From fd502fb289a59e975994f665df833523bb379b20 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Iv=C3=A1n=20Chavero?= Date: Sun, 29 Aug 2021 17:19:56 -0600 Subject: [PATCH] Updated Nextcloud + collabora + notify_push * Idempotent * Parametrized SSL settings for: * nginx * collabora * redis --- .gitignore | 9 ++ nextcloud/ansible/files/loolwsd.xml.j2 | 10 +- .../ansible/files/nextcloud_nginx.conf.j2 | 108 ++++++++-------- nextcloud/ansible/nextcloud_appliance.yaml | 118 ++++++++++++++++-- 4 files changed, 171 insertions(+), 74 deletions(-) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..e30ab2a --- /dev/null +++ b/.gitignore @@ -0,0 +1,9 @@ +# miscellaneous junk +*~ +.DS_Store +.idea +.project +.vscode + +# editor swap files +.*.sw? diff --git a/nextcloud/ansible/files/loolwsd.xml.j2 b/nextcloud/ansible/files/loolwsd.xml.j2 index 27014a8..a2e35b9 100644 --- a/nextcloud/ansible/files/loolwsd.xml.j2 +++ b/nextcloud/ansible/files/loolwsd.xml.j2 @@ -114,11 +114,11 @@ - true - false - /etc/loolwsd/cert.pem - /etc/loolwsd/key.pem - /etc/loolwsd/ca-chain.cert.pem + {{ code_enable_ssl }} + {{ code_enable_ssl_termination }} + {{ code_ssl_cert }} + {{ code_ssl_key }} + {{ code_ssl_ca }} 1000 diff --git a/nextcloud/ansible/files/nextcloud_nginx.conf.j2 b/nextcloud/ansible/files/nextcloud_nginx.conf.j2 index 0f63de4..b4a57cd 100644 --- a/nextcloud/ansible/files/nextcloud_nginx.conf.j2 +++ b/nextcloud/ansible/files/nextcloud_nginx.conf.j2 
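Review bot: The TLS switches are rendered with a bare `{{ code_enable_ssl }}` / `{{ code_enable_ssl_termination }}`, and the playbook defines them as YAML booleans (`code_enable_ssl: false`), so Jinja will emit `False`/`True` rather than the lowercase `true`/`false` this file used before. I cannot see whether loolwsd's config parser accepts the capitalised spelling, so render them as `{{ code_enable_ssl | lower }}` and `{{ code_enable_ssl_termination | lower }}` to keep the original form. The three path elements also drop their hard-coded `/etc/loolwsd/...` values for variables whose playbook defaults are empty strings, so a deployment that turns `code_enable_ssl` on without setting `code_ssl_cert`/`code_ssl_key` renders a TLS config that points at no files; the enclosing element's opening and closing tags are outside the visible hunk lines.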
@@ -62,6 +62,58 @@ server { # Path to the root of your installation root {{ nextcloud_path }}; + ########################################################################### + # # + # # + # C O L L A B O R A C O N F I G # + # # + # https://www.collaboraoffice.com/code/nginx-reverse-proxy/ # + # # + ########################################################################### + + + # static files + location ^~ /loleaflet { + proxy_pass http://localhost:9980; + proxy_set_header Host $http_host; + } + + # WOPI discovery URL + location ^~ /hosting/discovery { + proxy_pass http://localhost:9980; + proxy_set_header Host $http_host; + } + + # Capabilities + location ^~ /hosting/capabilities { + proxy_pass http://localhost:9980; + proxy_set_header Host $http_host; + } + + # main websocket + location ~ ^/lool/(.*)/ws$ { + proxy_pass http://localhost:9980; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host $http_host; + proxy_read_timeout 36000s; + } + + # download, presentation and image upload + location ~ ^/lool { + proxy_pass http://localhost:9980; + proxy_set_header Host $http_host; + } + + # Admin Console websocket + location ^~ /lool/adminws { + proxy_pass http://localhost:9980; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host $http_host; + proxy_read_timeout 36000s; + } + # Specify how to handle directories -- specifying `/index.php$request_uri` # here as the fallback means that Nginx always exhibits the desired behaviour # when a client requests a path that corresponds to a directory that exists 
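Review bot: The `location ^~ /lool/adminws` block proxies the Collabora admin-console websocket on the same public vhost as the document endpoints, so the loolwsd admin interface is reachable from anywhere the Nextcloud site is; it is protected only by whatever admin credentials loolwsd.xml carries, which this hunk does not show. Unless the console is needed remotely, restrict it to the host itself by adding `allow 127.0.0.1; allow ::1; deny all;` before `proxy_pass` in that block, or drop the block entirely. The surrounding `server {` block begins above this hunk and ends below it.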
@@ -162,61 +214,5 @@ server { location / { try_files $uri $uri/ /index.php$request_uri; } - - - - - ########################################################################### - # # - # # - # C O L L A B O R A C O N F I G # - # # - # https://www.collaboraoffice.com/code/nginx-reverse-proxy/ # - # # - ########################################################################### - - - # static files - location ^~ /loleaflet { - proxy_pass http://localhost:9980; - proxy_set_header Host $http_host; - } - - # WOPI discovery URL - location ^~ /hosting/discovery { - proxy_pass http://localhost:9980; - proxy_set_header Host $http_host; - } - - # Capabilities - location ^~ /hosting/capabilities { - proxy_pass http://localhost:9980; - proxy_set_header Host $http_host; - } - - # main websocket - location ~ ^/lool/(.*)/ws$ { - proxy_pass http://localhost:9980; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header Host $http_host; - proxy_read_timeout 36000s; - } - - # download, presentation and image upload - location ~ ^/lool { - proxy_pass http://localhost:9980; - proxy_set_header Host $http_host; - } - - # Admin Console websocket - location ^~ /lool/adminws { - proxy_pass http://localhost:9980; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header Host $http_host; - proxy_read_timeout 36000s; - } - } diff --git a/nextcloud/ansible/nextcloud_appliance.yaml b/nextcloud/ansible/nextcloud_appliance.yaml index 7d802cf..b209971 100644 --- a/nextcloud/ansible/nextcloud_appliance.yaml +++ b/nextcloud/ansible/nextcloud_appliance.yaml @@ -37,6 +37,11 @@ nginx_ssl_key_file: "/etc/ssl/nginx/self_signed.key" nginx_ssl_csr_file: "/etc/ssl/nginx/self_signed.csr" #nextcloud_domain: "cloud.example.com" + code_enable_ssl: false + code_enable_ssl_termination: true + code_ssl_key: "" + code_ssl_cert: "" + code_ssl_ca: "" pre_tasks: 
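Review bot: The new Collabora TLS variables default to `code_enable_ssl: false` with `code_ssl_key`, `code_ssl_cert` and `code_ssl_ca` all `""`, and nothing in the play stops a user from setting `code_enable_ssl: true` while leaving the paths empty, which would template a loolwsd config that references no key or certificate. A short `assert` in `pre_tasks` makes that misconfiguration fail before anything is written. It would also help to document the intended mode above these keys: `# Collabora TLS: enable=false/termination=true means nginx terminates TLS and proxies plain HTTP to loolwsd on localhost:9980; set code_ssl_* only when code_enable_ssl is true.`
```yaml
pre_tasks:
  - name: Require cert and key when loolwsd TLS is enabled
    ansible.builtin.assert:
      that:
        - code_ssl_cert | length > 0
        - code_ssl_key | length > 0
      fail_msg: "code_enable_ssl is true but code_ssl_cert/code_ssl_key are empty"
    when: code_enable_ssl | bool
  # … unchanged: existing pre_tasks …
```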
@@ -47,19 +52,28 @@ - name: Create nextcloud custom facts copy: - dest: /etc/ansible/facts.d/is_nextcloud_installed.fact + dest: /etc/ansible/facts.d/nextcloud.fact mode: 0775 force: yes content: | #!/usr/bin/bash + FACTS='' INSTALLED=$(sudo -u www-data /usr/bin/php /var/www/html/occ status | grep installed | cut -d':' -f 2 | sed 's/ //') if [[ "${INSTALLED}" == "true" ]]; then - echo "true" + FACTS="{\"is_installed\": true" else - echo "false" + FACTS="{\"is_installed\": false" fi + CODE_INSTALLED=$(sudo -u www-data /usr/bin/php /var/www/html/occ app:list | grep richdocuments) + if [[ "${CODE_INSTALLED}" == *"richdocumentscode"* ]]; then + FACTS="${FACTS},\n\"is_code_installed\": true}" + else + FACTS="${FACTS},\n\"is_code_installed\": false}" + fi + echo -e "${FACTS}" tags: - check_facts + - name: Reload facts setup: tags: @@ -87,6 +101,7 @@ action: package name={{item}} state=present with_items: - nginx + - sudo - php-fpm - postgresql - postgresql-server @@ -154,6 +169,7 @@ with_items: - dirmngr - nginx + - sudo - php-fpm - postgresql-all - python3-psycopg2 @@ -180,6 +196,24 @@ - php-redis - python3-openssl + - name: Get php version + shell: "php -v | grep built | cut -d '.' -f 1,2 | sed 's/PHP //'" + register: php_version + tags: + - php_ver + + - name: Update the php_ini_path variable + set_fact: + php_ini_path: "/etc/php/{{ php_version.stdout }}/fpm" + + - name: Update the php_pool_path variable + set_fact: + php_pool_path: "/etc/php/{{ php_version.stdout }}/fpm/pool.d" + + - name: Update the php_fpm_service variable + set_fact: + php_fpm_service: "php{{ php_version.stdout }}-fpm" + - name: Add Collabora apt key by id from keyserver for Debian 10 ansible.builtin.apt_key: #keyserver: keyserver.ubuntu.com 
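Review bot: The `is_code_installed` fact tests the `occ app:list` output for `richdocumentscode`, but the install task added later in this patch installs `richdocuments`, so unless `richdocumentscode` is installed by some other means the fact never becomes true, the install task re-runs on every play, and the `== true` guards on the configure tasks never fire. Match the app that is actually installed, `if [[ "${CODE_INSTALLED}" == *"richdocuments:"* ]]; then` (the trailing colon keeps it from matching the CODE-server app id), or parse `occ app:list --output=json` instead of grepping. Separately, `mode: 0775` makes a script that fact gathering executes group-writable; `mode: "0755"` is sufficient.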
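Review bot: The `Get php version` task is a `shell` pipeline with no `changed_when`, so it reports `changed` on every run, which works against the idempotency this commit is aiming for, and because `shell` is skipped in check mode the three `set_fact` tasks that follow would see `php_version` undefined there. Add `changed_when: false` and `check_mode: false` to that task. If you want to drop the `grep`/`cut`/`sed` chain, `php -r 'echo PHP_MAJOR_VERSION.".".PHP_MINOR_VERSION;'` yields the same `7.4`-style string directly.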
@@ -217,8 +251,8 @@ - name: Configure Nginx Nextcloud pool template: src=files/nextcloud_nginx.conf.j2 dest="{{ nginx_path }}/nextcloud_nginx.conf" - - + tags: + - notify_push - name: Configure PHP template: src=files/php.ini.j2 dest="{{ php_ini_path }}/php.ini" @@ -244,7 +278,7 @@ extra_opts: - --strip-components=1 when: - ansible_local['is_nextcloud_installed'] != true + ansible_local['nextcloud']['is_installed'] != true - name: Create nginx ssl directory file: @@ -282,6 +316,8 @@ name: nginx enabled: yes state: restarted + tags: + - notify_push - name: Enable php-fpm service systemd: @@ -364,7 +400,7 @@ become_user: "{{ web_user }}" when: - ansible_local['is_nextcloud_installed'] != true + ansible_local['nextcloud']['is_installed'] != true - name: Configure Nextcloud Redis ansible.builtin.shell: @@ -387,7 +423,32 @@ become: true become_user: "{{ web_user }}" + - name: Configure localhost as trusted proxy + ansible.builtin.shell: + cmd: /usr/bin/php "{{ nextcloud_occ }}" config:system:set trusted_proxies 0 --value=127.0.0.1 + chdir: "{{ document_root }}" + become: true + become_user: "{{ web_user }}" + tags: + - notify_push + - name: "configure {{ nextcloud_domain }} as trusted proxy" + ansible.builtin.shell: + cmd: /usr/bin/php "{{ nextcloud_occ }}" config:system:set trusted_proxies 1 --value={{ nextcloud_domain_name}} + chdir: "{{ document_root }}" + become: true + become_user: "{{ web_user }}" + tags: + - notify_push + + - name: "configure ::1 as trusted proxy" + ansible.builtin.shell: + cmd: /usr/bin/php "{{ nextcloud_occ }}" config:system:set trusted_proxies 2 --value=::1 + chdir: "{{ document_root }}" + become: true + become_user: "{{ web_user }}" + tags: + - notify_push - name: Enable Nextcloud High Performance Backend ansible.builtin.shell: 
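Review bot: `config:system:set trusted_proxies 1 --value={{ nextcloud_domain_name}}` puts a hostname into `trusted_proxies`, but as far as I can tell Nextcloud matches that list against the connecting peer's IP (the sample config documents addresses or CIDR ranges), so the entry never matches and only gives the impression that the public name is trusted; with nginx on the same host, `127.0.0.1` and `::1` are the entries that matter for honouring `X-Forwarded-For`. The task name also interpolates `nextcloud_domain` while the value uses `nextcloud_domain_name`. Writing indexed entries one at a time leaves any higher index from a previous run in place; if the installed Nextcloud supports it, replace the whole list atomically with `config:system:set trusted_proxies --type json --value '["127.0.0.1","::1"]'`.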
@@ -411,20 +472,43 @@ become_user: "{{ web_user }}" tags: - redis + - notify_push - name: Copy collabora configuration files template: src=files/loolwsd.xml.j2 dest=/etc/loolwsd/loolwsd.xml + - name: Enable Libre Office Web services + systemd: + name: loolwsd + enabled: yes + state: restarted + tags: + - nextcloud_collabora + - name: Install Collabora Office nextcloud app ansible.builtin.shell: - cmd: /usr/bin/php "{{ nextcloud_occ }}" onfig:app:set --value "https://{{ nextcloud_domain_name }} richdocuments wopi_url" + cmd: /usr/bin/php "{{ nextcloud_occ }}" app:install richdocuments chdir: "{{ document_root }}" become: true become_user: "{{ web_user }}" tags: - nextcloud_collabora + when: + ansible_local['nextcloud']['is_code_installed'] != true - name: Configure Collabora Office nextcloud app + ansible.builtin.shell: + cmd: /usr/bin/php "{{ nextcloud_occ }}" config:app:set --value "https://{{nextcloud_domain_name}}" richdocuments wopi_url + chdir: "{{ document_root }}" + become: true + become_user: "{{ web_user }}" + tags: + - nextcloud_collabora + when: + ansible_local['nextcloud']['is_code_installed'] == true + + + - name: Activate Collabora Office nextcloud app ansible.builtin.shell: cmd: /usr/bin/php "{{ nextcloud_occ }}" richdocuments:activate-config chdir: "{{ document_root }}" @@ -432,10 +516,18 @@ become_user: "{{ web_user }}" tags: - nextcloud_collabora + when: + ansible_local['nextcloud']['is_code_installed'] == true + + - name: Allow local remote servers for nextcloud + ansible.builtin.shell: + cmd: /usr/bin/php "{{ nextcloud_occ }}" config:system:set allow_local_remote_servers --value true --type bool + chdir: "{{ document_root }}" + become: true + become_user: "{{ web_user }}" + tags: + - nextcloud_collabora + when: + ansible_local['nextcloud']['is_code_installed'] == true - - name: Enable Libre Office Web services - systemd: - name: loolwsd - enabled: yes - state: restarted
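Review bot: On a fresh host `Install Collabora Office nextcloud app` runs because `is_code_installed` is false, but `Configure Collabora Office nextcloud app` and `Activate Collabora Office nextcloud app` are guarded by `is_code_installed == true` against the same fact, which was gathered in `pre_tasks` and is not refreshed after the install, so `wopi_url` and `richdocuments:activate-config` are skipped until a second run. Either re-run `ansible.builtin.setup` with `filter: ansible_local` right after the install task, or drop the `when:` from those two tasks, since `config:app:set` and `activate-config` are safe to repeat. The install task itself has no `changed_when`/`failed_when`, so if the fact is ever stale `app:install` on an already-installed app would likely fail the play.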
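Review bot: Setting `allow_local_remote_servers` to `true` is, if I read the Nextcloud option correctly, a global change: it disables the check that blocks server-side requests to local and private-network addresses for federated shares, external storage and any other fetch a user can trigger, not just the WOPI call to Collabora, so it widens SSRF exposure and deserves to be documented as a deliberate trade-off. Add a comment above the task: `# Disables Nextcloud's local/private-address (SSRF) check for ALL outbound requests; needed only because Collabora is reached through this host. Revisit if Collabora moves off-box.` If `wopi_url` could point at a non-local address instead, the setting could stay at its default.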