diff --git a/README.md b/README.md index 85c2879..92aa937 100644 --- a/README.md +++ b/README.md @@ -6,15 +6,22 @@ Yet another ansible's playbook repository roles ====== -* common - * provides common configuration +* Common + * provides **common** configuration * https://github.com/nojhan/liquidprompt <3 -* mail - * provides a mail service for a given domain name and the vdomain capability for other domains. +* Mail + * provides a complete **mail** server for a given domain name and the vdomain capability for other domains. * **Note** : This role starts in order : common, mariadb, and mail. If you don't want one of them, please comment out. * **Note2** : If you already have a SQL server, **it wont erase the original config**, but it needs a ``~/.my.cnf``. -* mariadb - * provides a mariadb lambda server peered on ``127.0.0.1:3306`` with ``root`` MySQL password on ``~/.my.cnf`` + * **TODO** : + * Razor/Pyzor + * Roundcube + * Simplify template copy + * Postgrey +* MariaDB + * provides a lambda **MariaDB** server peered on ``127.0.0.1:3306`` with ``root`` MySQL password on ``~/.my.cnf`` +* ownCloud + * provides a simple instance of **ownCloud**, with ``NGINX, PHP5-FPM, and MariaDB`` example host file ===== diff --git a/owncloud.yml b/owncloud.yml new file mode 100644 index 0000000..fe04334 --- /dev/null +++ b/owncloud.yml @@ -0,0 +1,14 @@ +--- + +- name: Deployer et configurer un serveur ownCloud sous NGINX + PHP5-FPM + MariaDB + hosts: all + user: root + gather_facts: yes + + + roles: + - common + - mariadb + - nginx + - owncloud + diff --git a/roles/nginx/files/etc-nginx-nginx.conf b/roles/nginx/files/etc-nginx-nginx.conf new file mode 100644 index 0000000..d4a0f76 --- /dev/null +++ b/roles/nginx/files/etc-nginx-nginx.conf 
@@ -0,0 +1,37 @@ +user www-data; +worker_processes 4; +worker_priority -10; +pid /var/run/nginx.pid; +worker_rlimit_nofile 65536; + +events { + worker_connections 4096; + use epoll; +} + +http { + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 8; + types_hash_max_size 2048; + server_tokens off; + + keepalive_requests 100000; + open_file_cache max=200000 inactive=20s; + open_file_cache_valid 30s; + open_file_cache_min_uses 2; + open_file_cache_errors on; + + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + gzip on; + gzip_disable "msie6"; + + #include /etc/nginx/naxsi_core.rules; + + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*; +} diff --git a/roles/nginx/files/etc-php5-fpm-pool.d-www-data.conf b/roles/nginx/files/etc-php5-fpm-pool.d-www-data.conf new file mode 100644 index 0000000..87d72dd --- /dev/null +++ b/roles/nginx/files/etc-php5-fpm-pool.d-www-data.conf @@ -0,0 +1,26 @@ +[www-data] +prefix = /var/tmp + +user = www-data +group = www-data + +listen = /var/run/php5-fpm-www-data.sock +listen.backlog = 1024 + +pm = ondemand +pm.max_children = 2 +pm.process_idle_timeout = 30s; +pm.max_requests = 800 +pm.status_path = /status + +request_terminate_timeout = 120s + +chdir = / + +security.limit_extensions = .php .php3 .php4 .php5 + +env[TMP] = /tmp +env[TMPDIR] = /tmp +env[TEMP] = /tmp + +php_admin_value[memory_limit] = 128M diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml new file mode 100644 index 0000000..e8e59fa --- /dev/null +++ b/roles/nginx/handlers/main.yml @@ -0,0 +1,13 @@ +--- +# handlers du role nginx + +- name: reload nginx + service: name=nginx state=reloaded +- name: restart nginx + service: name=nginx state=restarted +- name: start nginx + service: name=nginx state=started +- name: stop nginx + service: name=nginx state=stopped +# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab: + 
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml new file mode 100644 index 0000000..260f0f7 --- /dev/null +++ b/roles/nginx/tasks/main.yml @@ -0,0 +1,23 @@ +--- +- name: Install default packages Debian. + apt: pkg={{item}} state=installed install_recommends=no + with_items: + - nginx + - nginx-common + - nginx-full + - php5-fpm + +- name: Copy nginx.conf + tags: nginx + copy: src=etc-nginx-nginx.conf dest=/etc/nginx/nginx.conf + +- name: Copy php5/fpm/pool.d/www-data.conf + tags: nginx + copy: src=etc-php5-fpm-pool.d-www-data.conf dest=/etc/php5/fpm/pool.d/www-data.conf + +- name: Delete the www.conf template + tags: nginx + file: path=etc/php5/fpm/pool.d/www.conf state=absent + notify: restart nginx + +# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab: diff --git a/roles/nginx/vars/main.yml b/roles/nginx/vars/main.yml new file mode 100644 index 0000000..3366136 --- /dev/null +++ b/roles/nginx/vars/main.yml @@ -0,0 +1,46 @@ +--- + +packages: + - nginx + - php5-cli + - php5-mysql + - php5-fpm + - php-apc + - php5-mysql + - php5-curl + - libmime-lite-perl + +firewall_role_rules: + - "-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT" + +sysctls: + - name: net.ipv4.ip_local_port_range + value: "'1024 65000'" + - name: net.ipv4.tcp_tw_reuse + value: 1 + - name: net.ipv4.tcp_fin_timeout + value: 15 + - name: net.core.netdev_max_backlog + value: 4096 + - name: net.core.rmem_max + value: 16777216 + - name: net.core.somaxconn + value: 4096 + - name: net.core.wmem_max + value: 16777216 + - name: net.ipv4.tcp_max_syn_backlog + value: 20480 + - name: net.ipv4.tcp_max_tw_buckets + value: 400000 + - name: net.ipv4.tcp_no_metrics_save + value: 1 + - name: net.ipv4.tcp_rmem + value: "'4096 87380 16777216'" + - name: net.ipv4.tcp_syn_retries + value: 2 + - name: net.ipv4.tcp_synack_retries + value: 2 + - name: net.ipv4.tcp_wmem + value: "'4096 65536 16777216'" + +# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab: 
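Review bot: The `Delete the www.conf template` task uses a relative path, `path=etc/php5/fpm/pool.d/www.conf`, so the stock php5-fpm pool is never removed; it should read `file: path=/etc/php5/fpm/pool.d/www.conf state=absent`. Both php5-fpm changes in this file notify only `restart nginx`, so php5-fpm keeps running with its previous pool configuration until something else restarts it; the nginx role declares no php5-fpm handler, so one would need to be added to roles/nginx/handlers/main.yml (notifying a handler owned by another role depends on the Ansible version's handler scoping). The package list is hard-coded in the first task while roles/nginx/vars/main.yml defines a `packages` list that nothing in this role reads.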
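Review bot: `firewall_role_rules` opens only port 80, yet the ownCloud vhost added in this commit redirects every HTTP request to a `listen 443 ssl` server; if these rules are what the firewall role applies, HTTPS is blocked and the site is unreachable, so add `- "-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT"`. `php5-mysql` appears twice in `packages`, and the same variable name is defined again in roles/owncloud/vars/main.yml, so which list is in effect when both roles run in one play depends on the Ansible version's role-variable scoping.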
diff --git a/roles/owncloud/handlers/main.yml b/roles/owncloud/handlers/main.yml new file mode 100644 index 0000000..a708d23 --- /dev/null +++ b/roles/owncloud/handlers/main.yml @@ -0,0 +1,46 @@ +--- +# handlers du role common + +- name: update aliases + command: newaliases + +- name: restart munin-node + service: name=munin-node state=restarted + +- name: restart hobbit-client + service: name=hobbit-client state=restarted + +- name: restart xymon-client + service: name=xymon-client state=restarted + +- name: restart gwm + service: name=gwm state=restarted + +- name: restart xend + service: name=xend state=restarted + +- name: update-grub + command: update-grub + +- name: restart collectd + service: name=collectd state=restarted + +- name: restart ntp + service: name=ntp state=restarted + +- name: restart xymon + service: name=xymon state=restarted + +- name: update mysql_relay_domains map + shell: postmap /etc/postfix/mysql_relay_domains.cf + +- name: restart postfix + service: name=postfix state=restarted + +- name: restart nginx + command: name=nginx state=restarted + +- name: restart php5-fpm + shell: /etc/init.d/php5-fpm restart +# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab: + diff --git a/roles/owncloud/tasks/main.yml b/roles/owncloud/tasks/main.yml new file mode 100644 index 0000000..a809752 --- /dev/null +++ b/roles/owncloud/tasks/main.yml 
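Review bot: The `restart nginx` handler calls the `command` module with `name=nginx state=restarted`, so Ansible tries to execute a program literally named `name=nginx` and the handler fails the first time the vhost or certificate task notifies it; it should be `service: name=nginx state=restarted` like the other service handlers in this file. `restart php5-fpm` can likewise be `service: name=php5-fpm state=restarted` instead of shelling out to the init script. The header comment `# handlers du role common` and the munin/xymon/xend/postfix handlers appear to be copied from the common role and are not notified by anything in roles/owncloud/tasks/main.yml.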
@@ -0,0 +1,74 @@ +--- + +- name: Install ownCloud dependencies + apt: pkg={{item}} state=installed update_cache=no + tags: owncloud + with_items: "{{ packages }}" + ignore_errors: no + +- name: unlink default vhost nginx + tags: owncloud + shell: unlink /etc/nginx/sites-enabled/default + ignore_errors: yes + +- name: Get ownCloud + tags: + - update + - owncloud + get_url: url=https://download.owncloud.org/community/owncloud-latest.tar.bz2 validate_certs=no dest=/root/owncloud-latest.tar.bz2 + +- name: Creation of the right folder + tags: owncloud + file: path=/etc/nginx/ssl/ state=directory recurse=yes + +- name: create self-signed SSL cert + command: openssl req -new -nodes -x509 -subj "/C=FR/ST=SomeWhere/L=OverTheRainBow/O=OwnCloud/CN=owncloud.{{ domain }}" -days 3650 -keyout /etc/nginx/ssl/owncloud.key -out /etc/nginx/ssl/owncloud.crt -extensions v3_ca creates=/etc/nginx/ssl/owncloud.crt + tags: owncloud + notify: restart nginx + +- name: Creation of the right folder + tags: owncloud + file: path=/var/www/owncloud/ state=directory recurse=yes + +- name: Untar + tags: + - update + - owncloud + shell: tar xvf /root/owncloud-latest.tar.bz2 -C /var/www/owncloud/ + ignore_errors: no + +- name: Chown + tags: + - update + - owncloud + shell: chown -R www-data. 
/var/www/ + +- name: Randomly generate an ownCloud database password + shell: pwgen -y -B -s 80 1 + tags: + - owncloud + register: dbpassword + + +- name: Config nginx + template: src=etc-nginx-sites-enabled-owncloud.j2 dest=/etc/nginx/sites-enabled/owncloud + tags: owncloud + notify: restart nginx + +- name: Config PHP5-fpm + template: src=etc-php5-fpm-pool.d-www.conf.j2 dest=/etc/php5/fpm/pool.d/www.conf + tags: owncloud + notify: restart php5-fpm + +- name: Import database template + tags: + - owncloud + template: src=root-ownclouddb.sql.j2 dest=/root/ownclouddb.sql + +- name: Import sql file for account and db creation + tags: + - owncloud + shell: mysql < /root/ownclouddb.sql + notify: restart php5-fpm + +#vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab: diff --git a/roles/owncloud/templates/etc-nginx-sites-enabled-owncloud.j2 b/roles/owncloud/templates/etc-nginx-sites-enabled-owncloud.j2 new file mode 100644 index 0000000..afabc5b --- /dev/null +++ b/roles/owncloud/templates/etc-nginx-sites-enabled-owncloud.j2 
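Review bot: The `Get ownCloud` task downloads the install archive with `validate_certs=no` and verifies nothing about the file, so a tampered or wrong tarball is unpacked into /var/www and served; keep certificate validation on and pin the archive digest, e.g. `get_url: url=https://download.owncloud.org/community/owncloud-latest.tar.bz2 dest=/root/owncloud-latest.tar.bz2 validate_certs=yes sha256sum=<EXPECTED_SHA256>` (placeholder; pinning implies a versioned URL instead of `-latest`). The database password is regenerated by `pwgen` on every run and fed into the SQL import, which is not idempotent either (`CREATE USER` fails once the account exists) and leaves the password in plain text in /root/ownclouddb.sql; a `creates=` guard or the `mysql_user` module would make both steps repeatable. `Chown` recurses over all of /var/www/ rather than /var/www/owncloud/, and `ignore_errors: yes` on the `unlink` task hides any real failure of that step.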
@@ -0,0 +1,73 @@ +server { + listen 80; + server_name owncloud.{{ domain }}; + return 301 https://$server_name$request_uri; +} + +server { + listen 443 ssl; + server_name owncloud.{{ instance_name }}; + keepalive_timeout 70; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5; + ssl_certificate /etc/nginx/ssl/owncloud.crt; + ssl_certificate_key /etc/nginx/ssl/owncloud.key; + root /var/www/owncloud/owncloud/; + error_log /var/log/owncloud.error.log; + access_log /var/log/owncloud.access.log; + + client_max_body_size 10G; + fastcgi_buffers 64 4K; + + rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect; + rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect; + rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect; + + index index.php; + error_page 403 /core/templates/403.php; + error_page 404 /core/templates/404.php; + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + location ~ ^/(data|config|\.ht|db_structure\.xml|README) { + deny all; + } + + location / { + rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; + rewrite ^/.well-known/carddav /remote.php/carddav/ redirect; + rewrite ^/.well-known/caldav /remote.php/caldav/ redirect; + rewrite ^(/core/doc/[^\/]+/)$ $1/index.html; + try_files $uri $uri/ index.php; + error_log /var/log/owncloud.error.log; + access_log /var/log/owncloud.access.log; + } + + location ~ ^(.+?\.php)(/.*)?$ { + try_files $1 = 404; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$1; + fastcgi_param PATH_INFO $2; + fastcgi_param HTTPS on; + fastcgi_connect_timeout 60; + fastcgi_send_timeout 180; + fastcgi_param htaccessWorking true; + fastcgi_read_timeout 360; + fastcgi_pass unix:/var/run/php5-fpm-www-data.sock; + error_log /var/log/owncloud.fpm.error.log; + access_log /var/log/owncloud.fpm.access.log; + } + + # Optional: set long EXPIRES 
header on static assets + location ~* ^.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ { + expires 30d; + # Optional: Don't log access to assets + access_log off; + } +} + diff --git a/roles/owncloud/templates/etc-php5-fpm-pool.d-www.conf.j2 b/roles/owncloud/templates/etc-php5-fpm-pool.d-www.conf.j2 new file mode 100644 index 0000000..5a0cd8b --- /dev/null +++ b/roles/owncloud/templates/etc-php5-fpm-pool.d-www.conf.j2 @@ -0,0 +1,36 @@ +[www-data] +prefix = /var/tmp + +user = www-data +group = www-data + +slowlog = /var/log/php-fpm/slowlog-site.log +listen = /var/run/php5-fpm-www-data.sock +listen.backlog = 1024 + +pm = dynamic +pm.start_servers = 4 +pm.min_spare_servers = 2 +pm.max_spare_servers = 6 +pm.max_children = 8 +pm.process_idle_timeout = 30s; +pm.max_requests = 800 +pm.status_path = /status +listen.backlog = -1 +listen.owner = www-data +listen.group = www-data +listen.mode = 0666 +request_terminate_timeout = 3600s +catch_workers_output=no +chdir = / +rlimit_core = unlimited + +security.limit_extensions = .php .php3 .php4 .php5 + +env[TMP] = /tmp +env[TMPDIR] = /tmp +env[TEMP] = /tmp +env[HOSTNAME] = $HOSTNAME + +php_admin_value[memory_limit] = 1G + diff --git a/roles/owncloud/templates/root-ownclouddb.sql.j2 b/roles/owncloud/templates/root-ownclouddb.sql.j2 new file mode 100644 index 0000000..d5ad976 --- /dev/null +++ b/roles/owncloud/templates/root-ownclouddb.sql.j2 @@ -0,0 +1,5 @@ +CREATE USER 'owncloud'@'localhost' IDENTIFIED BY '{{ dbpassword.stdout }}'; +GRANT USAGE ON * . * TO 'owncloud'@'localhost' IDENTIFIED BY '{{ dbpassword.stdout }}' WITH MAX_QUERIES_PER_HOUR 0 +MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ; +CREATE DATABASE IF NOT EXISTS `owncloud` ; +GRANT ALL PRIVILEGES ON `owncloud` . * TO 'owncloud'@'localhost'; diff --git a/roles/owncloud/vars/main.yml b/roles/owncloud/vars/main.yml new file mode 100644 index 0000000..70794b8 --- /dev/null +++ b/roles/owncloud/vars/main.yml 
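Review bot: The `ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5` line in the 443 server block offers RC4 and 3DES suites with no `ssl_prefer_server_ciphers on;`, so a client can negotiate RC4-MD5 for what is meant to be the protected front of the file store; restrict the list to the AES suites (`ssl_ciphers AES128-SHA:AES256-SHA;` plus `ssl_prefer_server_ciphers on;`) and consider dropping `TLSv1` from `ssl_protocols` if the client base allows. The HTTPS block uses `server_name owncloud.{{ instance_name }}` while the HTTP redirect and the certificate CN generated in roles/owncloud/tasks/main.yml use `owncloud.{{ domain }}`, so the 443 server either never matches the redirected name or serves a certificate for a different one — presumably `{{ domain }}` is intended in both places. In the PHP location, `try_files $1 = 404;` has a space inside the fallback, which nginx reads as a file named `=` followed by a fallback URI `404` rather than a status code; it should be `try_files $1 =404;`.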
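Review bot: This pool is named `[www-data]` and listens on `/var/run/php5-fpm-www-data.sock`, exactly the pool name and socket of the `www-data.conf` the nginx role installs into the same pool.d in the same play; if I read php-fpm's config loading correctly, same-named sections are folded together, so the effective pool becomes a merge of both files with this one's values winning and the nginx role's file silently overridden. Either give this pool a distinct name and socket (and point the vhost's `fastcgi_pass` at it) or have the owncloud role replace www-data.conf rather than add www.conf. `listen.backlog` is set twice (1024, then -1), and `listen.mode = 0666` makes the socket world-writable although nginx runs as `www-data` and `listen.owner`/`listen.group` already grant it access, so `0660` suffices. `rlimit_core = unlimited` lets a crashed worker write memory containing session data and the database password to disk, which is presumably not intended for a production host.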
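Review bot: The password is spliced into single-quoted SQL literals, and the task that generates it uses `pwgen -y`, whose symbol set includes quote and backslash characters, so some runs produce a password that breaks the statement and the import fails or grants a different secret than the one ownCloud is later given. Generate without `-y` (`pwgen -B -s 80 1`) or, better, create the account with the `mysql_user` module and `priv='owncloud.*:ALL'`, which avoids a plaintext SQL file altogether. The `GRANT USAGE ... IDENTIFIED BY` line is redundant with the `CREATE USER` above it, and the rendered file keeps the password readable on disk in /root, so the template task should at least set `mode=0600`.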
@@ -0,0 +1,17 @@ +packages: + - php5 + - php5-gd + - php-xml-parser + - php5-intl + - php5-sqlite + - php5-mysql + - php5-pgsql + - smbclient + - php5-curl + - php5-mcrypt + - php5-fpm + - pwgen + - bzip2 + - php5-ldap +# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab: +