From 66c51e0dcbe77e3630e7a23fbbb4c3f83d64f496 Mon Sep 17 00:00:00 2001 From: "Jorge E. Gomez" Date: Sat, 18 Jun 2022 21:51:25 -0500 Subject: [PATCH] Simplifies tasks and variables --- README.md | 519 ----------- local.yml | 5 +- roles/nextcloud/defaults/main.yml | 87 +- roles/nextcloud/files/mysql_nextcloud.cnf | 9 +- roles/nextcloud/tasks/db_mysql.yml | 92 +- roles/nextcloud/tasks/http_nginx.yml | 62 +- roles/nextcloud/tasks/main.yml | 67 +- roles/nextcloud/tasks/nc_apps.yml | 64 +- roles/nextcloud/tasks/nc_download.yml | 62 +- roles/nextcloud/tasks/nc_installation.yml | 203 ++-- roles/nextcloud/tasks/redis_server.yml | 14 +- roles/nextcloud/templates/nginx_nc.j2 | 18 +- .../nextcloud/templates/nginx_php_handler.j2 | 9 +- roles/nextcloud/templates/redis.conf.j2 | 875 +----------------- roles/nextcloud/vars/main.yml | 64 +- 15 files changed, 276 insertions(+), 1874 deletions(-) diff --git a/README.md b/README.md index 9cb7d15..abf8561 100644 --- a/README.md +++ b/README.md @@ -10,522 +10,3 @@ Based on [Aalaesar's role][1] [1]: https://github.com/aalaesar/install_nextcloud -## install_nextcloud - -This role installs and configures an Nextcloud instance for a Debian/Ubuntu server. - -The role's main actions are: -- [x] Packages dependencies installation. -- [x] Database configuration (if located on the same host). -- [x] Strengthened files permissions and ownership following Nextcloud recommendations. -- [x] Web server configuration. -- [x] Redis Server installation. -- [x] Strengthened TLS configuration following _Mozilla SSL Configuration Generator_, intermediate profile by default, modern profile available. -- [x] Post installation of Nextcloud applications - -## Requirements -### Ansible version -Ansible >2.4 -### Python libraries -To use `ipwrap` filter in Ansible, you need to install the netaddr Python library on a computer on which you use Ansible (it is not required on remote hosts). It can usually be installed with either your system package manager or using pip: -```bash -$ pip install netaddr -``` -### Setup module: -The role uses facts gathered by Ansible on the remote host. If you disable the Setup module in your playbook, the role will not work properly. -### Root access -This role requires root access, so either configure it in your inventory files, run it in a playbook with a global `become: yes` or invoke the role in your playbook like: -> playbook.yml: - -```YAML -- hosts: dnsserver - become: yes - roles: - - role: aalaesar.install_nextcloud -``` - -## Role Variables - -Role's variables (and their default values): - -### Choose the version - -**_WARNING: Since Nexcloud 11 requires php v5.6 or later, command line installation will fail on old OS without php v5.6+ support._** - -_Known issue while installing Nextcloud 11 on an Ubuntu 14.04 system:_ [#27](https://github.com/aalaesar/install_nextcloud/issues/27) - -An URL will be generated following naming rules used in the nextcloud repository -_Not following this rules correctly may make the role unable to download nextcloud._ - -#### Repository naming rules: -Some variables changes depending on the channel used and if get_latest is true. -This table summarize the possible cases. - -|channel|latest|major&latest|major|full|special| -|---|---|---|---|---|---| -|**releases**|yes/no|_null_ \|9\|10\|...|_null_|"10.0.3"|_null_| -|**prereleases**|_null_|_null_|_null_|"11.0.1"|_null_ \|"RC(n)\|beta(n)"| -|**daily**|yes/no|_null_ \|master\|stable9\|...|master\|9\|10\|...|_null_|_null_ \|"YYYY-MM-DD"| - -**major&latest** = major value when latest is true -_null_ = "not used" -#### version variables: -```YAML -nextcloud_version_channel: "releases" # releases | prereleases | daily -``` -Specify the main channel to use. -```YAML -nextcloud_get_latest: true -``` -Specify if the "latest" archive should be downloaded. - -```YAML -# nextcloud_version_major: 10 -``` -Specify what major version you desire. - -```YAML -# nextcloud_version_full: "10.0.3" -``` -The full version of the desired nextcloud instance. type **M.F.P** _(Major.Feature.Patch)_ - -```YAML -# nextcloud_version_special: "" -``` -Specify a special string in the archive's filename. -For prereleases: "RCn|beta" | for daily "YYYY-MM-DD" - -```YAML -nextcloud_repository: "https://download.nextcloud.com/server" -``` -Repository's URL. - -```YAML -nextcloud_archive_format: "zip" # zip | tar.bz2 -``` -Choose between the 2 archive formats available in the repository. - -```YAML -# nextcloud_full_url: -``` -_If you don't like rules..._ -Specify directly a full URL to the archive. The role will skip the url generation and download the archive. **Requires nextcloud_version_major to be set along**. -#### Examples: -- Download your own archive: - (_you **must** specify the nextcloud major version along_) -```YAML -nextcloud_full_url: https://download.nextcloud.com/server/releases/nextcloud-23.0.0.zip -nextcloud_version_major: 42 -``` -- Choose the latest release (default): -```YAML -nextcloud_version_channel: "releases" -nextcloud_get_latest: true -``` -- Choose the latest v23 release: -```YAML -nextcloud_version_channel: "releases" -nextcloud_get_latest: true -nextcloud_version_major: 23 -``` -- Choose a specific release: -```YAML -nextcloud_version_channel: "releases" -nextcloud_get_latest: false -nextcloud_version_full: "23.0.0" -``` -- Get the nextcloud 24.0.1 prerelease 1: -```YAML -nextcloud_version_channel: "prereleases" -nextcloud_version_full: "23.0.0" -nextcloud_version_special: "RC3" -``` -- Get the latest daily: -```YAML -nextcloud_version_channel: "daily" -nextcloud_get_latest: true -``` -- Get the latest daily for stable 10: -```YAML -nextcloud_version_channel: "daily" -nextcloud_get_latest: true -nextcloud_version_major: "stable23" -``` -- Get the daily for master at january 1rst 2022: -```YAML -nextcloud_version_channel: "daily" -nextcloud_get_latest: false -nextcloud_version_major: "master" -nextcloud_version_special: "2022-01-01" -``` -### Main configuration -```YAML -nextcloud_trusted_domain: - - "{{ ansible_fqdn }}" - - "{{ ansible_default_ipv4.address }}" -``` -The list of domains you will use to access the same Nextcloud instance. -```YAML -nextcloud_trusted_proxies: [] -``` -The list of trusted proxies IPs if Nextcloud runs through a reverse proxy. -```YAML -nextcloud_instance_name: "{{ nextcloud_trusted_domain | first }}" -``` -The name of the Nextcloud instance. By default, the first element in the list of trusted domains -### WebServer configuration -```YAML -nextcloud_install_websrv: true -``` -The webserver setup can be skipped if you have one installed already. -```YAML -nextcloud_websrv: "apache2" -``` -The http server used by nextcloud. Available values are: **apache2** or **nginx**. -```YAML -nextcloud_disable_websrv_default_site: false -``` -Disable the default site of the chosen http server. (`000-default.conf` in Apache, `default` in Nginx.) -```YAML -nextcloud_websrv_template: "templates/{{nextcloud_websrv}}_nc.j2" -``` -The jinja2 template creating the instance configuration for your webserver. -You can provide your own through this parameter. -```YAML -nextcloud_webroot: "/opt/nextcloud" -``` -The Nextcloud root directory. -```YAML -nextcloud_data_dir: "/var/ncdata" -``` -The Nextcloud data directory. This directory will contain all the Nextcloud files. Choose wisely. -```YAML -nextcloud_admin_name: "admin" -``` -Defines the Nextcloud admin's login. -```YAML -nextcloud_admin_pwd: "secret" -``` -Defines the Nextcloud admin's password. -**Not defined by default** -If not defined by the user, a random password will be generated. - -```YAML -nextcloud_max_upload_size: "512m" -``` -Defines the max size allowed to be uploaded on the server. -Use 0 to __disable__. - -### Redis Server configuration -```YAML -nextcloud_install_redis_server: true -``` -Whenever the role should install a redis server on the same host. -```YAML -nextcloud_redis_host: '/var/run/redis/redis.sock' -``` -The Hostname of redis server. It is set to use UNIX socket as redis is on same host. Set to hostname if it is not the case. -```YAML -nextcloud_redis_port: 0 -``` -The port of redis server. Port 0 is for socket use. Default redis port is 6379. -```YAML -nextcloud_redis_settings: - - { name: 'redis host', value: '"{{ nextcloud_redis_host }}"' } - - { name: 'redis port', value: "{{ nextcloud_redis_port }}" } - - { name: 'memcache.locking', value: '\OC\Memcache\Redis' } -``` -Settings to use redis server with Nextcloud - -### Nextcloud Background Jobs -```YAML -nextcloud_background_cron: True -``` -Set operating system cron for executing Nextcloud regular tasks. This method enables the execution of scheduled jobs without the inherent limitations the Web server might have. - -### Custom nextcloud settings -```YAML -nextcloud_config_settings: - - { name: 'overwrite.cli.url', value: 'https://{{ nextcloud_trusted_domain | first }}' } - - { name: 'memcache.local', value: '\OC\Memcache\APCu' } - - { name: 'open_basedir', value: '/dev/urandom' } - - { name: 'mysql.utf8mb4', value: 'true' } - - { name: 'updater.release.channel', value: 'production' } # production | stable | daily | beta -``` -Setting custom Nextcloud setting in config.php ( [Config.php Parameters Documentations](https://docs.nextcloud.com/server/stable/admin_manual/) ) - -Default custom settings: -- **Base URL**: 'https:// {{nextcloud_instance_name}}' -- **Memcache local**: APCu -- **Mysql Character Set**: utf8mb4 -- **PHP read access to /dev/urandom**: Enabled -- **Updater Relese Channel:** Production -### Database configuration -```YAML -nextcloud_install_db: true -``` -Whenever the role should install and configure a database on the same host. -```YAML -nextcloud_db_host: "127.0.0.1" -``` -The database server's ip/hostname where Nextcloud's database is located. -```YAML -nextcloud_db_backend: "mysql" -``` -Database type used by nextcloud. - -Supported values are: -- mysql -- mariadb -- pgsql _(PostgreSQL)_ - -```YAML -nextcloud_db_name: "nextcloud" -``` -The Nextcloud instance's database name. -```YAML -nextcloud_db_admin: "ncadmin" -``` -The Nextcloud instance's database user's login -```YAML -nextcloud_db_pwd: "secret" -``` -The Nextcloud instance's database user's password. - -**Not defined by default.** - -If not defined by the user, a random password will be generated. - -### TLS configuration -```YAML -nextcloud_install_tls: true -``` -TLS setup can be skipped if you manage it separately (e.g. behind a reverse proxy). -```YAML -nextcloud_tls_enforce: true -``` -Force http to https. -```YAML -nextcloud_mozilla_modern_ssl_profile: true -``` -Force Mozilla modern SSL profile in webserver configuration (intermediate profile is used when false). -```YAML -nextcloud_hsts: false -``` -Set HTTP Strict-Transport-Security header (e.g. "max-age=15768000; includeSubDomains; preload"). - -_(Before enabling HSTS, please read into this topic first)_ -```YAML -nextcloud_tls_cert_method: "self-signed" -``` -Defines various method for retrieving a TLS certificate. -- **self-signed**: generate a _one year_ self-signed certificate for the trusted domain on the remote host and store it in _/etc/ssl_. -- **signed**: copy provided signed certificate for the trusted domain to the remote host or in /etc/ssl by default. - Uses: -```YAML - # Mandatory: - nextcloud_tls_src_cert: /local/path/to/cert - # ^local path to the certificate's key. - nextcloud_tls_src_cert_key: /local/path/to/cert/key - # ^local path to the certificate. - - # Optional: - nextcloud_tls_cert: "/etc/ssl/{{ nextcloud_trusted_domain }}.crt" - # ^remote absolute path to the certificate's key. - nextcloud_tls_cert_key: "/etc/ssl/{{ nextcloud_trusted_domain }}.key" - # ^remote absolute path to the certificate. -``` -- **installed**: if the certificate for the trusted domain is already on the remote host, specify its location. - Uses: -```YAML - nextcloud_tls_cert: /path/to/cert - # ^remote absolute path to the certificate's key. mandatory - nextcloud_tls_cert_key: /path/to/cert/key - # ^remote absolute path to the certificate. mandatory - nextcloud_tls_cert_chain: /path/to/cert/chain - # ^remote absolute path to the certificate's full chain- used only by apache - Optional -``` -```YAML -nextcloud_tls_session_cache_size: 50m -``` -Set the size of the shared nginx TLS session cache to 50 MB. - -### System configuration - -install and use a custom version for PHP instead of the default one: -```YAML -php_ver: '7.1' -php_custom: yes -php_ver: "{{ php_ver }}" -php_dir: "/etc/php/{{ php_ver }}" -php_bin: "php-fpm{{ php_ver }}" -php_pkg_apcu: "php-apcu" -php_pkg_spe: - - "php{{ php_ver }}-imap" - - "php{{ php_ver }}-imagick" - - "php{{ php_ver }}-xml" - - "php{{ php_ver }}-zip" - - "php{{ php_ver }}-mbstring" - - "php-redis" -php_socket: "/run/php/{{ php_ver }}-fpm.sock" -php_memory_limit: 512M -``` - -```YAML -nextcloud_websrv_user: "www-data" -``` -system user for the http server -```YAML -nextcloud_websrv_group: "www-data" -``` -system group for the http server -```YAML -nextcloud_mysql_root_pwd: "secret" -``` -root password for the mysql server - -**Not defined by default** - -If not defined by the user, and mysql/mariadb is installed during the run, a random password will be generated. - -### Generated password -The role uses Ansible's password Lookup: -- If a password is generated by the role, ansible stores it **locally** in **nextcloud_instances/{{ nextcloud_trusted_domain }}/** (relative to the working directory) -- if the file already exist, it reuse its content -- see [the ansible password lookup documentation](https://docs.ansible.com/ansible/latest/plugins/lookup/password.html) for more info - -### Post installation: -#### Applications installation - -Since **v1.3.0**, it is possible to download, install and enable nextcloud applications during a post-install process. - -The application (app) to install have to be declared in the `nextcloud_apps` dictionary in a "key:value" pair. -- The app name is the key -- The download link, is the value. - -```YAML -nextcloud_apps: - app_name_1: "http://download_link.com/some_archive.zip" - app_name_2: "http://getlink.com/another_archive.zip" -``` - -Alternatively, if you need to configure an application after enabling it, you can use this structure. -```YAML -nextcloud_apps: - app_name_1: - source: "http://download_link.com/some_archive.zip" - conf: - parameter1: ldap:\/\/ldapsrv - parameter2: another_value -``` - -**Notes:** -- Because the role is using nextcloud's occ, it is not possible to install an app from the official nextcloud app store. -- If you know that the app is already installed, you can give an empty string to skip the download. -- The app name need the be equal to the folder name located in the **apps folder** of the nextcloud instance, which is extracted from the downloaded archive. -The name may not be canon some times. (like **appName-x.y.z** instead of **appName**) -- The role will **not** update an already enabled application. -- The configuration is applied only when the app in enabled the first time: -Changing a parameter, then running the role again while the app is already enabled will **not** update its configuration. -- this post_install process is tagged and can be called directly using the `--tags install_apps` option. - -## Dependencies - -none - -## Example Playbook -### Case 1: Installing a quick Nextcloud demo -In some case, you may want to deploy quickly many instances of Nextcloud on multiple hosts for testing/demo purpose and don't want to tune the role's variables for each hosts: Just run the playbook without any additional variable (all default) ! - -```YAML ---- -- hosts: server - roles: - - role: aalaesar.install_nextcloud -``` - -- This will install a Nextcloud 10.0.1 instance in /opt/nextcloud using apache2 and mysql. -- it will be available at **https:// {{ ansible default ipv4 }}** using a self signed certificate. -- Generated passwords are stored in **nextcloud_instances/{{ nextcloud_trusted_domain }}/** from your working directory. - -### Case 1.1: specifying the version channel, branch, etc. -You can choose the version channel to download a specific version of nextcloud. Here's a variation of the previous case, this time installing the latest nightly in master. -```YAML ---- -- hosts: server - roles: - - role: aalaesar.install_nextcloud - nextcloud_version_channel: "daily" - nextcloud_version_major: "master" -``` - -### Case 2: Using letsencrypt with this role. -This role is not designed to manage letsencrypt certificates. However you can still use your certificates with nextcloud. - -You must create first your certificates using a letsencrypt ACME client or an Ansible role like [this one] (https://github.com/jaywink/ansible-letsencrypt) - -then call _install_nextcloud_ by setting `nextcloud_tls_cert_method: "installed"` - -Here 2 examples for apache and nginx (because they have slightly different configurations) -```YAML ---- -- hosts: apache_server - roles: - - role: aalaesar.install_nextcloud - nextcloud_trusted_domain: - - "example.com" - nextcloud_tls_cert_method: "installed" - nextcloud_tls_cert: "/etc/letsencrypt/live/example.com/cert.pem" - nextcloud_tls_cert_key: "/etc/letsencrypt/live/example.com/privkey.pem" - nextcloud_tls_cert_chain: "/etc/letsencrypt/live/example.com/chain.pem" - -- hosts: nginx_server - roles: - - role: aalaesar.install_nextcloud - nextcloud_trusted_domain: - - "example2.com" - nextcloud_tls_cert_method: "installed" - nextcloud_tls_cert: "/etc/letsencrypt/live/example2.com/fullchain.pem" - nextcloud_tls_cert_key: "/etc/letsencrypt/live/example2.com/privkey.pem" -``` -### Case 3: integration to an existing system. -- An Ansible master want to install a new Nextcloud instance on an existing Ubuntu 14.04 server with nginx & mariadb installed. -- As is server do not meet the php requirements for Nextcloud 11, he chooses to use the lastest Nextcloud 10 release. -- He wants it to be accessible from internet at _cloud.example.tld_ and from his intranet at _dbox.intra.net_. -- He already have a valid certificate for the intranet domain in /etc/nginx/certs/ installed -- he wants the following apps to be installed & enabled : files_external, calendar, agenda, richdocuments (Collabora) -- The richdocuments app has to be configured to point out to the Collabora domain. - -He can run the role with the following variables to install Nextcloud accordingly to its existing requirements . - -```YAML ---- -- hosts: server - roles: - - role: aalaesar.install_nextcloud - nextcloud_version_major: 23 - nextcloud_trusted_domain: - - "cloud.example.tld" - - "dbox.intra.net" - nextcloud_websrv: "nginx" - nextcloud_admin_pwd: "secret007" - nextcloud_webroot: "/var/www/nextcloud/" - nextcloud_data_dir: "/ncdata" - nextcloud_db_pwd: "secretagency" - nextcloud_tls_cert_method: "installed" - nextcloud_tls_cert: "/etc/nginx/certs/nextcloud.crt" - nextcloud_tls_cert_key: "/etc/nginx/certs/nextcloud.key" - nextcloud_mysql_root_pwd: "42h2g2" - nextcloud_apps: - files_external: "" #enable files_external which is already installed in nextcloud - calendar: "https://github.com/nextcloud/calendar/releases/download/v1.5.0/calendar.tar.gz" - contacts: "https://github.com/nextcloud/contacts/releases/download/v1.5.3/contacts.tar.gz" - richdocuments-1.1.25: # the app name is equal to the extracted folder name from the archive - source: "https://github.com/nextcloud/richdocuments/archive/1.1.25.zip" - conf: - wopi_url: 'https://office.example.tld' -``` - -## License - -BSD diff --git a/local.yml b/local.yml index e9ba392..0b2cc1e 100644 --- a/local.yml +++ b/local.yml @@ -6,6 +6,9 @@ - nextcloud vars: - nextcloud_trusted_domain: + nextcloud_trusted_domains: - cloud.agofer.net + nextcloud_trusted_proxies: + - '10.0.3.58' + diff --git a/roles/nextcloud/defaults/main.yml b/roles/nextcloud/defaults/main.yml index 49e84b5..79563c4 100644 --- a/roles/nextcloud/defaults/main.yml +++ b/roles/nextcloud/defaults/main.yml @@ -1,94 +1,15 @@ --- -# defaults file for nextcloud -# [DOWNLOAD] - # An URL will be generated following naming rules used by nextcloud's repository - # Not following this rules correctly will make the role unable to download nextcloud. -nextcloud_version_channel: "releases" # mandatory # releases | prereleases | daily - # channel releases requires version_full. - # channel prereleases requires version_full. Optional: version_special. - # channel daily requires requires version_full & version_special. -nextcloud_get_latest: true # mandatory # specify if the latest archive should be downloaded. - # Override generated file name for channels: releases | daily. - # optional : version_major. -# nextcloud_version_major: 10 # (9 | 10 | 11| ..) for releases | for daily : (master | stable9 | stable10 | ...) -# nextcloud_version_full: "10.0.3" # full version string -# nextcloud_version_special: "" # For prereleases: "RCn|beta" | for daily "YYYY-MM-DD" -nextcloud_repository: "https://download.nextcloud.com/server" # Domain URL where to download Nextcloud. -nextcloud_archive_format: "zip" # zip | tar.bz2 -# nextcloud_full_url: "https://download.nextcloud.com/server/releases/nextcloud-23.0.0.zip" # specify directly a full URL to the archive if you don't like rules. +# Nextcloud role defaults - -# [CONFIG] -nextcloud_trusted_domain: +nextcloud_trusted_domains: - "{{ ansible_fqdn }}" - "{{ ansible_default_ipv4.address }}" -nextcloud_ipv6: false - nextcloud_trusted_proxies: [] -nextcloud_instance_name: "{{ nextcloud_trusted_domain | first }}" +nextcloud_instance_name: "{{ nextcloud_trusted_domains | first }}" -nextcloud_disable_websrv_default_site: false -nextcloud_websrv_template: "templates/nginx_nc.j2" -nextcloud_webroot: "/opt/nextcloud" -nextcloud_data_dir: "/var/ncdata" -nextcloud_admin_name: "admin" -# nextcloud_admin_pwd: "secret" +nextcloud_admin_name: 'admin' -nextcloud_install_redis_server: true -nextcloud_redis_host: '/var/run/redis/redis.sock' -nextcloud_redis_port: 0 - -nextcloud_redis_settings: - - { name: 'redis host', value: '"{{ nextcloud_redis_host }}"' } - - { name: 'redis port', value: "{{ nextcloud_redis_port }}" } - - { name: 'memcache.locking', value: '\OC\Memcache\Redis' } - -nextcloud_background_cron: True - -## Custom nextcloud settings -## https://docs.nextcloud.com/server/12/admin_manual/configuration_server/config_sample_php_parameters.html -nextcloud_config_settings: - - { name: 'overwrite.cli.url', value: 'https://{{ nextcloud_trusted_domain | first }}' } - - { name: 'memcache.local', value: '\OC\Memcache\APCu' } - - { name: 'open_basedir', value: '/dev/urandom' } - - { name: 'mysql.utf8mb4', value: 'true' } - - { name: 'updater.release.channel', value: 'production' } # production | stable | daily | beta - -# [DATABASE] -nextcloud_install_db: true -nextcloud_db_host: "127.0.0.1" -nextcloud_db_backend: "mysql" # "mysql"/"mariadb" | "pgsql" -nextcloud_db_name: "nextcloud" -nextcloud_db_admin: "ncadmin" -# nextcloud_db_pwd: "secret" - -# [TLS] parameters used in the apache2 & nginx templates -## max file's size allowed to be uploaded on the server -nextcloud_max_upload_size: 512m # in Byte or human readable size notation (g|m|k) -nextcloud_mozilla_modern_ssl_profile: false # when false, intermediate profile is used -nextcloud_tls_dhparam: "/etc/ssl/dhparam.pem" -nextcloud_hsts: false # recommended >= 15552000 -# nextcloud_tls_cert: /path/to/cert -# nextcloud_tls_cert_key: /path/to/cert/key -# nextcloud_tls_cert_chain: /path/to/cert/chain -# nextcloud_tls_src_cert: /path/to/cert -# nextcloud_tls_src_cert_key: /path/to/cert/key -nextcloud_tls_session_cache_size: 50m # in Byte or human readable size notation (g|m|k) - -# [APPS] nextcloud_apps: {} -# [SYSTEM] -#nextcloud_mysql_root_pwd: "secret" - -php_custom: false -php_memory_limit: 512M - -# [system] -# system_configuration for php 7.4: -php_dir: "/etc/php/7.4" -php_bin: "php-fpm7.4" - -php_socket: "/run/php/php7.4-fpm.sock" diff --git a/roles/nextcloud/files/mysql_nextcloud.cnf b/roles/nextcloud/files/mysql_nextcloud.cnf index c2a1bdc..a017842 100644 --- a/roles/nextcloud/files/mysql_nextcloud.cnf +++ b/roles/nextcloud/files/mysql_nextcloud.cnf @@ -1,12 +1,9 @@ -################################################################################ +#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # This file was generated by Ansible -# Do NOT modify this file by hand! -################################################################################ +#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # Nextcloud mysql.cnf [mysqld] binlog_format = MIXED -innodb_large_prefix=on -innodb_file_format=barracuda -innodb_file_per_table=true \ No newline at end of file +innodb_file_per_table=true diff --git a/roles/nextcloud/tasks/db_mysql.yml b/roles/nextcloud/tasks/db_mysql.yml index 09a74da..2f30140 100644 --- a/roles/nextcloud/tasks/db_mysql.yml +++ b/roles/nextcloud/tasks/db_mysql.yml @@ -1,89 +1,61 @@ --- -- name: "[mySQL: Debian] - Service is installed." - package: - name: "{{ 'default-' if ((ansible_distribution|lower) == 'debian' and nextcloud_db_backend == 'mysql') else '' }}{{ nextcloud_db_backend }}-server" - state: present - register: nc_mysql_db_install - -- name: "[mySQL] - Packages are installed." - package: - name: "{{ nc_mysql_deps }}" +- name: Install MySQL server (Mariadb segfaults in Jammy LXD on Bionic host) + apt: + name: '{{ mysql_packages }}' state: present vars: - nc_mysql_deps: - - "php{{ php_ver }}-mysql" - - "python{{ '3' if ansible_python.version.major == 3 else '' }}-pymysql" + mysql_packages: + - 'default-mysql-server' + - 'php-mysql' + - 'python3-pymysql' -- name: "[mySQL] - generate {{ nextcloud_db_backend }} root Password:" +- name: Generate a random MySQL root password set_fact: - nextcloud_mysql_root_pwd: "{{ lookup( 'password', 'nextcloud_instances/'+ nextcloud_instance_name +'/mysql_root.pwd' ) }}" - when: nextcloud_mysql_root_pwd is not defined + nextcloud_mysql_root_pwd: "{{ lookup('password', 'passwords/mysql_root.pwd') }}" -- name: "[mySQL] - save {{ nextcloud_db_backend }} root password in config file" +- name: Save root password in config file ini_file: - path: "{{ mysql_credential_file[(ansible_os_family|lower)] }}" + path: '/etc/mysql/debian.cnf' section: client option: password - value: "{{ nextcloud_mysql_root_pwd }}" + value: '{{ nextcloud_mysql_root_pwd }}' + mode: 0600 no_log: true - when: mysql_credential_file[(ansible_os_family|lower)] is defined -# use debian default credentials to work on user root password -- name: "[mySQL] - Update {{ nextcloud_db_backend }} root password" +- name: Update MySQL root password mysql_user: name: root - - password: "{{ nextcloud_mysql_root_pwd }}" - config_file: "{{ mysql_credential_file[(ansible_os_family|lower)] | default(omit) }}" + password: '{{ nextcloud_mysql_root_pwd }}' + config_file: '/etc/mysql/debian.cnf' check_implicit_admin: yes - priv: "*.*:ALL,GRANT" - # Assuming the root user has only localhost access + priv: '*.*:ALL,GRANT' host_all: yes - -- name: "[mySQL] - Delete the anonymous user." - mysql_user: - user: "" - state: "absent" - login_user: root - login_password: "{{ nextcloud_mysql_root_pwd }}" - config_file: "{{ mysql_credential_file[(ansible_os_family|lower)] | default(omit) }}" - ignore_errors: yes - -- name: "[mySQL] - Removes the MySQL test database" - mysql_db: - name: test - state: absent - login_user: root - login_password: "{{ nextcloud_mysql_root_pwd }}" - config_file: "{{ mysql_credential_file[(ansible_os_family|lower)] | default(omit) }}" - ignore_errors: yes - -- name: "[mySQL] - Set mysql config option for nextcloud" +- name: Set mysql options for nextcloud copy: + src: mysql_nextcloud.cnf dest: /etc/mysql/conf.d/nextcloud.cnf - src: files/mysql_nextcloud.cnf notify: restart mysql -- name: "[mySQL] - Generate database user Password." +- name: Generate database user Password set_fact: - nextcloud_db_pwd: "{{ lookup( 'password', 'nextcloud_instances/'+ nextcloud_instance_name +'/db_admin.pwd' ) }}" - when: nextcloud_db_pwd is not defined + nextcloud_db_pwd: "{{ lookup('password', 'passwords/db_admin.pwd') }}" -- name: "[mySQL] - Add Database {{ nextcloud_db_name }}." +- name: Create nextcloud database mysql_db: - name: "{{ nextcloud_db_name }}" + name: 'nextcloud' login_user: root - login_password: "{{ nextcloud_mysql_root_pwd }}" - config_file: "{{ mysql_credential_file[(ansible_os_family|lower)] | default(omit) }}" + login_password: '{{ nextcloud_mysql_root_pwd }}' + config_file: '/etc/mysql/debian.cnf' state: present -- name: "[mySQL] - Configure the database user." +- name: Configure the database user mysql_user: - name: "{{ nextcloud_db_admin }}" - password: "{{ nextcloud_db_pwd }}" - priv: "{{ nextcloud_db_name }}.*:ALL" + name: 'ncadmin' + password: '{{ nextcloud_db_pwd }}' + priv: 'nextcloud.*:ALL' login_user: root - login_password: "{{ nextcloud_mysql_root_pwd }}" - config_file: "{{ mysql_credential_file[(ansible_os_family|lower)] | default(omit) }}" + login_password: '{{ nextcloud_mysql_root_pwd }}' + config_file: '/etc/mysql/debian.cnf' state: present + diff --git a/roles/nextcloud/tasks/http_nginx.yml b/roles/nextcloud/tasks/http_nginx.yml index 6f7c844..514e0e2 100644 --- a/roles/nextcloud/tasks/http_nginx.yml +++ b/roles/nextcloud/tasks/http_nginx.yml @@ -1,17 +1,9 @@ --- - name: Configure php-fpm - lineinfile: - dest: "{{ php_dir }}/fpm/pool.d/www.conf" - regexp: '^\;env' - state: absent - # validate: "/usr/sbin/{{ php_bin }} -t #%s" - notify: reload php-fpm - -- name: "[NGINX] - Add path variable to php-fpm" blockinfile: - dest: "{{ php_dir }}/fpm/pool.d/www.conf" + dest: '{{ php_dir }}/fpm/pool.d/www.conf' insertafter: '^; Default Value: clean env$' - marker: "; {mark} ANSIBLE MANAGED BLOCK" + marker: '; {mark} ANSIBLE MANAGED BLOCK' block: | env[HOSTNAME] = $HOSTNAME env[PATH] = $PATH @@ -20,23 +12,20 @@ env[TEMP] = /tmp notify: reload php-fpm -- name: "[NGINX] - enable APC for php CLI" - lineinfile: - dest: "{{ php_dir }}/cli/php.ini" - line: "apc.enable_cli = 1" - insertbefore: "^; End:$" - state: present - # validate: "/usr/sbin/{{ php_bin }} -t #%s" +- name: Enable APC for php CLI + copy: + dest: '{{ php_dir }}/cli/conf.d/10-local.ini' + content: 'apc.enable_cli = 1' notify: reload php-fpm -- name: "[NGINX] - enable PHP OPcache for php.ini" +- name: Configure cache and memory for PHP lineinfile: - dest: "{{ php_dir }}/fpm/php.ini" + dest: '{{ php_dir }}/fpm/php.ini' state: present - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" + regexp: '{{ item.regexp }}' + line: '{{ item.line }}' backrefs: yes - with_items: + loop: - { regexp: 'opcache.enable=0', line: 'opcache.enable=1' } - { regexp: 'opcache.enable_cli', line: 'opcache.enable_cli=1' } - { regexp: 'opcache.interned_strings_buffer', line: 'opcache.interned_strings_buffer=8' } @@ -45,44 +34,41 @@ - { regexp: 'opcache.save_comments', line: 'opcache.save_comments=1' } - { regexp: 'opcache.revalidate_freq', line: 'opcache.revalidate_freq=1' } - { regexp: 'memory_limit', line: 'memory_limit={{ php_memory_limit }}'} - # validate: "/usr/sbin/{{ php_bin }} -t #%s" notify: reload php-fpm - -- name: "[NGINX] - Public Diffie-Hellman Parameter are generated. This might take a while." - command: "openssl dhparam -out {{ nextcloud_tls_dhparam }} 2048" +- name: Generate Diffie-Hellman parameters (slow) + command: "openssl dhparam -out {{ tls_dhparam }} 2048" args: - creates: "{{ nextcloud_tls_dhparam }}" + creates: '{{ tls_dhparam }}' -- name: "[NGINX] - php handler configuration is present." +- name: Configure nginx for php-fpm handling template: + src: nginx_php_handler.j2 dest: /etc/nginx/sites-available/php_handler.cnf - src: templates/nginx_php_handler.j2 notify: reload http -- name: "[NGINX] - php handler is enabled" +- name: Enable php-fpm handling in nginx file: path: /etc/nginx/sites-enabled/php_handler src: /etc/nginx/sites-available/php_handler.cnf state: link notify: reload http -- name: "[NGINX] - generate Nextcloud configuration for nginx" +- name: Configure nextcloud in nginx template: - dest: /etc/nginx/sites-available/nc_{{ nextcloud_instance_name }}.cnf - src: "{{ nextcloud_websrv_template }}" + dest: /etc/nginx/sites-available/nextcloud.cnf + src: 'nginx_nc.j2' notify: reload http -- name: "[NGINX] - Enable Nextcloud in nginx conf" +- name: Enable Nextcloud in nginx conf file: - path: /etc/nginx/sites-enabled/nc_{{ nextcloud_instance_name }} - src: /etc/nginx/sites-available/nc_{{ nextcloud_instance_name }}.cnf + path: /etc/nginx/sites-enabled/nextcloud + src: /etc/nginx/sites-available/nextcloud.cnf state: link notify: reload http -- name: "[NGINX] - Disable nginx default site" +- name: Disable nginx default site file: path: /etc/nginx/sites-enabled/default state: absent - when: nextcloud_disable_websrv_default_site | bool notify: reload http diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml index b1b0e1d..c1e6e81 100644 --- a/roles/nextcloud/tasks/main.yml +++ b/roles/nextcloud/tasks/main.yml @@ -9,80 +9,73 @@ - start http - start php-fpm -- fail: - msg: Debugging - - name: Configure Nginx web server include_tasks: http_nginx.yml - name: Configure Redis server - include_tasks: ./redis_server.yml - when: (nextcloud_install_redis_server | bool) + include_tasks: redis_server.yml -- block: - - name: Configure mysql/mariadb database - include_tasks: ./db_mysql.yml - when: nextcloud_db_backend in ["mysql", "mariadb"] +- name: Configure MySQL database + include_tasks: db_mysql.yml - - name: Configure PostgreSQL database - include_tasks: ./db_postgresql.yml - when: nextcloud_db_backend in ["pgsql"] - when: nextcloud_install_db +#- name: Configure PostgreSQL database +# include_tasks: ./db_postgresql.yml -- name: Check Nextcloud installed - stat: "path={{ nextcloud_webroot }}/index.php" +- name: Check whether Nextcloud is installed + stat: + path: '{{ nextcloud_webroot }}/index.php' register: nc_nextcloud_installed -- name: Downloading Nextcloud - include_tasks: ./nc_download.yml +- name: Download Nextcloud + include_tasks: nc_download.yml when: not nc_nextcloud_installed.stat.exists -- name: Check Nextcloud configuration exists. - stat: path="{{ nextcloud_webroot }}/config/config.php" +- name: Check whether Nextcloud configuration exists + stat: + path: '{{ nextcloud_webroot }}/config/config.php' register: nc_nextcloud_conf -- name: Check Nextcloud is configured - command: grep -q "{{ nextcloud_trusted_domain| first }}" {{ nextcloud_webroot }}/config/config.php +- name: Check whether Nextcloud is configured + command: grep -q '{{ nextcloud_trusted_domains | first }}' {{ nextcloud_webroot }}/config/config.php failed_when: False changed_when: False register: nc_nextcloud_configured when: nc_nextcloud_conf.stat.exists - name: Nextcloud installation - include_tasks: ./nc_installation.yml + include_tasks: nc_installation.yml when: | (not nc_nextcloud_conf.stat.exists) or (nc_nextcloud_configured.rc is defined and nc_nextcloud_configured.rc != 0) - block: - - name: "[NC apps] - lists the number of apps available in the instance." - command: php occ app:list --output=json_pretty --no-warnings + - name: Lists the Nextcloud apps available + command: 'php occ app:list --output=json_pretty --no-warnings' args: - chdir: "{{ nextcloud_webroot }}" - become_user: "{{ nextcloud_websrv_user }}" + chdir: '{{ nextcloud_webroot }}' + become_user: 'www-data' become: yes - become_flags: "{{ ansible_become_flags | default(omit) }}" changed_when: false register: nc_apps_list - - name: "[NC apps] - convert list to yaml." - set_fact: nc_available_apps="{{ nc_apps_list.stdout | from_json }}" + - name: Convert list of apps to YAML + set_fact: + nc_available_apps: '{{ nc_apps_list.stdout | from_json }}' - - name: "[NC apps] - installation." - include_tasks: ./nc_apps.yml - # do if the app is not enabled and ( (archive path is not "") or (app is disabled) ) + - name: Install selected Nexctcloud apps + include_tasks: nc_apps.yml when: - item.key not in nc_available_apps.enabled - (item.value is not none) or (item.key in nc_available_apps.disabled) - with_dict: "{{ nextcloud_apps }}" + loop: '{{ nextcloud_apps }}' when: - nextcloud_apps is defined - nextcloud_apps is mapping - name: Add indices - command: php occ db:add-missing-indices + command: 'php occ db:add-missing-indices' args: - chdir: "{{ nextcloud_webroot }}" - become_user: "{{ nextcloud_websrv_user }}" + chdir: '{{ nextcloud_webroot }}' + become_user: 'www-data' become: yes - become_flags: "{{ ansible_become_flags | default(omit) }}" + diff --git a/roles/nextcloud/tasks/nc_apps.yml b/roles/nextcloud/tasks/nc_apps.yml index 835818c..76b1088 100644 --- a/roles/nextcloud/tasks/nc_apps.yml +++ b/roles/nextcloud/tasks/nc_apps.yml @@ -1,63 +1,61 @@ --- -- name: parse the item values +- name: Parse apps data set_fact: - nc_app_name: "{{ item.key }}" - nc_app_cfg: "{{ item.value }}" + nc_app_name: '{{ item.key }}' + nc_app_cfg: '{{ item.value }}' - block: - - name: "[ App {{ nc_app_name }} ] - Download Archive in apps folder." + - name: 'Download app {{ nc_app_name }}' unarchive: copy: no - src: "{{ nc_app_cfg }}" - dest: "{{ nextcloud_webroot }}/apps/" - owner: "{{ nextcloud_websrv_user }}" - group: "{{ nextcloud_websrv_group }}" - creates: "{{ nextcloud_webroot }}/apps/{{ nc_app_name }}" + src: '{{ nc_app_cfg }}' + dest: '{{ nextcloud_webroot }}/apps/' + owner: 'www-data' + group: 'www-data' + creates: '{{ nextcloud_webroot }}/apps/{{ nc_app_name }}' when: nc_app_cfg is not none - - name: "[ App {{ nc_app_name }} ] - enable the application." - become_user: "{{ nextcloud_websrv_user }}" - become_flags: "{{ ansible_become_flags | default(omit) }}" + - name: 'Enable app {{ nc_app_name }}' + become_user: 'www-data' become: yes - command: php occ app:enable "{{ nc_app_name }}" + command: php occ app:enable '{{ nc_app_name }}' args: - chdir: "{{ nextcloud_webroot }}" + chdir: '{{ nextcloud_webroot }}' when: nc_app_cfg is string - block: - - name: verify the app's yaml declaration + - name: Verify app declaration when it's not a simple string assert: that: - (nc_app_cfg.source is defined) and (nc_app_cfg.source is string) - msg: "{{ nc_app_name }} is not well declared." + msg: '{{ nc_app_name }} is not well declared.' - - name: "[ App {{ nc_app_name }} ] - Download Archive in apps folder." + - name: 'Download app {{ nc_app_name }}' unarchive: copy: no - src: "{{ nc_app_cfg.source }}" - dest: "{{ nextcloud_webroot }}/apps/" - owner: "{{ nextcloud_websrv_user }}" - group: "{{ nextcloud_websrv_group }}" - creates: "{{ nextcloud_webroot }}/apps/{{ nc_app_name }}" + src: '{{ nc_app_cfg.source }}' + dest: '{{ nextcloud_webroot }}/apps/' + owner: 'www-data' + group: 'www-data' + creates: '{{ nextcloud_webroot }}/apps/{{ nc_app_name }}' when: nc_app_cfg.source is not none - - name: "[ App {{ nc_app_name }} ] - enable the application." - become_user: "{{ nextcloud_websrv_user }}" - become_flags: "{{ ansible_become_flags | default(omit) }}" + - name: 'Enable app {{ nc_app_name }}' + become_user: 'www-data' become: yes - command: php occ app:enable "{{ nc_app_name }}" + command: php occ app:enable '{{ nc_app_name }}' args: - chdir: "{{ nextcloud_webroot }}" + chdir: '{{ nextcloud_webroot }}' - block: - - name: "[ App {{ nc_app_name }} ] - Configure the application " - become_user: "{{ nextcloud_websrv_user }}" - become_flags: "{{ ansible_become_flags | default(omit) }}" + - name: 'Configure app {{ nc_app_name }}' + become_user: 'www-data' become: yes - command: php occ config:app:set {{ nc_app_name }} {{ item_cfg.key }} --value="{{ item_cfg.value }}" + command: php occ config:app:set {{ nc_app_name }} {{ item_cfg.key }} --value='{{ item_cfg.value }}' args: - chdir: "{{ nextcloud_webroot }}" - with_dict: "{{ nc_app_cfg.conf | default({}) }}" + chdir: '{{ nextcloud_webroot }}' + loop: '{{ nc_app_cfg.conf | default({}) }}' loop_control: loop_var: item_cfg when: nc_app_cfg.conf is defined when: (nc_app_cfg is mapping) + diff --git a/roles/nextcloud/tasks/nc_download.yml b/roles/nextcloud/tasks/nc_download.yml index 7b11a34..8644c13 100644 --- a/roles/nextcloud/tasks/nc_download.yml +++ b/roles/nextcloud/tasks/nc_download.yml @@ -1,46 +1,32 @@ --- -- name: "[NC-DL] - Unzip is installed" - package: name=unzip state=present - when: nextcloud_archive_format == "zip" +- name: Install bzip2 + apt: + name: 'bzip2' + state: present -- name: "[NC-DL] - bunzip2 is installed" - package: name=bzip2 state=present - when: nextcloud_archive_format == "tar.bz2" - -- name: you must specify the major version - assert: - that: nextcloud_version_major is defined - when: nextcloud_full_url is defined - -#- name: "[NC-DL] - Create webroot folder" -# file: -# path: "{{ nextcloud_webroot }}" -# recurese: yes -# state: directory - -- name: "[NC-DL] - Create and set directory ownership & permissions for the webroot folder" +- name: Set permissions for web root folder file: - path: "{{ nextcloud_webroot }}" - mode: "u=rwX,g=rX,o-rwx" + path: '{{ nextcloud_webroot }}' + mode: 0750 recurse: yes state: directory - owner: "{{ nextcloud_websrv_user }}" - group: "{{ nextcloud_websrv_group }}" + owner: 'www-data' + group: 'www-data' -- block: - - name: "Download & extract Nextcloud to /tmp." - unarchive: - copy: no - src: "{{ nextcloud_full_url | default(nextcloud_calculated_url) }}" - dest: "/tmp/" - vars: - nextcloud_calculated_url: "{{ nextcloud_repository }}/{{ nextcloud_version_channel }}/{{ nextcloud_calculated_file }}" - nextcloud_calculated_file: "{{ [nextcloud_dl_file_name[just_a_dict_key], nextcloud_archive_format]|join('.') }}" - just_a_dict_key: "{{ 'latest' if ((nextcloud_get_latest|bool) and (nextcloud_version_channel != 'prereleases')) else nextcloud_version_channel }}" +- name: Download and extract Nextcloud + unarchive: + remote_src: yes + src: '{{ nextcloud_full_url }}' + dest: '{{ nextcloud_webroot | dirname }}/' + when: False +- name: Download and extract Nextcloud + unarchive: + remote_src: yes + src: '/root/nextcloud-24.0.1.tar.bz2' + dest: '{{ nextcloud_webroot | dirname }}/' + owner: 'www-data' + group: 'www-data' + mode: 'u=rwX,g=rX,o-rwx' + when: True - - name: "[NC-DL] - Move extracted files to {{ nextcloud_webroot }}." - command: "cp -r /tmp/nextcloud/. {{ nextcloud_webroot }}/" - - - name: "[NC-DL] - Remove nextcloud archive files" - file: path=/tmp/nextcloud state=absent diff --git a/roles/nextcloud/tasks/nc_installation.yml b/roles/nextcloud/tasks/nc_installation.yml index ae9121d..81b6400 100644 --- a/roles/nextcloud/tasks/nc_installation.yml +++ b/roles/nextcloud/tasks/nc_installation.yml @@ -1,168 +1,109 @@ --- -######### # Run command line installation. + # the web server must be running by now in order to launch the installation - name: Trigger all pending handlers meta: flush_handlers -- name: "[NC] - Setting directory ownership & permissions for the data folder" +- name: Set data folder file: - path: "{{ nextcloud_data_dir }}" - mode: "u=rwX,g=rX,o-rwx" - recurse: yes + path: '/var/ncdata' + mode: '0750' state: directory - owner: "{{ nextcloud_websrv_user }}" - group: "{{ nextcloud_websrv_group }}" + owner: 'www-data' + group: 'www-data' -- name: "[NC] - generate {{ nextcloud_admin_name }} password:" - set_fact: nextcloud_admin_pwd="{{ lookup( 'password', 'nextcloud_instances/'+ nextcloud_instance_name +'/web_admin.pwd length=10' ) }}" - when: nextcloud_admin_pwd is not defined +- name: Generate Nextcloud admin password + set_fact: + nextcloud_admin_pwd: "{{ lookup('password', 'passwords/web_admin.pwd length=12') }}" -- name: "[NC] - Set temporary permissions for command line installation." +- name: Remove existing configuration file file: - path: "{{ nextcloud_webroot }}" - state: directory - recurse: yes - owner: "{{ nextcloud_websrv_user }}" - group: "{{ nextcloud_websrv_group }}" + path: '{{ nextcloud_webroot }}/config/config.php' + state: absent -- block: - - name: "[NC] - removing possibly old or incomplete config.php" - file: - path: "{{ nextcloud_webroot }}/config/config.php" - state: absent - - - name: "[NC] - Run occ installation command" - become_user: "{{ nextcloud_websrv_user }}" - become_flags: "{{ ansible_become_flags | default(omit) }}" - become: yes - command: > - php occ maintenance:install - --database={{ nextcloud_tmp_backend }} - --database-host={{ nextcloud_db_host }} - --database-name={{ nextcloud_db_name }} - --database-user={{ nextcloud_db_admin }} - --database-pass={{ nextcloud_db_pwd }} - --admin-user={{ nextcloud_admin_name }} - --admin-pass={{ nextcloud_admin_pwd }} - --data-dir={{ nextcloud_data_dir }} - args: - chdir: "{{ nextcloud_webroot }}" - creates: "{{ nextcloud_webroot }}/config/config.php" - vars: - # mariadb is equal to mysql for occ - nextcloud_tmp_backend: "{{ 'mysql' if nextcloud_db_backend == 'mariadb' else nextcloud_db_backend }}" - notify: reload http - - - name: "[NC] - Verify config.php - check filesize" - stat: path="{{ nextcloud_webroot }}/config/config.php" - register: nc_installation_confsize - failed_when: nc_installation_confsize.stat.size is undefined or nc_installation_confsize.stat.size <= 100 - - - name: "[NC] - Verify config.php - php syntax check" - command: "php -l {{ nextcloud_webroot }}/config/config.php" - register: nc_installation_confphp - changed_when: False - failed_when: - - nc_installation_confphp.rc is defined - - nc_installation_confphp.rc != 0 - - rescue: - # - name: Unfix su issue with occ - # include_tasks: tasks/unfix_su.yml - # when: ansible_become_method == "su" - - - name: "[NC] - removing config.php when occ fail" - file: - path: "{{ nextcloud_webroot }}/config/config.php" - state: absent - failed_when: True - -- name: "[NC] - Set Trusted Domains" - become_user: "{{ nextcloud_websrv_user }}" - become_flags: "{{ ansible_become_flags | default(omit) }}" +- name: Run occ installation command + become_user: 'www-data' become: yes - command: php occ config:system:set trusted_domains {{ item.0 }} --value="{{ item.1 | ipwrap }}" + command: > + php occ maintenance:install + --database=mysql + --database-host=127.0.0.1 + --database-name=nextcloud + --database-user=ncadmin + --database-pass={{ nextcloud_db_pwd }} + --admin-user={{ nextcloud_admin_name }} + --admin-pass={{ nextcloud_admin_pwd }} + --data-dir=/var/ncdata args: - chdir: "{{ nextcloud_webroot }}" - with_indexed_items: "{{ nextcloud_trusted_domain }}" + chdir: '{{ nextcloud_webroot }}' + creates: '{{ nextcloud_webroot }}/config/config.php' + notify: reload http + +- name: Set trusted domains + become_user: 'www-data' + become: yes + command: 'php occ config:system:set trusted_domains {{ index }} --value="{{ item }}"' + args: + chdir: '{{ nextcloud_webroot }}' + loop: '{{ nextcloud_trusted_domains | flatten(levels=1) }}' + loop_control: + index_var: index changed_when: true -- name: "[NC] - Set Trusted Proxies" - become_user: "{{ nextcloud_websrv_user }}" - become_flags: "{{ ansible_become_flags | default(omit) }}" +- name: Set trusted proxies + become_user: 'www-data' become: yes - command: php occ config:system:set trusted_proxies {{ item.0 }} --value="{{ item.1 }}" + command: 'php occ config:system:set trusted_proxies {{ index }} --value="{{ item }}"' args: - chdir: "{{ nextcloud_webroot }}" - with_indexed_items: "{{ nextcloud_trusted_proxies }}" + chdir: '{{ nextcloud_webroot }}' + loop: '{{ nextcloud_trusted_proxies | flatten(levels=1) }}' + loop_control: + index_var: index changed_when: true -- name: "[NC] - Set Nextcloud settings in config.php" - become_user: "{{ nextcloud_websrv_user }}" - become_flags: "{{ ansible_become_flags | default(omit) }}" +- name: Set other Nextcloud settings in config.php + become_user: 'www-data' become: yes - command: php occ config:system:set {{ item.name }} --value="{{ item.value }}" + command: 'php occ config:system:set {{ item.name }} --value="{{ item.value }}"' args: - chdir: "{{ nextcloud_webroot }}" - with_items: - - "{{ nextcloud_config_settings }}" + chdir: '{{ nextcloud_webroot }}' + loop: '{{ nextcloud_config_settings }}' changed_when: true -- name: "[NC] - Set Redis Server" - become_user: "{{ nextcloud_websrv_user }}" - become_flags: "{{ ansible_become_flags | default(omit) }}" +- name: Set Redis Server + become_user: 'www-data' become: yes - command: php occ config:system:set {{ item.name }} --value="{{ item.value }}" + command: 'php occ config:system:set {{ item.name }} --value="{{ item.value }}"' args: - chdir: "{{ nextcloud_webroot }}" - with_items: - - "{{ nextcloud_redis_settings }}" - when: (nextcloud_install_redis_server | bool) + chdir: '{{ nextcloud_webroot }}' + loop: '{{ nextcloud_redis_settings }}' -- name: "[NC] - Install Cronjob" +- name: Install Cron job cron: - name: "Nextcloud Cronjob" - minute: "*/15" - user: "{{ nextcloud_websrv_user }}" - job: "php {{ nextcloud_webroot }}/cron.php" - cron_file: "nextcloud" - when: (nextcloud_background_cron | bool) + name: 'Nextcloud Cron' + minute: '*/15' + user: 'www-data' + job: 'php {{ nextcloud_webroot }}/cron.php' + cron_file: 'nextcloud' -- name: "[NC] - Set Cron method to Crontab" - become_user: "{{ nextcloud_websrv_user }}" - become_flags: "{{ ansible_become_flags | default(omit) }}" +- name: Inform cron method to Nextcloud + become_user: 'www-data' become: yes - command: php occ background:cron + command: 'php occ background:cron' args: - chdir: "{{ nextcloud_webroot }}" - when: (nextcloud_background_cron | bool) + chdir: '{{ nextcloud_webroot }}' -- name: "[NC] - Set Custom Mimetype" +- name: Set Custom Mimetype copy: - dest: "{{ nextcloud_webroot }}/config/mimetypemapping.json" - src: files/nextcloud_custom_mimetypemapping.json + src: nextcloud_custom_mimetypemapping.json + dest: '{{ nextcloud_webroot }}/config/mimetypemapping.json' -- name: "[NC] - Ensure Nextcloud directories are 0750" - command: find {{ nextcloud_data_dir }} -type d -exec chmod -c 0750 {} \; - register: nc_installation_chmod_result - changed_when: "nc_installation_chmod_result.stdout != \"\"" - -- name: "[NC] - Ensure Nextcloud files are 0640" - command: find {{ nextcloud_data_dir }} -type f -exec chmod -c 0640 {} \; - register: nc_installation_chmod_result - changed_when: "nc_installation_chmod_result.stdout != \"\"" - -- name: "[NC] - Setting stronger directory ownership" +- name: Increase security for existing Nextcloud folders and files file: - path: "{{ nextcloud_webroot }}/{{ item }}/" + path: /var/ncdata + mode: 'o-rwx' recurse: yes - owner: "{{ nextcloud_websrv_user }}" - group: "{{ nextcloud_websrv_group }}" + owner: 'www-data' + group: 'www-data' state: directory - with_items: - - apps - - assets - - config - - themes - - updater diff --git a/roles/nextcloud/tasks/redis_server.yml b/roles/nextcloud/tasks/redis_server.yml index 3663946..464a0ee 100644 --- a/roles/nextcloud/tasks/redis_server.yml +++ b/roles/nextcloud/tasks/redis_server.yml @@ -1,13 +1,11 @@ --- -- name: "[REDIS] - Required packages are installed." - package: "name={{ redix_deps + php_pkg_spe }} state=present" - vars: - redix_deps: - - redis-server - notify: start redis +- name: Install Redis + apt: + name: 'redis-server' + state: present -- name: "[REDIS] - Redis configuration is present." +- name: Configure Redis template: + src: redis.conf.j2 dest: /etc/redis/redis.conf - src: templates/redis.conf.j2 notify: restart redis diff --git a/roles/nextcloud/templates/nginx_nc.j2 b/roles/nextcloud/templates/nginx_nc.j2 index 4b7944f..6c267ba 100644 --- a/roles/nextcloud/templates/nginx_nc.j2 +++ b/roles/nextcloud/templates/nginx_nc.j2 @@ -1,10 +1,9 @@ -################################################################################ -# This file was generated by Ansible for {{ansible_fqdn}} -# Do NOT modify this file by hand! -################################################################################ +#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +{{ ansible_managed | comment }} +#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ server { - server_name {{ nextcloud_trusted_domain | ipwrap | join(' ') }}; + server_name {{ nextcloud_trusted_domains | join(' ') }}; listen 80; @@ -13,7 +12,6 @@ server { client_body_timeout 300s; fastcgi_buffers 64 4K; -{% if (nextcloud_computed_major_version|int) > 13 %} # Enable gzip but do not remove ETag headers gzip on; gzip_vary on; @@ -21,14 +19,6 @@ server { gzip_min_length 256; gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; -{% else %} - # Disable gzip to avoid the removal of the ETag header - gzip off; -{% endif %} - - # Pagespeed is not supported by Nextcloud, so if your server is built - # with the `ngx_pagespeed` module, uncomment this line to disable it. - #pagespeed off; # HTTP response headers borrowed from Nextcloud `.htaccess` add_header Referrer-Policy "no-referrer" always; diff --git a/roles/nextcloud/templates/nginx_php_handler.j2 b/roles/nextcloud/templates/nginx_php_handler.j2 index 3035cd8..4d48ea7 100644 --- a/roles/nextcloud/templates/nginx_php_handler.j2 +++ b/roles/nextcloud/templates/nginx_php_handler.j2 @@ -1,9 +1,8 @@ -################################################################################ -# This file was generated by Ansible for {{ansible_fqdn}} -# Do NOT modify this file by hand! -################################################################################ +#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +{{ ansible_managed | comment }} +#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ upstream php-handler { - #server 127.0.0.1:9000; + # server 127.0.0.1:9000; server unix:{{ php_socket }}; } diff --git a/roles/nextcloud/templates/redis.conf.j2 b/roles/nextcloud/templates/redis.conf.j2 index ec52a3c..d092c52 100644 --- a/roles/nextcloud/templates/redis.conf.j2 +++ b/roles/nextcloud/templates/redis.conf.j2 @@ -1,957 +1,94 @@ -################################################################################ -# This file was generated by Ansible for {{ansible_fqdn}} -# Do NOT modify this file by hand! -################################################################################ - -# Redis configuration file example. -# -# Note that in order to read the configuration file, Redis must be -# started with the file path as first argument: -# -# ./redis-server /path/to/redis.conf - -# Note on units: when memory size is needed, it is possible to specify -# it in the usual form of 1k 5GB 4M and so forth: -# -# 1k => 1000 bytes -# 1kb => 1024 bytes -# 1m => 1000000 bytes -# 1mb => 1024*1024 bytes -# 1g => 1000000000 bytes -# 1gb => 1024*1024*1024 bytes -# -# units are case insensitive so 1GB 1Gb 1gB are all the same. - -################################## INCLUDES ################################### - -# Include one or more other config files here. This is useful if you -# have a standard template that goes to all Redis servers but also need -# to customize a few per-server settings. Include files can include -# other files, so use this wisely. -# -# Notice option "include" won't be rewritten by command "CONFIG REWRITE" -# from admin or Redis Sentinel. Since Redis always uses the last processed -# line as value of a configuration directive, you'd better put includes -# at the beginning of this file to avoid overwriting config change at runtime. -# -# If instead you are interested in using includes to override configuration -# options, it is better to use include as the last line. -# -# include /path/to/local.conf -# include /path/to/other.conf +#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +{{ ansible_managed | comment }} +#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ################################ GENERAL ##################################### -# By default Redis does not run as a daemon. Use 'yes' if you need it. -# Note that Redis will write a pid file in /var/run/redis.pid when daemonized. daemonize yes - -# When running daemonized, Redis writes a pid file in /var/run/redis.pid by -# default. You can specify a custom pid file location here. pidfile /var/run/redis/redis-server.pid - -# Accept connections on the specified port, default is 6379. -# If port 0 is specified Redis will not listen on a TCP socket. -{% if nextcloud_redis_port is defined %} -port {{ nextcloud_redis_port|int}} -{% endif %} - -# TCP listen() backlog. -# -# In high requests-per-second environments you need an high backlog in order -# to avoid slow clients connections issues. Note that the Linux kernel -# will silently truncate it to the value of /proc/sys/net/core/somaxconn so -# make sure to raise both the value of somaxconn and tcp_max_syn_backlog -# in order to get the desired effect. +port {{ nextcloud_redis_port }} tcp-backlog 511 -# By default Redis listens for connections from all the network interfaces -# available on the server. It is possible to listen to just one or multiple -# interfaces using the "bind" configuration directive, followed by one or -# more IP addresses. -# -# Examples: -# -# bind 192.168.1.100 10.0.0.1 -{% if nextcloud_redis_host is defined and (nextcloud_redis_port|int) > 0 %} -bind {{ nextcloud_redis_host }} -{% endif %} - -# Specify the path for the Unix socket that will be used to listen for -# incoming connections. There is no default, so Redis will not listen -# on a unix socket when not specified. -# -# unixsocket /var/run/redis/redis.sock -# unixsocketperm 700 -{% if nextcloud_redis_port is defined and (nextcloud_redis_port|int) == 0 %} +{% if nextcloud_redis_port|int == 0 %} unixsocket {{ nextcloud_redis_host }} unixsocketperm 777 {% endif %} - -# Close the connection after a client is idle for N seconds (0 to disable) timeout 0 -# TCP keepalive. -# -# If non-zero, use SO_KEEPALIVE to send TCP ACKs to clients in absence -# of communication. This is useful for two reasons: -# -# 1) Detect dead peers. -# 2) Take the connection alive from the point of view of network -# equipment in the middle. -# -# On Linux, the specified value (in seconds) is the period used to send ACKs. -# Note that to close the connection the double of the time is needed. -# On other kernels the period depends on the kernel configuration. -# -# A reasonable value for this option is 60 seconds. tcp-keepalive 0 -# Specify the server verbosity level. -# This can be one of: -# debug (a lot of information, useful for development/testing) -# verbose (many rarely useful info, but not a mess like the debug level) -# notice (moderately verbose, what you want in production probably) -# warning (only very important / critical messages are logged) loglevel notice - -# Specify the log file name. Also the empty string can be used to force -# Redis to log on the standard output. Note that if you use standard -# output for logging but daemonize, logs will be sent to /dev/null logfile /var/log/redis/redis-server.log - -# To enable logging to the system logger, just set 'syslog-enabled' to yes, -# and optionally update the other syslog parameters to suit your needs. -# syslog-enabled no - -# Specify the syslog identity. -# syslog-ident redis - -# Specify the syslog facility. Must be USER or between LOCAL0-LOCAL7. -# syslog-facility local0 - -# Set the number of databases. The default database is DB 0, you can select -# a different one on a per-connection basis using SELECT where -# dbid is a number between 0 and 'databases'-1 databases 16 ################################ SNAPSHOTTING ################################ -# -# Save the DB on disk: -# -# save -# -# Will save the DB if both the given number of seconds and the given -# number of write operations against the DB occurred. -# -# In the example below the behaviour will be to save: -# after 900 sec (15 min) if at least 1 key changed -# after 300 sec (5 min) if at least 10 keys changed -# after 60 sec if at least 10000 keys changed -# -# Note: you can disable saving completely by commenting out all "save" lines. -# -# It is also possible to remove all the previously configured save -# points by adding a save directive with a single empty string argument -# like in the following example: -# -# save "" save 900 1 save 300 10 save 60 10000 -# By default Redis will stop accepting writes if RDB snapshots are enabled -# (at least one save point) and the latest background save failed. -# This will make the user aware (in a hard way) that data is not persisting -# on disk properly, otherwise chances are that no one will notice and some -# disaster will happen. -# -# If the background saving process will start working again Redis will -# automatically allow writes again. -# -# However if you have setup your proper monitoring of the Redis server -# and persistence, you may want to disable this feature so that Redis will -# continue to work as usual even if there are problems with disk, -# permissions, and so forth. stop-writes-on-bgsave-error yes - -# Compress string objects using LZF when dump .rdb databases? -# For default that's set to 'yes' as it's almost always a win. -# If you want to save some CPU in the saving child set it to 'no' but -# the dataset will likely be bigger if you have compressible values or keys. rdbcompression yes - -# Since version 5 of RDB a CRC64 checksum is placed at the end of the file. -# This makes the format more resistant to corruption but there is a performance -# hit to pay (around 10%) when saving and loading RDB files, so you can disable it -# for maximum performances. -# -# RDB files created with checksum disabled have a checksum of zero that will -# tell the loading code to skip the check. rdbchecksum yes - -# The filename where to dump the DB dbfilename dump.rdb - -# The working directory. -# -# The DB will be written inside this directory, with the filename specified -# above using the 'dbfilename' configuration directive. -# -# The Append Only File will also be created inside this directory. -# -# Note that you must specify a directory here, not a file name. dir /var/lib/redis ################################# REPLICATION ################################# - -# Master-Slave replication. Use slaveof to make a Redis instance a copy of -# another Redis server. A few things to understand ASAP about Redis replication. -# -# 1) Redis replication is asynchronous, but you can configure a master to -# stop accepting writes if it appears to be not connected with at least -# a given number of slaves. -# 2) Redis slaves are able to perform a partial resynchronization with the -# master if the replication link is lost for a relatively small amount of -# time. You may want to configure the replication backlog size (see the next -# sections of this file) with a sensible value depending on your needs. -# 3) Replication is automatic and does not need user intervention. After a -# network partition slaves automatically try to reconnect to masters -# and resynchronize with them. -# -# slaveof - -# If the master is password protected (using the "requirepass" configuration -# directive below) it is possible to tell the slave to authenticate before -# starting the replication synchronization process, otherwise the master will -# refuse the slave request. -# -# masterauth - -# When a slave loses its connection with the master, or when the replication -# is still in progress, the slave can act in two different ways: -# -# 1) if slave-serve-stale-data is set to 'yes' (the default) the slave will -# still reply to client requests, possibly with out of date data, or the -# data set may just be empty if this is the first synchronization. -# -# 2) if slave-serve-stale-data is set to 'no' the slave will reply with -# an error "SYNC with master in progress" to all the kind of commands -# but to INFO and SLAVEOF. -# slave-serve-stale-data yes - -# You can configure a slave instance to accept writes or not. Writing against -# a slave instance may be useful to store some ephemeral data (because data -# written on a slave will be easily deleted after resync with the master) but -# may also cause problems if clients are writing to it because of a -# misconfiguration. -# -# Since Redis 2.6 by default slaves are read-only. -# -# Note: read only slaves are not designed to be exposed to untrusted clients -# on the internet. It's just a protection layer against misuse of the instance. -# Still a read only slave exports by default all the administrative commands -# such as CONFIG, DEBUG, and so forth. To a limited extent you can improve -# security of read only slaves using 'rename-command' to shadow all the -# administrative / dangerous commands. slave-read-only yes - -# Replication SYNC strategy: disk or socket. -# -# ------------------------------------------------------- -# WARNING: DISKLESS REPLICATION IS EXPERIMENTAL CURRENTLY -# ------------------------------------------------------- -# -# New slaves and reconnecting slaves that are not able to continue the replication -# process just receiving differences, need to do what is called a "full -# synchronization". An RDB file is transmitted from the master to the slaves. -# The transmission can happen in two different ways: -# -# 1) Disk-backed: The Redis master creates a new process that writes the RDB -# file on disk. Later the file is transferred by the parent -# process to the slaves incrementally. -# 2) Diskless: The Redis master creates a new process that directly writes the -# RDB file to slave sockets, without touching the disk at all. -# -# With disk-backed replication, while the RDB file is generated, more slaves -# can be queued and served with the RDB file as soon as the current child producing -# the RDB file finishes its work. With diskless replication instead once -# the transfer starts, new slaves arriving will be queued and a new transfer -# will start when the current one terminates. -# -# When diskless replication is used, the master waits a configurable amount of -# time (in seconds) before starting the transfer in the hope that multiple slaves -# will arrive and the transfer can be parallelized. -# -# With slow disks and fast (large bandwidth) networks, diskless replication -# works better. repl-diskless-sync no - -# When diskless replication is enabled, it is possible to configure the delay -# the server waits in order to spawn the child that transfers the RDB via socket -# to the slaves. -# -# This is important since once the transfer starts, it is not possible to serve -# new slaves arriving, that will be queued for the next RDB transfer, so the server -# waits a delay in order to let more slaves arrive. -# -# The delay is specified in seconds, and by default is 5 seconds. To disable -# it entirely just set it to 0 seconds and the transfer will start ASAP. repl-diskless-sync-delay 5 - -# Slaves send PINGs to server in a predefined interval. It's possible to change -# this interval with the repl_ping_slave_period option. The default value is 10 -# seconds. -# -# repl-ping-slave-period 10 - -# The following option sets the replication timeout for: -# -# 1) Bulk transfer I/O during SYNC, from the point of view of slave. -# 2) Master timeout from the point of view of slaves (data, pings). -# 3) Slave timeout from the point of view of masters (REPLCONF ACK pings). -# -# It is important to make sure that this value is greater than the value -# specified for repl-ping-slave-period otherwise a timeout will be detected -# every time there is low traffic between the master and the slave. -# -# repl-timeout 60 - -# Disable TCP_NODELAY on the slave socket after SYNC? -# -# If you select "yes" Redis will use a smaller number of TCP packets and -# less bandwidth to send data to slaves. But this can add a delay for -# the data to appear on the slave side, up to 40 milliseconds with -# Linux kernels using a default configuration. -# -# If you select "no" the delay for data to appear on the slave side will -# be reduced but more bandwidth will be used for replication. -# -# By default we optimize for low latency, but in very high traffic conditions -# or when the master and slaves are many hops away, turning this to "yes" may -# be a good idea. repl-disable-tcp-nodelay no - -# Set the replication backlog size. The backlog is a buffer that accumulates -# slave data when slaves are disconnected for some time, so that when a slave -# wants to reconnect again, often a full resync is not needed, but a partial -# resync is enough, just passing the portion of data the slave missed while -# disconnected. -# -# The bigger the replication backlog, the longer the time the slave can be -# disconnected and later be able to perform a partial resynchronization. -# -# The backlog is only allocated once there is at least a slave connected. -# -# repl-backlog-size 1mb - -# After a master has no longer connected slaves for some time, the backlog -# will be freed. The following option configures the amount of seconds that -# need to elapse, starting from the time the last slave disconnected, for -# the backlog buffer to be freed. -# -# A value of 0 means to never release the backlog. -# -# repl-backlog-ttl 3600 - -# The slave priority is an integer number published by Redis in the INFO output. -# It is used by Redis Sentinel in order to select a slave to promote into a -# master if the master is no longer working correctly. -# -# A slave with a low priority number is considered better for promotion, so -# for instance if there are three slaves with priority 10, 100, 25 Sentinel will -# pick the one with priority 10, that is the lowest. -# -# However a special priority of 0 marks the slave as not able to perform the -# role of master, so a slave with priority of 0 will never be selected by -# Redis Sentinel for promotion. -# -# By default the priority is 100. slave-priority 100 -# It is possible for a master to stop accepting writes if there are less than -# N slaves connected, having a lag less or equal than M seconds. -# -# The N slaves need to be in "online" state. -# -# The lag in seconds, that must be <= the specified value, is calculated from -# the last ping received from the slave, that is usually sent every second. -# -# This option does not GUARANTEE that N replicas will accept the write, but -# will limit the window of exposure for lost writes in case not enough slaves -# are available, to the specified number of seconds. -# -# For example to require at least 3 slaves with a lag <= 10 seconds use: -# -# min-slaves-to-write 3 -# min-slaves-max-lag 10 -# -# Setting one or the other to 0 disables the feature. -# -# By default min-slaves-to-write is set to 0 (feature disabled) and -# min-slaves-max-lag is set to 10. - -################################## SECURITY ################################### - -# Require clients to issue AUTH before processing any other -# commands. This might be useful in environments in which you do not trust -# others with access to the host running redis-server. -# -# This should stay commented out for backward compatibility and because most -# people do not need auth (e.g. they run their own servers). -# -# Warning: since Redis is pretty fast an outside user can try up to -# 150k passwords per second against a good box. This means that you should -# use a very strong password otherwise it will be very easy to break. -# -# requirepass foobared - -# Command renaming. -# -# It is possible to change the name of dangerous commands in a shared -# environment. For instance the CONFIG command may be renamed into something -# hard to guess so that it will still be available for internal-use tools -# but not available for general clients. -# -# Example: -# -# rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52 -# -# It is also possible to completely kill a command by renaming it into -# an empty string: -# -# rename-command CONFIG "" -# -# Please note that changing the name of commands that are logged into the -# AOF file or transmitted to slaves may cause problems. - ################################### LIMITS #################################### -# Set the max number of connected clients at the same time. By default -# this limit is set to 10000 clients, however if the Redis server is not -# able to configure the process file limit to allow for the specified limit -# the max number of allowed clients is set to the current file limit -# minus 32 (as Redis reserves a few file descriptors for internal uses). -# -# Once the limit is reached Redis will close all the new connections sending -# an error 'max number of clients reached'. -# -# maxclients 10000 - -# Don't use more memory than the specified amount of bytes. -# When the memory limit is reached Redis will try to remove keys -# according to the eviction policy selected (see maxmemory-policy). -# -# If Redis can't remove keys according to the policy, or if the policy is -# set to 'noeviction', Redis will start to reply with errors to commands -# that would use more memory, like SET, LPUSH, and so on, and will continue -# to reply to read-only commands like GET. -# -# This option is usually useful when using Redis as an LRU cache, or to set -# a hard memory limit for an instance (using the 'noeviction' policy). -# -# WARNING: If you have slaves attached to an instance with maxmemory on, -# the size of the output buffers needed to feed the slaves are subtracted -# from the used memory count, so that network problems / resyncs will -# not trigger a loop where keys are evicted, and in turn the output -# buffer of slaves is full with DELs of keys evicted triggering the deletion -# of more keys, and so forth until the database is completely emptied. -# -# In short... if you have slaves attached it is suggested that you set a lower -# limit for maxmemory so that there is some free RAM on the system for slave -# output buffers (but this is not needed if the policy is 'noeviction'). -# -# maxmemory - -# MAXMEMORY POLICY: how Redis will select what to remove when maxmemory -# is reached. You can select among five behaviors: -# -# volatile-lru -> remove the key with an expire set using an LRU algorithm -# allkeys-lru -> remove any key according to the LRU algorithm -# volatile-random -> remove a random key with an expire set -# allkeys-random -> remove a random key, any key -# volatile-ttl -> remove the key with the nearest expire time (minor TTL) -# noeviction -> don't expire at all, just return an error on write operations -# -# Note: with any of the above policies, Redis will return an error on write -# operations, when there are no suitable keys for eviction. -# -# At the date of writing these commands are: set setnx setex append -# incr decr rpush lpush rpushx lpushx linsert lset rpoplpush sadd -# sinter sinterstore sunion sunionstore sdiff sdiffstore zadd zincrby -# zunionstore zinterstore hset hsetnx hmset hincrby incrby decrby -# getset mset msetnx exec sort -# -# The default is: -# -# maxmemory-policy noeviction - -# LRU and minimal TTL algorithms are not precise algorithms but approximated -# algorithms (in order to save memory), so you can tune it for speed or -# accuracy. For default Redis will check five keys and pick the one that was -# used less recently, you can change the sample size using the following -# configuration directive. -# -# The default of 5 produces good enough results. 10 Approximates very closely -# true LRU but costs a bit more CPU. 3 is very fast but not very accurate. -# -# maxmemory-samples 5 ############################## APPEND ONLY MODE ############################### -# By default Redis asynchronously dumps the dataset on disk. This mode is -# good enough in many applications, but an issue with the Redis process or -# a power outage may result into a few minutes of writes lost (depending on -# the configured save points). -# -# The Append Only File is an alternative persistence mode that provides -# much better durability. For instance using the default data fsync policy -# (see later in the config file) Redis can lose just one second of writes in a -# dramatic event like a server power outage, or a single write if something -# wrong with the Redis process itself happens, but the operating system is -# still running correctly. -# -# AOF and RDB persistence can be enabled at the same time without problems. -# If the AOF is enabled on startup Redis will load the AOF, that is the file -# with the better durability guarantees. -# -# Please check http://redis.io/topics/persistence for more information. - appendonly no - -# The name of the append only file (default: "appendonly.aof") - appendfilename "appendonly.aof" - -# The fsync() call tells the Operating System to actually write data on disk -# instead of waiting for more data in the output buffer. Some OS will really flush -# data on disk, some other OS will just try to do it ASAP. -# -# Redis supports three different modes: -# -# no: don't fsync, just let the OS flush the data when it wants. Faster. -# always: fsync after every write to the append only log. Slow, Safest. -# everysec: fsync only one time every second. Compromise. -# -# The default is "everysec", as that's usually the right compromise between -# speed and data safety. It's up to you to understand if you can relax this to -# "no" that will let the operating system flush the output buffer when -# it wants, for better performances (but if you can live with the idea of -# some data loss consider the default persistence mode that's snapshotting), -# or on the contrary, use "always" that's very slow but a bit safer than -# everysec. -# -# More details please check the following article: -# http://antirez.com/post/redis-persistence-demystified.html -# -# If unsure, use "everysec". - -# appendfsync always appendfsync everysec -# appendfsync no - -# When the AOF fsync policy is set to always or everysec, and a background -# saving process (a background save or AOF log background rewriting) is -# performing a lot of I/O against the disk, in some Linux configurations -# Redis may block too long on the fsync() call. Note that there is no fix for -# this currently, as even performing fsync in a different thread will block -# our synchronous write(2) call. -# -# In order to mitigate this problem it's possible to use the following option -# that will prevent fsync() from being called in the main process while a -# BGSAVE or BGREWRITEAOF is in progress. -# -# This means that while another child is saving, the durability of Redis is -# the same as "appendfsync none". In practical terms, this means that it is -# possible to lose up to 30 seconds of log in the worst scenario (with the -# default Linux settings). -# -# If you have latency problems turn this to "yes". Otherwise leave it as -# "no" that is the safest pick from the point of view of durability. - no-appendfsync-on-rewrite no - -# Automatic rewrite of the append only file. -# Redis is able to automatically rewrite the log file implicitly calling -# BGREWRITEAOF when the AOF log size grows by the specified percentage. -# -# This is how it works: Redis remembers the size of the AOF file after the -# latest rewrite (if no rewrite has happened since the restart, the size of -# the AOF at startup is used). -# -# This base size is compared to the current size. If the current size is -# bigger than the specified percentage, the rewrite is triggered. Also -# you need to specify a minimal size for the AOF file to be rewritten, this -# is useful to avoid rewriting the AOF file even if the percentage increase -# is reached but it is still pretty small. -# -# Specify a percentage of zero in order to disable the automatic AOF -# rewrite feature. - auto-aof-rewrite-percentage 100 auto-aof-rewrite-min-size 64mb - -# An AOF file may be found to be truncated at the end during the Redis -# startup process, when the AOF data gets loaded back into memory. -# This may happen when the system where Redis is running -# crashes, especially when an ext4 filesystem is mounted without the -# data=ordered option (however this can't happen when Redis itself -# crashes or aborts but the operating system still works correctly). -# -# Redis can either exit with an error when this happens, or load as much -# data as possible (the default now) and start if the AOF file is found -# to be truncated at the end. The following option controls this behavior. -# -# If aof-load-truncated is set to yes, a truncated AOF file is loaded and -# the Redis server starts emitting a log to inform the user of the event. -# Otherwise if the option is set to no, the server aborts with an error -# and refuses to start. When the option is set to no, the user requires -# to fix the AOF file using the "redis-check-aof" utility before to restart -# the server. -# -# Note that if the AOF file will be found to be corrupted in the middle -# the server will still exit with an error. This option only applies when -# Redis will try to read more data from the AOF file but not enough bytes -# will be found. aof-load-truncated yes ################################ LUA SCRIPTING ############################### -# Max execution time of a Lua script in milliseconds. -# -# If the maximum execution time is reached Redis will log that a script is -# still in execution after the maximum allowed time and will start to -# reply to queries with an error. -# -# When a long running script exceeds the maximum execution time only the -# SCRIPT KILL and SHUTDOWN NOSAVE commands are available. The first can be -# used to stop a script that did not yet called write commands. The second -# is the only way to shut down the server in the case a write command was -# already issued by the script but the user doesn't want to wait for the natural -# termination of the script. -# -# Set it to 0 or a negative value for unlimited execution without warnings. lua-time-limit 5000 ################################ REDIS CLUSTER ############################### -# -# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -# WARNING EXPERIMENTAL: Redis Cluster is considered to be stable code, however -# in order to mark it as "mature" we need to wait for a non trivial percentage -# of users to deploy it in production. -# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -# -# Normal Redis instances can't be part of a Redis Cluster; only nodes that are -# started as cluster nodes can. In order to start a Redis instance as a -# cluster node enable the cluster support uncommenting the following: -# -# cluster-enabled yes -# Every cluster node has a cluster configuration file. This file is not -# intended to be edited by hand. It is created and updated by Redis nodes. -# Every Redis Cluster node requires a different cluster configuration file. -# Make sure that instances running in the same system do not have -# overlapping cluster configuration file names. -# -# cluster-config-file nodes-6379.conf - -# Cluster node timeout is the amount of milliseconds a node must be unreachable -# for it to be considered in failure state. -# Most other internal time limits are multiple of the node timeout. -# -# cluster-node-timeout 15000 - -# A slave of a failing master will avoid to start a failover if its data -# looks too old. -# -# There is no simple way for a slave to actually have a exact measure of -# its "data age", so the following two checks are performed: -# -# 1) If there are multiple slaves able to failover, they exchange messages -# in order to try to give an advantage to the slave with the best -# replication offset (more data from the master processed). -# Slaves will try to get their rank by offset, and apply to the start -# of the failover a delay proportional to their rank. -# -# 2) Every single slave computes the time of the last interaction with -# its master. This can be the last ping or command received (if the master -# is still in the "connected" state), or the time that elapsed since the -# disconnection with the master (if the replication link is currently down). -# If the last interaction is too old, the slave will not try to failover -# at all. -# -# The point "2" can be tuned by user. Specifically a slave will not perform -# the failover if, since the last interaction with the master, the time -# elapsed is greater than: -# -# (node-timeout * slave-validity-factor) + repl-ping-slave-period -# -# So for example if node-timeout is 30 seconds, and the slave-validity-factor -# is 10, and assuming a default repl-ping-slave-period of 10 seconds, the -# slave will not try to failover if it was not able to talk with the master -# for longer than 310 seconds. -# -# A large slave-validity-factor may allow slaves with too old data to failover -# a master, while a too small value may prevent the cluster from being able to -# elect a slave at all. -# -# For maximum availability, it is possible to set the slave-validity-factor -# to a value of 0, which means, that slaves will always try to failover the -# master regardless of the last time they interacted with the master. -# (However they'll always try to apply a delay proportional to their -# offset rank). -# -# Zero is the only value able to guarantee that when all the partitions heal -# the cluster will always be able to continue. -# -# cluster-slave-validity-factor 10 - -# Cluster slaves are able to migrate to orphaned masters, that are masters -# that are left without working slaves. This improves the cluster ability -# to resist to failures as otherwise an orphaned master can't be failed over -# in case of failure if it has no working slaves. -# -# Slaves migrate to orphaned masters only if there are still at least a -# given number of other working slaves for their old master. This number -# is the "migration barrier". A migration barrier of 1 means that a slave -# will migrate only if there is at least 1 other working slave for its master -# and so forth. It usually reflects the number of slaves you want for every -# master in your cluster. -# -# Default is 1 (slaves migrate only if their masters remain with at least -# one slave). To disable migration just set it to a very large value. -# A value of 0 can be set but is useful only for debugging and dangerous -# in production. -# -# cluster-migration-barrier 1 - -# By default Redis Cluster nodes stop accepting queries if they detect there -# is at least an hash slot uncovered (no available node is serving it). -# This way if the cluster is partially down (for example a range of hash slots -# are no longer covered) all the cluster becomes, eventually, unavailable. -# It automatically returns available as soon as all the slots are covered again. -# -# However sometimes you want the subset of the cluster which is working, -# to continue to accept queries for the part of the key space that is still -# covered. In order to do so, just set the cluster-require-full-coverage -# option to no. -# -# cluster-require-full-coverage yes - -# In order to setup your cluster make sure to read the documentation -# available at http://redis.io web site. ################################## SLOW LOG ################################### -# The Redis Slow Log is a system to log queries that exceeded a specified -# execution time. The execution time does not include the I/O operations -# like talking with the client, sending the reply and so forth, -# but just the time needed to actually execute the command (this is the only -# stage of command execution where the thread is blocked and can not serve -# other requests in the meantime). -# -# You can configure the slow log with two parameters: one tells Redis -# what is the execution time, in microseconds, to exceed in order for the -# command to get logged, and the other parameter is the length of the -# slow log. When a new command is logged the oldest one is removed from the -# queue of logged commands. - -# The following time is expressed in microseconds, so 1000000 is equivalent -# to one second. Note that a negative number disables the slow log, while -# a value of zero forces the logging of every command. slowlog-log-slower-than 10000 - -# There is no limit to this length. Just be aware that it will consume memory. -# You can reclaim memory used by the slow log with SLOWLOG RESET. slowlog-max-len 128 ################################ LATENCY MONITOR ############################## -# The Redis latency monitoring subsystem samples different operations -# at runtime in order to collect data related to possible sources of -# latency of a Redis instance. -# -# Via the LATENCY command this information is available to the user that can -# print graphs and obtain reports. -# -# The system only logs operations that were performed in a time equal or -# greater than the amount of milliseconds specified via the -# latency-monitor-threshold configuration directive. When its value is set -# to zero, the latency monitor is turned off. -# -# By default latency monitoring is disabled since it is mostly not needed -# if you don't have latency issues, and collecting data has a performance -# impact, that while very small, can be measured under big load. Latency -# monitoring can easily be enabled at runtime using the command -# "CONFIG SET latency-monitor-threshold " if needed. latency-monitor-threshold 0 ############################# EVENT NOTIFICATION ############################## -# Redis can notify Pub/Sub clients about events happening in the key space. -# This feature is documented at http://redis.io/topics/notifications -# -# For instance if keyspace events notification is enabled, and a client -# performs a DEL operation on key "foo" stored in the Database 0, two -# messages will be published via Pub/Sub: -# -# PUBLISH __keyspace@0__:foo del -# PUBLISH __keyevent@0__:del foo -# -# It is possible to select the events that Redis will notify among a set -# of classes. Every class is identified by a single character: -# -# K Keyspace events, published with __keyspace@__ prefix. -# E Keyevent events, published with __keyevent@__ prefix. -# g Generic commands (non-type specific) like DEL, EXPIRE, RENAME, ... -# $ String commands -# l List commands -# s Set commands -# h Hash commands -# z Sorted set commands -# x Expired events (events generated every time a key expires) -# e Evicted events (events generated when a key is evicted for maxmemory) -# A Alias for g$lshzxe, so that the "AKE" string means all the events. -# -# The "notify-keyspace-events" takes as argument a string that is composed -# of zero or multiple characters. The empty string means that notifications -# are disabled. -# -# Example: to enable list and generic events, from the point of view of the -# event name, use: -# -# notify-keyspace-events Elg -# -# Example 2: to get the stream of the expired keys subscribing to channel -# name __keyevent@0__:expired use: -# -# notify-keyspace-events Ex -# -# By default all notifications are disabled because most users don't need -# this feature and the feature has some overhead. Note that if you don't -# specify at least one of K or E, no events will be delivered. notify-keyspace-events "" ############################### ADVANCED CONFIG ############################### -# Hashes are encoded using a memory efficient data structure when they have a -# small number of entries, and the biggest entry does not exceed a given -# threshold. These thresholds can be configured using the following directives. hash-max-ziplist-entries 512 hash-max-ziplist-value 64 - -# Similarly to hashes, small lists are also encoded in a special way in order -# to save a lot of space. The special representation is only used when -# you are under the following limits: list-max-ziplist-entries 512 list-max-ziplist-value 64 - -# Sets have a special encoding in just one case: when a set is composed -# of just strings that happen to be integers in radix 10 in the range -# of 64 bit signed integers. -# The following configuration setting sets the limit in the size of the -# set in order to use this special memory saving encoding. set-max-intset-entries 512 - -# Similarly to hashes and lists, sorted sets are also specially encoded in -# order to save a lot of space. This encoding is only used when the length and -# elements of a sorted set are below the following limits: zset-max-ziplist-entries 128 zset-max-ziplist-value 64 - -# HyperLogLog sparse representation bytes limit. The limit includes the -# 16 bytes header. When an HyperLogLog using the sparse representation crosses -# this limit, it is converted into the dense representation. -# -# A value greater than 16000 is totally useless, since at that point the -# dense representation is more memory efficient. -# -# The suggested value is ~ 3000 in order to have the benefits of -# the space efficient encoding without slowing down too much PFADD, -# which is O(N) with the sparse encoding. The value can be raised to -# ~ 10000 when CPU is not a concern, but space is, and the data set is -# composed of many HyperLogLogs with cardinality in the 0 - 15000 range. hll-sparse-max-bytes 3000 - -# Active rehashing uses 1 millisecond every 100 milliseconds of CPU time in -# order to help rehashing the main Redis hash table (the one mapping top-level -# keys to values). The hash table implementation Redis uses (see dict.c) -# performs a lazy rehashing: the more operation you run into a hash table -# that is rehashing, the more rehashing "steps" are performed, so if the -# server is idle the rehashing is never complete and some more memory is used -# by the hash table. -# -# The default is to use this millisecond 10 times every second in order to -# actively rehash the main dictionaries, freeing memory when possible. -# -# If unsure: -# use "activerehashing no" if you have hard latency requirements and it is -# not a good thing in your environment that Redis can reply from time to time -# to queries with 2 milliseconds delay. -# -# use "activerehashing yes" if you don't have such hard requirements but -# want to free memory asap when possible. activerehashing yes - -# The client output buffer limits can be used to force disconnection of clients -# that are not reading data from the server fast enough for some reason (a -# common reason is that a Pub/Sub client can't consume messages as fast as the -# publisher can produce them). -# -# The limit can be set differently for the three different classes of clients: -# -# normal -> normal clients including MONITOR clients -# slave -> slave clients -# pubsub -> clients subscribed to at least one pubsub channel or pattern -# -# The syntax of every client-output-buffer-limit directive is the following: -# -# client-output-buffer-limit -# -# A client is immediately disconnected once the hard limit is reached, or if -# the soft limit is reached and remains reached for the specified number of -# seconds (continuously). -# So for instance if the hard limit is 32 megabytes and the soft limit is -# 16 megabytes / 10 seconds, the client will get disconnected immediately -# if the size of the output buffers reach 32 megabytes, but will also get -# disconnected if the client reaches 16 megabytes and continuously overcomes -# the limit for 10 seconds. -# -# By default normal clients are not limited because they don't receive data -# without asking (in a push way), but just after a request, so only -# asynchronous clients may create a scenario where data is requested faster -# than it can read. -# -# Instead there is a default limit for pubsub and slave clients, since -# subscribers and slaves receive data in a push fashion. -# -# Both the hard or the soft limit can be disabled by setting them to zero. client-output-buffer-limit normal 0 0 0 client-output-buffer-limit slave 256mb 64mb 60 client-output-buffer-limit pubsub 32mb 8mb 60 - -# Redis calls an internal function to perform many background tasks, like -# closing connections of clients in timeout, purging expired keys that are -# never requested, and so forth. -# -# Not all tasks are performed with the same frequency, but Redis checks for -# tasks to perform according to the specified "hz" value. -# -# By default "hz" is set to 10. Raising the value will use more CPU when -# Redis is idle, but at the same time will make Redis more responsive when -# there are many keys expiring at the same time, and timeouts may be -# handled with more precision. -# -# The range is between 1 and 500, however a value over 100 is usually not -# a good idea. Most users should use the default of 10 and raise this up to -# 100 only in environments where very low latency is required. hz 10 - -# When a child rewrites the AOF file, if the following option is enabled -# the file will be fsync-ed every 32 MB of data generated. This is useful -# in order to commit the file to the disk more incrementally and avoid -# big latency spikes. aof-rewrite-incremental-fsync yes + diff --git a/roles/nextcloud/vars/main.yml b/roles/nextcloud/vars/main.yml index 97bb64e..f6497fd 100644 --- a/roles/nextcloud/vars/main.yml +++ b/roles/nextcloud/vars/main.yml @@ -21,38 +21,38 @@ required_packages: - php-xml - php-zip - php-apcu - - php-mysql -nextcloud_dl_file_name: - latest: "{{['latest', nextcloud_version_major]|reject('undefined')|join('-')}}" - releases: "{{['nextcloud', nextcloud_version_full]|reject('undefined')|join('-')}}" - prereleases: "nextcloud-{{[nextcloud_version_full, nextcloud_version_special]|reject('undefined')|join()}}" - daily: "nextcloud-{{nextcloud_version_major|d('')}}-daily-{{nextcloud_version_special|d('')}}" +php_dir: '/etc/php/{{ php_ver }}' -mysql_credential_file: - debian: '/etc/mysql/debian.cnf' +tls_dhparam: '/etc/ssl/dhparam.pem' + +php_socket: '/run/php/php-fpm.sock' + +php_memory_limit: 512M + +nextcloud_max_upload_size: 512m # in Byte or human readable size notation (g|m|k) + +nextcloud_webroot: '/opt/nextcloud' + +nextcloud_redis_host: '/var/run/redis/redis.sock' + +nextcloud_redis_port: 0 + +nextcloud_redis_settings: + - { name: 'redis host', value: '"{{ nextcloud_redis_host }}"' } + - { name: 'redis port', value: "{{ nextcloud_redis_port }}" } + - { name: 'memcache.locking', value: '\OC\Memcache\Redis' } + +nextcloud_config_settings: + - { name: 'overwrite.cli.url', value: 'https://{{ nextcloud_trusted_domains | first }}' } + - { name: 'memcache.local', value: '\OC\Memcache\APCu' } + - { name: 'open_basedir', value: '/dev/urandom' } + - { name: 'mysql.utf8mb4', value: 'true' } + - { name: 'updater.release.channel', value: 'stable' } + +nextcloud_full_url: 'https://download.nextcloud.com/server/releases/nextcloud-24.0.1.tar.bz2' + +#nextcloud_full_url: 'https://download.nextcloud.com/server/releases/latest.tar.bz2 ' + +nextcloud_admin_name: 'admin' -nextcloud_max_upload_size_in_bytes: "{{ nextcloud_max_upload_size | human_to_bytes }}" -## finding the major version selected by the user : -## type : string -# the user will set either nextcloud_version_major or nextcloud_version_full -# to pin point a major/specific version. -# if nextcloud_version_major is set it can have 3 values: -# - 'master' : we just set an arbitrary high version (99) -- used for daily -# - a version number [M] : here's what we need. neat ! -# - stable[M] : just remove the 'stable' and here we go ! -# note: There is still a case when the user could use the master branch AND specify a very old date -# and that whould make the computed major version inconsistent. -# But I'm sure at 99.99% nobody wants to do that when using the daily channel. -# if nextcloud_version_full is set, it always have the form [Major.minor.patch] version number. (M.m.p) -# so the major version is the first element. -# if both variables are set we exclude the prerelease channel that do not use the major version on the first condition. -# if none are defined, either the user misconfigured the playbook that's calling the role -# and the play should fail - so we won't manage this case here - -# or nextcloud_get_latest is true which is the equivalent for us of using "master" -nextcloud_computed_major_version: > # type string - {%- if nextcloud_version_major is defined and nextcloud_version_channel not in ['prereleases'] -%} - {{99 if nextcloud_version_major == 'master' else (nextcloud_version_major|regex_replace('stable')) }} - {%- elif nextcloud_version_full is defined -%} - {{ (nextcloud_version_full.split('.'))[0] }} - {%- else -%}99{%- endif -%}