Fixes fuer zentrale Instancen-Verwaltung

phil 2021-06-26 01:45:06 +02:00
parent e63c995f11
commit b33a014729
12 changed files with 72 additions and 70 deletions


@ -4,21 +4,14 @@ mysql_socket: /var/run/mysqld/mysqld.sock
nextcloud_admin_pw: admin nextcloud_admin_pw: admin
nextcloud_admin_user: systemausfall.org nextcloud_admin_user: systemausfall.org
nextcloud_admin_pw: admin nextcloud_admin_pw: admin
nextcloud_database_host: database.kahlo
nextcloud_dl_url: https://download.nextcloud.com/server/releases nextcloud_dl_url: https://download.nextcloud.com/server/releases
nextcloud_gateway: kahlo.kahlo nextcloud_install_path: "/data/nextcloud/{{ instance.domain }}"
nextcloud_host: sl-nextcloud.kahlo
nextcloud_mysql_db: "nc_{{ common_name }}"
nextcloud_mysql_pw: admin
nextcloud_mysql_user: "nc_{{ common_name }}"
nextcloud_install_path: "/data/nextcloud/{{ nextcloud_domain }}"
nextcloud_config_file: "{{ nextcloud_install_path }}/config/config.php" nextcloud_config_file: "{{ nextcloud_install_path }}/config/config.php"
nextcloud_php_memory_limit: 512M nextcloud_php_memory_limit: 512M
nextcloud_php_upload_limit: 512M nextcloud_php_upload_limit: 512M
nextcloud_trusted_domains: ['localhost', '{{ nextcloud_domain }}'] nextcloud_trusted_domains: ['localhost', '{{ instance.domain }}']
nextcloud_trusted_proxies: ['10.42.7.1'] nextcloud_trusted_proxies: ['10.42.7.1']
nextcloud_version: nextcloud-21.0.1 nextcloud_version: nextcloud-21.0.1
nextcloud_mail_from: noreply nextcloud_mail_from: noreply
nextcloud_mail_domain: postfach.senselab.org nextcloud_mail_domain: postfach.senselab.org
nextcloud_smtp_auth_type: LOGIN nextcloud_smtp_auth_type: LOGIN
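Review bot: `nextcloud_admin_pw: admin` appears twice in this hunk (first and third lines, both rendered as unchanged), and because YAML parsers silently keep the last duplicate, one of the two keys should be dropped. The bigger issue is the value: this default is fed to `occ maintenance:install --admin-pass` in nextcloud.yml, so every instance created by this role comes up with an `admin` password unless each inventory overrides it. A role default should not be a working credential; remove the default so the play fails on an undefined variable, or supply it per instance from an Ansible Vault file, and consider an `assert` task that refuses `nextcloud_admin_pw == "admin"` before the install step runs.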


@ -1,5 +1,5 @@
--- ---
- name: "Apache Module laden" - name: "apache: {{ instance.domain }}: Module laden"
apache2_module: apache2_module:
state: present state: present
name: "{{ item }}" name: "{{ item }}"
@ -9,9 +9,9 @@
- setenvif - setenvif
notify: restart apache notify: restart apache
- name: "Apache Seite einrichten" - name: "apache: {{ instance.domain }}: Seite einrichten"
lineinfile: lineinfile:
path: /etc/apache2/conf-available/nextcloud_sites.conf path: /etc/apache2/conf-available/nextcloud_sites.conf
insertafter: "^Ansbile" insertafter: "^Ansbile"
line: "Use NCSite {{ domain }} {{ user }}" line: "Use NCSite {{ instance.domain }} {{ instance.user }}"
notify: reload apache notify: reload apache


@ -1,19 +1,19 @@
--- ---
- name: "Datenbank einrichten" - name: "database: {{ instance.domain }}: Datenbank einrichten"
mysql_db: mysql_db:
name: "{{ database }}" name: "{{ instance.database }}"
state: present state: present
login_unix_socket: "{{ mysql_socket }}" login_unix_socket: "{{ mysql_socket }}"
login_user: root login_user: root
config_file: /etc/mysql/debian.cnf config_file: /etc/mysql/debian.cnf
delegate_to: "{{ database_host }}" delegate_to: "{{ database_host }}"
- name: "Datenbank Benutzer einrichten" - name: "database: {{ instance.domain }}: Benutzer einrichten"
mysql_user: mysql_user:
name: "{{ database }}" name: "{{ instance.database }}"
host: "{{ inventory_hostname }}" host: "{{ inventory_hostname }}"
password: "{{ lookup('password', '/tmp/nc_db_password chars=ascii_letters') }}" password: "{{ lookup('password', '/tmp/nc_db_password chars=ascii_letters') }}"
priv: "{{ database }}.*:ALL" priv: "{{ instance.database }}.*:ALL"
state: present state: present
login_unix_socket: "{{ mysql_socket }}" login_unix_socket: "{{ mysql_socket }}"
login_user: root login_user: root
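Review bot: `lookup('password', '/tmp/nc_db_password chars=ascii_letters')` in the "Benutzer einrichten" task keys the generated secret on one fixed path, so now that the task is driven per `instance.database` every instance's DB user receives the same password, and a compromised config.php on one instance yields the credential of all the others. The file also lives unencrypted in `/tmp` on the control node, where it is lost on reboot or cleanup; the next run then generates a fresh value that `mysql_user` writes into MariaDB while the existing config.php still holds the old one. Use a per-instance path kept with the playbook, e.g. `password: "{{ lookup('password', playbook_dir ~ '/credentials/' ~ instance.domain ~ '/db_password chars=ascii_letters,digits length=32') }}"`, add `no_log: true` to the task, and change the identical lookup in nextcloud.yml's install command in the same commit so the two stay in sync.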


@ -1,16 +1,8 @@
--- ---
- name: "fixes: Prüfe NC-Version" - name: "fixes: {{ instance.domain }} https://github.com/nextcloud/files_pdfviewer/issues/381"
shell:
cmd: occ -V | cut -d ' ' -f2
chdir: "{{ nextcloud_install_path }}"
become: true
become_user: "{{ common_name }}"
register: nc_installed_version
- name: "fixes: https://github.com/nextcloud/files_pdfviewer/issues/381"
get_url: get_url:
url: https://raw.githubusercontent.com/nextcloud/files_pdfviewer/6d81ffbb65c3758bece144e0aff07b4a0ad20eef/js/files_pdfviewer-main.js url: https://raw.githubusercontent.com/nextcloud/files_pdfviewer/6d81ffbb65c3758bece144e0aff07b4a0ad20eef/js/files_pdfviewer-main.js
dest: "{{ nextcloud_install_path }}/apps/files_pdfviewer/js/files_pdfviewer-main.js" dest: "{{ nextcloud_install_path }}/apps/files_pdfviewer/js/files_pdfviewer-main.js"
owner: "{{ common_name }}" owner: "{{ instance.user }}"
group: "{{ common_name }}" group: "{{ instance.user }}"
when: nc_installed_version >= "21.0.2" when: nc_installed_version >= "21.0.2"
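Review bot: `when: nc_installed_version >= "21.0.2"` now compares the registered result of version.yml's shell task, which is a dict, against a string; under Python 3 that raises a TypeError, and when the version task was skipped (no installation yet) there is no `stdout` at all. Even with `.stdout` a plain string comparison is wrong for versions ("21.0.10" sorts before "21.0.2"), so use the version test: `when: nc_installed_version.stdout is defined and nc_installed_version.stdout is version('21.0.2', '>=')`. Separately, the `get_url` task overwrites an app's JavaScript with content fetched from raw.githubusercontent.com without any integrity check; since the commit hash is already pinned, add `checksum: "sha256:<digest of that file>"` so a changed or tampered download is rejected rather than installed into the web root.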


@ -1,29 +1,29 @@
--- ---
- name: "Gateway Domain zur Zertifikatsliste hinzufügen" - name: "gateway: {{ instance.domain }}: Domain zur Zertifikatsliste hinzufügen"
lineinfile: lineinfile:
path: /etc/dehydrated/domains.txt path: /etc/dehydrated/domains.txt
insertafter: "^# nextcloud" insertafter: "^# nextcloud"
line: "{{ domain }}" line: "{{ instance.domain }}"
# when: dehydrated_installiert # when: dehydrated_installiert
delegate_to: "{{ gateway_host }}" delegate_to: "{{ gateway_host }}"
- name: "Gateway Zertifikat erstellen" - name: "gateway: {{ instance.domain }}: Zertifikat erstellen"
command: dehydrated --cron -g command: dehydrated --cron -g
delegate_to: "{{ gateway_host }}" delegate_to: "{{ gateway_host }}"
- name: "Gateway Proxy einrichten" - name: "gateway: {{ instance.domain }}: Proxy einrichten"
template: template:
src: nginx_site.j2 src: nginx_site.j2
dest: "/etc/nginx/sites-available/{{ domain }}" dest: "/etc/nginx/sites-available/{{ instance.domain }}"
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
delegate_to: "{{ gateway_host }}" delegate_to: "{{ gateway_host }}"
- name: "Gateway Seite aktivieren" - name: "gateway: {{ instance.domain }}: Seite aktivieren"
file: file:
src: "/etc/nginx/sites-available/{{ domain }}" src: "/etc/nginx/sites-available/{{ instance.domain }}"
dest: "/etc/nginx/sites-enabled/{{ domain }}" dest: "/etc/nginx/sites-enabled/{{ instance.domain }}"
state: link state: link
notify: reload nginx notify: reload nginx
delegate_to: "{{ gateway_host }}" delegate_to: "{{ gateway_host }}"


@ -1,4 +1,6 @@
--- ---
- import_tasks: version.yml
tags: version
- import_tasks: packages.yml - import_tasks: packages.yml
- import_tasks: gateway.yml - import_tasks: gateway.yml
- import_tasks: database.yml - import_tasks: database.yml
@ -6,7 +8,11 @@
- import_tasks: php.yml - import_tasks: php.yml
- import_tasks: apache.yml - import_tasks: apache.yml
- import_tasks: redis.yml - import_tasks: redis.yml
- import_tasks: nextcloud.yml
- name: "Nextcloud-Task"
include_tasks: nextcloud.yml
tags: nextcloud tags: nextcloud
- import_task: fixes.yml when: nc_is_installed.stat.exists == False
- import_tasks: fixes.yml
tags: fixes tags: fixes
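Review bot: `tags: nextcloud` on the new `include_tasks: nextcloud.yml` entry applies only to the include statement itself; with a dynamic include the tasks inside nextcloud.yml do not inherit the tag, so a run with `--tags nextcloud` executes the include and then skips every task it pulled in. Since the condition only needs a runtime-registered fact, a static import works here and keeps the tag inheritance the old line had: `- import_tasks: nextcloud.yml`, `tags: nextcloud`, `when: not nc_is_installed.stat.exists` (also replacing the `== False` comparison with `not`). If the dynamic include is intended, use `include_tasks: {file: nextcloud.yml, apply: {tags: [nextcloud]}}` instead.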


@ -1,12 +1,11 @@
--- ---
- name: "nextcloud: {{ instance.domain }}: Verzeichnis prüfen"
- name: "NC Verzeichnis prüfen"
file: file:
path: "{{ nextcloud_install_path }}" path: "{{ nextcloud_install_path }}"
mode: 0755 mode: 0755
state: directory state: directory
- name: "NC herunterladen und entpacken" - name: "nextcloud: {{ instance.domain }}: herunterladen und entpacken"
unarchive: unarchive:
src: "{{ nextcloud_dl_url }}/{{ nextcloud_version }}.tar.bz2" src: "{{ nextcloud_dl_url }}/{{ nextcloud_version }}.tar.bz2"
remote_src: true remote_src: true
@ -17,37 +16,37 @@
group: "{{ user }}" group: "{{ user }}"
mode: 0755 mode: 0755
- name: "NC Installation" - name: "nextcloud: {{ instance.domain }}: Installation"
command: > command: >
php "{{ nextcloud_install_path }}"/occ maintenance:install --database "mysql" php "{{ nextcloud_install_path }}"/occ maintenance:install --database "mysql"
--database-name "{{ database }}" --database-user "{{ database }}" --database-name "{{ instance.database }}" --database-user "{{ instance.database }}"
--database-pass "{{ lookup('password', '/tmp/nc_db_password chars=ascii_letters') }}" --database-host "{{ database_host }}" --database-pass "{{ lookup('password', '/tmp/nc_db_password chars=ascii_letters') }}" --database-host "{{ database_host }}"
--admin-user "{{ nextcloud_admin_user }}" --admin-pass "{{ nextcloud_admin_pw }}" --admin-user "{{ nextcloud_admin_user }}" --admin-pass "{{ nextcloud_admin_pw }}"
become: true become: true
become_user: "{{ user }}" become_user: "{{ instance.user }}"
changed_when: true changed_when: true
#todo: Auch auf instances.alias anwenden #todo: Auch auf instances.alias anwenden
- name: "NC trusted domains einrichten" - name: "nextcloud: {{ instance.domain }}: trusted domains einrichten"
command: 'php {{ nextcloud_install_path }}/occ config:system:set trusted_domains {{ item.0 }} --value "{{ item.1 }}"' command: 'php {{ nextcloud_install_path }}/occ config:system:set trusted_domains {{ item.0 }} --value "{{ item.1 }}"'
become: true become: true
become_user: "{{ name }}" become_user: "{{ instance.user }}"
changed_when: true changed_when: true
with_indexed_items: with_indexed_items:
- '{{ nextcloud_trusted_domains }}' - '{{ nextcloud_trusted_domains }}'
- name: "NC cron einrichten" - name: "nextcloud: {{ instance.domain }}: cron einrichten"
cron: cron:
name: "nextcloud {{ domain }}" name: "nextcloud {{ instance.domain }}"
minute: "*/5" minute: "*/5"
user: "{{ user }}" user: "{{ instance.user }}"
job: "php -f {{ nextcloud_install_path}}/cron.php" job: "php -f {{ nextcloud_install_path}}/cron.php"
cron_file: "nextcloud" cron_file: "nextcloud"
- name: "NC allgemeie Konfiguration" - name: "nextcloud: {{ instance.domain }}: allgemeie Konfiguration"
command: "{{ item }}" command: "{{ item }}"
become: true become: true
become_user: "{{ user }}" become_user: "{{ instance.user }}"
changed_when: true changed_when: true
with_items: with_items:
- "php {{ nextcloud_install_path }}/occ app:enable encryption" - "php {{ nextcloud_install_path }}/occ app:enable encryption"
@ -55,14 +54,14 @@
- 'php {{ nextcloud_install_path }}/occ config:system:set memcache.local --value "\\OC\\Memcache\\APCu"' - 'php {{ nextcloud_install_path }}/occ config:system:set memcache.local --value "\\OC\\Memcache\\APCu"'
- 'php {{ nextcloud_install_path }}/occ config:system:set memcache.distributed --value "\OC\Memcache\Redis"' - 'php {{ nextcloud_install_path }}/occ config:system:set memcache.distributed --value "\OC\Memcache\Redis"'
- "php {{ nextcloud_install_path }}/occ background:cron" - "php {{ nextcloud_install_path }}/occ background:cron"
- 'php {{ nextcloud_install_path }}/occ config:system:set overwrite.cli.url --value https://{{ domain }}' - 'php {{ nextcloud_install_path }}/occ config:system:set overwrite.cli.url --value https://{{ instance.domain }}'
- 'php {{ nextcloud_install_path }}/occ config:system:set htaccess.RewriteBase --value /' - 'php {{ nextcloud_install_path }}/occ config:system:set htaccess.RewriteBase --value /'
- 'php {{ nextcloud_install_path }}/occ maintenance:update:htaccess' - 'php {{ nextcloud_install_path }}/occ maintenance:update:htaccess'
- 'php {{ nextcloud_install_path }}/occ config:system:set default_language --value "de"' - 'php {{ nextcloud_install_path }}/occ config:system:set default_language --value "de"'
- 'php {{ nextcloud_install_path }}/occ config:system:set default_phone_region --value "DE"' - 'php {{ nextcloud_install_path }}/occ config:system:set default_phone_region --value "DE"'
- 'php {{ nextcloud_install_path }}/occ config:system:set loglevel --value "1"' - 'php {{ nextcloud_install_path }}/occ config:system:set loglevel --value "1"'
- name: "NC Mailversand einrichten" - name: "nextcloud: {{ instance.domain }}: Mailversand einrichten"
blockinfile: blockinfile:
path: "{{ nextcloud_config_file }}" path: "{{ nextcloud_config_file }}"
insertbefore: '^\);' insertbefore: '^\);'
@ -76,7 +75,7 @@
'mail_smtphost' => '{{ nextcloud_smtp_host }}', 'mail_smtphost' => '{{ nextcloud_smtp_host }}',
'mail_smtpport' => '{{ nextcloud_smtp_port}}', 'mail_smtpport' => '{{ nextcloud_smtp_port}}',
- name: "NC Filelocking" - name: "nextcloud: {{ instance.domain }}: Filelocking"
blockinfile: blockinfile:
path: "{{ nextcloud_config_file }}" path: "{{ nextcloud_config_file }}"
insertbefore: '^\);' insertbefore: '^\);'
@ -90,10 +89,10 @@
'timeout' => 0.0, 'timeout' => 0.0,
), ),
- name: "NC trusted proxies einrichten" - name: "nextcloud: {{ instance.domain }}: trusted proxies einrichten"
command: 'php {{ nextcloud_install_path }}/occ config:system:set trusted_proxies {{ item.0 }} --value "{{ item.1 }}"' command: 'php {{ nextcloud_install_path }}/occ config:system:set trusted_proxies {{ item.0 }} --value "{{ item.1 }}"'
become: true become: true
become_user: "{{ user }}" become_user: "{{ instance.user }}"
changed_when: true changed_when: true
with_indexed_items: with_indexed_items:
- '{{ nextcloud_trusted_proxies }}' - '{{ nextcloud_trusted_proxies }}'
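Review bot: the `unarchive` task's `group: "{{ user }}"` (the context line at the top of the second hunk; the task itself starts outside the hunk) still references the old flat variable while every other task in this file was moved to `instance.user`, so with `user` no longer defined the extraction fails on an undefined variable, and if some unrelated `user` is in scope the tree is extracted with the wrong group; change it, and the `owner:` above it if it has the same form, to `"{{ instance.user }}"`. Separately, the "Installation" task passes the database password and `nextcloud_admin_pw` on the `php occ maintenance:install` command line, where they appear in Ansible's task output and in `ps` on the host for the duration of the install; add `no_log: true` to that task. The `lookup('password', '/tmp/nc_db_password …')` here must stay byte-identical to the one in database.yml, otherwise the DB user and config.php diverge; a shared variable for the path would make that harder to break.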


@ -1,9 +1,9 @@
--- ---
- name: "Pakete Fakten sammeln" - name: "packages: Fakten sammeln"
package_facts: package_facts:
manager: apt manager: apt
- name: "Pakete Datenbank installieren" - name: "packages: Datenbank-Pakete installieren"
apt: apt:
pkg: pkg:
- python-pymysql - python-pymysql
@ -11,7 +11,7 @@
cache_valid_time: 3600 cache_valid_time: 3600
delegate_to: "{{ database_host }}" delegate_to: "{{ database_host }}"
- name: "Pakete installieren" - name: "packages: Pakete installieren"
apt: apt:
pkg: pkg:
- php-redis - php-redis


@ -1,18 +1,17 @@
--- ---
- name: "php: {{ instance.domain }}: FPM-Nutzer anlegen"
- name: "PHP FPM-Nutzer anlegen"
user: user:
name: "{{ user }}" name: "{{ instance.user }}"
create_home: no create_home: no
password: "!" password: "!"
groups: redis groups: redis
shell: /bin/false shell: /bin/false
state: present state: present
- name: "PHP FPM-Pool einrichten" - name: "php: {{ instance.domain }}: FPM-Pool einrichten"
template: template:
src: php_fpm_pool.j2 src: php_fpm_pool.j2
dest: "/etc/php/{{ php_version }}/fpm/pool.d/{{ user }}.conf" dest: "/etc/php/{{ php_version }}/fpm/pool.d/{{ instance.user }}.conf"
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644

tasks/version.yml Normal file

@ -0,0 +1,14 @@
---
- name: "version: {{ instance.domain }}: Prüfe NC-Installation"
stat:
path: "{{ nextcloud_install_path }}/version.php"
register: nc_is_installed
- name: "version: {{ instance.domain }}: Prüfe NC-Version"
shell:
cmd: occ -V | cut -d ' ' -f2
chdir: "{{ nextcloud_install_path }}"
become: true
become_user: "{{ instance.user }}"
register: nc_installed_version
when: nc_is_installed.stat.exists
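Review bot: `cmd: occ -V | cut -d ' ' -f2` runs `occ` as a bare command; `chdir` changes the working directory but does not put it on PATH, so this only resolves if `.` or the install directory happens to be on the become user's PATH, whereas the rest of the role invokes `php {{ nextcloud_install_path }}/occ`. Use `cmd: php occ -V | cut -d ' ' -f2` and add `changed_when: false`, since this is a read-only probe that otherwise reports "changed" on every run. Also, `nc_is_installed` stats `version.php`, which ships in the tarball and exists as soon as the unarchive step ran; a run that fails between extraction and `occ maintenance:install` leaves the instance permanently skipped by main.yml's install guard, so stat `{{ nextcloud_install_path }}/config/config.php` (or check `occ status`) to detect an actual installation.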


@ -1,21 +1,20 @@
server { server {
listen 80; listen 80;
server_name {{ nextcloud_domain }}; server_name {{ instance.domain }};
include snippets/letsencrypt.conf; include snippets/letsencrypt.conf;
location / { return 301 https://$http_host$request_uri; } location / { return 301 https://$http_host$request_uri; }
} }
server { server {
server_name {{ nextcloud_domain }}; server_name {{ instance.domain }};
listen 443 ssl http2; listen 443 ssl http2;
ssl_certificate /var/lib/dehydrated/certs/{{ nextcloud_domain }}/fullchain.pem; ssl_certificate /var/lib/dehydrated/certs/{{ instance.domain }}/fullchain.pem;
ssl_certificate_key /var/lib/dehydrated/certs/{{ nextcloud_domain }}/privkey.pem; ssl_certificate_key /var/lib/dehydrated/certs/{{ instance.domain }}/privkey.pem;
include /etc/nginx/proxy_params; include /etc/nginx/proxy_params;
add_header Referrer-Policy $referrerpolicy; add_header Referrer-Policy $referrerpolicy;
add_header Strict-Transport-Security $sts; add_header Strict-Transport-Security $sts;
add_header X-Content-Type-Options $xcontentoptions; add_header X-Content-Type-Options $xcontentoptions;
add_header X-XSS-Protection $xxssprotection; add_header X-XSS-Protection $xxssprotection;
# include /etc/nginx/snippets/hpkp.conf;
location ~ /.well-known/(carddav|caldav) { location ~ /.well-known/(carddav|caldav) {
return 301 $scheme://$host/remote.php/dav; return 301 $scheme://$host/remote.php/dav;


@ -1,4 +1,4 @@
[{{ common_name }}] [{{ instance.user }}]
;prefix = /path/to/pools/$pool ;prefix = /path/to/pools/$pool
user = $pool user = $pool
group = www-data group = www-data