strepsirrhini/lemur
4
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated Nextcloud + collabora + notify_push

Browse source 
* Idempotent
* Parametrized SSL settings for:
  * nginx
  * collabora
  * redis
This commit is contained in:
Iván Chavero 2021-08-29 17:19:56 -06:00
parent 386717a312
commit fd502fb289
4 changed files with 171 additions and 74 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
.gitignore vendored Normal file
View file

@ -0,0 +1,9 @@
# miscellaneous junk
*~
.DS_Store
.idea
.project
.vscode
# editor swap files
.*.sw?

10
nextcloud/ansible/files/loolwsd.xml.j2
View file

@ -114,11 +114,11 @@
</net> </net>
<ssl desc="SSL settings"> <ssl desc="SSL settings">
<enable type="bool" desc="Controls whether SSL encryption between browser and loolwsd is enabled (do not disable for production deployment). If default is false, must first be compiled with SSL support to enable." default="true">true</enable> <enable type="bool" desc="Controls whether SSL encryption between browser and loolwsd is enabled (do not disable for production deployment). If default is false, must first be compiled with SSL support to enable." default="true">{{ code_enable_ssl }}</enable>
<termination desc="Connection via proxy where loolwsd acts as working via https, but actually uses http." type="bool" default="true">false</termination> <termination desc="Connection via proxy where loolwsd acts as working via https, but actually uses http." type="bool" default="true">{{ code_enable_ssl_termination }}</termination>
<cert_file_path desc="Path to the cert file" relative="false">/etc/loolwsd/cert.pem</cert_file_path> <cert_file_path desc="Path to the cert file" relative="false">{{ code_ssl_cert }}</cert_file_path>
<key_file_path desc="Path to the key file" relative="false">/etc/loolwsd/key.pem</key_file_path> <key_file_path desc="Path to the key file" relative="false">{{ code_ssl_key }}</key_file_path>
<ca_file_path desc="Path to the ca file" relative="false">/etc/loolwsd/ca-chain.cert.pem</ca_file_path> <ca_file_path desc="Path to the ca file" relative="false">{{ code_ssl_ca }}</ca_file_path>
<cipher_list desc="List of OpenSSL ciphers to accept" default="ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"></cipher_list> <cipher_list desc="List of OpenSSL ciphers to accept" default="ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"></cipher_list>
<hpkp desc="Enable HTTP Public key pinning" enable="false" report_only="false"> <hpkp desc="Enable HTTP Public key pinning" enable="false" report_only="false">
<max_age desc="HPKP's max-age directive - time in seconds browser should remember the pins" enable="true">1000</max_age> <max_age desc="HPKP's max-age directive - time in seconds browser should remember the pins" enable="true">1000</max_age>

108
nextcloud/ansible/files/nextcloud_nginx.conf.j2
View file

@ -62,6 +62,58 @@ server {
# Path to the root of your installation # Path to the root of your installation
root {{ nextcloud_path }}; root {{ nextcloud_path }};
###########################################################################
# #
# #
# C O L L A B O R A C O N F I G #
# #
# https://www.collaboraoffice.com/code/nginx-reverse-proxy/ #
# #
###########################################################################
# static files
location ^~ /loleaflet {
proxy_pass http://localhost:9980;
proxy_set_header Host $http_host;
}
# WOPI discovery URL
location ^~ /hosting/discovery {
proxy_pass http://localhost:9980;
proxy_set_header Host $http_host;
}
# Capabilities
location ^~ /hosting/capabilities {
proxy_pass http://localhost:9980;
proxy_set_header Host $http_host;
}
# main websocket
location ~ ^/lool/(.*)/ws$ {
proxy_pass http://localhost:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $http_host;
proxy_read_timeout 36000s;
}
# download, presentation and image upload
location ~ ^/lool {
proxy_pass http://localhost:9980;
proxy_set_header Host $http_host;
}
# Admin Console websocket
location ^~ /lool/adminws {
proxy_pass http://localhost:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $http_host;
proxy_read_timeout 36000s;
}
# Specify how to handle directories -- specifying `/index.php$request_uri` # Specify how to handle directories -- specifying `/index.php$request_uri`
# here as the fallback means that Nginx always exhibits the desired behaviour # here as the fallback means that Nginx always exhibits the desired behaviour
# when a client requests a path that corresponds to a directory that exists # when a client requests a path that corresponds to a directory that exists
@ -162,61 +214,5 @@ server {
location / { location / {
try_files $uri $uri/ /index.php$request_uri; try_files $uri $uri/ /index.php$request_uri;
} }
###########################################################################
# #
# #
# C O L L A B O R A C O N F I G #
# #
# https://www.collaboraoffice.com/code/nginx-reverse-proxy/ #
# #
###########################################################################
# static files
location ^~ /loleaflet {
proxy_pass http://localhost:9980;
proxy_set_header Host $http_host;
}
# WOPI discovery URL
location ^~ /hosting/discovery {
proxy_pass http://localhost:9980;
proxy_set_header Host $http_host;
}
# Capabilities
location ^~ /hosting/capabilities {
proxy_pass http://localhost:9980;
proxy_set_header Host $http_host;
}
# main websocket
location ~ ^/lool/(.*)/ws$ {
proxy_pass http://localhost:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $http_host;
proxy_read_timeout 36000s;
}
# download, presentation and image upload
location ~ ^/lool {
proxy_pass http://localhost:9980;
proxy_set_header Host $http_host;
}
# Admin Console websocket
location ^~ /lool/adminws {
proxy_pass http://localhost:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $http_host;
proxy_read_timeout 36000s;
}
} }

118
nextcloud/ansible/nextcloud_appliance.yaml
View file

@ -37,6 +37,11 @@
nginx_ssl_key_file: "/etc/ssl/nginx/self_signed.key" nginx_ssl_key_file: "/etc/ssl/nginx/self_signed.key"
nginx_ssl_csr_file: "/etc/ssl/nginx/self_signed.csr" nginx_ssl_csr_file: "/etc/ssl/nginx/self_signed.csr"
#nextcloud_domain: "cloud.example.com" #nextcloud_domain: "cloud.example.com"
code_enable_ssl: false
code_enable_ssl_termination: true
code_ssl_key: ""
code_ssl_cert: ""
code_ssl_ca: ""
pre_tasks: pre_tasks:
@ -47,19 +52,28 @@
- name: Create nextcloud custom facts - name: Create nextcloud custom facts
copy: copy:
dest: /etc/ansible/facts.d/is_nextcloud_installed.fact dest: /etc/ansible/facts.d/nextcloud.fact
mode: 0775 mode: 0775
force: yes force: yes
content: | content: |
#!/usr/bin/bash #!/usr/bin/bash
FACTS=''
INSTALLED=$(sudo -u www-data /usr/bin/php /var/www/html/occ status | grep installed | cut -d':' -f 2 | sed 's/ //') INSTALLED=$(sudo -u www-data /usr/bin/php /var/www/html/occ status | grep installed | cut -d':' -f 2 | sed 's/ //')
if [[ "${INSTALLED}" == "true" ]]; then if [[ "${INSTALLED}" == "true" ]]; then
echo "true" FACTS="{\"is_installed\": true"
else else
echo "false" FACTS="{\"is_installed\": false"
fi fi
CODE_INSTALLED=$(sudo -u www-data /usr/bin/php /var/www/html/occ app:list | grep richdocuments)
if [[ "${CODE_INSTALLED}" == *"richdocumentscode"* ]]; then
FACTS="${FACTS},\n\"is_code_installed\": true}"
else
FACTS="${FACTS},\n\"is_code_installed\": false}"
fi
echo -e "${FACTS}"
tags: tags:
- check_facts - check_facts
- name: Reload facts - name: Reload facts
setup: setup:
tags: tags:
@ -87,6 +101,7 @@
action: package name={{item}} state=present action: package name={{item}} state=present
with_items: with_items:
- nginx - nginx
- sudo
- php-fpm - php-fpm
- postgresql - postgresql
- postgresql-server - postgresql-server
@ -154,6 +169,7 @@
with_items: with_items:
- dirmngr - dirmngr
- nginx - nginx
- sudo
- php-fpm - php-fpm
- postgresql-all - postgresql-all
- python3-psycopg2 - python3-psycopg2
@ -180,6 +196,24 @@
- php-redis - php-redis
- python3-openssl - python3-openssl
- name: Get php version
shell: "php -v | grep built | cut -d '.' -f 1,2 | sed 's/PHP //'"
register: php_version
tags:
- php_ver
- name: Update the php_ini_path variable
set_fact:
php_ini_path: "/etc/php/{{ php_version.stdout }}/fpm"
- name: Update the php_pool_path variable
set_fact:
php_pool_path: "/etc/php/{{ php_version.stdout }}/fpm/pool.d"
- name: Update the php_fpm_service variable
set_fact:
php_fpm_service: "php{{ php_version.stdout }}-fpm"
- name: Add Collabora apt key by id from keyserver for Debian 10 - name: Add Collabora apt key by id from keyserver for Debian 10
ansible.builtin.apt_key: ansible.builtin.apt_key:
#keyserver: keyserver.ubuntu.com #keyserver: keyserver.ubuntu.com
@ -217,8 +251,8 @@
- name: Configure Nginx Nextcloud pool - name: Configure Nginx Nextcloud pool
template: src=files/nextcloud_nginx.conf.j2 dest="{{ nginx_path }}/nextcloud_nginx.conf" template: src=files/nextcloud_nginx.conf.j2 dest="{{ nginx_path }}/nextcloud_nginx.conf"
tags:
- notify_push
- name: Configure PHP - name: Configure PHP
template: src=files/php.ini.j2 dest="{{ php_ini_path }}/php.ini" template: src=files/php.ini.j2 dest="{{ php_ini_path }}/php.ini"
@ -244,7 +278,7 @@
extra_opts: extra_opts:
- --strip-components=1 - --strip-components=1
when: when:
ansible_local['is_nextcloud_installed'] != true ansible_local['nextcloud']['is_installed'] != true
- name: Create nginx ssl directory - name: Create nginx ssl directory
file: file:
@ -282,6 +316,8 @@
name: nginx name: nginx
enabled: yes enabled: yes
state: restarted state: restarted
tags:
- notify_push
- name: Enable php-fpm service - name: Enable php-fpm service
systemd: systemd:
@ -364,7 +400,7 @@
become_user: "{{ web_user }}" become_user: "{{ web_user }}"
when: when:
ansible_local['is_nextcloud_installed'] != true ansible_local['nextcloud']['is_installed'] != true
- name: Configure Nextcloud Redis - name: Configure Nextcloud Redis
ansible.builtin.shell: ansible.builtin.shell:
@ -387,7 +423,32 @@
become: true become: true
become_user: "{{ web_user }}" become_user: "{{ web_user }}"
- name: Configure localhost as trusted proxy
ansible.builtin.shell:
cmd: /usr/bin/php "{{ nextcloud_occ }}" config:system:set trusted_proxies 0 --value=127.0.0.1
chdir: "{{ document_root }}"
become: true
become_user: "{{ web_user }}"
tags:
- notify_push
- name: "configure {{ nextcloud_domain }} as trusted proxy"
ansible.builtin.shell:
cmd: /usr/bin/php "{{ nextcloud_occ }}" config:system:set trusted_proxies 1 --value={{ nextcloud_domain_name}}
chdir: "{{ document_root }}"
become: true
become_user: "{{ web_user }}"
tags:
- notify_push
- name: "configure ::1 as trusted proxy"
ansible.builtin.shell:
cmd: /usr/bin/php "{{ nextcloud_occ }}" config:system:set trusted_proxies 2 --value=::1
chdir: "{{ document_root }}"
become: true
become_user: "{{ web_user }}"
tags:
- notify_push
- name: Enable Nextcloud High Performance Backend - name: Enable Nextcloud High Performance Backend
ansible.builtin.shell: ansible.builtin.shell:
@ -411,20 +472,43 @@
become_user: "{{ web_user }}" become_user: "{{ web_user }}"
tags: tags:
- redis - redis
- notify_push
- name: Copy collabora configuration files - name: Copy collabora configuration files
template: src=files/loolwsd.xml.j2 dest=/etc/loolwsd/loolwsd.xml template: src=files/loolwsd.xml.j2 dest=/etc/loolwsd/loolwsd.xml
- name: Enable Libre Office Web services
systemd:
name: loolwsd
enabled: yes
state: restarted
tags:
- nextcloud_collabora
- name: Install Collabora Office nextcloud app - name: Install Collabora Office nextcloud app
ansible.builtin.shell: ansible.builtin.shell:
cmd: /usr/bin/php "{{ nextcloud_occ }}" onfig:app:set --value "https://{{ nextcloud_domain_name }} richdocuments wopi_url" cmd: /usr/bin/php "{{ nextcloud_occ }}" app:install richdocuments
chdir: "{{ document_root }}" chdir: "{{ document_root }}"
become: true become: true
become_user: "{{ web_user }}" become_user: "{{ web_user }}"
tags: tags:
- nextcloud_collabora - nextcloud_collabora
when:
ansible_local['nextcloud']['is_code_installed'] != true
- name: Configure Collabora Office nextcloud app - name: Configure Collabora Office nextcloud app
ansible.builtin.shell:
cmd: /usr/bin/php "{{ nextcloud_occ }}" config:app:set --value "https://{{nextcloud_domain_name}}" richdocuments wopi_url
chdir: "{{ document_root }}"
become: true
become_user: "{{ web_user }}"
tags:
- nextcloud_collabora
when:
ansible_local['nextcloud']['is_code_installed'] == true
- name: Activate Collabora Office nextcloud app
ansible.builtin.shell: ansible.builtin.shell:
cmd: /usr/bin/php "{{ nextcloud_occ }}" richdocuments:activate-config cmd: /usr/bin/php "{{ nextcloud_occ }}" richdocuments:activate-config
chdir: "{{ document_root }}" chdir: "{{ document_root }}"
@ -432,10 +516,18 @@
become_user: "{{ web_user }}" become_user: "{{ web_user }}"
tags: tags:
- nextcloud_collabora - nextcloud_collabora
when:
ansible_local['nextcloud']['is_code_installed'] == true
- name: Allow local remote servers for nextcloud
ansible.builtin.shell:
cmd: /usr/bin/php "{{ nextcloud_occ }}" config:system:set allow_local_remote_servers --value true --type bool
chdir: "{{ document_root }}"
become: true
become_user: "{{ web_user }}"
tags:
- nextcloud_collabora
when:
ansible_local['nextcloud']['is_code_installed'] == true
- name: Enable Libre Office Web services
systemd:
name: loolwsd
enabled: yes
state: restarted