ISTI-ansible-roles
/
ansible-role-nextcloud
4
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Import the old nextcloud role.

This commit is contained in:
Andrea Dell'Amico 2020-06-03 20:32:37 +02:00
parent aec36c59ec
commit a88aaaae08
8 changed files with 399 additions and 68 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
README.md
View File

@ -1,31 +1,32 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
A role that installs nextcloud.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
The most important variables are listed below:
``` yaml
nextcloud_version: 18.0.4
nextcloud_dist_filename: 'nextcloud-{{ nextcloud_version }}.tar.bz2'
nextcloud_download_url: 'https://download.nextcloud.com/server/releases/{{ nextcloud_dist_filename }}'
nextcloud_local_redis: True
nextcloud_local_memcache: False
nextcloud_local_postgresql: True
nextcloud_encryption_enabled: True
nextcloud_ldap_auth: False
```
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
* php-fpm
* nginx
* postgresl
* memcached
* redis
License
-------
@ -35,4 +36,4 @@ EUPL-1.2
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
Andrea Dell'Amico, <andrea.dellamico@isti.cnr.it>

33
defaults/main.yml
View File

@ -1,2 +1,33 @@
---
# defaults file for ansible-role-template
nextcloud_version: 18.0.4
nextcloud_dist_filename: 'nextcloud-{{ nextcloud_version }}.tar.bz2'
nextcloud_download_url: 'https://download.nextcloud.com/server/releases/{{ nextcloud_dist_filename }}'
nextcloud_local_redis: True
nextcloud_local_memcache: False
nextcloud_local_postgresql: True
nextcloud_web_basedir: /var/www
nextcloud_web_root: '{{ nextcloud_web_basedir }}/nextcloud'
nextcloud_data_base_dir: /srv
nextcloud_data_dir: '{{ nextcloud_data_base_dir }}/nextcloud/data'
nextcloud_oc_dir: '{{ nextcloud_data_base_dir }}/nextcloud/oc_keys'
nextcloud_servername: '{{ ansible_fqdn }}'
nextcloud_servernames:
- { webroot: '{{ nextcloud_web_root }}', id: 1, name: '{{ nextcloud_servername }}' }
nextcloud_user: nextcloud
nextcloud_db: pgsql
nextcloud_db_host: localhost
nextcloud_db_name: nextcloud
nextcloud_db_user: nextcloud_u
#nextcloud_db_pwd: 'Use a vault file'
nextcloud_admin_user: nc_admin
#nextcloud_admin_u_pwd: 'Use a vault file'
nextcloud_encryption_enabled: True
nextcloud_ldap_auth: False
nextcloud_phpfpm_default_memory_limit: "512M"
php_global_settings: '{{ nextcloud_php_global_settings }}'
phpfpm_pools: '{{ nextcloud_phpfpm_pools }}'

80
meta/main.yml
View File

@ -1,61 +1,47 @@
galaxy_info:
author: your name
description: your description
author: Andrea Dell'Amico
description: Systems Architect
company: ISTI-CNR
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning
# Some suggested licenses:
# - BSD (default)
# - MIT
# - GPLv2
# - GPLv3
# - Apache
# - CC-BY
license: EUPL-1.2
license: EUPL 1.2+
min_ansible_version: 2.8
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
# Optionally specify the branch Galaxy will use when accessing the GitHub
# repo for this role. During role install, if no tags are available,
# Galaxy will use this branch. During import Galaxy will access files on
# this branch. If Travis integration is configured, only notifications for this
# branch will be accepted. Otherwise, in all cases, the repo's default branch
# (usually master) will be used.
#github_branch:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
platforms:
- name: Ubuntu
versions:
- bionic
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
galaxy_tags:
- users
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
dependencies:
- src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-postgresql.git
version: master
name: postgresql
state: latest
when: nextcloud_local_postgresql
- src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-php-fpm.git
version: master
name: php-fpm
state: latest
- src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-nginx.git
version: master
name: nginx
state: latest
- src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-redis.git
version: master
name: redis
state: latest
when: nextcloud_local_redis
- src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-memcached.git
version: master
name: memcached
state: latest
when: nextcloud_local_memcached

3
tasks/main.yml
View File

@ -1,2 +1,3 @@
---
# tasks file for ansible-role-template
- import_tasks: nextcloud-nginx.yml
- import_tasks: nextcloud-install.yml

89
tasks/nextcloud-install.yml Normal file
View File

@ -0,0 +1,89 @@
---
- block:
- name: Install the nextcloud php prerequisites
apt: name={{ nextcloud_php_required_packages }} state=present cache_valid_time=1800
tags: [ 'nextcloud', 'php', 'php-fpm' ]
- block:
- name: Create the nextcloud webroot
file: dest={{ nextcloud_web_basedir }} owner=root group=root state=directory
- name: Create the nextcloud data directory
file: dest={{ nextcloud_data_dir }} state=directory owner={{ item.user }} group={{ item.user }}
with_items: '{{ phpfpm_pools }}'
- name: Get nextcloud
get_url: url={{ nextcloud_download_url }} dest=/srv/{{ nextcloud_dist_filename }}
- name: Unpack the nextcloud archive
unarchive: remote_src=yes src=/srv/{{ nextcloud_dist_filename }} dest={{ nextcloud_web_basedir }} owner={{ item.user }} group={{ item.user }}
args:
creates: '{{ item.doc_root }}/index.php'
with_items: '{{ phpfpm_pools }}'
tags: [ 'nextcloud' ]
- block:
- name: Configure the nextcloud instance
shell: cd {{ item.doc_root }} ; php occ maintenance:install --database="{{ nextcloud_db }}" --database-host "{{ nextcloud_db_host }}" --database-name "{{ nextcloud_db_name }}" --database-user "{{ nextcloud_db_user }}" --database-pass "{{ nextcloud_db_pwd }}" --admin-user "{{ nextcloud_admin_user }}" --admin-pass "{{ nextcloud_admin_u_pwd }}" --data-dir={{ nextcloud_data_dir }} ; touch {{ nextcloud_data_dir }}/.ht_nextcloud_setup
args:
creates: '{{ nextcloud_data_dir }}/.ht_nextcloud_setup'
with_items: '{{ phpfpm_pools }}'
- name: Set the trusted domains list
shell: cd {{ item.webroot }} ; php occ config:system:set trusted_domains {{ item.id }} --value={{ item.name }} ; touch {{ nextcloud_data_dir }}/.ht_nextcloud_trusted_domains
args:
creates: '{{ nextcloud_data_dir }}/.ht_nextcloud_trusted_domains'
with_items: '{{ nextcloud_servernames }}'
- name: Setup the cron configuration
shell: cd {{ item.webroot }} ; php occ background:cron ; touch {{ nextcloud_data_dir }}/.ht_nextcloud_cron
args:
creates: 'touch {{ nextcloud_data_dir }}/.ht_nextcloud_cron'
with_items: '{{ nextcloud_servernames }}'
tags: [ 'nextcloud', 'nextcloud_config_cron' ]
- name: Install the nextcloud cron job
cron: user={{ item.user }} minute="*/15" job="php -f {{ item.doc_root }}/cron.php" name="NextCloud cron job"
with_items: '{{ phpfpm_pools }}'
tags: [ 'nextcloud', 'nextcloud_config_cron' ]
become: True
become_user: '{{ nextcloud_user }}'
tags: [ 'nextcloud', 'nextcloud_config' ]
- block:
- name: Create the nextcloud encryption keys directory
become_user: root
file: dest={{ nextcloud_oc_dir }} state=directory owner={{ item.user }} group={{ item.user }}
with_items: '{{ phpfpm_pools }}'
- name: Activate global encryption
shell: cd {{ item.doc_root }} ; php occ app:enable encryption ; php occ encryption:enable ; php occ encryption:enable-master-key ; php occ encryption:change-key-storage-root {{ nextcloud_oc_dir }} ; touch {{ nextcloud_oc_dir }}/.ht_nextcloud_oc
args:
creates: '{{ nextcloud_oc_dir }}/.ht_nextcloud_oc'
with_items: '{{ phpfpm_pools }}'
become: True
become_user: '{{ nextcloud_user }}'
when: nextcloud_encryption_enabled
tags: [ 'nextcloud', 'nextcloud_config', 'nextcloud_config_oc' ]
- block:
- name: Enable ldap
shell: cd {{ item.doc_root }} ; php occ app:enable user_ldap ; touch {{ item.doc_root }}/.ht_nextcloud_ldap_enabled
args:
creates: '{{ item.doc_root }}/.ht_nextcloud_ldap_enabled'
with_items: '{{ phpfpm_pools }}'
- name: Create an empty ldap configuration to start with
shell: cd {{ item.doc_root }} ; php occ ldap:create-empty-config ; touch {{ item.doc_root }}/.ht_nextcloud_ldap_configured
args:
creates: '{{ item.doc_root }}/.ht_nextcloud_ldap_configured'
with_items: '{{ phpfpm_pools }}'
become: True
become_user: '{{ nextcloud_user }}'
when: nextcloud_ldap_auth
tags: [ 'nextcloud', 'nextcloud_config', 'nextcloud_config_ldap' ]

17
tasks/nextcloud-nginx.yml Normal file
View File

@ -0,0 +1,17 @@
---
- block:
- name: Install the nginx virtualhosts
template: src=nginx-virthost.conf dest=/etc/nginx/sites-available/{{ item.virthost }} owner=root group=root mode=0444
with_items: '{{ phpfpm_pools }}'
notify: Reload nginx
- name: Enable the nginx virtualhosts
file: src=/etc/nginx/sites-available/{{ item.virthost }} dest=/etc/nginx/sites-enabled/{{ item.virthost }} state=link
with_items: '{{ phpfpm_pools }}'
notify: Reload nginx
- name: Create the nginx body temp directory
file: dest={{ nginx_client_body_temp_dir }} state=directory owner=www-data group=www-data mode=1700
when: nginx_client_body_temp_dir is defined
tags: [ 'nginx', 'virtualhost', 'nextcloud' ]

160
templates/nginx-virthost.conf Normal file
View File

@ -0,0 +1,160 @@
upstream php-handler {
server {{ item.listen }};
#server unix:/var/run/php5-fpm.sock;
}
server {
listen 80;
listen [::]:80;
server_name {{ item.nginx_servername }};
# enforce https
location ~ /\.(?!well-known).* {
deny all;
access_log off;
log_not_found off;
return 404;
}
include /etc/nginx/snippets/letsencrypt-proxy.conf;
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name {{ item.nginx_servername }};
include /etc/nginx/snippets/nginx-server-ssl.conf;
server_tokens off;
# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this
# topic first.
add_header Strict-Transport-Security "max-age=15768000";
# includeSubDomains; preload;";
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
# Path to the root of your installation
root {{ item.doc_root }};
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
# last;
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
# set max upload size
client_max_body_size 512M;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
location / {
rewrite ^ /index.php;
}
location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
deny all;
}
location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
fastcgi_split_path_info ^(.+\.php)(/.*)$;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
#Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ ^/(?:updater|ocs-provider)(?:$|/) {
try_files $uri/ =404;
index index.php;
}
# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~ \.(?:css|js|woff|svg|gif|map)$ {
try_files $uri /index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
# Add headers to serve security related headers (It is intended to
# have those duplicated to the ones above)
# Before enabling Strict-Transport-Security headers please read into
# this topic first.
# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Optional: Don't log access to assets
access_log off;
}
location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
try_files $uri /index.php$request_uri;
# Optional: Don't log access to other assets
access_log off;
}
}

48
vars/main.yml
View File

@ -1,2 +1,48 @@
---
# vars file for ansible-role-template
nginx_use_common_virthost: False
phpfpm_default_user: '{{ nextcloud_user }}'
phpfpm_default_pool_name: nextcloud
redis_install: True
http_port: 80
https_port: 443
php_version: 7.4
nextcloud_php_required_packages:
- 'php{{ php_version }}-gd'
- 'php{{ php_version }}-json'
- 'php{{ php_version }}-ldap'
- 'php{{ php_version }}-{{ nextcloud_db }}'
- 'php{{ php_version }}-xml'
- 'php{{ php_version }}-mbstring'
- 'php{{ php_version }}-intl'
- 'php{{ php_version }}-curl'
- 'php{{ php_version }}-zip'
- 'php{{ php_version }}-bz2'
- 'php{{ php_version }}-gmp'
- 'php-imagick'
- 'php-redis'
- 'php-apcu'
nextcloud_php_global_settings:
- { option: 'always_populate_raw_post_data', value: '-1' }
- { option: 'allow_url_fopen', value: 'on' }
- { option: 'max_execution_time', value: '240' }
- { option: 'memory_limit', value: '{{ phpfpm_default_memory_limit }}' }
- { option: 'max_input_vars', value: '1400' }
- { option: 'post_max_size', value: '32M' }
- { option: 'upload_max_filesize', value: '32M' }
- { option: 'opcache.enable', value: '1' }
- { option: 'opcache.enable_cli', value: '1' }
- { option: 'opcache.interned_strings_buffer', value: '8' }
- { option: 'opcache.max_accelerated_files', value: '10000' }
- { option: 'opcache.memory_consumption', value: '128' }
- { option: 'opcache.save_comments', value: '1' }
- { option: 'opcache.revalidate_freq', value: '1' }
php_cli_global_settings: '{{ php_global_settings }}'
nextcloud_phpfpm_pools:
- { pool_name: '{{ phpfpm_default_pool_name }}', app_context: '{{ phpfpm_default_context }}', user: '{{ phpfpm_default_user }}', group: '{{ phpfpm_default_group }}', listen: '{{ phpfpm_default_listen }}', allowed_clients: '{{ phpfpm_default_allowed_clients }}', pm: '{{ phpfpm_default_pm }}', pm_max_children: '{{ phpfpm_default_pm_max_children }}', pm_start_servers: '{{ phpfpm_default_pm_start_servers }}', pm_min_spare: '{{ phpfpm_default_pm_min_spare_servers }}', pm_max_spare: '{{ phpfpm_default_pm_max_spare_servers }}', pm_max_requests: '{{ phpfpm_default_pm_max_requests }}', pm_status_enabled: '{{ phpfpm_default_pm_status_enabled }}', pm_status_path: '{{ phpfpm_default_pm_status_path }}', ping_enabled: '{{ phpfpm_default_ping_enabled }}', ping_path: '{{ phpfpm_default_ping_path }}', ping_response: '{{ phpfpm_default_ping_response }}', display_errors: '{{ phpfpm_default_display_errors }}', log_errors: '{{ phpfpm_default_log_errors }}', memory_limit: '{{ nextcloud_phpfpm_default_memory_limit }}', slowlog_timeout: '{{ phpfpm_default_slowlog_timeout }}', rlimit_files: '{{ phpfpm_default_rlimit_files }}', php_extensions: '{{ phpfpm_default_extensions }}', define_custom_variables: '{{ phpfpm_default_define_custom_variables }}', doc_root: '{{ nextcloud_web_root }}', req_term_timeout: '240s', virthost: '{{ nextcloud_servername }}', nginx_servername: '{{ nextcloud_servername }}' }