From cf7f776003022d4d496f63d57248033ffaf16fdd Mon Sep 17 00:00:00 2001 From: root Date: Sat, 15 Feb 2020 22:49:27 -0500 Subject: [PATCH 01/15] Nextcloud tuneup for NGINX --- roles/0-init/tasks/main.yml | 4 +- roles/httpd/defaults/main.yml | 11 +- roles/moodle/defaults/main.yml | 2 +- roles/nextcloud/README.md | 2 +- roles/nextcloud/defaults/main.yml | 20 +- roles/nextcloud/tasks/install.yml | 225 +++++------------- roles/nextcloud/tasks/main.yml | 17 +- roles/nextcloud/tasks/nginx.yml | 7 +- roles/nextcloud/tasks/setup.yml | 70 ++---- ...config.php.j2 => autoconfig.php.j2.unused} | 0 .../templates/nextcloud-nginx.conf.j2 | 143 ++++++++++- .../nextcloud-nginx.conf.j2.shim.unused | 10 + roles/nginx/README.md | 4 +- roles/nginx/defaults/main.yml | 3 + roles/wordpress/defaults/main.yml | 2 +- roles/www_back_end/tasks/main.yml | 15 +- roles/www_front_end/tasks/main.yml | 2 +- vars/default_vars.yml | 34 +-- vars/local_vars_big.yml | 24 +- vars/local_vars_medium.yml | 24 +- vars/local_vars_min.yml | 24 +- 21 files changed, 319 insertions(+), 324 deletions(-) rename roles/nextcloud/templates/{autoconfig.php.j2 => autoconfig.php.j2.unused} (100%) create mode 100644 roles/nextcloud/templates/nextcloud-nginx.conf.j2.shim.unused diff --git a/roles/0-init/tasks/main.yml b/roles/0-init/tasks/main.yml index 0fcc4e3de..b017a837a 100644 --- a/roles/0-init/tasks/main.yml +++ b/roles/0-init/tasks/main.yml 
@@ -37,11 +37,11 @@ include_tasks: validate_vars.yml # SEE: https://github.com/iiab/iiab/blob/master/roles/nginx/README.md -- name: "apache_install is currently '{{ apache_install }}' and apache_enabled is currently '{{ apache_enabled }}'. Now let's set 'apache_install: True' and 'apache_enabled: True' if NGINX is set not to be enabled OR if any of {DokuWiki, Elgg, Lokole, Moodle, Nextcloud, Node-RED} are set to install." +- name: "apache_install is currently '{{ apache_install }}' and apache_enabled is currently '{{ apache_enabled }}'. Now let's set 'apache_install: True' and 'apache_enabled: True' if NGINX is set not to be enabled OR if any of {Elgg, Lokole, Moodle, Node-RED} are set to install." set_fact: apache_install: True apache_enabled: True - when: not nginx_enabled or dokuwiki_install or elgg_install or lokole_install or moodle_install or nextcloud_install or nodered_install + when: not nginx_enabled or elgg_install or lokole_install or moodle_install or nodered_install # #- name: "Verify 'apache_install: True' and 'apache_enabled: True' if any of {DokuWiki, Elgg, Lokole, Moodle, Nextcloud, Node-RED} are set to install" # assert: diff --git a/roles/httpd/defaults/main.yml b/roles/httpd/defaults/main.yml index a1196888d..f728ffca8 100644 --- a/roles/httpd/defaults/main.yml +++ b/roles/httpd/defaults/main.yml 
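Review bot: `dokuwiki_install` disappears from the `when:` together with `nextcloud_install`, although the subject line only claims Nextcloud and no DokuWiki file is touched elsewhere in this patch; confirm the DokuWiki role really runs without Apache before dropping it, otherwise its `when: apache_installed`-style tasks will silently skip. The commented-out assert directly below this task still lists "{DokuWiki, Elgg, Lokole, Moodle, Nextcloud, Node-RED}" and will mislead the next reader; either update it to `# ...if any of {Elgg, Lokole, Moodle, Node-RED} are set to install` or delete it.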
@@ -7,15 +7,12 @@ # apache_port: 8090 # NGINX proxies to this IP address, for legacy IIAB services still requiring Apache # apache_interface: 127.0.0.1 -# For schools that use WordPress/Nextcloud/Moodle intensively: iiab/iiab#1147 -# apache_high_php_limits: False -# WARNING: Enabling this might cause excess use of RAM/disk or other resources! -# SO AFTER INSTALLING IIAB, VERIFY THAT THESE 5 SETTINGS... -# https://github.com/iiab/iiab/blob/master/roles/httpd/tasks/enable.yml#L1-L14 -# ...ARE SUITABLE FOR YOUR HARDWARE IN /etc/php//apache2/php.ini - # Make this False to disable http://box/common/services/power_off.php button: # apache_allow_sudo: True # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing! + + +# 2020-02-15: apache_high_php_limits deprecated... +# Please instead set 'nginx_high_php_limits: True' in /etc/iiab/local_vars.yml diff --git a/roles/moodle/defaults/main.yml b/roles/moodle/defaults/main.yml index 1c9fe47d2..c7d758108 100644 --- a/roles/moodle/defaults/main.yml +++ b/roles/moodle/defaults/main.yml @@ -1,4 +1,4 @@ -# If using Moodle intensively, consider setting apache_high_php_limits in: +# If using Moodle intensively, consider setting nginx_high_php_limits in: # /etc/iiab/local_vars.yml # moodle_install: False diff --git a/roles/nextcloud/README.md b/roles/nextcloud/README.md index d47739523..805afa7db 100644 --- a/roles/nextcloud/README.md +++ b/roles/nextcloud/README.md 
@@ -25,7 +25,7 @@ The Nextcloud suite is divided into three main categories: To further refine Nextcloud access controls based on IPv4 addresses, you can edit `/etc/apache2/sites-available/nextcloud.conf` _after_ it's created by this template: [/opt/iiab/iiab/roles/nextcloud/templates/nextcloud.conf.j2](https://github.com/iiab/iiab/blob/master/roles/nextcloud/templates/nextcloud.conf.j2) -(3) Strongly consider also setting `apache_high_php_limits: True` in the 3-BASE-SERVER section of /etc/iiab/local_vars.yml, to allocate important RAM/resources to PHP. Of course, enabling this might cause excess use of RAM/disk or other resources if not calibrated to your hardware and network! So _after_ install is complete, verify and evaluate these 5 settings in /etc/php/[ACTUAL PHP VERSION]/apache2/php.ini: +(3) Strongly consider also setting `nginx_high_php_limits: True` in the 3-BASE-SERVER section of /etc/iiab/local_vars.yml, to allocate important RAM/resources to PHP. Of course, enabling this might cause excess use of RAM/disk or other resources if not calibrated to your hardware and network! So _after_ install is complete, verify and evaluate these 5 settings in /etc/php/[ACTUAL PHP VERSION]/apache2/php.ini: - upload_max_filesize - post_max_size diff --git a/roles/nextcloud/defaults/main.yml b/roles/nextcloud/defaults/main.yml index 102319cb1..1cd008f8d 100644 --- a/roles/nextcloud/defaults/main.yml +++ b/roles/nextcloud/defaults/main.yml @@ -1,4 +1,4 @@ -# If using Nextcloud intensively, consider setting apache_high_php_limits in: +# If using Nextcloud intensively, consider setting nginx_high_php_limits in: # /etc/iiab/local_vars.yml # nextcloud_install: False 
@@ -15,29 +15,19 @@ # REMOVE /opt/nextcloud/version.php TO FORCE AN INSTALL OR REINSTALL OR UPGRADE nextcloud_url: /nextcloud -nextcloud_prefix: /opt -nextcloud_data_dir: "{{ content_base }}/nextcloud/data" # /library/nextcloud/data +nextcloud_prefix: "{{ doc_root }}" # /library/www/html (WAS /opt) +nextcloud_data_dir: "{{ content_base }}/nextcloud/data" # /library/nextcloud/data BUT NOT USED BY NEXTCLOUD AS OF 2020-02-15, so it defaults to /opt/nextcloud/data ?? # 2020-01-07: If installing IIAB often, download.nextcloud.com may throttle # you to ~100 kbit/sec, delaying your IIAB install by an hour or more (#2112). # The following line can avoid that: (but might install an older Nextcloud!) -# nextcloud_dl_url: http://d.iiab.io/packages -nextcloud_dl_url: https://download.nextcloud.com/server/releases - -# For OLD OS's where PHP 7.1+ isn't detected -- e.g. Raspbian 9, Debian 9, Ubuntu 16.04 -nextcloud_orig_src_file_old: latest-15.tar.bz2 -nextcloud_src_file_old: nextcloud_{{ nextcloud_orig_src_file_old }} -# For NEW OS's where PHP 7.1+ is auto-detected -- e.g. Raspbian 10, Debian 10 & Ubuntu 18.04 -nextcloud_orig_src_file: latest.tar.bz2 -nextcloud_src_file: nextcloud_{{ nextcloud_orig_src_file }} +# nextcloud_dl_url: http://d.iiab.io/packages/latest.tar.bz2 +nextcloud_dl_url: https://download.nextcloud.com/server/releases/latest.tar.bz2 # We install on MySQL with these settings: nextcloud_dbname: nextcloud -nextcloud_dbhost: localhost nextcloud_dbuser: nextcloud nextcloud_dbpassword: nextcloudmysql -nextcloud_user: nextcloud -nextcloud_user_password: nextcloudmysql nextcloud_admin_user: 'Admin' nextcloud_admin_password: 'changeme' diff --git a/roles/nextcloud/tasks/install.yml b/roles/nextcloud/tasks/install.yml index cf1d233a5..c37269910 100644 --- a/roles/nextcloud/tasks/install.yml +++ b/roles/nextcloud/tasks/install.yml 
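Review bot: Setting `nextcloud_prefix: "{{ doc_root }}"` moves the whole Nextcloud tree, including `config/config.php` (DB password, instance secret, salt) and whatever directory Nextcloud picks for data, under the web root, and the comment on `nextcloud_data_dir` admits the real data location is now unknown ("?? "). Nextcloud's own guidance is to keep the data directory outside the document root; here the only barrier is the `deny all` regex in the NGINX template. Pass `--data-dir "{{ nextcloud_data_dir }}"` to `occ maintenance:install` in setup.yml (and create that dir as `{{ apache_user }}`, mode 0750) so data stays at `/library/nextcloud/data`, then replace the `??` comment with the verified path. `nextcloud_dbpassword: nextcloudmysql` and `nextcloud_admin_password: 'changeme'` remain fixed, published defaults; at minimum the comment should say they must be overridden in /etc/iiab/local_vars.yml before install.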
@@ -1,183 +1,74 @@ -# CHECK FOR PHP VERSION AUTOMATICALLY, TO DETERMINE WHICH NEXTCLOUD TO INSTALL. -# INSPIRED BY: github.com/iiab/iiab/blob/master/roles/nodejs/tasks/main.yml#L10-L54 - -- name: Try to run 'php -v' to get PHP version - # e.g. converts multi-line "PHP 7.0.33-0ubuntu0.16.04.5 (cli) ( NTS ) ..." to "7.0.33" - shell: php -v | head -1 | sed 's/^[^0-9.]*//' | sed 's/[^0-9.].*//' - register: php_version_installed - #ignore_errors: yes # NOT NEC: if php is not installed, php_version_installed.stdout will get set to "" - -#- debug: -# var: php_version_installed - -# NOTE: this could easily be made to work even if PHP was not installed, e.g. -# by pre-initializing variable 'php_new' to False here. But trapping the -# absence of PHP (below) is a useful software safety precondition! -# -#- name: Initialize var 'php_new' to False -# set_fact: -# php_new: False - -- name: INTENTIONALLY FAIL, IF PHP (Nextcloud prerequisite) ISN'T INSTALLED - fail: - msg: > - Nextcloud install cannot proceed, as it requires PHP be installed first. - Note that as of 2019-07-04, IIAB takes care of this by forcing vars - mysql_install and mysql_enabled to True in - /opt/iiab/iiab/roles/0-init/tasks/main.yml, which in turn forces the - installation of PHP in /opt/iiab/iiab/roles/mysql/tasks/main.yml, as - invoked by /opt/iiab/iiab/roles/3-base-server/tasks/main.yml - when: php_version_installed.stdout == "" - -- name: Set var 'php_new' indicating if installed version of PHP ({{ php_version_installed.stdout }}) >= 7.1, as required by Nextcloud 16 - set_fact: - php_new: "{{ php_version_installed.stdout is version('7.1', '>=') }}" - # Ansible's Version Comparison routine: - # https://docs.ansible.com/ansible/latest/user_guide/playbooks_tests.html#version-comparison - when: php_version_installed.stdout != "" # i.e. 
IF ABOVE 'php -v' WORKED - -#- debug: -# var: php_new - - -- name: Download {{ nextcloud_dl_url }}/{{ nextcloud_orig_src_file_old }} to {{ downloads_dir }}/{{ nextcloud_src_file_old }} on older OS's lacking PHP 7.1+ - get_url: - url: "{{ nextcloud_dl_url }}/{{ nextcloud_orig_src_file_old }}" - dest: "{{ downloads_dir }}/{{ nextcloud_src_file_old }}" - timeout: "{{ download_timeout }}" - force: yes - #validate_certs: False # TEMPORARY ON/AFTER 2018-07-22 AS download.nextcloud.com CERT EXPIRED: https://github.com/iiab/iiab/issues/954 - #async: 1800 - #poll: 10 - when: internet_available and not php_new - #when: internet_available and nextcloud_force_install and (is_debian_9 or is_raspbian_9 or is_ubuntu_16) - -- name: Download {{ nextcloud_dl_url }}/{{ nextcloud_orig_src_file }} to {{ downloads_dir }}/{{ nextcloud_src_file }} on newer OS's that have PHP 7.1+ - get_url: - url: "{{ nextcloud_dl_url }}/{{ nextcloud_orig_src_file }}" - dest: "{{ downloads_dir }}/{{ nextcloud_src_file }}" - timeout: "{{ download_timeout }}" - force: yes - #validate_certs: False # TEMPORARY ON/AFTER 2018-07-22 AS download.nextcloud.com CERT EXPIRED: https://github.com/iiab/iiab/issues/954 - #async: 1800 - #poll: 10 - when: internet_available and php_new - #when: internet_available and nextcloud_force_install and not (is_debian_9 or is_raspbian_9 or is_ubuntu_16) - -# Ubuntu and Debian treat names differently -- name: Install 4 php packages (debian/raspian) +# https://docs.nextcloud.com/server/18/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation +- name: Install ffmpeg + libxml2 + 21 php packages package: name: - - "libapache2-mod-php{{ php_version }}" - - "php{{ php_version }}-imagick" - - "php{{ php_version }}-mbstring" - - "php{{ php_version }}-zip" - state: present - when: is_debian | bool - -# Ubuntu and Debian treat names differently -- name: Install 4 php packages (ubuntu) - package: - name: - - libapache2-mod-php - - php-imagick + #- dnsutils # 
NOT REQUESTED by Nextcloud + - ffmpeg # Optional (for preview generation) + - libxml2 # php-libxml requires libxml2 >= 2.7.0 + #- libapache2-mod-php # 2020-02-15: NO LONGER NEEDED? + - php-bz2 # Optional (for extraction of apps) + #- php-cli # NOT REQUESTED by Nextcloud + #- php-common # NOT REQUESTED by Nextcloud + - php-ctype + - php-curl + - php-dom + - php-exif # Optional (for image rotation in pictures app) + - php-fileinfo # Optional (enhances file analysis performance) + - php-fpm # Optional (FastCGI Process Manager) + - php-gd + - php-gmp # Optional (for SFTP storage) + - php-iconv + - php-imagick # Optional (for preview generation) + - php-intl # Optional (increases language translation performance and fixes sorting of non-ASCII characters) + - php-json + #- php-libxml # NOT INSTALLABLE: ENABLED BY DEFAULT (https://www.php.net/manual/en/libxml.installation.php) - php-mbstring + - php-mysql + #- php-openssl # NOT INSTALLABLE: ENABLED BY DEFAULT? + #- php-pdo_mysql # NOT INSTALLABLE: php-mysql handles this on all OS's? + - php-posix + #- php-redis # @m-anish future work? + #- php-session # NOT INSTALLABLE: ENABLED BY DEFAULT? + - php-simplexml + - php-smbclient # Optional (SMB/CIFS integration + #- php-xml # NOT REQUESTED by Nextcloud + - php-xmlreader + - php-xmlwriter - php-zip + #- php-zlib # NOT INSTALLABLE: ENABLED BY DEFAULT? state: present - when: is_ubuntu | bool -- name: Install 5 more php packages (debuntu) - package: - name: - - "php{{ php_version }}-gd" - - "php{{ php_version }}-json" - - "php{{ php_version }}-mysql" - - "php{{ php_version }}-curl" - - "php{{ php_version }}-intl" - state: present - when: is_debuntu | bool - -- name: 'Install php{{ php_version }}-mcrypt IF this is a "pre-2018" distro in the debuntu family. NOTE: PHP 7.1 deprecated mcrypt 1-Dec-2016 and PHP 7.2 dropped it completely 30-Nov-2017, as it should no longer be nec.' 
- package: - name: "php{{ php_version }}-mcrypt" - state: present - when: is_debian_8 or is_debian_9 or is_ubuntu_16 or is_ubuntu_17 - # NOT NEC TO TEST FOR is_raspbian_8 OR is_raspbian_9 AS /opt/iiab/iiab/vars/.yml - # DEFINES THESE AS SUBSETS OF is_debian_8 OR is_debian_9 (FOR NOW!) - -## we need to install the rpm in order to get the dependencies -## but we only need to do this the first time -# -#- name: Install 7 php packages (redhat) -# package: -# name: -# - php -# - php-gd -# - php-json -# - php-mysql -# - php-curl -# - php-intl -# - php-mcrypt -# # CentOS does not have a package for php-imagick -# #- php-imagick -# state: present -# when: is_redhat | bool - -- name: Unarchive {{ nextcloud_src_file_old }} to permanent location {{ nextcloud_prefix }}/nextcloud on older OS's lacking PHP 7.1+ # i.e. unpack nextcloud_latest-15.tar.bz2 to /opt/nextcloud - unarchive: - src: "{{ downloads_dir }}/{{ nextcloud_src_file_old }}" - dest: "{{ nextcloud_prefix }}" - #creates: "{{ nextcloud_prefix }}/nextcloud/version.php" - when: not php_new - #when: nextcloud_force_install and (is_debian_9 or is_raspbian_9 or is_ubuntu_16) - -- name: Unarchive {{ nextcloud_src_file }} to permanent location {{ nextcloud_prefix }}/nextcloud on newer OS's that have PHP 7.1+ # i.e. unpack nextcloud_latest-16.tar.bz2 to /opt/nextcloud - unarchive: - src: "{{ downloads_dir }}/{{ nextcloud_src_file }}" - dest: "{{ nextcloud_prefix }}" - #creates: "{{ nextcloud_prefix }}/nextcloud/version.php" - when: php_new | bool - #when: nextcloud_force_install and not (is_debian_9 or is_raspbian_9 or is_ubuntu_16) - -#- name: Create dir /etc/nextcloud (centos) for a subsequent config dir that's symlinked to /etc/nextcloud ? 
-# file: -# path: /etc/nextcloud -# state: directory -# when: is_centos | bool -# -#- name: Install {{ nextcloud_prefix }}/nextcloud/config/autoconfig.php from template (centos) -# template: -# src: autoconfig.php.j2 -# dest: "{{ nextcloud_prefix }}/nextcloud/config/autoconfig.php" -# owner: "{{ apache_user }}" -# group: "{{ apache_user }}" -# mode: '0640' -# when: is_centos | bool - -- name: chown -R {{ apache_user }}:{{ apache_user }} {{ nextcloud_prefix }}/nextcloud +- name: Create dir {{ nextcloud_prefix }}{{ nextcloud_url }} file: - path: "{{ nextcloud_prefix }}/nextcloud" # /opt - owner: "{{ apache_user }}" - group: "{{ apache_user }}" - recurse: yes state: directory + path: "{{ nextcloud_prefix }}{{ nextcloud_url }}" # /library/www/html + /nextcloud -- name: Create data directory {{ nextcloud_data_dir }} - file: - path: "{{ nextcloud_data_dir }}" # /opt/nextcloud/data - owner: "{{ apache_user }}" +- name: Unarchive {{ nextcloud_dl_url }} to {{ nextcloud_prefix }}{{ nextcloud_url }} ({{ apache_user }}:{{ apache_user }}) + unarchive: + remote_src: yes + src: "{{ nextcloud_dl_url }}" + dest: "{{ nextcloud_prefix }}{{ nextcloud_url }}" # /library/www/html + /nextcloud + owner: "{{ apache_user }}" # apache2 on debuntu group: "{{ apache_user }}" - mode: '0750' - state: directory + extra_opts: --strip-components=1 + when: internet_available -- name: Install Apache's nextcloud.conf from template, for http://box/nextcloud +# - name: "NOT USED FOR NOW: Create data dir {{ nextcloud_data_dir }}" +# file: +# state: directory +# path: "{{ nextcloud_data_dir }}" # /library/nextcloud/data NOT USED BY NEXTCLOUD AS OF 2020-02-15 ...Nextcloud defaults to /opt/nextcloud/data OR /library/www/html/nextcloud/data ?? 
+# owner: "{{ apache_user }}" +# group: "{{ apache_user }}" +# mode: '0750' + +- name: Provision Nextcloud's MySQL DB, run Nextcloud's install wizard, etc + include_tasks: setup.yml + +- name: Install /etc/{{ apache_conf_dir }}/nextcloud.conf from template, for http://box/nextcloud template: src: nextcloud.conf.j2 - dest: "/etc/{{ apache_conf_dir }}/nextcloud.conf" - - -- name: Provision Nextcloud's MySQL DB, run Nextcloud's install wizard etc - include_tasks: setup.yml + dest: "/etc/{{ apache_conf_dir }}/nextcloud.conf" # apache2/sites-available on debuntu + when: apache_installed | bool # RECORD Nextcloud AS INSTALLED diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml index bb69fefe0..5c3b2772f 100644 --- a/roles/nextcloud/tasks/main.yml +++ b/roles/nextcloud/tasks/main.yml @@ -22,14 +22,11 @@ - name: Install Nextcloud if 'nextcloud_installed' not defined, e.g. in {{ iiab_state_file }} # /etc/iiab/iiab_state.yml include_tasks: install.yml when: nextcloud_installed is undefined -# -# ABOVE install.yml RUNS setup.yml -#- name: Enable/Disable/Restart Apache if primary -- name: SHIM FOR NOW SO ALWAYS DO THE...Enable/Disable/Restart Apache +- name: Enable/Disable/Restart Apache if primary include_tasks: apache.yml - #when: not nginx_enabled + when: not nginx_enabled - name: Enable/Disable/Restart NGINX if primary include_tasks: nginx.yml @@ -47,11 +44,9 @@ value: Nextcloud - option: description value: '"Nextcloud is a local server-based facility for sharing files, photos, contacts, calendars, etc."' - - option: path - value: "{{ nextcloud_prefix }}/nextcloud" - - option: nextcloud_orig_src_file - value: "{{ nextcloud_orig_src_file }}" - - option: nextcloud_src_file - value: "{{ nextcloud_src_file }}" + - option: nextcloud_prefix + value: "{{ nextcloud_prefix }}" + - option: nextcloud_url + value: "{{ nextcloud_url }}" - option: nextcloud_enabled value: "{{ nextcloud_enabled }}" 
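Review bot: The new `unarchive` task fetches `{{ nextcloud_dl_url }}` with `remote_src: yes` and no integrity check, and because the URL is the unpinned `latest.tar.bz2` there is no fixed digest that could be compared; the extracted PHP is then owned by `{{ apache_user }}` inside the document root, so a substituted tarball executes as the web server on first request. Pin a release in `nextcloud_dl_url`, fetch it with `get_url` plus `checksum: "sha256:<digest>"` (Nextcloud publishes `.sha256`/`.asc` files next to each release), and unarchive the local copy — the commented `http://d.iiab.io/packages` mirror in defaults is plain HTTP, so a checksum matters even more there. Separately, when `internet_available` is false the `Create dir` task still runs but nothing is unpacked, and the unconditional `include_tasks: setup.yml` then runs `php .../occ status` against an empty directory; either gate the include on the unarchive result or `fail:` early with a clear message.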
diff --git a/roles/nextcloud/tasks/nginx.yml b/roles/nextcloud/tasks/nginx.yml index 80001b232..e2e7db20f 100644 --- a/roles/nextcloud/tasks/nginx.yml +++ b/roles/nextcloud/tasks/nginx.yml @@ -10,7 +10,10 @@ state: absent when: not nextcloud_enabled -- name: Restart 'nginx' systemd service +- name: Restart 'nginx' & 'php{{ php_version }}-fpm' systemd services systemd: - name: nginx + name: "{{ item }}" state: restarted + with_items: + - nginx + - "php{{ php_version }}-fpm" diff --git a/roles/nextcloud/tasks/setup.yml b/roles/nextcloud/tasks/setup.yml index dda083f15..6e659a1b5 100644 --- a/roles/nextcloud/tasks/setup.yml +++ b/roles/nextcloud/tasks/setup.yml @@ -9,13 +9,21 @@ password: "{{ nextcloud_dbpassword }}" priv: "{{ nextcloud_dbname }}.*:ALL,GRANT" with_items: - - "{{ nextcloud_dbhost }}" - 127.0.0.1 - ::1 - localhost -# The install wizard fails if already installed. -- name: Determine if Nextcloud is installed + +#- name: Install {{ nextcloud_prefix }}/nextcloud/config/autoconfig.php from template +# template: +# src: autoconfig.php.j2 +# dest: "{{ nextcloud_prefix }}/nextcloud/config/autoconfig.php" +# owner: "{{ apache_user }}" +# group: "{{ apache_user }}" +# mode: '0640' + + +- name: Determine if Nextcloud is installed (causes install wizard to fail) shell: > php {{ nextcloud_prefix }}/nextcloud/occ status | gawk '/installed:/ { print $3 }' @@ -23,7 +31,7 @@ become_user: "{{ apache_user }}" register: returned -- name: Run Nextcloud initial install wizard +- name: Run Nextcloud initial install wizard (if absolutely nec, manually drop MySQL db '{{ nextcloud_dbname }}') shell: > cd {{ nextcloud_prefix }}/nextcloud; php occ maintenance:install 
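Review bot: The restart task now bounces `php{{ php_version }}-fpm` — the pool shared by every PHP application behind NGINX — on every run of this role, whether or not `nextcloud-nginx.conf` actually changed and even when `nextcloud_enabled` is false. Register the template/`state: absent` tasks above and add `when: nextcloud_conf is changed`, or move both restarts into handlers; for nginx itself `state: reloaded` avoids dropping in-flight connections. Style: `loop:` is the current Ansible idiom over `with_items:`.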
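Review bot: The `mysql_user` task being edited here still grants `priv: "{{ nextcloud_dbname }}.*:ALL,GRANT"`, so the application account can hand its privileges to other accounts; Nextcloud only needs rights on its own schema, so `priv: "{{ nextcloud_dbname }}.*:ALL"` is the least-privilege form and this hunk, which already trims the host list, is the place to fix it. The renamed task `Determine if Nextcloud is installed (causes install wizard to fail)` reads as if the check itself causes a failure; the original comment meant the wizard fails when already installed, e.g. `Determine if Nextcloud is already installed (occ maintenance:install fails if so)`.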
@@ -35,52 +43,18 @@ --admin-pass "{{ nextcloud_admin_password }}" become: yes become_user: "{{ apache_user }}" - when: nextcloud_enabled and returned.stdout == "false" + when: returned.stdout == "false" # and nextcloud_enabled + + +# https://docs.nextcloud.com/server/18/admin_manual/installation/source_installation.html#php-fpm-configuration-notes +- name: Set 'clear_env = no' in /etc/php/{{ php_version }}/fpm/pool.d/www.conf + lineinfile: + path: "/etc/php/{{ php_version }}/fpm/pool.d/www.conf" + regexp: '^clear_env' + insertafter: ';.*clear_env' + line: 'clear_env = no' -# RELATED: /etc/apache2/sites-available/nextcloud.conf sourced from -# https://github.com/iiab/iiab/blob/master/roles/nextcloud/templates/nextcloud.conf.j2 - name: 'Allow Nextcloud access from all hosts and IP addresses (SEE ALSO: /etc/apache2/sites-available/nextcloud.conf)' command: php {{ nextcloud_prefix }}/nextcloud/occ config:system:set trusted_domains 1 --value=* become: yes become_user: "{{ apache_user }}" - when: nextcloud_enabled and returned.stdout == "false" - -# Code below was NEVER RUNNING as of 2018-10-29, as "wc | cut -d' ' -f1" ALWAYS -# returns null (rather than the intended returned_count !) This line could -# be replaced by ALTERNATIVE 1 or ALTERNATIVE 2 below IF it truly needs fixing. -# -# Or perhaps default user/password nextcloud/nextcloudmysql (from variables -# nextcloud_user/nextcloud_user_password) is just not needed in the end... 
-# -# NOTE: COMMENTS (FOLLOWING '#' SIGN) WITHIN A SHELL COMMAND CAUSE IT TO *FAIL* -# -#- name: Determine if Nextcloud user exists already -# shell: > -# php {{ nextcloud_prefix }}/nextcloud/occ user:list | -# grep {{ nextcloud_user }} | wc | cut -d' ' -f1 # USELESS -# #grep {{ nextcloud_user }} | wc -l # ALTERNATIVE 1 -# #grep {{ nextcloud_user }} | wc | awk '{print $1}' # ALTERNATIVE 2 -# become: yes -# become_user: "{{ apache_user }}" -# register: returned_count -# -# debug: -# var: returned_count -# -## nextcloud wants to make users rather than just mysql users and not done -#- name: Create the default user -# shell: > -# OC_PASS={{ nextcloud_user_password }}; -# php {{ nextcloud_prefix }}/nextcloud/occ user:add -# --password-from-env --display-name={{ nextcloud_user }} -# --group="users" {{ nextcloud_user }} -# become: yes -# become_user: "{{ apache_user }}" -# when: nextcloud_enabled and returned_count == "0" - -# 2019-09-04: NEXT 5 LINES APPEAR INEFFECTIVE DURING 1ST INSTALL? (possibly "overwrite.cli.url" appears later, when Nextcloud's web install completes using http://box/nextcloud ?) -- name: Try to remove overwrite.cli.url line (Rewrite URL) from /opt/nextcloud/config/config.php - lineinfile: - regexp: "overwrite.cli.url" - state: absent - path: "{{ nextcloud_prefix }}/nextcloud/config/config.php" diff --git a/roles/nextcloud/templates/autoconfig.php.j2 b/roles/nextcloud/templates/autoconfig.php.j2.unused similarity index 100% rename from roles/nextcloud/templates/autoconfig.php.j2 rename to roles/nextcloud/templates/autoconfig.php.j2.unused diff --git a/roles/nextcloud/templates/nextcloud-nginx.conf.j2 b/roles/nextcloud/templates/nextcloud-nginx.conf.j2 index 3e0b3e6b2..564ae072d 100644 --- a/roles/nextcloud/templates/nextcloud-nginx.conf.j2 +++ b/roles/nextcloud/templates/nextcloud-nginx.conf.j2 
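Review bot: `clear_env = no` is written into the shared `www` pool in `/etc/php/{{ php_version }}/fpm/pool.d/www.conf`, so the entire environment of the php-fpm master becomes readable by every PHP application served from that pool, not just Nextcloud. The Nextcloud FPM notes linked above need this only so PATH-like variables reach PHP; the narrower alternative they also describe is to leave `clear_env` alone and whitelist what is needed, e.g. `env[PATH] = /usr/local/bin:/usr/bin:/bin`, or give Nextcloud its own pool file. Removing the `when:` from the `trusted_domains 1 --value=*` task also makes the wildcard re-applied on every run; Nextcloud's config.sample.php describes `trusted_domains` as the check that prevents Host-header poisoning, and `*` accepts any Host, so consider populating it with the box's actual hostnames/IPs instead. Note that the php-fpm restart that makes `clear_env` take effect lives in nginx.yml and is not run from this file.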
@@ -1,10 +1,137 @@ -location {{ nextcloud_url }} { - proxy_pass http://127.0.0.1:{{ apache_port }}{{ nextcloud_url }}; -} +location ^~ /nextcloud { -location ~ {{ nextcloud_url }}/.*\.php$ { - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header Host $host; - proxy_pass http://127.0.0.1:{{ apache_port }}; + ## Add headers to serve security related headers + ## Before enabling Strict-Transport-Security headers please read into this + ## topic first. + ##add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; + ## + ## WARNING: Only add the preload option once you read about + ## the consequences in https://hstspreload.org/. This option + ## will add the domain to a hardcoded list that is shipped + ## in all major browsers and getting removed from this list + ## could take several months. + # + # THESE 1 + 6 ALSO APPEAR ~100 LINES BELOW + # + #add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + + ## Remove X-Powered-By, which is an information leak + #fastcgi_hide_header X-Powered-By; + + # Path to the root of your installation + root {{ doc_root }}/; # /library/www/html + + location = /nextcloud/robots.txt { + allow all; + log_not_found off; + access_log off; + } + + # The following 2 rules are only needed for the user_webfinger app. + # Uncomment it if you're planning to use this app. + #rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; + + # The following rule is only needed for the Social app. + # Uncomment it if you're planning to use this app. 
+ #rewrite ^/.well-known/webfinger /public.php?service=webfinger last; + + location = /nextcloud/.well-known/carddav { + return 301 $scheme://$host/remote.php/dav; + } + location = /nextcloud/.well-known/caldav { + return 301 $scheme://$host/remote.php/dav; + } + + # set max upload size + client_max_body_size 512M; + fastcgi_buffers 64 4K; + + # Enable gzip but do not remove ETag headers + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + # Uncomment if your server is build with the ngx_pagespeed module + # This module is currently not supported. 
+ #pagespeed off; + + location /nextcloud/ { + rewrite ^ /nextcloud/index.php; + } + + location ~ ^\/nextcloud\/(?:build|tests|config|lib|3rdparty|templates|data)\/ { + deny all; + } + location ~ ^\/nextcloud\/(?:\.|autotest|occ|issue|indie|db_|console) { + deny all; + } + + location ~ ^\/nextcloud\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) { + fastcgi_split_path_info ^(.+?\.php)(\/.*|)$; + set $path_info $fastcgi_path_info; + try_files $fastcgi_script_name =404; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $path_info; + #fastcgi_param HTTPS on; + # Avoid sending the security headers twice + fastcgi_param modHeadersAvailable true; + # Enable pretty urls + fastcgi_param front_controller_active true; + fastcgi_pass php; + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + } + + location ~ ^\/nextcloud\/(?:updater|oc[ms]-provider)(?:$|\/) { + try_files $uri/ =404; + index index.php; + } + + # Adding the cache control header for js, css and map files + # Make sure it is BELOW the PHP block + location ~ ^\/nextcloud\/.+[^\/]\.(?:css|js|woff2?|svg|gif|map)$ { + try_files $uri /nextcloud/index.php$request_uri; + add_header Cache-Control "public, max-age=15778463"; + # Add headers to serve security related headers (It is intended to + # have those duplicated to the ones above) + # Before enabling Strict-Transport-Security headers please read into + # this topic first. + #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; + # + # WARNING: Only add the preload option once you read about + # the consequences in https://hstspreload.org/. This option + # will add the domain to a hardcoded list that is shipped + # in all major browsers and getting removed from this list + # could take several months. 
+ # + # THESE 1 + 6 ALSO APPEAR ~100 LINES ABOVE + # + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + + # Optional: Don't log access to assets + access_log off; + } + + location ~ ^\/nextcloud\/.+[^\/]\.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ { + try_files $uri /nextcloud/index.php$request_uri; + # Optional: Don't log access to other assets + access_log off; + } } diff --git a/roles/nextcloud/templates/nextcloud-nginx.conf.j2.shim.unused b/roles/nextcloud/templates/nextcloud-nginx.conf.j2.shim.unused new file mode 100644 index 000000000..3e0b3e6b2 --- /dev/null +++ b/roles/nextcloud/templates/nextcloud-nginx.conf.j2.shim.unused @@ -0,0 +1,10 @@ +location {{ nextcloud_url }} { + proxy_pass http://127.0.0.1:{{ apache_port }}{{ nextcloud_url }}; +} + +location ~ {{ nextcloud_url }}/.*\.php$ { + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header Host $host; + proxy_pass http://127.0.0.1:{{ apache_port }}; +} diff --git a/roles/nginx/README.md b/roles/nginx/README.md index 5bf1eea0c..c44210946 100644 --- a/roles/nginx/README.md +++ b/roles/nginx/README.md @@ -28,6 +28,7 @@ * kolibri * mediawiki * munin + * nextcloud * sugarizer * wordpress 
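Review bot: `fastcgi_param modHeadersAvailable true;` tells Nextcloud to stop sending its own security headers, yet in the outer `location ^~ /nextcloud` block — the one the PHP location inherits `add_header` from — `Referrer-Policy` is commented out and `fastcgi_hide_header X-Powered-By` too, so every PHP response now has no Referrer-Policy while static assets do; uncomment `add_header Referrer-Policy "no-referrer" always;` and `fastcgi_hide_header X-Powered-By;` there, or drop `modHeadersAvailable`. Every location hard-codes `/nextcloud` instead of `{{ nextcloud_url }}`, so changing that variable silently disables the `deny all` rules for `config|data|lib|...` while the Apache/iiab.ini side still uses the variable. The two `.well-known` redirects send clients to `$scheme://$host/remote.php/dav`, omitting the `/nextcloud` prefix, which 404s on this layout. `fastcgi_pass php;` presumes an upstream named `php` defined in another NGINX file — not visible in this patch, so verify it exists.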
@@ -35,7 +36,6 @@ * elgg * lokole * moodle - * nextcloud ([PR #2119](https://github.com/iiab/iiab/pull/2119)) [*] * nodered 4. These each run their own web server or non-web / backend services, e.g. off of their own [unique port(s)](https://github.com/iiab/iiab/wiki/IIAB-Networking#list-of-ports--services) (IIAB home pages link directly to these destinations). In future we'd like mnemonic URL's for all of these: (e.g. http://box/calibre, http://box/archive, http://box/kalite) @@ -46,4 +46,4 @@ * openvpn [*] * pbx [*] -[*] The 6 above starred roles could use improvement, as of 2020-02-14. +[*] The 5 above starred roles could use improvement, as of 2020-02-15. diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml index c7d736510..25eb624b3 100644 --- a/roles/nginx/defaults/main.yml +++ b/roles/nginx/defaults/main.yml @@ -10,5 +10,8 @@ # nginx_conf_dir: /etc/nginx/conf.d # nginx_log_dir: /var/log/nginx +# For schools that use WordPress/Nextcloud/Moodle intensively: +# nginx_high_php_limits: False + # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing! diff --git a/roles/wordpress/defaults/main.yml b/roles/wordpress/defaults/main.yml index 2055c0ded..a66698386 100644 --- a/roles/wordpress/defaults/main.yml +++ b/roles/wordpress/defaults/main.yml @@ -1,4 +1,4 @@ -# If using WordPress intensively, consider setting apache_high_php_limits in: +# If using WordPress intensively, consider setting nginx_high_php_limits in: # /etc/iiab/local_vars.yml # wordpress_install: False diff --git a/roles/www_back_end/tasks/main.yml b/roles/www_back_end/tasks/main.yml index 12741954f..0129887d4 100644 --- a/roles/www_back_end/tasks/main.yml +++ b/roles/www_back_end/tasks/main.yml 
@@ -9,23 +9,28 @@ - include_tasks: php-stem.yml -# 2020-02-12: DOES THE FLAG BELOW (apache_high_php_limits) WORK WITH NGINX TOO? # COMPARE apache_allow_sudo @ roles/www_front_end/tasks/main.yml # For schools that use WordPress/Nextcloud/Moodle intensively. iiab/iiab#1147 # WARNING: Enabling this might cause excess use of RAM/disk or other resources! -- name: Enact high limits in /etc/php/{{ php_version }}/{{ apache_service }}/php.ini if using WordPress/Nextcloud/Moodle intensively +- name: Enact high limits in /etc/php/{{ php_version }}/fpm/php.ini if using WordPress/Nextcloud/Moodle intensively lineinfile: - path: "/etc/php/{{ php_version }}/{{ apache_service }}/php.ini" + path: "/etc/php/{{ php_version }}/fpm/php.ini" + #path: "/etc/php/{{ php_version }}/{{ apache_service }}/php.ini" regexp: "{{ item.regexp }}" line: "{{ item.line }}" - when: apache_high_php_limits | bool with_items: - { regexp: '^upload_max_filesize', line: 'upload_max_filesize = 500M ; default is 2M' } - { regexp: '^post_max_size', line: 'post_max_size = 500M ; default is 8M' } - - { regexp: '^memory_limit', line: 'memory_limit = 256M ; default is 128M / Nextcloud requests 512M' } + - { regexp: '^memory_limit', line: 'memory_limit = 512M ; default is 128M / Nextcloud requests 512M' } - { regexp: '^max_execution_time', line: 'max_execution_time = 300 ; default is 30' } - { regexp: '^max_input_time', line: 'max_input_time = 300 ; default is 60' } + when: nginx_high_php_limits | bool + +- name: Restart 'php{{ php_version }}-fpm' systemd services + systemd: + name: "php{{ php_version }}-fpm" + state: restarted - name: Create dir {{ doc_root }}/home -- if you customized var iiab_home_url e.g. in /etc/iiab/local_vars.yml, that dir is created later -- by www_front_end/tasks/main.yml diff --git a/roles/www_front_end/tasks/main.yml b/roles/www_front_end/tasks/main.yml index af3672bbe..2e0220a54 100644 --- a/roles/www_front_end/tasks/main.yml +++ b/roles/www_front_end/tasks/main.yml 
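Review bot: The new `Restart 'php{{ php_version }}-fpm' systemd services` task has `state: restarted` with no `when` and no handler, so every playbook run restarts php-fpm and drops in-flight PHP requests even when the php.ini edit above it changed nothing, and it runs whether or not php-fpm is present on the host (nothing in this hunk installs it). Register the lineinfile result and gate the restart on it, e.g. `register: php_ini` on the lineinfile task and `when: php_ini.changed` on the restart, or replace the task with `notify: restart php-fpm` and a matching handler. Whichever form is chosen, the restart should also carry the `nginx_high_php_limits | bool` condition so hosts with the flag off are never touched.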
@@ -29,7 +29,7 @@ # gives more details here: http://FAQ.IIAB.IO # 2020-02-12: DOES THE FLAG BELOW (apache_allow_sudo) WORK WITH NGINX TOO ? -# COMPARE apache_high_php_limits @ roles/www_back_end/tasks/main.yml +# COMPARE nginx_high_php_limits @ roles/www_back_end/tasks/main.yml - name: Give {{ apache_user }} (per variable apache_user) permission to poweroff, installing /etc/sudoers.d/020_apache_poweroff from template template: diff --git a/vars/default_vars.yml b/vars/default_vars.yml index 17b435793..2a4161c48 100644 --- a/vars/default_vars.yml +++ b/vars/default_vars.yml @@ -236,6 +236,12 @@ exFAT_enabled: True admin_console_install: True admin_console_enabled: True +# MySQL MANDATORY - THESE 2 VARS HAVE NO EFFECT - SEE roles/0-init/tasks/main.yml & roles/mysql/tasks/main.yml +mysql_install: True +mysql_enabled: True +# mysql_root_password: $6$iiab51$3ICIW0CLWxxMW2a3yrHZ38ukZItD5tcadL4rWcE9D.qIGStxhh8rRsaSxoj3b.MYxI/VRDNjpzSYK/V6zkWFI0 +mysql_root_password: fixmysql + # 2019-01-13: IIAB's use of NGINX is still evolving -- please review this # evolving doc: https://github.com/iiab/iiab/blob/master/roles/nginx/README.md nginx_install: True @@ -244,6 +250,13 @@ nginx_port: 80 nginx_interface: 0.0.0.0 nginx_conf_dir: /etc/nginx/conf.d nginx_log_dir: /var/log/nginx +# +# For schools that use WordPress/Nextcloud/Moodle intensively: +nginx_high_php_limits: False +# WARNING: Enabling this might cause excess use of RAM/disk or other resources! +# SO AFTER INSTALLING IIAB, VERIFY THAT THESE 5 SETTINGS... +# https://github.com/iiab/iiab/blob/master/roles/www_back_end/tasks/main.yml#L23-L27 +# ...ARE SUITABLE FOR YOUR HARDWARE, for: /etc/php//fpm/php.ini # See also Apache vars {default_language, language_priority} @ top of this file apache_install: True 
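Review bot: The relocated `mysql_root_password: fixmysql` line ships a well-known plaintext MySQL root password as the default, directly under a commented-out hashed variant, and nothing in the hunk tells the reader it must be changed. Because this vars file is the template users copy into /etc/iiab/local_vars.yml, add a warning above it such as `# CHANGE THIS in /etc/iiab/local_vars.yml before installing: the default is public and identical on every IIAB box`, or have the mysql role generate a random password when the default is left in place. How the mysql role consumes this value is outside this hunk, so the generation option is only a suggestion.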
@@ -253,22 +266,9 @@ apache_enabled: False apache_port: 8090 apache_interface: 127.0.0.1 # 2020-01-13: Var unused # -# For schools that use WordPress/Nextcloud/Moodle intensively: iiab/iiab#1147 -apache_high_php_limits: False -# WARNING: Enabling this might cause excess use of RAM/disk or other resources! -# SO AFTER INSTALLING IIAB, VERIFY THAT THESE 5 SETTINGS... -# https://github.com/iiab/iiab/blob/master/roles/httpd/tasks/main.yml#L80-L84 -# ...ARE SUITABLE FOR YOUR HARDWARE IN /etc/php//apache2/php.ini -# # Make this False to disable http://box/common/services/power_off.php button: apache_allow_sudo: True -# MySQL MANDATORY - THESE 2 VARS HAVE NO EFFECT - SEE roles/0-init/tasks/main.yml & roles/mysql/tasks/main.yml -mysql_install: True -mysql_enabled: True -# mysql_root_password: $6$iiab51$3ICIW0CLWxxMW2a3yrHZ38ukZItD5tcadL4rWcE9D.qIGStxhh8rRsaSxoj3b.MYxI/VRDNjpzSYK/V6zkWFI0 -mysql_root_password: fixmysql - # 4-SERVER-OPTIONS @@ -399,7 +399,7 @@ nodered_port: 1880 nodered_web_path: nodered # Store your docs, calendar, contacts & photos on your local server not cloud! -# If using WordPress intensively, set apache_high_php_limits in 3-BASE-SERVER +# If using WordPress intensively, set nginx_high_php_limits in 3-BASE-SERVER nextcloud_install: False nextcloud_enabled: False nextcloud_allow_public_ips: False @@ -409,7 +409,7 @@ nextcloud_allow_public_ips: False # 2020-01-07: If installing IIAB often, download.nextcloud.com may throttle # you to ~100 kbit/sec, delaying your IIAB install by an hour or more (#2112). # Uncomment the following line to end that: (might install an older Nextcloud!) -# nextcloud_dl_url: http://d.iiab.io/packages +# nextcloud_dl_url: http://d.iiab.io/packages/latest.tar.bz2 # A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX. # Works on Ubuntu 18.04, Debian 9 w/ Node.js 10.x. Experimental on RPi 3. 
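Review bot: The alternate `nextcloud_dl_url` now points at a fixed tarball over plain `http://d.iiab.io/packages/latest.tar.bz2`, so an operator who uncomments it fetches the Nextcloud code that will later hold user files and credentials over an unauthenticated channel, and nothing here pins a checksum. Prefer `https://` if the mirror supports it, and have the install task verify the archive (for example `checksum: sha256:...` on `get_url`) regardless of which URL is chosen. The download task itself is outside this hunk and may already verify something; if it does, a short note here saying so would stop the next reader raising the same question.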
@@ -421,7 +421,7 @@ pbx_signaling_ports_chan_pjsip: "5060" pbx_data_ports: "10000:20000" pbx_http_port: 83 -# If using WordPress intensively, set apache_high_php_limits in 3-BASE-SERVER +# If using WordPress intensively, set nginx_high_php_limits in 3-BASE-SERVER wordpress_install: False wordpress_enabled: False @@ -452,7 +452,7 @@ iiab_zim_path: "{{ content_base }}/zims" # /library/zims moodle_install: False moodle_enabled: False -# If using Moodle intensively, set apache_high_php_limits in 3-BASE-SERVER +# If using Moodle intensively, set nginx_high_php_limits in 3-BASE-SERVER # MongoDB (/library/dbdata/mongodb) greatly enhances the Sugarizer experience. # This role was formerly installed by roles/sugarizer/meta/main.yml diff --git a/vars/local_vars_big.yml b/vars/local_vars_big.yml index 955c54fe4..53b2e0119 100644 --- a/vars/local_vars_big.yml +++ b/vars/local_vars_big.yml @@ -136,20 +136,20 @@ pi_swap_file_size: 1024 # 3-BASE-SERVER -# See also Apache vars {default_language, language_priority} @ top of this file -# -# For schools that use WordPress/Nextcloud/Moodle intensively: iiab/iiab#1147 -apache_high_php_limits: False +# roles/mysql runs here (mandatory) + +# For schools that use WordPress/Nextcloud/Moodle intensively: +nginx_high_php_limits: False # WARNING: Enabling this might cause excess use of RAM/disk or other resources! # SO AFTER INSTALLING IIAB, VERIFY THAT THESE 5 SETTINGS... -# https://github.com/iiab/iiab/blob/master/roles/httpd/tasks/main.yml#L80-L84 -# ...ARE SUITABLE FOR YOUR HARDWARE IN /etc/php//apache2/php.ini +# https://github.com/iiab/iiab/blob/master/roles/www_back_end/tasks/main.yml#L23-L27 +# ...ARE SUITABLE FOR YOUR HARDWARE, for: /etc/php//fpm/php.ini + +# See also Apache vars {default_language, language_priority} @ top of this file # # Make this False to disable http://box/common/services/power_off.php button: apache_allow_sudo: True -# roles/mysql runs here (mandatory) - # 4-SERVER-OPTIONS 
@@ -236,7 +236,7 @@ nodered_install: True nodered_enabled: True # Store your docs, calendar, contacts & photos on your local server not cloud! -# If using WordPress intensively, set apache_high_php_limits in 3-BASE-SERVER +# If using WordPress intensively, set nginx_high_php_limits in 3-BASE-SERVER nextcloud_install: True nextcloud_enabled: True nextcloud_allow_public_ips: False @@ -246,7 +246,7 @@ nextcloud_allow_public_ips: False # 2020-01-07: If installing IIAB often, download.nextcloud.com may throttle # you to ~100 kbit/sec, delaying your IIAB install by an hour or more (#2112). # Uncomment the following line to end that: (might install an older Nextcloud!) -# nextcloud_dl_url: http://d.iiab.io/packages +# nextcloud_dl_url: http://d.iiab.io/packages/latest.tar.bz2 # A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX. # Works on Ubuntu 18.04, Debian 9 w/ Node.js 10.x. Experimental on RPi 3. @@ -254,7 +254,7 @@ pbx_install: False pbx_enabled: False asterisk_chan_dongle: False -# If using WordPress intensively, set apache_high_php_limits in 3-BASE-SERVER +# If using WordPress intensively, set nginx_high_php_limits in 3-BASE-SERVER wordpress_install: True wordpress_enabled: True @@ -278,7 +278,7 @@ kiwix_enabled: True # Warning: Moodle is a serious LMS, that takes a while to install moodle_install: True moodle_enabled: True -# If using Moodle intensively, set apache_high_php_limits in 3-BASE-SERVER +# If using Moodle intensively, set nginx_high_php_limits in 3-BASE-SERVER # Regional OSM vector maps use far less disk space than bitmap/raster versions. # Instructions: https://github.com/iiab/iiab/wiki/IIAB-Maps diff --git a/vars/local_vars_medium.yml b/vars/local_vars_medium.yml index c85943b5c..5ee6b8ca3 100644 --- a/vars/local_vars_medium.yml +++ b/vars/local_vars_medium.yml 
@@ -136,20 +136,20 @@ pi_swap_file_size: 1024 # 3-BASE-SERVER -# See also Apache vars {default_language, language_priority} @ top of this file -# -# For schools that use WordPress/Nextcloud/Moodle intensively: iiab/iiab#1147 -apache_high_php_limits: False +# roles/mysql runs here (mandatory) + +# For schools that use WordPress/Nextcloud/Moodle intensively: +nginx_high_php_limits: False # WARNING: Enabling this might cause excess use of RAM/disk or other resources! # SO AFTER INSTALLING IIAB, VERIFY THAT THESE 5 SETTINGS... -# https://github.com/iiab/iiab/blob/master/roles/httpd/tasks/main.yml#L80-L84 -# ...ARE SUITABLE FOR YOUR HARDWARE IN /etc/php//apache2/php.ini +# https://github.com/iiab/iiab/blob/master/roles/www_back_end/tasks/main.yml#L23-L27 +# ...ARE SUITABLE FOR YOUR HARDWARE, for: /etc/php//fpm/php.ini + +# See also Apache vars {default_language, language_priority} @ top of this file # # Make this False to disable http://box/common/services/power_off.php button: apache_allow_sudo: True -# roles/mysql runs here (mandatory) - # 4-SERVER-OPTIONS @@ -236,7 +236,7 @@ nodered_install: False nodered_enabled: False # Store your docs, calendar, contacts & photos on your local server not cloud! -# If using WordPress intensively, set apache_high_php_limits in 3-BASE-SERVER +# If using WordPress intensively, set nginx_high_php_limits in 3-BASE-SERVER nextcloud_install: True nextcloud_enabled: True nextcloud_allow_public_ips: False 
@@ -246,7 +246,7 @@ nextcloud_allow_public_ips: False # 2020-01-07: If installing IIAB often, download.nextcloud.com may throttle # you to ~100 kbit/sec, delaying your IIAB install by an hour or more (#2112). # Uncomment the following line to end that: (might install an older Nextcloud!) -# nextcloud_dl_url: http://d.iiab.io/packages +# nextcloud_dl_url: http://d.iiab.io/packages/latest.tar.bz2 # A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX. # Works on Ubuntu 18.04, Debian 9 w/ Node.js 10.x. Experimental on RPi 3. @@ -254,7 +254,7 @@ pbx_install: False pbx_enabled: False asterisk_chan_dongle: False -# If using WordPress intensively, set apache_high_php_limits in 3-BASE-SERVER +# If using WordPress intensively, set nginx_high_php_limits in 3-BASE-SERVER wordpress_install: True wordpress_enabled: True @@ -278,7 +278,7 @@ kiwix_enabled: True # Warning: Moodle is a serious LMS, that takes a while to install moodle_install: False moodle_enabled: False -# If using Moodle intensively, set apache_high_php_limits in 3-BASE-SERVER +# If using Moodle intensively, set nginx_high_php_limits in 3-BASE-SERVER # Regional OSM vector maps use far less disk space than bitmap/raster versions. # Instructions: https://github.com/iiab/iiab/wiki/IIAB-Maps diff --git a/vars/local_vars_min.yml b/vars/local_vars_min.yml index c4b783739..783d1a6f3 100644 --- a/vars/local_vars_min.yml +++ b/vars/local_vars_min.yml 
@@ -136,20 +136,20 @@ pi_swap_file_size: 1024 # 3-BASE-SERVER -# See also Apache vars {default_language, language_priority} @ top of this file -# -# For schools that use WordPress/Nextcloud/Moodle intensively: iiab/iiab#1147 -apache_high_php_limits: False +# roles/mysql runs here (mandatory) + +# For schools that use WordPress/Nextcloud/Moodle intensively: +nginx_high_php_limits: False # WARNING: Enabling this might cause excess use of RAM/disk or other resources! # SO AFTER INSTALLING IIAB, VERIFY THAT THESE 5 SETTINGS... -# https://github.com/iiab/iiab/blob/master/roles/httpd/tasks/main.yml#L80-L84 -# ...ARE SUITABLE FOR YOUR HARDWARE IN /etc/php//apache2/php.ini +# https://github.com/iiab/iiab/blob/master/roles/www_back_end/tasks/main.yml#L23-L27 +# ...ARE SUITABLE FOR YOUR HARDWARE, for: /etc/php//fpm/php.ini + +# See also Apache vars {default_language, language_priority} @ top of this file # # Make this False to disable http://box/common/services/power_off.php button: apache_allow_sudo: True -# roles/mysql runs here (mandatory) - # 4-SERVER-OPTIONS @@ -236,7 +236,7 @@ nodered_install: False nodered_enabled: False # Store your docs, calendar, contacts & photos on your local server not cloud! -# If using WordPress intensively, set apache_high_php_limits in 3-BASE-SERVER +# If using WordPress intensively, set nginx_high_php_limits in 3-BASE-SERVER nextcloud_install: False nextcloud_enabled: False nextcloud_allow_public_ips: False 
@@ -246,7 +246,7 @@ nextcloud_allow_public_ips: False # 2020-01-07: If installing IIAB often, download.nextcloud.com may throttle # you to ~100 kbit/sec, delaying your IIAB install by an hour or more (#2112). # Uncomment the following line to end that: (might install an older Nextcloud!) -# nextcloud_dl_url: http://d.iiab.io/packages +# nextcloud_dl_url: http://d.iiab.io/packages/latest.tar.bz2 # A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX. # Works on Ubuntu 18.04, Debian 9 w/ Node.js 10.x. Experimental on RPi 3. @@ -254,7 +254,7 @@ pbx_install: False pbx_enabled: False asterisk_chan_dongle: False -# If using WordPress intensively, set apache_high_php_limits in 3-BASE-SERVER +# If using WordPress intensively, set nginx_high_php_limits in 3-BASE-SERVER wordpress_install: False wordpress_enabled: False @@ -278,7 +278,7 @@ kiwix_enabled: True # Warning: Moodle is a serious LMS, that takes a while to install moodle_install: False moodle_enabled: False -# If using Moodle intensively, set apache_high_php_limits in 3-BASE-SERVER +# If using Moodle intensively, set nginx_high_php_limits in 3-BASE-SERVER # Regional OSM vector maps use far less disk space than bitmap/raster versions. # Instructions: https://github.com/iiab/iiab/wiki/IIAB-Maps From a26bfd69885cc8c795a802f6f58de5ea9c7b95b9 Mon Sep 17 00:00:00 2001 From: root Date: Sat, 15 Feb 2020 23:19:36 -0500 Subject: [PATCH 02/15] Nextcloud vars/explanation --- roles/nextcloud/README.md | 4 ++-- roles/nextcloud/defaults/main.yml | 7 +++---- vars/default_vars.yml | 5 ++++- vars/local_vars_big.yml | 5 ++++- vars/local_vars_medium.yml | 5 ++++- vars/local_vars_min.yml | 5 ++++- 6 files changed, 21 insertions(+), 10 deletions(-) diff --git a/roles/nextcloud/README.md b/roles/nextcloud/README.md index 805afa7db..d1911bad1 100644 --- a/roles/nextcloud/README.md +++ b/roles/nextcloud/README.md 
@@ -19,11 +19,11 @@ The Nextcloud suite is divided into three main categories: nextcloud_install: True nextcloud_enabled: True -(2) If you want to access Nextcloud from IPv4 addresses across the public Internet, then also set: +(2) If you want to access Nextcloud from IPv4 addresses across the public Internet, then also set: nextcloud_allow_public_ips: True -To further refine Nextcloud access controls based on IPv4 addresses, you can edit `/etc/apache2/sites-available/nextcloud.conf` _after_ it's created by this template: [/opt/iiab/iiab/roles/nextcloud/templates/nextcloud.conf.j2](https://github.com/iiab/iiab/blob/master/roles/nextcloud/templates/nextcloud.conf.j2) +To further refine Nextcloud access controls based on IPv4 addresses, you can edit `/etc/apache2/sites-available/nextcloud.conf` _after_ it's created by this template: [/opt/iiab/iiab/roles/nextcloud/templates/nextcloud.conf.j2](https://github.com/iiab/iiab/blob/master/roles/nextcloud/templates/nextcloud.conf.j2) (3) Strongly consider also setting `nginx_high_php_limits: True` in the 3-BASE-SERVER section of /etc/iiab/local_vars.yml, to allocate important RAM/resources to PHP. Of course, enabling this might cause excess use of RAM/disk or other resources if not calibrated to your hardware and network! So _after_ install is complete, verify and evaluate these 5 settings in /etc/php/[ACTUAL PHP VERSION]/apache2/php.ini: diff --git a/roles/nextcloud/defaults/main.yml b/roles/nextcloud/defaults/main.yml index 1cd008f8d..f7a403c5c 100644 --- a/roles/nextcloud/defaults/main.yml +++ b/roles/nextcloud/defaults/main.yml 
@@ -4,16 +4,12 @@ # nextcloud_install: False # nextcloud_enabled: False -# nextcloud_allow_public_ips: False - # Configuration tips for IPv4 access controls and tuning RAM/resources: # https://github.com/iiab/iiab/blob/master/roles/nextcloud/README.md # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing! -# REMOVE /opt/nextcloud/version.php TO FORCE AN INSTALL OR REINSTALL OR UPGRADE - nextcloud_url: /nextcloud nextcloud_prefix: "{{ doc_root }}" # /library/www/html (WAS /opt) nextcloud_data_dir: "{{ content_base }}/nextcloud/data" # /library/nextcloud/data BUT NOT USED BY NEXTCLOUD AS OF 2020-02-15, so it defaults to /opt/nextcloud/data ?? @@ -34,3 +30,6 @@ nextcloud_admin_password: 'changeme' # 2019-09-04: UNUSED (due to changes in roles/nextcloud/templates/nextcloud.conf.j2) nextcloud_required_ip: 10.0.0.0/8 192.168.0.0/16 + +# 2020-02-15: UNUSED at the time. Legacy remains from Apache: +# nextcloud_allow_public_ips: True diff --git a/vars/default_vars.yml b/vars/default_vars.yml index 2a4161c48..5965e5345 100644 --- a/vars/default_vars.yml +++ b/vars/default_vars.yml @@ -402,7 +402,10 @@ nodered_web_path: nodered # If using WordPress intensively, set nginx_high_php_limits in 3-BASE-SERVER nextcloud_install: False nextcloud_enabled: False -nextcloud_allow_public_ips: False +# +# 2020-02-15: UNUSED at the time. Legacy remains from Apache: +# nextcloud_allow_public_ips: True +# # Configuration tips for IPv4 access controls and tuning RAM/resources: # https://github.com/iiab/iiab/blob/master/roles/nextcloud/README.md # diff --git a/vars/local_vars_big.yml b/vars/local_vars_big.yml index 53b2e0119..414e31431 100644 --- a/vars/local_vars_big.yml +++ b/vars/local_vars_big.yml 
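Review bot: Retiring `nextcloud_allow_public_ips` removes the only IPv4 access control Nextcloud had, and the NGINX location blocks that replace the Apache vhost in this series carry no `allow`/`deny` directives, so with `nginx_enabled` the default posture appears to flip from LAN-only to reachable from any address that can reach the NGINX port. If that is intended, say so here instead of "UNUSED"; otherwise add an `allow` list for loopback, the LAN subnet and the RFC1918 ranges followed by `deny all;` to the NGINX template, remembering that NGINX wants a CIDR prefix length rather than the dotted `{{ lan_netmask }}` form the Apache `Require ip` line uses. At this point in the series the Apache template still evaluates `{% if nextcloud_allow_public_ips %}`, so a host with `apache_install: True` will presumably fail to render it until that template is changed. The context line `nextcloud_admin_password: 'changeme'` is the same kind of shipped default and deserves an equivalent override warning.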
@@ -239,7 +239,10 @@ nodered_enabled: True # If using WordPress intensively, set nginx_high_php_limits in 3-BASE-SERVER nextcloud_install: True nextcloud_enabled: True -nextcloud_allow_public_ips: False +# +# 2020-02-15: UNUSED at the time. Legacy remains from Apache: +# nextcloud_allow_public_ips: True +# # Configuration tips for IPv4 access controls and tuning RAM/resources: # https://github.com/iiab/iiab/blob/master/roles/nextcloud/README.md # diff --git a/vars/local_vars_medium.yml b/vars/local_vars_medium.yml index 5ee6b8ca3..221a20f67 100644 --- a/vars/local_vars_medium.yml +++ b/vars/local_vars_medium.yml @@ -239,7 +239,10 @@ nodered_enabled: False # If using WordPress intensively, set nginx_high_php_limits in 3-BASE-SERVER nextcloud_install: True nextcloud_enabled: True -nextcloud_allow_public_ips: False +# +# 2020-02-15: UNUSED at the time. Legacy remains from Apache: +# nextcloud_allow_public_ips: True +# # Configuration tips for IPv4 access controls and tuning RAM/resources: # https://github.com/iiab/iiab/blob/master/roles/nextcloud/README.md # diff --git a/vars/local_vars_min.yml b/vars/local_vars_min.yml index 783d1a6f3..ca0a9833c 100644 --- a/vars/local_vars_min.yml +++ b/vars/local_vars_min.yml @@ -239,7 +239,10 @@ nodered_enabled: False # If using WordPress intensively, set nginx_high_php_limits in 3-BASE-SERVER nextcloud_install: False nextcloud_enabled: False -nextcloud_allow_public_ips: False +# +# 2020-02-15: UNUSED at the time. Legacy remains from Apache: +# nextcloud_allow_public_ips: True +# # Configuration tips for IPv4 access controls and tuning RAM/resources: # https://github.com/iiab/iiab/blob/master/roles/nextcloud/README.md # From 0de4901aa25ba03e3b11cbbc8cdda3b8bf463790 Mon Sep 17 00:00:00 2001 From: root Date: Sat, 15 Feb 2020 23:26:05 -0500 Subject: [PATCH 03/15] Update roles/nextcloud/README.md --- roles/nextcloud/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/roles/nextcloud/README.md b/roles/nextcloud/README.md index d1911bad1..5ebb4003c 100644 --- a/roles/nextcloud/README.md +++ b/roles/nextcloud/README.md @@ -25,7 +25,7 @@ The Nextcloud suite is divided into three main categories: To further refine Nextcloud access controls based on IPv4 addresses, you can edit `/etc/apache2/sites-available/nextcloud.conf` _after_ it's created by this template: [/opt/iiab/iiab/roles/nextcloud/templates/nextcloud.conf.j2](https://github.com/iiab/iiab/blob/master/roles/nextcloud/templates/nextcloud.conf.j2) -(3) Strongly consider also setting `nginx_high_php_limits: True` in the 3-BASE-SERVER section of /etc/iiab/local_vars.yml, to allocate important RAM/resources to PHP. Of course, enabling this might cause excess use of RAM/disk or other resources if not calibrated to your hardware and network! So _after_ install is complete, verify and evaluate these 5 settings in /etc/php/[ACTUAL PHP VERSION]/apache2/php.ini: +(3) Strongly consider also setting `nginx_high_php_limits: True` in your /etc/iiab/local_vars.yml, to allocate important RAM/resources to PHP. Of course, enabling this might cause excess use of RAM/disk or other resources if not calibrated to your hardware and network! So _after_ install is complete, verify and evaluate these 5 settings in /etc/php/[ACTUAL PHP VERSION]/fpm/php.ini: - upload_max_filesize - post_max_size 
@@ -33,7 +33,7 @@ To further refine Nextcloud access controls based on IPv4 addresses, you can edi - max_execution_time - max_input_time -Useful PHP recommendations for these settings (while largely tailored to WordPress, and aimed at very low-end hardware) can be found here: [/opt/iiab/iiab/roles/httpd/tasks/enable.yml](https://github.com/iiab/iiab/blob/master/roles/httpd/tasks/enable.yml#L1-L14) +Useful PHP recommendations for these settings (while largely tailored to WordPress, and aimed at very low-end hardware) can be found here: [/opt/iiab/iiab/roles/www_back_end/tasks/main.yml](../www_back_end/tasks/main.yml#L23-L27) ## Using It From e9e21e16e5dd519488b3e4d04920b6d6fe9d0984 Mon Sep 17 00:00:00 2001 From: root Date: Sat, 15 Feb 2020 23:40:03 -0500 Subject: [PATCH 04/15] Clarify nginx_high_php_limits --- vars/default_vars.yml | 10 +++++----- vars/local_vars_big.yml | 6 +++--- vars/local_vars_medium.yml | 6 +++--- vars/local_vars_min.yml | 8 ++++---- 4 files changed, 15 insertions(+), 15 deletions(-) diff --git a/vars/default_vars.yml b/vars/default_vars.yml index 5965e5345..7ea9165bf 100644 --- a/vars/default_vars.yml +++ b/vars/default_vars.yml @@ -343,8 +343,8 @@ azuracast_enabled: False azuracast_http_port: 10080 azuracast_https_port: 10443 -# AzuraCast needs many ports in the 8000:8100 range by default, but IIAB services -# conflict with those ports so this variable below sets a sane prefix. +# AzuraCast needs many ports in the 8000:8100 range by default, but IIAB +# services conflict with those ports so this variable below sets a sane prefix. # e.g. setting the below variable to 10 will result in port ranges 10000-10100 # being reserved for AzuraCast: azuracast_port_range_prefix: 10 
@@ -399,7 +399,7 @@ nodered_port: 1880 nodered_web_path: nodered # Store your docs, calendar, contacts & photos on your local server not cloud! -# If using WordPress intensively, set nginx_high_php_limits in 3-BASE-SERVER +# If using Nextcloud intensively, set nginx_high_php_limits further above. nextcloud_install: False nextcloud_enabled: False # @@ -424,7 +424,7 @@ pbx_signaling_ports_chan_pjsip: "5060" pbx_data_ports: "10000:20000" pbx_http_port: 83 -# If using WordPress intensively, set nginx_high_php_limits in 3-BASE-SERVER +# If using WordPress intensively, set nginx_high_php_limits further above. wordpress_install: False wordpress_enabled: False @@ -455,7 +455,7 @@ iiab_zim_path: "{{ content_base }}/zims" # /library/zims moodle_install: False moodle_enabled: False -# If using Moodle intensively, set nginx_high_php_limits in 3-BASE-SERVER +# If using Moodle intensively, set nginx_high_php_limits further above. # MongoDB (/library/dbdata/mongodb) greatly enhances the Sugarizer experience. # This role was formerly installed by roles/sugarizer/meta/main.yml diff --git a/vars/local_vars_big.yml b/vars/local_vars_big.yml index 414e31431..1da0e9b35 100644 --- a/vars/local_vars_big.yml +++ b/vars/local_vars_big.yml @@ -236,7 +236,7 @@ nodered_install: True nodered_enabled: True # Store your docs, calendar, contacts & photos on your local server not cloud! -# If using WordPress intensively, set nginx_high_php_limits in 3-BASE-SERVER +# If using Nextcloud intensively, set nginx_high_php_limits further above. nextcloud_install: True nextcloud_enabled: True # @@ -257,7 +257,7 @@ pbx_install: False pbx_enabled: False asterisk_chan_dongle: False -# If using WordPress intensively, set nginx_high_php_limits in 3-BASE-SERVER +# If using WordPress intensively, set nginx_high_php_limits further above. wordpress_install: True wordpress_enabled: True 
@@ -281,7 +281,7 @@ kiwix_enabled: True # Warning: Moodle is a serious LMS, that takes a while to install moodle_install: True moodle_enabled: True -# If using Moodle intensively, set nginx_high_php_limits in 3-BASE-SERVER +# If using Moodle intensively, set nginx_high_php_limits further above. # Regional OSM vector maps use far less disk space than bitmap/raster versions. # Instructions: https://github.com/iiab/iiab/wiki/IIAB-Maps diff --git a/vars/local_vars_medium.yml b/vars/local_vars_medium.yml index 221a20f67..24b5ef4d0 100644 --- a/vars/local_vars_medium.yml +++ b/vars/local_vars_medium.yml @@ -236,7 +236,7 @@ nodered_install: False nodered_enabled: False # Store your docs, calendar, contacts & photos on your local server not cloud! -# If using WordPress intensively, set nginx_high_php_limits in 3-BASE-SERVER +# If using Nextcloud intensively, set nginx_high_php_limits further above. nextcloud_install: True nextcloud_enabled: True # @@ -257,7 +257,7 @@ pbx_install: False pbx_enabled: False asterisk_chan_dongle: False -# If using WordPress intensively, set nginx_high_php_limits in 3-BASE-SERVER +# If using WordPress intensively, set nginx_high_php_limits further above. wordpress_install: True wordpress_enabled: True @@ -281,7 +281,7 @@ kiwix_enabled: True # Warning: Moodle is a serious LMS, that takes a while to install moodle_install: False moodle_enabled: False -# If using Moodle intensively, set nginx_high_php_limits in 3-BASE-SERVER +# If using Moodle intensively, set nginx_high_php_limits further above. # Regional OSM vector maps use far less disk space than bitmap/raster versions. # Instructions: https://github.com/iiab/iiab/wiki/IIAB-Maps diff --git a/vars/local_vars_min.yml b/vars/local_vars_min.yml index ca0a9833c..168bb64a7 100644 --- a/vars/local_vars_min.yml +++ b/vars/local_vars_min.yml 
@@ -236,7 +236,7 @@ nodered_install: False nodered_enabled: False # Store your docs, calendar, contacts & photos on your local server not cloud! -# If using WordPress intensively, set nginx_high_php_limits in 3-BASE-SERVER +# If using Nextcloud intensively, set nginx_high_php_limits further above. nextcloud_install: False nextcloud_enabled: False # @@ -257,7 +257,7 @@ pbx_install: False pbx_enabled: False asterisk_chan_dongle: False -# If using WordPress intensively, set nginx_high_php_limits in 3-BASE-SERVER +# If using WordPress intensively, set nginx_high_php_limits further above. wordpress_install: False wordpress_enabled: False @@ -278,10 +278,10 @@ kolibri_language: en # ar,bn-bd,en,es-es,fa,fr-fr,hi-in,mr,nyn,pt-br,sw-tz,ta kiwix_install: True kiwix_enabled: True -# Warning: Moodle is a serious LMS, that takes a while to install +# Warning: Moodle is a serious LMS, that takes a while to install. moodle_install: False moodle_enabled: False -# If using Moodle intensively, set nginx_high_php_limits in 3-BASE-SERVER +# If using Moodle intensively, set nginx_high_php_limits further above. # Regional OSM vector maps use far less disk space than bitmap/raster versions. # Instructions: https://github.com/iiab/iiab/wiki/IIAB-Maps From 6081df71686e979e694963caa4b1bbecef5a73ab Mon Sep 17 00:00:00 2001 From: root Date: Sat, 15 Feb 2020 23:46:32 -0500 Subject: [PATCH 05/15] Typo in local_vars.yml & default_vars.yml --- vars/default_vars.yml | 2 +- vars/local_vars_big.yml | 2 +- vars/local_vars_medium.yml | 2 +- vars/local_vars_min.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/vars/default_vars.yml b/vars/default_vars.yml index 7ea9165bf..b5487f935 100644 --- a/vars/default_vars.yml +++ b/vars/default_vars.yml 
@@ -403,7 +403,7 @@ nodered_web_path: nodered nextcloud_install: False nextcloud_enabled: False # -# 2020-02-15: UNUSED at the time. Legacy remains from Apache: +# 2020-02-15: UNUSED at this time. Legacy remains from Apache: # nextcloud_allow_public_ips: True # # Configuration tips for IPv4 access controls and tuning RAM/resources: diff --git a/vars/local_vars_big.yml b/vars/local_vars_big.yml index 1da0e9b35..7e0f2b6c5 100644 --- a/vars/local_vars_big.yml +++ b/vars/local_vars_big.yml @@ -240,7 +240,7 @@ nodered_enabled: True nextcloud_install: True nextcloud_enabled: True # -# 2020-02-15: UNUSED at the time. Legacy remains from Apache: +# 2020-02-15: UNUSED at this time. Legacy remains from Apache: # nextcloud_allow_public_ips: True # # Configuration tips for IPv4 access controls and tuning RAM/resources: diff --git a/vars/local_vars_medium.yml b/vars/local_vars_medium.yml index 24b5ef4d0..04cdb4c45 100644 --- a/vars/local_vars_medium.yml +++ b/vars/local_vars_medium.yml @@ -240,7 +240,7 @@ nodered_enabled: False nextcloud_install: True nextcloud_enabled: True # -# 2020-02-15: UNUSED at the time. Legacy remains from Apache: +# 2020-02-15: UNUSED at this time. Legacy remains from Apache: # nextcloud_allow_public_ips: True # # Configuration tips for IPv4 access controls and tuning RAM/resources: diff --git a/vars/local_vars_min.yml b/vars/local_vars_min.yml index 168bb64a7..af67d41e8 100644 --- a/vars/local_vars_min.yml +++ b/vars/local_vars_min.yml @@ -240,7 +240,7 @@ nodered_enabled: False nextcloud_install: False nextcloud_enabled: False # -# 2020-02-15: UNUSED at the time. Legacy remains from Apache: +# 2020-02-15: UNUSED at this time. Legacy remains from Apache: # nextcloud_allow_public_ips: True # # Configuration tips for IPv4 access controls and tuning RAM/resources: From 2d31a56ff6dcfad829109cf11116a4b6de0b95be Mon Sep 17 00:00:00 2001 
From: root Date: Sun, 16 Feb 2020 01:16:23 -0500 Subject: [PATCH 06/15] Cull nextcloud_allow_public_ips --- roles/nextcloud/tasks/install.yml | 2 +- roles/nextcloud/templates/nextcloud.conf.j2 | 20 ++++++++++---------- roles/www_back_end/tasks/main.yml | 7 ++++++- 3 files changed, 17 insertions(+), 12 deletions(-) diff --git a/roles/nextcloud/tasks/install.yml b/roles/nextcloud/tasks/install.yml index c37269910..d1e7323cd 100644 --- a/roles/nextcloud/tasks/install.yml +++ b/roles/nextcloud/tasks/install.yml @@ -68,7 +68,7 @@ template: src: nextcloud.conf.j2 dest: "/etc/{{ apache_conf_dir }}/nextcloud.conf" # apache2/sites-available on debuntu - when: apache_installed | bool + when: apache_install | bool # RECORD Nextcloud AS INSTALLED diff --git a/roles/nextcloud/templates/nextcloud.conf.j2 b/roles/nextcloud/templates/nextcloud.conf.j2 index dcba0ae0c..89858bdb8 100644 --- a/roles/nextcloud/templates/nextcloud.conf.j2 +++ b/roles/nextcloud/templates/nextcloud.conf.j2 
@@ -16,17 +16,17 @@ Alias {{ nextcloud_url }} {{ nextcloud_prefix }}/nextcloud # 2019-09-04 commenting out towards future removal #Require host localhost -{% if nextcloud_allow_public_ips %} - # PERMIT ACCESS FROM ALL IPv4 ADDRESSES: +#{% if CONDITION %} {# where CONDITION was nextcloud_allow_public_ips #} +# # PERMIT ACCESS FROM ALL IPv4 ADDRESSES: Require all granted - # PERMIT ACCESS FROM THESE IPv4 ADDRESS RANGES ONLY: - #Require ip 127.0.0.1 {{ lan_ip }}/{{ lan_netmask }} 192.168 10 -{% else %} - # PERMIT ACCESS FROM ALL IPv4 ADDRESSES: - #Require all granted - # PERMIT ACCESS FROM THESE IPv4 ADDRESS RANGES ONLY: - Require ip 127.0.0.1 {{ lan_ip }}/{{ lan_netmask }} 192.168 10 -{% endif %} +# # PERMIT ACCESS FROM THESE IPv4 ADDRESS RANGES ONLY: +# #Require ip 127.0.0.1 {{ lan_ip }}/{{ lan_netmask }} 192.168 10 +#{% else %} +# # PERMIT ACCESS FROM ALL IPv4 ADDRESSES: +# #Require all granted +# # PERMIT ACCESS FROM THESE IPv4 ADDRESS RANGES ONLY: +# Require ip 127.0.0.1 {{ lan_ip }}/{{ lan_netmask }} 192.168 10 +#{% endif %} {# Reminder that {{ lan_ip }}/{{ lan_netmask }} is 172.18.96.1/255.255.224.0 #} # AVOID THIS LINE AS IT OVERLY RESTRICTS SCHOOLS W/ 192.168.1.x, 10.x.y.z: #Require ip 127.0.0.1 {{ lan_ip }}/{{ lan_netmask }} {{ nextcloud_required_ip }} {{ openvpn_server_virtual_ip }}/255.255.255.0 diff --git a/roles/www_back_end/tasks/main.yml b/roles/www_back_end/tasks/main.yml index 0129887d4..4b73f40f6 100644 --- a/roles/www_back_end/tasks/main.yml +++ b/roles/www_back_end/tasks/main.yml 
@@ -9,9 +9,14 @@ - include_tasks: php-stem.yml +- name: Install php-fpm (FastCGI Process Manager) if nextcloud_install or pbx_install + package: + name: php-fpm + when: nextcloud_install or pbx_install + # COMPARE apache_allow_sudo @ roles/www_front_end/tasks/main.yml -# For schools that use WordPress/Nextcloud/Moodle intensively. iiab/iiab#1147 +# For schools that use WordPress/Nextcloud/Moodle intensively. # WARNING: Enabling this might cause excess use of RAM/disk or other resources! - name: Enact high limits in /etc/php/{{ php_version }}/fpm/php.ini if using WordPress/Nextcloud/Moodle intensively lineinfile: From aad6d421df72fa5c63d4c2c770dc9e2a8f4dda6e Mon Sep 17 00:00:00 2001 From: root Date: Sun, 16 Feb 2020 01:31:41 -0500 Subject: [PATCH 07/15] Fix nextcloud/templates/nextcloud.conf.j2 --- roles/nextcloud/templates/nextcloud.conf.j2 | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/roles/nextcloud/templates/nextcloud.conf.j2 b/roles/nextcloud/templates/nextcloud.conf.j2 index 89858bdb8..0f2aee4f6 100644 --- a/roles/nextcloud/templates/nextcloud.conf.j2 +++ b/roles/nextcloud/templates/nextcloud.conf.j2 
@@ -16,17 +16,17 @@ Alias {{ nextcloud_url }} {{ nextcloud_prefix }}/nextcloud # 2019-09-04 commenting out towards future removal #Require host localhost -#{% if CONDITION %} {# where CONDITION was nextcloud_allow_public_ips #} -# # PERMIT ACCESS FROM ALL IPv4 ADDRESSES: +{% if True %} {# 2020-02-15: Condition WAS... nextcloud_allow_public_ips #} + # PERMIT ACCESS FROM ALL IPv4 ADDRESSES: Require all granted -# # PERMIT ACCESS FROM THESE IPv4 ADDRESS RANGES ONLY: -# #Require ip 127.0.0.1 {{ lan_ip }}/{{ lan_netmask }} 192.168 10 -#{% else %} -# # PERMIT ACCESS FROM ALL IPv4 ADDRESSES: -# #Require all granted -# # PERMIT ACCESS FROM THESE IPv4 ADDRESS RANGES ONLY: -# Require ip 127.0.0.1 {{ lan_ip }}/{{ lan_netmask }} 192.168 10 -#{% endif %} + # PERMIT ACCESS FROM THESE IPv4 ADDRESS RANGES ONLY: + #Require ip 127.0.0.1 {{ lan_ip }}/{{ lan_netmask }} 192.168 10 +{% else %} + # PERMIT ACCESS FROM ALL IPv4 ADDRESSES: + #Require all granted + # PERMIT ACCESS FROM THESE IPv4 ADDRESS RANGES ONLY: + Require ip 127.0.0.1 {{ lan_ip }}/{{ lan_netmask }} 192.168 10 +{% endif %} {# Reminder that {{ lan_ip }}/{{ lan_netmask }} is 172.18.96.1/255.255.224.0 #} # AVOID THIS LINE AS IT OVERLY RESTRICTS SCHOOLS W/ 192.168.1.x, 10.x.y.z: #Require ip 127.0.0.1 {{ lan_ip }}/{{ lan_netmask }} {{ nextcloud_required_ip }} {{ openvpn_server_virtual_ip }}/255.255.255.0 From 8abc11d54b1ce3512dfe6e0657ef86caf4aa73c4 Mon Sep 17 00:00:00 2001 From: root Date: Sun, 16 Feb 2020 02:47:45 -0500 Subject: [PATCH 08/15] Move php-fpm / high limits from www_back_end (3) to www_front_end (4) --- roles/nextcloud/tasks/install.yml | 2 +- roles/www_back_end/tasks/main.yml | 31 ------------------------- roles/www_front_end/tasks/main.yml | 37 +++++++++++++++++++++++++++++- 3 files changed, 37 insertions(+), 33 deletions(-) diff --git a/roles/nextcloud/tasks/install.yml b/roles/nextcloud/tasks/install.yml index d1e7323cd..2d2a75cfd 100644 --- a/roles/nextcloud/tasks/install.yml 
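Review bot: `{% if True %}` makes `Require all granted` unconditional while the LAN-only `Require ip 127.0.0.1 {{ lan_ip }}/{{ lan_netmask }} 192.168 10` survives only inside an `{% else %}` branch that can never render, so a maintainer reading the template cannot tell whether the restriction was dropped deliberately. With nextcloud_allow_public_ips gone the Jinja conditional no longer has a job: drop `{% if True %}`, `{% else %}` and `{% endif %}` together with the dead branch, keep `Require all granted`, and leave one commented `#Require ip 127.0.0.1 {{ lan_ip }}/{{ lan_netmask }} 192.168 10` under a comment such as `# To limit Nextcloud to LAN ranges, comment out 'Require all granted' and uncomment the line below:`. Worth stating in roles/nextcloud/README.md as well: once Apache grants every source address and setup.yml sets trusted_domains to `*`, Nextcloud's own login is the only access control left in front of it.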
+++ b/roles/nextcloud/tasks/install.yml
@@ -14,7 +14,7 @@
 - php-dom
 - php-exif # Optional (for image rotation in pictures app)
 - php-fileinfo # Optional (enhances file analysis performance)
-- php-fpm # Optional (FastCGI Process Manager)
+- php-fpm # ALSO INSTALLED IN roles/www_back_end (Stage 3) for nginx_high_php_limits
 - php-gd
 - php-gmp # Optional (for SFTP storage)
 - php-iconv
diff --git a/roles/www_back_end/tasks/main.yml b/roles/www_back_end/tasks/main.yml
index 4b73f40f6..d452084ac 100644
--- a/roles/www_back_end/tasks/main.yml
+++ b/roles/www_back_end/tasks/main.yml
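Review bot: The new comment on `- php-fpm` says `ALSO INSTALLED IN roles/www_back_end (Stage 3)`, but this same commit deletes that task from www_back_end and re-creates it in roles/www_front_end (Stage 4), so the pointer is stale the moment it lands. Suggest `- php-fpm  # ALSO INSTALLED IN roles/www_front_end (Stage 4) for nginx_high_php_limits`. The enclosing `package:` task starts above the hunk.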
@@ -5,39 +5,8 @@ - include_tasks: html.yml - - - include_tasks: php-stem.yml -- name: Install php-fpm (FastCGI Process Manager) if nextcloud_install or pbx_install - package: - name: php-fpm - when: nextcloud_install or pbx_install - -# COMPARE apache_allow_sudo @ roles/www_front_end/tasks/main.yml - -# For schools that use WordPress/Nextcloud/Moodle intensively. -# WARNING: Enabling this might cause excess use of RAM/disk or other resources! -- name: Enact high limits in /etc/php/{{ php_version }}/fpm/php.ini if using WordPress/Nextcloud/Moodle intensively - lineinfile: - path: "/etc/php/{{ php_version }}/fpm/php.ini" - #path: "/etc/php/{{ php_version }}/{{ apache_service }}/php.ini" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^upload_max_filesize', line: 'upload_max_filesize = 500M ; default is 2M' } - - { regexp: '^post_max_size', line: 'post_max_size = 500M ; default is 8M' } - - { regexp: '^memory_limit', line: 'memory_limit = 512M ; default is 128M / Nextcloud requests 512M' } - - { regexp: '^max_execution_time', line: 'max_execution_time = 300 ; default is 30' } - - { regexp: '^max_input_time', line: 'max_input_time = 300 ; default is 60' } - when: nginx_high_php_limits | bool - -- name: Restart 'php{{ php_version }}-fpm' systemd services - systemd: - name: "php{{ php_version }}-fpm" - state: restarted - - - name: Create dir {{ doc_root }}/home -- if you customized var iiab_home_url e.g. in /etc/iiab/local_vars.yml, that dir is created later -- by www_front_end/tasks/main.yml file: state: directory diff --git a/roles/www_front_end/tasks/main.yml b/roles/www_front_end/tasks/main.yml index 2e0220a54..aa1d8b6ed 100644 --- a/roles/www_front_end/tasks/main.yml +++ b/roles/www_front_end/tasks/main.yml 
@@ -25,11 +25,46 @@ when: nginx_install | bool +- block: # 3-STANZA BLOCK BEGINS + + # Also installed by roles/nextcloud/tasks/install.yml in case './runrole nextcloud' bypasses this role here. (Possibly make php-fpm mandatory in nginx/tasks/install.yml in future?) + - name: Install php-fpm (FastCGI Process Manager) as nec + package: + name: php-fpm + + # For schools that use WordPress/Nextcloud/Moodle intensively. + # WARNING: Enabling this might cause excess use of RAM/disk or other resources! + + # COMPARE apache_allow_sudo further below. + + - name: Enact high limits in /etc/php/{{ php_version }}/fpm/php.ini if using WordPress/Nextcloud/Moodle intensively, as nec + lineinfile: + path: "/etc/php/{{ php_version }}/fpm/php.ini" + #path: "/etc/php/{{ php_version }}/{{ apache_service }}/php.ini" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + with_items: + - { regexp: '^upload_max_filesize', line: 'upload_max_filesize = 500M ; default is 2M' } + - { regexp: '^post_max_size', line: 'post_max_size = 500M ; default is 8M' } + - { regexp: '^memory_limit', line: 'memory_limit = 512M ; default is 128M / Nextcloud requests 512M' } + - { regexp: '^max_execution_time', line: 'max_execution_time = 300 ; default is 30' } + - { regexp: '^max_input_time', line: 'max_input_time = 300 ; default is 60' } + when: nginx_high_php_limits + + - name: Restart 'php{{ php_version }}-fpm' systemd services, as nec + systemd: + name: "php{{ php_version }}-fpm" + state: restarted + + when: (nextcloud_install or pbx_install) and nginx_enabled # 3-STANZA BLOCK ENDS + + # 'Is a "Rapid Power Off" button possible for low-electricity environments?' # gives more details here: http://FAQ.IIAB.IO +# COMPARE nginx_high_php_limits further above. + # 2020-02-12: DOES THE FLAG BELOW (apache_allow_sudo) WORK WITH NGINX TOO ? 
-# COMPARE nginx_high_php_limits @ roles/www_back_end/tasks/main.yml - name: Give {{ apache_user }} (per variable apache_user) permission to poweroff, installing /etc/sudoers.d/020_apache_poweroff from template template: From 2b435f7ad65d88897d7e312aa3005d2e4937e46f Mon Sep 17 00:00:00 2001 From: A Holt Date: Sun, 16 Feb 2020 10:08:12 -0500 Subject: [PATCH 09/15] Update roles/nextcloud/README.md --- roles/nextcloud/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nextcloud/README.md b/roles/nextcloud/README.md index 5ebb4003c..20fb94689 100644 --- a/roles/nextcloud/README.md +++ b/roles/nextcloud/README.md @@ -33,7 +33,7 @@ To further refine Nextcloud access controls based on IPv4 addresses, you can edi - max_execution_time - max_input_time -Useful PHP recommendations for these settings (while largely tailored to WordPress, and aimed at very low-end hardware) can be found here: [/opt/iiab/iiab/roles/www_back_end/tasks/main.yml](../www_back_end/tasks/main.yml#L23-L27) +Useful PHP recommendations for these settings (while largely tailored to WordPress, and aimed at very low-end hardware) can be found here: [/opt/iiab/iiab/roles/www_back_end/tasks/main.yml#L47-L51](../www_front_end/tasks/main.yml#L47-L51) ## Using It From 150ef46619e285239621ab3565612103404ae446 Mon Sep 17 00:00:00 2001 From: root Date: Sun, 16 Feb 2020 11:29:12 -0500 Subject: [PATCH 10/15] Bypass 9 php-* pkgs on Raspbian. Try php-xml on all OS's --- roles/nextcloud/tasks/install.yml | 72 ++++++++++++++++++++++++++----- 1 file changed, 61 insertions(+), 11 deletions(-) diff --git a/roles/nextcloud/tasks/install.yml b/roles/nextcloud/tasks/install.yml index 2d2a75cfd..618444aa6 100644 --- a/roles/nextcloud/tasks/install.yml +++ b/roles/nextcloud/tasks/install.yml 
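Review bot: The `Restart 'php{{ php_version }}-fpm' systemd services, as nec` task has `state: restarted` and no condition of its own, so every run that enters the block restarts php-fpm even when the lineinfile above changed nothing, briefly failing Nextcloud/PBX requests in flight. Register the lineinfile result and gate the restart on it: `register: php_ini_limits` on the lineinfile task and `when: php_ini_limits is changed` on the restart (or move the restart into a handler). Style: `when: nginx_high_php_limits` and the block's `when: (nextcloud_install or pbx_install) and nginx_enabled` drop the `| bool` that the same file uses on the context line `when: nginx_install | bool`; keep one convention. Also worth a line in the WARNING comment: `/etc/php/{{ php_version }}/fpm/php.ini` is the FPM-wide ini, so the 500M upload/post limits apply to every PHP app served through php-fpm, not only Nextcloud.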
@@ -1,5 +1,47 @@ +# CHECK FOR PHP VERSION AUTOMATICALLY, TO DETERMINE WHICH NEXTCLOUD TO INSTALL. +# INSPIRED BY: github.com/iiab/iiab/blob/master/roles/nodejs/tasks/main.yml + +# - name: Try to run 'php -v' to get PHP version +# # e.g. converts multi-line "PHP 7.0.33-0ubuntu0.16.04.5 (cli) ( NTS ) ..." to "7.0.33" +# shell: php -v | head -1 | sed 's/^[^0-9.]*//' | sed 's/[^0-9.].*//' +# register: php_version_installed +# #ignore_errors: yes # NOT NEC: if php is not installed, php_version_installed.stdout will get set to "" + +# - debug: +# var: php_version_installed + +# # NOTE: this could easily be made to work even if PHP was not installed, e.g. +# # by pre-initializing variable 'php_new' to False here. But trapping the +# # absence of PHP (below) is a useful software safety precondition! +# # +# #- name: Initialize var 'php_new' to False +# # set_fact: +# # php_new: False + +# - name: INTENTIONALLY FAIL, IF PHP (Nextcloud prerequisite) ISN'T INSTALLED +# fail: +# msg: > +# Nextcloud install cannot proceed, as it requires PHP be installed first. +# Note that as of 2019-07-04, IIAB takes care of this by forcing vars +# mysql_install and mysql_enabled to True in +# /opt/iiab/iiab/roles/0-init/tasks/main.yml, which in turn forces the +# installation of PHP in /opt/iiab/iiab/roles/mysql/tasks/main.yml, as +# invoked by /opt/iiab/iiab/roles/3-base-server/tasks/main.yml +# when: php_version_installed.stdout == "" + +# - name: Set var 'php_new' indicating if installed version of PHP ({{ php_version_installed.stdout }}) >= 7.1, as required by Nextcloud 16 +# set_fact: +# php_new: "{{ php_version_installed.stdout is version('7.1', '>=') }}" +# # Ansible's Version Comparison routine: +# # https://docs.ansible.com/ansible/latest/user_guide/playbooks_tests.html#version-comparison +# when: php_version_installed.stdout != "" # i.e. 
IF ABOVE 'php -v' WORKED + +# - debug: +# var: php_new + + # https://docs.nextcloud.com/server/18/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation -- name: Install ffmpeg + libxml2 + 21 php packages +- name: Install ffmpeg + libxml2 + 13 php packages package: name: #- dnsutils # NOT REQUESTED by Nextcloud @@ -9,15 +51,10 @@ - php-bz2 # Optional (for extraction of apps) #- php-cli # NOT REQUESTED by Nextcloud #- php-common # NOT REQUESTED by Nextcloud - - php-ctype - php-curl - - php-dom - - php-exif # Optional (for image rotation in pictures app) - - php-fileinfo # Optional (enhances file analysis performance) - php-fpm # ALSO INSTALLED IN roles/www_back_end (Stage 3) for nginx_high_php_limits - php-gd - php-gmp # Optional (for SFTP storage) - - php-iconv - php-imagick # Optional (for preview generation) - php-intl # Optional (increases language translation performance and fixes sorting of non-ASCII characters) - php-json 
@@ -26,18 +63,31 @@ - php-mysql #- php-openssl # NOT INSTALLABLE: ENABLED BY DEFAULT? #- php-pdo_mysql # NOT INSTALLABLE: php-mysql handles this on all OS's? - - php-posix #- php-redis # @m-anish future work? #- php-session # NOT INSTALLABLE: ENABLED BY DEFAULT? - - php-simplexml - php-smbclient # Optional (SMB/CIFS integration - #- php-xml # NOT REQUESTED by Nextcloud - - php-xmlreader - - php-xmlwriter + - php-xml # NOT FORMALLY REQUESTED by Nextcloud (BUT hopefully delivers php-simplexml if not {php-xmlreader, php-xmlwriter} on Raspbian?) - php-zip #- php-zlib # NOT INSTALLABLE: ENABLED BY DEFAULT? state: present +# https://docs.nextcloud.com/server/18/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation +- name: Install 9 additional php packages, if OS is not Raspbian (these are not available on Raspbian on RPi, as of Feb 2020) + package: + name: + - php-ctype + - php-dom + - php-exif # Optional (for image rotation in pictures app) + - php-fileinfo # Optional (enhances file analysis performance) + - php-iconv + - php-posix + - php-simplexml + - php-xmlreader + - php-xmlwriter + state: present + when: not is_raspbian + + - name: Create dir {{ nextcloud_prefix }}{{ nextcloud_url }} file: state: directory From 3d55abc2eff49d2dc9d5923e88ffdc9b0654f526 Mon Sep 17 00:00:00 2001 From: root Date: Sun, 16 Feb 2020 11:49:22 -0500 Subject: [PATCH 11/15] Typo in roles/nextcloud/README.md --- roles/nextcloud/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nextcloud/README.md b/roles/nextcloud/README.md index 20fb94689..d36618a2b 100644 --- a/roles/nextcloud/README.md +++ b/roles/nextcloud/README.md 
@@ -33,7 +33,7 @@ To further refine Nextcloud access controls based on IPv4 addresses, you can edi - max_execution_time - max_input_time -Useful PHP recommendations for these settings (while largely tailored to WordPress, and aimed at very low-end hardware) can be found here: [/opt/iiab/iiab/roles/www_back_end/tasks/main.yml#L47-L51](../www_front_end/tasks/main.yml#L47-L51) +Useful PHP recommendations for these settings (while largely tailored to WordPress, and aimed at very low-end hardware) can be found here: [/opt/iiab/iiab/roles/www_front_end/tasks/main.yml#L47-L51](../www_front_end/tasks/main.yml#L47-L51) ## Using It From 5a81efedb909b7d6b84680194a60541b7f222a2b Mon Sep 17 00:00:00 2001 From: A Holt Date: Sun, 16 Feb 2020 20:33:47 -0500 Subject: [PATCH 12/15] Gitea 1.11.0 -> 1.11.1 --- roles/gitea/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/gitea/defaults/main.yml b/roles/gitea/defaults/main.yml index 57159bd32..9ac3c0ae0 100644 --- a/roles/gitea/defaults/main.yml +++ b/roles/gitea/defaults/main.yml @@ -9,7 +9,7 @@ # Info needed to install Gitea: -gitea_version: 1.11.0 +gitea_version: 1.11.1 iset_suffixes: i386: 386 x86_64: amd64 From 821bcec37371369ef8c65090f1b4614913c6f292 Mon Sep 17 00:00:00 2001 From: root Date: Sun, 16 Feb 2020 20:52:01 -0500 Subject: [PATCH 13/15] nextcloud_root_dir & nextcloud_data_dir now work --- roles/nextcloud/defaults/main.yml | 22 +++++++++-- roles/nextcloud/tasks/install.yml | 23 ++++-------- roles/nextcloud/tasks/main.yml | 10 ++++- roles/nextcloud/tasks/setup.yml | 37 +++++++++++++++---- .../templates/nextcloud-nginx.conf.j2 | 14 +++++-- roles/nextcloud/templates/nextcloud.conf.j2 | 6 ++- 6 files changed, 79 insertions(+), 33 deletions(-) diff --git a/roles/nextcloud/defaults/main.yml b/roles/nextcloud/defaults/main.yml index f7a403c5c..19f333409 100644 --- a/roles/nextcloud/defaults/main.yml +++ b/roles/nextcloud/defaults/main.yml 
@@ -10,9 +10,6 @@ # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing! -nextcloud_url: /nextcloud -nextcloud_prefix: "{{ doc_root }}" # /library/www/html (WAS /opt) -nextcloud_data_dir: "{{ content_base }}/nextcloud/data" # /library/nextcloud/data BUT NOT USED BY NEXTCLOUD AS OF 2020-02-15, so it defaults to /opt/nextcloud/data ?? # 2020-01-07: If installing IIAB often, download.nextcloud.com may throttle # you to ~100 kbit/sec, delaying your IIAB install by an hour or more (#2112). @@ -20,6 +17,25 @@ nextcloud_data_dir: "{{ content_base }}/nextcloud/data" # /library/nextcloud/ # nextcloud_dl_url: http://d.iiab.io/packages/latest.tar.bz2 nextcloud_dl_url: https://download.nextcloud.com/server/releases/latest.tar.bz2 +nextcloud_url: /nextcloud + +nextcloud_base_dir: "{{ doc_base }}" # /library/www +#nextcloud_base_dir: "{{ doc_root }}" # /library/www/html +nextcloud_root_dir: "{{ nextcloud_base_dir }}/nextcloud" +# +# 2020-02-16 options... +# /opt/nextcloud <-- Old Nextcloud recommendation +# /var/www/nextcloud <-- Nextcloud recommendation +# /library/nextcloud <-- Old IIAB recommendation +# /library/www/nextcloud <-- IIAB RECOMMENDATION FOR NOW ? +# /library/www/html/nextcloud <-- Bad idea? Security & privacy consequences? +# +# IN ANY CASE, PLEASE VERIFY nextcloud/config/config.php AFTER INSTALLATION! +# +# Nextcloud's default for now--OR PUT PERSONAL DATA ON ANOTHER DRIVE/PARTITION: +nextcloud_data_dir: "{{ nextcloud_root_dir }}/data" # /library/www/nextcloud + + # We install on MySQL with these settings: nextcloud_dbname: nextcloud nextcloud_dbuser: nextcloud diff --git a/roles/nextcloud/tasks/install.yml b/roles/nextcloud/tasks/install.yml index 618444aa6..3d792401b 100644 --- a/roles/nextcloud/tasks/install.yml +++ b/roles/nextcloud/tasks/install.yml 
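Review bot: `nextcloud_data_dir: "{{ nextcloud_root_dir }}/data"` puts user files at /library/www/nextcloud/data, inside the tree that the NGINX template in this same commit serves via `root {{ nextcloud_base_dir }}` (/library/www), so uploads are kept private only by a `deny all` location for `data/` that I cannot see in the visible hunks — please confirm it exists and that it uses `{{ nextcloud_url }}` rather than a literal `/nextcloud`. The comment `OR PUT PERSONAL DATA ON ANOTHER DRIVE/PARTITION` is the right instinct; either default to a path outside `nextcloud_base_dir` or say on the line that the deny rule is load-bearing, e.g. `# NOTE: under the NGINX 'root' -- relies on the data/ deny rule in nextcloud-nginx.conf.j2`. Separately, the commented-out mirror `http://d.iiab.io/packages/latest.tar.bz2` is plain HTTP; if it is ever re-enabled it should be paired with a checksum on the download.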
@@ -88,33 +88,26 @@ when: not is_raspbian -- name: Create dir {{ nextcloud_prefix }}{{ nextcloud_url }} +- name: Create dir {{ nextcloud_root_dir }} file: state: directory - path: "{{ nextcloud_prefix }}{{ nextcloud_url }}" # /library/www/html + /nextcloud + path: "{{ nextcloud_root_dir }}" # /library/www/nextcloud -- name: Unarchive {{ nextcloud_dl_url }} to {{ nextcloud_prefix }}{{ nextcloud_url }} ({{ apache_user }}:{{ apache_user }}) +- name: Unarchive {{ nextcloud_dl_url }} to {{ nextcloud_root_dir }} ({{ apache_user }}:{{ apache_user }}) unarchive: remote_src: yes src: "{{ nextcloud_dl_url }}" - dest: "{{ nextcloud_prefix }}{{ nextcloud_url }}" # /library/www/html + /nextcloud - owner: "{{ apache_user }}" # apache2 on debuntu + #dest: "{{ nextcloud_base_dir }}" # /library/www + dest: "{{ nextcloud_root_dir }}" # /library/www/nextcloud + owner: "{{ apache_user }}" # apache2 on debuntu group: "{{ apache_user }}" - extra_opts: --strip-components=1 + extra_opts: --strip-components=1 # Or use 'dest: /library/www' above when: internet_available -# - name: "NOT USED FOR NOW: Create data dir {{ nextcloud_data_dir }}" -# file: -# state: directory -# path: "{{ nextcloud_data_dir }}" # /library/nextcloud/data NOT USED BY NEXTCLOUD AS OF 2020-02-15 ...Nextcloud defaults to /opt/nextcloud/data OR /library/www/html/nextcloud/data ?? -# owner: "{{ apache_user }}" -# group: "{{ apache_user }}" -# mode: '0750' - - name: Provision Nextcloud's MySQL DB, run Nextcloud's install wizard, etc include_tasks: setup.yml -- name: Install /etc/{{ apache_conf_dir }}/nextcloud.conf from template, for http://box/nextcloud +- name: Install /etc/{{ apache_conf_dir }}/nextcloud.conf from template, for http://box{{ nextcloud_url }} # http://box/nextcloud template: src: nextcloud.conf.j2 dest: "/etc/{{ apache_conf_dir }}/nextcloud.conf" # apache2/sites-available on debuntu diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml index 5c3b2772f..b8091cae4 100644 
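Review bot: The rewritten unarchive task still streams `latest.tar.bz2` straight from `nextcloud_dl_url` with `remote_src: yes` and no integrity check, so whatever the download host (or an HTTP mirror, per the commented alternative in defaults) serves is extracted as the web-server user, and the version that was installed is not recorded anywhere. Nextcloud publishes a .sha256 alongside each tarball; downloading with `get_url` and its `checksum:` parameter, then unarchiving the verified local file, pins what gets extracted, as sketched below. The placeholders need real values; `<DOWNLOAD_DIR>` should be whatever cache directory the project already uses.
```yaml
# … unchanged: 'Create dir {{ nextcloud_root_dir }}' task …

- name: Download {{ nextcloud_dl_url }}, verifying its published SHA-256
  get_url:
    url: "{{ nextcloud_dl_url }}"
    dest: "<DOWNLOAD_DIR>/nextcloud-latest.tar.bz2"
    # placeholder -- a pinned digest, or the URL of the .sha256 file published next to the tarball
    checksum: "sha256:<DIGEST_OR_SHA256_FILE_URL>"
  when: internet_available

- name: Unarchive the verified tarball to {{ nextcloud_root_dir }} ({{ apache_user }}:{{ apache_user }})
  unarchive:
    remote_src: yes
    src: "<DOWNLOAD_DIR>/nextcloud-latest.tar.bz2"
    dest: "{{ nextcloud_root_dir }}"   # /library/www/nextcloud
    owner: "{{ apache_user }}"
    group: "{{ apache_user }}"
    extra_opts: --strip-components=1

# … unchanged: include_tasks: setup.yml and the nextcloud.conf template task …
```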
--- a/roles/nextcloud/tasks/main.yml +++ b/roles/nextcloud/tasks/main.yml @@ -44,9 +44,15 @@ value: Nextcloud - option: description value: '"Nextcloud is a local server-based facility for sharing files, photos, contacts, calendars, etc."' - - option: nextcloud_prefix - value: "{{ nextcloud_prefix }}" + - option: nextcloud_dl_url + value: "{{ nextcloud_dl_url }}" - option: nextcloud_url value: "{{ nextcloud_url }}" + - option: nextcloud_base_dir + value: "{{ nextcloud_base_dir }}" + - option: nextcloud_root_dir + value: "{{ nextcloud_root_dir }}" + - option: nextcloud_data_dir + value: "{{ nextcloud_data_dir }}" - option: nextcloud_enabled value: "{{ nextcloud_enabled }}" diff --git a/roles/nextcloud/tasks/setup.yml b/roles/nextcloud/tasks/setup.yml index 6e659a1b5..7688e3e66 100644 --- a/roles/nextcloud/tasks/setup.yml +++ b/roles/nextcloud/tasks/setup.yml 
@@ -14,26 +14,47 @@ - localhost -#- name: Install {{ nextcloud_prefix }}/nextcloud/config/autoconfig.php from template +# https://docs.nextcloud.com/server/18/admin_manual/installation/command_line_installation.html +- name: Create data dir {{ nextcloud_data_dir }} + file: + state: directory + path: "{{ nextcloud_data_dir }}" # /library/nextcloud/data NOT USED BY NEXTCLOUD AS OF 2020-02-15 ...Nextcloud defaults to /opt/nextcloud/data OR /library/www/html/nextcloud/data ?? + owner: "{{ apache_user }}" + group: "{{ apache_user }}" + # mode: '0750' + +# 1 of 3: Very Old Way... from OwnCloud days +#- name: Install {{ nextcloud_root_dir }}/config/autoconfig.php from template # template: # src: autoconfig.php.j2 -# dest: "{{ nextcloud_prefix }}/nextcloud/config/autoconfig.php" +# dest: "{{ nextcloud_root_dir }}/config/autoconfig.php" # owner: "{{ apache_user }}" # group: "{{ apache_user }}" # mode: '0640' +# 2 of 3: Another Possible Way... not quite ready for prime time +# - name: Set 'datadirectory' to {{ nextcloud_data_dir }} in {{ nextcloud_root_dir }}/config/config.php +# lineinfile: +# path: "{{ nextcloud_root_dir }}/config/config.php" +# regexp: "^ 'datadirectory' => " +# insertafter: '^\$CONFIG = array \(' +# line: " 'datadirectory' => '{{ nextcloud_data_dir }}'," -- name: Determine if Nextcloud is installed (causes install wizard to fail) +# 2020-02-16: SHOULD THIS STANZA GO AWAY IN FUTURE, in favor of 'nextcloud_installed is undefined' test below? +- name: Use php to determine if Nextcloud is installed (causes install wizard to fail) shell: > - php {{ nextcloud_prefix }}/nextcloud/occ status | + php {{ nextcloud_root_dir }}/occ status | gawk '/installed:/ { print $3 }' become: yes become_user: "{{ apache_user }}" register: returned -- name: Run Nextcloud initial install wizard (if absolutely nec, manually drop MySQL db '{{ nextcloud_dbname }}') +# 3 of 3: New Way In 2020... 
use --data-dir "{{ nextcloud_data_dir }}" +# https://docs.nextcloud.com/server/18/admin_manual/installation/command_line_installation.html +# https://docs.nextcloud.com/server/18/admin_manual/configuration_server/occ_command.html#command-line-installation-label +- name: Run Nextcloud initial install wizard, seeding data dir {{ nextcloud_data_dir }} (IF THIS FAILS, CONSIDER MANUALLY DROPPING MySQL db '{{ nextcloud_dbname }}' THEN RERUN THIS) shell: > - cd {{ nextcloud_prefix }}/nextcloud; + cd {{ nextcloud_root_dir }}; php occ maintenance:install --database "mysql" --database-name "{{ nextcloud_dbname }}" @@ -41,8 +62,10 @@ --database-pass "{{ nextcloud_dbpassword }}" --admin-user "{{ nextcloud_admin_user }}" --admin-pass "{{ nextcloud_admin_password }}" + --data-dir "{{ nextcloud_data_dir }}" become: yes become_user: "{{ apache_user }}" + #when: nextcloud_installed is undefined when: returned.stdout == "false" # and nextcloud_enabled @@ -55,6 +78,6 @@ line: 'clear_env = no' - name: 'Allow Nextcloud access from all hosts and IP addresses (SEE ALSO: /etc/apache2/sites-available/nextcloud.conf)' - command: php {{ nextcloud_prefix }}/nextcloud/occ config:system:set trusted_domains 1 --value=* + command: php {{ nextcloud_root_dir }}/occ config:system:set trusted_domains 1 --value=* become: yes become_user: "{{ apache_user }}" diff --git a/roles/nextcloud/templates/nextcloud-nginx.conf.j2 b/roles/nextcloud/templates/nextcloud-nginx.conf.j2 index 564ae072d..8723cb7e5 100644 --- a/roles/nextcloud/templates/nextcloud-nginx.conf.j2 +++ b/roles/nextcloud/templates/nextcloud-nginx.conf.j2 
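Review bot: The `occ maintenance:install` shell task passes `--database-pass "{{ nextcloud_dbpassword }}"` and `--admin-pass "{{ nextcloud_admin_password }}"` on the command line and has no `no_log`, so both secrets end up in the task's registered result and in any verbose or logged run; add `no_log: true` to that task. The rewritten `Use php to determine if Nextcloud is installed` task is a pipeline ending in gawk, so if `php {{ nextcloud_root_dir }}/occ status` fails (missing PHP module, wrong path) the task still succeeds with empty stdout, `returned.stdout == "false"` is not met, and the installer is silently skipped; add `failed_when: returned.stdout not in ['true', 'false']` so a broken occ stops the run. The `trusted_domains 1 --value=*` context line is pre-existing, but since this series also makes Apache grant all addresses, a comment there noting that the wildcard disables Nextcloud's host-header check would help the next reader.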
@@ -1,4 +1,9 @@ -location ^~ /nextcloud { +# 2020-02-16: Customized from template...thanks to @m_anish: +# +# https://docs.nextcloud.com/server/18/admin_manual/installation/nginx.html#nextcloud-in-a-subdir-of-nginx +# https://docs.nextcloud.com/server/18/admin_manual/installation/nginx.html#nextcloud-in-the-webroot-of-nginx + +location ^~ {{ nextcloud_url }} { ## Add headers to serve security related headers ## Before enabling Strict-Transport-Security headers please read into this @@ -25,7 +30,8 @@ location ^~ /nextcloud { #fastcgi_hide_header X-Powered-By; # Path to the root of your installation - root {{ doc_root }}/; # /library/www/html + #root {{ nextcloud_root_dir }}; # /library/www/nextcloud IN FUTURE ?? + root {{ nextcloud_base_dir }}; # /library/www == {{ doc_base }} FOR NOW location = /nextcloud/robots.txt { allow all; @@ -65,7 +71,7 @@ location ^~ /nextcloud { # This module is currently not supported. #pagespeed off; - location /nextcloud/ { + location /nextcloud { rewrite ^ /nextcloud/index.php; } @@ -117,7 +123,7 @@ location ^~ /nextcloud { # # THESE 1 + 6 ALSO APPEAR ~100 LINES ABOVE # - add_header Referrer-Policy "no-referrer" always; + #add_header Referrer-Policy "no-referrer" always; add_header X-Content-Type-Options "nosniff" always; add_header X-Download-Options "noopen" always; add_header X-Frame-Options "SAMEORIGIN" always; diff --git a/roles/nextcloud/templates/nextcloud.conf.j2 b/roles/nextcloud/templates/nextcloud.conf.j2 index 0f2aee4f6..6d742da74 100644 --- a/roles/nextcloud/templates/nextcloud.conf.j2 +++ b/roles/nextcloud/templates/nextcloud.conf.j2 @@ -1,8 +1,10 @@ # Ansible template that becomes /etc/apache2/sites-available/nextcloud.conf -Alias {{ nextcloud_url }} {{ nextcloud_prefix }}/nextcloud +Alias {{ nextcloud_url }} {{ nextcloud_root_dir }} +# Alias {{ nextcloud_url }} [[ nextcloud_prefix ]]/nextcloud - + +# # 2019-09-04 commenting out towards future removal #Options -Indexes 
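Review bot: Commenting out `add_header Referrer-Policy "no-referrer" always;` in the inner location removes that header from every response served there, not just the duplicate: nginx inherits `add_header` from the enclosing level only when the current level sets none, and this block still sets the other six, so the outer copy (the "~100 LINES ABOVE" one the comment refers to) is not applied here. Restore the line, or drop all seven from this level so inheritance applies — the half-measure is the one combination that loses the header, and Nextcloud's admin overview flags a missing Referrer-Policy. Second, `location ^~ {{ nextcloud_url }}` is now variable-driven while `location = /nextcloud/robots.txt`, `location /nextcloud {` and `rewrite ^ /nextcloud/index.php;` stay hard-coded, so changing nextcloud_url produces a half-templated config; either template them all or pin it with a comment such as `# NOTE: this template assumes nextcloud_url is /nextcloud`. Lastly, `root {{ nextcloud_base_dir }}` (/library/www) means the install's `data/` and `config/` sit under the served root; the `deny all` location for those paths is outside this hunk, so please confirm it survives the rename.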
From b29f1ab42e1da8be9fd94e6e3521e234b73a3ff5 Mon Sep 17 00:00:00 2001 From: root Date: Sun, 16 Feb 2020 21:00:32 -0500 Subject: [PATCH 14/15] Clean out bitrot --- roles/nextcloud/tasks/setup.yml | 3 +- roles/nextcloud/templates/nextcloud.conf.j2 | 36 --------------------- 2 files changed, 1 insertion(+), 38 deletions(-) diff --git a/roles/nextcloud/tasks/setup.yml b/roles/nextcloud/tasks/setup.yml index 7688e3e66..dbede553e 100644 --- a/roles/nextcloud/tasks/setup.yml +++ b/roles/nextcloud/tasks/setup.yml @@ -18,10 +18,9 @@ - name: Create data dir {{ nextcloud_data_dir }} file: state: directory - path: "{{ nextcloud_data_dir }}" # /library/nextcloud/data NOT USED BY NEXTCLOUD AS OF 2020-02-15 ...Nextcloud defaults to /opt/nextcloud/data OR /library/www/html/nextcloud/data ?? + path: "{{ nextcloud_data_dir }}" # /library/www/nextcloud/data owner: "{{ apache_user }}" group: "{{ apache_user }}" - # mode: '0750' # 1 of 3: Very Old Way... from OwnCloud days #- name: Install {{ nextcloud_root_dir }}/config/autoconfig.php from template diff --git a/roles/nextcloud/templates/nextcloud.conf.j2 b/roles/nextcloud/templates/nextcloud.conf.j2 index 6d742da74..7f36683c3 100644 --- a/roles/nextcloud/templates/nextcloud.conf.j2 +++ b/roles/nextcloud/templates/nextcloud.conf.j2 @@ -1,12 +1,8 @@ # Ansible template that becomes /etc/apache2/sites-available/nextcloud.conf Alias {{ nextcloud_url }} {{ nextcloud_root_dir }} -# Alias {{ nextcloud_url }} [[ nextcloud_prefix ]]/nextcloud -# - # 2019-09-04 commenting out towards future removal - #Options -Indexes Options +FollowSymlinks AllowOverride All @@ -15,9 +11,6 @@ Alias {{ nextcloud_url }} {{ nextcloud_root_dir }} # Apache 2.4 # http://httpd.apache.org/docs/2.4/mod/mod_authz_core.html - # 2019-09-04 commenting out towards future removal - #Require host localhost - {% if True %} {# 2020-02-15: Condition WAS... nextcloud_allow_public_ips #} # PERMIT ACCESS FROM ALL IPv4 ADDRESSES: Require all granted 
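Review bot: Dropping `# mode: '0750'` leaves the `Create data dir {{ nextcloud_data_dir }}` task with no `mode:`, so the directory is created with the default umask (typically 0755), world-readable, and inside the served tree at /library/www/nextcloud/data. Make it an active parameter rather than deleting the hint: `mode: '0750'`; I believe Nextcloud's own checks also warn when the data directory is readable by other users, so verify on a fresh install whether the default mode surfaces as an admin warning. The rest of this hunk is a comment fix and the nextcloud.conf.j2 hunk is pure cleanup.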
@@ -34,33 +27,4 @@ Alias {{ nextcloud_url }} {{ nextcloud_root_dir }} #Require ip 127.0.0.1 {{ lan_ip }}/{{ lan_netmask }} {{ nextcloud_required_ip }} {{ openvpn_server_virtual_ip }}/255.255.255.0 - # 2019-09-04 commenting out towards future removal - # - ## Apache 2.2 - #Order Deny,Allow - #Deny from all - #Allow from 127.0.0.1 - #Allow from ::1 - # - # - #ErrorDocument 404 /core/templates/404.php - # - # 2019-09-04 commenting out towards future removal - # - #php_value upload_max_filesize 512M - #php_value post_max_size 512M - #php_value memory_limit 512M - #php_value mbstring.func_overload 0 - # - # - #SetEnv htaccessWorking true - # - # - #ModPagespeed Off - # - # - #RewriteEngine on - #RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization},last] - #RewriteRule ^\.well-known/carddav /remote.php/carddav/ [R] - #RewriteRule ^\.well-known/caldav /remote.php/caldav/ [R] From 7d4b6385aeba2d0fa56af5ebb4003c2974db155c Mon Sep 17 00:00:00 2001 From: A Holt Date: Sun, 16 Feb 2020 23:13:08 -0500 Subject: [PATCH 15/15] Fix timestamps @ roles/nginx/README.md --- roles/nginx/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/nginx/README.md b/roles/nginx/README.md index c44210946..c12df574c 100644 --- a/roles/nginx/README.md +++ b/roles/nginx/README.md @@ -10,7 +10,7 @@ 2. Without PHP available via FastCGI, any function at all for PHP-based applications validates NGINX. -3. Current state of IIAB App/Service migrations as of 2020-02-14: +3. Current state of IIAB App/Service migrations as of 2020-02-16: 1. These support "Native" NGINX but ***NOT*** Apache * Admin Console @@ -46,4 +46,4 @@ * openvpn [*] * pbx [*] -[*] The 5 above starred roles could use improvement, as of 2020-02-15. +[*] The 5 above starred roles could use improvement, as of 2020-02-16.