353 lines
11 KiB
YAML
353 lines
11 KiB
YAML
- name: Voeg lokale host toe aan nextcloud groep
|
||
hosts: localhost
|
||
gather_facts: yes
|
||
tasks:
|
||
- name: Haal IP-adres op van huidige server
|
||
debug:
|
||
var: ansible_default_ipv4.address
|
||
|
||
- name: Voeg IP-adres toe aan 'nextcloud' groep
|
||
add_host:
|
||
name: "{{ ansible_default_ipv4.address }}"
|
||
groups: nextcloud
|
||
ansible_user: "{{ ansible_user }}"
|
||
|
||
- name: Volledige Nextcloud-installatie met veilige Apache + Let's Encrypt
|
||
hosts: nextcloud
|
||
become: true
|
||
vars:
|
||
ansible_python_interpreter: /usr/bin/python3
|
||
|
||
tasks:
|
||
- name: Voeg ondubbelzinnig de laatste stabiele PHP PPA toe (voor recentste versies)
|
||
apt_repository:
|
||
repo: ppa:ondrej/php
|
||
state: present
|
||
update_cache: yes
|
||
|
||
- name: Installeer benodigde pakketten
|
||
apt:
|
||
name:
|
||
- apache2
|
||
- mariadb-server
|
||
- php
|
||
- php-mysql
|
||
- php-xml
|
||
- php-mbstring
|
||
- php-curl
|
||
- php-gd
|
||
- php-zip
|
||
- php-intl
|
||
- php-bcmath
|
||
- php-gmp
|
||
- libapache2-mod-php
|
||
- unzip
|
||
- wget
|
||
- curl
|
||
- certbot
|
||
- python3-certbot-apache
|
||
- python3-pymysql
|
||
state: present
|
||
update_cache: yes
|
||
|
||
- name: Detecteer actieve PHP-versie
|
||
shell: php -r 'echo PHP_MAJOR_VERSION.".".PHP_MINOR_VERSION;'
|
||
register: detected_php_version
|
||
retries: 5
|
||
delay: 3
|
||
until: detected_php_version.rc == 0
|
||
changed_when: false
|
||
|
||
- name: Zet gedetecteerde PHP-versie als fact
|
||
set_fact:
|
||
php_version: "{{ detected_php_version.stdout }}"
|
||
|
||
- name: Verhoog PHP-geheugenlimiet naar 512 MB
|
||
lineinfile:
|
||
path: "/etc/php/{{ php_version }}/apache2/php.ini"
|
||
regexp: '^memory_limit\s*='
|
||
line: 'memory_limit = 512M'
|
||
backup: yes
|
||
|
||
- name: Verhoog OPcache interned_strings_buffer naar aanbevolen waarde
|
||
lineinfile:
|
||
path: "/etc/php/{{ php_version }}/apache2/php.ini"
|
||
regexp: '^opcache\.interned_strings_buffer\s*='
|
||
line: 'opcache.interned_strings_buffer = 16'
|
||
insertafter: EOF
|
||
backup: yes
|
||
|
||
- name: Start Apache en MariaDB
|
||
systemd:
|
||
name: "{{ item }}"
|
||
enabled: true
|
||
state: started
|
||
loop:
|
||
- apache2
|
||
- mariadb
|
||
|
||
- name: Maak databasebeheerder aan
|
||
mysql_user:
|
||
name: "{{ db_admin_user }}"
|
||
password: "{{ db_admin_password }}"
|
||
priv: "*.*:ALL,GRANT"
|
||
host: localhost
|
||
state: present
|
||
login_unix_socket: /var/run/mysqld/mysqld.sock
|
||
|
||
- name: Maak Nextcloud database aan
|
||
mysql_db:
|
||
name: "{{ nextcloud_db }}"
|
||
state: present
|
||
login_user: "{{ db_admin_user }}"
|
||
login_password: "{{ db_admin_password }}"
|
||
login_host: localhost
|
||
|
||
- name: Maak Nextcloud databasegebruiker aan
|
||
mysql_user:
|
||
name: "{{ nextcloud_db_user }}"
|
||
password: "{{ nextcloud_db_password }}"
|
||
priv: "{{ nextcloud_db }}.*:ALL"
|
||
host: localhost
|
||
state: present
|
||
login_user: "{{ db_admin_user }}"
|
||
login_password: "{{ db_admin_password }}"
|
||
login_host: localhost
|
||
|
||
- name: Download Nextcloud
|
||
get_url:
|
||
url: https://download.nextcloud.com/server/releases/latest.zip
|
||
dest: /tmp/nextcloud.zip
|
||
|
||
- name: Pak Nextcloud uit
|
||
unarchive:
|
||
src: /tmp/nextcloud.zip
|
||
dest: /var/www/
|
||
remote_src: yes
|
||
creates: /var/www/nextcloud
|
||
|
||
- name: Zet juiste rechten
|
||
file:
|
||
path: /var/www/nextcloud
|
||
owner: www-data
|
||
group: www-data
|
||
recurse: yes
|
||
|
||
- name: Voeg globale ServerName toe aan apache2.conf
|
||
lineinfile:
|
||
path: /etc/apache2/apache2.conf
|
||
line: "ServerName {{ nextcloud_domain }}"
|
||
insertafter: BOF
|
||
|
||
- name: Maak Apache HTTP VirtualHost (geen SSL vooraf)
|
||
copy:
|
||
dest: /etc/apache2/sites-available/nextcloud.conf
|
||
content: |
|
||
<VirtualHost *:80>
|
||
ServerName {{ nextcloud_domain }}
|
||
DocumentRoot /var/www/nextcloud
|
||
|
||
<Directory /var/www/nextcloud>
|
||
Require all granted
|
||
AllowOverride All
|
||
Options FollowSymLinks MultiViews
|
||
</Directory>
|
||
</VirtualHost>
|
||
|
||
- name: Activeer Apache-modules
|
||
shell: a2enmod rewrite headers env dir mime
|
||
register: apache_mods
|
||
changed_when: "'enabled' in apache_mods.stdout"
|
||
|
||
- name: Activeer Apache-site nextcloud
|
||
shell: a2ensite nextcloud
|
||
register: site_enabled
|
||
changed_when: "'enabled' in site_enabled.stdout"
|
||
|
||
- name: Deactiveer Apache default-site
|
||
shell: a2dissite 000-default
|
||
register: default_disabled
|
||
changed_when: "'disabled' in default_disabled.stdout"
|
||
|
||
- name: Valideer Apache-configuratie (negeer waarschuwingen)
|
||
shell: apache2ctl configtest 2>&1
|
||
register: apache_config
|
||
failed_when: apache_config.rc != 0 or ('Syntax OK' not in apache_config.stdout and 'Syntax OK' not in apache_config.stderr)
|
||
changed_when: false
|
||
|
||
- name: Herstart Apache
|
||
systemd:
|
||
name: apache2
|
||
state: restarted
|
||
|
||
- name: Vraag Let's Encrypt-certificaat aan (voegt automatisch HTTPS toe)
|
||
command: >
|
||
certbot --apache --non-interactive --agree-tos
|
||
--redirect
|
||
-m admin@{{ nextcloud_domain }}
|
||
-d {{ nextcloud_domain }}
|
||
args:
|
||
creates: /etc/letsencrypt/live/{{ nextcloud_domain }}/fullchain.pem
|
||
|
||
- name: Voeg Strict-Transport-Security header toe voor HSTS
|
||
blockinfile:
|
||
path: "/etc/apache2/sites-available/nextcloud-le-ssl.conf"
|
||
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR HSTS"
|
||
block: |
|
||
<IfModule mod_headers.c>
|
||
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
|
||
</IfModule>
|
||
notify: Herstart Apache
|
||
|
||
- name: Installeer Nextcloud via OCC
|
||
shell: >
|
||
sudo -u www-data php /var/www/nextcloud/occ maintenance:install
|
||
--database "mysql"
|
||
--database-name "{{ nextcloud_db }}"
|
||
--database-user "{{ nextcloud_db_user }}"
|
||
--database-pass "{{ nextcloud_db_password }}"
|
||
--admin-user "{{ nextcloud_admin_user }}"
|
||
--admin-pass "{{ nextcloud_admin_password }}"
|
||
args:
|
||
creates: /var/www/nextcloud/config/config.php
|
||
chdir: /var/www/nextcloud
|
||
|
||
- name: Voeg domein toe aan trusted_domains
|
||
shell: >
|
||
sudo -u www-data php /var/www/nextcloud/occ config:system:set trusted_domains 1
|
||
--value="{{ nextcloud_domain }}"
|
||
args:
|
||
chdir: /var/www/nextcloud
|
||
|
||
- name: Voer mimetype migraties uit via occ
|
||
shell: sudo -u www-data php /var/www/nextcloud/occ maintenance:repair --include-expensive
|
||
args:
|
||
chdir: /var/www/nextcloud
|
||
|
||
- name: Stel Nextcloud in om cron als achtergrondproces te gebruiken
|
||
shell: sudo -u www-data php /var/www/nextcloud/occ background:cron
|
||
args:
|
||
chdir: /var/www/nextcloud
|
||
|
||
- name: Voeg cronjob toe voor Nextcloud background jobs (elke 5 minuten)
|
||
cron:
|
||
name: "Nextcloud background jobs"
|
||
user: www-data
|
||
minute: "*/5"
|
||
job: "php -f /var/www/nextcloud/cron.php"
|
||
|
||
- name: Voeg cronjob toe voor Nextcloud logrotatie (dagelijks)
|
||
cron:
|
||
name: "Nextcloud logrotate"
|
||
user: www-data
|
||
minute: "0"
|
||
hour: "2"
|
||
job: "php /var/www/nextcloud/occ log:manage --shrink --days=14"
|
||
cron_file: nextcloud_logrotate
|
||
|
||
- name: Voeg cronjob toe voor OCC onderhoud (elke zondag)
|
||
cron:
|
||
name: "Nextcloud DB onderhoud (repair + files:scan-app-data)"
|
||
user: www-data
|
||
minute: "30"
|
||
hour: "3"
|
||
weekday: "0"
|
||
job: "php /var/www/nextcloud/occ maintenance:repair && php /var/www/nextcloud/occ files:scan-app-data"
|
||
cron_file: nextcloud_maintenance
|
||
|
||
- name: Voeg cronjob toe voor mimetype repair (1× per week)
|
||
cron:
|
||
name: "Nextcloud mimetype repair"
|
||
user: www-data
|
||
minute: "0"
|
||
hour: "4"
|
||
weekday: "0"
|
||
job: "php /var/www/nextcloud/occ maintenance:repair --include-expensive"
|
||
cron_file: nextcloud_mimetype_repair
|
||
|
||
- name: Stel onderhoudsvenster in op 03:00 (Nextcloud background tasks)
|
||
shell: >
|
||
sudo -u www-data php /var/www/nextcloud/occ config:system:set maintenance_window_start --value="3"
|
||
args:
|
||
chdir: /var/www/nextcloud
|
||
|
||
- name: Stel standaard telefoonregio in (bijv. NL)
|
||
shell: >
|
||
sudo -u www-data php /var/www/nextcloud/occ config:system:set default_phone_region --value="NL"
|
||
args:
|
||
chdir: /var/www/nextcloud
|
||
|
||
- name: Controleer of het php.ini-bestand bestaat
|
||
stat:
|
||
path: "/etc/php/{{ php_version }}/apache2/php.ini"
|
||
register: php_ini_stat
|
||
|
||
- name: Maak php.ini aan als het nog niet bestaat
|
||
copy:
|
||
dest: "/etc/php/{{ php_version }}/apache2/php.ini"
|
||
content: ""
|
||
when: not php_ini_stat.stat.exists
|
||
|
||
- name: Installeer php{{ php_version }}-apcu voor memcache
|
||
apt:
|
||
name: "php{{ php_version }}-apcu"
|
||
state: present
|
||
update_cache: yes
|
||
notify: Herstart Apache
|
||
|
||
- name: Installeer php{{ php_version }}-redis
|
||
apt:
|
||
name:
|
||
- "php{{ php_version }}-redis"
|
||
state: present
|
||
update_cache: yes
|
||
notify: Herstart Apache
|
||
|
||
- name: Installeer Redis-server
|
||
apt:
|
||
name: redis-server
|
||
state: present
|
||
update_cache: yes
|
||
notify: Herstart Redis
|
||
|
||
- name: Installeer php-imagick extensie
|
||
apt:
|
||
name: php-imagick
|
||
state: present
|
||
update_cache: yes
|
||
notify: Herstart Apache
|
||
|
||
- name: Installeer ImageMagick en SVG-ondersteuning
|
||
apt:
|
||
name:
|
||
- imagemagick
|
||
- librsvg2-2
|
||
- librsvg2-bin
|
||
state: present
|
||
update_cache: yes
|
||
notify: Herstart Apache
|
||
|
||
- name: Stel memcache in (APCu) voor Nextcloud
|
||
shell: >
|
||
sudo -u www-data php /var/www/nextcloud/occ config:system:set memcache.local --value="\\OC\\Memcache\\APCu" --type=string
|
||
args:
|
||
chdir: /var/www/nextcloud
|
||
|
||
- name: Stel memcache locking in (Redis) voor Nextcloud
|
||
shell: >
|
||
sudo -u www-data php /var/www/nextcloud/occ config:system:set memcache.locking --value="\\OC\\Memcache\\Redis" --type=string
|
||
args:
|
||
chdir: /var/www/nextcloud
|
||
|
||
handlers:
|
||
- name: Herstart Apache
|
||
systemd:
|
||
name: apache2
|
||
state: restarted
|
||
|
||
- name: Herstart Redis
|
||
systemd:
|
||
name: redis-server
|
||
enabled: true
|
||
state: restarted
|