ownCloud + NGINX + DOC

README.md

@@ -6,15 +6,22 @@ Yet another ansible's playbook repository
 roles
 ======
 
-* common
- * provides common configuration
+* Common
+ * provides **common** configuration
  * https://github.com/nojhan/liquidprompt <3
-* mail
- * provides a mail service for a given domain name and the vdomain capability for other domains.
+* Mail
+ * provides a complete **mail** server for a given domain name and the vdomain capability for other domains.
  * **Note** : This role starts in order : common, mariadb, and mail. If you don't want one of them, please comment out.
  * **Note2** : If you already have a SQL server, **it wont erase the original config**, but it needs a ``~/.my.cnf``.
-* mariadb
- * provides a mariadb lambda server peered on ``127.0.0.1:3306`` with ``root`` MySQL password on ``~/.my.cnf`` 
+ * **TODO** : 
+     * Razor/Pyzor
+     * Roundcube
+     * Simplify template copy
+     * Postgrey
+* MariaDB
+ * provides a lambda **MariaDB** server peered on ``127.0.0.1:3306`` with ``root`` MySQL password on ``~/.my.cnf``
+* ownCloud
+ * provides a simple instance of **ownCloud**, with ``NGINX, PHP5-FPM, and MariaDB``
 
 example host file
 ===== 

owncloud.yml

@@ -0,0 +1,14 @@
+---
+
+- name: Deployer et configurer un serveur ownCloud sous NGINX + PHP5-FPM + MariaDB
+  hosts: all
+  user: root
+  gather_facts: yes
+
+
+  roles:
+       - common
+       - mariadb
+       - nginx
+       - owncloud
+

roles/nginx/files/etc-nginx-nginx.conf

@@ -0,0 +1,37 @@
+user www-data;
+worker_processes 4;
+worker_priority   -10;
+pid /var/run/nginx.pid;
+worker_rlimit_nofile 65536;
+
+events {
+  worker_connections 4096;
+  use epoll;
+}
+
+http {
+  sendfile on;
+  tcp_nopush on;
+  tcp_nodelay on;
+  keepalive_timeout 8;
+  types_hash_max_size 2048;
+  server_tokens off;
+
+  keepalive_requests 100000;
+  open_file_cache max=200000 inactive=20s;
+  open_file_cache_valid 30s;
+  open_file_cache_min_uses 2;
+  open_file_cache_errors on;
+
+
+  include /etc/nginx/mime.types;
+  default_type application/octet-stream;
+
+  gzip on;
+  gzip_disable "msie6";
+
+  #include /etc/nginx/naxsi_core.rules;
+
+  include /etc/nginx/conf.d/*.conf;
+  include /etc/nginx/sites-enabled/*;
+}

roles/nginx/files/etc-php5-fpm-pool.d-www-data.conf

@@ -0,0 +1,26 @@
+[www-data]
+prefix = /var/tmp
+
+user = www-data
+group = www-data
+
+listen = /var/run/php5-fpm-www-data.sock
+listen.backlog = 1024
+
+pm = ondemand
+pm.max_children = 2
+pm.process_idle_timeout = 30s;
+pm.max_requests = 800
+pm.status_path = /status
+
+request_terminate_timeout = 120s
+
+chdir = /
+
+security.limit_extensions = .php .php3 .php4 .php5
+
+env[TMP] = /tmp
+env[TMPDIR] = /tmp
+env[TEMP] = /tmp
+
+php_admin_value[memory_limit] = 128M

roles/nginx/handlers/main.yml

@@ -0,0 +1,13 @@
+---
+# handlers du role nginx
+
+- name: reload nginx
+  service: name=nginx state=reloaded
+- name: restart nginx
+  service: name=nginx state=restarted
+- name: start nginx
+  service: name=nginx state=started
+- name: stop nginx
+  service: name=nginx state=stopped  
+# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab:
+

roles/nginx/tasks/main.yml

@@ -0,0 +1,23 @@
+---
+- name: Install default packages Debian.
+  apt: pkg={{item}} state=installed install_recommends=no
+  with_items:
+      - nginx
+      - nginx-common
+      - nginx-full
+      - php5-fpm
+
+- name: Copy nginx.conf
+  tags: nginx
+  copy: src=etc-nginx-nginx.conf dest=/etc/nginx/nginx.conf
+
+- name: Copy php5/fpm/pool.d/www-data.conf
+  tags: nginx
+  copy: src=etc-php5-fpm-pool.d-www-data.conf dest=/etc/php5/fpm/pool.d/www-data.conf
+
+- name: Delete the www.conf template
+  tags: nginx
+  file: path=etc/php5/fpm/pool.d/www.conf state=absent
+  notify: restart nginx
+
+# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab:

roles/nginx/vars/main.yml

@@ -0,0 +1,46 @@
+---
+
+packages:
+  - nginx
+  - php5-cli
+  - php5-mysql
+  - php5-fpm
+  - php-apc
+  - php5-mysql
+  - php5-curl
+  - libmime-lite-perl
+
+firewall_role_rules:
+  - "-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT"
+
+sysctls:
+  - name: net.ipv4.ip_local_port_range
+    value: "'1024 65000'"
+  - name: net.ipv4.tcp_tw_reuse
+    value: 1
+  - name: net.ipv4.tcp_fin_timeout
+    value: 15
+  - name: net.core.netdev_max_backlog
+    value: 4096
+  - name: net.core.rmem_max
+    value: 16777216
+  - name: net.core.somaxconn
+    value: 4096
+  - name: net.core.wmem_max
+    value: 16777216
+  - name: net.ipv4.tcp_max_syn_backlog
+    value: 20480
+  - name: net.ipv4.tcp_max_tw_buckets
+    value: 400000
+  - name: net.ipv4.tcp_no_metrics_save
+    value: 1
+  - name: net.ipv4.tcp_rmem
+    value: "'4096 87380 16777216'"
+  - name: net.ipv4.tcp_syn_retries
+    value: 2
+  - name: net.ipv4.tcp_synack_retries
+    value: 2
+  - name: net.ipv4.tcp_wmem
+    value: "'4096 65536 16777216'"
+
+# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab:

roles/owncloud/handlers/main.yml

@@ -0,0 +1,46 @@
+---
+# handlers du role common
+
+- name: update aliases
+  command: newaliases
+
+- name: restart munin-node
+  service: name=munin-node state=restarted
+
+- name: restart hobbit-client
+  service: name=hobbit-client state=restarted
+
+- name: restart xymon-client
+  service: name=xymon-client state=restarted
+
+- name: restart gwm
+  service: name=gwm state=restarted
+
+- name: restart xend
+  service: name=xend state=restarted
+
+- name: update-grub
+  command: update-grub
+
+- name: restart collectd
+  service: name=collectd state=restarted
+
+- name: restart ntp
+  service: name=ntp state=restarted
+
+- name: restart xymon
+  service: name=xymon state=restarted
+
+- name: update mysql_relay_domains map
+  shell: postmap /etc/postfix/mysql_relay_domains.cf
+
+- name: restart postfix
+  service: name=postfix state=restarted
+
+- name: restart nginx
+  command: name=nginx state=restarted
+
+- name: restart php5-fpm
+  shell: /etc/init.d/php5-fpm restart
+# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab:
+

roles/owncloud/tasks/main.yml

@@ -0,0 +1,74 @@
+---
+      
+- name: Install ownCloud dependencies
+  apt: pkg={{item}} state=installed update_cache=no
+  tags: owncloud
+  with_items: "{{ packages }}" 
+  ignore_errors: no
+
+- name: unlink default vhost nginx
+  tags: owncloud
+  shell: unlink /etc/nginx/sites-enabled/default
+  ignore_errors: yes
+
+- name: Get ownCloud
+  tags:
+      - update
+      - owncloud
+  get_url: url=https://download.owncloud.org/community/owncloud-latest.tar.bz2 validate_certs=no dest=/root/owncloud-latest.tar.bz2
+
+- name: Creation of the right folder
+  tags: owncloud
+  file: path=/etc/nginx/ssl/ state=directory recurse=yes
+
+- name: create self-signed SSL cert
+  command: openssl req -new -nodes -x509 -subj "/C=FR/ST=SomeWhere/L=OverTheRainBow/O=OwnCloud/CN=owncloud.{{ domain }}" -days 3650 -keyout /etc/nginx/ssl/owncloud.key -out /etc/nginx/ssl/owncloud.crt -extensions v3_ca creates=/etc/nginx/ssl/owncloud.crt
+  tags: owncloud
+  notify: restart nginx
+
+- name: Creation of the right folder
+  tags: owncloud
+  file: path=/var/www/owncloud/ state=directory recurse=yes
+
+- name: Untar
+  tags: 
+    - update
+    - owncloud
+  shell: tar xvf /root/owncloud-latest.tar.bz2 -C /var/www/owncloud/
+  ignore_errors: no
+
+- name: Chown
+  tags: 
+    - update
+    - owncloud
+  shell: chown -R www-data. /var/www/
+
+- name: Randomly generate an ownCloud database password
+  shell: pwgen -y -B -s 80 1 
+  tags: 
+      - owncloud
+  register: dbpassword
+
+
+- name: Config nginx
+  template: src=etc-nginx-sites-enabled-owncloud.j2 dest=/etc/nginx/sites-enabled/owncloud
+  tags: owncloud
+  notify: restart nginx
+
+- name: Config PHP5-fpm
+  template: src=etc-php5-fpm-pool.d-www.conf.j2 dest=/etc/php5/fpm/pool.d/www.conf
+  tags: owncloud
+  notify: restart php5-fpm
+
+- name: Import database template
+  tags: 
+      - owncloud
+  template: src=root-ownclouddb.sql.j2 dest=/root/ownclouddb.sql
+
+- name: Import sql file for account and db creation
+  tags: 
+      - owncloud
+  shell: mysql < /root/ownclouddb.sql
+  notify: restart php5-fpm
+
+#vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab:

roles/owncloud/templates/etc-nginx-sites-enabled-owncloud.j2

@@ -0,0 +1,73 @@
+server {
+       listen         80;
+       server_name    owncloud.{{ domain }};
+       return         301 https://$server_name$request_uri;
+}
+
+server {
+        listen 443 ssl;
+        server_name owncloud.{{ instance_name }};
+        keepalive_timeout   70;
+        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
+        ssl_ciphers         AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
+        ssl_certificate /etc/nginx/ssl/owncloud.crt;
+        ssl_certificate_key /etc/nginx/ssl/owncloud.key;
+        root /var/www/owncloud/owncloud/;
+        error_log /var/log/owncloud.error.log;
+        access_log /var/log/owncloud.access.log;
+        
+        client_max_body_size 10G;
+        fastcgi_buffers 64 4K;
+
+        rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
+        rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
+        rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
+
+        index index.php;
+        error_page 403 /core/templates/403.php;
+        error_page 404 /core/templates/404.php;
+
+        location = /robots.txt {
+            allow all;
+            log_not_found off;
+            access_log off;
+        }
+
+        location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
+                deny all;
+        }
+
+        location / {
+                rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+                rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
+                rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
+                rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
+                rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
+                try_files $uri $uri/ index.php;
+                error_log /var/log/owncloud.error.log;
+                access_log /var/log/owncloud.access.log;
+        }
+
+        location ~ ^(.+?\.php)(/.*)?$ {
+                try_files $1 = 404;
+                include fastcgi_params;
+                fastcgi_param SCRIPT_FILENAME $document_root$1;
+                fastcgi_param PATH_INFO $2;
+                fastcgi_param HTTPS on;
+                fastcgi_connect_timeout 60;
+                fastcgi_send_timeout 180;
+                fastcgi_param htaccessWorking true;
+                fastcgi_read_timeout 360;
+                fastcgi_pass unix:/var/run/php5-fpm-www-data.sock;
+                error_log /var/log/owncloud.fpm.error.log;
+                access_log /var/log/owncloud.fpm.access.log;
+        }
+
+        # Optional: set long EXPIRES header on static assets
+        location ~* ^.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
+                expires 30d;
+                # Optional: Don't log access to assets
+                access_log off;
+        }
+}
+

roles/owncloud/templates/etc-php5-fpm-pool.d-www.conf.j2

@@ -0,0 +1,36 @@
+[www-data]
+prefix = /var/tmp
+
+user = www-data
+group = www-data
+
+slowlog = /var/log/php-fpm/slowlog-site.log
+listen = /var/run/php5-fpm-www-data.sock
+listen.backlog = 1024
+
+pm = dynamic
+pm.start_servers = 4
+pm.min_spare_servers = 2
+pm.max_spare_servers = 6
+pm.max_children = 8
+pm.process_idle_timeout = 30s;
+pm.max_requests = 800
+pm.status_path = /status
+listen.backlog = -1
+listen.owner = www-data
+listen.group = www-data
+listen.mode = 0666
+request_terminate_timeout = 3600s
+catch_workers_output=no
+chdir = /
+rlimit_core = unlimited
+
+security.limit_extensions = .php .php3 .php4 .php5
+
+env[TMP] = /tmp
+env[TMPDIR] = /tmp
+env[TEMP] = /tmp
+env[HOSTNAME] = $HOSTNAME
+
+php_admin_value[memory_limit] = 1G
+

roles/owncloud/templates/root-ownclouddb.sql.j2

@@ -0,0 +1,5 @@
+CREATE USER 'owncloud'@'localhost' IDENTIFIED BY '{{ dbpassword.stdout }}';
+GRANT USAGE ON * . * TO 'owncloud'@'localhost' IDENTIFIED BY '{{ dbpassword.stdout }}' WITH MAX_QUERIES_PER_HOUR 0
+MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
+CREATE DATABASE IF NOT EXISTS `owncloud` ;
+GRANT ALL PRIVILEGES ON `owncloud` . * TO 'owncloud'@'localhost';

roles/owncloud/vars/main.yml

@@ -0,0 +1,17 @@
+packages:
+  - php5 
+  - php5-gd 
+  - php-xml-parser 
+  - php5-intl
+  - php5-sqlite 
+  - php5-mysql 
+  - php5-pgsql 
+  - smbclient 
+  - php5-curl
+  - php5-mcrypt
+  - php5-fpm
+  - pwgen
+  - bzip2
+  - php5-ldap
+# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab:
+