Removed extra service unit step. Systemd seems to not need the extra help to correct track the status of the container, and it was often preventing the container started.

README.md

@@ -1,6 +1,6 @@
 # Ansible Role: nextcloud
 
-This Ansible Role installs a rootless [Nextcloud](https://github.com/nextcloud/docker) container using Podman. It is intended to be composed with separate roles for Podman and any database backend such as PostgreSQL or Mariadb.
+This Ansible Role installs a rootless [Nextcloud](https://github.com/nextcloud/docker) container using Podman. It is intended to be composed with separate roles for Podman, database, and web proxy.
 
 ## Requirements
 
@@ -10,33 +10,48 @@ This Ansible Role installs a rootless [Nextcloud](https://github.com/nextcloud/d
 ## Dependencies
 
 * [mariadb](docs/DATABASE.md) (optional)
-* postgresql (optional)
+* [postgresql](docs/POSTGRES.md) (optional)
+* [nginx_conf](docs/examples/nginx_conf.yml) (optional)
 
 ## Role Variables
 
-See the role [defaults](defaults/main.yml) and the Nextcloud [environment variable documentation](https://github.com/nextcloud/docker/blob/master/README.md#auto-configuration-via-environment-variables). For a working example, see this [homelab stack](https://github.com/bleetube/satstack).
+See the role [defaults](defaults/main.yml) and the Nextcloud [environment variable](https://github.com/nextcloud/docker/blob/master/README.md#auto-configuration-via-environment-variables) documentation. For a working example, see this [homelab stack](https://github.com/bleetube/satstack).
 
 ## Example Playbook
 
 ```yaml
 - hosts: nextcloud
+  become: true
   roles:
+    - role: nginxinc.nginx_core.nginx
     - role: fauust.mariadb
-      become: true
     - role: alvistack.podman
-      become: true
+    - role: bleetube.redis
     - role: bleetube.nextcloud
+      become: false
+  tasks:
+    - import_tasks: nginx_conf.yml
 ```
 
-## Example Deployment
+## Systemd
+
+```
+systemctl --user status container-nextcloud.service
+```
+
+## Upgrades
+
+Configure `nextcloud_version`.
 
 ```bash
-ansible-playbook playbooks/nextcloud.yml
+ansible-playbook playbooks/nextcloud.yml --tags nextcloud
+podman exec -it -u www-data nextcloud /var/www/html/occ app:update --all
+podman exec -it -u www-data nextcloud /var/www/html/occ upgrade
 ```
 
 ## Backups
 
-TODO
+See the [postgres example](docs/examples/postgres-backup.sh).
 
 ## Monitoring
 
@@ -45,6 +60,10 @@ TODO
 ## Resources
 
 * [nextcloud.admin](https://github.com/nextcloud/ansible-collection-nextcloud-admin) collection
+* [Apps](https://apps.nextcloud.com/)
+* [Admin Manual](https://docs.nextcloud.com/server/latest/admin_manual/)
+* [User Manual](https://docs.nextcloud.com/server/latest/user_manual/)
+
 
 ## Thanks
 

docs/PODMAN.md

@@ -1,12 +1,29 @@
 # Podman
 
-Example using [alvistack/ansible-role-podman](https://github.com/alvistack/ansible-role-podman):
+Example using [alvistack/ansible-role-podman](https://github.com/alvistack/ansible-role-podman) on Ubuntu. It currently requires working around the deprecated apt_key usage, and ensuring linger for the ansible/podman user. This should be addressed in the future.
-
 
 ```yaml
+---
 - hosts: podman
   become: true
 
+  vars:
+    podman_apt_key_url: "http://downloadcontent.opensuse.org/repositories/home:/alvistack/xUbuntu_22.04/Release.key"
+
+  pre_tasks:
+    - name: anxs.podman | Add podman apt repository key.
+      ansible.builtin.get_url:
+        url: "{{ podman_apt_key_url }}"
+        dest: /usr/share/keyrings/podman-alvistack.asc
+        mode: '0644'
+
+    - name: anxs.podman | Ensure the repository is added with the relevant trusted GPG key
+      ansible.builtin.lineinfile:
+        path: /etc/apt/sources.list.d/podman-alvistack.list
+        regexp: 'apt.podman.org'
+        line: "deb [arch=amd64 signed-by=/usr/share/keyrings/podman-alvistack.asc] http://downloadcontent.opensuse.org/repositories/home:/alvistack/xUbuntu_22.04/ /"
+        create: true
+
   roles:
     - alvistack.podman
 
@@ -15,4 +32,19 @@ Example using [alvistack/ansible-role-podman](https://github.com/alvistack/ansib
       command:
         cmd: "loginctl enable-linger {{ sysadmin_username }}"
         creates: "/var/lib/systemd/linger/{{ sysadmin_username }}"
+      tags: test
+
+    - name: Ensure the data directories for docker-compose exist and are owned by the user.
+      ansible.builtin.file:
+        path: "{{ item }}"
+        state: directory
+        owner: "{{ sysadmin_username }}"
+        group: "{{ sysadmin_username }}"
+      loop:
+        - /var/compose
+
+    - name: alvistack.podman | Remove deprecated apt source entry
+      ansible.builtin.file:
+        path: /etc/apt/sources.list.d/home:alvistack.list
+        state: absent
 ```

docs/POSTGRES.md

@@ -0,0 +1,37 @@
+# PostgreSQL
+
+This variation of the [original role](https://github.com/Tronde/ansible_role_deploy_nextcloud_with_mariadb_pod) is intended to be composed with another role that sets up the database. Here is an example using [anxs.postgresql](https://github.com/ANXS/postgresql)
+
+## Example Playbook
+
+```yaml
+  roles:
+    - anxs.postgresql
+```
+
+## Example Variables
+
+```yaml
+postgresql_users:
+  - name: nextcloud
+    pass: "{{ lookup('ansible.builtin.env', 'NEXTCLOUD_POSTGRES_PASSWORD') }}"
+    encrypted: yes
+    state: present
+
+postgresql_databases:
+  - name: nextcloud
+    owner: nextcloud
+    state: present
+```
+
+In this example, there are two users because both `localhost` and `%` (all-hosts wildcard) are [mutually exclusive](https://stackoverflow.com/q/10823854/9290). I am also using environment variables to  separate secret stores from the repository.
+
+## PG 15
+
+I'm temporarily using this branch to get PG15:
+
+```yaml
+  - src: https://github.com/ANXS/postgresql
+    name: anxs.postgresql
+    version: development
+```

docs/examples/nginx.conf.j2

@@ -0,0 +1,136 @@
+
+        # HSTS settings
+        # WARNING: Only add the preload option once you read about
+        # the consequences in https://hstspreload.org/. This option
+        # will add the domain to a hardcoded list that is shipped
+        # in all major browsers and getting removed from this list
+        # could take several months.
+        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+
+        # set max upload size
+        client_max_body_size 512M;
+        fastcgi_buffers 64 4K;
+
+        # Enable gzip but do not remove ETag headers
+        gzip on;
+        gzip_vary on;
+        gzip_comp_level 4;
+        gzip_min_length 256;
+        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+        # Pagespeed is not supported by Nextcloud, so if your server is built
+        # with the `ngx_pagespeed` module, uncomment this line to disable it.
+        #pagespeed off;
+
+        # HTTP response headers borrowed from Nextcloud `.htaccess`
+        add_header Referrer-Policy                      "no-referrer"       always;
+        add_header X-Content-Type-Options               "nosniff"           always;
+        add_header X-Download-Options                   "noopen"            always;
+        add_header X-Frame-Options                      "SAMEORIGIN"        always;
+        add_header X-Permitted-Cross-Domain-Policies    "none"              always;
+        add_header X-Robots-Tag                         "noindex, nofollow" always;
+        add_header X-XSS-Protection                     "1; mode=block"     always;
+
+        # Remove X-Powered-By, which is an information leak
+        fastcgi_hide_header X-Powered-By;
+
+        # Path to the root of your installation
+#       root /var/www/html;
+        root {{ nextcloud_web_root }};
+
+        # Specify how to handle directories -- specifying `/index.php$request_uri`
+        # here as the fallback means that Nginx always exhibits the desired behaviour
+        # when a client requests a path that corresponds to a directory that exists
+        # on the server. In particular, if that directory contains an index.php file,
+        # that file is correctly served; if it doesn't, then the request is passed to
+        # the front-end controller. This consistent behaviour means that we don't need
+        # to specify custom rules for certain paths (e.g. images and other assets,
+        # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
+        # `try_files $uri $uri/ /index.php$request_uri`
+        # always provides the desired behaviour.
+        index index.php index.html /index.php$request_uri;
+
+        # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+        location = / {
+            if ( $http_user_agent ~ ^DavClnt ) {
+                return 302 /remote.php/webdav/$is_args$args;
+            }
+        }
+
+        location = /robots.txt {
+            allow all;
+            log_not_found off;
+            access_log off;
+        }
+
+        # Make a regex exception for `/.well-known` so that clients can still
+        # access it despite the existence of the regex rule
+        # `location ~ /(\.|autotest|...)` which would otherwise handle requests
+        # for `/.well-known`.
+        location ^~ /.well-known {
+            # The rules in this block are an adaptation of the rules
+            # in `.htaccess` that concern `/.well-known`.
+
+            location = /.well-known/carddav { return 301 /remote.php/dav/; }
+            location = /.well-known/caldav  { return 301 /remote.php/dav/; }
+
+            location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
+            location /.well-known/pki-validation    { try_files $uri $uri/ =404; }
+
+            # Let Nextcloud's API for `/.well-known` URIs handle all other
+            # requests by passing them to the front-end controller.
+            return 301 /index.php$request_uri;
+        }
+
+        # Rules borrowed from `.htaccess` to hide certain paths from clients
+        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
+        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
+
+        # Ensure this block, which passes PHP files to the PHP process, is above the blocks
+        # which handle static assets (as seen below). If this block is not declared first,
+        # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+        # to the URI, resulting in a HTTP 500 error response.
+        location ~ \.php(?:$|/) {
+            # Required for legacy support
+            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
+
+            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+            set $path_info $fastcgi_path_info;
+
+            try_files $fastcgi_script_name =404;
+
+            include fastcgi_params;
+#           fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            fastcgi_param SCRIPT_FILENAME /var/www/html/$fastcgi_script_name;
+            fastcgi_param PATH_INFO $path_info;
+            #fastcgi_param HTTPS on;
+
+            fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
+            fastcgi_param front_controller_active true;     # Enable pretty urls
+            fastcgi_pass php-handler;
+
+            fastcgi_intercept_errors on;
+            fastcgi_request_buffering off;
+        }
+
+        location ~ \.(?:css|js|svg|gif)$ {
+            try_files $uri /index.php$request_uri;
+            expires 6M;         # Cache-Control policy borrowed from `.htaccess`
+            access_log off;     # Optional: Don't log access to assets
+        }
+
+        location ~ \.woff2?$ {
+            try_files $uri /index.php$request_uri;
+            expires 7d;         # Cache-Control policy borrowed from `.htaccess`
+            access_log off;     # Optional: Don't log access to assets
+        }
+
+        # Rule borrowed from `.htaccess`
+        location /remote {
+            return 301 /remote.php$request_uri;
+        }
+
+        location / {
+            try_files $uri $uri/ /index.php$request_uri;
+        }

docs/examples/nginx_conf.yml

@@ -0,0 +1,35 @@
+---
+# https://github.com/nextcloud/docker/blob/master/.examples/docker-compose/with-nginx-proxy/postgres/fpm/web/nginx.conf
+- name: Nextcloud | Configure nginx with the template
+  ansible.builtin.template:
+    src: templates/nginx.conf.j2
+    dest: /etc/nginx/nextcloud_template.conf
+
+# https://github.com/nextcloud/docker/blob/master/.examples/docker-compose/with-nginx-proxy/postgres/fpm/web/nginx.conf
+- name: Nextcloud | Configure nginx to include the template
+  ansible.builtin.import_role:
+    name: nginxinc.nginx_core.nginx_config
+  vars:
+    nginx_config_http_template_enable: true
+    nginx_config_http_template:
+      - template_file: http/default.conf.j2
+        deployment_location: "/etc/nginx/conf.d/nextcloud_{{ inventory_hostname }}.conf"
+        backup: false
+        config:
+          upstreams:
+            - name: php-handler
+              servers:
+                - address: "{{ nextcloud_fpm_upstream }}"
+          servers:
+            - core:
+                listen:
+                  - address: "{{ default_interface_ipv4_address|default(ansible_default_ipv4.address) }}:{{ nextcloud_https_port|default(4440) }} ssl"
+                include:
+                  - "/etc/nginx/acme_{{ inventory_hostname }}.conf"
+                  - /etc/nginx/nextcloud_template.conf
+              http2: # requires nginx_core.nginx_config >= 0.7.0
+                enabled: true
+          headers:
+            add_headers:
+              - name: X-Real-IP
+                value: $remote_addr

docs/examples/postgres-backup.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+TARGET=example
+TIMESTAMP=$(date +%m-%d-%Y)
+
+# nextcloud files
+rsync --delete-after -ta ${TARGET}:/var/compose/nextcloud $HOME/archive/${TARGET}/
+
+# nextcloud postgresql
+BACKUP_DIR=$HOME/archive/${TARGET}/postgresql
+DUMP_FILE=/var/lib/postgresql/nextcloud_${TIMESTAMP}.dump.bz2
+ssh root@${TARGET} "doas -u postgres /usr/bin/pg_dump -Fc nextcloud | /usr/bin/bzip2 > ${DUMP_FILE}"
+mkdir -p $HOME/archive/${TARGET}/postgresql/
+rsync -tav ${TARGET}:${DUMP_FILE} $HOME/archive/${TARGET}/postgresql/
+ssh root@${TARGET} rm -v ${DUMP_FILE}
+
+# restore
+#su - postgres
+# dropdb nextcloud; createdb nextcloud
+#bzcat nextcloud_*.dump.bz2 | pg_restore -d nextcloud

tasks/podman.yml

@@ -0,0 +1,25 @@
+---
+- name: Create volumes
+  containers.podman.podman_volume:
+    state: present
+    name: "{{ item }}"
+    recreate: no
+    debug: no
+  loop: "{{ nextcloud_create_volumes }}"
+
+# https://github.com/nextcloud/docker/blob/master/.examples/docker-compose/with-nginx-proxy/mariadb/fpm/docker-compose.yml
+- name: Create container
+  containers.podman.podman_container:
+    debug: no 
+    image: "{{ nextcloud_image }}:{{ nextcloud_version }}"
+    image_strict: yes
+    recreate: yes
+    state: present
+    name: "{{ nextcloud_name }}"
+    env: "{{ nextcloud_config }}"
+    volume: "{{ nextcloud_volumes }}"
+    ports: "{{ nextcloud_ports }}"
+  register: podman_output
+
+- ansible.builtin.debug:
+    var: podman_output

tasks/systemd.yml

@@ -0,0 +1,34 @@
+---
+- name: Generate systemd unit file for the container(s)
+  containers.podman.podman_generate_systemd:
+    name: nextcloud
+    dest: ~/.config/systemd/user/
+    restart_policy: on-failure
+    restart_sec: 60
+
+- name: Start the container(s) with systemd, so systemd will know the state of the container(s) moving forward.
+  ansible.builtin.systemd:
+    name: container-nextcloud
+    scope: user
+    state: started
+  failed_when: false
+  #register: systemd_result
+  #until: systemd_result is succeeded
+  #retries: 1
+
+- name: Install systemd timer to run cron jobs
+  ansible.builtin.template:
+    src: "{{ item }}.j2"
+    dest: "~/.config/systemd/user/{{ item }}"
+  loop:
+    - nextcloud-cron.service
+    - nextcloud-cron.timer
+
+- name: Install systemd timer to run cron jobs
+  ansible.builtin.systemd:
+    name: nextcloud-cron.timer
+    scope: user
+    daemon_reload: true
+    state: started
+    enabled: true
+  tags: test

templates/nextcloud-cron.service.j2

@@ -0,0 +1,6 @@
+[Unit]
+Description=Nextcloud cron.php job
+
+[Service]
+ExecStart=podman exec -u www-data {{ nextcloud_name }} /usr/local/bin/php -f /var/www/html/cron.php
+KillMode=process

templates/nextcloud-cron.timer.j2

@@ -0,0 +1,10 @@
+[Unit]
+Description=Run Nextcloud cron.php every 5 minutes
+
+[Timer]
+OnBootSec=5m
+OnUnitActiveSec=5m
+Unit=nextcloud-cron.service
+
+[Install]
+WantedBy=timers.target

tests/test.yml

@@ -3,4 +3,4 @@
   remote_user: root
   connection: local
   roles:
-    - bleetube.nextcloud
+    - nextcloud