Compare commits
	
		
			52 Commits
		
	
	
		
			0.1.0
			...
			7dc25f5821
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
| 7dc25f5821 | |||
| 5ed71fa11a | |||
| 95aff397b8 | |||
| a708450260 | |||
| 8b600a9830 | |||
| e4c4f0bac4 | |||
| 236a7236d4 | |||
| 6f22e87252 | |||
| 6504e0d7f8 | |||
| 68fac3624b | |||
| f8861c266f | |||
| d2e870389f | |||
| 0f671549d5 | |||
| c045b0586e | |||
| 4e2757f649 | |||
| 80ec87c7f4 | |||
| e079c5d48b | |||
| acbb6bfef7 | |||
| 0368d71410 | |||
| c7fd45b47f | |||
| 8ff2a5878e | |||
| b02037f743 | |||
| 63a291121a | |||
| 69d76f3342 | |||
| f465c5d792 | |||
| 29a145fe42 | |||
| f27abe9e42 | |||
| e76e4beac0 | |||
| b40bd1a383 | |||
| 6acf6314eb | |||
| 3e5ad9ac5d | |||
| ed8f838092 | |||
| cd527b9faa | |||
| 991b8c635c | |||
| 63f45dc193 | |||
| c56b82121b | |||
| e46c687b89 | |||
| ea33ee5ea7 | |||
| a907549dc9 | |||
| b1a1daf955 | |||
| 341780731c | |||
| fe15b316bf | |||
| e9715e31bf | |||
| feadc801d5 | |||
| 3b2957492e | |||
| dd5223afaa | |||
| dd295b4129 | |||
| 5d00b7637d | |||
| 5bc19d4ddc | |||
| 80317cae6a | |||
| f2e66f002b | |||
| 1caf613ff2 | 
							
								
								
									
									
										11
									
								
								README.md
									
									
									
									
									
								
							| @@ -7,12 +7,17 @@ and managing nextcloud installations | ||||
|  | ||||
| ## Roles | ||||
|  | ||||
| - [`roles/nextcloud`](roles/nextcloud/README.md): For deploying | ||||
| - [`roles/server`](roles/server/README.md): For deploying | ||||
|   and configuring a bare nextcloud instance in a docker container. | ||||
|   Supports both the `-apache` (default) and `-fpm` variants. | ||||
| - [`roles/nextcloud-apps`](roles/nextcloud-apps/README.md): | ||||
| - [`roles/apps`](roles/apps/README.md): | ||||
|   For managing nextcloud apps in an already installed nextcloud | ||||
|   instance. Can install, remove, enable/disable and update apps. | ||||
|   server instance. Can install, remove, enable/disable and update apps. | ||||
| - [`roles/ldap-user-backend`](roles/ldap-user-backend/README.md): | ||||
|   Manages LDAP authentication sources in installed nextcloud instances. | ||||
| - [`roles/nginx-fpm-proxy`](roles/nginx-fpm-proxy/README.md): | ||||
|   Reverse proxy role which connects to nextcloud using FPM | ||||
|   and serves static content. | ||||
|  | ||||
| ## License | ||||
|  | ||||
|   | ||||
							
								
								
									
									
										13
									
								
								galaxy.yml
									
									
									
									
									
								
							| @@ -1,13 +1,14 @@ | ||||
| namespace: finallycoffee | ||||
| name: nextcloud | ||||
| version: 0.1.0 | ||||
| version: 0.5.1 | ||||
| readme: README.md | ||||
| authors: | ||||
| - Johanna Dorothea Reichmann <transcaffeine@finallycoffee.eu> | ||||
| - transcaffeine <transcaffeine@finally.coffee> | ||||
| description: Installing and configuring nextcloud (and related apps/services) using docker | ||||
| license: | ||||
| - CNPLv7+ | ||||
| dependencies: | ||||
|   "community.docker": "^1.10.0" | ||||
| license_file: LICENSE.md | ||||
| build_ignore: | ||||
| - '*.tar.gz' | ||||
| repository: https://git.finallycoffee.eu/finallycoffee.eu/nextcloud | ||||
| issues: https://git.finallycoffee.eu/finallycoffee.eu/nextcloud/issues | ||||
| repository: https://git.finally.coffee/finallycoffee/nextcloud | ||||
| issues: https://git.finally.coffee/finallycoffee/nextcloud/issues | ||||
|   | ||||
							
								
								
									
									
										3
									
								
								meta/runtime.yml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,3 @@ | ||||
| --- | ||||
|  | ||||
| requires_ansible: ">=2.12" | ||||
| @@ -3,3 +3,5 @@ | ||||
| nextcloud_container_name: nextcloud | ||||
| nextcloud_apps: [] | ||||
| nextcloud_run_user: nextcloud | ||||
| 
 | ||||
| nextcloud_apps_check_integrity: false | ||||
| @@ -1,7 +1,9 @@ | ||||
| --- | ||||
| 
 | ||||
| - name: restart-nextcloud | ||||
|   docker_container: | ||||
|   community.docker.docker_container: | ||||
|     name: "{{ nextcloud_container_name }}" | ||||
|     state: started | ||||
|     restart: yes | ||||
|     restart: true | ||||
|     comparisons: | ||||
|       '*': ignore | ||||
| @@ -1,7 +1,7 @@ | ||||
| --- | ||||
| 
 | ||||
| - name: Ensure nextcloud user is created | ||||
|   user: | ||||
|   ansible.builtin.user: | ||||
|     name: "{{ nextcloud_run_user }}" | ||||
|     state: present | ||||
|   register: nextcloud_user_res | ||||
| @@ -48,3 +48,12 @@ | ||||
|   loop: "{{ nextcloud_apps }}" | ||||
|   notify: | ||||
|     - restart-nextcloud | ||||
| 
 | ||||
| - name: Ensure app integrity | ||||
|   community.docker.docker_container_exec: | ||||
|     container: "{{ nextcloud_container_name }}" | ||||
|     command: "php occ integrity:check-app {{ item.name }}" | ||||
|     user: "{{ nextcloud_run_user }}" | ||||
|     tty: yes | ||||
|   when: nextcloud_apps_check_integrity and item.state|default('present') in ['latest', 'present'] | ||||
|   loop: "{{ nextcloud_apps }}" | ||||
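Review bot: The new `Ensure app integrity` task hard-codes `php occ` in its `command` although this same commit introduces `nc_apps_occ_command: "php occ"` in roles/apps/vars/main.yml; `command: "{{ nc_apps_occ_command }} integrity:check-app {{ item.name }}"` keeps the two in step when PHP is not on the default path. `integrity:check-app` only reads state, so the task should carry `changed_when: false`, and nothing inspects its result — `docker_container_exec` returns `rc` and, as far as I recall, does not fail on a non-zero exit by itself — so a failed integrity check is reported as a green run; register the result and add `failed_when: nc_apps_integrity.rc != 0` (or a comment saying why not). `tty: yes` also departs from the `restart: true` boolean style the commit adopts in the handler; `tty: true` would be consistent. The enclosing task list continues outside the hunk.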
							
								
								
									
									
										3
									
								
								roles/apps/vars/main.yml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,3 @@ | ||||
| --- | ||||
|  | ||||
| nc_apps_occ_command: "php occ" | ||||
							
								
								
									
									
										37
									
								
								roles/ldap_user_backend/README.md
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,37 @@ | ||||
| # `finallycoffee.nextcloud.ldap-user-backend` ansible role | ||||
|  | ||||
| Ansible role for managing LDAP authentication of nextcloud instances using ansible. | ||||
|  | ||||
| ## Prerequisites | ||||
|  | ||||
| This role assumes a nextcloud instance is up and running, and has the `user_ldap` | ||||
| nextcloud app installed. For starting a nextcloud instance, see the | ||||
| `finallycoffee.nextcloud.server` role, for managing nextcloud apps see the | ||||
| `finallycoffee.nextcloud.apps` ansible role. | ||||
|  | ||||
| ## Configuration | ||||
|  | ||||
| - Set `nc_ldap_api_method` to either `occ` or `http` to control wether the | ||||
|   configuration is set using `php occ` command line calls or the `http` API | ||||
|   of the `user_ldap` nextcloud app. | ||||
|  | ||||
| - For `nc_ldap_api_method: occ`, ensure `nc_ldap_container` is set to the name | ||||
|   of the docker container where nextcloud is running, and `nc_ldap_occ_user` is | ||||
|   the user the container / nextcloud itself runs as. `nc_ldap_occ_command` | ||||
|   _can_ also be tweaked if `php` is not in the path, but the default should | ||||
|   be fine in most cases. | ||||
|  | ||||
| - For `nc_ldap_api_method: http`, ensure `nc_ldapi_api_instance_url` contains | ||||
|   the URL to the nextcloud server, including protocol (and port, if | ||||
|   non-standard), and `nc_ldap_api_basic_auth_[user|password]` contain the | ||||
|   credentials of an admin user with the rights to edit the LDAP settings. | ||||
|  | ||||
| - Set `nc_ldap_test_configuration` to `true`/`false` to have the role issue a | ||||
|   nextcloud-provided test of the configured LDAP configuration, this corresponds | ||||
|   to a `occ ldap:test-config <id>`. | ||||
|  | ||||
| For most of the options, see the | ||||
| [nextcloud manual on configuration keys](https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap_api.html#configuration-keys), | ||||
| the config keys are mapped 1:1 with a prefix of `nc_ldap_config_` and | ||||
| the so-called "snake-case" (`ldap_backup_host`), so `ldapUserFilterMode` becomes | ||||
| `nc_ldap_config_ldap_user_filter_mode`. | ||||
							
								
								
									
									
										67
									
								
								roles/ldap_user_backend/defaults/main.yml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,67 @@ | ||||
| --- | ||||
|  | ||||
| nc_ldap_api_method: occ | ||||
| nc_ldap_test_configuration: true | ||||
|  | ||||
| nc_ldap_api_instance_url: http://localhost | ||||
| nc_ldap_api_basic_auth_user: | ||||
| nc_ldap_api_basic_auth_password: | ||||
|  | ||||
| nc_ldap_occ_command: "php occ" | ||||
| nc_ldap_occ_user: "nextcloud" | ||||
| nc_ldap_container: nextcloud | ||||
|  | ||||
| nc_ldap_config_id: s01 | ||||
| nc_ldap_config_host: 127.0.0.1 | ||||
| nc_ldap_config_port: 389 | ||||
| nc_ldap_config_backup_host: ~ | ||||
| nc_ldap_config_backup_port: ~ | ||||
|  | ||||
| nc_ldap_config_base_dn: | ||||
| nc_ldap_config_base_dn_users: | ||||
| nc_ldap_config_base_dn_groups: | ||||
| nc_ldap_config_agent_name: | ||||
| nc_ldap_config_agent_password: | ||||
|  | ||||
| nc_ldap_config_override_main_server: ~ | ||||
| nc_ldap_config_tls: ~ | ||||
| nc_ldap_config_turn_off_cert_check: ~ | ||||
| nc_ldap_config_user_displayname: ~ | ||||
| nc_ldap_config_user_displayname2: ~ | ||||
| nc_ldap_config_user_avatar_rule: ~ | ||||
| nc_ldap_config_gid_number: ~ | ||||
| nc_ldap_config_user_filter_objectclass: ~ | ||||
| nc_ldap_config_user_filter_groups: ~ | ||||
| nc_ldap_config_user_filter: ~ | ||||
| nc_ldap_config_user_filter_mode: ~ | ||||
| nc_ldap_config_attributes_for_user_search: ~ | ||||
| nc_ldap_config_group_filter: ~ | ||||
| nc_ldap_config_group_filter_mode: ~ | ||||
| nc_ldap_config_group_filter_objectclass: ~ | ||||
| nc_ldap_config_group_filter_groups: ~ | ||||
| nc_ldap_config_group_member_assoc_attr: ~ | ||||
| nc_ldap_config_group_displayname: ~ | ||||
| nc_ldap_config_attributes_for_group_search: ~ | ||||
| nc_ldap_config_login_filter: ~ | ||||
| nc_ldap_config_login_filter_mode: ~ | ||||
| nc_ldap_config_login_filter_email: ~ | ||||
| nc_ldap_config_login_filter_username: ~ | ||||
| nc_ldap_config_login_filter_attributes: ~ | ||||
| nc_ldap_config_quota_attribute: ~ | ||||
| nc_ldap_config_quota_default: ~ | ||||
| nc_ldap_config_email_attribute: ~ | ||||
| nc_ldap_config_cache_ttl: ~ | ||||
| nc_ldap_config_configuration_active: ~ | ||||
| nc_ldap_config_experienced_admin: ~ | ||||
| nc_ldap_config_home_folder_naming_rule: ~ | ||||
| nc_ldap_config_use_memberOf_to_detect_membership: ~ | ||||
| nc_ldap_config_expert_username_attr: ~ | ||||
| nc_ldap_config_expert_uuid_user_attr: ~ | ||||
| nc_ldap_config_expert_uuid_group_attr: ~ | ||||
| nc_ldap_config_nested_groups: ~ | ||||
| nc_ldap_config_paging_size: ~ | ||||
| nc_ldap_config_turn_on_password_change: ~ | ||||
| nc_ldap_config_dynamic_group_member_url: ~ | ||||
| nc_ldap_config_default_ppolicy_dn: ~ | ||||
|  | ||||
| nc_ldap_meta_http_agent: "ansible-httpget/finallycoffee.nextcloud.ldap-user-backend" | ||||
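Review bot: `nc_ldap_api_instance_url` defaults to `http://localhost`, and in http mode `nc_ldap_api_basic_auth_user`/`_password` are sent as HTTP Basic auth on every request (see the `force_basic_auth` in load_config_http.yml), so any non-loopback value has to be `https://` or the admin credentials cross the network in clear text; nothing in the defaults states that. I would add above the URL line: `# Admin credentials are sent as HTTP basic auth with every request; use https:// unless this is loopback.` Likewise `nc_ldap_config_turn_off_cert_check: ~` maps to the `turnOffCertCheck` key, which switches off LDAPS certificate verification when enabled; a one-line comment naming that effect next to it would help whoever flips it.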
							
								
								
									
									
										4
									
								
								roles/ldap_user_backend/meta/main.yml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,4 @@ | ||||
| --- | ||||
|  | ||||
| collections: | ||||
|   - community.docker | ||||
							
								
								
									
									
										49
									
								
								roles/ldap_user_backend/tasks/load_config_http.yml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,49 @@ | ||||
| --- | ||||
|  | ||||
| - name: Set default api parameters for HTTP | ||||
|   ansible.builtin.meta: noop | ||||
|   vars: &api_defaults | ||||
|     http_agent: "{{ nc_ldap_meta_http_agent }}" | ||||
|     headers: "{{ nc_ldap_api_headers }}" | ||||
|     url_username: "{{ nc_ldap_api_basic_auth_user }}" | ||||
|     url_password: "{{ nc_ldap_api_basic_auth_password }}" | ||||
|     force_basic_auth: yes | ||||
|     force: yes | ||||
|  | ||||
| - name: Check if configuration with given config ID already exists | ||||
|   ansible.builtin.uri: | ||||
|     <<: *api_defaults | ||||
|     url: "{{ nc_ldap_api_path }}/{{ nc_ldap_config_id }}{{ query_params }}" | ||||
|     method: GET | ||||
|   vars: | ||||
|     query_params: "?showPassword={{ '1' if nc_ldap_config_agent_password else '0' }}&format={{nc_ldap_api_parameter_format }}" | ||||
|   register: nc_ldap_existing_config_api | ||||
|  | ||||
| # TODO: Can we force an ID on POST? | ||||
| - name: Create ldap configuration with id={{ nc_ldap_config_id }} | ||||
|   ansible.builtin.uri: | ||||
|     <<: *api_defaults | ||||
|     url: "{{ nc_ldap_api_path }}" | ||||
|     method: POST | ||||
|   when: nc_ldap_existing_config_api.status != 200 | ||||
|  | ||||
| - name: Parse output of query command to dict | ||||
|   ansible.builtin.set_fact: | ||||
|     nc_ldap_existing_config: "{{ nc_ldap_existing_config_api.stdout | from_json }}" | ||||
|   changed_when: false | ||||
|  | ||||
| - name: Create changeset | ||||
|   ansible.builtin.set_fact: | ||||
|     nc_ldap_config_changeset: "{{ nc_ldap_config_changeset | combine(changed_entry) }}" | ||||
|   vars: | ||||
|     changed_entry: "{{ { item : nc_ldap_config_keys[item] } }}" | ||||
|   loop: "{{ nc_ldap_config_keys.keys() }}" | ||||
|   when: nc_ldap_config_keys[item] is defined and nc_ldap_config_keys[item] and nc_ldap_config_keys[item] != nc_ldap_existing_config[nc_ldap_config_id][item] | ||||
|  | ||||
| - name: Ensure ldap configuration is in sync (http) | ||||
|   ansible.builtin.uri: | ||||
|     <<: *api_defaults | ||||
|     url: "{{ nc_lap_api_path }}/{{ nc_ldap_config_id }}" | ||||
|     method: PUT | ||||
|     body: "{{ { 'configData': nc_ldap_config_changeset } }}" | ||||
|     body_format: "form-urlencoded" | ||||
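Review bot: All three `ansible.builtin.uri` calls build `url:` from `nc_ldap_api_path`, which vars/main.yml defines as the bare `/ocs/v2.php/...` path (the PUT even uses the misspelled `nc_lap_api_path`), so no request carries a host; vars/main.yml already defines `nc_ldap_api_url` with the instance URL prepended, so `url: "{{ nc_ldap_api_url }}/{{ nc_ldap_config_id }}{{ query_params }}"` and the same base in the POST and PUT is the intended form. `uri` returns no `stdout`, so `nc_ldap_existing_config_api.stdout | from_json` in `Parse output of query command to dict` fails at runtime — the decoded body is in `.json` — and because `uri` fails on a non-2xx status by default, the `status != 200` guard on the create task can only be reached if the GET sets `status_code: [200, 404]`. The GET with `showPassword=1`, the changeset loop and the PUT body all handle `ldapAgentPassword`, which otherwise lands in task output and any Ansible log; add `no_log: true` to those three tasks, and `force_basic_auth: true` / `force: true` would match the boolean style the commit uses elsewhere.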
							
								
								
									
									
										49
									
								
								roles/ldap_user_backend/tasks/load_config_occ.yml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,49 @@ | ||||
| --- | ||||
|  | ||||
| - name: Check if configuration with given config ID already exists | ||||
|   community.docker.docker_container_exec: | ||||
|     container: "{{ nc_ldap_container }}" | ||||
|     command: "{{ nc_ldap_occ_command }} ldap:show-config --output json {{ '--show-password' if nc_ldap_config_agent_password else '' }} {{ nc_ldap_config_id }}" | ||||
|     user: "{{ nc_ldap_occ_user }}" | ||||
|     tty: yes | ||||
|   changed_when: false | ||||
|   check_mode: false | ||||
|   register: nc_ldap_existing_config_occ | ||||
|  | ||||
| - name: Create ldap configuration with id={{ nc_ldap_config_id }} | ||||
|   community.docker.docker_container_exec: | ||||
|     container: "{{ nc_ldap_container }}" | ||||
|     command: "{{ nc_ldap_occ_command }} ldap:create-empty-config --output json {{ nc_ldap_config_id }}" | ||||
|     user: "{{ nc_ldap_occ_user }}" | ||||
|     tty: yes | ||||
|   when: nc_ldap_existing_config_occ.rc != 0 and nc_ldap_config_id not in (nc_ldap_existing_config_occ.stdout | from_json).keys() | ||||
|  | ||||
| - name: Parse output of query command to dict | ||||
|   ansible.builtin.set_fact: | ||||
|     nc_ldap_existing_config: "{{ nc_ldap_existing_config_occ.stdout | from_json }}" | ||||
|   changed_when: false | ||||
|  | ||||
| - name: Create changeset | ||||
|   ansible.builtin.set_fact: | ||||
|     nc_ldap_config_changeset: "{{ nc_ldap_config_changeset | combine(changed_entry) }}" | ||||
|   vars: | ||||
|     changed_entry: "{{ { item : nc_ldap_config_keys[item] } }}" | ||||
|   loop: "{{ nc_ldap_config_keys.keys() }}" | ||||
|   when: nc_ldap_config_keys[item] is defined and nc_ldap_config_keys[item] and nc_ldap_config_keys[item] != nc_ldap_existing_config[nc_ldap_config_id][item] | ||||
|  | ||||
| - name: Ensure ldap configuration is in sync | ||||
|   community.docker.docker_container_exec: | ||||
|     container: "{{ nc_ldap_container }}" | ||||
|     command: "{{ nc_ldap_occ_command }} ldap:set-config \"{{ nc_ldap_config_id }}\" \"{{ item.key }}\" \"{{ item.value }}\"" | ||||
|     user: "{{ nc_ldap_occ_user }}" | ||||
|     tty: yes | ||||
|   loop: "{{ nc_ldap_config_changeset | dict2items }}" | ||||
|  | ||||
| - name: Ensure ldap configuration is working | ||||
|   community.docker.docker_container_exec: | ||||
|     container: "{{ nc_ldap_container }}" | ||||
|     command: "{{ nc_ldap_occ_command }} ldap:test-config {{ nc_ldap_config_id }}" | ||||
|     user: "{{ nc_ldap_occ_user }}" | ||||
|     tty: yes | ||||
|   changed_when: false | ||||
|   when: nc_ldap_test_configuration | ||||
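Review bot: `Ensure ldap configuration is in sync` passes every value, including `ldapAgentPassword`, through one quoted `command` string to `ldap:set-config`; a value containing a double quote, `$` or backslash breaks the tokenisation, and the bind password appears in the loop output and in the container's process list. Passing the words as a list avoids the quoting problem — `argv: "{{ (nc_ldap_occ_command | split) + ['ldap:set-config', nc_ldap_config_id, item.key, item.value | string] }}"` in place of `command:` — and this task plus the `--show-password` show-config task should carry `no_log: true`. The create condition `nc_ldap_existing_config_occ.rc != 0 and nc_ldap_config_id not in (nc_ldap_existing_config_occ.stdout | from_json).keys()` evaluates `from_json` on whatever occ printed when it exited non-zero, which is unlikely to be JSON, and when rc is 0 but the id is absent nothing is created; depending on what `ldap:show-config` prints for an unknown id, `rc != 0 or ... not in ...` with a `default({})`-guarded parse is probably what was meant.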
							
								
								
									
									
										10
									
								
								roles/ldap_user_backend/tasks/main.yml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,10 @@ | ||||
| --- | ||||
|  | ||||
| - name: Load config {{ nc_ldap_config_id }} (and create if not exists) when running mode is http | ||||
|   ansible.builtin.include_tasks: load_config_http.yml | ||||
|   when: nc_ldap_api_method == 'http' | ||||
|  | ||||
| - name: Load config {{ nc_ldap_config_id }} (and create if not exists) when running mode is occ | ||||
|   ansible.builtin.include_tasks: load_config_occ.yml | ||||
|   when: nc_ldap_api_method == 'occ' | ||||
|  | ||||
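Review bot: Neither include fires when `nc_ldap_api_method` is anything but exactly `http` or `occ`, so a typo such as `Occ` leaves the LDAP configuration untouched while the play ends green; an `assert` before the two includes makes that an error. The role's README also says `nc_ldap_test_configuration` triggers `ldap:test-config`, but in this commit only load_config_occ.yml has that task, so the http path never validates the bind; either add the equivalent request there or note the limitation in the README.
```yaml
- name: Ensure a supported API method is configured
  ansible.builtin.assert:
    that: nc_ldap_api_method in ['occ', 'http']
    fail_msg: "nc_ldap_api_method must be 'occ' or 'http'"

# … unchanged: the two include_tasks …
```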
							
								
								
									
									
										60
									
								
								roles/ldap_user_backend/vars/main.yml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,60 @@ | ||||
| --- | ||||
|  | ||||
| nc_ldap_api_path: "/ocs/v2.php/apps/user_ldap/api/v1/config" | ||||
| nc_ldap_api_url: "{{ nc_ldap_api_instance_url }}{{ nc_ldap_api_path }}" | ||||
| nc_ldap_api_headers: | ||||
|   OCS-APIREQUEST: "true" | ||||
| nc_ldap_api_parameter_format: json | ||||
|  | ||||
| nc_ldap_config_keys: | ||||
|   ldapHost: "{{ nc_ldap_config_host }}" | ||||
|   ldapPort: "{{ nc_ldap_config_port }}" | ||||
|   ldapBackupHost: "{{ nc_ldap_config_backup_host }}" | ||||
|   ldapBackupPort: "{{ nc_ldap_config_backup_port }}" | ||||
|   ldapOverrideMainServer: "{{ nc_ldap_config_override_main_server }}" | ||||
|   ldapBase: "{{ nc_ldap_config_base_dn }}" | ||||
|   ldapBaseUsers: "{{ nc_ldap_config_base_dn_users }}" | ||||
|   ldapBaseGroups: "{{ nc_ldap_config_base_dn_groups }}" | ||||
|   ldapAgentName: "{{ nc_ldap_config_agent_name }}" | ||||
|   ldapAgentPassword: "{{ nc_ldap_config_agent_password }}" | ||||
|   ldapTLS: "{{ nc_ldap_config_tls }}" | ||||
|   turnOffCertCheck: "{{ nc_ldap_config_turn_off_cert_check }}" | ||||
|   ldapUserDisplayName: "{{ nc_ldap_config_user_displayname }}" | ||||
|   ldapUserDisplayName2: "{{ nc_ldap_config_user_displayname2 }}" | ||||
|   ldapUserAvatarRule: "{{ nc_ldap_config_user_avatar_rule }}" | ||||
|   ldapGidNumber: "{{ nc_ldap_config_gid_number }}" | ||||
|   ldapUserFilterObjectclass: "{{ nc_ldap_config_user_filter_objectclass }}" | ||||
|   ldapUserFilterGroups: "{{ nc_ldap_config_user_filter_groups }}" | ||||
|   ldapUserFilter: "{{ nc_ldap_config_user_filter }}" | ||||
|   ldapUserFilterMode: "{{ nc_ldap_config_user_filter_mode }}" | ||||
|   ldapAttributesForUserSearch: "{{ nc_ldap_config_attributes_for_user_search }}" | ||||
|   ldapGroupFilter: "{{ nc_ldap_config_group_filter }}" | ||||
|   ldapGroupFilterMode: "{{ nc_ldap_config_group_filter_mode }}" | ||||
|   ldapGroupFilterObjectclass: "{{ nc_ldap_config_group_filter_objectclass }}" | ||||
|   ldapGroupFilterGroups: "{{ nc_ldap_config_group_filter_groups }}" | ||||
|   ldapGroupMemberAssocAttr: "{{ nc_ldap_config_group_member_assoc_attr }}" | ||||
|   ldapGroupDisplayName: "{{ nc_ldap_config_group_displayname }}" | ||||
|   ldapAttributesForGroupSearch: "{{ nc_ldap_config_attributes_for_group_search }}" | ||||
|   ldapLoginFilter: "{{ nc_ldap_config_login_filter }}" | ||||
|   ldapLoginFilterMode: "{{ nc_ldap_config_login_filter_mode }}" | ||||
|   ldapLoginFilterEmail: "{{ nc_ldap_config_login_filter_email }}" | ||||
|   ldapLoginFilterUsername: "{{ nc_ldap_config_login_filter_username }}" | ||||
|   ldapLoginFilterAttributes: "{{ nc_ldap_config_login_filter_attributes }}" | ||||
|   ldapQuotaAttribute: "{{ nc_ldap_config_quota_attribute }}" | ||||
|   ldapQuotaDefault: "{{ nc_ldap_config_quota_default }}" | ||||
|   ldapEmailAttribute: "{{ nc_ldap_config_email_attribute }}" | ||||
|   ldapCacheTTL: "{{ nc_ldap_config_cache_ttl }}" | ||||
|   ldapConfigurationActive: "{{ nc_ldap_config_configuration_active }}" | ||||
|   ldapExperiencedAdmin: "{{ nc_ldap_config_experienced_admin }}" | ||||
|   homeFolderNamingRule: "{{ nc_ldap_config_home_folder_naming_rule }}" | ||||
|   useMemberOfToDetectMembership: "{{ nc_ldap_config_use_memberOf_to_detect_membership }}" | ||||
|   ldapExpertUsernameAttr: "{{ nc_ldap_config_expert_username_attr }}" | ||||
|   ldapExpertUUIDUserAttr: "{{ nc_ldap_config_expert_uuid_user_attr }}" | ||||
|   ldapExpertUUIDGroupAttr: "{{ nc_ldap_config_expert_uuid_group_attr }}" | ||||
|   ldapNestedGroups: "{{ nc_ldap_config_nested_groups }}" | ||||
|   ldapPagingSize: "{{ nc_ldap_config_paging_size }}" | ||||
|   turnOnPasswordChange: "{{ nc_ldap_config_turn_on_password_change }}" | ||||
|   ldapDynamicGroupMemberURL: "{{ nc_ldap_config_dynamic_group_member_url }}" | ||||
|   ldapDefaultPPolicyDN: "{{ nc_ldap_config_default_ppolicy_dn }}" | ||||
|  | ||||
| nc_ldap_config_changeset: {} | ||||
| @@ -1,8 +0,0 @@ | ||||
| # `finallycoffee.nextcloud.nextcloud` ansible role | ||||
|  | ||||
| This role can be used to deploy nextcloud in a docker container, | ||||
| regardless of wether the `apache` or `fpm` docker image is used. | ||||
|  | ||||
| It provides various common (optimization) configuration options | ||||
| and creates a user on the host which is mapped into the container, | ||||
| so the host file permissions remain comprehensible. | ||||
| @@ -1,14 +0,0 @@ | ||||
| opcache.enable=1 | ||||
| opcache.interned_strings_buffer=32 | ||||
| ; next prime in the set which is suitable for large installations | ||||
| ; default for this setting is 10000 which picks the prime 7963, | ||||
| ; but default installation of nextcloud has already ~9k php files | ||||
| ; see https://www.php.net/manual/en/opcache.configuration.php#ini.opcache.max-accelerated-files | ||||
| opcache.max_accelerated_files=32531 | ||||
| opcache.memory_consumption=256 | ||||
| ; deconstructor optimizations | ||||
| opcache.fast_shutdown=1 | ||||
| ;opcache.save_comments=1 | ||||
| ; not used if validate_timestamps=0 | ||||
| ;opcache.revalidate_freq=1 | ||||
| opcache.validate_timestamps=0 | ||||
| @@ -1,14 +0,0 @@ | ||||
| [www] | ||||
|  | ||||
| user = www-data | ||||
| group = www-data | ||||
|  | ||||
| listen = 127.0.0.1:9000 | ||||
|  | ||||
| pm = dynamic | ||||
| pm.max_children = 64 | ||||
| pm.start_servers = 32 | ||||
| pm.min_spare_servers = 24 | ||||
| pm.max_spare_servers = 48 | ||||
|  | ||||
| ;pm.max_requests=500 | ||||
							
								
								
									
									
										22
									
								
								roles/nginx_fpm_proxy/README.md
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,22 @@ | ||||
| # `finallycoffee.nextcloud.nginx-fpm-proxy` ansible role | ||||
|  | ||||
| Ansible role for serving nextcloud static content and connecting to dynamic content via PHP-FPM. | ||||
|  | ||||
| ## Prerequisites | ||||
|  | ||||
| A running nextcloud instance with FPM available either via IP+port or a unix socket. | ||||
|  | ||||
| ## Configuration | ||||
|  | ||||
| - Set `nextcloud_nginx_data_path` to the data directory of the nextcloud instance, | ||||
|   from where static content etc is served from. | ||||
|  | ||||
| - `nextcloud_nginx_storage_path` needs to be set to the storage path of the nextcloud | ||||
|   instance, where user data is stored. Usually this is `{{ nextcloud_nginx_data_path }}/data`. | ||||
|  | ||||
| - Set `nextcloud_nginx_fpm_socket_dir` to the directory containing the FPM socket, | ||||
|   called `nextcloud.sock` by default. This can be overridden in `nextcloud_nginx_fpm_socket_path`. | ||||
|  | ||||
| - If FPM is not used via a unix socket, set `nextcloud_nginx_fpm_server_ip` and | ||||
|   `nextcloud_nginx_fpm_server_port` accordingly. Note that the IP must be reachable | ||||
|   from inside the nginx container. | ||||
							
								
								
									
									
										23
									
								
								roles/nginx_fpm_proxy/defaults/main.yml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,23 @@ | ||||
| --- | ||||
|  | ||||
| nextcloud_nginx_version: "1.25.3" | ||||
| nextcloud_nginx_basepath: /opt/nextcloud-nginx | ||||
| nextcloud_nginx_config: "{{ nextcloud_nginx_basepath }}/nextcloud.conf" | ||||
| nextcloud_nginx_servernames: ~ | ||||
|  | ||||
| nextcloud_nginx_container_name: nextcloud_nginx | ||||
| nextcloud_nginx_container_image: "docker.io/library/nginx" | ||||
| nextcloud_nginx_container_image_flavor: "alpine" | ||||
| nextcloud_nginx_container_image_ref: "{{ nextcloud_nginx_container_image }}:{{ nextcloud_nginx_version }}{{ '-' + nextcloud_nginx_container_image_flavor if nextcloud_nginx_container_image_flavor else ''}}" | ||||
| nextcloud_nginx_container_image_force_pull: false | ||||
| nextcloud_nginx_container_extra_volumes: [] | ||||
| nextcloud_nginx_container_extra_labels: {} | ||||
| nextcloud_nginx_container_extra_env: {} | ||||
| nextcloud_nginx_container_restart_policy: unless-stopped | ||||
|  | ||||
| nextcloud_nginx_fpm_server_ip: ~ | ||||
| nextcloud_nginx_fpm_server_port: 9000 | ||||
| nextcloud_nginx_fpm_socket_dir: ~ | ||||
| nextcloud_nginx_fpm_socket_path: "{{ nextcloud_nginx_fpm_socket_dir }}/nextcloud.sock" | ||||
| nextcloud_nginx_data_path: ~ | ||||
| nextcloud_nginx_storage_path: ~ | ||||
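Review bot: `nextcloud_nginx_fpm_socket_path` is derived unconditionally from `nextcloud_nginx_fpm_socket_dir`, so with the default `~` it renders to the non-empty string `None/nextcloud.sock`, and the template's `{% if fpm_socket %}` never falls through to `nextcloud_nginx_fpm_server_ip`/`_port` unless the user also blanks the socket path; the role README describes IP+port mode as needing only those two variables. Guarding the default fixes it: `nextcloud_nginx_fpm_socket_path: "{{ nextcloud_nginx_fpm_socket_dir ~ '/nextcloud.sock' if nextcloud_nginx_fpm_socket_dir else '' }}"`.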
							
								
								
									
									
										8
									
								
								roles/nginx_fpm_proxy/handlers/main.yml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,8 @@ | ||||
| --- | ||||
|  | ||||
| - name: Restart nextcloud nginx fpm proxy container | ||||
|   listen: restart-nextcloud-nginx | ||||
|   docker_container: | ||||
|     name: "{{ nextcloud_nginx_container_name }}" | ||||
|     state: started | ||||
|     restart: yes | ||||
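Review bot: The new handler uses the short module name `docker_container:` and `restart: yes`, while the same commit moves the server role's handler to `community.docker.docker_container:` and `restart: true`; writing it as `community.docker.docker_container:` with `restart: true` keeps the collection consistent and names the dependency galaxy.yml actually declares instead of relying on ansible-core's short-name redirect.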
							
								
								
									
									
										37
									
								
								roles/nginx_fpm_proxy/tasks/main.yml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,37 @@ | ||||
| --- | ||||
|  | ||||
| - name: Create directory for nginx config | ||||
|   ansible.builtin.file: | ||||
|     path: "{{ nextcloud_nginx_basepath }}" | ||||
|     state: directory | ||||
|     mode: 0750 | ||||
|  | ||||
| - name: Template nginx reverse proxy config for nextcloud | ||||
|   ansible.builtin.template: | ||||
|     src: nextcloud-nginx.conf.j2 | ||||
|     dest: "{{ nextcloud_nginx_config }}" | ||||
|   vars: | ||||
|     fpm_server: "{{ nextcloud_nginx_fpm_server_ip }}" | ||||
|     fpm_server_port: "{{ nextcloud_nginx_fpm_server_port }}" | ||||
|     fpm_socket: "{{ nextcloud_nginx_fpm_socket_path }}" | ||||
|     domain: "{{ nextcloud_nginx_servernames }}" | ||||
|   notify: restart-nextcloud-nginx | ||||
|  | ||||
| - name: Ensure nginx docker image is pulled | ||||
|   community.general.docker_image: | ||||
|     name: "{{ nextcloud_nginx_container_image_ref }}" | ||||
|     state: present | ||||
|     source: pull | ||||
|     force_source: "{{ nextcloud_nginx_container_image_force_pull }}" | ||||
|  | ||||
| - name: Ensure nginx is running for FPM and static file serving | ||||
|   community.docker.docker_container: | ||||
|     env: "{{ nextcloud_nginx_container_env }}" | ||||
|     name: "{{ nextcloud_nginx_container_name }}" | ||||
|     image: "{{ nextcloud_nginx_container_image_ref }}" | ||||
|     ports: "{{ nextcloud_nginx_container_ports }}" | ||||
|     volumes: "{{ nextcloud_nginx_container_volumes }}" | ||||
|     labels: "{{ nextcloud_nginx_container_labels }}" | ||||
|     networks: "{{ nextcloud_nginx_container_networks | default(omit) }}" | ||||
|     restart_policy: "{{ nextcloud_nginx_container_restart_policy }}" | ||||
|     state: started | ||||
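Review bot: `Ensure nginx docker image is pulled` calls `community.general.docker_image`, but `docker_image` belongs to `community.docker` — the only dependency galaxy.yml declares — and, as far as I recall, was dropped from `community.general` in its 3.0.0 release, so this task resolves only on controllers that still have an old community.general; change it to `community.docker.docker_image:`. `mode: 0750` on the config directory is an unquoted octal that Ansible parses as an integer and warns about, so `mode: "0750"` is the safe spelling, and the template task sets no `mode`, leaving the rendered config to the remote umask. The container task also reads `nextcloud_nginx_container_env`, `_ports`, `_volumes` and `_labels`, none of which the defaults in this commit define (those define `_extra_*`); presumably a vars/main.yml not shown here derives them, otherwise the task fails at render time.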
							
								
								
									
									
										207
									
								
								roles/nginx_fpm_proxy/templates/nextcloud-nginx.conf.j2
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,207 @@ | ||||
| upstream php-handler { | ||||
| {% if fpm_socket %} | ||||
| {% if fpm_socket is not string %} | ||||
| {% for upstream in fpm_socket %} | ||||
|     server unix:{{ upstream }}; | ||||
| {% endfor %} | ||||
| {% else %} | ||||
|     server unix:{{ fpm_socket }}; | ||||
| {% endif %} | ||||
| {% else %} | ||||
|     server {{ fpm_server }}:{{ fpm_server_port }}; | ||||
| {% endif %} | ||||
| } | ||||
|  | ||||
| server { | ||||
|     listen 80; | ||||
|     listen [::]:80; | ||||
|     server_name {{ domain | join(' ') }}; | ||||
|  | ||||
|     # Path to the root of your installation | ||||
|     root /var/www/nextcloud; | ||||
|  | ||||
|     # Add headers to serve security related headers | ||||
|     # Before enabling Strict-Transport-Security headers please read into this | ||||
|     # topic first. | ||||
|     add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; | ||||
|  | ||||
|     # Prevent nginx HTTP Server Detection | ||||
|     server_tokens off; | ||||
|  | ||||
|     # set max upload size | ||||
|     client_max_body_size {{ nextcloud_php_upload_limit }}; | ||||
|     client_body_timeout 300s; | ||||
|     fastcgi_buffers 128 4K; | ||||
|  | ||||
|     # Enable gzip but do not remove ETag headers | ||||
|     gzip on; | ||||
|     gzip_vary on; | ||||
|     gzip_comp_level 4; | ||||
|     gzip_min_length 256; | ||||
|     gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; | ||||
|     gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; | ||||
|  | ||||
|     # Uncomment if your server is build with the ngx_pagespeed module | ||||
|     # This module is currently not supported. | ||||
|     #pagespeed off; | ||||
|  | ||||
|     # The settings allows you to optimize the HTTP2 bandwidth. | ||||
|     # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/ | ||||
|     # for tuning hints | ||||
|     client_body_buffer_size 512k; | ||||
|  | ||||
|     # HTTP response headers borrowed from Nextcloud `.htaccess` | ||||
|     add_header Referrer-Policy "no-referrer" always; | ||||
|     add_header X-Content-Type-Options "nosniff" always; | ||||
|     add_header X-Frame-Options "SAMEORIGIN" always; | ||||
|     add_header X-Permitted-Cross-Domain-Policies "none" always; | ||||
|     add_header X-Robots-Tag "noindex, nofollow" always; | ||||
|     add_header X-XSS-Protection "1; mode=block" always; | ||||
|  | ||||
|     # Remove X-Powered-By, which is an information leak | ||||
|     fastcgi_hide_header X-Powered-By; | ||||
|  | ||||
|     # Set .mjs and .wasm MIME types | ||||
|     # Either include it in the default mime.types list | ||||
|     # and include that list explicitly or add the file extension | ||||
|     # only for Nextcloud like below: | ||||
|     include mime.types; | ||||
|     types { | ||||
|         text/javascript js; | ||||
| 	application/javascript mjs; | ||||
| 	application/wasm wasm; | ||||
|     } | ||||
|  | ||||
|     # Specify how to handle directories -- specifying `/index.php$request_uri` | ||||
|     # here as the fallback means that Nginx always exhibits the desired behaviour | ||||
|     # when a client requests a path that corresponds to a directory that exists | ||||
|     # on the server. In particular, if that directory contains an index.php file, | ||||
|     # that file is correctly served; if it doesn't, then the request is passed to | ||||
|     # the front-end controller. This consistent behaviour means that we don't need | ||||
|     # to specify custom rules for certain paths (e.g. images and other assets, | ||||
|     # `/updater`, `/ocs-provider`), and thus | ||||
|     # `try_files $uri $uri/ /index.php$request_uri` | ||||
|     # always provides the desired behaviour. | ||||
|     index index.php index.html /index.php$request_uri; | ||||
|  | ||||
|     # Rule borrowed from `.htaccess` to handle Microsoft DAV clients | ||||
|     location = / { | ||||
|         if ( $http_user_agent ~ ^DavClnt ) { | ||||
|             return 302 /remote.php/webdav/$is_args$args; | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     location = /robots.txt { | ||||
|         allow all; | ||||
|         log_not_found off; | ||||
|         access_log off; | ||||
|     } | ||||
|  | ||||
|     # Make a regex exception for `/.well-known` so that clients can still | ||||
|     # access it despite the existence of the regex rule | ||||
|     # `location ~ /(\.|autotest|...)` which would otherwise handle requests | ||||
|     # for `/.well-known`. | ||||
|     location ^~ /.well-known { | ||||
|         # The rules in this block are an adaptation of the rules | ||||
|         # in `.htaccess` that concern `/.well-known`. | ||||
|  | ||||
|         location = /.well-known/carddav { return 301 https://$host/remote.php/dav; } | ||||
|         location = /.well-known/caldav  { return 301 https://$host/remote.php/dav; } | ||||
|  | ||||
|         location = /.well-known/webfinger  { return 301 https://$host/index.php/.well-known/webfinger; } | ||||
|         location = /.well-known/nodeinfo   { return 301 https://$host/index.php/.well-known/nodeinfo; } | ||||
|  | ||||
|         location /.well-known/acme-challenge    { try_files $uri $uri/ =404; } | ||||
|         location /.well-known/pki-validation    { try_files $uri $uri/ =404; } | ||||
|  | ||||
|         # Let Nextcloud's API for `/.well-known` URIs handle all other | ||||
|         # requests by passing them to the front-end controller. | ||||
|         return 301 /index.php$request_uri; | ||||
|     } | ||||
|  | ||||
|     # Rules borrowed from `.htaccess` to hide certain paths from clients | ||||
|     location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; } | ||||
|     location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; } | ||||
|  | ||||
|     # Ensure this block, which passes PHP files to the PHP process, is above the blocks | ||||
|     # which handle static assets (as seen below). If this block is not declared first, | ||||
|     # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php` | ||||
|     # to the URI, resulting in a HTTP 500 error response. | ||||
|     location ~ \.php(?:$|/) { | ||||
|         # Required for legacy support | ||||
|         rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri; | ||||
|  | ||||
|         fastcgi_split_path_info ^(.+?\.php)(/.*)$; | ||||
|         set $path_info $fastcgi_path_info; | ||||
|  | ||||
|         try_files $fastcgi_script_name =404; | ||||
|  | ||||
|         include fastcgi_params; | ||||
|         fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name; | ||||
|         fastcgi_param PATH_INFO $path_info; | ||||
|         fastcgi_param HTTPS on; | ||||
|  | ||||
|         fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice | ||||
|         fastcgi_param front_controller_active true;     # Enable pretty urls | ||||
|         fastcgi_pass php-handler; | ||||
|  | ||||
|         fastcgi_intercept_errors on; | ||||
|         fastcgi_request_buffering off; | ||||
|  | ||||
|         fastcgi_max_temp_file_size 0; | ||||
|     } | ||||
|  | ||||
|     # Adding the cache control header for js, css and map files | ||||
|     # Make sure it is BELOW the PHP block | ||||
|     location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ { | ||||
|         expires 1d; | ||||
|         # How `sendfile`, `tcp_nopush` and `tcp_nodelay` interact | ||||
|         # https://thoughts.t37.net/nginx-optimization-understanding-sendfile-tcp-nodelay-and-tcp-nopush-c55cdd276765?gi=f11af534b564 | ||||
|         sendfile on; # use `sendfile` syscall, which is a DMA (zero-copy) call | ||||
|         tcp_nopush on; # wait until the file is fully "read" | ||||
|         tcp_nodelay on; # always immediately flush, never wait for a full packet worth of data (default wait interval = 200ms) | ||||
|         aio on; #async IO for files | ||||
|         open_file_cache max=10000; # cache metadata for up to 10000 files | ||||
|         open_file_cache_valid 3600s; # previous cache is valid for 1h | ||||
|         open_file_cache_errors off; # except if there was an error, that is not cached | ||||
|         try_files $uri /index.php$request_uri; | ||||
|         add_header Cache-Control "public, max-age=15778463"; | ||||
|         # Add headers to serve security related headers (It is intended to | ||||
|         # have those duplicated to the ones above) | ||||
|         # Before enabling Strict-Transport-Security headers please read into | ||||
|         # this topic first. | ||||
|         #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; | ||||
|         # | ||||
|         # WARNING: Only add the preload option once you read about | ||||
|         # the consequences in https://hstspreload.org/. This option | ||||
|         # will add the domain to a hardcoded list that is shipped | ||||
|         # in all major browsers and getting removed from this list | ||||
|         # could take several months. | ||||
|         add_header Referrer-Policy "no-referrer" always; | ||||
|         add_header X-Content-Type-Options "nosniff" always; | ||||
|         add_header X-Download-Options "noopen" always; | ||||
|         add_header X-Frame-Options "SAMEORIGIN" always; | ||||
|         add_header X-Permitted-Cross-Domain-Policies "none" always; | ||||
|         add_header X-Robots-Tag "none" always; | ||||
|         add_header X-XSS-Protection "1; mode=block" always; | ||||
|  | ||||
|         # Optional: Don't log access to assets | ||||
|         access_log off; | ||||
|     } | ||||
|  | ||||
|  | ||||
|     location ~ \.woff2?$ { | ||||
|         try_files $uri /index.php$request_uri; | ||||
|         expires 7d;         # Cache-Control policy borrowed from `.htaccess` | ||||
|         access_log off;     # Optional: Don't log access to assets | ||||
|     } | ||||
|  | ||||
|     # Rule borrowed from `.htaccess` | ||||
|     location /remote { | ||||
|         return 301 /remote.php$request_uri; | ||||
|     } | ||||
|  | ||||
|     location / { | ||||
|         try_files $uri $uri/ /index.php$request_uri; | ||||
|     } | ||||
| } | ||||
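Review bot: `fastcgi_param HTTPS on;` in the PHP location and the server-level `Strict-Transport-Security` header with `preload` are unconditional on a vhost that only listens on port 80, so the template silently assumes a TLS-terminating proxy in front of the container; without one, Nextcloud will issue secure cookies and https links that the browser cannot use. I would state that assumption at the top of the file, e.g. `# This vhost listens on plain HTTP and expects a TLS-terminating reverse proxy in front of it; HTTPS is reported to PHP unconditionally.`, and since the static-asset block below says `preload` should only be added deliberately, consider making it a role variable or dropping it from the server-level header. A one-line comment that `root /var/www/nextcloud` is the mount in the nginx container while `SCRIPT_FILENAME /var/www/html...` is the path inside the FPM container would also help, as a reader will otherwise take the mismatch for a typo.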
							
								
								
									
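--- a/roles/nginx_fpm_proxy/vars/main.yml
+++ b/roles/nginx_fpm_proxy/vars/main.yml
@@ -0,0 +1,18 @@
+---
+
+nextcloud_nginx_container_volumes_base: >-2
+  {{
+    [
+      nextcloud_nginx_config + ':/etc/nginx/conf.d/nextcloud.conf:ro',
+      nextcloud_nginx_data_path + ':/var/www/nextcloud:ro',
+      nextcloud_nginx_storage_path + ':/var/www/nextcloud/data:rw'
+    ]
+    + ([nextcloud_nginx_fpm_socket_dir + ':' + nextcloud_nginx_fpm_socket_dir + ':rw'] if nextcloud_nginx_fpm_socket_dir else [])
+  }}
+nextcloud_nginx_container_labels_base:
+  version: "{{ nextcloud_nginx_version }}"
+nextcloud_nginx_container_env_base: {}
+
+nextcloud_nginx_container_volumes: "{{ nextcloud_nginx_container_volumes_base + nextcloud_nginx_container_extra_volumes }}"
+nextcloud_nginx_container_labels: "{{ nextcloud_nginx_container_labels_base | combine(nextcloud_nginx_container_extra_labels) }}"
+nextcloud_nginx_container_env: "{{ nextcloud_nginx_container_env_base | combine(nextcloud_nginx_container_extra_env) }}"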
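Review bot: `nextcloud_nginx_storage_path` is mounted into the nginx container read-write at `/var/www/nextcloud/data`, although the nginx template in this compare answers every `/data` request with 404 and nginx never writes there; a compromised or misconfigured nginx would still have write access to all user files. Mount it `:ro` like the two volumes above it, e.g. `nextcloud_nginx_storage_path + ':/var/www/nextcloud/data:ro'`, or drop the mount entirely if nothing in the role needs it (I cannot see a consumer of it in this compare).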
							
								
								
									
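--- a/roles/server/README.md
+++ b/roles/server/README.md
@@ -0,0 +1,21 @@
+# `finallycoffee.nextcloud.nextcloud` ansible role
+
+This role can be used to deploy nextcloud in a docker container,
+regardless of wether the `apache` or `fpm` docker image is used.
+
+It provides various common (optimization) configuration options
+and creates a user on the host which is mapped into the container,
+so the host file permissions remain comprehensible.
+
+## Configuration
+
+- `nextcloud_socket_path`: Setting this (to, for example, `{{ nextcloud_basepath }}/socket`),
+  will make FPM listen on `{{ nextcloud_socket_path }}/nextcloud.sock` on the host, enabling
+  you to use FPM to interface with nextcloud.
+
+### Redis over UNIX-Socket
+
+Set `REDIS_HOST` to a path in the container where the socket is mapped using
+`nextcloud_container_extra_environment`. Also set `REDIS_HOST_PORT` to 0
+explicitely, as `redis.config.php` will set it to `null` otherwise, resulting
+in an exception. Set your redis password in `REDIS_HOST_PASSWORD`.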
| @@ -1,6 +1,6 @@ | ||||
| --- | ||||
| 
 | ||||
| nextcloud_version: 22.2.0 | ||||
| nextcloud_version: 28.0.8 | ||||
| nextcloud_user: nextcloud | ||||
| nextcloud_basepath: /opt/nextcloud | ||||
| nextcloud_config_path: "{{ nextcloud_basepath }}/config" | ||||
| @@ -9,6 +9,9 @@ nextcloud_data_path: "{{ nextcloud_basepath }}/data" | ||||
| # Where user data like media, documents etc are persisted | ||||
| nextcloud_storage_path: "{{ nextcloud_basepath }}/storage" | ||||
| nextcloud_fpm_config_path: "{{ nextcloud_basepath }}/fpm-config" | ||||
| #nextcloud_socket_path: "{{ nextcloud_basepath }}/socket" | ||||
| 
 | ||||
| nextcloud_background_job_mode: cron | ||||
| 
 | ||||
| nextcloud_database_type: sqlite | ||||
| nextcloud_database_name: nextcloud | ||||
| @@ -30,6 +33,7 @@ nextcloud_container_base_volumes: | ||||
|   - "{{ nextcloud_data_path }}:/var/www/html:z" | ||||
|   - "{{ nextcloud_fpm_config_path }}/opcache.ini:/usr/local/etc/php/conf.d/opcache-recommended.ini:z" | ||||
|   - "{{ nextcloud_fpm_config_path }}/fpm.ini:/usr/local/etc/php-fpm.d/www.conf:z" | ||||
|   - "{{ nextcloud_fpm_config_path }}/fpm-docker.ini:/usr/local/etc/php-fpm.d/zz-docker.conf:z" | ||||
|   - "{{ nextcloud_basepath }}/nextcloud-passwd:/etc/passwd:z" | ||||
|   - "{{ nextcloud_basepath }}/nextcloud-group:/etc/group:z" | ||||
| nextcloud_container_extra_volumes: [] | ||||
| @@ -42,17 +46,36 @@ nextcloud_container_purge_other_networks: true | ||||
| nextcloud_paths: | ||||
|   - path: "{{ nextcloud_config_path }}" | ||||
|     mode: "0755" | ||||
|     owner: "{{ nextcloud_user_info.uid|default(nextcloud_user) }}" | ||||
|     group: "root" | ||||
|     owner: "{{ nextcloud_user_info.uid | default(nextcloud_user) }}" | ||||
|     group: root | ||||
|   - path: "{{ nextcloud_data_path }}" | ||||
|     mode: "0755" | ||||
|     owner: "{{ nextcloud_user_info.uid|default(nextcloud_user) }}" | ||||
|     group: "{{ nextcloud_user_info.uid|default(nextcloud_user) }}" | ||||
|     owner: "{{ nextcloud_user_info.uid | default(nextcloud_user) }}" | ||||
|     group: "{{ nextcloud_user_info.group | default(nextcloud_user) }}" | ||||
|   - path: "{{ nextcloud_fpm_config_path }}" | ||||
|     mode: "0750" | ||||
|     owner: root | ||||
|     group: root | ||||
|   - path: "{{ nextcloud_storage_path }}" | ||||
|     mode: "0770" | ||||
|     owner: "{{ nextcloud_user_info.uid|default(nextcloud_user) }}" | ||||
|     owner: "{{ nextcloud_user_info.uid | default(nextcloud_user) }}" | ||||
|     group: "root" | ||||
| 
 | ||||
| # PHP OpCache tuning | ||||
| nextcloud_opcache_enable: 1 | ||||
| nextcloud_opcache_interned_strings_buffer_mb: 32 | ||||
| nextcloud_opcache_max_accelerated_files: 32531 | ||||
| nextcloud_opcache_memory_consumption_mb: 256 | ||||
| nextcloud_opcache_fast_shutdown: 1 | ||||
| nextcloud_opcache_save_comments: 1 | ||||
| nextcloud_opcache_revalidate_freq: 1 | ||||
| nextcloud_opcache_validate_timestamps: 0 | ||||
| 
 | ||||
| # FPM config | ||||
| nextcloud_fpm_max_children: 64 | ||||
| nextcloud_fpm_start_servers: "{{ nextcloud_fpm_max_children / 2 | int }}" | ||||
| nextcloud_fpm_min_spare_servers: "{{ nextcloud_fpm_max_children / 4 | int }}" | ||||
| nextcloud_fpm_max_spare_servers: "{{ nextcloud_fpm_max_children * 3/4 | int }}" | ||||
| 
 | ||||
| nextcloud_php_memory_limit: 1024M | ||||
| nextcloud_php_upload_limit: 1024M | ||||
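Review bot: The three derived FPM pool sizes in the last hunk apply `| int` to the literal divisor rather than to the quotient, because a Jinja2 filter binds tighter than `/`; `nextcloud_fpm_max_children / 2 | int` is `64 / (2|int)` and renders as `32.0`, which php-fpm is likely to reject for an integer directive such as `pm.start_servers`. Parenthesise the arithmetic: `nextcloud_fpm_start_servers: "{{ (nextcloud_fpm_max_children / 2) | int }}"`, `nextcloud_fpm_min_spare_servers: "{{ (nextcloud_fpm_max_children / 4) | int }}"` and `nextcloud_fpm_max_spare_servers: "{{ (nextcloud_fpm_max_children * 3 / 4) | int }}"`. The file header for this section did not survive rendering, so I am inferring from the content that these hunks belong to the server role's defaults.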
							
								
								
									
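--- a/roles/server/tasks/configure-single-setting.yml
+++ b/roles/server/tasks/configure-single-setting.yml
@@ -0,0 +1,41 @@
+---
+
+- name: Ensure {{ key }} is set to {{ '***' if ['pass', 'secret', 'key']|select('in', key) else value }}
+  block:
+    - name: Check value of {{ key }}
+      community.docker.docker_container_exec:
+        container: "{{ nextcloud_container_name }}"
+        command: "{{ nextcloud_occ_command }} config:{{ type }}:get {{ scope }} {{ entry }}"
+        user: "{{ nextcloud_user_info.uid }}"
+        tty: yes
+      register: nextcloud_current_config_entry
+      check_mode: false
+      changed_when: false
+
+    - name: Set {{ key }} to {{ '***' if (['pass', 'secret', 'key']|select('in', key)) else value }}
+      community.docker.docker_container_exec:
+        container: "{{ nextcloud_container_name }}"
+        command: "{{ nextcloud_occ_command }} config:{{ type }}:set {{ scope }} {{ entry }} --type={{ value_type }} --value={{ value }} -n"
+        user: "{{ nextcloud_user_info.uid }}"
+        tty: yes
+      when: nextcloud_current_config_entry.stdout != value
+      notify: restart-nextcloud
+  vars:
+    entry_path: "{{ key.split('.') }}"
+    value_type: >-
+      {% if value is boolean %}
+      boolean
+      {% elsif value is integer %}
+      integer
+      {% elsif value is float %}
+      float
+      {% else %}
+      string
+      {% endif %}
+    type: "{{ entry_path | first }}"
+    scope: "{{ entry_path[1] if entry_path | length > 2 else '' }}"
+    entry: >-
+      {{
+         entry_path[1] if entry_path|length == 2 else
+         (entry_path[2:] | join(" "))
+      }}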
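Review bot: `{% elsif ... %}` in the `value_type` template is not a Jinja2 tag (the keyword is `elif`), so rendering this variable fails with a template syntax error on the first non-boolean value; both occurrences need to become `{% elif value is integer %}` and `{% elif value is float %}`. The masking in the task names also never actually inspects the key, because `select('in', key)` without `| list` is a generator object and therefore always truthy, and the `Set` task has no `no_log`, so `--value=<db password>` still lands in the play output and log for `system.dbpassword`; add `no_log: "{{ ['pass', 'secret', 'key'] | select('in', key) | list | length > 0 }}"` on that task and reuse the same expression for the names. Finally, `--value={{ value }}` is passed unquoted on a command line that is split into arguments, so a value containing spaces or shell-like characters is mangled; `--value={{ value | quote }}` is the conservative form.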
| @@ -1,14 +1,27 @@ | ||||
| --- | ||||
| 
 | ||||
| - name: Create nextcloud user | ||||
|   user: | ||||
|   ansible.builtin.user: | ||||
|     name: "{{ nextcloud_user }}" | ||||
|     state: present | ||||
|     system: yes | ||||
|   register: nextcloud_user_info | ||||
| 
 | ||||
| - name: Map nextcloud socket path if defined | ||||
|   ansible.builtin.set_fact: | ||||
|     nextcloud_paths: "{{ nextcloud_paths + [ socket_dir ] }}" | ||||
|     nextcloud_container_base_volumes: "{{ nextcloud_container_base_volumes + [ socket_map ] }}" | ||||
|   vars: | ||||
|     socket_dir: | ||||
|       path: "{{ nextcloud_socket_path }}" | ||||
|       mode: "0755" | ||||
|       owner: "{{ nextcloud_user_info.uid|default(nextcloud_user) }}" | ||||
|       group: "{{ nextcloud_user_info.uid|default(nextcloud_user) }}" | ||||
|     socket_map: "{{ nextcloud_socket_path }}:{{ nextcloud_container_php_socket_path }}:z" | ||||
|   when: nextcloud_socket_path is defined and nextcloud_socket_path is string | ||||
| 
 | ||||
| - name: Ensure nextcloud directories exist and have correct permissions | ||||
|   file: | ||||
|   ansible.builtin.file: | ||||
|     path: "{{ item.path }}" | ||||
|     state: directory | ||||
|     mode: "{{ item.mode }}" | ||||
| @@ -17,14 +30,14 @@ | ||||
|   loop: "{{ nextcloud_paths }}" | ||||
| 
 | ||||
| - name: Ensure docker container for nextcloud is pulled | ||||
|   docker_image: | ||||
|   community.docker.docker_image: | ||||
|     name: "{{ nextcloud_container_image_ref }}" | ||||
|     state: present | ||||
|     source: pull | ||||
|     force_source: "{{ nextcloud_container_image_force_source }}" | ||||
| 
 | ||||
| - name: Template OpCache configuration | ||||
|   template: | ||||
|   ansible.builtin.template: | ||||
|     src: nextcloud-fpm-opcache.ini.j2 | ||||
|     dest: "{{ nextcloud_fpm_config_path }}/opcache.ini" | ||||
|     mode: "0640" | ||||
| @@ -34,7 +47,7 @@ | ||||
|     - reload-nextcloud | ||||
| 
 | ||||
| - name: Template PHP FPM configuration | ||||
|   template: | ||||
|   ansible.builtin.template: | ||||
|     src: nextcloud-fpm.ini.j2 | ||||
|     dest: "{{ nextcloud_fpm_config_path }}/fpm.ini" | ||||
|     mode: "0640" | ||||
| @@ -43,8 +56,18 @@ | ||||
|   notify: | ||||
|     - reload-nextcloud | ||||
| 
 | ||||
| - name: Template PHP FPM docker-specific configuration | ||||
|   ansible.builtin.template: | ||||
|     src: nextcloud-fpm-docker.ini.j2 | ||||
|     dest: "{{ nextcloud_fpm_config_path }}/fpm-docker.ini" | ||||
|     mode: "0640" | ||||
|     owner: "root" | ||||
|     group: "root" | ||||
|   notify: | ||||
|     - reload-nextcloud | ||||
| 
 | ||||
| - name: Template modified /etc/passwd for nextcloud container | ||||
|   template: | ||||
|   ansible.builtin.template: | ||||
|     src: nextcloud-passwd.j2 | ||||
|     dest: "{{ nextcloud_basepath }}/nextcloud-passwd" | ||||
|     mode: "0640" | ||||
| @@ -54,7 +77,7 @@ | ||||
|     - reload-nextcloud | ||||
| 
 | ||||
| - name: Template modified /etc/passwd for nextcloud container | ||||
|   template: | ||||
|   ansible.builtin.template: | ||||
|     src: nextcloud-group.j2 | ||||
|     dest: "{{ nextcloud_basepath }}/nextcloud-group" | ||||
|     mode: "0640" | ||||
| @@ -64,40 +87,32 @@ | ||||
|     - reload-nextcloud | ||||
| 
 | ||||
| - name: Template systemd service for nextcloud's cron job | ||||
|   template: | ||||
|   ansible.builtin.template: | ||||
|     src: systemd-nextcloud-cron.service.j2 | ||||
|     dest: /etc/systemd/system/nextcloud-cron.service | ||||
|     mode: "0640" | ||||
|     owner: root | ||||
|     group: root | ||||
|   when: nextcloud_background_job_mode == 'cron' | ||||
|   notify: | ||||
|     - reload-systemd | ||||
| 
 | ||||
| - name: Template timer for nextcloud's cron job | ||||
|   template: | ||||
|   ansible.builtin.template: | ||||
|     src: systemd-nextcloud-cron.timer.j2 | ||||
|     dest: /etc/systemd/system/nextcloud-cron.timer | ||||
|     mode: "0640" | ||||
|     owner: root | ||||
|     group: root | ||||
|   when: nextcloud_background_job_mode == 'cron' | ||||
|   notify: | ||||
|     - reload-systemd | ||||
| 
 | ||||
| - meta: flush_handlers | ||||
| 
 | ||||
| - name: Enable systemd timer for nextcloud cron | ||||
|   systemd: | ||||
|     name: "nextcloud-cron.timer" | ||||
|     enabled: yes | ||||
| 
 | ||||
| - name: Ensure systemd timer for nextcloud cron is started | ||||
|   systemd: | ||||
|     name: "nextcloud-cron.timer" | ||||
|     state: started | ||||
| 
 | ||||
| - name: Flush handlers now to ensure systemd can know about the timer before it's enabled | ||||
|   ansible.builtin.meta: flush_handlers | ||||
| 
 | ||||
| - name: Ensure docker container for nextcloud is running | ||||
|   docker_container: | ||||
|   community.docker.docker_container: | ||||
|     name: "{{ nextcloud_container_name }}" | ||||
|     image: "{{ nextcloud_container_image_ref }}" | ||||
|     volumes: "{{ nextcloud_container_volumes }}" | ||||
| @@ -107,3 +122,23 @@ | ||||
|     purge_networks: "{{ nextcloud_container_purge_other_networks }}" | ||||
|     restart_policy: "{{ nextcloud_container_restart_policy }}" | ||||
|     state: started | ||||
| 
 | ||||
| - name: Enable systemd timer for nextcloud cron | ||||
|   ansible.builtin.systemd: | ||||
|     name: "nextcloud-cron.timer" | ||||
|     enabled: yes | ||||
|   when: nextcloud_background_job_mode == 'cron' | ||||
| 
 | ||||
| - name: Ensure systemd timer for nextcloud cron is started | ||||
|   ansible.builtin.systemd: | ||||
|     name: "nextcloud-cron.timer" | ||||
|     state: started | ||||
|   when: nextcloud_background_job_mode == 'cron' | ||||
| 
 | ||||
| - name: Configure nextcloud | ||||
|   ansible.builtin.include_tasks: | ||||
|     file: configure-single-setting.yml | ||||
|   vars: | ||||
|     key: "{{ item.key | replace('[', '.') | replace(']', '.') }}" | ||||
|     value: "{{ item.value }}" | ||||
|   loop: "{{ lookup('ansible.utils.to_paths', nextcloud_config ) | dict2items }}" | ||||
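Review bot: The `socket_dir` entry added in the first hunk uses `nextcloud_user_info.uid` for `group`, while the defaults changed in this same compare moved to `nextcloud_user_info.group`; a group named by a uid only works when the gid happens to equal the uid, so use `group: "{{ nextcloud_user_info.group | default(nextcloud_user) }}"` here as well. The directory is also created `0755`, and the FPM template in this compare sets `listen.mode = 0666` on the socket inside it, so any local account on the host (and any container that mounts the directory) can open FastCGI connections to PHP-FPM and run PHP as www-data. Consider `mode: "0750"` with a group shared by the nginx container's user, or restricting the pool with `listen.acl_users`/`listen.acl_groups` instead of a world-writable socket. The file header for this section did not survive rendering; from the content these hunks look like the server role's tasks/main.yml.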
							
								
								
									
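--- a/roles/server/templates/nextcloud-fpm-docker.ini.j2
+++ b/roles/server/templates/nextcloud-fpm-docker.ini.j2
@@ -0,0 +1,2 @@
+[global]
+daemonize = no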
							
								
								
									
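--- a/roles/server/templates/nextcloud-fpm-opcache.ini.j2
+++ b/roles/server/templates/nextcloud-fpm-opcache.ini.j2
@@ -0,0 +1,14 @@
+opcache.enable={{ nextcloud_opcache_enable }}
+opcache.interned_strings_buffer={{ nextcloud_opcache_interned_strings_buffer_mb }}
+; next prime in the set which is suitable for large installations
+; default for this setting is 10000 which picks the prime 7963,
+; but default installation of nextcloud has already ~9k php files
+; see https://www.php.net/manual/en/opcache.configuration.php#ini.opcache.max-accelerated-files
+opcache.max_accelerated_files={{ nextcloud_opcache_max_accelerated_files }}
+opcache.memory_consumption={{ nextcloud_opcache_memory_consumption_mb }}
+; deconstructor optimizations
+opcache.fast_shutdown={{ nextcloud_opcache_fast_shutdown }}
+opcache.save_comments={{ nextcloud_opcache_save_comments }}
+; not used if validate_timestamps=0
+opcache.revalidate_freq={{ nextcloud_opcache_revalidate_freq }}
+opcache.validate_timestamps={{ nextcloud_opcache_validate_timestamps }}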
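Review bot: `opcache.fast_shutdown` was, as far as I know, removed in PHP 7.2, and the Nextcloud release this compare pins (28.0.8) requires a much newer PHP, so the `nextcloud_opcache_fast_shutdown` tunable rendered here is a no-op; either drop the line and its default or mark it `; legacy, ignored on PHP >= 7.2`. The comment above it, `; deconstructor optimizations`, presumably means `; destructor optimizations`.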
							
								
								
									
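--- a/roles/server/templates/nextcloud-fpm.ini.j2
+++ b/roles/server/templates/nextcloud-fpm.ini.j2
@@ -0,0 +1,21 @@
+[www]
+
+user = www-data
+group = www-data
+
+{% if nextcloud_socket_path is defined and nextcloud_socket_path is string %}
+listen = {{ nextcloud_container_php_socket_path }}/{{ nextcloud_container_name }}.sock
+listen.owner = www-data
+listen.group = www-data
+listen.mode = 0666
+{% else %}
+;listen = 0.0.0.0:9000
+{% endif %}
+
+pm = dynamic
+pm.max_children = {{ nextcloud_fpm_max_children }}
+pm.start_servers = {{ nextcloud_fpm_start_servers }}
+pm.min_spare_servers = {{ nextcloud_fpm_min_spare_servers }}
+pm.max_spare_servers = {{ nextcloud_fpm_max_spare_servers }}
+
+;pm.max_requests=500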
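Review bot: The socket is named `{{ nextcloud_container_name }}.sock`, but the README added in this compare tells users FPM listens on `{{ nextcloud_socket_path }}/nextcloud.sock`; the two only agree when the container happens to be called `nextcloud`, so either the README should name the real file or the template should use a fixed name. A short comment above the `listen` line stating which host path the socket directory maps to, e.g. `; {{ nextcloud_container_php_socket_path }} is the in-container mount of nextcloud_socket_path on the host`, would spare the next reader the cross-reference. The `listen.mode = 0666` exposure is raised on the tasks section of this compare.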
| @@ -22,3 +22,27 @@ nextcloud_container_base_environment_yaml: |+2 | ||||
|   {% elif nextcloud_database_type == 'sqlite' %} | ||||
|   SQLITE_DATABASE: "{{ nextcloud_database_name }}" | ||||
|   {% endif %} | ||||
|   PHP_MEMORY_LIMIT: "{{ nextcloud_php_memory_limit }}" | ||||
|   PHP_UPLOAD_LIMIT: "{{ nextcloud_php_upload_limit }}" | ||||
| 
 | ||||
| nextcloud_config: "{{ nextcloud_base_config | from_yaml | combine(nextcloud_extra_config|default({}), recursive=True, list_merge='append') }}" | ||||
| nextcloud_base_config: |+2 | ||||
|   {% if nextcloud_database_type != 'sqlite' %} | ||||
|   system: | ||||
|     dbhost: "{{ nextcloud_database_host }}" | ||||
|     dbuser: "{{ nextcloud_database_user }}" | ||||
|     dbpassword: "{{ nextcloud_database_pass }}" | ||||
|     dbname: "{{ nextcloud_database_name }}" | ||||
|     dbtype: "{{ nextcloud_database_types[nextcloud_database_type] }}" | ||||
|   {% endif %} | ||||
|   app: | ||||
|     core: | ||||
|       backgroundjobs_mode: "{{ nextcloud_background_job_mode }}" | ||||
| 
 | ||||
| nextcloud_occ_command: "php occ" | ||||
| nextcloud_container_php_socket_path: /var/run/php | ||||
| nextcloud_database_types: | ||||
|   postgres: pgsql | ||||
|   mysql: mysql | ||||
|   mariadb: mysql | ||||
|   sqlite: sqlite3 | ||||
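Review bot: `nextcloud_base_config` interpolates `nextcloud_database_pass` (and the other database values) into a YAML text that is then parsed with `from_yaml`, so a password containing a double quote or a backslash either breaks the parse or changes the value before it reaches `occ`. Rendering the secret with `to_json` yields a valid double-quoted YAML scalar for any content, e.g. `dbpassword: {{ nextcloud_database_pass | to_json }}`, or the dict can be built natively without the text round-trip. The file header for this section did not survive rendering; from the content it appears to be the server role's vars/main.yml.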