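#!/usr/bin/ansible-playbook
# vim:ft=ansible:
#
# Nextcloud task list: installs Apache/PHP, creates the MySQL database and
# application user, unpacks the Nextcloud tarball into the webroot, obtains a
# certificate through an ACME HTTP-01 challenge and finally switches the
# virtual host to TLS. Despite the shebang this file contains a task list
# (there is no `hosts:` key), so it is meant to be imported/included from a play.
#
# Required vars (defined elsewhere): mysql_root_password,
# nextcloud_mysql_password, nextcloud_webroot, nextcloud_url, nextcloud_tarbz2.
# Optional: nextcloud_tarbz2_checksum (e.g. "sha256:<hex>") to verify the download.
---
- name: Include MySQL role
  include_role:
    name: mysql

- name: Install, configure, and start Nextcloud
  vars:
    # The Let's Encrypt *staging* directory issues certificates that browsers
    # do not trust. Point this at the production directory once the flow has
    # been verified against staging (block vars can be overridden with -e).
    acme_directory: "https://acme-staging-v02.api.letsencrypt.org/directory"
    # Contact address registered with the ACME account and placed in the CSR.
    acme_email: "rehashedsalt@cock.li"
  block:
    - name: Install Nextcloud-required packages
      apt:
        name: "{{ packages }}"
        state: present
      vars:
        packages:
          - apache2
          - libapache2-mod-php7.2
          - php7.2
          - php7.2-gd
          - php7.2-json
          - php7.2-mysql
          - php7.2-curl
          - php7.2-mbstring
          - php7.2-intl
          - php-imagick
          - php7.2-xml
          - php7.2-zip
          - php7.2-cgi
          - php7.2-cli
          - python-openssl  # needed by the openssl_* / acme_certificate modules

    - name: Copy configuration
      copy:
        src: "{{ item.src }}"
        dest: "{{ item.dest }}"
        mode: "{{ item.mode }}"
      loop:
        - { src: "php-apache2.ini", dest: "/etc/php/7.2/apache2/php.ini", mode: "0644" }
        - { src: "php-cgi.ini", dest: "/etc/php/7.2/cgi/php.ini", mode: "0644" }

    - name: Set up MySQL
      block:
        - name: Create database
          mysql_db:
            name: nextclouddb
            login_user: root
            login_password: "{{ mysql_root_password }}"
            state: present
          # Keep the root password out of verbose/debug task output.
          no_log: true

        - name: Create Nextcloud user
          mysql_user:
            name: nextcloud
            host: localhost
            password: "{{ nextcloud_mysql_password }}"
            # Least privilege: the application account needs full rights on its
            # own database only. GRANT OPTION would let a compromised app user
            # hand its privileges to other accounts, and Nextcloud does not use it.
            priv: "nextclouddb.*:ALL"
            login_user: root
            login_password: "{{ mysql_root_password }}"
          no_log: true

    - name: Set up Apache
      block:
        - name: Disable default configuration
          # sites-enabled/000-default.conf is a symlink into sites-available;
          # removing it only disables the site, the original config stays.
          file:
            path: "/etc/apache2/sites-enabled/000-default.conf"
            state: absent

        - name: Create webroot
          # Deliberately no `recurse`: recursing with mode 0755 would chmod every
          # file under the webroot world-readable on every run, including
          # config/config.php which holds the database password and instance
          # secrets. Only the directory itself is managed here.
          file:
            path: "{{ nextcloud_webroot }}"
            mode: "0755"
            state: directory

        - name: Check for existing installation
          # The unpacked tarball ships an index.html; its presence is taken to
          # mean a previous run already installed Nextcloud here.
          stat:
            path: "{{ nextcloud_webroot }}/index.html"
          register: stat_webroot_index

        - name: Install Nextcloud
          block:
            - name: Download Nextcloud
              get_url:
                dest: /var/www/nextcloud.tar.bz2
                url: "{{ nextcloud_tarbz2 }}"
                # Supply-chain check: when nextcloud_tarbz2_checksum is set
                # (e.g. "sha256:<hex>" from the release's .sha256 file) a
                # tampered or truncated download is rejected instead of being
                # unpacked into the webroot. Omitted when the var is undefined
                # to stay compatible with existing inventories.
                checksum: "{{ nextcloud_tarbz2_checksum | default(omit) }}"
                mode: "0644"

            - name: Extract Nextcloud
              unarchive:
                src: /var/www/nextcloud.tar.bz2
                remote_src: true
                dest: "{{ nextcloud_webroot }}"
                # The tarball has a single top-level "nextcloud/" directory.
                extra_opts: ["--strip-components=1"]

            - name: Create data directory
              # User files live here. Upstream recommends keeping the data
              # directory outside the webroot; inside it, protection against
              # direct download relies on the vhost honouring Nextcloud's
              # .htaccess (confirm in apache2-vhost-ssl.conf). At least keep it
              # from being world-readable on disk.
              file:
                path: "{{ nextcloud_webroot }}/data"
                mode: "0750"
                state: directory

            - name: Chown webroot
              # Nextcloud docs require the web server user to own the install
              # tree (the built-in updater and app store write to it). The
              # trade-off is that a compromised PHP process can rewrite the
              # application code itself; accepted here per upstream guidance.
              file:
                path: "{{ nextcloud_webroot }}"
                state: directory
                recurse: true
                owner: www-data
                group: www-data

            - name: Cleanup
              file:
                path: /var/www/nextcloud.tar.bz2
                state: absent
          when: not stat_webroot_index.stat.exists

        - name: Enable Apache configs and modules
          # `command` instead of `shell`: no shell features are needed, so no
          # interpreter is involved. `creates` makes the task idempotent, so it
          # stops reporting "changed" on every run.
          command: "a2enmod {{ item }}"
          args:
            creates: "/etc/apache2/mods-enabled/{{ item }}.load"
          loop:
            - rewrite
            - ssl

        - name: Register certificates
          block:
            - name: Set up PKI filesystem hierarchy
              # Deliberately no `recurse`: recursing with mode 0750 and group
              # www-data would re-apply those attributes to the key files created
              # below on every later run, loosening them from 0600 root-only to
              # group-readable by the web server user - including the ACME
              # account key, which Apache never needs.
              file:
                path: "{{ item.dir }}"
                mode: "{{ item.mode }}"
                owner: root
                group: www-data
                state: directory
              loop:
                - { dir: "/etc/pki", mode: "0750" }
                - { dir: "/etc/pki/cert", mode: "0750" }
                - { dir: "/etc/pki/cert/crt", mode: "0750" }
                - { dir: "/etc/pki/cert/csr", mode: "0750" }
                - { dir: "/etc/pki/cert/private", mode: "0750" }

            - name: Create ACME account key
              # Identifies this host to the CA; never served by Apache, so root-only.
              openssl_privatekey:
                path: "/etc/pki/cert/private/account.key"
                size: 4096
                owner: root
                group: root
                mode: "0600"

            - name: Create certificate key
              # Explicitly pinned to 0600 root:root, which is what the module
              # creates on the first run and what the TLS vhost below already
              # works with, so the key never needs to be group-readable.
              openssl_privatekey:
                path: "/etc/pki/cert/private/{{ nextcloud_url }}.key"
                size: 4096
                owner: root
                group: root
                mode: "0600"

            - name: Create CSR
              openssl_csr:
                path: "/etc/pki/cert/csr/{{ nextcloud_url }}.csr"
                common_name: "{{ nextcloud_url }}"
                privatekey_path: "/etc/pki/cert/private/{{ nextcloud_url }}.key"
                email_address: "{{ acme_email }}"

            - name: Create challenge for CSR
              # First acme_certificate call: registers the account if needed and
              # returns the HTTP-01 challenge data; the certificate is only
              # issued by the second call once the token is served.
              acme_certificate:
                acme_directory: "{{ acme_directory }}"
                acme_version: 2
                terms_agreed: true
                account_email: "{{ acme_email }}"
                account_key: "/etc/pki/cert/private/account.key"
                csr: "/etc/pki/cert/csr/{{ nextcloud_url }}.csr"
                dest: "/etc/pki/cert/crt/{{ nextcloud_url }}.crt"
                fullchain_dest: "/etc/pki/cert/crt/{{ nextcloud_url }}-fullchain.crt"
              register: com_challenge

            - name: Fulfill challenge
              block:
                - name: Configure insecure virtual host configs
                  # Plain-HTTP vhost used only while the HTTP-01 token is served;
                  # it is replaced by the TLS vhost in "Secure Apache" below.
                  template:
                    src: apache2-vhost.conf
                    dest: "/etc/apache2/sites-enabled/{{ nextcloud_url }}.conf"
                    mode: "0644"

                - name: Reload Apache
                  service:
                    name: apache2
                    state: reloaded

                - name: Create well-known directory
                  file:
                    path: "{{ nextcloud_webroot }}/.well-known/acme-challenge"
                    mode: "0755"
                    state: directory

                - name: Copy challenge files
                  # Must be world-readable so the www-data worker can serve it.
                  copy:
                    dest: "{{ nextcloud_webroot }}/{{ com_challenge['challenge_data'][nextcloud_url]['http-01']['resource'] }}"
                    content: "{{ com_challenge['challenge_data'][nextcloud_url]['http-01']['resource_value'] }}"
                    mode: "0644"

                - name: Create certificate
                  acme_certificate:
                    acme_directory: "{{ acme_directory }}"
                    acme_version: 2
                    account_key: /etc/pki/cert/private/account.key
                    csr: "/etc/pki/cert/csr/{{ nextcloud_url }}.csr"
                    dest: "/etc/pki/cert/crt/{{ nextcloud_url }}.crt"
                    fullchain_dest: "/etc/pki/cert/crt/{{ nextcloud_url }}-fullchain.crt"
                    chain_dest: "/etc/pki/cert/crt/{{ nextcloud_url }}-intermediate.crt"
                    data: "{{ com_challenge }}"

                - name: Clean up
                  # Do not leave the challenge token served after validation.
                  file:
                    path: "{{ nextcloud_webroot }}/.well-known"
                    state: absent
              when: com_challenge is changed

        - name: Secure Apache
          block:
            - name: Copy over virtual host configs
              template:
                src: apache2-vhost-ssl.conf
                dest: "/etc/apache2/sites-enabled/{{ nextcloud_url }}.conf"
                mode: "0644"

            - name: Reload Apache
              service:
                name: apache2
                state: reloaded
                enabled: true
  become: true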