To avoid maintaining too many similarly-looking playbooks, I've decided to merge this playbook into the newly-created MASH playbook. For more details about this, see the Why create such a mega playbook? section of the new playbook's README file.
This nextcloud-docker-ansible-deploy playbook will not receive additional updates.
Steps to migrate from nextcloud-docker-ansible-deploy to hosting Nextcloud using the MASH playbook:
-
Get started with the MASH playbook. Do an initial installation which contains Postgres, Traefik, etc. Enabling the Nextcloud service is done below in step 2.
-
Configure the Nextcloud service with the MASH playbook. You can reuse your
vars.ymlfile with these changes:
- renaming
nextcloud_nextcloud_tonextcloud_in all variable names - renaming
nextcloud_apache_tonextcloud_in all variable names - renaming
nextcloud_docker_container_tonextcloud_container_in all variable names - renaming
nextcloud_server_fqn_nextcloudtonextcloud_hostnamein all variable names - renaming
nextcloud_collabora_onlinetocollabora_onlinein all variable names - renaming
collabora_online_domaintocollabora_online_hostname - the addition of
nextcloud_enabled: true - the removal of various
nextcloud_playbook_variables. You may need to replace them withmosh_playbook_variables - the removal of
nextcloud_generic_secret_key. This has been superseded bymash_playbook_generic_secret_key - the removal of any other variables you had in your old
vars.ymlfile (devture_postgres_connection_password, etc.). Your newvars.ymlfile likely already defines some of these variables, so there's no need to define them twice.
-
If you were using the Collabora Online service (agent or server), configure it as well.
-
Do an initial installation by running the following command in the MASH playbook's directory:
just run-tags install-all. NOTE: there's a difference betweenjust run-tags install-allandjust install-all; we use the former here, because we don't want to start the Nextcloud service just yet -
Get the new
nextclouddatabase credentials by running the following command in the MASH playbook's directoryjust run-tags print-nextcloud-db-credentials -
SSH into the server and do the following:
-
Stop and disable all old Nextcloud services by running:
cd /etc/systemd/system && systemctl disable --now nextcloud*(note the*at the end) -
Stop and disable devture Traefik services by running:
cd /etc/systemd/system && systemctl disable --now devture-traefik.service -
Start the database back up:
systemctl start nextcloud-postgres -
Create a database dump by running:
/nextcloud/postgres/bin/dump-all /nextcloud. This will create the/nextcloud/latest-dump.sql.gzfile -
Stop the database:
systemctl stop nextcloud-postgres -
Sync the Nextcloud data by running:
rsync -avr /nextcloud/nextcloud/. /mash/nextcloud/. -
Fix permissions for the Nextcloud data:
chown -R mash:mash /mash/nextcloud -
Adjust the database credentials in the
/mash/nextcloud/data/config/config.phpfile using the information you got from the step above (step 5)dbhostshould be set tomash-postgres:5432dbpasswordshould be set to the password you got from step 5
-
-
Import the Nextcloud database dump into the Postgres instance by running the following command in the MASH playbook's directory:
just run-tags import-postgres --extra-vars=server_path_postgres_dump=/nextcloud/latest-dump.sql.gz --extra-vars=postgres_default_import_database=nextcloud -
Re-run the MASH playbook and start all services by running the following command in the MASH playbook's directory:
-
just run-tags install-all,start -
just run-tags adjust-nextcloud-config -
(optional) if you're using Collabora Online:
- add
nextcloud_collabora_app_wopi_url: "{{ collabora_online_url }}"to your configuration - run
just run-tags install-nextcloud-app-collabora
- add
-
-
Verify that your new Nextcloud installation works
-
Clean up by SSH-ing into the server and doing the following:
rm /etc/systemd/system/nextcloud*rm -rf /nextcloud- getting rid of this playbook
Thanks to Julian-Samuel Gebühr (@moan0s), the playbook can now set up Collabora Online Development Edition (CODE) - Your Private Office Suite In The Cloud.
See our Setting up Collabora Online (Office) integration documentation to get started.
We've previously used make for easily running some playbook commands (e.g. make roles which triggers ansible-galaxy, see Makefile).
Our Makefile is still around and you can still run these commands.
In addition, we've added support for running commands via just - a more modern command-runner alternative to make. Instead of make roles, you can now run just roles to accomplish the same.
Our justfile already defines some additional helpful shortcut commands that weren't part of our Makefile. Here are some examples:
just install-allto trigger the much longeransible-playbook -i inventory/hosts setup.yml --tags=install-all,startcommandjust install-all --ask-vault-pass- commands also support additional arguments (--ask-vault-passwill be appended to the above installation command)just run-tags install-nextcloud,start- to run specific playbook tagsjust start-all- (re-)starts all servicesjust stop-group postgres- to stop only the Postgres service
Additional helpful commands and shortcuts may be defined in the future.
This is all completely optional. If you find it difficult to install just or don't find any of this convenient, feel free to run all commands manually.
If you're using an externally-managed Traefik server or other reverse-proxy, you may need to adapt your vars.yml configuration.
To ensure connectivity of Nextcloud (actually nextcloud-reverse-proxy-companion) to Traefik, we used to put nextcloud-reverse-proxy-companion in Traefik's network (as a main network), and then also connect the nextcloud-reverse-proxy-companion container to "additional networks" (the nextcloud network, etc.).
While this worked, it was a little backwards. We now have a better way to do things - putting nextcloud-reverse-proxy-companion in its own nextcloud network as main, and connecting it to additional networks (e.g. traefik) after creating the container, but before starting it. This also seems to work well and is more straightforward.
The playbook will warn you if you're using any variables that have been renamed or dropped.
Until now, Traefik ran in the same container network (nextcloud) as all Nextcloud services so it could reverse-proxy to them easily.
From now on:
-
Traefik runs in its own new
traefikcontainer network -
Nextcloud services continue to run in the
nextcloudcontainer network -
Nextcloud services which Traefik needs to reverse-proxy to (e.g. the
nextcloud-reverse-proxy-companioncontainer) are automatically connected to thetraefikadditional container network, thanks to a newnextcloud_playbook_reverse_proxyable_services_additional_networksvariable controlling this behavior
To upgrade your setup, consider first stopping all services (running the playbook with --tags=stop) and then installing (--tags=setup-all,start).
If you're reverse-proxying via your own Traefik instance (not installed by this playbook), you may need to use this additional configuration: nextcloud_playbook_reverse_proxyable_services_additional_networks: [traefik] (for Traefik running in a container network named traefik).
This playbook has been completely overhauled:
-
Docker installation is now handled by an upstream Ansible role geerlingguy/ansible-role-docker, so we don't need to maintain this in this playbook
-
various other Ansible roles have been extracted out into roles shared with other Ansible playbooks (see
requirements.yml). These get installed into your working directory (inroles/galaxy) by you runningmake roles. Consider runningmake rolesevery time you update the playbook -
functionality which used to live in a single
nextcloud_serverrole has been split into various Ansible roles (seeroles/custom/) -
the Postgres database setup has been redone (improved security; support for additional databases in the future; etc), so you'll need to dump and reimport your database
-
Traefik is the new default reverse-proxy, because it plays more nicely with other containered web services on the host. You can still switch back to nginx though
-
Nextcloud now runs with more tightened permissions (
docker run --user=.. --cap-drop=ALL --read-only) for increased security -
it no longer installs scripts in
/usr/local/bin, but only in/nextcloud/*/bin -
it no longer uses cronjobs (and thus, no longer depends on a cron daemon) - periodic tasks are now powered by systemd timers
Support for the following services has changed:
-
dropped support for Goofys - consider finding an alternative for mounting S3 storage into Nextcloud. It was deemed complicated to migrate this feature to our new setup and its usefulness is dubious. If you need it, let us know or better yet spend the time to re-add it.
-
dropped support for Preview Generator. The usefulness of this feature is also dubious, so we've kept things simple and dropped it. If you need it, let us know or better yet spend the time to re-add it.
-
regressed support for OnlyOffice. We've tried to port this feature to the next playbook setup, but are still hitting some problems. This may be fixed later.
-
various playbook variables have been renamed. The playbook should tell you about the old and new names of most of these the next time you run it.
By default, this playbook now uses Traefik for reverse-proxying to Nextcloud.
We recommend that you adopt this new default as it's a simpler and more interoperable setup.
To switch back to the previous default (nextcloud-nginx-proxy) or to figure out how to make your other reverse-proxy work with the new setup, see Switching back to nextcloud-nginx-proxy or the Using your own webserver, instead of this playbook's Traefik documentation.
Using Traefik as a default reverse-proxy makes this playbook play more nicely with other containerized web services on the host which are also using Traefik (among which other playbooks like gitea-docker-ansible-deploy).
If you were previously using Traefik as described in our docs, you can now probably get rid of all your custom reverse-proxy configuration except for the nextcloud_container_network variable (previously called nextcloud_docker_network), which specifies the container network Traefik and Nextcloud would share. Consider learning more in the Using your own webserver, instead of this playbook's Traefik documentation.
Despite Traefik being the default reverse-proxy, you can still switch back to using nginx as a reverse-proxy with the following configuration:
nextcloud_playbook_reverse_proxy_type: playbook-managed-nginxYou will also need to relocate your SSL certificate files from /nextcloud/ssl to /nextcloud/nginx-proxy/ssl. We tell you how to do this below, in Restore your SSL certificates (if you will be using nextcloud-nginx-proxy).
While your existing Nextcloud installation is still up and running, perform a Postgres database dump.
You will need this database dump later, to re-import it into the new Nextcloud Postgres database server the playbook will set up for you.
Use a command like this:
/usr/bin/docker exec \
--env-file=/nextcloud/environment-variables/env-postgres-pgsql-docker \
nextcloud-postgres \
/usr/local/bin/pg_dumpall -h nextcloud-postgres \
| gzip -c \
> /nextcloud-postgres-dump.sql.gzBefore migrating, do a full backup. A simple way to do it is like this:
- Run
make rolesto pull dependency Ansible roles (defined inrequirements.yml) intoroles/galaxy. Also, remember to run this every time you update your playbook. - Stop all services:
ansible-playbook -i inventory/hosts setup.yml --tags=stop - Move
/nextcloudaway:mv /nextcloud /nextcloud-backup
Doing this, you're both making a backup and freeing up /nextcloud, so that the new playbook installation can use it.
You will need to add these required variables (also see examples/host-vars.yml).
# This variable used to be called host_specific_nextcloud_hostname
nextcloud_server_fqn_nextcloud: nextcloud.DOMAIN
# A secret used as a base, for generating various other secrets.
# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
nextcloud_generic_secret_key: ''
# The email address to provide to Traefik (which is then provided to Let's Encrypt) for obtaining SSL certificates
devture_traefik_config_certificatesResolvers_acme_email: ''
# or (if you're disabling Traefik) and using `nextcloud-nginx-proxy`:
# nextcloud_nginx_proxy_ssl_support_email: ''
# A Postgres password to use for the superuser Postgres user (called `root` by default).
#
# The playbook creates additional Postgres users and databases (one for each enabled service) using this superuser account.
devture_postgres_connection_password: ''
# A Postgres password to use for the `nextcloud` database.
# You will use the same password during initial Nextcloud installation.
nextcloud_nextcloud_database_password: ''Don't forget to make your vars.yml adjustments related to the reverse-proxy for Traefik or nginx, as described above in Traefik is the new default reverse-proxy or switching back to nginx.
The next time you run the playbook, it will warn you if you're still using some variables that have been renamed or dropped.
-
Delete cronjobs:
rm /etc/cron.d/nextcloud-*. The new setup uses systemd timers, not cronjobs -
Delete scripts:
rm /usr/local/bin/nextcloud-*. These scripts will live in/nextcloud/*/binafter the new setup -
Delete existing systemd services:
rm /etc/systemd/system/nextcloud*.service. The new setup may recreate some of them later
If you are using Traefik (the new default reverse-proxy), this step does not apply to you.
This step is not strictly required, as the new playbook can obtain new SSL certificates. Still, you may wish to use your existing ones to avoid hitting some Let's Encrypt rate-limits, etc.
To restore your old SSL certificates, do this:
- Create the directory tree:
mkdir -p /nextcloud/nginx-proxy/ssl - Copy your old certificates:
rsync -avr /nextcloud-backup/ssl/. /nextcloud/nginx-proxy/ssl/. - Fix up permissions:
chown -R nextcloud:nextcloud /nextcloud/nginx-proxy/ssl
Make sure you've adjusted your playbook configuration.
-
If you haven't already, run
make rolesto pull dependency Ansible roles (defined inrequirements.yml) intoroles/galaxy. Also, remember to run this every time you update your playbook. -
Run the playbook:
ansible-playbook -i inventory/hosts setup.yml --tags=setup-all -
Import your old Postgres database:
ansible-playbook -i inventory/hosts setup.yml --tags=import-postgres --extra-vars='{"server_path_postgres_dump": "/nextcloud-postgres-dump.sql.gz", "postgres_default_import_database": "nextcloud"}' -
Make sure all Nextcloud services are stopped:
ansible-playbook -i inventory/hosts setup.yml --tags=stop -
Migrate your old data:
rsync -avr --delete /nextcloud-backup/nextcloud-data/. /nextcloud/nextcloud/data/. -
Fix ownership of the data:
chown nextcloud:nextcloud /nextcloud/nextcloud/data/ -R -
Change the database password in the Nextcloud config (we used a
nextcloud-passwordpassword by default, but now use one provided by you in thenextcloud_nextcloud_database_passwordvariable): Either edit the/nextcloud/nextcloud/data/config/config.phpfile manually or run this command (after adjusting theYOUR_DATABASE_PASSWORD_HEREpart):sed -i "s/ 'dbpassword' => 'nextcloud-password',/ 'dbpassword' => 'YOUR_DATABASE_PASSWORD_HERE',/" /nextcloud/nextcloud/data/config/config.php -
Start all services:
ansible-playbook -i inventory/hosts setup.yml --tags=start
Thanks to Gergely Horváth (@hooger) we now have Fail2ban support, configured as recommended by the Nextcloud guide upstream.
Fail2ban is also enabled by default now. If you wish to continue running without Fail2ban, add this to your vars.yml file: nextcloud_fail2ban_enabled: false.
Instead of mounting individual directories for storage (config, data, custom_apps, etc.), we now directly mount /nextcloud/nextcloud-data at /var/www/html.
What we were doing before is nice and clean, but not standard and was leading to various Nextcloud issues (pretty URLs not working, etc.).
The only thing you need to do to migrate (besides re-running the playbook) is to fix pretty URLs support: docker exec -u www-data nextcloud-apache php /var/www/html/occ maintenance:update:htaccess
The playbook now supports the new Ansible 2.8.
A manual change is required to the inventory/hosts file, changing the group name from nextcloud-servers to nextcloud_servers (dash to underscore).
To avoid doing it manually, run this:
- Linux:
sed -i 's/nextcloud-servers/nextcloud_servers/g' inventory/hosts - Mac:
sed -i '' 's/nextcloud-servers/nextcloud_servers/g' inventory/hosts
nextcloud_nextcloud_config_additional_parameters was introduced to supersede the previously-existing nextcloud_nextcloud_config_parameters variable.
You're supposed to put your own parameters in nextcloud_nextcloud_config_additional_parameters from now on.
The playbook now installs Postgres 11 by default.
If you have have an existing setup, it's likely running on an older Postgres version (9.x or 10.x). You can easily upgrade by following the Maintenance / upgrading PostgreSQL guide.
The following playbook variables were renamed:
- from
nextcloud_docker_image_nextcloudtonextcloud_nextcloud_container_image - from
nextcloud_docker_image_nginxtonextcloud_nginx_proxy_container_image - from
nextcloud_docker_image_goofystonextcloud_goofys_docker_image - from
nextcloud_docker_image_postgres_v9tonextcloud_postgres_docker_image_v9 - from
nextcloud_docker_image_postgres_v10tonextcloud_postgres_docker_image_v10 - from
nextcloud_apache_container_memory_limittonextcloud_nextcloud_apache_container_memory_limit - from
nextcloud_apache_container_memory_swap_limittonextcloud_nextcloud_apache_container_memory_swap_limit
The playbook can now install and configure an OnlyOffice Document Server and the OnlyOffice app for Nextcloud.
--log-driver=none is used for all Docker containers now.
All these containers are started through systemd anyway and get logged in journald, so there's no need for Docker to be logging the same thing using the default json-file driver. Doing that was growing /var/lib/docker/containers/.. infinitely until service/container restart.
As a result of this, things like docker logs nextcloud-apache won't work anymore. journalctl -u nextcloud-apache is how one can see the logs.
We've been using acmetool (with the willwill/acme-docker container image) until now.
Due to the container image being deprecated, and things looking bleak for acmetool's support of the newer ACME v2 API endpoint, we've switched to using certbot (with the certbot/certbot container image).
Simply re-running the playbook will retrieve new certificates (via certbot) for you. To ensure you don't leave any old files behind, though, you'd better do this:
systemctl stop 'nextcloud*'- stop your custom webserver, if you're running one (only affects you if you've installed with
nextcloud_nginx_proxy_enabled: false) mv /nextcloud/ssl /nextcloud/ssl-acmetool-delete-later- re-run the playbook's installation
- possibly delete
/nextcloud/ssl-acmetool-delete-later