diff options
| author | Christian Pointner <equinox@spreadspace.org> | 2022-01-31 23:59:07 +0100 |
|---|---|---|
| committer | Christian Pointner <equinox@spreadspace.org> | 2022-01-31 23:59:07 +0100 |
| commit | ebdc942ade4aed78fd7305b4afd54481a619e26f (patch) | |
| tree | 046e9d937a9380fc855b710f3c1cc3fe03d93e70 /roles/elevate | |
| parent | ansible_default_ipv4 is very weird (diff) | |
rework elevate/media role (WIP)
Diffstat (limited to 'roles/elevate')
22 files changed, 46 insertions, 817 deletions
diff --git a/roles/elevate/media/defaults/main.yml b/roles/elevate/media/defaults/main.yml index 6ec62b4e..5cde7860 100644 --- a/roles/elevate/media/defaults/main.yml +++ b/roles/elevate/media/defaults/main.yml @@ -1,34 +1,30 @@ --- -nextcloud_version: 20.0.11 +elevate_media_share_uid: "800" +elevate_media_share_gid: "800" +# elevate_media_share_storage: +# ... -nextcloud_hostnames: - - wolke.example.com -nextcloud_db: - db: nextcloud - user: nextcloud - password: changeme +# elevate_media_nextcloud_storage: +# ... -nextcloud_admin: - user: admin - password: changeme +# elevate_media_nextcloud_instance: +# ... -nextcloud_lvm: {} -nextcloud_memory_limit: 8G -nextcloud_max_upload_size: 20G +## legacy stuff -nextcloud_app_config: - - app: theming - opts: - - name: name - value: Elevate Media Server - - name: slogan - value: Fileserver for Elevate Staff - - name: url - value: https://elevate.at +# nextcloud_memory_limit: 8G +# nextcloud_max_upload_size: 20G -share_uid: 800 -share_gid: 800 +# nextcloud_app_config: +# - app: theming +# opts: +# - name: name +# value: Elevate Media Server +# - name: slogan +# value: Fileserver for Elevate Staff +# - name: url +# value: https://elevate.at -nextcloud_memory_ratio: 0.3 +# nextcloud_memory_ratio: 0.3 diff --git a/roles/elevate/media/handlers/main.yml b/roles/elevate/media/handlers/main.yml index a4f722af..e5ff2eeb 100644 --- a/roles/elevate/media/handlers/main.yml +++ b/roles/elevate/media/handlers/main.yml @@ -1,12 +1,4 @@ --- -- name: netplan apply - command: netplan apply - -- name: firewall restart - service: - name: saswall - state: restarted - - name: restart nmbd service: name: nmbd diff --git a/roles/elevate/media/tasks/main.yml b/roles/elevate/media/tasks/main.yml index 89bf2038..448d3537 100644 --- a/roles/elevate/media/tasks/main.yml +++ b/roles/elevate/media/tasks/main.yml @@ -1,36 +1,18 @@ --- -- name: install packages +- name: install samba apt: name: - - mdadm - - nginx - - systemd-docker - - "{{ python_basename }}-openssl" - - samba - - saswall + - samba state: present -- name: configure network - import_tasks: network.yml - - name: configure samba import_tasks: samba.yml -- name: install and configure nextcloud - import_tasks: nextcloud.yml - -- name: configure nginx vhost - import_role: - name: nginx/vhost - vars: - nginx_vhost: - name: nextcloud - content: "{{ lookup('template', 'nextcloud-nginx.conf.j2') }}" - acme: true - hostnames: "{{ nextcloud_hostnames }}" +# - name: install and configure nextcloud +# import_tasks: nextcloud.yml -- name: install dstat script - template: - src: dstat.sh.j2 - dest: /usr/local/bin/dstat.sh - mode: 0755 +# - name: install dstat script +# template: +# src: dstat.sh.j2 +# dest: /usr/local/bin/dstat.sh +# mode: 0755 diff --git a/roles/elevate/media/tasks/network.yml b/roles/elevate/media/tasks/network.yml deleted file mode 100644 index ef6d364a..00000000 --- a/roles/elevate/media/tasks/network.yml +++ /dev/null @@ -1,53 +0,0 @@ ---- -- name: create netplan conf-available directory - file: - path: /etc/netplan/conf-available - state: directory - -- name: install netplan configs - loop: - - lan-only - - r3 - - r3-with-lan - - elevate-festival - - elevate-office - template: - src: "netplan/{{ item }}.yaml.j2" - dest: "/etc/netplan/conf-available/{{ item }}.yaml" - notify: netplan apply - -- name: install firewall scripts - loop: - - lan-only - - r3 - - r3-with-lan - - elevate-festival - - elevate-office - template: - src: "firewall/{{ item }}.sh.j2" - dest: "/etc/saswall/{{ item }}.sh" - mode: 0755 - notify: firewall restart - -- name: remove default netplan config - file: - path: /etc/netplan/01-netcfg.yaml - state: absent - notify: netplan apply - -- name: set active netwok setup - loop: - - dest: /etc/netplan/01-active.yaml - src: "conf-available/{{ network_setup }}.yaml" - - dest: /etc/saswall/rules.sh - src: "{{ network_setup }}.sh" - file: - state: link - dest: "{{ item.dest }}" - src: "{{ item.src }}" - notify: - - netplan apply - - firewall restart - -- name: make sure network config has been applied - meta: flush_handlers diff --git a/roles/elevate/media/tasks/samba.yml b/roles/elevate/media/tasks/samba.yml index 65cc1d1b..3101a82a 100644 --- a/roles/elevate/media/tasks/samba.yml +++ b/roles/elevate/media/tasks/samba.yml @@ -2,35 +2,31 @@ - name: create group for shared access group: name: share - gid: "{{ share_gid }}" + gid: "{{ elevate_media_share_gid }}" - name: create guest user for samba user: name: share - uid: "{{ share_uid }}" + uid: "{{ elevate_media_share_uid }}" home: /var/lib/share group: share shell: /bin/false -## TODO: create software raid + lvm -> mount to /srv/smbdata +- name: prepare storage volume for samba share + vars: + storage_volume: "{{ elevate_media_share_storage | combine({'dest': '/srv/_samba_/share', 'mode': '02775', 'owner': 'root', 'group': 'share'}) }}" + include_role: + name: "storage/{{ elevate_media_share_storage.type }}/volume" -- name: create directory for shared data +- name: create directory for read-only nextcloud file bind-mounts file: state: directory - path: /srv/smbdata/share - owner: root - group: share - mode: 02775 - -- name: create directory for read-only nextcloud files - file: - state: directory - path: /srv/smbdata/nextcloud + path: /srv/_samba_/nextcloud - name: install samba config template: src: smb.conf.j2 dest: /etc/samba/smb.conf notify: - - restart nmbd - - restart smbd + - restart nmbd + - restart smbd diff --git a/roles/elevate/media/templates/firewall/elevate-festival.sh.j2 b/roles/elevate/media/templates/firewall/elevate-festival.sh.j2 deleted file mode 100644 index c9d6cb88..00000000 --- a/roles/elevate/media/templates/firewall/elevate-festival.sh.j2 +++ /dev/null @@ -1,98 +0,0 @@ -####################### -# Definitions # -####################### - -IPTABLES="/sbin/iptables" -IP6TABLES="/sbin/ip6tables" - -[ -x $IPTABLES ] || exit 0 -[ -x $IP6TABLES ] || exit 0 - -FILTER="$IPTABLES -t filter" -NAT="$IPTABLES -t nat" -MANGLE="$IPTABLES -t mangle" - -FILTER6="$IP6TABLES -t filter" -MANGLE6="$IP6TABLES -t mangle" - -LAN_IF="{{ network.primary.name }}" -LAN_IPADDR="{{ network.primary.address | ipaddr('address') }}" -LAN_NETMASK="{{ network.primary.address | ipaddr('netmask') }}" - -EXT_IF="wg-gwhetzner" -EXT_IPADDR="192.168.254.2" - -EXT_SERVICES_TCP="80 443 {{ ansible_port }}" -EXT_SERVICES_UDP="" - - -######################### -# IPv4 UP # -######################### - -ipv4_up() { - $FILTER -A INPUT -i lo -j ACCEPT - - $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -s "$LAN_IPADDR/$LAN_NETMASK" -j ACCEPT - $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - - $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p icmp -j ACCEPT - for port in $EXT_SERVICES_TCP; do - $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p tcp --dport $port -j ACCEPT - done - for port in $EXT_SERVICES_UDP; do - $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p udp --dport $port -j ACCEPT - done - $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - - - $FILTER -P INPUT DROP - $FILTER -P FORWARD DROP - - echo -n "success" -} - - -######################### -# IPv6 UP # -######################### - -ipv6_up() { - $FILTER6 -A INPUT -i lo -j ACCEPT - - $FILTER6 -P INPUT DROP - $FILTER6 -P FORWARD DROP - - echo -n "success" -} - - -######################### -# IPv4 DOWN # -######################### - -ipv4_down() { - $MANGLE -F - $NAT -F - $FILTER -F - $FILTER -P INPUT ACCEPT - $FILTER -P FORWARD ACCEPT - $FILTER -P OUTPUT ACCEPT - - echo -n "success" -} - - -######################### -# IPv6 DOWN # -######################### - -ipv6_down() { - $MANGLE6 -F - $FILTER6 -F - $FILTER6 -P INPUT ACCEPT - $FILTER6 -P FORWARD ACCEPT - $FILTER6 -P OUTPUT ACCEPT - - echo -n "success" -} diff --git a/roles/elevate/media/templates/firewall/elevate-office.sh.j2 b/roles/elevate/media/templates/firewall/elevate-office.sh.j2 deleted file mode 100644 index 93805cdf..00000000 --- a/roles/elevate/media/templates/firewall/elevate-office.sh.j2 +++ /dev/null @@ -1,82 +0,0 @@ -####################### -# Definitions # -####################### - -IPTABLES="/sbin/iptables" -IP6TABLES="/sbin/ip6tables" - -[ -x $IPTABLES ] || exit 0 -[ -x $IP6TABLES ] || exit 0 - -FILTER="$IPTABLES -t filter" -NAT="$IPTABLES -t nat" -MANGLE="$IPTABLES -t mangle" - -FILTER6="$IP6TABLES -t filter" -MANGLE6="$IP6TABLES -t mangle" - -LAN_IF="{{ network.primary.name }}" -LAN_IPADDR="192.168.0.250" -LAN_NETMASK="255.255.255.0" - - -######################### -# IPv4 UP # -######################### - -ipv4_up() { - $FILTER -A INPUT -i lo -j ACCEPT - - $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -s "$LAN_IPADDR/$LAN_NETMASK" -j ACCEPT - $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - - $FILTER -P INPUT DROP - $FILTER -P FORWARD DROP - - echo -n "success" -} - - -######################### -# IPv6 UP # -######################### - -ipv6_up() { - $FILTER6 -A INPUT -i lo -j ACCEPT - - $FILTER6 -P INPUT DROP - $FILTER6 -P FORWARD DROP - - echo -n "success" -} - - -######################### -# IPv4 DOWN # -######################### - -ipv4_down() { - $MANGLE -F - $NAT -F - $FILTER -F - $FILTER -P INPUT ACCEPT - $FILTER -P FORWARD ACCEPT - $FILTER -P OUTPUT ACCEPT - - echo -n "success" -} - - -######################### -# IPv6 DOWN # -######################### - -ipv6_down() { - $MANGLE6 -F - $FILTER6 -F - $FILTER6 -P INPUT ACCEPT - $FILTER6 -P FORWARD ACCEPT - $FILTER6 -P OUTPUT ACCEPT - - echo -n "success" -} diff --git a/roles/elevate/media/templates/firewall/lan-only.sh.j2 b/roles/elevate/media/templates/firewall/lan-only.sh.j2 deleted file mode 100644 index 85f0cde4..00000000 --- a/roles/elevate/media/templates/firewall/lan-only.sh.j2 +++ /dev/null @@ -1,82 +0,0 @@ -####################### -# Definitions # -####################### - -IPTABLES="/sbin/iptables" -IP6TABLES="/sbin/ip6tables" - -[ -x $IPTABLES ] || exit 0 -[ -x $IP6TABLES ] || exit 0 - -FILTER="$IPTABLES -t filter" -NAT="$IPTABLES -t nat" -MANGLE="$IPTABLES -t mangle" - -FILTER6="$IP6TABLES -t filter" -MANGLE6="$IP6TABLES -t mangle" - -LAN_IF="{{ network.primary.name }}" -LAN_IPADDR="{{ network.primary.address | ipaddr('address') }}" -LAN_NETMASK="{{ network.primary.address | ipaddr('netmask') }}" - - -######################### -# IPv4 UP # -######################### - -ipv4_up() { - $FILTER -A INPUT -i lo -j ACCEPT - - $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -s "$LAN_IPADDR/$LAN_NETMASK" -j ACCEPT - $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - - $FILTER -P INPUT DROP - $FILTER -P FORWARD DROP - - echo -n "success" -} - - -######################### -# IPv6 UP # -######################### - -ipv6_up() { - $FILTER6 -A INPUT -i lo -j ACCEPT - - $FILTER6 -P INPUT DROP - $FILTER6 -P FORWARD DROP - - echo -n "success" -} - - -######################### -# IPv4 DOWN # -######################### - -ipv4_down() { - $MANGLE -F - $NAT -F - $FILTER -F - $FILTER -P INPUT ACCEPT - $FILTER -P FORWARD ACCEPT - $FILTER -P OUTPUT ACCEPT - - echo -n "success" -} - - -######################### -# IPv6 DOWN # -######################### - -ipv6_down() { - $MANGLE6 -F - $FILTER6 -F - $FILTER6 -P INPUT ACCEPT - $FILTER6 -P FORWARD ACCEPT - $FILTER6 -P OUTPUT ACCEPT - - echo -n "success" -} diff --git a/roles/elevate/media/templates/firewall/r3-with-lan.sh.j2 b/roles/elevate/media/templates/firewall/r3-with-lan.sh.j2 deleted file mode 100644 index fb2d45a9..00000000 --- a/roles/elevate/media/templates/firewall/r3-with-lan.sh.j2 +++ /dev/null @@ -1,97 +0,0 @@ -####################### -# Definitions # -####################### - -IPTABLES="/sbin/iptables" -IP6TABLES="/sbin/ip6tables" - -[ -x $IPTABLES ] || exit 0 -[ -x $IP6TABLES ] || exit 0 - -FILTER="$IPTABLES -t filter" -NAT="$IPTABLES -t nat" -MANGLE="$IPTABLES -t mangle" - -FILTER6="$IP6TABLES -t filter" -MANGLE6="$IP6TABLES -t mangle" - -LAN_IF="{{ network.primary.name }}" -LAN_IPADDR="{{ network.primary.address | ipaddr('address') }}" -LAN_NETMASK="{{ network.primary.address | ipaddr('netmask') }}" - -EXT_IF="{{ network.primary.name }}.{{ network_zones.ccinet.vlan }}" -EXT_IPADDR="89.106.211.61" - -EXT_SERVICES_TCP="80 443 {{ ansible_port }}" -EXT_SERVICES_UDP="" - - -######################### -# IPv4 UP # -######################### - -ipv4_up() { - $FILTER -A INPUT -i lo -j ACCEPT - - $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -s "$LAN_IPADDR/$LAN_NETMASK" -j ACCEPT - - $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p icmp -j ACCEPT - for port in $EXT_SERVICES_TCP; do - $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p tcp --dport $port -j ACCEPT - done - for port in $EXT_SERVICES_UDP; do - $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p udp --dport $port -j ACCEPT - done - $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - - - $FILTER -P INPUT DROP - $FILTER -P FORWARD DROP - - echo -n "success" -} - - -######################### -# IPv6 UP # -######################### - -ipv6_up() { - $FILTER6 -A INPUT -i lo -j ACCEPT - - $FILTER6 -P INPUT DROP - $FILTER6 -P FORWARD DROP - - echo -n "success" -} - - -######################### -# IPv4 DOWN # -######################### - -ipv4_down() { - $MANGLE -F - $NAT -F - $FILTER -F - $FILTER -P INPUT ACCEPT - $FILTER -P FORWARD ACCEPT - $FILTER -P OUTPUT ACCEPT - - echo -n "success" -} - - -######################### -# IPv6 DOWN # -######################### - -ipv6_down() { - $MANGLE6 -F - $FILTER6 -F - $FILTER6 -P INPUT ACCEPT - $FILTER6 -P FORWARD ACCEPT - $FILTER6 -P OUTPUT ACCEPT - - echo -n "success" -} diff --git a/roles/elevate/media/templates/firewall/r3.sh.j2 b/roles/elevate/media/templates/firewall/r3.sh.j2 deleted file mode 100644 index a8425825..00000000 --- a/roles/elevate/media/templates/firewall/r3.sh.j2 +++ /dev/null @@ -1,91 +0,0 @@ -####################### -# Definitions # -####################### - -IPTABLES="/sbin/iptables" -IP6TABLES="/sbin/ip6tables" - -[ -x $IPTABLES ] || exit 0 -[ -x $IP6TABLES ] || exit 0 - -FILTER="$IPTABLES -t filter" -NAT="$IPTABLES -t nat" -MANGLE="$IPTABLES -t mangle" - -FILTER6="$IP6TABLES -t filter" -MANGLE6="$IP6TABLES -t mangle" - -EXT_IF="{{ network.primary.name }}" -EXT_IPADDR="89.106.211.61" - -EXT_SERVICES_TCP="80 443 {{ ansible_port }}" -EXT_SERVICES_UDP="" - - -######################### -# IPv4 UP # -######################### - -ipv4_up() { - $FILTER -A INPUT -i lo -j ACCEPT - - $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p icmp -j ACCEPT - for port in $EXT_SERVICES_TCP; do - $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p tcp --dport $port -j ACCEPT - done - for port in $EXT_SERVICES_UDP; do - $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p udp --dport $port -j ACCEPT - done - $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - - - $FILTER -P INPUT DROP - $FILTER -P FORWARD DROP - - echo -n "success" -} - - -######################### -# IPv6 UP # -######################### - -ipv6_up() { - $FILTER6 -A INPUT -i lo -j ACCEPT - - $FILTER6 -P INPUT DROP - $FILTER6 -P FORWARD DROP - - echo -n "success" -} - - -######################### -# IPv4 DOWN # -######################### - -ipv4_down() { - $MANGLE -F - $NAT -F - $FILTER -F - $FILTER -P INPUT ACCEPT - $FILTER -P FORWARD ACCEPT - $FILTER -P OUTPUT ACCEPT - - echo -n "success" -} - - -######################### -# IPv6 DOWN # -######################### - -ipv6_down() { - $MANGLE6 -F - $FILTER6 -F - $FILTER6 -P INPUT ACCEPT - $FILTER6 -P FORWARD ACCEPT - $FILTER6 -P OUTPUT ACCEPT - - echo -n "success" -} diff --git a/roles/elevate/media/templates/netplan/elevate-festival.yaml.j2 b/roles/elevate/media/templates/netplan/elevate-festival.yaml.j2 deleted file mode 100644 index 9ca54c55..00000000 --- a/roles/elevate/media/templates/netplan/elevate-festival.yaml.j2 +++ /dev/null @@ -1,11 +0,0 @@ -network: - version: 2 - renderer: networkd - ethernets: - {{ network.primary.name }}: - addresses: [ {{ network.primary.address }} ] - gateway4: {{ network.primary.gateway }} - accept-ra: false - nameservers: - search: [ {{ network.domain }} ] - addresses: {{ network.nameservers | to_json }} diff --git a/roles/elevate/media/templates/netplan/elevate-office.yaml.j2 b/roles/elevate/media/templates/netplan/elevate-office.yaml.j2 deleted file mode 100644 index 1dcecf7a..00000000 --- a/roles/elevate/media/templates/netplan/elevate-office.yaml.j2 +++ /dev/null @@ -1,11 +0,0 @@ -network: - version: 2 - renderer: networkd - ethernets: - {{ network.primary.name }}: - addresses: [ 192.168.0.250/24 ] - gateway4: 192.168.0.1 - accept-ra: false - nameservers: - search: [ {{ network.domain }} ] - addresses: [ 192.168.0.1 ] diff --git a/roles/elevate/media/templates/netplan/lan-only.yaml.j2 b/roles/elevate/media/templates/netplan/lan-only.yaml.j2 deleted file mode 100644 index 9ca54c55..00000000 --- a/roles/elevate/media/templates/netplan/lan-only.yaml.j2 +++ /dev/null @@ -1,11 +0,0 @@ -network: - version: 2 - renderer: networkd - ethernets: - {{ network.primary.name }}: - addresses: [ {{ network.primary.address }} ] - gateway4: {{ network.primary.gateway }} - accept-ra: false - nameservers: - search: [ {{ network.domain }} ] - addresses: {{ network.nameservers | to_json }} diff --git a/roles/elevate/media/templates/netplan/r3-with-lan.yaml.j2 b/roles/elevate/media/templates/netplan/r3-with-lan.yaml.j2 deleted file mode 100644 index 3dbfeba6..00000000 --- a/roles/elevate/media/templates/netplan/r3-with-lan.yaml.j2 +++ /dev/null @@ -1,18 +0,0 @@ -network: - version: 2 - renderer: networkd - ethernets: - {{ network.primary.name }}: - addresses: [ {{ network.primary.address }} ] - accept-ra: false - vlans: - {{ network.primary.name }}.{{ network_zones.ccinet.vlan }}: - id: {{ network_zones.ccinet.vlan }} - link: {{ network.primary.name }} - addresses: [ 89.106.211.61/27 ] - gateway4: 89.106.211.33 - accept-ra: false - nameservers: - search: [ elevate.at ] - addresses: - - "89.106.211.33" diff --git a/roles/elevate/media/templates/netplan/r3.yaml.j2 b/roles/elevate/media/templates/netplan/r3.yaml.j2 deleted file mode 100644 index 91654c09..00000000 --- a/roles/elevate/media/templates/netplan/r3.yaml.j2 +++ /dev/null @@ -1,12 +0,0 @@ -network: - version: 2 - renderer: networkd - ethernets: - {{ network.primary.name }}: - addresses: [ 89.106.211.61/27 ] - gateway4: 89.106.211.33 - accept-ra: false - nameservers: - search: [ elevate.at ] - addresses: - - "89.106.211.33" diff --git a/roles/elevate/media/templates/nextcloud-Dockerfile.j2 b/roles/elevate/media/templates/nextcloud-Dockerfile.j2 deleted file mode 100644 index 33b817f1..00000000 --- a/roles/elevate/media/templates/nextcloud-Dockerfile.j2 +++ /dev/null @@ -1,8 +0,0 @@ -FROM nextcloud:{{ nextcloud_version }}-fpm - -RUN set -x \ - && bash -c 'cd / && find -user www-data -exec chown {{ share_uid }} {} \; || true' \ - && bash -c 'cd / && find -group www-data -exec chown {{ share_gid }} {} \; || true' \ - && sed -e 's/^www-data:\([^:]*\):[0-9]*:[0-9]*:\(.*\)/www-data:\1:{{ share_uid }}:{{ share_gid }}:\2/' -i /etc/passwd \ - && sed -e 's/^www-data:\([^:]*\):[0-9]*:\(.*\)/www-data:\1:800:\2/' -i /etc/group \ - && sed -e 's/^\(exec.*\)$/umask 002\n\1/' -i /entrypoint.sh diff --git a/roles/elevate/media/templates/nextcloud-cron.service.j2 b/roles/elevate/media/templates/nextcloud-cron.service.j2 deleted file mode 100644 index c88d3bdc..00000000 --- a/roles/elevate/media/templates/nextcloud-cron.service.j2 +++ /dev/null @@ -1,15 +0,0 @@ -[Unit] -Description=Nextcloud cron.php job - -[Service] -Type=oneshot -ExecStart=/usr/bin/docker exec -u www-data nextcloud.service php -f /var/www/html/cron.php -NoNewPrivileges=yes -PrivateTmp=yes -PrivateDevices=yes -ProtectSystem=strict -ProtectHome=yes -ProtectKernelTunables=yes -ProtectControlGroups=yes -RestrictRealtime=yes -RestrictAddressFamilies=AF_UNIX diff --git a/roles/elevate/media/templates/nextcloud-cron.timer.j2 b/roles/elevate/media/templates/nextcloud-cron.timer.j2 deleted file mode 100644 index ee77e2c3..00000000 --- a/roles/elevate/media/templates/nextcloud-cron.timer.j2 +++ /dev/null @@ -1,8 +0,0 @@ -[Unit] -Description=Nextcloud cron.php job timer - -[Timer] -OnCalendar=*:0/10 - -[Install] -WantedBy=timers.target diff --git a/roles/elevate/media/templates/nextcloud-fpm.conf.j2 b/roles/elevate/media/templates/nextcloud-fpm.conf.j2 deleted file mode 100644 index e550e3f0..00000000 --- a/roles/elevate/media/templates/nextcloud-fpm.conf.j2 +++ /dev/null @@ -1,2 +0,0 @@ -[www] -listen = 127.0.0.1:9000 diff --git a/roles/elevate/media/templates/nextcloud-nginx.conf.j2 b/roles/elevate/media/templates/nextcloud-nginx.conf.j2 deleted file mode 100644 index 3033d449..00000000 --- a/roles/elevate/media/templates/nextcloud-nginx.conf.j2 +++ /dev/null @@ -1,122 +0,0 @@ -upstream php-handler { - server 127.0.0.1:9000; -} - -server { - listen 80; - listen [::]:80; - server_name {{ nextcloud_hostnames | join(' ') }}; - - include snippets/acmetool.conf; - - location / { - return 301 https://$host$request_uri; - } -} - -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name {{ nextcloud_hostnames | join(' ') }}; - - include snippets/acmetool.conf; - include snippets/tls.conf; - ssl_certificate /var/lib/acme/live/{{ nextcloud_hostnames[0] }}/fullchain; - ssl_certificate_key /var/lib/acme/live/{{ nextcloud_hostnames[0] }}/privkey; - include snippets/hsts.conf; - - add_header X-Frame-Options "SAMEORIGIN"; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Robots-Tag none; - add_header X-Download-Options noopen; - add_header X-Permitted-Cross-Domain-Policies none; - add_header Referrer-Policy no-referrer; - - fastcgi_hide_header X-Powered-By; - - root /srv/nextcloud/www/; - - location = /robots.txt { - allow all; - log_not_found off; - access_log off; - } - - location = /.well-known/carddav { - return 301 $scheme://$host/remote.php/dav; - } - location = /.well-known/caldav { - return 301 $scheme://$host/remote.php/dav; - } - - # set max upload size - client_max_body_size 512M; - fastcgi_buffers 64 4K; - - # fix buffering problem for big downloads - fastcgi_buffering off; - - # Enable gzip but do not remove ETag headers - gzip on; - gzip_vary on; - gzip_comp_level 4; - gzip_min_length 256; - gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; - gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; - - location / { - rewrite ^ /index.php; - } - - location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { - deny all; - } - location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { - deny all; - } - - location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) { - fastcgi_split_path_info ^(.+?\.php)(/.*)$; - try_files $fastcgi_script_name =404; - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME /var/www/html/$fastcgi_script_name; - fastcgi_param PATH_INFO $fastcgi_path_info; - fastcgi_param HTTPS on; - #Avoid sending the security headers twice - fastcgi_param modHeadersAvailable true; - fastcgi_param front_controller_active true; - fastcgi_pass php-handler; - fastcgi_intercept_errors on; - fastcgi_request_buffering off; - } - - location ~ ^/(?:updater|ocs-provider)(?:$|/) { - try_files $uri/ =404; - index index.php; - } - - # Adding the cache control header for js and css files - # Make sure it is BELOW the PHP block - location ~ \.(?:css|js|woff2?|svg|gif)$ { - try_files $uri /index.php$request_uri; - add_header Cache-Control "public, max-age=15778463"; - ## It is intended to have hsts duplicated to the one above - include snippets/hsts.conf; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Robots-Tag none; - add_header X-Download-Options noopen; - add_header X-Permitted-Cross-Domain-Policies none; - add_header Referrer-Policy no-referrer; - - # Optional: Don't log access to assets - access_log off; - } - - location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ { - try_files $uri /index.php$request_uri; - # Optional: Don't log access to other assets - access_log off; - } -} diff --git a/roles/elevate/media/templates/nextcloud.service.j2 b/roles/elevate/media/templates/nextcloud.service.j2 deleted file mode 100644 index 3406737f..00000000 --- a/roles/elevate/media/templates/nextcloud.service.j2 +++ /dev/null @@ -1,16 +0,0 @@ -[Unit] -Description=Nextcloud -After=docker.service -Requires=docker.service - -[Service] -ExecStart=/usr/bin/systemd-docker --cgroups name=systemd run --rm --network host --name %n -m {{ (ansible_memtotal_mb * nextcloud_memory_ratio) | round | int }}M -v /srv/nextcloud/config/nextcloud-fpm.conf:/usr/local/etc/php-fpm.d/zzzzz.conf -v /srv/nextcloud/config/nextcloud:/var/www/html/config -v /srv/ncdata/nextcloud:/var/www/html/data -v /srv/smbdata/share:/srv/external/share -v /srv/nextcloud/www:/var/www/html nextcloud:{{ inventory_hostname }} -Restart=always -RestartSec=10 -Type=notify -NotifyAccess=all -TimeoutStartSec=30 -TimeoutStopSec=5 - -[Install] -WantedBy=multi-user.target diff --git a/roles/elevate/media/templates/smb.conf.j2 b/roles/elevate/media/templates/smb.conf.j2 index e33aed7e..11435622 100644 --- a/roles/elevate/media/templates/smb.conf.j2 +++ b/roles/elevate/media/templates/smb.conf.j2 @@ -10,9 +10,9 @@ printcap name = /dev/null disable spoolss = yes -#### Networking ### -# socket options = SO_KEEPALIVE IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192 - socket options = TCP_NODELAY +#### Perfomance Tuning ### + socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=131072 SO_RCVBUF=131072 + use sendfile = true #### Debugging/Accounting #### log file = /var/log/samba/log.%m @@ -31,7 +31,7 @@ [share] comment = Shared Space - path = /srv/smbdata/share + path = /srv/_samba_/share browseable = yes read only = no guest ok = yes @@ -42,7 +42,7 @@ [nextcloud] comment = Read-Only Access to Nextcloud Files - path = /srv/smbdata/nextcloud + path = /srv/_samba_/nextcloud browseable = yes read only = yes guest ok = yes |