From b33a0147290c9703a7403c0ec87a4b8447ba402f Mon Sep 17 00:00:00 2001
From: phil
Date: Sat, 26 Jun 2021 01:45:06 +0200
Subject: [PATCH] Fixes fuer zentrale Instancen-Verwaltung

---
 defaults/main.yml         | 11 ++---------
 tasks/apache.yml          |  6 +++---
 tasks/database.yml        | 10 +++++-----
 tasks/fixes.yml           | 14 +++-----------
 tasks/gateway.yml         | 16 ++++++++--------
 tasks/main.yml            | 10 ++++++++--
 tasks/nextcloud.yml       | 35 +++++++++++++++++------------------
 tasks/packages.yml        |  6 +++---
 tasks/php.yml             |  9 ++++-----
 tasks/version.yml         | 14 ++++++++++++++
 templates/nginx_site.j2   |  9 ++++-----
 templates/php_fpm_pool.j2 |  2 +-
 12 files changed, 72 insertions(+), 70 deletions(-)
 create mode 100644 tasks/version.yml

diff --git a/defaults/main.yml b/defaults/main.yml
index edf563e..9e731a4 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -4,21 +4,14 @@ mysql_socket: /var/run/mysqld/mysqld.sock
 nextcloud_admin_pw: admin
 nextcloud_admin_user: systemausfall.org
 nextcloud_admin_pw: admin
-nextcloud_database_host: database.kahlo
 nextcloud_dl_url: https://download.nextcloud.com/server/releases
-nextcloud_gateway: kahlo.kahlo
-nextcloud_host: sl-nextcloud.kahlo
-nextcloud_mysql_db: "nc_{{ common_name }}"
-nextcloud_mysql_pw: admin
-nextcloud_mysql_user: "nc_{{ common_name }}"
-nextcloud_install_path: "/data/nextcloud/{{ nextcloud_domain }}"
+nextcloud_install_path: "/data/nextcloud/{{ instance.domain }}"
 nextcloud_config_file: "{{ nextcloud_install_path }}/config/config.php"
 nextcloud_php_memory_limit: 512M
 nextcloud_php_upload_limit: 512M
-nextcloud_trusted_domains: ['localhost', '{{ nextcloud_domain }}']
+nextcloud_trusted_domains: ['localhost', '{{ instance.domain }}']
 nextcloud_trusted_proxies: ['10.42.7.1']
 nextcloud_version: nextcloud-21.0.1
-
 nextcloud_mail_from: noreply
 nextcloud_mail_domain: postfach.senselab.org
 nextcloud_smtp_auth_type: LOGIN
diff --git a/tasks/apache.yml b/tasks/apache.yml
index 427107e..1fa6520 100644
--- a/tasks/apache.yml
+++ b/tasks/apache.yml
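Review bot: `nextcloud_admin_pw: admin` appears twice in the surviving context of this hunk (once before and once after `nextcloud_admin_user`); YAML parsers silently keep the last value and yamllint's `key-duplicates` rejects the file, so one of the two lines should go. Keeping a working admin password as a role default also means every instance rolled out without an override is created with `admin`/`admin` by the `maintenance:install` task; consider leaving `nextcloud_admin_pw` out of the defaults entirely so an unset value fails fast, and supplying it per instance from the inventory or a vault, in the same spirit as the removal of `nextcloud_mysql_pw` in this hunk.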
@@ -1,5 +1,5 @@
 ---
-- name: "Apache Module laden"
+- name: "apache: {{ instance.domain }}: Module laden"
   apache2_module:
     state: present
     name: "{{ item }}"
@@ -9,9 +9,9 @@
     - setenvif
   notify: restart apache
 
-- name: "Apache Seite einrichten"
+- name: "apache: {{ instance.domain }}: Seite einrichten"
   lineinfile:
     path: /etc/apache2/conf-available/nextcloud_sites.conf
     insertafter: "^Ansbile"
-    line: "Use NCSite {{ domain }} {{ user }}"
+    line: "Use NCSite {{ instance.domain }} {{ instance.user }}"
   notify: reload apache
diff --git a/tasks/database.yml b/tasks/database.yml
index c59c7c3..b6c5b0a 100644
--- a/tasks/database.yml
+++ b/tasks/database.yml
@@ -1,19 +1,19 @@
 ---
-- name: "Datenbank einrichten"
+- name: "database: {{ instance.domain }}: Datenbank einrichten"
   mysql_db:
-    name: "{{ database }}"
+    name: "{{ instance.database }}"
     state: present
     login_unix_socket: "{{ mysql_socket }}"
     login_user: root
     config_file: /etc/mysql/debian.cnf
   delegate_to: "{{ database_host }}"
 
-- name: "Datenbank Benutzer einrichten"
+- name: "database: {{ instance.domain }}: Benutzer einrichten"
   mysql_user:
-    name: "{{ database }}"
+    name: "{{ instance.database }}"
     host: "{{ inventory_hostname }}"
     password: "{{ lookup('password', '/tmp/nc_db_password chars=ascii_letters') }}"
-    priv: "{{ database }}.*:ALL"
+    priv: "{{ instance.database }}.*:ALL"
     state: present
     login_unix_socket: "{{ mysql_socket }}"
     login_user: root
diff --git a/tasks/fixes.yml b/tasks/fixes.yml
index 8a905f1..257bf56 100644
--- a/tasks/fixes.yml
+++ b/tasks/fixes.yml
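Review bot: `insertafter: "^Ansbile"` on the lineinfile task in the second hunk looks like a misspelling of `Ansible`; if no line in nextcloud_sites.conf matches that pattern, lineinfile appends the new `Use NCSite {{ instance.domain }} {{ instance.user }}` line at the end of the file instead of after the intended marker. Whether that is the case depends on the marker text actually present in that file, which this diff does not show; if it is a typo, `insertafter: "^Ansible"` is the fix.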
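Review bot: The mysql_user task reads every instance's password from the same file, `lookup('password', '/tmp/nc_db_password chars=ascii_letters')`, so now that the user name is per-instance (`instance.database`) all instances' database users share one password, and that password is kept in the control node's `/tmp`, which is world-traversable and does not survive a reboot. A per-instance path outside `/tmp`, e.g. `password: "{{ lookup('password', 'credentials/' ~ instance.database ~ ' chars=ascii_letters') }}"`, keeps the credentials distinct and persistent; the `maintenance:install` command in tasks/nextcloud.yml reads the same lookup and must be changed in step, otherwise the application is configured with a different password than the database grants.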
@@ -1,16 +1,8 @@
 ---
-- name: "fixes: Prüfe NC-Version"
-  shell:
-    cmd: occ -V | cut -d ' ' -f2
-    chdir: "{{ nextcloud_install_path }}"
-  become: true
-  become_user: "{{ common_name }}"
-  register: nc_installed_version
-
-- name: "fixes: https://github.com/nextcloud/files_pdfviewer/issues/381"
+- name: "fixes: {{ instance.domain }} https://github.com/nextcloud/files_pdfviewer/issues/381"
   get_url:
     url: https://raw.githubusercontent.com/nextcloud/files_pdfviewer/6d81ffbb65c3758bece144e0aff07b4a0ad20eef/js/files_pdfviewer-main.js
     dest: "{{ nextcloud_install_path }}/apps/files_pdfviewer/js/files_pdfviewer-main.js"
-    owner: "{{ common_name }}"
-    group: "{{ common_name }}"
+    owner: "{{ instance.user }}"
+    group: "{{ instance.user }}"
   when: nc_installed_version >= "21.0.2"
diff --git a/tasks/gateway.yml b/tasks/gateway.yml
index 812a19e..5f7e5ec 100644
--- a/tasks/gateway.yml
+++ b/tasks/gateway.yml
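Review bot: `when: nc_installed_version >= "21.0.2"` now compares the whole registered result of the version task in tasks/version.yml (a dict with `stdout`, `rc`, …) against a string, and even with `.stdout` the `>=` is a lexicographic comparison that orders `21.0.10` before `21.0.2`; on a fresh install the version task is skipped, so `.stdout` is not set at all. `when: nc_installed_version.stdout is defined and nc_installed_version.stdout is version('21.0.2', '>=')` covers both cases. Since the get_url task overwrites a JavaScript file inside the installed app tree, it would also be worth pinning the downloaded content with `checksum: "sha256:<DIGEST-PLACEHOLDER>"` in addition to the commit hash in the URL, so a changed or tampered response is rejected rather than written into the web root.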
@@ -1,29 +1,29 @@
 ---
-- name: "Gateway Domain zur Zertifikatsliste hinzufügen"
+- name: "gateway: {{ instance.domain }}: Domain zur Zertifikatsliste hinzufügen"
   lineinfile:
     path: /etc/dehydrated/domains.txt
     insertafter: "^# nextcloud"
-    line: "{{ domain }}"
+    line: "{{ instance.domain }}"
   # when: dehydrated_installiert
   delegate_to: "{{ gateway_host }}"
 
-- name: "Gateway Zertifikat erstellen"
+- name: "gateway: {{ instance.domain }}: Zertifikat erstellen"
   command: dehydrated --cron -g
   delegate_to: "{{ gateway_host }}"
 
-- name: "Gateway Proxy einrichten"
+- name: "gateway: {{ instance.domain }}: Proxy einrichten"
   template:
     src: nginx_site.j2
-    dest: "/etc/nginx/sites-available/{{ domain }}"
+    dest: "/etc/nginx/sites-available/{{ instance.domain }}"
     owner: root
     group: root
     mode: 0644
   delegate_to: "{{ gateway_host }}"
 
-- name: "Gateway Seite aktivieren"
+- name: "gateway: {{ instance.domain }}: Seite aktivieren"
   file:
-    src: "/etc/nginx/sites-available/{{ domain }}"
-    dest: "/etc/nginx/sites-enabled/{{ domain }}"
+    src: "/etc/nginx/sites-available/{{ instance.domain }}"
+    dest: "/etc/nginx/sites-enabled/{{ instance.domain }}"
     state: link
   notify: reload nginx
   delegate_to: "{{ gateway_host }}"
diff --git a/tasks/main.yml b/tasks/main.yml
index e78dbf8..db83423 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,4 +1,6 @@
 ---
+- import_tasks: version.yml
+  tags: version
 - import_tasks: packages.yml
 - import_tasks: gateway.yml
 - import_tasks: database.yml
@@ -6,7 +8,11 @@
 - import_tasks: php.yml
 - import_tasks: apache.yml
 - import_tasks: redis.yml
-- import_tasks: nextcloud.yml
+
+- name: "Nextcloud-Task"
+  include_tasks: nextcloud.yml
   tags: nextcloud
-- import_task: fixes.yml
+  when: nc_is_installed.stat.exists == False
+
+- import_tasks: fixes.yml
   tags: fixes
diff --git a/tasks/nextcloud.yml b/tasks/nextcloud.yml
index a76d000..44b8cdb 100644
--- a/tasks/nextcloud.yml
+++ b/tasks/nextcloud.yml
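Review bot: `command: dehydrated --cron -g` has neither `creates` nor `changed_when`, so the task re-runs certificate issuance and reports `changed` on every play for every instance; the certificate path is known from templates/nginx_site.j2, so `args: creates: "/var/lib/dehydrated/certs/{{ instance.domain }}/fullchain.pem"` would make the initial issuance idempotent (assuming renewal is handled by dehydrated's own cron, which this diff does not show). As a point of style, `mode: 0644` here and in tasks/php.yml, and `mode: 0755` in tasks/nextcloud.yml, are unquoted octal literals that YAML 1.1 parsers read as the integers 420 and 493; Ansible maps those back correctly, but `mode: "0644"` is the documented form and is what yamllint accepts.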
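Review bot: `tags: nextcloud` on an `include_tasks` statement applies to the include itself, not to the tasks inside nextcloud.yml, so a run with `--tags nextcloud` executes the include and then skips every included task (the replaced `import_tasks` propagated the tag); the `apply` form restores the old behaviour, and `not nc_is_installed.stat.exists` reads better than `== False`. The `version.yml` import added in the first hunk of this file carries only `tags: version`, so a run limited to `--tags nextcloud` or `--tags fixes` never registers `nc_is_installed` and this `when` fails on an undefined variable; `tags: [always, version]` on that import avoids it.
```yaml
- name: "Nextcloud-Task"
  include_tasks:
    file: nextcloud.yml
    apply:
      tags: nextcloud
  tags: nextcloud
  when: not nc_is_installed.stat.exists
```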
@@ -1,12 +1,11 @@
 ---
-
-- name: "NC Verzeichnis prüfen"
+- name: "nextcloud: {{ instance.domain }}: Verzeichnis prüfen"
   file:
     path: "{{ nextcloud_install_path }}"
     mode: 0755
     state: directory
 
-- name: "NC herunterladen und entpacken"
+- name: "nextcloud: {{ instance.domain }}: herunterladen und entpacken"
   unarchive:
     src: "{{ nextcloud_dl_url }}/{{ nextcloud_version }}.tar.bz2"
     remote_src: true
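Review bot: The `unarchive` task fetches `{{ nextcloud_dl_url }}/{{ nextcloud_version }}.tar.bz2` and extracts it into the install path with no integrity check; `unarchive` has no `checksum` option, so a truncated or substituted archive goes straight into the web root. Downloading first with `get_url`, which can verify against the `.sha256` file published next to each release, and then unarchiving the local copy closes that gap; the rest of the unarchive task (`dest`, ownership, mode) lies outside this hunk and stays as it is. A same-origin checksum only catches transfer corruption or a swapped file; verifying the detached `.asc` signature would additionally protect against a compromised download host.
```yaml
- name: "nextcloud: {{ instance.domain }}: herunterladen"
  get_url:
    url: "{{ nextcloud_dl_url }}/{{ nextcloud_version }}.tar.bz2"
    dest: "/var/tmp/{{ nextcloud_version }}.tar.bz2"
    checksum: "sha256:{{ nextcloud_dl_url }}/{{ nextcloud_version }}.tar.bz2.sha256"

- name: "nextcloud: {{ instance.domain }}: entpacken"
  unarchive:
    src: "/var/tmp/{{ nextcloud_version }}.tar.bz2"
    remote_src: true
    # … unchanged: dest, owner, group, mode …
```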
@@ -17,37 +16,37 @@ group: "{{ user }}" mode: 0755 -- name: "NC Installation" +- name: "nextcloud: {{ instance.domain }}: Installation" command: > php "{{ nextcloud_install_path }}"/occ maintenance:install --database "mysql" - --database-name "{{ database }}" --database-user "{{ database }}" + --database-name "{{ instance.database }}" --database-user "{{ instance.database }}" --database-pass "{{ lookup('password', '/tmp/nc_db_password chars=ascii_letters') }}" --database-host "{{ database_host }}" --admin-user "{{ nextcloud_admin_user }}" --admin-pass "{{ nextcloud_admin_pw }}" become: true - become_user: "{{ user }}" + become_user: "{{ instance.user }}" changed_when: true #todo: Auch auf instances.alias anwenden -- name: "NC trusted domains einrichten" +- name: "nextcloud: {{ instance.domain }}: trusted domains einrichten" command: 'php {{ nextcloud_install_path }}/occ config:system:set trusted_domains {{ item.0 }} --value "{{ item.1 }}"' become: true - become_user: "{{ name }}" + become_user: "{{ instance.user }}" changed_when: true with_indexed_items: - '{{ nextcloud_trusted_domains }}' -- name: "NC cron einrichten" +- name: "nextcloud: {{ instance.domain }}: cron einrichten" cron: - name: "nextcloud {{ domain }}" + name: "nextcloud {{ instance.domain }}" minute: "*/5" - user: "{{ user }}" + user: "{{ instance.user }}" job: "php -f {{ nextcloud_install_path}}/cron.php" cron_file: "nextcloud" -- name: "NC allgemeie Konfiguration" +- name: "nextcloud: {{ instance.domain }}: allgemeie Konfiguration" command: "{{ item }}" become: true - become_user: "{{ user }}" + become_user: "{{ instance.user }}" changed_when: true with_items: - "php {{ nextcloud_install_path }}/occ app:enable encryption" 
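Review bot: The context line `group: "{{ user }}"` at the top of this hunk is the tail of the unarchive task (its head lies outside the hunk) and still uses the old per-instance variable `user`, while every other reference in this commit moved to `instance.user`; unless the caller still defines `user`, extracting the archive fails on an undefined variable, and the task's `owner` line, if it has one, presumably needs the same change: `group: "{{ instance.user }}"`. Separately, the `maintenance:install` command passes `--database-pass` and `--admin-pass` on the command line, so on failure or with `-v` both passwords are printed in the play output and end up in any log of the run; add `no_log: true` to that task.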
@@ -55,14 +54,14 @@
     - 'php {{ nextcloud_install_path }}/occ config:system:set memcache.local --value "\\OC\\Memcache\\APCu"'
     - 'php {{ nextcloud_install_path }}/occ config:system:set memcache.distributed --value "\OC\Memcache\Redis"'
     - "php {{ nextcloud_install_path }}/occ background:cron"
-    - 'php {{ nextcloud_install_path }}/occ config:system:set overwrite.cli.url --value https://{{ domain }}'
+    - 'php {{ nextcloud_install_path }}/occ config:system:set overwrite.cli.url --value https://{{ instance.domain }}'
     - 'php {{ nextcloud_install_path }}/occ config:system:set htaccess.RewriteBase --value /'
     - 'php {{ nextcloud_install_path }}/occ maintenance:update:htaccess'
     - 'php {{ nextcloud_install_path }}/occ config:system:set default_language --value "de"'
     - 'php {{ nextcloud_install_path }}/occ config:system:set default_phone_region --value "DE"'
     - 'php {{ nextcloud_install_path }}/occ config:system:set loglevel --value "1"'
 
-- name: "NC Mailversand einrichten"
+- name: "nextcloud: {{ instance.domain }}: Mailversand einrichten"
   blockinfile:
     path: "{{ nextcloud_config_file }}"
     insertbefore: '^\);'
@@ -76,7 +75,7 @@
       'mail_smtphost' => '{{ nextcloud_smtp_host }}',
       'mail_smtpport' => '{{ nextcloud_smtp_port}}',
 
-- name: "NC Filelocking"
+- name: "nextcloud: {{ instance.domain }}: Filelocking"
   blockinfile:
     path: "{{ nextcloud_config_file }}"
     insertbefore: '^\);'
@@ -90,10 +89,10 @@
       'timeout' => 0.0,
       ),
 
-- name: "NC trusted proxies einrichten"
+- name: "nextcloud: {{ instance.domain }}: trusted proxies einrichten"
   command: 'php {{ nextcloud_install_path }}/occ config:system:set trusted_proxies {{ item.0 }} --value "{{ item.1 }}"'
   become: true
-  become_user: "{{ user }}"
+  become_user: "{{ instance.user }}"
   changed_when: true
   with_indexed_items:
     - '{{ nextcloud_trusted_proxies }}'
diff --git a/tasks/packages.yml b/tasks/packages.yml
index 3d13d83..65dee09 100644
--- a/tasks/packages.yml
+++ b/tasks/packages.yml
@@ -1,9 +1,9 @@
 ---
-- name: "Pakete Fakten sammeln"
+- name: "packages: Fakten sammeln"
   package_facts:
     manager: apt
 
-- name: "Pakete Datenbank installieren"
+- name: "packages: Datenbank-Pakete installieren"
   apt:
     pkg:
       - python-pymysql
@@ -11,7 +11,7 @@
     cache_valid_time: 3600
   delegate_to: "{{ database_host }}"
 
-- name: "Pakete installieren"
+- name: "packages: Pakete installieren"
   apt:
     pkg:
       - php-redis
diff --git a/tasks/php.yml b/tasks/php.yml
index 951c109..0415fa6 100644
--- a/tasks/php.yml
+++ b/tasks/php.yml
@@ -1,18 +1,17 @@
 ---
-
-- name: "PHP FPM-Nutzer anlegen"
+- name: "php: {{ instance.domain }}: FPM-Nutzer anlegen"
   user:
-    name: "{{ user }}"
+    name: "{{ instance.user }}"
     create_home: no
     password: "!"
     groups: redis
     shell: /bin/false
     state: present
 
-- name: "PHP FPM-Pool einrichten"
+- name: "php: {{ instance.domain }}: FPM-Pool einrichten"
   template:
     src: php_fpm_pool.j2
-    dest: "/etc/php/{{ php_version }}/fpm/pool.d/{{ user }}.conf"
+    dest: "/etc/php/{{ php_version }}/fpm/pool.d/{{ instance.user }}.conf"
     owner: root
     group: root
     mode: 0644
diff --git a/tasks/version.yml b/tasks/version.yml
new file mode 100644
index 0000000..d6cbaa0
--- /dev/null
+++ b/tasks/version.yml
@@ -0,0 +1,14 @@
+---
+- name: "version: {{ instance.domain }}: Prüfe NC-Installation"
+  stat:
+    path: "{{ nextcloud_install_path }}/version.php"
+  register: nc_is_installed
+
+- name: "version: {{ instance.domain }}: Prüfe NC-Version"
+  shell:
+    cmd: occ -V | cut -d ' ' -f2
+    chdir: "{{ nextcloud_install_path }}"
+  become: true
+  become_user: "{{ instance.user }}"
+  register: nc_installed_version
+  when: nc_is_installed.stat.exists
diff --git a/templates/nginx_site.j2 b/templates/nginx_site.j2
index fcac02e..8e436da 100644
--- a/templates/nginx_site.j2
+++ b/templates/nginx_site.j2
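Review bot: In the new tasks/version.yml, `cmd: occ -V | cut -d ' ' -f2` resolves `occ` through PATH rather than from the `chdir` directory, so unless an `occ` wrapper is installed system-wide the shell reports a missing command, and because `cut` still exits 0 the pipeline succeeds with an empty `nc_installed_version.stdout`, masking the error; `cmd: ./occ -V | cut -d ' ' -f2` (or `php occ -V | cut -d ' ' -f2`) runs the instance's own script. The task is read-only, so `changed_when: false` belongs on it to stop every run reporting a change. Its registered result is consumed in tasks/fixes.yml as a bare `nc_installed_version >= "21.0.2"`, which needs `.stdout` and a `version` test to work.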
@@ -1,21 +1,20 @@ server { listen 80; - server_name {{ nextcloud_domain }}; + server_name {{ instance.domain }}; include snippets/letsencrypt.conf; location / { return 301 https://$http_host$request_uri; } } server { - server_name {{ nextcloud_domain }}; + server_name {{ instance.domain }}; listen 443 ssl http2; - ssl_certificate /var/lib/dehydrated/certs/{{ nextcloud_domain }}/fullchain.pem; - ssl_certificate_key /var/lib/dehydrated/certs/{{ nextcloud_domain }}/privkey.pem; + ssl_certificate /var/lib/dehydrated/certs/{{ instance.domain }}/fullchain.pem; + ssl_certificate_key /var/lib/dehydrated/certs/{{ instance.domain }}/privkey.pem; include /etc/nginx/proxy_params; add_header Referrer-Policy $referrerpolicy; add_header Strict-Transport-Security $sts; add_header X-Content-Type-Options $xcontentoptions; add_header X-XSS-Protection $xxssprotection; -# include /etc/nginx/snippets/hpkp.conf; location ~ /.well-known/(carddav|caldav) { return 301 $scheme://$host/remote.php/dav; diff --git a/templates/php_fpm_pool.j2 b/templates/php_fpm_pool.j2 index f4ba75a..5d7b124 100644 --- a/templates/php_fpm_pool.j2 +++ b/templates/php_fpm_pool.j2 @@ -1,4 +1,4 @@ -[{{ common_name }}] +[{{ instance.user }}] ;prefix = /path/to/pools/$pool user = $pool group = www-data