From 5ad9fc5e963b9a461f60799d7f185a9e2e13522f Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Mon, 3 Dec 2018 03:37:19 +0100 Subject: Define new host "calima" serving Nextcloud. --- all.yml | 1 + certs/gencerts.sh | 1 + certs/ipsec/calima.pem | 14 +++ certs/public/cloud.fripost.org.pub | 14 +++ certs/public/cloud.fripost.org.pub.back | 14 +++ certs/ssh_known_hosts | 2 + common.yml | 6 +- group_vars/all.yml | 1 + nextcloud.yml | 5 + production | 6 ++ roles/common/templates/etc/iptables/services.j2 | 4 +- .../lacme/templates/etc/lacme/lacme-certs.conf.j2 | 9 ++ roles/nextcloud/files/etc/cron.d/nextcloud | 2 + roles/nextcloud/files/etc/ldap/ldap.conf | 10 ++ .../files/etc/nginx/sites-available/nextcloud | 112 +++++++++++++++++++++ roles/nextcloud/handlers/main.yml | 6 ++ roles/nextcloud/tasks/ldap.yml | 17 ++++ roles/nextcloud/tasks/main.yml | 108 ++++++++++++++++++++ .../nginx/snippets/cloud.fripost.org.hpkp-hdr.j2 | 1 + 19 files changed, 328 insertions(+), 5 deletions(-) create mode 100644 certs/ipsec/calima.pem create mode 100644 certs/public/cloud.fripost.org.pub create mode 100644 certs/public/cloud.fripost.org.pub.back create mode 100644 nextcloud.yml create mode 100644 roles/nextcloud/files/etc/cron.d/nextcloud create mode 100644 roles/nextcloud/files/etc/ldap/ldap.conf create mode 100644 roles/nextcloud/files/etc/nginx/sites-available/nextcloud create mode 100644 roles/nextcloud/handlers/main.yml create mode 100644 roles/nextcloud/tasks/ldap.yml create mode 100644 roles/nextcloud/tasks/main.yml create mode 120000 roles/nextcloud/templates/etc/nginx/snippets/cloud.fripost.org.hpkp-hdr.j2 diff --git a/all.yml b/all.yml index fa3c85d..b86337c 100644 --- a/all.yml +++ b/all.yml @@ -13,3 +13,4 @@ - import_playbook: wiki.yml - import_playbook: bacula.yml - import_playbook: munin.yml +- import_playbook: nextcloud.yml diff --git a/certs/gencerts.sh b/certs/gencerts.sh index b25a7d3..291a73f 100755 --- a/certs/gencerts.sh +++ b/certs/gencerts.sh 
@@ -90,6 +90,7 @@ allfpr() { x509fpr '`mail.fripost.org:443`, `webmail.fripost.org:443` (webmail)' x509fpr '`lists.fripost.org:443` (list manager)' x509fpr '`git.fripost.org:443` (git server and its web interface)' + x509fpr '`cloud.fripost.org:443` (lagring för delning)' header 'SSH server' sshfpr '`gitolite@git.fripost.org:22`' diff --git a/certs/ipsec/calima.pem b/certs/ipsec/calima.pem new file mode 100644 index 0000000..58b6537 --- /dev/null +++ b/certs/ipsec/calima.pem @@ -0,0 +1,14 @@ +-----BEGIN PUBLIC KEY----- +MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoop7XGKDCQDuEneapSL1 +fwZG+7ibMWqiOHxGHA4sOuJ3A6YiC4tiS0O0dpmi6/0mEMtswAcl4JSlOHYl+2mS +TNOt0mMiIQUdDFmM4b3NQXzNJMDAcuZ52/k/MPkGH3lnfjGF2Q0uxiAHX59nEeKO +m6aw6u3iwt8XGP95E3sY7JJ5DKIiZZJsPCFeVyk6vASCeq8S+BOCEHC/IYMAoIZE +DJwfygAtOUH4EuGPHORjLgSUFYpeA7EwpevzXGdEgGPZj6oMk/Qm6oA59V1PnOpF +RkidoaeT7Qxxu+7e3qctg1tUE/DTBVNofpGtLbSaUTxM2iQAxU+Y+7LzvcA2M0jx +9yW9sqHaMOXq2UJrnuaR3hV0rNu5gAZmuetwQs6J3AFmjzR2ADp4xNLnXIQdTXac +Y2Ick7YKDuMFCTdih45YgqtmK1A8fPicr7kXxdA+yKZuRuuWYxvA9bCC+NZEqlLC +HBt4P+Go6wWx1Bt0pb9GJo6kwl6rNSzfpVxuS6hfjaAPmBLveNnpagvpmd7YoUJT +xHNdfCRHYYJWmZCrHBrBSm3CDu4SJIf1S5tIJ7kkK0RXDUoY6wpZIK2Bo0llm+2N +LSAXpSRJsrBq8lFv7Dvb5a7MRXc07xgUWbU2vRuDPNJxxK/SLSkSCnkjUmLJV5/j +j/7YnzPPAOKkg2pRW48vBQMCAwEAAQ== +-----END PUBLIC KEY----- diff --git a/certs/public/cloud.fripost.org.pub b/certs/public/cloud.fripost.org.pub new file mode 100644 index 0000000..fcc2551 --- /dev/null +++ b/certs/public/cloud.fripost.org.pub 
@@ -0,0 +1,14 @@ +-----BEGIN PUBLIC KEY----- +MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsB6EsiqVH4Ewh+FdJETv +RM+0jT9+r6yqhXEqcihW8zne6Gw4OJQXECZ7BTntMWwwVkyFv0/yjd3wgyD6jeQT +AK8EQkrggb6PF1xOppU9dkXEn1soXShVciS6VFqlC8mJFlaniwWq2Ns5zenCnHc4 +N9dcLuR92PEm7cwhBMve6faLepTB6XHee2Mylrk6z+/Bs31bHE30qqjxZ3Tchedy +HEO3gchaBsYxi8HzZv9sbZz2u0Ho/vn/U6Xac9KV6mY2PvBmKrGxUJzRiT97PCf5 +Q75v4Jfw5uSFlG+6aUMvDriJJlA25rhFnZDAo3WDAGQJHeTuDwPYOUMnzcaWU46X +RM4/XTDfPoS0oXxDUVU+SSTkhkLsX9UC4TVhUtsaN8sQMsCvRvakYhv3yHxb0GPF +iMjJaAyodGAorMUmx6Li5qPuTrm62IIZNcntc5Kng19R2mwFcDNwOz1JissC+ET2 +jbGUtcMPSAw6nodtkUF+TEusXRliIJS4umIern4Bc6O+RohWSPhiCEaqKJ4mXhf6 +a7DyNBrjGeQ2ciZ+JCiSy7aZFzUto/zuswydseXwE61yIcnn1+7oGUK5uiuesXUN +yMLcdmsogjOb4uxO9zH07syh6Nq3OP2AiY64QzVsNBJ5POjcSWu9iimV3u8J8ms4 +XwKK6rpQ1l7jYLLewE2+oBsCAwEAAQ== +-----END PUBLIC KEY----- diff --git a/certs/public/cloud.fripost.org.pub.back b/certs/public/cloud.fripost.org.pub.back new file mode 100644 index 0000000..584e3f3 --- /dev/null +++ b/certs/public/cloud.fripost.org.pub.back @@ -0,0 +1,14 @@ +-----BEGIN PUBLIC KEY----- +MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyA1KQ7E+DCWeNLCaPc6b +SWg6cNoHZbJAC1aAeDPPh63AqPJzz/pnARVKn+PeA6MZiHb6xEyst1Im62sc0cGb +z5e0TDZ3H2yk84ibD3GYiL5k2Z4Ig81Arp2MggXxLCwA1/ZvMPk9Ys1hi6oZVz5D +UxGlqowKuYPfRtFkj/pweboXMPbla44LQiGSwdK5JvMtYwg85804RUUetR38Yuuz +zUGdTf+xeNvMMZ196SrIOPAYYI3cGCdZt7gx5U6wFkJA6F3xHGHrMHZE6S4t+h2r +C+dewIQBr6m7z+Ph9z4SUC1XpCMpnoBOhCvPXxhurvT+8HILffk3eo4aogs2mcVR +zSoxdjbkrtpcg7oKXoJua2mEYlWXSax2gbuu+h4C2205G6pQpkmWw/OdRq2YQJmP +kYHrczit9l/K3jAx8JfcCnhdfs8b46n/a3ksc2xkxdxTPMYAyJlkg4iWDSiPf2vI +g4HB1vJPOdBGaoCuQD59XeWItCl9SehN/yBd/LofKxKLvTpYAJC9pVi/Kfzhvym+ +/H6KNIE1FWkKLNdDifzQQACn5wGwOHOmTAOn5u+L0kZt9ttUkJAYzAoH8IvtFZ6P +ut4RRKP+oAC05ORxZyho1UAlXDeF49/MCAKuXNCWJyZm0P+xRhaCn2JQ+8mVjJPW +pdk45F7RLEa9FVbDotvXhs8CAwEAAQ== +-----END PUBLIC KEY----- diff --git a/certs/ssh_known_hosts b/certs/ssh_known_hosts index b60b9c6..99a22e8 100644 --- a/certs/ssh_known_hosts 
+++ b/certs/ssh_known_hosts @@ -9,3 +9,5 @@ giraff.fripost.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC4LvKA4E8S/Yh8Il8NqnSYR giraff.fripost.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFgW2S1gVYQGNn9j0PBz7QSIhw0w49YlaZN8ku2RYPm8 mistral.fripost.org ssh-rsa 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 mistral.fripost.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtVVGS/t8LBTinXuDIlVthaOTq9fyP79j1nBOchF4A4 +calima.fripost.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCWqe+XY9I+a4hemK5wIlwbqdDFC+jMP+nJ0SA5wX+5Lsu1sdj2FO4ziNZ0zluLA/YLyGawaqWhMWSBvDLtYa4KAv/kwzuc0Zifj6KfeBYhQnWaUZWIJp4y0KvZyaw1/QBYyea56j93zI4H0Ea9ay1jPL3kPTF9x8ynKNi34PhrEpXrXzvv9jrCgKwrwG1s5iqznzE5Rg0xJQIoKSOJXE+3xAbAA9ZGYtaFemMG+fcm67isGPYKS7DBmaMEsAQF0ri/qNsQOo7vMhw5lmYRNzehq74GL/njXzugp8cmClRGGk0YNWA0b9qfzHRYocX25OzAEQ1JE3b3cvctVeZcimqj +calima.fripost.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJbr+FgV+fnwbDsFJ/oiM79ku3V8N+SQwxuHxODIpsmk diff --git a/common.yml b/common.yml index 2136c5d..f670699 100644 --- a/common.yml +++ b/common.yml @@ -13,7 +13,7 @@ - common - name: Let's Encrypt - hosts: IMAP:MX:MSA:webmail:lists:wiki:git + hosts: IMAP:MX:MSA:webmail:lists:wiki:git:nextcloud gather_facts: False roles: - lacme @@ -23,7 +23,7 @@ - ACME - name: Common SQL tasks - hosts: MDA:webmail:lists:bacula-dir + hosts: MDA:webmail:lists:bacula-dir:nextcloud gather_facts: False tags: mysql,sql roles: @@ -44,7 +44,7 @@ - LDAP-provider - name: Configure the Web servers - hosts: webmail:wiki:lists:git:munin-master + hosts: webmail:wiki:lists:git:munin-master:nextcloud gather_facts: False tags: nginx,www,web roles: diff --git a/group_vars/all.yml b/group_vars/all.yml index 7386dad..49cf935 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml @@ -16,6 +16,7 @@ ipsec: elefant: 172.16.0.4 giraff: 172.16.0.5 mistral: 172.16.0.6 + calima: 172.16.0.7 postfix_instance: diff --git a/nextcloud.yml b/nextcloud.yml new file mode 100644 index 0000000..84a3c2d --- /dev/null +++ b/nextcloud.yml 
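Review bot: The ssh-rsa host key added for calima.fripost.org appears to be a 2048-bit key — its blob starts `AAAAB3NzaC1yc2EAAAADAQABAAABAQ`, i.e. a 257-byte modulus, whereas the giraff.fripost.org key two lines above starts `...AAACAQ`, a 4096-bit modulus. 2048-bit RSA is still acceptable, but it makes the new host the weakest RSA key in the visible fleet; if the key came from ssh-keygen defaults, consider regenerating with `ssh-keygen -t rsa -b 4096` before the fingerprint is published in gencerts.sh, since host keys are painful to rotate once clients have cached them. The ed25519 line is fine and clients that prefer it are unaffected.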
@@ -0,0 +1,5 @@ +--- +- name: Configure Nextcloud + hosts: nextcloud + roles: + - nextcloud diff --git a/production b/production index 192976b..92eae30 100644 --- a/production +++ b/production @@ -16,6 +16,9 @@ civett.fripost.org geoip=se mxno=2 [benjamin] benjamin.skangas.se geoip=se +[calima] +calima.fripost.org geoip=se + # ldap.fripost.org [LDAP-provider:children] @@ -65,6 +68,9 @@ civett [git:children] wiki +[nextcloud:children] +calima + [munin-master:children] benjamin diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2 index 563a310..8c606e8 100644 --- a/roles/common/templates/etc/iptables/services.j2 +++ b/roles/common/templates/etc/iptables/services.j2 @@ -22,7 +22,7 @@ out udp 123 123 # NTP in tcp {{ ansible_port|default('22') }} # SSH {% if 'LDAP-provider' in group_names %} in tcp 636 # LDAPS -{% elif 'MX' in group_names or 'lists' in group_names %} +{% elif 'MX' in group_names or 'lists' in group_names or 'nextcloud' in group_names %} out tcp 636 # LDAPS {% endif %} {% if 'MX' in group_names %} @@ -38,7 +38,7 @@ in tcp 4190 # MANAGESIEVE {% if 'MSA' in group_names %} in tcp 587 # SMTP-AUTH {% endif %} -{% if 'webmail' in group_names or 'lists' in group_names or 'wiki' in group_names %} +{% if 'webmail' in group_names or 'lists' in group_names or 'wiki' in group_names or 'nextcloud' in group_names %} in tcp 80,443 # HTTP/HTTPS {% endif %} {% if 'LDAP-provider' in group_names %} diff --git a/roles/lacme/templates/etc/lacme/lacme-certs.conf.j2 b/roles/lacme/templates/etc/lacme/lacme-certs.conf.j2 index f7b255a..8550d0f 100644 --- a/roles/lacme/templates/etc/lacme/lacme-certs.conf.j2 +++ b/roles/lacme/templates/etc/lacme/lacme-certs.conf.j2 
@@ -60,4 +60,13 @@ subject = /O=Fripost/CN=git.fripost.org notify = /bin/systemctl reload nginx {% endif %} +{% if 'nextcloud' in group_names %} +[cloud] +certificate-key = /etc/nginx/ssl/cloud.fripost.org.key +certificate-chain = /etc/nginx/ssl/cloud.fripost.org.pem +subject = /O=Fripost/CN=cloud.fripost.org +subjectAltName = DNS:cloud.fripost.org,DNS:www.cloud.fripost.org +notify = /bin/systemctl reload nginx +{% endif %} + ; vim:ft=dosini diff --git a/roles/nextcloud/files/etc/cron.d/nextcloud b/roles/nextcloud/files/etc/cron.d/nextcloud new file mode 100644 index 0000000..8bd7d86 --- /dev/null +++ b/roles/nextcloud/files/etc/cron.d/nextcloud @@ -0,0 +1,2 @@ +MAILTO=root +*/15 * * * * www-data php -f /var/www/nextcloud/cron.php diff --git a/roles/nextcloud/files/etc/ldap/ldap.conf b/roles/nextcloud/files/etc/ldap/ldap.conf new file mode 100644 index 0000000..5f388f1 --- /dev/null +++ b/roles/nextcloud/files/etc/ldap/ldap.conf @@ -0,0 +1,10 @@ +# +# LDAP Defaults +# + +# See ldap.conf(5) for details +# This file should be world readable but not world writable. + +# TLS certificates (needed for GnuTLS) +TLS_CACERT /etc/ldap/ssl/ldap.fripost.org.pem +TLS_REQCERT hard diff --git a/roles/nextcloud/files/etc/nginx/sites-available/nextcloud b/roles/nextcloud/files/etc/nginx/sites-available/nextcloud new file mode 100644 index 0000000..9e5e9b0 --- /dev/null +++ b/roles/nextcloud/files/etc/nginx/sites-available/nextcloud 
@@ -0,0 +1,112 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name cloud.fripost.org;
+
+ include snippets/acme-challenge.conf;
+
+ access_log /var/log/nginx/cloud.access.log;
+ error_log /var/log/nginx/cloud.error.log info;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name cloud.fripost.org;
+
+ root /var/www/nextcloud/;
+
+ include snippets/headers.conf;
+ add_header X-Robots-Tag none;
+ add_header X-Download-Options noopen;
+ add_header X-Permitted-Cross-Domain-Policies none;
+
+ include snippets/ssl.conf;
+ ssl_certificate ssl/cloud.fripost.org.pem;
+ ssl_certificate_key ssl/cloud.fripost.org.key;
+ include snippets/cloud.fripost.org.hpkp-hdr;
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ access_log /var/log/nginx/cloud.access.log;
+ error_log /var/log/nginx/cloud.error.log info;
+
+ location = /.well-known/carddav { return 301 $scheme://$host/remote.php/dav; }
+ location = /.well-known/caldav { return 301 $scheme://$host/remote.php/dav; }
+
+ # set max upload size
+ client_max_body_size 512M;
+ fastcgi_buffers 64 4K;
+ fastcgi_buffer_size 32k;
+
+ # Enable gzip but do not remove ETag headers
+ gzip on;
+ gzip_vary on;
+ gzip_comp_level 4;
+ gzip_min_length 256;
+ gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+ gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+ error_page 403 /core/templates/403.php;
+ error_page 404 /core/templates/404.php;
+
+ location = / { return 
303 $scheme://$host/apps/files/; }
+ location / { rewrite ^ /index.php$uri last; }
+
+ location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { internal; }
+ location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { internal; }
+
+ location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
+ fastcgi_split_path_info ^(.+\.php)(/.*)$;
+ include snippets/fastcgi-php.conf;
+ fastcgi_param modHeadersAvailable true;
+ fastcgi_param front_controller_active true;
+ fastcgi_request_buffering off;
+ fastcgi_param PHP_VALUE "upload_max_filesize=512M
+ post_max_size=512M
+ memory_limit=512M";
+ fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root:/mnt/nextcloud-data:/etc/nextcloud:/usr/share/php:/tmp:/dev";
+ }
+
+ location ~ ^/(?:updater|ocs-provider)(?:$|/) {
+ try_files $uri/ =404;
+ index index.php;
+ }
+
+ location ~* \.(?:css|js|woff|svg|gif)$ {
+ try_files $uri /index.php$uri$is_args$args;
+ expires 30d;
+ }
+
+ location ~* \.(?:png|html|ttf|ico|jpg|jpeg)$ {
+ try_files $uri /index.php$uri$is_args$args;
+ }
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name www.cloud.fripost.org;
+
+ include snippets/acme-challenge.conf;
+
+ access_log /var/log/nginx/cloud.access.log;
+ error_log /var/log/nginx/cloud.error.log info;
+
+ location / {
+ return 301 https://cloud.fripost.org$request_uri;
+ }
+}
diff --git a/roles/nextcloud/handlers/main.yml b/roles/nextcloud/handlers/main.yml
new file mode 100644
index 0000000..6552940
--- /dev/null
+++ b/roles/nextcloud/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart php7.0-fpm
+ service: name=php7.0-fpm state=restarted
+
+- name: Restart Nginx
+ service: name=nginx state=restarted
diff --git a/roles/nextcloud/tasks/ldap.yml b/roles/nextcloud/tasks/ldap.yml
new file mode 100644
index 0000000..17cd963
--- /dev/null
+++ b/roles/nextcloud/tasks/ldap.yml
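Review bot: The third `server` block (server_name www.cloud.fripost.org) listens with `ssl http2` on 443 but carries neither `snippets/ssl.conf` nor `ssl_certificate`/`ssl_certificate_key`, even though the lacme stanza in this same commit issues a certificate whose SAN explicitly covers www.cloud.fripost.org. Unless a certificate is inherited from the http{} level, nginx will refuse to load the configuration (no "ssl_certificate" is defined for the "listen ... ssl" directive); and if one is inherited, the www redirect is served with that default certificate and whatever protocol/cipher defaults apply there, not the hardened policy the main block gets. Add `include snippets/ssl.conf;`, `ssl_certificate ssl/cloud.fripost.org.pem;` and `ssl_certificate_key ssl/cloud.fripost.org.key;` to that block so the redirect is served under the same certificate and TLS policy as the main site; the headers snippet (presumably carrying HSTS) would also need to be included there for the www name to be covered.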
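Review bot: Both handlers use `state=restarted`, but the nginx handler is only notified by site/snippet changes, for which a reload suffices — it re-reads the configuration (including a renewed certificate) without dropping in-flight connections, and it is what the lacme stanza already relies on via `notify = /bin/systemctl reload nginx`. Consider changing the handler to `service: name=nginx state=reloaded` (or adding a distinct `Reload Nginx` handler and notifying that), keeping a full restart for the php-fpm pool change where it is genuinely needed; `systemctl reload nginx` still returns non-zero on a broken config, so failures remain visible to Ansible.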
@@ -0,0 +1,17 @@
+- name: Create /etc/ldap/ssl
+ file: path=/etc/ldap/ssl
+ state=directory
+ owner=root group=root
+ mode=0755
+
+- name: Copy the slapd X.509 certificate
+ copy: src=certs/ldap/ldap.fripost.org.pem
+ dest=/etc/ldap/ssl/ldap.fripost.org.pem
+ owner=root group=root
+ mode=0644
+
+- name: Copy ldap.conf(5)
+ copy: src=etc/ldap/ldap.conf
+ dest=/etc/ldap/ldap.conf
+ owner=root group=root
+ mode=0644
diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml
new file mode 100644
index 0000000..09554e0
--- /dev/null
+++ b/roles/nextcloud/tasks/main.yml
@@ -0,0 +1,108 @@
+- name: Install PHP
+ apt: pkg={{ packages }}
+ vars:
+ packages:
+ - php-cli
+ - php-fpm
+ - php-apcu
+ - php-gd
+ - php-imagick
+ - php-mbstring
+ - php-mcrypt
+ - php-xml
+ - php-curl
+ - php-intl
+ - php-ldap
+ - php-mysql
+ - php-zip
+ - php-json
+
+- name: Configure PHP 7.0 Zend opcache
+ lineinfile: dest=/etc/php/7.0/fpm/php.ini
+ regexp='^;?{{ item.var }}\\s*='
+ line="{{ item.var }} = {{ item.value }}"
+ owner=root group=root
+ mode=0644
+ with_items:
+ - { var: opcache.enable, value: 1 }
+ - { var: opcache.enable_cli, value: 1 }
+ - { var: opcache.memory_consumption, value: 128 }
+ - { var: opcache.interned_strings_buffer, value: 8 }
+ - { var: opcache.max_accelerated_files, value: 10000 }
+ - { var: opcache.revalidate_freq, value: 1 }
+ - { var: opcache.fast_shutdown, value: 1 }
+ notify:
+ - Restart php7.0-fpm
+
+- name: Configure PHP 7.0 pool environment
+ lineinfile: dest=/etc/php/7.0/fpm/pool.d/www.conf
+ regexp='^;?env\[{{ item.var }}\]\\s*='
+ line="env[{{ item.var }}] = {{ item.value }}"
+ owner=root group=root
+ mode=0644
+ with_items:
+ - { var: HOSTNAME, value: "$HOSTNAME" }
+ - { var: PATH, value: "/usr/bin:/bin" }
+ - { var: TMP, value: "/tmp" }
+ - { var: TMPDIR, value: "/tmp" }
+ - { var: TEMP, value: "/tmp" }
+ notify:
+ - Restart php7.0-fpm
+
+- name: Start php7.0-fpm
+ service: name=php7.0-fpm state=started
+
+- name: Copy /etc/cron.d/nextcloud
+ copy: src=etc/cron.d/nextcloud
+ dest=/etc/cron.d/nextcloud
+ owner=root group=root
+ mode=0644
+
+- name: Copy /etc/nginx/sites-available/nextcloud
+ copy: src=etc/nginx/sites-available/nextcloud
+ dest=/etc/nginx/sites-available/nextcloud
+ owner=root group=root
+ mode=0644
+ register: r1
+ notify:
+ - Restart Nginx
+
+- name: Create /etc/nginx/sites-enabled/nextcloud
+ file: src=../sites-available/nextcloud
+ dest=/etc/nginx/sites-enabled/nextcloud
+ owner=root group=root
+ state=link force=yes
+ register: r2
+ notify:
+ - Restart Nginx
+
+- name: Copy HPKP header snippet
+
# never modify the pined pubkeys as we don't want to lock out our users
+ template: src=etc/nginx/snippets/cloud.fripost.org.hpkp-hdr.j2
+ dest=/etc/nginx/snippets/cloud.fripost.org.hpkp-hdr
+ validate=/bin/false
+ owner=root group=root
+ mode=0644
+ register: r3
+ notify:
+ - Restart Nginx
+
+- name: Start Nginx
+ service: name=nginx state=started
+ when: not (r1.changed or r2.changed or r3.changed)
+
+- meta: flush_handlers
+
+- name: Fetch Nginx's X.509 certificate
+ # Ensure we don't fetch private data
+ become: False
+ fetch_cmd: cmd="openssl x509 -noout -pubkey"
+ stdin=/etc/nginx/ssl/cloud.fripost.org.pem
+ dest=certs/public/cloud.fripost.org.pub
+ tags:
+ - genkey
+
+- import_tasks: ldap.yml
+ when: "'LDAP-provider' not in group_names"
+ tags:
+ - ldap
diff --git a/roles/nextcloud/templates/etc/nginx/snippets/cloud.fripost.org.hpkp-hdr.j2 b/roles/nextcloud/templates/etc/nginx/snippets/cloud.fripost.org.hpkp-hdr.j2
new file mode 120000
index 0000000..a8ba598
--- /dev/null
+++ b/roles/nextcloud/templates/etc/nginx/snippets/cloud.fripost.org.hpkp-hdr.j2
@@ -0,0 +1 @@
+../../../../../../certs/hpkp-hdr.j2
\ No newline at end of file
-- cgit v1.2.3
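Review bot: `validate=/bin/false` on the HPKP snippet task fails the task whenever the rendered template differs from what is deployed, and as far as I can tell from the template/copy modules that includes the very first run on a host where the snippet does not exist yet, so this role cannot bootstrap calima without manual intervention unless the snippet is pre-seeded some other way. If the intent is "create once, never overwrite", `force=no` on the `template:` task says that directly; if the intent is to fail loudly when the pinned keys change, a `stat` on the destination followed by `validate=/bin/false` only `when: hdr.stat.exists` keeps both behaviours. Since the pins are also what lock users out if the pair of keys in certs/public/ is ever lost, it is worth noting that browser support for Public-Key-Pins was being withdrawn around the time of this commit, which shifts the cost/benefit of carrying HPKP on a new host at all. Minor: the comment should read "pinned" rather than "pined".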