nextcloud
nextcloud-reloaded branch: Issues when deploying non-locally
I'm using this role to spin up nextcloud on Ubuntu 20.04 LTS with the latest nextcloud (v 20.0.0), where the control node is my desktop and the managed node is a VM with the fqdn of "nc.test".
There's a few issues/improvements I'd like to discuss, and I've broken them down below.
[Disclaimer: I thought these issues were related to something else at first, but I've realized almost of all of them are from deploying non-locally. I've edited this issue to reflect the problems I've encountered and my attempts to rectify them.]
1.) Wrong configuration in config.php to access redis over a socket?
The configuration in /var/www/nextcloud/config/config.php (which I believe is set from vars in group_vars/all.yml and a template in the redis role) gives

```php
'redis' =>
array (
  'host' => "{{ hostvars[groups['redis'][0]].ansible_default_ipv4.address }}",
  'port' => 6379,
  'timeout' => 0,
  'password' => 'abcdefg',
),
```
When installing on my setup, with Redis and Nextcloud running on the same machine, I believe the configuration should render to the following, so that redis is connected via a unix socket.
```php
'redis' =>
array (
  'host' => "/run/redis/redis.sock",
  'port' => 0,
  'timeout' => 0,
  'password' => 'abcdefg',
),
```
2.) Wrong user added to redis group?
Second, the permissions of the redis socket are set to 770. In the group_vars/all.yml file, the web user is set to nginx for Debian-type operating systems; this user is subsequently added to the redis group in roles/redis/tasks/main.yml.

I believe this is a mistake; as far as I can tell, user nginx does not need to be in the redis group, while www-data does.

I'm not familiar with php, but I believe php-fpm runs as www-data (given the configuration files under /etc/php/7.4/fpm), and I think this is what is accessing Redis.
Changing the configuration to meet these two requirements allows nextcloud to run successfully.
3.) Use APCu for local caching and Redis for distributed?
The latest administration docs recommend using APCu for local caching and Redis for distributed caching and file locks.
I suggest that, given the setup above, the entries in config.php should look like

```php
'memcache.local' => '\OC\Memcache\APCu',
'memcache.distributed' => '\OC\Memcache\Redis',
'memcache.locking' => '\OC\Memcache\Redis',
'redis' => [
  'host' => '/run/redis/redis.sock',
  'port' => 0,
  'timeout' => 0,
  'password' => 'abcdefg',
],
```
4.) TLS certificate generation succeeds, but debug check fails
The first time the playbook is run, the debug check fails on lookup of /etc/ssl/private/nc.test/ca.cert.
1.)
Since I was not using "localhost" as the name of the node in the inventory, but "nc.test", I need to change the following lines in roles/nextcloud/default/main.yml from

```yaml
- "redis host --value='{% if groups['redis'][0] == 'localhost' %}{{ redis_socket.path }}{% else %}{{ redis_tcp.address }}{% endif %}'"
- "redis port --value='{% if groups['redis'][0] == 'localhost' %}0{% else %}{{ redis_tcp.port }}{% endif %}' --type=integer"
```

to

```yaml
- "redis host --value='{% if groups['redis'][0] == groups['webserver'][0] %}{{ redis_socket.path }}{% else %}{{ redis_tcp.address }}{% endif %}'"
- "redis port --value='{% if groups['redis'][0] == groups['webserver'][0] %}0{% else %}{{ redis_tcp.port }}{% endif %}' --type=integer"
```

so that the proper values are applied.
2.)
The issue here is that the backup: true option is given to the configure php task in roles/php/tasks/main.yml. The backed up file is superseding the www.conf file, because it appears alphabetically later in the /etc/php/7.4/pool.d/ directory, which is globbed by the line

```ini
include={{ php_www_conf[ansible_distribution] | dirname }}/*.conf
```

in roles/php/templates/php-fpm.conf.j2. Changing this to

```ini
include={{ php_www_conf[ansible_distribution] | dirname }}/www.conf
```

resolves the issue (but may break other installations).
4.)
Changing the debug from "lookup" (which looks up on the control machine) to a call to the stat ansible module fixes this. Then, using slurp on both the certificate CA and certificate file to create a full chain certificate gets you the rest of the way there.
Before I do some more testing and submit a pull request, I should ask:
@ReinerNippes, are you interested in making this playbook suitable for non-local deployment? I thought my issues here were related to something else at first, but then realized that I was just using it in a way that wasn't originally intended.
If so, I'll do some testing to make sure that everything still works for local deployment.
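An added example, not code from the issue or the ReinerNippes/nextcloud playbook: a small pre-flight model of the two decisions argued in items 1 and 2 above. It picks the Redis transport the way the corrected Jinja condition does (unix socket only when the first `redis` host is the same inventory host as the first `webserver` host, TCP otherwise) and checks whether a given user can actually connect to a 0770 socket, which needs write permission on the socket inode for the user php-fpm runs as. The inventory groups, users, socket path and modes in it are constructed sample values, not the playbook's own defaults.

```python
"""Pre-flight model for the Redis transport and socket permission decisions.

Added example; not code from the ReinerNippes/nextcloud playbook. All
inventory groups, users, paths and modes are constructed sample values.
"""
import stat
from typing import Dict, List, Tuple


def redis_settings(groups: Dict[str, List[str]], socket_path: str,
                   tcp_address: str, tcp_port: int) -> Tuple[str, int]:
    """Return the (host, port) pair Nextcloud's config.php should receive.

    Mirrors the corrected template: compare the redis host with the
    webserver host instead of the hard-coded string 'localhost'.
    Port 0 tells Nextcloud that 'host' is a unix socket path.
    """
    redis_host = groups["redis"][0]
    web_host = groups["webserver"][0]
    if redis_host == web_host:
        return socket_path, 0
    return tcp_address, tcp_port


def can_connect(mode: int, owner: str, group: str,
                user: str, user_groups: List[str]) -> bool:
    """True if `user` may connect() to a unix socket with these permissions.

    Standard Unix class selection: owner bits if the user owns the socket,
    otherwise group bits if the user is a member of the socket's group,
    otherwise the 'other' bits. Connecting requires the write bit of the
    selected class, so with 0770 a user outside the redis group is refused
    no matter which *other* user (e.g. nginx) was added to that group.
    """
    if user == owner:
        return bool(mode & stat.S_IWUSR)
    if group in user_groups:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def render_redis_block(host: str, port: int, password: str) -> str:
    """Render the 'redis' entry of config.php for the chosen transport.

    The password is emitted inside single quotes, so it must not itself
    contain a single quote or backslash.
    """
    return (
        "'redis' => [\n"
        f"  'host' => '{host}',\n"
        f"  'port' => {port},\n"
        "  'timeout' => 0,\n"
        f"  'password' => '{password}',\n"
        "],"
    )


if __name__ == "__main__":
    # Constructed inventory: Redis and the web server on the same VM.
    groups = {"redis": ["nc.test"], "webserver": ["nc.test"]}
    host, port = redis_settings(groups, "/run/redis/redis.sock",
                                "10.0.0.5", 6379)
    print(render_redis_block(host, port, "CHANGE_ME"))

    # Constructed socket facts: owned redis:redis, mode 0770, as in the issue.
    for user, member_of in (("nginx", ["nginx", "redis"]),
                            ("www-data", ["www-data"]),
                            ("www-data", ["www-data", "redis"])):
        ok = can_connect(0o770, "redis", "redis", user, member_of)
        print(f"{user:9} in {member_of}: {'can' if ok else 'cannot'} connect")
```

Run it on a host after the play to compare the rendered block with what `occ config:list system` reports, and feed `can_connect` the pool `user =` from www.conf rather than the nginx user from group_vars, since that is the identity that opens the socket.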
Hi Peter,
the original intention was to be able to install Nextcloud also in a distributed environment. That is to say, to have Redis, DB, Office and so on on different machines (or e.g. use AWS RDS).
Therefore you find in the inventory (and the playbook) each "service" assigned to a "server" or a group of servers.
https://github.com/ReinerNippes/nextcloud/blob/485394d3859629e20cd4d689259c19dc63daa0c3/inventory#L111
The bad news: that's not yet finished. And I'm not sure if it will ever be. In terms of: if two or more Redis machines are defined, install a HA Redis cluster.
I successfully ran some tests installing Redis and the database on separate machines. But I think I never ran the "nextcloud" play on a non-localhost machine.
Which of your items would be related to the fact that you try to run the play on "nc.net" instead of localhost?
Hi Reiner, thanks for your response!
Items 1 and 4 were related to not deploying locally.
For Item 1.)
The first issue was that the fqdn of "localhost" was hardcoded -- the comparison was `groups['redis'][0] == 'localhost'` rather than something like `groups['redis'][0] == groups['webserver'][0]`, which, given a single redis server and single web-server, works fine.
For Item 4.)
The fourth item used the "lookup" plugin to ensure that a certificate was generated successfully -- but "lookup" only looks on the control node. Changing this to a "stat" ansible module fixes the problem.
Items 2 and 3 were different issues.
Hi Peter,
- redis socket & 3. APCu cache should be fixed now.
https://github.com/ReinerNippes/nextcloud/blob/nextcloud-reloaded/roles/nextcloud/defaults/main.yml
- nginx user: on my test Ubuntu system both nginx and php-fpm are running as nginx, not www-data. www-data, however, is the standard apache user. So I think it should work this way.
The other two items I have to check still. Or do you have already a PR for them?
Thanks for your contribution.
Sorry for reviving this again. Almost everything now works remotely for the reloaded branch except for the self-signed stuff. I got an initial version up and running with quite some code. Are you interested in getting that in as well? If so, I would try to get that in as well.

roles/tls-certificate/tasks/selfsigned.yml

```yaml
# Check on the managed node (not the control node, as lookup would) that the
# CA and the server certificate exist before reading them.
- stat:
    path: "{{ tls_certificate_ca }}"
  register: tls_certificate_ca_flag

- debug:
    msg: "{{ tls_certificate_ca }} file exists"
  when: tls_certificate_ca_flag.stat.exists

- stat:
    path: "{{ tls_certificate_file }}"
  register: tls_certificate_file_flag

- debug:
    msg: "{{ tls_certificate_file }} file exists"
  when: tls_certificate_file_flag.stat.exists

# slurp returns the remote file content base64-encoded.
- name: get content of tls_certificate_ca
  slurp:
    src: "{{ tls_certificate_ca }}"
  register: tls_certificate_ca_encoded

- name: get content of tls_certificate_file
  slurp:
    src: "{{ tls_certificate_file }}"
  register: tls_certificate_file_encoded

- name: decode remote content
  set_fact:
    tls_certificate_file_content: "{{ tls_certificate_file_encoded.content | b64decode }}"
    tls_certificate_ca_content: "{{ tls_certificate_ca_encoded.content | b64decode }}"

# A full chain starts with the server certificate, followed by the CA
# (and any intermediates); nginx treats the first block as the certificate
# that matches ssl_certificate_key.
- name: create fullchain certificate
  copy:
    dest: "{{ tls_certificate_fullchain }}"
    content: |
      {{ tls_certificate_file_content }}
      {{ tls_certificate_ca_content }}
    owner: "{{ tls_certificate_owner | default('root') }}"
    group: "{{ tls_certificate_group | default('root') }}"
    mode: '0644'
```
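An added example, not code from the selfsigned.yml above or the playbook: the "create fullchain certificate" step done in Python, with the checks the Ansible task does not perform. It assumes its two inputs are the PEM text you get from slurp after b64decode (the server certificate and the CA certificate), writes the server certificate first followed by CA blocks without duplicates, rejects input with no certificate block (what an empty or wrong file produces) and refuses to include a private key, since the result is written world-readable (mode 0644). The PEM bodies in it are constructed placeholders, not real certificates.

```python
"""Build a fullchain PEM from a server certificate and a CA certificate.

Added example; not code from the issue's selfsigned.yml. The PEM bodies used
in the demonstration are constructed placeholders, not real certificates.
"""
import base64
import binascii
import re
from typing import List

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.+?)\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)


def pem_blocks(text: str) -> List[str]:
    """Extract every CERTIFICATE block from `text`, normalised to LF endings.

    Raises ValueError when the text carries a private key (it must never end
    up in a 0644 chain file), when a block body is not valid base64 (a
    truncated or corrupted file), or when no block is present at all.
    """
    if "PRIVATE KEY-----" in text:
        raise ValueError("input contains a private key; refusing to build chain")
    blocks = []
    for match in _PEM_RE.finditer(text):
        lines = [ln.strip() for ln in match.group(1).splitlines() if ln.strip()]
        body = "".join(lines)
        try:
            base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError) as exc:
            raise ValueError(f"certificate body is not valid base64: {exc}") from exc
        blocks.append(
            "-----BEGIN CERTIFICATE-----\n"
            + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n"
        )
    if not blocks:
        raise ValueError("no PEM CERTIFICATE block found")
    return blocks


def build_fullchain(leaf_pem: str, ca_pem: str) -> str:
    """Return server certificate first, then CA/intermediate blocks.

    The leaf file must hold exactly one certificate; CA blocks already
    present in the output (e.g. a CA file that also contains the leaf) are
    skipped so the chain has no duplicates.
    """
    leaf = pem_blocks(leaf_pem)
    if len(leaf) != 1:
        raise ValueError(f"expected one server certificate, got {len(leaf)}")
    chain = list(leaf)
    for block in pem_blocks(ca_pem):
        if block not in chain:
            chain.append(block)
    return "".join(chain)


if __name__ == "__main__":
    # Constructed placeholder PEM text standing in for the slurped files.
    LEAF = "-----BEGIN CERTIFICATE-----\r\nMIIBleaf\r\n-----END CERTIFICATE-----\r\n"
    CA = "-----BEGIN CERTIFICATE-----\nMIIBcaca\n-----END CERTIFICATE-----\n"
    print(build_fullchain(LEAF, CA))
```

Passing the output through `openssl crl2pkcs7 -nocrl -certfile fullchain.pem | openssl pkcs7 -print_certs -noout` on the managed node shows the subject/issuer order and confirms the leaf is first.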