diff --git a/roles/0-init/tasks/main.yml b/roles/0-init/tasks/main.yml index 0fcc4e3de..b017a837a 100644 --- a/roles/0-init/tasks/main.yml +++ b/roles/0-init/tasks/main.yml @@ -37,11 +37,11 @@ include_tasks: validate_vars.yml # SEE: https://github.com/iiab/iiab/blob/master/roles/nginx/README.md -- name: "apache_install is currently '{{ apache_install }}' and apache_enabled is currently '{{ apache_enabled }}'. Now let's set 'apache_install: True' and 'apache_enabled: True' if NGINX is set not to be enabled OR if any of {DokuWiki, Elgg, Lokole, Moodle, Nextcloud, Node-RED} are set to install." +- name: "apache_install is currently '{{ apache_install }}' and apache_enabled is currently '{{ apache_enabled }}'. Now let's set 'apache_install: True' and 'apache_enabled: True' if NGINX is set not to be enabled OR if any of {Elgg, Lokole, Moodle, Node-RED} are set to install." set_fact: apache_install: True apache_enabled: True - when: not nginx_enabled or dokuwiki_install or elgg_install or lokole_install or moodle_install or nextcloud_install or nodered_install + when: not nginx_enabled or elgg_install or lokole_install or moodle_install or nodered_install # #- name: "Verify 'apache_install: True' and 'apache_enabled: True' if any of {DokuWiki, Elgg, Lokole, Moodle, Nextcloud, Node-RED} are set to install" # assert: diff --git a/roles/httpd/defaults/main.yml b/roles/httpd/defaults/main.yml index a1196888d..f728ffca8 100644 --- a/roles/httpd/defaults/main.yml +++ b/roles/httpd/defaults/main.yml 
@@ -7,15 +7,12 @@ # apache_port: 8090 # NGINX proxies to this IP address, for legacy IIAB services still requiring Apache # apache_interface: 127.0.0.1 -# For schools that use WordPress/Nextcloud/Moodle intensively: iiab/iiab#1147 -# apache_high_php_limits: False -# WARNING: Enabling this might cause excess use of RAM/disk or other resources! -# SO AFTER INSTALLING IIAB, VERIFY THAT THESE 5 SETTINGS... -# https://github.com/iiab/iiab/blob/master/roles/httpd/tasks/enable.yml#L1-L14 -# ...ARE SUITABLE FOR YOUR HARDWARE IN /etc/php//apache2/php.ini - # Make this False to disable http://box/common/services/power_off.php button: # apache_allow_sudo: True # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing! + + +# 2020-02-15: apache_high_php_limits deprecated... +# Please instead set 'nginx_high_php_limits: True' in /etc/iiab/local_vars.yml diff --git a/roles/moodle/defaults/main.yml b/roles/moodle/defaults/main.yml index 1c9fe47d2..c7d758108 100644 --- a/roles/moodle/defaults/main.yml +++ b/roles/moodle/defaults/main.yml @@ -1,4 +1,4 @@ -# If using Moodle intensively, consider setting apache_high_php_limits in: +# If using Moodle intensively, consider setting nginx_high_php_limits in: # /etc/iiab/local_vars.yml # moodle_install: False diff --git a/roles/nextcloud/README.md b/roles/nextcloud/README.md index d47739523..d36618a2b 100644 --- a/roles/nextcloud/README.md +++ b/roles/nextcloud/README.md 
@@ -19,13 +19,13 @@ The Nextcloud suite is divided into three main categories: nextcloud_install: True nextcloud_enabled: True -(2) If you want to access Nextcloud from IPv4 addresses across the public Internet, then also set: +(2) If you want to access Nextcloud from IPv4 addresses across the public Internet, then also set: nextcloud_allow_public_ips: True -To further refine Nextcloud access controls based on IPv4 addresses, you can edit `/etc/apache2/sites-available/nextcloud.conf` _after_ it's created by this template: [/opt/iiab/iiab/roles/nextcloud/templates/nextcloud.conf.j2](https://github.com/iiab/iiab/blob/master/roles/nextcloud/templates/nextcloud.conf.j2) +To further refine Nextcloud access controls based on IPv4 addresses, you can edit `/etc/apache2/sites-available/nextcloud.conf` _after_ it's created by this template: [/opt/iiab/iiab/roles/nextcloud/templates/nextcloud.conf.j2](https://github.com/iiab/iiab/blob/master/roles/nextcloud/templates/nextcloud.conf.j2) -(3) Strongly consider also setting `apache_high_php_limits: True` in the 3-BASE-SERVER section of /etc/iiab/local_vars.yml, to allocate important RAM/resources to PHP. Of course, enabling this might cause excess use of RAM/disk or other resources if not calibrated to your hardware and network! So _after_ install is complete, verify and evaluate these 5 settings in /etc/php/[ACTUAL PHP VERSION]/apache2/php.ini: +(3) Strongly consider also setting `nginx_high_php_limits: True` in your /etc/iiab/local_vars.yml, to allocate important RAM/resources to PHP. Of course, enabling this might cause excess use of RAM/disk or other resources if not calibrated to your hardware and network! So _after_ install is complete, verify and evaluate these 5 settings in /etc/php/[ACTUAL PHP VERSION]/fpm/php.ini: - upload_max_filesize - post_max_size 
@@ -33,7 +33,7 @@ To further refine Nextcloud access controls based on IPv4 addresses, you can edi - max_execution_time - max_input_time -Useful PHP recommendations for these settings (while largely tailored to WordPress, and aimed at very low-end hardware) can be found here: [/opt/iiab/iiab/roles/httpd/tasks/enable.yml](https://github.com/iiab/iiab/blob/master/roles/httpd/tasks/enable.yml#L1-L14) +Useful PHP recommendations for these settings (while largely tailored to WordPress, and aimed at very low-end hardware) can be found here: [/opt/iiab/iiab/roles/www_front_end/tasks/main.yml#L47-L51](../www_front_end/tasks/main.yml#L47-L51) ## Using It diff --git a/roles/nextcloud/defaults/main.yml b/roles/nextcloud/defaults/main.yml index 102319cb1..19f333409 100644 --- a/roles/nextcloud/defaults/main.yml +++ b/roles/nextcloud/defaults/main.yml 
@@ -1,46 +1,51 @@ -# If using Nextcloud intensively, consider setting apache_high_php_limits in: +# If using Nextcloud intensively, consider setting nginx_high_php_limits in: # /etc/iiab/local_vars.yml # nextcloud_install: False # nextcloud_enabled: False -# nextcloud_allow_public_ips: False - # Configuration tips for IPv4 access controls and tuning RAM/resources: # https://github.com/iiab/iiab/blob/master/roles/nextcloud/README.md # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing! -# REMOVE /opt/nextcloud/version.php TO FORCE AN INSTALL OR REINSTALL OR UPGRADE - -nextcloud_url: /nextcloud -nextcloud_prefix: /opt -nextcloud_data_dir: "{{ content_base }}/nextcloud/data" # /library/nextcloud/data # 2020-01-07: If installing IIAB often, download.nextcloud.com may throttle # you to ~100 kbit/sec, delaying your IIAB install by an hour or more (#2112). # The following line can avoid that: (but might install an older Nextcloud!) -# nextcloud_dl_url: http://d.iiab.io/packages -nextcloud_dl_url: https://download.nextcloud.com/server/releases +# nextcloud_dl_url: http://d.iiab.io/packages/latest.tar.bz2 +nextcloud_dl_url: https://download.nextcloud.com/server/releases/latest.tar.bz2 + +nextcloud_url: /nextcloud + +nextcloud_base_dir: "{{ doc_base }}" # /library/www +#nextcloud_base_dir: "{{ doc_root }}" # /library/www/html +nextcloud_root_dir: "{{ nextcloud_base_dir }}/nextcloud" +# +# 2020-02-16 options... +# /opt/nextcloud <-- Old Nextcloud recommendation +# /var/www/nextcloud <-- Nextcloud recommendation +# /library/nextcloud <-- Old IIAB recommendation +# /library/www/nextcloud <-- IIAB RECOMMENDATION FOR NOW ? +# /library/www/html/nextcloud <-- Bad idea? Security & privacy consequences? +# +# IN ANY CASE, PLEASE VERIFY nextcloud/config/config.php AFTER INSTALLATION! 
+# +# Nextcloud's default for now--OR PUT PERSONAL DATA ON ANOTHER DRIVE/PARTITION: +nextcloud_data_dir: "{{ nextcloud_root_dir }}/data" # /library/www/nextcloud -# For OLD OS's where PHP 7.1+ isn't detected -- e.g. Raspbian 9, Debian 9, Ubuntu 16.04 -nextcloud_orig_src_file_old: latest-15.tar.bz2 -nextcloud_src_file_old: nextcloud_{{ nextcloud_orig_src_file_old }} -# For NEW OS's where PHP 7.1+ is auto-detected -- e.g. Raspbian 10, Debian 10 & Ubuntu 18.04 -nextcloud_orig_src_file: latest.tar.bz2 -nextcloud_src_file: nextcloud_{{ nextcloud_orig_src_file }} # We install on MySQL with these settings: nextcloud_dbname: nextcloud -nextcloud_dbhost: localhost nextcloud_dbuser: nextcloud nextcloud_dbpassword: nextcloudmysql -nextcloud_user: nextcloud -nextcloud_user_password: nextcloudmysql nextcloud_admin_user: 'Admin' nextcloud_admin_password: 'changeme' # 2019-09-04: UNUSED (due to changes in roles/nextcloud/templates/nextcloud.conf.j2) nextcloud_required_ip: 10.0.0.0/8 192.168.0.0/16 + +# 2020-02-15: UNUSED at the time. Legacy remains from Apache: +# nextcloud_allow_public_ips: True diff --git a/roles/nextcloud/tasks/install.yml b/roles/nextcloud/tasks/install.yml index cf1d233a5..3d792401b 100644 --- a/roles/nextcloud/tasks/install.yml +++ b/roles/nextcloud/tasks/install.yml 
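Review bot: The new default `nextcloud_data_dir: "{{ nextcloud_root_dir }}/data"` in roles/nextcloud/defaults/main.yml puts users' files under `{{ doc_base }}` (/library/www per the inline comment), and the NGINX template in this same commit uses that directory as `root`. Whether `/nextcloud/data/` is refused over HTTP then depends entirely on location rules in nextcloud-nginx.conf.j2 that this hunk does not show. Keeping the previous `"{{ content_base }}/nextcloud/data"` as the default would remove that dependency. If the new default stays, a comment directly above it would make the requirement explicit, for example `# data/ lives under the NGINX root: it must stay unreachable over HTTP (confirm the deny rule in nextcloud-nginx.conf.j2)`.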
@@ -1,183 +1,117 @@ # CHECK FOR PHP VERSION AUTOMATICALLY, TO DETERMINE WHICH NEXTCLOUD TO INSTALL. -# INSPIRED BY: github.com/iiab/iiab/blob/master/roles/nodejs/tasks/main.yml#L10-L54 +# INSPIRED BY: github.com/iiab/iiab/blob/master/roles/nodejs/tasks/main.yml -- name: Try to run 'php -v' to get PHP version - # e.g. converts multi-line "PHP 7.0.33-0ubuntu0.16.04.5 (cli) ( NTS ) ..." to "7.0.33" - shell: php -v | head -1 | sed 's/^[^0-9.]*//' | sed 's/[^0-9.].*//' - register: php_version_installed - #ignore_errors: yes # NOT NEC: if php is not installed, php_version_installed.stdout will get set to "" +# - name: Try to run 'php -v' to get PHP version +# # e.g. converts multi-line "PHP 7.0.33-0ubuntu0.16.04.5 (cli) ( NTS ) ..." to "7.0.33" +# shell: php -v | head -1 | sed 's/^[^0-9.]*//' | sed 's/[^0-9.].*//' +# register: php_version_installed +# #ignore_errors: yes # NOT NEC: if php is not installed, php_version_installed.stdout will get set to "" -#- debug: -# var: php_version_installed +# - debug: +# var: php_version_installed -# NOTE: this could easily be made to work even if PHP was not installed, e.g. -# by pre-initializing variable 'php_new' to False here. But trapping the -# absence of PHP (below) is a useful software safety precondition! -# -#- name: Initialize var 'php_new' to False -# set_fact: -# php_new: False +# # NOTE: this could easily be made to work even if PHP was not installed, e.g. +# # by pre-initializing variable 'php_new' to False here. But trapping the +# # absence of PHP (below) is a useful software safety precondition! +# # +# #- name: Initialize var 'php_new' to False +# # set_fact: +# # php_new: False -- name: INTENTIONALLY FAIL, IF PHP (Nextcloud prerequisite) ISN'T INSTALLED - fail: - msg: > - Nextcloud install cannot proceed, as it requires PHP be installed first. 
- Note that as of 2019-07-04, IIAB takes care of this by forcing vars - mysql_install and mysql_enabled to True in - /opt/iiab/iiab/roles/0-init/tasks/main.yml, which in turn forces the - installation of PHP in /opt/iiab/iiab/roles/mysql/tasks/main.yml, as - invoked by /opt/iiab/iiab/roles/3-base-server/tasks/main.yml - when: php_version_installed.stdout == "" +# - name: INTENTIONALLY FAIL, IF PHP (Nextcloud prerequisite) ISN'T INSTALLED +# fail: +# msg: > +# Nextcloud install cannot proceed, as it requires PHP be installed first. +# Note that as of 2019-07-04, IIAB takes care of this by forcing vars +# mysql_install and mysql_enabled to True in +# /opt/iiab/iiab/roles/0-init/tasks/main.yml, which in turn forces the +# installation of PHP in /opt/iiab/iiab/roles/mysql/tasks/main.yml, as +# invoked by /opt/iiab/iiab/roles/3-base-server/tasks/main.yml +# when: php_version_installed.stdout == "" -- name: Set var 'php_new' indicating if installed version of PHP ({{ php_version_installed.stdout }}) >= 7.1, as required by Nextcloud 16 - set_fact: - php_new: "{{ php_version_installed.stdout is version('7.1', '>=') }}" - # Ansible's Version Comparison routine: - # https://docs.ansible.com/ansible/latest/user_guide/playbooks_tests.html#version-comparison - when: php_version_installed.stdout != "" # i.e. IF ABOVE 'php -v' WORKED +# - name: Set var 'php_new' indicating if installed version of PHP ({{ php_version_installed.stdout }}) >= 7.1, as required by Nextcloud 16 +# set_fact: +# php_new: "{{ php_version_installed.stdout is version('7.1', '>=') }}" +# # Ansible's Version Comparison routine: +# # https://docs.ansible.com/ansible/latest/user_guide/playbooks_tests.html#version-comparison +# when: php_version_installed.stdout != "" # i.e. 
IF ABOVE 'php -v' WORKED -#- debug: -# var: php_new +# - debug: +# var: php_new -- name: Download {{ nextcloud_dl_url }}/{{ nextcloud_orig_src_file_old }} to {{ downloads_dir }}/{{ nextcloud_src_file_old }} on older OS's lacking PHP 7.1+ - get_url: - url: "{{ nextcloud_dl_url }}/{{ nextcloud_orig_src_file_old }}" - dest: "{{ downloads_dir }}/{{ nextcloud_src_file_old }}" - timeout: "{{ download_timeout }}" - force: yes - #validate_certs: False # TEMPORARY ON/AFTER 2018-07-22 AS download.nextcloud.com CERT EXPIRED: https://github.com/iiab/iiab/issues/954 - #async: 1800 - #poll: 10 - when: internet_available and not php_new - #when: internet_available and nextcloud_force_install and (is_debian_9 or is_raspbian_9 or is_ubuntu_16) - -- name: Download {{ nextcloud_dl_url }}/{{ nextcloud_orig_src_file }} to {{ downloads_dir }}/{{ nextcloud_src_file }} on newer OS's that have PHP 7.1+ - get_url: - url: "{{ nextcloud_dl_url }}/{{ nextcloud_orig_src_file }}" - dest: "{{ downloads_dir }}/{{ nextcloud_src_file }}" - timeout: "{{ download_timeout }}" - force: yes - #validate_certs: False # TEMPORARY ON/AFTER 2018-07-22 AS download.nextcloud.com CERT EXPIRED: https://github.com/iiab/iiab/issues/954 - #async: 1800 - #poll: 10 - when: internet_available and php_new - #when: internet_available and nextcloud_force_install and not (is_debian_9 or is_raspbian_9 or is_ubuntu_16) - -# Ubuntu and Debian treat names differently -- name: Install 4 php packages (debian/raspian) +# https://docs.nextcloud.com/server/18/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation +- name: Install ffmpeg + libxml2 + 13 php packages package: name: - - "libapache2-mod-php{{ php_version }}" - - "php{{ php_version }}-imagick" - - "php{{ php_version }}-mbstring" - - "php{{ php_version }}-zip" - state: present - when: is_debian | bool - -# Ubuntu and Debian treat names differently -- name: Install 4 php packages (ubuntu) - package: - name: - - libapache2-mod-php - - 
php-imagick + #- dnsutils # NOT REQUESTED by Nextcloud + - ffmpeg # Optional (for preview generation) + - libxml2 # php-libxml requires libxml2 >= 2.7.0 + #- libapache2-mod-php # 2020-02-15: NO LONGER NEEDED? + - php-bz2 # Optional (for extraction of apps) + #- php-cli # NOT REQUESTED by Nextcloud + #- php-common # NOT REQUESTED by Nextcloud + - php-curl + - php-fpm # ALSO INSTALLED IN roles/www_back_end (Stage 3) for nginx_high_php_limits + - php-gd + - php-gmp # Optional (for SFTP storage) + - php-imagick # Optional (for preview generation) + - php-intl # Optional (increases language translation performance and fixes sorting of non-ASCII characters) + - php-json + #- php-libxml # NOT INSTALLABLE: ENABLED BY DEFAULT (https://www.php.net/manual/en/libxml.installation.php) - php-mbstring + - php-mysql + #- php-openssl # NOT INSTALLABLE: ENABLED BY DEFAULT? + #- php-pdo_mysql # NOT INSTALLABLE: php-mysql handles this on all OS's? + #- php-redis # @m-anish future work? + #- php-session # NOT INSTALLABLE: ENABLED BY DEFAULT? + - php-smbclient # Optional (SMB/CIFS integration + - php-xml # NOT FORMALLY REQUESTED by Nextcloud (BUT hopefully delivers php-simplexml if not {php-xmlreader, php-xmlwriter} on Raspbian?) - php-zip + #- php-zlib # NOT INSTALLABLE: ENABLED BY DEFAULT? 
state: present - when: is_ubuntu | bool -- name: Install 5 more php packages (debuntu) +# https://docs.nextcloud.com/server/18/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation +- name: Install 9 additional php packages, if OS is not Raspbian (these are not available on Raspbian on RPi, as of Feb 2020) package: name: - - "php{{ php_version }}-gd" - - "php{{ php_version }}-json" - - "php{{ php_version }}-mysql" - - "php{{ php_version }}-curl" - - "php{{ php_version }}-intl" + - php-ctype + - php-dom + - php-exif # Optional (for image rotation in pictures app) + - php-fileinfo # Optional (enhances file analysis performance) + - php-iconv + - php-posix + - php-simplexml + - php-xmlreader + - php-xmlwriter state: present - when: is_debuntu | bool + when: not is_raspbian -- name: 'Install php{{ php_version }}-mcrypt IF this is a "pre-2018" distro in the debuntu family. NOTE: PHP 7.1 deprecated mcrypt 1-Dec-2016 and PHP 7.2 dropped it completely 30-Nov-2017, as it should no longer be nec.' - package: - name: "php{{ php_version }}-mcrypt" - state: present - when: is_debian_8 or is_debian_9 or is_ubuntu_16 or is_ubuntu_17 - # NOT NEC TO TEST FOR is_raspbian_8 OR is_raspbian_9 AS /opt/iiab/iiab/vars/.yml - # DEFINES THESE AS SUBSETS OF is_debian_8 OR is_debian_9 (FOR NOW!) -## we need to install the rpm in order to get the dependencies -## but we only need to do this the first time -# -#- name: Install 7 php packages (redhat) -# package: -# name: -# - php -# - php-gd -# - php-json -# - php-mysql -# - php-curl -# - php-intl -# - php-mcrypt -# # CentOS does not have a package for php-imagick -# #- php-imagick -# state: present -# when: is_redhat | bool - -- name: Unarchive {{ nextcloud_src_file_old }} to permanent location {{ nextcloud_prefix }}/nextcloud on older OS's lacking PHP 7.1+ # i.e. 
unpack nextcloud_latest-15.tar.bz2 to /opt/nextcloud - unarchive: - src: "{{ downloads_dir }}/{{ nextcloud_src_file_old }}" - dest: "{{ nextcloud_prefix }}" - #creates: "{{ nextcloud_prefix }}/nextcloud/version.php" - when: not php_new - #when: nextcloud_force_install and (is_debian_9 or is_raspbian_9 or is_ubuntu_16) - -- name: Unarchive {{ nextcloud_src_file }} to permanent location {{ nextcloud_prefix }}/nextcloud on newer OS's that have PHP 7.1+ # i.e. unpack nextcloud_latest-16.tar.bz2 to /opt/nextcloud - unarchive: - src: "{{ downloads_dir }}/{{ nextcloud_src_file }}" - dest: "{{ nextcloud_prefix }}" - #creates: "{{ nextcloud_prefix }}/nextcloud/version.php" - when: php_new | bool - #when: nextcloud_force_install and not (is_debian_9 or is_raspbian_9 or is_ubuntu_16) - -#- name: Create dir /etc/nextcloud (centos) for a subsequent config dir that's symlinked to /etc/nextcloud ? -# file: -# path: /etc/nextcloud -# state: directory -# when: is_centos | bool -# -#- name: Install {{ nextcloud_prefix }}/nextcloud/config/autoconfig.php from template (centos) -# template: -# src: autoconfig.php.j2 -# dest: "{{ nextcloud_prefix }}/nextcloud/config/autoconfig.php" -# owner: "{{ apache_user }}" -# group: "{{ apache_user }}" -# mode: '0640' -# when: is_centos | bool - -- name: chown -R {{ apache_user }}:{{ apache_user }} {{ nextcloud_prefix }}/nextcloud +- name: Create dir {{ nextcloud_root_dir }} file: - path: "{{ nextcloud_prefix }}/nextcloud" # /opt - owner: "{{ apache_user }}" - group: "{{ apache_user }}" - recurse: yes state: directory + path: "{{ nextcloud_root_dir }}" # /library/www/nextcloud -- name: Create data directory {{ nextcloud_data_dir }} - file: - path: "{{ nextcloud_data_dir }}" # /opt/nextcloud/data - owner: "{{ apache_user }}" +- name: Unarchive {{ nextcloud_dl_url }} to {{ nextcloud_root_dir }} ({{ apache_user }}:{{ apache_user }}) + unarchive: + remote_src: yes + src: "{{ nextcloud_dl_url }}" + #dest: "{{ nextcloud_base_dir }}" # /library/www + 
dest: "{{ nextcloud_root_dir }}" # /library/www/nextcloud + owner: "{{ apache_user }}" # apache2 on debuntu group: "{{ apache_user }}" - mode: '0750' - state: directory + extra_opts: --strip-components=1 # Or use 'dest: /library/www' above + when: internet_available -- name: Install Apache's nextcloud.conf from template, for http://box/nextcloud +- name: Provision Nextcloud's MySQL DB, run Nextcloud's install wizard, etc + include_tasks: setup.yml + +- name: Install /etc/{{ apache_conf_dir }}/nextcloud.conf from template, for http://box{{ nextcloud_url }} # http://box/nextcloud template: src: nextcloud.conf.j2 - dest: "/etc/{{ apache_conf_dir }}/nextcloud.conf" - - -- name: Provision Nextcloud's MySQL DB, run Nextcloud's install wizard etc - include_tasks: setup.yml + dest: "/etc/{{ apache_conf_dir }}/nextcloud.conf" # apache2/sites-available on debuntu + when: apache_install | bool # RECORD Nextcloud AS INSTALLED diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml index bb69fefe0..b8091cae4 100644 --- a/roles/nextcloud/tasks/main.yml +++ b/roles/nextcloud/tasks/main.yml @@ -22,14 +22,11 @@ - name: Install Nextcloud if 'nextcloud_installed' not defined, e.g. in {{ iiab_state_file }} # /etc/iiab/iiab_state.yml include_tasks: install.yml when: nextcloud_installed is undefined -# -# ABOVE install.yml RUNS setup.yml -#- name: Enable/Disable/Restart Apache if primary -- name: SHIM FOR NOW SO ALWAYS DO THE...Enable/Disable/Restart Apache +- name: Enable/Disable/Restart Apache if primary include_tasks: apache.yml - #when: not nginx_enabled + when: not nginx_enabled - name: Enable/Disable/Restart NGINX if primary include_tasks: nginx.yml 
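Review bot: In roles/nextcloud/tasks/install.yml the new `unarchive` task fetches `{{ nextcloud_dl_url }}` and extracts it straight into `{{ nextcloud_root_dir }}` owned by `{{ apache_user }}`, with no integrity check between download and extraction; the defaults in this commit also keep a commented `http://` mirror for the same variable. Splitting this back into `get_url` with a `checksum:` followed by a local `unarchive` makes a corrupted or substituted tarball fail before any PHP lands in the served tree. A pinned digest implies pinning a release rather than `latest.tar.bz2`, and `nextcloud_dl_sha256` below is a variable proposed here, not one the role defines. Separately, `include_tasks: setup.yml` carries no `when: internet_available`, so an offline run would presumably call `occ` in a directory that was never populated.

```yaml
- name: Download {{ nextcloud_dl_url }} and verify it against a pinned SHA-256
  get_url:
    url: "{{ nextcloud_dl_url }}"
    dest: "{{ downloads_dir }}/nextcloud_latest.tar.bz2"
    checksum: "sha256:{{ nextcloud_dl_sha256 }}"    # proposed new variable
    timeout: "{{ download_timeout }}"
  when: internet_available

- name: Unarchive the verified tarball to {{ nextcloud_root_dir }} ({{ apache_user }}:{{ apache_user }})
  unarchive:
    remote_src: yes
    src: "{{ downloads_dir }}/nextcloud_latest.tar.bz2"
    # … unchanged: dest, owner, group, extra_opts, when …
```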
@@ -47,11 +44,15 @@ value: Nextcloud - option: description value: '"Nextcloud is a local server-based facility for sharing files, photos, contacts, calendars, etc."' - - option: path - value: "{{ nextcloud_prefix }}/nextcloud" - - option: nextcloud_orig_src_file - value: "{{ nextcloud_orig_src_file }}" - - option: nextcloud_src_file - value: "{{ nextcloud_src_file }}" + - option: nextcloud_dl_url + value: "{{ nextcloud_dl_url }}" + - option: nextcloud_url + value: "{{ nextcloud_url }}" + - option: nextcloud_base_dir + value: "{{ nextcloud_base_dir }}" + - option: nextcloud_root_dir + value: "{{ nextcloud_root_dir }}" + - option: nextcloud_data_dir + value: "{{ nextcloud_data_dir }}" - option: nextcloud_enabled value: "{{ nextcloud_enabled }}" diff --git a/roles/nextcloud/tasks/nginx.yml b/roles/nextcloud/tasks/nginx.yml index 80001b232..e2e7db20f 100644 --- a/roles/nextcloud/tasks/nginx.yml +++ b/roles/nextcloud/tasks/nginx.yml @@ -10,7 +10,10 @@ state: absent when: not nextcloud_enabled -- name: Restart 'nginx' systemd service +- name: Restart 'nginx' & 'php{{ php_version }}-fpm' systemd services systemd: - name: nginx + name: "{{ item }}" state: restarted + with_items: + - nginx + - "php{{ php_version }}-fpm" diff --git a/roles/nextcloud/tasks/setup.yml b/roles/nextcloud/tasks/setup.yml index dda083f15..dbede553e 100644 --- a/roles/nextcloud/tasks/setup.yml +++ b/roles/nextcloud/tasks/setup.yml 
@@ -9,23 +9,51 @@ password: "{{ nextcloud_dbpassword }}" priv: "{{ nextcloud_dbname }}.*:ALL,GRANT" with_items: - - "{{ nextcloud_dbhost }}" - 127.0.0.1 - ::1 - localhost -# The install wizard fails if already installed. -- name: Determine if Nextcloud is installed + +# https://docs.nextcloud.com/server/18/admin_manual/installation/command_line_installation.html +- name: Create data dir {{ nextcloud_data_dir }} + file: + state: directory + path: "{{ nextcloud_data_dir }}" # /library/www/nextcloud/data + owner: "{{ apache_user }}" + group: "{{ apache_user }}" + +# 1 of 3: Very Old Way... from OwnCloud days +#- name: Install {{ nextcloud_root_dir }}/config/autoconfig.php from template +# template: +# src: autoconfig.php.j2 +# dest: "{{ nextcloud_root_dir }}/config/autoconfig.php" +# owner: "{{ apache_user }}" +# group: "{{ apache_user }}" +# mode: '0640' + +# 2 of 3: Another Possible Way... not quite ready for prime time +# - name: Set 'datadirectory' to {{ nextcloud_data_dir }} in {{ nextcloud_root_dir }}/config/config.php +# lineinfile: +# path: "{{ nextcloud_root_dir }}/config/config.php" +# regexp: "^ 'datadirectory' => " +# insertafter: '^\$CONFIG = array \(' +# line: " 'datadirectory' => '{{ nextcloud_data_dir }}'," + +# 2020-02-16: SHOULD THIS STANZA GO AWAY IN FUTURE, in favor of 'nextcloud_installed is undefined' test below? +- name: Use php to determine if Nextcloud is installed (causes install wizard to fail) shell: > - php {{ nextcloud_prefix }}/nextcloud/occ status | + php {{ nextcloud_root_dir }}/occ status | gawk '/installed:/ { print $3 }' become: yes become_user: "{{ apache_user }}" register: returned -- name: Run Nextcloud initial install wizard +# 3 of 3: New Way In 2020... 
use --data-dir "{{ nextcloud_data_dir }}" +# https://docs.nextcloud.com/server/18/admin_manual/installation/command_line_installation.html +# https://docs.nextcloud.com/server/18/admin_manual/configuration_server/occ_command.html#command-line-installation-label +- name: Run Nextcloud initial install wizard, seeding data dir {{ nextcloud_data_dir }} (IF THIS FAILS, CONSIDER MANUALLY DROPPING MySQL db '{{ nextcloud_dbname }}' THEN RERUN THIS) shell: > - cd {{ nextcloud_prefix }}/nextcloud; + cd {{ nextcloud_root_dir }}; php occ maintenance:install --database "mysql" --database-name "{{ nextcloud_dbname }}" 
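Review bot: The added "Create data dir {{ nextcloud_data_dir }}" task in roles/nextcloud/tasks/setup.yml sets `owner` and `group` but no `mode:`, whereas the task it replaces (removed from install.yml in this commit) created the directory with `mode: '0750'`. Without an explicit mode the directory takes whatever the umask gives, which is typically world-readable and traversable. That matters more now that the default data dir sits under `{{ nextcloud_root_dir }}`. Adding `mode: '0750'` to the `file:` arguments restores the earlier behaviour. The install-wizard task that follows continues past the end of this hunk.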
@@ -33,54 +61,22 @@ --database-pass "{{ nextcloud_dbpassword }}" --admin-user "{{ nextcloud_admin_user }}" --admin-pass "{{ nextcloud_admin_password }}" + --data-dir "{{ nextcloud_data_dir }}" become: yes become_user: "{{ apache_user }}" - when: nextcloud_enabled and returned.stdout == "false" + #when: nextcloud_installed is undefined + when: returned.stdout == "false" # and nextcloud_enabled -# RELATED: /etc/apache2/sites-available/nextcloud.conf sourced from -# https://github.com/iiab/iiab/blob/master/roles/nextcloud/templates/nextcloud.conf.j2 -- name: 'Allow Nextcloud access from all hosts and IP addresses (SEE ALSO: /etc/apache2/sites-available/nextcloud.conf)' - command: php {{ nextcloud_prefix }}/nextcloud/occ config:system:set trusted_domains 1 --value=* - become: yes - become_user: "{{ apache_user }}" - when: nextcloud_enabled and returned.stdout == "false" -# Code below was NEVER RUNNING as of 2018-10-29, as "wc | cut -d' ' -f1" ALWAYS -# returns null (rather than the intended returned_count !) This line could -# be replaced by ALTERNATIVE 1 or ALTERNATIVE 2 below IF it truly needs fixing. -# -# Or perhaps default user/password nextcloud/nextcloudmysql (from variables -# nextcloud_user/nextcloud_user_password) is just not needed in the end... 
-# -# NOTE: COMMENTS (FOLLOWING '#' SIGN) WITHIN A SHELL COMMAND CAUSE IT TO *FAIL* -# -#- name: Determine if Nextcloud user exists already -# shell: > -# php {{ nextcloud_prefix }}/nextcloud/occ user:list | -# grep {{ nextcloud_user }} | wc | cut -d' ' -f1 # USELESS -# #grep {{ nextcloud_user }} | wc -l # ALTERNATIVE 1 -# #grep {{ nextcloud_user }} | wc | awk '{print $1}' # ALTERNATIVE 2 -# become: yes -# become_user: "{{ apache_user }}" -# register: returned_count -# -# debug: -# var: returned_count -# -## nextcloud wants to make users rather than just mysql users and not done -#- name: Create the default user -# shell: > -# OC_PASS={{ nextcloud_user_password }}; -# php {{ nextcloud_prefix }}/nextcloud/occ user:add -# --password-from-env --display-name={{ nextcloud_user }} -# --group="users" {{ nextcloud_user }} -# become: yes -# become_user: "{{ apache_user }}" -# when: nextcloud_enabled and returned_count == "0" - -# 2019-09-04: NEXT 5 LINES APPEAR INEFFECTIVE DURING 1ST INSTALL? (possibly "overwrite.cli.url" appears later, when Nextcloud's web install completes using http://box/nextcloud ?) -- name: Try to remove overwrite.cli.url line (Rewrite URL) from /opt/nextcloud/config/config.php +# https://docs.nextcloud.com/server/18/admin_manual/installation/source_installation.html#php-fpm-configuration-notes +- name: Set 'clear_env = no' in /etc/php/{{ php_version }}/fpm/pool.d/www.conf lineinfile: - regexp: "overwrite.cli.url" - state: absent - path: "{{ nextcloud_prefix }}/nextcloud/config/config.php" + path: "/etc/php/{{ php_version }}/fpm/pool.d/www.conf" + regexp: '^clear_env' + insertafter: ';.*clear_env' + line: 'clear_env = no' + +- name: 'Allow Nextcloud access from all hosts and IP addresses (SEE ALSO: /etc/apache2/sites-available/nextcloud.conf)' + command: php {{ nextcloud_root_dir }}/occ config:system:set trusted_domains 1 --value=* + become: yes + become_user: "{{ apache_user }}" 
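Review bot: The `occ config:system:set trusted_domains 1 --value=*` task at the end of this hunk lost its `when:`, so every pass through setup.yml now writes a wildcard into `trusted_domains`, and Nextcloud will accept any Host header. The defaults change in this same commit marks `nextcloud_allow_public_ips` as unused, so nothing visible here narrows access any more, and the task name still refers to the Apache `nextcloud.conf`. Restoring `when: returned.stdout == "false"` would keep a re-run from overwriting a list an operator has since tightened. A comment above the task would record the trade-off, for example `# '*' disables Host validation; replace with the box's hostnames/IPs if reachable from untrusted networks`.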
diff --git a/roles/nextcloud/templates/autoconfig.php.j2 b/roles/nextcloud/templates/autoconfig.php.j2.unused
similarity index 100%
rename from roles/nextcloud/templates/autoconfig.php.j2
rename to roles/nextcloud/templates/autoconfig.php.j2.unused
diff --git a/roles/nextcloud/templates/nextcloud-nginx.conf.j2 b/roles/nextcloud/templates/nextcloud-nginx.conf.j2
index 3e0b3e6b2..8723cb7e5 100644
--- a/roles/nextcloud/templates/nextcloud-nginx.conf.j2
+++ b/roles/nextcloud/templates/nextcloud-nginx.conf.j2
@@ -1,10 +1,143 @@ -location {{ nextcloud_url }} { - proxy_pass http://127.0.0.1:{{ apache_port }}{{ nextcloud_url }}; -} +# 2020-02-16: Customized from template...thanks to @m_anish: +# +# https://docs.nextcloud.com/server/18/admin_manual/installation/nginx.html#nextcloud-in-a-subdir-of-nginx +# https://docs.nextcloud.com/server/18/admin_manual/installation/nginx.html#nextcloud-in-the-webroot-of-nginx -location ~ {{ nextcloud_url }}/.*\.php$ { - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header Host $host; - proxy_pass http://127.0.0.1:{{ apache_port }}; +location ^~ {{ nextcloud_url }} { + + ## Add headers to serve security related headers + ## Before enabling Strict-Transport-Security headers please read into this + ## topic first. + ##add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; + ## + ## WARNING: Only add the preload option once you read about + ## the consequences in https://hstspreload.org/. This option + ## will add the domain to a hardcoded list that is shipped + ## in all major browsers and getting removed from this list + ## could take several months. + # + # THESE 1 + 6 ALSO APPEAR ~100 LINES BELOW + # + #add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + + ## Remove X-Powered-By, which is an information leak + #fastcgi_hide_header X-Powered-By; + + # Path to the root of your installation + #root {{ nextcloud_root_dir }}; # /library/www/nextcloud IN FUTURE ?? 
+ root {{ nextcloud_base_dir }}; # /library/www == {{ doc_base }} FOR NOW + + location = /nextcloud/robots.txt { + allow all; + log_not_found off; + access_log off; + } + + # The following 2 rules are only needed for the user_webfinger app. + # Uncomment it if you're planning to use this app. + #rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; + + # The following rule is only needed for the Social app. + # Uncomment it if you're planning to use this app. + #rewrite ^/.well-known/webfinger /public.php?service=webfinger last; + + location = /nextcloud/.well-known/carddav { + return 301 $scheme://$host/remote.php/dav; + } + location = /nextcloud/.well-known/caldav { + return 301 $scheme://$host/remote.php/dav; + } + + # set max upload size + client_max_body_size 512M; + fastcgi_buffers 64 4K; + + # Enable gzip but do not remove ETag headers + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + # Uncomment if your server is build with the ngx_pagespeed module + # This module is currently not supported. 
+ #pagespeed off; + + location /nextcloud { + rewrite ^ /nextcloud/index.php; + } + + location ~ ^\/nextcloud\/(?:build|tests|config|lib|3rdparty|templates|data)\/ { + deny all; + } + location ~ ^\/nextcloud\/(?:\.|autotest|occ|issue|indie|db_|console) { + deny all; + } + + location ~ ^\/nextcloud\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) { + fastcgi_split_path_info ^(.+?\.php)(\/.*|)$; + set $path_info $fastcgi_path_info; + try_files $fastcgi_script_name =404; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $path_info; + #fastcgi_param HTTPS on; + # Avoid sending the security headers twice + fastcgi_param modHeadersAvailable true; + # Enable pretty urls + fastcgi_param front_controller_active true; + fastcgi_pass php; + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + } + + location ~ ^\/nextcloud\/(?:updater|oc[ms]-provider)(?:$|\/) { + try_files $uri/ =404; + index index.php; + } + + # Adding the cache control header for js, css and map files + # Make sure it is BELOW the PHP block + location ~ ^\/nextcloud\/.+[^\/]\.(?:css|js|woff2?|svg|gif|map)$ { + try_files $uri /nextcloud/index.php$request_uri; + add_header Cache-Control "public, max-age=15778463"; + # Add headers to serve security related headers (It is intended to + # have those duplicated to the ones above) + # Before enabling Strict-Transport-Security headers please read into + # this topic first. + #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; + # + # WARNING: Only add the preload option once you read about + # the consequences in https://hstspreload.org/. This option + # will add the domain to a hardcoded list that is shipped + # in all major browsers and getting removed from this list + # could take several months. 
+ # + # THESE 1 + 6 ALSO APPEAR ~100 LINES ABOVE + # + #add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + + # Optional: Don't log access to assets + access_log off; + } + + location ~ ^\/nextcloud\/.+[^\/]\.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ { + try_files $uri /nextcloud/index.php$request_uri; + # Optional: Don't log access to other assets + access_log off; + } } diff --git a/roles/nextcloud/templates/nextcloud-nginx.conf.j2.shim.unused b/roles/nextcloud/templates/nextcloud-nginx.conf.j2.shim.unused new file mode 100644 index 000000000..3e0b3e6b2 --- /dev/null +++ b/roles/nextcloud/templates/nextcloud-nginx.conf.j2.shim.unused @@ -0,0 +1,10 @@ +location {{ nextcloud_url }} { + proxy_pass http://127.0.0.1:{{ apache_port }}{{ nextcloud_url }}; +} + +location ~ {{ nextcloud_url }}/.*\.php$ { + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header Host $host; + proxy_pass http://127.0.0.1:{{ apache_port }}; +} diff --git a/roles/nextcloud/templates/nextcloud.conf.j2 b/roles/nextcloud/templates/nextcloud.conf.j2 index dcba0ae0c..7f36683c3 100644 --- a/roles/nextcloud/templates/nextcloud.conf.j2 +++ b/roles/nextcloud/templates/nextcloud.conf.j2 @@ -1,10 +1,8 @@ # Ansible template that becomes /etc/apache2/sites-available/nextcloud.conf -Alias {{ nextcloud_url }} {{ nextcloud_prefix }}/nextcloud +Alias {{ nextcloud_url }} {{ nextcloud_root_dir }} - - # 2019-09-04 commenting out towards future removal - #Options -Indexes + Options +FollowSymlinks AllowOverride All 
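Review bot: Every nested location in this template hard-codes `/nextcloud`, including the two `deny all` rules that cover `config`, `data`, `occ` and the dot-files, while the enclosing block is `location ^~ {{ nextcloud_url }}`; the deny rules and the PHP handler therefore only line up when `nextcloud_url` is left at `/nextcloud`. Either build the nested patterns from `{{ nextcloud_url }}` or state the assumption at the top of the file, e.g. `# NOTE: nested locations assume nextcloud_url == /nextcloud`. Separately, the two `.well-known` redirects return `$scheme://$host/remote.php/dav`, which drops the subdirectory; for a subdir install this should presumably be `return 301 $scheme://$host{{ nextcloud_url }}/remote.php/dav;`.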
@@ -13,10 +11,7 @@ Alias {{ nextcloud_url }} {{ nextcloud_prefix }}/nextcloud # Apache 2.4 # http://httpd.apache.org/docs/2.4/mod/mod_authz_core.html - # 2019-09-04 commenting out towards future removal - #Require host localhost - -{% if nextcloud_allow_public_ips %} +{% if True %} {# 2020-02-15: Condition WAS... nextcloud_allow_public_ips #} # PERMIT ACCESS FROM ALL IPv4 ADDRESSES: Require all granted # PERMIT ACCESS FROM THESE IPv4 ADDRESS RANGES ONLY: @@ -32,33 +27,4 @@ Alias {{ nextcloud_url }} {{ nextcloud_prefix }}/nextcloud #Require ip 127.0.0.1 {{ lan_ip }}/{{ lan_netmask }} {{ nextcloud_required_ip }} {{ openvpn_server_virtual_ip }}/255.255.255.0 - # 2019-09-04 commenting out towards future removal - # - ## Apache 2.2 - #Order Deny,Allow - #Deny from all - #Allow from 127.0.0.1 - #Allow from ::1 - # - # - #ErrorDocument 404 /core/templates/404.php - # - # 2019-09-04 commenting out towards future removal - # - #php_value upload_max_filesize 512M - #php_value post_max_size 512M - #php_value memory_limit 512M - #php_value mbstring.func_overload 0 - # - # - #SetEnv htaccessWorking true - # - # - #ModPagespeed Off - # - # - #RewriteEngine on - #RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization},last] - #RewriteRule ^\.well-known/carddav /remote.php/carddav/ [R] - #RewriteRule ^\.well-known/caldav /remote.php/caldav/ [R] diff --git a/roles/nginx/README.md b/roles/nginx/README.md index 5bf1eea0c..c44210946 100644 --- a/roles/nginx/README.md +++ b/roles/nginx/README.md @@ -28,6 +28,7 @@ * kolibri * mediawiki * munin + * nextcloud * sugarizer * wordpress 
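Review bot: Replacing `{% if nextcloud_allow_public_ips %}` with `{% if True %}` makes the vhost always render `Require all granted`, so a deployment whose local_vars.yml still sets `nextcloud_allow_public_ips: False` is opened to every client without any message, and whatever restricted branch follows this condition (it lies outside the hunk) becomes dead template code. Together with the `trusted_domains 1 --value=*` task added earlier in this commit, neither layer now limits which hosts can reach Nextcloud. Keep the variable as the condition, or remove the dead branch and record the policy in the header comment, e.g. `# 2020-02-15: access is unrestricted; nextcloud_allow_public_ips is no longer honoured`. The vars hunks that comment out `nextcloud_allow_public_ips` (vars/default_vars.yml and the three local_vars_*.yml files) would benefit from the same sentence.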
@@ -35,7 +36,6 @@ * elgg * lokole * moodle - * nextcloud ([PR #2119](https://github.com/iiab/iiab/pull/2119)) [*] * nodered 4. These each run their own web server or non-web / backend services, e.g. off of their own [unique port(s)](https://github.com/iiab/iiab/wiki/IIAB-Networking#list-of-ports--services) (IIAB home pages link directly to these destinations). In future we'd like mnemonic URL's for all of these: (e.g. http://box/calibre, http://box/archive, http://box/kalite) @@ -46,4 +46,4 @@ * openvpn [*] * pbx [*] -[*] The 6 above starred roles could use improvement, as of 2020-02-14. +[*] The 5 above starred roles could use improvement, as of 2020-02-15. diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml index c7d736510..25eb624b3 100644 --- a/roles/nginx/defaults/main.yml +++ b/roles/nginx/defaults/main.yml @@ -10,5 +10,8 @@ # nginx_conf_dir: /etc/nginx/conf.d # nginx_log_dir: /var/log/nginx +# For schools that use WordPress/Nextcloud/Moodle intensively: +# nginx_high_php_limits: False + # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing! diff --git a/roles/wordpress/defaults/main.yml b/roles/wordpress/defaults/main.yml index 2055c0ded..a66698386 100644 --- a/roles/wordpress/defaults/main.yml +++ b/roles/wordpress/defaults/main.yml @@ -1,4 +1,4 @@ -# If using WordPress intensively, consider setting apache_high_php_limits in: +# If using WordPress intensively, consider setting nginx_high_php_limits in: # /etc/iiab/local_vars.yml # wordpress_install: False diff --git a/roles/www_back_end/tasks/main.yml b/roles/www_back_end/tasks/main.yml index 12741954f..d452084ac 100644 --- a/roles/www_back_end/tasks/main.yml +++ b/roles/www_back_end/tasks/main.yml 
@@ -5,29 +5,8 @@ - include_tasks: html.yml - - - include_tasks: php-stem.yml -# 2020-02-12: DOES THE FLAG BELOW (apache_high_php_limits) WORK WITH NGINX TOO? -# COMPARE apache_allow_sudo @ roles/www_front_end/tasks/main.yml - -# For schools that use WordPress/Nextcloud/Moodle intensively. iiab/iiab#1147 -# WARNING: Enabling this might cause excess use of RAM/disk or other resources! -- name: Enact high limits in /etc/php/{{ php_version }}/{{ apache_service }}/php.ini if using WordPress/Nextcloud/Moodle intensively - lineinfile: - path: "/etc/php/{{ php_version }}/{{ apache_service }}/php.ini" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - when: apache_high_php_limits | bool - with_items: - - { regexp: '^upload_max_filesize', line: 'upload_max_filesize = 500M ; default is 2M' } - - { regexp: '^post_max_size', line: 'post_max_size = 500M ; default is 8M' } - - { regexp: '^memory_limit', line: 'memory_limit = 256M ; default is 128M / Nextcloud requests 512M' } - - { regexp: '^max_execution_time', line: 'max_execution_time = 300 ; default is 30' } - - { regexp: '^max_input_time', line: 'max_input_time = 300 ; default is 60' } - - - name: Create dir {{ doc_root }}/home -- if you customized var iiab_home_url e.g. in /etc/iiab/local_vars.yml, that dir is created later -- by www_front_end/tasks/main.yml file: state: directory diff --git a/roles/www_front_end/tasks/main.yml b/roles/www_front_end/tasks/main.yml index af3672bbe..aa1d8b6ed 100644 --- a/roles/www_front_end/tasks/main.yml +++ b/roles/www_front_end/tasks/main.yml 
@@ -25,11 +25,46 @@ when: nginx_install | bool +- block: # 3-STANZA BLOCK BEGINS + + # Also installed by roles/nextcloud/tasks/install.yml in case './runrole nextcloud' bypasses this role here. (Possibly make php-fpm mandatory in nginx/tasks/install.yml in future?) + - name: Install php-fpm (FastCGI Process Manager) as nec + package: + name: php-fpm + + # For schools that use WordPress/Nextcloud/Moodle intensively. + # WARNING: Enabling this might cause excess use of RAM/disk or other resources! + + # COMPARE apache_allow_sudo further below. + + - name: Enact high limits in /etc/php/{{ php_version }}/fpm/php.ini if using WordPress/Nextcloud/Moodle intensively, as nec + lineinfile: + path: "/etc/php/{{ php_version }}/fpm/php.ini" + #path: "/etc/php/{{ php_version }}/{{ apache_service }}/php.ini" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + with_items: + - { regexp: '^upload_max_filesize', line: 'upload_max_filesize = 500M ; default is 2M' } + - { regexp: '^post_max_size', line: 'post_max_size = 500M ; default is 8M' } + - { regexp: '^memory_limit', line: 'memory_limit = 512M ; default is 128M / Nextcloud requests 512M' } + - { regexp: '^max_execution_time', line: 'max_execution_time = 300 ; default is 30' } + - { regexp: '^max_input_time', line: 'max_input_time = 300 ; default is 60' } + when: nginx_high_php_limits + + - name: Restart 'php{{ php_version }}-fpm' systemd services, as nec + systemd: + name: "php{{ php_version }}-fpm" + state: restarted + + when: (nextcloud_install or pbx_install) and nginx_enabled # 3-STANZA BLOCK ENDS + + # 'Is a "Rapid Power Off" button possible for low-electricity environments?' # gives more details here: http://FAQ.IIAB.IO +# COMPARE nginx_high_php_limits further above. + # 2020-02-12: DOES THE FLAG BELOW (apache_allow_sudo) WORK WITH NGINX TOO ? 
-# COMPARE apache_high_php_limits @ roles/www_back_end/tasks/main.yml - name: Give {{ apache_user }} (per variable apache_user) permission to poweroff, installing /etc/sudoers.d/020_apache_poweroff from template template: diff --git a/vars/default_vars.yml b/vars/default_vars.yml index 17b435793..b5487f935 100644 --- a/vars/default_vars.yml +++ b/vars/default_vars.yml @@ -236,6 +236,12 @@ exFAT_enabled: True admin_console_install: True admin_console_enabled: True +# MySQL MANDATORY - THESE 2 VARS HAVE NO EFFECT - SEE roles/0-init/tasks/main.yml & roles/mysql/tasks/main.yml +mysql_install: True +mysql_enabled: True +# mysql_root_password: $6$iiab51$3ICIW0CLWxxMW2a3yrHZ38ukZItD5tcadL4rWcE9D.qIGStxhh8rRsaSxoj3b.MYxI/VRDNjpzSYK/V6zkWFI0 +mysql_root_password: fixmysql + # 2019-01-13: IIAB's use of NGINX is still evolving -- please review this # evolving doc: https://github.com/iiab/iiab/blob/master/roles/nginx/README.md nginx_install: True @@ -244,6 +250,13 @@ nginx_port: 80 nginx_interface: 0.0.0.0 nginx_conf_dir: /etc/nginx/conf.d nginx_log_dir: /var/log/nginx +# +# For schools that use WordPress/Nextcloud/Moodle intensively: +nginx_high_php_limits: False +# WARNING: Enabling this might cause excess use of RAM/disk or other resources! +# SO AFTER INSTALLING IIAB, VERIFY THAT THESE 5 SETTINGS... +# https://github.com/iiab/iiab/blob/master/roles/www_back_end/tasks/main.yml#L23-L27 +# ...ARE SUITABLE FOR YOUR HARDWARE, for: /etc/php//fpm/php.ini # See also Apache vars {default_language, language_priority} @ top of this file apache_install: True 
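Review bot: The two conditions added in this block, `when: nginx_high_php_limits` and the block-level `when: (nextcloud_install or pbx_install) and nginx_enabled`, test raw variables, whereas the context line just above uses `when: nginx_install | bool` and the task removed from www_back_end used `| bool`; a value that arrives as the string "False" would be evaluated differently, so `when: nginx_high_php_limits | bool` is the safer form. The block gate also means the php.ini limits are applied only when Nextcloud or PBX is installed, although the task name and the vars comments name WordPress and Moodle too; if that is intended, say so in a comment on the block. The restart task runs on every play even when nothing changed, and a handler notified by the two preceding tasks would avoid needless php-fpm restarts. The hunk ends inside the following `template:` task.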
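Review bot: `mysql_root_password: fixmysql` is moved here unchanged in the vars/default_vars.yml hunk `@@ -236,6 +236,12 @@`, which keeps a publicly known database root password as the shipped default; the comment above it says only that the two `mysql_*` booleans have no effect and gives no hint that the password should be overridden. A one-line comment would help, e.g. `# Override mysql_root_password in /etc/iiab/local_vars.yml before installing; this default is public`. Whether any role later rotates this value cannot be seen from this diff.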
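Review bot: The comment added with `nginx_high_php_limits` in hunk `@@ -244,6 +250,13 @@` points readers to `roles/www_back_end/tasks/main.yml#L23-L27` for the five settings, but this same commit deletes that task from www_back_end and adds it to roles/www_front_end/tasks/main.yml, so the link will not show the limits an operator is asked to verify. Point it at the www_front_end task, and prefer naming the task over a line range, which goes stale on the next edit. The same comment is added in vars/local_vars_big.yml, vars/local_vars_medium.yml and vars/local_vars_min.yml. The path `/etc/php//fpm/php.ini` has an empty segment where a PHP version placeholder seems to have been lost, possibly only in this rendering.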
@@ -253,22 +266,9 @@ apache_enabled: False apache_port: 8090 apache_interface: 127.0.0.1 # 2020-01-13: Var unused # -# For schools that use WordPress/Nextcloud/Moodle intensively: iiab/iiab#1147 -apache_high_php_limits: False -# WARNING: Enabling this might cause excess use of RAM/disk or other resources! -# SO AFTER INSTALLING IIAB, VERIFY THAT THESE 5 SETTINGS... -# https://github.com/iiab/iiab/blob/master/roles/httpd/tasks/main.yml#L80-L84 -# ...ARE SUITABLE FOR YOUR HARDWARE IN /etc/php//apache2/php.ini -# # Make this False to disable http://box/common/services/power_off.php button: apache_allow_sudo: True -# MySQL MANDATORY - THESE 2 VARS HAVE NO EFFECT - SEE roles/0-init/tasks/main.yml & roles/mysql/tasks/main.yml -mysql_install: True -mysql_enabled: True -# mysql_root_password: $6$iiab51$3ICIW0CLWxxMW2a3yrHZ38ukZItD5tcadL4rWcE9D.qIGStxhh8rRsaSxoj3b.MYxI/VRDNjpzSYK/V6zkWFI0 -mysql_root_password: fixmysql - # 4-SERVER-OPTIONS @@ -343,8 +343,8 @@ azuracast_enabled: False azuracast_http_port: 10080 azuracast_https_port: 10443 -# AzuraCast needs many ports in the 8000:8100 range by default, but IIAB services -# conflict with those ports so this variable below sets a sane prefix. +# AzuraCast needs many ports in the 8000:8100 range by default, but IIAB +# services conflict with those ports so this variable below sets a sane prefix. # e.g. setting the below variable to 10 will result in port ranges 10000-10100 # being reserved for AzuraCast: azuracast_port_range_prefix: 10 
@@ -399,17 +399,20 @@ nodered_port: 1880 nodered_web_path: nodered # Store your docs, calendar, contacts & photos on your local server not cloud! -# If using WordPress intensively, set apache_high_php_limits in 3-BASE-SERVER +# If using Nextcloud intensively, set nginx_high_php_limits further above. nextcloud_install: False nextcloud_enabled: False -nextcloud_allow_public_ips: False +# +# 2020-02-15: UNUSED at this time. Legacy remains from Apache: +# nextcloud_allow_public_ips: True +# # Configuration tips for IPv4 access controls and tuning RAM/resources: # https://github.com/iiab/iiab/blob/master/roles/nextcloud/README.md # # 2020-01-07: If installing IIAB often, download.nextcloud.com may throttle # you to ~100 kbit/sec, delaying your IIAB install by an hour or more (#2112). # Uncomment the following line to end that: (might install an older Nextcloud!) -# nextcloud_dl_url: http://d.iiab.io/packages +# nextcloud_dl_url: http://d.iiab.io/packages/latest.tar.bz2 # A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX. # Works on Ubuntu 18.04, Debian 9 w/ Node.js 10.x. Experimental on RPi 3. @@ -421,7 +424,7 @@ pbx_signaling_ports_chan_pjsip: "5060" pbx_data_ports: "10000:20000" pbx_http_port: 83 -# If using WordPress intensively, set apache_high_php_limits in 3-BASE-SERVER +# If using WordPress intensively, set nginx_high_php_limits further above. wordpress_install: False wordpress_enabled: False @@ -452,7 +455,7 @@ iiab_zim_path: "{{ content_base }}/zims" # /library/zims moodle_install: False moodle_enabled: False -# If using Moodle intensively, set apache_high_php_limits in 3-BASE-SERVER +# If using Moodle intensively, set nginx_high_php_limits further above. # MongoDB (/library/dbdata/mongodb) greatly enhances the Sugarizer experience. # This role was formerly installed by roles/sugarizer/meta/main.yml diff --git a/vars/local_vars_big.yml b/vars/local_vars_big.yml index 955c54fe4..7e0f2b6c5 100644 --- a/vars/local_vars_big.yml 
+++ b/vars/local_vars_big.yml @@ -136,20 +136,20 @@ pi_swap_file_size: 1024 # 3-BASE-SERVER -# See also Apache vars {default_language, language_priority} @ top of this file -# -# For schools that use WordPress/Nextcloud/Moodle intensively: iiab/iiab#1147 -apache_high_php_limits: False +# roles/mysql runs here (mandatory) + +# For schools that use WordPress/Nextcloud/Moodle intensively: +nginx_high_php_limits: False # WARNING: Enabling this might cause excess use of RAM/disk or other resources! # SO AFTER INSTALLING IIAB, VERIFY THAT THESE 5 SETTINGS... -# https://github.com/iiab/iiab/blob/master/roles/httpd/tasks/main.yml#L80-L84 -# ...ARE SUITABLE FOR YOUR HARDWARE IN /etc/php//apache2/php.ini +# https://github.com/iiab/iiab/blob/master/roles/www_back_end/tasks/main.yml#L23-L27 +# ...ARE SUITABLE FOR YOUR HARDWARE, for: /etc/php//fpm/php.ini + +# See also Apache vars {default_language, language_priority} @ top of this file # # Make this False to disable http://box/common/services/power_off.php button: apache_allow_sudo: True -# roles/mysql runs here (mandatory) - # 4-SERVER-OPTIONS 
@@ -236,17 +236,20 @@ nodered_install: True nodered_enabled: True # Store your docs, calendar, contacts & photos on your local server not cloud! -# If using WordPress intensively, set apache_high_php_limits in 3-BASE-SERVER +# If using Nextcloud intensively, set nginx_high_php_limits further above. nextcloud_install: True nextcloud_enabled: True -nextcloud_allow_public_ips: False +# +# 2020-02-15: UNUSED at this time. Legacy remains from Apache: +# nextcloud_allow_public_ips: True +# # Configuration tips for IPv4 access controls and tuning RAM/resources: # https://github.com/iiab/iiab/blob/master/roles/nextcloud/README.md # # 2020-01-07: If installing IIAB often, download.nextcloud.com may throttle # you to ~100 kbit/sec, delaying your IIAB install by an hour or more (#2112). # Uncomment the following line to end that: (might install an older Nextcloud!) -# nextcloud_dl_url: http://d.iiab.io/packages +# nextcloud_dl_url: http://d.iiab.io/packages/latest.tar.bz2 # A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX. # Works on Ubuntu 18.04, Debian 9 w/ Node.js 10.x. Experimental on RPi 3. @@ -254,7 +257,7 @@ pbx_install: False pbx_enabled: False asterisk_chan_dongle: False -# If using WordPress intensively, set apache_high_php_limits in 3-BASE-SERVER +# If using WordPress intensively, set nginx_high_php_limits further above. wordpress_install: True wordpress_enabled: True @@ -278,7 +281,7 @@ kiwix_enabled: True # Warning: Moodle is a serious LMS, that takes a while to install moodle_install: True moodle_enabled: True -# If using Moodle intensively, set apache_high_php_limits in 3-BASE-SERVER +# If using Moodle intensively, set nginx_high_php_limits further above. # Regional OSM vector maps use far less disk space than bitmap/raster versions. # Instructions: https://github.com/iiab/iiab/wiki/IIAB-Maps diff --git a/vars/local_vars_medium.yml b/vars/local_vars_medium.yml index c85943b5c..04cdb4c45 100644 --- a/vars/local_vars_medium.yml 
+++ b/vars/local_vars_medium.yml @@ -136,20 +136,20 @@ pi_swap_file_size: 1024 # 3-BASE-SERVER -# See also Apache vars {default_language, language_priority} @ top of this file -# -# For schools that use WordPress/Nextcloud/Moodle intensively: iiab/iiab#1147 -apache_high_php_limits: False +# roles/mysql runs here (mandatory) + +# For schools that use WordPress/Nextcloud/Moodle intensively: +nginx_high_php_limits: False # WARNING: Enabling this might cause excess use of RAM/disk or other resources! # SO AFTER INSTALLING IIAB, VERIFY THAT THESE 5 SETTINGS... -# https://github.com/iiab/iiab/blob/master/roles/httpd/tasks/main.yml#L80-L84 -# ...ARE SUITABLE FOR YOUR HARDWARE IN /etc/php//apache2/php.ini +# https://github.com/iiab/iiab/blob/master/roles/www_back_end/tasks/main.yml#L23-L27 +# ...ARE SUITABLE FOR YOUR HARDWARE, for: /etc/php//fpm/php.ini + +# See also Apache vars {default_language, language_priority} @ top of this file # # Make this False to disable http://box/common/services/power_off.php button: apache_allow_sudo: True -# roles/mysql runs here (mandatory) - # 4-SERVER-OPTIONS 
@@ -236,17 +236,20 @@ nodered_install: False nodered_enabled: False # Store your docs, calendar, contacts & photos on your local server not cloud! -# If using WordPress intensively, set apache_high_php_limits in 3-BASE-SERVER +# If using Nextcloud intensively, set nginx_high_php_limits further above. nextcloud_install: True nextcloud_enabled: True -nextcloud_allow_public_ips: False +# +# 2020-02-15: UNUSED at this time. Legacy remains from Apache: +# nextcloud_allow_public_ips: True +# # Configuration tips for IPv4 access controls and tuning RAM/resources: # https://github.com/iiab/iiab/blob/master/roles/nextcloud/README.md # # 2020-01-07: If installing IIAB often, download.nextcloud.com may throttle # you to ~100 kbit/sec, delaying your IIAB install by an hour or more (#2112). # Uncomment the following line to end that: (might install an older Nextcloud!) -# nextcloud_dl_url: http://d.iiab.io/packages +# nextcloud_dl_url: http://d.iiab.io/packages/latest.tar.bz2 # A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX. # Works on Ubuntu 18.04, Debian 9 w/ Node.js 10.x. Experimental on RPi 3. @@ -254,7 +257,7 @@ pbx_install: False pbx_enabled: False asterisk_chan_dongle: False -# If using WordPress intensively, set apache_high_php_limits in 3-BASE-SERVER +# If using WordPress intensively, set nginx_high_php_limits further above. wordpress_install: True wordpress_enabled: True @@ -278,7 +281,7 @@ kiwix_enabled: True # Warning: Moodle is a serious LMS, that takes a while to install moodle_install: False moodle_enabled: False -# If using Moodle intensively, set apache_high_php_limits in 3-BASE-SERVER +# If using Moodle intensively, set nginx_high_php_limits further above. # Regional OSM vector maps use far less disk space than bitmap/raster versions. # Instructions: https://github.com/iiab/iiab/wiki/IIAB-Maps diff --git a/vars/local_vars_min.yml b/vars/local_vars_min.yml index c4b783739..af67d41e8 100644 --- a/vars/local_vars_min.yml 
+++ b/vars/local_vars_min.yml @@ -136,20 +136,20 @@ pi_swap_file_size: 1024 # 3-BASE-SERVER -# See also Apache vars {default_language, language_priority} @ top of this file -# -# For schools that use WordPress/Nextcloud/Moodle intensively: iiab/iiab#1147 -apache_high_php_limits: False +# roles/mysql runs here (mandatory) + +# For schools that use WordPress/Nextcloud/Moodle intensively: +nginx_high_php_limits: False # WARNING: Enabling this might cause excess use of RAM/disk or other resources! # SO AFTER INSTALLING IIAB, VERIFY THAT THESE 5 SETTINGS... -# https://github.com/iiab/iiab/blob/master/roles/httpd/tasks/main.yml#L80-L84 -# ...ARE SUITABLE FOR YOUR HARDWARE IN /etc/php//apache2/php.ini +# https://github.com/iiab/iiab/blob/master/roles/www_back_end/tasks/main.yml#L23-L27 +# ...ARE SUITABLE FOR YOUR HARDWARE, for: /etc/php//fpm/php.ini + +# See also Apache vars {default_language, language_priority} @ top of this file # # Make this False to disable http://box/common/services/power_off.php button: apache_allow_sudo: True -# roles/mysql runs here (mandatory) - # 4-SERVER-OPTIONS 
@@ -236,17 +236,20 @@ nodered_install: False nodered_enabled: False # Store your docs, calendar, contacts & photos on your local server not cloud! -# If using WordPress intensively, set apache_high_php_limits in 3-BASE-SERVER +# If using Nextcloud intensively, set nginx_high_php_limits further above. nextcloud_install: False nextcloud_enabled: False -nextcloud_allow_public_ips: False +# +# 2020-02-15: UNUSED at this time. Legacy remains from Apache: +# nextcloud_allow_public_ips: True +# # Configuration tips for IPv4 access controls and tuning RAM/resources: # https://github.com/iiab/iiab/blob/master/roles/nextcloud/README.md # # 2020-01-07: If installing IIAB often, download.nextcloud.com may throttle # you to ~100 kbit/sec, delaying your IIAB install by an hour or more (#2112). # Uncomment the following line to end that: (might install an older Nextcloud!) -# nextcloud_dl_url: http://d.iiab.io/packages +# nextcloud_dl_url: http://d.iiab.io/packages/latest.tar.bz2 # A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX. # Works on Ubuntu 18.04, Debian 9 w/ Node.js 10.x. Experimental on RPi 3. @@ -254,7 +257,7 @@ pbx_install: False pbx_enabled: False asterisk_chan_dongle: False -# If using WordPress intensively, set apache_high_php_limits in 3-BASE-SERVER +# If using WordPress intensively, set nginx_high_php_limits further above. wordpress_install: False wordpress_enabled: False 
@@ -275,10 +278,10 @@ kolibri_language: en # ar,bn-bd,en,es-es,fa,fr-fr,hi-in,mr,nyn,pt-br,sw-tz,ta kiwix_install: True kiwix_enabled: True -# Warning: Moodle is a serious LMS, that takes a while to install +# Warning: Moodle is a serious LMS, that takes a while to install. moodle_install: False moodle_enabled: False -# If using Moodle intensively, set apache_high_php_limits in 3-BASE-SERVER +# If using Moodle intensively, set nginx_high_php_limits further above. # Regional OSM vector maps use far less disk space than bitmap/raster versions. # Instructions: https://github.com/iiab/iiab/wiki/IIAB-Maps