Fix Nextcloud DNS resolution and implement systemd cron for background jobs

- Enable IP forwarding in security playbook (net.ipv4.ip_forward = 1) - Add podman network firewall rules to fix container DNS/HTTPS access - Implement systemd timer for reliable Nextcloud background job execution - Add database optimization tasks (indices, bigint conversion, mimetypes) - Configure maintenance window (04:00 UTC) and phone region (NO) - Add security headers (X-Robots-Tag, X-Permitted-Cross-Domain-Policies) - Create Nextcloud removal playbook for clean uninstall - Fix nftables interface matching (podman0 vs podman+) Root cause: nftables FORWARD chain blocked container egress traffic Solution: Explicit firewall rules for podman0 bridge interface
2025-12-20 19:51:26 +01:00
parent 90bbcd97b1
commit 846ab74f87
14 changed files with 484 additions and 11 deletions
--- a/playbooks/remove-nextcloud.yml
+++ b/playbooks/remove-nextcloud.yml
@@ -0,0 +1,212 @@
+---
+# =================================================================
+# Nextcloud Removal Playbook
+# =================================================================
+# Rick-Infra - Clean removal of Nextcloud installation
+#
+# This playbook removes all Nextcloud components:
+# - Systemd services and timers
+# - Container and images
+# - Data directories
+# - Database and user
+# - Caddy configuration
+# - System user and groups
+#
+# Usage: ansible-playbook playbooks/remove-nextcloud.yml -i inventory/hosts.yml
+
+- name: Remove Nextcloud Installation
+  hosts: arch-vps
+  become: yes
+  gather_facts: yes
+  
+  vars:
+    nextcloud_user: nextcloud
+    nextcloud_group: nextcloud
+    nextcloud_home: /opt/nextcloud
+    nextcloud_db_name: nextcloud
+    nextcloud_db_user: nextcloud
+    caddy_sites_enabled_dir: /etc/caddy/sites-enabled
+  
+  tasks:
+    # ============================================
+    # Stop and Disable Services
+    # ============================================
+    
+    - name: Stop and disable nextcloud-cron timer
+      systemd:
+        name: nextcloud-cron.timer
+        state: stopped
+        enabled: no
+      failed_when: false
+      
+    - name: Stop and disable nextcloud-cron service
+      systemd:
+        name: nextcloud-cron.service
+        state: stopped
+        enabled: no
+      failed_when: false
+    
+    - name: Stop and disable nextcloud service
+      systemd:
+        name: nextcloud.service
+        state: stopped
+        enabled: no
+      failed_when: false
+    
+    # ============================================
+    # Remove Container and Images
+    # ============================================
+    
+    - name: Remove nextcloud container (if running)
+      command: podman rm -f nextcloud
+      register: container_remove
+      changed_when: container_remove.rc == 0
+      failed_when: false
+    
+    - name: Remove nextcloud images
+      command: podman rmi -f {{ item }}
+      loop:
+        - docker.io/library/nextcloud:stable-fpm
+        - docker.io/library/nextcloud
+      register: image_remove
+      changed_when: image_remove.rc == 0
+      failed_when: false
+    
+    # ============================================
+    # Remove Systemd Units
+    # ============================================
+    
+    - name: Remove nextcloud-cron systemd units
+      file:
+        path: "{{ item }}"
+        state: absent
+      loop:
+        - /etc/systemd/system/nextcloud-cron.timer
+        - /etc/systemd/system/nextcloud-cron.service
+    
+    - name: Remove nextcloud quadlet file
+      file:
+        path: /etc/containers/systemd/nextcloud.container
+        state: absent
+    
+    - name: Reload systemd daemon
+      systemd:
+        daemon_reload: yes
+    
+    # ============================================
+    # Remove Database
+    # ============================================
+    
+    - name: Drop nextcloud database
+      become_user: postgres
+      postgresql_db:
+        name: "{{ nextcloud_db_name }}"
+        state: absent
+      failed_when: false
+    
+    - name: Drop nextcloud database user
+      become_user: postgres
+      postgresql_user:
+        name: "{{ nextcloud_db_user }}"
+        state: absent
+      failed_when: false
+    
+    # ============================================
+    # Remove Caddy Configuration
+    # ============================================
+    
+    - name: Remove nextcloud Caddy configuration
+      file:
+        path: "{{ caddy_sites_enabled_dir }}/nextcloud.caddy"
+        state: absent
+      notify: reload caddy
+    
+    # ============================================
+    # Remove Data Directories
+    # ============================================
+    
+    - name: Remove nextcloud home directory (including all data)
+      file:
+        path: "{{ nextcloud_home }}"
+        state: absent
+    
+    # ============================================
+    # Remove User and Groups
+    # ============================================
+    
+    - name: Remove nextcloud user
+      user:
+        name: "{{ nextcloud_user }}"
+        state: absent
+        remove: yes
+        force: yes
+    
+    - name: Remove nextcloud group
+      group:
+        name: "{{ nextcloud_group }}"
+        state: absent
+    
+    # ============================================
+    # Clean Up Remaining Files
+    # ============================================
+    
+    - name: Find nextcloud-related files in /tmp
+      find:
+        paths: /tmp
+        patterns: "nextcloud*,nc_*"
+        file_type: any
+      register: tmp_files
+    
+    - name: Remove nextcloud temp files
+      file:
+        path: "{{ item.path }}"
+        state: absent
+      loop: "{{ tmp_files.files }}"
+      when: tmp_files.files | length > 0
+      failed_when: false
+    
+    - name: Remove caddy logs for nextcloud
+      file:
+        path: /var/log/caddy/nextcloud.log
+        state: absent
+      failed_when: false
+    
+    # ============================================
+    # Verification
+    # ============================================
+    
+    - name: Verify nextcloud service is removed
+      command: systemctl list-units --all nextcloud*
+      register: units_check
+      changed_when: false
+    
+    - name: Verify nextcloud container is removed
+      command: podman ps -a --filter name=nextcloud
+      register: container_check
+      changed_when: false
+    
+    - name: Display removal status
+      debug:
+        msg: |
+          ✅ Nextcloud removal complete!
+          
+          Removed components:
+          - ⏹️  Nextcloud service and cron timer
+          - 🐳 Container: {{ 'Removed' if container_remove.rc == 0 else 'Not found' }}
+          - 🗄️  Database: {{ nextcloud_db_name }}
+          - 📁 Data directory: {{ nextcloud_home }}
+          - 👤 System user: {{ nextcloud_user }}
+          - 🌐 Caddy configuration
+          
+          Remaining services:
+          {{ units_check.stdout }}
+          
+          Containers:
+          {{ container_check.stdout }}
+  
+  handlers:
+    - name: reload caddy
+      systemd:
+        name: caddy
+        state: reloaded
+      failed_when: false