commit fbc6af6134e430e0da64459f3d3b3c7dfc961dbd Author: Mike Holloway Date: Fri Nov 28 22:39:22 2025 -0500 Initial Commit - Semaphore testing after podman-host
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..a5091e6
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,52 @@
+galaxy_info:
+ author: Mike Holloway
+ description: Technical Consultant
+ company: EquilibrateIT Inc.
+
+ # If the issue tracker for your role is not on github, uncomment the
+ # next line and provide a value
+ # issue_tracker_url: http://example.com/issue/tracker
+
+ # Choose a valid license ID from https://spdx.org - some suggested licenses:
+ # - BSD-3-Clause (default)
+ # - MIT
+ # - GPL-2.0-or-later
+ # - GPL-3.0-only
+ # - Apache-2.0
+ # - CC-BY-4.0
+ license: BSD-3-Clause
+
+ min_ansible_version: 2.1
+
+ # If this a Container Enabled role, provide the minimum Ansible Container version.
+ # min_ansible_container_version:
+
+ #
+ # Provide a list of supported platforms, and for each platform a list of versions.
+ # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+ # To view available platforms and versions (or releases), visit:
+ # https://galaxy.ansible.com/api/v1/platforms/
+ #
+ # platforms:
+ # - name: Fedora
+ # versions:
+ # - all
+ # - 25
+ # - name: SomePlatform
+ # versions:
+ # - all
+ # - 1.0
+ # - 7
+ # - 99.99
+
+ galaxy_tags: []
+ # List tags for your role here, one per line. A tag is a keyword that describes
+ # and categorizes the role. Users find roles by searching for tags. Be sure to
+ # remove the '[]' above, if you add tags to this list.
+ #
+ # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+ # Maximum 20 tags per role.
+
+dependencies: []
+ # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+ # if you add dependencies to this list.
diff --git a/tasks/certificates.yml b/tasks/certificates.yml
new file mode 100644
index 0000000..32e59cb
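Review bot: `min_ansible_version: 2.1` is the galaxy-init default left in place and, unquoted, parses as a float; Galaxy expects a string, and the role's use of the `containers.podman` collection in tasks/containers.yml needs a collection-aware Ansible, so `min_ansible_version: "2.9"` (or whatever version the role is actually tested against) is the honest minimum. The remaining keys are untouched template scaffolding (`galaxy_tags: []`, the commented platforms block); either fill them in for the Podman/Fedora targets the tasks assume or drop the commented-out examples so the file states only what is true of this role.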
--- /dev/null
+++ b/tasks/certificates.yml
@@ -0,0 +1,4 @@
+# step ca certificate "ca.equilibrateit.test" ca.equilibrateit.test.crt ca.equilibrateit.test.key
+# chown 100999:100999 ~stepca/nginx/certs/ca.equilibrateit.test.*
+# manual standup passes test
+# curl --connect-to ca.equilibrateit.test:4443:localhost:4443 https://ca.equilibrateit.test:4443/health
diff --git a/tasks/containers.yml b/tasks/containers.yml
new file mode 100644
index 0000000..ca437ad
--- /dev/null
+++ b/tasks/containers.yml
@@ -0,0 +1,53 @@
+- name: Container tasks
+ block:
+ - name: Pod State created
+ containers.podman.podman_pod:
+ name: "pod_nextcloud"
+ state: created
+ share: ipc,uts
+ hostname: "{{ ansible_host }}"
+ restart_policy: always
+
+ - name: nextcloud Container State created
+ containers.podman.podman_container:
+ name: "nextcloud_app_1"
+ state: created
+ pod: "pod_nextcloud"
+ image: "docker.io/nextcloud/nextcloud:stable-fpm"
+ network: bridge
+ ports:
+ - 9000:9000
+ volumes:
+ - "/home/{{ user.name }}/nextcloud/data:/home/step"
+ env:
+ VIRTUAL_HOST_MULTIPORTS: "{{ lookup('ansible.builtin.template','nextcloud_multiports.json.j2')}}"
+ VIRTUAL_PROTO: "https"
+
+ - name: NGINX Proxy Container State created
+ containers.podman.podman_container:
+ name: "nextcloud_nginx-proxy_1"
+ state: created
+ pod: "pod_nextcloud"
+ image: "docker.io/nginxproxy/nginx-proxy:latest"
+ network: bridge
+ ports:
+ - 8080:80
+ - 4443:443
+ volumes:
+ - "/home/{{ user.name }}/nginx/html:/usr/share/nginx/html"
+ - "/home/{{ user.name }}/nginx/nextcloud_internal_vhost:/etc/nginx/vhost.d/{{ ansible_host }}_location"
+ - "/home/{{ user.name }}/nginx/certs:/etc/nginx/certs"
+ - "/run/user/{{ getent_passwd[user.name][2] }}/podman/podman.sock:/tmp/docker.sock:ro"
+
+ - name: Container State started
+ containers.podman.podman_container:
+ name: "{{ container_to_start }}"
+ state: started
+ pod: "pod_nextcloud"
+ with_items:
+ - "nextcloud_app_1"
+ - "nextcloud_nginx-proxy_1"
+ tags:
+ - init
+ loop_control:
+ loop_var: "container_to_start"
diff --git a/tasks/files.yml b/tasks/files.yml
new file mode 100644
index 0000000..9f78c0b
--- /dev/null
+++ b/tasks/files.yml
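Review bot: `- 9000:9000` on `nextcloud_app_1` publishes the php-fpm FastCGI listener on every host interface, although its only consumer is the nginx-proxy container in the same pod, which already reaches it on localhost through the shared pod network; php-fpm performs no authentication of FastCGI clients, so drop the `ports:` entry for this container or at least bind it as `- "127.0.0.1:9000:9000"`. The `:ro` on `podman.sock:/tmp/docker.sock:ro` does not constrain the API — socket I/O is not a filesystem write — so the proxy container can create, start and exec into any of this user's containers, which is acceptable only if that container is trusted as much as the user's Podman itself; the usual mitigation is a socket-filtering proxy that exposes just the read endpoints nginx-proxy needs. The bind mount `/home/{{ user.name }}/nextcloud/data:/home/step` looks like a leftover from a step-ca container definition (the commit message mentions podman-host and tasks/certificates.yml refers to `~stepca`); the Nextcloud fpm image keeps its data under `/var/www/html`, so as written the data volume is never used — please confirm the intended container path. `VIRTUAL_PROTO: "https"` asks nginx-proxy to speak TLS to port 9000, which is a FastCGI listener; nginx-proxy documents a `fastcgi` value for this case — check the pinned image's docs. The block is contained in this hunk; nothing continues outside it.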
@@ -0,0 +1,21 @@
+- name: Container Path data State directory
+ file:
+ path: "/home/{{ user.name }}/nextcloud/data"
+ state: directory
+ owner: "100999"
+ group: "100999"
+
+- name: Container Path certs State directory
+ file:
+ path: "/home/{{ user.name }}/nginx/certs"
+ state: directory
+ owner: "100999"
+ group: "100999"
+
+- name: Container Path html State directory
+ file:
+ path: "/home/{{ user.name }}/nginx/html"
+ state: directory
+ owner: "100999"
+ group: "100999"
+
diff --git a/tasks/firewall.yml b/tasks/firewall.yml
new file mode 100644
index 0000000..ad08ca5
--- /dev/null
+++ b/tasks/firewall.yml
@@ -0,0 +1,23 @@
+- name: Root port forwards for web traffic.
+ firewalld:
+ rich_rule: "{{ item }}"
+ zone: public
+ permanent: true
+ immediate: true
+ state: enabled
+ with_items:
+ - "rule family=ipv4 forward-port port=80 protocol=tcp to-port=8080"
+ - "rule family=ipv4 forward-port port=443 protocol=tcp to-port=4443"
+
+ firewalld:
+ rich_rule: "{{ item }}"
+ zone: trusted
+ permanent: true
+ immediate: true
+ state: enabled
+ with_items:
+ - "rule family=ipv4 forward-port port=80 protocol=tcp to-port=8080"
+ - "rule family=ipv4 forward-port port=443 protocol=tcp to-port=4443"
+
+- command:
+ cmd: "firewall-cmd --reload"
diff --git a/tasks/include-vars.yml b/tasks/include-vars.yml
new file mode 100644
index 0000000..0a70e50
--- /dev/null
+++ b/tasks/include-vars.yml
@@ -0,0 +1,8 @@
+---
+- name: Load a variable file based on the OS type, or a default if not found.
+ include_vars: "{{ item }}"
+ with_first_found:
+ - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yml"
+ - "{{ ansible_distribution }}.yml"
+ - "{{ ansible_os_family }}.yml"
+ - "default.yml"
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..32b9c14
--- /dev/null
+++ b/tasks/main.yml
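Review bot: None of the three `file:` tasks sets `mode`, so the directories get whatever the remote umask yields; `nginx/certs` is where tasks/certificates.yml expects the TLS private key to live and `nextcloud/data` holds user data, so their permissions should be stated explicitly rather than inherited. The uid `"100999"` is hard-coded in all three tasks and again in tasks/certificates.yml — presumably the subordinate uid a container user maps to — and belongs in one variable with a comment saying which container user it corresponds to; chowning into a subuid range also needs `become`, which is not visible in this hunk. The three tasks differ only in the path, so one looped task keeps them in step and makes the per-directory mode visible; the modes below are starting points to confirm against what the in-container nginx worker needs to read.
```yaml
- name: Container Path State directory
  file:
    path: "/home/{{ user.name }}/{{ item.path }}"
    state: directory
    owner: "100999"  # TODO(review): move to a role variable naming the mapped container user
    group: "100999"
    mode: "{{ item.mode }}"
  loop:
    - { path: nextcloud/data, mode: "0750" }
    - { path: nginx/certs, mode: "0750" }
    - { path: nginx/html, mode: "0755" }
```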
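Review bot: The second `firewalld:` in tasks/firewall.yml (hunk line 12) is not introduced by a `- name:` item, so unless the indentation lost in this view places it elsewhere it sits in the same task mapping as the first `firewalld:`/`with_items:`; by default Ansible's loader keeps the last duplicate key and only warns, so the `public` zone forward rules would never be applied and only the `trusted` zone would get them — which silently breaks the port 80/443 reachability this file exists to provide. Start a second task with `- name: Trusted zone port forwards for web traffic.` above it, or loop one task over both zones with `loop` and `zone: "{{ item.zone }}"`. The trailing `command: firewall-cmd --reload` is redundant with `permanent: true` plus `immediate: true` and reports `changed` on every run; drop it, or add `changed_when: false` if a reload is really wanted.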
@@ -0,0 +1,25 @@
+---
+# tasks file for podman_nextcloud
+- import_tasks: include-vars.yml
+
+#- import_tasks: packages.yml
+
+- import_tasks: firewall.yml
+ when: '"molecule" not in group_names'
+
+- name: Parse passwd
+ getent:
+ database: passwd
+
+- block:
+ - include_tasks: files.yml
+ with_items:
+ - "{{ service_users }}"
+ loop_control:
+ loop_var: "user"
+ - include_tasks: containers.yml
+ with_items:
+ - "{{ service_users }}"
+ loop_control:
+ loop_var: "user"
+ when: '"nextcloud" in user.services'
diff --git a/tasks/packages.yml b/tasks/packages.yml
new file mode 100644
index 0000000..85a37a9
--- /dev/null
+++ b/tasks/packages.yml
@@ -0,0 +1,18 @@
+- name: RPM fetch
+ get_url:
+ url: https://github.com/smallstep/cli/releases/download/v0.28.2/step-cli_amd64.rpm
+ checksum: sha256:https://github.com/smallstep/cli/releases/download/v0.28.2/checksums.txt
+ dest: /tmp/
+ register: client_rpm
+
+- name: RPM State present
+ dnf:
+ name: "{{ client_rpm.dest }}"
+ state: present
+ disable_gpg_check: True
+ when: '"OK" in client_rpm.msg'
+
+- name: Required Host Packages State latest
+ dnf:
+ name: openssl
+ state: latest
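Review bot: The final `when: '"nextcloud" in user.services'` in tasks/main.yml references the loop variable `user`, which only exists inside the two `include_tasks` loops, and with the indentation lost in this view it is not clear whether it belongs to the block or to the second include. If it is on the block, `user` is undefined when the condition is evaluated and the block fails; if it is only on the containers include, `files.yml` still creates directories for every entry of `service_users`. Attaching `when: '"nextcloud" in user.services'` to each `include_tasks` next to its `loop_control` gives the intended per-user filter either way. `with_items:` with a single `"{{ service_users }}"` item relies on one level of flattening; `loop: "{{ service_users }}"` says the same thing directly. tasks/packages.yml is added in this commit but its import is commented out (`#- import_tasks: packages.yml`), so either wire it in or record why the step-cli RPM is not needed by this role.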
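Review bot: `disable_gpg_check: True` in tasks/packages.yml removes the only origin check that survives the download: the `sha256:...checksums.txt` reference fetches the checksum from the same release URL as the RPM, so it proves integrity in transit but not that the release itself is genuine; if smallstep publishes a signing key or package repository, install from that with GPG checking left on, otherwise add a comment stating that the release checksum is the accepted trust boundary. `dest: /tmp/` parks the verified RPM in a shared world-readable directory between the two tasks; a directory under `{{ ansible_env.HOME }}` or the result of a `tempfile` task is a better home. `when: '"OK" in client_rpm.msg'` keys on a human-readable message that differs on a re-run when the file is already present; the `dnf` task is idempotent on its own, so drop the `when`, and write the flag as `disable_gpg_check: true` in either case. `state: latest` for openssl upgrades the package whenever an update exists, which makes the role a patching step; `present` is the usual choice unless that is intended.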