From: rominique Date: Thu, 14 Mar 2024 23:50:32 +0000 (+0100) Subject: ajout playbook creation site X-Git-Url: https://git.cyclocoop.org/%28%28?a=commitdiff_plain;h=f0a634c73af3548be7ea962f1065f6d1d9f69dd4;p=lhc%2Fansible.git ajout playbook creation site --- diff --git a/creation_nouveau_site.yml b/creation_nouveau_site.yml new file mode 100644 index 0000000..cd2f0f2 --- /dev/null +++ b/creation_nouveau_site.yml 
@@ -0,0 +1,117 @@ +# commande pour lancer le playbook: ansible-playbook creation_nouveau_site.yml +# attention - Par défaut ce scipt se lancer vers ligatures + +- name: Promp pour définir les variables du nouveau ite + hosts: vm_debian11 # test avec un nom de vm + become: true # toutes les tâches seront pas défaut éxécuter en tant que root + + vars: +# config_nginx: true à l'avenir on pourrait demander à l'utilisateur de choisir si il veut configurer nginx + php_version: 8.0 + postgres_version: 15 + nouvelle_version: 27.1.6 # nextcloud + ancienne_version: 27.1.5 # nextcloud + + vars_prompt: + + - name: SITE + prompt: 'quel type de site?(ex: nuage, www, wiki, paheko)' + private: false + default: "paheko" + + - name: TLD + prompt: 'TLD du site à mettre à jour?(ex: org)' + private: false + default: "org" + + - name: DOMAIN + prompt: 'Domaine du site à mettre à jour?(ex: heureux-cyclage)' + private: false + default: "heureux-cyclage" + + - name: SIGLE + prompt: 'Sigle du site à mettre à jour?(ex: lhc)' + private: false + default: "lhc" + + - name: config_php + prompt: 'Faut-il configurer un pool PHP?(ex: oui/non)' + private: false + default: "non" + + - name: besoin_https + prompt: 'Faut-il configurer un certificat ssl pour le HTTPS?(ex: oui/non)' + private: false + default: "non" + + - name: sftp + prompt: 'besoin de configurer un accès SFTP pour ce compte (ex: oui/non)' + private: false + default: "non" + + - name: sftp_key + prompt: "Entrer la clé publique à autoriser pour l'acces SFTP (si nécessaire)" + private: false + default: "non" + + pre_tasks: + + - name: Vérifier le sigle n'est pas déjà utilisé + ansible.builtin.lineinfile: + dest: /etc/passwd + search_string: "site_{{ SIGLE }}" + state: absent + check_mode: true + changed_when: false + register: presence_sigle + failed_when: presence_sigle.changed + + tasks: + + - name: Inclure la configuration d'un site web basique + ansible.builtin.include_tasks: tasks/config_www.yml + + - name: Bloc permettant de générer 
les certificats SSL + when: besoin_https == 'oui' + block: + - name: Inclure la configuration nginx http + ansible.builtin.include_tasks: tasks/config_nginx.yml + vars: + template_site: 'http' + + - name: Générer un certififat avec certbot # noqa : command-instead-of-module + become: true + ansible.builtin.command: 'certbot certonly -i nginx -d {{ SITE }}.{{ DOMAIN }}.{{ TLD }}' + register: certbot_log + changed_when: false + + - name: Afficher les logs certbot + ansible.builtin.debug: + var: certbot_log + when: certbot_log is defined + + + - name: Inclure la configuration nginx + ansible.builtin.include_tasks: tasks/config_nginx.yml + vars: + template_site: "{{ SITE }}" + + - name: Inclure la configuration d'un pool PHP + ansible.builtin.include_tasks: tasks/config_pool_php.yml + when: config_php == 'oui' or SITE == 'paheko' or SITE == 'nuage' + + - name: Inclure la configuration nextcloud si besoin + ansible.builtin.include_tasks: tasks/config_nuage.yml + when: SITE == 'nuage' + + - name: Inclure la configuration paheko si besoin + ansible.builtin.include_tasks: tasks/config_paheko.yml + when: SITE == 'paheko' + + # MAJ borgmatic conf +## Mettre à jour la conf de borgmatic pour intégrer les dossiers du nouveau nuage dans 'source_directories' + + # vim /etc/borgmatic/config.yaml + + # - /home/sites/data/${TLD}/${DOMAIN}/${SITE}/config + # - /home/sites/data/${TLD}/${DOMAIN}/${SITE}/data \ No newline at end of file diff --git a/group_vars/vm.yml b/group_vars/vm.yml index bb871ec..1d18013 100644 --- a/group_vars/vm.yml +++ b/group_vars/vm.yml 
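Review bot: The prompted values SITE, DOMAIN, TLD and SIGLE are passed unvalidated into the included task files, where they build filesystem paths (`/etc/nginx/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}`, `/home/sites/data/...`), Unix account names, a pg_hba rule and the certbot `-d` argument, so a value containing `/`, `..` or whitespace creates directories and accounts outside the intended tree; an `ansible.builtin.assert` in `pre_tasks` against a strict character class should run before anything is changed. The existing `/etc/passwd` check is a substring match (`search_string: "site_{{ SIGLE }}"` also matches `site_lhcbis_www`), so `regexp: '^site_{{ SIGLE }}_{{ SITE }}:'` would make it exact. `php_version: 8.0` under `vars` is a YAML float that overrides the quoted `'8.0'` in group_vars and would render a future `8.10` as `8.1`; write `php_version: '8.0'`. The `sftp` and `sftp_key` prompts are not read by any task file in this commit, so the pasted key is dropped unless `tasks/config_nuage.yml` (not shown) consumes it. `certbot certonly -i nginx` with `changed_when: false` also hides whether a certificate was actually issued, and `certonly` ignores the installer plugin — confirm the intended form (`--nginx -d ...` or `certonly --webroot`) against the certbot version on the target.
```yaml
  pre_tasks:

    - name: Valider les valeurs saisies avant toute modification
      ansible.builtin.assert:
        that:
          - SITE is match('^[a-z0-9-]+$')
          - DOMAIN is match('^[a-z0-9-]+$')
          - TLD is match('^[a-z]+$')
          - SIGLE is match('^[a-z0-9]+$')
        fail_msg: "SITE, DOMAIN, TLD et SIGLE ne doivent contenir que des minuscules, chiffres et tirets"

    # … unchanged: Vérifier le sigle n'est pas déjà utilisé …
```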
@@ -7,9 +7,10 @@ nouvelle_version: 23.0.12 # 24.0.12 # 25.0.9 # 26.0.4 -php_fpm_service: php8.0-fpm -nextcloud_tmp_path: "/tmp/nextcloud/{{ domain }}" -nextcloud_backup_path: "/opt/nuage/backups/{{ domain }}" +php_fpm_service: php{{ php_version }}-fpm +php_version: '8.0' +nextcloud_tmp_path: "/tmp/nextcloud/{{ DOMAIN }}" +nextcloud_backup_path: "/opt/nuage/backups/{{ DOMAIN }}" nextcloud_db_name: "nextcloud" nextcloud_sources_files_path: "{{ nextcloud_files_path }}/sources" nextcloud_common_files_path: "{{ nextcloud_files_path }}/common" diff --git a/host_vars/ateliers.yml b/host_vars/ateliers.yml index 6d14985..78bc676 100644 --- a/host_vars/ateliers.yml +++ b/host_vars/ateliers.yml @@ -1,5 +1,7 @@ -nextcloud_webroot: "/home/www/data/org/heureux-cyclage/nuages/instances/{{ domain }}" +nextcloud_webroot: "/home/www/data/org/heureux-cyclage/nuages/instances/{{ DOMAIN }}" nextcloud_websrv_user: php_nuages -nextcloud_db_name: "php_nuage_{{ domain }}" -php_fpm_service: php8.0-fpm -nextcloud_tmp_path: "/home/nextcloud_tmp/{{ domain }}" \ No newline at end of file +#nextcloud_db_name: "php_nuage_{{ DOMAIN }}" +nextcloud_db_name: "php_nuage_clav_gre" +php_fpm_service: php{{ php_version }}-fpm +php_version: '8.0' +nextcloud_tmp_path: "/home/nextcloud_tmp/{{ DOMAIN }}" \ No newline at end of file diff --git a/host_vars/ligatures.yml b/host_vars/ligatures.yml index fb4d714..9315720 100644 --- a/host_vars/ligatures.yml +++ b/host_vars/ligatures.yml 
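Review bot: `nextcloud_db_name` in host_vars/ateliers.yml is now hard-coded to `php_nuage_clav_gre` while the templated `php_nuage_{{ DOMAIN }}` line is commented out, so `tasks/backup_from_ateliers.yml`, which runs `pg_dump ... {{ nextcloud_db_name }}` when play_move_and_restore.yml includes it, will export the clav_gre database whatever DOMAIN the operator types at the prompt, with nothing checking that the two agree. If this is a one-off for the current migration, either restore the templated value (`nextcloud_db_name: "php_nuage_{{ DOMAIN }}"`) or add an `ansible.builtin.assert` that `DOMAIN == 'clavette-gre'` before the dump so the wrong instance's data cannot be exported by mistake. I am inferring the DOMAIN/clav_gre pairing from the `instances/clavette-gre` rsync path quoted in the backup task file.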
@@ -1,7 +1,8 @@ -nextcloud_websrv_user: "php_{{ sigle }}_nuage" +nextcloud_websrv_user: "php_{{ SIGLE }}_nuage" nextcloud_sources_files_path: "/home/sites/data/nextcloud/sources" nextcloud_common_files_path: "/home/sites/data/nextcloud/common" -nextcloud_webroot: "/home/sites/data/{{ tld }}/{{ domain }}/nuage" +nextcloud_webroot: "/home/sites/data/{{ TLD }}/{{ DOMAIN }}/nuage" nextcloud_source: "{{ nextcloud_sources_files_path }}/nextcloud-{{ nouvelle_version }}" nextcloud_common: "{{ nextcloud_common_files_path }}/nextcloud-{{ nouvelle_version }}" -php_fpm_service: php8.2-fpm \ No newline at end of file +php_fpm_service: php{{ php_version}}-fpm +php_version: '8.2' \ No newline at end of file diff --git a/mig_nuage_paillettes b/mig_nuage_paillettes new file mode 100644 index 0000000..f1aa106 --- /dev/null +++ b/mig_nuage_paillettes 
@@ -0,0 +1,78 @@ + + +https://nicolaslang.fr/articles/migrer-la-bdd-nextcloud-de-mysql-vers-postgres + +gzip -d ARCHIVE_dump_bdd.gz + +préparation MYSQL +DROP DATABASE pailleccambouis; +CREATE DATABASE pailleccambouis; +GRANT ALL PRIVILEGES ON *.* TO 'nextcloud' WITH GRANT OPTION; +source /home/roms/ARCHIVE_dump_bdd; + + +drop table oc_bbb_restrictions; +drop table oc_bbb_room_shares; +drop table oc_bbb_rooms; +drop table oc_mail_accounts; +drop table oc_mail_aliases; +drop table oc_mail_attachments; +drop table oc_mail_classifiers; +drop table oc_mail_coll_addresses; +drop table oc_mail_mailboxes; +drop table oc_mail_messages; +drop table oc_mail_recipients; + +mysql -u nextcloud -p pailleccambouis + +modif config.php avec localhost + dbuser nextcloud + dbpass Ckoideja + +sudo -u www-data ./console-7.4 db:convert-mysql-charset +sudo -u www-data ./console-7.4 db:add-missing-columns +sudo -u www-data ./console-7.4 db:add-missing-indices +sudo -u www-data ./console-7.4 db:convert-filecache-bigint +sudo -u www-data ./console-7.4 maintenance:mimetype:update-db +sudo -u www-data ./console-7.4 maintenance:mimetype:update-js + +préparation PGSQL +vim /etc/postgresql/11/main/pg_hba.conf +local all nextcloud peer +CREATE USER nextcloud; +ALTER USER nextcloud WITH PASSWORD 'Ckoideja'; + +DROP DATABASE nextcloud; +CREATE DATABASE nextcloud; + +ALTER DATABASE nextcloud OWNER TO nextcloud; +GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud; + + +adduser nextcloud -disabled-login --disabled-password --home /opt/nuage --no-create-home --shell /bin/false --system +adduser nextcloud postgres + +adduser nextcloud www-data +sudo -u www-data ./console-7.4 db:convert-type --all-apps pgsql nextcloud localhost nextcloud +certaines tables ne sont pas convertis donc perdus. Dire OK. 
+ + + +unlink nextcloud +sudo -u www-data ln -s /opt/source/nextcloud22/nextcloud/ nextcloud +sudo -u www-data ./console-7.4 upgrade +service php7.4-fpm reload + + +sudo -u www-data ./console-7.4 db:add-missing-columns +sudo -u www-data ./console-7.4 db:add-missing-indices +sudo -u www-data ./console-7.4 db:add-missing-primary-keys + + +migration: + + autoriser site_pec_nuage a se connecter dans /etc/passwd + lancer un rsync depuis la vm vers ligatures dans un /tmp (ou tester un fichier dans le /data) + comparer les fichiers de conf + sudo -u php_pec_nuage ./console upgrade + test de la v26 + update en v27 + diff --git a/play_move_and_restore.yml b/play_move_and_restore.yml index 13b31d3..4a21cb2 100644 --- a/play_move_and_restore.yml +++ b/play_move_and_restore.yml @@ -6,15 +6,15 @@ hosts: localhost vars_prompt: - - name: domain - prompt: 'Domaine du site à mettre à jour?(ex: heureux-cyclage)' + - name: DOMAIN + prompt: 'Domaine du site à migrer?(ex: heureux-cyclage)' private: false tasks: - name: Rendre la var domain dispo pour le host ateliers ansible.builtin.set_fact: - domain: "{{ domain }}" + DOMAIN: "{{ DOMAIN }}" delegate_to: "{{ item }}" delegate_facts: true loop: @@ -31,8 +31,8 @@ hosts: ateliers tasks: - # - name: Include backup_from_ateliers - # ansible.builtin.include_tasks: tasks/backup_from_ateliers.yml + - name: Include backup_from_ateliers + ansible.builtin.include_tasks: tasks/backup_from_ateliers.yml - name: Play sur vm_debian11 hosts: vm_debian11 diff --git a/tasks/backup_from_ateliers.yml b/tasks/backup_from_ateliers.yml index ea4dcc6..d662d64 100644 --- a/tasks/backup_from_ateliers.yml +++ b/tasks/backup_from_ateliers.yml 
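Review bot: This runbook commits a database password in clear text twice (`dbpass Ckoideja` for MySQL and `ALTER USER nextcloud WITH PASSWORD 'Ckoideja'` for PostgreSQL); once pushed it remains in the repository history regardless of later edits, so the credential should be treated as exposed and rotated on both servers, and the notes should point at a vault-managed or locally stored secret (e.g. `dbpass <voir ansible-vault>`) instead of the value. The MySQL preparation also runs `GRANT ALL PRIVILEGES ON *.* TO 'nextcloud' WITH GRANT OPTION`, which gives the application account grant rights over every database on the host; `GRANT ALL PRIVILEGES ON pailleccambouis.* TO 'nextcloud'` without GRANT OPTION is enough for the conversion. Adding the `nextcloud` system user to the `postgres` group (`adduser nextcloud postgres`) is probably more than the `local all nextcloud peer` rule requires, since peer auth only matches the OS user name — worth confirming before keeping that step.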
@@ -1,41 +1,48 @@ --- +# Tâches éxecutées sur le serveur ateliers + - name: Create nextcloud restore dir + become: true + become_user: root ansible.builtin.file: path: "{{ nextcloud_tmp_path }}" state: directory mode: '777' -- name: activate nextcloud maintenance mode - become_user: "{{ nextcloud_websrv_user }}" - become: true - command: './console maintenance:mode --on' - args: - chdir: "{{ nextcloud_webroot }}" +# - name: Activate nextcloud maintenance mode # noqa : command-instead-of-module +# become_user: "{{ nextcloud_websrv_user }}" +# become: true +# ansible.builtin.command: './console maintenance:mode --on' +# args: +# chdir: "{{ nextcloud_webroot }}" -- name: "Compress directory {{ nextcloud_data_path }} into {{ nextcloud_tmp_path }}/data.tar.gz" - become_user: "{{ nextcloud_websrv_user }}" - become: true - community.general.archive: - path: "{{ nextcloud_data_path }}" - dest: "{{ nextcloud_tmp_path }}/data.tar.gz" - format: gz - force_archive: true - mode: '777' +# replace by rsync -t -P --delay-updates -F --compress --archive --partial ateliers:/home/www/data/org/heureux-cyclage/nuages/instances/clavette-gre/data /opt/nuage/backups/clavette-gre/ +# - name: "Compress directory {{ nextcloud_data_path }} into {{ nextcloud_tmp_path }}/data.tar.gz" +# become_user: "{{ nextcloud_websrv_user }}" +# become: true +# community.general.archive: +# path: "{{ nextcloud_data_path }}" +# dest: "{{ nextcloud_tmp_path }}/data.tar.gz" +# format: gz +# force_archive: true +# mode: '777' - name: Create a dump of the postgreSQL database # noqa : command-instead-of-module become: true become_user: "{{ nextcloud_websrv_user }}" - ansible.builtin.command: "pg_dump -f dump.sql -F c -O -b {{ nextcloud_db_name }}" + ansible.builtin.command: "pg_dump -f dump.pgc -F c -O -b {{ nextcloud_db_name }}" args: chdir: "{{ nextcloud_tmp_path }}" -- name: copy nextcloud config file +# rsync -t -P --delay-updates -F --compress --archive --partial ateliers:/tmp/nextcloud_restore/dump.pgc 
/opt/nuage/backups/clavette-gre/ + +- name: Copy nextcloud config file become_user: "{{ nextcloud_websrv_user }}" become: true - ansible.builtin.copy: + ansible.builtin.copy: src: "{{ nextcloud_webroot }}/config/config.php" dest: "{{ nextcloud_tmp_path }}/config.php" - remote_src: yes # because the config file is already in the nextcloud_tmp_path + remote_src: true # because the config file is already in the nextcloud_tmp_path mode: '755' - name: Add read permissions to created tmp files @@ -57,8 +64,8 @@ dest: "/tmp/nextcloud/{{ domain }}/" flat: true loop: - - "{{ nextcloud_tmp_path }}/dump.sql" - - "{{ nextcloud_tmp_path }}/data.tar.gz" + - "{{ nextcloud_tmp_path }}/dump.pgc" +# - "{{ nextcloud_tmp_path }}/data.tar.gz" - "{{ nextcloud_tmp_path }}/config.php" - name: Supprimer les fichiers temporaires du serveur ateliers @@ -68,8 +75,8 @@ path: "{{ item }}" state: absent loop: - - "{{ nextcloud_tmp_path }}/dump.sql" - - "{{ nextcloud_tmp_path }}/data.tar.gz" + - "{{ nextcloud_tmp_path }}/dump.pgc" + # - "{{ nextcloud_tmp_path }}/data.tar.gz" - "{{ nextcloud_tmp_path }}/config.php" # - name: deactivate nextcloud maintenance mode @@ -77,4 +84,4 @@ # become: true # command: './console maintenance:mode --off' # args: -# chdir: "{{ nextcloud_webroot }}" \ No newline at end of file +# chdir: "{{ nextcloud_webroot }}" diff --git a/tasks/config_nextcloud.yml b/tasks/config_nextcloud.yml new file mode 100644 index 0000000..a9042bf --- /dev/null +++ b/tasks/config_nextcloud.yml 
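Review bot: `Copy nextcloud config file` writes `config.php` — which, per the notes elsewhere in this commit, carries the database password — into `{{ nextcloud_tmp_path }}` with `mode: '755'`, inside a directory this hunk creates with `mode: '777'`, so on a shared host every local account can read the instance's credentials while the file sits there. Because the task already runs as `{{ nextcloud_websrv_user }}`, `mode: '0600'` on the copy and `mode: '0700'` on the directory suffice, and the following `Add read permissions to created tmp files` task (its body is outside the hunk) should grant read only to the account that performs the fetch rather than to everyone. Commenting out `maintenance:mode --on` also means the `pg_dump` is taken from a live instance, so the dump and the manual rsync of `data/` mentioned in the new comment can disagree; keeping maintenance mode on around both steps avoids a restore that does not match its files.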
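Review bot: The fetch task's `dest: "/tmp/nextcloud/{{ domain }}/"` (a context line in this hunk) still references the lowercase `domain` variable that this commit renames to `DOMAIN` everywhere else, so with default undefined-variable handling the fetch now fails, and with it disabled the files land in a literal `/tmp/nextcloud//`. Changing it to `dest: "{{ nextcloud_tmp_path }}/"` keeps it aligned with the `copy src: "{{ nextcloud_tmp_path }}/"` in tasks/restore_to_vm.yml that expects the files on the controller at that path. Since `dump.pgc` and `config.php` are then kept in the controller's shared `/tmp`, a directory under the playbook tree with restrictive permissions would be a safer landing spot.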
@@ -0,0 +1,211 @@ +- name: Install required packages + ansible.builtin.apt: + name: + - php-ctype + - php-curl + - php-dom + - php-fileinfo + - php-gd + - php-json + - php-libxml + - php-mbstring + - php-openssl + - php-posix + - php-session + - php-simplexml + - php-xmlreader + - php-xmlwriter + - php-zip + - php-zlib + - php-pdo_pgsql + - php-intl + - php-bz2 + - php-sodium + - php-gmp +# - php-exif + - php-redis + - php-imagick + state: present + +- name: Boucle d'ajout du user php dans plusieurs groupe + ansible.builtin.user: + name: "php_{{ SIGLE }}_{{ SITE }}" + groups: "{{ item }}" + append: true + loop: + - nextcloud + - postgres-data + - redis + - "site_{{ SIGLE }}_{{ SITE }}" + +- name: Bloc nextcloud_version + when: nouvelle_version is undefined + block: + - name: Demande la version de nextcloud à installer + ansible.builtin.pause: + prompt: "Quelle version de nextcloud doit être utilisée" + echo: true + register: nextcloud_version_prompt + + - name: Definir nouvelle_version + ansible.builtin.set_fact: + nouvelle_version: "{{ nextcloud_version.user_input }}" + + - name: Demande la version de nextcloud déjà installer + ansible.builtin.pause: + prompt: "Quelle version de nextcloud déjà installée" + echo: true + register: ancienne_version_prompt + + - name: Definir ancienne_version + ansible.builtin.set_fact: + ancienne_version: "{{ ancienne_version.user_input }}" + +- name: Inclure la verif de l'install nextcloud + ansible.builtin.include_tasks: tasks/verif_installation_nextcloud.yml + +- name: "[PostgreSQL] - {{ nextcloud_websrv_user }} role is created." + become_user: postgres + become: true + community.postgresql.postgresql_user: + name: "{{ nextcloud_websrv_user }}" + state: present + role_attr_flags: CREATEDB + +- name: "[PostgreSQL] - {{ nextcloud_db_name }} database is created." 
+ become_user: postgres + become: true + community.postgresql.postgresql_db: + name: "{{ nextcloud_db_name }}" + state: "{{ item }}" + owner: "{{ nextcloud_websrv_user }}" + loop: + - absent + - present + +- name: Pour chaque base, ajouter les droits suivants à l'utilisateur php + community.postgresql.postgresql_privs: + db: "{{ item.db }}" + privs: "{{ item.privs }}" + type: "{{ item.type }}" + objs: "{{ item.objs }}" + role: "{{ item.role }}" + grant_option: "{{ item.grant_option |default(false) }}" + loop_control: "{{ item.name }}" + loop: + - db: "{{ php_${SIGLE}_nuage }}" + privs: "ALL" + type: "schema" + objs: "public" + role: "{{ php_${SIGLE}_nuage }}" + grant_option: true + name: "GRANT ALL ON SCHEMA public TO php_${SIGLE}_nuage WITH GRANT OPTION;" + - db: "{{ php_${SIGLE}_nuage }}" + privs: "USAGE,CREATE" + type: "schema" + objs: "public" + role: "{{ php_${SIGLE}_nuage }}" + name: "GRANT USAGE,CREATE ON SCHEMA public TO php_${SIGLE}_nuage;" + - db: "{{ php_${SIGLE}_nuage }}" + privs: "SELECT" + type: "table" + objs: "pg_namespace" + role: "{{ php_${SIGLE}_nuage }}" + name: GRANT SELECT ON TABLE pg_namespace TO php_${SIGLE}_nuage; + - db: "{{ php_${SIGLE}_nuage }}" + privs: "SELECT" + type: "table" + objs: "pg_collation" + role: "{{ php_${SIGLE}_nuage }}" + name: GRANT SELECT ON TABLE pg_collation TO php_${SIGLE}_nuage; + - db: "{{ php_${SIGLE}_nuage }}" + privs: "SELECT" + type: "table" + objs: "pg_index" + role: "{{ php_${SIGLE}_nuage }}" + name: GRANT SELECT ON TABLE pg_index TO php_${SIGLE}_nuage; + - db: "{{ php_${SIGLE}_nuage }}" + privs: "SELECT" + type: "table" + objs: "pg_attrdef" + role: "{{ php_${SIGLE}_nuage }}" + name: GRANT SELECT ON TABLE pg_attrdef TO php_${SIGLE}_nuage; + - db: "{{ php_${SIGLE}_nuage }}" + privs: "SELECT" + type: "table" + objs: "pg_description" + role: "{{ php_${SIGLE}_nuage }}" + name: GRANT SELECT ON TABLE pg_description TO php_${SIGLE}_nuage; + - db: "{{ php_${SIGLE}_nuage }}" + privs: "SELECT" + type: "table" + objs: 
"pg_settings" + role: "{{ php_${SIGLE}_nuage }}" + name: GRANT SELECT ON TABLE pg_settings TO php_${SIGLE}_nuage; + - db: "{{ php_${SIGLE}_nuage }}" + privs: "SELECT" + objs: "pg_database" + role: "{{ php_${SIGLE}_nuage }}" + name: GRANT SELECT ON pg_database TO php_${SIGLE}_nuage; + +- name: Autoriser l'utilisateur php à se connecter à la bdd nextcloud + community.postgresql.postgresql_pg_hba: + dest: "/etc/postgresql/{{ postgres_version }}/main/pg_hba.conf" + contype: local + users: "php_{{ SIGLE}}_{{SITE}}" + databases: "php_{{ SIGLE}}_{{SITE}}" + method: peer + keep_comments_at_rules: true + comment: "autoriser le user php_{{ SIGLE}}_{{SITE}} à se connecter à la bdd du meme nom" + +# - name: Update nextcloud root dir symbolic link +# become: true +# ansible.builtin.file: +# src: "{{ nextcloud_source }}" +# dest: "{{ nextcloud_webroot }}/nextcloud" +# owner: nextcloud +# group: nextcloud +# state: link +# follow: false + +# - name: Update nextcloud common app dir symbolic link +# become: true +# ansible.builtin.file: +# src: "{{ nextcloud_common }}" +# dest: "{{ nextcloud_webroot }}/common" +# owner: nextcloud +# group: nextcloud +# state: link +# follow: false + +# copy skeleton? 
+ +# lancement de la commande d'installation + +# lien symbolic common conf + +- name: Create sigle nextcloud config + become_user: "{{ nextcloud_websrv_user }}" + become: true + ansible.builtin.template: + src: templates/sigle.config.php.j2 + dest: "{{ nextcloud_webroot }}/config/sigle.config.php" + owner: "{{ nextcloud_websrv_user }}" + group: "{{ nextcloud_websrv_user }}" + mode: '640' # or u=rwx,g=r,o= + +- name: Creation d'un fichier cron pour /etc/cron.d + ansible.builtin.cron: + name: "nextcloud {{ SIGLE }}_{{ SITE }} taches d'arriere plan " + minute: "5" + user: "php_{{ SIGLE}}_{{SITE}}" + job: "/home/sites/data/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}/cron" + +- name: Recharger plusieurs services + ansible.builtin.service: + name: "{{ item }}" + state: reloaded + loop: + - "postgresql" + - "php{{ php_version }}-fpm" + - "nginx" diff --git a/tasks/config_nginx.yml b/tasks/config_nginx.yml new file mode 100644 index 0000000..02ac416 --- /dev/null +++ b/tasks/config_nginx.yml 
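Review bot: The `Pour chaque base, ajouter les droits suivants` loop cannot run as written: `{{ php_${SIGLE}_nuage }}` is shell syntax inside a Jinja expression and raises a template error, `loop_control: "{{ item.name }}"` must be a mapping (`loop_control: {label: "{{ item.name }}"}`), and the last entry has no `type:` so `{{ item.type }}` is undefined. The role and database names are already given by `nextcloud_websrv_user` / `nextcloud_db_name` in the two preceding tasks, so reusing them keeps the three consistent (the pg_hba task below uses yet another pair, `php_{{ SIGLE}}_{{SITE}}` for both user and database — pick one). The `Bloc nextcloud_version` block registers `nextcloud_version_prompt` / `ancienne_version_prompt` but reads `nextcloud_version.user_input` and `ancienne_version.user_input`, which are undefined. On the privilege side, the `absent`/`present` loop on `postgresql_db` drops the database on every run, and `role_attr_flags: CREATEDB` plus `GRANT ALL ON SCHEMA public ... WITH GRANT OPTION` hand the web user more than the SELECT grants below need; dropping CREATEDB and the grant option, and guarding the drop behind an explicit fresh-install flag, limits the damage of an accidental re-run. The privs module presumably also needs `become_user: postgres` like the two tasks above it — confirm.
```yaml
- name: Pour chaque base, ajouter les droits suivants à l'utilisateur php
  become: true
  become_user: postgres
  community.postgresql.postgresql_privs:
    db: "{{ item.db }}"
    privs: "{{ item.privs }}"
    type: "{{ item.type | default('table') }}"
    objs: "{{ item.objs }}"
    role: "{{ item.role }}"
    grant_option: "{{ item.grant_option | default(false) }}"
  loop_control:
    label: "{{ item.name }}"
  loop:
    - db: "{{ nextcloud_db_name }}"
      privs: "USAGE,CREATE"
      type: "schema"
      objs: "public"
      role: "{{ nextcloud_websrv_user }}"
      name: "GRANT USAGE,CREATE ON SCHEMA public TO {{ nextcloud_websrv_user }};"
    # … unchanged: SELECT grants on pg_namespace, pg_collation, pg_index,
    #   pg_attrdef, pg_description, pg_settings, pg_database, with the same
    #   db/role substitution …
```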
@@ -0,0 +1,48 @@ +- name: Boucle création ou modifications des répertoires config et logs de nginx pour le site + ansible.builtin.file: + path: "{{ item.path }}" + state: "{{ item.state }}" + owner: "{{ item.owner }}" + group: "{{ item.group }}" + mode: "{{ item.mode }}" + loop_control: + label: "{{ item.path }}" + loop: + - path: "/etc/nginx/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}" + state: directory + owner: 'root' + group: 'root' + mode: '2750' + - path: "/home/sites/log/nginx/{{ TLD }}/{{ DOMAIN }}" + state: directory + owner: 'log_sites' + group: 'log_sites' + mode: '755' + - path: "/home/sites/log/nginx/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}" + state: directory + owner: 'log_sites' + group: 'log_sites' + mode: '2750' + +- name: Création de la conf server nginx + ansible.builtin.template: + src: "templates/nginx_{{ template_site }}_server.j2" + dest: "/etc/nginx/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}/server.conf" + owner: "root" + group: "root" + mode: '640' # or u=rwx,g=r,o= + +- name: Création de la conf common nginx + ansible.builtin.template: + src: "templates/nginx_{{ template_site }}_common.j2" + dest: "/etc/nginx/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}/common.conf" + owner: "root" + group: "root" + mode: '640' # or u=rwx,g=r,o= + when: SITE != 'nuage' and template_site != 'http' + +- name: Recharger le service nginx + ansible.builtin.service: + name: nginx + state: reloaded + when: SITE != 'nuage' and SITE != 'paheko' and template_site == 'http' diff --git a/tasks/config_paheko.yml b/tasks/config_paheko.yml new file mode 100644 index 0000000..904aff5 --- /dev/null +++ b/tasks/config_paheko.yml 
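Review bot: `Recharger le service nginx` only fires when `SITE != 'nuage' and SITE != 'paheko' and template_site == 'http'`, so for the playbook's default `paheko` site (and for `nuage`) the freshly written `server.conf` is never loaded by this file, and the certbot step that follows the `http` include in creation_nouveau_site.yml would run against a configuration nginx has not picked up; whether config_paheko.yml's later reload covers the second pass depends on ordering this file does not control. A safer pattern is to reload after every template write but only once a syntax check has passed — `ansible.builtin.command: nginx -t` with `changed_when: false`, then `state: reloaded` — or to `notify` one `reload nginx` handler from both template tasks. The `/etc/nginx/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}` path is built from prompted values that nothing in this file validates, so a SITE such as `../../conf.d/x` writes outside the per-site tree; the check belongs in the calling playbook, but a comment stating that assumption here would help.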
@@ -0,0 +1,145 @@ +- name: Install required packages + ansible.builtin.apt: + name: + - php + - php-sqlite3 + - php-intl + - php-cli + - php-imagick + - php-mbstring + state: present + register: php_install + +- name: Enable PHP modules + ansible.builtin.command: phpenmod sqlite3 imagick intl + when: php_install.changed + +- name: Ajout de l'utilisateur php_SIGLE_SITE + ansible.builtin.user: + name: "php_{{ SIGLE }}_{{ SITE }}" + home: "/etc/php/{{ php_version }}/fpm/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}" + shell: /bin/false + system: true + append: true + create_home: false + password: '!' +# group: "php_{{ SIGLE }}_{{ SITE }}" + +- name: Bloc paheko_version + when: paheko_version is undefined + block: + - name: Demande la version de nextcloud à installer + ansible.builtin.pause: + prompt: "Quelle version de nextcloud doit être utilisé" + echo: true + register: paheko_version_prompt + + - name: Definir paheko_version + ansible.builtin.set_fact: + paheko_version: "{{ paheko_version_prompt.user_input }}" + +- name: Vérif si la source paheko est téléchargée + become: true + ansible.builtin.stat: + path: "/home/sites/data/paheko/{{ paheko_version }}" + register: paheko_source_path + +- name: Installion de la nouvelle version paheko + when: not paheko_source_path.stat.exists + block: + + - name: Boucle création ou modifications des répertoires pahéko + ansible.builtin.file: + path: "{{ item.path }}" + state: "{{ item.state }}" + owner: "{{ item.owner }}" + group: "{{ item.group }}" + mode: "{{ item.mode }}" + loop_control: + label: "{{ item.path }}" + loop: + - path: "/home/sites/data/paheko/{{ paheko_version }}" + state: "directory" + owner: "www-data" + group: "www-data" + mode: "755" + + - name: Telecharger la source Paheko + become: true + become_user: www-data + ansible.builtin.get_url: + url: "https://fossil.kd2.org/paheko/uv/paheko-{{ paheko_version }}.tar.gz" + dest: "/home/sites/data/paheko/{{ paheko_version }}.tar.gz" + mode: '755' # or u=rwx,g=rx,o=rx + + - 
name: Extract downloaded nextcloud source + become: true + become_user: www-data + ansible.builtin.unarchive: + src: "/home/sites/data/paheko/{{ paheko_version }}.tar.gz" + dest: "/home/sites/data/paheko" + # mode: '755' # or u=rwx,g=rx,o=rx + remote_src: true + + - name: Renommer paheko-version par uniquement la version + become: true + become_user: www-data + ansible.builtin.copy: + src: "/home/sites/data/paheko/paheko-{{ paheko_version }}/" + dest: "/home/sites/data/paheko/{{ paheko_version }}" + remote_src: true # because the config file is already in the nextcloud_tmp_path + mode: preserve + + - name: Deleted downloaded nextcloud files + become: true + ansible.builtin.file: + path: "{{ item }}" + state: absent + loop: + - "/home/sites/data/paheko/{{ paheko_version }}.tar.gz" + - "/home/sites/data/paheko/paheko-{{ paheko_version }}" + +- name: Copie la source paheko vers le home du site + become: true +# become_user: "php_{{ SIGLE }}_{{ SITE }}" + ansible.builtin.copy: + src: "/home/sites/data/paheko/{{ paheko_version }}/" + dest: "/home/sites/data/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}" + remote_src: true # because the config file is already in the nextcloud_tmp_path + +- name: Modification du propriétaire group et droits du dossier + ansible.builtin.file: + path: "/home/sites/data/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}/" + state: directory + owner: "php_{{ SIGLE }}_{{ SITE }}" + group: "php_{{ SIGLE }}_{{ SITE }}" + mode: '644' + recurse: true + +- name: Boucle d'ajout du user php dans plusieurs groupe + ansible.builtin.user: + name: "php_{{ SIGLE }}_{{ SITE }}" + groups: "{{ item }}" + append: true + loop: + - "site_{{ SIGLE }}_{{ SITE }}" + +# - name: Change displayed icon +# ansible.builtin.copy: +# src: "{{ icon }}" +# dest: "/usr/share/garradin/www/admin/static/icon{{ icon | splitext | last }}" +# when: icon is defined + +# - name: Change page favicon +# ansible.builtin.copy: +# src: "{{ favicon }}" +# dest: "/usr/share/garradin/www/admin/static/favicon{{ icon | 
splitext | last }}" +# when: favicon is defined + +- name: Recharger PHP service + ansible.builtin.service: + name: "{{ item }}" + state: reloaded + loop: + - "php{{ php_version }}-fpm" + - "nginx" diff --git a/tasks/config_pool_php.yml b/tasks/config_pool_php.yml new file mode 100644 index 0000000..f20d74b --- /dev/null +++ b/tasks/config_pool_php.yml 
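Review bot: `Modification du propriétaire group et droits du dossier` applies `mode: '644'` with `recurse: true` to the site directory, and the file module applies that mode to directories too, so every subdirectory loses its execute bit and neither PHP-FPM nor nginx can traverse the tree; the symbolic form `mode: 'u=rwX,g=rX,o='` adds execute on directories only and keeps files at 0640. Making `php_{{ SIGLE }}_{{ SITE }}` the owner of the entire webroot also lets the PHP process rewrite its own code — presumably wanted for Paheko's self-update, but a comment saying so would stop the next reviewer from "fixing" it. The `get_url` of `paheko-{{ paheko_version }}.tar.gz` has no `checksum:` argument, so a tampered or truncated download is installed silently; pinning `checksum: sha256:<value from the release page>` per version closes that, and the tarball itself does not need `mode: '755'`. Minor: `Enable PHP modules` has no `changed_when`, and the prompt text in `Bloc paheko_version` still asks for a nextcloud version.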
@@ -0,0 +1,85 @@ +- name: Ajout de l'utilisateur php_SIGLE_SITE + ansible.builtin.user: + name: "php_{{ SIGLE }}_{{ SITE }}" + home: "/etc/php/{{ php_version }}/fpm/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}" + shell: /bin/false + system: true + append: true + create_home: false + password: '!' +# group: "php_{{ SIGLE }}_{{ SITE }}" + +- name: Boucle d'ajout du user php dans plusieurs groupe + ansible.builtin.user: + name: "php_{{ SIGLE }}_{{ SITE }}" + groups: "{{ item }}" + append: true + loop: + - www-data + +- name: Boucle création ou modifications des répertoires log d'un pool php + ansible.builtin.file: + path: "{{ item.path }}" + state: "{{ item.state }}" + owner: "{{ item.owner }}" + group: "{{ item.group }}" + mode: "{{ item.mode }}" + loop_control: + label: "{{ item.path }}" + loop: + - path: "/home/sites/log/php/fpm/{{ TLD }}" + state: directory + owner: 'root' + group: 'root' + mode: '1751' + - path: "/home/sites/log/php/fpm/{{ TLD }}/{{ DOMAIN }}" + state: directory + owner: "php_{{ SIGLE }}_{{ SITE }}" + group: "php_{{ SIGLE }}_{{ SITE }}" + mode: '1751' + - path: "/home/sites/log/php/fpm/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}" + state: directory + owner: "php_{{ SIGLE }}_{{ SITE }}" + group: "php_{{ SIGLE }}_{{ SITE }}" + mode: '750' + +- name: Boucle création ou modifications des répertoires config d'un pool php + ansible.builtin.file: + path: "{{ item.path }}" + state: "{{ item.state }}" + owner: "{{ item.owner }}" + group: "{{ item.group }}" + mode: "{{ item.mode }}" + loop_control: + label: "{{ item.path }}" + loop: + - path: "/etc/php/{{ php_version }}/fpm/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}" + state: directory # If directory, all intermediate subdirectories will be created if they do not exist. 
+ owner: 'root' + group: 'root' + mode: '750' + - path: "/run/php_{{ php_version }}/fpm" + state: directory + owner: 'root' + group: 'root' + mode: '2755' + +- name: Création de la conf server nginx + ansible.builtin.template: + src: "templates/php_{{ SITE }}_conf.j2" + dest: "/etc/php/{{ php_version}}/fpm/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}/php-fpm.conf" + owner: "root" + group: "root" + mode: '640' # or u=rwx,g=r,o= + when: SITE == 'nuage' or SITE == 'paheko' + +- name: ATTENTION la config php n'a pas été créer + ansible.builtin.debug: + msg: "Il n'y a pas de templates php pour votre site, il faudra le créer manuellement" + when: SITE != 'nuage' or SITE != 'paheko' + +# - name: recharger PHP service +# ansible.builtin.service: +# name: "php{{ php_version }}-fpm" +# state: reloaded +# when: SITE != 'nuage' or SITE != 'paheko' diff --git a/tasks/config_www.yml b/tasks/config_www.yml new file mode 100644 index 0000000..06af483 --- /dev/null +++ b/tasks/config_www.yml 
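Review bot: The warning task `ATTENTION la config php n'a pas été créer` is gated on `SITE != 'nuage' or SITE != 'paheko'`, which is true for every SITE, so the "no template" message is printed even right after `php-fpm.conf` was written; it should read `when: SITE != 'nuage' and SITE != 'paheko'` (the commented-out reload below has the same inversion). Testing for the template itself, `when: lookup('ansible.builtin.fileglob', 'templates/php_' ~ SITE ~ '_conf.j2') | length == 0`, would let new site types work without editing two conditions. Adding every `php_{{ SIGLE }}_{{ SITE }}` account to the `www-data` group also lets each pool read anything group-readable by www-data on the host, which weakens the per-site separation the naming suggests; if membership is only needed for the FPM socket directory, a dedicated group or a socket ACL preserves the isolation — confirm what www-data access the pool actually needs.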
@@ -0,0 +1,45 @@ +- name: Ajout de l'utilisateur site_SIGLE_SITE + ansible.builtin.user: + name: "site_{{ SIGLE }}_{{ SITE }}" + home: "/home/sites/log/nginx/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}" + shell: /bin/false + groups: www-data + system: true + append: true + create_home: false + password: '!' + +- name: Boucle d'ajout d'user dans le groupe site_SIGLE_SITE + ansible.builtin.user: + name: "{{ item }}" + groups: "site_{{ SIGLE }}_{{ SITE }}" + append: true + loop: + - 'www-data' + - 'backup' # pour borgmatic + +- name: Boucle création ou modifications des répertoires home du site + ansible.builtin.file: + path: "{{ item.path }}" + state: "{{ item.state }}" + owner: "{{ item.owner }}" + group: "{{ item.group }}" + mode: "{{ item.mode }}" + loop_control: + label: "{{ item.path }}" + loop: + - path: "/home/sites/data/{{ TLD }}" + state: directory + owner: 'root' + group: 'www-data' + mode: '3751' + - path: "/home/sites/data/{{ TLD }}/{{ DOMAIN }}" + state: directory + owner: 'root' + group: 'www-data' + mode: '2751' + - path: "/home/sites/data/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}" + state: directory + owner: 'root' + group: "site_{{ SIGLE }}_{{ SITE }}" + mode: '2750' diff --git a/tasks/restore_to_vm.yml b/tasks/restore_to_vm.yml index 4998bc2..653b87e 100644 --- a/tasks/restore_to_vm.yml +++ b/tasks/restore_to_vm.yml 
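Review bot: The new `site_{{ SIGLE }}_{{ SITE }}` account is created with `groups: www-data`, and `www-data` is then added to the site's own group, so membership flows both ways: every per-site user becomes a member of www-data and can read whatever is group-readable by www-data, which undercuts the separation the root:site-group `2750` directory sets up. If nginx only needs to traverse and read the site's files, the second direction alone is sufficient and `groups: www-data` on the site user can be dropped; if the site user genuinely needs www-data access, a comment explaining why would help the next maintainer. Setting the account's `home` to the nginx log directory is odd for an account the calling playbook expects to get SFTP access (it prompts for `sftp_key`, which no task in this commit consumes); `home: "/home/sites/data/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}"` would make a chrooted SFTP setup straightforward.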
@@ -1,13 +1,30 @@ --- -# - name: Clean nextcloud restore dir content -# become_user: "{{ nextcloud_websrv_user }}" -# become: true -# ansible.builtin.file: -# path: "{{ item }}" -# state: absent -# loop: -# - "{{ nextcloud_tmp_path }}" -# - "{{ nextcloud_webroot }}/data" +# chown -R www-data: /opt/nuage/backups/clavette-gre +# sudo -u postgres psql +# DROP DATABASE nextcloud; +# CREATE DATABASE nextcloud WITH OWNER=php_mig_nuage; +# GRANT ALL ON SCHEMA public TO php_mig_nuage WITH GRANT OPTION; +# GRANT USAGE,CREATE ON SCHEMA public TO php_mig_nuage; +# GRANT SELECT ON TABLE pg_namespace TO php_mig_nuage; +# GRANT SELECT ON TABLE pg_collation TO php_mig_nuage; +# GRANT SELECT ON TABLE pg_index TO php_mig_nuage; +# GRANT SELECT ON TABLE pg_attrdef TO php_mig_nuage; +# GRANT SELECT ON TABLE pg_description TO php_mig_nuage; +# GRANT SELECT ON TABLE pg_settings TO php_mig_nuage; +# GRANT SELECT ON pg_database TO php_mig_nuage; +# exit +# sudo -u php_mig_nuage pg_restore -F c -Oxc --if-exists -d nextcloud /opt/nuage/backups/clavette-gre/dump.pgc + + +- name: Clean nextcloud restore dir content + become_user: "{{ nextcloud_websrv_user }}" + become: true + ansible.builtin.file: + path: "{{ item }}" + state: absent + loop: + - "{{ nextcloud_tmp_path }}" + - "{{ nextcloud_webroot }}/data" - name: Recreate nextcloud restore dir # necessite le paquet acl installé become_user: "{{ nextcloud_websrv_user }}" 
@@ -15,23 +32,37 @@ ansible.builtin.file: path: "{{ item }}" state: directory - loop: + loop: - "{{ nextcloud_tmp_path }}" - - "{{ nextcloud_webroot }}/data" -# - name: Copy files from ansible controller to vm host -# become_user: "{{ nextcloud_websrv_user }}" -# become: true -# ansible.builtin.copy: -# src: "{{ nextcloud_tmp_path }}/" -# dest: "{{ nextcloud_tmp_path }}/" +- name: Copy files from ansible controller to vm host + become_user: "{{ nextcloud_websrv_user }}" + become: true + ansible.builtin.copy: + src: "{{ nextcloud_tmp_path }}/" + dest: "{{ nextcloud_tmp_path }}/" -# - name: Extract nc data archive -# become_user: "{{ nextcloud_websrv_user }}" -# become: true -# ansible.builtin.unarchive: -# src: "{{ nextcloud_tmp_path }}/data.tar.gz" -# dest: "{{ nextcloud_webroot }}/data" +- name: Add read permissions to data backups files + become: true + become_user: root + ansible.builtin.file: + path: "{{ nextcloud_backup_path }}" + owner: "{{ nextcloud_websrv_user }}" + group: "{{ nextcloud_websrv_user }}" + state: directory + recurse: true + mode: '755' # or 'u=rw,g=r,o=r' + +- name: Créer un lien symbolique vers le dossier data backups + become_user: "{{ nextcloud_websrv_user }}" + become: true + ansible.builtin.file: + src: "{{ nextcloud_backup_path }}/data" + dest: "{{ nextcloud_webroot }}/data" + owner: "{{ nextcloud_websrv_user }}" + group: "{{ nextcloud_websrv_user }}" + state: link + follow: false - name: Stop webserver service become: true @@ -55,7 +86,8 @@ name: "{{ nextcloud_db_name }}" state: "{{ item }}" owner: "{{ nextcloud_websrv_user }}" - target: "{{ nextcloud_tmp_path }}/dump.sql" + target: "{{ nextcloud_tmp_path }}/dump.pgc" + target_opts: "-F c -Oxc --if-exists" loop: - absent - present 
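Review bot: The re-enabled `Clean nextcloud restore dir content` task removes `{{ nextcloud_webroot }}/data` unconditionally before anything is restored, so an accidental run against a VM that already hosts a live instance deletes its data directory with no confirmation. A `stat` on that path followed by `ansible.builtin.assert` that it is absent or a symlink (which is what the later task creates) would refuse to delete a real directory; the manual SQL kept in comments above also grants `ALL ON SCHEMA public ... WITH GRANT OPTION` to the web user, which is more than the restore needs.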
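Review bot: `Add read permissions to data backups files` runs `mode: '755'` with `recurse: true` over `{{ nextcloud_backup_path }}`, which this hunk then links in as `{{ nextcloud_webroot }}/data` — so the tree holding every Nextcloud user's files becomes readable by any local account on the VM, and the mode is re-applied on each run. The data directory only needs to be readable and writable by the web user; `mode: 'u=rwX,g=rX,o='` (or `0750` on directories, `0640` on files) owned by `{{ nextcloud_websrv_user }}` satisfies that, and the full recursive walk over a large data tree is slow enough to deserve a comment explaining why it is done here. Because `data` is now a symlink into `/opt/nuage/backups`, check that the nginx vhost (not in this commit) still blocks direct access to `/data` on the resolved path.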
@@ -64,25 +96,35 @@ # - name: Restore psql dump # noqa : command-instead-of-module # become: true # become_user: postgres -# ansible.builtin.command: "pg_restore -c -F c -O -x -d {{ nextcloud_db_name }} {{ nextcloud_tmp_path }}/dump.pgc" +# ansible.builtin.command: "pg_restore -F c -Oxc --if-exists -d {{ nextcloud_db_name }} {{ nextcloud_tmp_path }}/dump.pgc" -- name: Update data fingerprint post db restore # noqa : command-instead-of-module +- name: Create vm nextcloud config become_user: "{{ nextcloud_websrv_user }}" become: true - ansible.builtin.command: './console maintenance:data-fingerprint' - args: - chdir: "{{ nextcloud_webroot }}" + ansible.builtin.template: + src: templates/vm_config_template.j2 + dest: "{{ nextcloud_webroot }}/config/vm.config.php" + owner: "{{ nextcloud_websrv_user }}" + group: "{{ nextcloud_websrv_user }}" + mode: '640' # or u=rwx,g=r,o= -- name: create nextcloud config +- name: Create sigle nextcloud config become_user: "{{ nextcloud_websrv_user }}" become: true ansible.builtin.template: - src: templates/config_template.j2 - dest: "{{ nextcloud_webroot }}/config/config.php" + src: templates/sigle_config_template.j2 + dest: "{{ nextcloud_webroot }}/config/sigle.config.php" owner: "{{ nextcloud_websrv_user }}" group: "{{ nextcloud_websrv_user }}" mode: '640' # or u=rwx,g=r,o= +- name: Update data fingerprint post db restore # noqa : command-instead-of-module + become_user: "{{ nextcloud_websrv_user }}" + become: true + ansible.builtin.command: './console maintenance:data-fingerprint' + args: + chdir: "{{ nextcloud_webroot }}" + - name: Deactivate nextcloud maintenance mode # noqa : command-instead-of-module become_user: "{{ nextcloud_websrv_user }}" become: true 
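Review bot: Both new template tasks carry `mode: '640' # or u=rwx,g=r,o=`, but 640 is `u=rw,g=r,o=` — the comment claims an execute bit the mode does not set, and a `*.config.php` file has no reason to be executable. Drop the comment or write the mode symbolically so it documents itself: `mode: 'u=rw,g=r,o='`. A short comment on `Create vm nextcloud config` saying that `vm.config.php` and `sigle.config.php` are the additional `config/*.config.php` files Nextcloud loads next to `config.php`, replacing the `config_template.j2` deleted in this commit, would help the next maintainer understand the split.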
@@ -162,7 +204,7 @@ when: "'Nextcloud is already latest version' not in nc_upgrade_result.stdout_lines" block: - - name: Launch some occ cleaning command + - name: Launch some occ cleaning command # noqa : command-instead-of-module become_user: "{{ nextcloud_websrv_user }}" become: true ansible.builtin.command: "./console { command }}" diff --git a/tasks/update_nextcloud.yml b/tasks/update_nextcloud.yml index 68eae33..850be74 100644 --- a/tasks/update_nextcloud.yml +++ b/tasks/update_nextcloud.yml @@ -42,7 +42,7 @@ debug: var: nc_upgrade_result.stdout_lines -- name: Bloque de tâches contrôlant la fin de la maintenance de mise à jour +- name: Bloc de tâches contrôlant la fin de la maintenance de mise à jour block: - name: Wait for nextcloud maintenance mode to become false # noqa : command-instead-of-module become_user: "{{ nextcloud_websrv_user }}" diff --git a/tasks/verif_installation_nextcloud.yml b/tasks/verif_installation_nextcloud.yml new file mode 100644 index 0000000..4ee4e46 --- /dev/null +++ b/tasks/verif_installation_nextcloud.yml 
@@ -0,0 +1,40 @@
+- name: Vérif si la source nextcloud est téléchargée
+ become: true
+ ansible.builtin.stat:
+ path: "{{ nextcloud_source }}"
+ register: new_nextcloud_source
+
+- name: Vérif si le dossier common app est créé
+ become: true
+ ansible.builtin.stat:
+ path: "{{ nextcloud_common }}"
+ register: new_nextcloud_common
+
+# - name: Obtenir l'ancienne version # noqa : command-instead-of-module
+# become_user: "{{ nextcloud_websrv_user }}"
+# become: true
+# ansible.builtin.command: '{{ nextcloud_webroot }}/console status --output=json'
+# register: result
+
+# - name: Enregistrer l'ancienne version
+# ansible.builtin.set_fact:
+# ancienne_version: "{{ tmp.versionstring }}"
+# vars:
+# tmp: "{{ result.stdout | from_json }}"
+
+- name: Include download_nextcloud_source tasks
+ ansible.builtin.include_tasks: tasks/download_nextcloud_source.yml
+ when: not new_nextcloud_source.stat.exists
+ vars:
+ ansible_become: true
+ become_user: nextcloud
+
+- name: Create new app common folder from old version one
+ become_user: nextcloud
+ become: true
+ ansible.builtin.copy:
+ src: "{{ nextcloud_common_files_path }}/nextcloud-{{ ancienne_version }}/"
+ dest: "{{ nextcloud_common_files_path }}/nextcloud-{{ nouvelle_version }}"
+ remote_src: true # because the copy is from remote host to remote host
+ mode: '754' # or 'u=rwx,g=rx,o=r'
+ when: not new_nextcloud_common.stat.exists
\ No newline at end of file
diff --git a/templates/config_template.j2 b/templates/config_template.j2
deleted file mode 100644
index 88db3f4..0000000
--- a/templates/config_template.j2
+++ /dev/null
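Review bot: In `Include download_nextcloud_source tasks`, `become_user: nextcloud` sits under `vars:`, where it is only a variable called `become_user` that the included tasks will not act on unless they read it explicitly; with just `ansible_become: true` in effect, the included tasks escalate to root, so the downloaded source ends up root-owned rather than owned by `nextcloud`. Use the connection variable the include will honour: `vars: { ansible_become: true, ansible_become_user: nextcloud }`, or wrap the include in a `block` carrying `become: true` and `become_user: nextcloud` as task keywords. The `Create new app common folder` copy also stamps `mode: '754'` on every file in the tree (executable and world-readable); `mode: 'u=rwX,g=rX,o='` keeps directories traversable without that.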
@@ -1,35 +0,0 @@ - false, - 'trusted_domains' => - array ( - 0 => 'nuage.migration.org', - ), - 'datadirectory' => '{{ nextcloud_webroot}}/data', - 'overwrite.cli.url' => 'https://nuage.migration.org', - 'dbtype' => 'pgsql', - 'dbname' => '{{ nextcloud_db_name }}', - 'dbhost' => '/run/postgresql', - 'dbport' => '', - 'dbtableprefix' => 'oc_', - 'dbuser' => '{{ nextcloud_websrv_user}}', - 'dbpassword' => '', - 'installed' => true, - 'apps_paths' => - array ( - 0 => - array ( - 'path' => '{{ nextcloud_webroot}}/nextcloud/apps/', - 'url' => '/apps', - 'writable' => false, - ), - 1 => - array ( - 'path' => '{{ nextcloud_webroot}}/common/', - 'url' => '/common-apps', - 'writable' => false, - ), - ), - 'theme' => '', - 'loglevel' => 2, -); diff --git a/templates/nginx_http_server.j2 b/templates/nginx_http_server.j2 new file mode 100644 index 0000000..e5dfb93 --- /dev/null +++ b/templates/nginx_http_server.j2 @@ -0,0 +1,9 @@ +server { + listen 80; + server_name + {{ SITE }}.{{ DOMAIN }}.{{ TLD }}; + disable_symlinks if_not_owner; + access_log /home/sites/log/nginx/{{ SITE }}/{{ DOMAIN }}/{{ TLD }}/access.log main buffer=32k; + error_log /home/sites/log/nginx/org/{{ SITE }}/{{ DOMAIN }}/{{ TLD }}error.log warn; + root /home/sites/data/{{TLD }}/{{ DOMAIN }}/{{SITE }}/; +} \ No newline at end of file diff --git a/templates/nginx_nuage_server.j2 b/templates/nginx_nuage_server.j2 new file mode 100644 index 0000000..3f39e05 --- /dev/null +++ b/templates/nginx_nuage_server.j2 
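Review bot: The log paths in `nginx_http_server.j2` disagree with the rest of the commit: `access_log` orders the segments `{{ SITE }}/{{ DOMAIN }}/{{ TLD }}` while every other template uses `{{ TLD }}/{{ DOMAIN }}/{{ SITE }}`, and `error_log` hard-codes `org` and lacks the `/` before `error.log` (`…/{{ TLD }}error.log`), so both files land outside the per-site log directory and nginx will likely refuse the configuration if those directories do not exist. Use the same two lines as the other templates: `access_log /home/sites/log/nginx/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}/access.log main buffer=32k;` and `error_log /home/sites/log/nginx/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}/error.log warn;`. `disable_symlinks if_not_owner;` is a good default for a shared-hosting root and should stay active in the other templates too (the nuage one comments it out in its port-80 block).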
@@ -0,0 +1,202 @@ +# Set the `immutable` cache control options only for assets with a cache busting `v` argument +map $arg_v $asset_immutable { + "" ""; + default "immutable"; +} +server { + listen 80; + server_name {{ SITE }}.{{ DOMAIN }}.{{ TLD }}; + #disable_symlinks if_not_owner; + + # Prevent nginx HTTP Server Detection + server_tokens off; + + # Enforce HTTPS + return 301 https://$server_name$request_uri; + + + access_log /home/sites/log/nginx/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}/access.log main buffer=32k; + error_log /home/sites/log/nginx/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}/error.log warn; +} +server { + listen 443 ssl http2; + server_name {{ SITE }}.{{ DOMAIN }}.{{ TLD }}; + + # Path to the root of your installation + root /home/sites/data/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}/nextcloud; + + disable_symlinks if_not_owner; +{% if besoin_https == 'oui' %} + ssl_certificate /etc/letsencrypt/live/{{ SITE }}.{{ DOMAIN }}.{{ TLD }}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/{{ SITE }}.{{ DOMAIN }}.{{ TLD }}/privkey.pem; +{% endif %} + access_log /home/sites/log/nginx/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}/access.log main buffer=32k; + error_log /home/sites/log/nginx/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}/error.log warn; + + # Prevent nginx HTTP Server Detection + server_tokens off; + + # HSTS settings + # WARNING: Only add the preload option once you read about + # the consequences in https://hstspreload.{{ TLD }}/. This option + # will add the domain to a hardcoded list that is shipped + # in all major browsers and getting removed from this list + # could take several months. 
+ add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always; + + # set max upload size and increase upload timeout: + client_max_body_size 512M; + client_body_timeout 300s; + fastcgi_buffers 64 4K; + + # Enable gzip but do not remove ETag headers + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + # Pagespeed is not supported by Nextcloud, so if your server is built + # with the `ngx_pagespeed` module, uncomment this line to disable it. + #pagespeed off; + + # The settings allows you to optimize the HTTP2 bandwitdth. 
+ # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/ + # for tunning hints + client_body_buffer_size 512k; + + # HTTP response headers borrowed from Nextcloud `.htaccess` + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "noindex, nofollow" always; + add_header X-XSS-Protection "1; mode=block" always; + + # Remove X-Powered-By, which is an information leak + fastcgi_hide_header X-Powered-By; + + # Add .mjs as a file extension for javascript + # Either include it in the default mime.types list + # or include you can include that list explicitly and add the file extension + # only for Nextcloud like below: + include mime.types; + types { + text/javascript js mjs; + } + + location ~ /common-apps/(.*)$ { + alias /home/sites/data/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}/common/$1; + } + + location ~ /instance-apps/(.*)$ { + alias /home/sites/data/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}/apps/$1; + } + + # Specify how to handle directories -- specifying `/index.php$request_uri` + # here as the fallback means that Nginx always exhibits the desired behaviour + # when a client requests a path that corresponds to a directory that exists + # on the server. In particular, if that directory contains an index.php file, + # that file is correctly served; if it doesn't, then the request is passed to + # the front-end controller. This consistent behaviour means that we don't need + # to specify custom rules for certain paths (e.g. images and other assets, + # `/updater`, `/ocs-provider`), and thus + # `try_files $uri $uri/ /index.php$request_uri` + # always provides the desired behaviour. 
+ index index.php index.html /index.php$request_uri; + + # Rule borrowed from `.htaccess` to handle Microsoft DAV clients + location = { + if ( $http_user_agent ~ ^DavClnt ) { + return 302 /remote.php/webdav/$is_args$args; + } + } + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + # Make a regex exception for `/.well-known` so that clients can still + # access it despite the existence of the regex rule + # `location ~ /(\.|autotest|...)` which would otherwise handle requests + # for `/.well-known`. + location ^~ /.well-known { + # The rules in this block are an adaptation of the rules + # in the Nextcloud `.htaccess` that concern `/.well-known`. + + location = /.well-known/carddav { return 301 /remote.php/dav/; } + location = /.well-known/caldav { return 301 /remote.php/dav/; } + + location /.well-known/acme-challenge { try_files $uri $uri/ =404; } + location /.well-known/pki-validation { try_files $uri $uri/ =404; } + + # Let Nextcloud's API for `/.well-known` URIs handle all other + # requests by passing them to the front-end controller. + return 301 /index.php$request_uri; + } + + # Rules borrowed from `.htaccess` to hide certain paths from clients + location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; } + location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } + + # Ensure this block, which passes PHP files to the PHP process, is above the blocks + # which handle static assets (as seen below). If this block is not declared first, + # then Nginx will encounter an infinite rewriting loop when it prepends + # `/index.php` to the URI, resulting in a HTTP 500 error response. 
+ location ~ \.php(?:$|/) { + # Required for legacy support + # commented lines from nextcloud nginx template are already in /etc/nginx/conf.d/fastcgi.conf + rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri; + + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + #set $path_info $fastcgi_path_info; + + try_files $fastcgi_script_name =404; + + include /etc/nginx/conf.d/fastcgi.conf; + #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + #fastcgi_param PATH_INFO $path_info; + fastcgi_param HTTPS on; + + fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice + fastcgi_param front_controller_active true; # Enable pretty urls + + fastcgi_param NEXTCLOUD_CONFIG_DIR /home/sites/data/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}/config; + fastcgi_pass unix:/run/php{{ php_version}}/fpm/php_{{ SIGLE }}_{{ SITE }}; + + #fastcgi_intercept_errors on; + fastcgi_request_buffering off; + + #fastcgi_max_temp_file_size 0; #2M in /etc/nginx/conf.d/fastcgi.conf + } + + # Serve static files + location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map)$ { + try_files $uri /index.php$request_uri; + add_header Cache-Control "public, max-age=15778463, $asset_immutable"; + access_log off; # Optional: Don't log access to assets + + location ~ \.wasm$ { + default_type application/wasm; + } + } + + location ~ \.woff2?$ { + try_files $uri /index.php$request_uri; + expires 7d; # Cache-Control policy borrowed from `.htaccess` + access_log off; # Optional: Don't log access to assets + } + + # Rule borrowed from `.htaccess` + location /remote { + return 301 /remote.php$request_uri; + } + + location / { + try_files $uri $uri/ /index.php$request_uri; + } +} \ No newline at end of file diff --git a/templates/nginx_paheko_common.j2 b/templates/nginx_paheko_common.j2 new file mode 100644 index 0000000..02eb52d --- /dev/null +++ b/templates/nginx_paheko_common.j2 
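Review bot: The regex locations `location ~ /common-apps/(.*)$` and `location ~ /instance-apps/(.*)$` are declared before `location ~ \.php(?:$|/)`, and nginx stops at the first regex location that matches, so a request like `/common-apps/<app>/lib/Foo.php` is answered by `alias` as a static file instead of reaching the 404/FastCGI handling — PHP sources under `common/` and `apps/` become downloadable. The patterns are also unanchored, so `/anything/common-apps/…` matches as well. Anchor them (`location ~ ^/common-apps/(.*)$`) and move both blocks after the `\.php` location, or add `location ~ ^/(?:common-apps|instance-apps)/.*\.php(?:$|/) { return 404; }` ahead of them. Separately, `listen 443 ssl http2;` is unconditional while `ssl_certificate`/`ssl_certificate_key` are only rendered when `besoin_https == 'oui'`, so for any other answer nginx rejects the configuration (an `ssl` listener without a certificate) while the port-80 block still redirects everything to `https://`; the `ssl` flag and the redirect should be under the same condition.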
@@ -0,0 +1,17 @@
+server_name {{ SITE }}.{{ DOMAIN }}.{{ TLD }};
+root /home/www/data/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}/www;
+
+location / {
+ try_files $uri $uri/ /_route.php?$query_string;
+ index index.php /_route.php;
+}
+
+location ~ \.php {
+ try_files $uri $uri/ /_route.php?$query_string;
+ include /etc/nginx/conf.d/fastcgi.conf;
+ fastcgi_index index.php ;
+ fastcgi_param REDIRECT_STATUS 200;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ fastcgi_pass unix:/run/php{{ php_version}}/fpm/php_{{ SIGLE }}_{{ SITE }};
+}
\ No newline at end of file
diff --git a/templates/nginx_paheko_server.j2 b/templates/nginx_paheko_server.j2
new file mode 100644
index 0000000..d09e5f9
--- /dev/null
+++ b/templates/nginx_paheko_server.j2
@@ -0,0 +1,17 @@
+server {
+ listen 80;
+ include /etc/nginx/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}/common.conf;
+ access_log /home/www/log/nginx/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}/access.log main buffer=32k;
+ error_log /home/www/log/nginx/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}/error.log warn;
+ return 301 https://{{ SITE }}.{{ DOMAIN }}.{{ TLD }}$request_uri;
+ }
+server {
+ listen 443;
+ include /etc/nginx/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}/common.conf;
+{% if besoin_https == 'oui' %}
+ ssl_certificate /etc/letsencrypt/live/{{ SITE }}.{{ DOMAIN }}.{{ TLD }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ SITE }}.{{ DOMAIN }}.{{ TLD }}/privkey.pem;
+{% endif %}
+ access_log /home/sites/log/nginx/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}/access.log main buffer=32k;
+ error_log /home/sites/log/nginx/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}/error.log warn;
+}
diff --git a/templates/nginx_www_common.j2 b/templates/nginx_www_common.j2
new file mode 100644
index 0000000..a1484ae
--- /dev/null
+++ b/templates/nginx_www_common.j2
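Review bot: `root /home/www/data/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}/www;` places Paheko under `/home/www/data`, whereas the nuage and www templates, the PHP-FPM socket path and the log directories in this commit all live under `/home/sites/…`; unless `/home/www` really is a separate tree on the target, this should read `root /home/sites/data/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}/www;`. The `location ~ \.php` block sends any URI containing `.php` through `try_files $uri $uri/ /_route.php?$query_string` before FastCGI, which appears to be Paheko's front-controller layout rather than a mistake; a one-line comment such as `# unresolved .php paths are routed through Paheko's _route.php` would keep the next reader from "fixing" it into the usual `try_files $uri =404`. The stray space in `fastcgi_index index.php ;` is harmless but worth tidying.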
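Review bot: `listen 443;` in the second server block has no `ssl` parameter, so nginx speaks plain HTTP on port 443 and the `return 301 https://…` on port 80 drives every client into a TLS handshake against a non-TLS listener. It should be `listen 443 ssl;` as in `nginx_www_server.j2` — and because the certificate lines sit inside `{% if besoin_https == 'oui' %}`, the `ssl` flag and the port-80 redirect only make sense under that same condition. The two blocks also log to different trees (`/home/www/log` on 80, `/home/sites/log` on 443); pick one so the per-site log directory the playbook creates is the one nginx writes to.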
@@ -0,0 +1,10 @@
+server_name
+ {{ DOMAIN }}.{{ TLD }}
+ www.{{ DOMAIN }}.{{ TLD }};
+root /home/site/data/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}/;
+index index.html;
+
+client_body_buffer_size 8k;
+client_max_body_size 10m;
+
+error_page 404 404.html;
\ No newline at end of file
diff --git a/templates/nginx_www_server.j2 b/templates/nginx_www_server.j2
new file mode 100644
index 0000000..2279016
--- /dev/null
+++ b/templates/nginx_www_server.j2
@@ -0,0 +1,17 @@
+server {
+ listen 80;
+ server_name {{ DOMAIN }}.{{ TLD }};
+ access_log /home/sites/log/nginx/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}/access.log main buffer=32k;
+ error_log /home/sites/log/nginx/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}/error.log warn;
+ return 301 https://{{ DOMAIN }}.{{ TLD }}$request_uri;
+}
+server {
+ listen 443 ssl;
+ include /etc/nginx/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}/common.conf;
+{% if besoin_https == 'oui' %}
+ ssl_certificate /etc/letsencrypt/live/{{ SITE }}.{{ DOMAIN }}.{{ TLD }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ SITE }}.{{ DOMAIN }}.{{ TLD }}/privkey.pem;
+{% endif %}
+ access_log /home/sites/log/nginx/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}/access.log main buffer=32k;
+ error_log /home/sites/log/nginx/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}/error.log warn;
+}
\ No newline at end of file
diff --git a/templates/php_nuage_conf.j2 b/templates/php_nuage_conf.j2
new file mode 100644
index 0000000..a949175
--- /dev/null
+++ b/templates/php_nuage_conf.j2
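Review bot: `root /home/site/data/…` introduces a third spelling of the data tree (`/home/sites/data` in the nuage template, `/home/www/data` in the paheko one); `/home/site` looks like a typo for `/home/sites` and would make nginx answer 404 for the whole static site. `error_page 404 404.html;` should most likely be `error_page 404 /404.html;` — nginx expects an internal URI starting with `/` (or a named location) there, and with `index index.html` the custom page belongs at the document root. The `client_max_body_size 10m;` limit is a sensible default for a static site and worth keeping.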
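Review bot: `listen 443 ssl;` is unconditional while `ssl_certificate`/`ssl_certificate_key` are only rendered inside `{% if besoin_https == 'oui' %}`, so when the answer is anything else nginx rejects the configuration (an `ssl` listener without a certificate) and the port-80 block still redirects every request to `https://`. Either wrap the `ssl` flag and the redirect in the same condition, or make HTTPS mandatory for this site type and drop the condition. The certificate path is built from `{{ SITE }}.{{ DOMAIN }}.{{ TLD }}` (i.e. `www.<domain>.<tld>`) while the included `common.conf` also serves the apex `{{ DOMAIN }}.{{ TLD }}`; the Let's Encrypt certificate has to cover both names, otherwise apex visitors get a name-mismatch error.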
@@ -0,0 +1,46 @@
+[{{ TLD }}/{{ DOMAIN }}/{{ SITE }}]
+access.log = /home/sites/log/php/fpm/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}/access.log
+catch_workers_output = no
+chdir = /
+env[HOSTNAME] = $HOSTNAME
+env[TEMP] = /tmp
+env[TMPDIR] = /tmp
+env[TMP] = /tmp
+env[PATH] = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+group = php_{{ SIGLE }}_{{ SITE }}
+;listen = 127.0.0.1:9000
+listen = /run/php{{ php_version }}/fpm/php_{{ SIGLE }}_{{ SITE }}
+listen.backlog = -1
+listen.group = www-data
+listen.mode = 0660
+;listen.allowed_clients = 127.0.0.1
+;listen.owner = www-data
+;opcache.enable_cli = 1
+;opcache.enable=1
+;opcache.interned_strings_buffer=8
+;opcache.jit = 1255
+;opcache.jit_buffer_size = 128M
+;opcache.max_accelerated_files=10000
+;opcache.memory_consumption=128
+;opcache.revalidate_freq=60
+;opcache.validate_timestamps=0
+;opcache.save_comments=1
+;php_admin_value[extension] = curl.so
+;php_admin_value[extension] = pdo_mysql.so
+php_admin_value[memory_limit] = 512M
+ping.path = /ping
+pm = dynamic
+pm.max_children = 10
+pm.max_requests = 1000
+pm.max_spare_servers = 7
+pm.min_spare_servers = 2
+pm.process_idle_timeout = 60s
+pm.start_servers = 2
+pm.status_path = /status
+;request_slowlog_timeout = 5s
+request_terminate_timeout = 120s
+rlimit_core = unlimited
+rlimit_files = 131072
+security.limit_extensions = .php
+slowlog = /home/sites/log/php/fpm/{{ TLD }}/{{ DOMAIN }}/{{ SITE }}/slow.log
+user = php_{{ SIGLE }}_{{ SITE }}
\ No newline at end of file
diff --git a/templates/php_paheko_conf.j2 b/templates/php_paheko_conf.j2
new file mode 100644
index 0000000..5abb624
--- /dev/null
+++ b/templates/php_paheko_conf.j2
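Review bot: `rlimit_core = unlimited` lets a crashing PHP-FPM worker dump its whole memory image — session data, the database settings loaded from `config.php`, tokens in flight — to disk; unless a crash is actively being debugged this should be `rlimit_core = 0`. The rest of the pool is sound: a Unix socket with `listen.mode = 0660` and `listen.group = www-data`, a dedicated `php_{{ SIGLE }}_{{ SITE }}` user/group and `security.limit_extensions = .php`. `pm.status_path = /status` and `ping.path = /ping` are only reachable if nginx forwards those URIs to this socket, which the `\.php` location in the nuage template does not; a comment such as `; /status and /ping are not routed by nginx — keep it that way` records that assumption for whoever edits the nginx template next.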
@@ -0,0 +1,15 @@
+[{{ TLD}}/{{ DOMAIN}}/{{ SITE}}]
+user = php_{{ SIGLE }}_{{ SITE }}
+group = php_{{ SIGLE }}_{{ SITE }}
+
+listen = /run/php{{ php_version }}/fpm/php_{{ SIGLE }}_{{ SITE }}
+
+listen.group = www-data
+
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+
+access.log = /home/sites/log/php/fpm/{{ TLD}}/{{ DOMAIN}}/{{ SITE}}/access.log
\ No newline at end of file
diff --git a/templates/sigle_config_template.j2 b/templates/sigle_config_template.j2
new file mode 100644
index 0000000..7881c52
--- /dev/null
+++ b/templates/sigle_config_template.j2
@@ -0,0 +1,10 @@
+ 'oc2ls3ih38ml',
+ 'passwordsalt' => 'eKxcXZBq+rTNj8fCWQ5/Iw+GJPpEVo',
+ 'secret' => 'tEVNpFGKZVmab4zIjZq5qeBNjJtgDc50Ezz9zvebjIGwxcIf',
+ 'version' => '22.2.0.2',
+ 'installed' => true,
+ 'maintenance' => false,
+);
diff --git a/templates/vm_config_template.j2 b/templates/vm_config_template.j2
new file mode 100644
index 0000000..88db3f4
--- /dev/null
+++ b/templates/vm_config_template.j2
@@ -0,0 +1,35 @@
+ false,
+ 'trusted_domains' =>
+ array (
+ 0 => 'nuage.migration.org',
+ ),
+ 'datadirectory' => '{{ nextcloud_webroot}}/data',
+ 'overwrite.cli.url' => 'https://nuage.migration.org',
+ 'dbtype' => 'pgsql',
+ 'dbname' => '{{ nextcloud_db_name }}',
+ 'dbhost' => '/run/postgresql',
+ 'dbport' => '',
+ 'dbtableprefix' => 'oc_',
+ 'dbuser' => '{{ nextcloud_websrv_user}}',
+ 'dbpassword' => '',
+ 'installed' => true,
+ 'apps_paths' =>
+ array (
+ 0 =>
+ array (
+ 'path' => '{{ nextcloud_webroot}}/nextcloud/apps/',
+ 'url' => '/apps',
+ 'writable' => false,
+ ),
+ 1 =>
+ array (
+ 'path' => '{{ nextcloud_webroot}}/common/',
+ 'url' => '/common-apps',
+ 'writable' => false,
+ ),
+ ),
+ 'theme' => '',
+ 'loglevel' => 2,
+);
diff --git a/test.yml b/test.yml
index ee3db82..29a4802 100644
--- a/test.yml
+++ b/test.yml
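Review bot: `sigle_config_template.j2` hard-codes a Nextcloud `passwordsalt`, `secret` and `instanceid` that are rendered verbatim into `config/sigle.config.php` of every instance this playbook creates, and they are now committed in clear text to the repository. Nextcloud uses `secret` to sign and encrypt tokens and app data and `passwordsalt` for legacy password hashes, so every instance would share the same secrets and anyone with read access to this git history holds them; treat the values visible here as compromised and rotate them on any instance they were already deployed to. Generate them per instance instead — for example `'secret' => '{{ lookup('password', '/dev/null length=48 chars=ascii_letters,digits') }}'` with the result persisted in vault-encrypted host_vars, or let `occ maintenance:install` create them — and leave `version` out of the template (it says `22.2.0.2` while the playbook targets 27.x, and `occ` maintains it).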
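Review bot: `vm_config_template.j2` hard-codes `trusted_domains` and `overwrite.cli.url` to `nuage.migration.org` even though the playbook prompts for `SITE`/`DOMAIN`/`TLD`, so an instance created for any other host name is refused by Nextcloud's trusted-domain check — or, if an operator widens the list by hand, loses it. Render them from the prompted values: `0 => '{{ SITE }}.{{ DOMAIN }}.{{ TLD }}',` and `'overwrite.cli.url' => 'https://{{ SITE }}.{{ DOMAIN }}.{{ TLD }}',`. `'dbpassword' => ''` together with `'dbhost' => '/run/postgresql'` relies on PostgreSQL peer authentication over the socket; a one-line comment saying so would stop a later maintainer from switching `dbhost` to TCP without adding credentials.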
@@ -1,47 +1,27 @@ - hosts: ligatures vars: - nouvelle_version: 27.1.1 + domain: chatperche ancienne_version: 27.1.0 - tasks: - - # - name: Vérif si le dossier common app est créé - # become: true - # ansible.builtin.stat: - # path: "/home/sites/data/nextcloud/common/nextcloud-{{ nouvelle_version }}" - # register: new_nextcloud_common + nouvelle_version: 27.1.4 - # - name: create new app common folder from old version one - # become_user: nextcloud - # become: true - # ansible.builtin.copy: - # src: "/home/sites/data/nextcloud/common/nextcloud-{{ ancienne_version }}" - # dest: "/home/sites/data/nextcloud/common/nextcloud-{{ nouvelle_version }}" - # remote_src: yes #because the config file is already in the nextcloud_tmp_path - # mode: '754' - # when: not new_nextcloud_common.stat.exists + tasks: - - name: Extract downloaded archive - become: true - become_user: nextcloud - ansible.builtin.unarchive: - src: "/tmp/test_nextcloud/groupfolder_v15.3.1.tar.gz" - dest: "/tmp/test_nextcloud/" - # mode: '755' #or u=rwx,g=rx,o=rx - remote_src: yes + # - name: Synchronisation des fichiers nextcloud présent sur ateliers dans la vm de migration nextcloud + # ansible.builtin.command: "rsync --delay-updates -F --compress --archive --partial rominique@ateliers.heureux-cyclage.org:{{ item }} /opt/nuage/backups/{{ domain }}/" + # delegate_to: vm_debian11 + # loop: + # - "{{ nextcloud_webroot }}/config/config.php" + # register: my_output - - name: "rename" - become: true - become_user: nextcloud - ansible.builtin.copy: - src: "/tmp/test_nextcloud/groupfolders-15.3.1/" - dest: "/tmp/test_nextcloud/groupfolder" - remote_src: yes #because the config file is already in the nextcloud_tmp_path + # - name: Debug + # ansible.builtin.debug: + # var: my_output - - name: deleted downloaded nextcloud files - become: true - become_user: nextcloud - ansible.builtin.file: - path: "{{ item }}" - state: absent - loop: - - "/tmp/test_nextcloud/groupfolders-15.3.1" \ No newline at end of file + - name: 
Download nextcloud source + become: true + become_user: nextcloud + ansible.builtin.get_url: + url: "{{ nextcloud_repo_url }}/nextcloud-{{ nouvelle_version }}.tar.bz2" + dest: "{{ nextcloud_sources_files_path }}/" + mode: '755' # or u=rwx,g=rx,o=rx + checksum: "md5:{{ nextcloud_repo_url }}/nextcloud-{{ nouvelle_version }}.tar.bz2.md5" diff --git a/update_nuage_instance.yml b/update_nuage_instance.yml index 996e39b..d94d637 100644 --- a/update_nuage_instance.yml +++ b/update_nuage_instance.yml @@ -1,6 +1,7 @@ --- # commande pour lancer le playbook: ansible-playbook update_nuage_instance.yml -# ATTENTION pour l'instance "test-nuage" il faut lancer commande pour lancer le playbook: ansible-playbook update_nuage_instance.yml --extra-vars "nextcloud_websrv_user=php_lhc_test_nuage nextcloud_webroot=/home/sites/data/org/heureux-cyclage/test-nuage" +# ATTENTION pour l'instance "test-nuage" il faut lancer commande pour lancer le playbook: +# ansible-playbook update_nuage_instance.yml --extra-vars "nextcloud_websrv_user=php_lhc_test_nuage nextcloud_webroot=/home/sites/data/org/heureux-cyclage/test-nuage" - name: Promp pour définir les variables hosts: ligatures @@ -10,21 +11,21 @@ prompt: 'Nouvelle version nextcloud à télécharger?(ex: 27.1.0)' private: false - - name: tld + - name: TLD prompt: 'TLD du site à mettre à jour?(ex: org)' private: false - - name: domain + - name: DOMAIN prompt: 'Domaine du site à mettre à jour?(ex: heureux-cyclage)' private: false - - name: sigle + - name: SIGLE prompt: 'Sigle du site à mettre à jour?(ex: lhc)' private: false pre_tasks: - - name: Vérif' si la source nextcloud est téléchargée + - name: Vérif si la source nextcloud est téléchargée become: true ansible.builtin.stat: path: "{{ nextcloud_source }}"
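Review bot: The `Download nextcloud source` task verifies the tarball with `checksum: "md5:…tar.bz2.md5"` fetched from the same `{{ nextcloud_repo_url }}` as the archive, which only catches transfer corruption: whoever can alter the download can alter the `.md5` beside it, and MD5 is no longer collision-resistant. Use the stronger digest Nextcloud publishes next to each release, `checksum: "sha256:{{ nextcloud_repo_url }}/nextcloud-{{ nouvelle_version }}.tar.bz2.sha256"` (or `sha512:`), and for authenticity verify the detached `.asc` signature against the Nextcloud release key in a follow-up task. `mode: '755'` on a downloaded archive is wider than it needs to be; `'0644'` is enough for a file that only has to be readable. The `hosts: ligatures` header of this play is outside the hunk.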