Version 0.1: Inital working deployment version

LICENSE

@@ -0,0 +1,5 @@
+Author: Petar Cubela
+Company: Softbox GmbH
+Date: 2024-12-04
+
+Bla bla legal advise bla bla trademark, intellectual property and such bla bla

TODO.md

@@ -0,0 +1,23 @@
+## todo
+
+### First Version 0.1
+
+- [x] install smbclient php module
+- [x] install ownCloud via task (trusted domains can
+      be added afterwards)
+- [x] configure cron jobs
+- [x] configure caching and file locking
+- [x] add redis to stack and configure it
+- [x] configure log rotation
+- [ ] configure https access in apache2
+
+### Modifications
+
+- [ ] Build ansible-role-lamp
+- [ ] Build seperate ansible-role-owncloud depending on ansible-role-lamp
+- [ ] Build seperate ansible-role-nextcloud depending on ansible-role-lamp
+
+## LAMP Stack
+
+- [ ] Build with option to choose between apache and nginx
+- [ ] Build with option to choose different databases

ansible.cfg

@@ -0,0 +1,8 @@
+[defaults]
+nocows = 1
+host_key_checking = false
+inventory = ./hosts.ini 
+ansible_python_interpreter  = /usr/bin/python3
+
+[ssh_connections]
+pipelining = true

group_vars/all.yml

@@ -0,0 +1,59 @@
+---
+# generic settings
+main_username: sbxadmin
+main_groupname: "{{ main_username }}"
+main_uid: "1000"
+main_gid: "{{ main_uid }}"
+
+# weareinteractive.environment
+environment_config: { "PUID": "{{ main_gid }}", "PGID": "{{ main_gid }}" }
+
+# geerlingguy.ntp
+ntp_timezone: "Europe/Berlin"
+
+# geerlingguy.nfs
+#nfs_exports: [ "/home/public    *(rw,sync,no_root_squash)" ]
+
+# geerlingguy.security
+security_ssh_port: 22
+security_ssh_password_authentication: "yes"
+security_ssh_permit_root_login: "no"
+security_ssh_usedns: "no"
+security_ssh_permit_empty_password: "no"
+security_ssh_challenge_response_auth: "no"
+security_ssh_gss_api_authentication: "no"
+security_ssh_x11_forwarding: "no"
+security_ssh_allowed_users:
+  - "{{ main_username }}"
+security_ssh_allowed_groups: []
+security_sudoers_passwordless:
+  - "{{ main_username }}"
+security_autoupdate_enabled: false
+security_autoupdate_blacklist: []
+security_autoupdate_reboot: false
+security_autoupdate_reboot_time: "03:00"
+security_autoupdate_mail_to: "service@softbox.de"
+security_autoupdate_mail_on_error: false
+security_fail2ban_enabled: false
+security_fail2ban_custom_configuration_template: "jail.local.j2"
+###
+#packages
+package_list:
+  - bash-completion
+  - htop
+  - apt-transport-https
+  - network-manager
+  - vim
+  - curl
+  - xclip
+  - net-tools
+  - rsync
+  - smartmontools
+  - parted
+  - mlocate
+  - cpp
+  - gcc
+  - make
+  - psmisc
+  - linux-headers-$(uname -r)
+  - open-vpm-tools

group_vars/owncloud.yml

@@ -0,0 +1,4 @@
+domain_base: softbox.net
+hostname: owncloud.{{ domain_base }}
+
+owncloud_core_path: "/var/www/owncloud"

hosts.ini

@@ -0,0 +1,3 @@
+[owncloud]
+10.0.101.99 ansible_user=sbxadmin ansible_port=22
+

playbooks/shutdown.yml

@@ -0,0 +1,9 @@
+---
+- name: Shutdown k3s_cluster
+  hosts: k3s_cluster
+  gather_facts: true
+  tasks:
+    - name: Shutdown the nodes (and wait one 1 min)
+      become: true
+      community.general.shutdown:
+        delay: 60

playbooks/update.yml

@@ -0,0 +1,29 @@
+---
+- hosts:
+    - all
+  become: true
+
+  tasks:
+    - name: Perform a dist-upgrade.
+      ansible.builtin.apt:
+        upgrade: dist
+        update_cache: yes
+
+    - name: Install essential packages
+      package:
+        name: "{{ package_list }}"
+        state: present
+
+    - name: Check if a reboot is required.
+      ansible.builtin.stat:
+        path: /var/run/reboot-required
+        get_checksum: no
+      register: reboot_required_file
+
+    - name: Reboot the server (if required).
+      ansible.builtin.reboot:
+      when: reboot_required_file.stat.exists == true
+
+    - name: Remove dependencies that are no longer required.
+      ansible.builtin.apt:
+        autoremove: yes

post-install.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+
+# -------------------- todo ------------------------- #
+# - [ ] read password from ansible vars file if possible
+# --------------------------------------------------- #
+
+# ------------------ Variables ----------------------- #
+my_domain="owncloud.softbox.net"
+my_ip=$(hostname -I | cut -f1 -d ' ')
+database="mysql"
+database_name="owncloud"
+database_user="owncloud"
+database_pass=""
+data_dir="/var/www/owncloud/data"
+admin_user="root"
+admin_pass=""
+# --------------------------------------------------- #
+
+# Exit if not run as root
+if [ "$EUID" -ne 0 ]; then
+  echo "Please run as root"
+  exit
+fi
+
+# Install owncloud
+occ maintenance:install --database "$database" --database-name "$database_name" --database-user "$database_user" --database-pass "$database_pass" --data-dir "$data_dir" --admin-user "$admin_user" --admin-pass "$admin_pass"
+
+# Set trusted domains
+occ config:system:set trusted_domains 1 --value="$my_ip"
+occ config:system:set trusted_domains 2 --value="$my_domain"
+
+# Set background job mode to cron
+occ background:cron
+
+# Set the execution of two cron jobs
+echo "*/15  *  *  *  * /var/www/owncloud/occ system:cron" |
+  sudo -u www-data -g crontab tee -a \
+    /var/spool/cron/crontabs/www-data
+echo "0  2  *  *  * /var/www/owncloud/occ dav:cleanup-chunks" |
+  sudo -u www-data -g crontab tee -a \
+    /var/spool/cron/crontabs/www-data
+
+# Sync with LDAP server
+echo "1 */6 * * * /var/www/owncloud/occ user:sync \
+  'OCA\User_LDAP\User_Proxy' -m disable -vvv >> \
+  /var/log/ldap-sync/user-sync.log 2>&1" |
+  sudo -u www-data -g crontab tee -a \
+    /var/spool/cron/crontabs/www-data
+mkdir -p /var/log/ldap-sync
+touch /var/log/ldap-sync/user-sync.log
+chown www-data. /var/log/ldap-sync/user-sync.log
+
+# Configure Caching and File Locking
+occ config:system:set \
+  memcache.local \
+  --value '\OC\Memcache\APCu'
+occ config:system:set \
+  memcache.locking \
+  --value '\OC\Memcache\Redis'
+occ config:system:set \
+  redis \
+  --value '{"host": "127.0.0.1", "port": "6379"}' \
+  --type json
+
+systemctl restart apache2

requirements.yml

@@ -0,0 +1,8 @@
+---
+roles:
+  #- name: geerlingguy.pip
+  - name: geerlingguy.docker
+  - name: geerlingguy.nfs
+  - name: geerlingguy.security
+  - name: geerlingguy.ntp
+  - name: ironicbadger.docker_compose_generator

roles/owncloud/defaults/main.yml

@@ -0,0 +1 @@
+owncloud_core_path: "/var/www/owncloud"

roles/owncloud/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: restart apache
+  service:
+    name: apache2
+    state: restarted

roles/owncloud/tasks/apache.yml

@@ -0,0 +1,35 @@
+- name: Set hostname
+  ansible.builtin.hostname:
+    name: "{{ hostname }}"
+
+- name: "Enable recommended Apache Modules."
+  apache2_module: "name={{ item }} state=present"
+  with_items:
+    - dir
+    - env
+    - headers
+    - mime
+    - rewrite
+    - setenvif
+  notify: restart apache
+
+- name: Add Apache virtualhost for Owncloud
+  template:
+    src: "templates/owncloud.dav.conf.j2"
+    dest: "/etc/apache2/sites-available/owncloud.dav.conf"
+    owner: root
+    group: root
+    mode: 0644
+  notify: restart apache
+
+- name: Enable the ownCloud site.
+  command: >
+    a2ensite owncloud.dav
+    creates=/etc/apache2/sites-enabled/owncloud.dav.conf
+  notify: restart apache
+
+- name: Disable the default site.
+  command: >
+    a2dissite 000-default 
+    removes=/etc/apache2/sites-enabled/000-default.conf
+  notify: restart apache

roles/owncloud/tasks/configure.yml

@@ -0,0 +1,13 @@
+#- name: Configure Caching and File locking
+#  command: "{{ item }}"
+#  loop: >
+#    - occ config:system:set memcache.local  --value '\OC\Memcache\APCu'
+#    - occ config:system:set memcache.locking --value '\OC\Memcache\Redis'
+#    - occ config:system:set redis --value '{"host": "127.0.0.1", "port": "6379"}' --type json
+
+- name: Configure Log Rotation.
+  template:
+    src: "templates/log-rotation.j2"
+    dest: "/etc/logrotate.d/owncloud"
+    owner: root
+    group: root

roles/owncloud/tasks/dependencies.yml

@@ -0,0 +1,65 @@
+---
+- name: Get software for apt repository management.
+  apt:
+    state: present
+    name:
+      - python3-apt
+      - python3-pycurl
+      - python3-pymysql
+
+- name: Add ondrej repository for later versions of PHP.
+  apt_repository:
+    repo: "ppa:ondrej/php"
+    update_cache: yes
+
+- name: "Install Apache, MySQL, PHP, and other dependencies."
+  apt:
+    state: present
+    name:
+      - acl
+      - git
+      - curl
+      - wget
+      - unzip
+      - openssl
+      - redis-server
+      - mariadb-server
+      - libpcre3-dev
+      - apache2
+      - libapache2-mod-php7.4
+      - php7.4
+      - php7.4-imagick
+      - php7.4-common
+      - php7.4-curl
+      - php7.4-gd
+      - php7.4-imap
+      - php7.4-intl
+      - php7.4-json
+      - php7.4-mbstring
+      - php7.4-gmp
+      - php7.4-bcmath
+      - php7.4-mysql
+      - php7.4-ssh2
+      - php7.4-xml
+      - php7.4-zip
+      - php7.4-apcu
+      - php7.4-redis
+      - php7.4-ldap
+      - php7.4-smbclient
+      - php-phpseclib
+      - bzip2
+      - rsync
+      - jq
+      - inetutils-ping
+      - ldap-utils
+      - smbclient
+      - cron
+
+#- name: Disable the firewall (since this is behind a firewall)
+#  service: name=ufw state=stopped
+
+- name: "Start Apache, MySQL, and PHP."
+  service: "name={{ item }} state=started enabled=yes"
+  with_items:
+    - apache2
+    - mysql

roles/owncloud/tasks/main.yml

@@ -0,0 +1,32 @@
+---
+- name: Install LAMP stack dependencies
+  include_tasks:
+    file: dependencies.yml
+
+- name: Configure Apache.
+  include_tasks:
+    file: apache.yml
+
+- name: Configure PHP.
+  include_tasks:
+    file: php.yml
+
+- name: Configure MySQL.
+  include_tasks:
+    file: mysql.yml
+
+- name: Create occ helper script.
+  include_tasks:
+    file: occ.yml
+
+- name: Download ownCloud.
+  include_tasks:
+    file: owncloud.yml
+
+#- name: Configure Cronjobs.
+#  include_tasks:
+#    file: cron.yml
+
+- name: Configure ownCloud.
+  include_tasks:
+    file: configure.yml

roles/owncloud/tasks/mysql.yml

@@ -0,0 +1,16 @@
+- name: Create a MySQL database for ownCloud.
+  community.mysql.mysql_db:
+    name: owncloud
+    state: present
+    login_unix_socket: /run/mysqld/mysqld.sock
+
+- name: Create a MySQL db user for ownCloud.
+  community.mysql.mysql_user:
+    name: "owncloud"
+    password: "{{ mysql_passwd }}"
+    login_user: "root"
+    login_password: "{{ mysql_passwd }}"
+    priv: "owncloud.*:ALL"
+    host: localhost
+    state: present
+    login_unix_socket: /run/mysqld/mysqld.sock

roles/owncloud/tasks/occ.yml

@@ -0,0 +1,7 @@
+- name: Create a helper script for running occ commands.
+  template:
+    src: "templates/occ.j2"
+    dest: "/usr/local/bin/occ"
+    owner: root
+    group: root
+    mode: 0755

roles/owncloud/tasks/owncloud.yml

@@ -0,0 +1,23 @@
+---
+- name: Download ownCloud source.
+  ansible.builtin.get_url:
+    url: https://download.owncloud.com/server/stable/owncloud-complete-latest.tar.bz2
+    dest: "/tmp/owncloud-complete-latest.tar.bz2"
+    owner: www-data
+
+- name: Extract the archive.
+  ansible.builtin.unarchive:
+    src: "/tmp/owncloud-complete-latest.tar.bz2"
+    dest: "/var/www/"
+    owner: www-data
+    remote_src: yes
+#- name: Install ownCloud (via occ)
+#  command: >
+#    occ maintenance:install --database "mysql" --database-name "owncloud" --database-user "owncloud" --database-pass "{{ mysql_passwd }}" --data-dir "{{ owncloud_core_path }}/data" --admin-user "root" --admin-pass "{{ mysql_passwd }}"
+#
+#- name: Configure ownCloud's trusted domains
+#  command: "{{ item }}"
+#  loop:
+#    - my_ip=$(hostname -I|cut -f1 -d ' ')
+#    - occ config:system:set trusted_domains 1 --value="$my_ip"
+#    - occ config:system:set trusted_domains 2 --value="{{ hostname }}"

roles/owncloud/tasks/php.yml

@@ -0,0 +1,16 @@
+---
+- name: Adjust OpCache memory setting.
+  lineinfile:
+    dest: "/etc/php/7.4/apache2/conf.d/10-opcache.ini"
+    regexp: "^opcache.memory_consumption"
+    line: "opcache.memory_consumption = 96"
+    state: present
+  notify: restart apache
+
+- name: Adjust smbclient setting.
+  template:
+    src: "templates/smbclient.ini.j2"
+    dest: "/etc/php/7.4/mods-available/smbclient.ini"
+    owner: root
+    group: root
+  notify: restart apache

roles/owncloud/templates/log-rotation.j2

@@ -0,0 +1,8 @@
+/var/www/owncloud/data/owncloud.log {
+  size 10M
+  rotate 12
+  copytruncate
+  missingok
+  compress
+  compresscmd /bin/gzip
+}

roles/owncloud/templates/occ.j2

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+cd /var/www/owncloud
+sudo -E -u www-data /usr/bin/php /var/www/owncloud/occ "$@"

roles/owncloud/templates/owncloud.dav.conf.j2

@@ -0,0 +1,17 @@
+<VirtualHost *:80>
+ServerName {{ hostname }}
+DirectoryIndex index.php index.html
+DocumentRoot /var/www/owncloud
+<Directory /var/www/owncloud>
+  Options +FollowSymlinks -Indexes
+  AllowOverride All
+  Require all granted
+
+ <IfModule mod_dav.c>
+  Dav off
+ </IfModule>
+
+ SetEnv HOME /var/www/owncloud
+ SetEnv HTTP_HOME /var/www/owncloud
+</Directory>
+</VirtualHost>

roles/owncloud/templates/smbclient.ini.j2

@@ -0,0 +1 @@
+extension=smbclient.so

run.yml

@@ -0,0 +1,17 @@
+---
+- hosts: owncloud
+  become: yes
+  vars_files:
+    - "vars/vault.yml"
+
+  pre_tasks:
+    - name: Update apt cache.
+      apt:
+        update_cache: true
+        cache_valid_time: 3600
+      when: ansible_os_family == 'Debian'
+
+  roles:
+    - role: geerlingguy.security
+    #- role: geerlingguy.ntp ## NEEDED?
+    - role: owncloud

vars/vault.yml

@@ -0,0 +1,6 @@
+$ANSIBLE_VAULT;1.1;AES256
+63653337393533303833626638303832623538666537306133643930396432613130333961383236
+6664653538623035373236303039636665386239376563640a636566383263663033633631393038
+63343437353536656666636236643134646662383061356636633264306231613439353639636264
+3634613966336664320a373161653932656162343061633330613964653836323361663366356239
+62346665303435666131333232323433366536386261393663383739633465633133