Merge pull request '9.1.0' (#30) from 24-install-role into main

Reviewed-on: https://git.osuv.de/ansible_collections/markuman.nextcloud/pulls/30

changelogs/fragments/24-install-role.yml

@@ -0,0 +1,2 @@
+minor_changes:
+  - add install role ``markuman.nextcloud` to distribute a turnkey nextcloud on Ubuntu 20.04.

galaxy.yml

@@ -1,7 +1,7 @@
 namespace: "markuman"
 description: bring up your nextcloud usage to the next level 🚀
 name: "nextcloud"
-version: "9.0.2"
+version: "9.1.0"
 readme: "README.md"
 authors:
     - "Markus Bergholz <markuman+spambelongstogoogle@gmail.com>"
@@ -10,5 +10,10 @@ license:
 tags:
     - nextcloud
     - collection
+    - devops
+    - installation
+    - setup
 repository: "https://git.osuv.de/m/nextcloud_collection"
 issues: https://github.com/markuman/nextcloud_collection/issues
+dependencies:
+  devsec.hardening: '>=7.14.0'

meta/runtime.yml

@@ -1,5 +1,5 @@
 ---
-requires_ansible: '>=2.9.6'
+requires_ansible: '>=2.9.10'
 action_groups:
   nextcloud:
   - file

roles/nextcloud/defaults/main.yml

@@ -0,0 +1,19 @@
+nextcloud_version: 23.0.2
+caddy_version: 2.4.6
+
+nextcloud_db_name: nextcloud
+nextcloud_db_user: nextcloud
+
+# php-fpm
+php_fpm:
+  max_children: 120
+  start_servers: 12
+  min_spare_servers: 6
+  max_spare_servers: 18
+
+# php
+opcache:
+  interned_strings_buffer: 16
+
+# mariadb
+innodb_buffer_pool_size: 512M

roles/nextcloud/handlers/main.yml

@@ -0,0 +1,18 @@
+- name: reload ufw
+  community.general.ufw:
+    state: reloaded
+
+- name: restart caddy
+  systemd:
+    name: caddy
+    state: restarted
+
+- name: restart php-fpm
+  systemd:
+    name: php7.4-fpm
+    state: restarted
+
+- name: restart coturn
+  systemd:
+    name: coturn
+    state: restarted

roles/nextcloud/meta/main.yml

@@ -0,0 +1,17 @@
+---
+galaxy_info:
+  author: Markus Bergholz
+  description: Ansible role to install nextcloud on a dedicated Ubuntu Server
+
+  license: license (BSD)
+  min_ansible_version: 2.9
+
+  platforms:
+    - name: Ubuntu
+      versions:
+        - focal
+
+  galaxy_tags:
+    - nextcloud
+
+dependencies: []

roles/nextcloud/tasks/01-packages.yml

@@ -0,0 +1,76 @@
+- name: set hostname
+  hostname:
+    name: "{{ nextcloud_fqdn.split('.')[0] }}"
+
+- name: complete /etc/hosts
+  lineinfile:
+    name: /etc/hosts
+    line: "127.0.1.1 {{ nextcloud_fqdn }} {{ nextcloud_fqdn.split('.')[0] }}"
+
+- name: uprade all packages first
+  apt:
+    update_cache: yes
+    state: latest
+    upgrade: yes
+
+- name: install php and mariadb
+  apt:
+    update_cache: yes
+    state: latest
+    name:
+      - mariadb-server
+      - mariadb-client
+      - ufw
+      - vnstat
+      - python3-pymysql
+      - unzip
+      - php-fpm
+      - php-gd
+      - php-mysql
+      - php-curl
+      - php-xml
+      - php-zip
+      - php-intl
+      - php-mbstring
+      - php-bz2
+      - php-json
+      - php-apcu
+      - php-imagick
+      - php-gmp
+      - php-bcmath
+      - imagemagick
+      - libmagickcore-6.q16-6-extra
+
+- name: enable ipv6 for ufw
+  lineinfile:
+    name: /etc/default/ufw
+    regexp: IPV6=no
+    line: IPV6=yes
+  notify:
+    - reload ufw
+
+- name: ufw rules
+  command: "{{ item }}"
+  with_items:
+    - ufw limit ssh comment "incomming ssh with ratelimit"
+    - ufw allow out 22 comment "outgoing ssh"
+    - ufw allow 80 comment "incomming http for caddy"
+    - ufw allow 443 comment "incomming https for caddy"
+    - ufw allow 3478/udp comment "incomming for coturn"
+    - ufw allow 3478 comment "incomming for coturn"
+    - ufw allow out 80 comment "outgoing http"
+    - ufw allow out 443 comment "outgoing https"
+    - ufw allow out 53/udp comment "outgoing for dns"
+    - ufw allow out 123/udp comment "outgoing for ntp"
+    - ufw allow out 993 comment "outgoing imap ssl"
+    - ufw allow out 465 comment "outgoing smtp ssl"
+    - ufw allow out 3478/udp comment "outgoing coturn"
+    - ufw allow out 3478 comment "outgoing coturn"
+
+- name: ufw enable
+  community.general.ufw:
+    state: enabled
+
+- name: os hardening
+  include_role:
+    name: devsec.hardening.os_hardening

roles/nextcloud/tasks/02-user.yml

@@ -0,0 +1,50 @@
+- name: add ubuntu nextcloud system user
+  ansible.builtin.user:
+    name: "{{ ubuntu_nextcloud_user }}"
+    shell: /bin/bash
+    comment: Ubuntu Nextcloud System User
+    password_expire_max: 99999
+    groups:
+      - www-data
+      - sudo
+
+- name: set authorized_keys file for ubuntu nextcloud user
+  ansible.posix.authorized_key:
+    user: "{{ ubuntu_nextcloud_user }}"
+    state: present
+    manage_dir: yes
+    key: "{{ ubuntu_nextcloud_user_ssh_key_location }}"
+
+- name: Allow 'sudo' group to have passwordless sudo
+  lineinfile:
+    dest: /etc/sudoers
+    state: present
+    regexp: '^%sudo	ALL=(ALL:ALL) ALL'
+    line: '%sudo ALL=(ALL:ALL) NOPASSWD: ALL'
+    validate: visudo -cf %s
+
+- name: ssh hardening
+  include_role:
+    name: devsec.hardening.ssh_hardening
+  vars:
+    ssh_allow_users: "{{ ubuntu_nextcloud_user }}"
+    ssh_max_auth_retries: 5
+    # mozilla ssh_scan: Modern - with just ETM (encrypt-then-mac) macs
+    # https://github.com/mozilla/ssh_scan/blob/master/config/policies/just_etm_macs.yaml
+    ssh_kex:
+      - curve25519-sha256@libssh.org
+      - diffie-hellman-group-exchange-sha256
+      - ecdh-sha2-nistp521
+      - ecdh-sha2-nistp384
+      - ecdh-sha2-nistp256
+    ssh_macs:
+      - hmac-sha2-512-etm@openssh.com
+      - hmac-sha2-256-etm@openssh.com
+      - umac-128-etm@openssh.com
+    ssh_ciphers:
+      - chacha20-poly1305@openssh.com
+      - aes256-gcm@openssh.com
+      - aes128-gcm@openssh.com
+      - aes256-ctr
+      - aes192-ctr
+      - aes128-ctr

roles/nextcloud/tasks/03-mariadb.yml

@@ -0,0 +1,62 @@
+- name: init root user
+  command: >
+    sudo mysql -uroot -e "
+    UPDATE mysql.user SET plugin='mysql_native_password';
+    SET PASSWORD FOR root@localhost = PASSWORD('{{ mariadb_root_password }}');
+    FLUSH PRIVILEGES;"
+
+- name: root save my.cnf
+  ini_file:
+    owner: root
+    path: "/root/.my.cnf"
+    section: client
+    option: "{{ item.option }}"
+    value: "{{ item.value }}"
+    mode: '0600'
+  with_items:
+    - option: user
+      value: root
+    - option: password
+      value: "{{ mariadb_root_password }}"
+
+- include_role:
+    name: devsec.hardening.mysql_hardening
+  vars:
+    mysql_root_password: "{{ mariadb_root_password }}"
+
+- name: save my.cnf
+  ini_file:
+    owner: "{{ ubuntu_nextcloud_user }}"
+    path: "/home/{{ ubuntu_nextcloud_user }}/.my.cnf"
+    section: client
+    option: "{{ item.option }}"
+    value: "{{ item.value }}"
+    mode: '0600'
+  with_items:
+    - option: user
+      value: "{{ nextcloud_db_user }}"
+    - option: password
+      value: "{{ nextcloud_db_password }}"
+
+- name: create nextcloud db
+  community.mysql.mysql_db:
+    name: nextcloud
+    encoding: utf8mb4
+    collation: utf8mb4_general_ci
+    state: present
+
+- name: add nextcloud mysql user
+  community.mysql.mysql_user:
+    name: nextcloud
+    password: "{{ nextcloud_db_password }}"
+    priv: 'nextcloud.*:ALL'
+    state: present
+
+- name: mariadb settings
+  lineinfile:
+    name: /etc/mysql/mariadb.conf.d/50-server.cnf
+    insertafter: '^\[mysqld]'
+    line: "{{ item }}"
+  with_items:
+    - innodb_buffer_pool_size = "{{ innodb_buffer_pool_size }}"
+    - max_allowed_packet = 64M

roles/nextcloud/tasks/04-php.yml

@@ -0,0 +1,77 @@
+- name: setup php-fpm
+  notify:
+    - restart php-fpm
+  lineinfile:
+    dest: /etc/php/7.4/fpm/pool.d/www.conf
+    state: present
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+  with_items:
+    - regexp: ;env[HOSTNAME] = $HOSTNAME
+      line: env[HOSTNAME] = $HOSTNAME
+    - regexp: ;env[PATH] = /usr/local/bin:/usr/bin:/bin
+      line: env[PATH] = /usr/local/bin:/usr/bin:/bin
+    - regexp: ;env[TMP] = /tmp
+      line: env[TMP] = /tmp
+    - regexp: ;env[TMPDIR] = /tmp
+      line: env[TMPDIR] = /tmp
+    - regexp: ;env[TEMP] = /tmp
+      line: env[TEMP] = /tmp
+    - regexp: pm.max_children.*
+      line: pm.max_children = "{{ php_fpm.max_children }}"
+    - regexp: pm.start_servers.*
+      line: pm.start_servers = "{{ php_fpm.start_servers }}"
+    - regexp: pm.min_spare_servers.*
+      line: pm.min_spare_servers = "{{ php_fpm.min_spare_servers }}"
+    - regexp: pm.max_spare_servers.*
+      line: pm.max_spare_servers = "{{ php_fpm.max_spare_servers }}"
+
+- name: setup php
+  notify:
+    - restart php-fpm
+  lineinfile:
+    dest: /etc/php/7.4/fpm/php.ini
+    state: present
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+  with_items:
+    - regexp: ;cgi.fix_pathinfo=1
+      line: cgi.fix_pathinfo=0
+    - regexp: memory_limit = 128M
+      line: memory_limit = 1G
+    - regexp: ;opcache.enable=1
+      line: opcache.enable=1
+    - regexp: ;opcache.enable_cli=0
+      line: opcache.enable_cli=1
+    - regexp: ;opcache.memory_consumption=128
+      line: opcache.memory_consumption=128
+    - regexp: ;opcache.interned_strings_buffer=8
+      line: opcache.interned_strings_buffer="{{ opcache.interned_strings_buffer }}"
+    - regexp: ;opcache.max_accelerated_files=10000
+      line: opcache.max_accelerated_files=10000
+    - regexp: ;opcache.revalidate_freq=2
+      line: opcache.revalidate_freq=60
+    - regexp: ;opcache.save_comments=1
+      line: opcache.save_comments=1
+
+- name: setup php cli
+  notify:
+    - restart php-fpm
+  lineinfile:
+    dest: /etc/php/7.4/cli/php.ini
+    state: present
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+  with_items:
+    - regexp: ;cgi.fix_pathinfo=1
+      line: cgi.fix_pathinfo=0
+    - regexp: max_execution_time = 30
+      line: max_execution_time = 300
+
+- name: setup php cli apc
+  notify:
+    - restart php-fpm
+  lineinfile:
+    dest: /etc/php/7.4/cli/php.ini
+    state: present
+    line: apc.enable_cli=1

roles/nextcloud/tasks/05-caddy.yml

@@ -0,0 +1,29 @@
+- name: Install caddy from github releases
+  apt:
+    deb: "https://github.com/caddyserver/caddy/releases/download/v{{ caddy_version }}/caddy_{{ caddy_version }}_linux_amd64.deb"
+
+- name: change caddy user to www-data
+  lineinfile:
+    dest: /lib/systemd/system/caddy.service
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+  with_items:
+    - regexp: User=.*
+      line: User=www-data
+    - regexp: Group=.*
+      line: Group=www-data
+
+- name: create www/.local directory for caddy
+  ansible.builtin.file:
+    path: /var/www/.local
+    state: directory
+    owner: www-data
+    group: www-data
+    mode: '0755'
+
+- name: caddy config
+  template:
+    dest: /etc/caddy/Caddyfile
+    src: caddyfile.j2
+  notify:
+    - restart caddy