nierdz.nextcloud

Nextcloud

这个 ansible 角色以 capistrano 的方式安装 nextcloud。这意味着文件夹结构如下所示：

/var/wwww
└── nextcloud.local
    ├── current -> /var/www/nextcloud.local/releases/20.0.7
    │   └── nextcloud
    │       └── config
    │          └── config.php -> /var/www/shared/config.php
    ├── data
    │   ├── admin
    │   ├── appdata_somerandomshit
    │   ├── files_external
    │   ├── index.html
    │   └── nextcloud.log
    ├── releases
    │   ├── 20.0.5
    │   ├── 20.0.6
    │   └── 20.0.7
    └── shared
        └── config.php

目前，此角色仅支持 MySQL 作为后端。它使用默认配置的 redis 作为本地和分布式缓存，以及事务文件锁定。

系统要求

Nextcloud 需要 PHP、Web 服务器 和 数据库管理系统 (DBMS) 才能工作。为满足这些要求，强烈建议使用以下三个角色：

为什么要特别使用这些角色？因为它们维护得很好，并且这些角色中的一些变量在这个角色中使用，但您仍然可以使用其他角色。

在生产环境中，您还需要一个 TLS 证书，可以通过 acme.sh 获得。

角色变量

`nextcloud_version`

要安装的 nextcloud 版本。默认值: "29.0.1"

`nextcloud_domain`

要使用的域名。默认值: ""

`nextcloud_php_user`

所有 nextcloud 文件将由此用户拥有。通常需要将此值设置为 www-data。默认值: "{{ php_fpm_pool_user | default('www-data') }}"

`nextcloud_php_version`

要使用的 PHP 主要版本。默认值: "{{ php_default_version_debian | default('8.2') }}"

`nextcloud_php_bin_path`

PHP 可执行文件的路径。默认值: /usr/bin/php

`nextcloud_keep_releases`

希望保留旧版本的时间。默认值: "60d"

`nextcloud_admin_user`

安装过程中创建的默认管理员用户。安装完成后，可以创建另一个具有管理员角色的用户并删除此用户。默认值: ""

`nextcloud_admin_password`

nextcloud_admin_user 的密码。强烈建议使用 ansible-vault 进行加密。默认值: ""

`nextcloud_config_template`

用于 Nextcloud 的 config.php 的 Jinja2 模板。要使用自定义配置模板，您需要：

在与您的剧本同一层级下创建 templates/ 目录
创建一个名为 templates/myconfig.php.j2 的文件（选择与默认模板不同的名称）
在您的剧本中设置变量 nextcloud_config_template: myconfig.php.j2 默认值: "config.php.j2"

`nextcloud_instanceid`

唯一的实例 ID。生成一个随机的，并在安装期间保持有效。默认值: ""

`nextcloud_passwordsalt`

用于对所有密码进行哈希处理的盐。强烈建议使用 ansible-vault 进行加密。默认值: ""

`nextcloud_secret`

Nextcloud 用于多种目的的密钥，例如加密数据。如果丢失此字符串，将导致数据损坏。强烈建议使用 ansible-vault 进行加密。默认值: ""

`nextcloud_dbhost`

连接数据库所用的主机。默认值: "localhost"

`nextcloud_dbname`

安装期间设置的 nextcloud 数据库名称。默认值: "nextcloud"

`nextcloud_dbuser`

nextcloud 用于读写数据库的用户。默认值: "nextcloud"

`nextcloud_dbpassword`

nextcloud_dbuser 的密码。强烈建议使用 ansible-vault 进行加密。默认值: ""

`nextcloud_deploy_to`

nextcloud 安装的主文件夹。默认值: "/var/www/{{ nextcloud_domain }}"

`nextcloud_datadirectory`

用户文件存储位置。默认值: "{{ nextcloud_deploy_to }}/data"

`nextcloud_php_packages`

nextcloud 需要的附加 PHP 包。默认值:

- php-pear
- php{{ nextcloud_php_version }}-bcmath
- php{{ nextcloud_php_version }}-bz2
- php{{ nextcloud_php_version }}-curl
- php{{ nextcloud_php_version }}-gd
- php{{ nextcloud_php_version }}-gmp
- php{{ nextcloud_php_version }}-imagick
- php{{ nextcloud_php_version }}-intl
- php{{ nextcloud_php_version }}-json
- php{{ nextcloud_php_version }}-mbstring
- php{{ nextcloud_php_version }}-mysql
- php{{ nextcloud_php_version }}-redis
- php{{ nextcloud_php_version }}-xml
- php{{ nextcloud_php_version }}-zip

`nextcloud_packages`

nextcloud 需要的附加软件包。默认值:

- redis-server
- redis-tools
- unzip

`nextcloud_apps`

要安装和启用的应用列表。默认值: []

`nextcloud_no_log`

在部署期间隐藏敏感数据。默认值: true

工作示例

在您的 playbook.yml 中，您应包含以下内容：

- name: 配置 nextcloud 服务器
  become: true
  hosts: nextcloud
  vars_files:
    - vault_vars/nextcloud.yml
  roles:
    - {role: acme_sh, tags: [acme_sh]} （用于获取 TLS 证书，可以使用任何内容）
    - {role: nginx, tags: ['nginx']}
    - {role: mysql, tags: ['mysql']}
    - {role: php, tags: ['php']}
    - {role: percona, tags: ['percona']}
    - {role: nextcloud, tags: ['nextcloud']}
  pre_tasks:
    - name: 安装 sury 密钥
      apt_key:
        url: "https://packages.sury.org/php/apt.gpg"
        state: present
    - name: 添加 sury 仓库
      apt_repository:
        repo: "deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main"
        state: present
        update_cache: true
        filename: sury
    - name: 复制特定的 nginx 配置文件
      copy:
        src: "{{ item }}"
        dest: /etc/nginx/
        owner: root
        mode: 0644
      with_fileglob:
        - nginx/*.conf
    - name: 复制 /etc/nginx/dh4096.pem
      copy:
        src: nginx/dh4096.pem
        dest: /etc/nginx/dh4096.pem
        owner: www-data
        mode: 0400

这是您在 vault_vars/nextcloud.yml 中加密的变量：

mysql_root_password_vault: vaultmeplease
nextcloud_dbpassword_vault: vaultmeplease
nextcloud_passwordsalt_vault: vaultmeplease
nextcloud_secret_vault: vaultmeplease
nextcloud_instanceid_vault: vaultmeplease
nextcloud_admin_user_vault: admin
nextcloud_admin_password_vault: vaultmeplease

您的 grupos 变量在 group_vars/nextcloud.yml 中是：

# Nextcloud
nextcloud_domain: "yourdomain.com"
nextcloud_admin_user: "{{ nextcloud_admin_user_vault }}"
nextcloud_admin_password: "{{ nextcloud_admin_password_vault }}"
nextcloud_instanceid: "{{ nextcloud_instanceid_vault }}"
nextcloud_passwordsalt: "{{ nextcloud_passwordsalt_vault }}"
nextcloud_secret: "{{ nextcloud_secret_vault }}"
nextcloud_dbpassword: "{{ nextcloud_dbpassword_vault }}"
nextcloud_apps: [calendar]

# MySQL
mysql_root_password: "{{ mysql_root_password_vault }}"
mysql_bind_address: 127.0.0.1
mysql_packages:
  - mariadb-client
  - mariadb-server
  - python-mysqldb
mysql_databases:
  - name: nextcloud
    encoding: utf8mb4
    collation: utf8mb4_general_ci
mysql_users:
  - name: nextcloud
    host: "localhost"
    password: "{{ nextcloud_dbpassword }}"
    priv: "nextcloud.*:ALL"
    state: present

# Nginx
nginx_remove_default_vhost: true
nginx_service_enabled: true
nginx_service_state: started
nginx_listen_ipv6: false
nginx_vhosts:
  - listen: {{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:443 ssl http2 default_server
    server_name: "{{ nextcloud_domain }}"
    state: "present"
    root: "/var/www/{{ nextcloud_domain }}/current/nextcloud"
    index: index.php
    extra_parameters: |
      add_header Referrer-Policy "no-referrer" always;
      add_header X-Content-Type-Options "nosniff" always;
      add_header X-Download-Options "noopen" always;
      add_header X-Frame-Options "SAMEORIGIN" always;
      add_header X-Permitted-Cross-Domain-Policies "none" always;
      add_header X-Robots-Tag "none" always;
      add_header X-XSS-Protection "1; mode=block" always;

      ssl_certificate /root/.acme.sh/{{ nextcloud_domain }}/fullchain.cer;
      ssl_certificate_key /root/.acme.sh/{{ nextcloud_domain }}/{{ nextcloud_domain }}.key;
      include /etc/nginx/generic.conf;
      include /etc/nginx/gzip.conf;
      include /etc/nginx/security.conf;
      include /etc/nginx/ssl.conf;

      location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
      }

      location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
      }

      client_max_body_size 512M;
      fastcgi_buffers 64 4K;

      location / {
        rewrite ^ /index.php;
      }

      location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
          deny all;
      }
      location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
          deny all;
      }

      location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
      }

      location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
        try_files $uri/ =404;
        index index.php;
      }

      location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463";
        add_header Referrer-Policy "no-referrer" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Download-Options "noopen" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Permitted-Cross-Domain-Policies "none" always;
        add_header X-Robots-Tag "none" always;
        add_header X-XSS-Protection "1; mode=block" always;
        access_log off;
      }

      location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
        try_files $uri /index.php$request_uri;
        access_log off;
      }

# PHP
php_default_version_debian: "8.2"
php_packages:
  - php8.2-cli
  - php8.2-fpm
php_install_recommends: false
php_enable_webserver: false
php_enable_php_fpm: true
php_enable_apc: false
php_memory_limit: "512M"
php_upload_max_filesize: "512M"
php_post_max_size: "512M"
php_date_timezone: "Europe/Paris"
php_opcache_zend_extension: "opcache.so"
php_opcache_enable: "1"
php_opcache_enable_cli: "0"
php_opcache_memory_consumption: "128"
php_opcache_interned_strings_buffer: "16"
php_opcache_max_accelerated_files: "10000"
php_opcache_max_wasted_percentage: "5"
php_opcache_validate_timestamps: "0"
php_opcache_revalidate_path: "0"
php_opcache_revalidate_freq: "1"
php_opcache_max_file_size: "0"

开发文档

许可证

GPLv3

关于项目

Ansible role to install nextcloud

role nextcloud owncloud php nginx mysql

安装

ansible-galaxy install nierdz.nextcloud

GitHub 仓库

2 星标

2 分叉

0 未解决问题

许可证

gpl-3.0

下载

1.4k

拥有者

Kévin Met