ansible-nextcloud's People

Contributors

etcet, hlovdal, iomarmochtar, lalmeras, rbicker, starbix

ansible-nextcloud's Issues

Rpm keys check - Not a public key: https://getfedora.org/static/fedora.gpg

Hello @rbicker,
Lately, I have this issue on ansible and I do not understand how to fix it.

TASK [rbicker.nextcloud : ensure rpm keys are imported] ************************
failed: [shared] (item=https://getfedora.org/static/fedora.gpg) => {"ansible_loop_var": "item", "changed": false, "item": "https://getfedora.org/static/fedora.gpg", "msg": "Not a public key: https://getfedora.org/static/fedora.gpg"}
changed: [shared] => (item=https://rpms.remirepo.net/RPM-GPG-KEY-remi2018) => {"ansible_loop_var": "item", "changed": true, "item": "https://rpms.remirepo.net/RPM-GPG-KEY-remi2018"}

I tried to update my CentOS 7 virtual machine but it doesn't work.
Do you have any idea how to solve it?
Thank you.

Playbook fails on "ensure mariadb-server is enabled and started" step

Granted I'm running CentOS 7.5, but I thought I'd report. The playbook failed for me on the "ensure mariadb-server is enabled and started" step.

fatal: [nextcloud]: FAILED! => {"changed": false, "msg": "Unable to start service mariadb: Job for mariadb.service failed because the control process exited with error code. See "systemctl status mariadb.service" and "journalctl -xe" for details.\n"}

Mariadb didn't like this particular option which the playbook adds to /etc/my.cnf.d/server.cnf:

explicit_defaults_for_timestamp=1

If I run the play without having it add that option in mariadb config it completes successfully.

use different php session and cache directory

Every time we install an update for the php package (CentOS 7), the permissions on my /var/lib/session folder are reverted to root:apache with 600 permissions. As we enable yum cron for auto patching, this is quite annoying and breaks our nextcloud.

I would suggest to use a custom session directory in the php config, so the permissions are not altered by the update anymore.

One could add this config to the php-fpm file and add the directories to the file system with the needed permissions for nginx

; Set session path to a directory owned by process user
php_value[session.save_handler] = files
php_value[session.save_path] = /var/lib/php/nextcloud/session
php_value[soap.wsdl_cache_dir] = /var/lib/php/nextcloud/wsdlcache
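
One way to provision the directories and pool settings suggested above, as an added example that is not part of the role or of the original post. The pool user, the pool file path and the handler name are assumptions.

```yaml
# Added example, not the role's own tasks.
# Assumptions: php-fpm runs as nginx, the pool file path, and the handler name.
- hosts: all
  become: yes
  vars:
    php_fpm_user: nginx                          # assumed pool user
    php_fpm_pool_conf: /etc/php-fpm.d/www.conf   # assumed pool file
    php_private_root: /var/lib/php/nextcloud     # path taken from the post
  tasks:
    - name: ensure private php directories exist and belong to the pool user
      file:
        path: '{{ php_private_root }}/{{ item }}'
        state: directory
        owner: '{{ php_fpm_user }}'
        group: '{{ php_fpm_user }}'
        mode: '0700'   # session files hold login state: no group or other access
      loop:
        - session
        - wsdlcache

    - name: ensure the pool points at the private directories
      lineinfile:
        path: '{{ php_fpm_pool_conf }}'
        # match an existing (possibly commented) line for the same key
        regexp: '^;?\s*{{ item.key | regex_escape }}\s*='
        line: '{{ item.key }} = {{ item.value }}'
      loop:
        - { key: 'php_value[session.save_handler]', value: files }
        - { key: 'php_value[session.save_path]', value: '{{ php_private_root }}/session' }
        - { key: 'php_value[soap.wsdl_cache_dir]', value: '{{ php_private_root }}/wsdlcache' }
      notify: restart php-fpm

  handlers:
    - name: restart php-fpm
      service:
        name: php-fpm
        state: restarted
```

Because the directories sit outside the paths owned by the php package, a package update has no entry for them and leaves owner and mode alone.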

better behaviour when changing passwords & SELinux tune up - under CentOS 8

better behaviour when changing passwords (support for repeated run with random passwords)
my changes:

diff --git a/playbooks/roles/rbicker.nextcloud/tasks/main.yml b/playbooks/roles/rbicker.nextcloud/tasks/main.yml
index ebbcad0..837e27e 100644
--- a/playbooks/roles/rbicker.nextcloud/tasks/main.yml
+++ b/playbooks/roles/rbicker.nextcloud/tasks/main.yml
@@ -169,7 +169,7 @@
     owner: root
     group: root
     mode: '0600'
-    force: no  # don't overwrite, only create if not exists
+    force: yes  # make sense to overwrite after password changed, otherwise mysql root password would be different than saved in .my.cnf
   when: mysql_root_pw_modify
 
 - name: ensure anonymous mysql user is absent
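
Review bot: on the force: yes line, the credentials file is now rewritten on every run where mysql_root_pw_modify is true, but nothing in this hunk ties the overwrite to the root password change having succeeded, so a failed change leaves .my.cnf holding a password the server rejects. Gate the overwrite on the registered result of the task that sets the root password rather than on mysql_root_pw_modify alone, and move the long trailing comment onto its own line above force:.
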
@@ -191,6 +191,10 @@
     login_user: root
     state: present
 
+- name: check if Nextcloud already configured
+  stat: path={{ nextcloud_web_root }}/config/config.php
+  register: nextcloud_config_details
+
 - name: ensure database user {{ nextcloud_mysql_user }} exists and has all privileges on {{ nextcloud_mysql_db }}
   mysql_user:
     name: '{{ nextcloud_mysql_user }}'
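
Review bot: the added stat task uses the inline key=value form (stat: path={{ nextcloud_web_root }}/config/config.php) while the tasks around it use block-style arguments with quoted templates. Write it as stat: with a nested path: '{{ nextcloud_web_root }}/config/config.php' to match, and name the task after what it tests, for example "check whether config.php exists", since the presence of the file is all that nextcloud_config_details is used for.
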
@@ -198,6 +202,8 @@
     login_user: root
     priv: '{{ nextcloud_mysql_db }}.*:ALL,GRANT'
     state: present
+# do not create or modify nextcloud user when it already exists, e.g. changing password of nextcloud user in this task and not in config results in Nextcloud not working
+  when: not nextcloud_config_details.stat.exists
 
 - name: ensure php options are set
   lineinfile:
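
Review bot: the added when: not nextcloud_config_details.stat.exists skips the whole mysql_user task once config.php exists, so later runs no longer enforce state: present or the priv grant that the task name promises, and a dropped user or a missing privilege goes unrepaired. If the goal is only to leave the password alone, set update_password: on_create on mysql_user and keep the task unconditional. The explanatory comment also sits at column 0 in the middle of the task; indent it with the task's keys or move it above the - name: line.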

Example made from my playbook illustrating generation of random passwords (I got inspiration from another role, https://galaxy.ansible.com/inmotionhosting/wordpress) and SELinux tune-up (can probably be done more elegantly):

---
- name: nextcloud_nginx_mysql_php
  hosts: all
  gather_facts: yes

  vars:
    pass_gen_alias: "{{ lookup('password', '/dev/null length=23 chars=ascii_letters,digits') }}"
    #mine_mysql_root_pw: "example" #will be randomly generated if not defined
    #mine_nextcloud_mysql_pw: "example" #will be randomly generated if not defined
    mine_nextcloud_domain: nextcloud.example.com
    mine_nextcloud_ssl_subject: '/C=US/ST=Example/L=Example/CN={{ nextcloud_domain }}'
    mine_nextcloud_web_root: /var/www/html/nextcloud
    mine_nextcloud_version: latest-19
#    mysql_root_pw: "{{ password_generate }}"
#    nextcloud_mysql_pw: "{{ password_generate }}"

  roles:
   - role: rbicker.nextcloud
     vars:
       mysql_root_pw: "{{ mine_mysql_root_pw }}"
       nextcloud_mysql_pw: "{{ mine_nextcloud_mysql_pw }}"
       nextcloud_domain: "{{ mine_nextcloud_domain }}"
       nextcloud_ssl_subject: "{{ mine_nextcloud_ssl_subject }}"
       nextcloud_web_root: "{{ mine_nextcloud_web_root }}"
       nextcloud_version: "{{ mine_nextcloud_version }}"

  pre_tasks:
   - debug:
       msg: I execute before roles
 
   - name: (Nextcloud) Set random MySQL password when not defined
     set_fact:
       mine_mysql_root_pw: "{{ pass_gen_alias }}"
     when: mine_mysql_root_pw is undefined

###   - name: Print that password for debug purposes
###     debug:
###       var: mine_mysql_root_pw
      
   - name: (Nextcloud) Set random Nextcloud password when not defined
     set_fact:
       mine_nextcloud_mysql_pw: "{{ pass_gen_alias }}"
     when: mine_nextcloud_mysql_pw is undefined

###   - name: Print that password for debug purposes
###     debug:
###       var: mine_nextcloud_mysql_pw
       
  post_tasks:
   - debug:
       msg: I execute after roles

   - name: permit traffic in default zone for http service
     ansible.posix.firewalld:
       service: http
       permanent: yes
       state: enabled

   - name: permit traffic in default zone for https service
     ansible.posix.firewalld:
       service: https
       permanent: yes
       state: enabled

   - name: reload service firewalld
     systemd:
       name: firewalld
       state: reloaded

   - name: Create and apply httpd-to-redis-socket SELinux policy
     shell: |
       cat > /root/httpd-to-redis-socket.te << 'HERE_ENDS'
       module httpd-to-redis-socket 1.0;
       
       require {
               type httpd_t;
               type redis_var_run_t;
               class sock_file write;
       }
       
       #============= httpd_t ==============
       allow httpd_t redis_var_run_t:sock_file write;
       HERE_ENDS
       
       cd /root
       checkmodule -M -m -o httpd-to-redis-socket.mod httpd-to-redis-socket.te
       semodule_package -o httpd-to-redis-socket.pp -m httpd-to-redis-socket.mod
       rm -f httpd-to-redis-socket.mod
       semodule -i httpd-to-redis-socket.pp  

       exit 0 

   - name: Create /usr/local/bin/nextcloud-cron
     copy:
       dest: /usr/local/bin/nextcloud-cron
       content: |
         #!/bin/bash
         php -f /var/www/html/nextcloud/cron.php
       owner: root
       group: root
       mode: '755'

   - name: Set SELinux context of /usr/local/bin/nextcloud-cron so it will run under httpd_t
     sefcontext:
       target: '/usr/local/bin/nextcloud-cron'
       setype: httpd_exec_t
       state: present
     register: filecontext

   - name: Run restore context to reload SELinux
     shell: restorecon -R -v /usr/local/bin
     when: filecontext.changed

   - name: nextcloud cron in root's crontab
     cron:
       name: "nextcloud cron"
       user: root
       minute: "*/5"
       job: "sudo -u nginx -r system_r -t initrc_t /usr/local/bin/nextcloud-cron"

   - name: delete (because SELinux) not working nextcloud cron under user nginx
     cron:
       name: "nextcloud"
       user: nginx
       state: absent

Syntax error in nextcloud_config_options example?

I'm probably overlooking something.
I tried to add config options as per the example, but Ansible 2.10.4 keeps complaining about the syntax.

Syntax Error while loading YAML.
  did not find expected node content

          nextcloud_config_options:
            - { option: overwrite.cli.url, value: "'https://nc-demo.example.com'" }
            ^ here

This is my playbook for context:

- hosts: all
  gather_facts: yes
  become: yes
  roles:
    - { role: rbicker.nextcloud,
              nextcloud_domain: nc-demo.hosting.example.com,
              nextcloud_version: latest-20,
              nextcloud_use_https: false,
              nextcloud_web_root:  '/var/www/virtual/nc-demo',
              nextcloud_data_root: '/srv/nextcloud/nc-demo/data',
              php_version: "7.4",
              nextcloud_config_options:
                - { option: overwrite.cli.url, value: "'https://nc-demo.example.com'" }
                - { option: trusted.domains, value: "'webhost.example.com'" }
      }

Environment: macOS 10.15.7

ed@BigMac:~/etc/ansible-nextcloud$ ansible --version
ansible 2.10.4
  config file = /Users/ed/etc/ansible-nextcloud/ansible.cfg
  configured module search path = ['/Users/ed/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/Cellar/ansible/2.10.5/libexec/lib/python3.9/site-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 3.9.1 (default, Jan  8 2021, 17:17:17) [Clang 12.0.0 (clang-1200.0.32.28)]
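
The parser stops at the "- {" lines because they start a block sequence inside a flow mapping ({ role: ..., ... }), and YAML does not allow block collections in flow context. The same play in block style, as an added example that is not taken from the role's README; all values are copied from the post above.

```yaml
# Added example: the role entry written in block style so that the
# nextcloud_config_options list is legal YAML.
- hosts: all
  gather_facts: yes
  become: yes
  roles:
    - role: rbicker.nextcloud
      vars:
        nextcloud_domain: nc-demo.hosting.example.com
        nextcloud_version: latest-20
        nextcloud_use_https: false
        nextcloud_web_root: '/var/www/virtual/nc-demo'
        nextcloud_data_root: '/srv/nextcloud/nc-demo/data'
        php_version: "7.4"
        # Each list item may stay a one-line flow mapping; only the list
        # itself has to be a block sequence here.
        nextcloud_config_options:
          - { option: overwrite.cli.url, value: "'https://nc-demo.example.com'" }
          - { option: trusted.domains, value: "'webhost.example.com'" }

# Alternative that keeps the original { role: ..., } flow mapping: write the
# list in flow style as well, i.e.
#   nextcloud_config_options: [ { option: ..., value: ... }, { option: ..., value: ... } ]
```

Running ansible-playbook with --syntax-check against the file confirms that it parses before any host is contacted.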

"always" tags breaking usage of other tags

I'm trying to use this role together with another role and added tags for both role_includes.

tasks:                                                                        
    - import_role:                                                              
        name: ansible-nextcloud                                                 
      tags:                                                                     
        - nextcloud                                                             
                                                                                
    - import_role:                                                              
        name: collabora                                                         
      tags:                                                                     
        - collabora

Running the playbook with --tags collabora fails, as one of the always tasks depends on another task without always:

FAILED! => {"msg": "The conditional check 'new_installation.changed' failed. The error was: error while evaluating conditional (new_installation.changed): 'new_installation' is undefined ...
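
The failure mode described above, reduced to a constructed play (an added example, not the role's tasks). Only the variable name new_installation comes from the error message; the task bodies are stand-ins.

```yaml
# Added example with constructed tasks.
- hosts: localhost
  gather_facts: no
  tasks:
    - name: stand-in for the role task that registers new_installation
      command: /bin/true
      register: new_installation
      tags: [nextcloud]

    # With --tags collabora the task above is filtered out by tag selection,
    # so it never runs and registers nothing. (A task skipped by "when" would
    # still register a result; a task filtered by tags does not.)
    # A bare "when: new_installation.changed" on an always-tagged task then
    # fails with "'new_installation' is undefined".
    - name: always-tagged task guarded against the missing variable
      debug:
        msg: new installation detected
      when: new_installation is defined and new_installation.changed
      tags: [always]

    - name: stand-in for the second role
      debug:
        msg: collabora tasks
      tags: [collabora]
```

The other way out is to give the registering task the always tag as well, which is only appropriate if it is cheap and has no side effects.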

Different paths to configs for mariadb and redis on Rocky Linux 8

[root@server ~]# rpm -qf /etc/my.cnf.d/server.cnf
error: file /etc/my.cnf.d/server.cnf: No such file or directory

[root@server ~]# rpm -qf /etc/my.cnf.d/mariadb-server.cnf
mariadb-server-10.3.35-1.module+el8.6.0+1005+cdf19c22.x86_64

[root@server ~]# rpm -qf /etc/redis/redis.conf
error: file /etc/redis/redis.conf: No such file or directory

[root@server ~]# rpm -qf /etc/redis.conf
redis-5.0.3-5.module+el8.5.0+657+2674830e.x86_64

I tried it yesterday on a system running Rocky Linux 8 (freshly updated).

The quick fix for me was to copy your role (from .ansible/...) to my playbooks/roles directory and then edit it.

rbicker.nextcloud/handlers/main.yml

 - name: mysql optimization
   lineinfile:
-    path: /etc/my.cnf.d/server.cnf
+    path: /etc/my.cnf.d/mariadb-server.cnf
     regexp: '^{{ item.option }}'
     line: '{{ item.option }}={{ item.value }}'
     insertafter: '\[mysqld\]'
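
Review bot: on the path: line, swapping /etc/my.cnf.d/server.cnf for /etc/my.cnf.d/mariadb-server.cnf fixes Rocky Linux 8 but breaks every host where the file is still server.cnf. Introduce a role variable for the MariaDB server config path with a per-distribution default instead of replacing one hard-coded path with another.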

rbicker.nextcloud/tasks/main.yml

 - name: ensure mysql binary logging is disabled
   lineinfile:
-    path: /etc/my.cnf.d/server.cnf
+    path: /etc/my.cnf.d/mariadb-server.cnf
     state: absent
     regexp: "^log-bin$"
   notify:
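
Review bot: the literal /etc/my.cnf.d/mariadb-server.cnf on the path: line here duplicates the one in handlers/main.yml, so the task and the handler can drift apart the next time the location changes. Reference a single shared variable from both files.
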
@@ -255,7 +255,7 @@

 - name: ensure redis options are set
   lineinfile:
-    path: /etc/redis/redis.conf
+    path: /etc/redis.conf
     regexp: '^{{ item.option }}\s'
     line: "{{ item.option }} {{ item.value }}"
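
Review bot: on the path: line, /etc/redis.conf is hard-coded in place of /etc/redis/redis.conf, so the task now fails wherever the package installs its config under /etc/redis/. Pick the path through a variable with a per-distribution default, or stat both candidates first and pass the one that exists to lineinfile.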

db-server config file location

Hello,

The configuration file that is placed in /root/.my.cnf contains server configuration that starts with [mysqld], but this config is not read by the mysql server. I think that this config has to be placed in the /etc/my.cnf.d/mariadb-server.cnf directory.

Thanks
Regards

Failed to install package due to uppercase package names.

I'm getting the following error on vanilla centos 8 (via vagrant box)

TASK [rbicker.nextcloud : ensure MariaDB-server is installed] ******************                                                                                                                             
fatal: [default]: FAILED! => {"changed": false, "failures": ["MariaDB-server All matches were filtered out by modular filtering for argument: MariaDB-server"], "msg": "Failed to install some of the specified packages", "rc": 1, "results": []}                                                                                                                                                                        

Seems like yum lowercases the package (running yum search only provides lowercase results), even though I can clearly see that it is using case in the yum repo:
http://yum.mariadb.org/10.4/centos8-amd64/rpms/

The simple fix is to just lowercase the package in the server install yum script.

Failed to install epel-release on CentOS 8.2

I get this when using the role on CentOS Linux release 8.2.2004:

TASK [rbicker.nextcloud : ensure epel-release and Remi yum repos are installed] *****************************************************************************************************$
fatal: [nextcloud-01]: FAILED! => {"changed": false, "msg": "Failed to validate GPG signature for epel-release-8-8.el8.noarch"}

Redis server config causes Nextcloud to not work

I've installed NC 20.0.1.1 on CentOS 8.2 via this playbook.
When I try to open my NC main page I get an error (sorry, in German):

Interner Serverfehler

Der Server konnte die Anfrage nicht fertig stellen.

Sollte dies erneut auftreten, sende bitte die nachfolgenden technischen Einzelheiten an Deinen Server-Administrator.

Weitere Details können im Server-Protokoll gefunden werden.
Technische Details

    Entfernte Adresse: <snipped>
    Anfragekennung: <snipped>

After commenting out the redis part in the config.php of nextcloud, things work. I have no experience with redis, but to me this looks like a problem with the redis install/configuration. I don't know what other information would be helpful, but I'll include it if I am told what would help.

Inconsistencies about nextcloud_web_root

If nextcloud_web_root does not end with /nextcloud, the installation script fails, as:

  • the archive is extracted in {{ nextcloud_web_root }}/..
  • the archive root dir is nextcloud
  • so if the last part of nextcloud_web_root is not nextcloud, the paths are not consistent

I suggest to use unarchive option: extra_opts: --strip-components=1 and to get rid of /.. in dest, so that it is the content of archive's nextcloud folder that is placed directly in nextcloud_web_root.

This solution is backward compatible, and allows using an arbitrary nextcloud_web_root. I can provide a PR if you agree with it.

Otherwise, the documentation must be updated.
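
The extraction suggested above, written out as an added example rather than the role's own task. nextcloud_archive is a hypothetical path to a tarball that is already on the host; the web root value is constructed to show a path that does not end in /nextcloud.

```yaml
# Added example, not the role's task.
- hosts: all
  become: yes
  vars:
    nextcloud_web_root: /var/www/virtual/nc-demo   # constructed: not ending in /nextcloud
    nextcloud_archive: /tmp/nextcloud.tar.bz2      # hypothetical, already downloaded
  tasks:
    - name: ensure the web root exists
      file:
        path: '{{ nextcloud_web_root }}'
        state: directory
        mode: '0755'

    - name: extract the archive content directly into the web root
      unarchive:
        src: '{{ nextcloud_archive }}'
        dest: '{{ nextcloud_web_root }}'   # no trailing /.. any more
        remote_src: yes
        # drop the archive's leading nextcloud/ directory so its content
        # lands in the web root whatever the web root is called
        extra_opts:
          - --strip-components=1
        # skip re-extraction on later runs instead of relying on the
        # module's own change detection for stripped paths
        creates: '{{ nextcloud_web_root }}/occ'
```

With the default layout (a web root ending in /nextcloud) the resulting tree is the same as before, which is the backward compatibility the post refers to.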

Wrong URL in Activity notifications

Hi,

I ran into a problem with the URL pushed in Activity notifications. The URL is http://localhost.

From a Nextcloud viewpoint, I found out it is related to the value of overwrite.cli.url. In my installation, the value is http://localhost (sudo -u nginx php /opt/nextcloud/web/occ config:system:get overwrite.cli.url).

Not sure of the way we should fix this. The better option from my point of view should be to introduce a nextcloud_overwrite_cli_url: "{{ ('https://' if nextcloud_use_https else 'http://') + nextcloud_domain }}".
Then use it in installation.yml to set overwrite.cli.url.

This solution provides a decent default behavior.

I'm not sure of the behavior of the upgrade process, as it appears that occ system:config:set is done only during installation? Is config.php preserved by updater.phar during the update process? If this is the case, existing installations need to be fixed manually (fine for me).

I can work on a pull-request implementing this solution, or any solution you prefer.

License MIT or BSD?

Is the role licensed under MIT (as stated in the README) or under BSD (as stated in the meta/main.yml)?

Role triggers .user.ini integrity check with nextcloud 13.0.4

In nextcloud 13.0.4, the max_input_time and max_execution_time configuration items are dropped from .user.ini. Nextcloud checks .user.ini consistency by copying the installed file, setting default values on the copied file, then computing the file checksum (described here: nextcloud/server#115).

As the .user.ini deployed by the role contains these configuration items, the integrity check now fails, with a warning in the administration pages (see screen capture). This does not prevent nextcloud from working.

The better way I see to fix it is to template .user.ini to drop the problematic section, based on the ansible_version variable.

Do you see / plan any other fix? Interested in a PR for this?

nextcloud-integrity

letsencrypt support?

Hi,

I'm working with this role, and adding letsencrypt support to the role would be great.

Thanks for your work

Regards
