From 9c36560f1166af39297f706415a1e9844da21b7a Mon Sep 17 00:00:00 2001 From: VC Date: Sun, 9 Mar 2025 08:28:33 +0100 Subject: [PATCH 01/12] =?UTF-8?q?=F0=9F=A7=B1:=20move=20letsencrypt=20dir?= =?UTF-8?q?=20from=20/srv/http=20to=20/var/www?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/nginx/tasks/main.yml | 10 +--------- roles/nginx/templates/default.j2 | 2 +- roles/nginx/vars/main.yml | 2 ++ 3 files changed, 4 insertions(+), 10 deletions(-) create mode 100644 roles/nginx/vars/main.yml diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index c9219e0..e94d40c 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -33,17 +33,9 @@ - {src: proxy_params.j2, dest: /etc/nginx/proxy_params} - {src: default.j2, dest: /etc/nginx/sites-available/default} -- name: Create base dir - ansible.builtin.file: - path: /srv/http - owner: root - group: www-data - mode: 'u+rwx,g+rs,o-rwx' - state: directory - - name: Create letsencrypt dir ansible.builtin.file: - path: /srv/http/common/letsencrypt + path: "{{ nginx_letsencrypt_dir }}" owner: root group: www-data mode: 'u+rwx,g+rs,o-rwx' diff --git a/roles/nginx/templates/default.j2 b/roles/nginx/templates/default.j2 index d1f936b..22b6586 100644 --- a/roles/nginx/templates/default.j2 +++ b/roles/nginx/templates/default.j2 @@ -16,7 +16,7 @@ server { listen [::]:80 default_server; location /.well-known/acme-challenge { - root /srv/http/common/letsencrypt/; + root {{ nginx_letsencrypt_dir }}; } location / { diff --git a/roles/nginx/vars/main.yml b/roles/nginx/vars/main.yml new file mode 100644 index 0000000..ff1af01 --- /dev/null +++ b/roles/nginx/vars/main.yml @@ -0,0 +1,2 @@ +--- +nginx_letsencrypt_dir: /var/www/common/letsencrypt -- 2.39.5 From 0278b95bcf72504cf004446538a0719a76fd5fc8 Mon Sep 17 00:00:00 2001 
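Review bot: The letsencrypt directory is re-created root-owned, group `www-data`, with `g+rs` and no group write, so only a root process can drop challenge files into it; if the ACME client on this host runs as `www-data` or its own user, renewals will fail at the first HTTP-01 challenge. The ACME role is not visible here, so this may be intentional, but the task should record who writes here, e.g. `# Written by the ACME client (runs as root); nginx only needs group read`. Note also that `/var/www` itself is now created implicitly by this task with umask-derived permissions, whereas the removed task gave the old `/srv/http` base an explicit `root:www-data` `u+rwx,g+rs,o-rwx`; add an explicit task for the parent if its mode matters.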
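Review bot: `nginx_letsencrypt_dir` is declared in `roles/nginx/vars/main.yml`, which takes precedence over inventory and `group_vars`, so the path cannot be overridden per host without `-e`; a tunable like this belongs in `roles/nginx/defaults/main.yml`. The same `vars/main.yml` pattern is repeated for every app role in this series, so whichever convention is chosen should be applied consistently. A one-line comment such as `# Document root for HTTP-01 challenges; default vhost serves /.well-known/acme-challenge from here` would also help the next reader.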
From: VC Date: Sun, 9 Mar 2025 08:50:13 +0100 Subject: [PATCH 02/12] =?UTF-8?q?=E2=9C=A8:=20add=20userdata=20dir=20to=20?= =?UTF-8?q?php?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/php/tasks/main.yml | 8 ++++++++ roles/php/vars/main.yml | 3 +++ 2 files changed, 11 insertions(+) create mode 100644 roles/php/vars/main.yml diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index b233786..056f5e7 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml @@ -25,3 +25,11 @@ loop: "{{ php_modules }}" notify: - Restart php-fpm + +- name: Create standard php app data dir + ansible.builtin.file: + state: directory + dest: "{{ php_data_dir }}" + owner: www-data + group: www-data + mode: "0o750" diff --git a/roles/php/vars/main.yml b/roles/php/vars/main.yml new file mode 100644 index 0000000..da4bf27 --- /dev/null +++ b/roles/php/vars/main.yml @@ -0,0 +1,3 @@ +--- + +php_data_dir: /srv/www-data -- 2.39.5 From 278613c3b869ec61613f150a273e599f0288818e Mon Sep 17 00:00:00 2001 From: VC Date: Sun, 9 Mar 2025 13:15:25 +0100 Subject: [PATCH 03/12] =?UTF-8?q?=F0=9F=94=A8:=20add=20tags=20to=20avoid?= =?UTF-8?q?=20playing=20everything?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- playbooks/webapps.yml | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/playbooks/webapps.yml b/playbooks/webapps.yml index a80317f..b0d835b 100644 --- a/playbooks/webapps.yml +++ b/playbooks/webapps.yml 
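Review bot: `/srv/www-data` is created owned by `www-data` with `0o750`, and the app roles later in this series create their data homes as `www-data:www-data` too, so every PHP application on the host — all running under the same PHP-FPM user — can read, modify or delete every other application's user data and can create or rename sibling directories under this root; the code/data split hardens the code tree but gives no isolation between apps. If one shared user is the accepted design, say so above the task: `# Shared by all PHP apps: single www-data user, no isolation between app data dirs`. If not, make this parent `root:www-data` `0o750` so apps cannot create siblings, and move towards per-app PHP-FPM pools and users with the subdirectories owned accordingly.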
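Review bot: `php_data_dir` is introduced here, but the roles that follow in this series (shaarli, freshrss, firefly3, koillection, nextcloud) hardcode `/srv/www-data/...` in their own `vars/main.yml` instead of deriving from it, so changing this value would move the parent directory while the apps keep writing into the old path. Role vars are only visible while that role runs, so the path is better placed in `group_vars` (or each role's `defaults/`) and referenced as `"{{ php_data_dir }}/{{ <app>_access_url }}"`. A comment stating the invariant, `# Parent of all per-app user-data dirs; must stay outside every nginx document root`, would make the intent checkable.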
@@ -4,13 +4,20 @@ hosts: web1.dmz.mateu.be diff: true roles: - - koillection - - bac - - roundcube - - shaarli - - freshrss - - nextcloud - - firefly3 + - role: bac + tags: [never, bac] + - role: shaarli + tags: [never, shaarli] + - role: roundcube + tags: [never, roundcube] + - role: freshrss + tags: [never, freshrss] + - role: firefly3 + tags: [never, firefly3] + - role: koillection + tags: [never, koillection] + - role: nextcloud + tags: [never, nextcloud] - name: Install dojo webapplications hosts: web2.dmz.mateu.be -- 2.39.5 From bf1acf00d447af13a10d2634fcef67f3e06fb2ca Mon Sep 17 00:00:00 2001 From: VC Date: Sun, 9 Mar 2025 13:15:51 +0100 Subject: [PATCH 04/12] =?UTF-8?q?=E2=99=BB:=20separate=20app=20from=20user?= =?UTF-8?q?=20data=20for=20shaarli?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../templates/vhosts/fav.libertus.eu.conf.j2 | 4 +- roles/shaarli/tasks/main.yml | 60 +++++++++++++++---- roles/shaarli/vars/main.yml | 13 +++- 3 files changed, 62 insertions(+), 15 deletions(-) diff --git a/roles/nginx/templates/vhosts/fav.libertus.eu.conf.j2 b/roles/nginx/templates/vhosts/fav.libertus.eu.conf.j2 index af95cb9..38fba73 100644 --- a/roles/nginx/templates/vhosts/fav.libertus.eu.conf.j2 +++ b/roles/nginx/templates/vhosts/fav.libertus.eu.conf.j2 @@ -1,10 +1,10 @@ ## Shaarli server { {% include './templates/header.conf.j2' %} - root /srv/http/fav.libertus.eu/; + root /var/www/fav.libertus.eu/; index index.html index.htm index.php; - location ^/(cache|data)/ { + location ~* ^/(cache|data)/.* { deny all; } diff --git a/roles/shaarli/tasks/main.yml b/roles/shaarli/tasks/main.yml index 3fe14e3..6c0867e 100644 --- a/roles/shaarli/tasks/main.yml +++ b/roles/shaarli/tasks/main.yml 
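Review bot: Every role in this play now carries the `never` tag, so a plain `ansible-playbook playbooks/webapps.yml` silently skips all of them and only `--tags <role>` deploys anything; that is a reasonable opt-in design, but an unnoticed `--tags` typo then yields a green run that changed nothing. Record the intent above the list: `# All webapps are opt-in: run with --tags <role> ("never" hides them from untagged runs)`. Separately, `diff: true` on this play prints the rendered `.env`/`config.php` templates — and the credentials in them — into the run output; consider `diff: false` or `no_log: true` on those template tasks (they live in the individual roles, outside this hunk).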
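Review bot: The new `location ~* ^/(cache|data)/.* { deny all; }` is a regex location, and nginx uses the first regex location that matches in file order, so if a `location ~ \.php$` block (not visible in this hunk) precedes it, a request for `/data/<file>.php` is handed to PHP-FPM instead of being denied — keep this block above every other regex location and say so: `# must precede the PHP regex location`. The same patch makes `tmp/` and `pagecache/` group-writable inside this document root but does not deny them; extend the rule to `^/(cache|data|tmp|pagecache)/` unless those paths must be served. The trailing `.*` is redundant.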
@@ -1,34 +1,70 @@ --- -- name: Create application directory +## Remove the previous app & install the new version +- name: Remove Shaarli previous version + ansible.builtin.file: + state: absent + dest: "{{ shaarli_app_home }}" + +- name: Create app home ansible.builtin.file: state: directory - path: "{{ shaarli_home }}" + path: "{{ shaarli_app_home }}" owner: root group: www-data - mode: "a-rwx,u+rwX,g+rX" + mode: "0o750" -- name: Install Shaarli +- name: Install Shaarli app ansible.builtin.unarchive: remote_src: true src: "{{ shaarli_url }}" - dest: "{{ shaarli_home }}" + dest: "{{ shaarli_app_home }}" owner: root group: www-data mode: "a-rwx,u+rwX,g+rX" extra_opts: ['--strip-components=1'] - exclude: - - "data" + exclude: "{{ shaarli_userdata_app_dirs }}" - name: Check writable dirs ansible.builtin.file: state: directory - dest: "{{ shaarli_home }}/{{ item }}" + dest: "{{ shaarli_app_home }}/{{ item }}" owner: root group: www-data recurse: true mode: "g+w" - loop: - - "data" - - "tmp" - - "pagecache" + loop: "{{ shaarli_writable_app_dirs }}" + +## Ensure the data dirs exists, populate them if not +- name: Create data home + ansible.builtin.file: + state: directory + path: "{{ shaarli_data_home }}" + owner: www-data + group: www-data + mode: "0o750" + +# If the first data dir exists, others should exist too +- name: Get data dir + ansible.builtin.stat: + path: "{{ shaarli_data_home }}/{{ shaarli_userdata_app_dirs[0] }}" + register: _shaarli_userdata_dir_stat + +- name: Install Shaarli data dir + ansible.builtin.unarchive: + remote_src: true + src: "{{ shaarli_url }}" + dest: "{{ shaarli_data_home }}" + owner: www-data + group: www-data + mode: "a-rwx,u+rwX,g+rX" + extra_opts: ['--strip-components=1'] + include: "{{ shaarli_userdata_app_dirs | map('regex_replace', '^', 'Shaarli/') }}" + when: not _shaarli_userdata_dir_stat.stat.exists + +- name: Link Shaarli userdata dirs + ansible.builtin.file: + state: link + src: "{{ shaarli_data_home }}/{{ item }}" + dest: "{{ 
shaarli_app_home }}/{{ item }}" + loop: "{{ shaarli_userdata_app_dirs }}" diff --git a/roles/shaarli/vars/main.yml b/roles/shaarli/vars/main.yml index 8baf949..e209622 100644 --- a/roles/shaarli/vars/main.yml +++ b/roles/shaarli/vars/main.yml @@ -3,5 +3,16 @@ shaarli_version: "0.14.0" shaarli_url: "https://github.com/shaarli/Shaarli/releases/download/v{{ shaarli_version }}/shaarli-v{{ shaarli_version }}-full.tar.gz" +# Access URL shaarli_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'shaarli') | map(attribute='host') | first }}" -shaarli_home: "/srv/http/{{ shaarli_access_url }}" + +# Access path +shaarli_app_home: "/var/www/{{ shaarli_access_url }}" +shaarli_data_home: "/srv/www-data/{{ shaarli_access_url }}" + +# App dirs +shaarli_writable_app_dirs: + - pagecache + - tmp +shaarli_userdata_app_dirs: + - data -- 2.39.5 From c266e0f4fe66e67dfbf07fe88e498777498e8dbe Mon Sep 17 00:00:00 2001 From: VC Date: Sun, 9 Mar 2025 13:31:37 +0100 Subject: [PATCH 05/12] =?UTF-8?q?=E2=99=BB:=20move=20app=20data=20for=20ba?= =?UTF-8?q?c?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/bac/tasks/main.yml | 15 ++++++++++++++- roles/bac/vars/main.yml | 2 +- .../templates/vhosts/blog.libertus.eu.conf.j2 | 2 +- 3 files changed, 16 insertions(+), 3 deletions(-) diff --git a/roles/bac/tasks/main.yml b/roles/bac/tasks/main.yml index 9d88df8..d5f93eb 100644 --- a/roles/bac/tasks/main.yml +++ b/roles/bac/tasks/main.yml 
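Review bot: `Remove Shaarli previous version` wipes `{{ shaarli_app_home }}` and re-downloads the release on every run, while the data dir is populated from the tarball only when `/srv/www-data/<host>/data` is missing; since nothing migrates the existing `data/` from the old `/srv/http/<host>` tree, the first run after this change brings up a pristine Shaarli (whose first-run setup page, if reachable, lets the first visitor set the admin credentials) and leaves the real data behind. Add a one-shot migration task that moves the old `data/` into `{{ shaarli_data_home }}` before the stat check, or at least document the manual step next to `Get data dir`: `# Migrate data/ from /srv/http/<host> manually before the first run`. The tarball is also fetched twice per run with `remote_src` and no checksum; fetching it once with `get_url` plus `checksum: sha256:...` and unarchiving the local copy would pin the artefact and halve the downloads.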
@@ -1,10 +1,23 @@ --- +- name: Remove BaC previous version + ansible.builtin.file: + state: absent + dest: "{{ bac_app_home }}" + +- name: Create app home + ansible.builtin.file: + state: directory + path: "{{ bac_app_home }}" + owner: root + group: www-data + mode: "a-rwx,u+rwX,g+rX" + - name: Install BaC application ansible.builtin.unarchive: remote_src: true src: "{{ bac_url }}" - dest: "{{ bac_home }}" + dest: "{{ bac_app_home }}" owner: root group: www-data mode: "a-rwx,u+rwX,g+rX" diff --git a/roles/bac/vars/main.yml b/roles/bac/vars/main.yml index 7411864..5d7698e 100644 --- a/roles/bac/vars/main.yml +++ b/roles/bac/vars/main.yml @@ -1,4 +1,4 @@ --- bac_url: "https://giteu.be/hylobates/BaC/releases/download/tamerelol/public.tar.gz" bac_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'bac') | map(attribute='host') | first }}" -bac_home: "/srv/http/{{ bac_access_url }}" +bac_app_home: "/var/www/{{ bac_access_url }}" diff --git a/roles/nginx/templates/vhosts/blog.libertus.eu.conf.j2 b/roles/nginx/templates/vhosts/blog.libertus.eu.conf.j2 index 53a00b3..f234bb4 100644 --- a/roles/nginx/templates/vhosts/blog.libertus.eu.conf.j2 +++ b/roles/nginx/templates/vhosts/blog.libertus.eu.conf.j2 @@ -1,6 +1,6 @@ server { {% include './templates/header.conf.j2' %} - root /srv/http/blog.libertus.eu/; + root /var/www/blog.libertus.eu/; index index.html index.htm index.php; ## Optimisation des images -- 2.39.5 From a86577d5c1280cf74fc8b36ea1e723dc7d07d372 Mon Sep 17 00:00:00 2001 
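Review bot: `Remove BaC previous version` deletes the live document root before `Install BaC application` fetches the tarball, so a failed or slow download leaves `blog.libertus.eu` serving nothing until the next successful run, and every run redeploys even when nothing changed. Extract into a temporary or versioned sibling directory first and swap it into place only after the unarchive succeeded; the same ordering applies to the other roles in this series. If the wipe is kept, `# Wipes the docroot on every run: brief outage while the archive is fetched` above it would make the trade-off explicit. `Create app home` also uses the symbolic mode while the other roles use `"0o750"` for the same directory; pick one.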
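Review bot: `bac_url` points at the release tag `tamerelol` and a fixed asset name `public.tar.gz`, i.e. a mutable artefact not tied to a version, and since the tasks now delete and re-fetch the app on every run, whatever is currently behind that URL becomes the site content with no verification. Pin a versioned release and verify it (`get_url` with `checksum: sha256:...` before unarchiving), or at minimum add `# Mutable tag: whatever is behind this URL is redeployed on every run` so the behaviour is documented.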
From: VC Date: Sun, 9 Mar 2025 13:41:00 +0100 Subject: [PATCH 06/12] =?UTF-8?q?=E2=99=BB:=20move=20roundcube=20app=20dir?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../templates/vhosts/mail.libertus.eu.conf.j2 | 2 +- roles/roundcube/tasks/roundcube.yml | 17 +++++++++-------- roles/roundcube/tasks/roundcube_carddav.yml | 9 +++++++-- roles/roundcube/vars/main.yml | 10 ++++++++-- 4 files changed, 25 insertions(+), 13 deletions(-) diff --git a/roles/nginx/templates/vhosts/mail.libertus.eu.conf.j2 b/roles/nginx/templates/vhosts/mail.libertus.eu.conf.j2 index 7fd011b..a2e5d1e 100644 --- a/roles/nginx/templates/vhosts/mail.libertus.eu.conf.j2 +++ b/roles/nginx/templates/vhosts/mail.libertus.eu.conf.j2 @@ -1,6 +1,6 @@ server { {% include './templates/header.conf.j2' %} - root /srv/http/mail.libertus.eu/; + root /var/www/mail.libertus.eu/; index index.html index.htm index.php; client_max_body_size 512M; diff --git a/roles/roundcube/tasks/roundcube.yml b/roles/roundcube/tasks/roundcube.yml index c36099a..d5db54a 100644 --- a/roles/roundcube/tasks/roundcube.yml +++ b/roles/roundcube/tasks/roundcube.yml @@ -1,9 +1,14 @@ --- +## Remove previous app & install new version +- name: Remove roundcube previous version + ansible.builtin.file: + state: absent + dest: "{{ roundcube_app_home }}" - name: Create application directory ansible.builtin.file: state: directory - dest: "{{ roundcube_home }}" + dest: "{{ roundcube_app_home }}" owner: "root" group: "www-data" mode: "0o750" @@ -12,13 +17,11 @@ ansible.builtin.unarchive: remote_src: true src: "{{ roundcube_url }}" - dest: "{{ roundcube_home }}" + dest: "{{ roundcube_app_home }}" owner: root group: www-data mode: "a-rwx,u+rwX,g+rX" extra_opts: ['--strip-components=1'] - exclude: - - "{{ roundcube_config_path }}" - name: Put roundcube configuration ansible.builtin.template: 
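Review bot: `Remove roundcube previous version` deletes `{{ roundcube_app_home }}` on every run, and `logs/` and `temp/` still live inside it (they are only made group-writable by the later task), so Roundcube's logs — the login/error trail you would want for incident investigation — and any in-flight temp files are discarded at each deploy. Move them under a `roundcube_data_home` the way `data/` is handled for the other apps, or point `log_dir`/`temp_dir` in the config template at a persistent path. The dropped `exclude:` held an absolute path rather than an archive member name, so it never matched and removing it changes nothing; a short comment on the unarchive task noting that `config.inc.php` is re-templated afterwards would explain why no exclude is needed.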
@@ -32,10 +35,8 @@ ansible.builtin.file: state: directory recurse: true - dest: "{{ roundcube_home }}/{{ item }}" + dest: "{{ roundcube_app_home }}/{{ item }}" owner: root group: www-data mode: "g+w" - loop: - - "logs" - - "temp" + loop: "{{ roundcube_writable_app_dirs }}" diff --git a/roles/roundcube/tasks/roundcube_carddav.yml b/roles/roundcube/tasks/roundcube_carddav.yml index 099a1d9..2265947 100644 --- a/roles/roundcube/tasks/roundcube_carddav.yml +++ b/roles/roundcube/tasks/roundcube_carddav.yml @@ -1,10 +1,15 @@ --- +- name: Remove carddav plugin + ansible.builtin.file: + state: absent + dest: "{{ roundcube_app_home }}/plugins/carddav" + - name: Unzip carddav plugin ansible.builtin.unarchive: remote_src: true src: "{{ roundcube_carddav_url }}" - dest: "{{ roundcube_home }}/plugins" + dest: "{{ roundcube_app_home }}/plugins" owner: root group: www-data mode: "a-rwx,u+rwX,g+rX" @@ -12,7 +17,7 @@ - name: Put carddav config file ansible.builtin.template: src: "carddav.config.inc.php.j2" - dest: "{{ roundcube_home }}/plugins/carddav/config.inc.php" + dest: "{{ roundcube_app_home }}/plugins/carddav/config.inc.php" owner: root group: www-data mode: "0o640" diff --git a/roles/roundcube/vars/main.yml b/roles/roundcube/vars/main.yml index c7f864f..086b7c4 100644 --- a/roles/roundcube/vars/main.yml +++ b/roles/roundcube/vars/main.yml 
@@ -7,9 +7,15 @@ roundcube_url: "https://github.com/roundcube/roundcubemail/releases/download/{{ # only the first occurence is supported roundcube_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'roundcube') | map(attribute='host') | first }}" -roundcube_home: "/srv/http/{{ roundcube_access_url }}" -roundcube_config_path: "{{ roundcube_home }}/config/config.inc.php" +roundcube_app_home: "/var/www/{{ roundcube_access_url }}" +roundcube_config_path: "{{ roundcube_app_home }}/config/config.inc.php" +# App dirs +roundcube_writable_app_dirs: + - logs + - temp + +# CardDAV extension roundcube_carddav_version: "5.1.0" roundcube_carddav_url: "https://github.com/mstilkerich/rcmcarddav/releases/download/v{{ roundcube_carddav_version }}/carddav-v{{ roundcube_carddav_version }}.tar.gz" roundcube_carddav_discovery_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'nextcloud') | map(attribute='host') | first }}" -- 2.39.5 From 64c41a64df7338b7bf8a7afdac050642cfc24ed4 Mon Sep 17 00:00:00 2001 From: VC Date: Sun, 9 Mar 2025 14:21:06 +0100 Subject: [PATCH 07/12] =?UTF-8?q?=E2=99=BB:=20move=20freshrss=20app=20dir?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/freshrss/tasks/check.yml | 2 +- roles/freshrss/tasks/freshrss.yml | 67 +++++++++++++------ roles/freshrss/templates/freshrss.service.j2 | 2 +- roles/freshrss/vars/main.yml | 11 ++- .../templates/vhosts/rss.libertus.eu.conf.j2 | 2 +- 5 files changed, 60 insertions(+), 24 deletions(-) diff --git a/roles/freshrss/tasks/check.yml b/roles/freshrss/tasks/check.yml index 13fa11b..964a8e4 100644 --- a/roles/freshrss/tasks/check.yml +++ b/roles/freshrss/tasks/check.yml 
@@ -2,7 +2,7 @@ - name: Check freshrss version ansible.builtin.lineinfile: - path: "{{ freshrss_home }}/constants.php" + path: "{{ freshrss_app_home }}/constants.php" line: "const FRESHRSS_VERSION = '{{ freshrss_version }}';" state: present check_mode: true diff --git a/roles/freshrss/tasks/freshrss.yml b/roles/freshrss/tasks/freshrss.yml index 2293894..4221747 100644 --- a/roles/freshrss/tasks/freshrss.yml +++ b/roles/freshrss/tasks/freshrss.yml 
@@ -1,40 +1,69 @@ --- -- name: Create application directory +## Remove the previous app & install the new version +- name: Remove freshrss previous version + ansible.builtin.file: + state: absent + dest: "{{ freshrss_app_home }}" + +- name: Create app home ansible.builtin.file: state: directory - dest: "{{ freshrss_home }}" + dest: "{{ freshrss_app_home }}" owner: root group: www-data - mode: "a-rwx,u+rwX,g+rX" + mode: "0o750" - name: Install freshrss application ansible.builtin.unarchive: remote_src: true src: "{{ freshrss_url }}" - dest: "{{ freshrss_home }}" + dest: "{{ freshrss_app_home }}" owner: root group: www-data mode: "a-rwx,u+rwX,g+rX" extra_opts: ['--strip-components=1'] - exclude: - - "config/config.php" + exclude: "{{ freshrss_userdata_app_dirs }}" +## Ensure the data dirs exist, populate them if not +- name: Create data home + ansible.builtin.file: + state: directory + path: "{{ freshrss_data_home }}" + owner: www-data + group: www-data + mode: "a-rwx,u+rwX,g+rX" + +# If the first data dir exists, other should exist too +- name: Get data dir + ansible.builtin.stat: + path: "{{ freshrss_data_home }}/{{ freshrss_userdata_app_dirs[0] }}" + register: _freshrss_userdata_dir_stat + +- name: Install freshrss data dir + ansible.builtin.unarchive: + remote_src: true + src: "{{ freshrss_url }}" + dest: "{{ freshrss_data_home }}" + owner: www-data + group: www-data + mode: "a-rwx,u+rwX,g+rX" + extra_opts: ['--strip-components=1'] + include: "{{ freshrss_userdata_app_dirs | map('regex_replace', '^', 'FreshRSS-' ~ freshrss_version ~ '/') }}" + when: not _freshrss_userdata_dir_stat.stat.exists + +- name: Link FreshRSS userdata dirs + ansible.builtin.file: + state: link + src: "{{ freshrss_data_home }}/{{ item }}" + dest: "{{ freshrss_app_home }}/{{ item }}" + loop: "{{ freshrss_userdata_app_dirs }}" + +# Config file is inside `data/`, so we must put it last - name: Put freshrss configuration file ansible.builtin.template: src: config.php.j2 dest: "{{ 
freshrss_config_path }}" - owner: root + owner: www-data group: www-data - mode: "0o660" - -- name: Check writable dirs - ansible.builtin.file: - state: directory - dest: "{{ freshrss_home }}/{{ item }}" - owner: root - group: www-data - mode: "g+w" - recurse: true - loop: - - "data" + mode: "0o640" diff --git a/roles/freshrss/templates/freshrss.service.j2 b/roles/freshrss/templates/freshrss.service.j2 index 7acdc50..b295a39 100644 --- a/roles/freshrss/templates/freshrss.service.j2 +++ b/roles/freshrss/templates/freshrss.service.j2 @@ -5,4 +5,4 @@ Wants=freshrss.timer [Service] User=www-data Type=simple -ExecStart=/usr/bin/php {{ freshrss_home }}/app/actualize_script.php +ExecStart=/usr/bin/php {{ freshrss_app_home }}/app/actualize_script.php diff --git a/roles/freshrss/vars/main.yml b/roles/freshrss/vars/main.yml index cc6aa91..ffbce52 100644 --- a/roles/freshrss/vars/main.yml +++ b/roles/freshrss/vars/main.yml @@ -4,5 +4,12 @@ freshrss_version: "1.26.0" freshrss_url: "https://github.com/FreshRSS/FreshRSS/archive/refs/tags/{{ freshrss_version }}.tar.gz" freshrss_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'freshrss') | map(attribute='host') | first }}" -freshrss_home: "/srv/http/{{ freshrss_access_url }}" -freshrss_config_path: "{{ freshrss_home }}/data/config.php" + +# Access path +freshrss_app_home: "/var/www/{{ freshrss_access_url }}" +freshrss_data_home: "/srv/www-data/{{ freshrss_access_url }}" +freshrss_config_path: "{{ freshrss_app_home }}/data/config.php" + +# App dirs +freshrss_userdata_app_dirs: + - data diff --git a/roles/nginx/templates/vhosts/rss.libertus.eu.conf.j2 b/roles/nginx/templates/vhosts/rss.libertus.eu.conf.j2 index 1f5c97a..63e3331 100644 --- a/roles/nginx/templates/vhosts/rss.libertus.eu.conf.j2 +++ b/roles/nginx/templates/vhosts/rss.libertus.eu.conf.j2 
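Review bot: `Put freshrss configuration file` writes to `{{ freshrss_config_path }}`, which is `{{ freshrss_app_home }}/data/config.php`, i.e. through the `data` symlink created two tasks earlier; if the link task is skipped or fails, `template` silently creates a real `data/` directory inside the root-owned app tree, the config (with its DB credentials) lands in the wrong place, and it is wiped on the next run. Point `freshrss_config_path` at `{{ freshrss_data_home }}/data/config.php` so the write does not depend on the symlink; the "must put it last" comment then becomes unnecessary. Separately, `freshrss_url` is GitHub's auto-generated `archive/refs/tags/...` tarball, which is neither signed nor guaranteed byte-stable, and it is now fetched twice per run with no checksum; a single checksummed `get_url` download feeding both unarchive tasks would pin it.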
@@ -1,6 +1,6 @@ server { {% include './templates/header.conf.j2' %} - root /srv/http/rss.libertus.eu/p; + root /var/www/rss.libertus.eu/p; index index.html index.htm index.php; location ~ \.(js|css|png|jpg|jpeg|gif|svg|svgz)$ { -- 2.39.5 From bc8394105e50eb54b28fb385f002479751daf334 Mon Sep 17 00:00:00 2001 From: VC Date: Sun, 9 Mar 2025 15:01:37 +0100 Subject: [PATCH 08/12] =?UTF-8?q?=E2=99=BB:=20move=20firefly3=20to=20app?= =?UTF-8?q?=20dir?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/firefly3/tasks/cron.yml | 2 +- roles/firefly3/tasks/firefly3.yml | 56 +++++++++++++++---- roles/firefly3/vars/main.yml | 10 +++- .../templates/vhosts/ff.libertus.eu.conf.j2 | 2 +- 4 files changed, 57 insertions(+), 13 deletions(-) diff --git a/roles/firefly3/tasks/cron.yml b/roles/firefly3/tasks/cron.yml index 20d6f77..046a8c5 100644 --- a/roles/firefly3/tasks/cron.yml +++ b/roles/firefly3/tasks/cron.yml @@ -6,4 +6,4 @@ name: firefly-iii-cron minute: 0 hour: 3 - job: "/usr/bin/php {{ firefly3_home }}/artisan firefly-iii:cron > /dev/null" + job: "/usr/bin/php {{ firefly3_app_home }}/artisan firefly-iii:cron > /dev/null" diff --git a/roles/firefly3/tasks/firefly3.yml b/roles/firefly3/tasks/firefly3.yml index 88f5183..9601da6 100644 --- a/roles/firefly3/tasks/firefly3.yml +++ b/roles/firefly3/tasks/firefly3.yml @@ -1,9 +1,15 @@ --- -- name: Create application directory +## Remove the previous app & install the new version +- name: Remove Firefly3 previous version + ansible.builtin.file: + state: absent + dest: "{{ firefly3_app_home }}" + +- name: Create app home ansible.builtin.file: state: directory - dest: "{{ firefly3_home }}" + dest: "{{ firefly3_app_home }}" owner: root group: www-data mode: "0o750" 
@@ -12,17 +18,16 @@ ansible.builtin.unarchive: remote_src: true src: "{{ firefly3_url }}" - dest: "{{ firefly3_home }}" + dest: "{{ firefly3_app_home }}" owner: root group: www-data mode: "a-rwx,u+rwX,g+rX" - exclude: - - ".env" + exclude: "{{ firefly3_userdata_app_dirs }}" - name: Put config file ansible.builtin.template: src: "env.j2" - dest: "{{ firefly3_home }}/.env" + dest: "{{ firefly3_app_home }}/.env" owner: root group: www-data mode: "0o640" @@ -30,11 +35,42 @@ - name: Check writable dirs ansible.builtin.file: state: directory - dest: "{{ firefly3_home }}/{{ item }}" + dest: "{{ firefly3_app_home }}/{{ item }}" owner: root group: www-data recurse: true mode: "g+w" - loop: - - "bootstrap" - - "storage" + loop: "{{ firefly3_writable_app_dirs }}" + +## Ensure the data dirs exists, populate them if not +- name: Create data home + ansible.builtin.file: + state: directory + path: "{{ firefly3_data_home }}" + owner: www-data + group: www-data + mode: "0o750" + +# If the first data dir exists, others should exist too +- name: Get data dir + ansible.builtin.stat: + path: "{{ firefly3_data_home }}/{{ firefly3_userdata_app_dirs[0] }}" + register: _firefly3_userdata_dir_stat + +- name: Install Firefly3 data dir + ansible.builtin.unarchive: + remote_src: true + src: "{{ firefly3_url }}" + dest: "{{ firefly3_data_home }}" + owner: www-data + group: www-data + mode: "a-rwx,u+rwX,g+rX" + include: "{{ firefly3_userdata_app_dirs | map('regex_replace', '^', './') }}" + when: not _firefly3_userdata_dir_stat.stat.exists + +- name: Link Firefly3 userdata dirs + ansible.builtin.file: + state: link + src: "{{ firefly3_data_home }}/{{ item }}" + dest: "{{ firefly3_app_home }}/{{ item }}" + loop: "{{ firefly3_userdata_app_dirs }}" diff --git a/roles/firefly3/vars/main.yml b/roles/firefly3/vars/main.yml index 0d6a84f..deb772f 100644 --- a/roles/firefly3/vars/main.yml +++ b/roles/firefly3/vars/main.yml 
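Review bot: `exclude: "{{ firefly3_userdata_app_dirs }}"` passes `--exclude=storage` to tar, and tar exclude patterns are unanchored by default, so besides `./storage` at the top level it also drops any nested path component named `storage` anywhere in the archive, whereas the `include:` on the data-dir task is anchored with `./`. Anchor the exclude the same way, `exclude: "{{ firefly3_userdata_app_dirs | map('regex_replace', '^', './') }}"`, and check the other roles' `exclude:` lists (`data`, `public/uploads`) for the same unanchored match. Note also that `.env` is no longer excluded, so the archive's copy (if any) is extracted and immediately overwritten by `Put config file`; that is fine but deserves a comment on that task.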
@@ -4,4 +4,12 @@ firefly3_version: "6.2.9" firefly3_url: "https://github.com/firefly-iii/firefly-iii/releases/download/v{{ firefly3_version }}/FireflyIII-v{{ firefly3_version }}.tar.gz" firefly3_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'firefly3') | map(attribute='host') | first }}" -firefly3_home: "/srv/http/{{ firefly3_access_url }}" + +# Access path +firefly3_app_home: "/var/www/{{ firefly3_access_url }}" +firefly3_data_home: "/srv/www-data/{{ firefly3_access_url }}" + +firefly3_writable_app_dirs: + - bootstrap +firefly3_userdata_app_dirs: + - storage diff --git a/roles/nginx/templates/vhosts/ff.libertus.eu.conf.j2 b/roles/nginx/templates/vhosts/ff.libertus.eu.conf.j2 index 1fd58be..e7506c6 100644 --- a/roles/nginx/templates/vhosts/ff.libertus.eu.conf.j2 +++ b/roles/nginx/templates/vhosts/ff.libertus.eu.conf.j2 @@ -1,7 +1,7 @@ server { {% include './templates/header.conf.j2' %} - root /srv/http/ff.libertus.eu/public; + root /var/www/ff.libertus.eu/public; index index.html index.htm index.php; -- 2.39.5 From 6af8c3d8a6d47373e618cbff26817a8687bf194b Mon Sep 17 00:00:00 2001 From: VC Date: Sun, 9 Mar 2025 15:40:58 +0100 Subject: [PATCH 09/12] =?UTF-8?q?=E2=99=BB:=20move=20koillection=20to=20ap?= =?UTF-8?q?p=20dir?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/koillection/tasks/api.yml | 23 +++++++ roles/koillection/tasks/main.yml | 68 +++++++++++++------ roles/koillection/vars/main.yml | 11 ++- .../templates/vhosts/koi.libertus.eu.conf.j2 | 2 +- 4 files changed, 82 insertions(+), 22 deletions(-) create mode 100644 roles/koillection/tasks/api.yml diff --git a/roles/koillection/tasks/api.yml b/roles/koillection/tasks/api.yml new file mode 100644 index 0000000..bd6cb5d --- /dev/null +++ b/roles/koillection/tasks/api.yml 
@@ -0,0 +1,23 @@ +--- + +- name: Create API config dir + ansible.builtin.file: + state: directory + dest: "{{ koillection_data_home }}/config/jwt" + owner: www-data + group: www-data + mode: "0o750" + +- name: Link JWT config dir + ansible.builtin.file: + state: link + src: "{{ koillection_data_home }}/config/jwt" + dest: "{{ koillection_app_home }}/config/jwt" + +- name: Run lexik jwt + become: true + become_user: www-data + ansible.builtin.command: + cmd: "php bin/console lexik:jwt:generate-keypair" + chdir: "{{ koillection_app_home }}" + creates: "{{ koillection_app_home }}/config/jwt/private.pem" diff --git a/roles/koillection/tasks/main.yml b/roles/koillection/tasks/main.yml index 41f17ac..4be1e76 100644 --- a/roles/koillection/tasks/main.yml +++ b/roles/koillection/tasks/main.yml @@ -3,10 +3,16 @@ - name: Init db ansible.builtin.include_tasks: db.yml -- name: Create application directory +## Remove the previous app & install the new version +- name: Remove Koillection previous version + ansible.builtin.file: + state: absent + dest: "{{ koillection_app_home }}" + +- name: Create app home ansible.builtin.file: state: directory - dest: "{{ koillection_home }}" + dest: "{{ koillection_app_home }}" owner: root group: www-data mode: "0o750" @@ -15,19 +21,17 @@ ansible.builtin.unarchive: remote_src: true src: "{{ koillection_url }}" - dest: "{{ koillection_home }}" + dest: "{{ koillection_app_home }}" owner: root group: www-data mode: "a-rwx,u+rwX,g+rX" extra_opts: ['--strip-components=1'] - exclude: - - .env - - config/jwt + exclude: "{{ koillection_userdata_app_dirs }}" - name: Put config file ansible.builtin.template: src: "env.j2" - dest: "{{ koillection_home }}/.env" + dest: "{{ koillection_app_home }}/.env" owner: root group: www-data mode: "0o640" 
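Review bot: `Link JWT config dir` will fail with "refusing to convert from directory to symlink" if `{{ koillection_app_home }}/config/jwt` already exists as a real directory, and the companion main.yml hunk removes `config/jwt` from the archive's `exclude:` list — the old exclude suggests the release tarball ships that directory. Keep `config/jwt` in the exclude list (or remove the directory before linking). The key pair is then generated as `www-data` into a www-data-owned directory; check what mode `lexik:jwt:generate-keypair` leaves on `private.pem` and, if it is not owner-only, add a `file` task with `mode: "0o600"` on `{{ koillection_data_home }}/config/jwt/private.pem` — it signs every API token.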
@@ -35,21 +39,45 @@ - name: Check writable dirs ansible.builtin.file: state: directory - dest: "{{ koillection_home }}/{{ item }}" + dest: "{{ koillection_app_home }}/{{ item }}" owner: root group: www-data mode: "g+w" recurse: true - loop: - - "var" - - "config/jwt" - - "public/uploads" - - "public/tmp" + loop: "{{ koillection_writable_app_dirs }}" -- name: Run lexik jwt - become: true - become_user: www-data - ansible.builtin.command: - cmd: "php bin/console lexik:jwt:generate-keypair" - chdir: "{{ koillection_home }}" - creates: "{{ koillection_home }}/config/jwt/private.pem" +## Ensure the data dirs exist, populate them if not +- name: Create data home + ansible.builtin.file: + state: directory + path: "{{ koillection_data_home }}" + owner: www-data + group: www-data + mode: "0o750" + +- name: Get data dir + ansible.builtin.stat: + path: "{{ koillection_data_home }}/{{ koillection_userdata_app_dirs[0] }}" + register: _koillection_userdata_dir_stat + +- name: Install Koillection data dir + ansible.builtin.unarchive: + remote_src: true + src: "{{ koillection_url }}" + dest: "{{ koillection_data_home }}" + owner: www-data + group: www-data + mode: "a-rwx,u+rwX,g+rX" + extra_opts: ['--strip-components=1'] + include: "{{ koillection_userdata_app_dirs | map('regex_replace', '^', 'public/') }}" + when: not _koillection_userdata_dir_stat.stat.exists + +- name: Link Koillection userdata dirs + ansible.builtin.file: + state: link + src: "{{ koillection_data_home }}/{{ item }}" + dest: "{{ koillection_app_home }}/{{ item }}" + loop: "{{ koillection_userdata_app_dirs }}" + +- name: Include API activation task + ansible.builtin.include_tasks: api.yml diff --git a/roles/koillection/vars/main.yml b/roles/koillection/vars/main.yml index 4827f94..8c22650 100644 --- a/roles/koillection/vars/main.yml +++ b/roles/koillection/vars/main.yml 
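Review bot: `public/tmp` (group-writable, inside the app) and `public/uploads` (www-data-owned, symlinked back into the app) both sit under nginx's document root `.../public`, so whatever the web process writes there is served directly; unless the vhost denies PHP execution under `/uploads` and `/tmp` (the `koi.libertus.eu` template is only touched for its root path here, so I cannot tell), an upload bug becomes remote code execution. Add a rule such as `location ~* ^/(uploads|tmp)/.*\.php$ { deny all; }` to the vhost, or a comment here pointing at where that is enforced. This role also re-fetches the same archive a second time only to extract `public/uploads`; fetching once with `get_url` and a checksum would let both unarchive tasks use a verified local file.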
@@ -5,4 +5,13 @@ koillection_url: "https://giteu.be/koillection/koillection/releases/download/{{ koillection_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'koillection') | map(attribute='host') | first }}" -koillection_home: "/srv/http/{{ koillection_access_url }}" +# Access path +koillection_app_home: "/var/www/{{ koillection_access_url }}" +koillection_data_home: "/srv/www-data/{{ koillection_access_url }}" + +# App dirs +koillection_writable_app_dirs: + - var + - public/tmp +koillection_userdata_app_dirs: + - public/uploads diff --git a/roles/nginx/templates/vhosts/koi.libertus.eu.conf.j2 b/roles/nginx/templates/vhosts/koi.libertus.eu.conf.j2 index 4ca85a8..0c1486b 100644 --- a/roles/nginx/templates/vhosts/koi.libertus.eu.conf.j2 +++ b/roles/nginx/templates/vhosts/koi.libertus.eu.conf.j2 @@ -1,7 +1,7 @@ server { {% include './templates/header.conf.j2' %} - root /srv/http/koi.libertus.eu/public; + root /var/www/koi.libertus.eu/public; index index.html index.htm index.php; -- 2.39.5 From 75868ab2169a5029465267efad8e520a2159baf8 Mon Sep 17 00:00:00 2001 From: VC Date: Sun, 9 Mar 2025 15:45:24 +0100 Subject: [PATCH 10/12] =?UTF-8?q?=E2=99=BB:=20move=20repo=20to=20data=20di?= =?UTF-8?q?r?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/nginx/templates/vhosts/r.mateu.be.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nginx/templates/vhosts/r.mateu.be.conf.j2 b/roles/nginx/templates/vhosts/r.mateu.be.conf.j2 index b0ad81c..fae8bff 100644 --- a/roles/nginx/templates/vhosts/r.mateu.be.conf.j2 +++ b/roles/nginx/templates/vhosts/r.mateu.be.conf.j2 @@ -10,7 +10,7 @@ server { ssl_certificate /etc/x509/r.mateu.be/fullchain.cer; ssl_certificate_key /etc/x509/r.mateu.be/r.mateu.be.key; - root /srv/http/r.mateu.be/; + root /srv/www-data/r.mateu.be/; location / { autoindex on; -- 2.39.5 
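Review bot: Moving the repository root to `/srv/www-data/r.mateu.be/` puts a publicly listed directory (`autoindex on`) inside the tree that patch 02 creates owned and writable by `www-data`, the account every PHP app on the host runs as; a compromise of any of those apps would then let the attacker publish arbitrary files at this vhost. Unless something outside this hunk makes the directory root-owned, keep it outside `php_data_dir`, or create it with an explicit task as `root:www-data` with group read only. Whichever is chosen, a comment at the `root` line stating who is allowed to write here would document the trust boundary.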
From a4572768b4e76ba0962328d59e4503f7a7174d25 Mon Sep 17 00:00:00 2001 From: VC Date: Sun, 9 Mar 2025 16:53:21 +0100 Subject: [PATCH 11/12] =?UTF-8?q?=E2=99=BB:=20move=20nextcloud=20to=20app?= =?UTF-8?q?=20dir?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/nextcloud/tasks/main.yml | 4 ++ roles/nextcloud/tasks/nextcloud.yml | 63 +++++++++++-------- roles/nextcloud/tasks/nextcloud_modules.yml | 10 +++ roles/nextcloud/vars/main.yml | 18 +++++- .../templates/vhosts/o.libertus.eu.conf.j2 | 2 +- 5 files changed, 68 insertions(+), 29 deletions(-) create mode 100644 roles/nextcloud/tasks/nextcloud_modules.yml diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml index 99badbc..d197c8c 100644 --- a/roles/nextcloud/tasks/main.yml +++ b/roles/nextcloud/tasks/main.yml @@ -6,5 +6,9 @@ - name: Install nextcloud ansible.builtin.include_tasks: nextcloud.yml +- name: Install nextcloud modules + ansible.builtin.include_tasks: nextcloud_modules.yml + loop: "{{ nextcloud_modules }}" + - name: Check nextcloud version ansible.builtin.include_tasks: check.yml diff --git a/roles/nextcloud/tasks/nextcloud.yml b/roles/nextcloud/tasks/nextcloud.yml index e1292d6..1132f28 100644 --- a/roles/nextcloud/tasks/nextcloud.yml +++ b/roles/nextcloud/tasks/nextcloud.yml @@ -1,9 +1,15 @@ --- -- name: Create application directory +## Remove the previous app & install the new version +- name: Remove Nextcloud previous version + ansible.builtin.file: + state: absent + dest: "{{ nextcloud_app_home }}" + +- name: Create app home ansible.builtin.file: state: directory - dest: "{{ nextcloud_home }}" + dest: "{{ nextcloud_app_home }}" owner: root group: www-data mode: "0o750" 
@@ -12,47 +18,50 @@ ansible.builtin.unarchive:
 remote_src: true
 src: "{{ nextcloud_url }}"
- dest: "{{ nextcloud_home }}"
+ dest: "{{ nextcloud_app_home }}"
 owner: root
 group: www-data
 mode: "a-rwx,u+rwX,g+rX"
 extra_opts: ['--strip-components=1']
- exclude:
- - "data"
- - "config/config.php"
-
-- name: Put config file
- ansible.builtin.template:
- src: "config.php.j2"
- dest: "{{ nextcloud_home }}/config/config.php"
- owner: www-data
- group: www-data
- mode: "0o640"
-
-- name: Set config dir permissions
- ansible.builtin.file:
- state: directory
- dest: "{{ nextcloud_home }}/config"
- owner: www-data
- group: www-data
- mode: "0o750"
 - name: Check writable dirs
 ansible.builtin.file:
 state: directory
- dest: "{{ nextcloud_home }}/{{ item }}"
+ dest: "{{ nextcloud_app_home }}/{{ item }}"
 owner: root
 group: www-data
 mode: "g+w"
 recurse: true
- loop:
- - "apps"
- - "data"
+ loop: "{{ nextcloud_writable_app_dirs }}"
+
+- name: Put config file
+ ansible.builtin.template:
+ src: "config.php.j2"
+ dest: "{{ nextcloud_app_home }}/config/config.php"
+ owner: www-data
+ group: www-data
+ mode: "0o640"
+
+# Nextcloud `data/` does not exist in the archive, so create it everytime
+- name: Create data home
+ ansible.builtin.file:
+ state: directory
+ path: "{{ nextcloud_data_home }}/data"
+ owner: www-data
+ group: www-data
+ mode: "0o750"
+
+- name: Link Nextcloud userdata dirs
+ ansible.builtin.file:
+ state: link
+ src: "{{ nextcloud_data_home }}/{{ item }}"
+ dest: "{{ nextcloud_app_home }}/{{ item }}"
+ loop: "{{ nextcloud_userdata_app_dirs }}"
 - name: Run occ upgrade
 become: true
 become_user: www-data
 ansible.builtin.command:
 cmd: "php occ upgrade"
- chdir: "{{ nextcloud_home }}"
+ chdir: "{{ nextcloud_app_home }}"
 changed_when: false
diff --git a/roles/nextcloud/tasks/nextcloud_modules.yml b/roles/nextcloud/tasks/nextcloud_modules.yml
new file mode 100644
index 0000000..e8587d6
--- /dev/null
+++ b/roles/nextcloud/tasks/nextcloud_modules.yml
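Review bot: `Link Nextcloud userdata dirs` turns `{{ nextcloud_app_home }}/data` into a symlink that sits under the nginx document root, and `data` is one of the paths Nextcloud's reference vhost config denies; the o.libertus.eu template touched in this same commit appears to follow that config, but the deny block is outside the visible hunk, so it is worth confirming it still covers the now-symlinked path. Two smaller points in the same hunk: `Create data home` uses `path:` where every sibling `ansible.builtin.file` task uses `dest:`, and the link task has no `force:`, which only works because the app home is recreated at the top of this file each run — a comment such as `# app home is rebuilt above, so dest never pre-exists as a real directory` would record that dependency. The enclosing unarchive task starts above the hunk.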
@@ -0,0 +1,10 @@
+---
+
+- name: "Install {{ item.name }} module"
+ become: true
+ become_user: www-data
+ ansible.builtin.command:
+ cmd: "php occ app:install {{ item.force | default(false) | ternary('--force', '') }} {{ item.name }}"
+ chdir: "{{ nextcloud_app_home }}"
+ creates: "{{ nextcloud_app_home }}/apps/{{ item.name }}"
+ changed_when: false
diff --git a/roles/nextcloud/vars/main.yml b/roles/nextcloud/vars/main.yml
index 60d5650..aa942ec 100644
--- a/roles/nextcloud/vars/main.yml
+++ b/roles/nextcloud/vars/main.yml
@@ -5,4 +5,20 @@ nextcloud_url: "https://download.nextcloud.com/server/releases/nextcloud-{{ next
 nextcloud_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'nextcloud') | map(attribute='host') | first }}"
-nextcloud_home: "/srv/http/{{ nextcloud_access_url }}"
+# Access path
+nextcloud_app_home: "/var/www/{{ nextcloud_access_url }}"
+nextcloud_data_home: "/srv/www-data/{{ nextcloud_access_url }}"
+
+# App dirs
+nextcloud_writable_app_dirs:
+ - apps
+ - config
+nextcloud_userdata_app_dirs:
+ - data
+
+# Supplementary modules
+nextcloud_modules:
+ - name: calendar
+ - name: tasks
+ - name: user_external
+ force: true
diff --git a/roles/nginx/templates/vhosts/o.libertus.eu.conf.j2 b/roles/nginx/templates/vhosts/o.libertus.eu.conf.j2
index 3b5c9bb..8ba2a19 100644
--- a/roles/nginx/templates/vhosts/o.libertus.eu.conf.j2
+++ b/roles/nginx/templates/vhosts/o.libertus.eu.conf.j2
@@ -11,7 +11,7 @@ map $arg_v $asset_immutable {
 server {
 {% include './templates/header.conf.j2' %}
 # Path to the root of your installation
- root /srv/http/o.libertus.eu;
+ root /var/www/o.libertus.eu;
 # Prevent nginx HTTP Server Detection
 server_tokens off;
-- 2.39.5
From 6165124acb7c85ad3798f65df52ff04e77033a9a Mon Sep 17 00:00:00 2001
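Review bot: `changed_when: false` hides a real change here: when `creates` finds no `apps/{{ item.name }}` the command does install the module, yet the play reports nothing. Dropping the `changed_when: false` line and letting `creates` provide the idempotence reports the install once and skips on later runs. If you also want to avoid the doubled space that `ternary('--force', '')` leaves in the rendered command when force is unset, an `argv:` list with a conditional `--force` element is the cleaner form, though `command` tolerates the current string.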
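Review bot: `force: true` on `user_external` has no comment explaining it, and in nextcloud_modules.yml it becomes `occ app:install --force`, which installs the app regardless of the server-version range the app declares — the check that keeps an app not built for the installed release from running against it. Record the reason where the flag is set, presumably that the app does not yet declare support for the deployed release (confirm), e.g. `# force: app does not declare compatibility with the deployed release; --force skips occ's version check — re-check after each Nextcloud upgrade`.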
From: VC
Date: Sun, 9 Mar 2025 16:53:59 +0100
Subject: [PATCH 12/12] =?UTF-8?q?=F0=9F=9A=91:=20specific=20the=20absolute?= =?UTF-8?q?=20exclude=20list=20to=20avoid=20conflicts?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 roles/firefly3/tasks/firefly3.yml | 2 +-
 roles/freshrss/tasks/freshrss.yml | 2 +-
 roles/koillection/tasks/main.yml | 2 +-
 roles/shaarli/tasks/main.yml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/roles/firefly3/tasks/firefly3.yml b/roles/firefly3/tasks/firefly3.yml
index 9601da6..97ab0bc 100644
--- a/roles/firefly3/tasks/firefly3.yml
+++ b/roles/firefly3/tasks/firefly3.yml
@@ -22,7 +22,7 @@
 owner: root
 group: www-data
 mode: "a-rwx,u+rwX,g+rX"
- exclude: "{{ firefly3_userdata_app_dirs }}"
+ exclude: "{{ firefly3_userdata_app_dirs | map('regex_replace', '^', './') }}"
 - name: Put config file
 ansible.builtin.template:
diff --git a/roles/freshrss/tasks/freshrss.yml b/roles/freshrss/tasks/freshrss.yml
index 4221747..fa0643a 100644
--- a/roles/freshrss/tasks/freshrss.yml
+++ b/roles/freshrss/tasks/freshrss.yml
@@ -23,7 +23,7 @@
 group: www-data
 mode: "a-rwx,u+rwX,g+rX"
 extra_opts: ['--strip-components=1']
- exclude: "{{ freshrss_userdata_app_dirs }}"
+ exclude: "{{ freshrss_userdata_app_dirs | map('regex_replace', '^', 'FreshRSS-' ~ freshrss_version ~ '/') }}"
 ## Ensure the data dirs exist, populate them if not
 - name: Create data home
diff --git a/roles/koillection/tasks/main.yml b/roles/koillection/tasks/main.yml
index 4be1e76..0642a95 100644
--- a/roles/koillection/tasks/main.yml
+++ b/roles/koillection/tasks/main.yml
@@ -26,7 +26,7 @@
 group: www-data
 mode: "a-rwx,u+rwX,g+rX"
 extra_opts: ['--strip-components=1']
- exclude: "{{ koillection_userdata_app_dirs }}"
+ exclude: "{{ koillection_userdata_app_dirs | map('regex_replace', '^', 'public/') }}"
 - name: Put config file
 ansible.builtin.template:
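Review bot: Each role now carries its archive's leading path inline in the exclude expression (`'./'` here, `'FreshRSS-' ~ freshrss_version ~ '/'` in freshrss, `'public/'` in koillection, `'Shaarli/'` in shaarli), so four unarchive tasks differ only in that literal. A per-role var such as `firefly3_archive_prefix: "./"` declared next to `firefly3_userdata_app_dirs` would let every task use the same shape, `exclude: "{{ firefly3_userdata_app_dirs | map('regex_replace', '^', firefly3_archive_prefix) }}"`, and document the archive layout where the paths are declared. A one-line comment on the exclude saying that tar matches exclude patterns against the member name before `--strip-components` is applied would also explain why the prefix is needed, which the commit subject only hints at. The enclosing unarchive task starts above the hunk.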
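Review bot: The koillection prefix `'public/'` differs from the other three roles, which prepend the archive's top-level directory, and the koillection vars hunk earlier in this series lists `koillection_userdata_app_dirs` as `public/uploads`; unless that list changed in a patch not shown here, the filter now yields `public/public/uploads`, which matches nothing and silently stops excluding the uploads dir. If the intent is to anchor `uploads` under `public/` within the stripped tree, the var entry should drop its own `public/`; if the intent matches the sibling roles, the prefix here should be the archive's top-level directory. The enclosing unarchive task starts above the hunk.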
diff --git a/roles/shaarli/tasks/main.yml b/roles/shaarli/tasks/main.yml
index 6c0867e..5d9898f 100644
--- a/roles/shaarli/tasks/main.yml
+++ b/roles/shaarli/tasks/main.yml
@@ -23,7 +23,7 @@
 group: www-data
 mode: "a-rwx,u+rwX,g+rX"
 extra_opts: ['--strip-components=1']
- exclude: "{{ shaarli_userdata_app_dirs }}"
+ exclude: "{{ shaarli_userdata_app_dirs | map('regex_replace', '^', 'Shaarli/') }}"
 - name: Check writable dirs
 ansible.builtin.file:
-- 2.39.5