@ -0,0 +1,14 @@ | |||||
--- | |||||
- name: Deployer et configurer un serveur ownCloud sous NGINX + PHP5-FPM + MariaDB | |||||
hosts: all | |||||
user: root | |||||
gather_facts: yes | |||||
roles: | |||||
- common | |||||
- mariadb | |||||
- nginx | |||||
- owncloud | |||||
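Review bot: `user: root` on the play header is the old spelling of `remote_user`, and logging in as root for every role is broader than the roles need; `remote_user` set to an unprivileged deploy account plus `become: true` gives the same effect while keeping the login account non-root. `gather_facts: yes` relies on the YAML 1.1 truthy form — write `gather_facts: true`. The hunk header announces 14 lines but ten are shown here, so the note assumes the missing ones are blank.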
@ -0,0 +1,37 @@ | |||||
user www-data; | |||||
worker_processes 4; | |||||
worker_priority -10; | |||||
pid /var/run/nginx.pid; | |||||
worker_rlimit_nofile 65536; | |||||
events { | |||||
worker_connections 4096; | |||||
use epoll; | |||||
} | |||||
http { | |||||
sendfile on; | |||||
tcp_nopush on; | |||||
tcp_nodelay on; | |||||
keepalive_timeout 8; | |||||
types_hash_max_size 2048; | |||||
server_tokens off; | |||||
keepalive_requests 100000; | |||||
open_file_cache max=200000 inactive=20s; | |||||
open_file_cache_valid 30s; | |||||
open_file_cache_min_uses 2; | |||||
open_file_cache_errors on; | |||||
include /etc/nginx/mime.types; | |||||
default_type application/octet-stream; | |||||
gzip on; | |||||
gzip_disable "msie6"; | |||||
#include /etc/nginx/naxsi_core.rules; | |||||
include /etc/nginx/conf.d/*.conf; | |||||
include /etc/nginx/sites-enabled/*; | |||||
} |
@ -0,0 +1,26 @@ | |||||
[www-data] | |||||
prefix = /var/tmp | |||||
user = www-data | |||||
group = www-data | |||||
listen = /var/run/php5-fpm-www-data.sock | |||||
listen.backlog = 1024 | |||||
pm = ondemand | |||||
pm.max_children = 2 | |||||
pm.process_idle_timeout = 30s; | |||||
pm.max_requests = 800 | |||||
pm.status_path = /status | |||||
request_terminate_timeout = 120s | |||||
chdir = / | |||||
security.limit_extensions = .php .php3 .php4 .php5 | |||||
env[TMP] = /tmp | |||||
env[TMPDIR] = /tmp | |||||
env[TEMP] = /tmp | |||||
php_admin_value[memory_limit] = 128M |
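Review bot: This pool is named `[www-data]` and listens on `/var/run/php5-fpm-www-data.sock`, and the owncloud role's `www.conf` template (the `+1,36` hunk below) declares a second pool with the same name and socket; php-fpm refuses a configuration with two pools of one name, so whichever role runs second leaves the service unable to restart. Keep a single pool file, or give this one a distinct name and socket path. `pm.process_idle_timeout = 30s;` carries a stray `;` (php-fpm reads it as a comment start, so the value still parses, but it looks like a typo), and `pm.status_path = /status` enables the status endpoint — it appears not to be reachable through the vhost's PHP location regex, which is worth stating in a comment so nobody later adds a `location /status` that exposes it.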
@ -0,0 +1,13 @@ | |||||
--- | |||||
# handlers du role nginx | |||||
- name: reload nginx | |||||
service: name=nginx state=reloaded | |||||
- name: restart nginx | |||||
service: name=nginx state=restarted | |||||
- name: start nginx | |||||
service: name=nginx state=started | |||||
- name: stop nginx | |||||
service: name=nginx state=stopped | |||||
# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab: | |||||
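Review bot: The role's tasks install a php5-fpm pool file, but this handler list has no php5-fpm entry, so a pool change can never restart php5-fpm from inside the role; add `- name: restart php5-fpm` with `service: name=php5-fpm state=restarted`. The `restart nginx` name is also declared in the common role's handlers with a broken `command:` module, and notifications are resolved by name, so which definition fires is ambiguous — keep one definition, and keep it here where the service is managed.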
@ -0,0 +1,23 @@ | |||||
--- | |||||
- name: Install default packages Debian. | |||||
apt: pkg={{item}} state=installed install_recommends=no | |||||
with_items: | |||||
- nginx | |||||
- nginx-common | |||||
- nginx-full | |||||
- php5-fpm | |||||
- name: Copy nginx.conf | |||||
tags: nginx | |||||
copy: src=etc-nginx-nginx.conf dest=/etc/nginx/nginx.conf | |||||
- name: Copy php5/fpm/pool.d/www-data.conf | |||||
tags: nginx | |||||
copy: src=etc-php5-fpm-pool.d-www-data.conf dest=/etc/php5/fpm/pool.d/www-data.conf | |||||
- name: Delete the www.conf template | |||||
tags: nginx | |||||
file: path=etc/php5/fpm/pool.d/www.conf state=absent | |||||
notify: restart nginx | |||||
# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab: |
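Review bot: `file: path=etc/php5/fpm/pool.d/www.conf state=absent` in the last task is a relative path (no leading `/`), so it resolves against the remote working directory and the default `www.conf` pool is never removed; use `path=/etc/php5/fpm/pool.d/www.conf`. The two `copy` tasks replace `nginx.conf` and the fpm pool file without any `notify`, so a changed configuration is not picked up until something else restarts the services — add `notify: reload nginx` to the first and a php5-fpm restart to the second. `state=installed` on the apt task is an alias of `state=present`; the canonical spelling reads better.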
@ -0,0 +1,46 @@ | |||||
--- | |||||
packages: | |||||
- nginx | |||||
- php5-cli | |||||
- php5-mysql | |||||
- php5-fpm | |||||
- php-apc | |||||
- php5-mysql | |||||
- php5-curl | |||||
- libmime-lite-perl | |||||
firewall_role_rules: | |||||
- "-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT" | |||||
sysctls: | |||||
- name: net.ipv4.ip_local_port_range | |||||
value: "'1024 65000'" | |||||
- name: net.ipv4.tcp_tw_reuse | |||||
value: 1 | |||||
- name: net.ipv4.tcp_fin_timeout | |||||
value: 15 | |||||
- name: net.core.netdev_max_backlog | |||||
value: 4096 | |||||
- name: net.core.rmem_max | |||||
value: 16777216 | |||||
- name: net.core.somaxconn | |||||
value: 4096 | |||||
- name: net.core.wmem_max | |||||
value: 16777216 | |||||
- name: net.ipv4.tcp_max_syn_backlog | |||||
value: 20480 | |||||
- name: net.ipv4.tcp_max_tw_buckets | |||||
value: 400000 | |||||
- name: net.ipv4.tcp_no_metrics_save | |||||
value: 1 | |||||
- name: net.ipv4.tcp_rmem | |||||
value: "'4096 87380 16777216'" | |||||
- name: net.ipv4.tcp_syn_retries | |||||
value: 2 | |||||
- name: net.ipv4.tcp_synack_retries | |||||
value: 2 | |||||
- name: net.ipv4.tcp_wmem | |||||
value: "'4096 65536 16777216'" | |||||
# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab: |
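Review bot: `firewall_role_rules` opens only TCP 80, yet the ownCloud vhost listens on 443 and its port-80 block redirects every request there, so with this rule set alone the HTTPS redirect lands on a filtered port; add `- "-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT"`. `php5-mysql` appears twice in `packages` (second and sixth entries). The `"'1024 65000'"` double-quoting of the multi-value sysctls presumably exists so the inner quotes survive a shell invocation — a comment naming that assumption would help, or drop the inner quotes if the value goes to the `sysctl` module.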
@ -0,0 +1,46 @@ | |||||
--- | |||||
# handlers du role common | |||||
- name: update aliases | |||||
command: newaliases | |||||
- name: restart munin-node | |||||
service: name=munin-node state=restarted | |||||
- name: restart hobbit-client | |||||
service: name=hobbit-client state=restarted | |||||
- name: restart xymon-client | |||||
service: name=xymon-client state=restarted | |||||
- name: restart gwm | |||||
service: name=gwm state=restarted | |||||
- name: restart xend | |||||
service: name=xend state=restarted | |||||
- name: update-grub | |||||
command: update-grub | |||||
- name: restart collectd | |||||
service: name=collectd state=restarted | |||||
- name: restart ntp | |||||
service: name=ntp state=restarted | |||||
- name: restart xymon | |||||
service: name=xymon state=restarted | |||||
- name: update mysql_relay_domains map | |||||
shell: postmap /etc/postfix/mysql_relay_domains.cf | |||||
- name: restart postfix | |||||
service: name=postfix state=restarted | |||||
- name: restart nginx | |||||
command: name=nginx state=restarted | |||||
- name: restart php5-fpm | |||||
shell: /etc/init.d/php5-fpm restart | |||||
# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab: | |||||
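Review bot: `restart nginx` uses `command: name=nginx state=restarted`, which tries to execute a program literally named `name=nginx` rather than calling the service module, so this handler fails whenever it is notified; it should read `service: name=nginx state=restarted`. `restart php5-fpm` shells out to `/etc/init.d/php5-fpm restart` where `service: name=php5-fpm state=restarted` would match the other entries and report changed state properly. Both names are notified from the owncloud role's tasks, so these two entries are the ones exercised by this playbook.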
@ -0,0 +1,74 @@ | |||||
--- | |||||
- name: Install ownCloud dependencies | |||||
apt: pkg={{item}} state=installed update_cache=no | |||||
tags: owncloud | |||||
with_items: "{{ packages }}" | |||||
ignore_errors: no | |||||
- name: unlink default vhost nginx | |||||
tags: owncloud | |||||
shell: unlink /etc/nginx/sites-enabled/default | |||||
ignore_errors: yes | |||||
- name: Get ownCloud | |||||
tags: | |||||
- update | |||||
- owncloud | |||||
get_url: url=https://download.owncloud.org/community/owncloud-latest.tar.bz2 validate_certs=no dest=/root/owncloud-latest.tar.bz2 | |||||
- name: Creation of the right folder | |||||
tags: owncloud | |||||
file: path=/etc/nginx/ssl/ state=directory recurse=yes | |||||
- name: create self-signed SSL cert | |||||
command: openssl req -new -nodes -x509 -subj "/C=FR/ST=SomeWhere/L=OverTheRainBow/O=OwnCloud/CN=owncloud.{{ domain }}" -days 3650 -keyout /etc/nginx/ssl/owncloud.key -out /etc/nginx/ssl/owncloud.crt -extensions v3_ca creates=/etc/nginx/ssl/owncloud.crt | |||||
tags: owncloud | |||||
notify: restart nginx | |||||
- name: Creation of the right folder | |||||
tags: owncloud | |||||
file: path=/var/www/owncloud/ state=directory recurse=yes | |||||
- name: Untar | |||||
tags: | |||||
- update | |||||
- owncloud | |||||
shell: tar xvf /root/owncloud-latest.tar.bz2 -C /var/www/owncloud/ | |||||
ignore_errors: no | |||||
- name: Chown | |||||
tags: | |||||
- update | |||||
- owncloud | |||||
shell: chown -R www-data. /var/www/ | |||||
- name: Randomly generate an ownCloud database password | |||||
shell: pwgen -y -B -s 80 1 | |||||
tags: | |||||
- owncloud | |||||
register: dbpassword | |||||
- name: Config nginx | |||||
template: src=etc-nginx-sites-enabled-owncloud.j2 dest=/etc/nginx/sites-enabled/owncloud | |||||
tags: owncloud | |||||
notify: restart nginx | |||||
- name: Config PHP5-fpm | |||||
template: src=etc-php5-fpm-pool.d-www.conf.j2 dest=/etc/php5/fpm/pool.d/www.conf | |||||
tags: owncloud | |||||
notify: restart php5-fpm | |||||
- name: Import database template | |||||
tags: | |||||
- owncloud | |||||
template: src=root-ownclouddb.sql.j2 dest=/root/ownclouddb.sql | |||||
- name: Import sql file for account and db creation | |||||
tags: | |||||
- owncloud | |||||
shell: mysql < /root/ownclouddb.sql | |||||
notify: restart php5-fpm | |||||
#vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab: |
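Review bot: The "Get ownCloud" `get_url` task sets `validate_certs=no` on an HTTPS download and gives no `checksum=`, so the tarball later untarred into the web root is accepted from whoever can intercept the connection; drop `validate_certs=no` (fix the CA bundle if it was added to work around a certificate error) and add `checksum=sha256:<expected digest>`. The password task `shell: pwgen -y -B -s 80 1` registers its output without `no_log: true`, so the database password appears in the play output, and as a `shell` task it re-runs on every play, producing a fresh password each time while the SQL import does not handle an already-existing user. The `/root/ownclouddb.sql` template holds that password in clear text and is written with the default mode; give it at least `mode=0600`. The `unlink` and `tar xvf` shell tasks would be idempotent as `file: state=absent` and `unarchive:` — a style point rather than a defect.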
@ -0,0 +1,73 @@ | |||||
server { | |||||
listen 80; | |||||
server_name owncloud.{{ domain }}; | |||||
return 301 https://$server_name$request_uri; | |||||
} | |||||
server { | |||||
listen 443 ssl; | |||||
server_name owncloud.{{ instance_name }}; | |||||
keepalive_timeout 70; | |||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |||||
ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5; | |||||
ssl_certificate /etc/nginx/ssl/owncloud.crt; | |||||
ssl_certificate_key /etc/nginx/ssl/owncloud.key; | |||||
root /var/www/owncloud/owncloud/; | |||||
error_log /var/log/owncloud.error.log; | |||||
access_log /var/log/owncloud.access.log; | |||||
client_max_body_size 10G; | |||||
fastcgi_buffers 64 4K; | |||||
rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect; | |||||
rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect; | |||||
rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect; | |||||
index index.php; | |||||
error_page 403 /core/templates/403.php; | |||||
error_page 404 /core/templates/404.php; | |||||
location = /robots.txt { | |||||
allow all; | |||||
log_not_found off; | |||||
access_log off; | |||||
} | |||||
location ~ ^/(data|config|\.ht|db_structure\.xml|README) { | |||||
deny all; | |||||
} | |||||
location / { | |||||
rewrite ^/.well-known/host-meta /public.php?service=host-meta last; | |||||
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; | |||||
rewrite ^/.well-known/carddav /remote.php/carddav/ redirect; | |||||
rewrite ^/.well-known/caldav /remote.php/caldav/ redirect; | |||||
rewrite ^(/core/doc/[^\/]+/)$ $1/index.html; | |||||
try_files $uri $uri/ index.php; | |||||
error_log /var/log/owncloud.error.log; | |||||
access_log /var/log/owncloud.access.log; | |||||
} | |||||
location ~ ^(.+?\.php)(/.*)?$ { | |||||
try_files $1 = 404; | |||||
include fastcgi_params; | |||||
fastcgi_param SCRIPT_FILENAME $document_root$1; | |||||
fastcgi_param PATH_INFO $2; | |||||
fastcgi_param HTTPS on; | |||||
fastcgi_connect_timeout 60; | |||||
fastcgi_send_timeout 180; | |||||
fastcgi_param htaccessWorking true; | |||||
fastcgi_read_timeout 360; | |||||
fastcgi_pass unix:/var/run/php5-fpm-www-data.sock; | |||||
error_log /var/log/owncloud.fpm.error.log; | |||||
access_log /var/log/owncloud.fpm.access.log; | |||||
} | |||||
# Optional: set long EXPIRES header on static assets | |||||
location ~* ^.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ { | |||||
expires 30d; | |||||
# Optional: Don't log access to assets | |||||
access_log off; | |||||
} | |||||
} | |||||
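Review bot: `ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5` on the 443 server block keeps RC4 and 3DES suites, `ssl_protocols` still admits TLSv1, and none of the listed suites gives forward secrecy. `ssl_protocols TLSv1.2;` with an ECDHE-only list such as `ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;` and `ssl_prefer_server_ciphers on;` is the usual replacement, subject to what the target's OpenSSL supports. The two server blocks also disagree on the host: port 80 uses `owncloud.{{ domain }}` and port 443 uses `owncloud.{{ instance_name }}`, so the `$server_name` redirect points at a name the TLS block (and the certificate CN from the openssl task) does not match unless the two variables are equal. In the PHP location, `try_files $1 = 404;` should be `try_files $1 =404;` — with the space nginx probes a file named `=` and uses `404` as the fallback URI.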
@ -0,0 +1,36 @@ | |||||
[www-data] | |||||
prefix = /var/tmp | |||||
user = www-data | |||||
group = www-data | |||||
slowlog = /var/log/php-fpm/slowlog-site.log | |||||
listen = /var/run/php5-fpm-www-data.sock | |||||
listen.backlog = 1024 | |||||
pm = dynamic | |||||
pm.start_servers = 4 | |||||
pm.min_spare_servers = 2 | |||||
pm.max_spare_servers = 6 | |||||
pm.max_children = 8 | |||||
pm.process_idle_timeout = 30s; | |||||
pm.max_requests = 800 | |||||
pm.status_path = /status | |||||
listen.backlog = -1 | |||||
listen.owner = www-data | |||||
listen.group = www-data | |||||
listen.mode = 0666 | |||||
request_terminate_timeout = 3600s | |||||
catch_workers_output=no | |||||
chdir = / | |||||
rlimit_core = unlimited | |||||
security.limit_extensions = .php .php3 .php4 .php5 | |||||
env[TMP] = /tmp | |||||
env[TMPDIR] = /tmp | |||||
env[TEMP] = /tmp | |||||
env[HOSTNAME] = $HOSTNAME | |||||
php_admin_value[memory_limit] = 1G | |||||
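Review bot: `listen.mode = 0666` makes the fpm socket world-writable, so any local account can submit FastCGI requests to a pool running as www-data; since `listen.owner`/`listen.group` are already `www-data` and nginx's workers run as `www-data` (`user www-data;` in nginx.conf), `listen.mode = 0660` is sufficient. `listen.backlog` is assigned twice (`1024`, then `-1`); only one can take effect, so delete the earlier line. `rlimit_core = unlimited` lets a crashing worker write memory that may include request data and the database password to disk — leave it at the default unless core files are actively collected. `catch_workers_output=no` is the one key/value pair without spaces, and `pm.process_idle_timeout = 30s;` repeats the stray `;` from the nginx role's pool file.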
@ -0,0 +1,5 @@ | |||||
CREATE USER 'owncloud'@'localhost' IDENTIFIED BY '{{ dbpassword.stdout }}'; | |||||
GRANT USAGE ON * . * TO 'owncloud'@'localhost' IDENTIFIED BY '{{ dbpassword.stdout }}' WITH MAX_QUERIES_PER_HOUR 0 | |||||
MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ; | |||||
CREATE DATABASE IF NOT EXISTS `owncloud` ; | |||||
GRANT ALL PRIVILEGES ON `owncloud` . * TO 'owncloud'@'localhost'; |
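Review bot: `{{ dbpassword.stdout }}` is interpolated into a quoted SQL literal without escaping, and the generator used in the owncloud role (`pwgen -y`) draws from a symbol set that includes `'` and `\`, so a generated password can terminate the literal and make the import fail or store a truncated password. Either generate without `-y`, or replace this file and the `mysql <` task with the `mysql_user` module (`mysql_user: name=owncloud password="{{ dbpassword.stdout }}" priv=owncloud.*:ALL`), which quotes the value itself and is idempotent. `CREATE USER` carries no existence check, so a second run of the play aborts at the first statement. The `IDENTIFIED BY` clause on the `GRANT USAGE` line repeats the password with no effect beyond what `CREATE USER` already did.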
@ -0,0 +1,17 @@ | |||||
packages: | |||||
- php5 | |||||
- php5-gd | |||||
- php-xml-parser | |||||
- php5-intl | |||||
- php5-sqlite | |||||
- php5-mysql | |||||
- php5-pgsql | |||||
- smbclient | |||||
- php5-curl | |||||
- php5-mcrypt | |||||
- php5-fpm | |||||
- pwgen | |||||
- bzip2 | |||||
- php5-ldap | |||||
# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab: | |||||