diff --git a/nextcloud/ansible/.gitignore b/nextcloud/ansible/.gitignore index 0e436b4..11f6e4f 100644 --- a/nextcloud/ansible/.gitignore +++ b/nextcloud/ansible/.gitignore @@ -7,7 +7,8 @@ files/backups/* # variable3s vars/main.*.yaml -!vars/main.ejemplo.yaml +!vars/main.example.yaml +!vars/main.test.yaml # misc *~ diff --git a/nextcloud/ansible/deploy-example-talk-ha.yaml b/nextcloud/ansible/deploy-example-talk-ha.yaml index afe4324..176ad01 100644 --- a/nextcloud/ansible/deploy-example-talk-ha.yaml +++ b/nextcloud/ansible/deploy-example-talk-ha.yaml @@ -32,7 +32,6 @@ roles: - name: redis -# Este es el collabora - hosts: coolwsd vars_files: - "vars/{{ ansible_facts['os_family'] }}.yaml" @@ -51,8 +50,8 @@ - hosts: turn vars_files: - - vars/main.example.yaml - "vars/{{ ansible_facts['os_family'] }}.yaml" + - vars/main.example.yaml roles: - name: turn - name: nats-server diff --git a/nextcloud/ansible/deploy-test.yaml b/nextcloud/ansible/deploy-test.yaml index f777ec9..2a8951c 100644 --- a/nextcloud/ansible/deploy-test.yaml +++ b/nextcloud/ansible/deploy-test.yaml @@ -1,7 +1,7 @@ - hosts: localhost vars_files: - - vars/main.test.yaml - "vars/{{ ansible_facts['os_family'] }}.yaml" + - vars/main.test.yaml vars: services: - nginx 
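Review bot: The new `!vars/main.test.yaml` negation un-ignores a file that, per the rename later in this same commit, pairs live test hostnames (`cs9-nc-nx0.test.virt.g02.org`, 192.168.0.x) with the admin, database, Redis, TURN and signaling secrets in plaintext, so working credentials for a real environment are now tracked in git. Keep `vars/main.test.yaml` under the `vars/main.*.yaml` ignore rule, or split the credential keys into an ansible-vault-encrypted file, and document the intent above the rule, e.g. `# only the example vars file is tracked; per-environment vars stay untracked or vault-encrypted`. If the file has already been pushed, treat every secret in it as disclosed and rotate it.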
@@ -11,38 +11,37 @@ - name: certificates - hosts: all - serial: 1 vars_files: - - vars/main.test.yaml - "vars/{{ ansible_facts['os_family'] }}.yaml" + - vars/main.test.yaml roles: - name: common - hosts: postgresql vars_files: - - vars/main.test.yaml - "vars/{{ ansible_facts['os_family'] }}.yaml" + - vars/main.test.yaml roles: - name: postgresql - hosts: redis vars_files: - - vars/main.test.yaml - "vars/{{ ansible_facts['os_family'] }}.yaml" + - vars/main.test.yaml roles: - name: redis - hosts: coolwsd vars_files: - - vars/main.test.yaml - "vars/{{ ansible_facts['os_family'] }}.yaml" + - vars/main.test.yaml roles: - name: coolwsd - hosts: nextcloud vars_files: - - vars/main.test.yaml - "vars/{{ ansible_facts['os_family'] }}.yaml" + - vars/main.test.yaml roles: - name: nextcloud - name: coolwsd-nginx @@ -50,11 +49,10 @@ - hosts: turn vars_files: - - vars/main.test.yaml - "vars/{{ ansible_facts['os_family'] }}.yaml" + - vars/main.test.yaml roles: - name: turn - name: nats-server - name: signaling-server - name: janus - diff --git a/nextcloud/ansible/inventory-example-single-no-talk-ha b/nextcloud/ansible/inventory-example-single-no-talk-ha index d159d76..a47d1cc 100644 --- a/nextcloud/ansible/inventory-example-single-no-talk-ha +++ b/nextcloud/ansible/inventory-example-single-no-talk-ha 
@@ -1,12 +1,29 @@ -[redis] - - -[postgresql] - +# If your FQDNs are resolvable, then you don't need the ansible_host= part. If they're not, you need to change the IPs and add all +# these entries to the /etc/hosts file of the deployment server (a.k.a. where the ansible-playbooks reside). +# +# For example: +# +# /etc/hosts: +# # Loopback entries; do not change. +# For historical reasons, localhost precedes localhost.localdomain: +# 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 +# ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 +# +# # my nextcloud +# 192.168.0.10 nx0.example.com nx0 +# 192.168.0.11 db0.example.com db0 +# 192.168.0.12 rds0.example.com rds0 +# 192.168.0.13 cl0.example.com cl0 [nextcloud] - +nx0.example.com ansible_host=192.168.0.10 + +[postgresql] +db0.example.com ansible_host=192.168.0.11 + +[redis] +rds0.example.com ansible_host=192.168.0.12 [coolwsd] - +cl0.example.com ansible_host=192.168.0.13 diff --git a/nextcloud/ansible/inventory-example-talk-ha b/nextcloud/ansible/inventory-example-talk-ha index a368b62..c365d85 100644 --- a/nextcloud/ansible/inventory-example-talk-ha +++ b/nextcloud/ansible/inventory-example-talk-ha 
@@ -1,25 +1,42 @@ -[redis] - - -[postgresql] - +# If your FQDNs are resolvable, then you don't need the ansible_host= part. If they're not, you need to change the IPs and add all +# these entries to the /etc/hosts file of the deployment server (a.k.a. where the ansible-playbooks reside). +# +# For example: +# +# /etc/hosts: +# # Loopback entries; do not change. +# For historical reasons, localhost precedes localhost.localdomain: +# 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 +# ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 +# +# # my nextcloud +# 192.168.0.10 nx0.example.com nx0 +# 192.168.0.11 db0.example.com db0 +# 192.168.0.12 rds0.example.com rds0 +# 192.168.0.13 cl0.example.com cl0 +# 192.168.0.14 turn0.example.com turn0 [nextcloud] - +nx0.example.com ansible_host=192.168.0.10 + +[postgresql] +db0.example.com ansible_host=192.168.0.11 + +[redis] +rds0.example.com ansible_host=192.168.0.12 [coolwsd] - +cl0.example.com ansible_host=192.168.0.13 - -# Uncomment this if you're going to use HA with Nextcloud Talk +# Nextcloud Talk [turn] - +turn0.example.com ansible_host=192.168.0.14 [nats] - ansible_host= +turn0.example.com ansible_host=192.168.0.14 [signaling] - ansible_host= +turn0.example.com ansible_host=192.168.0.14 [janus] - ansible_host= +turn0.example.com ansible_host=192.168.0.14 diff --git a/nextcloud/ansible/inventory-test b/nextcloud/ansible/inventory-test index 046bc43..e452129 100644 --- a/nextcloud/ansible/inventory-test +++ b/nextcloud/ansible/inventory-test 
@@ -1,24 +1,23 @@ [nextcloud] -nx0-test.libreoffice.gob.mx ansible_host=10.201.15.250 +nx0.test.virt.g02.org ansible_host=192.168.0.41 [postgresql] -db0-test.libreoffice.gob.mx ansible_host=10.201.15.220 +db0.test.virt.g02.org ansible_host=192.168.0.40 [redis] -rds0-test.libreoffice.gob.mx ansible_host=10.201.15.24 +rds0.test.virt.g02.org ansible_host=192.168.0.39 [coolwsd] -clwsd0-test.libreoffice.gob.mx ansible_host=10.201.15.132 +cl0.test.virt.g02.org ansible_host=192.168.0.42 [turn] -turn1.softwarelibre.mx +turn0.test.virt.g02.org ansible_host=192.168.0.43 [nats] -nats1.softwarelibre.mx ansible_host=10.201.15.199 +turn0.test.virt.g02.org ansible_host=192.168.0.43 [signaling] -signaling1.softwarelibre.mx ansible_host=10.201.15.199 +turn0.test.virt.g02.org ansible_host=192.168.0.43 [janus] -janus1.softwarelibre.mx ansible_host=10.201.15.199 - +turn0.test.virt.g02.org ansible_host=192.168.0.43 diff --git a/nextcloud/ansible/roles/common/tasks/main.yml b/nextcloud/ansible/roles/common/tasks/main.yml index 63eec8a..03f7c9a 100644 --- a/nextcloud/ansible/roles/common/tasks/main.yml +++ b/nextcloud/ansible/roles/common/tasks/main.yml @@ -24,3 +24,17 @@ include_tasks: redhat_tasks.yaml when: ansible_facts['os_family'] == 'RedHat' +- name: "Set hostname" + ansible.builtin.hostname: + name: "{{ inventory_hostname }}" + use: systemd + +- name: "Build hosts file" + lineinfile: + dest: /etc/hosts + regexp: '.*{{ item }}$' + line: "{{ hostvars[item]['ansible_default_ipv4']['address'] }} {{ hostvars[item]['ansible_fqdn'] }} {{ hostvars[item]['ansible_hostname'] }}" + state: present + when: hostvars[item].ansible_default_ipv4.address is defined + loop: "{{ groups['all'] }}" + diff --git a/nextcloud/ansible/roles/coolwsd/tasks/main.yaml b/nextcloud/ansible/roles/coolwsd/tasks/main.yaml index 99f1dfd..8d1c265 100644 --- a/nextcloud/ansible/roles/coolwsd/tasks/main.yaml +++ b/nextcloud/ansible/roles/coolwsd/tasks/main.yaml 
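Review bot: The `Build hosts file` task in roles/common writes `ansible_default_ipv4.address` for every inventory host, which on a multi-homed machine is the default-route interface rather than the address the inventory reaches the host on through `ansible_host`; because `db_host`, `redis_host` and `coolwsd_host` in the vars files are FQDNs resolved via these entries, database and Redis traffic could end up on an unintended interface. Prefer the inventory address and fall back to the fact: `line: "{{ hostvars[item]['ansible_host'] | default(hostvars[item]['ansible_default_ipv4']['address']) }} {{ hostvars[item]['ansible_fqdn'] }} {{ hostvars[item]['ansible_hostname'] }}"`. The `regexp: '.*{{ item }}$'` also uses the raw hostname as a regex, so the dots match any character; `regexp: '.*{{ item | regex_escape }}$'` avoids matching and replacing an unrelated entry. The task presumably relies on facts having been gathered for every host in `groups['all']`, which the `hosts: all` play in deploy-test.yaml provides but any other playbook that includes this role would need to guarantee as well.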
@@ -15,7 +15,7 @@ group: root - name: Install Collabora Online Packages - package: + package: name: - coolwsd state: latest @@ -33,3 +33,13 @@ tags: - nextcloud_collabora +- name: Open up required firewall ports + block: + - name: Open ports for CODE service + ansible.posix.firewalld: + port: 9980/tcp + permanent: yes + immediate: true + state: enabled + when: code_firewalld_enabled | bool + diff --git a/nextcloud/ansible/roles/nextcloud/tasks/main.yml b/nextcloud/ansible/roles/nextcloud/tasks/main.yml index 1ae75aa..b54fe9e 100644 --- a/nextcloud/ansible/roles/nextcloud/tasks/main.yml +++ b/nextcloud/ansible/roles/nextcloud/tasks/main.yml @@ -3,6 +3,7 @@ package: state: latest name: + - bzip2 - nginx - php-cli - php-curl @@ -18,6 +19,8 @@ - php-json - php-ldap - php-mbstring + - php-memcache + - php-opcache - php-openssl - php-pcre - php-pdo @@ -36,7 +39,6 @@ - python3-pyOpenSSL - sudo - tar - - bzip2 - name: Create nextcloud nginx configuration directory ansible.builtin.file: @@ -137,6 +139,24 @@ enabled: yes state: restarted + +- name: Open up required firewall ports + block: + - name: Open ports for HTTP service + ansible.posix.firewalld: + service: http + permanent: yes + immediate: true + state: enabled + + - name: Open ports for HTTPS service + ansible.posix.firewalld: + service: https + permanent: yes + immediate: true + state: enabled + when: nextcloud_firewalld_enabled | bool + - name: Remove config_is_read_only setting from config.php lineinfile: path: "{{ nextcloud_path }}/config/config.php" diff --git a/nextcloud/ansible/roles/postgresql/tasks/main.yml b/nextcloud/ansible/roles/postgresql/tasks/main.yml index 668b48f..5e16f35 100644 --- a/nextcloud/ansible/roles/postgresql/tasks/main.yml +++ b/nextcloud/ansible/roles/postgresql/tasks/main.yml 
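Review bot: The new `Open ports for CODE service` task opens `9980/tcp` to every source the default zone accepts, while the vars files ship `code_enable_ssl: false` with `code_enable_ssl_termination: true`, i.e. the port carries plaintext WebSocket traffic that is meant to be reached only through the `coolwsd-nginx` proxy installed on the Nextcloud host. Limit the rule to that peer instead of the whole zone by replacing `port: 9980/tcp` with `rich_rule: "rule family=ipv4 source address={{ reverse_proxy_ip }} port port=9980 protocol=tcp accept"` (or a dedicated zone whose `source` is the Nextcloud host). `permanent: yes` is a YAML 1.1 truthy; `permanent: true` is what ansible-lint expects and reads unambiguously. The same source restriction applies to the postgresql and redis firewall tasks added elsewhere in this commit.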
@@ -75,3 +75,13 @@ tags: - database +- name: Open up required firewall ports + block: + - name: Open ports for PostgreSQL service + ansible.posix.firewalld: + service: postgresql + permanent: yes + immediate: true + state: enabled + when: postgresql_firewalld_enabled | bool + diff --git a/nextcloud/ansible/roles/pre/tasks/main.yml b/nextcloud/ansible/roles/pre/tasks/main.yml index 6d42fa4..1ff0de4 100644 --- a/nextcloud/ansible/roles/pre/tasks/main.yml +++ b/nextcloud/ansible/roles/pre/tasks/main.yml 
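Review bot: `service: postgresql` exposes 5432/tcp to every source the default zone accepts, whereas the only client in these playbooks is the Nextcloud host (the `nextcloud` group consumes `db_host`). Scope the rule to that peer, e.g. replace the `service:` line with `rich_rule: "rule family=ipv4 source address={{ hostvars[groups['nextcloud'][0]]['ansible_default_ipv4']['address'] }} service name=postgresql accept"`, so whatever `pg_hba.conf` restriction the role applies (not visible in this hunk) is a second line of defence rather than the only one. Write `permanent: true` rather than `yes` to avoid the YAML 1.1 truthy form.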
@@ -1,54 +1,31 @@ --- # tasks file for pre - - name: Update the /etc/hosts file with node host name - tags: etchostsupdate - become: yes - become_user: root - lineinfile: - path: "/etc/hosts" - regexp: ".*\t{{ ansible_hostname }}" - #TODO: crear una variable que tenga la IP del balanceador - line: "{{ nextcloud_host_ip }}\t{{ nextcloud_fqdn }} {{ nextcloud_hostname }}" - state: present - backup: yes - register: etchostsupdate +- name: Create fact directory + file: + path: /etc/ansible/facts.d/ + state: directory -# - name: Update the /etc/hosts file with node domain name -# tags: etchostsupdate_domain -# become: yes -# become_user: root -# lineinfile: -# path: "/etc/hosts" -# line: "{{ nextcloud_host }}\t{{ nextcloud_fqdn }}" -# state: present -# backup: yes +- name: Create nextcloud custom facts + copy: + src: nextcloud.fact + dest: /etc/ansible/facts.d/nextcloud.fact + mode: 0775 + force: yes + tags: + - check_facts - - name: Create fact directory - file: - path: /etc/ansible/facts.d/ - state: directory +- name: Check if nextcloud is unpacked + stat: + path: /var/www/html/config/config.sample.php + register: nextcloud_is_unpacked - - name: Create nextcloud custom facts - copy: - src: nextcloud.fact - dest: /etc/ansible/facts.d/nextcloud.fact - mode: 0775 - force: yes - tags: - - check_facts +- name: Reload facts + setup: + tags: + - check_facts - - name: Check if nextcloud is unpacked - stat: - path: /var/www/html/config/config.sample.php - register: nextcloud_is_unpacked - - - name: Reload facts - setup: - tags: - - check_facts - - - name: Pre tasks for Red Hat distros - include_tasks: redhat_pre_tasks.yaml - when: - ansible_facts['os_family'] == "RedHat" +- name: Pre tasks for Red Hat distros + include_tasks: redhat_pre_tasks.yaml + when: + ansible_facts['os_family'] == "RedHat" diff --git a/nextcloud/ansible/roles/redis/tasks/main.yml b/nextcloud/ansible/roles/redis/tasks/main.yml index 9b8ef99..60dcc87 100644 --- a/nextcloud/ansible/roles/redis/tasks/main.yml 
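Review bot: The re-indented `Create nextcloud custom facts` task still installs an executable fact script into `/etc/ansible/facts.d/` with `mode: 0775`, which makes a program that `setup` runs as root group-writable; `mode: "0755"` is the right permission, and quoting it also avoids relying on YAML 1.1 octal parsing of the unquoted `0775`. The removed `Update the /etc/hosts file` task kept `backup: yes` before editing `/etc/hosts`; its replacement in roles/common edits the file without a backup, so consider carrying `backup: true` over there as well. The role's `redhat_pre_tasks.yaml` include is outside this hunk, so whether anything there still depended on the removed `etchostsupdate` register cannot be checked from here.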
+++ b/nextcloud/ansible/roles/redis/tasks/main.yml @@ -33,3 +33,13 @@ tags: - check_redis +- name: Open up required firewall ports + block: + - name: Open ports for Redis service + ansible.posix.firewalld: + service: redis + permanent: yes + immediate: true + state: enabled + when: redis_firewalld_enabled | bool + diff --git a/nextcloud/ansible/vars/main.example.yaml b/nextcloud/ansible/vars/main.example.yaml new file mode 100644 index 0000000..63c8ced --- /dev/null +++ b/nextcloud/ansible/vars/main.example.yaml 
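Review bot: `service: redis` opens 6379/tcp to every source the default zone accepts; the vars files configure `redis_user`/`redis_password`, but Redis authentication is not a substitute for keeping the port off the network, and the only client here is the Nextcloud host. Replace the `service:` line with `rich_rule: "rule family=ipv4 source address={{ hostvars[groups['nextcloud'][0]]['ansible_default_ipv4']['address'] }} service name=redis accept"` so only that host can reach it, and write `permanent: true` instead of `yes`. The hunk also leaves a trailing blank `+` line at end of file, which yamllint flags.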
@@ -0,0 +1,133 @@
+---
+
+# NextCloud
+# The nexctloud_checksum changes with every release to get this string go to:
+# https://download.nextcloud.com/server/releases/ and download the *.sha256 file
+# for the proper version
+## version
+nextcloud_version: 29.0.2
+nextcloud_checksum: "sha256:2d49d297dc340092021057823e8e78a312bc00f56de7d8677ac790590918ab17"
+nextcloud_url: https://download.nextcloud.com/server/releases/nextcloud-{{ nextcloud_version }}.tar.bz2
+php_version: 8.3
+
+## credentials
+nextcloud_admin_user: admin
+nextcloud_admin_password: UnaContraseñaBienDifícil.
+
+## domain
+nextcloud_fqdn: nx0.example.com
+nextcloud_host_ip: "{{ hostvars['cs9-nc-nx0.test.virt.g02.org']['ansible_default_ipv4']['address'] }}"
+nextcloud_hostname: nx0
+
+## db
+db_host: db0.example.com
+nextcloud_db: nextcloud
+nextcloud_db_user: nextcloud
+nextcloud_db_user_password: Unacontraseñabien.
+postgresql_firewalld_enabled: true
+
+## LDAP
+ldap_enabled: false
+ldap_agent_password: cIBI4mLESN1nSrAPr7pX3350NPXkD3vExjr27X1ju
+ldap_server_host: id0.example.com
+ldapBase: "cn=users,cn=accounts,dc=softwarelibre,dc=mx"
+ldapBaseGroups: "cn=users,cn=accounts,dc=softwarelibre,dc=mx"
+ldapBaseUsers: "cn=users,cn=accounts,dc=softwarelibre,dc=mx"
+ldapAgentName: "cn=Directory Manager"
+ldapAgentPassword: "{{ ldap_agent_password }}"
+ldapHost: "{{ ldap_server_host }}"
+hasMemberOfFilterSupport: 1
+ldapEmailAttribute: mail
+ldapLoginFilter: "(&(&(|(objectclass=posixAccount)))(|(uid=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))))"
+ldapPort: 389
+ldapUserFilter: "(&(|(objectclass=posixAccount)))"
+ldapUserFilterObjectclass: posixAccount
+ldapConfigurationActive: 1
+
+
+## occ
+nextcloud_occ: "{{ nextcloud_path }}/occ"
+
+## S3
+nextcloud_s3_enabled: true
+nextcloud_s3_hostname: fqdn_or_ip # change me
+nextcloud_s3_key: usuario # change me
+nextcloud_s3_secret: password_muy_difícil # change me
+nextcloud_s3_bucket: contenedor # change me
+
+## security
+## Set this to true for production
+nextcloud_config_is_read_only: true
+nextcloud_firewalld_enabled: true
+
+
+# Redis
+redis_host: rds0.example.com
+redis_user: nextcloud
+redis_password: ParángariCutirimiNoMeAcuerdoCuaro
+redis_url: "https://{{ redis_host }}"
+redis_path: /etc/redis
+redis_firewalld_enabled: true
+
+
+# SSL
+key_size: 4096
+key_type: RSA # Others include DSA, ECC, Ed25519, Ed448, X25519, X448
+country_name: MX
+organization_name: Mi Organización bien chida, LTD
+generate_self_signed_cert: true
+
+
+# Colabora Online (coolwsd)
+coolwsd_host: cl0.example.com
+code_enable_ssl: false
+code_enable_ssl_termination: true
+code_ssl_key: ""
+code_ssl_cert: ""
+code_ssl_ca: ""
+code_firewalld_enabled: true
+
+## The only way to make notify_push work without a signed cert is to use plain http
+notify_push_nextcloud_url: http://localhost
+
+
+# reverse proxy
+reverse_proxy_ip: "{{ hostvars['cs9-nc-nx0.test.virt.g02.org']['ansible_default_ipv4']['address'] }}"
+
+
+# turn
+turn_fqdn: turn0.example.com
+turn_firewalld_enabled: false
+turn_letsencrypt_certificate_enabled: true
+turn_static_auth_secret: OtroSecretoBienSuperDifícilDeAdivinar
+
+
+# nats
+nats_fqdn: turn0.example.com
+nats_firewalld_enabled: false
+nats_letsencrypt_certificate_enabled: false
+
+
+# signaling
+signaling_fqdn: turn0.example.com
+signaling_debug: false
+signaling_firewalld_enabled: false
+signaling_letsencrypt_certificate_enabled: true
+signaling_connections_per_host: 16
+signaling_backend_name: nextcloud
+signaling_checksum: sha256:fb505651bab4f91f6c60d2308541e1bf695f4177aa4f92e01bc1c8982bd3db76
+
+
+# janus
+janus_firewalld_enabled: false
+janus_letsencrypt_certificate_enabled: false
+janus_stun_server_ip: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}"
+janus_turn_server_ip: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}"
+
+
+# nextcloud spreed (talk)
+nextcloud_talk_turn_server: "{{ turn_fqdn }}"
+nextcloud_talk_signaling_server: "https://{{ turn_fqdn }}:8443"
+nextcloud_talk_signaling_server_secret: ElMegaSecretoDeSignalingQueNadieSabe. +nextcloud_talk_stun_server: "{{ turn_fqdn }}" + diff --git a/nextcloud/ansible/vars/main.ejemplo.yaml b/nextcloud/ansible/vars/main.test.yaml similarity index 73% rename from nextcloud/ansible/vars/main.ejemplo.yaml rename to nextcloud/ansible/vars/main.test.yaml index 3ca9eba..97096b4 100644 --- a/nextcloud/ansible/vars/main.ejemplo.yaml +++ b/nextcloud/ansible/vars/main.test.yaml @@ -5,25 +5,26 @@ # https://download.nextcloud.com/server/releases/ and download the *.sha256 file # for the proper version ## version -nextcloud_version: 28.0.3 -nextcloud_checksum: "sha256:9ed413c0de16f5b033ceeffcca99c0d61fc698dbeb8db851ac9adf9eef951906" -nextcloud_url: https://download.nextcloud.com/server/releases/nextcloud-28.0.3.tar.bz2 -php_version: 8.2 +nextcloud_version: 29.0.2 +nextcloud_checksum: "sha256:2d49d297dc340092021057823e8e78a312bc00f56de7d8677ac790590918ab17" +nextcloud_url: https://download.nextcloud.com/server/releases/nextcloud-{{ nextcloud_version }}.tar.bz2 +php_version: 8.3 ## credentials -nextcloud_admin_user: el_admin -nextcloud_admin_password: Una contraseña bien difícil. +nextcloud_admin_user: admin +nextcloud_admin_password: UnaContraseñaBienDifícil. ## domain -nextcloud_fqdn: nextcloud.midominio.tld -nextcloud_host_ip: 10.0.5.33 -nextcloud_hostname: nextcloud +nextcloud_fqdn: cs9-nc-nx0.test.virt.g02.org +nextcloud_host_ip: "{{ hostvars['cs9-nc-nx0.test.virt.g02.org']['ansible_default_ipv4']['address'] }}" +nextcloud_hostname: cs9-nc-nx0 ## db -db_host: 10.0.5.43 +db_host: cs9-nc-db0.test.virt.g02.org nextcloud_db: nextcloud nextcloud_db_user: nextcloud -nextcloud_db_user_password: Una contraseña bien, pero bien difícil. +nextcloud_db_user_password: Unacontraseñabien. +postgresql_firewalld_enabled: true ## LDAP ldap_enabled: false 
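Review bot: In vars/main.example.yaml, `nextcloud_host_ip` and `reverse_proxy_ip` look up `hostvars['cs9-nc-nx0.test.virt.g02.org']`, a host that exists only in the maintainers' test inventory, so anyone using this example with the shipped `inventory-example-*` files (which define `nx0.example.com`) gets an undefined-variable failure. Derive the address from the group instead: `nextcloud_host_ip: "{{ hostvars[groups['nextcloud'][0]]['ansible_default_ipv4']['address'] }}"` and the same expression for `reverse_proxy_ip`. Separately, `ldap_agent_password` holds what looks like a real 41-character credential, bound as `cn=Directory Manager` (the directory superuser) against `dc=softwarelibre,dc=mx`, and `ldapPort: 389` with no `ldaps://` or STARTTLS setting visible means that bind password would cross the network in clear; an example file should carry an obvious placeholder such as `ldap_agent_password: change_me`, use a read-only service account rather than Directory Manager, and note that LDAP should go over TLS. If that value was ever valid it should be rotated.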
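Review bot: The renamed vars/main.test.yaml now pairs live hostnames (`cs9-nc-nx0.test.virt.g02.org`, `cs9-nc-db0.test.virt.g02.org`) with working `nextcloud_admin_password` and `nextcloud_db_user_password` values in plaintext, and the `.gitignore` change in this commit stops ignoring the file, so these are real secrets in version control. Move the credential keys into an ansible-vault-encrypted file (for instance `vars/secrets.test.yaml`, loaded after `main.test.yaml` in each play's `vars_files`) or keep `main.test.yaml` untracked, and rotate the values that have been committed. Note also that `nextcloud_admin_password: UnaContraseñaBienDifícil.` is now identical to the value shipped in `vars/main.example.yaml`, which is exactly the password anyone reading the repository will try first.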
@@ -48,7 +49,7 @@ ldapConfigurationActive: 1 nextcloud_occ: "{{ nextcloud_path }}/occ" ## S3 -nextcloud_s3_enabled: true +nextcloud_s3_enabled: false nextcloud_s3_hostname: dirección_ip_o_hostname # cámbiame nextcloud_s3_key: usuario # cámbiame nextcloud_s3_secret: password_muy_difícil # cámbiame @@ -57,14 +58,16 @@ nextcloud_s3_bucket: contenedor # cámbiame ## security ## Set this to true for production nextcloud_config_is_read_only: true +nextcloud_firewalld_enabled: true # Redis -redis_host: 10.0.5.53 +redis_host: cs9-nc-rds0.test.virt.g02.org redis_user: nextcloud redis_password: ParángariCutirimiNoMeAcuerdoCuaro redis_url: "https://{{ redis_host }}" redis_path: /etc/redis +redis_firewalld_enabled: true # SSL 
@@ -76,39 +79,40 @@ generate_self_signed_cert: true # Colabora Online (coolwsd) -coolwsd_host: 10.0.5.64 +coolwsd_host: cs9-nc-cl0.test.virt.g02.org code_enable_ssl: false code_enable_ssl_termination: true code_ssl_key: "" code_ssl_cert: "" code_ssl_ca: "" +code_firewalld_enabled: true ## The only way to make notify_push work without a signed cert is to use plain http notify_push_nextcloud_url: http://localhost # reverse proxy -reverse_proxy_ip: 10.0.5.1 +reverse_proxy_ip: "{{ hostvars['cs9-nc-nx0.test.virt.g02.org']['ansible_default_ipv4']['address'] }}" # turn -turn_fqdn: turn0.midominio.tld +turn_fqdn: f40-nc-turn0.test.virt.g02.org turn_firewalld_enabled: false -turn_letsencrypt_certificate_enabled: true +turn_letsencrypt_certificate_enabled: false turn_static_auth_secret: OtroSecretoBienSuperDifícilDeAdivinar # nats -nats_fqdn: turn0.midominio.tld +nats_fqdn: f40-nc-turn0.test.virt.g02.org nats_firewalld_enabled: false nats_letsencrypt_certificate_enabled: false # signaling -signaling_fqdn: turn0.midominio.tld +signaling_fqdn: f40-nc-turn0.test.virt.g02.org signaling_debug: false signaling_firewalld_enabled: false -signaling_letsencrypt_certificate_enabled: true +signaling_letsencrypt_certificate_enabled: false signaling_connections_per_host: 16 signaling_backend_name: nextcloud signaling_checksum: sha256:fb505651bab4f91f6c60d2308541e1bf695f4177aa4f92e01bc1c8982bd3db76