author | Guilhem Moulin <guilhem@fripost.org> | 2018-12-03 03:37:19 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2018-12-03 03:43:48 +0100 |
commit | 5ad9fc5e963b9a461f60799d7f185a9e2e13522f (patch) | |
tree | 8d98b0eaf066f86e8fb24be1ca148be1ec1f1845 | |
parent | 259ad739c650aafd8dddf5afcd829632a6f88a80 (diff) |
Define new host "calima" serving Nextcloud.
-rw-r--r-- | all.yml | 1 | ||||
-rwxr-xr-x | certs/gencerts.sh | 1 | ||||
-rw-r--r-- | certs/ipsec/calima.pem | 14 | ||||
-rw-r--r-- | certs/public/cloud.fripost.org.pub | 14 | ||||
-rw-r--r-- | certs/public/cloud.fripost.org.pub.back | 14 | ||||
-rw-r--r-- | certs/ssh_known_hosts | 2 | ||||
-rw-r--r-- | common.yml | 6 | ||||
-rw-r--r-- | group_vars/all.yml | 1 | ||||
-rw-r--r-- | nextcloud.yml | 5 | ||||
-rw-r--r-- | production | 6 | ||||
-rw-r--r-- | roles/common/templates/etc/iptables/services.j2 | 4 | ||||
-rw-r--r-- | roles/lacme/templates/etc/lacme/lacme-certs.conf.j2 | 9 | ||||
-rw-r--r-- | roles/nextcloud/files/etc/cron.d/nextcloud | 2 | ||||
-rw-r--r-- | roles/nextcloud/files/etc/ldap/ldap.conf | 10 | ||||
-rw-r--r-- | roles/nextcloud/files/etc/nginx/sites-available/nextcloud | 112 | ||||
-rw-r--r-- | roles/nextcloud/handlers/main.yml | 6 | ||||
-rw-r--r-- | roles/nextcloud/tasks/ldap.yml | 17 | ||||
-rw-r--r-- | roles/nextcloud/tasks/main.yml | 108 | ||||
l--------- | roles/nextcloud/templates/etc/nginx/snippets/cloud.fripost.org.hpkp-hdr.j2 | 1 |
19 files changed, 328 insertions, 5 deletions
@@ -1,15 +1,16 @@ --- # Example: # ansible-playbook -i stage_vms all.yml -t rkhunter - import_playbook: common.yml - import_playbook: IMAP.yml - import_playbook: MX.yml - import_playbook: MSA.yml - import_playbook: out.yml - import_playbook: webmail.yml - import_playbook: lists.yml - import_playbook: git.yml - import_playbook: wiki.yml - import_playbook: bacula.yml - import_playbook: munin.yml +- import_playbook: nextcloud.yml diff --git a/certs/gencerts.sh b/certs/gencerts.sh index b25a7d3..291a73f 100755 --- a/certs/gencerts.sh +++ b/certs/gencerts.sh @@ -73,40 +73,41 @@ sshfpr() { done } allfpr() { local typ="$1" [ "$typ" = mdwn ] && indent=' ' || indent=' ' header 'IMAP server' x509fpr '`imap.fripost.org:993` (IMAP over SSL), `sieve.fripost.org:4190` (ManageSieve, `STARTTLS`)' header 'SMTP servers' x509fpr '`smtp.fripost.org:587` (Mail Submission Agent, `STARTTLS`)' x509fpr '`mx1.fripost.org:25` (1st Mail eXchange, `STARTTLS`)' x509fpr '`mx2.fripost.org:25` (2nd Mail eXchange, `STARTTLS`)' header 'Web servers' x509fpr '`fripost.org:443`, `www.fripost.org:443` (website), `wiki.fripost.org:443` (wiki)' x509fpr '`mail.fripost.org:443`, `webmail.fripost.org:443` (webmail)' x509fpr '`lists.fripost.org:443` (list manager)' x509fpr '`git.fripost.org:443` (git server and its web interface)' + x509fpr '`cloud.fripost.org:443` (lagring för delning)' header 'SSH server' sshfpr '`gitolite@git.fripost.org:22`' } [ $# -eq 1 ] || usage asc="$1" asc2=$(mktemp --tmpdir) src=$(mktemp --tmpdir) src2=$(mktemp --tmpdir) mdwn="${asc%.asc}.mdwn" mdwn2=$(mktemp --tmpdir) DIR="$(dirname "$0")/public" VCS_BROWSER='https://git.fripost.org/fripost-ansible' trap 'rm -f "$src" "$src2" "$asc2" "$mdwn2"' EXIT if [ -s "$asc" ]; then "$GPG" $GPG_OPTS --logger-file=/dev/null --output="$src" -- "$asc" diff --git a/certs/ipsec/calima.pem b/certs/ipsec/calima.pem new file mode 100644 index 0000000..58b6537 --- /dev/null +++ b/certs/ipsec/calima.pem 
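Review bot: The entry added to allfpr() in certs/gencerts.sh describes the new service in Swedish, `(lagring för delning)`, while every sibling x509fpr entry in the same function is in English, so the generated fingerprint page mixes languages for this one host. Suggest `(Nextcloud, file storage and sharing)` or similar to match the others. The temp-file setup after allfpr() is unchanged context, and the script continues past the end of the hunk.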
@@ -0,0 +1,14 @@ +-----BEGIN PUBLIC KEY----- +MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoop7XGKDCQDuEneapSL1 +fwZG+7ibMWqiOHxGHA4sOuJ3A6YiC4tiS0O0dpmi6/0mEMtswAcl4JSlOHYl+2mS +TNOt0mMiIQUdDFmM4b3NQXzNJMDAcuZ52/k/MPkGH3lnfjGF2Q0uxiAHX59nEeKO +m6aw6u3iwt8XGP95E3sY7JJ5DKIiZZJsPCFeVyk6vASCeq8S+BOCEHC/IYMAoIZE +DJwfygAtOUH4EuGPHORjLgSUFYpeA7EwpevzXGdEgGPZj6oMk/Qm6oA59V1PnOpF +RkidoaeT7Qxxu+7e3qctg1tUE/DTBVNofpGtLbSaUTxM2iQAxU+Y+7LzvcA2M0jx +9yW9sqHaMOXq2UJrnuaR3hV0rNu5gAZmuetwQs6J3AFmjzR2ADp4xNLnXIQdTXac +Y2Ick7YKDuMFCTdih45YgqtmK1A8fPicr7kXxdA+yKZuRuuWYxvA9bCC+NZEqlLC +HBt4P+Go6wWx1Bt0pb9GJo6kwl6rNSzfpVxuS6hfjaAPmBLveNnpagvpmd7YoUJT +xHNdfCRHYYJWmZCrHBrBSm3CDu4SJIf1S5tIJ7kkK0RXDUoY6wpZIK2Bo0llm+2N +LSAXpSRJsrBq8lFv7Dvb5a7MRXc07xgUWbU2vRuDPNJxxK/SLSkSCnkjUmLJV5/j +j/7YnzPPAOKkg2pRW48vBQMCAwEAAQ== +-----END PUBLIC KEY----- diff --git a/certs/public/cloud.fripost.org.pub b/certs/public/cloud.fripost.org.pub new file mode 100644 index 0000000..fcc2551 --- /dev/null +++ b/certs/public/cloud.fripost.org.pub @@ -0,0 +1,14 @@ +-----BEGIN PUBLIC KEY----- +MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsB6EsiqVH4Ewh+FdJETv +RM+0jT9+r6yqhXEqcihW8zne6Gw4OJQXECZ7BTntMWwwVkyFv0/yjd3wgyD6jeQT +AK8EQkrggb6PF1xOppU9dkXEn1soXShVciS6VFqlC8mJFlaniwWq2Ns5zenCnHc4 +N9dcLuR92PEm7cwhBMve6faLepTB6XHee2Mylrk6z+/Bs31bHE30qqjxZ3Tchedy +HEO3gchaBsYxi8HzZv9sbZz2u0Ho/vn/U6Xac9KV6mY2PvBmKrGxUJzRiT97PCf5 +Q75v4Jfw5uSFlG+6aUMvDriJJlA25rhFnZDAo3WDAGQJHeTuDwPYOUMnzcaWU46X +RM4/XTDfPoS0oXxDUVU+SSTkhkLsX9UC4TVhUtsaN8sQMsCvRvakYhv3yHxb0GPF +iMjJaAyodGAorMUmx6Li5qPuTrm62IIZNcntc5Kng19R2mwFcDNwOz1JissC+ET2 +jbGUtcMPSAw6nodtkUF+TEusXRliIJS4umIern4Bc6O+RohWSPhiCEaqKJ4mXhf6 +a7DyNBrjGeQ2ciZ+JCiSy7aZFzUto/zuswydseXwE61yIcnn1+7oGUK5uiuesXUN +yMLcdmsogjOb4uxO9zH07syh6Nq3OP2AiY64QzVsNBJ5POjcSWu9iimV3u8J8ms4 +XwKK6rpQ1l7jYLLewE2+oBsCAwEAAQ== +-----END PUBLIC KEY----- diff --git a/certs/public/cloud.fripost.org.pub.back b/certs/public/cloud.fripost.org.pub.back new file mode 100644 index 0000000..584e3f3 --- /dev/null 
+++ b/certs/public/cloud.fripost.org.pub.back @@ -0,0 +1,14 @@ +-----BEGIN PUBLIC KEY----- +MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyA1KQ7E+DCWeNLCaPc6b +SWg6cNoHZbJAC1aAeDPPh63AqPJzz/pnARVKn+PeA6MZiHb6xEyst1Im62sc0cGb +z5e0TDZ3H2yk84ibD3GYiL5k2Z4Ig81Arp2MggXxLCwA1/ZvMPk9Ys1hi6oZVz5D +UxGlqowKuYPfRtFkj/pweboXMPbla44LQiGSwdK5JvMtYwg85804RUUetR38Yuuz +zUGdTf+xeNvMMZ196SrIOPAYYI3cGCdZt7gx5U6wFkJA6F3xHGHrMHZE6S4t+h2r +C+dewIQBr6m7z+Ph9z4SUC1XpCMpnoBOhCvPXxhurvT+8HILffk3eo4aogs2mcVR +zSoxdjbkrtpcg7oKXoJua2mEYlWXSax2gbuu+h4C2205G6pQpkmWw/OdRq2YQJmP +kYHrczit9l/K3jAx8JfcCnhdfs8b46n/a3ksc2xkxdxTPMYAyJlkg4iWDSiPf2vI +g4HB1vJPOdBGaoCuQD59XeWItCl9SehN/yBd/LofKxKLvTpYAJC9pVi/Kfzhvym+ +/H6KNIE1FWkKLNdDifzQQACn5wGwOHOmTAOn5u+L0kZt9ttUkJAYzAoH8IvtFZ6P +ut4RRKP+oAC05ORxZyho1UAlXDeF49/MCAKuXNCWJyZm0P+xRhaCn2JQ+8mVjJPW +pdk45F7RLEa9FVbDotvXhs8CAwEAAQ== +-----END PUBLIC KEY----- diff --git a/certs/ssh_known_hosts b/certs/ssh_known_hosts index b60b9c6..99a22e8 100644 --- a/certs/ssh_known_hosts +++ b/certs/ssh_known_hosts 
@@ -1,11 +1,13 @@ antilop.fripost.org ssh-rsa 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 antilop.fripost.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ6R2d9q2fFtu7P4Br7z141ccR8yhY+hgyi2ylNvrcgQ benjamin.marxist.se,benjamin.skangas.se ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArhPJlY+UhU0CILq7EBDLFpZFIemGJsW+d2euZyyYKbZppEtLQHIhXpiW8de1MErT3bkOeS8v8L8v0ZQLvlI/uN6i4yuTDPcf2qYTnoL4P5lzNLDIyNq6YRd26FId0M1A9YJz6t9mORb/Opb3Nq033iz40T2VJ1iJPHlCAcGOyjuxfcaiIrgPWPsKShQNdLkp5k3V0EnJoraB+bgvDfBBH5Cs4cab3EMeWBeZXB2rrICRyKZkm2dXFdDGp9UgujEQazWF0uXKMVZw1A4ZeTKc6GN66Icz5ceBTnJu38pI8ogreVyyKV5WNHeJBTpKhIT6vNQSeu98y1hrF6jIXPuQkw== civett.fripost.org,git.fripost.org ssh-rsa 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 civett.fripost.org,git.fripost.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINCKzoiQ3Ue81kQKl3t1mE2MDuS2ffVfNpNgTI0xKF5B elefant.fripost.org ssh-rsa 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 elefant.fripost.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGvImtTaC8egr1pHneqJfizFizU59VRJocvti5ZayRvF giraff.fripost.org ssh-rsa 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 giraff.fripost.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFgW2S1gVYQGNn9j0PBz7QSIhw0w49YlaZN8ku2RYPm8 mistral.fripost.org ssh-rsa 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 mistral.fripost.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtVVGS/t8LBTinXuDIlVthaOTq9fyP79j1nBOchF4A4 +calima.fripost.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCWqe+XY9I+a4hemK5wIlwbqdDFC+jMP+nJ0SA5wX+5Lsu1sdj2FO4ziNZ0zluLA/YLyGawaqWhMWSBvDLtYa4KAv/kwzuc0Zifj6KfeBYhQnWaUZWIJp4y0KvZyaw1/QBYyea56j93zI4H0Ea9ay1jPL3kPTF9x8ynKNi34PhrEpXrXzvv9jrCgKwrwG1s5iqznzE5Rg0xJQIoKSOJXE+3xAbAA9ZGYtaFemMG+fcm67isGPYKS7DBmaMEsAQF0ri/qNsQOo7vMhw5lmYRNzehq74GL/njXzugp8cmClRGGk0YNWA0b9qfzHRYocX25OzAEQ1JE3b3cvctVeZcimqj +calima.fripost.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJbr+FgV+fnwbDsFJ/oiM79ku3V8N+SQwxuHxODIpsmk 
@@ -1,58 +1,58 @@ --- # XXX: This organization is unfortunate. As of Ansible 1.4, roles are # applied playbook by playbook and not globally for the whole inventory; # therefore if two playbooks are given the role 'common', the tasks # defined in 'common' would be run twice. # The quickfix to ensure that plays are role-disjoint is to create a # separate play for each role. Of course the downside is that we loose # (most of) the advantage of roles... - name: Common tasks hosts: all roles: - common - name: Let's Encrypt - hosts: IMAP:MX:MSA:webmail:lists:wiki:git + hosts: IMAP:MX:MSA:webmail:lists:wiki:git:nextcloud gather_facts: False roles: - lacme tags: - letsencrypt - lacme - ACME - name: Common SQL tasks - hosts: MDA:webmail:lists:bacula-dir + hosts: MDA:webmail:lists:bacula-dir:nextcloud gather_facts: False tags: mysql,sql roles: - common-SQL - name: Common LDAP tasks hosts: MDA:MSA:LDAP-provider:MX gather_facts: True tags: slapd,ldap roles: - common-LDAP - name: Configure the LDAP provider hosts: LDAP-provider gather_facts: False tags: slapd,ldap roles: - LDAP-provider - name: Configure the Web servers - hosts: webmail:wiki:lists:git:munin-master + hosts: webmail:wiki:lists:git:munin-master:nextcloud gather_facts: False tags: nginx,www,web roles: - common-web - name: Configure amavis hosts: out gather_facts: False tags: amavis roles: - amavis diff --git a/group_vars/all.yml b/group_vars/all.yml index 7386dad..49cf935 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml 
@@ -1,38 +1,39 @@ --- non_free_packages: elefant: - firmware-bnx2 # Virtual (non-routable) IPv4 subnet for IPsec. It is always nullrouted # in the absence of xfrm lookup (i.e., when there is no matching IPsec # Security Association) to avoid data leaks. ipsec_subnet: 172.16.0.0/24 ipsec: # Virtual (non-routable) addresses for IPsec. They all need to be # distinct and belong to the above subnet 'ipsec_subnet'. antilop: 172.16.0.1 benjamin: 172.16.0.2 civett: 172.16.0.3 elefant: 172.16.0.4 giraff: 172.16.0.5 mistral: 172.16.0.6 + calima: 172.16.0.7 postfix_instance: # The keys are the group names associated with a Postfix role, and the # values are the name and group (optional) of the instance dedicated # to that role. # For internal services, we also specify its (non-routable) IP address # and port. # XXX it's unfortunate that we can only specify a single address, and # therefore have to limit the number of outgoing SMTP proxy and # IMAP server to one. Since hosts(5) files cannot map and IP # address to multiple hostnames, a workaround would be to use # round-robin DNS, but we can't rely on DNS as long as our zone is # unsigned. IMAP: { name: mda , addr: "{{ (groups.all | length > 1) | ternary( ipsec[ hostvars[groups.IMAP[0]].inventory_hostname_short ], '127.0.0.1') }}" , port: 2526 } MX: { name: mx, group: mta } out: { name: out, group: mta , addr: "{{ (groups.all | length > 1) | ternary( ipsec[ hostvars[groups.out[0]].inventory_hostname_short ], '127.0.0.1') }}" diff --git a/nextcloud.yml b/nextcloud.yml new file mode 100644 index 0000000..84a3c2d --- /dev/null +++ b/nextcloud.yml @@ -0,0 +1,5 @@ +--- +- name: Configure Nextcloud + hosts: nextcloud + roles: + - nextcloud 
@@ -1,38 +1,41 @@ [mistral] mistral.fripost.org geoip=se [elefant] elefant.fripost.org geoip=se mxno=1 [giraff] giraff.fripost.org geoip=se [antilop] antilop.fripost.org geoip=se [civett] civett.fripost.org geoip=se mxno=2 [benjamin] benjamin.skangas.se geoip=se +[calima] +calima.fripost.org geoip=se + # ldap.fripost.org [LDAP-provider:children] mistral [NTP-master:children] mistral # imap.fripost.org [IMAP:children] mistral # mda.fripost.org [MDA:children] IMAP # mx{1,2,3}.fripost.org [MX:children] elefant civett @@ -48,31 +51,34 @@ giraff [bacula-dir:children] benjamin [bacula-sd:children] benjamin # webmail.fripost.org [webmail:children] elefant # lists.fripost.org [lists:children] antilop [wiki:children] civett [git:children] wiki +[nextcloud:children] +calima + [munin-master:children] benjamin # machines behind NAT [NATed:children] benjamin # hostnames resolving to a dynamic IP [DynDNS:children] benjamin diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2 index 563a310..8c606e8 100644 --- a/roles/common/templates/etc/iptables/services.j2 +++ b/roles/common/templates/etc/iptables/services.j2 
@@ -5,43 +5,43 @@ # (in|out|inout)[46]? (tcp|udp|..) (port|port:port|port,port) (port|port:port|port,port) {% if groups.all | length > 1 %} inout udp 500 500 # ISAKMP {% if groups.NATed | length > 0 %} inout4 udp 4500 4500 # IPsec NAT Traversal {% endif %} {% endif %} out tcp 80,443 # HTTP/HTTPS out tcp 9418 # GIT out udp 53 # DNS out tcp 53 # DNS out udp 67 # DHCP out tcp 22 # SSH out udp 123 123 # NTP in tcp {{ ansible_port|default('22') }} # SSH {% if 'LDAP-provider' in group_names %} in tcp 636 # LDAPS -{% elif 'MX' in group_names or 'lists' in group_names %} +{% elif 'MX' in group_names or 'lists' in group_names or 'nextcloud' in group_names %} out tcp 636 # LDAPS {% endif %} {% if 'MX' in group_names %} in tcp 25 # SMTP {% endif %} {% if 'out' in group_names or 'MSA' in group_names %} out tcp 25 # SMTP {% endif %} {% if 'IMAP' in group_names %} in tcp 993 # IMAPS in tcp 4190 # MANAGESIEVE {% endif %} {% if 'MSA' in group_names %} in tcp 587 # SMTP-AUTH {% endif %} -{% if 'webmail' in group_names or 'lists' in group_names or 'wiki' in group_names %} +{% if 'webmail' in group_names or 'lists' in group_names or 'wiki' in group_names or 'nextcloud' in group_names %} in tcp 80,443 # HTTP/HTTPS {% endif %} {% if 'LDAP-provider' in group_names %} out tcp 11371 # HKP out tcp 43 # WHOIS {% endif %} diff --git a/roles/lacme/templates/etc/lacme/lacme-certs.conf.j2 b/roles/lacme/templates/etc/lacme/lacme-certs.conf.j2 index f7b255a..8550d0f 100644 --- a/roles/lacme/templates/etc/lacme/lacme-certs.conf.j2 +++ b/roles/lacme/templates/etc/lacme/lacme-certs.conf.j2 
@@ -43,21 +43,30 @@ subjectAltName = DNS:fripost.org,DNS:www.fripost.org,DNS:wiki.fripost.org notify = /bin/systemctl reload nginx {% endif %} {% if 'webmail' in group_names %} [webmail] certificate-key = /etc/nginx/ssl/mail.fripost.org.key certificate-chain = /etc/nginx/ssl/mail.fripost.org.pem subject = /O=Fripost/CN=mail.fripost.org subjectAltName = DNS:mail.fripost.org,DNS:webmail.fripost.org notify = /bin/systemctl reload nginx {% endif %} {% if 'git' in group_names %} [git] certificate-key = /etc/nginx/ssl/git.fripost.org.key certificate-chain = /etc/nginx/ssl/git.fripost.org.pem subject = /O=Fripost/CN=git.fripost.org notify = /bin/systemctl reload nginx {% endif %} +{% if 'nextcloud' in group_names %} +[cloud] +certificate-key = /etc/nginx/ssl/cloud.fripost.org.key +certificate-chain = /etc/nginx/ssl/cloud.fripost.org.pem +subject = /O=Fripost/CN=cloud.fripost.org +subjectAltName = DNS:cloud.fripost.org,DNS:www.cloud.fripost.org +notify = /bin/systemctl reload nginx +{% endif %} + ; vim:ft=dosini diff --git a/roles/nextcloud/files/etc/cron.d/nextcloud b/roles/nextcloud/files/etc/cron.d/nextcloud new file mode 100644 index 0000000..8bd7d86 --- /dev/null +++ b/roles/nextcloud/files/etc/cron.d/nextcloud @@ -0,0 +1,2 @@ +MAILTO=root +*/15 * * * * www-data php -f /var/www/nextcloud/cron.php diff --git a/roles/nextcloud/files/etc/ldap/ldap.conf b/roles/nextcloud/files/etc/ldap/ldap.conf new file mode 100644 index 0000000..5f388f1 --- /dev/null +++ b/roles/nextcloud/files/etc/ldap/ldap.conf @@ -0,0 +1,10 @@ +# +# LDAP Defaults +# + +# See ldap.conf(5) for details +# This file should be world readable but not world writable. + +# TLS certificates (needed for GnuTLS) +TLS_CACERT /etc/ldap/ssl/ldap.fripost.org.pem +TLS_REQCERT hard diff --git a/roles/nextcloud/files/etc/nginx/sites-available/nextcloud b/roles/nextcloud/files/etc/nginx/sites-available/nextcloud new file mode 100644 index 0000000..9e5e9b0 --- /dev/null 
+++ b/roles/nextcloud/files/etc/nginx/sites-available/nextcloud 
@@ -0,0 +1,112 @@ +server { + listen 80; + listen [::]:80; + + server_name cloud.fripost.org; + + include snippets/acme-challenge.conf; + + access_log /var/log/nginx/cloud.access.log; + error_log /var/log/nginx/cloud.error.log info; + + location / { + return 301 https://$host$request_uri; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name cloud.fripost.org; + + root /var/www/nextcloud/; + + include snippets/headers.conf; + add_header X-Robots-Tag none; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + + include snippets/ssl.conf; + ssl_certificate ssl/cloud.fripost.org.pem; + ssl_certificate_key ssl/cloud.fripost.org.key; + include snippets/cloud.fripost.org.hpkp-hdr; + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + access_log /var/log/nginx/cloud.access.log; + error_log /var/log/nginx/cloud.error.log info; + + location = /.well-known/carddav { return 301 $scheme://$host/remote.php/dav; } + location = /.well-known/caldav { return 301 $scheme://$host/remote.php/dav; } + + # set max upload size + client_max_body_size 512M; + fastcgi_buffers 64 4K; + fastcgi_buffer_size 32k; + + # Enable gzip but do not remove ETag headers + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + error_page 403 /core/templates/403.php; + error_page 404 /core/templates/404.php; + + location = / { return 
303 $scheme://$host/apps/files/; } + location / { rewrite ^ /index.php$uri last; } + + location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { internal; } + location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { internal; } + + location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) { + fastcgi_split_path_info ^(.+\.php)(/.*)$; + include snippets/fastcgi-php.conf; + fastcgi_param modHeadersAvailable true; + fastcgi_param front_controller_active true; + fastcgi_request_buffering off; + fastcgi_param PHP_VALUE "upload_max_filesize=512M + post_max_size=512M + memory_limit=512M"; + fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root:/mnt/nextcloud-data:/etc/nextcloud:/usr/share/php:/tmp:/dev"; + } + + location ~ ^/(?:updater|ocs-provider)(?:$|/) { + try_files $uri/ =404; + index index.php; + } + + location ~* \.(?:css|js|woff|svg|gif)$ { + try_files $uri /index.php$uri$is_args$args; + expires 30d; + } + + location ~* \.(?:png|html|ttf|ico|jpg|jpeg)$ { + try_files $uri /index.php$uri$is_args$args; + } +} + +server { + listen 80; + listen [::]:80; + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name www.cloud.fripost.org; + + include snippets/acme-challenge.conf; + + access_log /var/log/nginx/cloud.access.log; + error_log /var/log/nginx/cloud.error.log info; + + location / { + return 301 https://cloud.fripost.org$request_uri; + } +} diff --git a/roles/nextcloud/handlers/main.yml b/roles/nextcloud/handlers/main.yml new file mode 100644 index 0000000..6552940 --- /dev/null +++ b/roles/nextcloud/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: Restart php7.0-fpm + service: name=php7.0-fpm state=restarted + +- name: Restart Nginx + service: name=nginx state=restarted diff --git a/roles/nextcloud/tasks/ldap.yml b/roles/nextcloud/tasks/ldap.yml new file mode 100644 index 0000000..17cd963 --- /dev/null +++ b/roles/nextcloud/tasks/ldap.yml 
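Review bot: The third server block (server_name www.cloud.fripost.org) listens on `443 ssl http2` but declares neither `ssl_certificate`/`ssl_certificate_key` nor `include snippets/ssl.conf;`, so unless an http-level default is defined in nginx.conf (not on this page) TLS handshakes for www.cloud.fripost.org will fail, even though the lacme section in this same commit requests that name as a SAN. Suggest adding to that block `include snippets/ssl.conf;`, `ssl_certificate ssl/cloud.fripost.org.pem;` and `ssl_certificate_key ssl/cloud.fripost.org.key;`, mirroring the cloud.fripost.org block above it. The plain-HTTP redirect to `https://cloud.fripost.org$request_uri` is fine as written. This hunk starts on the previous line of the page.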
@@ -0,0 +1,17 @@ +- name: Create /etc/ldap/ssl + file: path=/etc/ldap/ssl + state=directory + owner=root group=root + mode=0755 + +- name: Copy the slapd X.509 certificate + copy: src=certs/ldap/ldap.fripost.org.pem + dest=/etc/ldap/ssl/ldap.fripost.org.pem + owner=root group=root + mode=0644 + +- name: Copy ldap.conf(5) + copy: src=etc/ldap/ldap.conf + dest=/etc/ldap/ldap.conf + owner=root group=root + mode=0644 diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml new file mode 100644 index 0000000..09554e0 --- /dev/null +++ b/roles/nextcloud/tasks/main.yml 
@@ -0,0 +1,108 @@ +- name: Install PHP + apt: pkg={{ packages }} + vars: + packages: + - php-cli + - php-fpm + - php-apcu + - php-gd + - php-imagick + - php-mbstring + - php-mcrypt + - php-xml + - php-curl + - php-intl + - php-ldap + - php-mysql + - php-zip + - php-json + +- name: Configure PHP 7.0 Zend opcache + lineinfile: dest=/etc/php/7.0/fpm/php.ini + regexp='^;?{{ item.var }}\\s*=' + line="{{ item.var }} = {{ item.value }}" + owner=root group=root + mode=0644 + with_items: + - { var: opcache.enable, value: 1 } + - { var: opcache.enable_cli, value: 1 } + - { var: opcache.memory_consumption, value: 128 } + - { var: opcache.interned_strings_buffer, value: 8 } + - { var: opcache.max_accelerated_files, value: 10000 } + - { var: opcache.revalidate_freq, value: 1 } + - { var: opcache.fast_shutdown, value: 1 } + notify: + - Restart php7.0-fpm + +- name: Configure PHP 7.0 pool environment + lineinfile: dest=/etc/php/7.0/fpm/pool.d/www.conf + regexp='^;?env\[{{ item.var }}\]\\s*=' + line="env[{{ item.var }}] = {{ item.value }}" + owner=root group=root + mode=0644 + with_items: + - { var: HOSTNAME, value: "$HOSTNAME" } + - { var: PATH, value: "/usr/bin:/bin" } + - { var: TMP, value: "/tmp" } + - { var: TMPDIR, value: "/tmp" } + - { var: TEMP, value: "/tmp" } + notify: + - Restart php7.0-fpm + +- name: Start php7.0-fpm + service: name=php7.0-fpm state=started + +- name: Copy /etc/cron.d/nextcloud + copy: src=etc/cron.d/nextcloud + dest=/etc/cron.d/nextcloud + owner=root group=root + mode=0644 + +- name: Copy /etc/nginx/sites-available/nextcloud + copy: src=etc/nginx/sites-available/nextcloud + dest=/etc/nginx/sites-available/nextcloud + owner=root group=root + mode=0644 + register: r1 + notify: + - Restart Nginx + +- name: Create /etc/nginx/sites-enabled/nextcloud + file: src=../sites-available/nextcloud + dest=/etc/nginx/sites-enabled/nextcloud + owner=root group=root + state=link force=yes + register: r2 + notify: + - Restart Nginx + +- name: Copy HPKP header snippet + 
# never modify the pined pubkeys as we don't want to lock out our users + template: src=etc/nginx/snippets/cloud.fripost.org.hpkp-hdr.j2 + dest=/etc/nginx/snippets/cloud.fripost.org.hpkp-hdr + validate=/bin/false + owner=root group=root + mode=0644 + register: r3 + notify: + - Restart Nginx + +- name: Start Nginx + service: name=nginx state=started + when: not (r1.changed or r2.changed or r3.changed) + +- meta: flush_handlers + +- name: Fetch Nginx's X.509 certificate + # Ensure we don't fetch private data + become: False + fetch_cmd: cmd="openssl x509 -noout -pubkey" + stdin=/etc/nginx/ssl/cloud.fripost.org.pem + dest=certs/public/cloud.fripost.org.pub + tags: + - genkey + +- import_tasks: ldap.yml + when: "'LDAP-provider' not in group_names" + tags: + - ldap diff --git a/roles/nextcloud/templates/etc/nginx/snippets/cloud.fripost.org.hpkp-hdr.j2 b/roles/nextcloud/templates/etc/nginx/snippets/cloud.fripost.org.hpkp-hdr.j2 new file mode 120000 index 0000000..a8ba598 --- /dev/null +++ b/roles/nextcloud/templates/etc/nginx/snippets/cloud.fripost.org.hpkp-hdr.j2 @@ -0,0 +1 @@ +../../../../../../certs/hpkp-hdr.j2
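Review bot: The HPKP snippet task uses `validate=/bin/false` so Ansible can never rewrite the pinned keys, but nothing in the role or the commit records where the private key matching the new backup pin (certs/public/cloud.fripost.org.pub.back) is kept or how a rotation is carried out; losing both pinned keys would lock clients out of cloud.fripost.org for the header's max-age. Suggest extending the task comment to name the offline location of the backup key and the rotation procedure, and fixing `pined` to `pinned` while at it; given that major browsers had already announced withdrawal of HPKP support by late 2018, whether pinning is still worth that risk is worth re-assessing when this host is set up. Separately, the nginx open_basedir in this commit references /var/www/nextcloud, /mnt/nextcloud-data and /etc/nextcloud, yet no task here creates them or installs Nextcloud, so a header comment in tasks/main.yml stating which steps are performed out of band would help the next maintainer.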
\ No newline at end of file |