Oli
e376193480 remove deprecated nginx config options
This commit removes the Nginx configuration options related to OCSP stapling and OCSP Must-Staple.
Let's Encrypt is discontinuing OCSP support in favor of CRLs (Certificate Revocation Lists) to improve privacy and simplify infrastructure.
2025-07-01 18:06:15 +00:00
Oli
c818db0f1b update rclone user agent for GoogleDrive 2025-06-05 22:56:08 +00:00
Oli
c8bd485677 add task to update nextcloud apps 2025-06-05 22:55:44 +00:00
Oli
7de3ae47c6 use metrics instead of rc 2025-06-05 22:55:30 +00:00
Oli
2e692f9ae4 fix config options 2025-06-05 22:53:39 +00:00
Oli
230feb9b0c rewrite lego role 2025-06-05 22:53:10 +00:00
Oli
62fabb2277 update MariaDB repo to use rolling updates 2025-06-05 22:51:25 +00:00
Oli
b576441879 fix task naming 2025-06-05 21:42:23 +00:00
Oli
2c29133d84 fix deprecated ansible modules / variables 2025-06-05 21:37:36 +00:00
Oli
b9cb2d338a raise php-fpm max_requests 2024-06-01 21:34:02 +00:00
Oli
89516afd42 increase PHP opcache memory 2024-06-01 21:33:47 +00:00
Oli
4a9131d6d6 update rclone user agent for GoogleDrive 2024-06-01 21:27:10 +00:00
Oli
edec41a65b change lego config directory 2024-06-01 21:26:45 +00:00
Oli
02ef5b75da change time format 2024-06-01 21:24:52 +00:00
Oli
3cfb92f3a1 enable new SystemD feature in nextcloud notify push v0.6.12 2024-06-01 21:23:29 +00:00
Oli
329873e44c remove gtar dependency 2024-06-01 21:22:42 +00:00
Oli
ebbdff2fd6 enable HTTP2 for nextcloud 2024-03-23 14:27:19 +00:00
Oli
d260772904 update rclone user agent for GoogleDrive 2024-03-23 14:19:38 +00:00
Oli
2b9eda9e9c disable QUIC and HTTP/3 2024-03-01 07:18:40 +00:00
Oli
e5da9c9c54 Add .wasm file extension for javascript 2024-03-01 07:18:18 +00:00
Oli
acc4a64622 Add .mjs file extension for javascript 2024-02-11 11:24:03 +00:00
Oli
ccd75528ed sync roles with changes from OWS 2023-10-21 13:13:20 +00:00
Oli
e14271eab0 change drive OAuth 2023-09-23 20:32:04 +00:00
Oli
b4218d3ec0 ansible-lint recommendations
activate privilege escalation when changing users
2023-09-23 20:31:07 +00:00
Oli
e7620417ac change deprecated HTTP/2 directive 2023-09-20 14:08:55 +00:00
Oli
bccf9deff0 add new vfs-cache-min-free-space option 2023-09-17 21:21:04 +00:00
Oli
903584558e use occ absolute path 2023-09-17 21:20:55 +00:00
Oli
204378dc3a move token to env variable 2023-09-17 21:20:46 +00:00
Oli
b5f1c47c0f new nextcloud config management 2023-09-17 21:20:27 +00:00
Oli
27d1200dc1 update php-fpm config according to nextcloud docs 2023-07-27 23:29:39 +00:00
Oli
1d37dfa5b8 raise rclone mount poll interval 2023-07-27 23:28:06 +00:00
Oli
3e747a1069 ansible-lint recommendations 2023-07-27 23:27:11 +00:00
Oli
ccca06915f update X-Robots-Tag to noindex, nofollow 2023-03-24 15:34:18 +00:00
Oli
a0fef30464 change smtp port to 587 to bypass hcloud restrictions
Hetzner blocks ports 25 and 465 by default on all cloud servers.
https://docs.hetzner.com/cloud/servers/faq/#why-can-i-not-send-any-mails-from-my-server
2023-03-04 11:01:54 +00:00
Oli
ae2010e259 update tokens to use new DTSV hcloud account 2023-03-04 10:25:46 +00:00
Oli
033b8a8160 fix permissions for wordpress user in webroot 2023-02-28 21:44:41 +00:00
Oli
eac33a98c8 update README 2023-02-28 21:13:15 +00:00
Oli
ce5b361ef6 change wordpress webroot 2023-02-28 21:11:50 +00:00
Oli
b9af96fbbe replace apt_repository with shell module
apt_repository uses the deprecated apt-key
2023-02-28 01:52:50 +00:00
Oli
34f3c54ceb add quotes around octal values
YAML loaders will load them as strings, providing a consistent behavior. This is also safer as JSON does not support octal values either.
2023-02-19 14:18:09 +00:00
Oli
4d1d486512 add wordpress SSH user for uploads 2023-02-05 00:02:42 +00:00
Oli
977a12730f restrict permissions on mounts 2023-02-04 23:34:41 +00:00
79 changed files with 1172 additions and 626 deletions


@@ -3,6 +3,7 @@ The infrastructure runs a basic LNPP (Linux + Nginx + PostgreSQL + PHP) stack on
[**DB instance**](./db.yml) [**DB instance**](./db.yml)
* PostgreSQL 15 * PostgreSQL 15
* MariaDB 10.10
[**Webserver instance**](./web.yml) [**Webserver instance**](./web.yml)
* Nginx (mainline) * Nginx (mainline)
@@ -11,8 +12,8 @@ The infrastructure runs a basic LNPP (Linux + Nginx + PostgreSQL + PHP) stack on
**Web-Services** **Web-Services**
* Wordpress ([twirling.de](https://twirling.de))
* Nextcloud ([cloud.twirling.de](https://cloud.twirling.de)) * Nextcloud ([cloud.twirling.de](https://cloud.twirling.de))
* Wordpress ([dev.twirling.de](https://dev.twirling.de))
**Monitoring System** (🚧 under construction 🚧) **Monitoring System** (🚧 under construction 🚧)
* node_exporter (basic metrics) * node_exporter (basic metrics)


@@ -2,24 +2,24 @@
# Hetzner Cloud API Tokens # Hetzner Cloud API Tokens
vault_hcloud_token: !vault | vault_hcloud_token: !vault |
$ANSIBLE_VAULT;1.2;AES256;dtsv-dev $ANSIBLE_VAULT;1.2;AES256;dtsv-dev
34663466303439366438333433393130326337383265643332316333336331306461303330356131 32383834663934356366623563663765633561363438633064363061636632333831303137383065
3965396464356466373466313037306638396130633130370a643639363964636630633062333261 3936613361323135306363333265323036653063626662610a616563306166376331346333373066
66653764326538393934396537626463356162376661333635663563303465633537343030353435 63303536393931336234303634363437396337346264336338303862396366373830396231396635
3533646561663736390a613666643565313838343636646265373735386464613533306437326261 3864336230623462350a373337633638643530666331656434363836663033616132373931383964
32616235396138306335373466303337666330383633666663653162613736386132383132346333 35656333626335356463316231393132393633383962386661613933656535313638326130616330
32613539313165366363363633356463356539363561396365626435343139336266656362313536 61366232373262383236623231376636653433616131623163666536383462373736313837646231
63386239383362636231633138333136383339336662623331393530613034663664663164353364 65333665343835323663383230626661346134343264636237313262396333623265336436353166
34636138383365633862 64386637316265323439
vault_hcloud_token_terraform: !vault | vault_hcloud_token_terraform: !vault |
$ANSIBLE_VAULT;1.2;AES256;dtsv-dev $ANSIBLE_VAULT;1.2;AES256;dtsv-dev
32613339373964636635323439396465313732393463643134306635653532346665363630386135 39363935653466626365383331343966646161363438376236396339373266303964303438333562
6130353538326163663462666538623962346362323930330a303331373835663861323335656532 3137346338323838633062663433333634373132306231340a306264346261633439623931356664
36386464373464353436613738326530653433303435363730323534363565386366396132333034 62313430343130376465623633363666646234656666633965326161613436353733666166316533
6139613632363464310a326234666230653638653736343562346565663661326161313565643433 3966663335396338630a306638666139353562316263383033343233303561643966333035656561
30616632336538633436396631656563356264303662383361633161623766303364656236386366 32376530636435613239323130626439623465363838643062666535636433333137326635643334
30623065323661346135613334383465613037663133636239363362363162313966393730353765 37346637316464393337653635623737353063616338326566313537313331323264656161323535
30353633353231633065333439326264303135616365373461623033663262333965643237366534 65313938343435616439616662326362303935353234316336313231623961356134383134353664
61323365373231626337 65613432616366336466
vault_ionos_token_terraform: !vault | vault_ionos_token_terraform: !vault |
$ANSIBLE_VAULT;1.2;AES256;dtsv-dev $ANSIBLE_VAULT;1.2;AES256;dtsv-dev
30653231383361616437346262386365353031613265333238323866313033666336343863353539 30653231383361616437346262386365353031613265333238323866313033666336343863353539
@@ -52,7 +52,7 @@ pgsql_server_port: 5432
mariadb_server_ip: "10.0.0.3" mariadb_server_ip: "10.0.0.3"
mariadb_server_port: 3306 mariadb_server_port: 3306
smtp_hostname: "smtp.ionos.de" smtp_hostname: "smtp.ionos.de"
smtp_port: 465 smtp_port: 587
turn_server: "turn.ows.cx" turn_server: "turn.ows.cx"
turn_port: 443 turn_port: 443
vault_turn_secret: !vault | vault_turn_secret: !vault |
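Review bot: The change to `smtp_port: 587` moves mail submission from implicit TLS (465) to the STARTTLS port, so transport encryption now depends on the mail client's TLS policy rather than on the port itself; whatever consumes `smtp_hostname`/`smtp_port` should be configured to require STARTTLS, not treat it as opportunistic, or the SMTP credential can be sent in the clear on a downgraded session. That consumer is outside this hunk, so this is a point to verify rather than a visible defect. A comment would save the next reader a trip to the history: `# 587 = STARTTLS submission port; 25 and 465 are blocked on hcloud (see commit a0fef30464)`.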


@@ -1,6 +1,5 @@
--- ---
# Hetzner Cloud Node Variables # Hetzner Cloud Node Variables
deb_architecture: "amd64"
# Main User from Terraform cloud-init # Main User from Terraform cloud-init
main_user: oli main_user: oli
# SSH Private Key # SSH Private Key


@@ -1,3 +1,2 @@
--- ---
deb_architecture: "amd64"
main_user: oli main_user: oli


@@ -1,14 +1,14 @@
plugin: hcloud plugin: hcloud
token: !vault | token: !vault |
$ANSIBLE_VAULT;1.2;AES256;dtsv-dev $ANSIBLE_VAULT;1.2;AES256;dtsv-dev
34663466303439366438333433393130326337383265643332316333336331306461303330356131 32383834663934356366623563663765633561363438633064363061636632333831303137383065
3965396464356466373466313037306638396130633130370a643639363964636630633062333261 3936613361323135306363333265323036653063626662610a616563306166376331346333373066
66653764326538393934396537626463356162376661333635663563303465633537343030353435 63303536393931336234303634363437396337346264336338303862396366373830396231396635
3533646561663736390a613666643565313838343636646265373735386464613533306437326261 3864336230623462350a373337633638643530666331656434363836663033616132373931383964
32616235396138306335373466303337666330383633666663653162613736386132383132346333 35656333626335356463316231393132393633383962386661613933656535313638326130616330
32613539313165366363363633356463356539363561396365626435343139336266656362313536 61366232373262383236623231376636653433616131623163666536383462373736313837646231
63386239383362636231633138333136383339336662623331393530613034663664663164353364 65333665343835323663383230626661346134343264636237313262396333623265336436353166
34636138383365633862 64386637316265323439
connect_with: public_ipv4 connect_with: public_ipv4
# Group by a location with prefix e.g. "hcloud_location_nbg1" # Group by a location with prefix e.g. "hcloud_location_nbg1"


@@ -1,9 +1,10 @@
--- ---
- name: Copy SSH config/keys - name: Copy SSH config/keys
become: true
become_user: "{{ main_user }}"
copy: copy:
src: "ssh/" src: "ssh/"
dest: "~/.ssh/" dest: "~/.ssh/"
mode: 0600 mode: "0600"
directory_mode: true directory_mode: true
become_user: "{{ main_user }}"
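Review bot: With `become: true` now on the task, `dest: "~/.ssh/"` relies on `~` expanding to `{{ main_user }}`'s home under the become method in use; that holds with Ansible's default sudo flags, which set HOME, but not with every become plugin or sudoers configuration. An explicit path removes the dependency: `dest: "/home/{{ main_user }}/.ssh/"` (or resolve the home directory via `getent` first). `mode: "0600"` is applied to every file under `ssh/`, which is right for private keys and harmless for `config` and public keys, so that part needs no change.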


@@ -1,16 +1,18 @@
--- ---
- name: Create .tfvars_token_dtsv - name: Create .tfvars_token_dtsv
become: true
become_user: "{{ main_user }}"
template: template:
src: "tfvars_token.j2" src: "tfvars_token.j2"
dest: "~/.tfvars_token_dtsv" dest: "~/.tfvars_token_dtsv"
mode: 0640 mode: "0640"
become_user: "{{ main_user }}"
- name: Add .tfvars_token to .bash_profile - name: Add .tfvars_token to .bash_profile
become: true
become_user: "{{ main_user }}"
lineinfile: lineinfile:
path: "~/.bash_profile" path: "~/.bash_profile"
create: true create: true
line: "source ~/.tfvars_token_dtsv" line: "source ~/.tfvars_token_dtsv"
mode: 0644 mode: "0644"
become_user: "{{ main_user }}"
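Review bot: `mode: "0640"` on `~/.tfvars_token_dtsv` leaves the file readable by main_user's primary group, and the file exists only to hold a token (template `tfvars_token.j2`, sourced from `.bash_profile` by the next task). Unless something in that group needs it, `mode: "0600"` is the tighter default for a credential file. Note also that sourcing the token into every login shell via `.bash_profile` exposes it to anything run from those shells, which is presumably the intent here but worth a comment on the `lineinfile` task.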


@@ -0,0 +1,14 @@
---
# lego_certificate_domains:
# - cn: "dns.ows.cx"
# sans: [*.dns.ows.cx]
# lego_certificate_destination:
# path: /etc/nginx/certs
# owner: root
# group: nginx
# lego_services_reload:
# name: nginx
# # OR
# command: /usr/sbin/nginx -s reload
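Review bot: The example `# sans: [*.dns.ows.cx]` is not valid YAML once uncommented — inside a flow sequence a leading `*` is an alias indicator, so the loader looks for an anchor named `.dns.ows.cx` and fails. Quote wildcard names in the example so it can be copied as-is: `# sans: ["*.dns.ows.cx"]`. Since `lego_services_reload.command` is passed to `eval` by the renew hook, a line such as `# command: runs as root, verbatim, after every renewal` above that example would tell operators what the value does.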


@@ -1,12 +1,12 @@
--- ---
- name: restart lego_timer - name: Restart lego_timer
systemd: systemd:
daemon_reload: true daemon_reload: true
enabled: true enabled: true
name: lego.timer name: lego.timer
state: restarted state: restarted
- name: restart lego_service - name: Restart lego_service
systemd: systemd:
daemon_reload: true daemon_reload: true
enabled: true enabled: true


@@ -1,22 +1,41 @@
--- ---
- name: Get latest lego version - name: Get latest lego version
github_release: become: false
user: go-acme
repo: lego
action: latest_release
token: "{{ vault_github_token }}"
delegate_to: localhost delegate_to: localhost
run_once: true run_once: true
register: lego_version when: lego_version is undefined
block:
- name: Get latest version from Github
github_release: # needs Python Module github3.py
user: go-acme
repo: lego
action: latest_release
token: "{{ vault_github_token }}"
register: lego_github_version
- name: Download lego {{ lego_version.tag }} from GitHub - name: "{{ lego_github_version }}"
set_fact:
lego_version: "{{ lego_github_version.tag }}"
- name: Set architecture alias
set_fact:
architecture_alias: "amd64" # noqa: var-naming[no-role-prefix]
when: ansible_architecture == "x86_64"
- name: Set architecture alias
set_fact:
architecture_alias: "arm64" # noqa: var-naming[no-role-prefix]
when: ansible_architecture == "aarch64"
- name: "Download lego from GitHub"
get_url: get_url:
url: "https://github.com/go-acme/lego/releases/download/\ url: "https://github.com/go-acme/lego/releases/download/\
{{ lego_version.tag }}/lego_{{ lego_version.tag }}\ {{ lego_version }}/lego_{{ lego_version }}\
_linux_{{ deb_architecture }}.tar.gz" _linux_{{ architecture_alias }}.tar.gz"
dest: "/var/tmp/lego.tar.gz" dest: "/var/tmp/lego.tar.gz"
register: _download_archive mode: "0644"
until: _download_archive is succeeded register: lego_download_archive
until: lego_download_archive is succeeded
retries: 3 retries: 3
delay: 5 delay: 5
@@ -24,8 +43,7 @@
unarchive: unarchive:
remote_src: true remote_src: true
src: "/var/tmp/lego.tar.gz" src: "/var/tmp/lego.tar.gz"
dest: "/var/tmp" dest: "{{ lego_install_dir }}"
mode: 0755
extra_opts: extra_opts:
- --one-top-level - --one-top-level
include: include:
@@ -34,29 +52,47 @@
- name: Create lego config directory - name: Create lego config directory
file: file:
path: "{{ lego_config_dir }}" path: "{{ lego_config_dir }}"
mode: 0755 mode: "0755"
state: directory state: directory
- name: Check lego registration - name: Copy ACME renew-hook script
stat: template:
path: "{{ lego_config_dir }}/accounts" src: "renew-hook.sh.j2"
register: account_dir dest: "{{ lego_config_dir }}/renew-hook.sh"
mode: "0750"
vars:
lego_cert_dir: "{{ lego_config_dir }}/certificates"
- name: Register lego and create cert - name: Register lego and create cert
command: | shell: >
{{ lego_install_dir }}/lego --accept-tos {{ lego_install_dir }}/lego --accept-tos
{% for dns in certificate_domains %} --domains="{{ item.cn }}"
--domains="{{ dns }}" {% if item.sans is defined and item.sans %}
{% endfor %} {% for san in item.sans %}--domains="{{ san }}" {% endfor %}
{{ lego_cli_params|join(' ') }} {% endif %}
run {{ lego_cli_params | join(' ') }}
run &&
{{ lego_config_dir }}/renew-hook.sh '{{ item.cn }}'
args:
creates: "{{ lego_certificate_destination.path | default(lego_config_dir + '/certificates') }}/{{ item.cn }}.crt"
environment: '{ "{{ lego_provider|upper }}_API_KEY": "{{ vault_ionos_token_dns }}" }' environment: '{ "{{ lego_provider|upper }}_API_KEY": "{{ vault_ionos_token_dns }}" }'
when: not account_dir.stat.exists loop: "{{ lego_certificate_domains }}"
loop_control:
label: "{{ item.cn }}"
- name: Copy lego systemd service - name: Copy lego systemd service
template: template:
src: "{{ item }}.j2" src: "lego.{{ item.1 }}.j2"
dest: "/etc/systemd/system/{{ item }}" dest: "/etc/systemd/system/lego_{{ item.0.cn }}.{{ item.1 }}"
mode: 0644 mode: "0644"
loop: [lego.service, lego.timer] loop: "{{ lego_certificate_domains | product(['service', 'timer']) | list }}"
notify: [restart lego_service, restart lego_timer] loop_control:
label: "lego_{{ item.0.cn }}.{{ item.1 }}"
- name: Start lego_timer
systemd:
daemon_reload: true
enabled: true
name: "lego_{{ item.cn }}.timer"
state: started
loop: "{{ lego_certificate_domains }}"
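Review bot: The `Download lego from GitHub` task fetches a binary that the next task unpacks straight into `{{ lego_install_dir }}` with no integrity check; `get_url` supports `checksum:`, so a pinned digest per `lego_version`, or `checksum: "sha256:<URL-OF-RELEASE-CHECKSUMS-FILE>"` if the release publishes one, would keep a tampered or truncated download off PATH. The same gap exists in the `Download mysqld_exporter` task and the `Download nextcloud_exporter` / `Download nextcloud_notify_push` tasks in this change. Separately, the unarchive task keeps `--one-top-level` while `dest:` moved from `/var/tmp` to the install dir; with that option GNU tar extracts into a subdirectory named after the archive, so confirm the binary really lands at `{{ lego_install_dir }}/lego` as the `Register lego and create cert` task expects — the unarchive task's `include:` list continues outside the hunk.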


@@ -1,19 +1,31 @@
## Managed by Ansible ## ## Managed by Ansible ##
[Unit] [Unit]
Description=Run lego renew Description=Renew Lets Encrypt certificate for {{ item.0.cn }}
After=network-online.target After=network-online.target
[Service] [Service]
Type=oneshot Type=oneshot
{% if lego_provider == "ionos" %}
Environment={{ lego_provider|upper }}_API_KEY={{ vault_ionos_token_dns }} Environment={{ lego_provider|upper }}_API_KEY={{ vault_ionos_token_dns }}
{% endif %}
ExecStart={{ lego_install_dir }}/lego \ ExecStart={{ lego_install_dir }}/lego \
{% for dns in certificate_domains %} --domains="{{ item.0.cn }}" \
--domains="{{ dns }}" \ {% if item.0.sans is defined and item.0.sans %}
{% endfor %} {% for san in item.0.sans %}
{{ lego_cli_params|join(' ') }} \ --domains="{{ san }}" \
renew {% endfor %}
{% endif %}
{{ lego_cli_params | join(' ') }} \
renew \
--renew-hook="{{ lego_config_dir }}/renew-hook.sh {{ item.0.cn }}"
User=root User=root
# Restart if renewal fails, but not too quickly
RestartSec=12h
Restart=on-failure
StartLimitInterval=72h
StartLimitBurst=3
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
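Review bot: `Environment={{ lego_provider|upper }}_API_KEY={{ vault_ionos_token_dns }}` writes the DNS provider API key into `/etc/systemd/system/lego_<cn>.service`, and the `Copy lego systemd service` task installs that file with `mode: "0644"`, so the vault-protected secret ends up world-readable on the host. Move it out of the unit: `EnvironmentFile={{ lego_config_dir }}/{{ item.0.cn }}.env` pointing at a root-only (0600) file written by a separate template task, or at minimum install the unit itself as 0600, which systemd reads fine. Two smaller points on the new lines: `Restart=on-failure` on a `Type=oneshot` service is rejected by older systemd releases, and `StartLimitInterval`/`StartLimitBurst` are `[Unit]`-section settings on current ones, so run `systemd-analyze verify` against the rendered unit on the target release.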


@@ -1,12 +1,12 @@
## Managed by Ansible ## ## Managed by Ansible ##
[Unit] [Unit]
Description=Start lego renew Description=Timer for Lets Encrypt certificate renewal of {{ item.0.cn }}
[Timer] [Timer]
Persistent=true Persistent=true
OnCalendar=Mon 04:00:00 OnCalendar=Mon 03:00:00
RandomizedDelaySec=3600 RandomizedDelaySec=1h
[Install] [Install]
WantedBy=timers.target WantedBy=timers.target


@@ -0,0 +1,134 @@
#!/usr/bin/bash
## Managed by Ansible ##
# Variables set by Ansible
cert_src_path="{{ lego_cert_dir }}"
# Certificate destination variables (if defined)
cert_dest_path="{{ lego_certificate_destination.path | default('') }}"
cert_owner="{{ lego_certificate_destination.owner | default('') }}"
cert_group="{{ lego_certificate_destination.group | default('') }}"
# Service reload variables (if defined)
service_name="{{ lego_services_reload.name | default('') }}"
service_command="{{ lego_services_reload.command | default('') }}"
copy_certificate_files() {
local domain="$1"
local success=true
# Check if destination is defined
if [ -z "$cert_dest_path" ]; then
echo "No certificate destination defined, skipping copy"
return 0
fi
echo "Copying certificate files for $domain..."
echo "Copying to $cert_dest_path..."
# Create destination directory if it doesn't exist
mkdir -p "$cert_dest_path"
# Copy certificate files
cp "$cert_src_path/${domain}.crt" "$cert_dest_path/${domain}.crt" || success=false
cp "$cert_src_path/${domain}.key" "$cert_dest_path/${domain}.key" || success=false
# Copy issuer cert if it exists
if [ -f "$cert_src_path/${domain}.issuer.crt" ]; then
cp "$cert_src_path/${domain}.issuer.crt" "$cert_dest_path/${domain}.issuer.crt" || success=false
fi
# Set standard secure permissions
# 644 for certificates, 600 for keys
chmod 644 "$cert_dest_path/${domain}.crt" || success=false
chmod 600 "$cert_dest_path/${domain}.key" || success=false
# Set issuer cert permissions if it exists
if [ -f "$cert_dest_path/${domain}.issuer.crt" ]; then
chmod 644 "$cert_dest_path/${domain}.issuer.crt" || success=false
fi
# Set ownership if specified
if [ -n "$cert_owner" ] && [ -n "$cert_group" ]; then
if [ -f "$cert_dest_path/${domain}.issuer.crt" ]; then
chown "$cert_owner":"$cert_group" "$cert_dest_path/${domain}.crt" "$cert_dest_path/${domain}.key" "$cert_dest_path/${domain}.issuer.crt" || success=false
else
chown "$cert_owner":"$cert_group" "$cert_dest_path/${domain}.crt" "$cert_dest_path/${domain}.key" || success=false
fi
fi
if $success; then
echo "Certificate files copied successfully"
return 0
else
echo "Error copying certificate files"
return 1
fi
}
reload_service() {
local domain="$1"
local success=true
# Check if service reload is defined
if [ -z "$service_name" ] && [ -z "$service_command" ]; then
echo "No service reload defined, skipping reload"
return 0
fi
echo "Reloading service..."
if [ -n "$service_command" ]; then
echo "Running command: $service_command"
eval "$service_command" || success=false
elif [ -n "$service_name" ]; then
echo "Reloading $service_name..."
systemctl reload "$service_name" || systemctl restart "$service_name" || success=false
fi
if $success; then
echo "Service reloaded successfully"
return 0
else
echo "Error reloading service"
return 1
fi
}
# Check if domain is provided as parameter
if [ $# -lt 1 ]; then
echo "Error: Domain parameter is required"
echo "Usage: $0 <domain>"
exit 1
fi
# Get domain from parameter
domain="$1"
# Main execution
echo "Certificate renewal hook triggered for $domain"
# Call the functions
copy_certificate_files "$domain"
copy_result=$?
reload_service "$domain"
reload_result=$?
# Send webhook notification
message="$domain certificate was successfully renewed"
if [ -n "$cert_dest_path" ]; then
message="${message}, files copied"
fi
if [ -n "$service_name" ] || [ -n "$service_command" ]; then
message="${message}, and service reloaded"
fi
if [ $copy_result -eq 0 ] && [ $reload_result -eq 0 ]; then
echo "$message"
else
echo "$domain certificate was renewed but post-renewal tasks failed"
fi
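Review bot: In `copy_certificate_files` each file is created with `cp` and only afterwards `chmod`ed, so the private key briefly carries whatever mode `cp` gives a new file (source mode masked by umask) before `chmod 600` runs; `install -m 0600 "$cert_src_path/${domain}.key" "$cert_dest_path/${domain}.key" || success=false` (and `install -m 0644` for the two certificates, adding `-o "$cert_owner" -g "$cert_group"` when both are set) creates each file with its final mode in one step and removes the separate chmod/chown branches. The `# Send webhook notification` comment does not match the code below it, which only writes to stdout; `# Report the outcome on stdout` is accurate. `reload_service` takes `$domain` but never uses it, and `eval "$service_command"` executes the `lego_services_reload.command` value as root verbatim, which deserves a note in the header comment so operators know that variable is run, not merely logged.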


@@ -1,21 +1,17 @@
--- ---
# Lego
lego_install_dir: "/usr/local/bin" lego_install_dir: "/usr/local/bin"
lego_config_dir: "/etc/lego" lego_config_dir: "/var/lib/lego"
lego_provider: "ionos" lego_provider: "ionos"
lego_cert_mail: !vault | lego_cli_params:
- --path={{ lego_config_dir }}
- --email={{ vault_lego_cert_mail }}
- --dns={{ lego_provider }}
- --key-type=ec256
vault_lego_cert_mail: !vault |
$ANSIBLE_VAULT;1.2;AES256;dtsv-dev $ANSIBLE_VAULT;1.2;AES256;dtsv-dev
32353064653631636431646333633664363866666439306235303138306461313266343939346463 32353064653631636431646333633664363866666439306235303138306461313266343939346463
6565636462656666366133653638333433393730656362360a333363623561646436613530623662 6565636462656666366133653638333433393730656362360a333363623561646436613530623662
34623331313964316464653333646134353037333065373063346164623037663235316361646666 34623331313964316464653333646134353037333065373063346164623037663235316361646666
3466623937663061340a643863633034633665316364313065303166643363653366363063303261 3466623937663061340a643863633034633665316364313065303166643363653366363063303261
34316163616637633837333539626337356563616566346561333439646565373665 34316163616637633837333539626337356563616566346561333439646565373665
lego_cli_params:
- --path={{ lego_config_dir }}
- --email={{ lego_cert_mail }}
- --dns={{ lego_provider }}
- --key-type=ec384
# Certificates
certificate_domains:
- "twirling.de"
- "*.twirling.de"


@@ -1,15 +1,15 @@
--- ---
- name: restart mariadb - name: Restart mariadb
systemd: systemd:
name: mariadb.service name: mariadb.service
state: restarted state: restarted
- name: reload mariadb - name: Reload mariadb
systemd: systemd:
name: mariadb.service name: mariadb.service
state: reloaded state: reloaded
- name: restart mysqld_exporter - name: Restart mysqld_exporter
systemd: systemd:
daemon_reload: true daemon_reload: true
enabled: true enabled: true


@@ -1,4 +1,14 @@
--- ---
- name: Set architecture alias
set_fact:
architecture_alias: "amd64" # noqa: var-naming[no-role-prefix]
when: ansible_architecture == "x86_64"
- name: Set architecture alias
set_fact:
architecture_alias: "arm64" # noqa: var-naming[no-role-prefix]
when: ansible_architecture == "aarch64"
- name: Add MariaDB GPG apt key - name: Add MariaDB GPG apt key
apt_key: apt_key:
url: https://mariadb.org/mariadb_release_signing_key.asc url: https://mariadb.org/mariadb_release_signing_key.asc
@@ -7,8 +17,15 @@
- name: Add MariaDB Repository - name: Add MariaDB Repository
apt_repository: apt_repository:
repo: "deb [arch={{ deb_architecture }} signed-by=/usr/share/keyrings/mariadb_release_signing_key.gpg] \ repo: "deb [arch={{ architecture_alias }} signed-by=/usr/share/keyrings/mariadb_release_signing_key.gpg] \
https://mirrors.n-ix.net/mariadb/repo/{{ mariadb_server_version }}/ubuntu {{ ansible_distribution_release }} main/debug" https://dlm.mariadb.com/repo/mariadb-server/{{ mariadb_server_version }}/repo/ubuntu {{ ansible_distribution_release }} main"
state: present
update_cache: true
- name: Add MariaDB Debug Repository
apt_repository:
repo: "deb [arch={{ architecture_alias }} signed-by=/usr/share/keyrings/mariadb_release_signing_key.gpg] \
https://dlm.mariadb.com/repo/mariadb-server/{{ mariadb_server_version }}/repo/ubuntu {{ ansible_distribution_release }} main/debug"
state: present state: present
update_cache: true update_cache: true
@@ -32,5 +49,5 @@
dest: /etc/mysql/my.cnf dest: /etc/mysql/my.cnf
owner: mysql owner: mysql
group: mysql group: mysql
mode: 0600 mode: "0600"
notify: restart mariadb notify: Restart mariadb
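Review bot: The two `Set architecture alias` tasks cover only `x86_64` and `aarch64`; on any other `ansible_architecture` the fact is never set and the `Add MariaDB Repository` task fails later with an undefined-variable error instead of a clear message. A single lookup fails early and reads better: `architecture_alias: "{{ {'x86_64': 'amd64', 'aarch64': 'arm64'}[ansible_architecture] }}"` — or keep the two tasks and add an `assert` on `architecture_alias is defined` before the first use. The same pair is pasted into the lego, mysqld_exporter and nextcloud_exporter task files in this change, so it is a candidate for one shared tasks file. `mariadb_server_version: "11.rolling"` in the defaults means a routine `apt upgrade` can now cross MariaDB major versions unattended, which may be intended but warrants a comment next to the variable.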


@@ -14,14 +14,24 @@
mysqld_exporter_version: "{{ mysqld_exporter_version | replace ('v', '', 1) | trim }}" mysqld_exporter_version: "{{ mysqld_exporter_version | replace ('v', '', 1) | trim }}"
run_once: true run_once: true
- name: Set architecture alias
set_fact:
architecture_alias: "amd64" # noqa: var-naming[no-role-prefix]
when: ansible_architecture == "x86_64"
- name: Set architecture alias
set_fact:
architecture_alias: "arm64" # noqa: var-naming[no-role-prefix]
when: ansible_architecture == "aarch64"
- name: Download mysqld_exporter {{ mysqld_exporter_version.tag }} from GitHub - name: Download mysqld_exporter {{ mysqld_exporter_version.tag }} from GitHub
get_url: get_url:
url: "https://github.com/prometheus/mysqld_exporter/releases/download/\ url: "https://github.com/prometheus/mysqld_exporter/releases/download/\
v{{ mysqld_exporter_version.tag }}/mysqld_exporter-{{ mysqld_exporter_version.tag }}\ v{{ mysqld_exporter_version.tag }}/mysqld_exporter-{{ mysqld_exporter_version.tag }}\
.linux-{{ deb_architecture }}.tar.gz" .linux-{{ architecture_alias }}.tar.gz"
dest: "/var/tmp/mysqld_exporter.tar.gz" dest: "/var/tmp/mysqld_exporter.tar.gz"
register: _download_archive register: mysqld_exporter_download_archive
until: _download_archive is succeeded until: mysqld_exporter_download_archive is succeeded
retries: 3 retries: 3
delay: 5 delay: 5
@@ -35,8 +45,8 @@
extra_opts: extra_opts:
--strip-components=1 --strip-components=1
include: include:
- "mysqld_exporter-{{ mysqld_exporter_version.tag }}.linux-{{ deb_architecture }}/mysqld_exporter" - "mysqld_exporter-{{ mysqld_exporter_version.tag }}.linux-{{ architecture_alias }}/mysqld_exporter"
notify: restart mysqld_exporter notify: Restart mysqld_exporter
- name: Copy the mysqld_exporter systemd service file - name: Copy the mysqld_exporter systemd service file
template: template:
@@ -44,5 +54,5 @@
dest: /etc/systemd/system/mysqld_exporter.service dest: /etc/systemd/system/mysqld_exporter.service
owner: root owner: root
group: root group: root
mode: 0644 mode: "0644"
notify: restart mysqld_exporter notify: Restart mysqld_exporter


@@ -1,7 +1,7 @@
--- ---
# MariaDB # MariaDB
mariadb_server_version: "10.10" mariadb_server_version: "11.rolling"
mariadb_config: mariadb_config:
# - name: unix_socket_directories # - name: unix_socket_directories
# value: default # comma-separated list of directories. default: "/var/run/mariadb" # value: default # comma-separated list of directories. default: "/var/run/mariadb"


@@ -1,13 +1,13 @@
--- ---
- name: restart rclone_mount_nextcloud - name: Restart rclone_mount_nextcloud
systemd: systemd:
daemon_reload: true daemon_reload: true
enabled: true enabled: true
name: rclone_mount_nextcloud.service name: rclone_mount_nextcloud.service
state: restarted state: restarted
- name: restart nextcloudcron - name: Restart nextcloudcron
systemd: systemd:
daemon_reload: true daemon_reload: true
enabled: true enabled: true
@@ -15,30 +15,23 @@
state: restarted state: restarted
loop: [nextcloudcron.service, nextcloudcron.timer] loop: [nextcloudcron.service, nextcloudcron.timer]
- name: restart nextcloud_nightlycron - name: Restart nextcloud_nightlycron
systemd: systemd:
daemon_reload: true daemon_reload: true
enabled: true enabled: true
name: nextcloud_nightlycron.timer name: nextcloud_nightlycron.timer
state: restarted state: restarted
- name: restart nextcloud_notify_push - name: Restart nextcloud_notify_push
systemd: systemd:
daemon_reload: true daemon_reload: true
enabled: true enabled: true
name: nextcloud_notify_push.service name: nextcloud_notify_push.service
state: restarted state: restarted
- name: restart nextcloud_exporter - name: Restart nextcloud_exporter
systemd: systemd:
daemon_reload: true daemon_reload: true
enabled: true enabled: true
name: nextcloud_exporter.service name: nextcloud_exporter.service
state: restarted state: restarted
- name: restart nextcloud_backup_timer
systemd:
daemon_reload: true
enabled: true
name: nextcloud_backup.timer
state: restarted


@@ -4,9 +4,10 @@
lineinfile: lineinfile:
path: "{{ nextcloud_dir }}/.user.ini" path: "{{ nextcloud_dir }}/.user.ini"
line: '{{ item.type }} {{ item.option }} {{ item.value }}' line: '{{ item.type }} {{ item.option }} {{ item.value }}'
create: true
owner: "{{ webserver_user }}" owner: "{{ webserver_user }}"
group: "{{ webserver_group }}" group: "{{ webserver_group }}"
mode: "0644"
create: true
loop: "{{ nextcloud_user_ini }}" loop: "{{ nextcloud_user_ini }}"
- name: Install apps - name: Install apps
@@ -14,24 +15,31 @@
become_user: "{{ webserver_user }}" become_user: "{{ webserver_user }}"
command: command:
cmd: php occ app:install {{ item }} cmd: php occ app:install {{ item }}
args:
chdir: "{{ nextcloud_dir }}" chdir: "{{ nextcloud_dir }}"
creates: "{{ nextcloud_dir }}/apps/{{ item }}" creates: "{{ nextcloud_dir }}/apps/{{ item }}"
ignore_errors: true loop: "{{ nextcloud_occ_install_app }}"
with_items: "{{ nextcloud_apps }}"
- name: Update apps
become: true
become_user: "{{ webserver_user }}"
command:
cmd: php occ app:update --all
args:
chdir: "{{ nextcloud_dir }}"
register: nextcloud_apps_update
changed_when: "' updated' in nextcloud_apps_update.stdout"
- name: Set configs via occ - name: Set configs via occ
become: true become: true
become_user: "{{ webserver_user }}" become_user: "{{ webserver_user }}"
command: command:
cmd: php occ config:app:set {{ item }} cmd: php occ config:app:set {{ item }}
args:
chdir: "{{ nextcloud_dir }}" chdir: "{{ nextcloud_dir }}"
loop: register: nextcloud_occ_config_app_output
- "preview jpeg_quality --value=60" changed_when: nextcloud_occ_config_app_output.rc != 0
- "previewgenerator squareSizes --value='256 1024'" loop: "{{ nextcloud_occ_config_app }}"
- "previewgenerator widthSizes --value=2048"
- "previewgenerator heightSizes --value=2048"
- "files_trashbin background_job_expire_trash --value=no"
- "files_versions background_job_expire_versions --value=no"
when: not nextcloud_dir_stat.stat.exists when: not nextcloud_dir_stat.stat.exists
- name: Get latest nextcloud_exporter version - name: Get latest nextcloud_exporter version
@@ -45,35 +53,49 @@
register: nextcloud_exporter_version register: nextcloud_exporter_version
- name: "{{ nextcloud_exporter_version }}" - name: "{{ nextcloud_exporter_version }}"
set_fact: set_fact:
nextcloud_exporter_version: "{{ nextcloud_exporter_version | replace ('v', '', 1) | trim }}" nextcloud_exporter_version: "{{ nextcloud_exporter_version | replace('v', '', 1) | trim }}"
run_once: true run_once: true
- name: Download nextcloud_exporter {{ nextcloud_exporter_version.tag }} from GitHub - name: Set architecture alias
set_fact:
architecture_alias: "amd64" # noqa: var-naming[no-role-prefix]
when: ansible_architecture == "x86_64"
- name: Set architecture alias
set_fact:
architecture_alias: "arm64" # noqa: var-naming[no-role-prefix]
when: ansible_architecture == "aarch64"
- name: "Download nextcloud_exporter from GitHub"
get_url: get_url:
url: "https://github.com/xperimental/nextcloud-exporter/releases/download/\ url: "https://github.com/xperimental/nextcloud-exporter/releases/download/\
v{{ nextcloud_exporter_version.tag }}/nextcloud-exporter-{{ nextcloud_exporter_version.tag }}\ v{{ nextcloud_exporter_version.tag }}/nextcloud-exporter_{{ nextcloud_exporter_version.tag }}\
-{{ deb_architecture }}.bz2" _{{ architecture_alias }}.bz2"
dest: "/var/tmp/nextcloud-exporter.bz2" dest: "/var/tmp/nextcloud-exporter.bz2"
register: _download_archive mode: "0644"
until: _download_archive is succeeded register: nextcloud_exporter_download_archive
until: nextcloud_exporter_download_archive is succeeded
retries: 3 retries: 3
delay: 5 delay: 5
- name: decompress nextcloud_exporter - name: Decompress nextcloud_exporter
command: command:
cmd: "bzip2 -dk nextcloud-exporter.bz2" cmd: "bzip2 -dkf nextcloud-exporter.bz2"
chdir: /var/tmp args:
creates: /var/tmp/nextcloud-exporter chdir: /var/tmp/
register: nextcloud_exporter_decompress_archive
changed_when: nextcloud_exporter_decompress_archive.rc != 0
when: nextcloud_exporter_download_archive.changed # noqa: no-handler
- name: Copy nextcloud_exporter - name: Copy nextcloud_exporter
copy: copy:
remote_src: true
src: "/var/tmp/nextcloud-exporter" src: "/var/tmp/nextcloud-exporter"
dest: "{{ nextcloud_exporter_install_dir }}/nextcloud_exporter" dest: "{{ nextcloud_exporter_install_dir }}/nextcloud_exporter"
remote_src: true
owner: "{{ nextcloud_exporter_system_user }}" owner: "{{ nextcloud_exporter_system_user }}"
group: "{{ nextcloud_exporter_system_group }}" group: "{{ nextcloud_exporter_system_group }}"
mode: 0755 mode: "0755"
notify: restart nextcloud_exporter notify: Restart nextcloud_exporter
- name: Get latest nextcloud_notify_push version - name: Get latest nextcloud_notify_push version
github_release: github_release:
@@ -86,38 +108,29 @@
register: nextcloud_notify_push_version register: nextcloud_notify_push_version
- name: "{{ nextcloud_notify_push_version }}" - name: "{{ nextcloud_notify_push_version }}"
set_fact: set_fact:
nextcloud_notify_push_version: "{{ nextcloud_notify_push_version | replace ('v', '', 1) | trim }}" nextcloud_notify_push_version: "{{ nextcloud_notify_push_version | replace('v', '', 1) | trim }}"
run_once: true run_once: true
- name: "set deb_architecture alias" - name: "Download nextcloud_notify_push from GitHub"
set_fact:
deb_architecture_alias: "x86_64"
when: deb_architecture == "amd64"
- name: "set deb_architecture alias"
set_fact:
deb_architecture_alias: "{{ deb_architecture }}"
when: deb_architecture != "amd64"
- name: Download nextcloud_notify_push {{ nextcloud_notify_push_version.tag }} from GitHub
get_url: get_url:
url: "https://github.com/nextcloud/notify_push/releases/download/v{{ nextcloud_notify_push_version.tag }}\ url: "https://github.com/nextcloud/notify_push/releases/download/v{{ nextcloud_notify_push_version.tag }}\
/notify_push-{{ deb_architecture_alias }}-unknown-linux-musl" /notify_push-{{ ansible_architecture }}-unknown-linux-musl"
dest: "/var/tmp/notify_push-{{ deb_architecture_alias }}-unknown-linux-musl" dest: "/var/tmp/nextcloud_notify_push"
register: _download_archive mode: "0700"
until: _download_archive is succeeded register: nextcloud_notify_push_download_file
until: nextcloud_notify_push_download_file is succeeded
retries: 3 retries: 3
delay: 5 delay: 5
- name: Copy nextcloud_notify_push - name: Copy nextcloud_notify_push
copy: copy:
src: "/var/tmp/notify_push-{{ deb_architecture_alias }}-unknown-linux-musl"
dest: "{{ nextcloud_notify_push_install_dir }}/nextcloud_notify_push-{{ deb_architecture_alias }}"
remote_src: true remote_src: true
src: "/var/tmp/nextcloud_notify_push"
dest: "{{ nextcloud_notify_push_install_dir }}/nextcloud_notify_push"
owner: "{{ webserver_user }}" owner: "{{ webserver_user }}"
group: "{{ webserver_group }}" group: "{{ webserver_group }}"
mode: 0700 mode: "0700"
notify: restart nextcloud_notify_push notify: Restart nextcloud_notify_push
- name: Copy nextcloud_nightlycron - name: Copy nextcloud_nightlycron
template: template:
@@ -125,7 +138,7 @@
dest: "{{ nextcloud_background_script_dir }}/nextcloud_nightlycron.sh" dest: "{{ nextcloud_background_script_dir }}/nextcloud_nightlycron.sh"
owner: "{{ webserver_user }}" owner: "{{ webserver_user }}"
group: "{{ webserver_group }}" group: "{{ webserver_group }}"
mode: 0700 mode: "0700"
- name: Copy Nextcloud systemd service file - name: Copy Nextcloud systemd service file
template: template:
@@ -133,7 +146,7 @@
dest: "/etc/systemd/system/{{ item }}" dest: "/etc/systemd/system/{{ item }}"
owner: root owner: root
group: root group: root
mode: 0644 mode: "0644"
loop: loop:
- nextcloudcron.service - nextcloudcron.service
- nextcloudcron.timer - nextcloudcron.timer
@@ -142,11 +155,10 @@
- nextcloud_nightlycron.service - nextcloud_nightlycron.service
- nextcloud_nightlycron.timer - nextcloud_nightlycron.timer
notify: notify:
- restart {{ item | regex_replace ('\..*', '') }} - Restart {{ item | regex_replace('\..*', '') }}
- restart systemd_exporter
- name: Copy Nextcloud logrotate file - name: Copy Nextcloud logrotate file
template: template:
src: logrotate.nextcloud.j2 src: logrotate.nextcloud.j2
dest: /etc/logrotate.d/nextcloud dest: /etc/logrotate.d/nextcloud
mode: 0644 mode: "0644"

@@ -1,22 +1,9 @@
--- ---
- name: Install required system packages
apt:
name:
- python3-pip
state: latest
update_cache: true
cache_valid_time: 3600
- name: Install required python packages
pip:
name: gtar # needed for latest nextcloud tar.bz archive
state: latest
- name: Enable APCu - name: Enable APCu
lineinfile: lineinfile:
path: /etc/php/{{ php_version }}/cli/conf.d/20-apcu.ini path: /etc/php/{{ php_version }}/cli/conf.d/20-apcu.ini
line: apc.enable_cli=1 line: apc.enable_cli=1
notify: restart php-fpm notify: Restart php-fpm
- name: "Add {{ webserver_user }} user to redis group" - name: "Add {{ webserver_user }} user to redis group"
user: user:

@@ -9,6 +9,7 @@
register: nextcloud_dir_stat register: nextcloud_dir_stat
- name: Install Nextcloud - name: Install Nextcloud
when: not nextcloud_dir_stat.stat.exists
block: block:
- name: Create nextcloud directory - name: Create nextcloud directory
file: file:
@@ -16,15 +17,16 @@
state: directory state: directory
owner: "{{ webserver_user }}" owner: "{{ webserver_user }}"
group: "{{ webserver_group }}" group: "{{ webserver_group }}"
mode: 0775 mode: "0770"
force: false force: false
- name: Download nextcloud latest from nextcloud.com - name: Download nextcloud latest from nextcloud.com
get_url: get_url:
url: "https://download.nextcloud.com/server/releases/latest.tar.bz2" url: "https://download.nextcloud.com/server/releases/latest.tar.bz2"
dest: "/var/tmp/nextcloud.tar.gz" dest: "/var/tmp/nextcloud.tar.gz"
register: _download_archive mode: "0644"
until: _download_archive is succeeded register: nextcloud_download_archive
until: nextcloud_download_archive is succeeded
retries: 3 retries: 3
delay: 5 delay: 5
@@ -55,7 +57,7 @@
src: "nextcloud.config.json.j2" src: "nextcloud.config.json.j2"
dest: /tmp/nextcloud.config.json dest: /tmp/nextcloud.config.json
owner: "{{ webserver_user }}" owner: "{{ webserver_user }}"
mode: 0600 mode: "0600"
- name: Ensure nextcloud installation is finished - name: Ensure nextcloud installation is finished
become: true become: true
@@ -79,17 +81,20 @@
become_user: "{{ webserver_user }}" become_user: "{{ webserver_user }}"
command: command:
cmd: php occ config:import /tmp/nextcloud.config.json cmd: php occ config:import /tmp/nextcloud.config.json
args:
chdir: "{{ nextcloud_dir }}" chdir: "{{ nextcloud_dir }}"
register: nextcloud_occ_config_import_output
when: not nextcloud_dir_stat.stat.exists changed_when: nextcloud_occ_config_import_output.rc != 0
- name: Update Nextcloud - name: Update Nextcloud
when: nextcloud_updater
block: block:
- name: Run nextcloud's updater.phar in non-interactive way - name: Run nextcloud's updater.phar in non-interactive way
become: true become: true
become_user: "{{ webserver_user }}" become_user: "{{ webserver_user }}"
command: command:
cmd: 'php updater/updater.phar --no-interaction' cmd: 'php updater/updater.phar --no-interaction'
args:
chdir: "{{ nextcloud_dir }}" chdir: "{{ nextcloud_dir }}"
register: nextcloud_update_result register: nextcloud_update_result
changed_when: "'Start update' in nextcloud_update_result.stdout" changed_when: "'Start update' in nextcloud_update_result.stdout"
@@ -97,17 +102,19 @@
- name: Update result - name: Update result
debug: debug:
msg: "{{ nextcloud_update_result.stdout_lines }}" msg: "{{ nextcloud_update_result.stdout_lines }}"
when: nextcloud_update_result.changed when: nextcloud_update_result.changed # noqa: no-handler
- name: DB tuning after update - name: DB tuning after update
become: true become: true
become_user: "{{ webserver_user }}" become_user: "{{ webserver_user }}"
command: command:
cmd: php occ {{ item }} cmd: php occ {{ item }}
args:
chdir: "{{ nextcloud_dir }}" chdir: "{{ nextcloud_dir }}"
loop: loop:
- db:add-missing-indices - db:add-missing-indices
- db:convert-filecache-bigint - db:convert-filecache-bigint
- integrity:check-core - integrity:check-core
when: nextcloud_update_result.changed register: nextcloud_occ_update_tuning_output
when: nextcloud_updater changed_when: nextcloud_occ_update_tuning_output.rc != 0
when: nextcloud_update_result.changed # noqa: no-handler
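Review bot: `changed_when: nextcloud_occ_config_import_output.rc != 0` (and the same expression on the DB tuning task in the last hunk) can never report a change on a successful run, because a non-zero rc already fails a `command` task; if the intent is only to satisfy the no-changed-when lint, `changed_when: false` states that explicitly, and a real idempotence signal would have to parse the occ output. The rendered `/tmp/nextcloud.config.json` carries `vault_nextcloud_db_pass` and the SMTP credentials, and nothing visible removes it after `php occ config:import`; add a `file:` task with `path: /tmp/nextcloud.config.json` and `state: absent` right after the import so the secrets do not persist on disk. The download task still saves `latest.tar.bz2` as `nextcloud.tar.gz` and pins no `checksum:`; once the version is pinned, `checksum: "sha256:<sha256 of the release tarball — placeholder>"` turns a tampered or truncated download into a failed task. The Update Nextcloud block spans the last two hunks of this section.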

@@ -1,10 +1,10 @@
--- ---
# ensure rclone.conf is present (meta role dependencies) # ensure rclone.conf is present (meta role dependencies)
- name: Create rclone mount dir - name: Create Rclone mount directory
file: file:
path: "{{ nextcloud_rclone_mount_dir }}" path: "{{ nextcloud_rclone_mount_dir }}"
mode: 0755 mode: "0770"
state: directory state: directory
# Touch rclone log file to set permissions # Touch rclone log file to set permissions
@@ -12,7 +12,7 @@
file: file:
path: "{{ rclone_log_dir }}/mount_nextcloud.log" path: "{{ rclone_log_dir }}/mount_nextcloud.log"
state: touch state: touch
mode: 0644 mode: "0640"
access_time: preserve access_time: preserve
modification_time: preserve modification_time: preserve
@@ -20,8 +20,8 @@
template: template:
src: rclone_mount_nextcloud.service.j2 src: rclone_mount_nextcloud.service.j2
dest: /etc/systemd/system/rclone_mount_nextcloud.service dest: /etc/systemd/system/rclone_mount_nextcloud.service
mode: 0644 mode: "0640"
notify: restart rclone_mount_nextcloud notify: Restart rclone_mount_nextcloud
- name: "Add {{ webserver_user }} user to rclone group" - name: "Add {{ webserver_user }} user to rclone group"
user: user:

@@ -13,6 +13,7 @@
"dbtableprefix": "oc_", "dbtableprefix": "oc_",
"dbuser": "{{ nextcloud_db_user }}", "dbuser": "{{ nextcloud_db_user }}",
"dbpassword": "{{ vault_nextcloud_db_pass }}", "dbpassword": "{{ vault_nextcloud_db_pass }}",
"installed": true,
"skeletondirectory": "", "skeletondirectory": "",
"default_language": "de", "default_language": "de",
"default_phone_region": "DE", "default_phone_region": "DE",
@@ -25,9 +26,9 @@
"mail_sendmailmode": "smtp", "mail_sendmailmode": "smtp",
"mail_domain": "{{ nextcloud_smtp_from_domain }}", "mail_domain": "{{ nextcloud_smtp_from_domain }}",
"mail_smtpauth": 1, "mail_smtpauth": 1,
"mail_smtpname": "{{ nextcloud_smtp_user }}", "mail_smtpname": "{{ vault_nextcloud_smtp_user }}",
"mail_smtppassword": "{{ nextcloud_smtp_pass }}", "mail_smtppassword": "{{ vault_nextcloud_smtp_pass }}",
"mail_smtpsecure": "ssl", "mail_smtpsecure": "tls",
"loglevel": 1, "loglevel": 1,
"logfile": {{ nextcloud_log_file | to_json }}, "logfile": {{ nextcloud_log_file | to_json }},
"logtimezone": "Europe\/Berlin", "logtimezone": "Europe\/Berlin",
@@ -46,9 +47,9 @@
"tempdirectory": {{ nextcloud_temp_dir | to_json }}, "tempdirectory": {{ nextcloud_temp_dir | to_json }},
"cache_path": {{ nextcloud_cache_dir | to_json }}, "cache_path": {{ nextcloud_cache_dir | to_json }},
"localstorage.allowsymlinks": true, "localstorage.allowsymlinks": true,
"enable_previews": "true", "enable_previews": true,
"preview_max_x": "2048", "preview_max_x": 2048,
"preview_max_y": "2048", "preview_max_y": 2048,
"preview_max_scale_factor": 1 "preview_max_scale_factor": 1
} }
} }
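Review bot: `"mail_smtpsecure": "tls"` selects STARTTLS in Nextcloud, whereas the previous `"ssl"` selected implicit TLS; the port still comes from `nextcloud_smtp_port: "{{ smtp_port }}"` in the role defaults, which this commit does not touch, so verify that the configured port matches the new mode (STARTTLS is normally 587, implicit TLS 465) or the mailer handshake will fail. The added `"installed": true` is imported into a config that the playbook only imports after "Ensure nextcloud installation is finished", so it is redundant at best; if it is meant to guard the installer, a one-line comment above the key in the template would explain that.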

@@ -5,10 +5,11 @@ Description=Nextcloud Exporter
After=network-online.target After=network-online.target
[Service] [Service]
Environment=NEXTCLOUD_AUTH_TOKEN={{ vault_nextcloud_exporter_token }} NEXTCLOUD_TIMEOUT=30s
User={{ nextcloud_exporter_system_user }} User={{ nextcloud_exporter_system_user }}
Group={{ nextcloud_exporter_system_group }} Group={{ nextcloud_exporter_system_group }}
Type=simple Type=simple
ExecStart={{ nextcloud_exporter_install_dir }}/nextcloud_exporter --server https://{{ nextcloud_domain_name }} --auth-token {{ vault_nextcloud_exporter_token }} ExecStart={{ nextcloud_exporter_install_dir }}/nextcloud_exporter --server https://{{ nextcloud_domain_name }}
Restart=always Restart=always
[Install] [Install]
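Review bot: Moving the auth token from the ExecStart line into `Environment=` keeps it out of the process command line, but the unit is installed with `mode: "0644"` by the Copy Nextcloud systemd service file task in this commit, so the token remains world-readable under /etc/systemd/system, and `systemctl show` appears to expose `Environment=` to unprivileged users as well. Put the secret in a root-owned 0640 file and reference it with `EnvironmentFile=/etc/nextcloud_exporter.env` (path is a suggestion), or use `LoadCredential=`, and leave the unit itself at 0644. The `NEXTCLOUD_TIMEOUT=30s` addition is fine and has no secrecy concern.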

@@ -2,9 +2,7 @@
## Managed by Ansible ## ## Managed by Ansible ##
cd {{ nextcloud_dir }}
# Print start status message.
echo "delete expired versions" echo "delete expired versions"
/usr/bin/php occ versions:expire --quiet /usr/bin/php {{ nextcloud_dir }}/occ versions:expire --quiet
echo "permanently delete trashed files" echo "permanently delete trashed files"
/usr/bin/php occ trashbin:expire --quiet /usr/bin/php {{ nextcloud_dir }}/occ trashbin:expire --quiet

@@ -5,7 +5,7 @@ Description=Run Nextcloud nightly background job every night
[Timer] [Timer]
OnCalendar=00:00:00 OnCalendar=00:00:00
RandomizedDelaySec=600 RandomizedDelaySec=10m
Unit=nextcloud_nightlycron.service Unit=nextcloud_nightlycron.service
[Install] [Install]

@@ -5,12 +5,13 @@ Description = Push daemon for Nextcloud clients
[Service] [Service]
Environment = SOCKET_PATH={{ nextcloud_notify_push_socket }} METRICS_PORT=9206 Environment = SOCKET_PATH={{ nextcloud_notify_push_socket }} METRICS_PORT=9206
Type=notify
User={{ webserver_user }} User={{ webserver_user }}
Group={{ webserver_user }} Group={{ webserver_user }}
RuntimeDirectory=nextcloud RuntimeDirectory=nextcloud
RuntimeDirectoryMode=0750 RuntimeDirectoryMode=0750
PIDFile=/run/nextcloud/notify_push.pid PIDFile=/run/nextcloud/notify_push.pid
ExecStart = {{ nextcloud_notify_push_install_dir }}/nextcloud_notify_push-{{ deb_architecture_alias }} {{ nextcloud_dir }}/config/config.php ExecStart = {{ nextcloud_notify_push_install_dir }}/nextcloud_notify_push {{ nextcloud_dir }}/config/config.php
Restart=always Restart=always
[Install] [Install]
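Review bot: `Group={{ webserver_user }}` survives on the new side while the Copy nextcloud_notify_push task in this commit sets the binary's group to `{{ webserver_group }}`; presumably this should read `Group={{ webserver_group }}` so the service group matches the file ownership. With `Type=notify` startup success now depends on the daemon sending READY=1, and the retained `PIDFile=/run/nextcloud/notify_push.pid` is redundant for a non-forking service; dropping it avoids a stale-pidfile failure path.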

@@ -5,38 +5,33 @@ Description = rclone crypt mount {{ nextcloud_rclone_mount_dir }}
After = network-online.target After = network-online.target
[Service] [Service]
Environment=RCLONE_RCD_USER=rclone
Environment=RCLONE_RCD_PASSWORD={{ vault_rclone_rcd_pass }}
Type=notify Type=notify
ExecStart=/usr/bin/rclone mount DTSV_crypt:cloud_data {{ nextcloud_rclone_mount_dir }} \ ExecStart=/usr/bin/rclone mount DTSV_crypt:cloud_data {{ nextcloud_rclone_mount_dir }} \
--devname rclone \ --devname rclone \
--use-mmap \ --use-mmap \
--default-permissions \
--allow-other \ --allow-other \
--uid {{ created_rclone_user.uid }} \ --uid {{ rclone_created_user.uid }} \
--gid {{ created_rclone_group.gid }} \ --gid {{ rclone_created_group.gid }} \
--umask 002 \ --umask 0007 \
--dir-perms 775 \ --dir-perms 0770 \
--file-perms 664 \ --file-perms 0660 \
--dir-cache-time 8760h \ --dir-cache-time 8760h \
--poll-interval 1h \ --poll-interval 12h \
--buffer-size 64M \ --buffer-size 32M \
--drive-chunk-size 256M \ --drive-chunk-size 256M \
--drive-pacer-min-sleep 10ms \ --drive-pacer-min-sleep 20ms \
--drive-pacer-burst 1000 \ --drive-pacer-burst 200 \
--vfs-cache-max-age 720h \ --vfs-cache-max-age 720h \
--vfs-cache-mode full \ --vfs-cache-mode full \
--vfs-cache-max-size 50G \ --vfs-cache-min-free-space 10G \
--vfs-read-chunk-size 128M \ --vfs-read-chunk-size 128M \
--vfs-read-chunk-size-limit off \ --vfs-read-chunk-size-limit off \
--vfs-write-back 20s \ --vfs-write-back 5s \
--cache-dir={{ rclone_cache_dir }} \ --cache-dir={{ rclone_cache_dir }} \
--log-file={{ rclone_log_dir }}/mount_nextcloud.log \ --log-file={{ rclone_log_dir }}/mount_nextcloud.log \
--log-level=INFO \ --log-level=INFO \
--rc \ --metrics-addr "0.0.0.0:5573" \
--rc-addr "0.0.0.0:5572" \
--rc-enable-metrics \
--rc-user $RCLONE_RCD_USER \
--rc-pass $RCLONE_RCD_PASSWORD \
--user-agent "{{ rclone_user_agent_gd }}" --user-agent "{{ rclone_user_agent_gd }}"
ExecStop=/bin/fusermount -u -z {{ nextcloud_rclone_mount_dir }} ExecStop=/bin/fusermount -u -z {{ nextcloud_rclone_mount_dir }}
Restart=on-failure Restart=on-failure
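Review bot: `--default-permissions` is removed in the same hunk that tightens `--umask 0007`, `--dir-perms 0770` and `--file-perms 0660`; that flag is what makes the kernel enforce those modes on a FUSE mount, so with it gone the stricter modes are displayed by `ls` but, as far as I can tell, not enforced against other local users who reach the mount through `--allow-other`. Either keep `--default-permissions` or confirm on a host that a user outside the rclone group is actually denied. `--metrics-addr "0.0.0.0:5573"` binds the unauthenticated Prometheus endpoint on every interface, replacing the old rc endpoint that at least had a username and password; bind it to loopback or the monitoring interface, e.g. `--metrics-addr "127.0.0.1:5573"`, unless the host firewall already restricts that port. The [Install] section of this unit lies outside the hunk.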

@@ -24,7 +24,7 @@ trusted_proxies:
- "{{ hostvars[inventory_hostname]['ansible_default_ipv6']['address'] }}" - "{{ hostvars[inventory_hostname]['ansible_default_ipv6']['address'] }}"
nextcloud_trashbin_retention_obligation: "auto, 90" nextcloud_trashbin_retention_obligation: "auto, 90"
nextcloud_versions_retention_obligation: "auto, 30" nextcloud_versions_retention_obligation: "auto, 30"
nextcloud_max_upload_size: "10G" nextcloud_max_upload_size: "25G"
# database # database
nextcloud_db_host: "{{ pgsql_server_ip }}" nextcloud_db_host: "{{ pgsql_server_ip }}"
nextcloud_db_port: "{{ pgsql_server_port }}" nextcloud_db_port: "{{ pgsql_server_port }}"
@@ -43,14 +43,14 @@ nextcloud_smtp_host: "{{ smtp_hostname }}"
nextcloud_smtp_port: "{{ smtp_port }}" nextcloud_smtp_port: "{{ smtp_port }}"
nextcloud_smtp_from_address: "cloud" nextcloud_smtp_from_address: "cloud"
nextcloud_smtp_from_domain: "twirling.de" nextcloud_smtp_from_domain: "twirling.de"
nextcloud_smtp_user: !vault | vault_nextcloud_smtp_user: !vault |
$ANSIBLE_VAULT;1.2;AES256;dtsv-dev $ANSIBLE_VAULT;1.2;AES256;dtsv-dev
37323762356630343133346634653965303530363966646236383962313163623637326165346439 37323762356630343133346634653965303530363966646236383962313163623637326165346439
3234303935353134633238396365363036313363663031310a663339363665376564306565393538 3234303935353134633238396365363036313363663031310a663339363665376564306565393538
33663566663534383133623965316362383731303565326632623430303565343134393939343734 33663566663534383133623965316362383731303565326632623430303565343134393939343734
3930376165653536310a656632373336623663356431333136303165653162333137626632333033 3930376165653536310a656632373336623663356431333136303165653162333137626632333033
35363439346237666662333537613363386266653865656238323638666533356535 35363439346237666662333537613363386266653865656238323638666533356535
nextcloud_smtp_pass: !vault | vault_nextcloud_smtp_pass: !vault |
$ANSIBLE_VAULT;1.2;AES256;dtsv-dev $ANSIBLE_VAULT;1.2;AES256;dtsv-dev
61303737376466646164313766373639376133633935313433356637323038626437663736363631 61303737376466646164313766373639376133633935313433356637323038626437663736363631
3864616433353737666137663663666333366463626337630a643034323935613833633439306236 3864616433353737666137663663666333366463626337630a643034323935613833633439306236
@@ -61,10 +61,10 @@ nextcloud_smtp_pass: !vault |
nextcloud_user_ini: nextcloud_user_ini:
- type: php_value - type: php_value
option: upload_max_filesize option: upload_max_filesize
value: "{{ nextcloud_max_upload_size }}B" value: "{{ nextcloud_max_upload_size }}"
- type: php_value - type: php_value
option: post_max_size option: post_max_size
value: "{{ nextcloud_max_upload_size }}B" value: "{{ nextcloud_max_upload_size }}"
- type: php_value - type: php_value
option: max_input_time option: max_input_time
value: 3600 value: 3600
@@ -72,16 +72,31 @@ nextcloud_user_ini:
option: max_execution_time option: max_execution_time
value: 3600 value: 3600
nextcloud_apps: nextcloud_occ_install_app:
- bruteforcesettings
- calendar - calendar
- contacts - contacts
- external - external
- extract - extract
- groupfolders - groupfolders
- metadata
- notes - notes
- notify_push - notify_push
- suspicious_login
- tables
- tasks - tasks
- twofactor_nextcloud_notification
- twofactor_totp - twofactor_totp
- end_to_end_encryption
nextcloud_occ_config_app:
- "preview jpeg_quality --value=60"
- "previewgenerator squareSizes --value='256 1024'"
- "previewgenerator widthSizes --value=2048"
- "previewgenerator heightSizes --value=2048"
- "files_trashbin background_job_expire_trash --value=no"
- "files_versions background_job_expire_versions --value=no"
- "files max_chunk_size --value 134217728"
nextcloud_exporter_install_dir: "/usr/local/bin" nextcloud_exporter_install_dir: "/usr/local/bin"
nextcloud_exporter_system_group: "node-exporter" nextcloud_exporter_system_group: "node-exporter"
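Review bot: The new `nextcloud_occ_config_app` entries mix the `--value=60` and `--value 134217728` forms; both work with occ, but one style, `"files max_chunk_size --value=134217728"`, keeps the list greppable. The `nextcloud_occ_install_app` list drops `bruteforcesettings` and `suspicious_login`, which removes the IP-allowlist UI for brute-force protection and the login-anomaly notifications; if that is deliberate, a short comment above the list would stop the next reader from re-adding them. Dropping the trailing `B` from the `upload_max_filesize` and `post_max_size` values is a real fix, since PHP's shorthand notation takes `G` and does not parse `25GB` as gigabytes.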

@@ -1,5 +1,5 @@
--- ---
- name: reload nginx - name: Reload nginx
systemd: systemd:
name: nginx.service name: nginx.service
state: reloaded state: reloaded

@@ -1,4 +1,14 @@
--- ---
- name: Set architecture alias
set_fact:
architecture_alias: "amd64" # noqa: var-naming[no-role-prefix]
when: ansible_architecture == "x86_64"
- name: Set architecture alias
set_fact:
architecture_alias: "arm64" # noqa: var-naming[no-role-prefix]
when: ansible_architecture == "aarch64"
- name: Add Nginx GPG apt Key - name: Add Nginx GPG apt Key
apt_key: apt_key:
url: https://nginx.org/keys/nginx_signing.key url: https://nginx.org/keys/nginx_signing.key
@@ -7,7 +17,7 @@
- name: Add Nginx Mainline Repository - name: Add Nginx Mainline Repository
apt_repository: apt_repository:
repo: "deb [arch={{ deb_architecture }} signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ repo: "deb [arch={{ architecture_alias }} signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
http://nginx.org/packages/mainline/ubuntu {{ ansible_distribution_release }} nginx" http://nginx.org/packages/mainline/ubuntu {{ ansible_distribution_release }} nginx"
state: present state: present
update_cache: true update_cache: true
@@ -24,21 +34,36 @@
path: /etc/nginx/conf.d/default.conf path: /etc/nginx/conf.d/default.conf
state: absent state: absent
- name: Create global config folder - name: Create additional config folder
file: file:
path: "/etc/nginx/global" path: "/etc/nginx/{{ item }}"
mode: 0755 mode: "0755"
state: directory state: directory
loop:
- global
- snippets
- name: Copy Nginx SSL Config - name: Copy Nginx SSL Config
template: template:
dest: /etc/nginx/global/ssl.conf dest: /etc/nginx/global/ssl.conf
src: ssl.conf.j2 src: ssl.conf.j2
mode: 0644 mode: "0644"
notify: reload nginx notify: Reload nginx
- name: Download pre-defined DHE group # as recommended by IETF RFC 7919 - name: Download pre-defined DHE group # as recommended by IETF RFC 7919
get_url: get_url:
url: https://github.com/internetstandards/dhe_groups/raw/main/ffdhe4096.pem url: https://github.com/internetstandards/dhe_groups/raw/main/ffdhe4096.pem
dest: "{{ nginx_ssl_dhparam }}" dest: "{{ nginx_ssl_dhparam }}"
notify: reload nginx mode: "0644"
register: nginx_ffdhe4096_download_file
until: nginx_ffdhe4096_download_file is succeeded
retries: 3
delay: 5
notify: Reload nginx
- name: Set nginx user to www-data
replace:
path: /etc/nginx/nginx.conf
regexp: "user nginx;"
replace: "user www-data;"
notify: Reload nginx
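Review bot: The new Set nginx user task hardcodes `replace: "user www-data;"` while the same commit adds `nginx_user: "www-data"` (and an unreferenced `nginx_group`) to the role defaults; use `replace: "user {{ nginx_user }};"` so the two cannot drift, and keep in mind that a package upgrade can restore the vendor nginx.conf, so templating nginx.conf would be more robust than an in-place replace. The DHE group download gains retries and a mode but still no `checksum:`; the ffdhe4096 group is a fixed RFC 7919 value, so `checksum: "sha256:<sha256 of ffdhe4096.pem — placeholder>"` turns an upstream change or a truncated download into a failed task instead of a silently altered TLS parameter. The two Set architecture alias tasks are now copied verbatim into the nginx, nginx_exporter, node_exporter, php_fpm_exporter and postgres_exporter roles; a single `set_fact` with a lookup table, `architecture_alias: "{{ {'x86_64': 'amd64', 'aarch64': 'arm64'}[ansible_architecture] }}"`, in a shared role or group_vars would replace all of them and fail loudly on an unmapped architecture instead of leaving the variable undefined.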

@@ -6,12 +6,8 @@
ssl_prefer_server_ciphers off; ssl_prefer_server_ciphers off;
ssl_early_data on; ssl_early_data on;
ssl_dhparam {{ nginx_ssl_dhparam }}; ssl_dhparam {{ nginx_ssl_dhparam }};
# OCSP Stapling fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001];
# SSL session handling # SSL session handling
ssl_session_cache shared:SSL:10m; ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d; ssl_session_timeout 1d;
ssl_session_tickets off; ssl_session_tickets off;
ssl_buffer_size 4k; ssl_buffer_size 4k;

@@ -1,5 +1,7 @@
--- ---
nginx_user: "www-data"
nginx_group: "www-data"
nginx_ssl_ciphers: "ALL:!AES128:!CAMELLIA128:!CAMELLIA:!ARIA128:!RSA:!SEED:!aNULL:!eNULL:!EXPORT:\ nginx_ssl_ciphers: "ALL:!AES128:!CAMELLIA128:!CAMELLIA:!ARIA128:!RSA:!SEED:!aNULL:!eNULL:!EXPORT:\
!DES:!RC4:!3DES:!MD5:!PSK:!DHE-RSA-AES256:!ECDHE-RSA-AES256-SHA384:\ !DES:!RC4:!3DES:!MD5:!PSK:!DHE-RSA-AES256:!ECDHE-RSA-AES256-SHA384:\
!DHE-RSA-AES256-SHA256:!ECDHE-RSA-AES256-SHA:!DHE-RSA-AES256-SHA:@STRENGTH" !DHE-RSA-AES256-SHA256:!ECDHE-RSA-AES256-SHA:!DHE-RSA-AES256-SHA:@STRENGTH"

@@ -0,0 +1,7 @@
---
- name: Restart nginx_exporter
systemd:
daemon_reload: true
enabled: true
name: nginx_exporter.service
state: restarted

@@ -0,0 +1,3 @@
---
dependencies:
- role: nginx

@@ -0,0 +1,66 @@
---
- name: Get latest nginx_exporter version
github_release:
user: nginxinc
repo: nginx-prometheus-exporter
action: latest_release
token: "{{ vault_github_token }}"
delegate_to: localhost
run_once: true
register: nginx_exporter_version
- name: "{{ nginx_exporter_version }}"
set_fact:
nginx_exporter_version: "{{ nginx_exporter_version | replace('v', '', 1) | trim }}"
run_once: true
- name: Set architecture alias
set_fact:
architecture_alias: "amd64" # noqa: var-naming[no-role-prefix]
when: ansible_architecture == "x86_64"
- name: Set architecture alias
set_fact:
architecture_alias: "arm64" # noqa: var-naming[no-role-prefix]
when: ansible_architecture == "aarch64"
- name: "Download nginx_exporter from GitHub"
get_url:
url: "https://github.com/nginxinc/nginx-prometheus-exporter/releases/download/\
v{{ nginx_exporter_version.tag }}/nginx-prometheus-exporter_{{ nginx_exporter_version.tag }}\
_linux_{{ architecture_alias }}.tar.gz"
dest: "/var/tmp/nginx-prometheus-exporter.tar.gz"
mode: "0644"
register: nginx_exporter_download_archive
until: nginx_exporter_download_archive is succeeded
retries: 3
delay: 5
- name: Unpack nginx_exporter
unarchive:
remote_src: true
src: "/var/tmp/nginx-prometheus-exporter.tar.gz"
dest: "{{ nginx_exporter_install_dir }}"
extra_opts:
- --one-top-level
owner: "{{ nginx_exporter_system_user }}"
group: "{{ nginx_exporter_system_group }}"
include:
- nginx-prometheus-exporter
notify: Restart nginx_exporter
- name: Copy sub_status.conf to nginx conf.d
template:
src: sub_status.conf.j2
dest: /etc/nginx/conf.d/sub_status.conf
mode: "0644"
notify: Reload nginx
- name: Copy nginx_exporter systemd service
template:
src: nginx_exporter.service.j2
dest: /etc/systemd/system/nginx_exporter.service
owner: root
group: root
mode: "0644"
notify: Restart nginx_exporter
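Review bot: `--one-top-level` on the Unpack nginx_exporter task makes tar create a subdirectory named after the archive under `{{ nginx_exporter_install_dir }}`, so the binary presumably lands at `/usr/local/bin/nginx-prometheus-exporter/nginx-prometheus-exporter`, while the unit template's ExecStart expects `{{ nginx_exporter_install_dir }}/nginx-prometheus-exporter`; verify on a host and either drop the option (the `include:` filter already guards against a tarbomb) or point ExecStart at the subdirectory. The php_fpm_exporter tasks in this commit use the same pattern. Unlike that role's unarchive task, this one sets no `mode:`, so the extracted binary keeps whatever mode the archive carries; add `mode: "0755"` for consistency. The download also has no `checksum:`; if the upstream release publishes one, pinning it is preferable to always tracking latest_release unverified.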

@@ -0,0 +1,17 @@
## Managed by Ansible ##
[Unit]
Description=Prometheus Nginx Exporter
Requires=nginx.service
After=nginx.service
[Service]
Type=simple
User={{ nginx_exporter_system_user }}
Group={{ nginx_exporter_system_group }}
ExecStart={{ nginx_exporter_install_dir }}/nginx-prometheus-exporter -nginx.scrape-uri=unix:{{ nginx_stub_status_socket }}:/stub_status
Restart=always
RestartSec=5
[Install]
WantedBy=multi-user.target
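Review bot: The new unit runs a network-facing exporter as `{{ nginx_exporter_system_user }}` with no sandboxing directives; since it only needs to read the nginx status socket and listen on its own port, `NoNewPrivileges=true`, `ProtectSystem=strict` and `PrivateTmp=true` under [Service] cost nothing and limit what a compromised exporter can touch. The same applies to the php-fpm_exporter unit added in this commit. `Requires=nginx.service` also stops the exporter whenever nginx is stopped, which is presumably intended.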

@@ -0,0 +1,12 @@
## Managed by Ansible ##
# stub_status module provides access to basic status information
server {
listen unix:{{ nginx_stub_status_socket }};
server_name _;
access_log off;
location /stub_status {
stub_status;
}
}

@@ -0,0 +1,6 @@
---
# Variables
nginx_exporter_install_dir: "/usr/local/bin"
nginx_exporter_system_group: "node-exporter"
nginx_exporter_system_user: "{{ nginx_exporter_system_group }}"
nginx_stub_status_socket: "/var/run/nginx_status.sock"

@@ -1,5 +1,5 @@
--- ---
- name: restart node_exporter - name: Restart node_exporter
systemd: systemd:
daemon_reload: true daemon_reload: true
enabled: true enabled: true

@@ -28,17 +28,28 @@
register: node_exporter_version register: node_exporter_version
- name: "{{ node_exporter_version }}" - name: "{{ node_exporter_version }}"
set_fact: set_fact:
node_exporter_version: "{{ node_exporter_version | replace ('v', '', 1) | trim }}" node_exporter_version: "{{ node_exporter_version | replace('v', '', 1) | trim }}"
run_once: true run_once: true
- name: Download node_exporter {{ node_exporter_version.tag }} from GitHub - name: Set architecture alias
set_fact:
architecture_alias: "amd64" # noqa: var-naming[no-role-prefix]
when: ansible_architecture == "x86_64"
- name: Set architecture alias
set_fact:
architecture_alias: "arm64" # noqa: var-naming[no-role-prefix]
when: ansible_architecture == "aarch64"
- name: "Download node_exporter from GitHub"
get_url: get_url:
url: "https://github.com/prometheus/node_exporter/releases/download/\ url: "https://github.com/prometheus/node_exporter/releases/download/\
v{{ node_exporter_version.tag }}/node_exporter-{{ node_exporter_version.tag }}\ v{{ node_exporter_version.tag }}/node_exporter-{{ node_exporter_version.tag }}\
.linux-{{ deb_architecture }}.tar.gz" .linux-{{ architecture_alias }}.tar.gz"
dest: "/var/tmp/node_exporter.tar.gz" dest: "/var/tmp/node_exporter.tar.gz"
register: _download_archive mode: "0644"
until: _download_archive is succeeded register: node_exporter_download_archive
until: node_exporter_download_archive is succeeded
retries: 3 retries: 3
delay: 5 delay: 5
@@ -52,8 +63,8 @@
extra_opts: extra_opts:
- --strip-components=1 - --strip-components=1
include: include:
- "node_exporter-{{ node_exporter_version.tag }}.linux-{{ deb_architecture }}/node_exporter" - "node_exporter-{{ node_exporter_version.tag }}.linux-{{ architecture_alias }}/node_exporter"
notify: restart node_exporter notify: Restart node_exporter
- name: Copy node_exporter systemd service - name: Copy node_exporter systemd service
template: template:
@@ -61,5 +72,5 @@
dest: /etc/systemd/system/node_exporter.service dest: /etc/systemd/system/node_exporter.service
owner: root owner: root
group: root group: root
mode: 0644 mode: "0644"
notify: restart node_exporter notify: Restart node_exporter

@@ -1,5 +1,5 @@
--- ---
- name: restart php-fpm - name: Restart php-fpm
systemd: systemd:
name: php{{ php_version }}-fpm.service name: php{{ php_version }}-fpm.service
state: reloaded state: reloaded
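Review bot: The handler is renamed to `Restart php-fpm` but its action stays `state: reloaded`, so the name now promises more than it does; either rename it `Reload php-fpm` (together with the two `notify: Restart php-fpm` references in the nextcloud and php_fpm_exporter tasks) or switch to `state: restarted`. A graceful reload re-reads the pool configuration, so for the `pm.status_path` change the reload itself is sufficient and only the name is misleading.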

@@ -1,18 +1,27 @@
--- ---
# - name: Add Sury PHP GPG apt key
# apt_key:
# url: https://packages.sury.org/php/apt.gpg
# keyring: /usr/share/keyrings/deb.sury.org-php.gpg
# state: present
- name: Add Sury PHP Repository - name: Add Sury PHP Repository
apt_repository: command: add-apt-repository -y ppa:ondrej/php
repo: ppa:ondrej/php args:
state: present creates: "/etc/apt/sources.list.d/ondrej-ubuntu-php-{{ ansible_distribution_release }}.sources"
update_cache: true
when: php_version is defined # add repo when version is specified, otherwise use default repo when: php_version is defined # add repo when version is specified, otherwise use default repo
- name: "Uninstall old PHP version" - name: Uninstall old PHP version
apt: apt:
name: "php{{ php_old_version }}*" name: "php{{ php_old_version }}*"
state: absent state: absent
purge: true purge: true
when: php_old_version is defined # uninstall when old version is specified when: php_old_version is defined # uninstall when old version is specified
# - name: Print php_modules list
# debug:
# msg: "{{ ['php' + php_version] | product(php_modules) | map('join', '-') | list }}"
- name: "Install custom PHP modules {{ php_modules }}" - name: "Install custom PHP modules {{ php_modules }}"
apt: apt:
name: "{{ ['php' + php_version] | product(php_modules) | map('join', '-') | list }}" name: "{{ ['php' + php_version] | product(php_modules) | map('join', '-') | list }}"
@@ -24,6 +33,6 @@
template: template:
dest: /etc/nginx/conf.d/php-handler.conf dest: /etc/nginx/conf.d/php-handler.conf
src: php-handler.conf.j2 src: php-handler.conf.j2
mode: 0644 mode: "0644"
when: '"fpm" in php_modules' when: '"fpm" in php_modules'
notify: reload nginx notify: Reload nginx
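Review bot: The commented-out Sury GPG key task and the commented-out debug task at the top of this hunk are dead text in the new file; delete them rather than carry them forward, since git history keeps them. Replacing `apt_repository` with `command: add-apt-repository -y ppa:ondrej/php` also drops the `update_cache: true` the module performed and ties idempotence to the `creates:` path `ondrej-ubuntu-php-{{ ansible_distribution_release }}.sources`, which only holds on releases whose add-apt-repository writes deb822 `.sources` files; on a host that still writes a `.list` the task runs on every play. If the module was abandoned because of the deb822 format, say so in a comment on the task, and add an explicit `apt: update_cache: true` before the install tasks.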

@@ -0,0 +1,7 @@
---
- name: Restart php_fpm_exporter
systemd:
daemon_reload: true
enabled: true
name: php-fpm_exporter.service
state: restarted

@@ -0,0 +1,3 @@
---
dependencies:
- role: php

@@ -0,0 +1,66 @@
---
- name: Enable real-time FPM status monitoring
lineinfile:
path: /etc/php/{{ php_version }}/fpm/pool.d/www.conf
regexp: '^;pm.status_path\s'
line: 'pm.status_path = /status'
notify: Restart php-fpm
- name: Get latest php_fpm_exporter version
github_release:
user: hipages
repo: php-fpm_exporter
action: latest_release
token: "{{ vault_github_token }}"
delegate_to: localhost
run_once: true
register: php_fpm_exporter_version
- name: "{{ php_fpm_exporter_version }}"
set_fact:
php_fpm_exporter_version: "{{ php_fpm_exporter_version | replace('v', '', 1) | trim }}"
run_once: true
- name: Set architecture alias
set_fact:
architecture_alias: "amd64" # noqa: var-naming[no-role-prefix]
when: ansible_architecture == "x86_64"
- name: Set architecture alias
set_fact:
architecture_alias: "arm64" # noqa: var-naming[no-role-prefix]
when: ansible_architecture == "aarch64"
- name: "Download php_fpm_exporter from GitHub"
get_url:
url: "https://github.com/hipages/php-fpm_exporter/releases/download/\
v{{ php_fpm_exporter_version.tag }}/php-fpm_exporter_{{ php_fpm_exporter_version.tag }}\
_linux_{{ architecture_alias }}.tar.gz"
dest: "/var/tmp/php-fpm_exporter.tar.gz"
mode: "0644"
register: php_fpm_exporter_download_archive
until: php_fpm_exporter_download_archive is succeeded
retries: 3
delay: 5
- name: Unpack php_fpm_exporter
unarchive:
remote_src: true
src: "/var/tmp/php-fpm_exporter.tar.gz"
dest: "{{ php_fpm_exporter_install_dir }}"
owner: "{{ php_fpm_exporter_system_user }}"
group: "{{ php_fpm_exporter_system_group }}"
mode: "0755"
extra_opts:
- --one-top-level
include:
- php-fpm_exporter
notify: Restart php_fpm_exporter
- name: Copy php_fpm_exporter systemd service
template:
src: php-fpm_exporter.service.j2
dest: /etc/systemd/system/php-fpm_exporter.service
owner: root
group: root
mode: "0644"
notify: Restart php_fpm_exporter
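Review bot: Enabling `pm.status_path = /status` on the www pool exposes the status page to every FastCGI front-end that talks to this pool, not only to the exporter over the socket; make sure the nginx vhosts do not forward `/status` to php-fpm, or restrict it in a location with `allow 127.0.0.1; deny all;`, so pool statistics are not reachable from outside. The exporter runs as `www-data` per the new role defaults, the same user as PHP-FPM; that is enough to open the pool socket, but a dedicated user added to the socket's group would keep the two processes apart. The unarchive task here uses `--one-top-level` like the nginx_exporter role, so the binary's final path should be verified against the unit's ExecStart.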

@@ -0,0 +1,16 @@
## Managed by Ansible ##
[Unit]
Description=Prometheus PHP-FPM Exporter
After=network-online.target
[Service]
Type=simple
User={{ php_fpm_exporter_system_user }}
Group={{ php_fpm_exporter_system_group }}
ExecStart={{ php_fpm_exporter_install_dir }}/php-fpm_exporter server --phpfpm.fix-process-count --phpfpm.scrape-uri unix:{{ php_socket }};/status
Restart=always
RestartSec=5
[Install]
WantedBy=multi-user.target
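Review bot: The `[Service]` section runs an exporter that only needs to connect to the FPM socket and serve metrics, but carries no sandboxing, and `After=network-online.target` without a matching `Wants=` does not actually pull that target in. Adding `Wants=network-online.target` under `[Unit]` and a small hardening set under `[Service]` limits what a compromised exporter process can reach; `ProtectSystem=strict` should still allow the unix-socket scrape, but verify it once after deploying. `ExecStart` also passes no `--web.listen-address`, so the exporter binds its built-in default on all interfaces; if only a local Prometheus scrapes it, bind it to the scrape interface. A blank line between the three sections would also make the rendered unit easier to read.
```ini
After=network-online.target
Wants=network-online.target

[Service]
; … unchanged: Type, User, Group, ExecStart, Restart, RestartSec …
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
```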


@@ -0,0 +1,5 @@
---
# Variables
php_fpm_exporter_install_dir: "/usr/local/bin"
php_fpm_exporter_system_group: "www-data"
php_fpm_exporter_system_user: "{{ php_fpm_exporter_system_group }}"


@@ -1,15 +1,15 @@
--- ---
- name: restart postgresql - name: Restart postgresql
systemd: systemd:
name: postgresql.service name: postgresql.service
state: restarted state: restarted
- name: reload postgresql - name: Reload postgresql
systemd: systemd:
name: postgresql.service name: postgresql.service
state: reloaded state: reloaded
- name: restart postgres_exporter - name: Restart postgres_exporter
systemd: systemd:
daemon_reload: true daemon_reload: true
enabled: true enabled: true


@@ -8,20 +8,31 @@
token: "{{ vault_github_token }}" token: "{{ vault_github_token }}"
delegate_to: localhost delegate_to: localhost
run_once: true run_once: true
register: postgres_exporter_version register: postgresql_exporter_version
- name: "{{ postgres_exporter_version }}" - name: "{{ postgresql_exporter_version }}"
set_fact: set_fact:
postgres_exporter_version: "{{ postgres_exporter_version | replace ('v', '', 1) | trim }}" postgresql_exporter_version: "{{ postgresql_exporter_version | replace('v', '', 1) | trim }}"
run_once: true run_once: true
- name: Download postgres_exporter {{ postgres_exporter_version.tag }} from GitHub - name: Set architecture alias
set_fact:
architecture_alias: "amd64" # noqa: var-naming[no-role-prefix]
when: ansible_architecture == "x86_64"
- name: Set architecture alias
set_fact:
architecture_alias: "arm64" # noqa: var-naming[no-role-prefix]
when: ansible_architecture == "aarch64"
- name: "Download postgres_exporter from GitHub"
get_url: get_url:
url: "https://github.com/prometheus-community/postgres_exporter/releases/download/\ url: "https://github.com/prometheus-community/postgres_exporter/releases/download/\
v{{ postgres_exporter_version.tag }}/postgres_exporter-{{ postgres_exporter_version.tag }}\ v{{ postgresql_exporter_version.tag }}/postgres_exporter-{{ postgresql_exporter_version.tag }}\
.linux-{{ deb_architecture }}.tar.gz" .linux-{{ architecture_alias }}.tar.gz"
dest: "/var/tmp/postgres_exporter.tar.gz" dest: "/var/tmp/postgres_exporter.tar.gz"
register: _download_archive mode: "0644"
until: _download_archive is succeeded register: postgresql_exporter_download_archive
until: postgresql_exporter_download_archive is succeeded
retries: 3 retries: 3
delay: 5 delay: 5
@@ -35,8 +46,8 @@
extra_opts: extra_opts:
--strip-components=1 --strip-components=1
include: include:
- "postgres_exporter-{{ postgres_exporter_version.tag }}.linux-{{ deb_architecture }}/postgres_exporter" - "postgres_exporter-{{ postgresql_exporter_version.tag }}.linux-{{ architecture_alias }}/postgres_exporter"
notify: restart postgres_exporter notify: Restart postgres_exporter
- name: Copy the postgres_exporter systemd service file - name: Copy the postgres_exporter systemd service file
template: template:
@@ -44,5 +55,5 @@
dest: /etc/systemd/system/postgres_exporter.service dest: /etc/systemd/system/postgres_exporter.service
owner: root owner: root
group: root group: root
mode: 0644 mode: "0644"
notify: restart postgres_exporter notify: Restart postgres_exporter


@@ -1,4 +1,15 @@
--- ---
- name: Set architecture alias
set_fact:
architecture_alias: "amd64" # noqa: var-naming[no-role-prefix]
when: ansible_architecture == "x86_64"
- name: Set architecture alias
set_fact:
architecture_alias: "arm64" # noqa: var-naming[no-role-prefix]
when: ansible_architecture == "aarch64"
- name: Add PostgreSQL GPG apt key - name: Add PostgreSQL GPG apt key
apt_key: apt_key:
url: https://www.postgresql.org/media/keys/ACCC4CF8.asc url: https://www.postgresql.org/media/keys/ACCC4CF8.asc
@@ -7,7 +18,7 @@
- name: Add PostgreSQL Repository - name: Add PostgreSQL Repository
apt_repository: apt_repository:
repo: "deb [arch={{ deb_architecture }} signed-by=/usr/share/keyrings/apt.postgresql.org.gpg] \ repo: "deb [arch={{ architecture_alias }} signed-by=/usr/share/keyrings/apt.postgresql.org.gpg] \
http://apt.postgresql.org/pub/repos/apt {{ ansible_distribution_release }}-pgdg main" http://apt.postgresql.org/pub/repos/apt {{ ansible_distribution_release }}-pgdg main"
state: present state: present
update_cache: true update_cache: true
@@ -27,13 +38,14 @@
cache_valid_time: 3600 cache_valid_time: 3600
- name: Set PostgreSQL parameters - name: Set PostgreSQL parameters
community.postgresql.postgresql_set: become: true
name: "{{ item.name }}"
value: "{{ item.value }}"
become_user: postgres become_user: postgres
community.postgresql.postgresql_alter_system:
param: "{{ item.param }}"
value: "{{ item.value }}"
register: postgresql_set register: postgresql_set
loop: "{{ pgsql_config }}" loop: "{{ pgsql_config }}"
notify: restart postgresql notify: Restart postgresql
- name: Set PostgreSQL Client Authentication - name: Set PostgreSQL Client Authentication
community.postgresql.postgresql_pg_hba: community.postgresql.postgresql_pg_hba:
@@ -45,5 +57,5 @@
rules_behavior: combine rules_behavior: combine
contype: host contype: host
# custom rules # custom rules
rules: "{{ pgsql_client_auth }}" rules: "{{ pgsql_client_auth }}" # noqa: args
notify: reload postgresql notify: Reload postgresql
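Review bot: The repository line in `Add PostgreSQL Repository` still points at `http://apt.postgresql.org/pub/repos/apt`; apt verifies packages against the `signed-by` keyring, but the plaintext transport still exposes which packages a host pulls and makes replaying stale index data easier, and the mirror is reachable over HTTPS — since this line is being rewritten for `architecture_alias` anyway, change it to `https://apt.postgresql.org/pub/repos/apt`. `register: postgresql_set` on `Set PostgreSQL parameters` is not consumed anywhere in view; if it exists only to drive the restart, the `notify` already fires on change and the register can go (the task list continues outside the hunk, so it may be used there). The `# custom rules` comment on the pg_hba task would be more useful if it said where `pgsql_client_auth` is expected to come from, e.g. `# custom rules, supplied per host via pgsql_client_auth (see role defaults)`.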


@@ -3,33 +3,33 @@
pgsql_server_version: 15 pgsql_server_version: 15
pgsql_config: pgsql_config:
# - name: unix_socket_directories # - param: unix_socket_directories
# value: default # comma-separated list of directories. default: "/var/run/postgresql" # value: default # comma-separated list of directories. default: "/var/run/postgresql"
- name: listen_addresses - param: listen_addresses
value: "{{ pgsql_server_ip }}" # what IP address(es) to listen on; value: "{{ pgsql_server_ip }}" # what IP address(es) to listen on;
- name: password_encryption - param: password_encryption
value: default # default scram-sha-256 value: scram-sha-256 # default scram-sha-256
- name: max_connections - param: max_connections
value: "200" # default 100 value: "200" # default 100
- name: shared_buffers - param: shared_buffers
value: "1GB" # min 128kB, default 128MB value: "1GB" # min 128kB, default 128MB
- name: effective_cache_size - param: effective_cache_size
value: "3GB" # default 4GB value: "3GB" # default 4GB
- name: maintenance_work_mem - param: maintenance_work_mem
value: "256MB" # min 1MB, default 64MB value: "256MB" # min 1MB, default 64MB
- name: checkpoint_completion_target - param: checkpoint_completion_target
value: "0.9" # checkpoint target duration, 0.0 - 1.0, default 0.9 value: "0.9" # checkpoint target duration, 0.0 - 1.0, default 0.9
- name: wal_buffers - param: wal_buffers
value: "16MB" # min 32kB, default -1 sets based on shared_buffers value: "16MB" # min 32kB, default -1 sets based on shared_buffers
- name: random_page_cost - param: random_page_cost
value: "1.1" # how long it take to seek to a random disk page, default 4.0 value: "1.1" # how long it take to seek to a random disk page, default 4.0
- name: effective_io_concurrency - param: effective_io_concurrency
value: "200" # 1-1000; 0 disables prefetching, default 1 value: "200" # 1-1000; 0 disables prefetching, default 1
- name: work_mem - param: work_mem
value: "2621kB" # min 64kB, default 4MB value: "2621kB" # min 64kB, default 4MB
- name: min_wal_size - param: min_wal_size
value: "1GB" # default 80MB value: "1GB" # default 80MB
- name: max_wal_size - param: max_wal_size
value: "4GB" # default 1GB value: "4GB" # default 1GB
pgsql_client_auth: pgsql_client_auth:


@@ -1,121 +1,123 @@
$ANSIBLE_VAULT;1.2;AES256;dtsv-dev $ANSIBLE_VAULT;1.2;AES256;dtsv-dev
62646235323433313363376439333961373139613464323833366263656433653761323133656437 61653133643464633733306434633736353330376637306437616131663137383336653034663631
3331326266643131386336303465646162303962353339310a653330316264613462623963646536 3436356463306337616231353365656364306538363261380a383933653338383032376635353861
32303364353236346261303263303965326537663863653436653161383239613165306263653036 63346630663738616538353130646564336265613065616366613466333635623736393564366663
6632356336313634330a396433303036323563653838333537373661326333623936306638333932 3538323337666436320a643663373534633231346261643939353536383536626231373139343330
38616239383462653062643031663361646463343930303265626136393635353835313339313939 34636264613935363632333338303431626335386630383362663636663238636161623533346338
62626236373735343530366530613062306463393565613561643632323966663965613034623932 36663630643466373636373935663933373563326336663034343666336666306634636532356332
35373438643739383832393333383732393963666136396537316163353135316233636638626666 63346137613230656536343937326433393639396638353632666331653865383665653832613035
64343639376665623131343464353266623234666135663864333234366666326563386264373539 63363966346131663638643766353830663565313866623537383363383662383038323238393539
31643231313437363135613965396339663762656466396433313335303561383864356533636264 34323832373862643665356362373530383261623233636331643563626265313066616432373162
61363330633464353839353264613338306133623565663835636632626636356662643032396466 35336636313934633336663663376261616566346230353861356638653362613833646462386333
39663336353738363662313833366530336334646462656432306439396136383762303537343532 38623163336336623937393435306364306138633963663065396233353961303461346365393862
33396261353835376163366337393937363761323965356538393561343639363132353762373531 34343630316431666262663431666637306534663236336261353939356263323336666366306238
35656532363631353531613231353435663862333366663565663838383536633666653332636262 39663037663235393931626236366132333934346633643264393030636532313832616161633066
31643562363337393038636163333265663834306330393830353262386634336135636436323431 33353335323830393132616663346337636431616265393466333033383061626362343137383130
62353338326430313662373962333733656434336138376466336534383963346261636233653232 31316464323431303138373730306335313638643865613637323062366661306366373733373237
62643165383034386233376263333533666162346531623362313337666362356136313266613937 32666561656163353962386131333535613632396265623439613464346639633635383733303536
34373266323034653736666163316135633261303037376632623266366333336635306461636536 61396437373461623363373135313933346539343131326235373738366532356462363164336366
34386633636230663663383565623861326665373062636339663566313433633930656161373134 30363162643936333138653761623838613064366131316438383132643435353466613939653161
35373464643738346366643338373534373163393962393266393936313433653863303066373530 61306264333866363530353637383836633831373735393766613962663166646362393535363930
61303163666162356561623930313636303836383131323230356564306334393161303263333966 34306264383563336637376662343030663666313630366238386332363337663338393165633739
36636361323037366539363338666537633134326561656666613764323266363432656235343931 35346438383265343034336239663435633738353535333563393639363130666536366335323137
36653566373330643762646435656266663333323336366434393066303839653039643064343862 35386432353334626130373134353432386436336161626539663465383034383063303039313564
64366434396564643064316439383438333633623539333338353862663136656539336139343863 65633034386237633861343664396439323939653362373931623132326438366332313065633333
64643234353162376237626563663339633332303535303133313064336433623662393762643032 37626636346639633065613935653066313933663430336564393635393966633135343962393365
33343062653539306539373437326161343461623331666531343138616331393439613361626561 62636638323765316266326333386465626239383564396134616332316334393538356532373464
32653133366633326236636561366433646631656434396365383736616235666539313562653863 64643863623564646131373861326232613862383733376534616234376366616565613139316163
64306332393361353831333562356232656432323138623637653731323030613062343830646665 64643866306366616532396235343938393034343335363361343633303566643534353632653364
63333937666635393039393337313332663834336330643138383338623336633930653532363862 36633731613932306237303938363038643437343335656133616234303036653537623861363130
33663237343939666236663333363765326261616566663765353231643936653036353434613164 62336231323739353035333862636531303963323766633866373663393539383661666465363037
31643233626130303864343961663737326432353230336135393230373066613536353833343932 31393833333064363837306535336133633436303862616137343833383266353934306632303434
62303631623630356636386163663362613432316531353865653639366339316230396238366635 31666634343531393633633761323562343263353863363266396336613035363439326436626466
37636637633032316466663133343664643761303735666365616531643034323365613932633364 34343235643363643731326335386339616439303862343130353633656232363961643833386138
36316562366365373231373235303634646566393731326662343136343130306239333534326230 34663835613231343237316361313234613536373461343333323634323930636637363536353361
39373764663232343135323366333862336164653439363538316234313365643035636133383561 63336434626361663565623231383563633132336435326666636532336236356665666635653565
37336361373961373866353430646337643661303035323837383433633033346134633839623865 31623036353139643937353438616535343433343337343338353666393830373466313261373938
65636333666664346436356235333831303336386531653835326439626665666162653262613366 37343138633863393134633062313437653763353635303638663065373934613564343038616130
39373262623238326430376163356232343763383762643163383932663934336535316465386132 62663537386437643939383762616635323362346635656535323337313861636237303138633739
34363331666563393236613331663463333665363337653162306630666638326565626431636166 33373764353633663665306338373565343530653866623738363762353063633465623635623863
38343631343664626135653638323733393562373435633939316563613131636535343833366638 32653033386330666338373466616135383561316330633162613630376662396661376438343036
66323363393536363938623634656134356531373835646339373437353432373435636134303835 62366633383037643930356263616239386634356130343463366162343364636666363737313430
33376461393835363661373761383463666264353933636231643232633565373636376335623964 63376330326636373631666338656465666430373361646163323735393366663034653132393633
34356530323236666538363861333939306362666133323636313636336433636332386130346331 62343032373433653761363661613163326663323666383437393331636130613565666434646466
34313862643132386166613765646466303035333136353837393130626330346262313335313362 34346137323730623561363739303439343536666237613530623263353239613834333736633737
62373262666137366235363533376366316435653835303334613436613763663732363635656663 64353865623430316161396533323039393264303033646266656563663961373037333461326537
37623962373766666338313864623632663166343730386530333266616430366233393138653563 33326135626533366532333165613166306431393335343864663331333037616636343430633838
64363438333565646137643065386234333064643036656165666535646239333961396530646163 33656461373233643534656333653839653736643632303338393664653763306463643031346166
61353436343134663539663036653863353636353861373836326362643562623030616637376536 64323062303333343638393235373136336665396566663766636338626230666331666334666239
63303761313166323336393963343938366632386339366633363061336139333432366431346533 35366331663062646338623039663732656639343065613438313634366431326334316364373131
61363934656239396631626530613639646634306436346561616534313738623035323537343330 65663264373330656562393336333662626532643530386334643336633262323931313932626238
36366133363235653535656465663531383236653165346130366439356535633435663239313763 64333238396539636161313636653133626632366465326464636565616235336563383237373633
35326532616365646163653262393333303535623937636631383665303230626266666562363563 66396361386464646133353564383064656136386262653466613362393637373335633662343261
32326164323930396633366539323033656230386263616230323532626366333530386335303166 35643430353966373562333837393764366364393635323338386363393532306430383662393665
37653930366262343630326365396262393231633237653138343664633165666531616631653530 31633335303332336461383334623563663331633464636332333761643766636133303734373164
66316230396362363565646338383461663765633865666231366265363962623636363932356436 36613164306235333761663465336437623031663832656239646333356635643365613766353662
63306564666361346439386161386166633934326631656665363839653665633465653365646238 64333730346432643239383834363963636336333039666364313264663439633336313066636561
30323162396433346630383965666436643465333332633962343931393534326539626335343237 36386438363334653632386465613532373163636136393537666330336439633065633130333361
36333763656364376164613639663862666263663237623237393232323963396233373930316238 32613664303437616362383265643730633935663435616437653532393431376564303263623431
31626530353037386362373637626334616239316534653166366237336263633362626238656664 39363066653336366165383436626333643839353136353033396163616337313932323534383461
61613931303036353164623538323432303761303163633635633730663836653333643433393937 30343638613165623563353266376230373339316439343032303164383938346434623362373761
63666136356134393764386163646266323863393236646532613533373133663164363937376230 64656566626230346136353137663037663062333165626438643235613362363339313835646530
31316433333564666662393563303365376562363932343963333462383139336135356666636238 39353035393563303565636634393661636666336335653562643338326437636563353233656564
62653664323238646162633636336539373237613661666330626336626632633139393934653537 35633036363633323539643439383938356139306437366632336431346130653133643938393830
65623335313931623439326634393065303736396134386236353134363263353031336331376664 61343334663434363963333466366366613935323139666630643866306330633630303133363739
66646139646565323465343332623936613735626663653264633064633564373133353037656263 64373634306132323432666636643434633035313932643439313961653531613236313566303263
39656635666232653138663738636661643566326539613364636535323435363139656238333531 37306361303639333437313763343862343763303238346261616438323762383466656336343534
64326636656263303733623031643164653733646137396461396338373866383931626637633066 66383464363738623339356535616533613863396433666639316631336563363136643836363164
62363530303965383464643536323065373238626232646564363566366463376566303632346137 39346239373536316333343366373832386366626636326538333333663761386430326430376536
37363936346130383439663062613236646336653861316462396437383466346363643062323834 62306266643434623735323134396366316437396534666161383135393965616366393064353935
36643034336434646331313764376237636464383165326136656363356236333936623834653934 30653664303963363264383963316532643135336337333066363737383265376235663166653766
36666561333463663937363231386662646261653365636264336265373264663766626265623330 36376331353439626533663530636137623833623761636266373135306633363537303437346232
66346436633235343761663963323533393534363034323135333832353738346435653734333766 35623364613035613061386635626263626631356538326431623763643735323838303238393266
32633435666537633961626533636436653766353066633461353561636262643965363432316235 34636431383336363734383733653538383334613434303033326639633232373465613234646237
65303536316531653463306432646631353535356335623532643730353030373261343836663066 36346532323165613738366563653561633339363430376337666438306132303763666365393863
36353831366231633363396336663666303465303138326537383863616662623637383832636166 63363761643533346537643932643863393761633730363138656362636633656437643930376265
66326536633062626135636530386466386235666462343462393966373637653166643539356235 39666339393032346638393362323734376639343038333864646662356136616131313763666533
66333531613636373733643831396339376162313335313436303531303264393537326231663865 30343763663566333133393366343364346266323134633562656336373166373833333839356263
30383464326230633639366236316265353262306235383734383462353562383433396565373937 65373564376431323236396338383161346663343232306135373764363633623533333037393835
30306662346663373464383038626666333761346162343133343262613164316137323162613035 31316365633163353065323434633732363363633666316132316330643635633164653261396135
63623335373738356538396537386533306537633237616332643962363632383532376237383332 36313361613133663135646639396161613635303566643763613137663332646331376339346132
31393632386333633939363737353531623637346336636135623162303131613538666561343734 61343436646161633233326464643839333139653930656363643338656334366464323162626465
30306437656462346238363839303334613366643031356366323133373663393037323236353834 62386537663136313366393064666531303463363162613036393130653238646166393535653636
65663239633333383066393332336230333337656239313732633962386437336362383564343963 61613963313032313130313665356164653034396666323630383761343661373364303639373165
34303038666132383339373631346666336434333133393432316631363236633734623838643965 62666263396436626164643266623563633466626231306664306137653861633636656631666238
66656238303335393630623033366236326435616537303862353464376561373832373663356532 33353937653865343737636566633764303133376538333034626663316164386130616462623866
39313236646130646266316633336265396132323730313136386436656263663035646534346364 65643464306633633335326135393433663732343064356435313536666230643137306335343163
30626330396432366230386534623839663339376134323639323433383666383035373136613037 61346435306232656461326432643230303935633266353235353763333538656366383739303362
65303330636265353135373066656265373539623839323732653832303562643966386232373566 33653837396238386230336564663462643133636230613461303139383933396565363761653564
64646161326461356533616366653966633638326431306433393739656463316430383664356163 38383437633737333264653239313337643237626338396461643933393832643836333431643562
39643433316136633030333461303362623861396136626433303736326436336539616330613831 34646430323135386362353935313435643131623532393662633963306461393862313334366235
64626133303561333263653331323631343861323530353937333538366466333539373937393732 39633265666165326665623536353230616336383932626534356635666565303139623237366132
65313231336332396463633364663264346430613964363561396339613230303962643834393731 65343431393736376131333735636266346262383832323134356337343433316366326232313066
35656663313335373331396430363062353834636232303165306566633461326533653665636431 39346138666262303031613366666261313937323263333963393231356465356530326164633434
38333563636666643930376235656663303638653134666466376533396639343131306633656331 31393830666361613364323265353430643435653631346365393435306634343639383231626433
35303566363466363362373138343966346339313963613330336337323831353733386531363263 32393530383863343761626239313161383032666330616538633332643133386233656464346437
32343237346332613536353834613163386333313937323739333638336561363431363135393036 39623835306461376533623866633631346533643362613865353534343165396231363937613632
32313863323730343765356437366466393262326535356266313734656664346663663635393639 37333935646462363465366434626131333164613535373030633335326666633137386638343433
34383739613536613931376637373238323139326533333631653963343131663431663639383733 32336134656139633339633665616365343261623566323439633236656462643730303163323362
62316535633337333439363835326435393338313061666335343837353839663133343230326134 30323739393365373162623939356261623639656432623866633031666234626666386563616262
65353935656233613634633162313761376363323438346432613630346662313834323964383163 35333239656563623464306538393337316336643533313965376666623837316362646133646663
30636339633066643666343532306332343338333135373334306537636665353936363833363964 36303032323166666563396234396463306131643139376662626364623462363536633830653231
38396561396463313230656531333632313532623735393935643532663764643533646636313230 61343234663139313431343965663731343337666633623035666664393031653930613637346234
61613766366235303639643031623464396138653463333438356134366361613739366235663136 35386332373962303562633263643765336163613232623733383839616637393762353734633334
61386362663437663266323762363034396132383935353831336436626432303732393731336265 31386264316239383236366564333836656638373539663834633437623134643635363563323636
61343863376237363562353834333862613130373330316333323838396636663631366666653832 66336133333762333339366330323566396234343762303734633466363662303936396361313935
31343534316162356662623563373164326239396361623766366139316630333666346237326162 65373430613962376566343737643165333032366137383439363931343738613436636235616539
38353631633630333139323661666132643035626263633533343766636330336434326131633438 65323437626634303162393032643264656333343931643763613936353365653933343532333061
63303465653531643130393631363432653362393339366536323936666661343639306537383764 66613035386565643165386664636330643533643837356534613938363239663837643234356531
38393739366665633332633062383134383263646138346437613964663233636134326431616639 34346361373466343630306230303037653032376431636432356336326238363235613731336638
63613464353666306363613437353033646362343134646337323935616330353834666138356263 61623037326264643536316462396336346331663331343834396562356165636436643233636334
37656236373833326665633531663537623662343439383263393566643463313437376466303039 66376436333763656537613831626362316135626236393131373335343463353163353932663664
39356463633438656166313036383739306166646663363762333333636338646134323234333034 33356133373461626364646466666235636564613937303134613531383465396562356665363262
33383834633231346533323333326432643464323063363063383665306133663862343230333135 66333638666134393334363932323732653832663430313131613563616337313031653338383734
61366332343464306362643732613635653239306234373665303863326437373962393639616265 61373432353964366165633464333230393263653539613036373635326435343264313234343632
32326638636638393335383734346331323932333030306139386138303935346438306631343836 36376337303234623731356239663730663162383737376437656363323335373164356366363763
31646432393830303662376466353632646564343361393635373436313231393866363931613161 38303039646339653366313136303337326238653630633933316639633636616365316130313637
39636233366465653638356236373232323633636339646162353239323130323437613736346236 66353164396265663236623863646263663836336364623035656565626664616139353464613064
62616235633831616561386666626264326434383534356637363335363039646530653839646539 35393133343638666539353662383666343134383963373634303439323336343535346233383065
35386136396634636264666536383662363366666530626163623835363935353238306133633666 30363739373365633137346339303964353230643764323765343835393736356264383661303037
64633136663634393066623134653738666563363337303039386465393961313637643934393939 37333138356530353433323062393431366533353962653963303735383835376332373038656563
38373632646234393430 61613734386434346430663131353831633833376234633663653736653737353636393166633235
64653639323739643235346335393431346238633038343337646631303061666134376462393866
3662386432396635313130316533626161346635373836333766


@@ -11,16 +11,27 @@
rclone_version rclone_version
- name: "{{ rclone_version.content }}" - name: "{{ rclone_version.content }}"
set_fact: set_fact:
rclone_version: "{{ rclone_version.content | replace ('rclone v', '', 1) | trim }}" rclone_version: "{{ rclone_version.content | replace('rclone v', '', 1) | trim }}"
run_once: true run_once: true
- name: Download rclone {{ rclone_version }} - name: Set architecture alias
set_fact:
architecture_alias: "amd64" # noqa: var-naming[no-role-prefix]
when: ansible_architecture == "x86_64"
- name: Set architecture alias
set_fact:
architecture_alias: "arm64" # noqa: var-naming[no-role-prefix]
when: ansible_architecture == "aarch64"
- name: "Download rclone from rclone.org (v{{ rclone_version }})"
get_url: get_url:
url: "https://downloads.rclone.org/v{{ rclone_version }}/\ url: "https://downloads.rclone.org/v{{ rclone_version }}/\
rclone-v{{ rclone_version }}-linux-{{ deb_architecture }}.deb" rclone-v{{ rclone_version }}-linux-{{ architecture_alias }}.deb"
dest: "/var/tmp/rclone.deb" dest: "/var/tmp/rclone.deb"
register: _download_deb mode: "0644"
until: _download_deb is succeeded register: rclone_download_deb
until: rclone_download_deb is succeeded
retries: 3 retries: 3
delay: 5 delay: 5
@@ -38,14 +49,14 @@
file: file:
path: "{{ rclone_config_dir }}" path: "{{ rclone_config_dir }}"
state: directory state: directory
mode: 700 mode: "0700"
- name: Create rclone group - name: Create rclone group
group: group:
name: "{{ rclone_system_group }}" name: "{{ rclone_system_group }}"
state: present state: present
system: true system: true
register: created_rclone_group register: rclone_created_group
when: rclone_system_group != "root" when: rclone_system_group != "root"
- name: Create rclone user - name: Create rclone user
@@ -58,9 +69,9 @@
system: true system: true
create_home: false create_home: false
home: / home: /
register: created_rclone_user register: rclone_created_user
- name: adding existing user {{ main_user }} to group rclone - name: Add user to rclone group
user: user:
name: "{{ main_user }}" name: "{{ main_user }}"
groups: "{{ rclone_system_group }}" groups: "{{ rclone_system_group }}"
@@ -69,7 +80,7 @@
- name: Create rclone cache/log directory - name: Create rclone cache/log directory
file: file:
path: "{{ item }}" path: "{{ item }}"
mode: 0755 mode: "0750"
state: directory state: directory
loop: loop:
- "{{ rclone_cache_dir }}" - "{{ rclone_cache_dir }}"
@@ -79,13 +90,13 @@
template: template:
src: logrotate.rclone.j2 src: logrotate.rclone.j2
dest: /etc/logrotate.d/rclone dest: /etc/logrotate.d/rclone
mode: 0644 mode: "0644"
- name: Copy service account files - name: Copy service account files
copy: copy:
src: "{{ item }}" src: "{{ item }}"
dest: "{{ rclone_config_dir }}/{{ item }}" dest: "{{ rclone_config_dir }}/{{ item }}"
mode: 0600 mode: "0600"
loop: loop:
- TD_DTSV_service_account.json - TD_DTSV_service_account.json
@@ -93,4 +104,4 @@
copy: copy:
src: set-rclone-password src: set-rclone-password
dest: ~/set-rclone-password dest: ~/set-rclone-password
mode: 0644 mode: "0644"
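Review bot: `Copy service account files` installs `TD_DTSV_service_account.json` — a Google service-account key — from the role's files directory with `mode: "0600"`, which is right for the destination, but nothing in view shows the source being vault-encrypted; unless it is (`copy` decrypts vaulted files transparently), the key sits in plain text in the repository and should be moved into a vaulted file or a secret store. The final task copies `set-rclone-password` to `~/set-rclone-password` with `mode: "0644"`; if that script embeds or handles the rclone config password, `"0700"` keeps other local accounts from reading it, and `~` here expands for the remote login user, which may not be the account the note intends. `Create rclone cache/log directory` tightens the directories to `"0750"` without an `owner`/`group`, so whichever account rclone runs as (defined outside this hunk) must be root or in root's group to write there — worth stating explicitly in the task.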


@@ -6,7 +6,7 @@ rclone_config_dir: "/root/.config/rclone"
rclone_config_file: "{{ rclone_config_dir }}/rclone.conf" rclone_config_file: "{{ rclone_config_dir }}/rclone.conf"
rclone_cache_dir: "/var/cache/rclone" rclone_cache_dir: "/var/cache/rclone"
rclone_log_dir: "/var/log/rclone" rclone_log_dir: "/var/log/rclone"
rclone_user_agent_gd: 'GoogleDriveFS/64.0.4.0 (Windows;OSVer=10.0.22621;)' rclone_user_agent_gd: 'GoogleDriveFS/107.0.3.0 (Windows;OSVer=10.0.26100;)'
vault_td_dtsv_id: !vault | vault_td_dtsv_id: !vault |
$ANSIBLE_VAULT;1.2;AES256;dtsv-dev $ANSIBLE_VAULT;1.2;AES256;dtsv-dev
@@ -48,12 +48,3 @@ td_dtsv_service_account_remote: |
remote = DTSV:crypt remote = DTSV:crypt
password = {{ vault_td_dtsv_crypt_password }} password = {{ vault_td_dtsv_crypt_password }}
password2 = {{ vault_td_dtsv_crypt_password2 }} password2 = {{ vault_td_dtsv_crypt_password2 }}
# Rclone Exporter (same password see monitoring role)
vault_rclone_rcd_pass: !vault |
$ANSIBLE_VAULT;1.2;AES256;dtsv-dev
34616137336639363734323532366663626166336638356538663534346530636564333066636337
6636626538653634383063616532393461393036383464620a613765363037306365666236396661
65356565383436383664356338333266353962396239316533303330626335303961383066633066
3032623266653639340a376361376361373235373939623137633630666333383237363138303933
66333735646465306165396536396166616462633766333732323965363566656132


@@ -1,4 +1,5 @@
--- ---
# If port 0 is specified Redis will not listen on a TCP socket. redis_port: 0 # If port 0 is specified Redis will not listen on a TCP socket.
redis_port: 0 redis_unixsocket: "/var/run/redis/redis.sock"
redis_unixsocketperm: 770
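Review bot: `redis_unixsocketperm: 770` makes the socket usable by every member of the redis group, so whichever account runs php-fpm/nginx has to be added to that group for the move away from TCP to work; nothing in this compare adds that membership (the wordpress role only adds `webserver_user` to the wordpress group), so either it is handled elsewhere or the web tier will lose its cache — a comment naming where the group membership is granted would help. Quote the value as `"770"` too: it renders the same today, but a later `0770` written unquoted would be parsed as octal 504 and silently give Redis `unixsocketperm 504`.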


@@ -1,5 +1,5 @@
--- ---
- name: restart redis - name: Restart redis
systemd: systemd:
name: redis-server.service name: redis-server.service
state: restarted state: restarted


@@ -4,11 +4,10 @@
name: redis name: redis
state: present state: present
- name: Copy redis config - name: Configure redis
template: lineinfile:
src: redis.conf.j2 path: /etc/redis/redis.conf
dest: /etc/redis/redis.conf regexp: '^#?{{ item.option }} .*'
owner: redis line: '{{ item.option }} {{ item.value }}'
group: redis loop: "{{ redis_options }}"
mode: 0640 notify: Restart redis
notify: restart redis
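Review bot: `regexp: '^#?{{ item.option }} .*'` only matches a commented-out line written as `#unixsocket ...`, while Debian's stock redis.conf (as far as I recall) comments with a space, `# unixsocket /run/redis/redis-server.sock`, so `unixsocket`/`unixsocketperm` are appended at the end of the file rather than replacing the stock line; Redis appears to honour the last occurrence, so it works, but `'^#?\s*{{ item.option | regex_escape }}\s.*'` would match both forms and also stop the option name being interpolated into the regex unescaped. The replaced template task also pinned `owner: redis`, `group: redis`, `mode: 0640`; `lineinfile` keeps whatever the package left, so carry those three keys over, since redis.conf is where a `requirepass` would end up.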


@@ -1,4 +1,6 @@
--- ---
redis_unixsocket: "/var/run/redis/redis.sock" redis_options:
redis_unixsocketperm: 770 - {option: port, value: "{{ redis_port }}"}
- {option: unixsocket, value: "{{ redis_unixsocket }}"}
- {option: unixsocketperm, value: "{{ redis_unixsocketperm }}"}


@@ -1,5 +1,5 @@
--- ---
- name: restart systemd_exporter - name: Restart systemd_exporter
systemd: systemd:
daemon_reload: true daemon_reload: true
enabled: true enabled: true


@@ -11,17 +11,28 @@
register: systemd_exporter_version register: systemd_exporter_version
- name: "{{ systemd_exporter_version }}" - name: "{{ systemd_exporter_version }}"
set_fact: set_fact:
systemd_exporter_version: "{{ systemd_exporter_version | replace ('v', '', 1) | trim }}" systemd_exporter_version: "{{ systemd_exporter_version | replace('v', '', 1) | trim }}"
run_once: true run_once: true
- name: Download systemd_exporter {{ systemd_exporter_version.tag }} from GitHub - name: Set architecture alias
set_fact:
architecture_alias: "amd64" # noqa: var-naming[no-role-prefix]
when: ansible_architecture == "x86_64"
- name: Set architecture alias
set_fact:
architecture_alias: "arm64" # noqa: var-naming[no-role-prefix]
when: ansible_architecture == "aarch64"
- name: "Download systemd_exporter from GitHub"
get_url: get_url:
url: "https://github.com/povilasv/systemd_exporter/releases/download/\ url: "https://github.com/povilasv/systemd_exporter/releases/download/\
v{{ systemd_exporter_version.tag }}/systemd_exporter-{{ systemd_exporter_version.tag }}\ v{{ systemd_exporter_version.tag }}/systemd_exporter-{{ systemd_exporter_version.tag }}\
.linux-{{ deb_architecture }}.tar.gz" .linux-{{ architecture_alias }}.tar.gz"
dest: "/var/tmp/systemd_exporter.tar.gz" dest: "/var/tmp/systemd_exporter.tar.gz"
register: _download_archive mode: "0644"
until: _download_archive is succeeded register: systemd_exporter_download_archive
until: systemd_exporter_download_archive is succeeded
retries: 3 retries: 3
delay: 5 delay: 5
@@ -35,8 +46,8 @@
extra_opts: extra_opts:
- --strip-components=1 - --strip-components=1
include: include:
- "systemd_exporter-{{ systemd_exporter_version.tag }}.linux-{{ deb_architecture }}/systemd_exporter" - "systemd_exporter-{{ systemd_exporter_version.tag }}.linux-{{ architecture_alias }}/systemd_exporter"
notify: restart systemd_exporter notify: Restart systemd_exporter
- name: Copy the systemd_exporter systemd service file - name: Copy the systemd_exporter systemd service file
template: template:
@@ -44,5 +55,5 @@
dest: /etc/systemd/system/systemd_exporter.service dest: /etc/systemd/system/systemd_exporter.service
owner: root owner: root
group: root group: root
mode: 0644 mode: "0644"
notify: restart systemd_exporter notify: Restart systemd_exporter
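Review bot: `get_url` downloads the release tarball with no `checksum`, and `systemd_exporter_version.tag` is resolved from GitHub at run time (the `register` at the top of this hunk), so each run installs whatever the release endpoint serves with nothing to verify it against; if the project publishes a checksums file next to its assets, add `checksum: "sha256:https://github.com/povilasv/systemd_exporter/releases/download/v{{ systemd_exporter_version.tag }}/<that file>"`, otherwise pin the version and a known sha256 in defaults. The two `Set architecture alias` tasks leave `architecture_alias` undefined on any architecture other than x86_64/aarch64, which then fails inside the URL template with an unhelpful error; an `assert: that: ansible_architecture in ['x86_64', 'aarch64']` before the download makes the limitation explicit. Naming the fact `systemd_exporter_architecture` would also remove the two `# noqa` suppressions.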


@@ -1,10 +1,10 @@
--- ---
- name: reload nginx - name: Reload nginx
systemd: systemd:
name: nginx.service name: nginx.service
state: reloaded state: reloaded
- name: restart nginx - name: Restart nginx
systemd: systemd:
name: nginx.service name: nginx.service
daemon_reload: true daemon_reload: true


@@ -1,8 +1,17 @@
--- ---
dependencies: dependencies:
- role: lego
vars:
lego_certificate_domains:
- cn: "{{ webserver_domain }}"
sans: ["*.{{ webserver_domain }}"]
lego_certificate_destination:
path: "{{ webserver_nginx_cert_path }}"
lego_services_reload:
name: nginx
- role: rclone - role: rclone
- role: nginx - role: nginx
# - role: nginx_exporter - role: nginx_exporter
- role: php - role: php
# - role: php_fpm_exporter - role: php_fpm_exporter
- role: redis - role: redis
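Review bot: The wildcard SAN `*.{{ webserver_domain }}` means one private key now covers every subdomain of the site, and ACME only issues wildcards through DNS-01, so the lego role must hold DNS-provider credentials on this host; a comment here naming the challenge type and where those credentials come from would make that dependency visible. The `Copy SSL certificates` task removed from tasks/main.yml installed the key as `root:root` with `mode: 0600`, and nothing in this hunk shows `lego_certificate_destination` applying equivalent permissions, so confirm the lego role does (e.g. `owner: root`, `mode: "0600"` under `lego_certificate_destination`, if it supports them). Because `lego` is listed before `nginx`, `lego_services_reload: name: nginx` presumably fires on a host where nginx is not yet installed on the first run — worth checking that the role tolerates that.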


@@ -1,4 +1,5 @@
--- ---
- name: Mount Volume - name: Mount Volume
import_tasks: volume.yml import_tasks: volume.yml


@@ -4,52 +4,32 @@
template: template:
src: "{{ item.src }}" src: "{{ item.src }}"
dest: "{{ item.dest }}" dest: "{{ item.dest }}"
mode: 0644 mode: "0644"
loop: loop:
- {src: "nginx.conf.j2", dest: "/etc/nginx/nginx.conf"} - {src: "nginx.conf.j2", dest: "/etc/nginx/nginx.conf"}
- {src: "cert.conf.j2", dest: "/etc/nginx/global/cert.conf"} - {src: "cert.conf.j2", dest: "/etc/nginx/snippets/cert.conf"}
- {src: "header.conf.j2", dest: "/etc/nginx/global/header.conf"} - {src: "header.conf.j2", dest: "/etc/nginx/global/header.conf"}
- {src: "proxy.conf.j2", dest: "/etc/nginx/global/proxy.conf"} - {src: "proxy.conf.j2", dest: "/etc/nginx/global/proxy.conf"}
- {src: "php_optimization.j2", dest: "/etc/nginx/global/php_optimization"} - {src: "php_optimization.j2", dest: "/etc/nginx/snippets/php_optimization.conf"}
notify: reload nginx notify: Reload nginx
- name: Copy virtual server configs - name: Copy virtual server configs
template: template:
src: "{{ item }}" src: "{{ item }}"
dest: /etc/nginx/conf.d/{{ item | basename | regex_replace('\.j2$', '') }} dest: /etc/nginx/conf.d/{{ item | basename | regex_replace('\.j2$', '') }}
mode: 0644 mode: "0644"
with_fileglob: "../templates/conf.d/*.j2" with_fileglob: "../templates/conf.d/*.j2"
notify: reload nginx notify: Reload nginx
## Certificates
- name: Create Certificate directory
file:
path: "{{ webserver_nginx_cert_path }}"
state: directory
mode: 0755
- name: Copy SSL certificates for {{ webserver_domain }}
copy:
remote_src: true
# make sure that ssl certs are available
src: "{{ lego_config_dir }}/certificates/{{ webserver_domain }}.{{ item }}"
dest: "{{ webserver_nginx_cert_path }}/{{ webserver_domain }}.{{ item }}"
owner: root
group: root
mode: 0600
loop: [crt, key, issuer.crt]
notify: reload nginx
- name: Create nginx.service.d directory - name: Create nginx.service.d directory
file: file:
path: /etc/systemd/system/nginx.service.d path: /etc/systemd/system/nginx.service.d
mode: 0755 mode: "0755"
state: directory state: directory
- name: Increase max open files - name: Increase max open files
template: template:
src: nginx_systemd.conf.j2 src: nginx_systemd.conf.j2
dest: /etc/systemd/system/nginx.service.d/nginx.conf dest: /etc/systemd/system/nginx.service.d/nginx.conf
mode: 0644 mode: "0644"
notify: restart nginx notify: Restart nginx
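Review bot: Deleting the `dev.{{ webserver_domain }}` vhost template from the repository does not remove the already-rendered file from `/etc/nginx/conf.d/` on existing hosts, because `with_fileglob` only writes what is present; the stale vhost will keep serving the old `{{ wordpress_dir }}` root under the wildcard certificate until someone deletes it by hand. Add a cleanup task before the glob, e.g. `file: path: /etc/nginx/conf.d/<dev vhost name>.conf, state: absent` with `notify: Reload nginx`, or manage the directory with a `webserver_nginx_vhosts` list and remove anything not in it. The same applies to `global/cert.conf` and `global/php_optimization`, which moved to `snippets/` and now linger as unreferenced copies.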


@@ -7,18 +7,19 @@
option: "{{ item.option }}" option: "{{ item.option }}"
value: "{{ item.value }}" value: "{{ item.value }}"
state: "{{ item.state | default('present') }}" state: "{{ item.state | default('present') }}"
mode: "0644"
loop: "{{ php_fpm_ini_options }}" loop: "{{ php_fpm_ini_options }}"
when: '"fpm" in php_modules' when: '"fpm" in php_modules'
notify: restart php-fpm notify: Restart php-fpm
- name: Configure FPM pool - name: Configure FPM pool
lineinfile: lineinfile:
path: /etc/php/{{ php_version }}/fpm/pool.d/www.conf path: /etc/php/{{ php_version }}/fpm/pool.d/www.conf
regexp: '^{{ item.option }}\s' regexp: '^;?{{ item.option }} = .*'
line: '{{ item.option }} = {{ item.value }}' line: '{{ item.option }} = {{ item.value }}'
loop: "{{ php_fpm_pool_options }}" loop: "{{ php_fpm_pool_options }}"
when: '"fpm" in php_modules' when: '"fpm" in php_modules'
notify: restart php-fpm notify: Restart php-fpm
- name: Configure FPM environment variables - name: Configure FPM environment variables
replace: replace:
@@ -29,7 +30,7 @@
- {regexp: ";env", replace: "env"} - {regexp: ";env", replace: "env"}
- {regexp: ";clear_env", replace: "clear_env"} - {regexp: ";clear_env", replace: "clear_env"}
when: '"fpm" in php_modules' when: '"fpm" in php_modules'
notify: restart php-fpm notify: Restart php-fpm
- name: Install imagemagick package - name: Install imagemagick package
apt: apt:
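Review bot: `regexp: '^;?{{ item.option }} = .*'` interpolates the option name into the regex unescaped, so the `.` in `pm.max_children` and friends matches any character; it is harmless for the current list, but `'^;?{{ item.option | regex_escape }} = .*'` makes the match exact and costs nothing. Note also that the new pattern intentionally rewrites commented `;pm.max_requests = 500`-style lines that the old `^{{ item.option }}\s` left alone — a one-line comment stating that (`# also uncomments defaults that ship commented out in www.conf`) would save the next reader from wondering whether the `;?` is a typo.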


@@ -3,6 +3,6 @@
template: template:
src: "rclone.conf.j2" src: "rclone.conf.j2"
dest: "{{ rclone_config_file }}" dest: "{{ rclone_config_file }}"
mode: 0600 mode: "0600"
# rclone config file changes while using to force update via ansible use rclone_config_force # rclone config file changes while using to force update via ansible use rclone_config_force
force: "{{ rclone_config_force }}" force: "{{ rclone_config_force }}"


@@ -5,18 +5,19 @@
api_token: "{{ vault_hcloud_token }}" api_token: "{{ vault_hcloud_token }}"
name: "{{ hcloud_webserver_volume_name }}" name: "{{ hcloud_webserver_volume_name }}"
delegate_to: localhost delegate_to: localhost
register: web_hcloud_volume register: webserver_hcloud_volume_info
- name: Creates mount directory - name: Creates mount directory
file: file:
path: "{{ hcloud_webserver_volume_path }}"
state: directory state: directory
path: "{{ hcloud_webserver_volume_path }}"
mode: "0755"
force: false force: false
- name: Mount hcloud volume - name: Mount hcloud volume
ansible.posix.mount: ansible.posix.mount:
path: "{{ hcloud_webserver_volume_path }}" path: "{{ hcloud_webserver_volume_path }}"
src: "{{ web_hcloud_volume.hcloud_volume_info[0].linux_device }}" src: "{{ webserver_hcloud_volume_info.hcloud_volume_info[0].linux_device }}"
fstype: ext4 fstype: ext4
opts: discard,nofail,defaults opts: discard,nofail,defaults
state: mounted state: mounted
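Review bot: The mount still uses `opts: discard,nofail,defaults`, which implies `suid,dev,exec`; for a data volume that this role mounts for the web tier, `nosuid,nodev` cost nothing and stop an uploaded setuid binary or device node from being usable, so `opts: defaults,discard,nofail,nosuid,nodev` (restrictions after `defaults`) is the safer baseline. `nofail` is sensible for boot, but note it also means the play will happily continue with an empty mount point if the Hetzner volume is absent — the `state: mounted` result is the only thing that catches that, so keep this task out of any `ignore_errors`.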


@@ -7,34 +7,42 @@ upstream nextcloud-notify-push {
# Set the `immutable` cache control options only for assets with a cache busting `v` argument # Set the `immutable` cache control options only for assets with a cache busting `v` argument
map $arg_v $asset_immutable { map $arg_v $asset_immutable {
"" ""; "" "";
default "immutable"; default ", immutable";
} }
server { server {
listen 80; listen 80;
listen [::]:80; listen [::]:80;
server_name {{ nextcloud_domain_name }} www.{{ nextcloud_domain_name }}; server_name {{ nextcloud_domain_name }} www.{{ nextcloud_domain_name }};
# enforce https
# Prevent nginx HTTP Server Detection
server_tokens off;
# Enforce HTTPS
return 301 https://$server_name$request_uri; return 301 https://$server_name$request_uri;
} }
server { server {
listen 443 ssl http2; listen 443 ssl;
listen [::]:443 ssl http2; listen [::]:443 ssl;
http2 on;
server_name {{ nextcloud_domain_name }} www.{{ nextcloud_domain_name }}; server_name {{ nextcloud_domain_name }} www.{{ nextcloud_domain_name }};
include global/cert.conf; include snippets/cert.conf;
# Path to the root of your installation # Path to the root of your installation
root {{ nextcloud_dir }}; root {{ nextcloud_dir }};
# Prevent nginx HTTP Server Detection
server_tokens off;
# HSTS settings # HSTS settings
# WARNING: Only add the preload option once you read about # WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option # the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped # will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list # in all major browsers and getting removed from this list
# could take several months. # could take several months.
add_header Strict-Transport-Security "max-age=63072000" always; add_header Strict-Transport-Security "max-age=15768000; preload" always;
# set max upload size and increase upload timeout: # set max upload size and increase upload timeout:
client_max_body_size {{ nextcloud_max_upload_size }}; client_max_body_size {{ nextcloud_max_upload_size }};
@@ -47,29 +55,38 @@ server {
gzip_comp_level 4; gzip_comp_level 4;
gzip_min_length 256; gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Pagespeed is not supported by Nextcloud, so if your server is built # Pagespeed is not supported by Nextcloud, so if your server is built
# with the `ngx_pagespeed` module, uncomment this line to disable it. # with the `ngx_pagespeed` module, uncomment this line to disable it.
#pagespeed off; #pagespeed off;
# The settings allows you to optimize the HTTP2 bandwitdth. # The settings allows you to optimize the HTTP2 bandwidth.
# See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/ # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
# for tunning hints # for tuning hints
client_body_buffer_size 512k; client_body_buffer_size 512k;
# HTTP response headers borrowed from Nextcloud `.htaccess` # HTTP response headers borrowed from Nextcloud `.htaccess`
add_header Referrer-Policy "no-referrer" always; add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always; add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always; add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Permitted-Cross-Domain-Policies "none" always; add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-Robots-Tag "none" always; add_header X-XSS-Protection "1; mode=block" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak # Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By; fastcgi_hide_header X-Powered-By;
# Set .mjs and .wasm MIME types
# Either include it in the default mime.types list
# and include that list explicitly or add the file extension
# only for Nextcloud like below:
include mime.types;
types {
text/javascript mjs;
application/wasm wasm;
}
# Specify how to handle directories -- specifying `/index.php$request_uri` # Specify how to handle directories -- specifying `/index.php$request_uri`
# here as the fallback means that Nginx always exhibits the desired behaviour # here as the fallback means that Nginx always exhibits the desired behaviour
# when a client requests a path that corresponds to a directory that exists # when a client requests a path that corresponds to a directory that exists
@@ -77,7 +94,7 @@ server {
# that file is correctly served; if it doesn't, then the request is passed to # that file is correctly served; if it doesn't, then the request is passed to
# the front-end controller. This consistent behaviour means that we don't need # the front-end controller. This consistent behaviour means that we don't need
# to specify custom rules for certain paths (e.g. images and other assets, # to specify custom rules for certain paths (e.g. images and other assets,
# `/updater`, `/ocm-provider`, `/ocs-provider`), and thus # `/updater`, `/ocs-provider`), and thus
# `try_files $uri $uri/ /index.php$request_uri` # `try_files $uri $uri/ /index.php$request_uri`
# always provides the desired behaviour. # always provides the desired behaviour.
index index.php index.html /index.php$request_uri; index index.php index.html /index.php$request_uri;
@@ -124,7 +141,7 @@ server {
# to the URI, resulting in a HTTP 500 error response. # to the URI, resulting in a HTTP 500 error response.
location ~ \.php(?:$|/) { location ~ \.php(?:$|/) {
# Required for legacy support # Required for legacy support
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri; rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
fastcgi_split_path_info ^(.+?\.php)(/.*)$; fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info; set $path_info $fastcgi_path_info;
@@ -146,17 +163,21 @@ server {
fastcgi_max_temp_file_size 0; fastcgi_max_temp_file_size 0;
} }
location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$ { # Serve static files
location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
try_files $uri /index.php$request_uri; try_files $uri /index.php$request_uri;
add_header Cache-Control "public, max-age=15778463, $asset_immutable"; # HTTP response headers borrowed from Nextcloud `.htaccess`
add_header Cache-Control "public, max-age=15778463$asset_immutable";
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-XSS-Protection "1; mode=block" always;
access_log off; # Optional: Don't log access to assets access_log off; # Optional: Don't log access to assets
location ~ \.wasm$ {
default_type application/wasm;
}
} }
location ~ \.woff2?$ { location ~ \.(otf|woff2?)$ {
try_files $uri /index.php$request_uri; try_files $uri /index.php$request_uri;
expires 7d; # Cache-Control policy borrowed from `.htaccess` expires 7d; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets access_log off; # Optional: Don't log access to assets
@@ -179,4 +200,4 @@ server {
location / { location / {
try_files $uri $uri/ /index.php$request_uri; try_files $uri $uri/ /index.php$request_uri;
} }
} }
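Review bot: The HSTS header now sends `max-age=15768000; preload`, which halves the previous two-year max-age and adds `preload` without `includeSubDomains`; the preload list requires both `includeSubDomains` and a max-age of at least 31536000, so the token is ineffective today but — exactly as the comment above it warns — signals intent to be hardcoded into browsers. Either restore `add_header Strict-Transport-Security "max-age=63072000" always;` or, if preloading really is wanted, use `"max-age=63072000; includeSubDomains; preload"` after reading hstspreload.org, bearing in mind it binds every subdomain to HTTPS. Repeating the security headers inside the static-assets `location` is correct (nginx `add_header` in a location replaces, not extends, the server-level set), and a short comment saying so would stop someone deduplicating them later.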


@@ -9,15 +9,23 @@ server {
} }
server { server {
# Enable HTTP/2 listen 443 ssl default_server;
listen 443 ssl http2 default_server; listen [::]:443 ssl default_server;
listen [::]:443 ssl http2 default_server; http2 on;
# Enable QUIC and HTTP/3.
listen 443 quic reuseport default_server;
listen [::]:443 quic reuseport default_server;
http3 on;
http3_hq on;
quic_retry on;
quic_gso on;
server_name {{ webserver_domain }} www.{{ webserver_domain }}; server_name {{ webserver_domain }} www.{{ webserver_domain }};
include global/cert.conf; include snippets/cert.conf;
include global/header.conf; include global/header.conf;
# Path to the root of your installation # Path to the root of your installation
root {{ wordpress_dir }}; root {{ wordpress_dir }}/src/web;
add_header Strict-Transport-Security "max-age=63072000" always; add_header Strict-Transport-Security "max-age=63072000" always;
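Review bot: `http3_hq on;` enables the HTTP/0.9-over-QUIC "hq-interop" mode that nginx documents for interoperability testing, not for serving a site; browsers never negotiate it, so remove that line and keep `http3 on;`. QUIC also needs UDP/443 reachable through the Hetzner firewall (not part of this compare) in addition to the `Alt-Svc` advertisement in header.conf; if it is not open, clients silently fall back to h2, so a comment such as `# HTTP/3 requires UDP/443 to be allowed in the hcloud firewall` next to the `quic` listens would make the dependency visible. `quic_retry on;` is a good choice here since it adds address validation against amplification.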


@@ -1,53 +0,0 @@
## Managed by Ansible ##
server {
listen 80;
listen [::]:80;
server_name dev.{{ webserver_domain }} www.dev.{{ webserver_domain }};
# enforce https
return 301 https://$server_name$request_uri;
}
server {
# Enable HTTP/2
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name dev.{{ webserver_domain }} www.dev.{{ webserver_domain }};
include global/cert.conf;
include global/header.conf;
# Path to the root of your installation
root {{ wordpress_dir }};
add_header Strict-Transport-Security "max-age=63072000" always;
index index.php index.html index.htm;
client_max_body_size 500M;
location / {
try_files $uri $uri/ /index.php?$args;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
expires max;
log_not_found off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~ \.php$ {
fastcgi_pass php-handler;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}


@@ -44,14 +44,17 @@ add_header X-XSS-Protection "1; mode=block" always;
# I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval' # I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
# directives for css and js(if you have inline css or js, you will need to keep it too). # directives for css and js(if you have inline css or js, you will need to keep it too).
# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful # more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
#add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src to 'none'; frame-ancestors 'self' https://*.twirling.de https://twirling.de"; #add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; style-src 'self' 'unsafe-inline' font-src 'self'; frame-src ; object-src 'none'";
add_header Content-Security-Policy "frame-ancestors 'self' https://*.{{ webserver_domain }} https://{{ webserver_domain }}";
#add_header Referrer-Policy no-referrer; #add_header Referrer-Policy no-referrer;
add_header Referrer-Policy "no-referrer" always; add_header Referrer-Policy "no-referrer" always;
add_header Feature-Policy "accelerometer 'none'; autoplay 'self'; geolocation 'self'; midi 'none'; notifications 'self'; push 'self'; sync-xhr 'self' https://*.twirling.de; microphone 'self'; camera 'self'; magnetometer 'none'; gyroscope 'none'; speaker 'self'; vibrate 'self'; fullscreen 'self'; payment 'none'; usb 'none'"; add_header Feature-Policy "accelerometer 'none'; autoplay 'self'; geolocation 'self'; midi 'none'; notifications 'self'; push 'self'; sync-xhr 'self' https://*.{{ webserver_domain }}; microphone 'self'; camera 'self'; magnetometer 'none'; gyroscope 'none'; speaker 'self'; vibrate 'self'; fullscreen 'self'; payment 'none'; usb 'none'";
add_header Permissions-Policy "geolocation=(self);midi=();notifications=(self);push=(self);sync-xhr=(self 'https://*.twirling.de');microphone=(self);camera=(self);magnetometer=();gyroscope=();speaker=(self);vibrate=();fullscreen=(self);payment=()"; add_header Permissions-Policy "geolocation=(self);midi=();notifications=(self);push=(self);sync-xhr=(self 'https://*.{{ webserver_domain }}');microphone=(self);camera=(self);magnetometer=();gyroscope=();speaker=(self);vibrate=();fullscreen=(self);payment=()";
add_header X-Robots-Tag "noindex, noimageindex, nofollow, nosnippet, noarchive" always;
# Add Alt-Svc header to negotiate HTTP/3. # Add Alt-Svc header to negotiate HTTP/3.
#add_header Alt-Svc 'quic=":443"'; # Advertise that QUIC is available add_header Alt-Svc 'h2=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400' always;
#add_header QUIC-Status $quic; # Sent when QUIC was used add_header x-quic 'h3' always;
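Review bot: The new `X-Robots-Tag "noindex, noimageindex, nofollow, nosnippet, noarchive"` lives in a file the public wordpress vhost includes (`include global/header.conf;`), so the main site will be de-indexed by search engines; if that is not intended, move the header into the vhosts that need it or guard it with a variable. `Alt-Svc` still advertises the draft `h3-29`, which current nginx no longer speaks as far as I know (it serves RFC 9114 `h3` only), so `add_header Alt-Svc 'h3=":443"; ma=86400' always;` is sufficient. The commented-out CSP on the line above is missing a `;` between `'unsafe-inline'` and `font-src` and has an empty `frame-src ;`, so fix it now rather than when someone uncomments it under pressure.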


@@ -38,24 +38,27 @@ webserver_nginx_worker_rlimit_nofile: "100000"
# PHP # PHP
php_fpm_ini_options: php_fpm_ini_options:
- {option: post_max_size, value: 512M} - {option: upload_tmp_dir, value: "\"/tmp\""}
- {option: upload_max_filesize, value: 512M} - {option: upload_max_filesize, value: 512M}
- {option: post_max_size, value: 512M}
- {option: memory_limit, value: 512M} - {option: memory_limit, value: 512M}
- {section: opcache, option: opcache.enable, value: 1} - {section: opcache, option: opcache.enable, value: 1}
- {section: opcache, option: opcache.interned_strings_buffer, value: 32} - {section: opcache, option: opcache.interned_strings_buffer, value: 64}
- {section: opcache, option: opcache.max_accelerated_files, value: 10000} - {section: opcache, option: opcache.max_accelerated_files, value: 50000}
- {section: opcache, option: opcache.memory_consumption, value: 256} - {section: opcache, option: opcache.memory_consumption, value: 512}
- {section: opcache, option: opcache.save_comments, value: 1} - {section: opcache, option: opcache.save_comments, value: 1}
- {section: opcache, option: opcache.revalidate_freq, value: 1} - {section: opcache, option: opcache.revalidate_freq, value: 60}
- {section: opcache, option: opcache.validate_timestamps, value: 0} - {section: opcache, option: opcache.validate_timestamps, value: 0}
- {section: opcache, option: opcache.jit, value: 1255}
- {section: opcache, option: opcache.jit_buffer_size, value: 128M}
- {section: redis, option: redis.session.locking_enabled, value: 1} - {section: redis, option: redis.session.locking_enabled, value: 1}
- {section: redis, option: redis.session.lock_retries, value: -1} - {section: redis, option: redis.session.lock_retries, value: -1}
- {section: redis, option: redis.session.lock_wait_time, value: 10000} - {section: redis, option: redis.session.lock_wait_time, value: 10000}
php_fpm_pool_options: php_fpm_pool_options:
- {option: pm, value: dynamic} - {option: pm, value: dynamic}
- {option: pm.max_children, value: 60} - {option: pm.max_children, value: 20}
- {option: pm.start_servers, value: 20} - {option: pm.start_servers, value: 5}
- {option: pm.min_spare_servers, value: 10} - {option: pm.min_spare_servers, value: 5}
- {option: pm.max_spare_servers, value: 30} - {option: pm.max_spare_servers, value: 15}
- {option: pm.max_requests, value: 1000} - {option: pm.max_requests, value: 500}
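Review bot: `opcache.revalidate_freq` was raised to 60 while `opcache.validate_timestamps` stays 0, and with timestamp validation disabled the frequency is never consulted, so that change is a no-op — either drop `revalidate_freq` or set `validate_timestamps` to 1 if periodic re-checks were the goal. More importantly, with `validate_timestamps=0` PHP keeps executing the cached bytecode until php-fpm is restarted, so any task that updates Nextcloud, its apps or WordPress must notify `Restart php-fpm`, otherwise a security update is downloaded but never actually runs; a comment such as `# validate_timestamps=0: code changes only take effect after a php-fpm restart` next to that option keeps the trade-off visible. `upload_tmp_dir "/tmp"` is fine functionally, but note Debian's php-fpm unit uses PrivateTmp, so that directory is not the one you see from a shell.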


@@ -0,0 +1,2 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAq5M3pWvjwFjDOsrAwnJsysE23SuWW+wQRHUgBWInzX oli@VSC
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTPOurRC0RiGe7+hgWyZzD/kNIEB+XuztHxKkC/xRe6 wordpress@NOVA


@@ -1,27 +1,45 @@
--- ---
- name: Create wordpress group
group:
name: "{{ wordpress_group }}"
state: present
system: true
when: wordpress_group != "root"
- name: Create wordpress user
user:
name: "{{ wordpress_user }}"
group: "{{ wordpress_group }}"
groups: "{{ wordpress_group }}"
append: true
shell: /bin/bash
create_home: true
- name: Set authorized keys for wordpress user
authorized_key:
user: "{{ wordpress_user }}"
key: "{{ lookup('file', 'public_keys.pub') }}"
state: present
exclusive: false # removing all the authorized keys already set
- name: Add {{ webserver_user }} user to {{ wordpress_group }} group
user:
name: "{{ webserver_user }}"
groups: "{{ wordpress_group }}"
append: true
- name: Create wordpress directory - name: Create wordpress directory
file: file:
path: "{{ wordpress_dir }}" path: "{{ wordpress_dir }}"
state: directory state: directory
owner: "{{ webserver_user }}" owner: "{{ webserver_user }}"
group: "{{ webserver_group }}" group: "{{ wordpress_group }}"
mode: 0755 mode: "0775"
- name: unpack latest wordpress version
unarchive:
remote_src: true
src: "https://wordpress.org/latest.tar.gz"
dest: "{{ wordpress_dir }}"
owner: "{{ webserver_user }}"
group: "{{ webserver_group }}"
creates: "{{ wordpress_dir }}/wp-config-sample.php"
extra_opts:
- --strip-components=1
- name: Copy configuration file - name: Copy configuration file
template: template:
src: wp-config.php.j2 src: wp-config.php.j2
dest: "{{ wordpress_dir }}/wp-config.php" dest: "{{ wordpress_dir }}/wp-config.php"
owner: "{{ webserver_user }}" owner: "{{ webserver_user }}"
group: "{{ webserver_group }}" group: "{{ wordpress_group }}"
mode: 0600 mode: "0660"
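Review bot: The comment on `exclusive: false # removing all the authorized keys already set` describes the opposite setting — `exclusive: false` keeps keys that are not in `public_keys.pub`, so removing a key from that file never revokes it on the host; either correct the comment or, since the file is meant to be the source of truth, set `exclusive: true`. Because the account gets `shell: /bin/bash` and a home directory, each listed key is a full interactive login; if they are only used for git-based deploys, `key_options: 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding'` limits what a leaked key can do. `wp-config.php` is still written to `{{ wordpress_dir }}/wp-config.php` while the vhost now serves `{{ wordpress_dir }}/src/web`; WordPress only looks in its own directory and one level up, so confirm the application really reads this file (the removed `unarchive` task suggests the code now arrives some other way).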


@@ -1,4 +1,6 @@
--- ---
wordpress_group: wordpress
wordpress_user: "{{ wordpress_group }}"
wordpress_dir: "/var/www/wordpress" wordpress_dir: "/var/www/wordpress"
# database # database


@@ -1,8 +1,7 @@
--- ---
## Main Playbook for the staging DTSV Infrastructure ## Main DTSV Infrastructure Playbook
# waiting for terraform provisioning
# Waiting for terraform provisioning
- name: Wait for provisioning - name: Wait for provisioning
hosts: label_env_prod hosts: label_env_prod
gather_facts: false gather_facts: false
@@ -21,8 +20,7 @@
retries: 50 retries: 50
delay: 5 delay: 5
# install terraformed servers # Install terraformed servers
- name: Install common packages - name: Install common packages
hosts: label_env_prod hosts: label_env_prod
roles: roles:
@@ -30,5 +28,36 @@
- node_exporter - node_exporter
become: true become: true
- import_playbook: db.yml - name: DB playbook
- import_playbook: web.yml import_playbook: db.yml
- name: WEB playbook
import_playbook: web.yml
- name: Maintenance
hosts: label_env_prod
become: true
tasks:
- name: Start apt upgrade
block:
- name: Perform upgrade
apt:
name: "*"
state: latest
update_cache: true
cache_valid_time: 3600
- name: Check if a reboot is required
stat:
path: /var/run/reboot-required
register: reboot_required_file # noqa: var-naming[no-role-prefix]
- name: Reboot the server (if required)
reboot:
when: reboot_required_file.stat.exists
- name: Wait for instance to become reachable/usable
wait_for_connection: # host_key_checking must be disabled
- name: Remove dependencies that are no longer required.
apt:
autoremove: true
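Review bot: `wait_for_connection` after `reboot` is redundant — the `reboot` module already waits for the host to come back before returning — and its comment `# host_key_checking must be disabled` recommends switching off the one check that protects the SSH channel against a substituted host; the host keys do not change across a reboot, so drop that task and keep host key checking on. `apt: name: "*" state: latest` on every prod host inside the main playbook means a routine run can pull in major version jumps from third-party repositories and restart services with no maintenance window; consider `upgrade: safe` and gating the whole `Maintenance` play behind a tag or a `maintenance_upgrade` variable so it is opt-in. The `stat` on `/var/run/reboot-required` is the right signal, but the `# noqa` could go by naming the fact `maintenance_reboot_required`.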


@@ -3,7 +3,6 @@
- name: Install Webserver - name: Install Webserver
hosts: WEB hosts: WEB
roles: roles:
- lego
- nextcloud - nextcloud
- wordpress - wordpress
become: true become: true