authorChristian Pointner <equinox@spreadspace.org>2022-01-31 23:59:07 +0100
committerChristian Pointner <equinox@spreadspace.org>2022-01-31 23:59:07 +0100
commitebdc942ade4aed78fd7305b4afd54481a619e26f (patch)
tree046e9d937a9380fc855b710f3c1cc3fe03d93e70 /roles/elevate
parentansible_default_ipv4 is very weird (diff)
rework elevate/media role (WIP)
Diffstat (limited to 'roles/elevate')
-rw-r--r--roles/elevate/media/defaults/main.yml46
-rw-r--r--roles/elevate/media/handlers/main.yml8
-rw-r--r--roles/elevate/media/tasks/main.yml36
-rw-r--r--roles/elevate/media/tasks/network.yml53
-rw-r--r--roles/elevate/media/tasks/samba.yml26
-rw-r--r--roles/elevate/media/templates/firewall/elevate-festival.sh.j298
-rw-r--r--roles/elevate/media/templates/firewall/elevate-office.sh.j282
-rw-r--r--roles/elevate/media/templates/firewall/lan-only.sh.j282
-rw-r--r--roles/elevate/media/templates/firewall/r3-with-lan.sh.j297
-rw-r--r--roles/elevate/media/templates/firewall/r3.sh.j291
-rw-r--r--roles/elevate/media/templates/netplan/elevate-festival.yaml.j211
-rw-r--r--roles/elevate/media/templates/netplan/elevate-office.yaml.j211
-rw-r--r--roles/elevate/media/templates/netplan/lan-only.yaml.j211
-rw-r--r--roles/elevate/media/templates/netplan/r3-with-lan.yaml.j218
-rw-r--r--roles/elevate/media/templates/netplan/r3.yaml.j212
-rw-r--r--roles/elevate/media/templates/nextcloud-Dockerfile.j28
-rw-r--r--roles/elevate/media/templates/nextcloud-cron.service.j215
-rw-r--r--roles/elevate/media/templates/nextcloud-cron.timer.j28
-rw-r--r--roles/elevate/media/templates/nextcloud-fpm.conf.j22
-rw-r--r--roles/elevate/media/templates/nextcloud-nginx.conf.j2122
-rw-r--r--roles/elevate/media/templates/nextcloud.service.j216
-rw-r--r--roles/elevate/media/templates/smb.conf.j210
22 files changed, 46 insertions, 817 deletions
diff --git a/roles/elevate/media/defaults/main.yml b/roles/elevate/media/defaults/main.yml
index 6ec62b4e..5cde7860 100644
--- a/roles/elevate/media/defaults/main.yml
+++ b/roles/elevate/media/defaults/main.yml
@@ -1,34 +1,30 @@
---
-nextcloud_version: 20.0.11
+elevate_media_share_uid: "800"
+elevate_media_share_gid: "800"
+# elevate_media_share_storage:
+# ...
-nextcloud_hostnames:
- - wolke.example.com
-nextcloud_db:
- db: nextcloud
- user: nextcloud
- password: changeme
+# elevate_media_nextcloud_storage:
+# ...
-nextcloud_admin:
- user: admin
- password: changeme
+# elevate_media_nextcloud_instance:
+# ...
-nextcloud_lvm: {}
-nextcloud_memory_limit: 8G
-nextcloud_max_upload_size: 20G
+## legacy stuff
-nextcloud_app_config:
- - app: theming
- opts:
- - name: name
- value: Elevate Media Server
- - name: slogan
- value: Fileserver for Elevate Staff
- - name: url
- value: https://elevate.at
+# nextcloud_memory_limit: 8G
+# nextcloud_max_upload_size: 20G
-share_uid: 800
-share_gid: 800
+# nextcloud_app_config:
+# - app: theming
+# opts:
+# - name: name
+# value: Elevate Media Server
+# - name: slogan
+# value: Fileserver for Elevate Staff
+# - name: url
+# value: https://elevate.at
-nextcloud_memory_ratio: 0.3
+# nextcloud_memory_ratio: 0.3
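Review bot: The new placeholders `# elevate_media_share_storage:` / `# ...` say nothing about what the variable must contain, yet tasks/samba.yml in this same commit reads `elevate_media_share_storage.type` to build the `include_role` path and passes the remaining keys through `combine` as `storage_volume`, so a host that does not define it fails at include time with an undefined-variable error. Replace the `# ...` under `elevate_media_share_storage` with a short schema hint, e.g. `#   type: <storage backend, selects roles/storage/<type>/volume>` followed by `#   ... further keys are passed to that role as storage_volume`. The other two placeholders (`elevate_media_nextcloud_storage`, `elevate_media_nextcloud_instance`) appear to be unused anywhere in this diff since the nextcloud tasks are commented out; marking them as not yet consumed would keep readers from looking for a consumer that does not exist.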
diff --git a/roles/elevate/media/handlers/main.yml b/roles/elevate/media/handlers/main.yml
index a4f722af..e5ff2eeb 100644
--- a/roles/elevate/media/handlers/main.yml
+++ b/roles/elevate/media/handlers/main.yml
@@ -1,12 +1,4 @@
---
-- name: netplan apply
- command: netplan apply
-
-- name: firewall restart
- service:
- name: saswall
- state: restarted
-
- name: restart nmbd
service:
name: nmbd
diff --git a/roles/elevate/media/tasks/main.yml b/roles/elevate/media/tasks/main.yml
index 89bf2038..448d3537 100644
--- a/roles/elevate/media/tasks/main.yml
+++ b/roles/elevate/media/tasks/main.yml
@@ -1,36 +1,18 @@
---
-- name: install packages
+- name: install samba
apt:
name:
- - mdadm
- - nginx
- - systemd-docker
- - "{{ python_basename }}-openssl"
- - samba
- - saswall
+ - samba
state: present
-- name: configure network
- import_tasks: network.yml
-
- name: configure samba
import_tasks: samba.yml
-- name: install and configure nextcloud
- import_tasks: nextcloud.yml
-
-- name: configure nginx vhost
- import_role:
- name: nginx/vhost
- vars:
- nginx_vhost:
- name: nextcloud
- content: "{{ lookup('template', 'nextcloud-nginx.conf.j2') }}"
- acme: true
- hostnames: "{{ nextcloud_hostnames }}"
+# - name: install and configure nextcloud
+# import_tasks: nextcloud.yml
-- name: install dstat script
- template:
- src: dstat.sh.j2
- dest: /usr/local/bin/dstat.sh
- mode: 0755
+# - name: install dstat script
+# template:
+# src: dstat.sh.j2
+# dest: /usr/local/bin/dstat.sh
+# mode: 0755
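Review bot: Dropping `saswall` from the package list and removing the `configure network` import leaves this role without any host firewall or network setup, while `configure samba` still installs an smb.conf whose `[share]` and `[nextcloud]` sections are `guest ok = yes` (see the smb.conf.j2 hunks below); the deleted firewall templates previously restricted those services to the LAN source range. If the firewall is now provided by another role or by the host's base configuration, a comment above `- name: install samba` such as `# network setup and host firewall are managed outside this role` would record that; if it is not, the samba ports become reachable on every interface the host has. The commented-out dstat task also still carries the unquoted octal `mode: 0755`; when it is revived it should read `mode: "0755"` to match the quoted `'02775'` used in tasks/samba.yml.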
diff --git a/roles/elevate/media/tasks/network.yml b/roles/elevate/media/tasks/network.yml
deleted file mode 100644
index ef6d364a..00000000
--- a/roles/elevate/media/tasks/network.yml
+++ /dev/null
@@ -1,53 +0,0 @@
----
-- name: create netplan conf-available directory
- file:
- path: /etc/netplan/conf-available
- state: directory
-
-- name: install netplan configs
- loop:
- - lan-only
- - r3
- - r3-with-lan
- - elevate-festival
- - elevate-office
- template:
- src: "netplan/{{ item }}.yaml.j2"
- dest: "/etc/netplan/conf-available/{{ item }}.yaml"
- notify: netplan apply
-
-- name: install firewall scripts
- loop:
- - lan-only
- - r3
- - r3-with-lan
- - elevate-festival
- - elevate-office
- template:
- src: "firewall/{{ item }}.sh.j2"
- dest: "/etc/saswall/{{ item }}.sh"
- mode: 0755
- notify: firewall restart
-
-- name: remove default netplan config
- file:
- path: /etc/netplan/01-netcfg.yaml
- state: absent
- notify: netplan apply
-
-- name: set active netwok setup
- loop:
- - dest: /etc/netplan/01-active.yaml
- src: "conf-available/{{ network_setup }}.yaml"
- - dest: /etc/saswall/rules.sh
- src: "{{ network_setup }}.sh"
- file:
- state: link
- dest: "{{ item.dest }}"
- src: "{{ item.src }}"
- notify:
- - netplan apply
- - firewall restart
-
-- name: make sure network config has been applied
- meta: flush_handlers
diff --git a/roles/elevate/media/tasks/samba.yml b/roles/elevate/media/tasks/samba.yml
index 65cc1d1b..3101a82a 100644
--- a/roles/elevate/media/tasks/samba.yml
+++ b/roles/elevate/media/tasks/samba.yml
@@ -2,35 +2,31 @@
- name: create group for shared access
group:
name: share
- gid: "{{ share_gid }}"
+ gid: "{{ elevate_media_share_gid }}"
- name: create guest user for samba
user:
name: share
- uid: "{{ share_uid }}"
+ uid: "{{ elevate_media_share_uid }}"
home: /var/lib/share
group: share
shell: /bin/false
-## TODO: create software raid + lvm -> mount to /srv/smbdata
+- name: prepare storage volume for samba share
+ vars:
+ storage_volume: "{{ elevate_media_share_storage | combine({'dest': '/srv/_samba_/share', 'mode': '02775', 'owner': 'root', 'group': 'share'}) }}"
+ include_role:
+ name: "storage/{{ elevate_media_share_storage.type }}/volume"
-- name: create directory for shared data
+- name: create directory for read-only nextcloud file bind-mounts
file:
state: directory
- path: /srv/smbdata/share
- owner: root
- group: share
- mode: 02775
-
-- name: create directory for read-only nextcloud files
- file:
- state: directory
- path: /srv/smbdata/nextcloud
+ path: /srv/_samba_/nextcloud
- name: install samba config
template:
src: smb.conf.j2
dest: /etc/samba/smb.conf
notify:
- - restart nmbd
- - restart smbd
+ - restart nmbd
+ - restart smbd
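Review bot: The `prepare storage volume for samba share` task derives the role name from `elevate_media_share_storage.type` without checking that the variable is defined, and the role defaults in this commit only carry it as a commented placeholder, so a misconfigured host fails inside the `include_role` evaluation rather than with a message naming the missing variable. Insert a guard before it: `- name: check that samba share storage is configured` / `  assert:` / `    that: elevate_media_share_storage.type is defined`. The directory created for the read-only nextcloud bind-mounts sets no `owner`/`group`/`mode`, unlike the share volume that gets `root:share` and `'02775'`; if the defaults are intentional a comment saying the directory only hosts mount points would make that clear.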
diff --git a/roles/elevate/media/templates/firewall/elevate-festival.sh.j2 b/roles/elevate/media/templates/firewall/elevate-festival.sh.j2
deleted file mode 100644
index c9d6cb88..00000000
--- a/roles/elevate/media/templates/firewall/elevate-festival.sh.j2
+++ /dev/null
@@ -1,98 +0,0 @@
-#######################
-# Definitions #
-#######################
-
-IPTABLES="/sbin/iptables"
-IP6TABLES="/sbin/ip6tables"
-
-[ -x $IPTABLES ] || exit 0
-[ -x $IP6TABLES ] || exit 0
-
-FILTER="$IPTABLES -t filter"
-NAT="$IPTABLES -t nat"
-MANGLE="$IPTABLES -t mangle"
-
-FILTER6="$IP6TABLES -t filter"
-MANGLE6="$IP6TABLES -t mangle"
-
-LAN_IF="{{ network.primary.name }}"
-LAN_IPADDR="{{ network.primary.address | ipaddr('address') }}"
-LAN_NETMASK="{{ network.primary.address | ipaddr('netmask') }}"
-
-EXT_IF="wg-gwhetzner"
-EXT_IPADDR="192.168.254.2"
-
-EXT_SERVICES_TCP="80 443 {{ ansible_port }}"
-EXT_SERVICES_UDP=""
-
-
-#########################
-# IPv4 UP #
-#########################
-
-ipv4_up() {
- $FILTER -A INPUT -i lo -j ACCEPT
-
- $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -s "$LAN_IPADDR/$LAN_NETMASK" -j ACCEPT
- $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
- $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p icmp -j ACCEPT
- for port in $EXT_SERVICES_TCP; do
- $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p tcp --dport $port -j ACCEPT
- done
- for port in $EXT_SERVICES_UDP; do
- $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p udp --dport $port -j ACCEPT
- done
- $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
-
- $FILTER -P INPUT DROP
- $FILTER -P FORWARD DROP
-
- echo -n "success"
-}
-
-
-#########################
-# IPv6 UP #
-#########################
-
-ipv6_up() {
- $FILTER6 -A INPUT -i lo -j ACCEPT
-
- $FILTER6 -P INPUT DROP
- $FILTER6 -P FORWARD DROP
-
- echo -n "success"
-}
-
-
-#########################
-# IPv4 DOWN #
-#########################
-
-ipv4_down() {
- $MANGLE -F
- $NAT -F
- $FILTER -F
- $FILTER -P INPUT ACCEPT
- $FILTER -P FORWARD ACCEPT
- $FILTER -P OUTPUT ACCEPT
-
- echo -n "success"
-}
-
-
-#########################
-# IPv6 DOWN #
-#########################
-
-ipv6_down() {
- $MANGLE6 -F
- $FILTER6 -F
- $FILTER6 -P INPUT ACCEPT
- $FILTER6 -P FORWARD ACCEPT
- $FILTER6 -P OUTPUT ACCEPT
-
- echo -n "success"
-}
diff --git a/roles/elevate/media/templates/firewall/elevate-office.sh.j2 b/roles/elevate/media/templates/firewall/elevate-office.sh.j2
deleted file mode 100644
index 93805cdf..00000000
--- a/roles/elevate/media/templates/firewall/elevate-office.sh.j2
+++ /dev/null
@@ -1,82 +0,0 @@
-#######################
-# Definitions #
-#######################
-
-IPTABLES="/sbin/iptables"
-IP6TABLES="/sbin/ip6tables"
-
-[ -x $IPTABLES ] || exit 0
-[ -x $IP6TABLES ] || exit 0
-
-FILTER="$IPTABLES -t filter"
-NAT="$IPTABLES -t nat"
-MANGLE="$IPTABLES -t mangle"
-
-FILTER6="$IP6TABLES -t filter"
-MANGLE6="$IP6TABLES -t mangle"
-
-LAN_IF="{{ network.primary.name }}"
-LAN_IPADDR="192.168.0.250"
-LAN_NETMASK="255.255.255.0"
-
-
-#########################
-# IPv4 UP #
-#########################
-
-ipv4_up() {
- $FILTER -A INPUT -i lo -j ACCEPT
-
- $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -s "$LAN_IPADDR/$LAN_NETMASK" -j ACCEPT
- $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
- $FILTER -P INPUT DROP
- $FILTER -P FORWARD DROP
-
- echo -n "success"
-}
-
-
-#########################
-# IPv6 UP #
-#########################
-
-ipv6_up() {
- $FILTER6 -A INPUT -i lo -j ACCEPT
-
- $FILTER6 -P INPUT DROP
- $FILTER6 -P FORWARD DROP
-
- echo -n "success"
-}
-
-
-#########################
-# IPv4 DOWN #
-#########################
-
-ipv4_down() {
- $MANGLE -F
- $NAT -F
- $FILTER -F
- $FILTER -P INPUT ACCEPT
- $FILTER -P FORWARD ACCEPT
- $FILTER -P OUTPUT ACCEPT
-
- echo -n "success"
-}
-
-
-#########################
-# IPv6 DOWN #
-#########################
-
-ipv6_down() {
- $MANGLE6 -F
- $FILTER6 -F
- $FILTER6 -P INPUT ACCEPT
- $FILTER6 -P FORWARD ACCEPT
- $FILTER6 -P OUTPUT ACCEPT
-
- echo -n "success"
-}
diff --git a/roles/elevate/media/templates/firewall/lan-only.sh.j2 b/roles/elevate/media/templates/firewall/lan-only.sh.j2
deleted file mode 100644
index 85f0cde4..00000000
--- a/roles/elevate/media/templates/firewall/lan-only.sh.j2
+++ /dev/null
@@ -1,82 +0,0 @@
-#######################
-# Definitions #
-#######################
-
-IPTABLES="/sbin/iptables"
-IP6TABLES="/sbin/ip6tables"
-
-[ -x $IPTABLES ] || exit 0
-[ -x $IP6TABLES ] || exit 0
-
-FILTER="$IPTABLES -t filter"
-NAT="$IPTABLES -t nat"
-MANGLE="$IPTABLES -t mangle"
-
-FILTER6="$IP6TABLES -t filter"
-MANGLE6="$IP6TABLES -t mangle"
-
-LAN_IF="{{ network.primary.name }}"
-LAN_IPADDR="{{ network.primary.address | ipaddr('address') }}"
-LAN_NETMASK="{{ network.primary.address | ipaddr('netmask') }}"
-
-
-#########################
-# IPv4 UP #
-#########################
-
-ipv4_up() {
- $FILTER -A INPUT -i lo -j ACCEPT
-
- $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -s "$LAN_IPADDR/$LAN_NETMASK" -j ACCEPT
- $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
- $FILTER -P INPUT DROP
- $FILTER -P FORWARD DROP
-
- echo -n "success"
-}
-
-
-#########################
-# IPv6 UP #
-#########################
-
-ipv6_up() {
- $FILTER6 -A INPUT -i lo -j ACCEPT
-
- $FILTER6 -P INPUT DROP
- $FILTER6 -P FORWARD DROP
-
- echo -n "success"
-}
-
-
-#########################
-# IPv4 DOWN #
-#########################
-
-ipv4_down() {
- $MANGLE -F
- $NAT -F
- $FILTER -F
- $FILTER -P INPUT ACCEPT
- $FILTER -P FORWARD ACCEPT
- $FILTER -P OUTPUT ACCEPT
-
- echo -n "success"
-}
-
-
-#########################
-# IPv6 DOWN #
-#########################
-
-ipv6_down() {
- $MANGLE6 -F
- $FILTER6 -F
- $FILTER6 -P INPUT ACCEPT
- $FILTER6 -P FORWARD ACCEPT
- $FILTER6 -P OUTPUT ACCEPT
-
- echo -n "success"
-}
diff --git a/roles/elevate/media/templates/firewall/r3-with-lan.sh.j2 b/roles/elevate/media/templates/firewall/r3-with-lan.sh.j2
deleted file mode 100644
index fb2d45a9..00000000
--- a/roles/elevate/media/templates/firewall/r3-with-lan.sh.j2
+++ /dev/null
@@ -1,97 +0,0 @@
-#######################
-# Definitions #
-#######################
-
-IPTABLES="/sbin/iptables"
-IP6TABLES="/sbin/ip6tables"
-
-[ -x $IPTABLES ] || exit 0
-[ -x $IP6TABLES ] || exit 0
-
-FILTER="$IPTABLES -t filter"
-NAT="$IPTABLES -t nat"
-MANGLE="$IPTABLES -t mangle"
-
-FILTER6="$IP6TABLES -t filter"
-MANGLE6="$IP6TABLES -t mangle"
-
-LAN_IF="{{ network.primary.name }}"
-LAN_IPADDR="{{ network.primary.address | ipaddr('address') }}"
-LAN_NETMASK="{{ network.primary.address | ipaddr('netmask') }}"
-
-EXT_IF="{{ network.primary.name }}.{{ network_zones.ccinet.vlan }}"
-EXT_IPADDR="89.106.211.61"
-
-EXT_SERVICES_TCP="80 443 {{ ansible_port }}"
-EXT_SERVICES_UDP=""
-
-
-#########################
-# IPv4 UP #
-#########################
-
-ipv4_up() {
- $FILTER -A INPUT -i lo -j ACCEPT
-
- $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -s "$LAN_IPADDR/$LAN_NETMASK" -j ACCEPT
-
- $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p icmp -j ACCEPT
- for port in $EXT_SERVICES_TCP; do
- $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p tcp --dport $port -j ACCEPT
- done
- for port in $EXT_SERVICES_UDP; do
- $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p udp --dport $port -j ACCEPT
- done
- $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
-
- $FILTER -P INPUT DROP
- $FILTER -P FORWARD DROP
-
- echo -n "success"
-}
-
-
-#########################
-# IPv6 UP #
-#########################
-
-ipv6_up() {
- $FILTER6 -A INPUT -i lo -j ACCEPT
-
- $FILTER6 -P INPUT DROP
- $FILTER6 -P FORWARD DROP
-
- echo -n "success"
-}
-
-
-#########################
-# IPv4 DOWN #
-#########################
-
-ipv4_down() {
- $MANGLE -F
- $NAT -F
- $FILTER -F
- $FILTER -P INPUT ACCEPT
- $FILTER -P FORWARD ACCEPT
- $FILTER -P OUTPUT ACCEPT
-
- echo -n "success"
-}
-
-
-#########################
-# IPv6 DOWN #
-#########################
-
-ipv6_down() {
- $MANGLE6 -F
- $FILTER6 -F
- $FILTER6 -P INPUT ACCEPT
- $FILTER6 -P FORWARD ACCEPT
- $FILTER6 -P OUTPUT ACCEPT
-
- echo -n "success"
-}
diff --git a/roles/elevate/media/templates/firewall/r3.sh.j2 b/roles/elevate/media/templates/firewall/r3.sh.j2
deleted file mode 100644
index a8425825..00000000
--- a/roles/elevate/media/templates/firewall/r3.sh.j2
+++ /dev/null
@@ -1,91 +0,0 @@
-#######################
-# Definitions #
-#######################
-
-IPTABLES="/sbin/iptables"
-IP6TABLES="/sbin/ip6tables"
-
-[ -x $IPTABLES ] || exit 0
-[ -x $IP6TABLES ] || exit 0
-
-FILTER="$IPTABLES -t filter"
-NAT="$IPTABLES -t nat"
-MANGLE="$IPTABLES -t mangle"
-
-FILTER6="$IP6TABLES -t filter"
-MANGLE6="$IP6TABLES -t mangle"
-
-EXT_IF="{{ network.primary.name }}"
-EXT_IPADDR="89.106.211.61"
-
-EXT_SERVICES_TCP="80 443 {{ ansible_port }}"
-EXT_SERVICES_UDP=""
-
-
-#########################
-# IPv4 UP #
-#########################
-
-ipv4_up() {
- $FILTER -A INPUT -i lo -j ACCEPT
-
- $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p icmp -j ACCEPT
- for port in $EXT_SERVICES_TCP; do
- $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p tcp --dport $port -j ACCEPT
- done
- for port in $EXT_SERVICES_UDP; do
- $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p udp --dport $port -j ACCEPT
- done
- $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
-
- $FILTER -P INPUT DROP
- $FILTER -P FORWARD DROP
-
- echo -n "success"
-}
-
-
-#########################
-# IPv6 UP #
-#########################
-
-ipv6_up() {
- $FILTER6 -A INPUT -i lo -j ACCEPT
-
- $FILTER6 -P INPUT DROP
- $FILTER6 -P FORWARD DROP
-
- echo -n "success"
-}
-
-
-#########################
-# IPv4 DOWN #
-#########################
-
-ipv4_down() {
- $MANGLE -F
- $NAT -F
- $FILTER -F
- $FILTER -P INPUT ACCEPT
- $FILTER -P FORWARD ACCEPT
- $FILTER -P OUTPUT ACCEPT
-
- echo -n "success"
-}
-
-
-#########################
-# IPv6 DOWN #
-#########################
-
-ipv6_down() {
- $MANGLE6 -F
- $FILTER6 -F
- $FILTER6 -P INPUT ACCEPT
- $FILTER6 -P FORWARD ACCEPT
- $FILTER6 -P OUTPUT ACCEPT
-
- echo -n "success"
-}
diff --git a/roles/elevate/media/templates/netplan/elevate-festival.yaml.j2 b/roles/elevate/media/templates/netplan/elevate-festival.yaml.j2
deleted file mode 100644
index 9ca54c55..00000000
--- a/roles/elevate/media/templates/netplan/elevate-festival.yaml.j2
+++ /dev/null
@@ -1,11 +0,0 @@
-network:
- version: 2
- renderer: networkd
- ethernets:
- {{ network.primary.name }}:
- addresses: [ {{ network.primary.address }} ]
- gateway4: {{ network.primary.gateway }}
- accept-ra: false
- nameservers:
- search: [ {{ network.domain }} ]
- addresses: {{ network.nameservers | to_json }}
diff --git a/roles/elevate/media/templates/netplan/elevate-office.yaml.j2 b/roles/elevate/media/templates/netplan/elevate-office.yaml.j2
deleted file mode 100644
index 1dcecf7a..00000000
--- a/roles/elevate/media/templates/netplan/elevate-office.yaml.j2
+++ /dev/null
@@ -1,11 +0,0 @@
-network:
- version: 2
- renderer: networkd
- ethernets:
- {{ network.primary.name }}:
- addresses: [ 192.168.0.250/24 ]
- gateway4: 192.168.0.1
- accept-ra: false
- nameservers:
- search: [ {{ network.domain }} ]
- addresses: [ 192.168.0.1 ]
diff --git a/roles/elevate/media/templates/netplan/lan-only.yaml.j2 b/roles/elevate/media/templates/netplan/lan-only.yaml.j2
deleted file mode 100644
index 9ca54c55..00000000
--- a/roles/elevate/media/templates/netplan/lan-only.yaml.j2
+++ /dev/null
@@ -1,11 +0,0 @@
-network:
- version: 2
- renderer: networkd
- ethernets:
- {{ network.primary.name }}:
- addresses: [ {{ network.primary.address }} ]
- gateway4: {{ network.primary.gateway }}
- accept-ra: false
- nameservers:
- search: [ {{ network.domain }} ]
- addresses: {{ network.nameservers | to_json }}
diff --git a/roles/elevate/media/templates/netplan/r3-with-lan.yaml.j2 b/roles/elevate/media/templates/netplan/r3-with-lan.yaml.j2
deleted file mode 100644
index 3dbfeba6..00000000
--- a/roles/elevate/media/templates/netplan/r3-with-lan.yaml.j2
+++ /dev/null
@@ -1,18 +0,0 @@
-network:
- version: 2
- renderer: networkd
- ethernets:
- {{ network.primary.name }}:
- addresses: [ {{ network.primary.address }} ]
- accept-ra: false
- vlans:
- {{ network.primary.name }}.{{ network_zones.ccinet.vlan }}:
- id: {{ network_zones.ccinet.vlan }}
- link: {{ network.primary.name }}
- addresses: [ 89.106.211.61/27 ]
- gateway4: 89.106.211.33
- accept-ra: false
- nameservers:
- search: [ elevate.at ]
- addresses:
- - "89.106.211.33"
diff --git a/roles/elevate/media/templates/netplan/r3.yaml.j2 b/roles/elevate/media/templates/netplan/r3.yaml.j2
deleted file mode 100644
index 91654c09..00000000
--- a/roles/elevate/media/templates/netplan/r3.yaml.j2
+++ /dev/null
@@ -1,12 +0,0 @@
-network:
- version: 2
- renderer: networkd
- ethernets:
- {{ network.primary.name }}:
- addresses: [ 89.106.211.61/27 ]
- gateway4: 89.106.211.33
- accept-ra: false
- nameservers:
- search: [ elevate.at ]
- addresses:
- - "89.106.211.33"
diff --git a/roles/elevate/media/templates/nextcloud-Dockerfile.j2 b/roles/elevate/media/templates/nextcloud-Dockerfile.j2
deleted file mode 100644
index 33b817f1..00000000
--- a/roles/elevate/media/templates/nextcloud-Dockerfile.j2
+++ /dev/null
@@ -1,8 +0,0 @@
-FROM nextcloud:{{ nextcloud_version }}-fpm
-
-RUN set -x \
- && bash -c 'cd / && find -user www-data -exec chown {{ share_uid }} {} \; || true' \
- && bash -c 'cd / && find -group www-data -exec chown {{ share_gid }} {} \; || true' \
- && sed -e 's/^www-data:\([^:]*\):[0-9]*:[0-9]*:\(.*\)/www-data:\1:{{ share_uid }}:{{ share_gid }}:\2/' -i /etc/passwd \
- && sed -e 's/^www-data:\([^:]*\):[0-9]*:\(.*\)/www-data:\1:800:\2/' -i /etc/group \
- && sed -e 's/^\(exec.*\)$/umask 002\n\1/' -i /entrypoint.sh
diff --git a/roles/elevate/media/templates/nextcloud-cron.service.j2 b/roles/elevate/media/templates/nextcloud-cron.service.j2
deleted file mode 100644
index c88d3bdc..00000000
--- a/roles/elevate/media/templates/nextcloud-cron.service.j2
+++ /dev/null
@@ -1,15 +0,0 @@
-[Unit]
-Description=Nextcloud cron.php job
-
-[Service]
-Type=oneshot
-ExecStart=/usr/bin/docker exec -u www-data nextcloud.service php -f /var/www/html/cron.php
-NoNewPrivileges=yes
-PrivateTmp=yes
-PrivateDevices=yes
-ProtectSystem=strict
-ProtectHome=yes
-ProtectKernelTunables=yes
-ProtectControlGroups=yes
-RestrictRealtime=yes
-RestrictAddressFamilies=AF_UNIX
diff --git a/roles/elevate/media/templates/nextcloud-cron.timer.j2 b/roles/elevate/media/templates/nextcloud-cron.timer.j2
deleted file mode 100644
index ee77e2c3..00000000
--- a/roles/elevate/media/templates/nextcloud-cron.timer.j2
+++ /dev/null
@@ -1,8 +0,0 @@
-[Unit]
-Description=Nextcloud cron.php job timer
-
-[Timer]
-OnCalendar=*:0/10
-
-[Install]
-WantedBy=timers.target
diff --git a/roles/elevate/media/templates/nextcloud-fpm.conf.j2 b/roles/elevate/media/templates/nextcloud-fpm.conf.j2
deleted file mode 100644
index e550e3f0..00000000
--- a/roles/elevate/media/templates/nextcloud-fpm.conf.j2
+++ /dev/null
@@ -1,2 +0,0 @@
-[www]
-listen = 127.0.0.1:9000
diff --git a/roles/elevate/media/templates/nextcloud-nginx.conf.j2 b/roles/elevate/media/templates/nextcloud-nginx.conf.j2
deleted file mode 100644
index 3033d449..00000000
--- a/roles/elevate/media/templates/nextcloud-nginx.conf.j2
+++ /dev/null
@@ -1,122 +0,0 @@
-upstream php-handler {
- server 127.0.0.1:9000;
-}
-
-server {
- listen 80;
- listen [::]:80;
- server_name {{ nextcloud_hostnames | join(' ') }};
-
- include snippets/acmetool.conf;
-
- location / {
- return 301 https://$host$request_uri;
- }
-}
-
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name {{ nextcloud_hostnames | join(' ') }};
-
- include snippets/acmetool.conf;
- include snippets/tls.conf;
- ssl_certificate /var/lib/acme/live/{{ nextcloud_hostnames[0] }}/fullchain;
- ssl_certificate_key /var/lib/acme/live/{{ nextcloud_hostnames[0] }}/privkey;
- include snippets/hsts.conf;
-
- add_header X-Frame-Options "SAMEORIGIN";
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Robots-Tag none;
- add_header X-Download-Options noopen;
- add_header X-Permitted-Cross-Domain-Policies none;
- add_header Referrer-Policy no-referrer;
-
- fastcgi_hide_header X-Powered-By;
-
- root /srv/nextcloud/www/;
-
- location = /robots.txt {
- allow all;
- log_not_found off;
- access_log off;
- }
-
- location = /.well-known/carddav {
- return 301 $scheme://$host/remote.php/dav;
- }
- location = /.well-known/caldav {
- return 301 $scheme://$host/remote.php/dav;
- }
-
- # set max upload size
- client_max_body_size 512M;
- fastcgi_buffers 64 4K;
-
- # fix buffering problem for big downloads
- fastcgi_buffering off;
-
- # Enable gzip but do not remove ETag headers
- gzip on;
- gzip_vary on;
- gzip_comp_level 4;
- gzip_min_length 256;
- gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
- gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
-
- location / {
- rewrite ^ /index.php;
- }
-
- location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
- deny all;
- }
- location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
- deny all;
- }
-
- location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
- fastcgi_split_path_info ^(.+?\.php)(/.*)$;
- try_files $fastcgi_script_name =404;
- include fastcgi_params;
- fastcgi_param SCRIPT_FILENAME /var/www/html/$fastcgi_script_name;
- fastcgi_param PATH_INFO $fastcgi_path_info;
- fastcgi_param HTTPS on;
- #Avoid sending the security headers twice
- fastcgi_param modHeadersAvailable true;
- fastcgi_param front_controller_active true;
- fastcgi_pass php-handler;
- fastcgi_intercept_errors on;
- fastcgi_request_buffering off;
- }
-
- location ~ ^/(?:updater|ocs-provider)(?:$|/) {
- try_files $uri/ =404;
- index index.php;
- }
-
- # Adding the cache control header for js and css files
- # Make sure it is BELOW the PHP block
- location ~ \.(?:css|js|woff2?|svg|gif)$ {
- try_files $uri /index.php$request_uri;
- add_header Cache-Control "public, max-age=15778463";
- ## It is intended to have hsts duplicated to the one above
- include snippets/hsts.conf;
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Robots-Tag none;
- add_header X-Download-Options noopen;
- add_header X-Permitted-Cross-Domain-Policies none;
- add_header Referrer-Policy no-referrer;
-
- # Optional: Don't log access to assets
- access_log off;
- }
-
- location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
- try_files $uri /index.php$request_uri;
- # Optional: Don't log access to other assets
- access_log off;
- }
-}
diff --git a/roles/elevate/media/templates/nextcloud.service.j2 b/roles/elevate/media/templates/nextcloud.service.j2
deleted file mode 100644
index 3406737f..00000000
--- a/roles/elevate/media/templates/nextcloud.service.j2
+++ /dev/null
@@ -1,16 +0,0 @@
-[Unit]
-Description=Nextcloud
-After=docker.service
-Requires=docker.service
-
-[Service]
-ExecStart=/usr/bin/systemd-docker --cgroups name=systemd run --rm --network host --name %n -m {{ (ansible_memtotal_mb * nextcloud_memory_ratio) | round | int }}M -v /srv/nextcloud/config/nextcloud-fpm.conf:/usr/local/etc/php-fpm.d/zzzzz.conf -v /srv/nextcloud/config/nextcloud:/var/www/html/config -v /srv/ncdata/nextcloud:/var/www/html/data -v /srv/smbdata/share:/srv/external/share -v /srv/nextcloud/www:/var/www/html nextcloud:{{ inventory_hostname }}
-Restart=always
-RestartSec=10
-Type=notify
-NotifyAccess=all
-TimeoutStartSec=30
-TimeoutStopSec=5
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/elevate/media/templates/smb.conf.j2 b/roles/elevate/media/templates/smb.conf.j2
index e33aed7e..11435622 100644
--- a/roles/elevate/media/templates/smb.conf.j2
+++ b/roles/elevate/media/templates/smb.conf.j2
@@ -10,9 +10,9 @@
printcap name = /dev/null
disable spoolss = yes
-#### Networking ###
-# socket options = SO_KEEPALIVE IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
- socket options = TCP_NODELAY
+#### Perfomance Tuning ###
+ socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=131072 SO_RCVBUF=131072
+ use sendfile = true
#### Debugging/Accounting ####
log file = /var/log/samba/log.%m
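Review bot: The new section heading is misspelled and does not match the heading style of its neighbours: `#### Perfomance Tuning ###` should read `#### Performance Tuning ####`, with four hashes on both sides as in `#### Debugging/Accounting ####` on the next context line. The socket-option and `use sendfile` values themselves are plain tuning changes and raise nothing on their own. The `[share]` and `[nextcloud]` stanzas touched by the two following hunks keep `guest ok = yes`, which is worth keeping in mind together with the firewall removal in tasks/main.yml.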
@@ -31,7 +31,7 @@
[share]
comment = Shared Space
- path = /srv/smbdata/share
+ path = /srv/_samba_/share
browseable = yes
read only = no
guest ok = yes
@@ -42,7 +42,7 @@
[nextcloud]
comment = Read-Only Access to Nextcloud Files
- path = /srv/smbdata/nextcloud
+ path = /srv/_samba_/nextcloud
browseable = yes
read only = yes
guest ok = yes