diff options
Diffstat (limited to 'roles/nextcloud/tasks')
| -rw-r--r-- | roles/nextcloud/tasks/ldap.yml | 17 | ||||
| -rw-r--r-- | roles/nextcloud/tasks/main.yml | 200 |
2 files changed, 217 insertions, 0 deletions
diff --git a/roles/nextcloud/tasks/ldap.yml b/roles/nextcloud/tasks/ldap.yml new file mode 100644 index 0000000..17cd963 --- /dev/null +++ b/roles/nextcloud/tasks/ldap.yml @@ -0,0 +1,17 @@ +- name: Create /etc/ldap/ssl + file: path=/etc/ldap/ssl + state=directory + owner=root group=root + mode=0755 + +- name: Copy the slapd X.509 certificate + copy: src=certs/ldap/ldap.fripost.org.pem + dest=/etc/ldap/ssl/ldap.fripost.org.pem + owner=root group=root + mode=0644 + +- name: Copy ldap.conf(5) + copy: src=etc/ldap/ldap.conf + dest=/etc/ldap/ldap.conf + owner=root group=root + mode=0644 diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml new file mode 100644 index 0000000..14bc02c --- /dev/null +++ b/roles/nextcloud/tasks/main.yml @@ -0,0 +1,200 @@ +- name: Install PHP + apt: pkg={{ packages }} + vars: + packages: + - php-cli + - php-bcmath + - php-fpm + - php-apcu + - php-gd + - php-gmp + - php-imagick + - php-mbstring + - php-xml + - php-curl + - php-intl + - php-ldap + - php-mysql + - php-zip + - php-json + - php-gmp + +- name: Configure PHP 8.2 Zend opcache + lineinfile: dest=/etc/php/8.2/fpm/php.ini + regexp='^;?{{ item.var }}\\s*=' + line="{{ item.var }} = {{ item.value }}" + owner=root group=root + mode=0644 + with_items: + - { var: opcache.memory_consumption, value: 512 } + - { var: opcache.revalidate_freq, value: 180 } + - { var: opcache.interned_strings_buffer, value: 12 } + notify: + - Restart php8.2-fpm + +- name: Configure PHP 8.2 CLI + lineinfile: dest=/etc/php/8.2/cli/php.ini + regexp='^;?{{ item.var }}\\s*=' + line="{{ item.var }} = {{ item.value }}" + owner=root group=root + mode=0644 + with_items: + - { var: apc.enable_cli, value: 1 } + +- name: Create '_nextcloud' user + user: name=_nextcloud system=yes + group=nogroup + createhome=no + home=/nonexistent + shell=/usr/sbin/nologin + password=! + state=present + +- name: Delete PHP 8.2 FPM's www pool + file: path=/etc/php/8.2/fpm/pool.d/www.conf state=absent + notify: + - Restart php8.2-fpm + +- name: Configure PHP 8.2 FPM's nextcloud pool + copy: src=etc/php/fpm/pool.d/nextcloud.conf + dest=/etc/php/8.2/fpm/pool.d/nextcloud.conf + owner=root group=root + mode=0644 + notify: + - Restart php8.2-fpm + +- name: Start php8.2-fpm + service: name=php8.2-fpm state=started + +- name: Copy /etc/cron.d/nextcloud + copy: src=etc/cron.d/nextcloud + dest=/etc/cron.d/nextcloud + owner=root group=root + mode=0644 + +- name: Copy /etc/nginx/sites-available/nextcloud + copy: src=etc/nginx/sites-available/nextcloud + dest=/etc/nginx/sites-available/nextcloud + owner=root group=root + mode=0644 + register: r1 + notify: + - Restart Nginx + +- name: Create /etc/nginx/sites-enabled/nextcloud + file: src=../sites-available/nextcloud + dest=/etc/nginx/sites-enabled/nextcloud + owner=root group=root + state=link force=yes + register: r2 + notify: + - Restart Nginx + +- name: Copy HPKP header snippet + # never modify the pined pubkeys as we don't want to lock out our users + template: src=etc/nginx/snippets/cloud.fripost.org.hpkp-hdr.j2 + dest=/etc/nginx/snippets/cloud.fripost.org.hpkp-hdr + validate=/bin/false + owner=root group=root + mode=0644 + register: r3 + notify: + - Restart Nginx + +- name: Start Nginx + service: name=nginx state=started + when: not (r1.changed or r2.changed or r3.changed) + +- meta: flush_handlers + +- name: Fetch Nginx's X.509 certificate + # Ensure we don't fetch private data + become: False + fetch_cmd: cmd="openssl x509 -noout -pubkey" + stdin=/etc/nginx/ssl/cloud.fripost.org.pem + dest=certs/public/cloud.fripost.org.pub + tags: + - genkey + +- import_tasks: ldap.yml + when: "'LDAP_provider' not in group_names" + tags: + - ldap + +# Note: intentionally don't set an owner/group as we don't want to set +# ownership unless the path is a mountpoint. The service will fail +# unless the data directory is mounted and accessible, and that's what +# we want. +- name: Create directory /mnt/nextcloud-data + file: path=/mnt/nextcloud-data + state=directory + mode=0700 + +- name: Create directory /var/www/nextcloud + file: path=/var/www/nextcloud + state=directory + owner=root group=root + mode=0755 + +# Note: Nextcloud doesn't like symlinked apps +# * https://github.com/nextcloud/server/issues/10437 +# * https://github.com/nextcloud/server/issues/13556 +- name: Create directory /var/www/nextcloud/apps + file: path=/var/www/nextcloud/apps + state=directory + owner=_nextcloud group=nogroup + mode=0755 + +- name: Create directory /var/log/nextcloud + file: path=/var/log/nextcloud + state=directory + owner=_nextcloud group=adm + mode=0750 + +- name: Create directory /var/cache/nextcloud + file: path=/var/cache/nextcloud + state=directory + owner=_nextcloud group=nogroup + mode=0700 + +- name: Copy Nextcloud logrotate snippet + copy: src=etc/logrotate.d/nextcloud + dest=/etc/logrotate.d/nextcloud + owner=root group=root + mode=0644 + tags: + - logrotate + +- name: Install redis-server + apt: pkg={{ packages }} + vars: + packages: + - php-redis + - redis-server + +- name: Configure Redis + lineinfile: dest=/etc/redis/redis.conf + regexp='^#?\\s*{{ item.var }}\\s+' + line="{{ item.var }} {{ item.value }}" + owner=redis group=redis + mode=0640 + with_items: + - { var: port, value: 0 } + - { var: unixsocket, value: /run/redis/redis-server.sock } + - { var: unixsocketperm, value: 660 } + notify: + - Restart Redis + +- name: Start redis-server + service: name=redis-server state=started + +- name: Add '_nextcloud' user to 'redis' group + user: name=_nextcloud groups=redis append=yes + notify: + - Restart php8.2-fpm + +- name: Install other Nextcloud dependencies + apt: pkg={{ packages }} + vars: + packages: + - libmagickcore-6.q16-6-extra |