Updated Nextcloud + collabora + notify_push

* Idempotent * Parametrized SSL settings for: * nginx * collabora * redis
2021-08-29 17:19:56 -06:00 · 2021-08-29 17:19:56 -06:00 · fd502fb289
commit fd502fb289
parent 386717a312
4 changed files with 171 additions and 74 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,9 @@
+# miscellaneous junk
+*~
+.DS_Store
+.idea
+.project
+.vscode
+
+# editor swap files
+.*.sw?
--- a/nextcloud/ansible/files/loolwsd.xml.j2
+++ b/nextcloud/ansible/files/loolwsd.xml.j2
@ -114,11 +114,11 @@
    </net>

    <ssl desc="SSL settings">
-        <enable type="bool" desc="Controls whether SSL encryption between browser and loolwsd is enabled (do not disable for production deployment). If default is false, must first be compiled with SSL support to enable." default="true">true</enable>
-        <termination desc="Connection via proxy where loolwsd acts as working via https, but actually uses http." type="bool" default="true">false</termination>
-        <cert_file_path desc="Path to the cert file" relative="false">/etc/loolwsd/cert.pem</cert_file_path>
-        <key_file_path desc="Path to the key file" relative="false">/etc/loolwsd/key.pem</key_file_path>
-        <ca_file_path desc="Path to the ca file" relative="false">/etc/loolwsd/ca-chain.cert.pem</ca_file_path>
+        <enable type="bool" desc="Controls whether SSL encryption between browser and loolwsd is enabled (do not disable for production deployment). If default is false, must first be compiled with SSL support to enable." default="true">{{ code_enable_ssl }}</enable>
+        <termination desc="Connection via proxy where loolwsd acts as working via https, but actually uses http." type="bool" default="true">{{ code_enable_ssl_termination }}</termination>
+        <cert_file_path desc="Path to the cert file" relative="false">{{ code_ssl_cert }}</cert_file_path>
+        <key_file_path desc="Path to the key file" relative="false">{{ code_ssl_key }}</key_file_path>
+        <ca_file_path desc="Path to the ca file" relative="false">{{ code_ssl_ca }}</ca_file_path>
        <cipher_list desc="List of OpenSSL ciphers to accept" default="ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"></cipher_list>
        <hpkp desc="Enable HTTP Public key pinning" enable="false" report_only="false">
            <max_age desc="HPKP's max-age directive - time in seconds browser should remember the pins" enable="true">1000</max_age>
--- a/nextcloud/ansible/files/nextcloud_nginx.conf.j2
+++ b/nextcloud/ansible/files/nextcloud_nginx.conf.j2
@ -62,6 +62,58 @@ server {
    # Path to the root of your installation
    root {{ nextcloud_path }};

+    ###########################################################################
+    #                                                                         #
+    #                                                                         #
+    #   C O L L A B O R A  C O N F I G                                        #
+    #                                                                         #
+    #   https://www.collaboraoffice.com/code/nginx-reverse-proxy/             #
+    #                                                                         #
+    ###########################################################################
+
+
+    # static files
+    location ^~ /loleaflet {
+        proxy_pass http://localhost:9980;
+        proxy_set_header Host $http_host;
+    }
+
+    # WOPI discovery URL
+    location ^~ /hosting/discovery {
+        proxy_pass http://localhost:9980;
+        proxy_set_header Host $http_host;
+    }
+
+    # Capabilities
+    location ^~ /hosting/capabilities {
+        proxy_pass http://localhost:9980;
+        proxy_set_header Host $http_host;
+    }
+
+    # main websocket
+    location ~ ^/lool/(.*)/ws$ {
+        proxy_pass http://localhost:9980;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        proxy_set_header Host $http_host;
+        proxy_read_timeout 36000s;
+    }
+
+    # download, presentation and image upload
+    location ~ ^/lool {
+        proxy_pass http://localhost:9980;
+        proxy_set_header Host $http_host;
+    }
+
+    # Admin Console websocket
+    location ^~ /lool/adminws {
+        proxy_pass http://localhost:9980;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        proxy_set_header Host $http_host;
+        proxy_read_timeout 36000s;
+    }
+
    # Specify how to handle directories -- specifying `/index.php$request_uri`
    # here as the fallback means that Nginx always exhibits the desired behaviour
    # when a client requests a path that corresponds to a directory that exists
@ -162,61 +214,5 @@ server {
    location / {
        try_files $uri $uri/ /index.php$request_uri;
    }
-
-
-
-
-    ###########################################################################
-    #                                                                         #
-    #                                                                         #
-    #   C O L L A B O R A  C O N F I G                                        #
-    #                                                                         #
-    #   https://www.collaboraoffice.com/code/nginx-reverse-proxy/             #
-    #                                                                         #
-    ###########################################################################
-
-
-    # static files
-    location ^~ /loleaflet {
-        proxy_pass http://localhost:9980;
-        proxy_set_header Host $http_host;
-    }
-
-    # WOPI discovery URL
-    location ^~ /hosting/discovery {
-        proxy_pass http://localhost:9980;
-        proxy_set_header Host $http_host;
-    }
-
-    # Capabilities
-    location ^~ /hosting/capabilities {
-        proxy_pass http://localhost:9980;
-        proxy_set_header Host $http_host;
-    }
-
-    # main websocket
-    location ~ ^/lool/(.*)/ws$ {
-        proxy_pass http://localhost:9980;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "Upgrade";
-        proxy_set_header Host $http_host;
-        proxy_read_timeout 36000s;
-    }
-
-    # download, presentation and image upload
-    location ~ ^/lool {
-        proxy_pass http://localhost:9980;
-        proxy_set_header Host $http_host;
-    }
-
-    # Admin Console websocket
-    location ^~ /lool/adminws {
-        proxy_pass http://localhost:9980;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "Upgrade";
-        proxy_set_header Host $http_host;
-        proxy_read_timeout 36000s;
-    }
-
 }

--- a/nextcloud/ansible/nextcloud_appliance.yaml
+++ b/nextcloud/ansible/nextcloud_appliance.yaml
@ -37,6 +37,11 @@
    nginx_ssl_key_file: "/etc/ssl/nginx/self_signed.key" 
    nginx_ssl_csr_file: "/etc/ssl/nginx/self_signed.csr"
    #nextcloud_domain: "cloud.example.com"
+    code_enable_ssl: false
+    code_enable_ssl_termination: true
+    code_ssl_key: ""
+    code_ssl_cert: ""
+    code_ssl_ca: ""

  pre_tasks:

@ -47,19 +52,28 @@

  - name: Create nextcloud custom facts
    copy:
-      dest: /etc/ansible/facts.d/is_nextcloud_installed.fact
+      dest: /etc/ansible/facts.d/nextcloud.fact
      mode: 0775
      force: yes
      content: |
        #!/usr/bin/bash 
+          FACTS=''
          INSTALLED=$(sudo -u www-data /usr/bin/php /var/www/html/occ status | grep installed | cut -d':' -f 2 | sed 's/ //')
          if [[ "${INSTALLED}" == "true" ]]; then
-            echo "true"
+            FACTS="{\"is_installed\": true"
          else
-            echo "false"
+            FACTS="{\"is_installed\": false"
          fi
+          CODE_INSTALLED=$(sudo -u www-data /usr/bin/php /var/www/html/occ app:list | grep richdocuments)
+           if [[ "${CODE_INSTALLED}" == *"richdocumentscode"* ]]; then
+            FACTS="${FACTS},\n\"is_code_installed\": true}"
+          else
+            FACTS="${FACTS},\n\"is_code_installed\": false}"
+          fi
+          echo -e "${FACTS}"
    tags:
      - check_facts
+
  - name: Reload facts
    setup:
    tags:
@ -87,6 +101,7 @@
      action: package name={{item}} state=present
      with_items:
         - nginx
+         - sudo
         - php-fpm
         - postgresql
         - postgresql-server
@ -154,6 +169,7 @@
      with_items:
         - dirmngr
         - nginx
+         - sudo
         - php-fpm
         - postgresql-all
         - python3-psycopg2
@ -180,6 +196,24 @@
         - php-redis
         - python3-openssl

+    - name: Get php version
+      shell: "php -v | grep built | cut -d '.' -f 1,2 | sed 's/PHP //'"
+      register: php_version
+      tags:
+        - php_ver
+
+    - name: Update the php_ini_path variable
+      set_fact:
+        php_ini_path: "/etc/php/{{ php_version.stdout }}/fpm"
+
+    - name: Update the php_pool_path variable
+      set_fact:
+        php_pool_path: "/etc/php/{{ php_version.stdout }}/fpm/pool.d"
+
+    - name: Update the php_fpm_service variable
+      set_fact:
+        php_fpm_service: "php{{ php_version.stdout }}-fpm"
+
    - name: Add Collabora apt key by id from keyserver for Debian 10
      ansible.builtin.apt_key:
        #keyserver: keyserver.ubuntu.com
@ -217,8 +251,8 @@
  
  - name: Configure Nginx Nextcloud pool
    template: src=files/nextcloud_nginx.conf.j2 dest="{{ nginx_path }}/nextcloud_nginx.conf"
-
-
+    tags:
+      - notify_push

  - name: Configure PHP
    template: src=files/php.ini.j2 dest="{{ php_ini_path }}/php.ini"
@ -244,7 +278,7 @@
      extra_opts:
        - --strip-components=1
    when:
-      ansible_local['is_nextcloud_installed'] != true
+      ansible_local['nextcloud']['is_installed'] != true

  - name: Create nginx ssl directory
    file:
@ -282,6 +316,8 @@
      name: nginx
      enabled: yes
      state: restarted
+    tags:
+      - notify_push

  - name: Enable php-fpm service
    systemd:
@ -364,7 +400,7 @@
    become_user: "{{ web_user }}"

    when:
-      ansible_local['is_nextcloud_installed'] != true
+      ansible_local['nextcloud']['is_installed'] != true

  - name: Configure Nextcloud Redis
    ansible.builtin.shell:
@ -387,7 +423,32 @@
    become: true
    become_user: "{{ web_user }}"

+  - name: Configure localhost as trusted proxy
+    ansible.builtin.shell:
+      cmd: /usr/bin/php "{{ nextcloud_occ }}" config:system:set trusted_proxies 0 --value=127.0.0.1
+      chdir: "{{ document_root }}"
+    become: true
+    become_user: "{{ web_user }}"
+    tags:
+      - notify_push

+  - name: "configure {{ nextcloud_domain }}  as trusted proxy"
+    ansible.builtin.shell:
+      cmd: /usr/bin/php "{{ nextcloud_occ }}" config:system:set trusted_proxies 1 --value={{ nextcloud_domain_name}}
+      chdir: "{{ document_root }}"
+    become: true
+    become_user: "{{ web_user }}"
+    tags:
+      - notify_push
+
+  - name: "configure ::1  as trusted proxy"
+    ansible.builtin.shell:
+      cmd: /usr/bin/php "{{ nextcloud_occ }}" config:system:set trusted_proxies 2 --value=::1
+      chdir: "{{ document_root }}"
+    become: true
+    become_user: "{{ web_user }}"
+    tags:
+      - notify_push

  - name: Enable Nextcloud High Performance Backend
    ansible.builtin.shell:
@ -411,20 +472,43 @@
    become_user: "{{ web_user }}"
    tags:
      - redis
+      - notify_push

  - name: Copy collabora configuration files
    template: src=files/loolwsd.xml.j2 dest=/etc/loolwsd/loolwsd.xml

+  - name: Enable Libre Office Web services
+    systemd:
+      name: loolwsd
+      enabled: yes
+      state: restarted
+    tags:
+      - nextcloud_collabora
+
  - name: Install Collabora Office nextcloud app
    ansible.builtin.shell:
-      cmd: /usr/bin/php "{{ nextcloud_occ }}" onfig:app:set --value "https://{{ nextcloud_domain_name }} richdocuments wopi_url"
+      cmd: /usr/bin/php "{{ nextcloud_occ }}" app:install richdocuments
      chdir: "{{ document_root }}"
    become: true
    become_user: "{{ web_user }}"
    tags:
      - nextcloud_collabora
+    when:
+      ansible_local['nextcloud']['is_code_installed'] != true

  - name: Configure Collabora Office nextcloud app
+    ansible.builtin.shell:
+      cmd: /usr/bin/php "{{ nextcloud_occ }}" config:app:set --value "https://{{nextcloud_domain_name}}" richdocuments wopi_url
+      chdir: "{{ document_root }}"
+    become: true
+    become_user: "{{ web_user }}"
+    tags:
+      - nextcloud_collabora
+    when:
+      ansible_local['nextcloud']['is_code_installed'] == true
+
+
+  - name: Activate Collabora Office nextcloud app
    ansible.builtin.shell:
      cmd: /usr/bin/php "{{ nextcloud_occ }}" richdocuments:activate-config
      chdir: "{{ document_root }}"
@ -432,10 +516,18 @@
    become_user: "{{ web_user }}"
    tags:
      - nextcloud_collabora
+    when:
+      ansible_local['nextcloud']['is_code_installed'] == true
+
+  - name: Allow local remote servers for nextcloud
+    ansible.builtin.shell:
+      cmd: /usr/bin/php "{{ nextcloud_occ }}" config:system:set allow_local_remote_servers --value true --type bool
+      chdir: "{{ document_root }}"
+    become: true
+    become_user: "{{ web_user }}"
+    tags:
+      - nextcloud_collabora
+    when:
+      ansible_local['nextcloud']['is_code_installed'] == true

-  - name: Enable Libre Office Web services
-    systemd:
-      name: loolwsd
-      enabled: yes
-      state: restarted