From 63eb7d74f74e7567061d6f5ec59a2454366c327a Mon Sep 17 00:00:00 2001 From: phil Date: Sun, 21 May 2023 23:01:31 +0200 Subject: [PATCH] Update Nextcloud role to include Hiddenservice tasks --- defaults/main.yml | 8 +- handlers/main.yml | 16 ++-- meta/main.yml | 4 +- tasks/apache.yml | 40 +++++++--- tasks/common.yml | 44 ++--------- tasks/configuration.yml | 78 +++++++++++-------- tasks/database.yml | 14 ++-- tasks/fail2ban.yml | 12 +-- tasks/gateway.yml | 45 +++++------ tasks/hiddenservice.yml | 23 ++++++ tasks/main.yml | 67 ++++++++++------ tasks/nextcloud.yml | 49 ++++++++---- tasks/packages.yml | 18 +---- tasks/php.yml | 31 ++++---- tasks/redis.yml | 16 ++-- tasks/user.yml | 12 +-- tasks/version.yml | 18 ----- templates/apache2/custom.conf.j2 | 4 +- ...{apache_site.conf.j2 => nextcloud.conf.j2} | 0 templates/apache2/nextcloud_sites.conf.j2 | 5 ++ templates/fail2ban/jail.conf.j2 | 4 +- templates/nginx_site.j2 | 16 ++-- templates/php_fpm_pool.j2 | 2 +- 23 files changed, 282 insertions(+), 244 deletions(-) create mode 100644 tasks/hiddenservice.yml delete mode 100644 tasks/version.yml rename templates/apache2/{apache_site.conf.j2 => nextcloud.conf.j2} (100%) create mode 100644 templates/apache2/nextcloud_sites.conf.j2 diff --git a/defaults/main.yml b/defaults/main.yml index 8a9fe37..78b7e01 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -2,15 +2,15 @@ apache_custom_conf_path: /etc/apache2/conf-available nextcloud_admin_user: systemausfall.org -nextcloud_admin_pw: "{{ lookup('password', '/tmp/{{ instance.name }}_admin_pwd length=42 chars=ascii_letters,digits') }}" -nextcloud_db_password: "{{ lookup('password', '/tmp/{{ instance.name }}_db_pwd length=42 chars=ascii_letters,digits') }}" +nextcloud_admin_pw: "{{ lookup('password', '/tmp/{{ item.name }}_admin_pwd length=42 chars=ascii_letters,digits') }}" +nextcloud_db_password: "{{ lookup('password', '/tmp/{{ item.name }}_db_pwd length=42 chars=ascii_letters,digits') }}" nextcloud_github_api_url: https://api.github.com/repos/nextcloud/server/releases/latest nextcloud_dl_url: "https://download.nextcloud.com/server/releases/nextcloud-{{ latest_version.stdout }}.tar.bz2" nextcloud_root: /data/nextcloud -nextcloud_install_path: "{{ nextcloud_root }}/{{ instance.name }}" +nextcloud_install_path: "{{ nextcloud_root }}/{{ item.name }}" nextcloud_config_file: "{{ nextcloud_install_path }}/config/config.php" nextcloud_php_memory_limit: 512M nextcloud_php_upload_limit: 512M -nextcloud_trusted_domains: ['localhost', '{{ instance.name }}'] +nextcloud_trusted_domains: ['localhost', '{{ item.name }}'] redis_config_file: /etc/redis/redis.conf diff --git a/handlers/main.yml b/handlers/main.yml index ad99105..cfb8a2f 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,22 +1,26 @@ --- - name: reload apache - service: + ansible.builtin.service: name: apache2 state: reloaded - name: restart apache - service: - name: apache2 - state: restarted + ansible.builtin.service: + name: apache2 + state: restarted + +- name: Get certificate + ansible.builtin.command: dehydrated --cron -g + delegate_to: "{{ gateway_host }}" - name: reload nginx - service: + ansible.builtin.service: name: nginx state: reloaded delegate_to: "{{ gateway_host }}" - name: restart fail2ban - service: + ansible.builtin.service: name: fail2ban state: restarted 
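Review bot: Both password lookups keep the generated admin and DB passwords under `/tmp/{{ item.name }}_*_pwd` on the controller, so a reboot or tmp cleaner discards them and the next run silently generates new values that no longer match the installed instance or the MySQL grant. Move the files to a persistent, restricted directory — for example a new default (constructed name) `nextcloud_secret_dir` used as `nextcloud_admin_pw: "{{ lookup('password', nextcloud_secret_dir ~ '/' ~ item.name ~ '_admin_pwd length=42 chars=ascii_letters,digits') }}"` — and prefer that `~` concatenation over nesting `{{ }}` inside the lookup string, which relies on lookup terms being re-templated. Note also that these defaults now reference `item`, so they are only valid inside a loop whose loop_var is the default `item`; the configuration include in tasks/main.yml uses `loop_var: instances` and has to override `nextcloud_install_path` by hand.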
diff --git a/meta/main.yml b/meta/main.yml index c597a49..c5289f7 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -3,8 +3,8 @@ galaxy_info: description: Role to deploy Nextcloud company: Sense.Lab license: GPLv3 - min_ansible_version: 2.4 + min_ansible_version: "2.4" platforms: - name: Debian versions: - - Buster + - bullseye diff --git a/tasks/apache.yml b/tasks/apache.yml index c6ca024..f36502c 100644 --- a/tasks/apache.yml +++ b/tasks/apache.yml @@ -1,13 +1,35 @@ --- -- name: "apache: {{ instance.name }}: Seite einrichten" - lineinfile: - path: /etc/apache2/conf-available/nextcloud_sites.conf - insertafter: "^Ansbile" - line: "Use NCSite {{ instance.name }} {{ instance.user }}" +- name: "Apache | Aktiviere Apache-Module" + community.general.apache2_module: + name: "{{ item.name }}" + state: "{{ item.state | default('present') }}" + loop: + - name: env + - name: expires + - name: headers + - name: macro + - name: mpm_event + - name: mpm_prefork + state: absent + - name: proxy_fcgi + - name: setenvif + notify: restart apache + +- name: "Apache | Richte Nextcloud-Seiten ein" + ansible.builtin.template: + src: apache2/nextcloud_sites.conf.j2 + dest: /etc/apache2/conf-available/nextcloud_sites.conf + mode: "0644" notify: reload apache -- name: "apache: {{ instance.alias }}: Alias einrichten" - template: - src: apache2/custom.conf.j2 - dest: "{{ apache_custom_conf_path }}/{{ instance.name }}.conf" +- name: "Apache | Kopiere Apache-Vorlage für Seitenkonfiguration" + ansible.builtin.template: + src: apache2/nextcloud.conf.j2 + dest: /etc/apache2/sites-available/nextcloud.conf + mode: "0644" + +- name: "Apache | Aktiviere Apache-Seitenkonfiguration" + ansible.builtin.command: + cmd: a2ensite nextcloud.conf + creates: /etc/apache2/sites-enabled/nextcloud.conf notify: reload apache diff --git a/tasks/common.yml b/tasks/common.yml index 141ebe6..ed081bd 100644 --- a/tasks/common.yml +++ b/tasks/common.yml 
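Review bot: The module loop in tasks/apache.yml enables `mpm_event` before it disables `mpm_prefork`; a2enmod refuses to enable a second MPM while one is active, so on a host still running the Debian default prefork this task is likely to fail on first run. Put the `mpm_prefork` / `state: absent` entry before `mpm_event`, and consider `ignore_configcheck: true` on those two entries as the community.general.apache2_module documentation does for MPM switches. Separately, `nextcloud_sites.conf.j2` is written to conf-available but nothing in this hunk enables it (`a2enconf`) — fine if nextcloud.conf.j2 includes it, which this diff does not show; a comment above the template task naming the file that pulls it in would settle that.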
@@ -1,43 +1,9 @@ --- -- name: "Common | Aktiviere Apache-Module" - ansible.builtin.apache2_module: - name: "{{ item.name }}" - state: "{{ item.state|default('present') }}" - loop: - - name: env - - name: expires - - name: headers - - name: macro - - name: mpm_event - - name: mpm_prefork - state: absent - - name: proxy_fcgi - - name: setenvif - notify: restart apache - -- name: "Common | Erstelle Apache-Konfiguration für NC-Seiten" - ansible.builtin.file: - path: /etc/apache2/conf-available/nextcloud_sites.conf - state: touch - mode: 0644 - -- name: "Common | Kopiere Apache-Vorlage für Seitenkonfiguration" - ansible.builtin.template: - src: ../roles/nextcloud/templates/apache_site.conf.j2 - dest: /etc/apache2/sites-available/nextcloud.conf - mode: 0644 - -- name: "Common | Aktiviere Apache-Seitenkonfiguration" - ansible.builtin.command: - cmd: a2ensite nextcloud.conf - creates: /etc/apache2/sites-enabled/nextcloud.conf - notify: reload apache - - name: "Common | Kopiere PHP-CLI-Konfiguration" ansible.builtin.copy: - src: ../roles/nextcloud/files/30-sao-nextcloud.ini + src: 30-sao-nextcloud.ini dest: "/etc/php/{{ php_version.stdout }}/mods-available/sao-nextcloud.ini" - mode: 0644 + mode: "0644" - name: "Common | Aktiviere PHP-CLI-Konfiguration" ansible.builtin.file: @@ -45,7 +11,7 @@ dest: "/etc/php/{{ php_version.stdout }}/cli/conf.d/30-sao-nextcloud.ini" state: link -- name: "Common | Ermittle letzte Version" +- name: "Common | Ermittle aktuelle Nextcloud-Version" ansible.builtin.shell: cmd: curl -sL "{{ nextcloud_github_api_url }}" | jq -r ".tag_name" | cut -d 'v' -f2 changed_when: false @@ -53,6 +19,6 @@ - name: "Common | Kopiere Update-Skript" ansible.builtin.template: - src: ../roles/nextcloud/templates/nextcloud-updater.j2 + src: nextcloud-updater.j2 dest: "/usr/local/bin/nextcloud-updater" - mode: 0755 + mode: "0755" diff --git a/tasks/configuration.yml b/tasks/configuration.yml index 77ce5cf..ec2214c 100644 --- a/tasks/configuration.yml 
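Review bot: The renamed version lookup (`curl -sL … | jq -r ".tag_name" | cut -d 'v' -f2`) has no pipefail and no check on its output, so a failed or rate-limited GitHub API call yields an empty `latest_version.stdout` and the role later tries to fetch `nextcloud-.tar.bz2` instead of failing here. Add `executable: /bin/bash` with `set -o pipefail` at the start of the command, plus `failed_when: latest_version.stdout | length == 0` (the `register:` line is outside this hunk; the name is inferred from defaults/main.yml). Since this value also chooses which archive gets extracted, a comment such as `# Unpinned: every fresh install gets whatever GitHub reports as latest` would make the trade-off explicit.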
+++ b/tasks/configuration.yml 
@@ -1,52 +1,62 @@ --- -- name: "Configuration | Richte trusted domains ein | {{ instance.name }}" - ansible.builtin.command: 'php {{ nextcloud_install_path }}/occ config:system:set trusted_domains {{ item.0 }} --value "{{ item.1 }}"' +- name: "Configuration | Setze Variable" + ansible.builtin.set_fact: + nextcloud_install_path: "{{ nextcloud_root }}/{{ instances.name }}" + +- name: "Configuration | Richte trusted domains ein | {{ instances.name }}" + ansible.builtin.command: + cmd: 'php occ config:system:set trusted_domains {{ item.0 }} --value "{{ item.1 }}"' + chdir: "{{ nextcloud_install_path }}" become: true - become_user: "{{ instance.user }}" + become_user: "{{ instances.user }}" changed_when: true with_indexed_items: - - '{{ nextcloud.trusted_domains | default(instance.name) }}' + - '{{ instances.config.trusted_domains }}' -- name: "Configuration | Richte cron-Job ein | {{ instance.name }}" +- name: "Configuration | Richte cron-Job ein | {{ instances.name }}" ansible.builtin.cron: - name: "nextcloud {{ instance.name }}" + name: "nextcloud {{ instances.name }}" minute: "*/5" - user: "{{ instance.user }}" - job: "php -f {{ nextcloud_install_path}}/cron.php" + user: "{{ instances.user }}" + job: "php -f {{ nextcloud_install_path }}/cron.php" cron_file: "nextcloud" -- name: "Configuration | Richte allgemeie Konfiguration ein | {{ instance.name }}" - ansible.builtin.command: "{{ item }}" +- name: "Configuration | Richte allgemeie Konfiguration ein | {{ instances.name }}" + ansible.builtin.command: + cmd: "{{ commands }}" + chdir: "{{ nextcloud_install_path }}" become: true - become_user: "{{ instance.user }}" + become_user: "{{ instances.user }}" changed_when: true - with_items: - - 'php {{ nextcloud_install_path }}/occ config:system:set memcache.local --value "\\OC\\Memcache\\APCu"' - - 'php {{ nextcloud_install_path }}/occ config:system:set memcache.distributed --value "\OC\Memcache\Redis"' - - "php {{ nextcloud_install_path }}/occ background:cron" - - 'php {{ 
nextcloud_install_path }}/occ config:system:set overwrite.cli.url --value https://{{ instance.name }}' - - 'php {{ nextcloud_install_path }}/occ config:system:set htaccess.RewriteBase --value /' - - 'php {{ nextcloud_install_path }}/occ maintenance:update:htaccess' - - 'php {{ nextcloud_install_path }}/occ config:system:set default_language --value "de"' - - 'php {{ nextcloud_install_path }}/occ config:system:set default_phone_region --value "DE"' - - 'php {{ nextcloud_install_path }}/occ config:system:set loglevel --value "1"' + loop: + - 'php occ config:system:set memcache.local --value "\\OC\\Memcache\\APCu"' + - 'php occ config:system:set memcache.distributed --value "\OC\Memcache\Redis"' + - "php occ background:cron" + - 'php occ config:system:set overwrite.cli.url --value https://{{ instances.name }}' + - 'php occ config:system:set htaccess.RewriteBase --value /' + - 'php occ maintenance:update:htaccess' + - 'php occ config:system:set default_language --value "de"' + - 'php occ config:system:set default_phone_region --value "DE"' + - 'php occ config:system:set loglevel --value "1"' + loop_control: + loop_var: commands -- name: "Configuration | Richte Mailversand ein | {{ instance.name }}" +- name: "Configuration | Richte Mailversand ein | {{ instances.name }}" ansible.builtin.blockinfile: path: "{{ nextcloud_config_file }}" insertbefore: '^\);' marker: "// {mark} ANSIBLE MANAGED BLOCK" marker_begin: mailserver block: |2 - 'mail_from_address' => '{{ nextcloud.mail_from }}', + 'mail_from_address' => '{{ instances.config.mail_from }}', 'mail_smtpmode' => 'smtp', 'mail_sendmailmode' => 'smtp', - 'mail_domain' => '{{ nextcloud.mail_domain }}', - 'mail_smtpauthtype' => '{{ nextcloud.smtp_auth_type }}', - 'mail_smtphost' => '{{ nextcloud.smtp_host }}', - 'mail_smtpport' => '{{ nextcloud.smtp_port }}', + 'mail_domain' => '{{ instances.config.mail_domain }}', + 'mail_smtpauthtype' => '{{ instances.config.smtp_auth_type }}', + 'mail_smtphost' => '{{ 
instances.config.smtp_host }}', + 'mail_smtpport' => '{{ instances.config.smtp_port }}', -- name: "Configuration | Richte Filelocking ein | {{ instance.name }}" +- name: "Configuration | Richte Filelocking ein | {{ instances.name }}" ansible.builtin.blockinfile: path: "{{ nextcloud_config_file }}" insertbefore: '^\);' @@ -62,15 +72,17 @@ 'timeout' => 1.5, ), -- name: "Configuration | Richte trusted proxies ein | {{ instance.name }}" - ansible.builtin.command: 'php {{ nextcloud_install_path }}/occ config:system:set trusted_proxies {{ item.0 }} --value "{{ item.1 }}"' +- name: "Configuration | Richte trusted proxies ein | {{ instances.name }}" + ansible.builtin.command: + cmd: 'php occ config:system:set trusted_proxies {{ item.0 }} --value "{{ item.1 }}"' + chdir: "{{ nextcloud_install_path }}" become: true - become_user: "{{ instance.user }}" + become_user: "{{ instances.user }}" changed_when: true with_indexed_items: - - "{{ nextcloud.trusted_proxies }}" + - "{{ instances.config.trusted_proxies }}" -- name: "Configuration | Richte Logging ein | {{ instance.name }}" +- name: "Configuration | Richte Logging ein | {{ instances.name }}" ansible.builtin.blockinfile: path: "{{ nextcloud_config_file }}" insertbefore: '^\);' diff --git a/tasks/database.yml b/tasks/database.yml index 71e9301..6c5aaeb 100644 --- a/tasks/database.yml +++ b/tasks/database.yml 
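Review bot: `with_indexed_items: - '{{ instances.config.trusted_domains }}'` drops the `| default(...)` the old line had, so an instance without `config.trusted_domains` now aborts the whole configuration include with an undefined-variable error, and the role default `nextcloud_trusted_domains` becomes dead. Either restore a fallback, `- "{{ instances.config.trusted_domains | default(['localhost', instances.name]) }}"`, or document in defaults/main.yml that the key is mandatory. The `set_fact` at the top is also worth a second look: it is a host-scoped fact, so after this loop `nextcloud_install_path` stays pointed at the last instance for every later role in the play; passing it as `vars: nextcloud_install_path: "{{ nextcloud_root }}/{{ instances.name }}"` on the include in tasks/main.yml scopes it to the include. The task name `Setze Variable` says nothing; `Setze Installationspfad für {{ instances.name }}` reads better.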
@@ -1,18 +1,18 @@ --- -- name: "database | {{ instance.name }} | Datenbank einrichten" - mysql_db: - name: "{{ instance.database }}" +- name: "Database | Erstelle Datenbank | {{ item.name }}" + community.mysql.mysql_db: + name: "{{ item.database }}" state: present login_unix_socket: "{{ mysql_socket }}" login_user: root delegate_to: "{{ database_host }}" -- name: "database | {{ instance.name }} | Benutzer einrichten" - mysql_user: - name: "{{ instance.database }}" +- name: "Database | Richten Datenbank-Benutzer ein | {{ item.name }}" + community.mysql.mysql_user: + name: "{{ item.database }}" host: "{{ inventory_hostname }}" password: "{{ nextcloud_db_password }}" - priv: "{{ instance.database }}.*:ALL" + priv: "{{ item.database }}.*:ALL" state: present login_unix_socket: "{{ mysql_socket }}" login_user: root diff --git a/tasks/fail2ban.yml b/tasks/fail2ban.yml index d724c57..5d44a7e 100644 --- a/tasks/fail2ban.yml +++ b/tasks/fail2ban.yml @@ -1,12 +1,14 @@ --- -- name: "fail2ban | {{ instance.name }} | Kopiere Filter" - copy: +- name: "Fail2ban | Kopiere Filter | {{ item.name }}" + ansible.builtin.copy: src: fail2ban/filter.conf dest: /etc/fail2ban/filter.d/nextcloud.conf + mode: "0644" notify: restart fail2ban -- name: "fail2ban | {{ instance.name }} | Kopiere Jail" - template: +- name: "Fail2ban | Kopiere Jail | {{ item.name }}" + ansible.builtin.template: src: fail2ban/jail.conf.j2 - dest: /etc/fail2ban/jail.d/nextcloud-{{ instance.user }}.conf + dest: /etc/fail2ban/jail.d/nextcloud-{{ item.user }}.conf + mode: "0644" notify: restart fail2ban diff --git a/tasks/gateway.yml b/tasks/gateway.yml index 8359a85..65bd6af 100644 --- a/tasks/gateway.yml +++ b/tasks/gateway.yml 
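Review bot: `password: "{{ nextcloud_db_password }}"` is fed from a `lookup('password', '/tmp/…')` file, and `community.mysql.mysql_user` defaults to `update_password: always`, so whenever that file is lost the grant is silently re-keyed while the existing instance's config.php keeps the old password. Add `update_password: on_create` to this task so an already-provisioned user is never rotated as a side effect; if rotation is wanted it should be an explicit step that also updates Nextcloud. `host: "{{ inventory_hostname }}"` presumably matches how the database host resolves the connecting client — verify, since a mismatch makes the grant unusable and this diff gives no hint either way.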
@@ -1,40 +1,33 @@ --- -- name: "gateway: {{ instance.name }}: Domain zur Zertifikatsliste hinzufügen" - lineinfile: +- name: "Gateway | Füge Domain zur Zertifikatsliste hinzu | {{ item.name }}" + ansible.builtin.lineinfile: path: /etc/dehydrated/domains.txt insertafter: "^# nextcloud" - line: "{{ instance.name }}" + line: "{{ item.name }}" register: dehydrated - delegate_to: "{{ gateway_host }}" -- name: "gateway: {{ instance.name }}: Alias zur Zertifikatsliste hinzufügen" - lineinfile: +- name: "Gateway | Füge Alias zur Zertifikatsliste hinzu | {{ item.name }}" + ansible.builtin.lineinfile: path: /etc/dehydrated/domains.txt insertafter: "^# nextcloud" - line: "{{ item }}" - when: instance.alias is defined - register: dehydrated - delegate_to: "{{ gateway_host }}" - loop: "{{ instance.alias }}" + line: "{{ alias }}" + when: item.alias is defined + loop: "{{ item.alias }}" + loop_control: + loop_var: alias + notify: Get certificate -- name: "gateway: {{ instance.name }}: Zertifikat erstellen" - command: dehydrated --cron -g - delegate_to: "{{ gateway_host }}" - when: dehydrated.changed - -- name: "gateway: {{ instance.name }}: Proxy einrichten" - template: +- name: "Gateway | Richte Proxy ein | {{ item.name }}" + ansible.builtin.template: src: nginx_site.j2 - dest: "/etc/nginx/sites-available/{{ instance.name }}" + dest: "/etc/nginx/sites-available/{{ item.name }}" owner: root group: root - mode: 0644 - delegate_to: "{{ gateway_host }}" + mode: "0644" -- name: "gateway: {{ instance.name }}: Seite aktivieren" - file: - src: "/etc/nginx/sites-available/{{ instance.name }}" - dest: "/etc/nginx/sites-enabled/{{ instance.name }}" +- name: "Gateway | Aktiviere Seite | {{ item.name }}" + ansible.builtin.file: + src: "/etc/nginx/sites-available/{{ item.name }}" + dest: "/etc/nginx/sites-enabled/{{ item.name }}" state: link notify: reload nginx - delegate_to: "{{ gateway_host }}" 
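Review bot: The primary-domain `lineinfile` no longer triggers certificate issuance: the old `when: dehydrated.changed` task is gone, only the alias task carries `notify: Get certificate`, and `register: dehydrated` is now dead. Add `notify: Get certificate` to the first task and drop the `register:` line, otherwise a new instance without aliases gets an nginx vhost pointing at `/var/lib/dehydrated/certs/{{ item.name }}/` that was never issued. The handler ordering in handlers/main.yml (`Get certificate` defined before `reload nginx`) looks deliberate and covers the alias case; a short comment there saying so would keep it from being reordered.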
diff --git a/tasks/hiddenservice.yml b/tasks/hiddenservice.yml new file mode 100644 index 0000000..8a53fed --- /dev/null +++ b/tasks/hiddenservice.yml @@ -0,0 +1,23 @@ +--- +- name: "Hiddenservice | Richte Hiddenservice ein | {{ item.name }}" + ansible.builtin.import_role: + name: configure-hiddenservice + delegate_to: "{{ onion_host }}" + when: item.config.hiddenservice is defined and item.config.hiddenservice + +- name: "Hiddenservice | Kopiere Apache-Anpassungen | {{ item.name }}" + ansible.builtin.template: + src: templates/apache2/custom.conf.j2 + dest: "/etc/apache2/conf-available/{{ item.name }}.conf" + mode: "0644" + notify: reload apache + +# Das erste Argument gibt den Platz im Array an, beginnend mit 0. +- name: "Hiddenservice | Richte trusted domains ein | {{ item.name }}" + ansible.builtin.command: + cmd: 'php occ config:system:set trusted_domains {{ item.config.trusted_domains | length }} --value "{{ hiddenservice_address.stdout }}"' + chdir: "{{ nextcloud_install_path }}" + become: true + become_user: "{{ item.user }}" + changed_when: true + when: item.config.hiddenservice is defined and item.config.hiddenservice diff --git a/tasks/main.yml b/tasks/main.yml index 3cc6008..c7cd482 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
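Review bot: The trusted_domains `occ` call runs with `chdir: "{{ nextcloud_install_path }}"`, but tasks/main.yml includes this file before the `Installation` include, so on a fresh host `occ` does not exist yet and the task fails before the instance is ever installed. Move this task (or the whole include) after the install step, and document that `hiddenservice_address.stdout` is expected to be registered by the `configure-hiddenservice` role on `onion_host` — the variable is defined nowhere in this diff. The `custom.conf.j2` template task has no hiddenservice condition and only emits `ServerAlias` lines, so it belongs in tasks/apache.yml rather than under the `Hiddenservice |` prefix; its `src: templates/apache2/custom.conf.j2` also differs from the `src: apache2/…` form used elsewhere. Whether `delegate_to` on `ansible.builtin.import_role` reaches the imported tasks is worth confirming on the Ansible version in use.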
@@ -1,39 +1,58 @@ --- -- import_tasks: version.yml - tags: version +- name: Run common tasks + ansible.builtin.import_tasks: common.yml + tags: common -- import_tasks: gateway.yml - tags: gateway +- name: Install packages + ansible.builtin.import_tasks: packages.yml + tags: packages -- import_tasks: database.yml +- name: Redis + ansible.builtin.import_tasks: redis.yml + tags: redis + +- name: Setup Gateway + ansible.builtin.include_tasks: gateway.yml + args: + apply: + delegate_to: "{{ gateway_host }}" + loop: "{{ nextcloud_instances }}" + +- name: Run database tasks + ansible.builtin.include_tasks: database.yml tags: database + loop: "{{ nextcloud_instances }}" -- import_tasks: user.yml +- name: Run user tasks + ansible.builtin.include_tasks: user.yml tags: user + loop: "{{ nextcloud_instances }}" -- import_tasks: php.yml +- name: Run php tasks + ansible.builtin.include_tasks: php.yml tags: php + loop: "{{ nextcloud_instances }}" -- name: Configure hiddenservices - ansible.builtin.import_role: - name: configure-hiddenservice - tags: hiddenservice - delegate_to: "{{ onion_host }}" - when: item.config.hiddenservice is defined and item.config.hiddenservice +- name: Run Hiddenservice tasks + ansible.builtin.include_tasks: hiddenservice.yml + loop: "{{ nextcloud_instances }}" -- import_tasks: user.yml - tags: user - -- import_tasks: apache.yml +- name: Run Webserver tasks + ansible.builtin.import_tasks: apache.yml tags: apache -- name: "Nextcloud installieren" - include_tasks: nextcloud.yml - when: nc_is_installed.stat.exists == False - tags: nextcloud +- name: Installation + ansible.builtin.include_tasks: nextcloud.yml + loop: "{{ nextcloud_instances }}" -- import_tasks: configuration.yml - tags: configuration +- name: Configure Nextcloud + ansible.builtin.include_tasks: configuration.yml + loop: "{{ nextcloud_instances }}" + loop_control: + loop_var: instances + index_var: instance_id -- import_tasks: fail2ban.yml +- name: Configure Fail2ban + 
ansible.builtin.include_tasks: fail2ban.yml tags: fail2ban + loop: "{{ nextcloud_instances }}" diff --git a/tasks/nextcloud.yml b/tasks/nextcloud.yml index 1218b87..3cd15ea 100644 --- a/tasks/nextcloud.yml +++ b/tasks/nextcloud.yml 
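Review bot: Switching `database`, `user`, `php` and `fail2ban` from `import_tasks` to `include_tasks` changes what the `tags:` lines do: on a dynamic include the tag applies to the include statement only, so `ansible-playbook --tags database` now runs the include and then skips every untagged task inside database.yml. Use `apply: tags: [database]` alongside `tags: [database]` (the same `apply:` form this hunk already uses for `delegate_to` on the gateway include), or keep `import_tasks` where no loop is needed. The new `Setup Gateway`, `Run Hiddenservice tasks`, `Installation` and `Configure Nextcloud` includes carry no tags at all, which is inconsistent with the rest of the file. Ordering also deserves a comment: `Run Hiddenservice tasks` runs `occ` inside `nextcloud_install_path` before `Installation` has created it, and `index_var: instance_id` is set but not used anywhere in this diff.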
@@ -1,29 +1,50 @@ --- -- name: "nextcloud: {{ instance.name }}: Verzeichnis prüfen" - file: - path: "{{ nextcloud_install_path }}" - mode: 0644 - state: directory +- name: "Nextcloud | Prüfe NC-Installation | {{ item.name }}" + ansible.builtin.stat: + path: "{{ nextcloud_install_path }}/version.php" + register: nc_is_installed + check_mode: false + changed_when: false -- name: "nextcloud: {{ instance.name }}: herunterladen und entpacken" - unarchive: +- name: "Nextcloud | Prüfe NC-Version | {{ item.name }}" + ansible.builtin.shell: + cmd: php ./occ -V | awk '{print $NF}' + chdir: "{{ nextcloud_install_path }}" + become: true + become_user: "{{ item.user }}" + register: nc_installed_version + when: nc_is_installed.stat.exists + check_mode: false + changed_when: false + +- name: "Nextcloud | Prüfe Installationsverzeichnis | {{ item.name }}" + ansible.builtin.file: + path: "{{ nextcloud_install_path }}" + mode: "0644" + state: directory + when: not nc_is_installed.stat.exists + +- name: "Nextcloud | Lade Archiv herunter | {{ item.name }}" + ansible.builtin.unarchive: src: "{{ nextcloud_dl_url }}" remote_src: true extra_opts: - "--strip-components=1" dest: "{{ nextcloud_install_path }}" - owner: "{{ instance.user }}" - group: "{{ instance.user }}" - mode: 0644 + owner: "{{ item.user }}" + group: "{{ item.user }}" + mode: "0644" + when: not nc_is_installed.stat.exists -- name: "nextcloud: {{ instance.name }}: Installation" - command: +- name: "Nextcloud | Führe Installation aus | {{ item.name }}" + ansible.builtin.command: cmd: > php occ maintenance:install --database "mysql" - --database-name "{{ instance.database }}" --database-user "{{ instance.database }}" + --database-name "{{ item.database }}" --database-user "{{ item.database }}" --database-pass "{{ nextcloud_db_password }}" --database-host "{{ database_host }}" --admin-user "{{ nextcloud_admin_user }}" --admin-pass "{{ nextcloud_admin_pw }}" chdir: "{{ nextcloud_install_path }}" become: true - become_user: "{{ 
instance.user }}" + become_user: "{{ item.user }}" changed_when: true + when: not nc_is_installed.stat.exists diff --git a/tasks/packages.yml b/tasks/packages.yml index 81674ba..a4dc235 100644 --- a/tasks/packages.yml +++ b/tasks/packages.yml @@ -1,18 +1,6 @@ --- -- name: "packages: Fakten sammeln" - package_facts: - manager: apt - -- name: "packages: Datenbank-Pakete installieren" - apt: - pkg: - - python3-pymysql - update_cache: yes - cache_valid_time: 3600 - delegate_to: "{{ database_host }}" - -- name: "packages: Pakete installieren" - apt: +- name: "Packages | Installiere Pakete" + ansible.builtin.apt: pkg: - php-apcu - php-bcmath @@ -27,5 +15,5 @@ - php-zip - redis - libmagickcore-6.q16-6-extra - update_cache: yes + update_cache: true cache_valid_time: 3600 diff --git a/tasks/php.yml b/tasks/php.yml index 58186b4..dbca4fe 100644 --- a/tasks/php.yml +++ b/tasks/php.yml 
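Review bot: The archive is downloaded and extracted straight from `nextcloud_dl_url` with nothing verifying what arrived; Nextcloud publishes a `.sha256` next to every release tarball, so the fetch should go through `ansible.builtin.get_url` with `checksum: "sha256:{{ nextcloud_dl_url }}.sha256"` and the unarchive then work from the local file. `maintenance:install` puts `--admin-pass` and `--database-pass` on the command line and the task has no `no_log: true`, so both secrets land in the Ansible output and in any callback or log plugin; add `no_log: true` to that task. `mode: "0644"` on a directory (only quoted here, inherited from the old file) removes the search bit — a `drw-r--r--` tree presumably cannot be entered by `item.user` for the later `chdir`, so a `"0750"`-style mode seems to be what is meant; confirm on a clean host. `nc_installed_version` is registered but not used anywhere in this diff; a comment naming the consumer, or removing the task, would help.
```yaml
- name: "Nextcloud | Lade Archiv herunter | {{ item.name }}"
  ansible.builtin.get_url:
    url: "{{ nextcloud_dl_url }}"
    dest: "{{ nextcloud_root }}/nextcloud-{{ latest_version.stdout }}.tar.bz2"
    checksum: "sha256:{{ nextcloud_dl_url }}.sha256"
    mode: "0644"
  when: not nc_is_installed.stat.exists

- name: "Nextcloud | Entpacke Archiv | {{ item.name }}"
  ansible.builtin.unarchive:
    src: "{{ nextcloud_root }}/nextcloud-{{ latest_version.stdout }}.tar.bz2"
    remote_src: true
    # … unchanged: extra_opts, dest, owner, group, mode, when …
```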
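Review bot: The removed block in tasks/packages.yml installed `python3-pymysql` on `database_host`, but tasks/database.yml still runs `community.mysql.mysql_db` and `mysql_user` delegated there, and both need PyMySQL on the delegate. Unless another role now provisions it, keep a delegated install — `- name: "Packages | Installiere Datenbank-Pakete"` / `ansible.builtin.apt: pkg: [python3-pymysql]` / `delegate_to: "{{ database_host }}"` — or document the new prerequisite in meta/main.yml. The dropped `package_facts` task is not referenced anywhere in this diff, so that part of the removal looks safe.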
@@ -1,32 +1,33 @@ --- -- name: "php | {{ instance.name }} | FPM-Pool kopieren" - template: +- name: "PHP | Erstelle FPM-Pool| {{ item.name }}" + ansible.builtin.template: src: php_fpm_pool.j2 - dest: "/etc/php/{{ php_version.stdout }}/fpm/pool.d/{{ instance.user }}.cfg" + dest: "/etc/php/{{ php_version.stdout }}/fpm/pool.d/{{ item.user }}.cfg" owner: root group: root - mode: 0644 + mode: "0644" notify: - stop php-fpm-socket - stop php-fpm-service - start php-fpm-socket -- name: "php | {{ instance.name }} | Erstelle Log-Datei" - file: - path: "{{ php_fpm_log_dir }}/{{ instance.user }}.log" +- name: "PHP | Erstelle Log-Datei | {{ item.name }}" + ansible.builtin.file: + path: "{{ php_fpm_log_dir }}/{{ item.user }}.log" state: touch - owner: "{{ instance.user }}" - group: "{{ instance.user }}" + owner: "{{ item.user }}" + group: "{{ item.user }}" + mode: "0644" -- name: "php | {{ instance.name }} | Aktiviere systemd Socket" - systemd: - name: "php-fpm@{{ instance.user }}.socket" +- name: "PHP | Aktiviere systemd Socket | {{ item.name }}" + ansible.builtin.systemd: + name: "php-fpm@{{ item.user }}.socket" enabled: true state: started daemon_reload: true -- name: "php | {{ instance.name }} | Aktiviere systemd Service" - systemd: - name: "php-fpm@{{ instance.user }}.service" +- name: "PHP | Aktiviere systemd Service | {{ item.name }}" + ansible.builtin.systemd: + name: "php-fpm@{{ item.user }}.service" enabled: true daemon-reload: true diff --git a/tasks/redis.yml b/tasks/redis.yml index 79fc465..d9ad30c 100644 --- a/tasks/redis.yml +++ b/tasks/redis.yml 
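Review bot: The new `mode: "0644"` on `{{ php_fpm_log_dir }}/{{ item.user }}.log` makes every instance's PHP-FPM log world-readable, and PHP error output routinely contains file paths, query fragments and stack traces; `mode: "0640"` keeps it to the owner and group. The same task uses `state: touch` without `modification_time: preserve` / `access_time: preserve`, so it reports changed on every run and buries real drift in `--check` output. Both are one-line additions to the `Erstelle Log-Datei` task.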
@@ -1,22 +1,22 @@ --- -- name: "redis: Aktiviere Socket" - lineinfile: +- name: "Redis | Aktiviere Socket" + ansible.builtin.lineinfile: path: "{{ redis_config_file }}" regexp: '^# unixsocket /var/run/redis/redis-server.sock' line: 'unixsocket /var/run/redis/redis-server.sock' -- name: "redis: Socket-Berechtigungen stetzen" - lineinfile: +- name: "Redis | Setze Socket-Berechtigungen" + ansible.builtin.lineinfile: path: "{{ redis_config_file }}" regexp: '^# unixsocketperm 700' line: 'unixsocketperm 770' -- name: "redis: Ermittle Anzahl der NC-Instanzen" - set_fact: +- name: "Redis | Ermittle Anzahl der NC-Instanzen" + ansible.builtin.set_fact: instances_number: "{{ nextcloud_instances | length }}" -- name: "redis: Konfiguriere Anzahl der Datenbanken" - lineinfile: +- name: "Redis | Konfiguriere Anzahl der Datenbanken" + ansible.builtin.lineinfile: path: "{{ redis_config_file }}" regexp: '^databases 16$' line: 'databases {{ instances_number }}' diff --git a/tasks/user.yml b/tasks/user.yml index 776fc29..d224784 100644 --- a/tasks/user.yml +++ b/tasks/user.yml @@ -1,15 +1,15 @@ --- -- name: "user | {{ instance.name }} | Nextcloud-System-Nutzer anlegen" - user: - name: "{{ instance.user }}" +- name: "User | Lege Nextcloud-System-Nutzer an | {{ item.name }}" + ansible.builtin.user: + name: "{{ item.user }}" create_home: false password_lock: true groups: redis shell: /bin/false state: present -- name: "user | {{ instance.name }} | Füge www-data zur Nextcloud-Nutzer-Gruppe hinzu" - user: +- name: "User | Füge www-data zur Nextcloud-Nutzer-Gruppe hinzu | {{ item.name }}" + ansible.builtin.user: name: www-data - groups: "{{ instance.user }}" + groups: "{{ item.user }}" append: true diff --git a/tasks/version.yml b/tasks/version.yml deleted file mode 100644 index 1514682..0000000 --- a/tasks/version.yml +++ /dev/null 
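Review bot: `unixsocketperm 770` together with every instance user being placed in the `redis` group (tasks/user.yml) gives each Nextcloud instance full access to the shared Redis, and sizing `databases` to the instance count does not change that — Redis `SELECT` separates keyspaces, not permissions, so a fault in one instance can affect another's cache and file locks. If that is accepted, say so in a comment above the socket-permission task (`# Shared socket: all instance users can reach every Redis database; no tenant isolation`); otherwise one Redis instance or ACL user per tenant is the fix. The lineinfile regexps only match the distribution defaults (`^# unixsocketperm 700`, `^databases 16$`), so a redis.conf that was already edited by hand is silently left alone — presumably known, but worth a note.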
@@ -1,18 +0,0 @@ ---- -- name: "version: {{ instance.name }}: Prüfe NC-Installation" - stat: - path: "{{ nextcloud_install_path }}/version.php" - register: nc_is_installed - check_mode: false - changed_when: false - -- name: "version: {{ instance.name }}: Prüfe NC-Version" - shell: - cmd: php ./occ -V | awk '{print $NF}' - chdir: "{{ nextcloud_install_path }}" - become: true - become_user: "{{ instance.user }}" - register: nc_installed_version - when: nc_is_installed.stat.exists - check_mode: false - changed_when: false diff --git a/templates/apache2/custom.conf.j2 b/templates/apache2/custom.conf.j2 index 6689880..c1cfcfe 100644 --- a/templates/apache2/custom.conf.j2 +++ b/templates/apache2/custom.conf.j2 @@ -1,7 +1,7 @@ # {{ ansible_managed }} -{% if instance.alias is defined %} -{% for alias in instance.alias %} +{% if item.alias is defined %} +{% for alias in item.alias %} ServerAlias {{ alias }} {% endfor %} {% endif %} diff --git a/templates/apache2/apache_site.conf.j2 b/templates/apache2/nextcloud.conf.j2 similarity index 100% rename from templates/apache2/apache_site.conf.j2 rename to templates/apache2/nextcloud.conf.j2 diff --git a/templates/apache2/nextcloud_sites.conf.j2 b/templates/apache2/nextcloud_sites.conf.j2 new file mode 100644 index 0000000..e52cabc --- /dev/null +++ b/templates/apache2/nextcloud_sites.conf.j2 @@ -0,0 +1,5 @@ +### {{ ansible_managed }} + +{% for site in nextcloud_instances %} +Use NCSite {{ site.name }} {{ site.user }} +{% endfor %} diff --git a/templates/fail2ban/jail.conf.j2 b/templates/fail2ban/jail.conf.j2 index 36d2d12..d3fb794 100644 --- a/templates/fail2ban/jail.conf.j2 +++ b/templates/fail2ban/jail.conf.j2 @@ -1,6 +1,6 @@ # {{ ansible_managed }} -[nextcloud-{{ instance.user }}] +[nextcloud-{{ item.user }}] backend = auto enabled = true port = 80,443 
@@ -9,4 +9,4 @@ filter = nextcloud maxretry = 3 bantime = 86400 findtime = 43200 -logpath = {{ nextcloud_root }}/{{ instance.name }}/data/nextcloud.log +logpath = {{ nextcloud_root }}/{{ item.name }}/data/nextcloud.log diff --git a/templates/nginx_site.j2 b/templates/nginx_site.j2 index e262e6e..0768ac9 100644 --- a/templates/nginx_site.j2 +++ b/templates/nginx_site.j2 @@ -1,8 +1,8 @@ server { listen 80; - server_name {{ instance.name }}; -{% if instance.alias is defined %} - {% for alias in instance.alias %} + server_name {{ item.name }}; +{% if item.alias is defined %} + {% for alias in item.alias %} server_name {{ alias }}; {% endfor %} {% endif %} @@ -12,9 +12,9 @@ server { server { listen 443 ssl http2; - server_name {{ instance.name }}; - ssl_certificate /var/lib/dehydrated/certs/{{ instance.name }}/fullchain.pem; - ssl_certificate_key /var/lib/dehydrated/certs/{{ instance.name }}/privkey.pem; + server_name {{ item.name }}; + ssl_certificate /var/lib/dehydrated/certs/{{ item.name }}/fullchain.pem; + ssl_certificate_key /var/lib/dehydrated/certs/{{ item.name }}/privkey.pem; include /etc/nginx/proxy_params; add_header Referrer-Policy $referrerpolicy; add_header Strict-Transport-Security $sts; @@ -30,8 +30,8 @@ server { } } -{% if instance.alias is defined %} - {% for alias in instance.alias %} +{% if item.alias is defined %} + {% for alias in item.alias %} server { listen 443 ssl http2; server_name {{ alias }}; diff --git a/templates/php_fpm_pool.j2 b/templates/php_fpm_pool.j2 index e7c45da..04f056b 100644 --- a/templates/php_fpm_pool.j2 +++ b/templates/php_fpm_pool.j2 @@ -1,7 +1,7 @@ [global] error_log = ${FPM_ERROR_LOG} -[{{ instance.user }}] +[{{ item.user }}] listen = ${FPM_SOCKET_PATH} pm = dynamic pm.max_children = 60