aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRomain Gonçalves <me@rgoncalves.se>2024-02-13 23:10:06 +0100
committerRomain Gonçalves <me@rgoncalves.se>2024-02-13 23:16:09 +0100
commitb1f371ec9d587e3727e85afe34473ed154d1fc48 (patch)
tree8bdb6ba50c499d77262bfa9cb5a845353c9cdcd4
parent2a53a9778d87e6f525c6cf4f23052f1f3d35911e (diff)
downloadrules-b1f371ec9d587e3727e85afe34473ed154d1fc48.tar.gz
feat(roles/nextcloud): automate with occ
-rw-r--r--group_vars/all.yml20
-rw-r--r--roles/nextcloud/defaults/main.yml101
-rw-r--r--roles/nextcloud/meta/main.yml66
-rw-r--r--roles/nextcloud/occ.yml80
-rw-r--r--roles/nextcloud/tasks/database.yml18
-rw-r--r--roles/nextcloud/tasks/main.yml99
-rw-r--r--roles/nextcloud/tasks/php.yml17
-rw-r--r--roles/nextcloud/templates/datadirectory.config.php.j28
-rw-r--r--roles/nextcloud/templates/etc-php-7.3.ini.j2198
-rw-r--r--roles/nextcloud/templates/var-www-nextcloud-config-custom.config.php.j24
10 files changed, 360 insertions, 251 deletions
diff --git a/group_vars/all.yml b/group_vars/all.yml
index ca98ea6..ee658c1 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -35,6 +35,16 @@ __global_services:
# roles overrides
+nextcloud__db_password: "{{ lookup(
+ 'ansible.builtin.password',
+ 'secrets/files/passwords/' + inventory_hostname + '_nextcloud__db.txt',
+ )}}"
+nextcloud__admin_password: "{{ lookup(
+ 'ansible.builtin.password',
+ 'secrets/files/passwords/' + inventory_hostname + '_nextcloud__admin.txt',
+ )}}"
+nextcloud__admin_email: contact@rgoncalves.se
+
httpd__log_format: forwarded
wireguard_domain_controller: "{{ __global_domain_controller }}"
@@ -82,3 +92,13 @@ sshd_keys__users: "[
{{ user.username }},
{% endfor %}
]"
+
+nextcloud__users: "[
+ {% for user in __users %}
+ {{ {
+ 'username': user.username,
+ 'fullname': user.firstname + ' ' + user.lastname,
+ 'email': user.email,
+ } }},
+ {% endfor %}
+ ]"
diff --git a/roles/nextcloud/defaults/main.yml b/roles/nextcloud/defaults/main.yml
index f1835cf..2dc20c7 100644
--- a/roles/nextcloud/defaults/main.yml
+++ b/roles/nextcloud/defaults/main.yml
@@ -5,7 +5,104 @@ nextcloud__package_dependencies:
- php-pgsql-8.1.27
- php-pdo_pgsql-8.1.27
-nextcloud__user: nextcloud
-nextcloud__group: nextcloud
+nextcloud__db_name: nextcloud
+nextcloud__db_user: nextcloud
+nextcloud__db_host: 127.0.0.1
+nextcloud__db_password: "{{ lookup('ansible.builtin.password', '/dev/null') }}"
+
+nextcloud__admin_name: admin
+nextcloud__admin_password: "{{ lookup(
+ 'ansible.builtin.password', '/dev/null'
+ ) }}"
+
+nextcloud__chroot_dir: "{{ httpd_pre__chroot_dir }}/nextcloud"
+nextcloud__chroot_data_dir: /nextcloud/data
+
+nextcloud__data_dir: "{{ httpd_pre__chroot_dir }}{{ nextcloud__chroot_data_dir }}"
+
+nextcloud__owned_directories:
+ - apps
+ - data
+ - updater
nextcloud__php_service_name: php81_fpm
+nextcloud__php_configuration_file: /etc/php-8.1.ini
+nextcloud__php_fpm_configuration_file: /etc/php-fpm.ini
+
+nextcloud__occ_system_settings:
+ - option: trusted_domains
+ value: "1 --value={{ nextcloud__domain_name }}"
+ - option: skeletondirectory
+ value: ""
+
+nextcloud__disabled_apps:
+ - firstrunwizard
+ - sharebymail
+
+nextcloud__enabled_apps:
+ - encryption
+
+nextcloud__php_fpm_settings:
+ # PHP
+ - section: www
+ option: clear_env
+ value: 0
+
+nextcloud__php_settings:
+ # PHP
+ - section: PHP
+ option: post_max_size
+ value: 513M
+ - section: PHP
+ option: upload_max_filesize
+ value: 513M
+ - section: PHP
+ option: allow_url_fopen
+ value: 1
+ - section: PHP
+ option: memory_limit
+ value: 513M
+ # opcache
+ - section: opcache
+ option: opcache.enable
+ value: 1
+ - section: opcache
+ option: opcache_enable_cli
+ value: 1
+ - section: opcache
+ option: opcache.memory_consumption
+ value: 512
+ - section: opcache
+ option: opcache.interned_strings_buffer
+ value: 8
+ - section: opcache
+ option: opcache.max_accelerated_files
+ value: 10000
+ - section: opcache
+ option: opcache.revalidate_freq
+ value: 1
+ - section: opcache
+ option: opcache.save_comments
+ value: 1
+ # modules
+ - section: zip
+ option: extension
+ value: zip.so
+ - section: gd
+ option: extension
+ value: gd.so
+ - section: pgsql
+ option: extension
+ value: pgsql.so
+ - section: pdo_pgsql
+ option: extension
+ value: pdo_pgsql.so
+ - section: curl
+ option: extension
+ value: curl.so
+ - section: intl
+ option: extension
+ value: intl.so
+ - section: opcache
+ option: extension
+ value: opcache.so
diff --git a/roles/nextcloud/meta/main.yml b/roles/nextcloud/meta/main.yml
index 246fc09..0ad3396 100644
--- a/roles/nextcloud/meta/main.yml
+++ b/roles/nextcloud/meta/main.yml
@@ -2,6 +2,8 @@
dependencies:
- role: httpd_pre
+ - role: redis
+ - role: postgresql
argument_specs:
main:
@@ -18,7 +20,71 @@ argument_specs:
required: true
description: Package name to be installed
+ nextcloud__package_dependencies:
+ type: list
+ elements: str
+ required: true
+ description: Extra packages
+
nextcloud__domain_name:
type: str
required: true
description: Domain name
+
+ nextcloud__db_name:
+ type: str
+ required: true
+
+ nextcloud__db_password:
+ type: str
+ required: true
+
+ nextcloud__db_user:
+ type: str
+ required: true
+
+ nextcloud__db_host:
+ type: str
+ required: true
+
+ nextcloud__data_dir:
+ type: str
+ required: true
+
+ nextcloud__owned_directories:
+ type: str
+ required: true
+
+ nextcloud__admin_password:
+ type: str
+ required: true
+
+ nextcloud__admin_name:
+ type: str
+ required: true
+
+ nextcloud__admin_email:
+ type: str
+ required: true
+
+ nextcloud__php_service_name:
+ type: str
+ required: true
+
+ nextcloud__php_configuration_file:
+ type: str
+ required: true
+
+ nextcloud__php_settings:
+ type: list
+ elements: dict
+ options:
+ section:
+ type: str
+ required: true
+ option:
+ type: str
+ required: true
+ value:
+ type: str
+ required: true
diff --git a/roles/nextcloud/occ.yml b/roles/nextcloud/occ.yml
new file mode 100644
index 0000000..04c9539
--- /dev/null
+++ b/roles/nextcloud/occ.yml
@@ -0,0 +1,80 @@
+---
+
+- name: maintenance:install nextcloud
+ ansible.builtin.command:
+ argv:
+ - php
+ - occ
+ - maintenance:install
+ - --database=pgsql
+ - "--database-name={{ nextcloud__db_name }}"
+ - "--database-port={{ postgresql__port }}"
+ - "--database-user={{ nextcloud__db_user }}"
+ - "--database-pass={{ nextcloud__db_password }}"
+ - "--database-host={{ nextcloud__db_host }}"
+ - "--admin-email={{ nextcloud__admin_email }}"
+ - "--admin-user={{ nextcloud__admin_name }}"
+ - "--admin-pass={{ nextcloud__admin_password }}"
+ chdir: "{{ httpd_pre__chroot_dir }}/nextcloud"
+ creates: "{{ nextcloud__data_dir }}/appdata_*"
+ register: nextcloud__result_maintenance_install
+ failed_when:
+ - nextcloud__result_maintenance_install.rc != 0
+ - '"is not defined" is not in nextcloud__result_maintenance_install.stderr'
+ changed_when:
+ - '"is not defined" is not in nextcloud__result_maintenance_install.stderr'
+
+- name: set system settings
+ ansible.builtin.command:
+ cmd: "php occ config:system:set {{ item.option }} {{ item.value }}"
+ chdir: "{{ httpd_pre__chroot_dir }}/nextcloud"
+ loop: "{{ nextcloud__occ_system_settings }}"
+
+- name: disable applications
+ ansible.builtin.command:
+ cmd: "php occ app:enable {{ item }}"
+ chdir: "{{ httpd_pre__chroot_dir }}/nextcloud"
+ loop: "{{ nextcloud__disabled_apps }}"
+ register: nextcloud__result_disable_applications
+ changed_when:
+ - "'already disabled' not in nextcloud__result_disable_applications.stdout"
+
+- name: enable applications
+ ansible.builtin.command:
+ cmd: "php occ app:enable {{ item }}"
+ chdir: "{{ httpd_pre__chroot_dir }}/nextcloud"
+ loop: "{{ nextcloud__enabled_apps }}"
+ register: nextcloud__result_enable_applications
+ changed_when:
+ - "'already enabled' not in nextcloud__result_enable_applications.stdout"
+
+- name: enable encryption
+ ansible.builtin.command:
+ cmd: php occ encryption:enable
+ chdir: "{{ httpd_pre__chroot_dir }}/nextcloud"
+ register: nextcloud__result_enable_encryption
+ changed_when:
+ - "'already enabled' not in nextcloud__result_enable_encryption.stdout"
+
+- name: create application users
+ ansible.builtin.command:
+ argv:
+ - php
+ - occ
+ - user:add
+ - --password-from-env
+ - "--display-name={{ item.fullname }}"
+ - "{{ item.username }}"
+ chdir: "{{ httpd_pre__chroot_dir }}/nextcloud"
+ environment:
+ OC_PASS: "{{ lookup(
+ 'ansible.builtin.password',
+ 'secrets/files/passwords/' + inventory_hostname + '_nextcloud__user_' + item.username + '.txt',
+ )}}"
+ loop: "{{ nextcloud__users }}"
+ register: nextcloud__result_create_application_users
+ failed_when:
+ - nextcloud__result_create_application_users.rc == 1
+ - '"already exists" not in nextcloud__result_create_application_users.stdout'
+ changed_when:
+ - '"already exists" not in nextcloud__result_create_application_users.stdout'
diff --git a/roles/nextcloud/tasks/database.yml b/roles/nextcloud/tasks/database.yml
new file mode 100644
index 0000000..601ee9d
--- /dev/null
+++ b/roles/nextcloud/tasks/database.yml
@@ -0,0 +1,18 @@
+---
+
+- name: create nextcloud database
+ community.postgresql.postgresql_db:
+ name: "{{ nextcloud__db_name }}"
+ encoding: UTF-8
+
+- name: create nextcloud database user
+ community.postgresql.postgresql_user:
+ db: "{{ nextcloud__db_name }}"
+ name: "{{ nextcloud__db_user }}"
+ password: "{{ nextcloud__db_password }}"
+
+- name: add nextcloud db user permissions
+ community.postgresql.postgresql_schema:
+ db: "{{ nextcloud__db_name }}"
+ name: "{{ nextcloud__db_user }}"
+ owner: "{{ nextcloud__db_user }}"
diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml
index bb744e7..2a1a0bc 100644
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
@@ -20,10 +20,60 @@
name: "{{ nextcloud__package_dependencies }}"
state: present
-- name: start and enable php-service
+- name: chown directories to www user
+ file:
+ path: "{{ httpd_pre__chroot_dir }}/nextcloud/{{ item }}"
+ owner: "{{ httpd_pre__user }}"
+ group: "{{ httpd_pre__group }}"
+ recurse: true
+ loop: "{{ nextcloud__owned_directories }}"
+
+- name: create .ocdata file
+ ansible.builtin.file:
+ path: "{{ nextcloud__data_dir }}/.ocdata"
+ owner: "{{ httpd_pre__user }}"
+ group: "{{ httpd_pre__group }}"
+ mode: "0600"
+ state: touch
+
+- name: generate datadirectory workaround configuration
+ ansible.builtin.template:
+ src: datadirectory.config.php.j2
+ dest: "{{ nextcloud__chroot_dir }}/config/datadirectory.config.php"
+ owner: "{{ httpd_pre__user }}"
+ group: "{{ httpd_pre__group }}"
+ mode: "0644"
+
+- name: import php tasks
+ ansible.builtin.import_tasks:
+ file: database.yml
+
+- name: import database tasks
+ ansible.builtin.import_tasks:
+ file: database.yml
+ become: true
+ become_user: "{{ postgresql__user }}"
+
+- name: import occ tasks
+ ansible.builtin.import_tasks:
+ file: occ.yml
+ become: true
+ become_user: "{{ httpd_pre__user }}"
+ become_method: su
+ become_flags: -s /bin/sh
+
+- name: enable nextcloud background jobs
+ ansible.builtin.cron:
+ name: nextcloud background jobs
+ minute: "*/5"
+ job: "php -f {{ nextcloud__chroot_dir }}/cron.php"
+ user: "{{ httpd_pre__user }}"
+
+
+- name: start and enable php-fpm service
ansible.builtin.service:
name: "{{ nextcloud__php_service_name }}"
- state: started
+ state: restarted
enabled: true
- name: generate nextcloud httpd configuration
@@ -33,48 +83,3 @@
owner: 0
group: 0
mode: "0644"
-
-# - name: generate nextcloud php config
-# template:
-# src: etc-php-7.3.ini.j2
-# dest: /etc/php-7.3.ini
-# owner: "www"
-# group: "www"
-# mode: "0644"
-
-# - name: generate nextcloud custom config
-# template:
-# src: var-www-nextcloud-config-custom.config.php.j2
-# dest: /var/www/nextcloud/config/custom.config.php
-# owner: "www"
-# group: "www"
-# mode: "0644"
-
-# - name: copy configuration for domain name and tls in chroot
-# shell: |
-# mkdir -p /var/www/etc/ssl
-# install -m 444 -o root -g bin /etc/resolv.conf /var/www/etc
-# install -m 444 -o root -g bin /etc/ssl/cert.pem /etc/ssl/openssl.cnf /var/www/etc/ssl/
-
-# - name: enable cron job for nextcloud indexing and housekeeping
-# cron:
-# name: "nextcloud indexing"
-# minute: "*/5"
-# job: "php -f /var/www/nextcloud/cron.php"
-# user: www
-
-# - name: ensure directories are chown to www
-# file:
-# path: "/var/www/nextcloud/{{ item }}"
-# owner: "www"
-# group: "www"
-# recurse: true
-# loop:
-# - "apps"
-# - "updater"
-#
-# - name: ensure php-fpm is restarted and enabled
-# service:
-# name: php73_fpm
-# state: restarted
-# enabled: true
diff --git a/roles/nextcloud/tasks/php.yml b/roles/nextcloud/tasks/php.yml
new file mode 100644
index 0000000..9721e8f
--- /dev/null
+++ b/roles/nextcloud/tasks/php.yml
@@ -0,0 +1,17 @@
+---
+
+- name: apply php settings
+ community.general.ini_file:
+ path: "{{ nextcloud__php_configuration_file }}"
+ section: "{{ item.section }}"
+ option: "{{ item.option }}"
+ value: "{{ item.value }}"
+ loop: "{{ nextcloud__php_settings }}"
+
+- name: apply php-fpm settings
+ community.general.ini_file:
+ path: "{{ nextcloud__php_fpm_configuration_file }}"
+ section: "{{ item.section }}"
+ option: "{{ item.option }}"
+ value: "{{ item.value }}"
+ loop: "{{ nextcloud__php_fpm_settings }}"
diff --git a/roles/nextcloud/templates/datadirectory.config.php.j2 b/roles/nextcloud/templates/datadirectory.config.php.j2
new file mode 100644
index 0000000..d5af69a
--- /dev/null
+++ b/roles/nextcloud/templates/datadirectory.config.php.j2
@@ -0,0 +1,8 @@
+<?php
+
+if (\OC::$CLI) {
+ $CONFIG['datadirectory'] = '{{ nextcloud__data_dir }}';
+} else {
+ $CONFIG['datadirectory'] = '{{ nextcloud__chroot_data_dir }}';
+}
+
diff --git a/roles/nextcloud/templates/etc-php-7.3.ini.j2 b/roles/nextcloud/templates/etc-php-7.3.ini.j2
deleted file mode 100644
index 0e79971..0000000
--- a/roles/nextcloud/templates/etc-php-7.3.ini.j2
+++ /dev/null
@@ -1,198 +0,0 @@
-[PHP]
-auto_append_file=
-auto_globals_jit=On
-auto_prepend_file=
-default_charset="UTF-8"
-default_mimetype="text/html"
-disable_classes=
-disable_functions=
-display_errors=Off
-display_startup_errors=Off
-doc_root=
-enable_dl=Off
-engine=On
-error_reporting=E_ALL & ~E_DEPRECATED & ~E_STRICT
-expose_php=On
-extension_dir="/usr/local/lib/php-7.3/modules"
-html_errors=On
-ignore_repeated_errors=Off
-ignore_repeated_source=Off
-implicit_flush=Off
-include_path=".:/pear/lib:/var/www/pear/lib"
-log_errors=On
-log_errors_max_len=1024
-max_execution_time=30
-output_buffering=4096
-precision=14
-register_argc_argv=Off
-report_memleaks=On
-request_order="GP"
-serialize_precision=-1
-short_open_tag=Off
-unserialize_callback_func=
-user_dir=
-variables_order="GPCS"
-zend.enable_gc=On
-zlib.output_compression=Off
-
-allow_url_fopen=On
-allow_url_include=Off
-default_socket_timeout=60
-file_uploads=On
-max_file_uploads=20
-
-memory_limit={{ nextcloud_php_memory_limit }}
-max_input_time={{ nextcloud_php_max_inputtime }}
-post_max_size={{ nextcloud_php_upload_maxsize }}
-upload_max_filesize={{ nextcloud_php_upload_maxsize }}
-
-pm=dynamic
-pm.maxchildren=120
-pm.start_servers=12
-pm.min_spare_servers=6
-pm.max_spare_servers=18
-
-extension=curl
-extension=gd
-extension=intl
-extension=pdo_pgsql
-extension=zip
-
-[CLI Server]
-cli_server.color=On
-
-[Date]
-date.timezone=UTC
-
-[iconv]
-
-[imap]
-
-[intl]
-
-[sqlite3]
-
-[Pcre]
-
-[Pdo]
-
-[Pdo_mysql]
-pdo_mysql.default_socket=
-
-[Phar]
-
-[mail function]
-SMTP=localhost
-smtp_port=25
-mail.add_x_header=Off
-
-[ODBC]
-odbc.allow_persistent=On
-odbc.check_persistent=On
-odbc.max_persistent=-1
-odbc.max_links=-1
-odbc.defaultlrl=4096
-odbc.defaultbinmode=1
-
-[Interbase]
-ibase.allow_persistent=1
-ibase.max_persistent=-1
-ibase.max_links=-1
-ibase.timestampformat="%Y-%m-%d %H:%M:%S"
-ibase.dateformat="%Y-%m-%d"
-ibase.timeformat="%H:%M:%S"
-
-[MySQLi]
-mysqli.max_persistent=-1
-mysqli.allow_persistent=On
-mysqli.max_links=-1
-mysqli.default_port=3306
-mysqli.default_socket=
-mysqli.default_host=
-mysqli.default_user=
-mysqli.default_pw=
-mysqli.reconnect=Off
-
-[mysqlnd]
-mysqlnd.collect_statistics=On
-mysqlnd.collect_memory_statistics=Off
-
-[OCI8]
-
-[PostgreSQL]
-pgsql.allow_persistent=On
-pgsql.auto_reset_persistent=Off
-pgsql.max_persistent=-1
-pgsql.max_links=-1
-pgsql.ignore_notice=0
-pgsql.log_notice=0
-
-[bcmath]
-bcmath.scale=0
-
-[browscap]
-
-[Session]
-session.save_handler=files
-session.use_strict_mode=0
-session.use_cookies=1
-session.use_only_cookies=1
-session.name=PHPSESSID
-session.auto_start=0
-session.cookie_lifetime=0
-session.cookie_path=/
-session.cookie_domain=
-session.cookie_httponly=
-session.cookie_samesite=
-session.serialize_handler=php
-session.gc_probability=1
-session.gc_divisor=1000
-session.gc_maxlifetime=1440
-session.referer_check=
-session.cache_limiter=nocache
-session.cache_expire=180
-session.use_trans_sid=0
-session.sid_length=26
-session.trans_sid_tags="a=href,area=href,frame=src,form="
-session.sid_bits_per_character=5
-
-[Assertion]
-zend.assertions=-1
-
-[COM]
-
-[mbstring]
-
-[gd]
-
-[exif]
-
-[Tidy]
-
-tidy.clean_output=Off
-
-[soap]
-soap.wsdl_cache_enabled=1
-soap.wsdl_cache_dir="/tmp"
-soap.wsdl_cache_ttl=86400
-soap.wsdl_cache_limit=5
-
-[sysvshm]
-
-[ldap]
-ldap.max_links=-1
-
-[dba]
-
-[opcache]
-opcache.enable=1
-opcache.enable_cli=1
-opcache.memory_consumption=128
-opcache.interned_strings_buffer=8
-opcache.max_accelerated_files=10000
-opcache.revalidate_freq=1
-opcache.save_comments=1
-
-[curl]
-
-[openssl]
diff --git a/roles/nextcloud/templates/var-www-nextcloud-config-custom.config.php.j2 b/roles/nextcloud/templates/var-www-nextcloud-config-custom.config.php.j2
deleted file mode 100644
index 15df079..0000000
--- a/roles/nextcloud/templates/var-www-nextcloud-config-custom.config.php.j2
+++ /dev/null
@@ -1,4 +0,0 @@
-<?php
-$CONFIG = array (
- 'datadirectory' => ((php_sapi_name() == 'cli') ? '/var/www' : '') . '/nextcloud/data',
-);
remember that computers suck.