From 26c93c93159dafad03c501dafa0bb38da64a2091 Mon Sep 17 00:00:00 2001
From: Emilien Mantel
Date: Wed, 10 Aug 2016 21:29:03 +0200
Subject: [PATCH] Add owncloud and prevent nginx from dotdeb
---
 defaults/main.yml | 7 ++
 doc/vhost.md | 1 +
 templates/etc/nginx/sites-available/_base.j2 | 28 ++++----
 .../etc/nginx/sites-available/_owncloud.j2 | 69 +++++++++++++++++++
 tests/includes/post_Debian.yml | 5 +-
 tests/includes/pre_Debian.yml | 4 ++
 tests/test.yml | 3 +
 vars/main.yml | 5 +-
 8 files changed, 105 insertions(+), 17 deletions(-)
 create mode 100644 templates/etc/nginx/sites-available/_owncloud.j2
diff --git a/defaults/main.yml b/defaults/main.yml
index 0d10d2b..71e4f38 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -110,3 +110,10 @@ nginx_ssl_pairs: []
 nginx_dh: null
 nginx_dh_path: '{{ nginx_ssl_dir }}/dhparam.pem'
 nginx_dh_length: 2048
+
+# Extra
+
+# Note:
+# - On Debian, if you use Owncloud from Upstream repository, you must set this var to "/var/www/owncloud"
+# - TODO: force this var in vars/FreeBSD.yml
+nginx_owncloud_root: '/usr/share/owncloud'
diff --git a/doc/vhost.md b/doc/vhost.md
index bf52eeb..17f6936 100644
--- a/doc/vhost.md
+++ b/doc/vhost.md
@@ -41,6 +41,7 @@ Templates
 - `_dokuwiki`
 - `_redirect`: should not be called explicitly
 - `_nagios3`: access to Nagios3 (be careful: you need to install [fcgiwrap](https://packages.debian.org/jessie/fcgiwrap))
+- `_owncloud`: access to Owncloud (note: you must set `nginx_apt_package` to //nginx-extras//)
 - `_phalcon`: Phalcon PHP Framework
 - `_php`: PHP base template. Can work with many frameworks/tools
 - `_php_index`: Same as above. But you can only run index.php
diff --git a/templates/etc/nginx/sites-available/_base.j2 b/templates/etc/nginx/sites-available/_base.j2
index 9da738c..c30adcd 100644
--- a/templates/etc/nginx/sites-available/_base.j2
+++ b/templates/etc/nginx/sites-available/_base.j2
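Review bot: The default `nginx_owncloud_root: '/usr/share/owncloud'` added in the defaults/main.yml hunk disagrees with the `fastcgi_param HOME /var/www/owncloud;` and `fastcgi_param HTTP_HOME /var/www/owncloud;` lines that the new `_owncloud.j2` template hard-codes, so with the default value PHP is given a home directory that is not the served root. Either derive those parameters from the variable in the template, `fastcgi_param HOME {{ nginx_owncloud_root }};`, or extend the comment above the variable to say that the template assumes `/var/www/owncloud` for them. The TODO in the same comment presumably leaves FreeBSD on a Debian path until `vars/FreeBSD.yml` sets the variable.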
@@ -50,11 +50,13 @@ server { index {{ item.index | default('index.html index.htm') }}; {% endblock %} +{% block template_more %} {% if item.more is defined and item.more is iterable %} {% for line in item.more %} {{ line }} {% endfor %} {% endif %} +{% endblock %} {% if item.htpasswd is defined %} {{ htpasswd(item.htpasswd, 1) }} @@ -81,6 +83,19 @@ server { {% block template_custom_location %} {% endblock %} +{% if __location is iterable and __location | length > 0 %} + # --> Custom locations +{% for location, opts in __location.iteritems() %} + location {{ location }} { +{% for opt in opts %} +{% if opt.htpasswd is defined %}{{ htpasswd(opt.htpasswd, 2) }}{% else %} + {{ opt }} +{% endif %} +{% endfor %} + } +{% endfor %} # <-- Custom locations +{% endif %} + {% block template_local_content %} {% if item.manage_local_content is not defined or item.manage_local_content %} location ~ /\.ht { @@ -100,19 +115,6 @@ server { {% endif %} {% endblock %} -{% if __location is iterable and __location | length > 0 %} - # --> Custom locations -{% for location, opts in __location.iteritems() %} - location {{ location }} { -{% for opt in opts %} -{% if opt.htpasswd is defined %}{{ htpasswd(opt.htpasswd, 2) }}{% else %} - {{ opt }} -{% endif %} -{% endfor %} - } -{% endfor %} # <-- Custom locations -{% endif %} - {% if item.use_access_log is defined %} {% if item.use_access_log %} access_log {{ nginx_log_dir }}/{{ __main_name }}_access.log combined; diff --git a/templates/etc/nginx/sites-available/_owncloud.j2 b/templates/etc/nginx/sites-available/_owncloud.j2 new file mode 100644 index 0000000..9f30ca1 --- /dev/null +++ b/templates/etc/nginx/sites-available/_owncloud.j2 
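Review bot: Moving the `__location` loop above `{% block template_local_content %}` (second and third hunks of `_base.j2`) changes which rule wins for regex locations, and neither the template nor the docs say so. nginx uses the first matching regex location in file order, so a custom `~` location now takes precedence over the built-in `location ~ /\.ht` block; that block's body continues outside the hunk, so I am assuming it is a deny rule. If the override is intended, add a template comment above the loop such as `{# emitted before the built-in locations: a custom regex location overrides them, including the .ht rule #}` and mention it in `doc/vhost.md`. If it is not intended, the built-in block should stay ahead of the loop.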
@@ -0,0 +1,69 @@
+{% extends "_php.j2" %}
+
+{% block root %}
+ root {{ nginx_owncloud_root }};
+{% endblock %}
+
+{% block template_index %}
+ index index.php;
+{% endblock %}
+
+{% block more %}
+ error_page 403 /core/templates/403.php;
+ error_page 404 /core/templates/404.php;
+ gzip off;
+ client_max_body_size 10G;
+ fastcgi_buffers 64 4K;
+ rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
+ rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
+ rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
+{% endblock %}
+
+{% block template_headers %}
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-Download-Options noopen;
+ add_header X-Permitted-Cross-Domain-Policies none;
+ add_header X-Frame-Options SAMEORIGIN;
+{% endblock %}
+
+{% block template_upstream_location %}
+ location ~ /remote.php {
+ dav_methods PUT DELETE MKCOL COPY MOVE;
+ dav_ext_methods PROPFIND OPTIONS;
+ fastcgi_pass {{ php_upstream }};
+ fastcgi_param HOME /var/www/owncloud;
+ fastcgi_param HTTP_HOME /var/www/owncloud;
+ fastcgi_param PATH /usr/local/bin:/usr/bin:/bin;
+ fastcgi_param modHeadersAvailable true;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+{% if nginx_version.stdout | version_compare('1.6.1', 'lt') %}
+ include fastcgi_params;
+{% else %}
+ include fastcgi.conf;
+{% endif %}
+ }
+
+ location ~ \.php$ {
+ fastcgi_pass {{ php_upstream }};
+ fastcgi_index index.php;
+ fastcgi_param HOME /var/www/owncloud;
+ fastcgi_param HTTP_HOME /var/www/owncloud;
+ fastcgi_param PATH /usr/local/bin:/usr/bin:/bin;
+ fastcgi_param modHeadersAvailable true;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+{% if nginx_version.stdout | version_compare('1.6.1', 'lt') %}
+ include fastcgi_params;
+{% else %}
+ include fastcgi.conf;
+{% endif %}
+ }
+
+ location ~* \.(?:css|js)$ {
+ try_files $uri /index.php$uri$is_args$args;
+ add_header Cache-Control "public, max-age=7200";
+ expires 2h;
+ access_log off;
+ }
+{% endblock %} diff --git a/tests/includes/post_Debian.yml b/tests/includes/post_Debian.yml index e86270a..d3179bf 100644 --- a/tests/includes/post_Debian.yml +++ b/tests/includes/post_Debian.yml @@ -1,10 +1,11 @@ --- - name: APT | Install web apps - apt: pkg={{ item }} state=present + apt: pkg={{ item }} state=present install_recommends=no with_items: - - nagios3 - backuppc + - nagios3 + - owncloud - name: SERVICE | Ensure backuppc is started service: name=backuppc state=started diff --git a/tests/includes/pre_Debian.yml b/tests/includes/pre_Debian.yml index 06a6bc7..72851e6 100644 --- a/tests/includes/pre_Debian.yml +++ b/tests/includes/pre_Debian.yml @@ -8,6 +8,10 @@ apt_key: url='http://www.dotdeb.org/dotdeb.gpg' state=present - name: APT_REPOSITORY | Install dotdeb (PHP 7) apt_repository: repo='deb http://packages.dotdeb.org {{ ansible_distribution_release }} all' state=present + - name: LINEFILEFILE | Dotdeb priority (prevent install nginx from dotdeb) + copy: > + content="Package: *\nPin: release o=packages.dotdeb.org\nPin-Priority: 100" + dest=/etc/apt/preferences when: ansible_distribution_release == 'jessie' - name: APT | Install needed packages diff --git a/tests/test.yml b/tests/test.yml index 3efac2a..26d3d12 100644 --- a/tests/test.yml +++ b/tests/test.yml @@ -15,6 +15,7 @@ int_ansible_ssl_dir: '/etc/ansible-ssl' # Role vars nginx_worker_processes: 1 # Ansible+FreeBSD can't detect CPU number + nginx_apt_package: 'nginx-extras' nginx_backports: true nginx_php5: true nginx_php7: true @@ -189,6 +190,8 @@ template: '_base' ssl_name: 'test-ssl.local' redirect_https: true + - name: 'owncloud.local' + template: '_owncloud' nginx_dh_length: 1024 roles: - ../../ diff --git a/vars/main.yml b/vars/main.yml index 3fff0ba..419a315 100644 --- a/vars/main.yml +++ b/vars/main.yml 
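Review bot: Both PHP locations in `_owncloud.j2` pass the request to `{{ php_upstream }}` without checking that the script exists, and `location ~ /remote.php` is an unanchored regex with an unescaped dot, so it matches many more URIs than ownCloud's entry point. On an application that stores user uploads this is the setup in which a backend with `cgi.fix_pathinfo` enabled (not visible in this patch) can execute a file that is not a PHP script. I would anchor the first block as `location ~ ^/remote\.php(?:$|/) {` and add `try_files $fastcgi_script_name =404;` after each `fastcgi_split_path_info` line, then confirm PATH_INFO still reaches `remote.php`, because `try_files` resets `$fastcgi_path_info`. Separately, `{% block more %}` does not match the `template_more` block this commit adds to `_base.j2`; unless `_php.j2` defines a `more` block, Jinja ignores it silently and the `client_max_body_size`, `error_page` and rewrite lines are never rendered.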
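Review bot: The new `copy` task in tests/includes/pre_Debian.yml replaces `/etc/apt/preferences` wholesale, so any pin already in that file is lost; a drop-in such as `dest=/etc/apt/preferences.d/dotdeb` keeps the dotdeb pin isolated. The task label says `LINEFILEFILE` although the module is `copy`; `COPY | Dotdeb priority (prevent install nginx from dotdeb)` would match the module-name prefixes used by the other tasks. The content string has no trailing newline and relies on `\n` being unescaped inside key=value arguments, which is easier to get right with YAML-dict arguments and a `content: |` block. The pin lowers the priority of a repository whose key is fetched over plain `http://` on the context line above, which this commit leaves as is.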
@@ -28,9 +28,10 @@ nginx_dirs: - "{{ nginx_helper_dir }}" nginx_templates_no_dir: - - '_proxy' - - '_nagios3' - '_backuppc' + - '_nagios3' + - '_owncloud' + - '_proxy' nginx_upstream_php5: 'php5' nginx_upstream_php7: 'php7'