
Nextcloud tuneup for NGINX

This commit is contained in:
root 2020-02-15 22:49:27 -05:00
parent fd26d794fa
commit cf7f776003
21 changed files with 319 additions and 324 deletions


@ -37,11 +37,11 @@
include_tasks: validate_vars.yml
# SEE: https://github.com/iiab/iiab/blob/master/roles/nginx/README.md
- name: "apache_install is currently '{{ apache_install }}' and apache_enabled is currently '{{ apache_enabled }}'. Now let's set 'apache_install: True' and 'apache_enabled: True' if NGINX is set not to be enabled OR if any of {DokuWiki, Elgg, Lokole, Moodle, Nextcloud, Node-RED} are set to install."
- name: "apache_install is currently '{{ apache_install }}' and apache_enabled is currently '{{ apache_enabled }}'. Now let's set 'apache_install: True' and 'apache_enabled: True' if NGINX is set not to be enabled OR if any of {Elgg, Lokole, Moodle, Node-RED} are set to install."
set_fact:
apache_install: True
apache_enabled: True
when: not nginx_enabled or dokuwiki_install or elgg_install or lokole_install or moodle_install or nextcloud_install or nodered_install
when: not nginx_enabled or elgg_install or lokole_install or moodle_install or nodered_install
#
#- name: "Verify 'apache_install: True' and 'apache_enabled: True' if any of {DokuWiki, Elgg, Lokole, Moodle, Nextcloud, Node-RED} are set to install"
# assert:


@ -7,15 +7,12 @@
# apache_port: 8090 # NGINX proxies to this IP address, for legacy IIAB services still requiring Apache
# apache_interface: 127.0.0.1
# For schools that use WordPress/Nextcloud/Moodle intensively: iiab/iiab#1147
# apache_high_php_limits: False
# WARNING: Enabling this might cause excess use of RAM/disk or other resources!
# SO AFTER INSTALLING IIAB, VERIFY THAT THESE 5 SETTINGS...
# https://github.com/iiab/iiab/blob/master/roles/httpd/tasks/enable.yml#L1-L14
# ...ARE SUITABLE FOR YOUR HARDWARE IN /etc/php/<VERSION>/apache2/php.ini
# Make this False to disable http://box/common/services/power_off.php button:
# apache_allow_sudo: True
# All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
# If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
# 2020-02-15: apache_high_php_limits deprecated...
# Please instead set 'nginx_high_php_limits: True' in /etc/iiab/local_vars.yml


@ -1,4 +1,4 @@
# If using Moodle intensively, consider setting apache_high_php_limits in:
# If using Moodle intensively, consider setting nginx_high_php_limits in:
# /etc/iiab/local_vars.yml
# moodle_install: False


@ -25,7 +25,7 @@ The Nextcloud suite is divided into three main categories:
To further refine Nextcloud access controls based on IPv4 addresses, you can edit `/etc/apache2/sites-available/nextcloud.conf` _after_ it's created by this template: [/opt/iiab/iiab/roles/nextcloud/templates/nextcloud.conf.j2](https://github.com/iiab/iiab/blob/master/roles/nextcloud/templates/nextcloud.conf.j2)
(3) Strongly consider also setting `apache_high_php_limits: True` in the 3-BASE-SERVER section of /etc/iiab/local_vars.yml, to allocate important RAM/resources to PHP. Of course, enabling this might cause excess use of RAM/disk or other resources if not calibrated to your hardware and network! So _after_ install is complete, verify and evaluate these 5 settings in /etc/php/[ACTUAL PHP VERSION]/apache2/php.ini:
(3) Strongly consider also setting `nginx_high_php_limits: True` in the 3-BASE-SERVER section of /etc/iiab/local_vars.yml, to allocate important RAM/resources to PHP. Of course, enabling this might cause excess use of RAM/disk or other resources if not calibrated to your hardware and network! So _after_ install is complete, verify and evaluate these 5 settings in /etc/php/[ACTUAL PHP VERSION]/apache2/php.ini:
- upload_max_filesize
- post_max_size


@ -1,4 +1,4 @@
# If using Nextcloud intensively, consider setting apache_high_php_limits in:
# If using Nextcloud intensively, consider setting nginx_high_php_limits in:
# /etc/iiab/local_vars.yml
# nextcloud_install: False
@ -15,29 +15,19 @@
# REMOVE /opt/nextcloud/version.php TO FORCE AN INSTALL OR REINSTALL OR UPGRADE
nextcloud_url: /nextcloud
nextcloud_prefix: /opt
nextcloud_data_dir: "{{ content_base }}/nextcloud/data" # /library/nextcloud/data
nextcloud_prefix: "{{ doc_root }}" # /library/www/html (WAS /opt)
nextcloud_data_dir: "{{ content_base }}/nextcloud/data" # /library/nextcloud/data BUT NOT USED BY NEXTCLOUD AS OF 2020-02-15, so it defaults to /opt/nextcloud/data ??
# 2020-01-07: If installing IIAB often, download.nextcloud.com may throttle
# you to ~100 kbit/sec, delaying your IIAB install by an hour or more (#2112).
# The following line can avoid that: (but might install an older Nextcloud!)
# nextcloud_dl_url: http://d.iiab.io/packages
nextcloud_dl_url: https://download.nextcloud.com/server/releases
# For OLD OS's where PHP 7.1+ isn't detected -- e.g. Raspbian 9, Debian 9, Ubuntu 16.04
nextcloud_orig_src_file_old: latest-15.tar.bz2
nextcloud_src_file_old: nextcloud_{{ nextcloud_orig_src_file_old }}
# For NEW OS's where PHP 7.1+ is auto-detected -- e.g. Raspbian 10, Debian 10 & Ubuntu 18.04
nextcloud_orig_src_file: latest.tar.bz2
nextcloud_src_file: nextcloud_{{ nextcloud_orig_src_file }}
# nextcloud_dl_url: http://d.iiab.io/packages/latest.tar.bz2
nextcloud_dl_url: https://download.nextcloud.com/server/releases/latest.tar.bz2
# We install on MySQL with these settings:
nextcloud_dbname: nextcloud
nextcloud_dbhost: localhost
nextcloud_dbuser: nextcloud
nextcloud_dbpassword: nextcloudmysql
nextcloud_user: nextcloud
nextcloud_user_password: nextcloudmysql
nextcloud_admin_user: 'Admin'
nextcloud_admin_password: 'changeme'
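Review bot: With `nextcloud_prefix: "{{ doc_root }}"` and the next line's own admission that `nextcloud_data_dir` is no longer consumed, Nextcloud's data directory ends up at `{{ doc_root }}/nextcloud/data`, i.e. inside the web root, which Nextcloud's installer warns against because a single missing web-server rule exposes user files and the `.htaccess`-based protection does not apply under nginx. In this commit the `deny all` regex for `data/` in the nginx template becomes the only barrier, and the Apache vhost used when `apache_installed` would need an equivalent rule, which I cannot see here. Suggest wiring the variable back in by passing `--data-dir "{{ nextcloud_data_dir }}"` to `php occ maintenance:install` in setup.yml and re-enabling the commented 'Create data dir' task in install.yml, so `/library/nextcloud/data` stays outside `doc_root`. The trailing `??` on that comment should then become a definite statement either way.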


@ -1,183 +1,74 @@
# CHECK FOR PHP VERSION AUTOMATICALLY, TO DETERMINE WHICH NEXTCLOUD TO INSTALL.
# INSPIRED BY: github.com/iiab/iiab/blob/master/roles/nodejs/tasks/main.yml#L10-L54
- name: Try to run 'php -v' to get PHP version
# e.g. converts multi-line "PHP 7.0.33-0ubuntu0.16.04.5 (cli) ( NTS ) ..." to "7.0.33"
shell: php -v | head -1 | sed 's/^[^0-9.]*//' | sed 's/[^0-9.].*//'
register: php_version_installed
#ignore_errors: yes # NOT NEC: if php is not installed, php_version_installed.stdout will get set to ""
#- debug:
# var: php_version_installed
# NOTE: this could easily be made to work even if PHP was not installed, e.g.
# by pre-initializing variable 'php_new' to False here. But trapping the
# absence of PHP (below) is a useful software safety precondition!
#
#- name: Initialize var 'php_new' to False
# set_fact:
# php_new: False
- name: INTENTIONALLY FAIL, IF PHP (Nextcloud prerequisite) ISN'T INSTALLED
fail:
msg: >
Nextcloud install cannot proceed, as it requires PHP be installed first.
Note that as of 2019-07-04, IIAB takes care of this by forcing vars
mysql_install and mysql_enabled to True in
/opt/iiab/iiab/roles/0-init/tasks/main.yml, which in turn forces the
installation of PHP in /opt/iiab/iiab/roles/mysql/tasks/main.yml, as
invoked by /opt/iiab/iiab/roles/3-base-server/tasks/main.yml
when: php_version_installed.stdout == ""
- name: Set var 'php_new' indicating if installed version of PHP ({{ php_version_installed.stdout }}) >= 7.1, as required by Nextcloud 16
set_fact:
php_new: "{{ php_version_installed.stdout is version('7.1', '>=') }}"
# Ansible's Version Comparison routine:
# https://docs.ansible.com/ansible/latest/user_guide/playbooks_tests.html#version-comparison
when: php_version_installed.stdout != "" # i.e. IF ABOVE 'php -v' WORKED
#- debug:
# var: php_new
- name: Download {{ nextcloud_dl_url }}/{{ nextcloud_orig_src_file_old }} to {{ downloads_dir }}/{{ nextcloud_src_file_old }} on older OS's lacking PHP 7.1+
get_url:
url: "{{ nextcloud_dl_url }}/{{ nextcloud_orig_src_file_old }}"
dest: "{{ downloads_dir }}/{{ nextcloud_src_file_old }}"
timeout: "{{ download_timeout }}"
force: yes
#validate_certs: False # TEMPORARY ON/AFTER 2018-07-22 AS download.nextcloud.com CERT EXPIRED: https://github.com/iiab/iiab/issues/954
#async: 1800
#poll: 10
when: internet_available and not php_new
#when: internet_available and nextcloud_force_install and (is_debian_9 or is_raspbian_9 or is_ubuntu_16)
- name: Download {{ nextcloud_dl_url }}/{{ nextcloud_orig_src_file }} to {{ downloads_dir }}/{{ nextcloud_src_file }} on newer OS's that have PHP 7.1+
get_url:
url: "{{ nextcloud_dl_url }}/{{ nextcloud_orig_src_file }}"
dest: "{{ downloads_dir }}/{{ nextcloud_src_file }}"
timeout: "{{ download_timeout }}"
force: yes
#validate_certs: False # TEMPORARY ON/AFTER 2018-07-22 AS download.nextcloud.com CERT EXPIRED: https://github.com/iiab/iiab/issues/954
#async: 1800
#poll: 10
when: internet_available and php_new
#when: internet_available and nextcloud_force_install and not (is_debian_9 or is_raspbian_9 or is_ubuntu_16)
# Ubuntu and Debian treat names differently
- name: Install 4 php packages (debian/raspian)
# https://docs.nextcloud.com/server/18/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation
- name: Install ffmpeg + libxml2 + 21 php packages
package:
name:
- "libapache2-mod-php{{ php_version }}"
- "php{{ php_version }}-imagick"
- "php{{ php_version }}-mbstring"
- "php{{ php_version }}-zip"
state: present
when: is_debian | bool
# Ubuntu and Debian treat names differently
- name: Install 4 php packages (ubuntu)
package:
name:
- libapache2-mod-php
- php-imagick
#- dnsutils # NOT REQUESTED by Nextcloud
- ffmpeg # Optional (for preview generation)
- libxml2 # php-libxml requires libxml2 >= 2.7.0
#- libapache2-mod-php # 2020-02-15: NO LONGER NEEDED?
- php-bz2 # Optional (for extraction of apps)
#- php-cli # NOT REQUESTED by Nextcloud
#- php-common # NOT REQUESTED by Nextcloud
- php-ctype
- php-curl
- php-dom
- php-exif # Optional (for image rotation in pictures app)
- php-fileinfo # Optional (enhances file analysis performance)
- php-fpm # Optional (FastCGI Process Manager)
- php-gd
- php-gmp # Optional (for SFTP storage)
- php-iconv
- php-imagick # Optional (for preview generation)
- php-intl # Optional (increases language translation performance and fixes sorting of non-ASCII characters)
- php-json
#- php-libxml # NOT INSTALLABLE: ENABLED BY DEFAULT (https://www.php.net/manual/en/libxml.installation.php)
- php-mbstring
- php-mysql
#- php-openssl # NOT INSTALLABLE: ENABLED BY DEFAULT?
#- php-pdo_mysql # NOT INSTALLABLE: php-mysql handles this on all OS's?
- php-posix
#- php-redis # @m-anish future work?
#- php-session # NOT INSTALLABLE: ENABLED BY DEFAULT?
- php-simplexml
- php-smbclient # Optional (SMB/CIFS integration
#- php-xml # NOT REQUESTED by Nextcloud
- php-xmlreader
- php-xmlwriter
- php-zip
#- php-zlib # NOT INSTALLABLE: ENABLED BY DEFAULT?
state: present
when: is_ubuntu | bool
- name: Install 5 more php packages (debuntu)
package:
name:
- "php{{ php_version }}-gd"
- "php{{ php_version }}-json"
- "php{{ php_version }}-mysql"
- "php{{ php_version }}-curl"
- "php{{ php_version }}-intl"
state: present
when: is_debuntu | bool
- name: 'Install php{{ php_version }}-mcrypt IF this is a "pre-2018" distro in the debuntu family. NOTE: PHP 7.1 deprecated mcrypt 1-Dec-2016 and PHP 7.2 dropped it completely 30-Nov-2017, as it should no longer be nec.'
package:
name: "php{{ php_version }}-mcrypt"
state: present
when: is_debian_8 or is_debian_9 or is_ubuntu_16 or is_ubuntu_17
# NOT NEC TO TEST FOR is_raspbian_8 OR is_raspbian_9 AS /opt/iiab/iiab/vars/<OS>.yml
# DEFINES THESE AS SUBSETS OF is_debian_8 OR is_debian_9 (FOR NOW!)
## we need to install the rpm in order to get the dependencies
## but we only need to do this the first time
#
#- name: Install 7 php packages (redhat)
# package:
# name:
# - php
# - php-gd
# - php-json
# - php-mysql
# - php-curl
# - php-intl
# - php-mcrypt
# # CentOS does not have a package for php-imagick
# #- php-imagick
# state: present
# when: is_redhat | bool
- name: Unarchive {{ nextcloud_src_file_old }} to permanent location {{ nextcloud_prefix }}/nextcloud on older OS's lacking PHP 7.1+ # i.e. unpack nextcloud_latest-15.tar.bz2 to /opt/nextcloud
unarchive:
src: "{{ downloads_dir }}/{{ nextcloud_src_file_old }}"
dest: "{{ nextcloud_prefix }}"
#creates: "{{ nextcloud_prefix }}/nextcloud/version.php"
when: not php_new
#when: nextcloud_force_install and (is_debian_9 or is_raspbian_9 or is_ubuntu_16)
- name: Unarchive {{ nextcloud_src_file }} to permanent location {{ nextcloud_prefix }}/nextcloud on newer OS's that have PHP 7.1+ # i.e. unpack nextcloud_latest-16.tar.bz2 to /opt/nextcloud
unarchive:
src: "{{ downloads_dir }}/{{ nextcloud_src_file }}"
dest: "{{ nextcloud_prefix }}"
#creates: "{{ nextcloud_prefix }}/nextcloud/version.php"
when: php_new | bool
#when: nextcloud_force_install and not (is_debian_9 or is_raspbian_9 or is_ubuntu_16)
#- name: Create dir /etc/nextcloud (centos) for a subsequent config dir that's symlinked to /etc/nextcloud ?
# file:
# path: /etc/nextcloud
# state: directory
# when: is_centos | bool
#
#- name: Install {{ nextcloud_prefix }}/nextcloud/config/autoconfig.php from template (centos)
# template:
# src: autoconfig.php.j2
# dest: "{{ nextcloud_prefix }}/nextcloud/config/autoconfig.php"
# owner: "{{ apache_user }}"
# group: "{{ apache_user }}"
# mode: '0640'
# when: is_centos | bool
- name: chown -R {{ apache_user }}:{{ apache_user }} {{ nextcloud_prefix }}/nextcloud
- name: Create dir {{ nextcloud_prefix }}{{ nextcloud_url }}
file:
path: "{{ nextcloud_prefix }}/nextcloud" # /opt
owner: "{{ apache_user }}"
group: "{{ apache_user }}"
recurse: yes
state: directory
path: "{{ nextcloud_prefix }}{{ nextcloud_url }}" # /library/www/html + /nextcloud
- name: Create data directory {{ nextcloud_data_dir }}
file:
path: "{{ nextcloud_data_dir }}" # /opt/nextcloud/data
owner: "{{ apache_user }}"
- name: Unarchive {{ nextcloud_dl_url }} to {{ nextcloud_prefix }}{{ nextcloud_url }} ({{ apache_user }}:{{ apache_user }})
unarchive:
remote_src: yes
src: "{{ nextcloud_dl_url }}"
dest: "{{ nextcloud_prefix }}{{ nextcloud_url }}" # /library/www/html + /nextcloud
owner: "{{ apache_user }}" # apache2 on debuntu
group: "{{ apache_user }}"
mode: '0750'
state: directory
extra_opts: --strip-components=1
when: internet_available
- name: Install Apache's nextcloud.conf from template, for http://box/nextcloud
# - name: "NOT USED FOR NOW: Create data dir {{ nextcloud_data_dir }}"
# file:
# state: directory
# path: "{{ nextcloud_data_dir }}" # /library/nextcloud/data NOT USED BY NEXTCLOUD AS OF 2020-02-15 ...Nextcloud defaults to /opt/nextcloud/data OR /library/www/html/nextcloud/data ??
# owner: "{{ apache_user }}"
# group: "{{ apache_user }}"
# mode: '0750'
- name: Provision Nextcloud's MySQL DB, run Nextcloud's install wizard, etc
include_tasks: setup.yml
- name: Install /etc/{{ apache_conf_dir }}/nextcloud.conf from template, for http://box/nextcloud
template:
src: nextcloud.conf.j2
dest: "/etc/{{ apache_conf_dir }}/nextcloud.conf"
- name: Provision Nextcloud's MySQL DB, run Nextcloud's install wizard etc
include_tasks: setup.yml
dest: "/etc/{{ apache_conf_dir }}/nextcloud.conf" # apache2/sites-available on debuntu
when: apache_installed | bool
# RECORD Nextcloud AS INSTALLED
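Review bot: The `unarchive` task with `remote_src: yes` pulls `{{ nextcloud_dl_url }}` and unpacks it straight into the web root with no integrity check, and since the vars hunk now points that URL at the unpinned `latest.tar.bz2`, what gets deployed is neither verified nor reproducible between two installs; the commented `http://d.iiab.io/packages/latest.tar.bz2` alternative in default_vars.yml would make the same unverified tarball arrive over plain HTTP. The previous `get_url` path had no checksum either, so this is not a regression, but moving to a local download plus `checksum:` is cheap now that there is a single URL. Note the vars hunk also dropped `nextcloud_src_file`, so a local filename variable would have to come back; the digest variable below is a constructed name and must be published alongside the pinned release.

```yaml
- name: Download {{ nextcloud_dl_url }} to {{ downloads_dir }}/{{ nextcloud_src_file }}
  get_url:
    url: "{{ nextcloud_dl_url }}"
    dest: "{{ downloads_dir }}/{{ nextcloud_src_file }}"
    checksum: "sha256:{{ nextcloud_sha256 }}"  # constructed var: digest of the pinned release
    timeout: "{{ download_timeout }}"
  when: internet_available

- name: Unarchive {{ nextcloud_src_file }} to {{ nextcloud_prefix }}{{ nextcloud_url }} ({{ apache_user }}:{{ apache_user }})
  unarchive:
    src: "{{ downloads_dir }}/{{ nextcloud_src_file }}"
    dest: "{{ nextcloud_prefix }}{{ nextcloud_url }}"
    # … unchanged: owner, group, mode, extra_opts …
```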


@ -22,14 +22,11 @@
- name: Install Nextcloud if 'nextcloud_installed' not defined, e.g. in {{ iiab_state_file }} # /etc/iiab/iiab_state.yml
include_tasks: install.yml
when: nextcloud_installed is undefined
#
# ABOVE install.yml RUNS setup.yml
#- name: Enable/Disable/Restart Apache if primary
- name: SHIM FOR NOW SO ALWAYS DO THE...Enable/Disable/Restart Apache
- name: Enable/Disable/Restart Apache if primary
include_tasks: apache.yml
#when: not nginx_enabled
when: not nginx_enabled
- name: Enable/Disable/Restart NGINX if primary
include_tasks: nginx.yml
@ -47,11 +44,9 @@
value: Nextcloud
- option: description
value: '"Nextcloud is a local server-based facility for sharing files, photos, contacts, calendars, etc."'
- option: path
value: "{{ nextcloud_prefix }}/nextcloud"
- option: nextcloud_orig_src_file
value: "{{ nextcloud_orig_src_file }}"
- option: nextcloud_src_file
value: "{{ nextcloud_src_file }}"
- option: nextcloud_prefix
value: "{{ nextcloud_prefix }}"
- option: nextcloud_url
value: "{{ nextcloud_url }}"
- option: nextcloud_enabled
value: "{{ nextcloud_enabled }}"


@ -10,7 +10,10 @@
state: absent
when: not nextcloud_enabled
- name: Restart 'nginx' systemd service
- name: Restart 'nginx' & 'php{{ php_version }}-fpm' systemd services
systemd:
name: nginx
name: "{{ item }}"
state: restarted
with_items:
- nginx
- "php{{ php_version }}-fpm"
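Review bot: `state: restarted` over `with_items` restarts both nginx and php-fpm on every play run, whether or not any configuration changed; the same unconditional restart appears in the new `Restart 'php{{ php_version }}-fpm'` task in www_back_end/tasks/main.yml. Prefer having the tasks that actually write config (the nextcloud.conf template, the php.ini and www.conf `lineinfile` edits) `notify` a handler, so services bounce only when needed, and `state: reloaded` is enough for nginx's own config. The enclosing file is outside this hunk, so I cannot tell whether a handler already exists.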


@ -9,13 +9,21 @@
password: "{{ nextcloud_dbpassword }}"
priv: "{{ nextcloud_dbname }}.*:ALL,GRANT"
with_items:
- "{{ nextcloud_dbhost }}"
- 127.0.0.1
- ::1
- localhost
# The install wizard fails if already installed.
- name: Determine if Nextcloud is installed
#- name: Install {{ nextcloud_prefix }}/nextcloud/config/autoconfig.php from template
# template:
# src: autoconfig.php.j2
# dest: "{{ nextcloud_prefix }}/nextcloud/config/autoconfig.php"
# owner: "{{ apache_user }}"
# group: "{{ apache_user }}"
# mode: '0640'
- name: Determine if Nextcloud is installed (causes install wizard to fail)
shell: >
php {{ nextcloud_prefix }}/nextcloud/occ status |
gawk '/installed:/ { print $3 }'
@ -23,7 +31,7 @@
become_user: "{{ apache_user }}"
register: returned
- name: Run Nextcloud initial install wizard
- name: Run Nextcloud initial install wizard (if absolutely nec, manually drop MySQL db '{{ nextcloud_dbname }}')
shell: >
cd {{ nextcloud_prefix }}/nextcloud;
php occ maintenance:install
@ -35,52 +43,18 @@
--admin-pass "{{ nextcloud_admin_password }}"
become: yes
become_user: "{{ apache_user }}"
when: nextcloud_enabled and returned.stdout == "false"
when: returned.stdout == "false" # and nextcloud_enabled
# https://docs.nextcloud.com/server/18/admin_manual/installation/source_installation.html#php-fpm-configuration-notes
- name: Set 'clear_env = no' in /etc/php/{{ php_version }}/fpm/pool.d/www.conf
lineinfile:
path: "/etc/php/{{ php_version }}/fpm/pool.d/www.conf"
regexp: '^clear_env'
insertafter: ';.*clear_env'
line: 'clear_env = no'
# RELATED: /etc/apache2/sites-available/nextcloud.conf sourced from
# https://github.com/iiab/iiab/blob/master/roles/nextcloud/templates/nextcloud.conf.j2
- name: 'Allow Nextcloud access from all hosts and IP addresses (SEE ALSO: /etc/apache2/sites-available/nextcloud.conf)'
command: php {{ nextcloud_prefix }}/nextcloud/occ config:system:set trusted_domains 1 --value=*
become: yes
become_user: "{{ apache_user }}"
when: nextcloud_enabled and returned.stdout == "false"
# Code below was NEVER RUNNING as of 2018-10-29, as "wc | cut -d' ' -f1" ALWAYS
# returns null (rather than the intended returned_count !) This line could
# be replaced by ALTERNATIVE 1 or ALTERNATIVE 2 below IF it truly needs fixing.
#
# Or perhaps default user/password nextcloud/nextcloudmysql (from variables
# nextcloud_user/nextcloud_user_password) is just not needed in the end...
#
# NOTE: COMMENTS (FOLLOWING '#' SIGN) WITHIN A SHELL COMMAND CAUSE IT TO *FAIL*
#
#- name: Determine if Nextcloud user exists already
# shell: >
# php {{ nextcloud_prefix }}/nextcloud/occ user:list |
# grep {{ nextcloud_user }} | wc | cut -d' ' -f1 # USELESS
# #grep {{ nextcloud_user }} | wc -l # ALTERNATIVE 1
# #grep {{ nextcloud_user }} | wc | awk '{print $1}' # ALTERNATIVE 2
# become: yes
# become_user: "{{ apache_user }}"
# register: returned_count
#
# debug:
# var: returned_count
#
## nextcloud wants to make users rather than just mysql users and not done
#- name: Create the default user
# shell: >
# OC_PASS={{ nextcloud_user_password }};
# php {{ nextcloud_prefix }}/nextcloud/occ user:add
# --password-from-env --display-name={{ nextcloud_user }}
# --group="users" {{ nextcloud_user }}
# become: yes
# become_user: "{{ apache_user }}"
# when: nextcloud_enabled and returned_count == "0"
# 2019-09-04: NEXT 5 LINES APPEAR INEFFECTIVE DURING 1ST INSTALL? (possibly "overwrite.cli.url" appears later, when Nextcloud's web install completes using http://box/nextcloud ?)
- name: Try to remove overwrite.cli.url line (Rewrite URL) from /opt/nextcloud/config/config.php
lineinfile:
regexp: "overwrite.cli.url"
state: absent
path: "{{ nextcloud_prefix }}/nextcloud/config/config.php"
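Review bot: `line: 'clear_env = no'` in the `lineinfile` task hands the php-fpm master's entire environment to every script served by the shared `www` pool, not just Nextcloud; any other PHP app that later lands in the same pool inherits whatever that environment happens to contain. The linked Nextcloud note only needs PATH and friends to be visible, and the same pool file supports that selectively by uncommenting the explicit entries, e.g. `env[PATH] = /usr/local/bin:/usr/bin:/bin` (and `env[HOSTNAME]`, `env[TMP]`, `env[TMPDIR]`, `env[TEMP]` as shipped), so only named variables pass through. If `clear_env = no` is kept deliberately, say so in the comment above the task. The rest of setup.yml is outside the hunk.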


@ -1,10 +1,137 @@
location {{ nextcloud_url }} {
proxy_pass http://127.0.0.1:{{ apache_port }}{{ nextcloud_url }};
}
location ^~ /nextcloud {
location ~ {{ nextcloud_url }}/.*\.php$ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:{{ apache_port }};
## Add headers to serve security related headers
## Before enabling Strict-Transport-Security headers please read into this
## topic first.
##add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
##
## WARNING: Only add the preload option once you read about
## the consequences in https://hstspreload.org/. This option
## will add the domain to a hardcoded list that is shipped
## in all major browsers and getting removed from this list
## could take several months.
#
# THESE 1 + 6 ALSO APPEAR ~100 LINES BELOW
#
#add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
## Remove X-Powered-By, which is an information leak
#fastcgi_hide_header X-Powered-By;
# Path to the root of your installation
root {{ doc_root }}/; # /library/www/html
location = /nextcloud/robots.txt {
allow all;
log_not_found off;
access_log off;
}
# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
# The following rule is only needed for the Social app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
location = /nextcloud/.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location = /nextcloud/.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
# set max upload size
client_max_body_size 512M;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
location /nextcloud/ {
rewrite ^ /nextcloud/index.php;
}
location ~ ^\/nextcloud\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
deny all;
}
location ~ ^\/nextcloud\/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^\/nextcloud\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
#fastcgi_param HTTPS on;
# Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
# Enable pretty urls
fastcgi_param front_controller_active true;
fastcgi_pass php;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ ^\/nextcloud\/(?:updater|oc[ms]-provider)(?:$|\/) {
try_files $uri/ =404;
index index.php;
}
# Adding the cache control header for js, css and map files
# Make sure it is BELOW the PHP block
location ~ ^\/nextcloud\/.+[^\/]\.(?:css|js|woff2?|svg|gif|map)$ {
try_files $uri /nextcloud/index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
# Add headers to serve security related headers (It is intended to
# have those duplicated to the ones above)
# Before enabling Strict-Transport-Security headers please read into
# this topic first.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
#
# THESE 1 + 6 ALSO APPEAR ~100 LINES ABOVE
#
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Optional: Don't log access to assets
access_log off;
}
location ~ ^\/nextcloud\/.+[^\/]\.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
try_files $uri /nextcloud/index.php$request_uri;
# Optional: Don't log access to other assets
access_log off;
}
}
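Review bot: `fastcgi_param modHeadersAvailable true;` in the PHP location tells Nextcloud to stop emitting its own security headers because nginx supplies them, but that location defines no `add_header` of its own and so inherits only the six active ones from the enclosing `location ^~ /nextcloud` block, where `#add_header Referrer-Policy "no-referrer" always;` is commented out; only the css/js asset block sets it. Every dynamic response therefore ships without a Referrer-Policy at all — uncomment it: `add_header Referrer-Policy "no-referrer" always;`. Separately, the two `.well-known` redirects return `$scheme://$host/remote.php/dav`, dropping the `/nextcloud` prefix this install lives under, so CalDAV/CardDAV autodiscovery will 404; they should read `return 301 $scheme://$host/nextcloud/remote.php/dav;`. The block also hardcodes `/nextcloud` throughout while the sibling Apache-proxy template uses `{{ nextcloud_url }}`, so changing that var would silently desync the two.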


@ -0,0 +1,10 @@
location {{ nextcloud_url }} {
proxy_pass http://127.0.0.1:{{ apache_port }}{{ nextcloud_url }};
}
location ~ {{ nextcloud_url }}/.*\.php$ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:{{ apache_port }};
}


@ -28,6 +28,7 @@
* kolibri
* mediawiki
* munin
* nextcloud
* sugarizer
* wordpress
@ -35,7 +36,6 @@
* elgg
* lokole
* moodle
* nextcloud ([PR #2119](https://github.com/iiab/iiab/pull/2119)) [*]
* nodered
4. These each run their own web server or non-web / backend services, e.g. off of their own [unique port(s)](https://github.com/iiab/iiab/wiki/IIAB-Networking#list-of-ports--services) (IIAB home pages link directly to these destinations). In future we'd like mnemonic URL's for all of these: (e.g. http://box/calibre, http://box/archive, http://box/kalite)
@ -46,4 +46,4 @@
* openvpn [*]
* pbx [*]
[*] The 6 above starred roles could use improvement, as of 2020-02-14.
[*] The 5 above starred roles could use improvement, as of 2020-02-15.


@ -10,5 +10,8 @@
# nginx_conf_dir: /etc/nginx/conf.d
# nginx_log_dir: /var/log/nginx
# For schools that use WordPress/Nextcloud/Moodle intensively:
# nginx_high_php_limits: False
# All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
# If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!


@ -1,4 +1,4 @@
# If using WordPress intensively, consider setting apache_high_php_limits in:
# If using WordPress intensively, consider setting nginx_high_php_limits in:
# /etc/iiab/local_vars.yml
# wordpress_install: False


@ -9,23 +9,28 @@
- include_tasks: php-stem.yml
# 2020-02-12: DOES THE FLAG BELOW (apache_high_php_limits) WORK WITH NGINX TOO?
# COMPARE apache_allow_sudo @ roles/www_front_end/tasks/main.yml
# For schools that use WordPress/Nextcloud/Moodle intensively. iiab/iiab#1147
# WARNING: Enabling this might cause excess use of RAM/disk or other resources!
- name: Enact high limits in /etc/php/{{ php_version }}/{{ apache_service }}/php.ini if using WordPress/Nextcloud/Moodle intensively
- name: Enact high limits in /etc/php/{{ php_version }}/fpm/php.ini if using WordPress/Nextcloud/Moodle intensively
lineinfile:
path: "/etc/php/{{ php_version }}/{{ apache_service }}/php.ini"
path: "/etc/php/{{ php_version }}/fpm/php.ini"
#path: "/etc/php/{{ php_version }}/{{ apache_service }}/php.ini"
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
when: apache_high_php_limits | bool
with_items:
- { regexp: '^upload_max_filesize', line: 'upload_max_filesize = 500M ; default is 2M' }
- { regexp: '^post_max_size', line: 'post_max_size = 500M ; default is 8M' }
- { regexp: '^memory_limit', line: 'memory_limit = 256M ; default is 128M / Nextcloud requests 512M' }
- { regexp: '^memory_limit', line: 'memory_limit = 512M ; default is 128M / Nextcloud requests 512M' }
- { regexp: '^max_execution_time', line: 'max_execution_time = 300 ; default is 30' }
- { regexp: '^max_input_time', line: 'max_input_time = 300 ; default is 60' }
when: nginx_high_php_limits | bool
- name: Restart 'php{{ php_version }}-fpm' systemd services
systemd:
name: "php{{ php_version }}-fpm"
state: restarted
- name: Create dir {{ doc_root }}/home -- if you customized var iiab_home_url e.g. in /etc/iiab/local_vars.yml, that dir is created later -- by www_front_end/tasks/main.yml
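Review bot: Switching `path:` to `/etc/php/{{ php_version }}/fpm/php.ini` means the `apache2/php.ini` is no longer touched, yet the task name and the comment above it still promise high limits for WordPress/Moodle, which, going by the 0-init hunk at the top of this commit, still appear to be served by Apache (inferred, not visible here). If so, `nginx_high_php_limits: True` silently stops affecting those apps; either loop over both SAPIs' php.ini (e.g. a second `with_items` dimension over `fpm` and `{{ apache_service }}`, guarded by `apache_installed`) or narrow the task name and README wording to Nextcloud/php-fpm. Also note `memory_limit = 512M` now applies to every script in the fpm pool, not only Nextcloud, which the 'Nextcloud requests 512M' comment should make explicit. The unconditional php-fpm restart that follows is covered in the nginx.yml note.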


@ -29,7 +29,7 @@
# gives more details here: http://FAQ.IIAB.IO
# 2020-02-12: DOES THE FLAG BELOW (apache_allow_sudo) WORK WITH NGINX TOO ?
# COMPARE apache_high_php_limits @ roles/www_back_end/tasks/main.yml
# COMPARE nginx_high_php_limits @ roles/www_back_end/tasks/main.yml
- name: Give {{ apache_user }} (per variable apache_user) permission to poweroff, installing /etc/sudoers.d/020_apache_poweroff from template
template:


@ -236,6 +236,12 @@ exFAT_enabled: True
admin_console_install: True
admin_console_enabled: True
# MySQL MANDATORY - THESE 2 VARS HAVE NO EFFECT - SEE roles/0-init/tasks/main.yml & roles/mysql/tasks/main.yml
mysql_install: True
mysql_enabled: True
# mysql_root_password: $6$iiab51$3ICIW0CLWxxMW2a3yrHZ38ukZItD5tcadL4rWcE9D.qIGStxhh8rRsaSxoj3b.MYxI/VRDNjpzSYK/V6zkWFI0
mysql_root_password: fixmysql
# 2019-01-13: IIAB's use of NGINX is still evolving -- please review this
# evolving doc: https://github.com/iiab/iiab/blob/master/roles/nginx/README.md
nginx_install: True
@ -244,6 +250,13 @@ nginx_port: 80
nginx_interface: 0.0.0.0
nginx_conf_dir: /etc/nginx/conf.d
nginx_log_dir: /var/log/nginx
#
# For schools that use WordPress/Nextcloud/Moodle intensively:
nginx_high_php_limits: False
# WARNING: Enabling this might cause excess use of RAM/disk or other resources!
# SO AFTER INSTALLING IIAB, VERIFY THAT THESE 5 SETTINGS...
# https://github.com/iiab/iiab/blob/master/roles/www_back_end/tasks/main.yml#L23-L27
# ...ARE SUITABLE FOR YOUR HARDWARE, for: /etc/php/<VERSION>/fpm/php.ini
# See also Apache vars {default_language, language_priority} @ top of this file
apache_install: True
@ -253,22 +266,9 @@ apache_enabled: False
apache_port: 8090
apache_interface: 127.0.0.1 # 2020-01-13: Var unused
#
# For schools that use WordPress/Nextcloud/Moodle intensively: iiab/iiab#1147
apache_high_php_limits: False
# WARNING: Enabling this might cause excess use of RAM/disk or other resources!
# SO AFTER INSTALLING IIAB, VERIFY THAT THESE 5 SETTINGS...
# https://github.com/iiab/iiab/blob/master/roles/httpd/tasks/main.yml#L80-L84
# ...ARE SUITABLE FOR YOUR HARDWARE IN /etc/php/<VERSION>/apache2/php.ini
#
# Make this False to disable http://box/common/services/power_off.php button:
apache_allow_sudo: True
# MySQL MANDATORY - THESE 2 VARS HAVE NO EFFECT - SEE roles/0-init/tasks/main.yml & roles/mysql/tasks/main.yml
mysql_install: True
mysql_enabled: True
# mysql_root_password: $6$iiab51$3ICIW0CLWxxMW2a3yrHZ38ukZItD5tcadL4rWcE9D.qIGStxhh8rRsaSxoj3b.MYxI/VRDNjpzSYK/V6zkWFI0
mysql_root_password: fixmysql
# 4-SERVER-OPTIONS
@ -399,7 +399,7 @@ nodered_port: 1880
nodered_web_path: nodered
# Store your docs, calendar, contacts & photos on your local server not cloud!
# If using WordPress intensively, set apache_high_php_limits in 3-BASE-SERVER
# If using WordPress intensively, set nginx_high_php_limits in 3-BASE-SERVER
nextcloud_install: False
nextcloud_enabled: False
nextcloud_allow_public_ips: False
@ -409,7 +409,7 @@ nextcloud_allow_public_ips: False
# 2020-01-07: If installing IIAB often, download.nextcloud.com may throttle
# you to ~100 kbit/sec, delaying your IIAB install by an hour or more (#2112).
# Uncomment the following line to end that: (might install an older Nextcloud!)
# nextcloud_dl_url: http://d.iiab.io/packages
# nextcloud_dl_url: http://d.iiab.io/packages/latest.tar.bz2
# A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX.
# Works on Ubuntu 18.04, Debian 9 w/ Node.js 10.x. Experimental on RPi 3.
@ -421,7 +421,7 @@ pbx_signaling_ports_chan_pjsip: "5060"
pbx_data_ports: "10000:20000"
pbx_http_port: 83
# If using WordPress intensively, set apache_high_php_limits in 3-BASE-SERVER
# If using WordPress intensively, set nginx_high_php_limits in 3-BASE-SERVER
wordpress_install: False
wordpress_enabled: False
@ -452,7 +452,7 @@ iiab_zim_path: "{{ content_base }}/zims" # /library/zims
moodle_install: False
moodle_enabled: False
# If using Moodle intensively, set apache_high_php_limits in 3-BASE-SERVER
# If using Moodle intensively, set nginx_high_php_limits in 3-BASE-SERVER
# MongoDB (/library/dbdata/mongodb) greatly enhances the Sugarizer experience.
# This role was formerly installed by roles/sugarizer/meta/main.yml


@ -136,20 +136,20 @@ pi_swap_file_size: 1024
# 3-BASE-SERVER
# See also Apache vars {default_language, language_priority} @ top of this file
#
# For schools that use WordPress/Nextcloud/Moodle intensively: iiab/iiab#1147
apache_high_php_limits: False
# roles/mysql runs here (mandatory)
# For schools that use WordPress/Nextcloud/Moodle intensively:
nginx_high_php_limits: False
# WARNING: Enabling this might cause excess use of RAM/disk or other resources!
# SO AFTER INSTALLING IIAB, VERIFY THAT THESE 5 SETTINGS...
# https://github.com/iiab/iiab/blob/master/roles/httpd/tasks/main.yml#L80-L84
# ...ARE SUITABLE FOR YOUR HARDWARE IN /etc/php/<VERSION>/apache2/php.ini
# https://github.com/iiab/iiab/blob/master/roles/www_back_end/tasks/main.yml#L23-L27
# ...ARE SUITABLE FOR YOUR HARDWARE, for: /etc/php/<VERSION>/fpm/php.ini
# See also Apache vars {default_language, language_priority} @ top of this file
#
# Make this False to disable http://box/common/services/power_off.php button:
apache_allow_sudo: True
# roles/mysql runs here (mandatory)
# 4-SERVER-OPTIONS
@ -236,7 +236,7 @@ nodered_install: True
nodered_enabled: True
# Store your docs, calendar, contacts & photos on your local server not cloud!
# If using WordPress intensively, set apache_high_php_limits in 3-BASE-SERVER
# If using WordPress intensively, set nginx_high_php_limits in 3-BASE-SERVER
nextcloud_install: True
nextcloud_enabled: True
nextcloud_allow_public_ips: False
@ -246,7 +246,7 @@ nextcloud_allow_public_ips: False
# 2020-01-07: If installing IIAB often, download.nextcloud.com may throttle
# you to ~100 kbit/sec, delaying your IIAB install by an hour or more (#2112).
# Uncomment the following line to end that: (might install an older Nextcloud!)
# nextcloud_dl_url: http://d.iiab.io/packages
# nextcloud_dl_url: http://d.iiab.io/packages/latest.tar.bz2
# A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX.
# Works on Ubuntu 18.04, Debian 9 w/ Node.js 10.x. Experimental on RPi 3.
@ -254,7 +254,7 @@ pbx_install: False
pbx_enabled: False
asterisk_chan_dongle: False
# If using WordPress intensively, set apache_high_php_limits in 3-BASE-SERVER
# If using WordPress intensively, set nginx_high_php_limits in 3-BASE-SERVER
wordpress_install: True
wordpress_enabled: True
@ -278,7 +278,7 @@ kiwix_enabled: True
# Warning: Moodle is a serious LMS, that takes a while to install
moodle_install: True
moodle_enabled: True
# If using Moodle intensively, set apache_high_php_limits in 3-BASE-SERVER
# If using Moodle intensively, set nginx_high_php_limits in 3-BASE-SERVER
# Regional OSM vector maps use far less disk space than bitmap/raster versions.
# Instructions: https://github.com/iiab/iiab/wiki/IIAB-Maps


@ -136,20 +136,20 @@ pi_swap_file_size: 1024
# 3-BASE-SERVER
# See also Apache vars {default_language, language_priority} @ top of this file
#
# For schools that use WordPress/Nextcloud/Moodle intensively: iiab/iiab#1147
apache_high_php_limits: False
# roles/mysql runs here (mandatory)
# For schools that use WordPress/Nextcloud/Moodle intensively:
nginx_high_php_limits: False
# WARNING: Enabling this might cause excess use of RAM/disk or other resources!
# SO AFTER INSTALLING IIAB, VERIFY THAT THESE 5 SETTINGS...
# https://github.com/iiab/iiab/blob/master/roles/httpd/tasks/main.yml#L80-L84
# ...ARE SUITABLE FOR YOUR HARDWARE IN /etc/php/<VERSION>/apache2/php.ini
# https://github.com/iiab/iiab/blob/master/roles/www_back_end/tasks/main.yml#L23-L27
# ...ARE SUITABLE FOR YOUR HARDWARE, for: /etc/php/<VERSION>/fpm/php.ini
# See also Apache vars {default_language, language_priority} @ top of this file
#
# Make this False to disable http://box/common/services/power_off.php button:
apache_allow_sudo: True
# roles/mysql runs here (mandatory)
# 4-SERVER-OPTIONS
@ -236,7 +236,7 @@ nodered_install: False
nodered_enabled: False
# Store your docs, calendar, contacts & photos on your local server not cloud!
# If using WordPress intensively, set apache_high_php_limits in 3-BASE-SERVER
# If using WordPress intensively, set nginx_high_php_limits in 3-BASE-SERVER
nextcloud_install: True
nextcloud_enabled: True
nextcloud_allow_public_ips: False
@ -246,7 +246,7 @@ nextcloud_allow_public_ips: False
# 2020-01-07: If installing IIAB often, download.nextcloud.com may throttle
# you to ~100 kbit/sec, delaying your IIAB install by an hour or more (#2112).
# Uncomment the following line to end that: (might install an older Nextcloud!)
# nextcloud_dl_url: http://d.iiab.io/packages
# nextcloud_dl_url: http://d.iiab.io/packages/latest.tar.bz2
# A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX.
# Works on Ubuntu 18.04, Debian 9 w/ Node.js 10.x. Experimental on RPi 3.
@ -254,7 +254,7 @@ pbx_install: False
pbx_enabled: False
asterisk_chan_dongle: False
# If using WordPress intensively, set apache_high_php_limits in 3-BASE-SERVER
# If using WordPress intensively, set nginx_high_php_limits in 3-BASE-SERVER
wordpress_install: True
wordpress_enabled: True
@ -278,7 +278,7 @@ kiwix_enabled: True
# Warning: Moodle is a serious LMS, that takes a while to install
moodle_install: False
moodle_enabled: False
# If using Moodle intensively, set apache_high_php_limits in 3-BASE-SERVER
# If using Moodle intensively, set nginx_high_php_limits in 3-BASE-SERVER
# Regional OSM vector maps use far less disk space than bitmap/raster versions.
# Instructions: https://github.com/iiab/iiab/wiki/IIAB-Maps


@ -136,20 +136,20 @@ pi_swap_file_size: 1024
# 3-BASE-SERVER
# See also Apache vars {default_language, language_priority} @ top of this file
#
# For schools that use WordPress/Nextcloud/Moodle intensively: iiab/iiab#1147
apache_high_php_limits: False
# roles/mysql runs here (mandatory)
# For schools that use WordPress/Nextcloud/Moodle intensively:
nginx_high_php_limits: False
# WARNING: Enabling this might cause excess use of RAM/disk or other resources!
# SO AFTER INSTALLING IIAB, VERIFY THAT THESE 5 SETTINGS...
# https://github.com/iiab/iiab/blob/master/roles/httpd/tasks/main.yml#L80-L84
# ...ARE SUITABLE FOR YOUR HARDWARE IN /etc/php/<VERSION>/apache2/php.ini
# https://github.com/iiab/iiab/blob/master/roles/www_back_end/tasks/main.yml#L23-L27
# ...ARE SUITABLE FOR YOUR HARDWARE, for: /etc/php/<VERSION>/fpm/php.ini
# See also Apache vars {default_language, language_priority} @ top of this file
#
# Make this False to disable http://box/common/services/power_off.php button:
apache_allow_sudo: True
# roles/mysql runs here (mandatory)
# 4-SERVER-OPTIONS
@ -236,7 +236,7 @@ nodered_install: False
nodered_enabled: False
# Store your docs, calendar, contacts & photos on your local server not cloud!
# If using WordPress intensively, set apache_high_php_limits in 3-BASE-SERVER
# If using WordPress intensively, set nginx_high_php_limits in 3-BASE-SERVER
nextcloud_install: False
nextcloud_enabled: False
nextcloud_allow_public_ips: False
@ -246,7 +246,7 @@ nextcloud_allow_public_ips: False
# 2020-01-07: If installing IIAB often, download.nextcloud.com may throttle
# you to ~100 kbit/sec, delaying your IIAB install by an hour or more (#2112).
# Uncomment the following line to end that: (might install an older Nextcloud!)
# nextcloud_dl_url: http://d.iiab.io/packages
# nextcloud_dl_url: http://d.iiab.io/packages/latest.tar.bz2
# A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX.
# Works on Ubuntu 18.04, Debian 9 w/ Node.js 10.x. Experimental on RPi 3.
@ -254,7 +254,7 @@ pbx_install: False
pbx_enabled: False
asterisk_chan_dongle: False
# If using WordPress intensively, set apache_high_php_limits in 3-BASE-SERVER
# If using WordPress intensively, set nginx_high_php_limits in 3-BASE-SERVER
wordpress_install: False
wordpress_enabled: False
@ -278,7 +278,7 @@ kiwix_enabled: True
# Warning: Moodle is a serious LMS, that takes a while to install
moodle_install: False
moodle_enabled: False
# If using Moodle intensively, set apache_high_php_limits in 3-BASE-SERVER
# If using Moodle intensively, set nginx_high_php_limits in 3-BASE-SERVER
# Regional OSM vector maps use far less disk space than bitmap/raster versions.
# Instructions: https://github.com/iiab/iiab/wiki/IIAB-Maps
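Review bot: The 3-BASE-SERVER block at L880-L891 now documents PHP as running under php-fpm (`/etc/php/<VERSION>/fpm/php.ini`) yet keeps `apache_allow_sudo: True` with a comment that only mentions the power_off.php button, so a reader can no longer tell which service account receives the sudo grant or whether it still has anything to do with Apache. Because the template ships this enabled, the comment should state the account and the rule it installs (the role that applies it is not visible from this hunk) and spell out the risk, e.g. `# WARNING: presumably grants the web-server user sudo so power_off.php can halt the box -- set False unless you need the button`. Separately, the 'See also Apache vars' pointer now appears twice in the block (L875 and L888); if L875 is retained context rather than a removed line, one copy should go.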