diff --git a/.gitignore b/.gitignore
index c393c8d255e59d9f109cddafe552b6eed58f8315..1a462a90288af7d6738adad5c078c6681c58a583 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,10 +2,6 @@
 .idea
 *.iml
-# docker config files
-docker-compose.yml
-.env
-
-# data for the local installation
-config-dynamic/
-volumes/
+# ansible files
+inventory
+credentials/
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000000000000000000000000000000000000..960a7c40fd58f72b093e88b620a40b401affae52
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,5 @@
+[defaults]
+inventory=inventory
+
+[ssh_connection]
+pipelining = True
diff --git a/ansible.yml b/ansible.yml
new file mode 100644
index 0000000000000000000000000000000000000000..c6b82371df4a2f0e4441881d94d32cf0d81020c9
--- /dev/null
+++ b/ansible.yml
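Review bot: Dropping `docker-compose.yml` and `.env` from the ignore list makes any rendered compose or env file left in a developer's checkout from the previous workflow eligible for `git add`, and `.env` is the file that carries every password. The new templates live under `templates/docker-compose/` and ansible.yml writes the rendered copies to `/mnt/repo-base/` on the target, so the two root-level entries cost nothing to keep. Suggest retaining `docker-compose.yml` and `.env` next to the new `inventory` and `credentials/` entries.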
@@ -0,0 +1,213 @@
+---
+- hosts: all
+
+ # Install python if required
+ # https://www.josharcher.uk/code/ansible-python-connection-failure-ubuntu-server-1604/
+ gather_facts: False
+ pre_tasks:
+ - name: install python for Ansible
+ raw: test -e /usr/bin/python || (apt -y update && apt install -y python-minimal python-setuptools)
+ args:
+ executable: /bin/bash
+ register: output
+ changed_when: output.stdout != ""
+ - setup: # gather facts
+
+ tasks:
+ - name: install dependencies
+ apt:
+ pkg: ['apt-transport-https', 'ca-certificates', 'curl', 'software-properties-common', 'apache2-utils',
+ 'docker.io', 'docker-compose', 'gnupg2', 'pass', 'certbot', 'dnsutils']
+
+ - name: detect if ecloud selfhosting is already installed (compatibility with old versions)
+ shell: ls /mnt/repo-base/.git/ /mnt/repo-base/volumes/nextcloud/config/config.php && touch /mnt/repo-base/config-dynamic/.installation-complete
+ args:
+ creates: /mnt/repo-base/config-dynamic/.installation-complete
+ ignore_errors: yes
+ register: installation_complete_result
+
+ - name: fetch existing passwords from server
+ block:
+ - name: fetch env file to read passwords
+ fetch:
+ src: /mnt/repo-base/.env
+ dest: credentials/env
+ flat: yes
+
+ - name: create credentials folder
+ shell: mkdir -p credentials/{{ inventory_hostname }}/
+ delegate_to: localhost
+
+ - name: read variables from env file and write to credentials folder
+ shell: grep {{ item.env_var }} credentials/env | cut -d '=' -f2 > credentials/{{ inventory_hostname }}/{{ item.credentials_var }}
+ delegate_to: localhost
+ with_items:
+ - { env_var: 'RSPAMD_PASSWORD', credentials_var: 'rspamd_password' }
+ #- { env_var: 'NEXTCLOUD_ADMIN_USER', credentials_var: 'nextcloud_admin_user' }
+ - { env_var: 'NEXTCLOUD_ADMIN_PASSWORD', credentials_var: 'nextcloud_admin_password' }
+ - { env_var: 'MYSQL_USER_NC', credentials_var: 'mysql_user_nextcloud' }
+ - { env_var: 'MYSQL_PASSWORD_NC', credentials_var: 'mysql_password_nextcloud' }
+ - { env_var: 
'MYSQL_DATABASE_NC', credentials_var: 'mysql_database_nextcloud' }
+ - { env_var: 'SMTP_PW', credentials_var: 'smtp_password' }
+ - { env_var: 'MYSQL_ROOT_PASSWORD', credentials_var: 'mysql_root_password' }
+ - { env_var: 'DBPASS', credentials_var: 'postfix_database_password' }
+ - { env_var: 'DRIVE_SMTP_PASSWORD', credentials_var: 'drive_smtp_password' }
+ - { env_var: 'POSTFIXADMIN_SSH_PASSWORD', credentials_var: 'postfixadmin_ssh_password' }
+ - { env_var: 'CREATE_ACCOUNT_PASSWORD', credentials_var: 'create_account_password' }
+ - { env_var: 'PFA_SUPERADMIN_PASSWORD', credentials_var: 'pfa_superadmin_password' }
+
+ - name: remove local copy of env file
+ command: rm credentials/env
+ delegate_to: localhost
+ when: installation_complete_result is changed # meaning that an existing ecloud installation was found on the server
+
+ - name: create folders
+ file: path={{item.path}} state=directory owner={{item.owner}}
+ with_items:
+ - { path: '/mnt/repo-base/', owner: root}
+ - { path: '/mnt/repo-base/volumes/', owner: root }
+ - { path: '/mnt/repo-base/volumes/nextcloud/config/', owner: www-data }
+ - { path: '/mnt/repo-base/volumes/nextcloud/data/rainloop-storage/_data_/_default_/domains/', owner: www-data }
+ - { path: '/mnt/repo-base/config-static/', owner: root }
+ - { path: '/mnt/repo-base/config-static/mail/', owner: root }
+ - { path: '/mnt/repo-base/config-static/nginx/', owner: root }
+ - { path: '/mnt/repo-base/config-dynamic/', owner: root }
+ - { path: '/mnt/repo-base/config-dynamic/automx/', owner: root }
+ - { path: '/mnt/repo-base/config-dynamic/letsencrypt/', owner: root }
+ - { path: '/mnt/repo-base/config-dynamic/nginx/', owner: root }
+ - { path: '/mnt/repo-base/scripts/', owner: root }
+ - { path: '/mnt/repo-base/config-dynamic/letsencrypt/autorenew', owner: root }
+ - { path: '/mnt/repo-base/config-dynamic/nginx/sites-enabled', owner: root }
+ - { path: '/mnt/repo-base/volumes/accounts/', owner: www-data }
+
+ # NOTE: This does not delete files 
that have been deleted from the repo, need to do that manually.
+ - name: copy static config files
+ copy:
+ src: config-static/
+ dest: /mnt/repo-base/config-static/
+
+ - name: copy scripts
+ copy:
+ src: scripts/
+ dest: /mnt/repo-base/scripts/
+ mode: 0755
+
+ - name: generate random usernames if they dont exist
+ shell: if [ ! -e "credentials/{{ inventory_hostname }}/{{ item.name }}" ]; then echo "{{ item.prefix }}{{ item.random_id }}" > "credentials/{{ inventory_hostname }}/{{ item.name }}"; fi
+ delegate_to: localhost
+ vars:
+ mysql_user_nextcloud: "{{ lookup('password', '/dev/null chars=ascii_letters,digits length=4') }}"
+ nextcloud_admin_user: "{{ lookup('password', '/dev/null chars=ascii_letters,digits length=4') }}"
+ mysql_database_nextcloud: "{{ lookup('password', '/dev/null chars=ascii_letters,digits length=4') }}"
+ with_items:
+ - { name: "mysql_user_nextcloud", prefix: 'nc_', random_id: "{{ mysql_user_nextcloud }}" }
+ - { name: "nextcloud_admin_user", prefix: 'ncadmin_', random_id: "{{ nextcloud_admin_user }}" }
+ - { name: "mysql_database_nextcloud", prefix: 'ncdb_', random_id: "{{ mysql_database_nextcloud }}" }
+
+ - name: add all template files
+ template: src={{item.src}} dest={{item.dest}} force={{item.force}} owner={{item.owner}} mode={{item.mode}}
+ with_items:
+ - { src: 'templates/docker-compose/env', dest: '/mnt/repo-base/.env', force: yes, owner: root, mode: '0600' }
+ - { src: 'templates/automx/automx.conf', dest: '/mnt/repo-base/config-dynamic/automx/automx.conf', force: yes, owner: www-data, mode: '0644' }
+ - { src: 'templates/nextcloud/config.php', dest: '/mnt/repo-base/volumes/nextcloud/config/config.php', force: no, owner: www-data, mode: '0644' }
+ - { src: 'templates/rainloop/domain-config.ini', dest: '/mnt/repo-base/volumes/nextcloud/data/rainloop-storage/_data_/_default_/domains/{{ domain }}.ini', force: yes, owner: www-data, mode: '0644' }
+ - { src: 'templates/letsencrypt/ssl-domains.dat', dest: 
'/mnt/repo-base/config-dynamic/letsencrypt/autorenew/ssl-domains.dat', force: yes, owner: root, mode: '0644' }
+ - { src: 'templates/docker/docker-daemon.json', dest: '/etc/docker/daemon.json', force: no, owner: root, mode: '0644' }
+ vars:
+ rspamd_password: "{{ lookup('password', 'credentials/{{ inventory_hostname }}/rspamd_password chars=ascii_letters,digits') }}"
+ nextcloud_admin_password: "{{ lookup('password', 'credentials/{{ inventory_hostname }}/nextcloud_admin_password chars=ascii_letters,digits') }}"
+ mysql_password_nextcloud: "{{ lookup('password', 'credentials/{{ inventory_hostname }}/mysql_password_nextcloud chars=ascii_letters,digits') }}"
+ smtp_password: "{{ lookup('password', 'credentials/{{ inventory_hostname }}/smtp_password chars=ascii_letters,digits') }}"
+ mysql_root_password: "{{ lookup('password', 'credentials/{{ inventory_hostname }}/mysql_root_password chars=ascii_letters,digits') }}"
+ postfix_database_password: "{{ lookup('password', 'credentials/{{ inventory_hostname }}/postfix_database_password chars=ascii_letters,digits') }}"
+ drive_smtp_password: "{{ lookup('password', 'credentials/{{ inventory_hostname }}/drive_smtp_password chars=ascii_letters,digits') }}"
+ postfixadmin_ssh_password: "{{ lookup('password', 'credentials/{{ inventory_hostname }}/postfixadmin_ssh_password chars=ascii_letters,digits') }}"
+ create_account_password: "{{ lookup('password', 'credentials/{{ inventory_hostname }}/create_account_password chars=ascii_letters,digits') }}"
+ pfa_superadmin_password: "{{ lookup('password', 'credentials/{{ inventory_hostname }}/pfa_superadmin_password chars=ascii_letters,digits') }}"
+ mysql_user_nextcloud: "{{ lookup('file', 'credentials/{{ inventory_hostname }}/mysql_user_nextcloud') }}"
+ nextcloud_admin_user: "{{ lookup('file', 'credentials/{{ inventory_hostname }}/nextcloud_admin_user') }}"
+ mysql_database_nextcloud: "{{ lookup('file', 'credentials/{{ inventory_hostname }}/mysql_database_nextcloud') }}"
+
+ - name: add 
nginx config files
+ template: src=templates/nginx/sites-enabled/{{item.src}} dest=/mnt/repo-base/config-dynamic/nginx/sites-enabled/{{item.dest}}
+ with_items:
+ - { src: 'autoconfig.conf', dest: 'autodiscover.{{ domain }}.conf', service: 'autodiscover' }
+ - { src: 'autoconfig.conf', dest: 'autoconfig.{{ domain }}.conf', service: 'autoconfig' }
+ - { src: 'nextcloud.conf', dest: 'nextcloud.conf' }
+ - { src: 'postfixadmin.conf', dest: 'postfixadmin.conf' }
+ - { src: 'rspamd.conf', dest: 'rspamd.conf' }
+ - { src: 'welcome.conf', dest: 'welcome.conf' }
+
+ - name: add onlyoffice nginx config file
+ template: src=templates/nginx/sites-enabled/onlyoffice.conf dest=/mnt/repo-base/config-dynamic/nginx/sites-enabled/onlyoffice.conf
+ when: install_onlyoffice
+
+ - name: generate docker-compose.yml with onlyoffice
+ copy: content={{ compose }} dest=/mnt/repo-base/docker-compose.yml
+ vars:
+ - { compose: "{{ lookup('file', 'templates/docker-compose/01-docker-compose-base.yml') }}\n{{ lookup('file', 'templates/docker-compose/02-docker-compose-onlyoffice.yml') }}\n{{ lookup('file', 'templates/docker-compose/03-docker-compose-networks.yml') }}\n" }
+ when: install_onlyoffice
+
+ - name: generate docker-compose.yml without onlyoffice
+ copy: content={{ compose }} dest=/mnt/repo-base/docker-compose.yml
+ vars:
+ - { compose: "{{ lookup('file', 'templates/docker-compose/01-docker-compose-base.yml') }}\n{{ lookup('file', 'templates/docker-compose/03-docker-compose-networks.yml') }}\n" }
+ when: not install_onlyoffice
+
+ - name: request letsencrypt certificates
+ command: "bash /mnt/repo-base/scripts/ssl-renew.sh creates=/mnt/repo-base/config-dynamic/letsencrypt/certstore/live/{{item.domain}}/privkey.pem"
+ with_items:
+ - { domain: '{{domain}}' }
+ - { domain: 'autoconfig.{{domain}}' }
+ - { domain: 'autodiscover.{{domain}}' }
+ - { domain: 'mail.{{domain}}' }
+ - { domain: 'spam.{{domain}}' }
+ - { domain: 'welcome.{{domain}}' }
+
+ - name: add welcome config file
+ file:
+ 
path: /mnt/repo-base/volumes/accounts/auth.file.done
+ state: touch
+ owner: www-data
+ modification_time: preserve
+ access_time: preserve
+
+ - name: enable and start docker service
+ systemd:
+ name: docker
+ enabled: yes
+ state: started
+
+ - name: start docker-compose
+ docker_compose:
+ project_src: /mnt/repo-base/
+ state: present
+ pull: yes
+ restarted: yes
+
+ # NOTE: It is not possible to get realtime output from ansible tasks.
+ # https://github.com/ansible/ansible/issues/3887#issuecomment-54672569
+ # TODO: fails with error Access denied for user 'root'@'localhost' (using password: YES)
+ # TODO: this works fine: MYSQL_RANDOM_ROOT_PASSWORD=yes
+ # TODO: also works when passing password directly, without var
+ - name: run postinstall script (this will take a while)
+ command: bash /mnt/repo-base/scripts/postinstall.sh
+ args:
+ creates: /mnt/repo-base/config-dynamic/.installation-complete
+
+ - name: remove unneeded lines from crontab
+ lineinfile: regexp={{item.regexp}} path=/var/spool/cron/crontabs/root state=absent
+ with_items:
+ - { regexp: 'Lines below here are managed by Salt, do not edit' }
+ - { regexp: 'SALT_CRON_IDENTIFIER:check-updates' }
+ - { regexp: 'SALT_CRON_IDENTIFIER:refresh-tls-certs' }
+ - { regexp: 'SALT_CRON_IDENTIFIER:sync-emails' }
+ - { regexp: 'bash /mnt/repo-base/scripts/sync-emails.sh' }
+ - { regexp: 'bash /mnt/repo-base/scripts/check-update.sh' }
+
+ - name: renew certbot certificates
+ cron:
+ special_time=daily
+ name=ssl-renew
+ job="bash /mnt/repo-base/scripts/ssl-renew.sh >> /mnt/repo-base/volumes/letsencrypt/letsencrypt-cron.log 2>&1"
+
diff --git a/inventory.example b/inventory.example
new file mode 100644
index 0000000000000000000000000000000000000000..82404501317f107e36b86d4a4972c0ea4603d3bb
--- /dev/null
+++ b/inventory.example
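Review bot: The `fetch env file to read passwords` task writes every host's `.env` to the same controller-side path `credentials/env` (`flat: yes`), and since Ansible completes each task on all hosts before starting the next, with more than one host in the inventory the later `grep` and `rm credentials/env` steps operate on whichever copy was fetched last, so a host can be handed another server's secrets. Use a per-host destination, `dest: credentials/{{ inventory_hostname }}/env`, and point the `grep` and `rm` commands at that path. The extraction should also anchor on the variable name and keep everything after the first `=`, `grep '^{{ item.env_var }}=' credentials/env | cut -d '=' -f2-`, since the current unanchored substring match would pick up any line that merely contains the name and `-f2` truncates a value that itself contains `=`. If the play aborts between the fetch and the `remove local copy of env file` task, the complete plaintext `.env` stays on the controller; moving that removal into an `always:` section of the block closes the window. The bare-variable conditionals `when: install_onlyoffice` / `when: not install_onlyoffice` are more robust as `install_onlyoffice | bool`, because INI inventory values such as `install_onlyoffice=False` arrive as strings.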
@@ -0,0 +1,8 @@
+[ecloud-selfhosting]
+# define the username and hostname that you use for ssh connection, and specify the domain
+myuser@example.com domain=example.com install_onlyoffice=True/False contact_email=your@email.com
+# you can also use a host that is defined in your ssh config
+myserver domain=example.com install_onlyoffice=True/False contact_email=your@email.com
+
+[all:vars]
+ansible_connection=ssh
diff --git a/scripts/postinstall.sh b/scripts/postinstall.sh
index 7d30ad498e86d5c8b3d6aa5ecef7f61a7169e9ab..84de862f18606f927bfa81040371ca316b288605 100755
--- a/scripts/postinstall.sh
+++ b/scripts/postinstall.sh
@@ -3,6 +3,16 @@
 set -e
 source /mnt/repo-base/scripts/base.sh
+echo -e "\nHack: restart everything to ensure that database and nextcloud are initialized"
+docker-compose restart
+
+printf "$(date): Waiting for Nextcloud to finish installation"
+# sleep for 300 seconds
+for i in {0..300}; do
+ sleep 1
+ printf "."
+done
+
 # Create Nextcloud mysql database and user
 docker-compose exec -T mariadb mysql --user=root --password="$MYSQL_ROOT_PASSWORD" \
 -e "CREATE USER '$MYSQL_USER_NC'@'%' IDENTIFIED BY '$MYSQL_PASSWORD_NC';"
@@ -65,6 +75,8 @@ echo -e "\n\n\n"
 echo -e "Please add the following records to your domain's DNS configuration:\n"
 find /mnt/repo-base/volumes/mail/dkim/ -maxdepth 1 -mindepth 1 -type d | while read line; do DOMAIN=$(basename $line); echo " - DKIM record (TXT) for $DOMAIN:" && cat $line/public.key; done
+touch "config-dynamic/.installation-complete"
+
 echo "================================================================================================================================="
 echo "================================================================================================================================="
 echo "Your logins:"
diff --git a/templates/automx/automx.conf b/templates/automx/automx.conf
index 8c69952ab92cde571995fe37195eb272520d70be..7b33f306ea637a771c25cb1b47d1b38583c8f657 100644
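Review bot: The wait added after `docker-compose restart` is a blind fixed delay: `for i in {0..300}` runs 301 iterations (the comment says 300), it keeps waiting when the services are already up, and if they are still initialising when it ends, the `CREATE USER` statement that follows aborts the script under `set -e`. Polling whatever readiness signal the stack exposes (for example retrying the existing `docker-compose exec -T mariadb mysql ...` call until it succeeds, with a bounded retry count) would be more reliable than a fixed sleep and would make the comment and the loop bound agree. Unrelated to correctness, `printf "$(date): ..."` passes command output as the printf format string; `printf '%s: Waiting for Nextcloud to finish installation' "$(date)"` avoids that.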
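Review bot: The new `touch "config-dynamic/.installation-complete"` uses a path relative to the current directory, while the `creates:` guard on the `run postinstall script` task in ansible.yml checks `/mnt/repo-base/config-dynamic/.installation-complete`; unless `base.sh` changes directory (not visible here), the marker lands in the invoking user's working directory, the guard never fires, and the script re-runs on every play. Write the marker with the absolute path, `touch /mnt/repo-base/config-dynamic/.installation-complete`, or give the Ansible task `chdir: /mnt/repo-base` in its `args`. The marker is also only reached if every earlier command succeeds, which is the intended behaviour under `set -e` but worth a short comment above the line.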
--- a/templates/automx/automx.conf
+++ b/templates/automx/automx.conf
@@ -1,7 +1,7 @@
 # file: /etc/automx.conf
 [automx]
-provider = @@@DOMAIN@@@
+provider = {{ domain }}
 domains = *
 #debug = yes
@@ -37,7 +37,7 @@ action = settings
 #sign_key = /certs/autodiscover.eelo.io.key
 smtp = yes
-smtp_server = mail.@@@DOMAIN@@@
+smtp_server = mail.{{ domain }}
 smtp_port = 587
 smtp_encryption = starttls
 smtp_auth = plaintext
@@ -46,7 +46,7 @@ smtp_refresh_ttl = 6
 smtp_default = yes
 imap = yes
-imap_server = mail.@@@DOMAIN@@@
+imap_server = mail.{{ domain }}
 imap_port = 993
 imap_encryption = ssl
 imap_auth = plaintext
diff --git a/templates/docker-compose/docker-compose-base.yml b/templates/docker-compose/01-docker-compose-base.yml
similarity index 98%
rename from templates/docker-compose/docker-compose-base.yml
rename to templates/docker-compose/01-docker-compose-base.yml
index 866834e9033d4d9710eeb126c61f4bd1b0f18233..b71c81760a9194683d3c31aa7ccbd0a9c26fdbf7 100644
--- a/templates/docker-compose/docker-compose-base.yml
+++ b/templates/docker-compose/01-docker-compose-base.yml
@@ -66,7 +66,6 @@ services:
 - MYSQL_PASSWORD=${DBPASS}
 volumes:
 - /mnt/repo-base/volumes/mysql/db:/var/lib/mysql
- - /mnt/repo-base/config-dynamic/nextcloud/database:/docker-entrypoint-initdb.d
 redis:
 image: redis:5.0-alpine
diff --git a/templates/docker-compose/docker-compose-onlyoffice.yml b/templates/docker-compose/02-docker-compose-onlyoffice.yml
similarity index 100%
rename from templates/docker-compose/docker-compose-onlyoffice.yml
rename to templates/docker-compose/02-docker-compose-onlyoffice.yml
diff --git a/templates/docker-compose/docker-compose-networks.yml b/templates/docker-compose/03-docker-compose-networks.yml
similarity index 100%
rename from templates/docker-compose/docker-compose-networks.yml
rename to templates/docker-compose/03-docker-compose-networks.yml
diff --git a/templates/docker-compose/env b/templates/docker-compose/env
new file mode 100644
index 0000000000000000000000000000000000000000..5b2caf34835f15624cced092d7d3de51fec2545d
--- /dev/null
+++ b/templates/docker-compose/env
@@ -0,0 +1,26 @@
+ALT_EMAIL={{ contact_email }}
+INSTALL_ONLYOFFICE={{ install_onlyoffice }}
+RSPAMD_PASSWORD={{ rspamd_password }}
+NEXTCLOUD_ADMIN_USER={{ nextcloud_admin_user }}
+NEXTCLOUD_ADMIN_PASSWORD={{ nextcloud_admin_password }}
+MYSQL_USER_NC={{ mysql_user_nextcloud }}
+MYSQL_PASSWORD_NC={{ mysql_password_nextcloud }}
+MYSQL_DATABASE_NC={{ mysql_database_nextcloud }}
+SMTP_PW={{ smtp_password }}
+PFDB_DB=postfix
+PFDB_USR=postfix
+MYSQL_ROOT_PASSWORD={{ mysql_root_password }}
+DBPASS={{ postfix_database_password }}
+DRIVE_SMTP_PASSWORD={{ drive_smtp_password }}
+POSTFIXADMIN_SSH_PASSWORD={{ postfixadmin_ssh_password }}
+CREATE_ACCOUNT_PASSWORD={{ create_account_password }}
+PFA_SUPERADMIN_PASSWORD={{ pfa_superadmin_password }}
+ENABLE_POP3=false
+DISABLE_RATELIMITING=false
+DBA_USER=phpmyadmin
+DOMAIN={{ domain }}
+ADD_DOMAINS={{ domain }}
+VHOSTS_ACCOUNTS=welcome.{{ domain }}
+SMTP_FROM=welcome@{{ domain }}
+SMTP_HOST=mail.{{ domain }}
+VIRTUAL_HOST=autoconfig.{{ domain }},autodiscover.{{ domain }}
diff --git a/deployment/salt/base/docker-daemon.json b/templates/docker/docker-daemon.json
similarity index 75%
rename from deployment/salt/base/docker-daemon.json
rename to templates/docker/docker-daemon.json
index 242c7069576e23360592b15fa710a27d059c784d..88efca4f24a0090fc33486898693756afe370f02 100644
--- a/deployment/salt/base/docker-daemon.json
+++ b/templates/docker/docker-daemon.json
@@ -1,7 +1,7 @@
 {
 "log-driver": "json-file",
 "log-opts": {
- "max-size": "50m",
+ "max-size": "250m",
 "max-file": "4"
 }
 }
diff --git a/templates/letsencrypt/ssl-domains.dat b/templates/letsencrypt/ssl-domains.dat
new file mode 100644
index 0000000000000000000000000000000000000000..ca9a803d31a61386e255b47d914e482eabcb4950
--- /dev/null
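Review bot: `INSTALL_ONLYOFFICE={{ install_onlyoffice }}` writes the inventory value verbatim, and the example inventory spells it `True/False`, whereas the neighbouring flags `ENABLE_POP3` and `DISABLE_RATELIMITING` are written as lowercase `false`; whichever form the consumer of this file expects (not visible here), rendering it as `INSTALL_ONLYOFFICE={{ install_onlyoffice | bool | lower }}` makes the output independent of how the operator typed the inventory value. The same variable drives `when: install_onlyoffice` in ansible.yml, where `| bool` is likewise the safer form because INI inventory values are strings.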
+++ b/templates/letsencrypt/ssl-domains.dat
@@ -0,0 +1,6 @@
+{{ domain }}
+autoconfig.{{ domain }}
+autodiscover.{{ domain }}
+mail.{{ domain }}
+spam.{{ domain }}
+welcome.{{ domain }}
diff --git a/templates/mail/update-notification.txt b/templates/mail/update-notification.txt
deleted file mode 100644
index 04d42f8f2889cfb7d1d08e89166b8480c819a205..0000000000000000000000000000000000000000
--- a/templates/mail/update-notification.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Subject:Update available for @@@DOMAIN@@@
-A new update is available. Please login via ssh and run the following
-command:
-
-bash /mnt/repo-base/scripts/update.sh
diff --git a/templates/nextcloud/config.php b/templates/nextcloud/config.php
index 1883133781ac3e0ac2e4979448aa636763bf981a..9f8b066b8797d5146eb2af7149c7ca2676e75ab3 100644
--- a/templates/nextcloud/config.php
+++ b/templates/nextcloud/config.php
@@ -1,6 +1,6 @@ 'https://mail.@@@DOMAIN@@@/users/password-recover.php',
+ 'lost_password_link' => 'https://mail.{{ domain }}/users/password-recover.php',
 'htaccess.RewriteBase' => '/',
 'memcache.local' => '\OC\Memcache\APCu',
 'memcache.locking' => '\OC\Memcache\Redis',
@@ -25,20 +25,20 @@ $CONFIG = array (
 ),
 'trusted_domains' => array (
- 0 => '@@@DOMAIN@@@',
+ 0 => '{{ domain }}',
 ),
 'datadirectory' => '/var/www/html/data',
- 'overwrite.cli.url' => 'https://@@@DOMAIN@@@',
+ 'overwrite.cli.url' => 'https://{{ domain }}',
 'overwriteprotocol' => 'https',
 'mysql.utf8mb4' => true,
 'maintenance' => true,
 'mail_from_address' => 'drive',
 'mail_smtpmode' => 'smtp',
 'mail_smtpauthtype' => 'PLAIN',
- 'mail_domain' => '@@@DOMAIN@@@',
+ 'mail_domain' => '{{ domain }}',
 'mail_smtpauth' => 1,
- 'mail_smtphost' => 'mail.@@@DOMAIN@@@',
- 'mail_smtpname' => 'drive@@@@DOMAIN@@@',
+ 'mail_smtphost' => 'mail.{{ domain }}',
+ 'mail_smtpname' => 'drive@{{ domain }}',
 'mail_smtppassword' => '@@@DRIVE_SMTP_PASSWORD@@@',
 'mail_smtpport' => '587',
 'mail_smtpsecure' => 'tls',
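Review bot: `'mail_smtppassword' => '@@@DRIVE_SMTP_PASSWORD@@@',` (the context line near the end of this hunk) still carries the old placeholder syntax while every other value in the file is converted to Jinja, so once Ansible's template module renders this file the literal string `@@@DRIVE_SMTP_PASSWORD@@@` becomes the SMTP password and Nextcloud's outgoing-mail authentication fails. The task that renders this template already defines `drive_smtp_password` in its `vars`, so the line should become `'mail_smtppassword' => '{{ drive_smtp_password }}',`. The `$CONFIG` array continues outside this hunk.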
@@ -48,9 +48,9 @@ $CONFIG = array (
 'db_type' => 'mariadb',
 'db_host' => 'mariadb',
 'db_port' => '3306',
- 'db_name' => '@@@PFDB_DB@@@',
- 'db_user' => '@@@PFDB_USR@@@',
- 'db_password' => '@@@DBPASS@@@',
+ 'db_name' => '{{ mysql_database_nextcloud }}',
+ 'db_user' => '{{ mysql_user_nextcloud }}',
+ 'db_password' => '{{ mysql_password_nextcloud }}',
 'mariadb_charset' => 'utf8mb4',
 'queries' => array (
diff --git a/templates/nginx/sites-enabled/autoconfig.conf b/templates/nginx/sites-enabled/autoconfig.conf
index b203a0bf75ad079972f3cac9563a53b3c7b0552a..8589dc923f854995f5467bb338822ed88e2962b5 100644
--- a/templates/nginx/sites-enabled/autoconfig.conf
+++ b/templates/nginx/sites-enabled/autoconfig.conf
@@ -1,6 +1,6 @@
 server {
 listen 8000;
- server_name @@@SERVICE@@@.@@@DOMAIN@@@;
+ server_name {{ item.service }}.{{ domain }};
 location /.well-known/acme-challenge/ {
 alias /etc/letsencrypt/acme-challenge/.well-known/acme-challenge/;
 }
@@ -11,10 +11,10 @@ server {
 server {
 listen 4430 ssl http2;
- server_name @@@SERVICE@@@.@@@DOMAIN@@@;
+ server_name {{ item.service }}.{{ domain }};
- ssl_certificate /certs/live/@@@SERVICE@@@.@@@DOMAIN@@@/fullchain.pem;
- ssl_certificate_key /certs/live/@@@SERVICE@@@.@@@DOMAIN@@@/privkey.pem;
+ ssl_certificate /certs/live/{{ item.service }}.{{ domain }}/fullchain.pem;
+ ssl_certificate_key /certs/live/{{ item.service }}.{{ domain }}/privkey.pem;
 include /etc/nginx/params/ssl_params;
 include /etc/nginx/params/headers_params;
diff --git a/templates/nginx/sites-enabled/nextcloud.conf b/templates/nginx/sites-enabled/nextcloud.conf
index f8aebf5c55f6c2204460141d2eb52ad52f261217..220eba19f71456e340d7406915dce83999c8f7d8 100644
--- a/templates/nginx/sites-enabled/nextcloud.conf
+++ b/templates/nginx/sites-enabled/nextcloud.conf
@@ -3,8 +3,9 @@ upstream php-handler {
 }
 server {
+<<<<<<< HEAD
 listen 8000;
- server_name @@@DOMAIN@@@;
+ server_name {{ domain }};
 location /.well-known/acme-challenge/ {
 alias /etc/letsencrypt/acme-challenge/.well-known/acme-challenge/;
 }
@@ -15,10 +16,10 @@ server {
 server {
 listen 4430 ssl http2;
- server_name @@@DOMAIN@@@;
+ server_name {{ domain }};
- ssl_certificate /certs/live/@@@DOMAIN@@@/fullchain.pem;
- ssl_certificate_key /certs/live/@@@DOMAIN@@@/privkey.pem;
+ ssl_certificate /certs/live/{{ domain }}/fullchain.pem;
+ ssl_certificate_key /certs/live/{{ domain }}/privkey.pem;
 include /etc/nginx/params/ssl_params;
 # We include these headers directly because some are already set by Nextcloud.
diff --git a/templates/nginx/sites-enabled/onlyoffice.conf b/templates/nginx/sites-enabled/onlyoffice.conf
index 25d70591d2a506f02773b96cc17446bcb991186c..9d42cbe077247672df793e412943359f40b1fa1f 100644
--- a/templates/nginx/sites-enabled/onlyoffice.conf
+++ b/templates/nginx/sites-enabled/onlyoffice.conf
@@ -1,6 +1,6 @@
 server {
 listen 8000;
- server_name office.@@@DOMAIN@@@;
+ server_name office.{{ domain }};
 location /.well-known/acme-challenge/ {
 alias /etc/letsencrypt/acme-challenge/.well-known/acme-challenge/;
 }
@@ -11,10 +11,10 @@ server {
 server {
 listen 4430 ssl http2;
- server_name office.@@@DOMAIN@@@;
+ server_name office.{{ domain }};
- ssl_certificate /certs/live/office.@@@DOMAIN@@@/fullchain.pem;
- ssl_certificate_key /certs/live/office.@@@DOMAIN@@@/privkey.pem;
+ ssl_certificate /certs/live/office.{{ domain }}/fullchain.pem;
+ ssl_certificate_key /certs/live/office.{{ domain }}/privkey.pem;
 include /etc/nginx/params/ssl_params;
 include /etc/nginx/params/headers_params;
diff --git a/templates/nginx/sites-enabled/postfixadmin.conf b/templates/nginx/sites-enabled/postfixadmin.conf
index 714bef3fa2d8d17dd1dccfe8f2c3a15c5f41ce54..010872bb17c5d776ef20784f1d69cc4282b0d2af 100644
--- a/templates/nginx/sites-enabled/postfixadmin.conf
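Review bot: The added line `<<<<<<< HEAD` directly after `server {` in the first nextcloud.conf hunk is a leftover merge-conflict marker, and nginx will reject the rendered site configuration as soon as it reaches that line, taking the whole Nextcloud vhost down with it. Delete that line; the rest of the hunk only swaps the `@@@DOMAIN@@@` placeholder for `{{ domain }}` like the other nginx templates. The matching `=======` and `>>>>>>>` markers do not appear in either hunk shown here, so the remainder of the file should be checked for them as well.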
+++ b/templates/nginx/sites-enabled/postfixadmin.conf
@@ -1,6 +1,6 @@
 server {
 listen 8000;
- server_name mail.@@@DOMAIN@@@;
+ server_name mail.{{ domain }};
 location /.well-known/acme-challenge/ {
 alias /etc/letsencrypt/acme-challenge/.well-known/acme-challenge/;
 }
@@ -11,10 +11,10 @@ server {
 server {
 listen 4430 ssl http2;
- server_name mail.@@@DOMAIN@@@;
+ server_name mail.{{ domain }};
- ssl_certificate /certs/live/mail.@@@DOMAIN@@@/fullchain.pem;
- ssl_certificate_key /certs/live/mail.@@@DOMAIN@@@/privkey.pem;
+ ssl_certificate /certs/live/mail.{{ domain }}/fullchain.pem;
+ ssl_certificate_key /certs/live/mail.{{ domain }}/privkey.pem;
 include /etc/nginx/params/ssl_params;
 include /etc/nginx/params/headers_params;
diff --git a/templates/nginx/sites-enabled/rspamd.conf b/templates/nginx/sites-enabled/rspamd.conf
index 067b466a7dd628bbfaa1af1e817a981c5ee76f48..0925e2446d35342921109f961e63fbdf143918c7 100644
--- a/templates/nginx/sites-enabled/rspamd.conf
+++ b/templates/nginx/sites-enabled/rspamd.conf
@@ -1,6 +1,6 @@
 server {
 listen 8000;
- server_name spam.@@@DOMAIN@@@;
+ server_name spam.{{ domain }};
 location /.well-known/acme-challenge/ {
 alias /etc/letsencrypt/acme-challenge/.well-known/acme-challenge/;
 }
@@ -11,10 +11,10 @@ server {
 server {
 listen 4430 ssl http2;
- server_name spam.@@@DOMAIN@@@;
+ server_name spam.{{ domain }};
- ssl_certificate /certs/live/spam.@@@DOMAIN@@@/fullchain.pem;
- ssl_certificate_key /certs/live/spam.@@@DOMAIN@@@/privkey.pem;
+ ssl_certificate /certs/live/spam.{{ domain }}/fullchain.pem;
+ ssl_certificate_key /certs/live/spam.{{ domain }}/privkey.pem;
 include /etc/nginx/params/ssl_params;
 include /etc/nginx/params/headers_params;
diff --git a/templates/nginx/sites-enabled/welcome.conf b/templates/nginx/sites-enabled/welcome.conf
index 25baf3f9981a56ee79ab3cf5a507fb4e6333ac93..5886eca8e03fa6fd2d75290006c882d20657ff91 100644
--- a/templates/nginx/sites-enabled/welcome.conf
+++ b/templates/nginx/sites-enabled/welcome.conf
@@ -1,6 +1,6 @@
 server {
 listen 8000;
- server_name welcome.@@@DOMAIN@@@;
+ server_name welcome.{{ domain }};
 location /.well-known/acme-challenge/ {
 alias /etc/letsencrypt/acme-challenge/.well-known/acme-challenge/;
 }
@@ -11,10 +11,10 @@ server {
 server {
 listen 4430 ssl http2;
- server_name welcome.@@@DOMAIN@@@;
+ server_name welcome.{{ domain }};
- ssl_certificate /certs/live/welcome.@@@DOMAIN@@@/fullchain.pem;
- ssl_certificate_key /certs/live/welcome.@@@DOMAIN@@@/privkey.pem;
+ ssl_certificate /certs/live/welcome.{{ domain }}/fullchain.pem;
+ ssl_certificate_key /certs/live/welcome.{{ domain }}/privkey.pem;
 include /etc/nginx/params/ssl_params;
 include /etc/nginx/params/headers_params;
diff --git a/uninstall.yml b/uninstall.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f9fc921544a652f351118d54175ec36250a1a397
--- /dev/null
+++ b/uninstall.yml
@@ -0,0 +1,51 @@
+---
+- hosts: all
+
+ vars_prompt:
+
+ - name: confirm_uninstall
+ prompt: "Do you really want to uninstall ecloud? This will delete all data and can not be reverted [yes/no]"
+ private: no
+
+ - name: delete_certs
+ prompt: "Delete certificates? Select 'no' if you want to reinstall ecloud [yes/no]"
+ private: no
+
+ tasks:
+ - name: end play if no confirmation was given
+ debug:
+ msg: "Uninstall cancelled, doing nothing"
+ when: not confirm_uninstall|bool
+
+ - meta: end_play
+ when: not confirm_uninstall|bool
+
+ - name: stop docker-compose
+ docker_compose:
+ project_src: /mnt/repo-base/
+ state: absent
+
+ - name: delete data
+ file: path={{item.path}} state=absent
+ with_items:
+ - { path: '/mnt/repo-base/docker-compose.yml'}
+ - { path: '/mnt/repo-base/volumes/'}
+ - { path: '/mnt/repo-base/config-static/' }
+ - { path: '/mnt/repo-base/scripts/' }
+ - { path: '/mnt/repo-base/config-dynamic/.installation-complete' }
+ - { path: '/mnt/repo-base/config-dynamic/automx/' }
+ - { path: '/mnt/repo-base/config-dynamic/letsencrypt/autorenew/' }
+ - { path: '/mnt/repo-base/config-dynamic/letsencrypt/acme-challenge/' }
+ - { path: '/mnt/repo-base/config-dynamic/nextcloud/' }
+ - { path: '/mnt/repo-base/config-dynamic/nginx/' }
+
+ - name: delete entire ecloud folder
+ file: path='/mnt/repo-base/' state=absent
+ when: delete_certs|bool
+
+ - name: remove certbot cronjob
+ cron:
+ name=ssl-renew
+ state=absent
+
+# TODO: might want to remove docker and other packages, but we dont know if they are used elsewhere
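Review bot: `stop docker-compose` runs unconditionally, so a second run of this playbook (for example after a partial failure) will presumably fail on the already-deleted `/mnt/repo-base/docker-compose.yml` before any cleanup task is reached; guarding it with a `stat` of that file, or adding `ignore_errors: yes` to that one task, keeps the play re-entrant. As a point of style, the `delete data` loop wraps every path in a one-key flow mapping (`{ path: '...'}`, with inconsistent spacing before the closing brace) only to read it back as `{{item.path}}`; a plain list of paths with `file: path={{ item }} state=absent` is equivalent and easier to scan.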