From eda567fc8185f55e43b5455b450a44952eb01a06 Mon Sep 17 00:00:00 2001
From: Erik Stambaugh
Date: Sun, 2 Jan 2022 18:32:29 -0800
Subject: [PATCH] Autoconfigure admin password; Fix MariaDB encryption problem

---
 .gitignore | 1 +
 Makefile | 2 +-
 nextcloud.tf | 18 +++++++++
 roles/nextcloud/files/nginx.conf | 9 +++--
 roles/nextcloud/tasks/main.yaml | 34 +++++++++-
 .../{files => templates}/docker-compose.yaml | 40 +++++++++----------
 6 files changed, 76 insertions(+), 28 deletions(-)
 rename roles/nextcloud/{files => templates}/docker-compose.yaml (62%)

diff --git a/.gitignore b/.gitignore
index f1ee8b4..792f4bb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@ terraform.tfstate*
 .infracost
 privkey.pem
 inventory.ini
+roles/nextcloud/files/adminpass
diff --git a/Makefile b/Makefile
index 6dfde5e..3d3d449 100644
--- a/Makefile
+++ b/Makefile
@@ -11,9 +11,9 @@ setup:
 	$(eval INSTANCE := $(shell terraform output instance_id | sed -e 's/"//g'))
 	$(eval PUBLIC_IP := $(shell terraform output public_ip | sed -e 's/"//g'))
 	chmod 600 privkey.pem
-	timeout --foreground 300 bash -c -- 'until $(SSH) $(INSTANCE) "/bin/true"; do sleep 0.5; done'
 
 ansible: setup
+	timeout --foreground 300 bash -c -- 'until $(SSH) $(INSTANCE) "/bin/true"; do sleep 0.5; done'
 	$(SSH) $(INSTANCE) "which -a ansible || (sudo apt-get update && sudo apt-get -y install ansible)"
 	sed \
 		-e 's/{{INSTANCE}}/$(INSTANCE)/' \
diff --git a/nextcloud.tf b/nextcloud.tf
index f3dde6c..66d2600 100644
--- a/nextcloud.tf
+++ b/nextcloud.tf
@@ -179,6 +179,23 @@ module "records" {
   depends_on = [module.zone]
 }
 
+## generate admin password
+
+resource "random_password" "admin" {
+  length = 20
+  special = true
+  lower = true
+  upper = true
+  number = true
+}
+
+resource "local_file" "adminpass" {
+  content = random_password.admin.result
+  filename = "roles/nextcloud/files/adminpass"
+}
+
+## outputs
+
 output "instance_id" {
   value = aws_instance.nextcloud.id
 }
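Review bot: `local_file.adminpass` writes the generated admin password to disk with the resource's default permissions (0777 before umask, per the local provider's documentation) and nothing in the hunk narrows them, so the file is readable by every local user on a typical umask; add `file_permission = "0600"` to the resource. The value is also kept in plain text in the Terraform state, and because it is passed as `content` it appears in plan and apply output, so the provider's `sensitive_content` argument (or its sensitive-file resource, if the provider version in use offers one) is the better fit. The `.gitignore` entry added in the first hunk keeps the generated file itself out of the repository, consistent with the existing `terraform.tfstate*` entry.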
@@ -189,3 +206,4 @@ output "nameservers" {
   value = module.zone.route53_zone_name_servers
 }
 
+
diff --git a/roles/nextcloud/files/nginx.conf b/roles/nextcloud/files/nginx.conf
index dc08b3e..d8f4b13 100644
--- a/roles/nextcloud/files/nginx.conf
+++ b/roles/nextcloud/files/nginx.conf
@@ -10,9 +10,9 @@ events {
     worker_connections 1024;
 }
 http {
-    upstream backend {
-        server app;
-    }
+#    upstream backend {
+#        server nextcloud;
+#    }
 
     server {
         listen 80;
@@ -75,11 +75,12 @@ http {
     gunzip on;
 
     location @nextcloud {
-        proxy_pass http://backend;
+        proxy_pass http://nextcloud;
     }
 
     location / {
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Host $host;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
 
diff --git a/roles/nextcloud/tasks/main.yaml b/roles/nextcloud/tasks/main.yaml
index 0c42a85..c2027fc 100644
--- a/roles/nextcloud/tasks/main.yaml
+++ b/roles/nextcloud/tasks/main.yaml
@@ -80,10 +80,40 @@
 
 # ---
 
+#- name: adminpass file
+#  copy:
+#    src: files/adminpass
+#    dest: /tmp/adminpass
+#
+#- name: create docker secrets
+#  shell: docker secret create nextcloud_admin_password - < /tmp/adminpass
+#
+#- name: create other docker secrets
+#  shell: "echo '{item.value}' | docker secret create {item.key} -"
+#  with_items:
+#    - key: nextcloud_admin_user
+#      value: b4rry
+#    - key: mysql_user
+#      value: nextcloud
+#    - key: mysql_host
+#      value: db
+#    - key: mysql_db
+#      value: nextcloud
+#    - key: mysql_root_password
+#      value: s00p3rs3krit
+
 - name: nextcloud docker-compose
-  copy:
-    src: files/docker-compose.yaml
+  template:
+    src: templates/docker-compose.yaml
     dest: /srv/nextcloud/docker-compose.yaml
+  vars:
+    nextcloud_admin_password: "{{ lookup('file', 'files/adminpass') }}"
+    nextcloud_admin_user: b4rry
+    mysql_host: nextcloud_db
+    mysql_db: nextcloud
+    mysql_user: nextcloud
+    mysql_password: s00p3rs3krit
+    mysql_root_password: s00p3rs3krit
   register: dockercompose
 
 - name: nextcloud nginx.conf
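Review bot: The `upstream backend` block in the `http` hunk is kept as three commented-out lines instead of being removed, while the second nginx hunk points `proxy_pass` straight at `http://nextcloud`; the dead block names a different server than the live directive and will only drift further, so delete the `#    upstream backend {` … `#    }` lines rather than commenting them. The enclosing `http` block continues past the hunk.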
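Review bot: The `location /` block now forwards `X-Forwarded-For` and the new `X-Forwarded-Host`, but not `X-Forwarded-Proto`, so if TLS is terminated at this nginx (the compose file publishes 443 on the `web` service) Nextcloud cannot tell the request arrived over https and will generate http links and redirects; add `proxy_set_header X-Forwarded-Proto $scheme;` next to the new line. Nextcloud honours these headers only from addresses covered by `TRUSTED_PROXIES`, which the compose change sets, so the two settings need to be kept in step. The enclosing `server` block starts and ends outside the hunk.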
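Review bot: The rendered `/srv/nextcloud/docker-compose.yaml` now carries the admin password and both MariaDB passwords, but the `template` task sets no `mode`, so the file takes the target's default permissions; add `mode: "0600"` (and an explicit `owner`) under `template:`. The MariaDB root and application user both use the literal `s00p3rs3krit` in the task's `vars`, in contrast to the admin password that is now generated and read with `lookup('file', 'files/adminpass')`; generating those two the same way, or keeping them in an Ansible Vault, would remove the last hard-coded credentials from the repository. The 21 commented-out lines above the task repeat that same literal password alongside the abandoned Docker-secrets approach; deleting them rather than commenting keeps the secret out of one more place.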
diff --git a/roles/nextcloud/files/docker-compose.yaml b/roles/nextcloud/templates/docker-compose.yaml
similarity index 62%
rename from roles/nextcloud/files/docker-compose.yaml
rename to roles/nextcloud/templates/docker-compose.yaml
index d68c086..1198c17 100644
--- a/roles/nextcloud/files/docker-compose.yaml
+++ b/roles/nextcloud/templates/docker-compose.yaml
@@ -2,39 +2,39 @@
 version: '2'
 
 
-volumes:
-  nextcloud:
-  db:
-
 services:
   db:
     container_name: nextcloud_db
     image: mariadb
     restart: unless-stopped
-    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
+    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --innodb_read_only_compressed=OFF
     volumes:
-      - db:/var/lib/mysql
+      - /srv/nextcloud/db:/var/lib/mysql
     environment:
-      - MYSQL_ROOT_PASSWORD=s00p3rs3krit
-      - MYSQL_PASSWORD=s00p3rs3krit
-      - MYSQL_DATABASE=nextcloud
-      - MYSQL_USER=nextcloud
+      - "MYSQL_ROOT_PASSWORD={{mysql_root_password}}"
+      - "MYSQL_USER={{mysql_user}}"
+      - "MYSQL_PASSWORD={{mysql_password}}"
+      - "MYSQL_DATABASE={{mysql_db}}"
 
   app:
     container_name: nextcloud
     image: nextcloud
     restart: unless-stopped
-    ports:
-      - 8080:80
-    links:
-      - db
     volumes:
-      - nextcloud:/var/www/html
+      - /srv/nextcloud/www:/var/www/html
     environment:
-      - MYSQL_PASSWORD=s00p3rs3krit
-      - MYSQL_DATABASE=nextcloud
-      - MYSQL_USER=nextcloud
-      - MYSQL_HOST=db
+      - "NEXTCLOUD_ADMIN_USER={{nextcloud_admin_user}}"
+      - "NEXTCLOUD_ADMIN_PASSWORD={{nextcloud_admin_password | replace("$","$$") }}"
+      - "MYSQL_DATABASE={{mysql_db}}"
+      - "MYSQL_PASSWORD={{mysql_password}}"
+      - "MYSQL_USER={{mysql_user}}"
+      - "MYSQL_HOST={{mysql_host}}"
+      - "TRUSTED_PROXIES=172.0.0.0/8"
+      - "NEXTCLOUD_TRUSTED_DOMAINS=cloud.stoopid.club nextcloud"
+      - "NEXTCLOUD_UPDATE=1"
+#    entrypoint: sh -c "sleep 5; /entrypoint.sh php-fpm"
+    depends_on:
+      - db
 
   web:
     container_name: nginx
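Review bot: `TRUSTED_PROXIES=172.0.0.0/8` is far wider than the compose network the `web` container sits on: the /8 spans public address space, whereas Docker's default address pools are inside 172.16.0.0/12, and anything that reaches the app container from an address in the trusted range can set `X-Forwarded-For`/`X-Forwarded-Host` and have Nextcloud believe it. Narrow it to the project's network subnet, `172.16.0.0/12` at most or, better, the specific subnet declared for the compose network. The `replace("$","$$")` filter on `NEXTCLOUD_ADMIN_PASSWORD` is there because compose interpolates `$` in environment values; the `MYSQL_*` values get no such escaping, which holds only while they remain static literals and will break as soon as they are generated like the admin password, so apply the same filter to them now. The service definitions continue past the hunk.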
@@ -43,8 +43,6 @@ services:
     ports:
       - "80:80"
       - "443:443"
-    links:
-      - app
     volumes:
       - /srv/nextcloud/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
       - /srv/nextcloud/nginx/conf.d:/etc/nginx/conf.d:ro