├── .gitattributes ├── LICENSE ├── README.md ├── ansible.cfg ├── cloud-stuff ├── README.md └── cloud-init ├── collabora.yml ├── files └── permissions.sh ├── group_vars └── all.yml ├── inventory ├── meta └── main.yml ├── nextcloud.yml ├── only_office.yml ├── prepare_system.sh └── roles ├── nc_fail2ban ├── README.md ├── defaults │ └── main.yml ├── files │ ├── fail2ban-server.pp │ └── nextcloud.conf ├── handlers │ └── main.yml ├── meta │ └── main.yml ├── tasks │ ├── Amazon.yml │ ├── CentOS.yml │ ├── Debian.yml │ ├── Fedora.yml │ ├── Ubuntu.yml │ ├── main.yml │ └── selinux.yml ├── templates │ └── nextcloud.local.j2 └── vars │ └── main.yml ├── prep_collabora ├── README.md ├── defaults │ └── main.yml ├── handlers │ └── main.yml ├── meta │ └── main.yml ├── tasks │ └── main.yml └── vars │ └── main.yml ├── prep_docker ├── README.md ├── defaults │ └── main.yml ├── handlers │ └── main.yml ├── meta │ └── main.yml ├── tasks │ ├── Amazon.yml │ ├── CentOS.yml │ ├── Debian.yml │ ├── Fedora.yml │ ├── Ubuntu.yml │ └── main.yml └── vars │ └── main.yml ├── prep_letsencrypt ├── defaults │ └── main.yml ├── handlers │ └── main.yml ├── meta │ └── main.yml ├── tasks │ ├── Amazon.yml │ ├── CentOS.yml │ ├── Debian.yml │ ├── Fedora.yml │ ├── Ubuntu.yml │ └── main.yml └── vars │ └── main.yml ├── prep_mariadb ├── defaults │ └── main.yml ├── handlers │ └── main.yml ├── meta │ └── main.yml ├── tasks │ ├── Amazon.yml │ ├── CentOS.yml │ ├── Debian.yml │ ├── Fedora.yml │ ├── Ubuntu.yml │ └── main.yml ├── templates │ └── my.cnf.j2 └── vars │ └── main.yml ├── prep_nextcloud ├── defaults │ ├── config.json │ └── main.yml ├── files │ ├── httpd-to-php-fpm.pp │ ├── httpd-to-redis-socket.pp │ └── httpd-to-upload-tmp.pp ├── handlers │ └── main.yml ├── meta │ └── main.yml ├── tasks │ ├── main.yml │ └── selinux.yml └── vars │ └── main.yml ├── prep_nginx ├── defaults │ └── main.yml ├── files │ ├── letsencrypt.conf │ ├── optimization.conf │ ├── php_optimization.conf │ └── proxy.conf ├── handlers │ └── main.yml 
├── meta │ └── main.yml ├── tasks │ ├── Amazon.yml │ ├── CentOS.yml │ ├── Debian.yml │ ├── Fedora.yml │ ├── Ubuntu.yml │ └── main.yml ├── templates │ ├── header.conf.j2 │ ├── nextcloud.conf.j2 │ ├── nginx.conf.j2 │ ├── ssl.conf.letsencrypt.j2 │ └── ssl.conf.selfsigned.j2 └── vars │ └── main.yml ├── prep_onlyoffice ├── README.md ├── defaults │ └── main.yml ├── handlers │ └── main.yml ├── meta │ └── main.yml ├── tasks │ └── main.yml └── vars │ └── main.yml ├── prep_os ├── defaults │ └── main.yml ├── files │ └── disable-transparent-huge-pages.service ├── handlers │ └── main.yml ├── meta │ └── main.yml ├── tasks │ ├── Amazon.yml │ ├── CentOS.yml │ ├── Debian.yml │ ├── Fedora.yml │ ├── Ubuntu.yml │ └── main.yml └── vars │ └── main.yml ├── prep_php ├── defaults │ └── main.yml ├── files │ ├── Amazon │ │ ├── cli.php.ini │ │ └── fpm.php.ini │ ├── CentOS │ │ ├── cli.php.ini │ │ └── fpm.php.ini │ ├── Debian │ │ ├── cli.php.ini │ │ └── fpm.php.ini │ ├── Fedora │ │ ├── cli.php.ini │ │ └── fpm.php.ini │ └── Ubuntu │ │ ├── cli.php.ini │ │ └── fpm.php.ini ├── handlers │ └── main.yml ├── meta │ └── main.yml ├── tasks │ ├── Amazon.yml │ ├── CentOS.yml │ ├── Debian.yml │ ├── Fedora.yml │ ├── Ubuntu.yml │ ├── main.yml │ └── selinux.yml ├── templates │ ├── Amazon │ │ ├── php-fpm.conf │ │ └── www.conf │ ├── CentOS │ │ ├── php-fpm.conf │ │ └── www.conf │ ├── Debian │ │ ├── php-fpm.conf │ │ └── www.conf │ ├── Fedora │ │ ├── php-fpm.conf │ │ └── www.conf │ └── Ubuntu │ │ ├── php-fpm.conf │ │ └── www.conf └── vars │ └── main.yml ├── prep_postgres ├── README.md ├── defaults │ └── main.yml ├── handlers │ └── main.yml ├── meta │ └── main.yml ├── tasks │ ├── Amazon.yml │ ├── CentOS.yml │ ├── Debian.yml │ ├── Fedora.yml │ ├── Ubuntu.yml │ └── main.yml ├── templates │ ├── pg_hba.conf.j2 │ ├── postgresql.conf.j2 │ └── postgresql.tmpfiles.d.j2 └── vars │ └── main.yml ├── prep_redis ├── README.md ├── defaults │ └── main.yml ├── files │ └── redis.conf ├── handlers │ └── main.yml ├── meta │ └── 
main.yml ├── tasks │ ├── Amazon.yml │ ├── CentOS.yml │ ├── Debian.yml │ ├── Fedora.yml │ ├── Ubuntu.yml │ └── main.yml └── vars │ └── main.yml ├── prep_secrets ├── README.md ├── defaults │ └── main.yml ├── meta │ └── main.yml ├── tasks │ └── main.yml └── vars │ └── main.yml ├── prep_selfssl ├── README.md ├── defaults │ └── main.yml ├── handlers │ └── main.yml ├── meta │ └── main.yml ├── tasks │ └── main.yml └── vars │ └── main.yml ├── prep_talk ├── README.md ├── defaults │ └── main.yml ├── files │ └── centos_rpms │ │ ├── turnserver-4.5.0.7-0.el7.x86_64.rpm │ │ ├── turnserver-client-libs-4.5.0.7-0.el7.x86_64.rpm │ │ └── turnserver-utils-4.5.0.7-0.el7.x86_64.rpm ├── handlers │ └── main.yml ├── meta │ └── main.yml ├── tasks │ ├── CentOS.yml │ ├── Debian.yml │ ├── Fedora.yml │ ├── Ubuntu.yml │ └── main.yml ├── templates │ └── turnserver.conf.j2 └── vars │ └── main.yml ├── prep_ufw ├── README.md ├── defaults │ └── main.yml ├── handlers │ └── main.yml ├── meta │ └── main.yml ├── tasks │ ├── Debian.yml │ ├── Ubuntu.yml │ └── main.yml ├── templates │ └── etc_default_ufw.j2 └── vars │ └── main.yml └── restic_backup ├── README.md ├── defaults └── main.yml ├── meta └── main.yml ├── tasks ├── install_rclone.yml ├── install_restic.yml └── main.yml ├── templates └── backup_nextcloud.sh.j2 └── vars └── main.yml /.gitattributes: -------------------------------------------------------------------------------- 1 | * text=auto 2 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2018 ReinerNippes 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | 
copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /ansible.cfg: -------------------------------------------------------------------------------- 1 | [defaults] 2 | inventory = inventory 3 | 4 | callback_enabled = profile_tasks 5 | retry_files_enabled = False 6 | host_key_checking = False 7 | 8 | # Use the YAML callback plugin. 9 | stdout_callback = yaml 10 | # Use the stdout_callback when running ad-hoc commands. 11 | bin_ansible_callbacks = True 12 | -------------------------------------------------------------------------------- /cloud-stuff/README.md: -------------------------------------------------------------------------------- 1 | NextCloud in the Cloud 2 | ========= 3 | 4 | Launch an AWS EC2 instance, DigitalOcean Droplet or OpenStack server, wait 5-20 minutes and log in to your NextCloud 5 | 6 | The cloud-init snippet is an example of launching a Nextcloud server in the cloud that is automatically fully configured, up & running and ready to use. 
7 | 8 | More info about cloud-init: https://cloudinit.readthedocs.io/en/latest/ 9 | -------------------------------------------------------------------------------- /cloud-stuff/cloud-init: -------------------------------------------------------------------------------- 1 | #cloud-config 2 | 3 | # 4 | # Bootstrap Nextcloud 5 | # 6 | # Edit ssh-authorized-keys: and runcmd: according to your needs 7 | # Insert this as cloud-config/user data at launch of your ec2, droplet, openstack server, etc. pp. 8 | # Log in to your fully configured NextCloud/Talk/Collabora server 9 | 10 | # 11 | # Create default system user (see below system_info: ) 12 | # 13 | users: 14 | - default 15 | # 16 | # Install the minimal set of programs to bootstrap ansible and nextcloud 17 | # 18 | packages: 19 | - vim 20 | - mc 21 | - wget 22 | - curl 23 | # 24 | # Update server already at launch time 25 | # 26 | package_upgrade: true 27 | # 28 | # Create default system user 29 | # Edit the name and ssh-authorized-keys according to your needs 30 | # 31 | system_info: 32 | default_user: 33 | name: ec2-user 34 | uid: 1000 35 | gecos: "cloud-init created default user" 36 | lock_passwd: True 37 | sudo: ["ALL=(ALL) NOPASSWD:ALL"] 38 | home: /home/ec2-user 39 | shell: /bin/bash 40 | ssh-authorized-keys: 41 | - 'ssh-rsa ' 42 | # 43 | # Install and configure NextCloud in three steps 44 | # Put any changes to the settings in the ansible inventory file as extra variables to ansible-pull 45 | # e.g.: ansible-pull ... -e "next_archive=https://download.nextcloud.com/server/prereleases/nextcloud-13.0.5RC2.tar.bz2" -e "nc_passwd=your_secret" 46 | # The first command below fetches prepare_system.sh from the master branch and pipes it straight into bash as root; pin a specific commit if you want a reviewable, reproducible bootstrap 47 | runcmd: 48 | - curl -s https://raw.githubusercontent.com/ReinerNippes/nextcloud/master/prepare_system.sh | /bin/bash 49 | - # 50 | - # Insert a command to set a DynDNS record for this server here 51 | - # e.g. 
Strato DynDNS 52 | - # curl --silent --show-error --insecure --user [BENUTZERNAME]:[PASSWORT] https://dyndns.strato.com/nic/update?hostname=[HOSTNAME] (drop --insecure: it disables certificate verification for the very request that carries your credentials) 53 | - HOME=/root ansible-pull --clean --force -d /root/nextcloud -i 'localhost,' -U https://github.com/ReinerNippes/nextcloud.git nextcloud.yml -e "fqdn=nextcloud.domain.com" 54 | 55 | -------------------------------------------------------------------------------- /collabora.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: install collabora for nextcloud 4 | hosts: nextcloud 5 | connection: local 6 | become: true 7 | 8 | roles: 9 | - { role: prep_collabora, when: install_collabora == 'true' } 10 | 11 | -------------------------------------------------------------------------------- /files/permissions.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | find /var/www/ -type f -print0 | xargs -0 chmod 0640 3 | find /var/www/ -type d -print0 | xargs -0 chmod 0750 4 | chown -R $WEB_USER:$WEB_GROUP /var/www/ 5 | chown -R $WEB_USER:$WEB_GROUP /upload_tmp/ 6 | chown -R $WEB_USER:$WEB_GROUP $NC_DATADIR 7 | chmod 0644 /var/www/nextcloud/.htaccess 8 | chmod 0644 /var/www/nextcloud/.user.ini 9 | chmod 600 /etc/letsencrypt/live/$FQDN/fullchain.pem 10 | chmod 600 /etc/letsencrypt/live/$FQDN/privkey.pem 11 | chmod 600 /etc/letsencrypt/live/$FQDN/chain.pem 12 | chmod 600 /etc/letsencrypt/live/$FQDN/cert.pem 13 | chmod 600 /etc/ssl/certs/dhparam.pem 14 | exit 0 15 | -------------------------------------------------------------------------------- /group_vars/all.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Some common variables used in more than one role 3 | 4 | web_user: 5 | CentOS: 'nginx' 6 | Fedora: 'nginx' 7 | Amazon: 'nginx' 8 | Ubuntu: 'www-data' 9 | Debian: 'www-data' 10 | 11 | web_group: 12 | CentOS: 'nginx' 13 | Fedora: 'nginx' 14 | Amazon: 'nginx' 15 | 
Ubuntu: 'www-data' 16 | Debian: 'www-data' 17 | 18 | pg_user_id: 19 | CentOS: '70' 20 | Fedora: '70' 21 | Amazon: '70' 22 | Ubuntu: '70' 23 | Debian: '70' 24 | 25 | pg_group_id: 26 | CentOS: '70' 27 | Fedora: '70' 28 | Amazon: '70' 29 | Ubuntu: '70' 30 | Debian: '70' 31 | 32 | credential_store: /etc/nextcloud 33 | dhparam_path: /etc/nginx/certs/dhparam.pem 34 | 35 | # example of rclone config to back up to an S3 bucket; the real block holds a secret access key, so keep it in an ansible-vault encrypted file rather than in plain text here 36 | 37 | #rclone_remote: | 38 | # [backup-selfhosted] 39 | # type = s3 40 | # provider = AWS 41 | # env_auth = false 42 | # access_key_id = AKIxxxxx 43 | # secret_access_key = QMpoxxxx 44 | # region = us-east-1 45 | # acl = private 46 | # server_side_encryption = AES256 47 | # storage_class = STANDARD_IA 48 | -------------------------------------------------------------------------------- /inventory: -------------------------------------------------------------------------------- 1 | [nextcloud] 2 | localhost ansible_connection=local 3 | 4 | [nextcloud:vars] 5 | 6 | # Server domain name 7 | # Default is the fqdn of the machine 8 | # fqdn = nc.example.org 9 | 10 | # selfsigned certificate as default 11 | ssl_certificate_type = 'selfsigned' 12 | 13 | # Letsencrypt or selfsigned certificate 14 | # ssl_certificate_type = 'letsencrypt' 15 | 16 | 17 | # Your email address for letsencrypt 18 | # cert_email = nc@example.org 19 | 20 | # receive a certificate from staging 21 | # uncomment if you want to use letsencrypt staging environment 22 | # cert_stage = '--staging' 23 | 24 | # 25 | # Nextcloud variables 26 | 27 | # web ports 28 | nc_web_port = 80 29 | nc_ssl_port = 443 30 | 31 | # data dir 32 | nc_datadir = /var/nc-data 33 | 34 | # admin user 35 | nc_admin = 'admin' 36 | nc_passwd = '' # leave empty to generate random password 37 | 38 | # database settings 39 | # nc_db_type = 'mysql' # (MariaDB) 40 | nc_db_type = 'pgsql' # (PostgreSQL) 41 | nc_db_host = 'localhost' 42 | nc_db = 'nextcloud' 43 | nc_db_user = 'nextcloud' 44 | nc_db_passwd = '' # leave empty 
to generate random password 45 | 46 | # Nextcloud mail setup 47 | nc_configure_mail = false 48 | nc_mail_from = 49 | nc_mail_smtpmode = smtp 50 | nc_mail_smtpauthtype = LOGIN 51 | nc_mail_domain = 52 | nc_mail_smtpname = 53 | nc_mail_smtpsecure = tls 54 | nc_mail_smtpauth = 1 55 | nc_mail_smtphost = 56 | nc_mail_smtpport = 587 57 | nc_mail_smtpname = 58 | nc_mail_smtppwd = 59 | 60 | # php Version 61 | php_version = '7.3' 62 | 63 | # Install turn server for Nextcloud Talk 64 | # currently broken, see https://help.nextcloud.com/t/cannot-install-talk-on-fresh-nextcloud-18-install/68613 65 | talk_install = false 66 | 67 | # Always get the latest version of Nextcloud 68 | next_archive = https://download.nextcloud.com/server/releases/latest.tar.bz2 69 | 70 | # Install restic backup tool if restic_repo is not empty 71 | # more info about restic: https://restic.readthedocs.io/en/latest/ 72 | # to use a local directory as a restic repository (not a good idea anyway) 73 | restic_repo = '' # e.g. 
'/var/backups/nextcloud' 74 | 75 | # use rclone to back up to cloud storage, see https://rclone.org for more details 76 | # also configure rclone_remote in group_vars/all.yml 77 | # restic_repo = "rclone:backup-selfhosted:selfhosted-{{ lookup('password', '{{ credential_store }}/restic_backup_s3_bucket_uid chars=ascii_lowercase,digits length=12') }}/backup" 78 | 79 | # crontab settings for the backup script - default daily at 03:00 (hour '3') 80 | restic_backup_day = '*' 81 | restic_backup_minute = '0' 82 | restic_backup_hour = '3' 83 | 84 | # Install Collabora Online 85 | # more info about collabora office: https://www.collaboraoffice.com/ 86 | install_collabora = false 87 | 88 | # Install OnlyOffice 89 | # more info about OnlyOffice: https://www.onlyoffice.com 90 | install_onlyoffice = false 91 | onlyoffice_ssl_port = 8443 92 | 93 | # Install ufw 94 | install_ufw = true 95 | 96 | # Install fail2ban 97 | install_fail2ban = true 98 | 99 | # 100 | # default path of your generated credentials (e.g. 
database, talk, onlyoffice) 101 | credential_store = /etc/nextcloud 102 | -------------------------------------------------------------------------------- /meta/main.yml: -------------------------------------------------------------------------------- 1 | galaxy_info: 2 | description: ReinerNippes Ansible role to deploy Nextcloud server 3 | company: nippes.it 4 | min_ansible_version: 2.9 5 | platforms: 6 | - name: GenericUNIX 7 | - name: Ubuntu 8 | versions: 9 | - 16 10 | -------------------------------------------------------------------------------- /nextcloud.yml: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ansible-playbook 2 | 3 | - name: 'install nextcloud' 4 | hosts: nextcloud 5 | become: true 6 | 7 | roles: 8 | - { role: prep_ufw, when: install_ufw == 'true' and (ansible_os_family == "Debian" or ansible_os_family == "Ubuntu") } 9 | - prep_os 10 | - prep_redis 11 | - prep_nginx 12 | - prep_php 13 | - { role: prep_mariadb, when: (nc_db_type == 'mysql') and (nc_db_host == 'localhost') } 14 | - { role: prep_postgres, when: (nc_db_type == 'pgsql') and (nc_db_host == 'localhost') } 15 | - { role: prep_letsencrypt, when: ssl_certificate_type == 'letsencrypt' } 16 | - { role: prep_selfssl, when: ssl_certificate_type == 'selfsigned' } 17 | - { role: restic_backup, when: restic_repo != '' } 18 | - prep_nextcloud 19 | - { role: prep_talk, when: talk_install == 'true' } 20 | - { role: prep_collabora, when: install_collabora == 'true' } 21 | - { role: prep_onlyoffice, when: install_onlyoffice == 'true' } 22 | - { role: nc_fail2ban, when: install_fail2ban == 'true' } 23 | 24 | post_tasks: 25 | - name: We are ready 26 | debug: 27 | msg: 28 | - "Your Nextcloud at https://{{ fqdn }} is ready." 
29 | - "Login with user: {{ nc_admin }} and password: {{ nc_passwd }} " 30 | - "Other secrets you'll find in the directory {{ credential_store }} " 31 | 32 | -------------------------------------------------------------------------------- /only_office.yml: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ansible-playbook 2 | 3 | - name: 'install onlyoffice for nextcloud' 4 | hosts: nextcloud 5 | become: true 6 | 7 | roles: 8 | - { role: prep_onlyoffice, when: install_onlyoffice == 'true' } 9 | 10 | -------------------------------------------------------------------------------- /prepare_system.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -uxe 2 | # 3 | # Prepare system for nextcloud devel 4 | # 5 | 6 | install_pip () { 7 | curl https://bootstrap.pypa.io/get-pip.py | $SUDO $PYTHON_BIN 8 | $SUDO pip install setuptools -U 9 | $SUDO pip install ansible -U 10 | $SUDO pip install netaddr -U 11 | $SUDO pip install dnspython -U 12 | $SUDO pip install passlib -U 13 | $SUDO pip install bcrypt -U 14 | } 15 | 16 | prepare_ubuntu() { 17 | $SUDO apt update -y 18 | $SUDO apt dist-upgrade -y 19 | $SUDO apt install software-properties-common curl git mc vim facter python python-is-python3 python-apt aptitude -y 20 | [ $(uname -m) == "aarch64" ] && $SUDO apt install gcc python-dev libffi-dev libssl-dev make -y 21 | 22 | PYTHON_BIN=/usr/bin/python 23 | install_pip 24 | $SUDO pip install python-apt -U 25 | 26 | set +x 27 | echo 28 | echo " Ubuntu Sytem ready for nextcloud." 
29 | echo 30 | ansible --version 31 | } 32 | 33 | prepare_debian() { 34 | $SUDO apt update -y 35 | $SUDO apt dist-upgrade -y 36 | $SUDO apt install dirmngr curl git mc vim facter python python-apt aptitude -y 37 | [ $(uname -m) == "aarch64" ] && $SUDO apt install gcc python-dev libffi-dev libssl-dev make -y 38 | 39 | PYTHON_BIN=/usr/bin/python 40 | install_pip 41 | $SUDO pip install python-apt -U 42 | 43 | set +x 44 | echo 45 | echo " Debian Sytem ready for nextcloud." 46 | echo 47 | ansible --version 48 | } 49 | 50 | prepare_raspbian() { 51 | $SUDO apt update -y 52 | $SUDO apt dist-upgrade -y 53 | $SUDO apt install dirmngr mc vim git libffi-dev curl facter -y 54 | PYTHON_BIN=/usr/bin/python 55 | install_pip 56 | 57 | set +x 58 | echo 59 | echo " Rasbpian System ready for nextcloud." 60 | echo 61 | ansible --version 62 | } 63 | 64 | prepare_centos() { 65 | $SUDO yum install epel-release -y 66 | $SUDO yum install git vim mc curl facter libselinux-python python -y 67 | $SUDO yum update -y 68 | 69 | PYTHON_BIN=/usr/bin/python 70 | install_pip 71 | 72 | set +x 73 | echo 74 | echo " CentOS Sytem ready for nextcloud." 75 | echo 76 | ansible --version 77 | } 78 | 79 | prepare_fedora() { 80 | $SUDO dnf install git vim mc curl facter libselinux-python python python3 python3-dnf -y 81 | $SUDO dnf update -y 82 | 83 | PYTHON_BIN=/usr/bin/python 84 | install_pip 85 | $SUDO dnf reinstall python3-pip -y 86 | 87 | set +x 88 | echo 89 | echo " Fedora Sytem ready for nextcloud." 90 | echo 91 | ansible --version 92 | } 93 | 94 | prepare_amzn() { 95 | $SUDO amazon-linux-extras install epel -y 96 | $SUDO yum install git vim mc curl facter libselinux-python python -y 97 | $SUDO yum update -y 98 | 99 | PYTHON_BIN=/usr/bin/python 100 | install_pip 101 | 102 | set +x 103 | echo 104 | echo " Amazon Linux 2 ready for nextcloud." 105 | echo 106 | ansible --version 107 | } 108 | 109 | usage() { 110 | echo 111 | echo "Linux distribution not detected." 
112 | echo "Use: ID=[ubuntu|debian|centos|raspbian|amzn|fedora] prepare_system.sh" 113 | echo "Other distributions not yet supported." 114 | echo 115 | } 116 | 117 | if [ -f /etc/os-release ]; then 118 | . /etc/os-release 119 | elif [ -f /etc/debian_version ]; then 120 | $ID=debian 121 | fi 122 | 123 | # root or not 124 | if [[ $EUID -ne 0 ]]; then 125 | SUDO='sudo -H' 126 | else 127 | SUDO='' 128 | fi 129 | 130 | case $ID in 131 | 'ubuntu') 132 | prepare_ubuntu 133 | ;; 134 | 'debian') 135 | prepare_debian 136 | ;; 137 | 'raspbian') 138 | prepare_raspbian 139 | ;; 140 | 'centos') 141 | prepare_centos 142 | ;; 143 | 'fedora') 144 | prepare_fedora 145 | ;; 146 | 'amzn') 147 | prepare_amzn 148 | ;; 149 | 150 | *) 151 | usage 152 | ;; 153 | esac 154 | 155 | -------------------------------------------------------------------------------- /roles/nc_fail2ban/README.md: -------------------------------------------------------------------------------- 1 | Role Name 2 | ========= 3 | 4 | A brief description of the role goes here. 5 | 6 | Requirements 7 | ------------ 8 | 9 | Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. 10 | 11 | Role Variables 12 | -------------- 13 | 14 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. 15 | 16 | Dependencies 17 | ------------ 18 | 19 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. 
20 | 21 | Example Playbook 22 | ---------------- 23 | 24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: 25 | 26 | - hosts: servers 27 | roles: 28 | - { role: username.rolename, x: 42 } 29 | 30 | License 31 | ------- 32 | 33 | BSD 34 | 35 | Author Information 36 | ------------------ 37 | 38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed). 39 | -------------------------------------------------------------------------------- /roles/nc_fail2ban/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # defaults file for nc_fail2ban -------------------------------------------------------------------------------- /roles/nc_fail2ban/files/fail2ban-server.pp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReinerNippes/nextcloud/738dd14321c2e64a3463fbc2c03e8323ec89470b/roles/nc_fail2ban/files/fail2ban-server.pp -------------------------------------------------------------------------------- /roles/nc_fail2ban/files/nextcloud.conf: -------------------------------------------------------------------------------- 1 | [Definition] 2 | failregex = ^{.*"message":"Login failed: .* \(Remote IP: <HOST>\)".*}$ 3 | ^{.*"message":"Login failed: '.*' \(Remote IP: '<HOST>'\)".*}$ 4 | ignoreregex = 5 | -------------------------------------------------------------------------------- /roles/nc_fail2ban/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # handlers file for nc_fail2ban 3 | 4 | - name: restart fail2ban 5 | systemd: 6 | name: fail2ban 7 | state: restarted 8 | -------------------------------------------------------------------------------- /roles/nc_fail2ban/meta/main.yml: -------------------------------------------------------------------------------- 1 | 
galaxy_info: 2 | author: Reiner Nippes 3 | description: Basic setup of nextcloud fail2ban 4 | company: nippes.it 5 | 6 | # If the issue tracker for your role is not on github, uncomment the 7 | # next line and provide a value 8 | # issue_tracker_url: http://example.com/issue/tracker 9 | 10 | # Some suggested licenses: 11 | # - BSD (default) 12 | # - MIT 13 | # - GPLv2 14 | # - GPLv3 15 | # - Apache 16 | # - CC-BY 17 | license: MIT 18 | 19 | min_ansible_version: 1.2 20 | 21 | # If this a Container Enabled role, provide the minimum Ansible Container version. 22 | # min_ansible_container_version: 23 | 24 | # Optionally specify the branch Galaxy will use when accessing the GitHub 25 | # repo for this role. During role install, if no tags are available, 26 | # Galaxy will use this branch. During import Galaxy will access files on 27 | # this branch. If Travis integration is configured, only notifications for this 28 | # branch will be accepted. Otherwise, in all cases, the repo's default branch 29 | # (usually master) will be used. 30 | #github_branch: 31 | 32 | # 33 | # platforms is a list of platforms, and each platform has a name and a list of versions. 34 | # 35 | platforms: 36 | - name: Ubuntu 37 | versions: 38 | - 16 39 | 40 | galaxy_tags: [] 41 | # List tags for your role here, one per line. A tag is a keyword that describes 42 | # and categorizes the role. Users find roles by searching for tags. Be sure to 43 | # remove the '[]' above, if you add tags to this list. 44 | # 45 | # NOTE: A tag is limited to a single word comprised of alphanumeric characters. 46 | # Maximum 20 tags per role. 47 | 48 | dependencies: [] 49 | # List your role dependencies here, one per line. Be sure to remove the '[]' above, 50 | # if you add dependencies to this list. 
51 | -------------------------------------------------------------------------------- /roles/nc_fail2ban/tasks/Amazon.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | # Amazon related tasks 4 | 5 | - name: install fail2ban 6 | yum: 7 | name: 8 | - fail2ban 9 | - fail2ban-firewalld 10 | - fail2ban-server 11 | - fail2ban-systemd 12 | state: latest 13 | -------------------------------------------------------------------------------- /roles/nc_fail2ban/tasks/CentOS.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | # CentOS related tasks 4 | 5 | - name: install fail2ban 6 | yum: 7 | name: 8 | - fail2ban 9 | - fail2ban-firewalld 10 | - fail2ban-server 11 | - fail2ban-systemd 12 | state: latest 13 | -------------------------------------------------------------------------------- /roles/nc_fail2ban/tasks/Debian.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | # Debian related OS tasks 4 | 5 | - name: install fail2ban packages 6 | apt: 7 | name: fail2ban 8 | autoremove: true 9 | state: latest 10 | -------------------------------------------------------------------------------- /roles/nc_fail2ban/tasks/Fedora.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | # Fedora related tasks 4 | 5 | - name: install fail2ban 6 | yum: 7 | name: 8 | - fail2ban 9 | - fail2ban-firewalld 10 | - fail2ban-server 11 | - fail2ban-systemd 12 | state: latest 13 | -------------------------------------------------------------------------------- /roles/nc_fail2ban/tasks/Ubuntu.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | # Ubuntu related OS tasks 4 | 5 | - name: install fail2ban packages 6 | apt: 7 | name: fail2ban 8 | autoremove: true 9 | state: latest 10 | -------------------------------------------------------------------------------- 
/roles/nc_fail2ban/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # tasks file for nc_fail2ban 3 | 4 | - name: include os specific tasks 5 | include_tasks: "{{ ansible_distribution }}.yml" 6 | 7 | - name: configure fail2ban 8 | copy: 9 | src: nextcloud.conf 10 | dest: /etc/fail2ban/filter.d/nextcloud.conf 11 | owner: root 12 | group: root 13 | mode: 0644 14 | notify: restart fail2ban 15 | 16 | - name: create new jail 17 | template: 18 | src: nextcloud.local.j2 19 | dest: /etc/fail2ban/jail.d/nextcloud.local 20 | owner: root 21 | group: root 22 | mode: 0644 23 | notify: restart fail2ban 24 | 25 | - name: enable fail2ban 26 | systemd: 27 | name: fail2ban 28 | enabled: true 29 | 30 | - name: include selinux tasks 31 | include_tasks: selinux.yml 32 | when: 33 | - (ansible_os_family == "RedHat") 34 | - ('status' in ansible_selinux) 35 | - (ansible_selinux.status == "enabled") 36 | -------------------------------------------------------------------------------- /roles/nc_fail2ban/tasks/selinux.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: enable seboolean settings 4 | command: semodule -i {{ role_path }}/files/fail2ban-server.pp 5 | 6 | - name: restorecon 7 | command: restorecon -Rv /var/nc-data/nextcloud.log 8 | -------------------------------------------------------------------------------- /roles/nc_fail2ban/templates/nextcloud.local.j2: -------------------------------------------------------------------------------- 1 | [nextcloud] 2 | backend = auto 3 | enabled = true 4 | port = {{ nc_web_port }},{{ nc_ssl_port }} 5 | protocol = tcp 6 | filter = nextcloud 7 | maxretry = 3 8 | bantime = 36000 9 | findtime = 36000 10 | logpath = {{ nc_datadir }}/nextcloud.log 11 | -------------------------------------------------------------------------------- /roles/nc_fail2ban/vars/main.yml: 
-------------------------------------------------------------------------------- 1 | --- 2 | # vars file for nc_fail2ban -------------------------------------------------------------------------------- /roles/prep_collabora/README.md: -------------------------------------------------------------------------------- 1 | prep_collabora 2 | ============= 3 | 4 | Installation of docker and Collabora Online for Nextcloud. 5 | 6 | Requirements 7 | ------------ 8 | 9 | nginx and Nextcloud have to be installed and configured. 10 | 11 | Role Variables 12 | -------------- 13 | 14 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. 15 | 16 | Dependencies 17 | ------------ 18 | 19 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. 20 | 21 | Example Playbook 22 | ---------------- 23 | 24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: 25 | 26 | - hosts: servers 27 | roles: 28 | - { role: username.rolename, x: 42 } 29 | 30 | License 31 | ------- 32 | 33 | MIT 34 | 35 | Author Information 36 | ------------------ 37 | 38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed). 
39 | -------------------------------------------------------------------------------- /roles/prep_collabora/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # defaults file for prep_collabora -------------------------------------------------------------------------------- /roles/prep_collabora/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # handlers file for prep_collabora 3 | 4 | - name: restart collabora container 5 | shell: docker restart collabora_online 6 | # docker_container: 7 | # name: collabra_online 8 | # state: started 9 | # restart: yes 10 | -------------------------------------------------------------------------------- /roles/prep_collabora/meta/main.yml: -------------------------------------------------------------------------------- 1 | galaxy_info: 2 | author: Reiner Nippes 3 | description: Basic setup of nextcloud Collabora with docker 4 | company: nippes.it 5 | 6 | # If the issue tracker for your role is not on github, uncomment the 7 | # next line and provide a value 8 | # issue_tracker_url: http://example.com/issue/tracker 9 | 10 | # Some suggested licenses: 11 | # - BSD (default) 12 | # - MIT 13 | # - GPLv2 14 | # - GPLv3 15 | # - Apache 16 | # - CC-BY 17 | license: MIT 18 | 19 | min_ansible_version: 2.5 20 | 21 | # If this a Container Enabled role, provide the minimum Ansible Container version. 22 | min_ansible_container_version: 2.1 23 | 24 | # Optionally specify the branch Galaxy will use when accessing the GitHub 25 | # repo for this role. During role install, if no tags are available, 26 | # Galaxy will use this branch. During import Galaxy will access files on 27 | # this branch. If Travis integration is configured, only notifications for this 28 | # branch will be accepted. Otherwise, in all cases, the repo's default branch 29 | # (usually master) will be used. 
30 | #github_branch: 31 | 32 | # 33 | # platforms is a list of platforms, and each platform has a name and a list of versions. 34 | # 35 | platforms: 36 | - name: Ubuntu 37 | versions: 38 | - 16 39 | 40 | galaxy_tags: [] 41 | # List tags for your role here, one per line. A tag is a keyword that describes 42 | # and categorizes the role. Users find roles by searching for tags. Be sure to 43 | # remove the '[]' above, if you add tags to this list. 44 | # 45 | # NOTE: A tag is limited to a single word comprised of alphanumeric characters. 46 | # Maximum 20 tags per role. 47 | 48 | dependencies: 49 | - prep_docker 50 | -------------------------------------------------------------------------------- /roles/prep_collabora/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # tasks file for prep_collabora 3 | 4 | - name: install collabora app 5 | shell: sudo -u {{ web_user[ansible_distribution] }} php occ app:install richdocuments 6 | args: 7 | chdir: /var/www/nextcloud/ 8 | creates: /var/www/nextcloud/apps/richdocuments 9 | notify: restart collabora container 10 | 11 | - name: enable collabora app 12 | shell: sudo -u {{ web_user[ansible_distribution] }} php occ app:enable richdocuments 13 | args: 14 | chdir: /var/www/nextcloud/ 15 | 16 | - name: set collabora wopi url 17 | shell: sudo -u {{ web_user[ansible_distribution] }} php occ config:app:set richdocuments wopi_url --value https://{{ fqdn }}:{{ nc_ssl_port }} 18 | args: 19 | chdir: /var/www/nextcloud/ 20 | notify: restart collabora container 21 | 22 | - name: pull collabora image 23 | docker_image: 24 | name: collabora/code 25 | 26 | - name: start a collabora container 27 | docker_container: 28 | name: collabora_online 29 | image: collabora/code 30 | state: started 31 | restart: yes 32 | restart_policy: always 33 | tty: yes 34 | ports: 35 | - "127.0.0.1:9980:9980" 36 | env: 37 | domain: "{{ fqdn | regex_replace('\\.', '\\.') }}" 38 | capabilities: MKNOD 39 | 
notify: restart collabora container 40 | -------------------------------------------------------------------------------- /roles/prep_collabora/vars/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # vars file for prep_collabora -------------------------------------------------------------------------------- /roles/prep_docker/README.md: -------------------------------------------------------------------------------- 1 | prep_collabra 2 | ============= 3 | 4 | Installation of docker and Collabra Online for Nextcloud. 5 | 6 | Requirements 7 | ------------ 8 | 9 | nginx and nextcloud has to installed and configured. 10 | 11 | Role Variables 12 | -------------- 13 | 14 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. 15 | 16 | Dependencies 17 | ------------ 18 | 19 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. 20 | 21 | Example Playbook 22 | ---------------- 23 | 24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: 25 | 26 | - hosts: servers 27 | roles: 28 | - { role: username.rolename, x: 42 } 29 | 30 | License 31 | ------- 32 | 33 | MIT 34 | 35 | Author Information 36 | ------------------ 37 | 38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed). 
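--------------------------------------------------------------------------------
/roles/prep_docker/defaults/main.yml:
--------------------------------------------------------------------------------
---
# defaults file for prep_docker

--------------------------------------------------------------------------------
/roles/prep_docker/handlers/main.yml:
--------------------------------------------------------------------------------
---
# handlers file for prep_docker

# daemon_reload so a changed or overridden unit is picked up before the restart.
- name: restart docker
  systemd:
    name: docker
    daemon_reload: yes
    state: restarted

--------------------------------------------------------------------------------
/roles/prep_docker/meta/main.yml:
--------------------------------------------------------------------------------
galaxy_info:
  author: Reiner Nippes
  description: Basic setup of docker for dependencies
  company: nippes.it

  # If the issue tracker for your role is not on github, uncomment the
  # next line and provide a value
  # issue_tracker_url: http://example.com/issue/tracker

  # Some suggested licenses:
  # - BSD (default)
  # - MIT
  # - GPLv2
  # - GPLv3
  # - Apache
  # - CC-BY
  license: MIT

  # tasks/main.yml uses include_tasks, which requires Ansible >= 2.4; the
  # previous value 1.2 predates that module. Matches the other roles.
  min_ansible_version: 2.4

  # If this a Container Enabled role, provide the minimum Ansible Container version.
  # min_ansible_container_version:

  # Optionally specify the branch Galaxy will use when accessing the GitHub
  # repo for this role. During role install, if no tags are available,
  # Galaxy will use this branch. During import Galaxy will access files on
  # this branch. If Travis integration is configured, only notifications for this
  # branch will be accepted. Otherwise, in all cases, the repo's default branch
  # (usually master) will be used.
  #github_branch:

  #
  # platforms is a list of platforms, and each platform has a name and a list of versions.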
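#
  platforms:
  - name: Ubuntu
    versions:
    - 16
  galaxy_tags: []
    # List tags for your role here, one per line. A tag is a keyword that describes
    # and categorizes the role. Users find roles by searching for tags. Be sure to
    # remove the '[]' above, if you add tags to this list.
    #
    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
    # Maximum 20 tags per role.

dependencies: []
  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
  # if you add dependencies to this list.

--------------------------------------------------------------------------------
/roles/prep_docker/tasks/Amazon.yml:
--------------------------------------------------------------------------------
---
# Amazon Linux related docker OS tasks
# Uses the distribution's own docker package; no upstream docker-ce repo here.

- name: install docker
  yum:
    name: docker
    state: latest

# Presumably the RPM python-requests clashes with the pip-installed copy the
# docker SDK below pulls in -- the conflict itself is not shown in this role.
- name: remove python-requests
  yum:
    name: python-requests
    state: absent

# Unpinned "latest" from PyPI: the SDK version is whatever pip resolves on the
# day the play runs.
- name: install python docker
  pip:
    name:
      - pip
      - docker
    state: latest

# cloud-init is presumably removed together with python-requests above and is
# put back here -- confirm against the package dependencies.
- name: re-install cloud-init
  yum:
    name: cloud-init
    state: latest

--------------------------------------------------------------------------------
/roles/prep_docker/tasks/CentOS.yml:
--------------------------------------------------------------------------------
---
# CentOS related OS tasks

# Upstream docker-ce repo definition, fetched over TLS.
- name: add docker repo
  get_url:
    url: https://download.docker.com/linux/centos/docker-ce.repo
    dest: /etc/yum.repos.d/docker.repo
    owner: root
    group: root
    mode: 0644

- name: install docker
  yum:
    name: docker-ce
    state: latest

- name: enable docker
  systemd:
    name: docker
    daemon_reload: yes
    enabled: yes

# Override ExecStart with a systemd drop-in instead of running lineinfile on
# /etc/systemd/system/multi-user.target.wants/docker.service: that path is a
# symlink and lineinfile writes through it into the vendor unit file, which
# the next package upgrade ("state: latest" above) silently reverts. A drop-in
# under /etc/systemd/system/docker.service.d/ survives upgrades. The empty
# "ExecStart=" line is required to clear the vendor value before setting ours.
- name: create docker unit drop-in directory
  file:
    path: /etc/systemd/system/docker.service.d
    state: directory
    owner: root
    group: root
    mode: 0755

- name: fix docker backend for collabora
  copy:
    dest: /etc/systemd/system/docker.service.d/storage-driver.conf
    owner: root
    group: root
    mode: 0644
    content: |
      [Service]
      ExecStart=
      ExecStart=/usr/bin/dockerd --storage-driver=devicemapper
  register: systemdchanged

# force restart of docker right away (daemon_reload picks up the drop-in)
- name: restart docker
  systemd:
    name: docker
    daemon_reload: yes
    state: restarted
  when: systemdchanged.changed

--------------------------------------------------------------------------------
/roles/prep_docker/tasks/Debian.yml:
--------------------------------------------------------------------------------
---
# Debian related OS tasks

# Distro-packaged docker variants would conflict with docker-ce from upstream.
- name: remove debian repo docker if present
  apt:
    name:
      - docker
      - docker-engine
      - docker.io
    state: absent

- name: install needed packages
  apt:
    name:
      - apt-transport-https
      - ca-certificates
      - python-pip
      - software-properties-common
    state: latest

# Signing key for the upstream repo, fetched over TLS.
- name: add docker key
  apt_key:
    url: https://download.docker.com/linux/debian/gpg
    state: present

- name: add additional docker repo
  apt_repository:
    repo: 'deb https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'
    validate_certs: true
    update_cache: true
    state: present

- name: install docker
  apt:
    name: docker-ce
    state: latest

--------------------------------------------------------------------------------
/roles/prep_docker/tasks/Fedora.yml:
--------------------------------------------------------------------------------
---
# Fedora related OS tasks

# Upstream docker-ce repo definition, fetched over TLS.
- name: add docker repo
  get_url:
    url: https://download.docker.com/linux/fedora/docker-ce.repo
    dest: /etc/yum.repos.d/docker.repo
    owner: root
    group: root
    mode: 0644

- name: install docker
  yum:
    name: docker-ce
    state: latest

- name: enable docker
  systemd:
    name: docker
    daemon_reload: yes
    enabled: yes

# Same drop-in approach as tasks/CentOS.yml: editing the unit behind the
# .wants symlink modifies the vendor file, which package upgrades revert.
- name: create docker unit drop-in directory
  file:
    path: /etc/systemd/system/docker.service.d
    state: directory
    owner: root
    group: root
    mode: 0755

- name: fix docker backend for collabora
  copy:
    dest: /etc/systemd/system/docker.service.d/storage-driver.conf
    owner: root
    group: root
    mode: 0644
    content: |
      [Service]
      ExecStart=
      ExecStart=/usr/bin/dockerd --storage-driver=devicemapper
  register: systemdchanged

# force restart of docker right away (daemon_reload picks up the drop-in)
- name: restart docker
  systemd:
    name: docker
    daemon_reload: yes
    state: restarted
  when: systemdchanged.changed

--------------------------------------------------------------------------------
/roles/prep_docker/tasks/Ubuntu.yml:
--------------------------------------------------------------------------------
---
# Ubuntu related OS tasks

# Distro-packaged docker variants would conflict with docker-ce from upstream.
- name: remove ubuntu repo docker
  apt:
    name:
      - docker
      - docker-engine
      - docker.io
    state: absent

- name: install needed packages
  apt:
    name:
      - apt-transport-https
      - ca-certificates
      - python-pip
      - software-properties-common
    state: latest

# Signing key for the upstream repo, fetched over TLS.
- name: add docker key
  apt_key:
    url: "{{ item }}"
    state: present
  with_items:
    - https://download.docker.com/linux/ubuntu/gpg

- name: add additional docker repo
  apt_repository:
    repo: "{{ item }}"
    validate_certs: true
    update_cache: true
    state: present
  with_items:
    - deb [arch=amd64] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable

- name: install docker
  apt:
    name: docker-ce
    state: latest

--------------------------------------------------------------------------------
/roles/prep_docker/tasks/main.yml:
--------------------------------------------------------------------------------
---
# tasks file for prep_docker
#
# Installs docker for the distribution at hand, the Python docker SDK the
# docker_* modules need, and enables the daemon.

- name: include os specific tasks
  include_tasks: "{{ ansible_distribution }}.yml"

# Unpinned "latest" from PyPI (see also tasks/Amazon.yml, which does the same).
- name: install python docker
  pip:
    name:
      - pip
      - docker
    state: latest

- name: enable docker
  systemd:
    name: docker
    state: started
    enabled: true
    daemon_reload: yes

# Membership in the docker group gives root-equivalent control of the host
# through the daemon, so this only ever adds the user who invoked sudo -- never
# root itself, and nothing at all when the play was not started via sudo.
- name: add to group docker
  user:
    name: '{{ ansible_env.SUDO_USER }}'
    append: true
    groups: docker
  when: ansible_env.SUDO_USER | default('root') != 'root'

--------------------------------------------------------------------------------
/roles/prep_docker/vars/main.yml:
--------------------------------------------------------------------------------
---
# vars file for prep_docker

--------------------------------------------------------------------------------
/roles/prep_letsencrypt/defaults/main.yml:
--------------------------------------------------------------------------------
---
# defaults file for prep_letsencrypt

# NOTE(review): not referenced by this role's tasks/main.yml, which writes the
# fixed RFC 7919 ffdhe4096 group instead; check whether another role reads it.
dhparam_numbits: 2048

--------------------------------------------------------------------------------
/roles/prep_letsencrypt/handlers/main.yml:
--------------------------------------------------------------------------------
---
# handlers file for prep_letsencrypt

--------------------------------------------------------------------------------
/roles/prep_letsencrypt/meta/main.yml:
--------------------------------------------------------------------------------
galaxy_info:
  author: Reiner Nippes
  description: Get letsencrypt certificate for nextcloud
  company: nippes.it

  # If the issue tracker for your role is not on github, uncomment the
  # next line and provide a value
  # issue_tracker_url: http://example.com/issue/tracker

  # Some suggested licenses:
  # - BSD (default)
  # - MIT
  # - GPLv2
  # - GPLv3
  # - Apache
  # - CC-BY
  license: MIT

  min_ansible_version: 2.4

  # If this a Container Enabled role, provide the minimum Ansible Container version.
  # min_ansible_container_version:

  # Optionally specify the branch Galaxy will use when accessing the GitHub
  # repo for this role.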
During role install, if no tags are available, 26 | # Galaxy will use this branch. During import Galaxy will access files on 27 | # this branch. If Travis integration is configured, only notifications for this 28 | # branch will be accepted. Otherwise, in all cases, the repo's default branch 29 | # (usually master) will be used. 30 | #github_branch: 31 | 32 | # 33 | # platforms is a list of platforms, and each platform has a name and a list of versions. 34 | # 35 | platforms: 36 | - name: Ubuntu 37 | versions: 38 | - 16 39 | 40 | galaxy_tags: [] 41 | # List tags for your role here, one per line. A tag is a keyword that describes 42 | # and categorizes the role. Users find roles by searching for tags. Be sure to 43 | # remove the '[]' above, if you add tags to this list. 44 | # 45 | # NOTE: A tag is limited to a single word comprised of alphanumeric characters. 46 | # Maximum 20 tags per role. 47 | 48 | dependencies: [] 49 | # List your role dependencies here, one per line. Be sure to remove the '[]' above, 50 | # if you add dependencies to this list. 
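--------------------------------------------------------------------------------
/roles/prep_letsencrypt/tasks/Amazon.yml:
--------------------------------------------------------------------------------
---

# Amazon related tasks
# certbot comes from PyPI here (no distro package); versions are unpinned.

# Presumably the RPM python-requests clashes with the pip-installed copy
# pulled in below -- the conflict itself is not shown in this role.
- name: remove python-requests
  yum:
    name: python-requests
    state: absent

- name: install needed pip packages
  pip:
    name:
      - pyOpenSSL
      - requests
      - setuptools
      - certbot-nginx
    state: latest

# "minute" must be given explicitly: the cron module defaults it to "*", so
# "hour: 3,15" alone would start a renewal attempt every minute of those two
# hours. The random sleep spreads the actual run across the hour.
# The certificate is issued with the standalone authenticator (tasks/main.yml),
# which needs port 80 free, so renewal has to stop nginx for the attempt and
# start it again afterwards; the hooks only run when a renewal is actually due,
# and the restart also makes nginx load the renewed certificate.
- name: letsencrypt renewal cronjob
  cron:
    name: "letsencrypt automatic renewal"
    minute: "0"
    hour: "3,15"
    job: "python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew --pre-hook 'systemctl stop nginx' --post-hook 'systemctl start nginx'"

# cloud-init is presumably removed together with python-requests above and is
# put back here -- confirm against the package dependencies.
- name: re-install cloud-init
  yum:
    name: cloud-init
    state: latest

--------------------------------------------------------------------------------
/roles/prep_letsencrypt/tasks/CentOS.yml:
--------------------------------------------------------------------------------
---

# CentOS related tasks
# certbot comes from PyPI here (no distro package); versions are unpinned.

- name: install needed pip packages
  pip:
    name:
      - pyOpenSSL
      - requests
      - setuptools
      - certbot-nginx
    state: latest

# See tasks/Amazon.yml for why "minute" and the nginx stop/start hooks are set.
- name: letsencrypt renewal cronjob
  cron:
    name: "letsencrypt automatic renewal"
    minute: "0"
    hour: "3,15"
    job: "python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew --pre-hook 'systemctl stop nginx' --post-hook 'systemctl start nginx'"

--------------------------------------------------------------------------------
/roles/prep_letsencrypt/tasks/Debian.yml:
--------------------------------------------------------------------------------
---
# Debian related OS tasks
# certbot comes from the distro's backports repo; no renewal cron job is set up
# here. NOTE(review): if the packaged certbot timer is relied on for renewal,
# it faces the same port-80 conflict with the standalone authenticator that
# the cron jobs in Amazon.yml/CentOS.yml/Fedora.yml work around -- verify.

- name: add additional repos
  apt_repository:
    repo: 'deb http://ftp.debian.org/{{ ansible_distribution|lower }} {{ ansible_distribution_release }}-backports main'
    update_cache: true
    state: present

# Full dist-upgrade of the host as a side effect of this role.
- name: apt dist-upgrade
  apt:
    upgrade: dist
    autoremove: true

- name: install python-certbot-nginx packages
  apt:
    name: python-certbot-nginx
    autoremove: true
    default_release: "{{ ansible_distribution_release }}-backports"
    state: latest

- name: install needed pip packages
  pip:
    name: acme
    state: latest

--------------------------------------------------------------------------------
/roles/prep_letsencrypt/tasks/Fedora.yml:
--------------------------------------------------------------------------------
---

# Fedora related tasks
# certbot comes from PyPI here (no distro package); versions are unpinned.

- name: install needed pip packages
  pip:
    name:
      - pyOpenSSL
      - requests
      - setuptools
      - certbot-nginx
    state: latest

# See tasks/Amazon.yml for why "minute" and the nginx stop/start hooks are set.
- name: letsencrypt renewal cronjob
  cron:
    name: "letsencrypt automatic renewal"
    minute: "0"
    hour: "3,15"
    job: "python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew --pre-hook 'systemctl stop nginx' --post-hook 'systemctl start nginx'"

--------------------------------------------------------------------------------
/roles/prep_letsencrypt/tasks/Ubuntu.yml:
--------------------------------------------------------------------------------
---
# Ubuntu related OS tasks
# certbot comes from the certbot PPA; no renewal cron job is set up here
# (see the NOTE in tasks/Debian.yml).

# PPA signing key, pinned by full fingerprint and fetched over hkps.
- name: Add an apt key by id from a keyserver
  apt_key:
    keyserver: hkps://keyserver.ubuntu.com
    id: "{{ item }}"
  with_items:
    - 7BF576066ADA65728FC7E70A8C47BE8E75BCA694

- name: add additional repos
  apt_repository:
    repo: 'deb http://ppa.launchpad.net/certbot/certbot/ubuntu {{ ansible_distribution_release }} main'
    validate_certs: true
    update_cache: true
    state: present

# Full dist-upgrade of the host as a side effect of this role.
- name: apt dist-upgrade
  apt:
    upgrade: dist
    autoremove: true

- name: install python-certbot-nginx packages
  apt:
    name: python-certbot-nginx
    autoremove: true
    state: latest

--------------------------------------------------------------------------------
/roles/prep_letsencrypt/tasks/main.yml:
--------------------------------------------------------------------------------
---
# tasks file for prep_letsencrypt
#
# Installs certbot for the distribution, writes the DH parameters nginx uses,
# and obtains the initial certificate with the standalone authenticator.
# Variables read from the play scope: dhparam_path, cert_email, fqdn and the
# optional cert_stage (extra certbot arguments, e.g. for staging).

- name: include os specific tasks
  include_tasks: "{{ ansible_distribution }}.yml"

# NOTE(review): the directory's group is the sudo user rather than root; with
# mode 0755 this has no practical effect on access, but the intent is unclear.
- name: ensure "{{ dhparam_path | dirname }}" exists
  file:
    name: "{{ dhparam_path | dirname }}"
    owner: root
    group: "{{ ansible_env.SUDO_USER | default('root') }}"
    mode: 0755
    state: directory

# A published, well-known group instead of locally generated parameters: no
# slow generation on the host, and nothing to get wrong.
- name: use the pre-defined DH groups ffdhe4096 recommended by the IETF in [RFC 7919 https://tools.ietf.org/html/rfc7919]
  copy:
    dest: "{{ dhparam_path }}"
    owner: root
    group: root
    mode: 0644
    content: |
      -----BEGIN DH PARAMETERS-----
      MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
      +8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
      87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
      YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
      7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
      ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
      7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
      nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
      8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
      iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
      zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
      -----END DH PARAMETERS-----

# The standalone authenticator below binds the web port itself, so nginx must
# not be running while the certificate is obtained (it stays enabled).
- name: ensure nginx is stopped
  systemd:
    name: nginx
    state: stopped
    enabled: true

# "command" instead of "shell": no shell features are used, so the arguments
# are passed to certbot without going through a shell. "creates" makes the
# task a no-op once the certificate exists.
- name: install letsencrypt certificates
  command: "certbot certonly --standalone --installer nginx --email {{ cert_email }} --non-interactive --domain {{ fqdn }} --agree-tos {{ cert_stage|default('') }}"
  args:
    creates: /etc/letsencrypt/live/{{ fqdn }}/cert.pem

--------------------------------------------------------------------------------
/roles/prep_letsencrypt/vars/main.yml: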
-------------------------------------------------------------------------------- 1 | --- 2 | # vars file for prep_letsencrypt -------------------------------------------------------------------------------- /roles/prep_mariadb/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # defaults file for prep_mariadb 3 | 4 | mariadb_version: 10.3 5 | -------------------------------------------------------------------------------- /roles/prep_mariadb/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # handlers file for prep_mariadb 3 | - name: restart mariadb 4 | systemd: 5 | name: mysql 6 | state: restarted 7 | -------------------------------------------------------------------------------- /roles/prep_mariadb/meta/main.yml: -------------------------------------------------------------------------------- 1 | galaxy_info: 2 | author: Reiner Nippes 3 | description: Basic setup of nextcloud database 4 | company: nippes.it 5 | 6 | # If the issue tracker for your role is not on github, uncomment the 7 | # next line and provide a value 8 | # issue_tracker_url: http://example.com/issue/tracker 9 | 10 | # Some suggested licenses: 11 | # - BSD (default) 12 | # - MIT 13 | # - GPLv2 14 | # - GPLv3 15 | # - Apache 16 | # - CC-BY 17 | license: MIT 18 | 19 | min_ansible_version: 2.4 20 | 21 | # If this a Container Enabled role, provide the minimum Ansible Container version. 22 | # min_ansible_container_version: 23 | 24 | # Optionally specify the branch Galaxy will use when accessing the GitHub 25 | # repo for this role. During role install, if no tags are available, 26 | # Galaxy will use this branch. During import Galaxy will access files on 27 | # this branch. If Travis integration is configured, only notifications for this 28 | # branch will be accepted. Otherwise, in all cases, the repo's default branch 29 | # (usually master) will be used. 
30 | #github_branch: 31 | 32 | # 33 | # platforms is a list of platforms, and each platform has a name and a list of versions. 34 | # 35 | platforms: 36 | - name: Ubuntu 37 | versions: 38 | - 16 39 | 40 | galaxy_tags: [] 41 | # List tags for your role here, one per line. A tag is a keyword that describes 42 | # and categorizes the role. Users find roles by searching for tags. Be sure to 43 | # remove the '[]' above, if you add tags to this list. 44 | # 45 | # NOTE: A tag is limited to a single word comprised of alphanumeric characters. 46 | # Maximum 20 tags per role. 47 | 48 | dependencies: 49 | - prep_secrets -------------------------------------------------------------------------------- /roles/prep_mariadb/tasks/Amazon.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | # Amazon related tasks 4 | 5 | - name: add MariaDB repo 6 | yum_repository: 7 | name: mariadb 8 | description: Extra Packages for Enterprise Linux 7 - $basearch 9 | baseurl: http://yum.mariadb.org/{{ mariadb_version }}/centos7-amd64 10 | gpgkey: https://yum.mariadb.org/RPM-GPG-KEY-MariaDB 11 | gpgcheck: yes 12 | enabled: 1 13 | 14 | - name: install MariaDB 15 | yum: 16 | name: 17 | - MariaDB-server 18 | - MariaDB-client 19 | enablerepo: mariadb 20 | state: latest 21 | register: install_mariadb 22 | 23 | - name: install MySQLdb python package for database setup 24 | yum: 25 | name: MySQL-python 26 | state: present 27 | when: false 28 | 29 | - name: enable MariaDB 30 | systemd: 31 | name: mysql 32 | enabled: true 33 | 34 | - name: stop if installed 35 | systemd: 36 | name: mysql 37 | state: stopped 38 | when: install_mariadb is changed 39 | -------------------------------------------------------------------------------- /roles/prep_mariadb/tasks/CentOS.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | # CentOS related tasks 4 | 5 | - name: add MariaDB repo 6 | yum_repository: 7 | name: mariadb 8 | 
description: Extra Packages for Enterprise Linux 7 - $basearch 9 | baseurl: http://yum.mariadb.org/{{ mariadb_version }}/centos{{ ansible_distribution_major_version|int }}-amd64 10 | gpgkey: https://yum.mariadb.org/RPM-GPG-KEY-MariaDB 11 | gpgcheck: yes 12 | enabled: 1 13 | 14 | - name: install MariaDB 15 | yum: 16 | name: 17 | - MariaDB-server 18 | - MariaDB-client 19 | enablerepo: mariadb 20 | state: latest 21 | register: install_mariadb 22 | 23 | - name: install MySQLdb python package for database setup 24 | yum: 25 | name: MySQL-python 26 | state: present 27 | when: false 28 | 29 | - name: enable MariaDB 30 | systemd: 31 | name: mysql 32 | enabled: true 33 | 34 | - name: stop if installed 35 | systemd: 36 | name: mysql 37 | state: stopped 38 | when: install_mariadb is changed 39 | -------------------------------------------------------------------------------- /roles/prep_mariadb/tasks/Debian.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Ubuntu related OS tasks 3 | 4 | - name: install mariadb-server packages 5 | apt: 6 | name: mariadb-server 7 | autoremove: true 8 | state: latest 9 | -------------------------------------------------------------------------------- /roles/prep_mariadb/tasks/Fedora.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | # Fedora related tasks 4 | 5 | - name: add MariaDB repo 6 | yum_repository: 7 | name: mariadb 8 | description: Extra Packages for Enterprise Linux 7 - $basearch 9 | baseurl: http://yum.mariadb.org/{{ mariadb_version }}/fedora{{ ansible_distribution_major_version|int }}-amd64 10 | gpgkey: https://yum.mariadb.org/RPM-GPG-KEY-MariaDB 11 | gpgcheck: yes 12 | enabled: 1 13 | 14 | - name: install MariaDB 15 | yum: 16 | name: 17 | - MariaDB-server 18 | - MariaDB-client 19 | enablerepo: mariadb 20 | state: latest 21 | register: install_mariadb 22 | 23 | - name: install MySQLdb python package for database setup 24 | yum: 25 | 
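name: MySQL-python
    state: present
  # disabled task; the mysql_* modules in tasks/main.yml use PyMySQL instead
  when: false

# Fedora manages the unit as "mariadb" (Amazon/CentOS use "mysql").
- name: enable MariaDB
  service:
    name: mariadb
    enabled: true

# Stop a freshly installed server so that tasks/main.yml configures it before
# the first real start.
- name: stop if installed
  service:
    name: mariadb
    state: stopped
  when: install_mariadb is changed

--------------------------------------------------------------------------------
/roles/prep_mariadb/tasks/Ubuntu.yml:
--------------------------------------------------------------------------------
---
# Ubuntu related OS tasks

- name: install mariadb-server packages
  apt:
    name: mariadb-server
    autoremove: true
    state: latest

--------------------------------------------------------------------------------
/roles/prep_mariadb/tasks/main.yml:
--------------------------------------------------------------------------------
---
# tasks file for prep_mariadb
#
# Installs MariaDB for the distribution, writes my.cnf, then hardens the
# default installation (no anonymous user, no test database) and creates the
# Nextcloud database and user. Variables read from the play scope: nc_db,
# nc_db_user, nc_db_passwd; mariadb_conf_dir and mariadb_sock_dir come from
# vars/main.yml.

- name: include os specific tasks
  include_tasks: "{{ ansible_distribution }}.yml"

# Client library the mysql_* modules below need; unpinned "latest" from PyPI.
- name: install PyMySQL
  pip:
    name: PyMySQL
    state: latest
  become: true

- name: create conf dir
  file:
    name: "{{ mariadb_conf_dir[ansible_distribution] | dirname }}"
    owner: root
    group: root
    mode: 0755
    state: directory

- name: configure mariadb
  template:
    src: my.cnf.j2
    dest: "{{ mariadb_conf_dir[ansible_distribution] }}"
    owner: root
    group: root
    mode: 0644
  notify: restart mariadb

# Restarted (not just started) on every run, presumably so the socket path
# from my.cnf.j2 is in effect before the mysql_* tasks below connect through
# it -- the notified handler would only fire at the end of the play.
# "enabled: true" added so the task does what its name says on every
# distribution, not only where the OS-specific tasks enable the unit.
# NOTE(review): tasks/Fedora.yml manages the unit as "mariadb" while this task
# and the handler use "mysql"; whether "mysql" resolves there is not verified.
- name: start and enable MariaDB
  systemd:
    name: mysql
    state: restarted
    enabled: true

# All connections below go through the local socket; no password-based root
# login is configured or used by this role.
- name: remove anonymous user
  mysql_user:
    name: ''
    host_all: yes
    state: absent
    login_unix_socket: "{{ mariadb_sock_dir[ansible_distribution] }}/mysqld.sock"

- name: remove test db
  mysql_db:
    name: test
    state: absent
    login_unix_socket: "{{ mariadb_sock_dir[ansible_distribution] }}/mysqld.sock"

- name: create nextcloud db
  mysql_db:
    name: "{{ nc_db }}"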
collation: utf8mb4_general_ci
encoding: utf8mb4
login_unix_socket: "{{ mariadb_sock_dir[ansible_distribution] }}/mysqld.sock"

# Dedicated, least-privilege account for Nextcloud: the grant is scoped to the
# Nextcloud schema only (no global privileges, no GRANT OPTION).  The three
# lines above are the tail of the preceding task, which starts before this
# chunk.
- name: create nextcloud user
  mysql_user:
    name: "{{ nc_db_user }}"
    password: "{{ nc_db_passwd }}"
    priv: "{{ nc_db }}.*:ALL"
    state: present
    # Authenticate over the local socket; MariaDB is not reachable over TCP
    # from other hosts (bind-address in my.cnf.j2 below).
    login_unix_socket: "{{ mariadb_sock_dir[ansible_distribution] }}/mysqld.sock"
--------------------------------------------------------------------------------
/roles/prep_mariadb/templates/my.cnf.j2:
--------------------------------------------------------------------------------
# Rendered to mariadb_conf_dir[ansible_distribution] (see vars/main.yml).
[client]
port = 3306
socket = {{ mariadb_sock_dir[ansible_distribution] }}/mysqld.sock
default-character-set = utf8mb4

[mysqld_safe]
socket = {{ mariadb_sock_dir[ansible_distribution] }}/mysqld.sock
nice = 0

[mysqld]
user = mysql
pid-file = {{ mariadb_sock_dir[ansible_distribution] }}/mysqld.pid
socket = {{ mariadb_sock_dir[ansible_distribution] }}/mysqld.sock
port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
lc_messages_dir = /usr/share/mysql
lc_messages = en_US
skip-external-locking
# No reverse DNS on connect: faster, and host-based grants cannot be spoofed
# through DNS.  Grants must use IPs/localhost, not hostnames.
skip-name-resolve
# Loopback only.  Nextcloud connects from the same host; nothing outside the
# box can reach the TCP port even if the firewall is misconfigured.
bind-address = 127.0.0.1
max_connections = 200
connect_timeout = 5
wait_timeout = 600
max_allowed_packet = 16M
thread_cache_size = 128
sort_buffer_size = 4M
bulk_insert_buffer_size = 16M
tmp_table_size = 64M
max_heap_table_size = 64M
myisam_recover_options = BACKUP
key_buffer_size = 128M
#open-files-limit = 2000
table_open_cache = 400
myisam_sort_buffer_size = 512M
concurrent_insert = 2
read_buffer_size = 2M
read_rnd_buffer_size = 1M
query_cache_limit = 2M
query_cache_size = 64M
query_cache_type = 1
query_cache_min_res_unit = 2k
log_warnings = 2
#slow_query_log_file = /var/log/mysql/mariadb-slow.log
long_query_time = 1
log_slow_verbosity = query_plan
# The slow log records full statement text (and therefore application data);
# keep the log directory readable by the mysql user and admins only.
slow-query-log = 1
#slow-query-log-file = /var/log/mysql/slow.log
#log_bin = /var/log/mysql/mariadb-bin
#log_bin_index = /var/log/mysql/mariadb-bin.index
expire_logs_days = 10
max_binlog_size = 100M
default_storage_engine = InnoDB
innodb_buffer_pool_size = 256M
innodb_buffer_pool_instances = 1
# 2 = write the redo log at commit but fsync only once per second: a power
# loss / OS crash can lose up to ~1s of committed transactions.  Use 1 if that
# durability gap is not acceptable for the file-cache metadata.
innodb_flush_log_at_trx_commit = 2
innodb_log_buffer_size = 32M
innodb_max_dirty_pages_pct = 90
innodb_large_prefix=true
innodb_file_format=barracuda
innodb_file_per_table = 1
innodb_open_files = 400
innodb_io_capacity = 400
innodb_flush_method = O_DIRECT
character-set-server = utf8mb4
collation-server = utf8mb4_general_ci
# READ-COMMITTED and ROW-based binlogs are what Nextcloud documents as required
# for its database backend.
transaction_isolation = READ-COMMITTED
binlog_format = ROW

[mysqldump]
quick
quote-names
max_allowed_packet = 16M

[mysql]
#no-auto-rehash # faster start of mysql but no tab completion

[isamchk]
key_buffer = 16M

[client-server]
#!includedir /etc/mysql/conf.d/
#!includedir /etc/mysql/mariadb.conf.d/
--------------------------------------------------------------------------------
/roles/prep_mariadb/vars/main.yml:
--------------------------------------------------------------------------------
---
# vars file for prep_mariadb

# Where my.cnf.j2 is rendered, per distribution.  On Debian/Ubuntu it is a
# drop-in so the packaged defaults stay in place.
mariadb_conf_dir:
  Amazon: /etc/my.cnf.d/my.cnf
  CentOS: /etc/my.cnf.d/my.cnf
  Fedora: /etc/my.cnf.d/my.cnf
  Ubuntu: /etc/mysql/mariadb.conf.d/90-nextcloud.cnf
  Debian: /etc/mysql/mariadb.conf.d/90-nextcloud.cnf

# Directory holding mysqld.sock / mysqld.pid; used by the tasks for socket
# authentication and by my.cnf.j2.
mariadb_sock_dir:
  Amazon: /var/lib/mysql
  CentOS: /var/lib/mysql
  Fedora: /var/lib/mysql
  Ubuntu: /var/run/mysqld
  Debian: /var/run/mysqld
--------------------------------------------------------------------------------
/roles/prep_nextcloud/defaults/config.json:
--------------------------------------------------------------------------------
{
    "system": {
        "memcache.local": "\\OC\\Memcache\\APCu",
        "redis": {
            "host": "\/var\/run\/redis\/redis.sock",
            "port": "0",
            "timeout": "0.0"
        },
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "filelocking.enabled": "true",
        "enable_previews": "true",
        "enabledPreviewProviders": [
            "OC\\Preview\\PNG",
            "OC\\Preview\\JPEG",
            "OC\\Preview\\GIF",
            "OC\\Preview\\BMP",
            "OC\\Preview\\XBitmap",
            "OC\\Preview\\Movie",
            "OC\\Preview\\PDF",
            "OC\\Preview\\MP3",
            "OC\\Preview\\TXT",
            "OC\\Preview\\MarkDown"
        ],
        "preview_max_x": "1024",
        "preview_max_y": "768",
        "preview_max_scale_factor": "1",
        "auth.bruteforce.protection.enabled": "true",
        "trashbin_retention_obligation": "auto,7",
        "skeletondirectory": "",
        "defaultapp": "file",
        "activity_expire_days": "14",
        "integrity.check.disabled": "false",
        "updater.release.channel": "stable"
    }
}
--------------------------------------------------------------------------------
/roles/prep_nextcloud/defaults/main.yml:
--------------------------------------------------------------------------------
---
# defaults file for prep_nextcloud

# Each entry is rendered as `occ config:system:set <key> <value>` by
# tasks/main.yml, so the value string carries occ's own option syntax
# (array index, --value=...).
nc_config:
  - { key: "overwrite.cli.url", value: '--value=https://{{ fqdn }}' }
  - { key: "trusted_domains", value: '1 --value={{ fqdn }}' }

# Mail settings, applied only when nc_configure_mail is true.  The last entry
# puts nc_mail_smtppwd on an occ command line, so the task applying this list
# should run with no_log.  mail_smtpname appears twice with the same value;
# the second write is redundant.
nc_mail_config:
  - { key: "mail_from_address", value: "--value={{ nc_mail_from }}" }
  - { key: "mail_smtpmode", value: "--value={{ nc_mail_smtpmode }}" }
  - { key: "mail_smtpauthtype", value: "--value={{ nc_mail_smtpauthtype }}" }
  - { key: "mail_domain", value: "--value={{ nc_mail_domain }}" }
  - { key: "mail_smtpname", value: "--value={{ nc_mail_smtpname }}" }
  - { key: "mail_smtpsecure", value: "--value={{ nc_mail_smtpsecure }}" }
  - { key: "mail_smtpauth", value: "--value={{ nc_mail_smtpauth }}" }
  - { key: "mail_smtphost", value: "--value={{ nc_mail_smtphost }}" }
  - { key: "mail_smtpport", value: "--value={{ nc_mail_smtpport }}" }
  - { key: "mail_smtpname", value: "--value={{ nc_mail_smtpname }}" }
  - { key: "mail_smtppassword", value: "--value={{ nc_mail_smtppwd }}" }

# Rendered as `occ app:<key> <value>`.  survey_client and firstrunwizard are
# disabled; admin_audit is enabled so administrative actions are logged.
nc_app_config:
  - { key: "disable", value: "survey_client" }
  - { key: "disable", value: "firstrunwizard" }
  - { key: "enable", value: "admin_audit" }
  - { key: "enable", value: "files_pdfviewer" }
--------------------------------------------------------------------------------
/roles/prep_nextcloud/files/httpd-to-php-fpm.pp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ReinerNippes/nextcloud/738dd14321c2e64a3463fbc2c03e8323ec89470b/roles/prep_nextcloud/files/httpd-to-php-fpm.pp
--------------------------------------------------------------------------------
/roles/prep_nextcloud/files/httpd-to-redis-socket.pp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ReinerNippes/nextcloud/738dd14321c2e64a3463fbc2c03e8323ec89470b/roles/prep_nextcloud/files/httpd-to-redis-socket.pp
--------------------------------------------------------------------------------
/roles/prep_nextcloud/files/httpd-to-upload-tmp.pp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ReinerNippes/nextcloud/738dd14321c2e64a3463fbc2c03e8323ec89470b/roles/prep_nextcloud/files/httpd-to-upload-tmp.pp
--------------------------------------------------------------------------------
/roles/prep_nextcloud/handlers/main.yml:
--------------------------------------------------------------------------------
---
# handlers file for prep_nextcloud
--------------------------------------------------------------------------------
/roles/prep_nextcloud/meta/main.yml:
--------------------------------------------------------------------------------
galaxy_info:
  author: Reiner Nippes
  description: Install and setup nextcloud
  company: nippes.it


  # If the issue tracker for your role is not on github, uncomment the
  # next line and provide a value
  # issue_tracker_url: http://example.com/issue/tracker

  # Some suggested licenses:
  # - BSD (default)
  # - MIT
  # - GPLv2
  # - GPLv3
  # - Apache
  # - CC-BY
  license: MIT

  min_ansible_version: 2.4

  # If this a Container Enabled role, provide the minimum Ansible Container version.
  # min_ansible_container_version:

  # Optionally specify the branch Galaxy will use when accessing the GitHub
  # repo for this role. During role install, if no tags are available,
  # Galaxy will use this branch. During import Galaxy will access files on
  # this branch. If Travis integration is configured, only notifications for this
  # branch will be accepted. Otherwise, in all cases, the repo's default branch
  # (usually master) will be used.
  #github_branch:

  #
  # platforms is a list of platforms, and each platform has a name and a list of versions.
  #
  platforms:
  - name: Ubuntu
    versions:
    - 16

  galaxy_tags: []
    # List tags for your role here, one per line. A tag is a keyword that describes
    # and categorizes the role. Users find roles by searching for tags. Be sure to
    # remove the '[]' above, if you add tags to this list.
    #
    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
    #       Maximum 20 tags per role.

dependencies: []
  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
  # if you add dependencies to this list.
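--------------------------------------------------------------------------------
/roles/prep_nextcloud/tasks/main.yml:
--------------------------------------------------------------------------------
---
# tasks file for prep_nextcloud
#
# Secret handling in this role: nc_passwd (admin), nc_db_passwd and
# nc_mail_smtppwd are handed to `occ` as command-line arguments, because that
# is the interface occ offers.  Every task that does so carries `no_log: true`
# so the values do not reach Ansible output, callback plugins or log_path.
# `no_log` does NOT hide argv from `ps`/`/proc` or process accounting on the
# target while the command runs; if that matters for your threat model,
# rotate the admin password after the one-off install.

- name: generate admin passwd if nextcloud_passwd is empty
  set_fact:
    # The password lookup persists the generated secret under credential_store
    # on the controller so re-runs are idempotent; keep that directory out of
    # version control.
    nc_passwd: "{{ lookup('password', credential_store ~ '/nextcloud_admin_secret chars=ascii_letters,digits length=32') }}"
  when: nc_passwd == ''
  no_log: true

- name: download nextcloud archive
  get_url:
    url: "{{ next_archive }}"
    dest: /tmp/nextcloud.tar.bz2
    # The checksum is fetched from the same origin as the tarball, so this
    # guards against a truncated or corrupted download, not against a
    # compromised mirror.  Pin a known sha256 here (or verify upstream's
    # signature out of band) if you need authenticity.
    checksum: "sha256:{{ next_archive }}.sha256"

- name: install nextcloud
  unarchive:
    src: /tmp/nextcloud.tar.bz2
    dest: /var/www
    remote_src: true
    # Skip on re-runs once the tree exists; upgrades are occ's job.
    creates: /var/www/nextcloud/occ

# permissions.sh lives in the playbook-level files/ directory (not in this
# role); it receives its inputs via the environment.
- name: set permissions
  script: permissions.sh
  environment:
    FQDN: "{{ fqdn }}"
    NC_DATADIR: "{{ nc_datadir }}"
    WEB_USER: "{{ web_user[ansible_distribution] }}"
    WEB_GROUP: "{{ web_group[ansible_distribution] }}"

- name: include selinux tasks
  include_tasks: selinux.yml
  when:
    - (ansible_os_family == "RedHat")
    - ('status' in ansible_selinux)
    - (ansible_selinux.status == "enabled")

- name: flush all handlers to restart server
  meta: flush_handlers

- name: start nginx
  systemd:
    name: nginx
    state: started

- name: restart redis
  systemd:
    name: redis
    state: restarted

- name: first setup nextcloud
  become_user: "{{ web_user[ansible_distribution] }}"
  become_flags: "{{ ansible_become_flags | default(omit) }}"
  become: yes
  # `quote` shell-escapes user-supplied values; a DB password containing
  # shell metacharacters would otherwise break (or rewrite) the command.
  shell: >
    php occ maintenance:install
    --database {{ nc_db_type }}
    --database-host "{{ nc_db_host }}"
    --database-name {{ nc_db }}
    --database-user {{ nc_db_user }}
    --database-pass {{ nc_db_passwd | quote }}
    --admin-user {{ nc_admin | quote }}
    --admin-pass {{ nc_passwd | quote }}
    --data-dir {{ nc_datadir }}
  args:
    chdir: /var/www/nextcloud/
    # config.php is written by a successful install; its presence makes the
    # task a no-op on later runs.
    creates: /var/www/nextcloud/config/config.php
  # Both passwords are on the command line; keep them out of Ansible output
  # and logs.  The registered result is censored as well.
  no_log: true
  register: setup_nc

# With no_log on the task above this only prints a "hidden" placeholder.
- debug: var=setup_nc verbosity=2

- name: set nextcloud domain config.php values
  become_user: "{{ web_user[ansible_distribution] }}"
  become_flags: "{{ ansible_become_flags | default(omit) }}"
  become: yes
  shell: php occ config:system:set {{ item.key }} {{ item.value }}
  args:
    chdir: /var/www/nextcloud/
  with_items: "{{ nc_config }}"

- name: set nextcloud mail config.php values
  become_user: "{{ web_user[ansible_distribution] }}"
  become_flags: "{{ ansible_become_flags | default(omit) }}"
  become: yes
  shell: php occ config:system:set {{ item.key }} {{ item.value }}
  args:
    chdir: /var/www/nextcloud/
  with_items: "{{ nc_mail_config }}"
  when: nc_configure_mail|bool
  # nc_mail_config carries mail_smtppassword (nc_mail_smtppwd).
  no_log: true

# Staged under a fixed name in /tmp, readable by the web user only.  The copy
# module replaces the destination atomically, so a pre-planted symlink should
# be overwritten rather than followed; a non-world-writable staging directory
# would still be cleaner.
- name: copy defaults/config.json to /tmp
  copy:
    src: "{{ role_path }}/defaults/config.json"
    dest: /tmp/nextcloud.config.json
    owner: "{{ web_user[ansible_distribution] }}"
    mode: 0600

# NOTE(review): defaults/config.json stores booleans as the strings "true" /
# "false".  PHP treats the non-empty string "false" as truthy, so a value such
# as integrity.check.disabled may not behave like boolean false.  After the
# import, confirm with `occ config:system:get integrity.check.disabled` (and
# `occ integrity:check-core`) that the code-integrity check is still enforced,
# or switch the JSON to real booleans.
- name: set default config
  become_user: "{{ web_user[ansible_distribution] }}"
  become_flags: "{{ ansible_become_flags | default(omit) }}"
  become: yes
  shell: php occ config:import /tmp/nextcloud.config.json
  args:
    chdir: /var/www/nextcloud/
  # Overwrites the install result registered above; as a shell task this is
  # always "changed", so the cron run at the end is effectively unconditional.
  register: setup_nc

- name: remove temporary config.json
  file:
    name: /tmp/nextcloud.config.json
    state: absent

- debug: var=setup_nc verbosity=2

# `upgrade` runs here and again in the dedicated task below; the second run is
# redundant but harmless.
- name: backup jobs, upgrade apps and database tuning
  become_user: "{{ web_user[ansible_distribution] }}"
  become_flags: "{{ ansible_become_flags | default(omit) }}"
  become: yes
  shell: php occ {{ item }}
  args:
    chdir: /var/www/nextcloud/
  loop:
    - background:cron
    - upgrade
    - db:add-missing-indices
    - db:convert-filecache-bigint

- name: upgrade nextcloud
  become_user: "{{ web_user[ansible_distribution] }}"
  become_flags: "{{ ansible_become_flags | default(omit) }}"
  become: yes
  shell: php occ upgrade
  args:
    chdir: /var/www/nextcloud/

- name: adjust app settings
  become_user: "{{ web_user[ansible_distribution] }}"
  become_flags: "{{ ansible_become_flags | default(omit) }}"
  become: yes
  shell: php occ app:{{ item.key }} {{ item.value }}
  args:
    chdir: /var/www/nextcloud/
  with_items: "{{ nc_app_config }}"

# Background jobs run as the web user, never as root.
- name: add nextcloud cronjob
  cron:
    name: nextcloud cronjob
    minute: '*/5'
    user: "{{ web_user[ansible_distribution] }}"
    job: "php -f /var/www/nextcloud/cron.php > /dev/null 2>&1"

- name: run nextcloud cronjob
  become_user: "{{ web_user[ansible_distribution] }}"
  become_flags: "{{ ansible_become_flags | default(omit) }}"
  become: yes
  shell: php -f /var/www/nextcloud/cron.php
  args:
    chdir: /var/www/nextcloud/
  when: setup_nc is changed

--------------------------------------------------------------------------------
/roles/prep_nextcloud/tasks/selinux.yml:
--------------------------------------------------------------------------------
---

# Label only the paths php-fpm/nginx must write as httpd_sys_rw_content_t.
# Keep this list tight: the rest of /var/www/nextcloud keeps the default
# read-only httpd content label, which is what limits what a compromised PHP
# worker can modify.
- name: selinux targets
  sefcontext:
    target: "{{ item }}"
    setype: httpd_sys_rw_content_t
    state: present
  with_items:
    - '{{ nc_datadir }}(/.*)?'
    - '/var/www/nextcloud/config(/.*)?'
    - '/var/www/nextcloud/apps(/.*)?'
    - '/var/www/nextcloud/assets(/.*)?'
    - '/var/www/nextcloud/.htaccess'
    - '/var/www/nextcloud/.user.ini'
    - '/var/www/nextcloud/3rdparty/aws/aws-sdk-php/src/data/logs(/.*)?'
    - '/usr/local/tmp(/.*)?'
    - '/upload_tmp(/.*)?'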
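
# Persistently enable the SELinux booleans the stack needs.  The seboolean
# module is idempotent, whereas `command: setsebool -P` reported "changed" and
# rewrote the policy store on every run.  Review this list against what the
# deployment actually uses: httpd_unified and httpd_execmem relax the httpd
# confinement considerably, and httpd_can_network_connect lets PHP open
# arbitrary outbound connections (needed for the app store, federation and
# external storage, but broad).
- name: enable seboolean settings
  seboolean:
    name: "{{ item }}"
    state: yes
    persistent: yes
  loop:
    - httpd_can_sendmail
    - httpd_unified
    - httpd_graceful_shutdown
    - httpd_can_network_relay
    - httpd_can_network_connect
    - httpd_can_network_connect_db
    - daemons_enable_cluster_mode
    - httpd_execmem

# Load the role's custom policy modules (compiled .pp files under files/).
# `semodule -i` is opaque to Ansible, so this task always reports changed.
- name: install custom selinux policy modules
  command: semodule -i {{ role_path }}/files/{{ item }}
  loop:
    - httpd-to-php-fpm.pp
    - httpd-to-redis-socket.pp
    - httpd-to-upload-tmp.pp

# Apply the file contexts declared above to files that already exist.
- name: restorecon
  command: restorecon -Rv {{ item }}
  loop:
    - '/var/www/nextcloud/'
    - '{{ nc_datadir }}'
    - '/upload_tmp'
    - '/usr/local/tmp'
--------------------------------------------------------------------------------
/roles/prep_nextcloud/vars/main.yml:
--------------------------------------------------------------------------------
---
# vars file for prep_nextcloud
--------------------------------------------------------------------------------
/roles/prep_nginx/defaults/main.yml:
--------------------------------------------------------------------------------
---
# defaults file for prep_nginx

# Empty means "derive it": tasks/main.yml falls back to the EC2 public
# hostname, then ansible_fqdn.
fqdn: ''

# dns resolver (nginx reverse ip lookup) set to 127.0.0.1
# see http://blog.zorinaq.com/nginx-resolver-vulns/
# Resolver traffic is unauthenticated UDP; a local caching resolver keeps
# spoofable lookups off the network.
nginx_resolver: '127.0.0.1'
--------------------------------------------------------------------------------
/roles/prep_nginx/files/letsencrypt.conf:
--------------------------------------------------------------------------------
# ACME HTTP-01 responder.  Bound to loopback only; the public vhost in
# nextcloud.conf.j2 proxies /.well-known/acme-challenge here, so nothing but
# the challenge directory is exposed through this server block.
server {
    listen 127.0.0.1:81 default_server;
    server_name 127.0.0.1;
    charset utf-8;
    access_log /var/log/nginx/le.access.log main;
    error_log /var/log/nginx/le.error.log warn;
    location ^~ /.well-known/acme-challenge {
        default_type text/plain;
        root /var/www/letsencrypt;
    }
}
--------------------------------------------------------------------------------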
/roles/prep_nginx/files/optimization.conf:
--------------------------------------------------------------------------------
# Included at http level from nginx.conf.j2 (conf.d/*.conf).
fastcgi_buffers 64 64K;
fastcgi_buffer_size 256k;
fastcgi_busy_buffers_size 3840K;
# The cache key includes the Cookie header, so a cached response can only be
# reused by the same session.  Note: no fastcgi_cache zone is declared in
# this role's files, so the fastcgi_cache_* directives here and in
# php_optimization.conf are inert unless a zone is configured elsewhere.
fastcgi_cache_key $http_cookie$request_method$host$request_uri;
fastcgi_cache_use_stale error timeout invalid_header http_500;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
# nginx always compresses text/html regardless of gzip_types.  Compressing
# pages that reflect attacker-influenced input next to secrets (CSRF tokens)
# is the precondition for BREACH; acceptable for most deployments, but known.
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
gzip_disable "MSIE [1-6]\.";
--------------------------------------------------------------------------------
/roles/prep_nginx/files/php_optimization.conf:
--------------------------------------------------------------------------------
# fastcgi parameters shared by the PHP locations in nextcloud.conf.j2
# (included there explicitly, and once more at http level via conf.d/*.conf).
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
# Per Nextcloud's reference nginx config: tells the app that the web server
# already sends the security headers (header.conf.j2) and that front-
# controller URL rewrites are active, so it does not emit them itself.
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
# Error responses from PHP are replaced by nginx's own error pages.
fastcgi_intercept_errors on;
# Stream request bodies straight to php-fpm instead of spooling them to disk
# (large uploads).
fastcgi_request_buffering off;
fastcgi_cache_valid 404 1m;
fastcgi_cache_valid any 1h;
fastcgi_cache_methods GET HEAD;
--------------------------------------------------------------------------------
/roles/prep_nginx/files/proxy.conf:
--------------------------------------------------------------------------------
# Headers and timeouts for proxied locations (Collabora / OnlyOffice).
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Protocol $scheme;
# $remote_addr rather than $proxy_add_x_forwarded_for: a client-supplied
# X-Forwarded-For is discarded instead of being forwarded to the backend.
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Server $host;
# One-hour timeouts keep long-lived editor websockets open.
proxy_connect_timeout 3600;
proxy_send_timeout 3600;
proxy_read_timeout 3600;
proxy_redirect off;
proxy_max_temp_file_size 0;
--------------------------------------------------------------------------------
/roles/prep_nginx/handlers/main.yml:
--------------------------------------------------------------------------------
---
# handlers file for prep_nginx

# Also fires for `notify: enable coturn` via the listen topic; presumably used
# by a role outside this tree.
- name: restart nginx
  listen: enable coturn
  systemd:
    name: nginx
    state: restarted
--------------------------------------------------------------------------------
/roles/prep_nginx/meta/main.yml:
--------------------------------------------------------------------------------
galaxy_info:
  author: Reiner Nippes
  description: Basic setup of nextcloud nginx server
  company: nippes.it

  # If the issue tracker for your role is not on github, uncomment the
  # next line and provide a value
  # issue_tracker_url: http://example.com/issue/tracker

  # Some suggested licenses:
  # - BSD (default)
  # - MIT
  # - GPLv2
  # - GPLv3
  # - Apache
  # - CC-BY
  license: MIT

  min_ansible_version: 2.4

  # If this a Container Enabled role, provide the minimum Ansible Container version.
  # min_ansible_container_version:

  # Optionally specify the branch Galaxy will use when accessing the GitHub
  # repo for this role. During role install, if no tags are available,
  # Galaxy will use this branch. During import Galaxy will access files on
  # this branch. If Travis integration is configured, only notifications for this
  # branch will be accepted. Otherwise, in all cases, the repo's default branch
  # (usually master) will be used.
30 | #github_branch: 31 | 32 | # 33 | # platforms is a list of platforms, and each platform has a name and a list of versions. 34 | # 35 | platforms: 36 | - name: Ubuntu 37 | versions: 38 | - 16 39 | 40 | galaxy_tags: [] 41 | # List tags for your role here, one per line. A tag is a keyword that describes 42 | # and categorizes the role. Users find roles by searching for tags. Be sure to 43 | # remove the '[]' above, if you add tags to this list. 44 | # 45 | # NOTE: A tag is limited to a single word comprised of alphanumeric characters. 46 | # Maximum 20 tags per role. 47 | 48 | dependencies: [] 49 | # List your role dependencies here, one per line. Be sure to remove the '[]' above, 50 | # if you add dependencies to this list. -------------------------------------------------------------------------------- /roles/prep_nginx/tasks/Amazon.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | # Amazon related tasks 4 | # 5 | - name: add nginx yum repos 6 | yum_repository: 7 | name: nginx 8 | description: NGINX YUM repo 9 | baseurl: http://nginx.org/packages/mainline/centos/7/$basearch/ 10 | gpgkey: https://nginx.org/keys/nginx_signing.key 11 | gpgcheck: yes 12 | enabled: 0 13 | 14 | - name: update os 15 | yum: 16 | name: '*' 17 | update_cache: true 18 | state: latest 19 | 20 | - name: install needed packages 21 | yum: 22 | name: 23 | - nginx 24 | - firewalld 25 | state: latest 26 | enablerepo: nginx 27 | 28 | - name: open firewall ports 22/{{ nc_web_port }}/{{ nc_ssl_port }} 29 | firewalld: 30 | port: "{{ item }}" 31 | permanent: true 32 | immediate: false 33 | state: enabled 34 | with_items: 35 | - 22/tcp 36 | - '{{ nc_web_port }}/tcp' 37 | - '{{ nc_ssl_port }}/tcp' 38 | -------------------------------------------------------------------------------- /roles/prep_nginx/tasks/CentOS.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | # CentOS related tasks 4 | # 5 | - name: 
add nginx yum repos 6 | yum_repository: 7 | name: nginx 8 | description: NGINX YUM repo 9 | baseurl: http://nginx.org/packages/mainline/centos/{{ ansible_distribution_major_version|int }}/$basearch/ 10 | gpgkey: https://nginx.org/keys/nginx_signing.key 11 | gpgcheck: yes 12 | enabled: 0 13 | 14 | - name: update os 15 | yum: 16 | name: '*' 17 | update_cache: true 18 | state: latest 19 | 20 | - name: install needed packages 21 | yum: 22 | name: 23 | - nginx 24 | - firewalld 25 | state: latest 26 | enablerepo: nginx 27 | 28 | - name: open firewall ports 22/{{ nc_web_port }}/{{ nc_ssl_port }} 29 | firewalld: 30 | port: "{{ item }}" 31 | permanent: true 32 | immediate: false 33 | state: enabled 34 | with_items: 35 | - 22/tcp 36 | - '{{ nc_web_port }}/tcp' 37 | - '{{ nc_ssl_port }}/tcp' 38 | -------------------------------------------------------------------------------- /roles/prep_nginx/tasks/Debian.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Debian related OS tasks 3 | 4 | - name: add nginx key 5 | apt_key: 6 | url: https://nginx.org/keys/nginx_signing.key 7 | state: present 8 | 9 | - name: add additional debian repos 10 | apt_repository: 11 | repo: "{{ item }}" 12 | state: present 13 | update_cache: true 14 | with_items: 15 | - 'deb http://nginx.org/packages/{{ ansible_distribution|lower }}/ {{ ansible_distribution_release }} nginx' 16 | - 'deb-src http://nginx.org/packages/{{ ansible_distribution|lower }}/ {{ ansible_distribution_release }} nginx' 17 | 18 | - name: apt dist-upgrade 19 | apt: 20 | upgrade: dist 21 | autoremove: true 22 | 23 | - name: install additional packages 24 | apt: 25 | name: 26 | - nginx 27 | - python-pip 28 | - python-netaddr 29 | autoremove: true 30 | allow_unauthenticated: true 31 | state: latest 32 | -------------------------------------------------------------------------------- /roles/prep_nginx/tasks/Fedora.yml: 
-------------------------------------------------------------------------------- 1 | --- 2 | 3 | # Fedora related tasks 4 | # 5 | - name: add nginx yum repos 6 | yum_repository: 7 | name: nginx 8 | description: NGINX YUM repo 9 | baseurl: http://nginx.org/packages/mainline/centos/7/$basearch/ 10 | gpgkey: https://nginx.org/keys/nginx_signing.key 11 | gpgcheck: yes 12 | enabled: 0 13 | 14 | - name: update os 15 | yum: 16 | name: '*' 17 | update_cache: true 18 | state: latest 19 | 20 | - name: install needed packages 21 | yum: 22 | name: 23 | - nginx 24 | - firewalld 25 | state: latest 26 | enablerepo: nginx 27 | 28 | - name: open firewall ports 22/{{ nc_web_port }}/{{ nc_ssl_port }} 29 | firewalld: 30 | port: "{{ item }}" 31 | permanent: true 32 | immediate: false 33 | state: enabled 34 | with_items: 35 | - 22/tcp 36 | - '{{ nc_web_port }}/tcp' 37 | - '{{ nc_ssl_port }}/tcp' 38 | -------------------------------------------------------------------------------- /roles/prep_nginx/tasks/Ubuntu.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Ubuntu related OS tasks 3 | 4 | - name: Add an apt key by id for PPA for NGINX Mainline with HTTP/2 5 | apt_key: 6 | keyserver: hkps://keyserver.ubuntu.com 7 | id: 14AA40EC0831756756D7F66C4F4EA0AAE5267A6C 8 | state: present 9 | 10 | - name: add additional repos for PPA for NGINX Mainline with HTTP/2 11 | apt_repository: 12 | repo: 'deb http://ppa.launchpad.net/ondrej/nginx-mainline/ubuntu {{ ansible_distribution_release }} main' 13 | validate_certs: true 14 | update_cache: true 15 | state: present 16 | 17 | - name: remove standard nginx 18 | apt: 19 | name: 20 | - nginx-full 21 | state: absent 22 | 23 | - name: apt dist-upgrade 24 | apt: 25 | upgrade: dist 26 | autoremove: true 27 | 28 | - name: install additional packages 29 | apt: 30 | name: [nginx-extras,openssl] 31 | autoremove: true 32 | state: latest 33 | 34 | - name: install needed packages 35 | apt: 36 | name: 37 | - 
python-pip 38 | - python-netaddr 39 | state: latest 40 | -------------------------------------------------------------------------------- /roles/prep_nginx/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # tasks file for prep_nginx 3 | 4 | - name: include os specific tasks 5 | include_tasks: "{{ ansible_distribution }}.yml" 6 | 7 | - name: stop and enable nginx 8 | systemd: 9 | name: nginx 10 | state: stopped 11 | enabled: true 12 | 13 | - name: create some folders 14 | file: 15 | name: "{{ item.path }}" 16 | state: directory 17 | owner: "{{ item.owner }}" 18 | group: "{{ item.group }}" 19 | mode: "{{ item.mode }}" 20 | with_items: 21 | - { path: '{{ nc_datadir }}', owner: '{{ web_user[ansible_distribution] }}', group: '{{ web_group[ansible_distribution] }}', mode: '0750' } 22 | - { path: '/var/www', owner: '{{ web_user[ansible_distribution] }}', group: '{{ web_group[ansible_distribution] }}', mode: '0750' } 23 | - { path: '/var/www/letsencrypt', owner: '{{ web_user[ansible_distribution] }}', group: '{{ web_group[ansible_distribution] }}', mode: '0750' } 24 | - { path: '/upload_tmp', owner: '{{ web_user[ansible_distribution] }}', group: '{{ web_group[ansible_distribution] }}', mode: '0755' } 25 | 26 | - name: install pip netaddress 27 | pip: 28 | name: netaddr 29 | state: latest 30 | when: false 31 | 32 | - name: set netmask 33 | set_fact: 34 | net_mask: "{{ ansible_default_ipv4.network }}/{{ ansible_default_ipv4.netmask }}" 35 | 36 | - name: bring /etc/nginx/nginx.conf in place 37 | template: 38 | src: nginx.conf.j2 39 | dest: /etc/nginx/nginx.conf 40 | owner: root 41 | group: root 42 | mode: 0644 43 | force: true 44 | notify: restart nginx 45 | 46 | - name: use ec2 public hostname if fqdn is not defined 47 | set_fact: 48 | fqdn: "{{ fqdn if ( fqdn ) else facter_ec2_metadata['public-hostname'] }}" 49 | when: facter_ec2_metadata is defined 50 | 51 | - name: use ansible_fqdn if fqdn is not defined 52 | 
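set_fact:
  fqdn: "{{ fqdn if ( fqdn ) else ansible_fqdn }}"

- name: nginx nextcloud config
  template:
    src: nextcloud.conf.j2
    dest: /etc/nginx/conf.d/nextcloud.conf
    owner: root
    group: root
    mode: 0644
  notify: restart nginx

- name: nginx header config
  template:
    src: header.conf.j2
    dest: /etc/nginx/conf.d/header.conf
    owner: root
    group: root
    mode: 0644
  notify: restart nginx

# ssl_certificate_type selects ssl.conf.letsencrypt.j2 or
# ssl.conf.selfsigned.j2.
- name: nginx config for ssl
  template:
    src: ssl.conf.{{ ssl_certificate_type }}.j2
    dest: /etc/nginx/conf.d/ssl.conf
    owner: root
    group: root
    mode: 0644
  notify: restart nginx

# Everything in conf.d/*.conf is included at http level by nginx.conf.j2.
- name: copy some nginx config file
  copy:
    src: "{{ item }}"
    dest: "/etc/nginx/conf.d/{{ item }}"
    owner: root
    group: root
    mode: 0644
    force: true
  with_items:
    - optimization.conf
    - php_optimization.conf
    - proxy.conf
  notify: restart nginx

- name: copy letencrypt.conf
  copy:
    src: letsencrypt.conf
    dest: /etc/nginx/conf.d/letsencrypt.conf
    owner: root
    group: root
    mode: 0644
    force: true
  notify: restart nginx

--------------------------------------------------------------------------------
/roles/prep_nginx/templates/header.conf.j2:
--------------------------------------------------------------------------------
# Security headers, included at http level via conf.d/*.conf.
# nginx inherits add_header from the enclosing level only when a location
# declares no add_header of its own, so any location that sets e.g.
# Cache-Control must re-include this file (see nextcloud.conf.j2).
{% if ssl_certificate_type == 'letsencrypt' %}
# HSTS only with a publicly trusted certificate: with the self-signed variant
# browsers would refuse to click through the certificate warning after the
# first visit.  `preload` is deliberately not sent -- the preload list needs a
# max-age of at least one year and is practically irreversible, so opt in
# explicitly if you want it.  `always` also attaches the header to error
# responses.
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
{% endif %}
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;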
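--------------------------------------------------------------------------------
/roles/prep_nginx/templates/nextcloud.conf.j2:
--------------------------------------------------------------------------------
# Plain-HTTP vhost: only the ACME challenge is served here, everything else is
# redirected to HTTPS.
server {
    listen {{ nc_web_port }} default_server;
    {% if ansible_default_ipv6.address is defined %}listen [::]:{{ nc_web_port }};{% endif %}

    server_name {{ fqdn }};
    #Your DDNS adress, (e.g. from desec.io or no-ip.com)
    location ^~ /.well-known/acme-challenge {
        # Hand off to the loopback-only responder in letsencrypt.conf.
        proxy_pass http://127.0.0.1:81;
    }
    location / {
        # Keep the requested path and query string across the redirect.
        return 301 https://$server_name:{{ nc_ssl_port }}$request_uri;
    }
}
server {
    listen {{ nc_ssl_port }} ssl http2 default_server;
    {% if ansible_default_ipv6.address is defined %}listen [::]:{{ nc_ssl_port }} ssl http2;{% endif %}

    server_name {{ fqdn }};
    root /var/www/nextcloud/;
    access_log /var/log/nginx/nextcloud.access.log main;
    error_log /var/log/nginx/nextcloud.error.log warn;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location = /.well-known/carddav {
        return 301 $scheme://$host:{{ nc_ssl_port }}/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host:{{ nc_ssl_port }}/remote.php/dav;
    }
    location = /.well-known/webfinger {
        return 301 $scheme://$host:{{ nc_ssl_port }}/public.php?service=webfinger;
    }
{% if install_collabora %}

    # Collabora Online listens on loopback with its own TLS.  proxy_ssl_verify
    # is off by default; that is tolerable only because the upstream is
    # localhost.
    location ^~ /loleaflet {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

    location ^~ /hosting/discovery {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

    location ^~ /lool {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location ^~ /hosting/capabilities {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }
{% endif %}

    client_max_body_size 10240M;

    location / {
        rewrite ^ /index.php;
    }
    # Never serve Nextcloud internals directly: config/ holds the database
    # credentials, data/ the user files.
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    # Dotfiles (.htaccess, .user.ini, .git, ...) and CLI/test entry points.
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }
    # NOTE(review): media requests are handed to php-fpm here, while the mp4
    # pseudo-streaming directives only act on files nginx serves itself; with
    # fastcgi_pass in the same location it is not obvious which handler wins.
    # Verify which behaviour is intended before relying on either.
    location ~* \.(?:flv|mp4|mov|m4a)$ {
        mp4;
        mp4_buffer_size 5m;
        mp4_max_buffer_size 10m;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        include /etc/nginx/conf.d/php_optimization.conf;
        fastcgi_pass php-handler;
        fastcgi_param HTTPS on;
    }
    # Only these PHP entry points reach php-fpm; any other *.php path falls
    # through to the catch-all rewrite to index.php above.
    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        # Make sure the script part of the path exists before passing it on.
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        include /etc/nginx/conf.d/php_optimization.conf;
        fastcgi_pass php-handler;
        fastcgi_param HTTPS on;
    }
    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }
    location ~ \.(?:css|js|woff|svg|gif)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Declaring add_header in this location discards the http-level
        # headers from header.conf for these responses, so re-include them.
        include /etc/nginx/conf.d/header.conf;
        add_header Cache-Control "public, max-age=15778463";
        access_log off;
        expires 30d;
    }
    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        access_log off;
        expires 30d;
    }
}
--------------------------------------------------------------------------------
/roles/prep_nginx/templates/nginx.conf.j2:
--------------------------------------------------------------------------------
# Rendered to /etc/nginx/nginx.conf.  The master process runs as root; worker
# processes drop to the web user, which is also the php-fpm user.
user {{ web_user[ansible_distribution] }};
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
    multi_accept on;
    use epoll;
}
http {
    server_names_hash_bucket_size 128;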
upstream php-handler { 14 | server unix:{{ php_socket[ansible_distribution] }}; 15 | } 16 | {% if install_onlyoffice %} 17 | upstream onlyoffice-docker { 18 | server 127.0.0.1:{{ onlyoffice_ssl_port }}; 19 | } 20 | {% endif %} 21 | 22 | set_real_ip_from 127.0.0.1; 23 | set_real_ip_from 10.0.0.0/8; 24 | set_real_ip_from 172.16.0.0/12; 25 | set_real_ip_from 192.168.2.0/24; 26 | real_ip_header X-Forwarded-For; 27 | real_ip_recursive on; 28 | 29 | include /etc/nginx/mime.types; 30 | #include /etc/nginx/ssl.conf; 31 | default_type application/octet-stream; 32 | log_format main '$remote_addr - $remote_user [$time_local] "$request" ' 33 | '$status $body_bytes_sent "$http_referer" ' 34 | '"$http_user_agent" "$http_x_forwarded_for" ' 35 | '"$host" sn="$server_name" ' 36 | 'rt=$request_time ' 37 | 'ua="$upstream_addr" us="$upstream_status" ' 38 | 'ut="$upstream_response_time" ul="$upstream_response_length" ' 39 | 'cs=$upstream_cache_status' ; 40 | access_log /var/log/nginx/access.log main; 41 | sendfile on; 42 | send_timeout 3600; 43 | tcp_nopush on; 44 | tcp_nodelay on; 45 | open_file_cache max=500 inactive=10m; 46 | open_file_cache_errors on; 47 | keepalive_timeout 65; 48 | reset_timedout_connection on; 49 | server_tokens off; 50 | resolver {{ nginx_resolver|default('8.8.8.8') }}; 51 | resolver_timeout 10s; 52 | include /etc/nginx/conf.d/*.conf; 53 | } 54 | -------------------------------------------------------------------------------- /roles/prep_nginx/templates/ssl.conf.letsencrypt.j2: -------------------------------------------------------------------------------- 1 | ssl_certificate /etc/letsencrypt/live/{{ fqdn }}/fullchain.pem; 2 | ssl_certificate_key /etc/letsencrypt/live/{{ fqdn }}/privkey.pem; 3 | ssl_trusted_certificate /etc/letsencrypt/live/{{ fqdn }}/fullchain.pem; 4 | ssl_dhparam {{ dhparam_path }}; 5 | ssl_session_timeout 1d; 6 | ssl_session_cache shared:SSL:50m; 7 | ssl_session_tickets off; 8 | ssl_protocols TLSv1.3 TLSv1.2; 9 | ssl_ciphers 
'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384'; 10 | ssl_prefer_server_ciphers on; 11 | ssl_ecdh_curve secp521r1:secp384r1; 12 | ssl_stapling on; 13 | ssl_stapling_verify on; 14 | -------------------------------------------------------------------------------- /roles/prep_nginx/templates/ssl.conf.selfsigned.j2: -------------------------------------------------------------------------------- 1 | ssl_certificate /etc/nginx/certs/cert.pem; 2 | ssl_certificate_key /etc/nginx/certs/key.pem; 3 | ssl_dhparam {{ dhparam_path }}; 4 | ssl_session_timeout 1d; 5 | ssl_session_cache shared:SSL:50m; 6 | ssl_session_tickets off; 7 | ssl_protocols TLSv1.3 TLSv1.2; 8 | ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384'; 9 | ssl_prefer_server_ciphers on; 10 | ssl_ecdh_curve secp384r1; 11 | ssl_stapling on; 12 | ssl_stapling_verify on; 13 | -------------------------------------------------------------------------------- /roles/prep_nginx/vars/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # vars file for prep_nginx 3 | 4 | php_socket: 5 | 'CentOS': '/run/php-fpm/php{{ php_version }}-fpm.sock' 6 | 'Amazon': '/run/php-fpm/php{{ php_version }}-fpm.sock' 7 | 'Fedora': '/run/php-fpm/php{{ php_version }}-fpm.sock' 8 | 'Ubuntu': '/run/php/php{{ php_version }}-fpm.sock' 9 | 'Debian': '/run/php/php{{ php_version }}-fpm.sock' 10 | -------------------------------------------------------------------------------- /roles/prep_onlyoffice/README.md: -------------------------------------------------------------------------------- 1 | prep_onlyoffice 2 | ============= 3 | 4 | Installation of docker and onlyoffice for Nextcloud. 
5 | 6 | Requirements 7 | ------------ 8 | 9 | nginx and nextcloud have to be installed and configured. 10 | 11 | Role Variables 12 | -------------- 13 | 14 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (i.e. hostvars, group vars, etc.) should be mentioned here as well. 15 | 16 | Dependencies 17 | ------------ 18 | 19 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. 20 | 21 | Example Playbook 22 | ---------------- 23 | 24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: 25 | 26 | - hosts: servers 27 | roles: 28 | - { role: username.rolename, x: 42 } 29 | 30 | License 31 | ------- 32 | 33 | MIT 34 | 35 | Author Information 36 | ------------------ 37 | 38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed). 
39 | -------------------------------------------------------------------------------- /roles/prep_onlyoffice/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # defaults file for prep_onlyoffice -------------------------------------------------------------------------------- /roles/prep_onlyoffice/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # handlers file for prep_onlyoffice 3 | -------------------------------------------------------------------------------- /roles/prep_onlyoffice/meta/main.yml: -------------------------------------------------------------------------------- 1 | galaxy_info: 2 | author: Reiner Nippes 3 | description: Basic setup of nextcloud onlyoffice with docker 4 | company: nippes.it 5 | 6 | # If the issue tracker for your role is not on github, uncomment the 7 | # next line and provide a value 8 | # issue_tracker_url: http://example.com/issue/tracker 9 | 10 | # Some suggested licenses: 11 | # - BSD (default) 12 | # - MIT 13 | # - GPLv2 14 | # - GPLv3 15 | # - Apache 16 | # - CC-BY 17 | license: MIT 18 | 19 | min_ansible_version: 2.5 20 | 21 | # If this a Container Enabled role, provide the minimum Ansible Container version. 22 | min_ansible_container_version: 2.1 23 | 24 | # Optionally specify the branch Galaxy will use when accessing the GitHub 25 | # repo for this role. During role install, if no tags are available, 26 | # Galaxy will use this branch. During import Galaxy will access files on 27 | # this branch. If Travis integration is configured, only notifications for this 28 | # branch will be accepted. Otherwise, in all cases, the repo's default branch 29 | # (usually master) will be used. 30 | #github_branch: 31 | 32 | # 33 | # platforms is a list of platforms, and each platform has a name and a list of versions. 
34 | # 35 | platforms: 36 | - name: Ubuntu 37 | versions: 38 | - 16 39 | 40 | galaxy_tags: [] 41 | # List tags for your role here, one per line. A tag is a keyword that describes 42 | # and categorizes the role. Users find roles by searching for tags. Be sure to 43 | # remove the '[]' above, if you add tags to this list. 44 | # 45 | # NOTE: A tag is limited to a single word comprised of alphanumeric characters. 46 | # Maximum 20 tags per role. 47 | 48 | dependencies: 49 | - prep_secrets 50 | - prep_docker 51 | -------------------------------------------------------------------------------- /roles/prep_onlyoffice/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # tasks file for prep_onlyoffice 3 | 4 | - name: install onlyoffice app 5 | become_user: "{{ web_user[ansible_distribution] }}" 6 | become_flags: "{{ ansible_become_flags | default(omit) }}" 7 | become: yes 8 | shell: php occ app:install onlyoffice 9 | args: 10 | chdir: /var/www/nextcloud/ 11 | creates: /var/www/nextcloud/apps/onlyoffice 12 | ignore_errors: true 13 | 14 | - name: enable onlyoffice app 15 | become_user: "{{ web_user[ansible_distribution] }}" 16 | become_flags: "{{ ansible_become_flags | default(omit) }}" 17 | become: yes 18 | shell: php occ app:enable onlyoffice 19 | args: 20 | chdir: /var/www/nextcloud/ 21 | 22 | - name: set onlyoffice server url 23 | become_user: "{{ web_user[ansible_distribution] }}" 24 | become_flags: "{{ ansible_become_flags | default(omit) }}" 25 | become: yes 26 | shell: php occ config:app:set onlyoffice DocumentServerUrl --value https://{{ fqdn }}:{{ onlyoffice_ssl_port }} 27 | args: 28 | chdir: /var/www/nextcloud/ 29 | 30 | - name: set onlyoffice server secret 31 | become_user: "{{ web_user[ansible_distribution] }}" 32 | become_flags: "{{ ansible_become_flags | default(omit) }}" 33 | become: yes 34 | shell: php occ config:app:set onlyoffice jwt_secret --value {{ lookup('password', '{{ credential_store 
}}/onlyoffice_secret chars=ascii_letters,digits length=32') }} 35 | args: 36 | chdir: /var/www/nextcloud/ 37 | 38 | - name: set onlyoffice cert check off 39 | become_user: "{{ web_user[ansible_distribution] }}" 40 | become_flags: "{{ ansible_become_flags | default(omit) }}" 41 | become: yes 42 | shell: php occ config:system:set onlyoffice verify_peer_off --value=true --type=boolean 43 | args: 44 | chdir: /var/www/nextcloud/ 45 | when: ssl_certificate_type == 'selfsigned' 46 | 47 | - name: start a onlyoffice container 48 | docker_container: 49 | name: onlyoffice 50 | image: onlyoffice/documentserver 51 | state: started 52 | restart: yes 53 | restart_policy: always 54 | interactive: true 55 | tty: yes 56 | ports: 57 | - "{{ onlyoffice_ssl_port }}:443" 58 | env: 59 | ONLYOFFICE_HTTPS_HSTS_ENABLED: 'false' 60 | JWT_ENABLED: 'true' 61 | JWT_SECRET: "{{ lookup('password', '{{ credential_store }}/onlyoffice_secret chars=ascii_letters,digits length=32') }}" 62 | volumes: '{{ onlyoffice_volumes[ssl_certificate_type] }}' 63 | 64 | - name: open ufw firewall 65 | include_role: 66 | name: prep_ufw 67 | vars: 68 | ufw_rules: 69 | - { port: '{{ onlyoffice_ssl_port }}', rule: allow } 70 | when: ansible_os_family == "Debian" or ansible_os_family == "Ubuntu" 71 | 72 | - name: open firewalld 73 | firewalld: 74 | port: "{{ item }}" 75 | permanent: true 76 | immediate: true 77 | state: enabled 78 | with_items: 79 | - '{{ onlyoffice_ssl_port }}/tcp' 80 | when: ansible_os_family == "Redhat" 81 | 82 | -------------------------------------------------------------------------------- /roles/prep_onlyoffice/vars/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # vars file for prep_onlyoffice 3 | 4 | onlyoffice_volumes: 5 | selfsigned: 6 | - '/etc/nginx/certs/key.pem:/var/www/onlyoffice/Data/certs/onlyoffice.key:ro' 7 | - '/etc/nginx/certs/cert.pem:/var/www/onlyoffice/Data/certs/onlyoffice.crt:ro' 8 | - '{{ dhparam_path 
}}:/var/www/onlyoffice/Data/certs/dhparam.pem:ro' 9 | letsencrypt: 10 | - '/etc/letsencrypt/live/{{ fqdn }}/privkey.pem:/var/www/onlyoffice/Data/certs/onlyoffice.key:ro' 11 | - '/etc/letsencrypt/live/{{ fqdn }}/fullchain.pem:/var/www/onlyoffice/Data/certs/onlyoffice.crt:ro' 12 | - '{{ dhparam_path }}:/var/www/onlyoffice/Data/certs/dhparam.pem:ro' -------------------------------------------------------------------------------- /roles/prep_os/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # defaults file for prep_os -------------------------------------------------------------------------------- /roles/prep_os/files/disable-transparent-huge-pages.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Disable Transparent Huge Pages 3 | DefaultDependencies=no 4 | After=sysinit.target local-fs.target 5 | Before=basic.target 6 | 7 | [Service] 8 | Type=oneshot 9 | ExecStart=/bin/sh -c '/bin/echo never > /sys/kernel/mm/transparent_hugepage/enabled' 10 | ExecStart=/bin/sh -c '/bin/echo never > /sys/kernel/mm/transparent_hugepage/defrag' 11 | 12 | [Install] 13 | WantedBy=basic.target 14 | -------------------------------------------------------------------------------- /roles/prep_os/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # handlers file for prep_os -------------------------------------------------------------------------------- /roles/prep_os/meta/main.yml: -------------------------------------------------------------------------------- 1 | galaxy_info: 2 | author: Reiner Nippes 3 | description: Basic os setup of nextcloud server 4 | company: nippes.it 5 | 6 | # If the issue tracker for your role is not on github, uncomment the 7 | # next line and provide a value 8 | # issue_tracker_url: http://example.com/issue/tracker 9 | 10 | # Some suggested licenses: 11 | # - BSD (default) 
12 | # - MIT 13 | # - GPLv2 14 | # - GPLv3 15 | # - Apache 16 | # - CC-BY 17 | license: MIT 18 | 19 | min_ansible_version: 2.4 20 | 21 | # If this a Container Enabled role, provide the minimum Ansible Container version. 22 | # min_ansible_container_version: 23 | 24 | # Optionally specify the branch Galaxy will use when accessing the GitHub 25 | # repo for this role. During role install, if no tags are available, 26 | # Galaxy will use this branch. During import Galaxy will access files on 27 | # this branch. If Travis integration is configured, only notifications for this 28 | # branch will be accepted. Otherwise, in all cases, the repo's default branch 29 | # (usually master) will be used. 30 | #github_branch: 31 | 32 | # 33 | # platforms is a list of platforms, and each platform has a name and a list of versions. 34 | # 35 | platforms: 36 | - name: Ubuntu 37 | versions: 38 | - 16 39 | 40 | galaxy_tags: [] 41 | # List tags for your role here, one per line. A tag is a keyword that describes 42 | # and categorizes the role. Users find roles by searching for tags. Be sure to 43 | # remove the '[]' above, if you add tags to this list. 44 | # 45 | # NOTE: A tag is limited to a single word comprised of alphanumeric characters. 46 | # Maximum 20 tags per role. 
47 | 48 | dependencies: 49 | - prep_nginx 50 | -------------------------------------------------------------------------------- /roles/prep_os/tasks/Amazon.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Amazon related tasks 3 | 4 | - name: add amazon epel repo 5 | shell: amazon-linux-extras install epel 6 | args: 7 | creates: /etc/yum.repos.d/amzn2-extras.repo 8 | 9 | - name: update os 10 | yum: 11 | name: '*' 12 | update_cache: true 13 | state: latest 14 | 15 | - name: install needed packages 16 | yum: 17 | name: 18 | - zip 19 | - unzip 20 | - bzip2 21 | - screen 22 | - curl 23 | - wget 24 | - perl-File-FcntlLock 25 | - ImageMagick 26 | - ghostscript 27 | - postfix 28 | - firewalld 29 | - facter 30 | - policycoreutils-python 31 | state: latest 32 | enablerepo: amzn2extra-epel 33 | -------------------------------------------------------------------------------- /roles/prep_os/tasks/CentOS.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # CentOS related tasks 3 | 4 | - name: add epel repo 5 | yum_repository: 6 | name: epel 7 | description: Extra Packages for Enterprise Linux 7 - $basearch 8 | mirrorlist: https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch 9 | gpgkey: https://getfedora.org/static/352C64E5.txt 10 | gpgcheck: yes 11 | failovermethod: priority 12 | enabled: 1 13 | 14 | - name: update os 15 | yum: 16 | name: '*' 17 | update_cache: true 18 | state: latest 19 | 20 | - name: install needed packages 21 | yum: 22 | name: 23 | - zip 24 | - unzip 25 | - bzip2 26 | - screen 27 | - curl 28 | - wget 29 | - perl-File-FcntlLock 30 | - ImageMagick 31 | - ghostscript 32 | - postfix 33 | - firewalld 34 | - facter 35 | - policycoreutils-python 36 | state: latest 37 | enablerepo: epel 38 | 39 | - name: remove unneeded packages 40 | yum: 41 | name: python-requests 42 | state: absent 43 | 44 | 
-------------------------------------------------------------------------------- /roles/prep_os/tasks/Debian.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Debian related OS tasks 3 | 4 | - name: apt dist-upgrade 5 | apt: 6 | upgrade: dist 7 | autoremove: true 8 | 9 | - name: install additional packages 10 | apt: 11 | name: 12 | - zip 13 | - unzip 14 | - bzip2 15 | - screen 16 | - curl 17 | - ffmpeg 18 | - imagemagick 19 | - ghostscript 20 | - libfile-fcntllock-perl 21 | - software-properties-common 22 | - apt-transport-https 23 | - facter 24 | state: latest 25 | -------------------------------------------------------------------------------- /roles/prep_os/tasks/Fedora.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Fedora related tasks 3 | 4 | - name: update os 5 | yum: 6 | name: '*' 7 | update_cache: true 8 | state: latest 9 | 10 | - name: install needed packages 11 | yum: 12 | name: 13 | - zip 14 | - unzip 15 | - bzip2 16 | - screen 17 | - curl 18 | - wget 19 | - cronie 20 | - perl-File-FcntlLock 21 | - ImageMagick 22 | - ghostscript 23 | - postfix 24 | - firewalld 25 | - facter 26 | - python3-policycoreutils 27 | state: latest 28 | enablerepo: epel 29 | 30 | - name: enable cronie 31 | systemd: 32 | name: 'crond.service' 33 | state: 'started' 34 | enabled: true -------------------------------------------------------------------------------- /roles/prep_os/tasks/Ubuntu.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Ubuntu related OS tasks 3 | 4 | - name: apt dist-upgrade 5 | apt: 6 | upgrade: dist 7 | autoremove: true 8 | 9 | - name: install additional packages 10 | apt: 11 | name: 12 | - zip 13 | - unzip 14 | - bzip2 15 | - screen 16 | - curl 17 | - ffmpeg 18 | - imagemagick 19 | - ghostscript 20 | - libfile-fcntllock-perl 21 | - language-pack-en-base 22 | - software-properties-common 23 | - facter 24 | 
state: latest 25 | -------------------------------------------------------------------------------- /roles/prep_os/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # tasks file for prep_os 3 | 4 | - name: include os specific tasks 5 | include_tasks: "{{ ansible_distribution }}.yml" 6 | 7 | - name: create some folders 8 | file: 9 | name: "{{ item.path }}" 10 | state: directory 11 | owner: "{{ item.owner }}" 12 | group: "{{ item.group }}" 13 | mode: "{{ item.mode }}" 14 | with_items: 15 | - { path: '/usr/local/tmp/apc', owner: '{{ web_user[ansible_distribution] }}', group: 'root', mode: '1777' } 16 | - { path: '/usr/local/tmp/sessions', owner: '{{ web_user[ansible_distribution] }}', group: 'root', mode: '1777' } 17 | - { path: '/usr/local/tmp/cache', owner: '{{ web_user[ansible_distribution] }}', group: 'root', mode: '1777' } 18 | 19 | - name: get uid of web_user 20 | user: 21 | name: "{{ web_user[ansible_distribution] }}" 22 | register: web_user_id 23 | 24 | - name: mount tmp fs 25 | mount: 26 | src: "tmpfs" 27 | path: "{{ item }}" 28 | fstype: tmpfs 29 | opts: "defaults,noatime,nosuid,nodev,noexec,mode=1777" 30 | passno: "0" 31 | state: mounted 32 | with_items: 33 | - /tmp 34 | - /var/tmp 35 | 36 | - name: mount tmp fs 37 | mount: 38 | src: "tmpfs" 39 | path: "{{ item }}" 40 | fstype: tmpfs 41 | opts: "defaults,uid={{ web_user_id.uid }},size=300M,noatime,nosuid,nodev,noexec,mode=1777" 42 | passno: "0" 43 | state: mounted 44 | with_items: 45 | - /usr/local/tmp/apc 46 | - /usr/local/tmp/cache 47 | - /usr/local/tmp/sessions 48 | 49 | - name: sysctl vm.overcommit_memory=1 50 | sysctl: 51 | name: vm.overcommit_memory 52 | value: "1" 53 | state: present 54 | reload: true 55 | sysctl_file: /etc/sysctl.conf 56 | 57 | - name: sysctl -w net.core.somaxconn=65535 58 | sysctl: 59 | name: net.core.somaxconn 60 | value: "65535" 61 | state: present 62 | reload: true 63 | sysctl_file: /etc/sysctl.conf 64 | 65 | - name: 
disable transparent hugepages - copy service file 66 | copy: 67 | src: disable-transparent-huge-pages.service 68 | dest: '{{ service_path[ansible_distribution] }}/disable-transparent-huge-pages.service' 69 | owner: root 70 | group: root 71 | mode: 0644 72 | 73 | - name: enable service disable-transparent-hugepages 74 | service: 75 | name: disable-transparent-huge-pages.service 76 | enabled: true 77 | state: started 78 | 79 | - name: create symbolic link to /usr/bin/gs 80 | file: 81 | src: /usr/bin/gs 82 | dest: /usr/local/bin/gs 83 | state: link 84 | 85 | - name: change ImageMagick settings 86 | lineinfile: 87 | path: '{{ imagemagick_xml_path[ansible_distribution] }}' 88 | line: ' ' 89 | regexp: '(.*)(.*)' 90 | insertbefore: '' 91 | loop: 92 | - PS 93 | - EPI 94 | - PDF 95 | - XPS 96 | -------------------------------------------------------------------------------- /roles/prep_os/vars/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # vars file for prep_os 3 | 4 | imagemagick_xml_path: 5 | CentOS: /etc/ImageMagick-6/policy.xml 6 | Fedora: /etc/ImageMagick-6/policy.xml 7 | Amazon: /etc/ImageMagick/policy.xml 8 | Ubuntu: /etc/ImageMagick-6/policy.xml 9 | Debian: /etc/ImageMagick-6/policy.xml 10 | 11 | service_path: 12 | CentOS: '/usr/lib/systemd/system' 13 | Fedora: '/usr/lib/systemd/system' 14 | Amazon: '/usr/lib/systemd/system' 15 | Ubuntu: '/lib/systemd/system' 16 | Debian: '/lib/systemd/system' 17 | -------------------------------------------------------------------------------- /roles/prep_php/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # defaults file for prep_php -------------------------------------------------------------------------------- /roles/prep_php/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # handlers file for prep_php 3 | 4 | - name: restart php-fpm 5 | systemd: 
6 | name: "{{ php_service_name[ansible_distribution] }}" 7 | state: restarted 8 | -------------------------------------------------------------------------------- /roles/prep_php/meta/main.yml: -------------------------------------------------------------------------------- 1 | galaxy_info: 2 | author: Reiner Nippes 3 | description: Basic setup of php 7.x for nextcloud 4 | company: nippes.it 5 | 6 | # If the issue tracker for your role is not on github, uncomment the 7 | # next line and provide a value 8 | # issue_tracker_url: http://example.com/issue/tracker 9 | 10 | # Some suggested licenses: 11 | # - BSD (default) 12 | # - MIT 13 | # - GPLv2 14 | # - GPLv3 15 | # - Apache 16 | # - CC-BY 17 | license: MIT 18 | 19 | min_ansible_version: 2.4 20 | 21 | # If this a Container Enabled role, provide the minimum Ansible Container version. 22 | # min_ansible_container_version: 23 | 24 | # Optionally specify the branch Galaxy will use when accessing the GitHub 25 | # repo for this role. During role install, if no tags are available, 26 | # Galaxy will use this branch. During import Galaxy will access files on 27 | # this branch. If Travis integration is configured, only notifications for this 28 | # branch will be accepted. Otherwise, in all cases, the repo's default branch 29 | # (usually master) will be used. 30 | #github_branch: 31 | 32 | # 33 | # platforms is a list of platforms, and each platform has a name and a list of versions. 34 | # 35 | platforms: 36 | - name: Ubuntu 37 | versions: 38 | - 16 39 | 40 | galaxy_tags: [] 41 | # List tags for your role here, one per line. A tag is a keyword that describes 42 | # and categorizes the role. Users find roles by searching for tags. Be sure to 43 | # remove the '[]' above, if you add tags to this list. 44 | # 45 | # NOTE: A tag is limited to a single word comprised of alphanumeric characters. 46 | # Maximum 20 tags per role. 47 | 48 | dependencies: [] 49 | # List your role dependencies here, one per line. 
Be sure to remove the '[]' above, 50 | # if you add dependencies to this list. -------------------------------------------------------------------------------- /roles/prep_php/tasks/Amazon.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: install amazon php7.3 3 | shell: amazon-linux-extras install php{{ php_version }} 4 | args: 5 | creates: /usr/bin/php 6 | 7 | - name: update os 8 | yum: 9 | name: '*' 10 | update_cache: true 11 | state: latest 12 | 13 | - name: install needed packages 14 | yum: 15 | name: 16 | - php 17 | - php-cli 18 | - php-fpm 19 | - php-gd 20 | - php-{% if nc_db_type == 'mysql' %}mysqlnd{% elif nc_db_type == 'pgsql' %}pgsql{% endif %} 21 | - php-curl 22 | - php-xml 23 | - php-intl 24 | - php-mbstring 25 | - php-json 26 | - php-bz2 27 | - php-redis 28 | - php-pecl-imagick 29 | - php-common 30 | - php-gmp 31 | - php-intl 32 | - php-ldap 33 | - php-opcache 34 | - php-pear 35 | - php-pdo 36 | - php-pecl-apcu 37 | - php-pecl-zip 38 | state: latest 39 | 40 | - name: configure php 41 | copy: 42 | src: "{{ item.file }}" 43 | dest: "{{ item.dest }}" 44 | owner: root 45 | group: root 46 | mode: 0644 47 | force: true 48 | with_items: 49 | - { file: '{{ ansible_distribution }}/cli.php.ini', dest: '{{ php_cli_conf_dir[ansible_distribution] }}/php-cli.ini' } 50 | notify: restart php-fpm 51 | 52 | - name: correct ownership /var/lib/php 53 | file: 54 | name: "{{ item.name }}" 55 | owner: "{{ item.owner }}" 56 | group: "{{ item.group }}" 57 | mode: 0770 58 | with_items: 59 | - { owner: nginx, group: nginx, name: '/var/lib/php/session' } 60 | - { owner: root, group: nginx, name: '/var/lib/php/wsdlcache' } 61 | - { owner: root, group: nginx, name: '/var/lib/php/opcache' } 62 | - { owner: root, group: nginx, name: '/var/lib/php/peclxml' } 63 | 64 | - name: replace opcache.max_accelerated_files=4000 65 | lineinfile: 66 | path: /etc/php.d/10-opcache.ini 67 | regexp: '^opcache.max_accelerated_files=(.*)' 68 | 
line: 'opcache.max_accelerated_files=10000' 69 | backup: true 70 | notify: restart php-fpm 71 | 72 | - name: alias php 73 | copy: 74 | content: | 75 | #!/bin/bash 76 | alias php="php -c /etc/php-cli.ini" 77 | dest: /etc/profile.d/php-cli-ini.sh 78 | when: false 79 | -------------------------------------------------------------------------------- /roles/prep_php/tasks/CentOS.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: add php{{ php_version | replace(".","") }} repo 3 | yum_repository: 4 | name: remi-php{{ php_version | replace(".","") }} 5 | description: Remi's PHP {{ php_version | replace(".","") }} RPM repository for Enterprise Linux {{ ansible_distribution_major_version|int }} - $basearch 6 | mirrorlist: https://rpms.remirepo.net/enterprise/{{ ansible_distribution_major_version|int }}/php{{ php_version | replace(".","") }}/httpsmirror 7 | gpgkey: http://rpms.remirepo.net/RPM-GPG-KEY-remi 8 | gpgcheck: yes 9 | enabled: 1 10 | 11 | - name: add remi safe repo 12 | yum_repository: 13 | name: remi-safe 14 | description: Safe Remi’s RPM repository for Enterprise Linux $releasever - $basearch 15 | mirrorlist: http://rpms.remirepo.net/enterprise/$releasever/safe/mirror 16 | gpgkey: http://rpms.remirepo.net/RPM-GPG-KEY-remi 17 | gpgcheck: yes 18 | enabled: 1 19 | 20 | - name: add remi repo 21 | yum_repository: 22 | name: remi 23 | description: Remi’s RPM repository for Enterprise Linux $releasever - $basearch 24 | mirrorlist: http://rpms.remirepo.net/enterprise/$releasever/remi/mirror 25 | gpgkey: http://rpms.remirepo.net/RPM-GPG-KEY-remi 26 | gpgcheck: yes 27 | enabled: 1 28 | 29 | - name: update os 30 | yum: 31 | name: '*' 32 | update_cache: true 33 | state: latest 34 | 35 | - name: install needed packages 36 | yum: 37 | name: 38 | - php-cli 39 | - php-fpm 40 | - php-gd 41 | - php-{% if nc_db_type == 'mysql' %}mysqlnd{% elif nc_db_type == 'pgsql' %}pgsql{% endif %} 42 | - php-curl 43 | - php-xml 44 | - 
php-intl 45 | - php-mbstring 46 | - php-json 47 | - php-bz2 48 | - php-smbclient 49 | - php-redis 50 | - php-pecl-imagick 51 | - php-common 52 | - php-gmp 53 | - php-intl 54 | - php-imap 55 | - php-ldap 56 | - php-opcache 57 | - php-mcrypt 58 | # - php-mysql 59 | - php-pear 60 | - php-pdo 61 | - php-pecl-apcu 62 | - php-pecl-zip 63 | state: latest 64 | 65 | - name: configure php 66 | copy: 67 | src: "{{ item.file }}" 68 | dest: "{{ item.dest }}" 69 | owner: root 70 | group: root 71 | mode: 0644 72 | force: true 73 | with_items: 74 | - { file: '{{ ansible_distribution }}/cli.php.ini', dest: '{{ php_cli_conf_dir[ansible_distribution] }}/php-cli.ini' } 75 | notify: restart php-fpm 76 | 77 | - name: correct ownership /var/lib/php 78 | file: 79 | name: "{{ item.name }}" 80 | owner: "{{ item.owner }}" 81 | group: "{{ item.group }}" 82 | mode: 0770 83 | with_items: 84 | - { owner: nginx, group: nginx, name: /var/lib/php/session } 85 | - { owner: root, group: nginx, name: /var/lib/php/wsdlcache } 86 | - { owner: root, group: nginx, name: /var/lib/php/opcache } 87 | 88 | - name: replace opcache.max_accelerated_files=4000 89 | lineinfile: 90 | path: /etc/php.d/10-opcache.ini 91 | regexp: '^opcache.max_accelerated_files=(.*)' 92 | line: 'opcache.max_accelerated_files=10000' 93 | backup: true 94 | notify: restart php-fpm 95 | 96 | - name: alias php 97 | copy: 98 | content: | 99 | #!/bin/bash 100 | alias php="php -c /etc/php-cli.ini" 101 | dest: /etc/profile.d/php-cli-ini.sh 102 | when: false 103 | -------------------------------------------------------------------------------- /roles/prep_php/tasks/Debian.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | # Debian related OS tasks 4 | 5 | - name: add sury.org/php key 6 | apt_key: 7 | url: https://packages.sury.org/php/apt.gpg 8 | state: present 9 | 10 | - name: add additional repos 11 | apt_repository: 12 | repo: 'deb https://packages.sury.org/php/ {{ 
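ansible_distribution_release }} main'
    validate_certs: true
    update_cache: true
    state: present

# NOTE(review): dist-upgrade here plus "state: latest" below turn every run
# into a potential unattended upgrade of the whole host; pin or schedule it
# if that is not intended.
- name: apt dist-upgrade
  apt:
    upgrade: dist
    autoremove: true

- name: install additional packages
  apt:
    name:
      - php{{ php_version }}-fpm
      - php{{ php_version }}-gd
      # resolved through php_db_extension (vars/main.yml) from nc_db_type
      - "{{ php_db_extension[nc_db_type] }}"
      - php{{ php_version }}-curl
      - php{{ php_version }}-xml
      - php{{ php_version }}-zip
      - php{{ php_version }}-intl
      - php{{ php_version }}-mbstring
      - php{{ php_version }}-json
      - php{{ php_version }}-bz2
      - php{{ php_version }}-ldap
      - php{{ php_version }}-bcmath
      - php{{ php_version }}-gmp
      - php-apcu
      - php-imagick
      - php-smbclient
      - php-redis
    autoremove: true
    state: latest


# CLI php.ini; the php-fpm php.ini is written by tasks/main.yml.
- name: configure php
  copy:
    src: "{{ item.file }}"
    dest: "{{ item.dest }}"
    owner: root
    group: root
    mode: 0644
    force: true
  with_items:
    - { file: '{{ ansible_distribution }}/cli.php.ini', dest: '{{ php_cli_conf_dir[ansible_distribution] }}/php.ini' }
  notify: restart php-fpm
-------------------------------------------------------------------------------- /roles/prep_php/tasks/Fedora.yml: --------------------------------------------------------------------------------
---

# NOTE(review): the release RPM is fetched by URL and installed directly.
# yum/dnf do not GPG-verify URL/local packages unless localpkg_gpgcheck is on,
# so this step trusts TLS alone; importing the Remi signing key with rpm_key
# beforehand (and enabling that check) would verify the package signature too.
- name: add php{{ php_version | replace(".","") }} repo
  yum:
    name: 'https://rpms.remirepo.net/fedora/remi-release-{{ ansible_distribution_major_version|int }}.rpm'
    state: present

# NOTE(review): full-system "latest" on every run; see the Debian file for
# the same remark.
- name: update os
  yum:
    name: '*'
    update_cache: true
    state: latest

- name: install needed packages
  yum:
    name:
      - php-cli
      - php-fpm
      - php-gd
      # mysqlnd or pgsql depending on nc_db_type
      - php-{% if nc_db_type == 'mysql' %}mysqlnd{% elif nc_db_type == 'pgsql' %}pgsql{% endif %}
      - php-curl
      - php-xml
      - php-intl
      - php-mbstring
      - php-json
      - php-bz2
      - php-smbclient
      - php-redis
      - php-pecl-imagick
      - php-common
      - php-gmp
      - php-imap
      - php-ldap
      - php-opcache
      # NOTE(review): mcrypt left PHP core in 7.2 and is not needed by
      # Nextcloud; confirm this package still resolves in the enabled repo
      # or drop it.
      - php-mcrypt
      - php-pear
      - php-pdo
      - php-pecl-apcu
      - php-pecl-zip
    state: latest
    # derived from php_version (e.g. "7.3" -> remi-php73) so the enabled repo
    # always matches the version the rest of the role is configured for
    enablerepo: remi-php{{ php_version | replace(".","") }}
    disablerepo: remi-php54

# NOTE(review): this writes /etc/php-cli.ini, but nothing consumes it while the
# "alias php" task below is disabled (when: false); the CLI keeps reading
# /etc/php.ini. Either enable the alias deliberately or install the file as
# the CLI's real ini.
- name: configure php
  copy:
    src: "{{ item.file }}"
    dest: "{{ item.dest }}"
    owner: root
    group: root
    mode: 0644
    force: true
  with_items:
    - { file: '{{ ansible_distribution }}/cli.php.ini', dest: '{{ php_cli_conf_dir[ansible_distribution] }}/php-cli.ini' }
  notify: restart php-fpm

# php-fpm runs as nginx here, so the session store is nginx-owned and the
# cache dirs are root-owned but group-writable for nginx (0770 keeps both
# closed to other users).
- name: correct ownership /var/lib/php
  file:
    name: "{{ item.name }}"
    owner: "{{ item.owner }}"
    group: "{{ item.group }}"
    mode: 0770
  with_items:
    - { owner: nginx, group: nginx, name: /var/lib/php/session }
    - { owner: root, group: nginx, name: /var/lib/php/wsdlcache }
    - { owner: root, group: nginx, name: /var/lib/php/opcache }

- name: replace opcache.max_accelerated_files=4000
  lineinfile:
    path: /etc/php.d/10-opcache.ini
    regexp: '^opcache.max_accelerated_files=(.*)'
    line: 'opcache.max_accelerated_files=10000'
    backup: true
  notify: restart php-fpm

# Dead task: "when: false" means it never runs. A profile.d alias would also
# only affect interactive shells (not cron or systemd), so it is not a reliable
# way to select a CLI ini anyway.
- name: alias php
  copy:
    content: |
      #!/bin/bash
      alias php="php -c /etc/php-cli.ini"
    dest: /etc/profile.d/php-cli-ini.sh
  when: false

- name: unmask tmp.mount
  systemd:
    name: tmp.mount
    masked: no
-------------------------------------------------------------------------------- /roles/prep_php/tasks/Ubuntu.yml: --------------------------------------------------------------------------------
---

# Ubuntu related OS tasks

# Full 40-hex fingerprint fetched over hkps; this key is what authenticates
# the PPA's signed Release file even though the repo URL below is plain http.
# NOTE(review): apt-key is deprecated on current Ubuntu releases; a
# signed-by keyring under /etc/apt/keyrings is the replacement.
- name: Add an apt key by id from a keyserver
  apt_key:
    keyserver: hkps://keyserver.ubuntu.com
    id: "{{ item }}"
  with_items:
    - 14AA40EC0831756756D7F66C4F4EA0AAE5267A6C

- name: add additional repos
  apt_repository:
    repo: 'deb http://ppa.launchpad.net/ondrej/php/ubuntu {{ ansible_distribution_release }} main'
    validate_certs: true
    update_cache: true
    state: present

# NOTE(review): unattended dist-upgrade on every run; see the Debian file.
- name: apt dist-upgrade
  apt:
    upgrade: dist
    autoremove: true

- name: install additional packages
  apt:
    name:
      - php{{ php_version }}-fpm
      - php{{ php_version }}-gd
      # resolved through php_db_extension (vars/main.yml) from nc_db_type
      - "{{ php_db_extension[nc_db_type] }}"
      - php{{ php_version }}-curl
      - php{{ php_version }}-xml
      - php{{ php_version }}-zip
      - php{{ php_version }}-intl
      - php{{ php_version }}-mbstring
      - php{{ php_version }}-json
      - php{{ php_version }}-bz2
      - php{{ php_version }}-ldap
      - php{{ php_version }}-bcmath
      - php{{ php_version }}-gmp
      - php-apcu
      - php-imagick
      - php-smbclient
      - php-redis
    autoremove: true
    state: latest

# CLI php.ini; the php-fpm php.ini is written by tasks/main.yml.
- name: configure php
  copy:
    src: "{{ item.file }}"
    dest: "{{ item.dest }}"
    owner: root
    group: root
    mode: 0644
    force: true
  with_items:
    - { file: '{{ ansible_distribution }}/cli.php.ini', dest: '{{ php_cli_conf_dir[ansible_distribution] }}/php.ini' }
  notify: restart php-fpm

- name: configure php postgres module
  copy:
    dest: /etc/php/{{ php_version }}/mods-available/pgsql.ini
    content: |
      # configuration for PHP PostgreSQL module
      extension=pgsql.so

      [PostgresSQL]
      pgsql.allow_persistent = On
      pgsql.auto_reset_persistent = Off
      pgsql.max_persistent = -1
      pgsql.max_links = -1
      pgsql.ignore_notice = 0
      pgsql.log_notice = 0
    owner: root
    group: root
    mode: 0644
  when: nc_db_type == 'pgsql'
  notify: restart php-fpm

# NOTE(review): the "mysql.*" directives below belong to the legacy ext/mysql
# (removed in PHP 7); as far as I can tell they have no effect on pdo_mysql,
# whose LOCAL INFILE behaviour is set per connection via
# PDO::MYSQL_ATTR_LOCAL_INFILE. If LOCAL INFILE is ever enabled for real,
# keep it off: it lets the server side request arbitrary client-readable
# files from the PHP host.
- name: configure php mysql module
  copy:
    dest: /etc/php/{{ php_version }}/mods-available/pdo_mysql.ini
    content: |
      # configuration for PHP MySQL module
      extension=pdo_mysql.so

      [mysql]
      mysql.allow_local_infile=On
      mysql.allow_persistent=On
      mysql.cache_size=2000
      mysql.max_persistent=-1
      mysql.max_links=-1
      mysql.default_port=
      mysql.default_socket=/var/lib/mysql/mysql.sock
      mysql.default_host=
      mysql.default_user=
      mysql.default_password=
      mysql.connect_timeout=60
      mysql.trace_mode=Off
    owner: root
    group: root
    mode: 0644
  when: nc_db_type == 'mysql'
  notify: restart php-fpm

-------------------------------------------------------------------------------- /roles/prep_php/tasks/main.yml: --------------------------------------------------------------------------------
---
# tasks file for prep_php

# Distribution-specific repo/package/ini steps: <ansible_distribution>.yml
- name: os specific path
  include_tasks: "{{ ansible_distribution }}.yml"

# php-fpm's php.ini (the CLI ini is handled in the distribution file).
# Task names are kept distinct so --start-at-task is unambiguous.
- name: configure php-fpm php.ini
  copy:
    src: "{{ item.file }}"
    dest: "{{ item.dest }}"
    owner: root
    group: root
    mode: 0644
    force: true
  with_items:
    - { file: '{{ ansible_distribution }}/fpm.php.ini', dest: '{{ php_fpm_conf_dir[ansible_distribution] }}/php.ini' }
  notify: restart php-fpm

# Rendered with template: so php-fpm.conf/www.conf may use {{ php_version }}.
- name: configure php-fpm pool and daemon config
  template:
    src: "{{ item.file }}"
    dest: "{{ item.dest }}"
    owner: root
    group: root
    mode: 0644
    force: true
  with_items:
    - { file: '{{ ansible_distribution }}/www.conf', dest: '{{ php_www_conf_dir[ansible_distribution] }}/www.conf' }
    - { file: '{{ ansible_distribution }}/php-fpm.conf', dest: '{{ php_fpm_conf_dir[ansible_distribution] }}/php-fpm.conf' }
  notify: restart php-fpm

- name: include selinux tasks
  include_tasks: selinux.yml
  when:
    - (ansible_os_family == "RedHat")
    - ('status' in ansible_selinux)
    - (ansible_selinux.status == "enabled")

# NOTE(review): "restarted" bounces php-fpm on every run (not idempotent) even
# though config changes already notify the restart handler; "started" would be
# the idempotent choice unless the unconditional restart is deliberate.
- name: enable php-fpm
  systemd:
    name: "{{ php_service_name[ansible_distribution] }}"
    state: restarted
    enabled: true
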
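-------------------------------------------------------------------------------- /roles/prep_php/tasks/selinux.yml: --------------------------------------------------------------------------------
---

# NOTE(review): this labels the whole of /tmp (recursively) as
# httpd_sys_rw_content_t, so php-fpm running in httpd_t gets read/write on
# every file any service drops in /tmp, not only PHP's own upload/session
# files. A dedicated upload directory with its own label keeps the grant
# narrower; if the wide label is intentional, record why here.
- name: selinux targets
  sefcontext:
    target: "{{ item }}"
    setype: httpd_sys_rw_content_t
    state: present
  with_items:
    - '/tmp(/.*)?'

# restorecon -v prints one line per file it relabels, so an empty stdout means
# nothing changed; without changed_when this task reported "changed" on every run.
- name: restorecon
  command: restorecon -Rv '{{ item }}'
  loop:
    - '/tmp'
  register: restorecon_result
  changed_when: restorecon_result.stdout | length > 0
-------------------------------------------------------------------------------- /roles/prep_php/templates/Amazon/php-fpm.conf: --------------------------------------------------------------------------------
;;;;;;;;;;;;;;;;;;;;;
; FPM Configuration ;
;;;;;;;;;;;;;;;;;;;;;

; All relative paths in this configuration file are relative to PHP's install
; prefix (/usr). This prefix can be dynamically changed by using the
; '-p' argument from the command line.

;;;;;;;;;;;;;;;;;;
; Global Options ;
;;;;;;;;;;;;;;;;;;

[global]
; Pid file
; Note: the default prefix is /var
; Default Value: none
pid = /run/php-fpm/php{{ php_version }}-fpm.pid

; Error log file
; If it's set to "syslog", log is sent to syslogd instead of being written
; into a local file.
; Note: the default prefix is /var
; Default Value: log/php-fpm.log
error_log = /var/log/php{{ php_version }}-fpm.log

; syslog_facility is used to specify what type of program is logging the
; message. This lets syslogd specify that messages from different facilities
; will be handled differently.
; See syslog(3) for possible values (ex daemon equiv LOG_DAEMON)
; Default Value: daemon
;syslog.facility = daemon

; syslog_ident is prepended to every message. If you have multiple FPM
; instances running on the same server, you can change the default value
; which must suit common needs.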
36 | ; Default Value: php-fpm 37 | ;syslog.ident = php-fpm 38 | 39 | ; Log level 40 | ; Possible Values: alert, error, warning, notice, debug 41 | ; Default Value: notice 42 | ;log_level = notice 43 | 44 | ; If this number of child processes exit with SIGSEGV or SIGBUS within the time 45 | ; interval set by emergency_restart_interval then FPM will restart. A value 46 | ; of '0' means 'Off'. 47 | ; Default Value: 0 48 | emergency_restart_threshold = 10 49 | 50 | ; Interval of time used by emergency_restart_interval to determine when 51 | ; a graceful restart will be initiated. This can be useful to work around 52 | ; accidental corruptions in an accelerator's shared memory. 53 | ; Available Units: s(econds), m(inutes), h(ours), or d(ays) 54 | ; Default Unit: seconds 55 | ; Default Value: 0 56 | emergency_restart_interval = 1m 57 | 58 | ; Time limit for child processes to wait for a reaction on signals from master. 59 | ; Available units: s(econds), m(inutes), h(ours), or d(ays) 60 | ; Default Unit: seconds 61 | ; Default Value: 0 62 | process_control_timeout = 10s 63 | 64 | ; The maximum number of processes FPM will fork. This has been designed to control 65 | ; the global number of processes when using dynamic PM within a lot of pools. 66 | ; Use it with caution. 67 | ; Note: A value of 0 indicates no limit 68 | ; Default Value: 0 69 | ; process.max = 128 70 | 71 | ; Specify the nice(2) priority to apply to the master process (only if set) 72 | ; The value can vary from -19 (highest priority) to 20 (lowest priority) 73 | ; Note: - It will only work if the FPM master process is launched as root 74 | ; - The pool process will inherit the master process priority 75 | ; unless specified otherwise 76 | ; Default Value: no set 77 | ; process.priority = -19 78 | 79 | ; Send FPM to background. Set to 'no' to keep FPM in foreground for debugging. 80 | ; Default Value: yes 81 | ;daemonize = yes 82 | 83 | ; Set open file descriptor rlimit for the master process. 
84 | ; Default Value: system defined value 85 | ;rlimit_files = 1024 86 | 87 | ; Set max core size rlimit for the master process. 88 | ; Possible Values: 'unlimited' or an integer greater or equal to 0 89 | ; Default Value: system defined value 90 | ;rlimit_core = 0 91 | 92 | ; Specify the event mechanism FPM will use. The following is available: 93 | ; - select (any POSIX os) 94 | ; - poll (any POSIX os) 95 | ; - epoll (linux >= 2.5.44) 96 | ; - kqueue (FreeBSD >= 4.1, OpenBSD >= 2.9, NetBSD >= 2.0) 97 | ; - /dev/poll (Solaris >= 7) 98 | ; - port (Solaris >= 10) 99 | ; Default Value: not set (auto detection) 100 | ;events.mechanism = epoll 101 | 102 | ; When FPM is built with systemd integration, specify the interval, 103 | ; in seconds, between health report notification to systemd. 104 | ; Set to 0 to disable. 105 | ; Available Units: s(econds), m(inutes), h(ours) 106 | ; Default Unit: seconds 107 | ; Default value: 10 108 | ;systemd_interval = 10 109 | 110 | ;;;;;;;;;;;;;;;;;;;; 111 | ; Pool Definitions ; 112 | ;;;;;;;;;;;;;;;;;;;; 113 | 114 | ; Multiple pools of child processes may be started with different listening 115 | ; ports and different management options. The name of the pool will be 116 | ; used in logs and stats. There is no limitation on the number of pools which 117 | ; FPM can handle. Your system will tell you anyway :) 118 | 119 | ; Include one or more files. If glob(3) exists, it is used to include a bunch of 120 | ; files from a glob(3) pattern. This directive can be used everywhere in the 121 | ; file. 122 | ; Relative path can also be used. 
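They will be prefixed by:
; - the global prefix if it's been set (-p argument)
; - /usr otherwise
include=/etc/php-fpm.d/*.conf
-------------------------------------------------------------------------------- /roles/prep_php/templates/CentOS/php-fpm.conf: --------------------------------------------------------------------------------
;;;;;;;;;;;;;;;;;;;;;
; FPM Configuration ;
;;;;;;;;;;;;;;;;;;;;;

; All relative paths in this configuration file are relative to PHP's install
; prefix (/usr). This prefix can be dynamically changed by using the
; '-p' argument from the command line.

;;;;;;;;;;;;;;;;;;
; Global Options ;
;;;;;;;;;;;;;;;;;;

[global]
; Pid file
; Note: the default prefix is /var
; Default Value: none
; Rendered by Ansible: php_version comes from the role variables, so the pid
; and log names follow the installed version like the other distro templates
; instead of a hard-coded 7.2.
pid = /run/php-fpm/php{{ php_version }}-fpm.pid

; Error log file
; If it's set to "syslog", log is sent to syslogd instead of being written
; into a local file.
; Note: the default prefix is /var
; Default Value: log/php-fpm.log
error_log = /var/log/php{{ php_version }}-fpm.log

; syslog_facility is used to specify what type of program is logging the
; message. This lets syslogd specify that messages from different facilities
; will be handled differently.
; See syslog(3) for possible values (ex daemon equiv LOG_DAEMON)
; Default Value: daemon
;syslog.facility = daemon

; syslog_ident is prepended to every message. If you have multiple FPM
; instances running on the same server, you can change the default value
; which must suit common needs.
; Default Value: php-fpm
;syslog.ident = php-fpm

; Log level
; Possible Values: alert, error, warning, notice, debug
; Default Value: notice
;log_level = notice

; If this number of child processes exit with SIGSEGV or SIGBUS within the time
; interval set by emergency_restart_interval then FPM will restart.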
A value 46 | ; of '0' means 'Off'. 47 | ; Default Value: 0 48 | emergency_restart_threshold = 10 49 | 50 | ; Interval of time used by emergency_restart_interval to determine when 51 | ; a graceful restart will be initiated. This can be useful to work around 52 | ; accidental corruptions in an accelerator's shared memory. 53 | ; Available Units: s(econds), m(inutes), h(ours), or d(ays) 54 | ; Default Unit: seconds 55 | ; Default Value: 0 56 | emergency_restart_interval = 1m 57 | 58 | ; Time limit for child processes to wait for a reaction on signals from master. 59 | ; Available units: s(econds), m(inutes), h(ours), or d(ays) 60 | ; Default Unit: seconds 61 | ; Default Value: 0 62 | process_control_timeout = 10s 63 | 64 | ; The maximum number of processes FPM will fork. This has been designed to control 65 | ; the global number of processes when using dynamic PM within a lot of pools. 66 | ; Use it with caution. 67 | ; Note: A value of 0 indicates no limit 68 | ; Default Value: 0 69 | ; process.max = 128 70 | 71 | ; Specify the nice(2) priority to apply to the master process (only if set) 72 | ; The value can vary from -19 (highest priority) to 20 (lowest priority) 73 | ; Note: - It will only work if the FPM master process is launched as root 74 | ; - The pool process will inherit the master process priority 75 | ; unless specified otherwise 76 | ; Default Value: no set 77 | ; process.priority = -19 78 | 79 | ; Send FPM to background. Set to 'no' to keep FPM in foreground for debugging. 80 | ; Default Value: yes 81 | ;daemonize = yes 82 | 83 | ; Set open file descriptor rlimit for the master process. 84 | ; Default Value: system defined value 85 | ;rlimit_files = 1024 86 | 87 | ; Set max core size rlimit for the master process. 88 | ; Possible Values: 'unlimited' or an integer greater or equal to 0 89 | ; Default Value: system defined value 90 | ;rlimit_core = 0 91 | 92 | ; Specify the event mechanism FPM will use. 
The following is available: 93 | ; - select (any POSIX os) 94 | ; - poll (any POSIX os) 95 | ; - epoll (linux >= 2.5.44) 96 | ; - kqueue (FreeBSD >= 4.1, OpenBSD >= 2.9, NetBSD >= 2.0) 97 | ; - /dev/poll (Solaris >= 7) 98 | ; - port (Solaris >= 10) 99 | ; Default Value: not set (auto detection) 100 | ;events.mechanism = epoll 101 | 102 | ; When FPM is built with systemd integration, specify the interval, 103 | ; in seconds, between health report notification to systemd. 104 | ; Set to 0 to disable. 105 | ; Available Units: s(econds), m(inutes), h(ours) 106 | ; Default Unit: seconds 107 | ; Default value: 10 108 | ;systemd_interval = 10 109 | 110 | ;;;;;;;;;;;;;;;;;;;; 111 | ; Pool Definitions ; 112 | ;;;;;;;;;;;;;;;;;;;; 113 | 114 | ; Multiple pools of child processes may be started with different listening 115 | ; ports and different management options. The name of the pool will be 116 | ; used in logs and stats. There is no limitation on the number of pools which 117 | ; FPM can handle. Your system will tell you anyway :) 118 | 119 | ; Include one or more files. If glob(3) exists, it is used to include a bunch of 120 | ; files from a glob(3) pattern. This directive can be used everywhere in the 121 | ; file. 122 | ; Relative path can also be used. They will be prefixed by: 123 | ; - the global prefix if it's been set (-p argument) 124 | ; - /usr otherwise 125 | include=/etc/php-fpm.d/*.conf 126 | -------------------------------------------------------------------------------- /roles/prep_php/templates/Debian/php-fpm.conf: -------------------------------------------------------------------------------- 1 | ;;;;;;;;;;;;;;;;;;;;; 2 | ; FPM Configuration ; 3 | ;;;;;;;;;;;;;;;;;;;;; 4 | 5 | ; All relative paths in this configuration file are relative to PHP's install 6 | ; prefix (/usr). This prefix can be dynamically changed by using the 7 | ; '-p' argument from the command line. 
8 | 9 | ;;;;;;;;;;;;;;;;;; 10 | ; Global Options ; 11 | ;;;;;;;;;;;;;;;;;; 12 | 13 | [global] 14 | ; Pid file 15 | ; Note: the default prefix is /var 16 | ; Default Value: none 17 | pid = /run/php/php{{ php_version }}-fpm.pid 18 | 19 | ; Error log file 20 | ; If it's set to "syslog", log is sent to syslogd instead of being written 21 | ; into a local file. 22 | ; Note: the default prefix is /var 23 | ; Default Value: log/php-fpm.log 24 | error_log = /var/log/php{{ php_version }}-fpm.log 25 | 26 | ; syslog_facility is used to specify what type of program is logging the 27 | ; message. This lets syslogd specify that messages from different facilities 28 | ; will be handled differently. 29 | ; See syslog(3) for possible values (ex daemon equiv LOG_DAEMON) 30 | ; Default Value: daemon 31 | ;syslog.facility = daemon 32 | 33 | ; syslog_ident is prepended to every message. If you have multiple FPM 34 | ; instances running on the same server, you can change the default value 35 | ; which must suit common needs. 36 | ; Default Value: php-fpm 37 | ;syslog.ident = php-fpm 38 | 39 | ; Log level 40 | ; Possible Values: alert, error, warning, notice, debug 41 | ; Default Value: notice 42 | ;log_level = notice 43 | 44 | ; If this number of child processes exit with SIGSEGV or SIGBUS within the time 45 | ; interval set by emergency_restart_interval then FPM will restart. A value 46 | ; of '0' means 'Off'. 47 | ; Default Value: 0 48 | emergency_restart_threshold = 10 49 | 50 | ; Interval of time used by emergency_restart_interval to determine when 51 | ; a graceful restart will be initiated. This can be useful to work around 52 | ; accidental corruptions in an accelerator's shared memory. 53 | ; Available Units: s(econds), m(inutes), h(ours), or d(ays) 54 | ; Default Unit: seconds 55 | ; Default Value: 0 56 | emergency_restart_interval = 1m 57 | 58 | ; Time limit for child processes to wait for a reaction on signals from master. 
59 | ; Available units: s(econds), m(inutes), h(ours), or d(ays) 60 | ; Default Unit: seconds 61 | ; Default Value: 0 62 | process_control_timeout = 10s 63 | 64 | ; The maximum number of processes FPM will fork. This has been designed to control 65 | ; the global number of processes when using dynamic PM within a lot of pools. 66 | ; Use it with caution. 67 | ; Note: A value of 0 indicates no limit 68 | ; Default Value: 0 69 | ; process.max = 128 70 | 71 | ; Specify the nice(2) priority to apply to the master process (only if set) 72 | ; The value can vary from -19 (highest priority) to 20 (lowest priority) 73 | ; Note: - It will only work if the FPM master process is launched as root 74 | ; - The pool process will inherit the master process priority 75 | ; unless specified otherwise 76 | ; Default Value: no set 77 | ; process.priority = -19 78 | 79 | ; Send FPM to background. Set to 'no' to keep FPM in foreground for debugging. 80 | ; Default Value: yes 81 | ;daemonize = yes 82 | 83 | ; Set open file descriptor rlimit for the master process. 84 | ; Default Value: system defined value 85 | ;rlimit_files = 1024 86 | 87 | ; Set max core size rlimit for the master process. 88 | ; Possible Values: 'unlimited' or an integer greater or equal to 0 89 | ; Default Value: system defined value 90 | ;rlimit_core = 0 91 | 92 | ; Specify the event mechanism FPM will use. The following is available: 93 | ; - select (any POSIX os) 94 | ; - poll (any POSIX os) 95 | ; - epoll (linux >= 2.5.44) 96 | ; - kqueue (FreeBSD >= 4.1, OpenBSD >= 2.9, NetBSD >= 2.0) 97 | ; - /dev/poll (Solaris >= 7) 98 | ; - port (Solaris >= 10) 99 | ; Default Value: not set (auto detection) 100 | ;events.mechanism = epoll 101 | 102 | ; When FPM is built with systemd integration, specify the interval, 103 | ; in seconds, between health report notification to systemd. 104 | ; Set to 0 to disable. 
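; Available Units: s(econds), m(inutes), h(ours)
; Default Unit: seconds
; Default value: 10
;systemd_interval = 10

;;;;;;;;;;;;;;;;;;;;
; Pool Definitions ;
;;;;;;;;;;;;;;;;;;;;

; Multiple pools of child processes may be started with different listening
; ports and different management options. The name of the pool will be
; used in logs and stats. There is no limitation on the number of pools which
; FPM can handle. Your system will tell you anyway :)

; Include one or more files. If glob(3) exists, it is used to include a bunch of
; files from a glob(3) pattern. This directive can be used everywhere in the
; file.
; Relative path can also be used. They will be prefixed by:
; - the global prefix if it's been set (-p argument)
; - /usr otherwise
include=/etc/php/{{ php_version }}/fpm/pool.d/*.conf
-------------------------------------------------------------------------------- /roles/prep_php/templates/Fedora/php-fpm.conf: --------------------------------------------------------------------------------
;;;;;;;;;;;;;;;;;;;;;
; FPM Configuration ;
;;;;;;;;;;;;;;;;;;;;;

; All relative paths in this configuration file are relative to PHP's install
; prefix (/usr). This prefix can be dynamically changed by using the
; '-p' argument from the command line.

;;;;;;;;;;;;;;;;;;
; Global Options ;
;;;;;;;;;;;;;;;;;;

[global]
; Pid file
; Note: the default prefix is /var
; Default Value: none
; Rendered by Ansible: php_version comes from the role variables, so the pid
; and log names follow the installed version (the Fedora task file enables a
; remi-php repo for that same version) instead of a hard-coded 7.2.
pid = /run/php-fpm/php{{ php_version }}-fpm.pid

; Error log file
; If it's set to "syslog", log is sent to syslogd instead of being written
; into a local file.
; Note: the default prefix is /var
; Default Value: log/php-fpm.log
error_log = /var/log/php{{ php_version }}-fpm.log

; syslog_facility is used to specify what type of program is logging the
; message.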
This lets syslogd specify that messages from different facilities 28 | ; will be handled differently. 29 | ; See syslog(3) for possible values (ex daemon equiv LOG_DAEMON) 30 | ; Default Value: daemon 31 | ;syslog.facility = daemon 32 | 33 | ; syslog_ident is prepended to every message. If you have multiple FPM 34 | ; instances running on the same server, you can change the default value 35 | ; which must suit common needs. 36 | ; Default Value: php-fpm 37 | ;syslog.ident = php-fpm 38 | 39 | ; Log level 40 | ; Possible Values: alert, error, warning, notice, debug 41 | ; Default Value: notice 42 | ;log_level = notice 43 | 44 | ; If this number of child processes exit with SIGSEGV or SIGBUS within the time 45 | ; interval set by emergency_restart_interval then FPM will restart. A value 46 | ; of '0' means 'Off'. 47 | ; Default Value: 0 48 | emergency_restart_threshold = 10 49 | 50 | ; Interval of time used by emergency_restart_interval to determine when 51 | ; a graceful restart will be initiated. This can be useful to work around 52 | ; accidental corruptions in an accelerator's shared memory. 53 | ; Available Units: s(econds), m(inutes), h(ours), or d(ays) 54 | ; Default Unit: seconds 55 | ; Default Value: 0 56 | emergency_restart_interval = 1m 57 | 58 | ; Time limit for child processes to wait for a reaction on signals from master. 59 | ; Available units: s(econds), m(inutes), h(ours), or d(ays) 60 | ; Default Unit: seconds 61 | ; Default Value: 0 62 | process_control_timeout = 10s 63 | 64 | ; The maximum number of processes FPM will fork. This has been designed to control 65 | ; the global number of processes when using dynamic PM within a lot of pools. 66 | ; Use it with caution. 
67 | ; Note: A value of 0 indicates no limit 68 | ; Default Value: 0 69 | ; process.max = 128 70 | 71 | ; Specify the nice(2) priority to apply to the master process (only if set) 72 | ; The value can vary from -19 (highest priority) to 20 (lowest priority) 73 | ; Note: - It will only work if the FPM master process is launched as root 74 | ; - The pool process will inherit the master process priority 75 | ; unless specified otherwise 76 | ; Default Value: no set 77 | ; process.priority = -19 78 | 79 | ; Send FPM to background. Set to 'no' to keep FPM in foreground for debugging. 80 | ; Default Value: yes 81 | ;daemonize = yes 82 | 83 | ; Set open file descriptor rlimit for the master process. 84 | ; Default Value: system defined value 85 | ;rlimit_files = 1024 86 | 87 | ; Set max core size rlimit for the master process. 88 | ; Possible Values: 'unlimited' or an integer greater or equal to 0 89 | ; Default Value: system defined value 90 | ;rlimit_core = 0 91 | 92 | ; Specify the event mechanism FPM will use. The following is available: 93 | ; - select (any POSIX os) 94 | ; - poll (any POSIX os) 95 | ; - epoll (linux >= 2.5.44) 96 | ; - kqueue (FreeBSD >= 4.1, OpenBSD >= 2.9, NetBSD >= 2.0) 97 | ; - /dev/poll (Solaris >= 7) 98 | ; - port (Solaris >= 10) 99 | ; Default Value: not set (auto detection) 100 | ;events.mechanism = epoll 101 | 102 | ; When FPM is built with systemd integration, specify the interval, 103 | ; in seconds, between health report notification to systemd. 104 | ; Set to 0 to disable. 105 | ; Available Units: s(econds), m(inutes), h(ours) 106 | ; Default Unit: seconds 107 | ; Default value: 10 108 | ;systemd_interval = 10 109 | 110 | ;;;;;;;;;;;;;;;;;;;; 111 | ; Pool Definitions ; 112 | ;;;;;;;;;;;;;;;;;;;; 113 | 114 | ; Multiple pools of child processes may be started with different listening 115 | ; ports and different management options. The name of the pool will be 116 | ; used in logs and stats. 
There is no limitation on the number of pools which 117 | ; FPM can handle. Your system will tell you anyway :) 118 | 119 | ; Include one or more files. If glob(3) exists, it is used to include a bunch of 120 | ; files from a glob(3) pattern. This directive can be used everywhere in the 121 | ; file. 122 | ; Relative path can also be used. They will be prefixed by: 123 | ; - the global prefix if it's been set (-p argument) 124 | ; - /usr otherwise 125 | include=/etc/php-fpm.d/*.conf 126 | -------------------------------------------------------------------------------- /roles/prep_php/templates/Ubuntu/php-fpm.conf: -------------------------------------------------------------------------------- 1 | ;;;;;;;;;;;;;;;;;;;;; 2 | ; FPM Configuration ; 3 | ;;;;;;;;;;;;;;;;;;;;; 4 | 5 | ; All relative paths in this configuration file are relative to PHP's install 6 | ; prefix (/usr). This prefix can be dynamically changed by using the 7 | ; '-p' argument from the command line. 8 | 9 | ;;;;;;;;;;;;;;;;;; 10 | ; Global Options ; 11 | ;;;;;;;;;;;;;;;;;; 12 | 13 | [global] 14 | ; Pid file 15 | ; Note: the default prefix is /var 16 | ; Default Value: none 17 | pid = /run/php/php{{ php_version }}-fpm.pid 18 | 19 | ; Error log file 20 | ; If it's set to "syslog", log is sent to syslogd instead of being written 21 | ; into a local file. 22 | ; Note: the default prefix is /var 23 | ; Default Value: log/php-fpm.log 24 | error_log = /var/log/php{{ php_version }}-fpm.log 25 | 26 | ; syslog_facility is used to specify what type of program is logging the 27 | ; message. This lets syslogd specify that messages from different facilities 28 | ; will be handled differently. 29 | ; See syslog(3) for possible values (ex daemon equiv LOG_DAEMON) 30 | ; Default Value: daemon 31 | ;syslog.facility = daemon 32 | 33 | ; syslog_ident is prepended to every message. 
If you have multiple FPM 34 | ; instances running on the same server, you can change the default value 35 | ; which must suit common needs. 36 | ; Default Value: php-fpm 37 | ;syslog.ident = php-fpm 38 | 39 | ; Log level 40 | ; Possible Values: alert, error, warning, notice, debug 41 | ; Default Value: notice 42 | ;log_level = notice 43 | 44 | ; If this number of child processes exit with SIGSEGV or SIGBUS within the time 45 | ; interval set by emergency_restart_interval then FPM will restart. A value 46 | ; of '0' means 'Off'. 47 | ; Default Value: 0 48 | emergency_restart_threshold = 10 49 | 50 | ; Interval of time used by emergency_restart_interval to determine when 51 | ; a graceful restart will be initiated. This can be useful to work around 52 | ; accidental corruptions in an accelerator's shared memory. 53 | ; Available Units: s(econds), m(inutes), h(ours), or d(ays) 54 | ; Default Unit: seconds 55 | ; Default Value: 0 56 | emergency_restart_interval = 1m 57 | 58 | ; Time limit for child processes to wait for a reaction on signals from master. 59 | ; Available units: s(econds), m(inutes), h(ours), or d(ays) 60 | ; Default Unit: seconds 61 | ; Default Value: 0 62 | process_control_timeout = 10s 63 | 64 | ; The maximum number of processes FPM will fork. This has been designed to control 65 | ; the global number of processes when using dynamic PM within a lot of pools. 66 | ; Use it with caution. 67 | ; Note: A value of 0 indicates no limit 68 | ; Default Value: 0 69 | ; process.max = 128 70 | 71 | ; Specify the nice(2) priority to apply to the master process (only if set) 72 | ; The value can vary from -19 (highest priority) to 20 (lowest priority) 73 | ; Note: - It will only work if the FPM master process is launched as root 74 | ; - The pool process will inherit the master process priority 75 | ; unless specified otherwise 76 | ; Default Value: no set 77 | ; process.priority = -19 78 | 79 | ; Send FPM to background. 
Set to 'no' to keep FPM in foreground for debugging. 80 | ; Default Value: yes 81 | ;daemonize = yes 82 | 83 | ; Set open file descriptor rlimit for the master process. 84 | ; Default Value: system defined value 85 | ;rlimit_files = 1024 86 | 87 | ; Set max core size rlimit for the master process. 88 | ; Possible Values: 'unlimited' or an integer greater or equal to 0 89 | ; Default Value: system defined value 90 | ;rlimit_core = 0 91 | 92 | ; Specify the event mechanism FPM will use. The following is available: 93 | ; - select (any POSIX os) 94 | ; - poll (any POSIX os) 95 | ; - epoll (linux >= 2.5.44) 96 | ; - kqueue (FreeBSD >= 4.1, OpenBSD >= 2.9, NetBSD >= 2.0) 97 | ; - /dev/poll (Solaris >= 7) 98 | ; - port (Solaris >= 10) 99 | ; Default Value: not set (auto detection) 100 | ;events.mechanism = epoll 101 | 102 | ; When FPM is built with systemd integration, specify the interval, 103 | ; in seconds, between health report notification to systemd. 104 | ; Set to 0 to disable. 105 | ; Available Units: s(econds), m(inutes), h(ours) 106 | ; Default Unit: seconds 107 | ; Default value: 10 108 | ;systemd_interval = 10 109 | 110 | ;;;;;;;;;;;;;;;;;;;; 111 | ; Pool Definitions ; 112 | ;;;;;;;;;;;;;;;;;;;; 113 | 114 | ; Multiple pools of child processes may be started with different listening 115 | ; ports and different management options. The name of the pool will be 116 | ; used in logs and stats. There is no limitation on the number of pools which 117 | ; FPM can handle. Your system will tell you anyway :) 118 | 119 | ; Include one or more files. If glob(3) exists, it is used to include a bunch of 120 | ; files from a glob(3) pattern. This directive can be used everywhere in the 121 | ; file. 122 | ; Relative path can also be used. 
They will be prefixed by: 123 | ; - the global prefix if it's been set (-p argument) 124 | ; - /usr otherwise 125 | include=/etc/php/{{ php_version }}/fpm/pool.d/*.conf 126 | -------------------------------------------------------------------------------- /roles/prep_php/vars/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # vars file for prep_php 3 | 4 | php_db_extension: 5 | mysql: php{{ php_version }}-mysql 6 | pgsql: php{{ php_version }}-pgsql 7 | 8 | php_service_name: 9 | CentOS: php-fpm 10 | Fedora: php-fpm 11 | Amazon: php-fpm 12 | Ubuntu: php{{ php_version }}-fpm 13 | Debian: php{{ php_version }}-fpm 14 | 15 | php_fpm_conf_dir: 16 | CentOS: /etc 17 | Fedora: /etc 18 | Amazon: /etc 19 | Ubuntu: /etc/php/{{ php_version }}/fpm 20 | Debian: /etc/php/{{ php_version }}/fpm 21 | 22 | php_cli_conf_dir: 23 | CentOS: /etc 24 | Fedora: /etc 25 | Amazon: /etc 26 | Ubuntu: /etc/php/{{ php_version }}/cli 27 | Debian: /etc/php/{{ php_version }}/cli 28 | 29 | php_www_conf_dir: 30 | CentOS: /etc/php-fpm.d 31 | Fedora: /etc/php-fpm.d 32 | Amazon: /etc/php-fpm.d 33 | Ubuntu: /etc/php/{{ php_version }}/fpm/pool.d 34 | Debian: /etc/php/{{ php_version }}/fpm/pool.d 35 | -------------------------------------------------------------------------------- /roles/prep_postgres/README.md: -------------------------------------------------------------------------------- 1 | Role Name 2 | ========= 3 | 4 | A brief description of the role goes here. 5 | 6 | Requirements 7 | ------------ 8 | 9 | Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. 
10 | 11 | Role Variables 12 | -------------- 13 | 14 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. 15 | 16 | Dependencies 17 | ------------ 18 | 19 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. 20 | 21 | Example Playbook 22 | ---------------- 23 | 24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: 25 | 26 | - hosts: servers 27 | roles: 28 | - { role: username.rolename, x: 42 } 29 | 30 | License 31 | ------- 32 | 33 | BSD 34 | 35 | Author Information 36 | ------------------ 37 | 38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed). 
39 | -------------------------------------------------------------------------------- /roles/prep_postgres/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # defaults file for prep_postgres 3 | 4 | postgresql_version: 10 5 | postgres_user: postgres 6 | pgdata: /var/lib/postgresql/data/pgdata -------------------------------------------------------------------------------- /roles/prep_postgres/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # handlers file for prep_postgres 3 | 4 | - name: restart postgresql 5 | service: name=postgresql state=restarted 6 | -------------------------------------------------------------------------------- /roles/prep_postgres/meta/main.yml: -------------------------------------------------------------------------------- 1 | galaxy_info: 2 | author: Reiner Nippes 3 | description: Bring up postgresql database for nextcloud 4 | company: nippes.it 5 | 6 | # If the issue tracker for your role is not on github, uncomment the 7 | # next line and provide a value 8 | # issue_tracker_url: http://example.com/issue/tracker 9 | 10 | # Some suggested licenses: 11 | # - BSD (default) 12 | # - MIT 13 | # - GPLv2 14 | # - GPLv3 15 | # - Apache 16 | # - CC-BY 17 | license: MIT 18 | 19 | min_ansible_version: 2.5 20 | 21 | # If this a Container Enabled role, provide the minimum Ansible Container version. 22 | min_ansible_container_version: 2.1 23 | 24 | # Optionally specify the branch Galaxy will use when accessing the GitHub 25 | # repo for this role. During role install, if no tags are available, 26 | # Galaxy will use this branch. During import Galaxy will access files on 27 | # this branch. If Travis integration is configured, only notifications for this 28 | # branch will be accepted. Otherwise, in all cases, the repo's default branch 29 | # (usually master) will be used. 
#github_branch:

#
# platforms is a list of platforms, and each platform has a name and a list of versions.
#
platforms:
  - name: Ubuntu
    versions:
      - 16

galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.

# prep_secrets runs before this role and fills nc_db_passwd when it is empty;
# tasks/main.yml passes that value to postgresql_user.
dependencies:
  - prep_secrets
-------------------------------------------------------------------------------- /roles/prep_postgres/tasks/Amazon.yml: --------------------------------------------------------------------------------
---
# Amazon Linux related OS tasks (the header previously said "CentOS"; the
# amazon-linux-extras step below is Amazon Linux specific)

# NOTE(review): the task name says "epel" but the command enables the
# postgresql extra. It also runs on every play and always reports "changed"
# because shell has no creates:/changed_when: guard — add one to keep the run
# idempotent.
- name: add amazon epel repo
  shell: amazon-linux-extras install postgresql{{ postgresql_version }}

- name: install postgres server
  yum:
    name:
      - postgresql-server
      - postgresql-contrib
    state: latest    # unpinned: each run may pull a newer package version

# psycopg2 is what the postgresql_* modules in tasks/main.yml need on the host.
- name: install psycopg2-binary
  pip:
    name:
      - psycopg2-binary
      - pexpect
    state: latest
  become: true

# initdb runs once: PG_VERSION only exists after a successful init, so
# creates: keeps a re-run from touching an existing cluster.
- name: 'init postgresql database'
  command: /usr/bin/postgresql-setup --initdb
  args:
    creates: /var/lib/pgsql/data/PG_VERSION
  become: yes

- name: ensure postgres is running
  systemd:
    name: postgresql
    enabled: true
    state: started

# Both templates set owner but no mode, so the rendered files keep whatever
# permissions initdb gave them (NOTE(review): initdb normally creates them
# 0600 — confirm, and set mode: explicitly if the files are ever recreated).
# The registered results drive the conditional restart further down.
- name: update postgresql authentication settings
  template:
    dest: '/var/lib/pgsql/data/pg_hba.conf'
    owner: postgres
    src: pg_hba.conf.j2
  register: pg_hba_conf

- name: apply postgresql general settings
  template:
    dest: '/var/lib/pgsql/data/postgresql.conf'
    owner: postgres
    src: postgresql.conf.j2
  register: pg_general_conf

- name: create unix socket directory
  file:
    path:
'/var/run/postgresql' 51 | state: directory 52 | owner: 'postgres' 53 | group: 'postgres' 54 | mode: 02775 55 | setype: 'postgresql_var_run_t' 56 | 57 | - name: configure postgresql tmpfiles.d 58 | template: 59 | src: 'postgresql.tmpfiles.d.j2' 60 | dest: '/usr/lib/tmpfiles.d/postgresql.conf' 61 | owner: 'root' 62 | group: 'root' 63 | mode: '0644' 64 | setype: 'lib_t' 65 | when: ansible_os_family == 'RedHat' and ansible_distribution_major_version == '7' 66 | 67 | - name: restart postgresql when authentication settings changed 68 | service: 69 | name: postgresql 70 | state: restarted 71 | when: pg_hba_conf is changed or pg_general_conf is changed 72 | register: postgresql_restart 73 | 74 | - name: wait for postgresql restart 75 | wait_for: 76 | host: localhost 77 | port: 5432 78 | when: postgresql_restart is changed 79 | -------------------------------------------------------------------------------- /roles/prep_postgres/tasks/CentOS.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # CentOS related OS tasks 3 | 4 | - name: add postgres repo 5 | yum: 6 | name: https://download.postgresql.org/pub/repos/yum/{{ postgresql_version }}/redhat/rhel-7-x86_64/pgdg-redhat-repo-latest.noarch.rpm 7 | state: present 8 | 9 | - name: install postgres server 10 | yum: 11 | name: 12 | - postgresql{{ postgresql_version }} 13 | - postgresql{{ postgresql_version }}-server 14 | - postgresql{{ postgresql_version }}-contrib 15 | state: latest 16 | 17 | - name: install psycopg2-binary 18 | pip: 19 | name: 20 | - psycopg2-binary 21 | - pexpect 22 | - pip 23 | state: latest 24 | become: true 25 | 26 | - name: 'init postgresql database' 27 | command: /usr/pgsql-{{ postgresql_version }}/bin/postgresql-{{ postgresql_version }}-setup initdb 28 | args: 29 | creates: /var/lib/pgsql/{{ postgresql_version }}/data/PG_VERSION 30 | become: yes 31 | 32 | - name: ensure postgres is running 33 | systemd: 34 | name: postgresql-{{ postgresql_version }} 35 | 
enabled: true 36 | state: started 37 | 38 | - name: update postgresql authentication settings 39 | template: 40 | dest: '/var/lib/pgsql/{{ postgresql_version }}/data/pg_hba.conf' 41 | owner: postgres 42 | src: pg_hba.conf.j2 43 | register: pg_hba_conf 44 | 45 | - name: apply postgresql general settings 46 | template: 47 | dest: '/var/lib/pgsql/{{ postgresql_version }}/data/postgresql.conf' 48 | owner: postgres 49 | src: postgresql.conf.j2 50 | register: pg_general_conf 51 | 52 | - name: create unix socket directory 53 | file: 54 | path: '/var/run/postgresql' 55 | state: directory 56 | owner: 'postgres' 57 | group: 'postgres' 58 | mode: 02775 59 | setype: 'postgresql_var_run_t' 60 | 61 | - name: configure postgresql tmpfiles.d 62 | template: 63 | src: 'postgresql.tmpfiles.d.j2' 64 | dest: '/usr/lib/tmpfiles.d/postgresql.conf' 65 | owner: 'root' 66 | group: 'root' 67 | mode: '0644' 68 | setype: 'lib_t' 69 | when: ansible_os_family == 'RedHat' and ansible_distribution_major_version == '7' 70 | 71 | - name: restart postgresql when authentication settings changed 72 | service: 73 | name: postgresql-{{ postgresql_version }} 74 | state: restarted 75 | when: pg_hba_conf is changed or pg_general_conf is changed 76 | register: postgresql_restart 77 | 78 | - name: wait for postgresql restart 79 | wait_for: 80 | host: localhost 81 | port: 5432 82 | when: postgresql_restart is changed 83 | -------------------------------------------------------------------------------- /roles/prep_postgres/tasks/Debian.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Debian related OS tasks 3 | 4 | - name: add postgres repo key 5 | apt_key: 6 | url: https://www.postgresql.org/media/keys/ACCC4CF8.asc 7 | state: present 8 | 9 | - name: add postgresql to sources list 10 | apt_repository: 11 | repo: "deb http://apt.postgresql.org/pub/repos/apt/ {{ ansible_distribution_release }}-pgdg main" 12 | validate_certs: true 13 | update_cache: true 14 | 
state: present 15 | 16 | - name: apt install postgresql-client with Update 17 | apt: 18 | name: 19 | - "postgresql-{{ postgresql_version }}" 20 | - "postgresql-client-{{ postgresql_version }}" 21 | - "postgresql-contrib-{{ postgresql_version }}" 22 | - "postgresql-server-dev-{{ postgresql_version }}" 23 | state: latest 24 | update_cache: true 25 | 26 | - name: install psycopg2 27 | pip: 28 | name: 29 | - psycopg2-binary 30 | - pip 31 | state: latest 32 | become: true 33 | 34 | - name: ensure postgres is running 35 | systemd: 36 | name: postgresql 37 | enabled: true 38 | state: started 39 | -------------------------------------------------------------------------------- /roles/prep_postgres/tasks/Fedora.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Fedora related OS tasks 3 | 4 | - name: add postgres repo 5 | yum: 6 | name: https://download.postgresql.org/pub/repos/yum/{{ postgresql_version }}/fedora/fedora-{{ ansible_distribution_major_version|int }}-x86_64/pgdg-fedora-repo-latest.noarch.rpm 7 | state: present 8 | 9 | - name: install postgres server 10 | yum: 11 | name: 12 | - postgresql{{ postgresql_version }} 13 | - postgresql{{ postgresql_version }}-server 14 | - postgresql{{ postgresql_version }}-contrib 15 | state: latest 16 | 17 | - name: install psycopg2-binary 18 | pip: 19 | name: 20 | - psycopg2-binary 21 | - pexpect 22 | - pip 23 | state: latest 24 | become: true 25 | 26 | - name: 'init postgresql database' 27 | command: /usr/pgsql-{{ postgresql_version }}/bin/postgresql-{{ postgresql_version }}-setup initdb 28 | args: 29 | creates: /var/lib/pgsql/{{ postgresql_version }}/data/PG_VERSION 30 | become: yes 31 | 32 | - name: ensure postgres is running 33 | systemd: 34 | name: postgresql-{{ postgresql_version }} 35 | enabled: true 36 | state: started 37 | 38 | - name: update postgresql authentication settings 39 | template: 40 | dest: '/var/lib/pgsql/{{ postgresql_version }}/data/pg_hba.conf' 41 | owner: 
postgres
    src: pg_hba.conf.j2
  register: pg_hba_conf

- name: apply postgresql general settings
  template:
    dest: '/var/lib/pgsql/{{ postgresql_version }}/data/postgresql.conf'
    owner: postgres
    src: postgresql.conf.j2
  register: pg_general_conf

# Socket directory for the first entry of unix_socket_directories in
# postgresql.conf.j2. NOTE(review): the path duplicates postgres_run_dir from
# vars/main.yml — using the variable here keeps the two from drifting apart.
# NOTE(review): 02775 is an unquoted leading-zero number; YAML reads it as an
# octal integer, which works here, but '02775' (quoted) is the unambiguous form.
# The setgid bit keeps new sockets in the postgres group.
- name: create unix socket directory
  file:
    path: '/var/run/postgresql'
    state: directory
    owner: 'postgres'
    group: 'postgres'
    mode: 02775
    setype: 'postgresql_var_run_t'

# EL7 only: have systemd-tmpfiles recreate the run dir at boot (it lives on a
# tmpfs). NOTE(review): the template applies 0755 while the task above applies
# 02775 — pick one so the directory mode does not change on reboot.
- name: configure postgresql tmpfiles.d
  template:
    src: 'postgresql.tmpfiles.d.j2'
    dest: '/usr/lib/tmpfiles.d/postgresql.conf'
    owner: 'root'
    group: 'root'
    mode: '0644'
    setype: 'lib_t'
  when: ansible_os_family == 'RedHat' and ansible_distribution_major_version == '7'

# A full restart is used for both files because postgresql.conf.j2 sets
# listen_addresses/port/shared_buffers, which a reload cannot apply; a pure
# pg_hba.conf change would only need a reload.
- name: restart postgresql when authentication settings changed
  service:
    name: postgresql-{{ postgresql_version }}
    state: restarted
  when: pg_hba_conf is changed or pg_general_conf is changed
  register: postgresql_restart

- name: wait for postgresql restart
  wait_for:
    host: localhost
    port: 5432
  when: postgresql_restart is changed
-------------------------------------------------------------------------------- /roles/prep_postgres/tasks/Ubuntu.yml: --------------------------------------------------------------------------------
---
# Ubuntu related OS tasks

# The PGDG signing key is fetched over HTTPS from postgresql.org.
# NOTE(review): apt_key adds it to the global keyring, so the key is trusted for
# every configured repository; a keyring referenced via signed-by in the repo
# line below would scope that trust to the PGDG repo only.
- name: add postgres repo key
  apt_key:
    url: https://www.postgresql.org/media/keys/ACCC4CF8.asc
    state: present

# Package integrity rests on the signature check against the key above, not
# on the transport; the repo line itself is plain http.
- name: add postgresql to sources list
  apt_repository:
    repo: "deb http://apt.postgresql.org/pub/repos/apt/ {{ ansible_distribution_release }}-pgdg main"
    validate_certs: true
    update_cache: true
    state: present

- name: apt install postgresql with update
  apt:
    name:
      - "postgresql-{{ postgresql_version }}"
      - "postgresql-client-{{ postgresql_version }}"
      - "postgresql-contrib-{{ postgresql_version }}"
      - "postgresql-server-dev-{{ postgresql_version }}"
    state: latest    # unpinned: each run may pull a newer package version
    update_cache: true

# psycopg2 is what the postgresql_* modules in tasks/main.yml need on the host.
- name: install psycopg2
  pip:
    name:
      - psycopg2-binary
      - pip
    state: latest
  become: true

- name: ensure postgres is running
  systemd:
    name: postgresql
    enabled: true
    state: started
  register: postgresql_start

- name: Wait for PostgreSQL to start if it wasnt
  wait_for:
    host: localhost
    port: 5432
  when: postgresql_start is changed
-------------------------------------------------------------------------------- /roles/prep_postgres/tasks/main.yml: --------------------------------------------------------------------------------
---
# tasks file for prep_postgres
#
# Entry point of the role: runs the distribution-specific install/init file,
# then creates the Nextcloud database and role and grants that role access to
# the one database. nc_db, nc_db_user and nc_db_passwd are not defined in this
# role (prep_secrets, listed in meta/main.yml, fills nc_db_passwd when empty).
# The become_user: postgres tasks rely on the "local all postgres peer" line in
# templates/pg_hba.conf.j2 to connect without a password.

- name: include os specific tasks
  include_tasks: "{{ ansible_distribution }}.yml"

- name: create {{ nc_db }} db
  postgresql_db:
    name: "{{ nc_db }}"
    state: present
    encoding: UTF-8
    template: template0    # template0 is needed when choosing an encoding explicitly
  become: yes
  become_user: postgres


- name: "Create {{ nc_db_user }} account"
  postgresql_user:
    # encrypted: yes stores a password hash, never the clear text, in the server.
    # NOTE(review): the hash type follows the server's password_encryption
    # setting, which templates/postgresql.conf.j2 does not set (PostgreSQL 10
    # defaults to md5). scram-sha-256 is the stronger option and the 'md5' lines
    # in pg_hba.conf.j2 still accept SCRAM-hashed roles on PostgreSQL 10+ —
    # confirm against the target version before changing.
    encrypted: yes
    db: "{{ nc_db }}"
    name: "{{ nc_db_user }}"
    password: "{{ nc_db_passwd }}"
  become: yes
  become_user: postgres

- name: "Grant all privileges on database {{ nc_db }} to {{ nc_db_user }}"
  postgresql_privs:
    db: "postgres"      # connect to the maintenance DB to issue the GRANT
    privs: ALL          # database-level ALL (CONNECT, CREATE, TEMP); not superuser
    type: database
    obj: "{{ nc_db }}"
    role: "{{ nc_db_user }}"
  become: yes
  become_user: postgres

-------------------------------------------------------------------------------- /roles/prep_postgres/templates/pg_hba.conf.j2: --------------------------------------------------------------------------------
# !!! This file managed by Ansible. Any local changes may be overwritten. !!!

# Database administrative login by UNIX sockets
# note: you may wish to restrict this further later
# 'peer' maps the connecting OS user to the database role of the same name, so
# only the postgres OS account gets the superuser role without a password.
# NOTE(review): the second line only does something if a database role named
# after the web server user exists; tasks/main.yml creates {{ nc_db_user }},
# not that role — confirm the intent.
local   all          postgres                                    peer
local   {{ nc_db }}  {{ web_user[ansible_distribution] }}        peer

# TYPE  DATABASE  USER  CIDR-ADDRESS                  METHOD
# Any other local OS user needs a database password, for any database.
local   all       all                                 md5
# TCP/IP clients are accepted only from the loopback ranges set in
# vars/main.yml; a client from any other address matches no line and is
# rejected. NOTE(review): postgresql.conf.j2 sets listen_addresses = '*', so
# the port is open on every interface and this file (plus the host firewall)
# is what keeps remote clients out; listen_addresses = 'localhost' would be
# the defence-in-depth setting for this loopback-only policy.
host    all       all   {{ postgres_allowed_ipv4 }}   md5
host    all       all   {{ postgres_allowed_ipv6 }}   md5
-------------------------------------------------------------------------------- /roles/prep_postgres/templates/postgresql.conf.j2: --------------------------------------------------------------------------------
# DB Version: 10
# OS Type: linux
# DB Type: web
# Total Memory (RAM): 2 GB
# CPUs num: 4
# Connections num: 10
# Data Storage: ssd
# source: https://pgtune.leopard.in.ua/#/
# NOTE(review): the values below are fixed for the 2 GB / 4 CPU profile above;
# they are not derived from the target host's facts.

max_connections = 100
shared_buffers = 512MB
effective_cache_size = 1536MB
maintenance_work_mem = 128MB
checkpoint_completion_target = 0.7
wal_buffers = 16MB
default_statistics_target = 100
random_page_cost = 1.1
effective_io_concurrency = 200
work_mem = 26214kB
min_wal_size = 1GB
max_wal_size = 2GB
max_worker_processes = 4
max_parallel_workers_per_gather = 2
max_parallel_workers = 4

# NOTE(review): '*' binds every interface although pg_hba.conf.j2 admits only
# loopback clients; 'localhost' would match that policy with less exposure.
listen_addresses = '*'
port = 5432

# First socket goes to the postgres-owned run dir the tasks create.
# NOTE(review): the second socket is placed in world-writable /tmp, which the
# PostgreSQL documentation describes as a local server-spoofing risk; keep it
# only if a client actually needs it.
unix_socket_directories = '{{ postgres_run_dir }}, /tmp'
dynamic_shared_memory_type = posix # the default is the first option


log_destination = 'stderr' # stderr output is captured by the collector below
logging_collector = on # Enable capturing of stderr and csvlog
log_directory = 'pg_log' # relative to the data directory
log_filename = 'postgresql-%a.log' # %a = weekday name, i.e. seven files in rotation
log_truncate_on_rotation = on # together with %a each file is overwritten after a week;
                              # ship logs elsewhere if they must outlive that window
log_rotation_age = 1d # rotate daily
log_rotation_size = 0 # no size-based rotation

log_line_prefix = '< %m >' # %m = timestamp with milliseconds
log_timezone = 'UTC'

# - Locale and Formatting -

datestyle = 'iso, mdy'
timezone = 'UTC'
lc_messages = 'en_US.UTF-8' # locale for system error message
lc_monetary = 'en_US.UTF-8' # locale for monetary formatting
lc_numeric = 'en_US.UTF-8' # locale for number formatting
lc_time = 'en_US.UTF-8' # locale for time formatting

default_text_search_config = 'pg_catalog.english'
-------------------------------------------------------------------------------- /roles/prep_postgres/templates/postgresql.tmpfiles.d.j2: --------------------------------------------------------------------------------
# Recreates the socket dir on boot (EL7 only, see tasks). NOTE(review): 0755
# differs from the 02775 applied by the 'create unix socket directory' task and
# systemd-tmpfiles may re-apply it on boot — align the two.
d {{ postgres_run_dir }} 0755 postgres postgres -
-------------------------------------------------------------------------------- /roles/prep_postgres/vars/main.yml: --------------------------------------------------------------------------------
---
# vars file for prep_postgres
# (role vars take precedence over inventory; override with extra vars)

postgres_run_dir: '/var/run/postgresql'   # socket dir used by postgresql.conf.j2 and the tmpfiles template
# Only these loopback ranges reach the host lines in pg_hba.conf.j2; widen them
# deliberately and together with a matching firewall rule.
postgres_allowed_ipv4: '127.0.0.1/32'
postgres_allowed_ipv6: '::1/128'

-------------------------------------------------------------------------------- /roles/prep_redis/README.md: --------------------------------------------------------------------------------
Role Name
=========

A brief description of the role goes here.

Requirements
------------

Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.

Role Variables
--------------

A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.)
should be mentioned here as well. 15 | 16 | Dependencies 17 | ------------ 18 | 19 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. 20 | 21 | Example Playbook 22 | ---------------- 23 | 24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: 25 | 26 | - hosts: servers 27 | roles: 28 | - { role: username.rolename, x: 42 } 29 | 30 | License 31 | ------- 32 | 33 | BSD 34 | 35 | Author Information 36 | ------------------ 37 | 38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed). 39 | -------------------------------------------------------------------------------- /roles/prep_redis/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # defaults file for prep_redis -------------------------------------------------------------------------------- /roles/prep_redis/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # handlers file for prep_redis 3 | 4 | - name: restart redis-server 5 | systemd: 6 | name: redis 7 | state: restarted 8 | -------------------------------------------------------------------------------- /roles/prep_redis/meta/main.yml: -------------------------------------------------------------------------------- 1 | galaxy_info: 2 | author: Reiner Nippes 3 | description: Basic setup of redis server for nextcloud 4 | company: nippes.it 5 | 6 | # If the issue tracker for your role is not on github, uncomment the 7 | # next line and provide a value 8 | # issue_tracker_url: http://example.com/issue/tracker 9 | 10 | # Some suggested licenses: 11 | # - BSD (default) 12 | # - MIT 13 | # - GPLv2 14 | # - GPLv3 15 | # - Apache 16 | # - CC-BY 17 | license: MIT 18 | 19 | 
min_ansible_version: 2.4 20 | 21 | # If this a Container Enabled role, provide the minimum Ansible Container version. 22 | # min_ansible_container_version: 23 | 24 | # Optionally specify the branch Galaxy will use when accessing the GitHub 25 | # repo for this role. During role install, if no tags are available, 26 | # Galaxy will use this branch. During import Galaxy will access files on 27 | # this branch. If Travis integration is configured, only notifications for this 28 | # branch will be accepted. Otherwise, in all cases, the repo's default branch 29 | # (usually master) will be used. 30 | #github_branch: 31 | 32 | # 33 | # platforms is a list of platforms, and each platform has a name and a list of versions. 34 | # 35 | platforms: 36 | - name: Ubuntu 37 | versions: 38 | - 16 39 | 40 | galaxy_tags: [] 41 | # List tags for your role here, one per line. A tag is a keyword that describes 42 | # and categorizes the role. Users find roles by searching for tags. Be sure to 43 | # remove the '[]' above, if you add tags to this list. 44 | # 45 | # NOTE: A tag is limited to a single word comprised of alphanumeric characters. 46 | # Maximum 20 tags per role. 47 | 48 | dependencies: [] 49 | # List your role dependencies here, one per line. Be sure to remove the '[]' above, 50 | # if you add dependencies to this list. 
-------------------------------------------------------------------------------- /roles/prep_redis/tasks/Amazon.yml: --------------------------------------------------------------------------------
---

# Amazon related tasks

- name: install needed packages
  yum:
    name: redis
    state: latest    # unpinned: each run may pull a newer package version
    enablerepo: amzn2extra-epel
-------------------------------------------------------------------------------- /roles/prep_redis/tasks/CentOS.yml: --------------------------------------------------------------------------------
---

# CentOS related tasks

# NOTE(review): enablerepo only switches on a repo that is already configured;
# nothing in this role installs EPEL, so it must come from elsewhere (prep_os?)
# — confirm, otherwise this task fails on a bare host.
- name: install needed packages
  yum:
    name: redis
    state: latest    # unpinned: each run may pull a newer package version
    enablerepo: epel
-------------------------------------------------------------------------------- /roles/prep_redis/tasks/Debian.yml: --------------------------------------------------------------------------------
---
# Debian related OS tasks (header previously said Ubuntu; the file is
# selected by ansible_distribution in tasks/main.yml)

- name: install additional packages
  apt:
    name: redis-server
    autoremove: true   # also drop packages that were only pulled in as dependencies
    state: latest      # unpinned: each run may pull a newer package version
-------------------------------------------------------------------------------- /roles/prep_redis/tasks/Fedora.yml: --------------------------------------------------------------------------------
---

# Fedora related tasks

# NOTE(review): redis ships in Fedora's own repositories and EPEL targets
# EL, not Fedora; enablerepo: epel will fail if no repo of that id is defined
# — confirm on a Fedora host.
- name: install needed packages
  yum:
    name: redis
    state: latest    # unpinned: each run may pull a newer package version
    enablerepo: epel
-------------------------------------------------------------------------------- /roles/prep_redis/tasks/Ubuntu.yml: --------------------------------------------------------------------------------
---
# Ubuntu related OS tasks

- name: install additional packages
  apt:
    name: redis-server
    autoremove: true   # also drop packages that were only pulled in as dependencies
    state: latest      # unpinned: each run may pull a newer package version
-------------------------------------------------------------------------------- /roles/prep_redis/tasks/main.yml: --------------------------------------------------------------------------------
---
# tasks file for prep_redis

4 | - name: include os specific tasks 5 | include_tasks: "{{ ansible_distribution }}.yml" 6 | 7 | - name: configure redis 8 | copy: 9 | src: redis.conf 10 | dest: "{{ redis_conf_path[ansible_distribution] }}/redis.conf" 11 | owner: root 12 | group: root 13 | mode: 0644 14 | force: true 15 | notify: restart redis-server 16 | 17 | - name: add user {{ web_user[ansible_distribution] }} to group redis 18 | user: 19 | name: "{{ web_user[ansible_distribution] }}" 20 | groups: redis 21 | 22 | - name: start and enable redis 23 | systemd: 24 | name: redis 25 | state: started 26 | enabled: true 27 | 28 | -------------------------------------------------------------------------------- /roles/prep_redis/vars/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # vars file for prep_redis 3 | 4 | redis_conf_path: 5 | CentOS: '/etc' 6 | Fedora: '/etc' 7 | Amazon: '/etc' 8 | Ubuntu: '/etc/redis' 9 | Debian: '/etc/redis' 10 | 11 | -------------------------------------------------------------------------------- /roles/prep_secrets/README.md: -------------------------------------------------------------------------------- 1 | Role Name 2 | ========= 3 | 4 | A brief description of the role goes here. 5 | 6 | Requirements 7 | ------------ 8 | 9 | Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. 10 | 11 | Role Variables 12 | -------------- 13 | 14 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. 
15 | 16 | Dependencies 17 | ------------ 18 | 19 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. 20 | 21 | Example Playbook 22 | ---------------- 23 | 24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: 25 | 26 | - hosts: servers 27 | roles: 28 | - { role: username.rolename, x: 42 } 29 | 30 | License 31 | ------- 32 | 33 | BSD 34 | 35 | Author Information 36 | ------------------ 37 | 38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed). 39 | -------------------------------------------------------------------------------- /roles/prep_secrets/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # defaults file for prep_secrets 3 | 4 | credential_store: /etc/nextcloud -------------------------------------------------------------------------------- /roles/prep_secrets/meta/main.yml: -------------------------------------------------------------------------------- 1 | galaxy_info: 2 | author: Reiner Nippes 3 | description: Basic setup of secrets from nextcloud 4 | company: nippes.it 5 | 6 | # If the issue tracker for your role is not on github, uncomment the 7 | # next line and provide a value 8 | # issue_tracker_url: http://example.com/issue/tracker 9 | 10 | # Some suggested licenses: 11 | # - BSD (default) 12 | # - MIT 13 | # - GPLv2 14 | # - GPLv3 15 | # - Apache 16 | # - CC-BY 17 | license: MIT 18 | 19 | min_ansible_version: 1.2 20 | 21 | # If this a Container Enabled role, provide the minimum Ansible Container version. 22 | # min_ansible_container_version: 23 | 24 | # Optionally specify the branch Galaxy will use when accessing the GitHub 25 | # repo for this role. 
During role install, if no tags are available, 26 | # Galaxy will use this branch. During import Galaxy will access files on 27 | # this branch. If Travis integration is configured, only notifications for this 28 | # branch will be accepted. Otherwise, in all cases, the repo's default branch 29 | # (usually master) will be used. 30 | #github_branch: 31 | 32 | # 33 | # platforms is a list of platforms, and each platform has a name and a list of versions. 34 | # 35 | platforms: 36 | - name: Ubuntu 37 | versions: 38 | - 16 39 | 40 | galaxy_tags: [] 41 | # List tags for your role here, one per line. A tag is a keyword that describes 42 | # and categorizes the role. Users find roles by searching for tags. Be sure to 43 | # remove the '[]' above, if you add tags to this list. 44 | # 45 | # NOTE: A tag is limited to a single word comprised of alphanumeric characters. 46 | # Maximum 20 tags per role. 47 | 48 | dependencies: [] 49 | # List your role dependencies here, one per line. Be sure to remove the '[]' above, 50 | # if you add dependencies to this list. 
-------------------------------------------------------------------------------- /roles/prep_secrets/tasks/main.yml: --------------------------------------------------------------------------------
---
# tasks file for prep_secrets
#
# Keeps generated credentials on the control node (delegate_to: localhost)
# under credential_store (defaults/main.yml: /etc/nextcloud) so that a re-run
# reuses the same database password instead of generating a new one.

- name: make sure {{ credential_store }} is available
  file:
    name: '{{ credential_store }}'
    owner: root
    # NOTE(review): ansible_env is a fact of the managed host, but this task is
    # delegated to localhost, so the remote SUDO_USER is used as a *local*
    # group name; the task fails if no such group exists on the control node.
    group: "{{ ansible_env.SUDO_USER | default('root') }}"
    # NOTE(review): 0775 makes the secret directory group-writable. The secret
    # file itself is created by the password lookup below (0600 in current
    # Ansible — confirm for the version in use), but any member of the group
    # can replace or delete it inside a group-writable directory; 0750 keeps
    # read access for the group without that.
    mode: 0775
    state: directory
  delegate_to: localhost

# The password lookup generates the value on the first run and persists it in
# {{ credential_store }}/database_secret; later runs read the file back. The
# chars/length options after the path control the generated string.
# NOTE(review): '{{ credential_store }}' is a moustache inside an expression
# that is already being templated (Ansible warns about nested templating);
# `credential_store ~ '/database_secret chars=ascii_letters,digits length=32'`
# gives the same path without it.
# NOTE(review): the when: clause errors when nc_db_passwd is undefined rather
# than empty; `nc_db_passwd | default('') == ''` covers both.
# NOTE(review): the fact value is a credential; `no_log: true` on this task
# keeps it out of verbose play output.
- name: generate db passwd if nc_db_passwd is empty
  set_fact:
    nc_db_passwd: "{{ lookup('password', '{{ credential_store }}/database_secret chars=ascii_letters,digits length=32') }}"
  when: nc_db_passwd == ''
-------------------------------------------------------------------------------- /roles/prep_secrets/vars/main.yml: --------------------------------------------------------------------------------
---
# vars file for prep_secrets
-------------------------------------------------------------------------------- /roles/prep_selfssl/README.md: --------------------------------------------------------------------------------
Role Name
=========

A brief description of the role goes here.

Requirements
------------

Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.

Role Variables
--------------

A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
15 | 16 | Dependencies 17 | ------------ 18 | 19 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. 20 | 21 | Example Playbook 22 | ---------------- 23 | 24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: 25 | 26 | - hosts: servers 27 | roles: 28 | - { role: username.rolename, x: 42 } 29 | 30 | License 31 | ------- 32 | 33 | BSD 34 | 35 | Author Information 36 | ------------------ 37 | 38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed). 39 | -------------------------------------------------------------------------------- /roles/prep_selfssl/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # defaults file for prep_selfssl 3 | 4 | fqdn: '' -------------------------------------------------------------------------------- /roles/prep_selfssl/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # handlers file for prep_selfssl -------------------------------------------------------------------------------- /roles/prep_selfssl/meta/main.yml: -------------------------------------------------------------------------------- 1 | galaxy_info: 2 | author: Reiner Nippes 3 | description: Basic setup of nextcloud ssl selfsigned 4 | company: nippes.it 5 | 6 | # If the issue tracker for your role is not on github, uncomment the 7 | # next line and provide a value 8 | # issue_tracker_url: http://example.com/issue/tracker 9 | 10 | # Some suggested licenses: 11 | # - BSD (default) 12 | # - MIT 13 | # - GPLv2 14 | # - GPLv3 15 | # - Apache 16 | # - CC-BY 17 | license: MIT 18 | 19 | min_ansible_version: 1.2 20 | 21 | # If this a Container Enabled role, provide the minimum Ansible Container 
version. 22 | # min_ansible_container_version: 23 | 24 | # Optionally specify the branch Galaxy will use when accessing the GitHub 25 | # repo for this role. During role install, if no tags are available, 26 | # Galaxy will use this branch. During import Galaxy will access files on 27 | # this branch. If Travis integration is configured, only notifications for this 28 | # branch will be accepted. Otherwise, in all cases, the repo's default branch 29 | # (usually master) will be used. 30 | #github_branch: 31 | 32 | # 33 | # platforms is a list of platforms, and each platform has a name and a list of versions. 34 | # 35 | platforms: 36 | - name: Ubuntu 37 | versions: 38 | - 16 39 | 40 | galaxy_tags: [] 41 | # List tags for your role here, one per line. A tag is a keyword that describes 42 | # and categorizes the role. Users find roles by searching for tags. Be sure to 43 | # remove the '[]' above, if you add tags to this list. 44 | # 45 | # NOTE: A tag is limited to a single word comprised of alphanumeric characters. 46 | # Maximum 20 tags per role. 
47 | 48 | dependencies: [] 49 | -------------------------------------------------------------------------------- /roles/prep_selfssl/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # tasks file for prep_selfssl 3 | 4 | - name: ensure "{{ dhparam_path | dirname }}" exists 5 | file: 6 | name: "{{ dhparam_path | dirname }}" 7 | owner: root 8 | group: root 9 | mode: 0755 10 | state: directory 11 | 12 | - name: use the pre-defined DH groups ffdhe4096 recommended by the IETF in [RFC 7919 https://tools.ietf.org/html/rfc7919] 13 | copy: 14 | dest: "{{ dhparam_path }}" 15 | owner: root 16 | group: root 17 | mode: 0644 18 | content: | 19 | -----BEGIN DH PARAMETERS----- 20 | MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz 21 | +8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a 22 | 87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 23 | YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi 24 | 7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD 25 | ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3 26 | 7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32 27 | nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e 28 | 8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx 29 | iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K 30 | zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI= 31 | -----END DH PARAMETERS----- 32 | 33 | - name: use ec2 public hostname if fqdn is not defined 34 | set_fact: 35 | fqdn: "{{ fqdn if ( fqdn ) else facter_ec2_metadata['public-hostname'] }}" 36 | when: facter_ec2_metadata is defined 37 | 38 | - name: use ansible_fqdn if fqdn is not defined 39 | set_fact: 40 | fqdn: "{{ fqdn if ( fqdn ) else ansible_fqdn }}" 41 | 42 | - name: create fake certificate directory 43 | file: 44 | dest: /etc/nginx/certs 45 | owner: root 46 | group: root 47 | mode: 0755 
48 | state: directory 49 | 50 | - name: install needed pip packages 51 | pip: 52 | name: 53 | - pyOpenSSL 54 | state: latest 55 | 56 | - name: generate an openssl private key with the default values 57 | openssl_privatekey: 58 | path: /etc/nginx/certs/key.pem 59 | 60 | - name: generate an openssl certificate signing request 61 | openssl_csr: 62 | path: /etc/nginx/certs/cert.csr 63 | privatekey_path: /etc/nginx/certs/key.pem 64 | common_name: "{{ fqdn }}" 65 | 66 | - name: Generate a Self Signed OpenSSL certificate 67 | openssl_certificate: 68 | path: /etc/nginx/certs/cert.pem 69 | privatekey_path: /etc/nginx/certs/key.pem 70 | csr_path: /etc/nginx/certs/cert.csr 71 | provider: selfsigned 72 | -------------------------------------------------------------------------------- /roles/prep_selfssl/vars/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # vars file for prep_selfssl -------------------------------------------------------------------------------- /roles/prep_talk/README.md: -------------------------------------------------------------------------------- 1 | Role Name 2 | ========= 3 | 4 | A brief description of the role goes here. 5 | 6 | Requirements 7 | ------------ 8 | 9 | Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. 10 | 11 | Role Variables 12 | -------------- 13 | 14 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. 
15 | 16 | Dependencies 17 | ------------ 18 | 19 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. 20 | 21 | Example Playbook 22 | ---------------- 23 | 24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: 25 | 26 | - hosts: servers 27 | roles: 28 | - { role: username.rolename, x: 42 } 29 | 30 | License 31 | ------- 32 | 33 | BSD 34 | 35 | Author Information 36 | ------------------ 37 | 38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed). 39 | -------------------------------------------------------------------------------- /roles/prep_talk/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # defaults file for prep_talk -------------------------------------------------------------------------------- /roles/prep_talk/files/centos_rpms/turnserver-4.5.0.7-0.el7.x86_64.rpm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReinerNippes/nextcloud/738dd14321c2e64a3463fbc2c03e8323ec89470b/roles/prep_talk/files/centos_rpms/turnserver-4.5.0.7-0.el7.x86_64.rpm -------------------------------------------------------------------------------- /roles/prep_talk/files/centos_rpms/turnserver-client-libs-4.5.0.7-0.el7.x86_64.rpm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReinerNippes/nextcloud/738dd14321c2e64a3463fbc2c03e8323ec89470b/roles/prep_talk/files/centos_rpms/turnserver-client-libs-4.5.0.7-0.el7.x86_64.rpm -------------------------------------------------------------------------------- /roles/prep_talk/files/centos_rpms/turnserver-utils-4.5.0.7-0.el7.x86_64.rpm: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/ReinerNippes/nextcloud/738dd14321c2e64a3463fbc2c03e8323ec89470b/roles/prep_talk/files/centos_rpms/turnserver-utils-4.5.0.7-0.el7.x86_64.rpm -------------------------------------------------------------------------------- /roles/prep_talk/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # handlers file for prep_talk 3 | 4 | - name: restart coturn 5 | listen: restart coturn 6 | systemd: 7 | name: coturn 8 | state: restarted 9 | 10 | - name: restart turnserver 11 | listen: restart turnserver 12 | systemd: 13 | name: turnserver 14 | state: restarted 15 | -------------------------------------------------------------------------------- /roles/prep_talk/meta/main.yml: -------------------------------------------------------------------------------- 1 | galaxy_info: 2 | author: Reiner Nippes 3 | description: Installs Nextcloud Talk 4 | company: nippes.it 5 | 6 | # If the issue tracker for your role is not on github, uncomment the 7 | # next line and provide a value 8 | # issue_tracker_url: http://example.com/issue/tracker 9 | 10 | # Some suggested licenses: 11 | # - BSD (default) 12 | # - MIT 13 | # - GPLv2 14 | # - GPLv3 15 | # - Apache 16 | # - CC-BY 17 | license: MIT 18 | 19 | min_ansible_version: 2.5 20 | 21 | # If this a Container Enabled role, provide the minimum Ansible Container version. 22 | # min_ansible_container_version: 23 | 24 | # Optionally specify the branch Galaxy will use when accessing the GitHub 25 | # repo for this role. During role install, if no tags are available, 26 | # Galaxy will use this branch. During import Galaxy will access files on 27 | # this branch. If Travis integration is configured, only notifications for this 28 | # branch will be accepted. Otherwise, in all cases, the repo's default branch 29 | # (usually master) will be used. 
30 | #github_branch: 31 | 32 | # 33 | # platforms is a list of platforms, and each platform has a name and a list of versions. 34 | # 35 | platforms: 36 | - name: Ubuntu 37 | versions: 38 | - 16 39 | 40 | galaxy_tags: [] 41 | # List tags for your role here, one per line. A tag is a keyword that describes 42 | # and categorizes the role. Users find roles by searching for tags. Be sure to 43 | # remove the '[]' above, if you add tags to this list. 44 | # 45 | # NOTE: A tag is limited to a single word comprised of alphanumeric characters. 46 | # Maximum 20 tags per role. 47 | 48 | dependencies: 49 | - prep_secrets 50 | -------------------------------------------------------------------------------- /roles/prep_talk/tasks/CentOS.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # CentOS related OS tasks 3 | 4 | - name: install coturn 5 | yum: 6 | name: 7 | - "{{ role_path }}/files/centos_rpms/turnserver-4.5.0.7-0.el7.x86_64.rpm" 8 | - "{{ role_path }}/files/centos_rpms/turnserver-client-libs-4.5.0.7-0.el7.x86_64.rpm" 9 | - "{{ role_path }}/files/centos_rpms/turnserver-utils-4.5.0.7-0.el7.x86_64.rpm" 10 | state: latest 11 | 12 | - name: set coturn pid file 13 | lineinfile: 14 | path: /etc/sysconfig/turnserver 15 | regexp: '^EXTRA_OPTIONS=' 16 | line: 'EXTRA_OPTIONS="--pidfile /var/run/turnserver/turnserver.pid"' 17 | 18 | - name: bring /etc/turnserver/turnserver.conf in place 19 | template: 20 | src: turnserver.conf.j2 21 | dest: /etc/turnserver/turnserver.conf 22 | owner: root 23 | group: root 24 | mode: 0644 25 | force: true 26 | notify: restart turnserver 27 | 28 | - name: enable turnserver 29 | systemd: 30 | name: turnserver 31 | state: started 32 | enabled: true 33 | -------------------------------------------------------------------------------- /roles/prep_talk/tasks/Debian.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Debian related OS tasks 3 | 4 | - name: 
install coturn 5 | apt: 6 | name: coturn 7 | state: latest 8 | 9 | - name: enable coturn at boot 10 | lineinfile: 11 | path: /etc/default/coturn 12 | regexp: '(.*)TURNSERVER_ENABLED=(.*)' 13 | line: 'TURNSERVER_ENABLED=1' 14 | backup: true 15 | notify: restart coturn 16 | 17 | - name: bring /etc/turnserver.conf in place 18 | template: 19 | src: turnserver.conf.j2 20 | dest: /etc/turnserver.conf 21 | owner: root 22 | group: root 23 | mode: 0644 24 | force: true 25 | notify: restart coturn 26 | 27 | - name: enable coturn 28 | systemd: 29 | name: coturn 30 | state: started 31 | enabled: true -------------------------------------------------------------------------------- /roles/prep_talk/tasks/Fedora.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # CentOS related OS tasks 3 | 4 | - name: install coturn 5 | dnf: 6 | name: coturn 7 | state: latest 8 | 9 | - name: bring /etc/turnserver/turnserver.conf in place 10 | template: 11 | src: turnserver.conf.j2 12 | dest: /etc/coturn/turnserver.conf 13 | owner: root 14 | group: root 15 | mode: 0644 16 | force: true 17 | notify: restart coturn 18 | 19 | - name: enable turnserver 20 | systemd: 21 | name: coturn 22 | state: started 23 | enabled: true 24 | 25 | - name: open firewall 26 | firewalld: 27 | port: "{{ item }}" 28 | permanent: true 29 | immediate: false 30 | state: enabled 31 | with_items: 32 | - 5349/tcp 33 | - 5349/udp 34 | 35 | -------------------------------------------------------------------------------- /roles/prep_talk/tasks/Ubuntu.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Ubuntu related OS tasks 3 | 4 | - name: install coturn 5 | apt: 6 | name: coturn 7 | state: latest 8 | 9 | - name: enable coturn at boot 10 | lineinfile: 11 | path: /etc/default/coturn 12 | regexp: '(.*)TURNSERVER_ENABLED=(.*)' 13 | line: 'TURNSERVER_ENABLED=1' 14 | backup: true 15 | notify: restart coturn 16 | 17 | - name: bring 
/etc/turnserver.conf in place 18 | template: 19 | src: turnserver.conf.j2 20 | dest: /etc/turnserver.conf 21 | owner: root 22 | group: root 23 | mode: 0644 24 | force: true 25 | notify: restart coturn 26 | 27 | - name: enable coturn 28 | systemd: 29 | name: coturn 30 | state: started 31 | enabled: true -------------------------------------------------------------------------------- /roles/prep_talk/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # tasks file for prep_talk 3 | 4 | - name: include os specific tasks 5 | include_tasks: "{{ ansible_distribution }}.yml" 6 | 7 | - name: install talk app 8 | shell: sudo -u {{ web_user[ansible_distribution] }} php occ app:install spreed 9 | args: 10 | chdir: /var/www/nextcloud/ 11 | creates: /var/www/nextcloud/apps/spreed 12 | 13 | - name: enable talk app 14 | shell: sudo -u {{ web_user[ansible_distribution] }} php occ app:enable spreed 15 | args: 16 | chdir: /var/www/nextcloud/ 17 | 18 | - name: set stun_server 19 | shell: sudo -u {{ web_user[ansible_distribution] }} php occ config:app:set spreed stun_servers --value '["{{ fqdn }}:5349"]' 20 | args: 21 | chdir: /var/www/nextcloud/ 22 | 23 | - name: set turn server 24 | shell: sudo -u {{ web_user[ansible_distribution] }} php occ config:app:set spreed turn_servers --value '[{"server":"{{ fqdn }}:5349","secret":"{{ lookup('password', '{{ credential_store }}/talk_secret chars=ascii_letters,digits length=32') | lower }}","protocols":"udp,tcp"}]' 25 | args: 26 | chdir: /var/www/nextcloud/ 27 | 28 | - name: open ufw firewall 29 | include_role: 30 | name: prep_ufw 31 | vars: 32 | ufw_applications: 33 | - { name: TurnServer, rule: allow, from_ip: any } 34 | when: ansible_os_family == "Debian" or ansible_os_family == "Ubuntu" 35 | 36 | -------------------------------------------------------------------------------- /roles/prep_talk/templates/turnserver.conf.j2: 
-------------------------------------------------------------------------------- 1 | tls-listening-port=5349 2 | fingerprint 3 | #lt-cred-mech 4 | use-auth-secret 5 | static-auth-secret={{ lookup('password', '{{ credential_store }}/talk_secret chars=ascii_letters,digits length=32') | lower }} 6 | realm={{ fqdn }} 7 | total-quota=100 8 | bps-capacity=0 9 | stale-nonce=600 10 | {% if ssl_certificate_type == 'letsencrypt' %} 11 | cert=/etc/letsencrypt/live/{{ fqdn }}/fullchain.pem 12 | pkey=/etc/letsencrypt/live/{{ fqdn }}/privkey.pem 13 | {% endif %} 14 | {% if ssl_certificate_type == 'selfsigned' %} 15 | cert=/etc/nginx/certs/cert.pem 16 | pkey=/etc/nginx/certs/key.pem 17 | {% endif %} 18 | dh-file={{ dhparam_path }} 19 | cipher-list="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5" 20 | #no-loopback-peers 21 | no-multicast-peers 22 | no-tlsv1 23 | no-tlsv1_1 24 | no-stdout-log 25 | -------------------------------------------------------------------------------- /roles/prep_talk/vars/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # vars file for prep_talk -------------------------------------------------------------------------------- /roles/prep_ufw/README.md: -------------------------------------------------------------------------------- 1 | Role Name 2 | ========= 3 | 4 | A brief description of the role goes here. 5 | 6 | Requirements 7 | ------------ 8 | 9 | Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. 
10 | 11 | Role Variables 12 | -------------- 13 | 14 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. 15 | 16 | Dependencies 17 | ------------ 18 | 19 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. 20 | 21 | Example Playbook 22 | ---------------- 23 | 24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: 25 | 26 | - hosts: servers 27 | roles: 28 | - { role: username.rolename, x: 42 } 29 | 30 | License 31 | ------- 32 | 33 | BSD 34 | 35 | Author Information 36 | ------------------ 37 | 38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed). 
39 | -------------------------------------------------------------------------------- /roles/prep_ufw/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # defaults file for prep_ufw 3 | 4 | # ufw_rules: 5 | # - { [port: ""] [rule: allow] [proto: any] [from_ip: any] [to_ip: any] } 6 | ufw_rules: 7 | - { port: 22, rule: allow } 8 | - { port: '{{ nc_web_port }}', rule: allow } 9 | - { port: '{{ nc_ssl_port }}', rule: allow } 10 | 11 | #ufw_applications: 12 | # - { name: OpenSSH, rule: allow, from_ip: any } 13 | # list of rules 14 | 15 | # list of profiles located in /etc/ufw/applications.d 16 | ufw_applications: [] 17 | 18 | # /etc/defaut/ufw settings 19 | ufw_ipv6: "yes" 20 | ufw_default_input_policy: DROP 21 | ufw_default_output_policy: ACCEPT 22 | ufw_default_forward_policy: DROP 23 | ufw_default_application_policy: SKIP 24 | 25 | # firewall state: enabled | disabled 26 | ufw_state: enabled 27 | ufw_logging: "off" 28 | 29 | # always reset the firewall 30 | ufw_reset: yes -------------------------------------------------------------------------------- /roles/prep_ufw/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # handlers file for prep_ufw 3 | 4 | - name: reload ufw 5 | ufw: 6 | state: reloaded 7 | when: ufw_state == 'enabled' -------------------------------------------------------------------------------- /roles/prep_ufw/meta/main.yml: -------------------------------------------------------------------------------- 1 | galaxy_info: 2 | author: Reiner Nippes 3 | description: Installs UFirewall 4 | company: Nippes.it 5 | # If the issue tracker for your role is not on github, uncomment the 6 | # next line and provide a value 7 | # issue_tracker_url: http://example.com/issue/tracker 8 | 9 | # Some suggested licenses: 10 | # - BSD (default) 11 | # - MIT 12 | # - GPLv2 13 | # - GPLv3 14 | # - Apache 15 | # - CC-BY 16 | license: MIT 17 | 18 | 
min_ansible_version: 1.2 19 | 20 | # If this a Container Enabled role, provide the minimum Ansible Container version. 21 | # min_ansible_container_version: 22 | 23 | # Optionally specify the branch Galaxy will use when accessing the GitHub 24 | # repo for this role. During role install, if no tags are available, 25 | # Galaxy will use this branch. During import Galaxy will access files on 26 | # this branch. If Travis integration is configured, only notifications for this 27 | # branch will be accepted. Otherwise, in all cases, the repo's default branch 28 | # (usually master) will be used. 29 | #github_branch: 30 | 31 | # 32 | # platforms is a list of platforms, and each platform has a name and a list of versions. 33 | # 34 | platforms: 35 | - name: Ubuntu 36 | versions: 37 | - 16 38 | 39 | galaxy_tags: [] 40 | # List tags for your role here, one per line. A tag is a keyword that describes 41 | # and categorizes the role. Users find roles by searching for tags. Be sure to 42 | # remove the '[]' above, if you add tags to this list. 43 | # 44 | # NOTE: A tag is limited to a single word comprised of alphanumeric characters. 45 | # Maximum 20 tags per role. 46 | 47 | dependencies: [] 48 | # List your role dependencies here, one per line. Be sure to remove the '[]' above, 49 | # if you add dependencies to this list. 
50 | -------------------------------------------------------------------------------- /roles/prep_ufw/tasks/Debian.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Debian related OS tasks 3 | 4 | - name: Installing ufw package 5 | package: 6 | name: ufw 7 | state: latest 8 | -------------------------------------------------------------------------------- /roles/prep_ufw/tasks/Ubuntu.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Ubuntu related OS tasks 3 | 4 | - name: Installing ufw package 5 | package: 6 | name: ufw 7 | state: latest 8 | -------------------------------------------------------------------------------- /roles/prep_ufw/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # tasks file for prep_ufw 3 | 4 | - name: include os specific tasks 5 | include_tasks: "{{ ansible_distribution }}.yml" 6 | 7 | - name: Configuring port/protocol/network rules 8 | ufw: 9 | delete: "{{ item.delete | default(omit) }}" 10 | direction: "{{ item.direction | default(omit) }}" 11 | from_ip: "{{ item.from_ip | default(omit) }}" 12 | from_port: "{{ item.from_port | default(omit) }}" 13 | insert: "{{ item.insert | default(omit) }}" 14 | interface: "{{ item.interface | default(omit) }}" 15 | log: "{{ item.log | default(omit) }}" 16 | logging: "{{ item.logging | default(omit) }}" 17 | name: "{{ item.name | default(omit) }}" 18 | policy: "{{ item.policy | default(omit) }}" 19 | port: "{{ item.port | default(omit) }}" 20 | proto: "{{ item.proto | default(omit) }}" 21 | rule: "{{ item.rule | default('allow') }}" 22 | state: "{{ item.state | default(omit) }}" 23 | to_ip: "{{ item.to_ip | default(omit) }}" 24 | to_port: "{{ item.to_port | default(omit) }}" 25 | with_items: "{{ ufw_rules }}" 26 | 27 | - name: Configuring application rules 28 | ufw: 29 | name: "{{ item.name }}" 30 | rule: "{{ item.rule if item.rule is defined 
else 'allow' }}" 31 | from_ip: "{{ item.from_ip | default(omit) }}" 32 | with_items: "{{ ufw_applications }}" 33 | 34 | - name: Configuring firewall 35 | template: 36 | src: etc_default_ufw.j2 37 | dest: /etc/default/ufw 38 | owner: root 39 | group: root 40 | mode: 0644 41 | notify: reload ufw 42 | 43 | - name: Configuring service 44 | ufw: 45 | state: "{{ ufw_state }}" 46 | logging: "{{ ufw_logging }}" 47 | 48 | - name: Enabling firewall 49 | ufw: 50 | state: enabled 51 | when: ufw_reset|bool 52 | 53 | - name: start ufw 54 | systemd: 55 | name: ufw 56 | state: started 57 | enabled: true 58 | when: ufw_state == 'enabled' -------------------------------------------------------------------------------- /roles/prep_ufw/templates/etc_default_ufw.j2: -------------------------------------------------------------------------------- 1 | # {{ ansible_managed }} 2 | # 3 | 4 | # Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback 5 | # accepted). You will need to 'disable' and then 'enable' the firewall for 6 | # the changes to take affect. 7 | IPV6={{ ufw_ipv6 }} 8 | 9 | # Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if 10 | # you change this you will most likely want to adjust your rules. 11 | DEFAULT_INPUT_POLICY="{{ ufw_default_input_policy }}" 12 | 13 | # Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if 14 | # you change this you will most likely want to adjust your rules. 15 | DEFAULT_OUTPUT_POLICY="{{ ufw_default_output_policy }}" 16 | 17 | # Set the default forward policy to ACCEPT, DROP or REJECT. Please note that 18 | # if you change this you will most likely want to adjust your rules 19 | DEFAULT_FORWARD_POLICY="{{ ufw_default_forward_policy }}" 20 | 21 | # Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please 22 | # note that setting this to ACCEPT may be a security risk. 
See 'man ufw' for 23 | # details 24 | DEFAULT_APPLICATION_POLICY="{{ ufw_default_application_policy }}" 25 | 26 | # By default, ufw only touches its own chains. Set this to 'yes' to have ufw 27 | # manage the built-in chains too. Warning: setting this to 'yes' will break 28 | # non-ufw managed firewall rules 29 | MANAGE_BUILTINS=no 30 | 31 | # 32 | # IPT backend 33 | # 34 | # only enable if using iptables backend 35 | IPT_SYSCTL=/etc/ufw/sysctl.conf 36 | 37 | # Extra connection tracking modules to load. Complete list can be found in 38 | # net/netfilter/Kconfig of your kernel source. Some common modules: 39 | # nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support 40 | # nf_conntrack_netbios_ns: NetBIOS (samba) client support 41 | # nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT 42 | # nf_conntrack_ftp, nf_nat_ftp: active FTP support 43 | # nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side) 44 | IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns" 45 | 46 | -------------------------------------------------------------------------------- /roles/prep_ufw/vars/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # vars file for prep_ufw -------------------------------------------------------------------------------- /roles/restic_backup/README.md: -------------------------------------------------------------------------------- 1 | Role Name 2 | ========= 3 | 4 | A brief description of the role goes here. 5 | 6 | Requirements 7 | ------------ 8 | 9 | Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. 
10 | 11 | Role Variables 12 | -------------- 13 | 14 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. 15 | 16 | Dependencies 17 | ------------ 18 | 19 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. 20 | 21 | Example Playbook 22 | ---------------- 23 | 24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: 25 | 26 | - hosts: servers 27 | roles: 28 | - { role: username.rolename, x: 42 } 29 | 30 | License 31 | ------- 32 | 33 | BSD 34 | 35 | Author Information 36 | ------------------ 37 | 38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed). 39 | -------------------------------------------------------------------------------- /roles/restic_backup/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # defaults file for restic backup 3 | 4 | # checkout the latest version of restic. 
set to x.y.z to get a specific version 5 | restic_version: 'latest' 6 | 7 | restic_backup_secret: '' 8 | restic_install_path: '/usr/local/bin' 9 | 10 | # use a local directory as a restic repository (not a good idea anyway) 11 | restic_repo: '/var/backups/selfosted' 12 | 13 | # use rclone to backup a cloud storage, see https://rclone.org for more details 14 | #restic_repo: "rclone:backup-selfhosted:selfhosted-{{ lookup('password', '{{ selfhosted_credential_store }}/restic_backup_s3_bucket_uid chars=ascii_lowercase,digits length=12') }}/backup" 15 | #rclone_remote: | 16 | # [backup-selfhosted] 17 | # type = s3 18 | # provider = AWS 19 | # env_auth = false 20 | # access_key_id = AKIxxxxx 21 | # secret_access_key = QMpoxxxx 22 | # region = us-east-1 23 | # acl = private 24 | # server_side_encryption = AES256 25 | # storage_class = STANDARD_IA 26 | 27 | # crontab setings for the backup script - default daily at 3pm 28 | restic_backup_day: '*' 29 | restic_backup_minute: '0' 30 | restic_backup_hour: '3' 31 | -------------------------------------------------------------------------------- /roles/restic_backup/meta/main.yml: -------------------------------------------------------------------------------- 1 | galaxy_info: 2 | author: Reiner Nippes 3 | description: Installs restic backup tool 4 | company: nippes.it 5 | 6 | # If the issue tracker for your role is not on github, uncomment the 7 | # next line and provide a value 8 | # issue_tracker_url: http://example.com/issue/tracker 9 | 10 | # Some suggested licenses: 11 | # - BSD (default) 12 | # - MIT 13 | # - GPLv2 14 | # - GPLv3 15 | # - Apache 16 | # - CC-BY 17 | license: MIT 18 | 19 | min_ansible_version: 2.5 20 | 21 | # If this a Container Enabled role, provide the minimum Ansible Container version. 22 | # min_ansible_container_version: 23 | 24 | # Optionally specify the branch Galaxy will use when accessing the GitHub 25 | # repo for this role. 
During role install, if no tags are available, 26 | # Galaxy will use this branch. During import Galaxy will access files on 27 | # this branch. If Travis integration is configured, only notifications for this 28 | # branch will be accepted. Otherwise, in all cases, the repo's default branch 29 | # (usually master) will be used. 30 | #github_branch: 31 | 32 | # 33 | # platforms is a list of platforms, and each platform has a name and a list of versions. 34 | # 35 | # platforms: 36 | # - name: Fedora 37 | # versions: 38 | # - all 39 | # - 25 40 | # - name: SomePlatform 41 | # versions: 42 | # - all 43 | # - 1.0 44 | # - 7 45 | # - 99.99 46 | 47 | galaxy_tags: [] 48 | # List tags for your role here, one per line. A tag is a keyword that describes 49 | # and categorizes the role. Users find roles by searching for tags. Be sure to 50 | # remove the '[]' above, if you add tags to this list. 51 | # 52 | # NOTE: A tag is limited to a single word comprised of alphanumeric characters. 53 | # Maximum 20 tags per role. 
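dependencies:
  - prep_secrets
--------------------------------------------------------------------------------
/roles/restic_backup/tasks/install_rclone.yml:
--------------------------------------------------------------------------------
---
# install and configure rclone
#
# NOTE(review): rclone_download_url names the "rclone-current-*" package, so
# every run may install a different, unpinned build, and none of the install
# tasks below verifies a checksum or signature of that download. Pin a version
# and check it against rclone's published checksums for a trusted backup path.

- name: install latest rclone debian package
  apt:
    deb: '{{ rclone_download_url }}.deb'
    state: present
  when: ansible_pkg_mgr == 'apt'

- name: install latest rclone rpm package (yum)
  yum:
    name: '{{ rclone_download_url }}.rpm'
    state: present
  when: ansible_pkg_mgr == 'yum'

# Fedora reports ansible_pkg_mgr == 'dnf', which the yum condition above never
# matches, so rclone was silently skipped there and 'restic init' failed later.
- name: install latest rclone rpm package (dnf)
  dnf:
    name: '{{ rclone_download_url }}.rpm'
    state: present
  when: ansible_pkg_mgr == 'dnf'

- name: make sure rclone config folder exists
  file:
    name: '/root/.config/rclone'
    owner: 'root'
    group: 'root'
    mode: '0700'
    state: directory

# rclone.conf carries the cloud credentials from rclone_remote: root-only on
# disk, and no_log keeps the block out of the play output and --diff.
- name: create rclone config
  blockinfile:
    content: '{{ rclone_remote }}'
    path: '/root/.config/rclone/rclone.conf'
    create: true
    owner: 'root'
    group: 'root'
    mode: '0600'
  no_log: true
--------------------------------------------------------------------------------
/roles/restic_backup/tasks/install_restic.yml:
--------------------------------------------------------------------------------
---
# tasks file to install restic

# 'latest' is resolved through the releases/latest endpoint: the /tags listing
# is not ordered by version, so its first entry is not guaranteed to be the
# newest release.
- name: get latest restic release from github
  uri:
    url: https://api.github.com/repos/restic/restic/releases/latest
  register: restic_latest
  when: restic_version == 'latest'

- name: set restic version
  set_fact:
    restic_version: "{{ restic_latest.json.tag_name | regex_replace('^v', '') }}"
  when: restic_version == 'latest'

# Only download when the installed binary does not already report the wanted
# version; force: true re-fetched and replaced the binary on every run.
- name: check installed restic version
  command: '{{ restic_install_path }}/restic version'
  register: restic_installed
  changed_when: false
  failed_when: false

# The SHA256SUMS file comes from the same release as the binary, so it only
# guards against a corrupted or truncated download, not a tampered release;
# restic also publishes SHA256SUMS.asc for signature verification.
- name: download restic binary
  get_url:
    url: '{{ restic_download_url }}'
    dest: '{{ restic_install_path }}/restic.bz2'
    checksum: 'sha256:https://github.com/restic/restic/releases/download/v{{ restic_version }}/SHA256SUMS'
    mode: '0644'
  register: restic_download
  when: (restic_installed.rc | default(1)) != 0 or restic_version not in (restic_installed.stdout | default(''))

- name: decompress the binary
  command: bunzip2 --force '{{ restic_install_path }}/restic.bz2'
  when: restic_download is changed

- name: ensure permissions are correct
  file:
    path: '{{ restic_install_path }}/restic'
    mode: '0755'
    owner: 'root'
    group: 'root'
--------------------------------------------------------------------------------
/roles/restic_backup/tasks/main.yml:
--------------------------------------------------------------------------------
---
# tasks file for restic_backup

- name: install restic
  include_tasks: install_restic.yml

- name: install rclone
  include_tasks: install_rclone.yml
  when: ( 'rclone' in restic_repo )

# The generated password is persisted in the controller-side credential store;
# no_log keeps it out of verbose output and callback plugins.
- name: generate restic secret if restic_backup_secret is empty
  set_fact:
    restic_backup_secret: "{{ lookup('password', credential_store ~ '/restic_backup_secret chars=ascii_letters,digits length=32') }}"
  when: restic_backup_secret == ''
  no_log: true

- name: create restic backup directory
  file:
    name: '{{ restic_repo }}'
    owner: 'root'
    group: 'root'
    mode: '0700'
    state: directory
  when: ( 'rclone' not in restic_repo )

# no_log hides RESTIC_PASSWORD from the play output; the registered result is
# still available to the changed_when/failed_when checks (a failure is reported
# censored - rerun with no_log: false only on a trusted terminal to debug it).
- name: initialize repository
  command: '{{ restic_install_path }}/restic init'
  environment:
    RESTIC_REPOSITORY: "{{ restic_repo }}"
    RESTIC_PASSWORD: "{{ restic_backup_secret }}"
  no_log: true
  register: restic_init
  changed_when: "'created restic backend' in restic_init.stdout"
  failed_when:
    - restic_init.rc != 0
    - not ( 'config already initialized' in restic_init.stderr or 'config file already exists' in restic_init.stderr )

# force: false keeps a locally edited script in place. The rendered script
# embeds RESTIC_PASSWORD and the database credentials, hence root:root 0750.
- name: create restic selfhosted backup script
  template:
    src: 'backup_nextcloud.sh.j2'
    dest: '/usr/local/bin/backup_nextcloud.sh'
    owner: 'root'
    group: 'root'
    mode: '0750'
    force: false

# Script output goes to syslog instead of /dev/null, so a failing backup is
# visible instead of silently producing no snapshots.
- name: crontab entry
  cron:
    name: "backup nextcloud"
    day: "{{ restic_backup_day }}"
    minute: "{{ restic_backup_minute }}"
    hour: "{{ restic_backup_hour }}"
    job: "/usr/local/bin/backup_nextcloud.sh 2>&1 | logger -t backup_nextcloud"

--------------------------------------------------------------------------------
/roles/restic_backup/templates/backup_nextcloud.sh.j2:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Backs up the Nextcloud database, data directory and installation into the
# restic repository, with Nextcloud in maintenance mode while the snapshot is
# taken. Rendered by Ansible and run as root from cron.

export RESTIC_REPOSITORY="{{ restic_repo }}"
export RESTIC_PASSWORD="{{ restic_backup_secret }}"

# abort the entire script if any command fails. pipefail makes a failing
# mysqldump/pg_dump on the left side of a pipe fail the script instead of
# exiting 0 as if the backup had succeeded; -u turns unset variables into errors.
set -euo pipefail

{% if nc_db_type == 'mysql' %}
MYSQL_DEFAULTS=""
{% endif %}

# Make sure nextcloud is enabled (and no credential file is left) when we are done
cleanup() {
{% if nc_db_type == 'mysql' %}
    if [ -n "${MYSQL_DEFAULTS}" ]; then rm -f "${MYSQL_DEFAULTS}"; fi
{% endif %}
    sudo -u {{ web_user[ansible_distribution] }} php /var/www/nextcloud/occ maintenance:mode --off
}
trap cleanup EXIT

# set nextcloud to maintenance mode
sudo -u {{ web_user[ansible_distribution] }} php /var/www/nextcloud/occ maintenance:mode --on

# remove stale restic locks to keep automatic backup going
{{ restic_install_path }}/restic unlock --cleanup-cache

# backup the database
{% if nc_db_type == 'mysql' %}
# The password is handed to mysqldump through a root-only option file:
# "-p<password>" on the command line is visible to every local user via ps.
# NOTE(review): assumes nc_db_passwd contains no double quote or backslash
# (MySQL option-file quoting rules) - confirm against prep_mariadb.
MYSQL_DEFAULTS="$(mktemp /root/.backup_nextcloud.my.cnf.XXXXXX)"
chmod 600 "${MYSQL_DEFAULTS}"
cat > "${MYSQL_DEFAULTS}" <<'EOF'
[client]
user={{ nc_db_user }}
password="{{ nc_db_passwd }}"
EOF
mysqldump --defaults-extra-file="${MYSQL_DEFAULTS}" --single-transaction -h localhost {{ nc_db }} \
    | {{ restic_install_path }}/restic backup --stdin --stdin-filename db_mysql_nextcloud.sql
rm -f "${MYSQL_DEFAULTS}"
MYSQL_DEFAULTS=""
{% elif nc_db_type == 'pgsql' %}
sudo -u postgres pg_dump -c -U postgres {{ nc_db }} \
    | {{ restic_install_path }}/restic backup --stdin --stdin-filename db_postgres_nextcloud.sql
{% endif %}

# backup the data dir and nextcloud (quoted: the data dir is an operator-chosen path)
{{ restic_install_path }}/restic backup "{{ nc_datadir }}" /var/www/nextcloud

# turn maintenance mode off
sudo -u {{ web_user[ansible_distribution] }} php /var/www/nextcloud/occ maintenance:mode --off

# delete trap
trap "" EXIT

# clean up backup dir - retention is settable through the restic_keep_* variables
{{ restic_install_path }}/restic forget \
    --keep-daily {{ restic_keep_daily | default(7) }} \
    --keep-weekly {{ restic_keep_weekly | default(5) }} \
    --keep-monthly {{ restic_keep_monthly | default(12) }} \
    --keep-yearly {{ restic_keep_yearly | default(75) }}
{{ restic_install_path }}/restic prune
--------------------------------------------------------------------------------
/roles/restic_backup/vars/main.yml: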
--------------------------------------------------------------------------------
---
# vars file for restic_backup

# maps ansible_architecture to the architecture suffix used in the restic and
# rclone download names; a host reporting any other value (e.g. armv6l, i686)
# makes the URL templates below fail with an undefined dictionary key
pkg_architekture:
  'x86_64': amd64
  'armv7l': arm
  'aarch64': arm64

# restic release asset, pinned through restic_version (see defaults/main.yml)
restic_download_url: 'https://github.com/restic/restic/releases/download/v{{ restic_version }}/restic_{{ restic_version }}_linux_{{ pkg_architekture[ansible_architecture] }}.bz2'
# "rclone-current" is an unversioned alias on downloads.rclone.org: each run may
# fetch a different build, and the install tasks verify no checksum for it
rclone_download_url: 'https://downloads.rclone.org/rclone-current-linux-{{ pkg_architekture[ansible_architecture] }}'
--------------------------------------------------------------------------------