Updated Nextcloud + collabora + notify_push
* Idempotent
* Parametrized SSL settings for:
  * nginx
  * collabora
  * redis
This commit is contained in:
parent
386717a312
commit
fd502fb289
4 changed files with 171 additions and 74 deletions
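--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,9 @@
+# miscellaneous junk
+*~
+.DS_Store
+.idea
+.project
+.vscode
+
+# editor swap files
+.*.sw?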
|
@ -114,11 +114,11 @@
|
|||
</net>
|
||||
|
||||
<ssl desc="SSL settings">
|
||||
<enable type="bool" desc="Controls whether SSL encryption between browser and loolwsd is enabled (do not disable for production deployment). If default is false, must first be compiled with SSL support to enable." default="true">true</enable>
|
||||
<termination desc="Connection via proxy where loolwsd acts as working via https, but actually uses http." type="bool" default="true">false</termination>
|
||||
<cert_file_path desc="Path to the cert file" relative="false">/etc/loolwsd/cert.pem</cert_file_path>
|
||||
<key_file_path desc="Path to the key file" relative="false">/etc/loolwsd/key.pem</key_file_path>
|
||||
<ca_file_path desc="Path to the ca file" relative="false">/etc/loolwsd/ca-chain.cert.pem</ca_file_path>
|
||||
<enable type="bool" desc="Controls whether SSL encryption between browser and loolwsd is enabled (do not disable for production deployment). If default is false, must first be compiled with SSL support to enable." default="true">{{ code_enable_ssl }}</enable>
|
||||
<termination desc="Connection via proxy where loolwsd acts as working via https, but actually uses http." type="bool" default="true">{{ code_enable_ssl_termination }}</termination>
|
||||
<cert_file_path desc="Path to the cert file" relative="false">{{ code_ssl_cert }}</cert_file_path>
|
||||
<key_file_path desc="Path to the key file" relative="false">{{ code_ssl_key }}</key_file_path>
|
||||
<ca_file_path desc="Path to the ca file" relative="false">{{ code_ssl_ca }}</ca_file_path>
|
||||
<cipher_list desc="List of OpenSSL ciphers to accept" default="ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"></cipher_list>
|
||||
<hpkp desc="Enable HTTP Public key pinning" enable="false" report_only="false">
|
||||
<max_age desc="HPKP's max-age directive - time in seconds browser should remember the pins" enable="true">1000</max_age>
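Review bot: `{{ code_enable_ssl }}` and `{{ code_enable_ssl_termination }}` are YAML booleans in the playbook, so Jinja renders them as `True`/`False`; loolwsd's config parser may well accept that case-insensitively, but writing `{{ code_enable_ssl | lower }}` (and the same for termination) emits the literal `true`/`false` the element's `default` attribute uses and removes the dependency on parser leniency. With the playbook defaults (`code_enable_ssl: false`, `code_enable_ssl_termination: true`) loolwsd now serves plain HTTP on port 9980 behind nginx, so the `<net>` listen address closed just above this hunk must bind loopback only or 9980 must be firewalled, otherwise WOPI document traffic is reachable unencrypted from other hosts — that setting is outside the hunk, so verify it. When `code_enable_ssl` is set to true the three path variables still default to empty strings and loolwsd will fail to start; an `assert` task in the playbook (`that: code_ssl_cert | length > 0` and the key/CA equivalents, `when: code_enable_ssl`) fails early with a readable message instead.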
|
||||
|
|
|
@ -62,6 +62,58 @@ server {
|
|||
# Path to the root of your installation
|
||||
root {{ nextcloud_path }};
|
||||
|
||||
###########################################################################
|
||||
# #
|
||||
# #
|
||||
# C O L L A B O R A C O N F I G #
|
||||
# #
|
||||
# https://www.collaboraoffice.com/code/nginx-reverse-proxy/ #
|
||||
# #
|
||||
###########################################################################
|
||||
|
||||
|
||||
# static files
|
||||
location ^~ /loleaflet {
|
||||
proxy_pass http://localhost:9980;
|
||||
proxy_set_header Host $http_host;
|
||||
}
|
||||
|
||||
# WOPI discovery URL
|
||||
location ^~ /hosting/discovery {
|
||||
proxy_pass http://localhost:9980;
|
||||
proxy_set_header Host $http_host;
|
||||
}
|
||||
|
||||
# Capabilities
|
||||
location ^~ /hosting/capabilities {
|
||||
proxy_pass http://localhost:9980;
|
||||
proxy_set_header Host $http_host;
|
||||
}
|
||||
|
||||
# main websocket
|
||||
location ~ ^/lool/(.*)/ws$ {
|
||||
proxy_pass http://localhost:9980;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "Upgrade";
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_read_timeout 36000s;
|
||||
}
|
||||
|
||||
# download, presentation and image upload
|
||||
location ~ ^/lool {
|
||||
proxy_pass http://localhost:9980;
|
||||
proxy_set_header Host $http_host;
|
||||
}
|
||||
|
||||
# Admin Console websocket
|
||||
location ^~ /lool/adminws {
|
||||
proxy_pass http://localhost:9980;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "Upgrade";
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_read_timeout 36000s;
|
||||
}
|
||||
|
||||
# Specify how to handle directories -- specifying `/index.php$request_uri`
|
||||
# here as the fallback means that Nginx always exhibits the desired behaviour
|
||||
# when a client requests a path that corresponds to a directory that exists
|
||||
|
@ -162,61 +214,5 @@ server {
|
|||
location / {
|
||||
try_files $uri $uri/ /index.php$request_uri;
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
###########################################################################
|
||||
# #
|
||||
# #
|
||||
# C O L L A B O R A C O N F I G #
|
||||
# #
|
||||
# https://www.collaboraoffice.com/code/nginx-reverse-proxy/ #
|
||||
# #
|
||||
###########################################################################
|
||||
|
||||
|
||||
# static files
|
||||
location ^~ /loleaflet {
|
||||
proxy_pass http://localhost:9980;
|
||||
proxy_set_header Host $http_host;
|
||||
}
|
||||
|
||||
# WOPI discovery URL
|
||||
location ^~ /hosting/discovery {
|
||||
proxy_pass http://localhost:9980;
|
||||
proxy_set_header Host $http_host;
|
||||
}
|
||||
|
||||
# Capabilities
|
||||
location ^~ /hosting/capabilities {
|
||||
proxy_pass http://localhost:9980;
|
||||
proxy_set_header Host $http_host;
|
||||
}
|
||||
|
||||
# main websocket
|
||||
location ~ ^/lool/(.*)/ws$ {
|
||||
proxy_pass http://localhost:9980;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "Upgrade";
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_read_timeout 36000s;
|
||||
}
|
||||
|
||||
# download, presentation and image upload
|
||||
location ~ ^/lool {
|
||||
proxy_pass http://localhost:9980;
|
||||
proxy_set_header Host $http_host;
|
||||
}
|
||||
|
||||
# Admin Console websocket
|
||||
location ^~ /lool/adminws {
|
||||
proxy_pass http://localhost:9980;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "Upgrade";
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_read_timeout 36000s;
|
||||
}
|
||||
|
||||
}
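Review bot: The `location ^~ /lool/adminws` block proxies the Collabora admin-console websocket on the public vhost with no access restriction, so it is guarded only by whatever admin credentials loolwsd.xml carries, which this diff does not show. Unless the console is needed remotely, add `allow 127.0.0.1;` and `deny all;` inside that block (or drop the block) so the admin socket is not reachable by every client that can reach the site; `^~` already wins over the `~ ^/lool` regex, so the restriction takes effect. The blocks added here are the same text as the ones removed in the second hunk, and `proxy_pass http://localhost:9980` only stays safe while the playbook keeps loolwsd on plain HTTP bound to loopback. The enclosing `server {` block begins before and ends after this hunk.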
|
||||
|
||||
|
|
|
@ -37,6 +37,11 @@
|
|||
nginx_ssl_key_file: "/etc/ssl/nginx/self_signed.key"
|
||||
nginx_ssl_csr_file: "/etc/ssl/nginx/self_signed.csr"
|
||||
#nextcloud_domain: "cloud.example.com"
|
||||
code_enable_ssl: false
|
||||
code_enable_ssl_termination: true
|
||||
code_ssl_key: ""
|
||||
code_ssl_cert: ""
|
||||
code_ssl_ca: ""
|
||||
|
||||
pre_tasks:
|
||||
|
||||
|
@ -47,19 +52,28 @@
|
|||
|
||||
- name: Create nextcloud custom facts
|
||||
copy:
|
||||
dest: /etc/ansible/facts.d/is_nextcloud_installed.fact
|
||||
dest: /etc/ansible/facts.d/nextcloud.fact
|
||||
mode: 0775
|
||||
force: yes
|
||||
content: |
|
||||
#!/usr/bin/bash
|
||||
FACTS=''
|
||||
INSTALLED=$(sudo -u www-data /usr/bin/php /var/www/html/occ status | grep installed | cut -d':' -f 2 | sed 's/ //')
|
||||
if [[ "${INSTALLED}" == "true" ]]; then
|
||||
echo "true"
|
||||
FACTS="{\"is_installed\": true"
|
||||
else
|
||||
echo "false"
|
||||
FACTS="{\"is_installed\": false"
|
||||
fi
|
||||
CODE_INSTALLED=$(sudo -u www-data /usr/bin/php /var/www/html/occ app:list | grep richdocuments)
|
||||
if [[ "${CODE_INSTALLED}" == *"richdocumentscode"* ]]; then
|
||||
FACTS="${FACTS},\n\"is_code_installed\": true}"
|
||||
else
|
||||
FACTS="${FACTS},\n\"is_code_installed\": false}"
|
||||
fi
|
||||
echo -e "${FACTS}"
|
||||
tags:
|
||||
- check_facts
|
||||
|
||||
- name: Reload facts
|
||||
setup:
|
||||
tags:
|
||||
|
@ -87,6 +101,7 @@
|
|||
action: package name={{item}} state=present
|
||||
with_items:
|
||||
- nginx
|
||||
- sudo
|
||||
- php-fpm
|
||||
- postgresql
|
||||
- postgresql-server
|
||||
|
@ -154,6 +169,7 @@
|
|||
with_items:
|
||||
- dirmngr
|
||||
- nginx
|
||||
- sudo
|
||||
- php-fpm
|
||||
- postgresql-all
|
||||
- python3-psycopg2
|
||||
|
@ -180,6 +196,24 @@
|
|||
- php-redis
|
||||
- python3-openssl
|
||||
|
||||
- name: Get php version
|
||||
shell: "php -v | grep built | cut -d '.' -f 1,2 | sed 's/PHP //'"
|
||||
register: php_version
|
||||
tags:
|
||||
- php_ver
|
||||
|
||||
- name: Update the php_ini_path variable
|
||||
set_fact:
|
||||
php_ini_path: "/etc/php/{{ php_version.stdout }}/fpm"
|
||||
|
||||
- name: Update the php_pool_path variable
|
||||
set_fact:
|
||||
php_pool_path: "/etc/php/{{ php_version.stdout }}/fpm/pool.d"
|
||||
|
||||
- name: Update the php_fpm_service variable
|
||||
set_fact:
|
||||
php_fpm_service: "php{{ php_version.stdout }}-fpm"
|
||||
|
||||
- name: Add Collabora apt key by id from keyserver for Debian 10
|
||||
ansible.builtin.apt_key:
|
||||
#keyserver: keyserver.ubuntu.com
|
||||
|
@ -217,8 +251,8 @@
|
|||
|
||||
- name: Configure Nginx Nextcloud pool
|
||||
template: src=files/nextcloud_nginx.conf.j2 dest="{{ nginx_path }}/nextcloud_nginx.conf"
|
||||
|
||||
|
||||
tags:
|
||||
- notify_push
|
||||
|
||||
- name: Configure PHP
|
||||
template: src=files/php.ini.j2 dest="{{ php_ini_path }}/php.ini"
|
||||
|
@ -244,7 +278,7 @@
|
|||
extra_opts:
|
||||
- --strip-components=1
|
||||
when:
|
||||
ansible_local['is_nextcloud_installed'] != true
|
||||
ansible_local['nextcloud']['is_installed'] != true
|
||||
|
||||
- name: Create nginx ssl directory
|
||||
file:
|
||||
|
@ -282,6 +316,8 @@
|
|||
name: nginx
|
||||
enabled: yes
|
||||
state: restarted
|
||||
tags:
|
||||
- notify_push
|
||||
|
||||
- name: Enable php-fpm service
|
||||
systemd:
|
||||
|
@ -364,7 +400,7 @@
|
|||
become_user: "{{ web_user }}"
|
||||
|
||||
when:
|
||||
ansible_local['is_nextcloud_installed'] != true
|
||||
ansible_local['nextcloud']['is_installed'] != true
|
||||
|
||||
- name: Configure Nextcloud Redis
|
||||
ansible.builtin.shell:
|
||||
|
@ -387,7 +423,32 @@
|
|||
become: true
|
||||
become_user: "{{ web_user }}"
|
||||
|
||||
- name: Configure localhost as trusted proxy
|
||||
ansible.builtin.shell:
|
||||
cmd: /usr/bin/php "{{ nextcloud_occ }}" config:system:set trusted_proxies 0 --value=127.0.0.1
|
||||
chdir: "{{ document_root }}"
|
||||
become: true
|
||||
become_user: "{{ web_user }}"
|
||||
tags:
|
||||
- notify_push
|
||||
|
||||
- name: "configure {{ nextcloud_domain }} as trusted proxy"
|
||||
ansible.builtin.shell:
|
||||
cmd: /usr/bin/php "{{ nextcloud_occ }}" config:system:set trusted_proxies 1 --value={{ nextcloud_domain_name}}
|
||||
chdir: "{{ document_root }}"
|
||||
become: true
|
||||
become_user: "{{ web_user }}"
|
||||
tags:
|
||||
- notify_push
|
||||
|
||||
- name: "configure ::1 as trusted proxy"
|
||||
ansible.builtin.shell:
|
||||
cmd: /usr/bin/php "{{ nextcloud_occ }}" config:system:set trusted_proxies 2 --value=::1
|
||||
chdir: "{{ document_root }}"
|
||||
become: true
|
||||
become_user: "{{ web_user }}"
|
||||
tags:
|
||||
- notify_push
|
||||
|
||||
- name: Enable Nextcloud High Performance Backend
|
||||
ansible.builtin.shell:
|
||||
|
@ -411,20 +472,43 @@
|
|||
become_user: "{{ web_user }}"
|
||||
tags:
|
||||
- redis
|
||||
- notify_push
|
||||
|
||||
- name: Copy collabora configuration files
|
||||
template: src=files/loolwsd.xml.j2 dest=/etc/loolwsd/loolwsd.xml
|
||||
|
||||
- name: Enable Libre Office Web services
|
||||
systemd:
|
||||
name: loolwsd
|
||||
enabled: yes
|
||||
state: restarted
|
||||
tags:
|
||||
- nextcloud_collabora
|
||||
|
||||
- name: Install Collabora Office nextcloud app
|
||||
ansible.builtin.shell:
|
||||
cmd: /usr/bin/php "{{ nextcloud_occ }}" onfig:app:set --value "https://{{ nextcloud_domain_name }} richdocuments wopi_url"
|
||||
cmd: /usr/bin/php "{{ nextcloud_occ }}" app:install richdocuments
|
||||
chdir: "{{ document_root }}"
|
||||
become: true
|
||||
become_user: "{{ web_user }}"
|
||||
tags:
|
||||
- nextcloud_collabora
|
||||
when:
|
||||
ansible_local['nextcloud']['is_code_installed'] != true
|
||||
|
||||
- name: Configure Collabora Office nextcloud app
|
||||
ansible.builtin.shell:
|
||||
cmd: /usr/bin/php "{{ nextcloud_occ }}" config:app:set --value "https://{{nextcloud_domain_name}}" richdocuments wopi_url
|
||||
chdir: "{{ document_root }}"
|
||||
become: true
|
||||
become_user: "{{ web_user }}"
|
||||
tags:
|
||||
- nextcloud_collabora
|
||||
when:
|
||||
ansible_local['nextcloud']['is_code_installed'] == true
|
||||
|
||||
|
||||
- name: Activate Collabora Office nextcloud app
|
||||
ansible.builtin.shell:
|
||||
cmd: /usr/bin/php "{{ nextcloud_occ }}" richdocuments:activate-config
|
||||
chdir: "{{ document_root }}"
|
||||
|
@ -432,10 +516,18 @@
|
|||
become_user: "{{ web_user }}"
|
||||
tags:
|
||||
- nextcloud_collabora
|
||||
when:
|
||||
ansible_local['nextcloud']['is_code_installed'] == true
|
||||
|
||||
- name: Allow local remote servers for nextcloud
|
||||
ansible.builtin.shell:
|
||||
cmd: /usr/bin/php "{{ nextcloud_occ }}" config:system:set allow_local_remote_servers --value true --type bool
|
||||
chdir: "{{ document_root }}"
|
||||
become: true
|
||||
become_user: "{{ web_user }}"
|
||||
tags:
|
||||
- nextcloud_collabora
|
||||
when:
|
||||
ansible_local['nextcloud']['is_code_installed'] == true
|
||||
|
||||
- name: Enable Libre Office Web services
|
||||
systemd:
|
||||
name: loolwsd
|
||||
enabled: yes
|
||||
state: restarted
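Review bot: In the trusted-proxies hunk, `config:system:set trusted_proxies 1 --value={{ nextcloud_domain_name}}` stores a hostname, but Nextcloud documents `trusted_proxies` entries as IP addresses or CIDR ranges matched against the connecting address, so that entry never matches and only the loopback entries do any work; the task's `name` also uses `nextcloud_domain`, whose only definition above is the commented-out `#nextcloud_domain:` line, while the value uses `nextcloud_domain_name`. Drop that task and make `::1` the second entry: `cmd: /usr/bin/php "{{ nextcloud_occ }}" config:system:set trusted_proxies 1 --value=::1`. The new `allow_local_remote_servers` task switches off Nextcloud's SSRF guard for every outbound request (federation, external storage, app fetches), not just the WOPI callback, so it deserves a comment stating why it is needed here, for example `# richdocuments must reach the WOPI host {{ nextcloud_domain_name }}, which resolves to this machine; this disables the local-address check for all outbound requests`. In the fact script, the new `app:list` line copies the hard-coded `/var/www/html/occ` and `www-data` although the tasks use `{{ nextcloud_occ }}` and `{{ web_user }}`; `content:` is templated, so the variables work there too, and a script root executes during fact gathering should be `mode: 0755` rather than group-writable `0775`. Note also that `is_code_installed` is gathered before `app:install richdocuments` runs and is not refreshed, so on the first run the configure and activate tasks guarded by `== true` are skipped until the next run; re-running `setup` with `filter: ansible_local` after the install, or dropping the `when` on the idempotent `config:app:set`, fixes that.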
|
||||
|
||||
|
|