From 2a161df7bb7f273df77098d916f175eaf4e87bb4 Mon Sep 17 00:00:00 2001
From: "Andreas B. Mundt" 
Date: Mon, 13 Jan 2020 20:44:10 +0100
Subject: [PATCH] Implement nextcloud role.
---
 README | 2 +-
 roles/nextcloud/defaults/main.yml | 6 +
 roles/nextcloud/files/krb5-nextcloud.conf | 27 ++++
 roles/nextcloud/files/nextcloud.conf | 15 +++
 roles/nextcloud/handlers/main.yml | 11 ++
 roles/nextcloud/tasks/main.yml | 151 ++++++++++++++++++++++
 6 files changed, 211 insertions(+), 1 deletion(-)
 create mode 100644 roles/nextcloud/defaults/main.yml
 create mode 100644 roles/nextcloud/files/krb5-nextcloud.conf
 create mode 100644 roles/nextcloud/files/nextcloud.conf
 create mode 100644 roles/nextcloud/handlers/main.yml
 create mode 100644 roles/nextcloud/tasks/main.yml
diff --git a/README b/README
index e3506a9..490c984 100644
--- a/README
+++ b/README
@@ -63,7 +63,7 @@ Kerberox • run ansible: ssh-copy-id ansible@1.2.3.4
- ansible-playbook installbox.yml -v --become --ask-become-pass -u ansible -i 1.2.3.4,
+ ansible-playbook kerberox.yml -v --become --ask-become-pass -u ansible -i 1.2.3.4,
 Kerberox and installbox provide a local ansible configuration space which can be used to install clients and/or to check/modify the local
diff --git a/roles/nextcloud/defaults/main.yml b/roles/nextcloud/defaults/main.yml
new file mode 100644
index 0000000..4b8122f
--- /dev/null
+++ b/roles/nextcloud/defaults/main.yml
@@ -0,0 +1,6 @@
+db_nextcloud_pwd: "{{ lookup('password', '/tmp/db-nextcloud.pwd length=24') }}"
+nc_admin_pwd: "{{ lookup('password', '/tmp/nc-admin.pwd length=24') }}"
+nc_admin_pwd_file: "/root/nc-admin.pwd"
+www_root: "/var/www"
+nc_dir: "{{ www_root }}/nextcloud"
+data_dir: "/var/nc-data"
diff --git a/roles/nextcloud/files/krb5-nextcloud.conf b/roles/nextcloud/files/krb5-nextcloud.conf
new file mode 100644
index 0000000..3b84912
--- /dev/null
+++ b/roles/nextcloud/files/krb5-nextcloud.conf
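Review bot: Both `lookup('password', '/tmp/…')` calls keep the only copy of the generated database and admin passwords in the controller's /tmp, a shared directory that is normally cleared on reboot. If that file is gone on a later run, the lookup generates a fresh password, `mysql_user` in tasks/main.yml updates the MariaDB user to it, but the occ install step is skipped by its `creates:` guard, so the password recorded in Nextcloud's config.php no longer matches and the instance stops working. A per-host path inside the playbook tree, e.g. `db_nextcloud_pwd: "{{ lookup('password', 'credentials/' + inventory_hostname + '/db-nextcloud.pwd length=24') }}"` (example path), keeps the secret with the inventory instead of in a world-writable directory; the same applies to `nc_admin_pwd`.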
@@ -0,0 +1,27 @@
+Alias /nextcloud "/var/www/nextcloud/"
+
+ AuthType GSSAPI
+ AuthName "Login to NextCloud"
+ GssapiAllowedMech krb5
+ GssapiLocalName On
+ GssapiCredStore keytab:/etc/krb5.keytab.http
+ GssapiUseSessions On
+ GssapiNegotiateOnce On
+ GssapiBasicAuth On
+ require valid-user
+
+
+ Require all granted
+ Options FollowSymlinks MultiViews
+ AllowOverride All
+
+ Dav off
+
+ SetEnv HOME /var/www/nextcloud
+ SetEnv HTTP_HOME /var/www/nextcloud
+
+
diff --git a/roles/nextcloud/files/nextcloud.conf b/roles/nextcloud/files/nextcloud.conf
new file mode 100644
index 0000000..8996eac
--- /dev/null
+++ b/roles/nextcloud/files/nextcloud.conf
@@ -0,0 +1,15 @@
+Alias /nextcloud "/var/www/nextcloud/"
+
+
+ Require all granted
+ Options FollowSymlinks MultiViews
+ AllowOverride All
+
+
+ Dav off
+
+
+ SetEnv HOME /var/www/nextcloud
+ SetEnv HTTP_HOME /var/www/nextcloud
+
+
diff --git a/roles/nextcloud/handlers/main.yml b/roles/nextcloud/handlers/main.yml
new file mode 100644
index 0000000..9d2f7c6
--- /dev/null
+++ b/roles/nextcloud/handlers/main.yml
@@ -0,0 +1,11 @@
+- name: restart apache2
+ systemd:
+ name: apache2
+ state: restarted
+ listen: "restart apache2"
+
+- name: restart php-fpm
+ systemd:
+ name: php{{ php_ver.stdout }}-fpm
+ state: restarted
+ listen: "restart php-fpm"
diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml
new file mode 100644
index 0000000..d88f095
--- /dev/null
+++ b/roles/nextcloud/tasks/main.yml
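Review bot: `krb5-nextcloud.conf` is added under files/ but nothing in tasks/main.yml deploys it (only nextcloud.conf is copied), so the Kerberos variant is shipped unused and undocumented. It also sets `GssapiBasicAuth On`, which lets a client that cannot negotiate fall back to HTTP Basic and hand the user's Kerberos password to Apache; the enclosing tag lines are lost in this rendering, so I cannot tell whether the block is confined to the TLS vhost. If it is not, add `SSLRequireSSL` next to `require valid-user` or scope the Alias to the :443 VirtualHost; the plain nextcloud.conf hunk below raises the same question, because tasks/main.yml enables default-ssl.conf but an Alias in a sites-available file applies to every vhost unless scoped. A header comment stating the intended use would help, e.g. `# Kerberos (mod_auth_gssapi) SSO variant of nextcloud.conf; deploy in place of it, on the TLS vhost only`.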
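Review bot: `listen: "restart apache2"` and `listen: "restart php-fpm"` repeat each handler's own `name`, and `notify` already matches on the name, so the two `listen:` lines add nothing; drop them, or give them a distinct topic if several handlers are meant to share one. The php-fpm handler also depends on `php_ver` having been registered by the `find php version` task in the same play, which is not visible from the handlers file; a comment above it, `# php_ver is registered by tasks/main.yml (find php version)`, makes that coupling explicit.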
@@ -0,0 +1,151 @@
+## Install and configure nextcloud
+
+- name: install apache, php- and db-packages
+ apt:
+ name:
+ - apache2
+ - mariadb-server
+ - python3-pymysql
+ - php-apcu
+ - php-fpm
+ - php-curl
+ - php-gd
+ - php-imagick
+ - php-intl
+ - php-json
+ - php-ldap
+ - php-mbstring
+ - php-mysql
+ - php-xml
+ - php-zip
+ state: latest
+
+- name: disable apache modules
+ apache2_module:
+ state: absent
+ name: "{{ item }}"
+ with_items:
+ - mpm_prefork
+ - mpm_worker
+ notify: "restart apache2"
+
+- name: enable apache modules
+ apache2_module:
+ name: "{{ item }}"
+ with_items:
+ - proxy_fcgi
+ - mpm_event
+ - ssl
+ - http2
+ notify: "restart apache2"
+
+- name: find php version
+ shell: ls /etc/php/ | sort | tail -1
+ register: php_ver
+ changed_when: False
+
+- name: enable php-fpm conf
+ command: a2enconf php{{ php_ver.stdout }}-fpm
+ args:
+ creates: /etc/apache2/conf-enabled/php{{ php_ver.stdout }}-fpm.conf
+ notify: "restart apache2"
+
+- name: tune php-fpm
+ replace:
+ dest: /etc/php/{{ php_ver.stdout }}/fpm/pool.d/www.conf
+ regexp: "{{ item.regex }}"
+ replace: "{{ item.replace }}"
+ with_items:
+ - { regex: "^pm.max_children = .*$", replace: "pm.max_children = 120" }
+ - { regex: "^pm.start_servers = .*$", replace: "pm.start_servers = 12" }
+ - { regex: "^pm.min_spare_servers = .*$", replace: "pm.min_spare_servers = 6" }
+ - { regex: "^pm.max_spare_servers = .*$", replace: "pm.max_spare_servers = 18" }
+ notify: "restart php-fpm"
+
+- name: increase php memory limit
+ replace:
+ dest: "/etc/php/{{ php_ver.stdout }}/fpm/php.ini"
+ regexp: "^memory_limit = .*"
+ replace: "memory_limit = 512M"
+ notify: "restart apache2"
+
+- name: provide nextcloud site
+ copy:
+ src: nextcloud.conf
+ dest: /etc/apache2/sites-available/nextcloud.conf
+
+- name: enable https
+ command: a2ensite default-ssl.conf
+ args:
+ creates: /etc/apache2/sites-enabled/default-ssl.conf
+ notify: "restart apache2"
+
+- name: enable nextcloud site
+ command: a2ensite nextcloud.conf
+ args:
+ creates: /etc/apache2/sites-enabled/nextcloud.conf
+ notify: "restart apache2"
+
+- name: create a new database with name 'nextcloud'
+ mysql_db:
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+ name: nextcloud
+ state: present
+
+- name: create database user 'nextcloud'
+ mysql_user:
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+ name: nextcloud
+ password: "{{ db_nextcloud_pwd }}"
+ priv: 'nextcloud.*:ALL'
+ state: present
+
+- name: unpack nextcloud archive
+ unarchive:
+ src: nextcloud.tar.bz2
+ dest: "{{ www_root }}"
+ owner: www-data
+ group: www-data
+ creates: "{{ nc_dir }}"
+
+- name: make sure data directory exists
+ file:
+ path: "{{ data_dir }}"
+ state: directory
+ owner: www-data
+ group: www-data
+ recurse: yes
+
+- name: initialize nextcloud
+ command:
+ cmd: >
+ sudo -u www-data php occ maintenance:install
+ --database "mysql"
+ --database-name "nextcloud"
+ --database-user "nextcloud"
+ --database-pass "{{ db_nextcloud_pwd }}"
+ --admin-user "nc-admin"
+ --admin-pass "{{ nc_admin_pwd }}"
+ --data-dir "{{ data_dir }}"
+ args:
+ chdir: "{{ nc_dir }}"
+ creates: "{{ nc_dir }}/config/config.php"
+ no_log: true
+
+- name: dump nc-admin password
+ shell: echo -n "{{ nc_admin_pwd }}" > "{{ nc_admin_pwd_file }}" ; chmod 0600 "{{ nc_admin_pwd_file }}"
+ no_log: true
+ args:
+ creates: "{{ nc_admin_pwd_file }}"
+
+- name: enable APCu memcache
+ lineinfile:
+ dest: "{{ nc_dir }}/config/config.php"
+ line: " 'memcache.local' => '\\OC\\Memcache\\APCu',"
+ insertbefore: "'installed' => true,"
+
+- name: allow access from LAN
+ lineinfile:
+ dest: "{{ nc_dir }}/config/config.php"
+ line: " 1 => '192.168.*.*',"
+ insertafter: "0 => 'localhost',"
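Review bot: `dump nc-admin password` writes the secret with `shell: echo -n … > file ; chmod 0600 file`, which creates the file under the default umask first and tightens the mode only afterwards, and passes the password through a shell command line; `copy` with `content:` and `mode: "0600"` writes it with the right mode in one step and no shell, and `force: false` keeps the current create-once behaviour of the `creates:` guard. The two `lineinfile` edits of config.php fall back to appending at end of file when `insertbefore`/`insertafter` find no match, which would leave the PHP array unterminated; `occ config:system:set` (e.g. `sudo -u www-data php occ config:system:set memcache.local --value '\OC\Memcache\APCu'` from `{{ nc_dir }}`) is the supported way to set those keys and is idempotent. Separately, `changed_when: False` and `recurse: yes` should be the YAML booleans `false`/`true`, and `state: latest` on the apt task upgrades every listed package on each run rather than just ensuring presence.
```yaml
- name: dump nc-admin password
  copy:
    content: "{{ nc_admin_pwd }}"
    dest: "{{ nc_admin_pwd_file }}"
    mode: "0600"
    force: false
  no_log: true
```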