From a0174ab533e59086ea1a9b4fc76bcf5c3d1b8648 Mon Sep 17 00:00:00 2001 From: Someone Date: Fri, 4 Oct 2024 13:42:40 +0200 Subject: [PATCH] [roles/service/nextcloud] setup nextcloud service --- roles/service/nextcloud/defaults/main.yml | 50 +++ .../files/default/nextcloud-cron@.service | 23 ++ .../files/default/nextcloud-cron@.timer | 18 ++ roles/service/nextcloud/tasks/main.yml | 285 ++++++++++++++++++ .../vars/default/vars_nginx_vhost_custom.yml | 142 +++++++++ 5 files changed, 518 insertions(+) create mode 100644 roles/service/nextcloud/defaults/main.yml create mode 100644 roles/service/nextcloud/files/default/nextcloud-cron@.service create mode 100644 roles/service/nextcloud/files/default/nextcloud-cron@.timer create mode 100644 roles/service/nextcloud/tasks/main.yml create mode 100644 roles/service/nextcloud/vars/default/vars_nginx_vhost_custom.yml diff --git a/roles/service/nextcloud/defaults/main.yml b/roles/service/nextcloud/defaults/main.yml new file mode 100644 index 0000000..fecc45c --- /dev/null +++ b/roles/service/nextcloud/defaults/main.yml @@ -0,0 +1,50 @@ +##################################### +### someone's ansible provisioner ### +##################################### +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# +# If not overridden in inventory or as a parameter, this is the value that will be used +# +--- +nextcloud_download_url: "https://download.nextcloud.com/server/releases/latest-29.tar.bz2" +nextcloud_download_checksum: "sha256:https://download.nextcloud.com/server/releases/latest-29.tar.bz2.sha256" + +nextcloud_domain: "cloud.localhost" +nextcloud_db_host: "127.0.0.1" +nextcloud_db_name: "nextcloud" + +# Where are the data files stored. +nextcloud_data_dir_path: "/srv/{{nextcloud_domain}}" + +# Install apps. +nextcloud_installed_apps: + - 'calendar' + - 'contacts' + - 'tasks' + - 'files_retention' + - 'files_automatedtagging' + - 'richdocuments' + - 'richdocumentscode' + - 'unroundedcorners' + + +# Set/override config options. +nextcloud_config_options: + - { key: "updatechecker", value: "false" } + - { key: "has_internet_connection", value: "false" } + - { key: "skeletondirectory", value: "" } + - { key: "trashbin_retention_obligation", value: "30, 90" } + - { key: "versions_retention_obligation", value: "30, 90" } + - { key: "mail_from_address", value: "nextcloud-noreply" } + - { key: "mail_smtpmode", value: "smtp" } + - { key: "mail_domain", value: "localhost" } + - { key: "mail_smtphost", value: "mail.localhost" } + - { key: "memcache.local", value: "\\OC\\Memcache\\APCu" } + - { key: "maintenance_window_start", value: "1" } +# - { key: "config_is_read_only", value: "true" } # unset and set by ansible. + +# must set. +#nextcloud_db_pw: None +#nextcloud_admin_user: "" +#nextcloud_admin_pw: "" diff --git a/roles/service/nextcloud/files/default/nextcloud-cron@.service b/roles/service/nextcloud/files/default/nextcloud-cron@.service new file mode 100644 index 0000000..e55f01c --- /dev/null +++ b/roles/service/nextcloud/files/default/nextcloud-cron@.service @@ -0,0 +1,23 @@ +# +################################################ +### Managed by someone's ansible provisioner ### +################################################ +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# + +[Unit] +Description=Run cron.php for Nextcloud at %I +ConditionPathIsDirectory=/var/www/%I/ +OnFailure=unit-status-mail@%n.service + +[Service] +Type=oneshot +User=www-data +Group=www-data +UMask=0077 +Nice=5 +IOSchedulingClass=best-effort +IOSchedulingPriority=6 +ExecStart=/usr/bin/php --define apc.enable_cli=1 -f ./cron.php +WorkingDirectory=/var/www/%I/ diff --git a/roles/service/nextcloud/files/default/nextcloud-cron@.timer b/roles/service/nextcloud/files/default/nextcloud-cron@.timer new file mode 100644 index 0000000..5e69723 --- /dev/null +++ b/roles/service/nextcloud/files/default/nextcloud-cron@.timer @@ -0,0 +1,18 @@ +# +################################################ +### Managed by someone's ansible provisioner ### +################################################ +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# + +[Unit] +Description=Run cron.php for Nextcloud at %I + +[Timer] +OnBootSec=15min +OnUnitActiveSec=30min +Persistent=true + +[Install] +WantedBy=timers.target diff --git a/roles/service/nextcloud/tasks/main.yml b/roles/service/nextcloud/tasks/main.yml new file mode 100644 index 0000000..aa07215 --- /dev/null +++ b/roles/service/nextcloud/tasks/main.yml @@ -0,0 +1,285 @@ +##################################### +### someone"s ansible provisioner ### +##################################### +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# +--- +#- name: create postgres-db and user +# include_role: +# name: util/postgres-db-usr +# vars: +# pg_data: +# db_server_delegate: "{{nextcloud_db_server_delegate}}" +# dbname: "{{nextcloud_db_name}}" +# pw: "{{nextcloud_db_pw}}" +# when: nextcloud_db_create | default('True') + + +- name: include vars_nginx_vhost_custom + include_vars: + file: "{{item}}" + name: vars_nginx_vhost_custom + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/{{nextcloud_domain}}-vars_nginx_vhost_custom.yml" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/{{nextcloud_domain}}-vars_nginx_vhost_custom.yml" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/{{nextcloud_domain}}-vars_nginx_vhost_custom.yml" + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/vars_nginx_vhost_custom.yml" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/vars_nginx_vhost_custom.yml" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/vars_nginx_vhost_custom.yml" + - "default/vars_nginx_vhost_custom.yml" + + +- name: configure gitweb vhost + include_role: + name: server/nginx/vhost-unified + vars: + vhost_type: "custom+php" + vhost_name: "{{nextcloud_domain}}" + vhost_php_custom: ["bzip2", "php8.2-apcu", "php8.2-bcmath", "php8.2-pgsql", "php8.2-curl", "php8.2-gd", "php8.2-gmp", "php8.2-intl", "php-imagick", "php8.2-mbstring", "php8.2-xml", "php8.2-zip"] + vhost_dotfile_protection: False + vhost_custom: + vhost_custom_pre_server: "{{vars_nginx_vhost_custom.vhost_custom_pre_server}}" + vhost_custom: "{{vars_nginx_vhost_custom.vhost_custom}}" + + +- name: set up data-dir + file: + path: "{{nextcloud_data_dir_path}}" + state: directory + mode: 0750 + owner: "www-data" + group: "www-data" + + +- name: download nextcloud release and check checksums + get_url: + url: "{{nextcloud_download_url}}" + dest: "/var/www/{{nextcloud_domain}}-nextcloud.tar.bz2" + mode: 0640 + owner: "www-data" + group: "www-data" + checksum: "{{nextcloud_download_checksum}}" + timeout: 30 + tags: "online" + register: download + + +- name: set up new webroot-dir + file: + path: "/var/www/{{nextcloud_domain}}.tmp" + state: directory + mode: 0750 + owner: "www-data" + group: "www-data" + when: download.changed + + +- name: download and extract nextcloud files + unarchive: + src: "/var/www/{{nextcloud_domain}}-nextcloud.tar.bz2" + dest: "/var/www/{{nextcloud_domain}}.tmp" + remote_src: yes + mode: "u=rwX,g=rX,o-rwx" + owner: "www-data" + group: "www-data" + extra_opts: + - '--strip-components=1' + - '--show-stored-names' + when: download.changed + + +- name: use existing config file + command: "mv /var/www/{{nextcloud_domain}}/config/config.php /var/www/{{nextcloud_domain}}.tmp/config/" + args: + removes: "/var/www/{{nextcloud_domain}}/config/config.php" + when: download.changed + + +- name: remove old files + file: + path: "/var/www/{{nextcloud_domain}}" + state: absent + when: download.changed + + +- name: move newly extracted files to destination + command: "mv /var/www/{{nextcloud_domain}}.tmp /var/www/{{nextcloud_domain}}" + args: + creates: "/var/www/{{nextcloud_domain}}" + when: download.changed + + +- name: remove possibly left over files + file: + path: "/var/www/{{nextcloud_domain}}.tmp" + state: absent + when: download.changed + + +- name: install nextcloud + become: true + become_user: "www-data" + command: > + php occ maintenance:install + --database=pgsql + --database-host="{{nextcloud_db_host}}" + --database-name="{{nextcloud_db_name}}" + --database-user="{{nextcloud_db_name}}" + --database-pass="{{nextcloud_db_pw}}" + --admin-user="{{nextcloud_admin_user}}" + --admin-pass="{{nextcloud_admin_pw}}" + --data-dir="{{nextcloud_data_dir_path}}/data" + args: + chdir: "/var/www/{{nextcloud_domain}}" + creates: "/var/www/{{nextcloud_domain}}/config/config.php" + when: download.changed + + +- name: write-unlock config + become: true + become_user: "www-data" + lineinfile: + path: "/var/www/{{nextcloud_domain}}/config/config.php" + state: absent + regexp: 'config_is_read_only' + changed_when: False + + +- name: finish nextcloud upgrade by running occ upgrade + become: true + become_user: "www-data" + shell: 'php --define apc.enable_cli=1 occ upgrade' + args: + chdir: "/var/www/{{nextcloud_domain}}" + register: script_res + changed_when: "'Nextcloud is already latest version' not in script_res.stdout" + + +- name: ensure trusted domains are set + become: true + become_user: "www-data" + shell: 'echo "prev-$(php --define apc.enable_cli=1 occ config:system:get trusted_domains {{ item.0 }})-"; php --define apc.enable_cli=1 occ config:system:set trusted_domains {{ item.0 }} --value "{{ item.1 }}"' + args: + chdir: "/var/www/{{nextcloud_domain}}" + register: script_res +# changed_when: "'prev-{{item.1}}-' not in script_res.stdout" + changed_when: False + with_indexed_items: + - 'localhost' + - "{{nextcloud_domain}}" + + +- name: install apps + become: true + become_user: "www-data" + shell: 'php --define apc.enable_cli=1 occ app:install -- "{{ item }}" || true' + args: + chdir: "/var/www/{{nextcloud_domain}}" + register: script_res +# changed_when: "'{{item}} already installed' not in script_res.stdout" + changed_when: False + with_items: + - "{{nextcloud_installed_apps}}" + tags: "online" + + +- name: finish nextcloud upgrade by running occ db:add-missing-columns + become: true + become_user: "www-data" + shell: 'php --define apc.enable_cli=1 occ db:add-missing-columns' + args: + chdir: "/var/www/{{nextcloud_domain}}" + register: script_res + changed_when: "'Adding' in script_res.stdout" + + +- name: finish nextcloud upgrade by running occ db:add-missing-indices + become: true + become_user: "www-data" + shell: 'php --define apc.enable_cli=1 occ db:add-missing-indices' + args: + chdir: "/var/www/{{nextcloud_domain}}" + register: script_res + changed_when: "'Adding' in script_res.stdout" + + +- name: finish nextcloud upgrade by running occ db:add-missing-primary-keys + become: true + become_user: "www-data" + shell: 'php --define apc.enable_cli=1 occ db:add-missing-primary-keys' + args: + chdir: "/var/www/{{nextcloud_domain}}" + register: script_res + changed_when: "'Adding' in script_res.stdout" + + +- name: finish nextcloud upgrade by running occ maintenance:repair --include-expensive + become: true + become_user: "www-data" + shell: 'php --define apc.enable_cli=1 occ maintenance:repair --include-expensive' + args: + chdir: "/var/www/{{nextcloud_domain}}" + register: script_res + changed_when: "'Adding' in script_res.stdout" + + + # Failcloud expects an unsafe config-key behavior + # Therefore we must use + # shell: 'echo "prev-$(php occ config:system:get {{ item.key }})-"; php occ config:system:set $(echo -n "{{ item.key }}" ) --value "{{ item.value }}"' + # instead of + # shell: 'echo "prev-$(php occ config:system:get {{ item.key }})-"; php occ config:system:set "{{ item.key }}"--value "{{ item.value }}"' +- name: apply config options + become: true + become_user: "www-data" + shell: 'echo "prev-$(php --define apc.enable_cli=1 occ config:system:get {{ item.key }})-"; php --define apc.enable_cli=1 occ config:system:set $(echo -n "{{ item.key }}" ) --value "{{ item.value }}"' + args: + chdir: "/var/www/{{nextcloud_domain}}" + register: script_res +# changed_when: "'prev-{{item.value}}-' not in script_res.stdout" + changed_when: False + with_items: + - "{{nextcloud_config_options[nextcloud_domain]}}" + + +- name: write-lock config + become: true + become_user: "www-data" + shell: 'php --define apc.enable_cli=1 occ config:system:set config_is_read_only --value true' + args: + chdir: "/var/www/{{nextcloud_domain}}" + changed_when: False + + +- name: copy nextcloud-cron@.service to /etc/systemd/system/ + copy: + src: "{{item}}" + dest: "/etc/systemd/system/nextcloud-cron@.service" + mode: 0644 + owner: "root" + group: "root" + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/nextcloud-cron@.service" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/nextcloud-cron@.service" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/nextcloud-cron@.service" + - "default/nextcloud-cron@.service" + + +- name: copy nextcloud-cron@.timer to /etc/systemd/system/ + copy: + src: "{{item}}" + dest: "/etc/systemd/system/nextcloud-cron@.timer" + mode: 0644 + owner: "root" + group: "root" + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/nextcloud-cron@.timer" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/nextcloud-cron@.timer" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/nextcloud-cron@.timer" + - "default/nextcloud-cron@.timer" + + +- name: reload, enable and start nextcloud-cron@.timer. + include_role: name="base/systemd/enable-and-start" + vars: + service_name: "nextcloud-cron@{{nextcloud_domain}}.timer" diff --git a/roles/service/nextcloud/vars/default/vars_nginx_vhost_custom.yml b/roles/service/nextcloud/vars/default/vars_nginx_vhost_custom.yml new file mode 100644 index 0000000..cd4fc8a --- /dev/null +++ b/roles/service/nextcloud/vars/default/vars_nginx_vhost_custom.yml @@ -0,0 +1,142 @@ +##################################### +### someone"s ansible provisioner ### +##################################### +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# +--- +vhost_custom_pre_server: |- + +vhost_custom: |- + # Enable gzip but do not remove ETag headers + #gzip on; + #gzip_vary on; + #gzip_comp_level 4; + #gzip_min_length 256; + #gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + #gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + # Pagespeed is not supported by Nextcloud, so if your server is built + # with the `ngx_pagespeed` module, uncomment this line to disable it. + #pagespeed off; + + # The settings allows you to optimize the HTTP2 bandwitdth. + # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/ + # for tunning hints + client_body_buffer_size 512k; + + # HTTP response headers borrowed from Nextcloud `.htaccess` + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "noindex, nofollow" always; + add_header X-XSS-Protection "1; mode=block" always; + + # Remove X-Powered-By, which is an information leak + fastcgi_hide_header X-Powered-By; + + include mime.types; + types { + text/javascript mjs; + application/wasm wasm; + } + + # Path to the root of your installation + root /var/www/{{vhost_name}}; + + # Specify how to handle directories -- specifying `/index.php$request_uri` + # here as the fallback means that Nginx always exhibits the desired behaviour + # when a client requests a path that corresponds to a directory that exists + # on the server. In particular, if that directory contains an index.php file, + # that file is correctly served; if it doesn't, then the request is passed to + # the front-end controller. This consistent behaviour means that we don't need + # to specify custom rules for certain paths (e.g. images and other assets, + # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus + # `try_files $uri $uri/ /index.php$request_uri` + # always provides the desired behaviour. + index index.php index.html /index.php$request_uri; + + # Rule borrowed from `.htaccess` to handle Microsoft DAV clients + location = / { + if ( $http_user_agent ~ ^DavClnt ) { + return 302 /remote.php/webdav/$is_args$args; + } + } + + # Make a regex exception for `/.well-known` so that clients can still + # access it despite the existence of the regex rule + # `location ~ /(\.|autotest|...)` which would otherwise handle requests + # for `/.well-known`. + location ^~ /.well-known { + # The rules in this block are an adaptation of the rules + # in `.htaccess` that concern `/.well-known`. + + location = /.well-known/carddav { return 301 /remote.php/dav/; } + location = /.well-known/caldav { return 301 /remote.php/dav/; } + + location /.well-known/pki-validation { try_files $uri $uri/ =404; } + + # Let Nextcloud's API for `/.well-known` URIs handle all other + # requests by passing them to the front-end controller. + return 301 /index.php$request_uri; + } + + # Rules borrowed from `.htaccess` to hide certain paths from clients + location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; } + location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } + + # Ensure this block, which passes PHP files to the PHP process, is above the blocks + # which handle static assets (as seen below). If this block is not declared first, + # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php` + # to the URI, resulting in a HTTP 500 error response. + location ~ \.php(?:$|/) { + # Required for legacy support + rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri; + + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + set $path_info $fastcgi_path_info; + + try_files $fastcgi_script_name =404; + + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $path_info; + fastcgi_param HTTPS on; + + fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice + fastcgi_param front_controller_active true; # Enable pretty urls + fastcgi_pass unix:/var/run/php/php-fpm.sock; + + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + + fastcgi_max_temp_file_size 0; + } + + # Serve static files + location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ { + try_files $uri /index.php$request_uri; + # HTTP response headers borrowed from Nextcloud `.htaccess` + add_header Cache-Control "public, max-age=15778463"; + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "noindex, nofollow" always; + add_header X-XSS-Protection "1; mode=block" always; + } + + location ~ \.woff2?$ { + try_files $uri /index.php$request_uri; + expires 7d; # Cache-Control policy borrowed from `.htaccess` + } + + # Rule borrowed from `.htaccess` + location /remote { + return 301 /remote.php$request_uri; + } + + location / { + try_files $uri $uri/ /index.php$request_uri; + } -- 2.43.0