CCCHH/ansible-infra
CCCHH/ansible-infra
3
0
Fork 0
Code Issues 4 Pull requests Actions Wiki Activity

Introduce Nextcloud role and deploy Cloud on Chaosknoten

Browse source 
Co-authored-by: Max <max@mlem.cloud>
This commit is contained in:
June 2023-08-25 20:50:46 +02:00 committed by julian
parent 112f1990b9
commit 62b4f93218
16 changed files with 352 additions and 200 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
inventories/chaosknoten/host_vars/cloud.yaml
View file

@ -1,14 +1,11 @@
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'chaosknoten/configs/cloud/compose.yaml.j2') }}" nextcloud__version: 27
docker_compose__configuration_files: [] nextcloud__postgres_version: 15.3
nextcloud__fqdn: cloud.hamburg.ccc.de
certbot__version_spec: "" nextcloud__data_dir: /data/nextcloud
certbot__acme_account_email_address: le-admin@hamburg.ccc.de nextcloud__admin_password: "{{ lookup('community.general.passwordstore', 'noc/vm-secrets/chaosknoten/cloud/admin', create=false, missing='error') }}"
certbot__certificate_domains: nextcloud__extra_configuration: "{{ lookup('ansible.builtin.template', 'chaosknoten/configs/cloud/extra_configuration.config.php.j2') }}"
- "cloud.hamburg.ccc.de" nextcloud__use_custom_new_user_skeleton: true
nextcloud__custom_new_user_skeleton_directory: "chaosknoten/cloud/new_user_skeleton_directory/"
nextcloud__config_php: "{{ lookup('ansible.builtin.template', 'chaosknoten/configs/cloud/config.php.j2') }}" nextcloud__postgres_password: "{{ lookup('community.general.passwordstore', 'noc/vm-secrets/chaosknoten/cloud/DB_PASSWORD', create=false, missing='error') }}"
nextcloud__proxy_protocol_reverse_proxy_ip: 172.31.17.140
nginx__version_spec: "" nextcloud__certbot_acme_account_email_address: le-admin@hamburg.ccc.de
nginx__configurations:
- name: cloud.hamburg.ccc.de
content: "{{ lookup('ansible.builtin.file', 'chaosknoten/configs/cloud/nginx/cloud.hamburg.ccc.de.conf') }}"

4
inventories/chaosknoten/hosts.yaml
View file

@ -2,7 +2,6 @@ all:
children: children:
certbot_hosts: certbot_hosts:
hosts: hosts:
cloud:
pad: pad:
keycloak: keycloak:
engelsystem: engelsystem:
@ -11,7 +10,6 @@ all:
hosts: hosts:
cloud: cloud:
ansible_host: cloud-intern.hamburg.ccc.de ansible_host: cloud-intern.hamburg.ccc.de
ansible_port: 42666
ansible_user: chaos ansible_user: chaos
ansible_ssh_common_args: -J ssh://public-reverse-proxy.hamburg.ccc.de:42666 ansible_ssh_common_args: -J ssh://public-reverse-proxy.hamburg.ccc.de:42666
pad: pad:
@ -37,7 +35,6 @@ all:
ansible_ssh_common_args: -J ssh://public-reverse-proxy.hamburg.ccc.de:42666 ansible_ssh_common_args: -J ssh://public-reverse-proxy.hamburg.ccc.de:42666
docker_compose_hosts: docker_compose_hosts:
hosts: hosts:
cloud:
pad: pad:
keycloak: keycloak:
engelsystem: engelsystem:
@ -46,7 +43,6 @@ all:
cloud: cloud:
nginx_hosts: nginx_hosts:
hosts: hosts:
cloud:
pad: pad:
public-reverse-proxy: public-reverse-proxy:
keycloak: keycloak:

BIN
playbooks/files/chaosknoten/cloud/new_user_skeleton_directory/Photos/augenohrenkatze.jpg Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 9.7 KiB

BIN
playbooks/files/chaosknoten/cloud/new_user_skeleton_directory/Photos/ccclubhajs.jpg Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 1,007 KiB

10
playbooks/files/chaosknoten/cloud/new_user_skeleton_directory/README.md Normal file
View file

@ -0,0 +1,10 @@
# CCCHH Nextcloud
Willkommen auf der CCCHH Nextcloud Instanz.
Hier kannst du Dateien ablegen und teilen, Termine verwalten und vieles mehr.
**Hinweis:** Die Dateien werden (zumindest zur Zeit) nicht verschlüsselt gespeichert.
Weitere Infos:
- <https://docs.nextcloud.com/server/latest/user_manual/de/>

134
playbooks/files/chaosknoten/configs/cloud/nginx/cloud.hamburg.ccc.de.conf
View file

@ -1,134 +0,0 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
upstream nextcloud {
server 127.0.0.1:9000;
}
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
server_name cloud.hamburg.ccc.de;
ssl_certificate /etc/letsencrypt/live/cloud.hamburg.ccc.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/cloud.hamburg.ccc.de/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/cloud.hamburg.ccc.de/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port 443;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
# Hide the X-Forwarded header.
proxy_hide_header X-Forwarded;
# Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
# is transparent).
# Also provide "_hidden" for by, since it's not relevant.
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
# HTTP response headers borrowed from Nextcloud `.htaccess`
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
# Path to the root of your installation
root /data/docker/volumes/nextcloud;
# Specify how to handle directories -- specifying `/index.php$request_uri`
# here as the fallback means that Nginx always exhibits the desired behaviour
# when a client requests a path that corresponds to a directory that exists
# on the server. In particular, if that directory contains an index.php file,
# that file is correctly served; if it doesn't, then the request is passed to
# the front-end controller. This consistent behaviour means that we don't need
# to specify custom rules for certain paths (e.g. images and other assets,
# `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
# `try_files $uri $uri/ /index.php$request_uri`
# always provides the desired behaviour.
index index.php index.html /index.php$request_uri;
# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
location = / {
if ( $http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/$is_args$args;
}
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Rules borrowed from `.htaccess` to hide certain paths from clients
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
# Ensure this block, which passes PHP files to the PHP process, is above the blocks
# which handle static assets (as seen below). If this block is not declared first,
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
# to the URI, resulting in a HTTP 500 error response.
location ~ \.php(?:$|/) {
# Required for legacy support
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
#fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_FILENAME /var/www/html/index.php;
fastcgi_param PATH_INFO $path_info;
#fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
fastcgi_param front_controller_active true; # Enable pretty urls
fastcgi_pass nextcloud;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ \.(?:css|js|svg|gif)$ {
try_files $uri /index.php$request_uri;
expires 6M; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
location ~ \.woff2?$ {
try_files $uri /index.php$request_uri;
expires 7d; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
# Rule borrowed from `.htaccess`
location /remote {
return 301 /remote.php$request_uri;
}
location / {
try_files $uri $uri/ /index.php$request_uri;
}
}

11
playbooks/roles/nextcloud/README.md Normal file
View file

@ -0,0 +1,11 @@
# Role `nextcloud`
A role for deploying Nextcloud.
Note: PostgreSQL upgrades need manual migration steps.
## Links & Resources
- <https://github.com/nextcloud/docker>
- <https://docs.nextcloud.com/server/latest/admin_manual/index.html>
- <https://github.com/nextcloud/docker/tree/master/.examples/dockerfiles/cron/apache>

5
playbooks/roles/nextcloud/defaults/main.yaml Normal file
View file

@ -0,0 +1,5 @@
nextcloud__nginx_version_spec: ""
nextcloud__certbot_version_spec: ""
nextcloud__extra_configuration: ""
nextcloud__use_custom_new_user_skeleton: false
nextcloud__custom_new_user_skeleton_directory: ""

22
playbooks/roles/nextcloud/files/supervisord.conf Normal file
View file

@ -0,0 +1,22 @@
[supervisord]
nodaemon=true
logfile=/var/log/supervisord/supervisord.log
pidfile=/var/run/supervisord/supervisord.pid
childlogdir=/var/log/supervisord/
logfile_maxbytes=50MB ; maximum size of logfile before rotation
logfile_backups=10 ; number of backed up logfiles
loglevel=error
[program:apache2]
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
command=apache2-foreground
[program:cron]
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
command=/cron.sh

63
playbooks/roles/nextcloud/meta/argument_specs.yaml Normal file
View file

@ -0,0 +1,63 @@
argument_specs:
main:
options:
nextcloud__version:
description: The version label to use for the Nextcloud Docker image.
type: str
required: true
nextcloud__postgres_version:
description: The version label to use for the PostgreSQL Docker image.
type: str
required: true
nextcloud__nginx_version_spec:
description: The version spec. to pass to nginx to use for the nginx version spec.
type: str
required: false
default: ""
nextcloud__certbot_version_spec:
description: The version spec. to pass to certbot to use for the certbot version spec.
type: str
required: false
default: ""
nextcloud__fqdn:
description: The FQDN to use for Nextcloud.
type: str
required: true
nextcloud__data_dir:
description: The directory where to store the Nextcloud data.
type: str
required: true
nextcloud__admin_password:
description: The password to use for the Admin user.
type: str
required: true
nextcloud__extra_configuration:
description: Additional nextcloud configuration.
type: str
required: false
default: ""
nextcloud__use_custom_new_user_skeleton:
description: >-
Enable to make use of the given custom new user skeleton directory.
type: bool
required: false
default: false
nextcloud__custom_new_user_skeleton_directory:
description: >-
Path of to a custom new user skeleton directory to be used by this
role via ansible.builtin.copy.
type: str
required: false
default: ""
nextcloud__postgres_password:
description: The password to use for the nextcloud PostgreSQL user.
type: str
required: true
nextcloud__proxy_protocol_reverse_proxy_ip:
description: The IP of the reverse proxy to do proxy protocol with.
type: str
required: true
nextcloud__certbot_acme_account_email_address:
description: The E-Mail address to pass to certbot to use for the ACME account.
type: str
required: true

18
playbooks/roles/nextcloud/meta/main.yaml Normal file
View file

@ -0,0 +1,18 @@
---
dependencies:
- role: certbot
vars:
certbot__version_spec: "{{ nextcloud__certbot_version_spec }}"
certbot__acme_account_email_address: "{{ nextcloud__certbot_acme_account_email_address }}"
certbot__certificate_domains:
- "{{ nextcloud__fqdn }}"
- role: nginx
vars:
nginx__version_spec: "{{ nextcloud__nginx_version_spec }}"
nginx__configurations:
- name: "{{ nextcloud__fqdn }}"
content: "{{ lookup('ansible.builtin.template', 'nginx_nextcloud.conf.j2') }}"
- role: docker_compose
vars:
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'compose.yaml.j2') }}"
docker_compose__configuration_files: []

55
playbooks/roles/nextcloud/tasks/main.yaml
View file

@ -1,9 +1,58 @@
--- ---
- name: Nextcloud config - name: wait for existence of config directory
ansible.builtin.wait_for:
path: /ansible_docker_compose/nextcloud_var_www_html/config
state: present
become: true become: true
- name: extra Nextcloud configuration
ansible.builtin.copy: ansible.builtin.copy:
content: "{{ nextcloud__config_php }}" content: "{{ nextcloud__extra_configuration }}"
dest: "/data/docker/volumes/nextcloud/config/config.php" dest: /ansible_docker_compose/nextcloud_var_www_html/config/ansible_nextcloud_extra_config.config.php
mode: "0644" mode: "0644"
owner: www-data owner: www-data
group: www-data group: www-data
become: true
- name: fail, if nextcloud__use_custom_new_user_skeleton is set, but nextcloud__custom_new_user_skeleton_directory isn't
ansible.builtin.fail:
msg: If you set nextcloud__use_custom_new_user_skeleton, you also need to set nextcloud__custom_new_user_skeleton_directory.
when: nextcloud__use_custom_new_user_skeleton and nextcloud__custom_new_user_skeleton_directory == ""
- name: ensure custom new user skeleton
when: nextcloud__use_custom_new_user_skeleton
block:
- name: ensure `rsync` package is installed
ansible.builtin.apt:
name: rsync
state: present
become: true
- name: ensure custom new user skeleton directory
ansible.posix.synchronize:
src: "{{ nextcloud__custom_new_user_skeleton_directory }}"
dest: /ansible_docker_compose/custom_new_user_skeleton
delete: true
recursive: true
use_ssh_args: true
become: true
- name: ensure custom new user skeleton config
ansible.builtin.copy:
content: |
<?php
$CONFIG = array (
'skeletondirectory' => '/custom_new_user_skeleton'
);
dest: /ansible_docker_compose/nextcloud_var_www_html/config/ansible_nextcloud_custom_new_user_skeleton.config.php
mode: "0644"
owner: www-data
group: www-data
become: true
- name: ensure absence of custom new user skeleton config
ansible.builtin.file:
path: /ansible_docker_compose/nextcloud_var_www_html/config/ansible_nextcloud_custom_new_user_skeleton.config.php
state: absent
become: true
when: not nextcloud__use_custom_new_user_skeleton

83
playbooks/roles/nextcloud/templates/compose.yaml.j2 Normal file
View file

@ -0,0 +1,83 @@
---
version: "3.6"
services:
nextcloud:
build:
context: .
# Use the following example for adding cron:
# https://github.com/nextcloud/docker/tree/master/.examples/dockerfiles/cron/apache
dockerfile_inline: |
FROM nextcloud:{{ nextcloud__version }}
RUN apt-get update && apt-get install -y \
supervisor \
&& rm -rf /var/lib/apt/lists/* \
&& mkdir /var/log/supervisord /var/run/supervisord
RUN cat <<EOF > /supervisord.conf
{% filter indent(width=8) %}
{{ lookup('ansible.builtin.file', 'supervisord.conf') }}
{% endfilter %}
EOF
ENV NEXTCLOUD_UPDATE=1
CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
restart: unless-stopped
ports:
- "8080:80"
# This is a hotfix until we have a new mail setup and this also really
# doesn't belong into this role, but whatever, it works for now and it's not
# like anyone else really uses this role (or would be bothered by this
# really).
extra_hosts:
- "send-only-mailserver.ccchh.net:185.161.129.132"
depends_on:
- db
- redis
networks:
- nextcloud
volumes:
{% if nextcloud__use_custom_new_user_skeleton %}
- "./custom_new_user_skeleton:/custom_new_user_skeleton"
{% endif %}
- "./nextcloud_var_www_html:/var/www/html"
- "{{ nextcloud__data_dir }}:/var/www/html/data"
environment:
POSTGRES_HOST: db
POSTGRES_DB: nextcloud
POSTGRES_USER: nextcloud
POSTGRES_PASSWORD: "{{ nextcloud__postgres_password }}"
NEXTCLOUD_ADMIN_USER: admin
NEXTCLOUD_ADMIN_PASSWORD: "{{ nextcloud__admin_password }}"
REDIS_HOST: redis
NEXTCLOUD_TRUSTED_DOMAINS: "{{ nextcloud__fqdn }}"
# See here: https://github.com/nextcloud/docker#using-the-apache-image-behind-a-reverse-proxy-and-auto-configure-server-host-and-protocol
APACHE_DISABLE_REWRITE_IP: 1
TRUSTED_PROXIES: 127.0.0.1
OVERWRITECLIURL: "https://{{ nextcloud__fqdn }}/"
OVERWRITEHOST: "{{ nextcloud__fqdn }}"
OVERWRITEPROTOCOL: "https"
db:
image: postgres:{{ nextcloud__postgres_version }}
restart: unless-stopped
networks:
- nextcloud
volumes:
- "./database:/var/lib/postgresql/data"
environment:
POSTGRES_DB: nextcloud
POSTGRES_USER: nextcloud
POSTGRES_PASSWORD: "{{ nextcloud__postgres_password }}"
redis:
image: redis:alpine
restart: unless-stopped
networks:
- nextcloud
networks:
nextcloud:
external: false

61
playbooks/roles/nextcloud/templates/nginx_nextcloud.conf.j2 Normal file
View file

@ -0,0 +1,61 @@
# also see here:
# - https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
# - https://nginx.org/en/docs/http/ngx_http_realip_module.html
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from {{ nextcloud__proxy_protocol_reverse_proxy_ip }};
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
# This should work, but isn't needed for now.
# # Still listen for https on 443 as usual.
# listen 443 ssl http2;
# #listen [::]:443 ssl http2;
server_name {{ nextcloud__fqdn }};
ssl_certificate /etc/letsencrypt/live/{{ nextcloud__fqdn }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ nextcloud__fqdn }}/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/{{ nextcloud__fqdn }}/chain.pem;
# replace with the IP address of your resolver
resolver 1.1.1.1;
# allow uploads of any size
client_max_body_size 0;
location /.well-known/carddav {
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
return 301 $scheme://$host/remote.php/dav;
}
location /.well-known/caldav {
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
return 301 $scheme://$host/remote.php/dav;
}
location / {
proxy_set_header Host $host;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
add_header Front-End-Https on;
proxy_pass http://127.0.0.1:8080;
}
}

45
playbooks/templates/chaosknoten/configs/cloud/compose.yaml.j2
View file

@ -1,45 +0,0 @@
---
version: "3.6"
services:
database:
image: docker.io/library/mariadb:11
restart: always
command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
volumes:
- /data/docker/volumes/database:/var/lib/mysql
environment:
- "MYSQL_ROOT_PASSWORD={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/cloud/DB_PASSWORD", create=false, missing="error") }}"
- "MYSQL_PASSWORD={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/cloud/DB_PASSWORD", create=false, missing="error") }}"
- "MYSQL_DATABASE=nextcloud"
- "MYSQL_USER=nextcloud"
networks:
backend: {}
app:
image: docker.io/library/nextcloud:25-fpm
restart: always
ports:
- 9000:9000
links:
- database
volumes:
- /data/docker/volumes/nextcloud:/var/www/html
environment:
- "MYSQL_PASSWORD={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/cloud/DB_PASSWORD", create=false, missing="error") }}"
- "MYSQL_DATABASE=nextcloud"
- "MYSQL_USER=nextcloud"
- "MYSQL_HOST=database"
networks:
backend: {}
frontend: {}
volumes: {}
# FIXME: tell Docker to put volumes in /data instead of /var/lib/docker/
#database: {}
#nextcloud: {}
networks:
backend:
internal: true
frontend: {}

16
playbooks/templates/chaosknoten/configs/cloud/extra_configuration.config.php.j2 Normal file
View file

@ -0,0 +1,16 @@
<?php
$CONFIG = array (
'default_phone_region' => 'DE',
'hide_login_form' => true,
'mail_smtpmode' => 'smtp',
'mail_smtphost' => 'send-only-mailserver.ccchh.net',
'mail_smtpport' => 465,
'mail_smtpsecure' => 'ssl',
'mail_smtpauth' => true,
'mail_smtpauthtype' => 'LOGIN',
'mail_smtpname' => 'nextcloud',
'mail_from_address' => 'cloud',
'mail_domain' => 'send-only-mail.ccchh.net',
'mail_smtppassword' => '{{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/cloud/smtp_password", create=false, missing="error") }}',
'mail_smtpdebug' => true,
);