From 272017b9d78a0d73f1e77229478db6e49ac8c7b5 Mon Sep 17 00:00:00 2001
From: Elizabeth Hunt
Date: Tue, 27 Feb 2024 14:57:36 -0500
Subject: [PATCH] owncloud
---
deploy-owncloud.yml | 4 +
group_vars/owncloud.yml | 10 +++
inventory | 3 +
roles/owncloud/tasks/main.yml | 37 +++++++++
roles/owncloud/templates/config.php.j2 | 82 +++++++++++++++++++
.../owncloud/templates/docker-compose.yml.j2 | 80 ++++++++++++++++++
.../http.owncloud.internal.simponic.xyz.conf | 13 +++
.../https.owncloud.internal.simponic.xyz.conf | 32 ++++++++
8 files changed, 261 insertions(+)
create mode 100644 deploy-owncloud.yml
create mode 100644 group_vars/owncloud.yml
create mode 100644 roles/owncloud/tasks/main.yml
create mode 100644 roles/owncloud/templates/config.php.j2
create mode 100644 roles/owncloud/templates/docker-compose.yml.j2
create mode 100644 roles/private/files/europa/http.owncloud.internal.simponic.xyz.conf
create mode 100644 roles/private/files/europa/https.owncloud.internal.simponic.xyz.conf
diff --git a/deploy-owncloud.yml b/deploy-owncloud.yml
new file mode 100644
index 0000000..959833b
--- /dev/null
+++ b/deploy-owncloud.yml
@@ -0,0 +1,4 @@
+- name: owncloud setup
+ hosts: owncloud
+ roles:
+ - owncloud
diff --git a/group_vars/owncloud.yml b/group_vars/owncloud.yml
new file mode 100644
index 0000000..7a85800
--- /dev/null
+++ b/group_vars/owncloud.yml
@@ -0,0 +1,10 @@
+---
+owncloud_admin_password: "{{ lookup('env', 'OWNCLOUD_ADMIN_PASSWORD') }}"
+owncloud_domain: "owncloud.internal.simponic.xyz"
+owncloud_version: "10.14.0"
+owncloud_trusted_domains: "owncloud.internal.simponic.xyz,localhost,127.0.0.1"
+owncloud_mount: "/mnt/ssd-01/owncloud"
+owncloud_oidc_secret: "{{ lookup('env', 'OWNCLOUD_OIDC_SECRET') }}"
+owncloud_mail_password: "{{ lookup('env', 'INFO_FROM_PASSWORD') }}"
+owncloud_secret: "{{ lookup('env', 'OWNCLOUD_SECRET') }}"
+owncloud_pwd_salt: "{{ lookup('env', 'OWNCLOUD_PWD_SALT') }}"
diff --git a/inventory b/inventory
index fe8727c..cb31cce 100644
--- a/inventory
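Review bot: Every secret in group_vars/owncloud.yml comes from `lookup('env', ...)`, which resolves to an empty string when the variable is unset, so a play run from a shell missing OWNCLOUD_SECRET or OWNCLOUD_PWD_SALT would render config.php with an empty `secret`/`passwordsalt` and the compose file with an empty admin password instead of failing. On Ansible 2.13 or later the lookup accepts a default, e.g. `owncloud_secret: "{{ lookup('env', 'OWNCLOUD_SECRET', default=undef()) }}"`, which aborts the play when the variable is missing; on older versions an `ansible.builtin.assert` that each of these is non-empty at the start of the role does the same. The mail password is read from INFO_FROM_PASSWORD rather than an OWNCLOUD_-prefixed name, so a short comment such as `# password of the info@ mailbox used for outbound mail` would keep that from reading as a typo.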
+++ b/inventory
@@ -57,3 +57,6 @@ nijika ansible_user=root ansible_connection=ssh
 [static]
 levi ansible_user=root ansible_connection=ssh
+
+[owncloud]
+europa ansible_user=root ansible_connection=ssh
diff --git a/roles/owncloud/tasks/main.yml b/roles/owncloud/tasks/main.yml
new file mode 100644
index 0000000..f914619
--- /dev/null
+++ b/roles/owncloud/tasks/main.yml
@@ -0,0 +1,37 @@
+---
+- name: ensure owncloud docker/compose exist
+ file:
+ path: /etc/docker/compose/owncloud
+ state: directory
+ owner: root
+ group: root
+ mode: 0700
+
+- name: build owncloud docker-compose.yml.j2
+ template:
+ src: ../templates/docker-compose.yml.j2
+ dest: /etc/docker/compose/owncloud/docker-compose.yml
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=r
+
+- name: ensure owncloud config volume exist
+ file:
+ path: "{{ owncloud_mount }}/config"
+ state: directory
+ owner: www-data
+ group: root
+
+- name: build owncloud config.php
+ template:
+ src: ../templates/config.php.j2
+ dest: "{{ owncloud_mount }}/config/config.php"
+ owner: www-data
+ group: root
+ mode: 0750
+
+- name: daemon-reload and enable owncloud
+ ansible.builtin.systemd_service:
+ state: restarted
+ enabled: true
+ name: docker-compose@owncloud
diff --git a/roles/owncloud/templates/config.php.j2 b/roles/owncloud/templates/config.php.j2
new file mode 100644
index 0000000..0a65ab8
--- /dev/null
+++ b/roles/owncloud/templates/config.php.j2
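Review bot: The rendered docker-compose.yml carries OWNCLOUD_ADMIN_PASSWORD and the database credentials in clear text, yet the "build owncloud docker-compose.yml.j2" task writes it with `mode: u=rw,g=r,o=r`; only the parent directory's `mode: 0700` keeps it from being world-readable, so the file itself should be `mode: 0600`. The config.php task's `mode: 0750` likewise sets an execute bit on a data file that holds `secret`, `passwordsalt` and the mail/OIDC secrets, and leaves it readable by group root; `mode: 0640` is the conventional choice. The last task uses `state: restarted` unconditionally, so every play run restarts the whole stack even when neither template changed; a handler notified by the two template tasks, with `state: started` here, restarts only on change. `owner: www-data` on the host assumes the container's www-data resolves to the same uid, which is worth a one-line comment if that is known to hold for the owncloud/server image.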
@@ -0,0 +1,82 @@
+ + array (
+ 0 =>
+ array (
+ 'path' => '/var/www/owncloud/apps',
+ 'url' => '/apps',
+ 'writable' => false,
+ ),
+ 1 =>
+ array (
+ 'path' => '/var/www/owncloud/custom',
+ 'url' => '/custom',
+ 'writable' => true,
+ ),
+ ),
+ 'trusted_domains' =>
+ array (
+ 0 => 'owncloud.internal.simponic.xyz',
+ 1 => 'localhost',
+ 2 => '127.0.0.1',
+ ),
+ 'datadirectory' => '/mnt/data/files',
+ 'dbtype' => 'mysql',
+ 'dbhost' => 'mariadb:3306',
+ 'dbname' => 'owncloud',
+ 'dbuser' => 'owncloud',
+ 'dbpassword' => 'owncloud',
+ 'dbtableprefix' => 'oc_',
+ 'log_type' => 'owncloud',
+ 'supportedDatabases' =>
+ array (
+ 0 => 'sqlite',
+ 1 => 'mysql',
+ 2 => 'pgsql',
+ ),
+ 'upgrade.disable-web' => true,
+ 'default_language' => 'en',
+ 'overwrite.cli.url' => 'https://owncloud.internal.simponic.xyz/',
+ 'htaccess.RewriteBase' => '/',
+ 'logfile' => '/mnt/data/files/owncloud.log',
+ 'memcache.local' => '\\OC\\Memcache\\APCu',
+ 'mysql.utf8mb4' => true,
+ 'filelocking.enabled' => true,
+ 'memcache.distributed' => '\\OC\\Memcache\\Redis',
+ 'memcache.locking' => '\\OC\\Memcache\\Redis',
+ 'redis' =>
+ array (
+ 'host' => 'redis',
+ 'port' => '6379',
+ ),
+ 'passwordsalt' => '{{ owncloud_pwd_salt }}',
+ 'secret' => '{{ owncloud_secret }}',
+ 'version' => '10.14.0.3',
+ 'dbconnectionstring' => '',
+ 'allow_user_to_change_mail_address' => '',
+ 'logtimezone' => 'UTC',
+ 'installed' => true,
+ 'instanceid' => 'oco7aemx06vf',
+ 'mail_domain' => 'simponic.xyz',
+ 'mail_from_address' => 'info',
+ 'mail_smtpmode' => 'smtp',
+ 'mail_smtpauth' => 1,
+ 'mail_smtpsecure' => 'tls',
+ 'mail_smtphost' => 'mail.simponic.xyz',
+ 'mail_smtpport' => '587',
+ 'mail_smtpname' => 'info',
+ 'mail_smtppassword' => '{{ owncloud_mail_password }}',
+ 'ldapIgnoreNamingRules' => false,
+ 'allow_user_to_change_display_name' => false,
+ 'lost_password_link' => 'disabled',
+ 'openid-connect' => [
+ 'auto-provision' => ['enabled' => true],
+ 'autoRedirectOnLoginPage' => false,
+ 'client-id' =>
'owncloud',
+ 'client-secret' => '{{ owncloud_oidc_secret }}',
+ 'loginButtonName' => 'Simponic Authelia',
+ 'provider-url' => 'https://authelia.simponic.xyz',
+ 'redirect-url' => 'https://owncloud.internal.simponic.xyz/apps/openidconnect/redirect'
+ ],
+);
diff --git a/roles/owncloud/templates/docker-compose.yml.j2 b/roles/owncloud/templates/docker-compose.yml.j2
new file mode 100644
index 0000000..3db1284
--- /dev/null
+++ b/roles/owncloud/templates/docker-compose.yml.j2
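Review bot: `'dbpassword' => 'owncloud'` in config.php.j2 is a hard-coded default credential in a template whose every other secret is a Jinja variable, and it has to stay in lock-step with the same literal in the compose file; it should read `'dbpassword' => '{{ owncloud_db_password }}',` with the variable sourced from the environment in group_vars like `owncloud_secret`. `'version' => '10.14.0.3'` is likewise pinned independently of `owncloud_version` and `'trusted_domains'` repeats the `owncloud_trusted_domains` list by hand, so bumping either variable without editing this template silently diverges; as far as I know ownCloud compares the config `version` with the code version at start-up, which makes the former a likely upgrade footgun and deserves at least a `{# keep in sync with owncloud_version #}` comment. Note that the first lines of this hunk are garbled in this rendering (the `<?php`/`$CONFIG = array (` opener and the `'apps_paths' =>` key appear to have been stripped by the extraction), so the opener could not be reviewed here.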
@@ -0,0 +1,80 @@
+version: "3"
+
+volumes:
+ mysql:
+ driver: local
+ redis:
+ driver: local
+
+networks:
+ owncloud:
+ external: false
+
+services:
+ owncloud:
+ image: owncloud/server:{{ owncloud_version }}
+ container_name: owncloud_server
+ restart: always
+ ports:
+ - "127.0.0.1:24734:8080"
+ depends_on:
+ - mariadb
+ - redis
+ environment:
+ - OWNCLOUD_DOMAIN={{ owncloud_domain }}
+ - OWNCLOUD_TRUSTED_DOMAINS={{ owncloud_trusted_domains }}
+ - OWNCLOUD_DB_TYPE=mysql
+ - OWNCLOUD_DB_NAME=owncloud
+ - OWNCLOUD_DB_USERNAME=owncloud
+ - OWNCLOUD_DB_PASSWORD=owncloud
+ - OWNCLOUD_DB_HOST=mariadb
+ - OWNCLOUD_ADMIN_USERNAME=admin
+ - OWNCLOUD_ADMIN_PASSWORD={{ owncloud_admin_password }}
+ - OWNCLOUD_MYSQL_UTF8MB4=true
+ - OWNCLOUD_REDIS_ENABLED=true
+ - OWNCLOUD_REDIS_HOST=redis
+ healthcheck:
+ test: ["CMD", "/usr/bin/healthcheck"]
+ interval: 30s
+ timeout: 10s
+ retries: 5
+ volumes:
+ - {{ owncloud_mount }}:/mnt/data:rw
+ networks:
+ - owncloud
+
+ mariadb:
+ image: mariadb:10.11 # minimum required ownCloud version is 10.9
+ container_name: owncloud_mariadb
+ restart: always
+ environment:
+ - MYSQL_ROOT_PASSWORD=owncloud
+ - MYSQL_USER=owncloud
+ - MYSQL_PASSWORD=owncloud
+ - MYSQL_DATABASE=owncloud
+ - MARIADB_AUTO_UPGRADE=1
+ command: ["--max-allowed-packet=128M", "--innodb-log-file-size=64M"]
+ healthcheck:
+ test: ["CMD", "mysqladmin", "ping", "-u", "root", "--password=owncloud"]
+ interval: 10s
+ timeout: 5s
+ retries: 5
+ volumes:
+ - mysql:/var/lib/mysql
+ networks:
+ - owncloud
+
+ redis:
+ image: redis:6
+ container_name: owncloud_redis
+ restart: always
+ command: ["--databases", "1"]
+ healthcheck:
+ test: ["CMD", "redis-cli", "ping"]
+ interval: 10s
+ timeout: 5s
+ retries: 5
+ volumes:
+ - redis:/data
+ networks:
+ - owncloud
diff --git a/roles/private/files/europa/http.owncloud.internal.simponic.xyz.conf b/roles/private/files/europa/http.owncloud.internal.simponic.xyz.conf
new file mode 100644
index 0000000..9fdc6c3
--- /dev/null
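Review bot: The mariadb service hard-codes `MYSQL_ROOT_PASSWORD=owncloud` and `MYSQL_PASSWORD=owncloud` (and the owncloud service `OWNCLOUD_DB_PASSWORD=owncloud`), so the database root account and the application account share a guessable literal that is also passed on the healthcheck command line, where it shows up in `docker inspect` and the container's process list. The admin password already comes from an env-sourced variable, so the same treatment belongs here: template the passwords from two new group_vars entries (say `owncloud_db_password` and `owncloud_db_root_password`, read with `lookup('env', ...)` like the others) and keep the healthcheck in step with the root one. Newer official mariadb images also ship `/usr/local/bin/healthcheck.sh --connect --innodb_initialized`, which would avoid a password on the command line altogether, though I have not verified that for the exact 10.11 tag pinned here. The top-level `version: "3"` key is obsolete in Compose v2 and only produces a warning; it can be dropped.
```yaml
    environment:
      # … unchanged: OWNCLOUD_DOMAIN … OWNCLOUD_DB_USERNAME …
      - OWNCLOUD_DB_PASSWORD={{ owncloud_db_password }}
      # … unchanged: OWNCLOUD_DB_HOST … OWNCLOUD_REDIS_HOST …

  mariadb:
    # … unchanged: image, container_name, restart …
    environment:
      - MYSQL_ROOT_PASSWORD={{ owncloud_db_root_password }}
      - MYSQL_USER=owncloud
      - MYSQL_PASSWORD={{ owncloud_db_password }}
      # … unchanged: MYSQL_DATABASE, MARIADB_AUTO_UPGRADE …
    # … unchanged: command …
    healthcheck:
      test: ["CMD", "mysqladmin", "ping", "-u", "root", "--password={{ owncloud_db_root_password }}"]
```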
+++ b/roles/private/files/europa/http.owncloud.internal.simponic.xyz.conf
@@ -0,0 +1,13 @@
+server {
+ listen 80;
+ server_name owncloud.internal.simponic.xyz;
+
+ location /.well-known/acme-challenge {
+ root /var/www/letsencrypt;
+ try_files $uri $uri/ =404;
+ }
+
+ location / {
+ rewrite ^ https://owncloud.internal.simponic.xyz$request_uri? permanent;
+ }
+}
diff --git a/roles/private/files/europa/https.owncloud.internal.simponic.xyz.conf b/roles/private/files/europa/https.owncloud.internal.simponic.xyz.conf
new file mode 100644
index 0000000..1321199
--- /dev/null
+++ b/roles/private/files/europa/https.owncloud.internal.simponic.xyz.conf
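Review bot: The `location /` block redirects with `rewrite ^ https://owncloud.internal.simponic.xyz$request_uri? permanent;`, which runs a regex on every request and relies on the trailing `?` trick to suppress the original query string being appended twice; the idiomatic and cheaper form is `return 301 https://$host$request_uri;`. Since this server block names a single `server_name`, `$host` and the literal hostname are equivalent here, so either spelling is fine as long as the `return` form is used.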
@@ -0,0 +1,32 @@
+server {
+ listen 443 ssl;
+ server_name owncloud.internal.simponic.xyz;
+
+ ssl_certificate /etc/letsencrypt/live/owncloud.internal.simponic.xyz/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/owncloud.internal.simponic.xyz/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/owncloud.internal.simponic.xyz/fullchain.pem;
+
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_timeout 5m;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+
+ ssl_dhparam /etc/nginx/dhparams.pem;
+ ssl_prefer_server_ciphers on;
+
+ location / {
+ proxy_pass http://127.0.0.1:24734;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $server_name;
+ proxy_buffering off;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+ add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+ }
+}
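Review bot: `proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;` in the `location /` block forwards whatever the client put in that header (or nothing at all) instead of the scheme nginx actually terminated, so a client can claim `http` on an HTTPS connection and the header is empty for ordinary browsers; since this vhost is the TLS terminator it should be `proxy_set_header X-Forwarded-Proto $scheme;`. The TLS settings are also dated: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` keeps the deprecated 1.0/1.1 versions enabled and the cipher list admits 3DES (`DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`) and non-forward-secret static-RSA suites, so I would change it to `ssl_protocols TLSv1.2 TLSv1.3;` and trim the list to the ECDHE AEAD suites (the `HIGH:!...` tail then becomes redundant). Because `location /` proxies ownCloud's upload endpoints, the nginx default `client_max_body_size` of 1m will reject larger uploads with 413; add `client_max_body_size 0;` (or a deliberate cap) next to `proxy_buffering off;`, unless that is already set at the `http` level outside this file.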