From f27af0b0b74d6cdaff60bf4f62734ff0ea76beeb Mon Sep 17 00:00:00 2001
From: vincent
Date: Sun, 16 Feb 2020 16:22:01 +0100
Subject: [PATCH] finalize nextcloud roles
---
 defaults/main.yml | 27 +++++-
 files/nextcloud.hook | 11 +++
 handlers/main.yml | 9 +-
 meta/main.yml | 12 ++-
 tasks/main.yml | 124 +++++++++++++++++++++++++-
 templates/fail2ban/nextcloud.local.j2 | 9 ++
 6 files changed, 185 insertions(+), 7 deletions(-)
 create mode 100644 files/nextcloud.hook
 create mode 100644 templates/fail2ban/nextcloud.local.j2
diff --git a/defaults/main.yml b/defaults/main.yml
index 94d629c..2dea285 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,2 +1,27 @@
 ---
-# defaults file for nextcloud
\ No newline at end of file
+# defaults file for nextcloud
+nextcloud_db_name: nextcloud
+nextcloud_SQl_target_file:
+nextcloud_db_user: nextcloud
+nextcloud_db_password:
+nextcloud_admin_user: admin
+nextcloud_admin_password:
+nextcloud_datadirectory: /var/nextcloud
+nextcloud_web_root: /usr/share/webapps/nextcloud
+nextcloud_trusted_domains:
+ - localhost
+nextcloud_dbhost: localhost
+nextcloud_dbport:
+
+nextcloud_config_options: # additional options to set in config.php
+ - option: overwrite.cli.url
+ value: "'https://nextcloud.example.com'"
+ - option: maintenance
+ value: false
+ - option: loglevel
+ value: 2
+
+nextcloud_fail2ban_jail_maxretry: 10
+nextcloud_fail2ban_jail_findtime: 3600
+nextcloud_fail2ban_jail_bantime: 900
+nextcloud_fail2ban_jail_action: iptables-allports
\ No newline at end of file
diff --git a/files/nextcloud.hook b/files/nextcloud.hook
new file mode 100644
index 0000000..9719132
--- /dev/null
+++ b/files/nextcloud.hook
@@ -0,0 +1,11 @@
+[Trigger]
+Operation = Install
+Operation = Upgrade
+Type = Package
+Target = nextcloud
+Target = nextcloud-app-*
+
+[Action]
+Description = Update Nextcloud installation
+When = PostTransaction
+Exec = /usr/bin/runuser -u http -- /usr/bin/php /usr/share/webapps/nextcloud/occ upgrade
\ No newline at end of file
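Review bot: `nextcloud_SQl_target_file:`, `nextcloud_db_password:`, `nextcloud_admin_password:` and `nextcloud_dbport:` are declared with no value, which YAML loads as null, so the `nextcloud_SQl_target_file is defined` guard on the import task in tasks/main.yml can never skip, and a password the playbook forgot to set reaches `occ maintenance:install` as an empty `--database-pass` / `--admin-pass`. If these are meant to be supplied by the caller, drop the keys from the defaults and document them in a comment instead, e.g. `# required, set by the playbook: nextcloud_db_password, nextcloud_admin_password, optional: nextcloud_SQl_target_file`; otherwise guard on `is not none` in the tasks. `nextcloud_dbhost` and `nextcloud_dbport` are also dead in this commit: the install command in tasks/main.yml passes no `--database-host`, and the `mysql_user` task hard-codes `host: localhost`, so either wire them through or remove them so readers do not assume a remote database is supported.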
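Review bot: The hook's `Exec` hard-codes `/usr/share/webapps/nextcloud/occ`, while the role exposes that location as `nextcloud_web_root`; a playbook that overrides the default ends up with a post-transaction upgrade that runs `occ` from a path the role no longer manages. Shipping the hook through `template` with `Exec = /usr/bin/runuser -u http -- /usr/bin/php {{ nextcloud_web_root }}/occ upgrade` keeps the two in step. Related, and as far as I recall from alpm-hooks, pacman only loads hook files whose name ends in `.hook`, but the copy task in tasks/main.yml installs this file as `/etc/pacman.d/hooks/nextcloud_hook`, so the hook would be silently ignored; the destination should be `dest: /etc/pacman.d/hooks/nextcloud.hook`.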
diff --git a/handlers/main.yml b/handlers/main.yml
index 3cdfcfd..295ff8d 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,2 +1,9 @@
 ---
-# handlers file for nextcloud
\ No newline at end of file
+# handlers file for nextcloud
+
+- name: "Restart fail2ban"
+ service:
+ name: fail2ban
+ state: restarted
+ when: ansible_service_mgr == "systemd"
+ become: yes
diff --git a/meta/main.yml b/meta/main.yml
index 227ad9c..8f40d5b 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,7 +1,6 @@
 galaxy_info:
- author: your name
- description: your role description
- company: your company (optional)
+ author: VDU
+ description: nextcloud instalation
 # If the issue tracker for your role is not on github, uncomment the
 # next line and provide a value
@@ -47,7 +46,12 @@ galaxy_info:
 # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
 # Maximum 20 tags per role.
-dependencies: []
+dependencies:
+ - nginx
+ - mariadb
+ - php
+ - cronie
+ - fail2ban
 # List your role dependencies here, one per line. Be sure to remove the '[]' above,
 # if you add dependencies to this list.
\ No newline at end of file
diff --git a/tasks/main.yml b/tasks/main.yml
index 1a2a620..a53f756 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
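Review bot: `become: yes` on the handler is the YAML 1.1 boolean spelling that yamllint's `truthy` rule flags, and tasks/main.yml in the same commit already uses `become: true` in several tasks; use `become: true` here so the role has one spelling. The `when: ansible_service_mgr == "systemd"` guard presumably exists to skip hosts where fail2ban has no unit, but the `service` module is init-system agnostic, so on a non-systemd host the jail file is installed and the running fail2ban silently keeps its old configuration; either drop the condition or add a comment stating why it is there.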
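Review bot: `description: nextcloud instalation` misspells installation, and this is the text Galaxy shows for the role; change it to `description: nextcloud installation`. In the second hunk the `dependencies` list now pulls in nginx, mariadb, php, cronie and fail2ban unconditionally on every application of the role, which deserves a one-line comment per entry naming the task that needs it (cronie and fail2ban are only used by the last two tasks of tasks/main.yml). The retained template comment `Be sure to remove the '[]' above` is stale now that the list is populated and can be deleted.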
@@ -1,2 +1,124 @@
 ---
-# tasks file for nextcloud
\ No newline at end of file
+# tasks file for nextcloud
+
+- name: "Ensure database is present"
+ become: yes
+ mysql_db:
+ name: "{{ nextcloud_db_name }}"
+ collation: utf8mb4_unicode_ci
+ encoding: utf8mb4
+ state: present
+ register: nextcloud_database_creation
+
+- name: import DATA in database in case of creation
+ become: yes
+ mysql_db:
+ name: "{{ nextcloud_db_name }}"
+ state: import
+ target: "{{gitea_SQl_target_file}}"
+ when: nextcloud_database_creation.changed == true and nextcloud_SQl_target_file is defined
+
+- name: "Ensure db user is present"
+ become: yes
+ mysql_user:
+ name: "{{ nextcloud_db_user }}"
+ host: localhost
+ password: "{{ nextcloud_db_password }}"
+ priv: "{{ nextcloud_db_name }}.*:ALL"
+ state: present
+
+- name: ensure pacman hook folder exist
+ become: true
+ file:
+ path: /etc/pacman.d/hooks
+ state: directory
+
+
+- name: add pacman hook
+ copy:
+ dest: /etc/pacman.d/hooks/nextcloud_hook # required. Remote absolute path where the file should be copied to. If I(src) is a directory, this must be a directory too. If I(dest) is a nonexistent path and if either I(dest) ends with "/" or I(src) is a directory, I(dest) is created. If I(src) and I(dest) are files, the parent directory of I(dest) isn't created: the task fails if it doesn't already exist.
+ src: nextcloud.hook # not required. Local path to a file to copy to the remote server; can be absolute or relative. If path is a directory, it is copied recursively. In this case, if path ends with "/", only inside contents of that directory are copied to destination. Otherwise, if it does not end with "/", the directory itself with all contents is copied. This behavior is similar to Rsync.
+ become: true
+ when: ansible_facts['os_family'] == "Archlinux"
+
+- name: install nextcloud
+ package:
+ state: present # required. Whether to install (C(present)), or remove (C(absent)) a package.
Other states depend on the underlying package module, i.e C(latest).
+ name: nextcloud # required. Package name, or package specifier with version, like C(name-1.0).,Be aware that packages are not always named the same and this module will not 'translate' them per distro.
+ become: true
+
+- name: change owner on nextcloud web directory
+ become: true
+ file:
+ state: directory
+ path: "{{ nextcloud_web_root}}"
+ owner: http
+ recurse: yes
+
+- name: création du répertoire data
+ become: true
+ file:
+ path: "{{ nextcloud_datadirectory }}"
+ group: http # not required. Name of the group that should own the file/directory, as would be fed to I(chown).
+ state: directory # not required. choices: absent;directory;file;hard;link;touch. If C(directory), all intermediate subdirectories will be created if they do not exist. Since Ansible 1.7 they will be created with the supplied permissions. If C(file), the file will NOT be created if it does not exist; see the C(touch) value or the M(copy) or M(template) module if you want that behavior. If C(link), the symbolic link will be created or changed. Use C(hard) for hardlinks. If C(absent), directories will be recursively deleted, and files or symlinks will be unlinked. Note that C(absent) will not cause C(file) to fail if the C(path) does not exist as the state did not change. If C(touch) (new in 1.4), an empty file will be created if the C(path) does not exist, while an existing file or directory will receive updated file access and modification times (similar to the way `touch` works from the command line).
+ owner: http # not required. Name of the user that should own the file/directory, as would be fed to I(chown).
+
+- name: check if config exist
+ stat:
+ path: /etc/webapps/nextcloud/config/config.php # required. The full path of the file/object to get the facts of.
+ register: nextcloud_config_exist
+
+- name: "Searching for a String"
+ become: yes
+ shell: awk "/'installed' => true/" /etc/webapps/nextcloud/config/config.php
+ register: installed_mode
+ changed_when: installed_mode.stdout == ""
+ when: nextcloud_config_exist.stat.exists == true
+
+
+
+- name: installation - ensure nextcloud installation is finished
+ command: >
+ php {{ nextcloud_web_root }}/occ maintenance:install --database "mysql" --database-name "{{ nextcloud_db_name}}"
+ --database-user "{{ nextcloud_db_user }}" --database-pass "{{ nextcloud_db_password }}"
+ --admin-user "{{ nextcloud_admin_user }}" --admin-pass "{{ nextcloud_admin_password }}" --data-dir "{{ nextcloud_datadirectory }}"
+ become: true
+ become_user: http
+ changed_when: true
+ when: installed_mode is changed or nextcloud_config_exist.stat.exists == false
+
+- name: installation - ensure trusted domains are set
+ command: 'php {{ nextcloud_web_root }}/occ config:system:set trusted_domains {{ item.0 }} --value "{{ item.1 }}"'
+ become: true
+ become_user: http
+ changed_when: true
+ with_indexed_items:
+ - '{{ nextcloud_trusted_domains }}'
+
+- name: ensure additional options are set in config.php if defined
+ become: true
+ lineinfile:
+ path: '{{ nextcloud_web_root }}/config/config.php'
+ regexp: '^\s*''{{ item.option }}'''
+ line: ' ''{{ item.option }}'' => {{ item.value }},'
+ insertafter: '\$CONFIG'
+ with_items: '{{ nextcloud_config_options }}'
+ when: nextcloud_config_options is defined
+
+- name: create cron for nextcloud
+ cron:
+ job: "sudo -u http /usr/bin/php -f {{nextcloud_web_root}}/cron.php"
+ user: root # not required. The specific user whose crontab should be modified.
+ minute: 0,15,30,45 # not required. Minute when the job should run ( 0-59, *, */2, etc )
+ name: "nextcloud cron job" # not required. Description of a crontab entry or, if env is set, the name of environment variable. Required if state=absent.
Note that if name is not set and state=present, then a new crontab entry will always be created, regardless of existing ones.
+ become: yes
+
+- name: Install fail2ban jail
+ template:
+ src: fail2ban/nextcloud.local.j2
+ dest: /etc/fail2ban/jail.d/nextcloud_local
+ owner: root
+ group: root
+ mode: 0644
+ notify: Restart fail2ban
+ become: yes
diff --git a/templates/fail2ban/nextcloud.local.j2 b/templates/fail2ban/nextcloud.local.j2
new file mode 100644
index 0000000..5444b69
--- /dev/null
+++ b/templates/fail2ban/nextcloud.local.j2
@@ -0,0 +1,9 @@
+[gitea]
+enabled = true
+port = http,https
+filter = nextcloud
+logpath = {{ nextcloud_datadirectory }}/nextcloud.log
+maxretry = {{ nextcloud_fail2ban_jail_maxretry }}
+findtime = {{ nextcloud_fail2ban_jail_findtime }}
+bantime = {{ nextcloud_fail2ban_jail_bantime }}
+action = {{ nextcloud_fail2ban_jail_action }}
\ No newline at end of file
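Review bot: The import task's `target: "{{gitea_SQl_target_file}}"` references a variable this role never defines (defaults/main.yml declares `nextcloud_SQl_target_file`), so the task fails with an undefined-variable error on every fresh database creation; change it to `target: "{{ nextcloud_SQl_target_file }}"`, and because the default declares that key as null, tighten the guard to `when: nextcloud_database_creation is changed and nextcloud_SQl_target_file is not none`. The `maintenance:install` command and the `mysql_user` task carry `nextcloud_db_password` and `nextcloud_admin_password` in task arguments that Ansible prints verbatim in verbose output and callback logs; add `no_log: true` to both tasks. The "création du répertoire data" task creates `{{ nextcloud_datadirectory }}` with owner and group `http` but no mode, so the directory takes whatever the umask yields and can end up world-readable, while Nextcloud's own setup check expects the data directory to be inaccessible to other users; add `mode: "0750"` there. The stat and awk tasks read `/etc/webapps/nextcloud/config/config.php` whereas the `lineinfile` task edits `{{ nextcloud_web_root }}/config/config.php`; these are presumably the same file via the Arch package's symlink, but the role should derive one path from `nextcloud_web_root` and use it in all three tasks so an overridden web root does not split the install check from the config edit. Finally, `mode: 0644` on the fail2ban template task is an unquoted octal that YAML reads as the integer 420; write `mode: "0644"`.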
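Review bot: The jail section is named `[gitea]`, apparently a leftover from the role this template was copied from, so the jail is registered in fail2ban under the name gitea and would collide with a real gitea jail on the same host; rename it to `[nextcloud]`. `filter = nextcloud` also points at a filter definition (`filter.d/nextcloud.conf`) that this commit does not ship, and fail2ban will not start a jail whose filter cannot be found, so the role needs to install a matching filter file alongside this template. The task that installs this template writes it to `/etc/fail2ban/jail.d/nextcloud_local`; as far as I recall fail2ban only reads `*.conf` and `*.local` files from jail.d, so that destination should be `dest: /etc/fail2ban/jail.d/nextcloud.local` or the jail is never loaded at all.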