M README.org => README.org +31 -10
@@ 13,8 13,15 @@ and as you might have noticed, contains the letters ~NAS~.
* Requirements
- ~ansible~ (~ansible-core~ is not enough, as I'm using ~community~ packages)
- ~ssh~
+- ~py3-passlib~ (on Alpine Linux,
+ because the ~crypt~ module will be deprecated from python 3.13 onward)
+
+Because the ~system~ role will disable ~password-ssh-login~,
+you should copy your ssh key to your new machine
+#+begin_src bash
+ssh-copy-id root@<hostname/ip>
+#+end_src
-* Running
As you might have noticed, from the ~.gitignore~,
this repo does not contain the ~secret.yml~ nor the ~hosts.yml~,
that is because they are meant to stay secret and you have to write your own.
@@ 40,16 47,9 @@ run the following command:
ansible-vault edit group_vars/all/secret.yml
#+end_src
-Additionally you have to install ~python3~ on the host machine.
-
-Because the ~system~ role will disable ~password-ssh-login~,
-you should copy your ssh key to your new machine
-#+begin_src bash
-ssh-copy-id root@<hostname/ip>
-#+end_src
+Additionally you have to install ~python3~ on the remote machine.
-
-*** Example hosts.yml
+** Example hosts.yml
#+begin_src yaml
---
homenas:
@@ 63,6 63,27 @@ homenas:
ansible_become_method: doas
#+end_src
+* Running the playbook
+To run the full playbook, you can use the following command:
+#+begin_src bash
+ansible-playbook run.yml --ask-vault-pass
+#+end_src
+
+However it might be a good idea to reboot the remote machine,
+after running the system role:
+#+begin_src bash
+ansible-playbook run.yml --ask-vault-pass -t system
+ssh user@<hostname/ip> doas reboot
+ansible-playbook run.yml --ask-vault-pass
+#+end_src
+
+To run only a specific role from the playbook,
+you can use the following command:
+#+begin_src bash
+ansible-playbook run.yml --ask-vault-pass -t <role-tag i.e cloud>
+#+end_src
+
+
* Additional resources
- [[https://www.youtube.com/watch?v=Z7p9-m4cimg][Ansible IaC Deep Dive (Wolfang's Channel)]]
- [[https://www.redhat.com/sysadmin/ansible-templates-configuration][Ansible template guide]]
M group_vars/all/vars.yml => group_vars/all/vars.yml +3 -0
@@ 8,4 8,7 @@ base_packages:
- doas
shell: /bin/ash
docker_subid: "100000:65536"
+# where to store docker data
container_dir: "/home/{{ username }}"
+# The folder where the external drives (RAID) are mounted
+storage_dir: "/mnt"
M roles/infra => roles/infra +1 -1
@@ 1,1 1,1 @@
-Subproject commit bcd8089add031e07e977926488797bbc899647e0
+Subproject commit cfe1e4ff0d04ac3f65289aa9e902fbadac660990
A roles/nextcloud/README.org => roles/nextcloud/README.org +2 -0
@@ 0,0 1,2 @@
+* roles/nextcloud
+Ansible playbook role to setup a nextcloud docker container
A roles/nextcloud/defaults/main.yml => roles/nextcloud/defaults/main.yml +7 -0
@@ 0,0 1,7 @@
+---
+nextcloud_project_dir: "nextcloud"
+
+nextcloud_db: "nextcloud"
+nextcloud_db_user: "nextcloud"
+nextcloud_timezone: "Europe/Berlin"
+nextcloud_upload_size: "4G"
A roles/nextcloud/tasks/main.yml => roles/nextcloud/tasks/main.yml +3 -0
@@ 0,0 1,3 @@
+---
+- name: Setup nextcloud docker images
+ ansible.builtin.include_tasks: setup.yml
A roles/nextcloud/tasks/setup.yml => roles/nextcloud/tasks/setup.yml +70 -0
@@ 0,0 1,70 @@
+---
+- name: Ensure nextcloud-project-dir exists
+ ansible.builtin.file:
+ path: "{{ container_dir }}/{{ nextcloud_project_dir }}"
+ state: directory
+ recurse: true
+
+- name: Setup MariaDB for nextcloud
+ community.docker.docker_container:
+ name: nextcloud_db
+ image: mariadb:10.6
+ restart_policy: unless-stopped
+ command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
+ volumes:
+ - "{{ container_dir }}\
+ /{{ nextcloud_project_dir }}\
+ /db:/var/lib/mysql"
+ env:
+ MYSQL_PASSWORD: "{{ nextcloud_db_password }}"
+ MYSQL_ROOT_PASSWORD: "{{ nextcloud_db_password }}"
+ MYSQL_DATABASE: "{{ nextcloud_db }}"
+ MYSQL_USER: "{{ nextcloud_db_user }}"
+
+- name: Setup Nextcloud
+ community.docker.docker_container:
+ name: nextcloud
+ image: ghcr.io/crazy-max/nextcloud:27.0.1
+ restart_policy: unless-stopped
+ volumes:
+ - "{{ container_dir }}\
+ /{{ nextcloud_project_dir }}\
+ /data:/data"
+ env:
+ PGUID: "1000"
+ PGID: "1000"
+ TZ: "{{ nextcloud_timezone }}"
+ UPLOAD_MAX_SIZE: "{{ nextcloud_upload_size }}"
+ DB_TYPE: "mysql"
+ DB_HOST: "nextcloud_db"
+ DB_NAME: "{{ nextcloud_db }}"
+ DB_USER: "{{ nextcloud_db_user }}"
+ DB_PASSWORD: "{{ nextcloud_db_password }}"
+ ports:
+ - "8080:8000"
+ links:
+ - nextcloud_db
+
+- name: Setup Nextcloud Cron Sidecar
+ community.docker.docker_container:
+ name: nextcloud_cron_sidecar
+ image: ghcr.io/crazy-max/nextcloud:27.0.1
+ restart_policy: unless-stopped
+ volumes:
+ - "{{ container_dir }}\
+ /{{ nextcloud_project_dir }}\
+ /data:/data"
+ env:
+ SIDECAR_CRON: "1"
+ CRON_PERIOD: "*/5 * * * *"
+ PGUID: "1000"
+ PGID: "1000"
+ TZ: "{{ nextcloud_timezone }}"
+ UPLOAD_MAX_SIZE: "{{ nextcloud_upload_size }}"
+ DB_TYPE: "mysql"
+ DB_HOST: "nextcloud_db"
+ DB_NAME: "{{ nextcloud_db }}"
+ DB_USER: "{{ nextcloud_db_user }}"
+ DB_PASSWORD: "{{ nextcloud_db_password }}"
+ links:
+ - nextcloud_db
A roles/nextcloud/templates/nginx.conf => roles/nextcloud/templates/nginx.conf +173 -0
@@ 0,0 1,173 @@
+worker_processes auto;
+
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ # Prevent nginx HTTP Server Detection
+ server_tokens off;
+
+ keepalive_timeout 65;
+
+ #gzip on;
+
+ upstream php-handler {
+ server {{ nextcloud_host }}:9000;
+ }
+
+ server {
+ listen 80;
+
+ # HSTS settings
+ # WARNING: Only add the preload option once you read about
+ # the consequences in https://hstspreload.org/. This option
+ # will add the domain to a hardcoded list that is shipped
+ # in all major browsers and getting removed from this list
+ # could take several months.
+ #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+
+ # set max upload size
+ client_max_body_size 512M;
+ fastcgi_buffers 64 4K;
+
+ # Enable gzip but do not remove ETag headers
+ gzip on;
+ gzip_vary on;
+ gzip_comp_level 4;
+ gzip_min_length 256;
+ gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+ gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+ # Pagespeed is not supported by Nextcloud, so if your server is built
+ # with the `ngx_pagespeed` module, uncomment this line to disable it.
+ #pagespeed off;
+
+ # HTTP response headers borrowed from Nextcloud `.htaccess`
+ add_header Referrer-Policy "no-referrer" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Download-Options "noopen" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Permitted-Cross-Domain-Policies "none" always;
+ add_header X-Robots-Tag "noindex, nofollow" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+
+ # Remove X-Powered-By, which is an information leak
+ fastcgi_hide_header X-Powered-By;
+
+ # Path to the root of your installation
+ root /var/www/html;
+
+ # Specify how to handle directories -- specifying `/index.php$request_uri`
+ # here as the fallback means that Nginx always exhibits the desired behaviour
+ # when a client requests a path that corresponds to a directory that exists
+ # on the server. In particular, if that directory contains an index.php file,
+ # that file is correctly served; if it doesn't, then the request is passed to
+ # the front-end controller. This consistent behaviour means that we don't need
+ # to specify custom rules for certain paths (e.g. images and other assets,
+ # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
+ # `try_files $uri $uri/ /index.php$request_uri`
+ # always provides the desired behaviour.
+ index index.php index.html /index.php$request_uri;
+
+ # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+ location = / {
+ if ( $http_user_agent ~ ^DavClnt ) {
+ return 302 /remote.php/webdav/$is_args$args;
+ }
+ }
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ # Make a regex exception for `/.well-known` so that clients can still
+ # access it despite the existence of the regex rule
+ # `location ~ /(\.|autotest|...)` which would otherwise handle requests
+ # for `/.well-known`.
+ location ^~ /.well-known {
+ # The rules in this block are an adaptation of the rules
+ # in `.htaccess` that concern `/.well-known`.
+
+ location = /.well-known/carddav { return 301 /remote.php/dav/; }
+ location = /.well-known/caldav { return 301 /remote.php/dav/; }
+
+ location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
+ location /.well-known/pki-validation { try_files $uri $uri/ =404; }
+
+ # Let Nextcloud's API for `/.well-known` URIs handle all other
+ # requests by passing them to the front-end controller.
+ return 301 /index.php$request_uri;
+ }
+
+ # Rules borrowed from `.htaccess` to hide certain paths from clients
+ location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
+ location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
+
+ # Ensure this block, which passes PHP files to the PHP process, is above the blocks
+ # which handle static assets (as seen below). If this block is not declared first,
+ # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+ # to the URI, resulting in a HTTP 500 error response.
+ location ~ \.php(?:$|/) {
+ # Required for legacy support
+ rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
+
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ set $path_info $fastcgi_path_info;
+
+ try_files $fastcgi_script_name =404;
+
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $path_info;
+ #fastcgi_param HTTPS on;
+
+ fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
+ fastcgi_param front_controller_active true; # Enable pretty urls
+ fastcgi_pass php-handler;
+
+ fastcgi_intercept_errors on;
+ fastcgi_request_buffering off;
+ }
+
+ location ~ \.(?:css|js|svg|gif)$ {
+ try_files $uri /index.php$request_uri;
+ expires 6M; # Cache-Control policy borrowed from `.htaccess`
+ access_log off; # Optional: Don't log access to assets
+ }
+
+ location ~ \.woff2?$ {
+ try_files $uri /index.php$request_uri;
+ expires 7d; # Cache-Control policy borrowed from `.htaccess`
+ access_log off; # Optional: Don't log access to assets
+ }
+
+ # Rule borrowed from `.htaccess`
+ location /remote {
+ return 301 /remote.php$request_uri;
+ }
+
+ location / {
+ try_files $uri $uri/ /index.php$request_uri;
+ }
+ }
+}
M run.yml => run.yml +9 -0
@@ 12,3 12,12 @@
roles:
- role: infra/roles/system
tags: system
+
+############################################
+# SETUP CLOUD SERVICES
+############################################
+- name: Setup nextcloud
+ hosts: ananas
+ roles:
+ - role: nextcloud
+ tags: cloud