From d608cff6fce01455abe438f94de41ceb21d98356 Mon Sep 17 00:00:00 2001 
From: Petar Cubela Date: Wed, 4 Dec 2024 10:33:29 +0100 Subject: [PATCH] Version 0.1: Inital working deployment version --- LICENSE | 5 ++ TODO.md | 23 +++++++ ansible.cfg | 8 +++ group_vars/all.yml | 59 +++++++++++++++++ group_vars/owncloud.yml | 4 ++ hosts.ini | 3 + playbooks/shutdown.yml | 9 +++ playbooks/update.yml | 29 +++++++++ post-install.sh | 65 +++++++++++++++++++ requirements.yml | 8 +++ roles/owncloud/defaults/main.yml | 1 + roles/owncloud/handlers/main.yml | 5 ++ roles/owncloud/tasks/apache.yml | 35 ++++++++++ roles/owncloud/tasks/configure.yml | 13 ++++ roles/owncloud/tasks/dependencies.yml | 65 +++++++++++++++++++ roles/owncloud/tasks/main.yml | 32 +++++++++ roles/owncloud/tasks/mysql.yml | 16 +++++ roles/owncloud/tasks/occ.yml | 7 ++ roles/owncloud/tasks/owncloud.yml | 23 +++++++ roles/owncloud/tasks/php.yml | 16 +++++ roles/owncloud/templates/log-rotation.j2 | 8 +++ roles/owncloud/templates/occ.j2 | 4 ++ roles/owncloud/templates/owncloud.dav.conf.j2 | 17 +++++ roles/owncloud/templates/smbclient.ini.j2 | 1 + run.yml | 17 +++++ vars/vault.yml | 6 ++ 26 files changed, 479 insertions(+) create mode 100644 LICENSE create mode 100644 TODO.md create mode 100644 ansible.cfg create mode 100644 group_vars/all.yml create mode 100644 group_vars/owncloud.yml create mode 100644 hosts.ini create mode 100644 playbooks/shutdown.yml create mode 100644 playbooks/update.yml create mode 100644 post-install.sh create mode 100644 requirements.yml create mode 100644 roles/owncloud/defaults/main.yml create mode 100644 roles/owncloud/handlers/main.yml create mode 100644 roles/owncloud/tasks/apache.yml create mode 100644 roles/owncloud/tasks/configure.yml create mode 100644 roles/owncloud/tasks/dependencies.yml create mode 100644 roles/owncloud/tasks/main.yml create mode 100644 roles/owncloud/tasks/mysql.yml create mode 100644 roles/owncloud/tasks/occ.yml create mode 100644 roles/owncloud/tasks/owncloud.yml create mode 100644 roles/owncloud/tasks/php.yml create mode 100644 
roles/owncloud/templates/log-rotation.j2 create mode 100644 roles/owncloud/templates/occ.j2 create mode 100644 roles/owncloud/templates/owncloud.dav.conf.j2 create mode 100644 roles/owncloud/templates/smbclient.ini.j2 create mode 100644 run.yml create mode 100644 vars/vault.yml diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..f348d77 --- /dev/null +++ b/LICENSE @@ -0,0 +1,5 @@ +Author: Petar Cubela +Company: Softbox GmbH +Date: 2024-12-04 + +Bla bla legal advise bla bla trademark, intellectual property and such bla bla diff --git a/TODO.md b/TODO.md new file mode 100644 index 0000000..2bf5d95 --- /dev/null +++ b/TODO.md @@ -0,0 +1,23 @@ +## todo + +### First Version 0.1 + +- [x] install smbclient php module +- [x] install ownCloud via task (trusted domains can + be added afterwards) +- [x] configure cron jobs +- [x] configure caching and file locking +- [x] add redis to stack and configure it +- [x] configure log rotation +- [ ] configure https access in apache2 + +### Modifications + +- [ ] Build ansible-role-lamp +- [ ] Build seperate ansible-role-owncloud depending on ansible-role-lamp +- [ ] Build seperate ansible-role-nextcloud depending on ansible-role-lamp + +## LAMP Stack + +- [ ] Build with option to choose between apache and nginx +- [ ] Build with option to choose different databases diff --git a/ansible.cfg b/ansible.cfg new file mode 100644 index 0000000..bd3d219 --- /dev/null +++ b/ansible.cfg @@ -0,0 +1,8 @@ +[defaults] +nocows = 1 +host_key_checking = false +inventory = ./hosts.ini +ansible_python_interpreter = /usr/bin/python3 + +[ssh_connections] +pipelining = true diff --git a/group_vars/all.yml b/group_vars/all.yml new file mode 100644 index 0000000..8677bcb --- /dev/null +++ b/group_vars/all.yml 
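Review bot: `host_key_checking = false` in ansible.cfg turns off SSH host-key verification for every play, so a spoofed or re-addressed 10.0.101.99 would receive the sbxadmin login and everything the vault decrypts without any warning; set `host_key_checking = true` and seed known_hosts with the server's key once. Two other settings in this file appear to be inert: `ansible_python_interpreter` is a host/inventory variable rather than an ansible.cfg key (the cfg equivalent is `interpreter_python = /usr/bin/python3`), and the section is spelled `[ssh_connection]` in the singular, so `pipelining = true` under `[ssh_connections]` is never applied.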
@@ -0,0 +1,59 @@ +--- +# generic settings +main_username: sbxadmin +main_groupname: "{{ main_username }}" +main_uid: "1000" +main_gid: "{{ main_uid }}" + +# weareinteractive.environment +environment_config: { "PUID": "{{ main_gid }}", "PGID": "{{ main_gid }}" } + +# geerlingguy.ntp +ntp_timezone: "Europe/Berlin" + +# geerlingguy.nfs +#nfs_exports: [ "/home/public *(rw,sync,no_root_squash)" ] + +# geerlingguy.security +security_ssh_port: 22 +security_ssh_password_authentication: "yes" +security_ssh_permit_root_login: "no" +security_ssh_usedns: "no" +security_ssh_permit_empty_password: "no" +security_ssh_challenge_response_auth: "no" +security_ssh_gss_api_authentication: "no" +security_ssh_x11_forwarding: "no" +security_ssh_allowed_users: + - "{{ main_username }}" +security_ssh_allowed_groups: [] +security_sudoers_passwordless: + - "{{ main_username }}" +security_autoupdate_enabled: false +security_autoupdate_blacklist: [] +security_autoupdate_reboot: false +security_autoupdate_reboot_time: "03:00" +security_autoupdate_mail_to: "service@softbox.de" +security_autoupdate_mail_on_error: false +security_fail2ban_enabled: false +security_fail2ban_custom_configuration_template: "jail.local.j2" +### +#packages +package_list: + - bash-completion + - htop + - apt-transport-https + - network-manager + - vim + - curl + - xclip + - net-tools + - rsync + - smartmontools + - parted + - mlocate + - cpp + - gcc + - make + - psmisc + - linux-headers-$(uname -r) + - open-vpm-tools diff --git a/group_vars/owncloud.yml b/group_vars/owncloud.yml new file mode 100644 index 0000000..5299680 --- /dev/null +++ b/group_vars/owncloud.yml @@ -0,0 +1,4 @@ +domain_base: softbox.net +hostname: owncloud.{{ domain_base }} + +owncloud_core_path: "/var/www/owncloud" diff --git a/hosts.ini b/hosts.ini new file mode 100644 index 0000000..c2ae78a --- /dev/null +++ b/hosts.ini @@ -0,0 +1,3 @@ +[owncloud] +10.0.101.99 ansible_user=sbxadmin ansible_port=22 + 
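Review bot: `security_ssh_password_authentication: "yes"` is combined with `security_sudoers_passwordless` for the same `main_username`, so a guessed or phished password for sbxadmin is immediately root, while `security_fail2ban_enabled: false` and `security_autoupdate_enabled: false` remove the usual compensating controls; for a deployment account I would set `security_ssh_password_authentication: "no"` (key-only, which the inventory already implies) and leave fail2ban enabled, or at least drop the passwordless sudo. Two `package_list` entries also look wrong: `linux-headers-$(uname -r)` is not shell-expanded by the apt module and should be `linux-headers-{{ ansible_kernel }}`, and `open-vpm-tools` is presumably `open-vm-tools`. If the `"yes"`/`"no"` strings are what the geerlingguy.security templates expect they should keep their quotes, since unquoted `yes` becomes a boolean.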
diff --git a/playbooks/shutdown.yml b/playbooks/shutdown.yml new file mode 100644 index 0000000..8691d4b --- /dev/null +++ b/playbooks/shutdown.yml @@ -0,0 +1,9 @@ +--- +- name: Shutdown k3s_cluster + hosts: k3s_cluster + gather_facts: true + tasks: + - name: Shutdown the nodes (and wait one 1 min) + become: true + community.general.shutdown: + delay: 60 diff --git a/playbooks/update.yml b/playbooks/update.yml new file mode 100644 index 0000000..9a3e785 --- /dev/null +++ b/playbooks/update.yml @@ -0,0 +1,29 @@ +--- +- hosts: + - all + become: true + + tasks: + - name: Perform a dist-upgrade. + ansible.builtin.apt: + upgrade: dist + update_cache: yes + + - name: Install essential packages + package: + name: "{{ package_list }}" + state: present + + - name: Check if a reboot is required. + ansible.builtin.stat: + path: /var/run/reboot-required + get_checksum: no + register: reboot_required_file + + - name: Reboot the server (if required). + ansible.builtin.reboot: + when: reboot_required_file.stat.exists == true + + - name: Remove dependencies that are no longer required. + ansible.builtin.apt: + autoremove: yes diff --git a/post-install.sh b/post-install.sh new file mode 100644 index 0000000..6ac860f --- /dev/null +++ b/post-install.sh 
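Review bot: playbooks/shutdown.yml targets `hosts: k3s_cluster`, a group that does not exist in hosts.ini (only `[owncloud]` is defined), so the play matches nothing and looks like a leftover from another repository; either change it to `hosts: owncloud` or drop the file until it is needed.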
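Review bot: in playbooks/update.yml the dist-upgrade runs on `hosts: all` with no `serial:` or confirmation, so one invocation upgrades and may reboot every inventory host at once; `serial: 1` would keep at least the reboot step one host at a time. The reboot condition `when: reboot_required_file.stat.exists == true` can simply be `when: reboot_required_file.stat.exists`, and the bare `package:` task would be consistent with the rest of the file as `ansible.builtin.package:`.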
@@ -0,0 +1,65 @@ +#!/bin/bash + +# -------------------- todo ------------------------- # +# - [ ] read password from ansible vars file if possible +# --------------------------------------------------- # + +# ------------------ Variables ----------------------- # +my_domain="owncloud.softbox.net" +my_ip=$(hostname -I | cut -f1 -d ' ') +database="mysql" +database_name="owncloud" +database_user="owncloud" +database_pass="" +data_dir="/var/www/owncloud/data" +admin_user="root" +admin_pass="" +# --------------------------------------------------- # + +# Exit if not run as root +if [ "$EUID" -ne 0 ]; then + echo "Please run as root" + exit +fi + +# Install owncloud +occ maintenance:install --database "$database" --database-name "$database_name" --database-user "$database_user" --database-pass "$database_pass" --data-dir "$data_dir" --admin-user "$admin_user" --admin-pass "$admin_pass" + +# Set trusted domains +occ config:system:set trusted_domains 1 --value="$my_ip" +occ config:system:set trusted_domains 2 --value="$my_domain" + +# Set background job mode to cron +occ background:cron + +# Set the execution of two cron jobs +echo "*/15 * * * * /var/www/owncloud/occ system:cron" | + sudo -u www-data -g crontab tee -a \ + /var/spool/cron/crontabs/www-data +echo "0 2 * * * /var/www/owncloud/occ dav:cleanup-chunks" | + sudo -u www-data -g crontab tee -a \ + /var/spool/cron/crontabs/www-data + +# Sync with LDAP server +echo "1 */6 * * * /var/www/owncloud/occ user:sync \ + 'OCA\User_LDAP\User_Proxy' -m disable -vvv >> \ + /var/log/ldap-sync/user-sync.log 2>&1" | + sudo -u www-data -g crontab tee -a \ + /var/spool/cron/crontabs/www-data +mkdir -p /var/log/ldap-sync +touch /var/log/ldap-sync/user-sync.log +chown www-data. 
/var/log/ldap-sync/user-sync.log + +# Configure Caching and File Locking +occ config:system:set \ + memcache.local \ + --value '\OC\Memcache\APCu' +occ config:system:set \ + memcache.locking \ + --value '\OC\Memcache\Redis' +occ config:system:set \ + redis \ + --value '{"host": "127.0.0.1", "port": "6379"}' \ + --type json + +systemctl restart apache2 diff --git a/requirements.yml b/requirements.yml new file mode 100644 index 0000000..5a4c875 --- /dev/null +++ b/requirements.yml @@ -0,0 +1,8 @@ +--- +roles: + #- name: geerlingguy.pip + - name: geerlingguy.docker + - name: geerlingguy.nfs + - name: geerlingguy.security + - name: geerlingguy.ntp + - name: ironicbadger.docker_compose_generator diff --git a/roles/owncloud/defaults/main.yml b/roles/owncloud/defaults/main.yml new file mode 100644 index 0000000..79ab284 --- /dev/null +++ b/roles/owncloud/defaults/main.yml @@ -0,0 +1 @@ +owncloud_core_path: "/var/www/owncloud" diff --git a/roles/owncloud/handlers/main.yml b/roles/owncloud/handlers/main.yml new file mode 100644 index 0000000..af398e8 --- /dev/null +++ b/roles/owncloud/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: restart apache + service: + name: apache2 + state: restarted diff --git a/roles/owncloud/tasks/apache.yml b/roles/owncloud/tasks/apache.yml new file mode 100644 index 0000000..f3e2b7d --- /dev/null +++ b/roles/owncloud/tasks/apache.yml 
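Review bot: `admin_pass=""` and `database_pass=""` mean `occ maintenance:install` is run with an empty password for the ownCloud admin account (named `root`) and for the database user unless someone edits the script first; the TODO at the top acknowledges it, but until the values come from the vault the script should refuse to run, e.g. `[ -n "$admin_pass" ] && [ -n "$database_pass" ] || { echo "passwords not set" >&2; exit 1; }`, and the root check should `exit 1` rather than a bare `exit` (status 0). The cron entries are appended to `/var/spool/cron/crontabs/www-data` with `tee -a`, which is not idempotent (each run adds duplicate jobs) and bypasses cron's own file handling; `crontab -u www-data -` fed the full desired crontab, or an Ansible `cron` task, would be safer. Adding `set -euo pipefail` after the shebang would also stop the script from continuing past a failed install into the trusted-domain and cron steps.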
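Review bot: the Galaxy roles in requirements.yml carry no `version:`, so `ansible-galaxy install` pulls whatever the latest tag is at install time, and geerlingguy.security in particular is what writes sshd_config and sudoers on the target; pin each entry (`- name: geerlingguy.security` followed by `  version: "<tag>"`) so the hardening that was reviewed is the hardening that gets applied. geerlingguy.docker, geerlingguy.nfs and ironicbadger.docker_compose_generator are not referenced by run.yml as shown here and could be dropped to shrink the trusted set.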
@@ -0,0 +1,35 @@ +- name: Set hostname + ansible.builtin.hostname: + name: "{{ hostname }}" + +- name: "Enable recommended Apache Modules." + apache2_module: "name={{ item }} state=present" + with_items: + - dir + - env + - headers + - mime + - rewrite + - setenvif + notify: restart apache + +- name: Add Apache virtualhost for Owncloud + template: + src: "templates/owncloud.dav.conf.j2" + dest: "/etc/apache2/sites-available/owncloud.dav.conf" + owner: root + group: root + mode: 0644 + notify: restart apache + +- name: Enable the ownCloud site. + command: > + a2ensite owncloud.dav + creates=/etc/apache2/sites-enabled/owncloud.dav.conf + notify: restart apache + +- name: Disable the default site. + command: > + a2dissite 000-default + removes=/etc/apache2/sites-enabled/000-default.conf + notify: restart apache diff --git a/roles/owncloud/tasks/configure.yml b/roles/owncloud/tasks/configure.yml new file mode 100644 index 0000000..7500a7d --- /dev/null +++ b/roles/owncloud/tasks/configure.yml @@ -0,0 +1,13 @@ +#- name: Configure Caching and File locking +# command: "{{ item }}" +# loop: > +# - occ config:system:set memcache.local --value '\OC\Memcache\APCu' +# - occ config:system:set memcache.locking --value '\OC\Memcache\Redis' +# - occ config:system:set redis --value '{"host": "127.0.0.1", "port": "6379"}' --type json + +- name: Configure Log Rotation. + template: + src: "templates/log-rotation.j2" + dest: "/etc/logrotate.d/owncloud" + owner: root + group: root diff --git a/roles/owncloud/tasks/dependencies.yml b/roles/owncloud/tasks/dependencies.yml new file mode 100644 index 0000000..2cd1bf4 --- /dev/null +++ b/roles/owncloud/tasks/dependencies.yml 
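Review bot: `apache2_module: "name={{ item }} state=present"` uses key=value string arguments while the rest of the role uses native YAML; `community.general.apache2_module:` with `name: "{{ item }}"` and `state: present` under `loop:` reads consistently and lets the linter see the parameters. The `a2ensite`/`a2dissite` tasks likewise put `creates=`/`removes=` inside the folded command string; as `args:` sub-keys (`args: {creates: /etc/apache2/sites-enabled/owncloud.dav.conf}`) they cannot be mistaken for command text. The "Set hostname" task is unrelated to Apache and would be easier to find in main.yml or a separate `system.yml`.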
@@ -0,0 +1,65 @@ +--- +- name: Get software for apt repository management. + apt: + state: present + name: + - python3-apt + - python3-pycurl + - python3-pymysql + +- name: Add ondrej repository for later versions of PHP. + apt_repository: + repo: "ppa:ondrej/php" + update_cache: yes + +- name: "Install Apache, MySQL, PHP, and other dependencies." + apt: + state: present + name: + - acl + - git + - curl + - wget + - unzip + - openssl + - redis-server + - mariadb-server + - libpcre3-dev + - apache2 + - libapache2-mod-php7.4 + - php7.4 + - php7.4-imagick + - php7.4-common + - php7.4-curl + - php7.4-gd + - php7.4-imap + - php7.4-intl + - php7.4-json + - php7.4-mbstring + - php7.4-gmp + - php7.4-bcmath + - php7.4-mysql + - php7.4-ssh2 + - php7.4-xml + - php7.4-zip + - php7.4-apcu + - php7.4-redis + - php7.4-ldap + - php7.4-smbclient + - php-phpseclib + - bzip2 + - rsync + - jq + - inetutils-ping + - ldap-utils + - smbclient + - cron + +#- name: Disable the firewall (since this is behind a firewall) +# service: name=ufw state=stopped + +- name: "Start Apache, MySQL, and PHP." + service: "name={{ item }} state=started enabled=yes" + with_items: + - apache2 + - mysql diff --git a/roles/owncloud/tasks/main.yml b/roles/owncloud/tasks/main.yml new file mode 100644 index 0000000..f230f88 --- /dev/null +++ b/roles/owncloud/tasks/main.yml @@ -0,0 +1,32 @@ +--- +- name: Install LAMP stack dependencies + include_tasks: + file: dependencies.yml + +- name: Configure Apache. + include_tasks: + file: apache.yml + +- name: Configure PHP. + include_tasks: + file: php.yml + +- name: Configure MySQL. + include_tasks: + file: mysql.yml + +- name: Create occ helper script. + include_tasks: + file: occ.yml + +- name: Download ownCloud. + include_tasks: + file: owncloud.yml + +#- name: Configure Cronjobs. +# include_tasks: +# file: cron.yml + +- name: Configure ownCloud. + include_tasks: + file: configure.yml 
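Review bot: the role adds `ppa:ondrej/php` and then installs `php7.4-*`, a PHP branch that no longer receives upstream security fixes, on what is meant to be a file server with LDAP-backed users; if 7.4 is a hard ownCloud requirement that should be stated in a comment, otherwise make it a variable (`php_version: "8.1"`) and template the `php{{ php_version }}-…` names so the next upgrade is a one-line change. Adding a third-party PPA also imports its signing key into apt trust for every package, which an `apt_preferences` pin restricting it to php packages would limit. Note also that `mariadb-server` is installed but the service list starts `mysql`, which appears to rely on the compatibility alias unit; `mariadb` is the canonical name.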
diff --git a/roles/owncloud/tasks/mysql.yml b/roles/owncloud/tasks/mysql.yml new file mode 100644 index 0000000..3727d0c --- /dev/null +++ b/roles/owncloud/tasks/mysql.yml @@ -0,0 +1,16 @@ +- name: Create a MySQL database for ownCloud. + community.mysql.mysql_db: + name: owncloud + state: present + login_unix_socket: /run/mysqld/mysqld.sock + +- name: Create a MySQL db user for ownCloud. + community.mysql.mysql_user: + name: "owncloud" + password: "{{ mysql_passwd }}" + login_user: "root" + login_password: "{{ mysql_passwd }}" + priv: "owncloud.*:ALL" + host: localhost + state: present + login_unix_socket: /run/mysqld/mysqld.sock diff --git a/roles/owncloud/tasks/occ.yml b/roles/owncloud/tasks/occ.yml new file mode 100644 index 0000000..f53ad67 --- /dev/null +++ b/roles/owncloud/tasks/occ.yml @@ -0,0 +1,7 @@ +- name: Create a helper script for running occ commands. + template: + src: "templates/occ.j2" + dest: "/usr/local/bin/occ" + owner: root + group: root + mode: 0755 diff --git a/roles/owncloud/tasks/owncloud.yml b/roles/owncloud/tasks/owncloud.yml new file mode 100644 index 0000000..44aec4f --- /dev/null +++ b/roles/owncloud/tasks/owncloud.yml 
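Review bot: `login_password: "{{ mysql_passwd }}"` and `password: "{{ mysql_passwd }}"` reuse one vault value as both the MariaDB root password and the ownCloud application user's password (and the commented-out install task in owncloud.yml would make it the ownCloud admin password too), so a leak of the app's config.php yields database root; use separate variables such as `mysql_root_passwd` and `owncloud_db_passwd`. Since the task already passes `login_unix_socket`, a default MariaDB root account uses unix_socket auth and `login_user`/`login_password` can probably be dropped, as the preceding `mysql_db` task already does.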
@@ -0,0 +1,23 @@ +--- +- name: Download ownCloud source. + ansible.builtin.get_url: + url: https://download.owncloud.com/server/stable/owncloud-complete-latest.tar.bz2 + dest: "/tmp/owncloud-complete-latest.tar.bz2" + owner: www-data + +- name: Extract the archive. + ansible.builtin.unarchive: + src: "/tmp/owncloud-complete-latest.tar.bz2" + dest: "/var/www/" + owner: www-data + remote_src: yes +#- name: Install ownCloud (via occ) +# command: > +# occ maintenance:install --database "mysql" --database-name "owncloud" --database-user "owncloud" --database-pass "{{ mysql_passwd }}" --data-dir "{{ owncloud_core_path }}/data" --admin-user "root" --admin-pass "{{ mysql_passwd }}" +# +#- name: Configure ownCloud's trusted domains +# command: "{{ item }}" +# loop: +# - my_ip=$(hostname -I|cut -f1 -d ' ') +# - occ config:system:set trusted_domains 1 --value="$my_ip" +# - occ config:system:set trusted_domains 2 --value="{{ hostname }}" diff --git a/roles/owncloud/tasks/php.yml b/roles/owncloud/tasks/php.yml new file mode 100644 index 0000000..7ce3511 --- /dev/null +++ b/roles/owncloud/tasks/php.yml @@ -0,0 +1,16 @@ +--- +- name: Adjust OpCache memory setting. + lineinfile: + dest: "/etc/php/7.4/apache2/conf.d/10-opcache.ini" + regexp: "^opcache.memory_consumption" + line: "opcache.memory_consumption = 96" + state: present + notify: restart apache + +- name: Adjust smbclient setting. + template: + src: "templates/smbclient.ini.j2" + dest: "/etc/php/7.4/mods-available/smbclient.ini" + owner: root + group: root + notify: restart apache diff --git a/roles/owncloud/templates/log-rotation.j2 b/roles/owncloud/templates/log-rotation.j2 new file mode 100644 index 0000000..cf7b6d0 --- /dev/null +++ b/roles/owncloud/templates/log-rotation.j2 @@ -0,0 +1,8 @@ +/var/www/owncloud/data/owncloud.log { + size 10M + rotate 12 + copytruncate + missingok + compress + compresscmd /bin/gzip +} 
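Review bot: `get_url` fetches `owncloud-complete-latest.tar.bz2` with no `checksum:`, so the code that will run as www-data is whatever the download host served at that moment, unpinned and unverified; pin a release (`owncloud-complete-{{ owncloud_version }}.tar.bz2`) and pass `checksum: "sha256:<value from the release's published checksum>"`, which also makes the task reproducible. The `unarchive` step has no `creates:`, so every run re-extracts the archive over the live install, and the tarball is left behind in /tmp; adding `creates: "{{ owncloud_core_path }}/occ"` and a `file: state=absent` cleanup would address both. The hard-coded `/var/www/` destination could also use `{{ owncloud_core_path }}` so the defaults/main.yml variable actually takes effect.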
diff --git a/roles/owncloud/templates/occ.j2 b/roles/owncloud/templates/occ.j2 new file mode 100644 index 0000000..23cbbd4 --- /dev/null +++ b/roles/owncloud/templates/occ.j2 @@ -0,0 +1,4 @@ +#!/bin/bash + +cd /var/www/owncloud +sudo -E -u www-data /usr/bin/php /var/www/owncloud/occ "$@" diff --git a/roles/owncloud/templates/owncloud.dav.conf.j2 b/roles/owncloud/templates/owncloud.dav.conf.j2 new file mode 100644 index 0000000..f5dc77e --- /dev/null +++ b/roles/owncloud/templates/owncloud.dav.conf.j2 @@ -0,0 +1,17 @@ + +ServerName {{ hostname }} +DirectoryIndex index.php index.html +DocumentRoot /var/www/owncloud + + Options +FollowSymlinks -Indexes + AllowOverride All + Require all granted + + + Dav off + + + SetEnv HOME /var/www/owncloud + SetEnv HTTP_HOME /var/www/owncloud + + diff --git a/roles/owncloud/templates/smbclient.ini.j2 b/roles/owncloud/templates/smbclient.ini.j2 new file mode 100644 index 0000000..f93fe4a --- /dev/null +++ b/roles/owncloud/templates/smbclient.ini.j2 @@ -0,0 +1 @@ +extension=smbclient.so diff --git a/run.yml b/run.yml new file mode 100644 index 0000000..178e48c --- /dev/null +++ b/run.yml @@ -0,0 +1,17 @@ +--- +- hosts: owncloud + become: yes + vars_files: + - "vars/vault.yml" + + pre_tasks: + - name: Update apt cache. + apt: + update_cache: true + cache_valid_time: 3600 + when: ansible_os_family == 'Debian' + + roles: + - role: geerlingguy.security + #- role: geerlingguy.ntp ## NEEDED? + - role: owncloud diff --git a/vars/vault.yml b/vars/vault.yml new file mode 100644 index 0000000..f4df099 --- /dev/null +++ b/vars/vault.yml 
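Review bot: `sudo -E -u www-data` in occ.j2 forwards the invoking user's whole environment (root's, when called from post-install.sh or a root shell) into the PHP process; unless a specific variable is required, drop `-E` or pass only what is needed (`sudo -u www-data env HOME=/var/www/owncloud /usr/bin/php …`). The `cd` is also unchecked, so `cd /var/www/owncloud || exit 1` avoids running occ from the wrong directory if the path is missing.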
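Review bot: the vhost in owncloud.dav.conf.j2 serves plain HTTP only (no `SSLEngine on` or certificate directives, and the TODO still lists "configure https access in apache2" as open), yet post-install.sh points LDAP-synced users and their WebDAV clients at this host, so ownCloud passwords and session cookies cross the network in cleartext; before this goes live add a `*:443` vhost with `SSLEngine on`, `SSLCertificateFile`/`SSLCertificateKeyFile`, and have the :80 vhost `Redirect permanent / https://{{ hostname }}/`. Once TLS is in place `Header always set Strict-Transport-Security "max-age=15552000"` is the usual companion, and the `headers` module enabled in apache.yml already allows it. As rendered here the `<VirtualHost>` and `<Directory>` tags are not visible, which I take to be an artefact of the page rather than of the template.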
@@ -0,0 +1,6 @@
+$ANSIBLE_VAULT;1.1;AES256
+63653337393533303833626638303832623538666537306133643930396432613130333961383236
+6664653538623035373236303039636665386239376563640a636566383263663033633631393038
+63343437353536656666636236643134646662383061356636633264306231613439353639636264
+3634613966336664320a373161653932656162343061633330613964653836323361663366356239
+62346665303435666131333232323433366536386261393663383739633465633133