From b523cf86c8cbedb43cf625a1a847ca828afd5fba Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Sun, 13 Oct 2019 17:29:11 +0200 Subject: nextcloud basic installation is finally working properly --- roles/nextcloud/defaults/main.yml | 1 + roles/nextcloud/tasks/main.yml | 73 ++++++++++++++++------- roles/nextcloud/templates/apache-site.conf.j2 | 18 ++++++ roles/nextcloud/templates/nginx-vhost.conf.j2 | 45 ++++++++++++++ roles/nextcloud/templates/pod-with-mariadb.yml.j2 | 10 +++- 5 files changed, 126 insertions(+), 21 deletions(-) create mode 100644 roles/nextcloud/templates/apache-site.conf.j2 create mode 100644 roles/nextcloud/templates/nginx-vhost.conf.j2 (limited to 'roles/nextcloud') diff --git a/roles/nextcloud/defaults/main.yml b/roles/nextcloud/defaults/main.yml index 0cd84485..16637f44 100644 --- a/roles/nextcloud/defaults/main.yml +++ b/roles/nextcloud/defaults/main.yml @@ -14,6 +14,7 @@ nextcloud_db_gid: "951" # nextcloud_instances: # example: +# new: yes # version: 17.0.0 # port: 8100 # hostnames: diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml index 190afb47..0f9413b9 100644 --- a/roles/nextcloud/tasks/main.yml +++ b/roles/nextcloud/tasks/main.yml @@ -77,7 +77,7 @@ state: directory -- name: create image config dir +- name: create auxiliary config directory loop: "{{ nextcloud_instances | list }}" file: path: "{{ nextcloud_base_path }}/{{ item }}/config" 
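Review bot: The new `# new: yes` line in the nextcloud_instances example does not say what the flag does, and the truthy spelling `yes` hides that it is a boolean. Elsewhere in this patch the pod template gates the `env:` blocks that inject NEXTCLOUD_TRUSTED_DOMAINS and the MySQL credentials on `'new' in item.value and item.value.new`, so a reader needs to know when to set the flag and when to remove it. I would write the example as `# new: true  # inject the initial env (trusted domains, db credentials) into the pod` and add a sentence on when operators are expected to drop it, the exact wording to be confirmed against the intended workflow. Spelling it `true` also keeps yamllint's truthy rule quiet.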
@@ -85,33 +85,47 @@ - name: create apache vhost config loop: "{{ nextcloud_instances | list }}" - copy: - content: | - - ServerAdmin webmaster@localhost - DocumentRoot /var/www/html - - # SetEnv HTTPS on - # SetEnvIfNoCase X-Forwarded-Proto https HTTPS=on - - ErrorLog ${APACHE_LOG_DIR}/error.log - CustomLog ${APACHE_LOG_DIR}/access.log combined - + template: + src: apache-site.conf.j2 dest: "{{ nextcloud_base_path }}/{{ item }}/config/apache-site.conf" -- name: configure apache to run on port 8080 only +- name: configure apache to run on port 8443 only loop: "{{ nextcloud_instances | list }}" copy: content: | - Listen 8080 + Listen 8443 dest: "{{ nextcloud_base_path }}/{{ item }}/config/ports.conf" -- name: install cron trigger script + +- name: create tls cert/key directory loop: "{{ nextcloud_instances | list }}" - template: - src: run-cron.sh.j2 - dest: "{{ nextcloud_base_path }}/{{ item }}/config/run-cron.sh" - mode: 0755 + file: + path: "{{ nextcloud_base_path }}/{{ item }}/config/tls" + state: directory + +- name: generate tls private key for apache + loop: "{{ nextcloud_instances | list }}" + openssl_privatekey: + path: "{{ nextcloud_base_path }}/{{ item }}/config/tls/nextcloud.key" + mode: 0640 + owner: root + group: nc-app + +- name: generate csr for selfsigned certifacate + loop: "{{ nextcloud_instances | list }}" + openssl_csr: + path: "{{ nextcloud_base_path }}/{{ item }}/config/tls/nextcloud.csr" + privatekey_path: "{{ nextcloud_base_path }}/{{ item }}/config/tls/nextcloud.key" + common_name: "nextcloud-{{ item }}" + +## TODO: fix idempotence +- name: generate tls self-signed certificate for apache + loop: "{{ nextcloud_instances | list }}" + openssl_certificate: + path: "{{ nextcloud_base_path }}/{{ item }}/config/tls/nextcloud.crt" + privatekey_path: "{{ nextcloud_base_path }}/{{ item }}/config/tls/nextcloud.key" + csr_path: "{{ nextcloud_base_path }}/{{ item }}/config/tls/nextcloud.csr" + provider: selfsigned - name: generate pod manifests 
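Review bot: The `openssl_csr` task for the self-signed certificate sets only `common_name`, while the nginx vhost added in this patch verifies the upstream with `proxy_ssl_verify on` and `proxy_ssl_name nextcloud-{{ item.key }}`; that match currently relies on the CN fallback, which many TLS stacks no longer accept, so add `subject_alt_name: "DNS:nextcloud-{{ item }}"` to the CSR task. The `openssl_certificate` task sets no `selfsigned_not_after`, so the module default (about ten years per its documentation) applies; state the intended lifetime explicitly, e.g. `selfsigned_not_after: "+365d"`, and expand the `## TODO: fix idempotence` marker to say what is observed to change on re-runs so the next person does not have to rediscover it. The private key's `mode: 0640` is an unquoted octal; Ansible's loader reads the leading zero as intended, but `mode: "0640"` is the spelling that survives other YAML tooling.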
@@ -124,6 +138,13 @@ mode: 0600 +- name: install cron trigger script + loop: "{{ nextcloud_instances | list }}" + template: + src: run-cron.sh.j2 + dest: "{{ nextcloud_base_path }}/{{ item }}/config/run-cron.sh" + mode: 0755 + - name: install template systemd unit for cron trigger template: src: cron@.service.j2 @@ -142,3 +163,15 @@ name: "nextcloud-cron-{{ item }}.timer" state: started enabled: yes + + +- name: configure nginx vhost + loop: "{{ nextcloud_instances | dict2items }}" + include_role: + name: nginx/vhost + vars: + nginx_vhost: + name: "{{ item.key }}" + content: "{{ lookup('template', 'nginx-vhost.conf.j2') }}" + acme: true + hostnames: "{{ item.value.hostnames }}" diff --git a/roles/nextcloud/templates/apache-site.conf.j2 b/roles/nextcloud/templates/apache-site.conf.j2 new file mode 100644 index 00000000..457cdfd4 --- /dev/null +++ b/roles/nextcloud/templates/apache-site.conf.j2 @@ -0,0 +1,18 @@ +Include mods-available/socache_shmcb.load +Include mods-available/ssl.load +Include mods-available/ssl.conf + + + ServerAdmin webmaster@localhost + DocumentRoot /var/www/html + + UseCanonicalName Off + UseCanonicalPhysicalPort Off + + SSLEngine On + SSLCertificateFile /etc/apache2/tls/nextcloud.crt + SSLCertificateKeyFile /etc/apache2/tls/nextcloud.key + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + diff --git a/roles/nextcloud/templates/nginx-vhost.conf.j2 b/roles/nextcloud/templates/nginx-vhost.conf.j2 new file mode 100644 index 00000000..717c0dea --- /dev/null +++ b/roles/nextcloud/templates/nginx-vhost.conf.j2 
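Review bot: In the `configure nginx vhost` task, `content: "{{ lookup('template', 'nginx-vhost.conf.j2') }}"` is passed through `vars:` of `include_role`, and Ansible evaluates such vars lazily inside the included role; the template's `item.key`/`item.value` references therefore resolve against whatever `item` is bound to when nginx/vhost reads `nginx_vhost.content`, which is a different value if that role loops. Rendering eagerly avoids the ambiguity, e.g. `loop_control: {loop_var: instance}` on this task with the template switched to `instance.key`/`instance.value`, or a `set_fact` holding the rendered text before the include. The nginx/vhost role is not in this diff, so this may be harmless today; a comment such as `# nginx_vhost.content is templated lazily inside nginx/vhost` would at least record the dependency.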
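Review bot: The new apache-site.conf.j2 carries no comment explaining that its TLS is only the internal hop from nginx, which in this patch terminates the public ACME certificate and re-encrypts to `127.0.0.1:{{ item.value.port }}` while verifying the self-signed `nextcloud.crt` by name; a first line such as `# Internal TLS only: nginx (nginx-vhost.conf.j2) terminates the public cert and verifies this self-signed one via proxy_ssl_name` would keep the next reader from replacing it with a public certificate. The `<VirtualHost>` open and close lines are not visible in this rendering of the hunk (apparently stripped as markup), so I cannot confirm the vhost binds `*:8443` to match the `Listen 8443` written to ports.conf. `ServerAdmin webmaster@localhost` is carried over from the old inline config and could be dropped or driven by a variable.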
@@ -0,0 +1,45 @@ +server { + listen 80; + listen [::]:80; + server_name {{ item.value.hostnames | join(' ') }}; + + include snippets/acmetool.conf; + + location / { + return 301 https://$host$request_uri; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name {{ item.value.hostnames | join(' ') }}; + + include snippets/acmetool.conf; + include snippets/ssl.conf; + ssl_certificate /var/lib/acme/live/{{ item.value.hostnames[0] }}/fullchain; + ssl_certificate_key /var/lib/acme/live/{{ item.value.hostnames[0] }}/privkey; + include snippets/hsts.conf; + + location / { + include snippets/proxy-nobuff.conf; + client_max_body_size 512M; + + proxy_set_header Host $host:443; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Ssl on; + proxy_set_header X-Forwarded-Port $server_port; + + # for websockets + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_ssl_trusted_certificate /srv/storage/nextcloud/{{ item.key }}/config/tls/nextcloud.crt; + proxy_ssl_verify on; + proxy_ssl_name nextcloud-{{ item.key }}; + + proxy_pass https://127.0.0.1:{{ item.value.port }}; + } +} diff --git a/roles/nextcloud/templates/pod-with-mariadb.yml.j2 b/roles/nextcloud/templates/pod-with-mariadb.yml.j2 index 7fa40cd4..92347a44 100644 --- a/roles/nextcloud/templates/pod-with-mariadb.yml.j2 +++ b/roles/nextcloud/templates/pod-with-mariadb.yml.j2 @@ -14,6 +14,7 @@ spec: resources: limits: memory: "4Gi" +{% if 'new' in item.value and item.value.new %} env: - name: NEXTCLOUD_TRUSTED_DOMAINS value: "{{ item.value.hostnames | join(' ') }}" @@ -25,6 +26,7 @@ spec: value: nextcloud - name: MYSQL_PASSWORD value: "{{ item.value.database.password }}" +{% endif %} volumeMounts: - name: nextcloud mountPath: /var/www/html 
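Review bot: `proxy_ssl_trusted_certificate` in the 443 server block hard-codes `/srv/storage/nextcloud/{{ item.key }}/config/tls/nextcloud.crt`, whereas the tasks that generate that file build the path from `nextcloud_base_path`; if the variable ever changes, upstream verification points at a stale or missing file and nginx refuses to start. Use `proxy_ssl_trusted_certificate {{ nextcloud_base_path }}/{{ item.key }}/config/tls/nextcloud.crt;` so the two stay in sync. `$connection_upgrade` is referenced for the websocket headers but no `map $http_upgrade $connection_upgrade` appears in this diff; presumably the nginx role's http-level config defines it, otherwise `nginx -t` fails, so a comment naming where it comes from would help.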
@@ -36,8 +38,12 @@ spec: mountPath: /etc/apache2/ports.conf subPath: ports.conf readOnly: true + - name: config + mountPath: /etc/apache2/tls/ + subPath: tls + readOnly: true ports: - - containerPort: 8080 + - containerPort: 8443 hostPort: {{ item.value.port }} - name: database image: "mariadb:{{ item.value.database.version }}" @@ -50,6 +56,7 @@ spec: resources: limits: memory: "2Gi" +{% if 'new' in item.value and item.value.new %} env: - name: MYSQL_RANDOM_ROOT_PASSWORD value: "true" @@ -59,6 +66,7 @@ spec: value: nextcloud - name: MYSQL_PASSWORD value: "{{ item.value.database.password }}" +{% endif %} volumeMounts: - name: database mountPath: /var/lib/mysql -- cgit v1.2.3
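Review bot: The rewritten `ports:` entry maps `containerPort: 8443` to `hostPort: {{ item.value.port }}` with no `hostIP`, so the self-signed Apache listener is reachable on every host interface rather than only by nginx, which proxies to `127.0.0.1:{{ item.value.port }}`; adding `hostIP: 127.0.0.1` beneath `hostPort` keeps the internal hop internal, provided the runtime that consumes this manifest honours the field. The new `config` mount with `subPath: tls` places the directory holding `nextcloud.key` inside the container; `readOnly: true` is right, and a comment such as `# tls/ holds the self-signed key+cert Apache needs to terminate the nginx -> container hop` would explain why the private key, not just the certificate, has to be mounted.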