diff --git a/files/nextcloud.nginx b/files/nextcloud.nginx
index 623c265..baf2fcc 100644
--- a/files/nextcloud.nginx
+++ b/files/nextcloud.nginx
@@ -3,18 +3,12 @@ upstream php-handler {
 }
 
 server {
- listen [::]:80;
- server_name cloud.ungleich.ch;
- # enforce https
- return 301 https://$server_name$request_uri;
-}
-
-server {
+ listen 443 ssl;
 listen [::]:443 ssl;
- server_name cloud.ungleich.ch;
+ server_name DOMAIN;
 
- ssl_certificate /etc/ssl/certs/star.ungleich.ch.crt;
- ssl_certificate_key /etc/ssl/private/star.ungleich.ch.key;
+ ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem;
 
 # Add headers to serve security related headers
 # Before enabling Strict-Transport-Security headers please read into this
diff --git a/gencode-remote b/gencode-remote
index 3aedb32..51d7bc1 100755
--- a/gencode-remote
+++ b/gencode-remote
@@ -20,7 +20,7 @@ case "$os" in 9*) restart="systemctl restart nginx" ;; - *) + *) restart="systemctl restart nginx" echo "Unsupported version $os_version of $os." >&2 exit 1
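Review bot: Nothing in `files/nextcloud.nginx` answers on port 80 any more, because the `listen [::]:80` server block with its `return 301` redirect is removed and only the `listen 443 ssl` block remains; presumably the manifest's `__ungleich_http_server_ssl_redirect_letsencrypt` call now provides that redirect, but a reader of this file alone cannot tell, and `DOMAIN` is not a valid `server_name` until something substitutes it. A header comment above `server {` would make the contract explicit: `# Template: DOMAIN is replaced with the real host name by the manifest before this file is installed; the port-80 to HTTPS redirect lives in __ungleich_http_server_ssl_redirect_letsencrypt.` The `server {` block continues past the end of the hunk.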
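Review bot: The `restart="systemctl restart nginx"` that follows the new `*)` pattern is dead, since that branch only prints "Unsupported version" and runs `exit 1`; if the assignment really sits on the added `*)` line it should be dropped so the line reads `*)` as before. The collapsed rendering of this hunk does not show whether `restart=...` is on the `+` line or an unchanged context line below it, so this is hedged; if it is context, the old code carried the same dead assignment and the same cleanup applies. The enclosing `case "$os" in` starts before the hunk.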
@@ -44,19 +44,17 @@ admin_user=$(cat "$__object/parameter/admin-user")
 admin_pass=$(cat "$__object/parameter/admin-pass")
 domain=$(cat "$__object/parameter/domain")
 
-# TODO check shasum of tar ball
+# FIXME: replace if we an if on output && an explorer
cat </dev/null -a \$(cd /var/www/nextcloud 2>/dev/null; sudo -u www-data php occ status 2>/dev/null | grep -o true) ]; then
- echo "Nextcloud already installed" >&2
- else
- echo "installing nextcloud" >&2
- curl -s -L ${nextcloud_uri} -o /tmp/nextcloud.tar.bz2
- tar -C /var/www -xvjf /tmp/nextcloud.tar.bz2
- rm -f /tmp/nextcloud.tar.bz2
- chown -R www-data:www-data /var/www/nextcloud
- cd /var/www/nextcloud
- sudo -u www-data php occ maintenance:install --database "pgsql" --database-name "$db_name" --database-user "$db_user" --database-pass "$db_pass" --admin-user "$admin_user" --admin-pass "$admin_pass"
- sudo -u www-data php occ config:system:set trusted_domains 2 --value="$domain"
- fi
+if [ ! -e /var/www/nextcloud/occ ]; then
+ cd /var/www
+ curl -s -L ${nextcloud_uri} | tar xj
+ chown -R www-data:www-data /var/www/nextcloud
+
+ cd /var/www/nextcloud
+ sudo -u www-data php occ maintenance:install --database "pgsql" --database-name "$db_name" --database-user "$db_user" --database-pass "$db_pass" --admin-user "$admin_user" --admin-pass "$admin_pass"
+ sudo -u www-data php occ config:system:set trusted_domains 2 --value="$domain"
+else
+ true
+fi
 eof
-#fi
diff --git a/manifest b/manifest
index c3504ad..ca0f6d3 100755
--- a/manifest
+++ b/manifest
@@ -1,6 +1,7 @@
 #!/bin/sh
 #
 # 2017 ungleich GmbH (cdist at ungleich.ch)
+# 2018 ungleich glarus ag (cdist at ungleich.ch)
 #
 # This file is part of cdist.
 #
@@ -26,17 +27,11 @@ then
 fi
 os_version=$(cat "$__global/explorer/os_version")
 case "$os_version" in
- 8*)
+ 8*|jessie)
 distribution="jessie"
- :
 ;;
- 9*)
+ 9*|ascii|ascii/ceres)
 distribution="stretch"
- :
- ;;
- jessie*)
- distribution="jessie"
- :
 ;;
 *)
 echo "Unsupported version $os_version of $os." >&2
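Review bot: The new install path streams `${nextcloud_uri}` straight into `tar xj` under `/var/www` as root with no integrity check, and the `# TODO check shasum of tar ball` reminder that flagged exactly this is deleted rather than resolved. `curl -s` without `-f` also hides failures, so an HTTP error body or a truncated download is fed to tar and the remote script carries on into `chown` and `occ maintenance:install`; the `[ ! -e /var/www/nextcloud/occ ]` guard then retries on every run, but a partially extracted tree stays behind. Download to a file with `curl -sSfL`, verify it against a pinned digest before extracting, and stop on any failure. The `--database-pass`/`--admin-pass` arguments on the rewritten `occ` lines are visible in the process list of the remote host while they run; that is pre-existing and may be acceptable here, but deserves a `# NOTE:` on the line. Verification sketch, with an obviously placeholder digest to be replaced by the published value for the pinned release:
```shell
if [ ! -e /var/www/nextcloud/occ ]; then
    tarball=\$(mktemp)
    curl -sSfL ${nextcloud_uri} -o "\$tarball" || exit 1
    # NEXTCLOUD_SHA256 is a placeholder for the digest of the pinned release
    echo "NEXTCLOUD_SHA256  \$tarball" | sha256sum -c - || exit 1
    tar -C /var/www -xjf "\$tarball" || exit 1
    rm -f "\$tarball"
    # … unchanged: chown, cd, occ maintenance:install, trusted_domains …
fi
```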
@@ -49,8 +44,8 @@ db_user=$(cat "$__object/parameter/db-user")
 db_name=$(cat "$__object/parameter/db-name")
 domain=$(cat "$__object/parameter/domain")
-
-
+tmpdir="$__object/files"
+mkdir "$tmpdir"
 __apt_key_uri dotdeb --uri https://www.dotdeb.org/dotdeb.gpg
 require="__apt_key_uri/dotdeb" __apt_source dotdeb --uri http://packages.dotdeb.org \
@@ -62,36 +57,50 @@ require="__apt_source/dotdeb" __apt_update_index
 # Install packages
 for package in php7.0-common php7.0-gd php7.0-json php7.0-pgsql php7.0-curl \
 php7.0-intl php7.0-mcrypt php7.0-imagick \
- php7.0-zip php7.0-apcu php7.0-mbstring php7.0-xml php7.0-fpm \
- nginx
+ php7.0-zip php7.0-apcu php7.0-mbstring php7.0-xml php7.0-fpm; do
 require="__apt_update_index" __package $package --state=present
 done
 __package postgresql --state=present
 __package curl --state=present
-# Configure packages
-## PHP 7
-
-
+# Configure packages
+## PHP 7
 require="__package/php7.0-fpm" __file /etc/php/7.0/fpm/pool.d/www.conf \
 --owner root --group root --mode 644 --source "$__type/files/fpm.conf"
 ## Nginx
-require="__package/nginx" __file /etc/nginx/sites-enabled/nextcloud --owner www-data \
- --group www-data --mode 755 --source "$__type/files/nextcloud.nginx"
+### HTTP only server to allow access
+__ungleich_http_server_ssl_redirect_letsencrypt --webroot /var/www/html/ "$domain"
+
+### Get the certificates
+require="__ungleich_http_server_ssl_redirect_letsencrypt/$domain" \
+ __letsencrypt_cert --admin-email technik@ungleich.ch \
+ --webroot /var/www/html/ \
+ --renew-hook "service nginx reload" \
+ --domain "$domain" --automatic-renewal \
+ "$domain"
+
+### The SSL configuration
+sed "s/DOMAIN/$domain/" "$__type/files/nextcloud.nginx" > "$tmpdir/nginx"
+require="__letsencrypt_cert/$domain __package/nginx" __file /etc/nginx/sites-enabled/nextcloud \
+ --owner www-data \
+ --group www-data \
+ --mode 755 \
+ --source "$tmpdir/nginx"
+
 ## Postgres
-require="__package/postgresql" __postgres_role "${db_user}" --password "${db_pass}"\
- --login --createdb
-
+require="__package/postgresql" __postgres_role "${db_user}" --password "${db_pass}" \
+ --login --createdb
+
 require="__package/postgresql __postgres_role/${db_user}" __postgres_database "${db_name}"\
 --owner "${db_user}" --state present
-# Start on boot
+# Start on boot
 require="__package/postgresql" __start_on_boot postgresql
 require="__package/nginx" __start_on_boot nginx
 require="__package/php7.0-fpm" __start_on_boot php7.0-fpm
diff --git a/parameter/default/version b/parameter/default/version
index 0719738..6fe535b 100644
--- a/parameter/default/version
+++ b/parameter/default/version
@@ -1 +1 @@
-11.0.1
+13.0.6
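Review bot: The rendered site config is installed with `--owner www-data --group www-data --mode 755`, which lets the unprivileged `www-data` account rewrite `/etc/nginx/sites-enabled/nextcloud`, a file the nginx master (typically running as root) parses on every reload; the `www.conf` line a few lines up already uses `--owner root --group root --mode 644`, and the `__file /etc/nginx/sites-enabled/nextcloud` call should match it. The `sed "s/DOMAIN/$domain/"` substitution also breaks on a domain containing `/` or `&`, and nothing visible here validates `$domain`; `sed "s|DOMAIN|$domain|"` avoids the delimiter clash, while `&` still needs escaping or an anchored check on the parameter before it is used. Lastly, `nginx` is dropped from the package loop while `__package/nginx` is still required on the `__file` line and on `__start_on_boot nginx`; presumably `__ungleich_http_server_ssl_redirect_letsencrypt` installs it, which the `### HTTP only server to allow access` comment should state, e.g. `### HTTP only server; also installs the nginx package that the requires below depend on`.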