From b09bf84a3b3163d262168aa5b411ade89161c6c1 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sat, 18 Jan 2020 12:17:12 -0600
Subject: [PATCH] nextcloud: Deploy Nextcloud w/ Apache+PHP-FPM

The *nextcloud* role installs Nextcloud from the specified release archive, downloading it to the control machine first if necessary, and configures Apache and PHP-FPM to serve it.

The `nextcloud.yml` playbook uses the *cert* role to install the X.509 certificate for the Nextcloud server, sets up Apache HTTPD with the *apache* role, and installs Nextcloud using the *nextcloud* role.

The host *cloud0.pyrocufflink.blue* is the Nextcloud server for Pyrocufflink.
---
group_vars/nextcloud.yml | 8 ++
hosts | 7 ++
nextcloud.yml | 11 +++
roles/nextcloud/defaults/main.yml | 2 +
roles/nextcloud/handlers/main.yml | 12 +++
roles/nextcloud/tasks/main.yml | 91 +++++++++++++++++++
.../templates/nextcloud.httpd.conf.j2 | 16 ++++
roles/nextcloud/vars/main.yml | 25 +++++
roles/ssh-hostkeys/files/ssh_known_hosts | 3 +
vault/nextcloud | 8 ++
10 files changed, 183 insertions(+)
create mode 100644 group_vars/nextcloud.yml
create mode 100644 nextcloud.yml
create mode 100644 roles/nextcloud/defaults/main.yml
create mode 100644 roles/nextcloud/handlers/main.yml
create mode 100644 roles/nextcloud/tasks/main.yml
create mode 100644 roles/nextcloud/templates/nextcloud.httpd.conf.j2
create mode 100644 roles/nextcloud/vars/main.yml
create mode 100644 vault/nextcloud
diff --git a/group_vars/nextcloud.yml b/group_vars/nextcloud.yml
new file mode 100644
index 0000000..4c03349
--- /dev/null
+++ b/group_vars/nextcloud.yml
@@ -0,0 +1,8 @@
+nextcloud_server_name: nextcloud.pyrocufflink.net
+apache_server_name: '{{ nextcloud_server_name }}'
+pg_hba_extra:
+- type: host
+ database: nextcloud
+ user: nextcloud
+ address: ::1/128
+ method: md5
diff --git a/hosts b/hosts
index 836f7cf..abce53f 100644
--- a/hosts
+++ b/hosts
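Review bot: `method: md5` in the `pg_hba_extra` entry selects PostgreSQL's legacy md5 challenge-response; on PostgreSQL 10 or later prefer `method: scram-sha-256`. The stored hash has to match the method: set `password_encryption = scram-sha-256` in postgresql.conf (the postgresql role is outside this diff) before the `postgresql_user` task creates the `nextcloud` role, otherwise the password is stored as an md5 hash and scram authentication will fail. The entry also permits only `::1/128`, so the database host given to the Nextcloud installer must resolve to the IPv6 loopback; a connection to `127.0.0.1` is not covered by this line unless another entry allows it.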
@@ -65,9 +65,15 @@ koji0.pyrocufflink.blue
[named-server:children]
pyrocufflink-dns

+[nextcloud]
+cloud0.pyrocufflink.blue
+
[ntpd]
dc0.pyrocufflink.blue

+[postgresql]
+cloud0.pyrocufflink.blue
+
[public-web]
web0.pyrocufflink.blue

@@ -76,6 +82,7 @@ build0-amd64.pyrocufflink.blue
burp0.pyrocufflink.blue
burp1.pyrocufflink.blue
bw0.pyrocufflink.blue
+cloud0.pyrocufflink.blue
dc0.pyrocufflink.blue
dns0.pyrocufflink.blue
file0.pyrocufflink.blue
diff --git a/nextcloud.yml b/nextcloud.yml
new file mode 100644
index 0000000..24c2783
--- /dev/null
+++ b/nextcloud.yml
@@ -0,0 +1,11 @@
+- hosts: nextcloud
+ vars_files:
+ - vault/nextcloud
+ roles:
+ - role: cert
+ cert_src: lego/_.pyrocufflink.net.crt
+ cert_dest: '{{ apache_ssl_certificate }}'
+ cert_key_src: lego/_.pyrocufflink.net.key
+ cert_key_dest: '{{ apache_ssl_certificate_key }}'
+ - apache
+ - nextcloud
diff --git a/roles/nextcloud/defaults/main.yml b/roles/nextcloud/defaults/main.yml
new file mode 100644
index 0000000..d0c6938
--- /dev/null
+++ b/roles/nextcloud/defaults/main.yml
@@ -0,0 +1,2 @@
+nextcloud_version: 17.0.0
+nextcloud_archive_sha256: 6081421b33ecdb3130b2bfb2293a3f4045aeb0b471ee570e675de3d931a142a6
diff --git a/roles/nextcloud/handlers/main.yml b/roles/nextcloud/handlers/main.yml
new file mode 100644
index 0000000..fe3d91d
--- /dev/null
+++ b/roles/nextcloud/handlers/main.yml
@@ -0,0 +1,12 @@
+- name: reload httpd
+ service:
+ name: httpd
+ state: reloaded
+- name: upgrade nextcloud
+ become: true
+ become_user: apache
+ command: php /var/www/html/occ upgrade
+- name: update nextcloud .htaccess
+ become: true
+ become_user: apache
+ command: php /var/www/html/occ maintenance:update:htaccess
diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml
new file mode 100644
index 0000000..08bd574
--- /dev/null
+++ b/roles/nextcloud/tasks/main.yml
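Review bot: The cert role is given `lego/_.pyrocufflink.net.key`, which by its name appears to be the private key of the `*.pyrocufflink.net` wildcard certificate, and installs it on the same host that runs the PHP application; if cloud0 is compromised, every name under `pyrocufflink.net` covered by that wildcard can be impersonated, not only Nextcloud. Requesting a certificate for just `nextcloud.pyrocufflink.net` (lego can issue per-name certificates) would limit the blast radius to this service. If sharing the wildcard is deliberate, the key should at least land root-owned with a restrictive mode and be readable only by httpd; how the cert role sets ownership and mode is outside this diff.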
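Review bot: `nextcloud_archive_sha256` pins the archive but nothing records where the digest came from, so the next version bump has no documented procedure for verifying a new value; add a comment above it such as `# sha256 of nextcloud-{{ nextcloud_version }}.tar.bz2 as published with the release on download.nextcloud.com -- update together with nextcloud_version`. A hash copied from the same site as the archive proves integrity, not authenticity; Nextcloud also publishes a detached GPG signature for each release archive, which the download task could verify against a key stored in the repository. `17.0.0` is the first release of the 17 branch; confirm it is still the current 17.x patch level before deploying, since later point releases carry security fixes.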
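Review bot: The `upgrade nextcloud` handler runs `occ upgrade` whenever the archive is extracted, including the first run on a host where Nextcloud has never been installed; nothing in this change runs `occ maintenance:install` or creates `config/config.php`, so occ will report that Nextcloud is not installed and the handler is likely to exit non-zero and fail the play. Gate both handlers on an installed instance, for example by registering `php /var/www/html/occ status` in the tasks and adding `when: nextcloud_status.stdout is search('installed: true')` to each handler, or accept the first-run failure explicitly with `failed_when`. Neither handler sets `changed_when`, so every notified run reports a change; occ's output for a no-op upgrade could be used to drive `changed_when` once the guard is in place.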
@@ -0,0 +1,91 @@
+- name: ensure rpmfusion repo is installed
+ package:
+ name: >-
+ https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-{{ ansible_distribution_version }}.noarch.rpm
+ tags:
+ - install
+
+- name: ensure required packages are installed
+ package:
+ name: '{{ nextcloud_packages }}'
+ state: present
+ tags:
+ - install
+
+- name: ensure nextcloud database user exists
+ become: true
+ become_user: postgres
+ postgresql_user:
+ name: nextcloud
+ password: '{{ nextcloud_db_password }}'
+ state: present
+- name: ensure nextcloud database exists
+ become: true
+ become_user: postgres
+ postgresql_db:
+ name: nextcloud
+ owner: nextcloud
+ state: present
+
+- name: ensure nextcloud installation archive is available
+ become: false
+ delegate_to: localhost
+ get_url:
+ url: '{{ nextcloud_archive_url }}'
+ dest: roles/nextcloud/files/{{ nextcloud_archive_name }}
+ checksum: 'sha256:{{ nextcloud_archive_sha256 }}'
+ tags:
+ - unarchive
+
+- name: ensure html directory permissions are set
+ file:
+ path: /var/www/html
+ owner: apache
+ group: apache
+ mode: '0755'
+
+- name: ensure nextcloud is installed
+ become: true
+ become_user: apache
+ unarchive:
+ src: '{{ nextcloud_archive_name }}'
+ dest: /var/www/html
+ extra_opts:
+ - --strip-components=1
+ notify:
+ - upgrade nextcloud
+ - update nextcloud .htaccess
+ tags:
+ - install
+ - unarchive
+
+- name: ensure nextcloud data directories exist
+ file:
+ path: /var/www/html/{{ item.name }}
+ owner: apache
+ group: apache
+ mode: '{{ item.mode|d("0755") }}'
+ setype: httpd_sys_rw_content_t
+ state: directory
+ with_items:
+ - name: config
+ - name: custom_apps
+ - name: data
+ mode: '0770'
+
+- name: ensure apache is configured to serve nextcloud
+ template:
+ src: nextcloud.httpd.conf.j2
+ dest: /etc/httpd/conf.d/nextcloud.conf
+ mode: '0644'
+ notify: reload httpd
+
+- name: ensure php-fpm starts at boot
+ service:
+ name: php-fpm
+ enabled: true
+
+- name: ensure php-fpm service is running
+ service:
+ name: php-fpm
+ state: started
diff --git a/roles/nextcloud/templates/nextcloud.httpd.conf.j2 b/roles/nextcloud/templates/nextcloud.httpd.conf.j2
new file mode 100644
index 0000000..c549ab2
--- /dev/null
+++ b/roles/nextcloud/templates/nextcloud.httpd.conf.j2
@@ -0,0 +1,16 @@
+RewriteEngine On
+RewriteCond %{HTTPS} !on
+RewriteRule /.* https://%{SERVER_NAME}$0
+
+Header always set \
+ Strict-Transport-Security "max-age=63072000; includeSubDomains"
+
+
+Require all granted
+AllowOverride All
+Options FollowSymLinks MultiViews
+
+
+Dav off
+
+
diff --git a/roles/nextcloud/vars/main.yml b/roles/nextcloud/vars/main.yml
new file mode 100644
index 0000000..6e8f19d
--- /dev/null
+++ b/roles/nextcloud/vars/main.yml
@@ -0,0 +1,25 @@
+nextcloud_packages:
+- bzip2
+- ffmpeg
+- php
+- php-fpm
+- php-gd
+- php-gmp
+- php-intl
+- php-json
+- php-ldap
+- php-mbstring
+- php-opcache
+- php-pdo
+- php-pecl-apcu
+- php-pecl-imagick
+- php-pecl-zip
+- php-pgsql
+- php-process
+- php-smbclient
+- php-xml
+- python3-psycopg2
+- tar
+nextcloud_archive_name: nextcloud-{{ nextcloud_version }}.tar.bz2
+nextcloud_archive_url: >-
+ https://download.nextcloud.com/server/releases/{{ nextcloud_archive_name }}
diff --git a/roles/ssh-hostkeys/files/ssh_known_hosts b/roles/ssh-hostkeys/files/ssh_known_hosts
index ded9725..77d7f4b 100644
--- a/roles/ssh-hostkeys/files/ssh_known_hosts
+++ b/roles/ssh-hostkeys/files/ssh_known_hosts
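Review bot: The unarchive task extracts as `apache` into a `/var/www/html` that the preceding file task makes `apache`-owned, so the web server user can rewrite every PHP file Nextcloud serves and a file-write or code-execution flaw in the application becomes a persistent backdoor rather than being contained to the data directory. Nextcloud's hardening guidance keeps the code tree root-owned and read-only for the web user and grants `apache` write access only to `config`, `custom_apps` and `data`, which the following task already does; that means `owner: root` on the html-directory task and dropping `become_user: apache` from the unarchive task, while keeping the occ handlers running as `apache`. If the code tree goes read-only, `.htaccess` must stay writable by `apache` (or the htaccess handler must run as root), because `maintenance:update:htaccess` rewrites it. Keeping `data` under the document root also means the files are protected only by the `.htaccess` rules that `AllowOverride All` enables; a data directory outside `/var/www/html` removes that dependency, though the location is chosen at install time rather than in this role. Separately, the rpmfusion release RPM is installed straight from a URL before its signing key is known to rpm, so the first package is verified by TLS only; importing the rpmfusion-free key with `rpm_key` before this task lets dnf check the signature.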
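Review bot: `RewriteRule /.* https://%{SERVER_NAME}$0` builds the redirect target from `%{SERVER_NAME}`, which under Apache's default `UseCanonicalName Off` is taken from the client-supplied Host header, so a request with a forged Host that is routed to this server is redirected to a host of the attacker's choosing. Use the configured name instead, `RewriteRule /.* https://{{ nextcloud_server_name }}$0` (defined in group_vars/nextcloud.yml in this change), or set `UseCanonicalName On` in the apache role, which is outside this diff. The HSTS header is emitted for every response including the plain-HTTP redirect; browsers ignore HSTS received over HTTP so this is harmless, but Nextcloud's documented configuration places the `Header` line inside the TLS virtual host only. The container lines around `Require all granted` and `Dav off` are not visible in this rendering; confirm in the repository that they are scoped to the Nextcloud document root (`<Directory>` / `<IfModule mod_dav.c>`) rather than applying server-wide.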
@@ -13,6 +13,9 @@ burp1.pyrocufflink.blue ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCoHG7YZ0bQ3vvjmpUI bw0.pyrocufflink.blue ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFhC0Lu+6oNiMYQ3bALQ0L4erepswgYalGW/spbd4UJ/t1GaHx1xGKmwrIqJ/+IGULEEHyO9Ldz5PmMTTmdh7Ms= bw0.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKQJvmcowUDnqJ8wKwreKNsd43g0Az0heAWRmSxG/sl9 bw0.pyrocufflink.blue ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4C69f0KJe32ZReE9FE7jZwzbPiuBnIop+f4Redo5KtOAHSd6qNpR6+ZCImgdEV+DlxC8UFRa5kqVg6jD4niGQl2p1/07c/G7b/uSKpSp5HvmBKWOiqVVfqnZcHUJC6fhTWaNqvp6zbtV8LbdTE/oStI06qKpCrUsoROHaek2zS0KznGk/UMOIiSS32XZbZKzwTSaL9LPIvugnv7HnkHHWl/IAC5vG7BXSLJLRksjS/4X8CWnYbOJB3wUt8oq1rNfD19LqFnqGUYmp3w8jk7Z6yJUdNKqWMihoV8z4HnqJ9KSGlfGMG/Tx691DXzXRXSQWiPTcZhBl8SET2NV2xEO5 +cloud0.pyrocufflink.blue ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIdqy2vDbPHBHznTnngNoxruf2+zK2mxs+uNctc6TT3GDCLEvaSBaP6a8lp2fIxyuK/KxmROSmSwkNNvzy/reuQ= +cloud0.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJWCsUW0cQuRUqvnRIFfdx6qFaDOHk63x/jVyhbmw8oY +cloud0.pyrocufflink.blue ssh-rsa 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 cm0.pyrocufflink.blue ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJu4U5OdSbCXwofCCeejxEv5ia4YgzUYI01aXy1cDp9GcndmmwZl0NHbF815G98YK3O16Kv4nTV4IEUF7JJu0/s= cm0.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICb5SUiJ3yFQlXlqmxV18ZrfFD1z1/Nov2IJG9Y2snUd cm0.pyrocufflink.blue ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC07DmchhYaGlFpawpS2hswPKioVlPkLObalQ3jx/TTENu2sLNcBUzVR6y2H82EnWOjnHDOYwdKPbHjjFtOQTr8wYJlOpw75v2DesUmvn8aPhz8XMKO4M9HuwPvgo6ybc9r+VEQgm3H9LLCDSMojkkO04T0KGuAyUfV2kYnLWzjclyUXgYGNqnmHatEn1WAU8olKkyP+CImvQTctisIF9rJotBNV+f4UO7NvioaieUyBCoWlHBGUMI18m12zaoItaMoV8WHlksXoQek9EWrioC/W51nFusDr1Cwmtwz/20mtiiYn5upUz0MtEc8FFvAk7jlpFPAB1dGZMPyLXaWHKjJ diff --git a/vault/nextcloud b/vault/nextcloud new file mode 100644 index 0000000..51ac037 --- /dev/null +++ b/vault/nextcloud 
@@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.1;AES256
+66373432366362303731363866636266313635656637303139383061396236333030633937373461
+3538616535343334663937663532303764333737653536330a616464346532616433336632313037
+66356437353766336563336139353462653162333035653833656466373639373965333932376165
+3336393133393061330a336661323761316536636262303934363038303239653235653535663236
+63656332656162613935343530316465366462363039663638616561373437666431373261653635
+64346138323065396536333335323931333034346337353337653865663830653539623466333738
+653931666565333264316635663235353537