-rw-r--r--roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf1
-rw-r--r--roles/nextcloud/files/etc/cron.d/nextcloud2
-rw-r--r--roles/nextcloud/files/etc/nginx/sites-available/nextcloud1
-rw-r--r--roles/nextcloud/files/etc/php/fpm/pool.d/nextcloud.conf17
-rw-r--r--roles/nextcloud/tasks/main.yml50
5 files changed, 52 insertions, 19 deletions
diff --git a/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf b/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf
index 48ebc63..f82bc5d 100644
--- a/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf
+++ b/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf
@@ -1,14 +1,13 @@
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;
# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
fastcgi_index index.php;
include snippets/fastcgi.conf;
-fastcgi_pass unix:/run/php/php7.3-fpm.sock;
diff --git a/roles/nextcloud/files/etc/cron.d/nextcloud b/roles/nextcloud/files/etc/cron.d/nextcloud
index 681cd43..3c4aac0 100644
--- a/roles/nextcloud/files/etc/cron.d/nextcloud
+++ b/roles/nextcloud/files/etc/cron.d/nextcloud
@@ -1,2 +1,2 @@
MAILTO=root
-*/5 * * * * www-data php -f /usr/local/share/nextcloud/cron.php
+*/5 * * * * _nextcloud php -f /usr/local/share/nextcloud/cron.php
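Review bot: The cron entry now runs as `_nextcloud` but through the PHP CLI SAPI, so it is not covered by the `open_basedir` that the nginx site hands to the FPM pool via `PHP_ADMIN_VALUE`; the background job therefore has the full filesystem reach of the `_nextcloud` account even though the web-facing interpreter is confined. If the confinement is meant to apply to background jobs as well, pass the same list on the command line, e.g. `*/5 * * * * _nextcloud php -d open_basedir=/usr/local/share/nextcloud:/mnt/nextcloud-data:/etc/nextcloud:/var/cache/nextcloud:/var/log/nextcloud:/usr/share/php:/tmp:/dev -f /usr/local/share/nextcloud/cron.php` (mirroring the site's list, with whatever the site's `$document_root` resolves to substituted), or add a comment stating that the CLI run is deliberately unrestricted.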
diff --git a/roles/nextcloud/files/etc/nginx/sites-available/nextcloud b/roles/nextcloud/files/etc/nginx/sites-available/nextcloud
index d748dc9..f1f4b66 100644
--- a/roles/nextcloud/files/etc/nginx/sites-available/nextcloud
+++ b/roles/nextcloud/files/etc/nginx/sites-available/nextcloud
@@ -59,40 +59,41 @@ server {
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;
location = / { return 303 $scheme://$host/apps/files/; }
location / { rewrite ^ /index.php$uri last; }
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { internal; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { internal; }
location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
include snippets/fastcgi-php.conf;
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
fastcgi_param PHP_VALUE "upload_max_filesize=512M
post_max_size=512M
memory_limit=512M";
fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root:/var/www/nextcloud:/mnt/nextcloud-data:/etc/nextcloud:/var/cache/nextcloud:/var/log/nextcloud:/usr/share/php:/tmp:/dev";
+ fastcgi_pass unix:/run/php/php7.3-fpm@nextcloud.sock;
}
location ~ ^/(?:updater|ocs-provider)(?:$|/) {
try_files $uri/ =404;
index index.php;
}
location ~* \.(?:css|js|woff|svg|gif)$ {
try_files $uri /index.php$uri$is_args$args;
expires 30d;
}
location ~* \.(?:png|html|ttf|ico|jpg|jpeg)$ {
try_files $uri /index.php$uri$is_args$args;
}
location = /core/img/favicon.ico {
alias /var/www/nextcloud/fripost.ico;
}
}
diff --git a/roles/nextcloud/files/etc/php/fpm/pool.d/nextcloud.conf b/roles/nextcloud/files/etc/php/fpm/pool.d/nextcloud.conf
new file mode 100644
index 0000000..dfbb8bf
--- /dev/null
+++ b/roles/nextcloud/files/etc/php/fpm/pool.d/nextcloud.conf
@@ -0,0 +1,17 @@
+[nextcloud]
+user = _nextcloud
+group = nogroup
+listen = /run/php/php7.3-fpm@nextcloud.sock
+listen.owner = www-data
+listen.group = www-data
+listen.mode = 0600
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+env[HOSTNAME] = $HOSTNAME
+env[PATH] = /usr/bin:/bin
+env[TMP] = /tmp
+env[TMPDIR] = /tmp
+env[TEMP] = /tmp
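Review bot: The new pool relies entirely on the nginx site to impose `open_basedir` (the `PHP_ADMIN_VALUE` fastcgi_param in sites-available/nextcloud); nothing in the pool itself limits what PHP running as `_nextcloud` can read, so any other nginx location that is pointed at this socket, or a site that omits that param, gets an unconfined interpreter. Setting it at the pool level makes the restriction independent of the front end: `php_admin_value[open_basedir] = /var/www/nextcloud:/mnt/nextcloud-data:/etc/nextcloud:/var/cache/nextcloud:/var/log/nextcloud:/usr/share/php:/tmp:/dev`, extended with the application root that the site's `$document_root` resolves to (not visible here). The `listen.mode = 0600` with `listen.owner = www-data` already limits connections to nginx's worker user, which is worth a one-line comment above `listen` so the next maintainer does not loosen it.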
diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml
index 86b505b..8878987 100644
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
@@ -12,52 +12,59 @@
- php-curl
- php-intl
- php-ldap
- php-mysql
- php-zip
- php-json
- php-gmp
- name: Configure PHP 7.3 Zend opcache
lineinfile: dest=/etc/php/7.3/fpm/php.ini
regexp='^;?{{ item.var }}\\s*='
line="{{ item.var }} = {{ item.value }}"
owner=root group=root
mode=0644
with_items:
- { var: opcache.memory_consumption, value: 512 }
- { var: opcache.revalidate_freq, value: 180 }
notify:
- Restart php7.3-fpm
-- name: Configure PHP 7.3 pool environment
- lineinfile: dest=/etc/php/7.3/fpm/pool.d/www.conf
- regexp='^;?env\[{{ item.var }}\]\\s*='
- line="env[{{ item.var }}] = {{ item.value }}"
- owner=root group=root
- mode=0644
- with_items:
- - { var: HOSTNAME, value: "$HOSTNAME" }
- - { var: PATH, value: "/usr/bin:/bin" }
- - { var: TMP, value: "/tmp" }
- - { var: TMPDIR, value: "/tmp" }
- - { var: TEMP, value: "/tmp" }
+- name: Create '_nextcloud' user
+ user: name=_nextcloud system=yes
+ group=nogroup
+ createhome=no
+ home=/nonexistent
+ shell=/usr/sbin/nologin
+ password=!
+ state=present
+
+- name: Delete PHP 7.3 FPM's www pool
+ file: path=/etc/php/7.3/fpm/pool.d/www.conf state=absent
+ notify:
+ - Restart php7.3-fpm
+
+- name: Configure PHP 7.3 FPM's nextcloud pool
+ copy: src=etc/php/fpm/pool.d/nextcloud.conf
+ dest=/etc/php/7.3/fpm/pool.d/nextcloud.conf
+ owner=root group=root
+ mode=0644
notify:
- Restart php7.3-fpm
- name: Start php7.3-fpm
service: name=php7.3-fpm state=started
- name: Copy /etc/cron.d/nextcloud
copy: src=etc/cron.d/nextcloud
dest=/etc/cron.d/nextcloud
owner=root group=root
mode=0644
- name: Copy /etc/nginx/sites-available/nextcloud
copy: src=etc/nginx/sites-available/nextcloud
dest=/etc/nginx/sites-available/nextcloud
owner=root group=root
mode=0644
register: r1
notify:
- Restart Nginx
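Review bot: `group=nogroup` in the `Create '_nextcloud' user` task gives the service a primary group it shares with `nobody` and any other daemon that falls back to nogroup, so anything the application leaves group-readable or group-writable is reachable by those accounts, which undercuts the isolation the dedicated user is meant to provide. A dedicated primary group is the conventional fix: add a `- name: Create '_nextcloud' group` task with `group: name=_nextcloud system=yes` before the user task and use `group=_nextcloud` in its place. The same substitution would then apply wherever `nogroup` is referenced for Nextcloud paths in this role, including the pool configuration.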
@@ -85,82 +92,91 @@
- name: Start Nginx
service: name=nginx state=started
when: not (r1.changed or r2.changed or r3.changed)
- meta: flush_handlers
- name: Fetch Nginx's X.509 certificate
# Ensure we don't fetch private data
become: False
fetch_cmd: cmd="openssl x509 -noout -pubkey"
stdin=/etc/nginx/ssl/cloud.fripost.org.pem
dest=certs/public/cloud.fripost.org.pub
tags:
- genkey
- import_tasks: ldap.yml
when: "'LDAP-provider' not in group_names"
tags:
- ldap
+# Note: intentionally don't set an owner/group as we don't want to set
+# ownership unless the path is a mountpoint. The service will fail
+# unless the data directory is mounted and accessible, and that's what
+# we want.
+- name: Create directory /mnt/nextcloud-data
+ file: path=/mnt/nextcloud-data
+ state=directory
+ mode=0700
+
- name: Create directory /var/www/nextcloud
file: path=/var/www/nextcloud
state=directory
owner=root group=root
mode=0755
# Note: Nextcloud doesn't like symlinked apps
# * https://github.com/nextcloud/server/issues/10437
# * https://github.com/nextcloud/server/issues/13556
- name: Create directory /var/www/nextcloud/apps
file: path=/var/www/nextcloud/apps
state=directory
- owner=www-data group=www-data
+ owner=_nextcloud group=nogroup
mode=0755
- name: Create directory /var/log/nextcloud
file: path=/var/log/nextcloud
state=directory
- owner=www-data group=adm
+ owner=_nextcloud group=adm
mode=0750
- name: Create directory /var/cache/nextcloud
file: path=/var/cache/nextcloud
state=directory
- owner=www-data group=www-data
+ owner=_nextcloud group=nogroup
mode=0700
- name: Copy Nextcloud logrotate snippet
copy: src=etc/logrotate.d/nextcloud
dest=/etc/logrotate.d/nextcloud
owner=root group=root
mode=0644
tags:
- logrotate
- name: Install redis-server
apt: pkg={{ packages }}
vars:
packages:
- php-redis
- redis-server
- name: Configure Redis
lineinfile: dest=/etc/redis/redis.conf
regexp='^#?{{ item.var }}\\s+'
line="{{ item.var }} {{ item.value }}"
owner=redis group=redis
mode=0640
with_items:
- { var: port, value: 0 }
- { var: unixsocket, value: /run/redis/redis-server.sock }
- { var: unixsocketperm, value: 770 }
notify:
- Restart Redis
- name: Start redis-server
service: name=redis-server state=started
-- name: Add 'www-data' to the group 'redis'
- user: name=www-data groups=redis append=yes
+- name: Add '_nextcloud' user to 'redis' group
+ user: name=_nextcloud groups=redis append=yes
notify:
- Restart php7.3-fpm
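Review bot: The ownership change from `www-data` to `_nextcloud` is applied only to the top-level directories — the `file: state=directory owner=_nextcloud` tasks for /var/www/nextcloud/apps, /var/log/nextcloud and /var/cache/nextcloud carry no `recurse` — so on a host migrated from the previous www-data setup the existing contents of those directories, and presumably the data on the /mnt/nextcloud-data mount, stay owned by www-data and the new pool cannot write them. Either add `recurse=yes` to those three tasks to cover the one-off migration, or state the manual step in the comment above the /mnt/nextcloud-data task, which currently explains only that ownership is deliberately not set: `# The mounted data directory must be owned by _nextcloud (mode 0700); this playbook deliberately does not chown it, and existing www-data-owned files must be migrated by hand.`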