# Onlyoffice workspace ansible

Based on the files provided, here is an analysis of the Ansible role structure, logic flow, and potential areas for improvement or attention.

## 1. Role Overview

This Ansible role (`onlyoffice_workspace`) automates the deployment of the ONLYOFFICE Workspace (Community Server) using Docker Compose. It handles:

* Prerequisites: Installing Docker and required system packages.
* Verification: Checking Docker Hub for the latest tags and validating the requested version.
* Deployment: Cloning the official ONLYOFFICE Docker-CommunityServer repository, configuring `docker-compose.yml` and database initialization scripts via Jinja2 templates.
* Orchestration: Managing the lifecycle of Docker containers (pull, start, health checks).
* Networking/SSL: Integrating with an external Nginx/Certbot stack to handle SSL termination and reverse proxying.
## 2. Logic Flow Analysis

### A. Verification & Tag Management (verify.yml)

- Auth Flow: It attempts to fetch a token from Docker Hub to access the tag list.
  - Note: The `Authorization` header uses `Bearer {{ ...token }}`. If the token is invalid or missing, the subsequent `uri` task will fail.
- Tag Validation:
  - It fetches the list of tags.
  - It filters tags to find the "latest" version by rejecting tags containing letters (assuming semantic versioning like `8.0.0` vs `8.0.0-beta`).
  - It asserts that the user-specified tag matches the latest if `workspace_onlyoffice_controlpanel_docker_tag_latest` is true.
- Potential Issue: The regex `'[a-zA-Z-]'` in the `reject` filter might be too aggressive. It removes any tag containing a letter or a hyphen.
  - Example: A tag like `8.0.0` passes. A tag like `8.0.0-rc1` is rejected. A tag like `latest` is rejected.
  - Risk: If the "latest" stable version on Docker Hub has a suffix (e.g., `8.0.0-stable`), this logic might fail to identify it correctly or pick an older version.
### B. Docker Installation (docker-install.yml)

- OS Detection: It dynamically constructs the Docker repository URL based on `ansible_distribution` and `ansible_lsb.codename`.
- Idempotency: It checks for the `docker` binary first. If missing, it installs the GPG key, adds the repo, and installs packages.
- Privilege Escalation: Correctly uses `become: true` for installation tasks.
### C. Main Deployment (main.yml)

- Git Management:
  - It clones the repo to `/opt/Docker-CommunityServer`.
  - Stash Logic: It attempts to `git stash` before cloning (to preserve local changes) and `git stash pop` after.
  - Critical Observation: The `git` module is called with `force: true`. This usually overwrites the directory. The stash/pop logic might be redundant or prone to errors if the `git` module performs a hard reset or re-clone that discards the stash context.
- Configuration:
  - Templates `docker-compose.yml` and `onlyoffice-initdb.sql`.
  - The SQL script creates databases and users with hardcoded passwords from variables.
- Container Orchestration:
  - Uses `community.docker.docker_compose_v2` (the newer plugin).
  - Sequential Start: It starts the MySQL container first, then waits for it to be ready by executing a `mysql` command inside the container with retries.
  - Health Check: It asserts that the `onlyoffice` and `onlyoffice_mailserver` databases exist before starting the rest of the stack.
  - Final Start: Starts the full compose stack.
- State Verification: It queries the running containers and asserts that the list of running containers matches the services defined in the compose file.
### D. Nginx & SSL (tasks/docker-certbot.yml & Templates)

- External Stack: This role assumes an external Nginx/Certbot stack exists (or is deployed by the included role `docker-certbot-proxy`).
- Network Integration: The Nginx compose file connects to an external network named `onlyoffice`.
- Reverse Proxy: The Nginx config (`nginx_onlyoffice-workspace.conf.j2`) proxies traffic from `panel_fqdn` to the internal ONLYOFFICE container (`onlyoffice-community-server:{{ workspace_port }}`).
- SSL: Uses Let's Encrypt certificates stored in `/etc/letsencrypt`.
## 3. Potential Issues & Recommendations

### 1. Docker Hub Tag Filtering Logic

The logic to find the "latest" tag is fragile:

```yaml
workspace_onlyoffice_controlpanel_docker_latest_tag: "{{ ... | reject('regex', '[a-zA-Z-]') | ... }}"
```

* If the latest tag on Docker Hub is `8.0.0`, it works. If it is `8.0.0-stable` or `8.0.0-1`, it gets rejected.
* Fix: Use a more specific regex or the `community.docker.docker_image_facts` module if available, or rely on the `latest` tag explicitly if the user intends to use it.
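One way to make the selection stricter, as an added example rather than the role's own code: accept only purely numeric tags, then order them by version rather than as strings. `workspace_docker_hub_tags` stands in for the tag list the role fetches from Docker Hub (the values below are constructed), and the `community.general` collection is assumed to be installed for `version_sort`.

```yaml
# Added example, not the role's own code. `workspace_docker_hub_tags` stands in
# for the tag list the role fetches from Docker Hub (values constructed here);
# community.general must be installed for the version_sort filter.
- hosts: localhost
  gather_facts: false
  vars:
    workspace_docker_hub_tags: ["latest", "8.0.0", "8.0.0-rc1", "9.0.0-stable", "9.0.0", "10.0.0"]
    workspace_onlyoffice_controlpanel_docker_tag: "10.0.0"
    workspace_onlyoffice_controlpanel_docker_tag_latest: true
  tasks:
    - name: Keep only plain numeric release tags (drops latest, -rc1, -stable)
      ansible.builtin.set_fact:
        workspace_stable_tags: >-
          {{ workspace_docker_hub_tags
             | select('match', '^[0-9]+([.][0-9]+)*$')
             | list }}

    # A plain string sort would rank "9.0.0" above "10.0.0"; version_sort does not.
    - name: Pick the highest stable tag by version order
      ansible.builtin.set_fact:
        workspace_onlyoffice_controlpanel_docker_latest_tag: >-
          {{ workspace_stable_tags | community.general.version_sort | last }}

    - name: Fail early if no stable tag exists or the requested tag is not the latest
      ansible.builtin.assert:
        that:
          - workspace_stable_tags | length > 0
          - workspace_onlyoffice_controlpanel_docker_tag == workspace_onlyoffice_controlpanel_docker_latest_tag
        fail_msg: >-
          Requested {{ workspace_onlyoffice_controlpanel_docker_tag }}, but the
          latest stable tag on Docker Hub is
          {{ workspace_onlyoffice_controlpanel_docker_latest_tag }}
      when: workspace_onlyoffice_controlpanel_docker_tag_latest | bool
```

With the constructed list the stable set is `["8.0.0", "9.0.0", "10.0.0"]` and the chosen latest tag is `10.0.0`, so the assertion passes.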
### 2. Git Stash/Pop Redundancy

The `git` module with `force: true` typically cleans the directory.

* Problem: If the directory exists, `git stash` saves changes. Then the `git` module runs (potentially resetting the repo). Then `git stash pop` tries to apply changes. If the `git` module changes the working tree significantly, the stash might fail to apply or cause conflicts.
* Recommendation: If the goal is to ensure the repo is at a specific tag, `force: true` is usually sufficient. The stash logic is only necessary if you are manually editing files in the repo between runs and want to preserve them. If this is a standard deployment, consider removing the stash logic to simplify the flow.
### 3. Database Password Security

- Observation: The `onlyoffice-initdb.sql.j2` template writes passwords directly into the SQL file.
- Risk: If the file permissions are not strictly enforced (though `mode: "0644"` is set), these passwords are visible in the file system.
- Recommendation: Ensure the directory `/opt/Docker-CommunityServer/config/mysql/docker-entrypoint-initdb.d/` has restricted permissions (e.g., `0700` for the directory, `0600` for the file) to prevent other users from reading the SQL file.
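The recommendation above expressed as tasks, as an added example that is not the role's own code: the directory and template names come from the analysis, the rendered filename `onlyoffice-initdb.sql` and the registered variable name are assumptions, and the MySQL container is assumed to read the init directory as root (if the image drops privileges before running init scripts, set `owner`/`group` to that account instead).

```yaml
# Added example, not the role's own code. Paths and template name are taken from
# the analysis; the rendered filename and register name are assumptions.
- name: Restrict the MySQL init-script directory to its owner only
  ansible.builtin.file:
    path: /opt/Docker-CommunityServer/config/mysql/docker-entrypoint-initdb.d
    state: directory
    owner: root   # assumed: the container reads this directory as root
    group: root
    mode: "0700"
  become: true

- name: Render the init SQL (contains passwords) as an owner-only file
  ansible.builtin.template:
    src: onlyoffice-initdb.sql.j2
    dest: /opt/Docker-CommunityServer/config/mysql/docker-entrypoint-initdb.d/onlyoffice-initdb.sql
    owner: root
    group: root
    mode: "0600"
  become: true
  no_log: true   # a --diff run would otherwise echo the passwords into the log

- name: Collect the modes of everything inside the init directory
  ansible.builtin.find:
    paths: /opt/Docker-CommunityServer/config/mysql/docker-entrypoint-initdb.d
    file_type: any
  register: workspace_initdb_files   # variable name assumed
  become: true

# The find module reports mode as a string such as "0600"; anything with group or
# other bits set (e.g. "0644") fails the run instead of silently shipping.
- name: Fail if any init file is readable by group or others
  ansible.builtin.assert:
    that:
      - workspace_initdb_files.files | rejectattr('mode', 'match', '^0?[0-7]00$') | list | length == 0
    fail_msg: "A file under docker-entrypoint-initdb.d is readable by other users"
```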
### 4. Nginx Network Dependency

- Observation: The Nginx compose file expects an external network named `onlyoffice`.
- Risk: If the ONLYOFFICE role runs after the Nginx role, the network might not exist yet. If the Nginx role runs first, it might fail if the network doesn't exist.
- Recommendation: Ensure the `onlyoffice` network is created by the ONLYOFFICE role (in `docker-compose.yml`) and that the Nginx role is aware of it, or explicitly create the network in a shared task before both roles run.
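The "shared task before both roles" option, as an added example that is not the role's own code: the network is created idempotently in `pre_tasks` so that both compose files can declare it as external regardless of role order. The host group `workspace` and the registered variable name are assumptions; the role names are the ones mentioned in this analysis.

```yaml
# Added example, not the role's own code. Creates the shared network once,
# before either role runs; host group and register name are assumptions.
- hosts: workspace
  become: true
  pre_tasks:
    - name: Ensure the shared Docker network exists (no-op if already present)
      community.docker.docker_network:
        name: onlyoffice
        state: present

    - name: Look the network up so a missing one fails here, not inside compose
      community.docker.docker_network_info:
        name: onlyoffice
      register: workspace_onlyoffice_net   # variable name assumed

    - name: Stop before any compose stack starts if the network is absent
      ansible.builtin.assert:
        that: workspace_onlyoffice_net.exists
        fail_msg: "Docker network 'onlyoffice' is missing; nothing was started"
  roles:
    - onlyoffice_workspace
    - docker-certbot-proxy

# Both compose files can then reference the pre-created network as external:
#
#   networks:
#     onlyoffice:
#       external: true
#
# so neither role tries to create it and neither fails because the other
# has not run yet.
```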
### 5. Variable Naming Consistency

- Observation: There is a mix of variable naming styles:
  - `workspace_onlyoffice_controlpanel_docker_tag`
  - `workspace_docker_hub_onlyoffice_controlpanel_auth`
  - `workspace_compose_containers`
- Recommendation: While not a functional error, standardizing the prefix (e.g., `onlyoffice_` or `workspace_`) improves readability.
## 4. Summary of Key Variables

To run this role successfully, the following variables (likely defined in `group_vars` or `host_vars`) must be present:

* `workspace`: Boolean to enable the role.
* `workspace_verify`: Boolean to enable tag verification.
* `workspace_onlyoffice_controlpanel_docker_tag`: The specific version tag to deploy.
* `workspace_onlyoffice_controlpanel_docker_tag_latest`: Boolean to enforce latest version.
* `workspace_mysql_root_password`, `workspace_mysql_onlyoffice_user_password`, `workspace_mysql_mail_admin_password`: Database credentials.
* `workspace_port`: The internal port for ONLYOFFICE.
* `panel_fqdn`: The FQDN for the Nginx reverse proxy.
* `workspace_docker_compose`: The dictionary defining the Docker Compose services (likely populated by a separate task or variable file).
## 5. Conclusion
This is a robust Ansible role that correctly handles the complexity of deploying a multi-container application with database initialization and SSL termination. The primary areas for improvement are the Docker tag filtering logic (which might be too strict) and the Git stash handling (which adds complexity that might not be needed). The integration with the external Nginx stack is well-structured, assuming the network dependencies are managed correctly.