Many updates and fixes

nextcloud/ansible/.gitignore

@@ -7,7 +7,8 @@ files/backups/*
 
 # variable3s
 vars/main.*.yaml
-!vars/main.ejemplo.yaml
+!vars/main.example.yaml
+!vars/main.test.yaml
 
 # misc
 *~

nextcloud/ansible/deploy-example-talk-ha.yaml

@@ -32,7 +32,6 @@
   roles:
     - name: redis
 
-# Este es el collabora
 - hosts: coolwsd
   vars_files:
     - "vars/{{ ansible_facts['os_family'] }}.yaml"
@@ -51,8 +50,8 @@
 
 - hosts: turn
   vars_files:
-    - vars/main.example.yaml
     - "vars/{{ ansible_facts['os_family'] }}.yaml"
+    - vars/main.example.yaml
   roles:
     - name: turn
     - name: nats-server

nextcloud/ansible/deploy-test.yaml

@@ -1,7 +1,7 @@
 - hosts: localhost
   vars_files:
-    - vars/main.test.yaml
     - "vars/{{ ansible_facts['os_family'] }}.yaml"
+    - vars/main.test.yaml
   vars:
     services:
       - nginx
@@ -11,38 +11,37 @@
     - name: certificates
 
 - hosts: all
-  serial: 1
   vars_files:
-    - vars/main.test.yaml
     - "vars/{{ ansible_facts['os_family'] }}.yaml"
+    - vars/main.test.yaml
   roles:
     - name: common
 
 - hosts: postgresql
   vars_files:
-    - vars/main.test.yaml
     - "vars/{{ ansible_facts['os_family'] }}.yaml"
+    - vars/main.test.yaml
   roles:
     - name: postgresql
 
 - hosts: redis
   vars_files:
-    - vars/main.test.yaml
     - "vars/{{ ansible_facts['os_family'] }}.yaml"
+    - vars/main.test.yaml
   roles:
     - name: redis
 
 - hosts: coolwsd
   vars_files:
-    - vars/main.test.yaml
     - "vars/{{ ansible_facts['os_family'] }}.yaml"
+    - vars/main.test.yaml
   roles:
     - name: coolwsd
 
 - hosts: nextcloud
   vars_files:
-    - vars/main.test.yaml
     - "vars/{{ ansible_facts['os_family'] }}.yaml"
+    - vars/main.test.yaml
   roles:
     - name: nextcloud
     - name: coolwsd-nginx
@@ -50,11 +49,10 @@
 
 - hosts: turn
   vars_files:
-    - vars/main.test.yaml
     - "vars/{{ ansible_facts['os_family'] }}.yaml"
+    - vars/main.test.yaml
   roles:
     - name: turn
     - name: nats-server
     - name: signaling-server
     - name: janus
-

nextcloud/ansible/inventory-example-single-no-talk-ha

@@ -1,12 +1,29 @@
-[redis]
+# If your FQDNs are resolvable, then you don't need the ansible_host= part. If they're not, you need to change the IPs and add all
-<your server fqdn>
+# these entries to the /etc/hosts file of the deployment server (a.k.a. where the ansible-playbooks reside).
-
+#
-[postgresql]
+# For example:
-<your server fqdn>
+#
+# /etc/hosts:
+# # Loopback entries; do not change.
+# For historical reasons, localhost precedes localhost.localdomain:
+# 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
+# ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
+#
+# # my nextcloud
+# 192.168.0.10 nx0.example.com nx0
+# 192.168.0.11 db0.example.com db0
+# 192.168.0.12 rds0.example.com rds0
+# 192.168.0.13 cl0.example.com cl0
 
 [nextcloud]
-<your server fqdn>
+nx0.example.com ansible_host=192.168.0.10
+
+[postgresql]
+db0.example.com ansible_host=192.168.0.11
+
+[redis]
+rds0.example.com ansible_host=192.168.0.12
 
 [coolwsd]
-<your server fqdn>
+cl0.example.com ansible_host=192.168.0.13
 

nextcloud/ansible/inventory-example-talk-ha

@@ -1,25 +1,42 @@
-[redis]
+# If your FQDNs are resolvable, then you don't need the ansible_host= part. If they're not, you need to change the IPs and add all
-<your server fqdn>
+# these entries to the /etc/hosts file of the deployment server (a.k.a. where the ansible-playbooks reside).
-
+#
-[postgresql]
+# For example:
-<your server fqdn>
+#
+# /etc/hosts:
+# # Loopback entries; do not change.
+# For historical reasons, localhost precedes localhost.localdomain:
+# 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
+# ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
+#
+# # my nextcloud
+# 192.168.0.10 nx0.example.com nx0
+# 192.168.0.11 db0.example.com db0
+# 192.168.0.12 rds0.example.com rds0
+# 192.168.0.13 cl0.example.com cl0
+# 192.168.0.14 turn0.example.com turn0
 
 [nextcloud]
-<your server fqdn>
+nx0.example.com ansible_host=192.168.0.10
+
+[postgresql]
+db0.example.com ansible_host=192.168.0.11
+
+[redis]
+rds0.example.com ansible_host=192.168.0.12
 
 [coolwsd]
-<your server fqdn>
+cl0.example.com ansible_host=192.168.0.13
 
-
+# Nextcloud Talk
-# Uncomment this if you're going to use HA with Nextcloud Talk
 [turn]
-<turn server fqdn>
+turn0.example.com ansible_host=192.168.0.14
 
 [nats]
-<nats server fqdn> ansible_host=<nats server IP>
+turn0.example.com ansible_host=192.168.0.14
 
 [signaling]
-<signaling spreed server fqdn> ansible_host=<signaling server IP>
+turn0.example.com ansible_host=192.168.0.14
 
 [janus]
-<janus server fqdn> ansible_host=<janus server IP>
+turn0.example.com ansible_host=192.168.0.14

nextcloud/ansible/inventory-test

@@ -1,24 +1,23 @@
 [nextcloud]
-nx0-test.libreoffice.gob.mx ansible_host=10.201.15.250
+nx0.test.virt.g02.org ansible_host=192.168.0.41
 
 [postgresql]
-db0-test.libreoffice.gob.mx ansible_host=10.201.15.220
+db0.test.virt.g02.org ansible_host=192.168.0.40
 
 [redis]
-rds0-test.libreoffice.gob.mx ansible_host=10.201.15.24
+rds0.test.virt.g02.org ansible_host=192.168.0.39
 
 [coolwsd]
-clwsd0-test.libreoffice.gob.mx ansible_host=10.201.15.132
+cl0.test.virt.g02.org ansible_host=192.168.0.42
 
 [turn]
-turn1.softwarelibre.mx
+turn0.test.virt.g02.org ansible_host=192.168.0.43
 
 [nats]
-nats1.softwarelibre.mx ansible_host=10.201.15.199
+turn0.test.virt.g02.org ansible_host=192.168.0.43
 
 [signaling]
-signaling1.softwarelibre.mx ansible_host=10.201.15.199
+turn0.test.virt.g02.org ansible_host=192.168.0.43
 
 [janus]
-janus1.softwarelibre.mx ansible_host=10.201.15.199
+turn0.test.virt.g02.org ansible_host=192.168.0.43
-

nextcloud/ansible/roles/common/tasks/main.yml

@@ -24,3 +24,17 @@
   include_tasks: redhat_tasks.yaml
   when: ansible_facts['os_family'] == 'RedHat'
 
+- name: "Set hostname"
+  ansible.builtin.hostname:
+    name: "{{ inventory_hostname }}"
+    use: systemd
+
+- name: "Build hosts file"
+  lineinfile:
+    dest: /etc/hosts
+    regexp: '.*{{ item }}$'
+    line: "{{ hostvars[item]['ansible_default_ipv4']['address'] }} {{ hostvars[item]['ansible_fqdn'] }} {{ hostvars[item]['ansible_hostname'] }}"
+    state: present
+  when: hostvars[item].ansible_default_ipv4.address is defined
+  loop: "{{ groups['all'] }}"
+

nextcloud/ansible/roles/coolwsd/tasks/main.yaml

@@ -15,7 +15,7 @@
     group: root
 
 - name: Install Collabora Online Packages
-  package: 
+  package:
     name:
       - coolwsd
     state: latest
@@ -33,3 +33,13 @@
   tags:
     - nextcloud_collabora
 
+- name: Open up required firewall ports
+  block:
+    - name: Open ports for CODE service
+      ansible.posix.firewalld:
+        port: 9980/tcp
+        permanent: yes
+        immediate: true
+        state: enabled
+  when: code_firewalld_enabled | bool
+

nextcloud/ansible/roles/nextcloud/tasks/main.yml

@@ -3,6 +3,7 @@
   package:
     state: latest
     name:
+      - bzip2
       - nginx
       - php-cli
       - php-curl
@@ -18,6 +19,8 @@
       - php-json
       - php-ldap
       - php-mbstring
+      - php-memcache
+      - php-opcache
       - php-openssl
       - php-pcre
       - php-pdo
@@ -36,7 +39,6 @@
       - python3-pyOpenSSL
       - sudo
       - tar
-      - bzip2
 
 - name: Create nextcloud nginx configuration directory
   ansible.builtin.file:
@@ -137,6 +139,24 @@
     enabled: yes
     state: restarted
 
+
+- name: Open up required firewall ports
+  block:
+    - name: Open ports for HTTP service
+      ansible.posix.firewalld:
+        service: http
+        permanent: yes
+        immediate: true
+        state: enabled
+
+    - name: Open ports for HTTPS service
+      ansible.posix.firewalld:
+        service: https
+        permanent: yes
+        immediate: true
+        state: enabled
+  when: nextcloud_firewalld_enabled | bool
+
 - name: Remove config_is_read_only setting from config.php
   lineinfile:
     path: "{{ nextcloud_path }}/config/config.php"

nextcloud/ansible/roles/postgresql/tasks/main.yml

@@ -75,3 +75,13 @@
   tags:
     - database
 
+- name: Open up required firewall ports
+  block:
+    - name: Open ports for PostgreSQL service
+      ansible.posix.firewalld:
+        service: postgresql
+        permanent: yes
+        immediate: true
+        state: enabled
+  when: postgresql_firewalld_enabled | bool
+

nextcloud/ansible/roles/pre/tasks/main.yml

@@ -1,54 +1,31 @@
 ---
 # tasks file for pre
-  - name: Update the /etc/hosts file with node host name
+- name: Create fact directory
-    tags: etchostsupdate
+  file:
-    become: yes
+    path: /etc/ansible/facts.d/
-    become_user: root
+    state: directory
-    lineinfile:
-      path: "/etc/hosts"
-      regexp: ".*\t{{ ansible_hostname }}"
-      #TODO: crear una variable que tenga la IP del balanceador
-      line: "{{ nextcloud_host_ip }}\t{{ nextcloud_fqdn }} {{ nextcloud_hostname }}"
-      state: present
-      backup: yes
-    register: etchostsupdate
 
-#  - name: Update the /etc/hosts file with node domain name
+- name: Create nextcloud custom facts
-#    tags: etchostsupdate_domain
+  copy:
-#    become: yes
+    src: nextcloud.fact
-#    become_user: root
+    dest: /etc/ansible/facts.d/nextcloud.fact
-#    lineinfile:
+    mode: 0775
-#      path: "/etc/hosts"
+    force: yes
-#      line: "{{ nextcloud_host }}\t{{ nextcloud_fqdn }}"
+  tags:
-#      state: present
+    - check_facts
-#      backup: yes
 
-  - name: Create fact directory
+- name: Check if nextcloud is unpacked
-    file:
+  stat:
-      path: /etc/ansible/facts.d/
+    path: /var/www/html/config/config.sample.php
-      state: directory
+  register: nextcloud_is_unpacked
 
-  - name: Create nextcloud custom facts
+- name: Reload facts
-    copy:
+  setup:
-      src: nextcloud.fact
+  tags:
-      dest: /etc/ansible/facts.d/nextcloud.fact
+    - check_facts
-      mode: 0775
-      force: yes
-    tags:
-      - check_facts
 
-  - name: Check if nextcloud is unpacked
+- name: Pre tasks for Red Hat distros
-    stat:
+  include_tasks: redhat_pre_tasks.yaml
-      path: /var/www/html/config/config.sample.php
+  when:
-    register: nextcloud_is_unpacked
+    ansible_facts['os_family'] == "RedHat"
-
-  - name: Reload facts
-    setup:
-    tags:
-      - check_facts
-
-  - name: Pre tasks for Red Hat distros
-    include_tasks: redhat_pre_tasks.yaml
-    when:
-      ansible_facts['os_family'] == "RedHat"
 

nextcloud/ansible/roles/redis/tasks/main.yml

@@ -33,3 +33,13 @@
   tags:
     - check_redis
 
+- name: Open up required firewall ports
+  block:
+    - name: Open ports for Redis service
+      ansible.posix.firewalld:
+        service: redis
+        permanent: yes
+        immediate: true
+        state: enabled
+  when: redis_firewalld_enabled | bool
+

nextcloud/ansible/vars/main.example.yaml

@@ -0,0 +1,133 @@
+---
+
+# NextCloud
+# The nexctloud_checksum changes with every release to get this string go to:
+# https://download.nextcloud.com/server/releases/ and download the *.sha256 file
+# for the proper version
+## version
+nextcloud_version: 29.0.2
+nextcloud_checksum: "sha256:2d49d297dc340092021057823e8e78a312bc00f56de7d8677ac790590918ab17"
+nextcloud_url: https://download.nextcloud.com/server/releases/nextcloud-{{ nextcloud_version }}.tar.bz2
+php_version: 8.3
+
+## credentials
+nextcloud_admin_user: admin
+nextcloud_admin_password: UnaContraseñaBienDifícil.
+
+## domain
+nextcloud_fqdn: nx0.example.com
+nextcloud_host_ip: "{{ hostvars['cs9-nc-nx0.test.virt.g02.org']['ansible_default_ipv4']['address'] }}"
+nextcloud_hostname: nx0
+
+## db
+db_host: db0.example.com
+nextcloud_db: nextcloud
+nextcloud_db_user: nextcloud
+nextcloud_db_user_password: Unacontraseñabien.
+postgresql_firewalld_enabled: true
+
+## LDAP
+ldap_enabled: false
+ldap_agent_password: cIBI4mLESN1nSrAPr7pX3350NPXkD3vExjr27X1ju
+ldap_server_host: id0.example.com
+ldapBase: "cn=users,cn=accounts,dc=softwarelibre,dc=mx"
+ldapBaseGroups: "cn=users,cn=accounts,dc=softwarelibre,dc=mx"
+ldapBaseUsers: "cn=users,cn=accounts,dc=softwarelibre,dc=mx"
+ldapAgentName: "cn=Directory Manager"
+ldapAgentPassword: "{{ ldap_agent_password }}"
+ldapHost: "{{ ldap_server_host }}"
+hasMemberOfFilterSupport: 1
+ldapEmailAttribute: mail
+ldapLoginFilter: "(&(&(|(objectclass=posixAccount)))(|(uid=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))))"
+ldapPort: 389
+ldapUserFilter: "(&(|(objectclass=posixAccount)))"
+ldapUserFilterObjectclass: posixAccount
+ldapConfigurationActive: 1
+
+
+## occ
+nextcloud_occ: "{{ nextcloud_path }}/occ"
+
+## S3
+nextcloud_s3_enabled: true
+nextcloud_s3_hostname: fqdn_or_ip               # change me
+nextcloud_s3_key: usuario                       # change me
+nextcloud_s3_secret: password_muy_difícil       # change me
+nextcloud_s3_bucket: contenedor                 # change me
+
+## security
+## Set this to true for production
+nextcloud_config_is_read_only: true
+nextcloud_firewalld_enabled: true
+
+
+# Redis
+redis_host: rds0.example.com
+redis_user: nextcloud
+redis_password: ParángariCutirimiNoMeAcuerdoCuaro
+redis_url: "https://{{ redis_host }}"
+redis_path: /etc/redis
+redis_firewalld_enabled: true
+
+
+# SSL
+key_size: 4096
+key_type: RSA # Others include DSA, ECC, Ed25519, Ed448, X25519, X448
+country_name: MX
+organization_name: Mi Organización bien chida, LTD
+generate_self_signed_cert: true
+
+
+# Colabora Online (coolwsd)
+coolwsd_host: cl0.example.com
+code_enable_ssl: false
+code_enable_ssl_termination: true
+code_ssl_key: ""
+code_ssl_cert: ""
+code_ssl_ca: ""
+code_firewalld_enabled: true
+
+## The only way to make notify_push work without a signed cert is to use plain http
+notify_push_nextcloud_url: http://localhost
+
+
+# reverse proxy
+reverse_proxy_ip: "{{ hostvars['cs9-nc-nx0.test.virt.g02.org']['ansible_default_ipv4']['address'] }}"
+
+
+# turn
+turn_fqdn: turn0.example.com
+turn_firewalld_enabled: false
+turn_letsencrypt_certificate_enabled: true
+turn_static_auth_secret: OtroSecretoBienSuperDifícilDeAdivinar
+
+
+# nats
+nats_fqdn: turn0.example.com
+nats_firewalld_enabled: false
+nats_letsencrypt_certificate_enabled: false
+
+
+# signaling
+signaling_fqdn: turn0.example.com
+signaling_debug: false
+signaling_firewalld_enabled: false
+signaling_letsencrypt_certificate_enabled: true
+signaling_connections_per_host: 16
+signaling_backend_name: nextcloud
+signaling_checksum: sha256:fb505651bab4f91f6c60d2308541e1bf695f4177aa4f92e01bc1c8982bd3db76
+
+
+# janus
+janus_firewalld_enabled: false
+janus_letsencrypt_certificate_enabled: false
+janus_stun_server_ip: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}"
+janus_turn_server_ip: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}"
+
+
+# nextcloud spreed (talk)
+nextcloud_talk_turn_server: "{{ turn_fqdn }}"
+nextcloud_talk_signaling_server: "https://{{ turn_fqdn }}:8443"
+nextcloud_talk_signaling_server_secret: ElMegaSecretoDeSignalingQueNadieSabe.
+nextcloud_talk_stun_server: "{{ turn_fqdn }}"
+

nextcloud/ansible/vars/main.test.yaml

@@ -5,25 +5,26 @@
 # https://download.nextcloud.com/server/releases/ and download the *.sha256 file
 # for the proper version
 ## version
-nextcloud_version: 28.0.3
+nextcloud_version: 29.0.2
-nextcloud_checksum: "sha256:9ed413c0de16f5b033ceeffcca99c0d61fc698dbeb8db851ac9adf9eef951906"
+nextcloud_checksum: "sha256:2d49d297dc340092021057823e8e78a312bc00f56de7d8677ac790590918ab17"
-nextcloud_url: https://download.nextcloud.com/server/releases/nextcloud-28.0.3.tar.bz2
+nextcloud_url: https://download.nextcloud.com/server/releases/nextcloud-{{ nextcloud_version }}.tar.bz2
-php_version: 8.2
+php_version: 8.3
 
 ## credentials
-nextcloud_admin_user: el_admin
+nextcloud_admin_user: admin
-nextcloud_admin_password: Una contraseña bien difícil.
+nextcloud_admin_password: UnaContraseñaBienDifícil.
 
 ## domain
-nextcloud_fqdn: nextcloud.midominio.tld
+nextcloud_fqdn: cs9-nc-nx0.test.virt.g02.org
-nextcloud_host_ip: 10.0.5.33
+nextcloud_host_ip: "{{ hostvars['cs9-nc-nx0.test.virt.g02.org']['ansible_default_ipv4']['address'] }}"
-nextcloud_hostname: nextcloud
+nextcloud_hostname: cs9-nc-nx0
 
 ## db
-db_host: 10.0.5.43
+db_host: cs9-nc-db0.test.virt.g02.org
 nextcloud_db: nextcloud
 nextcloud_db_user: nextcloud
-nextcloud_db_user_password: Una contraseña bien, pero bien difícil.
+nextcloud_db_user_password: Unacontraseñabien.
+postgresql_firewalld_enabled: true
 
 ## LDAP
 ldap_enabled: false
@@ -48,7 +49,7 @@ ldapConfigurationActive: 1
 nextcloud_occ: "{{ nextcloud_path }}/occ"
 
 ## S3
-nextcloud_s3_enabled: true
+nextcloud_s3_enabled: false
 nextcloud_s3_hostname: dirección_ip_o_hostname  # cámbiame
 nextcloud_s3_key: usuario                       # cámbiame
 nextcloud_s3_secret: password_muy_difícil       # cámbiame
@@ -57,14 +58,16 @@ nextcloud_s3_bucket: contenedor                 # cámbiame
 ## security
 ## Set this to true for production
 nextcloud_config_is_read_only: true
+nextcloud_firewalld_enabled: true
 
 
 # Redis
-redis_host: 10.0.5.53
+redis_host: cs9-nc-rds0.test.virt.g02.org
 redis_user: nextcloud
 redis_password: ParángariCutirimiNoMeAcuerdoCuaro
 redis_url: "https://{{ redis_host }}"
 redis_path: /etc/redis
+redis_firewalld_enabled: true
 
 
 # SSL
@@ -76,39 +79,40 @@ generate_self_signed_cert: true
 
 
 # Colabora Online (coolwsd)
-coolwsd_host: 10.0.5.64
+coolwsd_host: cs9-nc-cl0.test.virt.g02.org
 code_enable_ssl: false
 code_enable_ssl_termination: true
 code_ssl_key: ""
 code_ssl_cert: ""
 code_ssl_ca: ""
+code_firewalld_enabled: true
 
 ## The only way to make notify_push work without a signed cert is to use plain http
 notify_push_nextcloud_url: http://localhost
 
 
 # reverse proxy
-reverse_proxy_ip: 10.0.5.1
+reverse_proxy_ip: "{{ hostvars['cs9-nc-nx0.test.virt.g02.org']['ansible_default_ipv4']['address'] }}"
 
 
 # turn
-turn_fqdn: turn0.midominio.tld
+turn_fqdn: f40-nc-turn0.test.virt.g02.org
 turn_firewalld_enabled: false
-turn_letsencrypt_certificate_enabled: true
+turn_letsencrypt_certificate_enabled: false
 turn_static_auth_secret: OtroSecretoBienSuperDifícilDeAdivinar
 
 
 # nats
-nats_fqdn: turn0.midominio.tld
+nats_fqdn: f40-nc-turn0.test.virt.g02.org
 nats_firewalld_enabled: false
 nats_letsencrypt_certificate_enabled: false
 
 
 # signaling
-signaling_fqdn: turn0.midominio.tld
+signaling_fqdn: f40-nc-turn0.test.virt.g02.org
 signaling_debug: false
 signaling_firewalld_enabled: false
-signaling_letsencrypt_certificate_enabled: true
+signaling_letsencrypt_certificate_enabled: false
 signaling_connections_per_host: 16
 signaling_backend_name: nextcloud
 signaling_checksum: sha256:fb505651bab4f91f6c60d2308541e1bf695f4177aa4f92e01bc1c8982bd3db76