ansible – nextcloud playbook

---
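- name: httpd installation & preparation
  hosts: nextcloud
  become: true

  tasks:
  # Both packages in one dnf transaction instead of one transaction per item.
  # `state: latest` upgrades on every run, so this is not a pinned install.
  - name: httpd installation
    ansible.builtin.dnf:
      name:
        - httpd
        - mod_ssl
      state: latest
  # Open http and https in both the running and the persistent firewalld
  # configuration (booleans written canonically, not `yes`).
  - name: firewalld - http/https service enable
    ansible.builtin.firewalld:
      service: "{{ item }}"
      permanent: true
      immediate: true
      state: enabled
    loop:
      - http
      - https
  # Debian-style sites-available/sites-enabled layout on top of the stock
  # RHEL httpd tree; the vhost of a later play is linked into sites-enabled.
  - name: sites directories create
    ansible.builtin.file:
      path: "{{ item }}"
      state: directory
      owner: root
      group: root
      mode: "0755"
    loop:
      - /etc/httpd/sites-available
      - /etc/httpd/sites-enabled
  # Appended once (lineinfile is idempotent on the exact line); everything
  # placed in sites-enabled becomes part of the server configuration.
  - name: sites-enabled add to the httpd configuration
    ansible.builtin.lineinfile:
      path: /etc/httpd/conf/httpd.conf
      insertafter: EOF
      line: 'Include /etc/httpd/sites-enabled'
      state: present
  - name: httpd service enable and start
    ansible.builtin.systemd:
      name: httpd
      enabled: true
      state: started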

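- name: fail2ban installation & configuration
  hosts: nextcloud
  become: true

  tasks:
  - name: fail2ban installation
    ansible.builtin.dnf:
      name: fail2ban
      state: latest
  # Jail definitions are shipped from the controller. The source files are
  # outside this playbook, so what they ban is not reviewed here.
  # The restart is now a handler: it fires only when a jail file changed,
  # instead of restarting fail2ban (and dropping its ban state) on every run.
  - name: fail2ban jail configuration
    ansible.builtin.copy:
      src: "/etc/ansible/templates/fail2ban/{{ item }}"
      dest: "/etc/fail2ban/jail.d/{{ item }}"
      owner: root
      group: root
      mode: "0644"
      backup: true
    loop:
      - sshd.local
      - httpd.local
    notify: fail2ban restart
  - name: fail2ban service enable and start
    ansible.builtin.systemd:
      name: fail2ban
      enabled: true
      state: started

  handlers:
  - name: fail2ban restart
    ansible.builtin.systemd:
      name: fail2ban
      state: restarted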

# NOTE(review): this play is a strict subset of the one that follows it
# (same name, same single dnf task). It does no harm but is redundant.
- name: php 8 installation & configuration
  hosts: nextcloud
  become: true

  tasks:
  # Installs the distro `php` package; no version is pinned beyond "present".
  - name: php 8 installation
    ansible.builtin.dnf:
      name: 'php'
      state: present

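- name: php 8 installation & configuration
  hosts: nextcloud
  become: true

  tasks:
  - name: php 8 installation
    ansible.builtin.dnf:
      name: 'php'
      state: present
  # All modules in a single dnf transaction; `state: latest` means they are
  # upgraded on every run.
  - name: php required modules installation
    ansible.builtin.dnf:
      name:
        - php-cli
        - php-gd
        - php-imagick
        - php-intl
        - php-json
        - php-mbstring
        - php-mysqlnd
        - php-opcache
        - php-pecl-apcu
        - php-process
        - php-redis
        - php-zip
      state: latest
  # php.ini edits: each regexp anchors on the directive name so the task
  # rewrites the existing line rather than appending a second one.
  - name: php post_max_size 512M set
    ansible.builtin.lineinfile:
      path: /etc/php.ini
      regexp: "^post_max_size ="
      line: "post_max_size = 512M"
      state: present
  - name: php upload_max_filesize 512M set
    ansible.builtin.lineinfile:
      path: /etc/php.ini
      regexp: "^upload_max_filesize ="
      line: "upload_max_filesize = 512M"
      state: present
  # The old regexp only matched the exact commented default
  # `;max_input_vars = 1000`; this one matches the directive whether it is
  # commented out or already set, so the edit stays in place on re-runs.
  - name: php max_input_vars 5000 set
    ansible.builtin.lineinfile:
      path: /etc/php.ini
      regexp: '^;?max_input_vars\s*='
      line: "max_input_vars = 5000"
      state: present
  # Bug fix: php.ini values without a unit suffix are bytes, so the previous
  # `memory_limit = 1024` was a 1 KiB limit. The M suffix gives the 1 GiB the
  # task name asks for.
  - name: php memory_limit 1024M set
    ansible.builtin.lineinfile:
      path: /etc/php.ini
      regexp: "^memory_limit"
      line: "memory_limit = 1024M"
      state: present
  # php.ini is read at startup, so httpd must be restarted for the edits above.
  - name: httpd service restart
    ansible.builtin.systemd:
      name: httpd
      state: restarted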

- name: redis installation
  hosts: nextcloud
  become: true

  tasks:
  # Distro redis package; `state: latest` upgrades it whenever the repo has a
  # newer build. How nextcloud uses it is configured elsewhere, not here.
  - name: redis installation
    ansible.builtin.dnf:
      name: redis
      state: latest
  # Enabled at boot and started now, in one systemd call.
  - name: redis service enable and start
    ansible.builtin.systemd:
      name: redis.service
      enabled: true
      state: started

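- name: mariadb installation & configuration
  hosts: nextcloud
  become: true

  tasks:
  # Third-party repo definition shipped from the controller. Its contents are
  # not visible here — NOTE(review): confirm it sets gpgcheck=1 with the
  # vendor key, otherwise the `latest` install below is unsigned.
  - name: mariadb 10.11 repository add
    ansible.builtin.copy:
      src: /etc/ansible/templates/yum.repos.d/mariadb.repo
      dest: /etc/yum.repos.d/mariadb.repo
      owner: root
      group: root
      mode: "0644"
  - name: autoremove unneeded packages installed as dependencies
    ansible.builtin.dnf:
      autoremove: true
  # Full system upgrade on every run of this play; this is where the new
  # mariadb repo first takes effect.
  - name: update packages
    ansible.builtin.dnf:
      name: "*"
      state: latest
  - name: mariadb installation
    ansible.builtin.dnf:
      name: mariadb-server
      state: latest
  # Required by the community.mysql modules used in later plays.
  - name: python3-PyMySQL installation
    ansible.builtin.dnf:
      name: python3-PyMySQL
      state: present
  - name: mariadb service enable and start
    ansible.builtin.systemd:
      name: mariadb
      enabled: true
      state: started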

# Equivalent of mysql_secure_installation: root password, no anonymous
# accounts, no test database. Order matters: the credentials file and the
# root password are set before the tasks that log in with them.
# NOTE(review): `mariadb_root_password` is not defined anywhere in this file;
# presumably it comes from inventory or a vault file — verify, and keep it
# out of plain-text vars.
- name: mariadb secure installation
  hosts: nextcloud
  become: true

  tasks:
  # Client credentials file, readable only by its owner. `~` is expanded on
  # the target; with become this is presumably /root/.my.cnf — confirm.
  - name: my.cnf file set
    ansible.builtin.template:
      src: "/etc/ansible/templates/mariadb/my.cnf.j2"
      dest: "~/.my.cnf"
      owner: root
      group: root
      mode: "0600"
  # check_implicit_admin lets the module first try socket/unix_socket auth as
  # root, which is how a fresh install is reached before a password exists.
  - name: root password set
    community.mysql.mysql_user:
      login_user: "root"
      login_password: "{{ mariadb_root_password }}"
      user: root
      check_implicit_admin: true
      password: "{{ mariadb_root_password }}"
      host: localhost
  # An empty `name` selects the anonymous account.
  - name: anonymous user account for localhost delete
    community.mysql.mysql_user:
      login_host: "localhost"
      login_user: "root"
      login_password: "{{ mariadb_root_password }}"
      check_implicit_admin: true
      name: ''
      host: localhost
      state: absent
  - name: all anonymous user accounts delete
    community.mysql.mysql_user:
      login_host: "localhost"
      login_user: "root"
      login_password: "{{ mariadb_root_password }}"
      check_implicit_admin: true
      name: ''
      host_all: true
      state: absent
  - name: test database delete
    community.mysql.mysql_db:
      login_host: "localhost"
      login_user: "root"
      login_password: "{{ mariadb_root_password }}"
      check_implicit_admin: true
      name: test
      state: absent

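- name: nextcloud installation & configuration
  hosts: nextcloud
  become: true

  # Plain mapping instead of a list of one-key mappings; same variables.
  vars:
    dns_hostname: cloud
    dns_domain: krolaki.eu
    # NOTE(review): plain-text credential stored with the playbook. Move it to
    # an ansible-vault file or an inventory variable and keep only the
    # reference here. `mariadb_root_password`, used below, is not defined in
    # this file at all — presumably inventory/vault; verify.
    mariadb_database_password: veryStrongPassword

  tasks:
  # Certificate and key are pushed from the same paths on the controller.
  - name: ssl certificate to the target server copy
    ansible.builtin.copy:
      src: "/etc/pki/tls/certs/{{ dns_hostname }}-{{ dns_domain }}.crt"
      dest: "/etc/pki/tls/certs/{{ dns_hostname }}-{{ dns_domain }}.crt"
      owner: root
      group: root
      mode: "0644"
  # Fix: the private key was installed 0644, i.e. readable by every local
  # user on the target. A root-owned 0600 file is the conventional mode for a
  # TLS key.
  - name: ssl key to the target server copy
    ansible.builtin.copy:
      src: "/etc/pki/tls/private/{{ dns_hostname }}-{{ dns_domain }}.key"
      dest: "/etc/pki/tls/private/{{ dns_hostname }}-{{ dns_domain }}.key"
      owner: root
      group: root
      mode: "0600"
  # Explicit ownership/mode on the rendered vhost instead of umask defaults.
  - name: vhost configuration
    ansible.builtin.template:
      src: /etc/ansible/templates/httpd/sites-available/template.conf.j2
      dest: "/etc/httpd/sites-available/{{ dns_hostname }}.conf"
      owner: root
      group: root
      mode: "0644"
  - name: vhost enable
    ansible.builtin.file:
      src: "/etc/httpd/sites-available/{{ dns_hostname }}.conf"
      dest: "/etc/httpd/sites-enabled/{{ dns_hostname }}.conf"
      owner: root
      group: root
      state: link
  # NOTE(review): latest.zip is fetched over HTTPS but its contents are not
  # verified and the version is not pinned, so what gets deployed depends on
  # the mirror at run time. Prefer a pinned release downloaded with get_url
  # and its published checksum (`checksum:` option) before unarchiving — TODO.
  # The archive unpacks to /var/www/html/nextcloud; it is moved below.
  - name: nextcloud download
    ansible.builtin.unarchive:
      src: "https://download.nextcloud.com/server/releases/latest.zip"
      dest: /var/www/html/
      remote_src: true
      owner: apache
      group: apache
      mode: "0755"
  # NOTE(review): the data directory lives inside the web root; Nextcloud's
  # admin documentation recommends placing it outside the web root. Here its
  # protection depends on the vhost template and .htaccess, which are not
  # visible in this file — confirm direct access to it is blocked.
  - name: nextcloud directories create
    ansible.builtin.file:
      path: "{{ item }}"
      state: directory
      owner: apache
      group: apache
      mode: "0755"
    loop:
      - "/var/www/html/{{ dns_hostname }}"
      - "/var/www/html/{{ dns_hostname }}/data"
  # Recursive on-target copy of the unpacked tree into the vhost directory.
  - name: nextcloud files copy
    ansible.builtin.copy:
      src: /var/www/html/nextcloud/
      dest: "/var/www/html/{{ dns_hostname }}"
      remote_src: true
      owner: apache
      group: apache
      mode: "0755"
  - name: nextcloud directory delete
    ansible.builtin.file:
      path: /var/www/html/nextcloud
      state: absent
  # Only the paths Nextcloud must write to get the rw context; the rest of the
  # tree keeps the default read-only httpd content label.
  - name: httpd_sys_rw_content_t selinux context set for writable nextcloud paths
    community.general.sefcontext:
      target: "{{ item }}"
      setype: httpd_sys_rw_content_t
      state: present
    loop:
      - '/var/www/html/{{ dns_hostname }}/data(/.*)?'
      - '/var/www/html/{{ dns_hostname }}/config(/.*)?'
      - '/var/www/html/{{ dns_hostname }}/apps(/.*)?'
      - '/var/www/html/{{ dns_hostname }}/.htaccess'
      - '/var/www/html/{{ dns_hostname }}/.user.ini'
      - '/var/www/html/{{ dns_hostname }}/3rdparty/aws/aws-sdk-php/src/data/logs(/.*)?'
  # restorecon is idempotent but `command` would report changed every run.
  - name: selinux file context apply
    ansible.builtin.command: restorecon -R '/var/www/html/{{ dns_hostname }}'
    changed_when: false
  - name: httpd_can_network_connect flag set
    ansible.posix.seboolean:
      name: httpd_can_network_connect
      state: true
      persistent: true
  # NOTE(review): this builds a policy module from whatever php-fpm denials
  # happen to be in the audit log at run time and installs it, i.e. it allows
  # every access that was denied rather than a reviewed set. It is also not
  # idempotent (runs every time, writes my-phpfpm.* into the current
  # directory). Prefer shipping a reviewed .te/.pp module, or drop this step
  # if the sefcontext/seboolean tasks above already cover the denials — TODO
  # verify on a test host before relying on it.
  - name: selinux load module
    ansible.builtin.shell: "{{ item }}"
    loop:
      - ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm
      - semodule -X 300 -i my-phpfpm.pp
  - name: database create
    community.mysql.mysql_db:
      login_host: "localhost"
      login_user: "root"
      login_password: "{{ mariadb_root_password }}"
      name: "{{ dns_hostname }}"
      state: present
  # Application account scoped to its own database. no_log keeps the
  # password out of the task output and logs.
  - name: database user create
    community.mysql.mysql_user:
      login_host: "localhost"
      login_user: "root"
      login_password: "{{ mariadb_root_password }}"
      name: "{{ dns_hostname }}"
      password: "{{ mariadb_database_password }}"
      priv: "{{ dns_hostname }}.*:ALL"
      state: present
    no_log: true
  # Picks up the new vhost and the SELinux boolean.
  - name: httpd service restart
    ansible.builtin.systemd:
      name: httpd
      state: restarted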
