Merge pull request #1942 from holta/nextcloud-local-ips

New variable "nextcloud_allow_public_ips: False" in local_vars.yml
2025-02-13 03:32:12 +00:00 · 2019-09-04 22:29:41 -04:00 · 2019-09-04 22:29:41 -04:00 · eb5ced37d1
commit eb5ced37d1
parent fa655bebed 89393d1b5b
12 changed files with 177 additions and 73 deletions
--- a/roles/httpd/defaults/main.yml
+++ b/roles/httpd/defaults/main.yml
@ -1,6 +1,15 @@
-# Make this False to disable http://box/common/services/power_off.php button:
-apache_allow_sudo: True
+# default_language: en
+# language_priority: en es fr

-# For schools that use WordPress and/or Moodle intensively. See iiab/iiab #1147
+# For schools that use WordPress/Nextcloud/Moodle intensively:  iiab/iiab#1147
+# apache_high_php_limits: False
 # WARNING: Enabling this might cause excess use of RAM/disk or other resources!
-apache_high_php_limits: False
+# SO AFTER INSTALLING IIAB, VERIFY THAT THESE 5 SETTINGS...
+# https://github.com/iiab/iiab/blob/master/roles/httpd/tasks/main.yml#L80-L84
+# ...ARE SUITABLE FOR YOUR HARDWARE IN /etc/php/<VERSION>/apache2/php.ini
+
+# Make this False to disable http://box/common/services/power_off.php button:
+# apache_allow_sudo: True
+
+# All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
+# If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
--- a/roles/httpd/tasks/main.yml
+++ b/roles/httpd/tasks/main.yml
@ -23,18 +23,12 @@
  tags:
    - download

-# 2019-05-30: Irrelevant (never invoked)
-#- name: Install php{{ php_version }}-sqlite (raspbian-8 or debian-8)
-#  package:
-#    name: "php{{ php_version }}-sqlite"
-#  when: is_raspbian_8 or is_debian_8
-#  #when: is_debian and ansible_distribution_major_version == "8"
-
 # 2019-05-30: It's interesting that http://box.lan/admin and everything seems
 # to work even without php{{ php_version }}-sqlite3 as confirmed on Ubuntu
 # 16.04 (SEE PR #1697).  And likely all others?  @tim-moody writes "I think
 # we decided that because sqlite3 and php are part of the base install the
 # connector should be too."
+#
 # We might *try* deprecating this here as we transition beyond {raspbian-9,
 # debian-9, ubuntu-18} in coming months to verify that roles/osm-vector-maps
 # is the only role that needs it?
@ -74,9 +68,9 @@
    - { src: 'proxy_ajp.conf.j2', dest: '/etc/{{ apache_config_dir }}/proxy_ajp.conf' }
    #- { src: 'php.ini.j2', dest: '/etc/php.ini', mode: '0644' }    # @jvonau suggests removing this in https://github.com/iiab/iiab/issues/1147

-# For schools that use WordPress and/or Moodle intensively. See iiab/iiab #1147
+# For schools that use WordPress/Nextcloud/Moodle intensively.  iiab/iiab#1147
 # WARNING: Enabling this might cause excess use of RAM/disk or other resources!
- name: Enact high limits in /etc/php/{{ php_version }}/{{ apache_service }}/php.ini if using WordPress and/or Moodle intensively
+- name: Enact high limits in /etc/php/{{ php_version }}/{{ apache_service }}/php.ini if using WordPress/Nextcloud/Moodle intensively
  lineinfile:
    path: "/etc/php/{{ php_version }}/{{ apache_service }}/php.ini"
    regexp: "{{ item.regexp }}"
@ -85,7 +79,7 @@
  with_items:
    - { regexp: '^upload_max_filesize', line: 'upload_max_filesize = 500M    ; default is 2M' }
    - { regexp: '^post_max_size', line: 'post_max_size = 500M    ; default is 8M' }
-    - { regexp: '^memory_limit', line: 'memory_limit = 256M    ; default is 128M' }
+    - { regexp: '^memory_limit', line: 'memory_limit = 256M    ; default is 128M / Nextcloud requests 512M' }
    - { regexp: '^max_execution_time', line: 'max_execution_time = 300    ; default is 30' }
    - { regexp: '^max_input_time', line: 'max_input_time = 300    ; default is 60' }

--- a/roles/moodle/defaults/main.yml
+++ b/roles/moodle/defaults/main.yml
@ -1,12 +1,12 @@
+# If using Moodle intensively, consider setting apache_high_php_limits in:
+# /etc/iiab/local_vars.yml
+
 # moodle_install: False
 # moodle_enabled: False

 # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
 # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!

-# If using Moodle intensively, consider setting apache_high_php_limits in:
-# /etc/iiab/local_vars.yml
-
 moodle_version: 37
 #moodle_repo_url: "https://github.com/moodle/moodle.git"
 moodle_repo_url: "git://git.moodle.org/moodle.git"
--- a/roles/nextcloud/README.md
+++ b/roles/nextcloud/README.md
@ -1,14 +1,45 @@
 # Nextcloud

+Students and teachers can store their documents, calendars, contacts and photos locally within [Nextcloud](https://nextcloud.com), which is much like having a (local) version of Dropbox or Google Drive on your very own [Internet-in-a-Box](http://internet-in-a-box.org).
+
 This Ansible playbook was derived from an earlier ownCloud playbook thanks to [Josh Dennis](https://github.com/floydianslips) in 2016/2017.

-Login to Nextcloud at http://box/nextcloud, http://box.lan/nextcloud, http://172.18.96.1/nextcloud (or similar) using:
+### Install It
+
+(1) Set these 2 variable in [/etc/iiab/local_vars.yml](http://FAQ.IIAB.IO#What_is_local_vars.yml_and_how_do_I_customize_it.3F) prior to installing Internet-in-a-Box:
+
+    nextcloud_install: True
+    nextcloud_enabled: True
+
+(2) If you want to access Nextcloud from IPv4 addresses across the public Internet, then also set:
+
+    nextcloud_allow_public_ips: True
+
+To further refine Nextcloud access controls based on IPv4 addresses, you can edit `/etc/apache2/sites-available/nextcloud.conf` after it's created by template [/opt/iiab/iiab/roles/nextcloud/templates/nextcloud.conf.j2](https://github.com/iiab/iiab/blob/master/roles/nextcloud/templates/nextcloud.conf.j2)
+
+(3) Strongly consider also setting `apache_high_php_limits: True` in the 3-BASE-SERVER section of /etc/iiab/local_vars.yml, to allocate important RAM/resources to PHP.  Of course, enabling this might cause excess use of RAM/disk or other resources if not calibrated to your hardware!  So after install is complete, verify and evaluate these 5 settings in /etc/php/[ACTUAL PHP VERSION]/apache2/php.ini:
+
+- upload_max_filesize
+- post_max_size
+- memory_limit (Nextcloud recommends 512+ MB)
+- max_execution_time
+- max_input_time
+
+Useful PHP recommendations for these settings (while largely tailored to WordPress, and aimed at very low-end hardware) can be found in [/opt/iiab/iiab/roles/httpd/tasks/main.yml](https://github.com/iiab/iiab/blob/master/roles/httpd/tasks/main.yml#L80-L84)
+
+### Using It
+
+Log in to Nextcloud at http://box/nextcloud, http://box.lan/nextcloud, http://172.18.96.1/nextcloud (or similar) using:

    Username: Admin
    Password: changeme

+### Future Directions
+
 Going forward, should Internet-in-a-Box consider integrating optimizations (or more!) from these below?

- https://github.com/nextcloud/nextcloudpi
- https://ownyourbits.com/2017/02/13/nextcloud-ready-raspberry-pi-image/
 - https://ownyourbits.com/nextcloudpi/
+- https://ownyourbits.com/2017/02/13/nextcloud-ready-raspberry-pi-image/
+- https://github.com/nextcloud/nextcloudpi
+
+Please [contact us](http://internet-in-a-box.org/pages/contributing.html) if you can help!
--- a/roles/nextcloud/defaults/main.yml
+++ b/roles/nextcloud/defaults/main.yml
@ -1,6 +1,14 @@
+# If using Nextcloud intensively, consider setting apache_high_php_limits in:
+# /etc/iiab/local_vars.yml
+
 # nextcloud_install: False
 # nextcloud_enabled: False

+# nextcloud_allow_public_ips: False
+
+# Configuration tips for IPv4 access controls and tuning RAM/resources:
+# https://github.com/iiab/iiab/blob/master/roles/nextcloud/README.md
+
 # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
 # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!

--- a/roles/nextcloud/tasks/enable_or_disable.yml
+++ b/roles/nextcloud/tasks/enable_or_disable.yml
@ -100,8 +100,8 @@
 #  become_user: "{{ apache_user }}"
 #  when: nextcloud_enabled and returned_count == "0"

-# 2019-09-04: THE NEXT 5 LINES ARE INEFFECTIVE AND LIKELY USELESS
- name: Remove overwrite.cli.url line (Rewrite URL) from /opt/nextcloud/config/config.php
+# 2019-09-04: NEXT 5 LINES APPEAR INEFFECTIVE DURING 1ST INSTALL? (possibly "overwrite.cli.url" appears later, when Nextcloud's web install completes using http://box/nextcloud ?)
+- name: Try to remove overwrite.cli.url line (Rewrite URL) from /opt/nextcloud/config/config.php
  lineinfile:
    regexp: "overwrite.cli.url"
    state: absent
--- a/roles/nextcloud/templates/nextcloud.conf.j2
+++ b/roles/nextcloud/templates/nextcloud.conf.j2
@ -1,45 +1,64 @@
+# Ansible template that becomes /etc/apache2/sites-available/nextcloud.conf
+
 Alias {{ nextcloud_url }} {{ nextcloud_prefix }}/nextcloud

 <Directory {{ nextcloud_prefix }}/nextcloud/>
-    Options -Indexes
+    # 2019-09-04 commenting out towards future removal
+    #Options -Indexes
+
+    Options +FollowSymlinks
    AllowOverride All

    <IfModule mod_authz_core.c>
    # Apache 2.4
    # http://httpd.apache.org/docs/2.4/mod/mod_authz_core.html
-    Require host localhost
+
+    # 2019-09-04 commenting out towards future removal
+    #Require host localhost
+
+{% if nextcloud_allow_public_ips %}
    # PERMIT ACCESS FROM ALL IPv4 ADDRESSES:
    Require all granted
-    # WANT BASIC SECURITY BASED ON IPv4 ADDRESSES?  THEN USE THIS LINE INSTEAD:
-    #Require ip 127.0.0.1 172.18.96.1/255.255.224.0 192.168 10
-    # AVOID THIS LINE WHICH CAUSES PROBLEMS IN SCHOOLS WITH 192.168.1.x etc:
+    # PERMIT ACCESS FROM THESE IPv4 ADDRESS RANGES ONLY:
+    #Require ip 127.0.0.1 {{ lan_ip }}/{{ lan_netmask }} 192.168 10
+{% else %}
+    # PERMIT ACCESS FROM ALL IPv4 ADDRESSES:
+    #Require all granted
+    # PERMIT ACCESS FROM THESE IPv4 ADDRESS RANGES ONLY:
+    Require ip 127.0.0.1 {{ lan_ip }}/{{ lan_netmask }} 192.168 10
+{% endif %}
+{# Reminder that {{ lan_ip }}/{{ lan_netmask }} is 172.18.96.1/255.255.224.0 #}
+    # AVOID THIS LINE AS IT OVERLY RESTRICTS SCHOOLS W/ 192.168.1.x, 10.x.y.z:
    #Require ip 127.0.0.1 {{ lan_ip }}/{{ lan_netmask }} {{ nextcloud_required_ip }} {{ openvpn_server_virtual_ip }}/255.255.255.0
    </IfModule>
-    <IfModule !mod_authz_core.c>
-    # Apache 2.2
-    Order Deny,Allow
-    Deny from all
-    Allow from 127.0.0.1
-    Allow from ::1
-    </IfModule>
-
-    ErrorDocument 404 /core/templates/404.php
-
-    <IfModule mod_php5.c>
-    php_value upload_max_filesize 512M
-    php_value post_max_size 512M
-    php_value memory_limit 512M
-    php_value mbstring.func_overload 0
-    </IfModule>
-
-    SetEnv htaccessWorking true
-
-    <IfModule pagespeed_module>
-    ModPagespeed Off
-    </IfModule>
-
-    RewriteEngine on
-    RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization},last]
-    RewriteRule ^\.well-known/carddav /remote.php/carddav/ [R]
-    RewriteRule ^\.well-known/caldav /remote.php/caldav/ [R]
+    
+    # 2019-09-04 commenting out towards future removal
+    #<IfModule !mod_authz_core.c>
+    ## Apache 2.2
+    #Order Deny,Allow
+    #Deny from all
+    #Allow from 127.0.0.1
+    #Allow from ::1
+    #</IfModule>
+    #
+    #ErrorDocument 404 /core/templates/404.php
+    #
+    # 2019-09-04 commenting out towards future removal
+    #<IfModule mod_php5.c>
+    #php_value upload_max_filesize 512M
+    #php_value post_max_size 512M
+    #php_value memory_limit 512M
+    #php_value mbstring.func_overload 0
+    #</IfModule>
+    #
+    #SetEnv htaccessWorking true
+    #
+    #<IfModule pagespeed_module>
+    #ModPagespeed Off
+    #</IfModule>
+    #
+    #RewriteEngine on
+    #RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization},last]
+    #RewriteRule ^\.well-known/carddav /remote.php/carddav/ [R]
+    #RewriteRule ^\.well-known/caldav /remote.php/caldav/ [R]
 </Directory>
--- a/roles/wordpress/defaults/main.yml
+++ b/roles/wordpress/defaults/main.yml
@ -1,12 +1,12 @@
+# If using WordPress intensively, consider setting apache_high_php_limits in:
+# /etc/iiab/local_vars.yml
+
 # wordpress_install: False
 # wordpress_enabled: False

 # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
 # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!

-# If using WordPress intensively, consider setting apache_high_php_limits in:
-# /etc/iiab/local_vars.yml
-
 wordpress_download_base_url: https://wordpress.org
 wordpress_src: latest.tar.gz

--- a/vars/default_vars.yml
+++ b/vars/default_vars.yml
@ -220,12 +220,17 @@ exFAT_enabled: True

 # 3-BASE-SERVER

+# See also Apache vars {default_language, language_priority} @ top of this file
+#
+# For schools that use WordPress/Nextcloud/Moodle intensively:  iiab/iiab#1147
+apache_high_php_limits: False
+# WARNING: Enabling this might cause excess use of RAM/disk or other resources!
+# SO AFTER INSTALLING IIAB, VERIFY THAT THESE 5 SETTINGS...
+# https://github.com/iiab/iiab/blob/master/roles/httpd/tasks/main.yml#L80-L84
+# ...ARE SUITABLE FOR YOUR HARDWARE IN /etc/php/<VERSION>/apache2/php.ini
+#
 # Make this False to disable http://box/common/services/power_off.php button:
 apache_allow_sudo: True
-# For schools that use WordPress and/or Moodle intensively, see iiab/iiab #1147
-# WARNING: Enabling this might cause excess use of RAM/disk or other resources!
-apache_high_php_limits: False
-# SEE ALSO VARIABLES NEAR TOP OF THIS FILE: default_language, language_priority

 # MySQL MANDATORY - THESE 2 VARS HAVE NO EFFECT - SEE roles/0-init/tasks/main.yml & roles/mysql/tasks/main.yml
 mysql_install: True
@ -344,8 +349,13 @@ nodered_enabled: False
 nodered_port: 1880
 nodered_web_path: nodered

+# Store your docs, calendar, contacts & photos on your local server not cloud!
+# If using WordPress intensively, set apache_high_php_limits in 3-BASE-SERVER
 nextcloud_install: False
 nextcloud_enabled: False
+nextcloud_allow_public_ips: False
+# Configuration tips for IPv4 access controls and tuning RAM/resources:
+# https://github.com/iiab/iiab/blob/master/roles/nextcloud/README.md

 # A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX.
 # Works on Ubuntu 18.04, Debian 9. Experimental on Rasp/RPi 3. Uses Node.js 10.x
--- a/vars/local_vars_big.yml
+++ b/vars/local_vars_big.yml
@ -125,12 +125,17 @@ pi_swap_file_size: 1024

 # 3-BASE-SERVER

+# See also Apache vars {default_language, language_priority} @ top of this file
+#
+# For schools that use WordPress/Nextcloud/Moodle intensively:  iiab/iiab#1147
+apache_high_php_limits: False
+# WARNING: Enabling this might cause excess use of RAM/disk or other resources!
+# SO AFTER INSTALLING IIAB, VERIFY THAT THESE 5 SETTINGS...
+# https://github.com/iiab/iiab/blob/master/roles/httpd/tasks/main.yml#L80-L84
+# ...ARE SUITABLE FOR YOUR HARDWARE IN /etc/php/<VERSION>/apache2/php.ini
+#
 # Make this False to disable http://box/common/services/power_off.php button:
 apache_allow_sudo: True
-# For schools that use WordPress and/or Moodle intensively, see iiab/iiab #1147
-# WARNING: Enabling this might cause excess use of RAM/disk or other resources!
-apache_high_php_limits: False
-# SEE ALSO VARIABLES NEAR TOP OF THIS FILE: default_language, language_priority

 # roles/mysql runs here (mandatory)

@ -220,8 +225,16 @@ mosquitto_enabled: True
 nodered_install: True
 nodered_enabled: True

+# Store your docs, calendar, contacts & photos on your local server not cloud!
+# If using WordPress intensively, set apache_high_php_limits in 3-BASE-SERVER
 nextcloud_install: True
 nextcloud_enabled: True
+nextcloud_allow_public_ips: False
+# Configuration tips for IPv4 access controls and tuning RAM/resources:
+# https://github.com/iiab/iiab/blob/master/roles/nextcloud/README.md
+
+# To further refine Nextcloud access controls based on IPv4 addresses, see:
+# https://github.com/iiab/iiab/blob/master/roles/nextcloud/templates/nextcloud.conf.j2

 # A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX.
 # Works on Ubuntu 18.04, Debian 9. Experimental on Rasp/RPi 3. Uses Node.js 10.x
--- a/vars/local_vars_medium.yml
+++ b/vars/local_vars_medium.yml
@ -125,12 +125,17 @@ pi_swap_file_size: 1024

 # 3-BASE-SERVER

+# See also Apache vars {default_language, language_priority} @ top of this file
+#
+# For schools that use WordPress/Nextcloud/Moodle intensively:  iiab/iiab#1147
+apache_high_php_limits: False
+# WARNING: Enabling this might cause excess use of RAM/disk or other resources!
+# SO AFTER INSTALLING IIAB, VERIFY THAT THESE 5 SETTINGS...
+# https://github.com/iiab/iiab/blob/master/roles/httpd/tasks/main.yml#L80-L84
+# ...ARE SUITABLE FOR YOUR HARDWARE IN /etc/php/<VERSION>/apache2/php.ini
+#
 # Make this False to disable http://box/common/services/power_off.php button:
 apache_allow_sudo: True
-# For schools that use WordPress and/or Moodle intensively, see iiab/iiab #1147
-# WARNING: Enabling this might cause excess use of RAM/disk or other resources!
-apache_high_php_limits: False
-# SEE ALSO VARIABLES NEAR TOP OF THIS FILE: default_language, language_priority

 # roles/mysql runs here (mandatory)

@ -220,8 +225,13 @@ mosquitto_enabled: False
 nodered_install: False
 nodered_enabled: False

+# Store your docs, calendar, contacts & photos on your local server not cloud!
+# If using WordPress intensively, set apache_high_php_limits in 3-BASE-SERVER
 nextcloud_install: True
 nextcloud_enabled: True
+nextcloud_allow_public_ips: False
+# Configuration tips for IPv4 access controls and tuning RAM/resources:
+# https://github.com/iiab/iiab/blob/master/roles/nextcloud/README.md

 # A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX.
 # Works on Ubuntu 18.04, Debian 9. Experimental on Rasp/RPi 3. Uses Node.js 10.x
--- a/vars/local_vars_min.yml
+++ b/vars/local_vars_min.yml
@ -125,12 +125,17 @@ pi_swap_file_size: 1024

 # 3-BASE-SERVER

+# See also Apache vars {default_language, language_priority} @ top of this file
+#
+# For schools that use WordPress/Nextcloud/Moodle intensively:  iiab/iiab#1147
+apache_high_php_limits: False
+# WARNING: Enabling this might cause excess use of RAM/disk or other resources!
+# SO AFTER INSTALLING IIAB, VERIFY THAT THESE 5 SETTINGS...
+# https://github.com/iiab/iiab/blob/master/roles/httpd/tasks/main.yml#L80-L84
+# ...ARE SUITABLE FOR YOUR HARDWARE IN /etc/php/<VERSION>/apache2/php.ini
+#
 # Make this False to disable http://box/common/services/power_off.php button:
 apache_allow_sudo: True
-# For schools that use WordPress and/or Moodle intensively, see iiab/iiab #1147
-# WARNING: Enabling this might cause excess use of RAM/disk or other resources!
-apache_high_php_limits: False
-# SEE ALSO VARIABLES NEAR TOP OF THIS FILE: default_language, language_priority

 # roles/mysql runs here (mandatory)

@ -220,8 +225,13 @@ mosquitto_enabled: False
 nodered_install: False
 nodered_enabled: False

+# Store your docs, calendar, contacts & photos on your local server not cloud!
+# If using WordPress intensively, set apache_high_php_limits in 3-BASE-SERVER
 nextcloud_install: False
 nextcloud_enabled: False
+nextcloud_allow_public_ips: False
+# Configuration tips for IPv4 access controls and tuning RAM/resources:
+# https://github.com/iiab/iiab/blob/master/roles/nextcloud/README.md

 # A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX.
 # Works on Ubuntu 18.04, Debian 9. Experimental on Rasp/RPi 3. Uses Node.js 10.x