Diffstat (limited to 'roles')
-rw-r--r-- | roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf | 1 | ||||
-rw-r--r-- | roles/nextcloud/files/etc/cron.d/nextcloud | 2 | ||||
-rw-r--r-- | roles/nextcloud/files/etc/nginx/sites-available/nextcloud | 1 | ||||
-rw-r--r-- | roles/nextcloud/files/etc/php/fpm/pool.d/nextcloud.conf | 17 | ||||
-rw-r--r-- | roles/nextcloud/tasks/main.yml | 50 |
5 files changed, 52 insertions, 19 deletions
diff --git a/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf b/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf index 48ebc63..f82bc5d 100644 --- a/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf +++ b/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf @@ -1,14 +1,13 @@ # regex to split $uri to $fastcgi_script_name and $fastcgi_path fastcgi_split_path_info ^(.+?\.php)(/.*)$; # Check that the PHP script exists before passing it try_files $fastcgi_script_name =404; # Bypass the fact that try_files resets $fastcgi_path_info # see: http://trac.nginx.org/nginx/ticket/321 set $path_info $fastcgi_path_info; fastcgi_param PATH_INFO $path_info; fastcgi_index index.php; include snippets/fastcgi.conf; -fastcgi_pass unix:/run/php/php7.3-fpm.sock; diff --git a/roles/nextcloud/files/etc/cron.d/nextcloud b/roles/nextcloud/files/etc/cron.d/nextcloud index 681cd43..3c4aac0 100644 --- a/roles/nextcloud/files/etc/cron.d/nextcloud +++ b/roles/nextcloud/files/etc/cron.d/nextcloud @@ -1,2 +1,2 @@ MAILTO=root -*/5 * * * * www-data php -f /usr/local/share/nextcloud/cron.php +*/5 * * * * _nextcloud php -f /usr/local/share/nextcloud/cron.php diff --git a/roles/nextcloud/files/etc/nginx/sites-available/nextcloud b/roles/nextcloud/files/etc/nginx/sites-available/nextcloud index d748dc9..f1f4b66 100644 --- a/roles/nextcloud/files/etc/nginx/sites-available/nextcloud +++ b/roles/nextcloud/files/etc/nginx/sites-available/nextcloud 
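Review bot: The cron.d entry now runs cron.php as `_nextcloud` through the PHP CLI, which reads the cli php.ini rather than the FPM pool, so the `open_basedir` and `PHP_VALUE` limits that the nginx site passes via `fastcgi_param PHP_ADMIN_VALUE` do not apply to the scheduled job. If that restriction is meant as a boundary for the service account rather than only for web requests, it should be enforced where both entry points read it, or at least the difference recorded above the entry, e.g. `# runs under the CLI php.ini, not under the FPM pool's limits`. The account is created with `shell=/usr/sbin/nologin`, which is fine because cron runs the command through its own SHELL, but the job presumably inherits HOME=/nonexistent from the user entry — harmless for cron.php as far as I can tell, worth confirming.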
@@ -59,40 +59,41 @@ server { error_page 403 /core/templates/403.php; error_page 404 /core/templates/404.php; location = / { return 303 $scheme://$host/apps/files/; } location / { rewrite ^ /index.php$uri last; } location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { internal; } location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { internal; } location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) { include snippets/fastcgi-php.conf; fastcgi_param modHeadersAvailable true; fastcgi_param front_controller_active true; fastcgi_intercept_errors on; fastcgi_request_buffering off; fastcgi_param PHP_VALUE "upload_max_filesize=512M post_max_size=512M memory_limit=512M"; fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root:/var/www/nextcloud:/mnt/nextcloud-data:/etc/nextcloud:/var/cache/nextcloud:/var/log/nextcloud:/usr/share/php:/tmp:/dev"; + fastcgi_pass unix:/run/php/php7.3-fpm@nextcloud.sock; } location ~ ^/(?:updater|ocs-provider)(?:$|/) { try_files $uri/ =404; index index.php; } location ~* \.(?:css|js|woff|svg|gif)$ { try_files $uri /index.php$uri$is_args$args; expires 30d; } location ~* \.(?:png|html|ttf|ico|jpg|jpeg)$ { try_files $uri /index.php$uri$is_args$args; } location = /core/img/favicon.ico { alias /var/www/nextcloud/fripost.ico; } } diff --git a/roles/nextcloud/files/etc/php/fpm/pool.d/nextcloud.conf b/roles/nextcloud/files/etc/php/fpm/pool.d/nextcloud.conf new file mode 100644 index 0000000..dfbb8bf --- /dev/null +++ b/roles/nextcloud/files/etc/php/fpm/pool.d/nextcloud.conf 
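Review bot: Moving `fastcgi_pass` from the shared snippet into this location leaves `snippets/fastcgi-php.conf` in roles/common-web with `try_files $fastcgi_script_name =404;` but no backend, so any other site that includes the snippet without adding its own `fastcgi_pass` is no longer proxied to PHP: nginx falls through to the static handler for that location and may return the script file's contents instead of executing it. Every consumer of the snippet (this diff is limited to roles, so others may exist) should be checked for a `fastcgi_pass` line, and the snippet deserves a header comment such as `# Caller must set fastcgi_pass; this snippet no longer pins a socket`. The socket added here matches `listen` in the new pool file (`/run/php/php7.3-fpm@nextcloud.sock`); keeping the two in one variable would prevent them drifting apart later.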
@@ -0,0 +1,17 @@ +[nextcloud] +user = _nextcloud +group = nogroup +listen = /run/php/php7.3-fpm@nextcloud.sock +listen.owner = www-data +listen.group = www-data +listen.mode = 0600 +pm = dynamic +pm.max_children = 5 +pm.start_servers = 2 +pm.min_spare_servers = 1 +pm.max_spare_servers = 3 +env[HOSTNAME] = $HOSTNAME +env[PATH] = /usr/bin:/bin +env[TMP] = /tmp +env[TMPDIR] = /tmp +env[TEMP] = /tmp diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml index 86b505b..8878987 100644 --- a/roles/nextcloud/tasks/main.yml +++ b/roles/nextcloud/tasks/main.yml 
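Review bot: The pool runs as `_nextcloud` with `group = nogroup`, and the user task in roles/nextcloud/tasks/main.yml creates the account with `group=nogroup` and later chowns /var/www/nextcloud/apps and /var/cache/nextcloud to `_nextcloud:nogroup`; `nogroup` is shared with every other nobody/nogroup process on the host, so anything group-readable under those paths is not private to this service. A dedicated system group is tighter at no cost: drop `group=nogroup` from the user task (useradd then typically creates a private `_nextcloud` group), use `group = _nextcloud` here and `group=_nextcloud` in the directory tasks. `listen.owner`/`listen.group` of www-data with `listen.mode = 0600` correctly restricts the socket to nginx. A header comment stating that this pool replaces the packaged `www` pool, which the role deletes, would help the next reader.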
@@ -12,52 +12,59 @@ - php-curl - php-intl - php-ldap - php-mysql - php-zip - php-json - php-gmp - name: Configure PHP 7.3 Zend opcache lineinfile: dest=/etc/php/7.3/fpm/php.ini regexp='^;?{{ item.var }}\\s*=' line="{{ item.var }} = {{ item.value }}" owner=root group=root mode=0644 with_items: - { var: opcache.memory_consumption, value: 512 } - { var: opcache.revalidate_freq, value: 180 } notify: - Restart php7.3-fpm -- name: Configure PHP 7.3 pool environment - lineinfile: dest=/etc/php/7.3/fpm/pool.d/www.conf - regexp='^;?env\[{{ item.var }}\]\\s*=' - line="env[{{ item.var }}] = {{ item.value }}" - owner=root group=root - mode=0644 - with_items: - - { var: HOSTNAME, value: "$HOSTNAME" } - - { var: PATH, value: "/usr/bin:/bin" } - - { var: TMP, value: "/tmp" } - - { var: TMPDIR, value: "/tmp" } - - { var: TEMP, value: "/tmp" } +- name: Create '_nextcloud' user + user: name=_nextcloud system=yes + group=nogroup + createhome=no + home=/nonexistent + shell=/usr/sbin/nologin + password=! + state=present + +- name: Delete PHP 7.3 FPM's www pool + file: path=/etc/php/7.3/fpm/pool.d/www.conf state=absent + notify: + - Restart php7.3-fpm + +- name: Configure PHP 7.3 FPM's nextcloud pool + copy: src=etc/php/fpm/pool.d/nextcloud.conf + dest=/etc/php/7.3/fpm/pool.d/nextcloud.conf + owner=root group=root + mode=0644 notify: - Restart php7.3-fpm - name: Start php7.3-fpm service: name=php7.3-fpm state=started - name: Copy /etc/cron.d/nextcloud copy: src=etc/cron.d/nextcloud dest=/etc/cron.d/nextcloud owner=root group=root mode=0644 - name: Copy /etc/nginx/sites-available/nextcloud copy: src=etc/nginx/sites-available/nextcloud dest=/etc/nginx/sites-available/nextcloud owner=root group=root mode=0644 register: r1 notify: - Restart Nginx 
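Review bot: The two pool tasks give no reason for removing the packaged `www` pool instead of leaving it beside the new one, and a later maintainer may well restore it; suggest a comment above `Delete PHP 7.3 FPM's www pool` such as `# The packaged www pool (www-data, /run/php/php7.3-fpm.sock) is removed so PHP only runs under the dedicated _nextcloud pool`. If the delete succeeds but the copy of nextcloud.conf fails mid-run, the notified restart leaves php-fpm with no pool at all, which it presumably refuses to start with — acceptable for a fail-closed setup, but worth stating in the same comment. In the user task, `password=!` relies on the module passing the value through as the locked-password marker; `# '!' = locked password, no login` saves the reader a lookup.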
@@ -85,82 +92,91 @@ - name: Start Nginx service: name=nginx state=started when: not (r1.changed or r2.changed or r3.changed) - meta: flush_handlers - name: Fetch Nginx's X.509 certificate # Ensure we don't fetch private data become: False fetch_cmd: cmd="openssl x509 -noout -pubkey" stdin=/etc/nginx/ssl/cloud.fripost.org.pem dest=certs/public/cloud.fripost.org.pub tags: - genkey - import_tasks: ldap.yml when: "'LDAP-provider' not in group_names" tags: - ldap +# Note: intentionally don't set an owner/group as we don't want to set +# ownership unless the path is a mountpoint. The service will fail +# unless the data directory is mounted and accessible, and that's what +# we want. +- name: Create directory /mnt/nextcloud-data + file: path=/mnt/nextcloud-data + state=directory + mode=0700 + - name: Create directory /var/www/nextcloud file: path=/var/www/nextcloud state=directory owner=root group=root mode=0755 # Note: Nextcloud doesn't like symlinked apps # * https://github.com/nextcloud/server/issues/10437 # * https://github.com/nextcloud/server/issues/13556 - name: Create directory /var/www/nextcloud/apps file: path=/var/www/nextcloud/apps state=directory - owner=www-data group=www-data + owner=_nextcloud group=nogroup mode=0755 - name: Create directory /var/log/nextcloud file: path=/var/log/nextcloud state=directory - owner=www-data group=adm + owner=_nextcloud group=adm mode=0750 - name: Create directory /var/cache/nextcloud file: path=/var/cache/nextcloud state=directory - owner=www-data group=www-data + owner=_nextcloud group=nogroup mode=0700 - name: Copy Nextcloud logrotate snippet copy: src=etc/logrotate.d/nextcloud dest=/etc/logrotate.d/nextcloud owner=root group=root mode=0644 tags: - logrotate - name: Install redis-server apt: pkg={{ packages }} vars: packages: - php-redis - redis-server - name: Configure Redis lineinfile: dest=/etc/redis/redis.conf regexp='^#?{{ item.var }}\\s+' line="{{ item.var }} {{ item.value }}" owner=redis group=redis mode=0640 
with_items: - { var: port, value: 0 } - { var: unixsocket, value: /run/redis/redis-server.sock } - { var: unixsocketperm, value: 770 } notify: - Restart Redis - name: Start redis-server service: name=redis-server state=started -- name: Add 'www-data' to the group 'redis' - user: name=www-data groups=redis append=yes +- name: Add '_nextcloud' user to 'redis' group + user: name=_nextcloud groups=redis append=yes notify: - Restart php7.3-fpm |