rbicker / ansible-nextcloud
nextcloud ansible role
Hello @rbicker,
Lately, I have had this issue with Ansible and I do not understand how to fix it.
TASK [rbicker.nextcloud : ensure rpm keys are imported] ************************
failed: [shared] (item=https://getfedora.org/static/fedora.gpg) => {"ansible_loop_var": "item", "changed": false, "item": "https://getfedora.org/static/fedora.gpg", "msg": "Not a public key: https://getfedora.org/static/fedora.gpg"}
changed: [shared] => (item=https://rpms.remirepo.net/RPM-GPG-KEY-remi2018) => {"ansible_loop_var": "item", "changed": true, "item": "https://rpms.remirepo.net/RPM-GPG-KEY-remi2018"}
I tried to update my CentOS 7 virtual machine but it doesn't work.
Do you have any idea to solve it?
Thank you.
Granted I'm running CentOS 7.5, but I thought I'd report. The playbook failed for me on the "ensure mariadb-server is enabled and started" step.
fatal: [nextcloud]: FAILED! => {"changed": false, "msg": "Unable to start service mariadb: Job for mariadb.service failed because the control process exited with error code. See "systemctl status mariadb.service" and "journalctl -xe" for details.\n"}
Mariadb didn't like this particular option which the playbook adds to /etc/my.cnf.d/server.cnf:
explicit_defaults_for_timestamp=1
If I run the play without having it add that option in mariadb config it completes successfully.
Every time we install an update for the php package (CentOS 7), the permissions on my /var/lib/session folder are reverted to root:apache with 600 permissions. As we enable yum-cron for auto patching, this is quite annoying and breaks our Nextcloud.
I would suggest to use a custom session directory in the php config, so the permissions are not altered by the update anymore.
One could add this config to the php-fpm pool file and add the directories to the file system with the needed permissions for nginx:
; Set session path to a directory owned by process user
php_value[session.save_handler] = files
php_value[session.save_path] = /var/lib/php/nextcloud/session
php_value[soap.wsdl_cache_dir] = /var/lib/php/nextcloud/wsdlcache
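The suggestion above as Ansible tasks, written here as an added example (not the role's own code). It assumes the php-fpm pool file is /etc/php-fpm.d/www.conf and that php-fpm runs as nginx; the directories are outside any package-owned path, so an RPM update no longer resets their ownership.

```yaml
# Added example: private PHP session/cache directories for Nextcloud.
# Assumptions: pool file /etc/php-fpm.d/www.conf, php-fpm user nginx.
- name: ensure private php directories for nextcloud exist
  file:
    path: "{{ item }}"
    state: directory
    owner: nginx
    group: nginx
    mode: '0700'          # session files are readable by the php-fpm user only
  loop:
    - /var/lib/php/nextcloud
    - /var/lib/php/nextcloud/session
    - /var/lib/php/nextcloud/wsdlcache

- name: ensure the php-fpm pool points at the private directories
  lineinfile:
    path: /etc/php-fpm.d/www.conf
    # regex_escape protects the brackets and dots in the option name,
    # and ';?' lets a commented-out default be replaced in place
    regexp: '^;?\s*{{ item.option | regex_escape }}\s*='
    line: "{{ item.option }} = {{ item.value }}"
    insertafter: EOF
  loop:
    - { option: 'php_value[session.save_handler]', value: files }
    - { option: 'php_value[session.save_path]', value: /var/lib/php/nextcloud/session }
    - { option: 'php_value[soap.wsdl_cache_dir]', value: /var/lib/php/nextcloud/wsdlcache }
  notify: restart php-fpm

# handler expected in handlers/main.yml (added here for completeness)
- name: restart php-fpm
  service:
    name: php-fpm
    state: restarted
```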
better behaviour when changing passwords (support for repeated run with random passwords)
my changes:
diff --git a/playbooks/roles/rbicker.nextcloud/tasks/main.yml b/playbooks/roles/rbicker.nextcloud/tasks/main.yml
index ebbcad0..837e27e 100644
--- a/playbooks/roles/rbicker.nextcloud/tasks/main.yml
+++ b/playbooks/roles/rbicker.nextcloud/tasks/main.yml
@@ -169,7 +169,7 @@
owner: root
group: root
mode: '0600'
- force: no # don't overwrite, only create if not exists
+ force: yes # make sense to overwrite after password changed, otherwise mysql root password would be different than saved in .my.cnf
when: mysql_root_pw_modify
- name: ensure anonymous mysql user is absent
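Review bot: the trailing comment on `+ force: yes` makes the line hard to scan; move it to its own comment line above the key. Since the `when: mysql_root_pw_modify` guard that follows is what stops the 0600 credentials file from being rewritten on every run, the comment should say that the overwrite is intended only when the root password is actually changed.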
@@ -191,6 +191,10 @@
login_user: root
state: present
+- name: check if Nextcloud already configured
+ stat: path={{ nextcloud_web_root }}/config/config.php
+ register: nextcloud_config_details
+
- name: ensure database user {{ nextcloud_mysql_user }} exists and has all privileges on {{ nextcloud_mysql_db }}
mysql_user:
name: '{{ nextcloud_mysql_user }}'
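Review bot: `stat: path={{ nextcloud_web_root }}/config/config.php` uses the key=value shorthand while every other task in this file uses the mapping form; write it as `stat:` with `path: "{{ nextcloud_web_root }}/config/config.php"` on the next line (quoted, because in mapping form the value would start with `{{`) so the file stays consistent.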
@@ -198,6 +202,8 @@
login_user: root
priv: '{{ nextcloud_mysql_db }}.*:ALL,GRANT'
state: present
+# do not create or modify nextcloud user when it already exists, e.g. changing password of nextcloud user in this task and not in config results in Nextcloud not working
+ when: not nextcloud_config_details.stat.exists
- name: ensure php options are set
lineinfile:
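Review bot: `when: not nextcloud_config_details.stat.exists` skips the whole mysql_user task once config.php exists, so `priv: '{{ nextcloud_mysql_db }}.*:ALL,GRANT'` is never re-applied on an existing install either; if the intent is only to stop rotating the password, split the task so the grant is still enforced and only the password update is conditional. The comment `# do not create or modify nextcloud user ...` sits at column 0 inside the task mapping; indent it to the task's level so the block reads as one unit.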
Example made from my playbook illustrating the generation of random passwords (I got inspiration from another role: https://galaxy.ansible.com/inmotionhosting/wordpress) and SELinux tune-up (can probably be done more elegantly):
---
- name: nextcloud_nginx_mysql_php
  hosts: all
  gather_facts: yes
  vars:
    # lazily evaluated: every reference runs the lookup again and yields a new
    # password, which is why set_fact in pre_tasks freezes the value for the run
    pass_gen_alias: "{{ lookup('password', '/dev/null length=23 chars=ascii_letters,digits') }}"
    #mine_mysql_root_pw: "example" #will be randomly generated if not defined
    #mine_nextcloud_mysql_pw: "example" #will be randomly generated if not defined
    mine_nextcloud_domain: nextcloud.example.com
    mine_nextcloud_ssl_subject: '/C=US/ST=Example/L=Example/CN={{ nextcloud_domain }}'
    mine_nextcloud_web_root: /var/www/html/nextcloud
    mine_nextcloud_version: latest-19
    # mysql_root_pw: "{{ password_generate }}"
    # nextcloud_mysql_pw: "{{ password_generate }}"
  roles:
    - role: rbicker.nextcloud
      vars:
        mysql_root_pw: "{{ mine_mysql_root_pw }}"
        nextcloud_mysql_pw: "{{ mine_nextcloud_mysql_pw }}"
        nextcloud_domain: "{{ mine_nextcloud_domain }}"
        nextcloud_ssl_subject: "{{ mine_nextcloud_ssl_subject }}"
        nextcloud_web_root: "{{ mine_nextcloud_web_root }}"
        nextcloud_version: "{{ mine_nextcloud_version }}"
  pre_tasks:
    - debug:
        msg: I execute before roles
    - name: (Nextcloud) Set random MySQL password when not defined
      set_fact:
        mine_mysql_root_pw: "{{ pass_gen_alias }}"
      when: mine_mysql_root_pw is undefined
    ### - name: Print that password for debug purposes
    ###   debug:
    ###     var: mine_mysql_root_pw
    - name: (Nextcloud) Set random Nextcloud password when not defined
      set_fact:
        mine_nextcloud_mysql_pw: "{{ pass_gen_alias }}"
      when: mine_nextcloud_mysql_pw is undefined
    ### - name: Print that password for debug purposes
    ###   debug:
    ###     var: mine_nextcloud_mysql_pw
  post_tasks:
    - debug:
        msg: I execute after roles
    - name: permit traffic in default zone for http service
      ansible.posix.firewalld:
        service: http
        permanent: yes
        state: enabled
    - name: permit traffic in default zone for https service
      ansible.posix.firewalld:
        service: https
        permanent: yes
        state: enabled
    - name: reload service firewalld
      systemd:
        name: firewalld
        state: reloaded
    - name: Create and apply httpd-to-redis-socket SELinux policy
      shell: |
        cat > /root/httpd-to-redis-socket.te << 'HERE_ENDS'
        module httpd-to-redis-socket 1.0;
        require {
          type httpd_t;
          type redis_var_run_t;
          class sock_file write;
        }
        #============= httpd_t ==============
        allow httpd_t redis_var_run_t:sock_file write;
        HERE_ENDS
        cd /root
        checkmodule -M -m -o httpd-to-redis-socket.mod httpd-to-redis-socket.te
        semodule_package -o httpd-to-redis-socket.pp -m httpd-to-redis-socket.mod
        rm -f httpd-to-redis-socket.mod
        semodule -i httpd-to-redis-socket.pp
        exit 0
    - name: Create /usr/local/bin/nextcloud-cron
      copy:
        dest: /usr/local/bin/nextcloud-cron
        content: |
          #!/bin/bash
          php -f /var/www/html/nextcloud/cron.php
        owner: root
        group: root
        mode: '0755'
    - name: Set SELinux context of /usr/local/bin/nextcloud-cron so it will run under httpd_t
      sefcontext:
        target: '/usr/local/bin/nextcloud-cron'
        setype: httpd_exec_t
        state: present
      register: filecontext
    - name: Run restore context to reload SELinux
      shell: restorecon -R -v /usr/local/bin
      when: filecontext.changed
    - name: nextcloud cron in root's crontab
      cron:
        name: "nextcloud cron"
        user: root
        minute: "*/5"
        job: "sudo -u nginx -r system_r -t initrc_t /usr/local/bin/nextcloud-cron"
    - name: delete (because SELinux) not working nextcloud cron under user nginx
      cron:
        name: "nextcloud"
        user: nginx
        state: absent
I'm probably overlooking something.
I tried to add config options as per the example, but Ansible 2.10.4 keeps complaining about the syntax.
Syntax Error while loading YAML.
did not find expected node content
nextcloud_config_options:
- { option: overwrite.cli.url, value: "'https://nc-demo.example.com'" }
^ here
This is my playbook for context:
- hosts: all
  gather_facts: yes
  become: yes
  roles:
    - { role: rbicker.nextcloud,
        nextcloud_domain: nc-demo.hosting.example.com,
        nextcloud_version: latest-20,
        nextcloud_use_https: false,
        nextcloud_web_root: '/var/www/virtual/nc-demo',
        nextcloud_data_root: '/srv/nextcloud/nc-demo/data',
        php_version: "7.4",
        nextcloud_config_options:
          - { option: overwrite.cli.url, value: "'https://nc-demo.example.com'" }
          - { option: trusted.domains, value: "'webhost.example.com'" }
      }
Environment: macOS 10.15.7
ed@BigMac:~/etc/ansible-nextcloud$ ansible --version
ansible 2.10.4
config file = /Users/ed/etc/ansible-nextcloud/ansible.cfg
configured module search path = ['/Users/ed/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/local/Cellar/ansible/2.10.5/libexec/lib/python3.9/site-packages/ansible
executable location = /usr/local/bin/ansible
python version = 3.9.1 (default, Jan 8 2021, 17:17:17) [Clang 12.0.0 (clang-1200.0.32.28)]
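The parser stops at that point because a block sequence (`- { option: ... }` on its own lines) is not allowed inside a flow mapping (`{ role: ..., ... }`). The same play in block style, as an added example built from the playbook above (its hostnames and paths, not the role's own code):

```yaml
# Added example: the play above rewritten so the role vars use block style.
- hosts: all
  gather_facts: yes
  become: yes
  roles:
    - role: rbicker.nextcloud
      vars:
        nextcloud_domain: nc-demo.hosting.example.com
        nextcloud_version: latest-20
        nextcloud_use_https: false
        nextcloud_web_root: /var/www/virtual/nc-demo
        nextcloud_data_root: /srv/nextcloud/nc-demo/data
        php_version: "7.4"
        # the list is block style, so each entry may sit on its own line;
        # each entry itself may stay a one-line flow mapping
        nextcloud_config_options:
          - { option: overwrite.cli.url, value: "'https://nc-demo.example.com'" }
          - { option: trusted.domains, value: "'webhost.example.com'" }
```

Keeping the original flow mapping is also possible if the list is written in flow style too, i.e. `nextcloud_config_options: [ { option: ..., value: ... }, { option: ..., value: ... } ]` on one logical line; `ansible-playbook --syntax-check playbook.yml` confirms either form parses.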
I'm trying to use this role together with another role and added tags for both role_includes.
tasks:
  - import_role:
      name: ansible-nextcloud
    tags:
      - nextcloud
  - import_role:
      name: collabora
    tags:
      - collabora
Running the playbook with --tags collabora fails, as one of the always tasks depends on another task without always:
FAILED! => {"msg": "The conditional check 'new_installation.changed' failed. The error was: error while evaluating conditional (new_installation.changed): 'new_installation' is undefined ...
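An added example (not the role's code) of the guard that keeps an `always` task from failing when the task it depends on was skipped by `--tags`; `new_installation` is the registered variable named in the error above, the task names and the `/bin/true` stand-in are made up:

```yaml
# Added example: a task registered only under its own tag, and two ways
# to keep an always-tagged consumer from tripping over an undefined variable.
- name: install nextcloud (stands in for the role's install task)
  command: /bin/true
  register: new_installation
  changed_when: false
  tags: [nextcloud]

# option 1: give the variable a harmless default when the producer did not run
- name: default new_installation when the install task was not selected
  set_fact:
    new_installation: { changed: false }
  when: new_installation is not defined
  tags: [always]

# option 2: test for definedness in the conditional itself
- name: first-run configuration that must be evaluated on every invocation
  debug:
    msg: "fresh installation detected, running first-run configuration"
  when: new_installation is defined and new_installation.changed
  tags: [always]
```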
This role currently uses php 7.1 packages. There are 7.2 packages available and most notably they have dropped the php71w-mcrypt
package out of security concerns so I think it would be a good idea to update. As far as I understand there are currently no known vulnerabilities with the mcrypt package, but better safe than sorry.
[root@server ~]# rpm -qf /etc/my.cnf.d/server.cnf
error: file /etc/my.cnf.d/server.cnf: No such file or directory
[root@server ~]# rpm -qf /etc/my.cnf.d/mariadb-server.cnf
mariadb-server-10.3.35-1.module+el8.6.0+1005+cdf19c22.x86_64
[root@server ~]# rpm -qf /etc/redis/redis.conf
error: file /etc/redis/redis.conf: No such file or directory
[root@server ~]# rpm -qf /etc/redis.conf
redis-5.0.3-5.module+el8.5.0+657+2674830e.x86_64
I tried it yesterday on a system running Rocky Linux 8 (freshly updated).
The quick fix for me was to copy your role (from .ansible/...) to my playbooks/roles directory and then edit it.
rbicker.nextcloud/handlers/main.yml
- name: mysql optimization
lineinfile:
- path: /etc/my.cnf.d/server.cnf
+ path: /etc/my.cnf.d/mariadb-server.cnf
regexp: '^{{ item.option }}'
line: '{{ item.option }}={{ item.value }}'
insertafter: '\[mysqld\]'
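Review bot: `+ path: /etc/my.cnf.d/mariadb-server.cnf` hard-codes the EL8 file name, so the handler breaks on EL7 hosts where the file is still `/etc/my.cnf.d/server.cnf`; select the path from a variable keyed on the distribution major version instead of editing it in place. Visible in the same hunk, `regexp: '^{{ item.option }}'` has no terminator, so an option that is a prefix of another (for example `key_buffer` against `key_buffer_size`) would match the wrong line; `'^{{ item.option }}\s*='` is safer.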
rbicker.nextcloud/tasks/main.yml
- name: ensure mysql binary logging is disabled
lineinfile:
- path: /etc/my.cnf.d/server.cnf
+ path: /etc/my.cnf.d/mariadb-server.cnf
state: absent
regexp: "^log-bin$"
notify:
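Review bot: the same hard-coded path concern as in the handler applies to `+ path: /etc/my.cnf.d/mariadb-server.cnf`; whatever picks `mariadb-server.cnf` on EL8 and `server.cnf` on EL7 should be one shared variable. Also, `regexp: "^log-bin$"` with `state: absent` only removes a bare `log-bin` line; `log-bin=mysql-bin` or `log_bin` would survive, so consider `'^log[-_]bin(\s*=.*)?$'`.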
@@ -255,7 +255,7 @@
- name: ensure redis options are set
lineinfile:
- path: /etc/redis/redis.conf
+ path: /etc/redis.conf
regexp: '^{{ item.option }}\s'
line: "{{ item.option }} {{ item.value }}"
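Review bot: `+ path: /etc/redis.conf` is the same kind of distribution-specific change; the role should choose between `/etc/redis/redis.conf` and `/etc/redis.conf` from a fact-based variable rather than carrying two hand-edited copies of the task.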
Hello,
The configuration file placed in /root/.my.cnf contains server configuration that starts with [mysqld], but this config is not read by the MySQL server. I think that this config has to be placed in the /etc/my.cnf.d/mariadb-server.cnf directory.
Thanks
Regards
I'm getting the following error on vanilla CentOS 8 (via Vagrant box):
TASK [rbicker.nextcloud : ensure MariaDB-server is installed] ******************
fatal: [default]: FAILED! => {"changed": false, "failures": ["MariaDB-server All matches were filtered out by modular filtering for argument: MariaDB-server"], "msg": "Failed to install some of the specified packages", "rc": 1, "results": []}
Seems like yum lowercases the package (running yum search only provides lowercase results), even though I can clearly see that it is using case in the yum repo:
http://yum.mariadb.org/10.4/centos8-amd64/rpms/
The simple fix is to just lowercase the package in the server install yum script.
I get this when using the role on CentOS Linux release 8.2.2004:
TASK [rbicker.nextcloud : ensure epel-release and Remi yum repos are installed] *****************************************************************************************************
fatal: [nextcloud-01]: FAILED! => {"changed": false, "msg": "Failed to validate GPG signature for epel-release-8-8.el8.noarch"}
I've installed NC 20.0.1.1 on CentOS 8.2 via this playbook.
When I try to open my NC main page I get an error (sorry, in German):
Internal Server Error
The server could not complete the request.
If this happens again, please send the technical details below to your server administrator.
More details can be found in the server log.
Technical details
Remote address: <snipped>
Request ID: <snipped>
After commenting out the redis part in the config.php of Nextcloud, things work. I have no experience with redis, but to me this looks like a problem with the redis install/configuration. I don't know what other information would be helpful, but I'll include it if I am told what would help.
If nextcloud_web_root does not end with /nextcloud, the installation script fails, as the last part of nextcloud_web_root is not nextcloud and the paths are not consistent. I suggest using the unarchive option extra_opts: --strip-components=1 and getting rid of the /.. in dest, so that the content of the archive's nextcloud folder is placed directly in nextcloud_web_root.
This solution is backward compatible and allows an arbitrary nextcloud_web_root. I can provide a PR if you agree with it.
Otherwise, the documentation must be updated.
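The suggested unarchive change as an added example (not the role's own task). It assumes the tarball is fetched from download.nextcloud.com, which publishes a .sha256 file next to each release, that the web server user is nginx, and that nextcloud_version and nextcloud_web_root are set as in the role:

```yaml
# Added example: extract the archive's top-level nextcloud/ folder straight
# into nextcloud_web_root, so the web root name no longer has to be "nextcloud".
- name: download nextcloud archive and verify the published checksum
  get_url:
    url: "https://download.nextcloud.com/server/releases/{{ nextcloud_version }}.tar.bz2"
    # get_url reads the digest from this URL and fails on mismatch; this catches
    # a corrupted download, not a compromised origin (same host serves both files)
    checksum: "sha256:https://download.nextcloud.com/server/releases/{{ nextcloud_version }}.tar.bz2.sha256"
    dest: /tmp/nextcloud-{{ nextcloud_version }}.tar.bz2
    mode: '0644'

- name: ensure the web root exists and is owned by the web server user
  file:
    path: "{{ nextcloud_web_root }}"
    state: directory
    owner: nginx
    group: nginx
    mode: '0750'

- name: extract into the web root without the leading nextcloud/ component
  unarchive:
    src: /tmp/nextcloud-{{ nextcloud_version }}.tar.bz2
    remote_src: yes
    dest: "{{ nextcloud_web_root }}"          # no trailing /.. needed any more
    extra_opts: [--strip-components=1]        # drops the archive's nextcloud/ prefix
    owner: nginx
    group: nginx
    creates: "{{ nextcloud_web_root }}/occ"   # keeps the task idempotent on re-runs
```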
Hi,
I ran into a problem with the URL pushed in Activity notifications. The URL is http://localhost.
From a Nextcloud viewpoint, I found out it is related to the value of overwrite.cli.url. In my installation, the value is http://localhost (sudo -u nginx php /opt/nextcloud/web/occ config:system:get overwrite.cli.url).
Not sure of the way we should fix this. The better option from my point of view would be to introduce a `nextcloud_overwrite_cli_url: "{{ ('https://' if nextcloud_use_https else 'http://') + nextcloud_domain }}"`.
Then to use it in installation.yml to set overwrite.cli.url.
This solution provides a decent default behavior.
I'm not sure of the behavior of upgrade process, as it appears that occ system:config:set is done only during installation ? Is config.php preserved by updater.phar during update process ? If this is the case, existing installation needs to be fixed manually (fine for me).
I can work on a pull-request implementing this solution, or any solution you prefer.
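The proposed default, as an added example (not the role's code): the variable for defaults/main.yml and an idempotent occ task pair that only writes when the stored value differs. It assumes occ is run as nginx from nextcloud_web_root:

```yaml
# Added example: defaults/main.yml entry
nextcloud_overwrite_cli_url: "{{ ('https://' if nextcloud_use_https else 'http://') + nextcloud_domain }}"

# Added example: tasks that read the current value first, so a re-run
# of the play reports no change when the URL is already correct
- name: read current overwrite.cli.url
  command: php occ config:system:get overwrite.cli.url
  args:
    chdir: "{{ nextcloud_web_root }}"
  become: yes
  become_user: nginx
  register: current_cli_url
  changed_when: false
  failed_when: false        # tolerate a non-zero exit when the key is not set yet

- name: set overwrite.cli.url to the role default
  command: >
    php occ config:system:set overwrite.cli.url
    --value={{ nextcloud_overwrite_cli_url | quote }}
  args:
    chdir: "{{ nextcloud_web_root }}"
  become: yes
  become_user: nginx
  when: (current_cli_url.stdout | trim) != nextcloud_overwrite_cli_url
```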
Is the role licensed under MIT (as stated in the README) or under BSD (as stated in the meta/main.yml)?
In Nextcloud 13.0.4, the max_input_time and max_execution_time configuration entries are dropped from .user.ini. Nextcloud checks .user.ini consistency by copying the installed file, setting default values on the copied file, then computing the file checksum (described here: nextcloud/server#115).
As the .user.ini deployed by the role contains these configuration items, the integrity check now fails, with a warning in the administration pages (see screen capture). This does not prevent Nextcloud from working.
The better way I see to fix it is to template .user.ini to drop the problematic section, based on the ansible_version variable.
Do you see / plan any other fix? Interested in a PR for this?
Hi,
I'm working with this role, and adding letsencrypt support to the role would be great.
Thanks for your work
Regards