Browse Source

Initial commit

master
Mablr 1 year ago
commit
358515d7e4
Signed by: mablr GPG Key ID: 7568670EF499017A
42 changed files with 11162 additions and 0 deletions
  1. +98
    -0
      README.md
  2. +35
    -0
      defaults/config.json
  3. +85
    -0
      defaults/main.yml
  4. +1915
    -0
      files/Debian/cli.php.ini
  5. +1942
    -0
      files/Debian/fpm.php.ini
  6. +1915
    -0
      files/Ubuntu/cli.php.ini
  7. +1914
    -0
      files/Ubuntu/fpm.php.ini
  8. +13
    -0
      files/disable-transparent-huge-pages.service
  9. BIN
      files/httpd-to-php-fpm.pp
  10. BIN
      files/httpd-to-redis-socket.pp
  11. BIN
      files/httpd-to-upload-tmp.pp
  12. +11
    -0
      files/letsencrypt.conf
  13. +13
    -0
      files/optimization.conf
  14. +14
    -0
      files/permissions.sh
  15. +9
    -0
      files/php_optimization.conf
  16. +12
    -0
      files/proxy.conf
  17. +943
    -0
      files/redis.conf
  18. +22
    -0
      handlers/main.yml
  19. +23
    -0
      meta/main.yml
  20. +67
    -0
      tasks/letsencrypt.yml
  21. +31
    -0
      tasks/main.yml
  22. +191
    -0
      tasks/nextcloud.yml
  23. +129
    -0
      tasks/nginx.yml
  24. +113
    -0
      tasks/os.yml
  25. +100
    -0
      tasks/php.yml
  26. +66
    -0
      tasks/postgres.yml
  27. +28
    -0
      tasks/redis.yml
  28. +14
    -0
      tasks/secrets.yml
  29. +70
    -0
      tasks/selfsigned.yml
  30. +125
    -0
      templates/Debian/php-fpm.conf
  31. +417
    -0
      templates/Debian/www.conf
  32. +125
    -0
      templates/Ubuntu/php-fpm.conf
  33. +417
    -0
      templates/Ubuntu/www.conf
  34. +8
    -0
      templates/header.conf.j2
  35. +107
    -0
      templates/nextcloud.conf.j2
  36. +48
    -0
      templates/nginx.conf.j2
  37. +11
    -0
      templates/pg_hba.conf.j2
  38. +53
    -0
      templates/postgresql.conf.j2
  39. +1
    -0
      templates/postgresql.tmpfiles.d.j2
  40. +13
    -0
      templates/ssl.conf.letsencrypt.j2
  41. +12
    -0
      templates/ssl.conf.selfsigned.j2
  42. +52
    -0
      vars/main.yml

+ 98
- 0
README.md View File

@ -0,0 +1,98 @@
# ansible-role-nextcloud
Ansible Role to install Nextcloud. (Based on ReinerNippes [work](https://github.com/ReinerNippes/nextcloud) released under MIT licence)
* Nextcloud (Latest) - <https://nextcloud.com/>
* Nginx - <https://nginx.org/>
* PHP 7.x - <http://www.php.net/>
* PostgreSQL 11 <https://www.postgresql.org/>
* Redis - <https://redis.io/>
* Nextcloud Talk
* Collabora Online <https://www.collaboraoffice.com/>
Most of the settings are recommentations from C. Rieger
Visit his page for all details: <https://www.c-rieger.de/>
## Requirements
Debian 10 or Ubuntu 20.04.
## Role Variables
All variables are defined in inventory file.
```ini
# Server domain name
# Default is the fqdn of the machine
# fqdn = nc.example.org
# selfsigned certificate as default
ssl_certificate_type = 'selfsigned'
# Letsencrypt or selfsigned certificate
# ssl_certificate_type = 'letsencrypt'
# Your email adresse for letsencrypt
# cert_email = nc@example.org
# receive a certificate from staging
# uncomment if you want to use letsencrypt staging environment
# cert_stage = '--staging'
#
# Nextcloud varibales
# data dir
nc_datadir = /var/nc-data
# admin user
nc_admin = 'admin'
nc_passwd = '' # leave empty to generate random password
# database settings
nc_db_type = 'pgsql' # (PostgreSQL)
nc_db_host = ''
nc_db = 'nextcloud'
nc_db_user = 'nextcloud'
nc_db_passwd = '' # leave empty to generate random password
nc_db_prefix = 'oc_'
# Nextcloud mail setup
nc_configure_mail = false
nc_mail_from =
nc_mail_smtpmode = smtp
nc_mail_smtpauthtype = LOGIN
nc_mail_domain =
nc_mail_smtpname =
nc_mail_smtpsecure = tls
nc_mail_smtpauth = 1
nc_mail_smtphost =
nc_mail_smtpport = 587
nc_mail_smtpname =
nc_mail_smtppwd =
# php Version
php_version = '7.3'
# Install turn server for Nextcloud Talk
talk_install = false
# Allways get the latest version of Nextcloud
next_archive = https://download.nextcloud.com/server/releases/latest.tar.bz2
# Install Collabra Online
# more info about collabora office: https://www.collaboraoffice.com/
install_collabora = false
# Install Online Office
# more info about onlyoffice office: https://www.onlyoffice.com
install_onlyoffice = false
#
# defaults path of your generated credentials (e.g. database, talk, onlyoffice)
credential_store = /etc/nextcloud
```

+ 35
- 0
defaults/config.json View File

@ -0,0 +1,35 @@
{
"system": {
"memcache.local": "\\OC\\Memcache\\APCu",
"redis": {
"host": "\/var\/run\/redis\/redis.sock",
"port": "0",
"timeout": "0.0"
},
"memcache.locking": "\\OC\\Memcache\\Redis",
"filelocking.enabled": "true",
"enable_previews": "true",
"enabledPreviewProviders": [
"OC\\Preview\\PNG",
"OC\\Preview\\JPEG",
"OC\\Preview\\GIF",
"OC\\Preview\\BMP",
"OC\\Preview\\XBitmap",
"OC\\Preview\\Movie",
"OC\\Preview\\PDF",
"OC\\Preview\\MP3",
"OC\\Preview\\TXT",
"OC\\Preview\\MarkDown"
],
"preview_max_x": "1024",
"preview_max_y": "768",
"preview_max_scale_factor": "1",
"auth.bruteforce.protection.enabled": "true",
"trashbin_retention_obligation": "auto,7",
"skeletondirectory": "",
"defaultapp": "file",
"activity_expire_days": "14",
"integrity.check.disabled": "false",
"updater.release.channel": "stable"
}
}

+ 85
- 0
defaults/main.yml View File

@ -0,0 +1,85 @@
---
# defaults file for nextcloud
# Nginx
fqdn: ''
# dns resolver (nginx reverse ip lookup) set to 127.0.0.1
# see http://blog.zorinaq.com/nginx-resolver-vulns/
nginx_resolver: '127.0.0.1'
nc_web_port: '80'
nc_ssl_port: '443'
# Postgres
postgresql_version: 11
postgres_user: postgres
pgdata: /var/lib/postgresql/data/pgdata
# Letsencrypt
dhparam_numbits: 4096
# Nextcloud
nc_config:
- { key: "overwrite.cli.url", value: '--value=https://{{ fqdn }}' }
- { key: "trusted_domains", value: '1 --value={{ fqdn }}' }
nc_mail_config:
- { key: "mail_from_address", value: "--value={{ nc_mail_from }}" }
- { key: "mail_smtpmode", value: "--value={{ nc_mail_smtpmode }}" }
- { key: "mail_smtpauthtype", value: "--value={{ nc_mail_smtpauthtype }}" }
- { key: "mail_domain", value: "--value={{ nc_mail_domain }}" }
- { key: "mail_smtpname", value: "--value={{ nc_mail_smtpname }}" }
- { key: "mail_smtpsecure", value: "--value={{ nc_mail_smtpsecure }}" }
- { key: "mail_smtpauth", value: "--value={{ nc_mail_smtpauth }}" }
- { key: "mail_smtphost", value: "--value={{ nc_mail_smtphost }}" }
- { key: "mail_smtpport", value: "--value={{ nc_mail_smtpport }}" }
- { key: "mail_smtpname", value: "--value={{ nc_mail_smtpname }}" }
- { key: "mail_smtppassword", value: "--value={{ nc_mail_smtppwd }}" }
nc_app_config:
- { key: "disable", value: "survey_client" }
- { key: "disable", value: "firstrunwizard" }
- { key: "enable", value: "admin_audit" }
- { key: "enable", value: "files_pdfviewer" }
ssl_certificate_type: selfsigned
nc_datadir: /var/nc-data
# admin user
nc_admin: 'admin'
nc_passwd: '' # leave empty to generate random password
# database settings
nc_db_type: 'pgsql'
nc_db_host: 'localhost'
nc_db: 'ncdb'
nc_db_user: 'ncuser'
nc_db_passwd: '' # leave empty to generate random password
nc_db_prefix: 'oc_'
# Nextcloud mail setup
nc_configure_mail: false
nc_mail_from :
nc_mail_smtpmode: smtp
nc_mail_smtpauthtype: LOGIN
nc_mail_domain:
nc_mail_smtpname:
nc_mail_smtpsecure: tls
nc_mail_smtpauth: 1
nc_mail_smtphost:
nc_mail_smtpport: 587
nc_mail_smtpname:
nc_mail_smtppwd:
# php Version
php_version: '7.3'
# Install turn server for Nextcloud Talk
talk_install: false
# Allways get the latest version of Nextcloud
next_archive: https://download.nextcloud.com/server/releases/latest.tar.bz2
# Install Collabra Online
# more info about collabora office: https://www.collaboraoffice.com/
install_collabora: false

+ 1915
- 0
files/Debian/cli.php.ini
File diff suppressed because it is too large
View File


+ 1942
- 0
files/Debian/fpm.php.ini
File diff suppressed because it is too large
View File


+ 1915
- 0
files/Ubuntu/cli.php.ini
File diff suppressed because it is too large
View File


+ 1914
- 0
files/Ubuntu/fpm.php.ini
File diff suppressed because it is too large
View File


+ 13
- 0
files/disable-transparent-huge-pages.service View File

@ -0,0 +1,13 @@
[Unit]
Description=Disable Transparent Huge Pages
DefaultDependencies=no
After=sysinit.target local-fs.target
Before=basic.target
[Service]
Type=oneshot
ExecStart=/bin/sh -c '/bin/echo never > /sys/kernel/mm/transparent_hugepage/enabled'
ExecStart=/bin/sh -c '/bin/echo never > /sys/kernel/mm/transparent_hugepage/defrag'
[Install]
WantedBy=basic.target

BIN
files/httpd-to-php-fpm.pp View File


BIN
files/httpd-to-redis-socket.pp View File


BIN
files/httpd-to-upload-tmp.pp View File


+ 11
- 0
files/letsencrypt.conf View File

@ -0,0 +1,11 @@
server {
listen 127.0.0.1:81 default_server;
server_name 127.0.0.1;
charset utf-8;
access_log /var/log/nginx/le.access.log main;
error_log /var/log/nginx/le.error.log warn;
location ^~ /.well-known/acme-challenge {
default_type text/plain;
root /var/www/letsencrypt;
}
}

+ 13
- 0
files/optimization.conf View File

@ -0,0 +1,13 @@
fastcgi_buffers 64 64K;
fastcgi_buffer_size 256k;
fastcgi_busy_buffers_size 3840K;
fastcgi_cache_key $http_cookie$request_method$host$request_uri;
fastcgi_cache_use_stale error timeout invalid_header http_500;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
gzip_disable "MSIE [1-6]\.";

+ 14
- 0
files/permissions.sh View File

@ -0,0 +1,14 @@
#!/bin/bash
find /var/www/ -type f -print0 | xargs -0 chmod 0640
find /var/www/ -type d -print0 | xargs -0 chmod 0750
chown -R $WEB_USER:$WEB_GROUP /var/www/
chown -R $WEB_USER:$WEB_GROUP /upload_tmp/
chown -R $WEB_USER:$WEB_GROUP $NC_DATADIR
chmod 0644 /var/www/nextcloud/.htaccess
chmod 0644 /var/www/nextcloud/.user.ini
chmod 600 /etc/letsencrypt/live/$FQDN/fullchain.pem
chmod 600 /etc/letsencrypt/live/$FQDN/privkey.pem
chmod 600 /etc/letsencrypt/live/$FQDN/chain.pem
chmod 600 /etc/letsencrypt/live/$FQDN/cert.pem
chmod 600 /etc/ssl/certs/dhparam.pem
exit 0

+ 9
- 0
files/php_optimization.conf View File

@ -0,0 +1,9 @@
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
fastcgi_cache_valid 404 1m;
fastcgi_cache_valid any 1h;
fastcgi_cache_methods GET HEAD;

+ 12
- 0
files/proxy.conf View File

@ -0,0 +1,12 @@
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Server $host;
proxy_connect_timeout 3600;
proxy_send_timeout 3600;
proxy_read_timeout 3600;
proxy_redirect off;
proxy_max_temp_file_size 0;

+ 943
- 0
files/redis.conf View File

@ -0,0 +1,943 @@
# Redis configuration file example.
#
# Note that in order to read the configuration file, Redis must be
# started with the file path as first argument:
#
# ./redis-server /path/to/redis.conf
# Note on units: when memory size is needed, it is possible to specify
# it in the usual form of 1k 5GB 4M and so forth:
#
# 1k => 1000 bytes
# 1kb => 1024 bytes
# 1m => 1000000 bytes
# 1mb => 1024*1024 bytes
# 1g => 1000000000 bytes
# 1gb => 1024*1024*1024 bytes
#
# units are case insensitive so 1GB 1Gb 1gB are all the same.
################################## INCLUDES ###################################
# Include one or more other config files here. This is useful if you
# have a standard template that goes to all Redis servers but also need
# to customize a few per-server settings. Include files can include
# other files, so use this wisely.
#
# Notice option "include" won't be rewritten by command "CONFIG REWRITE"
# from admin or Redis Sentinel. Since Redis always uses the last processed
# line as value of a configuration directive, you'd better put includes
# at the beginning of this file to avoid overwriting config change at runtime.
#
# If instead you are interested in using includes to override configuration
# options, it is better to use include as the last line.
#
# include /path/to/local.conf
# include /path/to/other.conf
################################ GENERAL #####################################
# By default Redis does not run as a daemon. Use 'yes' if you need it.
# Note that Redis will write a pid file in /var/run/redis.pid when daemonized.
daemonize yes
# When running daemonized, Redis writes a pid file in /var/run/redis.pid by
# default. You can specify a custom pid file location here.
pidfile /var/run/redis/redis-server.pid
# Accept connections on the specified port, default is 6379.
# If port 0 is specified Redis will not listen on a TCP socket.
port 0
# TCP listen() backlog.
#
# In high requests-per-second environments you need an high backlog in order
# to avoid slow clients connections issues. Note that the Linux kernel
# will silently truncate it to the value of /proc/sys/net/core/somaxconn so
# make sure to raise both the value of somaxconn and tcp_max_syn_backlog
# in order to get the desired effect.
tcp-backlog 511
# By default Redis listens for connections from all the network interfaces
# available on the server. It is possible to listen to just one or multiple
# interfaces using the "bind" configuration directive, followed by one or
# more IP addresses.
#
# Examples:
#
# bind 192.168.1.100 10.0.0.1
bind 127.0.0.1
# Specify the path for the Unix socket that will be used to listen for
# incoming connections. There is no default, so Redis will not listen
# on a unix socket when not specified.
#
unixsocket /var/run/redis/redis.sock
unixsocketperm 770
# Close the connection after a client is idle for N seconds (0 to disable)
timeout 0
# TCP keepalive.
#
# If non-zero, use SO_KEEPALIVE to send TCP ACKs to clients in absence
# of communication. This is useful for two reasons:
#
# 1) Detect dead peers.
# 2) Take the connection alive from the point of view of network
# equipment in the middle.
#
# On Linux, the specified value (in seconds) is the period used to send ACKs.
# Note that to close the connection the double of the time is needed.
# On other kernels the period depends on the kernel configuration.
#
# A reasonable value for this option is 60 seconds.
tcp-keepalive 0
# Specify the server verbosity level.
# This can be one of:
# debug (a lot of information, useful for development/testing)
# verbose (many rarely useful info, but not a mess like the debug level)
# notice (moderately verbose, what you want in production probably)
# warning (only very important / critical messages are logged)
loglevel notice
# Specify the log file name. Also the empty string can be used to force
# Redis to log on the standard output. Note that if you use standard
# output for logging but daemonize, logs will be sent to /dev/null
logfile /var/log/redis/redis-server.log
# To enable logging to the system logger, just set 'syslog-enabled' to yes,
# and optionally update the other syslog parameters to suit your needs.
# syslog-enabled no
# Specify the syslog identity.
# syslog-ident redis
# Specify the syslog facility. Must be USER or between LOCAL0-LOCAL7.
# syslog-facility local0
# Set the number of databases. The default database is DB 0, you can select
# a different one on a per-connection basis using SELECT <dbid> where
# dbid is a number between 0 and 'databases'-1
databases 16
################################ SNAPSHOTTING ################################
#
# Save the DB on disk:
#
# save <seconds> <changes>
#
# Will save the DB if both the given number of seconds and the given
# number of write operations against the DB occurred.
#
# In the example below the behaviour will be to save:
# after 900 sec (15 min) if at least 1 key changed
# after 300 sec (5 min) if at least 10 keys changed
# after 60 sec if at least 10000 keys changed
#
# Note: you can disable saving completely by commenting out all "save" lines.
#
# It is also possible to remove all the previously configured save
# points by adding a save directive with a single empty string argument
# like in the following example:
#
# save ""
save 900 1
save 300 10
save 60 10000
# By default Redis will stop accepting writes if RDB snapshots are enabled
# (at least one save point) and the latest background save failed.
# This will make the user aware (in a hard way) that data is not persisting
# on disk properly, otherwise chances are that no one will notice and some
# disaster will happen.
#
# If the background saving process will start working again Redis will
# automatically allow writes again.
#
# However if you have setup your proper monitoring of the Redis server
# and persistence, you may want to disable this feature so that Redis will
# continue to work as usual even if there are problems with disk,
# permissions, and so forth.
stop-writes-on-bgsave-error yes
# Compress string objects using LZF when dump .rdb databases?
# For default that's set to 'yes' as it's almost always a win.
# If you want to save some CPU in the saving child set it to 'no' but
# the dataset will likely be bigger if you have compressible values or keys.
rdbcompression yes
# Since version 5 of RDB a CRC64 checksum is placed at the end of the file.
# This makes the format more resistant to corruption but there is a performance
# hit to pay (around 10%) when saving and loading RDB files, so you can disable it
# for maximum performances.
#
# RDB files created with checksum disabled have a checksum of zero that will
# tell the loading code to skip the check.
rdbchecksum yes
# The filename where to dump the DB
dbfilename dump.rdb
# The working directory.
#
# The DB will be written inside this directory, with the filename specified
# above using the 'dbfilename' configuration directive.
#
# The Append Only File will also be created inside this directory.
#
# Note that you must specify a directory here, not a file name.
dir /var/lib/redis
################################# REPLICATION #################################
# Master-Slave replication. Use slaveof to make a Redis instance a copy of
# another Redis server. A few things to understand ASAP about Redis replication.
#
# 1) Redis replication is asynchronous, but you can configure a master to
# stop accepting writes if it appears to be not connected with at least
# a given number of slaves.
# 2) Redis slaves are able to perform a partial resynchronization with the
# master if the replication link is lost for a relatively small amount of
# time. You may want to configure the replication backlog size (see the next
# sections of this file) with a sensible value depending on your needs.
# 3) Replication is automatic and does not need user intervention. After a
# network partition slaves automatically try to reconnect to masters
# and resynchronize with them.
#
# slaveof <masterip> <masterport>
# If the master is password protected (using the "requirepass" configuration
# directive below) it is possible to tell the slave to authenticate before
# starting the replication synchronization process, otherwise the master will
# refuse the slave request.
#
# masterauth <master-password>
# When a slave loses its connection with the master, or when the replication
# is still in progress, the slave can act in two different ways:
#
# 1) if slave-serve-stale-data is set to 'yes' (the default) the slave will
# still reply to client requests, possibly with out of date data, or the
# data set may just be empty if this is the first synchronization.
#
# 2) if slave-serve-stale-data is set to 'no' the slave will reply with
# an error "SYNC with master in progress" to all the kind of commands
# but to INFO and SLAVEOF.
#
slave-serve-stale-data yes
# You can configure a slave instance to accept writes or not. Writing against
# a slave instance may be useful to store some ephemeral data (because data
# written on a slave will be easily deleted after resync with the master) but
# may also cause problems if clients are writing to it because of a
# misconfiguration.
#
# Since Redis 2.6 by default slaves are read-only.
#
# Note: read only slaves are not designed to be exposed to untrusted clients
# on the internet. It's just a protection layer against misuse of the instance.
# Still a read only slave exports by default all the administrative commands
# such as CONFIG, DEBUG, and so forth. To a limited extent you can improve
# security of read only slaves using 'rename-command' to shadow all the
# administrative / dangerous commands.
slave-read-only yes
# Replication SYNC strategy: disk or socket.
#
# -------------------------------------------------------
# WARNING: DISKLESS REPLICATION IS EXPERIMENTAL CURRENTLY
# -------------------------------------------------------
#
# New slaves and reconnecting slaves that are not able to continue the replication
# process just receiving differences, need to do what is called a "full
# synchronization". An RDB file is transmitted from the master to the slaves.
# The transmission can happen in two different ways:
#
# 1) Disk-backed: The Redis master creates a new process that writes the RDB
# file on disk. Later the file is transferred by the parent
# process to the slaves incrementally.
# 2) Diskless: The Redis master creates a new process that directly writes the
# RDB file to slave sockets, without touching the disk at all.
#
# With disk-backed replication, while the RDB file is generated, more slaves
# can be queued and served with the RDB file as soon as the current child producing
# the RDB file finishes its work. With diskless replication instead once
# the transfer starts, new slaves arriving will be queued and a new transfer
# will start when the current one terminates.
#
# When diskless replication is used, the master waits a configurable amount of
# time (in seconds) before starting the transfer in the hope that multiple slaves
# will arrive and the transfer can be parallelized.
#
# With slow disks and fast (large bandwidth) networks, diskless replication
# works better.
repl-diskless-sync no
# When diskless replication is enabled, it is possible to configure the delay
# the server waits in order to spawn the child that transfers the RDB via socket
# to the slaves.
#
# This is important since once the transfer starts, it is not possible to serve
# new slaves arriving, that will be queued for the next RDB transfer, so the server
# waits a delay in order to let more slaves arrive.
#
# The delay is specified in seconds, and by default is 5 seconds. To disable
# it entirely just set it to 0 seconds and the transfer will start ASAP.
repl-diskless-sync-delay 5
# Slaves send PINGs to server in a predefined interval. It's possible to change
# this interval with the repl_ping_slave_period option. The default value is 10
# seconds.
#
# repl-ping-slave-period 10
# The following option sets the replication timeout for:
#
# 1) Bulk transfer I/O during SYNC, from the point of view of slave.
# 2) Master timeout from the point of view of slaves (data, pings).
# 3) Slave timeout from the point of view of masters (REPLCONF ACK pings).
#
# It is important to make sure that this value is greater than the value
# specified for repl-ping-slave-period otherwise a timeout will be detected
# every time there is low traffic between the master and the slave.
#
# repl-timeout 60
# Disable TCP_NODELAY on the slave socket after SYNC?
#
# If you select "yes" Redis will use a smaller number of TCP packets and
# less bandwidth to send data to slaves. But this can add a delay for
# the data to appear on the slave side, up to 40 milliseconds with
# Linux kernels using a default configuration.
#
# If you select "no" the delay for data to appear on the slave side will
# be reduced but more bandwidth will be used for replication.
#
# By default we optimize for low latency, but in very high traffic conditions
# or when the master and slaves are many hops away, turning this to "yes" may
# be a good idea.
repl-disable-tcp-nodelay no
# Set the replication backlog size. The backlog is a buffer that accumulates
# slave data when slaves are disconnected for some time, so that when a slave
# wants to reconnect again, often a full resync is not needed, but a partial
# resync is enough, just passing the portion of data the slave missed while
# disconnected.
#
# The bigger the replication backlog, the longer the time the slave can be
# disconnected and later be able to perform a partial resynchronization.
#
# The backlog is only allocated once there is at least a slave connected.
#
# repl-backlog-size 1mb
# After a master has no longer connected slaves for some time, the backlog
# will be freed. The following option configures the amount of seconds that
# need to elapse, starting from the time the last slave disconnected, for
# the backlog buffer to be freed.
#
# A value of 0 means to never release the backlog.
#
# repl-backlog-ttl 3600
# The slave priority is an integer number published by Redis in the INFO output.
# It is used by Redis Sentinel in order to select a slave to promote into a
# master if the master is no longer working correctly.
#
# A slave with a low priority number is considered better for promotion, so
# for instance if there are three slaves with priority 10, 100, 25 Sentinel will
# pick the one with priority 10, that is the lowest.
#
# However a special priority of 0 marks the slave as not able to perform the
# role of master, so a slave with priority of 0 will never be selected by
# Redis Sentinel for promotion.
#
# By default the priority is 100.
slave-priority 100
# It is possible for a master to stop accepting writes if there are less than
# N slaves connected, having a lag less or equal than M seconds.
#
# The N slaves need to be in "online" state.
#
# The lag in seconds, that must be <= the specified value, is calculated from
# the last ping received from the slave, that is usually sent every second.
#
# This option does not GUARANTEE that N replicas will accept the write, but
# will limit the window of exposure for lost writes in case not enough slaves
# are available, to the specified number of seconds.
#
# For example to require at least 3 slaves with a lag <= 10 seconds use:
#
# min-slaves-to-write 3
# min-slaves-max-lag 10
#
# Setting one or the other to 0 disables the feature.
#
# By default min-slaves-to-write is set to 0 (feature disabled) and
# min-slaves-max-lag is set to 10.
################################## SECURITY ###################################
# Require clients to issue AUTH <PASSWORD> before processing any other
# commands. This might be useful in environments in which you do not trust
# others with access to the host running redis-server.
#
# This should stay commented out for backward compatibility and because most
# people do not need auth (e.g. they run their own servers).
#
# Warning: since Redis is pretty fast an outside user can try up to
# 150k passwords per second against a good box. This means that you should
# use a very strong password otherwise it will be very easy to break.
#
# requirepass foobared
# Command renaming.
#
# It is possible to change the name of dangerous commands in a shared
# environment. For instance the CONFIG command may be renamed into something
# hard to guess so that it will still be available for internal-use tools
# but not available for general clients.
#
# Example:
#
# rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52
#
# It is also possible to completely kill a command by renaming it into
# an empty string:
#
# rename-command CONFIG ""
#
# Please note that changing the name of commands that are logged into the
# AOF file or transmitted to slaves may cause problems.
################################### LIMITS ####################################
# Set the max number of connected clients at the same time. By default
# this limit is set to 10000 clients, however if the Redis server is not
# able to configure the process file limit to allow for the specified limit
# the max number of allowed clients is set to the current file limit
# minus 32 (as Redis reserves a few file descriptors for internal uses).
#
# Once the limit is reached Redis will close all the new connections sending
# an error 'max number of clients reached'.
#
maxclients 512
# Don't use more memory than the specified amount of bytes.
# When the memory limit is reached Redis will try to remove keys
# according to the eviction policy selected (see maxmemory-policy).
#
# If Redis can't remove keys according to the policy, or if the policy is
# set to 'noeviction', Redis will start to reply with errors to commands
# that would use more memory, like SET, LPUSH, and so on, and will continue
# to reply to read-only commands like GET.
#
# This option is usually useful when using Redis as an LRU cache, or to set
# a hard memory limit for an instance (using the 'noeviction' policy).
#
# WARNING: If you have slaves attached to an instance with maxmemory on,
# the size of the output buffers needed to feed the slaves are subtracted
# from the used memory count, so that network problems / resyncs will
# not trigger a loop where keys are evicted, and in turn the output
# buffer of slaves is full with DELs of keys evicted triggering the deletion
# of more keys, and so forth until the database is completely emptied.
#
# In short... if you have slaves attached it is suggested that you set a lower
# limit for maxmemory so that there is some free RAM on the system for slave
# output buffers (but this is not needed if the policy is 'noeviction').
#
# maxmemory <bytes>
# MAXMEMORY POLICY: how Redis will select what to remove when maxmemory
# is reached. You can select among five behaviors:
#
# volatile-lru -> remove the key with an expire set using an LRU algorithm
# allkeys-lru -> remove any key according to the LRU algorithm
# volatile-random -> remove a random key with an expire set
# allkeys-random -> remove a random key, any key
# volatile-ttl -> remove the key with the nearest expire time (minor TTL)
# noeviction -> don't expire at all, just return an error on write operations
#
# Note: with any of the above policies, Redis will return an error on write
# operations, when there are no suitable keys for eviction.
#
# At the date of writing these commands are: set setnx setex append
# incr decr rpush lpush rpushx lpushx linsert lset rpoplpush sadd
# sinter sinterstore sunion sunionstore sdiff sdiffstore zadd zincrby
# zunionstore zinterstore hset hsetnx hmset hincrby incrby decrby
# getset mset msetnx exec sort
#
# The default is:
#
# maxmemory-policy noeviction
# LRU and minimal TTL algorithms are not precise algorithms but approximated
# algorithms (in order to save memory), so you can tune it for speed or
# accuracy. For default Redis will check five keys and pick the one that was
# used less recently, you can change the sample size using the following
# configuration directive.
#
# The default of 5 produces good enough results. 10 Approximates very closely
# true LRU but costs a bit more CPU. 3 is very fast but not very accurate.
#
# maxmemory-samples 5
############################## APPEND ONLY MODE ###############################
# By default Redis asynchronously dumps the dataset on disk. This mode is
# good enough in many applications, but an issue with the Redis process or
# a power outage may result into a few minutes of writes lost (depending on
# the configured save points).
#
# The Append Only File is an alternative persistence mode that provides
# much better durability. For instance using the default data fsync policy
# (see later in the config file) Redis can lose just one second of writes in a
# dramatic event like a server power outage, or a single write if something
# wrong with the Redis process itself happens, but the operating system is
# still running correctly.
#
# AOF and RDB persistence can be enabled at the same time without problems.
# If the AOF is enabled on startup Redis will load the AOF, that is the file
# with the better durability guarantees.
#
# Please check http://redis.io/topics/persistence for more information.
appendonly no
# The name of the append only file (default: "appendonly.aof")
appendfilename "appendonly.aof"
# The fsync() call tells the Operating System to actually write data on disk
# instead of waiting for more data in the output buffer. Some OS will really flush
# data on disk, some other OS will just try to do it ASAP.
#
# Redis supports three different modes:
#
# no: don't fsync, just let the OS flush the data when it wants. Faster.
# always: fsync after every write to the append only log. Slow, Safest.
# everysec: fsync only one time every second. Compromise.
#
# The default is "everysec", as that's usually the right compromise between
# speed and data safety. It's up to you to understand if you can relax this to
# "no" that will let the operating system flush the output buffer when
# it wants, for better performances (but if you can live with the idea of
# some data loss consider the default persistence mode that's snapshotting),
# or on the contrary, use "always" that's very slow but a bit safer than
# everysec.
#
# More details please check the following article:
# http://antirez.com/post/redis-persistence-demystified.html
#
# If unsure, use "everysec".
# appendfsync always
appendfsync everysec
# appendfsync no
# When the AOF fsync policy is set to always or everysec, and a background
# saving process (a background save or AOF log background rewriting) is
# performing a lot of I/O against the disk, in some Linux configurations
# Redis may block too long on the fsync() call. Note that there is no fix for
# this currently, as even performing fsync in a different thread will block
# our synchronous write(2) call.
#
# In order to mitigate this problem it's possible to use the following option
# that will prevent fsync() from being called in the main process while a
# BGSAVE or BGREWRITEAOF is in progress.
#
# This means that while another child is saving, the durability of Redis is
# the same as "appendfsync none". In practical terms, this means that it is
# possible to lose up to 30 seconds of log in the worst scenario (with the
# default Linux settings).
#
# If you have latency problems turn this to "yes". Otherwise leave it as
# "no" that is the safest pick from the point of view of durability.
no-appendfsync-on-rewrite no
# Automatic rewrite of the append only file.
# Redis is able to automatically rewrite the log file implicitly calling
# BGREWRITEAOF when the AOF log size grows by the specified percentage.
#
# This is how it works: Redis remembers the size of the AOF file after the
# latest rewrite (if no rewrite has happened since the restart, the size of
# the AOF at startup is used).
#
# This base size is compared to the current size. If the current size is
# bigger than the specified percentage, the rewrite is triggered. Also
# you need to specify a minimal size for the AOF file to be rewritten, this
# is useful to avoid rewriting the AOF file even if the percentage increase
# is reached but it is still pretty small.
#
# Specify a percentage of zero in order to disable the automatic AOF
# rewrite feature.
auto-aof-rewrite-percentage 100
auto-aof-rewrite-min-size 64mb
# An AOF file may be found to be truncated at the end during the Redis
# startup process, when the AOF data gets loaded back into memory.
# This may happen when the system where Redis is running
# crashes, especially when an ext4 filesystem is mounted without the
# data=ordered option (however this can't happen when Redis itself
# crashes or aborts but the operating system still works correctly).
#
# Redis can either exit with an error when this happens, or load as much
# data as possible (the default now) and start if the AOF file is found
# to be truncated at the end. The following option controls this behavior.
#
# If aof-load-truncated is set to yes, a truncated AOF file is loaded and
# the Redis server starts emitting a log to inform the user of the event.
# Otherwise if the option is set to no, the server aborts with an error
# and refuses to start. When the option is set to no, the user requires
# to fix the AOF file using the "redis-check-aof" utility before to restart
# the server.
#
# Note that if the AOF file will be found to be corrupted in the middle
# the server will still exit with an error. This option only applies when
# Redis will try to read more data from the AOF file but not enough bytes
# will be found.
aof-load-truncated yes
################################ LUA SCRIPTING ###############################
# Max execution time of a Lua script in milliseconds.
#
# If the maximum execution time is reached Redis will log that a script is
# still in execution after the maximum allowed time and will start to
# reply to queries with an error.
#
# When a long running script exceeds the maximum execution time only the
# SCRIPT KILL and SHUTDOWN NOSAVE commands are available. The first can be
# used to stop a script that did not yet called write commands. The second
# is the only way to shut down the server in the case a write command was
# already issued by the script but the user doesn't want to wait for the natural
# termination of the script.
#
# Set it to 0 or a negative value for unlimited execution without warnings.
lua-time-limit 5000
################################ REDIS CLUSTER ###############################
#
# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# WARNING EXPERIMENTAL: Redis Cluster is considered to be stable code, however
# in order to mark it as "mature" we need to wait for a non trivial percentage
# of users to deploy it in production.
# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#
# Normal Redis instances can't be part of a Redis Cluster; only nodes that are
# started as cluster nodes can. In order to start a Redis instance as a
# cluster node enable the cluster support uncommenting the following:
#
# cluster-enabled yes
# Every cluster node has a cluster configuration file. This file is not
# intended to be edited by hand. It is created and updated by Redis nodes.
# Every Redis Cluster node requires a different cluster configuration file.
# Make sure that instances running in the same system do not have
# overlapping cluster configuration file names.
#
# cluster-config-file nodes-6379.conf
# Cluster node timeout is the amount of milliseconds a node must be unreachable
# for it to be considered in failure state.
# Most other internal time limits are multiple of the node timeout.
#
# cluster-node-timeout 15000
# A slave of a failing master will avoid to start a failover if its data
# looks too old.
#
# There is no simple way for a slave to actually have a exact measure of
# its "data age", so the following two checks are performed:
#
# 1) If there are multiple slaves able to failover, they exchange messages
# in order to try to give an advantage to the slave with the best
# replication offset (more data from the master processed).
# Slaves will try to get their rank by offset, and apply to the start
# of the failover a delay proportional to their rank.
#
# 2) Every single slave computes the time of the last interaction with
# its master. This can be the last ping or command received (if the master
# is still in the "connected" state), or the time that elapsed since the
# disconnection with the master (if the replication link is currently down).
# If the last interaction is too old, the slave will not try to failover
# at all.
#
# The point "2" can be tuned by user. Specifically a slave will not perform
# the failover if, since the last interaction with the master, the time
# elapsed is greater than:
#
# (node-timeout * slave-validity-factor) + repl-ping-slave-period
#
# So for example if node-timeout is 30 seconds, and the slave-validity-factor
# is 10, and assuming a default repl-ping-slave-period of 10 seconds, the
# slave will not try to failover if it was not able to talk with the master
# for longer than 310 seconds.
#
# A large slave-validity-factor may allow slaves with too old data to failover
# a master, while a too small value may prevent the cluster from being able to
# elect a slave at all.
#
# For maximum availability, it is possible to set the slave-validity-factor
# to a value of 0, which means, that slaves will always try to failover the
# master regardless of the last time they interacted with the master.
# (However they'll always try to apply a delay proportional to their
# offset rank).
#
# Zero is the only value able to guarantee that when all the partitions heal
# the cluster will always be able to continue.
#
# cluster-slave-validity-factor 10
# Cluster slaves are able to migrate to orphaned masters, that are masters
# that are left without working slaves. This improves the cluster ability
# to resist to failures as otherwise an orphaned master can't be failed over
# in case of failure if it has no working slaves.
#
# Slaves migrate to orphaned masters only if there are still at least a
# given number of other working slaves for their old master. This number
# is the "migration barrier". A migration barrier of 1 means that a slave
# will migrate only if there is at least 1 other working slave for its master
# and so forth. It usually reflects the number of slaves you want for every
# master in your cluster.
#
# Default is 1 (slaves migrate only if their masters remain with at least
# one slave). To disable migration just set it to a very large value.
# A value of 0 can be set but is useful only for debugging and dangerous
# in production.
#
# cluster-migration-barrier 1
# By default Redis Cluster nodes stop accepting queries if they detect there
# is at least an hash slot uncovered (no available node is serving it).
# This way if the cluster is partially down (for example a range of hash slots
# are no longer covered) all the cluster becomes, eventually, unavailable.
# It automatically returns available as soon as all the slots are covered again.
#
# However sometimes you want the subset of the cluster which is working,
# to continue to accept queries for the part of the key space that is still
# covered. In order to do so, just set the cluster-require-full-coverage
# option to no.
#
# cluster-require-full-coverage yes
# In order to setup your cluster make sure to read the documentation
# available at http://redis.io web site.
################################## SLOW LOG ###################################
# The Redis Slow Log is a system to log queries that exceeded a specified
# execution time. The execution time does not include the I/O operations
# like talking with the client, sending the reply and so forth,
# but just the time needed to actually execute the command (this is the only
# stage of command execution where the thread is blocked and can not serve
# other requests in the meantime).
#
# You can configure the slow log with two parameters: one tells Redis
# what is the execution time, in microseconds, to exceed in order for the
# command to get logged, and the other parameter is the length of the
# slow log. When a new command is logged the oldest one is removed from the
# queue of logged commands.
# The following time is expressed in microseconds, so 1000000 is equivalent
# to one second. Note that a negative number disables the slow log, while
# a value of zero forces the logging of every command.
slowlog-log-slower-than 10000
# There is no limit to this length. Just be aware that it will consume memory.
# You can reclaim memory used by the slow log with SLOWLOG RESET.
slowlog-max-len 128
################################ LATENCY MONITOR ##############################
# The Redis latency monitoring subsystem samples different operations
# at runtime in order to collect data related to possible sources of
# latency of a Redis instance.
#
# Via the LATENCY command this information is available to the user that can
# print graphs and obtain reports.
#
# The system only logs operations that were performed in a time equal or
# greater than the amount of milliseconds specified via the
# latency-monitor-threshold configuration directive. When its value is set
# to zero, the latency monitor is turned off.
#
# By default latency monitoring is disabled since it is mostly not needed
# if you don't have latency issues, and collecting data has a performance
# impact, that while very small, can be measured under big load. Latency
# monitoring can easily be enabled at runtime using the command
# "CONFIG SET latency-monitor-threshold <milliseconds>" if needed.
latency-monitor-threshold 0
############################# EVENT NOTIFICATION ##############################
# Redis can notify Pub/Sub clients about events happening in the key space.
# This feature is documented at http://redis.io/topics/notifications
#
# For instance if keyspace events notification is enabled, and a client
# performs a DEL operation on key "foo" stored in the Database 0, two
# messages will be published via Pub/Sub:
#
# PUBLISH __keyspace@0__:foo del
# PUBLISH __keyevent@0__:del foo
#
# It is possible to select the events that Redis will notify among a set
# of classes. Every class is identified by a single character:
#
# K Keyspace events, published with __keyspace@<db>__ prefix.
# E Keyevent events, published with __keyevent@<db>__ prefix.
# g Generic commands (non-type specific) like DEL, EXPIRE, RENAME, ...
# $ String commands
# l List commands
# s Set commands
# h Hash commands
# z Sorted set commands
# x Expired events (events generated every time a key expires)
# e Evicted events (events generated when a key is evicted for maxmemory)
# A Alias for g$lshzxe, so that the "AKE" string means all the events.
#
# The "notify-keyspace-events" takes as argument a string that is composed
# of zero or multiple characters. The empty string means that notifications
# are disabled.
#
# Example: to enable list and generic events, from the point of view of the
# event name, use:
#
# notify-keyspace-events Elg
#
# Example 2: to get the stream of the expired keys subscribing to channel
# name __keyevent@0__:expired use:
#
# notify-keyspace-events Ex
#
# By default all notifications are disabled because most users don't need
# this feature and the feature has some overhead. Note that if you don't
# specify at least one of K or E, no events will be delivered.
notify-keyspace-events ""
############################### ADVANCED CONFIG ###############################
# Hashes are encoded using a memory efficient data structure when they have a
# small number of entries, and the biggest entry does not exceed a given
# threshold. These thresholds can be configured using the following directives.
hash-max-ziplist-entries 512
hash-max-ziplist-value 64
# Similarly to hashes, small lists are also encoded in a special way in order
# to save a lot of space. The special representation is only used when
# you are under the following limits:
list-max-ziplist-entries 512
list-max-ziplist-value 64
# Sets have a special encoding in just one case: when a set is composed
# of just strings that happen to be integers in radix 10 in the range
# of 64 bit signed integers.
# The following configuration setting sets the limit in the size of the
# set in order to use this special memory saving encoding.
set-max-intset-entries 512
# Similarly to hashes and lists, sorted sets are also specially encoded in
# order to save a lot of space. This encoding is only used when the length and
# elements of a sorted set are below the following limits:
zset-max-ziplist-entries 128
zset-max-ziplist-value 64
# HyperLogLog sparse representation bytes limit. The limit includes the
# 16 bytes header. When an HyperLogLog using the sparse representation crosses
# this limit, it is converted into the dense representation.
#
# A value greater than 16000 is totally useless, since at that point the
# dense representation is more memory efficient.
#
# The suggested value is ~ 3000 in order to have the benefits of
# the space efficient encoding without slowing down too much PFADD,
# which is O(N) with the sparse encoding. The value can be raised to
# ~ 10000 when CPU is not a concern, but space is, and the data set is
# composed of many HyperLogLogs with cardinality in the 0 - 15000 range.
hll-sparse-max-bytes 3000
# Active rehashing uses 1 millisecond every 100 milliseconds of CPU time in
# order to help rehashing the main Redis hash table (the one mapping top-level
# keys to values). The hash table implementation Redis uses (see dict.c)
# performs a lazy rehashing: the more operation you run into a hash table
# that is rehashing, the more rehashing "steps" are performed, so if the
# server is idle the rehashing is never complete and some more memory is used
# by the hash table.
#
# The default is to use this millisecond 10 times every second in order to
# actively rehash the main dictionaries, freeing memory when possible.
#
# If unsure:
# use "activerehashing no" if you have hard latency requirements and it is
# not a good thing in your environment that Redis can reply from time to time
# to queries with 2 milliseconds delay.
#
# use "activerehashing yes" if you don't have such hard requirements but
# want to free memory asap when possible.
activerehashing yes
# The client output buffer limits can be used to force disconnection of clients
# that are not reading data from the server fast enough for some reason (a
# common reason is that a Pub/Sub client can't consume messages as fast as the
# publisher can produce them).
#
# The limit can be set differently for the three different classes of clients:
#
# normal -> normal clients including MONITOR clients
# slave -> slave clients
# pubsub -> clients subscribed to at least one pubsub channel or pattern
#
# The syntax of every client-output-buffer-limit directive is the following:
#
# client-output-buffer-limit <class> <hard limit> <soft limit> <soft seconds>
#
# A client is immediately disconnected once the hard limit is reached, or if
# the soft limit is reached and remains reached for the specified number of
# seconds (continuously).
# So for instance if the hard limit is 32 megabytes and the soft limit is
# 16 megabytes / 10 seconds, the client will get disconnected immediately
# if the size of the output buffers reach 32 megabytes, but will also get
# disconnected if the client reaches 16 megabytes and continuously overcomes
# the limit for 10 seconds.
#
# By default normal clients are not limited because they don't receive data
# without asking (in a push way), but just after a request, so only
# asynchronous clients may create a scenario where data is requested faster
# than it can read.
#
# Instead there is a default limit for pubsub and slave clients, since
# subscribers and slaves receive data in a push fashion.
#
# Both the hard or the soft limit can be disabled by setting them to zero.
client-output-buffer-limit normal 0 0 0
client-output-buffer-limit slave 256mb 64mb 60
client-output-buffer-limit pubsub 32mb 8mb 60
# Redis calls an internal function to perform many background tasks, like
# closing connections of clients in timeout, purging expired keys that are
# never requested, and so forth.
#
# Not all tasks are performed with the same frequency, but Redis checks for
# tasks to perform according to the specified "hz" value.
#
# By default "hz" is set to 10. Raising the value will use more CPU when
# Redis is idle, but at the same time will make Redis more responsive when
# there are many keys expiring at the same time, and timeouts may be
# handled with more precision.
#
# The range is between 1 and 500, however a value over 100 is usually not
# a good idea. Most users should use the default of 10 and raise this up to
# 100 only in environments where very low latency is required.
hz 10
# When a child rewrites the AOF file, if the following option is enabled
# the file will be fsync-ed every 32 MB of data generated. This is useful
# in order to commit the file to the disk more incrementally and avoid
# big latency spikes.
aof-rewrite-incremental-fsync yes

+ 22
- 0
handlers/main.yml View File

@ -0,0 +1,22 @@
---
# handlers file for nextcloud
- name: restart redis-server
systemd:
name: redis
state: restarted
- name: restart nginx
listen: enable coturn
systemd:
name: nginx
state: restarted
- name: restart php-fpm
systemd:
name: "{{ php_service_name[ansible_distribution] }}"
state: restarted
- name: restart postgresql
systemd:
name: postgresql
state: restarted

+ 23
- 0
meta/main.yml View File

@ -0,0 +1,23 @@
galaxy_info:
author: Mablr
description: Installs nextcloud instance
company: Elukerio
license: GPL-3.0-only
min_ansible_version: 2.8
platforms:
- name: debian
versions:
- buster
- name: ubuntu
versions:
- 20
galaxy_tags:
- nextcloud
- redis
- nginx
- postgres

+ 67
- 0
tasks/letsencrypt.yml View File

@ -0,0 +1,67 @@
---
# tasks file for nextcloud
- name: add additional repos
apt_repository:
repo: 'deb http://ftp.debian.org/{{ ansible_distribution|lower }} {{ ansible_distribution_release }}-backports main'
update_cache: true
state: present
- name: apt dist-upgrade
apt:
upgrade: dist
autoremove: true
- name: install python-certbot-nginx packages
apt:
name: python-certbot-nginx
autoremove: true
default_release: "{{ ansible_distribution_release }}-backports"
state: latest
- name: install needed pip packages
pip:
name: acme
state: latest
- name: include os specific tasks
include_tasks: "{{ ansible_distribution }}.yml"
- name: ensure "{{ dhparam_path | dirname }}" exists
file:
name: "{{ dhparam_path | dirname }}"
owner: root
group: "{{ ansible_env.SUDO_USER | default('root') }}"
mode: 0755
state: directory
- name: use the pre-defined DH groups ffdhe4096 recommended by the IETF in [RFC 7919 https://tools.ietf.org/html/rfc7919]
copy:
dest: "{{ dhparam_path }}"
owner: root
group: root
mode: 0644
content: |
-----BEGIN DH PARAMETERS-----
MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
-----END DH PARAMETERS-----
- name: ensure nginx is stopped nginx
systemd:
name: nginx
state: stopped
enabled: true
- name: install letsencrypt certificates
shell: "certbot certonly --standalone --installer nginx --email {{ cert_email }} --non-interactive --domain {{ fqdn }} --agree-tos {{ cert_stage|default('') }}"
args:
creates: /etc/letsencrypt/live/{{ fqdn }}/cert.pem

+ 31
- 0
tasks/main.yml View File

@ -0,0 +1,31 @@
---
# tasks file for nextcloud
- include_tasks: os.yml
tags: os
- include_tasks: secrets.yml
tags: secrets
- include_tasks: redis.yml
tags: redis
- include_tasks: nginx.yml
tags: nginx
- include_tasks: php.yml
tags: php
- include_tasks: postgres.yml
tags: postgres
- include_tasks: letsencrypt.yml
when: ssl_certificate_type == 'letsencrypt'
tags: letsencrypt
- include_tasks: selfsigned.yml
when: ssl_certificate_type == 'selfsigned'
tags: selfsigned
- include_tasks: nextcloud.yml
tags: nextcloud

+ 191
- 0
tasks/nextcloud.yml View File

@ -0,0 +1,191 @@
---
# tasks file for nextcloud
- name: download nextcloud archive
get_url:
url: "{{ next_archive }}"
dest: /tmp/nextcloud.tar.bz2
checksum: "sha256:{{ next_archive }}.sha256"
- name: install nextcloud
unarchive:
src: /tmp/nextcloud.tar.bz2
dest: /var/www
remote_src: true
creates: /var/www/nextcloud/occ
- name: set permissions
script: permissions.sh
environment:
FQDN: "{{ fqdn }}"
NC_DATADIR: "{{ nc_datadir }}"
WEB_USER: "{{ web_user[ansible_distribution] }}"
WEB_GROUP: "{{ web_group[ansible_distribution] }}"
- block:
- name: selinux targets
sefcontext:
target: "{{ item }}"
setype: httpd_sys_rw_content_t
state: present
with_items:
- '{{ nc_datadir }}(/.*)?'
- '/var/www/nextcloud/config(/.*)?'
- '/var/www/nextcloud/apps(/.*)?'
- '/var/www/nextcloud/assets(/.*)?'
- '/var/www/nextcloud/.htaccess'
- '/var/www/nextcloud/.user.ini'
- '/var/www/nextcloud/3rdparty/aws/aws-sdk-php/src/data/logs(/.*)?'
- '/usr/local/tmp(/.*)?'
- '/upload_tmp(/.*)?'
- name: enable seboolean settings
command: setsebool -P {{ item }} on
loop:
- httpd_can_sendmail
- httpd_unified
- httpd_graceful_shutdown
- httpd_can_network_relay
- httpd_can_network_connect
- httpd_can_network_connect_db
- daemons_enable_cluster_mode
- httpd_execmem
- name: enable seboolean settings
command: semodule -i {{ role_path }}/files/{{ item }}
loop:
- httpd-to-php-fpm.pp
- httpd-to-redis-socket.pp
- httpd-to-upload-tmp.pp
- name: restorecon
command: restorecon -Rv {{ item }}
loop:
- '/var/www/nextcloud/'
- '{{ nc_datadir }}'
- '/upload_tmp'
- '/usr/local/tmp'
when:
- (ansible_os_family == "RedHat")
- ('status' in ansible_selinux)
- (ansible_selinux.status == "enabled")
- name: flush all handlers to restart server
meta: flush_handlers
- name: start nginx
systemd:
name: nginx
state: started
- name: restart redis
systemd:
name: redis
state: restarted
- name: first setup nextcloud
become_user: "{{ web_user[ansible_distribution] }}"
become_flags: "{{ ansible_become_flags | default(omit) }}"
become: yes
shell: >
php occ maintenance:install \
--database {{ nc_db_type }} \
--database-host "{{ nc_db_host }}" \
--database-name {{ nc_db }} \
--database-table-prefix {{ nc_db_prefix }} \
--database-user {{ nc_db_user }} \
--database-pass {{ nc_db_passwd }} \
--admin-user {{ nc_admin }} \
--admin-pass {{ nc_passwd }} \
--data-dir {{ nc_datadir }}
args:
chdir: /var/www/nextcloud/
creates: /var/www/nextcloud/config/config.php
register: setup_nc
- debug: var=setup_nc verbosity=2
- name: set nextcloud domain config.php values
become_user: "{{ web_user[ansible_distribution] }}"
become_flags: "{{ ansible_become_flags | default(omit) }}"
become: yes
shell: php occ config:system:set {{ item.key }} {{ item.value }}
args:
chdir: /var/www/nextcloud/
with_items: "{{ nc_config }}"
- name: set nextcloud mail config.php values
become_user: "{{ web_user[ansible_distribution] }}"
become_flags: "{{ ansible_become_flags | default(omit) }}"
become: yes
shell: php occ config:system:set {{ item.key }} {{ item.value }}
args:
chdir: /var/www/nextcloud/
with_items: "{{ nc_mail_config }}"
when: nc_configure_mail|bool
- name: copy defaults/config.json to /tmp
copy:
src: "{{ role_path }}/defaults/config.json"
dest: /tmp/nextcloud.config.json
owner: "{{ web_user[ansible_distribution] }}"
mode: 0600
- name: set default config
become_user: "{{ web_user[ansible_distribution] }}"
become_flags: "{{ ansible_become_flags | default(omit) }}"
become: yes
shell: php occ config:import /tmp/nextcloud.config.json
args:
chdir: /var/www/nextcloud/
register: setup_nc
- name: copy defaults/config.json to /tmp
file:
name: /tmp/nextcloud.config.json
state: absent
- debug: var=setup_nc verbosity=2
- name: backup jobs, upgrade apps and database tuning
become_user: "{{ web_user[ansible_distribution] }}"
become_flags: "{{ ansible_become_flags | default(omit) }}"
become: yes
shell: php occ {{ item }}
args:
chdir: /var/www/nextcloud/
loop:
- background:cron
- upgrade
- db:add-missing-indices
- db:convert-filecache-bigint
- name: upgrade nextcloud
become_user: "{{ web_user[ansible_distribution] }}"
become_flags: "{{ ansible_become_flags | default(omit) }}"
become: yes
shell: php occ upgrade
args:
chdir: /var/www/nextcloud/
- name: adjust app settings
become_user: "{{ web_user[ansible_distribution] }}"
become_flags: "{{ ansible_become_flags | default(omit) }}"
become: yes
shell: php occ app:{{ item.key }} {{ item.value }}
args:
chdir: /var/www/nextcloud/
with_items: "{{ nc_app_config }}"
- name: add nextcloud cronjob
cron:
name: nextcloud cronjob
minute: '*/15'
user: "{{ web_user[ansible_distribution] }}"
job: "php -f /var/www/nextcloud/cron.php > /dev/null 2>&1"
- name: run nextcloud cronjob
become_user: "{{ web_user[ansible_distribution] }}"
become_flags: "{{ ansible_become_flags | default(omit) }}"
become: yes
shell: php -f /var/www/nextcloud/cron.php
args:
chdir: /var/www/nextcloud/
when: setup_nc is changed

+ 129
- 0
tasks/nginx.yml View File

@ -0,0 +1,129 @@
---
# vars file for nextcloud
- name: add nginx key
apt_key:
url: https://nginx.org/keys/nginx_signing.key
state: present
- name: add additional debian repos
apt_repository:
repo: "{{ item }}"
state: present
update_cache: true
with_items:
- 'deb http://nginx.org/packages/{{ ansible_distribution|lower }}/ {{ ansible_distribution_release }} nginx'
- 'deb-src http://nginx.org/packages/{{ ansible_distribution|lower }}/ {{ ansible_distribution_release }} nginx'
- name: apt dist-upgrade
apt:
upgrade: dist
autoremove: true
- name: install additional packages
apt:
name:
- nginx
- python-pip
- python-netaddr
autoremove: true
allow_unauthenticated: true
state: latest
- name: stop and enable nginx
systemd:
name: nginx
state: stopped
enabled: true
- name: create some folders
file:
name: "{{ item.path }}"
state: directory
owner: "{{ item.owner }}"
group: "{{ item.group }}"
mode: "{{ item.mode }}"
with_items:
- { path: '{{ nc_datadir }}', owner: '{{ web_user[ansible_distribution] }}', group: '{{ web_group[ansible_distribution] }}', mode: '0750' }
- { path: '/var/www', owner: '{{ web_user[ansible_distribution] }}', group: '{{ web_group[ansible_distribution] }}', mode: '0750' }
- { path: '/var/www/letsencrypt', owner: '{{ web_user[ansible_distribution] }}', group: '{{ web_group[ansible_distribution] }}', mode: '0750' }
- { path: '/upload_tmp', owner: '{{ web_user[ansible_distribution] }}', group: '{{ web_group[ansible_distribution] }}', mode: '0755' }
- name: install pip netaddress
pip:
name: netaddr
state: latest
when: false
- name: set netmask
set_fact:
net_mask: "{{ ansible_default_ipv4.network }}/{{ ansible_default_ipv4.netmask }}"
- name: bring /etc/nginx/nginx.conf in place
template:
src: nginx.conf.j2
dest: /etc/nginx/nginx.conf
owner: root
group: root
mode: 0644
force: true
notify: restart nginx
- name: use ec2 public hostname if fqdn is not defined
set_fact:
fqdn: "{{ fqdn if ( fqdn ) else facter_ec2_metadata['public-hostname'] }}"
when: facter_ec2_metadata is defined
- name: use ansible_fqdn if fqdn is not defined
set_fact:
fqdn: "{{ fqdn if ( fqdn ) else ansible_fqdn }}"
- name: nginx nextcloud config
template:
src: nextcloud.conf.j2
dest: /etc/nginx/conf.d/nextcloud.conf
owner: root
group: root
mode: 0644
notify: restart nginx
- name: nginx header config
template:
src: header.conf.j2
dest: /etc/nginx/conf.d/header.conf
owner: root
group: root
mode: 0644
notify: restart nginx
- name: nginx config for ssl
template:
src: ssl.conf.{{ ssl_certificate_type }}.j2
dest: /etc/nginx/conf.d/ssl.conf
owner: root
group: root
mode: 0644
notify: restart nginx
- name: copy some nginx config file
copy:
src: "{{ item }}"
dest: "/etc/nginx/conf.d/{{ item }}"
owner: root
group: root
mode: 0644
force: true
with_items:
- optimization.conf
- php_optimization.conf
- proxy.conf
notify: restart nginx
- name: copy letencrypt.conf
copy:
src: letsencrypt.conf
dest: /etc/nginx/conf.d/letsencrypt.conf
owner: root
group: root
mode: 0644
force: true
notify: restart nginx

+ 113
- 0
tasks/os.yml View File

@ -0,0 +1,113 @@
---
# tasks file for nextcloud
- name: apt dist-upgrade
apt:
upgrade: dist
autoremove: true
- name: install additional packages
apt:
name:
- zip
- unzip
- bzip2
- screen
- curl
- ffmpeg
- imagemagick
- ghostscript
- libfile-fcntllock-perl
- software-properties-common
- apt-transport-https
- facter
state: latest
- name: create some folders
file:
name: "{{ item.path }}"
state: directory
owner: "{{ item.owner }}"
group: "{{ item.group }}"
mode: "{{ item.mode }}"
with_items:
- { path: '/usr/local/tmp/apc', owner: '{{ web_user[ansible_distribution] }}', group: 'root', mode: '1777' }
- { path: '/usr/local/tmp/sessions', owner: '{{ web_user[ansible_distribution] }}', group: 'root', mode: '1777' }
- { path: '/usr/local/tmp/cache', owner: '{{ web_user[ansible_distribution] }}', group: 'root', mode: '1777' }
- name: get uid of web_user
user:
name: "{{ web_user[ansible_distribution] }}"
register: web_user_id
- name: mount tmp fs
mount:
src: "tmpfs"
path: "{{ item }}"
fstype: tmpfs
opts: "defaults,noatime,nosuid,nodev,noexec,mode=1777"
passno: "0"
state: mounted
with_items:
- /tmp
- /var/tmp
- name: mount tmp fs
mount:
src: "tmpfs"
path: "{{ item }}"
fstype: tmpfs
opts: "defaults,uid={{ web_user_id.uid }},size=300M,noatime,nosuid,nodev,noexec,mode=1777"
passno: "0"
state: mounted
with_items:
- /usr/local/tmp/apc
- /usr/local/tmp/cache
- /usr/local/tmp/sessions
# - name: sysctl vm.overcommit_memory=1
# sysctl:
# name: vm.overcommit_memory
# value: "1"
# state: present
# reload: true
# sysctl_file: /etc/sysctl.conf
# - name: sysctl -w net.core.somaxconn=65535
# sysctl:
# name: net.core.somaxconn
# value: "65535"
# state: present
# reload: true
# sysctl_file: /etc/sysctl.conf
# - name: disable transparent hugepages - copy service file
# copy:
# src: disable-transparent-huge-pages.service
# dest: '/lib/systemd/system/disable-transparent-huge-pages.service'
# owner: root
# group: root
# mode: 0644
# - name: enable service disable-transparent-hugepages
# service:
# name: disable-transparent-huge-pages.service
# enabled: true
# state: started
- name: create symbolic link to /usr/bin/gs
file:
src: /usr/bin/gs
dest: /usr/local/bin/gs
state: link
- name: change ImageMagick settings
lineinfile:
path: '/etc/ImageMagick-6/policy.xml'
line: ' <policy domain="coder" rights="read|write" pattern="{{ item }}" />'
regexp: '(.*)<policy domain="coder" rights="(.*)" pattern="{{ item }}" />(.*)'
insertbefore: '</policymap>'
loop:
- PS
- EPI
- PDF
- XPS

+ 100
- 0
tasks/php.yml View File

@ -0,0 +1,100 @@
---
# vars file for nextcloud
- name: add sury.org/php key
apt_key:
url: https://packages.sury.org/php/apt.gpg
state: present
- name: add additional repos
apt_repository:
repo: 'deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main'
validate_certs: true
update_cache: true
state: present
- name: apt dist-upgrade
apt:
upgrade: dist
autoremove: true
- name: install additional packages
apt:
name:
- php{{ php_version }}-fpm
- php{{ php_version }}-gd
- "{{ php_db_extension[nc_db_type] }}"
- php{{ php_version }}-curl
- php{{ php_version }}-xml