diff --git a/roles/collabora_code/README.md b/roles/collabora_code/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..0e1754c0b2026125c5dce3e5377e39c7b00fa499
--- /dev/null
+++ b/roles/collabora_code/README.md
@@ -0,0 +1,37 @@
+# site_statitque
+
+Installation d'une instance de collabora code via docker. Ce role ne devrait être utilisé qu'à travers un role nextcloud
+
+## Files created
+
+- `/etc/letsencrypt/live/{{ app_domain }}/` : certificats lets encrypt
+- `/home/collabora/{{ app_instance_id }}` : fichiers de log nginx et docker-compose
+- `/etc/nginx/sites-available/{{ app_instance_id }}.conf : fichier de conf nginx
+- `/etc/nginx/sites-enabled/{{ app_instance_id }}.conf : lien symbolique fichier de conf nginx
+
+## Files modified
+
+## Role dependency
+
+- _letsencrypt_certificate
+
+## Variables
+
+### Default
+
+ - code_domain: "{{ app_instance_id | replace('_','-') }}.code.paquerette.eu"
+ - app_instance_root: "/home/collabora/{{ app_instance_id }}"
+ - host_code: "vps11"
+
+### host_vars
+
+ - app_domain
+ - app_instance_id
+ - code_version
+
+## Custom instructions
+
+
+## Limitations and improvements
+
+Pour l'instant le role n'installe pas automatiquement l'extension dans nextcloud ni ne configure l'extension.
diff --git a/roles/collabora_code/defaults/main.yml b/roles/collabora_code/defaults/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..645cb3a07f81f984c800b46d55ae5293b1f6ae0b
--- /dev/null
+++ b/roles/collabora_code/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+# defaults file for site_static
+app_instance_root: "/home/collabora/{{ app_instance_id }}"
+code_domain: "{{ app_instance_id | replace('_','-') }}.code.paquerette.eu"
+host_code: "vps15"
diff --git a/roles/collabora_code/handlers/main.yml b/roles/collabora_code/handlers/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..09738691c63ac046aada7082ff976760307bb968
--- /dev/null
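Review bot: `host_code: "vps15"` in defaults/main.yml disagrees with the README in the same commit, which documents the default as `host_code: "vps11"`, so one of the two is wrong about where the container is placed. `code_port`, which both compose templates and nginx.j2 interpolate, has no default here and is not listed in the README's host_vars either, so a host that omits it fails at template time; add `code_port: <port>` to this file or document it as required. Note also that `app_instance_root` is re-declared in vars/main.yml with the same value, and role vars outrank this default and inventory, so the default as written can never be overridden.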
+++ b/roles/collabora_code/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+
+- name: reload nginx collabora
+ service: name=nginx state=reloaded
+
diff --git a/roles/collabora_code/meta/main.yml b/roles/collabora_code/meta/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..c572acc9f8b466bea50f2799b0ca1956418b862c
--- /dev/null
+++ b/roles/collabora_code/meta/main.yml
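Review bot: The `reload nginx collabora` handler carries no `delegate_to`, while every task that notifies it in install.yml and uninstall.yml is delegated to `{{ host_code }}`; the reload therefore runs on the play host rather than on the machine whose vhost and certificate just changed, and the new site is not served until someone reloads nginx by hand. Add `delegate_to: "{{ host_code }}"` to the handler. Prefer native YAML module args over the `key=value` string as well: `service:` / `name: nginx` / `state: reloaded`.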
@@ -0,0 +1,52 @@
+galaxy_info:
+ author: your name
+ description: your role description
+ company: your company (optional)
+
+ # If the issue tracker for your role is not on github, uncomment the
+ # next line and provide a value
+ # issue_tracker_url: http://example.com/issue/tracker
+
+ # Choose a valid license ID from https://spdx.org - some suggested licenses:
+ # - BSD-3-Clause (default)
+ # - MIT
+ # - GPL-2.0-or-later
+ # - GPL-3.0-only
+ # - Apache-2.0
+ # - CC-BY-4.0
+ license: license (GPL-2.0-or-later, MIT, etc)
+
+ min_ansible_version: 2.1
+
+ # If this a Container Enabled role, provide the minimum Ansible Container version.
+ # min_ansible_container_version:
+
+ #
+ # Provide a list of supported platforms, and for each platform a list of versions.
+ # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+ # To view available platforms and versions (or releases), visit:
+ # https://galaxy.ansible.com/api/v1/platforms/
+ #
+ # platforms:
+ # - name: Fedora
+ # versions:
+ # - all
+ # - 25
+ # - name: SomePlatform
+ # versions:
+ # - all
+ # - 1.0
+ # - 7
+ # - 99.99
+
+ galaxy_tags: []
+ # List tags for your role here, one per line. A tag is a keyword that describes
+ # and categorizes the role. Users find roles by searching for tags. Be sure to
+ # remove the '[]' above, if you add tags to this list.
+ #
+ # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+ # Maximum 20 tags per role.
+
+dependencies: []
+ # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+ # if you add dependencies to this list.
diff --git a/roles/collabora_code/tasks/install.yml b/roles/collabora_code/tasks/install.yml
new file mode 100644
index 0000000000000000000000000000000000000000..b509d99bedcab92622bafab441e104ab4ec6804b
--- /dev/null
+++ b/roles/collabora_code/tasks/install.yml
@@ -0,0 +1,62 @@
+---
+
+- name: create directory
+ file:
+ path: "{{ app_instance_root }}"
+ state: directory
+ delegate_to: "{{ host_code }}"
+ delegate_facts: true
+ tags:
+ - collabora
+
+- name: Create LetsEncrypt certificate
+ import_role:
+ name: _letsencrypt_certificate
+ vars:
+ app_domain: "{{ code_domain }}"
+ delegate_to: "{{ host_code }}"
+ delegate_facts: true
+
+- name: create log dir
+ file:
+ state: directory
+ path: "{{ app_instance_root }}"
+ delegate_to: "{{ host_code }}"
+ delegate_facts: true
+
+- name: nginx configuration
+ template:
+ src: nginx.j2
+ dest: "/etc/nginx/sites-available/{{ app_instance_id }}.conf"
+ notify: reload nginx collabora
+ delegate_to: "{{ host_code }}"
+ delegate_facts: true
+
+- name: "enable site for {{ app_domain }}"
+ file:
+ state: link
+ path: "/etc/nginx/sites-enabled/{{ app_instance_id }}.conf"
+ src: "/etc/nginx/sites-available/{{ app_instance_id }}.conf"
+ notify: reload nginx collabora
+ delegate_to: "{{ host_code }}"
+ delegate_facts: true
+
+- name: "copy docker-compose {{ app_instance_id }}"
+ template:
+ src: "docker-compose.j2"
+ dest: "{{ app_instance_root }}/docker-compose.yml"
+ tags:
+ - collabora_installation
+ delegate_to: "{{ host_code }}"
+ delegate_facts: true
+
+
+- name: "start collabora - docker compose"
+ docker_compose:
+ project_src: "{{ app_instance_root }}"
+ state: present
+ tags:
+ - collabora_installation
+ delegate_to: "{{ host_code }}"
+ delegate_facts: true
+
diff --git a/roles/collabora_code/tasks/main.yml b/roles/collabora_code/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..cca6795e1e7c42c82dfe8ee9655119208b5cb80e
--- /dev/null
+++ b/roles/collabora_code/tasks/main.yml
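Review bot: "create directory" and "create log dir" create the same `{{ app_instance_root }}` path, and neither sets `owner`/`mode`, so the compose file and the nginx access/error logs inherit whatever the root umask produces; merge them into one task with explicit ownership (e.g. `mode: "0750"` plus the account that should own the collabora instance) and give the templated nginx conf a `mode` as well. `delegate_facts: true` on tasks that gather no facts is a no-op and can be dropped throughout. `docker_compose` is the v1 module, deprecated upstream in favour of `docker_compose_v2`; if the target hosts already ship the compose plugin, switching avoids depending on the legacy docker-compose binary. The "enable site" task is named after `app_domain` although the vhost it enables is for `code_domain`, which is confusing in play output.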
@@ -0,0 +1,23 @@
+---
+# tasks file for site_static
+- import_tasks: install.yml
+ when: app_run in ['install', 'reinstall']
+ tags:
+ - collabora
+
+- import_tasks: upgrade.yml
+ when: app_run == 'upgrade'
+
+- import_tasks: uninstall.yml
+ when: app_run == 'uninstall'
+
+- name: update instance in prod list
+ import_role:
+ name: instance_prod
+ vars:
+ app_version: "{{ code_version }}"
+ role: "collabora_code"
+ app_domain: "{{ code_domain }}"
+ inventory_hostname: "{{ host_code }}"
+ delegate_to: "{{ host_code }}"
+ delegate_facts: true
diff --git a/roles/collabora_code/tasks/uninstall.yml b/roles/collabora_code/tasks/uninstall.yml
new file mode 100644
index 0000000000000000000000000000000000000000..41723fadf91eb0824cfda9063058d502cef68697
--- /dev/null
+++ b/roles/collabora_code/tasks/uninstall.yml
@@ -0,0 +1,43 @@
+---
+
+- name: "Stop collabora - docker compose"
+ docker_compose:
+ project_src: "{{ app_instance_root }}"
+ state: absent
+ remove_volumes: true
+ delegate_to: "{{ host_code }}"
+ delegate_facts: true
+ tags:
+ - code_installation
+
+- name: remove directory
+ file:
+ path: "{{ app_instance_root }}"
+ state: absent
+ delegate_to: "{{ host_code }}"
+ delegate_facts: true
+
+- name: removing LetsEncrypt certificate
+ import_role:
+ name: _letsencrypt_certificate
+ vars:
+ app_domain: "{{ code_domain }}"
+ delegate_to: "{{ host_code }}"
+ delegate_facts: true
+
+- name: nginx configuration
+ file:
+ state: absent
+ path: "/etc/nginx/sites-available/{{ app_instance_id }}.conf"
+ notify: reload nginx collabora
+ delegate_to: "{{ host_code }}"
+ delegate_facts: true
+
+- name: "disable site for {{ app_domain }}"
+ file:
+ state: absent
+ path: "/etc/nginx/sites-enabled/{{ app_instance_id }}.conf"
+ notify: reload nginx
+ delegate_to: "{{ host_code }}"
+ delegate_facts: true
+
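Review bot: Passing `inventory_hostname: "{{ host_code }}"` as a role var to instance_prod overrides an Ansible magic variable for every task that role imports; it only works as long as instance_prod keys its record on `inventory_hostname`, and it silently breaks any template in that role that expects the real target host. A dedicated variable such as `instance_host: "{{ host_code }}"` makes the intent explicit — I cannot see instance_prod here to confirm which name it reads. Separately, `tasks/update.yml` is committed as an empty file while main.yml dispatches `upgrade.yml`, so one of the two file names looks like a leftover; and the `when: app_run ...` conditions error if `app_run` is undefined, which `| default('install')` or a documented required var would avoid.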
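Review bot: The "disable site" task notifies `reload nginx`, but this role only defines `reload nginx collabora`; Ansible fails the play with an undefined-handler error as soon as that task reports changed, so the symlink removal is the last thing that ever runs. Fix the name and also reverse the order: remove the vhost and reload nginx (`meta: flush_handlers`) before the Let's Encrypt certificate is removed — as written, nginx still references `/etc/letsencrypt/live/{{ code_domain }}/` while the cert role deletes it, and a reload in that window fails the config test and can leave nginx running stale config. The `code_installation` tag on the stop task does not match the `collabora_installation` tag used by the rest of the role, so a tagged run skips it.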
diff --git a/roles/collabora_code/tasks/update.yml b/roles/collabora_code/tasks/update.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/roles/collabora_code/tasks/upgrade.yml b/roles/collabora_code/tasks/upgrade.yml
new file mode 100644
index 0000000000000000000000000000000000000000..289de56a944f0fcd8f7345b0a55c0c45258890db
--- /dev/null
+++ b/roles/collabora_code/tasks/upgrade.yml
@@ -0,0 +1,7 @@
+- name: "start collabora_code - docker compose"
+ docker_compose:
+ project_src: "{{ app_instance_root }}"
+ state: present
+ tags:
+ - collabora_code_installation
+
diff --git a/roles/collabora_code/templates/docker-compose.j2 b/roles/collabora_code/templates/docker-compose.j2
new file mode 100644
index 0000000000000000000000000000000000000000..2a03ed36996ef67279abd258f019d96f13151a1a
--- /dev/null
+++ b/roles/collabora_code/templates/docker-compose.j2
@@ -0,0 +1,16 @@
+services:
+ collabora:
+ image: collabora/code:{{ code_version }}
+ container_name: collabora
+ environment:
+ - "TZ=Europe/Paris"
+ - aliasgroup1={{ app_domain }}
+ - DONT_GEN_SSL_CERT=1
+ - serveur_name={{ code_domain }}
+ - "extra_params=--o:ssl.enable=false --o:ssl.termination=true"
+ ports:
+ - "{{ code_port }}:9980"
+ cap_add:
+ - MKNOD
+ restart:
+ unless-stopped
diff --git a/roles/collabora_code/templates/docker-compose.yml b/roles/collabora_code/templates/docker-compose.yml
new file mode 100644
index 0000000000000000000000000000000000000000..601e10cf1da322040bc2adb17b87c79c860961f0
--- /dev/null
+++ b/roles/collabora_code/templates/docker-compose.yml
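Review bot: Running `docker_compose` with `state: present` against the existing project upgrades nothing: the compose file on disk still carries the `code_version` rendered at install time and nothing pulls a newer image, so `app_run: upgrade` is a no-op. The task also lacks the `delegate_to: "{{ host_code }}"` that every other task in the role has, so it targets the nextcloud host, where `{{ app_instance_root }}` has no compose project. An upgrade needs to re-template `docker-compose.j2` to `{{ app_instance_root }}/docker-compose.yml` on `host_code`, then recreate the container — with the v1 module, `pull: true` and `recreate: smart` on this task.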
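Review bot: `- "{{ code_port }}:9980"` under `ports:` publishes the CODE backend on all interfaces, so the plaintext port (`ssl.enable=false`) and the admin console behind it are reachable from the internet directly, bypassing nginx, TLS and any access control in the vhost; bind it to loopback with `- "127.0.0.1:{{ code_port }}:9980"`, which is the only address nginx.j2 proxies to anyway. `serveur_name` is not a variable the collabora/code image reads — it expects `server_name` — so the container currently has no idea of its public hostname, and `aliasgroup1` is documented as a URL with scheme and port (`https://{{ app_domain }}:443`) rather than a bare host; both are worth checking against the image version pinned by `code_version`. `container_name: collabora` is fixed, so a second `app_instance_id` on the same `host_code` collides with the first; derive it from the instance id.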
@@ -0,0 +1,15 @@
+collabora:
+ image: collabora/code:{{ code_version }}
+ container_name: collabora
+ environment:
+ - "TZ=Europe/Paris"
+ - aliasgroup1={{ app_domain }}
+ - DONT_GEN_SSL_CERT=1
+ - serveur_name={{ code_domain }}
+ - "extra_params=--o:ssl.enable=false --o:ssl.termination=true"
+ ports:
+ - "{{ code_port }}:9980
+ cap_add:
+ - MKNOD
+ restart:
+ unless-stopped
diff --git a/roles/collabora_code/templates/nginx.j2 b/roles/collabora_code/templates/nginx.j2
new file mode 100644
index 0000000000000000000000000000000000000000..dfbd57204901612531d0432d2ad348434ad76bd2
--- /dev/null
+++ b/roles/collabora_code/templates/nginx.j2
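Review bot: `- "{{ code_port }}:9980` on the ports line has no closing quote, so this file is not valid YAML. It also looks like a stale copy of docker-compose.j2 in the compose v1 (top-level service) layout, and nothing in tasks/ references it — install.yml templates `docker-compose.j2`. Unless it is consumed elsewhere, delete it rather than fix it, so the container definition has a single source of truth and the port-binding and `serveur_name` problems only need correcting once.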
@@ -0,0 +1,104 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name {{ code_domain | mandatory }};
+ # enforce https
+ return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name {{ code_domain | mandatory }};
+
+ ssl_certificate /etc/letsencrypt/live/{{ code_domain }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ code_domain }}/privkey.pem;
+
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header X-Robots-Tag none;
+ add_header X-Download-Options noopen;
+ add_header X-Permitted-Cross-Domain-Policies none;
+ add_header Strict-Transport-Security "max-age=15768000";
+ add_header X-Frame-Options "ALLOW-FROM https://{{ app_domain }}" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header Referrer-Policy "no-referrer-when-downgrade" always;
+ add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
+
+
+ access_log {{ app_instance_root }}/access.log;
+ error_log {{ app_instance_root }}/error.log;
+
+ location = /favicon.ico { # Optional
+ log_not_found off;
+ access_log off;
+ }
+
+ location = /robots.txt { # Optional
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ location ~* \.(png|jpg|jpeg|gif|ico)$ { # Optional
+ expires max;
+ log_not_found off;
+ }
+
+ # static files
+ location ^~ /browser {
+ proxy_pass http://127.0.0.1:{{ code_port }};
+ proxy_set_header Host $http_host;
+ }
+
+
+
+ # WOPI discovery URL
+
+ location ^~ /hosting/discovery {
+ proxy_pass http://127.0.0.1:{{ code_port }};
+ proxy_set_header Host $http_host;
+ }
+
+
+
+ # Capabilities
+
+ location ^~ /hosting/capabilities {
+ proxy_pass http://127.0.0.1:{{ code_port }};
+ proxy_set_header Host $http_host;
+ }
+
+
+
+ # main websocket
+ location ~ ^/cool/(.*)/ws$ {
+ proxy_pass http://127.0.0.1:{{ code_port }};
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header Host $http_host;
+ proxy_read_timeout 36000s;
+ }
+
+
+
+ # download, presentation and image upload
+ location ~ ^/(c|l)ool {
+ proxy_pass http://127.0.0.1:{{ code_port }};
+ proxy_set_header Host $http_host;
+ }
+
+
+
+ # Admin Console websocket
+
+ location ^~ /cool/adminws {
+ proxy_pass http://127.0.0.1:{{ code_port }};
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header Host $http_host;
+ proxy_read_timeout 36000s;
+
+ }
+}
diff --git a/roles/collabora_code/vars/main.yml b/roles/collabora_code/vars/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..941b275590c65f3170ee41d2be6e5c84f6fd8df5
--- /dev/null
+++ b/roles/collabora_code/vars/main.yml
@@ -0,0 +1,3 @@
+---
+# vars file for collabora
+app_instance_root: "/home/collabora/{{ app_instance_id }}"
diff --git a/roles/nextcloud_instance/tasks/main.yml b/roles/nextcloud_instance/tasks/main.yml
index 51f4921139a993acc36d1217c9c0a33cde6a2a1e..5faa9009cfaadff5351a11b35e8f8a5c4fb9c1c7 100644
--- a/roles/nextcloud_instance/tasks/main.yml
+++ b/roles/nextcloud_instance/tasks/main.yml
@@ -21,3 +21,11 @@
 - import_role:
 name: instance_prod
+ tags:
+ - instance_prod
+
+- import_role:
+ name: collabora_code
+ when: collabora_code == True
+ tags:
+ - collabora
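Review bot: `location ^~ /cool/adminws` proxies the Collabora admin-console websocket on the public vhost with no `allow`/`deny`, and the console page itself lives under the `/browser` prefix that is proxied just above, so anyone on the internet can reach the admin login; put an `allow <admin-cidr>; deny all;` block on the adminws location (and on the admin page path if the image version in use serves it under `/browser/dist/admin/`), or drop the location if the console is not needed. The header block then undermines itself: `Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'"` permits everything, `X-Frame-Options "ALLOW-FROM …"` is ignored by current browsers, and `X-Content-Type-Options` is emitted twice; the supported way to restrict embedding to the Nextcloud instance is a `frame-ancestors https://{{ app_domain }}` directive inside the CSP. `Strict-Transport-Security` lacks `always`, so it is not sent on error responses. The `(c|l)ool` regex location is also declared after the `^~` prefix ones, which is fine for nginx precedence but worth a comment since the websocket regex above it must match first.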
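Review bot: `app_instance_root` is defined here in vars/main.yml with exactly the value already in defaults/main.yml; role `vars/` outrank inventory, host_vars and play vars, so this copy makes the path impossible to override from inventory and turns the default into dead configuration. Keep only the defaults/main.yml entry — the README lists it under "Default" — and delete this file, or leave it with just `---` if the role layout expects it to exist.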
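Review bot: `when: collabora_code == True` raises an undefined-variable error on every nextcloud host that does not set `collabora_code`, so the change is not opt-in for existing hosts as presumably intended; use `when: collabora_code | default(false) | bool`. The `| bool` also accepts string values such as `"yes"` or `"true"` coming from inventory, which a strict `== True` comparison silently treats as false. The enclosing task list starts before this hunk.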