariadb_slow_query_log_enabled: false
+mariadb_slow_query_time: "2"

+ 6 - 0

@@ -0,0 +1,6 @@
+# handlers file for ansible-role-mariadb
+- name: Restart mariadb
+  service:
+    name: "{{ mariadb_service }}"
+    state: restarted

+ 67 - 0

@@ -0,0 +1,67 @@
+#- name: Ensure default user is present.
+#  mysql_user:
+#    name: "{{ mysql_user_name }}"
+#    host: 'localhost'
+#    password: "{{ mysql_user_password }}"
+#    priv: '*.*:ALL,GRANT'
+#    state: present
+#  when: mysql_user_name != mysql_root_username
+## Has to be after the password assignment, for idempotency.
+#- name: Copy user-my.cnf file with password credentials.
+#  template:
+#    src: "user-my.cnf.j2"
+#    dest: "/root/.my.cnf"
+#    owner: "{{ mysql_user_name }}"
+#    mode: 0600
+#  when: mysql_user_name != mysql_root_username
+- name: Disallow root login remotely
+  command: 'mysql -NBe "{{ item }}"'
+  with_items:
+    - DELETE FROM mysql.user WHERE User='{{ mysql_root_username }}' AND Host NOT IN ('localhost', '', '::1')
+  changed_when: false
+- name: Get list of hosts for the root user.
+  command: mysql -NBe
+    "SELECT Host
+    FROM mysql.user
+    WHERE User = '{{ mysql_root_username }}'
+    ORDER BY (Host='localhost') ASC"
+  register: mysql_root_hosts
+  changed_when: false
+  check_mode: false
+# Set root password for MySQL
+- name: Update MySQL root password for localhost root account
+  shell: >
+    mysql -NBe
+    'SET PASSWORD FOR "{{ mysql_root_username }}"@"{{ item }}" = PASSWORD("{{ mysql_root_password }}"); FLUSH PRIVILEGES;'
+  with_items: "{{ mysql_root_hosts.stdout_lines|default([]) }}"
+# Has to be after the root password assignment, for idempotency.
+- name: Copy .my.cnf file with root password credentials.
+  template:
+    src: "root-my.cnf.j2"
+    dest: "/root/.my.cnf"
+    owner: root
+    group: root
+    mode: 0600
+- name: Get list of hosts for the anonymous user.
+  command: mysql -NBe "SELECT Host FROM mysql.user WHERE User = ''"
+  register: mysql_anonymous_hosts
+  changed_when: false
+  check_mode: false
+- name: Remove anonymous MySQL users.
+  mysql_user:
+    name: ""
+    host: "{{ item }}"
+    state: absent
+  with_items: "{{ mysql_anonymous_hosts.stdout_lines|default([]) }}"
+  no_log: true
+- name: Remove MySQL test database.
+  mysql_db: "name='test' state=absent"

+ 31 - 0

@@ -0,0 +1,31 @@
+- name: Update MySQL root password for localhost root account (5.7.x).
+  shell: >
+    mysql -u root -NBe
+    "SET PASSWORD FOR 'root'@'localhost' = PASSWORD('{{ mysql_root_password }}'); FLUSH PRIVILEGES;"
+  register: result
+  ignore_errors: true
+- name: Disallow root login remotely
+  command: 'mysql -NBe "{{ item }}" -p"{{ mysql_root_password }}"'
+  with_items:
+    - DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '', '::1')
+  changed_when: false
+  when: (disable_remote_root_login|bool) and (result is succeeded)
+- name: Remove anonymous MySQL users
+  mysql_user:
+    name: ''
+    host_all: yes
+    login_user: root
+    login_password: "{{ mysql_root_password }}"
+    state: absent
+    login_unix_socket: "{{ mariadb_socket }}"
+- name: Remove MySQL test database
+  mysql_db:
+    name: test
+    login_user: root
+    login_password: "{{ mysql_root_password }}"
+    state: absent
+    login_unix_socket: "{{ mariadb_socket }}"

+ 16 - 0

@@ -0,0 +1,16 @@
+- name: Get MySQL version.
+  command: 'mysql --version'
+  register: mysql_cli_version
+  changed_when: false
+  check_mode: false
+- name: setup Mariadb config file
+  template:
+    src: server.j2
+    dest: "{{ mariadb_config_file }}"
+    owner: "{{ mariadb_config_file_owner }}"
+    group: "{{ mariadb_config_file_group }}"
+    mode: 0644
+  notify: 
+  - Restart mariadb

+ 11 - 0

@@ -0,0 +1,11 @@
+- name: Ensure Mariadb database are present
+  mysql_db:
+    name: "{{ }}"
+    collation: "{{ item.collation | default('utf8_general_ci') }}"
+    encoding: "{{ item.encoding | default('utf8') }}"
+    state: "{{ item.state | default('present') }}"
+    target: "{{ | default(omit) }}"
+    login_unix_socket: "{{ mariadb_socket }}"
+  with_items: "{{ mariadb_database }}"

+ 15 - 0

@@ -0,0 +1,15 @@
+- name: Ensure Mariadb users are present.
+  mysql_user:
+    name: "{{ }}"
+    #host: "{{ | default('localhost') }}"
+    host: "{{ app_bind_address | default('localhost') }}"
+    password: "{{ item.password }}"
+    priv: "{{ item.priv | default('*.*:USAGE') }}"
+    state: "{{ item.state | default('present') }}"
+    append_privs: "{{ item.append_privs | default('no') }}"
+    encrypted: "{{ item.encrypted | default('no') }}"
+    login_unix_socket: "{{ mariadb_socket }}"
+  with_items: "{{ mariadb_user }}"
+  no_log: true

+ 20 - 0

@@ -0,0 +1,20 @@
+# tasks file for ansible-role-mariadb
+- name: Include OS specific variables.
+  include_vars: "{{ ansible_os_family }}.yml"
+- name: Install Mariadb
+  include_tasks: "setup/{{ ansible_os_family }}.yml"
+- name: Ensure Mariadb configfile is present
+  include_tasks: "config/template.yml"
+- name: Ensure Mariadb is secure
+  include_tasks: "config/secure-installation.yml"
+- name: Ensure Mariadb databases are present
+  include_tasks: "database/databases.yml"
+- name: Ensure Mariadb users are present
+  include_tasks: "database/users.yml"

+ 17 - 0

@@ -0,0 +1,17 @@
+# Install mariadb
+- name: Add MariaDB Repository for {{ ansible_distribution }}
+  template:
+    src: mariadb-server.repo.j2
+    dest: /etc/yum.repos.d/mariadb-server.repo
+- name: Install all the {{ ansible_distribution }} mariadb packages
+  dnf:
+    name: "{{ mariadb_packages }}"
+    state: present
+- name: Mariadb service
+  service:
+    name: "{{ mariadb_service }}"
+    state: started
+    enabled: yes

+ 13 - 0

@@ -0,0 +1,13 @@
+# Install mariadb
+- name: Install all the Suse mariadb packages
+  zypper:
+    name: "{{ mariadb_packages }}"
+    state: present
+- name: Mariadb service
+  service:
+    name: "{{ mariadb_service }}"
+    state: started
+    enabled: yes

+ 33 - 0

@@ -0,0 +1,33 @@
+# These groups are read by MariaDB server.
+# Use it for options that only the server (but not clients) should see
+# this is read by the standalone daemon and embedded servers
+bind-address = {{ mariadb_bind_address }}
+port = {{ mariadb_port }}
+{% if mariadb_slow_query_log_enabled == true %}
+slow_query_log = 1
+long_query_time = {{ mariadb_slow_query_time }}
+{% endif %}
+default-storage-engine = innodb
+# Galera-related settings
+wsrep_provider = {{ galera_wsrep_provider }}
+wsrep_cluster_address = "gcomm://{% for host in groups['galera_cluster'] %}{{ hostvars[host]['ansible_default_ipv4']['address'] }},{% endfor %}"
+wsrep_node_name = {{ ansible_hostname }}
+wsrep_cluster_name = {{ galera_cluster_name }}
+wsrep_node_address = {{ ansible_default_ipv4.address }}
+binlog_format = row
+default_storage_engine = InnoDB
+innodb_autoinc_lock_mode = 2
+wsrep_on = ON

+ 9 - 0

@@ -0,0 +1,9 @@
+name = MariaDB
+baseurl = "{{ mariadb_version}}/{{ ansible_distribution|lower|regex_replace('redhat', 'rhel')|regex_replace('oraclelinux', 'centos') }}{{ ansible_distribution_major_version }}-amd64"
+{% if ansible_distribution_file_variety == "RedHat" and ansible_distribution_major_version == "8" %}
+{% endif %}

+ 5 - 0

@@ -0,0 +1,5 @@
+{{ ansible_managed | comment }}
+user="{{ mysql_root_username }}"
+password="{{ mysql_root_password }}"

+ 22 - 0

@@ -0,0 +1,22 @@
+# These groups are read by MariaDB server.
+# Use it for options that only the server (but not clients) should see
+# See the examples of server my.cnf files in /usr/share/mysql/
+# this is read by the standalone daemon and embedded servers
+bind-address = {{ mariadb_bind_address }}
+port = {{ mariadb_port }}
+{% if mariadb_slow_query_log_enabled == true %}
+slow_query_log = 1
+long_query_time = {{ mariadb_slow_query_time }}
+{% endif %}

+ 5 - 0

@@ -0,0 +1,5 @@
+{{ ansible_managed | comment }}
+user="{{ mysql_user_name }}"
+password="{{ mysql_user_password }}"

+ 12 - 0

@@ -0,0 +1,12 @@
+  - mariadb
+  - mariadb-server
+  - mariadb-libs
+  - MySQL-python
+  - perl-DBD-MySQL
+mariadb_service: mariadb
+mariadb_config_file: /etc/my.cnf.d/server.cnf
+mariadb_socket: /var/lib/mysql/mysql.sock
+mariadb_config_file_owner: root
+mariadb_config_file_group: root

+ 9 - 0

@@ -0,0 +1,9 @@
+  - mariadb
+  - python3-PyMySQL
+mariadb_service: mariadb
+mariadb_config_file: /etc/my.cnf.d/server.cnf
+mariadb_socket: /run/mysql/mysql.sock
+mariadb_config_file_owner: root
+mariadb_config_file_group: root

+ 83 - 0

@@ -0,0 +1,83 @@
+# defaults file for nextcloud
+NEXTCLOUD_VERSION: 24.0.5 # overload from the role
+GPG_FINGERPRINT: "28806A878AE423A28372792ED75899B9A724937A"
+php_version: 8.1
+add_php_fpm: true
+nc_pm: "ondemand"
+nc_pm_max_children: 80
+nc_pm_start_servers: 2
+nc_pm_min_spare_servers: 1
+nc_pm_max_spare_servers: 3
+use_redis_server: false    # overload from the role
+redis_host: ""    # overload from the role
+nextcloud_trusted_domain: "nextcloud.test"
+nextcloud_ipv6: false
+debug_speed: false       # overload from the role
+nextcloud_instance_name: "{{ nextcloud_trusted_domain }}"
+nextcloud_install_websrv: true
+nextcloud_websrv: "apache2"  # "apache2" | "nginx"
+nextcloud_disable_websrv_default_site: false
+nextcloud_websrv_template: "templates/{{ nextcloud_websrv }}_nc.j2"
+nc_data_dir: "/srv/data"
+nc_admin_name: "pedro"
+nc_admin_pwd: "pedro"
+nc_loglevel: 2
+nc_log_rotate_size: 10485760
+nc_background_cron: true
+nc_cron_period: 10 # every <nc_cron_period> min
+## Custom nextcloud settings
+  - { name: 'default_phone_region', value: 'BE' }  # set a country code using ISO 3166-1
+  - { name: 'open_basedir', value: '/dev/urandom' }
+  - { name: 'mysql.utf8mb4', value: 'true' }
+  - { name: '', value: 'production' }  # production | stable | daily | beta
+  - { name: 'mail_smtpmode', value: 'smtp' }
+  - { name: 'mail_domain', value: '' }
+  - { name: 'mail_smtphost', value: '' }
+  - { name: 'mail_smtpauthtype', value: 'LOGIN' }
+  - { name: 'overwrite.cli.url', value: 'https://{{ nextcloud_trusted_domain }}' }
+  - { name: 'overwritehost', value: 'nextcloud.test' }
+  - { name: 'overwriteprotocol', value: 'https' }
+#php /var/www/html/occ config:system:set share_folder --value="/Shared"
+db_host: "" # overload from the role
+nc_db_name: "nextcloudb"
+nc_db_user: "web"
+nc_db_password: "secret"
+# [APPS]
+  - twofactor_totp
+  - deck
+  - tasks
+  - calendar
+  - contacts
+  - apporder
+nc_collabora: false

+ 4 - 0

@@ -0,0 +1,4 @@
+$CONFIG = array (
+  'memcache.local' => '\OC\Memcache\APCu',

+ 15 - 0

@@ -0,0 +1,15 @@
+$CONFIG = array (
+  'apps_paths' => array (
+      0 => array (
+              'path'     => OC::$SERVERROOT.'/apps',
+              'url'      => '/apps',
+              'writable' => false,
+      ),
+      1 => array (
+              'path'     => OC::$SERVERROOT.'/custom_apps',
+              'url'      => '/custom_apps',
+              'writable' => true,
+      ),
+  ),

+ 12 - 0

@@ -0,0 +1,12 @@
+# This file was generated by Ansible
+# Do NOT modify this file by hand!
+# Nextcloud mysql.cnf
+binlog_format = MIXED


+ 182 - 0

@@ -0,0 +1,182 @@
+        "_comment" : "This file was generated by Ansible, Do NOT modify this file by hand!",
+        "3gp": ["video/3gpp"],
+        "7z": ["application/x-7z-compressed"],
+        "accdb": ["application/msaccess"],
+        "ai": ["application/illustrator"],
+        "apk": ["application/"],
+        "arw": ["image/x-dcraw"],
+        "avi": ["video/x-msvideo"],
+        "bash": ["text/x-shellscript"],
+        "blend": ["application/x-blender"],
+        "bin": ["application/x-bin"],
+        "bmp": ["image/bmp"],
+        "bpg": ["image/bpg"],
+        "bz2": ["application/x-bzip2"],
+        "cb7": ["application/x-cbr"],
+        "cba": ["application/x-cbr"],
+        "cbr": ["application/x-cbr"],
+        "cbt": ["application/x-cbr"],
+        "cbtc": ["application/x-cbr"],
+        "cbz": ["application/x-cbr"],
+        "cc": ["text/x-c"],
+        "cdr": ["application/coreldraw"],
+        "class": ["application/java"],
+        "cnf": ["text/plain"],
+        "conf": ["text/plain"],
+        "cpp": ["text/x-c++src"],
+        "cr2": ["image/x-dcraw"],
+        "css": ["text/css"],
+        "csv": ["text/csv"],
+        "cvbdl": ["application/x-cbr"],
+        "c": ["text/x-c"],
+        "c++": ["text/x-c++src"],
+        "dcr": ["image/x-dcraw"],
+        "deb": ["application/x-deb"],
+        "dng": ["image/x-dcraw"],
+        "doc": ["application/msword"],
+        "docm": ["application/"],
+        "docx": ["application/vnd.openxmlformats-officedocument.wordprocessingml.document"],
+        "dot": ["application/msword"],
+        "dotx": ["application/vnd.openxmlformats-officedocument.wordprocessingml.template"],
+        "dv": ["video/dv"],
+        "eot": ["application/"],
+        "epub": ["application/epub+zip"],
+        "eps": ["application/postscript"],
+        "erf": ["image/x-dcraw"],
+        "exe": ["application/x-ms-dos-executable"],
+        "fb2": ["application/x-fictionbook+xml", "text/plain"],
+        "flac": ["audio/flac"],
+        "flv": ["video/x-flv"],
+        "gif": ["image/gif"],
+        "gz": ["application/x-gzip"],
+        "gzip": ["application/x-gzip"],
+        "h": ["text/x-h"],
+        "hh": ["text/x-h"],
+        "hpp": ["text/x-h"],
+        "html": ["text/html", "text/plain"],
+        "htm": ["text/html", "text/plain"],
+        "ical": ["text/calendar"],
+        "ics": ["text/calendar"],
+        "iiq": ["image/x-dcraw"],
+        "impress": ["text/impress"],
+        "java": ["text/x-java-source"],
+        "jpeg": ["image/jpeg"],
+        "jpg": ["image/jpeg"],
+        "jps": ["image/jpeg"],
+        "js": ["application/javascript", "text/plain"],
+        "json": ["application/json", "text/plain"],
+        "k25": ["image/x-dcraw"],
+        "kdc": ["image/x-dcraw"],
+        "key": ["application/x-iwork-keynote-sffkey"],
+        "keynote": ["application/x-iwork-keynote-sffkey"],
+        "kra": ["application/x-krita"],
+        "lwp": ["application/vnd.lotus-wordpro"],
+        "m2t": ["video/mp2t"],
+        "m4a": ["audio/mp4"],
+        "m4b": ["audio/m4b"],
+        "m4v": ["video/mp4"],
+        "markdown": ["text/markdown"],
+        "mdown": ["text/markdown"],
+        "md": ["text/markdown"],
+        "mdb": ["application/msaccess"],
+        "mdwn": ["text/markdown"],
+        "mkd": ["text/markdown"],
+        "mef": ["image/x-dcraw"],
+        "mkv": ["video/x-matroska"],
+        "mobi": ["application/x-mobipocket-ebook"],
+        "mov": ["video/quicktime"],
+        "mp3": ["audio/mpeg"],
+        "mp4": ["video/mp4"],
+        "mpeg": ["video/mpeg"],
+        "mpg": ["video/mpeg"],
+        "mpo": ["image/jpeg"],
+        "msi": ["application/x-msi"],
+        "mts": ["video/MP2T"],
+        "mt2s": ["video/MP2T"],
+        "nef": ["image/x-dcraw"],
+        "numbers": ["application/x-iwork-numbers-sffnumbers"],
+        "odf": ["application/vnd.oasis.opendocument.formula"],
+        "odg": ["application/"],
+        "odp": ["application/vnd.oasis.opendocument.presentation"],
+        "ods": ["application/vnd.oasis.opendocument.spreadsheet"],
+        "odt": ["application/vnd.oasis.opendocument.text"],
+        "oga": ["audio/ogg"],
+        "ogg": ["audio/ogg"],
+        "ogv": ["video/ogg"],
+        "one": ["application/msonenote"],
+        "opus": ["audio/ogg"],
+        "orf": ["image/x-dcraw"],
+        "otf": ["application/font-sfnt"],
+        "pad": ["application/x-ownpad"],
+        "calc": ["application/x-ownpad"],
+        "pages": ["application/x-iwork-pages-sffpages"],
+        "pdf": ["application/pdf"],
+        "pfb": ["application/x-font"],
+        "pef": ["image/x-dcraw"],
+        "php": ["application/x-php"],
+        "pl": ["application/x-perl"],
+        "png": ["image/png"],
+        "pot": ["application/"],
+        "potm": ["application/"],
+        "potx": ["application/vnd.openxmlformats-officedocument.presentationml.template"],
+        "ppa": ["application/"],
+        "ppam": ["application/"],
+        "pps": ["application/"],
+        "ppsm": ["application/"],
+        "ppsx": ["application/vnd.openxmlformats-officedocument.presentationml.slideshow"],
+        "ppt": ["application/"],
+        "pptm": ["application/"],
+        "pptx": ["application/vnd.openxmlformats-officedocument.presentationml.presentation"],
+        "ps": ["application/postscript"],
+        "psd": ["application/x-photoshop"],
+        "py": ["text/x-python"],
+        "raf": ["image/x-dcraw"],
+        "rar": ["application/x-rar-compressed"],
+        "reveal": ["text/reveal"],
+        "rss": ["application/rss+xml"],
+        "rtf": ["text/rtf"],
+        "rw2": ["image/x-dcraw"],
+        "sgf": ["application/sgf"],
+        "sh-lib": ["text/x-shellscript"],
+        "sh": ["text/x-shellscript"],
+        "srf": ["image/x-dcraw"],
+        "sr2": ["image/x-dcraw"],
+        "svg": ["image/svg+xml", "text/plain"],
+        "swf": ["application/x-shockwave-flash", "application/octet-stream"],
+        "tar": ["application/x-tar"],
+        "tar.bz2": ["application/x-bzip2"],
+        "tar.gz": ["application/x-compressed"],
+        "tbz2": ["application/x-bzip2"],
+        "tex": ["application/x-tex"],
+        "tgz": ["application/x-compressed"],
+        "tiff": ["image/tiff"],
+        "tif": ["image/tiff"],
+        "ttf": ["application/font-sfnt"],
+        "txt": ["text/plain"],
+        "vcard": ["text/vcard"],
+        "vcf": ["text/vcard"],
+        "vob": ["video/dvd"],
+        "vsd": ["application/vnd.visio"],
+        "wav": ["audio/wav"],
+        "webm": ["video/webm"],
+        "woff": ["application/font-woff"],
+        "wpd": ["application/vnd.wordperfect"],
+        "wmv": ["video/x-ms-wmv"],
+        "xcf": ["application/x-gimp"],
+        "xla": ["application/"],
+        "xlam": ["application/"],
+        "xls": ["application/"],
+        "xlsb": ["application/"],
+        "xlsm": ["application/"],
+        "xlsx": ["application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"],
+        "xlt": ["application/"],
+        "xltm": ["application/"],
+        "xltx": ["application/vnd.openxmlformats-officedocument.spreadsheetml.template"],
+        "xml": ["application/xml", "text/plain"],
+        "xrf": ["image/x-dcraw"],
+        "yaml": ["application/yaml", "text/plain"],
+        "yml": ["application/yaml", "text/plain"],
+        "zip": ["application/zip"]

+ 41 - 0

@@ -0,0 +1,41 @@
+# handlers file for nextcloud
+- name: restart mysql
+  ansible.builtin.service:
+    name: "{{ mysql_daemon }}"
+    state: restarted
+- name: start http
+  ansible.builtin.service:
+    name: "{{ http_service_name }}"
+    state: started
+- name: restart http
+  ansible.builtin.service:
+    name: "{{ http_service_name }}"
+    state: restarted
+- name: reload http
+  ansible.builtin.service:
+    name: "{{ http_service_name }}"
+    state: reloaded
+- name: start php-fpm
+  ansible.builtin.service:
+    name: php{{ php_ver }}-fpm
+    state: started
+- name: reload php-fpm
+  ansible.builtin.service:
+    name: php{{ php_ver }}-fpm
+    state: reloaded
+- name: start redis
+  ansible.builtin.service:
+    name: redis-server
+    state: started
+- name: restart redis
+  ansible.builtin.service:
+    name: redis-server
+    state: restarted

+ 56 - 0

@@ -0,0 +1,56 @@
+# tasks file for nextcloud
+- name: Main... Check Nextcloud debug speed
+  set_fact:
+    debug_speed_check: "{{ debug_speed }}"
+# include os specific tasks
+- include_tasks: "prep_os/{{ ansible_os_family }}.yml"
+# install required packages
+- include_tasks: "prep_php/{{ ansible_os_family }}.yml"
+- name: Main... Check if a mysql/mariadb database is available
+  shell: mysql --host={{ db_host }} --user={{ nc_db_user }} --password={{ nc_db_password }} -e 'SHOW DATABASES;' | grep -cx {{ nc_db_name }}
+  register: dbstatus
+  failed_when: "dbstatus.stdout|int != 1"
+  no_log: true
+- name: Main... Check Nextcloud installed
+  stat:
+    path: "{{ http_webroot }}/nextcloud/index.php"
+  register: nc_nextcloud_installed
+- name: Main... Download and Install Nextcloud
+  include_tasks: "nc_download.yml"
+  when: (nc_nextcloud_installed.stat.isreg is undefined) or (not nc_nextcloud_installed.stat.isreg)
+- name: Main... Check Nextcloud is installed
+  shell: grep installed {{ http_webroot }}/nextcloud/config/config.php | grep true | wc -l
+  register: nc_installation_configured
+- name: Main... Install nextcloud
+  include_tasks: nc_install.yml
+  when: nc_installation_configured.stdout|int == 0
+- name: Main... Check Selinux
+  include_tasks: "selinux.yml"
+  when:
+    - (ansible_os_family == "RedHat")
+    - (ansible_selinux.status == "enabled")
+- name: Main... Setup nextcloud
+  include_tasks: nc_setup.yml
+- name: Main... Restart {{ http_service_name }} service
+  service:
+    name: "{{ http_service_name }}"
+    state: restarted
+- name: Main... First run Cron
+  become_user: "{{ nextcloud_websrv_user }}"
+  become: true
+  shell: "{{ php_bin }} -f cron.php"
+  args:
+    chdir: "{{ http_webroot }}/nextcloud"

+ 65 - 0

@@ -0,0 +1,65 @@
+- name: Download... Download Nextcloud archive
+  get_url:
+    url:  "{{ NEXTCLOUD_URL }}"
+    dest: /tmp/{{ NEXTCLOUD_TARBALL }}
+    checksum: "sha256:{{ NEXTCLOUD_URL }}.sha256"
+- name: Download... Download generic GPG key
+  get_url:
+    url: "{{ NEXTCLOUD_GPG }}"
+    dest: /tmp/nextcloud.asc
+- name: Download... Download Nextcloud release GPG key
+  get_url:
+    url: "{{ NEXTCLOUD_URL }}.asc"
+    dest: /tmp/{{ NEXTCLOUD_TARBALL }}.asc
+- name: Download... Import Nextcloud GPG key
+  shell: gpg --import /tmp/nextcloud.asc
+- name: Download... See Nextcloud GPG stored
+  set_fact:
+   correct_gpg: "{{ GPG_FINGERPRINT }}"
+- name: Download... Verify Nextcloud GPG
+  shell: gpg --verify /tmp/{{ NEXTCLOUD_TARBALL }}.asc /tmp/{{ NEXTCLOUD_TARBALL }} 2>&1 | tail -n 1 | cut -d ':' -f2 | tr -d ' '
+  register: nc_fingerprint
+  failed_when: (nc_fingerprint.stdout|string not in correct_gpg)
+- name: Download... Extract Nextcloud
+  unarchive:
+    src: /tmp/{{ NEXTCLOUD_TARBALL }}
+    dest: "{{ http_webroot }}"
+    remote_src: true
+    creates: "{{ http_webroot }}/nextcloud/occ"
+- name: Download... Ensure Nextcloud files are 0640
+  shell: find {{ http_webroot }}/nextcloud -type f -exec chmod -c 0640 {} \;
+  register: nc_installation_chmod_result
+  changed_when: "nc_installation_chmod_result.stdout != \"\""
+- name: Download... Setting stronger directory ownership
+  file:
+    path: "{{ http_webroot }}/nextcloud/"
+    recurse: true
+    owner: "{{ nextcloud_websrv_user }}"
+    group: "{{ nextcloud_websrv_group }}"
+    state: directory
+- name: Download... Ensure Nextcloud .htaccess and .user.ini are 0644 
+  file:
+    path: "{{ item }}"
+    mode: u=rw,g=r,o=r
+  with_items:
+    - "{{ http_webroot }}/nextcloud/.htaccess"
+    - "{{ http_webroot }}/nextcloud/.user.ini"
+- name: Download... Remove Nextcloud tmp files
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - "/tmp/{{ NEXTCLOUD_TARBALL }}.asc"
+    - "/tmp/{{ NEXTCLOUD_TARBALL }}"
+    - "/tmp/nextcloud.asc"

+ 35 - 0

@@ -0,0 +1,35 @@
+# Run command line installation.
+# the web server must be running by now in order to launch the installation
+- name: Install... Removing possibly old or incomplete config.php
+  file:
+    path: "{{ http_webroot }}/nextcloud/config/config.php"
+    state: absent
+- name: Install... Create data directory
+  file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ nextcloud_websrv_user }}"
+    group: "{{ nextcloud_websrv_group }}"
+    mode: 0770
+  with_items:
+    - "{{ nc_data_dir }}"
+    - "{{ http_webroot }}/nextcloud/custom_apps"
+- name: Install... First setup Nextcloud
+  become_user: "{{ nextcloud_websrv_user }}"
+  become: true
+  shell: "{{ php_bin }} occ maintenance:install --database=mysql --database-host={{ db_host }} --database-name={{ nc_db_name }} --database-user={{ nc_db_user }} --database-pass={{ nc_db_password }} --admin-user={{ nc_admin_name }} --admin-pass={{ nc_admin_pwd }} --data-dir={{ nc_data_dir }}"
+  args:
+    chdir: "{{ http_webroot }}/nextcloud"
+    creates: "{{ http_webroot }}/nextcloud/config/config.php"
+  register: setup_nc
+- name: Install... Removing possibly sample config
+  file:
+    path: "{{ http_webroot }}/nextcloud/config/config.sample.php"
+    state: absent

+ 184 - 0

@@ -0,0 +1,184 @@
+- name: Setup... Set APCU config for Nextcloud
+  copy:
+    dest: "{{ http_webroot }}/nextcloud/config/apcu.config.php"
+    src: files/apcu.config.php
+    owner: "{{ nextcloud_websrv_user }}"
+    group: "{{ nextcloud_websrv_group }}"
+    mode: 0640
+- name: Setup... Set custom_apps config for Nextcloud
+  copy:
+    dest: "{{ http_webroot }}/nextcloud/config/apps.config.php"
+    src: files/apps.config.php
+    owner: "{{ nextcloud_websrv_user }}"
+    group: "{{ nextcloud_websrv_group }}"
+    mode: 0640
+- name: Setup... Set Trusted Domains
+  become_user: "{{ nextcloud_websrv_user }}"
+  become: true
+  shell: "{{ php_bin }} occ config:system:set trusted_domains 0 --value={{ nextcloud_trusted_domain }}"
+  args:
+    chdir: "{{ http_webroot }}/nextcloud"
+- name: Setup... Check disabled apps list
+  shell: "{{ php_bin }} occ app:list --no-warnings | grep -A30 'Disabled' | grep -v 'Disabled' | cut -d'-' -f2 | cut -d':' -f1 | grep -v 'encryption'"
+  args:
+    chdir: "{{ http_webroot }}/nextcloud"
+  become_user: "{{ nextcloud_websrv_user }}"
+  become: true
+  register: nc_apps_list
+  failed_when: nc_apps_list.rc >= 2
+- name: Setup... Enable all disabled apps
+  become_user: "{{ nextcloud_websrv_user }}"
+  become: true
+  shell: "{{ php_bin }} occ app:enable {{ item }}"
+  args:
+    chdir: "{{ http_webroot }}/nextcloud"
+  with_items: "{{ nc_apps_list.stdout_lines }}"
+  when: nc_apps_list.rc == 0
+- name: Setup... Applying default settings
+  become_user: "{{ nextcloud_websrv_user }}"
+  become: true
+  shell: "{{ php_bin }} occ {{ item }}"
+  args:
+    chdir: "{{ http_webroot }}/nextcloud"
+  loop:
+    - "config:system:set loglevel --value='{{ nc_loglevel }}'"
+    - "config:system:set log_type --value=file"
+    - "config:system:set logfile --value='{{ nc_data_dir }}/nextcloud.log'"
+    - "config:system:set log_rotate_size --value='{{ nc_log_rotate_size }}'"
+    - "config:app:set admin_audit logfile --value='{{ nc_data_dir }}/audit.log'"
+    - "config:system:set log.condition apps 0 --value='admin_audit'"
+  loop_control:
+    pause: 2
+- name: Setup... Applying preview settings
+  become_user: "{{ nextcloud_websrv_user }}"
+  become: true
+  shell: "{{ php_bin }} occ {{ item }}"
+  args:
+    chdir: "{{ http_webroot }}/nextcloud"
+  loop:
+    - "config:system:set preview_max_x --value='2048'"
+    - "config:system:set preview_max_y --value='2048'"
+    - "config:app:set preview jpeg_quality --value='60'"
+    - "config:system:set jpeg_quality --value='60'"
+    - "config:system:delete enabledPreviewProviders"
+    - "config:system:set enabledPreviewProviders 1 --value='OC\\Preview\\Image'"
+    - "config:system:set enabledPreviewProviders 2 --value='OC\\Preview\\MarkDown'"
+    - "config:system:set enabledPreviewProviders 3 --value='OC\\Preview\\MP3'"
+    - "config:system:set enabledPreviewProviders 4 --value='OC\\Preview\\TXT'"
+    - "config:system:set enabledPreviewProviders 5 --value='OC\\Preview\\OpenDocument'"
+    - "config:system:set enabledPreviewProviders 6 --value='OC\\Preview\\Movie'"
+    - "config:system:set enable_previews --value=true --type=boolean"
+  loop_control:
+    pause: 2
+- name: Setup... Applying other settings
+  become_user: "{{ nextcloud_websrv_user }}"
+  become: true
+  shell: "{{ php_bin }} occ {{ item }}"
+  args:
+    chdir: "{{ http_webroot }}/nextcloud"
+  loop:
+    - "config:system:set upgrade.disable-web --type=bool --value=true"
+    - "config:system:set trashbin_retention_obligation --value='auto, 30'"
+    - "config:system:set versions_retention_obligation --value='auto, 30'"
+    - "config:system:set activity_expire_days --value='30'"
+    - "config:system:set simpleSignUpLink.shown --type=bool --value=false"
+    #- "config:system:set share_folder --value='/Shared'"
+  loop_control:
+    pause: 2
+- name: Setup... Set Nextcloud system settings in config.php
+  become_user: "{{ nextcloud_websrv_user }}"
+  become: true
+  shell: "{{ php_bin }} occ config:system:set {{ }} --value={{ item.value }}"
+  args:
+    chdir: "{{ http_webroot }}/nextcloud"
+  with_items:
+    - "{{ nextcloud_config_settings }}"
+- name: Setup... Set Redis Server
+  template:
+    dest: "{{ http_webroot }}/nextcloud/config/redis.config.php" 
+    src: redis.config.php.j2
+    owner: "{{ nextcloud_websrv_user }}"
+    group: "{{ nextcloud_websrv_group }}"
+    mode: 0640
+  when: (use_redis_server | bool)
+- name: Setup... Install Nextcloud Apps
+  become_user: "{{ nextcloud_websrv_user }}"
+  become: true
+  shell: "{{ php_bin }} occ app:install {{ item }}"
+  args:
+    chdir: "{{ http_webroot }}/nextcloud"
+  with_items: "{{ nextcloud_apps }}"
+  register: nc_apps_installed
+  failed_when: nc_apps_installed.rc >= 2
+- name: Setup... Configure Cron
+  cron:
+    name: "Nextcloud Cronjob"
+    minute: "*/{{ nc_cron_period }}"
+    user: "{{ nextcloud_websrv_user }}"
+    job: "{{ php_bin }} -f {{ http_webroot }}/nextcloud/cron.php"
+    cron_file: "nextcloud"
+  when: (nc_background_cron | bool)
+- name: Setup... Set Cron method to Crontab
+  become_user: "{{ nextcloud_websrv_user }}"
+  become: true
+  shell: "{{ php_bin }} occ background:cron"
+  args:
+    chdir: "{{ http_webroot }}/nextcloud"
+  when: (nc_background_cron | bool)
+      ###- name: Setup... "[NC] Set Custom Mimetype"
+      ###  ansible.builtin.copy:
+      ###    dest: "{{ nextcloud_webroot }}/config/mimetypemapping.json"
+      ###    src: files/nextcloud_custom_mimetypemapping.json
+      ###    mode: 0640
+      ###
+- name: Setup... Collabora settings ownership
+  file:
+    path: "{{ item }}"
+    recurse: true
+    owner: cool
+    group: cool
+  with_items:
+    - /opt/cool/systemplate/etc/hosts
+    - /opt/cool/systemplate/etc/resolv.conf
+    - /etc/coolwsd
+  when: nc_collabora
+- name: Setup... Ensure Nextcloud directories are 0750
+  shell: find {{ http_webroot }}/nextcloud -type d -exec chmod -c 0750 {} \;
+  register: nc_installation_chmod_result
+  changed_when: "nc_installation_chmod_result.stdout != \"\""
+- name: Setup... Ensure Nextcloud files are 0640
+  shell: find {{ http_webroot }}/nextcloud -type f -exec chmod -c 0640 {} \;
+  register: nc_installation_chmod_result
+  changed_when: "nc_installation_chmod_result.stdout != \"\""
+      ###- name: Setup... "[NC] Setting stronger directory ownership"
+      ###  ansible.builtin.file:
+      ###    path: "{{ nextcloud_webroot }}/{{ item }}/"
+      ###    recurse: true
+      ###    owner: "{{ nextcloud_websrv_user }}"
+      ###    group: "{{ nextcloud_websrv_group }}"
+      ###    state: directory
+      ###  with_items:
+      ###    - apps
+      ###    - custom_apps
+      ###    - config
+      ###    - themes
+      ###    - updater

+# CentOS related tasks
+#- name: Prep OS... Create tmp directory
+#  file:
+#    path: "{{ item }}"
+#    state: directory
+#    owner: "{{ ansible_user }}"
+#    mode: 0770
+#  with_items:
+#    - "/tmp/ansible_{{ ansible_user }}"
+#- name: Prep OS... Set remote tmp
+#  set_fact:
+#    ansible_remote_tmp: "/tmp/ansible_{{ ansible_user }}"
+- name: Prep OS... add rpmfusion-free-release centos{{ ansible_distribution_major_version|int }} repo
+  dnf:
+    name:{{ ansible_distribution_major_version|int }}.noarch.rpm
+    disable_gpg_check: yes
+    validate_certs: no
+    state: latest
+  when: not debug_speed_check
+- name: Prep OS... import key from Collabora centos{{ ansible_distribution_major_version|int }} repo
+  ansible.builtin.rpm_key:
+    state: present
+    key:{{ ansible_distribution_major_version|int }}/repodata/repomd.xml.key
+  when: nc_collabora
+- name: Prep OS... add Collabora repos centos{{ ansible_distribution_major_version|int }} repo
+  ansible.builtin.yum_repository:
+    name: collabora
+    description: Collabora Online CODE repo
+    baseurl:{{ ansible_distribution_major_version|int }}
+  when: nc_collabora
+- name: Prep OS... install Collabora packages
+  dnf:
+    name:
+      - coolwsd
+      - CODE-brand
+      - inotify-tools 
+      - psmisc 
+      - perl
+    state: latest
+  when: nc_collabora
+- name: Prep OS... update os
+  dnf:
+    name: '*'
+    update_cache: true
+    state: latest
+  when: not debug_speed_check
+- name: Prep OS... install needed packages
+  dnf:
+    name:
+      - libreoffice
+      - ffmpeg
+      - mariadb
+    state: latest
+    enablerepo: epel
+  when: not debug_speed_check
+- name: Prep OS... Ensure Apache is installed on {{ ansible_facts['distribution'] }}
+  dnf:
+    name: httpd
+    state: present
+  when: nextcloud_websrv in ["apache", "apache2"]
+- name: Prep OS... Set http env on {{ ansible_facts['distribution'] }}
+  set_fact:
+    http_service_name: httpd
+    http_webroot: /var/www/html
+    nextcloud_websrv_user: apache
+    nextcloud_websrv_group: apache
+  when: nextcloud_websrv in ["apache", "apache2"]
+- name: Prep OS... Generate Nextcloud configuration for apache
+  template:
+    dest: /etc/httpd/conf.d/nextcloud.conf
+    src: nextcloud_apache2.j2
+    mode: 0640
+  when: nextcloud_websrv in ["apache", "apache2"]
+- name: Prep OS... Allow http to listen on tcp port 8000
+  seport:
+    ports: 8000
+    proto: tcp
+    setype: http_port_t
+    state: present
+    #- name: Prep OS... semanage port
+    #  command: semanage port -m -t http_port_t -p tcp {{ item }}
+    #  loop:
+    #    - "8000"
+- name: Prep OS... Start {{ http_service_name }} service
+  service:
+    name: "{{ http_service_name }}"
+    state: started

@@ -0,0 +1,3 @@
+- include_tasks: "{{ ansible_facts['distribution'] }}.yml"

+ 57 - 0

@@ -0,0 +1,57 @@
+# Suse related tasks
+- name: add rpmfusion-free-release {{ ansible_distribution_major_version|int }} repo
+  dnf:
+    name:{{ ansible_distribution_major_version|int }}.noarch.rpm
+    disable_gpg_check: yes
+    validate_certs: no
+    state: latest
+  when: not {{ debug_speed_check }}
+- name: update os
+  dnf:
+    name: '*'
+    update_cache: true
+    state: latest
+  when: not {{ debug_speed_check }}
+- name: install needed packages
+  dnf:
+    name:
+      - epel-release
+      - yum-utils
+      - curl
+      - bash-completion
+      - mlocate
+      - bzip2
+      - wget
+      - libreoffice
+      - ffmpeg
+      - mariadb
+    state: latest
+    enablerepo: epel
+  when: not {{ debug_speed_check }}
+- name: Ensure Apache is installed on {{ ansible_facts['distribution'] }}
+  dnf:
+    name: httpd
+    state: present
+  when: nextcloud_websrv in ["apache", "apache2"]
+  notify: start http
+- name: Set http env on {{ ansible_facts['distribution'] }}
+  set_fact:
+    http_service_name: httpd
+    http_webroot: /var/www/html
+    nextcloud_websrv_user: apache
+    nextcloud_websrv_group: apache
+  when: nextcloud_websrv in ["apache", "apache2"]
+- name: Generate Nextcloud configuration for apache
+  template:
+    dest: /etc/httpd/conf.d/nextcloud.conf
+    src: nextcloud_apache2.j2
+    mode: 0640
+  when: nextcloud_websrv in ["apache", "apache2"]
+  notify: restart http

@@ -0,0 +1,117 @@
+- name: Prep php... add php Remi repo
+  dnf:
+    name:{{ ansible_distribution_major_version|int }}.rpm
+    state: latest
+    disable_gpg_check: yes
+    validate_certs: no
+  when: not debug_speed_check
+- name: Prep php... disable all the php repositories
+  shell: yum-config-manager --disable 'remi-php*'
+  when: not debug_speed_check
+- name: Prep php... enable the repo php{{ php_version | replace(".","") }}
+  shell: yum-config-manager --enable remi-php{{ php_version | replace(".","") }}
+  when: not debug_speed_check
+- name: Prep php... update os
+  dnf:
+    name: '*'
+    update_cache: true
+    state: latest
+  when: not debug_speed_check
+- name: Prep php... install needed packages
+  dnf:
+    name:
+      - php{{ php_version | replace(".","") }}-php 
+      - php{{ php_version | replace(".","") }}-php-pecl-apcu 
+      - php{{ php_version | replace(".","") }}-php-bcmath 
+      - php{{ php_version | replace(".","") }}-php-dom 
+      - php{{ php_version | replace(".","") }}-php-gmp 
+      - php{{ php_version | replace(".","") }}-php-pecl-imagick 
+      - php{{ php_version | replace(".","") }}-php-ldap 
+      - php{{ php_version | replace(".","") }}-php-openssl 
+      - php{{ php_version | replace(".","") }}-php-gd 
+      - php{{ php_version | replace(".","") }}-php-json 
+      - php{{ php_version | replace(".","") }}-php-mysql 
+      - php{{ php_version | replace(".","") }}-php-curl 
+      - php{{ php_version | replace(".","") }}-php-mbstring 
+      - php{{ php_version | replace(".","") }}-php-intl 
+      - php{{ php_version | replace(".","") }}-php-exif 
+      - php{{ php_version | replace(".","") }}-php-zip 
+      - php{{ php_version | replace(".","") }}-php-zlib 
+      - php{{ php_version | replace(".","") }}-php-fileinfo 
+      - php{{ php_version | replace(".","") }}-php-pcntl 
+      - php{{ php_version | replace(".","") }}-php-posix 
+      - php{{ php_version | replace(".","") }}-php-xmlreader 
+      - php{{ php_version | replace(".","") }}-php-xmlwriter 
+      - php{{ php_version | replace(".","") }}-php-ctype 
+      - php{{ php_version | replace(".","") }}-php-bz2 
+      - php{{ php_version | replace(".","") }}-php-ftp
+      - php{{ php_version | replace(".","") }}-php-smbclient 
+      - php{{ php_version | replace(".","") }}-php-memcached 
+      - php{{ php_version | replace(".","") }}-php-redis 
+      - php{{ php_version | replace(".","") }}-php-phar 
+      - php{{ php_version | replace(".","") }}-php-opcache
+    state: latest
+  when: not debug_speed_check
+- name: Prep php... Set php env for {{ ansible_facts['distribution'] }}
+  set_fact: 
+    php_bin: "php{{ php_version | replace('.','') }}"
+    php_dir: "/etc/opt/remi/php{{ php_version | replace('.','') }}/php.d"
+    #php_pkg_apcu: "{{ php_config_ref[php_ver|replace('.','_')].php_pkg_apcu | d(php_config_ref.defaults.php_pkg_apcu) }}"
+    #php_pkg_spe: "{{ php_config_ref[php_ver|replace('.','_')].php_pkg_spe | d(php_config_ref.defaults.php_pkg_spe) }}"
+    #php_socket: "{{ php_config_ref[php_ver|replace('.','_')].php_socket | d(php_config_ref.defaults.php_socket) }}"
+- name: Prep php... Read Nextcloud configuration for PHP
+  set_fact:
+    php_content: "{{ lookup('template', '{{ role_path }}/templates/php_nc_ini.j2') }}"
+- name: Prep php... Integration Nextcloud configuration for PHP
+  blockinfile:
+    dest: /etc/opt/remi/php{{ php_version | replace(".","") }}/php.ini
+    content: '{{ php_content }}'
+    state: present
+- name: Prep php... Read APCU configuration for PHP 
+  set_fact:
+    php_content: "{{ lookup('template', '{{ role_path }}/templates/apcu_nc_ini.j2') }}"
+- name: Prep php... Integration APCU configuration for PHP 
+  blockinfile:
+    dest: /etc/opt/remi/php{{ php_version | replace(".","") }}/php.d/40-apcu.ini
+    content: '{{ php_content }}'
+    state: present
+- name: Prep php... Read OPCACHE configuration for PHP 
+  set_fact:
+    php_content: "{{ lookup('template', '{{ role_path }}/templates/opcache_nc_ini.j2') }}"
+- name: Prep php... Integration OPCACHE configuration for PHP 
+  blockinfile:
+    dest: /etc/opt/remi/php{{ php_version | replace(".","") }}/php.d/10-opcache.ini
+    content: '{{ php_content }}'
+    state: present
+- name: Prep php... Install PHP-FPM
+  dnf:
+    name:
+      - php{{ php_version | replace(".","") }}-php-fpm
+    state: latest
+  when: add_php_fpm
+- name: Prep php... Configure PHP-FPM
+  lineinfile:
+    dest: /etc/opt/remi/php{{ php_version | replace(".","") }}/php-fpm.d/www.conf
+    regexp: "^{{ | regex_escape() }}.*"
+    line: "{{ item.value }}"
+  with_items:
+    - { property: 'pm = dynamic', value: 'pm = {{ nc_pm }}' }
+    - { property: 'pm.max_children =', value: 'pm.max_children = {{ nc_pm_max_children }}' }
+    - { property: 'pm.start_servers =', value: 'pm.start_servers = {{ nc_pm_start_servers }}' }
+    - { property: 'pm.min_spare_servers =', value: 'pm.min_spare_servers = {{ nc_pm_min_spare_servers }}' }
+    - { property: 'pm.max_spare_servers =', value: 'pm.max_spare_servers = {{ nc_pm_max_spare_servers }}' }
+  when: add_php_fpm

@@ -0,0 +1,5 @@
+# install required packages
+- include_tasks: "{{ ansible_facts['distribution'] }}.yml"

+ 76 - 0

@@ -0,0 +1,76 @@
+- name: add php{{ php_version | replace(".","") }} repo
+  dnf:
+    name:{{ ansible_distribution_major_version|int }}.rpm
+    state: latest
+- name: update os
+  dnf:
+    name: '*'
+    update_cache: true
+    state: latest
+- name: install needed packages
+  dnf:
+    name:
+      - php{{ php_version | replace(".","") }}-php 
+      - php{{ php_version | replace(".","") }}-php-pecl-apcu 
+      - php{{ php_version | replace(".","") }}-php-bcmath 
+      - php{{ php_version | replace(".","") }}-php-dom 
+      - php{{ php_version | replace(".","") }}-php-gmp 
+      - php{{ php_version | replace(".","") }}-php-pecl-imagick 
+      - php{{ php_version | replace(".","") }}-php-ldap 
+      - php{{ php_version | replace(".","") }}-php-openssl 
+      - php{{ php_version | replace(".","") }}-php-gd 
+      - php{{ php_version | replace(".","") }}-php-json 
+      - php{{ php_version | replace(".","") }}-php-mysql 
+      - php{{ php_version | replace(".","") }}-php-curl 
+      - php{{ php_version | replace(".","") }}-php-mbstring 
+      - php{{ php_version | replace(".","") }}-php-intl 
+      - php{{ php_version | replace(".","") }}-php-exif 
+      - php{{ php_version | replace(".","") }}-php-zip 
+      - php{{ php_version | replace(".","") }}-php-zlib 
+      - php{{ php_version | replace(".","") }}-php-fileinfo 
+      - php{{ php_version | replace(".","") }}-php-pcntl 
+      - php{{ php_version | replace(".","") }}-php-posix 
+      - php{{ php_version | replace(".","") }}-php-xmlreader 
+      - php{{ php_version | replace(".","") }}-php-xmlwriter 
+      - php{{ php_version | replace(".","") }}-php-ctype 
+      - php{{ php_version | replace(".","") }}-php-bz2 
+      - php{{ php_version | replace(".","") }}-php-ftp
+      - php{{ php_version | replace(".","") }}-php-smbclient 
+      - php{{ php_version | replace(".","") }}-php-memcached 
+      - php{{ php_version | replace(".","") }}-php-redis 
+      - php{{ php_version | replace(".","") }}-php-phar 
+      - php{{ php_version | replace(".","") }}-php-opcache
+    state: latest
+- name: Set php env for {{ ansible_facts['distribution'] }}
+  set_fact: 
+    php_bin: "php{{ php_version | replace('.','') }}"
+    php_dir: "/etc/opt/remi/php{{ php_version | replace('.','') }}/php.d/nextcloud.ini"
+    #php_pkg_apcu: "{{ php_config_ref[php_ver|replace('.','_')].php_pkg_apcu | d(php_config_ref.defaults.php_pkg_apcu) }}"
+    #php_pkg_spe: "{{ php_config_ref[php_ver|replace('.','_')].php_pkg_spe | d(php_config_ref.defaults.php_pkg_spe) }}"
+    #php_socket: "{{ php_config_ref[php_ver|replace('.','_')].php_socket | d(php_config_ref.defaults.php_socket) }}"
+- name: Add Nextcloud configuration for PHP
+  template:
+    dest: /etc/opt/remi/php{{ php_version | replace(".","") }}/php.d/nextcloud.ini
+    src: php_nc_ini.j2
+    mode: '0640'
+  notify: restart http
+- name: Generate Nextcloud configuration for APCU
+  lineinfile:
+    path: /etc/opt/remi/php{{ php_version | replace(".","") }}/php.d/40-apcu.ini
+    regexp: '^apc.shm_size(.*)'
+    line:   'apc.shm_size = {{ APC_SHM_SIZE }}'
+    backup: true
+  notify: restart http
+- name: Generate Nextcloud configuration for OPCACHE
+  ansible.builtin.template:
+    dest: /etc/opt/remi/php{{ php_version | replace(".","") }}/php.d/10-opcache.ini
+    src: opcache_nc_ini.j2
+    mode: 0640
+  notify: restart http

@@ -0,0 +1,51 @@
+- name: Selinux... selinux targets
+  sefcontext:
+    target: "{{ item }}"
+    setype: httpd_sys_rw_content_t
+    state: present
+  register: filecontext
+  with_items:
+    - '{{ nc_data_dir }}(/.*)?'
+    - '{{ http_webroot }}/nextcloud/config(/.*)?'
+    - '{{ http_webroot }}/nextcloud/apps(/.*)?'
+    - '{{ http_webroot }}/nextcloud/custom_apps(/.*)?'
+    - '{{ http_webroot }}/nextcloud/assets(/.*)?'
+    - '{{ http_webroot }}/nextcloud/.htaccess'
+    - '{{ http_webroot }}/nextcloud/.user.ini'
+    - '{{ http_webroot }}/nextcloud/3rdparty/aws/aws-sdk-php/src/data/logs(/.*)?'
+- name: Selinux... enable seboolean settings
+  seboolean:
+    name: "{{ item }}"
+    state: yes
+    persistent: yes
+  with_items:
+    - httpd_can_sendmail
+    - httpd_unified
+    - httpd_graceful_shutdown
+    - httpd_can_network_relay
+    - httpd_can_network_connect
+    - httpd_can_network_connect_db
+    - daemons_enable_cluster_mode
+    #- httpd_execmem
+      ###- name: Selinux... enable seboolean settings
+      ###  command: semodule -i {{ role_path }}/files/{{ item }}
+      ###  loop:
+      ###    - httpd-to-php-fpm.pp
+      ###    - httpd-to-redis-socket.pp
+      ###    - httpd-to-upload-tmp.pp
+- name: Selinux... Run restore context to reload selinux
+  shell: restorecon -R -v {{ }}
+  when: filecontext.results[item.index] is changed
+  with_items:
+    - { index: 0, target: '{{ nc_data_dir }}/' }
+    - { index: 1, target: '{{ http_webroot }}/nextcloud/' }
+- name: Selinux... Restart {{ http_service_name }} service
+  service:
+    name: "{{ http_service_name }}" 
+    state: restarted

@@ -0,0 +1,19 @@
+- name: Ensure Apache is installed on {{ ansible_facts['distribution'] }}
+  dnf:
+    name: httpd
+    state: present
+  when: nextcloud_websrv in ["apache", "apache2"]
+  notify: start http
+- name: Set nextcloud webroot on {{ ansible_facts['distribution'] }}
+  set_fact:
+    nextcloud_webroot: /var/www/html/nextcloud/
+- name: Generate Nextcloud configuration for apache
+  template:
+    dest: /etc/httpd/conf.d/nextcloud.conf
+    src: nextcloud_apache2.j2
+    mode: 0640
+  when: nextcloud_websrv in ["apache", "apache2"]
+  notify: restart http

@@ -0,0 +1,116 @@
+- name: "[mySQL] - Service is installed."
+  ansible.builtin.package:
+    name: "{{ 'default-' if ((ansible_distribution|lower) == 'debian' and nextcloud_db_backend == 'mysql') else '' }}{{ nextcloud_db_backend }}-server"
+    state: present
+  register: nc_mysql_db_install
+- name: "[mySQL] - Check if MySQL packages were installed."
+  ansible.builtin.set_fact:
+    mysql_install_packages: "{{ nc_mysql_db_install is defined and nc_mysql_db_install.changed }}"
+- name: "[mySQL] - Get MySQL version."
+  ansible.builtin.command: 'mysql --version'
+  register: mysql_cli_version
+  changed_when: false
+  check_mode: false
+- name: "[mySQL] - Packages are installed."
+  ansible.builtin.package:
+    name: "{{ nc_mysql_deps }}"
+    state: present
+  vars:
+    nc_mysql_deps:
+      - "php{{ php_ver }}-mysql"
+      - "python3-pymysql"
+- name: "[mySQL] - Ensure MySQL is started and enabled on boot."
+  ansible.builtin.service:
+    name: "{{ mysql_daemon }}"
+    state: started
+    enabled: "{{ nextcloud_db_enabled_on_startup }}"
+  register: mysql_service_configuration
+- name: "[mySQL] - Get list of hosts for the root user."
+  ansible.builtin.command: mysql -NBe
+    "SELECT Host
+    FROM mysql.user
+    WHERE User = 'root'
+    ORDER BY (Host='localhost') ASC"
+  register: mysql_root_hosts
+  changed_when: false
+  check_mode: false
+  when: mysql_install_packages | bool or nextcloud_mysql_root_pwd_update
+# Note: We do not use mysql_user for this operation, as it doesn't always update
+# the root password correctly. See:
+- name: "[mySQL] - Update MySQL root password for localhost root account (5.7.x)."
+ >
+    mysql -u root -NBe
+    'ALTER USER "root"@"{{ item }}"
+    IDENTIFIED WITH mysql_native_password BY "{{ nextcloud_mysql_root_pwd }}"; FLUSH PRIVILEGES;'
+  with_items: "{{ mysql_root_hosts.stdout_lines|default([]) }}"
+  when: >
+    ((mysql_install_packages | bool) or nextcloud_mysql_root_pwd_update)
+    and ('5.7.' in mysql_cli_version.stdout or '8.0.' in mysql_cli_version.stdout)
+- name: "[mySQL] - Update MySQL root password for localhost root account (< 5.7.x)."
+ >
+    mysql -NBe
+    'SET PASSWORD FOR "root"@"{{ item }}" = PASSWORD("{{ nextcloud_mysql_root_pwd }}"); FLUSH PRIVILEGES;'
+  with_items: "{{ mysql_root_hosts.stdout_lines|default([]) }}"
+  when: >
+    ((mysql_install_packages | bool) or nextcloud_mysql_root_pwd_update)
+    and ('5.7.' not in mysql_cli_version.stdout and '8.0.' not in mysql_cli_version.stdout)
+- name: "[mySQL] - Copy .my.cnf file with root password credentials."
+  ansible.builtin.template:
+    src: "root-my.cnf.j2"
+    dest: "/root/.my.cnf"
+    owner: root
+    group: root
+    mode: 0600
+  when: mysql_install_packages | bool or nextcloud_mysql_root_pwd_update
+- name: "[mySQL] - Get list of hosts for the anonymous user."
+  ansible.builtin.command: mysql -NBe 'SELECT Host FROM mysql.user WHERE User = ""'
+  register: mysql_anonymous_hosts
+  changed_when: false
+  check_mode: false
+- name: "[mySQL] - Remove anonymous MySQL users."
+  mysql_user:
+    name: ""
+    host: "{{ item }}"
+    state: absent
+  with_items: "{{ mysql_anonymous_hosts.stdout_lines|default([]) }}"
+- name: "[mySQL] - Remove MySQL test database."
+  mysql_db:
+    name: 'test'
+    state: absent
+- name: "[mySQL] - Set mysql config option for Nextcloud"
+  ansible.builtin.copy:
+    dest: /etc/mysql/conf.d/nextcloud.cnf
+    src: files/mysql_nextcloud.cnf
+    mode: 0600
+  notify: restart mysql
+- name: "[mySQL] - Add Database {{ nextcloud_db_name }}."
+  mysql_db:
+    name: "{{ nextcloud_db_name }}"
+    login_user: root
+    login_password: "{{ nextcloud_mysql_root_pwd }}"
+    config_file: "{{ mysql_credential_file[(ansible_os_family|lower)] | default(omit) }}"
+    state: present
+- name: "[mySQL] - Configure the database user."
+  mysql_user:
+    name: "{{ nextcloud_db_admin }}"
+    password: "{{ nextcloud_db_pwd }}"
+    priv: "{{ nextcloud_db_name }}.*:ALL"
+    login_user: root
+    login_password: "{{ nextcloud_mysql_root_pwd }}"
+    config_file: "{{ mysql_credential_file[(ansible_os_family|lower)] | default(omit) }}"
+    state: present

@@ -0,0 +1,28 @@
+- name: "[PostgreSQL] - PostgreSQL packages are installed"
+  ansible.builtin.package:
+    name: "{{ pg_deps }}"
+    state: "present"
+  vars:
+    pg_deps:
+      - "postgresql"
+      - "php{{ php_ver }}-pgsql"
+      - "python3-psycopg2"
+- name: "[PostgreSQL] - nextcloud role is created."
+    name: "{{ nextcloud_db_admin }}"
+    password: "{{ nextcloud_db_pwd }}"
+    encrypted: true
+    state: present
+    role_attr_flags: CREATEDB
+  become_user: postgres
+  become: true
+- name: "[PostgreSQL] - nextcloud database is created."
+  postgresql_db:
+    name: "{{ nextcloud_db_name }}"
+    state: present
+    owner: "{{ nextcloud_db_admin }}"
+  become_user: postgres
+  become: true

@@ -0,0 +1,69 @@
+- name: "[APACHE] -  enable APC for php CLI"
+  ansible.builtin.lineinfile:
+    dest: "{{ php_dir }}/cli/php.ini"
+    line: "apc.enable_cli = 1"
+    insertbefore: "^; End:$"
+    state: present
+    # validate: "/usr/sbin/{{ php_bin }} -t #%s"
+- name: "[APACHE] -  enable PHP OPcache for php.ini"
+  ansible.builtin.lineinfile:
+    dest: "{{ php_dir }}/apache2/php.ini"
+    state: present
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+    backrefs: true
+  with_items:
+    - {regexp: 'opcache.enable=0', line: 'opcache.enable=1'}
+    - {regexp: 'opcache.enable_cli', line: 'opcache.enable_cli=1'}
+    - {regexp: 'opcache.interned_strings_buffer', line: 'opcache.interned_strings_buffer=8'}
+    - {regexp: 'opcache.max_accelerated_files', line: 'opcache.max_accelerated_files=10000'}
+    - {regexp: 'opcache.memory_consumption', line: 'opcache.memory_consumption=128'}
+    - {regexp: 'opcache.save_comments', line: 'opcache.save_comments=1'}
+    - {regexp: 'opcache.revalidate_freq', line: 'opcache.revalidate_freq=1'}
+    - {regexp: 'memory_limit', line: 'memory_limit={{ php_memory_limit }}'}
+    # validate: "/usr/sbin/{{ php_bin }} -t #%s"
+  notify: reload http
+- name: "[APACHE] -  Required Apache2 modules are enabled"
+  apache2_module:
+    name: "{{ item }}"
+    state: present
+  with_items:
+    - rewrite
+    - headers
+    - env
+    - dir
+    - mime
+  notify: restart http
+- name: "[APACHE] -  Ssl Apache2 module is enabled"
+  apache2_module:
+    state: present
+    name: "{{ item }}"
+  with_items:
+    - ssl
+  when: (nextcloud_install_tls | bool)
+  notify: restart http
+- name: "[APACHE] -  generate Nextcloud configuration for apache"
+  ansible.builtin.template:
+    dest: /etc/apache2/sites-available/nc_{{ nextcloud_instance_name }}.conf
+    src: "{{ nextcloud_websrv_template }}"
+    mode: 0640
+  notify: reload http
+- name: "[APACHE] -  Enable Nextcloud site in apache conf"
+  ansible.builtin.file:
+    path: /etc/apache2/sites-enabled/nc_{{ nextcloud_instance_name }}.conf
+    src: /etc/apache2/sites-available/nc_{{ nextcloud_instance_name }}.conf
+    state: link
+  notify: reload http
+- name: "[APACHE] -  Disable apache default site"
+  ansible.builtin.file:
+    path: /etc/apache2/sites-enabled/000-default.conf
+    state: absent
+  when: nextcloud_disable_websrv_default_site | bool
+  notify: reload http

@@ -0,0 +1,90 @@
+- name: "[NGINX] -  remove some commented line in php-fpm conf"
+  ansible.builtin.lineinfile:
+    dest: "{{ php_dir }}/fpm/pool.d/www.conf"
+    regexp: '^\;env'
+    state: absent
+    # validate: "/usr/sbin/{{ php_bin }} -t #%s"
+  notify: reload php-fpm
+- name: "[NGINX] -  Add path variable to php-fpm"
+  ansible.builtin.blockinfile:
+    dest: "{{ php_dir }}/fpm/pool.d/www.conf"
+    insertafter: '^; Default Value: clean env$'
+    marker: "; {mark} ANSIBLE MANAGED BLOCK"
+    block: |
+      env[HOSTNAME] = $HOSTNAME
+      env[PATH] = $PATH
+      env[TMP] = /tmp
+      env[TMPDIR] = /tmp
+      env[TEMP] = /tmp
+  notify: reload php-fpm
+- name: "[NGINX] -  enable APC for php CLI"
+  ansible.builtin.lineinfile:
+    dest: "{{ php_dir }}/cli/php.ini"
+    line: "apc.enable_cli = 1"
+    insertbefore: "^; End:$"
+    state: present
+    # validate: "/usr/sbin/{{ php_bin }} -t #%s"
+  notify: reload php-fpm
+- name: "[NGINX] -  enable PHP OPcache for php.ini"
+  ansible.builtin.lineinfile:
+    dest: "{{ php_dir }}/fpm/php.ini"
+    state: present
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+    backrefs: true
+  with_items:
+    - { regexp: 'opcache.enable=0', line: 'opcache.enable=1' }
+    - { regexp: 'opcache.enable_cli', line: 'opcache.enable_cli=1' }
+    - { regexp: 'opcache.interned_strings_buffer', line: 'opcache.interned_strings_buffer=8' }
+    - { regexp: 'opcache.max_accelerated_files', line: 'opcache.max_accelerated_files=10000' }
+    - { regexp: 'opcache.memory_consumption', line: 'opcache.memory_consumption=128' }
+    - { regexp: 'opcache.save_comments', line: 'opcache.save_comments=1' }
+    - { regexp: 'opcache.revalidate_freq', line: 'opcache.revalidate_freq=1' }
+    - { regexp: 'memory_limit', line: 'memory_limit={{ php_memory_limit }}'}
+    # validate: "/usr/sbin/{{ php_bin }} -t #%s"
+  notify: reload php-fpm
+- name: "[NGINX] -  Public Diffie-Hellman Parameter are generated. This might take a while."
+  ansible.builtin.command: "openssl dhparam -out {{ nextcloud_tls_dhparam }} 2048"
+  args:
+    creates: "{{ nextcloud_tls_dhparam }}"
+- name: "[NGINX] -  php handler configuration is present."
+  ansible.builtin.template:
+    dest: /etc/nginx/sites-available/php_handler.cnf
+    src: templates/nginx_php_handler.j2
+    mode: 0640
+  notify: reload http
+- name: "[NGINX] -  php handler is enabled"
+  ansible.builtin.file:
+    path: /etc/nginx/sites-enabled/php_handler
+    src: /etc/nginx/sites-available/php_handler.cnf
+    state: link
+  notify: reload http
+- name: "[NGINX] -  generate Nextcloud configuration for nginx"
+  ansible.builtin.template:
+    dest: /etc/nginx/sites-available/nc_{{ nextcloud_instance_name }}.cnf
+    src: "{{ nextcloud_websrv_template }}"
+    mode: 0640
+  notify: reload http
+- name: "[NGINX] -  Enable Nextcloud in nginx conf"
+  ansible.builtin.file:
+    path: /etc/nginx/sites-enabled/nc_{{ nextcloud_instance_name }}
+    src: /etc/nginx/sites-available/nc_{{ nextcloud_instance_name }}.cnf
+    state: link
+  notify: reload http
+- name: "[NGINX] -  Disable nginx default site"
+  ansible.builtin.file:
+    path: /etc/nginx/sites-enabled/default
+    state: absent
+  when: nextcloud_disable_websrv_default_site | bool
+  notify: reload http

@@ -0,0 +1,67 @@
+- name: parse the item values
+  ansible.builtin.set_fact:
+    nc_app_name: "{{ item.key }}"
+    nc_app_cfg: "{{ item.value }}"
+- name: "Install and enable Nextcloud Apps"
+  block:
+    - name: "[ App {{ nc_app_name }} ] - Download Archive in apps folder."
+      ansible.builtin.unarchive:
+        copy: false
+        src: "{{ nc_app_cfg }}"
+        dest: "{{ nextcloud_webroot }}/apps/"
+        owner: "{{ nextcloud_websrv_user }}"
+        group: "{{ nextcloud_websrv_group }}"
+        creates: "{{ nextcloud_webroot }}/apps/{{ nc_app_name }}"
+      when: nc_app_cfg is not none
+    - name: "[ App {{ nc_app_name }} ] - enable the application."
+      become_user: "{{ nextcloud_websrv_user }}"
+      become_flags: "{{ ansible_become_flags | default(omit) }}"
+      become: true
+      ansible.builtin.command: php occ app:enable "{{ nc_app_name }}"
+      args:
+        chdir: "{{ nextcloud_webroot }}"
+      when: nc_app_cfg is not none
+  when: nc_app_cfg is string
+- name: "Install Apps"
+  block:
+    - name: verify the app's yaml declaration
+      ansible.builtin.assert:
+        that:
+          - (nc_app_cfg.source is defined) and (nc_app_cfg.source is string)
+        msg: "{{ nc_app_name }} is not well declared."
+    - name: "[ App {{ nc_app_name }} ] - Download Archive in apps folder."
+      ansible.builtin.unarchive:
+        copy: false
+        src: "{{ nc_app_cfg.source }}"
+        dest: "{{ nextcloud_webroot }}/apps/"
+        owner: "{{ nextcloud_websrv_user }}"
+        group: "{{ nextcloud_websrv_group }}"
+        creates: "{{ nextcloud_webroot }}/apps/{{ nc_app_name }}"
+      when: nc_app_cfg.source is not none
+    - name: "[ App {{ nc_app_name }} ] - enable the application."
+      become_user: "{{ nextcloud_websrv_user }}"
+      become_flags: "{{ ansible_become_flags | default(omit) }}"
+      become: true
+      ansible.builtin.command: php occ app:enable "{{ nc_app_name }}"
+      args:
+        chdir: "{{ nextcloud_webroot }}"
+      when: nc_app_cfg.source is not none
+    - name: "[ App {{ nc_app_name }} ] - Configure the application "
+      become_user: "{{ nextcloud_websrv_user }}"
+      become_flags: "{{ ansible_become_flags | default(omit) }}"
+      become: true
+      ansible.builtin.command: php occ config:app:set {{ nc_app_name }} {{ item_cfg.key }} --value="{{ item_cfg.value }}"
+      args:
+        chdir: "{{ nextcloud_webroot }}"
+      with_dict: "{{ nc_app_cfg.conf | default({}) }}"
+      loop_control:
+        loop_var: item_cfg
+      when: nc_app_cfg.conf is defined
+  when: (nc_app_cfg is mapping)

@@ -0,0 +1,51 @@
+- name: "[INSTALL] -  Required and recommended packages are installed."
+  ansible.builtin.package:
+    name: "{{ item }}"
+    state: present
+  with_items:
+    - "{{ nextcloud_websrv }}"
+    - imagemagick
+    - smbclient
+    - "php{{ php_ver }}-gd"
+    - "php{{ php_ver }}-ldap"
+    - "php{{ php_ver }}-imap"
+    - "php{{ php_ver }}-curl"
+    - "php{{ php_ver }}-intl"
+  notify:
+    - start http
+- name: "[INSTALL] - php-json is installed (PHP < 8)"
+  ansible.builtin.package:
+    name: "php{{ php_ver }}-json"
+    state: present
+  when: php_ver is version("8", "<")
+- name: "[INSTALL] -  Apache Required package is installed."
+  ansible.builtin.package:
+    name: "libapache2-mod-php{{ php_ver }}"
+    state: present
+  when: nextcloud_websrv == "apache2"
+  notify:
+    - start http
+- name: "[INSTALL] -  NGINX Required package is installed."
+  ansible.builtin.package:
+    name: "php{{ php_ver }}-fpm"
+    state: present
+  when: nextcloud_websrv == "nginx"
+  notify:
+    - start http
+    - start php-fpm
+- name: "[INSTALL] -  PHP extra Packages are installed."
+  ansible.builtin.package:
+    name: "{{ item }}"
+    state: present
+  with_items:
+    - "{{ php_pkg_spe }}"
+- name: "[INSTALL] -  APCu is installed."
+  ansible.builtin.package:
+    name: "{{ php_pkg_apcu }}"
+    state: present

@@ -0,0 +1,52 @@
+# additional setup and fixes for OS dependent environment
+- name: "[ENV] controls nextcloud_trusted_domain type"
+    msg: "New versions require nextcloud_trusted_domain to be declared as a list."
+  when: nextcloud_trusted_domain is string
+- name: "[ENV] - ca-certificate are up to date"
+  # needed for downloading from as the site use letsencrypt certificates
+  # letsencrypt may not be trusted on older OS
+  ansible.builtin.apt:
+    name: "{{ item }}"
+    state: present
+    update_cache: true
+    cache_valid_time: 86400
+  loop:
+    - acl
+    - ca-certificates
+  when: ansible_os_family in [ "Debian" ]
+  # fix for debian not using sudo :
+  # finding out if sudo is installed or not
+- name: "[ENV] - Debian only : checking sudo."
+  ansible.builtin.command: "dpkg -l sudo"
+  changed_when: false
+  register: nc_sudo_installed_result
+  failed_when: false
+  when: ansible_distribution == "Debian"
+- name: "[ENV] - Checking su"
+  block:
+    - name: "[ENV] - rolling back to su."
+      ansible.builtin.set_fact:
+        ansible_become_method: "su"
+    - name: "[ENV] - force su to use /bin/sh as shell"
+      ansible.builtin.set_fact:
+        ansible_become_flags: '-s /bin/sh'
+  when:
+    - nc_sudo_installed_result.rc is defined
+    - nc_sudo_installed_result.rc != 0
+- name: "[ENV] - Generate database user password."
+  ansible.builtin.set_fact:
+    nextcloud_db_pwd: "{{ lookup( 'ansible.builtin.password', 'nextcloud_instances/'+ nextcloud_instance_name +'/db_admin.pwd' ) }}"
+  when: nextcloud_db_pwd is not defined
+- name: "[ENV] - Generate database root password."
+  ansible.builtin.set_fact:
+    nextcloud_mysql_root_pwd: "{{ lookup( 'ansible.builtin.password', 'nextcloud_instances/'+ nextcloud_instance_name +'/db_root.pwd' ) }}"
+  when:
+    - nextcloud_db_backend in ["mysql", "mariadb"]
+    - nextcloud_mysql_root_pwd is not defined

@@ -0,0 +1,23 @@
+- name: define certificate path
+  ansible.builtin.set_fact:
+    nextcloud_tls_cert_file: "{{ nextcloud_tls_cert }}"
+- name: define key path
+  ansible.builtin.set_fact:
+    nextcloud_tls_cert_key_file: "{{ nextcloud_tls_cert_key }}"
+- name: define certificate chain  path
+  ansible.builtin.set_fact:
+    nextcloud_tls_cert_chain_file: "{{ nextcloud_tls_cert_chain }}"
+  when: nextcloud_tls_cert_chain is defined
+# - name: "[INSTALLED TLS] - check TLS certificate permissions"
+#   ansible.builtin.file:
+#     path: "{{ nextcloud_tls_cert_file }}"
+#     mode: 0644
+#     group: "{{ nextcloud_websrv_group }}"
+# - name: "[INSTALLED TLS] - check TLS key permissions"
+#   ansible.builtin.file:
+#     path: "{{ nextcloud_tls_cert_key_file }}"
+#     mode: 0640
+#     group: "{{ nextcloud_websrv_group }}"

@@ -0,0 +1,39 @@
+- name: define private certificate path
+  ansible.builtin.set_fact:
+    nextcloud_tls_cert_file: "/etc/ssl/{{ nextcloud_instance_name }}.crt"
+- name: define private key path
+  ansible.builtin.set_fact:
+    nextcloud_tls_cert_key_file: "/etc/ssl/{{ nextcloud_instance_name }}.key"
+- name: "[selfsigned TLS] - create self-signed SSL cert"
+  ansible.builtin.command: >
+    openssl req -new -nodes -x509
+    -subj "/C=US/ST=Oregon/L=Portland/O=IT/CN=${hostname --fqdn}"
+    -days 365
+    -keyout {{ nextcloud_tls_cert_key_file }}
+    -out {{ nextcloud_tls_cert_file }}
+    -extensions v3_ca
+  args:
+    creates: "{{ nextcloud_tls_cert_key_file }}"
+- name: "[selfsigned TLS] - check TLS certificate permissions"
+  ansible.builtin.file:
+    path: "{{ nextcloud_tls_cert_file }}"
+    mode: 0644
+    group: "{{ nextcloud_websrv_group }}"
+- name: "[selfsigned TLS] - check TLS key permissions"
+  ansible.builtin.file:
+    path: "{{ nextcloud_tls_cert_key_file }}"
+    mode: 0640
+    group: "{{ nextcloud_websrv_group }}"
+#   cd /etc/haproxy
+#   mkdir nextcloud.test
+#   cd nextcloud.test/
+#   openssl genrsa -out nextcloud.test.key 2048
+#   openssl req -new -key nextcloud.test.key -out nextcloud.test.csr
+#   openssl x509 -req -days 365 -in nextcloud.test.csr -signkey nextcloud.test.key -out nextcloud.test.crt
+#   bash -c 'cat nextcloud.test.key nextcloud.test.crt >> nextcloud.test.pem'
+#   cd /etc/haproxy
+#   openssl dhparam -out /etc/haproxy/dhparams.pem 2048

@@ -0,0 +1,31 @@
+- name: define signed certificate path
+  ansible.builtin.set_fact:
+    nextcloud_tls_cert_file: "{{ nextcloud_tls_cert | default(\"/etc/ssl/\" + nextcloud_instance_name + \".crt\") }}"
+- name: define signed certificate's key path
+  ansible.builtin.set_fact:
+    nextcloud_tls_cert_key_file: "{{ nextcloud_tls_cert_key | default(\"/etc/ssl/\" + nextcloud_instance_name + \".key\") }}"
+- name: "[SIGNED TLS] - Certificate is on the host"
+  ansible.builtin.copy:
+    dest: "{{ nextcloud_tls_cert_file }}"
+    src: "{{ nextcloud_tls_src_cert }}"
+    mode: 0640
+- name: "[SIGNED TLS] - Key is on the host"
+  ansible.builtin.copy:
+    dest: "{{ nextcloud_tls_cert_key_file }}"
+    src: "{{ nextcloud_tls_src_cert_key }}"
+    mode: 0640
+- name: "[SIGNED TLS] - check TLS certificate permissions"
+  ansible.builtin.file:
+    path: "{{ nextcloud_tls_cert_file }}"
+    mode: 0644
+    group: "{{ nextcloud_websrv_group }}"
+- name: "[SIGNED TLS] - check TLS key permissions"
+  ansible.builtin.file:
+    path: "{{ nextcloud_tls_cert_key_file }}"
+    mode: 0640
+    group: "{{ nextcloud_websrv_group }}"

@@ -0,0 +1,103 @@
+# This file was generated by Ansible for {{ansible_fqdn}}
+# Do NOT modify this file by hand!
+{% if nextcloud_install_tls and nextcloud_tls_enforce %}
+{% for domain in nextcloud_trusted_domain %}
+<VirtualHost *:80>
+  ServerName {{ domain }}
+  Redirect permanent / https://{{ domain | ansible.utils.ipwrap }}/
+{% endfor %}
+{% else %}
+<VirtualHost *:80>
+  ServerName {{ nextcloud_trusted_domain[0] }}
+{% for index in range(1, nextcloud_trusted_domain|length) %}
+  ServerAlias {{ nextcloud_trusted_domain[index]}}
+{% endfor %}
+  DocumentRoot {{ nextcloud_webroot }}
+  {% if (nextcloud_max_upload_size_in_bytes|int) <= 2147483647-%}
+  LimitRequestBody {{ nextcloud_max_upload_size_in_bytes }}
+  {% endif -%}
+  <Directory {{ nextcloud_webroot }}>
+    Allow from all
+    Satisfy Any
+    Options +FollowSymlinks
+    AllowOverride All
+   <IfModule mod_dav.c>
+    Dav off
+   </IfModule>
+   SetEnv HOME {{ nextcloud_webroot }}
+   SetEnv HTTP_HOME {{ nextcloud_webroot }}
+  </Directory>
+{% endif %}
+{% if nextcloud_install_tls %}
+<VirtualHost *:443>
+  ServerName {{ nextcloud_trusted_domain[0] }}
+{% for index in range(1, nextcloud_trusted_domain|length) %}
+  ServerAlias {{ nextcloud_trusted_domain[index]}}
+{% endfor %}
+  DocumentRoot {{ nextcloud_webroot }}
+  {% if (nextcloud_max_upload_size_in_bytes|int) <= 2147483647-%}
+  LimitRequestBody {{ nextcloud_max_upload_size_in_bytes }}
+  {% endif -%}
+  SSLEngine on
+  SSLCertificateFile      {{ nextcloud_tls_cert_file }}
+  SSLCertificateKeyFile   {{ nextcloud_tls_cert_key_file }}
+{% if nextcloud_tls_cert_chain_file is defined %}
+  SSLCertificateChainFile {{ nextcloud_tls_cert_chain_file }}
+{% endif %}
+  # enable HTTP/2, if available
+  Protocols h2 http/1.1
+{% if nextcloud_hsts is string %}
+  <IfModule mod_headers.c>
+    Header always set Strict-Transport-Security "{{ nextcloud_hsts }}"
+  </IfModule>
+{% endif %}
+  <Directory {{ nextcloud_webroot }}>
+    Allow from all
+    Satisfy Any
+    Options +FollowSymlinks
+    AllowOverride All
+   <IfModule mod_dav.c>
+    Dav off
+   </IfModule>
+   SetEnv HOME {{ nextcloud_webroot }}
+   SetEnv HTTP_HOME {{ nextcloud_webroot }}
+  </Directory>
+{% endif %}
+{% if nextcloud_install_tls %}
+{% if nextcloud_mozilla_modern_ssl_profile %}
+# modern configuration, tweak to your needs
+SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
+{% else %}
+# intermediate configuration, tweak to your needs
+SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
+{% endif %}
+SSLHonorCipherOrder     off
+# SSLSessionTickets       off
+SSLCompression          off
+# OCSP stapling
+SSLUseStapling          on
+SSLStaplingResponderTimeout 5
+SSLStaplingReturnResponderErrors off
+SSLStaplingCache        shmcb:/var/run/ocsp(128000)
+{% endif %}

@@ -0,0 +1,4 @@
+apc.shm_size={{ APC_SHM_SIZE }}

+ 26 - 0

@@ -0,0 +1,26 @@
+Listen 8000
+<VirtualHost *:8000>
+    # Nextcloud dir
+    DocumentRoot {{ http_webroot }}/nextcloud/
+    <Directory {{ http_webroot }}>/nextcloud/>
+        Options Indexes FollowSymLinks
+        Require all granted
+        AllowOverride All
+        Options FollowSymLinks MultiViews
+        <IfModule mod_dav.c>
+            Dav off
+        </IfModule>
+    </Directory>
+    # Deny access to .ht files
+    <Files ".ht*">
+        Require all denied
+    </Files>
+    # Fix zero file sizes 
+    # See
+    SetEnv proxy-sendcl 1
+    # See
+    LimitRequestBody 0

@@ -0,0 +1,207 @@
+# This file was generated by Ansible for {{ansible_fqdn}}
+# Do NOT modify this file by hand!
+{% if nextcloud_install_tls and nextcloud_tls_enforce %}
+server {
+    listen 80;
+{% if nextcloud_ipv6 %}
+    listen [::]:80;
+{% endif %}
+    server_name {{ nextcloud_trusted_domain | ansible.utils.ipwrap | join(' ') }};
+    # Prevent nginx HTTP Server Detection
+    server_tokens off;
+    # Enforce HTTPS
+    return 301 https://$server_name$request_uri;
+{% endif %}
+server {
+    server_name {{ nextcloud_trusted_domain | ansible.utils.ipwrap | join(' ') }};
+{% if not nextcloud_install_tls or not nextcloud_tls_enforce %}
+    listen 80;
+{% if nextcloud_ipv6 %}
+    listen [::]:80;
+{% endif %}
+{% endif %}
+{% if nextcloud_install_tls %}
+    listen 443 ssl http2;
+{% if nextcloud_ipv6 %}
+    listen [::]:443 ssl http2;
+{% endif %}
+    ssl_certificate {{ nextcloud_tls_cert_file }};
+    ssl_certificate_key {{ nextcloud_tls_cert_key_file }};
+    # Prevent nginx HTTP Server Detection
+    server_tokens off;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:{{ nextcloud_tls_session_cache_size }};
+    # ssl_session_tickets off;
+    # OCSP stapling
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
+    ssl_dhparam {{ nextcloud_tls_dhparam }};
+    # Use Mozilla's guidelines for SSL/TLS settings
+    #
+{% if nextcloud_mozilla_modern_ssl_profile %}
+    # modern configuration. tweak to your needs.
+    ssl_protocols TLSv1.3;
+{% else %}
+    # intermediate configuration. tweak to your needs.
+    ssl_protocols TLSv1.2 TLSv1.3;
+{% endif %}
+    ssl_prefer_server_ciphers off;
+    # HSTS settings
+    # WARNING: Only add the preload option once you read about
+    # the consequences in This option
+    # will add the domain to a hardcoded list that is shipped
+    # in all major browsers and getting removed from this list
+    # could take several months.
+{% if nextcloud_hsts is string %}
+    add_header Strict-Transport-Security "{{ nextcloud_hsts }}";
+{% endif %}
+{% endif %}
+    # set max upload size and increase upload timeout:
+    client_max_body_size {{ nextcloud_max_upload_size }};
+    client_body_timeout 300s;
+    fastcgi_buffers 64 4K;
+    # Enable gzip but do not remove ETag headers
+    gzip on;
+    gzip_vary on;
+    gzip_comp_level 4;
+    gzip_min_length 256;
+    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/ application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+    # Pagespeed is not supported by Nextcloud, so if your server is built
+    # with the `ngx_pagespeed` module, uncomment this line to disable it.
+    # pagespeed off;
+    # HTTP response headers borrowed from Nextcloud `.htaccess`
+    add_header Referrer-Policy                      "no-referrer"   always;
+    add_header X-Content-Type-Options               "nosniff"       always;
+    add_header X-Download-Options                   "noopen"        always;
+    add_header X-Frame-Options                      "SAMEORIGIN"    always;
+    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
+    add_header X-Robots-Tag                         "none"          always;
+    add_header X-XSS-Protection                     "1; mode=block" always;
+    # Remove X-Powered-By, which is an information leak
+    fastcgi_hide_header X-Powered-By;
+    # Path to the root of your installation
+    root {{ nextcloud_webroot }};
+    # Specify how to handle directories -- specifying `/index.php$request_uri`
+    # here as the fallback means that Nginx always exhibits the desired behaviour
+    # when a client requests a path that corresponds to a directory that exists
+    # on the server. In particular, if that directory contains an index.php file,
+    # that file is correctly served; if it doesn't, then the request is passed to
+    # the front-end controller. This consistent behaviour means that we don't need
+    # to specify custom rules for certain paths (e.g. images and other assets,
+    # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
+    # `try_files $uri $uri/ /index.php$request_uri`
+    # always provides the desired behaviour.
+    index index.php index.html /index.php$request_uri;
+    # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+    location = / {
+        if ( $http_user_agent ~ ^DavClnt ) {
+            return 302 /remote.php/webdav/$is_args$args;
+        }
+    }
+    location = /robots.txt {
+        allow all;
+        log_not_found off;
+        access_log off;
+    }
+    # Make a regex exception for `/.well-known` so that clients can still
+    # access it despite the existence of the regex rule
+    # `location ~ /(\.|autotest|...)` which would otherwise handle requests
+    # for `/.well-known`.
+    location ^~ /.well-known {
+        # The rules in this block are an adaptation of the rules
+        # in `.htaccess` that concern `/.well-known`.
+        location = /.well-known/carddav { return 301 /remote.php/dav/; }
+        location = /.well-known/caldav  { return 301 /remote.php/dav/; }
+        location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
+        location /.well-known/pki-validation    { try_files $uri $uri/ =404; }
+        # Let Nextcloud's API for `/.well-known` URIs handle all other
+        # requests by passing them to the front-end controller.
+        return 301 /index.php$request_uri;
+    }
+    # Rules borrowed from `.htaccess` to hide certain paths from clients
+    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
+    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
+    # Ensure this block, which passes PHP files to the PHP process, is above the blocks
+    # which handle static assets (as seen below). If this block is not declared first,
+    # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+    # to the URI, resulting in a HTTP 500 error response.
+    location ~ \.php(?:$|/) {
+        # Required for legacy support
+        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
+        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+        set $path_info $fastcgi_path_info;
+        try_files $fastcgi_script_name =404;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO $path_info;
+        fastcgi_param HTTPS on;
+        fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
+        fastcgi_param front_controller_active true;     # Enable pretty urls
+        fastcgi_pass php-handler;
+        fastcgi_intercept_errors on;
+        fastcgi_request_buffering off;
+    }
+    location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite)$ {
+        try_files $uri /index.php$request_uri;
+        expires 6M;         # Cache-Control policy borrowed from `.htaccess`
+        access_log off;     # Optional: Don't log access to assets
+        location ~ \.wasm$ {
+            default_type application/wasm;
+        }
+    }
+    location ~ \.woff2?$ {
+        try_files $uri /index.php$request_uri;
+        expires 7d;         # Cache-Control policy borrowed from `.htaccess`
+        access_log off;     # Optional: Don't log access to assets
+    }
+    # Rule borrowed from `.htaccess`
+    location /remote {
+        return 301 /remote.php$request_uri;
+    }
+    location / {
+        try_files $uri $uri/ /index.php$request_uri;
+    }

@@ -0,0 +1,9 @@
+# This file was generated by Ansible for {{ansible_fqdn}}
+# Do NOT modify this file by hand!
+upstream php-handler {
+    # server;
+    server unix:{{ php_socket }};

+ 13 - 0

@@ -0,0 +1,13 @@
+opcache.memory_consumption={{ OPCACHE_MEM_SIZE }}

+ 11 - 0

@@ -0,0 +1,11 @@
+memory_limit = {{ PHP_MEMORY_LIMIT }}
+upload_max_filesize = {{ PHP_UPLOAD_LIMIT }}
+post_max_size = {{ PHP_POST_LIMIT }}
+max_file_uploads = {{ PHP_MAX_FILE }}
+max_execution_time = {{ PHP_MAX_TIME }}
+max_input_time = {{ PHP_MAX_TIME }}
+session.gc_maxlifetime = {{ PHP_MAX_TIME }}
+output_buffering = Off

@@ -0,0 +1,9 @@
+$CONFIG = array (
+  'memcache.distributed' => '\OC\Memcache\Redis',
+  'memcache.locking' => '\OC\Memcache\Redis',
+  'redis' => array (
+    'host' => '{{ redis_host }}',
+    'port' => 6379,
+  ),

+ 5 - 0

@@ -0,0 +1,5 @@
+{{ ansible_managed | comment }}
+password="{{ nextcloud_mysql_root_pwd }}"

@@ -0,0 +1,17 @@
+# vars file for nextcloud
+  latest: "{{ ['latest', nextcloud_version_major]|reject('undefined')|join('-') }}"
+  releases: "{{ ['nextcloud', nextcloud_version_full]|reject('undefined')|join('-') }}"
+  prereleases: "nextcloud-{{ [nextcloud_version_full, nextcloud_version_special]|reject('undefined')|join() }}"
+  daily: "nextcloud-{{ nextcloud_version_major|d('') }}-daily-{{ nextcloud_version_special|d('') }}"
+  debian: '/etc/mysql/debian.cnf'
+nextcloud_max_upload_size_in_bytes: "{{ nextcloud_max_upload_size | human_to_bytes }}"
+# load configurations references
+os_config_ref: "{{ lookup('ansible.builtin.template', [role_path,'defaults','os_config_ref.yml']|join('/')) | from_yaml }}"
+php_config_ref: "{{ lookup('ansible.builtin.template', [role_path,'defaults','php_config_ref.yml']|join('/')) | from_yaml }}"

@@ -0,0 +1,5 @@
+node_exporter_version: 1.3.1 
+node_exporter_url: "{{ node_exporter_version }}"
+node_exporter_tarball: "node_exporter-{{ node_exporter_version }}.linux-amd64"
+node_exporter_skip_install: false

@@ -0,0 +1,14 @@

@@ -0,0 +1,70 @@
+- name: Creating node_exporter user group
+  group: name="node_exporter"
+  become: true
+- name: Creating node_exporter user
+  user:
+    name: "node_exporter"
+    group: "node_exporter"
+    system: yes
+    shell: "/sbin/nologin"
+    comment: "node_exporter nologin User"
+    createhome: "no"
+    state: present
+- name: Node exporter... Download Prometheus archive
+  get_url:
+    url:  "{{ node_exporter_url }}/{{ node_exporter_tarball }}.tar.gz"
+    dest: /tmp/{{ node_exporter_tarball }}.tar.gz
+    checksum: "sha256:{{ node_exporter_url }}/sha256sums.txt"
+  register: _download_archive
+  until: _download_archive is succeeded
+  retries: 5
+  delay: 2
+  when: not node_exporter_skip_install
+- name: Node exporter... unpack prometheus binaries
+  unarchive:
+    src: "/tmp/{{ node_exporter_tarball }}.tar.gz"
+    dest: "/tmp"
+    creates: "/tmp/{{ node_exporter_tarball }}/node_exporter"
+    remote_src: true
+  when: not node_exporter_skip_install
+- name: Node exporter... Copy prometheus node exporter file to bin
+  copy:
+    src: "/tmp/{{ node_exporter_tarball }}/node_exporter"
+    dest: "/usr/local/bin/node_exporter"
+    owner: node_exporter
+    group: node_exporter
+    remote_src: yes
+    mode: 0755
+  when: not node_exporter_skip_install
+- name: Delete node exporter tmp folder
+  file:
+    path: "/tmp/{{ node_exporter_tarball }}.tar.gz"
+    state: absent
+  when: not node_exporter_skip_install
+- name: Node exporter... Copy systemd init file
+  copy:
+    dest: /etc/systemd/system/node_exporter.service
+    src: files/node_exporter.service
+    owner: root
+    group: root
+    mode: 0640
+- name: Start node_exporter service
+  service:
+    name: node_exporter
+    state: started
+    enabled: yes
+- name: Check if node exporter emits metrices
+  uri:
+    url:
+    method: GET
+    status_code: 200

@@ -0,0 +1,228 @@
+alertmanager_version: "0.24.0"
+alertmanager_tarball: "alertmanager-{{ alertmanager_version }}.linux-amd64"
+alertmanager_url: "{{ alertmanager_version }}"
+alertmanager_skip_install: false
+prometheus_version: 2.37.1
+prometheus_tarball: "prometheus-{{ prometheus_version }}.linux-amd64"
+prometheus_url: "{{ prometheus_version }}"
+prometheus_skip_install: false
+prometheus_binary_local_dir: ''
+prometheus_binary_install_dir: '/usr/local/bin'
+prometheus_config_dir: /etc/prometheus
+prometheus_db_dir: /var/lib/prometheus
+prometheus_read_only_dirs: []
+prometheus_web_listen_address: ""
+prometheus_web_external_url: ''
+# See
+  tls_server_config: {}
+  http_server_config: {}
+  basic_auth_users: {}
+prometheus_storage_retention: "30d"
+# Available since Prometheus 2.7.0
+# [EXPERIMENTAL] Maximum number of bytes that can be stored for blocks. Units
+# supported: KB, MB, GB, TB, PB.
+prometheus_storage_retention_size: "0"
+prometheus_config_flags_extra: {}
+# prometheus_config_flags_extra:
+#   storage.tsdb.retention: 15d
+#   alertmanager.timeout: 10s
+prometheus_alertmanager_config: []
+# prometheus_alertmanager_config:
+#   - scheme: https
+#     path_prefix: alertmanager/
+#     basic_auth:
+#       username: user
+#       password: pass
+#     static_configs:
+#       - targets: [""]
+#     proxy_url: ""
+prometheus_alert_relabel_configs: []
+# prometheus_alert_relabel_configs:
+#   - action: labeldrop
+#     regex: replica
+  scrape_interval: 15s
+  scrape_timeout: 10s
+  evaluation_interval: 15s
+prometheus_remote_write: []
+# prometheus_remote_write:
+#   - url:
+#     basic_auth:
+#       password: FOO
+prometheus_remote_read: []
+# prometheus_remote_read:
+#   - url:
+#     basic_auth:
+#       password: FOO
+  environment: "{{ ansible_fqdn | default(ansible_host) | default(inventory_hostname) }}"
+prometheus_targets: {}
+#  node:
+#    - targets:
+#        - localhost:9100
+#      labels:
+#        env: test
+  - job_name: "prometheus"
+    metrics_path: "{{ prometheus_metrics_path }}"
+    static_configs:
+      - targets:
+          - "{{ ansible_fqdn | default(ansible_host) | default('localhost') }}:9090"
+  - job_name: "node"
+    file_sd_configs:
+      - files:
+          - "{{ prometheus_config_dir }}/file_sd/node.yml"
+# Alternative config file name, searched in ansible templates path.
+prometheus_config_file: 'prometheus.yml.j2'
+  - prometheus/rules/*.rules
+  - prometheus/targets/*.yml
+  - prometheus/targets/*.json
+  - alert: Watchdog
+    expr: vector(1)
+    for: 10m
+    labels:
+      severity: warning
+    annotations:
+      description: "This is an alert meant to ensure that the entire alerting pipeline is functional.\nThis alert is always firing, therefore it should always be firing in Alertmanager\nand always fire against a receiver. There are integrations with various notification\nmechanisms that send a notification when this alert is not firing. For example the\n\"DeadMansSnitch\" integration in PagerDuty."
+      summary: 'Ensure entire alerting pipeline is functional'
+  - alert: InstanceDown
+    expr: 'up == 0'
+    for: 5m
+    labels:
+      severity: critical
+    annotations:
+      description: '{% raw %}{{ $labels.instance }} of job {{ $labels.job }} has been down for more than 5 minutes.{% endraw %}'
+      summary: '{% raw %}Instance {{ $labels.instance }} down{% endraw %}'
+  - alert: RebootRequired
+    expr: 'node_reboot_required > 0'
+    labels:
+      severity: warning
+    annotations:
+      description: '{% raw %}{{ $labels.instance }} requires a reboot.{% endraw %}'
+      summary: '{% raw %}Instance {{ $labels.instance }} - reboot required{% endraw %}'
+  - alert: NodeFilesystemSpaceFillingUp
+    annotations:
+      description: '{% raw %}Filesystem on {{ $labels.device }} at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available space left and is filling up.{% endraw %}'
+      summary: 'Filesystem is predicted to run out of space within the next 24 hours.'
+    expr: "(\n  node_filesystem_avail_bytes{job=\"node\",fstype!=\"\"} / node_filesystem_size_bytes{job=\"node\",fstype!=\"\"} * 100 < 40\nand\n  predict_linear(node_filesystem_avail_bytes{job=\"node\",fstype!=\"\"}[6h], 24*60*60) < 0\nand\n  node_filesystem_readonly{job=\"node\",fstype!=\"\"} == 0\n)\n"
+    for: 1h
+    labels:
+      severity: warning
+  - alert: NodeFilesystemSpaceFillingUp
+    annotations:
+      description: '{% raw %}Filesystem on {{ $labels.device }} at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available space left and is filling up fast.{% endraw %}'
+      summary: 'Filesystem is predicted to run out of space within the next 4 hours.'
+    expr: "(\n  node_filesystem_avail_bytes{job=\"node\",fstype!=\"\"} / node_filesystem_size_bytes{job=\"node\",fstype!=\"\"} * 100 < 20\nand\n  predict_linear(node_filesystem_avail_bytes{job=\"node\",fstype!=\"\"}[6h], 4*60*60) < 0\nand\n  node_filesystem_readonly{job=\"node\",fstype!=\"\"} == 0\n)\n"
+    for: 1h
+    labels:
+      severity: critical
+  - alert: NodeFilesystemAlmostOutOfSpace
+    annotations:
+      description: '{% raw %}Filesystem on {{ $labels.device }} at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available space left.{% endraw %}'
+      summary: 'Filesystem has less than 5% space left.'
+    expr: "(\n  node_filesystem_avail_bytes{job=\"node\",fstype!=\"\"} / node_filesystem_size_bytes{job=\"node\",fstype!=\"\"} * 100 < 5\nand\n  node_filesystem_readonly{job=\"node\",fstype!=\"\"} == 0\n)\n"
+    for: 1h
+    labels:
+      severity: warning
+  - alert: NodeFilesystemAlmostOutOfSpace
+    annotations:
+      description: '{% raw %}Filesystem on {{ $labels.device }} at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available space left.{% endraw %}'
+      summary: 'Filesystem has less than 3% space left.'
+    expr: "(\n  node_filesystem_avail_bytes{job=\"node\",fstype!=\"\"} / node_filesystem_size_bytes{job=\"node\",fstype!=\"\"} * 100 < 3\nand\n  node_filesystem_readonly{job=\"node\",fstype!=\"\"} == 0\n)\n"
+    for: 1h
+    labels:
+      severity: critical
+  - alert: NodeFilesystemFilesFillingUp
+    annotations:
+      description: '{% raw %}Filesystem on {{ $labels.device }} at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available inodes left and is filling up.{% endraw %}'
+      summary: 'Filesystem is predicted to run out of inodes within the next 24 hours.'
+    expr: "(\n  node_filesystem_files_free{job=\"node\",fstype!=\"\"} / node_filesystem_files{job=\"node\",fstype!=\"\"} * 100 < 40\nand\n  predict_linear(node_filesystem_files_free{job=\"node\",fstype!=\"\"}[6h], 24*60*60) < 0\nand\n  node_filesystem_readonly{job=\"node\",fstype!=\"\"} == 0\n)\n"
+    for: 1h
+    labels:
+      severity: warning
+  - alert: NodeFilesystemFilesFillingUp
+    annotations:
+      description: '{% raw %}Filesystem on {{ $labels.device }} at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available inodes left and is filling up fast.{% endraw %}'
+      summary: 'Filesystem is predicted to run out of inodes within the next 4 hours.'
+    expr: "(\n  node_filesystem_files_free{job=\"node\",fstype!=\"\"} / node_filesystem_files{job=\"node\",fstype!=\"\"} * 100 < 20\nand\n  predict_linear(node_filesystem_files_free{job=\"node\",fstype!=\"\"}[6h], 4*60*60) < 0\nand\n  node_filesystem_readonly{job=\"node\",fstype!=\"\"} == 0\n)\n"
+    for: 1h
+    labels:
+      severity: critical
+  - alert: NodeFilesystemAlmostOutOfFiles
+    annotations:
+      description: '{% raw %}Filesystem on {{ $labels.device }} at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available inodes left.{% endraw %}'
+      summary: 'Filesystem has less than 5% inodes left.'
+    expr: "(\n  node_filesystem_files_free{job=\"node\",fstype!=\"\"} / node_filesystem_files{job=\"node\",fstype!=\"\"} * 100 < 5\nand\n  node_filesystem_readonly{job=\"node\",fstype!=\"\"} == 0\n)\n"
+    for: 1h
+    labels:
+      severity: warning
+  - alert: NodeFilesystemAlmostOutOfFiles
+    annotations:
+      description: '{% raw %}Filesystem on {{ $labels.device }} at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available inodes left.{% endraw %}'
+      summary: 'Filesystem has less than 3% inodes left.'
+    expr: "(\n  node_filesystem_files_free{job=\"node\",fstype!=\"\"} / node_filesystem_files{job=\"node\",fstype!=\"\"} * 100 < 3\nand\n  node_filesystem_readonly{job=\"node\",fstype!=\"\"} == 0\n)\n"
+    for: 1h
+    labels:
+      severity: critical
+  - alert: NodeNetworkReceiveErrs
+    annotations:
+      description: '{% raw %}{{ $labels.instance }} interface {{ $labels.device }} has encountered {{ printf "%.0f" $value }} receive errors in the last two minutes.{% endraw %}'
+      summary: 'Network interface is reporting many receive errors.'
+    expr: "increase(node_network_receive_errs_total[2m]) > 10\n"
+    for: 1h
+    labels:
+      severity: warning
+  - alert: NodeNetworkTransmitErrs
+    annotations:
+      description: '{% raw %}{{ $labels.instance }} interface {{ $labels.device }} has encountered {{ printf "%.0f" $value }} transmit errors in the last two minutes.{% endraw %}'
+      summary: 'Network interface is reporting many transmit errors.'
+    expr: "increase(node_network_transmit_errs_total[2m]) > 10\n"
+    for: 1h
+    labels:
+      severity: warning
+  - alert: NodeHighNumberConntrackEntriesUsed
+    annotations:
+      description: '{% raw %}{{ $value | humanizePercentage }} of conntrack entries are used{% endraw %}'
+      summary: 'Number of conntrack are getting close to the limit'
+    expr: "(node_nf_conntrack_entries / node_nf_conntrack_entries_limit) > 0.75\n"
+    labels:
+      severity: warning
+  - alert: NodeClockSkewDetected
+    annotations:
+      message: '{% raw %}Clock on {{ $labels.instance }} is out of sync by more than 300s. Ensure NTP is configured correctly on this host.{% endraw %}'
+      summary: 'Clock skew detected.'
+    expr: "(\n  node_timex_offset_seconds > 0.05\nand\n  deriv(node_timex_offset_seconds[5m]) >= 0\n)\nor\n(\n  node_timex_offset_seconds < -0.05\nand\n  deriv(node_timex_offset_seconds[5m]) <= 0\n)\n"
+    for: 10m
+    labels:
+      severity: warning
+  - alert: NodeClockNotSynchronising
+    annotations:
+      message: '{% raw %}Clock on {{ $labels.instance }} is not synchronising. Ensure NTP is configured on this host.{% endraw %}'
+      summary: 'Clock not synchronising.'
+    expr: "min_over_time(node_timex_sync_status[5m]) == 0\n"
+    for: 10m
+    labels:
+      severity: warning

@@ -0,0 +1,16 @@
+ExecStart=/usr/local/bin/alertmanager --config.file=/etc/alertmanager/alertmanager.yml --storage.path=/data/alertmanager

+ 18 - 0

@@ -0,0 +1,18 @@
+  slack_api_url: ""
+  group_by: ['instance', 'severity']
+  group_wait: 30s
+  group_interval: 5m
+  repeat_interval: 3h
+  routes:
+  - match:
+      alertname: InstanceDown
+  receiver: 'alert-team'
+- name: 'alert-team'
+  slack_configs:
+  - channel: "#webhook-test"
+    text: "summary: {{ .CommonAnnotations.summary }}\ndescription: {{ .CommonAnnotations.description }}"

+ 17 - 0

@@ -0,0 +1,17 @@
+- name: restart prometheus
+  become: true
+  systemd:
+    daemon_reload: true
+    name: prometheus
+    state: restarted
+- name: reload prometheus
+  become: true
+  systemd:
+    name: prometheus
+    state: reloaded
+- name: reload alertmanager
+  command: systemctl daemon-reload
+  listen: systemd_reload

+ 88 - 0

@@ -0,0 +1,88 @@
+- name: Creating alertmanager user group
+  group: name="alertmanager"
+  become: true
+- name: Creating alertmanager user
+  user:
+    name: "alertmanager"
+    group: "alertmanager"
+    system: yes
+    shell: "/sbin/nologin"
+    comment: "alertmanager nologin User"
+    createhome: "no"
+    state: present
+- name: AlertManager... Download alertmanager archive
+  get_url:
+    url:  "{{ alertmanager_url }}/{{ alertmanager_tarball }}.tar.gz"
+    dest: /tmp/{{ alertmanager_tarball }}.tar.gz
+    checksum: "sha256:{{ alertmanager_url }}/sha256sums.txt"
+  register: _download_archive
+  until: _download_archive is succeeded
+  retries: 5
+  delay: 2
+  when: not alertmanager_skip_install
+- name: AlertManager... unpack alertmanager binaries
+  unarchive:
+    src: "/tmp/{{ alertmanager_tarball }}.tar.gz"
+    dest: "/tmp"
+    creates: "/tmp/{{ alertmanager_tarball }}/alertmanager"
+    remote_src: true
+  when: not alertmanager_skip_install
+- name: Copy alertmanager executable to bin
+  copy:
+    src: "/tmp/{{ alertmanager_tarball }}/alertmanager"
+    dest: "/usr/local/bin/alertmanager"
+    owner: alertmanager
+    group: alertmanager
+    remote_src: yes
+    mode: 0755
+- name: Delete alertmanager tmp folder
+  file:
+    path: '/tmp/{{ alertmanager_tarball }}'
+    state: absent
+- name: Creates data directory
+  file: 
+    path: "/data/alertmanager/"
+    state: directory
+    owner: alertmanager
+    group: alertmanager
+    mode: 0755
+- name: Creates config directory
+  file: 
+    path: "/etc/alertmanager/"
+    state: directory
+    owner: alertmanager
+    group: alertmanager
+    mode: 0755
+- name: Copy config file
+  copy:
+    src: "{{ role_path }}/files/alertmanager.yml"
+    dest: /etc/alertmanager/alertmanager.yml
+- name: AlertManager... Copy systemd init file
+  copy:
+    dest: /etc/systemd/system/alertmanager.service
+    src: files/alertmanager.service
+    owner: root
+    group: root
+    mode: 0640
+  notify: systemd_reload
+- name: Start alertmanager service
+  service:
+    name: alertmanager
+    state: started
+    enabled: yes
+- name: Check if alertmanager is accessible
+  uri:
+    url: http://localhost:9093
+    method: GET
+    status_code: 200

+ 69 - 0

@@ -0,0 +1,69 @@
+- name: alerting rules file
+  template:
+    src: "alert.rules.j2"
+    dest: "{{ prometheus_config_dir }}/rules/ansible_managed.rules"
+    owner: root
+    group: prometheus
+    mode: 0640
+    validate: "{{ prometheus_binary_install_dir }}/promtool check rules %s"
+  when:
+    - prometheus_alert_rules != []
+  notify:
+    - reload prometheus
+- name: copy custom alerting rule files
+  copy:
+    src: "{{ item }}"
+    dest: "{{ prometheus_config_dir }}/rules/"
+    owner: root
+    group: prometheus
+    mode: 0640
+    validate: "{{ prometheus_binary_install_dir }}/promtool check rules %s"
+  with_fileglob: "{{ prometheus_alert_rules_files }}"
+  notify:
+    - reload prometheus
+- name: configure prometheus
+  template:
+    src: "{{ prometheus_config_file }}"
+    dest: "{{ prometheus_config_dir }}/prometheus.yml"
+    force: true
+    owner: root
+    group: prometheus
+    mode: 0640
+    validate: "{{ prometheus_binary_install_dir }}/promtool check config %s"
+  notify:
+    - reload prometheus
+- name: configure Prometheus web
+  copy:
+    content: "{{ prometheus_web_config | to_nice_yaml(indent=2,sort_keys=False) }}"
+    dest: "{{ prometheus_config_dir }}/web.yml"
+    force: true
+    owner: root
+    group: prometheus
+    mode: 0640
+- name: configure prometheus static targets
+  copy:
+    content: |
+      #jinja2: lstrip_blocks: True
+      {{ item.value | to_nice_yaml(indent=2,sort_keys=False) }}
+    dest: "{{ prometheus_config_dir }}/file_sd/{{ item.key }}.yml"
+    force: true
+    owner: root
+    group: prometheus
+    mode: 0640
+  with_dict: "{{ prometheus_targets }}"
+  when: prometheus_targets != {}
+- name: copy prometheus custom static targets
+  copy:
+    src: "{{ item }}"
+    dest: "{{ prometheus_config_dir }}/file_sd/"
+    force: true
+    owner: root
+    group: prometheus
+    mode: 0640
+  with_fileglob: "{{ prometheus_static_targets_files }}"

+ 88 - 0

@@ -0,0 +1,88 @@
+- name: Get systemd version
+  command: systemctl --version
+  changed_when: false
+  check_mode: false
+  register: __systemd_version
+  tags:
+    - skip_ansible_lint
+- name: Set systemd version fact
+  set_fact:
+    prometheus_systemd_version: "{{ __systemd_version.stdout_lines[0].split(' ')[-1] }}"
+- name: Assert no duplicate config flags
+  assert:
+    that:
+      - prometheus_config_flags_extra['config.file'] is not defined
+      - prometheus_config_flags_extra['storage.tsdb.path'] is not defined
+      - prometheus_config_flags_extra['storage.local.path'] is not defined
+      - prometheus_config_flags_extra['web.listen-address'] is not defined
+      - prometheus_config_flags_extra['web.external-url'] is not defined
+    msg: "Detected duplicate configuration entry. Please check your ansible variables and role"
+- name: Assert external_labels aren't configured twice
+  assert:
+    that: prometheus_global.external_labels is not defined
+    msg: "Use prometheus_external_labels to define external labels"
+- name: Set prometheus external metrics path
+  set_fact:
+    prometheus_metrics_path: "/{{ ( prometheus_web_external_url + '/metrics' ) | regex_replace('^(.*://)?(.*?)/') }}"
+- name: Fail when prometheus_config_flags_extra duplicates parameters set by other variables
+  fail:
+    msg: >
+      Whooops. You are duplicating configuration. Please look at your prometheus_config_flags_extra
+      and check against other variables in defaults/main.yml
+  with_items:
+    - 'storage.tsdb.retention'
+    - 'storage.tsdb.path'
+    - 'storage.local.retention'
+    - 'storage.local.path'
+    - 'config.file'
+    - 'web.listen-address'
+    - 'web.external-url'
+  when: item in prometheus_config_flags_extra.keys()
+- name: Get all file_sd files from scrape_configs
+  set_fact:
+    file_sd_files: "{{ prometheus_scrape_configs | json_query('[*][].file_sd_configs[*][].files[]') }}"
+- name: Fail when file_sd targets are not defined in scrape_configs
+  fail:
+    msg: >
+      Oh, snap! `{{ item.key }}` couldn't be found in your scrape configs. Please ensure you provided
+      all targets from prometheus_targets in prometheus_scrape_configs
+  when: not prometheus_config_dir + "/file_sd/" + item.key + ".yml" in file_sd_files
+  #  when: not item | basename | splitext | difference(['.yml']) | join('') in prometheus_targets.keys()
+  with_dict: "{{ prometheus_targets }}"
+- name: Alert when prometheus_alertmanager_config is empty, but prometheus_alert_rules is specified
+  debug:
+    msg: >
+      No alertmanager configuration was specified. If you want your alerts to be sent make sure to
+      specify a prometheus_alertmanager_config in defaults/main.yml.
+  when:
+    - prometheus_alertmanager_config == []
+    - prometheus_alert_rules != []
+- name: Download... Download Prometheus archive
+  get_url:
+    url:  "{{ prometheus_url }}/{{ prometheus_tarball }}.tar.gz"
+    dest: /tmp/{{ prometheus_tarball }}.tar.gz
+    checksum: "sha256:{{ prometheus_url }}/sha256sums.txt"
+  register: _download_archive
+  until: _download_archive is succeeded
+  retries: 5
+  delay: 2
+  when: not prometheus_skip_install
+- name: unpack prometheus binaries
+  unarchive:
+    src: "/tmp/{{ prometheus_tarball }}.tar.gz"
+    dest: "/tmp"
+    creates: "/tmp/{{ prometheus_tarball }}/prometheus"
+    remote_src: true
+  when: not prometheus_skip_install

+ 97 - 0

+- name: create prometheus system group
+  group:
+    name: prometheus
+    system: true
+    state: present
+- name: create prometheus system user
+  user:
+    name: prometheus
+    system: true
+    shell: "/usr/sbin/nologin"
+    group: prometheus
+    createhome: false
+    home: "{{ prometheus_db_dir }}"
+- name: create prometheus data directory
+  file:
+    path: "{{ prometheus_db_dir }}"
+    state: directory
+    owner: prometheus
+    group: prometheus
+    mode: 0755
+- name: create prometheus configuration directories
+  file:
+    path: "{{ item }}"
+    state: directory
+    owner: root
+    group: prometheus
+    mode: 0770
+  with_items:
+    - "{{ prometheus_config_dir }}"
+    - "{{ prometheus_config_dir }}/rules"
+    - "{{ prometheus_config_dir }}/file_sd"
+- name: propagate official prometheus and promtool binaries
+  copy:
+    src: "/tmp/{{ prometheus_tarball }}/{{ item }}"
+    dest: "{{ prometheus_binary_install_dir }}/{{ item }}"
+    mode: 0755
+    owner: root
+    group: root
+    remote_src: true
+  with_items:
+    - prometheus
+    - promtool
+  notify:
+    - restart prometheus
+- name: propagate official console templates
+  copy:
+    src: "/tmp/{{ prometheus_tarball }}/{{ item }}/"
+    dest: "{{ prometheus_config_dir }}/{{ item }}"
+    mode: 0644
+    owner: root
+    group: root
+    remote_src: true
+  with_items:
+    - console_libraries
+    - consoles
+  notify:
+    - restart prometheus
+      #- name: propagate locally distributed prometheus and promtool binaries
+      #  copy:
+      #    src: "{{ prometheus_binary_local_dir }}/{{ item }}"
+      #    dest: "{{ prometheus_binary_install_dir }}/{{ item }}"
+      #    mode: 0755
+      #    owner: root
+      #    group: root
+      #    remote_src: true
+      #  with_items:
+      #    - prometheus
+      #    - promtool
+      #  notify:
+      #    - restart prometheus
+- name: create systemd service unit
+  template:
+    src: prometheus.service.j2
+    dest: /etc/systemd/system/prometheus.service
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - restart prometheus
+- name: Allow prometheus to bind to port in SELinux
+  seport:
+    ports: "{{ prometheus_web_listen_address.split(':')[1] }}"
+    proto: tcp
+    setype: http_port_t
+    state: present
+  when:
+    - (ansible_os_family == "RedHat")
+    - (ansible_selinux.status == "enabled")

@@ -0,0 +1,17 @@
+- include: download.yml
+- include: install.yml
+  when: not prometheus_skip_install
+- include: configure.yml
+- name: ensure prometheus service is started and enabled
+  become: true
+  systemd:
+    daemon_reload: true
+    name: prometheus
+    state: started
+    enabled: true
+- include: alertmanager.yml

@@ -0,0 +1,6 @@
+{{ ansible_managed | comment }}
+- name: ansible managed alert rules
+  rules:
+  {{ prometheus_alert_rules | to_nice_yaml(indent=2,sort_keys=False) | indent(2,False) }}

@@ -0,0 +1,85 @@
+{{ ansible_managed | comment }}
+Environment="GOMAXPROCS={{ ansible_processor_vcpus|default(ansible_processor_count) }}"
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart={{ prometheus_binary_install_dir }}/prometheus \
+  --storage.tsdb.path={{ prometheus_db_dir }} \
+{% if prometheus_version is version('2.7.0', '>=') %}
+  --storage.tsdb.retention.time={{ prometheus_storage_retention }} \
+  --storage.tsdb.retention.size={{ prometheus_storage_retention_size }} \
+{% else %}
+  --storage.tsdb.retention={{ prometheus_storage_retention }} \
+{% endif %}
+{% if prometheus_version is version('2.24.0', '>=') %}
+  --web.config.file={{ prometheus_config_dir }}/web.yml \
+{% endif %}
+  --web.console.libraries={{ prometheus_config_dir }}/console_libraries \
+  --web.console.templates={{ prometheus_config_dir }}/consoles \
+  --web.listen-address={{ prometheus_web_listen_address }} \
+  --web.external-url={{ prometheus_web_external_url }} \
+{% for flag, flag_value in prometheus_config_flags_extra.items() %}
+{% if not flag_value %}
+  --{{ flag }} \
+{% elif flag_value is string %}
+  --{{ flag }}={{ flag_value }} \
+{% elif flag_value is sequence %}
+{% for flag_value_item in flag_value %}
+  --{{ flag }}={{ flag_value_item }} \
+{% endfor %}
+{% endif %}
+{% endfor %}
+  --config.file={{ prometheus_config_dir }}/prometheus.yml
+#SystemCallFilter=@signal @timer
+{% if prometheus_systemd_version | int >= 231 %}
+ReadWritePaths={{ prometheus_db_dir }}
+{% for path in prometheus_read_only_dirs %}
+ReadOnlyPaths={{ path }}
+{% endfor %}
+{% else %}
+ReadWriteDirectories={{ prometheus_db_dir }}
+{% for path in prometheus_read_only_dirs %}
+ReadOnlyDirectories={{ path }}
+{% endfor %}
+{% endif %}
+{% if prometheus_systemd_version | int >= 232 %}
+{% else %}
+{% endif %}
+{% if http_proxy is defined %}
+Environment="HTTP_PROXY={{ http_proxy }}"{% if https_proxy is defined %} "HTTPS_PROXY={{ https_proxy }}{% endif %}"
+{% endif %}

@@ -0,0 +1,34 @@
+#jinja2: trim_blocks: True, lstrip_blocks: True
+{{ ansible_managed | comment }}
+  {{ prometheus_global | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+  external_labels:
+    {{ prometheus_external_labels | to_nice_yaml(indent=2,sort_keys=False) | indent(4, False) }}
+{% if prometheus_remote_write != [] %}
+  {{ prometheus_remote_write | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if prometheus_remote_read != [] %}
+  {{ prometheus_remote_read | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+  - {{ prometheus_config_dir }}/rules/*.rules
+{% if prometheus_alertmanager_config | length > 0 %}
+  alertmanagers:
+  {{ prometheus_alertmanager_config | to_nice_yaml(indent=2,sort_keys=False) | indent(2,False) }}
+  {% if prometheus_alert_relabel_configs | length > 0 %}
+  alert_relabel_configs:
+  {{ prometheus_alert_relabel_configs | to_nice_yaml(indent=2,sort_keys=False) | indent(2,False) }}
+  {% endif %}
+{% endif %}
+  {{ prometheus_scrape_configs | to_nice_yaml(indent=2,sort_keys=False) | indent(2,False) }}

@@ -0,0 +1,50 @@
+redis_port: 6379
+redis_bind_interface: "" # overload from role
+redis_unixsocket: ''
+redis_timeout: 300
+redis_loglevel: "notice"
+redis_logfile: /var/log/redis/redis-server.log
+redis_databases: 16
+# Set to an empty set to disable persistence (saving the DB to disk).
+  - 900 1
+  - 300 10
+  - 60 10000
+redis_rdbcompression: "yes"
+redis_dbfilename: dump.rdb
+redis_dbdir: /var/lib/redis
+redis_maxmemory: 0
+redis_maxmemory_policy: "noeviction"
+redis_maxmemory_samples: 5
+redis_appendonly: "no"
+redis_appendfsync: "everysec"
+# Add extra include files for local configuration/overrides.
+redis_includes: []
+# Require authentication to Redis with a password.
+redis_requirepass: ""
+# Disable certain Redis commands for security reasons.
+redis_disabled_commands: []
+#  - KEYS
+#  - DEL
+#  - CONFIG
+#  - BGSAVE
+#  - SAVE
+#  - SPOP
+#  - SREM
+#  - RENAME
+#  - DEBUG

@@ -0,0 +1,11 @@
+- name: start redis
+  ansible.builtin.service:
+    name: "{{ redis_daemon }}"
+    state: started
+- name: restart redis
+  ansible.builtin.service:
+    name: "{{ redis_daemon }}"
+    state: restarted

Niektoré súbory nie sú zobrazené, pretože je v týchto rozdielových dátach zmenené mnoho súborov