Merge branch 'imcsk8/centos-9' into 'master'

Actualización para soportar CentOS 9 Stream

See merge request strepsirrhini/lemur!14
Renich Bon Ćirić 2023-07-12 05:43:13 +00:00
commit aa8863f534
13 changed files with 286 additions and 52 deletions


@ -9,3 +9,17 @@ If you're using `ansible-core`, you need to install the requirements first.
```bash
ansible-galaxy install -r requirements.yaml
```
## Usage
We have four types of installation:
| Playbook | Inventory |
| ----------- | ----------- |
| deploy-example-talk-ha.yaml | inventory-example-talk-ha |
| deploy-example-talk-ha.yaml | inventory-example-single-no-talk-ha |
| deploy-example-no-talk-ha.yaml | inventory-example-talk-ha |
| deploy-example-no-talk-ha.yaml | inventory-example-single-no-talk-ha |


@ -0,0 +1,63 @@
- hosts: localhost
vars_files:
- "vars/{{ ansible_facts['os_family'] }}.yaml"
- vars/main.example.yaml
vars:
services:
- nginx
- postgresql
- redis
roles:
- name: certificates
- hosts: all
serial: 1
vars_files:
- "vars/{{ ansible_facts['os_family'] }}.yaml"
- vars/main.example.yaml
roles:
- name: common
- hosts: postgresql
vars_files:
- "vars/{{ ansible_facts['os_family'] }}.yaml"
- vars/main.example.yaml
roles:
- name: postgresql
- hosts: redis
vars_files:
- "vars/{{ ansible_facts['os_family'] }}.yaml"
- vars/main.example.yaml
roles:
- name: redis
# Este es el collabora
- hosts: coolwsd
vars_files:
- "vars/{{ ansible_facts['os_family'] }}.yaml"
- vars/main.example.yaml
roles:
- name: coolwsd
- hosts: nextcloud
vars_files:
- "vars/{{ ansible_facts['os_family'] }}.yaml"
- vars/main.example.yaml
roles:
- name: nextcloud
- name: coolwsd-nginx
# Enable this for Talk HA
# - name: nextcloud-spreed
#- hosts: turn
# vars_files:
# - vars/main.example.yaml
# - "vars/{{ ansible_facts['os_family'] }}.yaml"
# roles:
# - name: turn
# - name: nats-server
# - name: signaling-server
# - name: janus
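Review bot: Every play here loads `vars/main.example.yaml` directly, and elsewhere in this commit that file carries live-looking credentials (`redis_password`, `ldap_agent_password`, `nextcloud_db_user_password`) in cleartext, so anyone who runs the example playbook as-is deploys with those shared secrets. Consider adding a third entry, `- vars/secrets.yaml` encrypted with `ansible-vault`, after the two existing vars_files in each play and keeping only placeholders in main.example.yaml. The commented-out turn play lists its vars_files in the opposite order from the other plays; if it is later uncommented, the OS-family file would override `main.example.yaml` rather than the other way around, which matters now that `redis_path` is defined in both. The Spanish comment would read better as `# Collabora Online (coolwsd)`.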


@ -0,0 +1,61 @@
- hosts: localhost
vars_files:
- "vars/{{ ansible_facts['os_family'] }}.yaml"
- vars/main.example.yaml
vars:
services:
- nginx
- postgresql
- redis
roles:
- name: certificates
- hosts: all
serial: 1
vars_files:
- "vars/{{ ansible_facts['os_family'] }}.yaml"
- vars/main.example.yaml
roles:
- name: common
- hosts: postgresql
vars_files:
- "vars/{{ ansible_facts['os_family'] }}.yaml"
- vars/main.example.yaml
roles:
- name: postgresql
- hosts: redis
vars_files:
- "vars/{{ ansible_facts['os_family'] }}.yaml"
- vars/main.example.yaml
roles:
- name: redis
# Este es el collabora
- hosts: coolwsd
vars_files:
- "vars/{{ ansible_facts['os_family'] }}.yaml"
- vars/main.example.yaml
roles:
- name: coolwsd
- hosts: nextcloud
vars_files:
- "vars/{{ ansible_facts['os_family'] }}.yaml"
- vars/main.example.yaml
roles:
- name: nextcloud
- name: coolwsd-nginx
- name: nextcloud-spreed
- hosts: turn
vars_files:
- vars/main.example.yaml
- "vars/{{ ansible_facts['os_family'] }}.yaml"
roles:
- name: turn
- name: nats-server
- name: signaling-server
- name: janus
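Review bot: The turn play at the end lists `vars/main.example.yaml` before the OS-family file, the reverse of every other play in this file, so for that play the OS-family file overrides `main.example.yaml` instead of the other way round; with `redis_path` now defined in both files, the same variable can resolve differently between plays of one run. Swap the two entries to match the other plays: `- "vars/{{ ansible_facts['os_family'] }}.yaml"` followed by `- vars/main.example.yaml`. A comment on the nextcloud play such as `# nextcloud-spreed sets up Talk HA and needs the turn/nats/signaling/janus inventory groups` would also help, since that role is the only difference from the no-talk-ha playbook.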


@ -0,0 +1,12 @@
[redis]
<your server fqdn>
[postgresql]
<your server fqdn>
[nextcloud]
<your server fqdn>
[coolwsd]
<your server fqdn>


@ -0,0 +1,25 @@
[redis]
<your server fqdn>
[postgresql]
<your server fqdn>
[nextcloud]
<your server fqdn>
[coolwsd]
<your server fqdn>
# Uncomment this if you're going to use HA with Nextcloud Talk
[turn]
<turn server fqdn>
[nats]
<nats server fqdn> ansible_host=<nats server IP>
[signaling]
<signaling spreed server fqdn> ansible_host=<signaling server IP>
[janus]
<janus server fqdn> ansible_host=<janus server IP>
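Review bot: The comment `# Uncomment this if you're going to use HA with Nextcloud Talk` does not match what follows: the `[turn]`, `[nats]`, `[signaling]` and `[janus]` groups are already active, so with the placeholders left in place the talk-ha playbook will try to reach a host literally named `<turn server fqdn>`. Either comment the four groups out so the instruction is true, or reword it to `# Fill in these hosts before running deploy-example-talk-ha.yaml; Nextcloud Talk HA requires all four groups`. The `[turn]` entry also lacks the `ansible_host=` override the other three groups carry; add it if the TURN host is not resolvable by FQDN from the control node.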


@ -35,6 +35,8 @@
- php-zip
- python3-pyOpenSSL
- sudo
- tar
- bzip2
- name: Create nextcloud nginx configuration directory
ansible.builtin.file:
@ -55,15 +57,15 @@
- name: Download Nextcloud
get_url:
url: https://repos.libreoffice.gob.mx/nextcloud/nextcloud-{{nextcloud_version}}.tar.bz2
dest: /usr/src/nextcloud-{{nextcloud_version}}.tar.bz2
url: "{{ nextcloud_url }}"
dest: /usr/src/nextcloud-{{ nextcloud_version }}.tar.bz2
checksum: "{{ nextcloud_checksum }}"
when:
nextcloud_is_unpacked.stat.exists != true and ansible_local['nextcloud']['is_installed'] != true
- name: Unpack Nextcloud
ansible.builtin.unarchive:
src: "/usr/src/nextcloud-{{nextcloud_version}}.tar.bz2"
src: "/usr/src/nextcloud-{{ nextcloud_version }}.tar.bz2"
dest: "{{ nextcloud_path }}"
remote_src: yes
owner: "{{ web_user }}"
@ -251,7 +253,7 @@
/usr/bin/php {{ nextcloud_occ }} config:system:set redis host --value={{ redis_host }}
/usr/bin/php {{ nextcloud_occ }} config:system:set redis port --value=6379
/usr/bin/php {{ nextcloud_occ }} config:system:set redis dbindex --value=0
#/usr/bin/php {{ nextcloud_occ }} config:system:set redis password user --value={{ redis_user }}
/usr/bin/php {{ nextcloud_occ }} config:system:set redis password user --value={{ redis_user }}
#/usr/bin/php {{ nextcloud_occ }} config:system:set redis password password --value={{ redis_password }}
/usr/bin/php {{ nextcloud_occ }} config:system:set redis password --value={{ redis_password }}
become: true
@ -296,27 +298,27 @@
become_user: "{{ web_user }}"
when: not ansible_local['nextcloud']['is_ldap_configured']
# TODO: quitar "hard-codeos"
- name: Configure LDAP
ansible.builtin.shell:
cmd: |
/usr/bin/php "{{ nextcloud_occ }}" ldap:set-config s01 ldapBase cn=users,cn=accounts,dc=libreoffice,dc=gob,dc=mx
/usr/bin/php "{{ nextcloud_occ }}" ldap:set-config s01 ldapBaseGroups cn=users,cn=accounts,dc=libreoffice,dc=gob,dc=mx
/usr/bin/php "{{ nextcloud_occ }}" ldap:set-config s01 ldapBaseUsers cn=users,cn=accounts,dc=libreoffice,dc=gob,dc=mx
/usr/bin/php "{{ nextcloud_occ }}" ldap:set-config s01 ldapAgentName "cn=Directory Manager"
/usr/bin/php "{{ nextcloud_occ }}" ldap:set-config s01 ldapAgentPassword {{ ldap_agent_password }}
/usr/bin/php "{{ nextcloud_occ }}" ldap:set-config s01 ldapHost {{ ldap_server_host }}
/usr/bin/php "{{ nextcloud_occ }}" ldap:set-config s01 hasMemberOfFilterSupport 1
/usr/bin/php "{{ nextcloud_occ }}" ldap:set-config s01 ldapEmailAttribute mail
/usr/bin/php "{{ nextcloud_occ }}" ldap:set-config s01 ldapLoginFilter "(&(&(|(objectclass=posixAccount)))(|(uid=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))))"
/usr/bin/php "{{ nextcloud_occ }}" ldap:set-config s01 ldapPort 389
/usr/bin/php "{{ nextcloud_occ }}" ldap:set-config s01 ldapUserFilter "(&(|(objectclass=posixAccount)))"
/usr/bin/php "{{ nextcloud_occ }}" ldap:set-config s01 ldapUserFilterObjectclass posixAccount
/usr/bin/php "{{ nextcloud_occ }}" ldap:set-config s01 ldapConfigurationActive 1
/usr/bin/php "{{ nextcloud_occ }}" ldap:set-config s01 ldapBase "{{ ldapBase }}"
/usr/bin/php "{{ nextcloud_occ }}" ldap:set-config s01 ldapBaseGroups "{{ ldapBaseGroups }}"
/usr/bin/php "{{ nextcloud_occ }}" ldap:set-config s01 ldapBaseUsers "{{ ldapBaseUsers }}"
/usr/bin/php "{{ nextcloud_occ }}" ldap:set-config s01 ldapAgentName "{{ ldapAgentName }}"
/usr/bin/php "{{ nextcloud_occ }}" ldap:set-config s01 ldapAgentPassword "{{ ldap_agent_password }}"
/usr/bin/php "{{ nextcloud_occ }}" ldap:set-config s01 ldapHost "{{ ldap_server_host }}"
/usr/bin/php "{{ nextcloud_occ }}" ldap:set-config s01 hasMemberOfFilterSupport "{{ hasMemberOfFilterSupport }}"
/usr/bin/php "{{ nextcloud_occ }}" ldap:set-config s01 ldapEmailAttribute "{{ ldapEmailAttribute }}"
/usr/bin/php "{{ nextcloud_occ }}" ldap:set-config s01 ldapLoginFilter "{{ ldapLoginFilter }}"
/usr/bin/php "{{ nextcloud_occ }}" ldap:set-config s01 ldapPort "{{ ldapPort }}"
/usr/bin/php "{{ nextcloud_occ }}" ldap:set-config s01 ldapUserFilter "{{ ldapUserFilter }}"
/usr/bin/php "{{ nextcloud_occ }}" ldap:set-config s01 ldapUserFilterObjectclass "{{ ldapUserFilterObjectclass }}"
/usr/bin/php "{{ nextcloud_occ }}" ldap:set-config s01 ldapConfigurationActive "{{ ldapConfigurationActive }}"
become: true
become_user: "{{ web_user }}"
tags:
- ldap
when: ldap_enabled
- name: Set httpd_can_network_relay to allow nginx to proxy connections
seboolean:
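Review bot: The `Configure LDAP` shell task passes `{{ ldap_agent_password }}` on the `occ ldap:set-config` command line without `no_log: true`, so the bind password appears in verbose Ansible output and callback logs and, on the target, in `ps` while each occ call runs; add `no_log: true` next to `become_user` (the redis task above, which echoes `redis_password` the same way, needs it too). In the redis hunk, `config:system:set redis password user --value={{ redis_user }}` writes a nested `redis.password.user` key that the very next line overwrites with the scalar `redis password`, so the ACL username never reaches Nextcloud's config; if the intent is the Redis ACL user, that line should be `config:system:set redis user --value={{ redis_user }}`. The LDAP task runs an unguarded shell block on every run while `ldap_enabled` is true; consider a local fact like the `is_ldap_configured` check above, or at least `changed_when`. Both tasks continue outside the hunks shown.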


@ -31,7 +31,7 @@
blockinfile:
dest: "{{ postgresql_conf }}"
block: |
listen_addresses = '{{ ansible_default_ipv4.address }}'
listen_addresses = '{{ db_host }}'
tags:
- database
- database_access


@ -1,38 +1,72 @@
- name: "Install Remi repo GPG key"
rpm_key:
state: present
key: https://rpms.remirepo.net/RPM-GPG-KEY-remi2018
#key: https://rpms.remirepo.net/RPM-GPG-KEY-remi
when: ansible_facts['distribution'] == 'CentOS'
- name: Enable The CRB Repository
ansible.builtin.command: /usr/bin/dnf config-manager --set-enabled crb
#- name: "Install Remi repo GPG key"
# rpm_key:
# state: present
# key: https://rpms.remirepo.net/RPM-GPG-KEY-remi2018
# #key: https://rpms.remirepo.net/RPM-GPG-KEY-remi
# when:
# - ansible_os_family == 'RedHat'
# - ansible_distribution_major_version|int < 9
# - ansible_distribution != 'Fedora'
- name: Install EPEL
package:
name:
- epel-release
state: latest
when: ansible_facts['distribution'] == 'CentOS'
when:
- ansible_os_family == 'RedHat'
- ansible_distribution != 'Fedora'
- name: Install REMI repository
- name: Import Remi GPG key
ansible.builtin.rpm_key:
state: present
key: "https://rpms.remirepo.net/enterprise/{{ansible_distribution_major_version}}/RPM-GPG-KEY-remi"
- name: Remi::Install REMI repository
dnf:
name:
- https://rpms.remirepo.net/enterprise/remi-release-8.rpm
- "https://rpms.remirepo.net/enterprise/remi-release-{{ansible_distribution_major_version}}.rpm"
state: latest
disable_gpg_check: yes
when: ansible_facts['distribution'] == 'CentOS'
when:
- ansible_os_family == 'RedHat'
- ansible_distribution != 'Fedora'
# TODO: ya está en módulos de centos 8, modificar esto para usarlo
- name: Enable the PHP remi repository
dnf:
name: '@php:remi-7.4'
state: present
# EPEL 8 does not support modules properly so we have to use Remi's repo for
# php-pecl-redis to be available
# https://docs.nextcloud.com/server/latest/admin_manual/installation/example_centos.html
when: ansible_facts['distribution'] == 'CentOS'
#- name: Enable the PHP remi repository
# dnf:
# name: '@php:remi-7.4'
# state: present
# # EPEL 8 does not support modules properly so we have to use Remi's repo for
# # php-pecl-redis to be available
# # https://docs.nextcloud.com/server/latest/admin_manual/installation/example_centos.html
# when:
# - ansible_os_family == 'RedHat'
# - ansible_distribution_major_version|int < 9
# - ansible_distribution != 'Fedora'
- name: Remi::Reset PHP module
ansible.builtin.command: /usr/bin/dnf -y module reset php
- name: Remi::Install PHP {{ php_version }} module
ansible.builtin.command: /usr/bin/dnf -y module install php:remi-{{ php_version }}
when:
- ansible_os_family == 'RedHat'
- ansible_distribution_major_version|int >= 9
- ansible_distribution != 'Fedora'
- name: Remi::Update old versions
ansible.builtin.command: /usr/bin/dnf -y update
- name: Enable the Redis 6 module
dnf:
name: '@redis:6'
state: present
when: ansible_facts['distribution'] == 'CentOS'
when:
- ansible_os_family == 'RedHat'
- ansible_distribution_major_version|int < 9
- ansible_distribution != 'Fedora'
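Review bot: `disable_gpg_check: yes` is still set on `Remi::Install REMI repository` even though the commit now imports Remi's GPG key immediately before it, so the remi-release RPM fetched over the network is installed without signature verification; drop the line (or set `disable_gpg_check: false`) so the imported key is actually used, and give the key-import task the same `when` as the install task so it is not attempted on Fedora or non-RedHat hosts. `Enable The CRB Repository`, `Remi::Reset PHP module` and `Remi::Update old versions` are bare `command` tasks with no `when` at all, and the unconditional `dnf -y update` upgrades every package on every run, which is non-idempotent and a change-control risk on production hosts. Guard them with the same RedHat/major-version conditions as their neighbours and add `changed_when: false` to the CRB and module-reset commands. Prefer `true`/`false` over `yes` for the boolean module arguments.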


@ -10,7 +10,7 @@
src: certificates/redis_key.pem
dest: "{{ redis_key }}"
owner: root
group: nginx
group: redis
mode: '0640'
- name: Copy the redis Certificate to /etc/pki/tls/certs/


@ -65,7 +65,7 @@
# IF YOU ARE SURE YOU WANT YOUR INSTANCE TO LISTEN TO ALL THE INTERFACES
# JUST COMMENT OUT THE FOLLOWING LINE.
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
bind {{ ansible_default_ipv4.address }}
bind {{ redis_host }}
# Protected mode is a layer of security protection, in order to avoid that
# Redis instances left open on the internet are accessed and exploited.
@ -769,8 +769,8 @@ user {{ redis_user }} on +@all -DEBUG ~* >{{ redis_password }}
# ACL LOG
#
# The ACL Log tracks failed commands and authentication events associated
# with ACLs. The ACL Log is useful to troubleshoot failed commands blocked
# by ACLs. The ACL Log is stored in memory. You can reclaim memory with
# with ACLs. The ACL Log is useful to troubleshoot failed commands blocked
# by ACLs. The ACL Log is stored in memory. You can reclaim memory with
# ACL LOG RESET. Define the maximum entry length of the ACL Log below.
acllog-max-len 128
@ -1333,18 +1333,18 @@ lua-time-limit 5000
# cluster-replica-no-failover no
# This option, when set to yes, allows nodes to serve read traffic while the
# the cluster is in a down state, as long as it believes it owns the slots.
# the cluster is in a down state, as long as it believes it owns the slots.
#
# This is useful for two cases. The first case is for when an application
# This is useful for two cases. The first case is for when an application
# doesn't require consistency of data during node failures or network partitions.
# One example of this is a cache, where as long as the node has the data it
# should be able to serve it.
# should be able to serve it.
#
# The second use case is for configurations that don't meet the recommended
# three shards but want to enable cluster mode and scale later. A
# The second use case is for configurations that don't meet the recommended
# three shards but want to enable cluster mode and scale later. A
# master outage in a 1 or 2 shard configuration causes a read/write outage to the
# entire cluster without this option set, with it set there is only a write outage.
# Without a quorum of masters, slot ownership will not change automatically.
# Without a quorum of masters, slot ownership will not change automatically.
#
# cluster-allow-reads-when-down no
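Review bot: `bind {{ redis_host }}` ties the listening address to the same variable Nextcloud uses as the Redis hostname, but Redis's `bind` directive accepts only IP addresses, so a deployment that sets `redis_host` to an FQDN will fail at Redis startup while the client side looks fine. Either keep `bind {{ ansible_default_ipv4.address }}` here and use `redis_host` only for clients, or document the constraint next to the variable with `# redis_host must be an IP address: it is used verbatim in redis.conf "bind"`. The other two hunks in this file only touch trailing whitespace in comments. The ACL line shown in the second hunk's header grants `+@all -DEBUG` to the Nextcloud user; a cache client does not need CONFIG, FLUSHALL or ACL, so a tighter command set is worth a follow-up, though that line is not changed by this commit.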


@ -88,6 +88,7 @@
preconfigured-renewal = True
# Info
# TODO: parametrizar este correo
email = ca@softwarelibre.mx
insertbefore: BOF


@ -6,7 +6,7 @@ nginx_path: /etc/nginx/conf.d
php_ini_path: /etc
php_pool_path: /etc/php-fpm.d
postgresql_path: /var/lib/pgsql/data
redis_path: /etc
redis_path: /etc/redis
ssl_path: /etc/pki/tls
# NextCloud


@ -2,8 +2,10 @@
# NextCloud
## version
nextcloud_version: 24.0.6
nextcloud_checksum: "sha256:b26dff9980a47e7e722805fdbbf87e07f59a3817b03ecc32698e028e9baf0301"
nextcloud_version: 26.0.0
nextcloud_url: https://repos.libreoffice.gob.mx/nextcloud/nextcloud-{{nextcloud_version}}.tar.bz2
nextcloud_checksum: "sha256:f163150363aee9366ecb5cd5259bf6756ed4f073cea78b5fa515cada7a0d0c3d"
php_version: 8.2
## credentials
nextcloud_admin_user: el_admin
@ -20,6 +22,25 @@ nextcloud_db: nextcloud
nextcloud_db_user: nextcloud
nextcloud_db_user_password: Una contraseña bien, pero bien difícil.
## LDAP
ldap_enabled: false
ldap_agent_password: cIBI4mLESN1nSrAPr7pX3350NPXkD3vExjr27X1ju
ldap_server_host: "10.254.1.1"
ldapBase: "cn=users,cn=accounts,dc=softwarelibre,dc=mx"
ldapBaseGroups: "cn=users,cn=accounts,dc=softwarelibre,dc=mx"
ldapBaseUsers: "cn=users,cn=accounts,dc=softwarelibre,dc=mx"
ldapAgentName: "cn=Directory Manager"
ldapAgentPassword: "{{ ldap_agent_password }}"
ldapHost: "{{ ldap_server_host }}"
hasMemberOfFilterSupport: 1
ldapEmailAttribute: mail
ldapLoginFilter: "(&(&(|(objectclass=posixAccount)))(|(uid=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))))"
ldapPort: 389
ldapUserFilter: "(&(|(objectclass=posixAccount)))"
ldapUserFilterObjectclass: posixAccount
ldapConfigurationActive: 1
## occ
nextcloud_occ: "{{ nextcloud_path }}/occ"
@ -40,6 +61,7 @@ redis_host: 10.0.5.53
redis_user: nextcloud
redis_password: ParángariCutirimiNoMeAcuerdoCuaro
redis_url: "https://{{ redis_host }}"
redis_path: /etc/redis
# SSL
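Review bot: The new LDAP defaults bind as `cn=Directory Manager` over plain `ldapPort: 389` with a real-looking `ldap_agent_password` committed to the example file; Directory Manager is the directory's unrestricted superuser, so a compromised Nextcloud host would hand out full write access to the directory, and unless `ldap_server_host` carries an `ldaps://` prefix the bind travels in cleartext. Use a dedicated read-only bind account, e.g. `ldapAgentName: "uid=nextcloud-bind,cn=sysaccounts,cn=etc,dc=example,dc=org"`, prefer `ldapPort: 636` with an `ldaps://` host (or set `ldapTLS 1` via occ for StartTLS), and ship placeholders or a vault-encrypted file instead of real secrets. `php_version: 8.2` is an unquoted float, so a future `8.10` would render as `8.1` in `php:remi-{{ php_version }}`; write `php_version: "8.2"`. `redis_path: /etc/redis` is now defined both here and in the OS-family vars file; keep it in one place so the vars_files order in the playbooks cannot change which one wins.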