@ -0,0 +1,14 @@ | |||
--- | |||
- name: Deployer et configurer un serveur ownCloud sous NGINX + PHP5-FPM + MariaDB | |||
hosts: all | |||
user: root | |||
gather_facts: yes | |||
roles: | |||
- common | |||
- mariadb | |||
- nginx | |||
- owncloud | |||
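Review bot: `user: root` is the pre-1.4 spelling of the play keyword `remote_user`, and as written every role runs through a direct root SSH login; `remote_user: root` is the current keyword, and a non-root login with `become: yes` would let the host keep root closed to SSH. The role order is load-bearing — the owncloud role pipes a SQL file into `mysql` and forwards PHP to the pool socket that the nginx role installs — so a comment above `roles:` such as `# order matters: owncloud expects mariadb up and the php-fpm pool from the nginx role` would save the next reader from reordering it.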
@ -0,0 +1,37 @@ | |||
user www-data; | |||
worker_processes 4; | |||
worker_priority -10; | |||
pid /var/run/nginx.pid; | |||
worker_rlimit_nofile 65536; | |||
events { | |||
worker_connections 4096; | |||
use epoll; | |||
} | |||
http { | |||
sendfile on; | |||
tcp_nopush on; | |||
tcp_nodelay on; | |||
keepalive_timeout 8; | |||
types_hash_max_size 2048; | |||
server_tokens off; | |||
keepalive_requests 100000; | |||
open_file_cache max=200000 inactive=20s; | |||
open_file_cache_valid 30s; | |||
open_file_cache_min_uses 2; | |||
open_file_cache_errors on; | |||
include /etc/nginx/mime.types; | |||
default_type application/octet-stream; | |||
gzip on; | |||
gzip_disable "msie6"; | |||
#include /etc/nginx/naxsi_core.rules; | |||
include /etc/nginx/conf.d/*.conf; | |||
include /etc/nginx/sites-enabled/*; | |||
} |
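Review bot: `gzip on;` in the http block is inherited by the HTTPS ownCloud vhost defined in the owncloud role, and compressing dynamic, cookie-authenticated responses over TLS is the precondition for BREACH-style secret recovery; limiting it to static types with `gzip_types text/css application/javascript image/svg+xml;` or placing `gzip off;` in the 443 server keeps the benefit for assets only. The commented `#include /etc/nginx/naxsi_core.rules;` leaves NAXSI disabled; if that is intentional, a one-line comment saying why would stop it being re-enabled blindly. The hunk header counts 37 lines but fewer are shown, so blank lines appear to have been dropped from this view of the file.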
@ -0,0 +1,26 @@ | |||
[www-data] | |||
prefix = /var/tmp | |||
user = www-data | |||
group = www-data | |||
listen = /var/run/php5-fpm-www-data.sock | |||
listen.backlog = 1024 | |||
pm = ondemand | |||
pm.max_children = 2 | |||
pm.process_idle_timeout = 30s; | |||
pm.max_requests = 800 | |||
pm.status_path = /status | |||
request_terminate_timeout = 120s | |||
chdir = / | |||
security.limit_extensions = .php .php3 .php4 .php5 | |||
env[TMP] = /tmp | |||
env[TMPDIR] = /tmp | |||
env[TEMP] = /tmp | |||
php_admin_value[memory_limit] = 128M |
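Review bot: This pool is named `[www-data]` and listens on `/var/run/php5-fpm-www-data.sock`, the same name and socket the owncloud role's `www.conf.j2` template declares, so once both files are in pool.d two pools compete for one socket and php5-fpm will most likely refuse to start; one of the two definitions should go. `pm.process_idle_timeout = 30s;` carries a stray trailing `;`, which php-fpm reads as the start of an empty comment — harmless but misleading, so `pm.process_idle_timeout = 30s` is the intended form. `pm.status_path = /status` is enabled here; as far as the vhost template shows, only `.php` URIs are forwarded to this socket so the status page is not reachable through nginx, but a comment recording that assumption would document the intent.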
@ -0,0 +1,13 @@ | |||
--- | |||
# handlers du role nginx | |||
- name: reload nginx | |||
service: name=nginx state=reloaded | |||
- name: restart nginx | |||
service: name=nginx state=restarted | |||
- name: start nginx | |||
service: name=nginx state=started | |||
- name: stop nginx | |||
service: name=nginx state=stopped | |||
# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab: | |||
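Review bot: This role writes `/etc/php5/fpm/pool.d/www-data.conf` and removes the default pool file in its tasks, but defines no php5-fpm handler here, so a changed pool definition cannot be applied from within the role and its tasks end up notifying `restart nginx` instead. Adding `- name: restart php5-fpm` / `  service: name=php5-fpm state=restarted` next to these entries gives the pool tasks something correct to notify.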
@ -0,0 +1,23 @@ | |||
--- | |||
- name: Install default packages Debian. | |||
apt: pkg={{item}} state=installed install_recommends=no | |||
with_items: | |||
- nginx | |||
- nginx-common | |||
- nginx-full | |||
- php5-fpm | |||
- name: Copy nginx.conf | |||
tags: nginx | |||
copy: src=etc-nginx-nginx.conf dest=/etc/nginx/nginx.conf | |||
- name: Copy php5/fpm/pool.d/www-data.conf | |||
tags: nginx | |||
copy: src=etc-php5-fpm-pool.d-www-data.conf dest=/etc/php5/fpm/pool.d/www-data.conf | |||
- name: Delete the www.conf template | |||
tags: nginx | |||
file: path=etc/php5/fpm/pool.d/www.conf state=absent | |||
notify: restart nginx | |||
# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab: |
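Review bot: `file: path=etc/php5/fpm/pool.d/www.conf state=absent` is missing the leading `/`, so it resolves relative to the remote working directory and the distro's default `www.conf` pool is never removed; it should read `file: path=/etc/php5/fpm/pool.d/www.conf state=absent`. That task notifies `restart nginx`, but the file it deletes belongs to php5-fpm, and the `Copy php5/fpm/pool.d/www-data.conf` task notifies nothing at all, so a new or changed pool is not picked up until something else restarts php-fpm; both should notify a php5-fpm restart handler. `state=installed` in the apt task is the deprecated alias of `state=present`.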
@ -0,0 +1,46 @@ | |||
--- | |||
packages: | |||
- nginx | |||
- php5-cli | |||
- php5-mysql | |||
- php5-fpm | |||
- php-apc | |||
- php5-mysql | |||
- php5-curl | |||
- libmime-lite-perl | |||
firewall_role_rules: | |||
- "-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT" | |||
sysctls: | |||
- name: net.ipv4.ip_local_port_range | |||
value: "'1024 65000'" | |||
- name: net.ipv4.tcp_tw_reuse | |||
value: 1 | |||
- name: net.ipv4.tcp_fin_timeout | |||
value: 15 | |||
- name: net.core.netdev_max_backlog | |||
value: 4096 | |||
- name: net.core.rmem_max | |||
value: 16777216 | |||
- name: net.core.somaxconn | |||
value: 4096 | |||
- name: net.core.wmem_max | |||
value: 16777216 | |||
- name: net.ipv4.tcp_max_syn_backlog | |||
value: 20480 | |||
- name: net.ipv4.tcp_max_tw_buckets | |||
value: 400000 | |||
- name: net.ipv4.tcp_no_metrics_save | |||
value: 1 | |||
- name: net.ipv4.tcp_rmem | |||
value: "'4096 87380 16777216'" | |||
- name: net.ipv4.tcp_syn_retries | |||
value: 2 | |||
- name: net.ipv4.tcp_synack_retries | |||
value: 2 | |||
- name: net.ipv4.tcp_wmem | |||
value: "'4096 65536 16777216'" | |||
# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab: |
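Review bot: `firewall_role_rules` only accepts `--dport 80`, yet the ownCloud vhost serves on 443 and the port-80 server does nothing but `return 301 https://…`, so if the firewall role ends in a default drop the site is unreachable; a second rule `"-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT"` is needed. `php5-mysql` appears twice in `packages`. This `packages` variable shares its name with the one in the owncloud role, and depending on whether each file is `vars/` or `defaults/`, one list is likely to shadow the other for the `with_items: "{{ packages }}"` task — worth renaming one of them (e.g. `common_packages`).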
@ -0,0 +1,46 @@ | |||
--- | |||
# handlers du role common | |||
- name: update aliases | |||
command: newaliases | |||
- name: restart munin-node | |||
service: name=munin-node state=restarted | |||
- name: restart hobbit-client | |||
service: name=hobbit-client state=restarted | |||
- name: restart xymon-client | |||
service: name=xymon-client state=restarted | |||
- name: restart gwm | |||
service: name=gwm state=restarted | |||
- name: restart xend | |||
service: name=xend state=restarted | |||
- name: update-grub | |||
command: update-grub | |||
- name: restart collectd | |||
service: name=collectd state=restarted | |||
- name: restart ntp | |||
service: name=ntp state=restarted | |||
- name: restart xymon | |||
service: name=xymon state=restarted | |||
- name: update mysql_relay_domains map | |||
shell: postmap /etc/postfix/mysql_relay_domains.cf | |||
- name: restart postfix | |||
service: name=postfix state=restarted | |||
- name: restart nginx | |||
command: name=nginx state=restarted | |||
- name: restart php5-fpm | |||
shell: /etc/init.d/php5-fpm restart | |||
# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab: | |||
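Review bot: `command: name=nginx state=restarted` under `restart nginx` passes `service`-style arguments to the `command` module, so the handler tries to execute a program literally named `name=nginx` and fails; it should be `service: name=nginx state=restarted`, matching the neighbouring entries. The same handler name also exists in the nginx role's handlers, and a play keeps one handler per name, so which body runs on notify depends on load order — dropping this copy removes the ambiguity. `restart php5-fpm` uses `shell: /etc/init.d/php5-fpm restart` where `service: name=php5-fpm state=restarted` would be consistent with the rest of the file and report changed/failed status correctly.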
@ -0,0 +1,74 @@ | |||
--- | |||
- name: Install ownCloud dependencies | |||
apt: pkg={{item}} state=installed update_cache=no | |||
tags: owncloud | |||
with_items: "{{ packages }}" | |||
ignore_errors: no | |||
- name: unlink default vhost nginx | |||
tags: owncloud | |||
shell: unlink /etc/nginx/sites-enabled/default | |||
ignore_errors: yes | |||
- name: Get ownCloud | |||
tags: | |||
- update | |||
- owncloud | |||
get_url: url=https://download.owncloud.org/community/owncloud-latest.tar.bz2 validate_certs=no dest=/root/owncloud-latest.tar.bz2 | |||
- name: Creation of the right folder | |||
tags: owncloud | |||
file: path=/etc/nginx/ssl/ state=directory recurse=yes | |||
- name: create self-signed SSL cert | |||
command: openssl req -new -nodes -x509 -subj "/C=FR/ST=SomeWhere/L=OverTheRainBow/O=OwnCloud/CN=owncloud.{{ domain }}" -days 3650 -keyout /etc/nginx/ssl/owncloud.key -out /etc/nginx/ssl/owncloud.crt -extensions v3_ca creates=/etc/nginx/ssl/owncloud.crt | |||
tags: owncloud | |||
notify: restart nginx | |||
- name: Creation of the right folder | |||
tags: owncloud | |||
file: path=/var/www/owncloud/ state=directory recurse=yes | |||
- name: Untar | |||
tags: | |||
- update | |||
- owncloud | |||
shell: tar xvf /root/owncloud-latest.tar.bz2 -C /var/www/owncloud/ | |||
ignore_errors: no | |||
- name: Chown | |||
tags: | |||
- update | |||
- owncloud | |||
shell: chown -R www-data. /var/www/ | |||
- name: Randomly generate an ownCloud database password | |||
shell: pwgen -y -B -s 80 1 | |||
tags: | |||
- owncloud | |||
register: dbpassword | |||
- name: Config nginx | |||
template: src=etc-nginx-sites-enabled-owncloud.j2 dest=/etc/nginx/sites-enabled/owncloud | |||
tags: owncloud | |||
notify: restart nginx | |||
- name: Config PHP5-fpm | |||
template: src=etc-php5-fpm-pool.d-www.conf.j2 dest=/etc/php5/fpm/pool.d/www.conf | |||
tags: owncloud | |||
notify: restart php5-fpm | |||
- name: Import database template | |||
tags: | |||
- owncloud | |||
template: src=root-ownclouddb.sql.j2 dest=/root/ownclouddb.sql | |||
- name: Import sql file for account and db creation | |||
tags: | |||
- owncloud | |||
shell: mysql < /root/ownclouddb.sql | |||
notify: restart php5-fpm | |||
#vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab: |
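Review bot: `get_url: url=https://download.owncloud.org/community/owncloud-latest.tar.bz2 validate_certs=no …` fetches the code that will run as www-data without verifying the server certificate and without any checksum, so whatever answers on the path to the mirror decides what gets installed; use `validate_certs=yes` and pin a versioned tarball with `checksum=sha256:<VALUE-FROM-RELEASE-PAGE>` (an `-latest` URL cannot be pinned). `shell: pwgen -y -B -s 80 1` runs on every play and, with `-y`, may emit `'` or `\`, which the SQL template splices between single quotes unescaped; drop `-y` (80 alphanumeric characters is ample) and guard the password/SQL tasks with a `creates=` or a registered "user exists" check so a rerun does not regenerate the secret and abort on `CREATE USER`. `template: src=root-ownclouddb.sql.j2 dest=/root/ownclouddb.sql` writes the credential with default permissions and leaves it on disk; add `mode=0600` and remove the file after the import. `shell: chown -R www-data. /var/www/` makes the application code itself writable by the PHP worker — ownCloud appears to need only its `data/`, `config/` and `apps/` directories writable, so narrowing that is worth a look.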
@ -0,0 +1,73 @@ | |||
server { | |||
listen 80; | |||
server_name owncloud.{{ domain }}; | |||
return 301 https://$server_name$request_uri; | |||
} | |||
server { | |||
listen 443 ssl; | |||
server_name owncloud.{{ instance_name }}; | |||
keepalive_timeout 70; | |||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |||
ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5; | |||
ssl_certificate /etc/nginx/ssl/owncloud.crt; | |||
ssl_certificate_key /etc/nginx/ssl/owncloud.key; | |||
root /var/www/owncloud/owncloud/; | |||
error_log /var/log/owncloud.error.log; | |||
access_log /var/log/owncloud.access.log; | |||
client_max_body_size 10G; | |||
fastcgi_buffers 64 4K; | |||
rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect; | |||
rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect; | |||
rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect; | |||
index index.php; | |||
error_page 403 /core/templates/403.php; | |||
error_page 404 /core/templates/404.php; | |||
location = /robots.txt { | |||
allow all; | |||
log_not_found off; | |||
access_log off; | |||
} | |||
location ~ ^/(data|config|\.ht|db_structure\.xml|README) { | |||
deny all; | |||
} | |||
location / { | |||
rewrite ^/.well-known/host-meta /public.php?service=host-meta last; | |||
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; | |||
rewrite ^/.well-known/carddav /remote.php/carddav/ redirect; | |||
rewrite ^/.well-known/caldav /remote.php/caldav/ redirect; | |||
rewrite ^(/core/doc/[^\/]+/)$ $1/index.html; | |||
try_files $uri $uri/ index.php; | |||
error_log /var/log/owncloud.error.log; | |||
access_log /var/log/owncloud.access.log; | |||
} | |||
location ~ ^(.+?\.php)(/.*)?$ { | |||
try_files $1 = 404; | |||
include fastcgi_params; | |||
fastcgi_param SCRIPT_FILENAME $document_root$1; | |||
fastcgi_param PATH_INFO $2; | |||
fastcgi_param HTTPS on; | |||
fastcgi_connect_timeout 60; | |||
fastcgi_send_timeout 180; | |||
fastcgi_param htaccessWorking true; | |||
fastcgi_read_timeout 360; | |||
fastcgi_pass unix:/var/run/php5-fpm-www-data.sock; | |||
error_log /var/log/owncloud.fpm.error.log; | |||
access_log /var/log/owncloud.fpm.access.log; | |||
} | |||
# Optional: set long EXPIRES header on static assets | |||
location ~* ^.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ { | |||
expires 30d; | |||
# Optional: Don't log access to assets | |||
access_log off; | |||
} | |||
} | |||
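Review bot: `ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;` enables RC4 and 3DES suites with MD5/SHA-1 MACs and no forward secrecy, and `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` keeps TLS 1.0/1.1 on; prefer `ssl_protocols TLSv1.2;`, an ECDHE/AES-GCM cipher list with `ssl_prefer_server_ciphers on;`, and `ssl_session_cache shared:SSL:10m;` to back the `keepalive_timeout 70;` this server tunes. `server_name owncloud.{{ instance_name }};` on the 443 server disagrees with `owncloud.{{ domain }}` on the port-80 server and with the certificate CN generated by the owncloud role, so unless both variables are equal either the redirect target or the certificate will not match. `try_files $1 = 404;` has a space inside `=404`; nginx treats the last argument as the fallback URI, so as written the request is likely redirected to a URI named `404` rather than answered with a 404 — confirm against the nginx version in use and write `try_files $1 =404;`. Since port 80 only redirects, `add_header Strict-Transport-Security "max-age=31536000";` in the 443 server would complete the picture.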
@ -0,0 +1,36 @@ | |||
[www-data] | |||
prefix = /var/tmp | |||
user = www-data | |||
group = www-data | |||
slowlog = /var/log/php-fpm/slowlog-site.log | |||
listen = /var/run/php5-fpm-www-data.sock | |||
listen.backlog = 1024 | |||
pm = dynamic | |||
pm.start_servers = 4 | |||
pm.min_spare_servers = 2 | |||
pm.max_spare_servers = 6 | |||
pm.max_children = 8 | |||
pm.process_idle_timeout = 30s; | |||
pm.max_requests = 800 | |||
pm.status_path = /status | |||
listen.backlog = -1 | |||
listen.owner = www-data | |||
listen.group = www-data | |||
listen.mode = 0666 | |||
request_terminate_timeout = 3600s | |||
catch_workers_output=no | |||
chdir = / | |||
rlimit_core = unlimited | |||
security.limit_extensions = .php .php3 .php4 .php5 | |||
env[TMP] = /tmp | |||
env[TMPDIR] = /tmp | |||
env[TEMP] = /tmp | |||
env[HOSTNAME] = $HOSTNAME | |||
php_admin_value[memory_limit] = 1G | |||
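Review bot: `listen.mode = 0666` makes the FastCGI socket world-writable, so any local account can hand PHP execution requests to this pool as www-data; with `listen.owner`/`listen.group` already `www-data` and nginx running as `www-data` per nginx.conf, `listen.mode = 0660` is sufficient. `listen.backlog` is set twice (`1024`, then `-1`); the second assignment wins and the first is dead. `slowlog = …` has no effect without `request_slowlog_timeout`, `pm.process_idle_timeout` is ignored under `pm = dynamic`, and `rlimit_core = unlimited` lets a crashed worker write its memory — which may include application secrets — to disk, so each deserves either removal or a comment stating the intent. The pool name and socket also duplicate the nginx role's `www-data.conf`, so only one of the two files should be installed.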
@ -0,0 +1,5 @@ | |||
CREATE USER 'owncloud'@'localhost' IDENTIFIED BY '{{ dbpassword.stdout }}'; | |||
GRANT USAGE ON * . * TO 'owncloud'@'localhost' IDENTIFIED BY '{{ dbpassword.stdout }}' WITH MAX_QUERIES_PER_HOUR 0 | |||
MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ; | |||
CREATE DATABASE IF NOT EXISTS `owncloud` ; | |||
GRANT ALL PRIVILEGES ON `owncloud` . * TO 'owncloud'@'localhost'; |
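Review bot: `IDENTIFIED BY '{{ dbpassword.stdout }}'` splices the generated password into single quotes with no escaping, and the producing task (`pwgen -y`) can emit `'` or `\`, which would break or truncate the literal; either restrict the generator to alphanumerics or record the contract at the top of the template, e.g. `-- dbpassword must contain no ' or \ (see the pwgen task in the owncloud role)`. `CREATE USER` is not idempotent and this script is re-run on every play, so a second run aborts before the grants; `CREATE USER IF NOT EXISTS` (MariaDB 10.1.3+) or relying solely on the existing `GRANT USAGE … IDENTIFIED BY` line would make it rerunnable — though since the password is regenerated each run, a rerun also silently rotates the credential out from under the deployed ownCloud config. The `WITH MAX_QUERIES_PER_HOUR 0 … MAX_USER_CONNECTIONS 0` clause only restates the defaults and can be dropped.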
@ -0,0 +1,17 @@ | |||
packages: | |||
- php5 | |||
- php5-gd | |||
- php-xml-parser | |||
- php5-intl | |||
- php5-sqlite | |||
- php5-mysql | |||
- php5-pgsql | |||
- smbclient | |||
- php5-curl | |||
- php5-mcrypt | |||
- php5-fpm | |||
- pwgen | |||
- bzip2 | |||
- php5-ldap | |||
# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab: | |||