diff --git a/CHANGELOG.md b/CHANGELOG.md index 054588bb..2b02be71 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -68,6 +68,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Changed +* **role:nextcloud**: Lay the groundwork for non-RHEL platforms (Debian/Ubuntu) by removing hardcoded RHEL-specific names from the role logic, sourcing each OS-specific value through the mechanism that fits its scope. The web server user/group (previously the hardcoded `apache`) now come directly from the LFOps-wide shared values `__shared__apache_httpd_user`/`__shared__apache_httpd_group` (apache on RedHat, www-data on Debian, wwwrun/www on Suse) throughout the tasks, templates and systemd units, rather than through a redundant role-local variable. The base package list (previously the RHEL names `openldap-clients`/`samba-client`) is sourced from the role-local `vars/RedHat.yml` via `shared/platform-variables.yml`, while the PHP-FPM service name (`nextcloud__php_fpm_service_name`) now defaults to the `php` role's own `php__fpm_service_name` instead of a duplicated role-local value, so the Debian `php-fpm` naming comes for free. The PHP module list consumed by the earlier-running `php` role (`nextcloud__php__modules__dependent_var`) is now an OS-keyed dict in `vars/main.yml` selected with the `linuxfabrik.lfops.platform_select` filter, since `vars/.yml` loads too late for that cross-role `__dependent_var` hand-off. These variables are now used throughout the tasks, the deployed systemd services and the notify_push unit (not just the `/usr/local/bin/nextcloud-update` script). The SELinux `restorecon` tasks are now guarded by `ansible_facts["selinux"]["status"] != "disabled"`, and the SELinux blocks in the update script use `ansible_facts["os_family"]` instead of `ansible_os_family`. Only RHEL package names ship so far, so the role still runs on RHEL only (see `COMPATIBILITY.md`); adding a tested `vars/Debian.yml` plus the matching `platform_select` keys is all that is needed to extend support. 
* **role:nextcloud**: Automatic app updates are now enabled by default (`nextcloud__timer_app_update_enabled`). The scheduled app update only switches Nextcloud into maintenance mode when an app update is actually pending, so an instance that is already up to date keeps serving requests without interruption. After updating, the recommended database migrations are applied automatically. A failed run no longer leaves the instance stuck in maintenance mode. * **role:clamav**: Now runs on Debian and Ubuntu in addition to Red Hat-family systems, and works on RHEL 10. The role seeds the signature database on first install so the scanner starts reliably, and runs an EICAR self-test (also available on its own via the `clamav:test` tag) that confirms detection actually works. * **role:sshd**: Ship hardened SSH defaults: X11 forwarding, agent forwarding and TCP keepalives are now off, `MaxAuthTries` is `3`, `ClientAliveCountMax` is `2`, and the log level is `VERBOSE`. All are overridable via the new `sshd__allow_agent_forwarding`, `sshd__allow_tcp_forwarding`, `sshd__client_alive_count_max`, `sshd__max_auth_tries`, `sshd__max_sessions`, `sshd__tcp_keep_alive` and `sshd__x11_forwarding` variables. Note: a client offering more than three keys from its SSH agent can be rejected by `MaxAuthTries 3`; use an explicit identity on the client or raise `sshd__max_auth_tries`. 
@@ -145,6 +146,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Fixed +* **role:nextcloud**: The `nextcloud-ldap-show-remnants` script no longer aborts the `nextcloud:cron` deploy with `'setup_basic__skip_mailto_root' is undefined` when the role runs outside the `setup_basic` playbook (e.g. via `--tags nextcloud:cron` in `setup_nextcloud`). The report recipients now come from the new role variable `nextcloud__mailto_root__to` (defaulting to the global `mailto_root__to`); the report is mailed when recipients are set and printed to stdout otherwise. * **role:php**: php-fpm workers now run with a defined `PATH`. Previously the worker environment was cleared, leaving `getenv("PATH")` empty, which broke PHP code that shells out to system binaries and tripped Nextcloud's "PHP getenv" setup warning. * **role:redis**: The Redis configuration file is no longer world-readable. It is now deployed as `root:redis` with mode `0640`, so its contents (e.g. a configured password) can no longer be read by other local users. * **role:acme_sh**: No longer reinstalls every certificate and reloads the web server on every run. Certificates are only reinstalled when they were just (re)issued or when the installed file is missing, so repeated runs are idempotent. diff --git a/roles/nextcloud/README.md b/roles/nextcloud/README.md index f0c33495..957cb2dd 100644 --- a/roles/nextcloud/README.md +++ b/roles/nextcloud/README.md 
@@ -14,7 +14,7 @@ After installing Nextcloud, head over to your http(s)://nextcloud/index.php/sett ## How the Role Behaves -* App updates are applied automatically by the `nextcloud-app-update.timer` (disabled by default, enable via `nextcloud__timer_app_update_enabled`). The timer runs `/usr/local/bin/nextcloud-app-update`, which first checks whether any app update is pending. Nextcloud is switched into maintenance mode only when there is something to update; when everything is up to date the instance keeps serving requests untouched. After updating, the recommended database migrations (`db:add-missing-indices`, `db:add-missing-columns`, `db:add-missing-primary-keys`) are applied. A failed run leaves maintenance mode disabled again, so the instance does not stay offline, and reports the failure to systemd. +* App updates are applied automatically by the `nextcloud-app-update.timer` (enabled by default, disable via `nextcloud__timer_app_update_enabled`). The timer runs `/usr/local/bin/nextcloud-app-update`, which first checks whether any app update is pending. Nextcloud is switched into maintenance mode only when there is something to update; when everything is up to date the instance keeps serving requests untouched. After updating, the recommended database migrations (`db:add-missing-indices`, `db:add-missing-columns`, `db:add-missing-primary-keys`) are applied. A failed run leaves maintenance mode disabled again, so the instance does not stay offline, and reports the failure to systemd. * This automatic update covers app updates only. Updating the Nextcloud server itself is a separate, manual step via `/usr/local/bin/nextcloud-update`. 
@@ -219,6 +219,12 @@ nextcloud__users: * Type: String. * Default: `'{{ ansible_facts["nodename"] }}'` +`nextcloud__mailto_root__to` + +* Recipients of the monthly `ldap:show-remnants` report (users removed from LDAP that still have remnants in Nextcloud) sent by `/usr/local/bin/nextcloud-ldap-show-remnants`. Defaults to the global `mailto_root__to`; when empty the report is printed to stdout instead of being mailed. +* Type: List. +* Default: `'{{ mailto_root__to | d([]) }}'` + `nextcloud__mariadb_login` * The user account for the database administrator. The Nextcloud setup will create its own database account. @@ -243,6 +249,12 @@ nextcloud__users: * Type: String. * Default: `'*:50:15'` +`nextcloud__php_fpm_service_name` + +* Name of the PHP-FPM systemd service that the role restarts (and that the `/usr/local/bin/nextcloud-update` script restarts). Defaults to the `php` role's `php__fpm_service_name` (`php-fpm` on RHEL, `php-fpm` on Debian). +* Type: String. +* Default: `{{ php__fpm_service_name }}` + `nextcloud__skip_apps` * Completely skips the management of Nextcloud apps. Set this to prevent changes via the WebGUI from being overwritten. diff --git a/roles/nextcloud/defaults/main.yml b/roles/nextcloud/defaults/main.yml index 5dca7306..b58f94b2 100644 --- a/roles/nextcloud/defaults/main.yml +++ b/roles/nextcloud/defaults/main.yml 
@@ -172,11 +172,16 @@ nextcloud__icinga2_api_url: 'https://{{ icinga2_agent__icinga2_master_host | d(" nextcloud__icinga2_api_user_login: '{{ system_update__icinga2_api_user_login }}' nextcloud__icinga2_hostname: '{{ ansible_facts["nodename"] }}' +nextcloud__mailto_root__to: '{{ mailto_root__to | d([]) }}' + nextcloud__mariadb_login: '{{ mariadb_server__admin_user }}' nextcloud__on_calendar_app_update: '06,18,23:{{ 59 | random(seed=inventory_hostname) }}' nextcloud__on_calendar_jobs: '*:0/5' # every 5 minutes nextcloud__on_calendar_scan_files: '*:50:15' # every hour at hh:50:15 + +nextcloud__php_fpm_service_name: '{{ php__fpm_service_name }}' + nextcloud__skip_apps: false nextcloud__skip_notify_push: false 
@@ -471,41 +476,11 @@ nextcloud__php__ini_memory_limit__dependent_var: '1024M' nextcloud__php__ini_opcache_interned_strings_buffer__dependent_var: '20' nextcloud__php__ini_post_max_size__dependent_var: '16M' nextcloud__php__ini_upload_max_filesize__dependent_var: '10000M' -nextcloud__php__modules__dependent_var: - - name: 'php-bcmath' - state: 'present' - - name: 'php-gd' - state: 'present' - - name: 'php-gmp' - state: 'present' - - name: 'php-imap' - state: 'present' - - name: 'php-imagick' - state: 'present' - - name: 'php-intl' - state: 'present' - - name: 'php-json' - state: 'present' - - name: 'php-ldap' - state: 'present' - - name: 'php-mbstring' - state: 'present' - - name: 'php-memcached' - state: 'present' - - name: 'php-mysqlnd' - state: 'present' - - name: 'php-opcache' - state: 'present' - - name: 'php-pecl-apcu' - state: 'present' - - name: 'php-process' # posix module for oc - state: 'present' - - name: 'php-redis' - state: 'present' - - name: 'php-smbclient' - state: 'present' - - name: 'php-zip' - state: 'present' +# OS-specific package names live in vars/main.yml (see platform_select). The php role runs earlier in the play and consumes this via the __dependent_var pattern. +nextcloud__php__modules__dependent_var: '{{ + __nextcloud__php__modules__dependent_var + | linuxfabrik.lfops.platform_select(ansible_facts) + }}' nextcloud__selinux__booleans__dependent_var: - key: 'httpd_can_network_connect' @@ -546,6 +521,6 @@ nextcloud__systemd_unit__services__dependent_var: Environment=PORT=7867 ExecStartPre=-/bin/chcon --type bin_t /var/www/html/nextcloud/apps/notify_push/bin/x86_64/notify_push ExecStart=/var/www/html/nextcloud/apps/notify_push/bin/x86_64/notify_push /var/www/html/nextcloud/config/config.php - User=apache + User={{ __shared__apache_httpd_user }} enabled: true state: 'present' diff --git a/roles/nextcloud/meta/argument_specs.yml b/roles/nextcloud/meta/argument_specs.yml index 0e116345..e9524855 100644 
--- a/roles/nextcloud/meta/argument_specs.yml +++ b/roles/nextcloud/meta/argument_specs.yml @@ -15,6 +15,7 @@ # * nextcloud__icinga2_api_user_login -> '{{ system_update__icinga2_api_user_login }}' # * nextcloud__icinga2_hostname -> '{{ ansible_facts["nodename"] }}' # * nextcloud__mariadb_login -> '{{ mariadb_server__admin_user }}' +# * nextcloud__php_fpm_service_name -> '{{ php__fpm_service_name }}' argument_specs: main: options: @@ -89,6 +90,12 @@ argument_specs: required: false description: 'The URL of the Icinga2 API used to set a downtime during a server update.' + nextcloud__mailto_root__to: + type: 'list' + elements: 'str' + required: false + description: 'Recipients of the ldap-show-remnants report. Defaults to the global mailto_root__to; empty means stdout only.' + nextcloud__on_calendar_app_update: type: 'str' required: false diff --git a/roles/nextcloud/tasks/create-user.yml b/roles/nextcloud/tasks/create-user.yml index c6cfb78f..a0f288a6 100644 --- a/roles/nextcloud/tasks/create-user.yml +++ b/roles/nextcloud/tasks/create-user.yml @@ -1,7 +1,7 @@ - name: 'Create Nextcloud user {{ ncuser["username"] }}' ansible.builtin.shell: >- export OC_PASS={{ ncuser["password"] | quote }}; - sudo -E -u apache php occ user:add + sudo -E -u {{ __shared__apache_httpd_user }} php occ user:add --password-from-env --group {{ ncuser["group"] | d('""') | quote }} {{ ncuser["username"] | quote }} @@ -15,7 +15,7 @@ - name: 'Update Nextcloud settings for user {{ ncuser["username"] }}' ansible.builtin.command: | - sudo -u apache php occ user:setting {{ ncuser["username"] }} {{ item }} + sudo -u {{ __shared__apache_httpd_user }} php occ user:setting {{ ncuser["username"] }} {{ item }} args: chdir: '/var/www/html/nextcloud/' # changed_when: there is no easy way to check for changes diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml index 2c5e5f00..4bbecc78 100644 --- a/roles/nextcloud/tasks/main.yml +++ b/roles/nextcloud/tasks/main.yml 
@@ -1,12 +1,19 @@ - block: - - name: 'Install bzip2 jq openldap-clients samba-client' + - name: 'Set platform/version specific variables' + ansible.builtin.import_role: + name: 'shared' + tasks_from: 'platform-variables.yml' + + tags: + - 'always' + + +- block: + + - name: 'Install required packages' ansible.builtin.package: - name: - - 'bzip2' - - 'jq' - - 'openldap-clients' - - 'samba-client' + name: '{{ __nextcloud__required_packages }}' state: 'present' - name: 'wget https://download.nextcloud.com/server/releases/{{ nextcloud__version }}.tar.bz2' @@ -26,25 +33,25 @@ backup: true src: 'var/www/html/nextcloud/config/objectstore.config.php.j2' dest: '/var/www/html/nextcloud/config/objectstore.config.php' - owner: 'apache' - group: 'apache' + owner: '{{ __shared__apache_httpd_user }}' + group: '{{ __shared__apache_httpd_group }}' mode: 0o644 when: '(nextcloud__storage_backend_s3["bucket"] is defined and nextcloud__storage_backend_s3["bucket"] | length > 0) or (nextcloud__storage_backend_swift["bucket"] is defined and nextcloud__storage_backend_swift["bucket"] | length > 0)' - - name: 'chown -R apache:apache /var/www/html/nextcloud' + - name: 'chown -R {{ __shared__apache_httpd_user }}:{{ __shared__apache_httpd_group }} /var/www/html/nextcloud' ansible.builtin.file: path: '/var/www/html/nextcloud' - owner: 'apache' - group: 'apache' + owner: '{{ __shared__apache_httpd_user }}' + group: '{{ __shared__apache_httpd_group }}' recurse: true - - name: 'mkdir path/to/data; chown -R apache:apache path/to/data; chmod 0750 -R path/to/data' + - name: 'mkdir path/to/data; chown -R {{ __shared__apache_httpd_user }}:{{ __shared__apache_httpd_group }} path/to/data; chmod 0750 -R path/to/data' ansible.builtin.file: path: '{{ item }}' state: 'directory' - owner: 'apache' - group: 'apache' + owner: '{{ __shared__apache_httpd_user }}' + group: '{{ __shared__apache_httpd_group }}' mode: 0o750 loop: - '/data' 
@@ -59,6 +66,8 @@ ansible.builtin.command: 'restorecon -Fvr /data /var/www/html/nextcloud' register: 'nextcloud__restorecon_nextcloud_result' changed_when: 'nextcloud__restorecon_nextcloud_result["stdout"] | length > 0' + when: + - 'ansible_facts["selinux"]["status"] != "disabled"' - name: 'Run the Nextcloud installer' # installation hangs without "--admin-user" and "--admin-pass" @@ -76,7 +85,7 @@ chdir: '/var/www/html/nextcloud/' creates: '/var/www/html/nextcloud/config/config.php' become: true - become_user: 'apache' + become_user: '{{ __shared__apache_httpd_user }}' - name: 'Convert some database columns to big int' ansible.builtin.command: | @@ -84,7 +93,7 @@ args: chdir: '/var/www/html/nextcloud/' become: true - become_user: 'apache' + become_user: '{{ __shared__apache_httpd_user }}' register: 'nextcloud__convert_filecache_bigint_result' changed_when: '"All tables already up to date" not in nextcloud__convert_filecache_bigint_result["stdout"]' # changed_when: there is no easy way to check for changes @@ -98,7 +107,7 @@ - name: 'Get Nextcloud config list' ansible.builtin.command: 'php /var/www/html/nextcloud/occ --no-interaction --output=json config:list --private' become: true - become_user: 'apache' + become_user: '{{ __shared__apache_httpd_user }}' changed_when: false check_mode: false register: '__nextcloud__config_list_result' @@ -111,14 +120,14 @@ state: '{{ item["state"] | d("present") }}' installed_config_json: '{{ __nextcloud__config_list_result["stdout"] | from_json }}' become: true - become_user: 'apache' + become_user: '{{ __shared__apache_httpd_user }}' loop: '{{ nextcloud__sysconfig__combined_var }}' # do this straight after the installation to get NC up and running # otherwise subsequent occ commands might fail - - name: 'restart php-fpm' + - name: 'restart {{ nextcloud__php_fpm_service_name }}' ansible.builtin.service: - name: 'php-fpm' + name: '{{ nextcloud__php_fpm_service_name }}' state: 'restarted' tags: 
@@ -131,7 +140,7 @@ - name: 'Get Nextcloud app list' ansible.builtin.command: 'php /var/www/html/nextcloud/occ --no-interaction --output=json app:list' become: true - become_user: 'apache' + become_user: '{{ __shared__apache_httpd_user }}' changed_when: false check_mode: false register: '__nextcloud__app_list_result' @@ -143,13 +152,13 @@ force: '{{ item["force"] | d(false) }}' installed_apps_json: '{{ __nextcloud__app_list_result["stdout"] | from_json }}' become: true - become_user: 'apache' + become_user: '{{ __shared__apache_httpd_user }}' loop: '{{ nextcloud__apps__combined_var }}' - name: 'Get Nextcloud config list' ansible.builtin.command: 'php /var/www/html/nextcloud/occ --no-interaction --output=json config:list --private' become: true - become_user: 'apache' + become_user: '{{ __shared__apache_httpd_user }}' changed_when: false check_mode: false register: '__nextcloud__config_list_result' @@ -163,12 +172,12 @@ state: '{{ item["state"] | d("present") }}' installed_config_json: '{{ __nextcloud__config_list_result["stdout"] | from_json }}' become: true - become_user: 'apache' + become_user: '{{ __shared__apache_httpd_user }}' loop: '{{ nextcloud__app_configs__combined_var }}' - - name: 'restart php-fpm' + - name: 'restart {{ nextcloud__php_fpm_service_name }}' ansible.builtin.service: - name: 'php-fpm' + name: '{{ nextcloud__php_fpm_service_name }}' state: 'restarted' when: @@ -184,6 +193,8 @@ ansible.builtin.command: 'restorecon -Fvr /var/www/html/nextcloud/apps/notify_push/' register: 'nextcloud__restorecon_notify_push_result' changed_when: 'nextcloud__restorecon_notify_push_result["stdout"] | length > 0' + when: + - 'ansible_facts["selinux"]["status"] != "disabled"' - name: 'systemctl restart notify_push.service' ansible.builtin.systemd_service: @@ -196,7 +207,7 @@ args: chdir: '/var/www/html/nextcloud/' become: true - become_user: 'apache' + become_user: '{{ __shared__apache_httpd_user }}' when: - 'not nextcloud__skip_notify_push' 
@@ -221,11 +232,11 @@ - block: - - name: 'chown -R apache:apache /var/www/html/nextcloud' + - name: 'chown -R {{ __shared__apache_httpd_user }}:{{ __shared__apache_httpd_group }} /var/www/html/nextcloud' ansible.builtin.file: path: '/var/www/html/nextcloud' - owner: 'apache' - group: 'apache' + owner: '{{ __shared__apache_httpd_user }}' + group: '{{ __shared__apache_httpd_group }}' recurse: true tags: @@ -260,7 +271,7 @@ args: chdir: '/var/www/html/nextcloud/' become: true - become_user: 'apache' + become_user: '{{ __shared__apache_httpd_user }}' # changed_when: there is no easy way to check for changes - name: 'Deploy /usr/local/bin/nextcloud-app-update' diff --git a/roles/nextcloud/templates/etc/systemd/system/nextcloud-app-update.service.j2 b/roles/nextcloud/templates/etc/systemd/system/nextcloud-app-update.service.j2 index 907f8b76..796c6eae 100644 --- a/roles/nextcloud/templates/etc/systemd/system/nextcloud-app-update.service.j2 +++ b/roles/nextcloud/templates/etc/systemd/system/nextcloud-app-update.service.j2 @@ -8,4 +8,4 @@ Description=Nextcloud App Update Service ExecStart=/usr/local/bin/nextcloud-app-update WorkingDirectory=/var/www/html/nextcloud Type=oneshot -User=apache +User={{ __shared__apache_httpd_user }} diff --git a/roles/nextcloud/templates/etc/systemd/system/nextcloud-jobs.service.j2 b/roles/nextcloud/templates/etc/systemd/system/nextcloud-jobs.service.j2 index 668db63b..15b2d477 100644 --- a/roles/nextcloud/templates/etc/systemd/system/nextcloud-jobs.service.j2 +++ b/roles/nextcloud/templates/etc/systemd/system/nextcloud-jobs.service.j2 @@ -1,5 +1,5 @@ # {{ ansible_managed }} -# 2023041802 +# 2026052001 [Unit] Description=Nextcloud Background Jobs Service @@ -7,6 +7,6 @@ Description=Nextcloud Background Jobs Service [Service] ExecStart=/usr/bin/php --file /var/www/html/nextcloud/cron.php Type=oneshot -User=apache +User={{ __shared__apache_httpd_user }} KillMode=process TimeoutStartSec=10m 
diff --git a/roles/nextcloud/templates/etc/systemd/system/nextcloud-ldap-show-remnants.service.j2 b/roles/nextcloud/templates/etc/systemd/system/nextcloud-ldap-show-remnants.service.j2 index 3e69a47d..4eb81d05 100644 --- a/roles/nextcloud/templates/etc/systemd/system/nextcloud-ldap-show-remnants.service.j2 +++ b/roles/nextcloud/templates/etc/systemd/system/nextcloud-ldap-show-remnants.service.j2 @@ -1,5 +1,5 @@ # {{ ansible_managed }} -# 2024062101 +# 2026052001 [Unit] Description=Nextcloud LDAP Show Remnants Service @@ -8,4 +8,4 @@ Description=Nextcloud LDAP Show Remnants Service # need the help of /bin/sh here, since systemd units don't understand pipes directly ExecStart=/usr/local/bin/nextcloud-ldap-show-remnants Type=oneshot -User=apache +User={{ __shared__apache_httpd_user }} diff --git a/roles/nextcloud/templates/etc/systemd/system/nextcloud-scan-files.service.j2 b/roles/nextcloud/templates/etc/systemd/system/nextcloud-scan-files.service.j2 index f5b66f9e..cc06b147 100644 --- a/roles/nextcloud/templates/etc/systemd/system/nextcloud-scan-files.service.j2 +++ b/roles/nextcloud/templates/etc/systemd/system/nextcloud-scan-files.service.j2 @@ -1,5 +1,5 @@ # {{ ansible_managed }} -# 2022110701 +# 2026052001 [Unit] Description=Nextcloud Scan Files Service @@ -8,4 +8,4 @@ Description=Nextcloud Scan Files Service ExecStart=/usr/bin/nice --adjustment 19 /usr/bin/php occ files:scan --all --unscanned WorkingDirectory=/var/www/html/nextcloud Type=oneshot -User=apache +User={{ __shared__apache_httpd_user }} diff --git a/roles/nextcloud/templates/usr/local/bin/nextcloud-ldap-show-remnants.j2 b/roles/nextcloud/templates/usr/local/bin/nextcloud-ldap-show-remnants.j2 index 0479167c..49f14258 100644 --- a/roles/nextcloud/templates/usr/local/bin/nextcloud-ldap-show-remnants.j2 +++ b/roles/nextcloud/templates/usr/local/bin/nextcloud-ldap-show-remnants.j2 
@@ -1,6 +1,6 @@ #!/usr/bin/env bash # {{ ansible_managed }} -# 2026042001 +# 2026060801 output=$(/usr/bin/php /var/www/html/nextcloud/occ ldap:show-remnants) if [ -z "$output" ]; then @@ -8,11 +8,10 @@ if [ -z "$output" ]; then exit 0 fi -{% if setup_basic__skip_mailto_root %} -echo "$output" -exit 0 +{% if nextcloud__mailto_root__to | length > 0 %} +# only mail the output if recipients are configured +echo "$output" | /usr/bin/mail -s "$(hostname --short) - Users not available on LDAP anymore, but have remnants in Nextcloud" {{ nextcloud__mailto_root__to | join(' ') }} {% else %} -# only send output if there is any -echo "$output" | /usr/bin/mail -s "$(hostname --short) - Users not available on LDAP anymore, but have remnants in Nextcloud" {{ mailto_root__to | join(' ') }} -exit 0 +echo "$output" {% endif %} +exit 0 diff --git a/roles/nextcloud/templates/usr/local/bin/nextcloud-update.j2 b/roles/nextcloud/templates/usr/local/bin/nextcloud-update.j2 index 953c6224..fd73932a 100644 --- a/roles/nextcloud/templates/usr/local/bin/nextcloud-update.j2 +++ b/roles/nextcloud/templates/usr/local/bin/nextcloud-update.j2 @@ -1,6 +1,6 @@ #!/usr/bin/env bash # {{ ansible_managed }} -# 2026051102 +# 2026052001 set -euo pipefail @@ -11,9 +11,9 @@ error_handler() { } trap 'error_handler "${LINENO}"' ERR -WEBSERVER_USER="apache" -WEBSERVER_GROUP="apache" -PHP_SERVICE_NAME="php-fpm" +WEBSERVER_USER="{{ __shared__apache_httpd_user }}" +WEBSERVER_GROUP="{{ __shared__apache_httpd_group }}" +PHP_SERVICE_NAME="{{ nextcloud__php_fpm_service_name }}" NC_DIR="/var/www/html/nextcloud" DATA_DIR=$(sudo -u "${WEBSERVER_USER}" php "${NC_DIR}/occ" config:system:get datadirectory) @@ -84,7 +84,7 @@ else echo 'skipping.' fi -{% if ansible_os_family == "RedHat" %} +{% if ansible_facts["os_family"] == "RedHat" %} echo echo 'setsebool httpd_unified on' echo '--------------------------' 
@@ -140,7 +140,7 @@ else echo 'skipping.' fi -{% if ansible_os_family == "RedHat" %} +{% if ansible_facts["os_family"] == "RedHat" %} echo echo 'setsebool httpd_unified off' echo '---------------------------' @@ -186,7 +186,7 @@ else echo 'skipping.' fi -{% if ansible_os_family == "RedHat" %} +{% if ansible_facts["os_family"] == "RedHat" %} echo echo "restorecon" echo '----------' diff --git a/roles/nextcloud/vars/RedHat.yml b/roles/nextcloud/vars/RedHat.yml new file mode 100644 index 00000000..cef93f11 --- /dev/null +++ b/roles/nextcloud/vars/RedHat.yml @@ -0,0 +1,5 @@ +__nextcloud__required_packages: + - 'bzip2' + - 'jq' + - 'openldap-clients' + - 'samba-client' diff --git a/roles/nextcloud/vars/main.yml b/roles/nextcloud/vars/main.yml new file mode 100644 index 00000000..2d68653b --- /dev/null +++ b/roles/nextcloud/vars/main.yml 
@@ -0,0 +1,39 @@ +# OS-specific values consumed by a *different* role that runs *earlier* in the same play (the `__dependent_var` pattern). vars/.yml would load too late for an earlier consumer, but vars/main.yml is auto-loaded at play parse and is visible to every role in the play. The public variables in defaults/main.yml select from these dicts with the linuxfabrik.lfops.platform_select filter; to extend platform support, add a Debian / Suse key here. + +# PHP modules installed by the linuxfabrik.lfops.php role via nextcloud__php__modules__dependent_var. +__nextcloud__php__modules__dependent_var: + RedHat: + - name: 'php-bcmath' + state: 'present' + - name: 'php-gd' + state: 'present' + - name: 'php-gmp' + state: 'present' + - name: 'php-imap' + state: 'present' + - name: 'php-imagick' + state: 'present' + - name: 'php-intl' + state: 'present' + - name: 'php-json' + state: 'present' + - name: 'php-ldap' + state: 'present' + - name: 'php-mbstring' + state: 'present' + - name: 'php-memcached' + state: 'present' + - name: 'php-mysqlnd' + state: 'present' + - name: 'php-opcache' + state: 'present' + - name: 'php-pecl-apcu' + state: 'present' + - name: 'php-process' # posix module for oc + state: 'present' + - name: 'php-redis' + state: 'present' + - name: 'php-smbclient' + state: 'present' + - name: 'php-zip' + state: 'present'
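Review bot: In the CHANGELOG `Changed` hunk (-68), the reference `vars/.yml` (repeated in the vars/main.yml header comment, "vars/.yml would load too late") has lost the OS-family segment of the filename; name the per-OS file pattern the role actually loads (the same entry refers to `vars/RedHat.yml`), otherwise the reader cannot tell which file "loads too late". The entry is also one very long bullet covering four separate changes (shared user/group, package list, PHP-FPM service name, SELinux guards); one bullet per change would match the granularity of the neighbouring `role:clamav` and `role:sshd` entries.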
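Review bot: The README -14 hunk flips the documented default of `nextcloud__timer_app_update_enabled` from "disabled by default" to "enabled by default", but no change to `defaults/main.yml` or `meta/argument_specs.yml` for that variable appears in this diff; confirm the default itself was flipped in an earlier commit (the CHANGELOG context line says so) so that docs and code agree. Since this means third-party app code is now updated unattended on every run of the timer, the README sentence should say that plainly rather than only in the parenthetical.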
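Review bot: In the README -243 hunk, the parenthetical for `nextcloud__php_fpm_service_name` reads "(`php-fpm` on RHEL, `php-fpm` on Debian)", listing the same value twice; either state the value `php__fpm_service_name` actually resolves to on Debian or drop the parenthetical, as written it hides whether the Debian value was checked. The `Default:` line is also written as `{{ php__fpm_service_name }}` without the single quotes every other `Default:` line in this file uses (compare `'{{ mailto_root__to | d([]) }}'` in the -219 hunk).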
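Review bot: In the defaults/main.yml -172 hunk, `nextcloud__php_fpm_service_name: '{{ php__fpm_service_name }}'` has no `d()` fallback, so running the role outside a play that also lists the `php` role fails with an undefined-variable error at first use (the two `restart {{ nextcloud__php_fpm_service_name }}` tasks and `PHP_SERVICE_NAME=` in `nextcloud-update.j2`). That is the same failure class this patch fixes for `setup_basic__skip_mailto_root` in the `Fixed` entry; either add a `| d('php-fpm')` fallback like the `nextcloud__mailto_root__to` line directly above it, or document the hard dependency on the `php` role.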
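Review bot: In the defaults/main.yml -471 hunk, `__nextcloud__php__modules__dependent_var | linuxfabrik.lfops.platform_select(ansible_facts)` is evaluated by the earlier-running `php` role on every platform, while the dict in vars/main.yml carries only a `RedHat` key. The new comment should say what happens on a Debian or Suse host where no key matches, or the role should assert on it with a message pointing at `COMPATIBILITY.md`, so the first symptom of "not supported yet" is not a filter error raised inside another role.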
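Review bot: In the notify_push unit hunk (-546), `User=` is now templated but the context line `ExecStartPre=-/bin/chcon --type bin_t /var/www/html/nextcloud/apps/notify_push/bin/x86_64/notify_push` stays unconditional. The leading `-` makes a missing `chcon` non-fatal, so this works, but rendering that line only under the same `ansible_facts["selinux"]["status"]` condition used for the `restorecon` tasks would keep the unit free of SELinux-only steps on hosts that lack SELinux.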
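Review bot: The argument_specs hunk adds an `options` entry for `nextcloud__mailto_root__to` but only a header-comment line for `nextcloud__php_fpm_service_name`; if the other cross-role defaults listed in that comment (`nextcloud__mariadb_login`, `nextcloud__icinga2_hostname`, ...) have `options` entries, add a matching `type: 'str'` entry with a description for the new variable so it is validated and documented like the others.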
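Review bot: In the tasks/main.yml -1 hunk, the new `Set platform/version specific variables` import has only `vars/RedHat.yml` to load, so on any other OS family `name: '{{ __nextcloud__required_packages }}'` is undefined and the `Install required packages` task fails with a generic Jinja error. An `ansible.builtin.assert` directly after the import (checking `__nextcloud__required_packages is defined`, with a `fail_msg` pointing at `COMPATIBILITY.md`) would turn that into the intended "not supported yet" message.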
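Review bot: The guard `when: - 'ansible_facts["selinux"]["status"] != "disabled"'` added to both `restorecon` tasks (the -59 and -184 hunks of tasks/main.yml) does not cover hosts without SELinux support at all: there Ansible reports the status as `Missing selinux Python library`, which is not `disabled`, so `restorecon -Fvr /data /var/www/html/nextcloud` still runs and fails on a Debian host that has no `restorecon`. Comparing against the positive value (`ansible_facts["selinux"]["status"] == "enabled"`) handles both the disabled and the absent case.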
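Review bot: In the nextcloud-ldap-show-remnants.service.j2 -8 hunk, the context comment `# need the help of /bin/sh here, since systemd units don't understand pipes directly` no longer matches `ExecStart=/usr/local/bin/nextcloud-ldap-show-remnants`, which runs the script directly with no shell and no pipe; drop the stale comment while the file is being touched.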
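Review bot: In the nextcloud-ldap-show-remnants.j2 -8 hunk, the unconditional trailing `exit 0` masks a failed `mail` invocation: if `/usr/bin/mail` is missing or the MTA rejects the message, the report is lost while `nextcloud-ldap-show-remnants.service` still reports success, so nobody notices that the LDAP-remnant report stopped arriving. Let the script exit with `mail`'s status (drop the final `exit 0`, or `exit $?` after the pipe) so systemd records the failure; the `{% if nextcloud__mailto_root__to | length > 0 %}` restructuring itself reads fine.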
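Review bot: In the nextcloud-update.j2 hunks, switching to `{% if ansible_facts["os_family"] == "RedHat" %}` is the right fact to use, but the three SELinux blocks (`setsebool httpd_unified on`, `setsebool httpd_unified off`, `restorecon`) remain keyed on the OS family while the role's tasks in this same patch key on `ansible_facts["selinux"]["status"]`; a RHEL host with SELinux disabled still gets those blocks rendered. Unless the rendered blocks already check the runtime state (the surrounding `else echo 'skipping.' fi` suggests some check exists), using the same SELinux-status condition here would keep script and tasks consistent.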