refactor(roles/nextcloud): parameterize OS-specific names for multi-OS support

CHANGELOG.md

@@ -26,6 +26,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 
+* **role:nextcloud**: Lay the groundwork for non-RHEL platforms (Debian/Ubuntu) by removing hardcoded RHEL-specific names from the role logic. The web server user/group (previously `apache`), the PHP-FPM service name (previously `php-fpm`) and the base package list (previously the RHEL names `openldap-clients`/`samba-client`) are now sourced from OS-specific `vars/` via `shared/platform-variables.yml`. The web server user/group and PHP-FPM service name are exposed as the overridable variables `nextcloud__webserver_user`, `nextcloud__webserver_group` and `nextcloud__php_fpm_service_name` and are now used throughout the tasks, the deployed systemd services and the notify_push unit (not just the `/usr/local/bin/nextcloud-update` script). The SELinux `restorecon` tasks are now guarded by `ansible_facts["selinux"]["status"] != "disabled"`, and the SELinux blocks in the update script use `ansible_facts["os_family"]` instead of `ansible_os_family`. Only `vars/RedHat.yml` ships, so the role still runs on RHEL only (see `COMPATIBILITY.md`); adding a tested `vars/Debian.yml` is all that is needed to extend support.
 * **role:keycloak**: The role no longer leaves the bootstrap admin credentials lying around in `/etc/sysconfig/keycloak` after the first run. It now writes the credentials, waits for Keycloak to consume them on startup (provisioning the bootstrap admin in the `master` realm), re-renders the sysconfig file with the credentials removed, and stores a state marker at `/etc/ansible/facts.d/keycloak__admin_login_bootstrapped.state` so subsequent runs skip the credential render entirely. After the first run, `keycloak__admin_login` can be removed from the inventory. Disaster recovery: delete the marker file, re-add the variable, re-run. Also recommend a `-temp` suffix for the initial admin username (example: `keycloak-admin-temp`) so it is visually obvious in the Keycloak UI which account must be deleted once a permanent admin exists.
 * **role:monitoring_plugins**: `install_method: 'source'` now reads the per-Python-LTS lockfile under `lockfiles/pyXX/requirements.txt` (`py39` ... `py314`) from both the `monitoring-plugins` and `lib` repos, picking the directory that matches the target host's Python. The previous root-level `requirements.txt` no longer exists upstream. No variable changes; rsync sources updated.
 * **CONTRIBUTING**: `meta/argument_specs.yml` must declare the `__dependent_var` slot for any variable that `setup_*` playbooks inject into the role via `vars:`. Dict variables fed by external lookups like `linuxfabrik.lfops.bitwarden_item` should use `type: 'dict'` without strict sub-options, since the lookup returns the full item with additional keys.
@@ -35,6 +36,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
+* **role:nextcloud**: Add `meta/argument_specs.yml` declaring all user-facing variables (including the new `nextcloud__webserver_user`, `nextcloud__webserver_group` and `nextcloud__php_fpm_service_name`), so Ansible validates required variables and types at role entry.
 * **role:graylog_datanode, role:graylog_server**: Add template for Graylog 7.1.
 * **role:sshd**: Add Debian 13 support.
 * **role:mirror**: Document the new per-repository `newest_only` subkey on `mirror__reposync_repos` entries. Defaults to `true` (only the newest version of each package is mirrored). Set to `false` for repositories that publish multiple versions in parallel, such as Icinga, where older versions must remain available.

roles/nextcloud/README.md

@@ -233,6 +233,12 @@ nextcloud__users:
 * Type: String.
 * Default: `'*:50:15'`
 
+`nextcloud__php_fpm_service_name`
+
+* Name of the PHP-FPM systemd service that the role restarts (and that the `/usr/local/bin/nextcloud-update` script restarts). Defaults to the OS-specific value (`php-fpm` on RHEL, `php<version>-fpm` on Debian).
+* Type: String.
+* Default: Have a look at [vars/](https://github.com/Linuxfabrik/lfops/blob/main/roles/nextcloud/vars/)
+
 `nextcloud__skip_apps`
 
 * Completely skips the management of Nextcloud apps. Set this to prevent changes via the WebGUI from being overwritten.
@@ -328,6 +334,18 @@ nextcloud__users:
 * Type: Number.
 * Default: `80`
 
+`nextcloud__webserver_group`
+
+* Group of the web server, used for file ownership of the Nextcloud installation. Defaults to the OS-specific value (`apache` on RHEL, `www-data` on Debian).
+* Type: String.
+* Default: Have a look at [vars/](https://github.com/Linuxfabrik/lfops/blob/main/roles/nextcloud/vars/)
+
+`nextcloud__webserver_user`
+
+* User of the web server, used for file ownership, to run the `occ` commands and as the `User=` of the deployed systemd services. Defaults to the OS-specific value (`apache` on RHEL, `www-data` on Debian).
+* Type: String.
+* Default: Have a look at [vars/](https://github.com/Linuxfabrik/lfops/blob/main/roles/nextcloud/vars/)
+
 Example:
 ```yaml
 # optional

roles/nextcloud/defaults/main.yml

@@ -177,6 +177,9 @@ nextcloud__mariadb_login: '{{ mariadb_server__admin_user }}'
 nextcloud__on_calendar_app_update: '06,18,23:{{ 59 | random(seed=inventory_hostname) }}'
 nextcloud__on_calendar_jobs: '*:0/5'          # every 5 minutes
 nextcloud__on_calendar_scan_files: '*:50:15'  # every hour at hh:50:15
+
+nextcloud__php_fpm_service_name: '{{ __nextcloud__php_fpm_service_name }}'
+
 nextcloud__skip_apps: false
 nextcloud__skip_notify_push: false
 
@@ -310,6 +313,9 @@ nextcloud__timer_scan_files_enabled: true
 # 'latest', 'latest-XX' or 'nextcloud-XX.X.XX'
 nextcloud__version: 'latest'
 
+nextcloud__webserver_group: '{{ __nextcloud__webserver_group }}'
+nextcloud__webserver_user: '{{ __nextcloud__webserver_user }}'
+
 # -----------------------------------------------------------------------------
 
 nextcloud__apache_httpd__mods__dependent_var:
@@ -546,6 +552,6 @@ nextcloud__systemd_unit__services__dependent_var:
       Environment=PORT=7867
       ExecStartPre=-/bin/chcon --type bin_t /var/www/html/nextcloud/apps/notify_push/bin/x86_64/notify_push
       ExecStart=/var/www/html/nextcloud/apps/notify_push/bin/x86_64/notify_push /var/www/html/nextcloud/config/config.php
-      User=apache
+      User={{ nextcloud__webserver_user }}
     enabled: true
     state: 'present'

roles/nextcloud/meta/argument_specs.yml

@@ -0,0 +1,209 @@
+argument_specs:
+  main:
+    options:
+
+      nextcloud__app_configs__dependent_var:
+        type: 'list'
+        elements: 'dict'
+        required: false
+        default: []
+        description: 'Key-value pairs for configuring apps. Dependent-role injection.'
+
+      nextcloud__app_configs__group_var:
+        type: 'list'
+        elements: 'dict'
+        required: false
+        default: []
+        description: 'Key-value pairs for configuring apps. Group-level override.'
+
+      nextcloud__app_configs__host_var:
+        type: 'list'
+        elements: 'dict'
+        required: false
+        default: []
+        description: 'Key-value pairs for configuring apps. Host-level override.'
+
+      nextcloud__apps__dependent_var:
+        type: 'list'
+        elements: 'dict'
+        required: false
+        default: []
+        description: 'Nextcloud apps to install. Dependent-role injection.'
+
+      nextcloud__apps__group_var:
+        type: 'list'
+        elements: 'dict'
+        required: false
+        default: []
+        description: 'Nextcloud apps to install. Group-level override.'
+
+      nextcloud__apps__host_var:
+        type: 'list'
+        elements: 'dict'
+        required: false
+        default: []
+        description: 'Nextcloud apps to install. Host-level override.'
+
+      nextcloud__database_host:
+        type: 'str'
+        required: false
+        default: 'localhost'
+        description: 'Host where MariaDB is located.'
+
+      nextcloud__database_name:
+        type: 'str'
+        required: false
+        default: 'nextcloud'
+        description: 'Name of the Nextcloud database in MariaDB.'
+
+      nextcloud__datadir:
+        type: 'str'
+        required: false
+        default: '/data'
+        description: 'Where to store the user files.'
+
+      nextcloud__fqdn:
+        type: 'str'
+        required: true
+        description: 'The FQDN of the Nextcloud instance.'
+
+      nextcloud__icinga2_api_url:
+        type: 'str'
+        required: false
+        description: 'The URL of the Icinga2 API used to set/remove a downtime in the nextcloud-update script.'
+
+      nextcloud__icinga2_api_user_login:
+        type: 'dict'
+        required: false
+        description: 'The Icinga2 API user used to set/remove a downtime in the nextcloud-update script.'
+
+      nextcloud__icinga2_hostname:
+        type: 'str'
+        required: false
+        description: 'The hostname of the Icinga2 host on which the downtime should be set.'
+
+      nextcloud__mariadb_login:
+        type: 'dict'
+        required: false
+        description: 'The database administrator account. The Nextcloud setup will create its own database account.'
+
+      nextcloud__on_calendar_app_update:
+        type: 'str'
+        required: false
+        description: 'Time to update the Nextcloud apps. See systemd.time(7) for the format.'
+
+      nextcloud__on_calendar_jobs:
+        type: 'str'
+        required: false
+        default: '*:0/5'
+        description: 'Run interval of OCC background jobs. See systemd.time(7) for the format.'
+
+      nextcloud__on_calendar_scan_files:
+        type: 'str'
+        required: false
+        default: '*:50:15'
+        description: 'Run interval of rescanning the filesystem. See systemd.time(7) for the format.'
+
+      nextcloud__php_fpm_service_name:
+        type: 'str'
+        required: false
+        description: 'Name of the PHP-FPM systemd service that the role and the nextcloud-update script restart. OS-specific default from vars/.'
+
+      nextcloud__skip_apps:
+        type: 'bool'
+        required: false
+        default: false
+        description: 'Completely skips the management of Nextcloud apps.'
+
+      nextcloud__skip_notify_push:
+        type: 'bool'
+        required: false
+        default: false
+        description: 'Skips the configuration of notify_push.'
+
+      nextcloud__storage_backend_s3:
+        type: 'dict'
+        required: false
+        description: 'S3 storage backend. If omitted, local storage is used.'
+
+      nextcloud__storage_backend_swift:
+        type: 'dict'
+        required: false
+        description: 'Swift storage backend. If omitted, local storage is used.'
+
+      nextcloud__sysconfig__dependent_var:
+        type: 'list'
+        elements: 'dict'
+        required: false
+        default: []
+        description: 'Nextcloud system config settings. Dependent-role injection.'
+
+      nextcloud__sysconfig__group_var:
+        type: 'list'
+        elements: 'dict'
+        required: false
+        default: []
+        description: 'Nextcloud system config settings. Group-level override.'
+
+      nextcloud__sysconfig__host_var:
+        type: 'list'
+        elements: 'dict'
+        required: false
+        default: []
+        description: 'Nextcloud system config settings. Host-level override.'
+
+      nextcloud__timer_app_update_enabled:
+        type: 'bool'
+        required: false
+        default: false
+        description: 'Enables/disables the systemd timer for updating apps.'
+
+      nextcloud__timer_jobs_enabled:
+        type: 'bool'
+        required: false
+        default: true
+        description: 'Enables/disables the systemd timer for running OCC background jobs.'
+
+      nextcloud__timer_ldap_show_remnants_enabled:
+        type: 'bool'
+        required: false
+        default: true
+        description: 'Enables/disables the systemd timer for mailing LDAP remnants once a month.'
+
+      nextcloud__timer_scan_files_enabled:
+        type: 'bool'
+        required: false
+        default: true
+        description: 'Enables/disables the systemd timer for re-scanning the Nextcloud files.'
+
+      nextcloud__users:
+        type: 'list'
+        elements: 'dict'
+        required: true
+        description: 'User accounts to create. The first user has to be the primary administrator account.'
+
+      nextcloud__version:
+        type: 'str'
+        required: false
+        default: 'latest'
+        description: "Which version to install. One of 'latest', 'latest-XX' or 'nextcloud-XX.X.XX'."
+
+      nextcloud__vhost_virtualhost_ip:
+        type: 'str'
+        required: false
+        description: 'Used within the <VirtualHost virtualhost_ip:virtualhost_port> directive.'
+
+      nextcloud__vhost_virtualhost_port:
+        type: 'int'
+        required: false
+        description: 'Used within the <VirtualHost virtualhost_ip:virtualhost_port> directive.'
+
+      nextcloud__webserver_group:
+        type: 'str'
+        required: false
+        description: 'Group of the web server, used for file ownership. OS-specific default from vars/.'
+
+      nextcloud__webserver_user:
+        type: 'str'
+        required: false
+        description: 'User of the web server, used for file ownership, occ commands and as the User= of the deployed systemd services. OS-specific default from vars/.'

roles/nextcloud/tasks/create-user.yml

@@ -1,7 +1,7 @@
 - name: 'Create Nextcloud user {{ ncuser["username"] }}'
   ansible.builtin.shell: >-
     export OC_PASS={{ ncuser["password"] | quote }};
-    sudo -E -u apache php occ user:add
+    sudo -E -u {{ nextcloud__webserver_user }} php occ user:add
     --password-from-env
     --group {{ ncuser["group"] | d('""') | quote }}
     {{ ncuser["username"] | quote }}
@@ -15,7 +15,7 @@
 
 - name: 'Update Nextcloud settings for user {{ ncuser["username"] }}'
   ansible.builtin.command: |
-    sudo -u apache php occ user:setting {{ ncuser["username"] }} {{ item }}
+    sudo -u {{ nextcloud__webserver_user }} php occ user:setting {{ ncuser["username"] }} {{ item }}
   args:
     chdir: '/var/www/html/nextcloud/'
   # changed_when: there is no easy way to check for changes