Fixes fuer zentrale Instancen-Verwaltung

This commit is contained in:
phil 2021-06-26 01:45:06 +02:00
parent e63c995f11
commit b33a014729
12 changed files with 72 additions and 70 deletions


@ -4,21 +4,14 @@ mysql_socket: /var/run/mysqld/mysqld.sock
nextcloud_admin_pw: admin
nextcloud_admin_user: systemausfall.org
nextcloud_admin_pw: admin
nextcloud_database_host: database.kahlo
nextcloud_dl_url: https://download.nextcloud.com/server/releases
nextcloud_gateway: kahlo.kahlo
nextcloud_host: sl-nextcloud.kahlo
nextcloud_mysql_db: "nc_{{ common_name }}"
nextcloud_mysql_pw: admin
nextcloud_mysql_user: "nc_{{ common_name }}"
nextcloud_install_path: "/data/nextcloud/{{ nextcloud_domain }}"
nextcloud_install_path: "/data/nextcloud/{{ instance.domain }}"
nextcloud_config_file: "{{ nextcloud_install_path }}/config/config.php"
nextcloud_php_memory_limit: 512M
nextcloud_php_upload_limit: 512M
nextcloud_trusted_domains: ['localhost', '{{ nextcloud_domain }}']
nextcloud_trusted_domains: ['localhost', '{{ instance.domain }}']
nextcloud_trusted_proxies: ['10.42.7.1']
nextcloud_version: nextcloud-21.0.1
nextcloud_mail_from: noreply
nextcloud_mail_domain: postfach.senselab.org
nextcloud_smtp_auth_type: LOGIN
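Review bot: `nextcloud_admin_pw: admin` and `nextcloud_mysql_pw: admin` stay in this defaults file while the instance-specific values move to `instance.*`, and the install task in nextcloud.yml passes `--admin-pass "{{ nextcloud_admin_pw }}"`, so an instance whose inventory forgets the override is created with a well-known admin password. Consider removing the default so a missing override fails loudly, or generating it per instance, e.g. `nextcloud_admin_pw: "{{ lookup('password', '<per-instance-credentials-path> chars=ascii_letters,digits length=24') }}"`. `nextcloud_admin_pw: admin` also appears twice in this view; if both lines survive on the new side that is a duplicate key, which most YAML parsers resolve silently by keeping the last value. `nextcloud_mysql_pw` is not referenced by any task in this commit (the database tasks use a `lookup('password', …)`), so if it is unused it is better dropped than kept as a plaintext credential.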


@ -1,5 +1,5 @@
---
- name: "Apache Module laden"
- name: "apache: {{ instance.domain }}: Module laden"
apache2_module:
state: present
name: "{{ item }}"
@ -9,9 +9,9 @@
- setenvif
notify: restart apache
- name: "Apache Seite einrichten"
- name: "apache: {{ instance.domain }}: Seite einrichten"
lineinfile:
path: /etc/apache2/conf-available/nextcloud_sites.conf
insertafter: "^Ansbile"
line: "Use NCSite {{ domain }} {{ user }}"
line: "Use NCSite {{ instance.domain }} {{ instance.user }}"
notify: reload apache
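Review bot: `insertafter: "^Ansbile"` on the `lineinfile` task looks like a typo for `^Ansible`; if the marker comment in `/etc/apache2/conf-available/nextcloud_sites.conf` is spelled `Ansible`, the regex never matches and lineinfile silently appends the `Use NCSite` line at the end of the file instead of after the marker. The task also has no `regexp`, so changing `instance.user` for an existing domain adds a second `Use NCSite {{ instance.domain }} …` line rather than replacing the old one; `regexp: "^Use NCSite {{ instance.domain }} "` would make it idempotent per instance. The module-loading task above is not instance-specific, so its new name `apache: {{ instance.domain }}: Module laden` is slightly misleading when the same modules are loaded once per host.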


@ -1,19 +1,19 @@
---
- name: "Datenbank einrichten"
- name: "database: {{ instance.domain }}: Datenbank einrichten"
mysql_db:
name: "{{ database }}"
name: "{{ instance.database }}"
state: present
login_unix_socket: "{{ mysql_socket }}"
login_user: root
config_file: /etc/mysql/debian.cnf
delegate_to: "{{ database_host }}"
- name: "Datenbank Benutzer einrichten"
- name: "database: {{ instance.domain }}: Benutzer einrichten"
mysql_user:
name: "{{ database }}"
name: "{{ instance.database }}"
host: "{{ inventory_hostname }}"
password: "{{ lookup('password', '/tmp/nc_db_password chars=ascii_letters') }}"
priv: "{{ database }}.*:ALL"
priv: "{{ instance.database }}.*:ALL"
state: present
login_unix_socket: "{{ mysql_socket }}"
login_user: root
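Review bot: the database password is still taken from one shared file, `lookup('password', '/tmp/nc_db_password chars=ascii_letters')`, so after this commit every instance's MySQL user receives the same password and any instance can authenticate as the other instances' database users; the identical lookup in nextcloud.yml (`--database-pass`) must be changed in step. Make the file per instance, e.g. `password: "{{ lookup('password', '<per-instance-credentials-path>/' ~ instance.database ~ ' chars=ascii_letters,digits length=32') }}"`, with the same expression in the install command. `/tmp` on the controller is also a poor home for generated credentials: it is world-readable and typically cleared on reboot, after which the next run generates a fresh password that no longer matches the one stored in MySQL; a directory with restricted permissions outside `/tmp` (or a vaulted variable) avoids both problems.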


@ -1,16 +1,8 @@
---
- name: "fixes: Prüfe NC-Version"
shell:
cmd: occ -V | cut -d ' ' -f2
chdir: "{{ nextcloud_install_path }}"
become: true
become_user: "{{ common_name }}"
register: nc_installed_version
- name: "fixes: https://github.com/nextcloud/files_pdfviewer/issues/381"
- name: "fixes: {{ instance.domain }} https://github.com/nextcloud/files_pdfviewer/issues/381"
get_url:
url: https://raw.githubusercontent.com/nextcloud/files_pdfviewer/6d81ffbb65c3758bece144e0aff07b4a0ad20eef/js/files_pdfviewer-main.js
dest: "{{ nextcloud_install_path }}/apps/files_pdfviewer/js/files_pdfviewer-main.js"
owner: "{{ common_name }}"
group: "{{ common_name }}"
owner: "{{ instance.user }}"
group: "{{ instance.user }}"
when: nc_installed_version >= "21.0.2"
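Review bot: `when: nc_installed_version >= "21.0.2"` compares the whole registered result (a dict with `stdout`, `rc`, …) against a string rather than the version, and even `.stdout` would be a lexicographic comparison; it should read `when: nc_installed_version.stdout is version('21.0.2', '>=')`. With the version probe now in version.yml and skipped when Nextcloud is not installed (`when: nc_is_installed.stat.exists`), `nc_installed_version` on a fresh install is a skipped result without `stdout`, so the condition needs a guard such as `nc_installed_version is not skipped and …`, or the probe has to run again after the install. The `get_url` fetches JavaScript from a pinned upstream commit straight into the served app tree without a `checksum:`; pin the expected digest, e.g. `checksum: "sha256:<expected-hash>"`, so a changed or tampered download is rejected instead of being shipped to every user's browser.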


@ -1,29 +1,29 @@
---
- name: "Gateway Domain zur Zertifikatsliste hinzufügen"
- name: "gateway: {{ instance.domain }}: Domain zur Zertifikatsliste hinzufügen"
lineinfile:
path: /etc/dehydrated/domains.txt
insertafter: "^# nextcloud"
line: "{{ domain }}"
line: "{{ instance.domain }}"
# when: dehydrated_installiert
delegate_to: "{{ gateway_host }}"
- name: "Gateway Zertifikat erstellen"
- name: "gateway: {{ instance.domain }}: Zertifikat erstellen"
command: dehydrated --cron -g
delegate_to: "{{ gateway_host }}"
- name: "Gateway Proxy einrichten"
- name: "gateway: {{ instance.domain }}: Proxy einrichten"
template:
src: nginx_site.j2
dest: "/etc/nginx/sites-available/{{ domain }}"
dest: "/etc/nginx/sites-available/{{ instance.domain }}"
owner: root
group: root
mode: 0644
delegate_to: "{{ gateway_host }}"
- name: "Gateway Seite aktivieren"
- name: "gateway: {{ instance.domain }}: Seite aktivieren"
file:
src: "/etc/nginx/sites-available/{{ domain }}"
dest: "/etc/nginx/sites-enabled/{{ domain }}"
src: "/etc/nginx/sites-available/{{ instance.domain }}"
dest: "/etc/nginx/sites-enabled/{{ instance.domain }}"
state: link
notify: reload nginx
delegate_to: "{{ gateway_host }}"
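Review bot: `mode: 0644` on the proxy template task is an unquoted octal literal; YAML 1.1 reads it as the integer 420, which happens to equal 0o644 so it works here, but the form is fragile (`644` without the leading zero would silently become 0o1204), and the convention is the string `mode: "0644"` — the same applies to `mode: 0644` in php.yml and the two `mode: 0755` lines in nextcloud.yml. `command: dehydrated --cron -g` has neither `changed_when` nor `creates`, so every run reports a change and re-runs the certificate job even when `domains.txt` was not touched; register the `lineinfile` result and run the command `when:` that task changed, or at minimum set `changed_when: false`. The commented-out `# when: dehydrated_installiert` is dead text and should either become a real condition or be removed.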


@ -1,4 +1,6 @@
---
- import_tasks: version.yml
tags: version
- import_tasks: packages.yml
- import_tasks: gateway.yml
- import_tasks: database.yml
@ -6,7 +8,11 @@
- import_tasks: php.yml
- import_tasks: apache.yml
- import_tasks: redis.yml
- import_tasks: nextcloud.yml
- name: "Nextcloud-Task"
include_tasks: nextcloud.yml
tags: nextcloud
- import_task: fixes.yml
when: nc_is_installed.stat.exists == False
- import_tasks: fixes.yml
tags: fixes
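Review bot: `tags: nextcloud` on an `include_tasks` applies only to the include statement itself, not to the tasks inside nextcloud.yml, so `--tags nextcloud` runs the include and then skips every included task; either keep `import_tasks` (its `when:` is applied to each imported task as well) or add `apply: { tags: nextcloud }` alongside the `tags:`. The `when: nc_is_installed.stat.exists == False` depends on a fact registered in version.yml, which is now tagged `version`; a run limited to `--tags nextcloud` or `--tags fixes` skips version.yml and fails on the undefined `nc_is_installed`, so that import should carry `tags: [version, always]`. Idiomatically the condition reads `when: not nc_is_installed.stat.exists`. fixes.yml is still imported unconditionally, so on a fresh install its `when:` sees the skipped `nc_installed_version` result from version.yml.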


@ -1,12 +1,11 @@
---
- name: "NC Verzeichnis prüfen"
- name: "nextcloud: {{ instance.domain }}: Verzeichnis prüfen"
file:
path: "{{ nextcloud_install_path }}"
mode: 0755
state: directory
- name: "NC herunterladen und entpacken"
- name: "nextcloud: {{ instance.domain }}: herunterladen und entpacken"
unarchive:
src: "{{ nextcloud_dl_url }}/{{ nextcloud_version }}.tar.bz2"
remote_src: true
@ -17,37 +16,37 @@
group: "{{ user }}"
mode: 0755
- name: "NC Installation"
- name: "nextcloud: {{ instance.domain }}: Installation"
command: >
php "{{ nextcloud_install_path }}"/occ maintenance:install --database "mysql"
--database-name "{{ database }}" --database-user "{{ database }}"
--database-name "{{ instance.database }}" --database-user "{{ instance.database }}"
--database-pass "{{ lookup('password', '/tmp/nc_db_password chars=ascii_letters') }}" --database-host "{{ database_host }}"
--admin-user "{{ nextcloud_admin_user }}" --admin-pass "{{ nextcloud_admin_pw }}"
become: true
become_user: "{{ user }}"
become_user: "{{ instance.user }}"
changed_when: true
#todo: Auch auf instances.alias anwenden
- name: "NC trusted domains einrichten"
- name: "nextcloud: {{ instance.domain }}: trusted domains einrichten"
command: 'php {{ nextcloud_install_path }}/occ config:system:set trusted_domains {{ item.0 }} --value "{{ item.1 }}"'
become: true
become_user: "{{ name }}"
become_user: "{{ instance.user }}"
changed_when: true
with_indexed_items:
- '{{ nextcloud_trusted_domains }}'
- name: "NC cron einrichten"
- name: "nextcloud: {{ instance.domain }}: cron einrichten"
cron:
name: "nextcloud {{ domain }}"
name: "nextcloud {{ instance.domain }}"
minute: "*/5"
user: "{{ user }}"
user: "{{ instance.user }}"
job: "php -f {{ nextcloud_install_path}}/cron.php"
cron_file: "nextcloud"
- name: "NC allgemeie Konfiguration"
- name: "nextcloud: {{ instance.domain }}: allgemeie Konfiguration"
command: "{{ item }}"
become: true
become_user: "{{ user }}"
become_user: "{{ instance.user }}"
changed_when: true
with_items:
- "php {{ nextcloud_install_path }}/occ app:enable encryption"
@ -55,14 +54,14 @@
- 'php {{ nextcloud_install_path }}/occ config:system:set memcache.local --value "\\OC\\Memcache\\APCu"'
- 'php {{ nextcloud_install_path }}/occ config:system:set memcache.distributed --value "\OC\Memcache\Redis"'
- "php {{ nextcloud_install_path }}/occ background:cron"
- 'php {{ nextcloud_install_path }}/occ config:system:set overwrite.cli.url --value https://{{ domain }}'
- 'php {{ nextcloud_install_path }}/occ config:system:set overwrite.cli.url --value https://{{ instance.domain }}'
- 'php {{ nextcloud_install_path }}/occ config:system:set htaccess.RewriteBase --value /'
- 'php {{ nextcloud_install_path }}/occ maintenance:update:htaccess'
- 'php {{ nextcloud_install_path }}/occ config:system:set default_language --value "de"'
- 'php {{ nextcloud_install_path }}/occ config:system:set default_phone_region --value "DE"'
- 'php {{ nextcloud_install_path }}/occ config:system:set loglevel --value "1"'
- name: "NC Mailversand einrichten"
- name: "nextcloud: {{ instance.domain }}: Mailversand einrichten"
blockinfile:
path: "{{ nextcloud_config_file }}"
insertbefore: '^\);'
@ -76,7 +75,7 @@
'mail_smtphost' => '{{ nextcloud_smtp_host }}',
'mail_smtpport' => '{{ nextcloud_smtp_port}}',
- name: "NC Filelocking"
- name: "nextcloud: {{ instance.domain }}: Filelocking"
blockinfile:
path: "{{ nextcloud_config_file }}"
insertbefore: '^\);'
@ -90,10 +89,10 @@
'timeout' => 0.0,
),
- name: "NC trusted proxies einrichten"
- name: "nextcloud: {{ instance.domain }}: trusted proxies einrichten"
command: 'php {{ nextcloud_install_path }}/occ config:system:set trusted_proxies {{ item.0 }} --value "{{ item.1 }}"'
become: true
become_user: "{{ user }}"
become_user: "{{ instance.user }}"
changed_when: true
with_indexed_items:
- '{{ nextcloud_trusted_proxies }}'
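Review bot: `group: "{{ user }}"` at the top of the second hunk (file ownership of the `unarchive` task, whose start lies outside the hunk) still references the bare `user` variable while every other occurrence in this commit moved to `instance.user`; unless `user` is still defined for instance runs, the download-and-extract task fails with an undefined variable, so it should read `group: "{{ instance.user }}"`, and the `owner:` line just above it outside the hunk likely needs the same change. The `maintenance:install` command passes `--admin-pass` and `--database-pass` on the command line, which shows up in Ansible's output at `-v` and in the host's process list for the duration of the install; add `no_log: true` to that task. The `#todo: Auch auf instances.alias anwenden` note is still open, and the trusted_domains task only walks `nextcloud_trusted_domains`, so an alias domain is not yet trusted. `{{ nextcloud_install_path}}` in the cron job is missing a space before the closing braces; it renders fine, but it is inconsistent with the rest of the file.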


@ -1,9 +1,9 @@
---
- name: "Pakete Fakten sammeln"
- name: "packages: Fakten sammeln"
package_facts:
manager: apt
- name: "Pakete Datenbank installieren"
- name: "packages: Datenbank-Pakete installieren"
apt:
pkg:
- python-pymysql
@ -11,7 +11,7 @@
cache_valid_time: 3600
delegate_to: "{{ database_host }}"
- name: "Pakete installieren"
- name: "packages: Pakete installieren"
apt:
pkg:
- php-redis


@ -1,18 +1,17 @@
---
- name: "PHP FPM-Nutzer anlegen"
- name: "php: {{ instance.domain }}: FPM-Nutzer anlegen"
user:
name: "{{ user }}"
name: "{{ instance.user }}"
create_home: no
password: "!"
groups: redis
shell: /bin/false
state: present
- name: "PHP FPM-Pool einrichten"
- name: "php: {{ instance.domain }}: FPM-Pool einrichten"
template:
src: php_fpm_pool.j2
dest: "/etc/php/{{ php_version }}/fpm/pool.d/{{ user }}.conf"
dest: "/etc/php/{{ php_version }}/fpm/pool.d/{{ instance.user }}.conf"
owner: root
group: root
mode: 0644
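Review bot: `groups: redis` adds every instance's FPM user to the `redis` group; together with `memcache.distributed` being set to `\OC\Memcache\Redis` in nextcloud.yml this suggests all instances share one Redis socket, so each instance's PHP user can read and modify the other instances' cache and file-locking keys. If the instances are meant to be isolated from each other, consider a Redis socket per instance or, depending on the Redis version, ACL users restricted to per-instance key prefixes, and drop the shared group membership. `create_home: no` is a YAML 1.1 truthy value; write `create_home: false`. `password: "!"` with `shell: /bin/false` correctly leaves the account locked and non-interactive.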

14
tasks/version.yml Normal file

@ -0,0 +1,14 @@
---
- name: "version: {{ instance.domain }}: Prüfe NC-Installation"
stat:
path: "{{ nextcloud_install_path }}/version.php"
register: nc_is_installed
- name: "version: {{ instance.domain }}: Prüfe NC-Version"
shell:
cmd: occ -V | cut -d ' ' -f2
chdir: "{{ nextcloud_install_path }}"
become: true
become_user: "{{ instance.user }}"
register: nc_installed_version
when: nc_is_installed.stat.exists
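Review bot: `cmd: occ -V | cut -d ' ' -f2` runs with `chdir` set to the install path but invokes `occ` as a bare command, and the working directory is not on the `become_user`'s PATH, so this most likely fails with "command not found" (or depends on the execute bit of `occ`); the rest of the role invokes it as `php {{ nextcloud_install_path }}/occ …`, and `cmd: php occ -V | cut -d ' ' -f2` keeps the probe consistent with that. Both tasks are read-only probes, so the shell task should carry `changed_when: false`, and `check_mode: false` lets `--check` runs still register a result for the consumers in main.yml and fixes.yml. `nc_installed_version` is only registered when the install directory exists; any task that consumes it on a fresh install sees a skipped result without `stdout`.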


@ -1,21 +1,20 @@
server {
listen 80;
server_name {{ nextcloud_domain }};
server_name {{ instance.domain }};
include snippets/letsencrypt.conf;
location / { return 301 https://$http_host$request_uri; }
}
server {
server_name {{ nextcloud_domain }};
server_name {{ instance.domain }};
listen 443 ssl http2;
ssl_certificate /var/lib/dehydrated/certs/{{ nextcloud_domain }}/fullchain.pem;
ssl_certificate_key /var/lib/dehydrated/certs/{{ nextcloud_domain }}/privkey.pem;
ssl_certificate /var/lib/dehydrated/certs/{{ instance.domain }}/fullchain.pem;
ssl_certificate_key /var/lib/dehydrated/certs/{{ instance.domain }}/privkey.pem;
include /etc/nginx/proxy_params;
add_header Referrer-Policy $referrerpolicy;
add_header Strict-Transport-Security $sts;
add_header X-Content-Type-Options $xcontentoptions;
add_header X-XSS-Protection $xxssprotection;
# include /etc/nginx/snippets/hpkp.conf;
location ~ /.well-known/(carddav|caldav) {
return 301 $scheme://$host/remote.php/dav;
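Review bot: `return 301 https://$http_host$request_uri;` in the port-80 block redirects to whatever `Host` header the client sent; now that `server_name` is the instance's own domain, redirecting to the literal name removes the client-controlled redirect target: `return 301 https://{{ instance.domain }}$request_uri;` (the `.well-known` redirect below already uses `$host`, which is the safer of the two variables). nginx's `add_header` directives are not inherited into a `location` that declares its own `add_header`, so any such location in the part of this server block that continues past the hunk would silently drop the security headers set here. The second `server` block runs past the hunk, so its remaining directives were not reviewed.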


@ -1,4 +1,4 @@
[{{ common_name }}]
[{{ instance.user }}]
;prefix = /path/to/pools/$pool
user = $pool
group = www-data