On 8/25/20 2:22 PM, Maciej Delmanowski wrote:
If you write custom playbooks that use these roles, then sure, that could be
a solution. In DebOps however, the 'pki' role is part of the 'common.yml'
playbook executed on all hosts. The role is designed in such a way that it's
not needed to include it in other playbooks - roles that want to use the PKI
infrastructure can do so just by getting information from the
'ansible_local.pki.*' local facts.
The initialization of ACME certificates is a bit of an involved process, because
for the 'pki' role to correctly get Let's Encrypt certs, it requires a working
webserver. So the usual procedure is:
- run the common playbook that includes 'pki'
- run the nginx role
- run the 'service/pki' playbook that re-runs the 'pki' role, which detects
the configured 'nginx' server and requests ACME certs where appropriate.
The 'pki' role configures the 'pki-realm' script to renew the certificates
periodically, so you don't need to do that yourself.
The logic is clear and helped me a lot!
The actuation did present some difficulties (mostly because I was
overthinking) so I'm reporting here the steps I've followed.
If they are incorrect, please correct me; otherwise they'll be a reference
for someone else.
Say that:
* your domain is example.com
* the subdomain for nextcloud is cloud.example.com
* the host running nextcloud is nc.example.xyz
These are the var files I've set in nc's inventory folder
(ansible/inventory/host_vars/nc/)
pki.yml
---
pki_enabled: True
pki_acme: True
pki_acme_home_create: False
pki_realms:
  - name: "cloud.{{ ansible_domain }}"
    acme: True
    #acme_ca: "le-staging-v2"  # for testing
    acme_ca: "le-live-v2"  # for production
Basically this file says: use the Nginx ACME abilities to produce Let's Encrypt
certificates for cloud.example.com.
acme_ca simply uses the Let's Encrypt staging or production API. Keep using
le-staging-v2 until the playbooks work as expected, then switch to
production (le-live-v2).
nginx.yml
---
nginx_pki: True
nginx_acme: True
nginx_acme_server: False
This enables Let's Encrypt ACME capabilities in Nginx.
owncloud.yml
---
owncloud__deploy_state: "present"
owncloud__webserver: "nginx"
owncloud__variant: "nextcloud"
owncloud__release: "16"
owncloud__deploy_path_mode: "0755"
owncloud__data_path: "/mnt/data/nextcloud"
owncloud__admin_username: "admin"
owncloud__domain: "{{ ansible_domain }}"
owncloud__fqdn: "cloud.{{ ansible_domain }}"
# Drops db in case of new installation
owncloud__do_drop_db: False
owncloud__recommended_php_packages:
- "curl"
- "bz2"
- "imagick"
- "intl"
- "mcrypt"
owncloud__smb_support: False
owncloud__ldap_enabled: False
owncloud__apcu_enabled: False
owncloud__redis_enabled: True
owncloud__redis_host: "127.0.0.1"
owncloud__redis_password: '{{ lookup("password", secret + "/redis/clusters/" + ansible_domain + "/password") }}'
owncloud__database: "mariadb"
owncloud__database_server: "localhost"
owncloud__database_name: "{{ owncloud__variant }}"
owncloud__database_user: "{{ owncloud__variant }}"
owncloud__database_password: '{{ lookup("password", secret + "/mariadb/nc/credentials/nextcloud/password") }}'
owncloud__password_length: 18 #whatever
This simply configures Nextcloud according to my needs.
Once the files are done, I make sure that the nginx servers in
/etc/nginx/sites-*/* are well defined so that nginx won't crash at
reload. I often delete them all.
Then I run:
debops common -l nc
debops service/owncloud
debops service/pki
and everything works fine.
Thanks Maciej for the usual impeccable support!
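A follow-up check that is not part of the thread above and not DebOps' own tooling: once you flip acme_ca from le-staging-v2 to le-live-v2 and re-run service/pki, it is worth confirming that the certificate the realm actually ended up with is a production one and not a leftover from the staging CA (nginx will happily serve either, and browsers only complain about the staging one). The function below inspects a PEM file with openssl and fails when the issuer is the Let's Encrypt staging CA (its intermediates carry "(STAGING)" or "Fake LE" in their names) or when the certificate expires within a week. The realm path used in the usage line, /etc/pki/realms/cloud.example.com/default.crt, is an assumption about the DebOps layout; adjust it to your host.

```shell
#!/bin/sh
# Added example, not from the original post or from DebOps.
# check_cert <pem-file>
#   exit 0  -> certificate is not from the LE staging CA and is valid for
#              more than 7 days
#   exit 1  -> otherwise (reason printed on stdout)
check_cert() {
    pem="$1"

    # Extract the issuer DN; a parse failure means the file is not a cert.
    issuer=$(openssl x509 -in "$pem" -noout -issuer 2>/dev/null) || {
        echo "cannot parse certificate: $pem"
        return 1
    }

    # Let's Encrypt staging intermediates are named "(STAGING) ..." or
    # "Fake LE ..."; production ones never contain these strings.
    case "$issuer" in
        *STAGING*|*"Fake LE"*)
            echo "staging certificate still installed: $issuer"
            return 1
            ;;
    esac

    # -checkend N exits non-zero if the cert expires within N seconds.
    if ! openssl x509 -in "$pem" -noout -checkend 604800 >/dev/null 2>&1; then
        echo "certificate expires within 7 days: $(openssl x509 -in "$pem" -noout -enddate)"
        return 1
    fi

    echo "ok: $issuer"
    return 0
}

# Usage (path is an assumption about the DebOps realm layout):
#   check_cert /etc/pki/realms/cloud.example.com/default.crt
```

Run it on the host after the service/pki playbook; a non-zero exit is the cue to re-check acme_ca and re-run service/pki before pointing users at cloud.example.com.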