add deidcated user for nextcloud andd php pool

This commit is contained in:
vincent 2021-02-25 23:05:26 +01:00
parent d5ff42ef54
commit 4a1eddcae3
4 changed files with 48 additions and 19 deletions


@ -14,7 +14,8 @@ nextcloud_data_directory_creation: true
nextcloud_web_root: /usr/share/webapps/nextcloud nextcloud_web_root: /usr/share/webapps/nextcloud
nextcloud_trusted_domains: nextcloud_trusted_domains:
- localhost - localhost
nextcloud_user: nextcloud
nextcloud_group: nextcloud
nextcloud_config_options: # additional options to set in config.php nextcloud_config_options: # additional options to set in config.php
@ -32,4 +33,4 @@ nextcloud_config_options: # additional options to set in config.php
nextcloud_fail2ban_jail_maxretry: 10 nextcloud_fail2ban_jail_maxretry: 10
nextcloud_fail2ban_jail_findtime: 3600 nextcloud_fail2ban_jail_findtime: 3600
nextcloud_fail2ban_jail_bantime: 900 nextcloud_fail2ban_jail_bantime: 900
nextcloud_fail2ban_jail_action: iptables-allports nextcloud_fail2ban_jail_action: iptables-allports


@ -8,4 +8,4 @@ Target = nextcloud-app-*
[Action] [Action]
Description = Update Nextcloud installation Description = Update Nextcloud installation
When = PostTransaction When = PostTransaction
Exec = /usr/bin/runuser -u http -- /usr/bin/php /usr/share/webapps/nextcloud/occ upgrade Exec = /usr/bin/runuser -u nextcloud -- /usr/bin/php /usr/share/webapps/nextcloud/occ upgrade


@ -23,27 +23,29 @@
state: present # required. Whether to install (C(present)), or remove (C(absent)) a package. Other states depend on the underlying package module, i.e C(latest). state: present # required. Whether to install (C(present)), or remove (C(absent)) a package. Other states depend on the underlying package module, i.e C(latest).
name: nextcloud # required. Package name, or package specifier with version, like C(name-1.0).,Be aware that packages are not always named the same and this module will not 'translate' them per distro. name: nextcloud # required. Package name, or package specifier with version, like C(name-1.0).,Be aware that packages are not always named the same and this module will not 'translate' them per distro.
become: true become: true
- name: change owner on nextcloud web directory - name: ensure nextcloud user exist
become: true become: true
file: user:
state: directory name: "{{nextcloud_user}}"
path: "{{ nextcloud_web_root}}"
owner: http - name: ensure nextcloud group exist
recurse: yes become: true
group:
name: "{{nextcloud_group}}"
- name: création du répertoire data - name: création du répertoire data
become: true become: true
file: file:
path: "{{ nextcloud_datadirectory }}" path: "{{ nextcloud_datadirectory }}"
group: http # not required. Name of the group that should own the file/directory, as would be fed to I(chown). group: "{{nextcloud_group}}" # not required. Name of the group that should own the file/directory, as would be fed to I(chown).
state: directory # not required. choices: absent;directory;file;hard;link;touch. If C(directory), all intermediate subdirectories will be created if they do not exist. Since Ansible 1.7 they will be created with the supplied permissions. If C(file), the file will NOT be created if it does not exist; see the C(touch) value or the M(copy) or M(template) module if you want that behavior. If C(link), the symbolic link will be created or changed. Use C(hard) for hardlinks. If C(absent), directories will be recursively deleted, and files or symlinks will be unlinked. Note that C(absent) will not cause C(file) to fail if the C(path) does not exist as the state did not change. If C(touch) (new in 1.4), an empty file will be created if the C(path) does not exist, while an existing file or directory will receive updated file access and modification times (similar to the way `touch` works from the command line). state: directory # not required. choices: absent;directory;file;hard;link;touch. If C(directory), all intermediate subdirectories will be created if they do not exist. Since Ansible 1.7 they will be created with the supplied permissions. If C(file), the file will NOT be created if it does not exist; see the C(touch) value or the M(copy) or M(template) module if you want that behavior. If C(link), the symbolic link will be created or changed. Use C(hard) for hardlinks. If C(absent), directories will be recursively deleted, and files or symlinks will be unlinked. Note that C(absent) will not cause C(file) to fail if the C(path) does not exist as the state did not change. If C(touch) (new in 1.4), an empty file will be created if the C(path) does not exist, while an existing file or directory will receive updated file access and modification times (similar to the way `touch` works from the command line).
owner: http # not required. Name of the user that should own the file/directory, as would be fed to I(chown). owner: "{{nextcloud_group}}" # got required. Name of the user that should own the file/directory, as would be fed to I(chown).
when: nextcloud_data_directory_creation == true when: nextcloud_data_directory_creation == true
- name: création du fichier .ocdata in data - name: création du fichier .ocdata in data
become: true become: true
become_user: http become_user: "{{nextcloud_user}}"
file: file:
path: "{{ nextcloud_datadirectory }}/.ocdata" path: "{{ nextcloud_datadirectory }}/.ocdata"
state: touch # not required. choices: absent;directory;file;hard;link;touch. If C(directory), all intermediate subdirectories will be created if they do not exist. Since Ansible 1.7 they will be created with the supplied permissions. If C(file), the file will NOT be created if it does not exist; see the C(touch) value or the M(copy) or M(template) module if you want that behavior. If C(link), the symbolic link will be created or changed. Use C(hard) for hardlinks. If C(absent), directories will be recursively deleted, and files or symlinks will be unlinked. Note that C(absent) will not cause C(file) to fail if the C(path) does not exist as the state did not change. If C(touch) (new in 1.4), an empty file will be created if the C(path) does not exist, while an existing file or directory will receive updated file access and modification times (similar to the way `touch` works from the command line). state: touch # not required. choices: absent;directory;file;hard;link;touch. If C(directory), all intermediate subdirectories will be created if they do not exist. Since Ansible 1.7 they will be created with the supplied permissions. If C(file), the file will NOT be created if it does not exist; see the C(touch) value or the M(copy) or M(template) module if you want that behavior. If C(link), the symbolic link will be created or changed. Use C(hard) for hardlinks. If C(absent), directories will be recursively deleted, and files or symlinks will be unlinked. Note that C(absent) will not cause C(file) to fail if the C(path) does not exist as the state did not change. If C(touch) (new in 1.4), an empty file will be created if the C(path) does not exist, while an existing file or directory will receive updated file access and modification times (similar to the way `touch` works from the command line).
@ -66,15 +68,25 @@
- name: installation - ensure nextcloud config - name: installation - ensure nextcloud config
command: > command: >
php7 {{ nextcloud_web_root }}/occ maintenance:install --database "{{ 'pgsql' if nextcloud_DB_type == 'postgres' else nextcloud_DB_type }}" --database-name "{{ nextcloud_db_name}}" php "{{ nextcloud_web_root }}"/occ maintenance:install --database "{{ 'pgsql' if nextcloud_DB_type == 'postgres' else nextcloud_DB_type }}" --database-name "{{ nextcloud_db_name}}"
--database-user "{{ nextcloud_db_user }}" --database-pass "{{ nextcloud_db_password }}" --database-user "{{ nextcloud_db_user }}" --database-pass "{{ nextcloud_db_password }}"
--admin-user "{{ nextcloud_admin_user }}" --admin-pass "{{ nextcloud_admin_password }}" --data-dir "{{ nextcloud_datadirectory }}" --admin-user "{{ nextcloud_admin_user }}" --admin-pass "{{ nextcloud_admin_password }}" --data-dir "{{ nextcloud_datadirectory }}"
become: true become: true
become_user: http become_user: "{{nextcloud_user}}"
changed_when: true changed_when: true
ignore_errors: yes ignore_errors: yes
when: installed_mode is changed or nextcloud_config_exist.stat.exists == false when: installed_mode is changed or nextcloud_config_exist.stat.exists == false
- name: apply php-fpm pool template
become: true
template:
src: php-fpm.j2
dest: /etc/php/php-fpm.d/nextcloud.conf
owner: root
group: root
mode: 0644
- name: ensure additional options are set in config.php if defined - name: ensure additional options are set in config.php if defined
become: true become: true
lineinfile: lineinfile:
@ -86,9 +98,9 @@
when: nextcloud_config_options is defined when: nextcloud_config_options is defined
- name: installation - ensure trusted domains are set - name: installation - ensure trusted domains are set
command: 'php7 {{ nextcloud_web_root }}/occ config:system:set trusted_domains {{ item.0 }} --value "{{ item.1 }}"' command: 'php {{ nextcloud_web_root }}/occ config:system:set trusted_domains {{ item.0 }} --value "{{ item.1 }}"'
become: true become: true
become_user: http become_user: "{{nextcloud_user}}"
changed_when: true changed_when: true
with_indexed_items: with_indexed_items:
- '{{ nextcloud_trusted_domains }}' - '{{ nextcloud_trusted_domains }}'
@ -118,7 +130,7 @@
- name: create cron for nextcloud - name: create cron for nextcloud
cron: cron:
job: "sudo -u http /usr/bin/php -f {{nextcloud_web_root}}/cron.php" job: "sudo -u {{nextcloud_user}} /usr/bin/php -f {{nextcloud_web_root}}/cron.php"
user: root # not required. The specific user whose crontab should be modified. user: root # not required. The specific user whose crontab should be modified.
minute: 0,15,30,45 # not required. Minute when the job should run ( 0-59, *, */2, etc ) minute: 0,15,30,45 # not required. Minute when the job should run ( 0-59, *, */2, etc )
name: "nextcloud recuring cron job" # not required. Description of a crontab entry or, if env is set, the name of environment variable. Required if state=absent. Note that if name is not set and state=present, then a new crontab entry will always be created, regardless of existing ones. name: "nextcloud recuring cron job" # not required. Description of a crontab entry or, if env is set, the name of environment variable. Required if state=absent. Note that if name is not set and state=present, then a new crontab entry will always be created, regardless of existing ones.
@ -126,7 +138,7 @@
- name: create cron for file scan - name: create cron for file scan
cron: cron:
job: "sudo -u http /usr/bin/php /usr/share/webapps/nextcloud/occ files:scan --all > /dev/null" job: "sudo -u {{nextcloud_user}} /usr/bin/php /usr/share/webapps/nextcloud/occ files:scan --all > /dev/null"
user: root # not required. The specific user whose crontab should be modified. user: root # not required. The specific user whose crontab should be modified.
minute: "00" # not required. Minute when the job should run ( 0-59, *, */2, etc ) minute: "00" # not required. Minute when the job should run ( 0-59, *, */2, etc )
hour: "4" hour: "4"
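Review bot: The data-directory task on the new side sets `owner: "{{nextcloud_group}}"`, so the directory is owned by whichever account happens to share the group's name rather than the account that php-fpm, the occ commands (`become_user`) and the cron jobs (`sudo -u`) run as; it should read `owner: "{{ nextcloud_user }}"` (the trailing comment on that line also says "got required" for "not required"). The two new account tasks create the user before the group and pass only `name`, so the user is given a default primary group and the role never ties it to `nextcloud_group`; creating the group first and adding `group: "{{ nextcloud_group }}"`, `system: true` and a nologin `shell` would keep the service account from being a login account. The data directory is also created without a `mode`, so its permissions fall to the remote umask; a quoted `mode: "0750"` would keep other local users out of it. The rest of the tasks file is outside these hunks, so a later task may already cover some of this.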

templates/php-fpm.j2 Normal file

@ -0,0 +1,16 @@
[nextcloud]
user = {{nextcloud_user}}
group = {{nextcloud_group}}
listen = /run/nextcloud/nextcloud.sock
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
; should be accessible by your web server
listen.owner = http
listen.group = http
pm = dynamic
pm.max_children = 15
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
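Review bot: The pool listens on `/run/nextcloud/nextcloud.sock`, but nothing in this commit creates `/run/nextcloud`, and php-fpm does not create the parent directory of its socket, so on a host where `/run` is a tmpfs rebuilt at boot the pool will fail to bind; a tmpfiles.d entry for that directory, or a drop-in with `RuntimeDirectory=nextcloud` on the php-fpm unit, would cover it (a task for this may exist elsewhere in the role, which the diff does not show). Handing the socket to `http` via `listen.owner`/`listen.group` while the workers run as `{{nextcloud_user}}` is the right separation; leaving `listen.mode` at its default keeps the socket group-only, so it only needs setting if the web server runs as a different account. The hunk header counts 16 added lines and 14 are visible here, which is consistent with blank lines being dropped by the rendering.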