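---
# Single-host Nextcloud deployment: nginx + php-fpm + PostgreSQL + Redis,
# Collabora Online (CODE) and the notify_push high-performance backend.
# Distro-specific paths, users and service names are derived from
# ansible_distribution_file_variety ('RedHat' vs 'Debian').
- hosts: all
  vars:
    nextcloud_path: "{{ '/usr/share/nginx/html' if ansible_distribution_file_variety == 'RedHat' else '/var/www/html' }}"
    nextcloud_occ: "{{ nextcloud_path }}/occ"
    nginx_path: "{{ '/etc/nginx/conf.d' if ansible_distribution_file_variety == 'RedHat' else '/etc/nginx/sites-enabled' }}"
    # The Debian defaults below assume PHP 7.3 / PostgreSQL 13. The Debian task
    # block later replaces php_ini_path, php_pool_path, php_fpm_service and
    # pg_hba_conf with the versions actually installed on the host.
    php_ini_path: "{{ '/etc' if ansible_distribution_file_variety == 'RedHat' else '/etc/php/7.3/fpm' }}"
    php_pool_path: "{{ '/etc/php-fpm.d' if ansible_distribution_file_variety == 'RedHat' else '/etc/php/7.3/fpm/pool.d' }}"
    php_fpm_service: "{{ 'php-fpm' if ansible_distribution_file_variety == 'RedHat' else 'php7.3-fpm' }}"
    document_root: "{{ '/usr/share/nginx/html' if ansible_distribution_file_variety == 'RedHat' else '/var/www/html' }}"
    web_user: "{{ 'nginx' if ansible_distribution_file_variety == 'RedHat' else 'www-data' }}"
    pg_hba_conf: "{{ '/var/lib/pgsql/data/pg_hba.conf' if ansible_distribution_file_variety == 'RedHat' else '/etc/postgresql/13/main/pg_hba.conf' }}"
    redis_dir: "{{ '/etc' if ansible_distribution_file_variety == 'RedHat' else '/etc/redis' }}"
    redis_user: "nextcloud"
    redis_url: "https://127.0.0.1"
    # SECURITY: the credentials below are stored in clear text in the playbook.
    # Keep them in an ansible-vault encrypted vars file (or inject them from a
    # secret store at run time) and rotate them before any non-lab use.
    redis_password: "2XenoNNBtLJqrELTfmCLum/42Guz72Ym0RPMxXh5+pT"
    nextcloud_version: "22.1.0"
    # Pinned release checksum; get_url rejects a tarball that does not match it.
    nextcloud_checksum: "sha256:4820808f799146853604e1fa27d7f292449018a44dc73bf928a97b02028318ba"
    nextcloud_database: "nextcloud"
    nextcloud_database_user: "nextcloud"
    nextcloud_database_user_password: "nVdUe6%Ua9c,Rd.8BVugPHPm2yqUSXWCAy%1GXOQGn8tg9F?k%R"
    nextcloud_admin_user: "nextcloud_admin"
    nextcloud_admin_password: "prueba123"
    #nextcloud_domain_name: "{{ ansible_default_ipv4.address }}"
    nextcloud_domain_name: "nextcloud"
    # The only way to make notify_push work without a signed cert is to use plain http
    notify_push_nextcloud_url: "http://localhost"
    key_size: 4096
    key_type: "RSA"  # Others include DSA, ECC, Ed25519, Ed448, X25519, X448
    country_name: "MX"
    email_address: "ssl@{{ nextcloud_domain_name }}"
    organization_name: "AnsibleNextcloud"
    #server_hostname: "{{ ansible_hostname }}"
    server_hostname: "{{ nextcloud_domain_name }}"
    redis_cert_private_key: "/etc/pki/tls/private/redis-cert-private-key.pem"
    redis_cert: "/etc/pki/tls/certs/redis-self-cert.crt"
    redis_csr: "/etc/pki/tls/certs/redis-self.csr"
    generate_self_signed_cert: true
    # Private key material goes under private/; the certificate and CSR, which
    # are public, go under certs/. Keeping the key out of certs/ avoids leaving
    # it next to world-readable files.
    nginx_ssl_cert_file: "/etc/pki/tls/certs/nginx-self-signed.crt"
    nginx_ssl_key_file: "/etc/pki/tls/private/nginx-self-signed.key"
    nginx_ssl_csr_file: "/etc/pki/tls/certs/nginx-self-signed.csr"
    #nextcloud_domain: "cloud.example.com"
    code_enable_ssl: false
    code_enable_ssl_termination: true
    code_ssl_key: ""
    code_ssl_cert: ""
    code_ssl_ca: ""

  pre_tasks:
    - name: Update the /etc/hosts file with node host name
      tags: etchostsupdate
      become: true
      become_user: root
      lineinfile:
        path: "/etc/hosts"
        regexp: ".*\t{{ ansible_hostname }}"
        # SSH_CONNECTION's third field is the address the controller reached
        # this host on, so the hostname resolves to a reachable interface.
        line: "{{ ansible_env.SSH_CONNECTION.split(' ')[2] }}\t{{ ansible_hostname }}"
        state: present
        backup: true
      register: etchostsupdate

    - name: Update the /etc/hosts file with node domain name
      tags: etchostsupdate_domain
      become: true
      become_user: root
      lineinfile:
        path: "/etc/hosts"
        line: "{{ ansible_env.SSH_CONNECTION.split(' ')[2] }}\t{{ nextcloud_domain_name }}"
        state: present
        backup: true

    - name: Create fact directory
      file:
        path: /etc/ansible/facts.d/
        state: directory

    # Local fact script reporting whether Nextcloud (and the richdocuments app)
    # is installed. `content` is templated on copy, so the web user and occ
    # path follow the distro-specific vars rather than the Debian defaults.
    - name: Create nextcloud custom facts
      copy:
        dest: /etc/ansible/facts.d/nextcloud.fact
        mode: "0775"
        force: true
        content: |
          #!/usr/bin/bash
          FACTS=''
          INSTALLED=$(sudo -u {{ web_user }} /usr/bin/php {{ nextcloud_occ }} status | grep installed | cut -d':' -f 2 | sed 's/ //')
          if [[ "${INSTALLED}" == "true" ]]; then
            FACTS="{\"is_installed\": true"
            CODE_INSTALLED=$(sudo -u {{ web_user }} /usr/bin/php {{ nextcloud_occ }} app:list | grep richdocuments)
            if [[ "${CODE_INSTALLED}" == *"richdocuments"* ]]; then
              FACTS="${FACTS},\n\"is_code_installed\": true}"
            else
              FACTS="${FACTS},\n\"is_code_installed\": false}"
            fi
          else
            FACTS="{\"is_installed\": false"
            FACTS="${FACTS},\n\"is_code_installed\": false}"
          fi
          echo -e "${FACTS}"
      tags:
        - check_facts

    - name: Check if nextcloud is unpacked
      stat:
        path: "{{ nextcloud_path }}/config/config.sample.php"
      register: nextcloud_is_unpacked

    # Re-run fact gathering so ansible_local['nextcloud'] reflects the script above.
    - name: Reload facts
      setup:
      tags:
        - check_facts

    - name: Include a play after another play
      include: redhat_pre_tasks.yaml
      when: ansible_distribution_file_variety == 'RedHat'

  tasks:
    - name: Display local facts
      debug:
        var: ansible_local
      tags:
        - check_facts

    # System setup
    - name: sysctl -w net.core.somaxconn=65535
      sysctl:
        name: net.core.somaxconn
        value: "65535"
        state: present
        reload: true
        sysctl_file: /etc/sysctl.conf

    - name: Red Hat Distros Tasks
      when: ansible_distribution_file_variety == 'RedHat'
      block:
        - name: Install System Packages
          package:
            name: "{{ item }}"
            state: present
          loop:
            - nginx
            - sudo
            - php-fpm
            - postgresql
            - postgresql-server
            - python3-psycopg2
            - redis
            - php-pgsql
            - php-cli
            - php-curl
            - php-dom
            - php-exif
            - php-fileinfo
            - php-gd
            - php-iconv
            - php-json
            - php-ldap
            - php-mbstring
            - php-openssl
            - php-pcre
            - php-pdo
            - php-session
            - php-simplexml
            - php-xmlwriter
            - php-spl
            - php-zip
            - php-filter
            - php-smbclient
            - php-imap
            - php-gmp
            - php-process
            - php-pecl-imagick
            - php-pecl-memcached
            - php-pecl-apcu
            - php-pecl-redis
            - python3-pyOpenSSL

        - name: Import Collabora key
          ansible.builtin.rpm_key:
            state: present
            key: https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-centos8/repodata/repomd.xml.key

        - name: Add Collabora repository for Red Hat distros
          yum_repository:
            name: CollaboraOnline
            description: Collabora Online
            baseurl: https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-centos8
            # Verify packages against the key imported above rather than relying
            # on the repo default for signature checking.
            gpgcheck: true
            gpgkey: https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-centos8/repodata/repomd.xml.key

        - name: Install Collabora Online Packages
          package:
            name: "{{ item }}"
            state: present
          loop:
            - loolwsd
            - CODE-brand

        # PG_VERSION is only written by initdb. Testing the data directory alone
        # is not reliable, because the directory may already exist (empty) before
        # the cluster has been initialised.
        - name: Check whether the PostgreSQL cluster has been initialised
          ansible.builtin.stat:
            path: "/var/lib/pgsql/data/PG_VERSION"
          register: pgsql_data_dir

        - name: Initialize postgres database
          ansible.builtin.command:
            cmd: /usr/bin/postgresql-setup --initdb
          when: not pgsql_data_dir.stat.exists

    - name: Debian Distros Tasks
      when: ansible_distribution_file_variety == 'Debian'
      block:
        - name: Run the equivalent of "apt-get update" as a separate step
          apt:
            update_cache: true

        - name: Install System Packages
          package:
            name: "{{ item }}"
            state: present
          loop:
            - dirmngr
            - nginx
            - sudo
            - php-fpm
            - postgresql-all
            - python3-psycopg2
            - php-pgsql
            - php-cli
            - php-curl
            - php-gd
            - php-json
            - php-ldap
            - php-mbstring
            #- php7.4-xml  # on Debian 10 the PHP version is 7.3 and this 7.4 package conflicts
            - php-xml
            #- php-xmlwriter
            - php-zip
            #- php-smbclient
            - php-imap
            - php-gmp
            #- php-process
            - php-imagick
            - php-memcached
            - php-apcu
            - php-redis
            - python3-openssl

        - name: Install Redis for Debian versions differen than 10
          package:
            name: redis
            state: present
          when: ansible_distribution_version != "10"

        # SECURITY: these .deb files are fetched from a third-party host over
        # plain HTTP and are not checksum-verified, so apt's signature checks do
        # not cover them. Prefer an HTTPS source plus a pinned checksum (or a
        # signed local repository) before relying on this path.
        - name: Install Redis for Debian 10
          apt:
            deb: "{{ item }}"
            state: present
          loop:
            - http://sandino.araico.net/parches/Debian/redis/redis-tools_5.0.3-4+deb10u4_amd64.deb
            - http://sandino.araico.net/parches/Debian/redis/redis-server_5.0.3-4+deb10u4_amd64.deb
            - http://sandino.araico.net/parches/Debian/redis/redis_5.0.3-4+deb10u4_all.deb
          when: ansible_distribution_version == "10"

        # Read-only probes: mark them unchanged so runs stay idempotent in reports.
        - name: Get php version
          shell: "php -v | grep built | cut -d '.' -f 1,2 | sed 's/PHP //'"
          register: php_version
          changed_when: false
          tags:
            - php_ver

        - name: Get PostgreSQL version
          shell: "psql -V | cut -d ' ' -f 3 | cut -d '.' -f 1"
          register: postgres_version
          changed_when: false
          tags:
            - php_ver

        - name: Update the php_ini_path variable
          set_fact:
            php_ini_path: "/etc/php/{{ php_version.stdout }}/fpm"

        - name: Update the pg_hba_conf variable
          set_fact:
            pg_hba_conf: "/etc/postgresql/{{ postgres_version.stdout }}/main/pg_hba.conf"

        - name: Update the php_pool_path variable
          set_fact:
            php_pool_path: "/etc/php/{{ php_version.stdout }}/fpm/pool.d"

        - name: Update the php_fpm_service variable
          set_fact:
            php_fpm_service: "php{{ php_version.stdout }}-fpm"

        # The key is shipped with the playbook (files/) instead of being fetched
        # from a keyserver at run time.
        - name: Add Collabora apt key by id from keyserver for Debian 10
          ansible.builtin.apt_key:
            #keyserver: keyserver.ubuntu.com
            id: "0C54D189F4BA284D"
            data: "{{ lookup('file', 'files/0C54D189F4BA284D.asc') }}"
          tags:
            - debian-collabora-repos
            - collabora

        - name: Add Collabora repository for Debian distros (10)
          ansible.builtin.apt_repository:
            repo: deb https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-debian10 ./
            state: present
          tags:
            - debian-collabora-repos
            - collabora

        - name: Install Collabora Online Packages
          package:
            name: "{{ item }}"
            state: present
          loop:
            - loolwsd
            - code-brand
          tags:
            - collabora

        - name: Remove nginx default configuration
          ansible.builtin.file:
            path: /etc/nginx/sites-enabled/default
            state: absent
          tags:
            - clean_defaults

    - name: Configure Nginx Nextcloud pool
      template:
        src: files/nextcloud_nginx.conf.j2
        dest: "{{ nginx_path }}/nextcloud_nginx.conf"
      tags:
        - notify_push

    - name: Configure PHP
      template:
        src: files/php.ini.j2
        dest: "{{ php_ini_path }}/php.ini"

    - name: Configure PHP FPM pool
      template:
        src: files/www.conf.j2
        dest: "{{ php_pool_path }}/www.conf"

    # nextcloud specific tasks
    #- name: Ensure that Nextcloud target directory exists
    #  ansible.builtin.file:
    #    path: /var/www/nextcloud
    #    state: directory
    #    mode: '0755'
    #    owner: "{{ web_user }}"

    - name: Download Nextcloud
      get_url:
        url: "https://download.nextcloud.com/server/releases/nextcloud-{{ nextcloud_version }}.tar.bz2"
        dest: "/usr/src/nextcloud-{{ nextcloud_version }}.tar.bz2"
        checksum: "{{ nextcloud_checksum }}"
      when: not nextcloud_is_unpacked.stat.exists and not ansible_local['nextcloud']['is_installed']

    - name: Unpack Nextcloud
      ansible.builtin.unarchive:
        src: "/usr/src/nextcloud-{{ nextcloud_version }}.tar.bz2"
        dest: "{{ nextcloud_path }}"
        remote_src: true
        owner: "{{ web_user }}"
        extra_opts:
          - --strip-components=1
      when: not nextcloud_is_unpacked.stat.exists and not ansible_local['nextcloud']['is_installed']

    # The openssl_* modules do not create parent directories, and /etc/pki/tls
    # is not guaranteed to exist on every distro, so create every directory the
    # key/cert paths point at.
    - name: Create TLS directories for nginx and redis key material
      file:
        path: "{{ item }}"
        state: directory
      loop:
        - /etc/ssl/nginx
        - "{{ nginx_ssl_key_file | dirname }}"
        - "{{ nginx_ssl_cert_file | dirname }}"
        - "{{ nginx_ssl_csr_file | dirname }}"
        - "{{ redis_cert_private_key | dirname }}"
        - "{{ redis_cert | dirname }}"
        - "{{ redis_csr | dirname }}"

    - name: Generate Nginx SSL Private Key
      openssl_privatekey:
        path: "{{ nginx_ssl_key_file }}"
        size: "{{ key_size }}"
        type: "{{ key_type }}"
        backup: true

    - name: Generate Nginx SSL CSR
      openssl_csr:
        path: "{{ nginx_ssl_csr_file }}"
        privatekey_path: "{{ nginx_ssl_key_file }}"
        country_name: "{{ country_name }}"
        organization_name: "{{ organization_name }}"
        email_address: "{{ email_address }}"
        common_name: "{{ nextcloud_domain_name }}"
        subject_alt_name: "DNS:{{ ansible_hostname }},DNS:{{ nextcloud_domain_name }},DNS:{{ server_hostname }}"

    - name: Generate Nginx Self Signed OpenSSL certificate
      openssl_certificate:
        path: "{{ nginx_ssl_cert_file }}"
        privatekey_path: "{{ nginx_ssl_key_file }}"
        csr_path: "{{ nginx_ssl_csr_file }}"
        provider: selfsigned

    - name: Enable nginx service
      systemd:
        name: nginx
        enabled: true
        state: restarted
      tags:
        - notify_push

    - name: Enable php-fpm service
      systemd:
        name: "{{ php_fpm_service }}"
        enabled: true
        state: restarted

    - name: Enable PostgreSQL service
      systemd:
        name: postgresql
        enabled: true
        state: restarted

    - name: Generate Redis SSL Private Key
      openssl_privatekey:
        path: "{{ redis_cert_private_key }}"
        size: "{{ key_size }}"
        type: "{{ key_type }}"
        backup: true
        owner: redis

    # FIXME: version this for Debian 10, or build a Redis package for Debian 10 with TLS support
    - name: Generate Redis SSL CSR
      openssl_csr:
        path: "{{ redis_csr }}"
        privatekey_path: "{{ redis_cert_private_key }}"
        country_name: "{{ country_name }}"
        organization_name: "{{ organization_name }}"
        email_address: "{{ email_address }}"
        common_name: "{{ server_hostname }}"
        owner: redis

    - name: Generate Redis Self Signed OpenSSL certificate
      openssl_certificate:
        path: "{{ redis_cert }}"
        privatekey_path: "{{ redis_cert_private_key }}"
        csr_path: "{{ redis_csr }}"
        provider: selfsigned
        owner: redis

    # The rendered config presumably carries the Redis credentials and TLS
    # settings (TODO confirm against files/redis.conf.j2), so it is readable by
    # root and the redis group only instead of being world-readable.
    - name: Set Redis Configuration
      template:
        src: files/redis.conf.j2
        dest: "{{ redis_dir }}/redis.conf"
        owner: root
        group: redis
        mode: "0640"

    - name: Enable Redis service
      systemd:
        name: redis
        enabled: true
        state: restarted
      #when: (ansible_distribution == "Debian" and ansible_distribution_version != "10") or ansible_distribution == "RedHat"
      tags:
        - check_redis

    - name: "Create database user"
      postgresql_user:
        name: "{{ nextcloud_database_user }}"
        password: "{{ nextcloud_database_user_password }}"
      become_user: postgres
      become: true
      # Keep the password out of task output and logs.
      no_log: true
      tags:
        - database

    - name: "Create nextcloud database"
      postgresql_db:
        name: "{{ nextcloud_database }}"
        encoding: UTF-8
        template: template0
        owner: "{{ nextcloud_database_user }}"
      become_user: postgres
      become: true
      tags:
        - database

    # Everything in this play runs on one host, so password auth is only
    # needed for loopback TCP connections; a 0.0.0.0/0 rule would hand every
    # address password access to every database as soon as listen_addresses is
    # widened. The block is appended and pg_hba.conf is first-match, so any
    # distro default for 127.0.0.1/32 still takes precedence.
    - name: Allow postgres user to connect to the database
      blockinfile:
        dest: "{{ pg_hba_conf }}"
        block: |
          host all all 127.0.0.1/32 md5
          host all all ::1/128 md5

    # pg_hba.conf is only re-read on reload; without this the rule above stays
    # inactive until the next PostgreSQL restart.
    - name: Reload PostgreSQL so the pg_hba.conf change takes effect
      systemd:
        name: postgresql
        state: reloaded

    # The admin and database passwords are passed as occ arguments, which are
    # briefly visible to other local users via the process list; no_log keeps
    # them out of Ansible's own output.
    - name: Install nextcloud to database
      ansible.builtin.shell:
        cmd: /usr/bin/php "{{ nextcloud_occ }}" maintenance:install --database "pgsql" --database-name "{{ nextcloud_database }}" --database-user "{{ nextcloud_database_user }}" --database-pass "{{ nextcloud_database_user_password }}" --admin-user "{{ nextcloud_admin_user }}" --admin-pass "{{ nextcloud_admin_password }}"
        chdir: "{{ document_root }}"
      become: true
      become_user: "{{ web_user }}"
      no_log: true
      when: not ansible_local['nextcloud']['is_installed']

    - name: Configure Nextcloud trusted domain
      ansible.builtin.shell:
        cmd: /usr/bin/php "{{ nextcloud_occ }}" config:system:set trusted_domains 1 --value="{{ nextcloud_domain_name }}"
        chdir: "{{ document_root }}"
      become: true
      become_user: "{{ web_user }}"

    # trusted_proxies entries 0..2: IPv4 loopback, the site's own name, IPv6
    # loopback. notify_push on this host proxies through these addresses.
    - name: Configure localhost as trusted proxy
      ansible.builtin.shell:
        cmd: /usr/bin/php "{{ nextcloud_occ }}" config:system:set trusted_proxies 0 --value=127.0.0.1
        chdir: "{{ document_root }}"
      become: true
      become_user: "{{ web_user }}"
      tags:
        - notify_push

    - name: "configure {{ nextcloud_domain_name }} as trusted proxy"
      ansible.builtin.shell:
        cmd: /usr/bin/php "{{ nextcloud_occ }}" config:system:set trusted_proxies 1 --value="{{ nextcloud_domain_name }}"
        chdir: "{{ document_root }}"
      become: true
      become_user: "{{ web_user }}"
      tags:
        - notify_push

    - name: "configure ::1 as trusted proxy"
      ansible.builtin.shell:
        cmd: /usr/bin/php "{{ nextcloud_occ }}" config:system:set trusted_proxies 2 --value=::1
        chdir: "{{ document_root }}"
      become: true
      become_user: "{{ web_user }}"
      tags:
        - notify_push

    # Lets Nextcloud trust its own self-signed certificate for outbound calls.
    - name: "Import certificate to Nextcloud instance"
      ansible.builtin.shell:
        cmd: /usr/bin/php "{{ nextcloud_occ }}" security:certificates:import "{{ nginx_ssl_cert_file }}"
        chdir: "{{ document_root }}"
      become: true
      become_user: "{{ web_user }}"
      tags:
        - certificates

    # Redis como memcache https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/caching_configuration.html?highlight=cache
    - name: Configure Nextcloud Redis
      ansible.builtin.shell:
        cmd: |
          /usr/bin/php "{{ nextcloud_occ }}" config:system:set redis host --value=localhost
          /usr/bin/php "{{ nextcloud_occ }}" config:system:set redis port --value=6379
          /usr/bin/php "{{ nextcloud_occ }}" config:system:set redis dbindex --value=0
          /usr/bin/php "{{ nextcloud_occ }}" config:system:set redis user --value="{{ redis_user }}"
          /usr/bin/php "{{ nextcloud_occ }}" config:system:set redis password --value="{{ redis_password }}"
        chdir: "{{ document_root }}"
      become: true
      become_user: "{{ web_user }}"
      # The Redis password is part of the command line.
      no_log: true
      #when: (ansible_distribution == "Debian" and ansible_distribution_version != "10") or ansible_distribution == "RedHat"
      tags:
        - nextcloud_redis

    - name: Enable Nextcloud High Performance Backend
      ansible.builtin.shell:
        cmd: /usr/bin/php "{{ nextcloud_occ }}" app:enable notify_push
        chdir: "{{ document_root }}"
      become: true
      become_user: "{{ web_user }}"
      #when: (ansible_distribution == "Debian" and ansible_distribution_version != "10") or ansible_distribution == "RedHat"

    - name: Install Nextcloud High Performance Backend Systemd Service
      template:
        src: files/notify_push.service.j2
        dest: /etc/systemd/system/notify_push.service
      #when: (ansible_distribution == "Debian" and ansible_distribution_version != "10") or ansible_distribution == "RedHat"

    - name: Set Nextcloud High Performance Backend Systemd Service environment
      template:
        src: files/notify_push_environment.j2
        dest: "{{ nextcloud_path }}/apps/notify_push/environment"
      #when: (ansible_distribution == "Debian" and ansible_distribution_version != "10") or ansible_distribution == "RedHat"

    - name: Enable Nextcloud Notify Push Service
      systemd:
        name: notify_push
        state: restarted
        daemon_reload: true
      #when: (ansible_distribution == "Debian" and ansible_distribution_version != "10") or ansible_distribution == "RedHat"

    - name: Setup Nextcloud High Performance Backend
      ansible.builtin.shell:
        cmd: /usr/bin/php "{{ nextcloud_occ }}" notify_push:setup "https://{{ nextcloud_domain_name }}/push"
        chdir: "{{ document_root }}"
      become: true
      become_user: "{{ web_user }}"
      #when: (ansible_distribution == "Debian" and ansible_distribution_version != "10") or ansible_distribution == "RedHat"
      tags:
        - redis
        - notify_push

    - name: Reload facts after Nextcloud installation
      setup:
      tags:
        - check_facts

    - name: Copy collabora configuration files
      template:
        src: files/loolwsd.xml.j2
        dest: /etc/loolwsd/loolwsd.xml

    - name: Enable Libre Office Web services
      systemd:
        name: loolwsd
        enabled: true
        state: restarted
      tags:
        - nextcloud_collabora

    - name: Install Collabora Office nextcloud app
      ansible.builtin.shell:
        cmd: /usr/bin/php "{{ nextcloud_occ }}" app:install richdocuments
        chdir: "{{ document_root }}"
      become: true
      become_user: "{{ web_user }}"
      tags:
        - nextcloud_collabora
      when: not ansible_local['nextcloud']['is_code_installed']

    - name: Reload facts after Collabora Nextcloud app installation
      setup:
      tags:
        - check_facts

    - name: Configure Collabora Office nextcloud app
      ansible.builtin.shell:
        cmd: /usr/bin/php "{{ nextcloud_occ }}" config:app:set --value "https://{{ nextcloud_domain_name }}" richdocuments wopi_url
        chdir: "{{ document_root }}"
      become: true
      become_user: "{{ web_user }}"
      tags:
        - nextcloud_collabora
      when: ansible_local['nextcloud']['is_code_installed'] == true

    - name: Activate Collabora Office nextcloud app
      ansible.builtin.shell:
        cmd: /usr/bin/php "{{ nextcloud_occ }}" richdocuments:activate-config
        chdir: "{{ document_root }}"
      become: true
      become_user: "{{ web_user }}"
      tags:
        - nextcloud_collabora
      when: ansible_local['nextcloud']['is_code_installed'] == true

    # allow_local_remote_servers lets Nextcloud make server-side requests to
    # loopback and private addresses. It is required here because Collabora
    # runs on the same host, but it widens what Nextcloud's outbound requests
    # can reach; keep it scoped to this deployment and revisit if Collabora
    # moves to its own host.
    - name: Allow local remote servers for nextcloud
      ansible.builtin.shell:
        cmd: /usr/bin/php "{{ nextcloud_occ }}" config:system:set allow_local_remote_servers --value true --type bool
        chdir: "{{ document_root }}"
      become: true
      become_user: "{{ web_user }}"
      tags:
        - nextcloud_collabora
      when: ansible_local['nextcloud']['is_code_installed'] == true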